Generating cryptographic checksums

Abstract

A method (400) of generating a cryptographic checksum for a message M(x) is provided. The method is performed by a communication device, such as a sender or a receiver, and comprises calculating (405) the cryptographic checksum as a first function g of a division of a second function of M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g((M(x))mod p(x)). The generator polynomial is calculated (403) as p(x)=(1x).Math.P.sub.1(x), and P1(x) is a primitive polynomial of degree n1. The primitive polynomial is selected (402), based on a first cryptographic key, from the set of primitive polynomials of degree n1 over a Galois Field. By replacing a standard checksum with a cryptographic checksum, an efficient message authentication is provided. The proposed cryptographic checksum may be used for providing integrity assurance on the message, i.e., for detecting random and intentional message changes, with a known level of security. The proposed checksum is capable of detecting double-bit errors which may be introduced by a Turbo code decoder.

Claims

1. A method by a sender device for authenticating a message M(x), the method comprising: acquiring the message M(x); generating a cryptographic checksum for the message M(x), wherein generating the cryptographic checksum comprises calculating the cryptographic checksum as a first function g of a division of a second function of the message M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g((M(x)) mod p(x)), wherein the generator polynomial p(x) is calculated as p(x)=(1x).Math.p.sub.1(x), and p.sub.1(x) is a primitive polynomial of degree n1 that is selected, based on a first cryptographic key, from a set of primitive polynomials of degree n1 over a Galois Field; appending the cryptographic checksum to the message M(x); and transmitting the message M(x) and the cryptographic checksum.

2. A method by a receiver device for authenticating a message M(x), the method comprising: receiving the message M(x) and a first cryptographic checksum appended to the message M(x); generating a second cryptographic checksum for the message M(x), wherein generating the second cryptographic checksum comprises calculating the second cryptographic checksum as a first function g of a division of a second function of the message M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g((M(x)) mod p(x)), wherein the generator polynomial p(x) is calculated as p(x)=(1x).Math.p.sub.1(x), and p.sub.1(x) is a primitive polynomial of degree n1 that is selected, based on a first cryptographic key, from a set of primitive polynomials of degree n1 over a Galois Field; and verifying whether the first cryptographic checksum and the second cryptographic checksum are identical.

3. A sender device configured for authenticating a message M(x), the sender device comprising: processing circuitry; and a memory comprising instructions that when executed by the processing circuitry cause the sender device to: acquire the message M(x); generate a cryptographic checksum for the message M(x) by calculating the cryptographic checksum as a first function g of a division of a second function of the message M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g((M(x)) mod p(x)), wherein the generator polynomial p(x) is calculated as p(x)=(1x).Math.p.sub.1(x), and p.sub.1(x) is a primitive polynomial of degree n1 that is selected, based on a first cryptographic key, from a set of primitive polynomials of degree n1 over a Galois Field; append the cryptographic checksum to the message M(x); and transmit the message M(x) and the cryptographic checksum.

4. The sender device according to claim 3, wherein the memory comprises instructions that cause the sender device to: select the primitive polynomial; and calculate the generator polynomial p(x).

5. The sender device according to claim 3, wherein the memory comprises instructions that cause the sender device to: receive the primitive polynomial or information describing how to generate the primitive polynomial; and calculate the generator polynomial p(x) based on the received primitive polynomial or the received information describing how to generate the primitive polynomial.

6. The sender device according to claim 3, wherein the memory comprises instructions that cause the sender device to: receive the generator polynomial p(x) or information describing how to generate the generator polynomial p(x).

7. The sender device according to claim 3, wherein the primitive polynomial is pseudo-randomly selected.

8. The sender device according to claim 3, wherein the memory comprises instructions that cause the sender device to generate a pad of length n, wherein the first function g comprises an addition with the pad.

9. The sender device according to claim 3, wherein the primitive polynomial is selected additionally based on information that is specific for the message M(x).

10. The sender device according to claim 9, wherein the information that is specific for the message M(x) comprises a message sequence number.

11. The sender device according to claim 3, wherein the second function (M(x)) comprises a multiplication with a fixed polynomial x.sup.n.

12. The sender device according to claim 3, wherein the memory comprises instructions that cause the sender device to: encode the message M(x) and the cryptographic checksum appended to the message M(x) into a codeword of a Forward Error Correction (FEC) code, wherein the message M(x) and the cryptographic checksum are transmitted with the FEC codeword.

13. The sender device according to claim 12, wherein the memory comprises instructions that cause the sender device to encode the message M(x) and the cryptographic checksum into a codeword of an FEC code by: generating one or more check bits of the FEC code based on the message M(x) and the cryptographic checksum; and appending the one or more check bits of the FEC code to the message M(x) and the cryptographic checksum.

14. The sender device according to claim 3, wherein the sender device comprises one of: a mobile terminal configured for operation in a communications network, or a radio access node configured for operation in a communications network.

15. A receiver device configured for authenticating a message M(x), the receiver device comprising: processing circuitry; and a memory comprising instructions that when executed by the processing circuitry cause the receiver device to: receive the message M(x) and a first cryptographic checksum appended to the message M(x); generate a second cryptographic checksum for the message M(x) by calculating the second cryptographic checksum as a first function g of a division of a second function of the message M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g ((M(x)) mod p(x)), wherein the generator polynomial p(x) is calculated as p(x)=(1x).Math.p.sub.1(x), and p.sub.1(x) is a primitive polynomial of degree n1 that is selected, based on a first cryptographic key, from a set of primitive polynomials of degree n1 over a Galois Field; and verify whether the first cryptographic checksum and the second cryptographic checksum are identical.

16. The receiver device according to claim 15, wherein the message M(x) and the first cryptographic checksum are received with a codeword of a Forward Error Correction (FEC) code, wherein the memory comprises instructions that cause the receiver device to: extract the message M(x) and the first cryptographic checksum from the FEC codeword.

17. The receiver device according to claim 16, wherein the FEC codeword comprises the message M(x), the first cryptographic checksum appended to the message M(x), and one or more check bits of the FEC code appended to the message M(x), and wherein the memory comprises instructions that cause the receiver device to extract the message M(x) and the first cryptographic checksum from the FEC codeword by: correcting the message M(x) and the first cryptographic checksum based on the one or more check bits of the FEC code.

18. The receiver device according to claim 15, wherein the receiver device comprises one of: a mobile terminal configured for operation in a communications network, or a radio access node configured for operation in a communications network.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The above, as well as additional objects, features and advantages of the invention, will be better understood through the following illustrative and non-limiting detailed description of embodiments of the invention, with reference to the appended drawings, in which:

(2) FIG. 1 shows a communication system.

(3) FIG. 2 shows a codeword.

(4) FIG. 3 shows a block diagram illustrating message authentication.

(5) FIG. 4 shows a flow chart for a method of a sender, in accordance with an embodiment of the invention.

