+

WO2001011818A2 - Method and apparatus for generating a message authentication code - Google Patents

Method and apparatus for generating a message authentication code Download PDF

Info

Publication number
WO2001011818A2
WO2001011818A2 PCT/US2000/021589 US0021589W WO0111818A2 WO 2001011818 A2 WO2001011818 A2 WO 2001011818A2 US 0021589 W US0021589 W US 0021589W WO 0111818 A2 WO0111818 A2 WO 0111818A2
Authority
WO
WIPO (PCT)
Prior art keywords
bits
bit
generator
message
pseudorandomly
Prior art date
Application number
PCT/US2000/021589
Other languages
French (fr)
Other versions
WO2001011818A3 (en
Inventor
Gregory G. Rose
Paul E. Bender
Roy Franklin Quick, Jr.
Jack K. Wolf
Original Assignee
Qualcomm Incorporated
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qualcomm Incorporated filed Critical Qualcomm Incorporated
Priority to JP2001515574A priority Critical patent/JP2003506750A/en
Priority to AU66250/00A priority patent/AU6625000A/en
Priority to EP00953877A priority patent/EP1210790A2/en
Priority to KR1020027001766A priority patent/KR20020026370A/en
Publication of WO2001011818A2 publication Critical patent/WO2001011818A2/en
Publication of WO2001011818A3 publication Critical patent/WO2001011818A3/en
Priority to HK02108158.9A priority patent/HK1046795B/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/34Encoding or coding, e.g. Huffman coding or error correction
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • the present invention pertains generally to the field of communications, and more particularly to generation of message authentication codes.
  • a message authentication code is a cryptographically derived item that may be appended to a particular message in order to verify that the message originated from a particular party and was not altered by any other party. It stands to reason that MACs find use in many fields of telecommunications.
  • An exemplary field is wireless communications.
  • the field of wireless communications has many applications including, e.g., cordless telephones, paging, wireless local loops, wireless data applications such as personal digital assistants (PDAs), wireless telephony such as cellular and PCS telephone systems, mobile Internet Protocol (IP) telephony, and satellite communication systems.
  • PDAs personal digital assistants
  • IP mobile Internet Protocol
  • satellite communication systems A particularly important application is wireless telephony for mobile subscribers.
  • FDMA frequency division multiple access
  • TDMA time division multiple access
  • CDMA code division multiple access
  • various domestic and international standards have been established including, e.g., Advanced Mobile Phone Service (AMPS), Global System for Mobile Communications (GSM), and Interim Standard 95 (IS-95).
  • AMPS Advanced Mobile Phone Service
  • GSM Global System for Mobile Communications
  • IS-95 Interim Standard 95
  • An exemplary wireless telephony communication system is a code division multiple access (CDMA) system.
  • CDMA code division multiple access
  • the IS-95 standard and its derivatives, IS-95A, ANSI J-STD-008, IS-95B, proposed third generation standards IS-95C and IS-2000, proposed high-data-rate CDMA standards exclusively for data, etc. (referred to collectively herein as IS-95), are promulgated by the Telecommunication Industry Association (TIA) and other well known standards bodies to specify the use of a CDMA over-the-air interface for cellular or PCS telephony communication systems.
  • TIA Telecommunication Industry Association
  • Exemplary wireless communication systems configured substantially in accordance with the use of the IS-95 standard are described in U.S. Patent Nos. 5,103,459 and 4,901,307, which are assigned to the assignee of the present invention and fully incorporated herein by reference.
  • the MAC m is the output of a function computed with the message M (of length L M ) and a shared secret key K known only by the message originator and recipient as the inputs to the function. If the particular function chosen is secure, then an active attacker who can intercept and potentially modify the messages sent can neither discover the key K nor create messages that will be accepted by the recipient as valid with a reasonable probability. If the MAC has a length L m (in bits), then the attacker could always simply guess a value for m for a desired message, and with a probability of l/2 Lm the guess will be correct. Hence, any guarantee of security for a MAC is, by nature, probabilistic.
  • MACs in general provide no better guarantee of detecting an error, whether deliberately or randomly introduced, than this probability.
  • a single-bit error in a message generally has the same chance of matching the MAC attached to the message as would any other substitution. While this probability is small, it is still significant.
  • CRC cyclic redundancy check
  • ECCs error detection-and-correction code
  • CRCs are used in many applications in which data transmissions may be corrupted, and when the receiver wants to be able to detect the most common corruptions and correct them.
  • CRCs are efficient to compute, and have useful error detection properties. If the received message M' has an error in any small number of bits, the CRC will guarantee to detect that there has been an error, and in fact will indicate (on the assumption that the error was the smallest possible) which bits were in error. This enables the correction of the error.
  • CRCs are calculated by considering the bits of the message to be the coefficients of a polynomial and calculating the remainder when the polynomial is divided by a polynomial P of degree L. Careful choice of the polynomial P gives the desired error detection and correction properties.
  • CRCs are good for detecting the kinds of random errors introduced during transmission, they are useless for preventing any kind of active attack because the attacker can easily calculate the effect on the CRC of any modification of a message. The attacker can also modify the CRC accordingly.
  • a method of generating a message authentication code advantageously includes the steps of pseudorandomly distributing in a key- dependent manner a first plurality of message bits into a second plurality of bits; generating a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and transmitting the first plurality of message bits and a message authentication code that comprises the third plurality of bits.
  • a generator configured to generate a message authentication code advantageously includes means for pseudorandomly distributing in a key-dependent manner a first plurality of message bits into a second plurality of bits; means for generating a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and means for transmitting the first plurality of message bits and a message authentication code that comprises the third plurality of bits.
  • a generator configured to generate a message authentication code advantageously includes a processor configured to pseudorandomly distribute in a key-dependent manner a first plurality of message bits into a second plurality of bits; a generator coupled to the distributor and configured to generate a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and a transmitter coupled to the generator and configured to transmit the first plurality of message bits and a message authentication code that comprises the third plurality of bits.
  • a method of pseudorandomly distributing bits of a message advantageously includes the steps of calculating a remainder modulo P of a polynomial x , where i is an intended message bit location and P is a cyclic redundancy check polynomial; and, for each bit of the message that is equal to one, performing an exclusive-OR operation, bit by bit, of the CRC bits and the calculated remainder.
  • FIG. 1 is a block diagram of a cellular telephone system.
  • FIG. 2 is a block diagram of a processor and associated memory elements used to generate a message and an associated message authentication code (MAC).
  • MAC message authentication code
  • FIG. 3 is a block diagram of a generator for generating a message and an associated MAC.
  • FIG. 4 is a schematic diagram of registers that could be used in the generator of FIG. 3 to employ a keyed pseudorandom number (PRN) message bit distribution technique.
  • PRN pseudorandom number
  • FIG. 5 is a schematic diagram of a cyclic redundancy check (CRC) generator that could be used in the generator of FIG. 3.
  • CRC cyclic redundancy check
  • FIG. 6 is a flow chart illustrating method steps performed by a generator such as the generator of FIG. 3 to generate a MAC for a message.
  • FIG. 7 is a flow chart illustrating method steps performed by a generator such as the generator of FIG. 3 to generate a MAC for a message.
  • exemplary embodiments described hereinbelow reside in a wireless telephony communication system configured to employ a CDMA over-the-air interface. Nevertheless, it would be understood by those skilled in the art that a MAC generation method and apparatus embodying features of the instant invention may reside in any of various communication systems employing a wide range of technologies known to those of skill in the art.
  • a CDMA wireless telephone system generally includes a plurality of mobile subscriber units 10, a plurality of base stations 12, base station controllers (BSCs) 14, and a mobile switching center (MSC) 16.
  • the MSC 16 is configured to interface with a conventional public switch telephone network (PSTN) 18.
  • PSTN public switch telephone network
  • the MSC 16 is also configured to interface with the BSCs 14.
  • the BSCs 14 are coupled to the base stations 12 via backhaul lines.
  • the backhaul lines may be configured to support any of several known interfaces including, e.g., El /Tl, ATM, IP, PPP, Frame Relay, HDSL, ADSL, or xDSL. It is understood that there may be more than two BSCs 14 in the system.
  • Each base station 12 advantageously includes at least one sector (not shown), each sector comprising an omnidirectional antenna or an antenna pointed in a particular direction radially away from the base station 12. Alternatively, each sector may comprise two antennas for diversity reception.
  • Each base station 12 may advantageously be designed to support a plurality of frequency assignments. The intersection of a sector and a frequency assignment may be referred to as a CDMA channel.
  • the base stations 12 may also be known as base station transceiver subsystems (BTSs) 12.
  • BTSs base station transceiver subsystems
  • base station may be used in the industry to refer collectively to a BSC 14 and one or more BTSs 12.
  • the BTSs 12 may also be denoted "cell sites" 12. Alternatively, individual sectors of a given BTS 12 may be referred to as cell sites.
  • the mobile subscriber units 10 are typically cellular or PCS telephones 10.
  • the system is advantageously configured for use in accordance with the IS-95 standard.
  • the base stations 12 receive sets of reverse link signals from sets of mobile units 10.
  • the mobile units 10 are conducting telephone calls or other communications.
  • Each reverse link signal received by a given base station 12 is processed within that base station 12.
  • the resulting data is forwarded to the BSCs 14.
  • the BSCs 14 provides call resource allocation and mobility management functionality including the orchestration of soft handoffs between base stations 12.
