JP2001142395A - Extended key generator, ciphering/deciphering device, extended key generating method and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To suppress the price and scale of a device and to improve the intensity of a cipher by improving the agitation of an extended key while blocking generation of a weak key. SOLUTION: As individual key conversion functions fk1 to fkn, conversion processing is executed by an S box 14i (replacing table) on the basis of a first key KA obtained from an inputted key and an adding part 16i calculates extended keys K1 to K16 on the basis of a value obtained by shifting the result of the conversion by this S box 14i to the left and a second key KB obtained from the inputted key in this extended key generator, ciphering/deciphering device and recording medium.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to an extended key generation device, an encryption / decryption device, an extended key generation method, and a storage medium applied to a secret key block cipher.

[0002]

2. Description of the Related Art In the field of computer and communication technologies in recent years, encryption technologies for encrypting transmission data and transmitting the data, and decrypting received data to obtain received contents are widely known. In this type of encryption technology, an encryption algorithm that uses the same secret key (hereinafter, referred to as a common key) for encryption and decryption is called common key encryption. In the common key cryptography, generally, an input message is divided into fixed-length input blocks, and each block is agitated based on a key to generate a ciphertext. As such common key encryption, for example, a method called DES (data encryption standard) is widely used.

In the DES encryption, FIG.
As shown in (a), the data obtained by performing the initial transposition IP on the plaintext is subjected to the processing by the round function 16 times. Further, the inverse transposition I of the initial transposition is applied to the data processed by the round function.
The ciphertext is obtained by applying P- ¹ . In addition, the processing in the round function is executed by giving an expanded key generated from the original key to each round function.

[0004] That is, an encryption device based on the DES system is
Its main components are a stirrer that stirs data to be encrypted by a number of round functions, and a key generator that gives an expanded key to each round function of the stirrer. In addition, as a method of generating a key by the key generation unit in the related art, for example, rearranging bits using a table or wiring,
It is generated by using the same key as the data encryption unit, or by randomly extracting it from key bits.

[0005] On the other hand, decoding by the DES method is performed as shown in FIG.
As shown in (b), the data to be decrypted is subjected to the round function processing in the reverse order of the encryption. Therefore, the expanded key from the key generation unit is also generated in order from the one used in the last round function at the time of encryption.

A first advantage of the DES system is that most of the encryption circuit and the decryption circuit can be shared.
In other words, as shown in FIGS. 18A and 18B, the round function of the stirrer uses the same circuit in the order of input of the expanded key between the time of encryption and the time of decryption. You.

A second advantage of the DES method is that since encryption and decryption are performed using one common key, the number of keys to be managed is small. In the DES method, an expanded key is generated in the reverse order based on a single common key. Therefore, the key generation unit performs the following processing.

That is, at the time of encryption, the common key is cyclically shifted left (rotated left) to generate each expanded key. In addition, the total value of the cyclic shift amount is determined as the number of bits of the common key,
In the final stage, the intermediate key is returned to the initial state (common key).
Thereby, the last expanded key at the time of encryption and the first expanded key at the time of decryption can be generated to the same value. At the time of decryption, the expanded key may be generated in the reverse order by reversely rotating the common key to the right (rotating right).

[0009] However, in the DES system, since the processing of the key generation unit is constituted only by the transposition processing, there is a problem that a low security key generally called a weak key exists. In this specification, the weak key means the same expanded key. When all the expanded keys K1 to K16 are the same as each other (K1 = K2 =... = K16), half the expanded key K1 To K8, K9 to K16 are the same (K1 = K16, K2 = K15,..., K8 = K9).

However, the generation of the weak key is not a threat, and a device for removing an input of a common key having a pattern for generating a weak key, or determining whether or not the generated expanded key is not a weak key. By adding a device for discriminating and removing a weak key, it is considered that the key can be sufficiently prevented.

However, if a device for preventing generation of a weak key of this kind is added, the price of the expanded key generation device and the encryption / decryption device increases, and the scale of the expanded key generation device and the encryption / decryption device increases. There is a possibility.

In addition to the DES method, by preventing the generation of a weak key, it is possible to realize an encryption strength when a different expanded key is used for each original round, and to further improve the encryption strength. An encryption method is desired.

[0013]

As described above, in the conventional extended key generation apparatus and encryption / decryption apparatus, from the viewpoint of preventing a decrease in security, if an apparatus relating to the prevention of weak key generation is added, This may increase the price of the device and the encryption / decryption device, and may further increase the scale of the extended key generation device and the encryption / decryption device.

Further, even if the generation of a weak key is prevented, the processing of the key generation unit does not contribute much to the improvement of the encryption strength, and it is desired to improve the encryption strength.

The present invention has been made in view of the above circumstances, and can reduce the price and scale of a device, improve the agitation of an expanded key while preventing the generation of a weak key, and thereby improve the encryption strength. It is an object of the present invention to provide an obtained expanded key generation device, encryption / decryption device, expanded key generation method, and storage medium.

[0016]

According to a first aspect of the present invention, a different key is input for each round, and a plurality of key conversion function units for generating an expanded key based on each key are connected in cascade. An expanded key generation device, wherein each of the key conversion function units performs first key conversion means for performing a conversion process using a predetermined substitution table based on a first key obtained from the input key; An expanded key generation device comprising: an expanded key calculation unit that calculates the expanded key based on a conversion result obtained by a first key conversion unit and a second key obtained from the input key.

According to a second aspect of the present invention, in the extended key generating apparatus according to the first aspect, each of the key conversion function units cyclically shifts an input key to the left or right, and This is an extended key generation device provided with a cyclic shift means for inputting the shifted key to the key conversion function unit of the next round.

Further, according to a third aspect of the present invention, in the extended key generating apparatus according to the second aspect, the shift amount of the cyclic shift means is disjoint from the number of output bits of the first key conversion means. The value is an extended key generation device.

According to a fourth aspect of the present invention, in the expanded key generating apparatus according to the first aspect, each of the key conversion function units converts an input key by a substitution table, and completes the conversion. This is an extended key generation device provided with input key conversion means for inputting the generated key to the key conversion function unit of the next round.

According to a fifth aspect of the present invention, in the extended key generating apparatus according to any one of the first to fourth aspects, the key conversion function unit includes the first key conversion function unit.
An enlarged key generation device including an extended conversion unit that performs an extended conversion of a conversion result by the key conversion unit and inputs the result to the extended key calculation unit.

