PatentDe  


Dokumentenidentifikation EP1232603 15.12.2005
EP-Veröffentlichungsnummer 0001232603
Titel VERFAHREN UND VORRICHTUNGEN ZUR ERZEUGUNG EINER SCHLÜSSELSEQUENZ
Anmelder General Instrument Corporation, Horsham, Pa., US
Erfinder QIU, Xin, San Diego, US;
SPRUNK, J., Eric, Carlsbad, US
Vertreter derzeit kein Vertreter bestellt
DE-Aktenzeichen 60023934
Vertragsstaaten AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LI, LU, MC, NL, PT, SE, TR
Sprache des Dokument EN
EP-Anmeldetag 17.11.2000
EP-Aktenzeichen 009804469
WO-Anmeldetag 17.11.2000
PCT-Aktenzeichen PCT/US00/31539
WO-Veröffentlichungsnummer 0001039417
WO-Veröffentlichungsdatum 31.05.2001
EP-Offenlegungsdatum 21.08.2002
EP date of grant 09.11.2005
Veröffentlichungstag im Patentblatt 15.12.2005
IPC-Hauptklasse H04L 9/26

Beschreibung[en]
BACKGROUND OF THE INVENTION

The present invention relates generally to the fields of security and cryptography. Methods and apparatus for the generation of a random cryptographic one way function (i.e. a keystream) for use in encrypting or decrypting binary data are provided. Binary data may comprise digitized video or audio, as well as Internet Protocol or other pure data services. Although the invention has particular applicability in controlling access to premium services in cable and satellite television systems, it is also applicable to the protection of other information which is communicated in electronic form.

More particularly, the present invention provides a non-linear keystream generation algorithm using multiple feedback shift registers. The feedback shift registers may be constructed utilizing an advanced mathematical construct called an extended Galois Field GF(2m). The keystream is generated as a non-linear function of the outputs of the multiple feedback shift registers, which may be a combination of static feedback shift registers and dynamic feedback shift registers. Dense primitive polynomials with many coefficients may be used to produce a cryptographically robust keystream for use as an encryption or decryption key.

One way that binary data may be scrambled (encrypted) is by processing the binary data with a keystream (cryptographic key) to produce ciphertext (encrypted data). Keystreams are based on a sequence of bits that can be generated by pseudorandom sequences. The ciphertext can then be decrypted using an identical keystream. Data content owners want technology used in copy protection key derivation to be unique and difficult to duplicate. To achieve this end, binary data can be processed through a hash function by using that data as the input to a cryptographic One Way Hash Function, and by using the output of that Function as an encryption key for other binary data.

Commonly assigned U.S. patent no. 4,860,353 describes a dynamic feedback arrangement scrambling technique (DFAST) keystream generator. DFAST utilizes a dynamic feedback shift register, the structure of which is varied by a polynomial code signal. The polynomial code signal is varied in accordance with the content of data bits shifted from a predetermined register stage of the feedback shift register.

It would be advantageous to provide for generating a keystream having enhanced cryptographic and ease-of-implementation features as compared to those provided by DFAST and other prior art keystream generators.

It would be further advantageous to provide for keystream generation utilizing multiple feedback shift registers constructed using an extended Galois Field GF (2m). Extended Galois Field mathematics is well-suited to implementation in software systems. It would be still further advantageous to provide for keystream generation where the structure of the feedback shift registers are also varied by a polynomial code signal. It would be even further advantageous to provide for keystream generation using several randomization (e.g., permutation) stages to combine data bits from predetermined register stages of the feedback shift registers in a non-linear manner.

The present invention provides the foregoing and other advantages. More specifically, the present invention provides for an extension and improvement of the DFAST technology described in commonly assigned U.S. patent no. 4,860,353. An improved dynamic feedback arrangement scrambling technique in accordance with the invention (sometimes designated herein as "DFAST2"), provides a keystream with enhanced cryptographic and ease-of-implementation features as compared to DFAST. The present invention is suitable for use with a cable television system or hosts with point of deployment (POD) capability. The present invention is particulary suited for use with OpenCable™ set top boxes and PODs developed by Cable Televison Laboratories, Inc. (CableLabs™) of Colorado, USA, and is incorporated into the January 2000 POD Copy Protection Standard.

SUMMARY OF THE INVENTION

The present invention provides methods and apparatus for the generation of a cryptographic one way function that produces an output that appears random for use in encrypting or decrypting binary data. More particularly, the present invention provides a non-linear key generation algorithm using multiple feedback shift registers. A keystream is typically a long series of randomized bits used to encrypt or decrypt a stream of data using the exclusive OR operation. A keystream generator is the source of these bits, and the first set of bits output from this keystream generator can be used as an actual encryption key of determinate size. The term "key" can thus mean a fixed set of bits (e.g. 56 bits) output from a keystream generator. The feedback shift registers may be constructed utilizing an advanced mathematical construct called an extended Galois Field GF(2m). The key is generated as a non-linear function of the outputs of the multiple feedback shift registers, which may be a combination of static feedback shift registers and dynamic feedback shift registers. Dense primitive polynomials with many coefficients may be used to produce a cryptographically robust key for use as an encryption or decryption key.

In an illustrative embodiment of the invention, a key is generated using multiple feedback shift registers. Each feedback shift register has input, intermediate, and output stages through which data bits are shifted serially in response to a clock signal. Data bits from predetermined register stages of multiple feedback shift registers are provided to a first randomization stage. The output of the first randomization stage is provided to a second randomization stage. The output of the second randomization stage and data bits from other predetermined register stages of the feedback shift registers are provided to at least one additional randomization stage. The data bits are permutated at each randomization stage and the final randomization stage output provides the keystream. The last 56 bits of keystream may be used as the final key.

In a preferred embodiment, a third randomization stage may be the final randomization stage.

The structure of at least one of the feedback shift registers may be varied in response to a polynomial code signal generated by a polynomial code signal generator. In addition, the polynomial code used to generate the polynomial code signal may be varied.

The feedback shift registers may comprise a plurality of dynamic feedback shift registers and at least one static feedback shift register.

In a preferred embodiment, the feedback shift registers may comprise a first dynamic feedback shift register, a second dynamic feedback shift register, and a static feedback shift register. Seed data may be input into an input buffer. A first portion of the seed data from the input buffer may be provided to the first dynamic feedback shift register and a second portion of the seed data from the input buffer may be provided to the second dynamic feedback shift register. A third portion of the seed data from the input buffer may be provided to the static feedback shift register.

The data bits of the dynamic feedback shift registers may be shifted serially from each register stage in response to a clock signal. A number of finite field adders may be arranged between predetermined pairs of the register stages of the dynamic feedback shift registers, such that one of the inputs to each adder is provided from the preceding register stage and the other input of each adder is fed back from the output terminal of the output stage via a finite field multiplier.

The first randomization stage may comprise a randomization table (e.g., a permutation table) for permuting data bits from predetermined register stages. The second randomization stage may comprise a non-linear mixing function to combine the output of the second randomization stage and data bits from other predetermined register stages of the feedback shift registers. The third randomization stage may comprise multiple non-linear S-Boxes. The S-Boxes may be 8*8 S-Boxes. The third randomization stage may comprise 256 non-linear 8*8 S-Boxes.

In a preferred embodiment, the feedback shift registers may be constructed using an extended Galois field (GF(2m)). For example, the extended Galois field (GF(2^8)) may be used. The polynomials used for the feedback shift registers may be primitive and irreducible to assure maximum length output sequences.

In an alternate embodiment, the first randomization stage may comprise multiple randomization tables for permuting data bits from predetermined register stages. For example, eight randomization tables may be provided in the first randomization stage. The data bits from the feedback shift registers may be multiplexed prior to input into the first randomization stage.

In a further embodiment, the output from the third randomization stage may be provided to a pre-keystream register. Alternate bits of the output from said pre-keystream register may be provided to a select chain buffer. The output from the select chain buffer may be provided to a decoding logic unit, which decoding logic unit decodes a particular polynomial for use in generating a polynomial code signal, said polynomial code signal being provided to at least one of the feedback shift registers. The remaining bits of the output from said pre-keystream register may be provided to a keystream register. The output of the keystream register provides the keystream. The third randomization stage may comprise multiple non-linear S-Boxes.

Certain output of the S-Boxes may be provided to a codestream register. This output may be clocked through the codestream register and added to data bits shifted from at least one of the feedback shift registers via a non-binary adder to produce feedback data bits. The feedback data bits may be provided to the input stage and predetermined intermediate stages of at least one of the feedback shift registers.

Use of a 192 bit shared seed input is suggested, but other input key lengths can also be used. Use of a 192 bit input will generate a 56 bit key from the output keystream. The 192 bit input may be derived from a 128 bit input by duplicating half the bits.

The use of Galois Field 28 operations is well-suited for implementation on CPUs that use 8, 16, or 32 bit instruction widths. Although the invention is described for implementation in software, it can easily be adapted for implementation in hardware.

BRIEF DESCRIPTION OF THE FIGURES

  • Figure 1 shows a block diagram representation of the present invention;
  • Figure 2 shows an illustrative embodiment of the present invention;
  • Figure 3 shows an alternate illustrative embodiment of the present invention;
  • Figure 4 shows an implementation of a static feedback shift register in accordance with the present invention;
  • Figure 5 shows an implementation of a dynamic feedback shift register in accordance with the present invention; and
  • Figure 6 shows a further implementation of a dynamic feedback shift register in accordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention provides methods and apparatus for key generation using multiple feedback shift registers. The feedback shift registers may be constructed utilizing an advanced mathematical construct called an extended Galois Field GF(2m). The key is generated as a non-linear function of the outputs of the multiple feedback shift registers, which may be a combination of static feedback shift registers and dynamic feedback shift registers. Dense primitive polynomials with many coefficients may be used to produce a cryptographically robust keystream for use as an encryption or decryption key.

The keystream may be pseudorandomly generated from a shared seed key, with the intent that the keystream appears random to a computationally bounded adversary. The shared seed key value may be derived, e.g., from a host authentication and key exchange process. Use of a 192 bit shared seed input is suggested, but other input key lengths can also be used. Use of a 192 bit input will generate a 56 bit keystream. The 192 bit input may be derived from a 128 bit input by duplicating half the bits.

