JP2010134247A - Common key block cipher evaluation device, common key block cipher evaluation method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve a problem of conventional saturation characteristics search: precise evaluation cannot be carried out since an output state may be balanced depending on the structure of a nonlinear function and an input state though the output state is treated to be unknown when a balance state is inputted to the nonlinear function. <P>SOLUTION: The number of times all the data pass through a function F is examined with consideration given to the structure of the function F of an evaluated encipherment algorithm. If the data are exclusive OR between data all passing through the function F only once, it is determined whether a special balance state is established or not from the structure of the function F. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a common key block cipher evaluation apparatus, a common key block cipher evaluation method, and a program for searching for saturation characteristics used in a saturation attack that is a decryption method for a common key block cipher.

  One of the cryptanalysis methods for common key block ciphers is saturation attacks. Saturation attacks are classified as selected plaintext attacks. A saturation attack was first proposed and the cipher applied was the block cipher SQUARE proposed by Daemen et al. At the time it was proposed, it was called a SQUARE attack, but in recent years it has been called a saturation attack.

  First, bijection will be explained as a premise of saturation attacks.

  As shown in FIG. 1, when there is a mapping f: A → B, a mapping in which an arbitrary element of the set A is defined as one-to-one with an arbitrary element of the set B is called bijection.

When the function f is a bijective function with n-bit input / output, the input value and the output value are each 0-2 ^n- 1.

Here, there is a characteristic that the sum of all the values from 0 to 2 ⁿ −1 by bitwise exclusive OR (hereinafter referred to as XOR and expressed by the symbol “+”) becomes zero.

For example, when n = 2, 0 to 2 ² −1 (= 3), and when expressed in bits, 00 (0), 01 (1), 10 (2), and 11 (3).

  If the bit position on the right side is bit 0, the sum of bit 0 is 0 + 1 + 0 + 1 = 0, and the sum of bit 1 is 0 + 0 + 1 + 1 = 0.

  This characteristic is maintained regardless of the value of n (n> 1). Hereinafter, when the sum is zero, it is “balanced”, and such a state is called “balanced state”.

  There are the following four types of balance states.

(1). All values appear once each As described above, 2 ⁿ types of values having an n-bit width appear once.

(2). Some or all of the values appear even times. Since the XOR between the same values is zero, even if the same number of the same values is XORed, the values are balanced. No matter what value is given, the sum for each value is zero, so the whole is zero and balanced. Hereinafter, this is expressed as “even balance”.

(3). All street values appear odd times Every odd number is (even times + 1 time), so if all street values appear (all street values are even times + all street values are 1 time) This is also balanced. Hereinafter, this is expressed as “odd balance”.

(4). Mixed state A complex balance state in which even and odd times are mixed. Hereinafter, this is expressed as “mixed balance”.

  Apart from these four, even if only one type of value appears even number of times, the sum is balanced, but this is distinguished as “constant”.

  In the three balance states (1) to (3), the balance state is maintained no matter how many times the bijective mapping is repeated, but the mixed balance is balanced by an exquisite combination of values. There is no guarantee that the balance will be maintained if a bijective transformation is performed.

  Next, the procedure of the saturation attack will be briefly described.

  Suppose that there is a common key block cipher composed of R rounds, and there is a characteristic that the output of the R-1 round balances when some plaintext is given.

  At this time, assuming an R-round key, all the ciphertexts obtained are traced to obtain output data of the (R-1) -th round.

  The sum of the retroactive data is calculated, and if there is no balance, it can be rejected from the correct key candidates as the key assumption is incorrect. The balanced key is the correct key candidate. If there is one candidate, it is judged as the correct key.

  As described above, in the saturation attack, it is necessary to correctly evaluate the balance state because it affects the number of rounds in which the balance state can be deciphered.

FIG. 2 is an example of a common key block cipher. The input data is generalized Feistel structure that performs a process divided into four x ₀ ~x _3.

  In one round, two of the four data are converted by the function F, and XORed to the remaining two data. The symbol in which the + symbol is circled in the figure represents XOR.

Each data has m bits. The functions F ₀ and F ₁ mix the m-bit data and the key data. The key data key is XORed with respect to the input m-bit data.

S ₀ and S ₁ are non-linear transformations generally called S-boxes. Each input / output data size is m / 2 bits.

M ₀ and M ₁ are linear transformations, respectively. Taking M ₀ as an example, the conversion is represented by the following equation.

