JP2007034212A - Block encryption apparatus, block decryption apparatus, and their method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To easily generate a cipher in which block length is different. <P>SOLUTION: A bit stream of a part of plain data 110 is defined as an initial value of a first partial data, and the other bit stream of the plain data 110 is defined as an initial value of a second partial data. By using the first partial data, a first conversion data in which bit length is different from that of the first partial data is generated (S3). By using a key data, block cipher data in which the first conversion data is block-encrypted is generated (S4b). By using the block cipher data, a second conversion data in which the bit length is the same as the second partial data is generated (S5). Exclusive OR of the second partial data and the second conversion data is calculated (S6). The calculation result is defined as a new second partial data, and the first partial data and the second partial data are exchanged (S9). Similar processing is repeated and finally, the first partial data and the second partial data are combined into the cipher data 170. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to encryption technology, and more particularly to block encryption technology.

In recent years, various cryptographic techniques have been used with the development of digital networks such as the Internet. For example, block cipher is an encryption method widely used as a common key encryption method, and performs encryption / decryption in units of fixed-length data called “blocks” (see Non-Patent Document 1). In the block cipher field, a block cipher with a fixed block length such as AES can be used relatively easily. The “block length” means the bit length of “block”.
Tatsuaki Okamoto, Hiroshi Yamamoto, “Contemporary Cryptography” 3rd edition, Sangyo Tosho, January 25, 2000, P6

However, in a conventional block cipher having a fixed block length such as AES, when a cipher other than the fixed block length is required, a block cipher having a different block length must be separately prepared.
The present invention has been made in view of these points, and an object of the present invention is to provide a technique that makes it possible to easily generate ciphertexts having different block lengths.

  In order to solve the above problems, a memory for storing plaintext data, a bit string of a part of the plaintext data is read as an initial value of the first partial data, and another bit string of the plaintext data is used as an initial value of the second partial data. A data dividing unit to be read; a first conversion unit that uses the first partial data to generate first conversion data having a different bit length; and block ciphertext data obtained by block-encrypting the first conversion data using key data A block encryption unit that generates data, a second conversion unit that uses block ciphertext data and generates second conversion data having the same bit length as the second partial data, and exclusion of the second partial data and the second conversion data There is provided a block cipher apparatus having an exclusive OR calculation unit that calculates a logical OR and uses the calculation result as new second partial data.

Here, the first conversion unit uses the first partial data and generates first conversion data having a bit length different from the first partial data, and the second conversion unit uses the block ciphertext data to generate the second partial data. The second conversion data having the same bit length is generated. Thereby, the block length of the plaintext data and ciphertext data to be handled can be easily changed.
In the block cipher apparatus of the present invention, preferably, the first partial data and the second partial data are exchanged, and a first conversion unit, a block encryption unit, a second conversion unit, an exclusive OR calculation unit, A control unit that repeatedly executes the round process for executing the above process. The key data used by the block encryption unit is common to at least one of the round processes. The second conversion unit uses a part of the bit string extracted from the block ciphertext data as the second conversion data, and the position of the bit string that the second conversion unit extracts from the block ciphertext data is at least between any round processes. Is different.

Here, the position of the bit extracted from the block ciphertext data by the second conversion unit is set to be different between at least one of the round processes. Thereby, the correlation of the 2nd partial data produced | generated between round processes from which the extraction position of a bit differs can be eliminated. Thereby, the security of encryption improves.
This is also true even if the key data used in the round processing is the same. That is, the correlation of the generated second partial data can be eliminated without performing the process of making the key data different between the round processes. This means that the security of encryption can be improved while keeping the amount of computation low.

Preferably, in the block cipher apparatus according to the present invention, the key data used by the block encryption unit is common to all round processes, and the bit positions extracted from the block ciphertext data by the second conversion unit are all Differences between round processes.
Thereby, the correlation of all the second partial data generated by each round process can be eliminated without performing any process for making the key data different between the round processes. As a result, it is possible to further reduce the amount of calculation and improve the security of encryption.
The block cipher apparatus of the present invention preferably has a counter that outputs a different count value for each round process, and the block encryption unit encrypts one key data stored in the memory in all round processes. Block ciphertext data is generated as a key, and the second conversion unit cuts out from the block ciphertext data a bit string having a head address that is an integer multiple of the count value output from the counter.

Further, in the block cipher apparatus of the present invention, preferably, the bit length of the plaintext data is shorter than the bit length of the key data.
As a result, it is possible to use key data having a long bit length with high security and encrypt plaintext data having a shorter bit length.
In order to solve the above-described problem, a ciphertext data memory and a bit string of one part of the ciphertext data are read as an initial value of the first partial data, and another bit string of the ciphertext data is read as the second part A data division unit to be read as an initial value of data, a first conversion unit that uses first partial data and generates first conversion data having a different bit length, and block-decrypts the first conversion data using key data A block decoding unit that generates the block decrypted text data, a second conversion unit that uses the block decrypted text data to generate second converted data having a bit length equal to the second partial data, a second partial data, and a second There is provided a block decoding device having an exclusive OR calculation unit that calculates an exclusive OR with conversion data and uses the calculation result as new second partial data.

  Thereby, the block length of the plaintext data and ciphertext data to be handled can be easily changed.

As described above, in the present invention, the block length of plaintext data or ciphertext data to be handled can be easily changed.
In addition, by making the position of the bit string that the second conversion unit extracts from the block ciphertext data differ between at least one of the round processes, it is possible to improve safety while suppressing an increase in the amount of computation.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[First Embodiment]
First, a first embodiment of the present invention will be described.
<Configuration of block encryption device>
[Hardware configuration of block cipher]
FIG. 1 is a block diagram illustrating a hardware configuration of the block cipher apparatus 1 according to this embodiment.

