high-speed and secure encryption schemes based ... - World Scientific

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

Journal of Mechanics in Medicine and Biology Vol. 10, No. 1 (2010) 167–190 c World Scientific Publishing Company
DOI: 10.1142/S0219519410003307

HIGH-SPEED AND SECURE ENCRYPTION SCHEMES BASED ON CHINESE REMAINDER THEOREM FOR STORAGE AND TRANSMISSION OF MEDICAL INFORMATION

GANESH AITHAL∗,† , K. N. HARI BHAT‡ and U. SRIPATI ACHARYA† †National Institute of Technology, Karnataka Srinivasa Nagar — 575025, Karnataka, India ∗[email protected] ‡Nagarjuna

College of Engineering, Venkatagiri Kote (Post) — 562110, Bangaluru, Karnataka, India Received 9 December 2009 Accepted 28 December 2009

Medical records generated in hospitals often contain private and sensitive information. This privileged information must be prevented from falling into wrong hands. Thus, there is a strong need for developing a secure cryptographic scheme that can be adapted to use in conjunction with transmission and storage of medical information. Previous approaches have proposed the use of the advanced encryption standard (AES) algorithm for this purpose. In this article, we are proposing a new robust, high-speed, and secure cryptographic scheme that has the added advantage of being immune to side-channel attacks. In our article, we have shown that the performance of this scheme is superior in certain aspects to that of the A5/1 system used in global system for mobile (GSM) systems. The parallel architecture employed in this scheme makes it suitable to use in systems where the data-processing operations have to be carried out in real time. Residue number systems (RNS) based on Chinese remainder theorem (CRT) permits the representation of large integers in terms of combinations of smaller ones. The set of all CRT number system representation of an integer from 0 to M-1 with component wise modular addition and multiplication constitutes a direct sum of smaller commutative rings. An encryption and decryption algorithm based on the properties of direct sum of smaller rings offers distinct advantages over decimal or fixed radix arithmetic. We have utilized the representation of integers using CRT to successfully design additive, multiplicative, and affine stream cipher systems. The use of number system based on CRT allows speeding up the encryption/decryption algorithms, reduces the time complexity, and provides immunity to side-channel, algebraic, and known plain text attacks. In this article, the characteristics of additive, multiplicative, and affine stream cipher systems based on CRT number system representation have been studied and analyzed. Keywords: Stream cipher systems; key sequence; Chinese remainder theorem; sidechannel attack; time complexity of encryption/decryption algorithm; affine cipher; ring structure.

∗ Corresponding

author. 167

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

168

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

1. Introduction Patient information and medical images constitute a large chunk of the data generated in hospitals and health care centers. Increasing use of electronic diagnostic instruments contributes to the increase in the volume of data that has to be processed and stored. We now have the infrastructure to telecast critical surgical/diagnostic procedures over communication channels. Traditionally, image and text information have been separately handled.1,2 This approach leads to excessive utilization and wastage of scarce resources such as bandwidth, and memory. Hence, an approach where text and image information can be suitably combined into one entity without causing any distortion discernible to the eye will result in savings in memory, bandwidth, and transmission time over the channel. Interleaving techniques such as watermarking where data such as text file which is a one-dimensional signal is embedded into a digital image is one possible solution to this problem. The text information can be encrypted by a suitable algorithm before embedding. By doing this, twin advantages of information security as well as savings in channel resources can be realized. In general, communication channels are not secure and critical (private) data can be easily accessed by unauthorized eavesdroppers. Patient information falling into the hands of unscrupulous persons can cause severe damage to the patient and the medical institution. In order to reduce the occurrence of these nefarious activities, a strong cipher system with high immunity to various forms of attacks is highly desirable. Watermarking can be done in two major domains namely, spatial domain and frequency domain. The spatial domain method employs least significant bit (LSB) insertion.3–6 The LSB of each pixel value of the image is replaced by one bit of the ASCII character representing the text information to be watermarked. In this way, all the information that needs to be watermarked is inserted into the LSB of successive pixels in the image. Text information with 192 KB of data can be watermarked into a 256 × 256 digital color image. The mean square error between the original image and the watermarked image is so small that the human eye is not able to detect the distortion. We have used this approach in this article to embed text information after encryption into a suitable image. Nayak et al.7 have developed a scheme for reliable and robust transmission and storage for medical data. They have employed the AES algorithm to ensure the security of text information that is embedded in the image using watermarking techniques. The AES algorithm has now been in use for several years. While the AES algorithm has no known weaknesses, it is vulnerable to side-channel attacks.8 We are proposing a new security scheme that can replace any existing encryption algorithm in this application. Our algorithm has the advantages of parallelism that leads to immunity against side-channel attack. In addition, the use of modular mathematical operations results in immunity to algebraic attacks. Encryption/decryption algorithms can be performed in considerably less time because of parallelism in arithmetic operations, which makes this scheme suitable for real time applications.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

169

Residue number systems (RNS) have properties of carry free arithmetic, parallelism, and modularity. The use of RNS in conjunction with the Chinese remainder theorem (CRT) allows the development of algebraic structures, which are suitable for design of stream cipher systems. In addition, they are also employed in very high-speed low-power VLSI implementation of digital systems,9 reliable transmission of information over noisy channels,10 speech signal processing,11 and public key cipher systems.12 The CRT number system has received considerable interest in arithmetic computation and digital signal processing. The main reason for the wide-spread use of CRT is its inherent property of parallelism, which results in speeding up of addition and multiplication operations. Some applications of the CRT in various fields as described in literature summarized herewith. Hiasat13 has proposed a high-speed and reduced area modular adder structure by using RNS-based CRT. Jiang and Lee10 have synthesized large girth quasi cyclic low-density parity check (LDPC) codes by employing the CRT. Bi and Gross14 have introduced a new residue comparator based on CRT, which has been developed for three-moduli set {2n − 1, 2n , 2n + 1}. FPGA implementation results show that the proposed modulo comparators are about 20% faster and smaller than one of the previous best designs. CRT decomposition is also used in reducing chip area of edge sampler circuit.15 RNS systolic approach offers an impressive amount of fault tolerance in low-cost hardware, which is discussed in Ref. 16. RNS based on CRT is also used in cryptographic applications. CRT-based RSA is used in a wide variety of applications. A smart card application is presented in Ref. 17, with fault tolerance attack immunity. In Ref. 18, a new class of product-sum type public key cryptosystem based on CRT has been defined, which is invulnerable to low-density attack. Application of CRT in decomposition of block encrypted cipher text for transmission over multiple channels is discussed in Ref. 19. This scheme hides the cipher text in order to increase the difficulty of attacking the cipher. In this article, we have encrypted text information using a stream cipher scheme, which employs CRT to introduce parallelism in computation. This has the effect of reduction in time complexity. It also gives immunity against side-channel attacks. Encrypted text information is embedded into the image using watermarking technique (LSB insertion). The resulting watermarked image exhibits no visible distortion and is also secured against unauthorized eavesdroppers. Most of the existing stream cipher systems20–22 deal with binary plain text and key sequences. Encryption operation is generally employed by bit-by-bit mod 2 addition. Non-binary stream cipher systems employ multiplication and affine operations together with additive encryption operation. Incorporation of two different algorithms successively leads to higher security level. Stream cipher system employing binary sequences cannot support multiplication operation. This gives us the motivation to develop non-binary stream cipher systems. RNS along with CRT gives us powerful algebraic structure to implement non-binary stream cipher system with parallelism.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

