Clock and Periodic Computing Machines

Abstract

A new computational machine is invented, called a clock machine, that is a novel alternative to computing machines (digital computers) based on logic gates. In an embodiment, computation is performed with one or more clock machines that use time, and can perform any Boolean function. In an embodiment, a cryptographic cipher is implemented with random clock machines, constructed from a non-deterministic process, wherein the compiled set of instructions (i.e., the implementation of the cryptographic procedure) is distinct on each device or chip that executes the cryptographic cipher. In an embodiment, by using a different set of clock machines to execute two different instances of the same cryptographic procedure, each execution of a procedure looks different to malware that may try to infect and subvert the cryptographic procedure. This cryptographic process helps hinder timing attacks. In an embodiment, a detailed implementation of the Midori cipher with random clock machines is described.

Claims

1. A computing system for performing a computational procedure comprising: wherein a procedure performs a finite number of Boolean operations; constructing a first method of a multiplicity of possible methods for a first instance of the procedure; performing the first instance of the procedure with one or more clock or periodic machines; constructing a second method of the multiplicity of possible methods for a second instance of the procedure; and performing the second instance of the procedure with the one or more clock or periodic machines; wherein the one or more periodic machines performing the first instance of the procedure are not identical to the one or more periodic machines performing the second instance of the procedure; wherein the first instance of the procedure and the second instance of the procedure perform a same Boolean function, but the first instance of the procedure performs the Boolean function, via the first method, and the second instance of the procedure performs the Boolean function, via the second method.

2. The computing system of claim 1 wherein at least one clock or periodic machine uses a prime number of states to compute an instance of the procedure.

3. The computing system of claim 1 wherein the constructing of the first instance of the procedure and the constructing of the second instance of the procedure are based on a non-deterministic process.

4. The computing system of claim 1 wherein at least one of the clock machines performing the second instance of the procedure has a different period than each of the clock machines performing the first instance of the procedure.

5. The computing system of claim 1 wherein at least one clock machine is implemented with one or more flip flops.

6. The computing system of claim 5 wherein said flip flops are implemented with a semiconductor material.

7. The computing system of claim 1 wherein the procedure implements at least part of a Midori cipher.

8. The computing system of claim 1 wherein the procedure implements at least part of a cryptographic cipher.

9. A computing process for performing a computational procedure comprising: constructing a first method of a multiplicity of possible methods for a first instance of a procedure; performing the first instance of the procedure with one or more clock machines; constructing a second method of the multiplicity of possible methods for a second instance of the procedure; and performing the second instance of the procedure with one or more clock machines; wherein the one or more clock machines performing the first instance of the procedure are not identical to the one or more clock machines performing the second instance of the procedure; wherein the first instance of the procedure and the second instance of the procedure perform a same Boolean function, but the first instance of the procedure performs the Boolean function, via the first method, and the second instance of the procedure performs the Boolean function, via the second method; wherein the constructing of the first instance of the procedure and the constructing of the second instance of the procedure are based on a non-deterministic process.

10. The process of claim 9 wherein at least one clock or periodic machine uses a prime number of states to compute an instance of the procedure.

11. The process of claim 9 wherein at least one of the clock machines performing the second instance of the procedure has a different period than each of the clock machines performing the first instance of the procedure.

12. The process of claim 9 wherein the first instance of the procedure uses two or more clock machines and at least two clocks have a different number of periods.

13. The machine of claim 9 wherein at least one clock machine is implemented with one or more flip flops.

14. The machine of claim 13 wherein said flip flops are implemented with a semiconductor material.

15. The machine of claim 9 wherein at least one of the clock machines is implemented as a virtual machine.

16. The process of claim 9 wherein the procedure implements the Midori cipher.

17. The process of claim 9 wherein the the non-deterministic process is based at least on a behavior of photons.

18. The process of claim 17 wherein said photons are absorbed by a photodetector.

19. The process of claim 17 further comprising: emitting the photons from a light emitting diode.

20. A computing machine for performing computations comprising: one or more periodic machines that comprise the computing machine; wherein an input to each periodic machine is a time state; wherein each periodic machine generates an output; wherein each periodic machine has a period and a phase; wherein the phase is a time state at which the periodic machine's output changes; wherein a multiple of the period plus the phase is a time at which the periodic machine's output changes; wherein the combining of one or more outputs from each periodic machine generates the output for the computing machine; wherein the output is a voltage; wherein said combining comprises the following: there are n distinct periodic machines with n≥1; each periodic machine producing the output from the input time state; wherein a high voltage output at the input time state represents a 0 bit in the computation; wherein a low voltage output at the output time state represents a 1 bit in the computation.

Description

DESCRIPTION OF FIGURES

[0025] In the following figures, although they may depict various examples of the invention, the invention is not limited to the examples depicted in the figures.

[0026] FIG. 1A shows a [2, 0] clock machine 102 and below it a [3, 1] clock machine 104.

[0027] FIG. 1B shows a [7, 3] clock machine 112 and below it a [13, 6] clock machine 114.

[0028] FIG. 1C shows a standard clock, indicating the time 3 o'clock. In terms of the hour, the standard clock has twelve time states: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 and 12. On the standard clock, the small hand and large hand indicate the hour and minutes, respectively. When the minute and the hour are used to indicate the time state, the standard clock has 60*12=720 distinct time states.

[0029] FIG. 1D shows a Boolean circuit built from logic gates that computes Boolean function ƒ: {0, 1}.fwdarw.{0, 1} such that ƒ(x.sub.0 x.sub.1 x.sub.2 x.sub.3)=[(¬x.sub.2)∧(¬x.sub.3)]∨[x.sub.0∧x.sub.1∧x.sub.2∧(¬x.sub.3)]∨[(¬(x.sub.0∧x.sub.1))∨(¬x.sub.2)∨x.sub.3].

[0030] FIG. 2A shows an embodiment of a computer network system using clock machines inside each computer node. In some embodiments, the execution may be over the Internet or a part of a network that supports an infrastructure such as the electrical grid, a financial exchange, or a power plant, which can be used with the embodiments of FIG. 1A and FIG. 1B.

[0031] FIG. 2B shows an embodiment of a clock machine hardware architecture, which includes a processor that computes using clock machines, memory and input/output system, which may be using the clock machines of of FIG. 1A and FIG. 1B.

[0032] FIG. 3 shows an embodiment of one or more clock machines, combining to implement the sequence of instructions in machine procedures 1, 2, 3 and 4. Procedures 1, 2, 3 and 4 are comprehensively specified in section 6.6, titled CLOCK MACHINE COMPUTATION. In an embodiment, FIG. 3 represents a virtual machine implementation. In another embodiment, FIG. 3 represents a hardware implementation.

[0033] FIG. 4A shows a D-type flip flop (hardware) implemented with NAND gates. Q′ equals NOT Q.

[0034] FIG. 4B shows a D-type flip flop (hardware) in a form so that the internal implementation in terms of NAND gates is not shown. This diagram of a D-type flip flop is convenient for representing the D-type flip flop as a building block for clock machines.

[0035] FIG. 4C shows a D-type flip flop with the output of Q′ feeding back into input D of the flip flop, where Q′ is the logical NOT of Q. The waveforms show the behavior of output Q. Output Q flips its state from 0 to 1 or 1 to 0 upon every downward edge of the clock signal, labelled CLK.

[0036] FIG. 4D shows a hardware implementation of a [p, 0] clock machine, using two clock signals I and p and a single D-type flip flop that has the same feedback structure as FIG. 4C. p is the amount of time that clock signal stays high before it switches to low (0) for a short period of time, when clock signal I is low. This hardware implementation, using a D-type flip flop is independent of the physical units of time. In a hardware embodiment, clock signal I may have a period of 1 millisecond and so clock signal p has a period of p milliseconds. In an embodiment, clock signal I may have a period of 1 nanosecond and clock signal p has a period of p nanoseconds.

[0037] FIG. 5A shows an embodiment of a non-deterministic process, based on quantum randomness. Non-deterministic process 542 is based on the quantum behavior of photons. Non-deterministic process 542 contains a light emitting diode 546 that emits photons and a phototransistor 544 that absorbs photons.

[0038] FIG. 5B shows an embodiment of a non-deterministic process, based on quantum randomness. Non-deterministic process 552 is based on the quantum behavior of photons. Non-deterministic process 552 contains a light emitting diode 556 that emits photons and a photodiode 554 that absorbs photons.

[0039] FIG. 6 shows a light emitting diode 602, which emits photons and in some embodiments is part of the non-deterministic process. The light emitting diode contains a cathode, a diode, an anode, one terminal pin connected to the cathode and one terminal pin connected to the anode, a p-layer of semiconductor, an active region, an n-layer of semiconductor, a substrate and a transparent plastic case.

[0040] FIG. 7 shows some 2-clocks, 3-clocks and some prime clock sums in the abelian group .

[0041] FIG. 8 shows some 5-clocks and some 5-clock sums projected into the abelian group Ω.sub.2 that has 2 distinct time states as output.

[0042] FIG. 9 shows some prime clocks and their sum in the abelian group Ω.sub.5, which has 5 distinct time states.

[0043] FIG. 10 shows all 7-clock machines, projected into abelian group Ω.sub.2.

[0044] FIG. 11 shows all 16 Boolean functions ƒ.sub.k: {0, 1}.sup.2.fwdarw.{0, 1}, their respective truth tables and a corresponding prime clock sum machine that implements each of these 16 Boolean functions. These 16 Boolean functions include the standard logic gates such as AND, OR, NOT, NAND, XOR, and NOR. Thus, this truth table demonstrates that prime clock sums can act as computational primitives.

[0045] FIG. 12 shows a complete specification of 2-bit multiplication in terms of the 4 Boolean multiplication functions .sub.0: {0, 1}.sup.4.fwdarw.{0, 1}, .sub.1: {0, 1}.sup.4.fwdarw.{0, 1}, .sub.2: {0, 1}.sup.4.fwdarw.{0, 1}, and .sub.3: {0, 1}.sup.4.fwdarw.{0, 1}.

[0046] FIG. 13 shows block size, key size, cell size and number of rounds parameters for two versions of the Midori cipher: Midori 64 and Midori 128.

[0047] FIG. 14 shows a complete specification of the Midori 4-bit bijective substitution boxes S.sub.0 and S.sub.1.

[0048] FIG. 15 shows the Midori Round constants.

[0049] FIG. 16 shows a specification of the Midori 64 Boolean functions π.sub.0∘S.sub.0, π.sub.1∘S.sub.0, π.sub.2∘S.sub.0, and π.sub.3∘S.sub.0 and corresponding random prime clock sum machines that compute these 4 functions. The random prime clock sum machines were constructed with machine procedure 5.

[0050] FIG. 17 shows a specification of the Midori 128 Boolean functions π.sub.0∘S.sub.1, π.sub.1∘S.sub.1, π.sub.2∘S.sub.1, and π.sub.3∘S.sub.1 and corresponding random prime clock sum machines that compute these 4 functions.

[0051] FIG. 18 shows CPU time tests on prime clock machines [p, t], where p is prime number in the set {2, 3, 5, 7, 11, 13, 17, 19} and starting time state t satisfies 0≤t<p.

[0052] FIG. 19 shows random prime clock sum machines that compute affine maps used by the Midori cipher.

[0053] FIG. 20 shows a (p, 0) periodic machine that has period p and generates a pulse at time 0, time p, time 2p, time 3p, and so on. Time state 0 is called the phase of the clock machine. In an embodiment, V is the voltage, and the height of the pulse is measured in volts.

[0054] FIG. 21 shows a (p, i) periodic machine that has period p and generates a pulse at time i, time i+p, time i+2p, time i+3p, and so on. Time state i is called the phase of the clock machine. In an embodiment, V is the voltage, and the height of the pulse is measured in volts.

[0055] FIG. 22 shows a) p, i(periodic machine that has period p and generates an inverted pulse at time i, time i+p, time i+2p, time i+3p, and so on. Time state i is called the phase of the clock machine. In an embodiment, V is the voltage, and the height of the inverted pulse is measured in volts.

[0056] FIG. 23 shows how to build a (p, 1) periodic machine (where i=1 in FIG. 21) from a D flip-flop and a clock input that has two consecutive pulses.

DETAILED DESCRIPTION

Machine Terms and Definitions

[0057] In this specification, the term “location” may refer to geographic locations and/or storage locations. A particular storage location may be a collection of contiguous and/or noncontiguous locations on one or more machine readable media. Two different storage locations may refer to two different sets of locations on one or more machine-readable media in which the locations of one set may be intermingled with the locations of the other set.

[0058] In this specification, the term “machine-readable medium” refers to any non-transitory medium capable of carrying or conveying information that is readable by a machine. One example of a machine-readable medium is a computer-readable medium. Another example of a machine-readable medium is paper having holes that are detected that trigger different mechanical, electrical, and/or logic responses. The term machine-readable medium also includes media that carry information while the information is in transit from one location to another, such as copper wire and/or optical fiber and/or the atmosphere and/or outer space.

[0059] In this specification, the term “process” refers to a series of one or more operations. In an embodiment, “process” may also include operations or effects that are best described as non-deterministic. In an embodiment, “process” may include some operations that can be executed by a digital computer program and some physical effects that are non-deterministic, which cannot be executed by a digital computer program and cannot be performed by a finite sequence of processor instructions.

[0060] In this specification, the term “procedure” refers to a sequence of one or more instructions, executed by a machine. A procedure typically is executed by a finite machine that executes a finite number of instructions with finite memory.

[0061] In this specification, machine-implemented procedures and processes execute algorithms and combine non-deterministic processes with a machine. The formal notion of “algorithm” was introduced in Turing's work [29] and refers to a finite machine that executes a finite number of instructions with finite memory. In other words, an algorithm can be executed with a finite number of machine instructions on a processor. “Algorithm” is a deterministic process in the following sense: if the finite machine is completely known and the input to the machine is known, then the future behavior of the machine can be determined. In contrast, there is hardware that can measure quantum effects from photons (or other physically non-deterministic processes), whose physical process is non-deterministic. The recognition of non-determinism produced by quantum randomness and other quantum embodiments is based on decades of experimental evidence and statistical testing. Furthermore, the quantum theory derived from the Kochen-Specker theorem and its extensions [19, 8]—predicts that the outcome of a quantum measurement cannot be known in advance and cannot be generated by a Turing machine (digital computer program). As a consequence, a physically non-deterministic process cannot be generated by an algorithm: namely, a sequence of operations executed by a digital computer program. FIG. 5A and FIG. 5B show embodiments of a non-deterministic process arising from quantum events; that is, the emission and absorption of photons.