As illustrated in FIG. 1, the block cipher apparatus 1 of this example includes a CPU (Central Processing Unit) 2, an input unit 3, an auxiliary storage device 4, a RAM (Random Access Memory) 5, a ROM (Read Only Memory) 6, A communication unit 7 and a bus 8 are included.
The CPU 12 in this example includes a control unit 2a, a calculation unit 2b, and a register 2c, and executes various calculation processes according to various programs read into the register 2c. Also, the input unit 3 in this example is an input port for inputting data, a keyboard, a mouse, and the like, and the transmission unit 7 is a NIC (Network Interface Card) that performs information communication through a network such as the Internet, a modem, and the like. is there. The auxiliary storage device 4 is, for example, a hard disk, an MO (Magneto-Optical disc), a semiconductor memory, or the like. The auxiliary storage device 4 is a program area 4a that stores a program for executing the block cipher processing of this embodiment, and data that stores various data. It has the area | region 4b. The RAM 5 is, for example, a static random access memory (SRAM), a dynamic random access memory (DRAM), and the like, and has a program area 5a and a data area 5b. The bus 8 in this example connects the CPU 2, the input unit 3, the auxiliary storage device 4, the RAM 5, the ROM 6, and the communication unit 7 so that they can communicate with each other.

[Software configuration of block cipher]
Next, the configuration of the program of the block cipher apparatus stored in the program areas 4a and 5a will be described.
This program reads a bit string of a part of plaintext data as an initial value of the first partial data, a data division program for reading another bit string of the plaintext data as an initial value of the second partial data, and the first partial data And a block encryption for generating block ciphertext data obtained by block-encrypting the first conversion data using the key data. A program, a second conversion program for generating second conversion data having the same bit length as the second partial data using block ciphertext data, and an exclusive OR of the second partial data and the second conversion data An exclusive OR calculation program for calculating and making the calculation result a new second partial data; a first partial data; a second partial data; An exchange operation program for executing the exchange operation, a combined program for generating ciphertext data by combining the first partial data and the second partial data, and a control program for controlling the entire block cipher apparatus; have.

Each of these programs may be configured as a single program sequence, or at least one program may be stored in the library as a separate module. The function may be realized by the above-described program alone, or the above-mentioned program may read out another library (not described) to realize each function.
[Cooperation between hardware and software]
The CPU 2 in this example writes the above-mentioned program stored in the program area 4 a of the auxiliary storage device 4 in the program area 5 a of the RAM 5 in accordance with the read OS (Operating System) program. Similarly, the CPU 2 writes various data stored in the data area 4 b of the auxiliary storage device 4 in the data area 5 b of the RAM 5. Further, the CPU 2 stores the address on the RAM 5 where the program and various data are written in the register 2c. Then, the control unit 2a of the CPU 2 sequentially reads these addresses stored in the register 2c, reads a program and data from the area on the RAM 5 indicated by the read address, and sequentially executes the calculation indicated by the program by the calculation unit 2b. The operation result is stored in the register 2c.

FIG. 2 is an example of a block diagram of the block encryption device 1 configured by reading the program into the CPU 2 in this way. In this figure, the description of the flow of data to and from the control unit 80 is omitted.
As illustrated in FIG. 2, the block cipher apparatus 1 of this example includes a data dividing unit 10, a first conversion unit 20, a counter 31, block encryption units 32 and 33, a second conversion unit 40, and an exclusive OR calculation. Unit 50, data operation unit 60, memory 70, and control unit 80. Note that the memory 70 has areas 71 to 77.

Here, the memory 70 corresponds to, for example, any one of the auxiliary storage device 4, the RAM 5, the register 2 c, or a storage area using these in combination. In addition, the data dividing unit 10, the first conversion unit 20, the counter 31, the block encryption units 32 and 33, the second conversion unit 40, the exclusive OR calculation unit 50, the data operation unit 60, and the control unit 80 in this example are as follows. This corresponds to the CPU 2 into which the above program is read. Each data stored in the memory 70 will be described later.
<Configuration of block decoding device>
[Hardware configuration of block decoding apparatus]
This is the same as the hardware configuration of the block cipher apparatus illustrated in FIG.

[Program Configuration of Block Decoding Device]
A program of the block decryption device includes a data division program for reading a bit string of a part of ciphertext data as an initial value of the first partial data and reading another bit string of the ciphertext data as an initial value of the second partial data; , Using the first partial data, generating a first conversion program for generating first conversion data having a different bit length, and generating block decrypted text data obtained by block decoding the first conversion data using the key data A block decoding program for generating a second converted data having a bit length equal to the second partial data using the block decoded text data, and the second partial data and the second converted data An exclusive OR calculation program for calculating exclusive OR and making the calculation result a new second partial data, and first partial data The exchange operation program for executing the exchange operation with the second partial data, the combined program for generating the plaintext data by combining the first partial data and the second partial data, and the entire block decoding device are controlled. Control program.

Each of these programs may be configured as a single program sequence, or at least one program may be stored in the library as a separate module. The function may be realized by the above-described program alone, or the above-mentioned program may read out another library (not described) to realize each function.
[Cooperation between hardware and software]
FIG. 3 is an example of a block diagram of a block decryption apparatus 200 configured by reading a program into the CPU, similarly to the block encryption apparatus 1. In this figure, the description of the flow of data entering and exiting the control unit 280 is omitted.

