JP5073635B2 - Cryptographic system and cryptographic program - Google Patents

Description

The present invention is a cryptographic system, relates 及 beauty encryption program, in particular, by sophisticated encryption processing, holds a hard high "secrecy" of decryption of the ciphertext, and prevent tampering of information and destruction " The present invention relates to a cryptographic processing system having three excellent functions of “integrity (integrity)” and “reliability” of information for preventing damage caused by “spoofing”.

  With the recent development of information communication technology and advanced functions of information communication devices, it has become active to send and receive data by connecting a plurality of computers to a communication line such as the Internet. Business use of electronic processing systems of financial institutions such as e-mails used as new communication means is also increasing. On the other hand, the use of so-called Internet shopping is increasing at home. When various types of information and data are transmitted and received in this way, there is a risk that information is illegally fraudulently obtained by a third party in the middle of the communication path. Therefore, sending and receiving important business information such as customer data, and personal information such as the orderer's address, name, and credit card number in online shopping can be fraudulent by a third party. Therefore, sending these pieces of information as they are through a communication line such as the Internet has a high risk of information leakage, which may be hesitant. Therefore, when various types of information and data are sent and received, the information is encrypted on the sender side, and the recipient side that has received the encrypted data performs decryption processing into plain text that can be recognized. Even if a variety of information sent over the line knows the key for decrypting the encrypted data even if it is obtained by a third party, the contents cannot be seen and the confidentiality and confidentiality of the communication contents are maintained. Is done.

  Cryptographic processing methods can be broadly divided into two types: symmetric key cryptography (common key cryptography) and asymmetric key cryptography (public key cryptography). In the case of the symmetric encryption method, the encryption key for encryption and the decryption key for decrypting the ciphertext and returning it to the plaintext are the same, and the sender side uses a secret key together with the ciphertext for confidentiality. It is necessary to send the message to the receiver side by some high technique (Diffe-Hellman key sharing method or the like). On the other hand, the public key cryptosystem uses a public key published together with the algorithm and a private key stored only by the decryptor, and the sender side encrypts the plaintext using the other party's public key, and the receiver side encrypts it. The ciphertext is decrypted with the secret key. Among the common key cryptosystems, there are generally known “stream cipher” and “block cipher”. The stream cipher is also called sequential cipher, and sequentially processes plaintext in units of 1 bit or 1 byte using the same key. For this reason, the same processing is repeatedly performed in 1-bit or 1-byte processing units, and there is a drawback that it is relatively easy to estimate the correspondence between plaintext and ciphertext. As a result, the possibility of decoding in a short time is suggested. In addition, “Burnum cipher”, which is a kind of stream cipher, uses a random number to generate a key with the same length as plaintext, and discards this key every time it is used. It is theoretically impossible for a third party to decipher. However, each process requires complicated processing to generate a long key with the same length as plain text, and there are many operational issues such as key generation, exchange, and management, which are not practical. .

  On the other hand, the block cipher is a method in which plaintext is divided into blocks each having a certain number of bits and cryptographic processing is performed on the blocks. At this time, it is extremely difficult to decipher the entire ciphertext even if the correspondence of a part of the encrypted data can be grasped by combining substitution processing, shift value processing, etc. for each block. , Confidentiality was ensured enough. However, due to recent improvements in computer analysis capabilities, a combination of the full search method (Brute Force Search (Attack)), which tries to combine all types of keys that can be assumed, and "differential cryptanalysis", "linear cryptanalysis", etc. As a result, it is possible to indicate the possibility of decryption or decryption from keys of hundreds to hundreds of billions of patterns, and the time required for decryption has been shortened year by year. For this reason, it was predicted that it could be decrypted in a practical time in the future, and complete confidentiality could not be guaranteed. In addition, the key to be used is often recorded on a semiconductor chip, and is read as necessary during encryption and decryption. A side channel attack that obtains a key by measuring information (side channel information) such as power consumption and execution time at this time and analyzing the result has been proposed. As a result, even if the key is recorded in the memory of the semiconductor chip, the key is decrypted by analyzing the signal waveform indicating the power consumption during the encryption process by side channel attack using simple power analysis or differential power analysis. The ciphertext can be decrypted (see, for example, Patent Document 1). For this reason, as a defense against such an attack, an encryption method, an encryption device, and an encryption program having high resistance against a side channel attack have been developed (see, for example, Patent Document 2).

JP 2001-268072 A JP 2008-141385 A

Cryptographic processing requires a function that guarantees the integrity of data in order to ensure the confidentiality and confidentiality of information through encryption, and to prevent the possibility of incorrect data being altered by a third party in the course of communication. Therefore, there is a need for reliability to prevent so-called “spoofing” by a third party. However, an encryption algorithm having these three functions and features has not been confirmed in the past, and there has been no encryption algorithm having the advantages of both the stream encryption method and the block encryption method. The present invention has been made in view of the above circumstances, in which the cryptographic system configured using the novel algorithm having both benefits of stream cipher and block cipher, to provide 及 beauty encryption program and an object.

  The encryption target data acquisition means, which is a configuration for solving the above problem, is for acquiring common key data and encryption target data of an arbitrary number of bytes. For example, the encryption creator inputs directly from a keyboard or the like. Or data obtained by reading data stored in a storage means such as a memory. The encryption target data may be either plain text or data subjected to at least one encryption process. The common key data and the encryption target data are each composed of an arbitrary number of bytes, and the first data is generated by dividing the total number of bytes obtained by adding both together by the radix. Here, the radix (or base) refers to a natural number N specified by a scale system, for example, N = 10 in the case of a decimal number and N = 8 in the case of an octal number. That is, it indicates the number (street) that can be represented by bits. For example, in the case of 3 bits, there are 8 octal numbers, and in the case of 4 bits, 16 hexadecimal numbers. The first data is specified as an integer value by rounding off the first decimal place.

  The data acquisition means acquires byte value data of a byte at an arbitrary position (for example, the most significant byte) constituting the common key data, and further, an arbitrary position specified by a bit constituting the arbitrary byte and The bit value data of the number of digits (for example, the last 3 digits) is acquired. When 1 byte = 8 bits, the value of the last three digits is the cube of 2, that is, any value from 0 to 7 is represented in binary. Byte value data or the like is an unpredictable value, and can be used as a random number for cryptographic processing by using this as a variable. Further, the dividing means compares the lengths of the respective bytes constituting the common key data and the data to be encrypted, divides one of the long bytes of data, and the other of the short bytes of the short data (common The divided data combined with the length of the number of bytes of the key data or the encryption target data) and the divided remainder data including the remainder are generated.

