I. Field of the Invention
The present invention relates to encryption. More particularly, the present invention relates to a method and apparatus for generating encryption stream ciphers.
II. Description of the Related Art
Encryption is a process whereby data is manipulated by a random process such that the data is made unintelligible by all but the targeted recipient. One method of encryption for digitized data is through the use of stream ciphers. Stream ciphers work by taking the data to be encrypted and a stream of pseudo-random bits (or encryption bit stream) generated by an encryption algorithm and combining them, usually with the exclusive-or (XOR) operation. Decryption is simply the process of generating the same encryption bit stream and removing the encryption bit stream with the corresponding operation from the encrypted data. If the XOR operation was performed at the encryption side, the same XOR operation is also performed at the decryption side. For a secured encryption, the encryption bit stream must be computationally difficult to predict.
Many of the techniques used for generating the stream of pseudo-random numbers are based on a linear feedback shift register (LFSR) over the Galois finite field of order 2. This is a special case of the Galois finite field of order 2^n, where n is a positive integer. For n=1, the elements of the Galois field comprise the bit values zero and one. The register is updated by shifting the bits over by one bit position and calculating a new output bit. The new bit is shifted into the register. For a Fibonacci register, the output bit is a linear function of the bits in the register. For a Galois register, many bits are updated in accordance with the output bit just shifted out from the register. Mathematically, the Fibonacci and Galois register architectures are equivalent.
The operations involved in generating the stream of pseudo-random numbers, namely the shifting and bit extraction, are efficient in hardware but inefficient in software or other implementations employing a general purpose processor or microprocessor. The inefficiency increases as the length of the shift register exceeds the length of the registers in the processor used to generate the stream. In addition, for n=1, only one output bit is generated for each set of operations which, again, results in a very inefficient use of the processor.
An exemplary application which utilizes stream ciphers is wireless telephony. An exemplary wireless telephony communication system is a code division multiple access (CDMA) system. The operation of a CDMA system is disclosed in U.S. Pat. No. 4,901,307, entitled "SPREAD SPECTRUM MULTIPLE ACCESS COMMUNICATION SYSTEM USING SATELLITE OR TERRESTRIAL REPEATERS," assigned to the assignee of the present invention, and incorporated by reference herein. The CDMA system is further disclosed in U.S. Pat. No. 5,103,459, entitled "SYSTEM AND METHOD FOR GENERATING SIGNAL WAVEFORMS IN A CDMA CELLULAR TELEPHONE SYSTEM," assigned to the assignee of the present invention, and incorporated by reference herein. Another CDMA system includes the GLOBALSTAR communication system for worldwide communication utilizing low earth orbiting satellites. Other wireless telephony systems include time division multiple access (TDMA) systems and frequency division multiple access (FDMA) systems. The CDMA systems can be designed to conform to the "TIA/EIA/IS-95 Mobile Station-Base Station Compatibility Standard for Dual-Mode Wideband Spread Spectrum Cellular System", hereinafter referred to as the IS-95 standard. Similarly, the TDMA systems can be designed to conform to the TIA/EIA/IS-54 (TDMA) standard or to the European Global System for Mobile Communication (GSM) standard.
Encryption of digitized voice data in wireless telephony has been hampered by the lack of computational power in the remote station. This has led to weak encryption processes such as the Voice Privacy Mask used in the TDMA standard or to hardware generated stream ciphers such as the A5 cipher used in the GSM standard. The disadvantages of hardware based stream ciphers are the additional manufacturing cost of the hardware and the longer time and larger cost involved in the event the encryption process needs to be changed. Since many remote stations in wireless telephony systems and digital telephones comprise a microprocessor and memory, a stream cipher which is fast and uses little memory is well suited for these applications.
The present invention is a novel and improved method and apparatus for generating encryption stream ciphers. In accordance with the present invention, the recurrence relation is designed to operate over finite fields larger than GF(2). The linear feedback shift register used to implement the recurrence relation can be implemented using a circular buffer or a sliding window. In the exemplary embodiment, multiplications of the elements of the finite field are implemented using lookup tables. A non-linear output can be obtained by using one or a combination of non-linear processes. The stream ciphers can be designed to support multi-tier keying to suit the requirements of the applications for which the stream ciphers are used.
It is an object of the present invention to generate encryption stream ciphers using architectures which are simple to implement in a processor. In particular, more efficient implementations can be achieved by selecting a finite field which is more suited to the processor. The elements and coefficients of the recurrence relation can be selected to match the byte or word size of the processor. This allows for efficient manipulation of the elements by the processor. In the exemplary embodiment, the finite field selected is the Galois field with 256 elements (GF(2^8)). This results in elements and coefficients of the recurrence relation occupying one byte of memory, which can be efficiently manipulated. In addition, the use of a larger finite field reduces the order of the recurrence relation. For a finite field GF(2^n), the order k of the recurrence relation which encodes the same amount of state is reduced by a factor of n (or a factor of 8 for the exemplary GF(2^8)).
It is another object of the present invention to implement field multiplications using lookup tables. In the exemplary embodiment, a multiplication (of non-zero elements) in the field can be performed by taking the logarithm of each of the two operands, adding the logarithmic values, and exponentiating the combined logarithmic value. The logarithmic and exponential tables can be created using an irreducible polynomial. In the exemplary embodiment, the tables are pre-computed and stored in memory. Similarly, a field multiplication with a constant coefficient can be performed using a simple lookup table. Again, the table can be pre-computed using the irreducible polynomial and stored in memory.
It is yet another object of the present invention to remove linearity in the output of a linear feedback shift register by the use of one or a combination of the following processes: irregular stuttering (sometimes referred to as decimation), a non-linear function, multiple shift registers with their outputs combined, a variable feedback polynomial on one register, and other non-linear processes. In the exemplary embodiment, the non-linear output can be used to randomly control the stuttering of the shift register. Additionally, a non-linear output can be derived by performing a non-linear operation on selected elements of the shift register. Furthermore, the output from the non-linear function can be XORed with a set of constants such that the non-linear output bits are unpredictably inverted.
It is yet another object of the present invention to implement the linear feedback shift register using a circular buffer or a sliding window. With the circular buffer or sliding window implementation, the elements are not shifted within the buffer. Instead, a pointer or index is used to indicate the location of the most recently computed element. The pointer is moved as new elements are computed and shifted into the circular buffer or sliding window. The pointer wraps around when it reaches an edge.
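The two mechanisms described above, field multiplication by logarithm/antilogarithm tables and a circular-buffer register whose elements never move, as one added C example that is not code from the patent; the field polynomial x^8+x^4+x^3+x+1 (0x11b) with generator 3, the order-4 recurrence and its coefficients are assumptions chosen for illustration, not values the text specifies.

```c
#include <stdint.h>

/* Assumptions (not stated in the text): field polynomial x^8+x^4+x^3+x+1 (0x11b)
 * and generator 3, which is primitive for it; the recurrence below is illustrative. */
#define GF_POLY 0x11b
#define K 4                        /* order of the hypothetical recurrence */
static uint8_t gf_exp[510];        /* doubled so log[a]+log[b] needs no mod 255 */
static uint8_t gf_log[256];
static int tables_ready;

/* Pre-compute antilog/log tables by repeated multiplication by the generator. */
static void gf_init(void) {
    unsigned x = 1;
    for (int i = 0; i < 255; i++) {
        gf_exp[i] = gf_exp[i + 255] = (uint8_t)x;
        gf_log[x] = (uint8_t)i;
        x ^= x << 1;                       /* x * 3 = x*2 + x */
        if (x & 0x100) x ^= GF_POLY;       /* reduce modulo the field polynomial */
    }
    tables_ready = 1;
}

/* Multiply two field elements: add logarithms, then exponentiate. Zero has no log. */
uint8_t gf_mul(uint8_t a, uint8_t b) {
    if (!tables_ready) gf_init();
    if (a == 0 || b == 0) return 0;
    return gf_exp[gf_log[a] + gf_log[b]];
}

/* Circular-buffer register for s[n+4] = c3*s[n+3] + c1*s[n+1] + c0*s[n] over GF(2^8).
 * Elements never move; 'newest' indexes the most recently computed element and the
 * slot after it (cyclically) holds the oldest, s[n], which is the one overwritten. */
typedef struct { uint8_t buf[K]; int newest; } lfsr_t;
static const uint8_t C3 = 0x02, C1 = 0x03, C0 = 0x01;  /* illustrative coefficients */

void lfsr_init(lfsr_t *r, const uint8_t key[K]) {
    for (int i = 0; i < K; i++) r->buf[i] = key[i];   /* key[0] = s[n], key[3] = s[n+3] */
    r->newest = K - 1;
}

/* Advance one step; returns the element shifted out (s[n]). */
uint8_t lfsr_step(lfsr_t *r) {
    int oldest = (r->newest + 1) % K;                 /* pointer wraps at the buffer edge */
    uint8_t s0 = r->buf[oldest];
    uint8_t s1 = r->buf[(oldest + 1) % K];
    uint8_t s3 = r->buf[r->newest];
    r->buf[oldest] = gf_mul(C3, s3) ^ gf_mul(C1, s1) ^ gf_mul(C0, s0);
    r->newest = oldest;
    return s0;
}
```

The products 0x53*0xCA = 1 and 0x57*0x83 = 0xC1 are the familiar check values for this polynomial; with an initial state of 1,2,3,4 the first four outputs are the initial elements themselves and the fifth is the first computed element, 2*4 ^ 3*2 ^ 1*1 = 0x0F.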
It is yet another object of the present invention to provide stream ciphers having multi-tier keying capability. In the exemplary embodiment, the state of the shift register is first initialized with a secret key. For communication systems in which data are transmitted over frames, a stream cipher can be generated for each frame such that erased or out-of-sequence frames do not disrupt the operation of the encryption process. A second-tier keying process can be initialized for each frame using a frame key initialization process.
It is yet another object of the present invention to utilize a recurrence relation of maximal length so that the sequence covers a maximal number of states before repeating.
It is yet another object of the present invention to utilize a recurrence relation and output equation having distinct pair differences. Distinct pair differences ensure that, as the shift register used to implement the recurrence relation shifts, no particular pair of elements of the shift register is used twice in either the recurrence relation or the non-linear output equation. This property removes linearity from the output of the output equation.
It is yet another object of the present invention to selectively optimize cryptographic security and computational efficiency according to the requirements of an application while maintaining distinct pair differences.
Moreover, it is another object of the present invention to provide a method of assuring that the delay that results from the encryption process does not exceed predetermined bounds. To this end, the ciphering delay is measured, and if the estimated delay exceeds a predetermined threshold, a second ciphering method is employed to limit the accumulated delay of the ciphering operation.