NADO CRYPTOGRAPHY with KEY GENERATORS

2 BACKGROUND-FIELD OF INVENTION

The present invention relates broadly to cryptographic methods and devices. In some embodiments, it pertains to symmetric cryptographic methods and machines. Cryptographic devices and methods are generally used to encrypt and decrypt information transmitted through communication and transmission systems. For example, the cryptographic methods may be used to encrypt a phone call; in some embodiments, the phone call may be transmitted using voice over IP (internet protocol) using a mobile phone. These methods also may be used to encrypt passive data stored on a computer or another physical device such as a tape drive. Typically, the information is encrypted by a sending agent, sometimes called Bob, using his unique key(s), and the encrypted information, called ciphertext, is transmitted to a receiving agent, sometimes called Alice. The receiving agent Alice uses her unique key(s) to apply a decryption device or method to the ciphertext. The output of this decryption device or method is the same information that the sending agent gathered before encrypting and sending it. Eve is the name of the agent who is attempting to decrypt the ciphertext. One of Alice and Bob's primary objectives is to assure that Eve cannot decrypt the ciphertext transmitted between them.

3 BACKGROUND—PRIOR ART

The subject matter discussed in this background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the “Summary and some Advantages of Invention” section represents different approaches, which in and of themselves may also be inventions, and various problems, which may have been first recognized by the inventor.

Reference [1] provides a practical and theoretical description of cryptography and cryptographic methods. References [2, 3, 4] also provide a description of current cryptographic methods that are publicly available. Public-key cryptography is typically used for key management and a myriad of protocols. Symmetric private-key cryptography is useful for encrypting data and securing private voice and written communications.

In symmetric cryptography, Alice encrypts her plaintext and Bob decrypts the ciphertext received from Alice using the same private key. The key is called private to indicate that Alice and Bob do not want Eve to capture the key. For example, a block cipher algorithm E_A: {0,1}^m×{0,1}^K→{0,1}^muses a K-bit key K as a parameter and encrypts an m-bit block of plaintext M denoted as E_A(M, K). The block cipher's key space {0, 1}^Khas size 2^K. The block cipher's message space {0,1}^mhas size 2^m. The decryption algorithm D_A: {0,1}^m×{0,1}^K→{0,1}^mhas the inverse property that D_A(E_A(x, K), K)=x for every plaintext x∈{0,1}^mand every key K∈{0,1}^K.

Standard AES is a block cipher with block size 16 bytes (128 bits) that is a symmetric cryptographic algorithm [5, 6]. Standard AES is commonly used in industry, endorsed by NIST, and used by the United States Department of Defense. Standard AES is the most widely used block cipher today. For example, standard AES-128—that uses 128-bit static keys—is currently used by the File Vault application on Apple computers. File Vault encrypts the hard drive inside the Apple Computer.

In recent years, various attacks on the standard AES cipher (prior art) have demonstrated weaknesses in this cipher. In some cases, practical oracle padded attacks [7] have been able to capture the plaintext from ciphertext that has been encrypted by standard AES. At least part of the weakness is slow diffusion in the key scheduling [10, 11, 12]. Standard AES's weaknesses are further exacerbated by a static substitution box, and due to its static key standard AES maps two identical blocks of plaintext to two identical blocks of ciphertext. In particular, a feasible attack on standard AES-256 has been demonstrated with only onefewer round—13 rounds instead of 14—in the key schedule [13]. Overall, in recent years, additional publicly available (non-classified) attacks on the standard AES cipher have been discovered [14, 15, 16, 17], which suggest that standard AES is not as strong a cipher as previously believed by the cryptographic community.

Furthermore, the prior art [1, 2, 6, 18] does not disclose the notion of a key generator sequence nor of deriving a new key based on the updating of a key generator. The use of key generators in this invention eliminates the dependence of the cryptographic security on a single, static cryptography key. Typically, the cryptographic methods in the prior art use a static key K throughout the entire execution of the encryption algorithm. The use of a static key in the prior art is further implied by some attacks-cited in the previous paragraph—that attempt to capture or reconstruct the static key. In the prior art, if the static key is captured, the cryptographic security is fatally compromised. In contrast, in the embodiments described in this invention, if one of the dynamic keys is captured by Eve, then Eve still cannot find the prior dynamic keys used by Alice and Bob, nor can Eve find or capture the future dynamic keys used by Alice and Bob.

As an example of the static key assumption in the prior art, some oracle padded attacks [7] rely upon the fact that Eve has some information about the last block. This helps Eve work backwards to find the static key. In this invention, the use of one-way functions to create dynamic keys helps hinder Eve from obtaining even the key used for that one block of plaintext because this would require a pre-image attack on a one-way function with no direct information about the digest and an intractable searching over a huge sequence of unpredictable keys. In the prior art, Eve only has to search for one static key used to encrypt each block of plaintext.

4 SUMMARY and Some ADVANTAGES of INVENTION

The invention(s) described here is a process for encrypting and decrypting information, used in communication, transmission and data storage systems. The first stage or method is called the H process. One of the purposes of the H process is to use a one-way function to partially encrypt the plaintext and help uniformly distribute the statistics of the ciphertext delivered to stage 2. The H process uses a key generator updating method that utilizes one-way functions.

The term “key generator” is used in this specification to mean a value or collection of values to which one or more operations are performed to generate another value or set of values from which a key is derived or may be derived. A “key generator sequence” is a sequence of key generators. In an embodiment, a “key generator sequence” may be mathematically represented as a function Γ: custom-character →{0,1}ⁿwhere is the natural numbers and is the set of all bit-strings of length n. For example, the bit-string 10101 is an element of {0,1}⁵. For example, the set of all bit-strings of length 3 is {0,1}³={000, 001, 010, 011, 100, 101, 110, 111}. Sometimes in the specification the kth key generator (key generator k) of the key generator sequence Γ will be denoted as Γ(k).

In some embodiments, an actual derivation of the key is optional. For example, part of the kth key generator could be used as the kth key. In this specification, whenever a key and key generator are mentioned, in one embodiment there is a separate key and key generator, where the key is derived from the key generator; in another embodiment, there is no separate key that is actually derived, and part of the current key generator may be used as a key. In this specification, the word “key” and the term “cryptographic key” are used interchangeably to mean the same thing. A key is a collection of one or more values, that specifies how a particular encryption function will encrypt a message. For example, a key may be a sequence of 1's are 0's that are bitwise exclusive-or'ed with the bits that comprise a message to form the encrypted message. Other examples of using keys as a part of encryption methods are given elsewhere in this specification.

In some embodiments, the H process may be implemented with a block cipher where the key generator Γ is updated after one or more blocks of plaintext have been encrypted by the block cipher. In some embodiments, this block cipher may be enhanced AES-256 or enhanced AES-128 or enhanced DES. In this specification, when the term “enhanced” AES or “enhanced” DES is used, this means that enhanced AES and enhanced DES no longer use a static key during the encyption and decryption. Further, in other contexts, enhanced AES or enhanced DES means that a dynamic key is used that is derived from a key generator. These enhancements-using key generator sequences and dynamic keys—of the open standards AES and DES are further described in sections 6.9, 6.10 and 6.11. In this specification, “standard” AES [5, 6] or “standard” DES [8, 9] will be used to describe the prior art of AES and DES, respectively, where a static key is used for every encrypted block or decrypted block.

In an alternative embodiment, a new stream cipher method is described in section 6.17, titled PROCESS H AS A STATE GENERATOR; this method also uses key generator updating and one-way functions to implement the H process as a stream cipher. The second stage or method is called the P process. The P process uses a dynamically perturbed permutation to diffuse the partially encrypted plaintext information, created by the H process, across the whole NADO block of information, which may be larger than the block size of the block cipher. FIG. 6a and FIG. 6b illustrate how a permutation can diffuse the information across a block of information. In some embodiments, the block size is 256 bytes which is substantially larger than the 16 byte block size of standard AES. In other embodiments, the NADO block size may be 64 bytes, 128 bytes or even 1024 bytes.

The third stage or method is called the S process. The S process uses a dynamically updated (perturbed) permutation that acts as a nonlinear substitution box [18]. This substitution box is perturbed after one or more bytes have been encrypted so it is a dynamic substitution box, not static.

Any of the embodiments of the P process may be used with any of the embodiments of the H processes. Any of the embodiments of the P process may be used with any of the embodiments of the S processes. Any of the embodiments of the H process may be used with any of the embodiments of the S processes.

The invention introduces the notion of a key generator sequence, key generator updating and dynamic keys. This enables each key used by each process to be unpredictably updated after the processes have together encrypted one or more blocks of plaintext. Furthermore, throughout this specification the key generator may be significantly larger than the key used by each of the three processes. The key generator updating creates favorable, cryptographic properties and strengthens cryptographic ciphers that already exist and have been tested.

Each process depends on a distinct dynamically updated key generator so that the key generator of any given process is updated (perturbed) independently of the other two processes. In other words, these three different dynamically perturbed (updated) key generators are independent of each other; from an alternative perspective, these three processes are three distinct dynamical systems that work together to execute a symmetric cryptography. If M denotes a block of the plaintext, then the complete encryption of one block of plaintext M can be expressed as C=S (P(H(M, Γ(n_H)), K_P(n_P)), K_S(n_S)), where K_S(n_S) is the n_Supdate of the original key generator K_S(0) for the S process; where K_P(n_P) is the n_Pupdate of the original key generator K_P(0) for the P process; and Γ(n_H) is the n_Hupdate of the original key generator Γ(0) for the H process. n_H, n_Pand n_Sare natural numbers. For these embodiments, the decryption of ciphertext C, can be expressed as H⁻¹(P⁻¹(S⁻¹(C, K_S(n_S)), K_P(n_P)), Γ(n_H))=M.

In an embodiment, the jth key generator Γ(j) is n bits in length. Γ(j) is updated to Γ(j+1) by applying a one-way hash function to q bits of Γ(j), where q<n and the message digest is concatenated to the remaining n-q bits of Γ(j). Overall, n-q of the bits of Γ(j) remain unchanged and the other q bits change, due to the one-way hash function. In an embodiment, a dynamic key is derived from Γ(j) and used by a block cipher to encrypt plaintext. In an embodiment, this encryption may act as a standalone symmetric cryptography. In an alternative embodiment, this dynamic key encryption acts as the H process and is integrated with a P process and an S process.

In another embodiment each key generator K_H, K_Pand K_Scan be represented as a circular array. This enables the key generator updating method to exclusive-or a rotation of this circular array with a one-way hash of part of the circular array. In other embodiments, the keys may be updated in another manner, such as by applying a particular function to the key generator. This method of key generator updating exploits the avalanche effect of the one-way hash functions and causes each initial key generator K_H(0), K_P(0), and K_S(0) to iterate over a huge orbit. FIG. 1C shows an example of the avalanche effect for one-way hash function SHA-1 [20]. In more concrete terms, the sequence K_H(0), K_H(1), K_H(2), . . . , K_H(n) . . . does not have collisions until the sequence of key generators is about the length predicted by the birthday paradox, based on a uniform probability distribution. Page 77 of [1] provides a description of the well-known birthday paradox.

In more detail, each key generator can be represented as a finite sequence of symbols: for example, each key generator could be represented by J bits. In this context, the birthday effect can be used as one statistical test of the unpredictability of the key generator sequence if the probability of a repetition (i.e., collision) of any given key generator in the sequence is of the same order as predicted by the birthday effect.

Suppose m=2′ is the total number of possible key generators. Then the n that satisfies equation

$\frac{m!}{m^{n} (m - n)!} = \frac{1}{2}$

indicates the size of a sequence of key generators that has about a 50 percent chance of having a collision, assuming a uniform probability distribution. For a finite sequence of key generators in which the beginning of the key generator sequence is shorter than n have less than a 50 percent chance of having a collision.

$1 - e^{\frac{- n^{2}}{2 m}}$

is a reasonable approximation for

$\frac{m!}{m^{n} (m - n)!} .$

In this approximation, solving

$\frac{1}{2} = 1 - e^{\frac{- n^{2}}{2 m}}$

gives approximately the sample size at which there is a 50 percent chance of a collision. Solving for n, the number n is approximately √{square root over (2m1n2)}, where lnx denotes the natural logarithm of the real number x. In this specification, at least some of the usefulness due to the avalanche effect may be measured as the largest number of key generators in a sequence that is not likely to have a repetition. In an embodiment, a good avalanche effect occurs when on-average sequences of key generators having less than or equal to. 9√{square root over (2mln2)} are not likely to have a collision. In another embodiment if the number of key generators in the sequence is given by √{square root over (2m1n2)}, then the sequence has a 55 percent or less chance of having a collision.

Furthermore, in general, the period of the orbit of K_His substantially larger than the number of possible keys and is usually on the order of

$2^{\frac{❘ K_{H} ❘}{2}}$

where |K_H| is the length of key generator K_H. For example, if |K_H|=1024 bits, and key generator K_H(n) is used to derive a new 256-bit enhanced AES key for the nth block of 16 bytes of plaintext, then the expected length of the period of this orbit is substantially greater than 2²⁵⁶even though for process H, the derivation of a 256-bit key from each key generator is an orbit on {0,1}²⁵⁶.

In particular, a 50 percent chance of a collision in the key generator sequence K_H(0), K_H(1), . . . is expected for a sequence of length n=√{square root over (2¹⁰²⁵ln2)}=2⁵¹²√{square root over (2ln2)}>10¹⁵⁴. When this key generator updating method is applied (using one or more one-way function with a good avalanche effect) where enhanced AES-256 is the block cipher used in the H process, this substantially increases the computational complexity that must be overcome in order to break process H, compared to the standard AES cipher.

The motivation for the new notion of a key generator and its design can also be understood from a differential cryptanalysis point of view [21]. In the enhanced AES-256 cipher, each distinct 256-bit key K creates a different encryption boolean function E(K,·) where E:{0,1}²⁵⁶×{0,1}²⁵⁶→{0,1}²⁵⁶. In other words, the key K acts as a parameter where eachE(K, ·) is some function ƒ:{0,1}¹²⁸→{0,1}¹²⁸with ƒ=(ƒ₁, . . . , ƒ₁₂₈) and each ƒ_k:{0,1}¹²⁸→{0,1}. As discussed in [22], each ƒ_khas a degree ≤128. From this perspective, the sequence of dynamic keys creates a high, dimensional orbit over the function space {ƒ|ƒ:{0,1}¹²⁸→{0,1}¹²⁸}, which greatly increases the effective degree. Overall, dynamic keys derived from key generator updating and based on one-way functions with a good avalanche effect, produce a powerful cryptographic method that can enhance the cryptographic strength of primitives—such as block cipher AES-256—that have already been analyzed for many years.

Further, in some embodiments, the completeness property and avalanche effect of good one-way function(s) enables consecutive key generators K_H(n) and K_H(n+1) to have a Hamming distance that is about, which means K_H(n)⊕K_H(n+1) is about half ones and half zeroes and their order is unpredictable. This property hinders key related attacks. These favorable cryptographic, properties also hold for the orbit of the S key generator K_S(0), K_S(1), K_S(2), . . . , K_S(0), K_S(1), K_S(2), . . . , K_S(n) . . . and the orbit of the P key generator K_P(0), K_P(1), K_P(2), K_P(n) . . .

Typically, one-way hash functions are used to authenticate information. The information that is being authenticated is sometimes called a message in the cryptographic literature that discusses one-way hash functions. In the prior art, one-way hash functions have not been used directly in encryption and decryption because one-way hash functions are not 1 to 1. (See section 6.12, titled PERMUTATIONS, for a definition of 1 to 1.) In the prior art, typically a one-way function is applied directly to the plaintext during encryption or a one-way function is applied directly to the ciphertext during decryption. For this method in which the prior art applies the one-way function directly to the plaintext or ciphertext, if the one-way function used by the prior art were not 1 to 1, then two or more different plaintexts could be mapped by this one-way function to the same ciphertext. In the publication FIPS 180-4, Secure Hash Standard, written by the National Institute of Standards (NIST), the abstract states:

- “This standard specifies hash algorithms that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated.”

This specification describes a novel use of one-way functions to unpredictably update key generators and also perturb the H, P and S processes used in the cryptography. Each of the three processes may use one-way functions. The avalanche property of the one-way functions helps strengthen NADO cryptography against differential cryptanalysis attacks and other kinds of attacks.

NADO may be implemented efficiently in hardware or software. In some embodiments, process H is a block cipher. In other embodiments, as described in section 6.17, process H is a state generator that acts as a stream cipher, by generating an unpredictable sequence of states with the help of one-way hash functions and key generator updating that also uses one-way functions. Process P generates an unpredictable, sequence of permutations that diffuses the encrypted information, created by the H process, across a block that is usually greater than 16 bytes; Process S generates a sequence of substitution boxes, each created by a permutation that is dynamically updated after one or more bytes of encryption.

Another enhancement is the difficulty of breaking this encryption method as function of its execution speed. The executable code that implements a NADO embodiment requires a small amount of computer memory, less than 20K of RAM for even relatively large key generators K_H, K_P, and K_Sand less than 5K in other embodiments. An embodiment can execute on a Reduced Instruction Set Computer (RISC) 150 MHZ chip [24]; this embodiment protects the privacy of a real-time mobile phone conversation. For this embodiment, the key generator K_Hfor the H process has size at least 512 bits; the key generator K_Pfor the P process has size at least 256 bits; and the key generator K_Sfor the S process has size at least 256 bits. Further, in this real-time mobile phone conversation. For this embodiment, the key generator for the H process has size at least 512 bits; the key generator for the P process has size at least 256 bits; and the key generator for the S process has size at least 256 bits. Further, in this real-time mobile phone embodiment, each of these key generators are independent of the other two and are updated using the one-way hash function SHA-512 or another one-way hash function such as Keccak, Blake, Skein or GrØstl. Some NADO embodiments are fast enough to enable applications such as real-time encryption of wireless transmissions, real-time embedded systems, secure communications between satellites and the secure routing and transmission of Internet traffic.

5 BRIEF DESCRIPTION OF THE FIGURES

In the following figures, although they may depict various examples of the invention, the invention is not limited to the examples depicted in the figures.

FIG. 1A shows an embodiment of an information system for sending and receiving encrypted information.

FIG. 1B shows an embodiment of a process for encrypting information that can be used in the embodiment of FIG. 1A.

FIG. 1C shows an example of the avalanche effect after 16 rounds of the SHA-1 one-way hash function on the first 46 bits of the SHA-1 output, which can be used in the embodiment of FIG. 1A.

FIG. 1D shows a diagram of an embodiment of a semiconductor chip that can detect photons and generates a non-deterministic process, which can be used in the embodiment of FIG. 1A.

FIG. 1E shows a diagram of an embodiment of one step of a key generator being updated, using a one-way hash function Φ. The size of the key generator is n bits. The output size of the hash function Φ is q bits. In this embodiment, during the key generator updating step, the one-way function Φ is applied to the first q bits of the key generator and the last n-q bits of the key generator remain unchanged. As described in machine-implemented method 1, FIG. 1E shows step

Set(Γ_i+1,0Γ_i+1,1. . . Γ_i+1,q−1)=Φ(Γ_i,0Γ_i,1. . . Γ_i,q−1) expressed as Φ(b₁. . . b_q)=(c₁. . . c_q).

FIG. 1E also shows the next step Set Γ_i+1,j=Γ_i,jfor each j satisfying q≤j≤n−1.

FIG. 1F shows a diagram of an alternative embodiment of one step of a key generator being updated, using a one-way hash function Φ. The size of the key generator is n bits. The output size of the hash function Φ is q bits. In this alternative embodiment, during the key generator updating step, the one-way function Φ is applied to the last q bits of the key generator and the first n-q bits of the key generator remain unchanged.

FIG. 1G shows a diagram of a key with K bits being derived from the key generator. The one-way function Ψ is applied to the key generator and the first K bits of this output are chosen as the dynamic key. FIG. 1G is the key derivation step that corresponds to the key generator updating step shown in FIG. 1E.

FIG. 1H shows a diagram of a key with K bits being derived from the key generator. The one-way function Ψ is applied to the key generator and the first κ bits of this output are chosen as the dynamic key. FIG. 1H is the key derivation step that corresponds to the key generator updating step shown in FIG. 1F.

FIG. 1I shows an embodiment of a process for encrypting information that can be used in the embodiment of FIG. 1A.

FIG. 1J shows a diagram of an embodiment of one step of a key generator being updated, using a one-way function Φ. The size of the key generator is n bits. The output size of the function Φ is n bits. During the key generator updating step, the one-way function Φ is applied to all n bits of the key generator.

FIG. 1K shows a diagram of a key with K bits being derived from a first part of the key generator. The one-way hash function Ψ is applied to the key generator and the first κ bits of this output are chosen as dynamic key.

FIG. 2A shows an embodiment of a computer network transmitting encrypted plaintext, which in some embodiments may be the Internet or a part of a network that supports an infrastructure such as the electrical grid, a financial exchange, or a power plant, which can be used with the embodiment of FIG. 1A.

FIG. 2B shows an embodiment of a secure computing area for encrypting information, which includes a processor, memory and input/output system, which may be the sending and/or receiving machines of FIG. 1A.

FIG. 3A shows an embodiment of a USB drive that can act as a sending machine and receiving machine to store and protect a user's data by encrypting the data.

FIG. 3B shows an embodiment of an authentication token, which may include the sending and/or receiving machines of FIG. 1A, that contains a computer processor that can encrypt plaintext that represents authentication data.

FIG. 4 shows a mobile phone embodiment 400 that encrypts wireless voice data and decrypts wireless voice data, which may include the sending and/or receiving machines of FIG. 1A. The mobile phone 500 is an embodiment that sends wireless encrypted plaintext to an automobile, which may include the sending and/or receiving machines of FIG. 1A.

FIG. 5A shows an embodiment of the H process being implemented with the enhanced AES-256 block cipher [5], which may used in the sending and/or receiving machines of FIG. 1A.

FIG. 5B shows another embodiment of the H process being implemented with the enhanced DES block cipher [8, 9], which may used in the sending and/or receiving machines of FIG. 1A.

FIG. 6A shows an example of a permutation σ=[4, 2, 0, 5, 3, 1] that permutes 6 bits over a 6 bit block. The representation [4, 2, 0, 5, 3, 1] means σ(0)=4, σ(1)=2, σ(2)=0, σ(3)=5, σ(4)=3 and σ(5)=1, which may used in the sending and/or receiving machines of FIG. 1A.

FIG. 6B shows an example of the P process permuting (diffusing) bits over a 512 bit block. μ is the permutation that performs this diffusion, which may used in the sending and/or receiving machines of FIG. 1A. In FIG. 6B, μ sends bit 181 to bit 267 and also maps bit 311 to bit 1. In [26], the cryptographic value of diffusing information was presented.

FIG. 7 shows an example of a computation that updates the key generator, which may be performed the sending and/or receiving machines of FIG. 1A. The key generator K, indicated in FIG. 7, may represent key generator K_H, used by the H process, or key generator K_Pused by the P process, or key generator K_Sused in the S process. The symbol Φ represents a one-way hash function. The key generator K_Sis rotated one element to the right and then part of it K_mis hashed by Φ and then exclusive-or'd with the rotated key. This updates the key generator in an unpredictable way and exploits the avalanche effect of the one-way function. After enough key generator updates, this updating eventually mixes the output of the one-way function across the whole key generator in an unpredictable way even for a large key generator such as a 512 byte key generator.

6 DETAILED DESCRIPTION

Although various embodiments of the invention may have been motivated by various deficiencies with the prior art, which may be discussed or alluded to in one or more places in the specification, the embodiments of the invention do not necessarily address any of these deficiencies. In other words, different embodiments of the invention may address different deficiencies that may be discussed in the specification. Some embodiments may only partially address some deficiencies or just one deficiency that may be discussed in the specification, and some embodiments may not address any of these deficiencies.

Section 6.1, describes information systems that utilize the cryptographic process. Section 6.2 describes the avalanche effect and one-way functions. Section 6.3 describes methods for encrypting with a block cipher that uses dynamic keys, derived from key generators and key generating updating with one-way hash functions. Section 6.6 explains how the use of dynamic keys stops a generic block cipher attack. Sections 6.4, 6.5, 6.8, 6.9, 6.11, 6.12, 6.13, 6.14, 6.15, 6.16, and 6.17 describe novel algorithms, concepts, hardware, infrastructure, machines, mathematics, methods, techniques and systems that contribute to some embodiments of the cryptographic process. Section 6.7 describes a cryptographic process, integrating the H, P and S processes. Section 6.18 describes some key generator distribution methods. Section 6.19 describes a key generator exchange, based on abelian groups, that securely creates and distributes key generators between Alice and Bob. Section 6.20 describes an elliptic curve key generator exchange that uses non-determinism to create the private key generators.

