JPH0682259B2 - Data spreader - Google Patents

Description

The present invention relates to a data diffusion device which is the core of an encryption device.

“Conventional technology” Conventionally, DES (NBS: “Data Encrip
tion Standard ", FIP S-PUB-45, (1977)), FEAL
(Shimizu, Miyaguchi: "High-speed data encryption algorithm FEAL", IEICE Transactions D Vol, J70-D No.7 pp.1413-1423
(1987)) is known.

FIG. 6 shows an outline of the structure of these cryptosystems. These cryptosystems include a key scheduling unit 1 that processes a secret key K to generate an intermediate key K _s , and a data processing unit 2 that processes an input plaintext P using this intermediate key K _S to obtain a ciphertext C. It consists of

In these cryptosystems, different logics are adopted for the key schedule unit 1 and the data processing unit 2. Therefore, when developing a device such as an LSI, it is necessary to separately design the key scheduling unit 1 and the data processing unit 2.

Also, although DES uses a 56-bit secret key and FEAL uses a 64-bit secret key, it is predicted that it will be necessary to increase the length of this secret key in the future. On the other hand, DES, FEAL
Does not have the expandability of the secret key length. Therefore, in order to increase the key length, it is necessary to significantly change the specifications of the key schedule part.

An object of the present invention is to provide a data spreading device that can be commonly used by a key scheduling unit and a data processing unit. As a result, it is possible to make an encryption device that requires significantly less man-hours for deviceization such as an LSI and has excellent expandability with respect to an increase in secret key length.

According to the present invention, the first mechanism for obtaining output data having the same data length as the input data from the input data, the output data of the first mechanism as the input data, and the data length of half the data length of the input data A mechanism is provided in which a plurality of sets of input parameter data are supplied, parameter data of the same data length is newly generated, and a plurality of sets of the input data and the second mechanism for outputting the output data of the same data length are alternately connected in series. Then, the first mechanism divides the input data into two equal parts in the data length direction, and divides one of the two divided data into half of the output data, and divides the input data into two parts. This is a mechanism for taking the bitwise exclusive-OR of the other two data with the other data and making the other half of the output data. The second mechanism described above inputs the input data in the data length direction. And divide one of the two halved data into half of the output data, and perform a logical operation on the input parameter data for the data by the diffusion mechanism to perform the data diffusion process. This is a mechanism for taking the bitwise exclusive OR of the result of the diffusion process and the other input data of the above two halved data to obtain new parameter data and the remaining half of the output data. .

As described above, the data diffusion device of the present invention is mainly characterized in that it has a mechanism for generating a data set equal to the data set of the input parameter as the output parameter. Therefore, the output parameter generated by the device of the present invention can be newly used as the input parameter of the device. That is, by combining two of these devices, the encryption device can be configured with one as the key scheduling unit and the other as the data processing unit. In this case, unlike the conventional technique, the data processing unit and the key scheduling unit perform the same processing.

"Embodiment" FIG. 1 shows an embodiment of the present invention. In FIG. 1, X is input data, Y is output data, A _{0 to} A ₃ are input parameter data, B _{0 to} B ₃ are output parameter data, f
Indicates a 4-byte data diffusion mechanism, α and β indicate input data to f, γ indicates output data of f, and symbols indicate a mechanism that takes an exclusive OR for each bit. The embodiment of FIG. 1 has a structure in which a mechanism 3 and a mechanism 4 surrounded by a dotted line in the drawing are alternately connected in series. Considering the mechanism 5 as a set of the mechanism 3 and the mechanism 4, the embodiment of FIG. 1 can be considered as a structure in which the mechanism 5 is combined in four stages and the mechanism 3 is further added.

The mechanism 3 is a mechanism for obtaining output data having the same data length as the input data from the input data. In the embodiment shown in FIG. 1, the input data is divided into left and right parts, and one of the data is made half of the output data. This is a mechanism for making the bitwise exclusive OR of the data and the other data the output data of the other half of the output data. The mechanism 3 between the two mechanisms 4 may output the input left data as right data and output the input right data as left data.

The mechanism 4 is a mechanism for newly generating parameter data having the same data length as the input parameter data. The mechanism 4 divides the input data into left and right parts, makes one data half of the output data, and uses the data as parameter data. A data diffusion mechanism f for performing a data diffusion process by performing a logical operation, and an exclusive OR for each bit of the result of the diffusion process and the remaining half of the input data is used as new parameter data and the remaining half of the output data. It consists of a mechanism.

The operation of the embodiment shown in FIG. 1 will be described below. In the explanation, the following notation is used.