170

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

Let M be the product of k direct primes or powers of primes. It is possible, using CRT representation, to decompose a large integer less than M , in to k components, which can be processed independently. A large size computational task can thus be partitioned into k smaller and independent subtasks, which can be performed in parallel. The CRT representation of integer leads to breaking down of large range integer into smaller range integers. By this process, the estimated time for encryption and decryption will reduce, without compromising on the security level. This article discusses security systems that can be derived by employing CRT representation of integers and their merits as compared to the conventional standard (A5/1) system. The level of security provided by any stream cipher system generally depends on: • number of choices of the key (order of key space), • length or period of the key, and • computational complexity of the encryption algorithm. In a stream cipher, shown in Fig. 1, the message (plain text) is a sequence of source alphabets, which is mapped to corresponding integers. Each integer representing the message alphabet is subjected to key dependent reversible mapping called encryption. The key sequence is also a sequence of integers generated randomly using any method for sequence generation.23,24 A stream cipher based on CRT representation handles smaller integers by decomposing the plain text integers into smaller ones. These smaller components can be handled independently. This feature facilitates parallel operation. This leads to reduction in time complexity without sacrificing security. One of the ways of generating key sequences is by using feedback shift registers (FSRs). The number of stages, feedback coefficients, and initial value, being kept secret, forms part of key and decides the key size. By increasing the number of stages, the period can be increased and made greater than the length of the plain text. In this case, the scheme approaches one time pad and hence is theoretically secure.25 Security systems are generally classified into two categories: strategic and tactical. In strategic applications, the security systems have to withstand attack for a

Sequence of key {Kj}

Encryption Algorithm Sequence of plain text {rj}

Sequence of cipher text {cj}

Fig. 1. Basic stream cipher system.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

171

very long duration, typically several decades. As a result, the size of the key is large. Thus, the required security can be achieved even with simple encryption algorithm such as additive cipher, multiplicative cipher, or both. The computational complexity mainly depends on encryption and decryption algorithms. Generally, security level increases with complexity. In stream cipher system, the plain text sequence {rj } is in the form of a sequence of integers, which is encrypted integer by integer using a random sequence of integers called the key sequence {Kj }, to get a sequence called cipher text {cj }. Here, rj , Kj , and cj are from Zm , the ring of residue class of integers mod m. Generally, the plain text sequence elements and key sequence elements are subjected to addition or multiplication or combinations of both, modulo an integer m. The resulting systems are respectively called as additive, multiplicative, or affine systems. The encryption algorithm can consist of addition, multiplication, or a combination of these operations operating on the elements of the key modulo m. In case of additive cipher, a single key sequence is used for encryption. In case of multiplicative cipher, a single key sequence of integers having multiplicative inverse in Zm (unit elements) is used for encryption. However, in case of affine systems, two different key sequences, one for addition and another for multiplication, are used. A basic scheme is shown in Fig. 1 corresponding to additive or multiplicative systems. The rest of the article is organized as follows. In Sec. 2, we introduce the necessary mathematical background and notation. The encryption/decryption algorithm along with performance metrics and a comparison with the standard A5/1 system is presented in Sec. 3. Security analysis of the cipher system has been elaborately explained in Sec. 4. An example illustrating the performance of the algorithm with text messages is discussed in Sec. 5. We conclude the article in Sec. 6. 2. Mathematical Preliminaries Two number systems, binary and binary-coded decimals are found to be commonly used in computers. Both are weighted number systems. Even though weighted number systems have got many advantages, the major disadvantage is speed with which arithmetic operations can be performed, because of carry propagation. One of the ways to increase the speed of arithmetic is to perform the carry-free operation in parallel. This carry-free and concurrent operations can be accomplished using the RNS based on CRT. 2.1. Number system based on CRT As mentioned earlier if plain text is a sequence of non-binary integers, it is possible to have multiplicative or affine encryption algorithms apart from additive encryption. Further computation can be carried out in parallel if large integer is decomposed and represented in terms of CRT. The details of representation of numbers in decimal, CRT, and the relation between the two have been discussed in this section.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

172

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

Let M be any composite integer, which can be expressed in terms of a product of its k factors, which are pair wise relatively prime: M=

k−1


mi ,

(1)

i=0

where, g.c.d. (mi , mj ) = 1 for all i
= j. Let r be any integer such that, 0 ≤ r ≤ M − 1. Then, if the system of congruences, r ≡ r0 mod m0 , r ≡ r1 mod m1 , r ≡ r2 mod m2 · · · r ≡ rk−1 mod mk−1 , has a unique solution r mod M , satisfying all the congruences; then, r can be uniquely represented in terms of a k tuple of CRT digits: {rk−1 , rk−2 , . . . , r1 , r0 },

