JPH0814748B2 - Data diffusion mechanism - Google Patents

Description

The present invention relates to a data diffusion device which is the core of an encryption device.

"Conventional technology" Conventionally, FEAL ("Shimizu, Miyaguchi:
See “High-speed data encryption algorithm FEAL”, IEICE Transactions D Vol.J70-D No.7pp.1413-1423 (1987) ”, where FEAL is 8 steps from the 4-step data processing described in this paper. The specification has been changed in October 1987 for the step data processing).

Figure 3 shows the structure of FEAL. In FIG. 3, 1 is a key scheduling unit, 2 is a data processing unit, P is 64-bit plaintext data, K is a 64-bit secret key, C is a 64-bit ciphertext, f and fk are data processing units, respectively. The processing unit that performs the diffusion process of 32-bit data in the key scheduling unit indicates an exclusive OR for each bit.

The operation of the FEAL shown in FIG. 3 will be briefly described. FEAL is
Process 64-bit plaintext with 64-bit private key
This is an encryption method that generates a bit ciphertext and is suitable for software processing.

First, the one key schedule part will be described. The input 64-bit private key is divided into left and right data of 32 bits each. The left data has the right data as parameter data and is spread by the 32-bit data spreading processing unit fk to be a 32-bit intermediate key and the right data of the next stage. As described above, the right data serves as the parameter of the data diffusion processing unit fk and also serves as the left data of the next stage. Below, total 8
The process using this data diffusion processing unit fk is performed, but from the second stage onward, the input left data to the data diffusion processing unit fk of the previous stage is added by exclusive OR to the parameter data of the data diffusion processing unit fk. ing. In this way, the key schedule unit of 1 generates the 256-bit intermediate key Ki from the 64-bit secret key K.

Next, the second data processing unit will be described. The input 64-bit plaintext is first added with a 64-bit intermediate key by bitwise exclusive OR, and the exclusive OR output is divided into left and right 32-bit data. Then, the bitwise exclusive OR of the right data and the left data is taken to obtain new right data. This right data is the next left processing,
This right data is spread by the data spreading processor f using a 16-bit intermediate key, and the bitwise exclusive OR of the spread output and the left data is taken to obtain the right data of the next stage. To do. Hereinafter, processing using the data diffusion processing unit f having a total of eight stages is performed, but in the final stage, the right and left data are not exchanged, and the exclusive OR of each bit of the right data and the left data is taken and a new right is obtained. The data is combined with the left data, and a 64-bit intermediate key is finally added to the combined output by bitwise exclusive OR to obtain the final output.

Next, the data diffusion processing unit f used in the FEAL data processing unit will be described. FIG. 4 shows the structure of the data diffusion processing unit f. In FIG. 4, A is 32-bit input data, B is 32-bit output data, and A1 to A4 are A = 4.
Each divided 8-bit, Kf is 16-bit intermediate key, is bitwise exclusive OR, ADD is addition (carry from the most significant bit is ignored), ROL is 1-bit rotation processing to the left, +1 → and ← + 1 indicate addition of 1.

The data diffusion processing unit f operates as follows. First, the input 32-bit data is divided into four 8-bit data of A1 to A4. The intermediate key Kf is added to A2 and A3 by bitwise exclusive OR to obtain new data of A2 and A3. In addition, A1 is added to the new A2 and A4 is added to A3 by exclusive OR. Next, after adding A2 and A3 and further adding 1, bit rotation processing of 2 bits is performed in the left direction to obtain new data of A2. As for A3, A3 and the new A2 are added, and 2-bit bit rotation processing is performed in the left direction to obtain new A3 data. For A1, A1
And the new A2 are added, and bit rotation processing of 2 bits is performed in the left direction to obtain new A1 data. For A4, after adding A4 and the new A3 and adding 1,
A bit rotation process of 2 bits is performed to the left and new A4 data is obtained. By performing the above series of processing in order,
Obtain 32-bit output data B.

