JP2000214779A - Method and device for generating hash value - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a hash value generation method with high safety without decrease in processing rate by making an output length longer than an input length, and containing processing of injective extension conversion so that a different input surely brings a different output. SOLUTION: The output length is made longer than the input length, and this method contains a processing of injective extension conversion so that a different input surely brings a different output. When a message 2501 is inputted to a hash function 101, a prescribed processing is carried out by a data extension part 102 and an extended data 107 is outputted. Next, the extended data 107 are divided into 64-bit lengths and split into a 1st segment E1 108, a 2nd segment E2 109,... to be inputted to an injective extension part 105. The injective extension part 105 adopts an initial value 110 of 256 bits as a parameter and processes the 1st segment E1 108 with injective extension part 105 and obtains an intermediate output of 256 bits. Next, the 2nd segment E2 109 is processed with the injective extension part 105 with this intermediate output used as a parameter, and an intermediate output of 256 bits is obtained. Such processing is repeated.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a technique for securing security in a computer network.

[0002]

2. Description of the Related Art Conventionally, it takes a lot of time to generate an electronic seal (digital signature) for a long message using only public key cryptography in electronic seal. Therefore, a method is used in which a message is once compressed into short data and then an electronic seal is generated for the compressed data. The method of compression does not require the original message to be restored from the compressed data as in normal data compression, but it is compressed to have certain cryptographic characteristics. Therefore, the hash function (hashfunctio
n).

[0003] Messages such as commercial transaction documents, for example, Document A: "Suzaki Shokai Passenger Car (Catalog No. 1443)
Is purchased for 1.04 million yen. March 10, 1996 Yoshiura ”is the input data to the hash function. The length of the input data can be any length. The hash function performs a process similar to a cryptographic conversion on the input data, thereby compressing the input data into short data of a fixed length. For example, the hash value: 283AC9081E83D5B28977 is the output of the hash function. This hash value is also called a message digest or fingerprint, and ideally there is only one message in the world for one message. It is said that the hash value must be at least about 128 bits long to guarantee that "there is only one in the world." More specifically, the hash function needs to have the following characteristics.

(1) One-way property: It is assumed that an output value of a certain hash function is given. It is computationally difficult to find another message M that gives the same output value as this output value.

Example Assume that Kazuo's birthday is February 22nd.
To find another person with the same birthday as Kazuo's birthday, you can find someone with the same birthday on average if you give him 365/2 ≒ 183 birthdays. A similar calculation method holds for replacing a person with a message and replacing a birthday with a hash value. In other words, if the length of the hash value is 160 bits,
The total number of hash values There are two ^160. Come to hit another on average 2 ^160/2 = 2 ¹⁵⁹ messages to find a message with the same hash value as the hash value of a message the message is found to have the same hash value. This is computationally difficult.

(2) Collision free propert
y): Regardless of the message or the hash value.
Anyway, it is computationally difficult to find two different messages M and M 'so that they have the same hash value.

[0007] Anyway, anyone can find two people with the same birthday. In this case, if you give birth to about 24 people on average, you will find two people who have the same birthday. Similarly, if the length of the hash value with 160 bits, because whatever may find two different messages with the same hash value Come to hit the 2 ^160/2 = 2 ⁸⁰ sets the order of messages on average good. This number is considerably smaller than the unidirectional case. However, it is still difficult in terms of computational complexity.

Although various methods have been announced as a mechanism for realizing a hash function, a method of repeating substitution and transposition has become mainstream as a method far faster than public key cryptography. A conventional example showing the mechanism of the processing is disclosed in the following document.

[0009] ISO / IEC 10118-2, "Information technolo
gy-Security techniques-Hash-functions: Part 2:
Hash-functions using an n-bit block cipher algori
thm "(1994) In the above conventional example, first, as shown in FIG.
Category M ₁ 2502, the second division M ₂ 2503, split and so on ..., and input to the hash function 2507. In the hash function 2507, the first section M ₁ 250
By performing the substitution / transposition repetition process 2505 on 2
Get the th intermediate output. Then, obtain the the intermediate output to parameter the second intermediate output by performing substitution, transposition repetitive processing 2505 to the second segment M ₂ 2503. ...
Is repeated, and the intermediate output that appears last becomes the hash value H2506 to be obtained.

In this substitution, substitution / transposition repetition process 2505, the above-mentioned conventional document uses an encryption function such as the US encryption standard DES. This is called a “hash function using a block cipher” and has been standardized by ISO, and is disclosed in the above-mentioned document. The details of this method are as follows.

An encryption function 2509 is applied to the first section M ₁ 2502 by using a value obtained by converting the initial value 2504 by the conversion function 2508 as a parameter to perform encryption. Next, an exclusive OR 2510 for each bit applied between the encryption result and the first section M ₁ 2502, the results substitution, transposition repetitive processing 2505
The intermediate output of. The next intermediate output is fed back again and used as an input to the substitution / transposition repetition processing 2505.
₂ 2503 is encrypted by applying an encryption function 2509. Next, performs an exclusive OR 2510 of each bit for the encryption result and the second section M ₂ 2503, substitution, and the results
The intermediate output of the transposition repetition process 2505 is used. .. Are repeated, and the intermediate output that appears last is the hash value H2506 to be obtained.

Here, when DES is used as the encryption function 2509, the length of each section such as the first section M ₁ 2502 and the second section M ₂ 2503 is 64 bits, and the length of the output of the substitution / transposition repetition processing 2505. The length of each hash value is 64 bits, and the length of the hash value H2506 is also 64 bits. This feature of "hash function using a block cipher", each segment of the message M ₁ 2502, M ₂ 2503,
... is equal to the length of the output of the substitution / transposition repetition process 2505.

In the above-described substitution / transposition repetition processing 2505, a method that does not use the encryption function 2509 such as DES is called a “dedicated hash function”, and is an Internet standard such as MD5 or I5.
SHA-1, RIPEMD-160, etc., which are being standardized by SO.

Among them, MD5 is disclosed in the following document.

R. Rivest, "The MD5 Message-Digest Alg
orithm, "IETF RFC 1321 (1992) In MD5, the message 2501 is divided into lengths of 512 bits, and the first division M ₁ 2502 of 512 bits and the second
Partition M ₂ 2503, ...
Input to 2507. In the hash function 2507 to obtain a 128-bit intermediate output by performing substitution, transposition repeating processing 2505 the initial value 2504 of 128 bits for the first segment M ₁ 2502 512 bits as a parameter. Then, by performing a substitution, transposition repetitive processing 2505 to the second segment M ₂ 2503 512 bits the intermediate output as a parameter 128
Get intermediate output of bits. .. Are repeated, and the 128-bit intermediate output that appears last becomes the hash value H2506 to be obtained.

