JPH09258655A - Data encryption device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible to execute secrete communication in real time even on communication lines having poor quality and to form ciphertext data having high safety. SOLUTION: Plaintext data is subjected to affine transformation in the block unit based on key data by a first exclusive-OR section 101, a first variable bit substitution section 102 and a first fixed bit substitution section 103. In succession, the data is subjected to the non-affine transformation in the block unit based on the key data by a first variable non-affine transformation section 104 limited in the error spreading rate to a specified value. Finally, the data is subjected to the affine transformation in the block unit based on the key data by a second exclusive-OR section 105 and a second variable bit substitution section 106, by which the ciphertext data is formed.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data encryption device, and more particularly to a data encryption technique for secret communication using digitized voice data or the like.

[0002]

2. Description of the Related Art In recent years, small and lightweight communication devices such as mobile phones have become widespread. However, in such devices, data encryption is required to prevent wiretapping. (First Conventional Example) As a first conventional example of the data encryption method, there is pseudorandom number addition type encryption.

In this system, both the transmitting side and the receiving side share the same key, the plaintext data M is divided into plaintext data blocks Mi of a fixed length, and the shared key is given to each divided Mi. Is used as a seed to generate random number data R having the same length as the plaintext data block Mi. Then, the ciphertext data block Ci is obtained by calculating the exclusive OR of each plaintext data block Mi and its random number data R for each corresponding bit. This is expressed as follows.

Ci = Mi (+) R However, the operation (+) means an exclusive OR for each corresponding bit. Finally, the obtained ciphertext data blocks Ci are connected to obtain the ciphertext C.
In this method, even if a bit error (reversal) occurs during transmission of the ciphertext C, the error does not spread to another bit, that is, the error spread is 1 It has the characteristic of being a bit. Here, the error ripple is one of the properties of encryption and code conversion, and is obtained by encrypting (converting) two pieces of input data that differ only in one-digit (bit) value. It is the number of digits (bits) whose values differ when two output data are compared.

However, this method is extremely low in safety. That is, assuming that the values of the keys to be encrypted are the same, the random number R can be found from the following equation by only obtaining one set of plaintext data block Mi and ciphertext data block Ci. All plaintext data blocks M
i can be deciphered. R = Mi (+) Ci (Second Conventional Example) As a second conventional example of the data encryption method, there is an affine transformation cipher.

In this system, both the transmitting side and the receiving side share the same key, and the plaintext data M is divided into plaintext data blocks Mi having a fixed length (here, n bits) and the shared key is used. An n × n matrix G (where each element of the matrix is 0 or 1) determined and n-bit data A determined by the shared key are used to obtain a ciphertext data block Ci from the following equation Is.

Ci = G * Mi (+) A However, the operation * means a normal matrix product operation, but the bit-wise product in the matrix product is the logical product (AND), and the bit-wise sum. Is an exclusive OR (EOR).
In this method, when matrix G is a bit permutation matrix,
Similar to the above-mentioned first conventional technique, it has a feature that the error spread is 1 bit.

Here, the bit permutation means a two-dimensional linear conversion in which the position of each bit constituting the data is exchanged in one data, and the bit permutation matrix means the contents of such bit permutation operation. This is a matrix that is uniquely defined, and the operation of bit-permuting n-bit data is n ×
It can be represented by an n matrix. Therefore, even if a certain bit forming the data is erroneously inverted before the bit replacement, an error occurs only in the corresponding bit even in the data after the bit replacement. Further, even in the operation of taking the exclusive OR of the same data for all the data for each bit, the positions of the different bits between the two data do not change. From these things, it can be said that the present cryptosystem is a cryptosystem that does not cause error ripple.

However, even this method is not sufficient in terms of safety. Now, assuming that the values of the keys to be encrypted are the same, the set of the plaintext data block Mi and the ciphertext data block Ci is (n + 1) sets (i = 0, 1, ..., N).
Suppose you have obtained it. Then, C0 (+) C1 = {G * M0 (+) A} (+) {G * M1 (+) A} = G * {M0 (+) M1} C0 (+) C2 = {G * M0 ( +) A} (+) {G * M2 (+) A} = G * {M0 (+) M2} ... C0 (+) Cn = {G * M0 (+) A} (+) {G * Mn ( +) A} = G * {M0 (+) Mn}, so that X is now C0 (+) C1, C0 (+)
Let C2, ..., C0 (+) Cn, be the n × n matrix in which the columns of the matrix are in this order, and let Y be M0 (+) M1 and M0 (+) M.
2, ..., M0 (+) Mn, are the columns of the matrix in this order n
When the matrix is × n, the above n expressions can be collectively expressed as X = G * Y. Here, since X and Y are known, Y
It is possible to know G from G = X * Y ^-1 by ^obtaining the inverse matrix of.

Further, since A can be obtained from A = G * M0 (+) C0, this affine transformation cipher is deciphered. Note that if there is a matrix G and data A that satisfy C = G * M (+) A for all input data M and corresponding output data C, such input data M to output data C The mapping to is called "affine transformation".

On the other hand, when the matrix G and the data A satisfying the above equation do not exist, it is called "non-affine transformation". (Third Conventional Example) As a third conventional example of the data encryption method, a DES (Data Encryption Standard) method or an F
There is a block cipher system such as EAL (Fast Data Encipherment Algorithm) system. The DES and FEAL methods are described in Eiji Okamoto "Introduction to Cryptography"
(Kyoritsu Shuppan).