[0062] Some examples of physically non-deterministic processes are as follows. In some embodiments that utilize non-determinism, photons strike a semitransparent mirror and can take two or more paths in space. In one embodiment, if the photon is reflected by the semitransparent mirror, then it takes on one bit value b∈{0, 1}; if the photon passes through by the semitransparent mirror, then the non-deterministic process produces another bit value 1−b. In another embodiment, the spin of an electron may be sampled to generate the next non-deterministic bit. In still another embodiment, a protein, composed of amino acids, spanning a cell membrane or artificial membrane, that has two or more conformations can be used to detect non-determinism the protein conformation sampled may be used to generate a non-deterministic value in {0, . . . n−1} where the protein has n distinct conformations. In an alternative embodiment, one or more rhodopsin proteins could be used to detect the arrival times of photons and the differences of arrival times could generate non-deterministic bits. In some embodiments, a Geiger counter may be used to sample non-determinism

[0063] In this specification, the term “photodetector” refers to any type of device or physical object that detects or absorbs photons. A photodiode is an embodiment of a photodetector. A phototransistor is an embodiment of a photodetector. A rhodopsin protein is an embodiment of a photodetector.

Non-Deterministic Processes

[0064] FIG. 5A shows an embodiment of a non-deterministic process 542 arising from quantum events: that is, non-deterministic process 542 uses the emission and absorption of photons for its non-determinism. In FIG. 5A, phototransistor 544 absorbs photons emitted from light emitting diode 546. In an embodiment, the photons are produced by a light emitting diode 546. In FIG. 5B, non-deterministic process 552 has a photodiode 554 that absorbs photons emitted from light emitting diode 556. In an embodiment, the photons are produced by a light emitting diode 556.

[0065] FIG. 6 shows a light emitting diode (LED) 602. In an embodiment, LED 602 emits photons and is part of the non-deterministic process 542 (FIG. 5A). In an embodiment, LED 602 emits photons and is part of the non-deterministic process 552 (FIG. 5B). LED 602 contains a cathode, a diode, an anode, one terminal pin connected to the cathode and one terminal pin connected to the anode, a p-layer of semiconductor, an active region, an n-layer of semiconductor, a substrate and a transparent plastic case. The plastic case is transparent so that a photodetector outside the LED case can detect the arrival times of photons emitted by the LED. In an embodiment, photodiode 544 absorbs photons emitted by LED 602. In an embodiment, phototransistor 554 absorbs photons emitted by LED 602.

[0066] The emission times of the photons emitted by the LED experimentally obey the energy-time form of the Heisenberg uncertainty principle. The energy-time form of the Heisenberg uncertainty principle contributes to the non-determinism of non-deterministic process 542 or 552 because the photon emission times are unpredictable due to the uncertainty principle. In FIG. 5A and FIG. 5B, the arrival of photons are indicated by a squiggly curve with an arrow and by next to the curve. The detection of arrival times of photons is a non-deterministic process. Due to the uncertainty of photon emission, the arrival times of photons are quantum events.

[0067] In FIG. 5A and FIG. 5B, by refers to the energy of a photon that arrives at photodiode 544, respectively, where h is Planck's constant and v is the frequency of the photon. In FIG. 5A, the p and n semiconductor layers are a part of a phototransistor 544, which generates and amplifies electrical current, when the light that is absorbed by the phototransistor. In FIG. 5B, the p and n semiconductor layers are a part of a photodiode 554, which absorbs photons that strike the photodiode.

[0068] A photodiode is a semiconductor device that converts light (photons) into electrical current, which is called a photocurrent. The photocurrent is generated when photons are absorbed in the photodiode. Photodiodes are similar to standard semiconductor diodes except that they may be either exposed or packaged with a window or optical fiber connection to allow light (photons) to reach the sensitive part of the device. A photodiode may use a PIN junction or a p-n junction to generate electrical current from the absorption of photons. In some embodiments, the photodiode may be a phototransistor.

[0069] A phototransistor is a semiconductor device comprised of three electrodes that are part of a bipolar junction transistor. Light or ultraviolet light activates this bipolar junction transistor. Illumination of the base generates carriers which supply the base signal while the base electrode is left floating. The emitter junction constitutes a diode, and transistor action amplifies the incident light inducing a signal current.

[0070] When one or more photons with high enough energy strikes the photodiode, it creates an electron-hole pair. This phenomena is a type of photoelectric effect. If the absorption occurs in the junction's depletion region, or one diffusion length away from the depletion region, these carriers (electron-hole pair) are attracted from the PIN or p-n junction by the built-in electric field of the depletion region. The electric field causes holes to move toward the anode, and electrons to move toward the cathode; the movement of the holes and electrons creates a photocurrent. In some embodiments, the amount of photocurrent is an analog value, which can be digitized by a analog-to-digital converter. In some embodiments, the analog value is amplified before being digitized.

[0071] In an embodiment, the sampling of the digitized photocurrent values may converted to threshold times as follows. A photocurrent threshold θ is selected as a sampling parameter. If a digitized photocurrent value i.sub.1 is above θ at time t.sub.1, then t.sub.1 is recorded as a threshold time. If the next digitized photocurrent value i.sub.2 above θ occurs at time t.sub.2, then t.sub.2 is recorded as the next threshold time. If the next digitized value i.sub.3 above θ occurs at time t.sub.3, then t.sub.3 is recorded as the next threshold time.

[0072] After three consecutive threshold times are recorded, these three times can determine a bit value as follows. If t.sub.2−t.sub.1>t.sub.3−t.sub.2, then the non-deterministic process produces a 1 bit. If t.sub.2−t.sub.1<t.sub.3−t.sub.2, then the non-deterministic process produces a 0 bit. If t.sub.2−t.sub.1=t.sub.3−t.sub.2, then NO bit information is produced. To generate the next bit, non-deterministic process 542 or 552 continues the same sampling steps as before and three new threshold times are produced and compared.

[0073] In an alternative sampling method, a sample mean μ is established for the photocurrent, when it is illuminated with photons. In some embodiments, the sampling method is implemented as follows. Let i.sub.1 be the photocurrent value sampled at the first sampling time. i.sub.1 is compared to μ. ∈ is selected as a parameter in the sampling method that is much smaller number than μ. If i.sub.1 is greater than μ+∈, then a 1 bit is produced by the non-deterministic process 542 or 552. If i.sub.1 is less than μ−∈, then a 0 bit is produced by non-deterministic process 542 or 552. If i.sub.1 is in the interval [μ−∈, μ+∈], then NO bit is produced by non-deterministic process 542 or 552.

[0074] Let i.sub.2 be the photocurrent value sampled at the next sampling time. i.sub.2 is compared to μ. If i.sub.2 is greater than μ+∈, then a 1 bit is produced by the non-deterministic process 542 or 552. If i.sub.2 is less than μ−∈, then a 0 bit is produced by the non-deterministic process 542 or 552. If i.sub.2 is in the interval [μ−∈, μ+∈], then NO bit is produced by the non-deterministic process 542 or 552. This alternative sampling method continues in the same way with photocurrent values i.sub.3, i.sub.4, and so on. In some embodiments, the parameter ∈ is selected as zero instead of a small positive number relative to μ.

[0075] Some alternative hardware embodiments of a non-deterministic process are described below. In some embodiments that utilize non-determinism to produce random clock machines, a semitransparent mirror may be used. In some embodiments, the mirror contains quartz (glass). The photons that hit the mirror may take two or more paths in space. In one embodiment, if the photon is reflected, then the non-deterministic process creates the bit value b∈{0, 1}; if the photon is transmitted, then the non-deterministic process creates the other bit value 1−b. In another embodiment, the spin of an electron may be sampled to generate the next non-deterministic bit. In still another embodiment of generating random clock machines, a protein, composed of amino acids, spanning a cell membrane or artificial membrane, that has two or more conformations can be used to detect non-determinism the protein conformation sampled may be used to generate a value in {0, . . . n−1} where the protein has n distinct conformations. In an alternative embodiment, one or more rhodopsin proteins could be used to detect the arrival times t.sub.1<t.sub.2<t.sub.3 of photons and the differences of arrival times (t.sub.2−t.sub.1>t.sub.3−t.sub.2 versus t.sub.2−t.sub.1<t.sub.3−t.sub.2) could generate non-deterministic bits that produce random values.

[0076] In some embodiments, the seek time of a hard drive can be used as random values as the air turbulence in the hard drive affects the seek time in a non-deterministic manner. In some embodiments, local atmospheric noise can be used as a source of random values. For example, the air pressure, the humidity or the wind direction could be used. In other embodiments, the local sampling of smells based on particular molecules could also be used as a source of non-determinism.

[0077] In some embodiments, a Geiger counter may be used to sample non-determinism and generate random values. In these embodiments, the unpredictability is due to radioactive decay rather than photon emission, arrivals and detection.

One-Way Hash Functions

[0078] A one-way hash function Φ, has the property that given an output value z, it is computationally intractable to find an information element m.sub.z such that Φ(m.sub.z)=z. In other words, a one-way function Φ is a function that can be easily computed, but that its inverse Φ.sup.−1 is computationally intractable to compute [9]. A computation that takes 10.sup.101 computational steps is considered to have computational intractability of 10.sup.101.

[0079] More details are provided on computationally intractable. In an embodiment, there is an amount of time T that encrypted information must stay secret. If encrypted information has no economic value or strategic value after time T, then computationally intractable means that the number of computational steps required by all the world's computing power will take more time to compute than time T. Let C(t) denote all the world's computing power at the time t in years.

[0080] Consider an online bank transaction that encrypts the transaction details of that transaction. Then in most embodiments, the number of computational steps that can be computed by all the world's computers for the next 30 years is in many embodiments likely to be computationally intractable as that particular bank account is likely to no longer exist in 30 years or have a very different authentication interface.

[0081] To make the numbers more concrete, the 2013 Chinese supercomputer that broke the world's computational speed record computes about 33,000 trillion calculations per second [12]. If T=1 one year and we can assume that there are at most 1 billion of these supercomputers. (This can be inferred from economic considerations, based on a far too low 1 million dollar price for each supercomputer. Then these 1 billion supercomputers would cost 1,000 trillion dollars.). Thus, C(2014)×1 year is less than 10.sup.9×33×10.sup.15×3600×24×365=1.04×10.sup.33 computational steps.

[0082] As just discussed, in some embodiments and applications, computationally intractable may be measured in terms of how much the encrypted information is worth in economic value and what is the current cost of the computing power needed to decrypt that encrypted information. In other embodiments, economic computational intractability may be useless. For example, suppose a fusion power plant wants to keep its codes and infrastructure unbreakable to cyber terrorists. Suppose T=2000 years because it is about twice the expected lifetime of the power plant. Then 2000 years×C(4017) is a better measure of computationally intractable for this application. In other words, for critical applications that are beyond an economic value, one should strive for a good estimate of the world's computing power.

[0083] One-way functions that exhibit completeness and a good avalanche effect or the strict avalanche criterion [32] are preferable embodiments: these properties are favorable for one-way hash functions. The definition of completeness and a good avalanche effect are quoted directly from [32]: [0084] If a cryptographic transformation is complete, then each ciphertext bit must depend on all of the plaintext bits. Thus, if it were possible to find the simplest Boolean expression for each ciphertext bit in terms of plaintext bits, each of those expressions would have to contain all of the plaintext bits if the function was complete. Alternatively, if there is at least one pair of n-bit plaintext vectors X and X, that differ only in bit i, and ƒ(X) and ƒ(X.sub.i) differ at least in bit j for all {(i, j): 1≤i, j≤n}, the function ƒ must be complete. [0085] For a given transformation to exhibit the avalanche effect, an average of one half of the output bits should change whenever a single input bit is complemented. In order to determine whether a m×n (m input bits and n output bits) function ƒ satisfies this requirement, the 2.sup.m plaintext vectors must be divided into 2.sup.m−1 pairs, X and Z.sub.j such that X and X.sub.j differ only in bit i. Then the 2.sup.m−1 exclusive-or sums V.sub.i=ƒ(X)⊕ƒ(X.sub.i) must be calculated. These exclusive—or sums will be referred to as avalanche vectors, each of which contains n bits, or avalanche variables.

[0086] If this procedure is repeated for all i such that 1≤i≤m and one half of the avalanche variables are equal to 1 for each i, then the function ƒ has a good avalanche effect. Of course this method can be pursued only if m is fairly small; otherwise, the number of plaintext vectors becomes too large. If that is the case then the best that can be done is to take a random sample of plaintext vectors X, and for each value i calculate all avalanche vectors V.sub.i. If approximately one half the resulting avalanche variables are equal to 1 for values of i, then we can conclude that the function has a good avalanche effect.

[0087] A hash function, also denoted as Φ, is a function that accepts as its input argument an arbitrarily long string of bits (or bytes) and produces a fixed-size output of information. The information in the output is typically called a message digest or digital fingerprint. In other words, a hash function maps a variable length m of input information to a fixed-sized output, Φ(m), which is the message digest or information digest. Typical output sizes range from 160 to 512 bits, but can also be larger. An ideal hash function is a function Φ, whose output is uniformly distributed in the following way: Suppose the output size of Φ is n bits. If the message m is chosen randomly, then for each of the 2.sup.n possible outputs z, the probability that Φ(m)=z is 2.sup.−n. In an embodiment, the hash functions that are used are one-way.

[0088] A good one-way hash function is also collision resistant. A collision occurs when two distinct information elements are mapped by the one-way hash function Φ to the same digest. Collision resistant means it is computationally intractable for an adversary to find collisions: more precisely, it is computationally intractable to find two distinct information elements m.sub.1, m.sub.2 where m.sub.1≠m.sub.2 and such that Φ(m.sub.1)=Φ(m.sub.2).