  Further, a value conversion process is performed in units of data or bytes based on the bit value data (value conversion means). For example, when the bit value data is n = 2, each byte (bit) is shifted by two (from the most significant side to the least significant side, etc.). Thereby, the arrangement of data and the like is shifted based on a predetermined value (bit value data). The value of the bit value data is an unpredictable value obtained from an arbitrary number of digits (lower 3 digits, etc.) of an arbitrary byte. After that, the divided data and the short data having the same number of bytes are subjected to a prescribed addition process, thereby generating addition data of the total number of bytes of the divided data and the short data. Here, since the addition order and arrangement order of the addition processing are arbitrarily defined based on the addition rule, it is difficult to predict the original value from each value of the addition data. For example, in the case of 8-bit addition processing, assuming that the values to be added are “A” and “B”, if A + B ≦ 255, the added value is directly obtained as the addition result, and if A + B> 255, A + B− A value of 255 is obtained as the addition result. That is, it is difficult to predict “A” and “B” from the addition results having a large number of combinations, and even if only the addition results leak to a third party, It is impossible to specify the value of “B”. The above assumes the case of 8 bits and the maximum carry value is 255. However, when 1 byte is X bits, the maximum value is represented by “2 to the power of X−1”.

  That is, the so-called “digit removal” processing of the carry is made, and the addition result itself becomes a value having an accidental meaning, making it difficult to decipher. At this time, in the addition process and the addition rule, arbitrary positions of the divided data and the short data (for example, the most significant byte of the divided data and the least significant byte of the short data) are set as reference points, and these are determined from the common key data. By calculating the obtained byte value data m and exclusive OR (XOR), it becomes impossible to decrypt unless the common key data itself is obtained, and the difficulty of decryption is further increased. In particular, since the position of the reference point cannot be assumed by a third party, it is more difficult to decipher. In addition, each bit value of the divided remainder data is inverted like “1” → “0”, “0” → “1”, and combined with the leading or trailing byte end of the added data, thereby sharing the common key. Encryption data having the same number of bytes as the total number of bytes obtained by adding the data and encryption target data is generated. As described above, the encryption process is constructed by the division process, the transposition process based on an arbitrary value (bit value data), the inversion process, the addition process, and the combination process. Even if it is leaked outside and decrypted, it is difficult to proceed with decryption of the entire encrypted data. In particular, when decrypting encrypted data, it is necessary to perform each process sequentially from the reverse, and if the order of the processes and the decryption process are not correct, the plaintext cannot finally be reached. Therefore, the encryption processing of encryption target data such as plain text by this system is sufficiently confidential.

  Furthermore, the number-of-times data acquisition means in the encryption system of the present invention acquires the number of repetitions of encryption processing as number-of-times data. Note that if the number of repetitions is large, decryption becomes more difficult, but the time required for each of the encryption and decryption processes increases, and it is preferable to specify practical number data. On the other hand, the second data generation means obtains second data by further dividing the generated first data by the radix. Here, the second data is obtained as an integer value obtained by rounding off the division result to the first decimal place. If the division result is less than 1, processing that approximates 1 may be performed. The value of the second data is used to specify the number of times to repeat the addition of the bit value data in order to determine the division position data. This value is also unpredictable and is introduced into the cryptographic process as a random value.

  Furthermore, the data designating means means that the common key data and the data to be encrypted (encrypted data) have the same number of bytes and cannot be divided based on the difference in the number of bytes, or the encrypted data is composed of an even number and is divided equally. Therefore, long data and short data cannot be specified by the length of the number of bytes. Therefore, by designating either one as long data and the other as short data, post-encryption processing can be performed. Note that the next process may be executed without performing such designation. The division position generation means obtains the integrated value of the first data and the bit value data, and further, arbitrary bytes (usually the most significant byte) for the number of times specified by the value of the second data generated in the obtained integrated value It shifts to the next position byte (for example, the lower byte) corresponding to the next position, and repeats the addition of the bit value data of the position byte to generate the divided position data. The most significant byte of the encrypted data by the encryption dividing means Alternatively, it is generated from the least significant byte side by dividing into long data and short data based on the division position data. In other words, the division position generation means performs the above-described process to divide again the encrypted data that has already been subjected to the cryptographic process at least once and repeat the cryptographic process. At this time, since the division position data is obtained using arbitrary bit value data, the division position of the encrypted data cannot be predicted.

  Furthermore, according to the encryption system of the present invention, in the decryption process, the reverse of the encryption process is performed using the common key data used for the encryption process, the encryption data to be decrypted, and the count data indicating the number of repetitions of the encryption process. By executing the processing in principle, it is possible to return to the encryption target data consisting of plain text. Here, it is necessary to pay particular attention to the delivery of the common key data to the decryption person, and it is necessary to perform a process for passing the common key data to only the decryption person as in the Diffie-Hellmann key exchange method. The encrypted data is theoretically difficult to decipher unless there is common key data, and may be sent by means (e-mail attachment file) that is highly available to a third party. Absent. In the decoding process, the decoded first data and the decoded second data are the same as the first data described above. Decrypted data acquisition means is for obtaining byte value data and bit value data as a reference for decryption, and acquires byte value data by comparing the number of repetitions with the length of the number of bytes of common key data. By specifying the position of the byte (number of bytes or extra bytes) (decryption data acquisition means) and obtaining the decryption position data based on this, the encrypted data is specified as the data before subtraction and the remainder of the decryption division remainder data, The range of decoding can be specified. Thereafter, it is possible to generate encrypted data as decrypted data by executing a subtraction process, an inverted value process, an inversion process, and a combining process, which are basically the reverse processes of the encryption process. If the obtained decrypted data is still subjected to encryption processing, it is possible to finally obtain decrypted data consisting of plaintext by repeating the above processing a specified number of times.

Also, the cryptographic program of the present invention, by activating the program, the encryption computer in the encryption system, advantages can be attained by the above-described encryption system.