(6) FIG. 5 shows a flow chart for a method of a receiver, in accordance with an embodiment of the invention.

(7) FIG. 6 shows a sender, in accordance with an embodiment of the invention.

(8) FIG. 7 shows a receiver, in accordance with an embodiment of the invention.

(9) FIG. 8 shows a sender, in accordance with another embodiment of the invention.

(10) FIG. 9 shows a receiver, in accordance with another embodiment of the invention.

(11) FIG. 10 shows an IC, in accordance with an embodiment of the invention.

(12) FIG. 11 shows a mobile phone, in accordance with an embodiment of the invention.

(13) All the figures are schematic, not necessarily to scale, and generally only show parts which are necessary in order to elucidate the invention, wherein other parts may be omitted or merely suggested.

DETAILED DESCRIPTION

(14) The invention will now be described more fully herein after with reference to the accompanying drawings, in which certain embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.

(15) In FIG. 1, a communication system 100 is illustrated which comprises two communication devices, a sender device 101 and a receiver device 102, throughout this disclosure referred to as sender and receiver, respectively, which are configured for communicating over a communications network 103. In particular, sender 101 is configured for transmitting a message 105, and receiver 102 is configured for receiving message 105. Preferably, communication devices 101 and 102 are configured for transmitting and receiving messages. Sender 101 and receiver 102 may be any type of device capable of effecting communications over communications network 103, such as computers, mobile terminals, User Equipments (UEs), M2M/IoT type of devices, or nodes of a Radio Access Network (RAN), such as gateways, Radio Network Controllers (RNCs), Radio Base Stations (RBSs), NodeBs, or eNodeBs. Communications network 103 may be any one, or a combination of, a wired or wireless network, e.g., a RAN such as GSM, UMTS, LTE, a WLAN/WiFi network, an Ethernet network, a corporate network, the Internet, or the like.

(16) Message 105 which is transmitted from sender 101 to receiver 102 via communications network 103 may be subject to modifications, either random/unintentional or intentional/malicious. Random modifications may, e.g., be caused by burst errors or non-adjacent t-bit errors (t=2), occurring during transmission over an air interface of a wireless network of communications network 103 or by some FEC decoder such as a Turbo code decoder. Malicious modifications on the other hand may originate from an adversary 104 which is also illustrated in FIG. 1. Adversary 104 may intercept message 105 transmitted by sender 101 and re-transmit a modified copy of the message to receiver 102. Adversary 104 may also attempt to generate new messages without relying on modifications of messages received from sender 101. Typically, the intent of adversary 104 is to inject malicious messages into receiver 102, in particular a network interface, operating system, or application, of receiver 102.

(17) It is known in the art to detect random modifications of message 105 by means of an integrity assurance on message 105. This may be achieved by providing message 105 with a checksum, such as a CRC, as is illustrated in FIG. 2. The usage of checksums in accordance with embodiments of the invention is throughout this disclosure described in connection with Forward Error Correction (FEC) codes, which are used for controlling errors in data transmission over unreliable or noisy communication channels. FEC codes are, e.g., used in LTE networks. The idea behind FEC is that sender 101 encodes a message in a redundant way by using an error-correcting code, allowing receiver 102 to detect and correct certain errors. The capability of detecting different types of errors depends on the type of FEC code employed. Note, however, that the invention may be useful also in scenarios which do not rely on FEC. For example, this may be the case if a channel between a sender and a receiver for some reason has a tendency to introduce double-bit errors, akin to what may occur in an FEC decoder, as discussed above.

(18) To this end, a checksum 203, such as a CRC, is generated for a message 204, which in FIG. 2 is illustrated as comprising a header 201 and a body 202 carrying payload, and appended to message 204. Message 204 and the appended checksum 203 are subsequently encoded into an FEC codeword 206. If an FEC algorithm with separable FEC codes is used, as is illustrated in the upper part 210 of FIG. 2, a number of FEC check bits 205 are generated based on the FEC algorithm and appended to message 204 and checksum 203, resulting in an FEC codeword 206 with separable check bits 205. As an alternative, illustrated in the lower part 220 of FIG. 2, one may envisage FEC algorithms which do not use separable FEC codes. In the latter case, message 204 and checksum 203 are encoded into an FEC codeword 206 which has an increased length as compared to the combined length of message 204 and checksum 203, to provide for redundant bits. Codeword 206 (corresponding to, or carried in, message 105 in FIG. 1) is then transmitted to receiver 102 where the integrity of message 204 is verified, as is described in the following with reference to FIG. 3, which shows a block diagram 300 illustrating the sender side (left in FIG. 3) and the receiver side (right in FIG. 3), corresponding to sender 101 and receiver 102, respectively, of FIG. 1.

(19) At sender 101, message 204 which is to be transmitted to receiver 102 is acquired, e.g., received from a higher layer of a protocol stack of sender 101, and fed into an algorithm 301 configured for calculating a first checksum (CS in FIG. 3) 203, in particular a CRC. In addition to message 204, checksum algorithm 301 receives a shared secret as input, e.g., a cryptographic key, and generates first checksum 203 as output. Optionally, checksum algorithm 301 may additionally receive an Initialization Value (IV) as input, based on which first checksum 203 is generated. The IV may be a separate input to checksum algorithm 301, or it may be input as part of message 204, e.g., by prepending or appending it to message 204. Then, message 204 and checksum 203 are combined, by appending checksum 203 to message 204 before they are encoded, by an FEC encoding algorithm 311, into an FEC codeword 206 which subsequently is transmitted as message 105 to receiver 102, e.g., via communications network 103.

(20) At receiver 102, an FEC codeword 216 is received and fed into an FEC decoding algorithm 312, which corresponds to FEC encoder 311 and is capable of detecting and correcting burst errors introduced during transmission of FEC codeword 206 originating from sender 101. In absence of any transmission errors, FEC codeword 216 received by receiver 102 is identical to FEC codeword 206 transmitted by sender 101. An output from FEC decoder 312 is a message 214 and its checksum 213 (CS in FIG. 3). Note that message 214 and checksum 213 may be different from message 204 and checksum 203, respectively, fed into FEC encoder 311 on the sender side, owing to errors introduced by FEC decoder 312. Such errors may be introduced by Turbo code decoders which are frequently used in LTE, since Turbo code decoding is based on probabilistic decisions. A common type of error introduced by Turbo code decoders is double-bit errors, where the two flipped bits are not necessarily consecutive.

