JP7244060B2 - Block cipher device, block cipher method and program - Google Patents

Description

The present invention relates to a block cipher apparatus and block cipher method for encrypting plaintext, and further to a program for realizing these.

Match-in-the-middle attack is known as one of cryptanalysis methods for block ciphers. Match-in-the-middle attack is a cryptanalysis method that divides a block cipher into two sub-ciphers and narrows down the key candidates by confirming that the intermediate value calculated from the plaintext side and the intermediate value u calculated from the ciphertext side match. be. In recent years, match-in-the-middle attacks have been applied as preimage attacks to hash functions, and have been remarkably improved. As an improvement method of the conventional match-in-the-middle attack, there is a method called Biclique Cryptanalysis (see, for example, Non-Patent Document 1). Biclique Cryptanalysis is an attack that divides a private key into groups that satisfy characteristics called Biclique and efficiently performs middle match attacks (see, for example, Non-Patent Document 2).

A. Bogdanov, D. Khovratovich, and C. Rechberger,’Biclique Cryptanalysis of the Full AES,’ASIACRYPT 2011, LNCS 7073, pp.344--371, Springer (2011) W. Diffie, M. E. Hellman: Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer 10 (6): 74-84.

However, until now, no method has been proposed to configure a block cipher that is secure against Biclique Cryptanalysis, and a secure block cipher could not be configured.

SUMMARY OF THE INVENTION Accordingly, one example of an object of the present invention is to provide a block cipher apparatus, a block cipher method, and a program capable of constructing a block cipher that is safe against Biclique Cryptanalysis.

To achieve the above object, a block cipher device according to one aspect of the present invention is a block cipher device that encrypts a plaintext with a block length of b bits using a secret key with a key length of b bits,
a plaintext splitting unit that splits the plaintext into d n-bit data sub-blocks;
a key splitting unit for splitting the private key into d n-bit key sub-blocks;
an encryption unit that repeats r rounds of a first process using a round function on the d n-bit data sub-blocks;
a key schedule processing unit that repeats r rounds of a second process using a bijective function on the d n-bit key sub-blocks;
a calculation unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext;
with
In the key schedule processing unit,
In a second process of the first round, the d n-bit key sub-blocks generated by the key dividing unit are input to the bijective function,
In the i (i = 2 to r) round second process, the output of the (i-1) round second process is used as the input of the bijective function,
In the encryption unit,
In the first processing of one round, each of the d n-bit data sub-blocks generated by the plaintext dividing unit and each of the d n-bit key sub-blocks generated by the key dividing unit are The result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
The round function is a d×d matrix formula that propagates the effect of a rounding difference of 1 in d n-bit data sub-blocks to be input to all other data sub-blocks. .

In order to achieve the above object, a block cipher apparatus according to one aspect of the present invention is a block cipher apparatus that encrypts a plaintext with a block length of b bits using a secret key with a key length of b bits,
a plaintext splitting unit that splits the plaintext into d n-bit data sub-blocks;
a key splitting unit for splitting the private key into d n-bit key sub-blocks;
an encryption unit that repeats r rounds of a first process using a round function on the d n-bit data sub-blocks;
a key schedule processing unit that repeats r rounds of second processing using a round function on the d n-bit key sub-blocks;
a calculation unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext;
with
In the key schedule processing unit,
In a second process of the first round, the d n-bit key sub-blocks generated by the key dividing unit are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In the encryption unit,
In the first process of the first round, each of the d n-bit data sub-blocks generated by the plaintext dividing unit and each of the d n-bit key sub-blocks generated by the key dividing unit is calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i = 2 to r) round first process, the output of the first process of (i-1) round and the output of the second process of (i-1) round are calculated, The result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When comparing the n-bit data sub-block and the n-bit key sub-block when the first process and the second process are performed in reverse, there is always an overlap of rounding differences. do.

In order to achieve the above object, a block cipher method according to one aspect of the present invention is a block cipher method for encrypting plaintext with a block length of b bits using a secret key with a key length of b bits,
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating a first process using a round function for r rounds on said d n-bit data sub-blocks;
(d) repeating a second process using a bijective function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
with
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to the bijective function,
In the i (i = 2 to r) round second process, the output of the (i-1) round second process is used as the input of the bijective function,
In step (c),
In a first process of the first round, each of the d n-bit data sub-blocks generated in step (a) and the d n-bit key sub-blocks generated in step (b) are calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
wherein the round function is a d×d matrix equation that propagates the effect of a rounding difference of 1 in d n-bit data sub-blocks to be input to all other data sub-blocks. do.

In order to achieve the above object, a block cipher method according to one aspect of the present invention is a block cipher method for encrypting plaintext with a block length of b bits using a secret key with a key length of b bits,
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating a first process using a round function for r rounds on said d n-bit data sub-blocks;
(d) repeating a second process using a round function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
with
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In step (c),
In a first round of processing, each of the d n-bit data sub-blocks generated in step (a) and each of the d n-bit key sub-blocks generated in step (b). is calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When comparing the n-bit data sub-block and the n-bit key sub-block when the first process and the second process are performed in reverse, there is always an overlap of rounding differences. do.

