The ZK-Crypt III Algorithm SpecificationAlgorithm Spec_071226_after Avi last RW(2).doc 15 January 2008 [email protected] The ZK-Crypt III Algorithm Specification THE ZK-CRYPT STREAM

FORTRESS GB LTD London WC1H 9LG 1 PATENTS PENDING Algorithm Spec_071226_after Avi last RW(2).doc 15 January 2008 [email protected]

The ZK-Crypt III Algorithm Specification

THE ZK-CRYPT STREAM CIPHER & DATA AUTHENTICATION ALGORITHM

WITH IMPLEMENTATIONS

AN ARCHIVED PROFILE II CANDIDATE FOR THE eSTREAM CONTEST

INCLUDES THE DUAL TRACK FEEDBACK STRATEGY

EXPANDED DUAL TRACK FB SUBMITTERS:

Avi Hecht

Carmi Gressel

Ran Granot

ORIGINAL SUBMITTERS:

Orr Dunkelman

Avi Hecht

Carmi Gressel

Ran Granot

SUBMITTED DECEMBER 2007


Table of Contents Introduction 3

A Brief Description of the ZK-Crypt III

Vital Statistics 4

The ZK-Crypt Size

Pipe Lined Throughput at Standard Single Step Operations

Binary Variables/ Flip Flops

The Non-Linear Feedback Registers (nLFSRs) 5

Register Initialization 7

The Data Churn – Hybrid Filters, Displacement Matrices, and Store & XOR

Store & XORs

Splash Matrices

2 of 3Majority/3XOR Hybrid Filter 8

Lower Feedback Store 9

Super Tier Feedback Store

Cipher Super Tier, ST, Feedback 10

MAC Feedback

Random Controller - Clocking Mechanism 11

Permutation Clocking Mechanism –Deterministic Noise Source

Register Clocking Control Units 12

The Permutation Encoder 14

Splash Matrix Vector Rule Selector 16

Key Initialization 17

Clock Bit Initialization

The MAC Mode 18

References 19

Figures in the Appendix [zk-ccc]:

00BASC Basic Design– The ZK-Crypt designer blocks. 20

DC1 Clock Encoder for the Bundled Stream Cipher

4DC2 Clock Random Controller for the Bundled Stream Cipher 21

10S3 Encoding 11 Permutation Activators – Encoders of for Register Bank Permutations

07SEQ Sequence of Initialization & Basic Encryption – Basic cipher operations 22

11S2 MAJ/XOR 3 Tiered Balanced Combiner– Correlation Immunized Output 23

13TCU Top Control Unit – Non-linear Control- 3 Bit LFSR & 4 Bit Random Up-Count (4 to 15)

17TSM Splash Matrices w EVNN–Splash Matrices with Diffusing EVNN MAJ/XOR Permute Barrier 24

18SSEL Splash Matrix Selector- Randomly Selects 1 of 4 rules for Top and Bottom Splash Matrices

31HM Sequencing the MAC/HASH - Includes initialization and diffusing processes. 25

32HYBF One Cell of the MAJ/XOR Diffusion Filter –Large Diffuser with MAJ Selector & Feedback 26

33DACH Top Mid and Bot Store & XOR with FBs – Store & XOR Registers in the Data Manipulator

34DBFB Sparse/Dense Cipher and Double Max Diffusion MAC Feedback 27

34SUMX Super Tier SuperMIX Feedback 28

34MMIX Super Tier MAC MIX Feedback 29


Introduction

The enclosed description of the ZK-Crypt III differs from the ZK-Crypt I with:

1) Added complexity and diffusion which has enhanced the proofs of impossibility

of differentials.

2) Balanced random current consumption, such that all side channel attack methods

can reveal neither the state of the internal variables, nor the sequences exercised by

the ZK-Crypt.

3) Improved crypto-complexity of the clocking mechanism to be compatible with the

AIS 31 spec thereby enhancing the "deterministic noise" driving the cipher's activation,

permutation and control encoder.

And :

4) Introduction of dual track orthogonal feedback to provably preclude modified

messaging safely initialize the engine. Consequently, the second dense feedback track to

the Super Tier provided a random mask on the cipher output of the Register Bank while

retaining optimal statistics of the internal variables and the Result stream.

5) Increased the efficacy, the number and the complexity of feedback signals from

the Register Bank and Data Churn to the Random Controller. This has substantially

increased the number of input variables to be guessed in a divide & conquer attack.

Readers, new to the ZK-Crypt concept should first be familiar with [zk-undr], a thorough

explanation of the Word Manipulator. Someone, less acquainted with the concepts

involved may need the A-Z Guide and Glossary [zk-az glos]. System integrators may

reference [zk-intr]. Interested implementers ready to check AIS 31 compliance may

request the emulator CDROM [zk-ais].

This document is based on the circuits and design from the ZK-Crypt Dual Track FB

Circuit & Concept Drawings [zk-ccc]. The circuits and concepts were implemented by the

ASIC designers, by the cryptanalysts and by the C Simulator programmer; [zk-ccc] may

give a clearer picture of the HW architecture. We have added an appendix with selected

figures taken from [zk-ccc]. Figures are denoted [APPENDIX FIG. xxx], where "xxx" is the

drawing number.

Software oriented readers may choose to follow the C Simulator [zk-code].

Queries and suggestions are requested; please contact carmi or [email protected].

A Brief Description of the ZK-Crypt III [undr]

The ZK-Crypt engine is divided in two – the "Left side" Random Controller and the

"Right side" Word Manipulator. The Word manipulator is further divided into 3 basic

components: the Register Bank, the Data Churn and the Result/Feedback Processor.

[APPENDIX FIG. 00BASC]. ZK-Crypt accepts 128 or 160 bit length keys. 32 bits are loaded

into the Random Controller; 96 bits are loaded into the Register Bank. If 160 bit keys are

used, the remaining 32 bits are loaded through the MAC process. The IV has the same

length as the keys and is loaded (literally hashed in) using the MAC process.

A. The Register Bank – A set of 4 tiers of nonlinear feedback registers (pseudo random

number generators) with rotated images, organized as 3 MAJ function combined tiers

(Top, Middle and Bottom – TMB) and a more independent randomizing Super Tier (ST);

all four tiers and images are joined in a linear combiner. The Super Tier accepts the Super


Tier Feedback; the TMB Tiers each accept the Lower Feedback word; and the linear

combiner outputs an input word into the Data Churn.

B. The Data Churn - A complex of hybrid (MAX/3XOR) filters, displacement matrices,

and correlation immunizing combiners operative to receive the output of the Register

Bank and two rotated streams of Lower Feedback. The Data Churn is a massive diffuser

of the three inputs; operative to output a Cipher Mask and three internal streams to the

Result/Feedback Processor.

C. The Result/Feedback Processor – In Cipher Mode, the processor XORs the Cipher

Mask with the Message Word, and processes and stores the two feedback streams. The

Super Tier Feedback, a Super Mixed dense combination of two internal variables, and the

Lower Feedback, a sparse combination of 4 internal variables, fed back in three versions

to the TMB Tiers and to two Store & XOR stages of the Data Churn. In MAC mode

wherein the Result is typically a Message Word linearly combined to the Cipher Mask,

the two feedbacks are orthogonal words, one a linear derivation of a Present Result and a

Previous Result; whereas the second is displacement derivation of the Present Result and

two variables from the Data Churn.

D. The Random Controller – consists of three (TMB) Control Units and a Deterministic

and Random Noise Source driving the Activation, Permutation and Control Encoder. The

Random Controller receives 10 feedback binary signals from the Register Bank and Data

Churn; and feeds 14 permutation and clock drivers to the Register Bank and Data Churn.

The Controller also consists of a 24 bit counter useful for synchronization, for measuring

online TRNG Chi Square Noise statistics and for secured data authentication.

Consequently, in each clocked cycle, the nonlinear feedback Register Bank output 32 bits

that enter the Data Churn. Simultaneously, ten bits from the Register Bank and the Data

Churn are fed back to increase unpredictability in the Random Controller and 14 binary

signals from the latter serve to clock registers and control permutations of the ensuing

data. Dense and Sparse Feedback words are combined in all 4 tiers and in rotated form in

2 stages in the Data Churn.

