JP2010286781A - Bit string generating device, bit string generating method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform an arithmetic operation of a mask generation function for certifying whether the function is safe or not in the sense of Indifferentiability which is one of the criteria for evaluation of the safety of a mask generating function. <P>SOLUTION: For each count value i, a hash value y(i) of hash input information u(i) including an optional value x is generated. Each hash value y(i) and/or a bit string of a part of the hash value y(i) are bit-connected to generate a bit string having optional bit length L. The hash input information u(i) corresponding to at least some of the count value i further includes a hash chain value v(j(i)) corresponding to the count value j(i) (j(i) belong to ä0, ..., Max}). The hash chain value v(j(i)) is the hash value of the information including the hash chain value v(m(i)) corresponding to the count value m(i) (m(i)≠j(i)) or a bit string of a part of it. Hash input information u(p(i)) corresponding to the count value p(i) (p(i)≠i) further includes a hash chain value v(m(i)). Fig.1 is a block diagram for explaining the constitution of a bit string generating device in the first embodiment. The bit string generating device 100 in this embodiment includes a control section 101, a memory 102a, an initial value memory 102b, an input section 103, a parameter computing section 104, a counter 105, hash operation sections 106, bit cut-out sections 107, and a bit connecting section 108. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an application technology of information security technology, and more particularly to a technology for outputting a random bit string of an arbitrary length.

As a conventional mask generation function for generating a mask that is a random bit string of arbitrary length, there is MFG1 (see, for example, Non-Patent Document 1). The structure of MFG1: {0,1} ^* × N → {0,1} ⁿ is shown below. Note that {0,1} ^* indicates a bit string of arbitrary length, {0,1} ⁿ indicates a bit string of bit length n, N indicates a set of integers greater than or equal to 0, and α → β changes from α to β Α || β indicates the bit combination (bit concatenation) of α and β, [α] ^β indicates the upper β bits cut out from α, and CEIL (α) is greater than or equal to α. Indicates the smallest integer (Ceil function value of α), <i> ₃₂ indicates a bit string obtained by encoding i in 32 bits, H indicates a hash function H: {0,1} ^* → {0,1} ⁿ , X∈ {0,1} ^* , L∈ {1, ..., n · 2 ³² }.
MFG1 (x, L) = H (x || <0> ₃₂ ) || ... || H (x || <CEIL (L / n) -2> ₃₂ )
|| [H (x || <CEIL (L / n) -1> ₃₂ )] ^{Ln (CEIL (L / n) -1)} … (1)

  One of the evaluation criteria for the safety of the mask generation function is Indifferentiability (see, for example, Non-Patent Document 2). This evaluation criterion assumes that there is a simulator that can use the ideal mask generation function Oracle Φ. This simulator is configured without depending on the attacker. The probability that an attacker can discriminate between a value obtained by giving a query to a regular mask generation function that can use Oracle φ such as an ideal hash function and a value obtained by giving the query to the simulator, If the function is less than or equal to a negligible function, the mask generation function is assumed to be Indifferentiable (safe in terms of Indifferentiability) with respect to Oracle Φ (for example, see Non-Patent Document 2). The proof that the mask generation function is safe in the Indifferentiability sense is that the attacker's resource range (upper limit of calculation time, upper limit of the number of queries, maximum number of bits of queries, etc.) is determined by a polynomial that depends on the security parameter k. Assumptions are made under that assumption.

ISO / IEC 9796-3: Information technology-Security techniques-Digital signature schemes giving message recovery-Part 3: Discrete logarithm based mechanisms Ueli M. Maurer, Renato Renner, and Clements Holenstein, "Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology," In Moni Naor, editor, TCC 2004, Volume 2951 of LNCS, pages 21-39, Heidelberg, 2004. Springer.

As shown in Equation (1), MFG1 has the hash values H (x || <0> ₃₂ ), ..., H (x || <CEIL (L / n) − for the input values x and L. 2> ₃₂ ) and a value extracted from the hash value H (x || <CEIL (L / n) -1> ₃₂ ) [H (x || <CEIL (L / n) -1> ₃₂ )] ^{Ln ( CEIL (L / n) -1)} bit combination value H (x || <0> ₃₂ ) || ... || H (x || <CEIL (L / n) -2> ₃₂ ) || [ H (x || <CEIL (L / n) -1> ₃₂ )] This function outputs ^{Ln (CEIL (L / n) -1)} . Therefore, each block H (x || <0> ₃₂ ), ..., H (x || <CEIL (L / n) -2> ₃₂ ) and [H (x || <CEIL ( L / n) -1> ₃₂ )] ^{Ln (CEIL (L / n) -1)} is x || <i> ₃₂ (i∈ {0, ..., CEIL (L / n) -1 }) Can be said to be a value obtained by giving Oracle an ideal hash function or the like as a query. This query x || <i> ₃₂ is mutually independent between each i, and an attacker can generate a query x || <i> ₃₂ corresponding to how large i is almost the same.