The operation performed here is on a finite field, and the result will never be larger than the size of the variable. Here, α ₀ is the output of S ₀ and α ₁ is the output of S ₁ . The value obtained by connecting β ₀ and β ₁ is the output of M ₀ , that is, the output of the function F ₀ .

  Thus, the structure constituted by the S-box and the diffusion layer will be referred to as an SP type.

  In the following description, since the value of the key data does not affect the state transition, the key data input to the function F is omitted for the sake of simplicity.

  The symbol “A” in the figure indicates that all values appear, the symbol “B” indicates a balanced state, the symbol “C” indicates a constant, and the symbol “U” indicates that the state is unknown. Represents something. Note that the state in which B is configured is not distinguished here.

  The state changes when the function F is passed or XORed. The state transition can be represented by a table as shown in FIG.

A input is data 2 ^m as up to 0 to 2 ^m -1, C is an arbitrary constant. That is, the input {C, A, C, C} means a set of 2 ^m data sets.

The output data 32 of the fourth round is XOR of A and A, and the result is B. In the function F ₀ and the function F ₁ , the key data acts, so the order of appearance of all values is unknown. That is, it is impossible to know which balance state B has.

Therefore, until now, when B passes the function F, the state is evaluated as U. The saturation attack evaluation described in Non-Patent Document 1 is also evaluated as such.
Sony Corporation, The 128-bit Blockcipher CLEFIA Security and Performance Evaluations Revision 1.0, Internet <URL: http://www.sony.co.jp/Products/clefia/technical/data/clefia-eval-1.0.pdf>

  However, in the conventional saturation characteristic search method, since the configuration of the balance state cannot be distinguished, if the balance state passes the nonlinear transformation, the output state has to be treated as unknown.

  Since the unknown state is a characteristic that cannot be used for the saturation attack, if the balance state is treated as unknown, the evaluation is insufficient.

  Therefore, the present invention has been made in view of the above problems, and a common key that can search for a balance state in which the balance state is maintained even if it passes through the function F with respect to a saturation characteristic search method that is an evaluation index for a saturation attack. An object of the present invention is to provide a block cipher evaluation device.

  In order to solve the above-described problem, the common key block cipher evaluation apparatus according to the present invention includes a function type determination unit that determines whether or not the data division number p and the data size q satisfy 2p ≧ q, and an input state And a state transition calculation means for calculating the saturation characteristics after round processing using a relational expression, and the state transition calculation means includes a function term in the relational expression, When the balance state is calculated with reference to the state transition table that associates the number of times that all passed the function and the balance state, and it is determined that there is a possibility of a special balance state, the function type determination means It is characterized by referring to the determination result to determine whether or not the structure has a special balance state.

  The common key block cipher evaluation method according to the present invention includes a function type determination step for determining whether or not the data division number p and the data size q satisfy 2p ≧ q, and a function term in the relational expression. Including, when the balance state is calculated with reference to the state transition table that associates the total number of data passed through the function with the balance state, and it is determined that there is a possibility of a special balance state, A state transition calculation step for determining whether or not the structure is in a special balance state with reference to the determination result in the function type determination step.

  Further, the program according to the present invention includes a function type determination process for determining whether or not the data division number p and the data size q satisfy 2p ≧ q, and the relational expression includes a function term. When the balance state is calculated with reference to the state transition table that associates the number of times that all passed the function and the balance state, and it is determined that there is a possibility of a special balance state, the function type determination process A state transition calculation process for determining whether the structure is in a special balance state with reference to the determination result is executed by a computer.

  According to the present invention, by considering the structure of the function F of the cryptographic algorithm to be evaluated and examining the number of times the input passes through the function F, it is possible to detect a special balance state that could not be detected so far. It becomes like this. In addition, since the special balance state can be detected, the security of the cryptographic algorithm against the saturation attack can be more strictly evaluated.

  First, an input condition in which the balance state is input to the function F and the output is in the balance state is shown.

Referring to FIG. 2 as an example, when the input x ₁ is A and the others are C, the data 32 as the input of the function F _{1 in} the fifth round is in the “special balance state” described later, and the fifth round The output data 33 of the function F ₁ is balanced.

If C is omitted because it does not affect the state, the data 32 can be rewritten as shown in FIG. 4 since it can be said that the output of the functions F ₀ 30 and F ₁ 31 is XORed.

