JP3490365B2 - Replacement calculation device and its program recording medium - Google Patents

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD The present invention relates to, for example, substitution operation instrumentation 置及 Bisono program recording medium used in cryptography.

[0002]

2. Description of the Related Art Encryption technology is effective for concealing data. There are common key cryptography and public key cryptography as the encryption method. In common key cryptography, the same key is used on the cipher creation side and the cipher decryption side, and this key is secretly managed. On the other hand, in public key cryptography, the key for ciphertext creation and the key for ciphertext decryption are different, and even if the key for ciphertext creation is open, the key for decryption can be obtained within a realistic time. It is widely believed that no. From the viewpoint of processing speed, common key cryptography is more advantageous.

A method of dividing data to be encrypted into blocks of an appropriate length and encrypting each block in order to construct a high-speed and secure common key encryption is called a block cipher. A typical configuration of the DES encryption as such an encryption method is shown in, for example, "Ikeno, Koyama:" Modern Cryptography ", Institute of Electronics, Information and Communication Engineers, pp.41-62, 1986".

Many common key ciphers including this DES cipher consist of a combination of substitution and permutation. A linear transformation on the ring R is often used to realize the permutation. For example, E2 encryption (for example, "Kanda," Proposal of 128-bit block cipher E2, "
IEICE, Information Security Study Group, ISEC98-1
2 ”, abbreviated as“ Literature E2 ”below)

[0005]

[Equation 4] Output data for input data (z ₁ , z ₂ , ..., z ₈ ) using
(z ₁ ', z ₂ ', ..., z ₈ ')

[0006]

[Equation 5] It is calculated by the product of matrices.

Several high-speed methods of realizing the permutation represented by the matrix P consisting of {0, 1} elements have been considered. For example, there is a document “Aoki, Ueda:“ Software implementation of E2, ”1999 Encryption and Information Security Symposium SCIS99-F1-2.2”. However, the above-mentioned document mainly describes only a high-speed implementation method in a 32-bit CPU mounting environment, and is not necessarily effective in an 8-bit CPU mounting environment used in a low-priced IC card. It was In other words, the 8-bit accumulator type CPU used in low-priced IC cards and the like has a hardware limitation that it is composed of an accumulator, a small number of general-purpose registers, and a small amount of memory. It is necessary to operate sequentially to realize the replacement.

In the following, in an implementation environment where one accumulator and a small number of general-purpose registers are used, input data
(z ₁ , z ₂ , ..., z ₈ ) is stored in memory, and after reading its input data and computing the permutation as above, the output data (z ₁ ', z ₂ ', Consider writing ..., z ₈ ') to memory. Here, in order to compare the efficiency of the processing speeds by the three conventional methods, three items, that is, the number of addition / subtraction operations, the number of memory readings, and the number of memory writings are evaluated. As a specific example, the replacement when the matrix P is used will be described. Further, as the replacement operation, an expression using the above matrix P
The operation of (2) shall be executed.

Conventional method 1: When the replacement by the equations (1) and (2) is sequentially performed as defined, the following calculation is performed.

Z ₁ '= z ₂ + z ₃ + z ₄ + z ₅ + z ₆ + z ₇ z ₂ ' = z ₁ + z ₃ + z ₄ + z ₆ + z ₇ + z ₈ z ₃ '= z ₁ + z ₂ + z ₄ + z ₅ + z ₇ + z ₈ z ₄ '= z ₁ + z ₂ + z ₃ + z ₅ + z ₆ + z ₈ z ₅ ' = z ₁ + z ₂ + z ₄ + z ₅ + z ₆ z ₆ '= z ₁ + z ₂ + z ₃ + z ₆ + z ₇ z ₇ ' = z _{2 + z 3 + z 4 +} z 7 + z 8 z 8 '= z 1 + z 3 + z 4 + z 5 + z 8 (3) required for this calculation process is subtraction 36th memory read 44 times memory write 8 times. In this method, the number of memory readings is equal to the total number of elements in which the elements of the matrix P are 1. Therefore, the processing amount increases as the number of elements that becomes 1 increases.

Conventional method 2: As a permutation operation method using the above matrix P, document E2 shows a method of performing the operation of the following equation using GF (2 ⁸ ) as a ring R.

[0012] _{a 5 = z 5 + z 1} b 1 = z 1 + a 7 z 5 '= a 5 + b 4 z 1' = b 1 + z 5 'a 6 = z 6 + z 2 b 2 = z 2 + a 8 z 6 _{'= a 6 + b 1 z} 2' = b 2 + z 6 'a 7 = z 7 + z 3 b 3 = z 3 + a 5 z 7' = a 7 + b 2 z 3 '= b 3 + z 7' a 8 = z _{8 + z 4 b 4 = z} 4 + a 6 z 8 '= a 8 + b 3 z 4' = b 4 + z 8 ' operation amount by this method is as follows.