  • the BSCs 14 also routes the received data to the MSC 16, which provides additional routing services for interface with the PSTN 18.
  • the PSTN 18 interfaces with the MSC 16
  • the MSC 16 interfaces with the BSCs 14, which in turn control the base stations 12 to transmit sets of forward link signals to sets of mobile units 10.
  • a mechanism 100 for generating a message including a MAC includes a processor 102, a software module 104, and a storage medium 106.
  • the processor 102 is advantageously a microprocessor or a special-purpose processor such as a digital signal processor (DSP), but may in the alternative be any conventional form of processor, controller, microcontroller, or state machine.
  • DSP digital signal processor
  • the processor 102 is coupled to the software module 104, which is advantageously implemented as RAM memory holding software instructions that direct the operation of the processor 102.
  • the software instructions can comprise a software program or a set of microcodes.
  • the RAM memory 104 may be on- board RAM, or the processor 102 and the RAM memory 104 could reside in an ASIC.
  • firmware instructions are substituted for the software module 104.
  • the storage medium 106 is coupled to the processor 102, and is advantageously implemented as a combination of RAM memory and any form of conventional nonvolatile memory such as, e.g., ROM memory.
  • the storage medium 106 is used to implement a linear feedback shift register (LFSR) to generate the MAC, as described hereinbelow, and to store precomputed tables and instructions.
  • LFSR linear feedback shift register
  • the instructions and tables are stored in the ROM memory component while the register is stored in the RAM memory component.
  • the storage medium 106 could be implemented as either a disk memory or a flash memory that is accessible by the processor 102.
  • the storage medium 106 may be implemented as registers.
  • the mechanism 100 may reside in any conventional communications device such as, e.g., the mobile subscriber units 10 or the base stations 12 in the CDMA wireless telephone system of FIG. 1.
  • a generator 200 for generating a message and an associated MAC includes a keyed pseudorandom number (PRN) distributor 202, a cyclic redundancy check (CRC) generator 204, a modulator 206, and a transmitter 208, as shown in FIG. 3.
  • PRN keyed pseudorandom number
  • CRC cyclic redundancy check
  • a modulator 206 a modulator 206
  • transmitter 208 a transmitter 208
  • Message bits of a message, M are provided to the keyed PRN distributor 202.
  • the keyed PRN distributor 202 distributes the message bits pseudorandomly in a key-dependent manner, as described in detail below, into a bit sequence.
  • the bit sequence including the distributed message bits is provided to the CRC generator 204.
  • the CRC generator 204 computes the CRC of the bit sequence including the distributed bits in accordance with any conventional method for CRC calculation as known to those of skill in the art.
  • the CRC generator 204 generates the CRC bits, which will be used as a
  • the MAC bits and the message bits are provided to the modulator 206.
  • the modulator 206 modulates the received bits for transmission on a communication channel.
  • the modulation scheme varies with the communication system and the type of communication channel being used. In one embodiment the modulation scheme is a CDMA scheme and the communication system is the wireless telephone system of FIG. 1.
  • the modulator 206 provides a modulated message and MAC signal to the transmitter 208.
  • the transmitter 208 transmits the modulated message and MAC signal on the communication channel.
  • the CRC of a larger "message” (the bit sequence) is calculated and transmitted as a MAC in which the bits of the original message, M, have been distributed in a key-dependent manner that cannot be predicted by an attacker.
  • small random errors can be detected and corrected by the normal CRC mechanism, while active attacks (i.e., intentional modification of an otherwise legitimate message) have only a limited probability of success.
  • the method of distributing bits of the original message, M, through the larger message varies from message to message.
  • the variation in the distribution method prevents an attacker from gathering messages and thereby gradually increasing the probability of a successful attack.
  • the MAC must guarantee to detect small errors, if two similar messages are transmitted (with, by definition, different MACs) then the MAC on another message which is similar to, but different from, both of the two similar messages must also be different, so that the attacker can choose at random from only 2 L -2 possible MACs, etc.
  • information denoted "salt", S is used to associate information about a particular message, such as, e.g., the time at which the message is transmitted, or a sequence number, with the manner in which the message bits are distributed. This is similar to the fact that a stream cipher should never generate the same stream of output for two different messages, or for two different segments of a single message.
  • uniformly distributed PRNs are generated to control the distribution of message bits within the larger message.
  • the uniformly distributed PRNs are advantageously derived from the shared secret key, K, and the salt, S, in a manner that is unpredictable to the attacker.
  • the output of a stream cipher called SOBER is used as a source of the PRNs.
  • SOBER stream cipher is described in U.S. Application Serial No. 09/246,366, entitled METHOD AND APPARATUS FOR GENERATING ENCRYPTION STREAM CIPHERS, filed February 8, 1999, and assigned to the assignee of the present invention.
  • Stream ciphers are pseudorandomly generated bit streams that are exclusive-OR'ed (XORed), bit by bit, with respective bits of a message to be transmitted, thereby generating an encrypted message. When the encrypted message is received, it is XORed with the same stream cipher in order to produce the original message.
  • other forms of PRN generator may be substituted for the stream cipher.
  • PRN generators that provide less security than a stream cipher could be used in place of the stream cipher.
  • the bits of a message M 300 are distributed under the control of a keyed PRN generator (not shown) by starting at some offset in a larger message 302 and placing bits sequentially, skipping an unpredictable number of positions in the larger message 302 between bits.
  • the distribution position starts again at the beginning of the larger message 302.
  • the maximum number of positions skipped between bits of the larger message 302 is advantageously determined so that the distribution position does not completely wrap around, i.e., so that the initial position in the larger message 302 is not reached or passed. This ensures that no two bits of the message M 300 will be distributed to the same position in the larger message 302.
  • the message bits 300 are distributed by dividing the larger message 302 into approximately equal sized blocks, starting at a random offset and wrapping around, and placing one bit at a random position within each block. This distribution technique has the desirable property that the bits will be well distributed throughout the larger message.
  • the bits of the larger message 302 are provided to a CRC generator 304, which calculates the CRC of the received bits.
  • the CRC bits 306 are used as a MAC 306 for the message M 300. It should be pointed out that, as illustrated in connection with other embodiments described below with reference to FIG. 6, it is not necessary to actually create the larger message 302 to achieve the desired effect.
  • the length L m of the CRC /MAC is sixteen bits.
  • the largest message for which the guarantees for error detection apply is 2 16 bits including the CRC itself.
  • the length L M of the input message M 300 is advantageously kept significantly smaller than 2 15 -16 bits. If the larger message 302 is divided into roughly equal sized blocks, in accordance with the second embodiment described above, the length L M of the input message M 300 is advantageously restricted to less than half of 2 15 -16 bits. If bit positions are skipped within the larger message 302, in accordance with the first embodiment described above, the length L M of the input message M 300 is advantageously restricted to less than one-quarter of 2 15 -16 bits.
  • L M -1 bits are placed in the remaining 2 15 -17 positions. If the length L M of the input message, M, is 1520 bits, the maximum distribution spacing or the size of the block would be the greatest integer less than 32751/1519, or twenty-one bits. However the PRN generator can be viewed as producing a stream of bits. Accordingly, it may advantageously be more efficient to use a number that is a power of two, instead of using twenty-one bits. If a power of two is used as maximum distribution spacing or the block size, random numbers in the range zero to fifteen could be generated by taking four bits of output from the PRN generator. The random numbers are then advantageously adjusted to be in the range five to twenty.
  • the average spacing between bits or the size of the blocks must be at least two.
  • the optimal values for the spacing or the block size are the powers of two between 2 2 and 2 4 . Placement of each bit of the message M 300 therefore requires two to four bits of PRN output.
  • message bits are distributed by using a keyed permutation function such as a block cipher to derive new bit positions from the original bit positions.
  • a block cipher with a block size of fourteen bits is employed in conjunction with a random offset position in the larger message 302. It should be noted that the necessity for using a different permutation for each message requires the block cipher to use a different key for each message 300. While this is theoretically possible, it would be inefficient in practice.
  • a CRC generator 400 is implemented as a register that includes sixteen one-bit storage elements 402a-g (only storage elements 402 are shown for the purpose of simplification), three modulo-2 adders 404, 406, 408, and three switches 410, 412, 414.
  • a CRC generator is implemented with a microprocessor running a set of software instructions, advantageously contained in RAM memory, and accessing lookup tables (LUTs), advantageously contained in ROM memory or flash memory, as described above with reference to FIG. 2.
  • LUTs lookup tables
  • the switch 412 may either be set to receive a digital value of zero or be set to receive a value from the modulo-2 adder 408.
  • the switch 414 may either be set to receive a value from the switch 410 or to receive a value from the switch 412 and the modulo-2 adder 408.
  • the modulo-2 adder 404 is located between the fifth one-bit storage element 402c and the sixth one-bit storage element
  • the modulo-2 adder 406 is located between the twelfth one-bit storage element 402e and the thirteenth one-bit storage element 402f.
  • the modulo-2 adder 408 is located after the sixteenth one-bit storage element 402h and is configured to receive a value from the switch 410.
  • the generator polynomial g(x) for the CRC is equal to x lft + x 12 + x 5 + 1, as defined by the placement of the modulo-2 adders 404, 406, 408.
  • the switches 410, 412, 414 are set initially in the "up" positions (as shown in the drawing).