According to a sixth aspect of the present invention, there is provided the extended key generation apparatus according to the fifth aspect, wherein the extended conversion by the extended conversion means is a shift of a predetermined number of bits.

According to a seventh aspect of the present invention, in the expanded key generating apparatus according to the sixth aspect, the predetermined number of bits is shifted by half the number of bits of the conversion result by the first key conversion means, Alternatively, this is an extended key generation device that performs the conversion result by shifting the conversion result to the left by the number of bits obtained by adding an integral multiple of the conversion result bit number to half the bit number.

According to an eighth aspect of the present invention, in the expanded key generation apparatus according to any one of the first to seventh aspects, the operation by the expanded key operation means includes addition with carry. Is an extended key generation device.

According to a ninth aspect of the present invention, there is provided an encryption / decryption device including an extended key generation device according to any one of the first to eighth aspects, wherein the key conversion function unit generates An encryption / decryption device including a stirrer for encrypting an input plaintext based on the respective expanded keys and outputting a ciphertext, and decrypting the input ciphertext and outputting the plaintext.

Further, the invention according to claim 10 is the encryption / decryption device according to claim 9, wherein the agitating section comprises:
An encryption / decryption device including a plurality of replacement tables for the encryption and the decryption, wherein one of the replacement tables of the stirring unit is shared with a replacement table of the first key conversion unit.

According to the invention corresponding to claim 11, a different key is input for each round, a first key is generated from the input key, and the generated first key is converted by a predetermined replacement table. , An expanded key generation method for calculating an expanded key based on a conversion result and a second key generated from an input key.

Further, the invention according to claim 12 causes a computer to generate a first key from a different key input in each round, convert the generated first key by a predetermined replacement table, A computer-readable storage medium storing a program for calculating an expanded key based on a conversion result and a second key obtained from the input key.

According to a thirteenth aspect of the present invention, a program for causing a computer to cyclically shift the input key to the left or right and to input the key after the cyclic shift is completed in the next round is stored. A computer-readable storage medium.

Further, according to a fourteenth aspect of the present invention, in the computer readable storage medium according to the thirteenth aspect, the shift amount of the cyclic shift is a value relatively prime to the number of output bits of the first key conversion. A computer-readable storage medium.

Further, the invention according to claim 15 is a computer-readable storage medium according to claim 14, which causes a computer to convert the input key using a substitution table, and This is a computer-readable storage medium storing a program to be input in a round.

The invention according to claim 16 is a computer-readable storage medium according to claim 12, wherein the computer-readable storage medium stores a program for causing a computer to expand and convert a conversion result based on the first key. It is a possible storage medium.

Further, the invention according to claim 17 is the computer readable storage medium according to claim 12, wherein the function of performing the expansion conversion is a shift of a predetermined number of bits.

Further, the invention according to claim 18 is the computer-readable storage medium according to claim 17, wherein the shift of the predetermined number of bits is a half of the number of bits of the conversion result based on the first key conversion. A computer-readable storage medium that performs a left-shift of the conversion result by the number of bits or a bit number obtained by adding an integer multiple of the number of bits of the conversion result to the half bit number.

Further, the invention according to claim 19 is the computer-readable storage medium according to claim 12, wherein the function of calculating the expanded key is addition with carry. .

Further, the invention according to claim 20 causes a computer to generate a first key from a different key input for each round, and to convert the generated first key by a predetermined replacement table. An expanded key is calculated based on the conversion result and a second key obtained from the input key, the input plaintext is encrypted and output based on the generated expanded key, and the input encryption This is a computer-readable storage medium storing a program for executing a stirring process of decoding a sentence and outputting a plaintext.

Further, an invention according to claim 21 is the computer-readable storage medium according to claim 20, wherein the agitation processing includes a plurality of replacement tables for the encryption and decryption. Any of the replacement tables of the process is a computer-readable storage medium shared with the replacement table used for the conversion based on the first key.

Further, the invention according to claim 22 has a plurality of key conversion function units connected to a cascade, each of which receives a different key in each round and generates an expanded key based on each key, Each of the key conversion function units has a plurality of expansion conversion elements arranged in parallel, and each of the expansion conversion elements includes a constant register holding a constant, and a key input with the constant held in the constant register. An exclusive-OR calculating means for calculating an exclusive-OR with the obtained first key, and an S box for performing a conversion process by a predetermined replacement table based on a value output from the exclusive-OR calculating means,
An enlarging conversion unit for enlarging and converting the conversion result output from the S-box, and a conversion result output from the plurality of expansion conversion elements and a second key obtained from the input key.
An extended key generation device includes an extended key calculation unit that calculates an extended key based on a key.

[0038] Further, according to the invention corresponding to claim 23, an extended key generation method is provided in which a different key is input for each round, and a plurality of key conversion function units for generating an extended key based on each key are connected in cascade. A computer-readable storage medium used in the device, wherein the computer in the extended key generation device includes, as each of the key conversion function units, a constant register holding a constant, and a constant register held in the constant register. Exclusive-OR calculating means for calculating an exclusive-OR of a constant and a first key obtained from the input key, and conversion by a predetermined substitution table based on a value output from the exclusive-OR calculating means An S box for processing;
A plurality of expansion conversion elements arranged in parallel comprising an expansion conversion section for expanding and changing the conversion result output from the S box; a conversion result output from the plurality of expansion conversion elements; and the input key. A computer-readable storage medium storing a program for realizing an expanded key calculating means for calculating an expanded key based on the second key obtained from the second key.

Further, the invention corresponding to claim 24 has a plurality of cascade-connected key conversion function units, each of which receives a different key in each round and generates an expanded key based on each key. Wherein each of the key conversion function units nonlinearly replaces the input key and outputs a replacement result, and a predetermined replacement table based on the first key output from the replacement processing unit. A first key conversion unit for performing a conversion process; and an expanded key calculation unit for calculating the expanded key based on a conversion result of the first key conversion unit and a first key output from the replacement processing unit. It is a key generation device.

Further, according to a twenty-fifth aspect of the present invention, a different key is input for each round, the input key is nonlinearly replaced, and the first key obtained by the replacement is converted by a predetermined replacement table. An expanded key generation method for calculating the expanded key based on the conversion result and a second key obtained by the replacement.

