JP2017044757A - Information processing device and information processing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make a memory capacity for storing data or the like of a table small in an AES system.SOLUTION: An information processing device for encrypting or decrypting input data in an AES system selects four-byte sub-round data in the input data, respectively replaces the sub-round data in each one-byte data on the base of a first table to generate respective replacement data, rearranges bits of the replacement data with replacement based on a second table to generate rearrangement data, and calculates an exclusive OR of the rearrangement data.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an information processing apparatus and an information processing method.

  Conventionally, an AES (Advanced Encryption Standard) system defined by FIPS (Federal Information Processing Standard) 197 (American National Institute of Standards and Technology, published in 2001) is known as a data encryption system.

  Also, a method for protecting a key by performing white box implementation of a Lombok encryption algorithm in a smart card is known (for example, Patent Document 1).

Special table 2011-512726 gazette

  However, in the conventional white box implementation in AES, since the capacity of the table data used is large, the memory capacity for storing the table data may be large.

  One aspect of the present invention is to reduce the memory capacity for storing table data and the like in the AES system.

  In one aspect, an information processing apparatus that encrypts or decrypts input data by an AES method includes: a selection unit that selects 4-byte subround data out of the input data; and the subround data for each 1-byte data. A replacement unit that performs replacement based on the first table and generates respective replacement data; and a rearrangement unit that generates rearrangement data by rearranging the bits of the replacement data by replacement based on the second table; And an exclusive OR calculator for calculating an exclusive OR of the rearranged data.

  In the AES method, the memory capacity for storing table data and the like can be reduced.

It is a block diagram explaining an example of the hardware constitutions of the embedded system which concerns on one Embodiment of this invention. It is a flowchart explaining an example of the process per round of encryption which concerns on one Embodiment of this invention. It is a schematic diagram explaining an example of the process per 1 round of encryption which concerns on one Embodiment of this invention. It is a schematic diagram explaining an example of the process per round of the encryption which concerns on a comparative example. It is a schematic diagram explaining an example of the process per other round of encryption which concerns on one Embodiment of this invention. It is a functional block diagram which shows an example of a function structure of the embedded system which concerns on one Embodiment of this invention.

  The information processing apparatus is, for example, an embedded system. The embedded system is a system for realizing a specific function that is built in an industrial device or a home appliance. The information processing apparatus may be a PC (Personal Computer) or the like. Hereinafter, an embodiment of the present invention will be described based on an example in which an information processing apparatus is an embedded system, based on the drawings.

1. 1. Hardware configuration example of embedded system 2. Example of overall processing by embedded system Example of functional configuration of embedded system << 1. Example of hardware configuration of embedded system >>
FIG. 1 is a block diagram illustrating an example of a hardware configuration of an embedded system according to an embodiment of the present invention. As illustrated, the embedded system 1 includes an arithmetic device HW1, a storage device HW2, and an I / F (interface) HW3.

  The arithmetic device HW1 is a CPU (Central Processing Unit) or an MPU (Micro Processing Unit). The arithmetic device HW1 is a control device that controls the hardware that the embedded system 1 has, and an arithmetic device that performs calculations and data processing for realizing all or part of the processing performed by the embedded system 1. Furthermore, the arithmetic unit HW1 incorporates a storage device such as a RAM (Random Access Memory) HW10 and a ROM (Read-Only Memory) HW11, as shown in the figure, and realizes a storage area.

  The RAM HW 10 is a storage device used for developing and storing programs, setting values, data, or the like used by the arithmetic device HW 1 or the like.

  The ROMHW11 is a storage device that stores programs, setting values, data, and the like used by the arithmetic device HW1 and the like.

  The storage device HW2 is a so-called memory or the like. The storage device HW2 is a storage device that stores programs, setting values, data, and the like used by the embedded system 1. Note that the storage device HW2 may include an auxiliary storage device or the like.

  The I / FHW 3 is an interface for inputting and outputting data and the like to the embedded system 1. The I / FHW 3 is realized by a bus, a connector, a cable, a driver, and the like.