In an illustrative embodiment of the invention as shown in Figure 1, a keystream 100 is generated using multiple feedback shift registers. Each feedback shift register has input, intermediate, and output stages through which data bits are shifted serially in response to a clock signal. Data bits 10 from predetermined register stages of multiple feedback shift registers are provided to a first randomization stage 20. The output of the first randomization stage 20 is provided to a second randomization stage 30. The output of the second randomization stage 30 and data bits 12 from other predetermined register stages of the feedback shift registers are provided to at least one additional randomization stage. The data bits are permutated at each randomization stage and the output of a final randomization stage 40 provides the keystream 100.

In Figure 1, three randomization stages 20, 30, and 40 are shown, with the third randomization stage being the final randomization stage 40. However, those skilled in the art will appreciate that any number of randomization stages may be provided, depending on the implementation and the cryptographic integrity of the keystream 100 desired.

The structure of at least one of the feedback shift registers may be varied in response to a polynomial code signal 90 generated by a polynomial code signal generator (e.g., decoding logic unit 80). In addition, the polynomial code used to generate the polynomial code signal 90 may be varied.

The feedback shift registers (FSR) may comprise a plurality of dynamic feedback shift registers (DFSR) and at least one static feedback shift register (SFSR). The two DFSRs may be arranged in parallel. The keystream 100 is generated as a nonlinear function of the outputs of both the SFSR and the DFSRs. The DSFRs are dynamic shift registers whose structure is varied by the polynomial code signal 90. The polynomial code signal 90 may itself be varied in accordance with data bits shifted from a predetermined register stage. It is substantially more difficult to duplicate the keystream 100 if the polynomial code varies. The bits that cause the polynomial code 90 to vary are preferably not included in the keystream 100.

In a preferred embodiment as shown in Figure 2, the feedback shift registers may comprise a static feedback shift register A (generally designated 110), a first dynamic feedback shift register B (generally designated 120), and a second dynamic feedback shift register C (generally designated 130). Seed data may be input into an input buffer 140. The contents of the input buffer 140 may be loaded in parallel into the shift registers 110, 120, and 130 to initialize keystream generation. A first portion of the seed data from the input buffer 140 may be provided to the first dynamic feedback shift register B and a second portion of the seed data from the input buffer may be provided to the second dynamic feedback shift register C. A third portion of the seed data from the input buffer may be provided to the static feedback shift register A.

In the embodiment shown in Figure 2, the feedback shift registers 110, 120, and 130 (registers A, B, and C respectively) may be constructed using an extended Galois field (GF(2m)). As well known in the art, a Galois field is a mathematical field extension obtained by considering the coefficients and roots of a given polynomial. The polynomials used for the feedback shift registers in the present invention may be primitive and irreducible. Each such shift register would generate a sequence with the maximal length max_length=2^(m*L)-1 (where L is the number of shift register stages).

In the Figures, RGA denotes output from a stage of register A (110), RGB denotes output from a stage of register B (120), and RGC denotes output from a stage of register C (130). For example, Figure 2 shows register A having output from L register stages (RGA0, RGA1, RGA2, ... RGAL-1).

The data bits of the feedback shift registers 110, 120, and 130 may be shifted serially from each register stage in response to a clock signal. A number of finite field adders may be arranged between predetermined pairs of the register stages of the feedback shift registers 110, 120, and 130, such that one of the inputs to each adder is provided from the preceding register stage and the other input of each adder is fed back from the output terminal of the output stage via a finite field multiplier. An example of the structure of each feedback shift register 110, 120, and 130 of Figure 2 is described in detail below in connection with Figures 4, 5, and 6. It is noted that the invention may utilize three or more stages of non-linear functions to combine data bits shifted from predetermined register stages of the feedback shift registers.

The first randomization stage (e.g., first randomization stage 20 of Figure 1) may comprise one or more randomization tables (e.g., "F1 tables" 150-157) for permuting data bits from predetermined register stages. In the example shown in Figure 2, eight F1 tables 150-157 are used. The eight F1 tables are shown for purposes of example only, and those skilled in the art will appreciate that the invention can be implemented using any number of F1 tables (or similar non-linear permutation functions) in the first randomization stage. The F1 tables 150-157 may be fixed substitution tables used to map data bits shifted from various feedback shift registers to a different value. The inputs to each F1 table may be separated by at least one exclusive-or gate in their source feedback shift register structure.

The data bits from selected register stages of the feedback shift registers may be multiplexed (e.g., at multiplexers 170-173) prior to input into the F1 tables 150-157. Selection by the multiplexers 170-173 between data bits shifted from different predetermined register stages is controlled in response to a data bit shifted from a different predetermined register stage. For example, in Figure 2, two output bits (RGAj and RGAi) are shifted directly from different stages of register A to multiplexer 170. One of RGAj and RGAi is selected by multiplexer 170 in response to a data bit shifted from register C (RGCk). Similar operations take place at multiplexers 171, 172, and 173. The output of multiplexers 170, 171, 172, and 173 is provided to F1 tables 150, 153, 154, and 157 respectively.

F1 table 151 receives input directly from a stage of register A (RGAm). F1 table 152 receives input directly from a stage of register B (RGBp). F1 table 155 receives input directly from a stage of register A (RGAmm). F1 table 156 receives input directly from a stage of register B (RGBpp).

The second randomization stage (e.g., second randomization stage 30 of Figure 1) may comprise one or more non-linear mixing functions (e.g., 161, 162) to combine the output of the second randomization stage and data bits from other predetermined register stages of the feedback shift registers. In the example shown in Figure 2, two non-linear mixing functions 161, 162 are used for purposes of example only. Those skilled in the art will appreciate that the invention can be implemented using any number of non-linear mixing functions (or similar non-linear permutation functions) in the second randomization stage.

The non-linear logic used by the non-linear mixing functions 161, 162 combines at least 4 tap positions, some of which are from the F1 table outputs, and several others directly from predetermined FSR stages. For example, Figure 2 shows non-linear mixing function 161 as having input RGB'i'/j' from F1 table 153, input RGB'p from F1 table 152, input RGA'm from F1 table 151, and input RGA'i/j from F1 table 150, as well as inputs RGAq' and RGBq directly from a stage of register A and a stage of register B respectively. In such an instance, the non-linear mix function may be g0 = RGA'i/j ⊗ RGB'i'/j' ⊕ RGAq' ⊗ RGB'p ⊕ RGA'm ⊗ RGBq. In this equation, ⊗ represents the field element multiplication operation, and ⊕ represents the field element addition operation (bit-wise XOR).

Non-linear mix function 162 is shown as having input RGA'ii/jj from F1 table 154, input RGA'mm from F1 table 155, input RGB'pp from F1 table 156 and input RGB'ii'/jj' from F1 table 157, as well as inputs RGAn' and RGBn directly from a stage of register A and a stage of register B respectively. These inputs may be combined at the non-linear mix function 162 by function g1 = RGA'ii/jj ⊗ RGB'ii'/jj' ⊕ RGAn, ⊗ RGB'pp ⊕ RGA'mm ⊗ RGBn.

The third randomization stage (e.g., Final Randomization Stage 40 of Figure 1) may comprise multiple non-linear substitution boxes (S-Boxes) 165. The S-Boxes 165 may be 8*8 S-Boxes.

In a preferred embodiment, the third randomization stage may comprise 256 non-linear dynamic 8*8 S-boxes 165 (e.g. , S0, S1, S2, . . .S255). A loop counter is provided to count n (number of FSR cycles) to ensure that every element in the dynamic S-Box 165 changes during operation. At least one predetermined stage of two of the extended Galois field shift register structures directly provides a randomized byte of S-Box address signals (shown as RGBx and RGAy input into S-Box RAM 166). The already highly randomized outputs (g0 and g1) from the non-linear mixing functions 161, 162 are added to the nth element of the S-Box 165, and to the element of S-Box 165 indexed by RGBx/RGAy directly from the FSR structures. This generates highly randomized outputs Y0' and Y1'. The S-box elements indexed by n and Y0'/Y1' are then swapped so that every element in (S0, S1, . . ., S255) is affected during the first 256 cycles of FSR shifting operations.

In a further embodiment, the output (pre-keystream 45) from the third randomization stage (e.g., S-Box 165) may be provided to a pre-keystream register 50. Alternate bits of the output from said pre-keystream register 50 may be provided to a select chain buffer 70. The output from the select chain buffer 70 may be provided to a decoding logic unit 80, which decoding logic unit 80 decodes a particular polynomial for use in generating a polynomial code signal 90, said polynomial code signal 90 being provided to at least one of the dynamic feedback shift registers 120, 130. The remaining bits of the output from said pre-keystream register 50 may be provided to a keystream register 60. The output of the keystream register 60 provides the keystream 100.

The pre-keystream 45 may be clocked into the pre-keystream register 50 at the system clock rate. Alternate bytes of the pre-keystream 45 may be clocked at one-half the system clock rate into the select chain buffer 70 by an inverted CLOCK/2 signal. The remaining bytes of the pre-keystream 45 may be clocked at one-half the system clock rate into the keystream register 60 by an uninverted CLOCK/2 signal. This avoids placing contiguous bytes of the pre-keystream 45 into the keystream 100. This also assures that keystream bytes are not used as signals to control selection of the polynomial code signals 90. The pre-keystream register 50 is the final output creation stage and produces 8 bits of output data per clock cycle of uninverted CLOCK/2.

The decoding logic unit 80 uses the bits stored in the select chain buffer 70 to decode a particular polynomial, setting a signal corresponding to a particular polynomial true while setting all other polynomial signals false.

The decoding logic unit 80 may use a fixed byte substitution table (F2 table 81) to provide up to 2m different polynomial code signals 90. The F2 table 81 may be a fixed substitution table similar to the F1 tables 150-157.

Certain output of the S-Boxes 165 may be provided to a codestream register 175. This output may be clocked through the codestream register 175 (codestream 48) and added to data bits shifted from at least one of the feedback shift registers 120, 130 via a non-binary adder to produce feedback data bits. The feedback data bits may be provided to the input stage and predetermined intermediate stages of at least one of the feedback shift registers 120, 130. The codestream 48 is distinct from the pre-keystream 45 and only affects the dynamic FSR structures (120 and 130) and not the static FSR structure (110).