This block cipher system handles input / output data of 64 bits, but has a strong ability to disturb the data. Even if two types of plaintext data that differ by only 1 bit are encrypted using the same key,
The ciphertext data obtained from them are different by an average of 32 bits, that is, the error spread is designed to have an average of 32 bits.

On the other hand, this is also a drawback.
That is, the 1-bit error generated in the communication path differs from the original output by 32 bits at the output end of the decoder. This means that the error was magnified 32 times. For example, even if an error occurs in the voice data due to a slight disturbance, a large error will eventually be superimposed, resulting in deterioration of the voice.

Even if an error correction device is installed in the communication path, an error exceeding the error correction capability may occur when the quality of the communication line is poor. In such a case, the error correction device is used. Erroneously corrects as a result, one or more erroneous bits still occur at the decoder input end, which is magnified 32 times at the decoder output end.

As a countermeasure, in general data communication, a method may be considered in which, if an error is detected on the receiving side, the transmitting side is requested to retransmit.
However, in the case of real-time communication such as that of a mobile phone, delay of voice due to retransmission is not allowed. Therefore, when real-time communication is particularly required in a communication line of poor quality, an encryption method with less error ripple different from this method is desired. (Fourth Conventional Example) As an encryption method with less error ripple, an encryption method that combines a bit replacement operation of the bit position of plaintext data with a key-defined bit replacement operation and a non-affine transformation operation with error ripple restriction is considered. To be As described in the second conventional example, the bit permutation operation has the property of not causing error propagation, and this is the same when the bit permutation changes depending on the key. This method is realized, for example, by a data disturbing circuit in which a part of the method disclosed in JP-A-7-177139 is slightly modified.

FIG. 8 is a block diagram showing the configuration of the data disturbing circuit. The data disturbing circuit includes an exclusive OR unit 30, a variable bit replacing unit 31, a fixed replacing unit 32, and a key generating circuit 33. The exclusive-OR unit 30 has 3
The 2-bit data and the 32-bit key given from the key generation circuit 33 are exclusive-ORed bit by bit. The operation of exclusive OR for each bit has the property that it does not cause error propagation because it is an operation between bits of the same digit.

The variable bit permutation unit 31 performs bit permutation on the 32-bit data which is exclusive ORed by the exclusive OR unit 30, which is determined by the key value given from the key generation circuit 33. As described above, the bit replacement operation has no error ripple. It should be noted that the case where the content of the conversion operation is determined by the key value as in the variable bit replacing unit 31 is called "variable", and the case where the content of the conversion operation is fixedly determined is called "fixed". .

The variable bit replacement unit 31 further includes a variable bit replacement unit 311 and a fixed bit replacement unit 312. The variable bit replacement unit 311 includes the key generation circuit 3
Based on the value of the key generated in 3, bit data is exchanged between adjacent bit data. The fixed bit replacement unit 312 performs a predetermined bit replacement on the bit data replaced by the variable bit replacement unit 311.

The fixed substituting section 32 is a variable bit substituting section 31.
The 32-bit data transposed by is divided into 4 blocks of 8 bits each, and a predetermined non-affine transformation is performed. Then, the non-affine-transformed data is reconnected to form ciphertext data. It is said that the non-affine transformation operation in the fixed substituting unit 32 is adopted so that the error spread is limited to 2 bits.

Therefore, the data disturbing circuit as a whole has the property that when two kinds of data differing by only 1 bit at the input are input, the difference at the output is only 2 bits, which is the error described in the third conventional example. The spillover problem is resolved. That is, if the input data has a configuration in which an error correction code capable of correcting a 2-bit error in 32-bit data is added, a 1-bit error occurs due to noise on the communication line. However, the original data can be decrypted.

[0021]

However, in the case of the data disturbing circuit in the fourth conventional example, there is a problem in safety as described below. Now the decryptor
If it is possible to obtain two plaintext data differing only in a specific 1 bit and ciphertext data for each, it is possible to know how the 1 bit is replaced by the variable bit replacing unit 31.

This is because the operation in the exclusive OR unit 30 is an operation of performing an exclusive OR for each bit of these two plaintext data by using the same key value.
The bit positions that are different in the two plaintext data do not change before and after being input to the exclusive OR unit 30.
Furthermore, two pieces of data differing by only 1 bit are converted by the fixed substituting section 32 so as to differ by only 2 bits. The position of 1 bit, which was different in the two data, is known. Therefore, the operation of the variable bit replacement unit 31 for the obtained one bit is clarified.

Therefore, if the decryption person can obtain only two sets of two plaintexts differing by one bit and their ciphertexts, such that one bit extends over all the digits (bits) of the plaintext. , All the operations of the variable bit replacement unit 31 are found, and the value of the key input to the exclusive OR unit 30 is also found, and the decryption is successful. That is, there is a problem in safety.

Therefore, an object of the present invention is to enable secret communication in real time even on a communication line of poor quality, and for a decryption person to obtain a convenient plaintext / ciphertext pair. The object of the present invention is to provide a data encryption device that generates highly secure ciphertext data that is difficult to be decrypted.

[0025]

In order to achieve the above object, the present invention is a data encryption device for encrypting plaintext data based on key data given in advance. It is supposed to be composed of means for performing affine transformation determined by the key data, subsequently means for performing non-affine transformation with the error ripple limited to a predetermined value, and finally means for performing affine transformation determined by the key data. .

As a result, the affine transformation is performed with the key data in a format sandwiching the non-affine transformation, so that the security is high and the error spread in the non-affine transformation is limited, which is suitable for real-time secret communication. A data encryption device is realized.