The feature of this “dedicated hash function” is that the output length of the substitution / transposition repetition processing 2505 is shorter than the length of each of the message segments M ₁ 2502, M ₂ 2503.

The processing speed of the MD5 is high, and the processing speed is 1,000 times or more as compared with that of the public key encryption. For example, software on a PC using Pentium 90MHz compresses about 100,000 bits of data in about 1 millisecond (one thousandth of a second). This makes it possible to generate an electronic seal at a high speed even for a relatively long sentence or figure.

[0018]

However, the above-mentioned known examples have the following unsatisfactory points.

(1) The hash value generated by the “hash function using block cipher” has a low processing speed.

DE that can be used for this hash function
The encryption function (block cipher) such as S has an input length and an output length as short as 64 bits, and as a result, the obtained hash value is also 64 bits, which is sufficiently long to realize the collision avoidance. Not really. Therefore, the calculation of the hash function is performed twice by changing the initial value or the like, thereby generating a 128-bit hash value. However, there is a complaint that the processing speed is reduced.

(2) There is a security concern about the hash value generated by the “dedicated hash function”.

As described above, the “dedicated hash function”
Is a simple substitution /
Repeated transposition process 2505 was performed. Here, the length of the output value (for example, 128 bits) is shorter than the length of the input value (for example, 512 bits). For this reason, one message split data input 512 bits → compressed data output 1
Focusing on the 28-bit relationship, it was relatively easy to cause an input collision, that is, the same output for two different inputs. That is, the hash function could be broken relatively easily.

Accordingly, an object of the present invention is to provide a method and apparatus for generating a hash value with high security without lowering the processing speed.

[0024]

To solve the above-mentioned conventional problems, the present invention uses the following means.

(1) In the above-mentioned conventional example, when the length of the message segment input to the substitution / transposition repetition processing 2507 is compared with the length of the intermediate output to be output, is the output length equal to the input length? ("Hash function using block cipher"), the length of the output was shorter than the length of the input ("Dedicated hash function"). On the other hand, in the present invention, the length of the output is made longer than the length of the input, and the processing for performing the injection expansion conversion is performed so that the output value is always different if the input value is different. This makes it relatively easy to avoid message collision in the substitution / transposition repetition processing 2505, which has become a problem in MD5.

(2) The injection expansion conversion includes a process of multiplying a converted input value and a process of calculating a plurality of cyclic shifts having different shift numbers. . As a result, it has become possible to effectively use multiplication and cyclic shift calculations, which have been particularly improved in processing speed due to recent advances in microprocessors such as Pentium, for data disturbance. That is, multiplication and cyclic shift calculation are used in the calculation of the hash function, and the calculation of the hash function can be significantly improved.

(3) In the above conventional example, if the initial value 2504 is first used as a parameter, it does not participate in any processing thereafter. On the other hand, according to the present invention, the initial value 2504 initially used as a parameter is re-input later to the same input unit as the message 2501 is input. As a result, collision of the initial values such that the same hash value is derived for different initial values is prevented from occurring.

(4) In the above conventional example, M ₁ 2502, M ₂ 25
Once each section of the message, such as 03, was processed, it was not involved in any further processing. On the other hand, in the present invention, each section of the message once processed is input again to the same input unit later. This allows
Message collisions, where the same hash value is derived for different messages, are less likely to occur.

The method of the present invention is realized by software (computer program).
The program is stored in a recording medium such as a hard disk device, and can be distributed in a form stored in a portable recording medium such as a ROM, a CD-ROM, and a flexible disk.

[0030]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Preferred embodiments of the present invention will be described below in detail.

FIG. 1 is a diagram showing a first embodiment of the present invention. When a message 2501 is input to a hash function 101, a “mixing of message and initial value” process 103 is performed in a data enlarging unit 102. After the execution, the “repeatedly expanding the mixed data L blocks every K times” process 104 is performed, and the enlarged data 107 is output. Next, the expanded data 107 is divided into 64-bit lengths, and the 64-bit first sections E ₁ 108, 64
The bits are divided into second sections E ₂ 109,. In the single shot expansion section 105, 25
64-bit first using the 6-bit initial value 110 as a parameter
By performing the injection enlargement 105 on the section E ₁ 108, an intermediate output of 256 bits is obtained. Next, using the intermediate output as a parameter, the injection expansion 105 is performed on the 64-bit second section E ₂ 109.
To obtain a 256-bit intermediate output. ...
Is repeated, and the 256-bit intermediate output that appears last becomes the hash value H111 to be obtained.

FIG. 2 shows details of the "mixing of message and initial value" process 103 in FIG. In the "mixing of message and initial value" process 103, the initial value 110 and the message
2501 is entered. The initial value 110 are those four 64-bit data block _{I 1 201, I 2 202,} I 3 203, I 4 204 , which are arranged in this order. First, in the padding process 220, data is connected so that a value obtained by adding 256 to the length of the message 2501 is an integer multiple of L × 64 with reference to a preset integer L. That is, (1) The value obtained by adding 256 to the length of message 2501 is exactly L × 64
If the value is an integer multiple of
1 ”and L × 64−1 bits of“ 0 ”are connected in this order.

(2) If the value obtained by adding 256 to the length of the message 2501 is not an integral multiple of L × 64 bits, some bits “1” and bits “0” are added at the end of the message (from 0 bits).
By connecting in this order, the total length is exactly an integer multiple of L × 64 bits.

After the padding, the message 2501
N 64-bit data blocks M ₁ 205, M ₂ 206, M ₃ 207, M ₄
, 208, M ₅ 209,... Become data 216 in this order.
When this data 216 is input to the process 217, M ₁ → D ₁ , I ₁
→ D ₂ , M ₂ → D ₃ , I ₂ → D ₄ , M ₃ → D ₅ , I ₃ → D ₆ , M ₄ →
D ₇ , I ₄ → D ₈ , M ₅ → D ₉ , M ₆ → D ₁₀ , M ₇ → D ₁₁ , ...
+4 64-bit data blocks D ₁ 210, D ₂ 211, D ₃ 212,
_{D 4 213, D 5 214,} ... is that continuous in this order is output as an intermediate extension data 215. The length of this intermediate enlarged data 215 is just an integer multiple of L × 64 bits.

FIG. 3 shows the detailed flow of the "repeatedly expanding the mixed data K times for each L block" process 104 in FIG. In FIG. 3, the following processing is performed.

Step 301: Start.

Step 302: The intermediate enlarged data D ₁ , D ₂ ,... Obtained in the processing of FIG. 2 are input.

Step 303: Set i = 1 and j = 0.

Step 304: m = (i− (i (mod L · K))) / K +
((i−1) (mod L)) + 1 Step 305: E _i = D _m Step 306: E _i is output.