Figure 3 illustrates a specific configuration of the Figure 2 embodiment of the invention where the polynomials used for the FSRs are constructed over extended Galois Field GF(2^8), and all polynomials are selected to be primitive and irreducible in order to generate a maximum length sequence. The degree of these polynomials is 8 so there will be 8 stages of 8-tuple shift register cells used in each FSR. Since the sparseness of the terms for the polynomial can be a source of cryptographic weakness, dense primitive polynomials with many coefficients are used. The output from each stage of each FSR may have 8 bits (one byte).

The three FSRs 110, 120, and 130 require 192 total bits (18 bytes) of information to initialize them. These 192 bits are drawn from 128 bits of input, with half the 128 bits duplicated to provide 192 bits of input to input buffer 140. Input buffer 140 provides 64 bits of input to each FSR 110, 120, and 130.

As shown in the table below, a 128 bit (16 byte) input is used to initialize 192 bits (18 bytes) of FSR state. The input bytes are numbered from 0 to 15, and are used to initialize the three FSRs A, B, and C. Mapping Input to FSRs A, B, and C Input Byte FSR Bytes That Are Initialized Using this Byte FSR Byte FSR Byte 0 B 0 A 0 1 B 1 A 1 2 B 2 A 2 3 B 3 A 3 4 B 4 5 B 5 6 B 6 7 B 7 8 C 0 A 4 9 C 1 A 5 10 C 2 A 6 11 C 3 A 7 12 C 4 13 C 5 14 C 6 15 C 7

A 128 bit input data seed is stored in the input buffer 140. All of the bits of the input seed are loaded in parallel from the input buffer into dynamic FSR structures B and C. The other third of the input (bytes 0-3 and 8-11) is loaded in parallel into the static FSR structure A.

As each FSR constructed in the extended Galois Field GF(2^8) has 8 stages, input data for each stage should be 64 bits in size (since the actual input size is 128 bits, the above processing step is needed to reduce the information from 192 to 128 bits in size.)

As discussed above in connection with Figure 2, each pre-keystream byte 45 is generated from a combination of a three-stage non-linear function process. In the first randomization stage, certain predetermined data bytes shifted from two separate feedback shift registers (A and B) are permutated by the F1 tables 150-157. In the second randomization stage, non-linear functions 161, 162 are used to mix data bytes from different F1 tables as well as data bytes directly from predetermined stages of registers A and B. In a third randomization stage, an 8*8 S-box 165 (initialized to S0 =0, S1 = 1, . . . S255 = 255) is used to permute the outputs from the second-level non-linear function, along with 2 bytes of data from registers A and B.

Static FSR structure 110 (register A) and two dynamic FSR structures 120 and 130 (registers B and C) are shown in Figure 4, Figure 5, and Figure 6 respectively. Each of these structures includes L stages, where L = 8, with stage 0 being the input stage, stage 7 being the output stage, and stage 1 through 6 being the intermediate stages. All the polynomials used in the explanations herein are selected for illustration purposes. It should be appreciated that various other polynomials may be used to implement the invention.

All the FSRs are constructed over the extended Galois Field, GF (2^8). The elements in GF(2^8) are generated by: F(X) = X^8 + X^4 + X^3 + X^2 + 1 = [1 0 0 0 1 1 1 0 1] Where X is a primitive element of GF(2^8). Addition and multiplication operations within GF(2^8) are also illustrated in Figure 4 at 117.

In the static feedback register 110 (structure A) shown in Figure 4, data bits are shifted serially from each stage in response to a clock signal applied to the CLK terminal. Data bytes shifted from the register stages are provided respectively at the output terminals RGA0 through RGA7. A number of finite field adders 111-116 are respectively located between predetermined pairs of register stages. In Figure 4, finite field adders are located between Stage 0 and Stage 1 (111), Stage 1 and Stage 2 (112), Stage 3 and Stage 4 (113), Stage 4 and Stage 5 (114), Stage 5 and Stage 6 (115), and Stage 6 and Stage 7 (116). No finite field adder is located between Stages 2 and 3. One of the inputs to each adder 111-116 is provided from the preceding register stage and the other input to each adder is fed back from output terminal RGA7 of the eighth output stage via finite field multipliers 91-97 respectively.

The function of a non-binary adder (XOR) and a non-binary multiplier at is shown generally at 117.

The structure of register A has a fixed, non-dynamic polynomial code and coefficients. The polynomial code of the static FSR structure of register A is not varied in response to the polynomial code signal. As shown in Figure 4 the polynomial used for A register is:

Register Structure Poly_A = x^8 ⊕ α^212 ⊗ x^7 ⊕α^147 ⊗ x^6 ⊕ α^194 ⊗ x^5 ⊕ α^47 ⊗ x^4 ⊕ 0 ⊗ x^3 ⊕α^38 ⊗ x^2 ⊕ α^229 ⊗ x ⊕ α^74, where α(X) = α = X to obtain the 8-tuple j7X^7 + j6X^6 + j5X^5 + j4X^4 + j3X^3 + j2X^2 + j1X + j0. The values for the individual coefficient multipliers are as follows: α^212 = α^6 + α^5 + α^4 + α^3 + 1 = [0 1 1 1 1 0 0 1] α^147 = α^5 + α^3 + 1 = [0 0 1 0 1 0 0 1] α^194 = α^5 + α^4 + α = [0 0 1 1 0 0 1 0] α^47 = α^5 + α^2 = [0 0 1 0 0 1 0 0] α^38 = α^7 + α^4 + α^2 = [1 0 0 1 0 1 0 0] α^229 = α^6 + α^5 + α^4 + α^3 + α = [0 1 1 1 1 0 1 0] α^74 = α^7 + α^3 + 1 = [1 0 0 0 1 0 0 1]

In the dynamic feedback shift register structures B and C (120 and 130), as shown in Figures 5 and 6 respectively, data bits are shifted serially in response to a clock signal, and they are also shifted in accordance with a polynomial code signal 90 connected from the output stage into the input stage. As discussed in connection with Figure 4, a number of logic elements are respectively located between predetermined pairs of register stages of registers B and C. The logic elements process a data bit shifted from the preceding stage with the data bit feedback from the output stage, also in accordance with a polynomial code signal 90.

In the B-register and C-register structures, a polynomial code signal from the decoding logic unit is applied to select one set of polynomial coefficients (i.e. a different set of extended Galois Field multiplier values) from two sets of polynomial coefficients.

For example, in the dynamic feedback register structure B shown in Figure 5, data bits are shifted serially from each stage in response to a clock signal applied to the CLK terminal. Data bytes shifted from the register stages are provided respectively at the output terminals RGB0 through RGB7. A number of finite field adders 121-127 are respectively located between each pair of register stages. One of the inputs to each adder 121-127 is provided from the preceding register stage and the other input to each adder is fed back from output terminal RGB7 of the eighth output stage via one of two sets of finite field multipliers (e.g., one set includes finite field multipliers 200, 202, 204, 205, 206, 208, 210, 212, and 214; the second set includes 201, 203, 205, 207, 209, 211, 213, and 215). Which set of finite field multipliers is used depends on the polynomial selected in response to the polynomial code 90 (from the decoding logic unit 80 of Figure 3).

The structure of dynamic feedback shift register B shown in Figure 5 uses only two polynomials. The least significant bit (lsb) of Decoding Logic Unit 80 output is used to select one of the following polynomials from the dynamic FSR structure B:

Poly_B0 = x^8 ⊕ α^92 ⊗ x^7 ⊕ α^229 ⊗ x^6 ⊕ α^5 ⊗ x^5 ⊕ α^95 ⊗ x^4 ⊕ α^84 ⊗ x^3 ⊕ 0 ⊗ x^3 ⊕ α^195 ⊗ x ⊕ α^176, where α(X) = α = X to obtain the 8-tuple j7X^7 + j6X^6 + j5X^5 + j4X^4 + j3X^3 + j2X^2 + j1X + j0. The values for the individual coefficient multipliers are as follows: α^92 = α^6 + α^4 + α^3 + α + 1 = [0 1 0 1 1 0 1 1] α^229 = α^6 + α^5 + α^4 + α^3 + α = [0 1 1 1 1 0 1 0] α^5 = α^5 = [0 0 1 0 0 0 0 0] α^95 = α^7 + α^6 + α^5 + α = [1 1 1 0 0 0 1 0] α^84 = α^6 + α^5 + α^3 + α + 1 = [0 1 1 0 1 0 1 1] α^195 = α^6 + α^5 + α^2 = [0 1 1 0 0 1 0 0] α^176 = α^7 + α^6 + α^5 + α + 1 = [1 1 1 0 0 0 1 1] The second polynomial used in the structure B is:

Poly_B1 = x^8 ⊕ α^22 ⊗ x^7 ⊕ α^47 ⊗ x^6 ⊕ 0 ⊗ x^5 ⊕ α^230 ⊗ x^4 ⊕ α^94 ⊗ x^3 ⊕ α^202 ⊗ x^2 ⊕ α^28 ⊗ x ⊕ α^188.

The values for the individual coefficient multipliers are as follows: α^22 = α^7 + α^6 + α^5 + α^3 + α = [1 1 1 0 1 0 1 0] α^47 = α^5 + α + 1 = [0 0 1 0 0 0 1 1] α^230 = α^7 + α^6 + α^5 + α^4 + α^2 = [1 1 1 1 0 1 0 0] α^94 = α^6 + α^5 + α^4 + 1 = [0 1 1 1 0 0 0 1] α^202 = α^5 + α^4 + α^3 = [0 1 1 1 0 0 0 0] α^28 = α^4 + α^3 = [0 0 0 1 1 0 0 0] α^188 = α^7 + α^5 + α^2 + 1 = [1 0 1 0 0 1 0 1]

The structure of dynamic feedback shift register C (130) is shown in Figure 6. The function of register C corresponds to that of register B shown in Figure 5, with finite field adders 221-227 of register C equivalent to the finite field adders 121-127 of register B of Figure 5 and finite field multipliers 230-245 of register C equivalent to finite field multipliers 200-215 of register B of Figure 5.