  As an effect of the present invention, encrypted data having a high level of confidentiality can be created using common key data composed of an arbitrary number of bytes. At this time, the division of the common key data and the encryption target data, the acquisition of the first data, the transposition processing, and the division position of the encryption data are determined by arbitrary or unpredictable values, respectively, and thus the security of information is extremely high. Can be expensive. In particular, acquisition of byte value data and bit value data is an unpredictable accidental random number, and the use of such values for cryptographic processing can make it difficult to specify the division position. In addition, even if a part is found or decrypted by the digit processing during the addition process, it is extremely difficult to decrypt the entire encrypted data.

  Hereinafter, an encryption system 1 (hereinafter referred to as “system 1”) according to an embodiment of the present invention will be described with reference to FIGS. 1 and 2 are block diagrams showing a functional configuration related to encryption processing and decryption processing of the system 1 of this embodiment, and FIGS. 3, 4 to 6 and 7 show algorithms for encryption processing and decryption processing. FIG. 5 and FIG. 8 are flowcharts showing the flow of encryption processing and decryption processing. The system 1 is mainly configured by an encryption computer 2 (hereinafter referred to as “encryption PC 2”) constructed from a workstation having high processing capability. The encryption PC 2 can cause the encryption PC 2 to function as the system 1 by the encryption program 3 stored therein. As shown in FIGS. 1 and 2, the encryption PC 2 is roughly divided into an encryption processing function 4 related to encryption processing for converting plaintext into ciphertext and the like, and a decryption processing function 5 related to decryption processing for converting ciphertext to plaintext. It consists of two functions. The cryptographic processing function 4 (see FIG. 1) has, as a partial function, frequency data acquisition means 11 that acquires the frequency data RD indicating the number of repetitions of cryptographic processing. Proportion generation including encryption target data acquisition means 12 for acquiring encryption target data FD consisting of sentences, first data FA, and second data generation means 13 for generating second data SA from the first data FA Means 14, data acquisition means 15 for acquiring byte value data m and bit value data n from common key data K, and divided data DV and divided remainder data LO based on the number of bytes of common key data K and encryption target data FD. A dividing means 16 for generating a value, a value changing means 17 for converting the divided data DV in units of data based on the value of the bit value data n, and a part after the value processing. Adding means 18 for adding the data DV ′ and the short data SN (see FIG. 2) in accordance with a predetermined addition rule, and generating the sum data AD of the number of bytes obtained by summing the divided data DV ′ and the short data SN; The cipher generation means 21 is provided to invert the divided remainder byte LO and combine the generated inversion data IN with the byte end of the most significant byte 19a of the addition data AD to generate the cipher data E. In the dividing means 16, the common key data K and the encryption target data FD are configured with the same number of bytes, or the encrypted data E after encryption processing is divided into a pair of equally divided data EQ with the same number of bytes , One of the common key data K and the encryption target data FD or the equally divided data EQ is designated as the divided data DV, and the other is designated as the short data SN, the first data FA and the bit value data n. From the next position byte 23b corresponding to the next position of an arbitrary byte (the most significant byte 23a of the common key data K) for the number of times specified by the value of the second data SA generated in the obtained integrated value. Division position generation means 25 and division for generating division position data DP by repeating the transition to lower bytes 23c and 23d and addition of bit value data n of the lower bytes The encryption data E is divided from the least significant byte 24 side based on the position data DP, and has the encryption division means 27 for generating the long data LN (see FIG. 4) and the short data SN, and the encryption processing is performed by the acquired number of times data RD The encryption processing repeating means 28 for repeating the above is further provided.

  On the other hand, the decryption processing function 5 (see FIG. 2) of the encryption PC 2 includes the decryption target data acquisition means 30 for acquiring the common key data K, the encryption data E to be decrypted, and the number-of-times data RD, and the number of bytes of the encryption data E. Decoding ratio generation means 31 for generating decoded second data DS obtained by further dividing the decoded first data DF and decoded first data DF by the radix, and the number of repetitions by the number data RD When the number of bytes and the number of bytes of the common key data K are compared, and the number of bytes of the common key data K is the same as or larger than the number of times, the number of times is counted from the most significant byte 23a side of the common key data K. When the byte value data m and the bit value data n of the corresponding number of bytes 32 are respectively obtained, and the number of bytes of the common key data K is smaller than the number of times, the number of bytes is the number of bytes of the common key data. Decoding data acquisition means 34 for acquiring the byte value data m and bit value data n of the surplus byte 33 corresponding to the position obtained by dividing and calculating the surplus value calculated as the remainder from the most significant byte 23a side; Generate decoded position data FP calculated by repeatedly shifting the next position byte to the lower byte and adding bit value data n by the number of times specified by the value of decoded second data DS generated in one data DF. Based on the decryption position generation means 36, based on the decryption position data FP, the decryption / encryption splitting means 37 that divides the encrypted data E into the pre-subtraction data MD having the same number of bytes and the decryption split remainder data DL comprising the remainder, and the decryption position If the multiple of the data FP is larger than the number of bytes of the encrypted data E, the number of bytes of the encrypted data E is subtracted from the multiple of the decryption position data, and the obtained reduction The data is divided at the position counted from either the most significant byte 35 or the least significant byte of the encrypted data E according to the value to obtain the decrypted divided remainder data DL, and is divided from the decrypted divided data Db on the lower side of the encrypted data E. If the multiple of the decryption position data is specified as the decryption remainder data DL and the multiple of the decryption position data is smaller than the number of bytes of the encryption data E, the subtraction value obtained by subtracting the multiple of the decryption position data from the number of bytes of the encryption data E Is obtained by dividing the encrypted data E at the position counted from either the most significant byte 35 or the least significant byte to obtain the decrypted divided remainder data DL, and the decrypted data divided from the upper decrypted divided data Da of the encrypted data E Range designating means for designating as the division remainder data DL and designating the decryption division remainder data DL as zero when the multiple of the decryption position data and the number of bytes of the encrypted data E are equal 39, subtraction means 40 for subtracting the pre-subtraction data MD in accordance with a predetermined subtraction rule to generate divided data DV ′ and short data SN, and data unit or byte for the generated divided data DV ′. At least one of the units, a reverse value means 41 that performs a reverse value process in the reverse direction to the reverse value means 17 based on the bit value data n, and an inverse process for the divided decoded division remainder data DL for each bit to generate The divided division data LO is combined with either the most significant byte 42a or the least significant byte 42b of the divided data DV subjected to the conversion process, and the decrypted data DR of the common key data K or the encrypted data E is generated. And a decryption generation means 43 for performing the above.