Vital Statistics The ZK-Crypt Size

Full implementation includes an FSM, which allows simple or direct memory access

activation– the ZK-Crypt cipher has over 400 flip-flops, almost all of which are used in all

functions. The ZK-Crypt III's 8200 total count of two input NAND gate equivalents is just a

few hundred gates more than the previous single feedback track ZK-Crypt II.

Pipe Lined Throughput at Standard Single Step Operations

One 32 bit word (RNG, Stream Cipher or Message Digest) on every clock (machine cycle)

typically- 3.2 GBits/Sec at 100 MHz. The initialization phase in both the Stream Cipher and

the MAC use the MAC mode to hash in values into the Word Manipulator.

Binary Variables/ Flip Flops

In the Cipher mode 382 bit memory flip-flops are used (406 in MAC authentications). 62 are

in the Random controller and in each cycle 10 discrete binary variables actively permute the

Register Bank and the Data Churn. 320 flip-flops are active in the 32 Bit Word Manipulator in

Stream Cipher Mode. The Data Churn and the Register Bank are permuted by 14 uncorrelated

signals from the Random Controller.


The Non-Linear Feedback Registers (nLFSRs) [REF FIGS. 19TL-30ST]

ZK-Crypt contains four Tiers of nonlinear feedback registers each of 32 bits. They are

composed of two registers each. We denote the four tiers by R1, R2, R3, and ST and the

two sub-registers composing Ri by Ri,1 and Ri,2 (or respectively by ST1 and ST2) where

Ri,1 compose the most significant bits of Ri and Ri,2 contains the least significant bits of

Ri; i.e., Ri = Ri,1||Ri,2. The sub-registers are non-linear feedback shift registers, nLFSRs.

We first note that the clocking mechanism clocks two or three of the tiers Ri in each

cycle. When a tier is clocked, its two registers are clocked. The ST register is clocked at

each cycle, whereas lower tiered TOP, MID and BOT tier, respectively aka R1, R2, and

R3 are guided by random sequences.

All the six registers R1,1, R1,2, R2,1, R2,2, R3,1, R3,2, are updated in the following

manner (when they are updated):

The following bit is computed: bit=MSB(Ri,j) XOR Slip XOR NFIX(Ri,j), where

MSB(Ri,j) is the most significant bit of the register Ri,j, Slip is one of two clock

controlling bits (LeftSlip or RightSlip), and each nLFSR NFIXs ascertains if all bits save

the MS bit, (the rightmost) are all zeros. The sub-register is (right) shifted towards the

most significant bit, and the calculated bit enters the least significant bit and is XORed

into each of the feedback tapped sub-register (nLFSR) cells. Let newRi,j be the new value

of Ri,j after the clocking and oldRi,j be the value of the register before the clocking, then:

bit=MSB(oldRi,j) XOR Slip XOR NFIX (oldRi,j)

newRi,j[0] = bit;

if (t) is a feedback tap: newRi,j[t+1] = oldRi,j [t] XOR bit

else newRi,j[t+1] = oldRi,j[t]

The NFIX changes the behaviour of the cycle, adding the all-zero state to the large cycle.

We note that due to the NFIX operation, a sub-register can never be "stuck" on an all zero

value. Consequently, the all zero sub-register value is valid in the total sequence, which

typically, is not the case in conventional LFSRs. Consequently the value of NFIXx is 1 if

all bits but the most significant bit are 0 otherwise it is 0. (If n = the number of nLFSR

cells, then the number of stages of the nLFSR with NFIXn is now 2n as opposed to the

conventional LFSR 2n-1).

When register Ri is updated it is also XORed with the feedback register, i.e., Ri = Ri XOR

FBR, where FBR is the feedback register. We emphasize the fact that if Ri is not clocked,

it is not affected by the feedback register.

The attributes of the TMB Tiers of nLFSRs are listed in the following table. The TMB

nLFSRs are each randomly clocked, and their feedbacks are delinearized with Slip

signals. The unique number of cells, and the tap configuration for each Ri,j, are listed.


Register Length (# of Cells)

Feedback Taps Slip

(Left/Right)

Clock Bit

R1,1 13 2,3,5,8,9 Left Top clock

R1,2 19 1,4,6,7,8,9,11,14,16 Right Top clock

R2,1 18 2,4,6,7,10,11,12,13,15 Left Middle clock

R2,2 14 1,4,5,8,10 Right Middle clock

R3,1 15 0,1,5,6,10 Left Bottom clock

R3,2 17 1,4,7,9,10,12,13 Right Bottom clock

The Super Tier is regularly clocked by the Primary Clock, and is not affected by

non-linear Slip signals from the Random Controller (which aberrate good statistics). The

parameters of the Super-Tier, ST, are as follows:

Register Length Feedback Taps

ST1 16 0,2,5,6,10,11,12

ST2 16 5,8,11

The super-tier is always clocked, in a similar update rule:

bit=NFIX(oldSTi) XOR STi[15]

newSTi[0] = bit

if (t) is a feedback tap: newSTi[t+1] = oldSTi[t] XOR bit

else newSTi[t+1] = oldSTi[t]

The super tier is XORed with the STFBR, a feedback register especially computed for the

super tier, on every clock cycle.

ST = ST XOR STFBR

After the clocking of all the registers (as described earlier), the following function is

computed (note that the ST is always XORed with its rotated image).

if (TOP BROWN)

x1 = R1 XOR (R1<<<1)

else

x1 = R1

if (MID BROWN)

x2 = R2 XOR (R2<<<3)

else

x2 = R2

if (BOT BROWN)

x3 = R3 XOR (R3<<<5)

else

x3 = R3

z = MAJ(x1 ,x2 ,x3)

output =(z XOR (z>>>5) XOR ST XOR (ST<<<7))

Where Top Brown, Mid Brown and Bot Brown are control bits from the Permutation-

Encoder.


Register Initialization

At initialization, three key words are loaded into the three registers, as follows:

R1 is loaded with the second word of the key, R2 is loaded with the third word of the key,

and R3 is loaded with the fourth word of the key. The ST is initialized to the all zero

state.

Data Churn – Hybrid Filters, Displacement Matrices, and Store & XOR

[APPENDIX FIGS. 11S2, 17TSM, 18SSEL 33DACH & 34DBFB]

The Data Churn has seven main modules:

1. The Top Store & XOR Correlation Immunizer;

2. A first 4 Rule Displacement Permutation Matrix (aka the Top Splash Matrix);

3. The Top 2 of 3 Majority Gate/3XOR Filter (aka the Top Hybrid MAJ/3XOR Filter);

4. The Middle Store & XOR Correlation Immunizer;

5. A second 4 Rule Displacement Permutation (aka the Bottom Splash Matrix);

6. The Bottom 2 of 3 Majority Gate/3XOR Filter (aka the Bot Hybrid MAJ/3XOR Filter); and,

7. The Bottom Store & XOR Correlation Immunizer (the output is the Cipher Mask),

Outputting to the Result/Feedback Processor

The output of the Bottom Store & XOR is the output of the Stream Cipher (the Mask).

Store & XOR [APPENDIX FIG. 32HYBF & ZK-CCC]

A Store & XOR component stores the previous saved values, and outputs the stored value

XORed to a new input value. Stated differently, let Store & XOR have a memory register

X containing the input of the previous clock cycle, then:

Store & XOR (input Y) {

register X (from previous cycle)

output X XOR Y

X <- Y }

The Top Store & XOR accepts the output of the Register Bank's output combiner XORed

with the FBR feedback word right rotated 13 bits. The Intermediate Store & XOR accepts

the output of the MAJ/3XOR Hybrid Filter with the FBR feedback word rotated 7 bits to

the left.

