JP5528281B2 - Hash value arithmetic unit - Google Patents

Description

  The present invention relates to a technique for calculating a highly secure hash value, for example.

  The hash function is a function that takes an arbitrary length value as input and outputs a fixed length value.

Non-Patent Documents 1 to 3 describe a configuration method of a hash function having an output length of 2n bits that satisfies the collision difficulty property using an encryption function of a block cipher having an output length of n bits.
Here, in order for the hash functions in Non-Patent Documents 1 to 3 to satisfy the collision difficulty property, the encryption function to be used needs to be an encryption function in an idealized block cipher.

Non-Patent Documents 4 and 5 describe a method of constructing a hash function having an output length of n bits and satisfying the characteristics of a pseudo-random oracle using an encryption function of a block cipher having an output length of s bits. However, s is an integer greater than or equal to n.
Here, in order for the hash function in Non-Patent Documents 4 and 5 to satisfy the properties of pseudo-random oracle, the encryption function to be used needs to be an encryption function in an idealized block cipher. The security level of the hash function safety in Non-Patent Documents 4 and 5 is O (2 ^{s / 2} ) or less. Note that the security level of safety is a calculation amount required to break the property of the pseudo-random oracle.

Non-Patent Document 6 describes a pseudo-random oracle using a function that satisfies the characteristics of a random oracle with a fixed input and output, and an arbitrary-length input and a fixed-length output that satisfy the properties of PrA (Preage Aware). There is a description about constructing a hash function that satisfies the properties. In Non-Patent Document 6, a block cipher encryption function having an output length of n bits is used as a function having PrA properties.
Here, in order for the hash function in Non-Patent Document 6 to satisfy the properties of a pseudo-random oracle, the encryption function to be used needs to be an encryption function in an idealized block cipher.

O. Ozen and M.M. Stam. Another Glance at Double-length Hashing. IMA Int. Conf. 2009. pp176-201. LNCS 5921. S. Hirose. Some Plausible Constructions of Double-Block-length Hash Functions. FSE 2006. 210-225. LNCS 4047. X. Lai and J.H. Massey: Hash Function Based on Block Ciphers. EUROCRYPT 1992. pp55-70. LNCS 653. Shoichi Hirose, Je. Park, and A.A. Yun. A Simple Variant of the Markle-Damgard Scheme with a Permutation. ASIACRYPT 2007. pp113-129. LNCS 4833. J. et al. -S. Coron, Y.M. Dodis, C.I. Malinaud, and P.M. Puniya. Merkle-Damgard Revisited: How to Structure a Hash Function. CRYPTO 2005. pp430-448. LNCS 3621. Y. Dodis, T .; Ristenpart, and T.R. Shripton. Salvaging Merkle-Damgard for Practical Applications. EUROCRYPT 2009. pp371-388. LNCS 5479.

The hash functions described in Non-Patent Documents 1 to 3 are hash functions using block cipher encryption functions, but do not satisfy the properties of pseudo-random oracles.
The hash functions described in Non-Patent Documents 4 and 5 are hash functions using block encryption functions. This hash function is an encryption function in the block cipher in which the encryption function to be used is ideal. When the output length is n bits, the hash function satisfies the property of pseudo-random oracle, but the security level of safety is O ( 2 ^{n / 2} ).
The hash function described in Non-Patent Document 6 needs to use a function that has a fixed input / output and satisfies the characteristics of a random oracle.
The present invention, for example, satisfies the properties of a pseudo-random oracle using an encryption function of a block cipher with an output length of n bits without using a function that satisfies the properties of a random oracle, and has a security level of security. The object is to construct a hash function in which at least O (2 ⁿ ).

The hash value calculation device according to the present invention is:
An arbitrary length value input unit for inputting an arbitrary bit length value M;
A function calculation unit that calculates a function F by using the value M input by the arbitrary length value input unit to obtain a value w of t-bit length (t is an integer of 1 or more);
A key component calculation unit that receives a value w obtained by the function calculation unit and calculates a function g to obtain a value k having a d-bit length (d is an integer equal to or greater than t);
Using the value k generated by the key component calculation unit as a key component and the n-bit predetermined value c1 as a plaintext component, the block cipher encryption function E1 is calculated and n-bit length (n is an integer of 1 or more) An encryption function E1 calculation unit for obtaining the value y of
An encryption function that calculates a block cipher encryption function E2 by using the value k generated by the key component calculation unit as a key component and a predetermined value c2 having an n-bit length as a plaintext component to obtain an n-bit length value yy An E2 calculator,
Using the value y obtained by the encryption function E1 calculation unit and the value yy obtained by the encryption function E2 calculation unit as input, the function h is calculated and an n ′ bit length (n ′ is 1 to 2n) A hash value calculation unit that obtains an integer) value z as a hash value.

According to the hash value calculation device according to the present invention, if the encryption function of the block cipher to be used is an encryption function in an idealized block cipher, the pseudo-random oracle property is satisfied and the security level of safety is high. A hash function can be configured to be O (2 ⁿ ) (n is the output length of the encryption function).