If the data 32 and y, y can be expressed by equation x _1. x and y in accordance with the internal processing of the function F ₀ and functions F _1, respectively, y ₀ and y ₁ when divided into x ₁₀ and x _11, y ₀ and y ₁ can be expressed by the following equation.

When Equation 3 is collectively described for each type of term, it can be rewritten as the following equation. Here, G ₀ and G ₁ mean non-linear transformation.

Thus, it can be seen that each term of the input is converted independently. In such a state, when G ₀ and G ₁ are balanced, the number of types of terms in the equation is p, and the data width of the terms is q bits, y ₀ is an even balance if the following equation holds: Or it becomes one of odd balance.

Looking at the number 5, the type of term because two x ₁₀ and x _11, the number of kinds p is 2. For example, if the data width q is 4 (= 2 · 2) bits or less, Equation 6 holds. Since it does not hold if it is 5 bits or more, it becomes a mixing balance.

The case where y ₀ is either an even balance or an odd balance under the conditions of Equations 5 and 6 will be described with reference to FIG. It should be noted that y ₁ can be similarly explained.

Here, since the description will be made assuming that the size m of x ₁ is 8 bits, this is the case where p = 2 and q = 4. Since this satisfies Expression 6, either the even balance or the odd balance is obtained.

Since the x ₁ as an input function F ₀ and the function F ₁ it is given the total number, 256 from 0 to 255 (= 2 ⁸⁾ as data is provided.

Since x ₁₀ and x ₁₁ are obtained by dividing x ₁ into two, 16 (= 2 ⁴ ) data from ₀ to 15 are respectively given 16 times to S ₀ and S ₁ . It is clear that G ₀ and G ₁ in Equation 5 are independently balanced when the other is a certain value.

  Here, the appearance pattern of the output value of each G is analyzed.

when there is a x ₁₀ values, given all through the x _11, as the number of occurrences of the output value 16 kinds of G _1, three kinds are considered below.

(1). Appears only 0 times and even times (2). Appears only 0 times and odd times (3). Number of appearances is 0, even and odd

FIG. 5 shows an example of 0 times and even times only. In fact, since the number of occurrences of the table is obtained for each value of 16 combinations of x _10, the sum of the number of occurrences is 16 times the number of occurrences of FIG.

  FIG. 6 is an example in which the number of appearances is 0, even, and odd. The number of occurrences of values 1, 2, 4, and 7 is odd.

  Since the balance is set as G, the balance is set at a value at which the number of appearances is an odd number. In this example, since 1 + 2 + 4 + 7 = 0, it is balanced.

  Even if two different types of values are XORed, it cannot be 0, so at least three types are required, but the total number of appearances of the three types is an odd number, so the remaining number of appearances is an odd number. .

  On the other hand, since the remaining number of appearances is an even number, there is a contradiction. Therefore, the number of times of odd number is limited to four or more types of even numbers. This is also actually counted 16 times.

When one of G is only 0 times and even times, y ₀ is 0 times or even times, that is, even balance, regardless of the other.

Here, a case will be described where both G ₀ and G ₁ are “only 0 times and odd times” and “0 times, even times and odd times”.

  Since values that appear even times are balanced only by that, when focusing on odd times, “0 times, even times, and odd times” is the same as “0 times and only odd times”.

Values that have become odd times at G ₀ are a ₀ , a ₁ , a ₂ , a ₃ , and values that have become odd times at G ₁ are b ₀ , b ₁ , b ₂ , b ₃ . As mentioned earlier, since a and b are balanced,

It is. As a combination of XOR of the values that appear odd times,

There are 16 (= 4 ² ) ways.

Here, assuming that (a ₀ + b ₀ ) and (a ₁ + b ₂ ) are equal,

  In Equation 10, since the exchange rule is established, the following equation is obtained.

  Further, since the exchange rule is similarly established in Equations 7 and 8, the following equations are obtained from Equations 10 and 11. Substituting Equation 7 into Equation 10

  By transforming Equation 12,

  Substituting equation 8 into equation 10,

  By transforming Equation 14,

  Substituting equation 8 into equation 12,

  By transforming Equation 16,

In this way, a _i + b _m = a _j + b _n holds for arbitrary values a _i and a _j output odd times at G ₀ and arbitrary values b _m and b _n output odd times at G _1. Then, there are things that are equal to each other for all other combinations. In such a state, the number of occurrences of the value appearing at y ₀ is all an even number.