In order to achieve the above object, a program according to one aspect of the present invention causes a computer to encrypt plaintext with a block length of b bits using a secret key with a key length of b bits, comprising:
to the computer;
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating a first process using a round function for r rounds on said d n-bit data sub-blocks;
(d) repeating a second process using a bijective function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
and
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to the bijective function,
In the i (i = 2 to r) round second process, the output of the (i-1) round second process is used as the input of the bijective function,
In step (c),
In a first process of the first round, each of the d n-bit data sub-blocks generated in step (a) and the d n-bit key sub-blocks generated in step (b) are calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
wherein the round function is a d×d matrix equation that propagates the effect of a rounding difference of 1 in d n-bit data sub-blocks to be input to all other data sub-blocks. do.

Furthermore, in order to achieve the above object, a program in one aspect of the present invention causes a computer to encrypt plaintext with a block length of b bits using a secret key with a key length of b bits, comprising:
to the computer;
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating a first process using a round function for r rounds on said d n-bit data sub-blocks;
(d) repeating a second process using a round function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
and
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In step (c),
In a first process of the first round, each of the d n-bit data sub-blocks generated in step (a) and the d n-bit key sub-blocks generated in step (b) are calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When comparing the n-bit data sub-block and the n-bit key sub-block when the first process and the second process are performed in reverse, there is always an overlap of rounding differences. do.

As described above, according to the block cipher apparatus, block cipher method, and program of the present invention, a block cipher that is safe against Biclique Cryptanalysis can be constructed.

FIG. 1 is a configuration diagram of a block cipher apparatus according to Embodiment 1 of the present invention. FIG. 2 is a diagram explaining an algorithm in the block cipher device according to Embodiment 1 of the present invention. FIG. 3 is a flow chart showing the operation of the block cipher device according to Embodiment 1 of the present invention. FIG. 4 is a diagram for explaining a configuration method of Biclike characteristics. FIG. 5 is a diagram showing transition states of overlapping differences in FIG. FIG. 6 is a diagram showing that the Biclike property does not hold in encryption by the block cipher apparatus according to Embodiment 1 of the present invention. FIG. 7 is a diagram showing that the Biclike property does not hold in encryption by the block cipher apparatus according to Embodiment 1 of the present invention. FIG. 8 is a diagram showing that the Biclike property does not hold in the encryption according to the modification. FIG. 9 is a diagram showing that the Biclike property does not hold in the encryption according to the modification. FIG. 10 is a diagram explaining an algorithm in the block cipher device according to Embodiment 2 of the present invention. FIG. 11 is a flow chart showing the operation of the block cipher apparatus according to Embodiment 2 of the present invention. FIG. 12 is a diagram showing that the Biclike property does not hold in encryption by the block cipher apparatus according to the second embodiment. FIG. 13 is a diagram showing that the Biclike property does not hold in encryption by the block cipher apparatus according to the second embodiment. FIG. 14 is a diagram showing that the Biclike property does not hold in the encryption according to the modification. FIG. 15 is a diagram showing that the Biclike property does not hold in the encryption according to the modification. FIG. 16 is a block diagram showing an example of a computer that implements the block cipher apparatus according to Embodiments 1 and 2 of the present invention.

(Embodiment 1)
A block cipher apparatus and a block cipher method according to Embodiment 1 of the present invention will be described below with reference to FIGS. 1 to 9. FIG.

[Device configuration]
FIG. 1 is a configuration diagram of a block cipher apparatus according to Embodiment 1 of the present invention.

The block cipher device 1 is a device that block-ciphers a plaintext with a block length of b bits using a secret key with a key length of b bits. As shown in FIG. 1 , the block cipher device 1 includes a plaintext division unit 2 , a key division unit 3 , an encryption unit 4 , a key schedule processing unit 5 and a calculation unit 6 .

The plaintext dividing unit 2 divides the b-bit plaintext input to the block cipher device 1 into d n-bit data sub-blocks.

The key division unit 3 divides the secret key input to the block cipher device 1 into d n-bit key sub-blocks.

The encryption unit 4 repeats r rounds of the first process using the round function on the d n-bit data sub-blocks generated by the plaintext division unit 2 .

The key schedule processing unit 5 repeats r rounds of the second processing using the bijective function on the d n-bit key sub-blocks generated by the key dividing unit 3 . In the second process of the first round in this key schedule processing unit, the d n-bit key sub-blocks generated by the key dividing unit 3 are used as inputs of the bijective function. In addition, in the i-th (i=2 to r)-th round second processing, the output of the (i-1)-th round second processing is used as the input of the bijective function.

A calculation unit 6 calculates the output of the encryption unit 4 and the output of the key schedule processing unit 5, and outputs a ciphertext.

In the encryption unit 4, in the first process of the first round, each of d n-bit data sub-blocks generated by the plaintext division unit 2 and d n-bit keys generated by the key division unit 3 are Compute each sub-block. A result obtained by performing nonlinear transformation processing on the calculation result is used as an input of the round function. In addition, in the i (i=2 to r) round first process, the output of the (i−1) round first process and the (i−1) round and the output of the second process. A result obtained by performing nonlinear transformation processing on the calculation result is used as an input of the round function.