Step 307: Is D _m the last input data?
If so, go to step 308. If not, go to step 310.

Step 308: j = j + 1 Step 309: j> K? If so, step 3
Go to 11. If not, go to step 310.

Step 310: i = i + 1. Return to step 304.

Step 311: End.

By executing the processing of FIG. 3, the intermediate enlarged data D ₁ , D ₂ ,... Are expanded in such a manner as to repeat K times for each L block, and the enlarged data E ₁ , E ₂ ,. Is output as The length of the enlarged data E ₁ , E ₂ ,... Is K times the length of the intermediate enlarged data D ₁ , D ₂ ,.

FIG. 4 shows a detailed flow of the single shot enlarging unit 105 in FIG. In FIG. 4, the following processing is performed.

Step 401: Start.

Step 402: An initial value of 256 bits is input and set to H.

Step 403: i = 1.

[0049] Step 404: Of the expanded data is output in FIG. 3, and inputs the i-th 64-bit block E _i.

[0050] Step 405: For E _i, 64-bit → 96
Perform bit injection. As a result, 96-bit data is obtained.

Step 406: Injection expansion from 96 bits to 128 bits is performed on the obtained 96-bit data. As a result, 128-bit data is obtained.

Step 407: Injection expansion of 128 bits → 256 bits is performed on the obtained 128-bit data. The resulting 256-bit data is set to H.

Step 408: Is _Ei the last input data?
If so, go to step 410. If not, go to step 409.

Step 409: i = i + 1 is set. Step 40
Return to 4.

Step 410: Output 256-bit data H.

Step 411: End.

The output value H obtained as a result of the processing in FIG. 4 is the hash value H111 to be obtained.

FIG. 5 shows a detailed flow of the step 405 of "injection expansion from 64 bits to 96 bits" in FIG. In FIG. 5, the following processing is performed.

Step 501: Start.

Step 502: 64-bit data block E _i
Enter a, the upper 32 bits of the E _i X _1, the lower 32 bits and Y _1. Similarly, a 256-bit data block H is input, divided into 32 bits from the beginning, and eight 32-bit data H ₁ , H
_2,..., And H _8.

Step 503: X ₂ = X ₁ + (Y ₁ + H ₁ ) ² , Y ₂ = Y ₁
Is calculated. As a result, X ₂ is 64-bit, Y ₂ is a 32-bit data.

Step 504: X ₂ and Y ₂ are output.

Step 505: End.

By the processing of FIG. 5, 64-bit input data E
_i is expanded to a total of 96 bits of X _{2 of} 64 bits and Y ₂ of 32 bits and output. In the process of step 503, X ₁ , Y ₁ → X ₂ , and Y ₂ are single shot enlargements. The output space (96 bits) is the input space (64 bits)
Longer, and given X ₂ , Y ₂ , X ₁ = X ₂ − (Y
_{This is} because X ₁ and Y ₁ are uniquely determined by ₂ + H ₁ ) ² and Y ₁ = Y ₂ .

FIG. 6 shows a detailed flow of the "injection expansion from 96 bits to 128 bits" step 406 in FIG.

Step 601: Start.

Step 602: Input X ₂ and Y ₂ obtained in FIG. Also inputs the _{H 1, H 2, H 3} , H 4, H 5, H 6, H 7, H 8.

[0068] Step 603: upper 32 bits X _H of X _2, the lower 32 bits and X _L.

Step 604: The following calculations are performed in order.

[0070] _{A = rot 5 (X L +} H 2 +1) B = A + (X H VH 3) +1 C = B + rot 12 (B) +1 D = X H + (H 4 XOR C) +1 E = C · D + Y ₂ F = X ₂ + E + (H ₅ ‖H ₆ ) X ₃ = E + F + (H ₇ ‖H ₈ ) Y ₃ = F where rot _T (U) cyclically shifts the numerical data U to the upper side by T bits. This shows the data obtained. For example, rot ₂ (110000) becomes 000011. Here, the left side of the numerical data is the upper side. XOR indicates an exclusive OR for each bit (in the drawing, indicated by a symbol having "+" in a circle). For example, 110010 XOR 011001 = 101011. + Indicates addition of numbers. However, if a carry occurs in the calculation of the most significant bit, the carry part is ignored. For example, 101101 + 100100 = 000011.

It is to be noted that ‖ indicates data joining. For example, 101101‖100100 = 101101100100.

Step 605: X ₃ and Y ₃ are output.

Step 606: End.

By the processing of FIG. 6, 64-bit input data X
₂ and 32-bit Y ₂ are converted to 64-bit X ₃ and 6
4 is extended to a total of 128 bits of bit Y ₃ is output.
Note that the process of step 604 is a single shot enlargement as in step 503.

FIG. 7 shows a detailed flow of “injection expansion from 128 bits to 256 bits” 407 in FIG.

Step 701: Start.

Step 702: X obtained in FIG._Three, Y_ThreeEnter
I do. In addition, H obtained in FIG.₁, H_Two, H _Three, H_Four, H_Five, H₆, H
₇, H₈Enter

[0078] Step 703: The upper 32 bits of the X ₃ X _H, a lower 32 bits and X _L.

Step 704: The upper 32 bits of Y ₃ are set as Y _H and the lower 32 bits are set as Y _L.

Step 705: The following processing is performed.

[0081] _{K1‖K2 = ((X H XOR H} 3) ‖ _{(X H XOR H 4))} + (H 7 ‖H 8) K3‖K4 = ((X L XOR H 1) ‖ (X _L XOR H _{2)) + (H 5 ‖H} 6) K5‖K6 = ((Y H XOR H 7) ‖ _{(Y H XOR H 8))} + (H 2 ‖H 1) K7‖K8 = ((Y L XOR H ₅ ) ‖ (Y _L XOR H ₆ )) + (H ₄ ‖H ₃ ) Step 706: K ₁ ‖K ₂ ‖K ₃ ‖K ₄ ‖K ₅ ‖K ₆ ‖K ₇ ‖K ₈ → H Step 707: Output H.

Step 708: End.

By the processing of FIG. 7, 64-bit input data X
₃ and 64-bit Y ₃ are expanded to 256-bit H and output. Step 705 is a single shot enlargement like step 503.

FIG. 8 is a diagram showing a second embodiment of the present invention. FIG. 8 is different from FIG. 1 in that an initial value 802, a hash value H804, a “mixing of message and initial value” processing 801 and an injection enlarging unit 803 are performed. different.

(1) In FIG. 1, the length of the initial value 110 is 256 bits. In FIG. 8, the length of the initial value 802 is 80 bits.

(2) In FIG. 1, the length of the hash value H111 is 256
Was a bit. In FIG. 8, the length of the hash value H804 is 80
Bit.

