The present invention relates to the field of data transmission. In particular, the present invention relates to a generator for generating a message authentication code, a method of generating a message authentication code, a program element and a computer-readable medium.
Almost all message authentication code (MAC) algorithms are constructed over one of the following group of primitives: unkeyed hash functions, such as SHA-1, RIPEMD-160, MD5, and block ciphers, such as DES, AES, IDEA, etc.
In all cases, the schemes result on implementations that require each bit of the message to be processed through at least one execution of either a hash function or a block cipher. Although this may be efficiently implemented on dedicated hardware through deep pipeline setup, this approach leads to the following drawbacks:
Firstly, a significant number of logical gates leading to considerable silicon-area consumption, which is one of the main factors driving chip-manufacturing cost.
Secondly, some noteworthy delay on obtaining the final result after the last bit of the message has been provided to the MACing engine.
Thirdly, high power consumption due to thousands of transistors commuting simultaneously during the whole processing of the message.
Although the first drawback is exacerbated by the deep-pipeline approach, the two latter drawbacks are invariant through all hardware implementations and intrinsic to the algorithms themselves.
In particular, the two latter drawbacks significantly complicate, and in some settings downright preclude, efficient implementations for:
It would be desirable to provide for a hardware optimized MAC.
In accordance with an exemplary embodiment of the present invention, the above desire may be met by a generator for generating a message authentication code, the generator comprising a first circuit adapted for performing a delinearization of a first data set, resulting in a second data set, wherein the first data set comprises an original code (i.e the plain text), and wherein the delinearization is based on a linear feedback shift register construction and a pseudorandom input.
Advantageously, according to this exemplary embodiment of the present invention, a new MAC generator is provided, that uses linear feedback shift registers (LFSRs) as its main security engine. Because of the innovative mechanism used to leverage the LFSR-generated stream, current know-how developed to attack these schemes is not directly applicable to the new design.
According to another exemplary embodiment of the present invention, the generator further comprises a second circuit adapted for performing an error detection code generation of the second data set, resulting in a third data set (i.e. the message authentication code), wherein the first circuit comprises a first linear feedback shift register, and wherein the first circuit is different from the second circuit.
In other words, the delinearization is obtained by continuously affecting the behaviour the LFSR mixing the plain text (i.e. the first data set) following a non-reusable pseudorandom sequence. Advantageously, according to this exemplary embodiment of the present invention, it is not the LFSR which is used for computation of the error detection code, but the error detection code is computed by a different second circuit.
According to another exemplary embodiment of the present invention, the first circuit comprises at least one lower weight stage and at least one higher weight stage, wherein the delinearization of the first data set comprises a generation of arbitrarily delayed mixed copies of the first data set that are xor-ed against the first data set. Furthermore, the at least one lower weight stage is adapted to ensure that an effect of each bit of the first data set propagate through all subsequent states of the first circuit and the at least one higher weight stage is jammed following a pseudorandom number sequence, wherein the pseudorandom number sequence generates logic arbitrarily delayed subsequences of a state of the at least one lower weight stage.
In this manner, while all the plain text bits affect the error detection code computation, most of them also affect it at delayed random positions that are impossible to guess by the adversary.
According to another exemplary embodiment of the present invention, the generator further comprises a fourth circuit comprising a pseudorandom number generating engine adapted for performing a pseudorandom number generation, wherein the fourth circuit is adapted for providing the generated pseudorandom number to the first circuit.
Thus, advantageously, an externally generated pseudorandom number may be used by the first circuit for the delinearization of the plain text or original code. Advantageously, this pseudonumber generation may be performed by a circuit different to the mixing or delinearization circuit.
According to other exemplary embodiments of the present invention, the pseudorandom number generating engine is selected from the group consisting of a combination of at least one second linear feedback shift register and/or a block cipher operated in a counter mode. Furthermore, an initial state of the combination of the at least one second linear feedback shift register may be chosen at random and may not be reused to generate message authentication codes for more than one message, wherein the initial state is used for performing the pseudorandom number generation.
Advantageously, according to this exemplary embodiment of the present invention, it may possible to let the “keying LFSR” run continuously, that is, using the final state of the LFSR achieved when processing message (i) into the initial state of the processing of the message (i+1).
Furthermore, according to another exemplary embodiment of the present invention, the second circuit comprises a cyclic redundancy check circuit, wherein the generation of the error detection code is based on a cyclic redundancy check construction performed by the second circuit.
Advantageously, the cyclic redundancy check construction is very efficient in computing error detection codes, moreover, it can be very efficiently implemented in hardware. Indeed, it is the circuit of choice for error detection codes in high speed networking equipments such as those used in 1Gps Ethernet. Moreover, the cyclic redundancy check construction is easily scalable to generate codes of different sizes (i.e. error detection strengths).
According to another exemplary embodiment of the present invention, the first data set is padded with at least one of a suffix and a prefix before performing the delinearization.
Advantageously, thus an attack may be avoided, which focuses on changing the last bit (s) of the plain text and computing the corresponding cipher text, assuming no jam occurred in the last phases.
According to another exemplary embodiment of the present invention, a method of generating a message authentication code is disclosed, the method comprising the step of performing a delinearization of a first data set by a first circuit, resulting in a second data set, wherein the first data set comprises an original code, and wherein the delinearization is based on a linear feedback shift register construction.
Advantageously, this may provide for a fast, hardware optimized MAC generation, using less hardware resources and less computational or electrical power.
