WO2016067524A1 - Authenticated encryption apparatus, authenticated decryption apparatus, authenticated cryptography system, authenticated encryption method, and program - Google Patents


Publication number
WO2016067524A1
Authority
WO
WIPO (PCT)
Prior art keywords
plaintext
value
unit
encryption
mask
Application number
PCT/JP2015/005042
Other languages
French (fr)
Japanese (ja)
Inventor
一彦 峯松
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社
Priority to JP2016556190A (patent JPWO2016067524A1)
Publication of WO2016067524A1

Classifications

    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present invention relates to an authenticated encryption device, an authenticated decryption device, an authenticated encryption system, an authenticated encryption method, and a program that can both conceal content and detect unauthorized tampering.
  • Patent Document 1 is known as an encryption technique.
  • In that technique, a shared-key block cipher application key is generated from an encryption key, which is a shared secret key, and an initial vector, and the plaintext is encrypted with that application key. The generated ciphertext is then concatenated with the initial vector and transmitted.
  • According to Patent Document 1, such a method makes it possible to encrypt plaintext while preventing cryptanalysis such as differential power analysis.
  • Patent Document 2 describes a probabilistic symmetric encryption method that includes a step of encoding plaintext using an error correction code, a step of encrypting the codeword based on the encoded plaintext, a secret key, and a random vector, and a step of adding a noise vector to the codeword. According to Patent Document 2, secure encryption can be realized at low cost by such a method.
  • In Non-Patent Documents 1 and 2, an encryption function parameterized by a secret key is used to generate, from an initial vector and plaintext, a ciphertext and a tag, which is a fixed-length value for detecting alteration.
  • the secret key is K
  • the plaintext is M
  • the initial vector is N
  • the encryption function with the key K as a parameter is AEnc_K
  • the ciphertext is C
  • the tag is T.
  • In Non-Patent Documents 1 and 2, after the above processing, the generated ciphertext C, tag T, and initial vector N are transmitted to the other party (the decryption device). The decryption device that receives them then checks for alteration and decrypts the plaintext M using the received values and the decryption function ADec_K. It is assumed that the initial vector N is generated so that its values never coincide by chance.
  • The length of the ciphertext C is the sum of the lengths of the initial vector N and the plaintext M.
  • The decryption side uses the shared key K to apply the inverse permutation of P_K to the ciphertext C to obtain (N, M), and then performs the authentication check by confirming whether N is the expected value.
  • The technique of Non-Patent Document 3 requires that the decryption side know in advance the initial vector N that the encryption side will use. This can be realized if the encryption side and the decryption side are synchronized with respect to the update of the initial vector N. Typically, this is achieved by the decryption side storing the initial vector of the legitimate ciphertext sent immediately before. This is a natural condition when the decryption side is required to detect and reject replay attacks.
  • NIST Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
  • NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
  • D. McGrew. Authenticated Encryption with Replay prOtection (AERO). https://tools.ietf.org/html/draft-mcgrew-aero-00
  • In Non-Patent Documents 1 and 2, encrypting the plaintext M requires transmitting the ciphertext C, which has the same length as the plaintext M, concatenated with the initial vector N and the tag T.
  • Both the initial vector N and the tag T are short values of about 4 bytes to 32 bytes.
  • The increase in communication bandwidth due to the addition of the initial vector N and the tag T cannot be ignored.
  • Such a case is frequently seen, for example, in the devices of a wireless sensor network. In such a network, the communication bandwidth is one of the important factors that influence power consumption. Therefore, bandwidth reduction has become an important issue.
  • In Non-Patent Document 3, the only information to be transmitted is the ciphertext C, and its length is the sum of the lengths of the initial vector N and the plaintext M, as described above. Therefore, it is possible to suppress the increase in communication bandwidth compared with Non-Patent Documents 1 and 2.
  • one block cipher finite field GF(2^n) multiplication (where n is the block size) is required twice per block of input length. Therefore, the load becomes very large compared with general encryption, and there has been a problem that encryption efficiency is poor.
  • An object of the present invention is to provide an authenticated encryption apparatus that solves the problem that it is difficult to efficiently prevent an increase in bandwidth when using an authenticated encryption method.
  • An authenticated encryption apparatus includes: a plaintext input unit that receives plaintext input; a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past; a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext; a plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; and a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit. The apparatus is configured to output the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit.
  • An authenticated decryption apparatus, which is another embodiment of the present invention, includes the following:
  • a ciphertext input unit that accepts input of a ciphertext and a tag to be decrypted;
  • a mask value decryption unit that decrypts the tag input to the ciphertext input unit to generate a mask value;
  • a plaintext decryption unit that decrypts the ciphertext and generates a plaintext using the mask value generated by the mask value decryption unit;
  • a fixed-length decryption unit that generates a fixed-length value by decrypting the mask value using an adjustment value based on the plaintext;
  • a tamper inspection unit that inspects the presence or absence of tampering by comparing the fixed-length value with an expected value stored in advance. The apparatus is configured to output the presence or absence of tampering inspected by the tamper inspection unit and the plaintext generated by the plaintext decryption unit.
  • the encryption system with authentication which is the other form of this invention is: A plaintext input unit for receiving plaintext input; A fixed-length value generating unit that generates a new fixed-length value different from values generated in the past; A mask value generation unit that generates a mask value by encrypting the fixed length value using an adjustment value based on the plaintext; A plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; A tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit, and An encrypted device with authentication for outputting the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit; A ciphertext input unit that accepts input of ciphertext and tags; A mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value; Using the mask value generated by the mask value decryption unit, the plaintext decryption unit that decryption
  • An authenticated encryption method is as follows: accept plaintext input; generate a new fixed-length value that is different from values generated in the past; encrypt the fixed-length value using an adjustment value based on the plaintext to generate a mask value; encrypt the plaintext using the generated mask value to generate a ciphertext; generate a tag by encrypting the generated mask value; and output the ciphertext and the tag.
  • A program, which is another form of the present invention, causes an information processing device to realize: a plaintext input unit that receives plaintext input; a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past; a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext; a plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; and a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit. It is a program for outputting the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit.
  • With the configuration described above, the present invention can provide an authenticated encryption apparatus that solves the problem that it is difficult to efficiently prevent an increase in bandwidth when using an authenticated encryption method.
  • A diagram showing an example of the configuration of the authenticated encryption system composed of the authenticated encryption apparatus and the authenticated decryption apparatus. A schematic block diagram outlining the configuration of the authenticated encryption apparatus according to the third embodiment of the present invention. A schematic block diagram outlining the configuration of the authenticated decryption apparatus according to the fourth embodiment of the present invention. A schematic block diagram outlining the configuration of the authenticated encryption system according to the fourth embodiment of the present invention.
  • FIG. 1 is a block diagram showing an example of the configuration of the encryption device with authentication 1 according to the first embodiment of the present invention.
  • FIG. 2 is a diagram illustrating an example of a checksum calculation method performed by the checksum calculation unit 12 of the authenticated encryption apparatus 1.
  • FIG. 3 is a diagram illustrating an example of an encryption process performed by the adjustment value-added block encryption unit 13 of the authenticated encryption apparatus 1.
  • FIG. 4 is a diagram illustrating another example of the encryption process performed by the adjustment value-added block encryption unit 13 of the authenticated encryption apparatus 1.
  • FIG. 5 is a diagram illustrating an example of the encryption process performed by the encryption unit with mask 14 of the encryption device with authentication 1.
  • FIG. 6 is a diagram illustrating an example of the encryption process performed by the encryption unit with mask 14 of the encryption device with authentication 1.
  • FIG. 7 is a flowchart showing an example of the operation of the authenticated encryption apparatus 1.
  • This embodiment describes an authenticated encryption apparatus 1 that uses a common key cryptosystem to encrypt input plaintext and output the result.
  • The authenticated encryption apparatus 1 in this embodiment is configured to perform an authenticated encryption process.
  • The authenticated encryption apparatus 1 encrypts the input plaintext by a predetermined process, and then outputs the ciphertext obtained by encrypting the plaintext and a tag described later.
  • The authenticated encryption apparatus 1 in the present embodiment is an information processing device having an arithmetic device and a storage device.
  • A program is stored in the storage device, and each unit described later is realized by the arithmetic device reading and executing the program stored in the storage device.
  • The authenticated encryption apparatus 1 includes a plaintext input means 10 (plaintext input unit), an initial vector generation means 11 (fixed-length value generation unit), a checksum calculation means 12 (adjustment value calculation unit), a block encryption means with adjustment value 13 (mask value generation unit), an encryption means with mask 14 (plaintext encryption unit), a tag generation means 15 (tag generation unit), and a ciphertext output means 16.
  • The plaintext input means 10 (plaintext input unit) is a means for inputting the plaintext M to be encrypted.
  • The plaintext input means 10 is composed of a character input device such as a keyboard, for example.
  • The plaintext input means 10 may also be configured to accept the plaintext M from an external device connected via a network, for example.
  • The plaintext M is input via the plaintext input means 10. The plaintext input means 10 then outputs the input plaintext M to the checksum calculation means 12 and the encryption means with mask 14.
  • The initial vector generation means 11 generates the initial vector N so that it does not overlap with values generated in the past. Thereafter, the initial vector generation means 11 outputs the generated initial vector N to the block encryption means with adjustment value 13.
  • The initial vector update function used by the initial vector generation means 11 is not limited to the above example.
  • The initial vector generation means 11 can be configured to use various functions that generate an initial vector N different from values generated in the past. Further, the initial vector generation means 11 may be configured to generate the initial vector N by combining other auxiliary information such as time information. In this case, the auxiliary information used when generating the initial vector N is assumed to be synchronized between the encryption side and the decryption side.
  • The initial vector generation means 11 in this embodiment generates an n-bit initial vector. If the value corresponding to the initial vector is shorter than n bits, the initial vector generation means 11 generates an n-bit initial vector after applying appropriate padding.
  • The checksum calculation means 12 calculates an n-bit checksum SUM (adjustment value) from the plaintext M acquired from the plaintext input means 10 by a simple calculation.
  • FIG. 2 shows an example of the processing by which the checksum calculation means 12 calculates the checksum SUM.
  • The checksum calculation means 12 divides the plaintext M acquired from the plaintext input means 10 into n-bit blocks (M[1], ..., M[m]).
  • The exclusive OR (XOR) of the plaintext blocks is then calculated.
  • The calculation result is the n-bit checksum SUM (adjustment value). Note that when the plaintext M is divided into n-bit blocks in this way, the final block M[m] may be shorter than n bits.
  • In that case, the checksum calculation means 12 calculates the exclusive OR after applying appropriate padding to the final block (see FIG. 2).
  • The checksum calculation means 12 calculates the checksum SUM by such processing, for example. Thereafter, the checksum calculation means 12 outputs the calculated checksum SUM to the block encryption means with adjustment value 13.
  • The checksum calculation means 12 may be configured to calculate the checksum SUM by a process other than the above.
  • The checksum calculation means 12 can be configured to use, for example, arithmetic addition or a cyclic redundancy check (CRC) instead of the exclusive OR.
  • The block encryption means with adjustment value 13 (mask value generation unit; tweakable block encryption unit) encrypts the initial vector N generated by the initial vector generation means 11, using the checksum SUM acquired from the checksum calculation means 12 as the adjustment value (tweak).
  • The block encryption means with adjustment value 13 can be realized by using an ordinary n-bit block cipher.
  • FIG. 3 shows an example of the encryption process performed by the block encryption means with adjustment value 13.
  • The block encryption means with adjustment value 13 includes, for example, an encryption unit 131 that performs encryption using a key K1 and a block cipher E, and a calculation unit 132 that performs a predetermined calculation using a keyed function H with n-bit input and output and a key K2 different from the key K1.
  • As the block cipher E, a general block cipher such as AES (Advanced Encryption Standard) can be adopted, for example. This process is also used in M. Liskov, R. L. Rivest, D. Wagner: Tweakable Block Ciphers. Advances in Cryptology - CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 2002, Proceedings. Lecture Notes in Computer Science 2442, Springer 2002, pp. 31-46.
  • The function H used in the calculation unit 132 takes the checksum SUM and the key K2 as arguments. Therefore, the calculation unit 132 performs its calculation using the checksum SUM acquired from the checksum calculation means 12 and the key K2 stored in advance.
  • After the above processing, the block encryption means with adjustment value 13 calculates the exclusive OR of H(SUM), which is the result of the calculation unit 132, and the initial vector N, and the encryption unit 131 encrypts that result. The block encryption means with adjustment value 13 then calculates the exclusive OR of the result of encryption by the encryption unit 131 and the result of the calculation unit 132, and outputs it as the mask L (mask value).
  • The block encryption means with adjustment value 13 is configured to calculate the mask L by executing the following processing, for example.
  • L = E(H(SUM) + N) + H(SUM)
  • L represents the mask L
  • SUM represents the checksum SUM
  • N represents the initial vector N. + represents a bitwise exclusive OR (the same applies hereinafter).
  • In this way, the block encryption means with adjustment value 13 encrypts the initial vector N and generates the mask L. Thereafter, it outputs the n-bit mask L, which is the result of the encryption, to the encryption means with mask 14 and the tag generation means 15.
  • The block encryption means with adjustment value 13 may be configured to encrypt the initial vector N by a process other than the above.
  • The case where the key K1 and the key K2 are used has been described above.
  • However, the entire key may be a single block cipher key. An example of such a case will be described with reference to the corresponding figure.
  • In that figure, the block encryption means with adjustment value 13 includes, for example, an encryption unit 133 that performs encryption using a key K1 and a block cipher E, a calculation unit 134 that multiplies the element 2 of the Galois field GF(2^n) by the result of encryption by an encryption unit 135 described later, and the encryption unit 135, which encrypts the checksum SUM using the key K1 and the block cipher E.
  • The block encryption means with adjustment value 13 calculates the exclusive OR of mul(2, E(SUM)), which is the result of the calculation unit 134, and the initial vector N.
  • The encryption unit 133 encrypts that result.
  • The block encryption means with adjustment value 13 then calculates the exclusive OR of the result of encryption by the encryption unit 133 and the result of the calculation unit 134, and outputs it as the mask L.
  • The block encryption means with adjustment value 13 can be configured to calculate the mask L by executing the following processing, for example.
  • L = E(mul(2, E(SUM)) + N) + mul(2, E(SUM))
  • mul(2, E(SUM)) represents multiplication of the element 2 of the Galois field GF(2^n) and E(SUM).
  • The encryption means with mask 14 (plaintext encryption unit) generates the ciphertext C by encrypting the plaintext M acquired from the plaintext input means 10 using the mask L acquired from the block encryption means with adjustment value 13. For example, the encryption means with mask 14 encrypts each block (M[1] to M[m]) obtained by dividing the plaintext M into n-bit units. From the viewpoint of security, the encryption means with mask 14 is assumed to encrypt in such a way that, when a ciphertext C' different from the ciphertext C is decrypted with the same mask L, at least one block of the decryption result is, with high probability, an unpredictable random number to anyone who does not know the key.
  • FIG. 5 shows an example of the processing by which the encryption means with mask 14 encrypts the plaintext M[i] (where i is any value from 1 to m-1) when the plaintext M is a sequence of n-bit blocks (M[1], ..., M[m]).
  • The encryption means with mask 14 includes, for example, a calculation unit 141 that multiplies the mask L by the constant 2 of the Galois field raised to the i-th power (for the plaintext M[i]; i is the value corresponding to the position of the plaintext block), and an encryption unit 142 that performs encryption using the key K1 and the block cipher E.
  • The calculation unit 141 multiplies the mask L by the power of 2 on the Galois field (the exponent i is the value indicating the position of the plaintext block). The encryption means with mask 14 then calculates the exclusive OR of mul(2^i, L), which is the result of the calculation unit 141, and the plaintext M[i], and the encryption unit 142 encrypts that result. Finally, the encryption means with mask 14 calculates the exclusive OR of the result of encryption by the encryption unit 142 and the result of the calculation unit 141, and outputs it.
  • The encryption means with mask 14 is configured to encrypt the plaintext M[i] and output the ciphertext C[i] by executing the following processing, for example.
  • C[i] = E(mul(2^i, L) + M[i]) + mul(2^i, L)
  • C[i] represents the ciphertext C[i]
  • M[i] represents the plaintext M[i].
  • The encryption means with mask 14 performs the above encryption for the plaintext blocks M[1] to M[m-1] (see FIG. 6). The final block M[m], when the plaintext M is divided into n-bit blocks, may be shorter than n bits. Therefore, for example, as shown below, the encryption means with mask 14 outputs the exclusive OR of the result of encrypting a constant and the plaintext M[m] as the ciphertext C[m] (see FIG. 6).
  • C [m] msb_
  • msb_a (X) is a function for extracting the front a bits of X.
  • is a function representing the bit length of X. That is, msb_
  • The ciphertext C[m] is generated by calculating the exclusive OR of the value extracted by the above process and M[m].
  • In this way, the encryption means with mask 14 encrypts the plaintext M input to the plaintext input means 10 to generate the ciphertext C. Thereafter, the encryption means with mask 14 outputs the generated ciphertext C to the ciphertext output means 16.
  • When the block encryption means with adjustment value 13 uses the following process described above:
  • L = E(mul(2, E(SUM)) + N) + mul(2, E(SUM))
  • the encryption means with mask 14 needs to use constants different from those of the block encryption means with adjustment value 13. This can be realized, for example, by using mul(2^(i+1), L) in place of mul(2^i, L). That is, in this case, the calculation unit 141 is configured, for example, to multiply the mask L by 2^(i+1).
  • the tag generation unit 15 (tag generation unit) generates a tag T using the mask L acquired from the block encryption unit 13 with adjustment value.
  • the tag T is decrypted into a mask L by a decryption device and used for message authentication and decryption of the ciphertext C.
  • the tag generation unit 15 generates the tag T by encrypting the mask L using a block cipher such as AES. Thereafter, the tag generation unit 15 outputs the generated tag T to the ciphertext output unit 16.
  • the ciphertext output means 16 concatenates the ciphertext C output from the masked encryption means 14 and the tag T output from the tag generation means 15 and outputs the result to an external device.
  • the ciphertext output unit 16 is connected to, for example, a display device or a printer device, and outputs the ciphertext C and the tag T to the display device or the printer device. Note that the ciphertext output unit 16 may be configured to output the ciphertext C and the tag T to an external device connected via a network, for example.
  • The plaintext M is input to the plaintext input means 10 (step S101). The plaintext input means 10 then outputs the input plaintext M to the checksum calculation means 12 and the encryption means with mask 14.
  • The checksum calculation means 12 calculates the checksum SUM from the plaintext M (step S102). Specifically, for example, the checksum calculation means 12 calculates the checksum SUM as the exclusive OR of the plaintext blocks obtained by dividing the plaintext M acquired from the plaintext input means 10 into n-bit blocks. Thereafter, the checksum calculation means 12 outputs the calculated checksum SUM to the block encryption means with adjustment value 13.
  • The initial vector generation means 11 generates an initial vector that does not overlap with any value it has generated in the past. The initial vector generation means 11 then outputs the generated initial vector to the block encryption means with adjustment value 13.
  • The block encryption means with adjustment value 13 encrypts the initial vector N generated by the initial vector generation means 11, using the checksum SUM received from the checksum calculation means 12 as the adjustment value.
  • The block encryption means with adjustment value 13 thereby generates the mask L (step S103).
  • The block encryption means with adjustment value 13 outputs the generated mask L to the encryption means with mask 14 and the tag generation means 15.
  • The encryption means with mask 14, having acquired the plaintext M from the plaintext input means 10 and the mask L from the block encryption means with adjustment value 13, encrypts the plaintext M using the mask L to generate the ciphertext C (step S104). Specifically, the encryption means with mask 14 encrypts the plaintext M into the ciphertext C by performing a process represented by the following formula, for example.
  • The tag generation means 15, having acquired the mask L from the block encryption means with adjustment value 13, generates the tag T by encrypting the mask L (step S105).
  • The tag generation means 15 generates the tag T by encrypting the mask L using a block cipher such as AES, for example. Thereafter, the tag generation means 15 outputs the generated tag T to the ciphertext output means 16.
  • The ciphertext output means 16 acquires the ciphertext C from the encryption means with mask 14 and the tag T from the tag generation means 15, and concatenates them. The ciphertext output means 16 then outputs the ciphertext C and the tag T to an external device such as a display device (step S106).
  • As described above, the authenticated encryption apparatus 1 includes the plaintext input means 10, the initial vector generation means 11, the checksum calculation means 12, the block encryption means with adjustment value 13, the encryption means with mask 14, and the tag generation means 15.
  • The checksum calculation means 12 can calculate the checksum SUM based on the plaintext M input via the plaintext input means 10.
  • The block encryption means with adjustment value 13 can generate the mask L by encrypting the initial vector generated by the initial vector generation means 11 using the checksum SUM as the adjustment value.
  • The encryption means with mask 14 can generate the ciphertext C by encrypting the plaintext M using the mask L.
  • generation means 15 can produce
  • The ciphertext output means 16 can output the generated ciphertext C and the tag T.
  • The decryption device that has received the ciphertext C and the tag T can generate the mask L by decrypting the tag T. The decryption device can then decrypt the ciphertext C into the plaintext M using the generated mask L, and can calculate the checksum SUM based on the decrypted plaintext M.
  • The decryption device can generate the initial vector N by decrypting the mask L using the mask L and the checksum SUM. As a result, the decryption device can detect the presence or absence of tampering by comparing the generated initial vector N with the expected value of the initial vector.
  • The decryption side can thus decrypt the ciphertext C to generate the plaintext M and can perform message authentication. That is, with the above configuration, the tag T and the initial vector N can be combined, which makes it possible to realize an authenticated cipher that transmits only the ciphertext C and the tag T, both generated by simple calculation processing. As a result, it is possible to efficiently prevent an increase in bandwidth when using the authenticated encryption method.
  • The case where the authenticated encryption apparatus 1 uses ECB (Electronic CodeBook) mode has been described above.
  • However, the authenticated encryption apparatus 1 may be configured to use, for example, CBC (Cipher Block Chaining) mode.
  • FIG. 8 is a block diagram showing an example of the configuration of the decryption apparatus 2 with authentication according to the second embodiment of the present invention.
  • FIG. 9 is a flowchart showing an example of the operation of the authenticating decryption apparatus 2.
  • the ciphertext C and the tag T output from the authenticated encryption apparatus 1 described in the first embodiment are decrypted to generate plaintext M and detect the presence / absence of tampering.
  • the authenticating decryption apparatus 2 will be described.
  • the decryption apparatus 2 with authentication in the present embodiment is an information processing apparatus having an arithmetic device and a storage device.
  • a program is stored in the storage device, and each unit to be described later is realized by the arithmetic device reading and executing the program stored in the storage device.
  • the decryption apparatus with authentication 2 includes a ciphertext input unit 20 (ciphertext input unit), a mask generation unit 21 (mask value calculation unit), a decryption unit with mask 22 (plaintext decryption unit), a checksum calculation unit 23 (adjustment value calculation unit), an adjustment value-added block decoding unit 24 (initial vector generation unit), an initial vector check unit 25 (initial vector check unit), and a plaintext output unit 26.
  • the ciphertext input unit 20 (ciphertext input unit) is a unit for inputting the ciphertext C and the tag T to be decrypted.
  • the ciphertext input means 20 is configured by a character input device such as a keyboard, for example.
  • the ciphertext input unit 20 may be configured to be able to input the ciphertext C and the tag T from an external device connected via a network or the like, for example.
  • the ciphertext C and the tag T are input via the ciphertext input means 20.
  • the ciphertext input unit 20 to which the ciphertext C and the tag T are input outputs the input tag T to the mask generation unit 21 and outputs the ciphertext C to the masked decryption unit 22.
  • the mask generation unit 21 (mask value calculation unit) generates a mask L using the tag T acquired from the ciphertext input unit 20. For example, the mask generation unit 21 generates the mask L by decrypting the tag T using the block cipher decryption function used in the tag generation unit 15 described in the first embodiment. Thereafter, the mask generating means 21 outputs the generated mask L to the masked decoding means 22 and the adjustment value added block decoding means 24.
  • the masked decryption means 22 decrypts the ciphertext C acquired from the ciphertext input means 20 using the mask L acquired from the mask generation means 21 to generate plaintext M.
  • the decryption unit with mask 22 generates the plaintext M by decrypting the ciphertext C by performing the inverse function D of the encryption unit with mask 14 described in the first embodiment.
  • M[i] = D(mul(2^i, L) + C[i]) + mul(2^i, L)
  • the decryption means 22 with mask executes, for example, the following process to decrypt the final block C [m] of the ciphertext C.
  • M [m] msb_
  • the decryption means 22 with mask decrypts the ciphertext C input to the ciphertext input means 20 to generate plaintext M. Thereafter, the masked decryption means 22 outputs the generated plaintext M to the checksum calculation means 23 and the plaintext output means 26.
  • the checksum calculator 23 calculates an n-bit checksum SUM from the plaintext M acquired from the masked decryptor 22 by simple calculation. Thereafter, the checksum calculation means 23 outputs the calculated checksum SUM to the block decoding means 24 with adjustment value.
  • the checksum calculation means 23 calculates the checksum SUM by the same process as the checksum calculation means 12 described in the first embodiment.
  • the detailed description of the checksum SUM calculation process performed by the checksum calculation means 23 is the same as that already performed in the first embodiment, and therefore will be omitted.
  • the adjustment value added block decoding means 24 (initial vector generation section) generates the initial vector N by decrypting the mask L using the checksum SUM acquired from the checksum calculation means 23 as the adjustment value (tweak). Specifically, the adjustment value added block decoding means 24 applies the inverse function of the block encryption unit with adjustment value 13 described in the first embodiment, thereby decrypting the mask L and generating the initial vector N. Thereafter, the adjustment value added block decoding means 24 outputs the generated initial vector N to the initial vector checking unit 25.
  • the adjustment value-added block decrypting means 24 can be realized by using a normal n-bit block cipher as with the adjustment value-added block encryption means 13.
  • the initial vector check unit 25 compares the initial vector N acquired from the block decryption unit 24 with adjustment value against the initial vector expected value N*, which is the initial vector value that the decryption side expects for the pair of the ciphertext C and the tag T, to detect the presence or absence of tampering.
  • the initial vector checking means 25 outputs the verification result B (ACK if the test passes, NCK if the test fails) after comparing the initial vector N with the initial vector expected value N*, and, as necessary, generates the initial vector expected value N*_new used in the next inspection.
  • the initial vector checking means 25 compares the initial vector N and the initial vector expected value N * by the above processing, for example, and outputs the verification result B, which is the comparison result, to the plaintext output means 26. Further, the initial vector checking means 25 updates the initial vector expected value N * when the test is passed.
  • the method of comparison verification performed by the initial vector inspection unit 25 is not limited to the case described above.
  • the initial vector checking unit 25 may be configured to store a threshold value t in advance in a storage unit (not shown) and to determine that the test has passed if the absolute value of the difference between the initial vector N and the initial vector expected value N* is within the threshold value t. With this configuration, the initial vector checking unit 25 can cope with information loss such as packet loss on the communication path.
  • the success probability of an attacker who performs tampering, that is, the probability that the value of the initial vector N obtained when an illegitimate ciphertext is decrypted happens to be close to the initial vector expected value N*, is approximately t / 2^n. Therefore, by making t sufficiently small, it becomes possible to detect tampering with high probability while dealing with information loss.
  • the plaintext output means 26 outputs the plaintext M acquired from the masked decryption means 22 and the verification result B acquired from the initial vector check means 25 to an external device.
  • the plaintext output means 26 is connected to, for example, a display device or a printer device, and outputs the plaintext M and the verification result B to the display device or printer device.
  • the plaintext output means 26 outputs the verification result B while outputting the plaintext M as an empty string.
  • the plaintext output unit 26 outputs the verification result B and the plaintext M to an external device.
  • the plaintext output means 26 may be configured to output the verification result B and the plaintext M regardless of the verification result B.
  • the ciphertext C and the tag T are input to the ciphertext input means 20 (step S201). Then, the ciphertext input means 20 transmits the input tag T to the mask generation means 21 and transmits the ciphertext C to the masked decryption means 22.
  • the mask generation means 21 decodes the tag T and generates a mask L (step S202). Specifically, for example, the mask generation unit 21 generates the mask L by decrypting the tag T using the block cipher decryption function used in the tag generation unit 15 described in the first embodiment. Then, the mask generation unit 21 outputs the generated mask L to the masked decoding unit 22 and the adjustment value-added block decoding unit 24.
  • the ciphertext C acquired from the ciphertext input means 20 is decrypted using the mask L to generate plaintext M (step S203).
  • the masked decryption means 22 decrypts the ciphertext C into plaintext M by performing the processing represented by the following equation.
  • M[i] = D(mul(2^i, L) + C[i]) + mul(2^i, L)
  • the masked decryption means 22 outputs the generated plaintext M to the checksum calculation means 23 and the plaintext output means 26.
  • the checksum calculation means 23 calculates a checksum SUM from the acquired plaintext M (step S204). Specifically, for example, the checksum calculation means 23 calculates the checksum SUM by calculating the exclusive OR of each plaintext block when the plaintext M is divided into blocks of n bits. Then, the checksum calculation means 23 outputs the calculated checksum SUM to the block decoding means 24 with adjustment value.
  • the adjustment value-added block decoding unit 24 acquires the checksum SUM calculated by the checksum calculation unit 23. Then, the adjustment value-added block decoding unit 24 decodes the mask L using the checksum SUM calculated by the checksum calculation unit 23 as an adjustment value to generate an initial vector N (step S205). For example, this process is executed by performing the inverse function of the block encryption means 13 with adjustment value. Thereafter, the adjustment value-added block decoding unit 24 outputs the generated initial vector N to the initial vector checking unit 25.
  • the initial vector checking unit 25 acquires the initial vector N from the adjustment value-added block decoding unit 24
  • the initial vector checking unit 25 determines whether or not the initial vector N and the initial vector expected value N* stored in advance match (step S206).
  • the plaintext output means 26 outputs the plaintext M and the verification result B (step S208).
  • the decryption apparatus with authentication 2 decrypts the ciphertext C into the plaintext M and detects the presence or absence of tampering.
  • the decryption apparatus with authentication 2 in this embodiment includes the ciphertext input unit 20, the mask generation unit 21, the decryption unit 22 with the mask, the checksum calculation unit 23, the block decryption unit 24 with the adjustment value, the initial vector checking means 25, and the plaintext output means 26.
  • the mask generation unit 21 can generate the mask L by decrypting the tag T input via the ciphertext input unit 20.
  • the decryption means with mask 22 can generate plaintext M by decrypting the ciphertext C input via the ciphertext input means 20 using the mask L.
  • the checksum calculation means 23 can calculate the checksum SUM based on the plaintext M, and the adjustment value added block decoding means 24 can decrypt the mask L into the initial vector N using the checksum SUM as the adjustment value.
  • the initial vector checking means 25 can detect the presence or absence of falsification by comparing the initial vector N and the initial vector expected value N *.
  • the decryption apparatus with authentication 2 has been described.
  • the present invention may be realized by an authenticated encryption system that uses the authenticated encryption apparatus 1 and the authenticated decryption apparatus 2 described in the first embodiment at the same time.
  • the configurations of the encryption device with authentication 1 and the decryption device with authentication 2 are the same as those already described, and will be omitted.
  • an authenticated encryption device 3 that encrypts and outputs an input plaintext
  • the encryption device with authentication 3 in the present embodiment is configured to output a ciphertext obtained by encrypting a plaintext and a tag.
  • an outline of the configuration of the encryption device with authentication 3 will be described.
  • the authenticated encryption apparatus 3 includes a plaintext input unit 31, a fixed length value generation unit 32, a mask value generation unit 33, a plaintext encryption unit 34, and a tag generation unit 35.
  • the plaintext input unit 31 receives plaintext input.
  • the fixed length value generation unit 32 generates a new fixed length value that is different from the value generated by the fixed length value generation unit 32 in the past.
  • the mask value generation unit 33 encrypts the fixed length value generated by the fixed length value generation unit 32 using the adjustment value based on the plain text received by the plain text input unit 31, and generates a mask value. That is, the mask value generation unit 33 acquires plaintext from the plaintext input unit 31. Further, the mask value generation unit 33 acquires a fixed length value from the fixed length value generation unit 32. Then, the mask value generation unit 33 generates a mask value by encrypting the fixed length value using an adjustment value based on plain text.
  • the plaintext encryption unit 34 encrypts the plaintext using the mask value generated by the mask value generation unit 33 to generate a ciphertext. That is, the plaintext encryption unit 34 acquires the mask value from the mask value generation unit 33. The plaintext encryption unit 34 acquires plaintext from the plaintext input unit 31. Then, the plaintext encryption unit 34 encrypts the plaintext using the mask value and generates a ciphertext.
  • the tag generation unit 35 encrypts the mask value generated by the mask value generation unit 33 and generates a tag. That is, when the tag generation unit 35 acquires a mask value from the mask value generation unit 33, the tag generation unit 35 encrypts the acquired mask value and generates a tag.
  • the encryption device with authentication 3 outputs the ciphertext encrypted by the plaintext encryption unit 34 and the tag generated by the tag generation unit 35.
  • the encryption device with authentication 3 includes the plaintext input unit 31, the fixed length value generation unit 32, the mask value generation unit 33, the plaintext encryption unit 34, and the tag generation unit 35.
  • the mask value generation unit 33 can generate a mask value by encrypting the fixed length value generated by the fixed length value generation unit 32 using the adjustment value based on the plaintext input to the plaintext input unit 31.
  • the plaintext encryption unit 34 can generate a ciphertext by encrypting the plaintext using the mask value.
  • generation part 35 can produce
  • the encryption device with authentication 3 can output a ciphertext and a tag.
  • the decryption side that has received the ciphertext and the tag can decrypt the tag and generate a mask value.
  • the plaintext can be generated by decrypting the ciphertext using the mask value. Then, it is possible to generate a fixed length value by decrypting the mask value using the adjustment value based on the plain text.
  • the decoding side can detect the presence or absence of tampering by comparing the generated fixed length value with the expected value that is the expected fixed length value.
  • the decryption side can decrypt the ciphertext to generate plaintext and perform message authentication. That is, with the above-described configuration, it is possible to perform processing that combines a tag and a fixed-length value, and it is possible to realize authenticated encryption that transmits only a ciphertext and a tag that are generated by simple calculation processing. As a result, it is possible to efficiently prevent an increase in bandwidth when using the authenticated encryption method.
  • a program according to another embodiment of the present invention includes a plaintext input unit 31 that receives plaintext input and a fixed length value that generates a new fixed length value that is different from a value generated in the past.
  • the plaintext is encrypted using the generation unit 32, the mask value generation unit 33 that generates a mask value by encrypting the fixed length value using the adjustment value based on the plaintext, and the mask value generated by the mask value generation unit 33.
  • a plaintext encryption unit 34 that generates a ciphertext and a tag generation unit 35 that encrypts the mask value generated by the mask value generation unit 33 and generates a tag
  • the plaintext encryption unit 34 performs encryption. This is a program that outputs the encrypted text and the tag generated by the tag generation unit 35.
  • the authenticated encryption method executed by operating the above-described authenticated encryption apparatus 3 accepts plaintext input, generates a new fixed length value different from the values generated in the past, encrypts the fixed length value using an adjustment value based on the plaintext to generate a mask value, encrypts the plaintext using the generated mask value to generate a ciphertext, encrypts the generated mask value to generate a tag, and outputs the ciphertext and the tag.
  • a decryption apparatus with authentication 4 that acquires a ciphertext and a tag, decrypts the ciphertext to generate plaintext, and detects the presence or absence of tampering.
  • an outline of the configuration of the decryption apparatus 4 with authentication will be described.
  • the decryption apparatus 4 with authentication in the present embodiment includes a ciphertext input unit 41, a mask value decryption unit 42, a plaintext decryption unit 43, a fixed length decryption unit 44, and a falsification inspection unit 45.
  • the ciphertext input unit 41 receives an input of a ciphertext and a tag to be decrypted.
  • the mask value decryption unit 42 decrypts the tag input to the ciphertext input unit 41 to generate a mask value. That is, the mask value decryption unit 42 acquires a tag from the ciphertext input unit 41. Then, the mask value decoding unit 42 generates a mask value by decoding the tag.
  • the plaintext decryption unit 43 decrypts the ciphertext using the mask value generated by the mask value decryption unit 42 to generate plaintext. That is, the plaintext decryption unit 43 acquires the mask value from the mask value decryption unit 42. The plaintext decryption unit 43 acquires the ciphertext from the ciphertext input unit 41. The plaintext decryption unit 43 then decrypts the ciphertext using the mask value to generate plaintext.
  • the fixed-length value decoding unit 44 generates a fixed-length value by decoding the mask value using an adjustment value based on plain text. That is, the fixed length value decoding unit 44 uses the adjustment value based on the plaintext generated by the plaintext decoding unit 43 to decode the mask value generated by the mask value decoding unit 42 to generate a fixed length value.
  • the falsification inspection unit 45 inspects whether or not falsification has occurred by comparing the fixed length value with the expected value stored in advance. That is, the falsification inspection unit 45 compares the fixed length value generated by the fixed length value decoding unit 44 with the expected value stored in advance. Thereby, the tampering inspection unit 45 inspects whether or not tampering has occurred.
  • the decryption apparatus with authentication 4 includes the ciphertext input unit 41, the mask value decryption unit 42, the plaintext decryption unit 43, the fixed length decryption unit 44, and the falsification inspection unit 45.
  • the mask value decryption unit 42 can decrypt the tag input via the ciphertext input unit 41 and generate a mask value.
  • the plaintext decryption unit 43 can decrypt the ciphertext input via the ciphertext input unit 41 using the mask value to generate plaintext.
  • the fixed length value decoding unit 44 can generate a fixed length value by decoding the mask value using the adjustment value based on the plain text.
  • the tampering inspection unit 45 can detect the presence or absence of tampering by comparing the fixed length value with the expected value.
  • the above-described decryption apparatus with authentication 4 can be realized by incorporating a predetermined program into the information processing apparatus.
  • a program according to another embodiment of the present invention is input to the information processing apparatus into the ciphertext input unit 41 that receives an input of a ciphertext and a tag to be decrypted, and the ciphertext input unit 41.
  • a mask value decryption unit 42 that decrypts the tag to generate a mask value
  • a plaintext decryption unit 43 that decrypts the ciphertext using the mask value generated by the mask value decryption unit 42
  • a plaintext Using the adjustment value the fixed-length value decoding unit 44 that decodes the mask value to generate a fixed-length value
  • the tampering inspection that checks the presence or absence of tampering by comparing the fixed-length value with the expected value stored in advance
  • the plaintext generated by the plaintext decryption unit 43 are output.
  • the authenticated decryption method executed by operating the above-described decryption apparatus with authentication 4 accepts input of a ciphertext and a tag to be decrypted, decrypts the tag to generate a mask value, decrypts the ciphertext using the mask value to generate plaintext, decrypts the mask value using the adjustment value based on the plaintext to generate a fixed length value, inspects the presence or absence of tampering by comparing the fixed length value with the expected value stored in advance, and outputs the presence or absence of tampering and the plaintext.
  • the above-described object of the present invention can be achieved because it has the same operation as the decryption apparatus 4 with authentication.
  • the authenticated cryptographic system uses, for example, a plaintext input unit 31 that accepts input of plaintext, a fixed-length value generation unit 32 that generates a new fixed-length value different from a value generated in the past, and an adjustment value based on plaintext. Then, a mask value generation unit 33 that generates a mask value by encrypting a fixed length value, and a plaintext encryption unit 34 that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit 33.
  • a tag generation unit 35 that encrypts the mask value generated by the mask value generation unit 33 and generates a tag, and a ciphertext encrypted by the plaintext encryption unit 34 and a tag generated by the tag generation unit 33 ,
  • the ciphertext input unit 41 that receives the input of the ciphertext and the tag output from the authenticated encryption device 3, and the tag input to the ciphertext input unit 41 is decrypted Mask value to calculate the mask value
  • the decryption unit 42, the plaintext decryption unit 43 that decrypts the ciphertext using the mask value calculated by the mask value decryption unit 42, and the adjustment value based on the plaintext, decrypts the mask value
  • a fixed-length value decoding unit 44 that generates a fixed-length value
  • a falsification inspection unit 45 that inspects whether or not falsification has occurred by comparing the fixed-length value with a pre-stored expected value.
  • a decryption device with authentication 4 that outputs the presence / absence of
  • (Appendix 2) The encryption apparatus with authentication according to attachment 1, wherein An adjustment value calculation unit that calculates the adjustment value of a fixed length from the plaintext input to the plaintext input unit;
  • the encryption apparatus with authentication configured to generate the mask value by encrypting the fixed length value using the adjustment value calculated by the adjustment value calculation unit.
  • the encryption device with authentication according to attachment 2 wherein The adjustment value calculation unit is configured to calculate the adjustment value by calculating an exclusive OR of each block when the plaintext input to the plaintext input unit is divided into blocks having a predetermined length. Encryption device.
  • the encryption device with authentication according to any one of appendices 1 to 3 The plaintext encryption unit includes a value of a plaintext block that is one of blocks when the plaintext is divided into blocks of a predetermined length, a constant of a finite field according to the order of the plaintext blocks in the plaintext, and the mask After calculating the exclusive OR of the multiplication value, which is a value obtained by multiplying the value, encryption is performed using a predetermined block cipher, and the exclusive OR of the encryption result and the multiplication value is calculated.
  • an authenticated encryption apparatus configured to encrypt the plaintext and generate the ciphertext.
  • the encryption device with authentication according to attachment 4 wherein The plaintext encryption unit is a value calculated based on the result of encrypting a final block, which is the last block when the plaintext is divided into blocks of a predetermined length, and a finite field constant corresponding to the final block. And an encryption device with authentication configured to perform encryption by calculating an exclusive OR of the value and the value of the last block of the plaintext.
  • a ciphertext input unit that accepts input of a ciphertext and a tag to be decrypted;
  • a mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value;
  • a plaintext decryption unit that decrypts the ciphertext and generates a plaintext using the mask value generated by the mask value decryption unit;
  • a fixed length decoding unit that generates a fixed length value by decoding the mask value using an adjustment value based on the plaintext;
  • a tamper inspection unit that inspects the presence or absence of tampering by comparing the fixed length value and the expected value stored in advance,
  • a decryption apparatus with authentication configured to output the presence / absence of falsification inspected by the falsification inspection unit and the plaintext generated by the plaintext decryption unit.
  • the decryption apparatus with authentication according to appendix 7 is a decryption apparatus with authentication for inspecting whether or not tampering has occurred based on an absolute value of a difference between the fixed length value and an expected value stored in advance and a threshold stored in advance.
  • a plaintext input unit for receiving plaintext input; A fixed-length value generating unit that generates a new fixed-length value different from values generated in the past; A mask value generation unit that generates a mask value by encrypting the fixed length value using an adjustment value based on the plaintext; A plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; A tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit, and An encrypted device with authentication for outputting the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit; A ciphertext input unit that accepts input of ciphertext and tags; A mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value; Using the mask value generated by the mask value decryption unit, the plaintext decryption unit that decrypts the ciphertext that the ciphertext
  • (Appendix 9-2) Accepts plaintext input, Generate a new fixed length value that is different from the value generated in the past, Using the adjustment value based on the plaintext, the fixed length value is encrypted to generate a mask value, Using the generated mask value, the plaintext is encrypted to generate a ciphertext, A tag is generated by encrypting the generated mask value, Outputting the ciphertext and the tag; Accepting the input of the ciphertext and the tag, Decoding the tag to generate the mask value; Using the mask value, decrypt the ciphertext to generate the plaintext, Using the adjustment value based on the plaintext, the mask value is decrypted to generate the fixed length value, Inspecting the presence or absence of tampering by comparing the fixed length value and the expected value stored in advance, An authenticated cryptographic processing method for outputting the presence / absence of alteration and the plaintext.
  • a plaintext input unit for receiving plaintext input;
  • a fixed-length value generating unit that generates a new fixed-length value different from values generated in the past;
  • a mask value generation unit that generates a mask value by encrypting the fixed length value using an adjustment value based on the plaintext;
  • a plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; Realizing a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit;
  • a program for outputting a ciphertext encrypted by the plaintext encryption unit and a tag generated by the tag generation unit.
  • a ciphertext input unit that accepts input of a ciphertext and a tag to be decrypted;
  • a mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value;
  • a plaintext decryption unit that decrypts the ciphertext and generates a plaintext using the mask value generated by the mask value decryption unit;
  • a fixed length decoding unit that generates a fixed length value by decoding the mask value using an adjustment value based on the plaintext; Realizing a falsification inspection unit that inspects the presence or absence of falsification by comparing the fixed length value with an expected value stored in advance;
  • the programs described in the above embodiments and supplementary notes are stored in a storage device or recorded on a computer-readable recording medium.
  • the recording medium is a portable medium such as a flexible disk, an optical disk, a magneto-optical disk, and a semiconductor memory.
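The encryption side and the decryption steps S201 to S206 described above, traced end to end as an added example that is not code from the patent or the applicant. It shows that only C and T are transmitted and that the receiver recovers N and compares it with N*, optionally within the threshold t. Assumptions: an HMAC-SHA256 Feistel network stands in for both the block cipher and the block cipher with adjustment value, the labels `b"iv"`, `b"blk"` and `b"tag"`, the GF(2^128) reduction constant 0x87, block indices starting at 1, and plaintext limited to whole 16-byte blocks because the final-block formula is cut off on the page.

```python
import hashlib
import hmac

BLOCK = 16          # n = 128 bits
HALF = BLOCK // 2


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, tweak, rnd, half):
    # Feistel round function (stand-in): HMAC-SHA256 over round index, tweak, half block.
    return hmac.new(key, bytes([rnd]) + tweak + half, hashlib.sha256).digest()[:HALF]


def tbc_encrypt(key, tweak, block, rounds=8):
    """Stand-in tweakable block cipher; a fixed tweak gives an ordinary block cipher."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(rounds):
        left, right = right, xor(left, _f(key, tweak, rnd, right))
    return left + right


def tbc_decrypt(key, tweak, block, rounds=8):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(rounds)):
        left, right = xor(right, _f(key, tweak, rnd, left)), left
    return left + right


def double(block):
    """Multiply by 2 in GF(2^128); applying it i times to L gives mul(2^i, L)."""
    value = int.from_bytes(block, "big") << 1
    if value >> 128:
        value = (value & ((1 << 128) - 1)) ^ 0x87
    return value.to_bytes(BLOCK, "big")


def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("this sketch handles whole blocks only")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def checksum(blocks):
    """SUM: exclusive OR of all n-bit plaintext blocks."""
    total = bytes(BLOCK)
    for block in blocks:
        total = xor(total, block)
    return total


def encrypt(key, nonce, plaintext):
    """Return (C, T); the initial vector N itself is never transmitted."""
    blocks = split_blocks(plaintext)
    mask = tbc_encrypt(key, b"iv" + checksum(blocks), nonce)    # L, tweak = SUM
    delta, out = mask, []
    for block in blocks:
        delta = double(delta)                                   # mul(2^i, L)
        out.append(xor(tbc_encrypt(key, b"blk", xor(delta, block)), delta))
    return b"".join(out), tbc_encrypt(key, b"tag", mask)        # T = E(L)


def decrypt(key, expected_nonce, ciphertext, tag, threshold=0):
    """Steps S202 to S206. Returns (M, passed, N); M is empty when the check fails."""
    mask = tbc_decrypt(key, b"tag", tag)                        # S202: L = D(T)
    delta, blocks = mask, []
    for block in split_blocks(ciphertext):                      # S203
        delta = double(delta)
        blocks.append(xor(tbc_decrypt(key, b"blk", xor(delta, block)), delta))
    nonce = tbc_decrypt(key, b"iv" + checksum(blocks), mask)    # S204, S205
    diff = abs(int.from_bytes(nonce, "big") - int.from_bytes(expected_nonce, "big"))
    passed = diff <= threshold                                  # S206: |N - N*| <= t
    return (b"".join(blocks) if passed else b""), passed, nonce


if __name__ == "__main__":
    key = b"\x01" * 16                       # constructed sample key
    n = (5).to_bytes(BLOCK, "big")           # constructed counter-style initial vector
    c, t = encrypt(key, n, b"A" * 16 + b"B" * 16)
    print(decrypt(key, n, c, t)[1])                              # untouched message
    print(decrypt(key, n, bytes([c[0] ^ 1]) + c[1:], t)[1])      # one ciphertext bit flipped
```

Because any change to C or T changes either the recovered mask or the recomputed checksum, the recovered N is effectively random, which is why the acceptance window t has to stay small relative to 2^n.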

Abstract

An authenticated encryption apparatus comprises: a plain text input unit that receives the input of a plain text; a fixed length value generation unit that generates a new fixed length value different from the values generated in the past; a mask value generation unit that encrypts, by use of an adjustment value based on the plain text, the fixed length value, thereby generating a mask value; a plain text encryption unit that encrypts, by use of the mask value generated by the mask value generation unit, the plain text, thereby generating a cipher text; and a tag generation unit that encrypts the mask value generated by the mask value generation unit, thereby generating a tag. The authenticated encryption apparatus outputs both the cipher text, which has been encrypted by the plain text encryption unit, and the tag generated by the tag generation unit.

Description

Authenticated encryption apparatus, authenticated decryption apparatus, authenticated encryption system, authenticated encryption method, program
The present invention relates to an authenticated encryption apparatus, an authenticated decryption apparatus, an authenticated encryption system, an authenticated encryption method, and a program that provide both confidentiality of content and detection of unauthorized tampering.
Encryption technology that encrypts plaintext is known to be used for purposes such as ensuring security in communications.
For example, Patent Document 1 is known as an encryption technique. In the technique described in Patent Document 1, a shared-key block cipher application key is generated from an encryption key serving as a shared secret key and an initial vector, and the plaintext is encrypted with that shared-key block cipher application key. Data obtained by concatenating the generated ciphertext and the initial vector is then transmitted. According to Patent Document 1, this method makes it possible to encrypt plaintext while preventing cryptanalysis such as differential power analysis.
As another example of an encryption technique, Patent Document 2 is known. Patent Document 2 describes a probabilistic symmetric encryption method comprising a step of encoding plaintext using an error correction code, a step of encrypting the encoded codeword based on the encoded plaintext, a secret key, and a random vector, and a step of adding a noise vector to the encrypted codeword. According to Patent Document 2, this method achieves secure encryption at low cost.
As so-called authenticated encryption (AE) techniques, which use a secret key shared in advance to simultaneously apply encryption to a plaintext message and compute an authentication tag for tampering detection, the techniques of Non-Patent Document 1 and Non-Patent Document 2 are known. According to Non-Patent Documents 1 and 2, an encryption function parameterized by the secret key generates, from an initial vector and the plaintext, a ciphertext and a tag, which is a fixed-length variable for tampering detection. That is, if the secret key is K, the plaintext is M, the initial vector is N, the encryption function parameterized by the key K is AEnc_K, the ciphertext is C, and the tag is T, the following processing is performed.
(C, T) = AEnc_K(N, M)
In Non-Patent Documents 1 and 2, after the above processing, the generated ciphertext C, the tag T, and the initial vector N are transmitted to the other party (the decryption apparatus). The decryption apparatus that receives them then uses the received values and the decryption function ADec_K to detect whether tampering has occurred and to decrypt the plaintext M. The initial vector N is assumed to be generated so that values never coincide by chance.
As another AE technique, Non-Patent Document 3 is known. Non-Patent Document 3 uses a variable-length input/output pseudorandom permutation (Wide Pseudo Random Permutation, WPRP) P_K keyed with K: for the input (N, M) obtained by concatenating the initial vector N and the plaintext M, the ciphertext C = P_K(N, M) is the entire output. In this case, the length of the ciphertext C is the sum of the lengths of the initial vector N and the plaintext M.
In the above case, the decryption side uses the shared key K to apply the inverse permutation of P_K to the ciphertext C, obtains (N, M), and then performs the authentication check by confirming whether N is the expected value. The technique of Non-Patent Document 3 requires that the decryption side know in advance the initial vector N that the encryption side should use. This is feasible if the encryption side and the decryption side are synchronized with respect to updates of the initial vector N. Typically, it is achieved by the decryption side storing the initial vector of the legitimate ciphertext sent immediately before. This is a natural condition in cases where the decryption side is required to detect and reject replay attacks.
Japanese Unexamined Patent Application Publication No. 2005-134478
Published Japanese Translation of PCT Application No. 2011-509433
In techniques such as those of Patent Documents 1 and 2, adding a message authentication function means, for example, newly appending a message authentication code (MAC). As a result, the amount of information to be transmitted increases and so does the communication bandwidth. In addition, when a message authentication function is newly added in this way to achieve authenticated encryption as a whole, a protocol change may be required regardless of the length of the message, which can cause practical difficulties.
In the techniques described in Non-Patent Documents 1 and 2, encrypting the plaintext M requires transmitting a ciphertext C of the same length as the plaintext M concatenated with the initial vector N and the tag T. In ordinary processing, both the initial vector N and the tag T are short values of about 4 to 32 bytes, but when the plaintext M is similarly short, the increase in communication bandwidth due to adding the initial vector N and the tag T cannot be ignored. Such cases are frequently seen, for example, in devices of wireless sensor networks, where the communication bandwidth is one of the important factors determining power consumption. Bandwidth reduction has therefore been an important issue.
In the technique described in Non-Patent Document 3, the only information transmitted is the ciphertext C, whose length is, as described above, the sum of the lengths of the initial vector N and the plaintext M. It is therefore possible to suppress the increase in communication bandwidth compared with Non-Patent Documents 1 and 2. On the other hand, the technique of Non-Patent Document 3 requires, per block of input, one block cipher call and two multiplications over the finite field GF(2^n) (where n is the block size). The load is therefore much larger than that of ordinary encryption, and encryption efficiency is poor.
Thus, when an authenticated encryption scheme is used, either the communication bandwidth increases or the processing becomes complicated in order to suppress that increase. In other words, there has been a problem that it is difficult to efficiently prevent an increase in bandwidth when using an authenticated encryption scheme.
Accordingly, an object of the present invention is to provide an authenticated encryption apparatus that solves the problem that it is difficult to efficiently prevent an increase in bandwidth when using an authenticated encryption scheme.
In order to achieve this object, an authenticated encryption apparatus according to one aspect of the present invention comprises:
a plaintext input unit that receives input of a plaintext;
a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past;
a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext;
a plaintext encryption unit that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit; and
a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit,
and is configured to output the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit.
An authenticated decryption apparatus according to another aspect of the present invention comprises:
a ciphertext input unit that receives input of a ciphertext to be decrypted and a tag;
a mask value decryption unit that generates a mask value by decrypting the tag input to the ciphertext input unit;
a plaintext decryption unit that generates a plaintext by decrypting the ciphertext using the mask value generated by the mask value decryption unit;
a fixed-length value decryption unit that generates a fixed-length value by decrypting the mask value using an adjustment value based on the plaintext; and
a tampering inspection unit that inspects the presence or absence of tampering by comparing the fixed-length value with an expected value stored in advance,
and is configured to output the presence or absence of tampering determined by the tampering inspection unit and the plaintext generated by the plaintext decryption unit.
An authenticated encryption system according to another aspect of the present invention comprises:
an authenticated encryption apparatus that includes
a plaintext input unit that receives input of a plaintext,
a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past,
a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext,
a plaintext encryption unit that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit, and
a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit,
and that outputs the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit; and
an authenticated decryption apparatus that includes
a ciphertext input unit that receives input of a ciphertext and a tag,
a mask value decryption unit that generates a mask value by decrypting the tag input to the ciphertext input unit,
a plaintext decryption unit that generates a plaintext by decrypting, using the mask value generated by the mask value decryption unit, the ciphertext received by the ciphertext input unit,
a fixed-length value decryption unit that generates a fixed-length value by decrypting the mask value generated by the mask value decryption unit using an adjustment value based on the plaintext generated by the plaintext decryption unit, and
a tampering inspection unit that inspects the presence or absence of tampering by comparing the fixed-length value generated by the fixed-length value decryption unit with an expected value stored in advance,
and that outputs the presence or absence of tampering determined by the tampering inspection unit and the plaintext generated by the plaintext decryption unit.
An authenticated encryption method according to another aspect of the present invention comprises:
receiving input of a plaintext;
generating a new fixed-length value different from values generated in the past;
generating a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext;
generating a ciphertext by encrypting the plaintext using the generated mask value;
generating a tag by encrypting the generated mask value; and
outputting the ciphertext and the tag.
A program according to another aspect of the present invention causes an information processing apparatus to realize:
a plaintext input unit that receives input of a plaintext;
a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past;
a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext;
a plaintext encryption unit that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit; and
a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit,
and to output the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit.
Configured as described above, the present invention can provide an authenticated encryption apparatus that solves the problem that it is difficult to efficiently prevent an increase in bandwidth when using an authenticated encryption scheme.
A block diagram showing an example of the configuration of the authenticated encryption apparatus according to the first embodiment of the present invention.
A diagram for explaining an example of the checksum calculation method used by the checksum calculation means of the authenticated encryption apparatus according to the first embodiment of the present invention.
A diagram for explaining an example of encryption by the adjustment-value block encryption means of the authenticated encryption apparatus according to the first embodiment of the present invention.
A diagram for explaining another example of encryption by the adjustment-value block encryption means of the authenticated encryption apparatus according to the first embodiment of the present invention.
A diagram for explaining an example of encryption by the masked encryption means of the authenticated encryption apparatus according to the first embodiment of the present invention.
A diagram for explaining an example of encryption by the masked encryption means of the authenticated encryption apparatus according to the first embodiment of the present invention.
A flowchart showing an example of the operation of the authenticated encryption apparatus according to the first embodiment of the present invention.
A block diagram showing an example of the configuration of the authenticated decryption apparatus according to the second embodiment of the present invention.
A flowchart showing an example of the operation of the authenticated decryption apparatus according to the second embodiment of the present invention.
A diagram showing an example of the configuration of an authenticated encryption system composed of the authenticated encryption apparatus and the authenticated decryption apparatus.
A schematic block diagram showing an outline of the configuration of the authenticated encryption apparatus according to the third embodiment of the present invention.
A schematic block diagram showing an outline of the configuration of the authenticated decryption apparatus according to the fourth embodiment of the present invention.
A schematic block diagram showing an outline of the configuration of the authenticated encryption system according to the fourth embodiment of the present invention.
[First Embodiment]
A first embodiment of the present invention will be described with reference to FIGS. 1 to 7. FIG. 1 is a block diagram showing an example of the configuration of the authenticated encryption apparatus 1 according to the first embodiment of the present invention. FIG. 2 is a diagram showing an example of the checksum calculation method performed by the checksum calculation means 12 of the authenticated encryption apparatus 1. FIG. 3 is a diagram showing an example of the encryption process performed by the adjustment-value block encryption means 13 of the authenticated encryption apparatus 1. FIG. 4 is a diagram showing another example of the encryption process performed by the adjustment-value block encryption means 13 of the authenticated encryption apparatus 1. FIG. 5 is a diagram showing an example of the encryption process performed by the masked encryption means 14 of the authenticated encryption apparatus 1. FIG. 6 is a diagram showing an example of the encryption process performed by the masked encryption means 14 of the authenticated encryption apparatus 1. FIG. 7 is a flowchart showing an example of the operation of the authenticated encryption apparatus 1.
The first embodiment of the present invention describes an authenticated encryption apparatus 1 that uses a common-key cryptosystem to encrypt and output an input plaintext. The authenticated encryption apparatus 1 in this embodiment is configured to perform authenticated encryption processing. As described later, the authenticated encryption apparatus 1 encrypts the input plaintext by predetermined processing and then outputs the ciphertext obtained by encrypting the plaintext together with a tag described later.
The authenticated encryption apparatus 1 in this embodiment is an information processing apparatus having an arithmetic device and a storage device. A program is stored in the storage device, and each of the means described later is realized by the arithmetic device reading and executing the program stored in the storage device.
Referring to FIG. 1, the authenticated encryption apparatus 1 in this embodiment includes plaintext input means 10 (plaintext input unit), initial vector generation means 11 (fixed-length value generation unit), checksum calculation means 12 (adjustment value calculation unit), adjustment-value block encryption means 13 (mask value generation unit), masked encryption means 14 (plaintext encryption unit), tag generation means 15 (tag generation unit), and ciphertext output means 16.
The plaintext input means 10 (plaintext input unit) is means for inputting the plaintext M to be encrypted. The plaintext input means 10 is composed of, for example, a character input device such as a keyboard. The plaintext input means 10 may also be configured so that the plaintext M can be input from an external device connected via, for example, a network.
As described above, the plaintext M is input via the plaintext input means 10. The plaintext input means 10 then outputs the input plaintext M to the checksum calculation means 12 and the masked encryption means 14.
The initial vector generation means 11 (fixed-length value generation unit) generates an n-bit initial vector N (fixed-length value, nonce) different from values generated in the past. For example, the initial vector generation means 11 first generates an arbitrary fixed value. It stores the previously generated initial vector in a storage unit (not shown) and, when generating a new initial vector, adds 1 to the stored initial vector, thereby producing a new initial vector different from any generated in the past. For example, when the last generated initial vector is N, the initial vector generation means 11 generates N + 1 as the new initial vector N'. In this case, the update process performed by the initial vector generation means 11 can be expressed using the initial vector update function f(N) = N + 1.
In this way, the initial vector generation means 11 generates the initial vector N so that it does not duplicate any value generated in the past. The initial vector generation means 11 then outputs the generated initial vector N to the adjustment-value block encryption means 13.
The initial vector update function used by the initial vector generation means 11 is not limited to the example above. The initial vector generation means 11 can be configured to use various functions that generate an initial vector N different from values generated in the past. The initial vector generation means 11 may also be configured to generate the initial vector N in combination with other auxiliary information such as time information. In that case, the auxiliary information used when generating the initial vector N is assumed to be synchronized between the encryption side and the decryption side.
As described above, the initial vector generation means 11 in this embodiment generates an n-bit initial vector. If the value corresponding to the initial vector generated by the initial vector generation means 11 is shorter than n bits, the initial vector generation means 11 applies appropriate padding and then generates the n-bit initial vector.
The checksum calculation means 12 (adjustment value calculation unit) calculates an n-bit checksum SUM (adjustment value) by a simple computation from the plaintext M acquired from the plaintext input means 10.
FIG. 2 shows an example of the processing by which the checksum calculation means 12 calculates the checksum SUM. Referring to FIG. 2, the checksum calculation means 12, for example, divides the plaintext M acquired from the plaintext input means 10 into n-bit blocks (M[1], ..., M[m]) and calculates the exclusive OR (XOR) of the plaintext blocks. The result is, for example, the n-bit checksum SUM (adjustment value). When the plaintext M is divided into n-bit blocks in this way, the final block M[m] may be shorter than n bits. In that case, the checksum calculation means 12 applies appropriate padding to the final block before calculating the exclusive OR (see FIG. 2).
The checksum calculation means 12 calculates the checksum SUM by, for example, this processing. It then outputs the calculated checksum SUM to the adjustment-value block encryption means 13.
The checksum calculation means 12 may be configured to calculate the checksum SUM by processing other than the above. For example, the checksum calculation means 12 can be configured to use arithmetic addition or a cyclic redundancy check (CRC) instead of the exclusive OR.
The adjustment-value block encryption means 13 (mask value generation unit, tweakable block encryption means) encrypts the initial vector N generated by the initial vector generation means 11, using the checksum SUM acquired from the checksum calculation means 12 as the adjustment value (tweak). The adjustment-value block encryption means 13 can be realized using an ordinary n-bit block cipher.
FIG. 3 shows an example of the encryption process performed by the adjustment-value block encryption means 13. Referring to FIG. 3, the adjustment-value block encryption means 13 includes, for example, an encryption unit 131 that performs encryption using a key K1 and a block cipher E, and a calculation unit 132 that performs a predetermined calculation using a keyed function H with n-bit input and output whose key K2 is different from the key K1. The block cipher E can be a general block cipher such as AES (Advanced Encryption Standard). This process uses the LRW scheme described in M. Liskov, R. L. Rivest, D. Wagner: Tweakable Block Ciphers. Advances in Cryptology - CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 2002, Proceedings. Lecture Notes in Computer Science 2442 Springer 2002, pp. 31-46.
The function H used in the calculation unit 132 takes the checksum SUM and the key K2 as arguments. The calculation unit 132 therefore performs its calculation using the checksum SUM acquired from the checksum calculation means 12 and the key K2 stored in advance. Referring to FIG. 3, after this processing the adjustment-value block encryption means 13 calculates the exclusive OR of H(SUM), the result computed by the calculation unit 132, and the initial vector N, and the encryption unit 131 encrypts that result. The adjustment-value block encryption means 13 then calculates the exclusive OR of the encryption result from the encryption unit 131 and the result computed by the calculation unit 132, and outputs it as the mask L (mask value). That is, the adjustment-value block encryption means 13 is configured to calculate the mask L by executing, for example, the following processing.
L = E(H(SUM) + N) + H(SUM)
Here L represents the mask L, SUM represents the checksum SUM, and N represents the initial vector N. The symbol + represents the bitwise exclusive OR (the same applies hereinafter).
Through such processing, for example, the block encryption means with adjustment value 13 encrypts the initial vector N and generates the mask L. It then outputs the n-bit mask L, which is the result of the encryption, to the encryption means with mask 14 and the tag generation means 15.
Note that, with a security parameter e (e is 0 or more and 1 or less), the function H must be such that, for any two different inputs x and x', the probability expressed as Pr[H(x) + H(x') = c] is smaller than e. In such a case, that is, when the function H is an AXU universal hash function, the above configuration realizes a secure block cipher with an adjustment value.
An example of the processing of the block encryption means with adjustment value 13 has been described above, but the block encryption means with adjustment value 13 may be configured to encrypt the initial vector N by processing other than the above. For example, although the case of using the key K1 and the key K2 has been described, the whole key can also be a single block cipher key. An example of such a case will be described with reference to FIG. 4. FIG. 4 uses the XEX mode described in Phillip Rogaway: Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. Advances in Cryptology - ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5-9, 2004, Proceedings. Lecture Notes in Computer Science 3329, Springer 2004, pp. 16-31.
Referring to FIG. 4, the block encryption means with adjustment value 13 includes, for example, an encryption unit 133 that performs encryption using the key K1 and the block cipher E, a calculation unit 134 that multiplies the element 2 of the Galois field GF(2^n) by the encryption result of an encryption unit 135 described later, and the encryption unit 135, which encrypts the checksum SUM using the key K1 and the block cipher E.
According to the above configuration, the checksum SUM acquired from the checksum calculation means 12 is encrypted by the encryption unit 135, and the calculation unit 134 then multiplies the encryption result E(SUM) by the element 2 of the Galois field GF(2^n). The block encryption means with adjustment value 13 then calculates the exclusive OR of mul(2, E(SUM)), which is the result of the calculation unit 134, and the initial vector N, and the encryption unit 133 encrypts that value. The block encryption means with adjustment value 13 then calculates the exclusive OR of the output of the encryption unit 133 and the result of the calculation unit 134, and outputs it as the mask L. That is, the block encryption means with adjustment value 13 can also be configured to calculate the mask L by, for example, the following processing.
L = E(mul(2, E(SUM)) + N) + mul(2, E(SUM))
Here, mul(2, E(SUM)) represents the multiplication of the element 2 of the Galois field GF(2^n) by E(SUM).
The encryption means with mask 14 (plaintext encryption unit) encrypts the plaintext M acquired from the plaintext input means 10 using the mask L acquired from the block encryption means with adjustment value 13, and generates the ciphertext C. For example, the encryption means with mask 14 encrypts each block (M[1] to M[m]) obtained by dividing the plaintext M into n-bit units. From the viewpoint of security, the encryption means with mask 14 performs encryption such that, when a ciphertext C and a different ciphertext C' are decrypted with the same mask L, at least one block of the decryption result is, with high probability, an unpredictable random value for anyone who does not know the key.
FIG. 5 shows an example of the processing by which the encryption means with mask 14 encrypts a plaintext block M[i] (i is any value from 1 to m-1) when the plaintext M is a sequence of n-bit blocks (M[1], ..., M[m]). Referring to FIG. 5, the encryption means with mask 14 includes, for example, a calculation unit 141 that multiplies the mask L by the i-th power of the constant 2 in the Galois field (for plaintext block M[i]; i is a value corresponding to the position of the plaintext block), and an encryption unit 142 that performs encryption using the key K1 and the block cipher E.
According to the above configuration, the calculation unit 141 multiplies the mask L by the i-th power of 2 in the Galois field (i corresponds to the value indicating the position of the plaintext block). The encryption means with mask 14 then calculates the exclusive OR of mul(2^i, L), which is the result of the calculation unit 141, and the plaintext block M[i], and the encryption unit 142 encrypts that value. The encryption means with mask 14 then calculates the exclusive OR of the output of the encryption unit 142 and the result of the calculation unit 141, and outputs it. That is, the encryption means with mask 14 is configured to encrypt the plaintext block M[i] and output the ciphertext block C[i] by, for example, the following processing.
C[i] = E(mul(2^i, L) + M[i]) + mul(2^i, L)
Here, C[i] represents the ciphertext block C[i], and M[i] represents the plaintext block M[i].
The encryption means with mask 14 performs the above encryption processing on the plaintext blocks M[1] to M[m-1] (see FIG. 6). The final block M[m] obtained when the plaintext M is divided into n-bit blocks may be shorter than n bits. Therefore, the encryption means with mask 14 outputs, for example, the exclusive OR of the result of encrypting a constant and the plaintext block M[m] as the ciphertext block C[m], as shown below (see FIG. 6).
C[m] = msb_|M[m]|(E(mul(2^m, L))) + M[m]
Here, msb_a(X) is a function that extracts the first a bits of X, and |X| is a function giving the bit length of X. That is, msb_|M[m]|(E(mul(2^m, L))) indicates extracting the first |M[m]| bits of E(mul(2^m, L)). The ciphertext block C[m] is generated by calculating the exclusive OR of the value extracted in this way and M[m].
Through such processing, for example, the encryption means with mask 14 encrypts the plaintext M input to the plaintext input means 10 and generates the ciphertext C. It then outputs the generated ciphertext C to the ciphertext output means 16.
Note that when the block encryption means with adjustment value 13 is configured to execute the processing described above,
L = E(mul(2, E(SUM)) + N) + mul(2, E(SUM))
the encryption means with mask 14 needs to use constants different from those used by the block encryption means with adjustment value 13. This can be realized, for example, by using mul(2^(i+1), L) instead of mul(2^i, L). That is, in such a case, the calculation unit 141 is configured, for example, to multiply the mask L by 2^(i+1).
The tag generation means 15 (tag generation unit) generates a tag T using the mask L acquired from the block encryption means with adjustment value 13. The tag T is decrypted back into the mask L by the decryption apparatus and is used for message authentication and for decrypting the ciphertext C. For example, the tag generation means 15 generates the tag T by encrypting the mask L using a block cipher such as AES. It then outputs the generated tag T to the ciphertext output means 16.
The ciphertext output means 16 concatenates the ciphertext C output by the encryption means with mask 14 and the tag T output by the tag generation means 15, and outputs the result to an external device. The ciphertext output means 16 is connected to, for example, a display device or a printer device, and outputs the ciphertext C and the tag T to that device. The ciphertext output means 16 may also be configured to output the ciphertext C and the tag T to an external device connected via a network, for example.
The above is an example of the configuration of the authenticated encryption apparatus 1. Next, an example of the operation of the authenticated encryption apparatus 1 will be described with reference to FIG. 7.
Referring to FIG. 7, first, the plaintext M is input to the plaintext input means 10 (step S101). The plaintext input means 10 then outputs the input plaintext M to the checksum calculation means 12 and the encryption means with mask 14.
Subsequently, the checksum calculation means 12 calculates the checksum SUM from the plaintext M (step S102). Specifically, for example, the checksum calculation means 12 calculates the checksum SUM as the exclusive OR of the plaintext blocks obtained by dividing the plaintext M acquired from the plaintext input means 10 into n-bit blocks. It then outputs the calculated checksum SUM to the block encryption means with adjustment value 13.
In addition, the initial vector generation means 11 generates an initial vector so that it does not duplicate any value the initial vector generation means 11 has generated in the past. It then outputs the generated initial vector to the block encryption means with adjustment value 13.
Subsequently, the block encryption means with adjustment value 13 encrypts the initial vector N generated by the initial vector generation means 11, using the checksum SUM received from the checksum calculation means 12 as the adjustment value. Specifically, for example, the block encryption means with adjustment value 13 encrypts the initial vector N by performing the processing represented by the following formula.
L = E(mul(2, E(SUM)) + N) + mul(2, E(SUM))
With this processing, the block encryption means with adjustment value 13 generates the mask L (step S103). It then outputs the generated mask L to the encryption means with mask 14 and the tag generation means 15.
Having acquired the plaintext M from the plaintext input means 10 and the mask L from the block encryption means with adjustment value 13, the encryption means with mask 14 encrypts the plaintext M using the mask L and generates the ciphertext C (step S104). Specifically, the encryption means with mask 14 encrypts the plaintext M into the ciphertext C by performing, for example, the processing represented by the following formulas.
C[i] = E(mul(2^i, L) + M[i]) + mul(2^i, L)
where i = 1 to m-1
C[m] = msb_|M[m]|(E(mul(2^m, L))) + M[m]
The encryption means with mask 14 then outputs the generated ciphertext C to the ciphertext output means 16.
In addition, the tag generation means 15, having acquired the mask L from the block encryption means with adjustment value 13, generates the tag T by encrypting the mask L (step S105). The tag generation means 15 generates the tag T by encrypting the mask L using, for example, a block cipher such as AES. It then outputs the generated tag T to the ciphertext output means 16.
After that, the ciphertext output means 16 acquires the ciphertext C from the encryption means with mask 14 and the tag T from the tag generation means 15, and concatenates the acquired ciphertext C and tag T. The ciphertext output means 16 then outputs the ciphertext C and the tag T to an external device such as a display device (step S106).
The above is an example of the operation of the authenticated encryption apparatus 1.
As described above, the authenticated encryption apparatus 1 according to the present embodiment includes the plaintext input means 10, the initial vector generation means 11, the checksum calculation means 12, the block encryption means with adjustment value 13, the encryption means with mask 14, and the tag generation means 15. With such a configuration, the checksum calculation means 12 can calculate the checksum SUM based on the plaintext M input via the plaintext input means 10. The block encryption means with adjustment value 13 can generate the mask L by encrypting the initial vector generated by the initial vector generation means 11, using the checksum SUM as the adjustment value. Furthermore, the encryption means with mask 14 can encrypt the plaintext M using the mask L and generate the ciphertext C. The tag generation means 15 can generate the tag T by encrypting the mask L. As a result, the ciphertext output means 16 can output the generated ciphertext C and tag T.
Here, a decryption apparatus that has received the ciphertext C and the tag T can generate the mask L by decrypting the tag T. The decryption apparatus can also decrypt the ciphertext C into the plaintext M using the generated mask L. Furthermore, the decryption apparatus can calculate the checksum SUM based on the decrypted plaintext M. By using the mask L and the checksum SUM, the decryption apparatus can then decrypt the mask L and generate the initial vector N. As a result, the decryption apparatus can detect whether tampering has occurred by comparing the generated initial vector N with the initial vector expected value.
In this way, by outputting the ciphertext C and the tag T generated by the components of the authenticated encryption apparatus 1, the decryption side can decrypt the ciphertext C to generate the plaintext M and also perform message authentication. That is, the above configuration enables processing that combines the tag T and the initial vector N, and makes it possible to realize authenticated encryption that transmits only the ciphertext C and the tag T, both of which are generated by simple calculation. As a result, an increase in bandwidth can be prevented efficiently when an authenticated encryption scheme is used.
In the present embodiment, the case where the authenticated encryption apparatus 1 uses the ECB (Electronic CodeBook) mode has been described. However, the authenticated encryption apparatus 1 may be configured to use, for example, the CBC (Cipher Block Chaining) mode.
[Second Embodiment]
Next, a second embodiment of the present invention will be described with reference to FIGS. 8 and 9. FIG. 8 is a block diagram showing an example of the configuration of the authenticated decryption apparatus 2 according to the second embodiment of the present invention. FIG. 9 is a flowchart showing an example of the operation of the authenticated decryption apparatus 2.
The second embodiment of the present invention describes the authenticated decryption apparatus 2, which decrypts the ciphertext C and the tag T output by the authenticated encryption apparatus 1 described in the first embodiment, generates the plaintext M, and detects whether tampering has occurred.
The authenticated decryption apparatus 2 in the present embodiment is an information processing apparatus having an arithmetic device and a storage device. A program is stored in the storage device, and each of the means described later is realized by the arithmetic device reading and executing the program stored in the storage device.
Referring to FIG. 8, the authenticated decryption apparatus 2 includes a ciphertext input means 20 (ciphertext input unit), a mask generation means 21 (mask value calculation unit), a decryption means with mask 22 (plaintext decryption unit), a checksum calculation means 23 (adjustment value calculation unit), a block decryption means with adjustment value 24 (initial vector generation unit), an initial vector check means 25 (initial vector check unit), and a plaintext output means 26.
The ciphertext input means 20 (ciphertext input unit) is a means for inputting the ciphertext C and the tag T to be decrypted. The ciphertext input means 20 is configured by, for example, a character input device such as a keyboard. The ciphertext input means 20 may also be configured so that the ciphertext C and the tag T can be input from an external device connected via a network or the like.
As described above, the ciphertext C and the tag T are input via the ciphertext input means 20. The ciphertext input means 20 then outputs the input tag T to the mask generation means 21 and outputs the ciphertext C to the decryption means with mask 22.
The mask generation means 21 (mask value calculation unit) generates the mask L using the tag T acquired from the ciphertext input means 20. For example, the mask generation means 21 generates the mask L by decrypting the tag T using the decryption function of the block cipher used by the tag generation means 15 described in the first embodiment. It then outputs the generated mask L to the decryption means with mask 22 and the block decryption means with adjustment value 24.
The decryption means with mask 22 (plaintext decryption unit) decrypts the ciphertext C acquired from the ciphertext input means 20 using the mask L acquired from the mask generation means 21, and generates the plaintext M. For example, the decryption means with mask 22 decrypts the ciphertext C and generates the plaintext M by applying the inverse function D of the encryption means with mask 14 described in the first embodiment.
For example, assume that the ciphertext C consists of m n-bit blocks (C[1], ..., C[m]) and that encryption has been performed using the following formula described in the first embodiment.
C[i] = E(mul(2^i, L) + M[i]) + mul(2^i, L)
where i = 1 to m-1
In this case, the decryption means with mask 22 decrypts the ciphertext C (except for the final block) by performing, for example, the following processing on each ciphertext block C[i] (i = 1, ..., m-1).
M[i] = D(mul(2^i, L) + C[i]) + mul(2^i, L)
The decryption means with mask 22 also decrypts the final block C[m] of the ciphertext C by performing, for example, the following processing.
M[m] = msb_|C[m]|(E(mul(2^m, L))) + C[m]
Through such processing, for example, the decryption means with mask 22 decrypts the ciphertext C input to the ciphertext input means 20 and generates the plaintext M. It then outputs the generated plaintext M to the checksum calculation means 23 and the plaintext output means 26.
The checksum calculation means 23 (adjustment value calculation unit) calculates an n-bit checksum SUM from the plaintext M acquired from the decryption means with mask 22 by a simple calculation. It then outputs the calculated checksum SUM to the block decryption means with adjustment value 24.
The checksum calculation means 23 calculates the checksum SUM by the same processing as the checksum calculation means 12 described in the first embodiment. A detailed description of the checksum SUM calculation performed by the checksum calculation means 23 is omitted because it is the same as that already given in the first embodiment.
The block decryption means with adjustment value 24 (initial vector generation unit) decrypts the mask L using the checksum SUM acquired from the checksum calculation means 23 as the adjustment value (tweak), and generates the initial vector N. Specifically, the block decryption means with adjustment value 24 decrypts the mask L and generates the initial vector N by applying the inverse function of the block encryption means with adjustment value 13 described in the first embodiment. It then outputs the generated initial vector N to the initial vector check means 25.
Like the block encryption means with adjustment value 13, the block decryption means with adjustment value 24 can be realized using an ordinary n-bit block cipher.
The initial vector check means 25 (initial vector check unit) compares the initial vector N acquired from the block decryption means with adjustment value 24 with an initial vector expected value N*, which is the initial vector value that the decryption side expects for the pair of ciphertext C and tag T, and detects whether tampering has occurred. After comparing the initial vector N with the initial vector expected value N*, the initial vector check means 25 outputs a verification result B, which is a binary representation of the result (ACK if the check passes, NCK if the check fails), and, as necessary, generates the initial vector expected value N*_new to be used in the next check.
For example, the initial vector check means 25 stores the initial vector expected value N* in advance in a storage unit (not shown), and compares the initial vector N acquired from the block decryption means with adjustment value 24 with the stored initial vector expected value N*. When the initial vector N and the initial vector expected value N* match, the initial vector check means 25 determines that there has been no tampering and outputs B = ACK (check passed). In this case, if the update function for the initial vector N used by the encryption side is f, the initial vector check means 25 generates a new initial vector expected value N*_new = f(N) and stores it in the storage unit. That is, when the check passes, the initial vector check means 25 updates, for example, the initial vector from N to N+1 (when the initial vector update function is f(N) = N+1). On the other hand, when the initial vector N and the initial vector expected value N* do not match, the initial vector check means 25 determines that tampering has occurred and outputs B = NCK (check failed). In this case, the initial vector check means 25 does not update the initial vector expected value N*. That is, the new initial vector expected value is N*_new = N*.
By the above processing, for example, the initial vector check means 25 compares the initial vector N with the initial vector expected value N* and outputs the verification result B, which is the result of the comparison, to the plaintext output means 26. The initial vector check means 25 also updates the initial vector expected value N* when the check passes.
The comparison method used by the initial vector check means 25 is not limited to the one described above. For example, the initial vector check means 25 may store a threshold t in advance in a storage unit (not shown) and be configured to determine that the check has passed when the absolute difference between the initial vector N and the initial vector expected value N* is within the threshold t. With this configuration, the initial vector check means 25 can cope with loss of information such as packet loss on the communication path. In such a configuration, the success probability of an attacker attempting tampering, that is, the probability that the initial vector N obtained by decrypting an invalid ciphertext happens to be close to the initial vector expected value N*, is approximately t/(2^n). Therefore, by making t sufficiently small, tampering can be detected with high probability while coping with loss of information.
The plaintext output means 26 outputs the plaintext M acquired from the masked decryption means 22 and the verification result B acquired from the initial vector checking means 25 to an external device. The plaintext output means 26 is connected to, for example, a display device or a printer device, and outputs the plaintext M and the verification result B to that device.
Specifically, for example, when the verification result is B = ACK (check passed), the plaintext output means 26 outputs the verification result B and the plaintext M. When the verification result is B = NCK (check failed), the plaintext output means 26 outputs the verification result B and outputs the plaintext M as an empty string. In this way, for example, the plaintext output means 26 outputs the verification result B and the plaintext M to an external device. The plaintext output means 26 may also be configured to output the verification result B and the plaintext M regardless of the verification result B.
The above is an example of the configuration of the authenticated decryption apparatus 2. Next, an example of the operation of the authenticated decryption apparatus 2 will be described with reference to FIG. 9.
Referring to FIG. 9, first, the ciphertext C and the tag T are input to the ciphertext input means 20 (step S201). The ciphertext input means 20 then sends the input tag T to the mask generation means 21 and sends the ciphertext C to the masked decryption means 22.
Next, the mask generation means 21 decrypts the tag T to generate the mask L (step S202). Specifically, for example, the mask generation means 21 generates the mask L by decrypting the tag T with the decryption function of the block cipher used in the tag generation means 15 described in the first embodiment. The mask generation means 21 then outputs the generated mask L to the masked decryption means 22 and the block decryption means 24 with adjustment value.
When the masked decryption means 22 acquires the mask L from the mask generation means 21, it decrypts the ciphertext C acquired from the ciphertext input means 20 using the mask L to generate the plaintext M (step S203). Specifically, for example, the masked encryption/decryption means 22 decrypts the ciphertext C into the plaintext M by performing the processing expressed by the following equations.
M[i] = D(mul(2^i, L) + C[i]) + mul(2^i, L)
where i = 1 to m-1
M[m] = msb_|C[m]|(E(mul(2^m, L))) + C[m]
The masked decryption means 22 then outputs the generated plaintext M to the checksum calculation means 23 and the plaintext output means 26.
Next, the checksum calculation means 23 calculates the checksum SUM from the acquired plaintext M (step S204). Specifically, for example, the checksum calculation means 23 calculates the checksum SUM as the exclusive OR of the plaintext blocks obtained by dividing the plaintext M into n-bit blocks. The checksum calculation means 23 then outputs the calculated checksum SUM to the block decryption means 24 with adjustment value.
The block decryption means 24 with adjustment value then acquires the checksum SUM calculated by the checksum calculation means 23. Using the checksum SUM as the adjustment value, the block decryption means 24 with adjustment value decrypts the mask L to generate the initial vector N (step S205). This processing is performed, for example, by applying the inverse function of the block encryption means 13 with adjustment value. The block decryption means 24 with adjustment value then outputs the generated initial vector N to the initial vector checking means 25.
When the initial vector checking means 25 acquires the initial vector N from the block decryption means 24 with adjustment value, it determines whether the initial vector N matches the expected initial vector value N* stored in advance (step S206).
When the initial vector N matches the expected value N* (step S206, Yes), the initial vector checking means 25 sets the verification result B = ACK (check passed) and updates the expected value N* to the new expected value N*_new = f(N) (step S207). The initial vector checking means 25 then outputs the verification result B = ACK to the plaintext output means 26. After that, the plaintext output means 26 outputs the plaintext M and the verification result B (step S208).
On the other hand, when the initial vector N does not match the expected value N* (step S206, No), the initial vector checking means 25 sets the verification result B = NCK (check failed) and does not update the expected value N* (step S209). The initial vector checking means 25 then outputs the verification result B = NCK to the plaintext output means 26. After that, the plaintext output means 26 outputs the verification result B and outputs the plaintext M as an empty string (step S210).
The above is an example of the operation of the authenticated decryption apparatus 2. Through such an operation, for example, the authenticated decryption apparatus 2 decrypts the ciphertext C into the plaintext M and detects whether tampering has occurred.
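The flow of steps S201 to S210, together with a matching encryption side, as an added Python example that is not code from the patent. The stand-in block cipher E/D (a 4-round Feistel network over SHA-256), the way the adjustment value enters it, the GF(2^128) reduction polynomial, the zero-padding of the last block in the checksum, the use of one key for every call and f(N) = N + 1 are all assumptions made for the demonstration.

```python
import hashlib

BLOCK = 16  # block length n = 128 bits


def xor(a, b):
    # XOR of two byte strings, truncated to the shorter one (this gives msb_|x|)
    return bytes(x ^ y for x, y in zip(a, b))


def round_f(key, rnd, half, tweak):
    return hashlib.sha256(key + bytes([rnd]) + tweak + half).digest()[:8]


def E(key, block, tweak=b""):
    # ASSUMPTION: stand-in 128-bit block cipher (4-round Feistel over SHA-256).
    # A non-empty tweak plays the role of the "adjustment value".
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, round_f(key, rnd, right, tweak))
    return left + right


def D(key, block, tweak=b""):
    # Inverse of E for the same key and adjustment value
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_f(key, rnd, left, tweak)), left
    return left + right


def dbl(x):
    # mul(2, x) in GF(2^128); the polynomial x^128+x^7+x^2+x+1 is an ASSUMPTION
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "big")


def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]


def checksum(msg):
    # SUM = XOR of the n-bit plaintext blocks (last block zero-padded: ASSUMPTION)
    s = bytes(BLOCK)
    for blk in split(msg):
        s = xor(s, blk.ljust(BLOCK, b"\0"))
    return s


def encrypt(key, n, msg):
    # Mask L = N encrypted under the adjustment value SUM; tag T = E(L)
    L = E(key, n.to_bytes(BLOCK, "big"), tweak=checksum(msg))
    blocks, out, d = split(msg), [], L
    for blk in blocks[:-1]:
        d = dbl(d)                                   # d = mul(2^i, L)
        out.append(xor(E(key, xor(blk, d)), d))
    out.append(xor(blocks[-1], E(key, dbl(d))))      # last block, pad from mul(2^m, L)
    return b"".join(out), E(key, L)


class Receiver:
    """Decryption side; keeps the expected initial vector value N*."""

    def __init__(self, key, expected=0):
        self.key, self.expected = key, expected

    def decrypt(self, C, T):
        L = D(self.key, T)                                   # S202: mask from tag
        blocks, out, d = split(C), [], L
        for blk in blocks[:-1]:                              # S203: M[i], i = 1..m-1
            d = dbl(d)
            out.append(xor(D(self.key, xor(blk, d)), d))
        out.append(xor(blocks[-1], E(self.key, dbl(d))))     # S203: M[m]
        M = b"".join(out)
        raw = D(self.key, L, tweak=checksum(M))              # S204 and S205
        N = int.from_bytes(raw, "big")
        if N == self.expected:                               # S206
            self.expected = N + 1                            # S207: f(N) = N + 1
            return "ACK", M                                  # S208
        return "NCK", b""                                    # S209, S210


if __name__ == "__main__":
    key = b"constructed demo key"                            # constructed sample values
    msg = b"constructed sample plaintext, longer than one block"
    rx = Receiver(key)
    print(rx.decrypt(*encrypt(key, 0, msg)))                 # ACK with the plaintext
    C, T = encrypt(key, 1, msg)
    print(rx.decrypt(C[:-1] + bytes([C[-1] ^ 1]), T))        # one flipped bit: NCK
```

Only C and T cross the channel: C has the length of the plaintext and T is one block, and the receiver recovers N from them instead of receiving it.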
As described above, the authenticated decryption apparatus 2 in this embodiment includes the ciphertext input means 20, the mask generation means 21, the masked decryption means 22, the checksum calculation means 23, the block decryption means 24 with adjustment value, the initial vector checking means 25, and the plaintext output means 26. With this configuration, the mask generation means 21 can generate the mask L by decrypting the tag T input via the ciphertext input means 20. The masked decryption means 22 can generate the plaintext M by decrypting, with the mask L, the ciphertext C input via the ciphertext input means 20. Further, the checksum calculation means 23 can calculate the checksum SUM from the plaintext M, and the block decryption means 24 with adjustment value can decrypt the mask L into the initial vector N using the checksum SUM as the adjustment value. The initial vector checking means 25 can then detect whether tampering has occurred by comparing the initial vector N with the expected value N*.
Thus, with the above configuration, it is possible to decrypt the ciphertext C into the plaintext M and to detect whether tampering has occurred just by receiving the ciphertext C and the tag T. As a result, an increase in bandwidth can be prevented efficiently when an authenticated encryption scheme is used.
This embodiment has described the authenticated decryption apparatus 2. However, as shown in FIG. 10 for example, the present invention may also be realized by an authenticated encryption system that uses the authenticated encryption apparatus 1 described in the first embodiment together with the authenticated decryption apparatus 2. The configurations of the authenticated encryption apparatus 1 and the authenticated decryption apparatus 2 are the same as those already described, so their description is omitted.
Next, a third embodiment of the present invention will be described with reference to FIG. 11.
[Third embodiment]
The third embodiment describes an authenticated encryption apparatus 3 that encrypts an input plaintext and outputs the result. The authenticated encryption apparatus 3 in this embodiment is configured to output a ciphertext obtained by encrypting the plaintext, and a tag. This embodiment describes an outline of the configuration of the authenticated encryption apparatus 3.
Referring to FIG. 11, the authenticated encryption apparatus 3 in this embodiment includes a plaintext input unit 31, a fixed-length value generation unit 32, a mask value generation unit 33, a plaintext encryption unit 34, and a tag generation unit 35.
The plaintext input unit 31 receives plaintext input. The fixed-length value generation unit 32 generates a new fixed-length value that differs from the values it has generated in the past.
The mask value generation unit 33 generates a mask value by encrypting the fixed-length value generated by the fixed-length value generation unit 32, using an adjustment value based on the plaintext received by the plaintext input unit 31. That is, the mask value generation unit 33 acquires the plaintext from the plaintext input unit 31 and the fixed-length value from the fixed-length value generation unit 32. It then encrypts the fixed-length value using the adjustment value based on the plaintext to generate the mask value.
The plaintext encryption unit 34 encrypts the plaintext using the mask value generated by the mask value generation unit 33 to generate a ciphertext. That is, the plaintext encryption unit 34 acquires the mask value from the mask value generation unit 33 and the plaintext from the plaintext input unit 31. It then encrypts the plaintext using the mask value to generate the ciphertext.
The tag generation unit 35 encrypts the mask value generated by the mask value generation unit 33 to generate a tag. That is, when the tag generation unit 35 acquires the mask value from the mask value generation unit 33, it encrypts the acquired mask value to generate the tag.
After that, the authenticated encryption apparatus 3 outputs the ciphertext produced by the plaintext encryption unit 34 and the tag generated by the tag generation unit 35.
As described above, the authenticated encryption apparatus 3 in this embodiment includes the plaintext input unit 31, the fixed-length value generation unit 32, the mask value generation unit 33, the plaintext encryption unit 34, and the tag generation unit 35. With this configuration, the mask value generation unit 33 can generate a mask value by encrypting the fixed-length value generated by the fixed-length value generation unit 32, using an adjustment value based on the plaintext input to the plaintext input unit 31. The plaintext encryption unit 34 can generate a ciphertext by encrypting the plaintext using the mask value. The tag generation unit 35 can generate a tag by encrypting the mask value. As a result, the authenticated encryption apparatus 3 can output the ciphertext and the tag.
The decryption side that receives the ciphertext and the tag can decrypt the tag to generate the mask value. It can also decrypt the ciphertext using the mask value to generate the plaintext. It can then decrypt the mask value using the adjustment value based on the plaintext to generate the fixed-length value. As a result, the decryption side can detect whether tampering has occurred by comparing the generated fixed-length value with an expected value, that is, the fixed-length value it expects.
In this way, by outputting the ciphertext and the tag generated by the components of the authenticated encryption apparatus 3, the decryption side can decrypt the ciphertext to generate the plaintext and can also perform message authentication. That is, the above configuration enables processing that combines the tag and the fixed-length value, and makes it possible to realize authenticated encryption that transmits only the ciphertext and the tag, both of which are generated by simple computation. As a result, an increase in bandwidth can be prevented efficiently when an authenticated encryption scheme is used.
The authenticated encryption apparatus 3 described above can be realized by installing a predetermined program in an information processing apparatus. Specifically, a program according to another aspect of the present invention causes an information processing apparatus to realize: a plaintext input unit 31 that receives plaintext input; a fixed-length value generation unit 32 that generates a new fixed-length value different from values generated in the past; a mask value generation unit 33 that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext; a plaintext encryption unit 34 that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit 33; and a tag generation unit 35 that generates a tag by encrypting the mask value generated by the mask value generation unit 33. The program outputs the ciphertext produced by the plaintext encryption unit 34 and the tag generated by the tag generation unit 35.
The authenticated encryption method executed when the authenticated encryption apparatus 3 described above operates is a method of: receiving plaintext input; generating a new fixed-length value different from values generated in the past; generating a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext; generating a ciphertext by encrypting the plaintext using the generated mask value; generating a tag by encrypting the generated mask value; and outputting the ciphertext and the tag.
The invention of a program or an authenticated encryption method having the above configuration has the same effect as the authenticated encryption apparatus 3, and can therefore also achieve the object of the present invention described above.
Next, a fourth embodiment of the present invention will be described with reference to FIG. 12.
[Fourth embodiment]
The fourth embodiment describes an authenticated decryption apparatus 4 that acquires a ciphertext and a tag, decrypts the ciphertext to generate a plaintext, and detects whether tampering has occurred. This embodiment describes an outline of the configuration of the authenticated decryption apparatus 4.
Referring to FIG. 12, the authenticated decryption apparatus 4 in this embodiment includes a ciphertext input unit 41, a mask value decryption unit 42, a plaintext decryption unit 43, a fixed-length value decryption unit 44, and a tampering check unit 45.
The ciphertext input unit 41 receives input of the ciphertext to be decrypted and the tag.
The mask value decryption unit 42 decrypts the tag input to the ciphertext input unit 41 to generate a mask value. That is, the mask value decryption unit 42 acquires the tag from the ciphertext input unit 41 and decrypts it to generate the mask value.
The plaintext decryption unit 43 decrypts the ciphertext using the mask value generated by the mask value decryption unit 42 to generate a plaintext. That is, the plaintext decryption unit 43 acquires the mask value from the mask value decryption unit 42 and the ciphertext from the ciphertext input unit 41. It then decrypts the ciphertext using the mask value to generate the plaintext.
The fixed-length value decryption unit 44 decrypts the mask value using an adjustment value based on the plaintext to generate a fixed-length value. That is, the fixed-length value decryption unit 44 uses an adjustment value based on the plaintext generated by the plaintext decryption unit 43 to decrypt the mask value generated by the mask value decryption unit 42 and generate the fixed-length value.
The tampering check unit 45 checks whether tampering has occurred by comparing the fixed-length value with an expected value stored in advance. That is, the tampering check unit 45 compares the fixed-length value generated by the fixed-length value decryption unit 44 with the expected value stored in advance, and thereby checks whether tampering has occurred.
As described above, the authenticated decryption apparatus 4 includes the ciphertext input unit 41, the mask value decryption unit 42, the plaintext decryption unit 43, the fixed-length value decryption unit 44, and the tampering check unit 45. With this configuration, the mask value decryption unit 42 can generate the mask value by decrypting the tag input via the ciphertext input unit 41. The plaintext decryption unit 43 can generate the plaintext by decrypting, with the mask value, the ciphertext input via the ciphertext input unit 41. Further, the fixed-length value decryption unit 44 can generate the fixed-length value by decrypting the mask value using the adjustment value based on the plaintext. The tampering check unit 45 can then detect whether tampering has occurred by comparing the fixed-length value with the expected value.
Thus, with the above configuration, it is possible to decrypt the ciphertext into the plaintext and to detect whether tampering has occurred just by receiving the ciphertext and the tag. As a result, an increase in bandwidth can be prevented efficiently when an authenticated encryption scheme is used.
The authenticated decryption apparatus 4 described above can be realized by installing a predetermined program in an information processing apparatus. Specifically, a program according to another aspect of the present invention causes an information processing apparatus to realize: a ciphertext input unit 41 that receives input of a ciphertext to be decrypted and a tag; a mask value decryption unit 42 that generates a mask value by decrypting the tag input to the ciphertext input unit 41; a plaintext decryption unit 43 that generates a plaintext by decrypting the ciphertext using the mask value generated by the mask value decryption unit 42; a fixed-length value decryption unit 44 that generates a fixed-length value by decrypting the mask value using an adjustment value based on the plaintext; and a tampering check unit 45 that checks whether tampering has occurred by comparing the fixed-length value with an expected value stored in advance. The program outputs the result of the tampering check performed by the tampering check unit 45 and the plaintext generated by the plaintext decryption unit 43.
The authenticated decryption method executed when the authenticated decryption apparatus 4 described above operates is a method of: receiving input of a ciphertext to be decrypted and a tag; generating a mask value by decrypting the tag; generating a plaintext by decrypting the ciphertext using the mask value; generating a fixed-length value by decrypting the mask value using an adjustment value based on the plaintext; checking whether tampering has occurred by comparing the fixed-length value with an expected value stored in advance; and outputting the result of the tampering check and the plaintext.
The invention of a program or an authenticated decryption method having the above configuration has the same effect as the authenticated decryption apparatus 4, and can therefore also achieve the object of the present invention described above.
The object of the present invention can also be achieved by an authenticated encryption system that includes the authenticated encryption apparatus 3 and the authenticated decryption apparatus 4, as shown in FIG. 13. The authenticated encryption system includes, for example, the following two apparatuses. The first is the authenticated encryption apparatus 3, which includes a plaintext input unit 31 that receives plaintext input, a fixed-length value generation unit 32 that generates a new fixed-length value different from values generated in the past, a mask value generation unit 33 that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext, a plaintext encryption unit 34 that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit 33, and a tag generation unit 35 that generates a tag by encrypting the mask value generated by the mask value generation unit 33, and which outputs the ciphertext produced by the plaintext encryption unit 34 and the tag generated by the tag generation unit 33. The second is the authenticated decryption apparatus 4, which includes a ciphertext input unit 41 that receives input of the ciphertext and the tag output by the authenticated encryption apparatus 3, a mask value decryption unit 42 that calculates a mask value by decrypting the tag input to the ciphertext input unit 41, a plaintext decryption unit 43 that generates a plaintext by decrypting the ciphertext using the mask value calculated by the mask value decryption unit 42, a fixed-length value decryption unit 44 that generates a fixed-length value by decrypting the mask value using an adjustment value based on the plaintext, and a tampering check unit 45 that checks whether tampering has occurred by comparing the fixed-length value with an expected value stored in advance, and which outputs the result of the tampering check performed by the tampering check unit 45 and the plaintext generated by the plaintext decryption unit 43.
<Appendix>
Part or all of the above embodiments can also be described as in the following appendices. An outline of the authenticated encryption apparatus and related aspects of the present invention is given below. However, the present invention is not limited to the following configurations.
(Appendix 1)
An authenticated encryption apparatus comprising:
a plaintext input unit that receives plaintext input;
a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past;
a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext;
a plaintext encryption unit that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit; and
a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit,
the authenticated encryption apparatus being configured to output the ciphertext produced by the plaintext encryption unit and the tag generated by the tag generation unit.
(Appendix 2)
The authenticated encryption apparatus according to Appendix 1, further comprising
an adjustment value calculation unit that calculates the adjustment value, of fixed length, from the plaintext input to the plaintext input unit,
wherein the mask value generation unit is configured to generate the mask value by encrypting the fixed-length value using the adjustment value calculated by the adjustment value calculation unit.
(Appendix 3)
The authenticated encryption apparatus according to Appendix 2,
wherein the adjustment value calculation unit is configured to calculate the adjustment value by calculating the exclusive OR of the blocks obtained when the plaintext input to the plaintext input unit is divided into blocks of a predetermined length.
(Appendix 4)
The authenticated encryption apparatus according to any one of Appendices 1 to 3,
wherein the plaintext encryption unit is configured to encrypt the plaintext and generate the ciphertext by calculating the exclusive OR of the value of a plaintext block, which is one of the blocks obtained when the plaintext is divided into blocks of a predetermined length, and a multiplication value, which is the product of the mask value and a finite-field constant corresponding to the position of the plaintext block in the plaintext, then encrypting the result with a predetermined block cipher, and calculating the exclusive OR of the encryption result and the multiplication value.
(Appendix 5)
The authenticated encryption apparatus according to Appendix 4, wherein
the plaintext encryption unit is configured to encrypt the final block, which is the last of the blocks obtained when the plaintext is divided into blocks of a predetermined length, by computing the exclusive OR of the value of that final block of the plaintext and a value calculated on the basis of the result of encrypting a finite-field constant corresponding to the final block.
(Appendix 6)
An authenticated decryption apparatus comprising:
a ciphertext input unit that accepts input of a ciphertext to be decrypted and a tag;
a mask value decryption unit that decrypts the tag input to the ciphertext input unit to generate a mask value;
a plaintext decryption unit that decrypts the ciphertext using the mask value generated by the mask value decryption unit to generate a plaintext;
a fixed-length value decryption unit that decrypts the mask value using an adjustment value based on the plaintext to generate a fixed-length value; and
a tampering inspection unit that inspects for the presence or absence of tampering by comparing the fixed-length value with an expected value stored in advance,
the apparatus being configured to output the presence or absence of tampering determined by the tampering inspection unit and the plaintext generated by the plaintext decryption unit.
(Appendix 7)
The authenticated decryption apparatus according to Appendix 6, comprising
an adjustment value calculation unit that calculates the fixed-length adjustment value from the plaintext decrypted by the plaintext decryption unit,
wherein the fixed-length value decryption unit is configured to generate the fixed-length value by decrypting the mask value using the adjustment value calculated by the adjustment value calculation unit.
(Appendix 7-1)
The authenticated decryption apparatus according to Appendix 7, wherein
the tampering inspection unit inspects for the presence or absence of tampering on the basis of a threshold stored in advance and the absolute value of the difference between the fixed-length value and the expected value stored in advance.
(Appendix 8)
An authenticated cryptography system comprising:
an authenticated encryption apparatus that includes
a plaintext input unit that accepts input of a plaintext,
a fixed-length value generation unit that generates a new fixed-length value different from any value generated in the past,
a mask value generation unit that encrypts the fixed-length value using an adjustment value based on the plaintext to generate a mask value,
a plaintext encryption unit that encrypts the plaintext using the mask value generated by the mask value generation unit to generate a ciphertext, and
a tag generation unit that encrypts the mask value generated by the mask value generation unit to generate a tag,
and that outputs the ciphertext produced by the plaintext encryption unit and the tag generated by the tag generation unit; and
an authenticated decryption apparatus that includes
a ciphertext input unit that accepts input of a ciphertext and a tag,
a mask value decryption unit that decrypts the tag input to the ciphertext input unit to generate a mask value,
a plaintext decryption unit that decrypts the ciphertext accepted by the ciphertext input unit using the mask value generated by the mask value decryption unit to generate a plaintext,
a fixed-length value decryption unit that decrypts the mask value generated by the mask value decryption unit using an adjustment value based on the plaintext generated by the plaintext decryption unit to generate a fixed-length value, and
a tampering inspection unit that inspects for the presence or absence of tampering by comparing the fixed-length value generated by the fixed-length value decryption unit with an expected value stored in advance,
and that outputs the presence or absence of tampering determined by the tampering inspection unit and the plaintext generated by the plaintext decryption unit.
(Appendix 9)
An authenticated encryption method comprising:
accepting input of a plaintext;
generating a new fixed-length value different from any value generated in the past;
encrypting the fixed-length value using an adjustment value based on the plaintext to generate a mask value;
encrypting the plaintext using the generated mask value to generate a ciphertext;
encrypting the generated mask value to generate a tag; and
outputting the ciphertext and the tag.
(Appendix 9-1)
An authenticated decryption method comprising:
accepting input of a ciphertext to be decrypted and a tag;
decrypting the tag to generate a mask value;
decrypting the ciphertext using the mask value to generate a plaintext;
decrypting the mask value using an adjustment value based on the plaintext to generate a fixed-length value;
inspecting for the presence or absence of tampering by comparing the fixed-length value with an expected value stored in advance; and
outputting the presence or absence of tampering and the plaintext.
(Appendix 9-2)
An authenticated cryptographic processing method comprising:
accepting input of a plaintext;
generating a new fixed-length value different from any value generated in the past;
encrypting the fixed-length value using an adjustment value based on the plaintext to generate a mask value;
encrypting the plaintext using the generated mask value to generate a ciphertext;
encrypting the generated mask value to generate a tag;
outputting the ciphertext and the tag;
accepting input of the ciphertext and the tag;
decrypting the tag to generate the mask value;
decrypting the ciphertext using the mask value to generate the plaintext;
decrypting the mask value using the adjustment value based on the plaintext to generate the fixed-length value;
inspecting for the presence or absence of tampering by comparing the fixed-length value with an expected value stored in advance; and
outputting the presence or absence of tampering and the plaintext.
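The encryption and decryption flow of Appendices 3, 4 and 9-2 as a runnable sketch; this is an added example, not code from the patent. Assumptions not stated on the page: the SHA-256 Feistel stand-in for the block cipher, the hashed subkeys, the LRW-style way the adjustment value enters the mask encryption, powers of 2 in GF(2^128) as the per-block constants, and whole-block messages only (the final-block rule of Appendix 5 is left out).

```python
import hashlib
import hmac

BLOCK = 16  # block length in bytes (128-bit blocks)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def subkey(key, label):
    # Assumption: one independent subkey per role, derived by hashing.
    return hashlib.sha256(label + key).digest()

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key, block):
    """Stand-in block cipher: 8-round Feistel over SHA-256 (illustration only, not AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def D(key, block):
    """Inverse permutation of E."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def double(block):
    """Multiply by the constant 2 in GF(2^128), polynomial x^128 + x^7 + x^2 + x + 1."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "big")

def split(data):
    if len(data) % BLOCK:
        raise ValueError("sketch handles whole blocks only")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def checksum(blocks):
    """Adjustment value of Appendix 3: XOR of all plaintext blocks."""
    s = bytes(BLOCK)
    for blk in blocks:
        s = xor(s, blk)
    return s

def mask_from_value(key, adjustment, value):
    """Encrypt the fixed-length value under the adjustment value (assumed LRW-style)."""
    delta = E(subkey(key, b"tweak"), adjustment)
    return xor(E(subkey(key, b"mask"), xor(value, delta)), delta)

def value_from_mask(key, adjustment, mask):
    """Inverse of mask_from_value for the same adjustment value."""
    delta = E(subkey(key, b"tweak"), adjustment)
    return xor(D(subkey(key, b"mask"), xor(mask, delta)), delta)

def encrypt(key, plaintext, value):
    """value: fresh fixed-length value, e.g. a message counter encoded in 16 bytes."""
    blocks = split(plaintext)
    mask = mask_from_value(key, checksum(blocks), value)
    k_data, offset, out = subkey(key, b"data"), mask, []
    for blk in blocks:
        offset = double(offset)  # multiplication value: 2^i times the mask
        out.append(xor(E(k_data, xor(blk, offset)), offset))  # Appendix 4
    tag = E(subkey(key, b"tag"), mask)  # the tag is the encrypted mask
    return b"".join(out), tag

def decrypt(key, ciphertext, tag, expected_value):
    mask = D(subkey(key, b"tag"), tag)
    k_data, offset, blocks = subkey(key, b"data"), mask, []
    for blk in split(ciphertext):
        offset = double(offset)
        blocks.append(xor(D(k_data, xor(blk, offset)), offset))
    # The adjustment value is recomputed from the recovered plaintext, so any
    # change to ciphertext or tag alters the value obtained from the mask.
    value = value_from_mask(key, checksum(blocks), mask)
    ok = hmac.compare_digest(value, expected_value)
    # The appendices output the plaintext together with the verdict; this
    # sketch withholds the plaintext when the check fails.
    return ok, (b"".join(blocks) if ok else None)

if __name__ == "__main__":
    key = b"constructed demo key"            # constructed sample values
    counter = (1).to_bytes(BLOCK, "big")
    ct, tag = encrypt(key, b"transfer 100 EUR to account 0042", counter)
    print(decrypt(key, ct, tag, counter))
    print(decrypt(key, ct[BLOCK:] + ct[:BLOCK], tag, counter))  # reordered blocks
```

The tag is the same length as one block, and the receiver needs the expected fixed-length value (here the counter) before it can check anything.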
(Appendix 10)
A program that causes an information processing apparatus to realize:
a plaintext input unit that accepts input of a plaintext;
a fixed-length value generation unit that generates a new fixed-length value different from any value generated in the past;
a mask value generation unit that encrypts the fixed-length value using an adjustment value based on the plaintext to generate a mask value;
a plaintext encryption unit that encrypts the plaintext using the mask value generated by the mask value generation unit to generate a ciphertext; and
a tag generation unit that encrypts the mask value generated by the mask value generation unit to generate a tag,
and to output the ciphertext produced by the plaintext encryption unit and the tag generated by the tag generation unit.
(Appendix 10-1)
A program that causes an information processing apparatus to realize:
a ciphertext input unit that accepts input of a ciphertext to be decrypted and a tag;
a mask value decryption unit that decrypts the tag input to the ciphertext input unit to generate a mask value;
a plaintext decryption unit that decrypts the ciphertext using the mask value generated by the mask value decryption unit to generate a plaintext;
a fixed-length value decryption unit that decrypts the mask value using an adjustment value based on the plaintext to generate a fixed-length value; and
a tampering inspection unit that inspects for the presence or absence of tampering by comparing the fixed-length value with an expected value stored in advance,
and to output the presence or absence of tampering determined by the tampering inspection unit and the plaintext generated by the plaintext decryption unit.
Note that the programs described in the above embodiments and appendices are stored in a storage device or recorded on a computer-readable recording medium. For example, the recording medium is a portable medium such as a flexible disk, an optical disk, a magneto-optical disk, or a semiconductor memory.
Although the present invention has been described with reference to the above embodiments, the present invention is not limited to those embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within its scope.
The present invention claims the benefit of priority based on Japanese Patent Application No. 2014-221754, filed in Japan on October 30, 2014, and the entire contents of that application are incorporated herein.
1, 3 Authenticated encryption apparatus
10 Plaintext input means
11 Initial vector generation means
12 Checksum calculation means
13 Block encryption means with adjustment value
131, 133, 135 Encryption unit
132, 134 Calculation unit
14 Masked encryption means
141 Calculation unit
142 Encryption unit
15 Tag generation means
16 Ciphertext output means
2, 4 Authenticated decryption apparatus
21 Mask generation means
22 Masked decryption means
23 Checksum calculation means
24 Block decryption means with adjustment value
25 Initial vector inspection means
26 Plaintext output means
31 Plaintext input unit
32 Fixed-length value generation unit
33 Mask value generation unit
34 Plaintext encryption unit
35 Tag generation unit
41 Ciphertext input unit
42 Mask value decryption unit
43 Plaintext decryption unit
44 Fixed-length value decryption unit
45 Tampering inspection unit

Claims (10)

  1.  An authenticated encryption apparatus comprising:
      a plaintext input unit that accepts input of a plaintext;
      a fixed-length value generation unit that generates a new fixed-length value different from any value generated in the past;
      a mask value generation unit that encrypts the fixed-length value using an adjustment value based on the plaintext to generate a mask value;
      a plaintext encryption unit that encrypts the plaintext using the mask value generated by the mask value generation unit to generate a ciphertext; and
      a tag generation unit that encrypts the mask value generated by the mask value generation unit to generate a tag,
      the apparatus being configured to output the ciphertext produced by the plaintext encryption unit and the tag generated by the tag generation unit.
  2.  The authenticated encryption apparatus according to claim 1, comprising
      an adjustment value calculation unit that calculates the fixed-length adjustment value from the plaintext input to the plaintext input unit,
      wherein the mask value generation unit is configured to generate the mask value by encrypting the fixed-length value using the adjustment value calculated by the adjustment value calculation unit.
  3.  The authenticated encryption apparatus according to claim 2, wherein
      the adjustment value calculation unit is configured to calculate the adjustment value by computing the exclusive OR of the blocks obtained when the plaintext input to the plaintext input unit is divided into blocks of a predetermined length.
  4.  The authenticated encryption apparatus according to any one of claims 1 to 3, wherein
      the plaintext encryption unit is configured to encrypt the plaintext and generate the ciphertext by: computing the exclusive OR of the value of a plaintext block, which is one of the blocks obtained when the plaintext is divided into blocks of a predetermined length, and a multiplication value, which is the product of the mask value and a finite-field constant that depends on the position of that plaintext block in the plaintext; then encrypting the result with a predetermined block cipher; and then computing the exclusive OR of the encryption result and the multiplication value.
  5.  The authenticated encryption apparatus according to claim 4, wherein
      the plaintext encryption unit is configured to encrypt the final block, which is the last of the blocks obtained when the plaintext is divided into blocks of a predetermined length, by computing the exclusive OR of the value of that final block of the plaintext and a value calculated on the basis of the result of encrypting a finite-field constant corresponding to the final block.
  6.  An authenticated decryption apparatus comprising:
      a ciphertext input unit that accepts input of a ciphertext to be decrypted and a tag;
      a mask value decryption unit that decrypts the tag input to the ciphertext input unit to generate a mask value;
      a plaintext decryption unit that decrypts the ciphertext using the mask value generated by the mask value decryption unit to generate a plaintext;
      a fixed-length value decryption unit that decrypts the mask value using an adjustment value based on the plaintext to generate a fixed-length value; and
      a tampering inspection unit that inspects for the presence or absence of tampering by comparing the fixed-length value with an expected value stored in advance,
      the apparatus being configured to output the presence or absence of tampering determined by the tampering inspection unit and the plaintext generated by the plaintext decryption unit.
  7.  The authenticated decryption apparatus according to claim 6, comprising
      an adjustment value calculation unit that calculates the fixed-length adjustment value from the plaintext decrypted by the plaintext decryption unit,
      wherein the fixed-length value decryption unit is configured to generate the fixed-length value by decrypting the mask value using the adjustment value calculated by the adjustment value calculation unit.
  8.  An authenticated cryptography system comprising:
      an authenticated encryption apparatus that includes
      a plaintext input unit that accepts input of a plaintext,
      a fixed-length value generation unit that generates a new fixed-length value different from any value generated in the past,
      a mask value generation unit that encrypts the fixed-length value using an adjustment value based on the plaintext to generate a mask value,
      a plaintext encryption unit that encrypts the plaintext using the mask value generated by the mask value generation unit to generate a ciphertext, and
      a tag generation unit that encrypts the mask value generated by the mask value generation unit to generate a tag,
      and that outputs the ciphertext produced by the plaintext encryption unit and the tag generated by the tag generation unit; and
      an authenticated decryption apparatus that includes
      a ciphertext input unit that accepts input of a ciphertext and a tag,
      a mask value decryption unit that decrypts the tag input to the ciphertext input unit to generate a mask value,
      a plaintext decryption unit that decrypts the ciphertext accepted by the ciphertext input unit using the mask value generated by the mask value decryption unit to generate a plaintext,
      a fixed-length value decryption unit that decrypts the mask value generated by the mask value decryption unit using an adjustment value based on the plaintext generated by the plaintext decryption unit to generate a fixed-length value, and
      a tampering inspection unit that inspects for the presence or absence of tampering by comparing the fixed-length value generated by the fixed-length value decryption unit with an expected value stored in advance,
      and that outputs the presence or absence of tampering determined by the tampering inspection unit and the plaintext generated by the plaintext decryption unit.
  9.  An authenticated encryption method comprising:
      accepting input of a plaintext;
      generating a new fixed-length value different from any value generated in the past;
      encrypting the fixed-length value using an adjustment value based on the plaintext to generate a mask value;
      encrypting the plaintext using the generated mask value to generate a ciphertext;
      encrypting the generated mask value to generate a tag; and
      outputting the ciphertext and the tag.
  10.  A program that causes an information processing apparatus to realize:
      a plaintext input unit that accepts input of a plaintext;
      a fixed-length value generation unit that generates a new fixed-length value different from any value generated in the past;
      a mask value generation unit that encrypts the fixed-length value using an adjustment value based on the plaintext to generate a mask value;
      a plaintext encryption unit that encrypts the plaintext using the mask value generated by the mask value generation unit to generate a ciphertext; and
      a tag generation unit that encrypts the mask value generated by the mask value generation unit to generate a tag,
      and to output the ciphertext produced by the plaintext encryption unit and the tag generated by the tag generation unit.

PCT/JP2015/005042 2014-10-30 2015-10-02 Authenticated encryption apparatus, authenticated decryption apparatus, authenticated cryptography system, authenticated encryption method, and program WO2016067524A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2016556190A JPWO2016067524A1 (en) 2014-10-30 2015-10-02 Authenticated encryption device, authenticated decryption device, authenticated encryption system, authenticated encryption method, program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014-221754 2014-10-30
JP2014221754 2014-10-30

Publications (1)

Publication Number Publication Date
WO2016067524A1 true WO2016067524A1 (en) 2016-05-06

Family

ID=55856893

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/005042 WO2016067524A1 (en) 2014-10-30 2015-10-02 Authenticated encryption apparatus, authenticated decryption apparatus, authenticated cryptography system, authenticated encryption method, and program

Country Status (2)

Country Link
JP (1) JPWO2016067524A1 (en)
WO (1) WO2016067524A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021171543A1 (en) * 2020-02-28 2021-09-02 日本電気株式会社 Authentication encryption device, authentication decryption device, authentication encryption method, authentication decryption method, and storage medium
US11349668B2 (en) 2017-02-21 2022-05-31 Mitsubishi Electric Corporation Encryption device and decryption device
US11522712B2 (en) 2018-08-30 2022-12-06 Mitsubishi Electric Corporation Message authentication apparatus, message authentication method, and computer readable medium
US11750398B2 (en) 2018-09-27 2023-09-05 Nec Corporation MAC tag list generation apparatus, MAC tag list verification apparatus, aggregate MAC verification system and method
JP7362676B2 (en) 2018-06-18 2023-10-17 コーニンクレッカ フィリップス エヌ ヴェ Devices for data encryption and integrity
US11824993B2 (en) 2019-04-18 2023-11-21 Nec Corporation MAC tag list generation apparatus, MAC tag list verification apparatus, method, and program

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060285684A1 (en) * 2001-07-30 2006-12-21 Rogaway Phillip W Method and apparatus for facilitating efficient authenticated encryption

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
ABED, F. ET AL.: "The POET Family of On-Line Authenticated Encryption Schemes, Version 1.01", COMPETITIONS, 15 March 2014 (2014-03-15), pages 1 - 65, XP055278686, Retrieved from the Internet <URL:http://competitions.cr.yp.to/round1/poetv101.pdf> [retrieved on 20151216] *
DATTA, N. ET AL.: "ELmD v1.0", COMPETITIONS, 15 March 2014 (2014-03-15), pages 1 - 37, XP055278678, Retrieved from the Internet <URL:http://competitions.cr.yp.to/round1/elmdv10.pdf> [retrieved on 20151216] *
HOSSEINI, H. ET AL.: "CBA Mode (v1) - A Submission to CAESAR Competition for Authenticated Encryption", COMPETITIONS, 15 March 2014 (2014-03-15), pages 1 - 14, XP055278677, Retrieved from the Internet <URL:http://competitions.cr.yp.to/round1/cbav1.pdf> [retrieved on 20151216] *
MEYER, C. H. ET AL., CRYPTOGRAPHY: A NEW DIMENSION IN COMPUTER SECURITY, 1982, pages 100 - 105 *
SASAKI, Y. ET AL.: "Minalpher v1", COMPETITIONS, 15 March 2014 (2014-03-15), pages 1 - 70, XP055278683, Retrieved from the Internet <URL:http://competitions.cr.yp.to/round1/minalpherv1.pdf> [retrieved on 20151216] *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11349668B2 (en) 2017-02-21 2022-05-31 Mitsubishi Electric Corporation Encryption device and decryption device
JP7362676B2 (en) 2018-06-18 2023-10-17 コーニンクレッカ フィリップス エヌ ヴェ Devices for data encryption and integrity
US11522712B2 (en) 2018-08-30 2022-12-06 Mitsubishi Electric Corporation Message authentication apparatus, message authentication method, and computer readable medium
US11750398B2 (en) 2018-09-27 2023-09-05 Nec Corporation MAC tag list generation apparatus, MAC tag list verification apparatus, aggregate MAC verification system and method
US11824993B2 (en) 2019-04-18 2023-11-21 Nec Corporation MAC tag list generation apparatus, MAC tag list verification apparatus, method, and program
WO2021171543A1 (en) * 2020-02-28 2021-09-02 日本電気株式会社 Authentication encryption device, authentication decryption device, authentication encryption method, authentication decryption method, and storage medium
JP7371757B2 (en) 2020-02-28 2023-10-31 日本電気株式会社 Authentication encryption device, authentication decryption device, authentication encryption method, authentication decryption method and program

Also Published As

Publication number Publication date
JPWO2016067524A1 (en) 2017-08-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15855905

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2016556190

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15855905

Country of ref document: EP

Kind code of ref document: A1