[0027]

Embodiments of the present invention will now be described. Usually, the ciphertext data encrypted by the data encryption device is subjected to an operation of encryption conversion and inverse conversion by the data decryption device that shares the key data at the time of encryption,
The decrypted text data is output. In the present embodiment, in a transmitter having a data encryption device, certain plaintext data is encrypted and transmitted as ciphertext data, and the ciphertext data is decrypted by a receiver having a data decryption device to be decrypted text data. This will be described as an encrypted communication system that outputs data. (Configuration of Encryption Communication System) FIG. 1 is a block diagram showing the configuration of the encryption communication system according to the present embodiment. This cryptographic communication system includes a transmitter 1 and a receiver 2. The transmitter 1 and the receiver 2 are, for example, mobile phones, cordless phones, and the like, which are protected from eavesdropping on wireless communication.

As shown in FIG. 1, the transmitter 1 includes a data encryption device 10 and a transmission unit 11, but in addition to these, a microphone, a voice codec, an error code (not shown) included in a general mobile phone are provided. It also has a correction circuit. The data encryption device 10 includes 32-bit plaintext data and 144
Bit key data is input. This plaintext data is data to which an error correction code is added after the voice input from the microphone is encoded. Moreover, the key data is previously determined between the transmitter 1 and the receiver 2. The plaintext data and the key data are input to the data encryption device 10 and processed to become 32-bit ciphertext data, which is modulated / amplified by the transmitter 11 and transmitted to the receiver 2.

As shown in FIG. 1, the receiver 2 is provided with a data decoding device 20 and a receiving section 21, but is also provided with a speaker, a voice codec, an error correction circuit and the like which are not shown. The data decoding device 20 includes a receiving unit 2
The 32-bit ciphertext data received via 1 and the 144-bit key data previously determined by the transmitter 1 and the receiver 2 are input. The ciphertext data and the key data are input to the data decryption device 20 to be processed into decrypted text data, which are output to the speaker after error correction is performed. (Configuration of Data Encryption Apparatus 10) FIG. 2 is a block diagram showing an example of the configuration of the data encryption apparatus 10 shown in FIG. In FIG. 2, the data encryption device 10 is
First exclusive OR unit 101 and first variable bit replacement unit 1
02, the first fixed bit replacement unit 103, the first variable non-affine transformation unit 104, the second exclusive OR unit 105,
The second variable bit replacing unit 106 and the key dividing unit 107 are provided.

The first exclusive OR unit 101 performs an exclusive OR operation for each bit of the input 32-bit plaintext data and the first 32-bit addition key input from the key dividing unit 107. , That value is output. The first variable bit permutation unit 102 bit-performs the 32-bit data input from the first exclusive OR unit 101 according to the first 32-bit substitution key input from the key division unit 107, and outputs it. .

The first fixed bit replacement unit 103 performs a fixed bit replacement on any data of the 32-bit data input from the first variable bit replacement unit 102 and outputs it. The above three constituent units 101 to 103 sequentially perform the exclusive OR and the bit replacement, and thus perform one affine transformation as a whole.

The first variable non-affine transformation unit 104 has a first
The 32-bit data input from the fixed bit replacement unit 103 is converted and output according to the first 16-bit selection key input from the key division unit 107. The second exclusive OR unit 105 performs exclusive exclusion for each bit on the 32-bit data input from the first variable non-affine transformation unit 104 and the second 32-bit addition key input from the key division unit 107. The logical sum operation is performed and the value is output.

The second variable bit permutation unit 106 bit-performs the 32-bit data input from the second exclusive OR unit 105 according to the second 32-bit substitution key input from the key division unit 107. Output. The above-described two constituent units 105 and 106 also sequentially perform the exclusive OR and the bit replacement, so that one affine transformation is performed as a whole.

The key dividing unit 107 converts the input 144-bit key data into a first 32-bit addition key and a first 3-bit addition key.
It is divided into a 2-bit replacement key, a first 16-bit selection key, a second 32-bit addition key, and a second 32-bit replacement key. More specifically, each component of the data encryption device 10 described above is more specifically implemented on a computer system including a general-purpose microprocessor, a ROM storing a control program and a table described later, and a RAM serving as a work area. It is realized by software. (Structure of Data Decoding Device 20) FIG. 3 is a block diagram showing an example of the structure of the data decoding device 20 shown in FIG. In FIG. 3, the data decoding device 20 includes a third variable bit replacing unit 201 and a third exclusive OR unit 202.
And a second variable non-affine transformation unit 203, a second fixed bit replacement unit 204, a fourth variable bit replacement unit 205, a fourth exclusive OR unit 206, and a key division unit 207.

The third variable bit permutation unit 201 performs bit permutation on the input 32-bit data according to the third 32-bit permutation key input from the key division unit 207 and outputs it. The third exclusive OR unit 202 sets the 32-bit data input from the third variable bit replacement unit 201 and the third 32-bit addition key input from the key division unit 207 to an exclusive logic for each bit. Performs a sum operation and outputs the value.

The second variable non-affine transformation unit 203 has a third
The 32-bit data input from the exclusive OR unit 202 is converted according to the second 16-bit selection key input from the key dividing unit 207 and output. The second fixed bit replacement unit 204 performs fixed bit replacement on any of the 32-bit data input from the second variable non-affine conversion unit 203 and outputs the result.

The fourth variable bit permutation unit 205 bit-performs the 32-bit data input from the second fixed bit permutation unit 204 according to the fourth 32-bit substitution key input from the key division unit 207. Output. The fourth exclusive OR unit 206 compares the 32-bit data input from the fourth variable bit replacing unit 205 and the fourth 32-bit addition key input from the key dividing unit 207 with an exclusive logic for each bit. Performs a sum operation and outputs the value.