As described above, the proof that the mask generation function is safe in the Indifferentiability sense is performed assuming the resource range of the attacker. The safety evaluation under this assumption is based on the case where the above-mentioned simulator executes normal processing if the given query is within the attacker's resource range, and the given query exceeds the attacker's resource. Can be realized by returning a random number. Here, since the above-mentioned simulator does not know information about the attacker, it must determine whether or not the query is within the resource range of the attacker from the query sent from the attacker. However, as described above, the query x || <i> ₃₂ for MFG1 is independent of each other between i, and the simulator described above uses only the query x || <i> _{32 as the} query. It cannot be determined whether or not it is within the range. Therefore, in the conventional MFG1, it has not been possible to prove that the mask generation function is safe in an indifferentiable sense.

  The present invention has been made in view of these points, and provides an apparatus, a method, and a program for performing a mask generation function operation that can prove whether or not it is safe in an indifferentiable sense. For the purpose.

  In the present invention, at least an arbitrary value x is input, and for each count value i∈ {0, ..., Max} (i is an integer, MAX is an integer of 1 or more), a hash input including the arbitrary value x, respectively. A hash value y (i) of information u (i) is generated, each hash value y (i) and / or a bit string of a part of the hash value y (i) is bit-combined, and a bit string having an arbitrary bit length L is obtained. Generate. The hash input information u (i) corresponding to at least a part of the count value i is further converted into a hash chain value v corresponding to the count value j (i) (j (i) ∈ {0, ..., Max}). (j (i)) is included. The hash chain value v (j (i)) is a hash chain value corresponding to the count value m (i) (m (i) ∈ {0, ..., Max}, m (i) ≠ j (i)) It is a hash value of information including v (m (i)) or a bit string of a part thereof, and count value p (i) (p (i) ∈ {0, ..., Max}, p (i) ≠ i ) Corresponding to the hash input information u (p (i)) further includes a hash chain value v (m (i)).

  Here, the hash input information u (i) corresponding to at least a part of the count value i is a hash chain value corresponding to the count value j (i) (j (i) ∈ {0, ..., Max}) v (j (i)) is included. In this case, the hash input information u (i) corresponding to at least a part of the count value i is not after the hash chain value v (j (i)) corresponding to the other count value j (i) is obtained. Cannot be generated. Although the hash input information u (i) corresponds to a query, the attacker needs to obtain the corresponding hash chain value v (j (i)) in order to generate the hash input information u (i). For this purpose, it is necessary to further send a query to the above-mentioned Oracle, and the number of times depends on the number of hash chains of the hash chain value v (j (i)). Therefore, the simulator described above can know how many hash chains the hash input information u (i) was obtained by determining the hash input information u (i) sent from the attacker. The number of hash chains corresponds to an attacker's computation time and the number of queries. Therefore, the above-described simulator can know whether or not the query is within the attacker's resource range from the query sent from the attacker. As a result, the simulator described above executes normal processing if the given query is correctly obtained by the hash chain, and returns a random number if the given query is not correctly obtained by the hash chain. can do. Therefore, it can be proved that the mask generation function of the present invention is safe in terms of Indifferentiability.

  As described above, the mask generation function of the present invention can prove that it is safe in an indifferentiable sense.

The block diagram for demonstrating the structure of the bit string production | generation apparatus of 1st Embodiment. The flowchart for demonstrating the process of 1st Embodiment. The block diagram for demonstrating the structure of the bit string production | generation apparatus of 2nd Embodiment. The flowchart for demonstrating the process of 2nd Embodiment. The flowchart for demonstrating the process of 3rd Embodiment. The flowchart for demonstrating the process of 3rd Embodiment.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[Definition]
First, terms and symbols commonly used in the following are defined.
{0,1} ^* : Bit string of arbitrary length.
{0,1} ⁿ : Bit string of bit length n.
N: A set of integers greater than or equal to zero.
α → β: Mapping from α to β.
α || β: Bit combination (bit concatenation) of α and β.
[Α] ^β : Higher β bits cut out from α. For example, [11101001] ³ = 111.
[Α] _β : Lower β bits cut out from α. For example, [11101001] ₅ = 01001.
CEIL (α): The smallest integer greater than or equal to α (the Ceil function value of α).
<i>: A bit string obtained by encoding i with predetermined bits.
k: A security parameter that is an integer constant of 1 or more.
H, G: Hash function. An example of a hash function is SHA-1.

[First Embodiment]
In the first embodiment, first, at least an arbitrary value x is input to the input unit. Next, for each count value i∈ {0,..., Max} (i is an integer, MAX is an integer of 1 or more), hash input information u (i ) To generate a hash value y (i). The hash calculation unit of this embodiment inputs the hash input information u (i) to the first hash function H and generates a hash value y (i) = H (u (i)). Thereafter, the bit combination unit bit-combines a part of the bit string of the hash value y (i) and / or the hash value y (i) to generate a bit string having an arbitrary bit length L.