Addition / subtraction 16 times memory reading 32 times memory writing 16 times This method is used when a large number of registers are used and addition instructions are orthogonal (addition instructions can be executed for all registers). , More effective than method 1. However, it has the following drawbacks.

(A) Since the characteristic of R is essentially 2, it cannot be applied when the characteristic is not 2.

(B) It is not always efficient depending on the mounting environment in which a large number of registers cannot be used.

(C) The amount of processing largely depends on the component structure of the matrix P.

Conventional method 3: Further, when the number of components is 1 as in the above matrix P, there is the following calculation method.

Σ = z ₁ + z ₂ ＋ z ₃ ＋ z ₄ ＋ z ₅ ＋ z ₆ ＋ z ₇ ＋ z ₈ z ₁ ′ ＝ σ−z ₁ −z ₈ z ₂ ′ ＝ σ−z ₂ −z ₅ z ₃ ′ ＝ σ−z ₃ −z ₆ z ₄ ′ = σ−z ₄ −z ₇ z ₅ ′ = σ−z ₃ −z ₇ −z ₈ z ₆ ′ = σ−z ₄ −z ₈ −z ₅ z ₇ ′ = σ−z ₁ −z ₅ −z ₆ z ₈ '= σ −z ₂ −z ₆ −z ₇ The amount of calculation by this method is as follows.

Addition / subtraction 27 times memory reading 36 times memory writing 9 times In this method, the number of elements of matrix P being 1 is about 6 of the total number.
If it is more than 50%, it will be more efficient than the method 1.

In any of the above-mentioned conventional methods 1 to 3, whether or not the replacement by the matrix P can be efficiently carried out depends on how the {0, 1} components of the matrix P are distributed. In particular, the processing amount is determined depending on the ratio of the number of components that become 1. That is, depending on the configuration of the matrix P, the method 1 may be efficient and the method 3 may be conversely efficient, so these methods cannot be said to be general-purpose. The branch point of which of these methods is more efficient is that the number of elements of the matrix P having 1 is about 60% or more of the whole.

In order to realize a secure permutation that can be used for encryption, it is desirable that the ratio of {0,1} components in the matrix P has a certain balance. For example, in the case of the matrix P used in the permutation of the E2 cipher, the ratio of components that become 1 is about 2/3. In the case of replacement by such a ratio, as described above, since the ratio is near the efficiency branch point, the number of memory readings is almost unchanged in any of the methods 1 to 3. Therefore, considering that memory reading and writing are generally several times slower than addition and subtraction, these methods have practically no effect on improving the processing speed. Even if it does, the execution speed of the replacement operation is slow.

[0022]

The present invention is based on {0,
In every permutation represented by the matrix P consisting of 1} elements, a memory is provided so that it can be applied to an implementation environment composed of an accumulator CPU including a small number of general-purpose registers and a small amount of memory. To reduce the number of readings of
The substitution computation is to provide a recording medium which records a substituted Starring SanSo location and the program can be speeded.

[0023]

According to the present invention, an input device is provided with an arithmetic unit including an accumulator type CPU and a register.
z ₁ , z ₂ , ..., z _n can be expressed by the following equation by an m × n matrix P having {0,1} given as elements.

[0024]

[Formula 6] It is a permutation arithmetic unit that substitutes with to obtain permutation data (z ₁ ', z ₂ ', ..., z _m '), and performs the following arithmetic operations. (a) For each replacement data z _j ', the following equation is calculated using the already calculated z _i ' . _{z j '= z i' +} D i was however, j ≠ i, i and j are 1 or m an integer, D _i
Is the difference D _i = z between the expressions representing the permuted data z _j 'and z _i ' defined by the matrix P using the input data z ₁ , z ₂ , ..., z _n.
j - Ru given by the 'z _i'. (b) Calculate z _j 'for all the above j.

[0025]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below.

In the calculation method as defined by the equation (3), each
Each time z _i 'is calculated, the result is discarded and a new z _i ' is added to obtain the next z _i '. However, since the definition formula for calculating each z _i 'includes multiple components common to other definition formulas for calculating z _j ' and may be similar to some extent, the value of z _i 'is Previous calculated value
available before the calculation result by 'by the difference D _i between the z _i' z _j representing a = z _j '+ D _i. This principle is used to reduce the number of memory readings.

First Embodiment In this first embodiment, z'i _{+ 1} = z '
_It is expressed as _i + D _i, and the replacement operation is performed by the following equation.