  • the register is clocked k times, where k is defined as the length of the input message plus eight bits.
  • the register is a shift register such that with each clock cycle the bits each move one storage element to the right (as shown in the drawing).
  • the switches 410, 412, 414 are then set to the "down" position (as shown in the drawing).
  • the register is then clocked an additional sixteen times.
  • the sixteen additional output bits comprise the CRC field for the message.
  • the bits are transmitted in the order at which they appear at the output of the CRC generator 400.
  • the input message bits constitute a "larger message.”
  • the CRC field for the larger message serves as a MAC for the message M.
  • the MAC includes the inherent security benefits of a CRC. Because the MAC calculated is actually a CRC, the guarantees about error detection and correction that apply to CRCs apply to the MAC, with the exception of guarantees applying to "burst errors.” Burst error guarantees are violated because consecutive bits are separated during the calculation and therefore no longer form a "burst.”
  • the attacker tries to deduce the secret key, K, allowing the attacker to create forged messages at will.
  • the second kind of attack against a MAC is chosen message.
  • the attacker tries to craft specific messages and somehow contrive for the system to calculate the valid MAC, with a view to recovery of the secret key, K.
  • One possible attack against MACs of any kind is a so-called chosen plaintext attack.
  • the attacker can somehow arrange to have a message transmitted, accompanied with a valid MAC, such that the message has a particular content chosen by the attacker.
  • the attacker might send electronic mail to the recipient, which would eventually be routed through the transmission channel and have a valid MAC computed and attached.
  • the attacker might make such a message consisting of a single "1" bit followed by all "0" bits.
  • the attacker would be able to infer the initial position, and hence some of the output of the PRN generator. This is undesirable, as it may lead to a method of predicting future outputs.
  • one other bit of the larger message is set to one. The other bit is chosen at a random position.
  • the attacker has the alternative of sending a message comprising all zeroes.
  • the observed CRC gives the attacker L m bits of output from the PRN generator, which needs to be secure enough to prevent recovery of the secret key information, K, given this disclosure. If the attacker tries to make a multi-bit alteration to the message in addition to predicting the starting position of the bits, the attacker must also determine the dispersion of the bits. This would allow a smaller probability of success than if done for only a single bit.
  • a CRC computation is performed on a "larger message" to generate a MAC for an input message, M, without actually creating the larger message.
  • M For each bit of the input message, M, to be distributed in the fictitious "larger message,” it is necessary to calculate the remainder modulo P of the polynomial x', where i is the intended position of the message bit in the larger message.
  • the remainder calculation can be added by polynomial addition, i.e., an exclusive-or (XOR) operation, to the existing CRC if the particular bit of the message is a one.
  • the CRC of the all-zero message is zero, so by applying the XOR polynomial addition technique to each of the bits in the input message, M, in turn, the CRC can be calculated without ever creating the larger message, and also by performing only L M calculations.
  • the initial seeding of the input message, M, with a non-zero bit is equivalent to choosing a random starting CRC for the calculation.
  • Calculating x' mod P, where i is in the range 0 .. 32767 (assuming that L m is sixteen) can be done in a variety of ways. In a particular embodiment, a pair of lookup tables (LUTs) is used.
  • i is advantageously expressed in the form 256hi + lo, where hi and lo are the high- order and low-order eight bits of i, respectively.
  • Two LUTs are precalculated to give the results of the CRC calculation x 1M " mod P and x'° mod P, respectively, so that performing an XOR operation on each entry in the first LUT with the corresponding entry in the second LUT is equivalent to calculating the CRC. Accordingly, two LUTs are required, each LUT having 256 16-bit entries, and two table lookups are performed per nonzero bit of the input message, M, to calculate the CRC.
  • a PRN generator generates a MAC for an input message, M, as the CRC of a fictitious "larger message" without creating the larger message in accordance with the algorithm steps illustrated in the flow chart of FIG. 6.
  • L m is sixteen bits and L M is 1520 bits.
  • the notation R n where n is an integer, is used below to indicate that the next n bits of output from the PRN generator (not shown) should be taken.
  • a constant minimum spacing of five bits is employed, and three bits of PRN output are used, giving a spacing between uniformly distributed bits of between five and twelve bits.
  • the variable C denotes the accumulator of the eventual output MAC.
  • the variable K denotes the position of the next bit to be placed in the "larger message.”
  • the variable i denotes the position of the bit in the input message, M.
  • step 500 the generator sets C equal to R 16 , which is equivalent to choosing a random bit position to be set to one. The next sixteen bits of generator output will form the CRC.
  • the generator then proceeds to step 502.
  • step 502 the generator sets K equal to R J5 modulo 32751, which is effectively the position of the first bit of the input message, M, to be distributed.
  • step 504. the generator sets i equal to zero.
  • the generator then proceeds to step 506.
  • step 506 the generator determines whether the bit M[i] (the input message bit currently being distributed) is set to one. If the bit M[i] is not set to one, the generator proceeds to step 508. If, on the other hand, the bit M[i] is set to one, the generator proceeds to step 510. In step 510 the generator calculates x k modulo P, and performs an XOR operation, bit by bit, on C and x k modulo P, in accordance with the polynomial addition technique described above. The new value of C is set equal to the bits resulting from the XOR calculation. The generator then proceeds to step 508.
  • step 508 the generator computes the sum of K, five, and K, (the next three bits of generator output), modulo 32751. The result is set equal to K, so that K is updated to be the location in which the next bit of the input message is to be distributed. This calculation is performed after distribution of the current bit, M[I], in step 510.
  • the generator then proceeds to step 512.
  • step 512 the generator increments i by one.
  • the generator then proceeds to step 514.
  • step 514 the generator determines whether i is greater than 1519. If i is not greater than 1519, the generator returns to step 506 to process the next input message bit, M[i]. If, on the other hand, i is greater than 1519, the generator proceeds to step 516. In step 516 the generator returns the value of C as the MAC for the input message.
  • the calculation performed in step 508 is to compute the sum of K, ten, and R 4 (the next four bits of generator output), modulo 65521. Again, the result is set equal to K.
  • the generator sets K equal to R modulo 65521 in step 502.
  • a primitive polynomial that may be used in accordance with this embodiment is
  • a PRN generator generates a MAC for an input message, M, as the CRC of a fictitious "larger message" without creating the larger message in accordance with the algorithm steps illustrated in the flow chart of FIG. 7.
  • L m is sixteen bits and L M is 1520 bits.
  • the notation R n where n is an integer, is used below to indicate that the next n bits of output from the PRN generator (not shown) should be taken.
  • a constant minimum spacing of five bits is employed, and three bits of PRN output are used, giving a spacing between uniformly distributed bits of between five and twelve bits.
  • the variable C denotes the accumulator of the eventual output MAC.
  • the variable K denotes the position of the next bit to be placed in the "larger message.”
  • the variable i denotes the position of the bit in the input message, M.
  • step 600 the generator sets C equal to R u , which is equivalent to choosing a random bit position to be set to one.
  • the next sixteen bits of generator output will form the CRC.
  • the generator then proceeds to step 602.
  • step 602 the generator sets K equal to R 15 modulo 32751, which is effectively the position of the first bit of the input message, M, to be distributed.
  • step 604. the generator sets i equal to zero.
  • step 606. the generator determines whether the bit M[i] (the input message bit currently being distributed) is set to one. If the bit M[i] is not set to one, the generator proceeds to step 608. If, on the other hand, the bit M[i] is set to one, the generator proceeds to step 610.
  • step 610 the generator calculates x ⁇ modulo P, and performs an XOR operation, bit by bit, on C and x ⁇ modulo P, in accordance with the polynomial addition technique described above.
  • the new value of C is set equal to the bits resulting from the XOR calculation.
  • the generator then proceeds to step 608.
  • step 608 the generator the generator increments i by one. The generator then proceeds to step 612.
  • step 612 the generator determines whether i is greater than 1519. If i is not greater than 1519, the generator proceeds to step 614. If, on the other hand, i is greater than 1519, the generator proceeds to step 616.
  • step 616 the generator returns the value of C as the MAC for the input message.
  • step 614 the generator computes the sum of K, five, and R 3 (the next three bits of generator output), modulo 32751. The result is set equal to K, so that K is updated to be the location in which the next bit of the input message is to be distributed. This calculation of the new bit location is performed when a new bit is about to be distributed.
  • step 606 the generator increments i by one.
  • M[i] the generator determines whether i is greater than 1519. If i is not greater than 1519, the generator proceeds to step 614. If, on the other hand, i is greater than 1519, the generator
  • the calculation performed in step 614 is to compute the sum of K, ten, and R 4 (the next four bits of generator output), modulo 65521. Again, the result is set equal to K.
  • the generator sets K equal to R 16 modulo 65521 in step 602.
  • a primitive polynomial that may be used in accordance with this embodiment is x 16 + x 14 + x 12 + x + x 6 + x 5 + x 2 + X + 1.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • discrete gate or transistor logic discrete hardware components such as, e.g., registers and FIFO
  • processor may advantageously be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • the software module could reside in RAM memory, flash memory, registers, or any other form of writable storage medium known in the art.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Error Detection And Correction (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Detection And Prevention Of Errors In Transmission (AREA)
  • Detection And Correction Of Errors (AREA)

