US006182216B1 (12) United States Patent (10) Patent No.: US 6,182,216 B1 Luyster (45) Date of Patent: Jan. 30, 2001 (54) BLOCK CIPHER METHOD nology Laboratory National Institute of Standards and Technology. (76) Inventor: Frank C. Luyster, 100 Riverside La., Riverside, CT (US) 06878 Burton S. Kaliski Jr. and Yiqun Lisa Yin, On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm, (*) Notice: Under 35 U.S.C. 154(b), the term of this Lecture Notes in Computer Science, vol. 963, pp. 171-184, patent shall be extended for 0 days. Aug. 1995. (21) Appl. No.: 09/154.391 (List continued on next page.) (22) Filed: Sep. 16, 1998 Related U.S. Application Data Primary Examiner Thomas R. Peeso (60) Provisional application No. 60/059,142, filed on Sep. 17, 1997, provisional application No. 60/062.992, filed on Oct. (74) Attorney, Agent, or Firm-Cantor Colburn LLP 23, 1997, provisional application No. 60/064.331, filed on Oct. 30, 1997, provisional application No. 60/094,632, filed (57) ABSTRACT on Jul. 30, 1998, provisional application No. 60/096,788, filed on Aug. 17, 1998, provisional application No. 60/096, A data encryption System for encrypting an n-bit block of 921, filed on Aug. 18, 1998, and provisional application No. 60/098,905, filed on Sep. 2, 1998. input in a plurality of rounds is presented, where n is preferably 128 bits or more. The data encryption system (51) Int. Cl. ................................................. G06F 1/26 includes a computing unit for the execution of each round; (52) U.S. Cl. .......................... 713/168; 713/171; 713/200; memory for Storing and loading Segments, a bit-moving 713/201; 380/28; 380/44 (58) Field of Search ........................ 380/28, 44; 713/168, function capable of rotating, shifting, or bit-permute round 713/171, 182, 200, 201 Segments by predetermined numbers of bits preferably to achieve active and effective fixed rotation; a linear combi (56) References Cited nation function which provides new one-to-one round Seg U.S. PATENT DOCUMENTS ments using a round operator generally from one algebraic group to combine two different one-to-one round Segments 4,078,152 3/1978 Tuckerman, III ...................... 178/22 taken from one one-to-one round Segment Set, and a non 4,157,454 * 6/1979 Becker ................................... 380/37 4,160,120 * 7/1979 Barnes et al. .......................... 380/29 linear function which affects a one-to-one round Segment from a particular one-to-one round Segment Set based on a (List continued on next page.) value which depends on a preselected number of bits in a FOREIGN PATENT DOCUMENTS preSelected location from a different one-to-one round Seg ment from the same one-to-one round Segment Set. The PCT/US99/ nonlinear function is a variable rotation function or an S-box. 13358 6/1999 (WO). A Subkey combining function is generally employed in each OTHER PUBLICATIONS round to provide new round Segments by combining a round AES-A Crypto Algorithm for the Twenty-first Century Segment typically linearly with a Subkey Segment. The First Advanced Encryption Standard Candidate Confer ence Aug. 20-22, 1998 Sponsored by: Information Tech 40 Claims, 14 Drawing Sheets N-8T BOOK (64.28.258 BITSEC: -53 RO Na BITS - 2 --34. 