Further, the invention according to claim 26 causes a computer to generate a first key from a different key input for each round, nonlinearly replace the input key, and output a replacement result. , The first obtained by the substitution
A computer-readable storage medium storing a program for converting a key using a predetermined replacement table and calculating an expanded key based on the conversion result and a second key obtained by the replacement.

(Operation) Therefore, the inventions corresponding to the first, the eleventh and the twelfth aspects have the following features.
As each key conversion function unit, the first key conversion unit performs a conversion process based on a first key obtained from the input key by using a predetermined replacement table, and the expanded key calculation unit outputs the first key conversion unit. An expanded key is calculated based on the result of the conversion by the means and the second key obtained from the input key.

As described above, a simple configuration without adding an external device is used. When generating an expanded key, a non-linear conversion process is performed using a replacement table. , The agitation of the expanded key can be improved, and the encryption strength can be improved.

The invention according to claims 2 and 13 is:
As each key conversion function unit, the cyclic shift means cyclically shifts the input key to the left or right and inputs the key after the cyclic shift to the key conversion function unit of the next round. , 12 and the keys inputted in each round can be easily and reliably made different from each other.

Further, according to the third and fourteenth aspects of the present invention, the shift amount of the cyclic shift means is a value which is relatively prime to the number of output bits of the first key conversion means. One key can be different from each other, and the action corresponding to the second and thirteenth aspects can be more easily and reliably achieved.

The invention corresponding to claims 4 and 15 is:
As each of the key conversion function units, the input key conversion unit converts the input key according to the substitution table and inputs the converted key to the key conversion function unit of the next round. In addition to the action corresponding to 12, the keys input in each round can be made different from each other easily and reliably.

Further, according to the inventions corresponding to claims 5 and 16, since the key conversion function section, the enlarging conversion means performs the enlarging conversion of the conversion result by the first key converting means and inputs the result to the expanded key calculating means. In addition to the action corresponding to any one of the first to fourth and twelfth aspects, the stirring action of the first key can be reflected on an arbitrary area of the expanded key.

The invention according to claims 7 and 18 is:
The conversion result is shifted by a predetermined number of bits by half the number of bits of the conversion result by the first key conversion, or the number of bits of a value obtained by adding an integral multiple of the conversion result bit number to half the number of bits. Since the shift is performed, the action corresponding to claims 6 and 17 can be easily and reliably achieved.

Further, in the invention corresponding to claims 8 and 19, since the operation by the expanded key calculation means is addition with carry, the operation corresponding to any of claims 1 to 7 and 12 It can be played easily and reliably.

Also, the invention corresponding to claims 9 and 20 is:
Since the agitator encrypts the input plaintext based on each expanded key generated by each key conversion function unit and outputs a ciphertext, and decrypts the input ciphertext and outputs the plaintext. An encryption / decryption device including the extended key generation device according to any one of claims 1 to 8 can be realized.

Further, in the invention corresponding to claims 10 and 21, the stirring section has a plurality of replacement tables for encryption and decryption, and one of the replacement tables of the stirring section is the first table.
Since it is shared with the replacement table of the key conversion means, the size of the apparatus can be reduced in addition to the actions corresponding to claims 9 and 20.

[0052]

Embodiments of the present invention will be described below with reference to the drawings.

(First Embodiment) FIG. 1 is a block diagram showing a configuration of an encryption / decryption device according to a first embodiment of the present invention, and FIG. 2 is a configuration of an extended key generation unit in the encryption / decryption device. FIG.

This encryption / decryption device is configured as an encryption / decryption processing unit of a computer such as a personal computer or a workstation, and performs encryption and decryption processing by hardware or software. , An expanded key generation unit 10 for generating n-stage expanded keys K1 to Kn from the common key, and encryption or decryption by sequentially using the expanded keys K1 to Kn generated by the expanded key generation unit 10 for each round R1 to Rn. And a stirrer 20 for performing the following. That is, the extended key generation unit 10 and the agitation unit 20 are commonly used for encryption and decryption, and when the encryption / decryption device is realized by software, a program indicating both operations is installed in advance from a storage medium. ing. Note that a transposition process or the like may be provided between the expanded key generation unit 10 and the stirring unit 20.

Here, the expanded key generation unit 10 is provided with key conversion functions fk1 to fkn (also simply referred to as a key conversion function fk) that are cascaded in order corresponding to the respective rounds R1 to Rn. When the common key KC or the intermediate key conversion results kc1 to kcn-1 are input, the key conversion functions fk1 to fkn are expanded keys K1 to Kn obtained by converting them.
Are output to the round functions fr1 to frn of the stirring unit 20,
Also, an intermediate key conversion function kc1 to kcn-1 obtained separately.
Is input to the key conversion functions fk2 to fkn of the next stage.

Here, the key conversion functions fk1 to fkn are shown in FIG.
As shown in FIG.₁~ 11_n,constant
Register 12₁~ 12_n, XOR element 13₁~ 13_n,
S box 14₁~ 14_n, Enlargement conversion unit 15₁~ 1
5_n, Adder 16₁~ 16_nAnd cyclic shift unit 17₁~
17_n-1It has. Incidentally, the cyclic shift unit 1 in the last stage
7 _nIs unnecessary because there is no key conversion function fk (n + 1) in the next stage.
Therefore, it has been omitted.

The temporary key register 11 _i (where 1 ≦ i ≦
n, the same applies hereinafter) holds the common key input to the extended key generation unit 10 or the intermediate key conversion result input from the preceding key conversion function fk (i-1). , 5
A 6-bit register is used.

[0058] The constant register 12 _i, key conversion function fk
A constant is set according to the number of rounds to which i belongs, and XO
It can be supplied to the R element _13i . Specifically, the constant register 12 _i is an example in which the number of rounds n = 16 is shown in FIG.
As shown in (a), the extended keys K1 to K16 are arranged in reverse order (K1
6 to K1), the held constants are set to be bilaterally symmetrical (symmetrical in the first and second stages) around the median (n = 8, 9) of the number of rounds. However, not limited to this, the constant register 12 _i is also generated extended keys K1~K16 in reverse order (K16~K1) if possible, a constant holding is optional, for example, as shown in FIG. 3 (b) Alternatively, the constant may be replaced between the time of encryption and the time of decryption. Note that the constant register 12 _i, of the constant hold as shown in FIG. 3 (a), may be set at different from the other at least any one value.