  Note that each of the above means is stored in the encryption PC 2. Further, as a configuration common to both the encryption processing function 4 and the decryption processing function 5, the encryption PC 2 includes a storage means 44 composed of a semiconductor memory, an HDD, etc. related to storage processing including storage and temporary storage of various data. . In addition to the common key data K stored in advance, the storage unit 44 can store various data generated in the course of cryptographic processing and the like. Note that if data generated in the course of cryptographic processing or the like leaks, there is a high possibility that a third party can easily decrypt the data. Therefore, it is desirable that data or the like is temporarily stored in a volatile semiconductor memory (RAM or the like), and the data is quickly lost after the processing is completed. For this reason, the storage of the decrypted decrypted data DR may be restricted under certain conditions, and measures such as only displaying on the screen may be taken. The storage unit 44 has a configuration common to the encryption processing function 4 and the decryption processing function 5, and FIGS. 1 and 2 respectively extract data used for the encryption processing and the decryption processing, and decrypt other data. The related information 6 and the encryption related information 7 are collectively shown. Further, some data temporarily generated in each process is not shown.

  In addition, the encryption PC 2 includes an operation unit 45 including an operation terminal such as a keyboard and a mouse for performing various commands, operations, data input, and the like, and the progress of the encryption process and the decryption process. And display means 46 including a display device such as a liquid crystal display for displaying a screen so that the situation can be confirmed, and finally the encrypted data E or the decrypted decrypted data DR can be visually confirmed. Has been. In addition to such a configuration, a configuration including a technical configuration of a known peripheral device used in a normal server or a personal computer may be used.

  Next, specific examples of encryption processing and decryption processing by the system 1 will be described based on schematic diagrams of FIGS. 3, 4, 6, and 7, and flowcharts of FIGS. The system 1 illustrates an example in which encryption target data FD composed of plain text to be encrypted having a byte number length of 5 bytes is encrypted with the common key data K having a byte number length of 8 bytes. The number of times the encryption process is repeated (the value of the number data RD) is set as “5”, and the encryption process and the decryption process are repeated five times. The number of repetitions is within a practical range in the encryption PC 2 having a high processing capability, and it does not require much time for encryption processing and decryption processing. In the present embodiment, the encryption process and the decryption process are performed in one encryption PC 2, but the present invention is not limited to this, and the encryption process and the decryption process each have a single function. It is also possible to use a computer capable of encryption (encryption computer and decryption computer). In this case, the encryption program 3 needs to be constructed as two programs in which the encryption processing function 4 and the decryption processing function 5 are separated from each other. For other conditions, "8" (octal number, 8 types) is used as the radix, 1 byte is composed of 8 bits, and the value of 1 byte is between 0 and 255 depending on "2 to the 8th power". The value of

  First, the data K or the like directly input by the operation means 45 is received, and three data necessary for the encryption process of the common key data K, the encryption target data FD, and the number of times data RD are acquired (encryption target data acquisition step: Step S1 (see FIG. 3A)). One square square in FIG. 3A represents one byte, and the left side of the drawing represents the upper byte and the right side represents the lower byte. After acquiring the three pieces of data K and the like, the encryption PC 2 generates the first data FA and the second data SA (ratio generation process: step S2). Specifically, the total number of bytes (13 bytes) obtained by adding the number of bytes of the common key data K (8 bytes) and the number of bytes of the encryption target data FD (5 bytes) is divided by the base (8) per byte. Thus, the first data FA is generated (see FIG. 3A). Here, from the calculation formula “13 ÷ 8 = 1.625”, “first data FA = 1.625”. In the present embodiment, processing that approximates an integer as “≈2” is performed by rounding off the first decimal place. On the other hand, the second data SA is obtained by further dividing the first data FA by the radix (8) (see FIG. 3A). In this case, “2 ÷ 8 = 0.25”, and the value of the second data SA is 1 or less. When the value of the second data SA is 1 or less, the second data SA needs to be at least 1 or more, and therefore the second data is incremented to “1”. On the other hand, when 1 or more 2nd data SA are produced | generated, the process which rounds off the first decimal place similarly to 1st data FA is performed.

  Further, using another example, when the total number of bytes is 120 bytes, the first data FA is “120 ÷ 8 = 15”, while the second data SA is “15 ÷ 8 = 1.8145. Is generated as ≈2 ". Here, the second data SA is used as a value of the number of times of processing when performing a division process based on bit value data n described later. That is, when the second data SA is “2”, the division range can be adjusted twice. That is, it is possible to perform processing for adding bit value data n up to twice. Due to the above, the first data FA and the second data SA required for the length of the total number of bytes are different, and the division position data DP calculated using them changes based on the second data SA. Even if the common key data K is the same, it is difficult to predict the position where the encrypted data E described later is divided. Then, the value of the most significant byte (see FIG. 3B) at the left end of the common key data K is acquired as byte value data m, and a bit value (here, the arbitrary number of digits of the most significant byte 23). , The lower 3 bits) is acquired as bit value data n expressed in octal (data acquisition step: step S3). In the present embodiment, processing is performed assuming that a value of “n = 2” has been acquired.