The present invention also relates to a computer-readable medium and a program element of generating a message authentication code, which is stored on the computer-readable medium. The program element is adapted to carry out the step of performing a delinearization of a first data set by a first circuit, resulting in a second data set, when being executed by a processor. The program element may be part of, for example, an always-on stand alone medical device or an ultra-high speed router that operates in an internet backbone. The program element, according to an exemplary embodiment of the present invention, may preferably be loaded into working memories of a data processor. The data processor may thus be equipped to carry out exemplary embodiments of the methods of the present invention. The computer program may be written in any suitable programming language, such as, for example, Cow and may be stored on a computer-readable medium, such as a CD-ROM. Also, the computer program may be available from a network, such as the WorldWideWeb, from which it may be downloaded into processors, or any suitable computers.
Further exemplary embodiments of the present invention are set forth in the sub-claims.
An aspect of the present invention may be that the generator for generating a message authentication code is based on linear feedback shift registers which are adapted to produce secure MACs by performing a delinearization procedure of the original code.
The above and other aspects of the present invention will become readily apparent from and elucidated with reference to the embodiments described hereinafter.
Exemplary embodiments of the present invention will be described in the following, with reference to the following drawings:
The illustration in the drawings is schematically. In different drawings, similar or identical elements are provided with the same reference numerals.
It should be noted, that, according to an aspect of the present invention, a generator does not include the last CRC stage 3, but only circuits 1 and 2.
The pseudorandom number generator group 1 comprises a load input 14, an initial input 15, a clock 13, new bit input 16 and bit output 12, which is fed into LFSR stages 26 and 27.
The clock signals 13 are fed into the pseudorandom number generator group 1 and into each of the five LFSR stages 23-27 via lines 44, 45, 46, 47, 48.
The new bit 16 is provided to the pseudorandom number generator group 1 and to the checksum generation block 3 via element 18.
The load input 14 is further provided to the five LFSR stages 23-27 via lines 49-53, respectively.
The checksum generation block 3 further comprises a secure CRC output 31 and a ready pin 32.
Not gate 18 helps in establishing the correct operating mode between processing input plain text 11 and generating output MAC 31.
Xor gate 21 introduced the plaintext 11 into the LFSR state after computing polynomial result 41
While the CRC-32 algorithm is well suited to detect random changes on the plain text, including error-bursts up to 32 bits and all error burst affecting an odd number of bits (assuming that the CRC-32 polynomial defined in IEEE 802 is used (X32+X26+X23+X22+X16+X12+X11+X10+X8+X7+X5+X4+X2+X1+1), as disclosed in A. S. Tanenbaum, Computer Networks, 4th Edition, which is hereby incorporated by reference), it is definitively not able to prevent from undetected deliberate modifications of the plaintext. However, this well-known algorithm may be leveraged into generating secure MACs by re-mixing the plain text 11 into an internal stream in such a manner that it may be unfeasible for the attacker to guess the contents of this internal stream without knowing a secret value (i.e. the key). This stream is labeled “Secret Stream” 28 in
The mixing bloc, which outputs the “Secret Stream” 28, works by generating arbitrarily delayed mixed copies of the plain text 11 that are xor-ed against the plain text 11 itself as this is imputed into the mixing bloc 2. The Mixing Engine 2 comprises two main sub-components:
In this manner, while all the plain text bits affect the CRC-32 computation, most of them also affect it at delayed random positions that are impossible to guess by the adversary.
It should be noted, that the connection polynomial shown in
Finally, the “Keying LFSR” bloc 1 may be a standard LFSR with a primitive polynomial and it may have the role of clocking the higher weight stages of the mixing bloc 2 with its output stream 12.
It should be noted that
Obviously, to be secure the initial state of the clock-generating LFSR should be chosen at random and should not be reused to generate MACs for more than one message (i.e. a secret nonce). However, it is possible to let the “Keying LFSR” run continuously, that is, using the final state of the LFSR achieved when processing message(i) into the initial state of the processing of message(i+1).
When relaunching the engine, both the Mixing and the CRC-32 blocs should be cleared (this may be necessary to achieve pre-image resistance).
The first bits of the plaintext message may have only a small chance of being affected by the Mixing Engine and therefore may become easy targets for undetected message modification. To prevent this from happening, it may be necessary to prefix the message with some extra amount of bits. This padding should not be secret and may be a fixed algorithm parameter. Any sequence larger than the Mixing Engine-size with a balanced mix of zeros and ones may be sufficient. For a five-stage Mixing Engine-size the sequence represented by the byte AAhex may be used.
Finally, the latest bits of the plaintext message have only a small chance of affecting the Mixing Engine state in an unpredictable way and therefore can become easy targets for undetected message modification. To prevent this from happening, it may be advantageous to pad the message with some extra amount of bits. This padding should not be secret and can be a fixed algorithm parameter. Any sequence equal or larger than the CRC output stage would do. Therefore, for a 16-bit CRC a sequence of 16 zero bits may be used.
In this version of the algorithm, the clock of each randomized stage of the Mixing bloc is controlled by a different pseudorandom number generator LFSR.
The LFSR lengths may be co-prime and may be of lengths 61 and 67 for a CRC-32 based output. In this configuration, the MAC key may be 128 bits long.
The same baseline requirements for secure operation as described above apply.
Given
It should be noted, that the embodiments presented above are highly customisable. Indeed, a generalization of this invention to the constructions described below may be performed.