The round function used in the first processing of the encryption unit 4 is a matrix operation formula that causes the influence of the rounding difference of 1 in the input n-bit data sub-block to affect all other data sub-blocks. Further, the calculation executed in the first process of the encryption unit 4 is either arithmetic addition, arithmetic subtraction, or exclusive OR.

The block cipher apparatus 1 of the first embodiment can construct a block cipher that is safe against Biclique Cryptanalysis.

Next, the configuration of the block cipher apparatus 1 according to the first embodiment will be specifically described with reference to FIGS. 2 to 9. FIG.

FIG. 2 is a diagram explaining an algorithm in the block cipher device 1 according to Embodiment 1 of the present invention. The block cipher device 1 includes the plaintext division unit 2, the key division unit 3, the encryption unit 4, the key schedule processing unit 5, and the calculation unit 6 described above. Plaintext and a secret key are input to the block cipher device 1 as shown in FIG. In Embodiment 1, the plaintext block length is b bits. Also, the private key has a key length of b bits, which is the same as the plaintext block length.

The plaintext division unit 2 divides the plaintext input to the block cipher device 1 into d n-bit data sub-blocks. The key dividing unit 3 also divides the secret key input to the block cipher device 1 into d n-bit key sub-blocks.

The key schedule processing unit 5 has a bijection calculation unit 51 . The bijection calculator 51 performs calculation using a bijection function on d n-bit key sub-blocks. In the key schedule processing unit 5, the calculation processing performed by the bijection calculation unit 51 is defined as the second processing, and this second processing is repeated r rounds.

In the second process of the first round, d n-bit key sub-blocks generated by the key division unit 3 are input to the bijection calculation unit 51 . In the second process from the second round onward, the results calculated by the bijection calculator 51 in the previous round are input to the bijection calculator 51 .

The encryption unit 4 has a logic operation unit 41 , an S layer unit 42 and a matrix operation unit 43 .

The logical operation unit 41 performs an exclusive OR operation on the input d n-bit data sub-blocks and d n-bit key sub-blocks. The operation performed by the logic operation unit 41 may be arithmetic addition or arithmetic subtraction.

The S layer section 42 performs nonlinear conversion on the output of the logical operation section 41 . The S layer part 42 functions as an S box (substitution box) in common key cryptography. For example, the S layer section 42 performs nonlinear conversion based on a stored conversion table.

The matrix calculator 43 performs arithmetic processing using a d×d matrix. The matrix calculator 43 functions as data agitation by MDS (Maximum Distance Separation) conversion. MDS transform is transform using an MDS matrix. In the MDS conversion in the matrix calculator 43, if one of the input data sub-blocks is affected by the exclusive OR difference between the two data, the effect of the difference spreads to all the output data sub-blocks. do. The MDS transform in the matrix calculator 43 is represented by the following equation.

The encryption unit 4 sets the processing by the logical operation unit 41, the S layer unit 42, and the matrix operation unit 43 as one first process, and repeats this first process for r rounds.

In the first process of the first round, the logical operation unit 41 receives d n-bit data sub-blocks generated by the plaintext dividing unit 2 and d n-bit keys generated by the key dividing unit 3. A sub-block is entered. Then, the logical operation unit 41 computes the exclusive OR of the two input data.

In the first process from the second round onwards, the result calculated by the matrix calculator 43 in the previous round and the result calculated by the bijection calculator 51 in the previous round are input to the logical calculator 41. be done.

The calculation unit 6 calculates exclusive logic between the output of the encryption unit 4 and the output of the key schedule processing unit 5 . The calculation performed by the calculation unit 6 may be arithmetic addition or arithmetic subtraction. The output of the encryption unit 4 is the output of the matrix calculation unit 43 of the first process of the final round (r round). Also, the output of the key schedule processing unit 5 is the output of the bijection calculation unit 51 of the second process of the final round (r round). The output of the computing unit 6 is the plaintext ciphertext block-encrypted by the block cipher device 1 .

[Description of operation]
Next, the operation of the block cipher device 1 according to Embodiment 1 of the present invention will be explained using FIG. FIG. 3 is a flow chart showing the operation of the block cipher device 1 according to Embodiment 1 of the present invention. In the following description, FIG. 1 and FIG. 2 are appropriately referred to. Further, in the first embodiment, the block cipher method is implemented by operating the block cipher device 1 . Therefore, the description of the block cipher method in this embodiment is replaced with the description of the operation of the block cipher device 1 below.

First, it is assumed that the block cipher apparatus 1 is supplied with a plaintext with a block length of b bits and a secret key with a key length of b bits, which is the same as the block length of the plaintext.

On the above premise, as shown in FIG. 3, the plaintext dividing unit 2 divides b-bit plaintext into d n-bit data sub-blocks (S1). The key dividing unit 3 divides the b-bit secret key into d n-bit key sub-blocks (S2).

