Parallel stream cipher for secure high-speed communications

Transcription

1 Signal Processing 82 ( Parallel strea cipher for secure high-speed counications Hoonjae Lee a;, Sangjae Moon b a Departent of Coputer Engineering, Kyungwoon University, Induk-ri 55, Sandong-Myun, Kui, Kyungbuk , South Korea b School of Electronic and Electrical Engineering, Kyungpook National University, 370, Sankyuk-Dong, Taegu , South Korea Received 28 April 2000; received in revised for 9 July 200; accepted 7 Noveber 200 Abstract Due to ongoing iproveents in high-speed counications, the speed of data encryption ust also increase. Accordingly, this paper proposes an PS-LFSR with an ( 2-ties faster shifting during one clock interval and a parallel strea cipher that is faster by paralleling any siilar keystrea generators using the PS-LFSRs. Finally, an -parallel SUM-BSG with 8-parallel for detail is proposed as a design exaple of the proposed parallel strea cipher. When copared with a conventional strea cipher, the properties of the proposed cipher exhibited the sae crypto-degree with -ties faster processing.? 2002 Elsevier Science B.V. All rights reserved. Keywords: Parallel strea cipher; Period; Linear coplexity; Randoness; Suation generator. Introduction Due to ongoing iproveents in high-speed counications, the speed of data encryption ust also increase. Cryptography is the only known practical ethod for protecting inforation transitted through counication networks that use land lines, counication satellites, and icrowave facilities. Cryptographic ethods can be divided into block ciphers, strea ciphers, and public-key cryptosystes [4,8]. There are four application odes of block ciphers: the ECB (electronic codebook ode, CFB (cipher feedback ode, CBC (cipher-block chaining ode, and OFB (output feedback ode [8]. The ECB ode outputs ciphertext blocks fro plaintext blocks via a coplex transforation controlled by a secret key. Corresponding author. Tel.: ; fax: E-ail address: hjlee@kyungwoon.ac.kr (H. Lee. The CFB ode autonoously establishes counication synchronization using feedback fro the ciphertext to the input block. The CBC ode is useful for a general-purpose block-oriented transission or for authentication with block-chaining. The OFB ode is siilar to a strea cipher, in which a block cipher generates rando sequence blocks fro an initial value block [8]. However, all four odes have weaknesses in their application to an erroneous channel as in, for exaple, a wireless channel. In an erroneous channel, a one-bit error in a ciphertext will propagate to any blocks of recovered plaintext in the receiver. In the ECB ode, a one-bit channel error in a ciphertext will propagate to the full range of the recovered plaintext block in the receiver. Accordingly, a channel with a 0 6 BER (bit error rate will be degraded to a channel with a 0 4 ( BER if a block cipher with a 28-bit block size is applied. In ters of error propagation, cases using the CFB and CBC odes will be ore seriously aected than those /02/$ - see front atter? 2002 Elsevier Science B.V. All rights reserved. PII: S (