(21) Message 314 is fed into checksum algorithm 301 which is identical to checksum algorithm 301 of sender 101 and which generates a second checksum 223 (CS in FIG. 3) based on message 314 and further based on a shared secret which is identical to the shared secret used by sender 101. Optionally, checksum algorithm 301 may additionally receive an IV as input which is identical to the IV used by sender 101. Then, the integrity of message 314 is verified by feeding the second checksum 223 into a comparator 305 and comparing it to the first checksum 213 extracted from the received codeword 206. The result of the comparison is made available by comparator 305 for further use, e.g., for a higher layer of a communication stack of receiver 102, and indicates whether the first checksum 213 and the second checksum 223 are identical or not. For instance, the result output by comparator 305 may be a Boolean value, wherein a high value (Boolean 1) indicates that the two checksums are identical and a low value (Boolean 0) indicates that the two checksums differ, or vice versa. If identical, the integrity of message 304 may be assumed, i.e., that message 214 received by receiver 102 is identical to message 204 transmitted by sender 101. By verifying the integrity of message 214, it can be inferred with a certain probability that message 204 has not been modified during transmission 105.

(22) Known checksums, in particular CRCs which are cryptographic hash functions like HMAC or CBC-MAC, are designed for detecting random modifications of a message. More specifically, a CRC with a generator polynomial p(x) of degree n is capable of detecting all burst errors of length less than or equal to n. Furthermore, a CRC will detect any error which is not a multiple of its generator polynomial p(x). Encoding and decoding of CRCs can efficiently be implemented by hardware, using LFSRs, and software.

(23) For encoding at sender 101, message M(x) 204 is typically first multiplied by x.sup.n and then divided modulo generator polynomial p(x). The polynomial coefficients of the remainder,
r(x)=M(x).Math.x.sup.n mod p(x)(1),
constitute the CRC checksum 203, i.e., the message digest, and are added to the data bits, M(x).Math.x.sup.n, to form the combination of message 204 and checksum 203. Throughout this disclosure, .Math. is a finite GF multiplication (which for the finite GF(2) is equivalent to the Boolean AND) operation and mod is the remainder of polynomial modulo division in the finite field. Note that multiplication by x.sup.n shifts message M(x) 204 by n bits. That is, message M(x) 204 is shifted before combining with CRC checksum 203. As a result, the message bits are separable from the checksum bits. Then, message 204 and checksum 203 are encoded into an FEC codeword 206 by FEC encoder 311, which operates in accordance with a certain FEC algorithm. In LTE, Turbo codes are commonly used.

(24) For decoding at receiver 102, the data bits M(x).Math.x.sup.n received in FEC codeword 216 are first fed into FEC decoder 312, which operates in correspondence with FEC encoder 311, thereby extracting message 214 and checksum 213, which subsequently are divided modulo generator polynomial p(x). The polynomial coefficients of the resulting remainder, checksum 223,
r(x)=M(x).Math.x.sup.n mod p(x)(2),
are compared with the check bits r(x) 213 (CS) received with codeword 206. If no error has occurred, i.e., message 204 has not been modified during transmission 105 and no double-bit errors haven been introduced by FEC decoder 312, the remainder r(x) is the same as the received remainder r(x). A disagreement indicates an error, either a flipped bit in message 203, a flipped bit in checksum 203, or both.

(25) While traditional CRC techniques are useful for detecting random modifications or errors, adversary 104 may easily craft a modification to a message transmitted by sender 101 which passes the CRC check at receiver 102, since generator polynomial p(x) utilized by checksum algorithm 301 is not a secret known to sender 101 and receiver 102 only. For instance, adversary 104 may add to the transmitted message M(x) 204 an error e(x) corresponding to a polynomial which is a multiple of generator polynomial p(x), such that e(x) mod p(x)=0. Moreover, adversary 104 may simply replace message 204 transmitted by sender 101 by a different message 304, presumably with malicious content, encode it using the same checksum algorithm 301 as sender 101, and transmit it to receiver 102 where it passes the integrity check.

(26) A resource efficient solution for providing data integrity, and in particular in the user plane, is to replace the conventional CRC by a cryptographically secure CRC, which has the same capability of detecting random errors as a traditional CRC but which is also capable of detecting, with high probability, any intentional or malicious modification. An advantage of using a cryptographically secure CRC of the same size as a traditional CRC is that existing protocol stacks can be extended to support message authentication without requiring to redesign the entire protocol stack in order to account for a change in message size.

(27) The cryptographically secure CRC proposed by Krawczyk is based on the idea to let the generator polynomial be a shared secret, known only to sender 101 and receiver 102. Thereby, adversary 104 cannot design messages so as to pass the integrity check at receiver 102. This works satisfactorily from a security point of view, but the generator polynomial proposed by Krawczyk does not allow detecting double-bit errors.

(28) The embodiments of the invention which are described in the following are advantageous in that the integrity of message 105 transmitted from sender 101 to receiver 102 can be verified by means of a cryptographic checksum which is of the same size as a conventional CRC but which is capable of detecting intentional of malicious modifications with a high probability in addition to random errors, to which conventional CRCs are limited. In contrast to the cryptographic checksum proposed by Krawczyk, embodiments of the invention are further advantageous in that the proposed generator polynomials have the capability of detecting double-bit errors which may be introduced by FEC decoder 312.

(29) To this end, embodiments of the invention utilize a cryptographic checksum which replaces the conventional checksum 203, such as a CRC, illustrated in FIGS. 2 and 3. Note that message 204, or parts thereof, e.g., body 202, may also be encrypted in some embodiments of the invention. In such case, receiver 102 may first decrypt the message, or parts of the message, before performing integrity verification. Alternatively, at least part of the decryption process may be interleaved with the checksum verification. As yet a further alternative, there may be no need for receiver 102 to first decrypt the received message. The need to first decrypt the received message at receiver 102 is dependent on the order of processing at sender 101. For instance, if message encryption is applied at sender 101 after checksum 203 is generated and appended to message 204, receiver 102 typically first needs to decrypt the at least parts of received codeword 216. On the other hand, if sender 101 first encrypts message 204 before computing checksum 203 over the encrypted message, then receiver 102 may postpone decryption until after checksum 223 has been calculated and the integrity of the received encrypted message has been verified. Throughout this disclosure, unless otherwise noted, we assume that decryption is performed as required.

(30) Accordingly, checksum algorithm 301 which is used for generating cryptographically secure checksums at sender 101 (CS in FIG. 3) and receiver 102 (CS in FIG. 3), respectively, is modified in comparison with that proposed by Krawczyk as is described in the following.

(31) Checksum algorithm 301 is dependent on a hash function h.sub.p(M) for generating a cryptographic checksum 203 for a message M(x) 204. It comprises calculating cryptographic checksum t(M) 203 as a first function g of a division of a second function of M(x), (M(x)), modulo p(x), i.e.,
t(M)=g((M(x))mod p(x))(3),
where
h.sub.p(M)=(M(x))mod p(x)(4)
is the hash function. The generator polynomial is of the form
p(x)=(1x).Math.p.sub.1(x)(5),
where p.sub.1(x) is a primitive polynomial of degree n1 which is selected from the set of primitive polynomials over a Galois Field, in particular the Galois field of order 2, GF(2). The primitive polynomial p.sub.1(x) may be selected based on a first cryptographic key, i.e., a shared secret which is known to sender 101 and receiver 102. The shared secret may, e.g., be established by public key techniques or symmetric techniques supported by Subscriber Identity Modules (SIM), Universal SIMs (USIM), or the like, as is known in the art. The selection of the primitive polynomial p.sub.1(x) and the calculation of the generator polynomial p(x) according to Eq. (4) may be performed by sender 101 and receiver 102, e.g., in checksum algorithm 301.