Splash Matrices [APPENDIX FIG. 17TSM, 18SSEL & ZK-CCC]

A Splash Matrix is a displacement mechanism, designed principally to decorrelate near

neighbour inputs into the Hybrid MAJ/3XOR filter. This displacement is considered

immune to second order side channel attacks, because of its non-linearity and because of

its size. A Splash Selector in the Random Controller chooses one of the four displacement

rules, each defining a unique displacement of each input bit to the Splash Matrix. Bit

combinations from the Random Controller, and data bits from the output of the Top

Splash Matrix together logically define which displacement vector, A, B, C or D is

chosen. See the following table. For legacy software based applications the Splash

Matrices may be locked on Vector D.


Vector\Input

\Bit

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

A 9 18 5 11 22 12 30 19 7 15 31 25 28 24 6 3

B 30 15 6 12 25 18 16 9 19 7 3 31 0 29 27 21

C 19 7 14 29 3 27 0 13 25 16 15 30 20 1 26 31

D 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Vector\Input

\Bit

16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

A 17 13 27 23 1 2 26 21 4 20 8 16 0 14 10 29

B 14 28 24 17 23 5 10 2 11 22 13 26 20 8 4 1

C 8 6 2 4 9 18 12 10 21 11 22 5 24 23 28 17

D 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

2 of 3Majority/3XOR Hybrid Filter [APPENDIX FIG 33DACH & ZK-CCC]

The 32 bit MAJ/3XOR component accepts four bits from the clocking mechanism along

with the 32 bits that exit the Splash matrix. Each two consecutive bits enter a majority

function [APPENDIX FIG 32HYBF & ZK-CCC] along with one of the four bits from the

clocking mechanism. The 32 bit output majorities are XORed twice – with the input right

shifted by one bit and with the input right shift by two bits.

MAJ/3XOR Hybrid filter (input X, four bits TOP,MIDDLE,BOTTOM,FOURTH) {

A = X & 0x11111111

B = X & 0x22222222

C = X & 0x44444444

D = X & 0x88888888

if (TOP) Topmask = 0x11111111, else Topmask = 0

if (MIDDLE) Middlemask = 0x22222222, else Middlemask = 0

if (BOTTOM) Bottommask = 0x44444444, else Bottommask = 0

if (FOURTH) Fourthmask = 0x88888888, else Fourthmask = 0

Z = MAJ(A, D<<<1,Topmask) | MAJ(B,A<<<1,Middlemask) |

MAJ(C,B<<<1,Bottommask) | MAJ(D,C<<<1,Fourthmask)

output Z XOR (X>>>1 ) XOR (X >>> 2)

}

The clocks for the second (bottom) MAJ/3XOR Filter are shifted by one bit with respect

to their place in the first (top) Majority-with-Double-XOR. This ensures that both splash

matrices would not use the same displacement vector.


The Lower and Super Tier Feedback Stores

There are two feedback stores. The LFBR, Lower Feedback Store– affects the TMB tiers

and the Data Churn. The STFBR, Super Tier Feedback Store, affects the Super Tier only.

Each feedback track has two modes of operation: Cipher Mode, used only in ciphering

and the MAC mode used in all initializations, MAC authentications and in the TRNG.

Lower Feedback Store [APPENDIX FIG 34DBFB & ZK-CCC]

The LFBR Feedback Store saves its input to be output on the next cycle.

Cipher Sparse Feedback

Feedback Register (input TopStore, TSPL, IntermediateStore, BottomSplash)

{

temp = IntermediateStore XOR BottomSplash

temp2 = TopStore AND TSPL AND temp

output temp2

}

where TopStore is the output of the Top Store & XOR unit, TSPL is the output of the

first Majority-with-Double-XOR unit, IntermediateStore is the output of the Intermediate

Store & XOR, and the BottomSplash is the output of the bottom splash. Note that this

Sparse Feedback word will contain, on the average, only four ones (and 28 zeroes). As a

result of the massive diffusion in the registers and stores, each "1" bit is subsequently a

factor of every bit in the combining mechanism after only a few clock cycles. Millions of

tests have proved that this sparse encoding produces outstanding output statistics in the

ZK-Crypt multi-feedback orientation. [APPENDIX FIG 32HYBF]

MAC Feedback

ResultStore = MessageIn XOR BottomStore

Feedback Register (input, prevResultStore, PresMessageIn, PresBottomStore)

{

temp = PresMessageIn XOR PresBottomStore

temp2 = temp XOR prevResultStore

output temp2

}

where the BottomStore output is the output of the last Store & XOR. The ResultStore is

kept between cycles

Super Tier Feedback Store (STFBR) [APPENDIX FIG 34SUMX 34MMIX & [ZK-CCC]]

The STFBR saves an input permutated dense feedback to be output on the next cycle.

The two modes of operation are Cipher FB and MAC FB. The first operates while

ciphering messages where the feedback is not a function of the Result and the MAC FB is

used while loading keys, IVs and obviously, for performing MAC Data Authentication

operations. The feedback uses the state of the data churn variables and in case of the

MAC the input data and the XORed output of the Synchronization Counter. The


Synchronization Counter is a 24 bit counter operative to count the occurrence of each

input Message (i.e. counting every 32 bit Word that is sent into the ZK-Crypt engine).

The counter is used for page synchronization – allowing us to decipher a Message from

the middle, after the FSM has updated the engine to the proper cipher mask; and also to

synchronize network transmissions, between senders and receivers.

In MAC Data Authentication functions the 24 bit Synchronization Up-Counter output is

XORed to the Super Tier's nLFSRs. The counter's 16 LS right hand bits, (reversed from

the normal depiction of Up-Counters), are XORed with the right hand Super Tier nLFSR.

The remaining MS 8 bits are XORed with the 8 LS bits of the L/H Super Tier nLFSR,

[haifa] [zk-dfb].

SYNC_FB = ((SYNC COUNTER <<<16) AND 0xFFFF 0000) OR

((SYNC >>> 16) AND 0x0000 00FF)

Cipher Super Tier, ST, Feedback

ST_Feedback Register (input IntermediateStore, BottomSplash)

{

temp = IntermediateStore XOR BottomSplash

temp2 = NibblePermutation (temp)

temp3 =(temp2 >>> 8)

temp4 =(temp3 XOR SYNC_FB)

output temp4

}

where IntermediateStore is the output of the Intermediate Store & XOR and

BottomSplash is the output after the bottom splash MAJ function. The

"NibblePermutation " swaps over each individual nibble, reversing the order of the bits

e.g. bit 0 becomes 3; 1 to 2; 2 to 1; 3 to 0; 4 to 7. The whole swapped buffer is then right

rotated 8 bits.

The MAC Feedback

ST_Feedback Register (input PresBottomStore, PresMessageIn)

{

temp = PresMessageIn XOR PresBottomStore

temp2 = NibblePermutation (temp)

temp3 = temp2 XOR ST_FeedbackRegister

output temp3

}

where the BottomStore is the Message Mask and ST_Feedback Store is the same value

received in the operation above.

Data Churn Initialization

At initialization, the memories of the Store & XOR units and Feedback Stores are

initialized to 0.


The Random Controller - Clocking Mechanism

The clocking mechanism has three modules:

1. the Permutation Clocking Mechanism (the Deterministic Noise Source);

2. the Register clocking control unit and Permutation Encoder module; and

3. the Splash Matrix Selector.

Permutation Clocking Mechanism – Deterministic Noise Source [APPENX FIG 4DC1 & 4DC2]

The clocking unit contains two non-linear feedback registers and a clock-encoder unit.

The first register has 9 bits and the second has 2 bits. We denote these two registers by

ClockRegister1 and ClockRegister2, respectively.

ClockRegister1 has the following feedback behaviour:

FBbit = ClockRegister1[8] XOR NFIX(ClockRegister1) XOR RandomClockSLIP

ClockRegister1[0] = FBbit;

if (t+1) is in {2,4,5,7,8}: ClockRegister1[t+1] = ClockRegister1[t] XOR FBbit

else ClockRegister1[t+1] = ClockRegister1[t]

where NFIX(ClockRegister1)=1 if all 8 least significant bits of ClockRegister1 are 0.

RandomClocksSLIP is determined by the Permutation Encoder module.