  Here, the hash input information u (i) corresponding to at least a part of the count value i further includes a hash corresponding to the count value j (i) (j (i) ε {0, ..., Max}). Contains the chain value v (j (i)). The hash chain value v (j (i)) is a hash chain corresponding to the count value m (i) (m (i) ∈ {0, ..., Max}, m (i) ≠ j (i)). A hash value of information including a value v (m (i)) or a bit string of a part thereof. In this embodiment, the hash chain value v (j (i)) corresponds to the count value p (i) (p (i) ∈ {0, ..., Max}, p (i) ≠ i). Hash value y (p (i)) = H (u obtained by inputting hash input information u (p (i)) (including hash chain value v (m (i))) into the first hash function H (p (i))) or a part of the bit string.

In the following, as an example, Max = t-1, t = CEIL (L / (nk)), i∈ {0, ..., t-1}, j (i) = i-1, p (i) = i-1, m (i) = i-2, u (i) = v (i-1) || x || <i>, y (i) = H (v (i-1) || x || <i>), z (i) = [y (i)] ^nk , v (i-1) = [y (i-1)] _k = [H (v (i-2) || x | | <i-1>)] _k (if i ≧ 1), v (i-1) = v (-1) = 0 ^k ∈ {0,1} ^k (if i = 0) and input ( x, L) ∈ {0,1} ^* × N (N ≧ 1), bit string F (x, L) = z (0) || ... || z (t−2) of arbitrary bit length L ) || [z (t−1)] ^r (r = L− (nk) (t−1)) is output. In this embodiment, n is a polynomial with k as a variable and satisfies n> k. The first hash function H is H: {0,1} ^* → {0,1} ⁿ .

<Configuration>
FIG. 1 is a block diagram for explaining the configuration of the bit string generation device 100 of the first embodiment.
As illustrated in FIG. 1, the bit string generation device 100 of this embodiment includes a control unit 101, a memory 102a, an initial value memory 102b, an input unit 103, a parameter calculation unit 104, a counter 105, and a hash calculation unit. 106, a bit cutout unit 107, and a bit combination unit 108.

  The bit string generation device 100 according to this embodiment is configured such that a predetermined program is read into a known computer including, for example, a CPU (central processing unit), a RAM (random-access memory), a ROM (read-only memory), and the like. It is constructed by executing this program. The control unit 101, the parameter calculation unit 104, the counter 105, the hash calculation unit 106, the bit cutout unit 107, and the bit combination unit 108 are, for example, processing units that are constructed when the CPU executes a predetermined program. Note that at least a part of these processing units may be configured by an integrated circuit. The memory 102a and the initial value memory 102b are auxiliary storage devices, RAMs, cache memories, registers, integrated circuit elements, or storage areas obtained by combining at least some of them. The input unit 103 is, for example, a mouse, a keyboard, an input port, a data receiving device, a data reading device from a storage device, or the like.

  In FIG. 1, a plurality of hash calculation units 106 and bit cutout units 107 are illustrated, but this is for convenience of description, and a plurality of hash calculation units 106 and bit cutout units 107 do not necessarily exist. Also good. The bit string generation device 100 executes each process under the control of the control unit 101. Although the description is simplified below, the data output from each processing unit is stored in the memory 102a one by one. The data stored in the memory 102a is input to each processing unit as necessary and used for the processing.

<Processing>
FIG. 2 is a flowchart for explaining the processing of the first embodiment. Hereinafter, the processing of this embodiment will be described with reference to this drawing. As a premise for the following processing, it is assumed that the values of k and n are set and the initial value v (−1) = 0 ^k of the hash chain value is stored in the initial value memory 102b.

First, (x, L) ε {0,1} ^* × N is input to the input unit 103 (step S101). L is input to the parameter calculation unit 104, and the parameter calculation unit 104
t = CEIL (L / (nk))… (2)
The calculation result t is output and the calculation result t is output (step S102).

In addition, the parameter calculation unit 104
r = L- (nk) (t-1) (3)
And the calculation result r is output (step S103). The calculation result t output from the parameter calculation unit 104 is input to the control unit 101, and the calculation result r is input to the bit cutout unit 107.

Next, the counter 105 sets the count value i to 0 (step S104).
Next, the hash calculation unit 106 has the hash chain value v (i−1) output from the initial value memory 102b or the bit cutout unit 107, x input to the input unit 103, and the count output from the counter 105. The value i is entered. The hash calculation unit 106
y (i) = H (v (i-1) || x || <i>)… (4)
And the hash value y (i) is output (step S105).

The hash value y (i) is input to the bit cutout unit 107. The bit cutout unit 107
z (i) = [y (i)] ^nk … (5)
v (i) = [y (i)] _k … (6)
A part of the bit string is cut out from the hash value y (i) by the above operation, and the bit string z (i) and the hash chain value v (i) obtained thereby are output (steps S106 and S107).

