JP2007333815A - Information processor and its control method, program, and storage medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technique capable of making processing at high speed by reducing processing with a large calculation cost when generating enlarged data such as an enlarged key from fixed data such as a key. <P>SOLUTION: An information processor generating a plurality of enlarged information based on seed information comprises an input means for inputting the seed information; a calculation means for calculating a plurality of intermediate pieces of information based on the input seed information; a derivation means for deriving a plurality of enlarged information corresponding to each in the intermediate information; and an output means for outputting the enlarged information derived in the derivation means. The derivation means derives first enlarged information corresponding to each in the intermediate information in first assemblage of the plurality of pieces of the intermediate information by processing accompanied by character conversion and derives second enlarged information corresponding to each in the intermediate information based on the derived first enlarged information by exclusive logical sum calculation. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an information processing apparatus, a control method thereof, a program, and a storage medium.

  Conventionally, various encryption methods for encrypting data are known. One of the encryption methods is an encryption method called common key encryption. Common key ciphers are roughly classified into two systems called block ciphers and stream ciphers. The block cipher is an encryption method in which each fixed-length input block and key data are agitated by substitution / transposition processing and copied to an output block having the same length. Stream cipher is an encryption method that obtains ciphertext by performing a logical operation such as exclusive OR on plaintext and a key stream. Typical block ciphers include DES (Data Encryption Standard) and AES (Advanced Encryption Standard). RC4 is a representative stream cipher.

  FIG. 2 is a diagram illustrating a configuration of a general encryption apparatus that performs encryption processing using common key encryption. The encryption apparatus in FIG. 2 receives the encryption processing target data 200 and the key data 201 and outputs encrypted data 206. The encryption apparatus includes an encryption processing unit 202 and a key processing unit 203. The encryption device performs n-stage processing in order from the first round 204 to the n-th round 205. The key processing unit 203 sequentially generates the extended key n from the extended key 1 used in each of the n stages of round processing based on the input encryption key.

One of the typical generations of the above expansion key is 5.2 Key Expansion of Non-Patent Document 1. The following is an extract from KeyExpansion processing content compliant with AES from Non-Patent Document 1.
[KeyExpansion] (* 1)
KeyExpansion (byte key [4 * Nk], word w [Nb * (Nr + 1)], Nk)
begin
word temp
i = 0
while (i <Nk)
w [i] = word (key [4 * i], key [4 * i + 1], key [4 * i + 2], key [4 * i + 3])
i = i + 1
end while
i = Nk
while (i <Nb * (Nr + 1))
temp = w [i-1]
if (i mod Nk = 0)
temp = SubWord (RotWord (temp)) xor Rcon [i / Nk] (* 2)
else if (Nk> 6 and i mod Nk = 4)
temp = SubWord (temp)
end if
w [i] ＝ w [i-Nk] xor temp
i = i + 1
end while
end
Hereinafter, the terms used in the above KeyExpansion will be described. The above word represents a 4-byte unit. Key represents an encryption key (the key length is 128, 192, or 256 bits). W represents an extended key. Nk indicates the length of the encryption key in word units, and is a value of 4, 6, or 8. Nb indicates the block size in word units, and the value here is 4. Nr indicates the number of rounds, and is a value of 10, 12, or 14. SubWords is substitution conversion for each byte. For example, when 00 (16) ((16) indicates hexadecimal notation) is given as an input, 63 (16) is the output value. The principle of SubWords is an inverse operation with an irreducible polynomial X ⁸ + X ⁴ + X ³ + X + 1 on the Galois field GF (2 ⁸ ). RotWords is transposition conversion in byte units. For example, when [a0, a1, a2, a3] is given as an input word, the output word is [a1, a2, a3, a0]. Rcon is substitution conversion.

The principle of Rcon is a power operation on Galois field GF (2 ⁸ ), and is represented by Rcon [i] = [X ⁱ⁻¹ , {00}, {00}, {00}]. The contents in {} are expressed in hexadecimal notation, and X = {02}. (* 1) and (* 2) will be described in later embodiments. As shown in the above KeyExpansion, the “While” sentence and below are expanded key generation processes, which are constituted by substitution processing, transposition processing, and exclusive OR.