ClockRegister2 has 2 bits that behave in the following manner:

Let FBbit = NOT (ClockRegister1[0] OR ClockRegister1[1] NOR ClockRegister1[2])

The first bit - ClockRegister2[0] =

FBbit OR (ClockRegister2[0] NAND ClockRegister2[1])

The second bit - ClockRegister2[1] = ClockRegister2[0]

The most significant bit of ClockRegister2 along with all ClockRegister1 are sent to the

clock encoder unit.

ClockRegister1 is initialized in the following manner:

ClockRegister1[0]=ClockRegister1[2]=ClockRegister1[8]=1

ClockRegister1[1]=ClockRegister1[3]=0

ClockRegister1[4..7]=Key bits 28-31 (bit 28 of the key is loaded into ClockRegister1[7])

ClockRegister2 is initialized to "11" (binary representation).

The clock-encoder unit accepts the 10 bits from the registers and outputs the following

four values: The (P)Random clock; the Juggle Toggle bit for the Splash Matrix selector

and to mask the output bits of MC1, MC2 and MC3.; the FOURTH bit (that affects the

output of the splash matrix unit); and the DAS bit which toggles Left and Right slip bits.

The encoder has 9 memory cells (flip-flops) marked from F0 to F8 which are activated on

each clock cycle.

The computation is as follows:

F3 = ClockRegister1[1] XOR ClockRegister1[5] XOR ClockRegister1[7]



F0= ClockRegister2[1] OR F4 OR F5


Outputs:

Current Compensator1= F0

Current Compensator2= F0 delayed one clock cycle.

Current Compensator1 is used to govern the activation of the tiers.

Current Compensator2 activate 'digital noise' to draw current when, as the result of

missed pulses in the (P)Random clock, not all 3 tiers are activated.

P(Random) Clock = F0 delayed one clock cycle activated through F1 and F2.

(P)Random Clock is a positive edge clock signal which is delayed one system clock

cycle. F1 and F2 generate a clock signal, synchronized to the system clock, whenever a

binary one resides on its input during the rising edge of the system clock. F0 precedes F1,

operative to delay the signal by one output cycle.

The following outputs use the QTA binary output from the Register-Clocking Control

Unit, R1 and in each case use their previous value in the next cycle (XOR and Store).

Next State (Juggle Toggle) = F6 = QTA XOR F5 XOR F3 XOR oldF6

Fourthmask = F7 = QTA XOR F5 XOR F4 XOR oldF7

DAS = F8 = QTA XOR F3 XOR F4 XOR oldF8

The output values are used only in the next clock cycle.

At initialization all cells are set to initial values see [zk-code][zk-ccc].

Register Clocking Control Units [ZK-CCC FIGS 13TCU-15BCU]

There are three register clock Control Units, which relate, via the permutation controller

to each of the three nonlinear registers. Each unit is composed of two components: A

counter and a nonlinear feedback shift register. We describe the mechanism that controls

R1, and note the differences between it and later explain the mechanisms that control R2

and R3.

The mechanism that controls R1 [APPENDIX FIG 13TCU] is composed of a 4-bit up-counter

Counter1, a 3-bit nonlinear feedback register TCnLSFR, and 1-bit memory cell MC1.

Each cycle, the counter is incremented by 1. Whenever the counter reaches 15, a slip

signal is generated, and the following values are loaded into the counter:

Counter1 [0] = R2,2[13] XOR TCnLSFR[0]

Counter1 [1] = ST,1[15] XOR TCnLSFR[0] XOR TCnLSFR[1]

Counter1 [2] =0

Counter1 [3] = ST,2[15] XOR TCnLSFR[1] XOR CompMC1

XOR JuggleToggle

Counter1 [0] is also called QTA and used to debias signals in the clock encoder.

At count 15, the output of MC1 recalculated MC1 = NOT(oldMC1) XOR Fourthmask

(from the clock-encoder)

The TCnLSFR register is a linear feedback shift register with two twists: It cannot enter

the all zero state (as then the bit that enters the least significant bit is XORed with 1) and


the feedback is XORed with the AND of the Right Middle-Tier FB and Counter1 [0].

The LFSR feedback bit is:

FBbit=oldTCnLSFR[2] XOR oldTCnLSFR[0] XOR oldNFIX3 XOR (R2,1[17]

AND oldCounter1 [0])

(NFIX3 outputs 1 only when all bits of the register save the MSB are 0).

And the register is shifted into the new stage

newTCnLSFR[0] = FBbit;

For t=1,2: newTCnLSFR[t+1] = oldTCnLSFR[t]

The clock control unit of R1 outputs the following bit:

TOP BRN=TCnLSFR[0] XOR TCnLSFR[1] XOR TCnLSFR[2]

At count 15 a SLIP signal is generated, the XOR of the DAS bit and TCnLSFR[2]

randomly selects a left slip (when the XOR is 1) or a right slip (when the XOR is 0).

As mentioned, the polarity of MC1 is reversed (complemented) at every count 15.

The mechanisms that relate to R2 and R3 have similar structure, where MCnLSFR has

five bits and BCnLSFR has six bits (in both cases there is a 4-bit counter and a memory

cell).

For the component that controls R2 the following update rules are used:

In case of a slip:

Counter2 [0] =R1,1[12] XOR R1,2[18] XOR MCnLSFR[0]

Counter2 [1] =R1,1[12] XOR MCnLSFR[0] XOR MCnLSFR[1]

Counter2 [2] =0

Counter2 [3] =MCnLSFR[2] XOR MCnLSFR[3] XOR compMC2 XOR JuggleToggle

In each cycle:

FBbit=oldMCnLSFR[4] XOR oldMCnLSFR[1] XOR (oldMCnLSFR) XOR

(R1,1[12] AND Counter2[0])

newMCnLSFR[0] = FBbit;

For t=1,..,4: newTCnLSFR[t+1] = oldTCnLSFR[t]

MID BRN=MCnLSFR[0] XOR MCnLSFR[1] XOR MCnLSFR[2]

For the component that controls R3 the following update rules are used:

In case of a slip:

Counter3 [0] =R3,1[14] XOR R3,2[16] XOR BCnLSFR[0]

Counter3 [1] =R3,1[14] XOR BCnLSFR[0] XOR BCnLSFR[1]

Counter3 [2] =0

Counter3 [3] =BCnLSFR[3] XOR BCnLSFR[4] XOR compMC3 XOR JuggleToggle

In each cycle:

FBbit=oldBCnLSFR[5] XOR oldBCnLSFR[0] XOR NFIX(oldBCnLSFR) XOR

(R3,1[14] AND Counter3 [0])

newBCnLSFR[0] = FBbit;

For t=0,..,3: newBCnLSFR[t+1] = oldBCnLSFR[t]

BOT BRN=BCnLSFR[0] XOR BCnLSFR[1] XOR BCnLSFR[2]

We note that MC1 is in the TOP control unit MC2 is in the MIDDLE, and MC3 is in the

BOTTOM control unit, and is used to configure permutations in the encoder of


[APPENDIX FIG. 10S3]. All three are updated on a count of 15 with a similar function: MCn

= NOT(oldMCn) XOR Fourthmask (from the clock-encoder)

The three xCnLFSR Clock registers as well as the three counters are initialized with 26

bits of the first key word entering the clocking mechanism (bits 0-25). TCnLSFR is

loaded with bits 0-2 of the key, where bit 0 is put into the most significant bit of the

register (and bit 2 in the least significant bit). Bits 3-6 of the key are loaded into

Counter1, where bit 3 is loaded in the most significant bit of the counter. Similarly,

MCnLSFR is loaded with bits 7-11 of the key, where bit 7 is put into the most significant

bit of the register. Bits 12-15 of the key are loaded into Counter2, where bit 12 is loaded

in the most significant bit of the counter. The same also holds for BCnLSFR, which is

loaded with bits 16-21 of the key, where bit 16 is put into the most significant bit of the

register. Bits 22-25 of the key are loaded into Counter3, where bit 22 is loaded in the

most significant bit of the counter.