In the first round, the logical operation unit 41 of the encryption unit 4 performs exclusive processing on the d n-bit data sub-blocks generated in S1 and the d n-bit key sub-blocks generated in S2. A logical sum is calculated (S3). Next, the S layer section 42 of the encryption section 4 performs non-linear conversion on the calculation result of the exclusive OR in S3 based on the stored conversion table (S4). Then, the matrix calculator 43 of the encryption unit 4 performs MDS conversion using a d×d matrix on the nonlinear conversion of S4 (S5). Further, the bijection calculation unit 51 of the key schedule processing unit 5 performs S2
Calculation using a bijective function is performed on the d n-bit key sub-blocks generated in (S6).

If the processing of S3 to S6 is not the processing of the r-th round, which is the final round (S7: NO), the processing of S3 to S6 is repeated. From the second round onwards, the logical operation unit 41 of the encryption unit 4 computes the exclusive OR of the conversion result of S5 and the calculation result of S6 (S3). Also, the bijection calculation unit 51 of the key schedule processing unit 5 performs calculation using a bijection function on the calculation result of S6 in the previous round (S6).

If the processing of S3 to S6 is the rth round processing (S7: YES), the calculation unit 6 performs the exclusive ethical sum of the conversion result of S5 in the final round and the calculation result of S6 in the final round. is calculated (S8).

[Effects of Embodiment 1]
The block cipher apparatus 1 configured as described above can encrypt plaintext such that the Biclike property does not hold. In the following description, it will be shown that the above algorithm was able to encrypt plaintext such that the Biclike property does not hold. First, a method for configuring the Biclike characteristics will be described.

FIG. 4 is a diagram for explaining a configuration method of Biclike characteristics. FIG. 4 shows the difference in data (colored or shaded block) transition state. A difference is a difference between two plaintext data, and a difference based on exclusive OR is often used. In FIG. 4, the difference is treated as a rounding difference in units of n bits. "SB" is a process for performing non-linear conversion. "SR" is a process of changing the order. “MC” is a process for performing linear conversion. Also, (1) in FIG. 4 shows a state in which the data difference transitions in the forward direction (from the input to the output direction). (2) in FIG. 4 shows a state in which the data difference transitions in the reverse direction (from the output to the input direction).

In FIG. 4(1), the difference is entered in the key sub-block (FIG. 4(A)). Then, encryption processing is performed in the forward direction (two rounds in FIG. 4). FIG. 4B shows the propagation result of the difference after two rounds of processing. In FIG. 4(2), the difference is put in the free area of the key sub-block so as not to overlap with the difference of the key sub-block shown in FIG. 4(B) (FIG. 4(C)). Then, two rounds of encryption processing are performed in the opposite direction. FIG. 4D shows the propagation result of the difference after two rounds of processing in the reverse direction. In FIG. 4, how the difference spreads depends on the algorithm.

FIG. 5 is a diagram showing transition states of overlapping differences in FIG. As shown in FIG. 5, the data sub-blocks do not have blocks with overlapping differentials.

The difference is used as an important index in evaluating the security of block ciphers. If the difference is skewed, the block cipher is rated as insecure as the two plaintexts can be easily found. On the other hand, if the two plaintexts are difficult to find, the block cipher is rated as secure. It should be noted that how the difference is propagated depends on the algorithm. In other words, as shown in FIG. 5, if the data sub-blocks do not have overlapping differences, the Biqlike property holds and the block cipher is evaluated as being insecure.

6 and 7 are diagrams showing that the Biclike property does not hold in encryption by the block cipher apparatus according to Embodiment 1 of the present invention. (1) in FIG. 6 shows a state in which the difference in data transitions in the forward direction. (2) in FIG. 6 shows a state in which the data difference transitions in the opposite direction.

In FIG. 6(1), the difference is entered in the key sub-block (FIG. 6(A)). Note that the key length of the key sub-block must be the same as the block length of the data sub-block so that the difference of the key sub-block always affects the data sub-block. In Embodiment 1, since MDS conversion is performed, when the second round of encryption processing is performed in the forward direction, the difference propagates to all blocks of the data sub-blocks as shown in FIG. 6B.

As a result, when the difference is inserted into the key sub-block so as not to overlap with the difference of the key sub-block shown in FIG. Even if there is no difference in all the data blocks (FIG. 6(E)), as shown in FIG. 7(A), there are blocks (black blocks in FIG. 7) where the difference overlaps in the data sub-blocks. In other words, it can be seen that the above-described block cipher apparatus 1 performs block ciphers in which the Biqlike property does not hold in one round of processing.

As described above, a block cipher that is secure against Biclique Cryptanalysis can be constructed.

[program]
The program in the first embodiment may be any program that causes a computer to execute steps S1 to S8 shown in FIG. By installing this program in a computer and executing it, the block cipher apparatus 1 and the block cipher method according to the first embodiment can be realized. In this case, the processor of the computer functions as a plaintext division unit 2, a key division unit 3, an encryption unit 4, a key schedule processing unit 5 and a calculation unit 6, and performs processing.

Also, the program in the first embodiment may be executed by a computer system constructed by a plurality of computers. In this case, for example, each computer may function as one of the plaintext division unit 2, the key division unit 3, the encryption unit 4, the key schedule processing unit 5, and the calculation unit 6, respectively.