In this example implementation, there are also only two polynomials used in the structure of register C. The least significant bit (lsb) of Decoding Logic Unit 80 output is used to select one out of two polynomials from the dynamic FSR structure C:

Poly_C0 = x^8 ⊕ α^221 ⊗ x^7 ⊕ α^18 ⊗ x^6 ⊕ α^129 ⊗ x^5 ⊕ α^200 ⊗ x^4 ⊕ 0 ⊗ x^3 ⊕ α^124 ⊗ x^2 ⊕ α^25 ⊗ x ⊕ α^31, where α(X) = α = X to obtain the 8-tuple j7X^7 + j6X^6 + j5X^5 + j4X^4 + j3X^3 + j2X^2 + j1X + j0.

The values for the individual coefficient multipliers are as follows: α^221 = α^6 + α^2 + 1 = [0 1 0 0 0 1 0 1] α^18 = α^5 + α^3 + α^2 + 1 = [0 0 1 0 1 1 0 1] α^129 = α^4 + α^2 + α + 1 = [0 0 0 1 0 1 1 1] α^200 = α^4 + α^3 + α^2 = [0 0 0 1 1 1 0 0] α^124 = α^7 + α^4 + α^2 + α + 1 = [1 0 0 1 0 1 1 1] α^25 = α + 1 = [0 0 0 0 0 0 1 1] α^31 = α^7 + α^6 = [1 1 0 0 0 0 0 0] The second polynomial used in the structure of register C is:

Poly_C1 = x^8 ⊕ α^39 ⊗ x^7 ⊕ α^203 ⊗ x^6 ⊕ 0 ⊗ x^5 ⊕ α^185 ⊗ x^4 ⊕ α^151 ⊗ x^3 ⊕ α^114 ⊗ x^2 ⊕ α^7 ⊗ x ⊕ α^47.

The following values for the individual coefficient multipliers are as follows: α^39 = α^5 + α^4 + α^2 + 1 = [0 0 1 1 0 1 0 1] α^203 = α^7 + α^6 + α^5 = [1 1 1 0 0 0 0 0] α^185 = α^5 + α^4 + α^2 + α + 1 = [0 0 1 1 0 1 1 1] α^151 = α^7 + α^5 + α^3 + α = [1 0 1 0 1 0 1 0] α^114 = α^5 + α^4 + α^3 + α^2 + α = [0 0 1 1 1 1 1 0] α^7 = α^7 = [1 0 0 0 0 0 0 0] α^47 = α^5 + α + 1 = [0 0 1 0 0 0 1 1]

Referring back to Figure 3, the polynomial code signal 90 that is applied in the dynamic FSRs 120 and 130 varies in accordance with data bits shifted from a predetermined register stage. An F2 table 81 is used in the Decoding Logic Unit (DLU) 80 to generate the polynomial code signal.

The decoding logic unit 80 of Figure 3 uses the least significant bit (lsb) of F2 table output to select one of two polynomials from the dynamic FSRs 120, 130. In this case, 2 different polynomials are used in the B-register structure and C-register structure, and one polynomial is used in the A-register structure. Therefore, only one bit in every other pre-keystream byte after F2 table substitution is used directly to select between the two polynomials, POLY_AO(POLY_BO) and POLY_A1(POLY_B1).

Alternate bytes (8 bits) from the pre-keystream 45 are processed to vary the polynomial code signal 90, and the remaining bytes of the pre-keystream 45 are processed to provide the keystream 100. The bytes that cause the polynomial code signal 90 to be varied are not included in the keystream 100.

As discussed above in connection with Figure 2, in the embodiment described in Figure 3, the multiplexers 170-173 use the output from predetermined register stages of register C to select between data bytes shifted from different predetermined register stages of registers A and B to provide some of the inputs to the F1 tables (e.g., F1 tables 150, 153, 154, and 157). Each multiplexer 170-173 is a 2:1 multiplexer. For example, two output bits (RGA0 and RGA7) are shifted directly from different stages of register A to multiplexer 170. One of RGA0 and RGA7 is selected by multiplexer 170 in response to a data bit shifted from register C (RGC6). Similar operations take place at multiplexers 171, 172, and 173. The output of multiplexers 170, 171, 172, and 173 is provided to F1 tables 150, 153, 154, and 157 respectively.

Detailed multiplexer settings for multiplexers (MUX) 170 and 172 are shown in the table below. MUX 170 and 172 Settings SEL A B Descriptions MUX 170 RGC6 RGA0 RGA7 Outputi = RGA0_i if RGC6_i = 0 Or = RGA7_i if RGC6_i = 1 Where i = 0, 1, ..., 7 MUX 172 RGC6 RGA1 RGA6 Outputi = RGA1_i if RGC7_i = 0 Or = RGA6_i if RGC7_i = 1 Where i = 0, 1, ..., 7

Detailed multiplexer settings for multiplexers (MUX) 171 and 173 are shown in the table below. MUX 171 and 173 Settings SEL A B Descriptions MUX 171 RGC0 RGB1 RGB6 Outputi = RGB1_i if RGC6_i = 0 Or = RGB6_i if RGC6_i = 1 Where i = 0, 1, ..., 7 MUX 173 RGC0 RGB0 RGB7 Outputi = RGB0_i if RGC7_i = 0 Or = RGB7_i if RGC7_i = 1 Where i = 0, 1, ..., 7

Multiplexers may also be used to provide the address signal to the S-Box substitution function 165. For example, the inverse of MUX 170 (MUX 170-1) is used to select alternate bits from RGA0 and RGA7. MUX 170-1 is defined in the following table: MUX 170<sup>-1</sup> Settings SEL A B Descriptions MUX 170-1 RGC6 RGA7 RGA0 Outputi = RGA7_i if RGC6_i = 0 Or = RGA0_i if RGC6_i = 1 Where i = 0, 1, ..., 7

The inverse of MUX 173 (MUX 173-1) is used to select alternate bits from RGB0 and RGB7. MUX 173-1 is defined in the following table: MUX 173<sup>-1</sup> Settings SEL A B Descriptions MUX 173-1 RGC0 RGB7 RGB0 Outputi = RGB7_i if RGC6_i = 0 Or = RGA0_i if RGC6_i = 1 Where i = 0, 1, ..., 7

Two of eight register outputs from each shift register are tapped as direct inputs to the F1 tables 151, 152, 155, 156. No tap is used more than once. Input to the remaining F1 tables 150, 153, 154, and 157 are from the multiplexers 170, 171, 172, and 173 respectively.

The non-linear mix functions 161, 162 used to combine two bytes shifted directly from the register A or register B (RGA2/RGA4, RGB3/RGB5) with others that are from the F1 tables: g0 = RGA'0|7 ⊗ RGB'1|6 ⊕ RGA2 ⊗ RGB'4 ⊕ RGA'5 ⊗ RGB3 g1 = RGA'1|6 ⊗ RGB'0|7 + RGA4 ⊗ RGB'2 + RGA'3 ⊗ RGB5 The RGA'0|7 is a field element constructed from selecting 8 bits from RGA0 and RGA7 based on RGC6, and then passing the selected bits to the F1 table 150. By the same definition, RGB'1|6 is a field element constructed from selecting 8 bits from RGB1 and RGB6 based on RGC0, and then passing the selected bits to the F1 table 153. The RGA'1|6 is a field element constructed from selecting 8 bits from RGA1 and RGA6 based on RGC6, and then passing the selected bits to the F1 table 172. RGB'0|7 is a field element constructed from selecting 8 bits from RGB0 and RGB7 based on RGC0, and then passing the selected bits to the F1 table 157.

The two non-linear functions g0 and g1 set forth above are constructed in accordance with the following rules:

  • Terms multiplied together shall be from different register structures.
  • At least one of two multiplication terms shall be from the F1 tables.

Referring to Figure 3, the 8 * 8 S-Box 165 is used to provide individual pre-keystream bytes 45 and codestream bytes 48 respectively from output terminal Y1 and Y0 in accordance with the contents of the output from the non-linear mix functions 161, 162 and two bytes of data from the A and B register structures. The entries of the S-Box are a permutation of the numbers 0 through 255, and the address of the S-Box is a function of loop counter n, g0, g1, RGB0|7, and RGA0|7.

The S-box is initialized linearly to S0 = 0, S1 = 1, ..., S255 = 255. The S-box permutation process can be formulated in accordance with the following relationships:

   n from 0 to runup_Cycles

  • n = (n % 256);
  • Y0' = (g0 + SRGB7|0+ Sn) mod 256
  • swap Si and SY0'
  • Y1' = (g1 + S RGA7|0 + Sn) mod 256
  • swap Si and SY1'
  • t0 = (Sg1+ SY0') mod 256
  • t1 = (Sg0+ SY1') mod 256
  • Y0 = St0 and Y1 = St1
The S-Box slowly evolves with the iterations of n to ensure that every element changes, and also with the use of (g0, g1, RGB0|7, RGA0|7, Y0', Y1') to ensure that the elements change randomly.

The Codestream Register 175 receives codestream bits 48 from the Y1 output terminal of the S-Box 165 in response to the address signal from the A and B structures, and also from the non-linear mix functions 161, 162. The codestream bytes 48 are clocked through the Codestream Register 175, and added by a non-binary adder (XOR) to the data bytes (RGB7, RGC7) shifted from the MSB output stage (stage 7) of register B and register C. This process provides a feedback data byte, which is then fed back both to the input stage (stage 0) and to predetermined intermediate stages of registers B and C in accordance with the applied polynomial code 90.

Keystream bytes 100 from the Keystream Register 60 are produced based on the control clock, CLOCK. These bytes are assembled to form the 7 bytes or 56 bits of output only after the algorithm has had adequate mixing time to circulate data among the FSRs. The amount of mixing time is measured in the number of clock cycles of CLOCK between the time FSRs A, B, and C are initialized, and the time that the Keystream Register 60 byte output is stored. The initialization takes place at time T=0, where time is measured in CLOCK cycles. After initialization, 701 CLOCK cycles may occur before the first byte of Keystream Register 60 output is stored. Thereafter, output bytes may be stored after the completion of the following additional cycles: CLOCK Cycles from Initialization to Output Storage CLOCK Cycle Number Event CLOCK Cycle Number Event 0 Initialize FSR A, B, and C 701 + 126 = 827 Store output byte 3 701 Store output byte 0 701 + 142 = 843 Store output byte 4 701 + 30 = 731 Store output byte 1 701 + 580 = 1281 Store output byte 5 701 + 70 = 771 Store output byte 2 701 + 636 = 1337 Store output byte 6

The embodiments of the invention described above are selected preferred embodiments and are not intended to provide a limitation on the scope of the invention. It should be appreciated that many variations of the implementations described above are available. For example, the invention described herein can be implemented using a wide variety of input key sizes. In addition, various Galois field selections may be used to implement the invention. The number of static and/or dynamic feedback shift registers used may vary, as well as the number of register stages for each such shift register. The number of randomization stages may vary, as well as the functionality contained within each stage (e.g., number of multiplexers, number of S-Boxes, number of randomization tables, and the like). Other implementation complexities can be varied or changed consistent with the general description of the invention described above.

