Block cipher method

Abstract

A data encryption system for encrypting an n-bit block of input in a plurality of rounds is presented, where n is preferably 128 bits or more. The data encryption system includes a computing unit for the execution of each round; memory for storing and loading segments; a bit-moving function capable of rotating, shifting, or bit-permute round segments by predetermined numbers of bits preferably to achieve active and effective fixed rotation; a linear combination function which provides new one-to-one round segments using a round operator generally from one algebraic group to combine two different one-to-one round segments taken from one one-to-one round segment set; and a nonlinear function which affects a one-to-one round segment from a particular one-to-one round segment set based on a value which depends on a preselected number of bits in a preselected location from a different one-to-one round segment from the same one-to-one round segment set. The nonlinear function is a variable rotation function or an s-box. A subkey combining function is generally employed in each round to provide new round segments by combining a round segment typically linearly with a subkey segment.

Claims

What is claimed is:

1. A method of enciphering plaintext in a block cipher, said enciphering using a secret key, said method comprising:

processing round segments in a plurality of rounds of said block cipher, said plurality of rounds including a plurality of bit-moving rounds, each of said bit-moving rounds transforming input primary segments having a total of n bits of data into out-put primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said round segments of each said bit-moving round comprising a segment which originates from at least one of said input primary segments of said bit-moving round, each output primary segment of each said bit-moving round being equal to one of said round segments of said bit-moving round, said processing round segments in each of said bit-moving rounds comprising,

predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments of said bit-moving round to determine a bit-value in an other bit-position of one of said round segments of said bit-moving round, said present bit-position being different than said other bit-position,

variable bit-moving bits of one of said round segments of said bit-moving round by a number of bits dependent on a value from data of one of said round segments of said bit-moving round, and

wherein each of said segments is an ordered set of bits.

2. The method of claim 1 wherein said bit-moving round includes one of said primary segments having a value which is a one-to-one function of a prior value of said one of said primary segments.

3. The method of claim 1 wherein said predetermined bit-moving comprises moving said at least one present bit-value in said present bit-position of said one of said round segments to determine said bit-value in a same said round segment.

4. The method of claim 1 wherein said input primary segments of one of said bit-moving rounds is said output primary segments of a previous one of said bit-moving rounds.

5. The method of claim 1 wherein said variable bit-moving comprises variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

6. The method of claim 5 wherein said variable circular bit-rotating said bits of one of said round segments comprises variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

7. The method of claim 5 wherein said output primary segments have a bit-size of 32 bits or 64 bits.

8. The method of claim 5 wherein said predetermined bit-moving affects which bits affect said value of said variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said variable circular bit-rotating.

9. The method of claim 8 wherein said predetermined bit-moving comprises predetermined bit-rotating.

10. The method of claim 9 wherein substantially all of the bits produced by said predetermined bit-rotating affect said output primary segments of said bit-moving round.

11. The method of claim 5 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

12. The method of claim 11 wherein said predetermined bit-moving affects which bits affect said value of said variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said variable circular bit-rotating.

13. The method of claim 5 wherein at least one of said output primary segments of each said bit-moving round is affected directly or indirectly by each of said predetermined bit-moving of said bit-moving round and said variable circular bit-rotating of said bit-moving round.

14. The method of claim 5 wherein said processing round segments in each of said bit-moving rounds further comprises a plurality of said predetermined bit-moving steps and a plurality of said variable circular bit-moving steps, each of said output primary segments of each said bit-moving round is affected directly or in directly by each of at least on e of said predetermined bit-moving steps of said bit-moving round and at least one of said variable circular bit-rotating steps of said bit-moving round.

15. The method of claim 14 wherein said predetermined bit-moving comprises predetermined bit-rotating.

16. The method of claim 5 wherein said output primary segments comprise a predetermined number of equal-sized primary segments, said predetermined number of equal-sized primary segments is equal to x, where x is an integer of 2, 3 or 4, and said equal-sized primary segments have a bit-size equal to (n/x) bits of data, where n is at least 128 bits.

17. The method of claim 5 wherein said predetermined bit-moving is non-commutative with respect to said variable circular bit-rotating.

18. The method of claim 5 wherein said predetermined bit-moving comprises predetermined bit-rotating.

19. The method of claim 18 wherein substantially all of the bits produced by said predetermined bit-rotating affect said output primary segments.

20. The method of claim 5 wherein said predetermined bit-moving comprises predetermined circular bit-rotating predetermined bit-shifting or predetermined bit-permuting.

21. The method of claim 5 wherein said variable circular bit-rotating includes said predetermined bit-moving.

22. The method of claim 5 wherein said value of said variable circular bit-rotating is from said selected locations which are preselected least significant bits of said bits of data of one of said round segments of said bit-moving round.

23. The method of claim 5 wherein said output primary segments of one of said rounds result directly or indirectly in ciphertext, such that said plaintext can be decrypted from said ciphertext.

24. The method of claim 23 wherein said predetermined bit-moving affects which bits affect said value which determines said number of bits of said variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said variable circular bit-rotating.

25. The method of claim 23 wherein said predetermined bit-moving comprises predetermined bit-rotating.

26. The method of claim 23 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

27. The method of claim 26 wherein said predetermined bit-moving affects which bits affect said value of said variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said variable circular bit-rotating.

28. The method of claim 23 wherein said processing round segments in each of said bit-moving rounds further comprises a plurality of said predetermined bit-moving steps and a plurality of said variable circular bit-moving steps, each of said output primary segments of each said bit-moving round is affected directly or indirectly by each of at least one of said predetermined bit-moving steps of said bit-moving round and at least one of said variable circular bit-rotating steps of said bit-moving round.

29. The method of any of claims 1 to 28 wherein said plurality of bit-moving rounds comprises at least five said bit-moving rounds.

30. The method of claim 1 wherein said variable bit-moving comprises variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

31. The method of claim 30 wherein said predetermined bit-moving affects which bits affect said value to said variable bit-shifting, and at least one of said output primary segments originating from said round segment which has been shifted by said variable bit-shifting.

32. The method of claim 30 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

33. The method of claim 30 wherein said processing round segments in each of said bit-moving rounds further comprises a plurality of said predetermined bit-moving steps and a plurality of said variable bit-shifting steps, each of said output primary segments of each said bit-moving round is affected directly or indirectly by each of at least one of said predetermined bit-moving steps of said bit-moving round and at least on e of said variable bit- shifting steps of said bit-moving round.

34. The method of claim 30 wherein said variable bit-shifting includes said predetermined bit-moving.

35. The method of claim 30 wherein said value of said variable bit-sifting is from said selected locations which are preselected least significant bits of said bits of data of one of said round segments of said bit-moving round.

36. The method of claim 30 wherein said output primary segments of one of said rounds result directly or indirectly in ciphertext, such that said plaintext can be decrypted from said ciphertext.

37. The method of any of claims 30 to 36 wherein said plurality of bit-moving rounds comprises at least five of said bit-moving rounds.

38. The method of claim 1 wherein said processing round segments in each of said bit-moving rounds further comprises:

combining two of said round segments in said bit-moving round using a linear mathematical operator.

39. The method of claim 38 wherein said bit -moving round includes one of said primary segments having a value which is a one-to-one function of a prior value of said one of said primary segments.

40. The method of claim 38 wherein said predetermined bit-moving comprises moving said at least one present bit-value in said present bin-position of said one of said round segments to determine said bit-value in a same said round segment.

41. The method of claim 38 wherein said input primary segments of one of said bit-moving rounds is said output primary segments of a previous one of said bit-moving rounds.

42. The method of claim 38 wherein said linear operator comprises addition, subtraction, exclusive-OR, SIMD addition, or SIMD subtraction.

43. The method of claim 38 wherein said variable bit-moving comprises variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments in said bit-moving round.

44. The method of claim 43 wherein said linear operator comprises addition, subtraction, exclusive-OR, SIMD addition, or SIMD subtraction.