As may be seen from
According to exemplary embodiments of the present invention, the generator may comprise:
An arbitrarily number of stages, and/or
an arbitrary number of input Random Streams driving the MSB stages that have correspondent exponent in the LFSR's characteristic polynomial set to 1, and/or
an output extracted from the input of the first flip stage instead of what is presented in
an output computed as a (non-) linear combining function of the output of all the LFSR stages, in particular using resilient functions (P. Camion and A. Canteaut. Correlation-immune and resilient functions over a finite alphabet and their applications in cryptography. Designs, Codes and Cryptography, (16):121-149, 1999, which is hererby incorporated by reference), and/or
any kind of characteristic polynomial, and/or
additional clear and/or set signals, and/or
additional parallel loading and/or reading of LFSR, and/or
compositions of the mixing engine where the plain text 11 is distributed through several mixing engines 1000, 1100, this controlled by secondary input random streams 100, 200, 300, as depicted in
Note that when the aforementioned non-linear combining function is used, it MAY be possible to reuse the pseudo-random keying stream. In this case the delinearization is not directly performed by the mixing engine (or combinations thereof) but uniquely by the non-linear combining function. This has the advantage of significantly simplifying key management of the MAC function when multiple asynchronous messages are interchanged between parties.
In
The stage(s) “Keying LFSR” may be substituted by any pseudo-random generating engine, in particular by any block cipher operated in counter and/or output feedback modes or any combination of LFSRs.
Furthermore, the output stage “CRC-32” may be substituted by any bloc capable of generating an error-detecting code, in particular by any error-detecting code, in particular CRCs of any length and checksums, by cryptographic MDC functions such as SHA-1 and RIPEMD-160, or by congruence generators, or by hash functions commonly used for efficient indexing of data or by the circuit described hereafter:
Take the final state of the mixing engine and use it as initial state of a self-shrinking generator LFSR.
Run the self-shrinking generator LFSR until MAC output of the desired size is obtained.
In the following, further information about the LFSRs and CLCs is provided:
In the following, further information about linear feedback shift registers, linear finite state machines, cyclic redundancy codes, self-shrinking generator and non-linear filter generator is provided.
Now, the main characteristics of linear feedback shift registers (LFSRs) are summarized. Throughout the paper we will consider the binary field F. An LFSR of length n consists of n memory cells, which form together the state (s0, s1, . . . , sn−1). We will refer to the memory cells also as D Flip-Flops. An LFSR defines the output sequence {si}i≧0, which is defined by the recurrence relation
where cn=1 by definition. Let s(i) define the state of the LFSR at time i, i.e. s(i)=(si, si+1, . . . , si+n−1).
Then a similar relation for the states holds
The coefficients ci are called feedback coefficients, if ci=0 then the corresponding switch is open, while if ci=1 this switch is closed. We will always assume c0=1, because otherwise the output sequence is just a delayed version of a sequence with c0=1.
As usual let associate with an LFSR the so-called characteristic polynomial ƒ(x) defined by:
where cn=1 by definition and c0=1 by assumption. The reciprocal polynomial of ƒ(x) is defined by:
With a sequence {si}i≧0 we associate the power series
It is known that S(x) is uniquely
determined by s0, s1, . . . , sn−1, and ƒ(x), which dependency we state now explicitly
A polynomial g(x)εF[x] is said to be irreducible over F if it can not be factored into polynomials of smaller positive degrees in the ring of polynomials F[x]. Note that no linear recursion can iterate through all 2n states, since the zero state is forbidden. On the other hand when we start with a non-zero state and a recurrence iterates through all 2n−1 non-zero states such an LFSR (sequence) is called maximum-length LFSR (sequence), and the corresponding characteristic polynomial is said to be primitive. Then the period T of such maximum length sequence is T=2n−1. Note that every primitive polynomial is irreducible.
The linear complexity of a sequence, denoted by L, is the length of the shortest LFSR that generates the sequence. The linear complexity may be determined with the Berlekamp-Massey algorithm, as disclosed in “J. Massey. Shiftregister synthesis and BCH decoding, IEEE Thrans. on Inform. Theory 15 (24), 1969, pp. 122-127”, which is hereby incorporated by reference, which efficiently computes the characteristic polynomial given at least 2L of output symbols. Thus a pure LFSR is not good keystream generator. As an example we can take an LFSR of length n, which produces a maximallength sequence of length 2n−1, but the Berlekamp-Massey algorithm needs only 2n consecutive bits in a known-plaintext attack to fully determine the feedback polynomial and the initial state and thus the complete sequence.
An n-bit linear finite state machine (LFSM) is a realization or an implementation of a certain linear operator
given by an n×n matrix M. The internal state of the LFSM is described by an n-bit vector vεFn. The
evolution over the time is described by a sequence of n-bit vectors v(i)=(v0(i), v1(i), vn−1(i)), i≧0, satisfying
v(i+1)=Mv(i). (6)
Here, v(0) is the initial state. The characteristic polynomial of a matrix M with entries in the binary field F is defined to be the polynomial
char(M)=det(xI−M)εF[x], (7)
where as usual I denotes the n×n identity matrix. It is well known that if the characteristic polynomial of M is primitive over F, then each of the sequences {vj(i)}i≧0 (for j=0, 1, . . . , n−1) has period 2n−1. Let define the companion matrix of a polynomial ƒ(x) given by (3) to be the matrix
The most popular subclasses of the LFSM's are LFSR's and cellular automata (CA). A CA is an LFSM with a defining matrix M which is tridiagonal. An LFSR with a characteristic polynomial ƒ(x) given by (3) is an LFSM with defining matrix set to the companion matrix off ƒ(x) given by (8). The following fact is well known.