6.1 Information System

FIG. 1A shows an information system 100 for encrypting information in a manner that is expected to be secure. Information system 100 includes plaintext 104 (unencrypted information), encryption processes 106, key generators 107 and one-way hash 107, a sending machine 102, encrypted plaintext (encrypted information) 109 and a transmission path 110, a receiving machine 112, decryption processes 116, decrypted plaintext 114, and key generators 117 and one-way hash 117. In other embodiments, information system 100 may not have all of the components listed above or may have other components instead of and/or in addition to those listed above.

Information system 100 may be used for transmitting encrypted plaintext. Plaintext 104 refers to information that has not been encrypted yet that is intended to be delivered to another location, software unit, machine, person, or other entity. Although plaintext has the word “text” in it, the meaning of plaintext in this specification is broader and refers to any kind of information that has not been encrypted. For example, plaintext could be voice data that has not yet been encrypted. In an embodiment, plaintext may be unencrypted information being transmitted wirelessly between satellites. Plaintext may be represented in analog form in some embodiments and may be represented in digital form. In an embodiment, the sound waves transmitted from a speaker's mouth into a mobile phone microphone are plaintext. The representation of this plaintext information before reaching the microphone is in analog form. Subsequently, the plaintext information may be digitally sampled so it is represented digitally after being received by the mobile phone microphone. In general, plaintext herein refers to any kind of information that has not been encrypted.

In this specification, the term location may refer to geographic locations and/or storage locations. A particular storage location may be a collection of contiguous and/or noncontiguous locations on one or more machine readable media. Two different storage locations may refer to two different sets of locations on one or more machine-readable media in which the locations of one set may be intermingled with the locations of the other set. In this specification, the term “machine-readable medium” is used to refer to any medium capable of carrying information that is readable by a machine. One example of a machine-readable medium is a computer-readable medium. Another example of a machine-readable medium is paper having holes that are detected that trigger different mechanical, electrical, and/or logic responses. The term machine-readable medium also includes media that carry information while the information is in transit from one location to another, such as copper wire and/or optical fiber and/or the atmosphere and/or outer space. It may be desirable to keep the contents of plaintext 104 secret. Consequently, it may be desirable to encrypt plaintext 104, so that the transmitted information is expected to be unintelligible to an unintended recipient should the unintended recipient attempt to read and/or decipher the encrypted plaintext transmitted. Plaintext 104 may be a collection of multiple, unencrypted information blocks, an entire plaintext, a segment of plaintext (information), or any other portion of a plaintext.

Encryption process 106 may be a series of steps that are performed on plaintext 104. In this specification, the term “process” refers to a series of one or more operations. In one embodiment, the term “process” refers to one or more instructions for encrypting machine 102 to execute the series of operations that may be stored on a machine-readable medium. Alternatively, the process may be carried out by and therefore refer to hardware (e.g., logic circuits) or may be a combination of instructions stored on a machine-readable medium and hardware that cause the operations to be executed by sending machine 102 or receiving machine 112. Plaintext 104 may be an input for encryption process 106. The steps that are included in encryption process 106 may include one or more mathematical operations and/or one or more other operations. In an embodiment, “process” may also include operations or effects that are best described as non-deterministic. In an embodiment, “process” may include some operations that can be executed by a digital computer program and some physical effects that are non-deterministic.

Herein the term “process” refers to and expresses a broader notion than “algorithm”. The formal notion of “algorithm” was presented in Turing's paper and refers to a finite machine that executes a finite number of instructions with finite memory. “Algorithm” is a deterministic process in the following sense: if the finite machine is completely known and the input to the machine is known, then the future behavior of the machine can be determined. However, there is quantum random number generator (QRNG) hardware [28, 29] and other embodiments that measure quantum effects from photons (or other physically non-deterministic proceses), whose physical process is non-deterministic. The recognition of non-determinism observed by quantum random number generators and other quantum embodiments is based on experimental evidence and years of statistical testing. Furthermore, the quantum theory-derived from the Kochen-Specker theorem and its extensions [30, 31, 32]-implies that the outcome of a quantum measurement cannot be known in advance and cannot be generated by a Turing machine (digital computer program). As a consequence, a physically non-deterministic process cannot be generated by an algorithm: namely, a sequence of operations executed by a digital computer program. FIG. 1D shows an embodiment of a non-deterministic process arising from quantum events i.e., the arrival of photons.

Some examples of physically non-deterministic processes are as follows. In some embodiments that utilize non-determinism, a semitransparent mirror may be used where photons that hit the mirror may take two or more paths in space. In one embodiment, if the photon is reflected then it takes on one bit value; if the photon is transmitted, then takes on the other bit value 1-b. In another embodiment, the spin of an electron may be sampled to generate the next non-deterministic bit. In still another embodiment, a protein, composed of amino acids, spanning a cell membrane or artificial membrane, that has two or more conformations can be used to detect non-determinism: the protein conformation sampled may be used to generate a non-deterministic value in {0, . . . n−1} where the protein has n distinct conformations. In an alternative embodiment, one or more rhodopsin proteins could be used to detect the arrival times of photons and the differences of arrival times could generate non-deterministic bits. In some embodiments, a Geiger counter may be used to sample non-determinism. In some embodiments, a non-deterministic value is based on the roundoff error in the least significant bit of a computation due to the limitations of the hardware. Lastly, any one of the one-way functions of this specification may be based on a random event such as a quantum event (non-deterministic) generated by the quantum random number generator of FIG. 1D, which is discussed further in section 6.8.

In FIG. 1A, key generators 107 may include one or more key generators. key generators 107 may be used by encryption process 106 to help derive one or more keys used to encrypt at least part of plaintext 104. Key generators 117 may be used by decryption process 116 to help derive one or more keys used to decrypt at least part of encrypted plaintext 109. In an embodiment, one or more key generators 107 and key generators 117 are derived from a non-deterministic generator 136 in FIG. 1B. In another embodiment, by using key generators 107, two parties may use the same encryption process, but are still not expected to be able to decrypt one another's encrypted information unless they use the same key generators 107 in the same order during the cryptographic process. Key generators 107 may be a broad range of sizes. For example, if the size of a key generator 107 is measured in bits, one or more key generators may be 256 bits, 512 bits, 1000 bits, 1024 bits, 4096 bits or larger. In an embodiment, two parties (Alice and Bob) may establish the same key generators 107, by first creating private key generators from their respective non-deterministic generators 136 and then executing key generator exchange. In an embodiment, the hardware device shown in FIG. 1D may be part of non-deterministic generator 136. Sending machine 102 may be an information machine that handles information at or is associated with a first location, software unit, machine, person, sender, or other entity. Sending machine 102 may be a computer, a phone, a mobile phone, a telegraph, a satellite, or another type of electronic device, a mechanical device, or other kind of machine that sends information. Sending machine 102 may include one or more processors and/or may include specialized circuitry for handling information. Sending machine 102 may receive plaintext 104 from another source (e.g., a transducer such as a microphone), may produce all or part of plaintext 104, may implement encryption process 106, and/or may transmit the output to another entity. In another embodiment, sending machine 102 receives plaintext 104 from another source, while encryption process 106 and the delivery of the output of encryption process 106 are implemented manually. In another embodiment, sending machine 102 implements encryption process 106, having plaintext 104 entered, via a keyboard (for example) or via a mobile phone microphone, into sending machine 102. In another embodiment, sending machine 102 receives output from encryption process 106 and sends the output to another entity. In an embodiment, sending machine 102 may generate new key generators 107 for other information machines.

Sending machine 102 may implement any of the encryption methods described in this specification. Encryption process 106 may include any of the encryption methods described in this specification (e.g., encryption process 106 may implement any of the embodiments of the H, P, and S processes). Encrypted plaintext 109 includes at least some plaintext 104 that is encrypted by encryption process 106.

Transmission path 110 is the path taken by encrypted plaintext 109 to reach the destination to which encrypted plaintext 109 was sent. Transmission path 110 may include one or more networks. For example, transmission path 110 may be the Internet; for example, transmission path 110 may be wireless using voice over Internet protocol. Transmission path 110 may include any combination of any of a direct connection, hand delivery, vocal delivery, one or more Local Area Networks (LANs), one or more Wide Area Networks (WANs), one or more phone networks, including paths under the ground via fiber optics cables and/or one or more wireless networks, and/or wireless inside and/or outside the earth's atmosphere.

Receiving machine 112 may be an information machine that handles information at the destination of an encrypted plaintext 109. Receiving machine 112 may be a computer, a phone, a telegraph, a router, a satellite, or another type of electronic device, a mechanical device, or other kind of machine that receives in-formation. Receiving machine 112 may include one or more processors and/or specialized circuitry configured for handling information, such as encrypted plaintext 109. Receiving machine 112 may receive encrypted plaintext 109 from another source and/or reconstitute (e.g., decrypt) all or part of encrypted plaintext 109. Receiving machine 112 may implement any of the encryption methods described in this specification and is capable of decrypting any message encrypted by sending machine 102 and encryption process 106.

In one embodiment, receiving machine 112 only receives encrypted plaintext 109 from transmission path 110, while encryption process 106 is implemented manually and/or by another information machine. In another embodiment, receiving machine 112 implements decryption process 116 that reproduces all or part of plaintext 104, referred to as decrypted plaintext 114. In another embodiment, receiving machine 112 receives encrypted plaintext 109 from transmission path 110, and reconstitutes all or part of decrypted plaintext 114 using decryption process 116.

Decryption process 116 may store any of the processes of decrypting information described in this speci-fication. Decryption process 116 may include any of the decryption methods described in this specification (e.g., decryption process 116 may implement any of the methods for decrypting any of the embodiments of the H, P and S processes).

Receiving machine 112 may be identical to sending machine 102. In the embodiment in which the receiving machine and the sending machine are the same, both receiving and sending machine each include plaintext 104 (unencrypted information), encryption process 106, key generators 107 (which may include a one-way hash), encrypted plaintext (encrypted information) 109, decryption processes 116, decrypted plaintext 114 and key generators 117 (which may include a one-way hash), and are both capable of implementing any of the encryption processes, decryption processes, and methods of exchanging key generators described in this specification. For example, receiving machine 112 may receive plaintext 104 from another source, produce all or part of plaintext 104, and/or implement encryption process 106. Similar to sending machine 102, receiving machine 112 may create key generators 117. Receiving machine 112 may transmit the output of decryption process 116, via transmission path 110 to another entity and/or receive encrypted plaintext 109 (via transmission path 110) from another entity. Receiving machine 112 may present encrypted plaintext 109 for use as input to decryption process 116.

6.2 the Avalanche Effect and One-Way Functions

One-way function 107 in FIG. 1A and one-way function 126 in FIG. 1B may include one or more one-way functions. A one-way function Φ has the property that given an output value z, it is computationally intractable to find an information element m, such that Φ(m_z)=z. In other words, a one-way function Φ is a function that can be easily computed, but that its inverse Φ⁻¹is computationally intractable to compute. A computation that takes 10¹⁰¹computational steps is considered to have computational intractability of 10¹⁰¹.

More details are provided on computationally intractable. In an embodiment, there is an amount of time T that encrypted information must stay secret. If encrypted information has no economic value or strategic value after time T, then computationally intractable means that the number of computational steps required by all the world's computing power will take more time to compute than time T. Let C(t) denote all the world's computing power at the time t in years.

Consider an online bank transaction that encrypts the transaction details of that transaction. Then in most embodiments, the number of computational steps that can be computed by all the world's computers for the next 30 years is in many embodiments likely to be computationally intractable as that particular bank account is likely to no longer exist in 30 years or have a very different authentication interface.

To make the numbers more concrete, the 2013 Chinese supercomputer that broke the world's computational speed record computes about 33,000 trillion calculations per second [33]. If T=1 one year and we can assume that there are at most 1 billion of these supercomputers. (This can be inferred from economic considerations, based on a far too low 1 million dollar price for each supercomputer. Then these 1 billion supercomputers would cost 1,000 trillion dollars.). Thus, C(2014)×1 year is less than 10⁹×33×10¹⁵×3600×356=1.04×10³³computational steps. To get some perspective in terms of cryptography, the Bernstein 25519 elliptic curve cryptography has conjectured complexity of 2¹²⁸Also, 2¹²⁸>10³⁸so in terms of this measure of computational intractability, the Bernstein 25519 elliptic curve cryptography has computational intractability of at least 10³⁸.

As just discussed, in some embodiments and applications, computationally intractable may be measured in terms of how much the encrypted information is worth in economic value and what is the current cost of the computing power needed to decrypt that encrypted information. In other embodiments, economic computational intractability may be useless. For example, suppose a family wishes to keep their child's whereabouts unknown to violent kidnappers. Suppose T=100 years because it is about twice their expected lifetimes. Then 100 years×C(2064) is a better measure of computationally intractable for this application. In other words, for critical applications that are beyond an economic value, one should strive for a good estimate of the world's computing power.

One-way functions that exhibit completeness and a good avalanche effect or the strict avalanche criterion [34] are preferable embodiments: these properties are favorable for the key generator updating. FIG. 1C shows the avalanche effect after 16 rounds of the SHA-1 on the first 46 bits of the SHA-1 output. The SHA-1 digest size is 160 bits (i.e. length of its output). Only one bit has been flipped from b to 1-b in the input. The flipped bit in the input is indicated by a small white rectangle near the top of FIG. 1C. The white squares show bits that have flipped from 0 to 1 or 1 to 0 as a result of flipping the one bit of input. At the 16th round, there are more white bits than black bits. The strict avalanche criteria says that there is a 50%. chance that a bit flip occurs. 80 rounds of SHA-1 are supposed to ensure enough diffusion. The definition of completeness and a good avalanche effect are quoted from [34]:

“If a cryptographic transformation is complete, then each ciphertext bit must depend on all of the plaintext bits. Thus, if it were possible to find the simplest Boolean expression for each ciphertext bit in terms of plaintext bits, each of those expressions would have to contain all of the plaintext bits if the function was complete. Alternatively, if there is at least one pair of n-bit plaintext vector X and X_ithat differ only in bit i, and ƒ(X) and ƒ(X_i) differ at least in bit j for all {(i, j):1≤i,j≤n} the function f must be complete. For a given transformation to exhibit the avalanche effect, an average of one half of the output bits should Change whenever a single input bit is complemented. In order to determine whether a m×n (m input bits and n output bits) function ƒ satisfies this requirement, the 2^mplaintext vectors must be divided into 2^m−1pairs, X and X_jsuch that X and X_jdiffer only in bit i. Then the 2^m−1exclusive-or sums V_i=ƒ(X)⊕ƒ(X_i) must be calculated. These exclusive-or sums will be referred to as avalanche vectors, each of which contains n bits, or avalanche variables. If this procedure is repeated for all i such that 1≤i≤m and one half of the avalanche variables are equal to 1 for each i, then the function ƒ has a good avalanche effect. Of course this method can be pursued only if m is fairly small; otherwise, the number of plaintext vectors becomes too large. If that is the case then the best that can be done is to take a random sample of plaintext vectors X, and for each value i calculate all avalanche vectors V_i. If approximately one half the resulting avalanche variables are equal to 1 for values of i, then we can conclude that the function has a good avalanche effect.”

A hash function, also denoted as Φ, is a function that accepts as its input argument an arbitrarily long string of bits (or bytes) and produces a fixed-size output of information. The information in the output is typically called a message digest or digital fingerprint. In other words, a hash function maps a variable length m of input information to a fixed-sized output, Φ(m), which is the message digest or information digest. Typical output sizes range from 160 to 512 bits, but can also be larger. An ideal hash function is a function Φ, whose output is uniformly distributed in the following way: Suppose the output size of Φ is n bits. If the message m is chosen randomly, then for each of the 2ⁿpossible outputs z, the probability that Φ(m)=z is 2⁻ⁿ. In an embodiment, the hash functions that are used are one-way.

A good one-way hash function is also collision resistant. A collision occurs when two distinct information elements are mapped by the one-way hash function Φ to the same digest. Collision resistant means it is computationally intractable for an adversary to find colllisions: more precisely, it is computationally intractable to find two distinct information elements m₁, m₂where m₁≠m₂and such that Φ(m₁)=Φ(m₂).

A number of one-way hash functions may be used. SHA-512 is a one-way hash function, designed by the NSA and standardized by NIST [25]. The message digest size of SHA-512 is 512 bits. Other alternative hash functions are of the type that conform with the standard SHA-384, which produces a message digest size of 384 bits and SHA-512. SHA-1 has a message digest size of 160 bits. An embodiment of a one-way hash function is Keccak [35]. An embodiment of a one-way hash function is BLAKE [36]. An embodiment of a one-way hash function is GrØstl [37]. An embodiment of a one-way hash function is JH [38]. Another embodiment of a one-way hash function is Skein [39].

In other embodiments, other types of one-way functions may be used instead of a one-way hash function. For example, an elliptic curve over a finite field may be used as a one-way function. For these alternative one-way functions, completeness and a good avalanche effect are favorable properties for these functions to exhibit. The strict avalanche criterion is also a favorable property for these alternative one-way functions to have.

In an embodiment, one-way function 126 in FIG. 1B may be implemented as executable machine instructions in the native machine instructions of a microprocessor. In another embodiment, one-way function 126 in FIG. 1B may be implemented in hardware such as an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit) which can provide a secure area to perform computation.

6.3 Encrypting with Dynamic Keys

The creation and use of dynamic keys depends upon Alice and Bob agreeing upon the next key generator element Γ(i+1) from the previous key generator Γ(i) and this is how the key generator sequence Γ(0), Γ(1), . . . , Γ(i), Γ(i+1) . . . is created. An uncountable number of key generator sequences are Turing incomputable; herein our embodiments describe Turing computable key generator sequences because computability helps simplify the coordination of key generator updating between Alice and Bob.

One-way hash functions have a novel use over the typical application of message authentication in the prior art. In cryptographic method 1, Φ is a one-way hash function with digest size q. The key generator sequence Γ: custom-character →{0,1}ⁿsatisfies q<n. The symbol Γ^i,jis the jth bit of the ith key generator Γ(i).

The first step uses a signed, key generator exchange [40, 41, 42, 43] where in some embodiments Alice and Bob's private secrets are created from a non-deterministic generator 172, as shown in FIG. 1I. In some embodiments, the key generator exchange instructions 170 establish a first key generator that is produced from a non-deterministic process. The key generator exchange is discussed further in sections 6.18, 6.19 and 6.20.

Machine-Implemented Cryptographic Method 1.

Key Generator Updating using a one-way hash function

Alice and Bob execute a signed, Key Generator exchange to establish a shared

0th key generator

Γ(0) = Γ_0,0... Γ_0,n−1

Initialize i = 0

while( Alice and Bob request next key generator Γ(i + 1) )

{

Set (Γ_i+1,0, Γ_i+1,1, ...Γ_i+1,q−1) = Φ(Γ_i,0, Γ_i,1, ...Γ_i,q−1)

Set Γ_i+1,j= Γ_i,jfor each j satisfying q ≤ j < n − 1

Increment i

}

Method 1 is designed to generate a high dimensional orbit on the first q bits Γ_i,0Γ_i,1. . . Γ_i,q−1induced by the avalanche properties [34] of function Φ; to keep the remaining n-q bits invariant for all i; and to assure that no information from the last n-q bits contributes to the orbit of the first q bits.

FIG. 1E shows the key generator updating step in machine-implemented method 1: Set. (Γ_i+1,0, Γ_i+1,1, . . . Γ_i+1,q−1)=Φ(Γ_i,0, Γ_i,1, . . . Γ_i,q−1)

In FIG. 1E, the first q bits Γ_i,0Γ_i,1. . . Γ_i,q−1of key generator i are expressed as b₁b₂. . . b_q. In FIG. 1E, the last n-q bits of key generator i are expressed as a₁a₂. . . a_n−q−1. In FIG. 1E, the expression (c₁. . . c_q)=Φ(b₁b₂. . . b_q) represents the first q bits Γ_i+1,0Γ_i+1,1. . . Γ_i+1,q−1of key generator (i+1). Further, in FIG. 1E, the bits a₁a₂. . . a_n−q−1represent the last n-q bits Γ_i+1,qΓ_i+1,q−1. . . Γ_i+1,n−1since these bits remain unchanged. In an embodiment,n=768 and q=512. In another embodiment, n=1024 and q=512. In still another embodiment, n=20000 and q=1000.

In a typical use case, the adversary Eve never has access to any bits of Alice's key generator Γ(i). This is analogous to Eve not having access to any bits of Alice's static key, used in the prior art's implementations of symmetric cryptography.

In another embodiment, a one-way function Φ may be applied to the last q bits and the remaining n-q bits are kept invariant for all i. This embodiment is shown in FIG. 1F, where the last q bits of the key generator and the remaining n-q bits are kept invariant for all i. This embodiment is shown in FIG. 1F, where the last q bits of the key generator are updated as (c₁. . . c_q)=Φ(b₁b₂. . . b_q). In still other embodiments, the invariant bits a_k₁a_k₂. . . a_k_n-qmay be interleaved between the key generator bits that are updated as (c_j₁. . . c_j_q)=Φ(b_j₁b_j₂. . . b_j_q) where the set of bit locations {k₁, k₂, . . . k_n−q} for the invariant bits is disjoint from the set of bit locations {j₁, j₂, . . . j_q} that point to bits (b_j₁b_j₂. . . b_j_q) that are updated. That is, {k₁, k₂, . . . k_n−q}∩{j₁, j₂, . . . j_q} is the empty set.

In some embodiments of machine-implemented method 1, different one-way functions may be applied at distinct steps of the key generator updating step. For example, SHA-512 or SHA-256 may be used to compute the first key generator Γ(1) from key generator Γ(0); SHA-384 may be used to compute the second key generator Γ(2) from key generator Γ(1); Keccak may be used to compute the third key generator Γ(3) from key generator Γ(2); and so on. In these embodiments, there are key generator update instructions 162 (FIG. 1I) that call different one-way function instructions 164, depending on the jth key generator. One-way function instructions 164 can implement SHA-384, Keccak, SHA-512 and other one-way functions.

Machine-Implemented Cryptographic Method 2.

Keys Generator Updating using a one-way function

Alice and Bob execute a signed, Key Generator exchange to establish a shared 0th key

generator Γ(0) = Γ_0,0... Γ_0,n−1

Initialize i = 0

while( Alice and Bob request next key generator Γ(i + 1) )

{

Set (Γ_i+1,0, Γ_i+1,1, ...Γ_i+1,n−1) = Φ(Γ_i,0, Γ_i,1, ...Γ_i,n−1)

Increment i

}

FIG. 1J shows the key generator updating step in machine-implemented method 2: Set (Γ_i+1,0Γ_i+1,1. . . Γ_i+1,n−1)=Φ(Γ_i,0Γ_i,1. . . Γ_i,n−1). In FIG. 1J, the first q bits (Γ_i,0Γ_i,1. . . Γ_i,g−1) of key generator i are expressed as b₁b₂. . . b_q. In FIG. 1J, the last n-q bits of key generator i (Γ_i,qΓ_i,q+1. . . Γ_i,n−1) are expressed as a₁a₂. . . a_n−q−1. In some embodiments, bits b₁b₂. . . b_qare called the first part of the key generator and bits a₁a₂. . . a_n−q−1are called the second part of the key generator. In other embodiments, bits a₁a₂. . . a_n−g−1are called the first part of the key generator, and bits b₁b₂. . . b_qare called the second part of the key generator. In FIG. 1J, the expression Φ(b₁b₂. . . b₁a₁a₂. . . a_n−q)=(c₁. . . c_n) represents the n bits (Γ_i+1,0Γ_i+1,1. . . Γ_i+1,n−1) of the (i+1) th key generator (i.e., the next key generator). In an embodiment, n=768 and q=512. In another embodiment, n=1024 and q=512. In another embodiment, n=20000 and q=1000. In another embodiment, n=100000 and q=5000. In an embodiment, the adversary Eve never has access to any bits of Alice's key generator Γ(i). This is analogous to Eve not having access to any bits of Alice's static key, used in the prior art's implementations of symmetric cryptography.

In some embodiments of machine-implemented method 2, different one-way functions may be applied at distinct steps of the key generator updating step. For example, AES-256 may be used to compute the first key generator Γ(1) from key generator Γ(0); SHA-256 or SHA-512 may be used to compute the second key generator Γ(2) from key generator Γ(1); Keccak may be used to compute the third key generator Γ(3) from key generator Γ(2); and so on. In these embodiments, there are key generator update instructions 162 (FIG. 1I) that call different one-way function instructions 164, depending on the jth key generator. One-way function instructions 164 can implement SHA-384, Keccak, SHA-512 and other one-way functions such as AES or an elliptic curve method.

In embodiments, where a one-way hash function Ψ is used and the hash size m is less than n, then Φ in FIG. 1J can computed by concatenating multiple instances of Ψ applied to different parts of the key generator each of size m. If n=2048, and Ψ is SHA-512, then the hash size of Ψ is 512 bits. Hence, Φ=(Ψ, Ψ, Ψ, Ψ) so that Φ(a₁. . . a₂₀₄₈) is computed as Ψ(a₁. . . a₅₁₂)*Ψ(a₅₁₃. . . a₁₀₂₄)*Ψ(a₁₀₂₅. . . a₁₅₃₆)*Ψ(a₁₅₃₇. . . a₂₀₄₈) where * represents the concatenation of each bit-string.