45. The method of claim 38 wherein said variable bit-moving comprises variable circular bit- rotating said bits of one of said round segments of said bit moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

46. The method of claim 45 wherein said variable circular bit-rotating said bits of one of said round segments comprises variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

47. The method of claim 45 wherein said output primary segments have a bit-size of 32 bits or 64 bits.

48. The method of claim 45 wherein at least one of said output primary segments of each said bit-moving round is affected directly or indirectly by each of ad predetermined bit-moving of said bit-moving round, said variable circular bit-rotating of said bit-moving round, and said combining of said bit-moving round.

49. The method of claim 48 wherein said linear operator comprises addition, subtraction, exclusive-OR, SIMD addition, or SIMD subtraction.

50. The method of claim 49 wherein said predetermined bit-moving comprises predetermined bit-rotating.

51. The method of claim 45 wherein said processing round segments in each of said bit-moving rounds further comprises a plurality of said predetermined bit-moving steps, a plurality of said variable circular bit-moving steps, and a plurality of said combining steps, each of said output primary segments of each said bit-moving round is affected directly or indirectly by each of at least one of said predetermined bit-moving steps of said bit-moving round, at least one of said variable circular bit-rotating steps of said bit-moving round, and at least one of said combining steps of said bit-moving, round.

52. The method of claim 51 wherein said linear operator comprises addition, subtraction, exclusive-OR, SIMD addition, or SIMD subtraction.

53. The method of claim 52 wherein said predetermined bit-moving comprises predetermined bit-rotating.

54. The method of claim 45 wherein said predetermined bit-moving comprises predetermined bit-rotating.

55. The method of claim 45 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

56. The method of claim 45 wherein said predetermined bit-moving comprises predetermined circular bit-rotating, predetermined bit-shifting or predetermined bit-permuting.

57. The method of claim 45 wherein said variable circular bit-rotating includes said predetermined bit-moving.

58. The method of claim 45 wherein said value of said variable circular bit-rotating is from said selected locations which are preselected least significant bits of said bits of data of one of said round segments of said bit-moving round.

59. The method of claim 45 wherein said linear operator comprises addition, subtraction, exclusive-OR, SIMD addition, or SIMD subtraction.

60. The method of claim 45 wherein said output primary segments of one of said rounds result directly or indirectly in ciphertext, such that said plaintext can be decrypted from said ciphertext.

61. The method of any of claims 38 to 40 wherein said plurality of bit-moving rounds comprises at least five said bit-moving rounds.

62. A method of enciphering plaintext inputted to a block cipher, said plaintext having n bits of data, said enciphering using a secret key, said method comprising:

processing round segments in a plurality of rounds of said block cipher, said plurality of rounds including a plurality of bit-moving rounds, each of said round segments in said bit-moving rounds comprising a segment in said bit-moving rounds which originates from said plaintext directly or through a present or previous one of said rounds, said processing round segments in each of said bit-moving rounds comprising,

predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments of said bit-moving round to determine a bit-value in an other bit-position of one of said round segments of said bit-moving round,

said present bit-position being different than said other bit-position, variable bit-moving bits of one of said round segments of said bit-moving round by a number of bits dependent on a value from data of one of said round segments of said bit-moving round, and wherein each of said segments comprises an ordered set of bits.

63. The method of claim 62 wherein said predetermined bit-moving comprises moving said at least one present bit-value in said present bit-position of said one of said round segments to determine said bit-value in a same said round segment.

64. The method of claim 62 wherein said variable bit-moving comprises variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

65. The method of claim 64 wherein said predetermined bit-moving comprises predetermined bit-rotating.

66. The method of claim 64 wherein said predetermined bit-moving comprises predetermined circular bit-rotating, predetermined bit-shifting or predetermined bit-permuting.

67. The method of claim 64 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

68. The method of claim 64 wherein said variable circular bit-rotating includes said predetermined bit-moving.

69. The method of claim 64 wherein said value of said variable circular bit-rotating is from said selected locations which are preselected least significant bits of said bits of data of one of said round segments of said bit-moving round.

70. The method of claim 64 wherein said predetermined bit-moving affects which bits affect said value of said variable circular bit-rotating.

71. The method of claim 62 wherein said variable bit-moving comprises variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

72. The method of claim 71 wherein said predetermined bit-moving comprises predetermined bit-rotating.

73. The method of claim 71 wherein said predetermined bit-moving comprises predetermined circular bit-rotating, predetermined bit-shifting or predetermined bit-permuting.

74. The method of claim 71 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

75. The method of claim 71 wherein said variable bit-shifting includes said predetermined bit-moving.

76. The method of claim 71 wherein said value of said variable circular bit-shifting is from said selected locations which are preselected least significant bits of said bits of data of one of said round segments of said bit-moving round.

77. The method of any of claims 62 to 76 wherein said plurality of bit-moving rounds comprises at least five of said bit-moving rounds.

78. The method of claim 62 wherein said processing round segments in each of said bit-moving rounds further comprises:

combining two of said round segments in said bit-moving round using a linear mathematical operator.

79. The method of claim 78 wherein said predetermined bit-moving comprises moving said at least one present bit-value in said present bit-position of said one of said round segments to determine said bit-value in a same said round segment.

80. The method of claim 78 wherein said variable bit-moving comprises variable circular bit-rotating said bits of one of said round segments of said bit moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

81. The method of claim 80 wherein said predetermined bit-moving comprises predetermined bit-rotating.

82. The method of claim 80 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

83. The method of claim 80 wherein said variable circular bit-rotating includes said predetermined bit-moving.

84. The method of claim 80 wherein said value of said variable circular bit-rotating is from said selected locations which are preselected least significant bits of said bits of data of one of said round segments of said bit-moving round.

85. The method of claim 80 wherein said predetermined bit-moving affects which bits affect said value of said variable circular bit-rotating.

86. The method of claim 80 wherein said linear operator comprises addition, subtraction, exclusive-OR, SIMD addition, or SIMD subtraction.

87. The method of claim 78 wherein said variable bit-moving comprises variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

88. The method of claim 87 wherein said predetermined bit-moving comprises predetermined bit-rotating.

89. The method of claim 87 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

90. The method of claim 87 wherein said variable bit-shifting includes said predetermined bit-moving.

91. The method of claim 87 wherein said value of said variable bit-shifting is from said selected locations which are preselected least significant bits of said bits of data of one of said round segments of said bit-moving round.

92. The method of claim 87 wherein said predetermined bit-moving affects which bits affect said value which determines said number of bits of said variable bit-shifting.

93. The method of claim 87 wherein said linear operator comprises addition, subtraction, exclusive-OR, SIMD addition, or SIMD subtraction.

94. The method of any of claims 78 to 93 wherein said plurality of bit-moving rounds comprises at least five of said bit-moving rounds.

95. A binary block cipher system for enciphering plaintext in a block cipher, said enciphering using a secret key, said system comprising:

memory registers for storing segments;

a computing unit for executing a plurality of rounds of said block cipher, said plurality of rounds including a plurality of bit-moving rounds, each of said bit-moving rounds transforming input primary segments having a total of n bits of data into output primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said bit-moving rounds including round segments each of which comprise a segment which originates from at least one of said input primary segments of said bit-moving round, each output primary segment of each said bit-moving round being equal to one of said round segments of said bit-moving round;

a variable bit-moving function executed on said computing unit in each of said bit-moving rounds, said variable bit-moving function moving bits of one of said memory registers having one of said round segments stored therein by a number of bits dependent on a value from data of one of said memory registers having one of said round segments stored therein;

a predetermined bit-moving function executed on said computing unit in each of said bit-moving rounds, said predetermined bit-moving function moving at least one present bit-value in a present bit-position of one of said round segments to determine a bit-value in an other bit-position of one of said round segments of said bit-moving round, said present bit-position being different than said other bit-position; and

wherein each of said segments is an ordered set of bits.

96. The binary block cipher system of claim 95 wherein one of said bit-moving rounds includes one of said primary segments having a value that is a one-to-one function of a prior value of one of said primary segments.

97. The binary block cipher system of claim 95 wherein said predetermined bit-moving function moves said at least one present bit-value in said present bit-position of said one of said round segments to determine said bit-value in a same said round segment.

98. The binary block cipher system of claim 95 wherein said variable bit-moving function comprises a variable circular bit-rotating function moving bits of one of said memory registers having one of said round segments stored therein by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said memory registers having one of said round segments stored therein.

99. The binary block cipher system of claim 98 wherein said predetermined bit-moving function affects which bits affect said value of said variable circular bit-rotating function, and at least one of said output primary segments originating from said memory register having said round segment stored therein which has been rotated by said variable circular bit-rotating function.

100. The binary block cipher system of claim 99 wherein said predetermined bit-moving function comprises a predetermined bit-rotating function.

101. The binary block cipher system of claim 100 wherein substantially all of the bits executed on by said predetermined bit-rotating function affect said output primary segments of said bit-moving round.

102. The binary block cipher system of claim 99 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

103. The binary block cipher system of any of claims 135 to 102 wherein said plurality of bit-moving rounds comprises at least five of said bit-moving rounds.

104. The binary block cipher system of claim 95 further comprising:

a combining function executed on said computing unit in each of said bit-moving rounds, said combining function combining two of said memory registers, each of said memory registers having one of said round segments stored therein, using a linear mathematical operator.

105. The binary block cipher system of claim 104 wherein one of said bit moving rounds includes one of said primary segments having a value that is a one-to-one function of a prior value of one of said primary segments.

106. The binary block cipher system of claim 104 wherein said predetermined bit-moving function moves said at least one present bit-value in said present bit-position of said one of said round segments to determine said bit-value in a same said round segment.

107. The binary block cipher system of claim 104 wherein said variable bit-moving function comprises a variable circular bit-rotating function moving bits of one of said memory registers having one of said round segments stored therein by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said memory registers having one of said round segments stored therein.

108. The binary block cipher system of claim 104 wherein said predetermined bit-moving function affects which bits affect said value of said variable circular bit-rotating function, and at least one of said output primary segments originating from said memory register having said round segment stored therein which has been rotated by said variable circular bit-rotating function.

109. The binary block cipher system of claim 108 wherein said predetermined bit-moving function comprises a predetermined bit-rotating function.

110. The binary block cipher system of claim 109 wherein substantially all of the bits executed on by said predetermined bit-rotating function affect said output primary segments of said bit-moving round.

111. The binary block cipher system of claim 108 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

112. The binary block cipher system of any of claims 104 to 111 wherein said plurality of bit-moving rounds comprises at least five of said bit-moving rounds.

113. A method of key expansion to generate subkey values used in rounds of a block cipher, the block cipher using data-dependent rotation of round segments in at least three of the rounds, the data-dependent rotation having a variable number of bits of rotation which depend directly or indirectly on plaintext, the method of key-expansion including a plurality of expansion calculations on key-dependent segments to generate the subkey values, each of said expansion calculations comprising mathematically combining key-dependent segments with predetermined values to produce the subkey values, wherein the improvement comprises:

said key expansion using expansion calculations having a mathematical operator ratio less than 3.5 to 1, said operator ratio being a ratio of a total number of bits produced by all mathematical operators of said key expansion to a total number of all subkey bits produced.

114. The method of claim 113 wherein the improvement further comprises said expansion calculations comprising mathematically combining said key-dependent segments with said predetermined values to directly produce the subkey values.

115. The method of claim 113 wherein said mathematical operator ratio is less than 2 to 1.

116. The method of claim 113 wherein said mathematically combining of said key-dependent segment and said predetermined values is substantially linear.

117. The method of claim 113 wherein said mathematically combining of said key-dependent segment and said predetermined value comprises mathematically combining using a linear operator, said linear operator comprising addition, subtraction, exclusive-OR, SIMD addition or SIMD subtraction.

118. A method of enciphering plaintext in a block cipher, said enciphering using a secret key, said method comprising:

processing round segments in a plurality of rounds of said block cipher, certain of said rounds transforming input primary segments having a total of n bits of data into output primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said round segments of each of said rounds comprising a segment which originates from at least one of said input primary segments of said round, each output primary segment of each said round being equal to one of said round segments of said round, said processing round segments in at least one of said rounds comprising, linearly combining first, second, and third variable segments of data, said first variable segment of at least 64 bits includes at least 50 variable bits from one of said round segments of said round, said second variable segment of at least 64 bits includes at least 50 variable bits from one of said round segments of said round, and said third variable segment is derived from a value selected from a lookup table in response to one of said round segments of said round, and

wherein each of said segments is an ordered set of bits.

119. The method of claim 118 wherein said at least one of said rounds comprises at least five of said rounds.

120. The method of claim 118 wherein said linear combining comprises linearly combining using a plurality of linear operators, said plurality of linear operators comprising exclusive-OR and at least one of addition, subtraction, SIMD addition or SIMD subtraction.

121. The method of claim 120 wherein said output primary segments of each said round comprises an integer number of 2 or 3 output primary segments.

122. The method of claim 121 wherein said linear combining comprises linearly combining using a plurality of linear operators, said plurality of linear operators comprising exclusive-OR and at least one of addition, subtraction, SIMD addition or SIMD subtraction.

123. The method of claim 121 wherein said linear combining comprises direct linear combining.

124. A method of enciphering plaintext in a block cipher, said enciphering using a secret key, said method comprising:

processing round segments in a plurality of rounds of said block cipher, certain of said rounds transforming input primary segments having a total of n bits of data into output primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said round segments of said rounds comprising a segment which originates from at least one of said input primary segments of said rounds, each output primary segment of each said round being equal to one of said round segments of said round, said processing round segments in at least one of said rounds comprising, linearly combining first, second, and third variable segments of data, said first variable segment including at least 75 percent of variable bits of one of two said primary segments of said round, said second variable segment including at least 75 percent of variable bits of the other of said two of said primary segments of said round, and said third variable segment is derived from a value selected from a lookup table in response to one of said round segments of said round, and

wherein each of said segments is an ordered set of bits.

125. The method of claim 124 wherein said at least one of said rounds comprises at least five of said rounds.

126. The method of claim 124 wherein said linear combining comprises linearly combining using a plurality of linear operators, said plurality of linear operators comprising exclusive-OR and at least one of addition, subtraction, SIMD addition or SIMD subtraction.

127. The method of claim 124 wherein said linear combining comprises direct linear combining.

128. A storage medium encoded with machine-readable program code for enciphering plaintext in a block cipher, said enciphering using a secret key, said program code including instructions for causing, a computer to implement a method comprising:

processing round segments in a plurality of rounds of said block cipher, said plurality of rounds including a plurality of bit-moving rounds, each of said bit-moving rounds transforming input primary segments having a total of n bits of data into output primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said round segments of each said bit-moving round comprising a segment which originates from at least one of said input primary segments of said bit-moving round, each output primary segment of each said bit-moving round being equal to one of said round segments of said bit-moving round, said processing round segments in each of said bit-moving rounds comprising,

predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments of said bit-moving round to determine a bit-value in an other bit-position of one of said round segments of said bit-moving round, said present bit-position being different than said other bit-position,

variable bit-moving bits of one of said round segments of said bit-moving round by a number of bits dependent on a value from data of one of said round segments of said bit-moving round, and

wherein each of said segments is an ordered set of bits.

129. The storage medium of claim 128 wherein said method further comprises said variable bit-moving comprising variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

130. The storage medium of claim 129 wherein said method further comprises said variable circular bit-rotating said bits of one of said round segments comprising variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

131. The storage medium of claim 129 wherein said method further comprises said Output primary segments having a bit-size of 32 bits or 64 bits.

132. The storage medium of claim 129 wherein said method further comprises said predetermined bit-moving affecting which bits affect said value of said variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said variable circular bit-rotating.

133. The storage medium of claim 129 wherein said method further comprises said predetermined bit-moving comprising predetermined bit-rotating.

134. The storage medium of claim 128 wherein said method further comprises said variable bit-moving comprising variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

135. The storage medium of any of claims 128 to 134 wherein said method further comprises said plurality of bit-moving rounds comprising at least five said bit-moving rounds.