  Note that the hardware configuration of the embedded system 1 is not limited to the illustrated configuration. For example, the embedded system 1 may not have the storage device HW2. The embedded system 1 may further include an auxiliary device such as an arithmetic device outside or inside.

<< 2. Example of overall processing by embedded system >>
FIG. 2 is a flowchart for explaining an example of processing per round of encryption according to an embodiment of the present invention. In the following, a processing unit (hereinafter referred to as “one round”) for 16-byte input data, which is a processing unit in the AES method, will be described. Note that processing per round is repeatedly performed according to the bit length of the key used in the AES method.

  FIG. 3 is a schematic diagram illustrating an example of processing per round of encryption according to an embodiment of the present invention. Specifically, the processing per round is processing for input data D_IN into which 16 pieces of 1-byte data “0” to “15” shown in FIG. 3 are input. Further, the processing per round is repeatedly performed using the selected 4-byte data out of 16 bytes as a processing unit (hereinafter referred to as “1 sub-round”). That is, in the process per round, the process of 4 sub-rounds is repeatedly performed. Hereinafter, in FIG. 2 and FIG. 3, processing per sub-round among processing per round will be mainly described.

<< Sub Round Data Selection Example (Step S0101) >>
In step S0101 shown in FIG. 2, the embedded system selects sub-round data. That is, in step S0101 shown in FIG. 2, the embedded system selects one subround data to be processed per subround from the input data D_IN shown in FIG.

  Hereinafter, as shown in FIG. 3, in step S0101 shown in FIG. 2, 1-byte data of “0”, “5”, “10”, and “15” in the input data D_IN is sub-round data. A description will be given with an example of selection. Of the sub-round data to be selected, a process for 1-byte data “0” will be described as an example.

<< Replacement Example Based on First Table (Step S0102) >>
In step S0102 shown in FIG. 2, the embedded system performs replacement based on the first table. That is, as shown in FIG. 3, the embedded system replaces input 1-byte data of “0” based on the first table. When replacement is performed based on the first table, replacement data is generated. The replacement based on the first table includes the first transformation “g” and the second inverse transformation “f ⁻¹ ”. Details of step S0102 will be described later.

<< Example of rearranging bits based on second table (step S0103) >>
In step S0103 shown in FIG. 2, the embedded system rearranges the bits based on the second table. Details of step S0103 will be described later.

<< Exclusive OR (XOR, exclusive or) calculation example (step S0104) >>
In step S0104 shown in FIG. 2, the embedded system calculates an exclusive OR. Details of step S0104 will be described later.

  Also, the calculation based on the substitution and exclusive OR based on the second table includes the second transformation “f”.

  Similarly to the 1-byte data “0”, when the steps S0101 to S0104 are performed on the 1-byte data “5”, “10”, and “15” in the input data D_IN, the output data Of D_OUT, data of “0” to “3” is generated, and one sub-round process is completed.

  In addition, the order in which each procedure in the process shown in FIG. 2 is performed is not restricted to the order shown in FIG. For example, the order in which step S0101 and step S0102 are performed may be reversed. In addition, part or all of each procedure may be performed in a distributed, parallel, redundant, or a combination thereof.

<< Comparative Example >>
FIG. 4 is a schematic diagram illustrating an example of processing per round of encryption according to the comparative example. 4, as in FIG. 3, processing is performed on four 1-byte data of the input data D_IN, and four 1-byte data of the output data D_OUT is generated per subround. An example of the process is shown. In the process shown in FIG. 4 as well, in the process per round, four sub-round processes are repeated as in FIG. Hereinafter, the processing per sub-round will be mainly described.

  In step S0201, four 1-byte data are selected. The processing result obtained by executing the “ShiftRows” function defined in FIPS197 and the processing result obtained by performing step S0201 are similar.

  In step S0202, the 1-byte data selected in step S0201 is converted by so-called T-Box or the like, and the converted data is output.

  In step S0203, the data output in step S0202 is converted by a table such as so-called XOR-Tables, and as shown in the figure, the same processing result as that obtained when the exclusive OR is calculated is obtained. Is output.