The XOR element 13 _i stores the temporary key register 11
The exclusive OR of the first key KA consisting of 8-bit data in _i and the constant in the constant register is calculated, and the obtained 8
The bit calculation result is input to the S box.

S (substitution) box 14 _i
Is intended to prevent the generation of weak keys (identical extended keys in all stages), specifically, an 8-bit value input from the XOR element 13 _i nonlinearly converting the resulting 8 It has a function of inputting conversion result bit to enlarge converting unit 15 _i. The S box 14i performs non-linear conversion using a replacement table for replacing input bits and output bits, for example, as shown in FIG. For example, S box 14
In i, when the input bit is (00000001), the information of (00000001) is regarded as a binary expression, and the binary expression is converted to a value “1” that is expressed in decimal.

Referring to the replacement table of FIG. 4, if the first occurrence “48” is the 0th, the “first” element “54” (decimal notation) is determined, and its binary notation is determined. A certain (00111010) is output as an output bit. Therefore, the input bit (00000001) can be replaced with the output bit (001110110).

As described above, the replacement table of FIG. 4 holds elements corresponding to 256 inputs from the 0th to the 255th, and corresponds to the case where a value of 0 to 255 is input. It is used to determine the value of ~ 255.

[0063] In addition, S-boxes 14 _i, from the viewpoint of reduction of the device size, it is preferable to share with one S-box in round function fk to be described later.

[0064] enlargement conversion unit 15 _i is configured to convert the 8-bit conversion result input from the S box 14 _i into a larger value, in this case, as shifted to left by 4 bits 8 bits of the conversion result expanding transform has a function of inputting the 12-bit expansion conversion result obtained by embedding "0" in lower 4 bits to the adder 16 _i.

[0065] Note that the shift amount of the enlargement conversion unit 15 _i is, S
The output bit of the box _14i is transmitted to the stirrer 20-2 described later.
One in terms of reflecting the S-boxes S3, S4, it is preferable that the equivalent to S box 14 _i output bit number (= 8) of the half (= 4 bits). Here, the word “equivalently” means, for example, 12
(= 4 + 8 × 1) bit shift or 20 (= 4 + 8 ×
2) A modified example in which an integer multiple of the number of output bits is added, such as a bit shift (in other words, when divided by the number of output bits (= 8), the remainder is the number of bits equal to half the divisor (= 4)) ) Is included.
Also, the output bits of the S box 14 _i is 12 if it is bit-shifted, not the S box S3, S4,
It is reflected on the S boxes S2 and S3, and when shifted by 20 bits, it is reflected on the S boxes S1 and S2. Furthermore, if to reflect the output bits of the S box 14 _i (including S2, S3 or S1, S2) 2 two S boxes S3, S4, not limited to the combination of four bits, 1 bit and 7 bits out of order, A combination of 2 bits and 6 bits or 3 bits and 5 bits may be used. That is, instead of the equivalent 4-bit shift, equivalents 1-3, 5-7
May be an arbitrary bit shift.

[0066] adding unit 16 _i includes a 12-bit expansion conversion result inputted from the enlargement conversion unit 15 _i, and a second key KB consisting of 32-bit data in the temporary key register 11 within the _i sum (carry ), And the obtained addition result (32 bits (carry is ignored)) is rounded to Ri.
Has a function of inputting to the round function fri of the agitating unit 20 as the expanded key Ki.

[0067] The first key KA and the second key KB extracted from the temporary key register 11 _i, in FIG. 2 is taken out separately from the area, each successive not limited thereto, discontinuous It may be taken out of the area. That is, the first key KA may be any total of 8 bits of data in the temporary key register 11 within the _i, second key KB, if any total of 32 bits of data in the temporary key register 11 within the _i Good. Further, the first key KA may overlap with the second key KB. It is preferable that the bit length of the first key KA is equal to the input bit length of the S box of the agitator 20 from the viewpoint of sharing the S box. It is preferable that the bit length of the second key KB be equal to the bit length of the expanded key Ki from the viewpoint of simplification of design (however, if desired, the bit lengths of the second key KB and the expanded key Ki may be different from each other. In this case, it is possible to finally adjust the bit length of the expanded key Ki using, for example, a contraction type permutation or an expansion permutation).

The cyclic shift unit _17i stores the temporary key register 1
1 _i value of by cyclically shifted by a predetermined shift amount is intended to enter the next stage of the temporary key register 11 i _{+ 1,} where as shown in FIG. 5, for each key conversion function Fk1～fkn, The shift amount is set. Note that the cyclic shift unit 1
Shift amount of 7 _i, from the viewpoint of increasing the agitation of the keys is preferably relatively prime to any number of output bits of the least common key bits or S box 14 _i of KC, three parties are disjoint Is most preferred. Also,
This shift amount is determined by expanding the expanded keys K1 to K16 in the reverse order (K16 to K16).
K1), from the viewpoint of being able to generate the key conversion function, the key conversion functions fk1 to fk (n + 1) are set to be symmetrical (symmetrical at the front and rear stages) about the median (n = 8) of the key conversion functions excluding the last stage. ing. However, not limited to this, the cyclic shift unit 17 _i also generates if the expanded key K1~K16 in reverse order (K16~K1), can be arbitrarily set the shift amount and a cyclic direction.

On the other hand, when the expanded keys K1 to K16 are sequentially given from the expanded key generation unit 10 in the processing of the n rounds from the round R1 to the round Rn, the agitating unit 20 encrypts the input plaintext and encrypts it. A decryption function for decrypting the input ciphertext and outputting a plaintext when the extended keys K16 to K1 are given in the reverse order of the encryption from the extended key generation unit 10; have. The stirrer 20 includes round functions fr1 to fr cascaded in order corresponding to the rounds R1 to Rn.
rn is provided.

The round function fri converts, at the time of encryption, a plaintext or an intermediate encryption result based on the expanded key Ki input from the expanded key generation unit 10, and converts the intermediate encryption result or the encrypted text. Is a function that outputs a ciphertext or an intermediate decryption result at the time of decryption based on the extended key K (n + 1-i) input in the reverse order from the extended key generation unit 10, This is a function for outputting a decryption result or a plaintext, and here, for example, a Feistel structure as shown in FIG. 6 is used.

