WO2006110955A1 - Process of and apparatus for counting - Google Patents

Process of and apparatus for counting Download PDF

Info

Publication number
WO2006110955A1
Authority
WO
WIPO (PCT)
Prior art keywords
nlfsr
generated
bits
state
bit
Prior art date
Application number
PCT/AU2006/000528
Other languages
French (fr)
Inventor
Sean O'neil
Original Assignee
Synaptic Laboratories Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2005901988A
Application filed by Synaptic Laboratories Limited
Priority to EP06721408A (EP1872515A1)
Publication of WO2006110955A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/582 Pseudo-random number generators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols: the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator
    • H04L9/0668 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator producing a non-linear pseudorandom sequence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations

Definitions

  • the present invention relates to cryptographic primitives.
  • the term 'counter' is used to mean a set of bits, the set being of a fixed size b. Those bits represent a number, which in turn is the value of the counter. That value increments in a deterministic manner by the operation of a defined process on the bits. Irrespective of the initial state of the set of bits, the value of the counter will eventually reach a value to which, after further incrementing, it will eventually return.
  • Counters for the purpose of generating spreading sequences are used extensively in communications applications.
  • Counters for the purpose of ensuring the minimal period of the generator to be of a certain guaranteed length are used extensively in cryptography.
  • NLFSR nonlinear feedback shift registers
  • i-NLFSR identity-NLFSR
  • a NLFSR of n bits in length will have 2^(n/2) short loops on average.
  • An i-NLFSR has one loop, but unlike a DeBruijn sequence, its loop is not maximal length and there is one or a number of paths into the loop.
  • i-NLFSR natural identity
  • pi-NLFSR prime identity
  • the identity-NLFSRs are very useful in cryptographic applications as they can be initialized with a random value within the range of 0 to 2^n-1 and the i-NLFSR is guaranteed to converge to a period of fixed length.
  • LCM Least Common Multiple of all the periods of the m smaller i-NLFSRs.
  • our present invention provides a process of incrementing a counter, comprising updating the state of a n-bit NLFSR by a nonlinear feedback function, such that the length of each loop of the NLFSR is greater than 1 and is not a power of 2.
  • NLFSRs with maximum length periods of 2^n and NLFSRs with periods of 2^(n-1) and a single fixed point (a second period of length 1) are known; a combination of such NLFSRs cannot be used to construct counters with arbitrarily long guaranteed periods for all initial states.
  • Embodiments of the current invention allow construction of counters with arbitrarily long periods for all initial states if smaller NLFSRs as herein described with long preferably co-prime loops and without any fixed points are combined together with a linear or bijective nonlinear output combiner.
  • embodiments of the present invention accordingly guarantee a minimal period length while also ensuring presence of desirable cryptographic properties in the counter output.
  • the present invention provides corresponding apparatus, signals, data and machine-readable substrates as are set out in the claims of this specification.
  • Figure 1 illustrates a NLFSR process that may be used to execute i-NLFSR.
  • the input 500 consists of six bits of input 501, to 506.
  • the ordered intermediate state 510 consists of six bits of intermediate input 511 through 516.
  • the ordered output 520 consists of six bits of output 521 through 526.
  • the region 519 illustrates a 1-bit clockwise rotation.
  • All six bits of the input 500 are supplied to the nonlinear feedback function 530 generating 1 bit of output stored in the intermediate state 510.
  • the remaining five bits of intermediate state 512 through 516 are assigned the input values 502 through 506 from the input 500 respectively.
  • the intermediate state 510 is rotated clockwise by one bit resulting in the state 520.
  • any single bit of the state 520 may be released as output.
  • the state 520 is fed back as the input 500 in the next iteration of the illustration.
  • either the sequence of input bits 501 to 506 or the sequence of output bits 521 to 526 could be considered to be the contents of registers.
  • the total number of possible Boolean functions for 530 is equal to 2 raised to the power 2^n, also represented as 2^(2^n).
  • a Boolean function of 3 inputs can be represented as a look-up table of 2^3 (8) of its possible output values, and there are 2^8 (256) possible 3-input functions.
  • a search for a suitable NLFSR feedback function either brute-forces all the 2^(2^n) possible Boolean functions that could be chosen for the non-linear feedback function 530 or selects random functions from the range of valid Boolean functions testing the properties of the generated NLFSR as follows.
  • a simple searching process first creates a true/false table for each of the possible 2^n entries of the NLFSR and sets each entry of the table mapping to a state of the NLFSR as false.
  • the initial internal state of the NLFSR is set to zero and the table entry corresponding to the state zero of the NLFSR is set as true to indicate that the NLFSR has reached this position.
  • the NLFSR is then executed updating the current state of the NLFSR.
  • the bit in the table corresponding to the current state of the NLFSR is queried. If the entry is false, the NLFSR under test has not transitioned to this state before, and the entry is set true and the process proceeds to execute and test the next state of the NLFSR. If the entry is true, the NLFSR has returned to a position previously visited.
  • the length of the loop is determined by counting the number of NLFSR executions required before the NLFSR returns back to the current position.
  • the remaining states are used as initial states of the NLFSR to find all other loops.
  • a process generates an index that increments sequentially through all possible states, querying the table to determine if the NLFSR has previously visited the state. If the entry is false, the NLFSR is initialized to the respective state. The NLFSR is then executed until it can determine if the NLFSR state matches a state marked as true in the table, or if another loop is discovered. If the NLFSR loops back on itself the NLFSR under test is not an i-NLFSR. If the NLFSR state matches a state in the table marked as true, it indicates that the index location tested converges to a position on the original loop. In that case the NLFSR is executed again starting from the same position but marking bits in the table corresponding to the new states as true. After that the remaining index positions are tested in the same way.
  • the discovered loop is called the identity loop and the NLFSR is an i-NLFSR.
  • the i-NLFSR is classified as a pi-NLFSR if the period length of the identity loop is a prime number. Alternatively, if the period length of the identity loop is not a prime number, the i-NLFSR is classified as a ni-NLFSR.
  • This naive type of search process may be used in principle for any nonlinear function with a feedback to search for i-NLFSR constructions, including parallel feedback NLFSRs.
  • a simple heuristic rule which is suitable in many NLFSR constructions, particularly of the type in figure 1, is that periods with long lengths are usually generated with balanced Boolean functions, which significantly reduces the total search space.
  • two additional heuristic rules are applied to generate i-NLFSR constructions of the type in figure 1: the least significant bit of the balanced Boolean function should be true, and the most significant bit of the balanced Boolean function should be false.
  • an alternate well known searching technique is to use a randomized searching process. Additional search optimization techniques are preferably used like dismissing potential i-NLFSR candidates with short periods without checking for other loops. Other preferred techniques additionally use processes that select the type of Boolean functions more likely to generate i-NLFSRs by limiting them to Boolean functions that work best for smaller constructions.
  • Figure 2 illustrates the three-bit Boolean function 3x1 truth table represented in binary as 01110111b as is implemented in a 3-bit variation of the circuit in figure 1.
  • the convention by which we arrive at the representation of 01110111b is as follows. First, we consider the three-bit input to the Boolean function as if they were three contiguous bits representing a number. The input 111 to the Boolean function would represent the decimal number 7, the input 110 to the Boolean function would represent the decimal number 6, and so on up to the input 000 to the Boolean function representing the decimal number zero.
  • the eight possible states of the three-bit finite state machine in figure 2 are illustrated as 0 through 7.
  • the i-NLFSR has a period of 5 (which is a prime number) and its identity loop is the sequence of state transitions {4, 6, 7, 3, 1, 4, ...}.
  • the states 2, 5 and 0 converge onto the identity loop.
  • Figure 3 illustrates the 4x1 truth table of the Boolean function represented in binary as 0110000100011001b as implemented in a 4-bit variation of the circuit in figure 1.
  • the 16 possible states of a 4 bit finite state machine are illustrated as 0 through 15.
  • the i-NLFSR has a period of 11 (which again is a prime number) and its identity loop is the sequence of state transitions {0, 8, 12, 6, 3, 9, 4, 10, 5, 2, 1, 0, ...}.
  • the states 13, 14, 15, 7 and 11 all converge onto the identity loop.
  • Figure 4 illustrates the Boolean function 4x1 truth table represented in binary as 0011010011010001b as implemented in a 4-bit variation of the circuit in figure 1.
  • the 16 possible states of a 4-bit function are illustrated as 0 through 15.
  • the i-NLFSR has a period of 11 (a prime number) and its identity loop is the sequence of state transitions {0, 8, 4, 10, 13, 14, 7, 11, 5, 2, 1, 0, ...}.
  • the states 3, 9, 12, 15 and 6 all converge onto the identity loop in one transition.
  • i-NLFSR guarantees that regardless of the initial state, it will converge to the identity period.
  • i-NLFSR are independent of the type of NLFSR construction used to execute them.
  • i-NLFSRs are known to exist for every natural number 2 through 2^n bits, including DeBruijn sequences according to NLFSR engines shown in Figure 1.
  • Figure 5 illustrates another preferred embodiment of the current invention known to generate i-NLFSR sequences.
  • the reference number 600 indicates an input of 33 bits, only eight bits 601, 602, 603, 604, 605, 606, 607 and 608 of which are illustrated in the drawing.
  • the reference number 610 indicates an internal state of 33 bits, only eight 611, 612, 613, 614, 615, 616, 617 and 618 of which are illustrated in the drawing.
  • the reference number 620 indicates an output of 33 bits, only eight 621, 622, 623, 624, 625, 626, 627 and 628 of which are illustrated in the drawing.
  • the region 619 illustrates the intermediate state 610 being rotated by 1 bit in a clockwise fashion to generate the output 620.
  • the nonlinear feedback function 630 takes as input the least significant bit 601 of input 600 and the most significant bit 608 of 600. A range of 0 to (the length of state 600 - 3) additional bits are selected as input.
  • Figure 5 illustrates the nonlinear feedback function 630 adapted to receive four additional inputs from 600.
  • the single bit output of 630 is stored in intermediate state 611.
  • the remaining 32 intermediate bits 612 through 618 are assigned the 32 values from the range of 602 through 608 respectively.
  • the 33 bits of intermediate state 610 are rotated by 1 bit in a clockwise fashion.
  • ni-NLFSR and pi-NLFSR with very long periods approaching 2^n for internal states of n bits are known to exist according to NLFSR engines as shown on Figure 5.
  • Figure 6 illustrates an alternate preferred embodiment of the current invention known to generate i-NLFSR sequences.
  • the reference number 700 indicates a state of 32 bits, eight bits of which 701, 702, 703, 704, 705, 706, 707 and 708 are shown in the drawing.
  • the reference number 710 indicates an intermediate state of 32 bits, eight of which 711, 712, 713, 714, 715, 716, 717 and 718 are shown in the drawing.
  • the reference number 720 indicates an output of 32 bits, eight bits of which 721, 722, 723, 724, 725, 726, 727 and 728 are shown in the drawing.
  • the region of the drawing that is indicated by reference number 719 partially illustrates the intermediate state 710 of 32 bits being rotated by 2 bits in a clockwise fashion.
  • the nonlinear feedback function 730 takes as input the least significant bit 701 and the most significant bit 708 of input 700. A range of 0 to (the length of state 700 - 3) additional bits are selected as input to the feedback function 730.
  • Figure 6 illustrates the nonlinear feedback function 730 as receiving four additional bits from input 700.
  • the two bits of output of 730 are stored in intermediate state 710 in 711 and 712.
  • the remaining 30 intermediate bits 712 through 718 are assigned the 30 values from the range of 603 through 708 respectively.
  • the 32 bits of intermediate state 710 are rotated by 2 bits in a clockwise fashion.
  • Any rotation from 1 to n-1 bits can be selected and any choice of two or more bits of the state can be used as input to the feedback function 730 updating the internal state 700 of the NLFSR engine.
  • i-NLFSRs are known to exist according to NLFSR engines shown in Figure 6.
  • Figure 7 illustrates a process according to a preferred embodiment of the current invention.
  • the portion of the drawing that is indicated by reference number 900 shows five finite state machines that implement the remainders of an RNS counter.
  • the 5 remainders 901, 902, 903, 904 and 905 are selected from finite state machine with periods selected according to our above-referenced co-pending Australian provisional patent application.
  • the five moduli in 900 are i-NLFSRs.
  • Remainder 901 releases one bit of state 911 every round.
  • Remainders 902, 903, 904, 905 each release one bit of state 912, 913, 914 and 915 respectively every round.
  • Function 920 takes five inputs from the outputs of 911, 912, 913, 914, and 915 and releases one bit 921 every round.
  • the function 920 is a 5-to-l XOR operation which ensures that each of the 5 moduli in 900 contribute to the total period length as released in bit 921.
  • the operation 920 performs a nonlinear function releasing a single bit output 921.
  • the nonlinear operation 920 is calculated as (911 XOR 912 XOR 913 XOR (914 AND 915)) releasing 1 bit of output 921.
  • the periods of 911, 912, 913 are guaranteed and the functions 914 and 915 further reduce predictability of the output.
  • a linear combination of RNS moduli can be used to guarantee a certain minimal period length in addition with other moduli that can be used to increase the guaranteed period length as well as the randomness properties of the output.
  • FIG 8 illustrates another preferred embodiment of the current invention.
  • Module 940 is a RNS counter as described in figure 7 releasing one bit of output on every round.
  • the Module 950 is a nonlinear bijective accumulator taking one bit of input releasing one bit of output as described in our above-referenced co-pending Australian provisional patent application, consisting of 12 bits of internal state 952 through 963 and a single key input bit 951.
  • the sequence generated by 940 is hashed in a lossless bijective fashion in 950. In the current illustration it takes 12 rounds to load 12 bits of unique state from 940. In a preferred embodiment a full 12 rounds of RNS output 940 is loaded into the 950 to initialize the module 950, then for each addition round of RNS output 940 one bit of state 965 is released as output.
  • the module 950 increases the randomness properties of the RNS counter output while ensuring a certain minimal period length.
  • the i-NLFSR used in RNS counters are selected by evaluating the linear complexity of the nonlinear feedback function as a Nx1 substitution box. That is, a heuristic process generates several unique i-NLFSRs with equal identity periods and selects the i-NLFSR with the strongest nonlinear feedback function. This process is repeated for each of the i-NLFSR moduli used in a remainder number system (RNS) counter.
  • RNS remainder number system
  • the i-NLFSRs used in RNS counters are selected by evaluating the randomness of the output of each i-NLFSR.
  • a heuristic process generates several unique i-NLFSRs with equal identity periods.
  • the engine is executed releasing every bit, every second bit, every third bit and so on and testing the output streams with a number of randomness tests.
  • the i-NLFSR that better passes the randomness tests is selected. If multiple i-NLFSR have equivalent randomness properties one may be selected at random or the entire RNS set can be subjected to further randomness testing as described above.
  • the i-NLFSRs are selected by evaluating the number of states that directly join onto the identity period.
  • a heuristic process generates several unique instances of i-NLFSRs with equal identity periods. For each i-NLFSR the number of unique joins is counted and the i-NLFSR with the lowest number of collisions is selected.
  • the heuristic searching process selects NLFSR that have i loops such that each of the i loops is larger than t period, and such that any state not on the i loops converges to one of the i loops; where t is larger than 2^(n/2).
  • the selection of values of t larger than 2^(n/2) ensures that the counters perform significantly better than the expected average performance of randomly chosen functions.
  • the i-NLFSR replaces a maximal distance linear feedback shift register used for the purpose of generation of spreading sequences.
  • a RNS counter comprising of at least two i-NLFSR remainders replaces a chaotic sequence generator.
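The RNS counter of Figure 7 above (several i-NLFSR moduli each releasing one bit per round into a XOR combiner) and the LCM period rule can be checked on the two small pi-NLFSRs the page gives, the period-5 function of Figure 2 and the period-11 function of Figure 3. The following Python is an added example, not code from the patent or from Synaptic Laboratories. It assumes the Figure 1 engine with bit 501 as the least significant bit and a clockwise rotation towards the LSB (the reading that reproduces the loops printed in the text), and it takes the least significant bit of each register as the released bit, a choice the text leaves open. It runs the counter from an arbitrary initial state and measures the period of the joint register state and the minimal period of the released bit stream.

```python
"""Two i-NLFSR moduli combined into an RNS counter with a XOR output combiner.

Added example; the engine conventions (LSB = bit 501, rotate towards the LSB,
release the LSB of every modulus) are assumptions, not statements of the patent.
"""
from math import gcd


def step(tt: int, state: int, n: int) -> int:
    """One round of the Figure 1 engine: feed f(state) into bit 0 of the
    intermediate state, copy the other bits, rotate right (clockwise) by one."""
    intermediate = (state & ~1) | ((tt >> state) & 1)
    return (intermediate >> 1) | ((intermediate & 1) << (n - 1))


# (truth table, width, identity period) of the Figure 2 and Figure 3 pi-NLFSRs.
MODULI = ((0x77, 3, 5), (0x6119, 4, 11))


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def guaranteed_period(moduli=MODULI) -> int:
    """LCM of the identity periods: the minimal period the combiner guarantees."""
    p = 1
    for _, _, period in moduli:
        p = lcm(p, period)
    return p


def rns_counter(states, moduli=MODULI):
    """Infinite generator of (joint state, released bit).  The released bit is the
    XOR of the LSB of every modulus, i.e. the linear n-to-1 combiner of Figure 7."""
    states = list(states)
    while True:
        out = 0
        for s in states:
            out ^= s & 1
        yield tuple(states), out
        states = [step(tt, s, n) for s, (tt, n, _) in zip(states, moduli)]


def measure(states, moduli=MODULI, limit=10_000):
    """Return (transient, state_period, bit_period) from an arbitrary start state.

    transient is the number of rounds until every modulus sits on its identity loop,
    state_period the period of the joint register state afterwards, and bit_period
    the smallest period of the released bit stream over one state period."""
    seen, bits = {}, []
    for i, (joint, bit) in enumerate(rns_counter(states, moduli)):
        if joint in seen:
            transient = seen[joint]
            period = i - transient
            loop_bits = bits[transient:]
            bit_period = min(d for d in range(1, period + 1) if period % d == 0
                             and all(loop_bits[k] == loop_bits[k % d] for k in range(period)))
            return transient, period, bit_period
        seen[joint] = i
        bits.append(bit)
        if i > limit:
            raise RuntimeError("no state repetition within limit")


if __name__ == "__main__":
    print("guaranteed period LCM(5, 11) =", guaranteed_period())
    print("from (0, 0): transient, state period, bit period =", measure((0, 0)))
```

Starting from (0, 0) gives a transient of one round, because state 0 is off the Figure 2 identity loop, and then a period of 55 = LCM(5, 11) both for the joint state and for the released bit stream. The guarantee rests on the linear part of the combiner: each modulus contributes its full prime period to the XOR, which is why the Figure 7 text keeps bits 911 to 913 in the XOR even when 914 and 915 are folded in through an AND to reduce predictability.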

Abstract

A process of incrementing a counter updates the state of a n-bit NLFSR by a nonlinear feedback function, such that the length of each loop of the NLFSR is greater than 1 and is not a power of 2.

Description

Title
Process of and apparatus for counting
Field of the invention
The present invention relates to cryptographic primitives.
Background of the invention
The present application is related to our co-pending Australian provisional patent applications numbers 2005901987 and 2005902019, both entitled Process of and Apparatus for Counting, the contents of each of which are incorporated herein by reference.
Throughout this specification, including the claims: the term 'counter' is used to mean a set of bits, the set being of a fixed size b. Those bits represent a number, which in turn is the value of the counter. That value increments in a deterministic manner by the operation of a defined process on the bits. Irrespective of the initial state of the set of bits, the value of the counter will eventually reach a value to which, after further incrementing, it will eventually return. We refer to the phenomenon of the value of the counter incrementing from a value to eventually return to that value as 'looping', and to the values through which the counter increments as a 'loop' of the counter; and the symbols xʸ and x^y both represent x raised to the power of y.
Counters for the purpose of generating spreading sequences are used extensively in communications applications.
Counters for the purpose of ensuring the minimal period of the generator to be of a certain guaranteed length, such as maximal distance linear feedback shift registers, are used extensively in cryptography.
As described in our above-referenced co-pending Australian provisional patent application, nonlinear feedback shift registers (NLFSR) are known. DeBruijn sequences of n bits generate sequences with 2ⁿ (also represented as 2^n) long periods. Construction of arbitrarily large DeBruijn sequences is an open problem, and the only known method to find them is by brute force, which to date remains infeasible for n of 64-bit and over. Also, even if construction of large (80-bit or wider) DeBruijn generators was possible, all 80 bits of the counter state would have to be used as inputs into the feedback function and such a wide function would most probably be unable to compete in performance with the modern stream ciphers.
In contrast, the present application discloses a new class of nonlinear feedback shift registers that we describe as identity-NLFSR (i-NLFSR).
A NLFSR of n bits in length will have 2^(n/2) short loops on average. An i-NLFSR has one loop, but unlike a DeBruijn sequence, its loop is not maximal length and there is one or a number of paths into the loop.
We introduce two classes of i-NLFSRs; natural identity (ni-NLFSR) for periods of natural numbers and a sub-category called prime identity (pi-NLFSR) for periods of prime lengths.
The identity-NLFSRs are very useful in cryptographic applications as they can be initialized with a random value within the range of 0 to 2^n-1 and the i-NLFSR is guaranteed to converge to a period of fixed length. A number of such i-NLFSRs with periods {p1, p2, p3, ..., pm} can be trivially combined in a single module by the skilled reader of this specification resulting in a counter with a period up to p = LCM(p1, p2, p3, ..., pm), where LCM is the Least Common Multiple of all the periods of the m smaller i-NLFSRs. Thus the pi-NLFSR and ni-NLFSR with large prime factors make excellent moduli for RNS-based counters as described in our above-referenced co-pending Australian provisional patent application.
Summary of the invention
In one aspect, our present invention provides a process of incrementing a counter, comprising updating the state of a n-bit NLFSR by a nonlinear feedback function, such that the length of each loop of the NLFSR is greater than 1 and is not a power of 2.
While small NLFSRs with maximum length periods of 2^n and NLFSRs with periods of 2^(n-1) and a single fixed point (a second period of length 1) are known, a combination of such NLFSRs cannot be used to construct counters with arbitrarily long guaranteed periods for all initial states. Embodiments of the current invention allow construction of counters with arbitrarily long periods for all initial states if smaller NLFSRs as herein described with long preferably co-prime loops and without any fixed points are combined together with a linear or bijective nonlinear output combiner.
It will be seen that embodiments of the present invention accordingly guarantee a minimal period length while also ensuring presence of desirable cryptographic properties in the counter output.
It will also be seen that various embodiments of the present invention also provide a hardware efficient process of counting to guarantee a minimal period length with each subsequent output exhibiting several desirable cryptographic properties.
It will also be seen that various embodiments of the present invention also provide a hardware efficient generator of spreading sequences used in encoding communication signals.
It will also be seen that various embodiments of the present invention can also be used as a replacement for pseudo-random sequence generators such as maximal distance linear feedback shift registers and n-LFSR found in a broad range of applications.
In other aspects, the present invention provides corresponding apparatus, signals, data and machine-readable substrates as are set out in the claims of this specification.
Brief description of the drawings
In order that the present invention may be more readily understood, its preferred embodiments are described by reference to figures 1, 2, 3, 4, 5, 6, 7 and 8 of the drawings.
Descriptions of preferred embodiments of the invention
Figure 1 illustrates a NLFSR process that may be used to execute i-NLFSR. The input 500 consists of six bits of input 501, to 506. The ordered intermediate state 510 consists of six bits of intermediate input 511 through 516. The ordered output 520 consists of six bits of output 521 through 526. The region 519 illustrates a 1-bit clockwise rotation.
All six bits of the input 500 are supplied to the nonlinear feedback function 530 generating 1 bit of output stored in the intermediate state 510. The remaining five bits of intermediate state 512 through 516 are assigned the input values 502 through 506 from the input 500 respectively.
The intermediate state 510 is rotated clockwise by one bit resulting in the state 520.
In this illustration, any single bit of the state 520 may be released as output. The state 520 is fed back as the input 500 in the next iteration of the illustration.
In implementations of embodiments of the invention according to figure 1, either the sequence of input bits 501 to 506 or the sequence of output bits 521 to 526 could be considered to be the contents of registers.
The total number of possible Boolean functions for 530 is equal to 2 raised to the power 2^n, also represented as 2^(2^n). A Boolean function of 3 inputs can be represented as a look-up table of 2^3 (8) of its possible output values, and there are 2^8 (256) possible 3-input functions.
A search for a suitable NLFSR feedback function either brute-forces all the 2^(2^n) possible Boolean functions that could be chosen for the non-linear feedback function 530 or selects random functions from the range of valid Boolean functions testing the properties of the generated NLFSR as follows.
To test all the loops of a NLFSR under consideration, a simple searching process first creates a true/false table for each of the possible 2^n entries of the NLFSR and sets each entry of the table mapping to a state of the NLFSR as false. The initial internal state of the NLFSR is set to zero and the table entry corresponding to the state zero of the NLFSR is set as true to indicate that the NLFSR has reached this position.
The NLFSR is then executed updating the current state of the NLFSR. The bit in the table corresponding to the current state of the NLFSR is queried. If the entry is false, the NLFSR under test has not transitioned to this state before, and the entry is set true and the process proceeds to execute and test the next state of the NLFSR. If the entry is true, the NLFSR has returned to a position previously visited.
Having discovered a loop, the length of the loop is determined by counting the number of NLFSR executions required before the NLFSR returns back to the current position.
If the length of the discovered loop is desirable, the remaining states are used as initial states of the NLFSR to find all other loops.
A process generates an index that increments sequentially through all possible states, querying the table to determine if the NLFSR has previously visited the state. If the entry is false, the NLFSR is initialized to the respective state. The NLFSR is then executed until it can determine if the NLFSR state matches a state marked as true in the table, or if another loop is discovered. If the NLFSR loops back on itself the NLFSR under test is not an i-NLFSR. If the NLFSR state matches a state in the table marked as true, it indicates that the index location tested converges to a position on the original loop. In that case the NLFSR is executed again starting from the same position but marking bits in the table corresponding to the new states as true. After that the remaining index positions are tested in the same way.
If all index positions tested converge to the singular discovered loop, the discovered loop is called the identity loop and the NLFSR is an i-NLFSR. The i-NLFSR is classified as a pi-NLFSR if the period length of the identity loop is a prime number. Alternatively, if the period length of the identity loop is not a prime number, the i-NLFSR is classified as a ni-NLFSR. This naive type of search process may be used in principle for any nonlinear function with a feedback to search for i-NLFSR constructions, including parallel feedback NLFSRs.
According to some preferred embodiments of the invention, a simple heuristic rule, which is suitable in many NLFSR constructions, particularly of the type in figure 1, is that periods with long lengths are usually generated with balanced Boolean functions, which significantly reduces the total search space.
According to further preferred embodiments of the invention, two additional heuristic rules are applied to generate i-NLFSR constructions of the type in figure 1: the least significant bit of the balanced Boolean function should be true, and the most significant bit of the balanced Boolean function should be false.
According to other preferred embodiments, an alternate well known searching technique is to use a randomized searching process. Additional search optimization techniques are preferably used like dismissing potential i-NLFSR candidates with short periods without checking for other loops. Other preferred techniques additionally use processes that select the type of Boolean functions more likely to generate i-NLFSRs by limiting them to Boolean functions that work best for smaller constructions.
Other preferred embodiments of the current invention accept NLFSRs that generate two to four long loops.
Other preferred embodiments of the invention trade CPU execution time for memory, and also exploit parallelism within a processor, within a multi-CPU system and within a cluster of computers. Other preferred embodiments of the invention implement the searching process in FPGA or ASIC chips, exploiting the massive parallelism inherent in these architectures.
Figure 2 illustrates the three-bit Boolean function 3x1 truth table represented in binary as 01110111b as implemented in a 3-bit variation of the circuit in figure 1. The convention by which we arrive at the representation 01110111b is as follows. First, we consider the three-bit input to the Boolean function as three contiguous bits representing a number. The input 111 to the Boolean function represents the decimal number 7, the input 110 represents the decimal number 6, and so on down to the input 000 representing the decimal number zero. We have then arbitrarily assigned: the output 0 for an input of 7 decimal (or 111b); the output 1 for an input of 6 decimal; the output 1 for an input of 5 decimal; the output 1 for an input of 4 decimal; the output 0 for an input of 3 decimal; the output 1 for an input of 2 decimal; the output 1 for an input of 1 decimal; and the output 1 for an input of 0 decimal.
It can be seen that the respective outputs of the Boolean function, listed from input 7 down to input 0, are 01110111, and so we represent the truth table of the Boolean function as 01110111b.
The eight possible states of the three-bit finite state machine in figure 2 are illustrated as 0 through 7. The i-NLFSR has a period of 5 (which is a prime number) and its identity loop is the sequence of state transitions {4, 6, 7, 3, 1, 4, ...}. The states 2, 5 and 0 converge onto the identity loop.
Figure 3 illustrates the 4x1 truth table of the Boolean function represented in binary as 0110000100011001b as implemented in a 4-bit variation of the circuit in figure 1. The 16 possible states of a 4-bit finite state machine are illustrated as 0 through 15. The i-NLFSR has a period of 11 (which again is a prime number) and its identity loop is the sequence of state transitions {0, 8, 12, 6, 3, 9, 4, 10, 5, 2, 1, 0, ...}. The states 13, 14, 15, 7 and 11 all converge onto the identity loop.
Figure 4 illustrates the Boolean function 4x1 truth table represented in binary as 0011010011010001b as implemented in a 4-bit variation of the circuit in figure 1. The 16 possible states of the 4-bit finite state machine are illustrated as 0 through 15. The i-NLFSR has a period of 11 (a prime number) and its identity loop is the sequence of state transitions {0, 8, 4, 10, 13, 14, 7, 11, 5, 2, 1, 0, ...}. The states 3, 9, 12, 15 and 6 all converge onto the identity loop in one transition.
Comparing figure 3 with figure 4, the convergence properties are slightly different even though both functions are pi-NLFSR constructions. The faster convergence in figure 4 results in a wider distribution of starting positions within the identity loop and also results in a larger number of potentially exploitable collisions.
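The exhaustive search process and the three figure examples above can be reproduced with the following Python, which is an added example and not code from the patent. It assumes that the figure 1 circuit shifts the state right by one bit with the feedback bit entering as the new most significant bit, and that bit i of the truth-table value is the Boolean function's output for input i; that modelling assumption is not stated on the page, but it reproduces every state transition listed for figures 2, 3 and 4. The search function applies the balanced/LSB/MSB pruning rules from the preferred embodiments, and direct_joins counts the one-transition joins that the description treats as collisions. All function names here are this example's own.

```python
"""Exhaustive i-NLFSR search and classification (added example, not patent code).

Model assumption: the n-bit state shifts right by one bit per round and the
feedback bit f(state) enters as the new most significant bit; bit i of the
truth-table value is f(i).  This reproduces the transitions listed for
figures 2, 3 and 4, whose truth tables are used as test vectors below.
"""


def step(state, n, table):
    """One round: f(state) becomes the new MSB, the other bits shift right."""
    feedback = (table >> state) & 1
    return (state >> 1) | (feedback << (n - 1))


def find_loops(n, table):
    """Visit every state once and return every loop (list of states in order).

    This is the naive search from the description: walk from each unvisited
    state until the walk either closes on itself (a new loop) or reaches a
    state finished earlier (the walk converges into a loop already found).
    """
    size = 1 << n
    status = [0] * size       # 0 unvisited, 1 on the current walk, 2 finished
    loops = []
    for start in range(size):
        if status[start]:
            continue
        walk, s = [], start
        while status[s] == 0:
            status[s] = 1
            walk.append(s)
            s = step(s, n, table)
        if status[s] == 1:    # closed on our own walk: a new loop
            loops.append(walk[walk.index(s):])
        for w in walk:
            status[w] = 2
    return loops


def is_prime(k):
    return k > 1 and all(k % d for d in range(2, int(k ** 0.5) + 1))


def classify(n, table):
    """'pi-NLFSR' or 'ni-NLFSR' for a single loop, else 'not an i-NLFSR'."""
    loops = find_loops(n, table)
    if len(loops) != 1:
        return "not an i-NLFSR"
    return "pi-NLFSR" if is_prime(len(loops[0])) else "ni-NLFSR"


def join_distances(n, table):
    """Transitions needed for each off-loop state to reach a loop."""
    on_loop = {s for loop in find_loops(n, table) for s in loop}
    distances = {}
    for s in range(1 << n):
        if s in on_loop:
            continue
        d, t = 0, s
        while t not in on_loop:
            t, d = step(t, n, table), d + 1
        distances[s] = d
    return distances


def direct_joins(n, table):
    """Off-loop states that land on a loop in one transition: the collision
    count the description uses when comparing candidates of equal period."""
    return sum(1 for d in join_distances(n, table).values() if d == 1)


def search(n, heuristics=True):
    """Return every truth table that gives a pi-NLFSR for n bits.

    With heuristics=True the candidates are pruned by the three rules in the
    description: balanced function, f(0) = 1 and f(2**n - 1) = 0.  Only
    practical for small n (there are 2**(2**n) tables).
    """
    width = 1 << n
    found = []
    for table in range(1 << width):
        if heuristics:
            if not (table & 1) or (table >> (width - 1)) & 1:
                continue
            if bin(table).count("1") != width // 2:
                continue
        if classify(n, table) == "pi-NLFSR":
            found.append(table)
    return found


# Truth tables from the description: figure 2 (3x1), figures 3 and 4 (4x1).
FIG2, FIG3, FIG4 = (3, 0x77), (4, 0x6119), (4, 0x34D1)

if __name__ == "__main__":
    for n, table in (FIG2, FIG3, FIG4):
        print(f"{n}-bit {table:0{1 << n}b}: {classify(n, table)}, "
              f"loop {find_loops(n, table)[0]}, direct joins {direct_joins(n, table)}")
```

Running the three page tables through find_loops gives exactly the identity loops listed in the description, with 2 direct joins for figure 3 and 5 for figure 4, which is the difference in convergence the comparison above points out. Note that none of the three page tables is balanced (they have six, six and seven ones respectively), so the balanced-function rule is a pruning heuristic rather than a necessary condition; search(3, heuristics=False) still finds the figure 2 table.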
If only a single bit of an RNS remainder with a prime modulus is selected as output, as described in our above-referenced co-pending Australian provisional patent application, the resulting sequence is also a pi-NLFSR.
An i-NLFSR guarantees that, regardless of the initial state, it will converge to the identity period.
In principle i-NLFSRs are independent of the type of NLFSR construction used to execute them. i-NLFSRs are known to exist for every natural number 2 through 2^n bits, including de Bruijn sequences, according to NLFSR engines of the kind shown in Figure 1.
Figure 5 illustrates another preferred embodiment of the current invention known to generate i-NLFSR sequences. The reference number 600 indicates an input of 33 bits, only eight bits 601, 602, 603, 604, 605, 606, 607 and 608 of which are illustrated in the drawing. The reference number 610 indicates an internal state of 33 bits, only eight 611, 612, 613, 614, 615, 616, 617 and 618 of which are illustrated in the drawing. The reference number 620 indicates an output of 33 bits, only eight 621, 622, 623, 624, 625, 626, 627 and 628 of which are illustrated in the drawing. The region 619 illustrates the intermediate state 610 being rotated by 1 bit in a clockwise fashion to generate the output 620.
The nonlinear feedback function 630 takes as input the least significant bit 601 of input 600 and the most significant bit 608 of 600. A range of 0 to (the length of state 600 - 3) additional bits are selected as input. Figure 5 illustrates the nonlinear feedback function 630 adapted to receive four additional inputs from 600. The single bit output of 630 is stored in intermediate state 611. The remaining 32 intermediate bits 612 through 618 are assigned the 32 values from the range of 602 through 608 respectively. The 33 bits of intermediate state 610 are rotated by 1 bit in a clockwise fashion.
ni-NLFSRs and pi-NLFSRs with very long periods approaching 2^n for internal states of n bits are known to exist according to NLFSR engines as shown in Figure 5.
Figure 6 illustrates an alternate preferred embodiment of the current invention known to generate i-NLFSR sequences. The reference number 700 indicates a state of 32 bits, eight bits of which 701, 702, 703, 704, 705, 706, 707 and 708 are shown in the drawing. The reference number 710 indicates an intermediate state of 32 bits, eight of which 711, 712, 713, 714, 715, 716, 717 and 718 are shown in the drawing. The reference number 720 indicates an output of 32 bits, eight bits of which 721, 722, 723, 724, 725, 726, 727 and 728 are shown in the drawing. The region of the drawing that is indicated by reference number 719 partially illustrates the intermediate state 710 of 32 bits being rotated by 2 bits in a clockwise fashion.
The nonlinear feedback function 730 takes as input the least significant bit 701 and the most significant bit 708 of input 700. A range of 0 to (the length of state 700 - 3) additional bits are selected as input to the feedback function 730. Figure 6 illustrates the nonlinear feedback function 730 as receiving four additional bits from input 700. The two bits of output of 730 are stored in intermediate state 710 in 711 and 712. The remaining 30 intermediate bits 713 through 718 are assigned the 30 values from the range of 703 through 708 respectively. The 32 bits of intermediate state 710 are rotated by 2 bits in a clockwise fashion.
Any rotation from 1 to n-1 bits can be selected and any choice of two or more bits of the state can be used as input to the feedback function 730 updating the internal state 700 of the NLFSR engine.
i-NLFSRs are known to exist according to NLFSR engines shown in Figure 6.
Figure 7 illustrates a process according to a preferred embodiment of the current invention. The portion of the drawing indicated by reference number 900 shows five finite state machines that implement the remainders of an RNS counter. The 5 remainders 901, 902, 903, 904 and 905 are selected from finite state machines with periods chosen according to our above-referenced co-pending Australian provisional patent application. For the purpose of illustration the five moduli in 900 are i-NLFSRs. Remainder 901 releases one bit of state 911 every round. Remainders 902, 903, 904 and 905 each release one bit of state 912, 913, 914 and 915 respectively every round. Function 920 takes five inputs from the outputs 911, 912, 913, 914 and 915 and releases one bit 921 every round.
In a preferred embodiment the function 920 is a 5-to-1 XOR operation, which ensures that each of the 5 moduli in 900 contributes to the total period length released as bit 921. XORing several i-NLFSRs together reduces the predictability of bit 921.
In another preferred embodiment of the current invention the operation 920 performs a nonlinear function releasing a single bit of output 921. For the purpose of illustration, the nonlinear operation 920 is calculated as (911 XOR 912 XOR 913 XOR (914 AND 915)), releasing 1 bit of output 921. The periods of 911, 912 and 913 are guaranteed, and the AND of 914 and 915 further reduces the predictability of the output. In this way a linear combination of RNS moduli can be used to guarantee a certain minimal period length, together with other moduli that increase the guaranteed period length as well as the randomness properties of the output.
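The RNS counter of figure 7, with both the 5-to-1 XOR combiner and the nonlinear combiner described above, as an added Python example that is not the patent's own code. It uses the same NLFSR model assumed in the earlier example (right shift, feedback into the most significant bit, truth-table bit i = f(i)), assumes each remainder releases its least significant state bit every round, and builds the remainders from the figure 2, 3 and 4 truth tables plus one constructed 3-bit table (0x67, identity loop of length 7) so that the linearly combined remainders have pairwise coprime prime periods 5, 7 and 11. The five-input nonlinear combiner reuses the figure 3 table started at a second phase as its fifth remainder. Names such as RnsCounter and measured_period are this example's own.

```python
"""RNS counter from i-NLFSR remainders with the two figure 7 combiners.

Added example, not the patent's code.  Assumptions: same NLFSR model as the
earlier example (right shift, feedback into the MSB, truth-table bit i =
f(i)); every remainder releases its least significant state bit each round
before stepping; the remainders are the figure 2, 3 and 4 tables plus one
constructed 3-bit table (0x67, identity loop of 7) giving pairwise coprime
prime periods 5, 7 and 11.
"""
import math
from functools import reduce


def step(state, n, table):
    """One NLFSR round (same model as the earlier example)."""
    return (state >> 1) | (((table >> state) & 1) << (n - 1))


def identity_period(n, table, start=0):
    """Length of the loop reached from `start`: the identity loop for an i-NLFSR."""
    s = start
    for _ in range(1 << n):            # at most 2**n steps to reach the loop
        s = step(s, n, table)
    first, s, length = s, step(s, n, table), 1
    while s != first:
        s, length = step(s, n, table), length + 1
    return length


class RnsCounter:
    """Several i-NLFSR remainders advanced in lock step, one combined bit out."""

    def __init__(self, remainders, combiner):
        # remainders: list of (n, truth_table, initial_state), one per modulus
        self.regs = [(n, table) for n, table, _ in remainders]
        self.states = [s0 for _, _, s0 in remainders]
        self.combiner = combiner

    def round(self):
        bits = [s & 1 for s in self.states]                  # release the LSBs
        self.states = [step(s, n, t) for s, (n, t) in zip(self.states, self.regs)]
        return self.combiner(bits)


def xor_all(bits):
    """Linear combiner: every remainder contributes to the output period."""
    return reduce(lambda a, b: a ^ b, bits)


def xor3_and2(bits):
    """Nonlinear combiner from the description: 911 ^ 912 ^ 913 ^ (914 & 915)."""
    b1, b2, b3, b4, b5 = bits
    return b1 ^ b2 ^ b3 ^ (b4 & b5)


def minimal_period(bits, transient):
    """Smallest p with bits[t] == bits[t + p] for every t past the transient."""
    tail = bits[transient:]
    for p in range(1, len(tail) // 2 + 1):
        if all(tail[i] == tail[i + p] for i in range(len(tail) - p)):
            return p
    return None


def measured_period(remainders, combiner, rounds=1200, transient=32):
    """Run the counter and measure the period of its output bit stream."""
    ctr = RnsCounter(remainders, combiner)
    stream = [ctr.round() for _ in range(rounds)]
    return minimal_period(stream, transient)


def guaranteed_period(remainders):
    """lcm of the identity periods; coprime prime moduli make this the product."""
    periods = [identity_period(n, t) for n, t, _ in remainders]
    return reduce(lambda a, b: a * b // math.gcd(a, b), periods)


FIG2 = (3, 0x77, 0)     # identity loop of 5 (figure 2)
P7 = (3, 0x67, 0)       # constructed table, identity loop of 7
FIG3 = (4, 0x6119, 0)   # identity loop of 11 (figure 3)
FIG4 = (4, 0x34D1, 0)   # identity loop of 11 (figure 4)
LINEAR = [FIG2, P7, FIG3]
# Five remainders for the nonlinear combiner; the last is FIG3 at a second phase.
NONLINEAR = [FIG2, P7, FIG3, FIG4, (4, 0x6119, 8)]

if __name__ == "__main__":
    print("XOR: guaranteed", guaranteed_period(LINEAR),
          "measured", measured_period(LINEAR, xor_all))
    print("nonlinear: measured", measured_period(NONLINEAR, xor3_and2))
```

For the XOR combiner the measured and guaranteed periods agree at 5 x 7 x 11 = 385, because the output bit of a prime-period remainder has that full period unless it is constant, and XORing streams with pairwise coprime odd periods multiplies them. With the nonlinear combiner the AND term only alters the period-11 component, so the 5 and 7 moduli alone guarantee a multiple of 35; with these phases the full 385 is reached.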
Figure 8 illustrates another preferred embodiment of the current invention. Module 940 is an RNS counter as described for figure 7, releasing one bit of output every round. Module 950 is a nonlinear bijective accumulator, taking one bit of input and releasing one bit of output as described in our above-referenced co-pending Australian provisional patent application, consisting of 12 bits of internal state 952 through 963 and a single key input bit 951.
The sequence generated by 940 is hashed in a lossless bijective fashion in 950. In the current illustration it takes 12 rounds to load 12 bits of unique state from 940. In a preferred embodiment a full 12 rounds of RNS output from 940 are loaded into 950 to initialize it; then, for each additional round of RNS output from 940, one bit of state 965 is released as output. Module 950 increases the randomness properties of the RNS counter output while ensuring a certain minimal period length.
In another preferred embodiment the i-NLFSRs used in RNS counters are selected by evaluating the linear complexity of the nonlinear feedback function as an Nx1 substitution box. That is, a heuristic process generates several unique i-NLFSRs with equal identity periods and selects the i-NLFSR with the strongest nonlinear feedback function. This process is repeated for each of the i-NLFSR moduli used in a remainder number system (RNS) counter.
In a preferred embodiment the i-NLFSRs used in RNS counters are selected by evaluating the randomness of the output of each i-NLFSR. A heuristic process generates several unique i-NLFSRs with equal identity periods. For each i-NLFSR the engine is executed, releasing every bit, every second bit, every third bit and so on, and the output streams are subjected to a number of randomness tests. The i-NLFSR that best passes the randomness tests is selected. If multiple i-NLFSRs have equivalent randomness properties, one may be selected at random or the entire RNS set can be subjected to further randomness testing as described above.
In a preferred embodiment the i-NLFSRs are selected by evaluating the number of states that directly join onto the identity period. A heuristic process generates several unique instances of i-NLFSRs with equal identity periods. For each i-NLFSR the number of unique joins is counted, and the i-NLFSR with the lowest number of collisions is selected.
In a preferred embodiment the heuristic searching process selects NLFSRs that have i loops such that each of the i loops is longer than t, and such that any state not on the i loops converges to one of the i loops, where t is larger than 2^(n/2). Selecting values of t larger than 2^(n/2) ensures that the counters perform significantly better than the expected average performance of randomly chosen functions.
Although detailed embodiments, with a number of variations, which incorporate the teachings of the present invention have been shown and described in detail herein, those skilled in the art can readily devise many other embodiments and applications of the present invention that still utilize these teachings. Those skilled in the art can readily adapt the NLFSRs described above as a one-to-one replacement for counters of other types in existing designs.
For instance, in a preferred embodiment the i-NLFSR replaces a maximal distance linear feedback shift register used for the generation of spreading sequences.
In another preferred embodiment an RNS counter comprising at least two i-NLFSR remainders replaces a chaotic sequence generator.
'Comprises/comprising' when used in this specification is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.

Claims
1. A process of incrementing a counter, comprising updating the state of an n-bit NLFSR by a nonlinear feedback function, such that the length of each loop of the NLFSR is greater than 1 and is not a power of 2.
2. A process as claimed in claim 1, in which the NLFSR has at least one and no more than four loops.
3. A process as claimed in claim 1 or claim 2, in which n is greater than 5.
4. A process as claimed in any one of the preceding claims, in which the length of each loop of the NLFSR is a prime number.
5. A process as claimed in any one of the preceding claims, in which the values of the counter are used to ensure a predetermined minimal period length in another cryptographic module.
6. A process as claimed in claim 5, in which the another cryptographic primitive is one of a stream cipher, a block cipher, a hash function and a pseudo-random number generator.
7. A process of counting in accordance with a remainder number system, the process of counting comprising: a first process as claimed in any one of the preceding claims; and a second process as claimed in any one of the preceding claims.
8. A process as claimed in claim 7, in which outputs of at least two counters are combined by a linear function.
9. A process as claimed in claim 7, in which outputs of at least two counters are combined by a bijective nonlinear function.
10. Data which has been generated by encryption according to the process of any one of the preceding claims.
11. Data which has been generated by decryption according to the process of any one of claims 1 to 9.
12. A message authentication code which has been generated by hashing according to the process of any one of claims 1 to 9.
13. A hash which has been generated by hashing according to the process of any one of claims 1 to 9.
14. Pseudo-random sequences which have been generated according to the process of any one of claims 1 to 9.
15. Spreading sequences which have been generated according to the process of any one of the claims 1 to 9.
16. A machine readable substrate carrying data which has been generated according to the process of any one of claims 1 to 9.
17. A signal carrying data which has been generated according to the process of any one of claims 1 to 9.
18. Apparatus for encoding a digital input, which apparatus performs a process according to any one of claims 1 to 9.
19. Apparatus for decoding a digital input, which apparatus performs a process according to any one of claims 1 to 9.
PCT/AU2006/000528 2005-04-20 2006-04-20 Process of and apparatus for counting WO2006110955A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP06721408A EP1872515A1 (en) 2005-04-20 2006-04-20 Process of and apparatus for counting

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
AU2005901988 2005-04-20
AU2005901988A AU2005901988A0 (en) 2005-04-20 Process of and Apparatus for Counting
AU2005902030A AU2005902030A0 (en) 2005-04-22 Process of and Apparatus for Counting
AU2005902030 2005-04-22

Publications (1)

Publication Number Publication Date
WO2006110955A1 true WO2006110955A1 (en) 2006-10-26

Family

ID=37114633

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2006/000528 WO2006110955A1 (en) 2005-04-20 2006-04-20 Process of and apparatus for counting

Country Status (3)

Country Link
EP (1) EP1872515A1 (en)
TW (1) TW200707276A (en)
WO (1) WO2006110955A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201025095A (en) * 2008-12-31 2010-07-01 Giantplus Technology Co Ltd Touch-control LCD device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3911330A (en) * 1974-08-27 1975-10-07 Nasa Nonlinear nonsingular feedback shift registers
US3911216A (en) * 1973-12-17 1975-10-07 Honeywell Inf Systems Nonlinear code generator and decoder for transmitting data securely
EP0615361A1 (en) * 1993-03-12 1994-09-14 Hughes Aircraft Company System and method for high speed encryption using multiple keystream generator
FR2859290A1 (en) * 2003-08-29 2005-03-04 Infineon Technologies Ag Pseudo-random number generator for e.g. chip card, has combination unit to combine outputs of non linear feedback shift registers to obtain combined signal comprising pseudo random number at output

Also Published As

Publication number Publication date
TW200707276A (en) 2007-02-16
EP1872515A1 (en) 2008-01-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase (Ref country code: DE)
WWW Wipo information: withdrawn in national office (Country of ref document: DE)
WWE Wipo information: entry into national phase (Ref document number: 2006721408; Country of ref document: EP)
NENP Non-entry into the national phase (Ref country code: RU)
WWW Wipo information: withdrawn in national office (Country of ref document: RU)
WWP Wipo information: published in national office (Ref document number: 2006721408; Country of ref document: EP)