  Here, the byte value data m and the bit value data n are lower positions (right adjacent) from the position where the byte value data m is acquired (here, the most significant byte 23a) when the encryption processing described later is repeated. , The byte value data m and the bit value data n are acquired from the next position byte 23b, and the value m, n is transferred to the lower bytes 23c, 23d,. To get. In addition, after reaching the least significant byte of the common key data K by a plurality of encryption processes, the process returns to the most significant byte 23a again and the process is repeated. Thereafter, the encryption PC 2 performs a process of determining a target range for executing the encryption process. Note that step S4 is a process when the cryptographic process is performed a plurality of times. When the number of processes is the first, the short byte data SN and the long byte data LN (first time are generated without generating the division position data DP. In this case, the process proceeds to the process of step S5 for comparing the lengths of the common key data K and the encryption target data FD). Specifically, the lengths of the common key data K and the encryption target data FD (here, 8 bytes and 5 bytes) are compared (step S5). If the number of bytes of the common key data K and the encryption target data FD are different (YES in step S5), either one of the long data LN (in this case, the 8-byte common key data K is equivalent). ) Are divided into two and divided data DV corresponding to the number of bytes of one of the other short data (here, equivalent to 5-byte encryption target data FD) and the number of bytes corresponding to divided data DV from long data LN Is generated (division step: step S6 (see FIG. 3C)). That is, the divided data DV is composed of the same number of bytes (5 bytes) as the encryption target data FD as the short data SN. On the other hand, the remaining divided data LO is “8−5 = 3”, which is 3 It will consist of bytes. Here, when the common key data K and the encryption target data FD are configured with the same number of bytes (NO in step S5: for example, when both are 8 bytes), there is no difference between them, so the common key Either one of the data K and the encryption target data FD is forcibly designated as the long data LN (divided data DV), and the other is forcibly designated as the short data SN (data designation step: step S7). The same processing is performed when the later-described encrypted data E is divided into a pair of equally divided data EQ having the same number of bytes. In such a case, since there is no difference in the length of the number of bytes, the long data LN is not divided, and the number of bytes of the division remaining data LO is zero. Thereafter, the process proceeds to step S8. In this case, the inversion process may be canceled and the direct addition process may be performed (see the broken line in FIG. 5).

  The encryption PC 2 performs the conversion process on the divided or designated divided data DV based on the bit value data n (= 2) in units of data or bytes (inversion process: step S8 (FIG. 3 (d) Here, as shown in FIG. 3D, the shift value process (shift process) shifts the value in one byte to the right by n (= 2) (two-bit right shift). At this time, the bit value data n serving as a reference for the transposition processing is extracted as a bit value having an arbitrary number of digits from the byte value data m of the common key data K, and is predicted by a third party. Therefore, the third party cannot know the value of the original divided data DV before the transposition process unless the common key data K is acquired. For transposition processing based on bit value data n In this case, the transposition processing is not performed in units of bytes as described above, but may be performed in units of bits or the like. The divided data DV ′ and the short data SN that have been subjected to the inversion process are added according to a predetermined addition rule, and the divided data DV may be changed. '(Or short data SN) is generated as addition data AD having the number of bytes twice (addition step: step S9 (see FIG. 4A)). Here, an example of the addition rule is shown in FIG. For example, the position and value of each byte of the divided data DV ′ consisting of 5 bytes are set as A, B, C, D, E sequentially from the front (from the left side of the page), while the short data SN in order from the front , G, H, I, J. Thus, the generated addition data AD (number of bytes = 10) is a, b, c, d, e, f, g, h, It shall be expressed as i and j, respectively, and will be described according to the above rules.

<Addition rules>
(1) Using “A” of the divided data DV ′ as a reference point, the byte value data m of the common key data K and the exclusive OR (XOR) are calculated, and the calculation result is input as a of the addition data AD. / (2) Using “J” of the short data SN as a reference point, the byte value data m of the common key data K and the exclusive OR (XOR) are calculated, and the calculation result is input as b of the addition data AD. / (3) Add D and F and input the addition result as c. / (4) Add G and E and input the addition result as d. / (5) Add C and G, and input the addition result as e. / (6) Add H and D and input the addition result as f. / (7) Add B and H and input the addition result as g. / (8) Add I and C and input the addition result as h. / (9) Add A and I, and input the addition result as i. / (10) Add J and B, and input the addition result as j.

  Thereby, the addition data AD in which the reference value a and the reference value b shown in FIG. 4B are respectively input to the most significant byte 19a and the next position byte 19b is generated. Here, in the above addition process, the value of i of the addition data AD has been found for the two values of the divided data DV ′ side value (for example, A) and the short data SN side value (for example, I). However, it cannot be estimated easily. That is, in the addition processing of the present embodiment, when each sum is 255 or more, since the digit removal processing is performed in which the number obtained by subtracting 255 from the sum is input as the addition result, There are many values, and their identification is very difficult. That is, when A + I ≦ 255, the input addition result is the value of “A + I” as it is. On the other hand, when A + I> 255, the input addition result is “A + I-255”. As a result, even if the value of “i” of the addition result is known by a third party, the possibility of combination of “A” and “I” is enormous, and it is difficult to specify both. . Thereafter, before the most significant byte 19a (position “a”) of the obtained addition data AD, the value of the division remainder data LO is inverted (“1” → “0”, “0” → “1”). The inverted data IN thus connected is connected, and the encrypted data E is completed (encryption generation step: step S10 (see FIG. 4C)).

  Thereby, the encryption data E having sufficiently high confidentiality is completed. However, in order to further improve confidentiality, the encryption process is repeated according to the number of repetitions indicated in the number-of-times data RD. That is, when the number of repetitions of the encryption process is smaller than the number of times indicated by the number of times data RD (YES in step S11), the process returns to step S3, and after acquiring byte value data m and bit value data n ( Step S3), the division position data DP is generated from the encrypted data E (division position generation step: step S4), the short byte data SN and the long byte data LN are compared (step S5), the division data DV, the division remainder data LO, And short data SN (step S6). More specifically, a process of dividing the encrypted data E from the right (least significant byte) is performed using the first data FA and the second data SA that have already been obtained. First, an integrated value obtained by adding the first data FA to the bit value data n is obtained, and the addition of the bit value data n is repeated for the number of times specified by the value of the generated second data SA, thereby dividing the position. Data DP is generated. For example, when the first data FA is “2”, the current bit value data n is “2”, and the second data SA indicating the number of addition processes is “1”, the integrated value is “2 × 2 = 4”. It becomes. Further, since the addition process is performed once with the second data SA, the bit value data n in the next position byte 23b is obtained, and since “n = 1”, “4 + 1 = 5” becomes the divided position data DP. Become. Therefore, by dividing the encrypted data E at the position of 5 bytes from the right, the long data LN (= 8 bytes) and the short data SN (= 5 bytes) related to the encryption processing are generated (FIG. 4D). reference). This makes it possible to repeat the steps related to the encryption processing a predetermined number of times. At this time, since the position where the encrypted data E is divided differs depending on the bit value data n and the first data FA that are obtained for each number of repetitions, it is difficult to predict. Therefore, it is possible to generate encrypted data E that is difficult to decipher. If the number of times data RD is the same as the number of encryption processes (NO in step S11), the final encrypted data E is completed and the encryption process is completed (step S12). By the above encryption process, the randomness based on the common key data K, the randomization by the transposition process, the inability to determine the reference value by the addition rule, the encryption excluding the reference value, and the duplicate encryption process for these By doing so, it is possible to perform strong encryption and randomization processing, and it is possible to construct a system 1 that is difficult for a third party to decipher.