136. The storage medium of claim 128 wherein said method further comprises:

combining two of said round segments in said bit-moving round using a linear mathematical operator.

137. The storage medium of claim 136 wherein said method further comprises said variable bit-moving comprising variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

138. The storage medium of claim 137 wherein said method further comprises said variable circular bit-rotating said bits of one of said round segments comprising variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

139. The storage medium of claim 137 wherein said method further comprises said output primary segments having a bit-size of 32 bits or 64 bits.

140. The storage medium of claim 137 wherein said method further comprises said predetermined bit-moving affecting which bits affect said value of said variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said variable circular bit-rotating.

141. The storage medium of claim 137 wherein said method further comprises said predetermined bit-moving comprising predetermined bit-rotating.

142. The storage medium of claim 136 wherein said method further comprises said variable bit-moving comprising variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

143. The storage medium of any of claims 136 to 142 wherein said method further comprises said plurality of bit-moving rounds comprising at least five said bit-moving rounds.

144. A storage medium encoded with machine-readable program code for enciphering plaintext inputted to a block cipher, said plaintext having n bits of data, said block cipher using a secret key, said program code including instructions for causing a computer to implement a method comprising:

processing round segments in a plurality of rounds of said block cipher, said plurality of rounds including a plurality of bit-moving rounds, each of said round segments in said bit-moving rounds comprising a segment in said bit-moving rounds which originates from said plaintext directly or through a present or previous one of said rounds, said processing round segments in each of said bit-moving rounds comprising,

predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments of said bit-moving round to determine a bit-value in an other bit-position of one of said round segments of said bit-moving round, said present bit-position being different than said other bit-position,

variable bit-moving bits of one of said round segments of said bit-moving round by a number of bits dependent on a value from data of one of said round segments of said bit-moving round, and

wherein each of said segments comprises an ordered set of bits.

145. The storage medium of claim 144 wherein said method further comprises said variable bit-moving comprising variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

146. The storage medium of claim 145 wherein said method further comprises said variable circular bit-rotating said bits of one of said round segments comprising variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

147. The storage medium of claim 145 wherein said method further comprises said predetermined bit-moving affecting which bits affect said value of said variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said variable circular bit-rotating.

148. The storage medium of claim 145 wherein said method further comprises said predetermined bit-moving comprising predetermined bit-rotating.

149. The storage medium of claim 144 wherein said method further comprises said variable bit-moving comprising variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

150. The storage medium of any of claims 145 to 149 wherein said method further comprises said plurality of bit-moving rounds comprising at least five said bit-moving rounds.

151. The storage medium of claim 144 wherein said method further comprises:

combining two of said round segments in said bit-moving round using a linear mathematical operator.

152. The storage medium of claim 151 wherein said method further comprises said variable bit-moving comprising variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

153. The storage medium of claim 152 wherein said method further comprises said variable circular bit-rotating said bits of one of said round segments comprising variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

154. The storage medium of claim 152 wherein said method further comprises said predetermined bit-moving affecting which bits affect said value of said variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said variable circular bit-rotating.

155. The storage medium of claim 152 wherein said method further comprises said predetermined bit-moving comprising predetermined bit-rotating.

156. The storage medium of claim 151 wherein said method further comprises said variable bit-moving comprising variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

157. The storage medium of any of claims 151 to 156 wherein said method further comprises said plurality of bit-moving rounds comprising at least five said bit-moving rounds.

158. A storage medium encoded with machine-readable program code for key expansion, said program code including instructions for causing a computer to implement a method of said key expansion to generate subkey values used in rounds of a block cipher, the block cipher using data-dependent rotation of round segments in at least three of the rounds, the data-dependent rotation having a variable number of bits of rotation which depend directly or indirectly on plaintext, the method of key-expansion including a plurality of expansion calculations on key-dependent segments to generate the subkey values, each of said expansion calculations comprising mathematically combining key-dependent segments with predetermined values to produce the subkey values, wherein the improvement comprises said program code including instructions for causing said computer to implement said key expansion using expansion calculations having a mathematical operator ratio less than 3.5 to 1, said operator ratio is a ratio of a total number of bits produced by all mathematical operators of said key expansion to a total number of all subkey bits produced.

159. A storage medium encoded with machine-readable program code for enciphering plaintext in a block cipher, said enciphering using a secret key, said program code including instructions for causing a computer to implement a method comprising:

processing round segments in a plurality of rounds of said block cipher, certain of said rounds transforming input primary segments having a total of n bits of data into output primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said round segments of each of said rounds comprising a segment which originates from at least one of said input primary segments of said round, each output primary segment of each said round being equal to one of said round segments of said round, said processing round segments in at least one of said rounds comprising,

linearly combining first, second, and third variable segments of data, said first variable segment of at least 64 bits includes at least 50 variable bits from one of said round segments of said round, said second variable segment of at least 64 bits includes at least 50 variable bits from one of said round segments of said round, and said third variable segment is derived from a value selected from a lookup table in response to one of said round segments of said round, and

wherein each of said segments is an ordered set of bits.

160. A storage medium encoded with machine-readable program code for enciphering plaintext in a block cipher, said enciphering, using a secret key, said program code including instructions for causing a computer to implement a method comprising:

processing round segments in a plurality of rounds of said block cipher, certain of said rounds transforming input primary segments having a total of n bits of data into output primary segments having, a total of n bits of data, each of said input primary segments originating- directly or indirectly from said plaintext, each of said round segments of said rounds comprising a segment which originates from at least one of said input primary segments of said rounds, each output primary segment of each said round being equal to one of said round segments of said round, said processing round segments in at least one of said rounds comprising,

linearly combining first, second, and third variable segments of data, said first variable segment including at least 75 percent of variable bits of one of two said primary segments of said round, said second variable segment including at least 75 percent of variable bits of the other of said two of said primary segments of said round, and said third variable segment is derived from a value selected from a lookup table in response to one of said round segments of said round, and

wherein each of said segments is an ordered set of bits.

161. An apparatus for enciphering plaintext in a block cipher using a secret key, said block cipher including a plurality of rounds having round segments, said plurality of rounds including, a plurality of bit-moving rounds, each of said bit-moving, rounds for transforming input primary segments having a total of n bits of data into output primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said round segments of each said bit-moving round comprising a segment which originates from at least one of said input primary segments of said bit-moving round, each output primary segment of each said bit-moving round being equal to one of said round segments of said bit-moving round, said apparatus comprising:

means for predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments in each of said bit-moving rounds to determine a bit-value in an other bit-position of one of said round segments, said present bit-position being different than said other bit-position;

means for variable bit-moving bits of one of said round segments in each of said bit-moving rounds by a number of bits dependent on a value from data of one of said round segments of said bit-moving round; and

wherein each of said segments is an ordered set of bits.

162. The apparatus of claim 161 wherein said means for variable bit-moving comprises means for variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

163. The apparatus of claim 162 wherein said means for variable circular bit-rotating said bits of one of said round segments comprising means for variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

164. The apparatus of claim 162 wherein said output primary segments have a bit-size of 32 bits or 64 bits.

165. The apparatus of claim 162 wherein said means for predetermined bit-moving affects which bits affect said value of said means for variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said means for variable circular bit-rotating.

166. The apparatus of claim 162 wherein said means for predetermined bit-moving comprising means for predetermined bit-rotating said at least one present bit value.

167. The apparatus of claim 161 wherein said means for variable bit-moving comprising means for variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

168. The apparatus of any of claims 161 to 167 wherein said plurality of bit-moving rounds comprising at least five said bit-moving rounds.

169. The apparatus of claim 161 further comprising:

means for combining two of said round segments in each of said bit-moving rounds using a linear mathematical operator.

170. The apparatus of claim 169 wherein said means for variable bit-moving comprises means for variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

171. The apparatus of claim 170 wherein said means for variable circular bit-rotating said bits of one of said round segments comprises means for variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

172. The apparatus of claim 170 wherein said output primary segments have a bit-size of 32 bits or 64 bits.

173. The apparatus of claim 170 wherein said means for predetermined bit-moving affects which bits affect said value of said means for variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said means for variable circular bit-rotating.

