WO2008117142A1 - Cryptographic block cipher method and system - Google Patents

Cryptographic block cipher method and system

Info

Publication number
WO2008117142A1
Authority
WO
WIPO (PCT)
Prior art keywords
bits
function
boxes
block
input
Prior art date
Application number
PCT/IB2007/054592
Other languages
English (en)
Other versions
WO2008117142A9 (fr)
Inventor
Itsik Mantin
Erez Waisbard
Aviad Kipnis
Original Assignee
Nds Limited
Priority date
Filing date
Publication date
Application filed by Nds Limited
Publication of WO2008117142A1
Publication of WO2008117142A9

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption

Definitions

  • the present invention relates to methods of encryption, and more particularly, to Feistel based block cipher methods of encryption
  • Feistel networks also termed herein “Feistel cipher methods”, or “Feistel-like cipher methods”; a single round of a Feistel cipher method is termed herein a “Feistel cipher round”.
  • HAC Applied Cryptography
  • a Feistel cipher is an iterated block cipher mapping a plaintext (comprising two parts, L_0 and R_0), for t-bit blocks L_0 and R_0, to a ciphertext (R_r and L_r), through an r-round process where r > 1.
  • first half and second half are used to mean one of either: “right half” or “left half”.
  • Types of block ciphers which are cases of Feistel networks include the following well-known methods: DES, Lucifer, FEAL, Khufu, Khafre, LOKI, GOST, CAST, and Blowfish.
  • Feistel ciphers are also discussed in Applied Cryptography, Second Edition (B. Schneier, John Wiley and Sons, Inc., 1996) on pages 347 - 351. The discussion of Feistel ciphers in Applied Cryptography, Second Edition is hereby incorporated herein by reference.
  • DES is specified in FIPS 46-3, available on the Internet at: csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.
  • FIPS 46-3 is hereby incorporated herein by reference.
  • FOX: A New Family of Block Ciphers (Pascal Junod and Serge Vaudenay, Selected Areas in Cryptography 2004: Waterloo, Canada, August 9-10, 2004. Revised papers, Lecture Notes in Computer Science. Springer-Verlag.) describes the design of a new family of block ciphers based on a Lai-Massey scheme, named FOX.
  • a new design of strong and efficient key-schedule algorithms is proposed.
  • Evidence is provided that FOX is immune to linear and differential cryptanalysis.
  • the Serpent cipher uses S-boxes similar to those of DES in a new structure that simultaneously allows a more rapid avalanche, and a more efficient bitslice implementation.
  • the present invention seeks to provide an improved encryption method, and in particular an improved encryption method related to Feistel encryption methods.
  • a Feistel-like cipher, described herein, is preferably designed to be easily implemented in hardware and difficult to implement in software.
  • a method of encrypting a block of data including providing a combining unit operative to combine a key with a block of data, the block of data expressed as a block of bits, providing a mix and condense unit (MAC) operative to mix bits included in the block of bits among themselves, providing a plurality of layers of S-boxes, the S-boxes operative to receive an input including an input which has not yet been input into the mix and condense unit and to provide an output including an input to the mix and condense unit, receiving an input including the block of data expressed as the block of bits, combining, at the combining unit, the block of bits with a key, receiving an output of the combining unit as an input, substituting bits including the input to the plurality of layers of S-boxes with bits including the output of the plurality of layers of S-boxes, outputting the output of the plurality of layers of S-boxes to the mix and condense
  • MAC mix and condense unit
  • the plurality of layers of S-boxes includes two layers of S-boxes.
  • a diffusion layer disposed between each layer of the plurality of S-boxes, routes the output of a first layer of S-boxes to a second layer of S-boxes, the output of the first layer of S-boxes including an input of the second layer of S-boxes.
  • each S-box of the plurality of S-boxes includes one S-box described in the Serpent cipher specification.
  • the two layers of S-boxes include a first layer of S-boxes including 25 S-boxes and a second layer of S-boxes including 25 S-boxes.
  • the combining unit is operative to perform a XOR operation.
  • the method of encrypting cannot be efficiently implemented except on specialized hardware.
  • the MAC comprises a plurality of layers of mini-functions.
  • the plurality of layers of the MAC includes between 30 layers and 50 layers, inclusive.
  • a mini-function layer includes two micro-functions: one balanced micro-function, and one non-linear micro-function.
  • the mini-function layer is operative to perform the following: receiving an input, splitting the input, at a splitter, into a block of balancing bits and a block of remaining input bits, executing the method of the non-linear micro-function on the block of remaining input bits, inputting the result of the non-linear micro-function into the balanced micro-function, executing the method of the balanced micro-function on the result of the non-linear micro-function and the balancing bits, and outputting a result.
  • the method further including performing an invertible transformation on the block of balancing bits prior to the executing the method of the balanced micro-function.
  • the invertible transformation includes an invertible transformation S-box. Further in accordance with a preferred embodiment of the present invention and wherein the invertible transformation S-box includes a 2bit-to-2bit S-box.
  • the method further including providing a first function Fj and a second function Fi, providing a round key generation function, the round key generation function being operative to utilize, in any given round, exactly one of the first function Fj, and the second function Fi, providing a round mixing function, the round mixing function being operative to utilize, in any given round, exactly one of the first function Fj, and the second function Fi, utilizing the round key generation function in at least a first round to generate a second round key for use in a second round, and utilizing the round mixing function in at least the first round to mix a first round key with a cipher state, wherein one of the following is performed in the first round: the round key generation function utilizes the first function Fj to generate the second round key for use in the second round, substantially simultaneously with the round key mixing function utilizing the second function Fi to mix the first round key with the cipher state, and the round key generation function utilizes the second function Fi to generate the second round key for use in the second round
  • a method of encrypting a block of data including providing an expansion unit operative to expand the block of data, expressed as a block of bits, from a first bit size to a second bit size, the second bit size being greater than the first bit size, providing a combining unit operative to combine an expanded block of data with a key, providing a mix and condense unit (MAC) operative to mix the bits of a combined expanded block of data of the second bit size and condense the bit size of the input to a third bit size, the third bit size being less than the second bit size, providing a plurality of layers of S-boxes, the S- boxes operative to receive an input including an input which has not yet been input into the mix and condense unit and to provide an output including an input, expressed as a block of data, to the mix and condense unit, receiving an input including the block of data expressed as the block of bits, inputting the block of bits into the expansion unit, and therein expanding the block of
  • the plurality of layers of S-boxes includes two layers of S-boxes.
  • a diffusion layer disposed between each layer of the plurality of S-boxes, routes the output of a first layer of S-boxes to a second layer of S-boxes, the output of the first layer of S-boxes including an input of the second layer of S-boxes.
  • each S-box of the plurality of S-boxes includes one S-box described in the Serpent cipher specification.
  • the two layers of S-boxes include a first layer of S-boxes including 25 S-boxes and a second layer of S-boxes including 25 S-boxes.
  • the first bit size is equal to the third bit size. Still further in accordance with a preferred embodiment of the present invention the first bit size is equal to 64 bits.
  • the second bit size is equal to 100 bits.
  • the third bit size is equal to 64 bits.
  • the combining unit is operative to perform a XOR operation.
  • the expansion unit includes a linear transformation.
  • the linear transformation includes an operation wherein each input bit influences at least two output bits.
  • the linear transformation includes an operation wherein each bit of the key influences one output bit.
  • the linear transformation includes an operation wherein any small set of input bits influences a larger set of output bits. Still further in accordance with a preferred embodiment of the present invention the linear transformation includes an operation wherein indices are selected so as to be spread equally between input bits and output bits.
  • the expansion unit includes two layers of gates operative to combine two inputs.
  • the gates include XOR operation gates.
  • the method further includes a NOT operation gate after the XOR operation gates. Still further in accordance with a preferred embodiment of the present invention the method of encrypting cannot be implemented except on specialized hardware.
  • the MAC comprises a plurality of layers of mini-functions.
  • the plurality of layers of the MAC includes between 30 layers and 50 layers, inclusive.
  • a mini-function layer includes two micro-functions: one balanced micro-function, and one non-linear micro-function.
  • the mini-function layer is operative to perform the following: receiving an input, splitting the input, at a splitter, into a block of balancing bits and a block of remaining input bits, executing the method of the non-linear micro-function on the block of remaining input bits, inputting the result of the non-linear micro-function into the balanced micro-function, executing the method of the balanced micro-function on the result of the non-linear micro-function and the balancing bits, and outputting a result. Still further in accordance with a preferred embodiment of the present invention the method further includes performing an invertible transformation on the block of balancing bits prior to the executing the method of the balanced micro-function.
  • the invertible transformation includes an invertible transformation S-box.
  • the invertible transformation S-box includes a 2bit-to-2bit S-box.
  • the method further includes providing a first function Fj and a second function Fi, providing a round key generation function, the round key generation function being operative to utilize, in any given round, exactly one of the first function Fj, and the second function Fi, providing a round mixing function, the round mixing function being operative to utilize, in any given round, exactly one of the first function Fj, and the second function Fi, utilizing the round key generation function in at least a first round to generate a second round key for use in a second round, and utilizing the round mixing function in at least the first round to mix a first round key with a cipher state, wherein one of the following is performed in the first round: the round key generation function utilizes the first function Fj to generate the second round key for use in the second round, substantially simultaneously with the round key mixing function utilizing the second function Fi to mix the first round key with the cipher state, and the round key generation function utilizes the second function Fi to generate the second round key for use in the second round, substantially
  • the method is implemented in hardware. Still further in accordance with a preferred embodiment of the present invention the method further includes mixing and condensing, the mixing and condensing including receiving an input of a block of data expressed as a block of bits, and mixing the bits of the block of data with a round key.
  • the method further includes providing an expansion unit operative to expand the block of data, expressed as a block of bits, from a first bit size to a second bit size, the second bit size being greater than the first bit size, providing a combining unit operative to combine an expanded block of data with a key, providing a mix and condense unit (MAC) operative to mix the bits of a combined expanded block of data of the second bit size and condense the bit size of the input to a third bit size, the third bit size being less than the second bit size, providing a plurality of layers of S-boxes, the S-boxes operative to receive an input including an input which has not yet been input into the mix and condense unit and to provide an output including an input to the mix and condense unit, receiving an input including the block of data expressed as the block of bits, inputting the block of bits into the expansion unit, thereby expanding the block of bits to a block of bits of the second bit size, combining, at the combining
  • a diffusion layer disposed between each layer of the plurality of S-boxes, routes the output of a first layer of S-boxes to a second layer of S-boxes, the output of the first layer of S-boxes including an input of the second layer of S-boxes.
  • each S-box of the plurality of S-boxes includes one S-box described in the Serpent cipher specification.
  • the two layers of S-boxes include a first layer of S-boxes including 25 S-boxes and a second layer of S-boxes including 25 S-boxes.
  • the first bit size is equal to the third bit size. Further in accordance with a preferred embodiment of the present invention the first bit size is equal to 64 bits. Still further in accordance with a preferred embodiment of the present invention the second bit size is equal to 100 bits.
  • the third bit size is equal to 64 bits.
  • the combining unit is operative to perform a XOR operation.
  • the expansion unit includes a linear transformation.
  • the linear transformation includes an operation wherein each input bit influences at least two output bits.
  • the linear transformation includes an operation wherein each bit of the key influences one output bit. Moreover in accordance with a preferred embodiment of the present invention the linear transformation includes an operation wherein any small set of input bits influences a larger set of output bits.
  • the linear transformation includes an operation wherein indices are selected so as to be spread equally between input bits and output bits.
  • the mix and condense unit includes a plurality of layers, each layer among the plurality of layers including a plurality of mini-functions.
  • the plurality of layers of the MAC includes between 30 layers and 50 layers, inclusive.
  • a mini-function layer includes two micro-functions: one balanced micro-function, and one non-linear micro-function. Further in accordance with a preferred embodiment of the present invention the mini-function layer is operative to perform the following: receiving an input, splitting the input, at a splitter, into a block of balancing bits and a block of remaining input bits, executing the method of the non-linear micro-function on the block of remaining input bits, inputting the result of the non-linear micro-function into the balanced micro-function, executing the method of the balanced micro-function on the result of the non-linear micro-function and the balancing bits, and outputting a result.
  • the method further includes performing an invertible transformation on the block of balancing bits prior to the executing the method of the balanced micro-function.
  • the invertible transformation includes an invertible transformation S-box.
  • the invertible transformation S-box includes a 2bit-to-2bit S-box.
  • the method further includes providing a first function Fj and a second function Fi, providing a round key generation function, the round key generation function being operative to utilize, in any given round, exactly one of the first function Fj, and the second function Fi, providing a round mixing function, the round mixing function being operative to utilize, in any given round, exactly one of the first function Fj, and the second function Fi, utilizing the round key generation function in at least a first round to generate a second round key for use in a second round, and utilizing the round mixing function in at least the first round to mix a first round key with a cipher state, wherein one of the following is performed in the first round the round key generation function utilizes the first function Fj to generate the second round key for use in the second round, substantially simultaneously with the round key mixing function utilizing the second function Fi to mix the first round
  • a method of encrypting a block of data including providing a combining unit operative to combine the block of data with a key, providing a mixing unit operative to mix the bits of a combined key and block of data, providing a plurality of layers of S-boxes, the S-boxes operative to receive an input including an input which has not yet been input into the mixing unit and to provide an output including an input to the mixing unit, receiving an input including the block of data expressed as a block of bits, combining, at a combining unit, the block of bits with a key, substituting bits including the input to the plurality of layers of S-boxes with bits including the output of the plurality of layers of S-boxes, outputting the output of the plurality of layers of S-boxes as a second block of bits to the mixing unit, and mixing, at the mixing unit, the second block of bits, thereby producing an encrypted block of data, wherein the mixing unit includes a
  • the plurality of layers of S-boxes includes two layers of S-boxes. Still further in accordance with a preferred embodiment of the present invention a diffusion layer, disposed between each layer of the plurality of S-boxes, routes the output of a first layer of S-boxes to a second layer of S-boxes, the output of the first layer of S-boxes including an input of the second layer of S-boxes. Additionally in accordance with a preferred embodiment of the present invention each S-box of the plurality of S-boxes includes one S-box described in the Serpent cipher specification.
  • the two layers of S-boxes include a first layer of S-boxes including 25 S-boxes and a second layer of S-boxes including 25 S-boxes.
  • the plurality of layers of the mixing unit includes between 30 and 50 layers, inclusive.
  • the combining unit is operative to perform a XOR operation.
  • a mini-function layer includes two micro-functions: one balanced micro-function, and one non-linear micro-function.
  • the mini-function layer is operative to perform the following: receiving an input, splitting the input, at a splitter, into a block of balancing bits and a block of remaining input bits, executing the method of the non-linear micro-function on the block of remaining input bits, inputting the result of the non-linear micro-function into the balanced micro-function, executing the method of the balanced micro-function on the result of the non-linear micro-function and the balancing bits, and outputting a result.
  • the method further includes performing an invertible transformation on the block of balancing bits prior to the executing the method of the balanced micro-function.
  • the invertible transformation includes an invertible transformation S-box.
  • the invertible transformation S-box includes a 2bit-to-2bit S-box.
  • the method further includes providing an expansion unit operative to expand the block of data, expressed as a block of bits, from a first bit size to a second bit size, the second bit size being greater than the first bit size, and prior to the combining, inputting the block of bits into the expansion unit, and therein expanding the block of bits to a block of bits of the second bit size.
  • the method further includes after the mixing, condensing, at the mix and condense unit, the block of bits of the second bit size to a block of bits of a third size, thereby producing an encrypted block of data, the encrypted block of data being expressed as a block of bits of the third bit size.
  • the method further includes providing a first function Fj and a second function Fi, providing a round key generation function, the round key generation function being operative to utilize, in any given round, exactly one of the first function Fj, and the second function Fi, providing a round mixing function, the round mixing function being operative to utilize, in any given round, exactly one of the first function Fj, and the second function Fi, utilizing the round key generation function in at least a first round to generate a second round key for use in a second round, and utilizing the round mixing function in at least the first round to mix a first round key with a cipher state, wherein one of the following is performed in the first round: the round key generation function utilizes the first function Fj to generate the second round key for use in the second round, substantially simultaneously with the round key mixing function utilizing the second function Fi to mix the first round key with the cipher state, and the round key generation function utilizes the second function Fi to generate the second round key for use in the
  • a method including combining a control input derived from a right part of a Feistel-like structure with a transformation input including a left part of the Feistel-like structure, and producing an output including a combination of bits included in the control input and bits included in the transformation input, wherein no bit of the combination of bits includes a linear combination of bits from the control input and bits from the transformation input.
  • the method includes an invertible method.
  • the inverse of the method is not identical to the method.
  • the method includes a non-linear layer including at least one S-box.
  • the method also including a linear transformation of the control input and the transformation input.
  • the method also including splitting, at a control input splitter, the control input, into a plurality of control input sub-blocks, splitting, at a transformation input splitter, the transformation input, into a plurality of transformation input sub-blocks, linearly combining each one of the plurality of control input sub-blocks with a corresponding one of the plurality of transformation input sub-blocks, and joining the result of the linear combining at an output joiner.
  • each one of the plurality of control input sub-blocks and a corresponding one of the plurality of transformation input sub-blocks include sub-blocks of the same size.
  • a first sub-block of the plurality of control input sub-blocks includes a sub-block of a different size than a second sub-block of the plurality of control input sub-blocks.
  • the transformation input splitter permutes the transformation input prior to the splitting at the transformation input splitter.
  • the output joiner permutes an output after the joining operation.
  • the linearly combining includes (A(C) × I) ⁇ C, where C represents the control input sub-block, I represents the transformation input sub-block, and A(C) includes a matrix depending on C, of size m×m, where m is a size of the control input sub-block.
  • C[0...3] include bits included in the control input.
  • the method also including a non-linear layer including at least one S-box.
  • an output from the linear transformation includes an input for the non-linear layer.
  • an output from the non-linear layer includes a transformation input for the linear transformation.
  • At least one of the S-boxes includes an S-box according to the Serpent Cipher specification.
  • the S-box layer includes S-boxes which are simple to implement in hardware.
  • the method is cryptographically secure and non-involutable.
  • an encryptor for encrypting a block of data
  • the encryptor including a combining unit operative to combine a key with a block of data, the block of data being expressed as a block of bits, a mix and condense unit operative to mix bits included in the block of bits among themselves, and a plurality of layers of S-boxes, the S-boxes operative to receive an input including an input which has not yet been input into the mix and condense unit and to provide an output including an input to the mix and condense unit, wherein a received input including the block of data expressed as the block of bits is combined, at the combining unit, with a key, and bits included in the combined block of bits are, in each layer of the plurality of layers of S-boxes, substituted for other bits, thereby providing output bits, bits in the output bits are mixed among themselves at the mix and condense unit, and the mix and condense unit includes a plurality of layers
  • the encrypting cannot be efficiently implemented except on specialized hardware.
  • an encryptor for encrypting a block of data
  • the encryptor including an expansion unit operative to expand the block of data, expressed as a block of bits, from a first bit size to a second bit size, the second bit size being greater than the first bit size, thereby producing an expanded block of data, a combining unit operative to receive the expanded block of data from the expansion unit and combine the expanded block of data with a key thereby producing a combined expanded block of data of the second bit size, a mix and condense unit operative to mix the bits of the combined expanded block of data of the second bit size and condense the bit size of the combined expanded block of data of the second bit size to a third bit size, the third bit size being less than the second bit size, and a plurality of layers of S-boxes, the S-boxes operative to receive an input including an input which has not yet been input into the mix and condense unit and to provide an output including an input to the mix
  • an encryptor operative to encrypt a block of data
  • the encryptor including a combining unit operative to combine the block of data with a key and produce a combined key and block of data, a mixing unit operative to mix the bits of the combined key and block of data, and a plurality of layers of S-boxes, the S-boxes operative to receive an input including an input which has not yet been input into the mix and condense unit and to provide an output including an input to the mix and condense unit, wherein the mixing unit includes a plurality of layers, each layer including a plurality of mini-functions.
  • an apparatus including a combiner operative to combine a control input derived from a right part of a Feistel-like structure with a transformation input including a left part of the Feistel-like structure, an outputter operative to produce an output including a combination of bits included in the control input and bits included in the transformation input, and a plurality of layers of S-boxes, the S-boxes operative to receive an input including an input which has not yet been input into the mix and condense unit and to provide an output including an input to the mix and condense unit, wherein no bit of the combination of bits includes a linear combination of bits from the control input and bits from the transformation input.
  • a cipher device including a combine key right (CKR) unit, operative to receive a first portion of a message and to combine the first portion of the message with a key, the CKR including an expansion unit operative to expand the first portion of the message to a number of bits appropriate to a key size, thereby producing an expanded first portion of the message, a combining function unit operative to receive the expanded first portion of the message and combine the expanded first portion of the message with the key, thereby producing a combined output, a mixing and condensing function unit operative to receive the combined output and condensing the combined output, and a plurality of layers of S-boxes disposed at least one of before the mixing and condensing function unit, each S-box among the plurality of S-boxes included in each of the plurality of layers of the S-boxes being operative to receive an input string of bits and substitute the input string of bits with an output string of bits, and a combine right
  • CKR combine key right
  • the first portion of the message includes a right portion of the message, and the second portion of the message includes a left portion of the message. Still further in accordance with a preferred embodiment of the present invention the first portion of the message includes a left portion of the message, and the second portion of the message includes a right portion of the message.
  • the plurality of layers of S-boxes includes two layers of S-boxes.
  • a diffusion layer disposed between each layer of the plurality of S-boxes routes the output of a first layer of S-boxes to a second layer of S-boxes, the output of the first layer of S-boxes including an input of the second layer of S-boxes.
  • a cipher device including a combine key right (CKR) unit, operative to receive a first portion of a message and to combine the first portion of the message with a key, the CKR including an expansion unit operative to expand the first portion of the message to a number of bits appropriate to a key size, thereby producing an expanded first portion of the message, a combining function unit operative to receive the expanded first portion of the message and combine the expanded first portion of the message with the key, thereby producing a combined output, a mixing and condensing function unit operative to receive the combined output and condense the combined output, and a combine right - left (CRL) unit, operative to combine an output of the CKR with a second portion of the message, an improvement including adding a plurality of layers of S-boxes disposed before the mixing and condensing function unit, thereby increasing a level of confusion of an output ciphertext and making the ciphertext more resistant to
  • CKR combine key right
  • the first portion of the message includes a right portion of the message
  • the second portion of the message includes a left portion of the message
  • the first portion of the message includes a left portion of the message, and the second portion of the message includes a right portion of the message.
  • the plurality of layers of S-boxes includes two layers of S-boxes.
  • a diffusion layer disposed between each layer of the plurality of S-boxes routes the output of a first layer of S-boxes to a second layer of S-boxes, the output of the first layer of S-boxes including an input of the second layer of S-boxes.
  • Fig. 1 is an illustration of a hardened Feistel-like structure constructed and operative in accordance with a preferred embodiment of the present invention
  • FIG. 2A is an illustration of a Combine Key RightPart function comprised in the hardened Feistel-like structure of Fig. 1;
  • Fig. 2B is an illustration of an alternative preferred embodiment of the Combine Key RightPart function comprised in the hardened Feistel-like structure of Fig. 1;
  • Fig. 3 is an illustration of a preferred implementation of hardware for a RightPart Expansion Function comprised in the Combine Key RightPart function of Figs. 2A and 2B;
  • Fig. 4 is an illustration of a preferred embodiment of a mini-function, the mini-function serving as a building block for a Mix and Condense function comprised in the Combine Key RightPart function of Figs. 2A and 2B;
  • Fig. 5 is an illustration of a Combine RightPart Combine LeftPart function comprised in the hardened Feistel-like structure of Fig. 1;
  • Fig. 6 is an illustration of one preferred implementation of a linear layer in the Combine RightPart Combine LeftPart function of Fig. 5;
  • Fig. 7 is an illustration of one preferred implementation of an S-boxes layer in the Combine RightPart Combine LeftPart function of Fig. 5;
  • Fig. 8 is an illustration of one preferred implementation of a key expansion function comprised in the hardened Feistel-like structure of Fig. 1;
  • Fig. 9 is an illustration of one preferred implementation of round key generation utilizing the Mix and Condense function in the key expansion function of Fig. 8;
  • Figs. 10 - 13 are simplified flowchart illustrations of preferred alternative methods of operation of the hardened Feistel-like structure of Fig. 1, in accordance with preferred embodiments thereof;
  • Fig. 14 is a simplified block diagram illustration of a system for robust cipher design constructed and operative in accordance with a preferred embodiment of the invention described in Appendix B;
  • Fig. 15 is a time line showing one preferred implementation of the relationship between key expansion and encryption rounds in a cipher designed according to the method of Fig. 14;
  • Fig. 16 is a simplified block diagram illustration depicting the use of MUX and DEMUX modules in a preferred implementation of the method of Fig. 14;
  • Fig. 17 is a simplified block diagram illustration of a preferred implementation of a round key generation function operative to generate round keys in a cipher designed according to the method of Fig. 14;
  • Fig. 18 is a simplified block diagram illustration of four rounds of a typical Feistel block cipher constructed and operative in accordance with the system of Fig. 14;
  • Fig. 19 is a simplified block diagram illustration of four rounds of a typical AES-like block cipher constructed and operative in accordance with the system of Fig. 14;
  • Fig. 20 is a simplified block diagram illustration of eight rounds of a typical Feistel block cipher constructed and operative in accordance with an alternative preferred embodiment of the system of Fig. 14;
  • Fig. 21 is a simplified block diagram illustration of eight rounds of a typical AES-like block cipher constructed and operative in accordance with an alternative preferred embodiment of the system of Fig. 14;
  • Fig. 22 is a simplified block diagram illustration of eight rounds of a typical Feistel block cipher constructed and operative in accordance with yet another alternative preferred embodiment of the system of Fig. 14;
  • Fig. 23 is a simplified block diagram illustration of eight rounds of a typical AES-like block cipher constructed and operative in accordance with yet another alternative preferred embodiment of the system of Fig. 14;
  • Fig. 24 is an illustration of a hardened Feistel-like structure constructed and operative in accordance with a preferred embodiment of the present invention;
  • Fig. 25 is an illustration of an alternative preferred embodiment of the hardened Feistel-like structure of Fig. 24;
  • Fig. 26 is a simplified block diagram of a preferred implementation of a MixKey function of the system of Fig. 24;
  • Fig. 27 is a simplified block diagram of a CombParts function of the system of Fig. 24.
  • Appendix A comprises a table describing one implementation of the relationship between bits output from the first layer of S-boxes and input into the second layer of S-boxes in the system of Fig. 2B.
  • Appendix B is a description of a method for robust cipher design, comprising a preferred method of key expansion and set up and a preferred implementation of a round key encryption function, the method of Appendix B comprising a preferred implementation of the Feistel-like structure of Fig. 1;
  • Appendix C is a copy of Appendix A.5 of the Serpent Cipher specification, describing S-boxes S0 through S7 of the Serpent Cipher; and
  • Appendix D comprises a description of certain alternative preferred embodiments of the present invention.
  • Fig. 1 is an illustration of a hardened Feistel-like structure 100 constructed and operative in accordance with a preferred embodiment of the present invention. It is appreciated that Fig. 1 provides an illustration of data structures and methods for implementing an encryption network, the illustration being drawn in a format which is well known in the art. Fig. 1 depicts two rounds of the hardened Feistel-like structure 100, it being appreciated that a plurality of rounds comprising more than two rounds is preferred, similarly to the plurality of rounds known in the prior art in the case of Feistel-like networks.
  • the Feistel-like structure 100 of Fig. 1 comprises a Combine Key RightPart (CKR) function 110, a preferred implementation of which is described below with reference to Figs. 2A and 2B, and a Combine RightPart Combine LeftPart (CRL) function 120, a preferred implementation of which is described below with reference to Fig. 5.
  • CKR Combine Key RightPart
  • CTL Combine LeftPart
  • a preferred implementation of a key expansion function (not depicted in Fig. 1), operative to provide a round key (RKj, RKj+1) for each round of the Feistel-like structure 100 is described below with reference to Fig. 8.
  • In each round of the hardened Feistel-like structure 100, two halves of a plaintext, left and right, depicted as L and R, are operated on by the CKR function 110 and the CRL function 120. It is appreciated that in each round, L and R preferably have an identical size of 64 bits. It is nevertheless appreciated that L and R may be any equal size, and 64 bits is used herein as an example. It is further appreciated that the size of the round key, RKj, is described herein as 100 bits by way of example only. RKj may be any appropriate size.
  • the plurality of rounds may preferably be preceded by preprocessing of L and R.
  • L and R may preferably be permuted according to a pre-defined permutation in the same manner the DES block cipher permutes the input before the first round (refer to FIPS 46-3).
  • an encrypted output of the hardened Feistel-like structure 100 may be post-processed.
  • output may preferably be further permuted according to a pre-defined permutation in the same manner the DES block cipher permutes the state after the 16th round (refer to FIPS 46-3).
  • a particular round may preferably differ from the other n-1 rounds.
  • the Feistel-like structure 100 preferably uses a 128-bit key to encrypt and decrypt 128-bit blocks.
  • the number of rounds (RN) is preferably between 40 and 50, inclusive.
  • Feistel-like structure 100 is preferably less efficient if implemented in software.
  • the Feistel-like structure 100 preferably utilizes CKR 110 to integrate a round key with a right half of a state and the function CRL 120 to combine the result of the key integration with a left half of the state.
  • the left and right halves of the state are referred to below as L and R, respectively.
  • Fig. 2A is an illustration of a Combine Key RightPart (CKR) function 110 comprised in the hardened Feistel-like structure of Fig. 1.
  • the CKR function 110 preferably comprises the following operations:
    1. RExp (Right Part Expansion) 210 preferably expands the right half R from 64 to 100 bits;
    2. a 100 bit round key, RKj, is preferably combined with the expanded 100 bit right half;
    3. MCF (Mix and Condense Function) 230 preferably mixes the 100 bit result of RExp 210 and, preferably in a pseudorandom fashion, preferably condenses the mixed 100 bits to 64 bits.
  • Fig. 2B is an illustration of an alternative preferred embodiment of the Combine Key RightPart function comprised in the hardened Feistel-like structure of Fig. 1.
  • a plurality of layers of S-boxes 310, 330 is added, before the MCF 230.
  • the plurality of layers of S-boxes 310, 330 is operative to receive the output of the 100 bit result of the XOR operation 220.
  • S-boxes substitute bits comprising a set of input bits with a set of output bits, the substitution preferably increasing a level of confusion of an output ciphertext.
  • the plurality of layers of S-boxes 310, 330 comprises a first layer of S-boxes 310, a diffusion layer 320, and a second layer of S-boxes 330.
  • Each of the first layer of S-boxes 310 and the second layer of S-boxes 330 comprises 25 S-boxes, each S-box operative to receive a 4 bit input, and produce a 4 bit output.
  • the diffusion layer 320 connects the first layer of S-boxes 310 and the second layer of S-boxes 330, such that a large number of S-boxes in the second layer of S-boxes 330 are affected by substitutions in the first layer of S-boxes 310.
  • the 25 S-boxes are S-boxes from the Serpent Cipher, as discussed below.
  • the Serpent Cipher and the S-boxes thereof are discussed at greater length below, with reference to Fig. 7.
  • Appendix A comprises a table describing one implementation of the relationship between bits output from the first layer of S-boxes 310 and input into the second layer of S-boxes 330 in the system of Fig. 2B
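The effect of the diffusion layer 320 between the two S-box layers can be measured directly. The following is an added illustration, not code from the patent: it uses Serpent's S0 in all 25 positions and a made-up routing (`spread_route`) in place of the Appendix A table, both of which are assumptions, and the sample input is constructed.

```python
# Two layers of 25 four-bit S-boxes with and without a diffusion layer.
SERPENT_S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]
N_BOXES = 25                 # 25 S-boxes x 4 bits = the 100 bit XOR result
WIDTH = 4 * N_BOXES
SAMPLE = 0x0123456789ABCDEF012345678   # constructed 100 bit input


def sbox_layer(x):
    """Apply the 4-bit S-box to each of the 25 nibbles of a 100 bit value."""
    out = 0
    for s in range(N_BOXES):
        out |= SERPENT_S0[(x >> (4 * s)) & 0xF] << (4 * s)
    return out


def spread_route(bit):
    """Hypothetical diffusion routing: output bit b of S-box s feeds input
    slot b of S-box (s + 6*b) mod 25, so the four outputs of one S-box land
    in four different second-layer S-boxes."""
    s, b = divmod(bit, 4)
    return 4 * ((s + 6 * b) % N_BOXES) + b


def identity_route(bit):
    """No diffusion: S-box s of layer 1 feeds only S-box s of layer 2."""
    return bit


def permute(x, route):
    """Move every bit of x to the position given by route(bit)."""
    out = 0
    for bit in range(WIDTH):
        out |= ((x >> bit) & 1) << route(bit)
    return out


def active_boxes(diff):
    """Number of S-boxes whose nibble is non-zero in a 100 bit difference."""
    return sum(1 for s in range(N_BOXES) if (diff >> (4 * s)) & 0xF)


def flip_profile(x, route):
    """For each single-bit flip of x, return a pair:
    (second-layer S-boxes reached, output bits changed after layer 2)."""
    base_mid = permute(sbox_layer(x), route)
    base_out = sbox_layer(base_mid)
    profile = []
    for bit in range(WIDTH):
        mid = permute(sbox_layer(x ^ (1 << bit)), route)
        out = sbox_layer(mid)
        profile.append((active_boxes(mid ^ base_mid),
                        bin(out ^ base_out).count("1")))
    return profile


if __name__ == "__main__":
    for name, route in (("identity", identity_route), ("spread", spread_route)):
        prof = flip_profile(SAMPLE, route)
        print(name,
              "boxes reached:", min(a for a, _ in prof), "to", max(a for a, _ in prof),
              "| bits changed:", min(c for _, c in prof), "to", max(c for _, c in prof))
```

With the identity routing a flipped bit never leaves its own S-box column; with the spread routing it reaches several second-layer S-boxes, each of which then changes at least two output bits.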
  • FIG. 3 is an illustration of a preferred implementation of hardware for a RightPart Expansion Function comprised in the Combine Key RightPart function of Figs. 2A and 2B. It is appreciated that Fig. 3 provides an illustration of a preferred implementation of hardware structures and methods for implementing an expansion function, the illustration being drawn in a format which is well known in the art.
  • RExp 210 preferably uses a linear transformation to expand the 64 bit R into a 100 bit expanded RightPart, where each of the 100 output bits is the result of XORing 2 or 3 input bits.
  • Indices implemented in the proposed hardware of Fig. 3 are preferably selected pseudo-randomly with the following constraints:
    1. Each one of the 64 input bits of the R preferably influences at least two output bits;
    2. Each bit of the 100 bit round key preferably influences exactly one output bit;
    3. Indices are preferably selected so as to be spread equally between the input and output bits, thereby avoiding a situation where a small number of input bits influence only a small number of output bits; and
    4. any small set of input bits preferably influences a larger set of output bits.
  • error correcting codes such as the well known Hamming error correcting code
  • the RExp function 210 (Figs. 2A and 2B) and the subsequent XOR 220 operation (with the round key) balance between a proper mixing of the round key with the right part and a time-efficient implementation of the mixing, thereby allowing a hardware implementation of both the RExp function 210 (Figs. 2A and 2B) and the XOR 220 operation that preferably comprises only two layers of XOR operations (and, in some preferred embodiments, an additional layer of NOT gates).
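The index constraints for RExp 210 can be turned into a generator and a checker. The following is an added sketch, not the patent's index table: the fan-out of exactly four outputs per input bit, the threshold of six outputs for any pair of input bits, the seed and all function names are assumptions chosen for illustration.

```python
import random
from itertools import combinations

R_BITS = 64     # width of the right half R
X_BITS = 100    # width of the expanded right half and of the round key
FANOUT = 4      # assumption: every input bit feeds exactly four output bits


def influence(taps):
    """Map each input bit to the set of output bits it feeds."""
    fed = {i: set() for i in range(R_BITS)}
    for out_bit, idx in enumerate(taps):
        for i in idx:
            fed[i].add(out_bit)
    return fed


def violations(taps):
    """Return the constraints a tap table breaks (empty list = admissible)."""
    bad = []
    if len(taps) != X_BITS or any(
            len(t) not in (2, 3) or len(set(t)) != len(t) for t in taps):
        bad.append("each output bit must XOR 2 or 3 distinct input bits")
    fed = influence(taps)
    sizes = [len(v) for v in fed.values()]
    if min(sizes) < 2:
        bad.append("every input bit must influence at least two output bits")
    if max(sizes) - min(sizes) > 1:
        bad.append("fan-out must be spread equally over the input bits")
    # Assumed threshold: two input bits together reach at least six outputs.
    if any(len(fed[a] | fed[b]) < 6
           for a, b in combinations(range(R_BITS), 2)):
        bad.append("a small set of input bits must reach a larger output set")
    return bad


def build_taps(seed=2008, max_tries=10000):
    """Pseudo-randomly deal 64*4 taps into 100 outputs until all checks pass."""
    rng = random.Random(seed)
    sizes = [2] * 44 + [3] * 56          # 44*2 + 56*3 = 256 = 64*4 taps
    for _ in range(max_tries):
        pool = [i for i in range(R_BITS) for _ in range(FANOUT)]
        rng.shuffle(pool)
        rng.shuffle(sizes)
        taps, pos = [], 0
        for n in sizes:
            taps.append(tuple(sorted(pool[pos:pos + n])))
            pos += n
        if not violations(taps):
            return taps
    raise RuntimeError("no admissible tap table found")


def rexp(r, taps):
    """Linear expansion: output bit j is the XOR of the R bits in taps[j]."""
    out = 0
    for j, idx in enumerate(taps):
        bit = 0
        for i in idx:
            bit ^= (r >> i) & 1
        out |= bit << j
    return out


def combine(r, round_key, taps):
    """RExp 210 followed by XOR 220 with the 100 bit round key."""
    return rexp(r, taps) ^ round_key


def xor_gate_depth(taps):
    """Depth of a tree of 2-input XOR gates for one output bit of combine():
    up to 3 taps plus 1 key bit = 4 operands, which needs 2 gate layers."""
    operands = max(len(t) for t in taps) + 1
    return (operands - 1).bit_length()


if __name__ == "__main__":
    table = build_taps()
    print("violations:", violations(table))
    print("XOR layers:", xor_gate_depth(table))
    print(hex(combine(0x0123456789ABCDEF, (1 << 100) - 12345, table)))
```

A table that leaves some input bit with a single tap, or reuses the same bits for most outputs, is rejected by `violations` with the matching constraint named.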
  • the 100 bit expanded right half, after XORing with the 100 bit round key RKj, is preferably input into the MCF function 230.
  • a 100 bit result of the XORing is preferably reduced and condensed into a 64-bit temporary result, which is used later as a control input of the CRL function (described with reference to Fig. 5).
  • the MCF function 230 is preferably critical in making the Feistel-like structure 100 (Fig. 1) emulation resistant.
  • FIG. 4 is an illustration of a preferred embodiment of the mini-function, the mini-function serving as a building block for the MCF function 230 (Figs. 2A and 2B) comprised in the CKR function 110 of Figs. 2A and 2B.
  • the MCF function preferably uses between round key generation function and 50, inclusive, layers of mini-functions 400, where each of the mini-functions 400 preferably comprises two micro-functions, a balanced micro-function BF 410 and a non-linear micro-function NLF 420.
  • a balanced micro-function BF 410 is defined as follows: a set of the input bits for the balanced function are denoted as the balancing set and for every selection of the other input bits, a uniform distribution on the balancing set guarantees uniform distribution on the output (i.e., a uniform distribution of zeros and ones input guarantees a uniform distribution of zeros and ones output).
  • a XOR operation is a balanced function for which each of the input bits is a balancing set.
  • the mini-functions 400 are preferably designed as follows: the input bits are preferably input into a splitter 415, which splits the balancing set of bits from the other input bits;
  • NLF 420 is preferably executed on the other input bits; and afterwards BF 410 is preferably executed on the output of NLF 420 and on the balancing set of bits, received from the splitter 415.
  • the balancing set of bits goes through a third type of micro-functions, comprising an invertible transformation, such as a 2bit-to-2bit S-box, where the balancing set comprises 2 bits.
  • Putting the balancing set through the invertible transformation is preferably performed simultaneously with the NLF, and thus, employing the third micro-function can be performed preferably without cost in execution time.
  • the following functions process 3-bit inputs (according to the design criteria stated immediately above):
    1. (input1 v input2) ⁇ input3;
    2. NOT ((input1 ⁇ input2) ⁇ input3);
    3. The Majority function; and
    4. MUX, where a single bit selects which of the two other input bits to output.
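The definition of a balancing set can be checked exhaustively for small functions. The following is an added example, not code from the patent: it tests XOR, Majority and MUX against the definition, then assembles mini-functions from a splitter, an NLF and a BF, with an invertible and a non-invertible 2-bit transformation on the balancing set. The 2-bit S-box values and all names are constructed for illustration.

```python
from itertools import combinations, product


def is_balancing_set(f, n, subset):
    """True if, for every fixed value of the other inputs, a uniform
    distribution on `subset` gives a uniform 1-bit output of f."""
    others = [i for i in range(n) if i not in subset]
    for fixed in product((0, 1), repeat=len(others)):
        ones = 0
        for free in product((0, 1), repeat=len(subset)):
            bits = [0] * n
            for i, v in zip(others, fixed):
                bits[i] = v
            for i, v in zip(subset, free):
                bits[i] = v
            ones += f(*bits)
        if 2 * ones != 2 ** len(subset):
            return False
    return True


def balancing_sets(f, n):
    """All non-empty sets of input positions that are balancing sets of f."""
    return [s for k in range(1, n + 1)
            for s in combinations(range(n), k) if is_balancing_set(f, n, s)]


def xor3(a, b, c):
    return a ^ b ^ c


def majority(a, b, c):
    return (a & b) | (a & c) | (b & c)


def mux(sel, a, b):
    """A single bit selects which of the two other input bits to output."""
    return a if sel else b


def mini_function(nlf, bf, n_other, transform=None):
    """Splitter + NLF + BF: inputs 0..n_other-1 go to the NLF; the remaining
    inputs are the balancing set, optionally passed through `transform`."""
    def f(*bits):
        other, bal = bits[:n_other], bits[n_other:]
        if transform is not None:
            bal = transform(bal)
        return bf(nlf(*other), *bal)
    return f


# Third micro-function: an invertible 2bit-to-2bit S-box (constructed values).
SBOX2 = {(0, 0): (1, 0), (0, 1): (1, 1), (1, 0): (0, 0), (1, 1): (0, 1)}


def lossy(bal):
    """A non-invertible 2-bit map, for contrast: (a, b) -> (a AND b, a OR b)."""
    return (bal[0] & bal[1], bal[0] | bal[1])


# NLF = Majority on three bits, BF = XOR with a one-bit balancing set.
MINI_XOR = mini_function(majority, lambda x, d: x ^ d, 3)
# BF = MUX: the NLF output selects one of the two balancing bits.
MINI_MUX = mini_function(majority, mux, 3, transform=lambda bal: SBOX2[bal])
MINI_BAD = mini_function(majority, mux, 3, transform=lossy)

if __name__ == "__main__":
    print("xor3     :", balancing_sets(xor3, 3))
    print("majority :", balancing_sets(majority, 3))
    print("mux      :", balancing_sets(mux, 3))
    print("mini, XOR as BF          :", is_balancing_set(MINI_XOR, 4, (3,)))
    print("mini, MUX + invertible   :", is_balancing_set(MINI_MUX, 5, (3, 4)))
    print("mini, MUX + non-invertible:", is_balancing_set(MINI_BAD, 5, (3, 4)))
```

Majority alone has no balancing set smaller than its whole input, which is why it serves as an NLF and needs a BF after it; the non-invertible map on the balancing set destroys the balance the MUX would otherwise give.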
  • the mini-functions 400 in layer i preferably receive inputs from the outputs of the mini-functions 400 in layer i-1. Selection of which output of layer i-1 goes to which input of layer i is preferably performed in a manner that preferably maximizes the mixing between layers and thus preferably avoids localization effects.
  • the exact MCF 230 (Figs. 2A and 2B) utilized is automatically generated during design.
  • the MCF utilized preferably passes several statistical tests measuring correlation between output bits (in particular, linear correlations).
  • the statistical tests are preferably not restricted to input and output, but preferably also measure correlations in internal layers between inputs and outputs.
  • Appendix B is a description of a method for robust cipher design, comprising a preferred method of key expansion and set up and a preferred implementation of a round key encryption function, the method of Appendix B comprising a preferred implementation of the Feistel-like structure of Fig. 1.
  • the two versions are preferably used in an alternating manner throughout the rounds of the Feistel-like structure 100 (Fig. 1).
  • Feistel-like structure 100 as a whole preferably remains strong.
  • a "faulty" function in the present context is either a cryptographically weak function (e.g., having strong linear or differential properties) or a function that is easy to emulate in software.
  • Fig. 5 is an illustration of a Combine RightPart Combine LeftPart (CRL) function 120 comprised in the hardened Feistel-like structure 100 of Fig. 1.
  • the CRL 120 function combines the
  • the CRL function 120 preferably complies with the following design criteria:
  • CRL 120 is preferably not an involution. That is, ICRL preferably differs significantly from CRL 120 (as opposed, for example, to the XOR function that is used in DES).
  • the CRL function 120 preferably comprises two stages, each stage working on small sub-blocks.
  • each sub-block comprises 4 bits.
  • a permutation is preferably applied to the result, breaking any locality effect of working on small sub-blocks.
  • the first stage comprises a linear layer LL 510 that mixes the control input with the transform input.
  • a bit-permutation PL 520 is preferably applied to the result of the LL 510.
  • the output of PL 520 is preferably input into an S-boxes layer SL 530, comprised of sixteen 4-bit to 4-bit S-boxes.
  • bit-permutation (not depicted) is preferably applied to the output of SL 530.
  • FIG. 6 is an illustration of one preferred implementation of the linear layer 510 in the Combine RightPart
  • LL 510 comprises a first splitter
  • a second splitter splits control input into 4-bit micro-blocks.
  • the 4-bit micro-blocks resulting from the control input are preferably used to determine a linear transformation (LT).
  • the determined transformation is preferably applied to the input 4-bit micro-blocks, thereby producing a 4-bit output micro-block.
  • Linear transform operations of the control data 4-bit micro-blocks and the transform data 4-bit micro-blocks are depicted in Fig. 6 as "LT".
  • AJC $A_{42}(C)\;\; A_{43}(C)\;\; A_{44}(C)$ for $A_{ij}$'s which are 4bit-to-1bit functions which are applied to the control input, and
  • A(C) is invertible; that is there exists B(C), such that:
  • B(C) $B_{21}(C)\;\; B_{22}(C)\;\; B_{23}(C)\;\; B_{24}(C)$
  • A(C) comprises:
    $$A(C) = \begin{pmatrix} A_{11}(C) & A_{12}(C) & A_{13}(C) & A_{14}(C) \\ A_{21}(C) & A_{22}(C) & A_{23}(C) & A_{24}(C) \\ A_{31}(C) & A_{32}(C) & A_{33}(C) & A_{34}(C) \\ A_{41}(C) & A_{42}(C) & A_{43}(C) & A_{44}(C) \end{pmatrix}$$
  • the transformation A(C) is used during decryption, then during encryption the inverse transformation of A(C) is used.
  • the inverse transformation B(C) is the composition of the transformations in reversed order.
  • the results of all linear transformations are preferably input into join function 630.
  • Join function 630 preferably joins the results of all 16 linear transformations into one 64 bit value.
  • the 64 bit output of join function 630 is preferably input into bit-permutation PL 520, thereby producing a 64 bit permuted output.
  • Bit-permutations are well known cryptographic structures.
  • Fig. 7 is an illustration of one preferred implementation of an S-boxes layer in the Combine RightPart Combine LeftPart (CRL) function 120 of Fig. 5.
  • the layer of S-boxes SL 530 (Fig. 5) preferably comprises 4-bit to 4-bit S-boxes, which are preferably simple to implement in hardware and still comprise a significant contribution to non-linearity of the hardened Feistel-like structure 100 (Fig. 1).
  • the 64-bit input is input into an S-box splitter 710.
  • the S-box splitter 710 preferably divides the 64-bit input into 16 4-bit micro-blocks.
  • the 16 4-bit micro-blocks go through sixteen S-boxes 720. Output from the sixteen S-boxes 720 is all mixed in a bit permutation join function 730.
  • Appendix C which is a copy of Appendix A.5 of the Serpent Cipher specification, describing S-boxes S0 through S7 of the Serpent Cipher.
  • Fig. 8 is an illustration of one preferred implementation of a key expansion function 800 comprised in the hardened Feistel-like structure 100 of Fig. 1.
  • the key setup function 800 preferably extends a 128-bit key to RN 100-bit round keys (RN is the number of rounds).
  • the key expansion function is preferably designed according to the following principles:
  • the key expansion function 800 takes advantage of the fact that the MCF preferably comprises two variations; one variation is preferably active during any round in the MCF function for the CKR 110 (Figs. 2A and 2B), while the other variation is preferably available for use.
  • the key expansion function 800 therefore preferably uses the available MCF function in order to generate the round keys in a cryptographically secure manner. Imitating a typical design for stream ciphers, the key setup function
  • a first function, state update 810 is preferably operative to update a state.
  • the second function, round key generation 830 preferably derives a new round key 840 from the new state.
  • the state update 810 and round key generation 830 functions are executed in an alternating order generating round keys 840 which are preferably cryptographically decoupled from the key itself, as well as from each other.
  • the state of the key setup is preferably a 128-bit shift register.
  • the 128-bit shift register is initialized 850 with the 128-bit key.
  • the state update function 810 preferably comprises a circular rotation of the 128-bit register. It is appreciated that the number of rounds (RN) is preferably smaller than the size of the 128-bit register, and thus the state update function preferably does not loop during a round.
  • in order to get the round keys in the proper order (reverse order from the order used during encryption), a decrypter preferably receives the state in the reverse of the order used during encryption.
  • decryption preferably begins with shifting the shift register as many times as needed in order to get the state appropriate for the last round key. Each subsequent round then preferably shifts the state in the opposite direction to the direction used to circularly shift the state during encryption.
  • the decryption key is the result of applying a linear transformation (calculated in advance and hard-wired) on the encryption key, and then the LFSRs are preferably rolled back to get the round keys in the reverse order.
  • an additional XOR with a predefined round string may preferably be applied after the state update function 810.
  • Fig. 9 is an illustration of one preferred implementation of round key generation 830 utilizing the Mix and Condense function (MCF) 230 (Figs. 2A and 2B) in the key expansion function 800 of Fig. 8.
  • MCF Mix and Condense function
  • the round key generation 830 function inputs the 128-bit state into the MCF 230 (Figs. 2A and 2B) and takes the 100-bit output as the next round key, as discussed above with reference to Appendix B.
  • the following are design principles for selecting the order of using the MCF variations in the key setup and the round operation:
  • the round operation preferably uses A and B in the following order: A A B B A A B B A A B B A A B B ...
  • the key setup operation uses the function that is left available, i.e., B on rounds 1, 2 (preparing the keys for round 2, 3), A on round 3, 4 (preparing the key for round 4, 5) etc.
  • rounds of the hardened Feistel-like structure 100 have the following combinations as round key derivation and round operation: Round 4t+l: AA; Round 4t+2: BA; Round 4t+3: BB; and
  • MCF 230 (Figs. 2A and 2B) that is preferably used in the round operation and the MCF that is used in the key expansion have different sizes of inputs and outputs. Specifically, a 128 bit value is preferably input in order to produce a 100 bit output for key setup, and a 100 bit value is preferably input in order to produce a 64 bit output for a round operation.
  • the implemented MCFs are preferably implementations of 100 bits going to 128 bits going to 100 bits going to 64 bits, where most of the layers are in the 128 bits going to 100 bits part.
  • the round operation uses the whole function and the key expansion uses only the middle part of the function.
  • the blowing effect herein described also contributes to preferably making the function hard to emulate in software.
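The key setup described above, with its alternating use of the two MCF variations and the reverse-order state walk for decryption, can be simulated end to end. The following is an added sketch, not code from the patent: the one-bit rotation per round, the use of truncated SHA-256 as a stand-in for the 128-bit to 100-bit part of the MCF, the sample key and all function names are assumptions.

```python
import hashlib

MASK128 = (1 << 128) - 1
KEY = 0x0123456789ABCDEFFEDCBA9876543210   # constructed 128 bit key
ROUNDS = 44                                 # within the 40 to 50 range


def rotl128(x, n=1):
    """Circular left rotation of the 128-bit state register."""
    n %= 128
    return ((x << n) | (x >> (128 - n))) & MASK128


def rotr128(x, n=1):
    """Circular right rotation, the opposite direction used for decryption."""
    return rotl128(x, 128 - (n % 128))


def round_mcf(r):
    """MCF variation used by the round operation of round r (1-based):
    A A B B A A B B ..."""
    return "A" if (r - 1) % 4 < 2 else "B"


def key_mcf(r):
    """MCF variation that derives the key of round r. The key is prepared
    while round r-1 runs, by the variation that round leaves available."""
    return "B" if round_mcf(r - 1) == "A" else "A"


def pairing(r):
    """Round key derivation followed by round operation, e.g. 'BA'."""
    return key_mcf(r) + round_mcf(r)


def mcf_stand_in(variation, state):
    """Stand-in for the 128-bit to 100-bit part of MCF variation A or B.
    Truncated SHA-256 is used only to make the data flow runnable."""
    data = variation.encode() + state.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - 100)


def encryption_round_keys(key, rounds):
    """Alternate state update 810 and round key generation 830."""
    state, keys = key, []
    for r in range(1, rounds + 1):
        state = rotl128(state)                          # state update
        keys.append(mcf_stand_in(key_mcf(r), state))    # round key generation
    return keys


def decryption_round_keys(key, rounds):
    """Shift to the state of the last round key, then walk backwards."""
    state = rotl128(key, rounds)
    keys = []
    for r in range(rounds, 0, -1):
        keys.append(mcf_stand_in(key_mcf(r), state))
        state = rotr128(state)
    return keys


if __name__ == "__main__":
    print(" ".join(pairing(r) for r in range(1, 9)))
    enc = encryption_round_keys(KEY, ROUNDS)
    dec = decryption_round_keys(KEY, ROUNDS)
    print("decryption order is reversed encryption order:", dec == enc[::-1])
```

The pairings come out as AA, BA, BB, AB and then repeat, which follows from the rule that key setup always takes the variation the current round is not using.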
  • FIGs. 10 - 13 are simplified flowchart illustrations of preferred alternative methods of operation of the hardened Feistel-like structure of Fig. 1, in accordance with preferred embodiments thereof.
  • the methods of Figs. 10 - 13 are believed to be self explanatory with reference to the above discussion.
  • Appendix D comprises a description of certain alternative preferred embodiments of the present invention. It is appreciated that software components of the present invention may, if desired, be implemented in ROM (read only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques.

Abstract

The invention relates to a method and a system for encrypting a block of data, the method comprising providing a combining unit operative to combine a key with a block of data, the block of data being expressed as a block of bits, providing a mix and condense unit (MAC) operative to mix bits included in the block of bits among themselves, providing a plurality of layers of S-boxes, the S-boxes being operative to receive an input comprising an input which has not yet been input into the mix and condense unit and to provide an output comprising an input to the mix and condense unit, receiving an input comprising the block of data expressed as the block of bits, combining, at the combining unit, the block of bits with a key, receiving an output of the combining unit as an input, substituting bits comprising the input to the plurality of layers of S-boxes with bits comprising the output of the plurality of layers of S-boxes, providing the output of the plurality of layers of S-boxes to the mix and condense unit, and mixing, at the mix and condense unit, the output of the plurality of layers of S-boxes, thereby producing an encrypted block of bits.
PCT/IB2007/054592 2007-03-27 2007-11-12 Method and system for block cipher encryption WO2008117142A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL182246 2007-03-27
IL182246A IL182246A0 (en) 2007-03-27 2007-03-27 Method and system for block cipher encryption

Publications (2)

Publication Number Publication Date
WO2008117142A1 true WO2008117142A1 (fr) 2008-10-02
WO2008117142A9 WO2008117142A9 (fr) 2009-05-14

Family

ID=39316389

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/054592 WO2008117142A1 (fr) 2007-03-27 2007-11-12 Method and system for block cipher encryption

Country Status (2)

Country Link
IL (1) IL182246A0 (fr)
WO (1) WO2008117142A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1133100A2 (fr) * 2000-03-06 2001-09-12 Kabushiki Kaisha Toshiba Block encryption and decryption method and apparatus
WO2007043045A2 (fr) * 2005-10-10 2007-04-19 Nds Limited Method and system for block cipher encryption

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ANDERSON R ET AL: "SERPENT: A PROPOSAL FOR THE ADVANCED ENCRYPTION STANDARD", SERPENT: A PROPOSAL FOR THE ADVANCED ENCRYPTION STANDARD, XX, XX, 1998, pages 1 - 23, XP001028802 *
MENEZES A ET AL: "Handbook of Applied Cryptography", HANDBOOK OF APPLIED CRYPTOGRAPHY, CRC PRESS SERIES ON DISCRETE MATHEMATICES AND ITS APPLICATIONS, BOCA RATON, FL, CRC PRESS, US, 1997, pages 223 - 282, XP002209334, ISBN: 0-8493-8523-7 *
P. JUNOD AND S. VAUDENAY: "FOX: a New Family of Block Ciphers", SELECTED AREAS IN CRYPTOGRAPHY 2004, 9 August 2004 (2004-08-09), Waterloo, CANADA, XP002478578 *

Also Published As

Publication number Publication date
WO2008117142A9 (fr) 2009-05-14
IL182246A0 (en) 2008-01-06

Similar Documents

Publication Publication Date Title
AU2006324920B2 (en) Method and system for usage of block cipher encryption
US5745577A (en) Symmetric cryptographic system for data encryption
EP0618701B1 (fr) Hardware device for encrypting bit blocks with key renewal at each iteration
US5623549A (en) Cipher mechanisms with fencing and balanced block mixing
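JP4712017B2 (ja) Message authentication code generation method using a stream cipher, authenticated encryption method using a stream cipher, and authenticated decryption method using a stream cipher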
US10333702B2 (en) Updating key information
US8437470B2 (en) Method and system for block cipher encryption
US8509427B2 (en) Hybrid mode cryptographic method and system with message authentication
EP2016524B1 (fr) Robust cipher design
CA3051928A1 (fr) Equivocation augmentation dynamic secrecy system
JP2005527853A (ja) Advanced Encryption Standard (AES) hardware cryptographic engine
WO2006048704A1 (fr) Methods of encoding and decoding data
Wenceslao Jr Enhancing the performance of the advanced encryption standard (AES) algorithm using multiple substitution boxes
Patil et al. An enhancement in international data encryption algorithm for increasing security
Wenceslao Jr Performance efficiency of modified AES algorithm using multiple S-boxes
WO2008117142A1 (fr) Method and system for block cipher encryption
JPWO2008117804A1 (ja) Pseudorandom number generation device, program and method for stream ciphers
Cook et al. Elastic block ciphers: the basic design
Izotov et al. Controlled operations as a cryptographic primitive
Salih et al. Dynamic Stream Ciphering Algorithm
JP2001215874A (ja) Subkey generation device and program recording medium therefor
Roy et al. RASS—A concurrency based bitwise symmetric key cryptographic algorithm
Yaw PGP: An Algorithmic Overview
Alwane et al. KEY EXTENDED-BASE DES ALGORITHM
Barni Symmetric Cryptography

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07849096

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07849096

Country of ref document: EP

Kind code of ref document: A1