In the Feistel structure in FIG. 6, one of the given data blocks consisting of two sub-blocks Li and Ri is assigned to one sub-block Ri based on the expanded key Ki.
The XOR element 21 calculates the exclusive OR of the conversion result and the other sub-block Li with a non-linear conversion using a function. The calculation result Ri + 1 and one of the sub-blocks Li + 1 (= Ri)
The position is changed and given to the next stage.

Here, the F function is obtained by dividing the output of the XOR element 22 and the XOR element 22 for calculating the exclusive OR of the expanded key K and the sub-block Ri (or Li) in FIG. It comprises four S-boxes S1 to S4 for nonlinear conversion. Each of the S boxes S1 to S4 has a replacement table as shown in FIG. 3, for example. However, each S box may be configured to have a common replacement table, or may be configured to have different replacement tables. You may comprise.

The conversion by each round function fr is as follows:
When the same transformation is repeated twice, the original data is restored, which is called an evolution. For this reason, the stirring unit 20 converts the plaintext into the expanded keys K1 to K.
When a ciphertext is generated by converting the ciphertext in the order of 16 and the ciphertext is converted again in the order of the expanded keys K16 to K1, a plaintext can be generated.

Next, the operation of the encryption / decryption device configured as described above will be described with reference to the flowchart shown in FIG. At the time of encryption, as shown in FIG. 1, the input common key KC or intermediate key conversion result kci is converted into an expanded key Ki for each round by a key conversion function fki.

More specifically, as shown in FIG.
In ki, the temporary key register 11 the exclusive OR of the constants 8 in the first key KA and the constant register 12 _i of bits taken from _i XOR element 13 _i is calculated (step S1 of FIG. 7), the the calculation result S box 14 _i is non-linear transformation (step S3 in FIG. 7). As the non-linear conversion, for example, the input and the output are replaced for each bit in the relationship shown in FIG. This substitution result is input 4-bit left shift by enlargement conversion unit 15 _i (= 16 times) has been to the adder 16 _i (step S5 in FIG. 7).

Adder 16_iIs the input shift result
(12 bits) and temporary key register 11 _iTaken out of
A 32-bit second key KB is added, and the addition result is 32-bit.
It is output to the agitator 20 as the expanded key Ki of the unit (see FIG. 7).
Step S7).

In this expanded key Ki, the S box 1
First key KA of 8 bits converted by 4 _i is located 12 bit 5 bit from the right (least significant digit). This bit position corresponds to the input to the third and fourth S boxes S3, S4. Accordingly, the stirring action by the S box 14 _i in the extended key generator 10 can be reflected in two S boxes S3, S4 of the stirring portion 20, agitation of the expanded key is improved.

In the stirring unit 20, the plaintext is converted for each of the round functions fr1 to frn based on the expanded keys K1 to Kn, and finally converted into a ciphertext through an intermediate encryption result. .

On the other hand, at the time of decryption, when the common key KC is input in the same manner as described above, the expanded key generation unit 10 performs key conversion processing in the reverse order of the encryption, and generates the expanded keys Kn to K1.
Are sequentially output to the stirring unit 20.

In the agitating section 20, the input ciphertext is converted based on the expanded keys Kn to K1 in the reverse order of the encryption, and finally converted into plaintext through an intermediate decryption result.

As described above, according to the present embodiment, each of the key conversion functions fk1 to fkn is converted by the S box 14 _i (substitution table) based on the first key KA obtained from the input key. The processing is performed, and the adding unit 16
_i calculates a value of the conversion result obtained by left-shifting by the S box 14 _i, the expanded key K1~K16 based on a second key KB obtained from the input key.

As described above, a simple configuration without adding an external device is used, and when generating an expanded key Ki, a non-linear conversion process is performed using the replacement table (S box 14i). Thus, it is possible to improve the agitation of the expanded key while preventing the generation of a weak key, thereby improving the encryption strength.

[0083] Also, in each key transform function fki, cyclic shift section 17 _i is, the input key is cyclically shifted to the left (or right), the key conversion follows round key completed cyclic shift function fk (i Since +1) is input, keys input in each round can be easily and reliably different from each other.

[0084] Further, as the shift amount of the cyclic shift section 17 _i, for example, when relatively prime values and the number of output bits of the S box 14 _i, nearly all first keys KA in the rounds R1~Rn each other Can be different,
The effects described above can be more easily and reliably obtained.

Further, as each key conversion function fki, an expanded
Large conversion unit 15_iBut S box 14 _iConversion result by
Enlargement conversion and addition unit 16_iEnter the above,
In addition to the effect, the stirring action of the first key KA is expanded
Area can be reflected.

[0086] As the expansion conversion by enlargement conversion unit 15 _i, since it is shifted a predetermined number of bits, can be obtained easily and reliably effects described above.

Further, the stirring unit 20 has a plurality of S boxes S1 to S4 for encryption and decryption.
Of any one of the key conversion functions fk1 to fkn
Since the S-box 14 _i are shared, it is possible to achieve a reduction of the device size.

[0088] Further, as each of the key conversion function Fk1～fkn, enlargement conversion unit 15 _i is, when subjected to the conversion result by S box 14 _i, half the number of bits of the number of bits of the conversion result, or half the bit only the number of bits obtained by adding an integer multiple of the number of bits of the result converted to a number, so the conversion result by left shift and inputs to the adder 16 _i, the first key KA
Can be reflected in the area shifted leftward by the expansion key Ki. In this case, the stirring action can be reflected in the areas input to the plurality of S boxes S3 and S4 of the stirring section 20, so that the stirring action can be further improved. Thus, the encryption strength can be improved.

(Second Embodiment) FIG. 9 is a block diagram showing a configuration of a key conversion function applied to an extended key generation device according to a second embodiment of the present invention. The same reference numerals are given and the detailed description is omitted, and only different portions are described here. In the following respective embodiments, the duplicated description will be omitted in the same manner.

That is, the present embodiment is a modification of the first embodiment, and aims at further improving the agitation of the expanded key. Specifically, as shown in FIG. In the conversion function, the conversion elements including the constant register 12 _i , the XOR element 13 _i , the S box 14 _i and the expansion conversion unit 15 _i are connected in parallel with each other between the temporary key register 11 _i and the addition unit 16 _i. Have been.

Here, the two S boxes _14i may be provided in one type or in a plurality of types.
When a plurality of types are used, from the viewpoint that the expanded key Ki can be generated in both the normal order and the reverse order based on the common key KC,
First half key conversion function fk1 to fk8 and second half key conversion function f
It is preferable that the types k9 to fk16 are provided so as to be vertically symmetrical from the center (fk8, 9).

