KR20070060455A - Internal block chaining-a block cipher pseudo mode of operation - Google Patents

Abstract

An internal block changing and a block cipher pseudo mode operating method is provided to increase a speed of a process by using the pipelining process when hardware of SNP(Substitution Permutation Network) structure block chipper is implemented. An internal block changing and a block cipher pseudo mode operating method includes the steps of: acquiring a cipher calculation result of each block; having an influence on the next block encryption calculation; and encrypting a total input plaintext. If the block cipher has an even number of rounds, the block cipher is converted into a block cipher having an odd number of rounds by adding a round on a center. A round key of the round which is added on the center is generated by adding a previous round key to the next round key. A post calculation is performed by summing an output of a center round with a center round input of the next block encryption calculation.

Description

Internal Block Chaining-A Block Cipher Pseudo Mode of Operation

1 is a diagram illustrating a state in which an output of a center round function is XORed to a center round function input of a next block in a similar operation mode encryption scheme proposed by the present invention.

The present invention relates to an operation mode of a block cipher.

Block ciphers can be encrypted only by a certain size, that is, in units of blocks, according to the design of the corresponding cipher cipher. Most block ciphers in use today use 128-bit or 64-bit blocks. In order to encrypt a plain text of longer length, the block cipher must be divided and applied several times. The standard way of using the block cipher several times is called the operation mode of the block cipher.

The input plaintext is simply cut into blocks and the parts are sequentially encrypted. This is called ECB operation mode. This is because the same plain text is represented by the same cipher text, which is difficult to apply to most real data that lacks randomness.

Other well-known standard modes of operation include CBC, CFB, OFB, and CTR. OFB and CTR modes are stream cipher mode of operation. It generates random sequences using block ciphers, and encryption itself is a simple XOR of random sequences and plain text. This has the disadvantage of being able to perform bitwise modulation, which is a weak point of stream ciphers. Therefore, it is vulnerable to bit-by-bit modulation if no additional message authentication is provided.

The remaining CBC and CFB schemes are somewhat resistant to bitwise modulation. If an attacker modulates an arbitrary bit, he or she can modulate the intended plaintext bit, but the bits of the remaining blocks will be changed simultaneously in a way that the attacker cannot control. Therefore, such modulation is likely to be detected. Because of these advantages, the most commonly used mode of operation is the CBC.

However, CBC and CFB operating modes have disadvantages in hardware implementation. These are chaining methods that combine the encryption result of the block cipher with the next plaintext input block and use it as the input of the block cipher. Therefore, the encryption of the second block cannot be started until the encryption of the first block is finished. As a result, the use of pipelining, a hardware fast implementation technique, becomes impossible.

The five modes of operation introduced so far are the most standard. Among other modes of operation, one achieves the same purpose as the present invention is OCB, developed and patented by P. Rogaway (US, 09/918615). This has a greater meaning as an operation mode that simultaneously provides confidentiality and authentication functions than the object of interest to the present invention. However, since the operation method is deeply related to the CTR operation mode, the pipelining technique can be applied. One problem with OCB is that it is not easy to learn how it works because it is complex, such as using finite field operations, and it requires a little extra computation.

The present invention seeks to solve the problems of the operating modes presented above. In other words, we propose a simple block cipher-like operation mode that can use the pipelining technique in hardware implementation and avoid the bitwise modulation, which is a weak point of stream cipher.

Block ciphers in most cases consist of a structure where the same operation is repeated several times. This same task is referred to as a round. For example, AES using 128-bit keys consists of 10 rounds and ARIA developed in Korea consists of 12 rounds for 128-bit keys.

Considering that the entire encryption is a repetition of rounds, the hardware implementation can configure only one round and iterate over the inputs to calculate the output. This is a way to implement block ciphers using less resources in harsh environments.

When high speed operation is required, all rounds are implemented. In this implementation, if the data to be encrypted is multiple blocks, the first plaintext block goes through the first round of processing and the next plaintext block is entered in the first round. Then, as the first block passes the second round, the second block passes the first round. This is called pipelining to implement multiple blocks at the same time. This is the standard technique of hardware implementation, which makes the block cipher of n rounds approximately n times faster.

However, many modes of operation currently disable the pipelining technique described above because the second input plaintext block is only ready after the first ciphertext block is completed. The present invention seeks to present an operating mode that does not have this problem.

However, there are other aspects to consider while addressing these issues. Existing CTR mode can implement pipelining, but security specificities related to the characteristics of stream ciphers can act as usage constraints. OCB mode solves both problems, but its configuration is complex. It is an object of the present invention to propose a new block cipher operating method considering all these aspects.

The present invention will be applied only to the block cipher of the SPN structure. The block cipher of the SPN structure has a well-defined round function structure. Sometimes there are block ciphers that have a different shape from the rest between several rounds, but in this case, it is not difficult to properly set the boundaries of each round.

If the number of rounds in a given block cipher is even, first add one round to have an odd number of rounds. This variation is closely related to the use of the round key, with the new round being inserted at the center of the overall structure. That is, in the case of a block password consisting of 2k rounds, the previous k rounds are used as they are, and the latter k rounds are pushed backward by one round so that the existing i-th (k + 1≤i≤2k) round key is i + 1th To be used as a round key. The round key of the k-th round, which is the new center round, is composed of the XORs of the existing k-th and k + 1th round keys.

Through the above process, it may be assumed that the target block cipher to which the present invention is applied consists of an odd number of rounds. For convenience of explanation, the number of rounds is set to 2k-1.

If the length of the message is not an integer multiple of the block length, a padding method is used, which can be selected independently of chaining, so it is appropriate among the existing standard methods (for example, NIST's CBC operation mode padding method). You can use

The messages are all given by _n blocks M ₁ to M _n , and the initial vector is denoted by IV. The synthesis of round functions from the first to k-1th is denoted by f, the kth round function is denoted by g, and the synthesis of the round function from k + 1st to 2k-1th is denoted by h. The entire block cipher is h · g · f, which is their synthesis.

The output ciphertext C ₁ to C _n are constructed as follows.

Decryption from the received ciphertext C ₁ to C _n is sequentially as follows.

The present invention enables the use of a pipelining technique in the hardware implementation of the SPN structure block cipher. Encrypting or decrypting one input block takes as long as one round function calculation. This has the effect of increasing the speed of the block cipher rounds (in many cases more than 10 times) compared to most existing chaining methods.

Claims (6)

Encrypts the entire input plaintext using m-bit block ciphers by dividing the input plaintext of any length into m-bits so that the intermediate result of each cipher's calculation affects the next block cipher's computation. Internal block chain connection and block cipher similar operating method characterized in that The method of claim 1, wherein the block ciphers used in the present invention are modified to a block cipher having an odd number of rounds by adding rounds to the center. The method of claim 2, wherein the round key of the round to be added to the center is generated as a round key combination of the immediately preceding and the next round. The method of claim 1, wherein the output of the center round is combined with the center round input of the next block encryption calculation to calculate the following. 2. The inner block chain according to claim 1, wherein the start is performed by encrypting a given initial vector until it passes through the center round, and combining the output with the input of the middle round of the encryption of the first plaintext to calculate the following. Connection and Block Password Similar Operation Method. An internal block chain concatenation and block cipher similar operating method, characterized in that the decoding is a natural and naturally corresponding inverse transform of the block cipher operating mode presented in claim 1.

Images