Machine-Implemented Cryptographic Method 3.

Block Cipher A encrypts with Dynamic Keys derived from a Key Generator

Alice computes shared secret key generator Γ(0) with the first step of cryptographic method 1

Initialize i = 0.

while( more plaintext for Alice to encrypt )

{

Derive dynamic key K_i= π_K° Ψ(Γ_i,0Γ_i,1...Γ_i,n−1)

Compute C_i= E_A(M_i, K_i) which encrypts plaintext M_iwith key K_i

Cryptographic Method 1 computes key generator element Γ(i + 1) from Γ(i)

Increment i

}

Method 3 derives a dynamic key K_ifor block cipher A from the ith key generator Γ(i) of the key generator sequence as shown in FIG. 1G and FIG. 1H. The symbol Ψ denotes a one-way function whose output size is r bits, where κ≤r. As shown in FIG. 1G and FIG. 1H, Ψ is applied to a concatenation of the dynamic part Γ_i,0Γ_i,1. . . Γ_i,g−1of Γ_iand the invariant part Γ_i,q. . . Γ_i,n−1in order to derive a distinct key K_iblock that is encrypted.

In FIG. 1G., the first q bits (b₁b₂. . . b_q) are the part of the key generator that are changed after each key generator update step shown in FIG. 1E; in FIG. 1G, the last n-q bits (a₁a₂. . . a_n−q) remain unchanged. In FIG. 1H, the first n-q bits (a₁a₂. . . a_n−q) remain unchanged; in FIG. 1H, the last q bits (b₁b₂. . . b_q) are the part of the key generator that are changed after each key generator update step shown in FIG. 1F.

Machine-Implemented Cryptographic Method 4.

Block Cipher A encrypts with Dynamic Keys derived from a Key Generator.

Alice computes shared secret key generator Γ(0) with the first step of cryptographic method 1

Initialize i = 0.

while( more plaintext for Alice to encrypt )

{

Derive dynamic key K_i= π_K° Ψ(Γ_i,0Γ_i,1... Γ_i,q−1)

Compute C_i= E_A(M_i, K_i) which encrypts plaintext M_iwith key K_i

Cryptographic Method 1 computes key generator Γ(i + 1) from Γ(i)

Increment i

}

The expression E_A(M_i, K_i) represents block cipher A encrypting plaintext block M_iwith key K_i, and D_A(C_i, K_i) represents block cipher A decrypting ciphertext C_iwith key K_i. The key size |K_i| of the block cipher is K bits and satisfies κ≤r. π_κ is a projection function that produces κ bits from one-way hash Ψ(b₁b₂. . . b_q). In typical embodiments, κ≤q. In other embodiments, q=κ. In some embodiments, the following projection map π_κ: {0,1}^r→{0,1}^κ is used, where π_κ(x₁x₂. . . x_r)=(x₁x₂. . . x_κ).

In machine implemented method 4 shown in FIG. 1K, the first q bits (b₁, b₂. . . b_q) comprise the first part of the key generator and n-q bits (a₁, a₂. . . a_n−q) comprise the second part of the key generator. In this embodiment, one-way hash function Ψ is applied to the first part of the key generator to derive a dynamic key, expressed as π_κ∘Ψ(Γ_i,0Γ_i,1. . . Γ_i,n−1), where π_κ is a projection function. In other embodiments, the first part of the key generator is the last q bits of the key generator, and the second part of the key generator are the first n-q bits. In other embodiments, the first part of the key generator is a random subset of q bits, selected from the key generator, and the remaining n-q bits are the second part of the key generator.

In some embodiments, Ψ is a different one-way function than Φ. For example, in some embodiments, Ψ may be implemented with Keccak and Φ may be implemented with SHA-512. In some embodiments, Ψ may be used to derive the first dynamic key and a different one-way function Δ may be used to derive the second dynamic key, and so on.

In other parts of the specification, process H will be referred to—in some embodiments—as being implemented with a block cipher that uses dynamic keys, derived from key generator updating. In this regard, cryptographic methods selected from machine-implemented methods 1, 2, 3, 4, 5, 6, 7 can implement process H.

Machine-Implemented Cryptographic Method 5.

Block Cipher A decrypts with Dynamic Keys derived from a Key Generator

Bob computes shared secret key generator Γ(0) with the first step of cryptographic method 1

Initialize i = 0

while( more ciphertext C_ifor Bob to decrypt )

{

Derive dynamic key K_i= π_K° Ψ(Γ_i,0Γ_i,1... Γ_i,n−1)

Compute M_i= D_A(C_i, K_i) which encrypts cipherext C_iwith key K_i

Cryptographic Method 1 computes key generator Γ(i + 1) from Γ(i)

Increment i

}

An implementation of Standard Serpent is a 16-byte block cipher with a 256-bit key [44]. An example of key generating and dynamic key derivation for enhanced Serpent is described below. “Photons are keys” is 16-byte block of plaintext that is concatenated together 4 times to create a 64-byte of plaintext.

In the description that follows, each byte (8 bits) is expressed as a number between 0 and 255 inclusive. The 16-byte block of plaintext “Photons are keys” is

- 80 104 111 116 111 110 115 32 97 114 101 32 107 101 121 115

Key generator Γ(1) is 768 bits (96 bytes) and shown below.

- 112 132 168 213 84 252 132 50 143 235 140 71 123 248 243 160 240 248 237 200 113 43 65 95 208 97 175 125 184 234 154 227 130 187 104 4 131 204 239 92 44 187 34 166 71 146 186 241 108 149 70 166 66 35 108 195 13 235 58 218 85 229 180 66 109 55 178 123 110 135 57 238 177 21 29 225 222 84 215 155 21 179 210 201 122 202 210 208 51 104 213 58 247 238 139 116

The first 256-bit key K₁derived from key generator Γ(1) is

- 32 23 248 49 234 86 223 193 83 37 87 247 191 22 112 130 34 177 54 67 56 186 154 188 149 130 23 146 220 118 192 55

After encrypting the first 16-byte plaintext block “Photons are keys” with enhanced Serpent and dynamic key K₁, the ciphertext is 33 175 244 28 210 147 63 101 221 74 197 89 195 30 31 228.

Key generator Γ(2) is 768 bits (96 bytes) and shown below.

- 219 14 199 128 227 62 241 230 111 13 179 127 82 52 211 235 216 220 52 233 191 255 121 103 165 109 90 168 10 36 23 172 246 97 184 183 134 6 195 84 171 123 50 184 60 112 217 7 249 224 23 186 238 174 199 235 214 22 152 211 212 186 202 240 109 55 178 123 110 135 57 238 177 21 29 225 222 84 215 155 21 179 210 201 122 202 210 208 51 104 213 58 247 238 139 116

The second 256-bit key K₂derived from key generator Γ(2) is

- 86 35 129 230 137 79 46 48 202 130 242 209 127 25 84 159 185 250 154 249 12 245 176 61 12 242 200 226 63 90 62 44

After encrypting the second 16-byte block of plaintext “Photons are keys” with enhanced Serpent and key K₂, the ciphertext is 79 101 31 159 181 228 83 121 166 170 215 94 99 67 100 139.

Key generator Γ(3) is 768 bits (96 bytes) and shown below.

- 106 83 207 235 94 38 238 182 252 52 145 130 208 170 9 222 90 70 48 182 140 87 211 89 241 135 27 217 27 4 83 65 122 137 153 188 253 116 162 45 70 34 57 162 77 45 116 126 190 163 194 142 206 195 184 102 154 112 164 53 38 215 50 187 109 55 178 123 110 135 57 238 177 21 29 225 222 84 215 155 21 179 210 201 122 202 210 208 51 104 213 58 247 238 139 116

The third 256-bit key K₃derived from key generator Γ(3) is

- 137 141 95 102 34 68 172 9 169 183 22 154 200 144 84 232 251 87 33 62 155 72 214 82 81 119 46 198 52 253 120 133

After encrypting the third 16-byte block of plaintext “Photons are keys” with enhanced Serpent and key K₃, the ciphertext is 138 83 40 138 141 153 198 180 164 108 233 135 99 130 205 34.

Key generator Γ(4) is 768 bits (96 bytes) and shown below.

- 22 228 65 144 60 200 76 27 17 148 227 251 74 182 41 167 6 215 249 33 9 219 36 170 139 106 189 109 42 190 115 21 220 162 232 214 66 167 48 226 230 77 73 198 147 180 29 41 103 238 224 24 103 225 181 252 103 103 194 164 76 132 242 207 109 55 178 123 110 135 57 238 177 21 29 225 222 84 215 155 21 179 210 201 122 202 210 208 51 104 213 58 247 238 139 116

The fourth 256-bit key K₄derived from key generator Γ(4) is

- 184 244 102 78 50 249 102 189 46 27 147 31 37 96 37 36 50 13 62 209 109 30 126 93 248 239 161 157 195 223 108 48

After encrypting the fourth 16-byte block of plaintext “Photons are keys” with enhanced Serpent and key K₄, the ciphertext is 248 255 208 238 140 14 26 6 121 1 52 78 22 48 168 112.

In some embodiments, the key generator update of Γ occurs after every other encryption of a block: the update occurs after blocks B₂, B₄, B₆. . . but not after the blocks B₁, B₃, B₅. . . . In other embodiments, the key generator update occurs only after blocks B₁, B₃, B₅but not after the blocks B₂, B₄, B₆. . . . In some embodiments, the key generator update of Γ occurs after only the fourth blocks B₄, B₈, B₁₂. . . of encryption. In other embodiments, the key generator update is executed in an aperiodic manner; for example, the key generator update occurs only after blocks B₂, B₃, B₅B₇, B₁₁, B₁₃, B₁₉and so on.

The use of key generator updating in machine-implement cryptographic methods 3 and 5 should not be confused with the existing block cipher modes of operation such as CBC or CTR. First, each of these modes still relies on a static key.

Even CTR—where K=E(nonce∥i, K) and the ith block of ciphertext is C_i=M_i⊕K—relies on the static key K. Second, key generator updating uses values of n for the key generator that can be substantially greater than the block and static key size. That is, usually n»|M_i| and n»κ, where»means “much greater than”. In some embodiments, n=1024, while the key size κ=128 and the block size 128; this is an example of wheren»κ. As explained in section 6.5, the periodicity of the orbit of dynamic keys produced by a key generator can be substantially greater than 2^κ.

Each of these modes puts an upper bound on the amount of entropy increase, based on the block size or key size. In the case of ECB, no entropy increase occurs. In the case of CBC, the entropy increase is bounded above by the size of the message space. In the case of CTR, the nonce concatenated with the counter i is bounded above by the size of the message space and the resulting key orbit is bounded above by the size of the key space. Since n can be substantially greater than the key or block size, a greater entropy increase can occur with key generator updating.

Furthermore, nothing precludes combining key generator updating with the CBC mode or the CTR mode. In alternative embodiments, a cryptographic mode such as cipher block chaining (CBC) can be added to machine-implemented cryptographic methods 3 and 5. Machine-implemented cryptographic methods 6 and 7 show key generator updating combined with the CBC mode.

Machine-Implemented Cryptographic Method 6.

Block Cipher A encrypts with Dynamic Keys and CBC mode

Alice computes secrets Γ(0), C₋₁with the first step of cryptographic method 1

Initialize i = 0

while( more Cryptographic plaintext M_ifor Alice to encrypt )

{

Derive dynamic key K_i= π_K° Ψ(Γ_i,0Γ_i,1... Γ_i,n−1)

Compute C_i= E_A(M_i⊕ C_i−1, K_i) which encrypts M_i⊕ C_i−1with dynamic key K_i

Cryptographic method 1 computes key generator element Γ(i + 1) from Γ(i)

Increment i

}

In cryptographic methods 6 and 7, the symbol C₋₁represents the initialization vector established between Alice and Bob during the key generator exchange.

Machine-Implemented Cryptographic Method 7.

Block Cipher A decrypts with Dynamic Keys and CBC mode

Bob computes secrets Γ(0), C₋₁with the first step of cryptographic method 1.

Initialize i = 0

while( more plaintext C_ifor Bob to decrypt )

{

Derive dynamic key K_i= π_K° Ψ(Γ_i,0Γ_i,1... Γ_i,n−1)

Compute M_i= C_i−1⊕ D_A(C_i, K_i) which decrypts ciphertext C_iwith dynamic key K_i

Cryptographic method 1 computes key generator element Γ(i + 1) from Γ(i)

Increment i

}

In other embodiments, other cryptographic modes such as CTR or OFB may be used.

In an embodiment, machine-implemented cryptographic method 1 executes in sending machine 102 and also receiving machine 112, as shown in FIG. 1A. In an embodiment, methods 3 and 5, execute in sending machine 102 and also receiving machine 112, as shown in FIG. 1A. In an alternative embodiment, methods 6 and 7, execute in sending machine 102 and also receiving machine 112, as shown in FIG. 1A. In some embodiments, the non-deterministic generator 172 in FIG. 1I-used in the first step of method 1—may use photons, as shown in FIG. 1D, or other kinds of quantum effects to produce the non-determinism.

In some embodiments, as shown in FIG. 1I, key generator update instructions 162 and key derive instructions 168—described in methods 1, 3, 5, 6 and 7—are part of encryption process 160. In some embodiments, as shown in FIG. 1I, FIG. 1E, and FIG. 1F, key generator updating in methods 1, 3, 5, 6 and 7 may be implemented as executable machine instructions in the native machine instructions of a microprocessor. In other embodiments, key generator updating in methods 1, 3, 5, 6 and 7 may be implemented in hardware such as an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit). In other embodiments, key generator update instructions 162 in methods 1, 3, 5, 6 and 7 may be implemented as C source code and compiled to native instructions for an ASIC, microprocessor or FPGA.

6.4 Concrete Complexity and One-Way Preimage Functions

Based on Turing machines, this section introduces concrete complexity and then defines a one-way preimage hash function. The first goal of our new machine specifications is to avoid the difficulty that asymptotic machine specifications of complexity cannot model one-way hash functions used in practice. A second longer term goal is to further develop an appropriate framework to characterize one-wayness, by applying powerful tools from dynamical systems to the Turing machine.

As a brief review, a Turing machine is a triple (Q, Σ, η) where Q is a finite set of states that does not contain a unique halting state h. When machine execution begins, the machine is in an initial state s in Q. Σ is a finite alphabet whose symbols are read from and written to a tape T:Z→Σ. The alphabet symbol in the kth tape square is T(k). −1 and +1 represent advancing the tape head to the left or right tape square, respectively. η is a program function, where η:Q×Σ≥Q∪{h}×{−1, +1}.

For each q in Q and α in Σ, the instruction η(q, α)=(r, β, x) specifies how the machine executes one computational step. When in state q and reading alphabet symbol a on the tape: the machine jumps to state r. On the tape, the machine replaces alphabet symbol a with symbol β. If x=−1 or x=+1, then the machine moves its tape head one square to the left or right, respectively, and subsequently reads the symbol in this new square. If r=h, the machine reaches the halting state and stops executing.

Machine 1. Concrete Complexity.

For machine input u in Σ*, let |u| be the length of u. Let g: custom-character → be a function of |u|. Machine M=(Q, Σ, η) has concrete complexity C(g, σ, ρ, |u|) if all three conditions hold:

- (1) On input u, machine M takes at least g(|u|) computational steps to halt.
- (2) M's alphabet satisfies |Σ|≤σ.
- (3) M's states satisfy |Q|≤ρ.

Remark 1.

Parameters σ and ρ impose limits on the size of the Turing machine program η in order to eliminate precomputations (table lookups). Precomputations are assumed to be encoded into η and/or the input u.

Remark 2.

Observe that prior complexity definitions depend on the meaning of algorithm. For any given algorithm, there can be an infinite number of Turing machines that implement the algorithm, where each of these machines have Shannon's State×Symbol complexity [45] such that |Q∥Σ|>ρσ. The distinction between a machine's implementation of an algorithm and an abstract algorithm can lead to deep subtleties [46, 47, 48]. In [49], a blackbox is constructed with a self-modifying, parallel machine that utilizes quantum randomness; this incomputable method raises more questions about the differences between an algorithm and the “machine” that executes it. Also, see [50].

Remark 3.

From a practical perspective, side channel attacks typically exploit the particular machine implementation of an algorithm. (For example, see [51].) This further supports our position that a complexity definition should be based on the machine, not the algorithm.

Informally, h:{0,1}^<N→{0,1}^qis an (N, σ, ρ, r) one-way, presage function if A and B hold:

- A. A Turing machine M exists that on input x outputs h(x) in a feasible number of computational steps.
- B. Any probabilistic, Turing machine P—that is given y in {0,1}^qas input and searches for an inverse image point x in h⁻¹(y)—only succeeds with exponentially low probability under the following 3 conditions:
- (1) Turing machine P has at most σ alphabet symbols.
- (2) Turing machine P has at most ρ states.
- (3) There is some fixed degree r and each success takes at least |x|^rsteps.

In our formal machine specification, no assumptions are made about collision resistance.

Machine Specification 2. One-Way Preimage Function

Let σ, ρ, r be in custom-character (natural numbers). Let be a number (cardinal) in ∪{ω₀}. A function h:{0,1}^<N→{0,1}^qis called an (N, σ, ρ, r) one-way, preimage function with digest size q if the following two conditions hold:

- A. Easy to evaluate: There exists a polynomial time Turing machine A such that M(x)=h(x) for every x in {0,1}^<N.
- B. Computationally hard to invert: For every probabilistic Turing machine P and every n such that q≤n<N the probability of the set {x={0,1}ⁿ: P(h(x)1ⁿ)∈h⁻¹(h(x)) and machine P has concrete complexity

$C (n^{r}, σ, ρ, ❘ h (x) 1^{n} ❘)} \leq 2^{- \frac{n}{2}} .$

The following remarks help further explain machine specification 2.

Remark 4. ω₀is the first countably infinite ordinal. When N=ω₀, this implies the domain of his {0,1} * and in this case machine specification 2 is asymptotic.

Remark 5.

The adversary's machine P receives h(x) as input and the auxiliary input 1ⁿwhich is the binary length of x. The purpose of the auxiliary input 1ⁿis to eliminate the possibility that a function is speciously considered one-way because machine P does not have enough time to print its output. For example, the function h(x)=y, where y=log n of the least significant bits of x with |x|=n. No machine can find a point of h⁻¹(y) in time polynomial in |h(x)|; however, there is a machine which finds a point of h⁻¹(y) in polynomial time as a function of |x|.

Remark 6.

For our purposes only n≥q is needed in algorithms 1 and 3. There is some k<q such that the adversary can brute force compute h(x) for every x in {0,1}^jwhenever j≤k. The number k depends on the adversary's computational resources.

Remark 7.

The one-way notion is probabilistic. The machine specification does not state that it is impossible for the adversary's machine P to find a point in the inverse image h⁻¹(h(x)); it says that P has a probability

$\leq 2^{- \frac{n}{2}}$

of finding a point in the inverse image, where the machine takes at least n″ computational steps to find it. Here g(|x|)=(|x|−q)^r, where u=h(x) 1ⁿ. To “succeed”, the adversary's machine P only has to find some point in h⁻¹(h(x)). P is not required to find the x that machine M used. Furthermore, the probability distribution is uniform over the input x and the possible coin tosses of the adversary's machine P.

Remark 8.

The intuitive reason for the upper bound

$2^{- \frac{n}{2}}$

on the probability stems from the birthday paradox: given a randomly selected digest y, it should be computationally more difficult for Eve to find a preimage point x in h⁻¹(y)∪{0,1}ⁿ, than for Eve to randomly select preimage points x₁, x₂, . . . , x_m, compute h(x₁), h(x₂), . . . , h(x) and search for a collision in {h(x₁), h(x₂), . . . , h(x_m)}.

Example 1

Let Φ₅₁₂:{0,1}^<2¹²⁸→{0,1}⁵¹²denote SHA-512. For Φ₅₁₂, N=2¹²⁸and q=512.

Currently, no mathematical proof exists that SHA-512 is a one-way preimage function, for some values of r, σ and ρ. In this regard, it is helpful to mention the recent biclique preimage attack [52] on a reduced 50 rounds of Φ₅₁₂: their preimage complexity estimate of 2^511.5still supports this possibility and is far beyond today's computing power. In practice, input strings ≥2¹²⁸bits do not arise. However, based on the current art's definition(s) of one-wayness, SHA-512 does not satisfy their mathematical definition of a one-way hash function because SHA-512's domain is not {0,1}* and consequently cannot satisfy the definition's asymptotic requirements.

6.5 Some Analysis of Cryptographic Methods 1, 3, 5, 6 and 7

Let ƒ:X→X be a function on some topological space X. The orbit of the point p in X is O(p,ƒ)={p,ƒ(p),ƒ∘ƒ(p), . . . ,ƒⁿ(p) . . . }. In general, the orbit may be an infinite set. In cryptographic methods 1, 3, 5, 6 and 7, the space X={0,1}^mfor some m in custom-character , so our key orbits and key generator orbits are finite. Point p in X is a periodic point if there exists j in such that ƒ^j(p)=p. Point x in X is eventually periodic if there exists j in such that ƒ^j(x)=p and p is a periodic point.

Suppose ƒ:{0,1}^m→{0,1}^mis a function. The pigeonhole principle implies that every point x in {0,1}^mis eventually periodic with period at most 2^m. Each function ƒ:{0,1}^m→{0,1}^minduces an equivalence relation on the set {0,1}^mas follows. If x and y are eventually periodic in the same orbit with respect to ƒ, then x and y are called eventually periodic equivalent, expressed as

$\underset{f}{x \sim y} .$

Let [x] denote the equivalence class

${y \in {0, 1}^{m} : \underset{f}{x \sim y}} .$

The key generator orbit O(Γ, Φ, A₁)={π_q∘Γ(i)∈{0,1}^q:Γ(i) is computed by machine-implemented cryptographic method 1}. The dimension of the key generator orbit is the number of points in O(Γ, Φ, A₁). Also, A₃and A₆denote machine-implemented cryptographic methods 3 and 6, respectively.

Machine Specification 3:

Let ϕ:{0,1}^<N→{0,1}^qbe a function with digest size q. No assumption is made about ϕ's (one-wayness). ϕ has a periodic point p in {0,1}^qwith period m if m is the smallest, positive integer such that ϕ^m(p)=p.

The periodic orbit contained in O(Γ, Φ, A₁) has a period ≤|O(Γ, Φ, A₁)|. One of our tools uses machine property 1 to provide a method for finding a preimage attack on Φ based on the eventually periodic equivalence classes. When q>κ where κ=|K_j|, there is an important subtlety to mention. At a first glance, one might expect that the sequence of dynamic keys K₁, K₂, . . . should always have a period ≤2^κ because the set {K₁, K₂. . . . K_2κ+1} must have a collision. This is even further magnified by the birthday paradox that it is likely for the sequence {K₁, K₂, . . . K_2κ/2} to contain two identical dynamic keys. If this dynamic key sequence were produced by a discrete, autonomous dynamical system ƒ:{0,1}^κ→{0,1}^κ, then the first collision would determine the periodicity of the key sequence. Instead the orbit O(Γ, Φ, A₁)⊂{0,1}^qis used to derive dynamic keys K₁, K₂. . . Thus, the dimension of O(Γ, Φ, A₁) can be much greater than 2^κ, particularly when q is substantially greater than κ. This observation leads us to machine property 1.

Machine Property 1.

Suppose z∈{0,1}^qhas period m with respect to ϕ. Then z has a preimage attack, by computing m−1 iterations of ϕ.

PROOF. Compute x=ϕ^m−1(z). Then ϕ(x)=ϕ^m(z)=z

The following machine specification helps analyze cryptographic methods 3 and 6.

Machine Specification 4.

A function ϕ:{0,1}^<N→{0,1}^qis regular on its subdomain {0,1}^kwith k≥q if for every y in {0,1}^q, then the intersection of the inverse image ϕ⁻¹(y) and {0,1}^khave the same number of points. This means that for every y in {0,1}^q, then |ϕ⁻¹(y)∩{0,1}^k|=2^k−q.

Machine Property 2.

Suppose function ϕ:{0,1}^<N→{0,1}^qis regular on subdomain {0,1}^q. Then every point in {0,1}^qis a periodic point and lies in a unique periodic orbit with respect to ϕ.

PROOF. By reductio ad absurdum, suppose x in {0,1}^qis not a periodic point. Let k be the smallest positive natural number such that y=ϕ^k(x) is a periodic point. Let m be the period of y. Then ϕ⁻¹(y) contains at least two points ϕ^m−1(y) and ϕ^k−1(x). These two points contradict the regularity condition of ϕ. The uniqueness of x's periodic orbit immediately follows from the equivalence relation ˜ that ϕ induces on {0,1}^q. ¢

When ϕ satisfies the regularity condition on subdomain {0,1}^q, machine properties 1 and 2 are useful because there is no need to search for clever preimage attacks. Instead, the size and number of the periodic orbits of ϕ on {0,1}^qcan be studied. Machine property 3 states that 29 equals the sum of the periods of each periodic orbit with respect to ϕ.