(Modification)
Here, a modification of the first embodiment will be described. In this modification, the matrix calculator 43 uses a d×d matrix that does not have 0 in the coefficients to perform matrix conversion for the nonlinear conversion in the S layer section 42 . In the matrix conversion in the matrix operation unit 43, if one of the input data sub-blocks is affected by the exclusive OR difference by the logic operation unit 41, all the output data sub-blocks will always have a difference. Matrix conversion in the matrix calculator 43 is expressed in the same way as the above equation.

[Effects of modified example]
8 and 9 are diagrams showing that the Biclike property does not hold in the encryption according to this modified example. (1) in FIG. 8 shows a state in which the difference in data transitions in the forward direction. (2) in FIG. 8 shows a state in which the data difference transitions in the opposite direction.

In FIG. 8(1), the difference is entered in the key subblock (FIG. 8(A)). In this modification, since matrix transformation is performed using a d×d matrix that does not have 0 in the coefficients, when the second round of encryption processing is performed in the forward direction, data sub-blocks as shown in FIG. The difference propagates to all blocks of .

As a result, when the difference is added to the key sub-block so as not to overlap with the difference of the key sub-block shown in FIG. Even if there is no difference in all data blocks (FIG. 8(E)), as shown in FIG. 9(A), data sub-blocks include blocks (black blocks in FIG. 9) where differences overlap. In other words, it can be seen that the above-described block cipher apparatus 1 performs block ciphers in which the Biqlike property does not hold in one round of processing.

(Embodiment 2)
Next, a block cipher apparatus, a block cipher method, and a program according to Embodiment 2 of the present invention will be described with reference to FIGS. 10 to 16. FIG.

[Device configuration]
FIG. 10 is a diagram explaining an algorithm in the block cipher device 1A according to Embodiment 2 of the present invention. The block cipher device 1A includes the plaintext division unit 2, the key division unit 3, the encryption unit 4, the key schedule processing unit 5, and the calculation unit 6 described above. The second embodiment differs from the first embodiment in the round function in the encryption unit 4 and the processing in the key schedule processing unit 5. FIG. The difference will be mainly described below.

The key schedule processing unit 5 repeats r rounds of the second process using the round function for d n-bit key sub-blocks. In the second process of the first round in the key schedule processing unit 5, the d n-bit key sub-blocks generated by the key dividing unit 3 are used as the input of the round function. In addition, in the i (i=2 to r)th round second process, the output of the (i−1)th round second process is used as the input of the round function.

The key schedule processing section 5 has an S layer section 52 and a matrix calculation section 53 .

The S-layer unit 52 performs a non-linear transform on the d n-bit key sub-blocks. The S layer part 52 functions as an S box (substitution box) in common key cryptography. For example, the S layer section 52 performs nonlinear conversion based on a stored conversion table.

The matrix calculator 53 performs arithmetic processing using a d×d matrix. The matrix calculator 53 functions as data agitation by MDS (Maximum Distance Separation) conversion. MDS transform is transform using an MDS matrix.

The matrix calculation unit 43 of the encryption unit 4 performs calculation processing using a d×d matrix.

The d×d matrix used in the matrix calculation unit 43 of the encryption unit 4 and the matrix calculation unit 53 of the key schedule processing unit 5 can be appropriately combined so that the Biqlike characteristic described in the first embodiment does not hold. set. In the second embodiment, the d×d matrix used in the matrix calculator 53 is the MDS matrix.

[Device operation]
Next, the operation of the block cipher apparatus 1A according to the second embodiment will be explained using FIG. FIG. 11 is a flow chart showing the operation of the block cipher device 1A according to Embodiment 2 of the present invention. Further, in the second embodiment, the information processing method is implemented by operating the block cipher apparatus 1A. Therefore, the description of the block cipher method in the second embodiment is replaced with the description of the operation of the block cipher apparatus 1A below.

First, it is assumed that the block cipher apparatus 1A is supplied with a plaintext with a block length of b bits and a secret key with a key length of b bits, which is the same as the block length of the plaintext.

On the above premise, as shown in FIG. 11, the plaintext dividing unit 2 divides the b-bit plaintext into d n-bit data sub-blocks (S21). The key dividing unit 3 divides the b-bit secret key into d n-bit key sub-blocks (S22).

In the first round, the logical operation unit 41 of the encryption unit 4 performs exclusive processing on the d n-bit data sub-blocks generated in S21 and the d n-bit key sub-blocks generated in S22. A logical sum is calculated (S23). Next, the S layer section 42 of the encryption section 4 performs non-linear conversion on the calculation result of the exclusive OR in S23 based on the stored conversion table (S24). Then, the matrix calculator 43 of the encryption unit 4 performs matrix conversion using a d×d matrix for the nonlinear conversion of S24 (S24). Further, the S layer section 52 of the key schedule processing section 5 performs non-linear transformation on the d n-bit key sub-blocks generated in S22 (S26). Then, the matrix calculation unit 53 of the key schedule processing unit 5 performs MDS conversion using a d×d matrix on the nonlinear conversion of S26 (S27).

If the processing of S23 to S27 is not the processing of the r-th round, which is the final round (S28: NO), the processing of S23 to S27 is repeated. From the second round onwards, the logical operation unit 41 of the encryption unit 4 computes the exclusive OR of the conversion result of S25 and the conversion result of S27 (S23). Also, the S layer section 52 of the key schedule processing section 5 performs full non-linear transformation on the transformation result of S27 in the previous round (S26).