Abstract

A method for generating a message authentication code (MAC) includes the steps of distributing the bits of a message into a larger message in accordance with a pseudorandom number distribution format. The cyclic redundancy check (CRC) bits of the larger message are computed and used as the MAC for the message. The larger message need not be created. The remainder modulo the CRC polynomial of a polynomial xi, where i is the intended bit position in the 'larger message', is calculated. An exclusive-OR(XOR) operation is performed, bit by bit, on the CRC and the calculated remainder to derive the new CRC.

Description

METHOD AND APPARATUS FOR GENERATING A MESSAGE
AUTHENTICATION CODE
BACKGROUND OF THE INVENTION
I. Field of the Invention
The present invention pertains generally to the field of communications, and more particularly to generation of message authentication codes.
II. Background A message authentication code (MAC) is a cryptographically derived item that may be appended to a particular message in order to verify that the message originated from a particular party and was not altered by any other party. It stands to reason that MACs find use in many fields of telecommunications. An exemplary field is wireless communications. The field of wireless communications has many applications including, e.g., cordless telephones, paging, wireless local loops, wireless data applications such as personal digital assistants (PDAs), wireless telephony such as cellular and PCS telephone systems, mobile Internet Protocol (IP) telephony, and satellite communication systems. A particularly important application is wireless telephony for mobile subscribers.
Various over-the-air interfaces have been developed for wireless communication systems including, e.g., frequency division multiple access (FDMA), time division multiple access (TDMA), and code division multiple access (CDMA). In connection therewith, various domestic and international standards have been established including, e.g., Advanced Mobile Phone Service (AMPS), Global System for Mobile Communications (GSM), and Interim Standard 95 (IS-95).
An exemplary wireless telephony communication system is a code division multiple access (CDMA) system. The IS-95 standard and its derivatives, IS-95A, ANSI J-STD-008, IS-95B, proposed third generation standards IS-95C and IS-2000, proposed high-data-rate CDMA standards exclusively for data, etc. (referred to collectively herein as IS-95), are promulgated by the Telecommunication Industry Association (TIA) and other well known standards bodies to specify the use of a CDMA over-the-air interface for cellular or PCS telephony communication systems. Exemplary wireless communication systems configured substantially in accordance with the use of the IS-95 standard are described in U.S. Patent Nos. 5,103,459 and 4,901,307, which are assigned to the assignee of the present invention and fully incorporated herein by reference.
In a typical communication, the MAC m is the output of a function computed with the message M (of length LM) and a shared secret key K known only by the message originator and recipient as the inputs to the function. If the particular function chosen is secure, then an active attacker who can intercept and potentially modify the messages sent can neither discover the key K nor create messages that will be accepted by the recipient as valid with a reasonable probability. If the MAC has a length Lm (in bits), then the attacker could always simply guess a value for m for a desired message, and with a probability of l/2Lm the guess will be correct. Hence, any guarantee of security for a MAC is, by nature, probabilistic. MACs in general provide no better guarantee of detecting an error, whether deliberately or randomly introduced, than this probability. In particular, a single-bit error in a message generally has the same chance of matching the MAC attached to the message as would any other substitution. While this probability is small, it is still significant.
A cyclic redundancy check (CRC) is one example of a well-known error detection-and-correction code (ECC). ECCs are used in many applications in which data transmissions may be corrupted, and when the receiver wants to be able to detect the most common corruptions and correct them. CRCs are efficient to compute, and have useful error detection properties. If the received message M' has an error in any small number of bits, the CRC will guarantee to detect that there has been an error, and in fact will indicate (on the assumption that the error was the smallest possible) which bits were in error. This enables the correction of the error. CRCs are calculated by considering the bits of the message to be the coefficients of a polynomial and calculating the remainder when the polynomial is divided by a polynomial P of degree L. Careful choice of the polynomial P gives the desired error detection and correction properties.
While CRCs are good for detecting the kinds of random errors introduced during transmission, they are useless for preventing any kind of active attack because the attacker can easily calculate the effect on the CRC of any modification of a message. The attacker can also modify the CRC accordingly.
This remains true even if there is some secret information incorporated in the calculation of the CRC but not transmitted with the message. It would be desirable to provide a combined MAC /CRC, i.e., a code that includes a guarantee that small, random errors that would have been detected by the CRC will be detected by the mismatch of the message and its MAC. It would further be advantageous for the code to simultaneously guarantee that an active attacker who does not know the secret information K will not be able to discover K, or "forge" a message with a probability of better than \/(2kA). (It should be noted that, as would be understood by those of skill in the art, the extra "A" in the probability value comes from the fact that the attacker knows, in this case, that the original MAC will not work for a message that is mostly the same as the one the attacker is modifying, so the attacker will choose one of the other possible MACs at random instead.) Thus, there is a need for a method of generating a MAC with guaranteed corruption detection properties.
SUMMARY OF THE INVENTION
The present invention is directed to a method of generating a MAC with guaranteed corruption detection properties. Accordingly, in one aspect of the invention, a method of generating a message authentication code advantageously includes the steps of pseudorandomly distributing in a key- dependent manner a first plurality of message bits into a second plurality of bits; generating a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and transmitting the first plurality of message bits and a message authentication code that comprises the third plurality of bits. In another aspect of the invention, a generator configured to generate a message authentication code advantageously includes means for pseudorandomly distributing in a key-dependent manner a first plurality of message bits into a second plurality of bits; means for generating a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and means for transmitting the first plurality of message bits and a message authentication code that comprises the third plurality of bits.
In another aspect of the invention, a generator configured to generate a message authentication code advantageously includes a processor configured to pseudorandomly distribute in a key-dependent manner a first plurality of message bits into a second plurality of bits; a generator coupled to the distributor and configured to generate a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and a transmitter coupled to the generator and configured to transmit the first plurality of message bits and a message authentication code that comprises the third plurality of bits.
In an embodiment of the invention, a method of pseudorandomly distributing bits of a message advantageously includes the steps of calculating a remainder modulo P of a polynomial x , where i is an intended message bit location and P is a cyclic redundancy check polynomial; and, for each bit of the message that is equal to one, performing an exclusive-OR operation, bit by bit, of the CRC bits and the calculated remainder.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a cellular telephone system. FIG. 2 is a block diagram of a processor and associated memory elements used to generate a message and an associated message authentication code (MAC).
FIG. 3 is a block diagram of a generator for generating a message and an associated MAC. FIG. 4 is a schematic diagram of registers that could be used in the generator of FIG. 3 to employ a keyed pseudorandom number (PRN) message bit distribution technique.
FIG. 5 is a schematic diagram of a cyclic redundancy check (CRC) generator that could be used in the generator of FIG. 3.
FIG. 6 is a flow chart illustrating method steps performed by a generator such as the generator of FIG. 3 to generate a MAC for a message.
FIG. 7 is a flow chart illustrating method steps performed by a generator such as the generator of FIG. 3 to generate a MAC for a message.
DETAILED DESCRIPTION OF THE PREFERRED
EMBODIMENTS
The exemplary embodiments described hereinbelow reside in a wireless telephony communication system configured to employ a CDMA over-the-air interface. Nevertheless, it would be understood by those skilled in the art that a MAC generation method and apparatus embodying features of the instant invention may reside in any of various communication systems employing a wide range of technologies known to those of skill in the art.
As illustrated in FIG. 1, a CDMA wireless telephone system generally includes a plurality of mobile subscriber units 10, a plurality of base stations 12, base station controllers (BSCs) 14, and a mobile switching center (MSC) 16. The MSC 16 is configured to interface with a conventional public switch telephone network (PSTN) 18. The MSC 16 is also configured to interface with the BSCs 14. The BSCs 14 are coupled to the base stations 12 via backhaul lines. The backhaul lines may be configured to support any of several known interfaces including, e.g., El /Tl, ATM, IP, PPP, Frame Relay, HDSL, ADSL, or xDSL. It is understood that there may be more than two BSCs 14 in the system. Each base station 12 advantageously includes at least one sector (not shown), each sector comprising an omnidirectional antenna or an antenna pointed in a particular direction radially away from the base station 12. Alternatively, each sector may comprise two antennas for diversity reception. Each base station 12 may advantageously be designed to support a plurality of frequency assignments. The intersection of a sector and a frequency assignment may be referred to as a CDMA channel. The base stations 12 may also be known as base station transceiver subsystems (BTSs) 12. Alternatively, "base station" may be used in the industry to refer collectively to a BSC 14 and one or more BTSs 12. The BTSs 12 may also be denoted "cell sites" 12. Alternatively, individual sectors of a given BTS 12 may be referred to as cell sites. The mobile subscriber units 10 are typically cellular or PCS telephones 10. The system is advantageously configured for use in accordance with the IS-95 standard. During typical operation of the cellular telephone system, the base stations 12 receive sets of reverse link signals from sets of mobile units 10. The mobile units 10 are conducting telephone calls or other communications. Each reverse link signal received by a given base station 12 is processed within that base station 12. The resulting data is forwarded to the BSCs 14. The BSCs 14 provides call resource allocation and mobility management functionality including the orchestration of soft handoffs between base stations 12. The BSCs 14 also routes the received data to the MSC 16, which provides additional routing services for interface with the PSTN 18. Similarly, the PSTN 18 interfaces with the MSC 16, and the MSC 16 interfaces with the BSCs 14, which in turn control the base stations 12 to transmit sets of forward link signals to sets of mobile units 10.
In accordance with one embodiment, as shown in FIG. 2, a mechanism 100 for generating a message including a MAC includes a processor 102, a software module 104, and a storage medium 106. The processor 102 is advantageously a microprocessor or a special-purpose processor such as a digital signal processor (DSP), but may in the alternative be any conventional form of processor, controller, microcontroller, or state machine. The processor 102 is coupled to the software module 104, which is advantageously implemented as RAM memory holding software instructions that direct the operation of the processor 102. The software instructions can comprise a software program or a set of microcodes. The RAM memory 104 may be on- board RAM, or the processor 102 and the RAM memory 104 could reside in an ASIC. In an alternate embodiment, firmware instructions are substituted for the software module 104. The storage medium 106 is coupled to the processor 102, and is advantageously implemented as a combination of RAM memory and any form of conventional nonvolatile memory such as, e.g., ROM memory. The storage medium 106 is used to implement a linear feedback shift register (LFSR) to generate the MAC, as described hereinbelow, and to store precomputed tables and instructions. For example, the instructions and tables are stored in the ROM memory component while the register is stored in the RAM memory component. In the alternative, the storage medium 106 could be implemented as either a disk memory or a flash memory that is accessible by the processor 102. In the alternative, the storage medium 106 may be implemented as registers. The mechanism 100 may reside in any conventional communications device such as, e.g., the mobile subscriber units 10 or the base stations 12 in the CDMA wireless telephone system of FIG. 1.