(2)

where the digits ri i = 1, 2, 3, . . . , k − 1, are such that 0 ≤ ri ≤ mi − 1. Thus, “r” can be expressed in terms of a unique “k” tuple using CRT. 2.2. Conversion from fixed radix to CRT representation An integer r, 0 ≤ r ≤ M − 1 can be represented using CRT: r = rk−1 , rk−2 , rk−3 , . . . , r2 r1 r0 , where r0 = r mod m0 ,

r1 = r mod m1 , . . . , rk−1 = r mod mk−1

(3)

2.3. Conversion of CRT representation to fixed radix Suppose a positive integer r, 0 ≤ r ≤ M − 1 has CRT representation r  (rk−1 , rk−2 , rk−3 , . . . , r2 , r1 , r0 ) then r is expressible as r = (rk−1 × wk−1 + rk−2 × wk−2 + · · · , rk−3 × wk−3 , . . . , r2 × w2 + r1 × w1 + r0 × w0 ) mod M . The wj ’s are obtained as follows. We define Mj equals to M/mj , which is relatively prime to mj , 0 ≤ j ≤ k − 1. Now wj is defined as9 : wj = [{Mj−1 mod mj }Mj ] mod M k−1   and r = ri wi mod M.

(4) (5)

0

2.4. Algebraic structure of set of CRT integers Let M be as defined in Eq. (1). Consider the set S of integers {0, 1, 2, 3, . . . , M − 1}. Each integer in the set can be uniquely represented in CRT system. The set of all CRT representations of integers in set S constitutes a commutative ring, where the operation addition and multiplication are defined as below: Let the CRT representation of any integer 0 ≤ a ≤ M − 1 be (ak−1 , ak−2 , . . . , a2 , a1 , a0 ). Let another integer 0 ≤ b ≤ M − 1 be (bk−1 , bk−2 , . . . , b2 , b1 , b0 ).

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

173

Then, addition of two representations is defined as: (ak−1 ⊕ bk−1 ) mod mk−1 · · · (ai ⊕ bi ) mod mi · · · (a0 ⊕ b0 ) mod m0 .

(6)

Multiplication is defined as: (ak−1 ⊗ bk1 ) mod mk1 · · · (ai ⊗ bi ) mod mi · · · (a0 ⊗ b0 ) mod m0 .

(7)

Further additive identity be (0, 0, 0, 0, 0, . . . , 0, 0). Additive inverse of ak−1 , ak−2 , . . . , a2 , a1 , a0 is: (mk−1 ⊕ (−ak−1 )) mod mk−1 . . . (mi ⊕ (−ai )) mod mi . . . (m0 ⊕ (−a0 )) mod m0 . (8) Multiplicative identity is (1, 1, 1, 1, 1, . . . , 1, 1). Further it is verified that under these operations, the set of all k tuples satisfies the axioms of a finite commutative ring,2 called direct sum of rings Zm(k−1) , Zm(k−2) , . . . , Zmi , . . . , Zm0 and defined as Zm(k−1) ⊕ Zm(k−2) ⊕ · · · Zmi ⊕ · · · ⊕ Zm0 . Further, it is shown that this ring is isomorphic to ZM , ring of integers residue modulo M . 3. Stream Cipher Algorithm Based on CRT Representation First, we consider cipher system defined over Zm . Consider a sequence of plain text where each symbol is assigned a numerical value greater than or equal to zero and less than or equal to an integer m. Referring to Fig. 1, the encryption and decryption algorithms, for the stream cipher is defined as below. In each case, there is single stream of plain text, key sequence, and cipher text. 3.1. Additive cipher Encryption algorithm : {cj } = {rj } ⊕ {Kj } mod m

(9)

Decryption algorithm : {rj } = {cj } ⊕ {−Kj } mod m = {cj }Θ{Kj } mod m,

(10)

where −Kj is additive inverse of Kj mod m and Θ represents modular subtraction. The scheme of generating random binary sequences using feedback shift register has been discussed in Ref. 27. The same concept can be extended to generate nonbinary key sequences. In general, sequence {Kj } is non-binary. Many methods of generating sequences of random integers with desirable properties are reported in literature.23,24 3.2. Multiplicative cipher The key sequence {aj } should be a sequence of integers, which are relatively prime to m. In which case, multiplicative inverse of aj mod m exists. This a−1 j is used for

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

174

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

decryption. Encryption algorithm : {cj } = {rj } ⊗ {aj } mod m

(11)

Decryption algorithm : {rj } = {cj } ⊗ {a−1 j } mod m,

(12)

where a−1 is multiplicative inverse of aj mod m. The key sequence {aj } is genj erated using FSRs, where feedback operation is multiplication mod m of contents of selected stages to get a periodic sequence. The initial content loaded into the shift register should be a unit element in Zm . Further, the all-1 sequence or the all-0 sequence should not be used to serve as the initial contents of the register. The number of stages and initial values may be appropriately chosen, by exhaustive search, so that the resulting sequence has desired period. A scheme of generating sequences {aj } where every element of the sequence is a unit element using shift registers is discussed in Ref. 28. 3.3. Affine cipher: this is a combination of additive and multiplicative cipher Encryption algorithm : let{c
j } = {rj } ⊕ {Kj } mod m, The cipher text : {cj } = {c
j } ⊗ {aj } mod m Decryption algorithm :

{c
j }

= {cj } ⊗

{a−1 j }

(13) modm

The plain text {rj } = {c
j } ⊕ {−Kj } mod m

or {rj } = {c
j }Θ{Kj } mod m, (14)

where the key sequence {aj } satisfies the conditions of Sec. 3.2. 3.4. Encryption based on CRT Because of its properties, CRT representation, in general, is well suitable for parallel arithmetic computation. But in case of cipher systems, the plain text is subjected to a key dependent reversible mapping. Every integer representation of plain text, 0 ≤ r ≤ M − 1, can be uniquely represented by k tuple in CRT number system. The encryption operation, uses the key to map the plain text k tuple to a cipher text k tuple. The corresponding decimal value is not of interest here. During decryption, the inverse mapping is employed to map the cipher text k tuple to the corresponding original plain text k tuple. The plain text sequence is decomposed in to k parallel sequences using CRT. Random key sequences {Kij } and {aij } have to be generated for additive and multiplicative ciphers where, i = 0, 1, 2, 3, . . . , k − 1 and j = 0, 1, 2, 3, . . . . In the case of affine cipher, both key sequences have to be generated. The generated key sequences are such that, 0 ≤ Kij < mi , and 1 ≤ aij < mi . The generation of these sequences using FSR has been discussed in Secs. 3.1 and 3.2, respectively. As shown in Fig. 2 each component of the

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

{ Kij }

{ aij }

.... .

