JP2004102310A - Device and method for ciphering - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a device and a method for ciphering in which safety is increased while maintaining interchangeability with the DES. <P>SOLUTION: The device is provided with two key schedule sections A and B which have the same constitution and respectively generate intermediate keys, that are used to scramble an input message, from two ciphered keys obtained by equally dividing the key information made of prescribed bit strings, an exclusive OR 14 which is used to obtain an exclusive OR for the two intermediate keys outputted from the sections A and B and a scrambling section which is used to scramble the input message using either one of the intermediate keys when it is detected that the two intermediate keys are the same by the fact that the exclusive OR 14 becomes 0 and used to scramble the input message based on the two intermediate keys when it is detected that the two intermediate keys are different from each other. <P>COPYRIGHT: (C)2004,JPO

Description

The present invention relates to an encryption device and an encryption method, and more particularly, to an encryption device and an encryption method using a secret key block cipher.

DES (Data Encryption Standard) is currently the most widely used secret key block cryptosystem, and is described in the literature, “Data Encryption Standard,” Federal Information Processing Standards Publication 46, National Bureau of Standards, USDepartment of Commerce, 1977.

$ DES is a 64-bit input, 64-bit output block cipher. Of these, 8 bits are used for key parity, so only 56 bits are a substantial key. Therefore, the safety of DES has been discussed since its inception, and since its introduction in 1977, evaluations have been made from various viewpoints. As a result, around 1990, one after another, more efficient decryption methods such as differential cryptanalysis and linear cryptanalysis than key exhaustive search were proposed. In particular, the use of the linear decoding method has succeeded in decoding the standard 16-stage DES.

For information on differential cryptanalysis, refer to the literature, E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems,” Journal of CRYPTOLOGY, Vol. 4, Number 1, 1991. Matsui, Makoto, "Linear Decryption of DES Cryptography (I)", Cryptography and Information Security Symposium, SCIS93-3C, 1993.

Considering the development of technology since the development of や DES and the above-described decoding method, DES is considered to have the following problems.

(1) Considering the progress of current hardware technology, it is possible to configure a 128-bit block cipher to perform processing at high speed, but a 64-bit block cipher is still used.

(2) There is a problem in the structure of the F function. At the time DES was developed, no linear cryptanalysis was invented, and its tolerance to linear cryptanalysis was not considered. Further, the table size of the S box included in the F function is small due to the restriction of the development of hardware technology. In view of the current level of hardware technology, it is desirable to increase the size of the S box to enhance security.

(3) Although a key consisting of 56 bits is used, it is not secure with a key length of 56 bits. With the development of hardware, now, it enables hardware to examine the combination of 2 ⁵⁶ keys. It has also been announced that the use of dedicated hardware makes it possible to search for all keys. In addition, a linear decryption method, which is one of the DES decryption methods, is to identify some bits of a key by decryption and perform an exhaustive search on the remaining bits. It is conceivable that the time and effort for performing an exhaustive search for the key bits is increased and the security is improved.

Regarding the above problem (3) regarding the problem of the DES key length, a method of lengthening the key while using the DES chip as it is has been considered. For example, a dissertation, B. Schneier, "Applied Cryptography," 2nd edition, Wiley (1996) discloses encryption methods such as DESX and Triple DES.

DESX is a method of performing an exclusive OR operation on each of the input and output of DES and a 64-bit key. However, theoretical security has been proven for exhaustive key search (J. Kilian and P. Rogaway, "How to protect DES against exhaustive key search," Proc. CRYPTO'96, pp. 252-267 (1996)). Further, since Triple DES uses an algorithm for processing DES in a triple manner, security higher than that of DES can be secured not only for exhaustive key search but also for differential cryptanalysis and linear cryptanalysis.

ＤＥ However, the above-mentioned DESX achieves only the same security as DES against differential cryptanalysis and linear cryptanalysis. Also, since the configuration of Triple DES is tripled, the processing speed is 1/3 of the processing speed of DES.

On the other hand, the problems described in (1) and (2) above relate to the structure of the DES itself, and it is not easy to improve them. Further, if these are improved, an encryption process different from that of the DES of the main body is performed, and a problem of compatibility with the DES newly occurs.

