JP5319209B2 - Apparatus, method and program for scheduling key used in encryption - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a key scheduling apparatus for executing arithmetic key schedule operation securely for fault-utilized analysis, while avoiding increase in computational complexity for computing additional information or the like. <P>SOLUTION: The key scheduling apparatus includes: a first storage unit 320 for storing a plurality of round keys corresponding to a plurality of rounds, respectively; an arithmetic unit 311 for acquiring an update target key representing either the plurality of round keys stored in the first storage unit 320 or a part of at least one of the plurality of round keys for each predetermined processing cycle and calculating the round key of a round next to the round of the acquired update target key on the basis of the acquired update target key; and an updating unit 312 for updating the update target key in the first storage unit 320 while using the calculated round key for each processing cycle. <P>COPYRIGHT: (C)2010,JPO&amp;INPIT

Description

  The present invention relates to an apparatus, a method, and a program for executing a key schedule of a common key cryptosystem that is safe against failure use analysis.

  AES (Advanced Encryption Standard) is known as a secret key block cipher widely used for the purpose of concealing communication contents.

  In recent years, with respect to AES using a 128-bit secret key, failure use analysis has been performed to derive a secret key from which a round key is calculated by causing a calculation error when calculating the round key used in the ninth round. Have been reported (for example, see Non-Patent Document 1).

  As countermeasures against failure usage analysis, (i) eliminate the risk of calculation errors by storing and using pre-calculated round keys, and (ii) detect calculation errors using additional information such as parity information It is also known that correction is performed, (iii) a calculation error is detected by executing the same calculation a plurality of times and comparing the calculation results (see, for example, Non-Patent Document 2).

J. et al. Takahashi, T .; Fukunaga, K. et al. Yamakoshi, “DFA, Mechanism on the AES Key Schedule”, Fault Diagnostics and Tolerance in Cryptography, pp. 62-75, IEEE Computer Society, 2007. C. -N. Chen, S.M. -M. Yen, “Differential Fault Analysis on AES Key Schedule and Some Countermeasures”, Information Security and Privacy, 8th Australian Conference 3, ACISP. 118-129, Texture Notes in Computer Science 2727, Springer-Verlag.

  However, when the countermeasure (i) is used, a safe storage area for storing a pre-calculated key is required. Furthermore, when the secret key is updated, the round key must be calculated and stored without error. When the measure (ii) is used, there is a problem that the amount of calculation for calculating additional information and the amount of calculation for verification increase. When the countermeasure of (iii) is used, there is a problem that the calculation time increases when the calculation is executed a plurality of times using the same circuit, and an operation for comparing a plurality of calculation results is required. There was a problem that the calculation amount increased. If the calculation of (iii) is used and a plurality of calculations are executed in parallel using a plurality of circuits, an increase in calculation time and amount of calculation can be suppressed, but the circuit scale increases. Problem arises.

  The present invention has been made in view of the above, and an apparatus capable of executing a key schedule operation that is safe for failure use analysis while avoiding an increase in the amount of calculation for calculating additional information and the like. An object is to provide a method and a program.

  In order to solve the above-described problems and achieve the object, the present invention is a key schedule device that schedules a round key to be used in each round of a block cipher scheme, and a plurality of round keys corresponding to each of a plurality of rounds. A plurality of round keys stored in the first storage unit and a part of at least one of the plurality of round keys for each predetermined processing cycle, An update target key representing any one of them is acquired, and a calculation unit that calculates a round key of the next round of the acquired update target key based on the acquired update target key, and calculated for each processing cycle And an update unit that updates the update target key of the first storage unit with the round key that has been set.

  The present invention is also a key schedule device that schedules a round key to be used in each round of a block cipher system, and includes a first storage unit that stores a round key, and the first storage unit that is set for each predetermined processing cycle. An operation for obtaining a round key stored in the storage unit and calculating a round key for the next round of the obtained round key and a round key for the second round based on the obtained round key. And an update unit that updates the round key of the first storage unit with the calculated round key of the next two rounds for each processing cycle.

  Further, the present invention is a method and program capable of executing the above-described apparatus.

  According to the present invention, it is possible to execute a safe key schedule calculation for failure utilization analysis while avoiding an increase in calculation amount.

  Exemplary embodiments of an apparatus, a method, and a program according to the present invention will be described below in detail with reference to the accompanying drawings.

(First embodiment)
An example in which the present invention is applied to a key schedule device used when performing an encryption process by a block encryption method will be described. Here, the block encryption method is a method in which a plaintext to be encrypted is divided into blocks for each bit length determined for each method, and encryption processing is performed for each divided block. In the block cipher system, a process called a round is repeatedly performed to calculate a ciphertext block from a plaintext block. Each round uses a data block output by the previous round (a plaintext block in the first round) and a round key calculated by the key scheduling apparatus from previously held key data, and is used by the next round. Output data block (ciphertext block in the last round).

  In the following, an example in which the present invention is realized as an AES key scheduling apparatus using a 128-bit secret key will be described, but the applicable secret key is not limited to 128 bits. In AES using a 128-bit secret key, the plaintext block is 128 bits and the number of rounds is 10.

  The key schedule device according to the first embodiment calculates a round key of a plurality of rounds in one cycle of a predetermined processing cycle when calculating a round key to be used in each round of encryption processing by AES. Here, the predetermined processing cycle represents a unit for processing for one round. For example, when configuring hardware that performs processing for one round per clock, the processing cycle is one clock, and when configuring hardware that performs processing for one round every two clocks, processing cycles Is 2 clocks. As a result, even if the ninth round key is miscalculated by the failure usage analysis as described above, a calculation error may occur in the eighth or tenth round key before and after that. It is difficult to derive the key.

  FIG. 1 is a block diagram illustrating a configuration of a key schedule apparatus 100 according to the first embodiment. As shown in FIG. 1, the key schedule device 100 includes a schedule unit 310, a first storage unit 320, and a second storage unit 330. The key schedule device 100 is connected to an encryption device 200 that encrypts data using the round key calculated by the key schedule device 100.

  The key schedule device 100 and the encryption device 200 can be realized, for example, as a key schedule circuit and a data encryption circuit included in an AES encryption circuit that is a circuit for encrypting data according to AES.

  The first storage unit 320 is a register that stores a plurality of round keys corresponding to a plurality of rounds. The first storage unit 320 includes four registers 320a to 320d that store a 128-bit (16-byte) round key every 4 bytes.

  In the registers 320a to 320d, round keys of different rounds are stored by the update unit 312 described later. Specifically, the registers 320a and 320b store a round key of one round advanced from the registers 320c and 320d.

  The second storage unit 330 is a register that stores a round key corresponding to the previous round of the round key stored in the registers 320a and 320b. The second storage unit 330 includes registers 330a and 330b that store round keys corresponding to the registers 320a and 320b, respectively.

  By providing the registers 330a and 330b, it is possible to adjust the output of the key schedule device 100 so as to be aligned every round. That is, the registers 330a and 330b are referred to when the output unit 313 described later outputs all of the round keys of the same round to the encryption device 200.

  The schedule unit 310 refers to a plurality of round keys stored in the first storage unit 320 and executes key schedule calculation processing for sequentially calculating the round keys of the next round. The schedule unit 310 includes a calculation unit 311, an update unit 312, and an output unit 313 as detailed configurations.

  The calculation unit 311 calculates a round key for the next round of the round keys stored in the first storage unit 320 in a predetermined processing cycle. For example, when the key schedule device 100 is realized by a hardware circuit, the arithmetic unit 311 can set a cycle of a clock signal (clock cycle) for synchronization as a predetermined processing cycle. Further, for example, when the process of the key schedule device 100 is realized by a program as in the fifth embodiment (described later), the arithmetic unit 311 executes a predetermined process (step) defined by the program. The period can be a predetermined processing cycle.

  The calculation unit 311 acquires an update target key representing a round key to be updated among the round keys stored in the first storage unit 320 in each processing cycle, and the round key of the next round with respect to the update target key Is calculated. In the present embodiment, the calculation unit 311 calculates a round key using each of the round keys of a plurality of rounds stored in the first storage unit 320 as an update target key.

  The update unit 312 updates the update target key stored in the first storage unit 320 with the calculated round key.

  The output unit 313 outputs the round key stored in the registers 320 c and 320 d of the first storage unit 320 and the round key stored in the registers 330 a and 330 b of the second storage unit 330 to the encryption device 200. Thereby, the encryption apparatus 200 can acquire the round key of the same round simultaneously. Note that the encryption device 200 may be configured to adjust the difference in timing when the round key is calculated. In this case, the registers 330a and 330b are unnecessary.

  Next, a circuit example for realizing the key schedule apparatus 100 will be described with reference to FIG. FIG. 2 is a circuit diagram illustrating an example of the key schedule device 100 according to the first embodiment.

  As shown in the figure, in addition to the above-described registers 320a to 320d and registers 330a and 330b, the key schedule device 100 includes exclusive OR circuits 302a to 302d, selectors 303a to 303e, and a RotWord calculation unit. 304, a SubByte calculation unit 305, and an AddRcon calculation unit 306 are included.

In the figure, R _i (i = 0 to 15) represents 1-byte (8-bit) data obtained by dividing the 4-byte data stored in the registers 320a to 320d into four.

  The exclusive OR circuits 302a to 302d calculate an exclusive OR for each bit.

  The selectors 303a to 303d select and output the input to the key schedule device 100 and the outputs of the exclusive OR circuits 302a to 302d according to the clock signal. The input to the key schedule device 100 means a secret key that is an initial state (initial value) of a round key, which is input as a key used for round key calculation. As shown in the figure, in this embodiment, data obtained by dividing a 128-bit (16-byte) secret key by 4 bytes is input to the selectors 303a to 303d, respectively.

  The selector 303e is a circuit that selects and outputs either the value held by the register 320d or the value output by the exclusive OR circuit 302d in accordance with the clock signal.