[0089] A number of one-way hash functions may be used to implement one-way hash function 148. In an embodiment, SHA-512 can implement one-way hash function 148, designed by the NSA and standardized by NIST [25]. The message digest size of SHA-512 is 512 bits. Other alternative hash functions are of the type that conform with the standard SHA-384, which produces a message digest size of 384 bits. SHA-1 has a message digest size of 160 bits. An embodiment of a one-way hash function 148 is Keccak [6]. An embodiment of a one-way hash function 148 is BLAKE [2]. An embodiment of a one-way hash function 148 is GrØstl [13]. An embodiment of a one-way hash function 148 is JH [33]. Another embodiment of a one-way hash function is Skein [11].

Symbol Meanings and Machine Notation

[0090] The symbol ¬ represents the unary NOT gate. ¬(0)=1 and ¬(1)=0. The symbol ∨ represents the binary OR gate. 0∨0=0 and 0∨1=1∨0=1∨1=1. The binary AND gate is represented with ∧. 1 ∧1=1 and 0∧1=1∧0=0∧0=0. In the prior art, gates are typically implemented with transistors.

[0091] A bit has two states 0 or 1. In some embodiments, a bit is represented with voltage. In another embodiment, a bit may be represented with the polarization of a photon. The expression {0, 1 }.sup.n represents the set of all n-bit strings. There are 2.sup.n different n-bit strings. The expression {0, 1}.sup.4 represents the all 4-bit strings. 0101 is a 4-bit string. There are 16 different 4-bit strings

[0092] Symbol denotes the integers and the non-negative integers. For any n∈ such that n≥2 and a∈ such that 0≤a≤n−1, consider the equivalence class [a]={a+kn:k∈} that is a subset of . Let .sub.n={[0], [1], . . . , [n−1]}. mod is the modulo function and a mod n is the remainder when a is divided by n. In the standard manner, (.sub.n, +.sub.n) is an abelian group, where binary operator +.sub.n is defined as [a]+.sub.n[b]=[(a+b) mod n]. For clarity, the brackets are sometimes omitted and [a]∈.sub.n is represented with the integer a, satisfying 0≤a≤n−1. The field .sub.2 is the two elements {0, 1}, where + is addition modulo 2 and multiplication * is equal to ∧ (AND).

[0093] The least common multiple of positive integers a and b is lcm(a, b). The greatest common divisor of a and b is gcd(a, b). Let p.sub.1=2, p.sub.2=3, p.sub.3=5, p.sub.4=7, . . . where the nth prime number is p.sub.n,. Let p be an odd prime. p is called a 3 mod 4 prime if

[00007]$\frac{p-1}{2}$

is odd. p is called a 1 mod 4 prime if

[00008]$\frac{p-1}{2}$

is even. log.sub.2(n) is the logarithm base 2 of n. [x]=the smallest integer l such that l≥x.

Clock Machine Specifications

[0094] This section provides specifications and procedures related to prime clocks executing in one or more prime clock machines.

Machine Specification 1. Prime Clock Machine

[0095] Let p be a prime number. Let t∈ such that 0≤t≤p−1. Define prime clock machine [p, t]: .fwdarw. as [p, t](m)=(m+t) mod p. Prime clock machine [p, t] is called a p-clock machine and is a computational machine that starts ticking (i.e., starts changing its time state) with its hand pointing to t; this is another of saying that its time state starts at t. The number p is the total number of time states that the clock [p, t] has.

[0096] In some embodiments, p is a composite number. Herein the expression clock [p, s] always assumes that the starting time state s satisfies 0≤s≤p−1. Thus, if p≠q or s≠t, then prime clock [p, s] is not equal to prime clock [q, t]; equivalently, if p=q and s=t, then [p, s]=[q, t]. If p≠q, the clock [p, s] has a different number of time states than clock [q, t]. If s≠t, the clock [p, s] has a different starting time state than clock [q, t].

[0097] In machine specification 1, the phrase clock machine was chosen because p-clock machines have some similarities to traditional 12-clocks common in some homes. It is important to recognize that clock machine [p, t] is a computational machine that has different physical instantiations, depending on the hardware or software embodiment.

[0098] In some software embodiments, the clock machine is a virtual machine. A virtual machine means the clock machine may be implemented in C source code or Python source code or another suitable programming language. The source code implementation of the clock machine is compiled to execute on a standard operating system such was Windows, Linux, or Apple OS.

[0099] A clock machine should not be confused with a CPU clock that is built from transistor gates and uses a crystal to provide the voltage oscillations and voltage changes in the transistor gates.

[0100] Another notable difference is that CPU clocks typically tick based on a power of 2; that is, 2.sup.n where n is a positive integer. Clock machines tick (i.e., changes its time state) usually based on clocks that use prime numbers as the number of states in the clock. In a 7-clock, the prime clock machine ticks based on 7 distinct states {0, 1, 2, 3, 4, 5, 6} before it repeats. FIG. 10 shows some different 7-clock machines.

[0101] For the nth prime p.sub.n, let .sub.n={[p.sub.n, 0], [p.sub.n, 1], . . . , [p.sub.n, p.sub.n−1]} be the distinct p.sub.n-clocks. The collection of all prime clocks is defined as

[00009]$\begin{array}{cc}\mathrm{��}=\underset{n=1}{\overset{\infty }{.Math.}}{\mathrm{��}}_n& \left(6.1\right)\end{array}$

[0102] For n≥2, let Ω.sub.n=. Define Π.sub.n: .fwdarw.Ω.sub.n as the projection of each p-clock machine into Ω.sub.n where Π.sub.n([p, t](m))=[p, t](m) mod n.

Machine Specification 2.

[0103] Let n∈ such that n≥2. On the collection of clock machines, define the binary operator machine ⊕.sub.n as ([p, s]⊕.sub.n[q, t])(m)=([p, s](m)+[q, t](m)) mod n, where + is computed in . Observe that the prime clock machine [p, s]⊕.sub.n[q, t] computes in Ω.sub.n.

Machine Specification 3. Finite Prime Clock Sum Machine

[0104] Similarly, with prime clock machines [q.sub.1, t.sub.1], [q.sub.2, t.sub.2], . . . and [q.sub.L, t.sub.L], a new machine [q.sub.1, t.sub.1]⊕.sub.n[q.sub.2, t.sub.2]. . . ⊕.sub.n[q.sub.L, t.sub.L]: .fwdarw..sub.n can be constructed. From a mathematics perspective of how the machine behaves, [q.sub.1, t.sub.1]⊕.sub.n[q.sub.2, t.sub.2]. . . ⊕.sub.n[q.sub.L, t.sub.L] is sometimes called a function. For each m∈ define ([q.sub.1, t.sub.1]⊕.sub.n[q.sub.2, t.sub.2]⊕.sub.n . . . ⊕.sub.n[q.sub.L, t.sub.L])(m)=([q.sub.1, t.sub.1](m)+. . . +[q.sub.2, t.sub.2](m)) mod n, where + is computed in . [q.sub.1, t.sub.1]⊕.sub.n[q.sub.2, t.sub.2]. . . ⊕.sub.n[q.sub.L, t.sub.L] is called a finite prime clock sum machine in Ω.sub.n.

[0105] In some embodiments, the binary operation machine ⊕.sub.n builds prime clock sum machines from prime clock machines (i.e., 306 of FIG. 3) that are executed natively in hardware. The computational operation ⊕.sub.n is shown in adding instructions 308 of FIG. 3. A useful way to think about the ⊕.sub.n operation is that it combines the outputs of one or more (i.e., L≥1) clock machines [q.sub.1, t.sub.1], [q.sub.2, t.sub.2], [q.sub.L, t.sub.L].

[0106] In FIG. 3, modulo instructions 310 refer to the modulo operation (t.sub.k+i) mod q.sub.k, represented by symbols [q.sub.k, t.sub.k](i). In machine specification 3, modulo instructions 310 of FIG. 3, refer to the modulo operation (t.sub.k+m) mod q.sub.k, for each 1≤k≤L and the operator mod n, applied to the sum ([q.sub.1, t.sub.1](m)+[q.sub.2, t.sub.2](m)+. . . +[q.sub.L, t.sub.L](m)).

[0107] In some hardware embodiments, the hardware uses semiconductor materials such as silicon and doping elements such as boron (3 valence electrons) and phosphorus (5 valence electrons). In some embodiments, these semiconductor materials be used to implement transistors that act as components in a flip flop. In some embodiments, these semiconductor materials are used to build D-type flip flops. A D-type flip flop is shown in FIGS. 4A, 4B, 4C and 4D.

[0108] FIG. 4D shows a hardware implementation of a [p, 0] clock machine, using two clock signals I and P and a single D-type flip flop that has the same feedback structure as FIG. 4C. p is the amount of time that clock signal stays high before it switches to low (0) for a short period of time, when clock signal I is low. This hardware implementation, using a D-type flip flop is independent of the physical units of time. In a hardware embodiment, clock signal I may have a period of 1 millisecond and so clock signal P has a period of p milliseconds. In another embodiment, clock signal I may have a period of 1 nanosecond and clock signal P has a period of p nanoseconds.

[0109] In FIG. 4D, the waveform for clock signal I. At the beginning of this waveform, t.sub.0 is the time when the clock signal I starts to rise from low (0) to high (1). The time δ is the amount of time after t.sub.0 that the clock signal I first becomes high. The wavelength time λ=t.sub.i+1−t.sub.i. For example, λ=t.sub.1−t.sub.0. In other words, λ is the amount of time between consecutive pulses, coming from the clock signal I.

[0110] In FIG. 4D, the waveform for clock signal P is below the waveform for clock signal I. The waveform for clock signal P also starts to rise from low to high at time t.sub.0. However, after the waveform for clock signal P first reaches high, it stays high for a time of pλ−2δ. This is so that via the AND gate with inputs of clock signal I and clock signal P, the clock signal I toggles the output Q between low and high during a duration of time equal to λ. The clock signal from P starts to decrease from high to low at time t.sub.p−δ; clock signal from P first reaches a low state again at time t.sub.p. The clock signal from P stays low until time t.sub.p+λ=t.sub.p+1. This means that the output of the AND gate will stay low during the first downward edge of clock signal I after time t.sub.p. Thus, on this first downward edge just after time t.sub.p, the D-type flip flop will not toggle from 0 to 1. This lack of the D-type flip flop not toggling corresponds to the fact that the prime clock machine [p, 0] satisfies the property that [p, 0](p−1)=0 and [p, 0](p)=0.

[0111] A [p, s] clock machine, where 0<s<p, can be constructed in a similar way to the clock machine [p, 0], by translating the waveform of P, shown in FIG. 4D, by an amount of time equal to sλ.

[0112] In some embodiments, elements such as aluminum, indium and arsenic, and antimony are used to build the semiconductor hardware that executes one or more clock machines. In some embodiments, these semi-conductor materials are used to build flip flops that help implement a clock machine, similar to the one shown in FIG. 4D. In other embodiments, the binary operation machine ⊕.sub.n (shown in addition instructions 308 and modulo instructions 310 of FIG. 3) combines the outputs of prime clock machines to build prime clock sum machines that are implemented in software; in some embodiments, a prime clock sum machine is implemented as a virtual machine. In an embodiment, the virtual machine executes on computing system 250 in FIG. 2B. In an embodiment, the virtual machine executes in a distributed manner on the computing system shown in FIG. 2A.

Machine Specification 4. Prime Clock Sum Complexity

[0113] The complexity map is defined as ([p, t])=2┌log.sub.2(p)┐ if p>2 and ([2, t])=4. The complexity of [q.sub.1, t.sub.1]⊕.sub.n[q.sub.2, t.sub.2]. . . ⊕.sub.n[q.sub.L, t.sub.L] is

[00010]$\underset{i=1}{\overset{l}{.Math.}}C\left[q_i,t_i\right].$

Machine Specification 5. Let r.sub.1, . . . r.sub.k be k prime numbers and q.sub.1, . . . q.sub.r be r prime numbers. Let ƒ=[r.sub.1, s.sub.1]⊕.sub.n[r.sub.2, s.sub.2]. . . ⊕.sub.n[r.sub.k, s.sub.k]. Let g=[q.sub.1, t.sub.1]⊕.sub.n[q.sub.2, t.sub.2]. . . ⊕.sub.n[q.sub.L, t.sub.L]. Define ƒ⊕.sub.ng in Ω.sub.n as (ƒ⊕.sub.ng) (m)=ƒ(m)+.sub.ng(m), where +.sub.n is the binary operator in the group (.sub.n, +.sub.n).

[0114] Machine specification 5 is well-defined with respect to machine specification 3. In particular, ƒ⊕.sub.ng=[r.sub.1, s.sub.1]⊕.sub.n[r.sub.2, s.sub.2]. . . ⊕.sub.n[r.sub.k, s.sub.k]⊕.sub.n[q.sub.1, t.sub.1]⊕.sub.n[q.sub.2, t.sub.2]. . . ⊕.sub.n[q.sub.L, t.sub.L] because (m.sub.1+m.sub.2) mod n=((m.sub.1 mod n)+(m.sub.2 mod n)) mod n for any m.sub.1, m.sub.2∈. (See remark 1 in the appendix.)

[0115] The binary operator machine ⊕.sub.n can be extended to all of Ω.sub.n. For any f, g∈Ω.sub.n, define (ƒ⊕.sub.ng) (m)=ƒ(m)+.sub.ng(m). The associative property (ƒ⊕.sub.ng)⊕.sub.nh=ƒ⊕.sub.n(g⊕.sub.nh) follows immediately from the fact that +.sub.n is associative. The zero function 0, where 0(m)=0 in .sub.n, is the identity in Ω.sub.n. For any ƒ in Ω.sub.n, its unique inverse ƒ.sup.−1 is defined as ƒ.sup.−1(m)=−ƒ(m), where −ƒ(m) is the inverse of ƒ(m) in the group (.sub.n, +.sub.n). The commutativity of ⊕.sub.n follows from the commutativity of +.sub.n, so (Ω.sub.n, ⊕.sub.n) is an abelian group.