174. The apparatus of claim 170 wherein said means for predetermined bit-moving comprising means for predetermined bit-rotating said at least one present bit value.

175. The apparatus of claim 169 wherein said means for variable bit-moving comprises means for variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

176. The apparatus of any of claims 169 to 175 wherein said plurality of bit-moving, rounds comprising at least five said bit-moving rounds.

177. An apparatus for enciphering plaintext inputted to a block cipher using a secret key, said block cipher including a plurality of rounds having round segments, said plurality of rounds including a plurality of bit-moving rounds, each of said round segments in said bit-moving rounds comprising a segment in said bit-moving rounds which originates from said plaintext directly or through a present or previous one of said rounds, said apparatus comprising:

means for predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments in each of said bit-moving rounds to determine a bit-value in an other bit-position of one of said round segments, said present bit-position being different than said other bit-position;

means for variable bit-moving bits of one of said round segments in each of said bit-moving rounds by a number of bits dependent on a value from data of one of said round segments of said bit-moving round; and

wherein each of said segments comprises an ordered set of bits.

178. The apparatus of claim 177 wherein said means for variable bit-moving comprises means for variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

179. The apparatus of claim 178 wherein said means for variable circular bit-rotating said bits of one of said round segments comprising means for variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

180. The apparatus of claim 178 wherein said means for predetermined bit-moving affects which bits affect said value of said means for variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said means for variable circular bit-rotating.

181. The apparatus of claim 178 wherein said means for predetermined bit-moving comprising means for predetermined bit-rotating said at least one present bit value.

182. The apparatus of claim 177 wherein said means for variable bit-moving comprising means for variable bit-shifting said bits of one of said round segments of said bit-moving, round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

183. The apparatus of any of claims 177 to 182 wherein said plurality of bit-moving rounds comprising at least five said bit-moving rounds.

184. The apparatus of claim 177 further comprising:

means for combining two of said round segments in each of said bit-moving rounds using a linear mathematical operator.

185. The apparatus of claim 184 wherein said means for variable bit-moving comprises means for variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

186. The apparatus of claim 185 wherein said means for variable circular bit-rotating said bits of one of said round segments comprises means for variably circular bit-rotating said bits of one of said round segments having a bit-size where a log base 2 of said bit-size equals said selected number of bits of data.

187. The apparatus of claim 185 wherein said means for predetermined bit-moving affects which bits affect said value of said means for variable circular bit-rotating, and at least one of said output primary segments originating from said round segment which has been rotated by said means for variable circular bit-rotating.

188. The apparatus of claim 185 wherein said means for predetermined bit-moving comprising means for predetermined bit-rotating said at least one present bit value.

189. The apparatus of claim 184 wherein said means for variable bit-moving comprises means for variable bit-shifting said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

190. The apparatus of any of claims 184 to 189 wherein said plurality of bit-moving rounds comprising at least five said bit-moving rounds.

191. An apparatus including means for key expansion to generate subkey values used in rounds of a block cipher, the block cipher using data-dependent rotation of round segments in at least three of the rounds, the data-dependent rotation having a variable number of bits of rotation which depend directly or indirectly on plaintext, said means for key-expansion utilizing a plurality of expansion calculations on key-dependent segments to generate the subkey values, each of said expansion calculations comprising mathematically combining key-dependent segments with predetermined values to produce the subkey values, wherein the improvement comprises,

said means for key expansion using said expansion calculations having a mathematical operator ratio less than 3.5 to 1, said operator ratio being a ratio of a total number of bits produced by all mathematical operators of said key expansion to a total number of all subkey bits produced.

192. An apparatus for enciphering plaintext in a block cipher using a secret key, said block cipher including a plurality of rounds having round segments, certain of said rounds for transforming input primary segments having a total of n bits of data into output primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said round segments of each of said rounds comprising a segment which originates from at least one of said input primary segments of said round, each output primary segment of each said round being equal to one of said round segments of said round, wherein the improvement comprises:

means for linearly combining first, second, and third variable segments of data, said first variable segment of at least 64 bits includes at least 50 variable bits from one of said round segments, said second variable of at least 64 bits includes at least 50 variable bits from one of said round segments, and said third variable segment is derived from a value selected from a lookup table in response to one of said round segments; and

wherein each of said segments is an ordered set of bits.

193. An apparatus for enciphering plaintext in a block cipher using a secret key, said block cipher including a plurality of rounds having round segments, certain of said rounds for transforming input primary segments having a total of n bits of data into output primary segments having a total of n bits of data, each of said input primary segments originating directly or indirectly from said plaintext, each of said round segments of each of said rounds comprising a segment which originates from at least one of said input primary segments of said round, each output primary segment of each said round being equal to one of said round segments of said round, wherein the improvement comprises:

means for linearly combining first, second and third variable segments of data, said first variable segment including at least 75 percent of variable bits of one of two said primary segments, said second variable segment including at least 75 percent of the variable bits of the other of said two of said primary segments, and said third variable segment is derived from a value selected from a lookup table in response to one of said round segments; and

wherein each of said segments is an ordered set of bits.

194. A method of deciphering ciphertext inputted to a block cipher, said ciphertext having n bits of data, said deciphering using a secret key, said method comprising:

processing round segments in a plurality of rounds of said block cipher, said plurality of rounds including a plurality of bit-moving rounds, each of said round segments in said bit-moving rounds comprising a segment in said bit-moving rounds which originates from said ciphertext directly or through a present or previous one of said rounds, said processing round segments in each of said bit-moving rounds comprising,

predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments of said bit-moving round to determine a bit-value in an other bit-position of one of said round segments of said bit-moving round, said present bit-position being different than said other bit-position,

variable bit-moving bits of one of said round segments of said bit-moving round by a number of bit s dependent on a value from data of one of said round segments of said bit-moving round, and

wherein each of said segments comprises an ordered set of bits.

195. The method of claim 194 wherein said variable bit-moving comprises variable circular bit-rotating said bits of one of said round segments of said bit moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

196. The method of claim 195 wherein said predetermined bit-moving comprises pre determined bit-rotating.

197. The method of claim 195 wherein said predetermined bit-moving comprises predetermined circular bit-rotating, predetermined bit-shifting or predetermined bit-permuting.

198. The method of claim 195 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

199. A storage medium encoded with machine-readable program code for deciphering ciphertext inputted to a block cipher, said ciphertext having n bits of data, said block cipher using a secret key, said program code including instructions for causing a computer to implement a method comprising:

processing round segments in a plurality of rounds of said block cipher, said plurality of rounds including a plurality of bit-moving rounds, each of said round segments in said bit-moving rounds comprising a segment in said bit-moving rounds which originates from said ciphertext directly or through a present or previous one of said rounds, said processing round segments in each of said bit-moving rounds comprising,

predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments of said bit-moving round to determine a bit-value in an other bit-position of one of said round segments of said bit-moving round, said present bit-position being different than said other bit-position,

variable bit-moving bits of one of said round segments of said bit-moving round by a number of bits dependent on a value from data of one of said round segments of said bit-moving round, and

wherein each of said segments comprises an ordered set of bits.

200. The storage medium of claim 199 wherein said method further comprises said variable bit-moving comprising variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

201. The storage medium of claim 199 wherein said method further comprises said predetermined bit-moving comprising predetermined bit-rotating.

202. The storage medium of claim 199 wherein said method further comprises said predetermined bit-moving, comprising predetermined circular bit-rotating, predetermined bit-shifting or predetermined bit-permuting.

203. The method of claim 199 wherein said method further comprises said one present bit-value in said present bit-position solely determining said bit-value in said other bit position.