The Permutation Encoder

The permutation encoder collects the results from the clocking mechanism to determine

the value of the control bits of the: EVNN (Top, Mid, Bot), Tier Clock (Top, Mid, Bot),

Brown (Top, Mid, Bot) and Slip (Left, Right, (P)Random). The encoder includes a

Johnson Counter 3 bits long (of which only a single bit is ON at any moment) driven by

the (P)Random clock.

The TOP BRN, MID BRN, and BOT BRN along with the three MC bits determine the

clocking of the registers and the value of TOP EVNN, MIDDLE EVNN, and BOTTOM

EVNN (operative in the Top and Bottom Splash Matrix units).

Let bit_inv_brwn=NOT (TOP BRN XOR MID BRN XOR BOT BRN XOR

CurrentCompensator1 ), then:

(bit Inverse Brownian)

Top EVNN = MC1 XOR bit_inv_brwn

Middle EVNN = MC2 XOR bit_inv_brwn

Bottom EVNN = MC3 XOR bit_inv_brwn

The three MC bits and the Johnson counter also affect which of the registers is NOT

clocked (outputs Y1 to Y3) according to the following select mechanism:

Y1 = (JC0 AND (NOT (MC1 OR MC3))) OR (JC2 AND (MC2 OR MC3))



These are summarised in the following table:

MC bits Johnson Counter Result

MC1 MC2 MC3 JC0 JC1 JC2 Y1 Y2 Y3

0 0 0 1 0 0 1 0 0

0 0 0 0 1 0 0 1 0

0 0 0 0 0 1 0 0 1

0 0 1 1 0 0 0 1 0

0 0 1 0 1 0 0 1 0

0 0 1 0 0 1 1 0 0


0 1 0 1 0 0 1 0 0

0 1 0 0 1 0 0 0 1

0 1 0 0 0 1 1 0 0

0 1 1 1 0 0 0 1 0

0 1 1 0 1 0 0 0 1

0 1 1 0 0 1 1 0 0

1 0 0 1 0 0 0 1 0

1 0 0 0 1 0 0 0 1

1 0 0 0 0 1 0 0 1

1 0 1 1 0 0 0 1 0

1 0 1 0 1 0 0 0 1

1 0 1 0 0 1 1 0 0

1 1 0 1 0 0 0 1 0

1 1 0 0 1 0 0 0 1

1 1 0 0 0 1 1 0 0

1 1 1 1 0 0 0 1 0

1 1 1 0 1 0 0 0 1

1 1 1 0 0 1 1 0 0

The following TMB Tier clock values are computed:

Top Clock= NOT (Y2 AND bit_inv_brwn AND CurrentCompensator1)

Middle Clock = NOT (Y3 AND bit_inv_brwn AND CurrentCompensator1)

Bottom Clock = NOT (Y1 AND bit_inv_brwn AND CurrentCompensator1)

The Brownian controlling bits are also determined by the clocking mechanism as follows:

NCUR=NOT (CurrentCompensator1)

T2=TOP BRN OR Y1 OR NCUR

M2=MID BRN OR Y2 OR NCUR

B2=BOT BRN OR Y3 OR NCUR

SENSE3 =T2 AND M2 AND B2

Mid BROWN = M2 XOR (SENSE3 AND Y1)

Bot BROWN = B2 XOR (SENSE3 AND Y2)

Top BROWN = T2 XOR (SENSE3 AND Y3)

The Slip to the Left and Right nLFSRs (Rx,1 and Rx,):

Left Slip = (Top Left Slip) OR (Mid Left Slip) OR (Bot Left Slip)

Right Slip = (Top Right Slip) OR (Mid Right Slip) OR (Bot Right Slip)

The last control bit is the RandomClockSLIP bit that is equal to:

RandomClockSLIP = LeftSLIP if bit_inv_brwn = 1

= RightSLIP if bit_inv_brwn =0


All the results (Top EVNN, Middle EVNN, Bottom EVNN, Top Clock, Middle Clock,

Bottom Clock, Mid BROWN, Bot BROWN, Top BROWN, Left Slip, Right Slip,

RandomClockSLIP) from the Permutation encoder are delayed by one clock signal to

match the (P)random clock pulse.

Splash Matrix Vector Rule Selector [APPENDIX FIG 18SSEL]

This unit is found in one of four states: choose permutation A, B, C, or D.

We denote the four states by A, B, C, and D, respectively. In each cycle, the state changes

according to the value of the two bits of the clocking unit. Table 3 gives the states, and to

which state they change according to the bits in the clocking unit:

Let these two bits be SPFF1 and SPFF2. The two bits are updated according to

SFF1 = prev SFF2 XOR TSPL[15],

SFF2 = prev SFF1 XOR TSPL[31] XOR JuggleToggle

where TSPL is the output of the Top Splash matrix. The sequence is easily understood

from the following Table 3.

Pre-state Post-State Vector Selection

SPFF1 SPFF2 TSPL[15] TSPL[31]

XOR Juggle

SFF1 SFF2 Top

SPLASH

Bottom

SPLASH

0 0 0 0 0 0 D A

0 0 0 1 0 1 B C

0 0 1 0 1 0 C D

0 0 1 1 1 1 A B

0 1 0 0 1 0 C D

0 1 0 1 1 1 A B

0 1 1 0 0 0 D A

0 1 1 1 0 1 B C

1 0 0 0 0 1 B C

1 0 0 1 0 0 D A

1 0 1 0 1 1 A B

1 0 1 1 1 0 C D

1 1 0 0 1 1 A B

1 1 0 1 1 0 C D

1 1 1 0 0 1 B C

1 1 1 1 0 0 D A

The initial state is set by two key bits (bits 26 and 27 of the key that enter the clocking

mechanism). The state chooses the entry of the Top Splash matrix, while in the Bottom

Splash matrix as is seen in the table, A� B, B�C, C�D, and D�A, i.e., when A Vector

of the Top Splash Matrix is selected, simultaneously the B Vector of the Bottom Splash

Vector is chosen.


Key Initialization: [APPENDIX FIG. 7SEQ]

The key is typically treated as an array of four or five 32-bit words. The first word is

loaded into 32 bits of the clock unit. The second word is loaded into the top tier, the third

key word is loaded into the middle tier, and the fourth key word is loaded into the bottom

tier. For 160 bit key length, a fifth key word is loaded through the MAC feedback (set the

“plaintext” to be the fifth key word). After the key is loaded it is digested, the machine is

clocked thirty two times (set the “plaintext” to zero), and the output not read. The IV is

loaded in the MAC feedback mode, after the key is digested. Note that the length of the

IV is the same as the length of the key. After the key and IV are loaded, the cipher is

clocked 16 times and its output is again not read. The ZK-Crypt engine is initialized.

Clock Bit Initialization

Bit Count Initialized element

0-2 TCnLSFR

3-6 Counter1

7-11 MCnLSFR

12-15 Counter2

16-21 BCnLSFR

22-25 Counter3

26 SFF1

27 SFF2

28-31 ClockRegister1[4..7]

Fixed Initialization

0 MC1

MC2

MC3

1 ClockRegister1[0]

ClockRegister1[2]

ClockRegister1[8]

0 ClockRegister1[1]

ClockRegister1[3]

11 ClockRegister2

1 JohnsonCounter[0]

0 JohnsonCounter[1]

JohnsonCounter[2]


The MAC Mode:

As shown in [APPENDIX FIG. 33HM & ZK-CCC] the procedure is similar to the encryption

modes. The MAC is used with 128 or 160 key bits loaded.

The stages are:

A. Initialization: The ZK-Crypt is initialized by loading the 4 (or 5 key words).

These are then digested in 8 rounds of Full-MAC feedback (the input is set to be 0 for

these words)

B. MAC Data Digest: The data is fed in, while the engine is in full MAC FB mode.

No Data is read out for the duration of the operation.

C. Interhash Digest: ZK-Crypt is run 16 cycles while the input word is set to 0, again

in full MAC feedback mode, without producing output

D. TAG generation: Output is turned on and the engine is run, in full MAC feedback

mode with the input word set to 0. The machine is cycled once for each 32 bits required

in the tag.