[0092] Further, the two expansion conversion section 15i, it is also possible to the same shift amount to each other, from the viewpoint of more widely reflect stirring effect by the two S boxes 14 _i, mutually different shift amount It is preferable to shift the output of the S box _14i to the left. In this case, for example, one of the enlargement conversion units _15i is shifted left by 4 bits, and
Assuming that the other enlargement conversion unit 15 _i is shifted left by 20 bits, the stirring effect of the first key KA is determined by the S box S of the stirring unit 20.
This is preferable because it can be reflected in all of the steps 1 to S4.

According to the above configuration, the agitation by the first key KA can be further improved, so that the agitation of the expanded key Ki can be further improved in addition to the effect of the first embodiment.

(Third Embodiment) FIG. 10 shows a third embodiment of the present invention.
It is a block diagram showing the composition of the expansion key generation device concerning an embodiment. This embodiment is a modification of the first or second embodiment. Instead of the temporary key register 11 _i and the cyclic shift unit 17 _i , an input common key KC or intermediate keys kc1 to kcn-1 are used. Are non-linearly replaced with each other, a part of the obtained intermediate key is input to the XOR element 13 _{i and the} adder 16 _i of its own stage, and the entire intermediate key is transferred to the next stage. and a replacement processing unit 18 _i to be inputted to the replacement processor 18 _{(i + 1)} of the.

[0095] Each replacement processor 18 _i are common from the viewpoint of enabling generation, substituted result is based on n times the common key KC in normal order in both forward order and the reverse order of the expansion key Ki on the basis of the common key KC FIG. 11 shows an example in which each is set to be equal to the key KC and the number of rounds is n = 16. As shown in FIG. 11, conversion is performed in ascending order at the time of encryption, and inversely performed in descending order at the time of decryption. Is set to do. The specific processing of each replacement processing unit 18i is performed, for example, by rotating the common key KC by an arbitrary number of bits to the left.

In the embodiment shown in FIG. 10, FIG.
In step S21, the replacement processing unit 18i
A process for nonlinearly converting the common key KC is performed. next,
In step S23, an exclusive OR of the first key KA obtained from the replacement processing unit 18i and the constant held in the constant register 12i is calculated by the XOR element 13i. Then, in step S25, the XOR element 13I
Is converted nonlinearly by the S box 14i using the replacement table. And step S
In 27, the value subjected to the non-linear conversion is converted to the magnification conversion unit 15i.
, The result is shifted left by 4 bits, and a result of 12-bit expansion conversion is obtained. Then, in step S29, the result of the 12-bit expansion conversion and the replacement processing unit 1
8i and the second key KB obtained from 8i are added to generate an expanded key. Even with the above configuration, the same effects as those of the first or second embodiment can be obtained.
The keys KC and kc1 to KCn-1 input to the respective key conversion functions fk1 to fkn can be easily and reliably different from each other.

In each of the above embodiments, the S box 1
4 An XOR element 1 for exclusive-ORing a constant is provided on the input side of _i.
3 A description has been given of the case where _i is provided.
The XOR element 13 _i is omitted, and the S box 14 after calculating the exclusive OR of the constants instead of the S box 14 _i
It has a structure in which a x _i, it is possible to obtain the same effect by performing the present invention in a similar manner. That is, for example, the exclusive OR of the value of the KA and the constant is calculated in advance and stored in the form of a table, and the S box 14xi draws the table using the value of the KA as an input parameter, and You may comprise so that a calculation result may be obtained.

FIG. 13 is a functional block diagram showing the configuration of a smart card embodying the above-described expanded key generation device, encryption / decryption device, and storage medium of the present invention. As shown in the figure, the smart card 51 includes a CPU 53, a RAM 5
5, ROM 57, EEPROM 59, and contactor 6
One. The RAM 55 is used for storing various data, a work area, and the like. The ROM 57 is used for storing various data and programs. EEPRO
M59 stores the programs and the like shown in the flowcharts shown in FIGS. The contactor 61 obtains electrical contact with a smart card reader / writer (not shown). Note that the program shown in FIGS.
RAM55 or ROM instead of EPROM59
57. (Fourth Embodiment) Next, an encryption / decryption device according to a fourth embodiment of the present invention will be described with reference to FIG. This encryption / decryption device 30
Has the configuration described in any of the first to third embodiments, and is for protecting digital information (hereinafter, referred to as raw data) such as image data and music data.

It is assumed that the encryption / decryption device 30 is realized in a personal computer (hereinafter referred to as a personal computer) PC by installing a program from a storage medium as shown in FIG. 14, for example. Here, the encryption / decryption device 30 encrypts the raw data input to the personal computer PC using, for example, a user ID as a common key, and stores the obtained encrypted data (corresponding to the cipher text described above) in a portable storage element 31. To memorize. As this type of storage element 31,
There are a smart card, a smart media, a memory card, and the like.

This storage element 31 is distributed to the user's house,
The encryption / decryption device (not shown) in the user's home
Decrypting the encrypted data in the storage element 31 based on D,
The obtained image data and music data are reproduced and output from a speaker or the like. Thus, for example, raw data (content) can be distributed only to users who have contracted in advance.

This embodiment can be variously modified as follows. For example, as shown in FIG. 15, a configuration is provided in which a recording device 32 having an encryption / decryption device 30 composed of, for example, a hardware circuit is provided instead of the personal computer PC. According to this configuration, when writing the content into the storage element 31, the encryption / decryption device 30 encrypts the raw data using the user ID or the like and stores the raw data in the storage element 31. The process from home delivery to decryption is as described above. As described above, the encryption / decryption device 30 may be provided in the dedicated recording device 32 without being a general-purpose computer such as the personal computer PC.

Further, as shown in FIG.
0 is provided on the network N
It may be configured to be connected to the personal computer PC via W. In this case, the encrypted data downloaded from the host computer 33 is stored in the storage element 32 in an encrypted state via the personal computer PC. The process from home delivery to decryption is as described above. According to this modification, in addition to the effects described above, eavesdropping of content (raw data) on the network NW can be prevented.