82 80 L2 88 64 R. xxx W W-LSBR) RCUN 78 *ist () 82 84 88 R M2 BITS 88 x-STBLOCK 84.28.258 ITSEC: US 6,182,216 B1 Page 2 U.S. PATENT DOCUMENTS Lars R. Knudsen and Willi Meier, Improved Differential 4,168,396 9/1979 Best ..................................... 380/244 Attacks on RC5, Lecture Notes in Computer Science, vol. 4,249,180 2/1981 Eberle et al. .. ... 375/2 1109, pp. 216-228, Aug. 1996. 4.255.811 3/1981 Adler ......... ... 375/2 Bruce Schneier and Doug Whiting, Fast Software Encryp 4,306,111 * 12/1981 Lu et al. ... ... 380/30 4,308.617 * 12/1981 German, Jr. ... ... 375/208 tion. Designing Encryption Algorithms for Optimal Soft 4,375,579 3/1983 Davida et al. ......................... 380/28 ware Speed on the Intel Pentium Processor, Lecture Notes in 4,724.541 2/1988 Mallick .................................. 380/28 Computer Science, vol. 1267, pp. 242-259, Jan. 1997. 4,982,429 1/1991 Takaragi et al.. 5,003,596 3/1991 Wood. Lars R. Knudsen & Willi Meier; Differential Cryptanalysis 5,003,597 3/1991 Merkle ................................... 380/37 of RC5 (1), Pub. European Transactions on Telecommuni 5,054,067 10/1991 Moroney et al. ...................... 380/37 cation, vol. 8, No. 5, Sep. 23, 1997. 5,103,479 4/1992 Takaragi et al.. 5,214,704 5/1993 Mittenthal .............................. 380/37 W.E. Madryga; A high Performance Encryption Algorithm, 5,317,638 5/1994 Kao et al. Pub. 1984. 5,351,299 9/1994 Matsuzaki et al. .................... 380/37 5,381,480 1/1995 Butter et al. Ronald L. Rivest, M.J.B. Robshaw, R. Sidney and Y.L. Yin; 5,454,039 9/1995 Coppersmith et al. ................ 380/28 The RC6 Block Cipher, Pub. Aug. 20, 1998. 5,835,600 10/1998 Rivest. John Kelsey, Bruce Schneir and David Wagner; Key-Sched OTHER PUBLICATIONS ule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Ronald L. Rivest, The RC5 Encryption Algorithm, Lecture Triple-DES. Notes in Computer Science, vol. 1008, pp. 86-96, Dec. 1994. * cited by examiner U.S. Patent Jan. 30, 2001 Sheet 1 of 14 US 6,182,216 B1 10 FIG. 1 N-BIT BLOCK (64. BIT) PRIOR ART RO (N/2 BITS) - 12 R1 (N/2 BITS) - 14 26 24 1 RO - 30 ROUND RC5 /Y-22 |ENCRYPTON 32 \/ J6 - - - -K4 4 O 42 RO (N/2 BITS) R1 (N/2 BITS) N - Bf T B E O C K U.S. Patent Jan. 30, 2001 Sheet 2 of 14 US 6,182,216 B1 FIG 2 PRIOR ART -16 18 KEY = RO-RO + KEY } R1-R, + KEY 2 KEY 2 = O 0000 100000000000 0000IOOOOOOOOOOO O -----------------|---------RO-RO (BR1 OOOOOOOOOOOOOOOO RO=RO<<<l SB(RI) : OOOOOOOOOOOOOOOO | KEY 3= RO-RO + P(EY 3 28 O OOOOOOOOOOOOOOOO Ri=R1 (D RO 22 OOOOIOOOOOOOOOOO - - - ST R1-Rik KLSB(RO) J4.32 ROUND OOOOOOOOOOOOOOO 36 RC5 ENCRYTION Ri=R1 + KEY 4 KEY 4 = 0000 100000000000 OJ |- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - V RO-RO (DR1 20 OOOOIOOOOOOOOOOO RO-RO<<<LSBCR1) 2624 OOOO IOOOOOOOOOOO KEY 5- RO-RO + KEY 5 28 O OOOOIOOOOOOOOOOO Ri=R1 (D RO 22 OOOOOOOOOOOOOOOO - - -2ND 34.32 ROUND R=Rik<<LSBCRO) A. RC5 OOOOOOOOOOOOOOOO 36 ENCRYPTION R}=R + KEY 6 KEY 6 = OOOOOOOOOOOOOOOO O R O 4 O R= 42 0000 100000000000 OOOOOOOOOOOOOOOO U.S. Patent Jan. 30, 2001 Sheet 3 of 14 US 6,182,216 B1 FIG 3 N-BIT BLOCK (64.128.256 BITS, ETC) 54 (E)-(2) W-LSB(R1) 7O 3 72 RO > f HC2) 86 RO (N/2. BITS) R (N/2. BITS) 88 N-BIT BLOCK (64.28.256 BITS, ETC) U.S. Patent Jan. 30, 2001 Sheet 4 of 14 US 6,182,216 B1 FIG 4 52 56 RO= Ry-Ri XOr KEY 7 KEY 1 = 0000 100000000000 0000 100000000000 O - - - - - - - - - - - - - - - - - -Sao TTTTTTTTTT KEY 2- RO-RO --((RDX)4) €9KEY2) w w O OOOO IOOOIOOOOOOO RO-RO) >>LSB(Ri) 64.66 0000|IOOOOOOOOOO 70,72.74 - - -ROUND ST RER0000IOOOIOOOIOOO (ROAREr3KEY 3O -: OF ENCRYPTION R=Ri>>>LSBCRO) 76.78 OOOOIOOOIOOOOOO - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - KEY 4= RO-RO -- (CRD)>4) €BKEY4) O IOOO IOOOOOOIOOO RO-ROXXY SBCRI) OOOOOOOOOO IOO1 70,72.74 - - - 2ND Ri=R1+(CRO)>>4) (DKEY5), KEY 5 = ROUND IOO 10010001OOOOOOOOO O ENCRYPTION R=Ri>>>LSB(RO)IOOO IOOOOOOIOO 76.78 OOOOIOOO IOOOIOO1 IOOO IOOOOOO!!OO WHERE THE LINEAR OPERATIONS ARE L2, L6 = xor L4. L8 F Xor L3, L7 = ADDITION L5, L9 = ADDITION U.S. Patent Jan. 30, 2001 Sheet 5 of 14 US 6,182,216 B1 FIG 5 K-BIT BLOCK (64.128.256 BITS, ETC) -90 92 94 KA (K/2 BITS) KB (K/2 BITS) U.S. Patent Jan. 30, 2001 Sheet 6 of 14 US 6,182,216 B1 FIG 6 N-BIT BLOCK (64.28.256 BITS, ETC) -10 RO (N/2 EITS)2 RI (N/2 BITS) ' N-BIT BLOCK (64.128.256 BITS, ETC) U.S. Patent Jan. 30, 2001 Sheet 7 of 14 US 6,182,216 B1 FIG 7 N-BIT BLOCK (128.256 BITS, ETC) 150 54 f 170 ROUND V=SBOXILSB(RO) (E 172 K3 174 176 178 18O 186 RO (N/2 BITS) R! (N/2 BITS) N-BIT BLOCK (128.256 BITS, ETC) U.S. Patent Jan. 30, 2001 Sheet 8 of 14 US 6,182,216 B1 FIG. 8 Ki =0 152 154 RO= - R=Rée Kl 0000 100000000000 0000 100000000000 - - - - - - - - - - - - 160T 5a - - - - - RO-RO €D V V=SBOXOOOO) 1011107O IOO! IOI! 1077 OOIO IOO! IOI RO-RO -- (CRD)>4) (DK2) IOI 2011 0001101) 172 - - - ST V=SBOXFOil R=R) (DV ROUND OF OOO7IIIO IOIOOOIO OOOO!!OOOOOO ENCRYPTION O 178.18O RO->>>4 f=R --((ROXXX4) (DK3) IOM Oil ION OOO! 1101 OOOO101 OO!! - -- - - - - - m - - - - - - - - - m - - - - - - - - - - RO-RO €D V V=SBOXIOOI OOOOOOOOOOO! III IOOOO!! IIIO FSA =O RO-RO --((RDX)4) (DK4) LRI->>>4 162 Oilill OIOOIOIO 00illiol looloolol 4. 17O' 172' --ND V=SBOXOO) Ri=R16DV ROUND OF OJOT 1111 OOIO IOO) 10001101011! IOIO ENCRYPTION 174 K50 78.80 RO=>>>4 1TY R=R! --((RO)))4) €DK5) IOIOO!!! Illi O100 Sf OOIOIO, OIO IIIO - - - - - - - - - - - - - - - - - - - - - 176 RO= 184 186 - R= ON 1117 OIOO IOIO OO11010101101110 WHERE SBOXIOOOO}=1011 OOIO IOOi O11 OPERATORS SBOXIO11)=OOO! (11O IOIO OOIO L2L8-XOr L5L11-xOr SBOXOOIL)=1111 |OOJ OOil IIIO L3L9-XOr L6L2=XOr SBOXIIO1Oji=OIOf 1111 OOIO IOO1 L4, LIO-Odd L7L (3=GGd U.S.