The full synchronized data authentication MAC FB includes an XOR combined to the

internal SYNC Counter. This affects the Super Tier and will reduce the capability of

adversaries to move word sequences in the middle of the digest stream. The Interhash

stage prevents attackers from ignoring the affects of adding a short length of contrived

words at the end of the Message. Without it, short additions might not cause changes in

the clocks, to significantly affect the output.


References:

[haifa] E. Biham & O. Dunkelman, A Framework for Iterative Hash Functions, NIST Hash Forum 2006, Santa Barbara, August 2006. [zk-ais] The AIS 32 Combination Deterministic and on-line Testable True Random Noise Generator, CDROM, available from www.FortressGB.com. [zk-a-z glos] Guide to the ZK-Crypt, An Annotated Glossary, www..FortressGB.com, London & Omer, December 2007. [zk-ccc] ZK-Crypt Circuit Concept Drawings, www..FortressGB.com, London & Omer, December 2007. [zk-code] A. Hecht, ZK-Crypt C Code Simulator, vers3, eSTREAM website, vers 3, December 30, 2006. [zk-dfb] ZK-Crypt Feedback Obviates Contrived Word Fraud, eSTREAM website, December 30, 2006. [zk-fbpat] Patent Application PCT/IL/2007001101, Orthogonal Feedback, Priority September 7, 2006. [zk-intr] C.Gressel, A.Hecht, What the Host Sees in the ZK-Crypt", www.FortressGB.com, December 2007. [zk-undr] C.Gressel, O.Dunkelman, A.Hecht, Understanding the ZK-Crypts-Ciphers for (Almost) All Reasons", www.FortressGB.com.


APPENDIX FIG. 00BASC

SU

PE

RM

IX

00

BA

SC

APPENDIX FIG 4DC1

4D

C1


4D

C2

APPENDIX FIG 4DC2

MS BITS OF ALL 8 REGISTER BANK nLFSRs TO

TMB CONTROL UNITS

LOAD TIER/CONTROL WORD ~0

CIPHER PRESET CONTROL

CIPHER RESET ~ 1

8

TOP CONFIG

CONTROL FF MC1

MIDDLE CONTROL

TOP CONTROL

FIG. 13

BOTTOM CONTROL

BITS 15-7

BITS 6-0

BITS 25-16

BOTTOM CONFIG

CONTROL FF MC3

MIDDLE CONFIG

CONTROL FF MC2

L/H SLIP

R/H SLIP

L/H SLIP

R/H SLIP

L/H SLIP

R/H SLIP

L/H nLFSRs SLIP

R/H nLFSRs SLIP

E

N

C

O

D

E

R

ACTIVE HIGH

OUT

FIG. 14

FIG. 15

~0

~0

~1

~1

~1

~1

~1

~1

(P)RANDOM CLOCK SLIP FIGS. 4xC2

PRIMARY CLOCK

ENABLE EVNN PERMUTATONS

19/12/07 19:41

DISABLE/EN

BROWNIAN

TOP BRN FROM FIG. 13

MID BRN FROM FIG. 14

BOT BRN FROM FIG. 15

M

TOP BROWNFIG. 26

MID BROWN FIG. 27

BOT BROWNFIG. 28

T3

M3

B3

SENSES IF T2=M2=B2=1

OUTPUT OF DECODER

ONLY 1 OF (Y1, Y2 or Y3) =1

2 OR 3 TIER ACTIVE/

SINGLE TIER ACTIVE

FT

MB

INV BROWN

INV BROWN

~0

~1

CURRENT

COMPENSATOR 1WHEN “EN RANDOM 2 OR 3

TIER” IS ACTIVE & INV BROWN IS

ACTIVE THEN A, B & C ARE ALL 1;

SELECTED B, M or T VIA D, E OR F

DISABLES THE TOP, MIDDLE orBOTTOM TIER CLOCK ENABLE.

EN LOAD CONTROL WORD T BRN

Y1

Y2

Y3

T2

M2

B2

Z1

Y1 MAY DISABLE T3

Z2

Y2 MAY DISABLE M3

Y3 MAY DISABLE B3

Z3

B BRNM BRN

D

E

A

WHEN (P)RANDOM CLOCK = 0,

2 OF 3 TIER ROTATED IMAGESWILL BE XORed TO THE TMB TIERS’

nLFSR PAIRS’ OUTPUT

SUPER TIER IS ALWAYS “BROWNED”

M/B/T ARE NEVER BROWN TOGETHERAT LEAST 1 OF M/T/B TIERS ALWAYS

NOT BROWNED

EST AVER # OF BROWNED TIERS -

2 TIER -36%3 TIER -64%

4 TIER - 0%

TOP TIER

CLOCK EN

MID TIER

CLOCK EN

BOT TIER

CLOCK EN

26

10

S3

CURRENT COMPENSATOR 1

STANDARD CONFIG - IF CURRENT COMPENSATOR or INV BROWN=0 > D E & F = 1

THEN ALL T M B TIER CLOCKS ARE ACTIVE - IF INV BROWN=1 > ONLY ONE OF B, M or T WILL CAUSE DISABLING OF THE TOP, MIDDLE OR BOTTOM TIER’S CLOCK SIGNAL.

B

C

CURRENT COMPENSATOR = 0 DURING MISSED (P)RANDOM CLOCK PERIOD

Y1

Y2

Y3 STANDARD

CONFIGURATION Z1=Z2=Z3=0

STANDARD

CONFIG A = B = C = 1

STANDARD CONFIG=1

STANDARD CONFIG=1

~1

STANDARD CONFIG=0

ALSO ENABLES ENCODER

EN

SEE FIGS. 10S1 & 10S2

D QS

D Q

R

MID EVNN PERMUTE

BOT EVNN PERMUTE

TO FIG 17

TO FIG 17

TOP EVNN PERMUTETO FIG 17

D QSINITS TO

1

D QSINITS TO

1

D QSINITS TO

1

D QS

D Q

R

D Q

R

INITS TO

0

INITS TO

1

INITS TO

0

D Q

R

INITS TO

0

D Q

R

INITS TO

0

D QS

D Q

R

INITS TO

0

INITS TO

1

INITS TO

1

INITS TO

0

OUTUTS TO

SCHEMATIC

FIG. 10S1

NOT PART OF KEYED WORD









KEYED WORD

NOT PART OF

KEYED WORDNOT PART OF

KEYED WORDNOT PART OF

YS

PRIMARY CLOCKP

ADVANCED XnS

ADVANCED PRIMARYP

ADVANCED PRIMARYP

ADVANCED PRIMARYP

APPENDIX FIG 10S3


LOADING INITIAL VALUES WITH FULL MAC FB

D1

EIV0

LOAD MIDDLE TIER (2)EL0

EL

EL2

EL3

LOAD CONTROL WORD (0)

LOAD TOP TIER (1)

LOAD BOTTOM TIER (3)

ELOPT

yL4

DO

LOADS ONE OPTIONAL

KEY WORD ZK-CRYPT II

4 SCRAMBLES WITH MAC FEEDBACK

(MESSAGE = 0)

L4

D2 D3

EIV3EIV2EIV1

IV1 IV2

D4

yIVn

EIV4

yIV3yIV1 yIV2 IV3

000....0000

IVn

ES0

FB

ES1 ES3

FB FB FB

ES2

FB

x2

Dm

xm

ym

Dt

xt

yt

15/01/07 16:56

D1

x1

y1

D2

y2

FBFBFB

EM2

FB FB

DO

x0

y0

FB FB FB FB FB

tL0

tL1

tL2

tL3 tL4 tS0 tS1 tS3tS2

EMtEM0 EM1 EMm

tIV1 tIV3tIV2 tIV4

tNV15

tM0 tM1 tM2 tMm tMt

5TH

OPTIONAL

IV WORD

FINALIZING IV WITH FULL MAC SCRAMBLE FEEDBACK (MESSAGE = 0)