FIG. 3 is a functional block diagram illustrating functions of the hash value calculation device 10 according to the first embodiment. The flowchart which shows operation | movement of the hash value calculating apparatus 10 which concerns on Embodiment 1 shown in FIG. FIG. 3 is a structural diagram of a hash function realized by the hash value calculation device 10 according to the first embodiment shown in FIG. 1. FIG. 4 is a functional block diagram showing functions of a hash value calculation device 10 according to the second embodiment. 5 is a flowchart showing an operation of the hash value calculation apparatus 10 according to the second embodiment shown in FIG. FIG. 5 is a structural diagram of a hash function realized by the hash value calculation device 10 according to Embodiment 2 shown in FIG. 4. FIG. 10 is a functional block diagram illustrating functions of a function calculation unit 12 according to a third embodiment. 8 is a flowchart showing the operation of a function calculation unit 12 according to the third embodiment shown in FIG. The structure figure of the function F implement | achieved by the function calculation part 12 which concerns on Embodiment 3 shown in FIG. FIG. 10 is a functional block diagram illustrating functions of a function calculation unit 12 according to a fourth embodiment. 11 is a flowchart showing the operation of the function calculation unit 12 according to the fourth embodiment shown in FIG. FIG. 11 is a structural diagram of a hash function realized by the function calculation unit 12 according to the fourth embodiment shown in FIG.

Embodiment 1 FIG.
First, the concept of security of the hash function will be described.

A hash function that satisfies the characteristics of a random oracle is an ideal hash function.
The hash function H satisfying the characteristics of the random oracle is a hash function to which the following 1 and 2 are given.
1. (List): It has a list in which pairs of all input values and output values randomly selected for each input value are recorded.
2. (Oracle that outputs a value in the forward direction): For the input value x, search the output value z for the input value x from the list, and output the value z. That is, a value z satisfying H (x) = z is output.

A hash function that satisfies the properties of a random oracle satisfies the following three properties: “(1) collision difficulty”, “(2) second original image calculation difficulty”, and “(3) original image calculation difficulty”.
The definition of each property of (1) to (3) is as follows. In the following definition, “H” indicates a hash function. “M” and “M ′ (≠ M)” indicate input values of the hash function H. “H (x)” indicates an output (hash value) of the hash function H to which x is input.

(1) A hash function that satisfies the collision difficulty is a hash function in which it is difficult to find two input values M and M ′ that satisfy “H (M) = H (M ′)”. That is, the collision difficulty is a property that it is difficult to obtain a plurality of input values having the same hash value.
(2) A hash function that satisfies the second original image calculation difficulty is to find an input value M ′ that satisfies “H (M) = H (M ′)” when a random input value M is given. It is a difficult hash function. That is, the second original image calculation difficulty is a property that it is difficult to obtain a second input value having the same hash value as the first input value.
(3) A hash function satisfying the original image calculation difficulty is a hash function in which it is difficult to find M satisfying “z = H (M)” when a random value z is given. That is, the original image calculation difficulty is a property that it is difficult to obtain an input value corresponding to a hash value.

(1) to (3) In each of the properties, (1) a hash function satisfying the collision difficulty satisfies (2) a second original image calculation difficulty, and (2) a hash function satisfying the second original image calculation difficulty. There is a relationship that (3) the original image calculation difficulty is satisfied.
In addition, (3) a hash function with a broken original image calculation difficulty (a hash function that does not satisfy the original image calculation difficulty) has (1) a collision difficulty and (2) a second original image calculation difficulty. There is a relationship of not satisfying. That is, the hash function whose original image calculation difficulty has been broken is a function that does not satisfy the properties (1) to (3) that should be satisfied by the secure hash function, and is generally unusable because of its low security.

Standard public key cryptography, RSA-OAEP (RSA-Optical Encryption Padding), which is an electronic signature algorithm, RSA-KEEM (RSA-Key Encapsulation Mechanism), RSA-PSS (RSA-Probabilistic Science), etc. It is safe to assume that the hash function satisfies random oracle properties.
However, it is known that it is difficult to realize a hash function that satisfies the characteristics of a random oracle. Therefore, when implementing these public key cryptography and digital signature algorithms, a hash function such as SHA-256 (Secure Hash Algorithm-256) is used instead of a hash function that satisfies the characteristics of a random oracle.

When the above-described public key cryptography and electronic signature algorithm are implemented using a hash function that does not satisfy the characteristics of a random oracle, the security is not necessarily guaranteed. However, there is a concept of pseudo-random oracle as a concept for guaranteeing the safety.
Here, an internal function used in the hash function is P, and a hash function configured using P is H [P]. The fact that H [P] satisfies the property of pseudo-random oracle means that there exists a simulator S that simulates P such that any discriminator cannot distinguish H [P] from a hash function that satisfies the property of random oracle. It is.

  If H [P] satisfies the properties of pseudo-random oracle, H [P] satisfies the properties of (1) collision difficulty, (2) second original image calculation difficulty, and (3) original image calculation difficulty. . A cryptographic algorithm that is secure when using a hash function that satisfies the characteristics of a random oracle is guaranteed to be secure even when H [P] is used.

The hash function satisfying the properties of PrA is that the internal function used in the hash function is P, and the hash function configured using P is H [P]. H [P] satisfies the collision difficulty, and the selection source It is a hash function that satisfies image calculation difficulty.
Here, when H [P] satisfies the difficulty of calculating the selected original image, an arbitrary attacker A determines the output value z of the hash function (however, at this point, A does not know the input value). In this case, the attacker A cannot obtain the input value of z when trying to obtain the input value.

In the block cipher (E, D), E is an encryption function and D is a decryption function. The encryption function E receives two values, d bits and n bits, and outputs an n bit value. When the d-bit value is fixed to the value k, E (k,...) is an n-bit replacement function.
If k is fixed and the forward permutation calculation is the function E (k,...), the decoding function D is the function E ⁻¹ (k ^,.
An idealized block cipher is a block cipher function when one block cipher function is randomly obtained from a set of all block cipher functions.