If the processing of S23 to S27 is the r-th round processing (S28: YES), the calculation unit 6 performs the exclusive ethical sum of the conversion result of S25 in the final round and the conversion result of S27 in the final round. is calculated (S29).

[Effects of Embodiment 2]
12 and 13 are diagrams showing that the Biclike property does not hold in encryption by the block cipher apparatus 1A according to the second embodiment.

In FIG. 12(1), the difference is entered in the key subblock (FIG. 12(A)). In Embodiment 2, since the MDS transformation is performed on the key sub-blocks, when the second round of encryption processing is performed in the forward direction, as shown in FIG. , the difference propagates.

As a result, as shown in FIG. 12(C), when a difference is added to the key sub-block and two rounds of encryption processing are performed in the opposite direction, even if there is no difference in all data blocks (FIG. 12(D) )), and as shown in FIG. 13A, there are blocks (black blocks in FIG. 13) where the difference overlaps in the key sub-blocks. In other words, it can be seen that the above-described block cipher apparatus 1A performs block ciphers in which the Biqlike property does not hold in one round of processing.

[program]
The program in the second embodiment may be any program that causes a computer to execute steps S21 to S29 shown in FIG. By installing this program in a computer and executing it, the block cipher apparatus 1A and the block cipher method according to the second embodiment can be realized. In this case, the processor of the computer functions as a plaintext division unit 2, a key division unit 3, an encryption unit 4, a key schedule processing unit 5 and a calculation unit 6, and performs processing.

Also, the program in the second embodiment may be executed by a computer system constructed by a plurality of computers. In this case, for example, each computer may function as one of the plaintext division unit 2, the key division unit 3, the encryption unit 4, the key schedule processing unit 5, and the calculation unit 6, respectively.

(Modification)
Here, a modification of the second embodiment will be described. In this modified example, the matrix calculator 53 uses a d×d matrix with no coefficients of 0 to perform matrix conversion for the nonlinear conversion in the S layer section 52 . In the matrix conversion in the matrix calculator 53, if one of the input data sub-blocks is affected by the exclusive OR difference, all the output data sub-blocks will always have a difference. Matrix conversion in the matrix calculator 43 is expressed in the same way as the above equation.

[Effects of modified example]

14 and 15 are diagrams showing that the Biclike property does not hold in the encryption according to this modified example. In FIG. 14(1), the difference is entered in the key sub-block (FIG. 14(A)). In the second embodiment, matrix transformation is performed using a d×d matrix that does not have 0 in the coefficients. Differences are propagated to all blocks of blocks.

As a result, as shown in FIG. 14(C), when a difference is added to the key sub-block and two rounds of encryption processing are performed in the opposite direction, even if there is no difference in all data blocks (FIG. 14(D) )), and as shown in FIG. 15(A), data sub-blocks include blocks (black blocks in FIG. 15) where differences overlap. In other words, it can be seen that the above-described block cipher apparatus 1A performs block ciphers in which the Biqlike property does not hold in one round of processing.

Note that the d×d matrix used by the matrix calculation unit 43 of the encryption unit 4 and the matrix calculation unit 53 of the key schedule processing unit 5 is obtained when the first process and the second process are performed in the forward direction. n-bit data sub-blocks, n-bit key sub-blocks, and n-bit data sub-blocks when the first and second processes are performed in the opposite direction by putting the difference into the empty areas of the n key sub-blocks. and n-bit key sub-blocks are appropriately set so that overlapping rounding differences always exist.

(physical configuration)
Here, a computer that realizes a block cipher apparatus by executing the programs in Embodiments 1 and 2 will be described with reference to FIG. FIG. 16 is a block diagram showing an example of a computer that implements the block cipher apparatus according to Embodiments 1 and 2 of the present invention.

As shown in FIG. 16, computer 110 includes CPU 111 , main memory 112 , storage device 113 , input interface 114 , display controller 115 , data reader/writer 116 and communication interface 117 . These units are connected to each other via a bus 121 so as to be able to communicate with each other. The computer 110 may include a GPU (Graphics Processing Unit) or an FPGA (Field-Programmable Gate Array) in addition to the CPU 111 or instead of the CPU 111 .

The CPU 111 expands the programs (codes) according to the first and second embodiments stored in the storage device 113 into the main memory 112 and executes them in a predetermined order to perform various calculations. The main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory). Also, the programs in Embodiments 1 and 2 are provided in a state stored in computer-readable recording medium 120 . The programs in Embodiments 1 and 2 may be distributed over the Internet connected via communication interface 117 .

Further, as a specific example of the storage device 113, in addition to a hard disk drive, a semiconductor storage device such as a flash memory can be cited. Input interface 114 mediates data transmission between CPU 111 and input devices 118 such as a keyboard and mouse. The display controller 115 is connected to the display device 119 and controls display on the display device 119 .

Data reader/writer 116 mediates data transmission between CPU 111 and recording medium 120 , reads programs from recording medium 120 , and writes processing results in computer 110 to recording medium 120 . Communication interface 117 mediates data transmission between CPU 111 and other computers.