EN/DECRYPTION of m MESSAGE WORDS with CIPHER FEEDBACK

FB

ENV0

tNV0

FB

ENV1

tNV1

FB

ENV2

tNV2

FB

ENV3

tNV3

FB

ENV12

tNV12

FB

ENV13

tNV13

FB

ENV14

tNV14

FB

ENV15

IV0

DO

yIV0

tIV0

APPENDIX FIG 07SEQ


19/12/2007 19:53

RESULT TO HOST PORT

MESSAGE IN 32

32

32

PRIMARY CLK

TOP SPLASH MATRIX & EVNN MAJ/XOR HYBRID FILTER FIG. 17

MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ MAJ

TOP STORE & XOR FIG. 33PRIMARY CLK

PRIMARY CLK

13 RIGHT ROTATE

7 LEFT ROTATE

RESULT STOREPREVIOUS RESULT

PRESENT RESULT

CIPHER MASK

LOWER MAC & CIPHER

FEEDBACK PROCESSORSEE FIGS. 34DBFB & 34TAND

PRIMARY CLK

SAMPLE RESULT

ONLY

INTERMEDIATE STORE & XOR FIG. 33PRIMARY CLK

BOTTOM STORE & XOR FIG. 33

BOTTOM SPLASH MATRIX & EVNN MAJ/XOR HYBRID FILTER FIG. 16

LOWER CIPHER

FEEDBACK

LOWER MAC FEEDBACK

NO ROTATE

UNROTATED MAC FEEDBACK32

32

B TIER 15 & 17 BIT nLFSR OUTPUT ALSO GENERATES SINGLE RROTATE IMAGE IMAGE IS (P)RANDOMLY

XORed TO nLFSRs’ OUTPUT

M TIER 18 & 14 BIT nLFSR OUTPUT ALSO

GENERATES TRIPLE RROTATE IMAGE. IMAGE IS

(P)RANDOMLY XORed TO nLFSRs’ OUTPUT

T TIER 13 & 19 BIT nLFSR OUTPUT ALSO GENERATES

SINGLE RROTATE IMAGE. IMAGE IS (P)RANDOMLY XORed TO nLFSRs’ OUTPUT

SUPER TIER 2x16 BIT nLFSRs OUTPUT ALSO GENERATING

7 LROTATE IMAGE. IMAGE IS ALWAYS XORed TO nLFSRs’ OUTPUTS. FOR SERVER AND S/W.

&

MAC MIX & MUXFIG. 34MMIX

SUPER TIER FEEDBACK

STORE FIG. 34DBDF

SUPERMIXFIG. 34SUMX

PRIMARY CLK

8 16 240 31

MULTIPROCESSOR

OPTION SEE FIG. 34TAND

2 2 2MISSING SAMPLE

RANDOM IMAGEMISSING SAMPLE

RANDOM IMAGE

MISSING SAMPLE

RANDOM IMAGE

PRIMARY CLK

UN-ROTATED SUPER

TIER

MAJ &

5 RROT MAJ IMAGE

APPENDIX FIG.11S2

D Q

R

_

Q

S D Q

R

_

Q

S D Q

R

_

Q

S

TA TB TC D

Q17 18 BIT nLFSR

FIG. 23ML R2,1[17]

Q13 14 BIT nLFSR

FIG. 20MR R2,2[13]

4

D Q

R

_

Q

S

TD

7 7

7 BITS OF CIPHER

PRESET CONTROL KEY

13TCU

(P)RANDOM

CLOCK

CIPHER RESET

3

TOP LEFT SLIP

D Q

R

S D Q

R

_

Q

S

T1 T2

19/12/07 19:55

SYNCHED TO THE SYSTEM & PRIMARY

CLOCK BUT MISSES RANDOMLY ABOUT

1 OF 12 PRIMARY PULSES

MUST PRECEDE STREAM CIPHER

INITIALIZATION

~0 EXCEPT AT COUNT 15

~1

BIT 6 OF CONTROL KEY WORD

~1 UNLESS ALL PREVIOUS Q’s

ARE EQUAL TO 1

BIT 5 OF CONTROL KEY WORD BIT 4 OF CONTROL KEY WORD


BIT 2 OF CONTROL KEY WORD BIT 1 OF CONTROL KEY WORD


TOP CONTROL

CONFIG FF MC1

TOP RIGHT SLIP

NAND CTOG

X

QT0

TO FIG. 10

TO FIG. 10

TO FIG. 10

CONTROL WORD I.C. BITS 6÷0

D Q

R

S

T0

TOP BRNTOP RANDOM BROWN

DISABLE/ EN BROWNIAN

FIG. 10

D Q

R

_

Q

MC1EN

~1

~1

das TOGGLE

dsa (AIS) SLIP TOGGLE FIG. 4C2

JUGGLE SPLASH TOGGLE FIG. 4C2

~0

NFIX3

NAND BNAND A

QT1

NAND TD

QTA DEBIASFIG 4C1

TCnLFSR

UP-COUNTS FROM RANDOM VALUESIN TA, TB & TD (0 IN TC) TO 15

COUNTER 1

IF “1” QTCt = QTCt-1

Q15 16 BIT nLFSR

FIG. 28SL-R0,1[15]

Q15 16 BIT nLFSR

FIG. 29SR R-R0,2[15]

QT0

EN LOAD CNTRL WORD

LOAD TIER/CNTRL WORDS

4TH

TOGGLE FIG. 4C2

4TH TOGGLE

THIT15

nxtTCONF FF ={ [NOT(TCONF FF)] 4TH TOGGLE} THIT15

APPENDIX FIG. 13TCU


SPLASH PERMUTATION GENERATION MODULESEE FIG. 18 – SELF INITIALIZING FOR RANDOM NUMBER GENERATION

ELSE, PART OF CONTROL UNIT INITIALIZING WORD

FOR STREAM CIPHERING AND MESSAGE AUTHENTICATION MUST BE

PART OF AN INITIALIZATION SEQUENCE

A

B

C

B04

A29A10A14A00A16A08A20A04A21A26A02A01A23A27A13A17A03A06A24A28A25A31A15A07A19A30A12A22A11A05A18

B10 B08B20B26B13B22B11B23 B05 B02B17B24B28B14B21B27B29B00B31B03B07B19B09B16B18B25B12B06B15

C10C07 C14 C29 CO3 C27 C17C28C23C24C05C22C11C21C12C26C00 C13 C25 C16 C15 C30 C20 C01 C18C09C04C02C06C08C31C19

A09

B30

D31D00 D01 D02 D03 D04 D05 D06 D07 D08 D09 D10 D11 D12 D13 D14 D15 D16 D17 D18 D19 D20 D22 D23 D24 D25 D26 D27 D28 D29 D30D21

I00 I01 I02 I03 I04 I05 I06 I07 I08 I09 I10 I11 I12 I13 I14 I15 I16 I17 I18 I19 I20 I22 I23 I24 I25 I26 I27 I28 I29 I30I21 I31

B01

D

e.g., WHEN B VECTOR IS ACTIVATED, INPUT BIT I08 IS OUTPUT BIT O19 (DIRECTED BY B19)

ENABLE SPLASH MATRICES (DISABLE FOR TESTING ONLY)

TOP SPLASH MATRIX

30/4/2007 15:21

TO INTERMEDIATE STORE & XOR

FOURTH TOGGLE

To XOR 00

TOP EVNN

PERMUTE

MID EVNN

PERMUTE

BOT EVNN

PERMUTE

FIG 10

FIG 10

FIG 4 EVNN

FROM

CELL 31

M

A

JFROM 31

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

M

A

J

FIG 10

M

A

J

From H(00)

M

A

J

To MAJ 00

32

TOP STORE & XOR

TO LOWER CIPHER FEEDBACK

SEE FIG. 34

LOAD CONTROL WORD

CIPHER CONTROL BITS 27 & 26ENABLE LOAD CONTROL WORD

JUGGLE TOGGLE

SAMPLE

2

CIPHER RESETTSPL-31 & TSPL-15

2

SYSTEM CLOCK

TOP SPLASH VECTOR A; BOTTOM SPLASH B

LOCKS ON D IF SPLASH

DISABLED

TOP SPLASH VECTOR C; BOTTOM SPLASH D

TOP SPLASH VECTOR D; BOTTOM SPLASH A

TOP SPLASH VECTOR B; BOTTOM SPLASH C

D

AB

C

TO LOWER CIPHER FEEDBACK SEE FIG. 34

TO FIG. 18

TO FIG. 18

APPENDIX FIG.17TSM

18

SS

EL

APPENDIX FIG. 18SSEL


APPENDIX FIG. 31HM

31HM

MT MAC MODE ENGINE STAGES GENERATES TAG (MESSAGE =0)