The AES is encrypted and decrypted, and the processing steps of the encryption / decryption processing unit are different. Although the explanation is omitted, for details, please refer to 5.1 Cipher and 5.3 Inverse Cipher of Non-Patent Document 1 above. However, Non-Patent Document 1 also describes an option for making the processing steps of the encryption / decryption processing unit the same. When applying the above options, additional processing must be applied to the above KeyExpansion. The additional processing is described in 5.3.5 Equivalent Inverse Cipher in Non-Patent Document 1 above. The following is an excerpt of the above additional processing from Non-Patent Document 1 described above.
For the Equivalent Inverse Cipher, the following pseudo code is added at
the end of the Key Expansion routine (Sec. 5.2): (* 3)

for i = 0 step 1 to (Nr + 1) * Nb-1
dw [i] = w [i]
end forfor round = 1 step 1 to Nr-1
InvMixColumns (dw [round * Nb, (round + 1) * Nb-1]) // note change of type
end for
Here, the words and phrases used in the additional processing will be described. dw is an extended key for decryption. InvMixColumns is composed of column-by-column substitution and exclusive OR. The essence of substitution conversion of InvMixColumns is multiplication processing on Galois field. The multiplication process is a multiplication process using an irreducible polynomial X ⁸ + X ⁴ + X ³ + X + 1 on the Galois field GF (2 ⁸ ). In this multiplication process, since an output value corresponding to an input can be predicted, a substitution process is generally used.
FIPS197 Advanced Encryption Standard (AES) (NIST / 2001)

  As described above, the extended key generation generally involves a plurality of processes including a substitution process, a logical operation such as an exclusive OR or a shift process. However, substitution processing and logical operations are generally expensive. For this reason, if the above processing is directly implemented in the information processing apparatus, the processing takes time. This problem is particularly noticeable in an environment where keys are updated frequently.

  The present invention has been made in view of the above problems, and when generating enlarged data such as an extended key from fixed data such as a key, it is possible to reduce the processing with a large computation cost and speed up the processing. The purpose is to provide technology.

In order to achieve the above object, an information processing apparatus according to the present invention comprises the following arrangement. That is,
An information processing apparatus that generates a plurality of enlarged information based on seed information,
Input means for inputting the seed information;
A computing means for computing a plurality of intermediate information based on the inputted seed information;
Derivation means for deriving a plurality of pieces of extended information respectively corresponding to the intermediate information based on the plurality of intermediate information obtained by the calculation;
Output means for outputting the enlarged information derived by the derivation means;
With
The derivation means includes
For the first set of the plurality of intermediate information, the first extended information corresponding to each of the intermediate information is derived by processing involving substitution conversion;
For the second set of the plurality of intermediate information, second extended information corresponding to each of the intermediate information is derived by exclusive OR operation based on the derived first expanded information.

An information processing apparatus according to the present invention has the following configuration. That is,
An information processing apparatus that inputs common key information and performs encryption processing on information to be processed in a plurality of rounds based on a plurality of expanded information obtained by expanding the common key information. ,
Intermediate information generating means for generating a plurality of intermediate information for the first round based on the common key information;
A first generation unit configured to generate a plurality of pieces of enlarged information for the first round by executing a process involving substitution processing on the generated intermediate information;
For the subsequent attention round following the first round, one expansion information in the attention round is generated based on intermediate information obtained by inversely transforming one expansion information of the immediately preceding round, Second generation means for deriving the remaining expansion information by exclusive OR operation based on the previous expansion information;
Is provided.