(32) As an alternative, sender 101 and/or receiver 102 may also be configured for receiving the primitive polynomial p.sub.1(x), or information describing how to generate the primitive polynomial p.sub.1(x), and calculating the generator polynomial p(x) based on the received primitive polynomial p.sub.1(x) or the received information describing how to generate the primitive polynomial p.sub.1(x). For instance, sender 101 may be configured for selecting the primitive polynomial p.sub.1(x), calculating the generator polynomial p(x), and transmitting the primitive polynomial p.sub.1(x), or information describing how to generate the primitive polynomial p.sub.1(x), to receiver 102. Correspondingly, receiver 102 may be configured for receiving the primitive polynomial p.sub.1(x), or information describing how to generate the primitive polynomial p.sub.1(x), and calculating the generator polynomial p(x) based on the received primitive polynomial p.sub.1(x) or the received information describing how to generate the primitive polynomial p.sub.1(x). Alternatively, both sender 101 and receiver 102 may be configured for receiving the primitive polynomial p.sub.1(x), or information describing how to generate the primitive polynomial p.sub.1(x), from a third party, such as a key or AAA server 106, or the like, and calculating the generator polynomial p(x) based on the received primitive polynomial p.sub.1(x) or the received information describing how to generate the primitive polynomial p.sub.1(x). It will be appreciated that, in this case, the received primitive polynomial p.sub.1(x), or the received information describing how to generate the primitive polynomial p.sub.1(x), is used as input to checksum algorithm 301, instead of the shared secret and the optional IV.

(33) As yet another alternative, sender 101 and/or receiver 102 may also be configured for receiving the generator polynomial p(x) or information describing how to generate the generator polynomial p(x). For instance, sender 101 may be configured for selecting the primitive polynomial p.sub.1(x), calculating the generator polynomial p(x), and transmitting the generator polynomial p(x), or information describing how to generate the generator polynomial p(x), to receiver 102. Correspondingly, receiver 102 may be configured for receiving the generator polynomial p(x), or information describing how to generate the generator polynomial p(x). Alternatively, both sender 101 and receiver 102 may be configured for receiving the generator polynomial p(x) or information describing how to generate the generator polynomial p(x) from a third party, such as key or AAA server 106, or the like. It will be appreciated that, in this case, the received generator polynomial p(x) or the received information describing how to generate the generator polynomial p(x) is used as input to checksum algorithm 301, instead of the shared secret and the optional IV.

(34) Information describing how to generate the primitive polynomial p.sub.1(x) or the generator polynomial p(x) may, e.g., comprise an index into a list of primitive polynomials or generator polynomials, which list is known to both sender 101 and receiver 102, or the coefficients of the primitive polynomial p.sub.1(x) or the generator polynomial p(x), respectively. Alternatively, the information describing how to generate the primitive polynomial may be a seed which is used as input to a deterministic algorithm which generates a primitive polynomial in dependence of the seed. For example, the seed may be an arbitrary polynomial and the deterministic algorithm may operate by testing, in lexicographic order starting from the seed input, consecutive polynomials until a primitive polynomial is found. To test if a certain polynomial is primitive or not is well known in the art [see, e.g., ivkovi, Generation of primitive binary polynomials, International Conference on Algebra, Logic and Discrete Mathematics, Apr. 14-16, 1995, Ni].

(35) For instance, if the primitive polynomial p.sub.1(x) of degree n1 is represented as
p.sub.1(x)=.sub.i=0.sup.n-1c.sub.i.Math.x.sup.i(6),
the information describing how to generate the primitive polynomial p.sub.1(x) may comprise the set of coefficients {c.sub.i}, where c.sub.i=0 or 1, for all i=0, . . . , n1, for GF(2).

(36) Correspondingly, if the generator polynomial p(x) of degree n is represented as
p(x)=.sub.i=0.sup.nc.sub.i.Math.x.sup.i(7),
the information describing how to generate the generator polynomial p(x) may comprise the set of coefficients {c.sub.i}, where c.sub.i=0 or 1, for all i=0, . . . , n, for GF(2).

(37) The primitive polynomial p.sub.1(x), the generator polynomial p(x), or information describing how to generate the primitive polynomial p.sub.1(x) or the generator polynomial p(x), respectively, may be provided to devices involved in a communication session, such as sender 101 and/or receiver 102, during a handshake procedure which is performed as part of an initialization process of the communication session. For example, if an Authentication and Key Agreement (AKA) procedure, or the like, is utilized as part of the initialization process, the key produced by the AKA may be used as the aforementioned first cryptographic key, and may further be used as input to a deterministic algorithm generating a primitive polynomial as describe above. Alternatively, the first cryptographic key may be used as an index into a pre-computed table of suitable primitive polynomials.

(38) Further optionally, the first function g may comprise an addition with a pad s of length n, i.e.,
g(h.sub.p(M))=h.sub.p(M)+s(8),
where + is the Boolean bitwise XOR operation. Pad s may be generated pseudo-randomly, e.g., based on a second cryptographic key which may be identical to, or different from, the first cryptographic key. The first and/or the second cryptographic key may be generated from a third cryptographic key, e.g., by generating pseudo-random bit sequence from the third cryptographic key and some information known to sender 101 and receiver 102, and selecting a portion of the generated bit sequence to be the first cryptographic key and the remaining bits of the bit sequence to be the second cryptographic key. The addition of the random pad s is advantageous in that the linear transformation of generating a cryptographic checksum by means of hash function h.sub.p(M), i.e., h.sub.p(A)+h.sub.p(B)=h.sub.p(A+B), is converted into an affine transformation, h.sub.p(M)+s. In absence of the pad, h.sub.p(0)=0, irrespective of the generator polynomial used for the hash function, enabling an adversary to inject an all-zero message. Note that if encryption using a stream cipher is applied at sender 101, pad s may be provided by the encryption function, thus interleaving encryption and integrity processing. In this case, receiver 102 may either (i) first remove pad s by decryption and then treat only h.sub.p(M) as checksum 213, or (ii) not remove pad s and rather treat h.sub.p(M)+s as checksum 213.

(39) The pad used in embodiments of the invention is similar to the well-known one-time pad introduced by Vernam in the early 1900's. In the Vernam cipher, the message was combined bit-by-bit with the pad using the Boolean XOR operation. In embodiments of the invention, the pad is combined with the cryptographic checksum in an analogous fashion.