FBFB

EIH2

tIH2

FB FB FB

EIH12 EIH15

tIH12 tIH15

H0 H1 H2 HMT-1

19/12/07 20:05

FB

EIH0

tIH0

FB

EIH1

tIH1

FB

EIH3

tIH3

FB

EIH13

tIH13

FB

EIH14

tIH14

FB

DO

EMT0

tMT0 D1

FB

EMT1

tMT1 D2

FB

EMT2

tMT2

FB FB

D1

MD0

EMD0

DO

yMD0

D2 Dm-1

EMDmEMD2EMD1

MD1 MD2

DT

yMDT

EMDT

yMDm-1yMD1 yMD2 MDm-1 MDT

FB FB FB FB FB

tMD0 tMD1 tMDm-1tMD2 tMDT

EL0

EL

EL2

EL3

tL0

tL1

tL2

tL3

CIPHER

RESET

yADn-1

EAD0

FB FB

tAn-1Dn-1

EADn-1

tA0

AD0 yAD0

DO

ADn-1

32 ENGINE STAGES- MAC

FEEDBACK SCRAMBLES (MESSAGE = 0)

4 ENGINE STAGES- INITIAL 4- 32 BIT

KEY WORD LOAD

KEY EXTENSION

NO KEY EXTENSION (MESSAGE=0)

LOADING IN MAC MODE

LOADING DIRECTLY

INTO REGISTERS

m+1 MAC MODE ENGINE STAGES- MESSAGE DIGEST with TAIL WORD

16 ENGINE STAGE - MAC FEEDBACK SCRAMBLE (MESSAGE = 0)

ZK-CRYPT MAC DATA AUTHENTICATION PROTOCOL

TAIL WORD

ES31

FB FB

ES0

FB

tS31tS0

EMT-1

DMT-1

tMT-1

EMTi

DitMTi

Hi

MAC TAG

GATEWAY TO SAFE HASH CONFIGURATION


APPENDIX FIG. 32HYBF

MA

J

APPENDIX FIG. 33DACH

INSXI0

INSXO31INSXO2

INSXI2INSXI1

INSXO0 INSXO1

D Q

R

IS00

D Q

R

IS01

D Q

R

D Q

R

IS02 IS31

INSXO3

INSXI3

D Q

R

IS03

INSXO4

INSXI4

D Q

R

IS04

FB(4+7=11)FB(7) FB(1+7) FB(2+7) FB(10) FB(31+7 mod 32)=6INTERMEDIATE STORE & XORWITH 7 BIT LEFT ROTATE FEEDBACK

SAMPLE

CIPHER RESET

INSXI31

19/12/07 20:14

CIPHER RESET

BSXI0 BSXI31

CM31CM2

BSXI2BSXI1

CM0 CM1

D Q

R

BS00

D Q

R

BS01

D Q

R

D Q

R

BS02 BS31

CM3

BSXI3

D Q

R

BS03

CM4

BSXI4

D Q

R

BS04

BOTTOM STORE & XOR

SAMPLE

CIPHER MASK TO XOR TO MESSAGE

T

O

C

IP

H

ER

F

E

ED

B

AC

K

F

I

G

3

4

TOP SPLASH MATRIX & EVNN MAJ/XOR HYBRID FILTER SEE FIGS. 17 & 34

SAMPLE

CIPHER RESET

TSXI0 TSXI31

TSXO 31TSXO 2

TSXI2TSXI1

TSXO 0 TSXO 1

D Q

R

TS00

D Q

R

TS01

D Q

R

D Q

R

TS02 TS31

TSXO 3

TSXI3

D Q

R

TS03

TSXO 4

TSXI4

D Q

R

TS04

FB(4+19)FB(0-13 mod32=19) FB(1+19) FB(21) FB(22) FB(18)TOP STORE & XORWITH 13 BIT RIGHT (=19 BIT LEFT)

ROTATE FEEDBACK

BOTTOM SPLASH MATRIX & EVNN MAJ/XOR HYBRID FILTER SEE FIGS. 16 & 34

3 TIER MAJ COMBINER XORed to 5 LEFT ROTATED IMAGE SEE FIG. 11S2

33

DA

CH

F

OR

TR

ES

S G

B L

TD

Lo

nd

on

WC

1H

9L

G 2

7 P

AT

EN

TS

PE

ND

ING

A

lgorith

m S

pec_

071

22

6_

after Avi last R

W(2

).doc 1

5 J

an

uary

20

08

carm

i@fo

rtressg

b.c

om

AP

PE

ND

IX F

IG. 3

4D

BF

B

SAMPLE

FIG 3

32

13 RIGHT ROTATE TO

TOP STORE & XOR

FB TO MID TIER NO ROTATE

FB TO BOT TIER NO ROTATE

32

32CIPHER FEEDBACK

RESULT STORED & XORed

USE MAC/CIPHER FEEDBACK

FR0 FR31FR4FR3FR2FR1

C0 C31C4C3C2C1

7 LEFT ROTATE TO

INTERMEDIATE STORE & XOR

TOP/MIDDLE/BOTTOM

TIERS WITH XORED IMAGES

TOP STORE & XOR

TOP SPLASH MATRIX &

EVNN HYBRID FILTER

INTERMEDIATE STORE & XOR

H

O

S

T

USE CIPHER FEEDBACK

FR0O FR31OFR4OFR3OFR2OFR1O C0O C31OC4OC3OC2OC1O

IN THE PREFERRED MODE OF

OPERATION, 2 OR 3 TIERS ARE

ACTIVATED AT EACH STEP.

SUCH ACTIVATED TIERS XORin

FEEDBACKs INTO THE NEXT

nLFSR STATES ALONG WITH

ROTATED AND nLFSR FEEDBACK

10/12/06 10:43

FB0 FM31FB4FB3FB2FB1

LOWER FEEDBACK STORE SAMPLE

EN MAC FB

BOTTOM STORE & XOR

MESSAGE

RESULT STORED & XORed

RESULT

RESULT STORESAMPLE RESULT (ONLY) TEST MODE

&

HYBRID MAJ/XOR 32 BIT 4 TIER COMBINER

LWR CIPHER FEEDBACK

BOTTOM SPLASH MATRIX &

EVNN HYBRID FILTER

SUPER TIER TIER GENERATES 7 LEFT ROTATE IMAGE &

XORs IMAGE TO nLFSR OUTPUT WHICH IS XORed

TO 3 TIER MAJ/XOR COMBINER SEE FIGS 11S,28,29,30

FB TO TOP TIER NO ROTATE

SUPER TIER FEEDBACK STORE

32

SUPER TIER FEEDBACK

MAC MIX & MUX

SAMPLE

34CUNFILTERED SUPER TIER CIPHER FEEDBACK

RESULT

RESULT

34

BS

UP

ER

MIX

LWR FB OUTPUT BITS COMPLEMENTED

34D

BF

B

CIPHER MODE FB-

THE LOWER FEEDBACK IS A SIMPLE LOW

DENSITY FB TO 5 REGISTERS;

THE SUPER TIER FEEDBACK IS

A DENSE 32 BIT WORD (SUPERMIX)

TO THE SUPER TIER.

IN MAC FB MODE-

THE LOWER FEEDBACK IS A THE RESULT

STORE XOR THE MESSAGE XOR THE CIPHER

MASK

THE SUPER TIER FB IS THE PERMUTED

MESSAGE XOR THE CIPHER MASK XOR

THE SUPERMIX WORD.


APPENDIX FIG 34SUMX


APPENDIX FIG. 34MMIX

Documents

The ZK-Crypt III Algorithm SpecificationAlgorithm Spec_071226_after Avi last RW(2).doc 15 January 2008 [email protected] The ZK-Crypt III Algorithm Specification THE ZK-CRYPT STREAM