Conversely, if there is nothing to be _{a i + b m = a j} + b n, a x and b XOR combination sixteen all of _y is different. That is, all the values (0 to 15) all appear odd times.

At this time, even if there are other values that appear even times, all the values appear in y ₀ and the number of appearances is all odd.

  Here, the conditional expression shown in Equation 6 will be described in detail.

The type of G, that is, the type of term, is equal to the division number p of the function F. When the size of each divided data is q bits, there are 2 ^q kinds of values.

In order for all the values to appear, the number of combinations of the value types appearing from each G that are odd times needs to be 2 ^q or more.

  As described above, there are at least four types in which the number of appearances is an odd number of values that appear from each G. That is,

When attention is paid to the power number, Expression 6 is obtained.

By the way, if both y ₀ and y ₁ satisfy the _equations 5 and 6, y ₀ and y ₁ are either even balance or odd balance, but they cannot be distinguished.

Here, in view of m bits of y obtained by combining y ₀ and y ₁ , there is a possibility of mixing balance.

When the mixing balance is converted by the function F, the output state is unknown. However, if y ₀ and y ₁ are either the even balance or the odd balance, the output of the output even if the function F is converted. The state is balanced.

  If the function F is SP type, the output balance of the input of the S-box is maintained, and the input of the function F is balanced because the diffusion layer also stirs each input data by XOR.

  In this way, when the balanced data is divided and viewed, the state where each is even balance or odd balance is referred to as “special balance state”.

Next, looking at the example shown in the following equation, although x ₁₀ and x ₁₁ are converted independently in S ₀ and S _1, respectively, obtained by XOR, respectively, it is converted by S _2.

In such a case, y ₂ cannot be bundled for each input term as shown in Equation 5, so y ₂ may have a mixing balance.

Since the data 34 in FIG. 2 is converted by the function F ₀ twice in the second round and the third round, it is clear that the S-box nesting expression is obtained as shown in Equation 19.

  Thus, there is no guarantee that data that has passed the function F more than once will be in a special balanced state. In order to achieve a special balance state, the input data needs to be converted only once by two different functions F.

That is, the function F performs processing by dividing the data into p pieces therein, and for each cryptographic algorithm whose bit width is q and satisfies Equation 6, A is given to the input x, and F ₀ (x) Data obtained by XORing F ₁ (x) is in a special balance state.

  Next, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 7 is a configuration diagram of the common key block cipher evaluation apparatus in the embodiment of the present invention. The apparatus includes an input unit 1 such as a keyboard, a state transition calculation unit 21 operated by program control, a saturation characteristic search unit 2 having a function type determination unit 22, an output unit 3 such as a display and a printing device, It is comprised.

  From the input unit 1, five evaluation parameters, “number of rounds”, “relational expression”, “input state”, “number of divisions”, and “data size” are input.

  For round number, specify the number of rounds to be evaluated. Specify "10" if you want to evaluate up to 10 rounds.

  The relational expression represents the structure of the evaluation target encryption algorithm. In the case of the encryption algorithm of FIG. 2, the relational expressions are four expressions represented by the following expressions.

In the input state, for the inputs x _{0 to} x ₃ , a variable that gives the total number and a variable that gives the constant are specified. For example, all the x ₁ as in the example of FIG. 2, if other To give constant, and {C, A0, C, C }. The subscript 0 of A means the initial state. Moreover, in this evaluation apparatus, all numbers shall be given only to one place.

The number of divisions specifies the number of data divisions inside the function F of the evaluation target cryptographic algorithm. In the example of FIG. 2, the data is divided into two by the function F ₀ and the function F ₁ , and internal processing is performed, so “2”.

  The data size represents the size of the divided data in bits.

  First, the function type determination unit 22 will be described. The function type determination unit 22 determines whether a special balance state can be obtained from the structure of the function F of the evaluation target cryptographic algorithm.

  Next, the operation of the function type determination unit 22 will be described with reference to FIG.

  Of the five input parameters, the function type determination means 22 is passed two values, the number of divisions and the data size. If the number of divisions is p and the data size is q, whether or not 2p ≧ q holds. Judgment is made (step A1).

  If true, the flag is set to ON (step A2), and if not true, the flag is set to OFF (step A3). The set flag is passed to the state transition calculation means 21.

  Next, the operation of the state transition calculation unit 21 will be described with reference to FIG.