[Notation]

 (1) Make 8 bits into 1 byte.

(2) The j + 1th four bytes from the left in the data are represented by the lower right subscript j. (Example X ₀ ) The lower right subscript is used to identify 4-byte data.

(3) The j + 1th two bytes from the left in the data are represented by the upper right subscript j. (Example X ⁰ ) (4) represents an exclusive OR of bits.

(5) The equal sign represents substitution from the right side to the left side.

In this example, X (8 bytes) and A (4 × (r +
1) byte) (r = 0,1,2, ...)
This is a device for obtaining (8 bytes) and B (4 × (r + 1) bytes) output data. That is, if this example is regarded as the function U, it can be defined by the following mathematical expression.

(Y, B) = U (X, A, round, mode) Particularly, Y and B are separated and defined as the following equation.

Y = U0 (X, A, round, mode) B = U1 (X, A, round, mode) In the U function, round specifies the number of processing steps and mode specifies the encryption / decryption mode (encryption: 0, decryption) : other values) parameters.

r = about 0~round-1, determine the _{B r} in the following procedure.

X ₁ = X ₁ X _{0 When} mode = 0, k = r mode ≠ 0, k = round-r−1, X ₀ = X ₀ f (X ₁ , A _k ) B _r = X ₀ Last Then, the following process is performed to obtain Y.

Y ₀ = X ₀ Y ₁ = X ₀ X ₁ This embodiment can be regarded as an instrumentalization of the U function when round = 4 and mode = 0. In this example, the input X
In the process of obtaining the output Y from, the parameter data set A is used to generate a data set B having the same data format as A.

The data diffusion mechanism of the above-mentioned f obtains the output γ of 4 bytes from the input α and β of 4 bytes, respectively. The structure of f is shown in FIG. In Fig. 2, α, β
Indicates input data, γ indicates output data, a, b, c indicate input data to the mechanism s, and s indicates a 2-byte data diffusion mechanism. Further, as shown in [Notation], α ⁰ and β ⁰ represent 2-byte data in the left half of α and β, and α ¹ and β ¹ represent 2-byte data in the right half.

If f is regarded as a function, it can be said that γ = f (α, β) and f is a process for obtaining γ by the following procedure.

γ ⁰ = s (α ⁰ , α ¹ , β ⁰ ) γ ¹ = γ ⁰ α ¹ γ ¹ = s (γ ¹ , γ ⁰ , β ⁰ ) γ ⁰ = γ ⁰ γ ¹ Each of the above mechanisms s has 2 bytes It is also a mechanism to obtain the output of 2 bytes from the inputs a, b, and c.

The operation of s is defined by the following equation.

s (a, b, c) = (ROL3 (a) + ROR3 (b) + c) mcd2 ¹⁶ where ROL3 () is a 3-bit rotation function to the left, RO
R3 () is a 3-bit rotation function to the right. Also,
mod is a remainder operation.

The detailed structure of the mechanism s is shown in FIG. In FIG.
ADD is an adder, ROL3 is a left 3-bit data rotator, ROR
Reference numeral 3 indicates a rightward 3-bit data rotator. Mod2 ¹⁶ in the above equation is not visible on the circuit because it can be realized by ignoring the carry of the most significant bit caused by ADD.

By using this example, as shown below,
The encryption device can be easily configured.

An example of a cryptographic device to which this embodiment is applied will be shown and described below. FIG. 4 shows an example of the structure of the encryption device. In FIG. 4, P is plaintext data, K is secret key data, C is ciphertext data, K0 and K1 are data on the left and right half of K respectively, 6 is a key schedule section, and 7 is a data processing section. The output parameter data created by the key scheduling unit 6 is the input parameter data of the data processing unit 7.

This cryptographic device uses an 8-byte secret key K to obtain an 8-byte ciphertext C from an 8-byte plaintext P.
It can be defined as follows using the U function.

Key schedule part: K _s = U1 (K, I, 4,0), data processing part: Cryptographic process: C = U0 (P, K _s , 4,0) Decryption process: P = U0 (C, K _s , 4,1) In the above equation, I is set to the following value.

I ₀ = K ₀ I ₁ = K ₁ I ₂ = K ₀ I ₃ = K ₁ In the key scheduling unit of this encryption device, as input parameter data to the data diffusion device of this embodiment,
The private key data of the input data is set. This makes it extremely difficult to deduce the input secret key from the output of the key scheduling unit.