Next, the control unit 101 determines whether or not the count value i output from the counter 105 is t-2 (step S108). If it is determined that i = t−2 is not satisfied, the counter 105 counts up i + 1 as a new i (step S109), and the process returns to step S105. On the other hand, if it is determined that i = t-2, the hash chain value v (t-2) output from the bit cutout unit 107 and the x input to the input unit 103 are sent to the hash calculation unit 106. The counted up value i = t−1 output from the counter 105 is input. The hash calculator 106 corresponds to the count value i = t−1.
y (t-1) = H (v (t-2) || x || <t-1>)… (7)
And the hash value y (t-1) is output (step S110).

The hash value y (t−1) output from the hash calculation unit 106 is input to the bit cutout unit 107. The bit cutout unit 107 corresponds to the count value i = t−1.
z (t-1) = [y (t-1)] ^r … (8)
A part of the bit string is cut out from the hash value y (t-1), and the bit string z (t-1) obtained thereby is output (step S111).

Each bit string z (i) (iε {0,..., T−1}) output from the bit cutout unit 107 is input to the bit combination unit 108. The bit combining unit 108
F (x, L) = z (0) || ... || z (t-2) || z (t-1)… (9)
The bit string of each bit string z (i) is combined by the above operation to generate and output a bit string F (x, L) having a bit length L (step S112).

<Modification of First Embodiment>
The present invention is not limited to the first embodiment.
For example, the hash input information u (i) of this embodiment is a bit combination of the hash chain value v (i−1), the arbitrary value x, and the encoding bit string <i> of the count value i. However, the hash input information u (i) corresponding to the count value i may not include the encoding bit string <i> of the count value i at least partially. In addition, hash input information u (i) corresponding at least in part to the count value i includes a hash chain value v (i-1), an arbitrary value x, and other information (for example, random numbers, device specific information, etc. May be a bit combination of the hash chain value v (i−1), the arbitrary value x, the encoding bit string <i>, and the other information.

  Also, each bit string z (i) (iε {0,..., T−1}) may be bit-coupled in an order other than that in Equation (9). Also, in this embodiment, hash input information u (i), u (p (i)) (i ≠ p (i)) and hash chain values v (j (i)), v (m ( i)) satisfies the relationship j (i) = i-1, p (i) = i-1, m (i) = i-2, for example, j (i) = i + 1, p (i) = i + 1, m (i) = i + 2, etc., j (i), p (i) (i ≠ p (i)), m (i) It may be a function. In this case, the count value update method differs accordingly. In this embodiment, since j (i) = i-1, p (i) = i-1, m (i) = i-2, iterative processing is performed while incrementing the count value i by 1 from 0 to t-1. For example, if j (i) = i + 1, p (i) = i + 1, m (i) = i + 2, the count value i is incremented by 1 from t-1 to 0. What is necessary is just to perform a repeating process, decreasing.

In this embodiment, the initial value of the hash chain value is v (-1) = 0 ^k , but the initial value of the hash chain value is an arbitrary constant or a function value of the arbitrary value x. The value may be the initial value v (-1) of the hash chain value. In this embodiment, since j (i) = i-1, p (i) = i-1, m (i) = i-2, an initial value is set for the hash chain value v (-1). , J (i), p (i) (i ≠ p (i)), and m (i) are other functions, the hash chain values to which initial values are set differ accordingly. For example, when j (i) = i + 1, p (i) = i + 1, m (i) = i + 2, an initial value is set to v (t + 1).

In this embodiment, the upper nk bits or r bits of the hash value y (i) are set to the bit string z (i) = [y (i)] ^nk , but other bit positions of the hash value y (i) (for example, , Lower nk bits or r bits, or discretely extracted nk bits or r bits) may be used as the bit string z (i). Also, the hash value y (i) (i ≠ t-1) itself is set to a bit string z (i) (i ≠ t-1), and r bits extracted from the hash value y (i) (i = t-1) are The bit string z (i) (i = t−1) may be used. In this case, t = CEIL (L / n) and r = Ln (t−1). In this embodiment, z (t-1) = [y (t-1)] ^r is calculated, but after calculating [y (t-1)] ^nk , z (t-1) = [[y (t-1)] ^nk ] ^r may be calculated. In this embodiment, n is a polynomial with k as a variable, but n may be a constant.

  In this embodiment, x and L are input to the input unit 103. However, a configuration in which L is fixed and only x is input to the input unit 103 may be employed.

[Second Embodiment]
The second embodiment is a modification of the first embodiment, and does not generate a hash chain value from the hash value of the first hash function H, but instead generates a hash chain from the hash value of the second hash function G that is calculated separately. Generate a value.

  Also in the second embodiment, first, at least an arbitrary value x is input to the input unit. Next, for each count value i∈ {0,..., Max} (i is an integer, MAX is an integer of 1 or more), hash input information u (i ) To generate a hash value y (i). The hash calculation unit of this embodiment inputs the hash input information u (i) to the first hash function H and generates a hash value y (i) = H (u (i)). Thereafter, the bit combination unit bit-combines a part of the bit string of the hash value y (i) and / or the hash value y (i) to generate a bit string having an arbitrary bit length L.