It should now be appreciated that the present invention provides improved methods and apparatus for generating a cryptographically robust keystream for use in data encryption and decryption.

Although the invention has been described in connection with various illustrated embodiments, numerous modifications and adaptations may be made thereto without departing from the scope of the invention as set forth in the claims.


Anspruch[de]
  1. Ein Verfahren zum Erzeugen einer Schlüsselzeichenfolge, das die folgenden Schritte beinhaltet:
    • einer ersten Randomisierungsphase (150-157) Datenbits aus vorbestimmten Registerphasen mehrfacher rückgekoppelter Schieberegister (110, 120, 130) bereitstellen, wobei jedes rückgekoppelte Schieberegister Eingabe-, Zwischen- und Ausgabephasen aufweist, durch die die Datenbits seriell als Reaktion auf ein Taktsignal verschoben werden; gekennzeichnet durch die folgenden zusätzlichen Schritte:
    • einer zweiten Randomisierungsphase (161) die Ausgabe der ersten Randomisierungsphase bereitstellen;
    • der mindestens einen zusätzlichen Randomisierungsphase (165) die Ausgabe der zweiten Randomisierungsphase und die Datenbits aus anderen vorbestimmten Registerphasen der rückgekoppelten Schieberegister bereitstellen, wobei
    • die Datenbits in jeder Randomisierungsphase permutiert werden und die Ausgabe einer endgültigen Randomisierungsphase die Schlüsselzeichenfolge bereitstellt.
  2. Verfahren gemäß Anspruch 1, wobei eine dritte Randomisierungsphase die endgültige Randomisierungsphase ist.
  3. Verfahren gemäß Anspruch 1 oder 2, das ferner die folgenden Schritte beinhaltet:
    • Variieren von mindestens einer rückgekoppelten Schieberegisterstruktur als Reaktion auf ein durch einen Polynomcodesignalgenerator erzeugtes Polynomcodesignal.
  4. Verfahren gemäß Anspruch 3, das ferner den folgenden Schritt beinhaltet:
    • Variieren des Polynomcodes, der zum Erzeugen des Polynomcodesignals verwendet wird.
  5. Verfahren gemäß einem der Ansprüche 1 bis 4, wobei die rückgekoppelten Schieberegister Folgendes beinhalten:
    • eine Vielzahl dynamischer rückgekoppelter Schieberegister und
    • mindestens ein statisches rückgekoppeltes Schieberegister.
  6. Verfahren gemäß einem der Ansprüche 1 bis 4, wobei die rückgekoppelten Schieberegister Folgendes beinhalten:
    • ein erstes dynamisches rückgekoppeltes Schieberegister,
    • ein zweites dynamisches rückgekoppeltes Schieberegister, und
    • ein statisches rückgekoppeltes Schieberegister.
  7. Verfahren gemäß Anspruch 6, das ferner die folgenden Schritte beinhaltet:
    • Startparameter-Daten in einen Eingabepuffer eingeben;
    • dem ersten dynamischen rückgekoppelten Schieberegister einen ersten Abschnitt der Startparameter-Daten des Eingabepuffers bereitstellen;
    • dem zweiten dynamischen rückgekoppelten Schieberegister einen zweiten Abschnitt der Startparameter-Daten des Eingabepuffers bereitstellen, und
    • dem statischen rückgekoppelten Schieberegister einen dritten Abschnitt der Startparameter-Daten des Eingabepuffers bereitstellen.
  8. Verfahren gemäß Anspruch 7, wobei:
    • die Datenbits des dynamischen rückgekoppelten Schieberegisters seriell von jeder Registerphase als Reaktion auf ein Taktsignal verschoben werden;
    • eine Anzahl von endlichen Feldaddierern zwischen vorbestimmten Paaren der Registerphasen der dynamischen rückgekoppelten Schieberegister angeordnet werden, so dass eine der Eingaben in jeden Addierer von der vorangehenden Registerphase bereitgestellt wird und die andere Eingabe von jedem Addierer von dem Ausgabeterminal der Ausgabephase über einen endlichen Feldmultiplikator bereitgestellt wird.
  9. Verfahren gemäß einem der Ansprüche 1 bis 8, wobei die erste Randomisierungsphase eine Randomisierungstabelle zum Permutieren von Datenbits aus vorbestimmten Registerphasen beinhaltet.
  10. Verfahren gemäß einem der Ansprüche 1 bis 9, wobei die zweite Randomisierungsphase eine nichtlineare Mischfunktion beinhaltet, um die Ausgabe der zweiten Randomisierungsphase und Datenbits aus anderen vorbestimmten Registerphasen der rückgekoppelten Schieberegister zu kombinieren.
  11. Verfahren gemäß einem der Ansprüche 1 bis 10, wobei die endgültige Randomisierungsphase 256 nichtlineare 8*8 S-Boxen beinhaltet.
  12. Verfahren gemäß einem der Ansprüche 1 bis 11, wobei die rückgekoppelten Schieberegister unter Verwendung eines erweiterten Galoisfelds GF (2m) konstruiert werden.
  13. Verfahren gemäß Anspruch 12, wobei m gleich acht ist.
  14. Verfahren gemäß Anspruch 12 oder 13, wobei die für die rückgekoppelten Schieberegister verwendeten Polynome primitiv und irreduzibel sind.
  15. Verfahren gemäß einem der Ansprüche 1 bis 14, wobei die erste Randomisierungsphase mehrfache Randomisierungstabellen zum Permutieren von Datenbits aus vorbestimmten Registerphasen beinhaltet.
  16. Verfahren gemäß Anspruch 15, wobei die mehrfachen Randomisierungstabellen acht Randomisierungstabellen beinhalten.
  17. Verfahren gemäß einem der Ansprüche 1 bis 16, das ferner folgenden Schritt beinhaltet:
    • die Datenbits aus den rückgekoppelten Schieberegistern vor der Eingabe in die erste Randomisierungsphase multiplexieren.
  18. Verfahren gemäß einem der Ansprüche 1 bis 17, das ferner die folgenden Schritte beinhaltet:
    • einem Vor-Schlüsselzeichenfolge-Register die Ausgabe aus der endgültigen Randomisierungsphase bereitstellen;
    • einem ausgewählten Kettenpuffer alternierende Bits der Ausgabe aus dem Vor-Schlüsselzeichenfolge-Register bereitstellen;
    • einem decodierenden Logikbaustein die Ausgabe des ausgewählten Kettenpuffers bereitstellen, wobei der decodierende Logikbaustein ein bestimmtes Polynom zur Verwendung beim Erzeugen eines Polynomcodesignals decodiert, wobei mindestens einem rückgekoppelten Schieberegister das Polynomcodesignal bereitgestellt wird; und
    • einem Schlüsselzeichenfolge-Register die verbleibenden Bits der Ausgabe aus dem Vor-Schlüsselzeichenfolge-Register bereitstellen, wobei die Ausgabe des Schlüsselzeichenfolge-Registers das Schlüsselzeichen bereitstellt.
  19. Verfahren gemäß einem der Ansprüche 1 bis 18, wobei die endgültige Randomisierungsphase mehrere nichtlineare S-Boxen beinhaltet.
  20. Verfahren gemäß Anspruch 19, wobei die S-Boxen 8*8 S-Boxen sind.
  21. Verfahren gemäß Anspruch 19, das ferner die folgenden Schritte beinhaltet:
    • einem Codestrom-Register eine gewisse Ausgabe der S-Boxen bereitstellen;
    • die Ausgabe durch das Codestrom-Register takten;
    • die Ausgabe an von mindestens einem der rückgekoppelten Schieberegister über einen nichtbinären Addierer verschobenen Datenbits zugeben, um rückgekoppelte Datenbits zu produzieren;
    • der Eingabephase und den vorbestimmten Zwischenphasen von mindestens einem der rückgekoppelten Schieberegister die rückgekoppelten Datenbits bereitstellen.
  22. Verfahren gemäß einem der Ansprüche 1 bis 21, wobei:
    • den mehreren rückgekoppelten Schieberegistern ein 192 Bit geteilter Startparameter-Schlüssel bereitgestellt wird; und
    • eine 56 Bit Schlüsselzeichenfolge erzeugt wird.
  23. Verfahren gemäß Anspruch 22, wobei der 192 Bit geteilte Startparameter-Schlüssel durch das Duplizieren der Hälfte der Bits aus einer 128 Bit Eingabe gewonnen wird.
  24. Eine Schlüsselzeichenfolgegeneratorvorrichtung, die Folgendes beinhaltet:
    • mehrere rückgekoppelte Schieberegister (110, 120, 130), wobei jedes rückgekoppelte Schieberegister Eingabe-, Zwischen- und Ausgabephasen aufweist, durch die Datenbits seriell als Reaktion auf ein Taktsignal verschoben werden, gekennzeichnet durch
    • eine erste Randomisierungsphase (150-157), die die Ausgabe von vorbestimmten Registerphasen der mehrfachen rückgekoppelten Schieberegister empfängt;
    • eine zweite Randomisierungsphase (161), die die Ausgabe von der ersten Randomisierungsphase empfängt;
    • eine dritte Randomisierungsphase (165), die die Ausgabe von der zweiten Randomisierungsphase und Datenbits von anderen vorbestimmten Registerphasen der rückgekoppelten Schieberegister empfängt, wobei
    • die Datenbits in jeder Randomisierungsphase permutiert werden und die Ausgabe einer endgültigen Randomisierungsphase die Schlüsselzeichenfolge bereitstellt.
  25. Vorrichtung gemäß Anspruch 24, wobei die dritte Randomisierungsphase die endgültige Randomisierungsphase ist.
  26. Vorrichtung gemäß Anspruch 24 oder 25, wobei:
    • mindestens eine rückgekoppelte Schieberegisterstruktur als Reaktion auf ein durch einen Polynomcodesignalgenerator erzeugtes Polynomcodesignal variiert wird.
  27. Vorrichtung gemäß Anspruch 26, wobei:
    • der Polynomcode, der zum Erzeugen des Polynomcodesignals verwendet wird, variiert wird.
  28. Vorrichtung gemäß einem der Ansprüche 24 bis 27, wobei die rückgekoppelten Schieberegister Folgendes beinhalten:
    • eine Vielzahl dynamischer rückgekoppelter Schieberegister, und
    • mindestens ein statisches rückgekoppeltes Schieberegister.
  29. Vorrichtung gemäß einem der Ansprüche 24 bis 28, wobei die rückgekoppelten Schieberegister Folgendes beinhalten:
    • ein erstes dynamisches rückgekoppeltes Schieberegister;
    • ein zweites dynamisches rückgekoppeltes Schieberegister, und
    • ein statisches rückgekoppeltes Schieberegister.
  30. Vorrichtung gemäß Anspruch 29, wobei:
    • Startparameter-Daten in einen Eingabepuffer eingegeben werden;
    • dem ersten dynamischen rückgekoppelten Schieberegister ein erster Abschnitt der Startparameter-Daten aus dem Eingabepuffer bereitgestellt wird,
    • dem zweiten dynamischen rückgekoppelten Schieberegister ein zweiter Abschnitt der Startparameter-Daten aus dem Eingabepuffer bereitgestellt wird, und
    • dem statischen rückgekoppelten Schieberegister ein dritter Abschnitt der Startparameter-Daten aus dem Eingabepuffer bereitgestellt wird.
  31. Vorrichtung gemäß Anspruch 30, wobei:
    • die Datenbits des dynamischen rückgekoppelten Schieberegisters seriell von jeder Registerphase als Reaktion auf ein Taktsignal verschoben werden;
    • eine Anzahl von endlichen Feldaddierern zwischen vorbestimmten Paaren der Registerphasen der dynamischen rückgekoppelten Schieberegister angeordnet werden, so dass eine der Eingaben in jeden Addierer von der vorangehenden Registerphase bereitgestellt wird und die andere Eingabe von jedem Addierer von dem Ausgabeterminal der Ausgabephase über einen endlichen Feldmultiplikator bereitgestellt wird.
  32. Vorrichtung gemäß einem der Ansprüche 24 bis 31, wobei die erste Randomisierungsphase eine Randomisierungstabelle zum Permutieren von Datenbits aus vorbestimmten Registerphasen beinhaltet.
  33. Vorrichtung gemäß einem der Ansprüche 24 bis 32, wobei die zweite Randomisierungsphase eine nichtlineare Mischfunktion beinhaltet, um die Ausgabe der zweiten Randomisierungsphase und Datenbits aus anderen vorbestimmten Registerphasen der rückgekoppelten Schieberegister zu kombinieren.
  34. Vorrichtung gemäß einem der Ansprüche 24 bis 33, wobei die dritte Randomisierungsphase mehrere nichtlineare S-Boxen beinhaltet.
  35. Vorrichtung gemäß Anspruch 34, wobei die S-Boxen 8*8 S-Boxen sind.
  36. Vorrichtung gemäß einem der Ansprüche 24 bis 35, wobei die dritte Randomisierungsphase 256 nichtlineare 8*8 S-Boxen beinhaltet.
  37. Vorrichtung gemäß einem der Ansprüche 24 bis 36, wobei die rückgekoppelten Schieberegister unter Verwendung eines erweiterten Galoisfelds GF (2m) konstruiert werden.
  38. Vorrichtung gemäß Anspruch 37, wobei m gleich acht ist.
  39. Vorrichtung gemäß Anspruch 37 oder 38, wobei die für die rückgekoppelten Schieberegister verwendeten Polynome primitiv und irreduzibel sind.
  40. Vorrichtung gemäß einem der Ansprüche 24 bis 39, wobei die erste Randomisierungsphase mehrere Randomisierungstabellen zum Permutieren von Datenbits aus vorbestimmten Registerphasen beinhaltet.
  41. Vorrichtung gemäß Anspruch 40, wobei die mehrfachen Randomisierungstabellen acht Randomisierungstabellen beinhalten.
  42. Vorrichtung gemäß einem der Ansprüche 24 bis 41, wobei:
    • die Datenbits aus den rückgekoppelten Schieberegistern vor der
    • Eingabe in die erste Randomisierungsphase gemultiplext werden.
  43. Vorrichtung gemäß einem der Ansprüche 24 bis 42, die ferner Folgendes beinhaltet:
    • ein Vor-Schlüsselzeichenfolge-Register zum Empfangen der Ausgabe aus der dritten Randomisierungsphase;
    • einen ausgewählten Kettenpuffer zum Empfangen von alternierenden Bits der Ausgabe aus dem Vor-Schlüsselzeichenfolge-Register;
    • einen decodierenden Logikbaustein zum Empfangen der Ausgabe aus dem ausgewählten Kettenpuffer, wobei der decodierende Logikbaustein ein bestimmtes Polynom zur Verwendung beim Erzeugen eines Polynomcodesignals decodiert, wobei mindestens einem rückgekoppelten Schieberegister das Polynomcodesignal bereitgestellt wird; und
    • ein Schlüsselzeichenfolge-Register zum Empfangen der verbleibenden Bits der Ausgabe aus dem Vor-Schlüsselzeichenfolge-Register, wobei die Ausgabe des Schlüsselzeichenfolge-Registers das Schlüsselzeichen bereitstellt.
  44. Vorrichtung gemäß Anspruch 43, wobei:
    • die dritte Randomisierungsphase mehrere nichtlineare S-Boxen beinhaltet;
    • eine gewisse Ausgabe der S-Boxen an ein Codestrom-Register bereitgestellt wird;
    • die Ausgabe durch das Codestrom-Register getaktet wird;
    • die Ausgabe an von mindestens einem der rückgekoppelten Schieberegister über einen nichtbinären Addierer verschobenen Datenbits zugegeben wird, um rückgekopplte Datenbits zu produzieren; und
    • der Eingabephase und den vorbestimmten Zwischenphasen von mindestens einem der rückgekoppelten Schieberegister die Rückkopplungsdatenbits bereitgestellt werden.
  45. Vorrichtung gemäß einem der Ansprüche 24 bis 44, wobei:
    • den mehreren rückgekoppelten Schieberegistern ein 192 Bit geteilter Startparameter-Schlüssel bereitgestellt wird; und
    • eine 56 Bit Schlüsselzeichenfolge erzeugt wird.
  46. Vorrichtung gemäß Anspruch 45, wobei der 192 Bit geteilte Startparameter-Schlüssel durch das Duplizieren der Hälfte der Bits aus einer 128 Bit Eingabe gewonnen wird.
Anspruch[en]
  1. A method of generating a keystream, comprising the steps of:
    • providing data bits from predetermined register stages of multiple feedback shift registers (110,120,130) to a first randomization stage (150-157), each feedback shift register having input, intermediate, and output stages through which the data bits are shifted serially in response to a clock signal;
    characterized by the additional steps of
    • providing output of said first randomization stage to a second randomization stage (161);
    • providing output of said second randomization stage and data bits from other predetermined register stages of said feedback shift registers to at least one additional randomization stage (165), wherein,
    • said data bits are permuted at each randomization stage and the output of a final randomization stage provides said keystream.
  2. A method in accordance with claim 1, wherein a third randomization stage is the final randomization stage.
  3. A method in accordance with claim 1 or 2, further comprising the step of:
    • varying at least one feedback shift register structure in response to a polynomial code signal generated by a polynomial code signal generator.
  4. A method in accordance with claim 3, further comprising the step of:
    • varying the polynomial code used to generate the polynomial code signal.
  5. A method in accordance with one of claims 1 to 4,