Machine Property 3.

Let function ϕ:{0,1}^<N→{0,1}^qbe regular on subdomain {0,1}^q. Then

$\sum_{[x]} ❘ [x] ❘ = 2^{q}$

where the sum ranges over each equivalence class [x] induced by {tilde over (ϕ)} and |[x]| is the number of points in [x]. That is, |[x]| is the period of x with respect to ϕ. PROOF. {tilde over (ϕ)} is an equivalence relation on {0,1}^q. Apply machine property 2.

Machine property 3 creates a counting tool for finding the probability that a point lies in a periodic orbit with period m. As a simple example, let S: {0,1}→{0,1}⁸be the substitution box used in AES. Then {tilde over (s)} induces the five equivalence classes [0], [1], [4], [11], on {0,1}⁸. The equivalence class [0] has 59 elements. This implies S⁵⁹(0)=0 since S is a bijection. Observe that [11]={11, 43, 241, 161, 50, 35, 38, 247, 104, 69, 110, 159, 219, 185, 86, 177, 200, 232, 155, 20, 250 45, 216, 97, 239, 223, 158}. Also, |[1]|=81, |[4]|=87, |[11]|=27 and |[115]|=2. Moreover, |[0]|+|[1]|+|[4]|+|11|+|[115]|=2⁸.

During a single execution of machine-implemented cryptographic method 3, there is a low probability of encrypting two distinct blocks with identical keys. In other words, when i≠j, the event K_i=K_jhas a low probability. The following lemma helps sharpen the expression “low probability”.

Machine Property 4.

Suppose Φ: {0,1}^<N→{0,1}^qis a (N, σ, ρ, r+m+2) one-way preimage function satisfying the regularity condition on subdomain {0,1}^q, where r, m≥1, N=n+1, and σ=q and ρ=q². Suppose machine M computes Φ on any input x in {0,1}^qin at most q^mcomputational steps. Suppose Alice randomly chooses x in {0,1}^qand computes Φ(x)=y. Suppose Eve only sees y. Set S={x∈{0,1}^q:|O(∛, Φ, A₁)|<q^rand π_q∘Γ(0)=x}. Then

$❘ S ❘ \leq 2^{- \frac{q}{2}} .$

PROOF Outline. Using machine M, Eve computes the orbit [y, Φ(y), Φ²(y), . . . ] with at most q^riterates. After completing the computation of each iterate Φ^k(y), Eve searches for a collision in {y, Φ(y), Φ²(y), . . . Φ^k(y)}. If a collision is found, Eve's machine halts. If Eve's machine reaches Φ^q^r(y) and does not find a collision, then Eve's machine halts.

When there is a collision in {y, Φ(y), Φ²(y), . . . Φ^k(y)}, by machine property 2, the regularity condition implies that y lies in this periodic orbit (equivalence class). Let a=|[y]|. Then machine property 1 implies x=Φ^a−1(y) is the preimage point sought by Eve. If

$❘ S ❘ > 2^{- \frac{q}{2}},$

then Eve's machine will find preimage point x in less than q^r+m−1logq computational steps with probability greater than

$2^{- \frac{q}{2}},$

contradicting that Φ is a (N, σ, ρ, r+m+2) one-way preimage function.

Machine Example 2

Consider Φ₅₁₂, where q=512. Assume m=3 because 512³steps is a more conservative upper bound for a TM (Turing machine) computing Φ₅₁₂on x in {0,1}⁵¹²than 512². If Φ₅₁₂satisfies the regularity condition on subdomain {0,1}⁵¹²and Φ₅₁₂is a (2¹²⁸, q, q², 9) pre-image function, then the probability is ≤2⁻²⁵⁶that the key generator in machine-implemented cryptographic method 3 has an orbit satisfying |O(Γ, Φ₅₁₂, A₃)|<q⁴; with probability at least 1−2⁻²⁵⁶, whenever j≠k, then Γ(j)≠Γ(k) for an encryption length up to 8.5 billion bytes. Seeing two identical keys that encrypt distinct blocks requires a SHA-512 collision after only 134,217,728 iterations of SHA-512. Currently, no mathematical proof exists of Φ₅₁₂'s one-wayness; however, (2¹²⁸, q, q², 9) seems conservative based on the biclique preimage attack that depends on a reduced 50 rounds instead of the standard 80 rounds.

Remark 9.

In the prior art, standard block cipher algorithms such as AES, Serpent or DES must not reveal the static key to Eve: in the prior art, if the static key is compromised, the cryptographic security is fatally compromised. The embodiments decribed in this specification are superior: If a dynamic key used in machine-implemented cryptographic methods 3, 5, 6 and 7 is compromised to Eve, this this compromise does not reveal prior dynamic keys and future dynamic keys used by block cipher A.

To construct future dynamic keys K_ksuch that k>j, Eve must find the preimage point Γ(j), the jth key generator. In machine-implements cryptographic method 3, suppose the block cipher A is AES-256, q=512 and n=1024 and suppose a processor backdoor leaks a 256-bit key K_leakto Eve. Even after the leak, constructing future keys requires Eve knowing Γ(j). For machine-implemented algorithm 3, constructing future keys involves considerably more computational steps for Eve than finding a single, preimage point x in {0,1}¹⁰²⁴such that Φ₅₁₂(x)=K_leak. If Φ₅₁₂is regular on subdomain {0,1}¹⁰²⁴, then |Φ⁻¹₅₁₂(K_leak)|=2⁵¹². The regularity condition implies Eve must guess Γ(j) from 2⁵¹²possible preimage points. When Eve attempts to find dynamic keys that precede K_ji, she has even less information available than when she is attempting to construct future keys. While the last n-q bits of Γ(j) are invariant, even if Eve knows key generator Γ(j), Eve's knowledge does not enable her to immediately capture Γ(j−1) because Φ₅₁₂(Γ_j−1,0. . . Γ_j−1,q−1)=Γ_j,0. . . Γ_j,q−1and Φ₅₁₂is resistant to preimage attacks.

Remark 10.

A Boolean function ƒ: {0,1}ⁿ→{0,1} can be expressed as

$f (x_{1}, \dots x_{n}) = \sum_{a \in {0, 1}^{n}} c_{a} {x_{1}}^{a_{1}} \dots {x_{n}}^{a_{n}} over 𝔽 [x_{1}, \dots, x_{n}] / (x_{1}^{2} - x_{1}, \dots, x_{n}^{2} - x_{n}) where c_{a} = \sum_{x \leq a} f (x_{1}, \dots x_{n}) and x \leq a$

if and only if x_i≤a_ifor each i. The algebraic degree of ƒ is defined as deg ƒ=max{wt(a):a∈{0,1}ⁿand c_a≠0}, where wt(a) is the Hamming weight of a. For each i such that 1≤i≤n, consider function ƒ_i:{0,1}ⁿ→{0,1} and function F:{0,1}ⁿ→{0,1}ⁿ, defined as F(x)=(ƒ₁(x), ƒ₂(x), . . . , ƒ_n(x)). The algebraic degree of F=max{degf₁, degf₂, . . . , degf_n)}. For a static AES key K, the AES encryption function E_K:{0,1}¹²⁸→{0,1}¹²⁸has an algebraic degree ≤128 and E_Kis a function of 128 Boolean variables. It is well-know that a Boolean function's resistance to differential cryptanalysis and higher order differentials depends on its algebraic degree and how quickly its degree can be reduced by taking discrete derivatives [53, 54, 55].

Set M=|O(Γ, Φ, A₆)|. For each dynamic key K_i, let E_K_i:{0,1}¹²⁸→{0,1}¹²⁸, denote the block cipher encryption function; this block cipher may be AES, Serpent or another block cipher, whose block size is 16 bytes. During execution of machine-implemented cryptographic method 6, there are 4M distinct functions E_K₀. . . E_K_4M−1, where encryption function E_K₀is applied to plaintext block M₀, encryption function E_K₁is applied to block M₁, and so on. This sequence of encryptions induces a function ƒ_Γ: {0,1}^512M→{0, 1}^512M, where ƒ_Γ=(ƒ₁, ƒ₂, . . . , ƒ_512M). As discussed in machine example 2, even for an extremely rare event such as a collision after only 134,217,728 iterations of SHA-512 (if such an orbit exists), the induced ƒ_Γ=(ƒ₁, ƒ₂, . . . , ƒ_512M) will be a function of 68,719,476,736 Boolean variables versus 128 Boolean variables for E_K. The cipher block chaining and key generator orbit create a composition of the block cipher encryption functions E_K₀, E_K₁, . . . .

For example, C₂=E_K₂(M₂⊕E_K₁(M₁⊕E_K₀(M₀⊕C₋₁))). Thus, functions ƒ_1+128k. . . ƒ_128(k+1)are a function of the 128(k+1) variables x₁, . . . , x_128(k+1)for 0≤k<4M. Overall, this remark (and the fact that 68,719,476,736 is far greater than 128) explains how machine-implemented cryptographic method 6 substantially increases the algebraic degree above the maximum algebraic degree of the underlying block cipher that uses a static key in the prior art.

6.6 DYNAMIC KEYS Stop a Generic Block Cipher Attack

The dynamic keys, derived in machine-implemented cryptographic methods 3, 5, 6 and 7, help stop Huang and Lai's generic block cipher attack [56], which is described below in Huang and Lai's algorithm 8. The following list describes the symbols, used in their attack algorithm 8.

- P plaintext
- C ciphertext
- n block size
- K master key
- k master key size
- R number of rounds
- S non-linear layer
- L linear layer
- K^rsubkey used in round r
- X^rinput block to round r where X⁰=P
- Y^routput block of the key mixing in round r
- Z^routput block of the nonlinear layer in round r
- Z_i^rith subblock in Z^r

S₁is the internal state that can be calculated from P only with k₁bits of subkeys, where k₁is the maximum smaller than k that can be obtained. Similarly, S₂is the internal state that can be derived from C only with (other) k₁bits of subkeys. For any block cipher, the states of S₁and S₂can be found. The attack algorithm has two stages: 1. A meet-in-the-middle stage generates the candidate list containing 2^k−Mkeys, where M is the met intermediate size. 2. A check stage that examines the keys in the candidate list.

Algorithm 8. Generic Block Cipher Attack

Data : ⌈ \frac{k}{n} ⌉ + 1 (plaintext, ciphertext) pairs

Result: the output key K

1
for each value in the 1st k₁key bits {

2
compute S₁from P with these k₁bits

3
for each value in the remaining k − k₁bits {

4

compute {Z_{0}}^{⌊ \frac{R}{2} ⌋} from S_{1}

store {Z_{0}}^{⌊ \frac{R}{2} ⌋} in a table corresponding to the guessed

key

6
}

7
}

8
for each value in the last k₁key bits {

9
compute S₂from C with these k₂bits

10
for each value in the remaining k − k₁bits {

11

compute {Z_{0}}^{⌊ \frac{R}{2} ⌋} f rom S_{2}

if {Z_{0}}^{⌊ \frac{R}{2} ⌋} corresponding to the guessed key is in

the table {

13
add guessed key to candidate list

14
move onto the next guess

15
}

16
else move onto the next guess

17
}

18
}

19

Check keys in candidate list with other ⌈ \frac{k}{n} ⌉

(plaintext, ciphertext) pairs

Line numbers were added to this attack algorithm [56] to help explain how machine-implemented cryptographic methods 3 and 6 hinder this attack.

Algorithm 8's method of using a candidate key list to find the static key of the block cipher is not effective against machine-implemented cryptographic methods 3 and 6. To illustrate this, consider machine-implemented cryptographic method 3, for example, using a 16-byte block cipher such as Serpent, with q=512 and n=768. After each 16 byte block is encrypted, the candidate list of keys changes because the next 256-bit key is derived from an updated key generator Γ_j,0. . . Γ_j,767and the average Hamming distance between Γ_j,0. . . Γ_j,511and Γ_j−1,0. . . Γ_j−1,511is 256. Consider machine-implemented cryptographic method 3, encrypting 25,600 bytes of voice data per second. At this rate, a one hour phone conversation requires a key generator orbit (Γ_0,0. . . Γ_0,511), Φ₅₁₂(Γ_0,0. . . Γ_0,511) . . . Φ₅₁₂^1440000(Γ_0,0. . . Γ_0,511) with size 1,440,001. If a collision occurred in this orbit during a one hour phone call, then machine property 1 provides a devastating, preimage attack on SHA-512 with at most 1,440,000 iterations of SHA-512. Based on an extremely low probability of this rare event (such orbits may not even exist), a collision would also imply that SHA-512 does not satisfy any reasonable values of (2¹²⁸, σ, ρ, r) preimage complexity. “Reasonable” means not constraining Eve's machine P so much that she cannot compute, for example, SHA-512. Consider ρ=1, so machine P can have only one state.

Recall that the biclique preimage attack [52] (on a reduced 50 rounds of SHA-512 instead of the complete 80) has an estimated preimage complexity of 2^511.5. For a typical orbit, it is extremely likely that O(Γ, Φ₅₁₂, A₃) has a size far greater than the number of SHA-512 iterations needed to provide a complete encryption for any foreseeable application. In this case, the assumption that there are ┌n^k┘ (plaintext, ciphertext). pairs does not hold for method 3. Furthermore, the lack of ┌n^k┘ (plaintext, ciphertext) pairs invalidates the effectiveness of the loop composed of lines 1 through 7 and the loop composed of lines 8 through 18.

6.7 Integrating the H, P and S Processes

Information 104 in FIG. 1A that has not been encrypted is called plaintext or a message: Please wire $50,000 to account 349-921118. Information that has been encrypted is sometimes called ciphertext: +,−3y=0z14.*5A,0QxR4cie;iu-j″:9b!2P-)1X[0t. In some embodiments, information may consist of voice data that is trans-mitted across the Internet, using a voice over Internet protocol. Square brackets [ ] represent a sequence. The sequence [0, 1] is not the same sequence as [1, 0]; the order matters. A NADO cryptographic method consisting of an H process 130 in FIG. 1B, a P process 132 in FIG. 1B and an S process 134 in FIG. 1B is described below. In some embodiments, the order of the H process, S process and P process may rearranged with order generator 128. In some embodiments, one or two of the processes may be omitted.

Encryption. Consider a block of plaintext of size M=N, where N is the size of the output of the block cipher used and J is a natural number i.e., {1, 2, 3, . . . , 8, . . . , 16, . . . ,}. This part describes an encryption process S∘P∘H, where stage 1 is process H, stage 2 is process P and stage 3 is process S. Plaintext B=B=[B₁, B₂. . . , B_J] is the current block that will be encrypted where each subblock B_khas size N.

- 1. Process H uses at least some of the current key generator K_H(1) to derive a key that the block cipher uses to encrypt the first plaintext block of size N bytes, represented as H(B₁, K_H(1)) The symbol H represents the encryption performed by the block cipher used in the H process. Then the H process updates key generator K_H(1) to key generator K_H(2). Some of K_H(2) is used to derive a new key for the block cipher in order to encrypt the second subblock B₂represented as H(B₂, K_H(2)). This encryption of each subblock B_koccurs J times until the last one is encrypted as H(B_J, K_H(J)). FIG. 5A shows enhanced AES-256 as the block cipher, where M=256 bytes (2048 bits). FIG. 5B shows enhanced DES implementing the block cipher, where M=64 bytes (512 bits).
- 2. Process P uses at least some of the current value of key generator K_Pto update the permutation μ: {1, 2, . . . , M}→{1, 2, . . . , M}. Then the permutation permutes the encrypted M bits received from process H to [c₁, c₂, . . . c_M], where each c_j=b_μ(j). Permutation μ diffuses the partially encrypted plaintext from process H over a block of size M bits. A portion of the current key generator K_Pis updated using a one-way hash function: this means that the permutation μ used for the next block of size M will usually be quite different.

FIG. 6B shows an example of the P process diffusing bits of information across a 512 bit block. In FIG. 6b, μ sends bit 181 to bit 267 and also maps bit 311 to bit 1. FIG. 6A shows an example of the P process diffusing bits of information across a 6 bit block. For the example in FIG. 5A, μ permutes the bits across a 2048 bit block.

3. Process S uses at least some of the current key generator K_Sto generate a substitution box, represented as σ₁. σ₁: {0,1, . . . , K−1}→{0,1, . . . , K−1} further encrypts the first element of the block from step 2 as σ₁(c₁, . . . c_K) where each c_jis the jth bit received from process P. In some embodiments, σ₁is updated to σ₂: {0,1, . . . , K−1}→{0,1, . . . , K−1} so that σ₂≠σ₁; in other embodiments, σ₁may not be updated so that σ₂=σ₁. σ₂further encrypts the second element c_K+1. . . c_2Kof the M bit block from process P as σ₂(c_K+1. . . c_2K) and so on all the way up to σ_n(c_(n−1)K+1. . . c_nK). This completely encrypted block of M bits is [e₁, e₂. . . e_n] where the jth completely encrypted element is e_j=σ_j(c_(j−1)K+1. . . c_jK) and M=K_n. The current key generator K_Sis updated using a one-way hash function. This means that the updated substitution box for the next block is usually quite different from the previous substitution box.

Decryption. For each block of ciphertext of size M=JN, this part describes a decryption process H⁻¹∘P⁻¹∘S⁻¹in 3 stages. Ciphertext [e₁, e₂. . . e_M] is the current block that will be decrypted where M=K_n.

- 1. Process S uses at least some of the current key generator K_Sto create a substitution box, represented as σ₁⁻¹. σ₁⁻¹further decrypts the first element of the block as σ₁⁻¹(e₁). In some embodiments, σ₁⁻¹is updated to σ₂⁻¹so that σ₁⁻¹≠σ₂⁻¹. In other embodiments, σ₁⁻¹may not be updated so that σ₂⁻¹=σ₁⁻¹. σ₂⁻¹further decrypts the second element of the block as σ₂⁻¹(e₂) and so on all the way up to σ_n⁻¹(e_n). This partially decrypted block is [d₁, d₂. . . d_n] where the kth partially decrypted element is d_k=σ_k⁻¹(e_k). The current key generator K_Sis updated using a one-way hash function: This means that the substitution box for the next block that will be decrypted is usually quite different.
- 2. Process P uses at least some of the current key generator K_Pto create an inverse permutation μ⁻¹:{1, . . . M}→{1, . . . M} and permutes the block received from stage one to [d_μ₋₁₍₁₎, d_μ₋₁₍₂₎. . . d_μ₋₁_(M)]. Over a block of size M, permutation μ⁻¹unscrambles the partially decrypted ciphertext received from stage 1 (decryption process S). A portion of the current key generator K_Pis updated using a one-way hash function: this means that the permutation μ⁻¹used for the next block is usually quite different.
- 3. After process P is completed, the encrypted subblocks of size N bytes are [H(B₁,K_H(1)), . . . , H(B_J, K_H(J))]. Process H uses at least some of the current key generator K_Hto derive a key that completely decrypts the first subblock as H⁻¹[H(B₁, K_H(1)), K_H(1)]=B₁where symbol H⁻¹represents the decryption algorithm of the block cipher in process H. Then key generator K_H(1) is updated to K_H(2). Using some of K_H(2) to derive a new key, the block cipher decrypts the second encrypted subblock H⁻¹[H(B₂, K_H(2)), K_H(2)]=B₂. This decryption of each subblock H⁻¹[H(B_j, K_H(j)), K_H(j)]=B; is performed times by the block cipher. The current key generator K_H(j) is updated using a one-way hash function after the decryption of each subblock. In some embodiments, the key generator update occurs after the decryption subblocks B₂, B₄, B₆. . . but not after the decryption of subblocks B₁, B₃, B₅In other embodiments, the key generator update occurs only after subblocks B₁, B₃, B₅. . . but not after the subblocks B₂, B₄, B₆In some embodiments, the key generator update occurs after every fourth subblock of decryption. Overall, this computes the completely decrypted block [B₁, . . . . B_J].

In other embodiments, during encryption, process H may be executed after the S or P process. For example, an embodiment may compute H∘P∘S as the encryption. This means the H process is executed in stage 3 and the S process is executed in stage 1. For the nth block B of size M, formally this encryption computation is represented as H(P(S(B, K_S(n)), K_P(n)), K_H(n)), where K_S(n) is the key generator for process S on the nth block; K_P(n) is the key generator for process P on the nth block; and where K_H(n) is the key generator for process H on the nth block.

In other embodiments, the H process may be performed in the second stage. For example, S∘H∘P may be computed as the encryption. In an embodiment, an order generator K_O(n) may be used to determine the order of processes H, S, P for the encryption of the nth block B of size M. For example, in the first block, during encryption, S∘H∘P may perform the encryption computation. In the second block, H∘S∘P may perform the encryption computation. In the third block, H∘P∘S may perform the encryption computation. In the fourth block, P∘S∘H may perform the encryption and so on. In embodiment, the order generator K_O(n) may be updated to K_O(n+1) for the (n+1)th block, according to the key generator updating methods, described in section 6.9.

6.8 Cryptographic Hardware and Infrastructure

FIG. 1D shows an embodiment of a non-deterministic process, which detects arrival times of photons. Arrival times of photons are considered quantum events. FIG. 1D shows an example of an embodiment of non-deterministic generator 136. hν refers to the energy of the photon that arrives where h is Planck's constant and ν is the frequency. In an embodiment, three consecutive arrival times t₁<t₂<t₃of three consecutive photons may be compared. If t₂−t₁>t₃−t₂, then non-deterministic generator 142 produces a 1 bit. If t₂−t₁<t₃−t₂, then non-deterministic generator 142 produces a 0 bit. If t₂−t₁=t₃−t₂, then no non-deterministic information is produced and three more arrival times are sampled by this non-deterministic process.

Information system 200 illustrates some of the variations of the manners of implementing information system 100. Sending machine 202 is one embodiment of sending machine 101. Sending machine 202 may be a secure USB memory storage device as shown in 3A. Sending machine 202 may be an authentication token as shown in FIG. 3B. A mobile phone embodiment of sending machine 202 is shown in FIG. 4.

Sending machine 202 or sending machine 400 may communicate wirelessly with computer 204. In an embodiment, computer 204 may be a call station for receiving encrypted plaintext 109 from sending machine 400. A user may use input system 254 and output system 252 of sending machine (mobile phone) 400 to transmit encrypted voice data to a receiving machine that is a mobile phone. In an embodiment, input system 254 in FIG. 2B includes a microphone that is integrated with sending machine (mobile phone) 400. In an embodiment, output system 252 in FIG. 2B includes a speaker that is integrated with sending machine (mobile phone) 400. In another embodiment, sending machine 202 is capable of being plugged into and communicating with computer 204 or with other systems via computer 204.

Computer 204 is connected to system 210, and is connected, via network 212, to system 214, system 216, and system 218, which is connected to system 220. Network 212 may be any one or any combination of one or more Local Area Networks (LANs), Wide Area Networks (WANs), wireless networks, telephones networks, and/or other networks. System 218 may be directly connected to system 220 or connected via a LAN to system 220. Network 212 and system 214, 216, 218, and 220 may represent Internet servers or nodes that route encrypted plaintext (voice data) received from sending machine 400 shown in FIG. 4. In FIG. 2A, system 214, 216, 218, and system 220 and network 212 may together serve as a transmission path 110 for encrypted plaintext 109. In an embodiment, system 214, 216, 218, and system 220 and network 212 may execute the Internet protocol stack in order to serve as transmission path 110 for encrypted plaintext 109. In an embodiment, encrypted plaintext 109 may be voice data. In an embodiment, encrypted plaintext 109 may be routing data. In an embodiment, encrypted plaintext 109 may be email. In an embodiment, encrypted plaintext 109 may be text data sent from sending machine 400.

In FIG. 1B, encryption process 122 may be implemented by any of, a part of any of, or any combination of any of system 210, network 212, system 214, system 216, system 218, and/or system 220. As an example, routing information of transmission path 110 may be encrypted using encryption process 122 that executes in system computer 210, network computers 212, system computer 214, system computer 216, system computer 218, and/or system computer 220. Encryption process 106 may be executed inside sending machine 400 and decryption process 116 may be executed inside receiving machine 400 in FIG. 4.

In an embodiment, the NADO processes H, P and S execute in a secure area of processor system 258 of FIG. 2B. In an embodiment, specialized hardware in processor system 258 may be implemented to speed up the computation of the one-way functions 126 in FIG. 1B that are used in processes H, P and S. In an embodiment, this specialized hardware in processor system 258 may be embodied as an ASIC (application specific integrated circuit) that computes SHA-1 and/or SHA-512 and/or Keccak and/or BLAKE and/or JH and/or Skein. An ASIC chip can increase the execution speed of the computation of processes H, P and S. In an embodiment, input system 254 receives voice data and sends it to processor system 258 where the voice data is encrypted. Output system 252 sends the encrypted voice data 109 to a telecommunication network 212. In an embodiment, memory system 256 stores key generators 124 and permutation data structures and process H block cipher instructions 130 as described in section 6.11, titled DERIVING A BLOCK CIPHER KEY FROM A GENERATOR. In another embodiment, memory system 256 stores process H state generator instructions as described in section 6.17, titled PROCESS HAS A STATE GENERATOR.