It is known that it is difficult to realize an ideal block cipher. Therefore, when realizing a hash function that satisfies the properties of a pseudo-random oracle such as the hash functions described in Non-Patent Documents 4 and 5, instead of an idealized block cipher, for example, (1) collision difficulty, It is conceivable to use a function satisfying properties corresponding to the three properties of (2) second original image calculation difficulty and (3) original image calculation difficulty. That is, (1) the property that it is difficult to obtain a plurality of input values having the same output value, and (2) the property that it is difficult to obtain a second input value that has the same output value as the first input value. (3) It is conceivable to use a function that satisfies the three properties of being difficult to obtain the input value corresponding to the output value.
In this case, since an ideal block cipher is not used, the obtained hash function is not a hash function that satisfies the properties of a pseudo-random oracle. However, it has been proved to be safe when a function satisfying the properties of a random oracle is used, and thus it is recognized that there is a certain degree of safety.

In the following description, a hash function using an encryption function in an ideal block cipher will be described in the same manner as the hash functions described in Non-Patent Documents 4 and 5. Similar to the hash functions described in Non-Patent Documents 4 and 5, the hash function described below satisfies the characteristics of a pseudo-random oracle when the block cipher to be used is an encryption function in an ideal block cipher.
However, in the hash function described below, the output length of the encryption function of the block cipher necessary for satisfying the security equivalent to the hash functions described in Non-Patent Documents 4 and 5 may be half or less. That is, the output length of the encryption function to be used is smaller than that of the hash functions described in Non-Patent Documents 4 and 5. Therefore, for example, when the hash function described below is realized by a circuit, the circuit scale can be reduced.

  Next, the hash function according to Embodiment 1 will be described.

FIG. 1 is a functional block diagram illustrating functions of the hash value calculation device 10 according to the first embodiment.
FIG. 2 is a flowchart showing the operation of the hash value calculation apparatus 10 according to the first embodiment shown in FIG.
FIG. 3 is a structural diagram of a hash function realized by the hash value calculation apparatus 10 according to the first embodiment shown in FIG. In FIG. 3, the bit length of each value is shown in parentheses below each value. For example, the value M is an arbitrary length, and the value w is t bits long.

The function and operation of the hash value calculation device 10 shown in FIG. 1 will be described with reference to FIGS.
The hash value calculation device 10 shown in FIG. 1 includes an arbitrary length value input unit 11, a function calculation unit 12, a key component calculation unit 13, an encryption function E1 calculation unit 14, an encryption function E2 calculation unit 15, and a hash value calculation unit 16. Is provided.

(S1: Arbitrary length input step)
The arbitrary length value input unit 11 inputs an arbitrary bit length value M from the input device.

(S2: Function F calculation step)
The function calculation unit 12 receives the value M input in (S1), calculates the function F, and obtains a value w having a t-bit length (t is an integer of 1 or more) by the processing device.

(S3: Function g calculation step)
The key component calculation unit 13 receives the value w obtained in (S2) as an input, calculates the function g, and obtains a value k having a d-bit length (d is an integer equal to or greater than t) by the processing device.

(S4: Encryption function E1 calculation step)
The encryption function E1 calculation unit 14 calculates the encryption function E1 using the value k obtained in (S3) as a key component and the fixed value c1 having an n-bit length (n is an integer of 1 or more) as a plaintext component. Then, a value y having an n-bit length is obtained by the processing device.

(S5: Encryption function E2 calculation step)
The encryption function E2 calculation unit 15 calculates the encryption function E2 by using the value k obtained in (S3) as a key component and the fixed value c2 having an n-bit length as a plaintext component to obtain an n-bit value yy. It is determined by the processing device.
Note that (S4) and (S5) may be executed in parallel.

(S6: Hash value calculation step)
The hash value calculation unit 16 receives the value y obtained in (S4) and the value yy obtained in (S5) as input, calculates a function h, and has an n ′ bit length (where n ′ is 1). The value z of an integer of 2n or less is obtained as a hash value.

  That is, the hash value calculation apparatus 10 according to Embodiment 1 configures a hash function using the function F, the function g, the encryption function E1, the encryption function E2, and the function h.

The function F is a function that receives a value M having an arbitrary length and outputs a value w having a t-bit length.
The function F will be described in detail in a later embodiment.

The function g is a function that receives a value w having a t-bit length and outputs a value k having a d-bit length.
The function g is, for example, a function that bit-combines the input value w and the value c using a fixed value c having a (dt) bit length. The method of bit combination may be w || c, c || w, or the bit of value c and the bit of value w may be shuffled according to a predetermined rule and combined in an arbitrary order. . The symbol “||” means a combination of bit strings. That is, if w || c, it means that the value c is added after the value w, and if c || w, it means that the value w is added after the value c.

The encryption function E1 is a block cipher encryption function that receives a value k of d bits and a value c1 of n bits and outputs an n bit value. Similarly, the encryption function E2 is a block cipher encryption function that receives a value k of d bits and a value c2 of n bits and outputs a value of n bits.
The encryption function E1 and the encryption function E2 may be the same function or different functions. However, when the encryption function E1 and the encryption function E2 are the same function, the value c1 and the value c2 are set to different values.

The function h is a function that inputs two n-bit length values y and yy and outputs an n′-bit length value.
The function h is, for example, a function that bit-combines two input values y and yy, and selects n ′ bits from the bits and outputs them. Note that the method of bit-combining the value y and the value yy may be the same as the method of bit-combining the value w and the value c in the function g. May be combined.