The key dividing unit 207 converts the input 144-bit key data into a fourth 32-bit addition key and a fourth 3-bit addition key.
It is divided into a 2-bit replacement key, a second 16-bit selection key, a third 32-bit addition key, and a third 32-bit replacement key. In addition, each component of the above data decoding device 20 is
Similar to the data encryption device 10, more specifically, it is realized by software on a computer system including a general-purpose microprocessor, a ROM storing a control program and a table described later, and a RAM as a work area. (First exclusive OR section 101, second exclusive OR section 10
5. Operation of third exclusive OR unit 202 and fourth exclusive OR unit 206) First exclusive OR unit 101 and second exclusive OR unit 105 included in the data encryption device 10, and data decryption Third exclusive OR unit 20 included in the device 20
The second and fourth exclusive OR units 206 respectively perform the same operation. That is, the input 32-bit data IN
And 32-bit key data (first or second addition key) K
With respect to EY, 32-bit output data OUT is OUT = IN (+) KEY. However, (+) indicates an exclusive OR (EOR or XOR) for each bit.

Since such an operation is performed,
When the first addition key and the fourth addition key have the same value, the first exclusive OR unit 101 and the fourth exclusive OR unit 206 are inverse conversions of each other. Similarly, the second addition key and the third addition key
When the addition keys of 2 and 3 have the same value, the second exclusive OR unit 105 and the third exclusive OR unit 202 are inversely converted. (Operation of First Variable Bit Substitution Unit 102) FIG. 4 is a diagram showing in detail the operation of the first variable bit substitution unit 102 included in the data encryption device 10. First variable bit replacement unit 1
02 consists of two operations.

The first operation is bit replacement. First,
The input 32-bit data is divided into 8 blocks B [7], B [6], ..., B [0] of 4 bits each. The first 32-bit replacement key also includes the upper 24 bits of 3
Bit-by-bit division SK [7], SK [6], ..., S
Let K [0]. The divided data B [i] (i = 0,
1, ..., 7) are bit-replaced according to SK [i], and C
[I] is obtained. Note that this replacement is determined by eight types of bit replacement tables, and which bit replacement table is selected is determined by the value of SK [i].

Table 1 shows an example of this bit replacement table.

[0042]

[Table 1]

In Table 1, the vertical axis shows the number of input bits and the horizontal axis shows the key data. 4-bit data B
[I] is the 3rd bit, the 2nd bit, the 1st bit, and the 0th bit from the higher order. Value of SK [i] (0 to
The vertical axis is selected by 7) to show what number of bits of the data of each input bit is the output. For example, SK
When [i] = 1, the 0th bit of the input is the 3rd bit of the output.
The first bit of the input is the second bit of the output, the second bit of the input is the first bit of the output, and the third bit of the input is the zeroth bit of the output.

The second operation that follows is block replacement.
First, eight blocks C [7], C [6], ..., C
Eight blocks D [7], D are obtained by replacing the contents of the block with [0] according to the lower 8 bits L1 of the first replacement key key.
Let [6], ..., D [0]. Note that this replacement is 256
It is determined by the type of block replacement table, and which replacement table is selected is determined by L1.

Table 2 shows an example of this block replacement table.

[0046]

[Table 2]

In Table 2, the vertical axis shows the input block number and the horizontal axis shows the key data. Value of L1 (0 to 2
55), the vertical axis is selected and the number of output blocks of the data of each input block is shown. For example,
When L1 = 1, input C [0] is output D
[5], the input C [1] is output D [2], ..., and the input C [7] is output D [4]. Then, eight blocks D [7], D that have been block-replaced
[6], ..., D [0] are concatenated to form 32-bit output data. (Operation of Fourth Variable Bit Substituting Unit 205) FIG. 5 is a diagram showing in detail the operation of the fourth variable bit substituting unit 205 included in the data decoding device 20. Fourth variable bit replacement unit 20
5 is the input of the fourth 32-bit replacement key is the first 3
When the value is the same as that of the 2-bit replacement key, the conversion is reverse to that of the first variable bit replacement unit 102. That is, it consists of the following two operations.

The first operation is block replacement. First, the input 32-bit data is divided into 8 blocks d [7], d [6], ..., D [0] of 4 bits each. Eight divided blocks d [7], d [6],
, D [0] is the eight blocks c obtained by substituting the contents of the block according to the lower 8 bits 11 of the fourth replacement key.
Let [7], c [6], ..., C [0].

This replacement is determined by 256 types of block replacement tables, and which replacement table is selected is determined by l1. This block replacement table is an inverse conversion of the block replacement table of the first variable bit replacement unit 102 shown in FIG. 4, and has the same format as Table 2. The second operation that follows is bit replacement. First, for the fourth 32-bit replacement key, the upper 24 bits are also divided into 3 bits, and sk
Let [7], sk [6], ..., Sk [0]. The divided data c [i] (i = 0, 1, ..., 7) is sk [i]
Then, the bits are replaced according to the above, resulting in b [i]. Note that this replacement is determined by eight types of bit replacement tables, and which bit replacement table is selected depends on sk.
Determined by the value of [i].