  As shown in the figure, the processing results obtained by executing the “AddRoundKey” function, the “SubBytes” function, and the “MixColumns” function defined in FIPS197 are similar to the processing results obtained by performing the steps S0202 and S0203, respectively. It becomes.

  As shown in the figure, when processing per sub-round is performed, four 1-byte data that is output in step S0203 is generated as data “0” to “3” in the output data D_OUT. .

  In this comparative example, the data of each table used for conversion or the like in the process has a capacity of 508 kilobytes (k bytes) in total when the bit length of the key is 128 bits, and the bit length of the key is In the case of 256 bits, the total capacity is 732 kilobytes. That is, when the key bit length is 128 bits, a memory area of 508 kilobytes or more is required to realize the comparative example, and the information processing apparatus is equipped with a ROM or the like that can store 508 kilobytes or more. There is a need.

<< Details of Processes and Process Result Examples by Embedded System According to One Embodiment of the Present Invention >>
As shown in FIG. 3, the embedded system obtains the same processing result by performing step S0101 (FIGS. 2 and 3) on the processing result obtained by executing the “ShiftRows” function defined in FIPS197. be able to.

Further, as shown in FIG. 3, the embedded system is obtained by performing step S0102 (FIGS. 2 and 3) on the processing results obtained by executing the “AddRoundKey” function and the “SubBytes” function defined in FIPS197. Can include similar processing results. For example, when step S0102 is performed on 1-byte data “0” in the input data D_IN (FIG. 3), the embedded system performs the first conversion “g ₀ ” and the second inverse conversion “f”. _The same processing result can be included when the conversion is performed by “ ₀ ⁻¹ ” and the conversion by “T ₀ ¹ ” shown in FIG. 4.

The first transformation “g” and the first inverse transformation “g ⁻¹ ” are the relationship between the transformation and the inverse transformation. Similarly, the second transformation “f” and the second inverse transformation “f ⁻¹ ” are the relationship between the transformation and the inverse transformation. The relationship between the conversion and the inverse conversion is a relationship in which, after any conversion is performed on arbitrary data, the data is returned to the data before the conversion when the inverse conversion is further performed.

  As shown in FIG. 3, when the first conversion “g” is included in the replacement based on the first table T1, a so-called random number component is included, and the embedded system performs so-called obfuscation at the output of step S0102. realizable.

Also, as shown in FIG. 3, step S0102 is realized by a first table T1, a so-called LUT (Look Up Table). If the 1-byte data is replaced in “2 ⁸ = 256” by the replacement by the first table T1, the first table T1 has a capacity of “1 byte × 256 ways = 256 bytes”.

  Furthermore, in the process per round, four sub-rounds are performed, so the capacity related to the first table T1 is “256 bytes × 4 pieces / sub-round = 1024 bytes / sub-round = 1 kilobyte for one round. / Sub-round. Furthermore, as shown in FIG. 3, since the first table T1 is used for each of four 1 bytes, the capacity of the first table T1 is “1 kilobyte × 4 = 4 kilobytes”. If a different first table T1 is used in each round, the capacity required for all rounds related to the first table T1 is “4 kilobytes × 9 rounds = 36 kilobytes” when nine rounds are performed. .

  When a different first table T1 is used in each round and nine rounds are performed, the number of first tables T1 is “4 × 4 sub-rounds × 9 rounds = 144”. .

  Further, the capacity required for all rounds related to the first table T1 and the number of first tables T1 differ depending on the bit length of the key in the AES scheme. Specifically, when the key bit length is 192 bits, the number of rounds to be performed is different from the case where the key bit length is 128 bits, so the capacity required for all the rounds related to the first table T1 Is “44 kilobytes”, and the number of the first table T1 is “176”. Further, when the bit length of the key is 256 bits, the capacity required for all rounds related to the first table T1 is “52 kilobytes”, and the number of the first table T1 is “208”. .

  Next, as shown in FIG. 3, Steps S0103 (FIGS. 2 and 3) and S0104 (FIGS. 2 and 3) are respectively performed on the processing results obtained by executing the “MixColumns” function defined in FIPS197. By doing so, the embedded system can include similar processing results.