(3) In FIG. 1, “mixing of message and initial value
Details of the “combination” process 103 are as shown in FIG. In FIG.
The “mixing of message and initial value” process 801 is as shown in FIG.
Become. That is, the “mixing of message and initial value” processing 80
For 1, an initial value 802 and a message 2501 are input. initial value
802 is a 64-bit data block I₁901 and 16-bit data
Lock I_Two902 is a series in this order. Message
The page 2501 is padded with 220 64-bit data
Tablock M₁205, M_Two206, M_Three207, M_Four208, M_Five209,…
It is converted to a sequence in this order. These to processing 903
When the data of is input, M ₁→ D₁, I₁→ D_Two, M_Two→ D_Three,
 I_Two‖I_Two‖I_Two‖I_Two→ D_Four, M_Three→ D_Five, M_Four→ D₆, M_Five→ D₇, M
₆→ D₈, M₇→ D₉,… Data is replaced
N + 2 64-bit data blocks
Lock D₁211, D_Two211, D_Three212, D_Four213, D_Five214,… in this order
Are output as intermediate enlarged data 215
You.

(4) In FIG. 1, the processing of the injection enlarging unit 105 is performed as shown in FIG.
It was as follows. In FIG. 8, the processing of the inject
It is as shown in 10. That is, Step 1001: Start.

Step 1002: An initial value of 80 bits is input and set to H.

Step 1003: i = 1 is set.

[0091] Step 1004: Of the expanded data is output in FIG. 3, and inputs the i-th 64-bit block E _i.

[0092] Step 1005: For E _i, 64-bit → 6
Performs 4-bit injection transformation. As a result, 80-bit data is obtained.

Step 1006: Injection expansion of 64 bits → 80 bits is performed on the obtained 80-bit data. As a result, 80-bit data is obtained. The resulting 80-bit data is set to H.

[0094] Step 1007: Is the E _i is the last of the input data? If so, go to step 1009. If not, go to step 1008.

Step 1008: i = i + 1 is set. step 1
Return to 004.

Step 1009: Output 80-bit data H.

Step 1010: End.

The output value H obtained as a result of the processing in FIG. 10 is the hash value H804 to be obtained.

FIG. 11 shows a detailed flow of the “100% injection from 64 bits to 80 bits” 1005 in FIG. Figure
At 11, the following processing is performed.

Step 1101: Start.

Step 1102: 64-bit data block E _i
And the upper 32 bits of E _i are X ₁ and the lower 32 bits are Y ₁
And Similarly, input an 80-bit data block H,
The data is divided into 32 bits, 32 bits, and 16 bits from the beginning, and three data H ₁ , H ₂ , and H ₃ are obtained.

Step 1103: X ₂ = X ₁ + (Y ₁ + H ₁ ) ² (mod 2
^32), calculating a Y ₂ = Y _1. Where X (mod 2 ³² ) is
Indicates the remainder when divided by ³² . As a result, X ₂ is 32 bits and Y ₂ is
It becomes 32-bit data.

Step 1104: X ₂ and Y ₂ are output.

Step 1105: End.

By the processing of FIG. 11, 64-bit input data
E _i is converted to 32-bit X ₂ and 32-bit Y _{2 for} a total of 64 bits and output. In the process of step 1103, X ₁ , Y ₁ → X ₂ , and Y ₂ are single shots. If X ₂ and Y ₂ are given, X ₁ = X ₂ − (Y ₂ + H ₁ ) ² (m
od 2 ⁴⁸ ), because X ₁ and Y ₁ are uniquely determined by Y ₁ = Y ₂ .

FIG. 12 shows a detailed flow of the “injection expansion from 64 bits to 80 bits” 1006 in FIG.

Step 1201: Start.

Step 1202: Input X ₂ and Y ₂ obtained in FIG. Also inputs the _{H 1, H 2, H 3} .

Step 1203: The following calculations are performed in order.

A = rot ₅ (X ₂ + H ₂ +1) B = A + (X ₂ XOR (H ₃ ‖H ₃ ) +1 C = rot ₁₃ (B + H ₁ ) D = C + (B∨H ₂ ) +1 E = D ² + Y ₂ (mod 2 ⁴⁸ ) F = X ₂ + H ₃ + E (mod 2 ³² ) X ₃ = E + F + (H ₁ ‖H ₂ ) (mod 2 ⁴⁸ ) Y ₃ = F Step 1204: Output X ₃ and Y ₃ I do.

Step 1205: End.

By the processing of FIG. 12, 32-bit input data
X ₂ and 32-bit Y ₂ are converted to 32-bit X ₃ and
It is extended to a total of 80 bits of the 48 bits of Y ₃ and is output.
Note that the processing in step 1203 is a single shot enlargement.

According to the above-described second embodiment, a hash function for generating an 80-bit output by using the injection expansion can be constructed.

Similarly, a hash function that generates an output of an arbitrary length of 64 bits or more can be configured by using the injection extension.

FIG. 13 is a diagram showing a third embodiment of the present invention. In FIG. 13, a data key 1302 of an arbitrary length and a 128-bit plaintext 1305 are input to an encryption device 1311, and a 128-bit encrypted text 1310 is output. The hash function h1301 is the same as the hash function shown in FIG. 1, and receives a data key of an arbitrary length, generates a 256-bit hash value, and uses it as a work key 1304. The system key 1303 is given as an initial value of the hash function h1301. 256 work key bit, eight 32-bit data _{H 1, H 2, ···,} H
Divided into _eight . The 128-bit plaintext 1305 is the work key 1304
Of, is converted by a function π1306 seven 32-bit data H ₁ to H _7, except for the H ₈ as a key. Moreover, the conversion results of the work key 1304 is transformed by the function π1307 seven 32-bit data H ₂ to H ₈ except for H ₁ as a key.・
・ ・ The process is repeated, and finally the work key
Of 1304 it is transformed by the function π1309 seven 32-bit data H ₈ to H ₆ excluding H ₇ as the key. As a result, 128
Bit ciphertext is output.

FIG. 14 shows a processing flow of the function π1306 in FIG.

Step 1401: Begin.

Step 1402: Two 64-bit data X ₁ , Y
Enter ₁ . Input seven 32-bit data H ₁ to H _7.

[0119] Step 1403: The upper 32 bits of the X ₁ and X _H. The lower 32 bits of X ₁ and X _L.

Step 1404: The following calculations are performed in order.

[0121] _{A = rot 5 (X L +} H 1 +1) B = A + (X H VH 2) +1 C = B + rot 12 (B) +1 D = X H + (H 1 XOR C) +1 E = C · _{D + Y 1 F = X 1} + E + (H 4 ‖H 5) X 2 = E + F + (H 6 ‖H 7) Y 2 = F step 1405: X _2, and outputs a Y _2.

Step 1406: End.