As illustrated in FIG. 3, the block decryption apparatus 200 in this example includes a data division unit 210, a first conversion unit 220, a counter 231, a block encryption unit 232, a block decryption unit 233, a second conversion unit 240, an exclusive A logical OR calculation unit 250, a data operation unit 260, a memory 270, and a control unit 280. The memory 270 has areas 271 to 277.
Here, the memory 270 corresponds to, for example, an auxiliary storage device, a RAM, a register, or a storage area using these in combination. In this example, the data dividing unit 210, the first conversion unit 220, the counter 231, the block encryption unit 232, the block decryption unit 233, the second conversion unit 240, the exclusive OR calculation unit 250, the data operation unit 260, and the control The unit 280 corresponds to a CPU in which the above program is read. Each data stored in the memory 270 will be described later.

<Pretreatment>
Next, pre-processing of block encryption processing and block decryption processing executed by the block encryption device 1 and the block decryption device 200 will be described.
First, the M bit key data 100 is stored in the area 71 of the memory 70 of the block cipher apparatus 1, and the M bit key data 300 is stored in the area 271 of the memory 270 of the block decryption apparatus 200. The key data 100 and 300 are common keys used in the block cipher of this embodiment, and the key data 100 and 300 are data indicating the same value. In the example of this embodiment, the key data 100 and 300 are data having a bit length M = 128 bits.

Further, 2 L-bit plaintext data 110 is stored in the area 72 of the memory 70 of the block cipher apparatus 1. Note that the bit length of the plaintext data 110 in this example is 2L = 36 bits, which is shorter than the bit length of the key data 100 and 300.
<Block cipher processing>
Next, block cipher processing executed by the block cipher apparatus 1 of the present embodiment will be described.
FIG. 4 is a flowchart for explaining the block cipher processing of this embodiment. 5 to 7 are diagrams for explaining the block cipher processing of this embodiment. Hereinafter, the block cipher processing of this embodiment will be described with reference to these drawings and FIG. The following processing is executed under the control of the control unit 80 (FIG. 2).

The block cipher processing of this embodiment is cipher processing using the Faithtel structure.
First, the counter 31 resets the count value n to 0 (step S1). The count value n is a character string of M bits (in this example, M = 128 bits).
Next, the data dividing unit 10 reads a bit string 111 of a part of the plaintext data 110 stored in the area 72 of the memory 70 as an initial value of the first partial data 121 and stores it in the area 73. Is read as the initial value of the second partial data 122 and stored in the area 74 (step S2). In this example, the lower L = 16 bits of the plaintext data 110 are stored in the area 73 as the initial value of the first partial data 121, and the upper L = 16 bits of the plaintext data 110 are stored in the area 74 as the initial value of the second partial data 122. To do.

Next, the first conversion unit 20 reads the first partial data 121 stored in the area 73 of the memory 70, generates first conversion data 130 having a different bit length from this, and stores the first conversion data 130 in the area 75 of the memory 70. (Step S3). In this example, the first partial data 121 having a bit length L = 16 bits is converted into first converted data 130 having a bit length M = 128 bits, which is equal to the key data 100, by padding. Note that padding refers to the following processing.
[Padding (Fig. 6 (a))]
Input: L bit string Output: M bit string (however, L <M)
Processing: Outputs a specific L-bit character string that is not dependent on the input value of a specific M-bit character string, replaced with the input L-bit character string.

For example, in the example of FIG. 6A, M = 128, L = 16, and the first L bit of the M bit character string in which all bits are 0 is replaced with the input L bit character string and output “padding” (End of description of [Padding]).
Next, the block encryption unit 32 reads M (128 in this example) key data (K) 100 from the area 71 of the memory 70. Then, the block encryption unit 32 performs block encryption of the count value n of M (128 in this example) output from the counter 31 with this key data (K) 100, and M (128 in this example) bit. generating the key data _{K n} (step S4a).

Next, the block encryption unit 33 reads M (128 in this example) first conversion data 130 from the area 75 of the memory 70. Then, the block encryption unit 33 uses the key data K _n (M = 128 bits in this example) generated by the block encryption unit 32, and the block ciphertext data (C _n ) obtained by performing block encryption on the first conversion data 130 ) 140 (M = 128 bits in this example) is generated (step S4b). The block encryption unit 33 stores the generated block ciphertext data (C _n ) 140 in the area 76 of the memory 70. Block encryption is the following processing.

[Block encryption (FIG. 7A)]
Input: Plain text data (α bit character string), key data (β bit character string)
Output: Ciphertext data (γ bit character string)
Process: Ciphertext data is obtained and output from the key data and plaintext data using block cipher.
For example, FIG. 7A shows an example where α = β = γ = 128. Moreover, as an example of block cipher, AES specification cipher etc. can be illustrated, for example (end of description of [block encryption]).

The second conversion unit 40 reads the block ciphertext data _(C n) 140 from the area 76 of the memory 70, using the block ciphertext data _(C n) 140, the bit length to the second partial data 122 Equal second conversion data 150 is generated (step S5). The second conversion unit 40 stores the generated second conversion data 150 in the area 77 of the memory 70. In the example of this embodiment, a part (L = 16 bit) bit string cut out from the M = 128 bit block ciphertext data (C _n ) 140 is set as the second conversion data 150. The term “cutout” refers to the following processing.

[Cut out (FIG. 6B)]
Input: M bit character string Output: L bit character string (however, L <M)
Processing: A specific L bit is extracted from the input and output without depending on the value of the input.
For example, the example of FIG. 6B is an example of “cutout” in which M = 128 and L = 16 and the leading L bit of the input M bit character string is output (end of description of [cutout]).
Next, the exclusive OR calculation unit 50 reads the second partial data 122 from the area 74 of the memory 70 and reads the second conversion data 150 from the area 77. Then, the exclusive OR calculation unit 50 calculates the exclusive OR of the read second partial data (L = 16 bits in this example) and the second conversion data (L = 16 bits in this example), and the calculation The result is overwritten and saved in the area 74 of the memory 70 as new second partial data 122 (step S6). The exclusive OR is the following process.