In one embodiment a generator 200 for generating a message and an associated MAC includes a keyed pseudorandom number (PRN) distributor 202, a cyclic redundancy check (CRC) generator 204, a modulator 206, and a transmitter 208, as shown in FIG. 3. Message bits of a message, M, are provided to the keyed PRN distributor 202. The keyed PRN distributor 202 distributes the message bits pseudorandomly in a key-dependent manner, as described in detail below, into a bit sequence. The bit sequence including the distributed message bits is provided to the CRC generator 204. The CRC generator 204 computes the CRC of the bit sequence including the distributed bits in accordance with any conventional method for CRC calculation as known to those of skill in the art.
The CRC generator 204 generates the CRC bits, which will be used as a
MAC for the message bits. The MAC bits and the message bits are provided to the modulator 206. The modulator 206 modulates the received bits for transmission on a communication channel. The modulation scheme varies with the communication system and the type of communication channel being used. In one embodiment the modulation scheme is a CDMA scheme and the communication system is the wireless telephone system of FIG. 1. The modulator 206 provides a modulated message and MAC signal to the transmitter 208. The transmitter 208 transmits the modulated message and MAC signal on the communication channel.
In accordance with the embodiment described with reference to FIG. 3, the CRC of a larger "message" (the bit sequence) is calculated and transmitted as a MAC in which the bits of the original message, M, have been distributed in a key-dependent manner that cannot be predicted by an attacker. Thus, small random errors can be detected and corrected by the normal CRC mechanism, while active attacks (i.e., intentional modification of an otherwise legitimate message) have only a limited probability of success.
Advantageously, the method of distributing bits of the original message, M, through the larger message varies from message to message. The variation in the distribution method prevents an attacker from gathering messages and thereby gradually increasing the probability of a successful attack. Because the MAC must guarantee to detect small errors, if two similar messages are transmitted (with, by definition, different MACs) then the MAC on another message which is similar to, but different from, both of the two similar messages must also be different, so that the attacker can choose at random from only 2L-2 possible MACs, etc. Advantageously, information denoted "salt", S, is used to associate information about a particular message, such as, e.g., the time at which the message is transmitted, or a sequence number, with the manner in which the message bits are distributed. This is similar to the fact that a stream cipher should never generate the same stream of output for two different messages, or for two different segments of a single message.
Accordingly, it is necessary to distribute the bits from the original message, M, in the larger "message" in a manner that is unpredictable to the attacker and does not help the attacker discover information about the shared secret key, K. Thus, in accordance with the embodiment described with reference to FIG. 3, uniformly distributed PRNs are generated to control the distribution of message bits within the larger message. The uniformly distributed PRNs are advantageously derived from the shared secret key, K, and the salt, S, in a manner that is unpredictable to the attacker.
In an exemplary embodiment, the output of a stream cipher called SOBER is used as a source of the PRNs. The SOBER stream cipher is described in U.S. Application Serial No. 09/246,366, entitled METHOD AND APPARATUS FOR GENERATING ENCRYPTION STREAM CIPHERS, filed February 8, 1999, and assigned to the assignee of the present invention. Stream ciphers are pseudorandomly generated bit streams that are exclusive-OR'ed (XORed), bit by bit, with respective bits of a message to be transmitted, thereby generating an encrypted message. When the encrypted message is received, it is XORed with the same stream cipher in order to produce the original message. In alternate embodiments, other forms of PRN generator may be substituted for the stream cipher. In particular, PRN generators that provide less security than a stream cipher could be used in place of the stream cipher.
In one embodiment, as illustrated in FIG. 4, the bits of a message M 300 are distributed under the control of a keyed PRN generator (not shown) by starting at some offset in a larger message 302 and placing bits sequentially, skipping an unpredictable number of positions in the larger message 302 between bits. When, or if, the end of the larger message 302 is encountered, the distribution position starts again at the beginning of the larger message 302. The maximum number of positions skipped between bits of the larger message 302 is advantageously determined so that the distribution position does not completely wrap around, i.e., so that the initial position in the larger message 302 is not reached or passed. This ensures that no two bits of the message M 300 will be distributed to the same position in the larger message 302. If two bits were distributed to the same position in the larger message 302, a simultaneous change to both of these bits would cancel out, and not be detected, which would not achieve the goal. To allow for the worst case, wherein every gap between distributed bits is maximum length, the maximum gap length must be limited. However the average gap length is only half as long as the maximum gap length. Therefore, on average, the message bits are distributed only within half of the larger message. This distribution technique advantageously provides ample security and relative ease of implementation.
In another embodiment the message bits 300 are distributed by dividing the larger message 302 into approximately equal sized blocks, starting at a random offset and wrapping around, and placing one bit at a random position within each block. This distribution technique has the desirable property that the bits will be well distributed throughout the larger message.
The bits of the larger message 302 are provided to a CRC generator 304, which calculates the CRC of the received bits. The CRC bits 306 are used as a MAC 306 for the message M 300. It should be pointed out that, as illustrated in connection with other embodiments described below with reference to FIG. 6, it is not necessary to actually create the larger message 302 to achieve the desired effect. In an exemplary embodiment, the length Lm of the CRC /MAC is sixteen bits. The largest message for which the guarantees for error detection apply is 216 bits including the CRC itself. (If (1+x) multiplied by a primitive polynomial were used as the generator for the CRC, the largest message length would be 215-1 bits.) The length LM of the input message M 300 is advantageously kept significantly smaller than 215-16 bits. If the larger message 302 is divided into roughly equal sized blocks, in accordance with the second embodiment described above, the length LM of the input message M 300 is advantageously restricted to less than half of 215-16 bits. If bit positions are skipped within the larger message 302, in accordance with the first embodiment described above, the length LM of the input message M 300 is advantageously restricted to less than one-quarter of 215-16 bits.
After the first bit of the message M 300 has been placed, the remaining
LM-1 bits are placed in the remaining 215-17 positions. If the length LM of the input message, M, is 1520 bits, the maximum distribution spacing or the size of the block would be the greatest integer less than 32751/1519, or twenty-one bits. However the PRN generator can be viewed as producing a stream of bits. Accordingly, it may advantageously be more efficient to use a number that is a power of two, instead of using twenty-one bits. If a power of two is used as maximum distribution spacing or the block size, random numbers in the range zero to fifteen could be generated by taking four bits of output from the PRN generator. The random numbers are then advantageously adjusted to be in the range five to twenty. It would be understood by those of skill in the art that the average spacing between bits or the size of the blocks must be at least two. Hence, the optimal values for the spacing or the block size are the powers of two between 22 and 24. Placement of each bit of the message M 300 therefore requires two to four bits of PRN output.
As described further below, it may be advantageous to spread the bits further apart, even if the uncertainty in the position of the bits is limited by accepting less output from the PRN generator. A minimum spread size or minimum block size, whether constant or variable, could be used. In another embodiment, message bits are distributed by using a keyed permutation function such as a block cipher to derive new bit positions from the original bit positions. In a particular embodiment, a block cipher with a block size of fourteen bits is employed in conjunction with a random offset position in the larger message 302. It should be noted that the necessity for using a different permutation for each message requires the block cipher to use a different key for each message 300. While this is theoretically possible, it would be inefficient in practice.
In one embodiment, illustrated in FIG. 5, a CRC generator 400 is implemented as a register that includes sixteen one-bit storage elements 402a-g (only storage elements 402 are shown for the purpose of simplification), three modulo-2 adders 404, 406, 408, and three switches 410, 412, 414. In an alternate embodiment a CRC generator is implemented with a microprocessor running a set of software instructions, advantageously contained in RAM memory, and accessing lookup tables (LUTs), advantageously contained in ROM memory or flash memory, as described above with reference to FIG. 2. In the CRC generator 400, input message bits are provided to the switch
410, which may either be set to receive the input message bits or be set to receive a digital value of one. The switch 412 may either be set to receive a digital value of zero or be set to receive a value from the modulo-2 adder 408. The switch 414 may either be set to receive a value from the switch 410 or to receive a value from the switch 412 and the modulo-2 adder 408. An output
CRC is taken from the switch 414. The modulo-2 adder 404 is located between the fifth one-bit storage element 402c and the sixth one-bit storage element
402d. The modulo-2 adder 406 is located between the twelfth one-bit storage element 402e and the thirteenth one-bit storage element 402f. The modulo-2 adder 408 is located after the sixteenth one-bit storage element 402h and is configured to receive a value from the switch 410. The generator polynomial g(x) for the CRC is equal to xlft + x12 + x5 + 1, as defined by the placement of the modulo-2 adders 404, 406, 408. In operation the switches 410, 412, 414 are set initially in the "up" positions (as shown in the drawing). The register is clocked k times, where k is defined as the length of the input message plus eight bits. The register is a shift register such that with each clock cycle the bits each move one storage element to the right (as shown in the drawing). The switches 410, 412, 414 are then set to the "down" position (as shown in the drawing). The register is then clocked an additional sixteen times. The sixteen additional output bits comprise the CRC field for the message. The bits are transmitted in the order at which they appear at the output of the CRC generator 400.
The input message bits constitute a "larger message." The CRC field for the larger message serves as a MAC for the message M. Advantageously then, the MAC includes the inherent security benefits of a CRC. Because the MAC calculated is actually a CRC, the guarantees about error detection and correction that apply to CRCs apply to the MAC, with the exception of guarantees applying to "burst errors." Burst error guarantees are violated because consecutive bits are separated during the calculation and therefore no longer form a "burst." There are essentially two kinds of attacks against MACs. The first kind of attack against a MAC is theft of service. The attacker tries to create a message with a valid MAC, having observed other valid messages. Alternatively, the attacker tries to deduce the secret key, K, allowing the attacker to create forged messages at will. The second kind of attack against a MAC is chosen message. The attacker tries to craft specific messages and somehow contrive for the system to calculate the valid MAC, with a view to recovery of the secret key, K.