According to the processing of FIG. 14, 64-bit input data
X ₁ and 64-bit Y ₁ are converted to 64-bit X ₂ and
64-bit is converted to a total of 128 bits of Y ₂ is output. The processing of this function π: X ₁ ‖Y ₁ → X ₂ ‖Y ₂ is bijective. That is, the inverse transformation π ⁻¹ from the output X ₂ ‖Y ₂ to the input X ₁ ‖Y ₁
Exists: (1) Let X ₂ ‖Y _{2 be} the input to π ⁻¹ .

(2) The following calculations are performed in order.

F = Y ₂ E = X ₂ −F− (H ₆ ‖H ₇ ) X ₁ = F−E− (H ₄ ‖H ₅ ) X _H ‖X _L = X ₁ A = rot ₅ (X _L + H ₁ +1) B = A + (X _H VH ₂ ) +1 C = B + rot ₁₂ (B) +1 D = X _H + (H ₃ XOR C) +1 Y ₁ = E−C · D (3) X ₁ ‖ Let Y _{1 be} the output from π ^-1 .

Similar processing is performed for the other functions π1307 to 1309. This makes it possible to decrypt the ciphertext 1310 generated in FIG. 13 into the original plaintext by the inverse transformation using π ⁻¹ .

In the embodiment shown in FIG. 13, the function
Although the number of repetitions n of f is n = 8, in general, the value of n may be given from the outside so that n can be changed to any positive integer.

FIG. 15 is a diagram showing a fourth embodiment of the present invention. In FIG. 15, a 128-bit common key 1502 and decompressed data 1503 are input to a masking device 1501. The decompressed data 1503 is obtained by connecting N common keys 1502 together. In masking device 1601, random number generator 1508 generates random number 1521. Data obtained by connecting the random number 1521 and the common key 1502 is input to the hash function h1509, and the output value becomes the work key 1524. When the first section 1504, which is the first 128-bit data of the decompressed data 1503, is input, it is converted by the π function 1513 using a part of the data of the work key 1524 as a parameter to become the 128-bit work key 1525. Here, the π function 1513 performs a process as shown in FIG. The same applies to π functions 1513, 1518, and 1519 described later. Work key 1525, an H ₁ 1522 a portion of data of 128 bits is converted by π function 1514 as a parameter of the work key 1524. When the next 128-bit second section 1505 of the decompressed data 1503 is input, it is converted by the π function 1518 using the work key 1525 as a parameter.
It becomes a 128-bit work key 1526. The work key 1526 is converted by the π function 1519 using the work key 1525 as a parameter to become a 128-bit H ₂ 1523. .. Are converted, and the masking data 1520 is output.

In the fourth embodiment, the masking data 1502 can be regarded as data obtained by expanding the common key 1502. Also, the masking data 1502 can be regarded as data obtained by encrypting the decompressed data 1503 with the common key 1502. In fact, by performing the reverse process of FIG. 15, the common key 1502 and the masking data 1502 are
1503 can be decrypted.

In the fourth embodiment, the common key 1502
Is 128 bits, but may be of any length in general. In the fourth embodiment, the decompressed data 1503
Are applied twice for each data block 1504, 1505,..., But may be applied N times in general.

FIG. 16 is a diagram showing a fifth embodiment of the present invention. In FIG. 16, a base point P1602 and a public key
03 and plaintext 1604 are input.

Here, the elliptic encryption means an elliptic curve, the addition (x ₁ , y ₁ ) + of two points (x ₁ , y ₁ ) and (x ₂ , y ₂ ) on y ² = x ³ + ax + b. (x ₂ ,
It is a public key cryptosystem generated by defining y ₂ ), integer multiple operation k (x ₁ , y ₁ ), and the like. Base point P160
2 and the public key Q1603 are also points on the above elliptic curve, and satisfy the following relationship with the secret key d1802 described later.

Q = dP In the encryption device 1601, a random number generation function 1607 generates a random number k. Then, the random number k and the base point P1602 are input to the integer multiple calculation function 1608, R = kP is calculated, and R1616 is output. The random number k and the public key Q1603 are input to the integer multiple operation function 1609, (x, y) = kQ is calculated, and the numerical value x of the x coordinate is output.

The number generation function 1610 has the sequence number “1”.
Is generated, and the hash function h1611 generates and outputs a hash value to data obtained by connecting the sequence number “1” and the numerical value x. Using this hash value as a key, the compression / encryption function 1612 compresses / encrypts the first N bits 1605 of the plaintext 1604. The result of the compression and encryption is output as c ₁ 1618.

The number generation function 1613 has the sequence number “2”.
Is generated, and the hash function h1614 generates and outputs a hash value for data obtained by connecting the sequence number “2” and the numerical value x. Using this hash value as a key, the compression / encryption function 1614
N bits 1606 are compressed and encrypted. The result of compression and encryption is output as c21619. .. Are repeated, and all the plaintext 1604 is converted. as a result,
A ciphertext 1616 is obtained.

FIG. 17 shows the compression / encryption function 1612 of FIG.
The details are shown below. In the compression / encryption function 1701, the key
When 1705 is input, the extended function 1706 copies a plurality of keys 1705 and connects them to form a work key 1723.
Output as Of the first N bits 1702, the first category 1
When 703 is input, compression (substitution) processing 1707 is performed using a part of the data of the work key 1723 as a parameter, and 128-bit compressed data 1708 and a fraction 1709 are output. As the compression (substitution) processing 1707, for example, Huffman compression is used. The same applies to a compression (substitution) process 1713 described later. The 128-bit compressed data 1708 is the work key 1
The data is converted by the π function 1710 using a part of the data of 723 as a parameter, the conversion result is expanded by the expansion function 1712, and output as the work key 1722. Where the π function
1710 performs the processing as shown in FIG. The same applies to π functions 1711, 1716, and 1718 described later. The π function
The output of 1710, g ₁ 172 a portion of data of 128 bits is converted by π function 1711 as a parameter of the work key 1723
It becomes 0. When the second section 1704 of the plaintext 1702 is input, compression (substitution) processing 1713 is performed using a part of the work key 1722 as a parameter, and compressed 128-bit data 1714 and a fraction 1715 are output. The length of the data obtained by connecting the fraction 1709 and the compressed data 1714 is 128 bits. Data obtained by connecting the fraction 1709 and the compressed data 1714 is converted by the π function 1716 using a part of the work key 1722 as a parameter, and the conversion result is expanded by the expansion function 1717. The output of the π function 1716, g ₂ 172 a portion of the data of the converted 128-bit by π function 1718 as a parameter of the work key 1722
It becomes 1. The first N bits by repeating the process
When all of 1702 are converted, c ₁ 1719 is obtained as a conversion result.