    wherein the feedback shift registers comprise:
    • a plurality of dynamic feedback shift registers; and
    • at least one static feedback shift register.
  6. A method in accordance with one of claims 1 to 4,

    wherein the feedback shift registers comprise:
    • a first dynamic feedback shift register;
    • a second dynamic feedback shift register; and
    • a static feedback shift register.
  7. A method in accordance with claim 6, further comprising the steps of:
    • inputting seed data into an input buffer;
    • providing a first portion of the seed data from the input buffer to the first dynamic feedback shift register;
    • providing a second portion of the seed data from the input buffer to the second dynamic feedback shift register; and
    • providing a third portion of the seed data from the input buffer to the static feedback shift register.
  8. A method in accordance with claim 7, wherein:
    • the data bits of the dynamic feedback shift registers are shifted serially from each register stage in response to a clock signal;
    • a number of finite field adders are arranged between predetermined pairs of the register stages of the dynamic feedback shift registers, such that one of the inputs to each adder is provided from the preceding register stage and the other input of each adder is fed back from the output terminal of the output stage via a finite field multiplier.
  9. A method in accordance with one of claims 1 to 8,

    wherein the first randomization stage comprises a randomization table for permuting data bits from predetermined register stages.
  10. A method in accordance with one of claims 1 to 9,

    wherein the second randomization stage comprises a non-linear mixing function to combine the output of said second randomization stage and data bits from other predetermined register stages of said feedback shift registers.
  11. A method in accordance with one of claims 1 to 10, wherein the final randomization stage comprises 256 non-linear 8*8 S-Boxes.
  12. A method in accordance with one of claims 1 to 11, wherein the feedback shift registers are constructed using an extended Galois field GF (2m).
  13. A method in accordance with claim 12, wherein m equals eight.
  14. A method in accordance with one of claims 12 or 13, wherein the polynomials used for the feedback shift registers are primitive and irreducible.
  15. A method in accordance with one of claims 1 to 14, wherein the first randomization stage comprises multiple randomization tables for permuting data bits from predetermined register stages.
  16. A method in accordance with claim 15, wherein the multiple randomization tables comprise eight randomization tables.
  17. A method in accordance with one of claims 1 to 16, further comprising the step of:
    • multiplexing the data bits from the feedback shift registers prior to input into the first randomization stage.
  18. A method in accordance with one of claims 1 to 17, further comprising the steps of;
    • providing the output from the final randomization stage to a pre-keystream register;
    • providing alternate bits of the output from said pre-keystream register to a select chain buffer;
    • providing output from the select chain buffer to a decoding logic unit, which decoding logic unit decodes a particular polynomial for use in generating a polynomial code signal, said polynomial code signal being provided to at least one feedback shift register; and
    • providing the remaining bits of the output from said pre-keystream register to a keystream register,