A state refers to a particular value or set of values of any set of one or more internal variables, where the manner in which operations are carried out are affected by the choice of the value or the set of values that make up the state. A state generator performs one or more operations to update a state.

In an embodiment, memory system 256 stores process P permutation instructions 132 as described in section 6.13, titled The P PROCESS: PERMUTING INFORMATION and section 6.15, titled UPDATING PERMUTATIONS IN THE S OR P PROCESS. In an embodiment, memory system 256 stores process S substitution box instructions 134, as described in section 6.16, titled THE S PROCESS and section 6.15, titled UPDATING PERMUTATIONS IN THE S OR P PROCESS. In an embodiment, memory system 256 stores encrypted voice data that is waiting to be sent to output system 252 and sent out along transmission path 110, routed and served by system computers 210, 214, 216, 218 and 220 and network 212.

In an embodiment, the H process instructions 130, the P process instructions 132 and S process instructions 134 execute in a secure area of processor system 258 that is inside self-contained USB drive shown in FIG. 3A. In an embodiment, encryption process 122 encrypts data stored on the USB drive to protect the data's privacy. In an embodiment, the H process 130, the P process 132 and the S process 134 encrypt a voice conversation in a secure area of processor system 258 is inside mobile phone 400 that is an embodiment of sending machine 102 and receiving machine 112). In an embodiment, in FIG. 1B, the H process 130 and/or P process 132 and/or S process execute in a secure area of each processor system 258 (FIG. 2B) that is contained inside system computers 210, 214, 216, 218 and 220 and inside network 212, shown in FIG. 2A.

6.9 an Alternative Embodiment of Key Generator Updating with One-Way Functions

The binary operator ⊕ represents addition modulo 2 (mathematicians) or exclusive-or (computer scientists). ⊕ is defined as: 1 ⊕0=1. 0⊕1=1. 0 ⊕0=0. 1 ⊕1=0. If k and d represent more than one bit and have the same length in bits, then the bitwise exclusive-or function is defined by applying ⊕ to corresponding bits. As an example, suppose the key generator k=[10110000], and the digest d=[00101110]. In this case, ⊕(k, d)=[1⊕0, 0⊕0, 1⊕1, 1⊕0, 0⊕1, 0⊕1, 0⊕0]=[10011110].

Suppose K=[k₀, k₁. . . , k_n−1] is the current key generator. In the description below, K may represent the current key generator K_Pused in the P process; or K may be the current key generator K_Hused in the H process; or S may be the current key generator K_Sused in the S process.

Let Φ denote a one-way hash function. In an embodiment, Φ may be SHA-512. In an embodiment, Φ may be SHA-1. In another embodiment Ø may be Keccak. In another embodiment Φ may be BLAKE. In another embodiment Φ may be JH. In another embodiment Φ may be GrØstl. In another embodiment, Φ may be Skein.

Suppose the digest size of Φ is q elements. Let K_m=[k₀, k₁. . . k_m−1] where m≤n. Let the output of the one-way hash Φ on input K_mbe Φ(K_m)=[d₀, d₁, . . . d_q−1] where q<n. After the last round of encryption or decryption, in an embodiment, the key generator K may be updated to K_next, where K_next=[k_n−1⊕d₀, k₀⊕d₁, k₁⊕d₂, . . . , k_q−2⊕d_q−1, k_q−1, . . . k_n−2]. This computation of K_nextis shown in FIG. 7.

The purpose of the rotation and one-way hash of part of the key generator is to exploit the avalanche effect of the one-way function. The exclusive-or operation ⊕ mixes the output of the one-way hash function, by not skewing what ideally should be a 50% probability of each bit being 0 or 1. The rotation enables the key generator update to use a much larger key generator than the key size used by the H, P or S process. For example, the standard AES-256 block cipher uses a static 256-bit key. However, key generator K_Hfor the H process may be greater than 512 bits. A much larger key generator that is dynamically updated using a one-way function enables NADO to significantly enhance the cryptographic strength of the block cipher when a block cipher is used in process H. The rotation eventually mixes the output of the one-way hash function even if the one-way function is SHA-1 which has an output size of only 160 bits.

The following C code implements the above computation with the following assumptions. Each subscript above indexes a byte (8 bits) of unsigned char. Each element K[i] is an unsigned char. In the C syntax, the symbol {circumflex over ( )}performs the bitwise exclusive-or computation, represented above as ⊕. The symbol {circumflex over ( )} is above the numeral 6 on a standard American computer keyboard. Function one_way_hash (unsigned char* d, unsigned char* K, int K_length) implements one-way hash function Φ, where int K_length is the size of input K[_O] . . . . K[m−1] to function one_way_hash.

unsigned char temp;

int i;

unsigned char d[q];

temp = K[n−1];

/* Rotate the circular array of unsigned char one byte to the right. */

memmove(K+1, K, n−1);

/* K[n−1] is rotated into K[0] */

K[0] = temp;

/* Hash n bytes of the key and store the digest in d */

one_way_hash(d, K, n);

/* {circumflex over ( )} is the exclusive-or in C syntax. */

for(i = 0; i < q; i++)

{

K[i] = K[i] {circumflex over ( )} d[i];

}

K may refer to the H process key generator K_H(i) where after the update K_nextis the name of H process key generator K_H(i+1) as described in section 6.7. Similarly, in the C code listing, K may refer to the P process key generator K_P(i) where after the update K_nextis the name of P process key generator K_P(i+1). Similarly, symbol K may refer to the S process key generator K_S(i) where after the update K_nextis the name of S process key generator K_S(i+1). Similarly, symbol K in the C code listing or above may refer to the order generator K_O(i) being updated to K_O(i+1). The C code above executes generator updating that corresponds to rotating the key generator K by one to the right. The three instructions

- temp=K[n−1];
- memmove (K+1, K, n−1);
- K[0]=temp;

rotate the circular array K[0], K[1], . . . . K[n−1] by one to the right, where it is understood that key generator value K[0] lies one to the right of key generator value K[n−1]. In FIG. 7, the arrows indicate this rotation of the circular array, storing the key generator.

In another embodiment, after the prior round of encryption or decryption, the key generator K may be updated to K_next, by first rotating K one element to the left and then exclusive-or′ing this rotated K key with the one-way hash of K_m. In this embodiment, K_next=[k₁⊕d₀, k₂⊕d₁, . . . k_q⊕d_q−1, k_q+1, . . . , k_n−1, k₀]. In other embodiment, key generator K may be rotated left by i elements where 1<i<n. For example, K may be rotated left by i=5 elements. In other embodiment, key generator K may be rotated right by j elements where 1<j<n. When q=n, an embodiment may choose to NOT rotate key K before the one-way hash of K_mis exclusive-or'd with elements of K. In another embodiment, the key generator K_Hfor the process H is updated in this way after one byte of information has been encrypted as described in section 6.17.

In what follows, a key generator update of K_Pfor | K_P|=512 bits is described that uses one-way hash SHA-512. This demonstrates how the updated key generator K_Pchanges and how

$\frac{1}{2} ❘ K_{P} (n) ❘ = 256 bits .$

the Hamming distance between K_P(n) and K_P(n+1) stays close to Below is K_P(1) represented as bytes. Each byte is represented by a number between 0 and 255 inclusive.

250
133
237
118
205
252
77
62
207
103
68
102
187
63
204
237

44
238
49
189
137
29
132
206
193
202
190
160
218
224
6
113

69
168
125
49
88
211
155
14
91
182
14
190
133
198
117
201

14
40
203
127
170
189
55
49
2
225
115
40
105
150
231
35

Below is key generator K_P(1) represented as 512 bits.

11111010
10000101
11101101
01110110
11001101
11111100
01001101
00111110

11001111
01100111
01000100
01100110
10111011
00111111
11001100
11101101

00101100
11101110
00110001
10111101
10001001
00011101
10000100
11001110

11000001
11001010
10111110
10100000
11011010
11100000
00000110
01110001

01000101
10101000
01111101
00110001
01011000
11010011
10011011
00001110

01011011
10110110
00001110
10111110
10000101
11000110
01110101
11001001

00001110
00101000
11001011
01111111
10101010
10111101
00110111
00110001

00000010
11100001
01110011
00101000
01101001
10010110
11100111
00100011

Observe that 250 represents 11111010 and 133 represents 10000101 and so on all the way to the last byte where 35 represents 00100011. Below is K_P(2) represented as 64 bytes.

206
177
181
190
54
245
37
133
212
75
184
82
211
46
139
52

237
84
12
169
85
246
170
250
155
130
142
172
130
119
220
220

134
243
71
138
181
212
215
215
173
229
60
192
96
171
167
56

147
160
133
16
229
13
2
58
183
238
98
52
2
208
219
43

Below is K_P(2) represented as 512 bits.

11001110
10110001
10110101
10111110
00110110
11110101
00100101
10000101

11010100
01001011
10111000
01010010
11010011
00101110
10001011
00110100

11101101
01010100
00001100
10101001
01010101
11110110
10101010
11111010

10011011
10000010
10001110
10101100
10000010
01110111
11011100
11011100

10000110
11110011
01000111
10001010
10110101
11010100
11010111
11010111

10101101
11100101
00111100
11000000
01100000
10101011
10100111
00111000

10010011
10100000
10000101
00010000
11100101
00001101
00000010
00111010

10110111
11101110
01100010
00110100
00000010
11010000
11011011
00101011

Below is K_P(1)⊕K_P(2) represented as 512 bits.

00110100
00110100
01011000
11001000
11111011
00001001
01101000
10111011

00011011
00101100
11111100
00110100
01101000
00010001
01000111
11011001

11000001
10111010
00111101
00010100
11011100
11101011
00101110
00110100

01011010
01001000
00110000
00001100
01011000
10010111
11011010
10101101

11000011
01011011
00111010
10111011
11101101
00000111
01001100
11011001

11110110
01010011
00110010
01111110
11100101
01101101
11010010
11110001

10011101
10001000
01001110
01101111
01001111
10110000
00110101
00001011

10110101
00001111
00010001
00011100
01101011
01000110
00111100
00001000

The Hamming distance between K_P(1) and K_P(2) is the number of ones in K_P(1)⊕K_P(2), which is 254. Observe that 254 is about 0.496 which is close to 50%. The value

$\frac{1}{2} ❘ K_{P} (n) ❘ = 256$

is the expected value for the Hamming distance between consecutive key generators updated by a true random process with a uniform distribution. A uniform distribution means that there is a 50% probability of the next bit being a zero and a 50% probability of the next bit being a one. In some embodiments, it is preferable for the Hamming distance between consecutive key generators to be in the range of 40 percent to 60 percent of the total number of bits in one of the key generators. For example, if two consecutive key generators each have a length of 1000 bits, then in these embodiments, it is preferable for the Hamming distance between the two key generators to be between 400 and 600.

Below is K_P(3) represented as 64 bytes.

217
213
34
123
224
13
79
215
178
250
130
135
7
162
155
232

164
195
15
117
197
10
19
132
114
65
154
37
114
150
190
205

148
98
244
113
195
156
224
194
229
239
235
202
184
141
85
37

19
64
82
1
2
83
56
165
10
203
217
14
90
247
202
218

Below is K_P(3) represented as 512 bits.

11011001
11010101
00100010
01111011
11100000
00001101
01001111
11010111

10110010
11111010
10000010
10000111
00000111
10100010
10011011
11101000

10100100
11000011
00001111
01110101
11000101
00001010
00010011
10000100

01110010
01000001
10011010
00100101
01110010
10010110
10111110
11001101

10010100
01100010
11110100
01110001
11000011
10011100
11100000
11000010

11100101
11101111
11101011
11001010
10111000
10001101
01010101
00100101

00010011
01000000
01010010
00000001
00000010
01010011
00111000
10100101

00001010
11001011
11011001
00001110
01011010
11110111
11001010
11011010

Below is K_P(2)⊕K_P(3) represented as 512 bits.

00010111
01100100
10010111
11000101
11010110
11111000
01101010
01010010

01100110
10110001
00111010
11010101
11010100
10001100
00010000
11011100

01001001
10010111
00000011
11011100
10010000
11111100
10111001
01111110

11101001
11000011
00010100
10001001
11110000
11100001
01100010
00010001

00010010
10010001
10110011
11111011
01110110
01001000
00110111
00010101

01001000
00001010
11010111
00001010
11011000
00100110
11110010
00011101

10000000
11100000
11010111
00010001
11100111
01011110
00111010
10011111

10111101
00100101
10111011
00111010
01011000
00100111
00010001
11110001

The Hamming distance between key generator K_P(2) and key generator K_P(3) is 250. In order to illustrate the other statement that the order of the zeroes and ones changes unpredictably between consecutive key generator updates, we compute (K_P(1)⊕K_P(2))⊕(K_P(2) ⊕K_P(3))=K_P(1)⊕K_P(3).

00100011
01010000
11001111
00001101
00101101
11110001
00000010
11101001

01111101
10011101
11000110
11100001
10111100
10011101
01010111
00000101

10001000
00101101
00111110
11001000
01001100
00010111
10010111
01001010

10110011
10001011
00100100
10000101
10101000
01110110
10111000
10111100

11010001
11001010
10001001
01000000
10011011
01001111
01111011
11001100

10111110
01011001
11100101
01110100
00111101
01001011
00100000
11101100

00011101
01101000
10011001
01111110
10101000
11101110
00001111
10010100

00001000
00101010
10101010
00100110
00110011
01100001
00101101
11111001

The number of ones in K_P(1)⊕K_P(3) is 252 which is close to 50%. Analogous to the second derivative in calculus, this computation illustrates the statement that the order of the zeroes and ones is unpredictable and close to the expected value of a random process with a uniform distribution.

In some embodiments, in each process, a different one-way hash function may be used for key generator updating. In an embodiment, Keccak may be used to update the key generator in process H. BLAKE may be used to update the key generator in process P; and SHA-512 may be used to update the key generator in process S. In section 6.15, titled UPDATING PERMUTATIONS IN THE S OR P PROCESS, further details are provided on how to update the permutation u based on one of the nth key generators K_H(n) or K_P(n) or K_S(n).

6.10 Process has a Block Cipher

FIG. 5A shows an embodiment of process H. The block size is M=256 bytes of information and enhanced AES-256 encrypts 16 of these subblocks, labeled B₁, B₂, . . . , B₁₆Each of these 16 byte subblocks BR are encrypted with a different key due to the key generator updating. The function symbol S represents the encryption by enhanced AES. B₁represents bytes 1 to 16 of the 256 byte block. S(B₁, K_H(1)) indicates that subblock B, is encrypted with a 256-bit key derived from the current value of key generator K_Hindicated as K_h(1). B₆represents bytes 81 to 96 of the 256 byte block. S (B₆, K_H(6)) indicates that B₆is encrypted with a 256-bit key derived from the current key generator K_H(6). B₁₅represents bytes 225 to 240 of the 256 byte block. S B₁₅, K_H(15)) indicates that B₁₅is encrypted with a 256-bit key derived from the current key generator K_H(15). The 15 inside the parentheses indicates that key generator H has been updated 15 times since its initial value K_H(0).

FIG. 5B shows another embodiment of the H process being implemented with the enhanced DES block cipher. The NADO block size is 64 bytes of information and enhanced DES encrypts 8 of these subblocks, labeled B₁, B₂, . . . , B₈. In an embodiment, each of these 8 byte subblocks B_kare encrypted with a different 56-bit key due to the key generator updating. The function symbol Δ represents the encryption performed on a subblock of 8 bytes. B₁refers to bytes 1 to 8 of the 64 byte block. Δ(B₁, K_H(1)) indicates that B₁is encrypted with a 56-bit enhanced DES key derived from the value of the key generator K_H(1). B₃refers to bytes 17 to 24 of the 64 byte block. Δ(B₃, K_H(3)) indicates that B₃is encrypted with a 56-bit key derived from the current value of key generator K_H(3).

Before an embodiment with key updating for enhanced AES-256 is described below, the standard AES block cipher is briefly described. There is a 128-bit state. Standard AES supports three static key sizes: 128, 192, and 256 bits and is a 16 byte block cipher that uses 10 rounds for a static 128-bit key; 12 rounds for a static 192-bit key and 14 rounds for a static 256-bit key. The internal state can be represented as a 4×4 matrix of bytes. During each round, the internal state is transformed by the following operations:

- 1. SubBytes applies a substitution box S: {0,1 . . . 255}→{0,1 . . . 255}, denoted below as unsigned char S_BOX [256], to each byte of the state.
- 2. ShiftRows computes a cyclic shift of each row of the state matrix by some amount k.
- 3. MixColumns computes columnwise matrix multiplication.
- 4. AddRoundKey computes an exclusive-or of the state with the subkey.

An additional AddRoundKey operation is performed before the first round. The MixColumns operation is omitted in the last round. The key schedule produces eleven, thirteen or fifteen 128-bit subkeys from master static keys of sizes 128, 192 or 256 bits, respectively. The block ciphers are referred to as standard AES-128, standard AES-192 and standard AES-256, respectively, where the number specifies the master key size. Each 128-bit subkey contains four words. A word is a 32-bit quantity which is denoted by W[·].

Let the number of rounds be N_r. Let the number of 32-bit words in the master key be N_k. Standard AES-128 has N_r=10 and N_k=4. Standard AES-256 has N_r=14 and N_k=8. Below is the key schedule expressed in pseudo-code.

For i = 0 ... N_k− 1

W[i] = K[i] where K[i] is a 32-bit word of the master key.

For i = N_k... 4N_r+ 3

temp = W[i − 1]

If ( i mod N_k== 0 ) then temp = SB(RotWord(temp)) ⊕ RCON [i/N_k]

If (N_k== 8 and i mod 8 == 4) then temp = SB(temp)

W[i] = W[i − N_k] ⊕ temp

where RCON[·] are round constants and RW(·) rotates four bytes by one byte to the left. A C code listing of the four operations applied during a round is shown below. The 4×4 state matrix is represented as unsigned char State[4][4].

int WCount;

unsigned char State[4][4];

const unsigned char S_BOX[256] =

{

0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x1,0x67,0x2b,0xfe,0xd7,0xab,0x76,

0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,

0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,

0x4,0xc7,0x23,0xc3,0x18,0x96,0x5,0x9a,0x7,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,

0x9,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,

0x53,0xd1,0x0,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,

0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x2,0x7f,0x50,0x3c,0x9f,0xa8,

0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,

0xcd,0xc,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,

0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0xb,0xdb,

0xe0,0x32,0x3a,0xa,0x49,0x6,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,

0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x8,

0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,

0x70,0x3e,0xb5,0x66,0x48,0x3,0xf6,0xe,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,

0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,

0x8c,0xa1,0x89,0xd,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0xf,0xb0,0x54,0xbb,0x16

};

int sub_state_bytes(unsigned char state[4][4])

{

int row, col;

for (row = 0; row < 4; row++)

for (col = 0; col < 4; col++)

{

state[row][col] = S_BOX[ state[row][col] ];

}

return 0;

}

int shift_rows(unsigned char state[4][4])

{

unsigned char temp[4];

int r, c;

for (r = 1; r < 4; r++)

{

for (c = 0; c < 4; c++)

temp[c] = state[r][(c + r) % 4];

for (c = 0; c < 4; c++)

state[r][c] = temp[c];

}

return 0;

}

unsigned char FMul(unsigned char a, unsigned char b)

{

unsigned char aa = a, bb = b, r = 0, t;

while (aa != 0)

{

if ((aa & 1) != 0) r = (unsigned char) (r {circumflex over ( )} bb);

t = (unsigned char) (bb & 0x80);

bb = (unsigned char) (bb << 1);

if (t != 0) bb = (unsigned char) (bb {circumflex over ( )} 0x1b);

aa = (unsigned char) ((aa & 0xff) >> 1);

}

return r;

}

int mix_columns(unsigned char state[4][4])

{ int c, sp[4];

unsigned char x02 = (unsigned char) 0x02;

unsigned char x03 = (unsigned char) 0x03;

for (c = 0; c < 4; c++)

{

sp[0]=FMul(x02,state[0][c]) {circumflex over ( )} FMul(x03,state[1][c]) {circumflex over ( )} state[2][c] {circumflex over ( )} state[3][c];

sp[1]=state[0][c] {circumflex over ( )} FMul(x02,state[1][c]) {circumflex over ( )} FMu1(x03,state[2][c]) {circumflex over ( )} state[3][c];

sp[2]=state[0][c] {circumflex over ( )} state[1][c] {circumflex over ( )} FMul(x02,state[2][c]) {circumflex over ( )} FMul(x03,state[3][c]);

sp[3]=FMul(x03,state[0][c]) {circumflex over ( )} state[1][c] {circumflex over ( )} state[2][c] {circumflex over ( )} FMul(x02,state[3][c]);

for(i = 0; i < 4; i++)

state[i][c] = (unsigned char) (sp[i]);

}

return 0;

}

int add_round_key(unsigned char state[4][4])

{

int c, r;

for (c = 0; c < 4; c++)

for (r = 0; r < 4; r++)

{

state[r][c] = (unsigned char) (state[r][c] {circumflex over ( )} W[WCount]);

WCount++;

}

return 0;

}

int encrypt(unsigned char* cipher, unsigned char* plain, int num_rounds)

{

int round;

WCount = 0;

copy_in(State, plain);

add_round_key(State);

for(round = 1; round < num_rounds; round++)

{

sub_state_bytes(State);

shift_rows(State);

mix_columns(State);

add_round_key(State);

}

sub_state_bytes(State);

shift_rows(State);

add_round_key(State);

copy_out(cipher, State);

return 0;

}

An example of this key updating and encrypting with enhanced AES-256 is shown below. Consider the plaintext “Photons are keysPhotons are keysPhotons are keysPhotons are keys” The phrase “Photons are keys” repeats four times in the plaintext. In what follows, each byte of ciphertext and the current enhanced AES-256 key will be expressed as a number between 0 and 255 inclusive.

Plaintext “Photons are keys” is

80 104 111 116 111 110 115 32 97 114 101 32 107 101 121 115

The first key K₁derived from key generator K_H(1) is

49
204
127
197
122
54
96
2
160
221
204
228
192
201
39
195

98
184
161
197
193
176
187
204
23
132
76
124
170
63
229
38

After encrypting plaintext block B₁=“Photons are keys” with enhanced AES and key K₁, the ciphertext is 251 150 133 203 3 182 4 7 13 198 112 173 159 22 26 173.

The second key K₂derived from key generator K_H(2) is

28
182
250
112
238
48
71
79
11
76
203
67
106
61
93
171

64
103
230
63
1
188
208
133
128
230
99
94
178
54
106
75

After encrypting plaintext block B₂= “Photons are keys” with enhanced AES and key K₂, the ciphertext is 65 7 228 219 145 13 117 25 52 169 72 225 225 81 104 11.

The third key K₃derived from key generator K_H(3) is

203
216
128
224
174
19
253
33
86
68
39
231
138
201
215
80

215
9
138
112
235
239
104
48
207
214
101
83
66
183
220
111

After encrypting plaintext block B₃=“Photons are keys” with key K₃, the ciphertext is

23 116 212 23 67 91 3 235 82 172 89 172 223 144 115 250.

The fourth key K₄derived from key generator K_H(4) is

91
97
42
241
167
27
11
254
236
131
38
3
177
11
79

68
28
203
120
207
180
8
46
72
153
247
13
38
193
46
43
239

After encrypting plaintext block B₄=“Photons are keys” with key K₄, the ciphertext is

8 161 3 243 173 80 124 200 110 18 216 43 156 194 22 206.

In some embodiments, the key generator update of K_Hoccurs after every other encryption of a subblock: the update occurs after subblocks B₂, B₄, B₆. . . but not after the subblocksB₁, B₃, B₅. . . . In other em-bodiments, the key generator update occurs only after subblocks B₁, B₃, B₅. . . but not after the subblocks B₂, B₄, B₆In some embodiments, the key generator update of K_Hoccurs after only the fourth subblocks B₄, B₈, B₁₂. . . of encryption.

6.11 Deriving a Block Cipher Key from a Key Generator

This section describes the derivation of a block cipher key from the current key generator K_H(n). In an embodiment for a block cipher that uses a m-bit key, the first m bits of the current key generator K_H(n) may be used to encrypt the current block. In this embodiment, m-bit key changes each time the key generator K_His updated. In an embodiment, the block cipher is enhanced AES-256 and the length of the key generator K_His 64 bytes (512 bits). In an alternative embodiment, the length of the key generator is 128 bytes (1024 bits).