[0116] Let be a collection of the prime clock machines . Using the projection Π.sub.n of into Ω.sub.n, define ={H:H⊇Π.sub.n() and H is a subgroup of Ω.sub.n}. generates a subgroup

[00011]$\underset{H\in S_Q}{.Math.}H$

of machines computing over (Ω.sub.n, ⊕.sub.n).

[0117] In some computing applications and embodiments, such as cryptography, the ciphers such as Midori [4] are computed with Boolean functions, so the specification sometimes refers to subgroups of Ω.sub.2, generated by a finite number of prime clocks. Consequently, the symbol e throughout the patent specification represents the symbol ⊕.sub.2. In other embodiments, the prime clock machine may compute over subgroups of Ω.sub.256 or subgroups over Ω.sub.264. In these embodiments, the subscript will be explicitly shown as in the symbols ⊕.sub.256 or Ω.sub.264.

Clock Machine Computation

[0118] Let F.sub.n denote the set of all Boolean functions in n variables. Mathematically, F.sub.n={ƒ.sub.n|ƒ.sub.n: {0, 1}.sup.n.fwdarw.{0, 1}}, so F.sub.n contains 2.sup.2.sup.n distinct functions with an n-bit string as input and the output is a single bit. With prime clock sum machine embodiments in mind, it is convenient to think of ƒ.sub.n∈F.sub.n as a binary string of length 2.sup.n, called the truth-table of ƒ.sub.n. FIG. 11 shows all 16 Boolean functions in F.sub.2 and shows corresponding prime clock machines that compute each of these 16 functions. Since any universal computing machine [29, 30] can be constructed from these functions in F.sub.2, this table demonstrates that prime clocks can be used to construct a universal machine. In some embodiments, it is advantageous to design prime clock machines that compute Boolean functions for substantially higher values of n in order to exploit the computational advantages of prime clock machines since they can compute in parallel.

[0119] Consider clock machine [p, s]⊕[q, t] in Ω.sub.2. The first 2.sup.n elements of [p, s]⊕[q, t] refer to the bit string ([p, s]⊕[q, t]) (0), ([p, s]⊕[q, t]) (1), . . . , ([p, s]⊕[q, t]) (2.sup.n−1) of length 2.sup.n. The first 2.sup.n elements of [p, s]⊕[q, t] represent a Boolean function ƒ.sub.n∈F.sub.n. In some embodiments with q.sub.1, . . . , q.sub.L as primes, the first 2.sup.n elements of [q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.L, t.sub.L] represent a Boolean function ƒ.sub.n∈F.sub.n.

[0120] Consider clock machine [q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.L, t.sub.L] whose first 2.sup.n elements represent a truth table in F.sub.n; this truth table is a bit string with length 2.sup.n. Machine procedure 1 shows how [q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.L, t.sub.L] computes the Boolean function [q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.L, t.sub.L]: {0, 1}.sup.n.fwdarw.{0, 1} in L steps, where L is the number of clocks. The input is stored in the variable x, which takes up n bits of memory 256, shown in FIG. 2B. The output bit is stored in the variable , which takes up 1 bit of memory 256, shown in FIG. 2B. In other words, computational machine 1 computes =[q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.L, t.sub.L](x).

TABLE-US-00001 Machine Procedure 1. INPUT: x is a bit string in {0, 1}.sup.n store input value in x which takes up n bits of memory. set   = 0 set k = 1 while (k ≤ L) { set e = (t.sub.k + x) mod q.sub.k set e = e mod 2 set   = (   + e) mod 2 increment k } OUTPUT:   is 0 or 1.

[0121] The output is called a bit output because is 0 or 1. Output is produced, by combining the output from the L clock machines [q.sub.1, t.sub.1], [q.sub.2, t.sub.2], . . . [q.sub.L, t.sub.L]. In some embodiments, machine procedure 1 is coded in a programming language such as C, Python, JAVA, Haskell, LISP or Ruby and executes as a virtual machine on a standard operating system such as Apple OS, Linux, Unix, or Windows. In other embodiments, machine procedure 1 can be coded in a programming language such as C or Python and then compiled to execute on a field programmable gate array (FPGA). In other embodiments, machine procedure 1 can be implemented directly in hardware with flip flops. FIG. 4A, FIG. 4B, and FIG. 4C show how to implement a hardware prime clock machine from a D-flip flop.

[0122] In some embodiments, machine procedure 1 executes the two instructions set e=(t.sub.k+x) mod q.sub.k and set e=e mod 2, inside the while loop, in parallel with L prime clock devices implemented in hardware. In some embodiments, the prime clock devices are implemented in semiconductor hardware. In some semiconductor embodiments, the prime clock machines are constructed with counters that reset after a prime number of state changes. In these embodiments, the mod 2 operator is implemented by selecting the least significant of the counter. In other semiconductor hardware embodiments, the output of a single prime clock machine is stored in a table in memory 256, shown in FIG. 2B. In some embodiments, the prime clocks are implemented with strands of DNA or RNA. In an embodiment, one or more prime clock machines with hardware architecture (as shown in FIG. 2B) execute machine instructions according to machine procedure 1.

TABLE-US-00002 Machine Procedure 2. A Prime Clock Sum in Ω.sub.2 Computes a Boolean Function INPUT: i set r.sub.1 = (t.sub.1 + i) mod q.sub.1 set r.sub.2 = (t.sub.2 + i) mod q.sub.2 . . . set r.sub.L = (t.sub.L + i) mod q.sub.L set y = (r.sub.1 + r.sub.2 + ... + r.sub.L) mod 2 OUTPUT: y
The output is called a bit output. The ith element of ([q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.L, t.sub.L])'s truth table is stored in the variable when machine procedure 2 halts. The execution of machine procedure 2 is presented in a serial form. Nevertheless, the computation of the L instructions set r.sub.k=(t.sub.k+i) mod q.sub.k, where 1≤k≤L, can be executed in parallel when there is a separate physical device for each of these L prime clocks [q.sub.1, t.sub.1], [q.sub.2, t.sub.2]. . . [q.sub.L, t.sub.L]. Subsequently, the parity of can be determined in a second computational step that executes a parallel add of r.sub.1+r.sub.2 +. . . +r.sub.t, followed by setting to the least significant bit of the sum r.sub.1+r.sub.2 +. . . +r.sub.L.

[0123] In an embodiment, clock machine 302 in FIG. 3 represents machine procedure 2. In machine procedure 2 clocks [q.sub.1, t.sub.1], [q.sub.2, t.sub.2], . . . [q.sub.L, t.sub.L] are shown in Clocks 306 of FIG. 3. In machine procedure 2, the instructions

set r.sub.1=(t.sub.1+i) mod q.sub.1

set r.sub.2=(t.sub.2+i) mod q.sub.2

. . .

set r.sub.L=(t.sub.L+i) mod q.sub.L

are represented by Adding Instructions 308 and Modulo Instructions 310 in FIG. 3. In FIG. 3, Modulo Instructions 310 also represent the instruction set =(r.sub.1+r.sub.2+. . . +r.sub.L) mod 2 in machine procedure 2. Furthermore, FIG. 3 represents both virtual machine embodiments and hardware embodiments of machine procedure 2.

[0124] In some embodiments, machine procedure 2 is coded in a programming language such as C, Python, JAVA, Haskell, LISP or Ruby and executes as a virtual machine on an operating system such as Android, Apple OS, Linux, Unix, or Windows. In other embodiments, machine procedure 2 can be coded in a programming language such as C or Python and then compiled to execute on an field programmable gate array (FPGA). FPGA hardware has the computational capability to execute one or more clock machines in parallel.

[0125] An n-bit exclusive-OR on n bits b.sub.1, b.sub.2, . . . b.sub.n is denoted as b.sub.1⊕b.sub.2⊕. . . b.sub.n. Furthermore, if an even number of these n-bits are 1, then b.sub.1⊕b.sub.2⊕. . . b.sub.n=0; if an odd number of these n-bits are 1, then b.sub.1⊕b.sub.2⊕. . . b.sub.n=1.

[0126] As an alternative implementation of machine procedure 2, when there is a more suitable physical device for prime clocks, the kth clock can compute the kth bit b.sub.k=((t.sub.k+i) mod q.sub.k) mod 2 and then an L-bit exclusive-or can be applied in parallel [34] to the bits b.sub.1, b.sub.2, . . . , b.sub.L.

EXAMPLE

[0127] This example demonstrates 2-bit multiplication with prime clock sums, computed with machine procedure 2. In FIG. 12, for each u∈{0, 1}.sup.2 and each l∈{0, 1}.sup.2, the product u*l is shown in each row, whose 4 columns are labelled by .sub.3, .sub.2, .sub.1 and .sub.0. With input i of 4 bits (i.e., u concatenated with l), the output of the 2-bit multiplication is a 4-bit string .sub.3(i) .sub.2(i) .sub.1(i) .sub.0(i) shown in each row of FIG. 12.

[0128] One can verify that the function .sub.0: {0, 1}.sup.2×{0, 1}.sup.2.fwdarw.{0, 1} can be computed with the prime clock sum [2, 0]⊕[7, 3]⊕[7, 4]⊕[7, 5]⊕[11, 10], according to machine procedure 2. Similarly, the Boolean function .sub.1 can be computed with the prime clock sum [2, 0]⊕[2, 1]⊕[3, 0]⊕[5, 2]⊕[11, 0]⊕[11, 1], according to machine procedure 2. The Boolean function .sub.2 can be computed with the prime clock sum [5, 0]⊕[7, 0]⊕[7, 2]⊕[11, 4]. Lastly, the function .sub.3 can be computed with the prime clock sum [2, 1]⊕[5, 0]⊕[11, 1]⊕[11, 6]. □

[0129] As described in machine specifications 1, 2, 3 and 5 and as shown in FIG. 9 one or more clock machines may also perform computations that are not (beyond) Boolean functions. Machine procedure 3 uses L clock machines [q.sub.1, t.sub.1], [q.sub.2, t.sub.2]. . . [q.sub.L, t.sub.L] to perform a clock machine computation where the output is one of the 3 distinct time states 0, 1, or 2.

TABLE-US-00003 Machine Procedure 3. A Prime Clock Sum in Ω.sub.3 Procedure INPUT: i set r.sub.1 = (t.sub.1 + i) mod q.sub.1 set r.sub.2 = (t.sub.2 + i) mod q.sub.2 . . . set r.sub.L = (t.sub.L + i) mod q.sub.L set y = (r.sub.1 + r.sub.2 + ... + r.sub.L) mod 3 OUTPUT: y is one of three distinct time states 0, 1 or 2

[0130] In an embodiment, clock machine 302 in FIG. 3 represents machine procedure 3. In machine procedure 3 clocks [q.sub.1, t.sub.1], [q.sub.2, t.sub.2]. . . [q.sub.L , t.sub.L] are shown in Clocks 306 of FIG. 3. In machine procedure 3, the instructions

set r.sub.1=(t.sub.1+i) mod q.sub.1

set r.sub.2=(t.sub.2+i) mod q.sub.2

. . .

set r.sub.L=(t.sub.L+i) mod q.sub.L

are represented by Adding Instructions 308 and Modulo Instructions 310 in FIG. 3. In FIG. 3, Modulo Instructions 310 also represent the instruction set =(r.sub.1+r.sub.2+. . . +r.sub.L) mod 3 in machine procedure 3. Furthermore, FIG. 3 represents both virtual machine embodiments and hardware embodiments of machine procedure 3.

[0131] Similar to FIG. 9, machine procedure 4 uses L clock machines [q.sub.1, t.sub.1], [q.sub.2, t.sub.2]. . . [q.sub.L, t.sub.L] to perform a clock machine computation where the output is one of the 5 distinct time states 0, 1, 2, 3, or 4.

Machine Procedure 4. A Prime Clock Sum in Ω.SUB.5 .Procedure

INPUT: i

[0132]
set r.sub.1=(t.sub.1+i) mod q.sub.1

set r.sub.2=(t.sub.2+i) mod q.sub.2

. . .

set r.sub.L=(t.sub.L+i) mod q.sub.L

set =(r.sub.1+r.sub.2+. . . +r.sub.L) mod 5

OUTPUT: is one of five distinct time states 0, 1, 2, 3, or 4

[0133] In an embodiment, clock machine 302 in FIG. 3 represents machine procedure 4. In machine procedure 4 clocks [q.sub.1, t.sub.1], [q.sub.2, t.sub.2], . . . [q.sub.L, t.sub.L] are shown in Clocks 306 of FIG. 3. In machine procedure 4, the instructions

set r.sub.1=(t.sub.1+i) mod q.sub.1

set r.sub.2=(t.sub.2+i) mod q.sub.2

. . .

set r.sub.L=(t.sub.L+i) mod q.sub.L

are represented by Adding Instructions 308 and Modulo Instructions 310 in FIG. 3. In FIG. 3, Modulo Instructions 310 also represent the instruction set =(r.sub.1+r.sub.2+. . . +r.sub.L) mod 5 in machine procedure 4. Furthermore, FIG. 3 represents both virtual machine embodiments and hardware embodiments of machine procedure 4.

Periodic Machine Computation

[0134] The machine specification for periodic machine (p, i): .fwdarw.{0, 1} is as follows: (p, i)(t)=1 whenever (p+t−i) mod p=0; (p, i)(t)=0 whenever (p+t−i) mod p≠0. In FIG. 21, the discrete time states of i and the height of this pulse corresponds to a digital output of 1, as specified in (p, i)(t)=1 whenever (p+t−i) mod p=0. It is assumed that 0≤i≤p. p is called the period and i is the phase of this periodic machine. The output of this periodic machine is shown as 0 at the time states i+1, . . . p+i−1; in other words, all time states k satisfying i+1≤k≤p+i−1. FIG. 20 shows the periodic machine (p, 0), where the phase is 0.