  As shown in FIG. 3, step S0103 is realized by a second table T2, a so-called LUT. In the process illustrated in FIG. 3, in order to include the process result obtained by executing the “MixColumns” function and the same process result, the replacement by the second table T2 is performed in step S0103.

Also, as shown in FIG. 3, when the replacement by the second table T2 is performed, the first inverse transformation “g ⁻¹ ” for the first transformation “g” in step S0102 is included.

  Further, when the replacement by the second table T2 shown in FIG. 3 is performed, the bits are rearranged. The bit rearrangement is indicated by rearrangement “h” in FIG. For example, the rearrangement “h” makes the input 1-byte data 1 ×, 1 ×, 2 ×, and 3 ×, respectively, and then arranges the sequence of 4 bytes that is the output of each calculation result. Change. Accordingly, the rearrangement “h” multiplies the input of 1-byte data and outputs the rearranged values, that is, outputs four 1-byte data.

  Therefore, the second table T2 has 256 inputs, and performs four outputs for the 256 inputs, so the capacity is “256 patterns × 4 bytes = 1024 bytes = 1 kilobyte”. Also, as shown in FIG. 3, since one second sub-round uses four second tables T2, the capacity related to the second table T2 is “1 kilobyte × 4 = 4 kilobytes”.

In addition, the second transformation “f” with respect to the second inverse transformation “f ⁻¹ ” in step S 0102 shown in FIG. Is included. Specifically, if the data “a” is input as 1-byte data “0” in the input data D_IN, the rearrangement “h ₀ ” and the exclusive OR calculation are performed. The relationship with the conversion “f ₀ ” is the relationship shown in the following equation (1).

  Similarly to the above equation (1), if the data “a” is input as 1-byte data “5” in the input data D_IN, the processing combining step S0103 and step S0104, The relationship with the conversion “f” is as shown in the following equation (2).

Since the rearrangement “h” included in the replacement by the second table T2 rearranges 1 byte, that is, 8 bits, the rearrangement pattern is “8! = 40320≈2 ^15.3 ”. . Also, the calculation of the exclusive OR in step S0104 can create “2 ³² = 4294967296” patterns. Accordingly, the replacement by the second table T2 in step S0103 and the exclusive OR calculation in step S0104 allow the embedded system to include a processing result similar to the processing result of executing the “MixColumns” function.

  Compared with the comparative example shown in FIG. 4, even if there is no table such as so-called XOR-Tables used in step S0203, the embedded system is similar to the case where the “MixColumns” function is executed in steps S0103 and S0104. , Security strength can be ensured.

  In addition, as shown in FIG. 3, the execution of the “AddRoundKey” function, the “SubBytes” function, and the “MixColumns” function is performed by the replacement by the first table T1, the replacement by the second table T2, and the calculation of exclusive OR, respectively. When the embedded data is analyzed, the embedded system can make it difficult to understand the contents of the data to be processed, that is, the data contents can be obfuscated. .

  This is because the data to be processed is acquired by some method with respect to Black Box AES which makes it difficult to acquire or analyze the data to be processed. Corresponds to so-called White Box AES. Therefore, the embedded system can realize White Box AES by performing the processes shown in FIGS. 2 and 3 respectively.

  Note that if the different table is prepared for each process in the sub-round, the second table T2 is different in the table referred to in each process in the sub-round. Therefore, the embedded system analyzes the replacement by the second table T2. The calculation cost can be increased. That is, the embedded system can further improve security. Specifically, in FIG. 3, in each process for “0”, “5”, “10”, and “15” of the input data D_IN, the second table T2 used in each process is different from each other. And so on.

  On the other hand, as the second table T2, a different table may be prepared for each round. That is, the second table T2 may be reused for each sub-round.

  FIG. 5 is a schematic diagram illustrating an example of another process per round of encryption according to an embodiment of the present invention. Specifically, as the next processing after the processing shown in FIGS. 2 and 3, as shown in the drawing, 1-byte data of “3”, “4”, “9”, and “14” in the input data D_IN. In the example shown in FIG. 3, each process shown in FIG. 2 is performed on the selected 1-byte data. That is, first, data “0” to “3” is generated as output data by the process shown in FIG. 3, and the process of one sub-round is completed. Next, in the example shown in FIG. 5, “4” to “7” data is generated from the output data D_OUT.