  Here, the hash input information u (i) corresponding to at least a part of the count value i further includes a hash corresponding to the count value j (i) (j (i) ε {0, ..., Max}). Contains the chain value v (j (i)). The hash chain value v (j (i)) is a hash chain corresponding to the count value m (i) (m (i) ∈ {0, ..., Max}, m (i) ≠ j (i)). A hash value of information including a value v (m (i)) or a bit string of a part thereof. In the case of this embodiment, the hash chain value v (j (i)) is a hash value obtained by inputting information including the hash chain value v (m (i)) to the second hash function G or a part thereof. The “information including the hash chain value v (m (i))” is information that does not depend on the arbitrary value x. The hash input information u (p (i)) corresponding to the count value p (i) (p (i) ∈ {0, ..., Max}, p (i) ≠ i) Contains the value v (m (i)).

Below, as an example, Max = t-1, t = CEIL (L / n), i∈ {0, ..., t-1}, j (i) = i-1, p (i) = i -1, m (i) = i-2, u (i) = v (i-1) || x || <i>, y (i) = H (v (i-1) || x || <i>), v (i-1) = G (v (i-2) || <i-1>) (if i ≧ 1), v (i-1) = v (-1) = 0 ^k ∈ {0,1} ^k (when i = 0), and an input (x, L) ∈ {0,1} ^* × N (N ≧ 1), and a bit string F (x, L) = y (0) || ... || y (t-2) || [y (t-1)] ^r (r = Ln (t-1)) is output as an example. In this embodiment, n is a polynomial with k as a variable and satisfies n> k. The first hash function H is H: {0,1} ^* → {0,1} ⁿ , and the second hash function G is G: {0,1} ^* → {0,1} ^k . In the following description, differences from the first embodiment will be mainly described, and description of matters common to the first embodiment will be omitted.

<Configuration>
FIG. 3 is a block diagram for explaining the configuration of the bit string generation device 200 of the second embodiment. In FIG. 3, the same reference numerals as those in the first embodiment are used for portions common to the first embodiment.

  As illustrated in FIG. 3, the bit string generation device 200 of this embodiment includes a control unit 101, a memory 102 a, an initial value memory 102 b, an input unit 103, a parameter calculation unit 204, a counter 105, and a hash calculation unit. 106, 209, bit cutout unit 207, and bit combination unit 208.

  The bit string generation device 200 of this embodiment is constructed by reading a predetermined program into a known computer having a CPU, a RAM, a ROM, and the like and executing the program by the CPU. For example, the parameter calculation unit 204, the hash calculation unit 209, the bit cutout unit 207, and the bit combination unit 208 are, for example, processing units that are constructed when the CPU executes a predetermined program. Note that at least a part of these processing units may be configured by an integrated circuit.

  In FIG. 1, the plurality of hash calculation units 106 and 209 are illustrated, but this is for convenience of description, and the plurality of hash calculation units 106 and 209 may not necessarily exist. The bit string generation device 200 executes each process under the control of the control unit 101. Although the description is simplified below, the data output from each processing unit is stored in the memory 102a one by one. The data stored in the memory 102a is input to each processing unit as necessary and used for the processing.

<Processing>
FIG. 4 is a flowchart for explaining the processing of the second embodiment. Hereinafter, the processing of this embodiment will be described with reference to this drawing. As a premise for the following processing, it is assumed that the values of k and n are set and the initial value v (−1) = 0 ^k of the hash chain value is stored in the initial value memory 102b.

First, (x, L) ε {0,1} ^* × N is input to the input unit 103 (step S101). L is input to the parameter calculation unit 104, and the parameter calculation unit 204
t = CEIL (L / n)… (10)
And the calculation result t is output (step S202).

In addition, the parameter calculation unit 204
r = Ln (t-1)… (11)
The calculation result r is output (step S203). The calculation result t output from the parameter calculation unit 104 is input to the control unit 101, and the calculation result r is input to the bit cutout unit 207.

Next, the counter 105 sets the count value i to 0 (step S104).
Next, the hash calculation unit 106 has the hash chain value v (i−1) output from the initial value memory 102 b or the hash calculation unit 209, x input to the input unit 103, and the count output from the counter 105. The value i is entered. The hash calculation unit 106
y (i) = H (v (i-1) || x || <i>)… (12)
And the hash value y (i) is output (step S105).

Next, the hash chain value v (i−1) output from the initial value memory 102 b or the hash calculation unit 209 and the count value i output from the counter 105 are input to the hash calculation unit 209. The hash calculation unit 209
v (i) = G (v (i-1) || <i>)… (13)
The hash value v (i) is output as the hash chain value v (i) (step S207).