  The selectors 303a to 303e determine which value to select in accordance with information set in advance or a command instructed from the outside. Details of the selection method for each clock by the selectors 303a to 303e will be described later.

RotWord operation unit 304, 4-byte data _{"k i, 12 k i, 13} k i, 14 k i, 15 " as input, data obtained by rearranging the order of the bytes _{"k i, 13 k i, 14} k i _{, 15} k _{i, 12} ”. The symbol “k _{i, j} ” represents the (j + 1) th byte data of the i-th round key. For example, the data “ki _{, 12} ki _{, 13} ki _{, 14} ki _{, 15} ” is “ki _{, 12} ”, “ki _{, 13} ”, “ki _{, 14} ” which is 1-byte data. ”And“ ki _{, 15} ”in this order represent 4-byte data.

  The SubByte calculation unit 305 receives 4-byte data as input, performs non-linear calculation defined by the AES specification on each input 4-byte byte, and outputs the result.

  The AddRCon operation unit 306 receives 4-byte data as input, adds a round constant determined for each round in the AES specification to the input 4 bytes (exclusive OR operation), and outputs the result.

  As described above, in the present embodiment, the round key held in the registers 320a and 320b is a round key advanced by one round from the round key held in the registers 320c and 320d.

  Next, a key schedule calculation process by the key schedule device 100 configured as described above will be described. FIG. 3 is a diagram illustrating an example of data output at each clock of the key schedule calculation process according to the first embodiment.

Details of the processing at each clock from time C ₀ as the first clock to time C _{11 as the} clock for calculating the round key for the tenth round will be described below.

The (time C ₀ ) selectors 303a to 303d receive the 4-byte keys “k _{0, 0} k _{0, 1} k _{0, 2} k ₀ , ₃ ”, “k _{0, 4} ” received as inputs of the key schedule device 100, respectively. k _0,5 k _0,6 k _0,7 "," _k 0,8 _k 0,9 _{k 0,10 k 0,11} ", and" _{k 0,12 k 0,13 k 0,14 k 0} , ₁₅ ”is selected. 320d from the register 320a is the end of the clock period, respectively holding the values shown in the row corresponding to _{C 0} of FIG.

(Time C ₁ ) The registers 320a to 320d output the held values. The selectors 303a and 303b select and output the outputs of the exclusive OR circuits 302a and 302b. Thus, in the first clock for calculating the round key, only the element corresponding to the first 8 bytes of the input key is selected, and only the first 8 bytes are updated to the next round key as will be described later. That is, in this case, the element corresponding to the first 8 bytes is the update target key.

Selector 303c and 303d is, 4 bytes of the key that has been received as input of the key schedule device 100 _"k 0,8 _k 0,9 _{k 0,10 k 0,11"} and _{"k 0,12 k 0,13 k 0 , 14} k _0,15 ”.

The selector 303e selects and outputs the value held by the register 320d. At this time, held in the register 320d _{"k 0,12 k 0,13 k 0,14 k 0,15"} is exclusively converted by the RotWord operation unit 304, SubByte calculation unit 305, and AddRCon arithmetic unit 306 “K _0,0 k _0,1 k _0,2 k _0,3 ” sent to the logical sum circuit 302 a and stored in the register 320 a is _replaced with “k _1,0 k _1,1 k _1,2 k _1,3 Update to The updated “k _1,0 k _1,1 k _1,2 k _1,3 ” is sent to the exclusive OR circuit 302b and held in the register 320b “k _0,4 k _0,5 k _{0”. , 6} k _0,7 ”is _updated to“ k _1,4 k _1,5 k _1,6 k _1,7 ”.

On the other hand, it is held in the register 320c and 320d as _"k 0,8 _k 0,9 _{k 0,10 k 0,11" "k 0,12 k 0,13 k 0,14 k 0,15"} identical Updated to value. That is, the value of data held in these registers does not change. The updated value is held in registers 320a-320d as shown in FIG. 3 at the end of the clock period. The registers 330a and 330b hold the same values as the registers 320a and 320b.

(Time C ₂ ) The registers 320a to 320d and the registers 330a to 330b output the held values. The selectors 303a to 303d select and output the outputs of the exclusive OR circuits 302a to 302d. The selector 303e selects and outputs the value output from the exclusive OR circuit 302d. “K _1,4 k _1,5 k _1,6 k _1,7 ” held in the register 320 b is sent to the exclusive OR circuit 302 c and “k _0,8 k _{0, 9} k _0,10 k _0,11 ”is updated to“ k _1,8 k _1,9 k _1,10 k _1,11 ”. Updated _"k 1,8 _k 1,9 _{k 1,10 k 1,11"} exclusively sent to the OR circuit 302d, is held in the register 320d _{"k 0,12 k 0,13 k 0 ,} to update the 14 _{k 0,15} "to" _{k 1,12 k 1,13 k 1,14 k 1,15} ". Updated _{"k 1,12 k 1,13 k 1,14 k 1,15"} is converted by the RotWord operation unit 304, SubByte calculation unit 305, and AddRCon calculating section 306 sent to the exclusive OR circuit 302a and Then, “k _1,0 k _1,1 k _1,2 k _1,3 ” held in the register 320a is updated to “k _2,0 k _2,1 k _2,2 k _2,3 ”.

The updated “k _2,0 k _2,1 k _2,2 k _2,3 ” is sent to the exclusive OR circuit 302b and held in the register 320b “k _1,4 k _1,5 k _{1 , 6} k _1,7 ”is updated to“ k _2,4 k _2,5 k _2,6 k _2,7 ”. The values “k _1,0 k _1,1 k _1,2 k _1,3 ” and “k _1,4 k _1,5 k _1,6 k _1,7 ” held in the registers 330 a and 330 b and exclusive logical output of the OR circuit 302c and 302d as _"k 1,8 _k 1,9 _{k 1,10 k 1,11," "k 1,12 k 1,13 k 1,14 k 1,15"} is, 1 round Output from the key schedule device 100 as the round key of the eye. The updated value is held in registers 320a-320d as shown in FIG. 3 at the end of the clock period. The registers 330a and 330b hold the same values as the registers 320a and 320b.

Time _{C 10} to a similar process is repeated, 9 round of the round-key _"k 9,0 _k 9,1 _k 9,2 _{k 9,3", "k} 9,4 _k 9,5 _{k 9,6 k 9,7} "," _k 9,8 _k 9,9 _{k 9,10 k 9,11} ", and" _{k 9,12 k 9,13 k 9,14 k 9,15} "is output, in FIG. 3 shown as registers 320a (and 330a), the register 320b (and 330b), the register 320c, and the register 320d, respectively _{"k 10,0 k 10,1 k 10,2 k 10,3", "k 10, 4} k _10,5 k _10,6 k _10,7 "," k _9,8 k _9,9 k _9,10 k _9,11 ", and" k _9,12 k _9,13 k _9,14 k _{9, 15} "is held.

(Time C ₁₁ ) The registers 320a to 320d and the registers 330a to 330b output the held values. The selectors 303a to 303d select and output the outputs of the exclusive OR circuits 302a to 302d. The selector 303e selects and outputs the value output from the exclusive OR circuit 302d. “K _10,4 k _10,5 k _10,6 k _10,7 ” held in the register 320b is sent to the exclusive OR circuit 302c, and “k _9,8 k _{9, 9} k _9,10 k _9,11 "to update the" _{k 10,8 k 10,9 k 10,10 k 10,11} ".

Updated _{"k 10,8 k 10,9 k 10,10 k 10,11"} exclusively sent to the OR circuit 302d, is held in the register 320d _{"k 9,12 k 9,13 k 9 , 14} k _9,15 "is updated to" k _10,12 k _10,13 k _10,14 k _10,15 ". It is held in the register 330a and 330b and the _{"k 10,0 k 10,1 k 10,2 k 10,3" "k 10,4 k 10,5 k 10,6 k 10,7",} and is updated was _{"k 10,8 k 10,9 k 10,10 k 10,11"} and _{"k 10,12 k 10,13 k 10,14 k 10,15",} the key schedule device as a round key of the 10 round 100. Based on the updated “k _10,12 k _10,13 k _10,14 k _10,15 ”, the values held in the registers 320 a and 320 b are updated to values that are not actually used. For example, by a process similar to the above, it is updated and held at a value corresponding to the 11th round. In FIG. 3, this value is represented by the symbol “---” to indicate that it is not used.

By executing the key schedule calculation process in this manner, it becomes difficult to derive the secret key by the failure use analysis disclosed in Non-Patent Document 1 or the like. In other words, in order to cause a calculation error in the ninth round key, it is necessary to make a calculation error at time C ₉ or C ₁₀ . However, it is part of the round key of 8 round this time _{"k 8,8 k 8,9 k 8,10 k 8,11} k 8,12 k 8,13 k 8,14 k 8,15 ", or, calculated it is a part of the round key of the 10 th round _{"k 10,0 k 10,1 k 10,2 k 10,3} k 10,4 k 10,5 k 10,6 k 10,7 " Since an error may occur, it is difficult to obtain a secret key by failure use analysis.

Further, as in Non-Patent Document 2 described above, calculation for information other than the round key, such as calculation of additional information and comparison of calculation results, is not necessary, so that an increase in the amount of calculation can be suppressed. it can. In addition, since the round key up to the 10th round can be calculated at 11 clocks (time C ₁₁ ), the amount of calculation for calculating the round key compared with the conventional method of calculating the round keys up to the 10th round at 10 clocks The increase of can also be minimized.

  So far, the key schedule device has been described in which the registers 320a and 320b hold a round key advanced by one round than the registers 320c and 320d. In a similar manner, a key scheduling device in which the register 320a holds a round key that is advanced by one round from the registers 320b, 320c, and 320d, or the registers 320a, 320b, and 320c are one more than the register 320d. It is possible to configure a key schedule device that holds round keys advanced by rounds.

