US 20020025035 A1 Abstract A plaintext message to be encrypted is segmented into a number of words, e.g., four words stored in registers A, B, C and D, and an integer multiplication function is applied to a subset of the words, e.g., to the two words in registers B and D. The use of such an integer multiplication greatly increases the diffusion achieved per round of encryption, allowing for higher security per round, and increased throughput. The integer multiplication function may be a quadratic function of the form ƒ(x)=x(ax+b), where a is an even integer and b is an odd integer, or other suitable function such as a higher-order polynomial. The results of the integer multiplication function are rotated by 1 g w bits, where 1 g denotes log base 2 and w is the number of bits in a given word, to generate a pair of intermediate results t and u. An exclusive-or of another word, e.g., the word in register A, and one of the intermediate results, e.g., t, is rotated by an amount determined by the other intermediate result u. Similarly, an exclusive-or of the remaining word in register D and the intermediate result u is rotated by an amount determined by the other intermediate result t. An element of a secret key array is applied to each of these rotation results, and the register contents are then transposed. This process is repeated for a designated number of rounds to generate a ciphertext message. Pre-whitening and post-whitening operations may be included to ensure that the input or output does not reveal any internal information about any encryption round. Corresponding decryption operations may be used to decrypt the ciphertext message.
Claims(27) 1. A method of encrypting a plaintext message, comprising the steps of:
(a) segmenting the plaintext message into a plurality of words; (b) applying an integer multiplication function to at least one of the words; (c) rotating a value which is based on the result of the applying step (b) by a first number of bits; (d) rotating a value which is based on the result of the rotating step (c) by a second number of bits derived from another one of the words; (e) applying a secret key to a value which is based on the result of step (d); and (f) repeating steps (b), (c), (d) and (e) for a designated number of rounds. 2. The method of 3. The method of 4. The method of 5. The method of 6. The method of ^{w}), where w is the number of bits in a given one of the words. 7. The method of 8. The method of 9. The method of (i) computing an exclusive-or of one of the other words and one of the two intermediate results;
(ii) rotating the result of step (i) by an amount given by the other intermediate result; and
(iii) applying an element of a secret key array to the result of step (ii).
10. The method of 11. The method of 12. The method of 13. An apparatus for encrypting a plaintext message, comprising:
a memory for storing at least a portion of a secret key; and a processor associated with the memory, wherein the processor is operative:
(a) to segment the plaintext message into a plurality of words;
(b) to apply an integer multiplication function to at least one of the words;
(c) to rotate a value which is based on the result of operation (b) by a first number of bits;
(d) to rotate a value which is based on the result of operation (c) by a second number of bits derived from another one of the words;
(e) to apply the portion of the secret key to a value which is based on the result of operation (d); and
(f) to repeat operations (b), (c), (d) and (e) for a designated number of rounds.
14. The apparatus of 15. The apparatus of 16. The apparatus of 17. The apparatus of 18. The apparatus of ^{w}), where w is the number of bits in a given one of the words. 19. The apparatus of 20. The apparatus of 21. The apparatus of (i) computing an exclusive-or of one of the other words and one of the two intermediate results;
(ii) rotating the result of operation (i) by an amount given by the other intermediate result; and
(iii) applying an element of a secret key array to the result of operation (ii).