Theorem 1. Let ƒ(x) be the characteristic polynomial of a square matrix M. Denote by L, the companion matrix of ƒ(x). If ƒ(x) is irreducible, then there exists an invertible matrix T satisfying
TMT−1=L.
The matrix T appearing in this theorem is not unique. Theorem 1 may be used to reduce an LFSM to an LFSR. Recall that the evolution of LFSM internal state is given by (6), if the initial state of the LFSM is v(0) then the state v(i) will be given by
v(i)=Miv(0)
Similarly, if the initial state of the LFSR defined by ƒ(x) (matrix L) was s(0), the state s(i) will be given by
s(i)=Lis(0).
Now, if the initial states satisfy the relation s(0)=Tv(0) then (by Theorem 1) the current state v(i) of the LFSM may be calculated using the internal state s(i) of the associated LFSR through the simple linear equation
v(i)=T−1s(i).
So, even an LFSM seems much more complicated than an LFSR, the two are apart by a simple linear transformation.
Let g(x) be an irreducible polynomial of degree s. In what follows we will explicitly or implicitly associate each binary string S with the polynomial S(x) over F with coefficients corresponding to the bits of S. Let B be a message of length m, thus B(x) is the corresponding polynomial of degree m. Then the CRC value (based on g(x)) may be defined as a polynomial C(x) of degree s−1 satisfying the relation
C(x)=xsB(x)mod g(x), (9)
i.e. xs B(x)+C(x) is divisible by g(x). It is easy to derive the following lemma.
Lemma 1. With the notations above for given polynomials g(x) and C(x) there are 2m−s polynomials B(x) satisfying (9).
In “D. Coppersmith, H. Krawczyk, Y. Mansour. The shrinking generator, CRYPTO'93, LNCS 773, 1993, pp. 22-39”, which is hereby incorporated by reference, conceptual simple keystream generator the so-called shrinking generator is proposed. It combines only two LFSRs: one of them controls the output of the other, and thus the output keystream is an irregularly decimated subsequence of a maximal-length sequence. A year later even more elegant construction—self-shrinking generator were presented by Meier and Staffelbach in “W. Meier, O. Staffelbach. The self-shrinking generator, EUROCRYPT'94, LNCS 905, 1994, pp. 205-214”. In fact, the two LFSRs from the shrinking generator are combined into one LFSR, which output a sequence divided into pairs of bits. The selection bit, usually the first one, determines if the other bit, the active bit, is to be taken to output keystream or to be discarded. As pointed out by Meier and Staffelbach, the self-shrinking generator is equivalent in functionality to the shrinking generator. Notice that from the selection logic of the self-shrinking generator, on average, 3 out of 4 bits produced by the LFSR are discarded, while for the shrinking generator, on average, 1 out of 2 bits are discarded. The period T of the self-shrinking generator satisfies 2[n/2]≦T≦2n−1, but the experimental results indicate that the period always takes the maximum possible value. It was also shown that the linear complexity satisfies T/2≦L≦2n−1−(n−2) (see “S. Blackburn. The linear complexity of the self-shrinking generator, IEEE Trans. on Inform. Theory, 45 (6), 1999, pp. 2073-2077”). Hence, if T=2n−1 then L=O(2n−1).
Cryptanalysis of the self-shrinking generator often assumes known feedback polynomial. The computational complexity of the attack may vary from O(20.5n) Up to O(20.75n) using long O(20.5n) observed keystream. Also, an attack with computational complexity O(20.69n), but using very short length of observed keystream, has bee proposed in “E. Zenner, M. Krause, S. Lucks. Improved cryptanalysis of the self-shrinking generator, ACISP'01, LNCS 2119, 2001, pp. 21-35”. The latter attack was improved in “H. Krawczyk. LFSR-based Hashing and Authentication, CRYPTO'94, LNCS 839, 1994, pp. 129-139” reducing the complexity to O(20.64n), again using very short length of observed keystream sequence. For a certain classes of weak (sparse) feedback polynomials even more efficient attacks may exist.
A non-linear filter generator consists of a single LFSR (with length n) and a non-linear function ƒ(x) whose r inputs (r≦n) are taken from some shift register stages to compute the output.
For a Boolean function of algebraic degree k, it is very likely that the linear complexity of the keystream is at least (kn) and its period remains equal to 2n−1. There are several types of attacks, e.g. (fast) correlation, inversion, algebraic. In order to resist these attacks the Boolean function should be highly non-linear, with high degree, correlation-immune and algebraic-immune.
Building Blocks
Now, several cryptographic primitives based on linear finite state machines, namely continuously fed linear feedback shift registers, jamming linear feedback shift registers, shrinking linear finite state machines and self-shrinking linear feedback shift registers according to exemplary embodiments of the present invention are described.