2 260 H. Lee, S. Moon / Signal Processing 82 ( using the ECB ode. In contrast, the OFB ode oers a unique solution to the block cipher proble, however, it needs a faster encryption speed. For exaple, a DES [7,8] with 6 rounds will generally output 64 bits in 6 syste-clock intervals, therefore, the concept of repetition (round decreases the processing speed. Public-key cryptosystes are not useful for data-encryption because of their slow processing rate and the proble of bit-error propagation as in the ECB ode. Strea ciphers exhibit good properties including no error propagation, security levels properly selectable according to certain security criteria, and a higher processing ability than block ciphers, however, new high-speed counication systes are requiring faster data encryption. This paper focuses on the following three probles in designing a cryptosyste: security, fast enciphering=deciphering, and error propagation persistence in channels including obile counication. As a result, a parallel strea cipher is proposed that cobines the strengths of strea and block ciphers, that is, the security and freedo fro error propagation of a strea cipher and the parallel processing ability of a block cipher. Norally, all LFSRs in a strea cipher shift=output -bit for one clock-tie interval, whereas, in the proposed cipher the LFSRs are elevated to a high-speed type, PS-LFSRs, which shifts=output ( 2-bits for one clock interval. Plus, as an iproved version of the (single nonlinear cobine function, an -parallel nonlinear cobine function (general type is introduced, which generates -bit keystrea sequences for the proposed parallel strea cipher. Finally, an -parallel SUM-BSG is presented as a design exaple, arranged with any Rueppel s suation generators [] in parallel and = 8 for details. Its perforance is analyzed in ters of cryptographic security and the processing speed copared with a conventional strea cipher. 2. Parallel strea cipher 2.. General requireents of a strea cipher The following requireents are assued necessary for cryptosystes [0]: ( Error propagation: The error propagation due to encryption=decryption should be inial. (2 Redundant inforation: The insertion of redundant inforation bits should be inial. (3 Cryptographic security: The nuber of secret keys should be large enough so an exhaustive key search attack is ipossible. (4 Siplicity of ipleentation: The encryption= decryption syste should be realizable with software or hardware. (5 Perforance speed: The encryption=decryption should be perforable at speeds ranging fro T rate (:544 Mbps up to any Gbps. For a secure strea cipher, the keystrea should be unpredictable and subsequent keystreas should not be able to be anticipated fro previous ones. The following are necessary conditions for the unpredictability of a keystrea [7,0]: ( Long period: A keystrea should have a long period. (2 Large linear coplexity: Large linear coplexity iplies that it is ipractical (infeasible to use the equivalent LFSR to predict the keystrea output sequences. (3 Randoness: A large linear coplexity does not iply randoness. The statistical property of the keystrea should be the sae as an ideal rando source. (4 Proper order of correlation iunity: A nonlinear cobining function F is called a kth order correlation iune when any k(6 N cobinations x i ;x i2 ;:::;x ik ( 6 i ;i 2 ;:::;i k 6 N ofall N-input-bits x ;x 2 ;:::;x N, on function F are uncorrelated with the output of F Proposed PS-LFSR Parallel-structured=-shifting LFSRs (PS-LFSRs for use as the basic eleent of the parallel strea cipher are proposed as shown in Fig.. An PS-LFSR can answer the question how can an LFSR be shifted by -bits within one clock interval? For a parallel structure, there are an n-stage PS-LFSR on the right in Fig. (b and an ( -stage LBUF which stores teporally a lot bits of the shifted-out on the left in the gure. Each -bit block of the n-stage PS-LFSR shifts left by syste clock and the feedback paths are independently XORed based on each cobination of the feedback taps, thereafter the results can be siultaneously shifted to the rightost of the LFSR.

3 H. Lee, S. Moon / Signal Processing 82 ( Feedback connection : the original connection SYSTEM CLOCK i n- n-stage LFSR (a n-stage LFSR -bit OUTPUT Feedback connection : -bit left-shifting of the original cobination -(- -(-2 -(-3 n-+ Feedback connection 2 : -bit left-shifting of the original cobination feedback feedback 2-0 n-2 Feedback connection : the original cobination 0 2 n- feedback :: : -(-2 -( : : n- n-2 n-3 n-4 n-5 n-6 n- -bit OUTPUT SYSTEM CLOCK (--stage LBUF n-stage PS-LFSR (b (n, PS-LFSR Fig.. LFSR and proposed PS-LFSR. Feedback connection 8 : s(33+t= s(28+t ^ s(-5+t ^ s(-6+t ^ s(-7+t feedback Feedback connection 2 : s(39+t= s(34+t ^ s(+t ^ s(t ^ s(-+t feedback Feedback connection : s(40+t= s(35+t ^ s(2+t ^ s(+t ^ s(t feedback =8 bits OUTPUT SYSTEM CLOCK 7-stage LBUF 40-stage PS-LFSR Fig. 2. (n =40; = 8 PS-LFSR as an exaple. In this case, the rst path (feedback in the gure is coputed by using the original feedback connection function (fro priitive polynoial, the second path (feedback 2 by using the -bit left shifted function of the original cobination, and the third path (feedback 3 by using the -bit left shifted of the second cobination, and so on. We depict an exaple of a 40-stage, 8-parallel PS-LFSR in Fig. 2.