The bit replacement table is an inverse conversion of the bit replacement table of the first variable bit replacement unit 102 shown in FIG. 4, and has the same format as Table 1. Then, the block-replaced 8 blocks are concatenated to form 32-bit output data. Therefore, when the input first substitution key and fourth substitution key have the same value, the first variable bit substitution unit 102 and the fourth variable bit substitution unit 205 perform inverse conversion with each other. (Operation of Second Variable Bit Substitution Unit 106) The second variable bit substitution unit 106 included in the data encryption device 10 has the same configuration as the first variable bit substitution unit 102. However, although the bit substitution table and the block substitution table are different, the formats are the same as those in Table 1 and Table 2, respectively. (Operation of Third Variable Bit Replacement Unit 201) The third variable bit replacement unit 201 included in the data decoding device 20 has the same configuration as the fourth variable bit replacement unit 205. However,
When the bit substitution table and the block substitution table in the third variable bit permutation unit 201 have the same value for the input second substitution key and third substitution key, the second variable bit substitution unit 10
6 and the third variable bit permutation unit 201 are adapted to perform inverse conversion with each other. (Operation of First Fixed Bit Substitution Unit 103) The first fixed bit substitution unit 103 included in the data encryption device 10 performs fixed bit substitution on 32-bit input data and outputs it. (Operation of Second Fixed Bit Replacement Unit 204) The second fixed bit replacement unit 204 included in the data decoding device 20 performs fixed bit replacement that is the reverse replacement of the first fixed bit replacement unit 103. (Operation of First Variable Non-Affine Transformation Unit 104) FIG. 6 is a diagram showing in detail the operation of the first variable non-affine transformation unit 104 included in the data encryption device 10.

The input 32-bit data is 4 blocks of 8 bits each E [3], E [2], ..., E [0].
Is divided into The input first 16-bit selection key is also divided into 4 bits, and CK [3], CK [2],
…, CK [0]. Each block E [i] (i = 0,
1, 2, 3) are non-affine transformed according to CK [i] to become F [i]. Note that this non-affine transformation is 16
It is determined by the kind of non-affine conversion table,
CK which non-affine conversion table is selected
Determined by the value of [i].

Table 3 shows an example of this non-affine conversion table.

[0053]

[Table 3]

In Table 3, the vertical axis represents input data (0 to 25).
5), key data is written on the horizontal axis. The 8-bit data E [i] is the output value F [i] corresponding to the data E [i] among the output values belonging to the vertical axis selected by the value (0 to 15) of CK [i]. To be converted. For example, when CK [i] = 1, the output value F [i] when the input data E [i] is 0 is 255, and the output value F [i] is
The output value F [i] when [i] is 1 is 251, and ...
The output value when the input is 255 is 172.

This table shows 16 conversions out of all non-affine conversions that convert 8-bit input data into 8-bit output data, so that the average error spread is 1.5 bits. , Is selected in advance by a so-called brute force search by a computer. This is because the error correction circuit provided in the receiver 2 has a capability of correcting an error of 2 bits out of 8 bits, so that the error ripple factor does not exceed this value.

Finally, the non-affine-transformed four blocks F [3], F [2], ..., F [0] are concatenated to form 32-bit output data. (Operation of Second Variable Non-Affine Transformation Unit 203) FIG. 7 shows the second variable non-affine transformation unit 2 included in the data decoding device 20.
It is the figure which described the operation of 03 in detail.

The input 32-bit data is 4 blocks of 8 bits, f [3], f [2], ..., F [0].
Is divided into The input second 16-bit selection key is also divided into 4 bits, and ck [3], ck [2],
..., ck [0]. Each block f [i] (i = 0,
1, 2, 3) are non-affine transformed according to ck [i] to be e [i]. Note that this non-affine transformation is 16
It is determined by the kind of non-affine conversion table,
Which non-affine translation table to select is ck
Determined by the value of [i].

This non-affine conversion table is an inverse conversion of the non-affine conversion table in the first variable non-affine conversion unit 104, and has the same format as Table 3. Therefore, when the input first selection key and the third selection key have the same value, the first variable non-affine transformation unit 10
4 and the second variable non-affine transformation unit 203 are inverse transformations of each other. (Operation of Cryptographic Communication System) Next, the operation of the entire cryptographic communication system will be described with reference to FIGS.

First, in the transmitter 1, the voice of a fixed time length input from the microphone is encoded by a voice codec, and an error correction code is added by an error correction circuit to generate 32-bit plaintext data. . The plaintext data and the 144-bit key data previously held in the transmitter 1 are input to the data encryption device 10.

The 144-bit key data is stored in the key division unit 10
7, the first 32-bit addition key from the higher order, the first 32-bit replacement key, the first 16-bit selection key,
It is divided into a second 32-bit addition key and a second 32-bit replacement key. The 32-bit plaintext data is input to the first exclusive OR unit 101, bit-wise exclusive OR operation is performed with the first addition key input from the key division unit 107, and then the first addition key is output. It is input to the variable bit replacement unit 102.

The data input to the first variable bit permutation unit 102 is input to the first variable bit permutation unit 102, bit-permuted according to the first 32-bit permutation key input from the key division unit 107, and output. And then input to the first fixed bit replacement unit 103. First fixed bit replacement unit 10
The data input to 3 is subjected to fixed bit permutation and output, and then input to the first variable non-affine transformation unit 104.

The data input to the first variable non-affine transformation unit 104 is the first 1 input from the key division unit 107.
It is non-affine-transformed according to the 6-bit selection key, is output, and is then input to the second exclusive OR unit 105. Second
The data input to the exclusive OR unit 105 is output by performing an exclusive OR operation for each bit with the second 32-bit addition key input from the key division unit 107, and then output to the second
It is input to the variable bit replacement unit 106.