[Problems to be Solved by the Invention] The FEAL data diffusion processing unit f described above is a processing unit that most affects FEAL data randomization performance and speed performance. The FEAL using the data diffusion processing unit f has excellent data randomization performance, and the data is almost completely randomized at the stage when the third processing of the data processing unit is completed.

From the viewpoint of speed performance, the data diffusion processing unit f is designed to pursue high-speed processing by software. The data diffusion processing unit f can be realized by processing of exclusive OR of 1-byte data 4 times, addition of 1-byte data 4 times, and 1-bit rotation of 1-byte data 8 times.

Next, consider the case where it is realized by hardware such as LSI. In this case, the data diffusion processing unit f newly uses the processing result of the diffusion processing of one of the four divided data for the diffusion processing of other data in order to improve the data diffusion efficiency. Therefore, the places where parallel processing is possible are limited, which hinders the improvement of the processing speed in hardware. As shown by the dotted line in FIG. 4, when the data diffusion processing unit f is configured by hardware, it has a configuration of two stages of exclusive OR processing, three stages of addition and bit rotation processing.

FEAL is treated in 8 steps because of its structural strength. Therefore, even if the saturation performance of the data randomness in the current three rounds by the data diffusion processing unit f is slightly lowered, if the saturation is within eight rounds, the same effect is obtained from the viewpoint of encryption strength.

The object of the present invention is to maintain data diffusion efficiency while
It is to provide a data diffusion mechanism that can be processed at high speed by hardware.

[Means for Solving the Problem] According to the invention of claim 1, the input data is divided into two pieces of left and right data having the same data length in the data length direction,
The above-mentioned parameter data is added to the divided left and right data or fused by exclusive OR, and the two fused data are added by the first adding means to form left data, and the two fused data Is added to the right data by the second adding means, and at least one of the two input data of the first adding means is bit-rotated by the first bit rotating means to obtain the two input data of the second adding means. At least one of the two is rotated by the second bit rotating means.

According to the invention of claim 2, the input data is divided into the first to fourth data having the same data length in the data length direction, and a part (first and fourth data) or all of these four data are divided. Parameter data is added or fused by exclusive OR, second data and first data are fused by exclusive OR to become second data, and third data and fourth data are fused by exclusive OR. To be the third data, the first data and the third data are added by the first adding means to be the first data, and the second data and the third data are the second data.
The third data is added to the third data by the third adding means, and the fourth data and the second data are added by the fourth adding means. 4th data, at least one of the two input data of the first adding means is bit-rotated by the first bit rotating means, and at least one of the two input data of the second adding means is the second bit rotating. The bit is rotated by means, and the third
At least one of the two input data of the adding means is bit-rotated by the third bit rotating means, and at least one of the two input data of the fourth adding means is bit-rotated by the fourth bit rotating means.

Here, the bit rotation means shifting the data by 1 or more bits toward the upper digit or the lower digit. When the overflowed bit data is shifted toward the upper digit, it is compensated as the lower digit data. In the case of shifting to, it is to use the upper digit data as it is.

With such a configuration, it is possible to perform parallel processing,
The cryptographic LSI incorporating the data diffusion mechanism of the present invention enables higher speed processing than the conventional one.

“Embodiment” FIG. 1 shows an embodiment of the invention of claim 2. In FIG. 1, A is input data of 32 bits, B is output data of 32 bits, A1 to A4 are 8 bits obtained by dividing A into four,
Kf is a 16-bit intermediate key, is a bitwise exclusive OR,
ADD is addition (carry from the most significant bit is ignored), ROL
Indicates 1-bit rotation processing to the left, and ROR indicates 1-bit rotation processing to the right.

The embodiment shown in FIG. 1 operates as follows. First, the input 32-bit data is divided into four 8-bit data of A1 to A4. The intermediate key Kf is added to A1 and A4 by bitwise exclusive OR. Further, the added A1 is added to A2, and the added A4 is added to A3 by exclusive OR. Then, add the data obtained by rotating A1 by 1 bit to the left and the data obtained by rotating A3 by 1 bit to the right to obtain new data of A1.