Further, as shown in FIG. 17, the storage element may be, for example, a DVD (digital versatile disc). In the case shown in FIG. 17A, a DVD 34 in which encrypted data is stored in advance is distributed to users. The encryption / decryption device 30 at the user's home decrypts the encrypted data in the DVD 34 and reproduces and outputs the obtained image data and music data from a speaker or the like.

In the case shown in FIG. 17B, raw data such as images and music is encrypted by the encryption / decryption device 30 at the user's house using a predetermined common key, and the obtained encrypted data is stored in the DVD-ROM. It is stored in the RAM 35. This encrypted data is decrypted by a predetermined common key set by the user, but is not decrypted by anyone unless the common key is known. Therefore, hobby image data and music data can be stored while being protected from others.

(Other Embodiments) As storage media storing programs for realizing the processing of the extended key generation device and the encryption / decryption device in the present invention, a magnetic disk, a floppy (registered trademark) disk, a hard disk , Optical disks (CD-ROM, CD-R, DVD
Etc.), a magneto-optical disk (MO, etc.), a semiconductor memory, etc. are applicable. Actually, any storage medium that can store the program and can be read by a computer may be used.

An OS (Operating System) running on the computer based on instructions of a program installed in the computer from the storage medium,
MW for database management software, network software, etc.
(Middleware) or the like may execute a part of each process for realizing the present embodiment.

Further, the storage medium of the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN, the Internet, or the like is downloaded and stored or temporarily stored.

Further, the number of storage media is not limited to one, and the case where the processing in the present embodiment is executed from a plurality of media is also included in the storage media of the present invention, and any media configuration may be used.

The computer according to the present invention executes each processing according to the present embodiment based on a program stored in a storage medium. An apparatus such as a personal computer and a plurality of apparatuses are connected to a network. Any configuration such as a system described above may be used.

The computer in the present invention is
It is not limited to a personal computer, but also includes a processing device, a microcomputer, and the like included in an information processing device, and generically refers to a device and a device capable of implementing the functions of the present invention by a program.

Further, the present invention is not limited to the DES encryption system,
The present invention can be applied to any block encryption system using a round function, and may be applied to encryption systems such as Lucifer, LOKI, MISTY 1, MISTY 2, and SAFER (Secure And Fast Encryption Routine).

Further, in the above-described embodiment, the S box is configured to perform the non-linear conversion using the replacement table. However, the S box may be configured to perform the non-linear conversion by wiring.

In the embodiment shown in FIG. 9, the constant register 12i, the XOR element 13i, the S box 14i and the enlargement conversion unit 1
Although two sets of conversion elements composed of 5i are provided in parallel, two or more sets of conversion elements may be provided in parallel.

In addition, the present invention can be variously modified and implemented without departing from the gist thereof.

[0115]

As described above, according to the present invention, it is possible to reduce the price and scale of the device, to improve the agitation of the expanded key while preventing the generation of a weak key, and to thereby improve the encryption strength. A generation device, an encryption / decryption device, an extended key generation method, and a storage medium can be provided.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration of an encryption / decryption device according to a first embodiment of the present invention.

FIG. 2 is a block diagram illustrating a configuration of an extended key generation unit in the encryption / decryption device according to the embodiment.

FIG. 3 is a schematic diagram for explaining a set value of a constant register in the embodiment.

FIG. 4 is a schematic diagram for explaining a configuration of an S box in the embodiment.

FIG. 5 is a schematic diagram for explaining setting of a cyclic shift unit in the embodiment.

FIG. 6 is a block diagram showing a structure of a round function in the embodiment.

FIG. 7 is a flowchart showing the operation of the encryption / decryption device.

FIG. 8 is a schematic diagram for explaining an operation in the embodiment.

FIG. 9 is a block diagram illustrating a configuration of a key conversion function applied to an extended key generation device according to a second embodiment of the present invention.

FIG. 10 is a block diagram illustrating a configuration of an extended key generation device according to a third embodiment of the present invention.

FIG. 11 is a schematic diagram for explaining setting of a replacement processing unit in the embodiment.

FIG. 12 is a flowchart showing the operation of the embodiment shown in FIG.

FIG. 13 is a functional block diagram showing a configuration of a smart card embodying an extended key generation device, an encryption / decryption device, and a storage medium according to the present invention.

FIG. 14 is a schematic diagram illustrating an encryption / decryption device according to a fourth embodiment of the present invention.

FIG. 15 is a schematic diagram for explaining a modification of the embodiment.

FIG. 16 is a schematic diagram for explaining a modification of the embodiment.

FIG. 17 is a schematic diagram for explaining a modification of the embodiment.

FIG. 18 is a block diagram illustrating a DES method as an example of conventional common key encryption.

[Explanation of symbols]

10 ... expansion key generating unit 11 ₁ to 11 n _... temporary key register 12 ₁ to 12 n _... constant register 13 ₁ to 13 _n ... XOR element 14 ₁ to 14 _n ... S box 15 ₁ to 15 n _... enlargement conversion unit 16 ₁ ~ 16 n _... adding unit 17 ₁ ~17 _n-1 ... cyclic shift unit 18 i _... replacement processor 20 ... stirring portion 30 ... decryption device 31 ... storage device 32 ... recording apparatus 33 ... host computer 34 ... DVD 35 ... DVD -RAM fk1 to fkn key conversion function R1 to Rn round K1 to Kn extended key KC common key kc1 to kcn-1 key conversion result KA first key KB second key PC personal computer NW network

 ──────────────────────────────────────────────────の Continued on the front page (72) Inventor Kaoru Yokota 1006 Kazuma Kadoma, Osaka Prefecture Matsushita Electric Industrial Co., Ltd. (72) Inventor Makoto Tatebayashi 1006 Kazuma Kadoma, Osaka Pref. Matsushita Electric Industrial Co., Ltd. 1 Tokoba, Komukai Toshiba-cho, Kawasaki-shi, Kanagawa Prefecture

Claims (26)