[Exclusive OR (FIG. 7B)]
Input: Input 1 (L bit character string), Input 2 (L bit character string)
Output: Output (L bit string)
Processing: For each bit corresponding to input 1 and input 2, each bit of output is determined according to the following trial value table.
Trial value table of exclusive-or input 1 input 2 output 0 0 0
0 1 1
1 0 1
1 1 0
FIG. 7B is an example of L = 16 (end of explanation of [exclusive OR]).

Next, the counter 31 counts up the count value n. That is, the counter 31 sets n + 1 as a new count value n (step S7). Next, the control unit 80 determines whether or not the count value n of the counter 31 is the number of stages w (step S8). The stage number w is a preset value.
Here, if n = w is not satisfied, the control unit 80 gives an instruction for the exchange operation to the data operation unit 60, and the data operation unit 60 that has received the instruction is stored in the areas 73 and 74 of the memory 70, respectively. The first partial data 121 and the second partial data 122 are exchanged (step S9). That is, the data operation unit 60 stores the first partial data 121 used in step S3 (L = 16 bits in this example) in the area 74 as new second partial data 122, and the second partial data used in step S6. The partial data 122 (L = 16 bits in this example) is stored in the area 73 as the new first partial data 121 (FIG. 7C). And the control part 80 returns a process to step S3, and newly performs the process (round process) of step S3-S8.

On the other hand, when it is determined in step S8 that n = w, the data operation unit 60 reads the first partial data 121 and the second partial data 122 from the areas 73 and 74 of the memory 70, respectively. Then, the data operation unit 60 outputs a combination of the read first partial data 121 and second partial data 122 as ciphertext data 170 (step S10). In this example, the first partial data 121 of L = 16 bits is set to the lower 16 bits of the ciphertext data 170, and the second partial data 122 is set to the upper 16 bits of the ciphertext data 170.
The ciphertext data 170 generated in this way is transmitted from the communication unit 7 to the block decryption apparatus 200 via the network, for example. The block decryption apparatus 200 stores this as ciphertext data 310 in the area 272 of the memory 270.

<Block decoding process>
Next, block decoding processing executed by the block decoding apparatus 200 according to this embodiment will be described.
FIG. 8 is a flowchart for explaining the block decoding processing of this embodiment. 9 and 10 are diagrams for explaining the block decoding process of the present embodiment. Hereinafter, the block decoding process of this embodiment will be described with reference to these drawings and FIG. 3. The following process is executed under the control of the control unit 280 (FIG. 3).

The block decoding process of this embodiment is a decoding process using a Faithel structure.
First, the counter 231 resets the count value n to the stage number w (step S21). The stage number w is a preset value and is the same value as w used in the block cipher apparatus 1.
Next, the data dividing unit 210 reads one bit string 311 of the ciphertext data 310 stored in the area 272 of the memory 270 as an initial value of the first partial data 321 and stores it in the area 273. The other bit string 312 is read as the initial value of the second partial data 322 and stored in the area 274 (step S22). In this example, the lower L = 16 bits of the ciphertext data 310 is stored in the area 273 as the initial value of the first partial data 321, and the upper L = 16 bits of the ciphertext data 310 is stored as the initial value of the second partial data 322 in the area 274. To store.

Next, the first conversion unit 220 reads the first partial data 321 stored in the area 273 of the memory 270, generates first conversion data 330 having a different bit length from this, and stores it in the area 275 of the memory 270. (Step S23). In this example, the first partial data 321 having a bit length L = 16 bits is converted into first conversion data 330 having a bit length M = 128 bits, which is equal to the key data 300, by padding.
Next, the block encryption unit 232 reads M (128 in this example) key data (K) 300 from the area 271 of the memory 270. Then, the block encryption unit 232 performs block encryption of the count value n of M (128 in this example) output from the counter 231 with the key data (K) 300, and M (128 in this example) bit. generating the key data _{K n} (step S24a).

Next, the block decoding unit 233 reads M (128 in this example) first conversion data 330 from the area 275 of the memory 270. Then, the block decryption unit 233 uses the key data K _n (M = 128 bits in this example) generated by the block encryption unit 232, and performs block decryption data (D _n 340 (M = 128 bits in this example) is generated (step S24b). The block decryption unit 233 stores the generated block decrypted text data (D _n ) 340 in the area 276 of the memory 270. Note that block decoding refers to the following processing.

[Block decoding (FIG. 10)]
Input: Ciphertext data (α bit character string), key data (β bit character string)
Output: Decrypted text data (γ bit character string)
Processing: Using the key data and ciphertext data, the decrypted text data is obtained and output by block decryption.
For example, FIG. 10 shows an example where α = β = γ = 128. The block decryption method corresponds to the block cipher method performed by the block cipher apparatus 1 described above (end of description of [block decryption]).

The second conversion unit 240 reads the block decrypted text data _(D n) 340 from the area 276 of the memory 270, using the block decrypted text data _(D n) 340, the bit length to the second partial data 322 Equal second conversion data 350 is generated (step S25). The second conversion unit 240 stores the generated second conversion data 350 in the area 277 of the memory 270. In the example of this embodiment, a part (L = 16 bit) bit string cut out from the block decrypted text data (D _n ) 340 of M = 128 bits is set as the second conversion data 350.
Next, the exclusive OR calculation unit 250 reads the second partial data 322 from the area 274 of the memory 270 and reads the second converted data 350 from the area 277. Then, the exclusive OR calculator 250 calculates an exclusive OR of the read second partial data (L = 16 bits in this example) and the second converted data (L = 16 bits in this example), and the calculation The result is overwritten and saved in the area 274 of the memory 270 as new second partial data 322 (step S26).