[0135] The purpose of δ is to indicate the time duration of the high output, indicating the digital output of 1. In some embodiments, the output is a voltage. For example, flip-flops (FIG. 4B) have outputs (labelled Q) that store or hold a voltage. By constructing a 2-bit counter with flip flops that counts 00 at time state 0. The 2-bit counter increments to 01 at time state 1; and increments to 10 at time state 2; and increments to 11 at time state 3; and restarts at 00 at time state 4. Then the circuit just repeats. This enables a periodic machine computation to compute a two-input AND gate as follows. Map AND input (x, ƒ)=(0, 0) to time state 0. Map AND input (x, ƒ)=(0, 1) to time state 1. Map AND input (x, ƒ)=(1, 0) to time state 2. Map AND input (x, ƒ)=(1, 1) to time state 3. Thus, the periodic machine (4, 3) computes the AND gate since AND(1, 1)=1 and (4, 3)(3)=1. Furthermore, AND(0, 0)=0 and (4, 3)(0)=0. AND(0, 1) =0 and (4, 3)(1)=0. AND(1, 0)=0 and (4, 3)(2)=0.

[0136] A finite number of periodic machines can be “summed” to construct a computing machine. “Summed” means computing the logical OR (maximum) of the output of all periodic machines at a particular input time state. In periodic machines (p.sub.1, i.sub.1), (p.sub.2, i.sub.2), . . . , (p.sub.m, i.sub.m) can be summed to perform a computation as follows. For time state t that serves as the input, the sum [(p.sub.1, i.sub.1)+(p.sub.2, i.sub.2)+. . . +(p.sub.m, i.sub.m)](t)=0 if (p.sub.k, i.sub.k)(t)=0 for every k satisfying 1≤k≤m. Otherwise, if there is some k such that (p.sub.k, i.sub.k)(t)=1, then [(p.sub.1, i.sub.1)+(p.sub.2, i.sub.2)+. . . +(p.sub.m, i.sub.m)](t)=1. Thus, we can construct a 2-input OR gate as (4, 1) +(4, 2) +(4, 3).

[0137] In general, a periodic machine computation is executed according to machine procedure 5, where each periodic machine (p.sub.k, i.sub.k) can compute its output in parallel. The output of this computation is not dependent on the order shown in the while loop. Every computation y.sub.k=(p.sub.k, i.sub.k)(t) may be performed simultaneously with hardware that implements the periodic machine (p.sub.k, i.sub.k). FIG. 23 shows hardware using a D flip-flop to implement periodic machine (p, 1).

TABLE-US-00004 Machine Procedure 5. INPUT: Time state t represents a bit string in {0, 1}.sup.n store input value in t which takes up n bits of memory. set k = 1 while (k ≤ m) { set y.sub.k = (p.sub.k, i.sub.k)(t). increment k } OUTPUT: y = max{y.sub.1, y.sub.2, ... , y.sub.m}.

[0138] In machine procedure 5, max means take the maximum of all outputs .sub.1, .sub.2, . . . .sub.m, which in some embodiments is computed by an m-bit logical OR of these outputs. In other embodiments, more than one logical OR may be used to compute the maximum. Similar to theorem 8, any Boolean function ƒ: {0, 1}.sup.n.fwdarw.{0, 1} can be computed from a finite number of periodic machines, according to machine procedure 5. As an example, in FIG. 16, the Boolean function π.sub.2∘S.sub.0(x): {0, 1}.sup.4.fwdarw.{0, 1}—that is part of the Midori64 standard—can be implemented with the following sum of periodic machines: [7, 4]+[8, 6]+[8, 7]+[16, 0]+[16, 2]. Similarly, the Boolean functions that compose a round of the cryptographic cipher AES-256 can be implemented as a sum of periodic machines, since any Boolean function can be computed by a finite sum of periodic machines.

Random Clock Machines That Execute the Midori Cipher

[0139] This section of the specification demonstrates how to execute the lightweight cipher Midori [4] with random prime clock machines. In some embodiments, clock machines can execute directly in semiconductor hardware. FIG. 4A, FIG. 4B, FIG. 4C and FIG. 4D show how to implement a clock machine directly in hardware, using D-type flip flops.

[0140] The purpose of randomly generating the clock machines is to help provide greybox protection. In this specification, the greybox model assumes that the adversary Eve can observe the electromagnetic signal emitted from the processor chip executing the computer instructions and Eve knows the cryptographic algorithm executed (e.g., Midori cipher). In some embodiments, Eve does not have realtime, direct access to the prime clock machines executing a cryptographic algorithm. In some embodiments, greybox protection can help make key recovery attacks more difficult for the adversary.

A Description of the Midori Cipher

[0141] Midori consists of two different block ciphers: Midori64 and Midori128. Both use 128-bit keys. Midori64 has block size n=64. In function notation, Midori64: {0, 1}.sup.64×{0, 1}.sup.128.fwdarw.{0, 1}.sup.64. The set {0, 1}.sup.64 represents 64-bit blocks selected from the message space and {0, 1}.sup.128 is the key space. Midori128 has block size n=128, where Midori128: {0, 1}.sup.128×{0, 1}.sup.128.fwdarw.{0, 1}.sup.128. The first set {0, 1}.sup.128 in the Cartesian product represents the 128-bit blocks selected from the message space and the second set {0, 1}.sup.128 is the key space. FIG. 13 shows a summary of these Midori parameters.

[0142] Midori is a variant of a Substitution-Permutation Network cipher that has an S-layer, a P-layer and has a 4×4 data structure as the state:

[00012]$S=\left(\begin{array}{cccc}{s}_0& s_4& s_8& s_{12}\\ s_1& s_5& s_9& s_{13}\\ s_2& s_6& s_{10}& s_{14}\\ s_3& s_7& s_{11}& s_{15}\end{array}\right)$

[0143] Each element (cell) s.sub.i of the state is 4 bits in Midori64 and 8 bits in Midori128. Before Midori64 encrypts a 64-bit block, the 64-bit plaintext M is stored in the state. Similarly, before Midori128 encrypts a 128-bit block, the 128-bit plaintext M is stored in the state. After the ith round, the output state is S.sub.i. The 0th state S.sub.0=M since no rounds have been computed when i=0.

[0144] Next, this section describes how Midori64 and Midori128 compute their nonlinear operations. Midori64 uses the bijective 4-bit S-box S.sub.0: {0, 1}.sup.4.fwdarw.{0, 1}.sup.4 which is defined in FIG. 14 by the row labelled with S.sub.0(x). FIG. 14 is interpreted based on the correspondence 0.Math.0000, 1.Math.1000, 2.Math.0100, 3.Math.1100, 4.Math.0010, 5.Math.1010, 6.Math.0110, 7.Math.1110, 8.Math.0001, 9.Math.1001, a.Math.0101, b.Math.1101, c.Math.0011, d.Math.1011, e.Math.0111, f.Math.1111. From the sixteenth column of FIG. 14, S.sub.0(e)=4 corresponds to S.sub.0(0111)=0010.

[0145] Similarly, Midori128 uses the bijective 4-bit S-box S.sub.1: {0, 1}.sup.4.fwdarw.{0, 1}.sup.4 which is defined in FIG. 14 by the row labelled with S.sub.1(x). A bijective function ƒ: X.fwdarw.X is called an involution if ƒ is its own inverse. In other words, ƒ∘ƒ(x)=x for every x∈X. Both S.sub.0 and S.sub.1 are involutions.

[0146] The concatenation operation ∥ on two strings can be extended to functions. Define the concatenation operator ∥ on S.sub.1 where S.sub.1∥S.sub.1: {0, 1}.sup.8.fwdarw.{0, 1}.sup.8 is defined as S.sub.1∥S.sub.1(x.sub.0x.sub.1x.sub.2x.sub.3x.sub.4x.sub.5x.sub.6x.sub.7)=S.sub.1(x.sub.0x.sub.1x.sub.2x.sub.3)∥S.sub.1(x.sub.4x.sub.5x.sub.6x.sub.7). Since (S.sub.1∥S.sub.1)∘(S.sub.1∥S.sub.1)=(S.sub.1∘S.sub.1)∥(S.sub.1∘S.sub.1), this implies S.sub.1∥S.sub.1 is also an involution.

[0147] Midori128 uses four 8-bit substitution boxes .sub.0, .sub.1, .sub.2, and .sub.3, where each .sub.i: {0, 1}.sup.8.fwdarw.{0, 1}.sup.8. For each i∈{0, 1, 2, 3}, the substitution box .sub.i is computed as .sub.i=σ.sub.i.sup.−1∘(S.sub.1∥S.sub.1)∘σ.sub.i, where S.sub.1 is defined in FIG. 14 and the four permutations σ.sub.i: {0, 1}.sup.8.fwdarw.{0, 1}.sup.8 are defined below. First, σ.sub.0(x.sub.0x.sub.1x.sub.2x.sub.3x.sub.4x.sub.5x.sub.6x.sub.7)=x.sub.4x.sub.1x.sub.6x.sub.3 x.sub.0x.sub.5x.sub.2x.sub.7. Expressed as a product of disjoint cycles, σ.sub.0=(0 4)(2 6). Permutation σ.sub.1=(0 3 6 1)(2 5 4 7). Permutation σ.sub.2=(0 6 4 2)(1 3)(5 7). Permutation σ.sub.3=(0 5 6 7)(1 2 3 4). Now .sub.i∘.sub.i=σ.sub.i.sup.−1∘(S.sub.1∥S.sub.1)∘σ.sub.i ∘σ.sub.i.sup.−1∘(S.sub.1∥S.sub.1)°σ.sub.i is the identity map since S.sub.1∥S.sub.1 is an involution. Thus, each .sub.i is an involution.

[0148] Lastly, in order to compute the round function, the following matrix is needed

[00013]$M=\left(\begin{array}{cccc}0& 1& 1& 1\\ 1& 0& 1& 1\\ 1& 1& 0& 1\\ 1& 1& 1& 0\end{array}\right).$

Midori Round Function

[0149] The round function is comprised of an S-layer SubCell: {0, 1}.sup.n.fwdarw.{0, 1}.sup.n a P-layer ShuffleCell and MixColumn: {0, 1}.sup.n.fwdarw.{0, 1}.sup.n and a key-addition layer KeyAdd: {0, 1}.sup.n×{0, 1}.sup.n.fwdarw.{0, 1}.sup.n. Each of these layers updates the n-bit state S according to the following 4 steps. [0150] 1. SubCell(S): In parallel for Midori64, S-box S.sub.0 is applied to each 4-bit cell of the state S. That is, each cell is updated as s.sub.i←S.sub.0(s.sub.i). In parallel for Midori128, S-box .sub.(i mod 4) is applied to each 8-bit cell of the state S. That is each cell is updated as s.sub.i←.sub.(i mod 4)(s.sub.i) where 0≤i≤15. [0151] 2. ShuffleCell(S): Expressed as disjoint cycles, τ=(s.sub.1 s.sub.7 s.sub.12 s.sub.10)(s.sub.2s.sub.14 s.sub.4 s.sub.5)(s.sub.3s.sub.9 s.sub.8 s.sub.15)(s.sub.6 s.sub.11). Each cell s.sub.i, where 0≤i≤15, of the state is permuted by τ. [0152] 3. MixColumn(S): Matrix M is applied to every 4m-bit column of the state S. That is, for each i∈{0, 4, 8, 12}

[00014]$\left(\begin{array}{c}{s}_i\\ s_{i+1}\\ s_{i+2}\\ s_{i+3}\end{array}\right)\leftarrow \left(\begin{array}{cccc}0& 1& 1& 1\\ 1& 0& 1& 1\\ 1& 1& 0& 1\\ 1& 1& 1& 0\end{array}\right)\left(\begin{array}{c}{s}_i\\ s_{i+1}\\ s_{i+2}\\ s_{i+3}\end{array}\right)$ [0153] 4. KeyAdd(S, R.sub.i): The ith n-bit round key R.sub.i is XORed with the state S.

[0154] The round function is executed for Midori64 and Midori128 sixteen and twenty times, respectively.

Midori Round Key Generation

[0155] For Midori64, the 128-bit secret key K is denoted as the concatenation of two 64-bit keys K.sub.0 and K.sub.1, where K=K.sub.0∥K.sub.1. The 64-bit key W=K.sub.0⊕K.sub.1 and the 64-bit round key R.sub.i=K.sub.(i mod 2) ⊕α.sub.i where 0≤i≤14. Note that α.sub.i=β.sub.i for 0≤i≤14, where the round constants β.sub.i are defined in FIG. 15. The constants α.sub.i are added bitwise to the LSB of every round key nibble.

[0156] For Midori128, the 128-bit key W=K and the 128-bit round key R.sub.i=K⊕β.sub.i, for 0≤i≤18. In FIG. 15, the constants β.sub.i are 4×4 binary matrices. The constants β.sub.i are added bitwise to the LSB of every round key byte.

Executing the Midori Cipher with a Clock Machine

[0157] As discussed above, the S-box S.sub.0 and the S-box S.sub.1 are fundamental building blocks for the nonlinear operations in Midori64 and Midori128, respectively. FIG. 16 and FIG. 17 show functions constructed from S-boxes S.sub.0 and S.sub.1 and the four projection functions π.sub.i: {0, 1}.sup.4.fwdarw.{0, 1} where π.sub.i(x.sub.0x.sub.1x.sub.2x.sub.3)=x.sub.i for each i∈{0, 1, 2, 3}. For example, in FIG. 16 π.sub.3∘S.sub.0(7)=0. This is computed by reading from FIG. 14 that S.sub.0(7)=7; using the correspondence 7.Math.1110; and then π.sub.3 selecting the x.sub.3 bit from 1110.

[0158] Prime clock sum [2, 1]⊕[3, 2]⊕[5, 2]⊕[17, 16] is located in the last row and last column of FIG. 16. When machine 1 is executed, ([2, 1]⊕[3, 2]⊕[5, 2]⊕[17, 16])(7)=([2, 1](7)+[3, 2](7)+[5, 2](7)+[17, 16](7)) mod 2=0. Thus, prime clock sum [2, 1]⊕[3, 2]⊕[5, 2]⊕[17, 16](7) computes π∘S.sub.0(7) and has complexity 24.

[0159] As another example of a prime clock machine execution, in FIG. 17 π.sub.2∘S.sub.1(4)=1. This is computed by reading from FIG. 14 that S.sub.1(4)=e; using the correspondence e.Math.0111; and then π.sub.2 selecting the the x.sub.2 bit from 0111. The corresponding prime clock sum is applied to 4. ([2, 1]⊕[7, 6]⊕[11, 0]⊕[13, 3]⊕[17, 10])(4)=(1+3+4+7+14) mod 2=1.