Thus, if the input data or the processed data of the input data is set as the parameter data of the data diffusion device of the present invention, the data diffusion device of the present invention can be operated as a device having a function of a one-way function. You can

Furthermore, another encryption device to which this embodiment is applied will be shown. FIG. 5 shows the structure of this encryption device. In FIG.
P is plaintext data, K _L and K _R are secret key data, C is ciphertext data, and K _R0 and K _R1 are left and right half data of K _R , respectively.

This cryptographic device obtains an 8-byte ciphertext C from an 8-bit plaintext P using a 16-bit secret key K,
It can be defined as follows using the U function.

Key schedule part: K _S = U1 (K _R , I, 4,0) K _s ′ = U1 (K _L , K _S , 4,0) Data processing part: Cryptographic process: C = U0 (P, K _S ', 4,0) Decoding process: P = U0 (C, K _S ', 4,1) In the above equation, I is set to the following value.

I0 = K0 I1 = K1 I2 = K0 I3 = K1 As described above, since the data diffusion device of the present invention can be easily connected in parallel, it flexibly copes with an increase in the secret key length of the encryption device. be able to.

[Advantages of the Invention] As described above, since the data diffusion device of the present invention has the same input and output interfaces, as described above, for example, both the key scheduling unit and the data processing unit of the encryption device are used. Can be used for. This means that the number of man-hours required for deviceization can be halved, such as when implementing LSI.

If input data is set in the parameter data of the data diffusion device of the present invention, it can be operated as a device having a unidirectional property. This means that it is difficult to estimate the input secret key if used in the key scheduling unit of the encryption device, and the encryption strength can be increased.

In addition, since parallel connection can be easily performed, that is, the output of one device can be input to another device or re-input to its own device. Increases in length are possible without changing the algorithm. That is, this means that when it becomes necessary to increase the secret key length in the future, the usage mode can be changed without replacing the already installed hardware.

Since the data diffusion device shown as the embodiment of the present invention and the encryption device to which it is applied have a simple logical structure in which 16 bits are a processing unit, they can be used not only as hardware but also as software. High performance can be obtained. It is especially suitable for processing on 16-bit and 32-bit processors.

[Brief description of drawings]

FIG. 1 is a block diagram showing an embodiment of the present invention, and FIG. 2 is a block diagram showing a structural example of a 4-byte data diffusion mechanism f,
FIG. 3 is a block diagram showing a structural example of the 2-byte data diffusion mechanism s, FIG. 4 is a block diagram showing an example of application of the data diffusion device of the present invention to an encryption device, and FIG. 5 is a data diffusion device of the present invention. FIG. 6 is a block diagram showing a second example of application of the above to the encryption device, and FIG. 6 is a diagram showing an outline of the structure of the encryption system. P ...... plain text _{data, K, K L, K R} ...... secret key data, K _R0,
K _R1 ...... Data for the left and right half of K _R , K _S , K _s ′ ...
... Intermediate key, C ... Ciphertext, X, α, β, a, b, c ... Input data, Y, γ ... Output data, A _{0 to} A ₃ ... Input parameter data, B _{0 to} B ₃ ...... Output parameter data, α ⁰ , β ⁰ ......
2-byte data of the left half of α and β, α ¹ and β ^1, ...
… 2-byte data in the right half of α and β,… exclusive OR calculator, ADD …… adder, ROL3 …… leftward 3
Bit data rotator, ROR3 ... rightward 3-bit data rotator, f ... 4-byte data diffusion mechanism, s ... 2-byte data diffusion mechanism, 1 ... key schedule part, 2 ...
Data processing unit, 3,4,5 ... Processing mechanism, 6 ... Key scheduling unit, 7 ... Data processing unit.

Claims (1)

[Claims] 1. A first mechanism for obtaining output data having the same data length as the input data from the input data, and using the output data of the first mechanism as the input data, the data length of half the data length of the input data A mechanism is provided in which a plurality of sets of input parameter data are supplied, parameter data of the same data length is newly generated, and a plurality of sets of the input data and the second mechanism for outputting the output data of the same data length are alternately connected in series. Then, the first mechanism divides the input data into two equal parts in the data length direction, makes one of the two divided data half the output data, and divides the input data into the above two parts. This is a mechanism for taking the bitwise exclusive OR of the other data of the two data to make the other half of the output data. The above-mentioned second mechanism stores the input data in the data length direction. The data is divided into two equal parts, one of the two divided data is made half of the output data, and a diffusion operation is performed on the data with the input parameter data to perform the data diffusion processing, and the diffusion Data that is a mechanism that takes the bitwise exclusive OR of the processing result and the other input data of the above two halved data to obtain new parameter data and the remaining half of the output data. Diffuser.