The encryption apparatus and encryption method of the present invention have been made in view of such a problem, and an object thereof is to provide an encryption apparatus capable of increasing security while maintaining compatibility with DES. An encryption device and an encryption method are provided.

In order to achieve the above object, an encryption device according to a first aspect of the present invention is configured to agitate an input message from a plurality of encryption keys obtained by dividing key information including a predetermined bit string into a plurality of pieces. A plurality of key generating means having the same configuration for generating intermediate keys to be used, a comparing means for comparing a plurality of intermediate keys output from the plurality of key generating means with each other, and a plurality of intermediate keys compared by the comparing means. When it is detected that the keys are the same, the input message is agitated using any one of the plurality of intermediate keys, and when it is detected that the compared plurality of intermediate keys are not the same. Comprises stirring means for stirring the input electronic message based on all of the plurality of intermediate keys.

Also, the encryption method according to the second invention is characterized in that a data agitating unit that agitates an input electronic message depending on externally input key information and outputs a corresponding encoded electronic message and a plurality of key generation units having the same configuration. And a comparing means, comprising: a key scheduler for expanding the intermediate information into an intermediate key when supplying the key information to the data agitator. From a plurality of encryption keys obtained by dividing key information consisting of a plurality of pieces of key information, by the plurality of key generation means, respectively, an intermediate key generation step of generating an intermediate key used to stir an input telegram; A comparing step of comparing the plurality of intermediate keys generated in the intermediate key generating step with each other by the comparing means; and, when it is detected that the plurality of intermediate keys compared in the comparing step are the same, The data agitating unit agitates the input message using any one of the plurality of intermediate keys, and when it is detected that the compared plurality of intermediate keys are not the same, the data agitating unit uses the plurality of intermediate keys. A stirring step of stirring the input electronic message based on all of the intermediate keys.

Further, the encryption device according to the third invention generates an intermediate key used to stir an input message from a plurality of encryption keys obtained by dividing key information consisting of a predetermined bit string into a plurality of pieces. A plurality of key generation means having the same configuration, a plurality of intermediate keys output from the plurality of key generation means being exclusive ORed with each other. Agitates the input message using any one of the plurality of intermediate keys, and if the result of the exclusive OR operation does not become 0, converts the input message based on all of the plurality of intermediate keys. Stirring means for stirring.

Further, the encryption method according to the fourth aspect of the present invention provides a data agitating unit that agitates an input telegram depending on key information input from the outside and outputs a corresponding encoded telegram; Means, and an exclusive OR operation means, wherein the key information is supplied to the data agitation section, and a key schedule section for developing the intermediate key is provided. ,
An intermediate key generation step of generating, from a plurality of encryption keys obtained by dividing key information consisting of a predetermined bit string into a plurality of pieces, an intermediate key used to stir an input telegram by the plurality of key generation means; An operation step of calculating exclusive OR by the exclusive OR operation means for the plurality of intermediate keys generated in the intermediate key generation step, and when the operation result in this operation step becomes 0, The data agitating unit agitates the input telegram using any one of the plurality of intermediate keys, and if the operation result in the operation step does not become 0, the data agitating unit generates a plurality of intermediate keys. And a stirring step of stirring the input message on the basis of all of them.

According to the present invention, it is possible to provide an encryption device and an encryption method that can increase security while maintaining compatibility with DES.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a diagram showing a configuration of an encryption device according to the present embodiment, in which a plain text (64 bits) as an input telegram is mixed depending on key information k input from the outside, and a corresponding coded telegram is converted. The data stirrer includes first to sixteenth stages for output and a key scheduler 4 for expanding key information k into intermediate keys supplied to the data stirrer.

In FIG. 1, a plaintext (64 bits) is subjected to an initial transposition IP, and is equally divided into two to generate a left 32 bits L ₀ and a right 32 bits R ₀ .

On the other hand, the key schedule 4 receives 128-bit key information k. The key schedule unit 4 generates an F function expansion key, an F2 key, and an F2 shift key by the method described below, and inputs them to the F function 2 and the F2 function 3 of the data agitation unit. Here, the F function 2 performs the same agitation processing as in the ordinary DES, and the F2 function 3 performs the agitation processing described below.