  The state transition calculation means 21 calculates the saturation characteristic after the round process using the relational expression with the input state as the initial state of the saturation characteristic, and ends when the process reaches the round number of parameters.

Let m be the number of input relational expressions and n be the number of rounds. The input state of the input parameter is set to S _{0,0 to} S _{0, m-1} as the initial value of the state (step B1). In the example of FIG. 2, when the input state is {C, A0, C, C}, S _0,0 = C, S _0,1 = A0, S _0,2 = C, S _0,3 = C are set. The

1 is set to the counter i indicating the current calculation round (step B2). The state S _i-1 is set in the term of the input x of the relational expression (step B3). A counter j indicating the number of the calculation formula is set to 0 (step B4). Thereafter, the process enters the step of calculating the output state S _i of the i-th round.

It is determined whether or not the relational expression y _{j is} just substitution (step B5). If substitution is made, the state of the substitution source is set to S _{i, j} as it is (step B6). For example, Expression 21 and Expression 23 are examples of substitution.

On the other hand, if the relational expression y _j is not an assignment, it is determined whether or not there is a term of the function F (step B7), and the term of the function F is calculated using the state transition table of the function F shown in FIG. Step B8). For example, the terms of F ₀ (x ₀ ) and F ₁ (x ₂ ) in Equations 20 and 22 are calculated.

  When the state of the term to be input to the function F is A, the subscript is incremented by 1. When A0 is input to the function F as an input state, the output state is A1, and when it is input again, it is A2. That is, the subscript A means the number of times that the function F is passed.

There are two types of balance states, B and B ^* . B is one of the four types of balance states described above, and B ^* is a special balance state. Since B includes the balance of the mixed state, the output of the function F is U, but the output of B ^* is B.

  When the state of the term of the function F is changed, Equations 20 and 22 are as follows.

  Since only the XOR expression is obtained as in the above expression, the state is calculated using the XOR state transition table of FIG.

  Here, it is determined whether only the XOR of A1 and A1 is in a state, and is not uniquely determined (step B9). Since A1 means that all the numbers have passed the function F once, the XOR of A1 and A1 may be in a special balance state. Whether or not a special balance state is reached depends on the structure of the function F. The function type determination means 22 checks the structure of the function F and receives the result as a flag.

If only the XOR of A1 and A1 is in a state, it is determined whether the flag is ON or OFF (step B10). If the flag is ON, the structure is in a special balance state, so B ^* is set in the state S _{i, j} (step B11).

On the other hand, if the flag is OFF, B is set in the state S _{i, j} because the structure is not a special balance state (step B12).

On the other hand, in the case of XOR other than A1 and A1, the state according to the state transition table of XOR is set to S _{i, j} (step B13).

When the state calculation of the relational expression y _j is completed, the counter j is incremented (step B14), and it is determined whether or not the counter j is less than the expression number m (step B15), and the counter j is less than the expression number m. If there is, the state calculation of the following equation is performed in the same manner. On the other hand, when the counter j is counted up to m, the state calculation for the i-th round ends.

Here, it is determined whether or not all the states S _i of the i-th round are U (step B16), and if all are U, the states of the subsequent rounds are also U and there is no need to evaluate, so the end To do.

On the other hand, if there is a state other than U in the state S _i , the counter i is incremented (step B17), and if the counter i exceeds the number of rounds n specified by the parameter, the evaluation is terminated (step B18). If not, the next round of evaluation is performed as well.

(Other embodiments)

  Next, a second embodiment of the present invention will be described in detail with reference to the drawings.

  FIG. 11 is a configuration diagram of a common key block cipher evaluation apparatus according to another embodiment of the present invention. The apparatus includes an input unit 1 such as a keyboard, a state transition calculation unit 21 that operates by program control, a function type determination unit 22, and an input state generation unit 23, a saturation characteristic search unit 2, a display and a print And an output unit 3 such as a device.

  In the common key block cipher evaluation apparatus of the present embodiment, the input state is automatically generated by the input state generation unit 23. The operation of the input state generation unit 23 will be described with reference to FIG.

  A relational expression among the input parameters is passed to the input state generation means 23. The input state generation means 23 calculates the number from the relational expression.

  The variable s is for generating an input state and has digits for the relational expression. As the initial value of the variable s, the rightmost is set to 1 and the remaining is set to 0 (step C1).