.....

{ ri }

175

.

.

.

.

.

. Additive Encryption

{ ci }

Multiplicative Encryption

Fig. 2. Basic model of encryption based on CRT system.

sequence {rij }i = 0, 1, 2, 3, 4, 5, . . . , k − 1 and j = 0, 1, 2, . . . is encrypted using the corresponding key sequence {Kij } and/or {aij } to get sequence of cipher text {cij }i = 0, 1, 2, 3, . . . , k − 1 and j = 0, 1, 2, 3, . . . . As mentioned earlier, the sequence {aij } should comprise of unit elements. The encryption and decryption algorithms are identical to those specified in Eqs. (9)–(14), except that the plain text sequence, key sequence and cipher text sequence are all streams of k tuples. The encryption algorithms are defined as follows. 3.4.1. Additive cipher system {cij } = [{rij } ⊕ {Kij }] mod mi ,

i = 0, 1, 2, 3, . . . , k − 1 and j = 0, 1, 2, 3. (15)

The basic scheme is shown in Fig. 2, with all ai ’s as 1’s and Ki ’s satisfies the conditions of Sec. 3.1. 3.4.2. Multiplicative cipher system {cij } = [{rij } ⊗ {aij }] mod mi i = 0, 1, 2, 3, . . . , k − 1 and j = 0, 1, 2, 3, . . . . (16) The scheme is similar to that shown in Fig. 2, with all Ki ’s as ‘0’s and ai ’s satisfies the conditions of 3.2. 3.4.3. Affine cipher system {c
ij } = {rij } ⊕ {Kij } mod mi

and {cij } = {c
ij } ⊗ {aij } mod mi

i = 0, 1, 2, 3, . . . , k − 1 and j = 0, 1, 2, 3, . . . . The scheme is similar to that shown in Fig. 2.

(17)

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

176

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

The key sequences {Kij } and {aij } must satisfy the conditions mentioned in Secs. 3.1–3.3. The k encryption operations can be carried out in parallel. 3.5. Decryption algorithm based on CRT representation Having received components {cij } of cipher text sequentially; the first step is to convert the cipher text into parallel blocks of k components. The decryption can also be done in parallel as shown in Fig. 3. The plain text sequence {rij } is obtained from the received cipher text and −1 locally generated key sequence {−Kij } or {a−1 ij } at the receiver. The {aij } are generated as discussed in Sec. 3.2, with initial content being multiplicative inverse of initial content used for encryption. Suppose {cij } is the received cipher text. The decryption algorithms are defined as follows. 3.5.1. Additive cipher {rij } = {cij } ⊕ {−Kij } mod mi

or {rij } = {cij }Θ{Kij } mod mi

i = 0, 1, 2, 3, . . . , k − 1 and j = 0, 1, 2, 3, . . . .

(18)

3.5.2. Multiplicative cipher {rij } = {cij } ⊗ {a−1 ij } mod mi i = 0, 1, 2, 3, . . . , k − 1

and j = 0, 1, 2, 3, 4, . . . . (19)

{ aij-1}

{ Kij-1 }

{ ri }

{ ci }

Multiplicative Decryption

Additive Decryption

Fig. 3. Basic model of decryption based on CRT system.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

177

3.5.3. Affine cipher {c
ij } = {cij } ⊗ {a−1 ij } mod mi and {rij } = {c
ij } ⊕ {−Kij } mod mi or {rij } = {c
ij }Θ{Kij } mod mi i = 0, 1, 2, 3, . . . , k − 1

and j = 0, 1, 2, 3, . . . (20)

From the algorithm, it is observed that the encryption of plain text integer is component-wise addition or multiplication or both. This denotes that the encryption of the plain text is evaluated component wise in parallel. In parallel operation, the time taken for encryption of plain text is the time taken for its largest CRT component. The time estimation of the arithmetic operation can be expressed in terms of bit operation as given in Koblitz.29 It can be shown that, two decimal numbers “x” and “y” with x > y, the number of bit operation for addition is given by (2 log2 x+ 2) and for multiplication is (log2 x+ 1)2 , respectively. The same can be extended to CRT system. The bit operations can also be expressed in terms of “O” notation.29 It can be easily shown that the time complexity for additive and multiplicative encryption is respectively O log (mj ) and O(log mj )2 where mj is max (m0 , m1 , . . . , mk−1 ). The time taken for arithmetic operation can be reduced further by using look up table to carry out modular arithmetic operation for encryption and decryption. As discussed earlier, the plain text elements are mapped to corresponding integers. To evaluate the performance, the cipher text elements are converted into corresponding integers using CRT to decimal conversion. The performance of the encryption algorithms is investigated on the basis of following parameters: • the standard deviation of the number of occurrences of the cipher text elements, • the entropy of the set of all cipher text elements, • the histograms of plain text and cipher text for the additive, multiplicative, and affine cipher systems. • the mean value of absolute difference between integer corresponding to cipher text and plain text. Avalanche effects of the algorithms are also observed by encrypting the same plain text with two different key sequences generated using initial values differing in onebit position. The avalanche effect is represented graphically by plotting the two cipher text values for the same plain text and is shown in Figs. 4–6, respectively for additive, multiplicative, and affine cipher systems. The standard deviation of number of occurrence of cipher text element is compared as follows: Let ni be the number of occurrence of integer ‘i’ in cipher text 0 ≤ i < M . Let N be the total number of integers in the sequence. Then, mean value of number of occurrence M−1 1  ni , N →∞ M i=0

n = Lim

(21)

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

178

frequency of occurrence

Histogram of plain text 500 400 300 200 100 0 1

18

35

52

69

86

103

120

137

154

171

188

205

222

239

256

character

Frequency of Occurrence of Character

Fig. 4. Histogram of plain text of 3000 characters chosen for encryption. Hstogram of cipher text 30 25 20 15 10 5 0 1

12

23

34

45

56

67

78

89

100

111

122

133

144

155

166

177

188

199

210

221

232

243

254

ASCII value of Character

Fig. 5. Histogram of the additive cipher system with three-tuple CRT number with m0 = 3, m1 = 5, and m2 = 17 and initial values of FSRs are as shown in Table 2. For all three shift registers, content of stages 14 and 15 are added mod mi and feed back, i = 0, 1, and 3.