  The hash function realized by the hash value computing device 10 according to the first embodiment is an encryption function in a block cipher in which the function F satisfies the properties of PrA and the encryption functions E1 and E2 are idealized. Satisfy the properties of pseudo-random oracles.

  Note that the encryption functions E1 and E2 shown in FIG. 3 are replaced functions when the input (value k in FIG. 3) with a triangular mark is fixed. Similarly, in the following embodiments, when the input of the portion marked with a triangle in the figure is fixed, the encryption function is a replacement function.

Embodiment 2
In the second embodiment, a hash function different from that in the first embodiment will be described.

FIG. 4 is a functional block diagram illustrating functions of the hash value calculation apparatus 10 according to the second embodiment.
FIG. 5 is a flowchart showing the operation of the hash value calculation apparatus 10 according to the second embodiment shown in FIG.
FIG. 6 is a structural diagram of a hash function realized by the hash value calculation apparatus 10 according to the second embodiment shown in FIG. In FIG. 6, as in FIG. 3, the bit length of each value is shown in parentheses below each value.

The function and operation of the hash value calculation apparatus 10 shown in FIG. 4 will be described with reference to FIGS.
The hash value calculation device 10 shown in FIG. 4 is different from the hash value calculation device 10 shown in FIG. 1 in that the encryption function E2 calculation unit 15 is not provided.

  Since (S11) to (S12) are the same as (S1) to (S2) shown in FIG.

(S13: Function G calculation step)
The key component calculation unit 13 receives the value w obtained in (S12) as an input, calculates the function G, and obtains a value k of d-bit length by the processing device.

(S14: Encryption function E1 calculation step)
The encryption function E1 calculation unit 14 calculates the encryption function E1 by using the value k obtained in (S13) as a key component and the n-bit fixed value c1 as a plaintext component to obtain an n-bit length value y. It is determined by the processing device.

(S15: Hash value calculation step)
The hash value calculation unit 16 receives the value y obtained in (S14) as an input, calculates the function H, and hashes the value z having an n′-bit length (where n ′ is an integer between 1 and n). Calculate as a value.

  That is, the hash value calculation device 10 according to the second embodiment configures a hash function using the function F, the function G, the encryption function E1, and the function H.

The function F is a function that receives a value M having an arbitrary length and outputs a value w having a t-bit length.
The function F will be described in detail in a later embodiment.

The function G is a function that receives a value w having a t-bit length and outputs a value k having a d-bit length.
The function G is a function that, for example, bit-links the input value w and the value c using a fixed value c having a length of (d−t) bits. As a method of bit combination of the input value w and the value c, the input value w and the value c may be combined as they are, or the bits may be mixed and combined.

  The encryption function E1 is a block cipher encryption function that receives a value k of d bits and a value c1 of n bits and outputs an n bit value.

The function H is a function that receives an n-bit length value y and outputs an n′-bit length value.
The function H is, for example, a function that selects and outputs n ′ bits from the input value y.

  The hash function realized by the hash value computing device 10 according to the second embodiment is pseudo-random when the function F satisfies the properties of PrA and the encryption function E1 is an encryption function in an idealized block cipher. Satisfy the nature of Oracle.

Embodiment 3 FIG.
In the third embodiment, an example of the function F in the first and second embodiments will be described.

FIG. 7 is a functional block diagram illustrating functions of the function calculation unit 12 according to the third embodiment.
FIG. 8 is a flowchart showing the operation of the function calculation unit 12 according to the third embodiment shown in FIG.
FIG. 9 is a structural diagram of the function F realized by the function calculation unit 12 according to the third embodiment shown in FIG. In FIG. 9, as in FIG. 3, the bit length of each value is shown in parentheses below each value.

The function and operation of the function calculation unit 12 shown in FIG. 7 will be described with reference to FIGS.
The function calculation unit 12 includes a padding unit 21, a division unit 22, a key component k1 calculation unit 23, an encryption function E _{j, 1} calculation unit 24, a function R calculation unit 25, a function p calculation unit 26, an encryption function E _{j, 2} calculation unit 27, function S calculation unit 28, key component kj calculation unit 29, function V calculation unit 30, and variable j control unit 31.

(S21: Padding step)
The padding unit 21 adds a predetermined value to the arbitrary length value M by using the padding function pad (L ′ + L (i−1)) bit length (L ′ is an integer of 1 or more and d or less) , Where L is an integer of 1 or more and dn or less, and i is an integer of 1 or more).

(S22: Division step)
The dividing unit 22 divides the value M ′ generated in (S21) from the beginning into L ′ bits first, and then L bits, and then L ′ bit length value m [1] and L bit length The values m [2],. . . , Value m [i] is generated by the processing device.

(S23: Variable j initialization step)
The variable j control unit 31 initializes the variable j to 1.

(S24: Function T1 calculation step)
The key component k1 calculation unit 23 calculates the function T [j] (that is, the function T [1]) using the value m [j] (that is, the value m [1]) generated in (S22) as an input. Then, a d-bit length value k [j] (that is, the value k [1]) is obtained by the processing device.

(S25: Encryption function E _{j, 1} calculation step)
The encryption function E _{j, 1} calculation unit 24 uses the value k [j] obtained in (S24) or (S32) described later as a key component, and the value y [j−1] (value y [0] having an n-bit length. ], The encryption function E _{j, 1} is calculated by using the fixed value IV) as a plaintext component, and an n-bit length value x [j] is obtained by the processing device.