In the embodiment described below, the key generator K_His 64 bytes. The block cipher is AES-256. After every other block of 16 bytes, the key generator is updated as described in section 6.9. Below key generator K_H(1) is 64 bytes, where each number between 0 and 255 inclusive represents 8 bits.

129
165
24
90
164
61
166
218
203
144
104
88
9
207
128
203

205
58
232
83
72
24
213
25
156
81
250
187
123
80
197
184

251
74
49
194
76
153
208
59
26
209
17
240
129
26
225
218

60
97
227
240
127
219
2
190
116
241
29
83
109
107
135
133

The AES-256 block cipher uses the first 256 bits of key generator K_H(1) as the key:

129
165
24
90
164
61
166
218
203
144
104
88
9
207
128
203

205
58
232
83
72
24
213
25
156
81
250
187
123
80
197
184

This key is used to encrypt the first 16 byte block of plain text in process H. In the second 16 byte block, K_H(2)=K_H(1) because no updating has occurred. The same 256-bit key is used to encrypt the second 16 byte block of plain text in process H.

Before the third block is encrypted, key generator is updated as described in section 6.9. Key generator K_H(3) equals:

41
36
203
73
192
63
221
101
102
95
80
9
55
218
91
181

32
5
172
3
174
179
43
117
250
72
59
39
110
227
240
5

34
10
27
92
214
247
230
82
136
254
216
73
5
29
166
177

43
4
80
187
3
81
150
193
222
150
1
100
126
51
73
144

The enhanced AES-256 block cipher uses the first 256 bits of key generator K_H(3) as the key:

41
36
203
73
192
63
221
101
102
95
80
9
55
218
91
181

32
5
172
3
174
179
43
117
250
72
59
39
110
227
240
5

Enhanced AES-256 uses this key to encrypt the third 16 byte block of plain text in process H.

Enhanced AES-256 uses this same key to encrypt the fourth 16 byte block of plain text in process H.

Before the fifth block is encrypted, key generator is updated. Key generator K_H(5) equals:

96
52
112
190
153
179
248
252
15
230
46
215
216
7
61
231

73
215
102
153
175
10
90
163
255
68
211
238
224
73
141
242

100
148
24
45
231
174
159
217
93
237
66
126
125
112
8
15

170
156
138
186
146
162
206
64
48
254
17
187
65
17
244
50

The enhanced AES-256 block cipher uses the first 256 bits of key generator K_H(5) as the key:

96
52
112
190
153
179
248
252
15
230
46
215
216
7
61
231

73
215
102
153
175
10
90
163
255
68
211
238
224
73
141
242

AES-256 uses this key to encrypt the fifth 16 byte block of plain text in process H. This key derivation and updating method is continued indefinitely until the whole data stream has been encrypted.

In an alternative embodiment described below, the key generator $K_H$ is 96 bytes and the block cipher is enhanced DES. After every block of 8 bytes is encrypted, the key generator is updated as described in section 6.9. Key generator K_H(1) equals

49
204
127
197
122
54
96
2
160
221
204
228
192
201
39
195

98
184
161
197
193
176
187
204
23
132
76
124
170
63
229
38

82
149
5
202
41
226
106
137
55
239
92
99
169
8
222
158

104
102
56
240
251
102
86
160
157
199
151
121
150
246
104
87

17
140
63
133
58
118
32
66
224
157
140
164
128
137
103
131

34
248
225
133
129
240
251
140
87
196
12
60
234
127
165
102

The enhanced DES block cipher uses a 56-bit key that is generated by applying SHA-512 to the key generator K_H(1) and using the first 56 bits of the digest as the key:

199
20
209
195
126
132
197

Before the second block of 8 bytes is encrypted, key generator is updated as described in section 6.9. Key generator K_H(2) equals

176
122
15
150
18
17
154
170
122
62
135
60
82
41
96
199

92
65
254
126
48
70
220
3
59
38
17
170
155
175
177
109

145
243
232
159
120
166
66
31
174
164
192
176
114
110
228
164

49
163
204
203
47
22
166
153
202
8
5
60
194
81
76
12

129
90
79
214
82
81
218
234
58
126
199
124
18
105
32
135

28
1
190
62
112
6
156
67
123
102
81
234
219
239
241
45

A 56-bit key is generated by applying SHA-512 to the key generator K_H(2) and then enhanced DES uses the first 56 bits of the digest as the key: 227 114 181 58 168 40 196

Before the third block of 8 bytes is encrypted by DES, key generator is updated as described in section 6.9. Key generator K_H(3) equals

126
126
183
2
151
62
12
140
2
102
252
220
94
179
247
221

78
249
13
78
26
43
151
92
32
192
84
7
82
96
192
196

208
22
190
33
193
234
195
164
195
122
228
189
87
65
208
166

97
88
186
22
222
186
0
77
33
191
139
251
188
131
58
242

95
79
151
66
215
126
76
204
66
38
188
156
30
243
183
157

14
185
77
14
90
107
215
28
96
128
20
71
18
32
128
132

A 56-bit key is generated by applying SHA-512 to the key generator K_H(3) and enhanced DES uses the first 56 bits of the digest as the key: 106 7 29 109 200 183 151

A third 8 byte block of plain text is encrypted with this new 56-bit key. This key derivation and updating method is continued indefinitely until the whole data stream has been encrypted.

6.12 Permutations

Process P applies an unpredictable sequence of permutations to scramble the information elements across the whole block. Process S uses an unpredictable sequence of permutations to create a new substitution box for each block of information.

Let the symbol X denote a set. X can be a finite or infinite set. A permutation is a function σ:X→X that maps elements of X to elements of X, that is 1 to 1, and is also onto. 1 to 1 means that no two distinct elements from X get mapped by σ to the same element. More formally, if S₁, S₂are any two distinct element from X (s₁≠s₂), then σ(s₁)≠σ(s₂). Onto means that if you choose any element r from X, you can find an element s so that σ maps s to r. In other words, for any element r from X, there is some element s in X satisfying σ(s)=r. In the context of cryptography, the properties 1 to 1, and onto are useful because they help assure that a sequence of information that has been scrambled by a permutation(s) can be unscrambled by the inverse permutation(s).

When X is finite and contains n elements, then the set of all permutations on X is called the symmetric group on n elements; there are n! permutations in S_n. For example, when n=5, then S₅contains 5*4*3*2*1=120 permutations.

The identity permutation is the permutation that sends every element to itself. Formally, i:X→X. For every element s in X, i(s)=s. As an example, choose X to be the numbers 0 thru 4, inclusive. The identity i sends every element to itself means that i(0)=0, i(1)=1, i(2)=2, i(3)=3, and i(4)=4.

A finite permutation is a permutation on a finite set. Any finite permutation can be represented as a finite sequence of numbers. The word ‘sequence’ means that the order of the numbers matters. The sequence [1, 2, 3] is not the same sequence as [2, 3, 1].

The sequence, [0, 1, 2, 3, 4], represents the identity permutation on X. This sequence is interpreted as a permutation in the following way. The number 0 is at the beginning of the sequence, so i(0)=0. The next number in the sequence is 1, so i(1)=1. The number 2 follows 1 in the sequence, so i(2)=2. The number 3 follows 2 in the sequence, so i(3)=3. Finally, 4 follows 3 in the sequence, so i(4)=4.

As a different example, choose X to be the numbers 0 thru 7, inclusive. Choose λ=[1,5, 3,6, 7,2, 4,0]. The number 1 is at the beginning of the sequence, so λ(0)=1. The next number in the sequence is 5, so λ(1)=5. The number 3 follows 5, so λ(2)=3. Similarly, λ(3)=6, λ(4)=7, λ(5)=2, λ(6)=4, and λ(7)=0.

There is a simple way to check that λ is 1 to 1 and onto. Check that all 8 numbers are in the sequence, and make sure none of these numbers occurs in the sequence more than once. If σ is a permutation, then the inverse of σ is denoted σ⁻¹. When you apply σ and then apply σ⁻¹, or vice versa, this composite function is the identity map. Formally, σ∘σ⁻¹=σ⁻¹∘σ=i. In other words, the function σ∘σ⁻¹sends every element to itself, and the function σ⁻¹∘σ maps every element to itself.

The inverse of λ, denoted λ⁻¹, is represented by the sequence, [7,0, 5,2, 6,1, 3,4]. The following analysis verifies that this sequence defines the inverse of lambda. From the sequence, [7,0, 5,2, 6,1, 3,4], λ⁻¹(0)=7, λ⁻¹(1)=0, λ⁻¹(2)=5, λ⁻¹(3)=2, λ⁻¹(4)=6, λ⁻¹(5)=1, λ⁻¹(6)=3, and λ⁻¹(7)=4. Next, check that λ∘λ⁻¹(0)=λ(7)=0, λ∘λ⁻¹(1)=λ(0)=1, λ∘λ⁻¹(2)=λ(5)=2, λ∘λ⁻¹(3)=λ(2)=3, λ∘λ⁻¹(4)=λ(6)=4, λ∘λ⁻¹(5)=λ(1)=5, λ∘λ⁻¹(6)=λ(3)=6, and λ∘λ⁻¹(7)=λ(4)=7.

This paragraph defines two different operations on a permutation. A transposition is an operation that swaps two elements in a permutation. Let σ=[1, 0, 2, 6, 7, 5, 3, 4] be the initial permutation. Transpose 2 and 5 in σ. After the transposition, σ=[1, 0, 5, 6, 7, 2, 3, 4]. A rotation is an operation that rotates the elements in a permutation. Let σ=[1, 0, 2, 6, 7, 5, 3, 4] be the initial permutation. After a rotation, the new permutation is σ=[4, 1, 0, 2, 6, 7, 5, 3].

Any permutation can be constructed efficiently using transpositions. Consider the permutation σ=[a₀, a₁. . . a_n−1] on n elements. In other words, σ(k)=a_k. σ can be constructed from the identity [0,1, . . . n−1]. Starting with the identity, the transpositions (0 c₀), (1 c₁), (n−1 c_n−1) are successively applied, where c_kis the array index of ax in the current state of the permutation as consequence of the previous transpositions (0 c₀), . . . (k−1 c_k−1).

Mathematically, the application of these transpositions is not function composition of a transposition with a permutation even though both the permutation and transposition lie in S_n. Instead, each transposition τ_kacts as an transformation on the current permutation, where τ_k: S_n→S_nand as defined previously.

The following example demonstrates how to build λ=[1, 5, 3, 6, 7, 2, 4, 0] in S₈, starting with the identity permutation and applying transpositions as transformations. The identity permutation on 8 elements is represented by the sequence [0, 1, 2, 3, 4, 5, 6, 7].

- [0, 1, 2, 3, 4, 5, 6, 7]. The array index of a₀=1 is 1, so c₀=1. Apply transposition (0 1).
- [1, 0, 2, 3, 4, 5, 6, 7]. The array index of a₁=5 is 5, so c₁=5. Apply transposition (1 5).
- [1, 5, 2, 3, 4, 0, 6, 7]. The array index of a₂=3 is 3, so c₂=3. Apply transposition (2 3).
- [1, 5, 3, 2, 4, 0, 6, 7]. The array index of a₃=6 is 6, so c₃=6. Apply transposition (3 6).
- [1, 5, 3, 6, 4, 0, 2, 7]. The array index of a₄=7 is 7, so c₄=7. Apply transposition (4 7).
- [1, 5, 3, 6, 7, 0, 2, 4]. The array index of a₅=2 is 6, so c₅=6. Apply transposition (5 6).
- [1, 5, 3, 6, 7, 2, 0, 4]. The array index of a₆=0 is 7, so c₆=6. Apply transposition (6 7).
- [1, 5, 3, 6, 7, 2, 4, 0].

It took 7 transpositions to transform the identity permutation to the permutation λ. Starting with the identity permutation, it takes at most 8 transpositions to generate any of the possible permutations. There are a total of 8!=8*7*6*5*4*3*2*1=40320 possible permutations.

For a permutation of size 256, the number of possible permutations is greater than 10⁵⁰⁶In the future, as the speed of computers improves, the size of the permutations used in the S and P processes should increase enough so that attacks are impractical.

If X has n elements, it takes at most n transpositions to construct any permutation on X. The general procedure for constructing any of the n! permutations is similar to the steps already mentioned. Start with the identity permutation, and then execute n transpositions.

Initialize σ equal to the identity permutation, [0, 1, 2, 3, . . . , n−2, n−1].

Execute the steps inside the brackets at least n times.

{

Randomly choose two distinct natural numbers i ≠ k, satisfying 0 ≤ i, k < n.

Transpose the ith element and the kth element in σ.

}

- This procedure is shown for a permutation of length 32.
- Initialize σ equal to the identity permutation:
- [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31].
- Choose 21 and 4 randomly. Transpose the 21st and 4th elements.
- [0,1,2,3, 21, 5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20, 4, 22,23,24,25,26,27,28,29,30,31]
- Choose 27 and 14 randomly. Transpose the 27th and 14th elements.
- [0,1,2,3,21,5,6,7,8,9,10,11,12,13, 27,15,16,17,18,19,20,4,22,23,24,25,26, 14, 28,29,30,31]
- Choose 29 and 4 randomly. Transpose the 29th and 4th elements.
- [0,1,2,3, 29,5,6,7,8,9,10,11,12,13,27,15,16,17,18,19,20,4,22,23,24,25,26,14,28, 21,30,31]
- Choose 11 and 17 randomly. Transpose the 11th and 17th elements.
- [0,1,2,3,29,5,6,7,8,9,10, 17, 12,13,27,15,16, 11, 18,19,20,4,22,23,24,25,26,14,28,21,30,31]

Continue these steps for another 28 transpositions to build a random permutation on 32 elements. This method of constructing an arbitrary permutation is important because it prevents an intruder from trying to guess the permutation. A potential intruder can not eliminate permutations that may be unreachable by some other algorithm that constructs a permutation. In our case, the intruder must check on average

$\frac{n!}{2}$

possibilities. Further, transpositions can be executed very quickly on a digital computer. A permutation σ of size 256 requires only 256 memory swaps, and about 2 * 256=512 bytes of memory to store σ and the inverse of σ. On the other hand, a brute force attack requires checking more than 10⁵⁰⁶permutations because 256!>10⁵⁰⁶.

This transposition method when combined with key generator updating using one-way hash functions is able to generate an unpredictable sequence of permutations, using a small amount of computation (256 memory swaps), and a small amount of memory.

6.13 the P Process: Permuting Information

This section describes in further detail how permutations are used to represent and compute the diffusion (spreading) of information across a block. It describes methods of using permutations to change the order of a sequence of information. The information may be plaintext. The information may be partially encrypted plaintext. The information may be a key generator or key generators. The information may be states that are used by a block cipher or stream cipher.

In section 6.7, titled CRYPTOGRAPHIC PROCESS, the permutation μ: {1,2, . . . , M}→{1,2, . . . , M}, in the P process, diffuses information across a block of size M. The information is diffused by reordering the information, based on the permutation μ. By updating the permutation μ after each block, this enables the P process to diffuse the information across the block of size M in an unpredictable way.

In some embodiments, the elements of information are bits (0's and 1's). As an illustrative example, consider σ=[4, 2, 0, 5, 3, 1] applied to the 6 bits of information b₀b₁b₂b₃b₄b₅. This permutation of 6 bits is shown in FIG. 6A. σ(0)=4 means that bit b₀in location 0 is permuted to bit location 4. σ(1)=2 means that bit b₁in location 1 is permuted to bit location 2. σ(2)=0 means that bit b₂in location 2 is permuted to bit location 0. σ(3)=5 means that bit b₃in location 3 is permuted to bit location 5. σ(4)=3 σ(4)=3 means that bit b₄in location 4 is permuted to bit location 3. σ(5)=1 means that bit b₅in location 5 is permuted to bit location 1. Thus, σ(b₀b₁b₂b₃b₄b₅)=b₂b₅b₁b₄b₀b₃. For example, if b₀b₁b₂b₃b₄b₅=010101, then σ (010101)=011001.

In FIG. 6B, an embodiment is shown where information elements are bits and M is 512. The permutation μ: {1,2, . . . , M}→{1,2, . . . , M} sends the block of information b₁b₂. . . b₅₁₂to c₁x₂. . . c₅₁₂where c_k=b_μ(k). In FIG. 6B, one arrow indicates that b₁₈₁is permuted by μ to bit location 267. In other words, c₂₆₇=b₁₈₁which means that μ(181)=267. Similarly, another arrow indicates that b₁₈₁is permuted by μ to bit location 511. In other words, c₅₁₁=b₁₈₂which means that μ(182)=511. Similarly, the third arrow indicates μ(311)=1, so b₃₁₁is permuted to location 1 in the permuted block.

In some embodiments, elements of information are permuted that may be larger than a bit. The element of information may be a sequence of bits. In some embodiments the number of bits in an element may change. In other embodiments, the element of information that is permuted may be different from a bit. Although current computers are built from hardware that is natively base 2, information elements can be used that are based on a different base from base 2. For example, in base 3 each element of information e_kin [e₁, . . . , e_k, . . . e_n] could represent 0, 1, 2. This embodiment is useful when the native hardware of a computer has 3 physical states instead of 2 physical states (bits). Then these information elements could be permuted to [e_μ(1), . . . , e_μ(k), . . . e_μ(n)] where is a permutation. In some embodiments, the information elements could represent part of a continuum instead of a discrete symbol.

Details are provided below that describe how different permutations sizes may be used. LetD=[m₀, m₁, m₂, m₃, m₄, m₅, m₆, m₇, m₈, m₉, m₁₀, m₁₁, m₁₂] be a sequence of information with 13 elements. Each information element, m_i, represents n_iinformation elements, where n_i≥1. Define the permutation/of length λ to be [2, 0, 3, 1]. This means that λ=2, λ(1)=0, λ(2)=3, and λ(3)=1. Define the permutation σ of length 6 to be σ=[4,2,0,5,3,1]. This means that σ(0)=4, σ(1)=2, σ(2)=0, σ(3)=5, σ(4)=3, and σ(5)=1. Define γ=[2,0,1]. Then γ(0)=2, γ(1)=0, and γ(2)=1.

Apply λ to permute the first 4 elements of D, apply σ to permute the next 6 elements of D, and apply γ to permute the last 3 elements of D. The permuted sequence is: [m_λ(0), m_λ(1), m_λ(2), m_λ(3), m_σ(0)+4, m_σ(1)+4, m_σ(2)+4, m_σ(3)+4, m_σ(4)+4, m_σ(5)+4, m_γ(0)+10, m_γ(1)+10, m_γ(2)+10]=[m₂, m₀, m₃, m₁, m₈, m₆, m₄, m₉, m₇, m₅, m₁₂, m₁₀, m₁₁].

Here are some details on σ is applied to the subsequence, [m₄, m₅, m₆, m₇, m₈, m₈] of the information sequence D. Applying σ creates a new permuted subsequence [m₈, m₆, m₄, m₉, m₇, m₅]. The 0th element of the permuted subsequence is mg because σ(0)+4=8. The first element of the permuted subsequence is m₆because σ(1)+4=6. The second element of the permuted subsequence is m₄because σ(2)+4=4. The third element of the permuted subsequence is mg because σ(3)+4=9. The fourth element of the permuted subsequence is m₇because σ(4)+4=7. The fifth element of the permuted subsequence is m₅because σ(5)+4=5. Notice that 4 is added each time because 4 is the sum of the lengths of the previous permutations applied to D. In this particular case, λ is the only previous permutation applied to D and λ's length is 4 so the sum is 4.

Further details are provided here on how to apply γ to the subsequence [m₁₀, m₁₁, m₁₂] of the information sequence D. Applying y creates a new permuted subsequence [m₁₂, m₁₀, m₁₁]. The 0th element of the permuted subsequence is m₁₂because γ(0)+10=12. The first element of the permuted subsequence is m₁₀because γ(1)+10=10. The second element of the permuted subsequence is m₁₁because γ(2)+10=11. Notice that 10 is added each time because 10 is the sum of the lengths of the previous permutations, λ and σ, applied to D.

In a similar way, λ, σ, and γ can permute the sequence of states S=[s₀, s₁, s₂, s₃, s₄, s₅, s₆, s₇, s₈, s₉, s₁₀, s₁₁, s₁₂]. After applying λ, σ, and γ, the permuted sequence is [s₂, s₀, s₃, s₁, s₈, s₆, s₄, s₉, s₇, s₅, s₁₂, s₁₀, s₁₁]. In general, let D be a sequence of information [m₀, m₁, m₂, m₃, m₄, . . . m_n−1] with n information elements. Choose any sequence of permutations [σ₁, σ₂, . . . σ_k], where σ₁is a permutation of length n₁, σ₂is a permutation of length n₂, and so forth up to, σ_kis a permutation of length n_k, and all the lengths sum to n. In other words, n₁+n₂+n₃+ . . . +n_k=n. Permute the information sequence D with this sequence of permutations so that the new permuted information sequence is [m_σ₁₍₀₎, m_σ₁₍₁₎, m_σ₁₍₂₎, . . . m_σ₁_(n₁₋₁₎, m_σ₂_(0)+n₁, . . . m_σ₂_(n₂_−1)+n₁, m_σ₃_(0)+n₁_+n₂, m_σ₃_(1)+n₁_+n₂, . . . m_σ₃_(n₃_−1)+n₁_+n₂, m_σ₄_(0)+n₁_+n₂_+n₃, . . . , m_σ_k_(n_k_−1)+n−n_k].

Similarly, let S be a sequence of states [s₀, s₁, s₂, s₃, s₄. . . s_n−1] with n elements. Choose any sequence of permutations [σ₁, σ₂, . . . , σ_k], where σ₁is a permutation of length, n₁, σ₂is a permutation of length n₂, and so forth, σ_kis a permutation of length k, and all the lengths sum to n.

In other words, n₁+n₂+ . . . n_k=n. Permute this sequence of states S: the permuted sequence. is [s_σ₁₍₀₎, s_σ₁₍₁₎, s_σ₁₍₂₎, . . . , s_σ₁_(n₁₋₁₎, s_σ₂_(0)+n₁, . . . , s_σ₂_(n₂_−1)+n₁, s_σ₃_(0)+n₁_+n₂, s_σ₃_(1)+n₁_+n₂, . . . , s_σ₃_(n₃_−1)+n₁_+n₂, s_σ₄_(0)+n₁_+n₂_+n₃, . . . , s_σ_k_(n_k_−1)+n−n_k].

6.14 Initializing Permutations with a Generator

A NADO key generator is a collection of integers, or a sequence of bits interpreted as a collection of integers or a sequence of bytes, where 8 bits is a byte. To generate a permutation σ, first initialize σ to the identity permutation, where n is the size of σ. A part of the NADO key generator can be a sequence of non-negative integers, denoted as k₀, k₁, . . . , k_m. When the following three conditions hold,

- 1. m+1 equals n.
- 2. The numbers k₀, k₁, . . . , k_msatisfy 1≤k_i≤n.
- 3. k₀, k₁, . . . , k_mare created by a reliable hardware, random number generator (RNG) and software selects the next k_jgenerated from the RNG such that k_jis not in {k₀, k₁, . . . , k_j−1}. then initialize σ equal to [k₀, k₁, . . . , k_m].