Next, the control unit 101 determines whether or not the count value i output from the counter 105 is t-2 (step S108). If it is determined that i = t−2 is not satisfied, the counter 105 counts up i + 1 as a new i (step S109), and the process returns to step S105. On the other hand, if it is determined that i = t-2, the hash chain value v (t-2) output from the hash calculator 209 and the x input to the input unit 103 are sent to the hash calculator 106. The counted up value i = t−1 output from the counter 105 is input. The hash calculator 106 corresponds to the count value i = t−1.
y (t-1) = H (v (t-2) || x || <t-1>)… (14)
And the hash value y (t-1) is output (step S110).

The hash value y (t−1) output from the hash calculation unit 209 is input to the bit cutout unit 207. The bit cutout unit 207 corresponds to the count value i = t−1.
z (t-1) = [y (t-1)] ^r … (15)
A part of the bit string is cut out from the hash value y (t-1), and the bit string z (t-1) obtained thereby is output (step S211).

The hash values y (0),..., Y (t-2) output from the hash calculation unit 106 and the bit string z (t−1) output from the bit cutout unit 207 are sent to the bit combination unit 208. Entered. The bit combination unit 208
F (x, L) = y (0) || ... || y (t-2) || z (t-1)… (16)
Each hash value y (0), ..., y (t-2) and bit string z (t-1) are bit-combined by the operation of to generate a bit string F (x, L) of bit length L Output (step S212).

<Modification of Second Embodiment>
The present invention is not limited to the second embodiment.
For example, in this embodiment, the hash chain value v (i) is calculated in an iterative process performed while increasing the count value i (step S207). However, the hash chain value v (i) in this embodiment does not depend on the input arbitrary value x. Therefore, all necessary hash chain values v (i) may be calculated together, or the hash chain value v (j) is pre-calculated before step S101 and the hash value y (i) is calculated in parallel. May be. Thereby, calculation speed can be improved.

  Also, the hash input information u (i) of this embodiment is a bit combination of the hash chain value v (i−1), the arbitrary value x, and the encoding bit string <i> of the count value i. However, the hash input information u (i) corresponding to the count value i may not include the encoding bit string <i> of the count value i at least partially. In addition, hash input information u (i) corresponding at least in part to the count value i includes a hash chain value v (i-1), an arbitrary value x, and other information (for example, random numbers, device specific information, etc. May be a bit combination of the hash chain value v (i−1), the arbitrary value x, the encoding bit string <i>, and the other information.

  Further, the hash chain value v (i) of this embodiment is a hash value G (v (i-1) || <i>) of bit combination between the hash chain value v (i-1) and the encoding bit string <i>. Met. However, the hash chain value v (i) corresponding at least in part to the count value i is a hash value of a value that does not include the encoding bit string <i> of the count value i (for example, v (i) = G (v (i -1))). In addition, the hash chain value v (i) corresponding to the count value i at least in part, the hash chain value v (i-1), the encoding bit string <i>, and other information (for example, random numbers or device-specific Or a hash value of bit combination with the other information, or a hash value of bit combination with the other information. Also, some bits of the hash value such as the hash value G (v (i−1) || <i>) may be used as the hash chain value v (i).

  Also, each bit string y (0),..., Y (t-2), z (t-1) may be bit-coupled in an order other than Expression (16). Also, in this embodiment, hash input information u (i), u (p (i)) (i ≠ p (i)) and hash chain values v (j (i)), v (m ( i)) satisfies the relationship j (i) = i-1, p (i) = i-1, m (i) = i-2, for example, j (i) = i + 1, p (i) = i + 1, m (i) = i + 2, etc., j (i), p (i) (i ≠ p (i)), m (i) It may be a function. In this case, the count value update method differs accordingly. In this embodiment, since j (i) = i-1, p (i) = i-1, m (i) = i-2, iterative processing is performed while incrementing the count value i by 1 from 0 to t-1. For example, if j (i) = i + 1, p (i) = i + 1, m (i) = i + 2, the count value i is incremented by 1 from t-1 to 0. What is necessary is just to perform a repeating process, decreasing.

In this embodiment, the initial value of the hash chain value is v (-1) = 0 ^k , but the initial value of the hash chain value is an arbitrary constant or a function value of the arbitrary value x. The value may be the initial value v (-1) of the hash chain value. In this embodiment, since j (i) = i-1, p (i) = i-1, m (i) = i-2, an initial value is set for the hash chain value v (-1). , J (i), p (i) (i ≠ p (i)), and m (i) are other functions, the hash chain values to which initial values are set differ accordingly. For example, when j (i) = i + 1, p (i) = i + 1, m (i) = i + 2, an initial value is set to v (t + 1).

  In this embodiment, the bit combination of the hash value y (0), ..., y (t-2) and the bit string z (t-1) is the bit string F (x, L). Bit combinations of a part of bit strings y (0),..., y (t-2) and the bit string z (t-1) may be defined as a bit string F (x, L). In this case, t and r are calculated so that the bit length of the bit string F (x, L) is L.