204. An apparatus for deciphering ciphertext inputted to a block cipher using a secret key, said block cipher including a plurality of rounds having round segments, said plurality of rounds including a plurality of bit-moving rounds, each of said round segments in said bit-moving rounds comprising a segment in said bit-moving rounds which originates from said ciphertext directly or through a present or previous one of said rounds, said apparatus comprising:

means for predetermined bit-moving at least one present bit-value in a present bit-position of one of said round segments in each of said bit-moving rounds to determine a bit-value in an other bit-position of one of said round segments, said present bit-position being different than said other bit-position;

means for variable bit-moving bits of one of said round segments in each of said bit-moving rounds by a n umber of bit s dependent on a value from data of one of said round segments of said bit-moving round; and

wherein each of said segments comprises an ordered set of bits.

205. The apparatus of claim 204 wherein said means for variable bit-moving comprises means for variable circular bit-rotating said bits of one of said round segments of said bit-moving round by a number of bits dependent on said value from a selected number of bits of data in selected locations of one of said round segments of said bit-moving round.

206. The apparatus of claim 205 wherein said means for predetermined bit-moving comprising means for predetermined bit-rotating said at least one present bit value.

207. The apparatus of claim 205 wherein said means for predetermined bit-moving comprises means for predetermined circular bit-rotating, means for predetermined bit-shifting or means for predetermined bit-permuting.

208. The apparatus of claim 205 wherein said one present bit-value in said present bit-position solely determines said bit-value in said other bit-position.

209. A method of encrypting a plaintext message, comprising:

(a) identifying the plaintext message, the plaintext message including a plurality of words;

(b) applying a mathematical function to at least one of the words;

(c) rotating a value which is based on the result of the applying step (b) by a first number of bits;

(d) rotating a value which is based on the result of the rotating step (c) by a second number of bits, wherein one of the first number of bits and the second number of bits is a predetermined number of bits and the other one of the first number of bits and the second number of bits is derived from one of the words;

(e) applying a secret key to a value originating from one of the words; and

(f) repeating steps (b), (c), (d), and (e) for a number of rounds.

210. The method of claim 209 wherein the applying the mathematical function comprises applying an operation on two unsigned integers of 32 bits or 64 bits.

211. The method of claim 210 wherein a result of the applying the operation has an equal probability of having bits equal to one or zero when one of the integers has an equal probability of having bits equal to one or zero.

212. The method of claim 209 wherein the predetermined number of bits is given by a log base 2 of the number of bits in a given one of the words.

213. The method of claim 209 further comprising:

(g) rotating a value which is based on the result of the rotating step (d) by a third number of bits, wherein the third number of bits is a predetermined number of bits different from the predetermined number of bits of step (d).

214. The method of claim 213 wherein the step (f) comprises repeating steps (b), (c), (d), (g), and (e) for the number of rounds.

215. A method of encrypting a plaintext message, comprising:

(a) identifying the plaintext message, the plaintext message including a plurality of words;

(b) applying a mathematical function to at least one of the words;

(c) rotating a value originating from one of the words which is based on the result of the applying step (b) by a first number of bits resulting in another value which affects another one of the words, with the one of the words being affected by the other value only indirectly through the other one of the words;

(d) rotating a value which is based on the result of the rotating step (c) by a second number of bits derived from one of the words;

(e) applying a secret key to a value originating from one of the words; and

(f) repeating steps (b), (c), (d), and (e) for a number of rounds.

216. The method of claim 215 wherein the applying the mathematical function comprises applying an operation on two unsigned integers of 32 bits or 64 bits.

217. The method of claim 215 wherein the first number of bits comprises a predetermined number of bits given by a log base 2 of the number of bits in a given one of the words.

218. A system for encrypting a plaintext message, comprising:

memory registers for storing the plaintext message, the plaintext message including a plurality of words;

a computing unit for applying a mathematical function to at least one of the words;

a first rotating function executed on the computing unit for rotating a value which is based on the result of the applying the mathematical function by a first number of bits;

a second rotating function executed on the computing unit for rotating a value which is based on the result of the first rotating function by a second number of bits, wherein one of the first number of bits and the second number of bits is a predetermined number of bits and the other one of the first number of bits and the second number of bits is derived from one of the words; and

a function executed on the computing unit for applying a secret key to a value originating from one of the words.

219. The system of claim 218 wherein the computing unit for applying the mathematical function includes applying an operation on two unsigned integers of 32 bits or 64 bits.

220. The system of claim 219 wherein a result of the applying the operation has an equal probability of having bits equal to one or zero when one of the integers has an equal probability of having bits equal to one or zero.

221. The system of claim 218 wherein the predetermined number of bits is given by a log base 2 of the number of bits in a given one of the words.

222. The system of claim 218 further comprising:

a third rotating function executed on the computing unit for rotating a value which is based on the result of the second rotating function by a third number of bits, wherein the third number of bits is a predetermined number of bits different from the predetermined number of bits of the second rotation function.

223. A system for encrypting a plaintext message, comprising:

memory registers for storing the plaintext message, the plaintext message including a plurality of words;

a computing unit for applying a mathematical function to at least one of the words;

a first rotating function executed on the computing unit for rotating a value originating from one of the words which is based on the result of the applying the mathematical function by a first number of bits resulting in another value which affects another one of the words, with the one of the words being affected by the other value only indirectly through the other one of the words;

a second rotating function executed on the computing unit for rotating a value which is based on the result of the first rotating function by a second number of bits derived from one of the words; and

a function executed on the computing unit for applying a secret key to a value originating from one of the words.

224. The system of claim 223 wherein the computing unit for applying the mathematical function includes applying an operation on two unsigned integers of 32 bits or 64 bits.

225. The system of claim 223 wherein the first number of bits comprises a predetermined number of bits given by a log base 2 of the number of bits in a given one of the words.

226. A storage medium encoded with machine-readable program code for encrypting a plaintext message, the program code including instructions for causing a computer to implement a method comprising:

(a) identifying the plaintext message, the plaintext message including a plurality of words;

(b) applying a mathematical function to at least one of the words;

(c) rotating a value which is based on the result of the applying step (b) by a first number of bits;

(d) rotating a value which is based on the result of the rotating step (c) by a second number of bits, wherein one of the first number of bits and the second number of bits is a predetermined number of bits and the other one of the first number of bits and the second number of bits is derived from one of the words;

(e) applying a secret key to a value originating from one of the words; and

(f) repeating steps (b), (c), (d), and (e) for a number of rounds.

227. The storage medium of claim 226 wherein the method further comprises the applying the mathematical function comprising applying an operation on two unsigned integers of 32 bits or 64 bits.

228. The storage medium of claim 227 wherein the method further comprises a result of the applying the operation having an equal probability of having bits equal to one or zero when one of the integers has an equal probability of having bits equal to one or zero.

229. The storage medium of claim 226 wherein the method further comprises the predetermined number of bits being given by a log base 2 of the number of bits in a given one of the words.

230. The storage medium of claim 226 wherein the method further comprises:

(g) rotating a value which is based on the result of the rotating step (d) by a third number of bits, wherein the third number of bits is a predetermined number of bits different from the predetermined number of bits of step (d).

231. The storage medium of claim 230 wherein the method further comprises the step (f) comprising repeating steps (b), (c), (d), (g), and (e) for the number of rounds.

232. A storage medium encoded with machine-readable program code for encrypting a plaintext message, the program code including instructions for causing a computer to implement a method comprising:

(a) identifying the plaintext message, the plaintext message including a plurality of words;

(b) applying a mathematical function to at least one of the words;

(c) rotating a value originating from one of the words which is based on the result of the applying step (b) by a first number of bits resulting in another value which affects another one of the words, with the one of the words being affected by the other value only indirectly through the other one of the words;

(d) rotating a value which is based on the result of the rotating step (c) by a second number of bits derived from one of the words;

(e) applying a secret key to a value originating from one of the words; and

(f) repeating steps (b), (c), (d), and (e) for a number of rounds.

233. The storage medium of claim 232 wherein the method further comprises the applying the mathematical function comprising applying an operation on two unsigned integers of 32 bits or 64 bits.

234. The storage medium of claim 232 wherein the method further comprises the first number of bits comprising a predetermined number of bits given by a log base 2 of the number of bits in a given one of the words.