  As described above, in the key schedule device according to the first embodiment, when calculating the round key used in each round of the encryption process by AES, the round key of a plurality of rounds is calculated in one clock. Key schedule calculation processing can be executed. For this reason, it is possible to execute a safe key schedule calculation for failure utilization analysis while avoiding an increase in the amount of calculation for calculating additional information and the like.

(Second Embodiment)
In the key schedule device according to the first embodiment, the 16-byte round key is divided into units of 4 bytes, and the round key is calculated so that the first 8 bytes advance one round from the last 8 bytes. The key schedule device according to the second exemplary embodiment further divides the divided 4 bytes into one byte, and calculates the round key so that the odd-numbered bytes from the head advance one round from the even-numbered bytes.

  FIG. 4 is a block diagram illustrating a configuration of the key schedule device 500 according to the second embodiment. As shown in FIG. 4, the key schedule device 500 includes a schedule unit 510, a first storage unit 520, and a second storage unit 530.

  In the second embodiment, the schedule unit 510, the first storage unit 520, and the second storage unit 530 are configured to control the update of the round key in units of 1 byte as described above. This is different from the first embodiment. Hereinafter, functions of the key schedule device 500 will be described with reference to FIG. 5 which is a circuit example for realizing the key schedule device 500 of the second embodiment. FIG. 5 is a circuit diagram illustrating an example of the key schedule device 500 according to the second embodiment.

  As shown in the figure, the key schedule device 500 includes registers 520a to 520p constituting the first storage unit 520, registers 530a to 530h constituting the second storage unit 530, registers 501y and 501z, and exclusive logic. The sum circuits 502a to 502p, selectors 503a to 503p, selectors 503q to 503t, a RotWord arithmetic unit 304, a SubByte arithmetic unit 305, and an AddRcon arithmetic unit 506 are included.

  The registers 520a to 520d correspond to the register 320a in the first embodiment, and are registers that hold the first 4 bytes of the round key for each byte. Similarly, the registers 520e to 520h, the registers 520i to 520l, and the registers 520m to 520p correspond to the register 320b, the register 320c, and the register 320d in the first embodiment, respectively.

  The registers 530a to 530h are used to adjust the outputs of the key schedule device 500 so as to be aligned for each round, similarly to the registers 330a and 330b in the first embodiment.

  The registers 501y and 501z are used to generate a difference in the round key round calculated at a specific time.

  The exclusive OR circuits 502a to 502p are circuits obtained by dividing the exclusive OR circuits 302a to 302d in the first embodiment for each byte, and are exclusive for each bit with respect to two 1-byte inputs. Outputs the result of calculating the logical sum.

  The selectors 503a to 503p are circuits in which the selectors 303a to 303d in the first embodiment are divided for each byte, and either the outputs of the exclusive OR circuits 502a to 502p or the inputs of the key schedule device 500 are used. Are selected according to the clock signal and output.

  The selectors 503q and 503s are circuits that select and output either the output of the registers 520m and 520o or the input of the key schedule device 500 according to the clock signal.

  The selectors 503r and 503t are circuits that select and output either the output of the exclusive OR circuits 502n and 502p or the input of the key schedule device 500 according to the clock signal.

  The RotWord calculation unit 304 and the SubByte calculation unit 305 are the same as those in FIG. 2 which is the circuit diagram of the key schedule device 100 according to the first embodiment, and thus the same reference numerals are given and description thereof is omitted.

  The AddRCon operation unit 506 adds the round constant determined for each round in the AES specification to the 4-byte input (exclusive OR operation) and outputs the result. However, in the second embodiment described below, since the 4-byte input input to the AddRCon operation unit 506 corresponds to a plurality of different rounds, the constants of the corresponding rounds are appropriately added. . That is, the AddRCon operation unit 506 determines the round of each byte constituting 4 bytes, and adds a round constant for the determined round for each byte.

  Next, key schedule calculation processing by the key schedule device 500 configured as described above will be described. FIG. 6 is a diagram illustrating an example of data output at each clock of the key schedule calculation process according to the second embodiment.

Details of the processing at each clock from time C ₀ as the first clock to time C _{11 as the} clock for calculating the round key for the tenth round will be described below.

(Time C ₀ ) The selectors 503a to 503p and the selectors 503q and 503s receive the keys “k _0,0 ”, “k _0,1 ”, “k ₀ ” of each byte received as the input of the key schedule device 500, respectively. _{, 2} ”,“ k _0,3 ”,“ k _0,4 ”,“ k _0,5 ”,“ k _0,6 ”,“ k _0,7 ”,“ k _0,8 ”,“ k _{0, 9} "," _{k 0,10} "," _{k 0,11} "," _{k 0,12} "," _{k 0,13} "," _{k 0,14} "," _{k 0,15} "," _{k 0,12} And “k _0,14 ” are selected. Registers 520a through 520p and registers 501y and 501z hold their respective values as shown in FIG. 6 at the end of the clock period.

(Time C ₁ ) The registers 520a to 520p and the registers 501y and 501z output the held values. Selectors 503a, 503c, 503e, 503g, 503i, 503k, 503m, and 503o select and output the outputs of the exclusive OR circuits 502a, 502c, 502e, 502g, 502i, 502k, 502m, and 502o, respectively. . The selectors 503b, 503d, 503f, 503h, 503j, 503l, 503n, and 503p receive the keys k _0,1 , “k _0,3 ”, “k _0,5 ” of each byte received as the input of the key schedule device 500. "," _{k 0,7} "," _{k 0,9} "," _{k 0,11} "," _{k 0,13} ", select the" _{k 0,15} ". Selectors 503q and 503s select and output values held by registers 520m and 520o, respectively. The selectors 503r and 503t select and output the keys “k _0,12 ” and “k _0,14 ” of each byte received as inputs of the key schedule device 500, respectively.

At this time, the output selector 503r and 503t _{'k 0, 13} "and" _{k 0, 15} ", after being converted by the RotWord operation unit 304, and SubByte calculation unit 305, first round in AddRCon arithmetic unit 506 Are added to the exclusive OR circuits 502a and 502c, and "k _0,0 " and "k _0,2 " held in the registers 520a and 520c are respectively changed to "k _{1, 0} ". And “k _1,2 ”.

The updated “k _1,0 ” and “k _1,2 ” are sent to the exclusive OR circuits 502e and 502g and held in the registers 520e and 520g, respectively, “k _0,4 ” and “k _{0, 6} ”is updated to“ k _1,4 ”and“ k _1,6 ”, respectively. Similarly, “k _0,8 ”, “k _0,10 ”, “k _0,12 ”, and “k _0,14 ” held in the registers 520 i, 520 k, 520 m, and 520 o, respectively, are “k _{1 , 8} ”,“ k _1,10 ”,“ k _1,12 ”, and“ k _1,14 ”, respectively.

On the other hand, “k _0,1 ”, “k _0,3 ”, “k _0,5 ”, “k” held in the registers 520b, 520d, 520f, 520h, 520j, 520l, 520n, 520o, 501y, and 501z, respectively. k _0,7 "," _{k 0,9} "," _{k 0,11} "," _{k 0,13} "," _{k 0,15} "," _{k 0,12} ", and" _{k 0,14} "is, Updated to the same value.

The updated values are held in registers 520a to 520p (corresponding to R _{0 to} R ₁₅ ) and registers 501y and 501z (corresponding to T ₁₂ and T ₁₄ ) as shown in FIG. 6 at the end of the clock period. .

The registers 530a to 530h are updated “k _1,0 ”, “k _1,2 ”, “k _1,4 ”, “k _1,6 ”, “k _1,8 ”, “k _1,10 ”. , “K _1,12 ”, and “k _1,14 ”.

(Time C ₂ ) The registers 520a to 520p, the register 501y, and the register 501z output the held values. The selectors 503a to 503p select and output the outputs of the exclusive OR circuits 502a to 502p, respectively. Selectors 503q and 503s select and output values output from registers 520m and 520o, respectively. Selectors 503r and 503t select and output the outputs of exclusive OR circuits 502n and 502p, respectively.

“K _0,12 ” and “k _0,14 ” held in the registers 501y and 501z correspond to the first round in the AddRCon operation unit 506 after being converted by the RotWord operation unit 304 and the SubByte operation unit 305. The constants are added to “k _0,3 ” and “k _0,1 ” that are sent to the exclusive OR circuits 502d and 502b and held in the registers 520d and 520b, respectively, “k _1,3 ” and Update to “k _1,1 ”. The updated “k _1,1 ” and “k _1,3 ” are sent to the exclusive OR circuits 502 f and 502 h and held in the registers 520 f and 520 h, respectively, “k _0,5 ” and “k _{0, 7} ”is updated to“ k _1,5 ”and“ k _1,7 ”, respectively. Similarly, the register 520j, 520L, 520n, and _{"k 0, 9"} respectively held in 520p, _{"k 0, 11", "k 0, 13",} and _{"k 0, 15",} respectively "k _1,9 "," _k1,11 "," _k1,13 ", and" _k1,15 ".

Additionally, the updated _{"k 1, 13"} and _{"k 1, 15"} is output after being selected by each selector 503r and 503s, after being converted by the RotWord operation unit 304, and SubByte calculation unit 305, AddRCon The arithmetic unit 506 adds the constants corresponding to the second round and sends them to the exclusive OR circuits 502a and 502c. Then, “k _1,0 ” and “k _1,2 ” held in the registers 520a and 520c are updated to “k _2,0 ” and “k _2,2 ”, respectively. The updated “k _2,0 ” and “k _2,2 ” are sent to the exclusive OR circuits 502e and 502g and held in the registers 520e and 520g, respectively, “k _1,4 ” and “k _{1, 6} ”is updated to“ k _2,4 ”and“ k _2,6 ”, respectively. Similarly, “k _1,8 ”, “k _1,10 ”, “k _1,12 ”, and “k _1,14 ” held in the registers 520i, 520k, 520m, and 520o, respectively, _2,8 "," _k2,10 "," _k2,12 ", and" _k2,14 ".