The F-function 2 receives the F-function expansion key and the output of the F2 function 3, performs a predetermined agitation process, and inputs the result to the exclusive OR 1. The exclusive OR 1 outputs an exclusive OR between L ₀ (32 bits) and the output of the F function 2, thereby obtaining the right 32 bits R _{1 of the} next stage. The output of F2 function 3 becomes the next stage of the left 32-bit L _1.

The above-described stirring processing is performed in the first stage, and L ₁ (32 bits) and R ₁ (32 bits) are sent to the second stage, and the same processing as in the first stage is performed. After the stirring process up to the 16th stage is performed in this way, the final transposition IP- ¹ is performed to obtain a cipher text (64 bits).

As described above, in this embodiment, in order to increase the number of bits of the key used in each stage of the DES, in addition to the normal DES configuration, the F2 function is added to the input side (the position shown in FIG. 1) of each stage. Is incorporated.

FIG. 2 shows a configuration of one stage of the key schedule unit 4 shown in FIG. 1, and includes a key schedule unit A and a key schedule unit B having the same configuration as the DES. Therefore, the key schedule unit 4 has a configuration in which 16 stages of the key schedule unit having such a configuration are provided. Since the key schedule units A and B perform the same processing, only the key schedule unit A will be described here.

The $ 128-bit key information is divided into halves, subjected to the contracted transposition PC-1, and then input as a 56-bit key to each key schedule unit.

After performing a left shift process on the C ₀ (28 bits) and D ₀ (28 bits) of each of the two 28-bit keys generated by equally dividing the key (56 bits) into two in the left shift unit 10A. , To the bit selection unit 11A. The bit selector 11A outputs a first intermediate key composed of 48 bits and a key composed of 5 bits by a predetermined bit selection process. As the 5-bit key, for example, the 9, 18, 22, 25, and 35th 5 bits from the left of the 56-bit key are used. Similarly, a second intermediate key composed of 48 bits and a key composed of 5 bits are output from the bit selection section 10B.

Then, an exclusive OR 14 is obtained between the 48-bit key from the bit selection unit 11A and the 48-bit key from the bit selection unit 11B, and the resulting 48-bit third intermediate key is set to 3 or the like. Then, 16-bit keys G1, G2, and G3 are obtained. The keys G1, G2, and G3 are input to the F2 function 3 as the F2 key.

Similarly, an exclusive OR 12 is obtained between the 5-bit key from the bit selection unit 11A of the key schedule unit A and the 5-bit key from the bit selection unit 11B of the key schedule unit B. A value obtained by taking an exclusive OR 13 with 0X10 (0X represents hexadecimal) is input to the F2 function 3 as an F2 shift key.

Further, in the present embodiment, the 48-bit key from the bit selection unit 11A of the key schedule unit A is input to the F function 2 as an F function expansion key. Further, C ₁ (28 bits) and D ₁ (28 bits) obtained by left-shifting each of the 28-bit keys C ₀ (28 bits) and D ₀ (28 bits) are used as the key schedule of the next stage. It becomes the input of the department.

As described above, in the present embodiment, in order to maintain compatibility with DES, a 128-bit key is divided into 64 bits, and the key schedule units A and B of DES are applied to each key. Also, the 48-bit key from the key schedule unit A is used as it is as the expanded key input to the F function. As a key used for the F2 function, the bitwise exclusive OR of a 48-bit key from the key scheduler A and a 48-bit key from the key scheduler B is divided into blocks of 16 bits each, and G1 , G2, G3. In addition, a specific 5th bit from the left of the 56-bit key is selected and used as a shift key of the F2 function.

FIG. 3 is a diagram showing the configuration of the F2 function 3. Here generates R ₀ (32 bits) equal to two of the 16-bit block into two as shown in FIG. The 16-bit block on the left is input to the exclusive OR 20. The 16-bit block on the right is input to the logical product 21 and the exclusive logical sum 22.

The logical product 21 is the logical product of the 16-bit key G1 and the right 16-bit key and input to the exclusive OR 20. The exclusive OR 20 takes exclusive logic between the left 16-bit block and the key from the logical product 21, and inputs the result to the left cyclic shift unit 23.