An attacker wishing to make a single bit alteration to a message with a valid MAC would need to be able to calculate the corresponding alteration to the CRC; this in turn requires being able to predict the position of the bit in the expanded message. Since there are just under 2L_1 possible positions of the bit, the attacker can do only slightly better than just guessing the MAC.
One possible attack against MACs of any kind is a so-called chosen plaintext attack. In this type of attack, the attacker can somehow arrange to have a message transmitted, accompanied with a valid MAC, such that the message has a particular content chosen by the attacker. For example, the attacker might send electronic mail to the recipient, which would eventually be routed through the transmission channel and have a valid MAC computed and attached. The attacker might make such a message consisting of a single "1" bit followed by all "0" bits. By observing the calculated CRC, the attacker would be able to infer the initial position, and hence some of the output of the PRN generator. This is undesirable, as it may lead to a method of predicting future outputs. Accordingly, in one embodiment, one other bit of the larger message is set to one. The other bit is chosen at a random position.
The attacker has the alternative of sending a message comprising all zeroes. The observed CRC gives the attacker Lm bits of output from the PRN generator, which needs to be secure enough to prevent recovery of the secret key information, K, given this disclosure. If the attacker tries to make a multi-bit alteration to the message in addition to predicting the starting position of the bits, the attacker must also determine the dispersion of the bits. This would allow a smaller probability of success than if done for only a single bit.
There remains one modification attack that is applicable. If the attacker can make a change that will be spread out into a pattern that is a multiple of the CRC polynomial, there will be no effect on the calculated MAC. This effectively nullifies the unpredictability of the initial position of the bits. If it is desirable to use a small number of stream cipher bits, it is advantageous to choose the method of spreading the bits with consideration for the particular CRC polynomial, so as to make this type of attack impossible for small multiples of the polynomial and statistically difficult for large multiples of the polynomial.
In one embodiment a CRC computation is performed on a "larger message" to generate a MAC for an input message, M, without actually creating the larger message. For each bit of the input message, M, to be distributed in the fictitious "larger message," it is necessary to calculate the remainder modulo P of the polynomial x', where i is the intended position of the message bit in the larger message. Because the CRC is linear, the remainder calculation can be added by polynomial addition, i.e., an exclusive-or (XOR) operation, to the existing CRC if the particular bit of the message is a one. The CRC of the all-zero message is zero, so by applying the XOR polynomial addition technique to each of the bits in the input message, M, in turn, the CRC can be calculated without ever creating the larger message, and also by performing only LM calculations. Similarly, the initial seeding of the input message, M, with a non-zero bit is equivalent to choosing a random starting CRC for the calculation. Calculating x' mod P, where i is in the range 0 .. 32767 (assuming that Lm is sixteen) can be done in a variety of ways. In a particular embodiment, a pair of lookup tables (LUTs) is used. It should be pointed out that a single LUT that gave the CRC corresponding to each possible value of i in the above equation would suffice, but would require 216 16-bit table entries. Instead, i is advantageously expressed in the form 256hi + lo, where hi and lo are the high- order and low-order eight bits of i, respectively. Two LUTs are precalculated to give the results of the CRC calculation x1M" mod P and x'° mod P, respectively, so that performing an XOR operation on each entry in the first LUT with the corresponding entry in the second LUT is equivalent to calculating the CRC. Accordingly, two LUTs are required, each LUT having 256 16-bit entries, and two table lookups are performed per nonzero bit of the input message, M, to calculate the CRC.
It may also be advantageous in a software implementation to note that as the bits are being distributed through the larger message, hi does not change very rapidly, so that repeated lookups of the same value would cancel each other out. All that would actually count in the final result would be whether each value of hi was used an odd number of times.
In one embodiment a PRN generator generates a MAC for an input message, M, as the CRC of a fictitious "larger message" without creating the larger message in accordance with the algorithm steps illustrated in the flow chart of FIG. 6. In this particular embodiment, Lm is sixteen bits and LM is 1520 bits. The CRC polynomial, P, is the 16-bit CRC-CCITT polynomial P(x) = x16 + xn + x5 + 1. Specific LUTs for looking up the CRC values may be readily calculated, as understood by those of skill in the art. The notation Rn, where n is an integer, is used below to indicate that the next n bits of output from the PRN generator (not shown) should be taken. In this particular embodiment, a constant minimum spacing of five bits is employed, and three bits of PRN output are used, giving a spacing between uniformly distributed bits of between five and twelve bits. The variable C denotes the accumulator of the eventual output MAC. The variable K denotes the position of the next bit to be placed in the "larger message." The variable i denotes the position of the bit in the input message, M.
In step 500 the generator sets C equal to R16, which is equivalent to choosing a random bit position to be set to one. The next sixteen bits of generator output will form the CRC. The generator then proceeds to step 502. In step 502 the generator sets K equal to RJ5 modulo 32751, which is effectively the position of the first bit of the input message, M, to be distributed. The generator then proceeds to step 504. In step 504 the generator sets i equal to zero. The generator then proceeds to step 506.
In step 506 the generator determines whether the bit M[i] (the input message bit currently being distributed) is set to one. If the bit M[i] is not set to one, the generator proceeds to step 508. If, on the other hand, the bit M[i] is set to one, the generator proceeds to step 510. In step 510 the generator calculates xk modulo P, and performs an XOR operation, bit by bit, on C and xk modulo P, in accordance with the polynomial addition technique described above. The new value of C is set equal to the bits resulting from the XOR calculation. The generator then proceeds to step 508.
In step 508 the generator computes the sum of K, five, and K, (the next three bits of generator output), modulo 32751. The result is set equal to K, so that K is updated to be the location in which the next bit of the input message is to be distributed. This calculation is performed after distribution of the current bit, M[I], in step 510. The generator then proceeds to step 512. In step 512 the generator increments i by one. The generator then proceeds to step 514. In step 514 the generator determines whether i is greater than 1519. If i is not greater than 1519, the generator returns to step 506 to process the next input message bit, M[i]. If, on the other hand, i is greater than 1519, the generator proceeds to step 516. In step 516 the generator returns the value of C as the MAC for the input message.
In an alternate embodiment, the calculation performed in step 508 is to compute the sum of K, ten, and R4 (the next four bits of generator output), modulo 65521. Again, the result is set equal to K. In accordance with this embodiment, the generator sets K equal to R modulo 65521 in step 502. A primitive polynomial that may be used in accordance with this embodiment is
X + X + X + X + X + X + X + X + 1.
In another embodiment a PRN generator generates a MAC for an input message, M, as the CRC of a fictitious "larger message" without creating the larger message in accordance with the algorithm steps illustrated in the flow chart of FIG. 7. In this particular embodiment, Lm is sixteen bits and LM is 1520 bits. The CRC polynomial, P, is the 16-bit CRC-CCITT polynomial P(x) = xLb + x 2 + x5 + 1. Specific LUTs for looking up the CRC values may be readily calculated, as understood by those of skill in the art. The notation Rn, where n is an integer, is used below to indicate that the next n bits of output from the PRN generator (not shown) should be taken. In this particular embodiment, a constant minimum spacing of five bits is employed, and three bits of PRN output are used, giving a spacing between uniformly distributed bits of between five and twelve bits. The variable C denotes the accumulator of the eventual output MAC. The variable K denotes the position of the next bit to be placed in the "larger message." The variable i denotes the position of the bit in the input message, M.
In step 600 the generator sets C equal to Ru, which is equivalent to choosing a random bit position to be set to one. The next sixteen bits of generator output will form the CRC. The generator then proceeds to step 602. In step 602 the generator sets K equal to R15 modulo 32751, which is effectively the position of the first bit of the input message, M, to be distributed. The generator then proceeds to step 604. In step 604 the generator sets i equal to zero. The generator then proceeds to step 606. In step 606 the generator determines whether the bit M[i] (the input message bit currently being distributed) is set to one. If the bit M[i] is not set to one, the generator proceeds to step 608. If, on the other hand, the bit M[i] is set to one, the generator proceeds to step 610. In step 610 the generator calculates xκ modulo P, and performs an XOR operation, bit by bit, on C and xκ modulo P, in accordance with the polynomial addition technique described above. The new value of C is set equal to the bits resulting from the XOR calculation. The generator then proceeds to step 608.
In step 608 the generator the generator increments i by one. The generator then proceeds to step 612. In step 612 the generator determines whether i is greater than 1519. If i is not greater than 1519, the generator proceeds to step 614. If, on the other hand, i is greater than 1519, the generator proceeds to step 616. In step 616 the generator returns the value of C as the MAC for the input message. In step 614 the generator computes the sum of K, five, and R3 (the next three bits of generator output), modulo 32751. The result is set equal to K, so that K is updated to be the location in which the next bit of the input message is to be distributed. This calculation of the new bit location is performed when a new bit is about to be distributed. After performing the calculation of step 614, the generator returns to step 606 to process the next input message bit, M[i].
In an alternate embodiment, the calculation performed in step 614 is to compute the sum of K, ten, and R4 (the next four bits of generator output), modulo 65521. Again, the result is set equal to K. In accordance with this embodiment, the generator sets K equal to R16 modulo 65521 in step 602. A primitive polynomial that may be used in accordance with this embodiment is x16 + x14 + x12 + x + x6 + x5 + x2 + X + 1. Thus, a novel method and apparatus for generating a MAC have been described. Those of skill in the art would understand that the various illustrative logical blocks and algorithm steps described in connection with the embodiments disclosed herein may be implemented or performed with a digital signal processor (DSP), an application specific integrated circuit (ASIC), discrete gate or transistor logic, discrete hardware components such as, e.g., registers and FIFO, a processor executing a set of firmware instructions, or any conventional programmable software module and a processor. The processor may advantageously be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. The software module could reside in RAM memory, flash memory, registers, or any other form of writable storage medium known in the art. Those of skill would further appreciate that the data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description are advantageously represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof. Preferred embodiments of the present invention have thus been shown and described. It would be apparent to one of ordinary skill in the art, however, that numerous alterations may be made to the embodiments herein disclosed without departing from the spirit or scope of the invention. Therefore, the present invention is not to be limited except in accordance with the following claims.
What is claimed is:

Claims

1. A method of generating a message authentication code, comprising the steps of: pseudorandomly distributing in a key-dependent manner a first plurality of message bits into a second plurality of bits; generating a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and transmitting the first plurality of message bits and a message authentication code that comprises the third plurality of bits.
2. The method of claim 1, wherein the generating step is performed with a microprocessor, lookup tables accessible by the microprocessor, and a set of software instructions executable by the microprocessor.
3. The method of claim 1, wherein the generating step is performed with a shift register.
4. The method of claim 1, wherein the pseudorandomly distributing step comprises the steps of: placing a first bit of the first plurality of bits into an offset bit location in the second plurality of bits; and skipping an unpredictable number of bit locations in the second plurality of bits from the offset bit location.
5. The method of claim 4, further comprising the step of putting a next bit of the first plurality of bits into an initial bit location of the second plurality of bits.
6. The method of claim 4, further comprising the step of determining a maximum number of bit locations skipped in the skipping step so that an initial bit location of the second plurality of bits is not reached or passed.
7. The method of claim 4, wherein the number of bit locations skipped in the skipping step is a power of two between four and sixteen, inclusive.
8. The method of claim 1, wherein the pseudorandomly distributing step comprises the steps of: dividing the second plurality of bits into blocks of approximately uniform block size; and placing the first plurality of bits into random bit locations within each block, with one bit being placed into each block.
9. The method of claim 8, wherein the uniform block size is a power of two between four and sixteen, inclusive.
10. The method of claim 1, wherein the pseudorandomly distributing step comprises the step of deriving new bit locations from original bit locations of the first plurality of bits in the second plurality of bits with a keyed permutation function.
11. The method of claim 1, wherein the pseudorandomly distributing step comprises the steps of: calculating a remainder modulo P of a polynomial x', where i is an intended bit location in the second plurality of bits and P is a cyclic redundancy check polynomial derived from the third plurality of bits; and for each bit of the first plurality of bits that is equal to one, performing an exclusive-OR operation, bit by bit, of the third plurality of bits and the calculated remainder.
12. A generator configured to generate a message authentication code, comprising: means for pseudorandomly distributing in a key-dependent manner a first plurality of message bits into a second plurality of bits; means for generating a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and means for transmitting the first plurality of message bits and a message authentication code that comprises the third plurality of bits.
13. The generator of claim 12, wherein the means for generating comprises a microprocessor, lookup tables accessible by the microprocessor, and a set of software instructions executable by the microprocessor.
14. The generator of claim 12, wherein the means for generating comprises a shift register.
15. The generator of claim 12, wherein the means for pseudorandomly distributing comprises: means for placing a first bit of the first plurality of bits into an offset bit location in the second plurality of bits; and means for skipping an unpredictable number of bit locations in the second plurality of bits from the offset bit location.
16. The generator of claim 15, further comprising means for putting a next bit of the first plurality of bits into an initial bit location of the second plurality of bits.
17. The generator of claim 15, further comprising means for determining a maximum number of bit locations skipped so that an initial bit location of the second plurality of bits is not reached or passed.
18. The generator of claim 15, wherein the number of bit locations skipped is a power of two between four and sixteen, inclusive.
19. The generator of claim 12, wherein the means for pseudorandomly distributing comprises: means for dividing the second plurality of bits into blocks of approximately uniform block size; and means for placing the first plurality of bits into random bit locations within each block, with one bit being placed into each block.
20. The generator of claim 19, wherein the uniform block size is a power of two between four and sixteen, inclusive.
21. The generator of claim 12, wherein the means for pseudorandomly distributing comprises means for deriving new bit locations from original bit locations of the first plurality of bits in the second plurality of bits with a keyed permutation function.
22. The generator of claim 12, wherein the means for pseudorandomly distributing comprises: means for calculating a remainder modulo P of a polynomial x', where i is an intended bit location in the second plurality of bits and P is a cyclic redundancy check polynomial derived from the third plurality of bits; and means, for each bit of the first plurality of bits that is equal to one, for performing an exclusive-OR operation, bit by bit, of the third plurality of bits and the calculated remainder.
23. A generator configured to generate a message authentication code, comprising: a processor configured to pseudorandomly distribute in a key- dependent manner a first plurality of message bits into a second plurality of bits; a generator coupled to the distributor and configured to generate a third plurality of bits that comprises a cyclic redundancy check of the second plurality of bits; and a transmitter coupled to the generator and configured to transmit the first plurality of message bits and a message authentication code that comprises the third plurality of bits.
24. The generator of claim 23, wherein the generator comprises lookup tables accessible by the microprocessor, and a set of software instructions stored in a memory element and executable by the microprocessor.
25. The generator of claim 23, wherein the generator comprises a shift register.
26. The generator of claim 23, wherein the processor is further configured to place a first bit of the first plurality of bits into an offset bit location in the second plurality of bits, and to skip an unpredictable number of bit locations in the second plurality of bits from the offset bit location.
27. The generator of claim 26, wherein the processor is further configured to put a next bit of the first plurality of bits into an initial bit location of the second plurality of bits.
28. The generator of claim 23, wherein the processor is further configured to divide the second plurality of bits into blocks of approximately uniform block size, and to place the first plurality of bits into random bit locations within each block, with one bit being placed into each block.
29. The generator of claim 23, wherein the processor comprises a calculator configured to calculate a remainder modulo P of a polynomial x, where i is an intended bit location in the second plurality of bits and P is a cyclic redundancy check polynomial derived from the third plurality of bits, and a polynomial adder configured to perform, for each bit of the first plurality of bits that is equal to one, an exclusive-OR operation, bit by bit, of the third plurality of bits and the calculated remainder.
PCT/US2000/021589 1999-08-09 2000-08-07 Method and apparatus for generating a message authentication code WO2001011818A2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
JP2001515574A JP2003506750A (en) 1999-08-09 2000-08-07 Method and apparatus for generating a message authentication code
AU66250/00A AU6625000A (en) 1999-08-09 2000-08-07 Method and apparatus for generating a message authentication code
EP00953877A EP1210790A2 (en) 1999-08-09 2000-08-07 Method and apparatus for generating a message authentication code
KR1020027001766A KR20020026370A (en) 1999-08-09 2000-08-07 Method and apparatus for generating a message authentication code
HK02108158.9A HK1046795B (en) 1999-08-09 2002-11-11 Method and apparatus for generating a message authentication code