  In this embodiment, n is a polynomial with k as a variable, but n may be a constant. In this embodiment, x and L are input to the input unit 103. However, a configuration in which L is fixed and only x is input to the input unit 103 may be employed.

[Third Embodiment]
Next, a third embodiment of the present invention will be described.
The present embodiment is a modification of the first and second embodiments, in which only hash input information u (i) corresponding to a part of count values i includes a hash chain value v (j (i)). As a result, the calculation cost of the hash chain value v (j (i)) can be reduced, and the hash input information u (i) that does not include the hash chain value v (j (i)) and its hash value are calculated in parallel. And the calculation speed can be improved.
In addition, since the structure of this form is the same as that of 1st, 2 embodiment, description of a structure is abbreviate | omitted below and it demonstrates centering around a process.

<Example 1>
FIG. 5 is a flowchart for explaining the processing of the third embodiment.
In the example of FIG. 5, input is performed only when the count value i∈ {0, ..., t-1} satisfies i = w · q (w is an integer of 2 or more, q is a positive integer). The information u (i) includes the hash chain value v (j (i)). On the other hand, the input information u (i) corresponding to the count value i where i ≠ w · q does not include the hash chain value v (j (i)). In the present embodiment, as in the first embodiment, a case where j (i) = i−1, p (i) = i−1, and m (i) = i−2 will be described as an example.

First, the same processing of steps S101 to S103 as in the first embodiment is executed. Next, the hash calculation unit 106 (FIG. 1) inputs x input to the input unit 103 and the count value i (i∈ {0,... T−1}, i ≠ w · q) is entered. The hash calculator 106 calculates the count values i (i∈ {0,... T-1}, i ≠ w · q).
y (i) = H (x || <i>)… (17)
The hash value y (i) is output (step S304). The calculation of Expression (17) for each count value i may be executed simultaneously in parallel or serially.

Among these hash values y (i), the one corresponding to the count value i (iε {0,... T−1}, i = w · q−1) is input to the bit cutout unit 107. The bit cutout unit 107 calculates the count value i (i∈ {0, ... t-1}, i = w · q-1)
v (i) = [y (i)] _k … (18)
A part of the bit string is cut out from the hash value y (i) by the above operation, and the bit string z (i) and the hash chain value v (i) obtained thereby are output (step S305). The calculation of Expression (18) for each count value i may be executed simultaneously in parallel or serially.

Next, the hash chain value v (i−1) (i∈ {0,... T−1}, i = w · q output from the initial value memory 102b or the bit cutout unit 107 is sent to the hash calculator 106. ), X input to the input unit 103, and the count value i (iε {0,... T−1}, i = w · q) output from the counter 105 are input. The hash calculator 106 calculates the count values i (i∈ {0, ... t-1}, i = w · q).
y (i) = H (v (i-1) || x || <i>)… (19)
The hash value y (i) is output (step S306). The calculation of Equation (19) for each count value i may be executed simultaneously in parallel or serially.

The hash value y (i) corresponding to each count value i∈ {0,... T−2} is input to the bit cutout unit 107. The bit cutout unit 107
z (i) = [y (i)] ^nk … (20)
A part of the bit string is cut out from the hash value y (i) by the above operation, and the bit string z (i) (iε {0,... T−2}) obtained thereby is output (step S307).
Thereafter, the processes of steps S111 and S112 similar to those of the first embodiment are executed.

<Example 2>
FIG. 6 is a flowchart for explaining the processing of the third embodiment.
In the example of FIG. 6, input is performed only when the count value i∈ {0, ..., t-1} satisfies i = w · q (w is an integer of 2 or more, q is a positive integer). The information u (i) includes the hash chain value v (j (i)). On the other hand, the input information u (i) corresponding to the count value i where i ≠ w · q does not include the hash chain value v (j (i)). In the present embodiment, as in the first embodiment, a case where j (i) = i−1, p (i) = i−1, and m (i) = i−2 will be described as an example. Further, it is assumed that the initial value v (−w) = 0 ^k of the hash chain value is stored in the initial value memory 102b as a premise of the following processing.

  First, the same processes of steps S101, S202, and S203 as in the second embodiment are executed. Next, the hash calculation unit 106 (FIG. 3) inputs x input to the input unit 103 and the count value i (i∈ {0,... T−1}, i ≠ w · q) is entered. The hash calculation unit 106 performs the calculation of Expression (17) on each count value i (i∈ {0,... T-1}, i ≠ w · q), and the hash value y (i ) Is output (step S304). The calculation of Expression (17) for each count value i may be executed simultaneously in parallel or serially.

Next, the counter 105 sets the count value i to 0 (step S315).
Next, the hash calculation unit 106 has the hash chain value v (i−1) output from the initial value memory 102 b or the hash calculation unit 209, x input to the input unit 103, and the count output from the counter 105. The value i is entered. The hash calculation unit 106
y (i) = H (v (iw) || x || <i>)… (21)
The hash value y (i) is output (step S316).