Next, the counter 231 counts down the count value n. That is, the counter 231 sets n−1 as a new count value n (step S27). Next, the control unit 280 determines whether or not the count value n of the counter 231 is 0 (step S28).
Here, if n = 0 is not satisfied, the control unit 280 gives an instruction for the exchange operation to the data operation unit 260, and the data operation unit 260 that has received the instruction is stored in the areas 273 and 274 of the memory 270, respectively. The first partial data 321 and the second partial data 322 are exchanged (step S29). That is, the data operation unit 260 stores the first partial data 321 used in step S23 (L = 16 bits in this example) in the area 274 as new second partial data 322, and the second partial data used in step S26. The partial data 322 (L = 16 bits in this example) is stored in the area 273 as new first partial data 321 (FIG. 7C). And the control part 280 returns a process to step S23, and newly performs the process (round process) of step S23-S28.

On the other hand, if it is determined in step S28 that n = 0, the data operation unit 260 reads the first partial data 321 and the second partial data 322 from the areas 273 and 274 of the memory 270, respectively. Then, the data operation unit 260 outputs a combination of the read first partial data 321 and second partial data 322 as plain text data 370 (step S30). In this example, the first partial data 321 is the lower 16 bits of the plaintext data 370 and the second partial data 322 is the upper 16 bits of the plaintext data 370.
<Features of this embodiment>
As described above, in the block cipher apparatus 1 of the present embodiment, the first conversion unit 20 converts the first partial data 121 into a bit length suitable for the block encryption process in the block encryption unit 33, and the second conversion unit 40 converts the block ciphertext data 140 generated by the block encryption unit 33 into the second converted data 150 having the same bit length as that of the second partial data 122. Similarly, in the block decoding device 200 of the present embodiment, the first conversion unit 220 converts the first partial data 321 into a bit length suitable for the block decoding process in the block decoding unit 233, and the second conversion unit 240 The block decrypted text data 340 generated by the block decryption unit 233 is converted into second converted data 350 having the same bit length as that of the second partial data 322. This makes it possible to easily change the block length of the plaintext data or ciphertext data to be handled without taking a complicated method such as changing the structure of the block encryption unit 33 or the block decryption unit 233.

Even if the block length of the plaintext data or ciphertext data to be handled changes, the bit length of the key data used for the block cipher processing is the same. For this reason, the block length of plaintext data or ciphertext data can be shortened without reducing the security of the encryption.
The document "Lars R. Knudsen The Security of Feistel Ciphers with Six Round or Less," Journal of Cryptology: the journal of the International Association for Cryptologic Research, "volumes 15 number 3 207-222" It describes the security of the Faithel structure when using a “random function” or “random substitution” ideal for key generation. This embodiment is an "random function" and the "random replacement" no, block cipher that changes the key data K _n secret for each round processing. However, the block cipher with just the correlation of a block cipher process executed in each round processing by changing the key data K _n secret for each round processing, in terms of safety and "random function" or "random replacement" It can be assumed that they cannot be distinguished. Therefore, it can be said that the block cipher of this form is safe.

[Second Embodiment]
Next, a second embodiment of the present embodiment will be described.
This embodiment is a modification of the first embodiment. In the first embodiment, the security is ensured by changing the key data for each round process, whereas in this embodiment, the second conversion unit uses the second conversion data generation method for each round process. Change to ensure safety. That is, in this embodiment, the address of the bit string used as the second conversion data is changed for each round process, thereby generating a function string having no correlation between the round processes. In this embodiment, only one type of key data is used for block encryption or block decryption through each round process. As a result, the block encryption process that is performed many times is made more efficient.

Below, it demonstrates centering around difference with 1st Embodiment, and abbreviate | omits description about the matter which is common in 1st Embodiment.
<Configuration of block encryption device>
[Hardware configuration of block cipher]
This is the same as in the first embodiment.
[Software configuration of block cipher]
The difference from the first embodiment is that the block encryption program performs block encryption without changing the key data for each round process, and the second conversion program is round. The second conversion data is generated by a different generation method for each process.

[Cooperation between hardware and software]
FIG. 11 is an example of a block diagram of a block cipher apparatus 500 according to the present embodiment, which is configured by reading a program into the CPU as in the first embodiment. In this figure, the same reference numerals are given to parts common to the first embodiment.
The differences from the first embodiment are that there is no block encryption unit 32 that converts key data for each round process, a counter 531 is provided instead of the counter 31, and second conversion. The second conversion unit 540 is provided instead of the unit 40.

<Configuration of block decoding device>
[Hardware configuration of block decoding apparatus]
This is the same as the hardware configuration of the block cipher apparatus illustrated in FIG.
[Program Configuration of Block Decoding Device]
The difference from the first embodiment is that the block decryption program is for performing block decryption without changing the key data for each round process, and the second conversion program is a round The second conversion data is generated by a different generation method for each process.

[Cooperation between hardware and software]
FIG. 12 is an example of a block diagram of a block decoding apparatus 600 configured by reading a program into the CPU as in the first embodiment. In this figure, the same reference numerals are given to parts common to the first embodiment.
The difference from the first embodiment is that there is no block encryption unit 232 that converts key data for each round process, a counter 631 is provided instead of the counter 231, and second conversion The second converter 640 is provided instead of the unit 240.

<Pretreatment>
This is the same as in the first embodiment.
<Block cipher processing>
Next, block cipher processing executed by the block cipher apparatus 1 of the present embodiment will be described.
FIG. 13 is a flowchart for explaining the block cipher processing of this embodiment. 14 and 15 are diagrams for explaining the block cipher processing of this embodiment. Hereinafter, the block cipher processing of this embodiment will be described with reference to these drawings and FIG. 11. The following processing is executed under the control of the control unit 80 (FIG. 11).