On the other hand, the exclusive OR 22 takes an exclusive OR between the 16-bit key G2 and the right 16-bit block, and inputs the result to the left cyclic shift unit 23. The left cyclic shift unit 23 regards the input 5-bit F2 shift key in binary notation with respect to the 32-bit key composed of the output of the exclusive OR 20 and the output of the exclusive OR 22, Perform a left cyclic shift by the number of bits.

１６ The left half 16 bits of the 32-bit intermediate data after the left cyclic shift is the right half output of the F2 function 3. The right half 16 bits of the 32-bit intermediate data after the left cyclic shift is input to the exclusive OR 24.

The logical product 25 calculates the logical product of the 16-bit key G3 and the left half 16 bits of the 32-bit intermediate data after the left cyclic shift, and inputs the result to the exclusive OR 24. The exclusive OR 24 calculates the exclusive OR between this logical product and the right half 16 bits of the 32-bit intermediate data after performing the left cyclic shift, and sets the result as the left half of the F2 function 3. Output.

As described above, in the F2 function of the present embodiment, a 32-bit input is divided into 16 bits, and a logical sum or a logical product of the divided keys is calculated for each bit. Further, the cyclic shift unit performs a cyclic shift on the 32-bit key by the number of bits of the F2 shift key.

わ か る As can be seen from the above description, the advantage of the encryption device of the present embodiment is that the same key schedule configuration as DES is used. By duplicating the 64-bit key to generate a 128-bit key, full compatibility with DES can be maintained. This is because if the 64-bit inputs of the two key schedule units A and B are the same, the intermediate key generated by each schedule unit is also the same. If the intermediate keys generated by the respective schedule units are the same, the exclusive OR 14 for each bit of the two becomes 0, so that G1, G2, and G3 used in the F2 function 3 also become 0. Similarly, the output of the exclusive OR 12 is also 0, and the F2 shift key is 0X10.

At this time, one of the inputs of the exclusive ORs 20 and 22 of the F2 function 3 shown in FIG. 3 becomes 0, so the two 16-bit keys input to the F2 function 3 are directly input to the left cyclic shift unit 23. Is done. Further, the left cyclic shift unit 23 uses the exclusive OR 12 and the exclusive OR 13 of 0X10 between the two 5-bit keys from the key schedule units A and B as an F2 shift key. Therefore, when G3 = 0, that is, when one input of the exclusive OR 24 is 0, the same bit string as the bit string (32 bits) input to the F2 function 3 is output. Will be.

In this way, if the input of the 64 bits of the two key schedule units A and B is the same, the structure of the F2 function 3 will be ignored. The processing is exactly the same as the DES used, and the compatibility is satisfied.

Furthermore, in this embodiment, the addition of the F2 function increases the data processing in each stage as compared with DES, but the operations used in the F2 function include a left cyclic shift instruction, a logical sum, a logical product, These are exclusive ORs, and these operations are usually implemented in many pieces of hardware, so that high-speed processing is possible. As a result, the processing efficiency does not decrease so much as compared with DES.

In the present embodiment, the key is added by the F2 function. When adding a key, there is a method to take the exclusive OR of the input data and the key. In this method, when the linear decryption method is applied, the key added by the exclusive OR is relatively easy during the decryption process. , And increasing the number of bits of the key has little effect on enhancing security. On the other hand, in the present embodiment, the key is added using the logical sum or the logical product, so that the key is not directly derived by the linear decryption method, and the strength of the security is increased by increasing the number of bits of the key. Improvement can be measured.

The throughput when the sample source program for encryption of the present embodiment is executed in a system environment without the optimization option using Solaris 2.5 as the OS and gcc-2.7.2 as the compiler is as follows. DES was measured. Here, the DES configuration is obtained by removing the portion related to the F2 function from the sample source program.

As a result of the measurement, a result as shown in FIG. 4A was obtained. In this embodiment, the speed ratio of the throughput is 90.6% of the DES, which is compared with that of the triple DES in which the DES is configured three times (1 / 33.3%) the speed of the DES. It turns out that it is fast enough.

Next, the throughput when a similar sample source program is executed in a system environment using Linux as an OS, Pentium (registered trademark) 120 MHz as a CPU, gcc-2.7.2.1 as a compiler, and −02 as an optimization option is shown. The embodiment and DES were measured. Also in this case, the DES configuration is obtained by removing the part related to the F2 function from the sample source program.

