JP6881112B2 - Cryptographic data generator, decryption data generator, authenticated cryptosystem with additional data, its method, and program - Google Patents

Description

The present invention relates to an authentication encryption technology with additional data that simultaneously performs message concealment and tampering detection.

Authenticated encryption with additional data is a common key cryptographic primitive that simultaneously performs confidentiality of message M and authentication (tampering detection) of message M and additional data A. Examples of the conventional authentication encryption with additional data include APE (Authenticated Permutation-Based Encryption) described in Non-Patent Document 1 and Non-Patent Document 2. Authenticated encryption with additional data consists of two functions, an encryption function and a decryption function. In the authenticated encryption with additional data, the secret key K is shared in advance between the receiver and the sender.

In addition to message M and additional data A, the sender selects a value N, called a nonce, that changes each time the cryptographic function is called. The encryption function generates encrypted data C and tag T corresponding to message M, additional data A, and nonce N, and sends a set of (C, T, A, N) to the recipient.

The recipient receives a set of (C, T, A, N), but at this point there is no guarantee that these values have not been tampered with by a malicious third party. The recipient calculates a decryption function that performs verification at the same time using the received (C, T, A, N) pair and the key K that he owns.

There are several types of decryption functions that perform verification at the same time. Many authenticated encryptions with additional data verify that the tag T'recalculated by the recipient matches the tag T received from the sender. APE verifies whether the value of the intermediate state recalculated by the recipient matches a certain value. In any case, if the values do not match, the result that decoding failed (data has been tampered with) is output.

APE is a method of constructing the encryption function and decryption function of authenticated encryption with additional data. It has the feature that the encryption function and the decryption function are constructed using a substitution (bijective map) whose size is relatively large compared to the security level (number of bits) to be guaranteed. As described above, the APE decoding function is verified by a special method different from the conventional decoding function.

A specific calculation procedure of the APE encryption function will be described with reference to FIG. APE's encryption function replaces b-bit data called state with b-bit replacement f: {0, 1} ^b → {0, 1} ^b , input data (N, A, M), and key K. Calculate the encrypted data C and tag T with repeated updates using. Details of the substitution f are described in Non-Patent Document 2. It should be noted that the input of nonce N is not mandatory, and even if there is nonce N, nonce N becomes a part of the additional data A. Therefore, it is sufficient for the input data to consider additional data A, message M, and key K. Also, the additional data A is processed before the message M. Such additional data A is called the header. The length of both additional data A and message M is limited to double the r-bit length.

The state of b bits is divided into r bits called rate and c (= b-r) bits called capacity. When calculating the encryption function, initialize the b-bit state value to 0 for the r-bit in the rate part (that is, a bit string in which all bits are 0) and the c-bit in the capacity part to the value of key K. To do.

Step 1. Divide the additional data A into blocks of r bits. The exclusive OR with the first block of additional data A is calculated for the r bit of the rate part of the b-bit state, and the substitution f is calculated for the b-bit state. Let the output of this permutation f be the value of the new state. This operation is repeated until the final block of additional data A is exclusively ORed.

Step 2. Calculates the exclusive OR of the c-bit of the capacity portion of the b-bit state with the integer value 1 (that is, the bit string in which only the least significant bit is 1).

Step 3. Divide message M into blocks of r bits. The exclusive OR with the first block of message M is calculated for the r bit of the rate part of the b-bit state, and the substitution f is calculated for the b-bit state. The output of this substitution f is used as the value of the new state, and the r bit of the rate portion is output as the first block of the encrypted data C. This operation is repeated until the last block of message M is exclusively ORed.

Step 4. The exclusive OR of the c-bit key K is calculated for the c-bit of the capacity part of the b-bit state, and the calculation result is output as the c-bit tag T.

A specific calculation procedure of the decoding function of APE will be described with reference to FIG. The APE decryption function calculates the APE encryption function in almost the reverse order. The decoding function normally takes the set of (C, T, A, N) as input, but since nonce N can be regarded as part of the additional data A in APE, the set of (C, T, A) is used. Considered as input.

When calculating the decryption function, the value of the b-bit state is initialized to the value obtained by concatenating the final block of the r-bit encrypted data C (C 2 in the example of FIG. _{2) and the c-bit tag T.}

Step 1. The exclusive OR of the c-bit key K is calculated for the c-bit of the capacity part of the b-bit state, and the c-bit of the capacity part is updated according to the calculation result.

Step 2. For the b-bit state, the inverse function of the permutation f f ^-1 : {0, 1} ^b → {0, 1} ^b is calculated. Let the output of this inverse function f ^{-1 be} the value of the new state. The exclusive OR is calculated for the r bit of the rate part with the block immediately before the final block of the encrypted data C (C _{1 in} the example of FIG. 2), and the calculation result is the final block of the message M (Fig. 2). In the example of 2, it is output as _{M 2).} Further, the r bit of the rate portion is updated by the block immediately before the final block of the encrypted data C (C _{1 in} the example of FIG. 2), and the updated state is set as the value of the new state. This operation is repeated until the first block of encrypted data C (C _{0 in} the example of FIG. 2) is processed. Thus, the last block of the message M (M ₂ in the example of FIG. 2) to a second block (M ₁ in the example of FIG. 2) is restored. _{Of the last updated states, let S r be} the value of the r bit in the rate part _{and S c} be the value of the c bit in the capacity part.

Step 3. The method of restoring the first block of message M (M _{0 in} the example of FIG. 2) is different from that of the other blocks. First, the same calculation as in steps 1 to 2 of the encryption function is performed. Of the updated state, the value of r bits of rate portion S _'r, the value of c bit capacity portion S' and _c. The exclusive OR of the r-bit value S _r and the r-bit value S _'r is calculated, and outputs the calculation result as the first block of the message M (M ₀ in the example of FIG. 2).

Step 4. comparing the c-bit value S _c and c-bit values S _'c, (in the example of FIG. _{2 M = M 0 || M 1} || M 2) message M decoded if they match the value of the output To do. The decrypted message M is also referred to as decrypted data. If they do not match, message M is not output, and only an error code indicating that decoding has failed is output.

In addition, there is a Protected IV (PIV) method as an authentication encryption with additional data that realizes secret nonce (see Non-Patent Document 3). A secret nonce is a type of nonce, and is a value that flows through a communication path after the value is encrypted. When the number of packets communicated so far is used as a nonce, it is desirable to encrypt the nonce before sending it because the nonce includes privacy information.

In an authenticated encryption with additional data that uses normal nonce, the sender uses the input data (N, A, M) and the key K to calculate (C, T) and then (C, T, A, N). Send to recipient. That is, N is not encrypted. In the PIV method, in addition to calculating (C, T) using (N, A, M) and key K, N is encrypted and converted to restoration information RI, and (C, T, A, RI) is received. Send to The recipient restores N from RI in the middle of decryption.

Elena Andreeva, Begul Bilgin, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha and Kan Yasuda, "APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography," FSE 2014, (eds.) Carlos Cid and Christian Rechberger, LNCS, Vol . 8540, pages 168-186, Springer, 2015. Elena Andreeva, Begul Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha, Qingju Wang and Kan Yasuda, "PRIMATEs v1 | Submission to the CAESAR Competition," Submitted to CAESAR, 2014. Thomas Shrimpton and R. Seth Terashima, \ AModular Framework for Building Variable-Input-Length Tweakable Ciphers, "ASIACRYPT 2013, (eds.) Kazue Sako and Palash Sarkar, LNCS, Vol. 8269, pages 405-423, Springer, 2013.

However, in the prior art APE, when using nonce, it is considered part of A and is sent to the recipient unencrypted.

It is an object of the present invention to provide an encrypted data generator, a decrypted data generator, an authenticated encryption system with additional data, a method thereof, and a program capable of realizing an APE that can utilize a secret nonce.