The block cipher processing in this embodiment is also cipher processing using the Faithtel structure.
First, the counter 531 resets the count value n to 0 (step S41).
Next, the data dividing unit 10 reads a bit string 111 of a part of the plaintext data 110 stored in the area 72 of the memory 70 as an initial value of the first partial data 121 and stores it in the area 73. Is read as the initial value of the second partial data 122 and stored in the area 74 (step S42). In this example, the lower L = 16 bits of the plaintext data 110 are stored in the area 73 as the initial value of the first partial data 121, and the upper L = 16 bits of the plaintext data 110 are stored in the area 74 as the initial value of the second partial data 122. To do.

Next, the first conversion unit 20 reads the first partial data 121 stored in the area 73 of the memory 70, generates first conversion data 130 having a different bit length from this, and stores the first conversion data 130 in the area 75 of the memory 70. (Step S43). In this example, the first partial data 121 having a bit length L = 16 bits is converted into first converted data 130 having a bit length M = 128 bits, which is equal to the key data 100, by padding.
Next, the block encryption unit 33 reads the first conversion data 130 from the area 75 of the memory 70, and reads M (128 in this example) key data (K) 100 from the area 71. The block encryption unit 33 uses the key data (K) 100 to generate block ciphertext data (C _n ) 140 (M = 128 bits in this example) obtained by block encryption of the first conversion data 130. (Step S44).

Next, the second conversion unit 540 reads the block ciphertext data (C _n ) 140 from the area 76 of the memory 70 and reads the count value n from the counter 531. Then, the second conversion unit 540 uses the block ciphertext data (C _n ) 140 and the count value n to generate the second conversion data 150 having the same bit length as the second partial data 122 (step S45). The second conversion unit 540 stores the generated second conversion data 150 in the area 77 of the memory 70. In the example of this embodiment, a part (L = 16 bit) bit string cut out from the M = 128 bit block ciphertext data (C _n ) 140 is set as the second conversion data 150. The position (address) of the bit string that the second conversion unit 540 takes out from the block ciphertext data (C _n ) 140 depends on the count value n (cut out with an address). This “cutout with address” will be described below.

[Cut out with address (Fig. 15)]
Input: M bit character string, count value (address) n (however, 0 ≦ n ≦ w)
Output: L bit string (however, wL <M)
Processing: Outputs a specific L bit from the input M bit character string depending only on the value of the input count value n. In this example, when n ≠ n ′, any specific L bit related to the count value n does not match any specific L bit related to the count value n ′.
For example, the example of FIG. 15 is “cutout with address” in which M = 128, L = 16, and L bit is output from the first nL bit of the input M bit character string. In the example of FIG. 15, 0 <w ≦ 8 (end of the description of [Cut out with address]).

Next, the exclusive OR calculation unit 50 reads the second partial data 122 from the area 74 of the memory 70 and reads the second conversion data 150 from the area 77. Then, the exclusive OR calculation unit 50 calculates the exclusive OR of the read second partial data (L = 16 bits in this example) and the second conversion data (L = 16 bits in this example), and the calculation The result is overwritten and saved in the area 74 of the memory 70 as new second partial data 122 (step S46).
Next, the counter 531 counts up the count value n. That is, the counter 31 sets n + 1 as a new count value n (step S47). Next, the control unit 80 determines whether or not the count value n of the counter 31 is the number of stages w (step S48). The stage number w is a preset value.

  Here, if n = w is not satisfied, the control unit 80 gives an instruction for the exchange operation to the data operation unit 60, and the data operation unit 60 that has received the instruction is stored in the areas 73 and 74 of the memory 70, respectively. The first partial data 121 and the second partial data 122 are exchanged (step S49). That is, the data operation unit 60 stores the first partial data 121 (L = 16 bits in this example) used in step S43 in the area 74 as the new second partial data 122, and the second partial data used in step 4S6. The partial data 122 (L = 16 bits in this example) is stored in the area 73 as the new first partial data 121 (FIG. 7C). And the control part 80 returns a process to step S43, and newly performs the process (round process) of step S43-S48.

On the other hand, if it is determined in step S48 that n = w, the data operation unit 60 reads the first partial data 121 and the second partial data 122 from the areas 73 and 74 of the memory 70, respectively. Then, the data operation unit 60 outputs a combination of the read first partial data 121 and second partial data 122 as ciphertext data 170 (step S50). In this example, the first partial data 121 of L = 16 bits is set to the lower 16 bits of the ciphertext data 170, and the second partial data 122 is set to the upper 16 bits of the ciphertext data 170.
The ciphertext data 170 generated in this way is transmitted from the communication unit 7 to the block decryption apparatus 600 through the network, for example. The block decryption device 600 stores this in the area 272 of the memory 270 as ciphertext data 310.

<Block decoding process>
Next, block decoding processing executed by the block decoding apparatus 600 according to this embodiment will be described.
FIG. 16 is a flowchart for explaining the block decoding processing of this embodiment. FIG. 17 is a diagram for explaining the block decoding processing of this embodiment. Hereinafter, the block decoding process of this embodiment will be described with reference to these drawings and FIG. 12. The following process is executed under the control of the control unit 280 (FIG. 12).

The block decoding process of this embodiment is a decoding process using a Faithel structure.
First, the counter 631 resets the count value n to the stage number w (step S61). The stage number w is a preset value.
Next, the data dividing unit 210 reads one bit string 311 of the ciphertext data 310 stored in the area 272 of the memory 270 as an initial value of the first partial data 321 and stores it in the area 273. The other bit string 312 is read as the initial value of the second partial data 322 and stored in the area 274 (step S62). In this example, the lower L = 16 bits of the ciphertext data 310 is stored in the area 273 as the initial value of the first partial data 321, and the upper L = 16 bits of the ciphertext data 310 is stored as the initial value of the second partial data 322 in the area 274. To store.