Z ₁ '= z ₂ + z ₃ + z ₄ + z ₅ + z ₆ + z ₇ z ₂ ' = z ₁ '+ z ₁ -z ₂ -z ₅ + z ₈ z ₃ ' = z ₂ '+ z ₂ -z ₃ + z ₅ −z ₆ z ₄ ′ = z ₃ ′ + z ₃ −z ₄ ＋ z ₆ −z ₇ z ₅ ′ = z ₄ ′ −z ₃ ＋ z ₄ −z ₈ z ₆ ′ = z ₅ ′ + z ₃ −z ₄ −z ₅ ＋ z ₇ z ₇ ′ ＝ z ₆ ′ −z ₁ ＋ z ₄ −z ₆ ＋ z ₈ z ₈ ′ ＝ z ₇ ′ ＋ z ₁ −z ₂ ＋ z ₅ −z ₇ (4) The required processing amount by this method is as follows. Is.

Addition / subtraction 32 times memory reading 33 times memory writing 8 times This result can reduce the number of times of memory reading by 25% as compared with the method 1 described in the prior art. Note that z '
Note that when calculating _{i + 1} , the value of z _i 'is in the accumulator, and the memory reading for that amount can be omitted.

For simplification of the description, this embodiment has been described by using the matrix P shown in the E2 cipher as a permutation, but the above examination is not limited to the above matrix P, and { It can be applied to all permutation operations expressed by a matrix consisting of 0, 1} elements. The general characteristics at that time are as follows.

First, the method 1 of the prior art requires it.
Read z _j (j = 1,2, ..., 8) and then each z _i '(i = 1,2, ..., 8)
Are seeking. Therefore, the total number of memory readings required in the method 1 is equal to the total number of the elements of the matrix P being 1. This means that the larger the total number of elements of the matrix P being 1, the larger the number of memory readings and the slower the execution speed.

On the other hand, in the first embodiment, if only z _j (j = 1,2, ..., 8), which is the difference between z ′ _{i + 1} and z ′ _i , is read, z ′ _{i + 1} becomes You can ask. In general, it can be expected that the difference between z ′ _{i + 1} and z ′ _i becomes smaller as the total number of the elements of the matrix P becomes 1 increases. Therefore, the larger the total number of the elements of the matrix P being 1, the smaller the number of memory readings, which means that the execution speed is improved.

Further, in the first embodiment, the conventional method 2
Unlike the above, there is no limitation on the method of realizing the matrix P, and it has versatility. When the total number of elements of the matrix P is 1 is extremely large, it is not obvious whether the first embodiment is superior to the conventional method 3.

Second Embodiment In the second embodiment, it has been described that z ′ _i is calculated sequentially from i = 1, but in actual implementation, z ′ _i (i = 1,2, ..., 8) ) Is a parallel notation, it is not necessary to calculate sequentially from i = 1. Therefore, the calculation processing amount can be reduced by using z _j 'where the difference D _{i from} z _i ' is small. For example, if you want to calculate z ₇ 'from z ₆ ', you have to read z ₁ , z ₄ , z ₆ , z ₈ but if you want to calculate z ₄ ', z ₅ , z ₇ , z ₈ It is only necessary to read in, and the number of memory readings can be reduced to 1 and the number of additions and subtractions to be reduced by 1.

In this way, by obtaining the calculation order of z _i 'so that the total number of the total differences, that is, the number of times of reading the memory is minimized, optimum execution becomes possible. The optimum calculation order when the matrix P of E2 encryption is used is as follows.

Z ₆ ′ = z ₁ ＋ z ₂ ＋ z ₃ ＋ z ₆ ＋ z ₇ z ₄ ′ ＝ z ₆ ′ ＋ z ₅ −z ₇ ＋ z ₈ z ₅ ′ ＝ z ₄ ′ −z ₃ ＋ z ₄ −z ₈ z ₃ ′ = _{z 5 '-z 6 + z 7} + z 8 z 8' = z 3 '-z 2 + z 3 -z 7 z 2' = z 8 '-z 5 + z 6 + z 7 z 7' = z 2 '-z 1 + z ₂ −z ₆ z ₁ ′ ＝ z ₇ ′ ＋ z ₅ ＋ z ₆ −z ₈ (5) The permutation calculation amount by this method is as follows.

Addition / subtraction number 25 times Memory reading number 26 times Memory writing number 8 times Therefore, the memory reading number is about 35 compared with the conventional method 1.
%, About 25% less than the conventional method 2.

In order to simplify the explanation, this embodiment has been described using the matrix P shown in the E2 encryption as the permutation calculation, but the above discussion is limited to the above matrix P. It is obvious that the present invention can be applied to all permutation calculations expressed by a matrix of elements of {0, 1}, rather than one. The general characteristics at that time are as follows.

Firstly, the second embodiment, since obviously it is improvements in the first embodiment, in terms of subtraction memory read and write times faster than the conventional method 1. In addition, conventional method 2
Unlike the above, there is no limitation on the method of realizing the matrix P, and it has versatility.