In order to solve the above problems, according to one aspect of the present invention, the encrypted data generator sets the bit length of the private key K to c bits, and sets the rate portion of r bits and the capacity portion of c bits. The b-bit information to be included is the state, the bit length of the additional data A is | A |, and the additional data A is the value A ^r including the data to be concealed in the r bits and the concealment target for (| A | -r) bits. a dividing unit for dividing the value a 'is not a, n = 1,2, ..., | a | / r and, additional data a | a | / r pieces each value obtained by dividing the as a _n , The value obtained by concatenating the predetermined bit string and the private key K is set as the initial value S ₀ of the encryption state, and for the r bits of the rate part S _{R, n-1 of the b-bit encryption state S n-1 Let} the exclusive _{OR part for finding the exclusive OR S R, n-1} xor A _n with the value A n and the function that replaces the b-bit bit string d with the b-bit bit string e be the substitution f. The bit string in which the rate part S _{R, n-1} of the conversion state S _n-1 is replaced with the exclusive OR S _{R, n-1} xor A _n is replaced by the replacement f to obtain the encryption state S _n . encryption state S _{| a |} rate portion of the _{/ r S R, | a |} / r and the first replacement unit for outputting a restoration information RI, the encryption state S _{| a | /} capacity portion _r S _{C, | The boundary setting part that inverts the predetermined bits of A | / r} , the bit length of the message M is | M |, m = 1,2,…, | M | / r, and the message M is | M | / r. Let each value obtained by dividing into pieces M _m, and for the r bits of the rate part S _{R, | A | / r + m-1} of the b-bit encryption state S _{| A | / r + m-1.} exclusive OR S _R of the message _{M m, | a | / r} + and a second exclusive OR unit for determining the _m-1 xor _{M m,} encrypted state _{S | a | / r + m} -1 of The bit string in which the rate part S _{R, | A | / r + m-1} is replaced with the exclusive OR S _{R, | A | / r + m-1} xor M _m is replaced by the replacement f, and the encryption state is used. seek _{/ r + m,} encrypted state S _{| |} S _{| a a |} a r bit rate portion of the _{/ r + m} and the encrypted data C _m, | including / r pieces of encrypted data C _m | M The second substitution part that outputs the encrypted data C = (C ₁ , C ₂ ,…, C _{| M | / r} ) and the capacity part S _{C of the encryption state S | A | / r + | M | / r. , | A | / r + | M | /} tag the exclusive OR of the private key K and tag T It includes a tag generation unit that outputs as, and an output unit that outputs encrypted data C, tag T, value A', and restoration information RI.
In order to solve the above problems, according to another aspect of the present invention, the decoding data generator sets the bit length of the private key K to c bits, and sets the rate portion of r bits and the capacity portion of c bits. The b-bit information to be included is the state, the bit length of the message M is | M |, the bit length of the additional data A is | A |, and it is included in the encrypted data C, the tag T, and the additional data A (| A | -r) Set the input part that receives the non-confidential value A'for the bit and the restoration information RI obtained when generating the encrypted data C, and m = 1,2,…, | M | / r. | M | / r pieces of encrypted data C including the encrypted data _{C m = (C 1, C} 2, ..., C | M | / r) to the encrypted data C included _{| M | / r} and c bits The value concatenated with the tag T of is set as the initial value S _{| A | / r + | M | / r} of the decoding state S, and the capacity portion S _{C, | A of the decoding state S | A | / r + | M | / r. Encrypt with the exclusive OR S C, | A | / r + | M | / r} xor K for the exclusive _{OR S C, | A | / r + | M | / r xor K of | / r + | M | / r} and the c-bit private key K exclusive OR _{/ r |} the inverse substitution f and f ^-1, decoding state S used when _{| a | / r + | M} | / r capacity portion S _{C of, | a | / r + |} M S _{C, | A | / r + | M | / r} xor Replace the bit string replaced with K with the inverse function f ^-1, and find the decoding state S _{| A | / r + | M | / r -1} . a replacement unit, m = 1,2, ..., | M | / in r-1, the decoding state S _{| a | / r + m} of rate portion _{S R, | a | / r} + m and the encrypted data C Exclusive OR with _{m S R, | A | / r + m} xor C _m is output as decoded data M _{m + 1} , and the fourth exclusive OR part and m = 1,2,…, | M | In / r-1, the bit string in which the rate part S _{R, | A | / r + m of the decryption state S | A | / r + m} is replaced with the encrypted data C m is replaced by using the ^{inverse function f -1.} , Exclusive logic of the fourth substitution part for obtaining the decoding state S _{| A | / r + m-1} , the rate part S _{R, | A | / r of the decoding state S | A | / r} , and the restoration information RI. The fifth exclusive OR that outputs the sum S _{R, | A | / r} xor RI as decoding data M _{1, D} , and the capacity _{portion of the decoding state S | A | / r S C, | A | / r} Restoring information of the demarcation part that inverts a predetermined bit of and the rate part S _{R, | A | / r of the decoding state S | A | / r} Replaced with RI and replaced the bit string obtained by inverting the predetermined bits of the capacity portion S _{C, | A | / r of the decoding state S | A | / r} ^{using the inverse function f -1} , and the decoding state S _{| A | /} a fifth replacement unit for determining the _r-1, 'a | a' | value a / r pieces each value obtained by dividing the the _{a 'n, n = 1,2,} ..., | a | / in r-1, rate portion S _R of the decoding state S _n, and _n, 'xOR S _R and _{n, n} xor a' values a and sixth exclusive OR unit for obtaining the _n, n = 1 , 2, ..., | a | / in r-1, using an exclusive OR S _{R, n} xor a 'inverse function f ^-1 bit string is replaced with _n the rate portion S _{R, n} of the decoding state S _n substituted Te, a sixth replacement unit for obtaining the decoding state S _n-1, it performs message authentication by determining whether the capacity portion S _{C, 0} of the decoding state S ₀ and the secret key K coincides matches when Includes an authentication unit that outputs the exclusive OR of the predetermined bit string and the rate portion S _{R, 0 of the decoding state S 0} as the value A ^r.
In order to solve the above problems , according to another aspect of the present invention, the authenticated encryption system with additional data includes an encrypted data generator and a decrypted data generator. The encrypted data generator sets the bit length of the private key K to c-bit, sets the b-bit information including the rate part of r-bit and the capacity part of c-bit as the state, and sets the bit length of additional data A to | A. ^{|, And the division part that divides the additional data A into the value A r} including the data to be concealed by r bits and the value A'that is not concealed by (| A | -r) bits, and n = 1,2. , ..., | a | / r and, adding data a | a | / r pieces each value obtained by dividing the the a _n, the encryption state a value obtained by connecting the predetermined bit sequence and a secret key K With the initial value S ₀ of, the exclusive OR with the _{value A n} for the r bits of the rate portion S _{R, n-1} of the b-bit encryption state S _{n-1 S R, n-1} xor A _n a first exclusive OR unit for determining a function to be substituted with a substituted f bit string d b-bit bit string e of b bits, exclusive encryption state S _n-1 of the rate portion S _R, the _n-1 The bit string replaced by the exclusive OR S _{R, n-1} xor A _n is replaced with the replacement f to obtain the encryption _{state S n,} and the rate part S _{R, | A | of the encryption state S | A | / r} The first substitution part that outputs _{/ r} as the restore information RI, the demarcation part that inverts the predetermined bits of the capacity part S _{C, | A | / r of the encryption state S | A | / r, and the message M.} The bit length of is | M |, m = 1,2,…, | M | / r, and each value obtained by dividing the message M into | M | / r is M _m , and the b-bit encryption Exclusive OR with _{message M m} for the r bits of the rate portion S _{R, | A | / r + m-1} of the conversion state S _{| A | / r + m-1 S R, | A | / r} The second exclusive OR for finding _{+ m-1} xor M _m and the exclusive OR for the rate part S _{R, | A | / r + m-1} of _{the encryption state S | A | / r + m-1} The bit string replaced with the sum S _{R, | A | / r + m-1} xor M _m is replaced with the replacement f to obtain the encryption state S _{| A | / r + m} , and the encryption state S _{| A |} Let the r bit of the rate part of _{/ r + m be the encrypted data C m,} and | M | / encrypted data C _{including r encrypted data C m} = (C ₁ , C ₂ ,…, C _{| M |} a second replacement unit for outputting the _{/ r),} encrypts state _{S | a | / r + |} M | / capacity portion _{r S C, | a | /} r + | M | / r and exclusive of the secret key K A tag generator that outputs the exclusive-OR as tag T, encrypted data C, and tag T Includes an output section that outputs the value A'and the restore information RI. The decryption data generator has an input unit that receives the encrypted data C, the tag T, the value A', and the restoration information RI, and the encrypted data C = (C ₁ , C ₂ ,…, C _{| M | / r} ). The value obtained by concatenating the included encrypted data C _{| M | / r} and the c-bit tag T is set as the initial value S _{| A | / r + | M | / r} of the decryption state S, and the decryption state S _{| A | / r + | M | / r} capacity part S _{C, | A | / r + | M | / r} and the exclusive OR of the c-bit private key K S _{C, | A | / r + | M | / r} xor K ^{Let f -1 be} the inverse function of the third exclusive OR part used for encryption and the substitution f used for encryption, and the capacity part S _{C, | of the} decryption state S _{| A | / r + | M | / r. The} bit string in which A | / r + | M | / r is replaced with the exclusive OR S _{C, | A | / r + | M | / r} xor K is replaced by the inverse function f ^-1 , and the decoding state S _{| A In the third substitution part for finding | / r + | M | / r-1} and m = 1,2,…, | M | / r-1, the rate part S _{R of the decoding state S | A | / r + m , | A | / r + m} and the exclusive OR of the encrypted data C _{m S R, | A | / r + m} xor C _m is output as the decryption data M _{m + 1 4th exclusive OR} In the part and m = 1,2,…, | M | / r-1, the rate part S _{R, | A | / r + m of the decryption state S | A | / r + m} is converted to the encrypted data C _m . The fourth replacement part that replaces the replaced bit string using the inverse function f ^-1 to obtain the decoding state S _{| A | / r + m-1} , and the rate part S _{R, | of the decoding state S | A | / r. Exclusive OR of A | / r} and restore information RI S _{R, | A | / r} xor The fifth exclusive OR that outputs RI as decoding data M _{1, D , and the decoding state S | A | The} demarcation part that inverts a predetermined bit of the capacity part S _{C, | A | / r} of / r and the rate part S _{R, | A | / r of the decoding state S | A | / r} are used as the restore information RI. Substitution, the capacity portion of the decoding state S _{| A | / r S C, | A | / r} is replaced with the inverted bit string of a predetermined bit ^{using the inverse function f -1} , and the decoding state S _{| A | /} a fifth replacement unit for determining the _r-1, 'a | a' | value a / r pieces each value obtained by dividing the the _{a 'n, n = 1,2,} ..., | a | / r- in 1, the rate portion of the decoding state S _n S _{R, n} and 'xOR S _R and _{n, n} xor a' value a sixth exclusive seeking _n The sum unit, n = 1,2, ..., | A | In / r-1, rate portion S _R of the decoding state S _{n, n} exclusive OR S _R, a bit string is replaced with _n xor A _'n substituted with an inverse function f ^-1, and sixth replacement unit for obtaining the decoding state S _n-1, whether the message and capacity portion S _{C, 0} of the decoding state S ₀ and the secret key K coincides Authenticates and, if they match, includes an authentication unit that outputs the exclusive OR of the predetermined bit string and the rate part S _{R, 0 of the decoding state S 0} ^{as the value Ar.}