  Next, the flow of decoding processing in the system 1 of the present embodiment will be described. Here, in the process of decrypting the encrypted data E into the original plaintext, those having the same configuration as the encryption process, or simply performing the reverse process are given the same numbers to simplify the description. Detailed description will be omitted. First, the common key data K, the encrypted data E that is the decryption target data, and the number-of-times data RD indicating the number of encryption processes are obtained (decryption target data acquisition step: step T1 (see FIG. 6A)). Then, the decrypted first data DF obtained by dividing the number of bytes of the encrypted data E by the radix (= 8) and the decrypted second data DS obtained by dividing the decrypted first data DF by the radix are generated (decryption ratio generating step: step T2). ). Since the generation process is substantially the same as the generation process of the first data FA and the second data SA, the description thereof is omitted here. Furthermore, the number of repetitions specified by the number data RD (here, “5”) is compared with the number of bytes of the acquired common key data K, and the number of bytes of the common key data K is the value of the number of processes. Is equal to or larger than the byte value data m and the bit value data n of the number of bytes 32 corresponding to the position where the number of times is counted from the most significant byte 23a of the common key data K specified by the value of the number of processes. On the other hand, when the number of bytes of the common key data K is smaller than the number of times, the number of times is divided by the number of bytes of the common key data K, and the value calculated as the remainder (residue value) is counted from the most significant byte 23a. The byte value data m and the bit value data n of the extra byte 33 corresponding to the position are respectively acquired (decoded data acquisition step: step T3). Here, in the case of the present embodiment, since the count value is “5” and the number of bytes of the common key data K is “8”, the former processing is performed, and five bytes are counted to the right from the most significant byte 23a. The byte value data m and the bit value data n of the byte at the position (number of bytes 32) are acquired.

  Then, using the acquired byte value data m and bit value data n, the decoding position data FP is generated (decoding position generation step: step T4), and the number of bytes of 13 bytes (in the case of iterative decoding, the long data LN and A decryption range in the encrypted data E composed of the new decryption target data obtained by combining the short data SN in a prescribed order is designated (range designation step: step T5). Note that the generation of the decryption position data FP is substantially the same as the generation of the divided position data DP described above in the encryption process, and thus the description thereof is omitted here. Then, based on the value generated as the decryption position data FP, the range of decryption processing in the encrypted data E is determined. Here, based on the decryption position data FP, the encrypted data E is divided into pre-subtraction data MD and decryption division remainder data DL comprising the remainder. That is, as shown in FIG. 6B, when the bit value data n is “2”, the decoded first data DF is “2”, and the decoded second data DS is “1”, the generated decoding position The data FP is “5”. Then, by comparing the multiple of the decryption position data FP and the length of the encryption data E by the method described later, the encryption processing range and the decryption division extra byte DL are determined. From this, the data is divided into a pair of decoded divided data Da, Db divided by 5 bytes and a decoded divided redundant byte DL of 3 bytes consisting of the remainder. Further, in such a process, it is determined whether the pair of decrypted divided data Da and Db divided from the least significant byte is the common key data K or the encryption target data FD (step T5). Here, when the length of the encrypted data E is smaller than a multiple of the generated decryption position data FP, “the multiple of the decryption position data FP−the number of bytes of the encrypted data E” from the most significant byte 35 of the encrypted data E. Is determined as being divided from the decryption division data Db on the right side of the encryption data E, while the length of the encryption data is determined to be the generated decryption data DL. If it is larger than a multiple of the position data FP, the byte number of the difference of “the number of bytes of the encrypted data E−multiple of the decrypted position data FP” from the most significant byte 35 of the encrypted data E is designated as the decryption division remainder data DL, Further, it is determined that the encrypted data E is divided from the decrypted divided data Da on the left side. That is, in the former case, the right side decoded divided data Db is shown to be larger, while in the latter case, the left side decoded divided data Da is shown to be larger. Decoded divided data Da and Db to which the data DL belongs are determined. Thereafter, a subtraction process based on the subtraction rule is performed from the generated pre-subtraction data MD (subtraction process: step T6 (see FIG. 7A)). In the case of the present embodiment, when generating the addition data AD in the encryption process, the reference value a and the reference value b are added to the most significant byte 19a and the next position byte 19b of the addition data AD in the addition rules (1) and (2). Enter and set. That is, as described above, although it is difficult to derive each value by a simple subtraction process, by obtaining the common key data K and the byte value data m, the position of the reference value a and the reference value b and A value can be specified, and based on this, each value can be subtracted to generate divided data DV ′ and short data SN. The subtraction rule is illustrated in FIG. 7A and is basically the reverse operation of the addition process, and thus the description thereof is omitted.

  Thereafter, in the range designating step (step T5), the designated decoded divided remainder data DL is inverted to each bit to return to the original divided remainder data LO, and the divided data DV ′ obtained by the subtraction process is further converted. Inversion processing is performed in the opposite direction to the encryption processing to obtain divided data DV (inversion value process: step T7 (not shown)). Then, the divided data DV (Da or Db specified by the range designating step) and the divided remainder data LO are combined to generate decoded data DR (decoded generation step: step T8 (see FIG. 7B)). Thereby, one of the obtained long data LN and short data SN is the common key data K, and the other is the encryption target data FD. If the encryption processing is performed a plurality of times by the number-of-times data RD, the above-described decryption processing is repeated based on the number-of-times data RD (see the broken line arrow in FIG. 8), and finally the decrypted data DR consisting of plaintext. And the decoding process is completed. The repetition of the decoding process is not shown in order to simplify the description. At this time, simultaneously with obtaining the decrypted data DR, the system 1 of the present embodiment also generates the common key data K used for the encryption processing. Therefore, decryption is performed by comparing the common key data K (decryption key) given to the decryptor for the decryption process and the common key data K (generated key) generated in the course of the decryption process. The completeness and reliability of processing can be confirmed. That is, when the encrypted data E has been tampered with by a third party, even if the correct common key data K is used, it is not restored to the original encryption target data FD, and each common after decryption processing It is recognized that the key data K is completely different. That is, the possibility of information falsification can be recognized. Therefore, according to the system 1 of the present embodiment, it has high confidentiality that is not deciphered by a third party, and the integrity of data due to the absence of information falsification due to the comparison of the common key data K, and this The reliability of information based on