Let us consider an LFSR of length n and a sequence
are polynomials of degree n−1. Denote by P(j)=(pnj pnj+1, . . . , pnj+n−1) the corresponding to P(j)(x) n-bit vector. Recall that the internal state of an LFSR defined by characteristic polynomial ƒ(x) (matrix L) is calculated by s(i)=Ls(i−1), where s(0)=P(0). We will further use P(j)(x) as initial states for generating new sequences S(j)(x) with the same LFSR. In other words instead of feeding once the LFSR and producing a sequence S(x) (as described above in “Linear Feedback Shift Registers”), we will feed it periodically. This can be done in the following two ways:
The difference between (11) and (12) is that in (12) we have added a polynomial to each new sequence.
In both cases the power series S(j)(x) and {tilde over (S)}(j)(x) are uniquely determined by their initial states P(j)(x) in the same way as defined above in “Linear Feedback Shift Registers”. Now we give a formal definition and derive some basic properties.
Definition 1. Let an LFSR and an input sequence P(x) are given. When LFSR produces output sequence S(x) by periodically updating (xor-ing) its internal state with the input sequence we call it continuously fed LFSR.
Lemma 2. Consider a continuously fed LFSR of length n. Let the output sequence S(x) and the LFSR (i.e. ƒ(x) or L) are known. Then in the first case (11) the input sequence P(x) can be efficiently reconstructed, whereas in the second case (12) one needs to know also n consecutive bits of P(x).
Let the output sequence S(x) is known but ƒ(x) is unknown. Then in order to apply Berlekamp-Massey algorithm and to reconstruct the whole input sequence P(x) the attacker needs n consecutive bits of P(x) in the first case (11), while in the second case (12) 2n consecutive bits of P(x) are required.
We start with the following well known definition.
Definition 2. Let a sequence {σi}i≧0 is given. A D flip-flop (cell) is called 1-bit register if (at time i) the sequence value σi=0 the previous cell state is repeated and the input is ignored, while if σi=1 the input replaces the cell state. In both cases the output is the previous cell state.
In other words an 1-bit register works as normal D flip-flop (just as a delay element) except when the corresponding value of the sequence is zero, in which ease we will say that we have a jam. We will call the sequence {σi}i≧0—the shrinking sequence.
Definition 3. We will call an LFSR jamming if one or more of its cells (D flip-flops) are replaced by 1-bit registers.
Let us consider an LFSR of length n. As usual let the LFSR produces a sequence {si}i≧0 Now let fix the l-th (l≦n) D flip-flop, i.e. the LFSR cell, which is replaced by an 1-bit register. In order to have an 1-bit register we need a shrinking sequence which will control when the flip-flop cell will be jammed. Assume that the state of the LFSR at time i is
s(i)=(si, si+1, . . . , si+l−2, si+l−1, si+l+1, . . . si+n−1)
and that the LFSR (its l-th flip-flop) is jammed then the next state of the LFSR at time i+1 will be
s(i+1)=(si+1, si+2, . . . si+l−1, si+l, si+l, si+l+2, . . . si+n)
Thus s(i+1)=L′s(i) holds, where the companion matrix L is changed to L′ as follows
Hence every jam of the cell generates a new sequence, which gives the difference that this jam introduces, compared with the normal state (without a jam). Assume that the normal sequence is computed as follows:
si+n+1=c0si+1+c1si+2+ . . . +cl−1si+l+clsi+l+1+ . . . +cn−1si+n, which is changed to
{tilde over (s)}i+n+1=c0si+1+c1si+2+ . . . +cl−1si+l+clsi+l+ . . . +cn−1si+n, when the l-th flip-flop is jammed, thus
{tilde over (s)}i+n+1=c1si+n+1+cl(si+l+si+l+1) is their difference.
Hence the new additional sequence has the following initial state {tilde over (s)}=(0, . . . , 0, Si+l+si+l+1, 0, . . . , 0). The conclusion is that every jam generates a new sequence Sjam(i)(x) (shifted to the time when a jam occurs). Thus the output of the LFSR becomes S(x)+xiSjam(i)(x) if the jam occur at time i. As a consequence we have an output of the jamming LFSR computed from its initial state and depending on the shrinking sequence. Thus the output sequence of the jamming LFSR will have the form
where i and hence the initial states of Sjam(i)(x) depend on the shrinking sequence {σi}i≧0. Recall that a jam at time i occur (i.e. Sjam(i)(x) exists) if and only if σi=0.
Considering the internal state sequence {s(i)}i≧0 of the jamming LFSR and taking into account (8) and (13) we notice that
The way internal state is changed (15) leads to a generalization, which will be presented in the following.
We start with the formal definition of shrinking LFSMs.
Definition 4. Assume we have a shrinking sequence {σi}i≧0. Let the internal state has length n. Consider two LFSMs with n×n matrices M and M′ correspondingly, with primitive characteristic polynomials. We call the LFSMs shrinking if they have common internal state and the next state is computed by applying one of the LFSMs depending on the shrinking sequence. By replacing LFSMs with LFSRs we obtain shrinking LFSRs.
Let the internal state sequence of the shrinking LFSMs be {v(i)}i≧0 and let the shrinking sequence be {σi}i≧0, then the following relation holds:
Hence v(i+k)=[Mi
Theorem 2. Let the (secret) shrinking sequence has period TD. Let the shrinking LFSMs have the internal state v with length n. Then each of the output sequences vi0≦i≦n−1 of the shrinking LFSMs have period T=CTD, where c is a constant 1≦c≦2n−1, and linear complexity L=n TD.
Proof: Let the shrinking sequence {σj}j=0T
It remains an open question which conditions M and M′ should satisfy, without any requirements for the shrinking sequence, in order M″ to be of maximum length (i.e. c=2n−1).