In order to solve the above problems, according to another aspect of the present invention, the authenticated encryption system with additional data includes an encrypted data generator and a decrypted data generator. The encrypted data generator sets the bit length of the private key K to c-bit, sets the b-bit information including the rate part of r-bit and the capacity part of c-bit as the state, and sets the bit length of additional data A to | A. ^{Let | be the additional data A for the values A r} = (A ^r ₁ , ^Ar ₂ ,…, ^Ar _P ) and (| A | -P × r) bits including the data to be concealed in the P × r bits. confidential value a is not a subject _{'= (a' 1, a} '2, ..., a' | a | / rP) and dividing unit for dividing the a, n = 1,2, ..., | a / r, | a Each value obtained by dividing the additional data A into | A | / r is A _n, and the value obtained by concatenating the predetermined bit string and the private key K is the initial value S ₀ of the encryption state, and the b bit encryption state S _n-1 of the rate portion S _R, with respect to r-bit _n-1, obtains the exclusive OR _{S R, n-1 xor a} n of the values a _n, the value a _n is concealed In the case of data A ^r ₂ , A ^r ₃ ,…, A ^r _P , the rate part S _{R, n-1} of the state S _n -1 is output as the restoration information RI ₁ , RI ₂ ,…, RI _P-1. Let the exclusive OR part and the function that replaces the b-bit bit string d with the b-bit bit string e be the replacement f, and the rate part S _{R, n-1 of the encryption state S n-1 be} the exclusive OR S _R, and substituted with _n-1 xor a _n bit string is replaced with substitution f, determined encryption state S _n, the encryption state S _{| a | / r} of rate portion S _{R, |} a _{/ r | a} a first replacement unit for outputting a restoration information RI _P, encrypted state S _{| a | / r} capacity portion S _{C of, | a | /} a boundary setting portion for inverting predetermined bits of _r, bit message M The length is | M |, m = 1,2,…, | M | / r, and each value obtained by dividing the message M into | M | / r is M _m , and the b-bit encryption state. S _{| A | / r + m-1} rate part S _{R, | A | / r + m-1} exclusive OR with _{message M m} for r bits _{S R, | A | / r + m -1} The exclusive OR part for finding xor M _m and the exclusive OR S for the rate part S _{R, | A | / r + m-1} of _{the encryption state S | A | / r + m-1 Replace the bit string replaced with R, | A | / r + m-1} xor M _m with the replacement f to obtain the encryption state S _{| A | / r + m,} and obtain the encryption state S _{| A | / r.} Encrypt the r bit of the rate part of _{+ m Data C m} Then, the second replacement part that outputs the encrypted data C = (C ₁ , C ₂ ,…, C _{| M | / r} ) containing | M | / r encrypted data C _{m, and the encryption state S.} Capacity part of _{| A | / r + | M | / r S C, | A | / r + | M | /} A tag generator that outputs the exclusive OR of the r and the private key K as tag T, and encryption Includes an output section that outputs data C, tag T, value A', and restore information RI = (RI ₁ , RI ₂ , ..., RI _P). The decryption data generator has an input unit that receives the encrypted data C, the tag T, the value A', and the restoration information RI, and the encrypted data C = (C ₁ , C ₂ ,…, C _{| M | / r} ). The value obtained by concatenating the included encrypted data C _{| M | / r} and the c-bit tag T is set as the initial value S _{| A | / r + | M | / r} of the decryption state S, and the decryption state S _{| A | / r + | M | / r} capacity part S _{C, | A | / r + | M | / r} and the exclusive OR of the c-bit private key K S _{C, | A | / r + | M | / r} xor K ^{Let f -1 be} the inverse function of the third exclusive OR part used for encryption and the substitution f used for encryption, and the capacity part S _{C, | of the} decryption state S _{| A | / r + | M | / r. The} bit string in which A | / r + | M | / r is replaced with the exclusive OR S _{C, | A | / r + | M | / r} xor K is replaced by the inverse function f ^-1 , and the decoding state S _{| A In the third substitution part for finding | / r + | M | / r-1} and m = 1,2,…, | M | / r-1, the rate part S _{R of the decoding state S | A | / r + m , | A | / r + m} and the exclusive OR of the encrypted data C _{m S R, | A | / r + m} xor C _m is output as the decryption data M _{m + 1 4th exclusive OR} In the part and m = 1,2,…, | M | / r-1, the rate part S _{R, | A | / r + m of the decryption state S | A | / r + m} is converted to the encrypted data C _m . The fourth replacement part that replaces the replaced bit string using the inverse function f ^-1 to obtain the decoding state S _{| A | / r + m-1} , and the rate part S _{R, | of the decoding state S | A | / r. a | / r} and, exclusive OR S _R of the restoration information _{RI P, | a | / r} xor RI and fifth exclusive OR unit for outputting as the decoded data M _{1, D} and _P, decoding state S _{| a | / r} capacity portion S _{C of, | a | /} boundary removing unit for inverting predetermined bits of _r, the decoding state S _{| a | / r} of rate portion S _{R, | a | / r} restoration information replaced with RI _P, decoding state S _{| a | /} capacity portion _r S _{C, | a | /} bit string obtained by inverting predetermined bits of _r replaced with an inverse function f ^-1, and decoding state S _{| Let the fifth substitution part for A | / r-1} and each value obtained by dividing the value A'by | A'| / r into _A'q, and let q = 1,2,…, | A | / rP and p = 1,2, ..., in P-1, (i) value a 'when the enter _q, rate portion S _R of the decoding state S _n, and _n, the value a' _When the exclusive OR S _{R, n} xor A'q with _q is obtained and (ii) the restore information RI _p is input, the restore information is given to the r bits of the rate part S _{R, n} of the decoding state S _n. exclusive OR S _R and RI _p, determine the _n xor RI _p, a sixth exclusive OR unit that outputs the exclusive OR S _R, the _n xor RI _p as the data a _{p + 1} of the confidential, n = 1,2, ..., | a | / in r-1, the decoding state S _n of the rate portion S _R, the _n (i) xOR _{S R, n xor a 'q} , or, (ii) The sixth replacement part that replaces the bit string replaced with the restoration information RI _p ^{using the inverse function f -1} to obtain the decoding state S _n-1 , the capacity part S _{C, 0 of the decoding state S 0} , and the private key K. Message authentication is performed depending on whether or not matches, and if they match, the exclusive OR of the predetermined bit string and the rate part S _{R, 0 of the decoding state S 0} is output as the ^{value A r} _1. Including the part.

According to the present invention, it is possible to realize an APE that can utilize a secret nonce.

The figure for demonstrating the conventional encryption function. The figure for demonstrating the conventional decoding function. The figure which illustrates the functional structure of the authentication encryption system with additional data. The figure which illustrates the functional structure of the encryption device. The figure which illustrates the functional structure of the additional data calculation part. The figure which illustrates the functional structure of the message calculation part. The figure which illustrates the functional structure of the decoding apparatus. The figure which illustrates the functional structure of the encrypted data back calculation part. The figure which illustrates the functional structure of the additional data calculation part. The figure which illustrates the processing procedure of the encryption method. The figure for demonstrating an example of the encryption function of 1st Embodiment. The figure which illustrates the processing procedure of the decoding method. The figure for demonstrating an example of the decoding function of 1st Embodiment. The figure for demonstrating an example of the encryption function of the 2nd Embodiment. The figure for demonstrating an example of the encryption function of the 2nd Embodiment. The figure for demonstrating an example of the decoding function of the 2nd Embodiment. The figure for demonstrating an example of the decoding function of the 2nd Embodiment.

Hereinafter, embodiments of the present invention will be described. In the drawings used in the following description, the same reference numerals are given to the components having the same function and the steps for performing the same processing, and duplicate description is omitted.

<First Embodiment>
In the embodiment of the present invention, the value of the r bit of the internal state is sent as the restoration information RI instead of the nonce N. That is, in the APE encryption process, the sender does not send the additional data A including the encrypted data C, the tag T, and the nonce N, but the additional data of the portion not including the encrypted data C, the tag T, and the nonce N. A, Send the restore information RI to the recipient. The recipient restores the nonce N from the restore information RI in the middle of decryption.

As shown in FIG. 3, the authentication encryption system with additional data of the embodiment includes an encryption device 1 that executes an encryption function of the authentication encryption with additional data and a decryption device 2 that executes a decryption function of the authentication encryption with additional data. And include. In this embodiment, the encryption device 1 and the decryption device 2 are connected to the communication network 3, respectively. The communication network 3 is a circuit-switched or packet-switched communication network configured so that each connected device can communicate with each other. For example, the Internet, LAN (Local Area Network), WAN (Wide Area Network). Etc. can be used. It should be noted that each device does not necessarily have to be able to communicate online via the communication network 3. For example, the information output by the encryption device 1 may be stored in a portable recording medium such as a magnetic tape or a USB memory, and the information may be input offline from the portable recording medium to the decryption device 2.

As shown in FIG. 4, the encryption device 1 included in the authentication encryption system with additional data includes a storage unit 10, an input unit 11, an initialization unit 12, an additional data calculation unit 14, a boundary setting unit 15, and a message calculation unit 16. , A tag generation unit 17, and an output unit 18. As shown in FIG. 5, the additional data calculation unit 14 included in the encryption device 1 includes a division unit 141, an exclusive OR unit 142, and a replacement unit 143. As shown in FIG. 6, the message calculation unit 16 included in the encryption device 1 includes a division unit 161, an exclusive OR unit 162, and a replacement unit 163.