      wherein the output of the keystream register provides said keystream.
  19. A method in accordance with one of claims 1 to 18, wherein the final randomization stage comprises multiple non-linear S-Boxes.
  20. A method in accordance with claim 19, wherein the S-Boxes are 8*8 S-Boxes.
  21. A method in accordance with claim 19, further comprising the steps of:
    • providing certain output of the S-Boxes to a codestream register;
    • clocking said output through said codestream register;
    • adding said output to data bits shifted from at least one of the feedback shift registers via a non-binary adder to produce feedback data bits;
    • providing the feedback data bits to the input stage and predetermined intermediate stages of at least one of the feedback shift registers.
  22. A method in accordance with one of claims 1 to 21, wherein:
    • a 192 bit shared seed input key is provided to the multiple feedback shift registers; and
    • a 56 bit keystream output is generated.
  23. A method in accordance with claim 22, wherein the 192 bit shared seed input key is derived from a 128 bit input by duplicating half the bits.
  24. A keystream generator apparatus, comprising:
    • multiple feedback shift registers (110,120,130), each feedback shift register having input, intermediate, and output stages through which data bits are shifted serially in response to a clock signal;
    characterized by
    • a first randomization stage (150-157) which receives output from predetermined register stages of the multiple feedback shift registers;
    • a second randomization stage (161) which receives output from said first randomization stage;
    • a third randomization stage (165) which receives output from said second randomization stage and data bits from other predetermined register stages of said feedback shift registers, wherein,
    • said data bits are permuted at each randomization stage and the output of a final randomization stage provides said keystream.
  25. Apparatus in accordance with claim 24, wherein the third randomization stage is the final randomization stage.
  26. Apparatus in accordance with claim 24 or 25,

    wherein:
    • at least one feedback shift register structure is varied in response to a polynomial code signal generated by a polynomial code signal generator.
  27. Apparatus in accordance with claim 26, wherein:
    • the polynomial code used to generate the polynomial code signal is varied.
  28. Apparatus in accordance with one of claims 24 to 27, wherein the feedback shift registers comprise:
    • a plurality of dynamic feedback shift registers; and
    • at least one static feedback shift register.
  29. Apparatus in accordance with one of claims 24 to 28, wherein the feedback shift registers comprise:
    • a first dynamic feedback shift register;
    • a second dynamic feedback shift register; and
    • a static feedback shift register.
  30. Apparatus in accordance with claim 29, wherein:
    • seed data is input into an input buffer;
    • a first portion of the seed data from the input buffer is provided to the first dynamic feedback shift register;
    • a second portion of the seed data from the input buffer is provided to the second dynamic feedback shift register; and
    • a third portion of the seed data from the input buffer is provided to the static feedback shift register.
  31. Apparatus in accordance with claim 30, wherein:
    • the data bits of the dynamic feedback shift registers are shifted serially from each register stage in response to a clock signal;
    • a number of finite field adders are arranged between predetermined pairs of the register stages of the dynamic feedback shift registers, such that one of the inputs to each adder is provided from the preceding register stage and the other input of each adder is fed back from the output terminal of the output stage via a finite field multiplier.
  32. Apparatus in accordance with one of claims 24 to 31, wherein the first randomization stage comprises a randomization table for permuting data bits from predetermined register stages.
  33. Apparatus in accordance with one of claims 24 to 32, wherein the second randomization stage comprises a non-linear mixing function to combine the output of said second randomization stage and data bits from other predetermined register stages of said feedback shift registers.
  34. Apparatus in accordance with one of claims 24 to 33, wherein the third randomization stage comprises multiple non-linear S-Boxes.
  35. Apparatus in accordance with claim 34, wherein the S-Boxes are 8*8 S-Boxes.
  36. Apparatus in accordance with one of claims 24 to 35, wherein the third randomization stage comprises 256 non-linear 8*8 S-Boxes.
  37. Apparatus in accordance with one of claims 24 to 36, wherein the feedback shift registers are constructed using an extended Galois field GF(2m).
  38. Apparatus in accordance with claim 37, wherein m equals eight.
  39. Apparatus in accordance with claim 37 or 38, wherein the polynomials used for the feedback shift registers are primitive and irreducible.
  40. Apparatus in accordance with one of claims 24 to 39, wherein the first randomization stage comprises multiple randomization tables for permuting data bits from predetermined register stages.
  41. Apparatus in accordance with claim 40, wherein the multiple randomization tables comprise eight randomization tables.
  42. Apparatus in accordance with one of claims 24 to 41, wherein:
    • the data bits from the feedback shift registers are multiplexed prior to input into the first randomization stage.
  43. Apparatus in accordance with one of claims 24 to 42, further comprising;
    • a pre-keystream register for receiving the output from the third randomization stage;
    • a select chain buffer for receiving alternate bits of the output from said pre-keystream register;
    • a decoding logic unit for receiving output from the select chain buffer, which decoding logic unit decodes a particular polynomial for use in generating a polynomial code signal, said polynomial code signal being provided to at least one feedback shift register; and
    • a keystream register for receiving the remaining bits of the output from said pre-keystream register,