[Claims] 1. A plurality of key conversion function units connected to a cascade, each of which receives a different key for each round and generates an expanded key based on the key, wherein each of the key conversion function units includes: First key conversion means for performing a conversion process using a predetermined substitution table based on the first key obtained from the input key; and a conversion result obtained by the first key conversion means and the key obtained from the input key. An expanded key generation device, comprising: an expanded key calculation unit that calculates the expanded key based on a second key. 2. The key conversion function unit includes a cyclic shift unit that cyclically shifts the input key to the left or right and inputs the key after the cyclic shift to the key conversion function unit of the next round. The extended key generation device according to claim 1, wherein: 3. The expanded key generation apparatus according to claim 2, wherein the shift amount of said cyclic shift means is a value relatively prime to the number of output bits of said first key conversion means. 4. Each of the key conversion function units includes an input key conversion unit that converts an input key using a substitution table and inputs the converted key to a key conversion function unit of the next round. The extended key generation device according to claim 1, wherein: 5. The key conversion function unit according to claim 1, further comprising an expansion conversion unit that performs an expansion conversion of the conversion result obtained by the first key conversion unit and inputs the result to the expanded key calculation unit. The extended key generation device according to claim 4. 6. The extended key generation device according to claim 5, wherein the extended conversion by said extended conversion means is a shift of a predetermined number of bits. 7. The method according to claim 1, wherein the predetermined number of bits is shifted by half the number of bits as a result of conversion by the first key conversion means.
7. The expanded key generation apparatus according to claim 6, wherein the conversion is performed by shifting the conversion result to the left by the number of bits obtained by adding an integer multiple of the conversion result bit number to the half bit number. 8. The extended key generation device according to claim 1, wherein the operation by the extended key operation means is addition with carry. 9. Encrypting an input plaintext and outputting a ciphertext based on each expanded key generated by each of the key conversion function units, and decrypting the input ciphertext and outputting a plaintext. An encryption / decryption device comprising the expanded key generation device according to claim 1, further comprising a stirring unit that performs the operation. 10. The stirring unit has a plurality of replacement tables for the encryption and the decryption, and one of the replacement tables of the stirring unit is shared with a replacement table of the first key conversion unit. The encryption / decryption device according to claim 9, wherein 11. A different key is input for each round, a first key is generated from the input key, and the generated first key is converted by a predetermined replacement table. The second generated from the input key
An extended key generation method, comprising: calculating an extended key based on a key. 12. A computer causes a computer to generate a first key from a different key input for each round, converts the generated first key by a predetermined substitution table, and converts the conversion result and the input key. A computer-readable storage medium for storing a program for calculating an expanded key based on a second key obtained from a computer. 13. The computer-readable storage according to claim 12, wherein a program for causing the computer to cyclically shift the input key to the left or right and to input the key for which the cyclic shift is completed in the next round is stored. Medium. 14. The shift amount of the cyclic shift is equal to the first shift amount.
14. The computer-readable storage medium according to claim 13, wherein the value is a value relatively prime to the number of output bits of the key conversion. 15. The computer-readable storage medium according to claim 14, wherein a program for causing a computer to convert the input key by using a substitution table and inputting the converted key in the next round is stored. 16. The computer-readable storage medium according to claim 12, wherein a program for enlarging and converting the conversion result based on the first key is stored in a computer. 17. The computer-readable storage medium according to claim 12, wherein the function of performing the enlargement conversion is a shift of a predetermined number of bits. 18. The method according to claim 18, wherein the predetermined number of bits is shifted by half the number of bits of the conversion result based on the first key conversion, or by adding an integral multiple of the number of bits of the conversion result to the half number of bits. 18. The computer-readable storage medium according to claim 17, wherein the conversion is performed by left-shifting the conversion result by the number of bits of the value. 19. The computer-readable storage medium according to claim 12, wherein the function of calculating the expanded key is addition with carry. 20. A computer that generates a first key from a different key input in each round, converts the generated first key by a predetermined substitution table, and converts the conversion result and the input key. And calculates an expanded key based on the second key obtained from the above, encrypts and outputs the input plaintext based on the generated expanded key, and decrypts the input ciphertext and outputs the plaintext. A computer-readable storage medium storing a program for executing a stirring process. 21. The agitation process has a plurality of replacement tables for the encryption and decryption, and any of the replacement tables in the agitation process is a replacement table used for conversion based on the first key. The computer-readable storage medium according to claim 20, wherein the storage medium is shared with a computer. 22. A plurality of key conversion function units connected to a cascade, each of which receives a different key for each round and generates an expanded key based on the key, wherein each key conversion function unit has a plurality of key conversion function units. It has expansion conversion elements arranged in parallel, wherein each of the expansion conversion elements is exclusive of a constant register holding a constant, and a first key obtained from a key stored in the constant register and an input key. An exclusive OR calculating means for calculating a logical sum; an S box for performing a conversion process using a predetermined replacement table based on a value output from the exclusive OR calculating means; and a conversion result output from the S box And an expansion conversion unit that performs expansion conversion of the expansion key. An expansion key calculation that calculates an expansion key based on the conversion results output from the plurality of expansion conversion elements and a second key obtained from the input key means Expanded key generation apparatus characterized by having. 23. A different key is input for each round,
A plurality of key conversion function units for generating an expanded key based on the key is a computer-readable storage medium used in an expanded key generation device connected in cascade, wherein a computer in the expanded key generation device, Each of the key conversion function units includes: a constant register for holding a constant; and an exclusive logic for calculating an exclusive OR of the constant held in the constant register and a first key obtained from the input key. A sum calculation unit, an S box that performs a conversion process using a predetermined replacement table based on a value output from the exclusive OR calculation unit, and an expansion conversion unit that expands and changes the conversion result output from the S box. A plurality of expansion conversion elements arranged in parallel, a conversion result output from the plurality of expansion conversion elements, and a second key obtained from the input key. Computer-readable storage medium storing a program for realizing, and extended key computation means for calculating the expansion key Zui. 24. A different key is input for each round,
Each of the key conversion function units includes a plurality of key conversion function units connected in cascade, each of which generates an expanded key based on the key. A replacement processing unit for outputting, a first key conversion unit for performing a conversion process using a predetermined replacement table based on the first key output from the replacement processing unit, a conversion result by the first key conversion unit, and the replacement process Extended key calculation means for calculating the extended key based on the first key output from the unit. 25. A different key is input for each round, the input key is nonlinearly replaced, the first key obtained by the replacement is converted by a predetermined replacement table, and the conversion result and the replacement are used. An extended key generation method, wherein the extended key is calculated based on an obtained second key. 26. A computer that generates a first key from a different key input for each round, nonlinearly replaces the input key, and outputs a replacement result. A computer-readable storage medium storing a program for converting a key using a predetermined replacement table and calculating an expanded key based on the conversion result and a second key obtained by the replacement.