As shown in FIG. 7, the decryption device 2 included in the authentication encryption system with additional data includes, for example, a storage unit 20, an input unit 21, a first initialization unit 22, a tag decryption unit 23, and an encrypted data inverse calculation unit 24. , Boundary removal unit 25, additional data inverse calculation unit 26, authentication unit 29, and output unit 30. As shown in FIG. 8, the encrypted data inverse calculation unit 24 included in the decryption device 2 includes an inverse replacement unit 241 and an exclusive OR unit 242. As shown in FIG. 9, the additional data inverse calculation unit 26 included in the decoding device 2 includes a division unit 261, an exclusive OR unit 263, and an inverse replacement unit 264.

The encryption device 1 performs the processing of each step shown in FIG. 10, and the decryption device 2 performs the processing of each step shown in FIG. 12, so that the authentication encryption method with additional data of the embodiment is realized. Of the authentication encryption methods with additional data, the portion executed by the encryption device 1 is also referred to as an encryption method, and the portion executed by the decryption device 2 is also referred to as a decryption method.

In the encryption device 1 and the decryption device 2, a special program is read into a known or dedicated computer having, for example, a central processing unit (CPU), a main storage device (RAM: Random Access Memory), and the like. It is a special device configured. The encryption device 1 and the decryption device 2 execute each process under the control of the central processing unit, for example. The data input to the encryption device 1 and the decryption device 2 and the data obtained by each process are stored in the main storage device, for example, and the data stored in the main storage device is stored in the central processing unit as needed. It is read out and used for other processing. At least a part of each processing unit of the encryption device 1 and the decryption device 2 may be configured by hardware such as an integrated circuit. Each storage unit included in the encryption device 1 and the decryption device 2 is composed of, for example, a main storage device such as RAM (Random Access Memory) and a semiconductor memory element such as a hard disk, an optical disk, or a flash memory (Flash Memory). It can be configured with storage or middleware such as relational databases and key-value stores.

<Encryption device 1>
Among the authentication encryption methods with additional data executed by the authentication encryption system with additional data of the embodiment, the encryption method executed by the encryption device 1 will be described with reference to FIGS. 10 and 11.

<Memory unit 10>
In the storage unit 10 of the encryption device 1, a b-bit state composed of an r-bit rate portion and a c-bit capacity portion (hereinafter, in order to distinguish from the state stored in the storage unit 20 of the decryption device 2). , Also referred to as an encryption state) and a common key K (hereinafter, also referred to as a secret key K) shared in advance with the decryption device 2. For example, the state is 512 bits, the rate part is 256 bits, and the capacity part is 256 bits (that is, b = 512, r = 256, c = 256). The ratio of the length of the rate part to the length part of the capacity part is a trade-off between processing speed and safety. As the length of the rate portion increases, the processing speed increases but the safety decreases. On the contrary, when the length of the capacity portion is increased, the safety is improved but the processing speed is lowered. Therefore, each value of b, r, and c may be appropriately designed in consideration of a desired balance between processing speed and safety.

<Input unit 11>
In step S11, the set (A, M) of the additional data A and the message M is input to the input unit 11 of the encryption device 1. Both the additional data A and the message M are r-bit doubled data. Note that the additional data A and message M are not limited to r-bit double-length data, and if the r-bit double length is not used, for example, 10 ^* padding is applied to make the r-bit double length. The present embodiment may be applied by changing to data. The input unit 11 inputs the message M to the message calculation unit 16 and the additional data A to the additional data calculation unit 14.

<Initialization unit 12>
In step S12, the initialization unit 12 of the encryption device 1 sets a value obtained by concatenating a predetermined bit string and the private key K _{as the initial value S 0} of the encryption state. For example, the initialization unit 12 sets the value of the rate portion to 0 (that is, a bit string in which all bits are 0) and the value of the capacity portion to the secret key K in the encryption state stored in the storage unit 10. Set to the value of and initialize.

<Additional data calculation unit 14>
In step S14, the additional data calculation unit 14 of the encryption device 1 receives the additional data A from the input unit 11, and uses the additional data A to update the value of the encryption state stored in the storage unit 10.

In this case, the additional data calculation unit 14 is configured as follows.

(Division 141)
The division unit 141 of the additional data calculation unit 14 divides the additional data A into blocks of r bits. The bit length of the additional data A is | A |, n = 1,2, ..., | A | / r, and each value obtained by dividing the additional data A into | A | / r is A _n. And. The r bit of the first block A ₁ ^{is represented by A r,} and the rest is represented by A'. That is, A → ^Ar || A'. In the present embodiment, it is assumed to store confidential data (eg secret nonce) to A ^r.

(Exclusive OR 142)
Exclusive OR unit 142 of the additional data generator 14, the state S _n-1 of the rate portion of the b bits S _R, with respect to r-bit _n-1, the exclusive OR S _R between the values A _{n, n} Request _-1 xor a _n.

(Replacement part 143)
The replacement unit 143 of the additional data calculation unit 14 uses the replacement f for the bit string in which the rate portion S _{R, n-1 of the encryption state S n-1} is replaced with the exclusive OR S _{R, n-1} xor A _n. To find the encryption state S _n. The replacement f: {0, 1} ^b → {0, 1} ^b is a function that replaces the b-bit bit string d with the b-bit bit string e, and is an inverse function f ^{-1 that restores the input value.} : {0, 1} ^b → {0, 1} ^b (a function that replaces the b-bit bit string e with the b-bit bit string d) is a function that can be defined. As the substitution f, for example, the technique described in Non-Patent Document 2 can be used. The processing of the exclusive OR part 142 and the replacement part 143 is repeated from n = 1 to n = | A | / r in order.

Then, the replacement unit 143 outputs the rate portion S _{R, | A | / r of the encryption state S | A | / r} obtained when n = | A | / r as the restoration information RI.

<Boundary setting unit 15>
In step S15, the boundary setting unit 15 of the encryption apparatus 1 the encrypted state S from the additional data generator 14 _| receive _{/ r,} encrypted state S _{| | A A | /} capacity portion _r S _{C, | a | /} inverts a predetermined bit of _r, the encrypted state S _| update _{/ r | a '.} For example, the boundary setting unit 15 calculates the exclusive OR of the capacity portion of the encryption state and the integer value 1 (that is, a bit string in which only the least significant bit is 1), and the calculation result is used to calculate the capacity of the encryption state. Update the city part. In other words, the boundary setting unit 15 inverts only the least significant bit of the encryption state. This operation is performed so that the recipient can determine the boundary between the encrypted data C and the additional data A.

<Message calculation unit 16>
In step S16, the message calculation unit 16 of the encryption device 1 receives the message M from the input unit 11, and uses the message M to update the value of the encryption state stored in the storage unit 10.

(Division 161)
The division unit 161 of the message calculation unit 16 divides the message M into blocks of r bits. Let the bit length of the message M be | M |, let m = 1,2,…, | M | / r, and let each value obtained by dividing the message M into | M | / r pieces be M _m .

(Exclusive OR 162)
The exclusive OR unit 162 of the message calculation unit 16 is for the r bit of the rate portion S _{R, | A | / r + m-1 of the b-bit encryption state S | A | / r + m-1.} Find the exclusive OR S _{R, | A | / r + m-1} xor M _m with the message M _m.

(Replacement part 163)
The replacement unit 163 of the message calculation unit 16 sets the exclusive OR of the rate portion S _{R, | A | / r + m-1 of the encryption state S | A | / r + m-1 S R, | A | /. Replace the bit string replaced with r + m-1} xor M _m with the replacement f to obtain the encryption state S _{| A | / r + m,} and find the rate part of the encryption state S _{| A | / r + m.} Let r bits be the encrypted data C _m, and output the encrypted data C = (C ₁ , C ₂ ,…, C _{| M | / r} ) containing | M | / r encrypted data C _m.

<Tag generator 17>
In step S17, the tag generation unit 17 of the encryption device 1 receives the encryption state S _{| A | / r + | M | / r} from the message calculation unit 16, retrieves the private key K from the storage unit 10, and takes out the encryption state. _{S | a | / r + |} M | / r capacity portion S _{C of, | a | / r + |} M | / r and calculates the exclusive OR of the secret key K, and outputs the calculation result as a tag T To do.

<Output unit 18>
In step S18, the output unit 18 of the encryption device 1 replaces the encrypted data C from the message calculation unit 16, the tag T from the tag generation unit 17, the value A'from the division unit 161 and the restoration information RI from the replacement unit 143. Receives from, and transmits the set (C, T, A', RI) of the encrypted data C, the tag T, the value A', and the restoration information RI to the decryption device 2.

<Decoding device 2>
Of the authentication encryption methods with additional data executed by the authentication encryption system with additional data of the embodiment, the decryption method executed by the decryption device 2 will be described with reference to FIGS. 12 to 13.

<Memory unit 20>
The storage unit 20 of the decryption device 2 is distinguished from a b-bit state (hereinafter, an encryption state stored in the storage unit 10 of the encryption device 1) including an r-bit rate portion and a c-bit capacity portion. Therefore, it is called a decryption state) and the private key K shared in advance with the encryption device 1 is stored. Each value of b, r, and c is assumed to be the same as the state stored in the storage unit 10 of the encryption device 1.

<Input unit 21>
In step S21, the set (C, T, A', RI) of the encrypted data C, the tag T, the value A', and the restoration information RI received from the encryption device 1 is input to the input unit 21 of the decryption device 2. Will be done. In the present embodiment, the value A'is the data for the lower (| A | -r) bits included in the additional data A. The input unit 21 transfers the final block of the encrypted data C and the tag T to the first initialization unit 22, the value A'to the additional data inverse calculation unit 26, and other than the restoration information RI and the final block of the encrypted data C. Each block is input to the encrypted data inverse calculation unit 24, respectively.