The control method of the information processing apparatus according to the present invention has the following configuration. That is,
A method for controlling an information processing apparatus that generates a plurality of pieces of enlarged information based on seed information,
An input step for inputting the seed information;
A calculation step of calculating a plurality of intermediate information based on the input seed information;
A derivation step of deriving a plurality of pieces of enlarged information corresponding to each of the intermediate information based on the plurality of intermediate information obtained by the calculation;
An output step of outputting the enlarged information derived in the derivation step;
With
In the derivation step,
For the first set of the plurality of intermediate information, first expanded information corresponding to each of the intermediate information is derived by processing involving substitution conversion;
For the second set of the plurality of intermediate information, second extended information corresponding to each of the intermediate information is derived by exclusive OR operation based on the derived first extended information. The control method of the information processing apparatus according to the present invention has the following configuration. That is,
A control method for an information processing apparatus that performs cryptographic processing on information to be processed in a plurality of rounds based on a plurality of pieces of expanded information obtained by inputting the common key information and expanding the common key information. Because
An intermediate information generating step for generating a plurality of intermediate information for the first round based on the common key information;
A first generation step of performing a process involving substitution processing on the generated intermediate information to generate a plurality of pieces of enlarged information for the first round;
For the subsequent attention round following the first round, one expansion information in the attention round is generated based on intermediate information obtained by inversely transforming one expansion information of the immediately preceding round, A second generation step of deriving the remaining expansion information by exclusive OR operation based on the previous expansion information;
Is provided.

  According to the present invention, it is possible to provide a technique capable of reducing processing with high calculation cost and speeding up processing when generating expanded data such as an expanded key from fixed data such as a key. Can do.

  Embodiments according to the present invention will be described below in detail with reference to the accompanying drawings. However, the constituent elements described in this embodiment are merely examples, and are not intended to limit the scope of the present invention only to them.

<< First Embodiment >>
FIG. 1 is a diagram for explaining an electrical configuration of an information processing apparatus that implements each embodiment of the present invention. Note that, in realizing the present invention, it is not essential to use all the functions shown in FIG.

(Configuration of information processing device)
As illustrated in FIG. 1, the information processing apparatus 100 is configured by connecting the following hardware via a bus 116 so that they can communicate with each other.
A modem 118 such as a public line.
-Monitor 102 as display unit
CPU 103.
ROM 104.
RAM 105.
HD (hard disk) 106.
A network connection unit 107 of the network.
-CD108.
FD (flexible disk) 109.
DVD (Digital Video Disc or Digital Versatile Disk) 110.
An interface (I / F) 117 of the printer 115.
-Mouse 112 and keyboard 113 as operation units
An interface (I / F) 111 of the operation unit.

  The mouse 112 and the keyboard 113 are operation units for the user to input various instructions to the information processing apparatus 100. Information (operation information) input via the operation unit is taken into the information processing apparatus 100 via the interface 111.

  Various information (character information, image information, etc.) in the information processing apparatus 100 can be printed out by the printer 115. The monitor 102 displays various instruction information to the user and various information such as character information or image information.

  The CPU 103 controls operation of the entire information processing apparatus 100, and functions as a control unit in the configuration according to the present embodiment. In other words, the CPU 103 controls the entire information processing apparatus 100 by reading and executing a processing program (software program) from the HD (hard disk) 106 or the like. In particular, in the configuration according to the present embodiment, the CPU 103 reads out and executes a processing program that realizes the encryption processing function and the decryption processing function from the HD 106 and the like, thereby performing an information conversion process described later. Note that, for example, the program according to the present embodiment may be recorded in the ROM 104, configured to form a part of the memory map, and directly executed by the CPU 103.

  The ROM 104 stores processing programs for the encryption processing function and the decryption processing function, various data used in the program, and the like. The RAM 105 is used as a work area or the like for temporarily storing a processing program and information to be processed for various processes in the CPU 103.

  The HD 106 is a component as an example of a large-capacity storage device, and stores various data or a processing program for information conversion processing that is transferred to the RAM 105 or the like when various processing is executed. The CD (CD drive) 108 has a function of reading data stored in a CD (CD-R) as an example of an external storage medium and writing data to the CD. The FD (flexible disk drive) 109 reads data stored in the FD 109 as an example of an external storage medium, like the CD 108. It also has a function of writing various data to the FD 109. Similar to the CD 108 and the FD 109, the DVD (digital video disk) 110 has a function of reading data stored in the DVD 110 as an example of an external storage medium and writing data to the DVD 110.