235. A method of encrypting a plurality of words, comprising:

(a) rotating a value which is based directly or indirectly on at least one of the words by a first number of bits;

(b) rotating a value which is based on the result of the rotating step (a) by a second number of bits, wherein one of the first number of bits and the second number of bits is a predetermined number of bits and the other one of the first number of bits and the second number of bits is derived from one of the words;

(c) rotating a value which is based on the result of the rotating step (b) by a third number of bits, wherein the third number of bits is a predetermined number of bits different from the predetermined number of bits of step (b);

(d) applying a secret key to a value originating from one of the words; and

(e) repeating steps (a), (b), (c) and (d) for a number of rounds.

236. The method of claim 235 further comprising:

(f) applying a mathematical function to a value originating from one of the words.

237. The method of claim 235 wherein the step (e) comprises repeating steps (a), (b), (c), (d), and (f) for the number of rounds.

238. The method of claim 236 wherein the applying the mathematical function comprises applying an operation on two unsigned integers of 32 bits or 64 bits.

239. A system for encrypting a plurality of words, comprising:

a computing unit for processing the plurality of words;

a first rotating function executed on the computing unit for rotating a value which is based on at least one of the words by a first number of bits;

a second rotating function executed on the computing unit for rotating a value which is based on the result of the first rotating function by a second number of bits, wherein one of the first number of bits and the second number of bits is a predetermined number of bits and the other one of the first number of bits and the second number of bits is derived from one of the words;

a third rotating function executed on the computing unit for rotating a value which is based on the result of the second rotating function by a third number of bits, wherein the third number of bits is a predetermined number of bits different from the predetermined number of bits of the second rotating function; and

a function executed on the computing unit for applying a secret key to a value originating from one of the words.

240. The system of claim 239 further comprising:

mathematical function executed the computing unit for operating on a value originating from one of the words.

241. The system of claim 240 wherein the computing unit for applying the mathematical function includes applying an operation on two unsigned integers of 32 bits or 64 bits.

242. A storage medium encoded with machine-readable program code for encrypting a plurality of words, the program code including instructions for causing a computer to implement a method comprising:

(a) rotating a value which is based on at least one of the words by a first number of bits;

(b) rotating a value which is based on the result of the rotating step (a) by a second number of bits, wherein one of the first number of bits and the second number of bits is a predetermined number of bits and the other one of the first number of bits and the second number of bits is derived from one of the words;

(c) rotating a value which is based on the result of the rotating step (b) by a third number of bits, wherein the third number of bits is a predetermined number of bits different from the predetermined number of bits of step (b);

(d) applying a secret key to a value originating from one of the words; and

(e) repeating steps (a), (b), (c) and (d) for a number of rounds.

243. The storage medium of claim 242 wherein the method further comprises:

(f) applying a mathematical function to a value originating from one of the words.

244. The storage medium of claim 243 wherein the method further comprises the step (e) comprising repeating steps (a), (b), (c), (d), and (f) for the number of rounds.

245. The storage medium of claim 243 wherein the method further comprises the applying the mathematical function comprising applying an operation on two unsigned integers of 32 bits or 64 bits.

246. A method of decrypting a plaintext message, comprising:

(a) identifying the plaintext message, the plaintext message including a plurality of words;

(b) applying a mathematical function to at least one of the words;

(c) rotating a value which is based on the result of the applying step (b) by a first number of bits;

(d) rotating a value which is based on the result of the rotating step (c) by a second number of bits, wherein one of the first number of bits and the second number of bits is a predetermined number of bits and the other one of the first number of bits and the second number of bits is derived from one of the words;

(e) applying a secret key to a value originating from one of the words; and

(f) repeating steps (b), (c), (d), and (e) for a number of rounds.

247. A method of decrypting a plaintext message, comprising:

(a) identifying the plaintext message, the plaintext message including a plurality of words;

(b) applying a mathematical function to at least one of the words;

(c) rotating a value originating from one of the words which is based on the result of the applying step (b) by a first number of bits resulting in another value which affects another one of the words, with the one of the words being affected by the other value only indirectly through the other one of the words;

(d) rotating a value which is based on the result of the rotating step (c) by a second number of bits derived from one of the words;

(e) applying a secret key to a value originating from one of the words; and

(g) repeating steps (b), (c), (d), and (e) for a number of rounds.

248. A method of decrypting a plurality of words, comprising:

(a) rotating a value which is based on at least one of the words by a first number of bits;

(b) rotating a value which is based on the result of the rotating step (a) by a second number of bits, wherein one of the first number of bits and the second number of bits is a predetermined number of bits and the other one of the first number of bits and the second number of bits is derived from one of the words;

(c) rotating a value which is based on the result of the rotating step (b) by a third number of bits, wherein the third number of bits is a predetermined number of bits different from the predetermined number of bits of step (b);

(d) applying a secret key to a value originating from one of the words; and

(e) repeating steps (a), (b), (c) and (d) for a number of rounds.

Description

FIELD OF INVENTION

This invention relates to block cipher secret-key cryptographic systems and methods. More particularly, the invention relates to improvements in a secret-key cryptographic system and method which uses data-dependent and variable rotations of data in block cipher rounds which are dependent, directly of indirectly, on plaintext data being enciphered.

BACKGROUND OF THE INVENTION

Cryptography is the science of securing communications and information. In recent years, the importance of cryptographic systems has been magnified by the explosive growth and deployment of telecommunications technology. Increasing volumes of confidential data are being transmitted across telecommunications channels and are being stored in file servers, where such data ranges from financial information to electronic votes. It is desired that systems provide security from unsanctioned or illicit interception or modification of such confidential information.

There are two basic operations used in secret-key or symmetric block cipher cryptography. Encryption or encipherment is the process of disguising a communication to hide its content. During encryption, the communication which is known as plaintext is encrypted into what is known as ciphertext. Decryption or decipherment is the inverse process of using the same secret-key values to recover the plaintext from the ciphertext output. While the two basic operations of encryption and decryption may be distinguished in practice, there is in general no necessary mathematical difference between the two operations, other than that they are inverse transformations of each other.

Ciphertext output of a secure block cipher has little or no statistical relation to its corresponding plaintext input. The output (or input) is uncorrelated to the input (or output). Every bit of ciphertext output reflects every bit of the plaintext input and every bit of the key in a complex uncorrelated manner, just as every bit of recovered plaintext input reflects every bit of the ciphertext output and every bit of the key in a complex uncorrelated manner.

Block ciphers, generally, are binary ciphers receiving inputs consisting of a fixed number of bits (a block of n bits), and have outputs of the same fixed number of bits (an equal sized block of n bits). The input and output of such ciphers are one-to-one mappings: each ordered n-bit input is transformed by the block cipher into only one ordered n-bit output; and further, when the transformation is computed in reverse each ordered n-bit output may be transformed back into only one ordered n-bit input.

Secret key values are the values which influence the mapping of input to output provided by the block cipher. It is useful to divide secret keys into two categories: secret input keys and secret keys. Secret input keys may be based on varied input from a user or the encryption system which may be of fixed or variable length, and a secret key is often a transformed secret key input. A secret key is usually of fixed length. A block cipher usually operates on a secret key, but in some cases may operate on an secret input key. If a block cipher first operates on a secret input key, potentially it may use so me algorithm to transform the secret input key into a secret key in a standard format. Then, a block cipher expands the secret key to form subkeys whose length or number of bits exceeds that of the secret key.

Block ciphers and have many rounds calculated in series where each round depends on plaintext through the output of the immediately prior round where generally in each round the same operations are performed iteratively in the same manner. The n-bit input into the block cipher may be called n-bit cipher input. After encryption, the result may be called n-bit cipher output. In each of these rounds, the ordered binary input may be called n-bit cipher round input, and the n-bit ordered binary output may be called n-bit cipher round output. An n-bit cipher input or n-bit cipher output refers to the variable n-bit binary input or variable n-bit binary output of a binary block cipher. Such n-bit cipher input and n-bit cipher output are typically plaintext input and ciphertext output. By contrast, key inputs or subkey values used by a binary block cipher are not variable binary inputs, but arc generally fixed or predetermined values for a given use of the block cipher. An n-bit cipher round input or n-bit cipher round output refers to the variable n-bit binary input or variable n-bit binary output of one (and typically of one operative round) round of a binary block cipher.