<First initialization unit 22>
In step S22, the first initialization unit 22 of the decryption device 2 receives the final block of the encrypted data C and the tag T from the input unit 21, and of the decryption states stored in the storage unit 20, the rate portion of the decryption state. Initialize by setting the value to the value of the last block of encrypted data C and the value of the capacity part to the value of tag T. In other words, the first initialization unit 22 uses the encrypted _{data C | M | / r} and the c-bit tag T contained in the encrypted _{data C = (C 1} , C ₂ ,…, C _{| M | / r).} Set the value concatenated with and as the initial value S _{| A | / r + | M | / r} of the decryption state S. In the subsequent processing, the decoding state S is updated in the order of _{S | A | / r + | M | / r} , S _{| A | / r + | M | / r-1} ,…, S _{| A | / r.} To go.

<Tag decoding unit 23>
In step S23, the tag decoding unit 23 of the decoding device 2 receives the decoding state S _{| A | / r + | M | / r} from the first initialization unit 22, and its capacity portion S _{C, | A | / r + | Find the exclusive OR of M | / r} and the c-bit private key K S _{C, | A | / r + | M | / r} xor K.

<Encrypted data inverse calculation unit 24>
In step S24, the encrypted data inverse calculation unit 24 of the decryption device 2 receives each block other than the final block of the encrypted data C from the input unit 21, and stores _{each block C m of the encrypted data C.} The value of the decryption state S _{| A | / r + m stored in 20 is updated.} m = | M | / r, | M | / r-1,…, 1.

(Reverse replacement part 241)
The inverse substitution unit 241 of the encrypted data inverse calculation unit 24 calculates the inverse function f ^-1 of the substitution f for the entire decryption state of the b bit, and sets the calculation result as the value of the new decryption state. For example, in m = | M | / r (the final block of encrypted data C), the inverse substitution unit 241 has the capacity portion S _{C, | A | / of the decryption state S | A | / r + | M | / r. The} bit string in which r + | M | / r is replaced with the exclusive OR S _{C, | A | / r + | M | / r} ^{xor K is replaced by using the inverse function f -1} , and the decoding state S _{| A | / r + | M | / Find r-1} . Further, in m = (| M | / r) -1, (| M | / r) -2, ..., 1, the inverse substitution unit 241 is the rate portion S _{R of the decoding state S | A | / r + m.} The bit string in which _{, | A | / r + m} is replaced with the encrypted data C _m ^{is replaced by using the inverse function f -1} , and the decryption state S _{| A | / r + m -1} is obtained. The inverse function f ^-1 : {0, 1} ^b → {0, 1} ^b is the inverse function f ^-1 of the substitution f as described above, and the bit string e of the b bit is changed to the bit string d of the b bit. The function to replace.

(Exclusive OR 242)
In m = | M | / r-1, (| M | / r) -2,…, 2,1, the exclusive OR part 242 of the encrypted data inverse calculation unit 24 is in the decryption state S _{| A | / r + m} of rate portion _{S R, | a | / r} + m and an exclusive OR S _R and the encrypted data _{C m, | a | / r} + a _m xor C _m is calculated and decodes the calculation result It is output from the output unit 30 as data M _{m + 1, D.} Incidentally, | M | / r pieces of decoded data M _m, the decoded data is finally output the union of _{D M D = (M 1,} D || M 2, D || ... || M | M | _{/ r, D} ). However, the decoded data M _{1, D} (obtained by decrypting the encrypted data of the first block) is decoded state S _{| A | / r} of rate portion S _{R, | A | / r} and, exclusive of the restoration information RI The exclusive OR S _{R, | A | / r} xor RI is calculated, and the calculation result is output from the output unit 30 as _{decoded data M 1 and D.} If it has not been tampered with, M = M _D.

<Boundary removal unit 25>
In step S25, the boundary removal unit 25 of the decoding device 2 is decoded state S from the encrypted data inverse calculation unit 24 _| receive _{/ r,} decoding state S _{| | A A | /} capacity portion _r S _{C, | A} | Inverts a given bit of _{/ r.} For example, the exclusive OR of the capacity part of the decoding state and the integer value 1 is calculated, and the capacity part of the decoding state is updated according to the calculation result. That is, the boundary removing unit 25 inverts only the least significant bit of the decoding state.

<Additional data inverse calculation unit 26>
In step S26, the additional data inverse calculation unit 26 of the decoding device 2 receives the value A'from the input unit 21 and updates the value of the decoding state stored in the storage unit 20 using the value A'. In this case, the additional data inverse calculation unit 26 is configured as follows.

(Division 261)
The division unit 261 of the additional data inverse calculation unit 26 divides the value A'into r-bit blocks. The bit length of the value A'is | A'|, n = 1,2, ..., | A'| / r, and the value A'is divided into | A'| / r, and each value is obtained. _{Let A'n} . It should be noted that | A'| = | A | -r and n = 1,2, ..., | A | / r-1.

(Reverse replacement part 264)
n = | case / r, reverse replacement section 264 of the additional data inverse calculation unit 26, the decoding state S _{| | A} A _{| / r} of rate portion S _{R, | A | / r} to replace the restoration information RI, decoding state S _{| a | /} capacity portion S _C of _{r, | a | /} a bit string obtained by inverting predetermined bits of _r replaced with an inverse function f ^-1, decoding state S _{| a | / r-1} Ask for.

In the case of n = | A | / r-1, | A | / r-2,…, 1 (| A'| = | A | -r, so n = | A'| / r, | A'| / r-1, ..., 1), the inverse permutation unit 264 of the additional data inverse calculation unit 26, replacement rate portion S _R of the decoding state S _n, a _n exclusive OR S _R, the _n xor a _'n The obtained bit string is ^{replaced by using the inverse function f -1} , and the decoding state S _n -1 is obtained.

(Exclusive OR 263)
Exclusive OR unit 263 of the additional data inverse calculation unit 26, rate portion of the decoding state S _n b bits S _R, with respect to r-bit _n, the exclusive OR S _R between the values A _{'n, n} xor determine the a _'n.

The additional data inverse calculation unit 26 repeats the processing of the inverse replacement unit 264 and the exclusive OR unit 263 from n = | A | / r-1 to n = 1.

<Authentication unit 29>
In step S29, the authentication unit 29 of the decryption device 2 _{receives the decryption state S 0} from the additional data inverse calculation unit 26, takes out the private key K from the storage unit 20, and sets the capacity portions S _{C, 0 of the decryption state S 0.} Message authentication is performed based on whether or not the private key K matches. If the two values are equal, the process proceeds to step S301, and the predetermined bit string (the value corresponding to the initial value of the initialization unit 12, in this example, all bits are 0 bit strings) and the decoding state S _0. The exclusive OR with the rate part S _{R, 0 of} is output from the output unit 30 as the ^{value A r.} If the two values are not equal, the process proceeds to step S302, and an error code indicating that decoding has failed is output from the output unit 30.

<Effect>
With the above configuration, APE that can use secret nonce can be realized. Also, in the conventional APE, while the encryption process uses only one type of substitution f, it is necessary to implement two types of substitutions ^{, the substitution f and the inverse function f -1, during the decryption processing.} Therefore, there is a problem that the mounting cost in the decoding device is high. The decoding device of this embodiment requires ^{only one type of implementation of the inverse function f -1} , and the implementation efficiency is improved. Further, the encryption device side only needs to implement the substitution f, and it is possible to avoid an increase in the implementation cost of the encryption device.

The encryption device according to the present embodiment is also called an encryption data generation device in the sense of generating encrypted data, and the decryption device according to the present embodiment is the decryption data in the sense of generating decryption data. Also called a generator. The encrypted data and the decrypted data are information used for processing by a computer, and use (i) an invention relating to an encrypted data generation method using an encrypted data generator and (ii) a decrypted data generator. Needless to say, the invention relating to the decrypted data generation method falls under the "invention of the method for producing a product" in Article 2, Paragraph 3, Item 3 of the Patent Act.

<Second embodiment>
The part different from the first embodiment will be mainly described.

In the first embodiment, the data amount of the data to be concealed (for example, secret nonce) is r bits (the same as the data amount of the rate portion of the state), but in the present embodiment, the data amount of the data to be concealed is P. Let × r. P is one of an integer greater than or equal to 1. However, the data to be concealed is not limited to r-bit double-length data, and if it is not ^{r-bit double-length data, for example, 10 *} padding is applied to change to r-bit double-length data. Then, this embodiment may be applied.

<Encryption device 1>
Of the authentication encryption methods with additional data executed by the authentication encryption system with additional data of the embodiment, the encryption method executed by the encryption device 1 will be described with reference to FIGS. 10, 14, and 15.

<Additional data calculation unit 14>
In step S14, the additional data calculation unit 14 of the encryption device 1 receives the additional data A from the input unit 11, and uses the additional data A to update the value of the encryption state stored in the storage unit 10.

In this case, the additional data calculation unit 14 is configured as follows.

(Division 141)
The division unit 141 of the additional data calculation unit 14 divides the additional data A into blocks of r bits. The bit length of the additional data A is | A |, n = 1,2, ..., | A | / r, and each value obtained by dividing the additional data A into | A | / r is A _n. And. The data to be concealed (for P × r bits) included in the additional data A is expressed as A ^r = (A ^r ₁ , ^Ar ₂ ,…, A ^r _P ), and ((| A |-(P × r) )) of bits) the remaining portion _{a '= (a' 1,} a '2, ..., a' | a | / rP) represent. Incidentally, p = 1,2, ..., is P, the data of confidential and _{^{A r p, q = 1,2,}} ..., | A | and / rP, and the remainder of A _'q. ^{The data A r} ₁ included in the data to be concealed must be placed at the beginning of the additional data A. The data to be concealed A ^r ₂ ,…, A ^r _P and the part A ′ ₁ , A ′ ₂ ,…, A ′ _{| A | /} r P may be arranged in the additional data A in any manner. For example, when the data A ^r ₁ , ^Ar ₂ , ..., A ^r _P to be concealed is placed at the beginning of the additional data A, A → A ^r || A', and the concealment target is at the beginning of the additional data A. If the _first ^{data A r} 1 of the data is placed and the remaining confidential data A ^r ₂ ,…, A ^r _P is placed at the end of the additional data A, A → A ^r ₁ || A'| | A ^r ₂ ||… || A ^r _P. The data A ^r _p to be concealed may be arranged between the divided part _A'q and the part _{A'q + 1} , but the above two arrangement examples can be considered as practical examples. ^{In addition, the arrangement of the data A r} ₂ ,…, A ^r P and the part A ′ ₁ , A ′ ₂ ,…, A ′ _{| A | / r P to be} concealed in the additional data A is between the receiver and the sender. Share in advance with.