Frequency of Occurrence of Character

Hystogram of Cipher Text 40 35 30 25 20 15 10 5 0 1

12

23

34

45

56

67

78

89

100

111

122

133

144

155

166

177

188

199

210

221

232

243

254

ASCII value of Character

Fig. 6. Histogram of the multiplicative cipher system with three-tuple CRT number with m0 = 3, m1 = 5, and m2 = 17 and initial values of FSRs are as shown in Table 3 for channel 3. For all three shift registers content of stages 14 and 15 are added modulo mi and feedback, i = 0, 1, and 3.

where N =

M−1 i=0

ni . Then, standard deviation σ is given by:   M−1  1  σ= (ni − n)2 . M i=0

(22)

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

179

A small value of σ indicates that every integer occurs almost equal number of times in the cipher text sequence of length N . This provides security against statistical attack. Entropy is a measure of uncertainty. Entropy of a source is maximum when all the elements in the source occur with equal probability. Let pi be the probability of occurrence of integer ‘i’ in the cipher text sequence i = 0, 1, 2, . . . , M − 1 and pi = LimN →∞ (ni/N ). Further, entropy is defined as: Entropy = Lim

N →∞

M−1  i=0

pi log2

1 bits/cipher text elements pi

(23)

A high value of entropy implies better level of security. A histogram is a plot of ni verses i i = 0, 1, . . . , M − 1. The integer i may corresponds to plain text or cipher text. A flat histogram of cipher text indicates that all cipher text elements occur equal number of times. The mean absolute value difference is defined as: Mean absolute difference =

N 1  |cj ∼ rj |, N i=1

(24)

where cj is cipher text integer and rj is plain text integer. A large value of absolute mean difference indicates very small residual information in the cipher text.

4. Security Analysis Shannon25 has proved that by making the statistical relation between plain text and cipher text and cipher text and key complex the cipher system can be made secure against statistical attacks. The first technique is called diffusion and the second one is referred to as confusion. Further in a stream cipher system, if the period of the key sequence is larger than the length of plain text the cipher system approaches one time pad, which is theoretically secure.30 It is seen that the proposed scheme exhibits diffusion and confusion. By properly choosing the number of stages of shift register, it is possible to have the period of key sequence larger than plain text sequence length and thus make the scheme approach one time pad. The proposed scheme has immunity against attacks such as exhaustive key search, algebraic attack, and side-channel attacks. A brief discussion follows. 4.1. Exhaustive key search Given a certain amount of known key stream from the key stream generator, the most obvious way to determine the state of generator is to search through all possible states, checking for the match between the resulting and observed key streams. This search is conducted by guessing all the values of the inner state. For each guess, the attacker generates all values of the generator and compares the result with the known key stream; if they differ, the guess is discarded as being wrong. Otherwise the guess is added to the set of possible key candidates. The

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

180

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

method of encryption and key generation discussed is based on FSR. The total number of states for a binary FSR is 2L , for non-binary case of arithmetic modulo m, the number of states will be mL , where L is the number of stages of FSR. In our scheme, there are k FSRs, which generate k different key sequences. The number of stages of FSR used and the number of factors of the CRT system used decides the key space. An increase in number of factors of M increases the number of FSR used. In cryptographic algorithm, key space refers to the set of all possible keys. In the proposed system the key space depends on: (i) n1 , number of possible stages of FSR; (ii) n2 , number of possible feedback coefficients of the FSR used in key generation; (iii) n3 , number of possible seed values; (iv) The selection of M with number of factors, k; (v) number of choices (s) for choosing factors of M to represent CRT system; and (vi) the order (d) in which the factors are chosen for representing M in CRT number system. Some of the properties of i, ii, and iii using binary valued FSRs are discussed in Ref. 27. The fourth, fifth, and sixth properties depend on the characteristics of CRT system representation and these properties form part of the key. For brute force attack, the number of trials A, a cryptanalyst has to perform is given by the product of the above factors. This implies: A = n1 × n2 × n3 × k × s × d.

(25)

By proper choice of these numbers, wherever possible the value of A can be made sufficiently large depending on the application. 4.2. Algebraic attack Algebraic attack on stream cipher is to find and solve appropriate system of multivariate linear equations in order to break the target cryptosystem.31,32 Algebraic attack can be foiled by using nonlinear feedback in the generation of key sequence. Generation of key sequence {Kij } using shift register employs addition mod mi and generation of key sequence {aij } using shift register employs multiplication mod mi . Thus, whether it is addition or multiplication mod mi , the feedback is nonlinear. Hence, the proposed scheme is immune against algebraic attack. 4.3. Side-channel attack Side-channel attacks are based on the physical implementation of a cryptographic algorithm rather than a mathematical attack on the algorithm itself.8 Many types of side-channel attacks have been described in literature Refs. 8, 31 and 32. The AES algorithm is vulnerable to differential power side-channel attack.8 Using this scheme, one can find secret key or plain text or both even by analyzing the processing system. These cipher systems are generally implemented on a physical device that interacts with and is influenced by the environment. Electronic devices such as computers, mobiles, and smart cards pagers consume power and emit radiations as they operate. They also react to temperature changes and electromagnetic fields.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

181

The performance of a certain specific operation in them takes specified duration. All these facts can be used for cryptanalysis. If computations are processed in parallel with a parallel architecture for computation, it is possible to avoid side-channel attack.35,36 The proposed system supports parallel operation for encryption and decryption by using CRT system. This ensures that the system becomes immune to side-channel attack. The application of the proposed scheme is illustrated by two examples. In the first example, we have illustrated the various figures of merit that quantify the strength of the scheme by considering a paragraph consisting of 3000 characters from a text book on cryptography.37 In the second example, we have illustrated the working of the cipher system in the context of watermarking of text information in an image file. The proposed scheme is compared with the standard binary stream cipher A5/138 recommended for GSM. The comparison is made from the viewpoint of entropy of set of cipher text, standard deviation of number of occurrences of cipher text characters, mean absolute difference between cipher text and plain text integers, and histogram of plain text and cipher text. 5. Examples We will give two examples to illustrate the working of our stream cipher system. In the first example, we quantify mathematically the figure of merits associated with this scheme. This gives a feel for the robustness and security offered by the cipher system. In the second example, we have taken a sample text file containing medical information, encrypted it using our algorithm and embedded it into an image file. We demonstrate the working of the decryption algorithm by removing the watermarked information from the image file and extracting the text information from it. These steps are illustrated in Figs. 7–12.