  In this example, as shown in FIG. 5, the same second table T <b> 2 may be used in common in the previous process shown in FIG. 3 and the next process shown in FIG. 5.

  On the other hand, as the second table T2, different tables may be prepared for odd-numbered rounds and even-numbered rounds.

  When the second table T2 is commonly used for each of the sub-round, the round, the odd-numbered round, or the even-numbered round, the embedded system can reduce the memory capacity for storing the data of the second table T2.

  For example, if the same second table T2 is used in common in a round, the capacity is 4 kilobytes per sub-round, so the capacity per round can be 4 kilobytes. On the other hand, when different second tables T2 are used, the capacity per round is 16 kilobytes.

  Therefore, the embedded system can further reduce the memory capacity for storing the data of the second table T2.

  Further, the configurations described above may be realized in combination. For example, if a different second table T2 is prepared for each process in the sub-round, and the second table T2 is used in common for each odd-numbered round or even-numbered round, the number of second tables T2 is: “4 × 2 = 8”. The capacity required for all rounds related to the second table T2 is “4 kilobytes × 8 = 32 kilobytes”.

  For example, it is assumed that 9 rounds are performed and the second table T2 is commonly used for every odd number or even number round. In this case, the capacity required for all rounds related to the first table T1 is “36 kilobytes”, and the capacity required for all rounds related to the second table T2 is “8 kilobytes”. Therefore, the embedded system can realize White Box AES with a small memory capacity of “36 kilobytes + 8 kilobytes = 44 kilobytes”, which makes it difficult to analyze data contents. When the bit length of the key is 256 bits, the embedded system can realize White Box AES with a small memory capacity of “60 kilobytes” and the data contents are not easily analyzed.

<< 3. Example of functional configuration of embedded system >>
FIG. 6 is a functional block diagram showing an example of a functional configuration of the embedded system according to the embodiment of the present invention. As illustrated, the embedded system 1 includes a selection unit FN1, a replacement unit FN2, a rearrangement unit FN3, and an exclusive OR calculation unit FN4.

  The selection unit FN1 selects 4-byte sub-round data D_SR from the input data D_IN. The input data D_IN is 16-byte 1-round data as shown in FIG. When the sub-round data D_SR is selected by the selection unit FN1, a processing result similar to the processing result obtained by executing the “ShiftRows” function defined in FIPS197 is obtained. Furthermore, the selection unit FN1 is realized by, for example, the arithmetic device HW1 (FIG. 1).

The replacement unit FN2 replaces the sub-round data D_SR for each 1-byte data based on the first table T1, and generates respective replacement data D_SS. Further, the replacement based on the first table T1 includes the first conversion “g” shown in FIG. Further, the replacement based on the first table T1 includes the second inverse transformation “f ⁻¹ ” and the like shown in FIG. Furthermore, when the replacement based on the first table T1 is performed by the replacement unit FN2, processing results similar to the processing results obtained by executing the “AddRoundKey” function and the “SubBytes” function defined in FIPS197 are included. The replacement unit FN2 is realized by, for example, the arithmetic device HW1.

The rearrangement unit FN3 rearranges the bits of the replacement data D_SS by replacement based on the second table T2, and generates rearrangement data D_CH. Further, the replacement based on the second table T2 includes the first inverse transformation “g ⁻¹ ” and the like shown in FIG. Furthermore, the rearrangement unit FN3 may use the second table T2 in common for each sub-round, round, odd-numbered round, or even-numbered round. The rearrangement unit FN3 is realized by, for example, the arithmetic device HW1.

  The exclusive OR calculator FN4 calculates an exclusive OR of the rearranged data D_CH. The exclusive OR calculation unit FN4 is realized by, for example, the arithmetic device HW1.