(40) In the following, the security of the proposed family hash functions for calculating cryptographic checksums in accordance with embodiments of the invention is analyzed and compared to the cryptographic checksums akin to Krawczyk.

(41) We consider an (m, n)-family of cryptographically secure hash functions which is defined as follows. For any message M(x) of binary length m and for each generator polynomial p(x) according to Eq. (4), wherein p.sub.1(x) is a primitive polynomial of degree n1 over a Galois Field, a hash function h.sub.p is defined as the binary coefficients of the polynomial
h.sub.p(M)=M(x).Math.x.sup.n mod p(x)(9).

(42) In order to compute the authentication tag, i.e., the message digest or cryptographically secure checksum,
t(M)=h.sub.p(M)+s(10),
a primitive polynomial p.sub.1(x) is generated, preferably pseudo-randomly, the generator polynomial p(x) is formed according to Eq. (4), hash function h.sub.p is evaluated, and a pseudo-randomly generated pad s is added, either explicitly or as part of an encryption process. Note that generating the primitive polynomial p.sub.1(x) either requires to run a test for primitivity for each polynomial pseudo-randomly selected from the set of all polynomials of degree n1 over a Galois Field, or to pseudo-randomly draw each primitive polynomial p.sub.1(x) from a database comprising a set of, preferably all, primitive polynomials of order n1 over a Galois Field.

(43) For the sake of analyzing the security of the proposed family of hash functions, it is assumed that adversary 104 succeeds in breaking the authentication if, after seeing M(x) and t, adversary 104 can find a message M(x)M(x) such that t=t. It is assumed here that adversary 104 knows the (m, n)-family of hash functions, but not the particular hash function h.sub.p and the pad s which are used for authenticating a particular message.

(44) The analysis is carried out by considering the distribution of CRCs over all messages of a given length. Note that a worst-case scenario is considered here, i.e., it is assumed that adversary 104 will maximize his chances by trying to design checksums and we assume adversary 104 knows (and chooses) those message(s) which maximize the probability of success. Thus, probability of success will depend on the maximum probability that two different messages M and M will have identical checksums t, calculated according to Eq. (10), since this means that adversary 104 can replace a message transmitted by sender 101 with another message without being detected, i.e., passing the integrity check at receiver 102. That is, we look for
max.sub.M,MPr[h.sub.p(M)=h.sub.p(M)](11),
where the maximum is taken over all distinct m-bit messages M and M, and the probability Pr is taken over random choices of generator polynomial p(x), according to Eq. (4), defining the hash function. Note that the presence of the pad s does not affect the probability, since h.sub.p(M)+s=h.sub.p(M)+s if, and only if, h.sub.p(M)=h.sub.p(M). Note further that the probability is a statistical quantity, and the optimal strategy to predict a random event is to make predictions according to the statistical distribution of the event. For example, predicting whether a coin-flip (of a hypothetical, perfect coin) comes up heads or tails cannot be done with success greater than , no matter what resources are available. Therefore, Eq. (11) leads to an upper bound of any adversary's probability of success, no matter what computational resources the adversary may have at its disposal.

(45) According to Theorem 1 (see Appendix), for any value of m and n, and for any message M, no adversary can succeed in breaking the authentication with the cryptographic checksum based on a randomly selected generator polynomial with probability larger than
(m+n1)/(2.sup.n-11)(12),
where is the well-known Euler totient function. The probability is called the collision probability. If 2.sup.n-11 is prime, Eq. (12) reduces to
(m+n1)/(2.sup.n-12)(13).

(46) For the case when 2.sup.n-11 is not prime, Eq. (12) can be approximated as
(m+n1)/2.sup.n-2(14).

(47) For comparison, the collision probability for the irreducible generator polynomials akin to Krawczyk is given
.sub.Kr(m+n)/2.sup.n-1(15).

(48) As one can see, for the case of 2.sup.n-11 being prime (which holds, e.g., for n=32), the proposed cryptographically secure CRC has approximately the same collision probability (Eq. (13)) as the cryptographically secure CRC of Krawczyk (Eq. (15)), and thus provides similar security.

(49) For instance, for n=32 and m=6114, the collision probability for embodiments of the invention is =2.8615.Math.10.sup.6 (Eq. (13)), whereas the collision probability for the cryptographically secure CRC akin to Krawczyk is .sub.Kr=2.8620.Math.10.sup.6 (Eq. (15)). In addition, the presented cryptographically secure CRC can detect all double-bit errors for messages of size up to 2.sup.n-11 bits, which is not the case for the cryptographically secure CRC of Krawczyk.

(50) Note that while the security analysis presented herein is based on the assumption of uniformly random parameters, e.g., randomly selected polynomials, these parameters are in practice generated pseudo-randomly. This distinction is, however, not of importance since pseudo-random generators are known which produce an output distribution which in practice cannot be distinguished from a uniform distribution. Thus, an adversary cannot exploit these differences in distributions.

(51) Embodiments of the invention are based on an, for adversary 104, unpredictable change of at least one of generator polynomial p(x) and pad s in a fashion which is deterministic for sender 101 and receiver 102. That is, the change of the generator polynomial p(x) and/or the pad s has to be synchronized between sender 101 and receiver 102.

(52) The shared secret based on which the primitive polynomial is pseudo-randomly selected, i.e., the first cryptographic key, is intended to make the output of checksum algorithm 301 unpredictable for adversary 104, but checksum algorithm 301 may optionally select the primitive polynomial p.sub.1(x) based on some (non-secret) message dependent data, such as a sequence number of the message or some other unique information in the message, e.g., a time stamp, a message identifier, or a random number. Such additional information may, e.g., be carried in header 201 of message 204.

(53) In general, it may not be required to compute a new generator polynomial for each message, but it suffices to generate the generator polynomial at the beginning of a new session between sender 101 and receiver 102 and keep it fixed for all messages which are exchanged between sender 101 and receiver 102 during the session. The pad, however, then has to be changed for each message and may be changed dependent on message dependent data, i.e., information which is specific for the message.

(54) In FIG. 4, an embodiment 400 of the method of a sender device for authenticating a message is illustrated. An embodiment of method 400 may, e.g., be performed by sender 101. Method 400 comprises acquiring 401 the message, e.g., from a higher layer of a communication stack of sender 101 or an application being executed by sender 101, generating a cryptographic checksum for the message, appending 406 the generated cryptographic checksum to the message, encoding 407 the message and the appended cryptographic checksum into a codeword of an FEC code, and transmitting 408 the FEC codeword.

(55) More specifically, generating the cryptographic checksum comprises calculating 405 the cryptographic checksum as a first function g of a division of a second function of M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g((M(x)) mod p(x)). The generator polynomial is calculated as p(x)=(1x).Math.p.sub.1(x), where p.sub.1(x) is a primitive polynomial of degree n1 which is selected, based on a first cryptographic key, from the set of primitive polynomials of degree n1 over a Galois Field, in particular GF(2). The first cryptographic key is a shared secret known to the sender and the receiver of the message. Preferably, the primitive polynomial is selected pseudo-randomly.