(Exclusive OR 142)
Exclusive OR unit 142 of the additional data generator 14, the state S _n-1 of the rate portion of the b bits S _R, with respect to r-bit _n-1, the exclusive OR S _R between the values A _{n, n} Request _-1 xor a _n.

Further, in the present embodiment, the exclusive OR unit 142 sets the rate portion S _{R, n-1} of the state S _{n-1 when the value A n} is the data A ^r ₂ , ..., A ^r _{P to be concealed.} Restore information Output as _{RI 1} , RI ₂ ,…, RI _P-1.

FIG. 14 shows a processing example when the data to be concealed A ^r ₁ , ^Ar ₂ , ..., A ^r _P is placed at the beginning of the additional data A, and FIG. _{An example is shown in which the first} data A ^r 1 is placed and the remaining confidential data A ^r ₂ , ..., A ^r _P are placed at the end of the additional data A.

(Replacement part 143)
The replacement unit 143 of the additional data calculation unit 14 uses the replacement f for the bit string in which the rate portion S _{R, n-1 of the encryption state S n-1} is replaced with the exclusive OR S _{R, n-1} xor A _n. To find the encryption state S _n.

Then, the replacement unit 143, n = | A | rate portion S _R of _{/ r, | |} / encrypted state obtained S when _{r | A A | /} r outputs as restoration information RI _P.

The processing in the boundary setting unit 15, the message calculation unit 16, and the tag generation unit 17 is the same as that in the first embodiment.

<Output unit 18>
In step S18, the output unit 18 of the encryption device 1, the encrypted data C from the message calculation unit 16, the tag T from the tag generator 17, the value A 'from the division unit 161, the restoration information RI _1, RI ₂ , ..., from the exclusive OR unit 162 the RI _P-1, restoring information RI _P receives from substitution unit 143, = encrypted data C and tag T and the value a 'and restoration information RI (RI _1, RI _2, ..., set of the _{RI P) (C, T,} a ', RI) and transmits the to the decoder 2.

<Decoding device 2>
Of the authentication encryption methods with additional data executed by the authentication encryption system with additional data of the embodiment, the decryption method executed by the decryption device 2 will be described with reference to FIGS. 12, 16 and 17.

<Input unit 21>
In step S21, the set (C, T, A', RI) of the encrypted data C, the tag T, the value A', and the restoration information RI received from the encryption device 1 is input to the input unit 21 of the decryption device 2. Will be done. In the present embodiment, the value A'is the data for (| A |-(P × r)) bits included in the additional data A. The input unit 21 adds the final block of the encrypted data C and the tag T to the first initialization unit 22, the value A'and the restoration information RI ₁ , RI ₂ , ..., RI _P-1. to be inputted each block except the last block of the reconstruction information RI _P and the encrypted data C to the encrypted data inverse calculation unit 24.

The processing in the first initialization unit 22, the tag decryption unit 23, the encrypted data inverse calculation unit 24, and the boundary removal unit 25 is the same as in the first embodiment. However, instead of the reconstruction information RI, using a restoration information RI _P.

<Additional data inverse calculation unit 26>
In step S26, the additional data inverse calculation unit 26 of the decoding device 2 receives the value A'and the restoration information RI ₁ , RI ₂ , ..., RI _P-1 from the input unit 21, and uses these values in the storage unit 20. Update the decryption state value stored in. In this case, the additional data inverse calculation unit 26 is configured as follows.

(Division 261)
The division unit 261 of the additional data inverse calculation unit 26 divides the value A'into r-bit blocks. The bit length of the value A'is | A'|, q = 1,2, ..., | A'| / r, and the value A'is divided into | A'| / r, and each value is obtained. _{Let A'q} . Here, | A'| = | A |-(r × P) and q = 1,2, ..., | A | / rP.

(Reverse replacement part 264)
n = | A | / For r, the inverse substitution unit 264 of the additional data inverse calculation unit 26, the decoding state S _{| A | / r} of rate portion S _{R, | A | / r} to replace the restoration information RI _P, The capacity portion of the decoding state S _{| A | / r S C, | A | / r} is replaced with the inverted bit string of a predetermined bit ^{using the inverse function f -1} , and the decoding state S _{| A | / r-} Find _1.

In the case of n = | A | / r-1, | A | / r-2,…, 1, the inverse substitution unit 264 of the additional data inverse calculation unit 26 sets the rate portion S _{R, n} of the _{decoding state S n.} the output value of the exclusive oR unit 263 to be described later (i) xOR _{S R, n xor a 'q} , or, using the inverse function f ^-1 bit string is replaced with (ii) restoration information RI _p To find the decryption state S _n-1.

(Exclusive OR 263)
The exclusive OR unit 263 of the additional data inverse calculation unit 26 inputs (i) the value _A'q or (ii) the restoration information RI _p .

(i) XOR unit 263 'when the enter _q, rate portion of the decoding state S _n b bits S _R, with respect to r-bit _n, the value A' the value A exclusive of _q sum S _R, seek _n xor a _'q, and outputs the inverse permutation unit 264.

(ii) exclusive unit 263, when receives the restoration information RI _p, rate portion of the decoding state S _n b bits S _R, with respect to r-bit _n, exclusive of the restoration information RI _p The sum S _{R, n} xor RI _p is obtained, and the exclusive OR S _{R, n} xor RI _p is output as the data A _{p + 1 to be concealed.} Further, the exclusive OR unit 263 outputs a bit string in which the rate portions S _{R, n of the decoding state S n} are replaced with the restoration information RI _p to the inverse replacement unit 264.

The additional data inverse calculation unit 26 includes the inverse substitution unit 264 and the exclusive OR in p = 1,2, ..., P-1, q = | A | / rP, | A | / rP-1, ..., 1. The process of unit 263 is repeated.

FIG. 16 shows a processing example when the data to be concealed A ^r ₁ , ^Ar ₂ , ..., A ^r _P is placed at the beginning of the additional data A, and FIG. 17 shows the processing example of the data to be concealed at the beginning of the additional data A. _{An example is shown in which the first} data A ^r 1 is placed and the remaining confidential data A ^r ₂ , ..., A ^r _P are placed at the end of the additional data A. ^{The arrangement of the data A r} ₂ ,…, A ^r P and the part A ′ ₁ , A ′ ₂ ,…, A ′ _{| A | / r P to be} concealed in the additional data A is performed in advance between the receiver and the sender. Since they are shared, the exclusive OR part 263 and the inverse replacement part 264 are input in the order in which they _{are input, whether (i) the value A'q} or (ii) the restoration information RI _p is input, or the decoding state S _n. the rate portion S _R, the _n, it is possible to determine (i) xOR _{S R, n xor a 'q} , or, what is the input bit string is replaced with (ii) restoration information RI _p.

<Authentication unit 29>
In step S29, the authentication unit 29 of the decryption device 2 _{receives the decryption state S 0} from the additional data inverse calculation unit 26, takes out the private key K from the storage unit 20, and sets the capacity portions S _{C, 0 of the decryption state S 0.} Message authentication is performed based on whether or not the private key K matches. If the two values are equal, the process proceeds to step S301, and the predetermined bit string (the value corresponding to the initial value of the initialization unit 12, in this example, all bits are 0 bit strings) and the decoding state S _0. The exclusive OR with the rate part S _{R, 0 of} is output from the output unit 30 as the ^{value A r} _1. If the two values are not equal, the process proceeds to step S302, and an error code indicating that decoding has failed is output from the output unit 30.

<Effect>
With such a configuration, the same effect as that of the first embodiment can be obtained. Furthermore, the size of the data to be concealed can be flexibly set. When P = 1, the configuration is the same as that of the first embodiment, so that the first embodiment can be said to be an example of the second embodiment.

<Other variants>
The present invention is not limited to the above embodiments and modifications. For example, the various processes described above may not only be executed in chronological order according to the description, but may also be executed in parallel or individually as required by the processing capacity of the device that executes the processes. In addition, changes can be made as appropriate without departing from the spirit of the present invention.

<Programs and recording media>
Further, various processing functions in each device described in the above-described embodiment and modification may be realized by a computer. In that case, the processing content of the function that each device should have is described by the program. Then, by executing this program on the computer, various processing functions in each of the above devices are realized on the computer.

The program describing the processing content can be recorded on a computer-readable recording medium. The computer-readable recording medium may be, for example, a magnetic recording device, an optical disk, a photomagnetic recording medium, a semiconductor memory, or the like.

Further, the distribution of this program is performed, for example, by selling, transferring, renting, or the like a portable recording medium such as a DVD or a CD-ROM in which the program is recorded. Further, the program may be distributed by storing the program in the storage device of the server computer and transferring the program from the server computer to another computer via a network.

A computer that executes such a program first temporarily stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage unit. Then, when the process is executed, the computer reads the program stored in its own storage unit and executes the process according to the read program. Further, as another embodiment of this program, a computer may read the program directly from a portable recording medium and execute processing according to the program. Further, each time the program is transferred from the server computer to this computer, the processing according to the received program may be executed sequentially. In addition, the above processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition without transferring the program from the server computer to this computer. May be. The program shall include information used for processing by a computer and equivalent to the program (data that is not a direct command to the computer but has a property of defining the processing of the computer, etc.).