  For example, when an editing program or a printer driver is stored in an external storage medium such as CD 108, FD 109, or DVD 110, these programs may be installed in the HD 106. Good. In this case, the program can be configured to be transferred to the RAM 105 when the program becomes necessary.

  An interface (I / F) 111 is used to receive input from the user through the mouse 112 or the keyboard 113. The modem 118 is a communication modem, and is connected to an external network through an interface (I / F) 119 through, for example, a public line. The network connection unit 107 is connected to an external network via an interface (I / F) 114.

  Note that the present invention can be applied to a system composed of a plurality of devices (for example, a host computer, an interface device, a reader, a printer, etc.), but a device (for example, a copier, a facsimile machine, etc.) composed of a single device You may apply to. That is, in the present embodiment, for convenience of explanation, a configuration in which the information processing apparatus according to the present embodiment is realized by one device will be described, but may be realized by a configuration in which resources are distributed to a plurality of devices. For example, storage and calculation resources may be distributed in a plurality of devices. Alternatively, resources may be distributed for each component virtually realized on the information processing apparatus, and parallel processing may be performed.

  In addition, it can also be comprised as an alternative of a hardware apparatus with the software which implement | achieves a function equivalent to the above each apparatus.

(Overview of block cipher processing)
Hereinafter, the process by the structure which concerns on this embodiment is demonstrated with reference to drawings. FIG. 2 is a block diagram illustrating a functional configuration of an information processing apparatus that performs block cipher processing.

  In FIG. 2, encryption processing target data 200 and key data 201 are input to the information processing apparatus 100 shown in FIG. The encryption processing target data 200 is input to the encryption processing unit 202, and the key data 201 is input to the key processing unit 203. The key processing unit 203 generates an extended key based on the input key information 201 and inputs it to the encryption processing unit 202.

  The encryption processing unit 202 performs encryption by sequentially performing predetermined processing from the first round 204 to the nth round 205 on the encryption processing target data 200 that is input simultaneously with the input of the extended key from the key processing unit 203. Execute the conversion process. Then, the output of the n-th round 205 is output from the information processing apparatus 100 as the encrypted data 206.

  Note that the decryption process for the encryption process is realized by sequentially performing the above processes from the reverse side using exclusive OR (XOR) for the encryption process. The process including the encryption process and the decryption process is called an encryption process.

  Note that the encryption processing based on the above-described common key encryption can be configured to be executed in accordance with, for example, data to be subjected to encryption processing and key data specified by a user instruction input. Or it can comprise so that it may be performed according to predetermined event generation | occurrence | production in the process procedure which performs the encryption process based on a common key encryption. However, it is obvious that the present invention is not limited to those exemplified here.

(Processing in the conventional configuration)
FIG. 3 is a block diagram showing processing for generating an extended key for decryption from the AES 128-bit key 301 in the conventional configuration. From the 128-bit key 301, by the above KeyExpansion processing 302, 44 pieces of expanded key W _t is generated. The KeyExpansion process 302 is the process indicated by (* 1) above. Also, 36 dW _t are generated from a part of W _t by executing the InvMixColumns process 303 36 times. The InvMixColumns process 303 is the process indicated in (* 3) above. As described above, InvMixColumns process 303 from W _t seek dW _t is to accompany substitution processing, computational cost is high.

(Overview of extended key generation)
FIG. 4 is a block diagram showing processing for generating an extended key for decryption from the AES 128-bit key 301 (seed information) in this embodiment. From the 128-bit key 401, by the KeyExpansion processing 402, 44 pieces of expanded key W _t is generated. In addition, 40 dW _t are generated from a part of W _t by the InvMixColumns process 403.