The data input to the second variable bit permutation unit 106 is bit-permuted according to the second 32-bit permutation key input from the key division unit 107 and output to become 32-bit ciphertext data. Then, the 32-bit ciphertext data output from the data encryption device 10 is transmitted to the receiver 2 via the transmission unit 11.

In the receiver 2, the 32-bit ciphertext data transmitted from the transmitter 1 is received by the receiver 21 and together with the 144-bit key data, the data decryption device 20.
Is input to The 144-bit key data is stored in the key division unit 2
07, which is the fourth 32-bit addition key from the higher order,
It is divided into a fourth 32-bit replacement key, a second 16-bit selection key, a third 32-bit addition key, and a third 32-bit replacement key.

The 32-bit ciphertext data is input to the third variable bit permutation unit 201, bit-permuted according to the third 32-bit permutation key input from the key division unit 207, and then output. It is input to the logical OR section 202. The data input to the third exclusive OR section 202 is
The third 32-bit addition key input from the key division unit 207 and an exclusive OR operation for each bit are performed and output.
Then, it is input to the second variable non-affine transformation unit 203.

The data input to the second variable non-affine transformation unit 203 is the second 1 input from the key division unit 207.
The data is converted and output according to the 6-bit selection key, and then input to the second fixed bit replacement unit 204. The data input to the second fixed bit replacement unit 204 is output after performing fixed bit replacement, and then input to the fourth variable bit replacement unit 205.

The data input to the fourth variable bit permutation unit 205 is bit-permuted according to the fourth 32-bit permutation key input from the key division unit 207 and output, and then the fourth exclusive OR unit. It is input to 206. The data input to the fourth exclusive OR unit 206 is output by performing an exclusive OR operation for each bit with the fourth 32-bit addition key input from the key division unit 207, and is decrypted to 32 bits. It becomes sentence data.

The decoded text data is subjected to error correction by the error correction circuit of the receiver 2, converted into a voice signal by the voice codec, and output from the speaker. Here, as described above, the first exclusive OR section 101 and the fourth exclusive OR section 101
An exclusive OR section 206, a first variable bit replacing section 102 and a fourth variable bit replacing section 205, a first variable non-affine converting section 104, a second variable non-affine converting section 203, and a second exclusive OR section 105. Third exclusive OR section 202, second variable bit replacing section 106 and third variable bit replacing section 201.
Are the first addition key and the fourth addition key, the first replacement key and the fourth replacement key, the first selection key and the second input key, which are respectively input.
If the selection key, the second addition key and the third selection key, and the second replacement key and the third replacement key have the same value, they are inversely transformed. Also, the first fixed bit replacement unit 1
03 and the second fixed bit replacement unit 204 are also inverse transforms of each other.

Therefore, when the input 144-bit key data has the same value, the conversion performed by the data encryption device 10 and the conversion performed by the data decryption device 20 are reverse conversions. That is, the key data is sent to the transmitter 1 and the receiver 2
In the case where the same value is shared by, the decrypted text data obtained by decrypting the encrypted text data created by the transmitter 1 from the plain text data by the data decryption device 20 matches the plain text data.

Further, the first exclusive OR unit 101, the first variable bit replacing unit 102, the first fixed bit replacing unit 103,
Second exclusive OR section 105, second variable bit replacing section 10
The operations performed in 6 are all operations that do not cause error ripple, as described in the section "Prior Art". The error spread of the operations performed by the first variable non-affine transform section 104 is also limited to 1.5 bits on average, so that the error spread of all operations is also 1.5 bits on average.

Therefore, for example, 1 in 8 bits of the ciphertext data due to noise on the communication path from the transmitter 1 to the receiver 2
Even if an error occurs in the bit, the average of the decoded text data in the receiver 2 is expanded to an error of 1.5 bits, so that the receiver 2 having the error correction capability of 2 bits returns to the original plaintext data. Restored. This eliminates the need for the receiver 2 to request the transmitter 1 to retransmit the ciphertext data, and enables encrypted communication without impairing the real-time property in a noisy communication path.

Next, safety will be described. When the decrypter can obtain two plaintext data different by 1 bit at the input and the ciphertext data corresponding to each, the first variable bit replacement unit 102 and the second variable bit replacement unit 102 and
The operation of the entire bit permutation in which the variable bit permutation unit 106 is combined can be understood. However, the decryption person does not know how each of the first variable bit replacement unit 102 and the second variable bit replacement unit 106 replaces each other. That is, it is unknown which block is converted in the first variable non-affine conversion unit 104.

Therefore, even if the decrypter obtains 32 sets of plaintext and ciphertext that are convenient for himself as described in the conventional technique, he cannot determine the plaintext from arbitrary ciphertext. Decryption fails. Therefore, this encryption method is
The safety is higher than that of the above-mentioned fourth conventional example. The first variable bit replacement unit 102 and the second variable bit replacement unit 106 described in the present embodiment are internally divided into 8 blocks by 4 bits, perform the bit replacement within each block, and then between 8 blocks. However, the same effect can be obtained by first performing replacement between 8 blocks and then performing bit replacement within each block. However, in this case, in the third variable bit substituting unit 201 and the fourth variable bit substituting unit 205, the bit permutation within the block is performed first, and then the inter-block permutation is performed.

Further, although the first fixed bit replacement unit 103 and the second fixed bit replacement unit 204 described in the present embodiment are assumed to be inverse conversion and separate conversion, respectively, the bits of the first fixed bit replacement unit 103 are different. If the permutation is equal to the inverse transform, the first fixed bit permutation unit 10
3 and the second fixed bit replacement unit 204 can be the same.