      wherein output of the keystream register provides said keystream.
  44. Apparatus in accordance with claim 43, wherein:
    • the third randomization stage comprises multiple non-linear S-Boxes;
    • certain output of the S-Boxes is provided to a codestream register;
    • said output is clocked through said codestream register;
    • said output is added to data bits shifted from at least one of the feedback shift registers via a non-binary adder to produce feedback data bits; and
    • said feedback data bits are provided to the input stage and predetermined intermediate stages of at least one of the feedback shift registers.
  45. Apparatus in accordance with one of claims 24 to 44, wherein:
    • a 192 bit shared seed input key is provided to the multiple feedback shift registers; and
    • a 56 bit keystream output is generated.
  46. Apparatus in accordance with claim 45, wherein the 192 bit shared seed input key is derived from a 128 bit input by duplicating half the bits.
Anspruch[fr]
  1. Une méthode pour générer une séquence de clé, comportant les étapes de :
    • fournir des bits de données provenant d'étages de registres prédéterminés de registres à décalage à rétroaction multiples (110, 120, 130) à un premier étage d'aléation (150 à 157), chaque registre à décalage à rétroaction ayant des étages d'entrée, intermédiaires, et de sortie dans lesquels les bits de données sont décalés en série en réponse à un signal d'horloge ; caractérisée par les étapes additionnelles de
    • fournir une sortie dudit premier étage d'aléation à un deuxième étage d'aléation (161) ;
    • fournir une sortie dudit deuxième étage d'aléation et des bits de données provenant d'autres étages de registres prédéterminés desdits registres à décalage à rétroaction à au moins un étage d'aléation additionnel (165), dans laquelle,
    • lesdits bits de données sont permutés à chaque étage d'aléation et la sortie d'un étage d'aléation final fournit ladite séquence de clé.
  2. Une méthode conformément à la revendication 1, dans laquelle un troisième étage d'aléation est l'étage d'aléation final.
  3. Une méthode conformément à la revendication 1 ou la revendication 2, comportant de plus l'étape de :
    • faire varier au moins une structure de registre à décalage à rétroaction en réponse à un signal de code polynomial généré par un générateur de signal de code polynomial.
  4. Une méthode conformément à la revendication 3, comportant de plus l'étape de :
    • faire varier le code polynomial utilisé pour générer le signal de code polynomial.
  5. Une méthode conformément à l'une des revendications 1 à 4, dans laquelle les registres à décalage à rétroaction comportent :
    • une pluralité de registres à décalage à rétroaction dynamiques ; et
    • au moins un registre à décalage à rétroaction statique.
  6. Une méthode conformément à l'une des revendications 1 à 4, dans laquelle les registres à décalage à rétroaction comportent :
    • un premier registre à décalage à rétroaction dynamique ;
    • un deuxième registre à décalage à rétroaction dynamique ; et
    • un registre à décalage à rétroaction statique.
  7. Une méthode conformément à la revendication 6, comportant de plus les étapes de :
    • entrer des données d'amorce dans un tampon d'entrée ;
    • fournir une première portion des données d'amorce provenant du tampon d'entrée au premier registre à décalage à rétroaction dynamique;
    • fournir une deuxième portion des données d'amorce provenant du tampon d'entrée au deuxième registre à décalage à rétroaction dynamique ; et
    • fournir une troisième portion des données d'amorce provenant du tampon d'entrée au registre à décalage à rétroaction statique.
  8. Une méthode conformément à la revendication 7, dans laquelle :
    • les bits de données des registres à décalage à rétroaction dynamiques sont décalés en série de chaque étage de registres en réponse à un signal d'horloge ;
    • un nombre d'additionneurs à champ fini sont arrangés entre des paires prédéterminées des étages de registres des registres à décalage à rétroaction dynamiques, de telle sorte que l'une des entrées pour chaque additionneur provient de l'étage de registre précédent et que l'autre entrée de chaque additionneur est réintroduite à partir du terminal de sortie de l'étage de sortie par le biais d'un multiplicateur à champ fini.
  9. Une méthode conformément à l'une des revendications 1 à 8, dans laquelle le premier étage d'aléation comporte une table d'aléation pour permuter des bits de données provenant d'étages de registres prédéterminés.
  10. Une méthode conformément à l'une des revendications 1 à 9, dans laquelle le deuxième étage d'aléation comporte une fonction de mélange non linéaire pour combiner la sortie dudit deuxième étage d'aléation et des bits de données provenant d'autres étages de registres prédéterminés desdits registres à décalage à rétroaction.
  11. Une méthode conformément à l'une des revendications 1 à 10, dans laquelle l'étage d'aléation final comporte 256 S-Box 8*8 non linéaires.
  12. Une méthode conformément à l'une des revendications 1 à 11, dans laquelle les registres à décalage à rétroaction sont construits à l'aide d'un champ de Galois GF (2m) étendu.
  13. Une méthode conformément à la revendication 12, dans laquelle m égale huit.
  14. Une méthode conformément à l'une des revendications 12 et 13, dans laquelle les polynomiaux utilisés pour les registres à décalage à rétroaction sont primitifs et irréductibles.
  15. Une méthode conformément à l'une des revendications 1 à 14, dans laquelle le premier étage d'aléation comporte des tables d'aléation multiples pour permuter des bits de données provenant d'étages de registres prédéterminés.
  16. Une méthode conformément à la revendication 15, dans laquelle les tables d'aléation multiples comportent huit tables d'aléation.
  17. Une méthode conformément à l'une des revendications 1 à 16, comportant de plus l'étape de :
    • multiplexer les bits de données provenant des registres à décalage à rétroaction avant leur entrée dans le premier étage d'aléation.
  18. Une méthode conformément à l'une des revendications 1 à 17, comportant de plus les étapes de :
    • fournir la sortie provenant de l'étage d'aléation final à un registre de pré-séquence de clé ;
    • fournir des bits alternés de la sortie provenant dudit registre de pré-séquence de clé à un tampon de chaîne choisi ;
    • fournir une sortie provenant du tampon de chaîne choisi à une unité logique de décodage, laquelle unité logique de décodage décode un polynomial particulier destiné à être utilisé dans la génération d'un signal de code polynomial, ledit signal de code polynomial étant fourni à au moins un registre à décalage à rétroaction ; et
    • fournir les bits restants de la sortie provenant dudit registre de pré-séquence de clé à un registre de séquence de clé, dans laquelle la sortie du registre de séquence de clé fournit ladite séquence de clé.
  19. Une méthode conformément à l'une des revendications 1 à 18, dans laquelle l'étage d'aléation final comporte des S-Box non linéaires multiples.
  20. Une méthode conformément à la revendication 19, dans laquelle les S-Box sont des S-Box 8*8.
  21. Une méthode conformément à la revendication 19, comportant de plus les étapes de :
    • fournir une certaine sortie des S-Box à un registre de flux de code ;
    • synchroniser ladite sortie dans ledit registre de flux de code ;
    • ajouter ladite sortie à des bits de données décalés d'au moins un des registres à décalage à rétroaction par le biais d'un additionneur non binaire pour produire des bits de données à rétroaction ;
    • fournir les bits de données à rétroaction à l'étage d'entrée et aux étages intermédiaires prédéterminés d'au moins un des registres à décalage à rétroaction.
  22. Une méthode conformément à l'une des revendications 1 à 21, dans laquelle :
    • une clé d'entrée d'amorce partagée de 192 bits est fournie aux registres à décalage à rétroaction multiples ; et
    • une sortie de séquence de clé de 56 bits est générée.
  23. Une méthode conformément à la revendication 22, dans laquelle la clé d'entrée d'amorce partagée de 192 bits est dérivée d'une entrée de 128 bits en reproduisant la moitié des bits.
  24. Un appareil générateur de séquence de clé, comportant :
    • des registres à décalage à rétroaction multiples (110, 120, 130), chaque registre à décalage à rétroaction ayant des étages d'entrée, intermédiaires, et de sortie dans lesquels des bits de données sont décalés en série en réponse à un signal d'horloge ; caractérisé par
    • un premier étage d'aléation (150 à 157) qui reçoit une sortie provenant d'étages de registres prédéterminés des registres à décalage à rétroaction multiples ;
    • un deuxième étage d'aléation (161) qui reçoit une sortie provenant dudit premier étage d'aléation ;
    • un troisième étage d'aléation (165) qui reçoit une sortie provenant dudit deuxième étage d'aléation et des bits de données provenant d'autres étages de registres prédéterminés desdits registres à décalage à rétroaction, dans lequel,
    • lesdits bits de données sont permutés à chaque étage d'aléation et la sortie d'un étage d'aléation final fournit ladite séquence de clé.
  25. Appareil conformément à la revendication 24, dans lequel le troisième étage d'aléation est l'étage d'aléation final.
  26. Appareil conformément à la revendication 24 ou la revendication 25, dans lequel :
    • au moins une structure de registre à décalage à rétroaction subit une variation en réponse à un signal de code polynomial généré par un générateur de signal de code polynomial.
  27. Appareil conformément à la revendication 26, dans lequel :
    • le code polynomial utilisé pour générer le signal de code polynomial subit une variation.
  28. Appareil conformément à l'une des revendications 24 à 27, dans lequel les registres à décalage à rétroaction comportent :
    • une pluralité de registres à décalage à rétroaction dynamiques ; et
    • au moins un registre à décalage à rétroaction statique.
  29. Appareil conformément à l'une des revendications 24 à 28, dans lequel les registres à décalage à rétroaction comportent :
    • un premier registre à décalage à rétroaction dynamique ;
    • un deuxième registre à décalage à rétroaction dynamique ; et
    • un registre à décalage à rétroaction statique.
  30. Appareil conformément à la revendication 29, dans lequel :
    • des données d'amorce sont entrées dans un tampon d'entrée ;
    • une première portion des données d'amorce provenant du tampon d'entrée est fournie au premier registre à décalage à rétroaction dynamique ;
    • une deuxième portion des données d'amorce provenant du tampon d'entrée est fournie au deuxième registre à décalage à rétroaction dynamique ; et
    • une troisième portion des données d'amorce provenant du tampon d'entrée est fournie au registre à décalage à rétroaction statique.
  31. Appareil conformément à la revendication 30, dans lequel :
    • les bits de données des registres à décalage à rétroaction dynamiques sont décalés en série de chaque étage de registres en réponse à un signal d'horloge ; un nombre d'additionneurs à champ fini sont arrangés entre des paires prédéterminées des étages de registres des registres à décalage à rétroaction dynamiques, de telle sorte que l'une des entrées pour chaque additionneur provient de l'étage de registre précédent et que l'autre entrée de chaque additionneur est réintroduite à partir du terminal de sortie de l'étage de sortie par le biais d'un multiplicateur à champ fini.
  32. Appareil conformément à l'une des revendications 24 à 31, dans lequel le premier étage d'aléation comporte une table d'aléation pour permuter des bits de données provenant d'étages de registres prédéterminés.
  33. Appareil conformément à l'une des revendications 24 à 32, dans lequel le deuxième étage d'aléation comporte une fonction de mélange non linéaire pour combiner la sortie dudit deuxième étage d'aléation et des bits de données provenant d'autres étages de registres prédéterminés desdits registres à décalage à rétroaction.
  34. Appareil conformément à l'une des revendications 24 à 33, dans lequel le troisième étage d'aléation comporte des S-Box non linéaires multiples.
  35. Appareil conformément à la revendication 34, dans lequel les S-Box sont des S-Box 8*8.
  36. Appareil conformément à l'une des revendications 24 à 35, dans lequel le troisième étage d'aléation comporte 256 S-Box 8*8 non linéaires.
  37. Appareil conformément à l'une des revendications 24 à 36, dans lequel les registres à décalage à rétroaction sont construits à l'aide d'un champ de Galois GF (2m) étendu.
  38. Appareil conformément à la revendication 37, dans laquelle m égale huit.
  39. Appareil conformément à la revendication 37 ou la revendication 38, dans lequel les polynomiaux utilisés pour les registres à décalage à rétroaction sont primitifs et irréductibles.
  40. Appareil conformément à l'une des revendications 24 à 39, dans lequel le premier étage d'aléation comporte des tables d'aléation multiples pour permuter des bits de données provenant d'étages de registres prédéterminés.
  41. Appareil conformément à la revendication 40, dans lequel les tables d'aléation multiples comportent huit tables d'aléation.
  42. Appareil conformément à l'une des revendications 24 à 41, dans lequel :
    • les bits de données provenant des registres à décalage à rétroaction sont multiplexés avant leur entrée dans le premier étage d'aléation.
  43. Appareil conformément à l'une des revendications 24 à 42, comportant de plus :
    • un registre de pré-séquence de clé destiné à recevoir la sortie provenant du troisième étage d'aléation ;
    • un tampon de chaîne choisi destiné à recevoir des bits alternés de la sortie provenant dudit registre de pré-séquence de clé ;
    • une unité logique de décodage destinée à recevoir une sortie provenant du tampon de chaîne choisi, laquelle unité logique de décodage décode un polynomial particulier destiné à être utilisé dans la génération d'un signal de code polynomial, ledit signal de code polynomial étant fourni à au moins un registre à décalage à rétroaction ; et
    • un registre de séquence de clé destiné à recevoir les bits restants de la sortie provenant dudit registre de pré-séquence de clé, dans lequel la sortie du registre de séquence de clé fournit ladite séquence de clé.
  44. Appareil conformément à la revendication 43, dans lequel :
    • le troisième étage d'aléation comporte des S-Box linéaires multiples ;
    • une certaine sortie des S-Box est fournie à un registre de flux de code ;
    • ladite sortie est synchronisée dans ledit registre de flux de code ;
    • ladite sortie est ajoutée à des bits de données décalés d'au moins un des registres à décalage à rétroaction par le biais d'un additionneur non binaire pour produire des bits de données à rétroaction ; et
    • lesdits bits de données à rétroaction sont fournis à l'étage d'entrée et aux étages intermédiaires prédéterminés d'au moins un des registres à décalage à rétroaction.
  45. Appareil conformément à l'une des revendications 24 à 44, dans lequel :
    • une clé d'entrée d'amorce partagée de 192 bits est fournie aux registres à décalage à rétroaction multiples ; et
    • une sortie de séquence de clé de 56 bits est générée.
  46. Appareil conformément à la revendication 45, dans lequel la clé d'entrée d'amorce partagée de 192 bits est dérivée d'une entrée de 128 bits en reproduisant la moitié des bits.






IPC
A Täglicher Lebensbedarf
B Arbeitsverfahren; Transportieren
C Chemie; Hüttenwesen
D Textilien; Papier
E Bauwesen; Erdbohren; Bergbau
F Maschinenbau; Beleuchtung; Heizung; Waffen; Sprengen
G Physik
H Elektrotechnik

Anmelder
Datum

Patentrecherche

Patent Zeichnungen (PDF)

Copyright © 2008 Patent-De Alle Rechte vorbehalten. eMail: info@patent-de.com