Updated “k _1,1 ”, “k _1,3 ”, “k _1,5 ”, “k _1,7 ”, “k _1,9 ”, “k _1,11 ”, “k _1,13 ", and" _{k 1, 15} "is" _{k 1, 0} held from the register 530a to 530h "," _{k 1, 2} "," _{k l, 4} "," _{k 1, 6} "," _{k 1 , 8} ”,“ k _1,10 ”,“ k _1,12 ”, and“ k _1,14 ”are output as the first round key.

The updated value is held in registers 520a to 520p and registers 501y and 501z as shown in FIG. 6 at the end of the clock period. The registers 530a to 530h have “k _2,0 ”, “k _2,2 ”, “k _2,4 ”, “k _2,6 ”, “k _2,8 ”, “k _2,10 ”, “K _2,12 ” and “k _2,14 ” are retained.

The same process until the time _{C 10} is repeated, 9 round round keys of _{"k 9,0 k 9,1 k 9,2 k 9,3} k 9,4 k 9,5 k 9,6 k 9,7 _{k 9,8 k 9,9 k 9,10 k 9,11} k 9,12 k 9,13 k 9,14 k 9,15 "is output, 520p from the register 520a as shown in FIG. 6, the register 501y , and the register 501z, respectively _{"k 10, 0", "k 9,1", "k 10, 2", "k 9, 3", "k 10, 4", "k 9, 5",} " k _10,6 "," _{k 9,7} "," _{k 10,8} "," _{k 9,9} "," _{k 10,10} "," _{k 9,11} "," _{k 10,12} "," k _9,13 "," _k10,14 "," _k9,15 "," _k9,12 ", and" _k9,14 "are retained.

(Time C ₁₁ ) The registers 520a to 520p, the register 501y, and the register 501z output the held values. The selectors 503a to 503p select and output the outputs of the exclusive OR circuits 502a to 502p. The selectors 503q and 503s select and output the values output from the registers 520m and 520o. The selectors 503r and 503t select and output the outputs of the exclusive OR circuits 502n and 502p.

Register 501y and _{"k 9, 12"} and respectively held in 501z _{"k 9, 14} ', after being converted by the RotWord operation unit 304, and SubByte calculation unit 305, corresponding to 10 round in AddRCon arithmetic unit 506 are constants is added, is sent to the exclusive oR circuit 502d and 502b, _{"k 9, 3"} and, respectively held in the register 520d and 520b to _{"k 9,1",} respectively _{"k 10,3"} And “k _10,1 ”. The updated “k _10,1 ” and “k _10,3 ” are sent to the exclusive OR circuits 502 f and 502 h, respectively, and “k _9,5 ” and “k ₉ ” held in the registers 520 f and 520 h, respectively. _{, 7} "and updates to each" _{k 10,5} "and" _{k 10,7} ". Similarly, the register 520j, 520L, 520n, and _{"k 9, 9} 'respectively held in 520p," _{k 9, 11} "," _{k 9, 13} ", and" _{k 9, 15} ", respectively" k _{10, 9} ", is updated to" _{k 10,11} "," _{k 10,13} ", and" _{k 10,15} ".

Additionally, the updated _{"k 10, 13"} and _{"k 10, 15"} is output after being selected by the selector 503r and 503s, are converted by the RotWord operation unit 304, and SubByte arithmetic unit 305. However, since the constant corresponding to the eleventh round is not defined in the AddRCon operation unit 506, the subsequent data becomes invalid and is actually used for the registers 520a, 520c, 520e, 520g, 520i, 520k, 520m, and 520o. Is updated to a value that is not.

It has been updated _{"k 10,1", "k 10,3", "k 10,5", "k 10,7", "k 10,9", "k 10,11", "k 10,13} ", and" _{k 10, 15} "is" _{k 10, 0} being held from the register 530a to 530h "," _{k 10, 2} "," _{k 10, 4} "," _{k 10,6} "," _{k 10 , 8} ”,“ k _10,10 ”,“ k _10,12 ”, and“ k _10,14 ”are output as the round key of the tenth round.

In the second embodiment, in order to cause a calculation error in the round key of the ninth round, it is necessary to make a calculation error at time C ₉ or C ₁₀ . However, part of the round key of 8 round this time _{"k 8,1 k 8,3 k 8,5 k 8,7} k 8,9 k 8,11 k 8,13 k 8,15 ", or 10 part of the round key for round _{"k 10,0 k 10,2 k 10,4 k 10,6} k 10,8 k 10,10 k 10,12 k 10,14 " also possible to calculate an error occurs with Therefore, it is difficult to obtain a secret key by failure utilization analysis disclosed in Non-Patent Document 1 or the like.

  So far, for example, focusing on the first 4 bytes, a key schedule device has been described in which the registers 520a and 520c hold a round key advanced by one round from the registers 520b and 520d. The combination of registers that advance the round is not limited to this, and any combination may be used as long as the same technique as the circuit example of FIG. 6 can be applied.

For example, the following combinations are possible.
(1) Registers 520b and 520d advance one round than registers 520a and 520c (2) Register 520a advances one round more than registers 520b, 520c, and 520d (3) Register 520b uses registers 520a and 520c , And 520d advance by one round (4) register 520c advances one round more than registers 520a, 520b, and 520d (5) register 520d advances one round more than registers 520a, 520b, and 520c ( 6) Registers 520b, 520c, and 520d advance one round from register 520a (7) Registers 520a, 520c, and 520d advance one round from register 520b (8) Registers 520a, 520b, and 5 0d is, advances 1 rounds than register 520c (9) registers 520a, 520b, and 520c are, advances 1 rounds than register 520d

(Modification)
In the second embodiment, the 8-byte data held in the registers 520b and 520d, 520f and 520h, 520j and 520l, and 520n and 520p based on the information held in the registers 501y and 501z in a certain clock cycle. Information is updated in order. Based on the information updated from the registers 520n and 520p, 8-byte information held in the registers 520a and 520c, 520e and 520g, 520i and 520k, and 520m and 520o are updated in order. As a result, the data path becomes longer and the clock frequency cannot be sufficiently increased.

  Thus, in a modification of the second embodiment, a key schedule device that can increase the clock frequency by dividing the update of data within the clock cycle will be described. FIG. 7 is a circuit diagram illustrating an example of a key schedule device 550 according to a modification of the second embodiment.

  As shown in FIG. 7, in this modification, instead of the selectors 503a to 503p of the key schedule device 500 of the second embodiment (see FIG. 5), three-input one-output selectors 553a to 553p are used. Then, the key schedule calculation process is executed. By using such selectors 553a to 553p, only a part of 8-byte information is selected and updated in a certain clock cycle.

FIG. 8 is a diagram illustrating an example of data output at each clock of the key schedule calculation process in the present modification. The figure, for example, registers 520a and 520c, 520e and 520 g, 520i and 520k, and the 8 bytes of the information held in the 520m and 520O, divided into two clock periods (e.g., time _{C 1} and the time _{C 2)} An example of updating is shown.

  With this configuration, it is possible to shorten the data path and increase the clock frequency, as compared with the second embodiment in which information of 8 bytes is selected and updated in one clock cycle.

  As described above, in the key schedule device according to the second exemplary embodiment, the round key is divided for each byte, and the round key is calculated so that the odd-numbered bytes from the head advance one round from the even-numbered bytes. To do. As a result, it is possible to execute a safe key schedule calculation for failure utilization analysis while avoiding an increase in the amount of calculation for calculating additional information and the like.

(Third embodiment)
The key schedule device according to the third exemplary embodiment calculates two consecutive round keys using the same clock.

  FIG. 9 is a block diagram illustrating a configuration of a key schedule apparatus 700 according to the third embodiment. As illustrated in FIG. 9, the key schedule device 700 includes a schedule unit 710, a first storage unit 720, and a second storage unit 730.

  In the third embodiment, as described above, the schedule unit 710, the first storage unit 720, and the second storage unit 730 are configured to calculate the round keys of two consecutive rounds with the same clock. This is different from the first embodiment. Hereinafter, functions of the key schedule device 700 will be described with reference to FIG. 10 which is a circuit example for realizing the key schedule device 700 of the third embodiment. FIG. 10 is a circuit diagram illustrating an example of the key schedule device 700 according to the third embodiment.

  As shown in the figure, the key schedule device 700 includes registers 720a to 720d constituting the first storage unit 720, registers 730a to 730h constituting the second storage unit 730, and exclusive OR circuits 702a to 702h. , Selectors 703a to 703d, RotWord arithmetic units 304a and 304b, SubByte arithmetic units 305a and 305b, and AddRcon arithmetic units 306a and 306b.

  Registers 720a to 720d correspond to the registers 320a to 320d in the first embodiment, and hold a 16-byte round key divided into four bytes.

The registers 730a to 730h are registers that hold round keys output from the key schedule device 700. In the third embodiment, round keys for two rounds are calculated per one time (clock cycle). As described above, the data encryption circuit (encryption device 200) normally performs one round of encryption processing per time. For this reason, at the end of time C _i (i = 1, 2, 3, 4, 5) so that the data encryption circuit can refer to the round key of each round, the registers 730a to 730d are in the second * i−1 round. The second round key is held, and the registers 730e to 730h are configured to hold the second * i round key.

  When the data encryption circuit is configured to perform processing for two rounds per time, the round key may be directly output from the key schedule device 700 without using the registers 730a to 730h. .

  Exclusive OR circuits 702a to 702d and exclusive OR circuits 702e to 702h calculate an exclusive OR for each bit.

  The selectors 703a to 703d select and output the input to the key schedule device 700 and the outputs of the exclusive OR circuits 702e to 702h according to the clock signal.

  The RotWord calculation units 304a and 304b have the same functions as the RotWord calculation unit 304 of the first embodiment.

  The SubByte calculation units 305a and 305b each have the same function as the AddRCon calculation unit 305 of the first embodiment.

  The AddRCon operation units 306a and 306b have the same functions as the AddRCon operation unit 306 of the first embodiment.