  While the present invention has been described with reference to the preferred embodiments, various improvements and design changes can be made without departing from the scope of the present invention. That is, a parameter related to time may be added to the encryption process to set an effective time related to the maintenance of the encrypted data E. As a result, it is possible to place a time restriction on decoding. The encrypted data E is strongly randomized based on the common key data K and the encryption target data FD, and the encrypted data can be used as a kind of the common key data K. For this reason, the Diffie-Hellmann key exchange method is adopted, the common key data K encrypted by the present system is acquired, and there is a possibility that the Vernam cipher can be easily processed with an arbitrary size. In this case, it is possible to create a large number of common keys that are not restricted by the length of the key, and the original data for exchanging keys and creating random numbers is simply data that has no meaning originally. The common key can be exchanged relatively freely. Therefore, it is possible to simplify the key exchange procedure as compared with the prior art. Further, the cryptographic processing system 1 of the present invention is not limited to the use related to the transmission / reception of data between terminals via a general Internet, for example, the transmission / reception of data between mobile phones, and the conventional SSL, etc. Therefore, it is possible to easily change from the system that has been performing the cryptographic processing, and application in a wide range of fields can be expected.

It is a block diagram which shows the functional structure which concerns on the encryption process of an encryption system. It is a block diagram which shows the functional structure which concerns on the decoding process of an encryption system. It is explanatory drawing which shows the algorithm of an encryption process typically. It is explanatory drawing which shows the algorithm of an encryption process typically. It is a flowchart which shows the flow of the encryption process in encryption PC. It is explanatory drawing which shows the algorithm of a decoding process typically. It is explanatory drawing which shows the algorithm of a decoding process typically. It is a flowchart which shows the flow of the decoding process in encryption PC.

Explanation of symbols

1 system (encryption system)
2 Encryption PC (encryption computer)
DESCRIPTION OF SYMBOLS 3 Cryptographic program 11 Time count data acquisition means 12 Encryption object data acquisition means 13 Second data generation means 14 Ratio generation means 15 Data acquisition means 16 Division means 17 Transfer value means 18 Addition means 21 Encryption generation means 22 Data specification means 25 Data location means 25 Means 27 Encryption division means 28 Encryption processing repetition means 30 Decryption target data acquisition means 31 Decryption rate generation means 34 Decryption data acquisition means 36 Decryption position generation means 37 Decryption encryption division means 39 Range designation means 40 Subtraction means 41 Reverse value means 43 Decryption Generation means

Claims (5)