(S26: Function R calculation step)
The function R calculation unit 25 receives the value x [j] obtained in (S25) and the n-bit length value y [j-1] as inputs and calculates the function R [j] to obtain an n-bit length value. y [j] is obtained by the processing device.

(S27: function p calculation step)
The function p calculator 26 receives the value y [j−1] having an n-bit length as an input, calculates the function p [j], and obtains the value vv [j] having an n-bit length by the processing device.

(S28: Encryption function E _{j, 2} calculation step)
The encryption function E _{j, 2} calculation unit 27 uses the value k [j] obtained in (S24) or (S32) described later as a key component, and the value vv [j] obtained in (S27) as a plaintext component. The encryption function E _{j, 2} is calculated, and an n-bit length value xx [j] is obtained by the processing device.

(S29: Function S calculation step)
The function S calculation unit 28 receives the value xx [j] obtained in (S28) and the value vv [j] obtained in (S27), calculates the function S [j], and has an n-bit length value. Find yy [j].
Note that (S25) to (S26) and (S27) to (S29) may be executed in parallel.

(S30: variable j determination step)
The variable j control unit 31 determines whether or not the value of the variable j is the value i. If the value of variable j is not value i (NO in S30), the process proceeds to (S31). On the other hand, if the value of variable j is value i (YES in S30), the process proceeds to (S33).

(S31: Variable j increment step)
The variable j control unit 31 adds 1 to the variable j.

(S32: Function T calculation step)
The key component kj calculation unit 29 calculates the function T [j] by using the value m [j] generated in (S22) and the value yy [j-1] obtained in (S29) as input and d A bit length value k [j] is obtained by the processing device.
Then, the process returns to (S25) and (S27).

(S33: Function V calculation step)
The function V calculation unit 30 receives the value y [i] obtained in (S26) and the value yy [i] obtained in (S29), calculates the function V, and processes the value w having a t-bit length. Determined by device.

That is, the function calculation unit 12 according to the third embodiment includes the padding function pad, the function T [1],. . . , Function T [i], function p [1],. . . , Function p [i], encryption function E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , Encryption function E _{i, 2} , function R [1],. . . , Function R [i], function S [1],. . . , Function S [i] and function V are used to construct function F shown in FIGS.

The padding function pad is, for example, M ′ = pad (M) = M || 1 || 0. . . 0 || <M>. Here, <M> is, for example, a 64-bit value and a value including M bit length information.
In other words, the padding function pad is a function that generates a value M ′ by generating a bit string that starts with “1”, thereafter has a plurality of “0” s, and ends with <M> and is added to the value M. It is.
The number of 0s is determined so that M ′ becomes L ′ + L (i−1) bits.

The function T [1] is a function that receives a value of L ′ bit length and outputs a value of d bit length.
The function T [1] is, for example, a function that outputs a concatenated bit of const ′ with respect to an input value m of L ′ bit length when const ′ is a fixed value of dL ′ bit length. . When L ′ = d, the input value is output as it is.
As a method of bit combination of the value m and the value const ′, the value m and the value const ′ may be combined as they are, or the bits may be mixed and combined.

Functions T [2],. . . , Function T [i] is a function that receives an L-bit length value and an n-bit length value and outputs a d-bit length value.
Functions T [2],. . . , Function T [i] is a bit combination of an L-bit input value m, an n-bit input value x, and a value const, where the value const is a fixed value of (d−L−n) bits. Is a function that outputs Note that the value const is not added when L = dn.
As a method of combining the input value m, the input value x, the value const, and the bit, the input value m, the input value x, and the value const may be combined as they are, or the bits may be mixed and combined.

  Functions p [1],. . . , Function p [i] is a replacement function such that p [j] (x) ≠ x (j = 1,..., I) for all n-bit values x.

The encryption functions E _1,1,. . . , Encryption functions E _{i, 1} and encryption functions E ₁ , _2,. . . , Encryption function E _{i, 2} is a block cipher encryption function that takes a d-bit length value and an n-bit length value as inputs and outputs an n-bit length value.
The encryption functions E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , The encryption function E _{i, 2} and the encryption functions E1, E2 may all be the same encryption function.
Also, the encryption functions E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , Encryption functions E _{i, 2} are the same encryption function, and encryption functions E1, E2 are encrypted functions E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . The encryption function may be different from the encryption function E _{i, 2} . In this case, the encryption functions E1 and E2 may be the same encryption function or different encryption functions.

Functions R [1],. . . , Function R [i] and functions S [1],. . . , Function S [i] is a function that receives two n-bit length values and outputs an n-bit length value.
Functions R [1],. . . , Function R [i] and functions S [1],. . . , Function S [i] is, for example, a function that outputs an exclusive OR of a value x and a value y with respect to two n-bit input values x and y.
The functions R [1],. . . , Function R [i] and functions S [1],. . . , Function S [i] may be a function that outputs a value obtained by adding a value x and a value y to two n-bit input values x and y. In this case, as an addition method, for example, L bits may be added from the beginning of the value x and the value y, and the last addition may be bit-coupled.

The function V is a function that inputs two n-bit length values and outputs a t-bit length value.
The function V is, for example, a function that bit-combines a value x and a value y with respect to two n-bit input values x and y, and extracts and outputs t bits by a predetermined method. If t = 2n, the bit-coupled value may be output as it is.
As a method of bit combination of the value x and the value y, the value x and the value y may be combined as they are, or the bits may be mixed and combined. The bit extraction method may be extracted from the beginning, from the back, or any other extraction method.