Frequency of occurrence of character

Histogram of cipher text 25

20

15

10

5

0 1

12

23

34

45

56

67

78

89

100

111

122

133

144

155

166

177

188

199

210

221

232

243

254

ASCII value of character

Fig. 7. Histogram of the affine cipher system with three-tuple CRT number with m0 = 3, m1 = 5, and m2 = 17 with initial values of FSRs for additive and multiplicative keys are given in Table 4. For all three shift registers, of additive and multiplicative content of stage 14, 13, 11, and 9 are added, and multiplied modulo mi respectively and feedback, i = 0, 1 and 3.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

G. Aithal, K. N. Hari Bhat & U. S. Acharya

182

Integer value of plainr / cipher text

00330

PT

300

CT

250

CT K2=1

200 150 100 50 0 1

4

7

10 13 16 19 22 25 28 31 34 37 40 43 46 49 52 55 58 61 64 67 70 73 76 79 82 85 88 91 94 97 jth value of plain / cipher text

Integer value of plain / cipher text

Fig. 8. Plot of plain text, and cipher text with one-bit change in key sequence for additive cipher with m0 = 3, m1 = 5, and m2 = 17. PT

300

CT CT K2=2

250 200 150 100 50 0 1

4

7

10

13

16

19

22

25

28

31 34

37

40

43

46

49

52

55

58

61

64

67

70

73

76

79

82

85

88

91

94

97

jth value of plain / cipher text

Integer value of plain / cipher text

Fig. 9. Plot of plain text, and cipher text with one-bit change in key sequence for multiplicative cipher with m0 = 3, m1 = 5, and m2 = 17. PT

300

CT CT K2=2

250 200 150 100 50 0 1

4

7

10 13 16 19 22 25 28 31 34 37 40 43 46 49 52 55 58 61 64 67 70 73 76 79 82 85 88 91 94 97

jth value of plain / cipher text

Fig. 10. Plot of plain text, and cipher text with one-bit change in key sequence for affine cipher with m0 = 3, m1 = 5, and m2 = 17.

Fig. 11. Plain text of patient information.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

183

Fig. 12. Cipher text to be embedded.

5.1. Example 1 The proposed data encryption and decryption algorithms take an eight-bit binary block and map into another eight-bit block. Each eight-bit pattern corresponds to one of 256 characters or analog level or pixel of an image. For the sake of obtaining good mathematical structure, only 255 levels are considered (0–255). The highest two levels are merged. These 255 levels can be regarded as elements from ring Z255 . The number 255 has factor 17, 5, and 3. The group 255 can be decomposed into external direct sum of Z17 , Z5 , and Z3 . In this section, encryption and decryption algorithms based on isomorphic structure Z255 ∼ = Z17 ⊕ Z5 ⊕ Z3 is discussed. In encryption algorithm, plain text rεZ255 is mapped into a three-tuple r0 , r1 , and r2 , where r0 = r mod m0 , r1 = r mod m1 , and r2 = r mod m2 and m0 = 3, m1 = 5, and m2 = 17. Let K00 , K10 , K20 , . . . , K(i−1)0 be key sequences for additive cipher system, generated by using sequence generator over Z3 for the r0 stage, Z5 for r1 stage and Z17 for r2 stage. By choosing one-key sequence for each for the stage, say K00 , K01 , and K02 , we obtain the ordered pair cipher text c0 , c1 , and c2 . This three tuple of cipher text is mapped into a decimal integer c, using: r=

k−1=2  j=0

r wj , j

where the wj are defined as wj = [{Mj−1 mod mj }Mj ] mod M and ri ε{0, 1, 2, 3, . . . , (mi − 1)}, i = 0, 1, . . . , k − 1 as in Eq. (4). In decryption algorithm, the mapped decimal cipher text cεZ255 is converted into ordered tuple c0 , c1 , and c2 of CRT digits, corresponding to the rings Z3 , Z5 , and Z17 . This CRT number is then converted into a decimal number (plain text). To evaluate the performance of the system, quantitatively and graphically, we introduce the following parameters: (i) standard deviation, (ii) entropy, and (iii) absolute mean difference. These are computed as discussed in Sec. 3.5. Histogram of plain and cipher texts have been plotted for our scheme and the standard A5/1 scheme. Let binary 8 bit (pattern)

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

184

be defined by Pi , where index i is decimal equivalent of binary pattern for example P0 = 00000000, P1 = 00000001, . . . , P253 = 11111101, . . . , P254 = 11111110, and P255 = 11111110. We consider P254 = P255 for the last two integer values to make it convenient to get good algebraic structure. As mentioned earlier a paragraph of 3000 characters is taken, the frequency of occurrence of each character is found out, and is plotted against character represented as ASCII. This gives the distribution of ASCII characters in plain text. The cipher scheme is now used to obtain cipher text. The measures of standard deviation, entropy, and mean absolute difference for cipher text have been computed and tabulated in Table 1. In this example, a paragraph of text having 3000 characters from a text file is used to simulate a finite discrete information source. These 3000 characters are converted into appropriate eight-bit ASCII integers sequence {rj }. The sequences of integers {rj } are converted into sequences of three CRT representation integer tuples with factors as m0 = 3, m1 = 5, and m2 = 17, as {r0j }, {r1j }, and {r2j }, respectively. All the digit sequences are processed in three separate channels for encryption with a key sequence as per the Eqs. (15)–(17) receptively for additive, multiplicative, and affine cipher systems. The key sequence is generated using a 15-stage linear feedback shift register, with feedback and initial conditions chosen to satisfy conditions given in Secs. 3.1–3.3. After encryption, the cipher text sequence of each channel {c0j }, {c1j }, and {c2j } are transmitted sequentially by employing parallel to serial conversion. After receiving the sequences at receiving end these are converted into the three parallel sequences. These three parallel sequences are processed for decryption, separately in three channels with locally generated key sequences, using linear feedback shift registers, as per Eqs. (18)– (20), and conditions given in Secs. 3.1–3.3.

