OUTPUT CIPHER FEEDBACK TYPE PSEUDO NOISE-SEQUENCE GENERATION
BACKGROUND
The present invention relates to an improved method and apparatus for generating a pseudo noise sequence (PN sequence). More particularly, the present invention pertains to the generation of a keyed cryptographically strong PN sequence from a block cipher in the output cipher feedback (OFB) mode.
A need exists for data security in systems that transmit, store or manipulate data. In communication systems, for example, it is desirable to provide a secure communications link for the transmission of conversations, messages or other information between users. Typical communications systems that require data security include wireless communication systems such as cellular telephony, paging systems and satellite transmission, as well as wireline communication systems such as cable television, optical cable communications, landline telephone, or other private or public data networks. In regard to data storage or data manipulation applications in which there is a need for security, typical examples of such applications include data storage systems (e.g., computer disks, storage drives or data buffers) and data processing programs (e.g., computer programs, logic circuits and the like). Typical cryptographic applications include methods of confidentially encoding information through the use of stream ciphers. In short, a need exists in many different types of systems for data security measures that prevent unauthorized access to the protected information or data.
Data encryption using PN sequences can reduce the likelihood of unauthorized eavesdropping or spoofing, thus enhancing the security of data communications. Keyed PN sequences may be used in communication or cryptographic applications to construct messages that appear to be a sequence of random symbols. Since the PN sequence is not actually random, but only appears to be random, a cryptographically protected communication signal may be decoded at the receiving end through the use of a secret key to perform the inverse encryption operation and thereby separate the PN sequence from the underlying information signal.
In a communication system, the communication link is exposed to third parties, so it tends to be the portion of the system most vulnerable to eavesdropping or spoofing, that is, the unauthorized interception or introduction of information. PN sequences may be used in spread-spectrum communication systems to provide security. For instance, PN sequences are often used as spreading sequences in spread-spectrum communication systems to determine the hop sequence and/or the direct spreading sequence. In this way the information communicated via a spread-spectrum communication system is kept secure, since the secret key that generates the PN sequence is shared only among the communicating parties.
FIG. 1 is a conventional block cipher system 100 configured in the output cipher feedback (OFB) mode. In general, an OFB type block cipher system 100 as shown in FIG. 1 derives a PN sequence by providing a feedback loop of the PN data supplied at the output of the block cipher back to the input of the block cipher.
An input register 110 of the OFB type block cipher system 100 receives data and, in turn, provides the data to the block cipher section 120. FIG. 1 depicts the block cipher section 120 as having a width W, equal to the width of the input register 110. The block cipher section 120 also receives a secret key from the key section 112. Data is processed within the block cipher section 120 using the secret key to produce PN data consisting of symbols, or data bits, that appear to be randomly distributed. The PN data is then provided from the block cipher section 120 to the output register 130. An important feature of the conventional OFB type block cipher system 100 is that only a portion of the PN data from the output register 130 is supplied as a PN sequence. For instance, FIG. 1 depicts a number r of new symbols output as part of the PN sequence from the output register 130, where r is less than the width W of the block cipher section 120. Another important feature of the OFB type block cipher system 100 is that part of the ciphered PN data output from the output register 130 is fed back to be used as an input to the input register 110. That is, some of the symbols of the PN data generated in the block cipher section 120 are directed back to the input register 110. For instance, FIG. 1 depicts a number W - r of symbols being provided via a feedback loop from the output register 130 back to the input register 110.
The fraction of the block cipher output that is emitted as PN symbols (r out of W) is a tradeoff between security and efficiency. From a security point of view, it is advantageous to emit fewer than all of the output symbols, since the emitted symbols reveal information about the input/output behaviour of the block cipher that can possibly be used to recover the secret key. Hence, a smaller value of r relative to W tends to produce a more secure PN sequence. However, emitting fewer output symbols (i.e., a smaller r value) makes the generation of the PN sequence less efficient. For example, in the case where a block cipher is W bits wide and r = 1, meaning that only one bit of the output of the block cipher is used to give a new PN symbol, the computational burden (i.e., number of uses or iterations) of the block cipher to produce a PN sequence of length N will be a factor W times larger than it would be when using the full output of W bits. This becomes disadvantageous when the block cipher is complex or in applications where power consumption is critical, such as in a battery driven device.
FIG. 2 is a conventional block cipher system 200 that has a round structure. An iteration of the block cipher shown in FIG. 2 is often referred to as a "round;" thus, the function in each iteration is called a round function. The conventional block cipher system 200 is typically constructed using round functions 224, each of which performs a partial encryption. In short, the block cipher system 200 having a round function configuration does a partial encryption using a sub-key derived in sub-key generator 214 from a key input 212.
In general, the block cipher system 200 has an input register 210 that receives data to be encrypted. The data may be processed through an input transformation section 222, and fed into a first one of the round functions 224. The input transformation section 222 may be configured to perform data conversion to put the input data in a proper format for further processing within the block cipher system 200. Such processing may include, for instance, reordering of the data to further enhance the security of the PN sequence output or to increase the efficiency of the block cipher system 200. The input transformation section 222 provides the processed data to a first one of the round functions 224.
The data becomes encrypted by iterating the round functions 224 a sufficient number of times, each time using a different sub-key to partially encrypt the data. For instance, the block cipher system 200 of FIG. 2 depicts the round function 224 being iterated 2K times. After being iterated in the round function 224, the encrypted data may be processed through an output transformation section 226. For instance, the output transformation section 226 may perform a conversion of the PN data in a manner similar to, or complementary to, that of the input transformation section 222 before the data is output from the output register 230. That is, the output transformation section 226 may reorder the PN data to cancel the reordering of the input transformation section 222, or may otherwise process the PN data for security or processing efficiency purposes. The output transformation section 226 then provides the PN data to an output register 230, where it is finally supplied at an output from the output register 230.
Conventional block ciphers such as the block cipher system 200 often have weaknesses that may not be discovered until after their conception. Given a sufficient number of input/output pairs, such weaknesses can be exploited to construct an attack that will recover the key. Because of this, it is desirable to enhance the security of the PN sequence generator by keeping the information given away about the input/output pairs of the block cipher to a minimum when producing a PN sequence. However, enhancing the security in such a manner tends to reduce the rate of PN sequence generation, where rate is defined as the number of binary PN symbols generated per usage of the block cipher. That is, a conventional block cipher may be made more secure by reducing the information given away about the input/output pairs of the block cipher, but such measures reduce the rate at which the OFB construction produces PN symbols. Thus, a trade-off exists in a block cipher using a round function between security and efficiency considerations.
It is therefore desired to provide improved methods and apparatuses for the generation of PN sequences.
SUMMARY OF THE INVENTION
The present invention is directed to a method and apparatus for the generation of a keyed cryptographically strong PN sequence from a block cipher operating in the output cipher feedback (OFB) mode.
The present invention has a practical application in the technological arts of encoding, enciphering or encrypting information. For example, an apparatus or method according to the present invention generates a sequence of pseudo-random bits for encoding, enciphering or encrypting information such as human speech, written text, audio or video signals.
According to exemplary embodiments of the present invention, a feedback loop is provided from an intermediate part of a block cipher back to the input. This allows symbols of partially encrypted data to be directed back to the input section for use as input values. By taking input values via the feedback loop from the middle of the block cipher instead of from the PN sequence output data, the PN sequence output by the present invention does not contain any input/output pair information for the full block cipher. Because input/output pairs are not in the output PN sequence, the full width of data from within the block cipher can be utilized for the feedback loop without compromising the security of the system. Such full use of data for feedback increases the processing efficiency of the system.
Generally speaking, exemplary embodiments of the present invention are directed to a round function output feedback-type (OFB-type) block cipher apparatus for generating a sequence of pseudo-random bits. The OFB-type block cipher apparatus has an input section, a block cipher section, a key data source, an output section, and a feedback loop from an intermediate part of said block cipher to the input section. Data received at the input section is passed to or shifted into the block cipher section. The block cipher section has a number of round functions and is connected to a key data source which itself has a number of sub-key data sources. Each of the round functions of the block cipher section partially encrypts data using a sub-key from one of the sub-key data sources. The block cipher section is also connected to an output section. In accordance with the present invention, a feedback loop connects an intermediate part of the block cipher to the input section. In this way, the feedback loop provides partially encrypted data from within the block cipher back to the input section. Other exemplary embodiments of the present invention are directed to methods of performing round function OFB block cipher processing to generate a sequence of pseudo-random bits. According to one exemplary method, received data is provided to a block cipher section which has a number of round functions, each round function being in communication with a sub-key for encrypting the data in the block cipher section. Data is partially encrypted in each of the round functions of said block cipher section using the sub-keys. Partially encrypted data is sent via a feedback loop from an intermediate part of the block cipher back to the input section. Encrypted data is provided to an output section in communication with the block cipher, thus generating a sequence of pseudo-random bits of encrypted data.
BRIEF DESCRIPTION OF THE DRAWINGS
Other objects and advantages of the present invention will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments, in conjunction with the accompanying drawings, wherein like reference numerals have been used to designate like elements, and wherein:
FIG. 1 is a conventional OFB type block cipher for generating a keyed PN sequence;
FIG. 2 is a conventional block cipher with a round structure for generating a keyed PN sequence;
FIG. 3 is an OFB-type block cipher for generating a keyed PN sequence according to the present invention;
FIG. 4 is a round function OFB-type block cipher using an intermediate round for the feedback loop according to another exemplary embodiment of the present invention; and
FIG. 5 is an OFB-type block cipher system in accordance with an alternative embodiment of the present invention configured with a feedback loop path section which switches the feedback amongst the round functions.
DETAILED DESCRIPTION
FIG. 3 is an OFB-type block cipher system 300 according to an exemplary embodiment of the present invention for generating a keyed PN sequence. In accordance with this and other embodiments of the present invention, the aforementioned tradeoff between security and efficiency considerations may be reduced. The block ciphers according to the present invention maintain both a high degree of security and a relatively fast transmission rate. The OFB-type block cipher system 300 generates a sequence of pseudo-random bits which may be used, for example, in the encoding of information.
Input section 310 of the OFB-type block cipher system 300 may comprise one or more input registers, buffers, data latches, feedthrough paths, or like circuitry for receiving data. The data input section 310 is depicted in FIG. 3 as a register having a width equal to a number W of bits. As such, the data input section 310 can be loaded with a number W of bits that may be provided to the next section of the OFB-type block cipher system 300. In the case of the data input section 310 being a register, data is typically loaded by shifting bits of the data a number of places into the data input section 310. The data input section 310, having been loaded with data, provides data to a block cipher section 320. For the purposes of describing the present invention, the term bits as used herein refers to digital ones and zeros, symbols, characters, portions of data or other instances of information.
The block cipher section 320 is depicted in FIG. 3 as having a width W, corresponding to the width W of the data input section 310. In addition to receiving data from the data input section 310, the block cipher section 320 also receives a key as an input from the key section 312 which serves as a key data source. The key may be a secret key, an algorithm or relationship, or other information for encoding data. Data received from the data input section 310 is processed within the block cipher section 320 using the key to produce PN data in the form of data bits, sometimes called symbols, that appear to be randomly distributed. The PN data is then supplied to the output section 330 from the block cipher section 320.
According to the exemplary configuration of the present invention shown in FIG. 3, a feedback loop is provided from within the block cipher section 320. This allows symbols of partially encrypted data from within the block cipher section 320 to be directed back to the data input section 310. For instance, FIG. 3 depicts a number W of symbols being provided via a feedback loop from the block cipher section 320 back to the data input section 310. In accordance with the present invention, the feedback loop may be provided from an intermediate point, which may be any point within the block cipher section 320 other than the final output of the block cipher section 320 that is supplied to the output section 330. Providing the feedback from an intermediate point of the block cipher section 320 provides the greatest degree of security. The intermediate point from which the feedback loop is derived is defined as being neither the input of the block cipher section 320 nor the final output of the block cipher section 320. The intermediate point need not be the very centermost point of the block cipher section 320. Preferably, however, the point from which the feedback loop is derived is configured towards the middle of the block cipher section 320, that is, closer to the centermost point than to the input of the block cipher section 320 or the output of the block cipher section 320.
By taking input values from an intermediate point of the block cipher section 320 via the feedback loop instead of from the PN sequence output data, the data that is output at output section 330 of the present invention does not contain input/output pair information. Since no input/output pair information is contained in the PN data output of the output section 330, the full amount of data (i.e., width W) from within the block cipher section 320 can be utilized for the feedback loop to the data input section 310 without compromising the security of the system. In accordance with alternative embodiments of the present invention, the feedback loop to the input section 310 may be configured to provide data from more than one point within the block cipher 320. In one alternative embodiment, the feedback loop "hops," or is switched, from one point to another so as to provide data from different points within the block cipher 320 to the input section 310. The feedback loop may be connected to various points within the block cipher 320 according to an algorithm or scheme which may be predetermined to further enhance the security of the block cipher system 300. Furthermore, the algorithm or scheme may be such that the feedback loop is connected to only one point within the block cipher 320 at any one time. Alternatively, the algorithm or scheme may be such that the feedback loop is connected to more than one point within the block cipher 320 simultaneously. The feedback loop hopping could be controlled by or depend on the sub-key, wherein a control line is connected between the sub-key section 312 and a feedback loop path section. Otherwise, the feedback loop hopping could be deterministically independent of the sub-key.
FIG. 4 is an OFB-type block cipher system 400 configured with round functions and having a feedback loop from one of the rounds, according to an exemplary embodiment of the present invention. The round function OFB-type block cipher system 400 is constructed using round functions 424 that each perform a partial encryption using a sub-key derived in sub-key generator 414 from a key input 412 which serves as a key data source. The key may be a secret key, an algorithm or relationship, or other information for encoding data. The OFB-type block cipher system 400 generates a sequence of pseudo-random bits which may be used, for example, in the encoding of information. An iteration of the block cipher depicted in FIG. 4 may be referred to as a "round." A round may be an algorithm, function, transform, or encoding scheme associated with the iterations of the block cipher system 400.
Input section 410 of the round function OFB-type block cipher system 400 may comprise one or more input registers, buffers, data latches, feedthrough paths, or like circuitry for receiving data, as discussed above in regard to the previous embodiment. The input section 410 is depicted as having a width W of bits. Upon being loaded with data, the data input section 410 provides the data to an input transformation section 422 for processing. The input transformation section 422 performs data conversion to put the input data in a proper format for further processing within the round function OFB-type block cipher system 400. Such processing may include, for instance, reordering of the data to further enhance the security of the PN sequence output or to increase the efficiency of the round function OFB-type block cipher system 400. The input transformation section 422 provides the processed data to a first one of the round functions 424. As an alternative to the embodiment depicted in FIG. 4, the data input section 410 may be configured to provide data directly to the round functions 424, without the input transformation section 422.
The round function OFB-type block cipher system 400 is configured to have a number of round functions 424, each of which performs a partial encryption of the data. Each of the round functions 424 may be designed to use a different sub-key to perform a partial encryption. By iterating inputted data through the round functions 424 a sufficient number of times, the data provided to data input section 410 is encrypted in such a way that cryptanalysis becomes infeasible with presently known methods and computational resources. The round function OFB-type block cipher system 400 of FIG. 4 is depicted as having a number 2K of the round functions 424. Hence, the input data provided from the input transformation section 422 to the round functions 424 is iterated 2K times to produce PN data that has been fully encrypted to appear as a random string of data bits.
According to the exemplary configuration of the present invention shown in FIG. 4, a feedback loop is provided after the Kth one of the round functions 424 of the round function OFB-type block cipher system 400. According to this preferred embodiment, all W of the bits of the partially encrypted data at round K are directed back to the data input section 410, as shown in FIG. 4. According to alternative embodiments, a number less than W of the bits may be provided via a feedback loop from the Kth round back to the data input section 410. In accordance with the present invention, the feedback loop may be provided from any round of the round functions 424, except the last round. According to a preferred embodiment, the feedback loop is provided from an iteration at or near the Kth round, in order to provide the greatest degree of security. That is, the feedback is preferably taken from about halfway through the full number of iterations back to the input.
By taking input values from the Kth round via the feedback loop instead of from the PN sequence output data, the data that is output at output section 430 of the present invention contains no direct input/output pair information. Since no direct input/output pair information is contained in the PN data output from the output section 430, the full amount of data (i.e., width W) from the Kth round can be utilized for the PN sequence without compromising the security of the system.
The last of the round functions 424 provides the PN data to an output transformation section 426. The output transformation section 426 performs data processing. For instance, the output transformation section 426 may perform a conversion of the PN data in a manner similar to, or complementary to, that of the input transformation section 422. That is, the output transformation section 426 may reorder the PN data to cancel the reordering of the input transformation section 422, or may otherwise process the PN data for security or processing efficiency purposes. The output transformation section 426 then provides the PN data to an output section 430. As an alternative to the embodiment depicted in FIG. 4, the output section 430 and the round functions 424 may be configured such that the round functions 424 provide data directly to the output section 430, without the output transformation section 426. Finally, the PN data, having been loaded into the output section 430, is output as a PN sequence.
FIG. 5 is an OFB-type block cipher system 500 in accordance with an alternative embodiment of the present invention in which the feedback loop to the input section 410 is configured to provide data from more than one of the round functions 424. In this alternative embodiment, the feedback loop "hops" or switches from one to another of the round functions 424 via a feedback loop path section 540, so as to provide data from different ones of the round functions 424 to the input section 410. The feedback loop may be connected to various ones of the round functions 424 according to an algorithm or scheme which may be predetermined to further enhance the security of the block cipher system 500. Furthermore, the algorithm or scheme may be such that the feedback loop is connected to only one of the round functions 424 at any one time. Alternatively, the algorithm or scheme may be such that the feedback loop is connected to more than one of the round functions 424 simultaneously. The feedback loop hopping could be controlled by or depend on the sub-key as depicted in FIG. 5, wherein a control line is connected between the sub-key generator 414 and the feedback loop path section 540. Otherwise, the feedback loop hopping could be deterministically independent of the sub-key, in which case the sub-key generator 414 need not be directly connected to the feedback loop path section 540.
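The following Python program is an added worked example, not code from the patent or from any product described in it. It models the three feedback arrangements discussed above with a constructed toy cipher: the conventional OFB generator of FIG. 1 (r emitted bits per block cipher call, with the full-width case r = W from the rate comparison in the background section), the FIG. 4 generator that feeds back the full W-bit state after round K of 2K, and the FIG. 5 variant in which the tap round hops under control of the sub-key. The 32-bit Feistel round, the key schedule, the hop schedule `subkey_hop`, the register-loading rule used for r < W, and the sample key and IV are all assumptions made for the example. The function `exposed_io_pairs` makes the security claim of the text concrete: it counts consecutive output blocks (x, y) that are valid input/output pairs of the full cipher, which is exactly the information a cryptanalyst collects from full-width conventional OFB and which the intermediate-round feedback removes from the stream.

```python
"""Toy OFB-style PN generators for the feedback arrangements of FIG. 1, 4 and 5.
The round function and key schedule are constructed for illustration only;
they are not a real cipher and not the cipher of the patent."""

W = 32                          # block width in bits
K = 4                           # FIG. 4 feedback tap: after round K of 2K
ROUNDS = 2 * K
MASK16, MASK32 = 0xFFFF, 0xFFFFFFFF

def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16

def subkeys(key):
    """Constructed toy key schedule: one 16-bit sub-key per round."""
    sks, k = [], key & MASK32
    for i in range(ROUNDS):
        k = (k * 0x9E3779B1 + i + 1) & MASK32
        sks.append((k >> 16) ^ (k & MASK16))
    return sks

def round_function(state, sk):
    """One Feistel round on a W-bit state split into two 16-bit halves."""
    left, right = state >> 16, state & MASK16
    f = _rotl16((right + sk) & MASK16, 5) ^ (right >> 3) ^ sk
    return (right << 16) | (left ^ f)

def apply_rounds(state, sks, start, stop):
    """Rounds start..stop-1 (0-based); a partial encryption when stop < ROUNDS."""
    for i in range(start, stop):
        state = round_function(state, sks[i])
    return state

def block_encrypt(state, sks):
    return apply_rounds(state, sks, 0, ROUNDS)

def conventional_ofb(key, iv, nbits, r):
    """FIG. 1: each block-cipher call emits r of its W output bits.  With r == W
    the whole output block becomes the next input (full-width OFB); with r < W
    the W - r unemitted bits are shifted into the input register (this loading
    rule is an assumption).  Returns the emitted r-bit values; len() == calls."""
    sks, state, emitted = subkeys(key), iv & MASK32, []
    while len(emitted) * r < nbits:
        c = block_encrypt(state, sks)
        emitted.append(c >> (W - r))                      # r new PN symbols
        if r == W:
            state = c
        else:
            state = ((state << (W - r)) | (c & ((1 << (W - r)) - 1))) & MASK32
    return emitted

def intermediate_feedback_ofb(key, iv, nblocks, tap=None):
    """FIG. 4 / FIG. 5: the full W-bit state after round tap(i, sks) is fed back
    as the next input while the output of round 2K is emitted.  tap must return
    a round index in 1..2K-1 (never the last round); the default is round K."""
    sks, state, blocks = subkeys(key), iv & MASK32, []
    for i in range(nblocks):
        t = K if tap is None else tap(i, sks)
        if not 1 <= t < ROUNDS:
            raise ValueError("feedback may not be taken from the last round")
        mid = apply_rounds(state, sks, 0, t)              # partially encrypted data
        blocks.append(apply_rounds(mid, sks, t, ROUNDS))  # fully encrypted PN data
        state = mid                                       # feedback loop from round t
    return blocks

def subkey_hop(i, sks):
    """FIG. 5 tap schedule (constructed): the sub-key of the current iteration
    selects a round in 1..2K-1, so the tap hops but never hits the last round."""
    return 1 + sks[i % ROUNDS] % (ROUNDS - 1)

def exposed_io_pairs(blocks, key):
    """Count consecutive output blocks (x, y) with y == E_key(x): full-width
    input/output pairs of the block cipher readable straight off the PN stream."""
    sks = subkeys(key)
    return sum(1 for x, y in zip(blocks, blocks[1:]) if block_encrypt(x, sks) == y)

def compare(key=0x2B7E1516, iv=0x3AD77BB4, nblocks=16):
    """Block-cipher calls for nblocks*W PN bits, and exposed pairs, per arrangement."""
    full = conventional_ofb(key, iv, nblocks * W, W)
    round_k = intermediate_feedback_ofb(key, iv, nblocks)
    hopping = intermediate_feedback_ofb(key, iv, nblocks, subkey_hop)
    return {
        "calls_r1": len(conventional_ofb(key, iv, nblocks * W, 1)),   # W times more
        "calls_rW": len(full),
        "exposed_conventional": exposed_io_pairs(full, key),          # nblocks - 1
        "exposed_round_k": exposed_io_pairs(round_k, key),            # 0
        "exposed_hopping": exposed_io_pairs(hopping, key),            # 0
    }

if __name__ == "__main__":
    print(compare())
```

Running `compare()` shows the two effects the text argues about side by side: producing 512 PN bits costs 512 block-cipher calls at r = 1 but only 16 at r = W (the factor W from the background section), and with full-width feedback every one of the 15 consecutive output-block pairs is a usable (plaintext, ciphertext) pair of the cipher, whereas the round-K and hopping generators emit the full W bits per evaluation and expose none. The check with the key is only a demonstration aid; the point is that an eavesdropper without the key obtains those pairs for free in the conventional case and never sees the fed-back state in the other two.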
It will be appreciated by those skilled in the art that the present invention can be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The presently disclosed embodiments are therefore considered in all respects to be illustrative and not restrictive. The scope of the invention is indicated by the appended claims rather than the foregoing description and all changes that come within the meaning and range and equivalence thereof are intended to be embraced therein.