  Next, key schedule calculation processing by the key schedule device 700 configured as described above will be described. FIG. 11 is a diagram illustrating an example of data output at each clock of the key schedule calculation process according to the third embodiment.

(Time C ₀ ) The selectors 703 a to 703 d receive the 4-byte keys “k _0,0 k _0,1 k _0,2 k _0,3 ” and “k _0,4 ” received as inputs of the key schedule device 700, respectively. k _0,5 k _0,6 k _0,7 "," _k 0,8 _k 0,9 _{k 0,10 k 0,11} ", and" _{k 0,12 k 0,13 k 0,14 k 0} , ₁₅ ”is selected. Registers 720a to 720d hold their respective values as shown in FIG. 11 at the end of the clock period.

(Time C ₁ ) The registers 720a to 720d output the held values. The selectors 703a to 703d select and output the outputs of the exclusive OR circuits 702e to 702h, respectively. At this time, held in the register 720d _{"k 0,12 k 0,13 k 0,14 k 0,15"} is exclusively converted by the RotWord operation unit 304a, SubByte calculating unit 305a, and AddRCon calculation unit 306a It is sent to the logical sum circuit 702a. The exclusive OR circuit 702a includes “k _0,0 k _0,1 k _0,2 k _0,3 ” to “k _1,0 k _1,1 k _1,2 k _1,3 held in the register 720a. Is output to the register 720e and exclusive OR circuits 702b and 702e.

“K _1,0 k _1,1 k _1,2 k _1,3 ” sent to the exclusive OR circuit 702b is stored in the register 720b as “k _0,4 k _0,5 k _0,6 k”. exclusive OR operation and _0,7 "is performed," _k 1,4 _k 1,5 _k 1,6 _{k 1,7} "is output. Likewise, exclusive the OR circuit 702c and 702d, are held in the registers 720c and 720d _"k 0,8 _k 0,9 _{k 0,10 k 0,11"} and _{"k 0, 12} k _{0, 13} based on the k _0,14 k _0,15 ", and" _k 1,8 _k 1,9 _{k 1,10 k 1,11,} "" _{k 1,12 k 1,13 k 1,14 k 1,15} " Is output.

Exclusive OR circuit 702d outputs _{"k 1,12 k 1,13 k 1,14 k 1,15"} is, RotWord operation unit 304b, SubByte calculation unit 305b, and AddRCon exclusively converted by the computing unit 306b It is sent to the logical sum circuit 702e. The exclusive OR circuit 702e is configured to output “k _2,0 k _2,1 k _2,3 ” based on “k _1,0 k _1,1 k _1,2 k _1,3 ” output from the exclusive OR circuit 702a _. and it outputs the ₂ k _2,3 ", and sends the selector 703a, register 730e, and to the exclusive oR circuit 702f.

“K _2,0 k _2,1 k _2,2 k _2,3 ” sent to the exclusive OR circuit 702f is “k _1,4 k _1,5 k ₁ ” output from the exclusive OR circuit 702b. _{, 6} k _1,7 ”and an exclusive OR operation is performed to output“ k _2,4 k _2,5 k _2,6 k _2,7 ”. Similarly, in the exclusive OR circuits 702g and 702h, “k _1,8 k _1,9 k _1,10 k _1,11 ” and “k _1,12 k” output from the exclusive OR circuits 702c and 702d, respectively. on the basis of _1,13 k _1,14 k _1,15 ", each" _k 2,8 _k 2,9 _{k 2,10 k 2,11} "and" _{k 2,12 k 2,13 k 2,14 k 2,15} "is output.

Updated "k _2,0 k _2,1 k _2,2 k _2,3 ", "k _2,4 k _2,5 k _2,6 k _2,7 ", "k _2,8 k _2,9 " k _2,10 k _{2, 11} ", and" _{k 2,12 k 2,13 k 2,14 k 2,15} ", in addition to being held in 720d from the register 720a as shown in FIG. 11, the second round Are stored in the registers 730e to 730h as round keys used in. “K _1,0 k _1,1 k _1,2 k _1,3 ”, “k _1,4 k _1,5 k _1,6 k _1,7 ” and “k _1,7 ” output from the exclusive OR circuits 702a to 702d, k _1,8 k _1,9 k _1,10 k _1,11 ", and" _{k 1,12 k 1,13 k 1,14 k 1,15} ", as a round key to be used in the first round, register 730a to 730d.

By the same process, the round keys up to 10 round by the time C ₅ is output is updated.

In the third embodiment, in order to produce a calculation error in the round key 9 round, it is necessary to falsify the calculation at time C _5. However, at this time, the round keys “k _{10, 0} k _10, 1 k ₁₀ , ₂ k ₁₀ , ₃ ”, “k _{10, 4} k _{10, 5} k _{10, 6} k ₁₀ , ₇ ”, “k” of the 10th round _10,8 k _10,9 k _10,10 k _10,11 ", and" _{k 10,12 k 10,13 k 10,14 k 10,15} to "there is a possibility that calculation errors occur, non-Patent Document It becomes difficult to obtain the secret key by the failure use analysis disclosed in No. 1 and the like.

  In addition, although the example which calculates the round key for 2 rounds per time was demonstrated so far, the key schedule apparatus which calculates the round key for 3 rounds per time by the same method is comprised. Can do.

  As described above, the key schedule device according to the third embodiment calculates the round keys of two consecutive rounds in the same processing cycle. As a result, it is possible to execute a safe key schedule calculation for failure utilization analysis while avoiding an increase in the amount of calculation for calculating additional information and the like.

(Fourth embodiment)
The key scheduling apparatus according to the fourth embodiment divides a 16-byte round key into units of 4 bytes, and in order from the first 4 bytes, the next round key for predetermined 2 bytes among the bytes included in the 4 bytes. Is calculated.

  FIG. 12 is a block diagram illustrating a configuration of a key schedule apparatus 900 according to the fourth embodiment. As shown in FIG. 12, the key schedule device 900 includes a schedule unit 910, a first storage unit 920, and a second storage unit 930.

  In the fourth embodiment, as described above, the scheduling unit 910 and the first storage so as to calculate the next round key in order from the first 4 bytes for the predetermined 2 bytes among the bytes included in the 4 bytes, as described above. The point which comprised the part 920 and the 2nd memory | storage part 930 differs from 1st Embodiment. Hereinafter, the function of the key schedule apparatus 900 will be described with reference to FIG. 13 which is a circuit example for realizing the key schedule apparatus 900 of the fourth embodiment. FIG. 13 is a circuit diagram illustrating an example of the key schedule device 900 according to the fourth embodiment.

  As shown in the figure, the key schedule device 900 includes registers 920a to 920h constituting the first storage unit 920, registers 930a to 930f constituting the second storage unit 930, and exclusive OR circuits 902a to 902j. , Selectors 903a to 903t, SubByte arithmetic units 905a and 905b, and AND circuits 907a and 907b.

  The registers 920a and 920b correspond to the register 320a in the first embodiment and are registers that hold the first two bytes of the round key. Similarly, registers 920c and 920d, registers 920e and 920f, and registers 920g to 920h correspond to the registers 320b, 320c, and 320d in the first embodiment, respectively.

  The registers 930a to 930f are used for adjusting the outputs of the key schedule device 900 to be aligned for each round, similarly to the registers 330a and 330b in the first embodiment.

  The exclusive OR circuits 902a to 902h are obtained by dividing the exclusive OR circuits 302a to 302d in the first embodiment into two bytes, and are exclusive for each bit with respect to two 2-byte inputs. The result of calculating the logical OR is output.

  Exclusive OR circuits 902i and 902j output a result of calculating an exclusive OR for each bit with respect to two 2-byte inputs.

  The selectors 903a to 903h are circuits in which the selectors 303a to 303d in the first embodiment are divided every two bytes, and outputs of registers 920a to 920h, outputs of exclusive OR circuits 902a to 902h, or This is a circuit that selects and outputs one of the inputs of the key schedule device 900 according to a clock signal.

  The selectors 903i to 903n divide the 2-byte data output from the registers 920a to 920f, respectively, into two bytes, add 0 (1 byte), and expand to 2 bytes. Any one of them is a circuit that selects and outputs one according to a clock signal.

  The selectors 903o and 903p are circuits that select and output one of the two 1-byte data obtained by dividing the 2-byte data output from the registers 920g and 920h, according to the clock signal.

  The selectors 903q and 903r cut out the corresponding round constants (to cut off unnecessary round constants) in order to add the round constants determined for each round in the AES specification by the exclusive OR circuits 902i and 902j, respectively. This is a circuit for selecting a mask for the purpose.

  SubByte calculation units 905a and 905b receive the outputs (1 byte) of selectors 903o and 903p, respectively, perform SubByte processing defined by the AES specification, and output a 1-byte value.

  The selectors 903 s and 903 t select and output one of the two 2-byte data expanded by adding 0 (1 byte) to the output of the SubByte arithmetic units 905 a and 905 b according to the clock signal. Circuit. The selectors 903 s and 903 t correspond to the RotWord calculating unit 304 in the first embodiment.

  The AND circuits 907a and 907b calculate and output a product for each bit with respect to two 2-byte inputs.

  Next, a key schedule calculation process performed by the key schedule apparatus 900 configured as described above will be described. FIG. 14 is a diagram illustrating an example of data output at each clock of the key schedule calculation process according to the fourth embodiment.

(Time C ₀ ) The selectors 903 a to 903 h respectively receive the 2-byte keys “k _0,0 k _0,1 ”, “k _0,2 k _0,3 ”, “k” received as inputs of the key schedule device 900. _0,4 k _0,5 "," _k 0,6 _{k 0,7} "," _k 0,8 _{k 0,9} "," _{k 0,10 k 0,11} "," _{k 0,12 k 0, 13} ”and“ k _0,14 k _0,15 ”. Registers 920a through 920h hold their respective values as shown in FIG. 14 at the end of the clock period.