Specific examples of the recording medium 120 include general-purpose semiconductor storage devices such as CF (Compact Flash (registered trademark)) and SD (Secure Digital); magnetic recording media such as flexible disks; An optical recording medium such as a ROM (Compact Disk Read Only Memory) can be used.

It should be noted that the block cipher apparatus in the first and second embodiments can also be realized by using hardware corresponding to each part instead of a computer in which a program is installed. Furthermore, the block cipher device may be partly realized by a program and the rest by hardware.

Part or all of the first and second embodiments described above can be expressed by the following (Appendix 1) to (Appendix 8), but are not limited to the following descriptions.

(Appendix 1)
A block cipher device that encrypts plaintext with a block length of b bits using a secret key with a key length of b bits,
a plaintext splitting unit that splits the plaintext into d n-bit data sub-blocks;
a key splitting unit for splitting the private key into d n-bit key sub-blocks;
an encryption unit that repeats r rounds of a first process using a round function on the d n-bit data sub-blocks;
a key schedule processing unit that repeats r rounds of a second process using a bijective function on the d n-bit key sub-blocks;
a calculation unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext;
with
In the key schedule processing unit,
In a second process of the first round, the d n-bit key sub-blocks generated by the key dividing unit are input to the bijective function,
In the i (i = 2 to r) round second process, the output of the (i-1) round second process is used as the input of the bijective function,
In the encryption unit,
In the first processing of one round, each of the d n-bit data sub-blocks generated by the plaintext dividing unit and each of the d n-bit key sub-blocks generated by the key dividing unit are The result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
The round function is a d×d matrix equation that propagates the effect of a rounding difference of 1 in d n-bit data sub-blocks to be input to all other data sub-blocks.
A block cipher device characterized by:

(Appendix 2)
A block cipher device that encrypts plaintext with a block length of b bits using a secret key with a key length of b bits,
a plaintext splitting unit that splits the plaintext into d n-bit data sub-blocks;
a key splitting unit for splitting the private key into d n-bit key sub-blocks;
an encryption unit that repeats r rounds of a first process using a round function on the d n-bit data sub-blocks;
a key schedule processing unit that repeats r rounds of second processing using a round function on the d n-bit key sub-blocks;
a calculation unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext;
with
In the key schedule processing unit,
In a second process of the first round, the d n-bit key sub-blocks generated by the key dividing unit are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In the encryption unit,
In the first process of the first round, each of the d n-bit data sub-blocks generated by the plaintext dividing unit and each of the d n-bit key sub-blocks generated by the key dividing unit is calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i = 2 to r) round first process, the output of the first process of (i-1) round and the output of the second process of (i-1) round are calculated, The result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When comparing the n-bit data sub-block and the n-bit key sub-block when the first process and the second process are performed in reverse, there is always an overlap of rounding differences;
A block cipher device characterized by:

(Appendix 3)
The block cipher device according to appendix 2,
The round function of the second process is a d×d matrix equation that propagates the effect of a rounding difference of 1 in d n-bit key sub-blocks to be input to all other data sub-blocks,
A block cipher device characterized by:

(Appendix 4)
The block cipher device according to any one of appendices 1 to 3,
The operation performed in the first process of the encryption unit is either arithmetic addition, arithmetic subtraction or exclusive OR,
The operation performed by the operation unit is either arithmetic addition, arithmetic subtraction or exclusive OR,
A block cipher device characterized by:

(Appendix 5)
A block cipher method for encrypting plaintext with a block length of b bits using a secret key with a key length of b bits,
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating a first process using a round function for r rounds on said d n-bit data sub-blocks;
(d) repeating a second process using a bijective function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
with
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to the bijective function,
In the i (i = 2 to r) round second process, the output of the (i-1) round second process is used as the input of the bijective function,
In step (c),
In a first process of the first round, each of the d n-bit data sub-blocks generated in step (a) and the d n-bit key sub-blocks generated in step (b) are calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
The round function is a d×d matrix equation that propagates the effect of a rounding difference of 1 in d n-bit data sub-blocks to be input to all other data sub-blocks.
A block cipher method characterized by:

(Appendix 6)
A block cipher method for encrypting plaintext with a block length of b bits using a secret key with a key length of b bits,
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating a first process using a round function for r rounds on said d n-bit data sub-blocks;
(d) repeating a second process using a round function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
with
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In step (c),
In a first round of processing, each of the d n-bit data sub-blocks generated in step (a) and each of the d n-bit key sub-blocks generated in step (b). is calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When comparing the n-bit data sub-block and the n-bit key sub-block when the first process and the second process are performed in reverse, there is always an overlap of rounding differences;
A block cipher method characterized by:

(Appendix 7)
A program that causes a computer to encrypt plaintext with a block length of b bits using a private key with a key length of b bits,
to the computer;
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating a first process using a round function for r rounds on said d n-bit data sub-blocks;
(d) repeating a second process using a bijective function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
and
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to the bijective function,
In the i (i = 2 to r) round second process, the output of the (i-1) round second process is used as the input of the bijective function,
In step (c),
In a first process of the first round, each of the d n-bit data sub-blocks generated in step (a) and the d n-bit key sub-blocks generated in step (b) are calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
The round function is a d×d matrix equation that propagates the effect of a rounding difference of 1 in d n-bit data sub-blocks to be input to all other data sub-blocks.
A program characterized by