Next, the first conversion unit 220 reads the first partial data 321 stored in the area 273 of the memory 270, generates first conversion data 330 having a different bit length from this, and stores it in the area 275 of the memory 270. (Step S63). In this example, the first partial data 321 having a bit length L = 16 bits is converted into first conversion data 330 having a bit length M = 128 bits, which is equal to the key data 300, by padding.
Next, the block decryption unit 233 reads the first conversion data 330 from the area 275 of the memory 270 and reads M (128 in this example) key data (K) 300 from the area 271. Then, the block decryption unit 233 generates block decrypted text data (D _n ) 340 (M = 128 bits in this example) obtained by block decrypting the first conversion data 330 using the key data (K) 300 ( Step S64).

Next, the second conversion unit 640 reads the block decrypted text data (D _n ) 340 from the area 276 of the memory 270 and reads the count value n from the counter 631. The second conversion unit 640, using the block decrypted text data _(D n) 340 and the count value n, the bit length to the second partial data 322 to generate the same second conversion data 350 (step S65). The second conversion unit 640 stores the generated second conversion data 350 in the area 277 of the memory 270. In the example of the present embodiment, a part (L = 16 bit) bit string cut out from the block decrypted text data (D _n ) 140 of M = 128 bits is set as the second conversion data 350. The position (address) of the bit string that the second conversion unit 640 takes out from the block decrypted text data (D _n ) 340 depends on the count value n. Further, the relationship between the cut-out position of the bit string and the count value n is the same as that of the second conversion unit 540 of the block cipher apparatus 500.

Next, the exclusive OR calculation unit 250 reads the second partial data 322 from the area 274 of the memory 270 and reads the second converted data 350 from the area 277. Then, the exclusive OR calculator 250 calculates an exclusive OR of the read second partial data (L = 16 bits in this example) and the second converted data (L = 16 bits in this example), and the calculation The result is overwritten and saved in the area 274 of the memory 270 as new second partial data 322 (step S66).
Next, the counter 631 counts down the count value n. That is, the counter 631 sets n−1 as a new count value n (step S67). Next, the control unit 280 determines whether or not the count value n of the counter 631 is 0 (step S68).

Here, if n = 0 is not satisfied, the control unit 280 gives an instruction for the exchange operation to the data operation unit 260, and the data operation unit 260 that has received the instruction is stored in the areas 273 and 274 of the memory 270, respectively. The first partial data 321 and the second partial data 322 are exchanged (step S69). And the control part 280 returns a process to step S63, and newly performs the process (round process) of step S63-S68.
On the other hand, if it is determined in step S68 that n = 0, the data operation unit 260 reads the first partial data 321 and the second partial data 322 from the areas 273 and 274 of the memory 270, respectively. Then, the data operation unit 260 outputs a combination of the read first partial data 321 and second partial data 322 as plain text data 370 (step S70). In this example, the first partial data 321 is the lower 16 bits of the plaintext data 370 and the second partial data 322 is the upper 16 bits of the plaintext data 370.

<Features of this embodiment>
As described above, the block cipher apparatus 500 according to this embodiment includes the counter 531 that outputs a different count value for each round process. Then, the block encryption unit 33 generates block ciphertext data using one key data 100 stored in the memory 70 as an encryption key in all round processing, and the second conversion unit 540 outputs the block ciphertext data from the counter 531. A bit string having a start address of L times the counted value n is cut out from the block ciphertext data. As a result, the key data 100 used by the block encryption unit 33 is common to all round processes, and the position of the bit extracted by the second conversion unit 540 from the block ciphertext data 140 is different between all round processes. . Also in this case, the block cipher process executed in each round process has no correlation, and the security as described in the first embodiment can be ensured. Unlike the first embodiment, since the same key data 100 is used in all round processes in this embodiment, a block cipher for generating key data for each round process as in the first embodiment. Does not require processing. As a result, the block encryption process can be made more efficient. For example, when Faithel's stage number is w, 2n block cipher calls are required in the first embodiment, but in this embodiment, n block cipher calls are sufficient. That is, the speed can be increased about twice as much as that in the first embodiment. In particular, in the first embodiment, when the block encryption unit 32 performs a block encryption process that is sufficiently heavier than the block encryption unit 33, the configuration of the present embodiment allows the block encryption unit 32 to compare with the first embodiment. A speed increase of about n times can be achieved. The same applies to the block decoding apparatus 600.

In addition, with the configuration of this embodiment, the plaintext data and ciphertext can be easily changed in the block length of the plaintext data and ciphertext data to be handled, as in the first embodiment, without reducing the security of the cipher. There is also an effect that the block length of data can be shortened.
[Modifications, etc.]
The present invention is not limited to the embodiments described above. For example, the first embodiment and the second embodiment are mixed, and the configuration of the first embodiment is adopted in a certain round process, and the configuration of the second embodiment is taken in another round process. It is good as well.

In each of the above-described embodiments, the first conversion unit generates the first conversion data by padding. However, the first conversion data may be generated by other means such as a hash function.
Furthermore, the bit positions of the first partial data and the second partial data that the data dividing unit divides from plaintext data and ciphertext data are not limited to those described above. For example, instead of a continuous bit string, bits at discrete positions may be extracted from plaintext data or the like and used as first partial data or the like.