(56) Method 400 may further comprise selecting 402 the primitive polynomial and calculating 403 the generator polynomial. Alternatively, method 400 may further comprise receiving the primitive polynomial, or information describing how to generate the primitive polynomial, and calculating the generator polynomial based on the received primitive polynomial or the received information describing how to generate the primitive polynomial (not shown in FIG. 4). As yet a further alternative, method 400 may further comprise receiving the generator polynomial or information describing how to generate the generator polynomial (not shown in FIG. 4). The primitive polynomial, the generator polynomial, or information describing how to generate the respective polynomial, may be received from another device involved in the communication session, or from a third party. For instance, sender 101 may receive the primitive polynomial, the generator polynomial, or information describing how to generate the respective polynomial, from receiver 102, key or AAA server 106, or the like.

(57) Encoding 407 the message and the appended cryptographic checksum into an FEC codeword may optionally comprise generating one or more check bits of the FEC code based on the message and the appended cryptographic checksum, and appending the generated FEC check bits to the message and the appended cryptographic checksum. This is the case for separable FEC codes.

(58) Method 400 may further comprise pseudo-randomly generating 404 a pad s of length n, wherein the first function g comprises an addition with the pad s. Pad s may be generated based on a second cryptographic key which may be equal to, or different from, the first cryptographic key. The second and the first cryptographic keys are shared secret known to the sender and the receiver of the message. Optionally, at least one of primitive polynomial p.sub.1(x) and pad s, or both, may be generated dependent on information which is specific for the message, such as a message sequence number, a time stamp, a random number, or the like.

(59) In FIG. 5, an embodiment 500 of the method of a receiver device for authenticating a message is illustrated. An embodiment of method 500 may, e.g., be performed by receiver 102. Method 500 comprises receiving 501 an FEC codeword, i.e., an encoded representation of the message and an appended first cryptographic checksum, extracting 502 the message and the appended first cryptographic checksum from the FEC codeword by decoding the FEC codeword, generating a second cryptographic checksum for the message, and verifying 508 if the first cryptographic checksum and the second cryptographic checksum are identical. If not, the integrity of the message could not be established. That is, the message has been modified, either accidentally/randomly or intentionally/maliciously.

(60) More specifically, generating the second cryptographic checksum comprises calculating 505 the cryptographic checksum as a first function g of a division of a second function of M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g((M(x)) mod p(x)). The generator polynomial is calculated as p(x)=(1x).Math.p.sub.1(x), where p.sub.1(x) is a primitive polynomial of degree n1 which is selected, based on a first cryptographic key, from the set of primitive polynomials of degree n1 over a Galois Field, in particular GF(2). The first cryptographic key is a shared secret known to the sender and the receiver of the message. Preferably, the primitive polynomial is pseudo-randomly selected.

(61) Method 500 may further comprise selecting 504 the primitive polynomial and calculating 505 the generator polynomial. Alternatively, method 500 may further comprise receiving the primitive polynomial, or information describing how to generate the primitive polynomial, and calculating the generator polynomial based on the received primitive polynomial or the received information describing how to generate the primitive polynomial (not shown in FIG. 5). As yet a further alternative, method 500 may further comprise receiving the generator polynomial or information describing how to generate the generator polynomial (not shown in FIG. 5). The primitive polynomial, the generator polynomial, or information describing how to generate the respective polynomial, may be received from another device involved in the communication session, or from a third party. For instance, receiver 102 may receive the primitive polynomial, the generator polynomial, or information describing how to generate the respective polynomial, from sender 101, key or AAA server 106, or the like.

(62) Optionally, the FEC codeword may comprise the message, the appended first cryptographic checksum, and one or more appended check bits of the FEC code. In this case method 500 may further comprise correcting 503 the message and the appended first cryptographic checksum based on the appended FEC check bits.

(63) Method 500 may further comprise pseudo-randomly generating 506 a pad s of length n, wherein the first function g comprises an addition with the pad s. Pad s may be generated based on a second cryptographic key which may be equal to, or different from, the first cryptographic key. The second and the first cryptographic keys are shared secret known to the sender and the receiver of the message. Optionally, at least one of primitive polynomial p.sub.1(x) and pad s, or both, may be generated dependent on information which is specific for the message, such as a message sequence number, a time stamp, a random number, or the like.

(64) The computation of cryptographic checksums in accordance with embodiments of the invention is based on the same type of operations as is used for conventional CRCs. Therefore, it retains most of the simplicity of traditional CRCs except that embodiments of the invention utilize a variable pseudo-random generator polynomial. Accordingly, implementing embodiments of the invention in hardware is simple, and the resulting implementations are very resource efficient. The operation of division modulo a polynomial over GF(2) may be implemented through an LFSR, where the taps of the LFSR determine the generator polynomial p(x), as is known in the art. Even multiplication by x.sup.n can be implemented in hardware with high performance. However, in contrast to traditional CRCs, where the generator polynomial is fixed and known in advance and the implementing circuits typically have feedback connections which determine the generator polynomial hardwired, a cryptographic checksum in accordance with embodiments of the invention requires an implementation in which the feedback connections are programmable. It is the actual configuration of these feedback connections which is the key for the hashing and which should be changeable and secret. Note that some non-cryptographic CRC circuits also may use programmable connections if they need to support different CRC standards based on different generator polynomials, or to support different polynomial degrees [see, e.g., J. Birch, L. G. Christensen, and M. Skov, A programmable 800 Mbit/s CRC check/generator unit for LANG and MANs, Comp. Networks and ISDN Sys., 1992].

(65) Efficient implementations of CRC generators in software exist, too. In these implementations, significant speed up is achieved by using pre-computed tables which depend on the particular cryptographic key based on which the primitive polynomial is pseudo-randomly selected. Therefore, they are computed only once per cryptographic key, which is affordable in many applications.

(66) The functions in the hash function family according to embodiments of the invention are essentially defined by the generator polynomial p(x), and not by the length of the messages to which the hash functions are applied. Therefore, they can be applied to messages of different lengths, as is desirable in practice. In particular, the polynomial corresponding to a message M(x) should have 1 as leading coefficient, rather than 0 (if M is of length m, then M(x) is of proper degree m). This determines a one-to-one mapping between messages and polynomials and, in particular, prevents changing the message by just appending zeros to it. For instance, a message 01011 should be treated as a 4-bit message 1011 rather than as a 5-bit message. Otherwise, both messages are represented by the same message polynomial 1.Math.x.sup.3+0.Math.x.sup.2+1.Math.x.sup.1+1.Math.x.sup.0=x.sup.3+x.sup.1+1 and will accordingly have the same checksum after encoding. Otherwise an adversary could simply append one or more leading zeros to a message, knowing that the new message should have the same checksum. Alternatively, or additionally, an explicit length indication may be used as input to the authentication/verification process, e.g., by prepending or appending the message length to the message.

