WO2016067524A1 - Authenticated encryption device, authenticated decryption device, authenticated encryption system, authenticated encryption method, and program - Google Patents


Info

Publication number
WO2016067524A1
Authority
WO
WIPO (PCT)
Prior art keywords
plaintext
value
unit
encryption
mask
Prior art date
Application number
PCT/JP2015/005042
Other languages
English (en)
Japanese (ja)
Inventor
一彦 峯松
Original Assignee
日本電気株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社
Priority to JP2016556190A
Publication of WO2016067524A1

Classifications

    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to an authenticated encryption device, an authenticated decryption device, an authenticated encryption system, an authenticated encryption method, and a program that can both conceal content and detect unauthorized tampering.
  • Patent Document 1 is known as an encryption technique.
  • a shared key block cipher application key is generated based on an encryption key as a shared secret key and an initial vector, and plaintext is encrypted based on the shared key block cipher application key. Thereafter, data obtained by concatenating the generated ciphertext and the initial vector is transmitted.
  • According to Patent Document 1, using such a method makes it possible to encrypt plaintext while preventing cryptanalysis such as differential power analysis.
  • Patent Document 2 describes a probabilistic symmetric encryption method that includes a step of encoding plaintext using an error correction code, a step of encrypting a codeword encoded based on the encoded plaintext, a secret key, and a random vector, and a step of adding a noise vector to the codeword. According to Patent Document 2, secure encryption can be realized at low cost by such a method.
  • In Non-Patent Documents 1 and 2, an encryption function that takes a secret key as a parameter is used to generate, from an initial vector and plaintext, a ciphertext and a tag, which is a fixed-length value for detecting alteration.
  • the secret key is K
  • the plaintext is M
  • the initial vector is N
  • the encryption function with the key K as a parameter is AEnc_K
  • the ciphertext is C
  • the tag is T.
  • In Non-Patent Documents 1 and 2, after the above processing, the generated ciphertext C, tag T, and initial vector N are transmitted to the other party (decryption device). The decryption device that receives them then checks for alteration and decrypts the plaintext M using the received values and the decryption function ADec_K. It is assumed that the initial vector N is generated so that the same value does not occur twice by chance.
  • the length of the ciphertext C is the sum of the lengths of the initial vector N and the plaintext M.
  • the decryption side uses the shared key K to apply the inverse permutation of P_K to the ciphertext C to obtain (N, M), and then performs the authentication check by confirming whether or not N is the expected value.
  • the technique of Non-Patent Document 3 requires that the decryption side knows in advance the initial vector N to be used by the encryption side. This can be realized if the encryption side and the decryption side are synchronized with respect to the update of the initial vector N. Typically, this is achieved by the decryption side storing the initial vector of the valid ciphertext sent immediately before. This is a natural condition when the decryption side is required to detect and reject replay attacks.
  • NIST Special Publication 800-38C Recommendation for Block Cipher Modes of Operation The CCM Mode for Authentication and Confidentiality http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
  • NIST Special Publication 800-38D Recommendation for Block Cipher Modes of Operation Galois / Counter Mode (GCM) and GMAC http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
  • D. McGrew. Authenticated Encryption with Replay prOtection (AERO) https://tools.ietf.org/html/draft-mcgrew-aero-00
  • In Non-Patent Documents 1 and 2, encrypting the plaintext M requires transmitting the ciphertext C, which has the same length as the plaintext M, concatenated with the initial vector N and the tag T.
  • both the initial vector N and the tag T are short values of about 4 bytes to 32 bytes.
  • the increase in communication bandwidth due to the addition of the initial vector N and the tag T cannot be ignored.
  • Such a case is frequently seen, for example, in a device of a wireless sensor network. In such a network, the communication band is one of the important factors that influence power consumption. Therefore, bandwidth reduction has become an important issue.
  • In Non-Patent Document 3, the information to be transmitted is only the ciphertext C, and its length is the sum of the lengths of the initial vector N and the plaintext M as described above. Therefore, it is possible to suppress an increase in the communication band as compared with Non-Patent Documents 1 and 2.
  • one block cipher finite field GF(2^n) multiplication (where n is the block size) is required twice per block of input length. Therefore, the load becomes very large compared with general encryption, and there has been a problem that encryption efficiency is poor.
  • an object of the present invention is to provide an authenticated encryption apparatus that solves the problem that it is difficult to efficiently prevent an increase in bandwidth when using an authenticated encryption method.
  • an authenticated encryption apparatus includes: a plaintext input unit that receives plaintext input; a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past; a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext; a plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; and a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit. The apparatus is configured to output the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit.
  • the decryption apparatus with authentication which is another embodiment of the present invention is as follows.
  • a ciphertext input unit that accepts input of a ciphertext and a tag to be decrypted;
  • a mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value;
  • a plaintext decryption unit that decrypts the ciphertext and generates a plaintext using the mask value generated by the mask value decryption unit;
  • a fixed length decoding unit that generates a fixed length value by decoding the mask value using an adjustment value based on the plaintext;
  • a tamper inspection unit that inspects the presence or absence of tampering by comparing the fixed length value and the expected value stored in advance; the apparatus is configured to output the presence / absence of tampering inspected by the tamper inspection unit and the plaintext generated by the plaintext decryption unit.
  • the encryption system with authentication which is another form of this invention includes: an authenticated encryption device that has a plaintext input unit that receives plaintext input, a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past, a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext, a plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit, and a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit, and that outputs the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit; a ciphertext input unit that accepts input of ciphertext and tags; a mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value; Using the mask value generated by the mask value decryption unit, the plaintext decryption unit that decryption
  • an authenticated encryption method is as follows: accepting plaintext input; generating a new fixed-length value that is different from values generated in the past; generating a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext; generating a ciphertext by encrypting the plaintext using the generated mask value; generating a tag by encrypting the generated mask value; and outputting the ciphertext and the tag.
  • the program which is another form of this invention causes an information processing device to realize: a plaintext input unit that receives plaintext input; a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past; a mask value generation unit that generates a mask value by encrypting the fixed-length value using an adjustment value based on the plaintext; a plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; and a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit. It is a program for outputting the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit.
  • the present invention makes it possible to provide an authenticated encryption apparatus that solves the problem that it is difficult to efficiently prevent an increase in bandwidth when using an authenticated encryption method.
  • FIG. 1 A diagram showing an example of the configuration of the authenticated encryption system composed of the authenticated encryption apparatus and the authenticated decryption apparatus. A schematic block diagram showing the outline of the configuration of the authenticated encryption apparatus according to the 3rd Embodiment of this invention. A schematic block diagram showing the outline of the configuration of the authenticated decryption apparatus according to the 4th Embodiment of this invention. A schematic block diagram showing the outline of the configuration of the authenticated encryption system according to the 4th Embodiment of this invention.
  • FIG. 1 is a block diagram showing an example of the configuration of the encryption device with authentication 1 according to the first embodiment of the present invention.
  • FIG. 2 is a diagram illustrating an example of a checksum calculation method performed by the checksum calculation unit 12 of the authenticated encryption apparatus 1.
  • FIG. 3 is a diagram illustrating an example of an encryption process performed by the adjustment value-added block encryption unit 13 of the authenticated encryption apparatus 1.
  • FIG. 4 is a diagram illustrating another example of the encryption process performed by the adjustment value-added block encryption unit 13 of the authenticated encryption apparatus 1.
  • FIG. 5 is a diagram illustrating an example of the encryption process performed by the encryption unit with mask 14 of the encryption device with authentication 1.
  • FIG. 6 is a diagram illustrating an example of the encryption process performed by the encryption unit with mask 14 of the encryption device with authentication 1.
  • FIG. 7 is a flowchart showing an example of the operation of the authenticated encryption apparatus 1.
  • an encryption apparatus with authentication 1 that uses a common key cryptosystem to encrypt and output input plaintext.
  • the authenticated encryption apparatus 1 in this embodiment is configured to perform an authenticated encryption process.
  • the authenticated encryption device 1 encrypts the input plaintext by a predetermined process, and then outputs a ciphertext obtained by encrypting the plaintext and a tag described later.
  • the encryption device with authentication 1 in the present embodiment is an information processing device having an arithmetic device and a storage device.
  • a program is stored in the storage device, and each unit to be described later is realized by the arithmetic device reading and executing the program stored in the storage device.
  • the authenticated encryption apparatus 1 includes a plaintext input unit 10 (plaintext input unit), an initial vector generation unit 11 (fixed length value generation unit), a checksum calculation unit 12 (adjustment value calculation unit), a block encryption unit with adjustment value 13 (mask value generation unit), an encryption unit with mask 14 (plaintext encryption unit), a tag generation unit 15 (tag generation unit), and a ciphertext output means 16.
  • the plaintext input means 10 (plaintext input unit) is a means for inputting plaintext M to be encrypted.
  • the plaintext input means 10 is composed of a character input device such as a keyboard, for example.
  • the plaintext input unit 10 may be configured to be able to input the plaintext M from an external device connected via a network, for example.
  • plaintext M is input via the plaintext input means 10. Then, the plaintext input means 10 to which the plaintext M has been input outputs the input plaintext M to the checksum calculation means 12 and the masked encryption means 14.
  • the initial vector generation means 11 generates the initial vector N so as not to overlap with values generated in the past. Thereafter, the initial vector generating unit 11 outputs the generated initial vector N to the block encryption unit 13 with adjustment value.
  • the initial vector update function used by the initial vector generation unit 11 is not limited to the above example.
  • the initial vector generation means 11 can be configured to use various functions for generating an initial vector N different from values generated in the past. Further, the initial vector generation means 11 may be configured to generate the initial vector N by combining other auxiliary information such as time information. In this case, the auxiliary information used when generating the initial vector N is assumed to be synchronized on the encryption side and the decryption side.
  • the initial vector generation means 11 in this embodiment generates an n-bit initial vector. If the value corresponding to the initial vector generated by the initial vector generation unit 11 is shorter than n bits, the initial vector generation unit 11 generates an n-bit initial vector after performing appropriate padding.
  • the checksum calculation unit 12 calculates an n-bit checksum SUM (adjustment value) from the plaintext M acquired from the plaintext input unit 10 by simple calculation.
  • FIG. 2 shows an example of processing when the checksum calculation means 12 calculates the checksum SUM.
  • the checksum calculation unit 12 divides the plaintext M acquired from the plaintext input unit 10 into blocks (M [1],..., M [m]) every n bits.
  • the exclusive OR (XOR) of the plaintext blocks is calculated.
  • the calculation result is an n-bit checksum SUM (adjustment value). Note that when the plaintext M is divided into blocks each having n bits in this way, the final block M [m] may be less than n bits.
  • the checksum calculation means 12 calculates an exclusive OR after applying appropriate padding to the final block (see FIG. 2).
  • the checksum calculation means 12 calculates the checksum SUM by such processing, for example. Thereafter, the checksum calculation unit 12 outputs the calculated checksum SUM to the block encryption unit 13 with adjustment value.
  • the checksum calculation means 12 may be configured to calculate the checksum SUM by a process other than the above process.
  • the checksum calculation means 12 can be configured to use, for example, arithmetic addition or cyclic redundancy check (CRC) instead of exclusive OR.
  • CRC cyclic redundancy check
  • the block encryption unit with adjustment value 13 (mask value generation unit, tweakable block encryption unit) encrypts the initial vector N generated by the initial vector generation unit 11, using the checksum SUM acquired from the checksum calculation unit 12 as the adjustment value (tweak).
  • the adjustment value-added block encryption means 13 can be realized by using a normal n-bit block cipher.
  • FIG. 3 shows an example of the encryption process performed by the adjustment value-added block encryption means 13.
  • the block encryption means with adjustment value 13 includes, for example, an encryption unit 131 that performs encryption using a key K1 and a block cipher E, and a calculation unit 132 that performs a predetermined calculation process using a keyed function H with n-bit input / output whose key K2 is different from the key K1.
  • as the block cipher E, for example, a general block cipher scheme such as AES (Advanced Encryption Standard) can be adopted. This process uses the method described in M. Liskov, R. L. Rivest, D. Wagner: Tweakable Block Ciphers. Advances in Cryptology-CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 2002, Proceedings. Lecture Notes in Computer Science 2442 Springer 2002, pp. 31-46.
  • the function H used in the calculation unit 132 has a checksum SUM and a key K2 as arguments. Therefore, the calculation unit 132 performs a calculation process using the checksum SUM acquired from the checksum calculation unit 12 and the key K2 stored in advance.
  • the adjustment value-added block encryption means 13 calculates an exclusive OR of H(SUM), which is the calculation result of the calculation unit 132, and the initial vector N after the above processing, and the encryption unit 131 performs encryption based on the result. Then, the block encryption means with adjustment value 13 calculates the exclusive OR of the result of encryption by the encryption unit 131 and the result of calculation by the calculation unit 132, and outputs the calculation result as a mask L (mask value).
  • the adjustment value-added block encryption means 13 is configured to calculate the mask L by executing the following processing, for example.
  • L = E(H(SUM) + N) + H(SUM)
  • L represents a mask L
  • SUM represents a checksum SUM
  • N represents an initial vector N. + Represents an exclusive OR for each bit (hereinafter the same).
  • the adjustment value-attached block encryption means 13 encrypts the initial vector N and generates the mask L. Thereafter, the block encryption means 13 with adjustment value outputs an n-bit mask L, which is the result of encryption, to the encryption means 14 with mask and the tag generation means 15.
  • the block encryption unit with adjustment value 13 may be configured to encrypt the initial vector N by a process other than the above.
  • the case where the key K1 and the key K2 are used has been described.
  • the entire key may be a single block cipher key. An example of such a case will be described with reference to FIG. In FIG.
  • the adjustment value-attached block encryption means 13 includes, for example, an encryption unit 133 that performs encryption using a key K1 and a block cipher E, a calculation unit 134 that multiplies the element 2 of the Galois field GF(2^n) by the result of encryption by the encryption unit 135 described later, and an encryption unit 135 that encrypts the checksum SUM using the key K1 and the block cipher E.
  • the block encryption means with adjustment value 13 calculates the exclusive OR of mul(2, E(SUM)), which is the calculation result of the calculation unit 134, and the initial vector N, and the encryption unit 133 performs encryption based on the result.
  • the block encryption means with adjustment value 13 calculates the exclusive OR of the result of encryption by the encryption unit 133 and the result of calculation by the calculation unit 134, and then outputs the calculation result as a mask L.
  • the adjustment value-added block encryption means 13 can be configured to calculate the mask L by executing the following processing, for example.
  • L = E(mul(2, E(SUM)) + N) + mul(2, E(SUM))
  • mul(2, E(SUM)) represents multiplication of the element 2 on the Galois field GF(2^n) and E(SUM).
  • the encryption unit with mask 14 (plaintext encryption unit) generates the ciphertext C by encrypting the plaintext M acquired from the plaintext input unit 10 using the mask L acquired from the block encryption unit with adjustment value 13. For example, the masked encryption unit 14 encrypts each block (M[1] to M[m]) obtained by dividing the plaintext M into n bits. From the viewpoint of security, the encryption unit with mask 14 is assumed to perform encryption such that, when the ciphertext C and a different ciphertext C′ are decrypted with the same mask L, at least one block of the decryption result is, with high probability, an unpredictable random number to anyone who does not know the key.
  • FIG. 5 shows an example of processing when the masked encryption unit 14 encrypts plaintext M[i] (where i is any value between 1 and m-1), with the plaintext M being a sequence of n-bit blocks (M[1], ..., M[m]).
  • the encryption means with mask 14 has, for example, a calculation unit 141 that multiplies the mask L by the constant 2 in the Galois field raised to the i-th power (in the case of plaintext M[i]; i is a value corresponding to the order of the plaintext blocks), and an encryption unit 142 that performs encryption using the key K1 and the block cipher E.
  • the calculation unit 141 multiplies the mask L by the i-th power of 2 on the Galois field (i corresponds to a value indicating the order of plaintext blocks). Thereafter, the encryption means with mask 14 calculates an exclusive OR of mul(2^i, L), which is the calculation result of the calculation unit 141, and plaintext M[i], and the encryption unit 142 performs encryption based on the result. The masked encryption unit 14 calculates the exclusive OR of the result of encryption by the encryption unit 142 and the result of calculation by the calculation unit 141, and then outputs the calculation result.
  • the encryption unit with mask 14 is configured to encrypt the plaintext M [i] and output the ciphertext C [i] by executing the following processing, for example.
  • C[i] = E(mul(2^i, L) + M[i]) + mul(2^i, L)
  • C [i] represents ciphertext C [i]
  • M [i] represents plaintext M [i].
  • the encryption means with mask 14 performs the above encryption processing from plaintext M[1] to plaintext M[m-1] (see FIG. 6). Also, the final block M[m] when the plaintext M is divided into n-bit blocks may be less than n bits. Therefore, for example, as shown below, the encryption means with mask 14 outputs the exclusive OR of the result of encrypting the constant and the plaintext M[m] as the ciphertext C[m] (see FIG. 6).
  • C [m] msb_
  • msb_a (X) is a function for extracting the front a bits of X.
  • is a function representing the bit length of X. That is, msb_
  • the ciphertext C [m] is generated by calculating an exclusive OR of the value extracted by the above process and M [m].
  • the encryption unit with mask 14 encrypts the plaintext M input to the plaintext input unit 10 to generate a ciphertext C. Thereafter, the encryption unit with mask 14 outputs the generated ciphertext C to the ciphertext output unit 16.
  • the block encryption means with adjustment value 13 has been described above.
  • L = E(mul(2, E(SUM)) + N) + mul(2, E(SUM))
  • the encryption unit with mask 14 needs to use a constant different from the block encryption unit 13 with adjustment value. This can be realized, for example, by using mul(2^(i+1), L) in place of mul(2^i, L). That is, in the above case, for example, the calculation unit 141 is configured to multiply the mask L by 2^(i+1).
  • the tag generation unit 15 (tag generation unit) generates a tag T using the mask L acquired from the block encryption unit 13 with adjustment value.
  • the tag T is decrypted into a mask L by a decryption device and used for message authentication and decryption of the ciphertext C.
  • the tag generation unit 15 generates the tag T by encrypting the mask L using a block cipher such as AES. Thereafter, the tag generation unit 15 outputs the generated tag T to the ciphertext output unit 16.
  • the ciphertext output means 16 concatenates the ciphertext C output from the masked encryption means 14 and the tag T output from the tag generation means 15 and outputs the result to an external device.
  • the ciphertext output unit 16 is connected to, for example, a display device or a printer device, and outputs the ciphertext C and the tag T to the display device or the printer device. Note that the ciphertext output unit 16 may be configured to output the ciphertext C and the tag T to an external device connected via a network, for example.
  • plaintext M is input to the plaintext input means 10 (step S101). Then, the plaintext input means 10 outputs the input plaintext M to the checksum calculation means 12 and the masked encryption means 14.
  • the checksum calculation means 12 calculates a checksum SUM from the plaintext M (step S102). Specifically, for example, the checksum calculation unit 12 calculates the checksum SUM by computing the exclusive OR of the plaintext blocks obtained when the plaintext M acquired from the plaintext input unit 10 is divided into n-bit blocks. Thereafter, the checksum calculation unit 12 outputs the calculated checksum SUM to the block encryption unit 13 with adjustment value.
  • the initial vector generation unit 11 generates an initial vector so that there is no overlap with the value generated by the initial vector generation unit 11 in the past. Then, the initial vector generation unit 11 outputs the generated initial vector to the block encryption unit 13 with adjustment value.
  • the block encryption unit with adjustment value 13 encrypts the initial vector N generated by the initial vector generation unit 11 using the checksum SUM received from the checksum calculation unit 12 as an adjustment value.
  • the adjustment value-added block encryption means 13 generates a mask L (step S103).
  • the adjustment value-attached block encryption means 13 outputs the generated mask L to the masked encryption means 14 and the tag generation means 15.
  • the masked encryption unit 14, which has acquired the plaintext M from the plaintext input unit 10 and the mask L from the block encryption unit 13 with adjustment value, encrypts the plaintext M using the mask L and generates the ciphertext C (step S104). Specifically, the encryption unit with mask 14 encrypts the plaintext M into the ciphertext C by performing a process represented by the following formula, for example.
  • the tag generation unit 15 that has acquired the mask L from the block encryption unit with adjustment value 13 generates a tag T by encrypting the mask L (step S105).
  • the tag generation unit 15 generates the tag T by encrypting the mask L using a block cipher such as AES, for example. Thereafter, the tag generation unit 15 outputs the generated tag T to the ciphertext output unit 16.
  • the ciphertext output means 16 acquires the ciphertext C from the masked encryption means 14. Also, the ciphertext output unit 16 acquires the tag T from the tag generation unit 15. Then, the ciphertext output means 16 connects the acquired ciphertext C and the tag T. Then, the ciphertext output means 16 outputs the ciphertext C and the tag T to an external device such as a display device (step S106).
  • the authenticated encryption apparatus 1 includes a plaintext input unit 10, an initial vector generation unit 11, a checksum calculation unit 12, a block encryption unit 13 with an adjustment value, an encryption means with mask 14, and tag generation means 15.
  • the checksum calculator 12 can calculate the checksum SUM based on the plaintext M input via the plaintext input unit 10.
  • the block encryption unit with adjustment value 13 can generate the mask L by encrypting the initial vector generated by the initial vector generation unit 11 using the checksum SUM as the adjustment value.
  • the encryption means 14 with a mask can generate the ciphertext C by encrypting the plaintext M using the mask L.
  • generation means 15 can produce
  • the ciphertext output unit 16 can output the generated ciphertext C and the tag T.
  • the decryption device that has received the ciphertext C and the tag T can generate the mask L by decrypting the tag T. Further, the decryption device can decrypt the ciphertext C into the plaintext M using the generated mask L. Further, the decryption device can calculate the checksum SUM based on the decrypted plaintext M.
  • the decryption device can generate the initial vector N from the mask L and the checksum SUM by decrypting the mask L. As a result, the decryption device can detect the presence or absence of tampering by comparing the generated initial vector N with the initial vector expected value.
  • the decryption side can decrypt the ciphertext C to generate the plaintext M and can perform message authentication. That is, with the above configuration, the tag T and the initial vector N can be combined, and it becomes possible to realize an authenticated cipher that transmits only the ciphertext C and the tag T, which are generated by simple calculation processing. As a result, it is possible to efficiently prevent an increase in bandwidth when using the authenticated encryption method.
  • the case where the encryption apparatus 1 with authentication uses the ECB (Electronic CodeBook) mode has been described.
  • the encryption device with authentication 1 may be configured to use, for example, a CBC (Cipher Block Chaining) mode.
  • FIG. 8 is a block diagram showing an example of the configuration of the decryption apparatus 2 with authentication according to the second embodiment of the present invention.
  • FIG. 9 is a flowchart showing an example of the operation of the authenticating decryption apparatus 2.
  • the authenticating decryption apparatus 2, which decrypts the ciphertext C and the tag T output from the authenticated encryption apparatus 1 described in the first embodiment to generate plaintext M and detect the presence or absence of tampering, will be described.
  • the decryption apparatus 2 with authentication in the present embodiment is an information processing apparatus having an arithmetic device and a storage device.
  • a program is stored in the storage device, and each unit to be described later is realized by the arithmetic device reading and executing the program stored in the storage device.
  • the decryption apparatus with authentication 2 includes a ciphertext input unit 20 (ciphertext input unit), a mask generation unit 21 (mask value calculation unit), a decryption unit with mask 22 (plaintext decryption unit), a checksum calculation unit 23 (adjustment value calculation unit), an adjustment value-added block decoding unit 24 (initial vector generation unit), an initial vector check unit 25 (initial vector check unit), and a plaintext output unit 26.
  • the ciphertext input unit 20 (ciphertext input unit) is a unit for inputting the ciphertext C and the tag T to be decrypted.
  • the ciphertext input means 20 is configured by a character input device such as a keyboard, for example.
  • the ciphertext input unit 20 may be configured to be able to input the ciphertext C and the tag T from an external device connected via a network or the like, for example.
  • the ciphertext C and the tag T are input via the ciphertext input means 20.
  • the ciphertext input unit 20 to which the ciphertext C and the tag T are input outputs the input tag T to the mask generation unit 21 and outputs the ciphertext C to the masked decryption unit 22.
  • the mask generation unit 21 (mask value calculation unit) generates a mask L using the tag T acquired from the ciphertext input unit 20. For example, the mask generation unit 21 generates the mask L by decrypting the tag T using the block cipher decryption function used in the tag generation unit 15 described in the first embodiment. Thereafter, the mask generating means 21 outputs the generated mask L to the masked decoding means 22 and the adjustment value added block decoding means 24.
  • the masked decryption means 22 decrypts the ciphertext C acquired from the ciphertext input means 20 using the mask L acquired from the mask generation means 21 to generate plaintext M.
  • the decryption unit with mask 22 generates the plaintext M by decrypting the ciphertext C by performing the inverse function D of the encryption unit with mask 14 described in the first embodiment.
  • $M[i] = D(\mathrm{mul}(2^i, L) + C[i]) + \mathrm{mul}(2^i, L)$
  • the decryption means 22 with mask executes, for example, the following process to decrypt the final block C [m] of the ciphertext C.
  • M [m] msb_
  • the decryption means 22 with mask decrypts the ciphertext C input to the ciphertext input means 20 to generate plaintext M. Thereafter, the masked decryption means 22 outputs the generated plaintext M to the checksum calculation means 23 and the plaintext output means 26.
  • the checksum calculator 23 calculates an n-bit checksum SUM from the plaintext M acquired from the masked decryptor 22 by simple calculation. Thereafter, the checksum calculation means 23 outputs the calculated checksum SUM to the block decoding means 24 with adjustment value.
  • the checksum calculation means 23 calculates the checksum SUM by the same process as the checksum calculation means 12 described in the first embodiment.
  • the detailed description of the checksum SUM calculation process performed by the checksum calculation means 23 is the same as that already performed in the first embodiment, and therefore will be omitted.
  • the adjustment value added block decoding means 24 (initial vector generation section) generates the initial vector N by decoding the mask L using the checksum SUM acquired from the checksum calculation means 23 as the adjustment value (tweak). Specifically, the block decryption unit with adjustment value 24 performs the inverse function of the block encryption unit with adjustment value 13 described in the first embodiment, thereby decrypting the mask L and generating the initial vector N. Thereafter, the adjustment value-added block decoding unit 24 outputs the generated initial vector N to the initial vector checking unit 25.
  • the adjustment value-added block decrypting means 24 can be realized by using a normal n-bit block cipher as with the adjustment value-added block encryption means 13.
  • the initial vector check unit 25 compares the initial vector N acquired from the block decryption unit 24 with adjustment value against the initial vector expected value N*, which is the initial vector value expected by the decryption side for the pair of the ciphertext C and the tag T, to detect the presence or absence of tampering.
  • the initial vector checking means 25 outputs the verification result B (ACK if the test passes, NCK if the test fails) after the comparison between the initial vector N and the initial vector expected value N*, and, as necessary, generates the initial vector expected value N*_new used in the next inspection.
  • the initial vector checking means 25 compares the initial vector N and the initial vector expected value N * by the above processing, for example, and outputs the verification result B, which is the comparison result, to the plaintext output means 26. Further, the initial vector checking means 25 updates the initial vector expected value N * when the test is passed.
  • the method of comparison verification performed by the initial vector inspection unit 25 is not limited to the case described above.
  • the initial vector checking unit 25 may be configured to store the threshold value t in advance in a storage unit (not shown) and to determine that the test has passed if the absolute value of the difference between the initial vector N and the initial vector expected value N* is within the threshold value t. With this configuration, the initial vector checking unit 25 can cope with information loss such as packet loss on the communication path.
  • the success probability of the attacker who performs the tampering, that is, the probability that the value of the initial vector N when the illegal ciphertext is decrypted accidentally becomes a value close to the initial vector expected value N*, is approximately $t / 2^n$. Therefore, by making t sufficiently small, it becomes possible to detect tampering with high probability while dealing with information loss.
  • the plaintext output means 26 outputs the plaintext M acquired from the masked decryption means 22 and the verification result B acquired from the initial vector check means 25 to an external device.
  • the plaintext output means 26 is connected to, for example, a display device or a printer device, and outputs the plaintext M and the verification result B to the display device or printer device.
  • the plaintext output means 26 outputs the verification result B while outputting the plaintext M as an empty string.
  • the plaintext output unit 26 outputs the verification result B and the plaintext M to an external device.
  • the plaintext output means 26 may be configured to output the verification result B and the plaintext M regardless of the verification result B.
  • the ciphertext C and the tag T are input to the ciphertext input means 20 (step S201). Then, the ciphertext input means 20 transmits the input tag T to the mask generation means 21 and transmits the ciphertext C to the masked decryption means 22.
  • the mask generation means 21 decodes the tag T and generates a mask L (step S202). Specifically, for example, the mask generation unit 21 generates the mask L by decrypting the tag T using the block cipher decryption function used in the tag generation unit 15 described in the first embodiment. Then, the mask generation unit 21 outputs the generated mask L to the masked decoding unit 22 and the adjustment value-added block decoding unit 24.
  • the masked decryption means 22 decrypts the ciphertext C acquired from the ciphertext input means 20 using the mask L to generate plaintext M (step S203).
  • the masked decryption means 22 decrypts the ciphertext C into plaintext M by performing the processing represented by the following equation.
  • $M[i] = D(\mathrm{mul}(2^i, L) + C[i]) + \mathrm{mul}(2^i, L)$
  • the masked decryption means 22 outputs the generated plaintext M to the checksum calculation means 23 and the plaintext output means 26.
  • the checksum calculation means 23 calculates a checksum SUM from the acquired plaintext M (step S204). Specifically, for example, the checksum calculation means 23 calculates the checksum SUM by calculating the exclusive OR of each plaintext block when the plaintext M is divided into blocks of n bits. Then, the checksum calculation means 23 outputs the calculated checksum SUM to the block decoding means 24 with adjustment value.
  • the adjustment value-added block decoding unit 24 acquires the checksum SUM calculated by the checksum calculation unit 23. Then, the adjustment value-added block decoding unit 24 decodes the mask L using the checksum SUM calculated by the checksum calculation unit 23 as an adjustment value to generate an initial vector N (step S205). For example, this process is executed by performing the inverse function of the block encryption means 13 with adjustment value. Thereafter, the adjustment value-added block decoding unit 24 outputs the generated initial vector N to the initial vector checking unit 25.
  • the initial vector checking unit 25 acquires the initial vector N from the adjustment value-added block decoding unit 24.
  • the initial vector checking unit 25 determines whether or not the initial vector N and the initial vector expected value N* stored in advance match (step S206).
  • the plaintext output means 26 outputs the plaintext M and the verification result B (step S208).
  • the decryption apparatus 2 with authentication decrypts the ciphertext C into the plaintext M and detects the presence or absence of tampering.
  • the decryption apparatus with authentication 2 in this embodiment includes the ciphertext input unit 20, the mask generation unit 21, the decryption unit 22 with the mask, the checksum calculation unit 23, the block decryption unit 24 with the adjustment value, the initial vector checking means 25, and the plaintext output means 26.
  • the mask generation unit 21 can generate the mask L by decrypting the tag T input via the ciphertext input unit 20.
  • the decryption means with mask 22 can generate plaintext M by decrypting the ciphertext C input via the ciphertext input means 20 using the mask L.
  • the checksum calculation means 23 can calculate the checksum SUM based on the plaintext M, and the adjustment value added block decoding means 24 can decode the mask L into the initial vector N using the checksum SUM as the adjustment value.
  • the initial vector checking means 25 can detect the presence or absence of falsification by comparing the initial vector N and the initial vector expected value N *.
  • the decryption apparatus 2 with authentication has been described above.
  • the present invention may be realized by an authenticated encryption system that uses the authenticated encryption apparatus 1 and the authenticated decryption apparatus 2 described in the first embodiment at the same time.
  • the configurations of the encryption device with authentication 1 and the decryption device with authentication 2 are the same as those already described, and will be omitted.
  • an encryption device with authentication 3 that encrypts and outputs an input plaintext
  • the encryption device with authentication 3 in the present embodiment is configured to output a ciphertext obtained by encrypting a plaintext and a tag.
  • an outline of the configuration of the encryption device with authentication 3 will be described.
  • the encryption device with authentication 3 includes a plaintext input unit 31, a fixed length value generation unit 32, a mask value generation unit 33, a plaintext encryption unit 34, and a tag generation unit 35.
  • the plaintext input unit 31 receives plaintext input.
  • the fixed length value generation unit 32 generates a new fixed length value that is different from the value generated by the fixed length value generation unit 32 in the past.
  • the mask value generation unit 33 encrypts the fixed length value generated by the fixed length value generation unit 32 using the adjustment value based on the plain text received by the plain text input unit 31, and generates a mask value. That is, the mask value generation unit 33 acquires plaintext from the plaintext input unit 31. Further, the mask value generation unit 33 acquires a fixed length value from the fixed length value generation unit 32. Then, the mask value generation unit 33 generates a mask value by encrypting the fixed length value using an adjustment value based on plain text.
  • the plaintext encryption unit 34 encrypts the plaintext using the mask value generated by the mask value generation unit 33 to generate a ciphertext. That is, the plaintext encryption unit 34 acquires the mask value from the mask value generation unit 33. The plaintext encryption unit 34 acquires plaintext from the plaintext input unit 31. Then, the plaintext encryption unit 34 encrypts the plaintext using the mask value and generates a ciphertext.
  • the tag generation unit 35 encrypts the mask value generated by the mask value generation unit 33 and generates a tag. That is, when the tag generation unit 35 acquires a mask value from the mask value generation unit 33, the tag generation unit 35 encrypts the acquired mask value and generates a tag.
  • the encryption device with authentication 3 outputs the ciphertext encrypted by the plaintext encryption unit 34 and the tag generated by the tag generation unit 35.
  • the encryption device with authentication 3 includes the plaintext input unit 31, the fixed length value generation unit 32, the mask value generation unit 33, the plaintext encryption unit 34, and the tag generation unit 35.
  • the mask value generation unit 33 can generate a mask value by encrypting the fixed length value generated by the fixed length value generation unit 32 using the adjustment value based on the plain text input to the plain text input unit 31.
  • the plaintext encryption unit 34 can generate a ciphertext by encrypting the plaintext using the mask value.
  • generation part 35 can produce
  • the encryption device with authentication 3 can output a ciphertext and a tag.
  • the decryption side that has received the ciphertext and the tag can decrypt the tag and generate a mask value.
  • the plaintext can be generated by decrypting the ciphertext using the mask value. Then, it is possible to generate a fixed length value by decrypting the mask value using the adjustment value based on the plain text.
  • the decoding side can detect the presence or absence of tampering by comparing the generated fixed length value with the expected value that is the expected fixed length value.
  • the decryption side can decrypt the ciphertext to generate plaintext and can perform message authentication. That is, with the above-described configuration, it is possible to perform processing that combines a tag and a fixed-length value, and it is possible to realize authenticated encryption that transmits only a ciphertext and a tag that are generated by simple calculation processing. As a result, it is possible to efficiently prevent an increase in bandwidth when using the authenticated encryption method.
  • a program according to another embodiment of the present invention includes a plaintext input unit 31 that receives plaintext input; a fixed length value generation unit 32 that generates a new fixed length value that is different from a value generated in the past; a mask value generation unit 33 that generates a mask value by encrypting the fixed length value using the adjustment value based on the plaintext; a plaintext encryption unit 34 that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit 33; and a tag generation unit 35 that encrypts the mask value generated by the mask value generation unit 33 and generates a tag. This is a program that outputs the ciphertext encrypted by the plaintext encryption unit 34 and the tag generated by the tag generation unit 35.
  • the authenticated encryption method executed by operating the above-described authenticated encryption apparatus 3 accepts plaintext input, generates a new fixed length value different from the value generated in the past, encrypts the fixed-length value using the adjustment value based on the plaintext to generate a mask value, encrypts the plaintext using the generated mask value to generate a ciphertext, encrypts the generated mask value to generate a tag, and outputs the ciphertext and the tag.
  • a decryption apparatus with authentication 4 that acquires a ciphertext and a tag, decrypts the ciphertext to generate plaintext, and detects the presence or absence of tampering.
  • an outline of the configuration of the decryption apparatus 4 with authentication will be described.
  • the decryption apparatus 4 with authentication in the present embodiment includes a ciphertext input unit 41, a mask value decryption unit 42, a plaintext decryption unit 43, a fixed length decryption unit 44, and a falsification inspection unit 45.
  • the ciphertext input unit 41 receives an input of a ciphertext and a tag to be decrypted.
  • the mask value decryption unit 42 decrypts the tag input to the ciphertext input unit 41 to generate a mask value. That is, the mask value decryption unit 42 acquires a tag from the ciphertext input unit 41. Then, the mask value decoding unit 42 generates a mask value by decoding the tag.
  • the plaintext decryption unit 43 decrypts the ciphertext using the mask value generated by the mask value decryption unit 42 to generate plaintext. That is, the plaintext decryption unit 43 acquires the mask value from the mask value decryption unit 42. The plaintext decryption unit 43 acquires the ciphertext from the ciphertext input unit 41. The plaintext decryption unit 43 then decrypts the ciphertext using the mask value to generate plaintext.
  • the fixed-length value decoding unit 44 generates a fixed-length value by decoding the mask value using an adjustment value based on plain text. That is, the fixed length value decoding unit 44 uses the adjustment value based on the plaintext generated by the plaintext decoding unit 43 to decode the mask value generated by the mask value decoding unit 42 to generate a fixed length value.
  • the falsification inspection unit 45 inspects whether or not falsification has occurred by comparing the fixed length value with the expected value stored in advance. That is, the falsification inspection unit 45 compares the fixed length value generated by the fixed length value decoding unit 44 with the expected value stored in advance. Thereby, the tampering inspection unit 45 inspects whether or not tampering has occurred.
  • the decryption apparatus with authentication 4 includes the ciphertext input unit 41, the mask value decryption unit 42, the plaintext decryption unit 43, the fixed length decryption unit 44, and the falsification inspection unit 45.
  • the mask value decryption unit 42 can decrypt the tag input via the ciphertext input unit 41 and generate a mask value.
  • the plaintext decryption unit 43 can decrypt the ciphertext input via the ciphertext input unit 41 using the mask value to generate plaintext.
  • the fixed length value decoding unit 44 can generate a fixed length value by decoding the mask value using the adjustment value based on the plain text.
  • the tampering inspection unit 45 can detect the presence or absence of tampering by comparing the fixed length value with the expected value.
  • the above-described decryption apparatus with authentication 4 can be realized by incorporating a predetermined program into the information processing apparatus.
  • a program according to another embodiment of the present invention causes the information processing apparatus to realize a ciphertext input unit 41 that receives an input of a ciphertext and a tag to be decrypted; a mask value decryption unit 42 that decrypts the tag input to the ciphertext input unit 41 to generate a mask value; a plaintext decryption unit 43 that decrypts the ciphertext using the mask value generated by the mask value decryption unit 42 to generate plaintext; a fixed-length value decoding unit 44 that decodes the mask value using the adjustment value based on the plaintext to generate a fixed-length value; and a falsification inspection unit 45 that checks the presence or absence of tampering by comparing the fixed-length value with the expected value stored in advance. The presence or absence of tampering inspected by the falsification inspection unit 45 and the plaintext generated by the plaintext decryption unit 43 are output.
  • the authenticated decryption method executed by operating the above-described decryption apparatus with authentication 4 accepts input of a ciphertext and a tag to be decrypted, decrypts the tag to generate a mask value, decrypts the ciphertext using the mask value to generate plaintext, decrypts the mask value using the adjustment value based on the plaintext to generate a fixed length value, inspects the presence or absence of tampering by comparing the fixed length value with the expected value stored in advance, and outputs the presence or absence of tampering and the plaintext.
  • the above-described object of the present invention can be achieved because it has the same operation as the decryption apparatus 4 with authentication.
  • the authenticated cryptographic system uses, for example, a plaintext input unit 31 that accepts input of plaintext, a fixed-length value generation unit 32 that generates a new fixed-length value different from a value generated in the past, and an adjustment value based on plaintext. Then, a mask value generation unit 33 that generates a mask value by encrypting a fixed length value, and a plaintext encryption unit 34 that generates a ciphertext by encrypting the plaintext using the mask value generated by the mask value generation unit 33.
  • a tag generation unit 35 that encrypts the mask value generated by the mask value generation unit 33 and generates a tag, and a ciphertext encrypted by the plaintext encryption unit 34 and a tag generated by the tag generation unit 33 ,
  • the ciphertext input unit 41 that receives the input of the ciphertext and the tag output from the authenticated encryption device 3, and the tag input to the ciphertext input unit 41 is decrypted Mask value to calculate the mask value
  • the decryption unit 42, the plaintext decryption unit 43 that decrypts the ciphertext using the mask value calculated by the mask value decryption unit 42, and the adjustment value based on the plaintext, decrypts the mask value
  • a fixed-length value decoding unit 44 that generates a fixed-length value
  • a falsification inspection unit 45 that inspects whether or not falsification has occurred by comparing the fixed-length value with a pre-stored expected value.
  • a decryption device with authentication 4 that outputs the presence / absence of
  • (Appendix 2) The encryption apparatus with authentication according to attachment 1, comprising an adjustment value calculation unit that calculates the adjustment value of a fixed length from the plaintext input to the plaintext input unit, wherein the mask value generation unit is configured to generate the mask value by encrypting the fixed length value using the adjustment value calculated by the adjustment value calculation unit.
  • the encryption device with authentication according to attachment 2, wherein the adjustment value calculation unit is configured to calculate the adjustment value by calculating an exclusive OR of each block when the plaintext input to the plaintext input unit is divided into blocks having a predetermined length.
  • the encryption device with authentication according to any one of appendices 1 to 3, wherein the plaintext encryption unit is configured to encrypt the plaintext and generate the ciphertext by calculating the exclusive OR of the value of a plaintext block, which is one of the blocks when the plaintext is divided into blocks of a predetermined length, and a multiplication value, which is a value obtained by multiplying the mask value by a constant of a finite field according to the order of the plaintext block in the plaintext, then performing encryption using a predetermined block cipher, and calculating the exclusive OR of the encryption result and the multiplication value.
  • the encryption device with authentication according to attachment 4 wherein The plaintext encryption unit is a value calculated based on the result of encrypting a final block, which is the last block when the plaintext is divided into blocks of a predetermined length, and a finite field constant corresponding to the final block. And an encryption device with authentication configured to perform encryption by calculating an exclusive OR of the value and the value of the last block of the plaintext.
  • a ciphertext input unit that accepts input of a ciphertext and a tag to be decrypted;
  • a mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value;
  • a plaintext decryption unit that decrypts the ciphertext and generates a plaintext using the mask value generated by the mask value decryption unit;
  • a fixed length decoding unit that generates a fixed length value by decoding the mask value using an adjustment value based on the plaintext;
  • a tamper inspection unit that inspects the presence or absence of tampering by comparing the fixed length value and the expected value stored in advance,
  • a decryption apparatus with authentication configured to output the presence / absence of falsification inspected by the falsification inspection unit and the plaintext generated by the plaintext decryption unit.
  • the decryption apparatus with authentication according to appendix 7 is a decryption apparatus with authentication for inspecting whether or not tampering has occurred based on an absolute value of a difference between the fixed length value and an expected value stored in advance and a threshold stored in advance.
  • a plaintext input unit for receiving plaintext input; A fixed-length value generating unit that generates a new fixed-length value different from values generated in the past; A mask value generation unit that generates a mask value by encrypting the fixed length value using an adjustment value based on the plaintext; A plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; A tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit, and An encrypted device with authentication for outputting the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit; A ciphertext input unit that accepts input of ciphertext and tags; A mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value; Using the mask value generated by the mask value decryption unit, the plaintext decryption unit that decrypts the ciphertext that the ciphertext
  • (Appendix 9-2) Accepts plaintext input, Generate a new fixed length value that is different from the value generated in the past, Using the adjustment value based on the plaintext, the fixed length value is encrypted to generate a mask value, Using the generated mask value, the plaintext is encrypted to generate a ciphertext, A tag is generated by encrypting the generated mask value, Outputting the ciphertext and the tag; Accepting the input of the ciphertext and the tag, Decoding the tag to generate the mask value; Using the mask value, decrypt the ciphertext to generate the plaintext, Using the adjustment value based on the plaintext, the mask value is decrypted to generate the fixed length value, Inspecting the presence or absence of tampering by comparing the fixed length value and the expected value stored in advance, An authenticated cryptographic processing method for outputting the presence / absence of alteration and the plaintext.
  • a plaintext input unit for receiving plaintext input;
  • a fixed-length value generating unit that generates a new fixed-length value different from values generated in the past;
  • a mask value generation unit that generates a mask value by encrypting the fixed length value using an adjustment value based on the plaintext;
  • a plaintext encryption unit that encrypts the plaintext and generates a ciphertext using the mask value generated by the mask value generation unit; Realizing a tag generation unit that generates a tag by encrypting the mask value generated by the mask value generation unit;
  • a program for outputting a ciphertext encrypted by the plaintext encryption unit and a tag generated by the tag generation unit.
  • a ciphertext input unit that accepts input of a ciphertext and a tag to be decrypted;
  • a mask value decryption unit that decrypts a tag input to the ciphertext input unit to generate a mask value;
  • a plaintext decryption unit that decrypts the ciphertext and generates a plaintext using the mask value generated by the mask value decryption unit;
  • a fixed length decoding unit that generates a fixed length value by decoding the mask value using an adjustment value based on the plaintext; Realizing a falsification inspection unit that inspects the presence or absence of falsification by comparing the fixed length value with an expected value stored in advance;
  • the programs described in the above embodiments and supplementary notes are stored in a storage device or recorded on a computer-readable recording medium.
  • the recording medium is a portable medium such as a flexible disk, an optical disk, a magneto-optical disk, and a semiconductor memory.
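The encryption and decryption flow described in the embodiments above (checksum as adjustment value, mask L, per-block masking with mul(2^i, L), tag T, recovery and check of the initial vector N), as an added Python example that is not code from the patent. Assumptions: a toy 4-round Feistel permutation built from SHA-256 stands in for AES and is not secure; the domain-separation labels `b"sum"`, `b"blk"` and `b"tag"`, the reduction polynomial 0x87, n = 128 and all function names are hypothetical; only messages made of whole blocks are handled, because the final-block rule is not recoverable from the text above.

```python
import hashlib

BLOCK = 16                                  # n = 128 bits (assumed)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, tweak, half):
    # Round function of the toy Feistel permutation (stand-in for AES).
    return hashlib.sha256(key + bytes([rnd]) + tweak + half).digest()[:8]

def E(key, block, tweak):
    """Toy tweakable block cipher, forward direction."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, tweak, right))
    return left + right

def D(key, block, tweak):
    """Inverse of E under the same key and tweak."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, tweak, left)), left
    return left + right

def double(block):
    """Multiply by 2 in GF(2^128); polynomial x^128+x^7+x^2+x+1 is assumed."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "big")

def split(data):
    if not data or len(data) % BLOCK:
        raise ValueError("this sketch handles whole 16-byte blocks only")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def checksum(blocks):
    """SUM: exclusive OR of all plaintext blocks (the adjustment value)."""
    total = bytes(BLOCK)
    for blk in blocks:
        total = _xor(total, blk)
    return total

def encrypt(key, nonce, plaintext):
    """Return (C, T). The initial vector N itself is never transmitted."""
    blocks = split(plaintext)
    mask = E(key, nonce, b"sum" + checksum(blocks))   # L = E~(SUM, N)
    out, delta = [], mask
    for m in blocks:
        delta = double(delta)                         # mul(2^i, L)
        out.append(_xor(E(key, _xor(delta, m), b"blk"), delta))
    return b"".join(out), E(key, mask, b"tag")        # T = E(L)

def decrypt(key, ciphertext, tag, expected_nonce, threshold=0):
    """Return (M, passed, N). M is released only when the check passes."""
    mask = D(key, tag, b"tag")                        # S202: L from T
    blocks, delta = [], mask
    for c in split(ciphertext):                       # S203
        delta = double(delta)
        blocks.append(_xor(D(key, _xor(delta, c), b"blk"), delta))
    nonce = D(key, mask, b"sum" + checksum(blocks))   # S204, S205
    diff = abs(int.from_bytes(nonce, "big")
               - int.from_bytes(expected_nonce, "big"))
    passed = diff <= threshold                        # S206: |N - N*| <= t
    return (b"".join(blocks) if passed else b""), passed, nonce

def demo():
    key = b"constructed-key!"                         # constructed sample key
    n5 = (5).to_bytes(BLOCK, "big")                   # constructed counter N
    msg = b"A" * 16 + b"B" * 16 + b"C" * 16           # constructed plaintext
    c, t = encrypt(key, n5, msg)
    flipped = bytes([c[0] ^ 1]) + c[1:]               # one tampered bit
    return {
        "roundtrip": decrypt(key, c, t, n5),
        "tampered": decrypt(key, flipped, t, n5)[1],
        "stale_strict": decrypt(key, c, t, (6).to_bytes(BLOCK, "big"))[1],
        "stale_tolerant": decrypt(key, c, t, (6).to_bytes(BLOCK, "big"), 3)[1],
    }

if __name__ == "__main__":
    print(demo())
```

The output is len(M) + 16 bytes because N is recovered from T rather than sent, and a non-zero threshold accepts any N within t of N*, which is the t / 2^n trade-off noted above.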

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an authenticated encryption apparatus comprising: a plaintext input unit that receives input of a plaintext; a fixed-length value generation unit that generates a new fixed-length value different from values generated in the past; a mask value generation unit that encrypts the fixed-length value using an adjustment value based on the plaintext, thereby generating a mask value; a plaintext encryption unit that encrypts the plaintext using the mask value generated by the mask value generation unit, thereby generating a ciphertext; and a tag generation unit that encrypts the mask value generated by the mask value generation unit, thereby generating a tag. The authenticated encryption apparatus outputs both the ciphertext encrypted by the plaintext encryption unit and the tag generated by the tag generation unit.
PCT/JP2015/005042 2014-10-30 2015-10-02 Authenticated encryption apparatus, authenticated decryption apparatus, authenticated cryptography system, authenticated encryption method, and program WO2016067524A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
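JP2016556190A JPWO2016067524A1 (ja) 2014-10-30 2015-10-02 Authenticated encryption device, authenticated decryption device, authenticated encryption system, authenticated encryption method, and program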

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014221754 2014-10-30
JP2014-221754 2014-10-30

Publications (1)

Publication Number Publication Date
WO2016067524A1 true WO2016067524A1 (fr) 2016-05-06

Family

ID=55856893

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/005042 WO2016067524A1 (fr) 2014-10-30 2015-10-02 Authenticated encryption apparatus, authenticated decryption apparatus, authenticated cryptography system, authenticated encryption method, and program

Country Status (2)

Country Link
JP (1) JPWO2016067524A1 (fr)
WO (1) WO2016067524A1 (fr)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060285684A1 (en) * 2001-07-30 2006-12-21 Rogaway Phillip W Method and apparatus for facilitating efficient authenticated encryption

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
ABED, F. ET AL.: "The POET Family of On-Line Authenticated Encryption Schemes, Version 1.01", COMPETITIONS, 15 March 2014 (2014-03-15), pages 1 - 65, XP055278686, Retrieved from the Internet <URL:http://competitions.cr.yp.to/round1/poetv101.pdf> [retrieved on 20151216] *
DATTA, N. ET AL.: "ELmD v1.0", COMPETITIONS, 15 March 2014 (2014-03-15), pages 1 - 37, XP055278678, Retrieved from the Internet <URL:http://competitions.cr.yp.to/round1/elmdv10.pdf> [retrieved on 20151216] *
HOSSEINI, H. ET AL.: "CBA Mode (v1) - A Submission to CAESAR Competition for Authenticated Encryption", COMPETITIONS, 15 March 2014 (2014-03-15), pages 1 - 14, XP055278677, Retrieved from the Internet <URL:http://competitions.cr.yp.to/round1/cbav1.pdf> [retrieved on 20151216] *
MEYER, C. H. ET AL., CRYPTOGRAPHY: A NEW DIMENSION IN COMPUTER SECURITY, 1982, pages 100 - 105 *
SASAKI, Y. ET AL.: "Minalpher v1", COMPETITIONS, 15 March 2014 (2014-03-15), pages 1 - 70, XP055278683, Retrieved from the Internet <URL:http://competitions.cr.yp.to/round1/minalpherv1.pdf> [retrieved on 20151216] *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11349668B2 (en) 2017-02-21 2022-05-31 Mitsubishi Electric Corporation Encryption device and decryption device
JP2021528899A (ja) * 2018-06-18 2021-10-21 Koninklijke Philips N.V. Device for data encryption and integrity
JP7362676B2 (ja) 2018-06-18 2023-10-17 Koninklijke Philips N.V. Device for data encryption and integrity
US11522712B2 (en) 2018-08-30 2022-12-06 Mitsubishi Electric Corporation Message authentication apparatus, message authentication method, and computer readable medium
US11750398B2 (en) 2018-09-27 2023-09-05 Nec Corporation MAC tag list generation apparatus, MAC tag list verification apparatus, aggregate MAC verification system and method
US11824993B2 (en) 2019-04-18 2023-11-21 Nec Corporation MAC tag list generation apparatus, MAC tag list verification apparatus, method, and program
WO2021171543A1 (fr) * 2020-02-28 2021-09-02 NEC Corporation Authenticated encryption device, authenticated decryption device, authenticated encryption method, authenticated decryption method, and storage medium
JP7371757B2 (ja) 2020-02-28 2023-10-31 NEC Corporation Authenticated encryption device, authenticated decryption device, authenticated encryption method, authenticated decryption method, and program

Also Published As

Publication number Publication date
JPWO2016067524A1 (ja) 2017-08-10

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 15855905; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2016556190; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 15855905; Country of ref document: EP; Kind code of ref document: A1)