On the other hand, when the total number of the elements of the matrix P being 1 is large, it can be expected that an order is given so that the difference between z _i 'and z _j ' is small as a whole. Is achieved with the minimum number of memory reads. For example,
In the case of this second embodiment, there is an order in which three z _k's are read from memory to obtain z _i 'to z _j '. In general, it can be considered that the number of memory readings required to obtain z _i 'from σ in Conventional Method 3 is equal to or more than the minimum number of memory readings in the second embodiment. Therefore, in most cases, the total number of readings required to obtain all z _i '(i = 1,2, ..., 8) is smaller in the second embodiment than in the conventional method 3. You can think of it.

[0041] Figure 1 shows a configuration of a device for by that substitution operation on the first or second embodiment. Input data to be replaced
z ₁ , z ₂ , ..., z ₈ are held in the input data memory 221. The program memory 227 stores a program for executing the substitution calculation process of the formula (4) or the formula (5). According to the program, the control device 220 controls the address generator 226 that generates the address of the data sequentially read from the memory 221 and the address of the memory 222 to which the data obtained by the operation should be written, and at the same time, accumulator 224 and register 225. The addition / subtraction (or exclusive OR) control using is sequentially executed. Each calculation result z _i 'is held in the accumulator 224 or the register 225 or the temporary data memory 223 until it is used for the next calculation of z _j '.

In the above-mentioned first and second embodiments, an example of permutation calculation is shown when an 8 × 8 matrix is used as the matrix P.
When m and n are integers of 2 or more, m is generally used as the matrix P.
Using the × n matrix, the permuted output data (z ₁ ', z ₂ ', ..., z _m ') for the input data (z ₁ , z ₂ , ..., z _n ) are given in advance { An m × n matrix P whose elements are 0, 1} is given by

[0043]

[Equation 7] It is obvious that the present invention can be applied to the replacement operation represented by

[0044]

As described above, this embodiment is considered to have the smallest total number of memory reads, and memory read / write is generally slower than addition / subtraction, and address calculation and the like are included. Will be faster than any of the methods.

[Brief description of drawings]

FIG. 1 is a block diagram showing an embodiment of the present invention.

─────────────────────────────────────────────────── ─── Continuation of the front page (56) References Chu Yamamoto, Hidehisa Mizuno, Tsuru Fujiwara, Tadao Shige, Shu Lin, “A recursive maximum likelihood decoding algorithm for linear codes using the detailed structure of a section trellis diagram” , ”IEICE Technical Report (SST95-130 to 150), Japan, The Institute of Electronics, Information and Communication Engineers, March 19, 1996, Vol. 95, No. 595, p. 31-36 Masatoru Kanda, Shiho Moriai, Kazumaro Aoki, Hiroki Ueda, Miyako Okubo, Yoichi Takashima, Kazuo Ota, Tsutomu Matsumoto, "Proposal of 128-bit block code E2", IEICE technical research report ( IEC98-10-19), Japan, The Institute of Electronics, Information and Communication Engineers, July 30, 1998, Vol. 98, No. 227, p. 13-24 (58) Fields investigated (Int.Cl. ⁷ , DB name) G09C 1/00 650 G09C 1/00 610

Claims (4)

(57) [Claims] 1. An accumulator-type CP including a small number of general-purpose registers.
Input data z ₁ , z by an arithmetic unit including U and a small amount of memory
M having ₂ , ..., z _n as elements of {0,1} given in advance
× n matrix P It is a permutation operation unit that obtains the permutation data (z ₁ ', z ₂ ', ..., z _m ') by substituting with: the memory holding the above input data and the previously calculated permutation data z _i ' The following replacement data z _j 'is calculated using the following expression z _j ' = z _i '+ D _i using the storage means for storing and the replacement data z _i ' read out from the storage means, and the replacement data z _j '
Is stored in the storage means as replacement data z _i ' calculated last time , where j ≠ i , i and j are 1 or more m
The following integers, m and n are integers of 2 or more, and D _i is the replacement data z _j 'defined by the matrix P using the input data z ₁ , z ₂ , ..., z _n. Difference of each expression that represents z _i 'D _i = z _j '
- 'provided by, the replacement data z _j by the computing means' z _i control means for controlling repeated for all the j operations of substitution operation device including a city. 2. The permutation operation device according to claim 1 , wherein
The control means is j = i + 1 and i = 0,1, ..., m-1 in the order of z _j
A permutation arithmetic unit including means for calculating '. 3. The permutation operation device according to claim 1 , wherein
The control means previously obtains the total number of additions and subtractions required for the calculation of z _j 'for all of the m different orders of j, determines the order of j that gives the minimum total number, and the order is determined. A permutation arithmetic unit including a means for sequentially calculating the above z _j '. 4. A substitution according to any one of claims 1 to 3.
A program for operating a computer as a computing device
A computer-readable recording medium on which a ram is recorded.