Further, the first variable bit permutation unit 102 and the second variable bit permutation unit 106 described in the present embodiment set the bit permutation table and the block permutation table so that they are different conversions, respectively. The same bit permutation table and block permutation table can be used to make them identical. In that case, the fourth variable bit replacement unit 205 and the third variable bit replacement unit 201 may be the same.

Further, in this embodiment, the data encryption device 10 and the data decryption device 20 are realized by software, but the invention is not limited to this. For example, the first exclusive OR unit 101 or the like is realized by dedicated hardware including a logic circuit such as XOR, or
The first variable non-affine conversion unit 104 and the like may be realized by a ROM that stores Table 3 in which the output data from the fixed bit replacement unit 103 is an address input. This speeds up data encryption and decryption processing.

Further, in the transmitter 1, although the error correction code is added to the voice data and then encrypted, the order is not limited to this order, and the error correction code is transmitted after the voice data is encrypted. It may be added. In that case, in the receiver 2, the received ciphertext data may be subjected to error correction and then decrypted.

[0078]

As is apparent from the above description, the data encryption device according to the present invention is a data encryption device for encrypting plaintext data consisting of a plurality of bits based on key data given in advance. , First variable affine transformation means for performing affine transformation determined on the plaintext data on the basis of the key data, and error propagation degree of the data obtained by the first variable affine transformation means is limited to a predetermined value. It is characterized by comprising non-affine transformation means for performing non-affine transformation, and second variable affine transformation means for performing affine transformation determined on the basis of the key data with respect to the data obtained by the non-affine transformation means.

As a result, the plaintext data is affine-transformed, then non-affine-transformed, and finally affine-transformed again. Therefore, this data encryption apparatus is compared with the conventional encryption in which only non-affine transformation is performed after affine transformation. The non-affine transformation operation of is hidden and the security is high. further,
Since the error ripple factor in the non-affine transforming means is limited to a predetermined value, noisy communication can be achieved by setting this predetermined value within the error correction capability of the receiver that decrypts the ciphertext data. Ciphertext data suitable for real-time communication on the road is generated.

Here, the first variable affine transforming means and the second variable affine transforming means may perform the same affine transformation if the key data is the same. Thus, the first variable affine transforming means and the second variable affine transforming means can be the same constituent element, so that the data encryption device can be realized with fewer constituent elements.

Also, the first variable affine transformation means and the second
The variable affine transformation means can also perform transformation such that the transformation and the inverse transformation thereof are the same. Thereby, the first variable affine transformation means and the second variable affine transformation means
Since the variable affine transforming means and the decrypting means for performing the respective inverse transforms can be the same constituent element, miniaturization of a communication device including the encryption device and the decryption device can be realized.

Further, the non-affine transformation in the non-affine transformation means may be determined based on the key data. As a result, a data encryption device with higher security than when a fixed non-affine transformation is adopted is realized. Here, the non-affine transformation unit divides the data obtained by the first variable affine transformation unit into a plurality of blocks each having a predetermined bit, performs non-affine transformation on each divided block, and performs non-affine transformation. The encryption strength can be further increased by connecting each block and by independently encrypting the non-affine transformation based on the key data for each divided block.

Further, the first variable affine transformation means is
For a first exclusive OR unit that calculates an exclusive OR of the first addition key data determined based on the key data and the plaintext data, and for the data calculated by the first exclusive OR unit A first variable bit permutation unit that performs bit permutation determined based on the key data, and the non-affine transformation unit performs non-affine transformation on the data obtained by the first variable bit substitution unit, The second variable affine transformation means is the second variable affine transformation means, which is determined based on the key data.
A second exclusive OR section for calculating an exclusive OR of the addition key data and the data obtained by the non-affine transformation means, and the key for the data calculated by the second exclusive OR section. The second variable bit replacement unit may perform the bit replacement determined based on the data.

As a result, since the conversion operation in the first and second variable affine conversion means is represented by a simple combination of logical operations, the data encryption device can be easily realized by a program or a logic circuit. Here, the first variable bit permutation unit and the second variable bit permutation unit perform the same bit permutation if the key data is the same, or perform the inverse conversion if the key data are the same. It is possible to have a relationship of

As a result, the conversion algorithms required for the first and second variable bit permutation units are made common, and the implementation of the data encryption device and the corresponding data decryption device is simplified. Also, the first variable bit replacement unit and the second variable bit replacement unit.
The variable bit replacement unit divides the data calculated by the first exclusive OR unit and the second exclusive OR unit into a plurality of blocks each having a predetermined bit, and the key data is divided for each block. After performing bit replacement determined based on the above, block replacement determined based on the key data is performed on those blocks, and each block subjected to block replacement is connected, or
The first variable bit replacement unit and the second variable bit replacement unit divide the data calculated by the first exclusive OR unit and the second exclusive OR unit into a plurality of blocks each having a predetermined bit. Then, after performing block replacement determined on the basis of the key data for the divided blocks, performing bit replacement determined on the basis of the key data for each of the blocks, and concatenating the bit-substituted blocks. Can also be

As a result, since the plaintext data is divided into blocks and then independently encrypted based on the key data for each block, the encryption strength is increased. In addition, the first
The variable affine transformation means further includes a fixed bit replacement unit that performs a predetermined bit replacement on the data obtained by the first variable bit replacement unit, whereby the encryption strength can be further increased.