Further, although each device is configured by executing a predetermined program on a computer, at least a part of these processing contents may be realized by hardware.

Claims (9)

An authenticated encryption system with additional data that includes an encrypted data generator and a decrypted data generator.
The encrypted data generator is
The bit length of the private key K is c-bit, the b-bit information including the rate part of r-bit and the capacity part of c-bit is the state, and the bit length of additional data A is | A |.
^{A dividing part that divides the additional data A into a value A r} that includes r-bit data to be concealed and a value A'that is not concealed for (| A | -r) bits.
Let n = 1,2, ..., | A | / r, and let each value obtained by dividing the additional data A into | A | / r pieces be A _n, and concatenate the predetermined bit string and the private key K. Let the value obtained be the initial value S ₀ of the encryption state, and the b-bit encryption state S _n-1 rate portion S R, the exclusive OR with the _{value A n} for the r bits of _{n-1 S R,} a first exclusive OR unit for obtaining the _n-1 xor a _n,
Let the function that replaces the bit string d of the b bits with the bit string e of the b bits be the permutation f, and the rate part S _{R, n-1 of the encryption state S n-1 is} the exclusive OR S _{R, n-1} xor. Replace with A _n , replace the replaced bit string with the replacement f, find the replaced bit string as the encryption state S _n , and set the rate part S _{R, | A | / r} of the _{encryption state S | A | / r.} The first replacement part that is output as the restoration information RI,
Capacity part of encryption state S _{| A | / r} A boundary setting part that inverts a predetermined bit of _{S C, | A | / r,}
The bit length of the message M is | M |, m = 1,2,…, | M | / r, and each value obtained by dividing the message M into | M | / r is M _m , b. Bit encryption state S _{| A | / r + m-1} rate portion S _{R, | A | / r + m-1} exclusive OR with _{message M m} for r bits _{S R, | A | / r + m-1} xor M _m The second exclusive OR part,
The rate portion S _{R, | A | / r + m-1} of the encryption state S _{| A | / r + m-1 is} the exclusive OR S _{R, | A | / r + m-1} xor M _m. the replacement, the bit string replacing substituted with a substituent f, and the bit string obtained by replacing the encrypted state S _| determined as _{/ r + m,} the encrypted state _{S | | a a | / r} + r of rate portion of the _m bits and the encrypted data C _m, | _M | / r pieces of encrypted data C including the encrypted data _{C m = (C 1, C} 2, ..., C | M | / r) second replacement for outputting Department and
A tag generator that outputs the exclusive OR of the private key K and the capacity part S _{C, | A | / r + | M | / r of the} encryption state S _{| A | / r + | M | / r as the tag T.} When,
Includes an output unit that outputs the encrypted data C, the tag T, the value A', and the restoration information RI.
The decoded data generator is
An input unit that receives the encrypted data C, the tag T, the value A', and the restoration information RI.
The decryption state is the value obtained by concatenating the encrypted data C _{| M | / r} contained in the encrypted data C = (C ₁ , C ₂ , ..., C _{| M | / r) and the tag T of the c bit.} The initial value of S is S _{| A | / r + | M | / r,} and the capacity portion of the decoding state S _{| A | / r + | M | / r S C, | A | / r + | M | / r} and c bits Exclusive OR with the private key K S _{C, | A | / r + | M | / r} xor K
The inverse of the substitution f used when encrypting and f ^-1, the decoded state _{S | A | / r + |} M | / r capacity portion S _{C of, | A | / r + |} M | / r Is replaced with the exclusive OR S _{C, | A | / r + | M | / r} xor K, the replaced bit string is replaced with the inverse function f ^-1 , and the replaced bit string is in the decoding state S _{| A | /} The third permutation part obtained as _{r + | M | / r-1 and}
m = 1,2, ..., | M | / In r-1, the decoding state S _{| A | / r + m} of rate portion _{S R, | A | / r} + and _m, exclusive of the encrypted data C _m OR _{, | A | / r + m} xor C _m is output as decoded data M _{m + 1} , and the fourth exclusive OR part,
In m = 1,2, ..., | M | / r-1, the rate portion S _{R, | A | / r + m of the decryption state S | A | / r + m} is replaced with the encrypted data C m. The fourth substitution part, in which the replaced bit string is replaced ^{by using the inverse function f -1} , and the replaced bit string is obtained as the decoding state S _{| A | / r + m-1,}
The exclusive OR of the rate part S _{R, | A | / r of the} decoding state S _{| A | / r} and the restoration information RI S _{R, | A | / r} xor RI is output as the _{decoding data M 1, D.} With the 5th exclusive OR part,
Demarcation state S _{| A | / r} capacity portion S _{C, | A | / r} demarcation section that inverts a given bit,
Said decoding state S _{| A | / r} of rate portion S _{R, | A | / r} to replace the restoration information RI, the decoded state S _{| A | / r} capacity portion S _{C of, | A | / r} of The fifth substitution part, in which the bit string obtained by inverting a predetermined bit is ^{replaced by using the inverse function f -1} , and the replaced bit string is obtained as the decoding state S _{| A | / r-1,}
'The | A' | the value A / r pieces each value obtained by dividing the the _{A 'n, n = 1,2,} ..., | A | In / r-1, rate portion of the decoding state S _n S _R, and _n, 'xOR S _R and _{n, n} xor a' the value a and the sixth exclusive OR unit for obtaining the _n,
n = 1,2, ..., | A | / In r-1, the decoding state S _n of the rate portion S _{R, n} exclusive OR S _{R, n} xor A 'replaced by _n, the bit string replacing reverse The sixth substitution part, which is replaced by using the function f ^-1 and the replaced bit string is obtained as the decoding state S _n-1,
Message authentication is performed based on whether or not the capacity portion S _{C, 0} of the decryption state S 0 and the private key K match, and if they match, the predetermined bit string and the rate portion S _{R of the decryption state S 0, 0} and an authentication unit for outputting an exclusive OR as the value a ^r of viewing including,
The above substitution f is a substitution indistinguishable from a random substitution ,
Authenticated encryption system with additional data. An authenticated encryption system with additional data that includes an encrypted data generator and a decrypted data generator.
The encrypted data generator is
The bit length of the private key K is c-bit, the b-bit information including the rate part of r-bit and the capacity part of c-bit is the state, and the bit length of additional data A is | A |.
^{The additional data A is the value A r} = (A ^r ₁ , ^Ar ₂ ,…, ^Ar _P ) and (| A | -P × r) bits that include the data to be concealed in the P × r bits. no value _{a '= (a' 1,} a '2, ..., a' | / rP | a) and a dividing portion for dividing into,
Let n = 1,2, ..., | A | / r, and let each value obtained by dividing the additional data A into | A | / r pieces be A _n, and concatenate the predetermined bit string and the private key K. Let the value obtained be the initial value S ₀ of the encryption state, and the b-bit encryption state S _n-1 rate portion S R, the exclusive OR with the _{value A n} for the r bits of _{n-1 S R, Find n-1} xor A _n, and if the value A _n is the data A ^r ₂ , A ^r ₃ , ..., A ^r _{P to} be concealed, restore the rate part S _{R, n-1} of the state S _n-1. Information RI ₁ , RI ₂ ,…, RI _P-1 output as the first exclusive OR part,
Let the function that replaces the bit string d of the b bits with the bit string e of the b bits be the permutation f, and the rate part S _{R, n-1 of the encryption state S n-1 is} the exclusive OR S _{R, n-1} xor. Replace with A _n , replace the replaced bit string with the replacement f, find the replaced bit string as the encryption state S _n , and set the rate part S _{R, | A | / r} of the _{encryption state S | A | / r.} a first replacement unit for outputting a restoration information RI _P,
Capacity part of encryption state S _{| A | / r} A boundary setting part that inverts a predetermined bit of _{S C, | A | / r,}
The bit length of the message M is | M |, m = 1,2,…, | M | / r, and each value obtained by dividing the message M into | M | / r is M _m , b. Bit encryption state S _{| A | / r + m-1} rate portion S _{R, | A | / r + m-1} exclusive OR with _{message M m} for r bits _{S R, | A | / r + m-1} xor M _m The second exclusive OR part,
The rate portion S _{R, | A | / r + m-1} of the encryption state S _{| A | / r + m-1 is} the exclusive OR S _{R, | A | / r + m-1} xor M _m. the replacement, the bit string replacing substituted with a substituent f, and the bit string obtained by replacing the encrypted state S _| determined as _{/ r + m,} the encrypted state _{S | | a a | / r} + r of rate portion of the _m bits and the encrypted data C _m, | _M | / r pieces of encrypted data C including the encrypted data _{C m = (C 1, C} 2, ..., C | M | / r) second replacement for outputting Department and
A tag generator that outputs the exclusive OR of the private key K and the capacity part S _{C, | A | / r + | M | / r of the} encryption state S _{| A | / r + | M | / r as the tag T.} When,
It includes an output unit that outputs the encrypted data C, the tag T, the value A', and the restoration information RI = (RI ₁ , RI ₂ , ..., RI _P).
The decoded data generator is
An input unit that receives the encrypted data C, the tag T, the value A', and the restoration information RI.
The decryption state is the value obtained by concatenating the encrypted data C _{| M | / r} contained in the encrypted data C = (C ₁ , C ₂ , ..., C _{| M | / r) and the tag T of the c bit.} The initial value of S is S _{| A | / r + | M | / r,} and the capacity portion of the decoding state S _{| A | / r + | M | / r S C, | A | / r + | M | / r} and c bits Exclusive OR with the private key K S _{C, | A | / r + | M | / r} xor K