[0160] The prime clock sums in FIG. 16 and FIG. 17 were computed by machine procedure 6 that randomly builds p-clock sums from the first 8 primes {2, 3, 5, 7, 11, 13, 17, 19}. Overall, from sections 6.9 and 6.10, it is straightforward to build SubCell(S) function, based on the prime clock sums in FIG. 16 and FIG. 17.

[0161] Next we turn to the linear operations used in Midori64 and Midori128. First, observe that the other three layers ShuffleCell(S), MixColumn(S), and KeyAdd(S) can be constructed from affine Boolean functions.

[0162] ShuffleCell(S) is a permutation τ of the state S, where τ=(s.sub.1 s.sub.7 s.sub.12 s.sub.10) (s.sub.2 s.sub.14 s.sub.4 s.sub.5)(s.sub.3 s.sub.9 s.sub.8 s.sub.15)(s.sub.6 s.sub.11). In Midori64, τ: {0, 1}.sup.64.fwdarw.{0, 1}.sup.64, here τ(x)=(τ.sub.0(x), τ.sub.1(x), . . . , τ.sub.63(x)) and each τ.sub.i: {0, 1}.sup.64.fwdarw.{0, 1} is an affine function. In Midori128, τ: {0, 1}.sup.128.fwdarw.{0, 1}.sup.128, where τ(x)=(τ.sub.0(x), . . . τ.sub.127(x)) and each τ.sub.i: {0, 1}.sup.128.fwdarw.{0, 1} is an affine function.

[0163] In MixColumn(S), each row×column multiplication in the matrix multiplication is a dot product on the vector space over .sub.2. For example, the first row of M corresponds to the affine map A.sub.0111,0, which is defined in FIG. 19.

[0164] In KeyAdd(S, R.sub.i), each R.sub.i is built from a different constant from FIG. 15 and XOR'd with the state, so KeyAdd(S, R.sub.i) is also composed of affine Boolean functions.

[0165] FIG. 19 shows a list of every affine map A.sub.a.sub.o.sub.a.sub.1.sub.a.sub.2.sub.a.sub.3.sub.,c: {0, 1}.sup.4.fwdarw.{0, 1} such that c=0. In the last column, the specified affine map is computed by a random prime clock sum machine built from the 8 primes {2, 3, 5, 7, 11, 13, 19}. The affine maps A.sub.a.sub.0.sub.a.sub.1.sub.a.sub.2.sub.a.sub.3.sub.,1: {0, 1}.sup.4.fwdarw.{0, 1} can be constructed by adding prime clock sum machine [2, 0]⊕[2, 1] to each of the prime clock sum machines in FIG. 19. This machine composition works because ¬A.sub.a.sub.0.sub.a.sub.1.sub.a.sub.2.sub.a.sub.3.sub.,0=A.sub.a.sub.0.sub.a.sub.1.sub.a.sub.2.sub.a.sub.3.sub.,1 and ([2, 0]⊕[2, 1])(m)=1 for every number m∈.

[0166] Overall, the Midori cipher can be executed with prime clocks chosen from the first 8 primes. Of the first 8 primes, {5, 13, 17} are the 1 mod 4 primes. Define function α.sub.4 on the primes as follow. If (p>16) then α.sub.4(p)=16. If p<16 and p is a 1 mod 4 prime then α.sub.4(p)=p−1. If p<16 and p is a 3 mod 4 prime or p=2, then α.sub.4(p)=p. There are 2.sup.2.sup.4=2.sup.16 distinct Boolean functions f: {0, 1}.sup.4.fwdarw.{0, 1}. 2.sup.2+3+(5−1)+7=2.sup.16, so prime clock sums, constructed from the first 4 primes, can compute any Boolean function ƒ: {0, 1}.sup.4.fwdarw.{0, 1}. Note that

[00015]$\hspace{0.17em}{2}^{\underset{i=1}{\overset{S}{.Math.}}{\alpha }_4\left(p_i\right)}=2^{16}{2}^{56}.$

[0167] In section 6.15, machine lemma 3 and machine corollaries 5 and 7 imply that for each ƒ: {0, 1}.sup.4.fwdarw.{0, 1}, there are 2.sup.56 different prime clock sums, constructed from the first 8 primes, that compute ƒ. Note 2.sup.56>10.sup.16. Thus, each processor chip could be programmed with a unique collection of random prime clock sums that compute the Midori cipher such that the probability of two distinct processor chips computing the Midori cipher with identical random prime clock sums over the primes {p.sub.1, p.sub.2, . . . , p.sub.8} is substantially less than 10.sup.−9. A unique computational footprint for each chip can substantially obfuscate the execution of the Midori cipher and also break up any type of timing patterns during the cipher's execution.

Random Clock Machines

[0168] This section describes machine procedure 6 that uses randomness for finding a clock machine that computes ƒ: {0, 1}.sup.n.fwdarw.{0, 1}. In an embodiment, random clock machines are chosen, using non-deterministic process 542 in FIG. 5A. In an embodiment, random clock machines are chosen, using non-deterministic process 552 in FIG. 5B. After the machine procedure 6 description, an augmentation is described that can help substantially increase the process speed for constructing prime clock machines that compute ƒ. In an embodiment, 64 distinct ƒ's: ƒ.sub.0, ƒ.sub.1, ƒ.sub.2, . . . , ƒ.sub.63 that compute the addition of two 64-bit numbers in binary.

[0169] Some parameters are passed into the probabilistic machine and also a computable representation as either a software or hardware embodiment of Boolean function ƒ. The purpose is to be able to compute ƒ(x) on every input x∈{0, 1}.sup.n. A distance metric H, computed as a machine, between 2 functions is also needed.

[0170] Let Q be a prime clock sum machine. Let ƒ be a computable representation of Boolean function ƒ: {0, 1}.sup.n.fwdarw.{0, 1}. The function ƒ⊕Q: {0, 1}.sup.n.fwdarw.{0, 1} is defined as ƒ(x)⊕Q(x). Define the Hamming distance between these two functions as H(Q, ƒ)=|(ƒ⊕Q).sup.−1{1}|, where inverse image (ƒ⊕Q).sup.−1{1}={x∈{0, 1}.sup.n: ƒ(x)⊕Q(x)=1}. If H(Q, ƒ)=0, then Q(x)=ƒ(x) for every x in {0, 1}.sup.n.

[0171] The first parameter passed in is a positive integer u. u is an upper bound on the index of the primes to use for selecting prime clocks. For example, if u=6, then machine procedure 6 builds clock machines from the primes {2, 3, 5, 7, 11, 13}.

[0172] The second and third parameters passed in are r.sub.lb and r.sub.ub such that r.sub.lb≤r.sub.ub, which create a range of values for the number of random prime clocks to use to build prime clock machine Q. The fourth parameter passed in is s, which is the number of different random prime clocks machines to build for each value of r in {r.sub.lb, r.sub.lb+1, . . . , r.sub.ub}. The fifth parameter passed in is n.

TABLE-US-00005 Machine Procedure 6 Random Prime Clock Machines that Compute f set r = r.sub.lb [00016]$\mathrm{set}m=\frac{n}{2}$ while (r ≤ r.sub.ub) {  set c = 0  while (c ≤ s)  {   set k = 0   while (k ≤ r)   {    choose a random integer i in [1, u]    choose a random integer t in [0, p.sub.i − 1] Clock and Periodic Computing Machines    if k = 0 set Q = [p.sub.i, t]    else set Q = Q ⊕ [p.sub.i, t]    increment k   }   set h = H (Q, f)   if (h = 0) return Q.sub.best   else if (h = n) return [2, 0] ⊕ [2, 1] ⊕ Q   if (h < m)   {    set prime clock sum machine Q.sub.best = Q    set m = h   }   increment c  }  increment r } return Q.sub.best

[0173] In an embodiment, non-deterministic process 542 or non-deterministic process 552 in FIG. 5B are used to help implement the instructions [0174] choose a random integer i in [1, u] [0175] choose a random integer t in [0, p.sub.i−1]
in machine procedure 6. In an embodiment, non-deterministic process 542 or non-deterministic process 552 help the first instruction randomly choose p.sub.i. Recall that p.sub.i is the number of distinct time states in the randomly constructed clock machine. In an embodiment, non-deterministic process 542 or non-deterministic process 552 help the second instruction randomly choose t, which is the starting time state in clock machine [p.sub.i, t].

[0176] The search process time for machine Q.sub.best can be substantially reduced by passing in a small s; and then exiting machine 6 with prime clock machine Q.sub.best and then repairing Q.sub.best at x such that Q.sub.best(x)⊕ƒ(x)=1. As an example, for n=4, suppose that the computation Q.sub.best(12)⊕ƒ(12)=1, then repair machine Q.sub.best by updating it to prime clock sum machine [2, 0]⊕[2, 1]⊕[17, 6]⊕[17, 7]⊕Q.sub.best. If Q.sub.best(i)⊕ƒ(i)=1 at i=10 and i=11, then update Q.sub.best to [17, 5]⊕[17, 7]⊕Q.sub.best. A similar repair machine can be used for larger n with a prime p>2.sup.n.

[0177] In an alternative embodiment, periodic machines (shown in FIG. 20, FIG. 21, FIG. 22, and FIG. 23) may be also used in addition to clock machines in machine procedure 6. In this alternative embodiment, the sum of a periodic machine to the other machines is a logical OR. In another embodiment, only periodic machines may be used in a machine procedure similar to machine procedure 6, to build a random implementation of Boolean function ƒ.

Timing Differences in Clock Machines

[0178] The purpose of this section is to better understand timing differences that occur when different instances of machine procedures 1 are executed. It is well-known in the prior art that timing differences can be exploited to capture a key from a cryptographic cipher and break the cryptography. (See [5, 20].) In the prior art, standard digital computers often have timing differences due to branch instructions. There are two places in the execution of machine procedure 1 where timing differences could occur: [0179] 1. The size of r is the number of clocks in the prime clock sum. [0180] 2. The two instructions set e=(t.sub.k+x) mod q.sub.k and set e=e mod 2 depend upon q.sub.k, t.sub.k and x.

[0181] The other instructions such as set =(+e) mod 2 should exhibit no timing differences because both and e store 0 or 1 and y{circumflex over ( )}=e; is the C source code for this mathematical operation.

[0182] For these reasons, the Intel timestamp instruction RDTSC [17] was called to measure timing differences with b−a, as shown in the following C source code. The value b−a is the number of Intel CPU clock cycles that occur during the CPU's execution of the two instructions e=(t+x) % p; and e &=1;

TABLE-US-00006 static _ _inline_ _ unsigned long long rdtsc(void) { unsigned hi, lo; _ _asm_ _ _ _volatile_ _ (“RDTSC” : “=a”(lo), “=d”(hi)); return ( (unsigned long long) lo) | (((unsigned long long) hi) << 32); } unsigned long long a, b; for(x = 0; x < 65535; x++) { for(t = 0; t < p; t++) { a = rdtsc( ); e = (t + x) % p; e &= 1; Clock and Periodic Computing Machines b = rdtsc( ); } }

[0183] A 2.5 GHz Intel Core i5 CPU executed for these timing tests. Our timing results were measured on the first 100 primes p; on each prime clock ticking time t such that 0≤t<p; and all 16-bit input values x. For a fixed triplet (p, t, x), the CPU clock cycles timing difference b−a was measured on 1000 samples.

[0184] In FIG. 18, the range [24, 25] in the 2-clock column indicates that 95 percent of the measurements b−a satisfied 24≤b−a≤25 over all of the 2-clock machine tests. The same ranges of [23, 25] or [24, 25] were also obtained for the remaining 92 primes {23, 29, . . . , 523, 541}.

[0185] In some embodiments, timing tests for prime clock machines executing in semiconductor hardware suggest that the number of clocks (parameter r in algorithm 1) in the sum is the primary influence on execution time. In some embodiments, prime clocks execute in parallel to help eliminate timing differences.

[0186] An alternative embodiment varies the number of clocks for each random prime clock sum machine instantiation in hardware: in the greybox model, Eve would not know for a particular processor chip how many prime clocks are used to implement the S.sub.0 or S.sub.1 S-boxes or the number of clocks used to implement one of the affine maps that compose the ShuffleCell(S), MixColumn(S) or KeyAdd(S) layers.

Clock Machine Properties and Theorems

[0187] This section provides further specifications, properties and proofs about prime clock machines and in particular finite prime clock machines executing in Ω.sub.2. The intermediate results work toward the theorem 8, stated in the introduction: For any positive integer n, for each of the 2.sup.2.sup.n Boolean functions ƒ: {0, 1}.sup.n.fwdarw.{0, 1}, there exists a finite sum of prime clock machines executing in Ω.sub.2 that can compute ƒ. Because universal computing machines [29, 30] can be computed using Boolean functions as building blocks, this means that universal computing machines can be constructed from prime clock machines.

[0188] First, a remark is proven that was cited in section 6.5.

Machine Remark 1. (m.sub.1+m.sub.2) mod n=((m.sub.1 mod n)+(m.sub.2 mod n)) mod n.

[0189] PROOF. Euclid's division algorithm implies that m.sub.1=k.sub.1n+r.sub.1 and m.sub.2=k.sub.2n+r.sub.2, where 0≤r.sub.1, r.sub.2<n. Now (m.sub.1+m.sub.2) mod n=((k.sub.1+k.sub.2)n+r.sub.1+r.sub.2) mod n=(r.sub.1+r.sub.2) mod n=((m.sub.1 mod n)+(m.sub.2 mod n)) mod n □

[0190] The following equivalence relation on induced by a function ƒ∈Ω.sub.n helps characterize prime clock sums.

Machine Specification 6. For any ƒ∈Ω.sub.n, define the relation on such that

[00017]$\underset{f}{x\text{∼}y}$

if and only if for all m∈, ƒ(m)=ƒ(m+−x|).