4 262 H. Lee, S. Moon / Signal Processing 82 ( C C2 CN C C2 CN l -LFSR l 2 -LFSR 2 l 3 -LFSR 3 (x (x 2 (x 3 cobiners: (eoryless or not l -LFSR l 2 -LFSR 2 l 3 -LFSR 3 (x (x 2 (x 3 cobiners: (eoryless or not l N -LFSR N (x N f, f2,, f l N -LFSR N (x N f, f2,, f Plaintext Serial/ Parallel Parallel/ Serial Ciphertext Serial/ Parallel Parallel/ Serial Plaintext Transitter Channel Receiver Fig. 3. Proposed parallel strea cipher. As a result, the processing speed of the PS-LFSR is -ties faster than that of a noral LFSR where the clock only shifts -bit left. Moreover, a PS-LFSR has the sae cryptographic security in ters of randoness, period, and linear coplexity as a conventional LFSR, because it siultaneously generates -bit outputs while -bit shifting and each output is only used once. In addition, recent VLSI technology facilitates the ipleentation of a PS-LFSR, in contrast to the increased coplexity of the hardware ipleentation Proposed parallel strea cipher Unlike a conventional keystrea generator, the proposed parallel strea cipher generates (6 N independent sequences fro nonlinear cobine functions (f ;f 2 ;:::;f via N LFSRs, as in Fig. 3,and each ( sequence enciphers (XORs fro a plaintext block to a ciphertext block in parallel. This akes the proposed cipher -ties faster than a conventional strea cipher in spite of the increased coplexity in the hardware ipleentation. The proposed cipher also retains the channel quality level in the BER using channel error propagation without additional equipent. If required, it can prevent a correlation attack with the use of a correlation iune function with eory bits [3,6,9,]. In Fig. 4, -parallel nonlinear cobine functions (f ;f 2 ;:::;f are proposed as a generalized odel, which use -bit eories (c ;c 2 ;:::;c and PS-LFSRs (Fig. in place of LFSRs. All the LFSRs ust have dierent lengths and that are pair-wise co-prie: gcd(l i ;l j = for all 6 i; j; (i j 6 N. Each function f i (i =; 2;:::; in an algebraic noral for (ANF is dened as follows: f i (x i ;x 2i ;:::;x Ni ;c i ;c i2 ;:::;c imi N N + =a i0 + a ij x ji + j= j=n + a ijc ij + a ijk x ji x ki + a ijkc ij c ik + j;k j;k j;k a ijkx ji c ik + + a ijk N +i x ji x ki x ti c i c i2 c imi ; ( where, x jk is the kth output sequence of the parallel -bit on LFSR j, c jk ( 6 j; k 6 isthekth eory sequence of the jth function, a ij ;a ij;a ijk ;a ijk ;a ijk ;:::; a ijk::n +i [0; ] are all binary coecients, and M j is the nuber of eories used in the jth function f j. Each f i (x i ;x 2i ;:::;x Ni ;c i ;c i2 ;:::;c imi ;i = ; 2;:::;, is required to fulll the conditions in Section 2..

5 H. Lee, S. Moon / Signal Processing 82 ( c,..,, c2 cm l -PS-LFSR (x (x 2 (x N cobiners: f (eoryless or not (y l 2 -PS-LFSR 2 c c,.., c, 2 M M M l N -PS-LFSR N (x (x 2 (x N cobiner f (eoryless or not (y Note: N M M,, M N,, 2 Fig. 4. Generalized -parallel nonlinear cobiners. As an exaple, an -parallel suation generator is proposed with eories (called -parallel SUM-BSG in Fig. 5.In this gure, nuber of SUM-BSGs [,6] used is congured in parallel and all the LFSRs used are the sae type of PS-LFSR. Each PS-LFSR (siply LFSR generates -output sequences: PS-LFSR generates (x ;x 2 ;:::;x sequences for a clock, PS-LFSR 2 generates (x 2 ;x 22 ;:::;x 2 sequences, and the sae ethod PS-LFSR generates (x ;x 2 ;:::;x sequences. For the next clock PS-LFSR generates (x ;+ ;x ;+2 ;:::;x ;2 sequences, and so on. Therefore, (x sequences are as follows: x ;x ;+ ;x ;2+ ;x ;3+ ;:::. The properties of the output sequence y i of the ith SUM-BSG are as follows: (y i ={(x i (x i } {(c i (c im }; (2 where (y i represents the ith output sequences of SUM-BSG i (i =; 2;:::;, (x i the ith output sequences of LFSR,(x 2i the ith output sequences of LFSR 2,(x i the ith output sequences of LFSR, and (c ij the jth carry sequences of the ith function. Property. If gcd(l i ;l j = (6 i; j 6 ; i j; is relatively prie; and the all LFSRs used have a