Corollary 1. Let the (secret) shrinking sequence {σi}i≧0 has period TD. An attacker needs 2L=2n TD output bits of an shrinking LFSM in order to recover the initial state and the shrinking sequence.
Proof: By applying the Berlekamp-Massey algorithm to each of the sub-sequences with length 2n the attacker can recover the corresponding LFSR producing it. So, he obtains the initial state and using the result from “J. Hong, D. Lee, S. Lee, P. Sarkar. Vulnerability of nonlinear filter generators based on linear finite state machine, FSE'04, LNCS 3017, 2004, pp. 193-209” he also computes the matrix M″. Then going over all TD sub-sequences he can restore the shrinking sequence.
It is straightforward to generalize the idea of shrinking LFSMs to several (more than 2) LFSMs when using several shrinking sequences to control the way internal state is computed.
Notice that the jamming LFSRs are not shrinking LFSRs. Although we have two LFSRs (LFSMs) defined by the matrices L and L′, the second matrix L′ is not of maximum-length. Even worse its determinant is zero, hence from some point the sequence becames all zero, which is undesirable. On the other hand a jamming LFSR is like self-shrinking LFSR, i.e. it behaves as two different LFSRs depending on the shrinking sequence. So, here such a self-shrinking LFSR based on the jamming LFSR is constructed, using the simple structure that the jamming LFSRs have. Returning to the definition of L′ in equation (13) we notice that depending on the primitive polynomial f (x) (defined by (3) and on the position of the flip-flop which is replaced by an 1-bit register (i.e. l) the following matrix can be of maximum-length.
Note that L′ and {tilde over (L)} differ only in the l-th row where 1 is added in the (l+1)-th column. Now we are ready to define self-shrinking LFSR as follows.
Definition 5. Let a shrinking sequence is given. We call an LFSR, with primitive polynomial ƒ(x) (given by (3), self-shrinking LFSR when it is considered as shrinking LFSMs with matrices L and {tilde over (L)} (given by (8) and (17) respectively). This is depicted in
Note that we require both matrices L and L to have primitive characteristic polynomials. Now as a consequence Theorem 2 and Corollary 1 hold for self-shrinking LFSRs too.
A Message Authentication Code
First informal definitions of one-way hash function (OWHF) and collision resistant hash function (CRHF) will be provided. An OWHF is a public function h with argument X of arbitrary length, a fixed length output h(X) and satisfying the following conditions: given h and X it is “easy” to compute h(X), but giving Yin the image of h it is “hard” to find X such that h(X)=Y, and given X and h(X) it is “hard” to find X′ such that h(X)=h(X′). A CRHF is a OWHF which additionally is collision resistant, meaning it is “hard” to find two distinct arguments that hash to the same output. Remember that in the case of “ideal security” producing a (second) pre-image requires 2n operations, while producing collision requires 2n/2 operations (n is the hash length). OWHF and CRHF are also known as weak and strong one-way hash functions.
A MAC is a function h accepting two arguments. The function is publicly known, the first argument X (the text) is publicly known too and can be of arbitrary length, the second argument K (the key) is the only secret and has a fixed length, the output of the function has a fixed length. A MAC should be both one-way function and collision resistant for someone who doesn't know the secret key K. Moreover when the attacker have selected a large set of arguments {Xi} and have got the corresponding set of pairs {Xi, h(Xi K} it must be “hard” to determine the key K or to compute h(X′, K) for any X′≠X. The last is known as adaptive chosen plaintext attack. Let denote the length of the key by n and the length of the MAC's tag by s. Recall that a MAC with security parameters n and s should provide resistance to the possible attacks with complexity 0(2min(n,s)).
A general design of a message authentication code according to an exemplary embodiment of the present invention is disclosed. In contrast to the standard approach based on iteration of a compression function with fixed input size we propose a different way of building MAC which is more suitable for streams.
Let us consider a self-shrinking LFSR of length n, with characteristic primitive polynomial ƒ(x) and companion matrices L and L′. Let also a shrinking sequence {σi}i≧0 is given. As described above, the output sequence of such self-shrinking LFSR is
where {tilde over (S)}3(X) is the usual output of the LFSR (without jamming). Recall that S3jam(i)(x) are uniquely determined by the state of the LFSR at time i. Feed this LFSR continuously as described above in “Continuously Fed LFSR”. Let we have the following input sequence (see (10)):
where S1(j)(x) are polynomials of degree n−1. Then as described above in “Continuously Fed LFSR” the 2nd case we obtain the output sequence (see (12)):
Recall that S2(j)(x) are uniquely determined by the corresponding initial state S1(j)(x). Now putting together (18) and (20) we obtain that when fed continuously with a sequence S1, (x) the self-shrinking LFSR generates
where S2(j) (x) are uniquely determined by the corresponding initial state S1(j)(x) and S4jam(i)(x) are uniquely
determined by the state of the LFSR at time i. Recall that a jam at time i occurs (i.e. S4jam(i) (x) exists) and only if σi=0, thus (21) can be rewritten also as follows
Note that if a continuously fed self-shrinking LFSR is applied with a shrinking sequence to two input sequences say S′1(x) and S″1(x) and correspondingly two output sequences (denoted by S′4(x) and S″4(x) are produced, then since the computation is linear the output sequence S′4(x)+S″4(x) corresponds to the input sequence S′1(x)+S″1(x).