Further, the bit positions cut out from the block ciphertext data and the block decrypted text data by the second conversion unit are not limited to those described above, and other positions may be cut out.
Further, as a modification of the second embodiment, the key data used by the block encryption unit is common to any one round process, and the position of the bit string taken out from the block ciphertext data by the second conversion unit is any It is good also as differing between round processing of a part of.
Needless to say, other modifications are possible without departing from the spirit of the present invention. Further, the various processes described above are not only executed in time series according to the description, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.
The program describing the processing contents can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory. Specifically, for example, the magnetic recording device may be a hard disk device or a flexible Discs, magnetic tapes, etc. as optical disks, DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable) / RW (ReWritable), etc. As the magneto-optical recording medium, MO (Magneto-Optical disc) or the like can be used, and as the semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory) or the like can be used.

The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.
As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  As an application field of the present invention, for example, concealment of data communication on the Internet can be exemplified.

FIG. 1 is a block diagram illustrating a hardware configuration of a block cipher apparatus according to the first embodiment. FIG. 2 is an example of a block diagram of the block cipher apparatus according to the first embodiment. FIG. 3 is an example of a block diagram of the block decoding apparatus according to the first embodiment. FIG. 4 is a flowchart for explaining block cipher processing according to the first embodiment. FIG. 5 is a diagram for explaining block cipher processing according to the first embodiment. FIG. 6 is a diagram for explaining the block cipher processing according to the first embodiment. FIG. 7 is a diagram for explaining the block cipher processing according to the first embodiment. FIG. 8 is a flowchart for explaining block decoding processing according to the first embodiment. FIG. 9 is a diagram for describing block decoding processing according to the first embodiment. FIG. 10 is a diagram for explaining block decoding processing according to the first embodiment. FIG. 11 is an example of a block diagram of a block cipher apparatus according to the second embodiment. FIG. 12 is an example of a block diagram of a block decoding apparatus according to the second embodiment. FIG. 13 is a flowchart for explaining block cipher processing according to the second embodiment. FIG. 14 is a diagram for explaining block cipher processing according to the second embodiment. FIG. 15 is a diagram for explaining block cipher processing according to the second embodiment. FIG. 16 is a flowchart for explaining block decoding processing according to the second embodiment. FIG. 17 is a diagram for explaining block decoding processing according to the second embodiment.

Explanation of symbols

1,500 block encryption device 200,600 block decryption device

Claims (10)

A block encryption device for block-encrypting plaintext data,
A memory for storing the plaintext data;
A data dividing unit that reads a partial bit string of the plaintext data as an initial value of the first partial data and reads another bit string of the plaintext data as an initial value of the second partial data;
A first conversion unit that uses the first partial data and generates first conversion data having a different bit length from the first partial data;
A block encryption unit that generates block ciphertext data obtained by block encryption of the first converted data using the key data;
A second conversion unit that generates second conversion data having the same bit length as the second partial data using the block ciphertext data;
Calculating an exclusive OR of the second partial data and the second conversion data, and using the calculation result as a new second partial data;
A block cipher apparatus comprising: The block cipher apparatus according to claim 1,
The first partial data and the second partial data are exchanged, and a round process for newly executing the processes of the first conversion unit, the block encryption unit, the second conversion unit, and the exclusive OR calculation unit is repeatedly executed. Having a control unit,
The key data used by the block encryption unit is
Common to at least one of the round processes,
The second converter is
A part of the bit string cut out from the block ciphertext data is used as the second conversion data,
The position of the bit taken out from the block ciphertext data by the second conversion unit is as follows:
At least between any round process,
A block cipher apparatus. The block cipher apparatus according to claim 2,
The key data used by the block encryption unit is
Common to all rounds,
The position of the bit extracted from the block ciphertext data by the second conversion unit is as follows:
Differ between all rounds,
A block cipher apparatus. The block cipher apparatus according to claim 3,
It has a counter that outputs a different count value for each round process,
The block encryption unit
Generate block ciphertext data using one key data stored in the memory as an encryption key for all round processing,
The second converter is
A bit string having a start address that is an integer multiple of the count value output from the counter is cut out from the block ciphertext data.
A block cipher apparatus. A block cipher apparatus according to any one of claims 1 to 4,
The bit length of plaintext data is shorter than the bit length of key data.
A block cipher apparatus. A block decrypting device for block decrypting ciphertext data,
A memory for storing ciphertext data;
A data dividing unit that reads a bit string of a part of the ciphertext data as an initial value of the first partial data, and reads another bit string of the ciphertext data as an initial value of the second partial data;
A first conversion unit that uses the first partial data and generates first conversion data having a different bit length from the first partial data;
A block decryption unit that generates block decrypted text data obtained by block decrypting the first converted data using the key data;
A second conversion unit that uses block decrypted text data and generates second conversion data having a bit length equal to the second partial data;
Calculating an exclusive OR of the second partial data and the second conversion data, and using the calculation result as a new second partial data;
A block decoding apparatus comprising: A block encryption method for block-encrypting plaintext data,
A first converter using the first partial data and generating first converted data having a bit length different from the first partial data;
A block encryption unit generating block ciphertext data obtained by block encryption of the first converted data using the key data;
A step of generating a second conversion data having a bit length equal to the second partial data using the block ciphertext data, the second conversion unit;
An exclusive OR calculation unit calculating an exclusive OR of the second partial data and the second converted data, and setting the calculation result as new second partial data;
A block cipher method comprising: A block decryption method for block decrypting ciphertext data,
A first converter using the first partial data and generating first converted data having a bit length different from the first partial data;
A block decrypting unit generating block decrypted text data obtained by block decrypting the first converted data using the key data;
A step of generating a second conversion data having a bit length equal to the second partial data using the block decrypted text data, the second conversion unit;
An exclusive OR calculation unit calculating an exclusive OR of the second partial data and the second converted data, and setting the calculation result as new second partial data;
A block decoding method comprising:   A program for causing a computer to function as the block cipher apparatus according to claim 1.   A program for causing a computer to function as the block decoding device according to claim 6.

Images