WO2007129197A1 - Cryptographic apparatus and process - Google Patents

Cryptographic apparatus and process Download PDF

Info

Publication number
WO2007129197A1
Authority
WO
WIPO (PCT)
Prior art keywords
block
blocks
input
cyclic
function
Prior art date
Application number
PCT/IB2007/001162
Other languages
French (fr)
Inventor
Sean O'neil
Original Assignee
Synaptic Laboratories Limited
Priority claimed from AU2006902344A external-priority patent/AU2006902344A0/en
Application filed by Synaptic Laboratories Limited
Publication of WO2007129197A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0637 Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L 9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L 9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L 9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator
    • H04L 9/0668 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator producing a non-linear pseudorandom sequence

Definitions

  • the present invention relates to cryptographic functions that are particularly applicable to stream ciphers, message authentication codes and hash functions.
  • PCT/IB2005/001487 entitled Process of and apparatus for encoding a signal
  • PCT/IB2005/001475 entitled A method of and apparatus for encoding a signal in a hashing primitive, the contents of all of which are incorporated herein by reference.
  • a linear cryptographic function is understood to be a function of any given number of inputs and any given number of outputs such that the relationship between every bit of output and every bit of input is a polynomial of a degree not higher than 1.
  • a typical linear cryptographic function is an XOR of a number of input bits. All linear cryptographic functions are reversible. There are no irreversible linear cryptographic functions.
  • a cryptographic function is called reversible regarding a given input if the computational cost of finding the value of that input knowing the output and all other inputs is comparable with the computational cost of calculation of the cryptographic function itself.
  • Addition modulo 2^n, multiplication modulo 2^n and multiplicative inverse modulo 2^n are typical reversible non-linear cryptographic functions.
  • the reversibility of a non-linear cryptographic function regarding any of its inputs is determined individually for each input. Any given non-linear cryptographic function may be reversible regarding one input and irreversible regarding another or it can be either reversible or irreversible regarding all its inputs.
  • a block cipher is a reversible non-linear cryptographic function regarding its plaintext input, but it is irreversible regarding its key, and a keyed cryptographic hash is irreversible regarding both its inputs, data and key.
  • a linear combination of non-linear cryptographic functions is also a non-linear cryptographic function.
  • a non-linear cryptographic function of a linear combination of its inputs is also a non-linear cryptographic function. Both these cases are referred to as 'a non-linear cryptographic function' in this specification and are marked according to their reversibility regarding the current block as one of the inputs.
  • a non-linear cryptographic function is reversible regarding one of its inputs x, then a reversible linear or non-linear combination of that input x or that function's output with any other input is also a non-linear cryptographic function reversible regarding that input x.
  • if a non-linear cryptographic function is irreversible regarding one of its inputs x, then a combination of one or more of its inputs and/or its output with any other cryptographic function, linear or non-linear, reversible or irreversible, is also irreversible regarding that input x.
  • Cryptographic processes such as block ciphers, in general, receive plaintext and initialize their states with that plaintext. That state is received as input by a further iterative process that updates a portion of the process state in a non-linear fashion. When the iterative process is terminated, the final plaintext is released as ciphertext.
  • Cryptographic processes such as word-based stream ciphers, in general, receive key material and initial vectors and initialize their states with that material. That state is received as input by a further iterative process that updates a portion of the process state in a nonlinear way, and which includes an output combiner function that combines several blocks of the process state with a block of plaintext to produce a block of ciphertext.
  • Stream ciphers can also operate as pseudo-random number generators, which have a broad use outside of cryptographic applications.
  • a cryptographic operation that updates a single bit or a contiguous set of bits of the process state in general, is referred to as a round function or a feedback function.
  • An iterative state update process often referred to as 'a round' comprises the invocation of at least one round function, so that each bit of the process state updated by the round update process is updated by exactly one round function invocation.
  • a full positive difference set is a choice of input taps differences primarily applied to feedback shift-register (FSR) generators ensuring that no pair of inputs is used to update more than one bit in the state.
  • FSR feedback shift-register
  • Figure 1 illustrates the block interdependencies of asynchronous unidirectional block chaining of cyclic internal state according to the type found in the "Rabbit Cipher" of Cryptico A/S.
  • One iteration of the round function of a cipher illustrated in figure 1 results in all 10 blocks 100 to 109 being updated by a set of feedback functions simultaneously.
  • Block 100 is dependent on the state of the cyclic preceding blocks 109 and 108 of the previous round.
  • Block 100 neither depends on nor influences all other 9 blocks of state in one iteration; therefore multiple iterations are required for a change in one block to affect all the blocks in the state.
  • each of the blocks 101 to 109 depends on the 2 blocks immediately cyclically preceding it.
  • each updated block depends on the 2 blocks immediately preceding it, resulting in a change propagating in a clockwise manner.
  • block 100 influences blocks 101 and 102. After two iterations of the round function, block 100 influences blocks 101 to 104; after three iterations 101 to 106; after four iterations 101 to 108; and after five iterations of the round function block 100 influences all blocks in the state.
  • Input to all the feedback functions in the cipher illustrated on figure 1 is drawn only from the cyclic preceding blocks as is done in asymmetric word-based ciphers and all block chaining methods for block-ciphers.
  • the present invention provides a cryptographic state update process which: receives a contiguously numbered blocks I1, I2 to Ia, where a is at least 5, and outputs a contiguously numbered blocks O1, O2 to Oa, where the length of the sum of the bits I1, I2 to Ia is equal to the length of the sum of the bits O1, O2 to Oa; and each of the a contiguously numbered blocks I1, I2 to Ia has a one-to-one corresponding index to the contiguously numbered blocks O1, O2 to Oa, the indexing for blocks in I and O being cyclic, such that index a+1 references the cyclic first index 1 and index 1-1 references the cyclic last index a; the state update function comprising b feedback functions F1, F2 to Fb, each of which has a multiple-input single-output Boolean function f1, f2 to fb
  • none of the outputs of a feedback function are used as inputs into the same feedback function on the next iteration.
  • the distances between input blocks to the feedback functions form a full positive difference set.
  • cyclic preceding and cyclic following blocks the blocks located cyclically before and after the current block in the state. Accordingly, we refer to distances between two blocks as the difference between indexes of those blocks.
  • the nonlinear block chaining defined by the present invention allows the cipher state to be concurrently updated by small feedback functions in its entirety when implemented in hardware or the potential to take advantage of multiple instruction-level parallelism present in modern general purpose processors.
  • It can also be used in conjunction with an output combiner function to construct stream ciphers releasing output on every round. It can also be used in conjunction with existing block ciphers or hash functions used as round functions.
  • Figure 1 illustrates transitions in internal state of the Rabbit cipher
  • FIG. 2 illustrates hardware according to embodiments of the current invention
  • FIG. 3 illustrates the data dependencies of one embodiment of the current invention
  • FIG. 4 illustrates operation of embodiments of the current invention.
  • Figure 2 illustrates some fields of use apparatus according to embodiments of the present invention.
  • reference numbers 201 and 202 each represent hardware devices that are in communication with each other by communication means indicated generally by reference numbers 203 and 204.
  • devices 201 and 202 represent semiconductor chips mounted on-board in a device and 203 and 204 represent a bus over which chips 201 and 202 communicate.
  • the chips 201 and 202 each have a stream-cipher encryption module 205, 206 respectively securing communications between the chips 201 and 202.
  • the in-chip encryption modules 205 and 206 make it more difficult for a copyist to reverse-engineer the contents of chips 201 and 202 by analysis of signals going in and out of a chip.
  • These in-chip encryption modules also make the use of the device more secure against electronic eavesdropping.
  • Figure 3 illustrates the block interdependencies of asynchronous bidirectional nonlinear block chaining of cyclic internal state updated by a round function according to a preferred embodiment of the current invention.
  • Blocks 300 to 309 illustrate the cipher state. During the round update process, block 300 depends on the immediately cyclic preceding block 309 and the immediately cyclic following block 301. Each of the blocks 301 to 309 also depend on 2 blocks, one immediately cyclic preceding and one immediately cyclic following.
  • block 300 influences 309 and 301.
  • block 300 influences 308, 309, 301 and 302; after three iterations, 307 to 309 and 301 to 303; after four iterations, 306 to 309 and 301 to 304; after five iterations, block 300 influences all the blocks in the state.
  • FIG. 4 illustrates operation of embodiments of the current invention.
  • the process state 400 is partitioned on six equidistant blocks 401 to 406, all of the same length greater than one bit.
  • the process state is initialized through an initialization function.
  • the inputs to the initialization function are selected according to the operation to be performed. Some exemplary embodiments are described in figures 5, 6 and 7. One or more of the following are accepted as inputs to the input process:
  • Nonlinear feedback function 421 takes as input current block 401, its cyclic preceding block 406, its cyclic following block 402 and optional additional blocks of process input
  • Nonlinear feedback function 422 takes as input current block 402, its cyclic preceding block 401, its cyclic following block 403 and optional additional blocks of process input
  • Nonlinear feedback function 423 takes as input current block 403, its cyclic preceding block 402, its cyclic following block 404 and optional additional blocks of process input
  • Nonlinear feedback function 424 takes as input current block 404, its cyclic preceding block 403, its cyclic following block 405 and optional additional blocks of process input 414 and generates an output that is used to update the current block 404.
  • Nonlinear feedback function 425 takes as input current block 405, its cyclic preceding block 404, its cyclic following block 406 and optional additional blocks of process input 415 and generates an output that is used to update the current block 405.
  • the feedback functions 421 to 425 may implement different nonlinear operations to increase the complexity of the cipher round function.
  • the blocks 401 to 406 of the process state are preferably updated in arbitrary order, with partial or full concurrency, by the nonlinear feedback functions 421 to 426.
  • the optional inputs 411 to 416 supplied to feedback functions 421 to 426 are selected according to the operation to be performed. Some exemplary embodiments are described in figures 5, 6 and 7. One or more of the following are accepted as inputs to the input process:
  • other preferred embodiments of the current invention are assisted by counters, as shown in figure 4, where an optional counter state 418 is updated by a (preferably nonlinear) counter feedback function 428 and is used as an additional input into a nonlinear feedback function 425.
  • One of the counter purposes is ensuring a guaranteed long period.
  • the round functions may accept more than one cyclic preceding or cyclic following blocks as illustrated in function 425 that accepts as input a cyclic preceding block 403 and a cyclic following block 407.
  • Nonlinear round function 426 takes as input cyclic preceding block 401, cyclic following block 403, current block 402 and zero or more additional blocks of input 412 and generates an output that updates the current block 402.
  • the optional output combiner function 429 used in preferred embodiments of the current invention operating as stream ciphers takes as its inputs blocks 401, 402 and 406 and as a reversible input a plaintext/ciphertext block 419 and produces an output block 409.
  • a portion of the output block 409 is released on each iteration as the ciphertext/plaintext.
  • a second portion of the output block 409 is used as an additional input to a feedback function 421.
  • more than one iteration of the round update process is performed before any material is released as output. In a preferred embodiment of the current invention, more than one iteration of the round update process is performed between the cryptographic process outputs.
  • Common word lengths for general-purpose software processors include 8, 16, 32, 64 and 128 bits.
  • the blocks have uniform length in bits mapping to the word length of a common software processor.
  • the feedback functions accept blocks of uniform length in bits and selected to match a common word-length as described above.
  • Figure 5 illustrates a preferred process of operation for the embodiment of figure 4 for the purpose of generating a hash.
  • Label 501 illustrates the start of the process.
  • Process 502 initializes the intermediate state 401 to 406 with plaintext material.
  • the iterative round update process 503 executes a set of round update functions, where feedback functions 421 to 426 are invoked.
  • Decision 504 determines if a sufficient number of iterations have been performed. If 504 is false, execution returns to step 503.
  • Process 505 performs a filter function 429, taking as input the original values of 406, 401 and 402 and releases output 409.
  • the iterative round update process 506 executes a set of round update functions, where feedback functions 421 to 426 are invoked.
  • Decision 507 determines if a sufficient number of blocks of output have been generated. If 507 is false, execution returns to step 505. The process stops at 508.
  • Figure 6 illustrates another preferred process of operation for the embodiment of figure 4 as a stream cipher and performing single-pass authenticated encryption.
  • Label 601 illustrates the start of the process.
  • Process 602 initializes the process state 401 to 406 with a fixed constant material.
  • Process 602 also initializes the counter 418 with a fixed constant value.
  • the counter state 418 is supplied as input to round function 425 on every iteration throughout the entire process.
  • the counter 418 is incremented on every iteration by the counter update function 428 throughout the entire process.
  • the iterative update process 603 executes the feedback functions 421 to 426.
  • One or more of the round functions 421 to 426 receive key and/or IV material as input blocks 411 to 416. No output is released.
  • Decision 604 determines if a sufficient number of iterations have been performed to load the key material. If 604 is false, execution returns to step 603.
  • the iterative update process 605 executes the feedback functions 421 to 426. No output is released. Decision 606 determines if a sufficient number of iterations have been performed to seal the cipher state. If 606 is false, execution returns to step 605.
  • the iterative update process 607 executes the feedback functions 421 to 426.
  • Round function 421 receives a portion of the previous value of 409 as one of its inputs from now on.
  • Process 608 executes a filter function 429 taking as input the original values of 406, 401 and 402 and plaintext block 419 and releases output 409 a part of which is returned as a block of ciphertext output of the cryptographic process.
  • Decision 609 determines if a sufficient number of plaintext blocks have been encrypted. If 609 is false, execution returns to step 605.
  • the iterative update process 610 executes the feedback functions 421 to 426. No output is released. Decision 611 determines if a sufficient number of iterations have been performed to seal the cipher state. If 611 is false, execution returns to step 610.
  • the iterative update process 612 executes the feedback functions 421 to 426.
  • Process 613 executes a filter function 429 taking as input the original values of 406, 401 and 402 and releases an output block 409, a portion of which is returned as a block of message authentication code output of the cryptographic process.
  • Decision 614 determines if a sufficient number of MAC blocks have been generated. If 614 is false, execution returns to step 612.
  • Figure 7 illustrates another preferred process of operation for the embodiment of figure 4 for the purpose of hashing user data.
  • Label 701 illustrates the start of the process.
  • Process 702 initializes the intermediate state 401 to 406 with key material and constant values.
  • the iterative process 703 executes the feedback functions 421 to 426, supplying user data blocks as inputs 411 to 416. No output is released. Decision 704 determines if all user data blocks have been processed a sufficient number of times. If 704 is false, execution returns to step 703.
  • Process 705 combines a number of bits of the process state and releases at least one bit of the process state as hash output of the cryptographic process.
  • Label 706 indicates that the process stops.
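The figure 6 procedure (constant initialisation of 401 to 406 and counter 418, key/IV loading through inputs 411 to 416, a sealing loop, per-block encryption with part of block 409 fed back into 421, a second sealing loop, then MAC blocks from filter 429) as an added, runnable skeleton. It is constructed for this page only, not the patent's own code: the feedback function, constants, iteration counts, the counter update, the 32-bit six-block state and the choice of which bits of 409 are fed back are all assumptions made here, and the result is not a secure cipher. What it does show is why the construction is single-pass: the ciphertext feeds the state, so the MAC computed afterwards depends on every ciphertext block without a second pass over the data.

```python
"""Toy walk-through of the patent's figure 6 process (constructed example,
not the patent's feedback functions; not a secure cipher)."""

MASK = 0xFFFFFFFF            # 32-bit blocks, a common processor word length
NUM_BLOCKS = 6               # blocks 401..406 of figure 4
FB_MASK = 0xFFFF             # assumed "second portion" of 409 fed back into 421
KEY_LOAD_ITERS = 8           # loop 603/604 iteration count (assumed)
SEAL_ITERS = 8               # loops 605/606 and 610/611 (assumed)
ROUNDS_BETWEEN_OUTPUTS = 2   # "more than one iteration between outputs" (assumed)
TAG_WORDS = 2                # MAC blocks released by loop 612..614 (assumed)


def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def toy_feedback(cur, prev, nxt, extra):
    """Constructed nonlinear feedback over the current block, its cyclic
    preceding and cyclic following neighbours and one optional input block."""
    mixed = ((cur + prev) & MASK) ^ rotl(nxt, 13)
    mixed ^= ((prev | 1) * nxt) & MASK           # multiplication mod 2^32
    return (rotl(mixed, 7) + extra) & MASK


class ToyCipher:
    def __init__(self):
        # process 602: balanced constants in 401..406 and a constant in counter 418
        self.state = [0x5A5A5A5A, 0xA5A5A5A5, 0x3C3C3C3C,
                      0xC3C3C3C3, 0x66666666, 0x99999999]
        self.counter = 0x0F0F0F0F
        self.fb = 0                  # portion of the previous 409 seen by 421

    def iterate(self, inputs=(0,) * NUM_BLOCKS):
        """One round: every block updated concurrently from the old state."""
        s = self.state
        new = []
        for i in range(NUM_BLOCKS):
            extra = inputs[i]
            if i == 0:
                extra ^= self.fb             # 421 receives part of previous 409
            if i == 4:
                extra ^= self.counter        # 425 receives counter 418
            new.append(toy_feedback(s[i], s[i - 1], s[(i + 1) % NUM_BLOCKS], extra))
        self.state = new
        self.counter = (self.counter + 1) & MASK   # counter update 428 (assumed linear)

    def combine(self):
        # filter / output combiner 429 over blocks 401, 402 and 406
        s = self.state
        return (rotl(s[0], 5) + (s[1] ^ s[5])) & MASK

    def absorb(self, words, iters=KEY_LOAD_ITERS):
        # loop 603/604: key and IV words enter as inputs 411..416, nothing released
        padded = list(words) + [0] * (-len(words) % NUM_BLOCKS)
        for _ in range(iters):
            for off in range(0, len(padded), NUM_BLOCKS):
                self.iterate(tuple(padded[off:off + NUM_BLOCKS]))

    def seal(self, iters=SEAL_ITERS):
        for _ in range(iters):
            self.iterate()

    def process(self, words, decrypt):
        """Steps 605..609: 409 = combiner output XOR plaintext; the whole of 409 is
        the ciphertext word and its low half is fed back on later rounds."""
        out = []
        for w in words:
            for _ in range(ROUNDS_BETWEEN_OUTPUTS):
                self.iterate()
            ks = self.combine()
            other = w ^ ks                   # ciphertext when encrypting, plaintext when decrypting
            ct = w if decrypt else other
            out.append(other)
            self.fb = ct & FB_MASK           # both sides feed back the same ciphertext bits
        return out

    def tag(self, words=TAG_WORDS):
        # steps 610..614: seal, then release MAC blocks from the filter
        self.seal()
        return [self.combine() for _ in range(words) if self.iterate() is None]


def aead_encrypt(key, iv, plaintext):
    c = ToyCipher()
    c.absorb(list(key) + list(iv))
    c.seal()
    ciphertext = c.process(plaintext, decrypt=False)
    return ciphertext, c.tag()


def aead_decrypt(key, iv, ciphertext, tag):
    c = ToyCipher()
    c.absorb(list(key) + list(iv))
    c.seal()
    plaintext = c.process(ciphertext, decrypt=True)
    return plaintext if c.tag() == tag else None


if __name__ == "__main__":
    key = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0xCAFEBABE]   # constructed test values
    iv = [1, 2]
    pt = [0x48656C6C, 0x6F2C2077, 0x6F726C64]
    ct, tag = aead_encrypt(key, iv, pt)
    print("ciphertext", [hex(w) for w in ct], "tag", [hex(w) for w in tag])
    print("verified:", aead_decrypt(key, iv, ct, tag) == pt)
    ct[0] ^= 1
    print("tampered accepted:", aead_decrypt(key, iv, ct, tag) is not None)
```

Decryption recomputes the same state sequence because the bits fed back into 421 are taken from the ciphertext, which both sides have; feeding back plaintext bits instead would still decrypt but would make the tag independent of transmission errors in the bits not fed back.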

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Physics & Mathematics (AREA)
  • Nonlinear Science (AREA)
  • Storage Device Security (AREA)

Abstract

A cryptographic state update process uses both cyclic preceding and cyclic following blocks as inputs into a round function.

Description

Title
Cryptographic apparatus and process.
Field of the invention
The present invention relates to cryptographic functions that are particularly applicable to stream ciphers, message authentication codes and hash functions.
Background of the invention
The present application is related to our co-pending international patent applications, filed on 10 May 2005:
PCT/IB2005/001499 entitled Methods of encoding and decoding data;
PCT/IB2005/001487 entitled Process of and apparatus for encoding a signal; PCT/IB2005/001475 entitled A method of and apparatus for encoding a signal in a hashing primitive, the contents of all of which are incorporated herein by reference.
Throughout this specification, including the claims: we use the terms 'comprises' and 'comprising' to specify the presence of stated features, integers, steps or components but do not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof; when we refer to blocks of data, key or hash bits, it is to be understood that they are of arbitrary size, not necessarily identical in size, and depend on the function receiving input or generating output; we use the term 'secret key material' to refer to material that consists of at least one secret key or material directly derived from that at least one secret key; we use the term 'key material' synonymously with the term 'secret key material'; we use the term 'cipher state' to refer to the variables updated by a round function; and we use the term 'balanced constant' to refer to constants consisting of 50% binary zero digits and 50% binary 1 digits.
In cryptography, a linear cryptographic function is understood to be a function of any given number of inputs and any given number of outputs such that the relationship between every bit of output and every bit of input is a polynomial of a degree not higher than 1. (An illustration of the sense that the term 'polynomial' has in the present art is in the analysis of linear feedback shift registers which is set out at pages 372 to 379 of the book Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier, second edition, 1996.)
A typical linear cryptographic function is an XOR of a number of input bits. All linear cryptographic functions are reversible. There are no irreversible linear cryptographic functions.
A cryptographic function is called reversible regarding a given input if the computational cost of finding the value of that input knowing the output and all other inputs is comparable with the computational cost of calculation of the cryptographic function itself. Addition modulo 2^n, multiplication modulo 2^n and multiplicative inverse modulo 2^n are typical reversible non-linear cryptographic functions.
A cryptographic function is called irreversible regarding a given input if the computational cost of finding the value of that input knowing the output and all other inputs is either computationally infeasible or extremely high compared with the computational cost of calculation of the cryptographic function itself. y = x <<< x (x rotated left by x bits) is given as an example of an irreversible non-linear cryptographic function. (Note that on an n-bit word the rotation amount is x mod n, so at most n candidate preimages need to be tried; what this example illustrates is a non-bijective function, with some outputs having no preimage and others several, rather than one that is expensive to invert.)
The reversibility of a non-linear cryptographic function regarding any of its inputs is determined individually for each input. Any given non-linear cryptographic function may be reversible regarding one input and irreversible regarding another or it can be either reversible or irreversible regarding all its inputs.
For example, a block cipher is a reversible non-linear cryptographic function regarding its plaintext input, but it is irreversible regarding its key, and a keyed cryptographic hash is irreversible regarding both its inputs, data and key. A linear combination of non-linear cryptographic functions is also a non-linear cryptographic function. A non-linear cryptographic function of a linear combination of its inputs is also a non-linear cryptographic function. Both these cases are referred to as 'a non-linear cryptographic function' in this specification and are marked according to their reversibility regarding the current block as one of the inputs.
If a non-linear cryptographic function is reversible regarding one of its inputs x, then a reversible linear or non-linear combination of that input x or that function's output with any other input is also a non-linear cryptographic function reversible regarding that input x.
If a non-linear cryptographic function is irreversible regarding one of its inputs x, then a combination of one or more of its inputs and/or its output with any other cryptographic function, linear or non-linear, reversible or irreversible is also irreversible regarding that input x.
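The definitions above can be checked mechanically. The following added example (not from the patent) inverts addition and multiplication modulo 2^n regarding x when the other operand b is known, at essentially the cost of the forward function, and enumerates the preimages of y = x <<< x by trying each of the n rotation amounts; the word size n, the even-multiplier handling and the helper names are choices made here.

```python
"""Reversibility of a function regarding one of its inputs (added example)."""


def add_mod(x, b, n):
    return (x + b) % (1 << n)


def invert_add(y, b, n):
    # x = y - b mod 2^n: one subtraction, the same cost as the forward function
    return (y - b) % (1 << n)


def mul_mod(x, b, n):
    return (x * b) % (1 << n)


def invert_mul(y, b, n):
    """x = y * b^-1 mod 2^n. Only an odd b is a unit mod 2^n; an even b discards
    the top bit(s) of x, so regarding x the function is then not reversible."""
    if b % 2 == 0:
        return None
    return (y * pow(b, -1, 1 << n)) % (1 << n)


def rotl(x, r, n):
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def rotr(x, r, n):
    return rotl(x, (-r) % n, n)


def rotl_self(x, n):
    # y = x <<< x: the rotation amount is x itself, reduced modulo the word size n
    return rotl(x, x % n, n)


def preimages_rotl_self(y, n):
    """Every x with rotl_self(x, n) == y. Each candidate rotation amount r gives one
    candidate x = y >>> r, which is valid only if x itself selects amount r;
    the search costs n forward evaluations and may return zero or several x."""
    found = []
    for r in range(n):
        x = rotr(y, r, n)
        if x % n == r:
            found.append(x)
    return sorted(found)


if __name__ == "__main__":
    n = 8
    x, b = 77, 3
    print("add:", invert_add(add_mod(x, b, n), b, n) == x)
    print("mul:", invert_mul(mul_mod(x, b, n), b, n) == x)
    for y in (rotl_self(3, n), 1):
        print("preimages of", y, "under x<<<x:", preimages_rotl_self(y, n))
```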
Cryptographic processes such as block ciphers, in general, receive plaintext and initialize their states with that plaintext. That state is received as input by a further iterative process that updates a portion of the process state in a non-linear fashion. When the iterative process is terminated, the final plaintext is released as ciphertext.
Cryptographic processes such as word-based stream ciphers, in general, receive key material and initial vectors and initialize their states with that material. That state is received as input by a further iterative process that updates a portion of the process state in a nonlinear way, and which includes an output combiner function that combines several blocks of the process state with a block of plaintext to produce a block of ciphertext. Stream ciphers can also operate as pseudo-random number generators, which have a broad use outside of cryptographic applications.
A cryptographic operation that updates a single bit or a contiguous set of bits of the process state, in general, is referred to as a round function or a feedback function. An iterative state update process often referred to as 'a round' comprises the invocation of at least one round function, so that each bit of the process state updated by the round update process is updated by exactly one round function invocation.
A full positive difference set (FPDS) is a choice of input taps differences primarily applied to feedback shift-register (FSR) generators ensuring that no pair of inputs is used to update more than one bit in the state. In contrast to FSR generators, we use the term FPDS herein to describe a choice of input taps applied to blocks of state ensuring that no pair of input blocks is used to update any other block in the state by any other round function. A full description of FPDS can be found: Jovan Dj. Golic, "On the Security of Nonlinear Filter Generators", Lecture Notes In Computer Science; 1993, Vol. 1039, Proceedings of the Third International Workshop on Fast Software Encryption
Figure 1 illustrates the block interdependencies of asynchronous unidirectional block chaining of cyclic internal state according to the type found in the "Rabbit Cipher" of Cryptico A/S. There are 10 blocks, 100 to 109. One iteration of the round function of a cipher illustrated in figure 1 results in all 10 blocks 100 to 109 being updated by a set of feedback functions simultaneously. Block 100 is dependent on the state of the cyclic preceding blocks 109 and 108 of the previous round. Block 100 neither depends on nor influences all other 9 blocks of state in one iteration; therefore multiple iterations are required for a change in one block to affect all the blocks in the state.
In this manner, each of the blocks 101 to 109 depends on the 2 blocks immediately cyclically preceding it. On every iteration, each updated block depends on the 2 blocks immediately preceding it, resulting in a change propagating in a clockwise manner. The advantage of this type of feedback is that all feedback functions within one round can be executed in parallel.
After one iteration of the round function, block 100 influences blocks 101 and 102. After two iterations of the round function, block 100 influences blocks 101 to 104; after three iterations 101 to 106; after four iterations 101 to 108; and after five iterations of the round function block 100 influences all blocks in the state.
Input to all the feedback functions in the cipher illustrated on figure 1 is drawn only from the cyclic preceding blocks as is done in asymmetric word-based ciphers and all block chaining methods for block-ciphers.
Summary of the invention
In contrast, the present invention provides a cryptographic state update process which: receives a contiguously numbered blocks I1, I2 to Ia, where a is at least 5, and outputs a contiguously numbered blocks O1, O2 to Oa, where the length of the sum of the bits I1, I2 to Ia is equal to the length of the sum of the bits O1, O2 to Oa; and each of the a contiguously numbered blocks I1, I2 to Ia has a one-to-one corresponding index to the contiguously numbered blocks O1, O2 to Oa, the indexing for blocks in I and O being cyclic, such that index a+1 references the cyclic first index 1 and index 1-1 references the cyclic last index a; the state update function comprising b feedback functions F1, F2 to Fb, each of which: has a multiple-input single-output Boolean function f1, f2 to fb defining the relationship between the multiple input blocks and the single block output, where the single output updates a block in O1, O2 to Oa; has a reference block in I1, I2 to Ia that corresponds to the single output block; and receives a set of blocks from I1, I2 to Ia comprising at least one cyclic preceding block of input relative to the reference input block, and at least one cyclic following block of input relative to the reference input block, so that the length of the sum of the cyclic preceding and cyclic following blocks selected as input is less than half the length of the sum of the blocks I1, I2 to Ia. It is preferred that at least one of the multiple-input single-output Boolean functions f1, f2 to fb is a nonlinear function.
It is preferred that none of the outputs of a feedback function are used as inputs into the same feedback function on the next iteration.
It is preferred that the distances between input blocks to the feedback functions form a full positive difference set.
We call the blocks located cyclically before and after the current block in the state its cyclic preceding and cyclic following blocks. Accordingly, we refer to the distance between two blocks as the difference between the indexes of those blocks.
The nonlinear block chaining defined by the present invention allows the cipher state to be updated concurrently, in its entirety, by small feedback functions when implemented in hardware, and allows software implementations to take advantage of the instruction-level parallelism present in modern general-purpose processors.
It can also be used in conjunction with an output combiner function to construct stream ciphers releasing output on every round. It can also be used in conjunction with existing block ciphers or hash functions used as round functions.
Brief description of the drawings
In order that the invention may be more readily understood, embodiments of it are described with reference to the accompanying drawings in which:
Figure 1 illustrates transitions in internal state of the Rabbit cipher;
Figure 2 illustrates hardware according to embodiments of the current invention;
Figure 3 illustrates the data dependencies of one embodiment of the current invention;
Figure 4 illustrates operation of embodiments of the current invention; and
Figures 5, 6, and 7 show processes according to embodiments of the present invention.
Descriptions of preferred embodiments of the invention
Figure 2 illustrates some fields of use of apparatus according to embodiments of the present invention. In figure 2, reference numbers 201 and 202 each represent hardware devices that are in communication with each other by communication means indicated generally by reference numbers 203 and 204. For example, devices 201 and 202 represent semiconductor chips mounted on-board in a device and 203 and 204 represent a bus over which chips 201 and 202 communicate. In this example, the chips 201 and 202 each have a stream-cipher encryption module, 205 and 206 respectively, securing communications between the chips 201 and 202. The in-chip encryption modules 205 and 206 make it more difficult for a copyist to reverse-engineer the contents of chips 201 and 202 by analysis of the signals going in and out of a chip. These in-chip encryption modules also make the use of the device more secure against electronic eavesdropping.
Figure 3 illustrates the block interdependencies of asynchronous bidirectional nonlinear block chaining of a cyclic internal state updated by a round function according to a preferred embodiment of the current invention. Blocks 300 to 309 illustrate the cipher state. During the round update process, block 300 depends on the immediately cyclic preceding block 309 and the immediately cyclic following block 301. Each of the blocks 301 to 309 likewise depends on two blocks, one immediately cyclic preceding and one immediately cyclic following.
In asynchronous implementations of the current invention, on every round iteration all the blocks in the state are simultaneously updated by their feedback functions using their cyclic preceding and cyclic following blocks as inputs, so that interdependency is generated in both a clockwise and a counter-clockwise fashion. After one iteration, block 300 influences 309 and 301. After two iterations, block 300 influences 308, 309, 301 and 302; after three iterations, 307 to 309 and 301 to 303; after four iterations, 306 to 309 and 301 to 304; after five iterations, block 300 influences all the blocks in the state.
Even though the embodiments illustrated on figure 3 and on figure 1 both require 5 asynchronous iterations for a change in any block to affect all the blocks in the state, the wire distances in the implementations of the two embodiments are different. An implementation of the embodiment of the current invention illustrated on figure 3 requires shorter wires, resulting in lower wire latencies compared with the cipher illustrated on figure 1 and consequently in improved hardware performance at the same avalanche speed.
Figure 4 illustrates operation of embodiments of the current invention.
The process state 400 is partitioned into six equidistant blocks 401 to 406, all of the same length greater than one bit. The process state is initialized through an initialization function. The inputs to the initialization function are selected according to the operation to be performed. Some exemplary embodiments are described in figures 5, 6 and 7. One or more of the following are accepted as inputs to the initialization function:
• key material;
• initialization vector material;
• constant values that are preferably balanced;
• plaintext material for encrypting, decrypting or hashing;
• ciphertext material for block chaining of messages;
• pseudo random material in the form of a nonce;
• pseudo random material to be securely expanded as part of a PRNG;
• random numbers from a source of entropy to be securely accumulated as part of a RNG.
Nonlinear feedback function 421 takes as input current block 401, its cyclic preceding block 406, its cyclic following block 402 and optional additional blocks of process input 411 and generates an output that is used to update the current block 401.
Nonlinear feedback function 422 takes as input current block 402, its cyclic preceding block 401, its cyclic following block 403 and optional additional blocks of process input 412 and generates an output that is used to update the current block 402.
Nonlinear feedback function 423 takes as input current block 403, its cyclic preceding block 402, its cyclic following block 404 and optional additional blocks of process input 413 and generates an output that is used to update the current block 403.
Nonlinear feedback function 424 takes as input current block 404, its cyclic preceding block 403, its cyclic following block 405 and optional additional blocks of process input 414 and generates an output that is used to update the current block 404.
Nonlinear feedback function 425 takes as input current block 405, its cyclic preceding block 404, its cyclic following block 406 and optional additional blocks of process input 415 and generates an output that is used to update the current block 405.
The feedback functions 421 to 425 may implement different nonlinear operations to increase the complexity of the cipher round function.
The blocks 401 to 406 of the process state are preferably updated in arbitrary order, with partial or full concurrency, by the nonlinear feedback functions 421 to 426.
The optional inputs 411 to 416 supplied to feedback functions 421 to 426 are selected according to the operation to be performed. Some exemplary embodiments are described in figures 5, 6 and 7. One or more of the following are accepted as optional inputs:
• key material;
• initialization vector material;
• constant values that are preferably balanced;
• plaintext material for encrypting, decrypting or hashing;
• ciphertext material for block chaining of messages;
• pseudo random material in the form of a nonce;
• pseudo random material to be securely expanded as part of a PRNG;
• random numbers from a source of entropy to be securely accumulated as part of a RNG.
Other preferred embodiments of the current invention are assisted by counters, as shown on figure 4, where an optional counter state 418 is updated by a (preferably nonlinear) counter feedback function 428 and is used as an additional input into a nonlinear feedback function 425. One purpose of the counter is to guarantee a long period.
In other preferred embodiments of the current invention, the round functions may accept more than one cyclic preceding or cyclic following block, as illustrated by function 425, which accepts as input a cyclic preceding block 403 and a cyclic following block 407.
Nonlinear round function 426 takes as input cyclic preceding block 401, cyclic following block 403, current block 402 and zero or more additional blocks of input 412 and generates an output that updates the current block 402.
The optional output combiner function 429 used in preferred embodiments of the current invention operating as stream ciphers takes as its inputs blocks 401, 402 and 406 and as a reversible input a plaintext/ciphertext block 419 and produces an output block 409. In a preferred embodiment of the current invention operating as a stream cipher, a portion of the output block 409 is released on each iteration as the ciphertext/plaintext. In another preferred embodiment of the current invention operating as an authenticated stream cipher, a second portion of the output block 409 is used as an additional input to a feedback function 421.
In a preferred embodiment of the current invention, more than one iteration of the round update process is performed before any material is released as output. In a preferred embodiment of the current invention, more than one iteration of the round update process is performed between the cryptographic process outputs.
Common word lengths for general-purpose software processors include 8, 16, 32, 64 and 128 bits. In a preferred embodiment of the current invention, the blocks have a uniform length in bits mapping to the word length of a common software processor. In a preferred embodiment of the current invention, the feedback functions accept blocks of uniform length in bits, selected to match a common word length as described above.
As will be seen from the following descriptions referring to figures 5, 6 and 7, various embodiments of the current invention function differently when implemented as unauthenticated stream ciphers, authenticated stream ciphers, cryptographic hash functions or nonlinear block chaining operations.
Figure 5 illustrates a preferred process of operation for the embodiment of figure 4 for the purpose of generating a hash. Label 501 illustrates the start of the process. Process 502 initializes the intermediate state 401 to 406 with plaintext material. The iterative round update process 503 executes a set of round update functions, where feedback functions 421 to 426 are invoked. Decision 504 determines if a sufficient number of iterations have been performed. If 504 is false, execution returns to step 503. Process 505 performs a filter function 429, taking as input the original values of 406, 401 and 402, and releases output 409. The iterative round update process 506 executes a set of round update functions, where feedback functions 421 to 426 are invoked. Decision 507 determines if a sufficient number of blocks of output have been generated. If 507 is false, execution returns to step 505. The process stops at 508.
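The following Python model is an added illustration, not code from the patent or from Synaptic Laboratories: it reproduces the dependency spread of figure 3 (block 300 reaching the whole ten-block state in five iterations), the synchronous six-block round update of figure 4, and the hashing flow of figure 5. The 32-bit feedback function, the output combiner and the sample inputs are constructed placeholders, since the patent specifies no concrete functions; the `offsets` parameter generalises to feedback functions that read more than one cyclic preceding or following block.

```python
MASK = 0xFFFFFFFF


def rotl32(x, r):
    """Rotate a 32-bit word left by r bits."""
    return ((x << r) | (x >> (32 - r))) & MASK


def influence_after(a, offsets, k):
    """Blocks of a cyclic a-block state that block 0 influences after k
    iterations when each feedback function reads blocks j+d for d in
    offsets (0 = reference block, -1 = cyclic preceding, +1 = cyclic
    following). Purely structural: block values are ignored."""
    reached = {0}
    for _ in range(k):
        # block j reads block j+d, so block i reaches j whenever i == j+d (mod a)
        reached |= {(i - d) % a for i in reached for d in offsets}
    return reached


def rounds_to_full_diffusion(a, offsets):
    """Smallest k for which influence_after covers the whole state."""
    k = 0
    while len(influence_after(a, offsets, k)) < a:
        k += 1
    return k


def feedback(prev, cur, nxt, extra):
    """Constructed (hypothetical) nonlinear feedback function: mixes the
    cyclic preceding block, the reference block, the cyclic following block
    and one optional process input (key, IV, plaintext, counter ...)."""
    mixed = (cur + (prev ^ rotl32(nxt, 7)) + (prev & nxt)) & MASK
    return rotl32(mixed, 13) ^ extra


def round_update(state, inputs=None):
    """One round of bidirectional chaining. Every block is recomputed from a
    snapshot of the previous state, so the feedback functions are independent
    and could run concurrently in hardware or via instruction-level parallelism."""
    a = len(state)
    inputs = inputs if inputs is not None else [0] * a
    return [feedback(state[(j - 1) % a], state[j], state[(j + 1) % a], inputs[j])
            for j in range(a)]


def differing_blocks(s1, s2, rounds):
    """Indexes of blocks that differ between two states after `rounds` rounds."""
    for _ in range(rounds):
        s1, s2 = round_update(s1), round_update(s2)
    return {j for j in range(len(s1)) if s1[j] != s2[j]}


def combiner(state, text_block=0):
    """Constructed output filter in the role of 429: combines blocks 406, 401
    and 402 (indexes -1, 0, 1) and XORs in the reversible text block 419."""
    mixed = (rotl32(state[-1], 11) + state[0]) & MASK
    return mixed ^ state[1] ^ text_block


def hash_blocks(msg_blocks, warmup_rounds, out_blocks):
    """Figure 5 flow: load the six-block state with plaintext (502), iterate the
    round update (503/504), then alternate the filter (505) and a further round
    (506) until enough output blocks have been released (507)."""
    state = list(msg_blocks)
    for _ in range(warmup_rounds):
        state = round_update(state)
    out = []
    while len(out) < out_blocks:
        out.append(combiner(state))
        state = round_update(state)
    return out


if __name__ == "__main__":
    # Figure 3: ten blocks, each reading its two cyclic neighbours.
    print(rounds_to_full_diffusion(10, (-1, 0, 1)))   # 5 iterations
    # Preceding-only chaining on the same state, for comparison.
    print(rounds_to_full_diffusion(10, (-1, 0)))      # 9 iterations
```

A single-bit change can only ever reach the blocks in the structural influence set, so `differing_blocks` is always a subset of `influence_after` for the same round count; whether it reaches every block in that set depends on the nonlinear function.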
Figure 6 illustrates another preferred process of operation for the embodiment of figure 4 as a stream cipher and performing single-pass authenticated encryption. Label 601 illustrates the start of the process. Process 602 initializes the process state 401 to 406 with a fixed constant material. Process 602 also initializes the counter 418 with a fixed constant value. The counter state 418 is supplied as input to round function 425 on every iteration throughout the entire process. The counter 418 is incremented on every iteration by the counter update function 428 throughout the entire process.
The iterative update process 603 executes the feedback functions 421 to 426. One or more of the round functions 421 to 426 receive key and/or IV material as input blocks 411 to 416. No output is released. Decision 604 determines if a sufficient number of iterations have been performed to load the key material. If 604 is false, execution returns to step 603.
The iterative update process 605 executes the feedback functions 421 to 426. No output is released. Decision 606 determines if a sufficient number of iterations have been performed to seal the cipher state. If 606 is false, execution returns to step 605.
The iterative update process 607 executes the feedback functions 421 to 426. Round function 421 receives a portion of the previous value of 409 as one of its inputs from now on. Process 608 executes a filter function 429 taking as input the original values of 406, 401 and 402 and plaintext block 419, and releases output 409, a part of which is returned as a block of ciphertext output of the cryptographic process. Decision 609 determines if a sufficient number of plaintext blocks have been encrypted. If 609 is false, execution returns to step 605.
The iterative update process 610 executes the feedback functions 421 to 426. No output is released. Decision 611 determines if a sufficient number of iterations have been performed to seal the cipher state. If 611 is false, execution returns to step 610.
The iterative update process 612 executes the feedback functions 421 to 426. Process 613 executes a filter function 429 taking as input the original values of 406, 401 and 402 and releases an output block 409, a portion of which is returned as a block of message authentication code output of the cryptographic process. Decision 614 determines if a sufficient number of MAC blocks have been generated. If 614 is false, execution returns to step 612.
The process stops at 615.
Figure 7 illustrates another preferred process of operation for the embodiment of figure 4 for the purpose of hashing user data. Label 701 illustrates the start of the process. Process 702 initializes the intermediate state 401 to 406 with key material and constant values.
The iterative process 703 executes the feedback functions 421 to 426, supplying user data blocks as inputs 411 to 416. No output is released. Decision 704 determines if all user data blocks have been processed a sufficient number of times. If 704 is false, execution returns to step 703.
Process 705 combines a number of bits of the process state and releases at least one bit of the process state as hash output of the cryptographic process.
Label 706 indicates that the process stops.
Although we have described detailed embodiments of the invention, with a number of variations, which incorporate the teachings of the present invention, the skilled reader of this specification can readily devise other embodiments and applications of the present invention that utilize these teachings.

Claims:
1. A cryptographic state update process which: receives a contiguously numbered blocks I1, I2 to Ia, where a is at least 5, and outputs a contiguously numbered blocks O1, O2 to Oa, where the length of the sum of the bits I1, I2 to Ia is equal to the length of the sum of the bits O1, O2 to Oa; and each of the a contiguously numbered blocks I1, I2 to Ia has a one-to-one corresponding index to the contiguously numbered blocks O1, O2 to Oa, the indexing for blocks in I and O is cyclic, such that index a+1 references the cyclic first index and index 1-1 references the cyclic last index a, the state update function comprising: b feedback functions F1, F2 to Fb, each of which: has a multiple-input single-output Boolean function f1, f2 to fa defining the relationship between the multiple input blocks and the single block output, where the single output updates a block in O1, O2 to Oa; has a reference block in I1, I2 to Ia that corresponds to the single output block; and receives a set of blocks from I1, I2 to Ia comprising: at least one cyclic preceding block of input relative to the reference input block; and at least one cyclic following block of input relative to the reference input block; so that the length of the sum of the cyclic preceding and cyclic following blocks selected as input is less than half the length of the sum of the blocks I1, I2 to Ia.
2. A cryptographic state update process as claimed in claim 1, in which at least one of the multiple-input single-output Boolean functions f1, f2 to fa is a nonlinear function.
3. A cryptographic state update process as claimed in claim 1, in which none of the outputs of a feedback function are used as inputs into the same feedback function on the next iteration.
4. A cryptographic state update process as claimed in claim 1, in which the distances between input blocks to the feedback functions form a full positive difference set.
5. A cryptographic state update process as claimed in any one of the preceding claims, substantially as described with reference to the drawings.
6. A cryptographic state update process substantially as described with reference to the drawings.
7. Apparatus for implementing a cryptographic state update process as claimed in any one of the preceding claims.
8. A signal carrying data which has been generated by a process according to any one of claims 1 to 6.
9. A substrate carrying data which has been generated by a process according to any one of claims 1 to 6.
PCT/IB2007/001162 2006-05-04 2007-05-04 Cryptographic apparatus and process WO2007129197A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2006902344A AU2006902344A0 (en) 2006-05-04 Cryptographic Apparatus and Process
AU2006902344 2006-05-04

Publications (1)

Publication Number Publication Date
WO2007129197A1 true WO2007129197A1 (en) 2007-11-15