As a result of the measurement, a result as shown in FIG. 4 (b) was obtained. According to FIG. 4B, the speed ratio of the throughput in this embodiment is 65% of the DES, and the Triple DES in which the DES is configured three times has a speed of 1/3 of the DES. It turns out that it is fast enough.

FIG. 1 is a diagram illustrating a configuration of an encryption device according to an embodiment of the present invention. FIG. 2 is a diagram illustrating a configuration of one stage of a key schedule unit 4 illustrated in FIG. 1. FIG. 2 is a diagram illustrating a configuration of an F2 function illustrated in FIG. 1. FIG. 14 is a diagram illustrating a result of measuring a throughput when the sample source program according to the encryption method of the present embodiment is executed for the present embodiment and DES.

Explanation of reference numerals

DESCRIPTION OF SYMBOLS 1 ... Exclusive OR, 2 ... F function, 3 ... F2 function, 4 ... Key schedule part, 10A, 10B ... Left shift part, 11A, 11B ... Bit selection part, 12, 13, 14 ... Exclusive OR

Claims (4)

From a plurality of encryption keys obtained by dividing key information consisting of a predetermined bit string into a plurality of pieces, a plurality of key generation means of the same configuration that respectively generate intermediate keys used for stirring the input message,
Comparing means for comparing the plurality of intermediate keys output from the plurality of key generating means with each other;
If the comparison means detects that the plurality of intermediate keys are the same, the input message is agitated using any one of the plurality of intermediate keys, and the plurality of compared intermediate keys are used. If it is detected that are not the same, a stirring means for stirring the input message based on all of the plurality of intermediate keys,
An encryption device comprising: A data agitating unit that agitates an input telegram depending on key information input from the outside and outputs a corresponding encoded telegram, a plurality of key generation units having the same configuration, and a comparison unit; An encryption method using an encryption device including a key schedule unit that expands an intermediate key when supplying the data to the data agitation unit,
An intermediate key generation step of generating, from the plurality of encryption keys obtained by dividing key information composed of a predetermined bit string into a plurality of pieces of key information, the plurality of key generation means respectively generating intermediate keys used to stir an input message; When,
A comparing step of comparing the plurality of intermediate keys generated in the intermediate key generating step with each other by the comparing means;
When it is detected that the plurality of intermediate keys compared in the comparing step are the same, the data agitating unit agitates the input electronic message using any one of the plurality of intermediate keys, When it is detected that the plurality of intermediate keys are not the same, a stirring step of stirring the input electronic message based on all of the plurality of intermediate keys in the data stirring section,
An encryption method comprising: From a plurality of encryption keys obtained by dividing key information consisting of a predetermined bit string into a plurality of pieces, a plurality of key generation means of the same configuration that respectively generate intermediate keys used for stirring the input message,
Means for exclusive-ORing the plurality of intermediate keys output from the plurality of key generation means with each other;
If the result of the exclusive ethics is 0, the input message is agitated using one of the plurality of intermediate keys, and the result of the exclusive OR is not 0 A stirring means for stirring the input message based on all of the plurality of intermediate keys;
An encryption device comprising: It has a data agitating unit that agitates an input telegram depending on key information input from the outside and outputs a corresponding encoded telegram, a plurality of key generation units having the same configuration, and an exclusive OR operation unit. An encryption method using an encryption device comprising: a key schedule unit that expands an intermediate key when supplying the key information to the data agitation unit;
An intermediate key generation step of generating, from a plurality of encryption keys obtained by dividing key information consisting of a predetermined bit string into a plurality of pieces, an intermediate key used to stir an input telegram by the plurality of key generation means; ,
An operation step of calculating exclusive OR by the exclusive OR operation means for the plurality of intermediate keys generated in the intermediate key generation step;
When the calculation result in this calculation step becomes 0, the data shuffling unit mixes the input telegram using any one of the plurality of intermediate keys, and if the calculation result in the calculation step becomes 0, If not, a stirring step of stirring the input electronic message based on all of the plurality of intermediate keys in the data stirring section;
An encryption method comprising:

Images