Table 1. The value of entropy, standard deviation, and mean absolute difference, for three different CRT cipher systems with additive multiplicative, affine, and A5/1 system.

S. No

Scheme of encryption

Entropy

Absolute mean difference

1

Additive cipher with three digit of RNS based on CRT with m0 = 3, m1 = 5, and m2 = 17

1.85380

7.93151

83.34

2

Multiplicative cipher with three digit of RNS based on CRT with m0 = 3, m1 = 5, and m2 = 17

2.84181

7.65330

80.63

3

Affine cipher with three digit of residue number system based on CRT with m0 = 3, m1 = 5, and m2 = 17

1.91246

7.92437

79.59

4

A5/1 encryption system with random seed key elements

4.4084

7.89677

84.89

Standard deviation

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

185

Table 2. Initial conditions of FSRs SR1 , SR2, and SR3 for additive cipher system. Shift register stage

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

Initial values

1 1 1

2 2 2

1 3 3

2 4 4

1 1 5

2 2 6

1 3 7

2 4 8

1 0 9

2 1 10

1 2 11

2 3 12

1 4 13

2 0 14

1 1 15

SR1 SR2 SR3

Table 3. Initial conditions of FSRs SR1 , SR2, and SR3 for multiplicative cipher system. Shift register stage

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

Initial values

2 1 1

1 2 2

2 3 3

1 4 4

2 1 5

1 2 6

2 3 7

1 4 8

2 1 9

1 2 10

2 3 11

1 4 12

2 1 13

1 2 14

2 3 15

SR1 SR2 SR3

Table 4. Initial conditions of FSRs SR1 , SR2, and SR3 for both multiplicative and additive cipher system. Shift register stage Additive

Initial values

Multiplicative

Initial values

SR1 SR2 SR3 SR1 SR2 SR3

1

2

3 4

5

6

7 8

1 2 2 2 2 2

2 3 2 1 3 2

1 1 4 2 1 4

1 3 6 2 3 6

2 1 7 1 1 7

1 2 8 2 2 8

2 2 4 1 2 5

2 3 9 1 3 9

9

10

11

12

13

14

15

1 1 10 2 1 10

2 2 11 1 2 11

1 3 12 2 3 12

2 1 13 1 1 13

1 2 14 2 2 14

2 3 15 1 3 15

1 1 16 2 1 16

As discussed earlier, histogram is defined as the plot of ni v/s Pi . Both plain text and cipher text histograms are plotted. The avalanche effect is observed by encrypting plain text with randomly chosen key. The resulting cipher text is compared with the cipher text, which is obtained by changing one digit of the key. Keeping plain text same with variation in one digit of key, there is large variation in cipher text as shown in the Figs. 8–10. 5.2. Example 2 In this example application of proposed algorithm in transmission or storage of encrypted medical information by embedding the same in image is illustrated. The additive cipher has been employed in this case. We have taken a sample text file representing patient information and encrypted it using our encryption algorithm. The plain text and cipher text are illustrated in Figs. 11 and 12, respectively. The original image is shown in Fig. 13. Cipher text information is embedded into this image and the resulting image with watermarked text is shown in Fig. 14. It can be observed that there is no distortion discernible to the naked eye in the interleaved image.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

186

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

Fig. 13. Original image.

Fig. 14. Interleaved image.

In Figs. 15 and 16, we show the encrypted text file extracted from the image and the plain text after decryption, respectively. Thus, this example illustrates the working of the steam cipher scheme operating on medical data. We see that critical patient information is exactly recovered without any error.

6. Conclusion It is has been demonstrated in this article that CRT representation of integers can be advantageously used to design robust stream cipher systems. CRT representation

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

187

Fig. 15. Encrypted image extracted from image.

Fig. 16. Patient information after decryption.

of integers aids in parallel processing of both encryption and decryption algorithms thus, reducing time complexity. It is also seen that properties of confusion and diffusion, which make the cipher system strong and secure, are inherently present. The modular arithmetic employed in the system makes the system immune to algebraic attack. Immunity to side-channel attack is a result of parallel processing employed in the system. It is also shown by means of example that all the symbols of the cipher text occur with almost equal probability, which provides immunity against cipher text only attack. The scheme also exhibits avalanche effect. By proper choice of number of stages of shift register and hence the period of key sequence, it is possible to make the scheme theoretically secure (the system can be made to approach a one-time pad). The proposed scheme is compared with standard binary stream cipher A5/1 recommended for GSM. If the comparison metric is standard deviation, the proposed scheme is superior by a considerable margin over A5/1. With regard to entropy and mean absolute value metrics, the performance of the system is very close to that of A5/1.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

188

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

A secure cipher system with strong immunity to various types of attacks in which the mathematical operations of encryption and decryption can be performed in real time is of utmost importance in applications where huge amount of data have to be securely stored and/or transmitted. Biomedical applications constitute a typical example of such systems where high-speed and secure information transfer is very vital. A technique in which encrypted patient information (text) is interleaved with physiological signals (medical image) has been described. This technique has three major advantages. (1) Security of patient information is strengthened (2) Channel resource utilization is improved. (3) Reduction in computation time required for encryption and decryption. We feel that the cipher system proposed by us has several advantages over AES or A5/1 in any application where speed and immunity to side-channel and algebraic attacks are essential. As compared to AES and A5/1, our scheme has the advantage of being algorithmically simpler while not compromising on security or robustness.