(Time C ₁ ) The registers 920a to 920h output the held values. Selector 903o and 903p, respectively registers 920g and register lower 1 byte _{"k 0, 13"} obtained output of 920h (2 bytes) is divided into byte by byte and _{"k 0, 15",} respectively selects and outputs To do. The selectors 903s and 903t select and output a 2-byte value obtained by adding 0 (1 byte) to the output of the SubByte arithmetic units 905a and 905b. The selectors 903q and 903r both select ff00 (2 bytes). Selectors 903a and 903b select and output the outputs of exclusive OR circuits 902a and 902b, respectively. The selectors 903c to 903h select and output the outputs of the registers 920c to 920h, respectively. The selectors 903i to 903n select and output 2-byte values obtained by adding 0 (1 byte) after the upper 1 byte obtained by dividing the outputs (2 bytes) of the registers 920a to 920f into bytes. To do. Note that the selectors 903i to 903n do not change the operation regardless of which value is selected.

Register 920g and each is held in 920h and _{"k 0, 12} k _{0, 13" "k 0, 14} k _{0, 15",} after being divided into bytes, and _{"k 0, 13" "k 0 , 15} "are selected and output by the selectors 903o and 903p, respectively, and converted by the SubByte arithmetic units 905a and 905b, respectively. The selectors 903 s and 903 t select the 2-byte values obtained by adding 0 (1 byte) after the outputs of the SubByte arithmetic units 905 a and 905 b, respectively, and the exclusive OR circuits 902 i and 902 j respectively perform the first round. Are added to the exclusive OR circuits 902a and 902b (each lower byte is 0).

In the exclusive OR circuits 902a and 902b, “k _0,0 k _0,1 ” and “k _0,2 k _0,3 ” held in the registers 920a and 920b are “k _1,0 k _{0,1”, respectively.} And “k _1,2 k _0,3 ” respectively. “K _0,4 k _0,5 ”, “k _0,6 k _0,7 ”, “k _0,8 k _0,9 ”, “k _0,10 k _0, respectively” held in the registers 920 c to 920 h, respectively _{. 11} "," _{k 0,12 k 0,13} ", and" _{k 0,14 k 0,15} "is updated to the same value. Registers 920a through 920h hold their respective values as shown in FIG. 14 at the end of the clock period.

(Time C ₂ ) The registers 920a to 920h output the held values. The selectors 903o and 903p select and output the upper 1 byte “k _0,12 ” and “k _0,14 ” obtained by dividing the output (2 bytes) of the register 920g and the register 920h for each byte, respectively. . The selectors 903 s and 903 t select and output a 2-byte value with 0 (1 byte) added before the output of the SubByte arithmetic units 905 b and 905 a. The selectors 903q and 903r both select 00ff (2 bytes). The selectors 903a to 903d select and output the outputs of the exclusive OR circuits 902a to 902d, respectively. Selectors 903e to 903h select and output the outputs of registers 920e to 920h, respectively. The selectors 903i to 903n select and output 2-byte values obtained by adding 0 (1 byte) after the upper 1 byte obtained by dividing the outputs (2 bytes) of the registers 920a to 920f into bytes. To do. Note that the selectors 903k to 903n do not change the operation regardless of which value is selected.

Register 920g and each is held in 920h and _{"k 0, 12} k _{0, 13" "k 0, 14} k _{0, 15",} after being divided into bytes, and _{"k 0, 12" "k 0 , 14} "are selected and output by the selectors 903o and 903p, respectively, and converted by the SubByte arithmetic units 905a and 905b, respectively. The selectors 903 s and 903 t select the 2-byte values with 0 (1 byte) added before the outputs of the SubByte arithmetic units 905 b and 905 a, respectively, and the exclusive OR circuits 902 i and 902 j respectively perform the first round. Are added to the exclusive OR circuits 902a and 902b (each lower byte is 0).

In the exclusive OR circuits 902a and 902b, the registers 920a and 920b, each of which holds a _"k 1, 0 _{k 0, 1", "k} 1, 2 _{k 0, 3", "k} 1, 0 _{k 1, 1} "And" k _1,2 k _1,3 ", respectively. “K _1,0 0” (2-byte data obtained by adding “0” to “k _1,0 ”) and “k _1,2 0” (“k _1,2 ”) selected by the selectors 903i and 903j, respectively. 2 bytes of data) with “0” added to them, respectively, are “k _0,2 k _0,3 ” and “k _0,4 k” held by the registers 920c and 920d in the exclusive OR circuits 902c and 902d, respectively. from _0,5 ', it is updated to the respective _"k 1, 2 _{k 0, 3"} and _"k l, 4 _{k 0,5".} Register _"k 0, 8 _{k 0, 9"} held in 920h from 92Oe, _{"k 0, 10} k _{0, 11", "k 0, 12} k _{0, 13",} and _{"k 0, 14} k _{0, 15} "is updated to the same value. Registers 920a through 920h hold their respective values as shown in FIG. 14 at the end of the clock period.

By the same process, a round key is updated until the time C _4. At time C ₅ , the round key is updated as shown in FIG. 14, and “k _1,0 k _1,1 ”, “k _1,2 k _1,3 ”, “k” held in the registers 930 a to 930 f are updated. _{1, 4} k _1,5 ”,“ k _1,6 k _1,7 ”,“ k _1,8 k _1,9 ”, and“ k _1,10 k _1,11 ”, and selectors 903 g and 903 h, respectively the output of the output _{"k 1,12 k 1,13"} and the _{"k 1,14 k 1,15"} as a round key to be used in the first round.

By the same process, the round key is updated is output further to time C _41.

In the fourth embodiment, in order to produce a calculation error in the round key 9 round, it is necessary to misleading calculated from time C ₃₆ at time C _40. However, 8 round of the round-key this time _"k 8,0 _k 8,1 _k 8,2 _{k 8,3", "k} 8,4 _k 8,5 _k 8,6 _{k 8,7",} "k _8,8 k _8,9 k _8,10 k _8,11 ", and" _{k 8,12 k 8,13 k 8,14 k 8,15} part of ", or, 10 round of the round-key" k _10,0 k _10,1 k _10,2 k _10,3 "," _{k 10,4 k 10,5 k 10,6 k 10,7} "," _{k 10,8 k 10,9 k 10,10 k 10, 11} ", and" _{k 10,12 k 10,13 k 10,14 k 10,15} 'may compute error and a part is caused, the fault use disclosed in non-Patent Document 1 It becomes difficult to obtain a secret key by analysis.

  A key schedule device that switches the update order of two bytes in the register 920a and a key schedule device that delays the timing of using the update contents of the register 920a for updating the register 920c by the same method as the circuit example described so far. It is configurable.

  As described above, in the key schedule device according to the fourth embodiment, a 16-byte round key is divided into units of 4 bytes, and predetermined 2 bytes among the bytes included in the 4 bytes in order from the first 4 bytes. The next round key can be calculated. As a result, it is possible to execute a safe key schedule calculation for failure utilization analysis while avoiding an increase in the amount of calculation for calculating additional information and the like.

(Fifth embodiment)
In the first to fourth embodiments, the configuration and operation of the circuit that implements the key schedule device have been described. In the fifth embodiment, a program for executing a key schedule calculation process for realizing a key schedule device will be described.

  In the following, a key schedule program that realizes the key schedule device of the second embodiment will be described. For other embodiments, a corresponding key schedule program can be configured by the same method.

  FIG. 15 is a block diagram illustrating an example of a hardware configuration of the key schedule apparatus 1100 according to the fifth embodiment. As illustrated in FIG. 15, the key schedule device 1100 includes an input / output unit 1101, a control unit 1102, an arithmetic device 1103, a main storage device 1104, and an auxiliary storage device 1105 as main hardware configurations. Yes.

  The input / output unit 1101 is connected to an input / output device capable of inputting / outputting data or a network line, inputs / outputs data, and accepts an encryption execution command. The input / output unit 1101 outputs information for displaying the encryption result.

  When the control unit 1102 receives an encryption execution command together with input data from the input / output unit 1101, the control unit 1102 executes the data encryption based on the program and data stored in the auxiliary storage device 1105. Commands are issued to 1103 and the main storage device 1104.

  The arithmetic unit 1103 receives data received based on an instruction from the control unit 1102 as input, performs bit operations such as copy, inversion, shift operation, sum, product, and exclusive OR operation, addition, multiplication, remainder calculation, etc. Performs arithmetic operations. The control unit 1102 and the arithmetic device 1103 can be configured by a CPU (Central Processing Unit) or the like.

  The main storage device 1104 temporarily stores data stored in the auxiliary storage device 1105 and data processed by the arithmetic device 1103. The main storage device 1104 can input and output data faster than the auxiliary storage device 1105, and is used for the purpose of speeding up the processing. The main storage device 1104 can be constituted by, for example, a RAM (Random Access Memory).

  The auxiliary storage device 1105 stores encryption processing programs and variables. The secret key used for the encryption process may be stored in the auxiliary storage device 1105 or may be received from the input / output unit 1101 every time the encryption process is executed. The auxiliary storage device 1105 can be configured by, for example, an HDD (Hard Disk Drive).

  The key schedule program executed by the key schedule device 1100 is a file in an installable format or an executable format and is a CD-ROM (Compact Disk Read Only Memory), a flexible disk (FD), a CD-R (Compact Disk). The program is recorded on a computer-readable recording medium such as a recordable (DVD) or a DVD (Digital Versatile Disk).

  Alternatively, the key schedule program executed by the key schedule device 1100 may be stored on a computer connected to a network such as the Internet and provided by being downloaded via the network. Further, the key schedule program executed by the key schedule device 1100 may be provided or distributed via a network such as the Internet.

  Further, the key schedule program may be provided by being incorporated in advance in a ROM or the like.

  The key schedule program executed by the key schedule device 1100 has a module configuration including the above-described schedule unit. As actual hardware, the CPU (control unit) reads the key schedule program from the storage medium and executes it. As a result, the schedule section is loaded on the main storage device 1104 and is generated on the main storage device 1104.