-Add the data obtained by rotating A2 by 1 bit to the left and the data obtained by rotating A3 by 1 bit to the right to obtain new A2 data.

-Add the data obtained by rotating A3 leftward by 1 bit and the data obtained by rotating A2 rightward by 1 bit to obtain new A3 data.

-Add the data obtained by rotating A4 leftward by 1 bit and the data obtained by rotating A2 rightward by 1 bit to obtain new A4 data.

The above four processes are performed in parallel to obtain a 32-bit output B.

The performance of the data diffusion mechanism of this embodiment will be described.
First, when it is realized by software, it can be realized by processing of exclusive OR of 1-byte data 4 times, addition of 1-byte data 4 times, and 1-bit rotation of 1-byte data 8 times. This is the same performance as FEAL shown above. Therefore, when the data diffusion mechanism of this embodiment is replaced with the FEAL data diffusion processing f, the speed performance of the software is almost the same.

Next, if this embodiment is realized by hardware, the processing indicated by the dotted line in FIG. 1 can be parallelized.
Therefore, the two-stage exclusive OR processing and the one-stage addition and bit rotation processing are configured. This can realize a speed performance of 2 to 3 times as compared with the case where the FEAL is the two-stage exclusive OR processing and the three-stage addition and bit rotation processing.

In order to investigate the data diffusion performance of this embodiment, an experiment was carried out in which the data diffusion performance was statistically evaluated by replacing the data diffusion processor f of FEAL. According to this, it has been confirmed that the FEAL incorporating the data diffusion mechanism of this embodiment becomes almost perfect random numbers in the processing of the fifth to sixth stages. This is inferior to FEAL, which has been almost randomized in the three-stage processing, but since it is within 8 stages, which is the number of FEAL processing stages,
The same effect is obtained from the viewpoint of encryption strength.

In the embodiment of the present invention, the bit change at A2 in FIG. 1 does not affect A1 and the bit change at A3 does not affect A4. Of course, this embodiment is not a problem because it is used in combination in multiple stages, but in order to further improve the bit diffusion efficiency, in this embodiment,
When the parallel processing of addition is completed, the exclusive OR of A1 and A2 is newly set to A1, and the exclusive OR of A3 and A4 is newly set.
The number of processing steps for random number saturation can be reduced by almost one by adding processing to replace A4.

Further, in this embodiment, the intermediate keys are fused by exclusive OR, but if they are fused by addition, the bit diffusion efficiency can be improved, and at the same time, the carry will destroy the constant property of the data, so that it is more secure. You can improve the property. Each AD
One of the two data added in D may not be bit-rotated. Various variations are conceivable in the combination of data fused by bit rotation speed or addition.

The expansions of this embodiment described above are all trade-offs with speed performance.

FIG. 2 shows an embodiment of the invention of claim 1. In FIG. 2, A is 32-bit input data, B is 32-bit output data, AL and AR are 16-bit data obtained by dividing A into two left and right parts, and K.
f is a 16-bit intermediate key, is a bitwise exclusive OR, A
DD is addition (carry from the most significant bit is ignored), ROL
Indicates 1-bit rotation processing to the left, and ROR indicates 1-bit rotation processing to the right.

The embodiment shown in FIG. 2 operates as follows. First, the input 32-bit data is divided into 2 data of 16 bits each for AL and AR. An intermediate key Kf is added to AL and AR by bitwise exclusive OR. Then, add AL data rotated 3 bits to the left and data rotated AR to the right 3 bits to obtain new AL data.

・ Add the data obtained by rotating AR by 3 bits to the left and the data obtained by rotating AL by 3 bits to the right to obtain new AR data.

The above two processes are performed in parallel. Get the 32-bit output B.

