In a conventional block cipher cryptographic system, a plaintext message is encrypted using a secret key, and is transmitted in its encrypted form. A receiver decrypts the encrypted message using the same secret key in order to recover the plaintext message. An example of a conventional block cipher is the Data Encryption Standard (DES) cipher. DES and other conventional block ciphers are described in B. Schneier, Applied Cryptography, pp. 154-185 and 219-272, John Wiley & Sons, New York, 1994, which is incorporated by reference herein. An improved block cipher utilizing data-dependent rotations is described in U.S. Pat. No. 5,724,428, issued Mar. 3, 1998 in the name of inventor R. L. Rivest, which is incorporated by reference herein. This improved cipher is referred to as RC5™, which is a trademark of RSA Data Security, Inc. of Redwood City, Calif., the assignee of U.S. Pat. No. 5,724,428. The RC5™ block cipher in an illustrative embodiment provides improved performance in part through the use of data-dependent rotations, in which a given word of an intermediate encryption result is cyclically rotated by an amount determined by the low-order bits of another intermediate result.
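The data-dependent rotation just described is easiest to see in code. The following is an added example, not part of the patent text or of RSA's own implementation: a compact RC5-32/r/b in Python written from Rivest's published description of the cipher (the w = 32 magic constants P and Q are those of that specification). Each half-round rotates one word by an amount taken from the low-order log2(w) = 5 bits of the other word, so the rotation count is itself a function of the data being encrypted rather than a fixed schedule; the trace_rotations helper (an illustrative addition, not an RC5 primitive) records those per-round amounts so the dependence can be inspected directly.

```python
# Added example: RC5-32/r/b per Rivest's published specification, written to
# illustrate data-dependent rotations. Not the patent's or RSA's code.
from typing import List, Tuple

W = 32                   # word size in bits (RC5-32)
MASK = (1 << W) - 1
LOG_W = W.bit_length() - 1   # log2(32) = 5: the number of low-order bits that
                             # determine a rotation amount
P32 = 0xB7E15163         # magic constants for w = 32 from the RC5 specification
Q32 = 0x9E3779B9


def rotl(x: int, y: int) -> int:
    """Cyclically rotate the w-bit word x left by y; only the low log2(w)
    bits of y are used, exactly as in RC5's data-dependent rotation."""
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK


def rotr(x: int, y: int) -> int:
    """Inverse of rotl, used by decryption."""
    y &= W - 1
    return ((x >> y) | (x << (W - y))) & MASK


def expand_key(key: bytes, rounds: int) -> List[int]:
    """RC5 key schedule: derives the 2*(rounds+1) round subkeys S from key."""
    u = W // 8                          # bytes per word
    b = len(key)
    c = max(1, (b + u - 1) // u)        # number of key words
    L = [0] * c
    for i in range(b - 1, -1, -1):      # load key bytes little-endian into L
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):      # mix the secret key into S
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def encrypt_block(S: List[int], rounds: int, A: int, B: int) -> Tuple[int, int]:
    """Encrypt the two-word block (A, B) with subkeys S."""
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK       # rotation amount = low bits of B
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK   # rotation amount = low bits of A
    return A, B


def decrypt_block(S: List[int], rounds: int, A: int, B: int) -> Tuple[int, int]:
    """Undo encrypt_block: the rotation amounts are recoverable because the
    word that supplied them is still available when the other is unrolled."""
    for i in range(rounds, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A, B


def trace_rotations(S: List[int], rounds: int, A: int, B: int):
    """Illustrative helper (not part of RC5): encrypts like encrypt_block but
    also returns the rotation amount used in every half-round, i.e. the low
    log2(w) bits of the other intermediate word at that moment."""
    amounts = []
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        amounts.append(B & ((1 << LOG_W) - 1))
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        amounts.append(A & ((1 << LOG_W) - 1))
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return amounts, (A, B)


if __name__ == "__main__":
    # Constructed sample inputs: a 16-byte key and two plaintext blocks.
    S = expand_key(bytes(range(16)), 12)
    for pt in ((0x00000000, 0x00000000), (0x00000001, 0x00000000)):
        amounts, ct = trace_rotations(S, 12, *pt)
        assert decrypt_block(S, 12, *ct) == pt
        print("pt=%08X %08X ct=%08X %08X rotations=%s" % (*pt, *ct, amounts))
```

Running the block prints, for two plaintexts that differ in a single bit, the sequence of 24 rotation amounts each one induced; comparing the two sequences is the quickest way to see why the cryptanalyses cited below treat the rotation amounts, and the low-order bits that select them, as the central quantity of interest.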
The security of the RC5™ block cipher is analyzed in, for example, B. S. Kaliski Jr. and Y. L. Yin, "On Differential and Linear Cryptanalysis of the RC5™ Encryption Algorithm," in D. Coppersmith, ed., Advances in Cryptology--Crypto '95, Vol. 963 of Lecture Notes in Computer Science, pp. 171-184, Springer Verlag, 1995; L. R. Knudsen and W. Meier, "Improved Differential Attacks on RC5™," in N. Koblitz, ed., Advances in Cryptology--Crypto '96, Vol. 1109 of Lecture Notes in Computer Science, pp. 216-228, Springer Verlag, 1996; A. A. Selcuk, "New Results in Linear Cryptanalysis of RC5™," in S. Vaudenay, ed., Fast Software Encryption, Vol. 1372 of Lecture Notes in Computer Science, pp. 1-16, Springer Verlag, 1998; and A. Biryukov and E. Kushilevitz, "Improved Cryptanalysis of RC5™," to appear in proceedings of Advances in Cryptology--Eurocrypt '98, Lecture Notes in Computer Science, Springer Verlag, 1998; all of which are incorporated by reference herein. These analyses have provided a greater understanding of how the structure and operations of RC5™ contribute to its security. Although no practical attack on RC5™ has been found, the above-cited references describe a number of interesting theoretical attacks.
It is therefore an object of the present invention to provide a further improved block cipher which not only exhibits additional security by thwarting one or more of the above-noted theoretical attacks, but also exhibits an enhanced implementability in a wide variety of cryptographic applications.