22. The apparatus of 23. The apparatus of 24. The apparatus of 25. A computer-readable medium for storing one or more programs for encrypting a plaintext message, wherein the one or more programs when executed implement the steps of:
(a) segmenting the plaintext message into a plurality of words; (b) applying an integer multiplication function to at least one of the words; (c) rotating a value which is based on the result of the applying step (b) by a first number of bits; (d) rotating a value which is based on the result of the rotating step (c) by a second number of bits derived from another one of the words; (e) applying a secret key to a value which is based on the result of step (d); and (f) repeating steps (b), (c), (d) and (e) for a designated number of rounds. 26. A method of decrypting a ciphertext message, comprising the steps of:
(a) segmenting the ciphertext message into a plurality of words; (b) applying an integer multiplication function to at least one of the words; (c) rotating a value which is based on the result of the applying step (b) by a first number of bits; (d) rotating a value which is based on the result of the rotating step (c) by a second number of bits derived from another one of the words; (e) applying a secret key to a value which is based on the result of step (d); and (f) repeating steps (b), (c), (d) and (e) for a designated number of rounds. 27. An apparatus for decrypting a ciphertext message, comprising:
a memory for storing at least a portion of a secret key; and a processor associated with the memory, wherein the processor is operative:
(a) to segment the ciphertext message into a plurality of words;
(b) to apply an integer multiplication function to at least one of the words;
(c) to rotate a value which is based on the result of operation (b) by a first number of bits;
(d) to rotate a value which is based on the result of operation (c) by a second number of bits derived from another one of the words;
(e) to apply the portion of the secret key to a value which is based on a result of operation (d); and
(f) to repeat operations (b), (c), (d) and (e) for a designated number of rounds.
Description [0001] The present invention relates generally to cryptography, and more particularly to block ciphers for implementing encryption and decryption operations in cryptographic applications. [0002] In a conventional block cipher cryptographic system, a plaintext message is encrypted using a secret key, and is transmitted in its encrypted form. A receiver decrypts the encrypted message using the same secret key in order to recover the plaintext message. An example of a conventional block cipher is the Data Encryption Standard (DES) cipher. DES and other conventional block ciphers are described in B. Schneier, Applied Cryptography, pp. 154-185 and 219-272, John Wiley & Sons, New York, 1994, which is incorporated by reference herein. An improved block cipher utilizing data-dependent rotations is described in U.S. Pat. No. 5,724,428, issued Mar. 3, 1998 in the name of inventor R. L. Rivest, which is incorporated by reference herein. This improved cipher is referred to as RC5™, which is a trademark of RSA Data Security, Inc. of Redwood City, Calif., the assignee of U.S. Pat. No. 5,724,428. The RC5™ block cipher in an illustrative embodiment provides improved performance in part through the use of data-dependent rotations in which a given word of an intermediate encryption result is cyclically rotated by an amount determined by low-order bits of another intermediate result. [0003] The security of the RC5™ block cipher is analyzed in, for example, in B. S. Kaliski Jr. and Y. L. Yin, “On Differential and Linear Cryptanalysis of the RC5™ Encryption Algorithm,” in D. Coppersmith, ed., Advances in Cryptology—Crypto '95, Vol. 963 of Lecture Notes in Computer Science, pp. 171-184, Springer Verlag, 1995; L. R. Knudsen and W. Meier, “Improved Differential Attacks on RC5™,” in N. Koblitz, ed., Advances in Cryptology—Crypto '96, Vol. 1109 of Lecture Notes in Computer Science, pp. 216-228, Springer Verlag, 1996; A. A. Selcuk, “New Results in Linear Cryptanalysis of RC5™,” in S. Vaudenay, ed., Fast Software Encryption, Vol. 1372 of Lecture Notes in Computer Science, pp. 1-16, Springer Verlag, 1998; and A. Biryukov and E. Kushelevitz, “Improved Cryptanalysis of RC5™,” to appear in proceedings of Advances in Cryptology—Eurocrypt '98, Lecture Notes in Computer Science, Springer Verlag, 1998; all of which are incorporated by reference herein. These analyses have provided a greater understanding of how the structure and operations of RC5™ contribute to its security. Although no practical attack on RC5™ has been found, the above-cited references describe