In the fifth embodiment, the plaintext 1604 is the same as the conventional public key encryption such as RSA in the sense that the plaintext 1604 has been converted into the ciphertext 1616 using the public key Q1603.
However, for ordinary plaintext in which compression is effective by Huffman compression or the like, it differs from conventional public key cryptography in that the length of ciphertext 1616 is shorter than the length of plaintext 1604.
In the fifth embodiment, in FIG. 17, the π function is operated twice each on the 128-bit compressed data 1708, the fraction 1709 and the compressed data 1714,... You may.

FIG. 18 is a diagram showing a sixth embodiment of the present invention. In FIG. 18, a secret key 1802, which is a parameter in elliptic encryption, and a ciphertext 1803 are provided to a decryption device 1801.
Is entered.

In the decryption device 1801, the secret key 1802,
And R1804 of ciphertext 1803 is integer multiple operation function 180
Then, (x, y) = dR is calculated, and the numerical value x of the x coordinate is output.

The number generation function 1808 has the sequence number “1”.
Generate The hash function h1809 generates and outputs a hash value for the data in which the sequence number “1” and the numerical value x are joined. Using this hash value as a key, the decryption / decompression function 1810
Decrypt and decompress c1805. The result of decoding and decompression is output as the first N bits 1815.

The number generation function 1811 has the sequence number “2”.
Generate A hash function h1812 generates and outputs a hash value for data in which the sequence number “2” and the numerical value x are joined. Using this hash value as a key, the decryption / decompression function 1813 outputs c ₂ 1806 of the ciphertext 1803.
Is decrypted and decompressed. The result of decoding and decompression is output as the next N bits 1816. .. Are repeated, and all the ciphertexts 1803 are converted. As a result, the plaintext 18
14 is obtained.

FIG. 19 shows the decryption / decompression function 1810 of FIG.
Show details. Within the decryption / decompression function 1810, the key 1905
, The extended function 1906 copies multiple keys 1905
And connecting them together as a work key 1923
Output. c₁G out of 1902₁When 1903 is entered,
Π with some data of the^-1function
1907, and the conversion result is stored in the extension 1909.
And expanded and output as a work key 1924. here
Where π^-1The function 1907 is the inverse function of the π function 1711 in FIG.
is there. That is, the same parameters are used for the π function 1711 and π^-1function
When set to 1907, the data m is
The data π (m) obtained by the conversion is further converted to π ^-1Function 1907
Returns to the original data m after conversion. Sand
M = π^-1(π (m)). The π^-1The output of function 1907 is a partial data of work key 1923.
Data with parameters as π^-1Converted by function 1910,
Is output. The output result is output to the expansion (substitution) function 1911.
From the part of the work key 1923 as a parameter
Decompressed and the result is decompressed data 1912 and fraction 19
It becomes 13. The decompression data 1912 is output as the first section 1921.
It is.

Here, the expansion (substitution) function 1911 is the inverse conversion of the compression (substitution) function 1707 in FIG. That is, when the same parameter is set in the compression (substitution) function 1707 and the decompression (substitution) function 1911, the data m is compressed (substitution) function 1
If the data obtained by conversion by 707 is further converted by the decompression (substitution) function 1911, the original data is restored.

When g ₂ 1904 of c ₁ 1902 is input, the π ⁻¹ function is performed using a part of the data of the work key 1924 as a parameter.
The conversion is performed by 19141, and the conversion result is expanded in the expansion function 1915.

The output of the π ⁻¹ function 1914 is the work key 1924
Is converted by the π ⁻¹ function 1916 using a part of the data as a parameter and output. The output result is expanded (substitution)
The function 1917 decompresses the data of a part of the work key 1924 as a parameter, and the result is decompressed data 1918 and a fraction 1919. Data obtained by joining the fraction 1913 obtained in the previous process and the decompressed data 1912 obtained in the current process is output as the second section 1922. .. Are repeated to convert all c ₁ 1902, the first N bits 1920 are obtained.

In the sixth embodiment, the ciphertext 1803
Is the same as a conventional public key encryption such as RSA in the sense that it has been decrypted and converted into a plaintext 1814 using the secret key d1802. However, ciphertext compressed by Huffman compression or the like is different from conventional public key cryptography in that data length after decryption is longer than that before decryption.

FIG. 20 is a diagram showing a seventh embodiment of the present invention. In FIG. 20, a cryptographic device 2001 provides a base point P2002 and a public key Q20
03 and plaintext 2004 are input.

In the encryption device 2001, a random number generation function
2007 generates a random number k. Then, the random number k and the base point P2002 are input to the integer multiple operation function 2008, and R
= KP is calculated, and the ciphertext R2016 is output. The random number k and the public key Q2003 are input to the integer multiple operation function 2009,
(x, y) = kQ is calculated, and the numerical value x of the x coordinate is output.

A hash function h2001 generates a hash value for the numerical value x and outputs it as a key 2020. Using the key 2020 as a key, the compression / encryption function 2012 compresses and encrypts the first N bits 2005 of the plaintext 2004. Compressed and encrypted result is output as c ₁ 2018.

For the key 2020, the hash function h2014 generates a hash value and outputs it as the key 2021. This key 2021
Using the as a key, the compression / encryption function 2015 compresses / encrypts the next N bits 2006 of the plaintext 2004. Compressed and encrypted result is output as c ₂ 2019. .. Are repeated, and all the plaintext 2004 is converted. As a result, a ciphertext 2016 is obtained.

In the seventh embodiment, the plaintext 2004 is the same as the conventional public key encryption such as RSA in the sense that the plaintext 2004 is converted into the ciphertext 2016 using the public key Q2003.
However, it differs from conventional public key cryptography in that the length of the ciphertext 2016 is shorter than the length of the plaintext 2004 for ordinary plaintext in which compression is effective by Huffman compression or the like.

[0152]

The present invention has the following special effects.

(1) A high-speed hash function can be realized.

In the process of the hash function, FIG.
Cyclic shift processing for 32-bit data as shown in _{(A = rot 5 (X L} + H 2 +1), the process of _{C = B + rot 12 (B} ) +1) and 3
And a combination of the 2-bit AND operation between (process _{E = C · D + Y 2} ). This is effective in efficiently disturbing data. What is a cyclic shift is a single process
Although a 32-bit transpose is implemented, modern microprocessors, such as Intel's Pentium, complete this cyclic shift in one cycle. A 100MHz Pentium will make 100 million cyclic shifts per second. 20MHz once
With the 68020 processor, it was possible to shift cyclically only about 2.5 million times per second, but it was 40 times faster. Also, the product operation of 32 bits, that is, 32 bits × 32 bits → 64 bits, is a very effective substitute for increasing the degree of data disturbance in which each input bit is affected by all input bits. is there. A 100MHz Pentium performs 10 million product operations per second. Former
With a 20MHz 68020 processor, the product operation could be performed only 500,000 times per second, but it is 20 times faster. One of the features of the present invention is to use the basic operation of the microprocessor, which is particularly advantageous due to recent technical innovations, in performing such transposition / substitution mixed processing. As a result, a high-speed hash function can be realized. By the way, about the addition of 32 bits which has been often used in the conventional substitution processing, if the Pentium is 100 MHz, the addition is performed 100 million times per second. Former
A 20MHz 68020 processor could add about 10 million times a second, but only 10 times faster.
Considering that multiplication has a data disturbing effect for 32 additions and 32 shifts, it can be said that the advantage of using multiplication over addition has increased in the Pentium era.