Lemma 3. Let the (secret) shrinking sequence {σi}i≧0 has period TD. Consider a continuously fed selfshrinking LFSR of length n. Denote by P(x) the input sequence and by S(x) the output sequence of this LFSR. Then an attacker needs 2nTD consecutive input bits of P(x) and their corresponding output bits from S(x) in order to recover the shrinking sequence. The knowledge of the shrinking sequence allows him further to compute the whole sequence P(x) from S(x).
Consider a continuously fed self-shrinking LFSR of length n as described above. Let the shrinking sequence be {σi}i≧0 and the input sequence be S1(x). Recall that the self-shrinking LFSR has an internal state of length n. Let f be a non-linear function with r≦n inputs. We apply in the standard way (see section “Non-linear Filter Generators” above) the function ƒ to the LFSR's internal state, by taking some of its stages (taps) to be the function inputs. In this way the standard LFSR output S4(x)(22) is transformed to a new sequence. This transformation we denote as follows
S5(X)+←fS4(X). (23)
Note that by applying the non-linear function ƒ(x) we achieve two goals: first, the linear dependance between the input and the output is destroyed and second, the new sequence S5(x) has the same period as S4(x) but its linear complexity increases. Denote the algebraic degree of a Boolean function ƒ by deg(ƒ), note that the non-linearity of f imply deg(f)≧2. We emphasize that the function ƒ should also possess several other properties enumerated in section “Non-linear Filter Generators” above. Thus we can improve Lemma 3.
Theorem 3. Let the (secret) shrinking sequence {σi}i≧0 has period TD. Consider a continuously fed selfshrinking LFSR of length n with non-linear filter function f. Denote by P(x) the input sequence to the LFSR and by S(x) the output sequence produced by f. Then an attacker needs at least (deg(ƒ)2nT
We are ready to present the SN-MAC algorithm, which comprise the following building-blocks, which are depicted in
A primitive polynomial f2(x) of degree n2 defining a LFSR who generates the shrinking sequence {σi}i≧0 904.
SN-MAC has key with length n=n1+n2 and produce a tag with length s, i.e. it is a MAC with security parameters n and s. SN-MAC is a general framework for a MAC algorithm instead of fixed construction. Thus we will not fixe any of the parameters of the proposition, allowing the user to chose the most appropriate parameters for his application. The heart of the SN-MAC is a continuously fed self-shrinking LFSR with non-linear filter function (see section “Applying Non-linear Filter to Continuously Fed Self-Shrinking LFSR” above). We will further refer to it as the mixing engine. The SN-MAC algorithm can be described as follows:
Now some of the design choices according to exemplary embodiments of the present invention are explained. Note that every jam propagates differences till the end of the text, so from the attacker's point of view there is higher probability of success if he changes the last bit(s) of the plaintext. To avoid that kind of attack we require to pad the plaintext with fixed suffix.
Since the padded plaintext PP(x) is a polynomial of degree m, then the corresponding output S5(x) is also a polynomial of degree m. Recall that for given S5(x) and g(x) there are 2m-s polynomials satisfying (9) see Lemma 1. So, we require the padded plaintext to be with length m≧2s, in order to have for a given tag at least 2s corresponding different choices (for S5(x)).
Note that the LFSR which produces the shrinking sequence has period TD=2n
O(2n
bits of the corresponding input/output pair (i.e. PP(x)/S5(x)) in order to derive the key, i.e. to break both the mixing engine and the self-shrinking generator. Note that in this calculation we use the result from Lemma 3 instead of the stronger result from Theorem 3.
Since SN-MAC is a stream oriented MAC algorithm we use the same approach as stream ciphers use to change the key when certain amount of information is manipulated. Based on the calculations above we require the current SN-MAC key to be replaced when 2n−2 bits of information is manipulated. Note that the latter does not imply that only one MAC per key is allowed, instead as stream ciphers work one can encrypt (calculate the MAC tag) several times without resetting the key sequence. We should stress that the information, which is allowed to be manipulated with one key, is equal to the key sequence period and as we have shown it is the minimum amount of information which an attacker needs in order to reveal the key.
The rigorous proof of security for a MAC algorithm is usually obtained for algorithms based on either primitives like block ciphers or dedicated hash functions, or based on universal hashing paradigm. The algorithm we propose is specifically designed for streams, and therefore it does not rely on the standard approach of underlying compression function. Let expand the definitions of OWHF/CRHF to functions which for arbitrary length input compute the output with the same length (instead of fixed length output) and call such functions OWHF/CRHF with arbitrary length. Let present schematically SN-MAC algorithm as follows:
F: PP(x)→S5(x) (24)
G: S5(x)→tag.
In other words, consider the SN-MAC but without the last step (the CRC calculation) as a function F which for a given (arbitrary length) input PP(x) calculates an output S5(x) with the same length. Analogously define the last step as a function G which takes an arbitrary length input and produces a fixed length output. Thus, as we showed function F (with fixed key) is an OWHF with arbitrary length. It is an ongoing work to prove that F is also a CRHF with arbitrary length. An interesting open problem how to choose G, when a CRHF with arbitrary length F is given, in such a way that the composition G o F is a CRHF. We chose G to be an error-detection code in order to achieve this goal.