a number of interesting theoretical attacks. [0004] It is therefore an object of the present invention to provide a further improved block cipher which not only exhibits additional security by thwarting one or more of the above-noted theoretical attacks, but also exhibits an enhanced implementability in a wide variety of cryptographic applications. [0005] The present invention provides an improved block cipher in which data-dependent rotations are influenced by an additional primitive operation which is in the form of an integer multiplication. The use of such an integer multiplication greatly increases the diffusion achieved per round of 15=encryption, allowing for higher security per round, and increased throughput. The integer multiplication is used to compute rotation amounts for data-dependent rotations, such that the rotation amounts are dependent on substantially all of the bits of a given register, rather than just low-order bits as in the above-described embodiment of the RC5™ block cipher. [0006] In an illustrative embodiment of the invention, a plaintext message to be encrypted is segmented into four words stored in registers A, B, C and D, and an integer multiplication function is applied to two of the words in registers B and D. The integer multiplication function may be a quadratic function of the form ƒ(x)=x(ax+b), where a is an even integer and b is an odd integer. Other types of functions, including polynomials with degree greater than two, may be used in alternative embodiments. The results of the integer multiplication function in the illustrative embodiment are rotated by 1 g w bits, where 1 g denotes log base [0007]FIGS. 1 and 2 show exemplary encryption and decryption processes, respectively, in accordance with illustrative embodiments of the invention. [0008]FIGS. 3 and 4 are diagrams illustrating the computations involved in the encryption and decryption processes of FIGS. 1 and 2, respectively. [0009]FIG. 5 shows an exemplary key generation process in accordance with the invention. [0010]FIG. 6 shows an illustrative system incorporating encryption and decryption processes in accordance with the invention. [0011] The illustrative embodiment of the invention to be described below is designed to meet the requirements of the Advanced Encryption Standard (AES) as set forth by the National Institute of Standards and Technology (NIST). To meet the requirements of the AES, a block cipher must handle 128-bit input and output blocks. The specified target architecture and languages for the AES do not yet support 64-bit operations in an efficient and clean manner. The illustrative embodiment to be described below uses four 32-bit registers. The invention thus exploits 32-bit operations, such as integer multiplications, that are efficiently implemented on modern processors. [0012] The illustrative block cipher in accordance with the invention is referred to as RC6™, which is a trademark of RSA Data Security, Inc. of Redwood City, Calif., assignee of the present application. [0013] Like the above-described RC5™ block cipher, the RC6™ block cipher in accordance with the invention may be viewed as a parameterized family of encryption algorithms. A given version of RC6™ can be specified as RC6™-w/r/b, where the word size is w bits, the encryption process includes a nonnegative number of rounds r, and b denotes the length of the encryption key in bytes. Of particular relevance to the AES will be versions of RC6™ with 16-, 24- and 32-byte keys. For all variants in the illustrative embodiment, RC6™-w/r/b operates on four w-bit words using the following six basic operations. The base-two logarithm of w will be denoted by 1 g w.
[0014] Note that in the following description of RC6™ the term “round” is in accordance with the more established DES-like idea of a round, i.e., half of the data is updated by the other half, and the two are then swapped. Various descriptions of the RC5™ block cipher have used the term “half-round” to describe this type of action, such that a given RC5™ round included two half-rounds. The present description will utilize the more established meaning of a “round.” [0015]FIG. 1 illustrates an encryption process in accordance with the illustrative embodiment of the invention. As noted above, the illustrative embodiment uses four w-bit input registers. These registers, which are designated A, B, C and D, contain an initial plaintext message to be encrypted, as well as the output ciphertext message at the end of encryption. The designations A, B, C and D will also be used herein to refer to the contents of the registers. The first byte of plaintext or ciphertext is placed into the least-significant byte of A; the last byte of plaintext