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US37114799A 1999-08-09 1999-08-09
US09/371,147 1999-08-09

Publications (2)

Publication Number Publication Date
WO2001011818A2 true WO2001011818A2 (en) 2001-02-15
WO2001011818A3 WO2001011818A3 (en) 2001-06-07

Family

ID=23462682

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/021589 WO2001011818A2 (en) 1999-08-09 2000-08-07 Method and apparatus for generating a message authentication code

Country Status (7)

Country Link
EP (1) EP1210790A2 (en)
JP (1) JP2003506750A (en)
KR (1) KR20020026370A (en)
CN (1) CN1163018C (en)
AU (1) AU6625000A (en)
HK (1) HK1046795B (en)
WO (1) WO2001011818A2 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2839594A1 (en) * 2002-05-10 2003-11-14 Radio Systemes Ingenierie Intruder protection secure radio frequency transmission having intermediate base digital word/header encryption with encryption key and second decoding calculation coding based and message only accepted where decoding correct
WO2004038999A1 (en) * 2002-10-24 2004-05-06 Telefonaktiebolaget Lm Ericsson (Publ) Message authentication code based on error correcting code
WO2004100445A3 (en) * 2003-05-07 2005-02-24 Matsushita Electric Ind Co Ltd Transmission/reception system using message authentication code
US6941461B2 (en) * 2000-05-12 2005-09-06 International Business Machines Corporation System and method of uniquely authenticating each replication of a group of soft-copy documents
WO2004099976A3 (en) * 2003-05-12 2005-09-15 Ibm Instruction for computing a security message authentication code
US7103754B2 (en) 2003-03-28 2006-09-05 International Business Machines Corporation Computer instructions for having extended signed displacement fields for finding instruction operands
US7159122B2 (en) 2003-05-12 2007-01-02 International Business Machines Corporation Message digest instructions
US7257718B2 (en) 2003-05-12 2007-08-14 International Business Machines Corporation Cipher message assist instructions
WO2008034998A1 (en) * 2006-09-18 2008-03-27 France Telecom Improvement of the resistance to cryptanalytic attacks of a hash function
US8516258B2 (en) 2005-03-01 2013-08-20 Nxp B.V. Generator for generating a message authentication code, method of generating a message authentication code, program element and computer-readable medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9455962B2 (en) * 2013-09-22 2016-09-27 Winbond Electronics Corporation Protecting memory interface
US12189824B2 (en) 2021-06-03 2025-01-07 Google Llc Register file protection

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5646997A (en) * 1994-12-14 1997-07-08 Barton; James M. Method and apparatus for embedding authentication information within digital data
EP0805575A3 (en) * 1996-05-03 2002-03-06 Texas Instruments Deutschland Gmbh Transponder

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6941461B2 (en) * 2000-05-12 2005-09-06 International Business Machines Corporation System and method of uniquely authenticating each replication of a group of soft-copy documents
FR2839594A1 (en) * 2002-05-10 2003-11-14 Radio Systemes Ingenierie Intruder protection secure radio frequency transmission having intermediate base digital word/header encryption with encryption key and second decoding calculation coding based and message only accepted where decoding correct
WO2004038999A1 (en) * 2002-10-24 2004-05-06 Telefonaktiebolaget Lm Ericsson (Publ) Message authentication code based on error correcting code
US7702910B2 (en) 2002-10-24 2010-04-20 Telefonaktiebolaget L M Ericsson (Publ) Message authentication
US7103754B2 (en) 2003-03-28 2006-09-05 International Business Machines Corporation Computer instructions for having extended signed displacement fields for finding instruction operands
US7457410B2 (en) 2003-05-07 2008-11-25 Panasonic Corporation Transmission/reception system
WO2004100445A3 (en) * 2003-05-07 2005-02-24 Matsushita Electric Ind Co Ltd Transmission/reception system using message authentication code
US7725736B2 (en) 2003-05-12 2010-05-25 International Business Machines Corporation Message digest instruction
US7720220B2 (en) 2003-05-12 2010-05-18 International Business Machines Corporation Cipher message assist instruction
CN100363887C (en) * 2003-05-12 2008-01-23 国际商业机器公司 Instruction for computing a security message authentication code
US9424055B2 (en) 2003-05-12 2016-08-23 International Business Machines Corporation Multi-function instruction that determines whether functions are installed on a system
US7356710B2 (en) 2003-05-12 2008-04-08 International Business Machines Corporation Security message authentication control instruction
KR100745889B1 (en) * 2003-05-12 2007-08-02 인터내셔널 비지네스 머신즈 코포레이션 Processing a security message authentication control instruction
US7159122B2 (en) 2003-05-12 2007-01-02 International Business Machines Corporation Message digest instructions
US7257718B2 (en) 2003-05-12 2007-08-14 International Business Machines Corporation Cipher message assist instructions
WO2004099976A3 (en) * 2003-05-12 2005-09-15 Ibm Instruction for computing a security message authentication code
US7770024B2 (en) 2003-05-12 2010-08-03 International Business Machines Corporation Security message authentication instruction
US8103860B2 (en) 2003-05-12 2012-01-24 International Business Machines Corporation Optional function multi-function instruction
US8661231B2 (en) 2003-05-12 2014-02-25 International Business Machines Corporation Multi-function instruction that determines whether functions are installed on a system
US8516258B2 (en) 2005-03-01 2013-08-20 Nxp B.V. Generator for generating a message authentication code, method of generating a message authentication code, program element and computer-readable medium
WO2008034998A1 (en) * 2006-09-18 2008-03-27 France Telecom Improvement of the resistance to cryptanalytic attacks of a hash function

Also Published As

Publication number Publication date
HK1046795B (en) 2005-04-22
JP2003506750A (en) 2003-02-18
CN1163018C (en) 2004-08-18
EP1210790A2 (en) 2002-06-05
WO2001011818A3 (en) 2001-06-07
AU6625000A (en) 2001-03-05
HK1046795A1 (en) 2003-01-24
CN1369157A (en) 2002-09-11
KR20020026370A (en) 2002-04-09

Similar Documents

Publication Publication Date Title
EP0672273B1 (en) Method and apparatus for encryption having a feedback register with selectable taps
US6707914B1 (en) System and method for encrypting information within a communications network
US6014446A (en) Apparatus for providing improved encryption protection in a communication system
US6289000B1 (en) Frame control encoder/decoder for robust OFDM frame transmissions
US5966450A (en) Variable mask for encryption generated independently at communications stations
US10396996B2 (en) Generating cryptographic checksums
US10623187B2 (en) Generating cryptographic checksums
EP1210790A2 (en) Method and apparatus for generating a message authentication code
KR20020041815A (en) Linear transformation for symmetric-key ciphers
JP3728500B2 (en) Modulation message authentication system and method
EP2452484A1 (en) Systems and methods for providing physical layer security
EP1197035B1 (en) Method and apparatus for securely transmitting distributed challenge values (rand) for use in mobile station authentication
EP0757459B1 (en) Cryptographic system for wireless communications
NZ238651A (en) Encryption system for digital cellular communications
US7489722B2 (en) Apparatus for production of scrambling codes and preambles
US7774677B2 (en) Method and device for transmitting information with verification of unintentional and intentional transmission errors
WO2001084772A2 (en) Generation of keyed integer permutations for message authentication codes
EP1316155A2 (en) Communicating information via a frame check sequence having an information block associated therewith
Dubrova et al. Error-correcting message authentication for 5g
CN116634421B (en) High-security mobile phone communication method
Zibideh et al. Key-based coded permutation ciphers with improved error performance and security in wireless channels
Macleod 4 Coding
Canteaut Lecture Notes on Error-Correcting Codes and their Applications to Symmetric Cryptography

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2000953877

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 1020027001766

Country of ref document: KR

Ref document number: 008114854

Country of ref document: CN

WWP Wipo information: published in national office

Ref document number: 1020027001766

Country of ref document: KR

WWP Wipo information: published in national office

Ref document number: 2000953877

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWW Wipo information: withdrawn in national office

Ref document number: 2000953877

Country of ref document: EP

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载