A hash function realized by the hash value calculation apparatus 10 according to the first embodiment using the function F realized by the function calculation unit 12 according to the third embodiment is an encryption function E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , Encryption function E _{i, 2} , and encryption functions E 1, E 2 are the encryption functions in the ideal block cipher, the pseudo random oracle property is satisfied. The security level of the safety is O (2 ⁿ ). In this hash function, the output length of each encryption function is n bits, and the output length of the hash value is 2n bits at the maximum.

A hash function realized by the hash value calculation apparatus 10 according to the second embodiment using the function F realized by the function calculation unit 12 according to the third embodiment is an encryption function E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , The encryption function E _{i, 2} and the encryption function E1 are the encryption functions in the ideal block cipher, the pseudo random oracle property is satisfied. The security level of the safety is O (2 ⁿ ). In this hash function, the output length of each encryption function is n bits, and the output length of the hash value is n bits at the maximum.

Note that when the output lengths of the hash function according to the first embodiment and the hash function according to the second embodiment are the same 2n, the hash function according to the first embodiment has the security level of safety as described above. Is O (2 ⁿ ), and the output length of each encryption function used is n bits. On the other hand, in the hash function according to the second embodiment, the security level of security is O (2 ²ⁿ ), and the output length of each encryption function used is 2n bits.
That is, when the output length of the hash function is the same, the output length of the encryption function used in the hash function according to the first embodiment may be shorter than that of the hash function according to the second embodiment. Therefore, for example, when the hash function is realized by a circuit, the circuit scale can be reduced. On the other hand, the hash function according to the second embodiment has a higher security level than the hash function according to the first embodiment.

Embodiment 4 FIG.
In the fourth embodiment, an example different from the third embodiment of the function F in the first and second embodiments will be described.

FIG. 10 is a functional block diagram illustrating functions of the function calculation unit 12 according to the fourth embodiment.
FIG. 11 is a flowchart showing the operation of the function calculation unit 12 according to the fourth embodiment shown in FIG.
FIG. 12 is a structural diagram of a hash function realized by the function calculation unit 12 according to the fourth embodiment shown in FIG. In FIG. 12, as in FIG. 3, the bit length of each value is shown in parentheses below each value.

Functions and operations of the hash value calculation device 10 shown in FIG. 10 will be described with reference to FIGS. 11 and 12.
The function calculation unit 12 shown in FIG. 10 includes a function h calculation unit 32 and a function h ′ calculation unit 33, but does not include a function p calculation unit 26, a function R calculation unit 25, and a function S calculation unit 28. Different from the function calculation unit 12 shown in FIG.

  The processing from (S41) to (S43) is the same as the processing from (S21) to (S23) shown in FIG. However, L here is an integer of 1 or more and d-2n or less.

(S44: Function g1 calculation step)
The key component k1 calculator 23 receives the value m [j] (value m [1]) generated in (S42) as an input, calculates the function g [j] (function g [1]), and has a d bit length Value k [j] (value k [1]) is obtained by the processing device.

(S45: Encryption function E _{j, 1} calculation step)
The encryption function E _{j, 1} calculation unit 24 uses the value k [j] obtained in (S44) or (S50) described later as a key component, and uses a predetermined value c _{j, 1} having an n-bit length as a plaintext component. The encryption function E _{j, 1} is calculated, and an n-bit length value y [j] is obtained by the processing device.

(S46: Encryption function E _{j, 2} calculation step)
The encryption function E _{j, 2} calculation unit 27 uses the value k [j] obtained in (S44) or (S50) described later as a key component, and uses a predetermined value c _{j, 2} having an n-bit length as a plaintext component. The encryption function E _{j, 2} is calculated, and an n-bit length value yy [j] is obtained by the processing device.
Note that (S45) and (S46) may be executed in parallel.

(S47: Function h calculation step)
The function h calculation unit 32 receives the value y [j] obtained in (S45) and the value yy [j] obtained in (S46), calculates the function h [j], and has a value of 2n bits. w [j] is obtained by the processing device.

(S48: Variable j determination step)
The function calculation unit 12 determines whether or not the value of the variable j is the value i. If the value of variable j is not value i (NO in S48), the process proceeds to (S49). On the other hand, if the value of variable j is value i (YES in S48), the process proceeds to (S51).

(S49: Variable j increment step)
The function calculation unit 12 adds 1 to the variable j.

(S50: function g calculation step)
The key component kj calculation unit 29 calculates the function g [j] by using the value m [j] generated in (S42) and the value w [j-1] obtained in (S47) as input, and d A bit length value k [j] is obtained by the processing device.
Then, the process returns to (S45) and (S46).

(S51: Function h ′ calculation step)
The function h ′ calculation unit 33 receives the value w [i] obtained in (S47) as an input, calculates the function h ′, and obtains a value w having a t-bit length by the processing device.

That is, the function calculation unit 12 according to the fourth embodiment includes the padding function pad, the function g [1],. . . , Function g [i], encryption function E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , Encryption function E _{i, 2} , function h [1],. . . , Function h [i] and function h ′ are used to construct the function F shown in FIGS.

  The padding function pad is the same as the padding function pad of the third embodiment.

The function g [1] is a function that takes an L ′ bit length value as an input and outputs a d bit length value.
The function g [1] is a function that outputs, for example, const ′ bit-coupled to an input value m of L ′ bit length when const ′ is a fixed value of dL ′ bit length. . When L ′ = d, the input value is output as it is.
As a method of bit combination of the value m and the value const ′, the value m and the value const ′ may be combined as they are, or the bits may be mixed and combined.