or ciphertext is placed into the most-significant byte of D. The operation (A, B, C, D)=(B, C, D, A) denotes the 30 parallel assignment of values on the right to registers on the left. In the encryption process of FIG. 1, the user supplies a key of b bytes. Extra zero bytes are appended to the key if necessary to make the length of the key a non-zero multiple of four bytes. From this, 2r+4 w-bit words are derived which are stored in an array S[0, . . . , 2r+3]. This array is used in both encryption and decryption. Additional aspects of the key schedule are described below in conjunction with FIG. 5. [0016] The input to the encryption process of FIG. 1 includes a plaintext message stored in registers A, B, C and D, a specified number r of rounds, and the w-bit secret key in the form of the above-noted array S[0, . . . , 2r+3]. The output ciphertext is stored in the registers A, B, C and D. The steps of the encryption process are shown as pseudocode in FIG. 1, and are illustrated in a process diagram in FIG. 2. Referring to FIG. 2, the operations between the horizontal dashed lines are repeated in the for loop of the pseudocode for each of the r rounds. Before entering the loop, the contents of register B are summed in operation [0017] The pre-whitened value of B is supplied to an operation ƒ( [0018] has the following properties: (i) when a is even and b is odd, ƒ(x) maps {0, 1, . . . , 2 [0019] The output of operation [0020] The corresponding steps of the decryption process are shown as pseudocode in FIG. 3 and illustrated in a process diagram in FIG. 4. The input to the decryption process is the ciphertext stored in the four w-bit registers A, B, C and D, the number of rounds r, and the secret round key array S[0, . . . , 2r+3]. The output of the decryption process is the original plaintext. Operations [0021] The function ƒ(x)=x(2x+1) is applied in operation 44 to D, and the result, which corresponds to (D×(2D+1)), is rotated to the left by 1 g w bits in operation [0022] The above-described illustrative embodiment includes at least two significant changes relative to the conventional RC5™ block cipher. These are the introduction of the quadratic function ƒ(x)=x(2x+1) and the fixed rotation by 1 g w bits. The use of the quadratic function is aimed at providing a much faster rate of diffusion thereby improving the chances that simple differentials will spoil rotation amounts much sooner than in RC5™. The quadratically transformed values of B and D are used in place of B and D as additives for the registers A and C, increasing the nonlinearity of the cipher while not losing any entropy (since the transformation is a permutation). The fixed rotation plays a simple yet important role in hindering both linear and differential cryptanalysis. [0023]FIG. 5 shows an example of a key schedule suitable for use in generating the secret key array S[0, . . . , 2r+3] used in the illustrative embodiment of FIGS. 1 through 4. The key schedule of FIG. 5 is similar to that used for RC5™ and described in detail in the above-cited U.S. Patent No. 5,724,428, but derives more words from the user-supplied key for use during encryption and decryption. The key schedule uses two w-bit registers A and B, along with variables i, j, v and s. The inputs to the key schedule are a user-supplied key of b bytes, and the number of rounds r. The output is the array S[0, . . . , 2r+3] of w-bit round keys. Extra zero bytes are appended to the user-supplied key if necessary to make the length of the key a non-zero multiple of w/8 bytes. This is then stored as a sequence of c w-bit words L[0], . . . L[c−1], with the first byte of the key stored as the low-order byte of L[0], etc., and L[c−1] padded with high order zero bytes if necessary. Note that if b=0, then c=1 and L[0 ] =0. [0024] In the key generation procedure shown in FIG. 5, element S[0] is initiated to a designated constant P [0025]FIG. 6 shows one possible implementation of the invention. A secure communication system [0026] The transmitter [0027] Illustrative performance measurements for the above-described encryption and decryption processes are given in TABLE 1 below. The performance figures do not include key setup, and are therefore applicable to any key size b. The performance figures shown here for an optimized ANSI C implementation of RC
[0028]