References 1. Digital imaging and communications in medicine (DICOM), National Electrical Manufacturers Association, Rosslyn, Virginia USA, DICOM Committee, 2001. 2. Sergio SF, Marina SR, Ramon AM, Marcelo S, Nivaldo B, Gustavo HMBM et al., Managing medical images and clinical information:InCor’s experience, IEEE Trans Inf Technol Biomed 11(1):17–24, 2007. 3. Shoemaker C, Independent Study, Hidden bits: a survey of techniques for digital watermarking, EER-290 Prof Rudko, Spring 2002. 4. Chung YY, Wong MT, Implementation of digital watermarking system, Dig Tech Pap IEEE Int Conf Consum Electron 214–215, 2003. 5. Gonzales RC, Woods RE, Eddins SL, Digital image processing using MATLAB, Prentice-Hall, 2004. 6. Gonzales RC, Woods RE, Digital Image Processing, 2nd edn., Prentice-Hall, 2001. 7. Nayak J, Bhat PS, Acharya R, Kumar MS, Efficient storage and transmission of digital fundus images with patient information using reversible watermarking technique and error control codes, J Med Syst 163–171, 2009. 8. Goodwin J, Wilson PR, Advanced encryption standard (AES) implementation with increased DPA resistance and low overhead circuits and systems, IEEE International Symposium ISCAS 2008, 18–21 May 2008, pp. 3286–3289, 2008. 9. Szabo NS, Tanaka RI, Residue Arithmetic and Its Applications to Computer Technology, McGraw-Hill Publication, 1967. 10. Jiang X, Lee MH, Large girth quasi-cyclic LDPC codes based on the Chinese remainder theorem, IEEE Commun Lett 13(5), May 2009. 11. Houenstein M, A computationally efficient algorithm for calculating loudness patterns of narrowband speech, IEEE Trans. on Acoustics, Speech, and Signal Processing ICASSP-97, 2:1311–1314, 1997. 12. Ciet M, Neve M, Peeters E, Jacques J, Parallel FPGA implementation of RSA with reduced number system — can side channel threat be avoided? UCL Crypto group du Levant, 3 1348 Louvain-La-Neuva, Belgium.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

00330

High-Speed and Secure Encryption Schemes Based on CRT

189

13. Hiasat AA, High-speed and reduced area modular adder structure for RNS, IEEE Trans Comput 51(1):84–89, 2008. 14. Bi S, Gross WJ, The mixed radix and its applications to residue comparison, IEEE Trans Comput 57(12):1624–1632, 2008. 15. Chren Jr. WA, Low-area edge sampler using the chinese remainder theorem, IEEE Trans Instrum Meas 48(4):793–797, 1999. 16. Cosentino RJ, Fault tolerance in a systolic residue arithmetic processor array, IEEE Trans Comput 37(7):886–890, 1988. 17. Liu S, King B, Wang W, A CRT-RSA algorithm secure against hardware fault attack, Proceeding of the 2nd IEEE Dependable, Autonomic and Secure Computing (DASC’06), pp. 1–7, 2006. 18. Murakami Y, Katayanagi K, Kasahara M, A new class of cryptosystems based on the chinese remainder theorem, International Symposium on Information Theory and Applications, ISITA 2008, Auckland, New Zealand, 7–10, December, 2008. 19. Abdelhamid AS, Belel AA, Secure transmission of sensitive data using multiple channels, IEEE International Conference on Computer System Application 3rd ACS, 6th January 2005. 20. Halevi S, Coppersmith D, Jutla CS, Scream: A Software-Efficient Stream Cipher. In Fast Software Encryption — FSE 2002, Lecture Notes in Computer Science, SpringerVerlag, pp. 195–209, 2002. 21. Rose GG, Turing PH, A fast stream cipher. In Fast Software Encryption, FSE 2003, Springer-Verlag, pp. 290–306, 2003. 22. Watanabe D, Furuya S, Yoshida H, Takaragi K, Preneel B, A new Keystream Generator MUGI, In Fast Software Encryption, FSE 2002, Springer-Verlag, pp. 179–194, 2002. 23. Kunth DD, Art of Computer Programming Semi Numerical Algorithm Vol. 2, Third Edition, Pearson Education Inc. Publication, 2006. 24. Banks J, Carson II JS, Nicol DM, Discrete-Event System Simulation, Prentice Hall, 2002. 25. Shannon C, Communication theory and secrecy system, Bell System Technical J 4:1949. 26. Hungerford TW, Algebra, Springer-Verlag, New York Inc., 2004. 27. Rueppl A, Stream cipher, In Contemporary Cryptography, N.Y. IEEE Press, 1992. 28. Hari Bhat KN, Amberker BB, Sequences of unit over ring Zm of integer modulo m, National Communication Conference (NCC), IIT Kanpur, 1995. 29. Koblitz N, A Course in Number Theory and Cryptography, Springer-Verlag, New York, p. 11, 1987. 30. Vernam GS, Cipher printing telegraph systems for secret wire and radio telegraphic communications, J IEEE 55:109–115, 1926. 31. Penzhorn WT, Algebraic attack on cipher system, IEEE AFRICON 969–973, 2004. 32. KIM JY, Song HY, A nonlinear boolean function with good algebraic immunity, IEEE Proc IWSDA ’07, 94–98, 2007. 33. Moradi A, Khatir M, Salmasizadeh M, Shalmani MTM, Charge recovery logic as a side channel attack countermeasure, Quality of Electronic Design ISQED 2009, 16–18 March 2009, pp. 686–691, 2009 34. Kocher PC, Timing attacks on implementations of diffie-Hellman, RSA, DSS, and other systems, In Advances in Cryptology, CRYPTO 96, Vol. 1109 of LNCS, Springer, pp. 104–113, 1996. 35. Ciet M, Neve M, Peeters E, Jacques J, Parallel FPGA implementation of RSA with reduced number system — can side channel threat be avoided?, UCL Crypto Group du Levant, 3 1348 Louvain-La-Neuva, Belgium.

April 17, 2010 14:17 WSPC/S0219-5194/170-JMMB

190

00330

G. Aithal, K. N. Hari Bhat & U. S. Acharya

36. Bajard J-C, Imbert L, A full RNS implementation of RSA, IEEE Trans Comput 53(6):769–774, 2004. 37. Simmons GJ, Contemporary Cryptology: The Science of Information Integrity, WileyIEEE Press, 1992. 38. Recommendation of GSM 02.09 European Telecommunication Standards institute (ETSI), Security Aspects.