Functions g [2],. . . , Function g [i] is a function that receives an L-bit length value and an n-bit length value and outputs a d-bit length value.
When the value const is a fixed value of (d−L−2n) bits, this is a function that outputs a bit combination of an L-bit input value m, an n-bit input value x, and a value const. Note that the value const is not added when L = d−2n.
As a method of combining the input value m, the input value x, the value const, and the bit, the input value m, the input value x, and the value const may be combined as they are, or the bits may be mixed and combined.

The encryption functions E _1,1,. . . , Encryption functions E _{i, 1} and encryption functions E ₁ , _2,. . . , Encryption function E _{i, 2} is a block cipher encryption function that takes a d-bit length value and an n-bit length value as inputs and outputs an n-bit length value.
The encryption functions E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , The encryption function E _{i, 2} and the encryption functions E1, E2 may all be the same encryption function.
Also, the encryption functions E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , Encryption functions E _{i, 2} are the same encryption function, and encryption functions E1, E2 are encrypted functions E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . The encryption function may be different from the encryption function E _{i, 2} . In this case, the encryption functions E1 and E2 may be the same encryption function or different encryption functions.

Functions h [1],. . . , Function h [i] is a function that inputs two n-bit length values and outputs a 2n-bit length value.
Functions h [1],. . . , Function h [i] is a function that bit-combines two n-bit long values. As a method of bit combination of two n-bit values, two n-bit values may be combined as they are, or bits may be mixed and combined.

The function h ′ is a function that inputs two n-bit length values and outputs a t-bit length value.
The function h ′ is, for example, a function that bit-combines a value x and a value y with respect to two n-bit input values x and y, and extracts and outputs t bits of them by a predetermined method.
As a method of bit combination of the value x and the value y, the value x and the value y may be combined as they are, or the bits may be mixed and combined. The bit extraction method may be extracted from the beginning, from the back, or any other extraction method.

A hash function realized by the hash value calculation apparatus 10 according to the first embodiment using the function F realized by the function calculation unit 12 according to the fourth embodiment is an encryption function E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , Encryption function E _{i, 2} , and encryption functions E 1, E 2 are the encryption functions in the ideal block cipher, the pseudo random oracle property is satisfied. The security level of the safety is O (2 ⁿ ). In this hash function, the output length of each encryption function is n bits, and the output length of the hash value is 2n bits at the maximum.

A hash function realized by the hash value calculation apparatus 10 according to the second embodiment using the function F realized by the function calculation unit 12 according to the fourth embodiment is an encryption function E _1,1,. . . , Encryption function E _{i, 1} , encryption function E _1,2,. . . , The encryption function E _{i, 2} and the encryption function E1 are the encryption functions in the ideal block cipher, the pseudo random oracle property is satisfied. The security level of the safety is O (2 ⁿ ). In this hash function, the output length of each encryption function is n bits, and the output length of the hash value is n bits at the maximum.

Note that when the output lengths of the hash function according to the first embodiment and the hash function according to the second embodiment are the same 2n, the hash function according to the first embodiment has the security level of safety as described above. Is O (2 ⁿ ), and the output length of each encryption function used is n bits. On the other hand, in the hash function according to the second embodiment, the security level of security is O (2 ²ⁿ ), and the output length of each encryption function used is 2n bits.
That is, when the output length of the hash function is the same, the output length of the encryption function used in the hash function according to the first embodiment may be shorter than that of the hash function according to the second embodiment. Therefore, for example, when the hash function is realized by a circuit, the circuit scale can be reduced. On the other hand, the hash function according to the second embodiment has a higher security level than the hash function according to the first embodiment.

The hash value calculation device 10 described above is configured by, for example, a circuit or software. In the case of a circuit, the processing device in the above description is, for example, an arithmetic circuit, and the storage device is, for example, a register. When configured by software, the processing device in the above description is, for example, a CPU (Central Processing Unit), and the storage device is, for example, a RAM (Random Access Memory). The input device in the above description is, for example, a keyboard or a communication board, and the output device is a display device such as an LCD (Liquid Crystal Display), a communication board, or a storage device such as a register or RAM. Of course, it is not limited to these.
In addition, when the hash value calculation apparatus 10 is comprised with a circuit, you may read "~ part" mentioned above as "~ circuit". In addition, the “to part” described above may be read as “to process”, “to apparatus”, “to device”, “to means”, “to procedure”, and “to function”. That is, what is described as “˜unit” may be realized by firmware stored in a ROM (Read Only Memory). Alternatively, it may be realized only by software, only hardware such as an element, a device, a board, and wiring, or a combination of software and hardware, or further a combination of firmware.

DESCRIPTION OF SYMBOLS 10 Hash value calculation apparatus, 11 Arbitrary length value input part, 12 Function calculation part, 13 Key component calculation part, 14 Encryption function E1 calculation part, 15 Encryption function E2 calculation part, 16 Hash value calculation part, 21 Padding part, 22 division unit, 23 key component k1 calculation unit, 24 encryption function E _{j, 1} calculation unit, 25 function R calculation unit, 26 function p calculation unit, 27 encryption function E _{j, 2} calculation unit, 28 function S calculation unit 29 key component kj calculation unit, 30 function V calculation unit, 31 variable j control unit, 32 function h calculation unit, 33 function h ′ calculation unit.