  Encryption key data acquisition means for acquiring common key data composed of an arbitrary number of bytes and plaintext or encryption target data subjected to encryption processing, and the number of bytes of the common key data and the encryption target data A ratio generating means for generating first data obtained by summing and dividing the obtained total number of bytes by a radix, byte value data of an arbitrary byte at an arbitrary position of the common key data, and an arbitrary number of digits of the arbitrary byte The data acquisition means for acquiring the bit value data is compared with the common key data and the encryption target data, the long data having either one of the long bytes is divided, and the other is the short having the short number of bytes. Dividing means for generating divided data according to the number of bytes of data and the remainder of the divided data, and the divided data as data units or byte units. At least one of the above, a value conversion means for performing a value conversion process based on the value of the bit value data, an addition process according to a specified addition rule for the divided data and the short data subjected to the value conversion process, Addition means for generating addition data having the total number of bytes obtained by dividing the divided data and the short data, the division remainder data is inverted for each bit, and the generated inverted data is converted into the most significant byte or the least significant byte of the addition data. A cryptographic system comprising cryptographic generation means coupled to any one byte end of the bytes to generate cryptographic data.   The encryption target data acquisition means further includes number-of-times data acquisition means for acquiring number-of-times data indicating the number of repetitions of encryption processing, and the ratio generation means further divides the first data by the radix. A second data generation unit configured to generate two data, wherein the dividing unit is configured such that the common key data and the encryption target data are configured with the same number of bytes, or the encrypted encryption data is the same. When dividing as a pair of equally divided data of the number of bytes, either one of the common key data and the encryption target data or the equally divided data is designated as the divided data, and any other is designated as the short data. The data designation means is designated by the value of the second data generated by integrating the first data and the bit value data and generating the obtained integrated value. Based on the divided position data and divided position generation means for generating divided position data by repeating the transition to the next position byte corresponding to the next position of the arbitrary byte and the addition of the bit value data of the position byte by the number of times. The cryptographic system according to claim 1, further comprising: a cryptographic processing repeating unit having a cryptographic dividing unit that divides the cryptographic data and generates the long data and the short data.   Decryption target data acquisition means for acquiring the common key data, the encryption data to be decrypted, and the number-of-times data; first decryption data obtained by dividing the number of bytes of the encryption data by the radix; and A decryption ratio generating means for generating decrypted second data obtained by further dividing one data by the radix, a number value based on the number data and a number of bytes of the common key data, and a number of bytes of the common key data Is the same as or larger than the number value, the byte value data and the bit value data of the number of bytes corresponding to the position where the number value is counted from the arbitrary byte of the common key data are obtained, When the number of bytes of the key data is smaller than the number of times, the number of times is divided by the number of bytes of the common key data, and the remainder calculated as the remainder is the arbitrary buffer. Decoding data acquisition means for acquiring the byte value data and bit value data of the surplus bytes corresponding to the positions counted from the data, and adding the bit value data to the decoded first data, and obtaining the decoded integrated value For the number of times specified by the value of the generated decoded second data, the transition of the next byte of the number byte or the extra byte from which the bit value data has been acquired to the next position byte and addition of the bit value data are performed. Decryption position generation means for repeatedly generating decryption position data, and if the multiple of the decryption position data is larger than the number of bytes of the encrypted data, subtract the number of bytes of the encrypted data from the multiple of the decryption position data, Divide at the position counted from either the most significant byte or the least significant byte of the encrypted data by the obtained subtraction value, and from the least significant byte side When it is divided, it is designated as the decryption remainder data divided from the lower side of the encrypted data. On the other hand, when it is divided from the most significant byte side, the decryption remainder data is divided from the upper side of the encrypted data. If the multiple of the decryption position data is smaller than the number of bytes of the encryption data, the multiple of the decryption position data is subtracted from the number of bytes of the encryption data, the obtained subtraction value of the encryption data Dividing at the position counted from either the most significant byte or the least significant byte, and when dividing from the least significant byte side, specify as the decryption division remaining data divided from the upper side of the encrypted data, When the data is divided from the most significant byte side, it is designated as the decryption division remaining data divided from the lower side of the encrypted data, and the decryption position data When the multiple and the number of bytes of the encrypted data are equal, range designation means for designating the decryption remainder data as zero, and based on the decryption position data and the range designation means, the encrypted data is subtracted from the data, and A decryption / encryption division unit that divides the data into the decryption division remainder data, and a subtraction unit that subtracts the pre-subtraction data according to a predetermined subtraction rule to generate the divided data and the short data; Inverted value means for performing reverse value processing in the opposite direction to the inverted value means based on the bit value data in at least one of data units and byte units for the divided data, and the divided decoding division The surplus data is inverted for each bit, and the generated segmented surplus data is converted into the most significant byte or the least significant byte of the segmented data that has been transcoded. Re or bonded to one byte end, the common key data or cryptographic system according to claim 1 or claim 2, characterized in that it comprises a decoding generating means for generating a decoded data of the encrypted data. Encryption target data acquisition means for acquiring common key data composed of an arbitrary number of bytes, plaintext or encryption target data to be encrypted, and number of times data indicating the number of times of encryption processing, the common key The data and the number of bytes of the data to be encrypted are added together, and the first data obtained by dividing the obtained total number of bytes by the radix and the second data obtained by further dividing the first data by the radix are generated. Ratio generation means , data acquisition means for acquiring byte value data of an arbitrary byte at an arbitrary position of the common key data, and bit value data of an arbitrary number of digits of the arbitrary byte, the common key data and the encryption target data are compared. , One of the long data having a long number of bytes is divided, and the other is divided data according to the number of short data bytes having a short number of bytes And the shared key data and the encryption target data are configured with the same number of bytes, or the encrypted encrypted data is used as a pair of equally divided data with the same number of bytes. Data specifying means for specifying any one of the common key data and the encryption target data or the equally divided data as the divided data and specifying the other as the short data when dividing, and the first The data and the bit value data are integrated, and the transition to the next position byte corresponding to the next position of the arbitrary byte and the position are the number of times specified by the value of the second data generated in the obtained integrated value based on the dividing position generating means and the division position data to generate the division position data by repeating the addition of the bit value data bytes Wherein dividing the encrypted data, the length data and the divided data generation means and a cryptographic processing repeating unit having an encryption dividing means for generating the short data, the divided data in at least one of the data units or bytes, A transposition means for performing a transposition process based on the value of the bit value data, an addition process of the divided data and the short data subjected to the transposition process in accordance with a predetermined addition rule, and the divided data and the short data Addition data generation means for generating addition data having the total number of bytes, and the division remainder data is inverted for each bit, and the generated inverted data is either the most significant byte or the least significant byte of the addition data. bonded to one byte end, as the encryption generating means for generating encrypted data, the encryption-flop, characterized in Rukoto to function cryptographic computer Program . Decryption target data acquisition means for acquiring the common key data, the encryption data to be decrypted, and the number of times data, first decryption data obtained by dividing the number of bytes of the encryption data by the radix, and the first decryption Decryption ratio generation means for generating second decryption data obtained by further dividing the data by the radix, a number value indicating the number of repetitions of encryption processing based on the number of times data, and the number of bytes of the acquired common key data When the number of bytes of the common key data is equal to or larger than the number of times, the byte value data and the bit value of the number of bytes corresponding to a position obtained by counting the number of times from the arbitrary byte of the common key data On the other hand, if the number of bytes of the common key data is smaller than the number of times value, the number of times is divided by the number of bytes of the common key data, and the remainder Decoded data acquisition means an extra value calculated to acquire the byte value data and the bit value data over bytes corresponding to the position counted from the arbitrary byte Te, integrated the bit value data to said decoded first data The transition to the next position byte of the next position of the number of bytes or the surplus bytes that acquired the bit value data by the number of times specified by the value of the decoded second data generated in the obtained decoded integrated value And decryption position generation means for repeatedly generating addition of the bit value data to generate decryption position data, and when the multiple of the decryption position data is larger than the number of bytes of the encryption data, the encryption data is calculated from the multiple of the decryption position data. The number of bytes is subtracted, and the obtained subtraction value is divided at the position counted from either the most significant byte or the least significant byte of the encrypted data. When the data is divided from the least significant byte side, it is designated as decryption remainder data divided from the lower side of the encrypted data. On the other hand, when it is divided from the most significant byte side, it is divided from the upper side of the encrypted data. If the multiple of the decryption position data is smaller than the number of bytes of the encrypted data, the multiple of the decryption position data is subtracted from the number of bytes of the encrypted data. Dividing at a position counted from either the most significant byte or the least significant byte of the encrypted data according to a value, and when dividing from the least significant byte side, the decryption division divided from the upper side of the encrypted data On the other hand, when the data is divided from the most significant byte side, it is designated as the decryption divided remainder data divided from the lower side of the encrypted data. When the multiple of the decryption position data is equal to the number of bytes of the encrypted data, the encryption is performed based on the range designating means for designating the decryption remainder data as zero, the decryption position data, and the range designating means. Decryption / encryption dividing means for dividing data into pre-subtraction data and the decryption-partitioned remainder data comprising the remainder, and subtracting the pre-subtraction data in accordance with a predetermined subtraction rule to generate the divided data and the short data subtraction means for, with respect to generated the divided data, at least one of the data units or bytes, reversing value means for processing the rolling value to the rolling value means the opposite direction based on the bit value data, and division The decoded divided remainder data is inverted for each bit, and the generated divided remainder data is converted to the highest order byte of the divided data that has been transposed. Or bonded to any one of the byte ends the least significant byte, the common key as the data or decoding generating means for generating a decoded data of the encrypted data, according to claim 4, characterized in Rukoto further function the encrypted computer The encryption program described in .

Images