Here, the bit permutation in the fixed bit permutation unit may be a conversion in which the bit permutation and its inverse conversion are the same. This allows
It is possible to share the components required for the fixed bit replacement unit in this data encryption device and the corresponding data decryption device. As described above, according to the present invention,
Highly secure ciphertext data that enables real-time secret communication even on poor-quality communication lines, and is difficult to decipher even if the decryptor can obtain a convenient plaintext / ciphertext pair. A data encryption device for generating is realized.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration of a data encryption device according to an embodiment of the present invention.

FIG. 2 is a block diagram showing a configuration of a data encryption device 10 shown in FIG.

3 is a block diagram showing a configuration of a data decoding device 20 shown in FIG.

FIG. 4 is a diagram detailing the operation of the first variable bit replacement unit 102 shown in FIG.

5 is a diagram detailing an operation of a fourth variable bit replacement unit 205 shown in FIG.

6 is a first variable non-affine transformation unit 10 shown in FIG.
FIG. 4 is a diagram illustrating in detail the operation of No. 4.

FIG. 7 is a second variable non-affine transformation unit 20 shown in FIG.
It is a figure which described operation of 3 in detail.

FIG. 8 is a block diagram showing a configuration of a conventional data encryption device.

[Explanation of symbols]

 1 transmitter 2 receiver 10 data encryption device 11 transmission unit 20 data decryption device 21 reception unit 101 first exclusive OR unit 102 first variable bit permutation unit 103 first fixed bit permutation unit 104 first variable non-affine transformation Unit 105 second exclusive OR unit 106 second variable bit replacement unit 107 key division unit 201 third variable bit replacement unit 202 third exclusive OR unit 203 second variable non-affine conversion unit 204 second fixed bit replacement unit 205 fourth variable bit replacing unit 206 fourth exclusive OR unit 207 key dividing unit

Claims (14)

[Claims] 1. A data encryption device for encrypting plaintext data consisting of a plurality of bits based on key data given in advance, wherein the plaintext data is subjected to affine transformation determined based on the key data. 1 variable affine transforming means, non-affine transforming means for performing non-affine transforming on data obtained by the first variable affine transforming means with an error ripple limited to a predetermined value, and non-affine transforming means The affine transformation determined based on the key data for the second data
A data encryption device comprising variable affine transformation means. 2. The data encryption apparatus according to claim 1, wherein the first variable affine transformation means and the second variable affine transformation means perform the same affine transformation if the key data are the same. . 3. The first variable affine transformation means performs a transformation such that the transformation is the same as the inverse transformation thereof, and the second variable affine transformation means performs the transformation and the inverse transformation thereof are the same. The data encryption device according to claim 1, wherein the data encryption device performs the following conversion. 4. The data encryption device according to claim 1, wherein the non-affine transformation in the non-affine transformation means is determined based on the key data. 5. The non-affine transformation means divides the data obtained by the first variable affine transformation means into a plurality of blocks each having a predetermined bit, and performs non-affine transformation on each of the divided blocks to obtain a non-affine transformation. The data encryption device according to claim 1, wherein the converted blocks are connected to each other. 6. The data encryption apparatus according to claim 5, wherein the non-affine transformation for each block in the non-affine transformation means is independently determined based on the key data. 7. The first variable affine transformation means, a first exclusive OR section for calculating an exclusive OR of the first addition key data determined based on the key data and the plaintext data, 1 bit replacement determined based on the key data is performed on the data calculated by the exclusive OR unit.
A variable bit permutation unit, the non-affine transformation unit performs non-affine transformation on the data obtained by the first variable bit substitution unit, and the second variable affine transformation unit is based on the key data. A second exclusive OR unit for calculating an exclusive OR of the second addition key data determined by the above and the data obtained by the non-affine transformation unit, and the data calculated by the second exclusive OR unit. Secondly, the second bit replacement is performed based on the key data.
2. A variable bit replacement section, comprising:
The data encryption device described. 8. The first variable bit replacement unit and the second variable bit replacement unit.
The data encryption device according to claim 7, wherein the variable bit replacement unit performs the same bit replacement if the key data are the same. 9. The bit permutation in the first variable bit permutation unit and the bit permutation in the second variable bit permutation unit have an inverse conversion relationship if the key data is the same. The data encryption device according to claim 7. 10. The first variable bit replacement unit and the second variable bit replacement unit.
The variable bit replacement unit divides the data calculated by the first exclusive OR unit and the second exclusive OR unit into a plurality of blocks each having a predetermined bit, and the key data is divided for each block. 8. The data encryption according to claim 7, wherein the block permutation determined based on the key data is performed after performing the bit permutation determined based on the key data, and the blocks subjected to the block permutation are connected. Device. 11. The first variable bit replacement unit and the second variable bit replacement unit.
The variable bit replacement unit divides the data calculated by the first exclusive OR unit and the second exclusive OR unit into a plurality of blocks each having a predetermined bit, and the divided block is divided into the keys. 8. The data encryption according to claim 7, wherein after the block replacement determined based on the data is performed, the bit replacement determined based on the key data is performed for each block, and the bit-substituted blocks are connected. Device. 12. The bit permutation for each block in the first variable bit permutation unit and the second variable bit permutation unit is independently determined on the basis of the key data. Data encryption device. 13. The first variable affine transformation unit further includes a fixed bit substitution unit that performs a predetermined bit substitution on the data obtained by the first variable bit substitution unit, and the non-affine transformation unit. The data encryption device according to claim 7, wherein the non-affine transformation is performed on the data obtained by the fixed bit substitution unit instead of the data obtained by the first variable bit substitution unit. 14. The data encryption device according to claim 13, wherein the bit replacement in the fixed bit replacement unit is a conversion in which the bit replacement and its inverse conversion are the same.