Thus, according to exemplary embodiments of the present invention, a new design for a message authentication code. SN-MAC is disclosed to provide a sufficient level of security for highly constrained devices and to be used together with stream ciphers. It is a hardware-optimized MAC algorithm for powerless devices. The definition of one-way (collision resistant) hash function has been expanded, to functions with arbitrary length. Also, several new building blocks for symmetric cryptographic schemes, which are of independent interest, are disclosed.
Therefore, the following constructions are disclosed:
A. Stand-alone circuit of
B. Stand-alone circuit of
C. The circuit according to (A), using a hash function as those used to generate efficient lookup tables and routing algorithms.
D. The circuit according to (A) using two keying LFSRs 1, 4 (see
E. Two circuits 1000, 1100 according to (A) (as depicted in
F. A substitution for the circuit according to (A) (as depicted in
G. A substitution for the circuit according to (A), implemented as in
H. A full circuit as described in
I. The circuit as described in
J. once the plain-text is been all fed to circuit A (or one of its alternatives D, F and G), take the final state of the LFSR in A as the input of the next stage. Use this state as initial state of a SSG (see “Self Shrinking Generator” above) of equal size to circuit A. Run the SSG until obtaining an output of the size of the initial state (e.g. 64 bits output for a 64 bit LFSR). This output is the final MAC.
It should be noted, that the delinearization of the plain text data and the pseudonumber generation as well as the computation of the error detection code may be performed by different hardware components.
Furthermore, via the bus system 153, it may also be possible to connect the processor 151 to, for example, a receiving station, which is adapted for receiving the encoded data stream.
As introduced above, the invention may be readily used to implement tamper-resistant communication in the following generic domains:
In addition, the invention may be used to optimise systems that require strong integrity checking of their externally stored state while operate, such as secure microprocessors that store working data in external RAM.
Moreover, the present invention may be advantageously by applied for:
It should be noted that the term “comprising” does not exclude other elements or steps and the “a” or “an” does not exclude a plurality and that a single processor or system may fulfil the functions of several means or units recited in the claims. Also elements described in association with different embodiments may be combined.
It should also be noted, that any reference signs in the claims shall not be construed as limiting the scope of the claims.
Number | Date | Country | Kind |
---|---|---|---|
05101537 | Mar 2005 | EP | regional |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/IB2006/050590 | 2/24/2006 | WO | 00 | 6/18/2008 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2006/092753 | 9/8/2006 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
5383143 | Crouch et al. | Jan 1995 | A |
5664016 | Preneel et al. | Sep 1997 | A |
5767784 | Khamharn et al. | Jun 1998 | A |
6457147 | Williams | Sep 2002 | B1 |
6480101 | Kelly et al. | Nov 2002 | B1 |
6560338 | Rose et al. | May 2003 | B1 |
6735693 | Hamlin | May 2004 | B1 |
6754824 | Persson et al. | Jun 2004 | B1 |
6785389 | Sella et al. | Aug 2004 | B1 |
6816968 | Walmsley | Nov 2004 | B1 |
6993694 | Kapur et al. | Jan 2006 | B1 |
7761764 | Hurley | Jul 2010 | B2 |
7822797 | Buer et al. | Oct 2010 | B2 |
20020071552 | Rogaway | Jun 2002 | A1 |
20020176578 | LaPat et al. | Nov 2002 | A1 |
20030002677 | Dagan et al. | Jan 2003 | A1 |
20030133497 | Kinjo et al. | Jul 2003 | A1 |
20070140485 | Ghigo et al. | Jun 2007 | A1 |
Number | Date | Country |
---|---|---|
WO0111818 | Feb 2001 | WO |
WO 0111818 | Feb 2001 | WO |
WO0111818 | Feb 2001 | WO |
Entry |
---|
Meier et al, “The Self-Shrinking Generator”, Springer-Verlag, 1998, p. 205-214. |
Shift-Register Synthesis and BCH Decoding IEEE Transactions on Information Theory, vol. IT-15, No. 1 Jan. 1969 pp. 122-127 James L. Massey. |
The Linear Complexity of the Self-Shrinking Generator IEEE Transactions on Information Theory, vol. 45, No. 6 Sep. 1999 pp. 2073-2077 S. Blackburn. |
The Self-Shrinking Generator Proceedings of Eurocrypt '94 May 9, 1994 pp. 205-214 Meier et al. |
Achieving High Encoding Efficiency With Partial Dynamic LFSR Reseeding ACM Transactions on Design Automation of Electronic Systems vol. 9, No. 4 2004 C.V. Krishna et al. |
The Shrinking Generator Crypto '93, LNCS 773, 1993 pp. 22-39 D. Coppersmith et al. |
Correlation-Immune and Resilient Functions Over a Finite Alphabet and Their Applications in Cryptography Designs, Codes and Cryptography, (16), (1999) pp. 121-149 P Camion et al. |
Achieving High Encoding Efficiency With Partial Dynamic LFSR Reseeding ACM Transactions on Design Automation of Electronic Systems, vol. 9, No. 4 2004 C.V. Krishna et al. |
Improved Cryptanalysis of the Self-Shrinking Generator ACISP 2001, LNCS 2119 pp. 21-35 Zenner et al. |
LFSR-Based Hashing and Authentication Cryypto '94, LNCS 839, 1994 pp. 129-139 H. Krawczyk. |
Vulnerability of Nonlinear Filter Generators Based on Linear Finite State Machines FSE '04, LNCS 3017, 2004 pp. 193-209 J. Hong et al. |
Number | Date | Country | |
---|---|---|---|
20090222667 A1 | Sep 2009 | US |