  Next, the configuration of the main storage device 1104 for storing various data used in the key schedule calculation process will be described. FIG. 16 is a diagram illustrating a configuration example of an area secured in the main storage device 1104. As shown in FIG. 16, the main storage device 1104 performs MeA [i], MemB [i], MemC [i], MemD [i], 4 bytes (32 bits), respectively, for the key schedule calculation process. And each area of MemT [j] (i = 0, 1, 2, 3, j = 0, 1) is secured.

  MemA [i] and MemB [i] are areas for storing a part of the round key. MemB [i] stores a round key corresponding to one round ahead of the round key stored in MemA [i]. MemC [i] stores the result of calculating the exclusive OR of MemA [i] and MemB [i]. MemD [i] stores the result of calculating the exclusive OR with MemA [i] calculated in the same step by copying the data stored in MemB [i] at the beginning of each step. MemT [j] temporarily stores information for updating the round key in the next step.

  Next, a key schedule calculation process by the key schedule apparatus 1100 according to the fifth embodiment configured as described above will be described with reference to FIG. FIG. 17 is a flowchart showing an overall flow of the key schedule calculation process in the fifth embodiment.

  First, the schedule unit generated on the main storage device 1104 secures each area as shown in FIG. 16 on the main storage device 1104 and initializes it with a predetermined value. Then, the schedule unit stores the input secret key in a predetermined area (step S1701).

  Next, the schedule unit calculates a part of the round key for the first round (step S1702). Further, the schedule unit calculates the remaining part of the round key of the round calculated in the previous step and a part of the round key of the next round (step S1703).

  Next, the scheduling unit determines whether or not a part of the round key for the tenth round has been calculated (step S1704). If not calculated (step S1704: NO), the process is further repeated (step S1703). When it is calculated (step S1704: YES), the schedule unit calculates the remaining part of the round key of the tenth round (step S1705), and ends the key schedule calculation process.

Next, the details of the flowchart described with reference to FIG. 17 will be further described with reference to FIGS. 18 to 24 are diagrams illustrating an example of data stored in the area of the main storage device 1104 after execution of each processing cycle. The following describes the details from time C ₀ of the second embodiment of the processing in each processing cycle from the step S ₀ corresponding respectively to the C ₁₁ to step S _11.

Incidentally, steps _{S 0} below, corresponding to step S1701 of FIG. 17. Further, step _{S 1} is corresponding to step S1702 of FIG. 17. Further, the step _{S 10} from step _{S 2,} corresponding to step S1704 from step S1703 in FIG. 17. Further, step _{S 11} corresponds to step S1705 in FIG. 17.

(Step S ₀ (initialization)) 16-byte (128-bit) keys “k _0,0 k _0,1 k _0,2 k _0,3 ”, “k _0,4 k _0,5 k _0,6 k _0,7 "," _k 0,8 _k 0,9 _{k 0,10 k 0,11} ", and If you accept the" _{k 0,12 k 0,13 k 0,14 k 0,15} ", MemC [i ] Stores 4 bytes each. MemA [i], MemB [i], MemD [i] (i = 0, 1, 2, 3), and MemT [1] are initialized with 0x00000000 (4 bytes). MemT [0] stores a bit product of MemC [3] and 0xff00ff00 (4 bytes). At the end of step S ₀ , each area stores the values shown in FIG.

(Step S ₁ ) Overwrite MemD [i] with the bit product of MemC [i] and 0xff00ff00 (4 bytes). At this time, for i = 1, 2, 3, MemD [i] stores 4 bytes of “k _{0, 4 * i} 0k _{0, 4 * i + 2} 0”.

The bit product of MemC [i] and 0x00ff00ff (4 bytes) is stored in MemA [i]. At this time, for i = 1, 2, 3, 4 bytes of “0k _{0, 4 * i + 1} 0k _{0, 4 * i + 3} ” are stored in MemA [i].

The bit product of MemC [i] and 0xff00ff00 (4 bytes) is stored in MemB [i]. At this time, for i = 1, 2, 3, MemB [i] stores 4 bytes of “k _{0, 4 * i} 0k _{0, 4 * i + 2} 0”.

MemB [i] is updated as follows. A SubByte operation defined by the AES specification is performed on each byte on the value obtained by cyclically shifting MemA [3] to the left by 8 bits. In practice, it is sufficient to perform the SubByte operation only on the first byte and the third byte. Further, after adding the round constant of the first round defined by the AES specification (exclusive OR operation), the exclusive logic of MemB [0] and the value obtained by performing bit product with 0xff00ff00 (4 bytes) Calculate the sum operation and overwrite MemB [0]. At this time, MEMA [3] is stored is _"0k 0, 13 _{0k 0, 15"} of 4 bytes, are stored in the _"k 1,0 _{0k 1,2} 0" of 4 bytes for memb [0] . For i = 1, 2, 3, MemB [i] is overwritten with the exclusive OR of MemB [i] and MemB [i-1]. At this time, for i = 1, 2, 3, MemB [i] stores 4 bytes of “k _{1, 4 * i} 0k _{1, 4 * i + 2} 0”.

Overwrite MemC [i] with the exclusive OR of MemA [i] and MemB [i]. At this time, for i = 0, 1, 2, 3, MemC [i] has 4 bytes of “k _{1,4 * i} k _{0,4 * i + 1} k _{1,4 * i + 2} k _{0,4 * i + 3} ”. Remembered.

Overwrite MemD [i] with the exclusive OR of MemD [i] and MemA [i]. At this time, for i = 0, 1, 2, 3, MemD [i] has 4 bytes of “k _{0, 4 * i} k _{0, 4 * i + 1} k _{0, 4 * i + 2} k _{0, 4 * i + 3} ”. Remembered. Mek [i] stores “k _0,0 k _0,1 k _0,2 k _0,3 ”, “k _0,4 k _0,5 k _0,6 k _0,7 ”, “k _0,8 ” k _0,9 k _0,10 k _0,11 ", and outputs" _{k 0,12 k 0,13 k 0,14 k 0,15} "as an initial key.

MemT [1] stores a bit product of MemC [3] and 0xff00ff00 (4 bytes). Step S ₁ at the end, each region stores a value shown in FIG. 19.

(Step S ₂ ) Overwrite MemD [i] with a bit product of MemC [i] and 0xff00ff00 (4 bytes). At this time, for i = 1, 2, 3, 4-byte “k _{1, 4 * i} 0k _{1, 4 * i + 2} 0” is stored in MemD [i].

Update MemA [i] as follows. A SubByte operation defined by the AES specification is performed on each byte on the value obtained by cyclically shifting MemT [0] to the left by 8 bits. In practice, it is sufficient to perform the SubByte operation only on the second byte and the fourth byte. Furthermore, after adding the round constant of the first round defined by the AES specification (exclusive OR operation), the exclusive logic of the value obtained by performing bit product with 0xff00ff00 (4 bytes) and MemA [0] Calculate the sum operation and overwrite MemA [0]. At this time, 4-byte “0k _1,1 0k _1,3 ” is stored in MemA [0]. For i = 1,2,3, MemA [i] is overwritten with an exclusive OR of MemA [i] and MemA [i-1]. At this time, for i = 1, 2, 3, MemA [i] stores 4 bytes of “0k _{1, 4 * i + 1} 0k _{1, 4 * i + 3} ”.

MemB [i] is updated as follows. A SubByte operation defined by the AES specification is performed on each byte on the value obtained by cyclically shifting MemA [3] to the left by 8 bits. In practice, it is sufficient to perform the SubByte operation only on the first byte and the third byte. Further, after adding the round constant of the second round defined by the AES specification (exclusive OR operation), the exclusive logic of the value obtained by performing bit product with 0xff00ff00 (4 bytes) and MemB [0] Calculate the sum operation and overwrite MemB [0]. At this time, MEMA [3] is stored in the _"0k 1, 13 _{0k 1, 15"} of 4 bytes, a _"k 2,0 _{0k 2,2} 0" of 4 bytes is stored in the MemB [0]. For i = 1, 2, 3, the value stored in MemB [i] is overwritten with the exclusive OR of MemB [i] and MemB [i−1]. At this time, for i = 1, 2, 3, MemB [i] stores “k _{2, 4 * i} 0k _{2, 4 * i + 2} 0” in 4 bytes.

Overwrite MemC [i] with the exclusive OR of MemA [i] and MemB [i]. At this time, for i = 0, 1, 2, 3, MemC [i] has 4 bytes of “k _{2,4 * i} k _{1,4 * i + 1} k _{2,4 * i + 2} k _{1,4 * i + 3} ”. Remembered.

Overwrite MemD [i] with the exclusive OR of MemD [i] and MemA [i]. At this time, for i = 0, 1, 2, 3, MemD [i] has 4 bytes of “k _{1,4 * i} k _{1,4 * i + 1} k _{1,4 * i + 2} k _{1,4 * i + 3} ”. Remembered. “K _1,0 k _1,1 k _1,2 k _1,3 ”, “k _1,4 k _1,5 k _1,6 k _1,7 ”, “k _1,8 ” stored in MemD [i] k _1,9 k _1,10 k _1,11 ", and outputs" _{k 1,12 k 1,13 k 1,14 k 1,15} "as a round key to be used in the first round.

MemT [0] stores a bit product of MemC [3] and 0xff00ff00 (4 bytes). Step S The ₂ end, each region stores a value shown in FIG. 20.

(Step S ₃ ) The roles of MemT [0] and MemT [1] are switched, the same processing as Step S ₂ is performed, the values are updated to the values shown in FIG. 21, and “k ₂ ” stored in MemD [i] is stored. _{, 0} k _2,1 k _2,2 k _2,3 "," k _2,4 k _2,5 k _2,6 k _2,7 "," k _2,8 k _2,9 k _2,10 k _{2 , 11} ", and outputs" _{k 2,12 k 2,13 k 2,14 k 2,15} "as a round key to be used in the second round.