[0191] Trivially, is reflexive and symmetric. Next, transitivity of is verified. Suppose

[00018]$\underset{f}{x\text{∼}y}$

and

[00019]$\underset{f}{y\text{∼}z}.$

W.L.O.G., suppose x≤.Math.≤z. (The other orderings of x, .Math. and z can be handled by permuting x, .Math. and z in the following steps.) This means for all m∈, ƒ(m+.Math.−x)=ƒ(m); and for all k∈, ƒ(k)=ƒ(k+z−.Math.). This implies that for all m∈, ƒ(m+z−x)=ƒ(m+z−+.Math.−x)=ƒ(m+.Math.−x)=ƒ(m).
Machine Remark 2. is an equivalence relation.

Machine Specification 7. Periodic Functions

[0192] ƒ∈Ω.sub.n is a periodic function if there exists a positive integer b such that for every m∈, then ƒ(m)=ƒ(m+b). Furthermore, if a is the smallest positive integer such that ƒ(m)=ƒ(m+a) for all m∈, then a is called the period of ƒ. After k substitutions of m+a for m, this implies for any m∈ that ƒ(m)=ƒ(m+ka) for all positive integers k.

[0193] As shown in FIG. 7, both prime clocks [2, 0] and [2, 1] projected into Ω.sub.2 have period 2. Both prime clock machines [3, 0] and [3, 1] projected into ≠.sub.2 have period 3. Each prime clock sum [2, 0]⊕[3, 0], [2, 1]⊕[3, 0] and [2, 0]⊕[3, 1] has period 6.

[0194] When ƒ is periodic with period a, each equivalence class is of the form [k]={k+ma:m∈}, where 0≤k<a. Thus, ƒ has period a implies there are a distinct equivalence classes on with respect to .

Machine Remark 3. If a is the period of ƒ and b is a positive integer such that ƒ(m)=ƒ(m+b) for all m∈, then a divides b.

[0195] PROOF. First, verify that

[00020]$\underset{f}{a\text{∼}b}.$

By the definition of period, a≤b and for all m∈, then ƒ(m+b−a)=ƒ(m+a+b−a)=ƒ(m+b)=ƒ(m). From the prior observation, a lies in [0] and b also lies in [0]. Thus, b=ma for some positive integer m. □
Machine Lemma 1. If ƒ,g∈Ω.sub.n are periodic, then ƒ⊕.sub.ng is periodic. Further, if the period of ƒ is a and the period of g is b, then ƒ⊕.sub.ng has a period that divides lcm(a, b).

[0196] PROOF. Let a be the period of ƒ and b the period of g. Let l.sub.a,b=lcm(a, b). l.sub.a,b=ia and l.sub.a,b=jb for positive integers i, j. For any m∈, (ƒ⊕.sub.n g)(m)=ƒ(m)+.sub.ng(m)=ƒ(m+ia)+.sub.ng(m+jb)=ƒ(m+l.sub.a,b)+.sub.ng(m+l.sub.a,b)=(ƒ⊕.sub.ng)(m+l.sub.a,b). Thus, ƒ⊕.sub.ng is periodic and remark 3 implies its period divides l.sub.a,b. □

In regard to lemma 1, if g=−ƒ, then the period of ƒ⊕.sub.ng is 1.
Machine Remark 4. There are n.sup.a distinct periodic functions ƒ∈Ω.sub.n whose period divides a.

[0197] PROOF. Since ƒ is periodic and its period divides a, the values of ƒ(0), ƒ(1), . . . , ƒ(a−1) uniquely determine ƒ. There are n choices for ƒ(0). There are n choices for ƒ(1), and so on. □

[0198] Periodic functions with prime periods are straightforward to count.

Machine Remark 5. Suppose p is prime. There are n.sup.9−n distinct periodic functions ƒ∈Ω.sub.n with period p.

[0199] PROOF. Consider a finite sequence c.sub.0, c.sub.1, . . . , c.sub.p-1 of length p where each c.sub.i∈.sub.n This sequence uniquely determines a periodic ƒ such that ƒ(m+p)=ƒ(m) for all m∈. In particular, ƒ(0)=c.sub.0, ƒ(1)=c.sub.1, . . . , ƒ(p−1)=c.sub.p−1. There are n.sup.p periodic functions with a period that divides p. If the period of ƒ is less than p, then remark 3 implies ƒ has period 1 since p is prime. There are n distinct, constant (period 1) functions in Ω.sub.n Thus, the remaining n.sup.p−n periodic functions have period p. □

Machine Remark 6. The prime clock [p, t], projected into Ω.sub.n, has period p.

[0200] PROOF. Since p is prime, this follows immediately from remark 3. □

Machine Theorem 2. Finite Prime Clock Sums are Periodic

[0201] Any finite sum of prime clock machines [q.sub.1, t.sub.1]⊕.sub.n[q.sub.2, t.sub.2]⊕.sub.n . . . ⊕.sub.n [q.sub.1, t.sub.1] is periodic.

[0202] PROOF. Use induction and apply remark 6 and lemma 1. □

[0203] The following statements are restricted to Ω.sub.2.

Machine Remark 7. [p, t]⊕[p, t]=0 for any prime clock [p, t].

[0204] Per definition , ([p, k]⊕[p, k])(m)=([p, k](m)+[p, k](m)) mod 2=0 in .sub.2.

[0205] Let ƒ∈Ω.sub.n. If ƒ is a constant function where ƒ(m)=c for all m∈, then the expression ƒ=c indicates this.

[0206] Machine Remark 8. Let p be an odd prime. If p is a 3 mod 4 prime, then prime clock machine [p, 0]⊕[p, 1]⊕. . . ⊕[p, p−1]=1. If p is a 1 mod 4 prime, then prime clock machine [p, 0]⊕[p, 1]⊕. . . ⊕[p, p−1]=0.

[0207] PROOF. ([p, 0]⊕[p, 1]⊕. . . ⊕[p, p−1]) (0)=(0+1 +. . . +p−1) mod 2=½(p−1)p mod 2. For each m>0, ([p, 0]⊕[p, 1]⊕. . . ⊕[p, p−1])(m) is a permutation of the sum inside (0+1 +. . . +p−1) mod 2. □

For the special case p=2, observe that [2, 0]⊕[2, 1]=1.
Machine Specification 8. A finite sum [q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.l, t.sub.l] machine of prime clocks is non-repeating if i≠j implies [q..sub.i, t.sub.i] is not equal to [q.sub.j,t.sub.j].
Machine Remark 9. Any finite sum [q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.l, t.sub.l] of prime clock machines in Ω.sub.2 can be reduced to a non-repeating finite sum [q.sub.i.sub.1, t.sub.i.sub.1]⊕[q.sub.i.sub.2, t.sub.i.sub.2]⊕. . . ⊕[q.sub.i.sub.r, t.sub.i.sub.r], where r≤l such that for any m∈, ([q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.l, t.sub.l]) (m)=([q.sub.i.sub.1, t.sub.i.sub.1]⊕[q.sub.i.sub.2, t.sub.i.sub.2]⊕. . . ⊕[q.sub.i.sub.r, t.sub.i.sub.r])(m).

[0208] Since (Ω.sub.2, ⊕.sub.2) is abelian, if necessary, rearrange the order of [q.sub.1, t.sub.1]⊕[q.sub.2, t.sub.2]⊕. . . ⊕[q.sub.l, t.sub.l], so that the prime clocks are ordered using the dictionary order. If two or more adjacent prime clocks are equal, then the associative property and remark 7 enables the cancellation of even numbers of equal prime clocks. This reduction can be performed a finite number of times so that the resulting sum is non-repeating. □

Machine Specification 9. Let p be a prime. A finite sum of prime clock machines [p, t.sub.1]⊕[p, t.sub.2]⊕. . . [p, t.sub.l−1]⊕[p, t.sub.l] is called a p-clock sum of length l if for each 1≤i<l, the clock [p, t.sub.i] is a p-clock machine and the sum is non-repeating. The non-repeating condition implies l≤p.
Machine Lemma 3. Let p be a prime. A p-clock machine sum with length p has period 1. A p-clock machine sum with length l such that 1≤l<p has period p.

[0209] PROOF. When p=2, the 2-clock sum [2, 0] has period 2 and the 2-clock sum [2, 1] also has period 2. Recall that [2, 0]⊕[2, 1]=1. For the remainder of the proof, it is assumed that p is an odd prime.

[0210] Let [p, t.sub.1]⊕[p, t.sub.2]⊕. . . [p, t.sub.l−1]⊕[p, t.sub.l] be a p-clock sum. When l=p, remark 8 implies that [p, t.sub.1]⊕[p, t.sub.2]⊕. . . [p, t.sub.l−1]⊕[p, t.sub.l] has period 1. Lemma 1 and remark 6 imply that [p, t.sub.1]⊕[p, t.sub.2]⊕. . . [p, t.sub.l−1]⊕[p, t.sub.l] has period p or period 1. The rest of this proof shows that 1≤l≤p−1 implies that the p-clock sum cannot have period 1.

[0211] Thus, it suffices to show that 1≤l<p implies that ([p, t.sub.1]⊕[p, t.sub.2]⊕. . . ⊕[p, t.sub.l])(m)≠([p, t.sub.1]⊕[p, t.sub.2]⊕. . . ⊕[p, t.sub.l])(m+1) for some m∈. If needed, the p-clock sum may be permuted so that [p, s.sub.1]⊕[p, s.sub.2]⊕. . . ⊕[p, s.sub.l]=[p, t.sub.1]⊕[p, t.sub.2]⊕. . . ⊕[p, t.sub.l] and the s.sub.i are strictly increasingly. Strictly increasing means 0≤s.sub.1<s.sub.2 . . . s.sub.l−1<s.sub.l≤p−1.

[0212] Case A. l is odd. If s.sub.l<p−1, then

[00021]$\begin{array}{cc}\left(\left[p,s_1\right]\oplus \left[p,s_2\right]\oplus \mathrm{.Math.}\oplus \left[p,s_l\right]\right)\left(0\right)=\underset{i=1}{\overset{l}{.Math.}}{s}_i\mathrm{mod}2\ne \underset{i=1}{\overset{l}{.Math.}}\left(s_i+1\right)\mathrm{mod}2=\left(\left[p,s_1\right]\oplus \left[p,s_2\right]\oplus \mathrm{.Math.}\oplus \left[p,s_l\right]\right)\left(1\right)& \end{array}$

because l is odd.

[0213] Otherwise, s.sub.l=p−1. Set s.sub.0=0. (The auxiliary index s.sub.0=0 handles the case s.sub.k+1−s.sub.k for all k such that 1≤k<l.) Set m=max {k∈: s.sub.k+1−s.sub.k≥2 and 0≤k<l}. Since s.sub.0=0 and 1≤l<p, the pigeonhole principle implies m exists. Before the mod 2 step, the difference between

[00022]$\underset{i=1}{\stackrel{l}{.Math.}}\left(\left(s_i+l-m+1\right)\mathrm{mod}p\right)$$\mathrm{and}$$\underset{i=1}{\stackrel{i}{.Math.}}\left(\left(s_i+l-m\right)\mathrm{mod}p\right)$

equals l. Thus, ([p, s.sub.1]⊕[p, s.sub.2]⊕. . . ⊕[p, s.sub.l])(l−m)≠[p, s.sub.1]⊕[p, s.sub.2]⊕. . . ⊕[p, s.sub.l])(l−m+1).

[0214] Case B. l is even. Set j=(p−1)−s.sub.l. Before the mod 2 step, the sum

[00023]$\underset{i=1}{\overset{l}{.Math.}}\left(\left(s_i+j\right)\mathrm{mod}p\right)$

differs from the sum

[00024]$\underset{i=1}{\overset{l}{.Math.}}\left(\left(s_i+j+1\right)\mathrm{mod}p\right)$

by an odd number. Thus, ([p, s.sub.1]⊕. . . ⊕[p, s.sub.l])(j)≠([p, s.sub.1]⊕. . . ⊕[p, s.sub.l])(j+1). □.
Machine Specification 10. Let p be prime. The p-clock machine sum [p, s.sub.1]⊕. . . ⊕[p, s.sub.l] is distinct from the p-clock machine sum [p, t.sub.1]⊕. . . ⊕[p, t.sub.m] if l≠m or if for some i, prime clock [p, s.sub.i] machine is not an element of the set of machines {[p, t.sub.1], [p, t.sub.2], . . . [p, t.sub.m]}.

[0215] 7-clock sum [7, 2]⊕[7, 3] is distinct from [7, 2]⊕[7, 3]⊕[7, 4]. 7-clock sum [7, 0]⊕[7, 2]⊕[7, 3] is distinct from [7, 1]⊕[7, 2]⊕[7, 3].

Machine Theorem 4. For any 3 mod 4 prime p, if two p-clock sums are distinct, then they are not equal in Ω.sub.2. The theorem also holds for p=2.

[0216] PROOF. The special case p=2 is verified by examining columns 2 and 3 of FIG. 7.

[0217] Let p be a 3 mod 4 prime. Assume p-clock sum [p, s.sub.1]⊕. . . ⊕[p, s.sub.1] is distinct from p-clock sum [p, t.sub.1]⊕. . . ⊕[p, t.sub.m]. By reductio absurdum, suppose

[p, s.sub.1]⊕. . . ⊕[p, s.sub.l]=[p, t.sub.1]⊕. . . ⊕[p, t.sub.m].  (6.2)

[0218] For each s.sub.i∈{t.sub.1, . . . , t.sub.m}, the operation ⊕[p, s.sub.i] in Ω.sub.2 can be applied to both sides of equation 6.2. Similarly, for each t.sub.j∈{s.sub.1, . . . , s.sub.l}, the operation ⊕[p, t.sub.j] can be applied to both sides of equation 6.2. Since (Ω.sub.2, ⊕) is an abelian group, equation 6.2 can be simplified to [p, s.sub.1]⊕. . . ⊕[p, s.sub.L]=[p, t.sub.1]⊕. . . ⊕[p, t.sub.M] such that {s.sub.1, . . . , s.sub.L}∩{t.sub.1, . . . , t.sub.M}=0 and M+L≤p.