  When the replacement based on the second table T2 by the rearrangement unit FN3 and the exclusive OR calculation by the exclusive OR calculation unit FN4 are performed, the processing result is the same as the result of executing the “MixColumns” function defined in FIPS197. The processing result of is included.

  The embedded system is not limited to performing encryption by the AES method. For example, the embedded system may perform decoding using a process corresponding to an inverse function of each process. For example, an inverse function of the “ShiftRows” function is an “InvShiftRows” function or the like. In addition, an inverse function of the “SubBytes” function is an “InvSubBytes” function, and an inverse function of the “MixColumns” function is an “InvMixColumns” function.

  Further, it is desirable that the present invention be applied to an embedded system having many restrictions on usable storage capacity. Furthermore, in order to make it difficult to decipher the program and data, the embedded system preferably has a hardware configuration in which a memory is built in the arithmetic unit as shown in FIG.

  The embedded system is used for a so-called smart meter, for example. Smart meters and the like often send and receive data to and from external devices. In this case, the smart meter or the like can transmit and receive data encrypted by the AES method by an embedded system. Thereby, since the data to be transmitted / received is encrypted, the smart meter can improve security in the data transmission / reception.

  The embedded system is not limited to being applied to a smart meter. For example, the embedded system may be applied to embedded devices in general, devices that communicate with other devices via the cloud, etc., each device used for IoT (Internet of Things), or an information processing system that combines these devices. .

  Further, the embedded system is not limited to a configuration realized by one information processing apparatus. In other words, the embedded system may be realized by an information processing system having two or more information processing devices. In the information processing system, processing may be performed so that part or all of each processing is distributed, redundant, parallel, or a combination thereof.

  As mentioned above, although the preferable Example of this invention was explained in full detail, this invention is not limited to the specific embodiment which concerns. That is, various modifications or changes can be made within the scope of the gist of the present invention described in the claims.

1 Embedded System D_IN Input Data D_OUT Output Data T1 First Table T2 Second Table

Claims (11)

An information processing apparatus that encrypts or decrypts input data using the AES method,
A selection unit for selecting 4-byte sub-round data among the input data;
A substituting unit for substituting the sub-round data for each byte of data based on the first table, and generating respective replacement data;
A rearrangement unit for rearranging the bits of the replacement data by replacement based on a second table to generate rearranged data;
An information processing apparatus comprising: an exclusive OR calculator that calculates an exclusive OR of the rearranged data.   The information processing apparatus according to claim 1, wherein the input data is 16-byte one-round data.   The information processing apparatus according to claim 1, wherein the replacement based on the first table includes a first conversion, and the replacement based on the second table includes a first inverse conversion with respect to the first conversion. .   The substitution based on the second table and the calculation of the exclusive OR include a second transformation, and the substitution based on the first table includes a second inverse transformation with respect to the second transformation. The information processing apparatus described in 1.   The information processing apparatus according to claim 1, wherein when the selection is performed, a processing result similar to the processing result obtained by executing the ShiftRows function is obtained.   The information processing apparatus according to claim 1, wherein when the replacement based on the first table is performed, a processing result similar to the processing result of executing the AddRoundKey function and the SubBytes function is included.   The information processing apparatus according to claim 1, wherein when the replacement based on the second table and the calculation of the exclusive OR are performed, a processing result similar to the processing result of executing the MixColumns function is included.   The information processing apparatus according to claim 1, wherein the second table is used in common for each of a sub-round, a round, an odd-numbered round, or an even-numbered round.   The information processing apparatus according to claim 1, wherein the information processing apparatus is an embedded system.   The information processing apparatus according to claim 1, wherein the AES method is White Box AES. An information processing method performed by an information processing apparatus that encrypts or decrypts input data using the AES method,
A selection procedure in which the information processing apparatus selects 4-byte sub-round data among the input data;
The information processing apparatus replaces the sub-round data for each 1-byte data based on the first table, and generates a replacement data.
A reordering procedure in which the information processing apparatus reorders the bits of the replacement data by permutation based on a second table to generate permutation data;
An information processing method, wherein the information processing apparatus includes an exclusive OR calculation procedure for calculating an exclusive OR of the rearranged data.

Images