[0029] It can be seen that the RC6™-32/20/b encryption process provides greater throughput in Mbits/sec at 200 MHz than the corresponding RC5™-32/16/16 encryption process, for each of the three exemplary software implementations of TABLE 2. As noted above, the encryption times given in TABLES 1 and 2 do not include key setup, and are independent of the length of the user-supplied key. It is expected that the key setup required for both RC6™-32/20/b and RC5™-32/16/b will be approximately the same. Timings in the ANSI C case were obtained by encrypting or decrypting a single 3,000-block piece of data. The timings in Java and assembly were obtained by encrypting or decrypting a single block 10,000 times. Faster implementations may well be possible. [0030] Estimates will now be given for the performance of RC6™-32/20/16 on 8-bit platforms such as those that may be found in smart cards and other similar devices. In particular, estimates will be considered for the Intel MCS-51 microcontroller family. It is expected that the estimates can be considered to hold for other types of processors, such as the Philips 80C51 family, that have similar instruction sets and timings. A given round of RC6™-32/20/16 encryption includes six additions, two exclusive-ors, two squarings, two left-rotates by 1 g 32=5 bits, and two left-rotates by a variable quantity r. Note that this counts (B×(2B+1))=2B [0031] 1. A 32-bit addition can be computed using four 8-bit additions with carry (ADDC). [0032] 2. A 32-bit exclusive-or can be computed using four 8-bit exclusive-ors (XRL) [0033] 3. A 32-bit squaring can be computed using six 8-bit by 8-bit multiplications (MUL) and eleven ADDCs. Note that six multiplications are enough since we only need the lower 32 bits of the 64-bit product. [0034] 4. Rotating a 32-bit word left by five can be computed by rotating the word right by one bit position three times and then permuting the four bytes. Note that rotating the word right by one bit position can be done using four byte rotations with carry (RRC). [0035] 5. Rotating a 32-bit word left by r can be computed by rotating the word left or right by one bit position r′ times (r′≦4, with average two) and then permuting the four bytes appropriately. The five bits of r are used to determine r′ and the permutation which can be controlled using jumps (JB). [0036] 6. Most instructions take one cycle except MUL which takes four cycles and JB which takes two cycles. [0037] Using the above observations, the total number of processor clock cycles needed to implement one round of RC6™-32/20/16 on an 8-bit microcontroller or other similar platform is summarized in TABLE 3 below.
[0038] Taking conservative account of the addressing instructions, the pre-whitening, post-whitening and any additional overheads, we estimate that encrypting one block of data with RC6™-32/20/16 requires about (174×20)×4=13,920 cycles. Assuming that a single cycle on the Intel MCS-51 microcontroller takes one microsecond, an estimate for the encryption speed of RC6™-32/20/16 on this particular processor is about (1,000,000/13,920)×1289.2 Kbits/second. As for the key setup, the dominant loop in the FIG. 5 process is the second for loop. For b=16, 24, 32 and r=20, the number of iterations in this loop is v=max {20×2+4, b/4}=132, which is independent of b. Each iteration in the second for loop uses four 32-bit additions, one rotate to the left by three, and one variable rotate to the left by r. In addition, there are some 8-bit operations which will be included as overheads. Following an analysis similar to that given above for the encryption process, the total estimated number of cycles for each iteration, ignoring addressing instructions, is 52. Again, making a conservative estimate for the additional overheads, we estimate about (52×132)×4=27,456 cycles to set up a 128-, 192-or 256-bit key, which will require about 27 milliseconds on an Intel MCS-51 microcontroller. [0039] An estimate of hardware requirements for a custom or semi-custom hardware implementation of the invention will now be provided. The most relevant parameters are the silicon area, speed and power consumption of a 32×32 integer multiplication. We estimate that this multiplication may require 120×100 microns (0.012 mm [0040] In terms of security, the best attack on RC6™ appears to be an exhaustive search for the user-supplied encryption key. The data requirements to mount more sophisticated attacks, such as differential and linear cryptanalysis, can be shown to exceed the available data. In addition, there are no known examples of so-called “weak” keys. [0041] It should again be emphasized that the encryption and decryption techniques described herein are exemplary and should not be construed as limiting the present invention to any particular embodiment or group of embodiments. Alternative embodiments may use functions other than the exemplary quadratic described above, including polynomial functions with degree greater than two. In addition, the output of the function need not be taken mod 2 Referenced by
Classifications
Legal Events
Rotate |