(Appendix 8)
A program that causes a computer to encrypt plaintext with a block length of b bits using a private key with a key length of b bits,
to the computer;
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating a first process using a round function for r rounds on said d n-bit data sub-blocks;
(d) repeating a second process using a round function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
and
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In step (c),
In a first process of the first round, each of the d n-bit data sub-blocks generated in step (a) and the d n-bit key sub-blocks generated in step (b) are calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When comparing the n-bit data sub-block and the n-bit key sub-block when the first process and the second process are performed in reverse, there is always an overlap of rounding differences;
A program characterized by

As described above, according to the present invention, a block cipher that is secure against Biclique Cryptanalysis can be configured.

1, 1A block cipher device 2 plaintext division unit 3 key division unit 4 encryption unit 5 key schedule processing unit 6 operation unit 41 logic operation unit 42 S layer unit 43 matrix operation unit 51 bijection calculation unit 52 S layer unit 53 matrix Operation part

Claims (4)

A block cipher device that encrypts plaintext with a block length of b bits using a secret key with a key length of b bits,
a plaintext splitting unit that splits the plaintext into d n-bit data sub-blocks;
a key splitting unit for splitting the private key into d n-bit key sub-blocks;
an encryption unit that repeats one of arithmetic addition, arithmetic subtraction, and exclusive OR using a round function for r rounds of the d n-bit data sub-blocks as a first process;
a key schedule processing unit that repeats r rounds of second processing using a round function on the d n-bit key sub-blocks;
a calculation unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext;
with
In the key schedule processing unit,
In a second process of the first round, the d n-bit key sub-blocks generated by the key dividing unit are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In the encryption unit,
In the first process of the first round, each of the d n-bit data sub-blocks generated by the plaintext dividing unit and each of the d n-bit key sub-blocks generated by the key dividing unit is calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i = 2 to r) round first process, the output of the first process of (i-1) round and the output of the second process of (i-1) round are calculated, The result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
Furthermore, each of the round function of the first process and the round function of the second process is
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When the n-bit data sub-block and the n-bit key sub- block are compared when the first process and the second process are performed in the reverse direction, an overlap of rounding differences always exists. there is
A block cipher device characterized by: The block cipher apparatus of claim 1 , comprising:
The round function of the second process is a d×d matrix equation that propagates the effect of a rounding difference of 1 in d n-bit key sub-blocks to be input to all other data sub-blocks,
A block cipher device characterized by: A block cipher method in which a computer encrypts plaintext with a block length of b bits using a secret key with a key length of b bits,
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating, as a first process, one of arithmetic addition, arithmetic subtraction, and exclusive OR, using a round function, on the d n-bit data sub-blocks for r rounds;
(d) repeating a second process using a round function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
with
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In step (c),
In a first round of processing, each of the d n-bit data sub-blocks generated in step (a) and each of the d n-bit key sub-blocks generated in step (b). is calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
Furthermore, each of the round function of the first process and the round function of the second process is
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When the n-bit data sub-block and the n-bit key sub- block are compared when the first process and the second process are performed in the reverse direction, an overlap of rounding differences always exists. there is
A block cipher method characterized by: A program that causes a computer to encrypt plaintext with a block length of b bits using a private key with a key length of b bits,
to the computer;
(a) dividing the plaintext into d n-bit data sub-blocks;
(b) dividing the private key into d n-bit key sub-blocks;
(c) repeating, as a first process, one of arithmetic addition, arithmetic subtraction, and exclusive OR, using a round function, on the d n-bit data sub-blocks for r rounds;
(d) repeating a second process using a round function for r rounds of the d n-bit key sub-blocks;
(e) computing the output of step (c) and the output of step (d) to output a ciphertext;
and
In step (d),
In a second process of the first round, the d n-bit key sub-blocks generated in step (b) are input to a round function,
In the i (i = 2 to r) round second processing, the output of the (i-1) round second processing is used as the input of the round function,
In step (c),
In a first process of the first round, each of the d n-bit data sub-blocks generated in step (a) and the d n-bit key sub-blocks generated in step (b) are calculated, and the result of performing nonlinear transformation processing on the calculation result is used as the input of the round function,
In the i (i=2 to r)th round first process, the output of the (i−1)th round first process and the (i−1)th round output of the second process are calculated. , the result of performing nonlinear transformation processing on the operation result is used as the input of the round function,
Each of the round function of the first process and the round function of the second process is a d×d matrix operation formula,
Furthermore, each of the round function of the first process and the round function of the second process is
The n-bit data sub-block and the n-bit key sub-block when the first processing and the second processing are performed in the forward direction, and the difference are stored in the free areas of the n key sub-blocks, and the When the n-bit data sub-block and the n-bit key sub- block are compared when the first process and the second process are performed in the reverse direction, an overlap of rounding differences always exists. there is
A program characterized by

Images