6 264 H. Lee, S. Moon / Signal Processing 82 ( c,..,, c2 cm The priitive polynoials in the proposed generator are generated by Ref. [5]. l -PS-LFSR l 2 -PS-LFSR 2 (x (x 2 (x Suation Generator: SUM-BSG (y g (x=x 9 + x 9 + x 6 + x 3 + x 2 + x +; g 2 (x=x 23 + x 2 + x 6 + x 3 + x 2 + x +; g 3 (x=x 29 + x + x 7 + x 3 + x 2 + x +; g 4 (x=x 3 + x 3 +; g 5 (x=x 37 + x 8 + x 2 + x +; g 6 (x=x 4 + x 7 + x 4 + x 3 + x 2 + x +; g 7 (x=x 43 + x 6 + x 4 + x 3 + x 2 + x +; g 8 (x=x 47 + x 4 + x 4 + x 3 + x 2 + x +: l -PS-LFSR Note: N =, (x (x 2 (x c c,.., c, 2 M M Suation Generator: SUM-BSG = M 2 =..= M = M Fig. 5. Proposed -parallel SUM-BSG. M (y non-null initial value; then each SUM-BSG i will have the following properties [;7]: ( Period: P i = j= (2lj. (2 Randoness: good. (3 Linear coplexity: LC i P i. (4 The order of the correlation iunity of the function f i : K i =. An SUM-BSG includes a axiu period; good randoness; near axial linear coplexity; and axiu order of correlation iunity; as in Property. An 8-parallel suation generator with a 3-bit carry (called 8-parallel SU -BSG, with an -input in total in detail is also proposed, which can operate a real-su fro an -input (x i ;x 2i ;:::;x 8i ; c i3 ;c i2 ;c i and then convert the decial (sued to binary. Property 2. If gcd(l i ;l j =; ( 6 i; j 6 ; i j and all the LFSRs used have non-null initial values; then the ith SU BSG i of the proposed 8-parallel SU -BSG will have the following properties: ( Period: P i =(2 9 (2 23 (2 29 (2 3 (2 37 (2 4 (2 43 ( ; i=; 2;:::;8: (2 Randoness: good [6,7]. (3 Linear coplexity: LC i P i ;i=; 2;:::;8. (4 The order of the correlation iunity of the function: K i = =7;i=; 2;:::;8. (5 The ciphering speed is =8 ties faster than that of the original application in a strea cipher. (6 The coplexity of the nuber of gates used in the hardware is approxiately 2-ties (upper-liited by ties ore coplex than that of the conventional SU -BSG (Refer to Table, siilar concluded in [2].. Since each SUM-BSG i function generates each output sequence using an independent ethod, the cryptographic properties of a single output sequence of the proposed generator are the sae as those of a single SUM-BSG. Accordingly, the proposed generator guarantees a axiu period, near-axiu linear coplexity, axiu order of correlation iunity, and randoness properties like the conventional generator. Therefore, the proposed parallel

7 H. Lee, S. Moon / Signal Processing 82 ( Table Coparison of siilar generators 8-parallel SU -BSG Ites SU -BSG (M =8 Period Randoness Rando Rando Linear coplexity Approxiate Approxiate to period to period Correlation iunity 7 7 Nuber of F=Fs used (F=F eans ip=op device Nuber of XOR gates used Total nuber of gates used (iff=f = 5 gates (.67 ties coplex Processing rate ratio 8 (M = 8 ties high generator is a secure high-perforance generator with slightly ore coplex hardware. 3. Conclusion This paper proposed a parallel strea cipher which cobines the strengths of strea and block ciphers, that is, the security and freedo fro propagation error of a strea cipher and the block or parallel processing ability of a block cipher. Generally, all LFSRs in a strea cipher shift=output -bit during one clock-tie interval. This was iproved with the use of parallel-structured type PS-LFSRs to -bit shifting=outputting for one clock. In addition, -parallel nonlinear cobine functions (general type were introduced that iprove the nonlinear cobine function, outputting -bit keystrea sequences and generating -bit keystrea sequences for applying the proposed parallel strea cipher. Finally, an -parallel SUM-BSG was presented as a design exaple, arranged with an nuber of Rueppel s suation generators (SUM-BSGs in parallel, and an 8-parallel SU -BSG in detail. The design perforance was analyzed in ters of cryptographic security and the processing speed copared with a conventional strea cipher. The results showed the sae cryptographic security fro the perspective of period, linear coplexity, randoness, and correlation iunity, however, the perforance was -ties faster. References [] Hoonjae Lee, SangJae Moon, On an iproved suation generator with 2-bit eory, Signal Processing 80 ( (January [2] Hoon-jae Lee, Sang-jae Moon, On a high-speed ipleentation of LILI-28 strea cipher using FPGA=VHDL, Journal of Korea Inst. Infor. Security Cryptol. (3 (June [3] W. Meier, O. Staelbach, Correlation properties of cobiners with eory in strea ciphers, J. Cryptol. 5 ( [4] A.J. Menezes, P.C. Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 997. [5] B. Park, H. Choi, T. Chang, K. Kang, Period of sequences of priitive polynoials, Electron. Lett. 29 (4 (February [6] R.A. Rueppel, Correlation iunity and the suation generator, Advances in cryptology, Proceedings of CRYPTO 85, Santa Barbara, Aug. 8 22, 985, pp [7] R.A. Rueppel, Analysis and Design of Strea Ciphers, Springer, Berlin, 986. [8] B. Schneier, Applied Cryptography, 2nd Edition, Wiley, New York, 996. [9] T. Siegenthaler, Correlation-iunity of nonlinear cobining functions for cryptographic applications, IEEE Trans. Infor. Theory IT-30 (5 (Septeber [0] M. Tatebayashi, N. Matsuzaki, D.B. Newan, A cryptosyste using digital signal processors for obile counication, ICASSP 90, 990, pp [] G.Z. Xiao, J.L. Massey, A spectral characterization of correlation iune cobining functions, IEEE Trans. Infor. Theory 34 (3 (May