(2) A secure (high security) hash function can be realized.

(A) In the conventional example of FIG. 21, when the length of the message segment input to the substitution / transposition repetition processing 2505 is compared with the length of the intermediate output to be output, the input length is equal to the output length. ("Hash function using block cipher"), the length of the input was longer than the length of the output ("Dedicated hash function"). In contrast, in the present invention, FIG.
As shown in the injection expansion unit 105, the length of the input unit of the message is shorter than the output length, and includes a process of performing injection expansion conversion such that the output value is always different if the input value is different I did it. This makes it relatively easy to avoid message collision in the substitution / transposition repetition processing 2505, which has become a problem in MD5.

(3) In the above-described conventional example, the initial value 2504 is not processed at all after the initial processing. On the other hand, in the present invention, as shown in FIG. 1, the input unit of the message of the injection enlargement unit 105 is input to the initially processed initial value 110 after the processing in the data enlargement unit 102. It was made to be input again to the same input part as. As a result, collision of the initial values such that the same hash value is derived for different initial values is less likely to occur.

(4) In the above conventional example, M ₁ 2502, M ₂ 2503
Once each section of the message was processed, it was not involved in any further processing. In contrast, in the present invention,
As shown in the process 104 of FIG. 1, the input is generally performed again K times toward the same input unit. This makes it difficult for messages to collide such that the same hash value is derived for different messages.

(5) Conventionally, public key encryption, common key encryption, and data compression have been provided as separate functions.
In other words, conventionally, when a message is to be compressed for encrypted communication, (a) the session key generated by random number generation is encrypted by the public key encryption function and delivered to the recipient, and (b) the message is Compression by compression function,
(c) The process of encrypting the compressed message using the session key and the common key encryption function and transmitting the encrypted message to the recipient is performed separately. On the other hand, the present invention makes it possible to simultaneously and efficiently realize these three functions by fusing public key encryption, common key encryption, and data compression in an inseparable manner.

[Brief description of the drawings]

FIG. 1 is an explanatory diagram illustrating a configuration example of a 256-bit hash function according to a first embodiment of the present invention.

FIG. 2 is an explanatory diagram showing a configuration example of a mixing process of a message and an initial value in the 256-bit hash function of FIG. 1;

FIG. 3 is a flowchart showing a flow of repeatedly expanding K data of L blocks of mixed data K times in the 256-bit hash function of FIG. 1;

FIG. 4 is a flowchart illustrating a processing flow of a single shot enlarging unit in FIG. 1;

5 is a flowchart showing a one-shot enlargement processing flow of 64 bits → 96 bits in the processing flow of the one-shot enlargement unit of FIG. 4;

6 is a flowchart showing a single-shot enlargement processing flow from 96 bits to 128 bits in the processing flow of the single-shot enlargement unit in FIG. 4;

FIG. 7 is a flowchart showing a single-shot enlargement processing flow from 128 bits to 256 bits in the processing flow of the single-shot enlargement unit in FIG. 4;

FIG. 8 is an explanatory diagram showing a configuration example of an 80-bit hash function according to the second embodiment of the present invention.

9 is an explanatory diagram showing a configuration example of a mixing process of a message and an initial value in the 80-bit hash function of FIG. 8;

FIG. 10 is a flowchart showing a processing flow of a single shot enlarging unit in FIG. 8;

11 is a flowchart showing a 64-bit → 64-bit one-shot processing flow in the processing flow of the single shot enlarging unit of FIG. 10;

FIG. 12 is a flowchart showing a flow of a one-shot enlargement process from 64 bits to 80 bits in the process flow of the one-shot enlargement unit in FIG. 10;

FIG. 13 is an explanatory diagram showing a configuration example of a 128-bit block cipher showing a third embodiment of the present invention.

14 is a flowchart showing a detailed flow of a π function in the block cipher of FIG.

FIG. 15 is an explanatory diagram illustrating a configuration example of a masking device according to a fourth embodiment of the present invention.

FIG. 16 is an explanatory diagram illustrating a configuration example of an encryption device according to a fifth embodiment of the present invention.

17 is an explanatory diagram illustrating a configuration example of a compression / encryption function in the encryption device of FIG. 16;

FIG. 18 is an explanatory diagram illustrating a configuration example of a decoding device according to a sixth embodiment of the present invention.

19 is an explanatory diagram showing a configuration example of a decoding / decompression function in the decoding device of FIG. 18;

FIG. 20 is an explanatory diagram illustrating a configuration example of an encryption device according to a seventh embodiment of the present invention.

FIG. 21 is a diagram showing a conventional device configuration.

[Explanation of symbols]

2501 ... message, 101 ... hash function, 102 ... data enlargement unit, 103 ... "mixing of message and initial value" processing, 104 ...
"The mixing L blocks each K iterations extension data" processing, 107 ... extension data, 108 ... 64-bit first section E _1, 109
… 64-bit second section E ₂ , 105… Injection expansion unit, 110… 256-bit initial value, 111… Hash value H

────────────────────────────────────────────────── ───

[Procedure amendment]

[Submission date] March 1, 2000 (200.3.1)

[Procedure amendment 1]

[Document name to be amended] Statement

[Correction target item name] Claims

[Correction method] Change

[Correction contents]

[Claims]

Claims (20)