(67) On the receiver side, verification of a message's integrity can be efficiently implemented by a Finite State Machine (FSM) which processes the message more or less simultaneously with the sequential reception of message elements, an element typically being a bit. Such FSMs may also be integrated within the Medium Access Control (MAC) layer of the receiver and typically consist of a checksum decoder, a comparator and a control block. The checksum decoder re-computes the check bits for the received message elements as they arrive one-by-one, i.e., bit-by-bit. The comparator compares the re-computed check bits with the check bits received in the message, i.e., the authentication tag or checksum. If the re-computed and the received check bits disagree, the comparator sends an error signal to the control block, indicating that the integrity of the message could not be verified.

(68) In FIG. 6, an embodiment 600 of the sender device for authenticating a message is illustrated, such as sender 101 shown in FIG. 1. Sender 600 comprises a message buffer 601 for acquiring the message, e.g., from a higher layer of a communication stack of sender 600 or an application being executed by sender 600, a checksum generator 602 for generating a cryptographic checksum for the message, a codeword buffer 603 for forming a codeword by appending the generated cryptographic checksum to the message, an FEC encoder 604 for encoding the message and the appended cryptographic checksum into an FEC codeword, an interface 604 for transmitting the FEC codeword (I/O in FIG. 6), and a shared secret module 606 for providing checksum generator 602 with a first cryptographic key, i.e., a shared secret known to sender 600 and the receiver of the message. Interface 605 may, e.g., be a network interface or a radio transceiver configured for effecting communications with a RAN.

(69) More specifically, checksum generator 602 is configured for generating the cryptographic checksum by calculating the cryptographic checksum as a first function g of a division of a second function of M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g((M(x)) mod p(x)). The generator polynomial is calculated as p(x)=(1x).Math.p.sub.1(x), where p.sub.1(x) is a primitive polynomial of degree n1 which is selected, based on a first cryptographic key, from the set of primitive polynomials of degree n1 over a Galois Field, in particular GF(2).

(70) Optionally, sender 600, in particular checksum generator 602, may be configured for selecting the primitive polynomial and calculating the generator polynomial. Alternatively, they may be configured for receiving the primitive polynomial, or information describing how to generate the primitive polynomial, and calculating the generator polynomial based on the received primitive polynomial or the received information describing how to generate the primitive polynomial (not shown in FIG. 6). As yet a further alternative, they may be configured for receiving the generator polynomial or information describing how to generate the generator polynomial (not shown in FIG. 6). The primitive polynomial, the generator polynomial, or information describing how to generate the respective polynomial, may be received from another device involved in the communication session, or from a third party. For instance, sender 101 may receive the primitive polynomial, the generator polynomial, or information describing how to generate the respective polynomial, from receiver 102, key or AAA server 106, or the like.

(71) Checksum generator 602 may further be configured for pseudo-randomly generating a pad s of length n, wherein the first function g comprises an addition with the pad s. Pad s may be generated based on a second cryptographic key which may be equal to, or different from, the first cryptographic key. The second cryptographic key is a shared secret known to sender 600 and the receiver of the message. Accordingly, shared secret module 606 may further be configured for providing the second cryptographic key to checksum generator 602. Alternatively, pad s may be provided by an encryption algorithm, as was described hereinbefore, rather than being generated by checksum generator 602.

(72) Optionally, checksum generator 602 may be configured for generating at least one of primitive polynomial p.sub.1(x) and pad s, or both, dependent on information which is specific for the message, such as a message sequence number, a time stamp, a random number, or the like. Such information may be utilized as input to checksum generator 602, in particular to an LFSR comprised in checksum generator 602.

(73) In FIG. 7, an embodiment 700 of the receiver device for authenticating a message is illustrated, such as receiver 102 shown in FIG. 1. Receiver 700 comprises an interface 701 for receiving an FEC codeword (I/O in FIG. 7), i.e., an encoded representation of the message and an appended first cryptographic checksum, an FEC decoder 702 for extracting the message and then appended first cryptographic checksum from the FEC codeword, a codeword buffer 704 for extracting the message and the first cryptographic checksum from the codeword output by FEC decoder 702, a checksum generator 703 for generating a second cryptographic checksum for the message, a comparator 705 for verifying if the first cryptographic checksum and the second cryptographic checksum are identical, and a shared secret module 707 for providing checksum generator 703 with the first cryptographic key, i.e., a shared secret known to receiver 700 and the sender of the message. Receiver 700 may further comprise a message buffer 706 for storing the received message and passing the message to a higher layer of a communication stack of receiver 700 or an application being executed by receiver 700 in response to an indication received by comparator 705 that the integrity of the received message has been verified. Interface 701 may, e.g., be a network interface or a radio transceiver configured for effecting communications with a RAN.

(74) More specifically, checksum generator 703 is similar to checksum generator 602 described with reference to FIG. 6 and is configured for generating the second cryptographic checksum by calculating the cryptographic checksum as a first function g of a division of a second function of M(x), (M(x)), modulo a generator polynomial p(x) of degree n, g((M(x)) mod p(x)). The generator polynomial is calculated as p(x)=(1x).Math.p.sub.1(x), where p.sub.1(x) is a primitive polynomial of degree n1 which is selected, based on a first cryptographic key, from the set of primitive polynomials of degree n1 over a Galois Field, in particular GF(2).

(75) Optionally, receiver 700, in particular checksum generator 703, may be configured for selecting the primitive polynomial and calculating the generator polynomial. Alternatively, they may be configured for receiving the primitive polynomial, or information describing how to generate the primitive polynomial, and calculating the generator polynomial based on the received primitive polynomial or the received information describing how to generate the primitive polynomial (not shown in FIG. 7). As yet a further alternative, they may be configured for receiving the generator polynomial or information describing how to generate the generator polynomial (not shown in FIG. 7). The primitive polynomial, the generator polynomial, or information describing how to generate the respective polynomial, may be received from another device involved in the communication session, or from a third party. For instance, receiver 102 may receive the primitive polynomial, the generator polynomial, or information describing how to generate the respective polynomial, from sender 101, key or AAA server 106, or the like.

(76) Checksum generator 703 may further be configured for pseudo-randomly generating a pad s of length n, wherein the first function g comprises an addition with the pad s. Pad s may be generated based on a second cryptographic key which may be equal to, or different from, the first cryptographic key. The second cryptographic key is a shared secret known to receiver 700 and the sender of the message. Accordingly, shared secret module 707 may further be configured for providing the second cryptographic key to checksum generator 703. Alternatively, pad s may be provided by an encryption algorithm, as was described hereinbefore, rather than being generated by checksum generator 703.