Next, the hash chain value v (iw) output from the initial value memory 102 b or the hash calculation unit 209 and the count value i output from the counter 105 are input to the hash calculation unit 209. The hash calculation unit 209
v (i) = G (v (iw) || <i>)… (22)
The hash value v (i) is output as the hash chain value v (i) (step S317).

  Next, the control unit 101 determines whether or not the count value i output from the counter 105 is equal to or greater than t−1 (step S318). If it is determined that i ≧ t−1 does not hold, the counter 105 counts up i + w as a new i (step S319), and the process returns to step S316. On the other hand, if it is determined that i ≧ t−1, the processes of steps S211 and S212 of the second embodiment are executed.

<Modification of Third Embodiment>
The present invention is not limited to the third embodiment. For example, in Examples 1 and 2 of the third embodiment, among the count values i∈ {0,..., T−1}, i = w · q (w is an integer of 2 or more, q is a positive integer) ), The example in which the input information u (i) includes the hash chain value v (j (i)) has been described. However, the input information u (i) may include the hash chain value v (j (i)) only for a subset of other count values i∈ {0,..., T−1}. In each of the above processes, the modifications described in the modification of the first embodiment and the modification of the second embodiment may be made.

[Other variations, etc.]
The processing of each of the above-described embodiments is not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processing or as necessary. Needless to say, other modifications are possible without departing from the spirit of the present invention.
Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.
The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  Examples of the application field of the present invention include encryption communication fields such as encryption key generation processing and electronic signatures.

100,200 bit string generator

Claims (7)

An input unit for inputting at least an arbitrary value x;
For each count value i∈ {0,..., Max} (i is an integer, MAX is an integer of 1 or more), the hash value y (i) of the hash input information u (i) including the arbitrary value x, respectively. ) To generate a hash calculation unit,
A bit combination unit that bit-combines a part of the hash value y (i) and / or a part of the hash value y (i) and generates a bit string of an arbitrary bit length L, and
The hash input information u (i) corresponding to at least a part of the count value i further includes a hash chain value corresponding to the count value j (i) (j (i) ∈ {0, ..., Max}). including v (j (i))
The hash chain value v (j (i)) is a hash chain corresponding to the count value m (i) (m (i) ε {0, ..., Max}, m (i) ≠ j (i)). A hash value of information including the value v (m (i)) or a bit string of a part thereof,
The hash input information u (p (i)) corresponding to the count value p (i) (p (i) ε {0, ..., Max}, p (i) ≠ i) is further the hash chain value including v (m (i)),
A bit string generation device characterized by that. The bit string generation device according to claim 1,
The hash calculation unit inputs the hash input information u (i) to a first hash function H to generate the hash value y (i),
Information including the hash chain value v (m (i)) is the hash input information u (p (i)),
The hash chain value v (j (i)) is a hash value y (p (i)) obtained by inputting the hash input information u (p (i)) to the first hash function H or one of the hash values y (p (i)). Part bit string,
A bit string generation device characterized by that. The bit string generation device according to claim 1,
The hash calculation unit inputs the hash input information u (i) to a first hash function H to generate the hash value y (i) = H (u (i)),
The hash chain value v (j (i)) is a hash value obtained by inputting information including the hash chain value v (m (i)) to the second hash function G or a bit string of a part thereof. ,
The information including the hash chain value v (m (i)) is information that does not depend on the arbitrary value x.
A bit string generation device characterized by that. The bit string generation device according to claim 3, wherein
The hash chain value v (j) is a value calculated in advance before the arbitrary value x is input to the input unit.
A bit string generation device characterized by that. The bit string generation device according to any one of claims 1 to 4,
Only the hash input information u (i) corresponding to some count values i includes the hash chain value v (j (i)),
A bit string generation device characterized by that. A bit string generation method executed by a bit string generation device having an input unit, a hash calculation unit, a bit combination unit, and a bit combination unit,
At least an arbitrary value x is input to the input unit;
For each count value i∈ {0,..., Max} (i is an integer, MAX is an integer of 1 or more), hash input information u (i) that includes the arbitrary value x, respectively. Generating a hash value y (i) of
The bit combining unit bit-combining part of the hash value y (i) and / or the hash value y (i) to generate a bit string having an arbitrary bit length L, and
The hash input information u (i) corresponding to at least a part of the count value i further includes a hash chain value corresponding to the count value j (i) (j (i) ∈ {0, ..., Max}). including v (j (i))
The hash chain value v (j (i)) is a hash chain corresponding to the count value m (i) (m (i) ε {0, ..., Max}, m (i) ≠ j (i)). A hash value of information including the value v (m (i)) or a bit string of a part thereof,
The hash input information u (p (i)) corresponding to the count value p (i) (p (i) ε {0, ..., Max}, p (i) ≠ i) is further the hash chain value including v (m (i)),
A bit string generation method characterized by the above.   A program for causing a computer to function as the bit string generation device according to any one of claims 1 to 5.

Images