[Claims] 1. A method for generating a hash value for converting a message so as to make it difficult to perform an inverse conversion, comprising: dividing a message into a plurality of blocks; Multiplying the intermediate data; dividing the 2 × N-bit data obtained as a result of the multiplication into N-bit second intermediate data and N-bit third intermediate data; Performing a cyclic shift calculation on the data obtained by converting the intermediate data of the above, and performing a cyclic shift calculation also on the data obtained by converting the third intermediate data. Hash value generation method to be used. 2. A hash value generating method for converting a message so that it is difficult to perform a reverse conversion, wherein the message is divided into a plurality of pieces, and an output is provided if an input value is different for each divided message obtained by the division. The value of the output value is longer than the length of the input value, and includes the step of performing an injection extension conversion in which the length of the output value is longer than the length of the input value. A hash value generation method characterized in that the hash value changes. 3. The method according to claim 2, wherein the step of performing the injection expansion conversion includes a step of performing a multiplication on a converted input value or a step of performing a plurality of cyclic shift calculations having different shift numbers. 3. The hash value generation method according to claim 2, wherein: 4. An injection expansion conversion of a certain divided message among the plurality of divided messages is changed with an initial value set independently of the message as a parameter. 3. The hash value generation method according to claim 2, wherein the one-shot expansion conversion of the message changes using a result of the one-shot expansion conversion of the initial value as a parameter. 5. The method according to claim 1, wherein the first message comprises a first message.
Includes two steps of performing an extended injection transformation for each of the divided messages, wherein each of the extended injection transformations includes a result of the injection extended conversion of a second divided message different from the first divided message. 3. The hash value generation method according to claim 2, wherein the hash value is changed as a parameter. 6. A block encryption method for cryptographically converting a message block of a fixed length and outputting a ciphertext block of a fixed length, wherein the first N-bits obtained by converting the message block.
Multiplying the intermediate data of N by 2; dividing the 2 × N-bit data obtained as a result of the multiplication into N-bit second intermediate data and N-bit third intermediate data; 2) performing a cyclic shift calculation on data obtained by converting the second intermediate data, and performing a cyclic shift calculation on data obtained by converting the third intermediate data. Block encryption method. 7. A hash value generating apparatus for converting a message so as to make it difficult to perform an inverse conversion, wherein the hash value generating apparatus divides the message into a plurality of blocks, and converts the divided message blocks into N-bit first bits. Means for multiplying the intermediate data; means for dividing 2 × N-bit data obtained as a result of the multiplication into N-bit second intermediate data and N-bit third intermediate data; Means for performing a cyclic shift calculation on the data obtained by converting the intermediate data of the above, and also performing a cyclic shift calculation on the data obtained by converting the third intermediate data. Hash value generation device. 8. A hash value generating apparatus for converting a message so as to make it difficult to perform reverse conversion, wherein the message is divided into a plurality of pieces, and an output is provided if an input value is different for each of the divided messages obtained by the division. Includes means for performing the injection expansion conversion such that the value is always different and the length of the output value is longer than the length of the input value.The injection expansion conversion for a certain split message depends on other split messages. A hash value generation device characterized in that the hash value changes. 9. The method according to claim 1, wherein the means for performing the injection expansion conversion includes means for multiplying the input value converted, or means for performing a plurality of cyclic shift calculations having different shift numbers. 9. The hash value generation device according to claim 8, wherein: 10. An injection expansion conversion of a certain divided message among the plurality of divided messages is changed with an initial value set independently of the message as a parameter. 9. An injection expansion conversion of a message, wherein the result of the injection expansion conversion of the initial value is changed as a parameter.
The hash value generation device according to the above. 11. A method for performing one-shot extended conversion on a first divided message of the plurality of divided messages twice, wherein each of the one-shot extended conversions is performed by a first divided message. 9. The hash value generation device according to claim 8, wherein the result of the injection expansion conversion of the second divided message different from the above is changed as a parameter. 12. A block encryption device for cryptographically converting a message block of a fixed length and outputting a ciphertext block of a fixed length, wherein the first N-bits obtained by converting the message block.
Means for multiplying the intermediate data of N, N and N by dividing the 2 × N-bit data obtained as a result of the multiplication into N-bit second intermediate data and N-bit third intermediate data; Means for performing a cyclic shift calculation on data obtained by converting the second intermediate data, and also performing a cyclic shift calculation on data obtained by converting the third intermediate data. Block encryption device. 13. A method for compressing a message so that the message can be inversely transformed.
A compression / encryption method for performing cipher conversion and outputting a ciphertext, wherein after performing processing for compressing and converting a part of a message using data obtained by converting a key as a parameter, further performing injective conversion, A process of outputting the result as a part of the ciphertext, and compressing and transforming another part of the message using the intermediate data obtained during the process of the injection transformation as a parameter. , A compression / encryption method including a process of performing a multiplication and a process of performing a cyclic shift calculation. 14. A masking data generation method for converting input data of an arbitrary length to an arbitrary length so as to make it difficult to perform an inverse conversion, wherein a hash value of data generated from the input data and random number data is generated. Performing a one-shot transformation of a part of the input data using the hash value as a parameter, and outputting the result as a part of masking data; and converting the intermediate generated data obtained during the one-shot transformation into a parameter. Transforming a part of the input data into a single shot. 15. A public key encryption method that receives a public key and a plaintext as input and outputs a ciphertext, wherein a random number generation step, a random number generated by the random number generation step, and the public key are operated. Compressing or encrypting a part of the plaintext using the obtained data as a parameter, and compressing or encrypting another part of the plaintext using the data obtained during the compression or the encryption as a parameter A public key encryption method, comprising: 16. When a secret key and a ciphertext are input and plaintext is output, another part of the ciphertext is used as a parameter by using a part of the ciphertext and data obtained by operating the secret key. The public key encryption according to claim 15, wherein after decryption or expansion conversion, another part of the ciphertext is decrypted or expanded using data obtained during the decryption or expansion conversion as a parameter. Method. 17. A public key encryption method for receiving a public key and a plaintext as input and outputting a ciphertext as output, comprising the steps of: generating a random number; operating the random number generated by the random number generation step and the public key. Compressing or encrypting a part of the plaintext by using a parameter obtained by further converting the obtained data by a hash function; and obtaining another parameter of the plaintext using the data obtained during the compression or encryption conversion as a parameter. Compression / encryption conversion of a part of the public key encryption method. 18. A public key encrypting apparatus for receiving a public key and a plaintext as input and outputting a ciphertext as output, wherein the random number generating means, the random number generated by the random number generating means and the public key are operated. Means for compressing or encrypting a part of the plaintext using the obtained data as a parameter, and compressing or encrypting another part of the plaintext using the data obtained during the compression or the encryption conversion as a parameter Means, and a public key encryption device, comprising: 19. When a secret key and a ciphertext are input and plaintext is output, another part of the ciphertext is used as a parameter by using a part of the ciphertext and data obtained by operating the secret key. 19. The public key encryption according to claim 18, wherein after decryption or expansion conversion, another part of the ciphertext is decrypted or expanded using data obtained during the decryption or expansion conversion as a parameter. apparatus. 20. A public key encrypting apparatus which receives a public key and a plaintext as input and outputs a ciphertext, wherein the random number generating means, the random number generated by the random number generating means and the public key are operated. Means for compressing or encrypting a part of the plaintext by using a parameter obtained by further converting the obtained data by a hash function; and obtaining another parameter of the plaintext by using data obtained during the compression or encryption conversion as a parameter. Means for compressing or encrypting a part of the public key.