(77) Optionally, checksum generator 703 may be configured for generating at least one of primitive polynomial p.sub.1(x) and pad s, or both, dependent on information which is specific for the received message, such as a message sequence number, a time stamp, a random number, or the like. Such information may be utilized as input to checksum generator 703, in particular to an LFSR comprised in checksum generator 703.

(78) Embodiments of sender 600 and receiver 700 may be implemented in hardware, software, or a combination thereof, as is known in the art. For instance, modules 601-606 and modules 701-707 may be implemented by means of electronic circuitry, in particular digital binary logic. Alternatively, modules 601-606 and modules 701-707 may be implemented based on Digital Signal Processors (DSPs). It will be appreciated that interfaces 605 and 701 may comprise analog electronic circuitry configured for transmitting or receiving, respectively, the codeword over the air interface of a RAN.

(79) Embodiments of checksum generators 602 and 703 operate very similar to standard CRC generators, the implementation of which is known in the art. Embodiments of checksum generators 602 and 703 which rely on a pseudo-randomly generated pad s may implement the addition of pad s by a bit-wise XOR operation between the n-bit string representing (M(x)) mod p(x) and the n-bit pad s.

(80) In FIG. 8, an alternative embodiment 800 of the sender device for authenticating a message is shown. Sender 800 comprises a processor 801, e.g., a DSP, a memory 802 comprising software, i.e., a computer program 803 comprising computer-executable instructions, for causing sender 800 to implement an embodiment of the method of a sender of authenticating a message described hereinbefore, in particular with reference to FIG. 4, when the computer-executable instructions are executed on processor 801. Sender 800 may further comprise an interface 804 (I/O in FIG. 8) for effecting communications via a communications network, e.g., communications network 103. Interface 804 may, e.g., be a network interface or a radio transceiver configured for effecting communications with a RAN.

(81) In FIG. 9, an alternative embodiment 900 of the receiver device for authenticating a message is shown. Receiver 900 comprises a processor 901, e.g., a DSP, a memory 902 comprising software, i.e., a computer program 903 comprising computer-executable instructions, for causing receiver 900 to implement an embodiment of the method of a receiver of authenticating a message described hereinbefore, in particular with reference to FIG. 5, when the computer-executable instructions are executed on processor 901. Receiver 900 may further comprise an interface 904 (I/O in FIG. 9) for effecting communications via a communications network, e.g., communications network 103. Interface 904 may, e.g., be a network interface or a radio transceiver configured for effecting communications with a RAN.

(82) Embodiments 1001 of the sender and the receiver described with reference to FIGS. 6 to 9 may be implemented in an Integrated Circuit (IC) 1000 illustrated in in FIG. 10. Further, embodiments 1101 of the sender and the receiver described with reference to FIGS. 6 to 9 may also be implemented in a mobile terminal, such as mobile phone 1100 illustrated in FIG. 11. As yet a further alternative, embodiments 1101 of the sender and the receiver described with reference to FIGS. 6 to 9 may also be implemented in a node of a RAN, e.g., a gateway, an RNC, or a radio access node, such as an RBS, a NodeB, an eNodeB, a WLAN access point, or the like.

(83) The person skilled in the art realizes that the invention by no means is limited to the embodiments described above. On the contrary, many modifications and variations are possible within the scope of the appended claims.

APPENDIX

(84) The totient function (k), also called Euler's totient function, is defined as the number of positive integers less than or equal to k which are relatively prime to k, i.e., which do not contain any factor in common with k. It is known that, if k is prime, then (k)=k1. It is also known that, if k is of type k.sup.a where k is prime and a>0, then (k.sup.a)=k.sup.ak.sup.a-1. Another property of the totient function, which is used in the proof below, is that (2.sup.a1)(2.sup.a).

(85) Theorem 1 For any values of n and m, the family of hash functions based on a generator polynomial of type
p(x)=(1+x).Math.p.sub.1(x),(1)
where p.sub.1(x) is a primitive polynomial of degree n1, is -opt-secure for

(86) $\begin{matrix} .Math. \frac{m + n - 1}{(2^{n - 1} - 1)} . & (2) \end{matrix}$
Proof: A family of hash functions is -opt-secure if it is +-linear and -balanced. The family of hash functions based on generator polynomials of the type according to Eq. (1) is +-linear since the division modulo a polynomial is a linear operation, where addition is equivalent to a bit-wise XOR operation. To show that the family is also -balanced, we observe that, on one hand, for any polynomial p(x) of degree n over GF(2), any non-zero message M of length m, and any string c of length n, h.sub.p(M)=c if and only if M(x).Math.x.sup.n mod p(x)=c(x). On the other hand, M(x).Math.x.sup.n mod p(x)=c(x) if and only if p(x) divides M(x).Math.x.sup.nc(x).

(87) Let q(x)M(x).Math.x.sup.nc(x). Obviously, q(x) is a non-zero polynomial of degree less than or equal to m+n, and p(x) is a polynomial of degree n which divides q(x). Since p(x)=(1+x).Math.p.sub.1(x), this implies that both 1+x and p.sub.1(x) are factors of q(x). Because of the unique factorization property, there are at most (m+n1)/(n1) prime factors of q(x), each of degree n1. In other words, there are at most (m+n1)/(n1) hash functions in the CRC family that map M into c. On the other hand, the size of the hash family is equal to the number of primitive polynomials of degree n1 over GF(2), which is (2.sup.n-11)/n1. Therefore,

(88) $\begin{matrix} \Pr [h_{p} (M) = c] \frac{m + n - 1}{(2^{n - 1} - 1)} . & (3) \end{matrix}$

(89) If 2.sup.n-11 is prime, then Eq. (2) reduces to

(90) $\begin{matrix} .Math. \frac{m + n - 1}{2^{n - 1} - 2} . & (4) \end{matrix}$

(91) Since (2.sup.n-1)(2.sup.n-1)=2.sup.n-2, for a general case, we can approximate Eq. (2) as follows:

(92) $\begin{matrix} .Math. \frac{m + n - 1}{2^{n - 2}} . & (5) \end{matrix}$

Generating cryptographic checksums

Assignee

Inventors

Cpc classification

Classification Explorer

H04L9/3236

ELECTRICITY

Classification Explorer

H04L9/3242

ELECTRICITY

Classification Explorer

H03M13/09

ELECTRICITY

Classification Explorer

H04L2209/34

ELECTRICITY

Classification Explorer

H03M13/158

ELECTRICITY

Classification Explorer

G06F11/1004

PHYSICS

International classification

Classification Explorer

H04L9/32

ELECTRICITY

Classification Explorer

H03M13/15

ELECTRICITY

Classification Explorer

G06F11/10

PHYSICS

Classification Explorer

H03M13/09

ELECTRICITY

Abstract

Claims

Description