CA1048935A - Block cipher system for data security - Google Patents

Block cipher system for data security

Info

Publication number
CA1048935A
Authority
CA
Canada
Prior art keywords
message block
bits
data
cipher
cipher key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired
Application number
CA76243887A
Other languages
French (fr)
Inventor
William F. Ehrsam
Carl H. Meyer
Robert L. Powers
Paul N. Prentice
John L. Smith
Walter L. Tuchman
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Application granted granted Critical
Publication of CA1048935A publication Critical patent/CA1048935A/en
Expired legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption

Abstract

BLOCK CIPHER SYSTEM FOR DATA SECURITY

A device for ciphering message blocks of data bits under control of a cipher key. The cipher device performs a ciphering process for the first half of the message block of data bits from a first store by carrying out an operation in which the block of data bits is expanded by duplicating predetermined ones of the data bits of the first half of the message block. The data bits of the expanded first half of said message block are combined by modulo-2 addition with an equal number of cipher key bits, selected in accordance with an arbitrary but fixed permutation, to produce a plurality of multi-bit segments forming the arguments for a plurality of different non-linear substitution function boxes. The substitution boxes perform a plurality of nonlinear transformation functions to produce a substitution set of bits which are equal in number to the number of data bits in the first half of the message block. The substitution of data bits is then subjected to a linear transformation in accordance with an arbitrary but fixed permutation. The combined non-linear transformation and linear transformation results in a product block cipher for the first half of the said message block. Then the second half of the message block from a second store is subjected to a linear transformation in accordance with the product block cipher to produce a set of bits representing a modified second half of said message block. Finally said modified second half of said message block is loaded into the first store and the first half of the message block from the first store is loaded into the second store concurrently with the modified second half of the message block being loaded into the first store to complete a first iteration operation of the cipher device.

Description

Background of the Invention

This invention relates to a cipher device for utilization within a data processing environment and, more particularly, to a cipher device for performing a product block ciphering process for enciphering and deciphering digital data to ensure complete security and privacy of data within a data processing environment.
With the increasing use of telecommunications in computer system networks, the very long cable connections between terminals or I/O devices and control units and the removability of storage media, there is an increasing concern over the interception or alteration of data because physical protection cannot normally be guaranteed. Cryptography has been recognized as one type of mechanism for achieving data security and privacy in that it protects the data itself rather than the medium of transmitting the data.
Various systems have been developed in the prior art for enciphering messages to maintain the security and privacy of data communications. One such system is the block cipher system, which is a substitution technique, in which the entire block is enciphered in accordance with a predetermined cipher key. The resulting substituted message is unintelligible ciphertext which cannot be understood without knowledge of the cipher key. An advantage of the substitution technique operating in accordance with a predetermined cipher key is that the deciphering operation is easily implemented by a reverse application of the cipher key. Further teachings on the design and principles of substitution techniques may be found in "Communication Theory of Secrecy Systems" by C. E. Shannon, Bell System Technical Journal, Vol. 28, pages 656-715, Oct. 1949, and in "Cryptography and Computer Privacy" by H. Feistel, Scientific American, Vol. 228, No. 5, pages 15-23, May 1973. Both Shannon and Feistel expound on a product cipher system in which two or more ciphers are successively combined, as for example, by successive stages of nonlinear substitution followed by linear transformation.
Various product ciphering systems have been developed in the prior art for improving the security and privacy of data within a data processing system. U.S. Patent No. 3,798,359 issued March 19, 1974 relates to a product cipher system which combines linear and nonlinear transformations of a cleartext message with the transformations being a function of a cipher key. In addition to controlling the transformation, the cipher key also controls various register substitutions and modulo-2 additions of partially ciphered data within the ciphering system. However, the system disclosed in this patent does not disclose any of the details of the precise mapping of cipher key bits by the key router to the modulo-2 adders, the details of the particular nonlinear transformation carried out internal to the substitution function boxes or the particular permutation carried out by the diffuser, all of which have a significant effect on the quality of the cipher operation. Also, the cipher key is divided into small groups with the cipher key bits within each group being shifted for each iteration of the cipher operation. Because the size of the group is small, the effect of each group of cipher key bits is restricted over a limited area of the cipher operation which also has a significant effect on the quality of the cipher operation. Additionally, only two types of substitution function boxes are used in this system selected as a function of a cipher key bit only which likewise has a significant effect on the quality of the cipher operation.
Related to this patent is U.S. Patent No. 3,796,830 issued March 12, 1974 which is also directed to a product cipher system in which the block of cleartext is processed on a segmented basis with each segment being serially transformed in accordance with a portion of the cipher key. However, the system disclosed in this patent is serial in nature which reduces throughput speed and if rearranged to a parallel block system would add significant complexity to the hardware implementation of such a system. Furthermore, this system like that of the related patent is limited to only two types of substitution function boxes selected as a function of a cipher key bit only which likewise has a significant effect on the quality of the cipher operation.
In the present invention, a cipher device is provided for enciphering or deciphering a 64-bit message block under control of an arbitrarily chosen cipher key. The cipher device performs an enciphering process by carrying out a series of 16 iteration operations in the first of which a first half of the message block, consisting of 32 data bits, considered as 8 segments of 4 data bits each, is expanded into 48 data bits consisting of 8 segments of 6 data bits each, the expansion being accomplished by duplicating the end data bits of each of the 8 4-bit segments. The expanded 48 data bits considered as 8 6-bit segments are then combined in parallel by modulo-2 addition with 48 cipher key bits considered as 8 6-bit cipher key bit segments, selected in accordance with an arbitrary but fixed permutation, with the resulting 8 6-bit segments forming the actual arguments for 8 nonaffine transformation functions. In each of the 8 transformation functions, the end bits of the applied 6-bit segment, resulting from the modulo-2 addition of a duplicated end bit of the preceding 6-bit data segment and a permuted cipher key bit and from the modulo-2 addition of a duplicated end bit of the succeeding 6-bit data segment and a different permuted cipher key bit, are effectively decoded to select 1 of 4 16-entry function tables, each entry consisting of 4 bits. One of the 16 4-bit entries in the selected function table is then selected by effectively decoding the remaining inner 4 bits of the 6-bit segment. The function tables of the 8 transformation functions are different from each other, thereby providing 8 different transformation functions resulting in 8 4-bit segments defining a substitution set of 32 bits.
The substitution set of 32 bits is then subjected to a linear transformation by an arbitrary but fixed permutation, the combined nonlinear transformation and linear transformation resulting in a product block cipher of the 32-bit first half of the message block. The 32-bit second half of the message block is then modified by modulo-2 addition with the 32-bit product block cipher of the first half of the message block to produce a 32-bit modified second half of the message block. The 32-bit modified second half of the message block then replaces the first half of the message block which at the same time replaces the 32-bit second half of the message block. In the next iteration operation, the cipher key is shifted in accordance with the predetermined shift schedule to provide a new set of cipher key bits. The 32-bit modified second half of the message block is then used with the new set of cipher key bits in a similar product block cipher operation to modify the 32-bit first half of the message block. The process of remodifying alternate halves of the message block continues in successive iterations during each of which the cipher key bits are selectively shifted a predetermined amount according to the shift schedule to provide a new set of cipher key bits.
The cipher operation described above, carried out in a series of 16 iterations in accordance with a product block cipher algorithm, may be defined in terms of a cipher function and a key schedule function. Thus, in the enciphering operation, if the 64-bit input message block consists of a 32-bit block L and a 32-bit block R, then the input message block may be denoted by the term LR. Also, if the block of cipher key bits is chosen from a cipher key KEY, then the block of cipher key bits may be denoted by the term K. Therefore, for all iterations except the last, the output of an iteration with an input of LR may be denoted by the term L'R' and may be defined as follows:
$$L' = R, \qquad R' = L \oplus f(R, K) \tag{1}$$
where $\oplus$ denotes a bit-by-bit modulo-2 addition and before each iteration a different block K of cipher key bits is chosen from the cipher key KEY. Since the output is transposed after each iteration except the last, then the output of the last iteration with an input of LR may be denoted by the term L'R' and may be defined as follows:
$$L' = L \oplus f(R, K), \qquad R' = R \tag{2}$$
Additionally, if a key schedule KS is defined as a function of an integer n in the range from 1 to 16 and the cipher key KEY, then the permuted selection of cipher key bits from the cipher key KEY may be denoted by the term $K_n$ and defined as follows:
$$K_n = KS(n, KEY) \tag{3}$$
Then, if $L_0$ and $R_0$ are L and R, respectively, and $L_n$ and $R_n$ are L' and R', respectively, when $L_{n-1}$ and $R_{n-1}$ are L and R, respectively, then the output of an iteration when n is in the range from 1 to 15 may be defined by:
$$L_n = R_{n-1}, \qquad R_n = L_{n-1} \oplus f(R_{n-1}, K_n) \tag{4}$$
Since the output is transposed after each iteration except the last, then the output of the last iteration when n is equal to 16 may be defined by:
$$L_n = L_{n-1} \oplus f(R_{n-1}, K_n), \qquad R_n = R_{n-1} \tag{5}$$
In the enciphering operation $K_1$ is used in the first iteration, $K_2$ in the second, and so on, with $K_{16}$ used in the 16th iteration. See Fig. 8 for a block diagram of the enciphering operation.
The cipher function f(R,K) may be defined in terms of primitive functions called selection functions and permutation functions. Thus, if a 32-bit block R is expanded to a 48-bit block, then the expanded block may be denoted by the term E(R). The expanded block E(R) is then combined by modulo-2 addition with a block of cipher key bits K, selected in accordance with an arbitrary but fixed permutation, to produce 8 6-bit segments, $B_1, B_2, B_3, B_4, B_5, B_6, B_7$ and $B_8$, forming the arguments for 8 different distinct selection functions $S_1, S_2, S_3, S_4, S_5, S_6, S_7$ and $S_8$. Therefore, the modulo-2 addition may be defined as follows:
$$E(R) \oplus K = B_1, B_2, B_3, B_4, B_5, B_6, B_7 \text{ and } B_8 \tag{6}$$
Each distinct selection function $S_i$ transforms a distinct 6-bit segment $B_i$ into a 4-bit segment whereby the 8 distinct selection functions may be defined as $S_1(B_1), S_2(B_2), S_3(B_3), S_4(B_4), S_5(B_5), S_6(B_6), S_7(B_7)$ and $S_8(B_8)$. The 8 4-bit segment outputs of the 8 selection functions are then consolidated into a single 32-bit block which is permuted by a permutation function P into a new 32-bit block defined as follows:
$$P(S_1(B_1), S_2(B_2), S_3(B_3), S_4(B_4), S_5(B_5), S_6(B_6), S_7(B_7), S_8(B_8)) \tag{7}$$
which represents the cipher function f(R,K).
Deciphering a 64-bit enciphered message block under control of the same cipher key is accomplished through the same series of 16 iterations during which the cipher key is shifted in a direction opposite to that of the enciphering process by one or two bit positions according to the predetermined shift schedule. This assures proper alignment of the cipher key bits during the deciphering iterations to undo every iteration that was carried out in the enciphering operation and produce a resulting 64-bit message block identical with the original message block.

The deciphering operation described above, carried out in a series of 16 iterations in accordance with a product block cipher algorithm, may also be defined in terms of a cipher function and key schedule function. Thus, if a 64-bit enciphered input message block consists of a 32-bit block L' and a 32-bit block R', then the enciphered input message block may be denoted by the term L'R'. Therefore, the output of the first iteration with an input of L'R' may be denoted after being transposed by the term LR and may be defined as follows:
$$L = L' \oplus f(R', K), \qquad R = R' \tag{8}$$
where after each iteration a different block K of cipher key bits is chosen from the cipher key KEY in the reverse order in which it is chosen for the enciphering operation. After the first iteration, each succeeding iteration is transposed except the last, then the output of each succeeding iteration with an input of L'R' may be denoted by the term LR and may be defined as follows:
$$L = R' \oplus f(L', K), \qquad R = L' \tag{9}$$
Then, if $L_n$ and $R_n$ are L and R, respectively, and $L_{n-1}$ and $R_{n-1}$ are L' and R', respectively, the output of the first iteration when n is equal to 16 may be defined as follows:
$$L_{n-1} = L_n \oplus f(R_n, K_n), \qquad R_{n-1} = R_n \tag{10}$$
Since the output is transposed after each iteration except the last, then the output of each succeeding iteration when n is in the range from 15 to 1 may be defined as follows:
$$L_{n-1} = R_n \oplus f(L_n, K_n), \qquad R_{n-1} = L_n \tag{11}$$
In the deciphering operation, $K_{16}$ is used in the first iteration, $K_{15}$ in the second, and so on, with $K_1$ used in the 16th iteration. See Fig. 8 for a block diagram of the deciphering operation.
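The iteration equations (1) to (11) and the cipher function f(R,K) described above, as an added Python example that is not part of the patent text. The S box tables, the permutation P and the key-bit selection are constructed stand-ins generated from a fixed seed (this section gives none of them), and the shift amounts are the schedule published for DES, assumed here because the text only states one or two positions totalling 28.

```python
import random

MASK28, MASK32 = (1 << 28) - 1, (1 << 32) - 1
# Shift per iteration (the first entry is the pre-shift). The page only says
# "one or two bit positions" totalling 28; these values are the schedule
# published for DES and are an assumption here.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

_rng = random.Random(1975)  # fixed seed: the constructed tables are reproducible
# CONSTRUCTED stand-ins, not the patent's tables:
# 8 S boxes, each holding 4 function tables of 16 four-bit entries.
SBOX = [[_rng.sample(range(16), 16) for _ in range(4)] for _ in range(8)]
P = _rng.sample(range(32), 32)  # "arbitrary but fixed" 32-bit permutation
# 24 key bits picked from the upper register and 24 from the lower one.
KSEL = _rng.sample(range(28), 24) + [28 + j for j in _rng.sample(range(28), 24)]


def rotl28(x, n):
    return ((x << n) | (x >> (28 - n))) & MASK28


def rotr28(x, n):
    return ((x >> n) | (x << (28 - n))) & MASK28


def expand(r):
    """E(R): 8 four-bit segments become 8 six-bit segments, each flanked by
    the adjacent end bit of the preceding and succeeding segment."""
    nib = [(r >> (28 - 4 * i)) & 0xF for i in range(8)]
    return [((nib[i - 1] & 1) << 5) | (nib[i] << 1) | (nib[(i + 1) % 8] >> 3)
            for i in range(8)]


def key_segments(c, d):
    """Select and permute 48 of the 56 key bits into 8 six-bit segments."""
    cd = (c << 28) | d
    bits = [(cd >> (55 - j)) & 1 for j in KSEL]
    return [sum(b << (5 - t) for t, b in enumerate(bits[6 * i:6 * i + 6]))
            for i in range(8)]


def round_keys(key56, decipher=False):
    """K1..K16 for enciphering, K16..K1 (opposite shift direction) otherwise."""
    c, d = key56 >> 28, key56 & MASK28
    keys = []
    for i in range(16):
        if not decipher:  # shift, then use
            c, d = rotl28(c, SHIFTS[i]), rotl28(d, SHIFTS[i])
        keys.append(key_segments(c, d))
        if decipher:      # use, then shift the other way
            c, d = rotr28(c, SHIFTS[15 - i]), rotr28(d, SHIFTS[15 - i])
    # Exactly 28 positions in total: both registers are back as loaded.
    assert ((c << 28) | d) == key56
    return keys


def f(r, k):
    """Cipher function f(R,K) = P(S1(B1), ..., S8(B8)), E(R) xor K = B1..B8."""
    out = 0
    for i, (e, ki) in enumerate(zip(expand(r), k)):
        b = e ^ ki
        table = ((b >> 5) << 1) | (b & 1)  # two end bits pick 1 of 4 tables
        entry = (b >> 1) & 0xF             # inner 4 bits pick 1 of 16 entries
        out = (out << 4) | SBOX[i][table][entry]
    return sum(((out >> (31 - P[j])) & 1) << (31 - j) for j in range(32))


def encipher(block, key56):
    l, r = block >> 32, block & MASK32
    ks = round_keys(key56)
    for k in ks[:15]:
        l, r = r, l ^ f(r, k)   # equation (4): halves transposed
    l = l ^ f(r, ks[15])        # equation (5): last iteration, no transposition
    return (l << 32) | r


def decipher(block, key56):
    l, r = block >> 32, block & MASK32
    ks = round_keys(key56, decipher=True)
    l = l ^ f(r, ks[0])         # equation (10): first iteration uses K16
    for k in ks[1:]:
        l, r = r ^ f(l, k), l   # equation (11): n = 15 down to 1
    return (l << 32) | r
```

The round trip holds for any choice of tables, because each iteration only adds f of the untouched half modulo 2; the quality of the cipher, as the prior-art discussion stresses, depends entirely on the tables and permutations actually chosen.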
In a data processing environment, a sending station performs an enciphering process in which a product block cipher of a first half of a message block is achieved by first modifying the first half of the message block in accordance with a permuted cipher key, followed by a nonlinear substitution and linear permutation, the result of which is used to modify the second half of the message block. The modified second half of the message block and the original first half of the message block are then interchanged so that the modified second half of the message block serves as the argument for an iteration of the product block cipher operation under control of the permuted cipher key shifted, however, in accordance with a predetermined shift schedule, to modify the first half of the message block. Sixteen iterations of the product block cipher operation are executed, in which the result of one serves as the argument of the next and at the end of which the result constitutes the enciphered version of the original message block. At a receiving station, a deciphering process is performed under control of the same cipher key in a similar manner by 16 iterations of the product block cipher operation with the cipher key being shifted in a direction opposite to that in the enciphering process to undo every iteration that was carried out in the enciphering process and produce a resulting message block identical to that of the original message block.
Accordingly, it is an object of this invention to provide a system capable of maintaining the security of data within a data processing environment.
Another object of this invention is to provide a cipher device for message blocks of data wherein the cipher is developed under control of a cipher key shifted according to a predetermined shift schedule.
A further object of the invention is to provide a ciphering system for message blocks of data in which a cipher of a message block of data is carried out by a predetermined number of iterations of a product block cipher operation with the result of one iteration serving as the argument for the next iteration.
Still another object of the invention is to provide a ciphering system for message blocks of data in which a cipher of a message block of data is carried out by a predetermined number of iterations of a product block cipher operation under control of a cipher key which is shifted in a predetermined direction and in accordance with a predetermined shift schedule during the iterations of the cipher operation.
Still a further object of the invention is to provide an enciphering system for message blocks of data in which the enciphering of a message block of data is carried out by a predetermined number of iterations of a product block cipher operation under control of a cipher key which is shifted in a predetermined direction and in accordance with a predetermined shift schedule during iterations of the encipher operation so that different cipher keys are used during the iterations of the encipher operation.
Still another object of the invention is to provide a deciphering system for enciphered message blocks of data in which the deciphering of an enciphered message block of data is carried out by a predetermined number of iterations of a product block cipher operation under control of a cipher key which is shifted according to a predetermined shift schedule during deciphering iterations but in a direction opposite to that in which the message block of data is enciphered.
Still a further object of the invention is to provide a ciphering process for message blocks of data which is carried out by a series of product block cipher operations performed under control of a cipher key shifted according to a predetermined shift schedule.
Still another object of the invention is to provide an enciphering process for message blocks of data in which alternate halves of each message block are modified by a predetermined number of product block cipher operations performed under control of a cipher key shifted according to a predetermined shift schedule.
Still a further object of the invention is to provide a deciphering process for enciphered message blocks of data in which alternate halves of each enciphered block are modified by a predetermined number of product block cipher operations performed under control of the same cipher key that was used to encipher the message block shifted according to a predetermined shift schedule but in a direction opposite to that in enciphering the message block.

The foregoing and other objects, features and advantages of the invention will be apparent from the following more particular description of a preferred embodiment of the invention, as illustrated in the accompanying drawings.

Brief Description of the Drawings

Fig. 1 is a block diagram illustrating the location of cipher devices in a data processing environment.
Fig. 2 is a block diagram of the cipher device of the present invention.
Fig. 3 is a diagram of how Figs. 3a through 3j may be placed to form a composite block diagram.
Figs. 3a through 3j, taken together, comprise a detailed schematic diagram of the ciphering device of the present invention.
Fig. 4 shown on the sheet of drawings bearing Fig. 3g illustrates the logic details of a latch circuit used in the present invention.
Fig. 5 shown on the sheet of drawings bearing Fig. 3g comprises a series of timing diagrams explaining the operation of the latch circuit illustrated in Fig. 4.
Fig. 6 illustrates the details of a substitution box used in the present invention.
Fig. 7 shown on the sheet of drawings bearing Fig. 3j illustrates how Figs. 7a and 7b may be placed to form a composite timing diagram.
Figs. 7a and 7b, taken together, comprise a timing diagram of the enciphering and deciphering operation.
Fig. 8 is a block diagram of the enciphering and deciphering process.

General Description of the Disclosed Embodiment

At various locations within a data processing network physical protection of the network cannot normally be guaranteed against the interception or alteration of data or the physical removal of storage media. This problem occurs most notably in the case where data is communicated between a processor and a remote control unit or a remote terminal via telecommunication or between a control unit and terminals or I/O devices via a very long cable connection or, where removable storage media is provided. One mechanism for achieving data security and privacy in those situations is by the use of cryptographic devices located at strategic locations within the network. At the sending station clear data may be enciphered by a cipher device operating in an enciphering mode and then transmitted to a receiving station where the enciphered data may be deciphered by a cipher device operating in a deciphering mode to obtain the original clear data. Likewise, when the functions of the receiving and sending stations are reversed, the functions of the cipher devices associated with the receiving and sending station will likewise be reversed so that clear data from the receiving station, now operating as the sending station, will be enciphered and transmitted to the sending station, now operating as the receiving station where it is deciphered back to the original clear data. Fig. 1 illustrates the location of such cipher devices in a representative data processing network.
Referring now to Fig. 2, a block diagram of the cipher device is shown for enciphering or deciphering 64-bit message blocks of data consisting of 8 bytes with each byte containing 8 data bits. The data bytes of a message block are applied serially, a byte at a time, via the data bus-in to the cipher device, necessitating 8 cycles to completely transmit the message block of 64 data bits. Each byte of data bits received by the cipher device is subjected to an initial linear permutation accomplished by ordinary wire crossings hereinafter designated by a P box, e.g. P box 50. Following this, each permuted byte of data is divided into two halves with the even data bits 0, 2, 4 and 6 being applied to an upper input buffer (UIB) 100 and the odd data bits 1, 3, 5 and 7 being applied to a lower input buffer (LIB) 150. The UIB 100 and LIB 150 perform a serial to parallel conversion so that after reception of the 8 bytes of the message block the UIB 100 and the LIB 150 present 2 32-bit halves of the message block in parallel to an upper data register (UDR) 200 and a lower data register (LDR) 250, respectively.
At the same time that the 64-bit message block is being received and buffered into the UIB 100 and the LIB 150, the cipher key is obtained from a 64-bit external register providing 8 bytes with each byte containing 7 key bits and a parity bit used externally as a check bit. The cipher key bytes of the cipher key, with every eighth bit (the parity bit) omitted, are applied serially, a 7-bit byte at a time, via the key bus-in to the cipher device also necessitating 8 cycles to completely transmit the cipher key. Each byte of the cipher key received by the cipher device is also subjected to an initial permutation by P box 300, after which each permuted byte of the cipher key is divided into two halves with the first 4 bits of each 7-bit byte being applied to an upper key register (UKR) 350 and the remaining 3 bits being applied to a lower key register (LKR) 400. The UKR 350 and LKR 400 each contain 28 stages with a connection from the last stage of the UKR 350 to the twenty-fifth stage of the LKR 400 and performs a serial to parallel conversion so that during the serial reception of the 8 7-bit bytes considered as 7 groups of 8 bits each, 3 of the 7 groups of the serially received 8 bits at stages 0, 8, and 16 of the UKR 350 and 3 other of the 7 groups of the serially received 8 bits at stages 0, 8 and 16 of the LKR 400 are each converted to 3 parallel groups of 8 bits which may be considered as 2 parallel groups of 24 bits in the UKR 350 and the LKR 400. The remaining group of the 7 groups of 8 bits is serially received at stage 24 of the UKR 350. The connection between the last stage of the UKR 350 and stage 24 of the LKR 400 permits the first 4 bits of the remaining group of 8 bits serially received by the UKR 350 to be passed to the LKR 400 so that during reception of the group of 8 bits, the first 4 bits are converted to a parallel subgroup of 4 bits in the last 4 stages of the LKR 400 and the second 4 bits are converted to a parallel subgroup of 4 bits in the last 4 stages of the UKR 350. The UKR 350 and the LKR 400 now contain the cipher key considered as 2 parallel groups of 28 bits each.
At this point, the first and second half of the message block are transferred to the UDR 200 and the LDR 250 and the cipher key is contained in the UKR 350 and LKR 400. Once the UKR 350 and LKR 400 are loaded, the connection between the two registers is no longer used and the UKR 350 and LKR 400 operate as two independent 28-bit shift registers.
In an enciphering process, a series of 16 iterations is carried out, prior to which the cipher key contents of the UKR 350 and the LKR 400 are preshifted by one bit position. During the iteration operations of the enciphering process except the first the cipher key contents of UKR 350 and LKR 400 are shifted by one or two bit positions. This procedure assures proper alignment of the cipher key bits as each register is always shifted exactly 28 positions according to a predetermined shift schedule.
In the first iteration of the enciphering process, the first half of the message block contained in the UDR 200, consisting of 32 data bits considered as 8 segments of 4 data bits each, is expanded into 48 data bits consisting of 8 segments of 6 data bits each, the expansion being accomplished by duplicating the end bits of each of the 8 4-bit segments.
The expanded 48 data bits now considered as 8 6-bit segments are then applied, in parallel, to 8 modulo-2 adders 500 to 514, each consisting of 6 exclusive OR's. At the same time, a selected set of 48 predetermined ones of the 56 cipher key bits, 24 selected from the UKR 350 and 24 from the LKR 400, are linearly permuted in P box 450 by a predetermined fixed permutation and applied as 8 segments of 6 cipher key bits, in parallel, to the exclusive OR's of the 8 modulo-2 adders 500 to 514. The 8 modulo-2 adders 500 to 514 effectively combine the expanded 48 data bits, considered as 8 6-bit segments, in parallel, with the permuted 48 cipher key bits, considered as 8 6-bit segments, with the resulting 8 6-bit segments forming the actual arguments for 8 nonaffine substitution function boxes 550 to 564 hereinafter designated as S boxes in each of which a nonlinear transformation function is carried out. In each S box the end bits of the applied 6-bit segment, resulting from the modulo-2 addition of a duplicated end bit of the preceding 6-bit data segment and a permuted cipher key bit and from the modulo-2 addition of a duplicated end bit of the succeeding 6-bit data segment and a different permuted cipher key bit, are effectively decoded to select 1 of 4 16-entry function tables contained in a read only storage (ROS) within the S box, each entry consisting of 4 bits. One of the 16 4-bit entries in the selected function table is then selected by effectively decoding the remaining inner 4 bits of the applied 6-bit segment. The 8 S boxes are different from each other, thereby providing 8 different transformation functions resulting in 8 4-bit segments defining a substitution set of 32 bits. The substitution set of 32 bits is then subjected to a linear transformation by an arbitrary but fixed permutation in P box 600, the combined nonlinear transformation and linear transformation resulting in a 32-bit product block cipher of the first half of the message block which is applied to the modulo-2 adders 650 to 664. The 32 data bits of the second half of the message block in the LDR 250 are also applied to the modulo-2 adders 650 to 664 which then modifies the 32-bit second half of the message block from LDR 250 in accordance with the 32-bit product block cipher of the first half of the message block from the P box 600, the result of which is 8 4-bit groups comprising a new set of 32 bits representing a modified second half of the message block. The 32-bit modified second half of the message block is applied to replace the 32-bit first half of the message block contained in the UDR 200 which at the same time is transferred to replace the 32-bit second half of the message block presently contained in the LDR 250.
During the next iteration of the enciphering operation, the cipher key presently stored in the UKR 350 and the LKR 400 is shifted in accordance with the predetermined shift schedule to provide a new permuted set of cipher key bits. The 32-bit modified second half of the message block presently stored in the UDR 200 is then used with the new set of permuted cipher key bits in a similar product block cipher operation, the result of which is used by the modulo-2 adders 650 to 664 to modify the 32-bit first half of the message block presently stored in the LDR 250. The 32-bit modified first half of the message block from the modulo-2 adders 650 to 664 is then applied to replace the 32-bit modified second half of the message block contained in UDR 200 which at the same time is transferred to replace the 32-bit first half of the message block presently contained in LDR 250. During each of the remaining iteration operations of the enciphering process except the last, the cipher key bits in UKR 350 and LKR 400 are shifted according to the predetermined shift schedule to provide a new set of permuted cipher key bits, a 32-bit modified half of the message block stored in LDR 250 is remodified according to a 32-bit product block cipher of the previously modified half of the message block stored in the UDR 200 and the resulting 32-bit remodified half of a message block from the modulo-2 adders 650 to 664 is applied to replace the previously modified 32-bit half of the message block contained in UDR 200 which at the same time is transferred to replace the contents of LDR 250. During the last iteration operation, the cipher key bits in UKR 350 and LKR 400 are shifted a last time according to the shift schedule to provide a last set of permuted cipher key bits and a last remodification of a 32-bit modified half of the message block stored in LDR 250 is performed according to a 32-bit product block cipher of the previously modified half of the message block stored in UDR 200 but the resulting 32-bit remodified half of the message block from the modulo-2 adders 650 to 664 and the 32-bit previously modified half of the message block stored in UDR 200 are not transposed and now constitute the 64-bit enciphered version of the original message block.
After the sixteenth iteration, the 32-bit contents of the UDR 200 and the 32-bit output of the modulo-2 adders 650 to 664, representing the enciphered message block of data, are transferred to an upper output buffer (UOB) 700 and a lower output buffer (LOB) 750, respectively. The 64-bit enciphered block of data consisting of 4 8-bit bytes of enciphered data stored in the UOB 700 and 4 8-bit bytes of enciphered data stored in the LOB 750, is then subjected to a parallel to serial conversion on each 8-bit byte of enciphered data and applied, an 8-bit byte at a time, to a P box 800, necessitating 8 cycles to completely transmit the 64-bit enciphered message block of data. Each byte of enciphered data is subjected to a final linear permutation to connect the enciphered data bits to the proper bit lines of the data bus-out for transmission to a receiving station.
At a receiving station, deciphering the 64-bit enciphered message block of data under control of the same cipher key is accomplished through the same series of 16 iterations. However, no preshift of the cipher key contents of UKR 350 and LKR 400 is performed, as in the enciphering process, prior to the deciphering process. During the iteration operations of the deciphering process except the first the cipher key contents of UKR 350 and LKR 400 are shifted according to a predetermined shift schedule by one or two bit positions, as in the enciphering process, but in a direction opposite to that in the enciphering process to reverse the enciphering process and undo every iteration that was carried out in the enciphering process to produce a resulting 64-bit message block which is identical to the original 64-bit message block. Additionally, the cipher key content of UKR 350 and LKR 400 is shifted 27 bit positions during the iteration operations of the deciphering process. Consequently, since UKR 350 and LKR 400 are 28-bit shift registers, at the end of the deciphering process, the cipher key content of UKR 350 and LKR 400 are postshifted by one more bit position. This permits the cipher key to be shifted a complete revolution through the UKR 350 and LKR 400 shift registers according to the predetermined shift schedule to assure proper alignment of the cipher key bits during each iteration of the deciphering process and in preparation for another deciphering process.
DETAILED DESCRIPTION OF DISCLOSED EMBODIMENT:
Referring now to Figs. 3a through 3j, taken together, a detailed schematic diagram of the cipher device of the present invention is shown and a detailed description will follow taken in connection with the timing diagrams of Figs. 7a and 7b.
Before proceeding to a detailed description of the cipher device, refer to Fig. 4 which illustrates the logic detail of a latch circuit used throughout the present invention. The latch circuit 10 may be implemented with dynamic FET circuits operating with a 4 clock phase timing with each phase being 250 nanoseconds in duration giving a total of 1 microsecond for a complete clock cycle. The basic latch circuit consists of device 22 connected between a plus source and line 28 and having a gate electrode connected to receive a recurring clock signal φ1; parallel pairs of serially connected devices 23 and 24 and 25 and 26, respectively, connected between lines 28 and 29 with each pair having gate electrodes connected to receive inputs D3 and G3 and inputs D4 and G4, respectively; a device 30 connected between line 29 and ground and having a gate electrode connected to receive a recurring clock signal φ2; a group of 3 serially connected devices 32, 33 and 34 connected between the plus source and ground and each having a gate electrode respectively connected to a recurring clock signal φ3, line 28 and a recurring clock signal φ4 and the connection between devices 32 and 33 taken as the output line 36 of the latch circuit 10 and fed back as input D4 to the gate electrode of device 25. The stray and inter-electrode capacitances within the circuit are lumped together and shown as dotted capacitors 31 and 35. Devices 23 and 24 and 25 and 26 effectively function as AND circuits, line 28 as a dot OR function and device 33 as an inverter.
In operation, and with reference to the timing diagrams of Fig. 5, assuming the latch circuit 10 is initially in a 0 state, then when the φ1 clock signal is applied to render device 22 conductive, line 28 will be charged up to the plus source inasmuch as device 30 is nonconducting due to the absence of the φ2 clock signal. When the φ2 clock signal is next applied, the charge on line 28 will be maintained or discharged depending upon the signals being applied at inputs D3 and G3 or inputs D4 and G4. Since the latch circuit 10 is assumed to be in the 0 state, a lo level signal is applied at input D4 to maintain device 25 nonconducting and a lo level signal is applied to G4 to also maintain device 26 nonconducting and thereby block a discharge path through devices 25, 26 and 30. With respect to the discharge path including devices 23 and 24, if a 1 bit (hi level signal) is present at input D3 concurrently with a gate signal (hi level signal) at input G3, devices 23 and 24 conduct and provide a discharge path through device 30 thereby causing the signal on line 28 to discharge toward ground. On the other hand, if a 0-bit (lo level signal) is present at input D3 concurrently with a gate signal at input G3, then during φ2 clock time device 23 will remain nonconducting to block the discharge path from line 28 through devices 24 and 30 and the hi level signal will be maintained on line 28.
When the φ3 clock signal is next applied to the gate electrode of device 32, line 36 will be charged up to the plus source inasmuch as device 34 is maintained nonconducting due to the absence of a φ4 clock signal. When the φ4 clock signal is next applied to the gate electrode of device 34, the charge on line 36 will be maintained or discharged depending upon the level of the signal on line 28. If a lo level signal is present on line 28, representing an input of a data 1-bit, then during φ4 clock time device 33 will remain nonconducting to block the discharge path from line 36 through device 34 and a hi level signal will be maintained on line 36 indicating the presence of a 1-bit. During φ4 clock signal time valid data (1) is assured at the output of the latch circuit 10. Subsequently to setting the latch circuit 10 to the data 1-bit state, the positive signal at input D4 together with the positive signal applied to input G4 are effective to maintain a discharge path for line 28 so that a lo level signal will be maintained on line 28 irrespective of the signal levels at the inputs D3 and G3. This in turn, maintains the device 33 nonconducting to thereby block the discharge path through device 34 and maintain a hi level signal on line 36 so that circuit 10 will remain latched in the data 1 bit state until such time as a new data bit is to be entered whereupon gating pulses G3 and G4 and a data bit level D3 are applied as shown in Fig. 5. On the other hand, if a hi level signal is present on line 28, representing an input of a data 0 bit then during φ4 clock time, device 33 will be conducting providing a discharge path through device 34 and a lo level signal will be maintained on line 36 indicating the presence of a 0 bit. In this case, during φ4 clock signal time, as before, valid data (0) is assured at the output of the latch circuit 10.
Subsequently to setting the latch circuit 10 to the data 0-bit state, the lo level signal at input D4 is effective to maintain the device 25 nonconducting thereby blocking the discharge path for line 28 and the lo level signal at input G3 is effective to maintain device 24 nonconducting thereby blocking the other discharge path for line 28 so that a charge or hi level signal is maintained on line 28. This, in turn, maintains the device 33 conducting to thereby maintain the discharge path through device 34 and maintain a lo level signal on line 36 so that circuit 10 will remain latched in the data 0 bit state until such time as a new data bit is to be entered whereupon gating pulses G3 and G4 and a data bit level D3 are applied as shown in Fig. 5. Thus, valid data is assured at the output of the latch circuit 10.
When the latch circuit 10 is in the 1 state, a clock cycle operation is initiated with a φ1 clock signal applied to render device 22 conductive causing line 28 to be charged up to the plus source as before. When the φ2 clock signal is next applied, the charge on line 28 will, as before, be maintained or discharged depending upon the signals being applied at inputs D3 and G3 or inputs D4 and G4. If a data 1-bit is applied at D3, a lo level signal is maintained on line 28 whereas if a data 0-bit is applied at D3 a hi level signal is maintained on line 28 as previously described. When the φ3 clock signal is next applied to the gate electrode of device 32, line 36 will again be charged up to the plus source inasmuch as device 34 is maintained nonconducting due to the absence of a φ4 clock signal. When the φ4 clock signal is next applied to the gate electrode of device 34, the charge on line 36 will, as before, be maintained or discharged depending upon the level of the signal on line 28. If a lo level signal is present on line 28, representing an input data 1-bit then a hi level signal will be maintained on line 36 indicating the presence of a 1-bit whereas if a hi level signal is present on line 28, representing an input data 0-bit, then a lo level signal will be maintained on line 36 indicating the presence of a 0-bit, as previously described. The latch circuit 10 may be expanded to a 2-way input by the inclusion of devices 18 and 19 connected to inputs D1 and G1 or to a 3-way input by the inclusion of devices 20 and 21 connected to inputs D2 and G2. Throughout the embodiment of the present invention, which will now be described, 1-way, 2-way or 3-way input latch circuits will be utilized.
Referring now to Fig. 3a, a 64-bit message block of data consisting of 8 bytes is applied serially, a byte at a time, via the data bus-in to the P box 50. Each byte is subjected to an initial permutation by the P box 50 so that the byte of data is divided into two halves with the even data bits being applied to the UIB 100 and the odd data bits being applied to the LIB 150. The UIB 100 and LIB 150 each consist of 4 8-stage shift registers 0UIB, 1UIB, 2UIB and 3UIB and 0LIB, 1LIB, 2LIB and 3LIB. The first and last stages of the first shift register 0UIB are shown in detail in Fig. 3a with the remaining shift registers being shown in block form inasmuch as they are identical in detail to that of the shift register 0UIB.
Referring to the timing diagram of Fig. 7a, during cycle 0, when a valid data byte is being applied to the UIB 100 and LIB 150, via the P box 50, signals are applied on the LIB (G3) and LIB (G4) lines causing the first 8-bit byte of data to be loaded into the latches of the first stage of each of the shift registers in UIB 100 and LIB 150. During cycles 1-7, the remaining 8-bit bytes of the message block are applied, a byte at a time, to the UIB 100 and LIB 150, each bit of the byte being applied to the first stage (D3) of each of the shift registers. Since the signals on the LIB and LIB lines are applied to each stage of the shift registers, then during each of the cycles 1-7 the data bits are shifted down by one position in each of the shift registers so that at the end of cycle 7 the UIB 100 and the LIB 150 are loaded with two halves of the applied message block of data. The UIB 100 and LIB 150 effectively perform a serial-to-parallel conversion so that the 8 bytes of the message block presently stored in the UIB 100 and the LIB 150 provide 2 32-bit halves of the message block in parallel at the outputs of the UIB 100 and LIB 150.
Referring now to Figs. 3b, 3c and 3d, at the same time that the 64-bit message block is being received and buffered into the UIB 100 and the LIB 150, the cipher key is obtained from a 64-bit external register and applied serially, a 7-bit byte at a time, via the key bus-in to the P box 300. Each 7-bit byte is subject to an initial permutation by the P box 300 so that each byte is divided into two halves with the first 4 key bits being applied to the UKR 350 and the remaining 3 key bits being applied in a transposed manner to the LKR 400. UKR 350 and LKR 400 each consist of 3 8-stage shift registers 0UKR, 1UKR, 2UKR and 0LKR, 1LKR, 2LKR, respectively, and 1 4-stage shift register 3UKR and 3LKR, respectively, with the output of the fourth stage of the shift register 3UKR being connected to the first stage of the shift register 3LKR. The 8-stage shift register 0UKR consists of 1 3-way input latch 352 of the first stage and 7 2-way input latches, such as latches 354 and 366 of the second and last stages of the shift register 0UKR, shown in detail in Fig. 3b. The 8-stage shift register 1UKR also consists of 1 3-way input latch 368 of the first stage and 7 2-way input latches, such as latches 370 and 382 of the second and last stages of the shift register 1UKR, shown in detail in Fig. 3b. The 8-stage shift register 2UKR is shown in block form in Fig. 3c inasmuch as it is identical in detail to that of shift register 1UKR. The 4-stage shift register 3UKR consists of 1 3-way input latch 384 of the first stage and 3 2-way input latches, such as latch 390 of the last stage of the shift register 3UKR, shown in detail in Fig. 3c. Similarly, the 8-stage shift registers 0LKR, 1LKR and 2LKR of the LKR 400 are shown in block form in Figs. 3c and 3d inasmuch as they are identical in detail to that of the corresponding 8-stage shift registers 0UKR, 1UKR and 2UKR of the UKR 350. The 4-stage shift register 3LKR consists of 1 3-way input latch 402 of the first stage, connected to the output of latch 390 of the last stage of shift register 3UKR, and 3 2-way input latches, such as latch 408 of the last stage of the shift register 3LKR, shown in detail in Fig. 3d. Thus, for loading purposes, the combination of the UKR 350 and the LKR 400 may be considered as consisting of 7 8-stage shift registers for storing the key bits of the cipher key word.
Referring now to Figs. 3b, 3c and 3d and the timing diagram of Fig. 7a, during cycle 0, when a valid cipher key byte is applied to the UKR 350 and the LKR 400, via the P box 300, signals are applied on the LDK (G3) and LDK (G4) lines connected to the first stages of shift registers 0UKR, 1UKR, 2UKR, 3UKR, 0LKR, 1LKR and 2LKR causing the first 7-bit key byte to be loaded into the first stages of each of the 7 shift registers in UKR 350 and LKR 400, as for example into input latches 352, 368, 384 and 402.
During cycle 1, the second of the 8 7-bit bytes of the cipher key is applied and loaded into the first stages of the 7 shift registers in UKR 350 and LKR 400. At the same time, the previous contents of these stages, namely, the first of the 8 7-bit bytes, is shifted down one bit position by signals applied on the SR (G3) and LDK lines which are connected to the second stages of shift registers 0UKR, 1UKR, 2UKR, 3UKR, 0LKR, 1LKR and 2LKR. The resolving time within the latch of any stage is sufficient to allow the shift operation to occur before any change occurs at the output of the latch from the preceding stage.
During cycle 2, the third of the 8 7-bit bytes of the cipher key is applied and loaded into the first stages of the 7 shift registers in UKR 350 and LKR 400. At the same time, the previous contents of the first and second stages, namely, the second and first of the 8 7-bit bytes, respectively, are shifted down 1 bit position by signals applied on the SR and LDK lines which are connected to the second and third stages of shift registers 0UKR, 1UKR, 2UKR, 3UKR, 0LKR, 1LKR and 2LKR.
During cycles 3 and 4, the fourth and fifth of the 8 7-bit bytes of the cipher key are applied and successively loaded into the first stages of the 7 shift registers in UKR 350 and LKR 400 while the contents thereof are shifted successive 1 bit positions. However, it should be noted, referring to Figs. 3c and 3d, that during cycle 4, the bit in the last stage of the 3UKR is shifted to the first stage of the shift register 3LKR. During cycles 5, 6 and 7, the remaining 7-bit bytes of the cipher key are applied, a 7-bit byte at a time, to the first stages of shift registers 0UKR, 1UKR, 2UKR, 3UKR, 0LKR, 1LKR and 2LKR of the UKR 350 and LKR 400. Since the signals on the LDK and LDK lines are applied to the first stages of the shift registers and the signals on the SR and LDK lines are applied to the remaining stages of each of the shift registers, then during each of the cycles 5, 6 and 7, the cipher key bits are shifted down by one position so that at the end of cycle 7, UKR 350 and LKR 400 are loaded with two halves of the applied cipher key. In the loading operation, the UKR 350 and LKR 400 effectively perform a serial-parallel conversion so that the 8 7-bit bytes of the cipher key, presently stored in UKR 350 and LKR 400, may be considered as two parallel 28-bit halves. The key bit mapping tables for loading UKR 350 and LKR 400 with the cipher key are as follows:

TABLE 1
CIPHER KEY MAP FOR UKR

UKR Positions
[entries illegible]

TABLE 2
CIPHER KEY MAP FOR LKR

LKR Positions        Cipher Key Bits
LKR 0 - LKR 7        62 54 46 38 30 22 14 6
LKR 16 - LKR 23      60 52 44 36 28 20 12 4
[remaining entries illegible]

Referring now to Fig. 3a and the timing diagram of Fig. 7a, UDR 200 and LDR 250 each consist of 32 stages comprising latches 0UDR to 31UDR and 0LDR to 31LDR, respectively. During cycle 8, signals are applied to the IBT and LDR line to cause a parallel transfer of the 32 data bits in the UIB 100 and the 32 data bits in the LIB 150 to the UDR 200 and the LDR 250, respectively. Thus, the 64 bits of the message block are distributed in UDR 200 and LDR 250 as follows:

TABLE 3
DATA MAP FOR UDR

UDR Positions        Data Bits
UDR 8 - UDR 15       58 50 42 34 26 18 10 2
[remaining entries illegible]

TABLE 4

LDR Positions        Data Bits
[entries illegible]
Referring now to Figs. 3b, 3c and 3d and the timing diagram of Fig. 7a, it should be noted that no further signals are produced on LDK line. Accordingly, the connection from the last latch 390 of the shift register 3UKR to the first latch 402 of the shift register 3LKR is no longer used to transfer any bits due to the absence of any further signals applied to the LDK line. Additionally, the output of the last latch 390 in the shift register 3UKR and the output of the last latch 408 in the shift register 3LKR are connected back to the first latch 352 of the shift register 0LKR, respectively. Therefore, UKR 350 and LKR 400 may be considered as two independent 28-bit shift registers. Prior to the enciphering process, the cipher key bits presently stored in UKR 350 and LKR 400 are preshifted up 1 bit position with the bit stored in the first latch 352 of UKR 350 being shifted around to the last latch 390 of UKR 350 and the bit in the first stage of the LKR 400 being shifted around to the last latch 408 of the LKR 400. This is accomplished, in cycle 8, by signals being applied to the SL and LDK lines which are connected to every stage of the UKR 350 and LKR 400. The output of every latch is connected to the preceding latch and in combination with the signals on the SL and LDK lines is effective to transfer the bit from one latch to the preceding latch. For example, the output UKR1 from the latch 354 is connected to one input of the latch 352 which in combination with the signals on the SL and LDK lines is effective to shift the bit content of latch 354 to latch 352. Similarly, the output UKR0 from the latch 352 is connected to one input of the latch 390 which, in combination with the signals on the SL and LDK lines is effective to shift the bit content of the latch 352 to the latch 390.
This preshift of the cipher key bits by one bit position before the beginning of the enciphering process assures proper alignment of the key bits in the first iteration of the enciphering process. In the ensuing enciphering process, UKR 350 and LKR 400 are shifted up by one or two bit positions during each iteration of the enciphering process except the first to provide 27 additional shifts of the cipher key bits in UKR 350 and LKR 400. Since UKR 350 and LKR 400 are 28-bit shift registers, the 28 shifts of the cipher key bits in UKR 350 and LKR 400, consisting of the 1 preshift and the 27 shifts during the enciphering process, assures proper alignment of the cipher key bits during the iteration operations as well as the beginning of the enciphering operation. The predetermined shift schedule for the cipher key is shown in the following Table 5:

TABLE 5
CIPHER KEY SHIFT SCHEDULE

ITERATION NO.    (SHIFT UP)    (SHIFT DOWN)
[entries illegible]

A one in the shift schedule of Table 5 indicates a one bit position shift in the UKR 350 and LKR 400 while a two in the table indicates two one-bit position shifts of the UKR 350 and LKR 400.
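The register alignment described above for enciphering (1 preshift plus 27 shifts up) and for deciphering (no preshift, 27 shifts down, 1 postshift) can be checked with a short simulation. This is an added example, not code from the patent; the per-iteration shift amounts are an assumption taken from the published DES schedule because the Table 5 entries are not legible here, and the function names are this example's own.

```python
"""Key-register alignment for the 28-bit UKR/LKR shift registers (added example)."""

REG_BITS = 28

# Shift amounts applied in iterations 2..16 of the enciphering process.
# ASSUMPTION: these follow the published DES schedule. They sum to 27 as the
# text requires, but they are not read from the page's Table 5.
ITERATION_SHIFTS = [1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def shift_up(reg, n=1):
    """Each latch takes the bit of the following latch; latch 0 wraps to latch 27."""
    n %= len(reg)
    return reg[n:] + reg[:n]


def shift_down(reg, n=1):
    """Opposite direction, as used during the deciphering process."""
    n %= len(reg)
    return reg[-n:] + reg[:-n]


def encipher_states(loaded, preshift=True):
    """Return the register contents seen by iterations 1..16 and the final contents."""
    reg = shift_up(loaded, 1) if preshift else list(loaded)
    states = [reg]
    for n in ITERATION_SHIFTS:
        reg = shift_up(reg, n)
        states.append(reg)
    return states, reg


def decipher_states(loaded):
    """No preshift; iterations 2..16 shift down; one postshift at the end."""
    reg = list(loaded)
    states = [reg]
    for n in reversed(ITERATION_SHIFTS):
        reg = shift_down(reg, n)
        states.append(reg)
    return states, shift_down(reg, 1)


def check_alignment():
    loaded = list(range(REG_BITS))  # constructed labels standing in for key bits
    enc, enc_end = encipher_states(loaded)
    dec, dec_end = decipher_states(loaded)
    bad, bad_end = encipher_states(loaded, preshift=False)
    return {
        "sixteen_states": len(enc) == 16 and len(dec) == 16,
        # Deciphering sees the enciphering register states in reverse order.
        "decipher_reverses_encipher": dec == enc[::-1],
        # 1 + 27 shifts is a complete revolution of a 28-bit register.
        "encipher_full_revolution": enc_end == loaded,
        "decipher_full_revolution": dec_end == loaded,
        # Failure mode: without the preshift the two processes no longer line up.
        "no_preshift_misaligned": bad[::-1] != dec and bad_end != loaded,
    }


if __name__ == "__main__":
    for name, ok in check_alignment().items():
        print(f"{name}: {ok}")
```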
ENCIPHERING PROCESS
An enciphering process consists of a series of 16 iteration operations to encipher a message block of data bits.
Referring now to Figs. 3b to 3d and the timing diagram of Fig. 7a, a preshift of the cipher key bits in UKR 350 and LKR 400 is performed during cycle 8 before the enciphering process is carried out. Thus, first signals on SL and LDK lines applied to all stages of UKR 350 and LKR 400 cause a 1 bit position shift up of the cipher key in accordance with the cipher key shift schedule. This provides a valid first set of cipher key bits at the end of cycle 8 for the first iteration operation of the enciphering process. The first iteration operation of the enciphering process is carried out during cycle 9 and cycle 10 and is initiated by linearly transforming 24 of the 28 preshifted cipher key bits in UKR 350 and 24 of the 28 preshifted cipher key bits in LKR 400 in P box 450. The P box 450 provides an arbitrary but fixed permutation of the 48 bits from the UKR 350 and LKR 400 according to the following cipher key bit mapping Tables 6 and 7:

TABLE 6
UKR CIPHER KEY BIT PERMUTATION MAP

UKR BIT NO.    PERMUTED UKR BIT NO.
UKR 0          UKR 13
UKR 7          UKR 27
[remaining entries illegible]

TABLE 7

LKR BIT NO.    PERMUTED LKR BIT NO.
LKR 0          LKR 12
[remaining entries illegible]

The 48 permuted cipher key bits considered as 8 6-bit segments are applied as one input of the 8 modulo-2 adders 500, 502, 504, 506, 508, 510, 512 and 514, each of which consists of six exclusive OR's. At the same time, the first half of the message block contained in UDR 200, consisting of 32 data bits considered as 8 4-bit data segments, is expanded into 48 data bits consisting of 8 6-bit data segments and applied as the other input of the 8 modulo-2 adders 500 to 514. The expansion is accomplished by duplicating the end bits of each of the 8 4-bit data segments as shown in Figs. 3e, 3f and 3g. The 8 modulo-2 adders 500 to 514 effectively combine the expanded 48 data bits in parallel with the permuted 48 cipher key bits producing 8 6-bit segments forming the actual arguments for 8 nonaffine substitution function boxes 550 to 564 as set forth in the following Tables 8 and 9:

TABLE 8
S BOX MAPPING SCHEDULE A

UKR BIT NO.      UDR BIT NO.    S BOX BIT NO.    S BOX NO.
UKR 13     ⊕     UDR 31         0                0
UKR 16     ⊕     UDR 0          1                0
UKR 23     ⊕     UDR 2          3                0
UKR 0      ⊕     UDR 3          4                0
UKR 2      ⊕     UDR 3          0                1
UKR 27     ⊕     UDR 4          1                1
UKR 14     ⊕     UDR 5          2                1
UKR 5      ⊕     UDR 6          3                1
UKR 20     ⊕     UDR 7          4                1
UKR 22     ⊕     UDR 7          0                2
UKR 18     ⊕     UDR 8          1                2
UKR 3      ⊕     UDR 10         3                2
UKR 25     ⊕     UDR 11         4                2
UKR 15     ⊕     UDR 11         0                3
UKR 6      ⊕     UDR 12         1                3
UKR 26     ⊕     UDR 13         2                3
UKR 1      ⊕     UDR 16         5                3
[remaining entries illegible]

TABLE 9
S BOX MAPPING SCHEDULE B

LKR BIT NO.      UDR BIT NO.    S BOX BIT NO.    S BOX NO.
LKR 12     ⊕     UDR 15         0                4
LKR 23     ⊕     UDR 16         1                4
LKR 8      ⊕     UDR 18         3                4
LKR 11     ⊕     UDR 20         1                5
LKR 16     ⊕     UDR 22         3                5
LKR 4      ⊕     UDR 23         4                5
LKR 19     ⊕     UDR 24         5                5
LKR 15     ⊕     UDR 23         0                6
LKR 20     ⊕     UDR 24         1                6
LKR 5      ⊕     UDR 27         4                6
LKR 24     ⊕     UDR 28         5                6
LKR 17     ⊕     UDR 27         0                7
LKR 21     ⊕     UDR 29         2                7
LKR 7      ⊕     UDR 30         3                7
LKR 0      ⊕     UDR 31         4                7
LKR 3      ⊕     UDR 0          5                7
[remaining entries illegible]

Referring now to Fig. 6, representative 0 S-Box 550 is shown consisting of decoder 552 and read only storage (ROS) 584. A 6-bit segment from the 0 modulo-2 adder 500 is applied as the input to the 0 S-Box 550. Signals representing the end bits of the applied 6-bit segment, resulting from the modulo-2 addition of duplicated data bit UDR 31 and the permuted cipher key bit UKR 13 and the modulo-2 addition of the duplicated data bit UDR 4 and the permuted cipher key bit UKR 4 are applied to inverters 554 and 556 to thereby provide true and complement signals representing the end bits of the applied 6-bit segment. When the result of the end bit modulo-2 addition is 00, one of 4 groups of 16 AND circuits are selected, namely, AND circuits 568 to 570. Likewise, when the result of the end bit modulo-2 addition is 01, the second of the 4 groups of 16 AND circuits are selected, namely, AND circuits 572 to 574. Similarly, when the result of the end bit modulo-2 addition is 10, the third of 4 groups of 16 AND circuits are selected, namely, AND circuits 576 and 578. Lastly, when the result of the end bit modulo-2 addition is 11, the fourth of the 4 groups of 16 AND circuits are selected, namely, AND circuits 580 to 582. Signals representing the inner 4 bits of the applied 6-bit segment are applied to inverters 558, 560, 562 and 564 to thereby provide true and complement signals representing the inner 4 bits of the applied 6-bit segment. The inner 4 bits of the 6-bit segment are decoded by one of the 16 AND circuits of the selected group to apply a driving signal to an address line of the ROS 584.
ROS 584 essentially consists of 4 function tables, 0ROS, 1ROS, 2ROS and 3ROS, each containing 16 entries and each entry consisting of 4 bits in the form of 4 FET devices such as devices 586, 587, 588 and 589, or devices 590, 591, 592 and 593. The devices, when selected, produce a unique 4-bit segment on the output lines 594, 595, 596 and 597 of ROS 584 which are applied to the 4 output lines S0, S1, S2 and S3 of the S-Box 550. While the arrangement of the other 7 of the 8 S-Boxes are similar to that of 0 S-Box 550, the function tables in each of the other S-Boxes are different from each other, thereby providing 8 different transformation functions. The outputs of the function tables of the 8 S-Boxes are shown in the following Tables 10, 11, 12 and 13 of S-Box functions where each output number represents a 4-bit (hexadecimal) binary pattern, i.e., 14 = 1 1 1 0:

TABLE 10
S-BOX FUNCTION TABLE A

                    S BOX END BITS     S BOX END BITS
S BOX INNER BITS    (0) (1) (2) (3)    (0) (1) (2) (3)
0000 (0)             14   0   4  15     15   3   0  13
0001 (1)              4  15   1  12      1  13  14   8
0010 (2)             13   7  14   8      8   4   7  10
0011 (3)              1   4   8   2     14   7  11
0100 (4)              2  14  13   4      6  15  10   3
0101 (5)             15   2   6   9     11   2   4  15
0110 (6)             11  13   2   1      3   8  13   4
0111 (7)              8   1  11   7      4  14   1   2
1000 (8)              3  10  15   5      9  12   5  11
1001 (9)             10   6  12  11      7   0   8   6
1010 (10)             6  12   9   3      2   1  12   7
1011 (11)            12  11   7  14     13  10   6  12
1100 (12)             5   9   3  10     12   6   9   0
1101 (13)             9   5  10   0      0   9   3   5
1110 (14)             0   3   5   6      5  11   2  14
1111 (15)             7   8   0  13     10   5  15   9

TABLE 11

                    S BOX END BITS     S BOX END BITS
S BOX INNER BITS    (0) (1) (2) (3)    (0) (1) (2) (3)
0000 (0)             10  13  13   1      7  13  10   3
0001 (1)              0   7   6  10     13   8   6  15
0010 (2)              9   0   4  13     14  11   9   0
0011 (3)             14   9   9   0      3   5   0   6
0100 (4)              6   3   8   6      0   6  12  10
0101 (5)              3   4  15   9      6  15  11
0110 (6)             15   6   3   8      9   0   7  13
0111 (7)              5  10   0   7     10   3  13   8
1000 (8)              1   2  11   4      1   4  15   9
1001 (9)             13   8   1  15      2   7   1   4
1010 (10)            12   5   2  14      8   2   3   5
1011 (11)             7  14  12   3      5  12  14  11
1100 (12)            11  12   5  11     11   1   5  12
1101 (13)             4  11  10   5     12  10   2   7
1110 (14)             2  15  14   2      4  14   8   2
1111 (15)             8   1   7  12     15   9   4  14

TABLE 12
S-BOX FUNCTION TABLE C

                    S BOX END BITS     S BOX END BITS
S BOX INNER BITS    (0) (1) (2) (3)    (0) (1) (2) (3)
0000 (0)              2  14   4  11     12  10   9   4
0001 (1)             12  11   2   8      1  15  14   3
0010 (2)              4   2   1  12     10   4  15   2
0011 (3)              1  12  11   7     15   2   5  12
0100 (4)              7   4  10   1      9   7   2   9
0101 (5)             10   7  13  14      2  12   8   5
0110 (6)             11  13   7   2      6   9  12  15
0111 (7)              6   1   8  13      8   5   3  10
1000 (8)              8   5  15   6      0   6   7  11
1001 (9)              5   0   9  15     13   1   0  14
1010 (10)             3  15  12   0      3  13   4
1011 (11)            15  10   5   9      4  14  10   7
1100 (12)            13   3   6  10     14   0   1   6
1101 (13)             0   9   3   4      7  11  13   0
1110 (14)            14   8   0   5      5   3  11   8
1111 (15)             9   6  14   3     11   8   6  13

TABLE 13
S-BOX FUNCTION TABLE D

                    S BOX END BITS     S BOX END BITS
S BOX INNER BITS    (0) (1) (2) (3)    (0) (1) (2) (3)
0000 (0)              4  13   1   6     13   1   7   2
0001 (1)             11   0   4  11      2  15  11
0010 (2)              2  11  11  13      8  13   4  14
0011 (3)             14   7  13   8      4   8   1   7
0100 (4)             15   4  12   1      6  10   9   4
0101 (5)              0   9   3   4     15   3  12  10
0110 (6)              8   1   7  10     11   7  14   8
0111 (7)             13  10  14   7      1   4   2  13
1000 (8)              3  14  10   9     10  12   0  15
1001 (9)             12   3  15   5      9   5   6  12
1010 (10)             9   5   6   0      3   6  10   9
1011 (11)             7  12   8  15     14  11  13   0
1100 (12)             5   2   0  14      5   0  15   3
1101 (13)            10  15   5   2      0  14   3   5
1110 (14)             6   8   9   3     12   9   5   6
1111 (15)             1   6   2  12      7   2   8  11

Referring now to Figs. 3e, 3f and 3g, the 8 S-boxes 550 to 564 produce 8 4-bit segments defining a substitution set of 32 bits which are linearly transformed by an arbitrary but fixed permutation in P box 600. The combined nonlinear transformation performed by the S-Boxes 550 to 564 and the linear transformation performed by the P Box 600 results in a product block cipher of the first half of the message block. The linear permutation of the S-Box outputs is shown in the following Table 14:

TABLE 14
S-BOX OUTPUT PERMUTATION MAP

S BOX BIT NO.    PERMUTED S BOX BIT NO.
S1               S16
S4               S12
S6               S1
S11              S5
S13              S19
S19              S2
S23              S18
S24              S31
S25              S11
S30              S14
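An added example, not part of the patent text: the left-hand S-box of Table 10 as a lookup, with checks of the properties the description relies on (a nonlinear substitution that still uses every 4-bit output equally). The split of the six input bits into end bits and inner bits is an assumption (first and last bit as end bits, middle four as inner bits), and all function names are illustrative.

```python
# Left-hand S-box of Table 10, stored as printed: one row per inner-bit
# value (0..15), one column per end-bit value (0..3).
TABLE_10_LEFT = [
    (14, 0, 4, 15), (4, 15, 1, 12), (13, 7, 14, 8), (1, 4, 8, 2),
    (2, 14, 13, 4), (15, 2, 6, 9), (11, 13, 2, 1), (8, 1, 11, 7),
    (3, 10, 15, 5), (10, 6, 12, 11), (6, 12, 9, 3), (12, 11, 7, 14),
    (5, 9, 3, 10), (9, 5, 10, 0), (0, 3, 5, 6), (7, 8, 0, 13),
]


def split_input(six_bits):
    """Split a 6-bit S-box input into (end bits, inner bits).

    ASSUMPTION: the first and last input bits form the end-bit value and the
    middle four bits form the inner-bit value.
    """
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be a 6-bit value")
    end = ((six_bits >> 4) & 0b10) | (six_bits & 1)
    inner = (six_bits >> 1) & 0b1111
    return end, inner


def sbox(six_bits):
    """Return the 4-bit output segment for a 6-bit input."""
    end, inner = split_input(six_bits)
    return TABLE_10_LEFT[inner][end]


def as_pattern(value):
    """Render an output number as the 4-bit binary pattern it stands for."""
    return format(value, "04b")


def function_table(end):
    """The 16 entries selected by one end-bit value (one table column)."""
    return [row[end] for row in TABLE_10_LEFT]


def is_permutation(end):
    """True if the column contains each of the values 0..15 exactly once."""
    return sorted(function_table(end)) == list(range(16))


def affine_violations(end):
    """Count pairs (a, b) with f(a ^ b) != f(a) ^ f(b) ^ f(0).

    A count of zero would mean the column is an affine map over GF(2),
    i.e. no stronger than the linear permutation that follows it.
    """
    f = function_table(end)
    return sum(
        1
        for a in range(16)
        for b in range(16)
        if f[a ^ b] != f[a] ^ f[b] ^ f[0]
    )


def inputs_per_output():
    """How many of the 64 possible inputs map to each 4-bit output."""
    counts = [0] * 16
    for x in range(64):
        counts[sbox(x)] += 1
    return counts


if __name__ == "__main__":
    print("input 000000 ->", as_pattern(sbox(0b000000)))
    print("input 011011 ->", as_pattern(sbox(0b011011)))
    for end in range(4):
        print(end, is_permutation(end), affine_violations(end))
    print(inputs_per_output())
```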
Referring now to Figs. 3h, 3i and 3j, the 8 modulo-2 adders 650, 652, 654, 656, 658, 660, 662 and 664, each consists of 4 exclusive OR's. The second half of the message block contained in LDR 250 consisting of 32 data bits considered as 8 4-bit data segments, together with the permuted substitution set of 32 bits representing the product block cipher of the first half of the message block, are applied as inputs to the 8 modulo-2 adders 650 to 664. The 8 modulo-2 adders 650 to 664 effectively modify the 32 data bits of the second half of the message block in parallel with the 32-bit product block cipher of the first half of the message block producing 8 4-bit segments forming a new set of 32 bits representing the modified second half of the message block which is applied via a bus to the UDR 200 in Fig. 3a.
Referring now to Fig. 3a and the timing diagram in Fig. 7a, during the first part of cycle 10, first signals are applied to the LB and LDR lines which are connected to all of the latches in the UDR 200 permitting the new set of 32 bits representing the modified second half of the message block to be stored in the UDR 200. At the same time, the signals on the LB and LDR lines are also applied to all of the latches of the LDR 250 permitting the first half of the message block presently stored in the UDR 200 to be transferred to and stored in the latches of the LDR 250. This transposing of the now modified second half of the message block and the first half of the message block is in preparation for carrying out the next iteration operation of the enciphering process. At this point, the first iteration operation of the enciphering process that was started after the preshift of the cipher key in cycle 8 is completed.
Referring now to Figs. 3a to 3j and the timing diagram of Fig. 7a, the second iteration operation of the enciphering process is carried out during cycles 10, 11 and 12 and is initiated by a shifting operation performed during cycle 10. During cycle 10, second signals on the SL and LDK lines applied to all stages of UKR 350 and LKR 400 cause another 1 bit position shift up of the cipher key in accordance with the cipher key shift schedule. This provides a second set of cipher key bits for the second iteration operation of the enciphering process. During cycle 11, the modified second half of the message block presently stored in UDR 200 is then used in a similar product block cipher operation, as described above, the result of which is used by the modulo-2 adders 650 to 664 to modify the first half of the message block presently stored in LDR 250.
Referring now to Fig. 3a and the timing diagram in Fig. 7a, during cycle 12, second signals are applied to the LB and LDR lines which being connected to all the latches in UDR 200 permit the next new set of 32 bits representing the modified first half of the message block to be stored in UDR 200. At the same time, the second signals on the LB and LDR lines are also applied to all latches of LDR 250 permitting the modified second half of the message block presently stored in UDR 200 to be transferred to and stored in LDR 250. This operation prepares the cipher device to carry out the next iteration of the enciphering process. At this point, the second iteration operation of the enciphering operation is completed.

Referring now to the cipher key shift schedule in Table 5, it should be noted that the cipher key must be shifted 2 bit positions during the third iteration operation of the enciphering process which is carried out during cycles 11, 12, 13 and 14. Accordingly, during cycle 11, the first of the two shift operations of the cipher key is performed by applying third signals to the SL and LDK lines. This initiates the first of the two shifts for the third iteration operation and because of the resolving time through the cipher device has no effect on the second iteration operation which was initiated by the second signal applied to the SL line. During cycle 12, fourth signals applied to the SL and LDK lines cause the cipher key to be shifted up another 1 bit position. Thus, the cipher key is shifted 2 bit positions by the third and fourth signals applied to the SL and LDK lines during the third iteration operation.
In a similar manner, and in accordance with the cipher key shift schedule, successive iteration operations of the enciphering process are carried out by the cipher device. During each of the remaining iteration operations of the enciphering process except the last, the cipher key bits in UKR 350 and LKR 400 are shifted according to the predetermined shift schedule, a modified half of the message block stored in LDR 250 is remodified according to a product block cipher of the previously modified half of the message block stored in UDR 200 and the resulting remodified half of a message block from the modulo-2 adders 650 to 664 is applied to replace the previously modified half of the message block contained in UDR 200 which at the same time is transferred to replace the contents of LDR 250. During the last iteration operation of the enciphering process, performed during cycles 38 and 39, the cipher key bits in UKR 350 and LKR 400 are shifted a last time according to the shift schedule and a last remodification of a modified half of the message block stored in LDR 250 is performed according to a product block cipher of the previously modified half of the message block stored in UDR 200 but the resulting remodified half of the message block from the modulo-2 adders 650 to 664 and the previously modified half of the message block stored in UDR 200 are not transposed due to the absence of a signal on the LB line and now constitute the enciphered version of the original block. Consequently, referring to Figs. 3a, 3h, 3i and 3j, the 32-bit output of the UDR 200 and the 32-bit output of the modulo-2 adders 650 to 664, representing the 64-bit enciphered version of the original message block, are applied to the UOB 700 and the LOB 750, respectively. The UOB 700 and LOB 750 each consists of 4 8-stage shift registers 0UOB, 1UOB, 2UOB, 3UOB and 0LOB, 1LOB, 2LOB, 3LOB. The first, second and last stages of the first shift register 0UOB are shown in detail in Fig. 3h with the remaining shift registers being shown in block form inasmuch as they are identical in detail to that of the shift register 0UOB.
Referring now to Figs. 3h, 3i and 3j and the timing diagram of Fig. 7b, during cycle 40, signals are applied to the LDOB and LDOB lines which are connected to all of the latches in each of the shift registers of the UOB 700 and LOB 750 such as latches 702, 704 and 716 in shift register UOB. Accordingly, these signals are effective to cause a parallel transfer of the 32-bit output of the UDR 200 to the UOB 700 and a concurrent parallel transfer of the 32-bit output of the modulo-2 adders 650 to 664 to the LOB 750.
The 64-bit enciphered block of data now stored in UOB 700 and LOB 750 is subjected to a parallel to serial conversion, an 8-bit byte at a time, with the bit content of the last stage of each of the 8 registers being applied as an 8-bit byte to the P box 800 where each 8-bit byte is subjected to a final linear permutation to connect the enciphered data bits to the proper bit lines of the data bus-out. This is accomplished by the application of signals on the DOB and LDOB lines to the second to the eighth stages of each of the 8 shift registers 0UOB, 1UOB, 2UOB, 3UOB and 0LOB, 1LOB, 2LOB, 3LOB. Thus, during each of the cycles 41 to 47 the data bits in each of the 8 shift registers are shifted down by one position and an 8-bit byte of data is permuted via the P box 800 to the data bus-out. At the end of cycle 48, the last byte of the 64-bit enciphered block of data is transmitted and the enciphering process is completed.
While it is not shown in the timing diagram of Figs. 7a and 7b, it should be apparent that successive message blocks of data may be enciphered in a similar manner. Accordingly, during the enciphering of the first message block of data, if the next message block of data is received by the cipher device, it may be loaded into the UIB 100 and LIB 150. Then, at the end of cycle 39, when the last iteration of the first enciphering process is completed, the ciphering key has made a complete revolution through the UKR 350 and LKR 400 and is back to its original format in preparation for controlling the enciphering of the next message block of data. Therefore, during cycle 40 of the first enciphering operation, while the enciphered first message block of data is being transferred to UOB 700 and LOB 750, the next message block of data may be transferred to UDR 200 and LDR 250 under control of signals applied to the IBT and LDR lines, shown in dotted form in Fig. 7b, and the next enciphering process may proceed while the first message block of data is being transferred from UOB 700 and LOB 750 via P box 800 to the data bus-out. It should be apparent that if the rate of message block transmission to the cipher device becomes too high, so that a succeeding message block of data is received before the preceding message block of data has been transferred from the input buffers to the data registers, then circuitry will have to be provided to indicate this condition, e.g., a busy signal. This will permit succeeding blocks of data to be transmitted synchronously at the operating speed of the cipher device.
DECIPHERING PROCESS
Deciphering a 64-bit enciphered message block of data is accomplished under control of the same cipher key as is used in the enciphering process through the same series of 16 iterations. However, in the deciphering process, the cipher key is postshifted after the last iteration operation rather than preshifted before the first iteration operation as in the case of the enciphering process. Additionally, the cipher key is shifted in a direction opposite to that of the enciphering process according to the predetermined shift schedule shown in Table 5. This assures proper alignment of the cipher key bits during the deciphering iterations to undo every iteration that was carried out in the enciphering process and produce a resulting 64-bit message block identical with the original message block.
Referring now to Figs. 3a to 3d and the timing diagram in Fig. 7a, during cycles 0 to 7 the enciphered message block of data is received via the data bus-in, buffered in UIB 100 and LIB 150 and the cipher key is received and loaded into UKR 350 and LKR 400, in a manner as previously described. During cycle 8, the enciphered message block is transferred in parallel from the UIB 100 and LIB 150 to the UDR 200 and LDR 250, respectively, as previously described. Referring now to Figs. 3a and 3j, during cycle 9, a first half of the enciphered message block presently stored in UDR 200 is used with a permuted set of the cipher key bits in a product block cipher operation, the result of which is used by the modulo-2 adders 650 to 664 to modify the second half of the message block presently stored in LDR 250 in a similar manner to that described in the enciphering process. Referring now to Fig. 7a, during cycle 10, the first signal applied to the LB line and the signal applied to the LDR line permit the modified second half of the enciphered message block to replace the first half of the enciphered message block in UDR 200 which at the same time replaces the second half of the enciphered message in LDR 250 in preparation for the next iteration operation of the deciphering process.
The second iteration operation of the deciphering process is carried out during cycles 10, 11 and 12 and is initiated by shifting the cipher key bits down one bit position during cycle 10. This is accomplished by the first signal on the SRR line applied to the first stages of the UKR 350 and LKR 400, the first signal on the SR line applied to the remaining stages of each of the UKR 350 and LKR 400 and the signal on the LDK line applied to all stages of the UKR 350 and the LKR 400. The first signal on the SRR line together with the signal on the LDK line causes the bit content of the last stage of each of the UKR 350 and LKR 400 to be transferred up to the first stage of each of these registers while the first signal on the SR line together with the signal on the LDK line, which are applied to all of the remaining stages of the UKR 350 and LKR 400, causes the bit content of each stage of these registers to be transferred down to the succeeding stage thereby providing a one bit position shift down of the entire cipher key. This provides a new set of cipher key bits for the second iteration of the deciphering process which is completed by the end of cycle 12 in a similar manner to that described for the enciphering process.
Referring now to the cipher key shift schedule in Table 5, it should be noted that the cipher key must be shifted 2 bit positions at the beginning of the third iteration of the deciphering process. Accordingly, during cycle 11, the first of the two shift operations of the cipher key is performed by applying second signals to the SRR and SR lines and a signal to the LDK line. During cycle 12 third signals are applied to the SRR and SR lines and another signal to the LDK line causing the cipher key to be shifted down two bit positions by the second and third signals applied to the SRR and SR lines. In a similar manner, and in accordance with the cipher key shift schedule, successive iteration operations of the deciphering process are carried out by the cipher device which are completed by the end of cycle 30, except that in the 16th iteration the absence of a signal on the LB line inhibits the transposing operation similar to that described in the 16th iteration of the enciphering operation. During cycle 40, a postshift operation of the cipher key is performed to complete a full revolution of the cipher key through the UKR 350 and LKR 400 back to its original format in preparation for controlling the deciphering of the next message block of data. Then, during cycles 40 to 48 the deciphered message block of data is parallel transferred from the output of the UDR 200 and the modulo-2 adders 650 to 664 to the UOB 700 and LOB 750, respectively, and then transferred, an 8-bit byte at a time, via the P box 800 to the data bus-out. At the end of cycle 48, the last byte of the 64-bit deciphered block of data is transmitted and the deciphering process is completed. While it is not shown in the timing diagrams of Figs. 7a and 7b, it should be apparent that successive enciphered message blocks of data may be deciphered in a similar manner. It should also be apparent to those skilled in the art that the modulo-2 addition performed by the modulo-2 adders 650 to 664 during enciphering is a self-reversing process which occurs during the deciphering process.
While the invention has shown a series of modulo-2 adders 500 to 514, it should be apparent to those skilled in the art that the product block cipher operation need not be restricted to the use of such modulo-2 adders only, but that any type adder or combination of adders may be used provided a 48-bit output is produced.
While the invention has been described in terms of an encipher device for enciphering a message block of clear data and a decipher device for deciphering the enciphered message block of data back to the original block of clear data, it should be recognized by those skilled in the art that the encipher/decipher devices are inverse devices and, therefore, are not limited to that type of operation. For example, a decipher device may be used to encipher a message block of clear data and an encipher device may then be used to decipher the enciphered message block of data back to the original block of clear data.
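The iteration control described in the enciphering and deciphering sections, modelled at register level as an added example (it is not the patent's circuitry): key preshift versus postshift, the opposite shift direction, the transpose that is skipped in the 16th iteration, and the inverse-device property stated above. The shift schedule is assumed to be that of the published DES standard because Table 5 is not reproduced in this part of the text, the 28-bit register width is likewise assumed, and product_cipher is a hash-based stand-in for the expansion, key addition, S-box and P-box path.

```python
import hashlib

# ASSUMPTION: Table 5 is not reproduced in this section; this is the shift
# schedule of the published DES standard. It matches the 1, 1 and 2 bit shifts
# described for iterations 1 to 3 and sums to 28, one full register revolution.
SHIFT_SCHEDULE = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
REG_BITS = 28                      # ASSUMPTION: width of UKR 350 and of LKR 400
REG_MASK = (1 << REG_BITS) - 1
HALF_MASK = 0xFFFFFFFF             # UDR 200 and LDR 250 hold 32 bits each

BLOCK = 0x0123456789ABCDEF         # constructed sample message block
KEY = 0x0F1E2D3C4B5A69             # constructed sample 56-bit cipher key


def rotate(reg, n, up):
    """Circular shift of one key register; 'up' is modelled as a left rotate."""
    n %= REG_BITS
    if not up:
        n = (REG_BITS - n) % REG_BITS
    return ((reg << n) | (reg >> (REG_BITS - n))) & REG_MASK


def product_cipher(half, ukr, lkr):
    """Hypothetical stand-in for the product block cipher of one data half.

    The structure stays invertible for any function of (data half, key bits),
    so a truncated SHA-256 is enough to exercise the control flow.
    """
    data = b"".join(v.to_bytes(4, "big") for v in (half, ukr, lkr))
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def run(block, key, decipher=False):
    """Process one 64-bit block under a 56-bit key.

    Returns (output block, key register contents used in each iteration,
    key register contents after the last cycle).
    """
    ukr, lkr = (key >> REG_BITS) & REG_MASK, key & REG_MASK
    udr, ldr = (block >> 32) & HALF_MASK, block & HALF_MASK
    if decipher:
        # No preshift: iteration 1 uses the key as loaded, then the schedule
        # is walked backwards with shifts in the opposite direction.
        shifts = [0] + SHIFT_SCHEDULE[:0:-1]
    else:
        shifts = SHIFT_SCHEDULE    # the first entry is the preshift
    used = []
    for i, n in enumerate(shifts):
        ukr, lkr = rotate(ukr, n, not decipher), rotate(lkr, n, not decipher)
        used.append((ukr, lkr))
        modified = ldr ^ product_cipher(udr, ukr, lkr)   # modulo-2 adders
        if i < len(shifts) - 1:
            udr, ldr = modified, udr   # LB signal present: transpose the halves
        else:
            ldr = modified             # 16th iteration: no LB signal, no transpose
    if decipher:
        # Postshift after the last iteration completes the revolution.
        n = SHIFT_SCHEDULE[0]
        ukr, lkr = rotate(ukr, n, False), rotate(lkr, n, False)
    return (udr << 32) | ldr, used, (ukr, lkr)


if __name__ == "__main__":
    ct, enc_keys, enc_regs = run(BLOCK, KEY)
    pt, dec_keys, dec_regs = run(ct, KEY, decipher=True)
    print(f"enciphered {ct:016x}, deciphered {pt:016x}")
    print("key sets reversed:", dec_keys == enc_keys[::-1])
    print("registers restored:", enc_regs == dec_regs)
```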
While the invention has been particularly shown and described with reference to the preferred embodiment hereof, it will be understood by those skilled in the art that several changes in form and detail may be made without departing from the spirit and scope of the invention.
What is claimed is:

Claims (4)

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
1. A device for ciphering a message block of data bits under control of a set of cipher key bits by a predetermined number of iteration operations, said cipher device comprising:
first store means storing a first half of said message block of data bits,
second store means storing a second half of said message block of data bits,
control means including third store means storing said set of cipher key bits, and first linear transformation means connected to said third store means producing a permuted set of cipher key bits from said set of cipher key bits,
expansion means connected to said first store means duplicating predetermined ones of the data bits of the first half of said message block to produce an expanded first half of said message block containing data bits equal in number to the number of cipher key bits in said permuted set of cipher key bits,
means connected to said expansion means and said control means carrying out a substitution transformation function in accordance with the data bits of said expanded first half of said message block and the cipher key bits of said permuted set of cipher key bits to produce a substitution set of bits equal in number to the number of bits in the first half of said message block,
second linear transformation means connected to said substitution transformation means producing a permuted substitution set of bits, the combined transformation performed by said substitution transformation means and said second linear transformation means resulting in a product block cipher of the first half of said message block,
means connected to said second store means and said second linear transformation means modifying the data bits of the second half of said message block in accordance with the product block cipher of the first half of said message block to produce a set of bits representing a modified second half of said message block,
means connected between said modifying means and said first store means to load said modified second half of said message block from said modifying means into said first store means, and
means connected between said first store means and said second store means to load the first half of said message block from said first store means into said second store means concurrently with said modified second half of said message block being loaded into said first store means to complete a first iteration operation of said cipher device.
2. A cipher device as defined in Claim 1 wherein a second iteration operation of said cipher device is performed and further comprising;
means effective during said second iteration operation to shift said set of cipher key bits in said control means in a predetermined direction according to a predetermined shift schedule to produce a new permuted set of cipher key bits,
said cipher device being further effective during said second iteration operation to modify the first half of said message block of data stored in said second store means in accordance with said modified second half of said message block of data stored in said first store means and said new permuted set of cipher key bits produced by said control means to produce a modified first half of said message block of data in a similar manner in which the second half of said message block was modified during said first iteration operation and concurrently load said modified first half of said message block from said modifying means into said first store means and said modified second half of said message block from said first store means into said second store means to complete said second iteration operation of said cipher device.
3. A cipher device as defined in Claim 2 wherein the remaining iteration operations of said predetermined number of iteration operations are each performed in a similar manner as is performed in said second iteration operation to repetitively shift each set of cipher key bits in said control means in said predetermined direction according to said predetermined shift schedule to produce another new permuted set of cipher key bits in each remaining iteration operation, remodify each modified half of said message block of data stored in said second store means in accordance with each previously modified half of said message block of data stored in said first store means and each other new permuted set of cipher key bits produced by said control means to produce a remodified half of said message block of data stored in said second store means in each remaining iteration operation, and concurrently load each presently remodified half of said message block of data from said modifying means into said first store means and each previously modified half of said message block of data from said first store means into said second store means in each remaining iteration operation except the last, and further comprising:
first output means,
second output means,
means connected between said first store means and said first output means effective after the last iteration operation to transfer the previously modified half of said message block from said first store means to said first output means, and
means connected between said modifying means and said second output means effective after the last iteration operation to transfer the presently remodified half of said message block from said modifying means to said second output means,
whereby said first and second output means contains a cipher of said message block of data bits.
4. A process for performing a cipher operation on a message block of data bits comprising the steps of:
a. storing a first half of said message block of data bits in a first store means,
b. storing a second half of said message block of data bits in a second store means,
c. storing a set of cipher key bits in a third store means,
d. linearly transforming said set of cipher key bits stored in said third store means to produce a transformed set of cipher key bits,
e. duplicating predetermined ones of the data bits stored in said first store means to produce an expanded set of data bits equal in number to the number of cipher key bits in said transformed set of cipher key bits,
f. carrying out a substitution transformation function in accordance with the data bits of said expanded set of data bits and the cipher key bits of said transformed set of cipher key bits to produce a substitution set of bits equal in number to the number of bits stored in said first store means,
g. linearly transforming said substitution set of bits to produce a transformed substitution set of bits,
h. modifying the data bits stored in said second store means in accordance with said transformed substitution set of bits to produce a set of bits representing a modified half of said message block of data,
i. concurrently transferring said modified half of said message block of data to said first store means and the half of said message block of data stored in said first store means to said second store means,
j. shifting said set of cipher key bits in said third store means in a predetermined direction according to a predetermined shift schedule to produce a new set of cipher key bits,
k. repeating steps d to i to modify the half of said message block of data stored in said second store means in accordance with the modified half of said message block of data stored in said first store means and said new set of cipher key bits stored in said third store means to produce a modified half of said message block of data and concurrently transfer the presently modified half of said message block of data to said first store means and said previously modified half of said message block of data from said first store means to said second store means, and
l. repeating steps j and k for a predetermined number of iterations to repetitively shift each new set of cipher key bits in said third store means in said predetermined direction according to said predetermined shift schedule to produce another new set of cipher key bits in each iteration, remodify each modified half of said message block of data stored in said second store means in accordance with each modified half of said message block of data stored in said first store means and each other new set of cipher key bits in each iteration to produce a remodified half of said message block of data, and concurrently transfer each presently remodified half of said message block of data to said first store means and each previously remodified half of said message block of data from said first store means to said second store means in each iteration except the last, whereby the combination of said previously remodified half of said message block of data produced during the next to the last iteration and stored in said first store means and the presently remodified half of said message block of data produced during the last iteration represent a cipher of said message block of data.
CA76243887A 1975-02-24 1976-01-20 Block cipher system for data security Expired CA1048935A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US05/552,685 US3958081A (en) 1975-02-24 1975-02-24 Block cipher system for data security

Publications (1)

Publication Number Publication Date
CA1048935A true CA1048935A (en) 1979-02-20

Family

ID=24206358

Family Applications (1)

Application Number Title Priority Date Filing Date
CA76243887A Expired CA1048935A (en) 1975-02-24 1976-01-20 Block cipher system for data security

Country Status (5)

Country Link
US (1) US3958081A (en)
JP (1) JPS5936463B2 (en)
CA (1) CA1048935A (en)
GB (1) GB1480859A (en)
IT (1) IT1055306B (en)

Families Citing this family (94)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA1097794A (en) * 1975-08-08 1981-03-17 Harold B. Shutterly Secure television transmission system
US4074066A (en) * 1976-04-26 1978-02-14 International Business Machines Corporation Message verification and transmission error detection by block chaining
GB1597218A (en) * 1976-12-11 1981-09-03 Nat Res Dev Apparatus for electronic encypherment of digital data
DE2658065A1 (en) * 1976-12-22 1978-07-06 Ibm Deutschland MACHINE ENCRYPTION AND DECHIFREEZE
US4316055A (en) * 1976-12-30 1982-02-16 International Business Machines Corporation Stream/block cipher crytographic system
US4120030A (en) * 1977-03-11 1978-10-10 Kearney & Trecker Corporation Computer software security system
US4278837A (en) * 1977-10-31 1981-07-14 Best Robert M Crypto microprocessor for executing enciphered programs
US4168396A (en) * 1977-10-31 1979-09-18 Best Robert M Microprocessor for executing enciphered programs
US4159468A (en) * 1977-11-17 1979-06-26 Burroughs Corporation Communications line authentication device
US4238853A (en) * 1977-12-05 1980-12-09 International Business Machines Corporation Cryptographic communication security for single domain networks
US4386234A (en) * 1977-12-05 1983-05-31 International Business Machines Corp. Cryptographic communication and file security using terminals
US4238854A (en) * 1977-12-05 1980-12-09 International Business Machines Corporation Cryptographic file security for single domain networks
US4408203A (en) * 1978-01-09 1983-10-04 Mastercard International, Inc. Security system for electronic funds transfer system
US4259720A (en) * 1978-01-09 1981-03-31 Interbank Card Association Security system for electronic funds transfer system
US4262329A (en) * 1978-03-27 1981-04-14 Computation Planning, Inc. Security system for data processing
US4310720A (en) * 1978-03-31 1982-01-12 Pitney Bowes Inc. Computer accessing system
US4218738A (en) * 1978-05-05 1980-08-19 International Business Machines Corporation Method for authenticating the identity of a user of an information system
CA1147823A (en) * 1978-07-24 1983-06-07 Robert M. Best Crypto microprocessor for executing enciphered programs
US4465901A (en) * 1979-06-04 1984-08-14 Best Robert M Crypto microprocessor that executes enciphered programs
US4319079A (en) * 1979-09-13 1982-03-09 Best Robert M Crypto microprocessor using block cipher
US4369332A (en) * 1979-09-26 1983-01-18 Burroughs Corporation Key variable generator for an encryption/decryption device
US4369434A (en) * 1979-12-20 1983-01-18 Gretag Aktiengesellschaft Enciphering/deciphering system
US4543646A (en) * 1980-06-05 1985-09-24 Western Digital Corporation Chip topography for MOS Data Encryption Standard circuit
US4399323A (en) * 1981-02-09 1983-08-16 Bell Telephone Laboratories, Incorporated Fast real-time public key cryptography
CA1176335A (en) * 1981-06-05 1984-10-16 Exide Electronics Corporation Computer communications control
US4965825A (en) 1981-11-03 1990-10-23 The Personalized Mass Media Corporation Signal processing apparatus and methods
US7831204B1 (en) 1981-11-03 2010-11-09 Personalized Media Communications, Llc Signal processing apparatus and methods
USRE47642E1 (en) 1981-11-03 2019-10-08 Personalized Media Communications LLC Signal processing apparatus and methods
US4484306A (en) * 1982-03-22 1984-11-20 Exide Electronics Corporation Method and apparatus for controlling access in a data transmission system
US4649510A (en) * 1982-04-30 1987-03-10 Schmidt Walter E Methods and apparatus for the protection and control of computer programs
US4558176A (en) * 1982-09-20 1985-12-10 Arnold Mark G Computer systems to inhibit unauthorized copying, unauthorized usage, and automated cracking of protected software
US4550350A (en) * 1983-07-19 1985-10-29 Software Distribution Newtork, Inc. Secure copy method and device for stored programs
US4621334A (en) * 1983-08-26 1986-11-04 Electronic Signature Lock Corporation Personal identification apparatus
US4591660A (en) * 1983-10-25 1986-05-27 At&T Bell Laboratories Common control audio decryptor
US4956808A (en) * 1985-01-07 1990-09-11 International Business Machines Corporation Real time data transformation and transmission overlapping device
US4803725A (en) * 1985-03-11 1989-02-07 General Instrument Corp. Cryptographic system using interchangeable key blocks and selectable key fragments
US4802217A (en) * 1985-06-07 1989-01-31 Siemens Corporate Research & Support, Inc. Method and apparatus for securing access to a computer facility
JPS62169540A (en) * 1986-01-22 1987-07-25 Nippon Hoso Kyokai <Nhk> Signal scramble/descramble circuit
US5050213A (en) * 1986-10-14 1991-09-17 Electronic Publishing Resources, Inc. Database usage metering and protection system and method
US4916738A (en) * 1986-11-05 1990-04-10 International Business Machines Corp. Remote access terminal security
US5109413A (en) * 1986-11-05 1992-04-28 International Business Machines Corporation Manipulating rights-to-execute in connection with a software copy protection mechanism
US4891781A (en) * 1987-03-04 1990-01-02 Cylink Corporation Modulo arithmetic processor chip
US4935961A (en) * 1988-07-27 1990-06-19 Gargiulo Joseph L Method and apparatus for the generation and synchronization of cryptographic keys
US5003596A (en) * 1989-08-17 1991-03-26 Cryptech, Inc. Method of cryptographically transforming electronic digital data from one form to another
US5003597A (en) * 1989-12-21 1991-03-26 Xerox Corporation Method and apparatus for data encryption
US5210710A (en) * 1990-10-17 1993-05-11 Cylink Corporation Modulo arithmetic processor chip
US5317638A (en) * 1992-07-17 1994-05-31 International Business Machines Corporation Performance enhancement for ANSI X3.92 data encryption algorithm standard
US5323464A (en) * 1992-10-16 1994-06-21 International Business Machines Corporation Commercial data masking
JPH0812537B2 (en) * 1993-03-11 1996-02-07 日本電気株式会社 Encryption device
KR0184313B1 (en) * 1993-04-09 1999-05-01 모리시타 요이찌 System for scrambling a digital video signal
FR2723223B1 (en) * 1994-07-29 1996-08-30 Sgs Thomson Microelectronics DIGITAL INTERFERENCE METHOD AND APPLICATION TO A PROGRAMMABLE CIRCUIT
US5673319A (en) * 1995-02-06 1997-09-30 International Business Machines Corporation Block cipher mode of operation for secure, length-preserving encryption
US7165174B1 (en) 1995-02-13 2007-01-16 Intertrust Technologies Corp. Trusted infrastructure support systems, methods and techniques for secure electronic commerce transaction and rights management
US7069451B1 (en) 1995-02-13 2006-06-27 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US7133845B1 (en) 1995-02-13 2006-11-07 Intertrust Technologies Corp. System and methods for secure transaction management and electronic rights protection
US7095854B1 (en) 1995-02-13 2006-08-22 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US6948070B1 (en) 1995-02-13 2005-09-20 Intertrust Technologies Corporation Systems and methods for secure transaction management and electronic rights protection
EP1555591B1 (en) 1995-02-13 2013-08-14 Intertrust Technologies Corp. Secure transaction management
US6658568B1 (en) 1995-02-13 2003-12-02 Intertrust Technologies Corporation Trusted infrastructure support system, methods and techniques for secure electronic commerce transaction and rights management
US7133846B1 (en) 1995-02-13 2006-11-07 Intertrust Technologies Corp. Digital certificate support system, methods and techniques for secure electronic commerce transaction and rights management
US7143290B1 (en) 1995-02-13 2006-11-28 Intertrust Technologies Corporation Trusted and secure techniques, systems and methods for item delivery and execution
US7124302B2 (en) 1995-02-13 2006-10-17 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US5943422A (en) * 1996-08-12 1999-08-24 Intertrust Technologies Corp. Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels
US5892900A (en) 1996-08-30 1999-04-06 Intertrust Technologies Corp. Systems and methods for secure transaction management and electronic rights protection
US6157721A (en) 1996-08-12 2000-12-05 Intertrust Technologies Corp. Systems and methods using cryptography to protect secure computing environments
KR0153758B1 (en) * 1995-12-26 1998-11-16 양승택 The safe method using differential cryptanalysis and linear cryptanalysis
EP0880840A4 (en) * 1996-01-11 2002-10-23 Mrj Inc System for controlling access and distribution of digital property
US20060265336A1 (en) * 1996-02-26 2006-11-23 Graphon Corporation Automated system for management of licensed digital assets
US20010011253A1 (en) * 1998-08-04 2001-08-02 Christopher D. Coley Automated system for management of licensed software
US7062500B1 (en) 1997-02-25 2006-06-13 Intertrust Technologies Corp. Techniques for defining, using and manipulating rights management data structures
US5920861A (en) * 1997-02-25 1999-07-06 Intertrust Technologies Corp. Techniques for defining using and manipulating rights management data structures
US6128387A (en) * 1997-05-19 2000-10-03 Industrial Technology Research Institute Method and system for using a non-inversible transform and dynamic keys to protect firmware
US6112181A (en) * 1997-11-06 2000-08-29 Intertrust Technologies Corporation Systems and methods for matching, selecting, narrowcasting, and/or classifying based on rights management and/or other information
US7092914B1 (en) 1997-11-06 2006-08-15 Intertrust Technologies Corporation Methods for matching, selecting, narrowcasting, and/or classifying based on rights management and/or other information
US6259789B1 (en) 1997-12-12 2001-07-10 Safecourier Software, Inc. Computer implemented secret object key block cipher encryption and digital signature device and method
US7233948B1 (en) 1998-03-16 2007-06-19 Intertrust Technologies Corp. Methods and apparatus for persistent control and protection of content
TW375721B (en) 1998-06-17 1999-12-01 Ind Tech Res Inst DES chip processor capable of executing data encryption standard (DES) operation
US7430670B1 (en) 1999-07-29 2008-09-30 Intertrust Technologies Corp. Software self-defense systems and methods
US7243236B1 (en) * 1999-07-29 2007-07-10 Intertrust Technologies Corp. Systems and methods for using cryptography to protect secure and insecure computing environments
TW556111B (en) * 1999-08-31 2003-10-01 Toshiba Corp Extended key generator, encryption/decryption unit, extended key generation method, and storage medium
US7092525B2 (en) * 2000-04-20 2006-08-15 Matchett Noel D Cryptographic system with enhanced encryption function and cipher key for data encryption standard
US6931128B2 (en) * 2001-01-16 2005-08-16 Microsoft Corporation Methods and systems for generating encryption keys using random bit generators
US7076059B1 (en) * 2002-01-17 2006-07-11 Cavium Networks Method and apparatus to implement the data encryption standard algorithm
CA2415334C (en) * 2002-12-31 2012-04-24 Protexis Inc. System for persistently encrypting critical software data to control operation of an executable software program
US20050129066A1 (en) * 2003-12-15 2005-06-16 Steven Tischer Systems, methods, and storage medium for transmitting data over a computer network
US7725719B2 (en) 2005-11-08 2010-05-25 International Business Machines Corporation Method and system for generating ciphertext and message authentication codes utilizing shared hardware
US8287215B2 (en) * 2006-11-28 2012-10-16 Minute Key Inc. Fully automatic key duplicating machine with automatic key model identification system
EP2096884A1 (en) 2008-02-29 2009-09-02 Koninklijke KPN N.V. Telecommunications network and method for time-based network access
US8634951B2 (en) 2010-06-03 2014-01-21 Minute Key Inc. Fully automatic self-service key duplicating kiosk
US20130331976A1 (en) 2010-06-03 2013-12-12 Minute Key Inc. Key duplicating system
AU2011261228B2 (en) 2010-06-03 2015-04-23 The Hillman Group, Inc. Fully automatic self-service key duplicating kiosk
US9319878B2 (en) * 2012-09-14 2016-04-19 Qualcomm Incorporated Streaming alignment of key stream to unaligned data stream
US20230125560A1 (en) * 2015-12-20 2023-04-27 Peter Lablans Cryptographic Computer Machines with Novel Switching Devices
US10735199B2 (en) 2018-01-02 2020-08-04 Bank Of America Corporation File based transmission validation and failure location identification system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3798360A (en) * 1971-06-30 1974-03-19 Ibm Step code ciphering system
US3798359A (en) * 1971-06-30 1974-03-19 Ibm Block cipher cryptographic system

Also Published As

Publication number Publication date
JPS5936463B2 (en) 1984-09-04
GB1480859A (en) 1977-07-27
IT1055306B (en) 1981-12-21
US3958081A (en) 1976-05-18
JPS51108702A (en) 1976-09-27