The inverse of the substitution f used when encrypting and f ^-1, the decoded state _{S | A | / r + |} M | / r capacity portion S _{C of, | A | / r + |} M | / r Is replaced with the exclusive OR S _{C, | A | / r + | M | / r} xor K, the replaced bit string is replaced with the inverse function f ^-1 , and the replaced bit string is in the decoding state S _{| A | /} The third permutation part obtained as _{r + | M | / r-1 and}
m = 1,2, ..., | M | / In r-1, the decoding state S _{| A | / r + m} of rate portion _{S R, | A | / r} + and _m, exclusive of the encrypted data C _m OR _{, | A | / r + m} xor C _m is output as decoded data M _{m + 1} , and the fourth exclusive OR part,
In m = 1,2, ..., | M | / r-1, the rate portion S _{R, | A | / r + m of the decryption state S | A | / r + m} is replaced with the encrypted data C m. The fourth substitution part, in which the replaced bit string is replaced ^{by using the inverse function f -1} , and the replaced bit string is obtained as the decoding state S _{| A | / r + m-1,}
Decoding state S _{| A | / r} of rate portion S _{R, | A |} and _{/ r,} exclusive S _R of the restoration information RI _{P, |} a _{/ r} xor RI _P decoded data M _{1, D | A} The fifth exclusive OR part to be output and
Demarcation state S _{| A | / r} capacity portion S _{C, | A | / r} demarcation section that inverts a given bit,
Said decoding state S _{| A | / r} of rate portion S _{R, | A | / r} to replace the restoration information RI _P, the decoded state S _{| A | /} capacity portion _{r S C, | A | /} r The fifth substitution part, in which the bit string obtained by inverting the predetermined bits of is ^{replaced by using the inverse function f -1} , and the replaced bit string is obtained as the decoding state S _{| A | / r-1,}
'The | A' | the value A / r pieces each value obtained by dividing the the _{A 'q, q = 1,2,} ..., | A | / rP and p = 1,2, ..., P- in 1, (i) value a 'when the enter _q, rate portion S _R of the decoding state S _n, and _n, the value a' calculated exclusive OR S _R and _q, the _n xor a _'q , (Ii) When the restoration information RI _p is input, the exclusive OR S _{R, n} xor RI _p with the restoration information RI _p is obtained for the r bits of the rate part S _{R, n} of the decoding state S _n. , Exclusive OR S _{R, n} xor RI _p is output as _{data A p + 1} to be concealed.
n = 1,2, ..., | A | / In r-1, the decoding state S _n of the rate portion S _R, the _n (i) XOR _{S R, n xor A 'q} , or, (ii ) The sixth substitution part, which is replaced with the restoration information RI _p , the replaced bit string is replaced ^{by using the inverse function f -1} , and the replaced bit string is obtained as the decoding state S _n-1.
Message authentication is performed based on whether or not the capacity portion S _{C, 0} of the decryption state S 0 and the private key K match, and if they match, the predetermined bit string and the rate portion S _{R of the decryption state S 0, 0} and outputs the exclusive OR as the value a ^r ₁ viewed including the authentication unit and,
The above substitution f is a substitution indistinguishable from a random substitution ,
Authenticated encryption system with additional data. The encrypted data generator according to claim 1 or 2. The decrypted data generator according to claim 1 or 2. An authentication encryption method with additional data using an encrypted data generator and a decrypted data generator.
The encrypted data generator
The bit length of the private key K is c-bit, the b-bit information including the rate part of r-bit and the capacity part of c-bit is the state, and the bit length of additional data A is | A |.
^{A split step that divides the additional data A into a value A r} that contains r bits of data to be hidden and a value A'that is not hidden by (| A | -r) bits.
Let n = 1,2, ..., | A | / r, and let each value obtained by dividing the additional data A into | A | / r pieces be A _n, and concatenate the predetermined bit string and the private key K. Let the value obtained be the initial value S ₀ of the encryption state, and the b-bit encryption state S _n-1 rate portion S R, the exclusive OR with the _{value A n} for the r bits of _{n-1 S R,} a first exclusive OR step of obtaining _n-1 xor a _n,
Let the function that replaces the bit string d of the b bits with the bit string e of the b bits be the permutation f, and the rate part S _{R, n-1 of the encryption state S n-1 is} the exclusive OR S _{R, n-1} xor. Replace with A _n , replace the replaced bit string with the replacement f, find the replaced bit string as the encryption state S _n , and set the rate part S _{R, | A | / r} of the _{encryption state S | A | / r.} The first replacement step to be output as the restore information RI, and
A demarcation step that inverts a given bit of the encryption state S _{| A | / r} capacity portion S _{C, | A | / r, and}
The bit length of the message M is | M |, m = 1,2,…, | M | / r, and each value obtained by dividing the message M into | M | / r is M _m , b. Bit encryption state S _{| A | / r + m-1} rate portion S _{R, | A | / r + m-1} exclusive OR with _{message M m} for r bits _{S R, | A | / r + m-1} xor M _m The second exclusive OR step and
The rate portion S _{R, | A | / r + m-1} of the encryption state S _{| A | / r + m-1 is} the exclusive OR S _{R, | A | / r + m-1} xor M _m. the replacement, the bit string replacing substituted with a substituent f, and the bit string obtained by replacing the encrypted state S _| determined as _{/ r + m,} the encrypted state _{S | | a a | / r} + r of rate portion of the _m bits and the encrypted data C _m, | _M | / r pieces of encrypted data C including the encrypted data _{C m = (C 1, C} 2, ..., C | M | / r) second replacement for outputting Steps and
Tag generation step that outputs the exclusive OR of the private key K and the capacity part S _{C, | A | / r + | M | / r of the} encryption state S _{| A | / r + | M | / r as the tag T.} When,
The output step of outputting the encrypted data C, the tag T, the value A', and the restoration information RI is executed.
The decoded data generator
An input step for receiving the encrypted data C, the tag T, the value A', and the restoration information RI.
The decryption state is the value obtained by concatenating the encrypted data C _{| M | / r} contained in the encrypted data C = (C ₁ , C ₂ , ..., C _{| M | / r) and the tag T of the c bit.} The initial value of S is S _{| A | / r + | M | / r,} and the capacity portion of the decoding state S _{| A | / r + | M | / r S C, | A | / r + | M | / r} and c bits Exclusive OR with the private key K S _{C, | A | / r + | M | / r} xor K
The inverse of the substitution f used when encrypting and f ^-1, the decoded state _{S | A | / r + |} M | / r capacity portion S _{C of, | A | / r + |} M | / r Is replaced with the exclusive OR S _{C, | A | / r + | M | / r} xor K, the replaced bit string is replaced with the inverse function f ^-1 , and the replaced bit string is in the decoding state S _{| A | /} The third substitution step obtained as _{r + | M | / r-1 and}
m = 1,2, ..., | M | / In r-1, the decoding state S _{| A | / r + m} of rate portion _{S R, | A | / r} + and _m, exclusive of the encrypted data C _m OR The fourth exclusive OR step that outputs _{S R, | A | / r + m} xor C _m as decrypted data M _{m + 1 and}
In m = 1,2, ..., | M | / r-1, the rate portion S _{R, | A | / r + m of the decryption state S | A | / r + m} is replaced with the encrypted data C m. The fourth replacement step, in which the replaced bit string is replaced ^{by using the inverse function f -1} , and the replaced bit string is obtained as the decoding state S _{| A | / r + m-1,}
The exclusive OR of the rate part S _{R, | A | / r of the} decoding state S _{| A | / r} and the restoration information RI S _{R, | A | / r} xor RI is output as the _{decoding data M 1, D.} The fifth exclusive OR step and
A demarcation step that inverts a given bit of the capacity portion S _{C, | A | / r} of the decryption state S _{| A | / r,}
Said decoding state S _{| A | / r} of rate portion S _{R, | A | / r} to replace the restoration information RI, the decoded state S _{| A | / r} capacity portion S _{C of, | A | / r} of The fifth substitution step, in which the bit string obtained by inverting a predetermined bit is ^{replaced by using the inverse function f -1} , and the replaced bit string is obtained as the decoding state S _{| A | / r-1,}
'The | A' | the value A / r pieces each value obtained by dividing the the _{A 'n, n = 1,2,} ..., | A | In / r-1, rate portion of the decoding state S _n S _R, and _n, 'xOR S _R and _{n, n} xor a' the value a and the sixth exclusive OR step of determining _n,
n = 1,2, ..., | A | / In r-1, the decoding state S _n of the rate portion S _{R, n} exclusive OR S _{R, n} xor A 'replaced by _n, the bit string replacing reverse The sixth replacement step of substituting using the function f ^-1 and finding the replaced bit string as the decoding state S _n-1.
Message authentication is performed based on whether or not the capacity portion S _{C, 0} of the decryption state S 0 and the private key K match, and if they match, the predetermined bit string and the rate portion S _{R of the decryption state S 0,} Execute the authentication step that outputs the exclusive OR with ₀ ^{as the value Ar} ,
The above substitution f is a substitution indistinguishable from a random substitution ,
Authenticated encryption method with additional data. The encrypted data generator according to claim 5 has the division step, the first exclusive OR step, the first replacement step, the boundary setting step, and the second exclusive OR step. Execute the step, the second replacement step, the tag generation step, and the output step.
Encrypted data generation method. The decoding data generator according to claim 5 has the input step, the third exclusive OR step, the third replacement step, the fourth exclusive OR step, and the fourth replacement. The step, the fifth exclusive OR step, the boundary removal step, the fifth replacement step, the sixth exclusive OR step, the sixth replacement step, and the authentication step are executed. ,
Decrypted data generation method. A program for operating a computer as the encrypted data generation device of claim 3. A program for operating a computer as the decryption data generation device of claim 4.

Images