The performance of the data diffusion mechanism of this embodiment will be described.
First, when it is realized by software, it can be realized by processing of exclusive OR of 2 byte data 2 times, addition of 2 byte data 2 times, 1 bit rotation of 2 byte data 12 times. The speed performance of the software is almost the same as FEAL.

Next, if this embodiment is realized by hardware, the processing indicated by the dotted line in FIG. 2 can be parallelized.
Therefore, it has a configuration of one-stage exclusive OR processing, one-stage addition and bit rotation processing. This can realize a speed performance of 2 to 3 times as compared with the case where the FEAL is the two-stage exclusive OR processing and the three-stage addition and bit rotation processing.

The FEAL incorporating the data diffusion performance of this embodiment has 5
It has been confirmed that almost complete random numbers are obtained in the processing of the first stage. This is inferior to FEAL, which is almost randomized in the three-stage processing, but it is the same effect from the viewpoint of encryption strength because it is saturated within 8 stages which is the number of processing stages of FEAL.

In this embodiment, the intermediate keys are fused by exclusive OR, but if they are fused by addition, the bit diffusion efficiency can be improved and, at the same time, the carry reduces the constant property of the data, thus further increasing the security. Can be improved. One of the two data added in each ADD may not be bit-rotated. In addition, various variations are conceivable in the combination of the bit rotation speed or the data fused by addition. According to experiments, it is effective that the bit rotation speed is 2 bits or more.

The expansions of this embodiment described above are all trade-offs with speed performance.

"Effects of the Invention" As described above, the data expansion mechanism of the present invention is
In order to spread the data, a fusion process of bit rotated data is used. For this reason, the structure is more suitable for parallel processing than the conventional mechanism of the same kind, and when realized by hardware such as LSI, higher speed processing is possible as compared with the conventional technology.

The conventional FEAL is realized as an LSI having an encryption speed performance of about 80 Mbps. If the data diffusion mechanism of the present invention is applied to FEAL, it is possible to realize an LSI having performance that is two to three times as high as this, that is, performance that reaches 200 Mbps. As a result, it becomes possible to implement security measures by encryption in areas where FEAL cannot be applied in the past in terms of processing speed, such as moving image transmission in a high-speed LAN in the future (about 100 Mbps per channel).

[Brief description of drawings]

1 is a block diagram showing an embodiment of the invention of claim 2, FIG. 2 is a block diagram showing an embodiment of the invention of claim 1, and FIG.
Fig. 4 is a block diagram showing the structure of the data encryption method FEAL.
The figure is a block diagram showing the structure of a conventional data diffusion processing unit f used in FEAL.

Claims (2)

[Claims] 1. A data diffusion mechanism that obtains output data by subjecting input data to diffusion processing using parameter data, and means for dividing the input data into two pieces of left and right data having equal data lengths in the data length direction, and these divisions. Means for adding the above parameter data to the merged left and right data or merging them by exclusive OR, first adding means for adding the merged two data into left data, and the above two merged data To add to the right data, a first bit rotating means for bit-rotating at least one of the two input data of the first adding means, and two input data of the second adding means. And a second bit rotating means for rotating at least one of the two. 2. A data diffusion mechanism that obtains output data by subjecting input data to diffusion processing using parameter data, and dividing the input data into four pieces of first to fourth data having equal data lengths in the data length direction. Means, means for adding parameter data to some or all of these four data (first and fourth data) or fusion by exclusive OR, and fusion of second data and first data by exclusive OR Then second
The means for making the data and the third data and the fourth data fused by exclusive OR
Data, means for adding the first data and the third data to form the first data, first addition means for adding the second data and the third data to form the second data, and A third adding means for adding the third data and the second data to obtain the third data; a fourth adding means for adding the fourth data and the second data to obtain fourth data; A means for bit-rotating at least one of the two input data, a means for bit-rotating at least one of the two input data of the second adding means, and at least one of the two input data of the third adding means. A bit rotating means, and a means for rotating at least one of the two input data of the fourth adding means by a bit, a data diffusion mechanism.