  0 means state C and 1 means total number A. An input state is generated with the position of 1 of the variable s as A0 and the position of 0 as C (step C2). In the example of FIG. 2, since the number of expressions is 4, the input state generated first is {C, C, C, A0}.

  The generated input state is output (step C3), and it is determined whether or not the output input state is {A0, C,..., C}, that is, whether the leftmost of s is 1 (step C4). If the leftmost of s is not 1, s is cyclically shifted left by 1 (step C5). If s is 0001, it becomes 0010, and the next state is generated.

  If the leftmost s finally becomes 1, the process ends.

  The present invention has been described above by the preferred embodiments of the present invention. While the invention has been described with reference to specific embodiments thereof, various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the invention as defined in the claims. is there.

  The input data is divided into 2n (n ≧ 2) or more, each of the n data is mixed with the key data by the basic function, and the process of exclusive ORing the remaining n data is repeatedly performed. It consists of a diffusion layer that divides the input data into two or more, performs the exclusive OR and nonlinear transformation of the key in order, and stirs so that each divided data affects all the outputs of the basic function. It can be used as an apparatus for searching for saturation characteristics with respect to an encryption apparatus that employs a common key block encryption method in which a plurality of functions are configured.

It is a figure which shows the example of a bijection. It is a figure showing an example of the state transition of a saturation characteristic. It is a figure showing the state transition by the function F and XOR of a prior art. FIG. 6 is a diagram illustrating an input of a function F1 in the fifth round in FIG. 2. It is a figure showing the example of the value output from G only 0 times and even number of times. It is a figure showing the example of the value output from G 0 times, an even number of times, and an odd number of times. It is a block diagram which shows the structure of the 1st Embodiment of this invention. It is a flowchart figure which shows operation | movement of a function type determination means. It is a flowchart figure which shows operation | movement of a state transition calculation means. It is a figure showing the state transition by the function F and XOR of this invention. It is a block diagram which shows the structure of the 2nd Embodiment of this invention. It is a flowchart figure which shows operation | movement of an input state production | generation means.

Explanation of symbols

1 Input unit 2 saturation characteristic searching unit 3. Output 4 saturation characteristic search portion 21 state transition calculating means 22 function type determination unit 23 input state generator 30 functions F ₀
31 Function F ₁
32 Intermediate data of the fourth round 33 Output data of the function F ₁ of the fifth round 34 Intermediate data

Claims (7)

The number of data divisions p and the data size q are 2p ≧ q
Function type determination means for determining whether or not
State transition calculation means for calculating the saturation characteristics after round processing using a relational expression, with the input state as the initial state of the saturation characteristics, and
When the state transition calculation means includes a function term in the relational expression, the state transition calculation means calculates a balance state by referring to a state transition table in which the total number of the data passes the function and the balance state, When it is determined that there is a possibility of a special balance state, it is determined whether the structure is in a special balance state by referring to the determination result by the function type determination unit Key block cipher evaluation device.   2. The state transition calculation means determines that there is a possibility of a special balance state if the total number is an exclusive OR of data that has passed the function only once. The common key block cipher evaluation apparatus described.   The common key block cipher evaluation apparatus according to claim 1 or 2, wherein the state transition calculation means distinguishes the balance state into two types of whether or not the balance state is a special balance state.   The common key block according to any one of claims 1 to 3, wherein when the state transition calculation unit determines that all the states are unknown, the state of the subsequent round is also unknown, and the process is terminated. Cryptographic evaluation device.   5. The common key block cipher evaluation apparatus according to claim 1, further comprising an input state generation unit configured to set the number of digits from the relational expression and generate the initial state. 6. The number of data divisions p and the data size q are 2p ≧ q
A function type determination step for determining whether or not
When a relational term is included in the relational expression, the balance state is calculated by referring to a state transition table in which the total number of the data passes through the function and the balance state, and a special balance state may be obtained. A state transition calculation step for determining whether the structure is in a special balance state with reference to the determination result of the function type determination step when it is determined that there is a common state. Key block cipher evaluation method. The number of data divisions p and the data size q are 2p ≧ q
A function type determination process for determining whether or not
When a relational term is included in the relational expression, the balance state is calculated by referring to a state transition table in which the total number of the data passes through the function and the balance state, and a special balance state may be obtained. A program for causing a computer to execute a state transition calculation process for determining whether or not a structure is in a special balance state with reference to a determination result of the function type determination process when it is determined that there is a function.

Images