In the case where the three previous conditions do not hold, note that num_keys is m+1. Also, k[j] corresponds to key generator k_j. Further sigma_inverse corresponds to σ⁻¹and similarly, sigma_inverse[i] corresponds to σ⁻¹(i). Finally, mod corresponds to modulo arithmetic. In an embodiment, execute the steps in the following for loop to initialize permutation σ.

for(i = 0; i < n; i++)

{

r = k[i mod num_keys];

j = (r + j − sigma_inverse[i]) mod n;

transpose elements i and sigma_inverse(j) in the permutation sigma;

update sigma_inverse;

}

6.15 Updating Permutations in the S or P Process

This section describes how to create an unpredictable sequence of permutations that are used in the P process and the S process. There is an initial permutation μ with length L. K=[k₀, . . . , k_n−1] represents the key generator K_Pfor process P or the key generator K_Sfor process S. s is an index satisfying 0≤s<L. μ represents a permutation that can represent the substitution box σ in the S process or the permutation that diffuses the bits across a block in the P process, as described in section 6.7. μ⁻¹is the inverse permutation of μ; in other words, μ∘μ⁻¹(a)=a for every a satisfying 0≤a<L. In this code, notice that permutation μ:{0, . . . L−1}→{0, . . . , L−1}, since programming languages generally use arrays that start at 0 instead of 1. The number of times the loop is executed is based on a variable num_iterates. In the code shown below, mu corresponds to μ. The expression mu_inverse corresponds to μ⁻¹and mu_inverse(s) is μ⁻¹(s). The expression k[j] corresponds to k_j. The expression mod means perform modulo arithmetic. 23 mod 11 is 1. In an embodiment, the next permutation is generated by the instructions in the following for loop.

for(r = 0; r < num_iterates; r++)

{

j = r mod n;

i = k[j] mod L;

transpose elements mu(i) and mu_inverse(s) in mu;

update mu_inverse;

s = (s + mu(i)) mod L;

}

Before entering the for loop, suppose μ:{0,1, . . . , 255}→{0,1, . . . , 255} is the permutation:

[44, 248,189, 104, 187, 201, 127, 3, 220, 136, 155, 237, 86, 144, 166, 27, 152, 204, 150, 202, 114, 157, 67,245,172, 22, 89,167,214, 145, 42, 191, 57, 77,186,251, 31,161,221, 111, 250, 51, 117, 205, 0, 48, 79, 165, 76,209,181, 151, 198, 78,200,129, 179, 49,230,226, 102, 222, 146, 203, 30, 227, 70,196,140, 109, 177, 63, 32, 75,228,178, 253, 43, 10, 105, 38, 128, 11, 174, 23, 215, 25, 223, 110, 182, 137, 216, 176, 229, 141, 163, 212, 94,143,193, 219, 88,133,218, 197, 180, 90, 171, 255, 84, 95, 81,124,185, 108, 121, 247, 194, 87, 40, 9, 41, 238, 92,131,168, 184, 115, 2, 14, 54, 103, 17, 122, 26,192,246, 4,208,225, 71,119,126, 118, 33,130,183, 46,101,159, 224, 1, 125, 142, 107, 217, 37,234,242, 15, 35,239,211, 236, 65, 154, 16, 5, 34, 98, 61, 156, 53, 6, 59,100,162, 116, 206, 68, 169, 85, 58, 113, 45, 62,148,106, 243, 249, 7, 55, 147, 66, 91, 233, 39, 36, 47,190,252, 29, 235, 82, 96, 60, 188, 97, 18, 213, 24, 153, 240, 158, 195, 139, 232, 72, 120, 93,135,210, 199, 164, 149, 99,160,134, 13, 19, 83, 52, 132, 175, 231, 123, 241, 28, 207, 73, 112, 64, 50, 12, 80, 74, 20, 56, 8,173,254, 138, 244, 170, 69, 21]

One iteration of the loop is described when r is 0. Suppose the key size n is 79. Before entering the loop, suppose s is 3 and k[0] is 7. The first instruction j=r mod n sets j to 0. The second instruction i=k[j] mod L sets i to 7. For the transposition instruction, the elements μ(7) and μ⁻¹(3) of μ are transposed μ(7)=3 and μ⁻¹(3)=7. Thus, the third element (104) and the seventh element (3) are swapped. μ is updated to:

[44,248,189, 3, 87,201,127, 104, 220, 136, 155, 237, 86,144,166, 27,152,204, 150, 202, 114, 157, 67,245,172, 22, 89,167,214, 145, 42, 191, 57, 77,186,251, 31,161,221, 111, 250, 51, 117, 205, 0, 48, 79, 165, 76,209,181, 151, 198, 78,200,129, 179, 49,230,226, 102, 222, 146, 203, 30, 227, 70,196,140, 109, 177, 63, 32, 75,228,178, 253, 43, 10, 105, 38, 128, 11, 174, 23, 215, 25,223,110, 182, 137, 216, 176, 229, 141, 163, 212, 94,143,193, 219, 88,133,218, 197, 180, 90,171,255, 84, 95, 81,124,185, 108, 121, 247, 194, 87, 40, 9, 41, 238, 92,131,168, 184, 115, 2, 14, 54, 103, 17, 122, 26,192,246, 4,208,225, 71,119,126, 118, 33,130,183, 46,101,159, 224, 1,125,142, 107, 217, 37,234,242, 15, 35,239,211, 236, 65, 154, 16, 5, 34, 98, 61, 156, 53, 6, 59,100,162, 116, 206, 68, 169, 85, 58, 113, 45, 62,148,106, 243, 249, 7, 55, 147, 66, 91, 233, 39, 36, 47,190,252, 29, 235, 82, 96, 60, 188, 97, 18, 213, 24,153,240, 158, 195, 139, 232, 72, 120, 93,135,210, 199, 164, 149, 99,160,134, 13, 19, 83, 52,132,175, 231, 123, 241, 28, 207, 73, 112, 64, 50, 12, 80, 74, 20, 56, 8,173,254, 138, 244, 170, 69, 21]

Also, μ⁻¹is updated accordingly with the changes μ⁻¹(104)=7 and μ⁻¹(3)=3. The last instruction is s=(s+mu(i)) mod 256 which is computed as s=(3+104) mod 256=107.

6.16 the S Process

This section describes how permutations are used to represent and compute a substitution box. In an embodiment, a substitution box used in process S is a permutation σ in the symmetric group S₂₅₆. In alternative embodiments, the substitution boxes used in process S may be permutations in the symmetric group S₅₁₂, S₂₀₄₈or even S₆₅₅₃₆. In process S, the substitution box is not static during the encryption process. It is updated based on methods shown in 6.15. In some embodiments, the avalanche effect of the one-way functions used during the key generator updating of K_Shelps unpredictably update the substitution box σ.

An embodiment is further described where the permutation σ is in S₂₅₆and the block size M for the P process is 512 bits, where this block is represented as 64 bytes [e₁, e₂, . . . , e₆₄]. In this embodiment, during the S process, σ₁is applied to the first byte e₁, received from process P, σ₂is applied to the second byte e₂, received from process P, and so on, all the way up to σ₆₄is applied to the 64th byte e₆₄, received from process P. After each application of σ_k(e_k), σ_kis updated to σ_k+1. In other words, the substitution box σ_kin S₂₅₆is updated after each byte of encryption. After the last byte of encryption by σ₆₄(e₆₄), the key generator K_S(n) is updated using the methods described in section 6.9. After the key generator K_S(n) is updated to the new key generator K_S(n+1), the new key generator K_S(n+1) helps further transpose the elements of σ₆₄, using transposition methods similar to those described in section 6.12.

To distinguish between the successive 64 byte blocks, σ₁represents the substitution box that encrypts the first byte of the first 64 byte block; σ₆₄represents the substitution box that encrypts the 64th byte of the first 64 byte block; σ₆₅represents the substitution box that encrypts the first byte of the second 64 byte block; σ₆₆represents the substitution box that encrypts the second byte of the second 64 byte block, and so on.

Suppose 94₁initially equals:

- [206, 45, 204, 90, 93, 99, 166, 53, 3, 9, 211, 68,233,229, 23,178,159, 205, 213, 43, 185, 2, 209, 51, 227, 76, 238, 4, 247, 73,191,142, 122, 201, 85, 49, 54, 37, 219, 86,151,164, 102, 231, 162, 78,123,147, 148, 71,144,132, 35, 52,169,216, 218, 128, 214, 228, 225, 177, 136, 103, 236, 104, 146, 224, 11, 33, 44, 1, 126, 10, 27, 56, 193, 24, 65, 16, 174, 5, 8,230,248, 255, 47,250,105, 82, 115, 120, 167, 235, 25, 114, 69,244,116, 170, 29, 62,118,125, 139, 58, 34, 28,223,176, 101, 0, 194, 249, 131, 89, 160, 7,111,192, 150, 96, 32, 12,135,110, 237, 94, 57, 112, 74,240,215, 234, 17, 220, 40,252,221, 38, 81,155,246, 137, 119, 196, 88,175,163, 199, 64, 138, 46,232,239, 165, 127, 183, 195, 222, 60,189,243, 70,158,212, 72, 55, 200, 21, 121, 181, 50,190,254, 179, 48,245,207, 124, 95, 203, 42,157,106, 173, 152, 63, 15,130,226, 14, 202, 156, 186, 66,149,100, 97, 187, 39, 41,208,113, 242, 134, 182, 98, 83,184,107, 154, 141, 217, 129, 161, 210, 36,253,197, 26, 251, 19, 6, 91, 171, 77, 20, 59, 13, 140, 92,153,180, 18, 198, 87, 108, 84, 67, 30,117,172, 109, 61, 143, 31, 188, 80,241,133, 168, 22, 75, 79, 145]

This means that σ₁maps 0 to 206, σ₁(1)=45, σ₁(2)=204, . . . and σ₁(255)=145. In this notation, the byte 0 corresponds to the eight bits 00000000. Byte 1 corresponds to the eight bits 00000001. The byte 2 corresponds to the eight bits 00000010. The byte 3 corresponds to the eight bits 00000011 . . . . The byte 149 corresponds to the bits 10010101 . . . . The byte 255 corresponds to the eight bits 11111111. For example, in bits σ₁(11111111)=10010001.

The function perturb generator_w_hash (uchar* K, int n, uchar* digest, int q)—defined in the C code listing below—is a method for updating a key generator or order generator. This method of updat-ing the generator was described in section 6.9. It exploits the avalanche effect of the one-way hash function one_way_hash (uchar* digest, uchar* K, int n). In an embodiment, one_way_hash (uchar* digest, uchar* K, int n) is implemented with Keccak. In another embodiment, it is implemented with SHA-512. In another embodiment, it is implemented with BLAKE. In another embodiment, it is implemented with JH. In another embodiment, it is implemented with GrØstL.

In the C listing, function transpose (uchar* mu, uchar* mu_inverse, int a, int b) transposes the elements of permutation mu (μ) and mu_inverse (μ⁻¹) as described in section 6.12, titled PERMUTATIONS. transpose_sbox (uchar* mu, uchar* mu_inverse, int offset, int num_transpositions) transposes the elements of mu and mu_inverse based on the digest derived from the current key generator. Since the digest values exhibit an avalanche effect, this updates the permutation mu in an unpredictable manner.

In an embodiment, perturb_sbox (uchar* sbox, . . . , uchar* digest, int q) transposes about the same number of elements as the number of elements in the symmetric group. For example, in the C code embodiment, transpose_sbox ( . . . ) is called inside a loop 8 times and num_transpositions=32. Thus, 8*32=256 and the substitution box S_box lies in the symmetric group S₂₅₆. This embodiment follows the observation from section 6.12 that it is possible with n transpositions to transform any permutation in S_nto any other permutation in S_n.

Function call initialize_permutation_inverse (S_box_inverse, S_box, S_BOX_LENGTH); exits with the array S_box_inverse storing the inverse permutation of σ₁i.e., σ₁⁻¹.

#define S_BOX_LENGTH 256

typedef unsigned char uchar;

const int N = 64;

const int q = 64;

uchar S_box [S_BOX_LENGTH] ={

206, 45, 204, 90, 93, 99, 166, 53, 3, 9, 211, 68, 233, 229, 23, 178, 159,

205, 213, 43, 185, 2, 209, 51, 227, 76, 238, 4, 247, 73, 191, 142, 122,

201, 85, 49, 54, 37, 219, 86, 151, 164, 102, 231, 162, 78, 123, 147, 148,

71, 144, 132, 35, 52, 169, 216, 218, 128, 214, 228, 225, 177, 136, 103, 236,

104, 146, 224, 11, 33, 44, 1, 126, 10, 27, 56, 193, 24, 65, 16, 174,

5, 8, 230, 248, 255, 47, 250, 105, 82, 115, 120, 167, 235, 25, 114, 69,

244, 116, 170, 29, 62, 118, 125, 139, 58, 34, 28, 223, 176, 101, 0, 194,

249, 131, 89, 160, 7, 111, 192, 150, 96, 32, 12, 135, 110, 237, 94, 57,

112, 74, 240, 215, 234, 17, 220, 40, 252, 221, 38, 81, 155, 246, 137, 119,

196, 88, 175, 163, 199, 64, 138, 46, 232, 239, 165, 127, 183, 195, 222, 60,

189, 243, 70, 158, 212, 72, 55, 200, 21, 121, 181, 50, 190, 254, 179, 48,

245, 207, 124, 95, 203, 42, 157, 106, 173, 152, 63, 15, 130, 226, 14, 202,

156, 186, 66, 149, 100, 97, 187, 39, 41, 208, 113, 242, 134, 182, 98, 83,

184, 107, 154, 141, 217, 129, 161, 210, 36, 253, 197, 26, 251, 19, 6, 91,

171, 77, 20, 59, 13, 140, 92, 153, 180, 18, 198, 87, 108, 84, 67, 30,

117, 172, 109, 61, 143, 31, 188, 80, 241, 133, 168, 22, 75, 79, 145 };

uchar S_box_inverse[S_BOX_LENGTH];

uchar K[N] = {

12, 37, 68, 213, 218, 178, 219, 36, 85, 72, 29, 57, 189, 33, 13, 72,

64, 98, 24, 247, 56, 29, 62, 10, 16, 251, 181, 78, 171, 89, 7, 21,

7, 82, 233, 28, 205, 147, 153, 125, 92, 116, 127, 157, 215, 24, 114, 70,

186, 228, 39, 53, 48, 11, 2, 254, 82, 165, 224, 237, 58, 35, 203, 199, };

uchar Digest[q];

void one_way_hash(uchar* digest, uchar* K, int n);

void perturb_generator_w_hash(uchar* K, int n, uchar* digest, int q)

{

int i;

uchar temp = K[n−1];

/* Rotate the circular array of unsigned char one byte to the right. */

memmove(K+1, K, n−1);

/* K[n−1] is rotated into K[0] */

K[0] = temp;

/* Hash n bytes of the key and store the digest in d */

one_way_hash(digest, K, n);

/* {circumflex over ( )} is the exclusive-or in C syntax. */

for(i = 0; i < q; i++) K[i] = K[i] {circumflex over ( )} digest [i];

}

void transpose(uchar* mu, uchar* mu_inverse, int a, int b)

{

unsigned char temp = mu[a];

mu[a] = mu[b] ;

mu[b] = temp;

mu_inverse[ mu[a] ] = a;

mu_inverse[ mu[b] ] = b;

}

void initialize_permutation_inverse(uchar* mu_inverse, uchar* mu, int n)

{

int k;

for(k = 0; k < n; k++) mu_inverse[ mu[k] ] = k;

}

void transpose_sbox(uchar* mu, uchar* mu_inverse, int offset, int num_transpositions)

{

static int j = 0;

int k, o_idx;

o_idx = offset % S_BOX_LENGTH;

for(k = 0; k < num_transpositions; k++)

{

j = (j + mu_inverse [o_idx]) % S_BOX_LENGTH;

transpose(mu, mu_inverse, mu_inverse[o_idx], mu_inverse[j] );

o_idx = (o_idx+1) % S_BOX_LENGTH;

}

}

void perturb_sbox(uchar* sbox, uchar* sbox_inverse, int m, uchar* g,

int g_size, uchar* digest, int q)

{

int k;

perturb_generator_w_hash(g, g_size, digest, q);

for(k = 1; k <= 8; k++)

transpose_sbox(sbox, sbox_inverse, digest[k], m);

}

initialize_permutation_inverse(S_box_inverse, S_box, S_BOX_LENGTH);

In the embodiment shown below, function one_way_hash is implemented with SHA-512. After encrypting the first block of 64 bytes perturb_sbox (S_box, S_box_inverse, 32, K, N, Digest); is called. Consequently, σ₆₅equals

- [176,53,151,217,20,99,87,247,251,228,25,65,27,196,206,98,175,198,171,52, 173, 2,105,233, 28,190,238,4,162,156,136,70,186, 165, 209,168,82,178,174,10,9,195,102,231,249, 220,14,158, 54, 202, 144, 132,253,90,213,133, 146,37,187,128,122,44,143,5,55,7, 218, 46, 160, 95, 113, 1, 172, 232, 135, 166, 142, 6, 68, 185, 48,103,141,159,248,255,58,245,236,69, 115, 120,75, 71, 36, 114, 91, 194,116,180, 205,104,118,31,139,157,169,242,56,214, 101,76, 254, 63,131,89, 92,239,203, 161,8,96,49,100,35,110,237,94, 134, 112,84,224,240, 226,59,252,211, 246, 30, 22, 3, 216, 73, 137, 62, 183,88, 147,197, 200, 184, 138,12, 29, 81, 97,127,199, 77,153,125, 0, 74,154,149, 51, 219, 189, 241, 43, 121, 38,229,126,244,16, 24,117,108, 124, 13, 19, 85, 193,86, 188, 152, 208, 42, 130, 234, 21, 18,181,182, 39,227,191, 79,223,215, 170, 207, 109, 106, 221, 93,192,148, 78,107,250,163,57,41,32,15, 230,23,150,34,50,155, 17, 179, 26, 66, 47,129,212, 140, 11, 222, 40, 225, 177, 72, 45,123,235, 61, 80,164,201,33,67,119, 243, 204, 83, 111, 60, 64,167,210, 145]
  
  perturb_sbox (S_box, S_box_inverse, 32, K, N, Digest); is called again after encrypting the second block of 64 bytes. Consequently, σ₁₂₉equals
- [97, 6, 252, 94, 20, 68, 99, 13,240,228, 202, 66, 70, 83, 9,222,133, 154, 87,82, 207, 89,147,176, 28, 157, 80, 65, 81,203,136, 131, 57, 16, 199, 48,139,214, 193, 5, 95, 231, 7,166,249, 104, 179, 192, 114, 183, 115, 178, 172, 245, 105, 209, 116, 61,243,128, 170, 44,145,210, 142, 162, 159, 126, 47, 255, 73, 124, 58, 204, 56, 33,184,153, 235, 221, 135, 112, 141, 143, 29, 106, 93, 90, 181, 118, 144, 64,152,194, 36, 219, 85, 244, 37,111,251, 125, 107, 238, 67,102,239, 78,177,165, 241, 217, 254, 225, 100, 122, 190, 200, 71, 195, 8, 224, 49, 88, 35, 17, 163, 31, 150, 79,253,130, 205, 226, 167, 75,113,246, 30, 212, 3,180,188, 137, 42,232,160, 213, 247, 191, 1,138,168, 121, 186, 220, 189, 223, 164, 27, 175, 62, 74, 134, 54, 51, 52,127,101, 43, 236, 38,229,174, 215, 182, 206, 146, 156, 185, 96, 19, 14, 208, 23,155,120, 218, 69,123,234, 21, 18, 22, 60, 39, 77, 171, 55,161,216, 211, 4,148,103, 46,117,187, 109, 10, 92, 76, 72, 53, 25, 237, 15, 230, 91, 0, 34, 50,119,110, 173, 26, 197, 84, 129, 32,140,198, 86, 40, 59,149,227, 45, 132, 63, 41, 196, 201, 248, 12,108,242, 233, 151, 158, 11, 24, 98, 2,250,169]

In some embodiments, a static substitution box with a good avalanche effect may be applied first, followed by a dynamic substitution box. It is known that the static substitution box shown below exhibits statistics that are close to a good avalanche effect [57]. In an embodiment, consider this substitution box τ shown below.

- [99,124,119, 123, 242, 107, 111, 197, 48, 1, 103, 43,254,215, 171, 118, 202, 130, 201, 125, 250, 89, 71,240,173, 212, 162, 175, 156, 164, 114,192, 183, 253, 147, 38, 54, 63,247,204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18,128,226, 235, 39,178,117, 9, 131,44, 26, 27, 110, 90, 160, 82, 59,214,179, 41, 227, 47, 132, 83, 209, 0, 237, 32,252,177, 91,106, 203, 190, 57, 74, 76, 88,207,208, 239, 170, 251,67, 77, 51, 133, 69, 249, 2, 127, 80, 60,159, 168, 81, 163, 64,143,146, 157, 56,245,188, 182, 218, 33,16,255,243,210, 205, 12,19, 236, 95, 151, 68, 23,196,167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42,144,136, 70, 238, 184, 20, 222, 94, 11,219,224, 50, 58, 10, 73, 6, 36, 92,194,211, 172, 98,145,149, 228, 121, 231, 200, 55,109,141, 213, 78,169,108, 86,244,234, 101,122, 174, 8,186,120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75,189,139, 138, 112, 62,181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29,158,225, 248, 152, 17,105,217, 142, 148, 155, 30,135,233, 206, 85, 40,223,140, 161, 137, 13,191,230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22]

Using function composition, in an embodiment, σ₁∘τ is applied to the first byte of information e₁and computed as σ₁∘τ(e₁). On the second byte e₂of information σ₂∘τ(e₂) is computed. On the 65th byte e₆₅of information, σ₆₅∘τ(e₆₅) is computed. On the 129th byte e₁₂₉of information, σ₁₂₉∘τ(e₁₂₉) is computed.

As an example of this composition of substitution boxes, if e₆₅=255, then σ₆₅∘τ(e₆₅)=σ₆₅(22)=105, based on the substitution boxes previously shown for σ₆₅and τ. If e₁₂₉=255, then σ₁₂₉∘τ(e₁₂₉)=σ₆₅(22)=147.

This composition of substitution boxes yields a favorable cryptographic property because a static substitution box (static permutation) can be used that is known to exhibit close to a good avalanche effect and the other substitution box is unknown to the adversary. Furthermore, due to the good avalanche effect of one-way hash functions and the use of the key generator updating, the unknown substitution box unpredictably changes as the encryption process executes. This increases the computational complexity of potential cryptographic attacks.

6.17 Process. H as a State Generator

In an alternative embodiment, process H is a state generator. This process is a dynamical system that creates a sequence of states. An iterative autonomous dynamical system is created by a function ƒ:X→X, where X is a set. When a function ƒ and an initial orbit point x are chosen, the iteration of ƒ on x creates a sequence of states: [x, ƒ(x), ƒ∘ƒ(x), ƒ∘ƒ∘ƒ(x), . . . ]. This sequence of states is called the orbit of x with the function ƒ. It is also possible to create a sequence of states using a sequence of functions [ƒ₁, ƒ₂, ƒ₃, ƒ₄, . . . ], rather than a single function. The iteration of this collection on an initial orbit point x creates a sequence of states: [x, ƒ₁(x), ƒ₂∘ƒ₁(x), ƒ₃∘ƒ₂∘ƒ₁(x), ƒ₄∘ƒ₃∘ƒ₂∘ƒ₁(x), . . . ]. As the system is iterated, if the function applied sometimes changes, then this is an iterative non-autonomous dynamical system [58]. An iterative autonomous dynamical system is a special case of a non-autonomous dynamical system. If all the ƒ_irepresent the same function, then this is the definition of an autonomous dynamical system.

A smooth dynamical system is created by a vector field on a manifold [59]. If the vector field does not change over time, then it is a smooth autonomous dynamical system. If the vector field changes smoothly over time, then it is a smooth non-autonomous dynamical system. In a smooth dynamical system, one creates a sequence of unpredictable states by sampling the coordinates of the trajectory at successive time intervals: t₀<t₁<t₂< . . .

Below is a summary of an alternative embodiment when the H process acts as a state generator. Process H State Generator Encryption. For each block of plaintext of size n, this part describes an encryption process P∘S∘H. Plaintext [m₁, m₂, . . . , m_n] is the current block that will be encrypted.

- 1. Process H uses some of the current key generator K_Hto generate the next n states [s₁, S₂, . . . , s_n] and partially encrypts this block as [m₁⊕s₁, m₂⊕s₂, . . . , m_n⊕s_n]. A portion of the current key generator K_His updated using a one-way hash function: this means that the next n states used to partially encrypt the next block will usually be different from [s₁, s₂, . . . ,s_n].
- 2. Process S uses some of the current key generator K_Sto generate a substitution box, represented as σ₁. σ₁further encrypts the first element of the block from step 2 as σ₁(m₁⊕s₁). In some embodiments, σ₁is updated to σ₂so that σ₂≠σ₁; in other embodiments, σ₁may not be updated so that σ₂=σ₁. σ₂further encrypts the second element of the block from process H as σ₂(m₂⊕s₂) and so on all the way up to σ_n(m_n⊕s_n). The current key generator K_Sis updated using a one-way hash function: This means that the substitution box for the next block is usually different.
- 3. Process P uses some of key generator K_Pto create permutation τ: {1, . . . , n}→{1, . . . , n} and permute the block from step 2 to [σ_τ(1)(m_τ(1)⊕s_τ(1)), . . . , σ_τ(n)(m_τ(n)⊕s_τ(n)]. Permutation τ spreads the encrypted plaintext from process S over a block of size n. The fully encrypted plaintext block is [e₁, . . . , e_n] where e_k=σ_τ(k)(m_τ(k)⊕s_τ(k)). A portion of the current key generator K_Pis updated using a one-way hash function: this means that the permutation t used for the next block will usually be different.

In one embodiment, the current key generator for process His K_H=[k₁, k₂, . . . , k_n] and m is a positive integer such that m<n. The current plaintext element p will be encrypted by the next state, which is determined as described here. In an embodiment, key generator K_His used to help construct a state generator, wherein one-way hash function Φ is applied to two different portions of the key generator K_Hand the resulting two message digests are compared to generate the next state. In an alternative embodiment, only one message digest is computed and states are determined based on the parity of elements of this single message digest.