Claims (4)

An arbitrary length value input unit for inputting an arbitrary bit length value M;
A function calculation unit that calculates a function F by using the value M input by the arbitrary length value input unit to obtain a value w of t-bit length (t is an integer of 1 or more);
A key component calculation unit that receives a value w obtained by the function calculation unit and calculates a function g to obtain a value k having a d-bit length (d is an integer equal to or greater than t);
Using the value k obtained by the key component calculation unit as a key component and the n-bit predetermined value c1 as a plaintext component, the block cipher encryption function E1 is calculated and n-bit length (n is an integer of 1 or more) An encryption function E1 calculation unit for obtaining the value y of
An encryption function for calculating a block cipher encryption function E2 by using the value k obtained by the key component calculation unit as a key component and a predetermined value c2 having an n-bit length as a plaintext component to obtain an n-bit length value yy An E2 calculator,
Using the value y obtained by the encryption function E1 calculation unit and the value yy obtained by the encryption function E2 calculation unit as input, the function h is calculated and an n ′ bit length (n ′ is 1 to 2n) A hash value calculation device comprising: a hash value calculation unit that obtains an integer) value z as a hash value. An arbitrary length value input unit for inputting an arbitrary bit length value M;
A function calculation unit that calculates a function F by using the value M input by the arbitrary length value input unit to obtain a value w of t-bit length (t is an integer of 1 or more);
A key component calculation unit that calculates a function G by calculating the function G using the value w obtained by the function calculation unit as an input;
Using the value k obtained by the key component calculation unit as the key component, the n-bit length value c1 as the plaintext component, the block cipher encryption function E1 is calculated, and the n-bit length (n is an integer of 1 or more) an encryption function E1 calculation unit for obtaining y;
A hash value calculation unit that calculates a function H by using the value y obtained by the encryption function E1 calculation unit as an input and obtains a value z of n ′ bit length (n ′ is an integer of 1 to n) as a hash value; A hash value calculation device comprising: The function calculator is
A predetermined value is added to the value M input by the arbitrary length value input unit (L ′ + L (i−1)) and the bit length (L ′ is an integer of 1 to d, L is 1 to d) A padding part that generates a value M ′ of an integer less than or equal to −n, i is an integer greater than or equal to 1),
The value M ′ generated by the padding unit is divided into an L ′ bit length value m [1], an L bit length value m [2],. . . , A dividing unit for generating a value m [i],
A key component k1 calculating unit that calculates a function T [1] by using the value m [1] generated by the dividing unit and calculates a value k [1] having a d-bit length;
In order from j = 1 to i, a value k [j] is a key component, and an n-bit length value y [j−1] (a value y [0] is a fixed value IV) is a plaintext component. An encryption function Ej, 1 calculating section for calculating an encryption function Ej, 1 to obtain an n-bit length value x [j];
In order from j = 1 to i, the value y [j−1] and the encryption function Ej, the value x [j] calculated by one calculation unit are input, and the function R [j] is calculated and n A function R calculator for obtaining a bit length value y [j];
a function p calculator that calculates the function p [j] by calculating the function p [j] with the value y [j−1] as an input in order from j = 1 to i;
In order from j = 1 to i, the encryption function Ej, 2 of the block cipher is calculated using the value k [j] as a key component and the value vv [j] obtained by the function p calculation unit as a plaintext component. an encryption function Ej, 2 calculation unit for obtaining an n-bit length value xx [j];
A function for obtaining an n-bit value yy [j] by calculating a function S [j] by inputting the value xx [j] obtained by the encryption function Ej, 2 calculation unit in order from j = 1 to i An S calculator,
In order from j = 2 to i, the function m [j] generated by the dividing unit and the value yy [j−1] calculated by the function S calculating unit are input and the function T [j] is calculated. a key component kj calculation unit for obtaining a value k [j] having a d-bit length;
A function V for obtaining the value w having a 2n-bit length by calculating the function V using the value y [i] obtained by the function R calculation unit and the value yy [i] obtained by the function S calculation unit as inputs. The hash value calculation apparatus according to claim 1, further comprising a calculation unit. The function calculator is
A predetermined value is added to the value M input by the arbitrary length value input unit (L ′ + L (i−1)) and the bit length (L ′ is an integer of 1 to d, L is 1 to d) A padding unit that generates a value M ′ of −2n or less, i is an integer of 1 or more);
The value M ′ generated by the padding unit is divided into an L ′ bit length value m [1], an L bit length value m [2],. . . , A dividing unit for generating a value m [i],
A key component k1 calculating unit that calculates a function g [1] by using the value m [1] generated by the dividing unit and calculates a value k [1] having a d-bit length;
In order from j = 1 to i, a block cipher encryption function Ej, 1 is calculated using a value k [j] as a key component and a predetermined value cj, 1 having an n-bit length as a plaintext component. An encryption function Ej for obtaining a value y [j], one calculation unit;
In order from j = 1 to i, the encryption function Ej, 2 of the block cipher is calculated by using the value k [j] as a key component and the predetermined value cj, 2 having an n-bit length as a plaintext component to obtain an n-bit length An encryption function Ej, 2 calculation unit for obtaining the value yy [j] of
In order from j = 1 to i, the value y [j] obtained by the encryption function Ej, 1 calculation unit and the value yy [j] obtained by the encryption function Ej, 2 calculation unit are input, and the function a function h calculator for calculating h [j] to obtain a 2n-bit length value w [j];
In order from j = 2 to i, the value m [j] generated by the dividing unit and the value w [j-1] calculated by the function h calculating unit are input and the function h [j] is calculated. a key component kj calculation unit for obtaining a value k [j] having a d-bit length;
The function h ′ calculating unit which calculates the function h ′ by calculating the value w [i] obtained by the function h calculating unit and calculating the value w having a t-bit length. 2. The hash value calculation device according to 2.

Images