The same process is repeated from step S ₄ through step S _10, updates the value of each region, and outputs round keys. Incidentally, FIGS. 22 and 23 show the values stored in the area of the main memory 1104 after performing Step _{S 9} and step _{S 10,} respectively.

(Step S ₁₁ ) Overwrite MemD [i] with the bit product of MemC [i] and 0xff00ff00 (4 bytes). At this time, for i = 1, 2, 3, MemD [i] stores 4-byte “k _{10, 4 * i} 0k _{10, 4 * i + 2} 0”.

Update MemA [i] as follows. A SubByte operation defined by the AES specification is performed on each byte on the value obtained by cyclically shifting MemT [1] to the left by 8 bits. In practice, it is sufficient to perform the SubByte operation only on the second byte and the fourth byte. Further, after adding the round constant of the 10th round defined by the AES specification (exclusive OR operation), the exclusive logic of the value obtained by performing bit product with 0xff00ff00 (4 bytes) and MemA [0] Calculate the sum operation and overwrite MemA [0]. At this time, 4-byte “0k _10,1 0k _10,3 ” is stored in MemA [0]. For i = 1,2,3, MemA [i] is overwritten with an exclusive OR of MemA [i] and MemA [i-1]. At this time, for i = 1, 2, 3, MemA [i] stores 4 bytes of “0k _{10, 4 * i + 1} 0k _{10, 4 * i + 3} ”.

MemB [i] and MemC [i] do not update values. It is also possible to perform the same processing until step S _10, but the value to be updated is not actually used. In FIG. 24, this value is represented by the symbol “---” to indicate that it is not used.

Overwrite MemD [i] with the exclusive OR of MemD [i] and MemA [i]. At this time, for i = 0, 1, 2, 3, MemD [i] has 4 bytes of “k _{10, 4 * i} k _{10, 4 * i + 1} k _{10, 4 * i + 2} k _{10, 4 * i + 3} ”. Remembered. Storing of MemD [i] _{"k 10,0 k 10,1 k 10,2 k 10,3", "k 10,4 k 10,5 k 10,6 k 10,7", "k 10,8} k _10,9 k _10,10 k _10,11 ", and outputs" _{k 10,12 k 10,13 k 10,14 k 10,15} "as a round key to be used in the 10 th round.

MemT [0] stores a bit product of MemC [3] and 0xff00ff00 (4 bytes). The step S ₁₁ at the end, each region stores a value shown in FIG. 24.

In the fifth embodiment, in order to produce a calculation error in the round key 9 round, it is necessary to falsify the calculation in step S ₉ or step S _10. However, 8 round of the round-key this time _"k 8,0 _k 8,1 _k 8,2 _{k 8,3", "k} 8,4 _k 8,5 _k 8,6 _{k 8,7",} "k _8,8 k _8,9 k _8,10 k _8,11 ", and" _{k 8,12 k 8,13 k 8,14 k 8,15} part of ", or, 10 round of the round-key" k _10,0 k _10,1 k _10,2 k _10,3 "," _{k 10,4 k 10,5 k 10,6 k 10,7} "," _{k 10,8 k 10,9 k 10,10 k 10, 11} ", and" _{k 10,12 k 10,13 k 10,14 k 10,15} 'may compute error and a part is caused, the fault use disclosed in non-Patent Document 1 It becomes difficult to obtain a secret key by analysis.

  Thus, in the key schedule device according to the fifth embodiment, the same processing as that of the key schedule device of the second embodiment can be realized by the program.

  As described above, the apparatus, method, and program according to the present invention are suitable for an apparatus, method, and program that execute a key schedule of a common key cryptosystem such as AES.

It is a block diagram which shows the structure of the key schedule apparatus concerning 1st Embodiment. It is a circuit diagram showing an example of a key schedule device of a 1st embodiment. It is a figure which shows an example of the data output with each clock of the key schedule calculation process in 1st Embodiment. It is a block diagram which shows the structure of the key schedule apparatus concerning 2nd Embodiment. It is a circuit diagram which shows an example of the key schedule apparatus of 2nd Embodiment. It is a figure which shows an example of the data output with each clock of the key schedule calculation process in 2nd Embodiment. It is a circuit diagram which shows an example of the key schedule apparatus concerning the modification of 2nd Embodiment. It is a figure which shows an example of the data output with each clock of the key schedule calculation process in the modification of 2nd Embodiment. It is a block diagram which shows the structure of the key schedule apparatus concerning 3rd Embodiment. It is a circuit diagram which shows an example of the key schedule apparatus of 3rd Embodiment. It is a figure which shows an example of the data output with each clock of the key schedule calculation process in 3rd Embodiment. It is a block diagram which shows the structure of the key schedule apparatus concerning 4th Embodiment. It is a circuit diagram which shows an example of the key schedule apparatus of 4th Embodiment. It is a figure which shows an example of the data output with each clock of the key schedule calculation process in 4th Embodiment. It is a block diagram which shows an example of the hardware constitutions of the key schedule apparatus concerning 5th Embodiment. It is a figure which shows the structural example of the area | region ensured in a main memory. It is a flowchart which shows the whole flow of the key schedule calculation process in 5th Embodiment. It is a figure which shows an example of the data stored in the area | region of a main memory. It is a figure which shows an example of the data stored in the area | region of a main memory. It is a figure which shows an example of the data stored in the area | region of a main memory. It is a figure which shows an example of the data stored in the area | region of a main memory. It is a figure which shows an example of the data stored in the area | region of a main memory. It is a figure which shows an example of the data stored in the area | region of a main memory. It is a figure which shows an example of the data stored in the area | region of a main memory.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Key schedule apparatus 200 Encryption apparatus 310 Schedule part 311 Operation part 312 Update part 313 Output part 320 1st memory | storage part 320a-320d Register 330 2nd memory | storage part 330a, 330b Register 302a-302d Exclusive OR circuit 303a-303e selection Unit 304 RotWord arithmetic unit 305 SubByte arithmetic unit 306 AddRCon arithmetic unit 500 key schedule device 510 schedule unit 520 first storage unit 520a to 520p register 530 second storage unit 530a to 530h register 501y, 501z register 502a to 502p exclusive OR circuit 503a to 503t selector 506 AddRCon operation unit 550 key schedule device 553a to 553t selector 700 key schedule device 7 0 schedule part 720 first storage part 720a to 720d register 730 second storage part 730a to 730h register 702a to 702h exclusive OR circuit 703a to 703d selector 900 key schedule device 910 schedule part 920 first storage part 920a to 920h register 930 Second storage unit 930a to 930f Register 902a to 902h Exclusive OR circuit 903a to 903t Selector 905a, 905b SubByte operation unit 907a, 907b AND circuit 1100 Key schedule device 1101 Input / output unit 1102 Control unit 1103 Main unit 1104 Device 1105 Auxiliary storage device

Claims (8)

A key schedule device that schedules a round key to be used in each round of block ciphers,
A first storage unit that stores a plurality of round keys corresponding to each of a plurality of rounds;
For each predetermined processing cycle, an update target key that represents one of a plurality of round keys stored in the first storage unit and a part of at least one round key among the plurality of round keys is acquired. And, based on the acquired update target key, a calculation unit that calculates a round key of the next round of the acquired update target key round;
An update unit that updates the update target key of the first storage unit with the calculated round key for each processing cycle;
A key schedule device comprising: The first storage unit is a first element among the elements constituting the round key and a round key element of a round after the first element round, and corresponds to elements other than the first element. Remember two elements,
The computing unit obtains the first element and the second element as the update target key for each processing cycle, and the round key of the next round of the first element round from the obtained first element Calculating an element corresponding to the second element of the round key of the round next to the round of the second element from the acquired second element;
The update unit is an element corresponding to the calculated first element, updates the first element of the first storage unit, and is an element corresponding to the calculated second element, the first storage unit Updating the second element of
The key schedule apparatus according to claim 1. The first storage unit further stores the input secret key as an initial value of a round key,
The computing unit further acquires the first element of the initial value of a round key as the update target key in the first processing cycle, and the first round key of the first round from the acquired first element. Calculate the element corresponding to the element,
The updating unit further updates the first element of the initial value of the round key in the first storage unit with an element calculated for the first element of the initial value of the round key;
The key schedule device according to claim 2. The calculation unit acquires each of a plurality of elements constituting a round key of an arbitrary round as the update target key in any of the plurality of processing cycles, and based on the acquired elements, the round of the acquired elements Calculating the element corresponding to the acquired element among the elements of the round key of the next round of
The key schedule apparatus according to claim 1. The first storage unit is a first element among the elements constituting the round key and a round key element of a round after the first element round, and corresponds to elements other than the first element. Remember two elements,
A second storage unit that stores an element corresponding to the second element among the elements constituting the round key including the first element;
An output unit that outputs the first element stored in the first storage unit and the element corresponding to the second element stored in the second storage unit;
The key schedule apparatus according to claim 1. The computing unit calculates a round key using a round constant determined in advance according to the round of the update target key;
The key schedule apparatus according to claim 1. There is a key scheduling method for scheduling round keys to be used in each round of block ciphers,
The arithmetic unit, for each predetermined processing cycle, a plurality of round keys corresponding to each of the plurality of rounds stored in the first storage unit, a part of at least one round key among the plurality of round keys, A calculation step of obtaining an update target key representing any one of the following, and calculating a round key of the next round of the round of the acquired update target key based on the acquired update target key;
An update unit updates the update target key of the first storage unit with the calculated round key for each processing cycle;
A key schedule method comprising: A key schedule program that is executed by a key schedule device that schedules a round key to be used in each round of a block cipher method,
The key schedule device;
For each predetermined processing cycle, one of a plurality of round keys corresponding to each of the plurality of rounds stored in the first storage unit and a part of at least one round key among the plurality of round keys. A calculation unit that obtains an update target key to be represented, and calculates a round key of a round next to the round of the acquired update target key based on the acquired update target key;
An update unit that updates the update target key of the first storage unit with the calculated round key for each processing cycle;
Key schedule program to function as

Images