[0219] Set ƒ=[p, s.sub.1]⊕. . . ⊕[p, s.sub.L]. Apply ƒ⊕ to both sides of [p, s.sub.1]⊕. . . ⊕[p, s.sub.L]=[p, t.sub.1]⊕. . . ⊕[p, t.sub.M]. This simplifies to ƒ⊕[p, t.sub.1]⊕. . . ⊕[p, t.sub.M]=0. Lemma 3 implies that L+M=p. Since L+M=p and {s.sub.1, . . . , s.sub.L}∩{t.sub.1, . . . , t.sub.M}=0 and p is a 3 mod 4 prime, remark 8 implies that ƒ⊕[p, t.sub.1]⊕. . . ⊕[p, t.sub.M]=1. This is a contradiction, so [p, s.sub.1]⊕. . . ⊕[p, s.sub.l] is not equal to [p, t.sub.1]⊕. . . ⊕[p, t.sub.m] in Ω.sub.2.

[0220] Let .sub.l be the set of all p-sums of length l, where 1≤l≤p. There are

[00025]$\hspace{1em}\left(\begin{array}{c}p\\ l\end{array}\right)$

distinct p-sums in each set .sub.l.

Set

[0221] [00026]$G_p=\underset{l=1}{\overset{p}{.Math.}}{S}_l.Math.\left\{\overline{0}\right\}.$

For any ƒ, g∈G.sub.p, remark 7 implies ƒ⊕g.sup.−1 in G.sub.p. Thus, (G.sub.p, ⊕) is an abelian subgroup of Ω.sub.2.

[0222] Set B.sub.p={0, 1}.sup.p. For any a.sub.1 . . . a.sub.p∈B.sub.p and b.sub.1 . . . b.sub.p∈B.sub.p, define a.sub.1 . . . a.sub.p+2 b.sub.1 . . . b.sub.p=c.sub.p, where c.sub.i=(a.sub.i+b.sub.i) mod 2. (B.sub.p, +.sub.2) is an abelian group with 2.sup.p elements.

[0223] When p is a 3 mod 4 prime, define the group isomorphism ϕ: G.sub.p.fwdarw.B.sub.p where ϕ(0)=0 . . . 0∈B.sub.p and ϕ([p, t.sub.1]⊕[p, t.sub.2]⊕. . . [p, t.sub.1])=c.sub.1 . . . c.sub.p where c.sub.i=([p, t.sub.1]⊕[p, t.sub.2]⊕. . . [p, t.sub.1]) (i).

Machine Corollary 5. Let p be a 3 mod 4 prime. The subgroup G.sub.p of Ω.sub.2, generated by the p-clocks [p, 0], [p, 1], . . . [p, p−1] has order 2.sup.p and is isomorphic to (B.sub.p, +.sub.2).

[0224] PROOF. Theorem 4 implies ϕ is a group isomorphism.

[0225] Theorem 4 does not hold when p is a 1 mod 4 prime. For example, [5, 0]⊕[5, 1] equals [5, 2]⊕[5, 3]⊕[5, 4].

Machine Theorem 6. For any 1 mod 4 prime p, if two p-clock sums are distinct and their lengths are

[00027]$\mathrm{both}\le \frac{p-1}{2},$

then they are not equal in Ω.sub.2.

[0226] PROOF. The proof is almost the same as the proof in theorem 4, except the additional condition that

[00028]$L\le \frac{p-1}{2}$$\mathrm{and}$$M\le \frac{p-1}{2}$

and reduction [p, s.sub.1]⊕. . . ⊕[p, s.sub.L]⊕[p, t.sub.1]⊕. . . ⊕[p, t.sub.M]=0leads to an immediate contradiction: L+M≤p−1 and {s.sub.1, . . . , s.sub.L}∩{t.sub.1, . . . , t.sub.M}=0 means lemma 3 implies [p, s.sub.1]⊕. . . ⊕[p, s.sub.L]⊕[p, t.sub.1]⊕. . . ⊕[p, t.sub.M] has period p. □
Machine Remark 10. Let p be a 1 mod 4 prime. Let ƒ=[p, s.sub.1]⊕. . . ⊕[p, s.sub.l] for some 1≤l≤½(p−1). Set T={0, 1, . . . , p−1}−{s.sub.1, . . . , s.sub.l}. Now T={t.sub.1, . . . , t.sub.m}, where l+m=p. Set g=[p, t.sub.1]⊕. . . ⊕[p, t.sub.m]. Then ƒ=g in Ω.sub.2.

[0227] PROOF. Since p is a 1 mod 4 prime,

[00029]$\begin{array}{cc}\left(f\oplus g\right)\left(0\right)=\underset{0}{\overset{p-1}{.Math.}}k\mathrm{mod}2=0& \end{array}$

in .sub.2. When k>1, the sum of the elements of ƒ⊕g before projecting into Ω.sub.2 is a permutation of the elements {0, 1, . . . , p−1}. Thus, for all k>1, (f⊕g)(k)=0 in .sub.2. This means g=ƒ.sup.−1. Lastly, ƒ=ƒ.sup.−1 in Ω.sub.2, so ƒ=g in Ω.sub.2. □

[0228] Let p be a 1 mod 4 prime. Set

[00030]$H_{p-1}=\stackrel{\frac{1}{2}\left(p-1\right)}{\underset{l=1}{.Math.}}{S}_l.Math.\left\{\overline{0}\right\}.$

Observe that

[00031]$.Math.H_{p-1}.Math.=\underset{l=1}{\overset{\frac{1}{2}\left(p-1\right)}{.Math.}}\left(\begin{array}{c}p\\ k\end{array}\right)+1=2^{p-1}.$

To verify that (H.sub.p−1, ⊕) is a subgroup of (Ω.sub.2, ⊕), let ƒ, g∈H.sub.p−1. Since g=g.sup.−1 in (Ω.sub.2, ⊕), it suffices to show that ƒ⊕g lies in H.sub.p−1. If ƒ or g equals 0, closure in (H.sub.p−1, ⊕) holds. Otherwise, ƒ=[p, s.sub.1]⊕. . . [p, s.sub.l] for some 1≤l≤½(p−1) and g=[p, t.sub.1]⊕. . . ⊕[p, t.sub.m] for some 1≤m≤½(p−1). As mentioned before, the sum ƒ⊕g may be reduced to [p, s.sub.1]⊕. . . ⊕[p, s.sub.L]⊕[p, t.sub.1]⊕. . . ⊕[p, t.sub.M], where {s.sub.1, . . . , s.sub.L}∩{t.sub.1, . . . , t.sub.M}=0 and L+M≤p. If L+M≤½(p−1), closure in (H.sub.p−1, ⊕) holds. Otherwise, if L+M>½(p−1), remark 10 implies that there is a p-sum h=ƒ⊕g, where h's length is p−(L+M) and p−(L+M)≤½(p−1).

[0229] Similar to the group isomorphism ϕ, define φ: H.sub.p−1.fwdarw.B.sub.p−1 such that φ(0)=0 . . . 0∈B.sub.p. For each p-sum in S.sub.l, where 1≤l≤½(p−1), define φ([p, t.sub.1]⊕[p, t.sub.2]⊕. . . [p, t.sub.l])=c.sub.1 . . . c.sub.p-1 where c.sub.i=([p, t.sub.1]⊕[p, t.sub.2]⊕. . . [p, t.sub.l](i). It is straightforward to verify that φ is a group isomorphism onto B.sub.p-1. The group isomorphism φ: H.sub.p-1.fwdarw.B.sub.p-1 leads to the following corollary.

Machine Corollary 7. Let p be a 1 mod 4 prime. The subgroup H.sub.p−1 of Ω.sub.2, generated by the p-clock machines [p, 0], [p, 1], . . . [p, p−1] has order 2.sup.p−1 and is isomorphic to (B.sub.p−1, +.sub.2).
Machine Theorem 8. Let n be a positive integer. For any of the 2.sup.2.sup.n boolean functions ƒ: {0, 1}.sup.n.fwdarw.{0, 1}, there exists a finite sum of prime clock machines on Ω.sub.2 that can compute ƒ.

[0230] PROOF. This theorem follows immediately from corollaries 5 and 7 along with Euclid's second theorem [15] that the number of primes is infinite. □

Furthermore, finding a finite prime clock machine that computes ƒ can be computed with efficient computational procedures because there are efficient computable algorithms that can decide whether a natural number n is prime.

REFERENCES

[0231] [1] H. Aiken and G. Hopper. “The Automatic Sequence Controlled Calculator,” reprinted in B. Randell, ed., The Origins of Digital Computers. Berlin: Springer Verlag, 203-222, 1982.

[0232] [2] Jean-Philippe Aumasson, Samuel Neves, Zooko Wilcox-O'Hearn, Christian Winnerlein. BLAKE. https://131002.net/blake/

[0233] [3]J. Bardeen and W. H. Brattain. The Transistor, A Semi-Conductor Triode. Physical Review, 74, 230, Jul. 15, 1948.

[0234] [4] S. Banik, A. Bogdanov, T. Isobe, K. Shibutani, H. Hiwatari, T. Akishata, F. Regazzoni: Midori: A Block Cipher for Low Energy. In: T. Iwata, J. H. Cheon (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411-436. Springer, Heidelberg (2015)

[0235] [5] Daniel Bernstein. Cache-timing attack on AES. 2005. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

[0236] [6] Guido Bertoni, Joan Daemen, Michael Peeters, Gilles Van Assche. Keccak Reference 3.0 2011. http://keccak.noekeon.org/ http://en.wikipedia.org/wiki/Keccak

[0237] [7] A. W. Burks and A. R. Burks, “The ENIAC: First General Purpose Electronic Computer,” Annals of the History of Computing, 3, 4, 310-399, 1981.

[0238] [8] John Conway and Simon Kochen. The Strong Free Will Theorem. Notices of the American Mathematical Society. 56(2), 226-232, February 2009.

[0239] [9] Stephen Cook. The P VS NP Problem. http://www.claymath.org/sites/default/files/pvsnp.pdf

[0240] [10] Thomas W. Cusick and Pante Stanica. Cryptographic Boolean Functions and Applications. Academic Press (2009)

[0241] [11] Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker. The Skein Hash Function Family. 2010. https://www.schneier.com/skein1.3.pdf http://en.wikipedia.org/wiki/Skein_(hash_function)

[0242] [12] Klint Finley. Chinese Supercomputer Is Still the World's Most Powerful. Wired Magazine. Nov. 18, 2013.

[0243] [13] Praveen Gauravaram, Lars Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen. GrØstl—a SHA-3 candidate. http://www.groestl.info

[0244] [14] Paul Halmos, S. Givant: Logic as Algebra. The Mathematical Association of America (1998)

[0245] [15] G. H. Hardy and E. M. Wright: An Introduction to the Theory of Numbers. Oxford University Press, 6th edition, Oxford (2008)

[0246] [16] J. Hennessy, D. Patterson: Computer Architecture. A Quantitative Approach. 5th Edition, Elsevier (2012)

[0247] [17] Intel 64 and IA-32 Architectures Software Developer's Manual. April (2016)

[0248] [18] Jack Kilby. Miniaturized Electronic Circuits. U.S. Pat. No. 3,138,743. 1959.

[0249] [19] Simon Kochen and E. P. Specker. The Problem of Hidden Variables in Quantum Mechanics. Journal of Mathematics and Mechanics. Vol. 17, No. 1, 59-87 (1967)

[0250] [20] Paul Kocher, Joshua Jaffe and Benjamin Jun. Differential Power Analysis. Advances in Cryptology—Crypto 99 Proceedings. LNCS Volume 1666, M. Weiner, edited, Springer-Verlag, (1999).

[0251] [21] J. E. Lilienfeld. Method and apparatus for controlling electric currents. U.S. Pat. No. 1,745,175: Jan. 28, 1930. Oct. 8, 1926.

[0252] [22] J. E. Lilienfeld. Device for controlling electric current. U.S. Pat. No. 1,900,018: March 7, 1933. Mar. 28, 1928.

[0253] [23] Carver Mead. Analog VLSI and Neural Systems. Addison-Wesley Publishing Company (1989)

[0254] [24] Lily Hay Newman. What We Know About Friday's Massive East Coast Internet Outage. Wired Magazine. Oct. 21, 2016. https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/

[0255] [25] NIST. FIPS-180-2: Secure Hash Standard, August 2002. http://www.itl.nist.gov/fipspubs/.

[0256] [26] Robert N. Noyce. Semiconductor Device-and-Lead Structure. U.S. Pat. No. 2,981,877. 1959.

[0257] [27] M. Riordan, Lillian Hoddeson, and Conyers Herring. The invention of the transistor. Reviews of Modern Physics, vol. 71, no. 2, Centenary 1999. American Physical Society, 1999.

[0258] [28] Claude Shannon: The synthesis of two-terminal switching circuits. Bell Systems Technical Journal. 28, 59-98, (1949)

[0259] [29] Alan M. Turing. On computable numbers, with an application to the Entscheidungsproblem. Proc. London Math. Soc. Series 2 42 (Parts 3 and 4), 230-265 (1936). A correction, ibid. 43, 544-546 (1937).

[0260] [30] Alan M. Turing. Proposals for Development in the Mathematics Division of an Automatic Computing Engine (ACE), Report E882. NPL, 1945.

[0261] [31] Herbert Vollmer: Introduction to Circuit Complexity. Springer, Heidelberg (1999)

[0262] [32] A. F. Webster and S. E. Tavares. On the Design of S-Boxes. Advances in Cryptology. CRYPTO 85 Proceedings. LNCS 218. Springer, 523-534, 1986.

[0263] [33] Hongjun Wu. The Hash Function J H. 2011. http://ehash.iaik.tugraz.at/wiki/JH http://www3.ntu.edu.sg/home/wuhj/research/jh/jh_round3.pdf

[0264] [34] Hao Yan, Liping Feng, Thomas H. LaBean and John H. Reif. Parallel Molecular Computations of Pairwise Exclusive-Or (XOR) Using DNA “String Tile” Self-Assembly. J. Am. Chem. Soc., 125, 47, 14246-14247, 2003.

[0265] [35] Konrad Zuse. Patentanmeldung Z-2391, German Patent Office, 1941.

[0266] [36] Konrad Zuse. Der Computer mein Lebenswerk. Springer-Verlag, 1970.