In an embodiment, a one-way function Φ is applied to one portion k₁, k₂, . . . , k_mand Φ is applied to a second portion k_j, k_j+1, . . . , k_m−jwhere j+1<n−m or j+1<m. In an embodiment, one message digest is Φ(k₁, k₂, . . . , k_m) and the second message digest is Φ(k₃, k₄, . . . , k_m−2). In an alternative embodiment, when m is an even number, one message digest is Φ(k₁, k₃, k₅, . . . , k_m−1) and the second message digest is Φ(k₂, k₄, k₆, . . . , k_m). Let [t₁, t₂, . . . , t_q] denote the first aforementioned message digest and let [u₁, u₂, . . . , u_q] denote the second aforementioned message digest. In one embodiment, plaintext message element p is 8 bits and each bit of p is encrypted by comparing elements of the first message digest [t₁, t₂, . . . , t_q] with elements of the second message digest [u₁, u₂, . . . , u_q].

Suppose q≥40. In an embodiment, the first bit of p is exclusive-or'd with 1 if [u₁, u₉, u₁₇, u₂₅, u₃₃] is less than [t₁, t₉, t₁₇, t₂₅, t₃₃] with respect to the dictionary order. The first bit of p is left unchanged if [u₁, u₉, u₁₇, u₂₅, u₃₃] is greater than [t₁, t₉, t₁₇, t₂₅, t₃₃] with respect to the dictionary order. Ties are determined by whether u₃₃is odd or even. The following code computes [u₁, u₉, u₁₇, u₂₅, u₃₃] is less than [t₁, t₉, t₁₇, t₂₅, t₃₃] with respect to the dictionary order.

if (u[1] < t [1]) return true;

else if (u[1] == t[1]) {

if (u[9] < t [9]) return true;

else if (u[9] == t[9]) {

if (u[17] < t[17]) return true;

else if (u[17] == t[17]) {

if (u[25] < t[25]) return true;

else if (u[25] == t[25]) {

if (u[33] < t[33]) return true;

else if (u[33] == t[33]) {

if (u[33] is even) return true;

else return false;

}

return false;

}

return false;

}

return false;

}

return false;

}

return false;

In an embodiment, the second bit of p is exclusive-or'd with 1 if [u₂, u₁₀, u₁₈, u₂₆, u₃₄] is less than [t₂, t₁₀, t₁₈, t₂₆, t₃₄] with respect to the dictionary order. The second bit of p is left unchanged if [u₂, u₁₀, u₁₈, u₂₆, u₃₄] is greater than [t₂, t₁₀, t₁₈, t₂₆, t₃₄]. Ties are resolved the same way as for bit 1: i.e., if (u[34] is even) return true; else return false;

In an embodiment, the third bit of p is exclusive-or'd with 1 if [u₃, u₁₁, u₁₉, u₂₇, u₃₅] is less than [t₃, t₁₁, t₁₉, t₂₇, t₃₅] with respect to the dictionary order. The third bit of p is left unchanged if [u₃, u₁₁, u₁₉, u₂₇, u₃₅] is greater than [t₃, t₁₁, t₁₉, t₂₇, t₃₅]. Ties are resolved the same way as for bit 1: i.e., if (u[35] is even) return true; else return false;

This same pattern of dictionary order comparison and encryption is continued for bits 4, 5, 6, 7 and bit 8 of plaintext information p. In some other embodiments, q<40. In some embodiments, a different comparison operator is used on the two message digests. In some embodiments, only one message digest is computed and each bit of the plaintext is encrypted, based on whether one element of the message digest has an odd or even number of 1 bits.

6.18 Distribution of the Nado Key Generators

NADO uses symmetric private key generator sequences K_H, K_Pand K_S. This means the initial private key generator that the encryptor uses for each process is the same as the private key generator that the decryptor uses for that corresponding process. There are different methods for distributing the NADO private key generators.

- 1. An electronic key exchange between two parties can be used.
- 2. A courier may hand-carry the key or key generators to two or more parties.

Method 1 is preferable when the number of potential recipients of an encrypted transmission is large and potential recipients are unknown. These applications include: Secure wireless applications such as mobile phone conversations, wireless e-mail transmissions, wireless transactions, wireless e-commerce, and satellite transmissions. Secure software applications such as e-mail applications, enterprise computing, online e-commerce, online messaging, enterprise portal software, and other internet applications.

In applications where the number of potential recipients of an encrypted transmission is small and the recipients are known beforehand, method 2 can be used, where sending and receiving agents can agree to have the private key or key generators transmitted in a secure way. This method can be used when there are concerns about man-in-the-middle attacks on the key exchange.

6.19 Exchange of Key Generators

In the prior art, the Diffie-Hellman-Merkle key exchange is a key exchange method where two parties (Alice and Bob) that have no prior knowledge of each other jointly establish a shared secret key over an insecure communications channel. In this specification, an extension to this exchange method is used by two parties (Alice and Bob) to establish an initial shared key generator K_H(0) for the H process; establish an initial shared key generator K_P(0) for the P process; and establish an initial shared key generator K_S(0) for the S process.

The key generator exchange depends on the properties of abelian groups. A group G is a set with a binary operation *, (g²means g*g and g⁵means g*g*g*g*g), such that the following four properties hold:

- 1. The binary operation * is closed on G.
  - In other words, a*b lies in G for all elements a and b in G.
- 2. The binary operation * is associative on G.
  - a*(b*c)=(a*b)*c for all elements a, b, and c in G.
- 3. There is a unique identity element e in G. a*e=e*a=a.
- 4. Each element a in G has a unique inverse denoted as a⁻¹.

$a * a^{- 1} = a^{- 1} * a = e .$

In an abstract context, the operator is sometimes omitted so a*b is written as ab. Sometimes the identity of the group is represented as 1 when the group operation is a form of multiplication. Sometimes the identity of the group is represented as 0 when the group operation is a form of addition. The integers { . . . , −2, −1, 0, 1, 2, . . . } with respect to the binary operation + are an example of an infinite group. 0 is the identity element. For example, the inverse of 5 is −5 and the inverse of −107 is 107. The set of permutations on n elements {1, 2, . . . , n}, denoted as S_n, is an example of a finite group with n! elements where the binary operation is function composition. Each element of S_nis a function σ:{1,2, . . . , n}→{1,2, . . . , n} that is 1 to 1 and onto. In this context, σ is called a permutation. The identity permutation e is the identity element in S_n, where e(k)=k for each k in {1,2, . . . , n}.

If H is a non-empty subset of a group G and H is a group with respect to the binary group operation * of G, then H is called a subgroup of G. H is a proper subgroup of G if H is not equal to G (i.e., H is a proper subset of G). G is a cyclic group if G has no proper subgroups. The integers modulo n (i.e., Z_n={[0], [1], . . . [n−1]} are an example of a finite group with respect to addition modulo n. If n=5, [4]+[4]=[3] in Z₅because 5 divides (4+4)−3. Similarly, [3]+[4]=[3] in Z₅. Z₅is a cyclic group because 5 is a prime number. When p is a prime number, Z is a cyclic group containing p elements {[0], [1], . . . [p−1]}. [1] is called a generating element for cyclic group Z since [1]^m=[m] where m is a natural number such that 0<m≤p−1 and [1]^p=[0]. This multiplicative notation works as follows: [1]²=[1]+[1]; [1]³=[1]+[1]+[1]; and so on. This multiplicative notation (i.e. using superscripts) is used in the description of the key generator exchange described below.

There are an infinite number of cyclic groups and an infinite number of these cyclic groups are extremely large. The notion of extremely large means the following: if 2¹⁰²⁴is considered to be an extremely large number based on the computing power of current computers, then there are still an infinite number of finite cyclic groups with each cyclic group containing more than 2¹⁰²⁴elements. Steps 1, 2, 3, 4, and 5 describe the key generator exchange.

- 1. Alice and Bob agree on an extremely large, finite, cyclic group G and a generating element g in G. The group G is written multiplicatively as explained previously.
- 2. Alice picks a random natural number a and sends ga to Bob.
- 3. Bob picks a random natural number b and sends gb to Alice.
- 4. Alice computes (gb)a.
- 5. Bob computes (ga)b.

Alice and Bob sometimes agree on finite cyclic group G and element g long before the rest of the key exchange protocol; g is assumed to be known by all attackers. The mathematical concepts of cyclic group, generating element and finite field are presented in [60].

Both Alice and Bob are now in possession of the group element gab, which can serve as the shared secret key. The values of (gb) a and (ga) b are the same because g is an element of group G. Alice can encrypt information m, as mgab, and sends mgab to Bob. Bob knows |G|, b, and ga. For finite groups, Lagrange's theorem implies that the order of every element of a group divides the number of elements in the group, denoted as |G|. This means x^|G|=1 for all x in G where 1 is the identity element in group G. Bob calculates (ga)^|G|−b=(g^|G|)^ag^−ab=(g^ab)⁻¹. After Bob receives the encrypted information mg^abfrom Alice, then Bob applies (g^ab)⁻¹and decrypts the encrypted information by computing m g^ab(g^ab)⁻¹=m.

6.20 Elliptic Curve Key Generator Exchange

This section describes an asymmetric key cryptography, called elliptic curve cryptography, which in some embodiments can be used to implement a key generator exchange. The notation Enc(E, m) is used to represent the result of encrypting plaintext m using an elliptic curve E. In what follows, the notation Dec(E, c) is used to represent the result of decrypting ciphertext c which is embedded as a point on elliptic curve E. In an embodiment, elliptic curve cryptography is an asymmetric cryptography method used to establish shared key generators between Alice and Bob.

In an embodiment, it is assumed that E is an elliptic curve over finite field F_pwhere p is a prime number and H is a cyclic subgroup of E(F_p) generated by the point P that lies in E(F_p). Alice wants to securely send information to Bob whose public key is (E, P, aP) and whose private key is the natural number a<p−1.

Alice executes the following Encryption Stage. Chose a random natural number b<p−1. Consider the plaintext information embedded as points m on E. Compute β=bP and γ=m+b(ap). Send the ciphertext Enc(E, m)=c=(B, γ) to Bob. Bob executes the following Decryption Stage after receiving the ciphertext c=(β, γ). The plaintext m is recovered using the private key as Dec(E, c)=m=γ−αβ.

Elliptic curve computations over a finite field also enable Alice and Bob to establish common private key generators before the symmetric cryptography is started. The following is a simple example described here for illustrative purposes, not security purposes. Consider the elliptic curve E given by y²=x³+4x+4 over F₁₃. It can be shown that E(F₁₃) has 15 elements which is necessarily cyclic. Also, P=(1, 3) is a generator of E. Assuming that Bob's public key is (E, P, 4P) where a=4 is the private key and m=(10, 2) is the information that Alice wants to send to Bob, then Alice performs the following. Alice chooses b=7 at random. Then Alice calculates Enc(E, m)=Enc(E, (10,2))=(bP,m+b(aP))=(7P, (10,2)+7(4P))=((0,2), (10,2)+7(6,6))=((0, 2), (10, 2)+(12, 5))=((0, 2), (3, 2))=(β, γ)=c. Then Alice sends ciphertext c=(β, γ)=((0, 2), (3, 2)) to Bob who uses his private key to decrypt the ciphertext and recover information m=(10,2) as follows: Dec(E,c)=(3,2)−4(0,2)=(3,2)−(12,5)=(3,2)+(12,8)=(10,2). For further information on elliptic curves, see [61, 62].

In an embodiment, the 25519 curve [42] may be used to perform a elliptic curve key generator exchange. The curve 25519 function is F_prestricted x-coordinate multiplication on E(F_p²), where p is the prime number 2²⁵⁵−19 and E is the elliptic curve y²=x³+486663x²+x. The order of the base point 9 on curve 25519 is 2²⁵²+27742317777372353535851937790883648493 which is a prime number so the group for this elliptic curve is cyclic. Curve 25519 is conjectured to have a complexity of 2¹²⁸for conventional Turing machine algorithms, based on the last two decades of research on elliptical curve cryptography.

A private elliptic curve point for curve 25519 can be created by any sequence of 32 bytes (256 bits). In an embodiment shown in 136 of FIG. 1B and in 140 of FIG. 1D, a non-deterministic generator cre-ates these bits by measuring event times of photons as described in section 6.8, titled CRYPTOGRAPHIC HARDWARE and INFRASTRUCTURE. In an embodiment, 256 distinct triplets of photons event times (t_(1,1), t_(1,2), t_(1,3)), (t_(2,1), t_(2,2), t_(2,3)), . . . (t_(k,1), t_(k,2), t_(k,3)), . . . (t_(256,1), t_(256,2), t_(256.3)) that for each k satisfy t_(k,1)<t_(k,2)<t_(k,3)and t_(k,2)−t_(k,1)≈t_(k,3)−t_(k,2)are observed by the non-deterministic generator.

Each triplet generates a 1 or 0 depending on whether t_(k,2)−t_(k,1)>t_(k,3)−t_(k,2)or t_(k,2)−t_(k,1)<t_(k,3)−t_(k,2). Each corresponding public elliptic curve point is computed, using curve 25519, the base point 9 and the 32 byte private elliptic curve point that was obtained from non-deterministic generator 136 in FIG. 1B. In an embodiment, Alice may generate 6 public elliptic curve points using curve 25519 and Bob may generate 6 public elliptic curve points. As described in further detail below, Alice and Bob may execute a key generator exchange 6 times using curve 25519. As a result of performing this exchange 6 times, Alice and Bob are able to establish a shared 64 bytes for key generator K_H(0) and a shared 64 bytes for key generator K_P(0), and also and a shared 64 bytes for key generator K_S(0). In this embodiment and other embodiments, each of these shared key generators may be established independently of the other two.

Next a particular execution (of curve 25519 establishing a shared secret of 32 bytes between Alice and Bob) is described. From a non-deterministic generator (e.g., the hardware in FIG. 1D), Alice generates the following private elliptic curve point.

176
58
103
36
37
153
39
136
180
50
46
216
242
83
24
30

195
218
194
126
250
57
183
248
185
98
39
166
78
243
168
110

Alice uses her private elliptic curve point and base point 9 to compute on curve 25519 the following public key.

176
14
25
19
209
34
71
218
92
255
207
141
132
249
209
123

121
96
174
173
235
210
156
15
93
151
82
191
57
78
189
101

Alice sends her public elliptic curve point to Bob.

From non-deterministic hardware shown in FIG. 1D, Bob generates the following private elliptic curve point.

160
234
84
52
17
88
119
69
197
210
143
199
195
20
88
62

228
4
215
143
181
48
78
47
23
101
23
184
47
232
37
80

Bob uses his private elliptic curve point and base point 9 to compute on curve 25519 the following public elliptic curve point.

104
9
3
245
60
155
177
175
166
78
151
128
205
57
243
109

121
237
239
140
224
210
200
46
214
102
212
168
162
221
188
21

Bob sends his public elliptic curve point to Alice.

Next Alice uses her private elliptic curve point and Bob's public elliptic curve point to compute on curve 25519 the shared point shown below.

134
141
241
224
244
91
115
246
226
156
20
66
29
94
238
158

67
135
202
219
21
47
129
214
150
235
119
141
40
57
202
83

Similarly, Bob uses his private elliptic curve point and Alice's public elliptic curve point to compute on curve 25519 the shared point shown below.

134
141
241
224
244
91
115
246
226
156
20
66
29
94
238
158

67
135
202
219
21
47
129
214
150
235
119
141
40
57
202
83

When this exchange is performed 6 times, this enables Bob and Alice to establish 64 bytes of shared key generator K_H(0) for process H, 64 bytes of shared key generator K_P(0) for process P and 64 bytes of shared key generator K_S(0) for process S.

Although the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the true spirit and scope of the invention. In addition, modifications may be made without departing from the essential teachings of the invention.

REFERENCES

[1] Mihir Bellare and Phillip Rogaway. Introduction to Modern Cryptography. 2005.

[2] Oded Goldreich. Foundations of Cryptography. Volumes I Basic Tools. Cambridge University Press. 2001.

[3] Oded Goldreich. Foundations of Cryptography. Volume II Basic Applications. Cambridge University Press. 2004.

[4] T. W. Cusick and Pante Stanica. Cryptographic Boolean Functions and Applications. Academic Press, Elsevier, 2009.

[5] NIST. Advanced Encryption Standard (AES), FIPS 197. Nov. 2001.

[6] Richard A. Mollin. Codes: The Guide to Secrecy From Ancient to Modern Times. Chapman & Hall. 527-530, 2005.

[7] Juliano Rizzo and Thai Duong. Practical Padding Oracle Attacks. Black Hat Conference. 2010.

[8] Data Encryption Standard. Federal Information Processing Standards Publication. FIPS PUB 46, National Bureau of Standards, Washington, D C. 1977.

[9] Data Encryption Standard (DES). Federal Information Processing Standards Publication, FIPS PUB 46-3, National Bureau of Standards, Gaithersburg, MD. 1999.

[10] Alex Biryukov and Khovratovich, D.: Related-Key Cryptanalysis of the Full AES-192 and AES-256. In Matsui, M., ed.: Asiacrypt. LNCS 5912, Springer, 1-18, 2009.

[11] Alex Biryukov, Khovratovich, D., Nikolic, I. Distinguisher and Related-Key Attack on the Full AES-256. Ad-vances in Cryptology—Crypto 2009. LNCS 5677. Springer, 231-249, 2009.

[12] Patrick Derbez, Pierre-Alain Fouque and Jeremy Jean. Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting. Advances in Cryptology—Eurocrypt 2011. LNCS 7881. Springer, 371-387, 2011. [13] Alex Biryukov and Dmitry Khovratovich. Feasible Attack on the 13-round AES-256. 2010.

[14] Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Biclique Cryptanalysis of the Full AES. Advances in Cryptology—Asiacrypt 2011. LNCS 7073, Springer, 344-371, 2011.

[15] Daniel Bernstein and Tanja Lange. Non-uniform cracks in the concrete: the power of free precomputation. Advances in Cryptology—Asiacrypt. LNCS 8270. Springer, 321-340, 2013.

[16] Orr Dunkelman, Nathan Keller, Adi Shamir. Improved Single-Key Attacks on 8-round AES. Cryptology ePrint Archive, Report 2010:322, 2010.

[17] Jon Passki and Tom Ritter. An Adaptive-Ciphertext Attack against I® C Block Cipher Modes with Oracle. IACR Cryptology ePrint Archive 2012:292, 2012.

[18] Horst Feistel. Cryptography and Computer Privacy. Scientific American. 228, No. 5, 15-23, 1973.

[19] Clark Robinson. Dynamical Systems Stability, Symbolic Dynamics, and Chaos. CRC Press. 1995.

[20] Dake. Image of SHA-1 avalanche effect.

[21] Xuejia Lai. Higher Order Derivatives and Differential Cryptanalysis. In Communications and Cryptography: Two Sides of One Tapestry, R. E. Blahut et al., eds., Kluwer Adademic Publishers, 227-233, 1994.

[22] Ming Duan, Xuejia Lai, Mohan Yang, Xiaorui Sun and Bo Zhu. Distinguishing Properties of Higher Order Derivatives of Boolean Functions. IACR Cryptology ePrint. 2010.

[23] NIST. FIPS-180-4. Secure Hash Standard, March 2012.

[24] John Hennessy, David Patterson. Computer Architecture. 5th Edition, Morgan Kaufmann, 2012.

[25] NIST. FIPS-180-2: Secure Hash Standard, August 2002.

[26] Claude Shannon. Communication Theory of Secrecy Systems. 1949.

[27] Alan M. Turing. On computable numbers, with an application to the Entscheidungsproblem. Proc. London Math. Soc. Series 2 42 (Parts 3 and 4), 230-265, 1936.[28] Andre Stefanov, Nicolas Gisin, Olivier Guinnard, Laurent Guinnard, and Hugo Zbinden. Optical quantum random number generator. Journal of Modern Optics, 47(4):595-598, 2000.

[29] Mario Stipcevic and B. Medved Rogina. Quantum random number generator based on photonic emission in semiconductors. Review of Scientific Instruments. 78, 045104: 1-7, 2007.

[30] A. A. Abbott, C. S. Calude, J. Conder & K. Svozil. Strong Kochen-Specker theorem and incomputability of quantum randomness. Physical Review A. 86 062109, 1-11, 2012.

[31] John Conway and Simon Kochen. The Strong Free Will Theorem. Notices of the American Mathematical Society. 56(2), 226-232, February 2009.

[32] Simon Kochen and Ernst P. Specker. The Problem of Hidden Variables in Quantum Mechanics. Journal of Mathematics and Mechanics (now Indiana Univ. Math Journal) 17 No. 1, 59-87, 1967.

[33] Klint Finley. Chinese Supercomputer Is Still the World's Most Powerful. Wired Magazine. Nov. 18, 2013.

[34] A. F. Webster and S. E. Tavares. On the Design of S-Boxes. Advances in Cryptology. CRYPTO 85 Proceedings. LNCS 218. Springer, 523-534, 1986.

[35] Guido Bertoni, Joan Daemen, Michael Peeters, Gilles Van Assche. Keccak Reference 3.0 2011.

[36] Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, Christian Winnerlein. BLAKE.

[37] Praveen Gauravaram, Lars Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schlaffer, and Soren S. Thomsen. GrØstl—a SHA-3 candidate.

[38] Hongjun Wu. The Hash Function J H. 2011.

[39] Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker. The Skein Hash Function Family. 2010.

[40] Ralph C. Merkle. Secure Communications over Insecure Channels. Communications of the ACM. 21 (4), 294-299, April 1978. Rejected 1975 submission:

[41] Whitfield Diffie and Martin Hellman. New directions in cryptography. IEEE Transactions on Information Theory 22, 644-654, 1976.

[42] Daniel Bernstein. Curve25519: new Diffie-Hellman speed records. Public Key Cryptography. LNCS 3958. New York, Springer. 207-228, 2006.

[43] Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin Yang. High-speed high-security signatures. Journal of Cryptographic Engineering. 2, 77-89, 2012.

[44] Ross Anderson, Eli Biham, Lars Knudsen. A Proposal for the Advanced Encryption Standard.

[45] Claude Shannon. A universal Turing machine with two internal states. Automata Studies, C. E. Shannon and J. McCarthy (eds.). Princeton University Press, 129-153, 1956.

[46] Yiannis N. Moschovakis. What is an algorithm? In Mathematics Unlimited—2001 and beyond (eds. B. Engquist and W. Schmid), Springer. 919-936, 2001.

[47] Yiannis N. Moschovakis. Algorithms and Implementations. Tarski Lecture 1, Mar. 3, 2008.

[48] Yuri Gurevich. What is an algorithm? In SOFSEM: Theory and Practice of Computer Science (eds. M. Bielikova et al.), LNCS 7147. Springer. 31-42, 2012.

[49] Michael S. Fiske. Turing Incomputable Computation. Turing-100 Proceedings. Alan Turing Centenary. EasyChair 10, 69-91, 2012.

[50] Michael S. Fiske. Quantum Random Active Element Machine. UCNC 2013 Proceedings. LNCS 7956, 252-254, Springer, 2013.

[51] Daniel Bernstein. Cache-timing attack on AES. 2005.

[52] Dmitry Khovratovich, Christian Rechberger and Alexandra Savelieva. Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family. FSE, 244-263, 2012.

[53] E. Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. Advances in Cryptology. CRYPTO 90 Proceedings. LNCS 537. Springer, 2-21, 1990.

[54] Xuejia Lai. Higher Order Derivatives and Differential Cryptanalysis. In Communications and Cryptography: Two Sides of One Tapestry, R. E. Blahut et al., eds., Kluwer Adademic Publishers, 227-233, 1994.

[55] L. Knudsen. Truncated and higher order differentials. In Fast Software Encryption. Springer, 196-211, 1995.

[56] Jialin Huang and Xuejia Lai. What is the Effective Key Length for a Block Cipher: an Attack on Every Block Cipher. Science China Information Sciences. 57, Issue 7, Springer, 1-11, 2014.

[57] Fouz Sattar and Muid Mufti. Spectral Characterization and Analysis of Avalanche in Cryptographic Substitution Boxes using Walsh-Hadamard Transformations. International Journal of Computer Applications. 28 No. 6. August 2011.

[58] Michael Stephen Fiske. Non-autonomous Dynamical Systems Applicable to Neural Computation. Northwestern University. 1996.

[59] Mike Spivak. Differential Geometry. Volume I. Publish or Perish, Inc. 1979.

[60] Nathan Jacobson. Basic Algebra I. W.H. Freeman and Company. 1985.

[61] Neil Koblitz. Introduction to Elliptic Curves and Modular Forms. Springer-Verlag 1984.

[62] Joseph Silverman and John Tate. Rational Points on Elliptic Curves. Springer-Verlag 1992.

Number	Date	Country
61865134	Aug 2013	US
61992915	May 2014	US
62004852	May 2014	US
62056537	Sep 2014	US

	Number	Date	Country
Parent	14843999	Sep 2015	US
Child	18412537		US
Parent	16826304	Mar 2020	US
Child	18412537		US

NADO CRYPTOGRAPHY with KEY GENERATORS

Information

Publication Number

Date Filed

Date Published

Inventors

CPC

International Classifications

Abstract

Description

Claims

1 RELATED APPLICATIONS

Provisional Applications (4)

Continuation in Parts (2)