METHOD OF AND AN ARRANGEMENT FOR
DIGITAL SIGNAL ENCRYPTION
This invention relates to a method of digital signal encryption involving a cipher algorithm in which a keystream signal is used in an exclusive-OR logical operation with a digital data signal to produce an enciphered digital data signal. With such a method, the same keystream signal and algorithm are also used to restitute the original digital data signal, in which case the data signal would, in effect, be an applied enciphered data signal and the resultant enciphered data signal would be an output deciphered data signal.
As part of the cipher algorithm, some form of feedback control may be exercised in order to increase the complexity of the manner in which the keystream signal is produced and various ways of doing this are already known in the art. A first example is described in PCT patent specification WO 80/02349 (A1) which relates to an apparatus for enciphering and deciphering data signals. In an enciphering mode a clear text bit stream is added to the output signal of a first pseudo-random bit generator and the sum signal is then added to the output of a second pseudo-random bit generator to produce an enciphered bit stream. The first generator is stepped by a sum signal formed by adding the clear text bit stream to the output signal of the second generator and the second generator is stepped by a sum signal formed by adding the clear text bit stream to the output signal of the first generator. In a deciphering mode an enciphered bit stream as produced above is added to the output signal of the first generator and the sum signal is then added to the output signal of the second generator to re-form the clear text bit stream. The generators are stepped by respective sum signals formed by adding the enciphered bit stream to the output signal of each generator itself. In each mode the generator outputs form two successive keystream signals.
A second example is described in European patent specification 0 035 048 (A1) which relates to a variable key matrix cipher system for enciphering an input stream of binary data. The bits of the data stream are modulo-two added to selected bits of a key matrix to produce a resultant output stream of binary data. The selected bits of the key matrix which are used for the modulo-two addition are progressively modified in two ways, firstly by inputting these selected bits to a non-affine transformation device which is responsive thereto to change selected elements of the key matrix and, secondly, by using bits of the resultant output stream of binary data to re-arrange or scramble the elements of the key matrix. The selected bits outputted from the key matrix form the keystream signal.
In each of these two prior art examples the feedback control which is exercised involves the actual data which is being enciphered or deciphered. In a third prior art example as described in European patent specification 0 119 972 (A1) there is exercised a feedback control which does not involve the actual data being processed. This third example relates to apparatus for ciphering/deciphering digital messages. The apparatus includes circulation registers which are set to an initial content by a predetermined inner key, together with a logic unit which produces a keystream signal on the basis of output pulses from the circulation registers. Pseudo-random control pulses are fed back from the logic unit to the circulation registers to continually vary their content.
Applicants' co-pending Application GB 8601175 describes a teletext decoder which operates using a particular form of cipher algorithm to descramble received scrambled teletext messages and also to decrypt received encrypted key signals for use in the algorithm. In this particular form of cipher algorithm a feedback control not involving the actual data being processed is utilised.
FIG. 1 of the accompanying drawings shows a block diagram which represents this particular form of cipher algorithm as used for descrambling teletext messages which have been scrambled using the same algorithm. For this algorithm, a 64-bit secret key signal K is loaded into a key register KEY-K. A second register REG-R is loaded with a 64-bit initial number signal I which, preferably, is a random number having an impulse autocorrelation function. The key signal K and the number signal I are combined one 8-bit byte at a time by a one-way function OWF which produces a resultant keystream signal Ks of successive 8-bit bytes. This keystream signal Ks is applied as one input to an exclusive-OR logical operation XOR.
An enciphered data signal CDs, composed of 8-bit data bytes and representing a scrambled teletext message which is to be descrambled, is applied as a second input to the exclusive-OR logical operation XOR. Corresponding bits of successive keystream bytes and successive data bytes are exclusive-OR'd by the logical operation XOR. The resultant deciphered data signal Ds is a descrambled version of the teletext message that was originally scrambled.
As part of the cipher algorithm each byte of the keystream signal Ks which is applied to the exclusive-OR logical operation XOR is also loaded into the register REG-R, so that the number signal I is progressively altered one 8-bit byte at a time in respect of the exclusive-OR logical operations performed on the bits of successive keystream bytes and successive data bytes.
It has now been realised that the direct feedback of the keystream signal Ks to the register REG-R can be detrimental to the security afforded by the cipher algorithm. This may be explained as follows with reference to FIG. 2, which shows some idealised digital waveforms. The waveform Dsi represents a single bit stream of a data signal composed of 8-bit bytes in parallel and representing a teletext message to be scrambled. The waveform Ksi represents a single bit stream of a keystream signal corresponding to the keystream signal Ks produced by the algorithm of FIG. 1. The waveform CDsi represents a single bit stream of the enciphered data signal CDs applied as a second input to the exclusive-OR logical operation XOR. The waveform Dsi' represents a single bit stream of the deciphered data signal Ds resulting from the exclusive-OR logical operation XOR. It can be seen that the waveforms Dsi and Dsi' are identical. It follows from the foregoing, and it can readily be seen from the remaining waveforms of FIG. 2 that, generally, if a bit stream D and a coded bit stream CD, which latter has been coded by an exclusive-OR logical operation using the bit stream D and a bit keystream BK, are used together in an exclusive-OR operation, then the resulting decoded bit stream will be the bit keystream BK.
Therefore, if when using the algorithm shown in FIG. 2, a portion of a data signal which was used in the production of a received enciphered signal is already known, it becomes possible to determine what certain bytes of the keystream signal Ks should be. Because the bytes of the keystream signal Ks are loaded into the register REG-R, the contents of this register that are needed for a given data output (data signal Ds) are thus readily obtained. This means that one of the 64-bit code inputs into the one-way function OWF is now known. It has been found that only 8 data bytes of an original data signal need be known in order to determine the contents of the register REG-R for a given data output. A trial and error procedure can thereafter be adopted to determine byte-by-byte, the value of the key signal K to be loaded into the register KEY-K using, typically, 16 further known data bytes of the original data signal. This trial and error procedure can be effected using a computer program which for each of the 256 possible values of each byte of the key signal K looks at each output bit on the keystream and compares it with the corresponding bit value already known in the keystream. In this way, the value of the key signal K is found progressively byte-by-byte. Once the key signal K has been found the security of the system is broken. It is of course to be understood that the form of one-way function used is also known or at least available for use with the discovered key signal K and with the register REG-R loaded initially with discovered bytes of the keystream signal Ks.
It is an object of the present invention to provide a more secure method of digital signal encryption using a cipher algorithm.
According to the present invention there is provided a method of digital signal encryption comprising the steps of:
(a) providing a key signal;
(b) providing an initial number signal;
(c) combining said key signal and said number signal in a cipher algorithm to produce a first keystream signal;
(d) performing an exclusive-OR logical operation with the first keystream signal and a digital data signal to produce an enciphered or a deciphered signal; and
(e) modifying progressively the number signal using a feedback control not involving the actual digital data signal being processed;
which method is characterised in that said feedback control utilises a second keystream signal which is different from said first keystream signal and is derived either indirectly or directly from the latter by at least one logical operation.
When this method according to the invention is employed, the (second) keystream signal used in the cipher algorithm cannot be determined directly by performing an exclusive-OR logical operation using an enciphered data signal and a clear text data signal corresponding to that used to produce the enciphered data signal using said method.
In carrying out the invention, the second keystream signal can be produced by the cipher algorithm from the same combined key signal/number signal data as that used to produce the first keystream signal. Alternatively, the second keystream signal can be produced by performing a further logical operation, for instance another exclusive-OR logical operation involving the first keystream signal as one input thereto.
The invention also extends to arrangements for performing the method set forth above.
In order that the invention may be more fully understood, reference will now be made by way of example to the accompanying drawings, of which:
FIG. 1 shows, as aforesaid, a block diagram representing a known cipher algorithm;
FIG. 2 shows, as aforesaid, some idealised digital waveforms;
FIG. 3 shows a block diagram representing one form of cipher algorithm for performing the invention;
FIG. 4 shows a one-way function for the algorithm of FIG. 3;
FIGS. 5 and 6 show respective logical operation extensions for the one-way function of FIG. 4;
FIGS. 7 and 8 show block diagrams representing respective second forms of cipher algorithm for performing the invention;
FIGS. 9 to 11 show flow charts giving steps which are carried out by a logic processor arrangement in the performance of the invention; and
FIG. 12 shows diagrammatically certain elements of such a logic processor arrangement.
Referring to FIG. 3, in the block diagram there shown the elements which have counterparts in the block diagram of FIG. 1 have been given the same references as those counterparts. The block diagram of FIG. 3 differs from that of FIG. 1 by the addition of a second keystream signal Ks2 which, in accordance with the invention and as will be described, is derived either indirectly or directly from the first keystream signal. The keystream signal Ks1 corresponds to the keystream Ks which is produced by the known cipher algorithm, but the keystream signal Ks1 is used only for the exclusive-OR logical operation XOR to produce the deciphered data signal Ds from the enciphered data signal CDs. The second keystream signal Ks2 is used in the feedback control of the algorithm and is loaded one 8-bit byte at a time into the register REG-R. Thus, it is not possible to discover the contents of the register REG-R simply by performing an exclusive-OR logical operation with the data signal CDs and a known (deduced) data signal corresponding to the data signal from which the data signal CDs was produced.
A suitable one-way function for the cipher algorithm of FIG. 3 is represented by the block diagram of FIG. 4. The one-way function has an add modulo-256 logical operation ADD1 which adds corresponding 8-bit bytes of keysignal K and the number signal I one at a time, without carry.
Each of the eight 8-bit outputs from the operation ADD1 is used as an 8-bit input to a look-up table process LUT1 which produces an 8-bit output for each 8-bit input. The eight 8-bit outputs from the look-up table process LUT1 undergo two selection processes SEL1 and SEL2 each of which selects successively a different one of the eight bits from the eight 8-bit outputs. The bit selection performed by the two selection processes SEL1 and SEL2 is different. The two groups of eight bits which are selected are latched by respective latching operations LAT1 and LAT2 and form respective different 8-bit bytes for indirectly related keystream signals Ks1 and Ks2, respectively.
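The difference between the feedback paths of FIG. 1 and FIG. 3 can be checked with a small model of the FIG. 4 one-way function. This is an added example and not part of the specification; the contents of the look-up table, the bit positions taken by SEL1 and SEL2, the first-in-first-out loading of REG-R and the sample key, initial number and message are constructed assumptions.

```python
import random

# Constructed stand-in for look-up table LUT1 (its contents are not given in the text).
LUT1 = list(range(256))
random.Random(1987).shuffle(LUT1)

def owf(key, reg):
    """FIG. 4: ADD1 (modulo-256, no carry), LUT1, then SEL1 and SEL2."""
    outs = [LUT1[(k + r) & 0xFF] for k, r in zip(key, reg)]
    ks1 = ks2 = 0
    for i, o in enumerate(outs):
        ks1 |= ((o >> i) & 1) << i              # SEL1: bit i of output i (assumed)
        ks2 |= ((o >> ((i + 3) % 8)) & 1) << i  # SEL2: a different bit (assumed)
    return ks1, ks2

def cipher(key, init, data, second_keystream):
    """XOR data with Ks1; feed back Ks1 (FIG. 1) or Ks2 (FIG. 3) into REG-R.

    Returns the output bytes and the REG-R contents after each byte.
    """
    reg, out, states = list(init), bytearray(), []
    for byte in data:
        ks1, ks2 = owf(key, reg)
        out.append(byte ^ ks1)
        # REG-R is modelled as first-in-first-out: oldest byte out, new byte in.
        reg = reg[1:] + [ks2 if second_keystream else ks1]
        states.append(tuple(reg))
    return bytes(out), states

def register_exposed(clear, enciphered, states):
    """True if clear XOR enciphered reproduces REG-R after every byte from the 8th on."""
    ks = [c ^ e for c, e in zip(clear, enciphered)]
    return all(tuple(ks[n - 7:n + 1]) == states[n] for n in range(7, len(ks)))

# Constructed sample values.
KEY = bytes.fromhex("0123456789abcdef")
INIT = bytes.fromhex("a5c33c5a0ff0691e")
CLEAR = b"TELETEXT PAGE 100 HEADER"

def demo():
    results = {}
    for name, second in (("FIG. 1", False), ("FIG. 3", True)):
        enc, states = cipher(KEY, INIT, CLEAR, second)
        dec, _ = cipher(KEY, INIT, enc, second)   # same algorithm restores the data
        results[name] = (dec == CLEAR, register_exposed(CLEAR, enc, states))
    return results

if __name__ == "__main__":
    for name, (restored, exposed) in demo().items():
        print(f"{name}: data restored={restored}, REG-R exposed={exposed}")
```

In both arrangements the same algorithm restores the data, because the feedback does not involve the data signal; only with the direct feedback of FIG. 1 do eight consecutive known data bytes reproduce the contents of REG-R.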
The one-way function procedure can include various logical operation extensions at its output in order to further "mix" the bytes of the keystream signals Ks1 and Ks2. For example, as shown in FIG. 5, the keystream signals from the one-way function OWF can be treated as pre-output values Ks1' and Ks2' which are added modulo-256 by respective logical operations ADD2 and ADD3 to the previous 8-bit output value of the operation ADD2 which is held for this purpose by a latching operation LAT3. The 8-bit output values of the operations ADD2 and ADD3 are used as 8-bit input values for respective look-up table processes LUT2 and LUT3. The 8-bit output values from these look-up table processes then form the 8-bit data bytes of the resultant keystream signals Ks1 and Ks2, respectively.
As an alternative to the logical operation extensions shown in FIG. 5, the add logical operation ADD3 may be fed with its own previous 8-bit output value by using a separate latching operation LAT4 as shown in FIG. 6. Also, as shown in dotted lines in FIG. 6, the add logical operation ADD2 may instead be fed with its own previous 8-bit input value of the keystream signal Ks1 using the latching operation LAT3, and/or the add logical operation ADD3 may be replaced by an exclusive-OR logical operation XOR1. Conversely, the add logical operation ADD3 may be fed with its own previous 8-bit input value of the keystream signal Ks2 using the latching operation LAT4, and/or the add logical operation ADD2 may be replaced by an exclusive-OR logical
Each of the cipher algorithms shown in FIGS. 7 and 8 produce only a single keystream signal Ks which is modified before being loaded into the register REG-R as a second keystream signal (Ks2). In each algorithm, the one-way function OWF can take the form shown in FIG. 4, or in FIG. 4 as extended by FIG. 5 or FIG. 6, in respect of the keystream signal Ks1. In this instance, therefore, there is no second selection process SEL2 and latching operation LAT2 to produce the keystream signal Ks2 which is now not present.
In each of the algorithms of FIGS. 7 and 8, the keystream signal Ks is applied one byte at a time as one input value to an exclusive-OR logical operation XOR1, the 8-bit output value of which is each time loaded into the register REG-R. In the algorithm of FIG. 7, the second input value to the exclusive-OR logical operation XOR1 is the FIFO (first-in-first-out) 8-bit byte which is removed from the register REG-R when a new byte is loaded into this register from the exclusive-OR logical operation XOR1. In the algorithm of FIG. 8, the second input value to the exclusive-OR logical operation XOR1 is an 8-bit byte formed by single bits taken one from each of the eight 8-bit bytes present in the register REG-R at any time.
The cipher algorithm shown in FIGS. 3 and 4 can be performed using a conventional processor arrangement which is programmed according to the flow chart shown in FIG. 9. In this flow chart, the legends in the various boxes represent the following instructions or decisions:
(F1) STRT:- Enter the algorithm.
(F2) LD/K -> KEY0-KEY7:- Load into the key register KEY-K the particular key signal K to be used for
(It is assumed that the key register KEY-K is made up of eight 8-bit registers KEY0-KEY7).
(F3) LD/I -> REG0-REG7:- Load into the register REG-R the initial number signal I.
(It is assumed that the register REG-R is made up of eight 8-bit registers REG0-REG7).
(F4) AD K/R -> Nx: Perform the logical operation ADD1 by adding modulo-256 the contents of the registers KEY0 to KEY7 with the contents of the registers REG0 to REG7 to produce eight new 8-bit bytes which are stored in respective registers NEW0 to NEW7.
(i.e. KEY0 to REG0 -> NEW0
KEY1 to REG1 -> NEW1
KEY7 to REG7 -> NEW7).
(F5) SE LAT1 = 0: Set to '0' a register "LATCH1" which performs the latching operation LAT1 and in which are recorded the successive single bit values as produced by the selection process SEL1. (The following steps (F6) to (F19) carry out the selection process SEL1).
(F6) LD ISO:- Load a register "ISOLATE" with an initial value
(F7) SE IND = 0: Set to '0' a register "INDEX" which is used to count the successive selections performed by the selection process SEL1.
Use the bytes in each of the registers NEW0 to NEW7 in turn, as selected by the index value in the register "INDEX", to obtain an 8-bit output by the look-up table process LUT1.
(F9) LD/LUT1 -> LUT: Load into a register "LUTOUT" the 8-bit output resulting from the look-up table process LUT1.
(F10) AN LUT/ISO: Perform an AND logical operation (multiplication) with the contents of the registers "LUTOUT" and "ISOLATE".
(The result of this AND logical operation is that the bit position which contains a '1' in