An operative round of a binary block cipher is an iterative round which calculates new values for each of x primary segments in the round, where x may vary in different operative rounds, where there are a total of n-bits in the x primary segments, and where the new values of the x primary segments determine the n-bit round output. Operative rounds of a binary block cipher refer to iterative rounds which calculate new values for each of x primary segments in a given round, where x may vary in different rounds, where the n-bit cipher round output consists of these x segments of new values, and where the total of all bits of the x segments equals n bits. Binary block ciphers are ciphers receiving inputs consisting of n ordered bits of input and have outputs of the same number of ordered bits (n bits). A mapping of block cipher inputs to outputs reveals that every possible combination of n input bits from 2 n possible combinations has only one corresponding combination of n output bits, and likewise every combination of n output bits from 2 n possible combinations has only one corresponding combination of n input bits. In other words, binary block ciphers transform input values to output values in a manner such that the mapping of this transformation relates the members of the set of all possible ordered input values of n-bits in a one-to-one manner with the members of the set of all possible ordered output values of n-bits.

While a segment is defined simply as a plurality of ordered bits, it is also possible to classify types of segments. There are also round segments and one-to-one round segments.

A round segment is a segment within a round (and typically an operative round) of a binary block cipher which is part of n-bit cipher input or n-bit cipher output, or is calculated within a round or operative round the operative round and is intermediate between input and output; is affected by n-bit cipher round input; and affects n-bit cipher round output. For example, a first value in a calculation is said to affect a second value if, after taking into account the specifics of the particular calculation, a random change in all bits of the first value is likely to change at least one bit of the second value with a chance of at least one in three.

A one-to-one round segment is defined as a member of a one-to-one round segment set. A one-to-one round segment set is defined as a set of ordered round segments in an operative round of a binary block cipher where it is true that each n-bit round input corresponds with only one possible result or group of particular values of the ordered segments of that set, and that any group of particular values of the ordered segments of that set correspond with only one possible n-bit round input. For example, the set of segments in the n-bit cipher output are a one-to-one round segment set. The set of segments in any of the n-bit round input or the n-bit round output of each operative round are also one-to-one round segment sets. Where one-to-one round segment sets are calculated in a binary block cipher which operates on n-bits of input or output, it obviously follows that all such one-to-one round segment sets consist of exactly n-bits.

Note that in general there are usually more one-to-one round segment sets than the examples just mentioned. For example, in most binary block ciphers it is possible to form one-to-one round segment sets by combining particular round segments which are determined consecutively even though they are determined in different rounds.

There is a term-of-art in which one speaks of the n-bit data or bits (which for block ciphers can be called text or plaintext or cipher data) of a calculation method from encryption. Such data is generally dependent on any variable input into the method from plaintext. If so, such data is, in another term-of-art, also called variable as opposed to predetermined or fixed. Consequently, one can speak of all the n-bit data (all the bits) in one-to-one round segment sets as being variable; and such data is different than the predetermined secret subkey data which is also part of block ciphers. Such subkey data is dependent on the secret key, and is fixed and often precalculated relative to any variable plaintext input of the block cipher.

One can observe further that in a well designed block cipher most bits of variable round segments are variable. This observation is true for efficient block ciphers since any non-variable bits can be wasteful or inefficient. For example, although a round segment may be called variable as it has at least one variable bit within it by definition, in a well designed block cipher if a round segment is variable in general, a substantial portion (such as 50 out of 64) of the bits within that round segment will also be variable.

Further, block ciphers may linearly combine one-to-one round segments with subkeys, or rotate them by a predetermined number of bits, or rotate them by a data-dependent number of bits determined by some bits of another unrelated one-to-one round segment, or even combine them linearly with other unrelated one-to-one round segments, and generally such resulting output segments, which are sometimes intermediate values that do not affect n-bit output directly, are also one-to-one round segments.

Finally, the preceding description of primary segment values while sufficient for understanding the scope of the prior art is incomplete. Typically, primary segment values are more than just calculated round segment values which determine a n-bit round output. Typically, a n-bit round input contains old or prior values of primary segments which are replaced over the course of an operative round. Typically, each such replacement value of a primary segment is a one-to-one function of the prior value, if all subkey values and all other primary segments are constant. Generally, all primary segment values are one-to-one round segments.

To increase security each operative round typically interacts one-to-one round segments and secret subkey values. In each operative round, each of the x primary segments is typically a function of its prior segment modified by the combined interaction of at least one other one-to-one round segment and in some cases by a subkey segment for that round.

In practice, execution of block ciphers in microprocessors generally takes place using registers, which typically are the data locations in a microprocessor which are quickest at loading and storing data. Often, binary block ciphers are configured such that the usual segment operated on by the rounds of the block cipher is equal in size to the 32-bit or 64-bit registers of microprocessors which may compute the block cipher.

Increasingly, not only do binary block ciphers use algorithms optimized for 32-bit or 64-bit registers but also they use algorithms which are optimized for the microprocessors of network servers, which are typically internet or intranet nodes. Such network nodes usually must be capable of more than just encryption or decryption. In fact, the majority of time and resources of such servers is allocated to other tasks. As a result, it is critical that a block cipher well suited to this task be capable of quick bootup or startup and make minimal use of on-chip cache, which is one of the most critical resources of a server's microprocessor.

Another type of encryption which may not require as much optimization as node encryption on network servers is bulk encryption of large files. Calculation of block ciphers, well suited to bulk encryption, typically takes place in registers. However, as the amount of data to be encrypted is larger in bulk encryption, quick startup is not essential. Such startup time becomes a small percentage of the total time spent encrypting a large file.

A good example of perhaps the first historically significant symmetric cryptographic system (i.e., when the same key is used in the encipherment and decipherment transformations) is the Data Encryption Standard ("DES"), which is a U.S. Government standard. DES uses small "s-boxes" to provide security. These so-called s-boxes are substitution boxes or, simply, look-up tables.

S-boxes provide output which is a nonlinear function of the input, based on a lookup table. Small s-boxes are lookup tables with a small number of possible inputs. Often, small s-boxes have a small number of output bits as well. For example, each s-box of DES has 6-bit inputs or 64 possible inputs and 4-bit outputs or 16 possible output values. They do not require much memory; nor does it take long to load them in microprocessor memory. S-boxes are generally stored in on-chip cache, generally the next quickest form of microprocessor memory after registers.

DES was the first significant example of a Feistel block cipher. Such block ciphers are named after Horst Feistel. Feistel block ciphers perform repetitive operations on a left half and right half of a block, respectively. This is convenient for execution in hardware and software when the number of registers is limited.

One aspect of DES which is particularly relevant to the defined terms used herein is the fact it swaps its primary segments, also known in DES as cipher block halves. If the swaps are included, some equations which describe in a general way both segments being recalculated in each two successive iterative rounds, are as follows, where LH means the left half, and RH means the right half:

              increment i by +1
              LH= LH xor F(RH xor Key[i])
              Swap{LH,RH}
              increment i by +1
              LH= LH xor F(RH xor Key[i])
              Swap{LH,RH}            Eq. 1

              increment i by +2
              LH=LH xor F(RH xor Key[i])
              RH=RH xor F(LH xor Key[i+1]) Eq. 2

            R[0]= ((R[-4] + R[-1])<<<F-table[i])
              xor (s-box(LSB(R[-2])) + R[-3]) Eq. 3

           R0= ((R0 xor R1)<<<LSB(R1)) + Key[i] Eq. 4
           R1= ((R1 xor R0)<<<LSB(R0)) + Key[i+1] Eq. 5

           R1= ((R1-Key[i+1])>>>LSB(R0)) xor R0 Eq. 6
           R0= ((R0-Key[i])>>>LSB(R1)) xor R1 Eq. 7

                  For Plaintext Input #1 let,
                  R0 ={00000000...};R1 ={00000000...}
                  For Plaintext Input #2 let,
                  R0'={00001000...};R1'={00001000...}
                  The difference between these registers is,
                  D0= {00001000...};D1 ={00001000...}