However, in this embodiment, after calculating a part of dw _t using the InvMixColumns process 403, the remaining dw _t is calculated by exclusive OR with a low calculation cost based on the calculation result. For this reason, according to the structure which concerns on this embodiment, a process can be performed with a calculation cost lower than the process in said conventional structure.

(Extended key generation process)
Next, the extended key generation process with the configuration according to the present embodiment will be described with reference to FIG. FIG. 5 is a flowchart showing the procedure of the extended key generation process in the present embodiment.

  First, in step S501, the 128-bit key is input.

Next, in step S502, it performs the KeyExpansion process, to produce a 44 amino W _t.

Next, in step S503, W _{0 to} W ₃ are selected from 44 W _t .

Next, in step S504, the above InvMixColumns conversion is performed on W _{0 to} W ₃ selected in step S503. As a result of this processing, dW _{0 to} dW ₃ are generated.

  On the other hand, in step S505, temp data used in the key expansion process in step S502 is secured. However, this temp data indicates the temp used in the processing contents of (* 1) KeyExpansion. The secured temp data indicates temp data satisfying i mod Nk = 0. In the configuration according to the present embodiment, the parameter i is an integer from 4 to 39, and the parameter Nk is 4.

After the processing in step S505, in step S506, InvMixColumns conversion is performed on the temp data secured in step S505. As a result of step S506, the generated data is defined as dW ′ _{i−1 in} order. In the configuration according to the present embodiment, dW ′ ₃ , dW ′ _{7 and the} like are defined.

（ｔ：０〜３９）
ここで、記号

は、排他的論理和を示す。なお、ｔ mod Nk＝０を満たす場合に限り、式中ｄＷ_t-1をｄＷ'_t-1に置き換える。本実施形態に係る構成にて、ｄＷ₄を算出する際を例に挙げると、

となる。このような排他的論理和演算により、InvMixColumns処理により求められたもの以外の全てのｄＷが算出される。そして、ステップＳ５０８へ進む。 When the processes of step S504 and step S506 are completed, the process proceeds to step S507. In step S507, the remaining dW _t is calculated except for the dW _t obtained in step S504. This calculation process is expressed by Equation 1.
[Formula 1]

(T: 0 to 39)
Where the sign

Indicates exclusive OR. Only when t mod Nk = 0 is satisfied, dW _{t−1 in the} formula is replaced with dW ′ _t−1 . Taking the case of calculating dW ₄ in the configuration according to the present embodiment as an example,

It becomes. By such an exclusive OR operation, all dWs other than those obtained by the InvMixColumns process are calculated. Then, the process proceeds to step S508.

In step S508, the output results W _{0 to} W ₃ and W _{40 to} W ₄₃ in step S502 and the results dW _{4 to} dW ₃₉ in step S507 are output as decryption extended keys. This is the end of the process for generating the decryption extended key.

As described above, in the configuration according to the present embodiment, when calculating dw _t , the InvMixColumns process 403 with high calculation cost is not executed step by step. Instead, dw _t is calculated by exclusive OR operation with the lowest possible operation cost. Therefore, according to the configuration according to the present embodiment, when generating an extended key from the 128-bit key 401, it is possible to reduce the InvMixColumns process 403 having a large calculation cost and to speed up the process.

<< Second Embodiment >>
In the configuration according to the first embodiment, temp data is used when generating a decryption extended key. However, t with respect to the mod Nk = 0 satisfies the dW _t, can be generated directly dW _t from created W _t at KeyExpansion. Therefore, in the present embodiment, a configuration that does not use temp data will be described. In addition, description is abbreviate | omitted about the location similar to 1st Embodiment, such as a structure of an information processing apparatus, the outline | summary of a block encryption process, and the content which is different is demonstrated.

(Extended key generation process)
The expanded key generation process with the configuration according to the present embodiment will be described with reference to FIG. FIG. 6 is a flowchart showing the procedure of the extended key generation process in the present embodiment.

  First, in step S601, the 128-bit key is input.

Next, in step S602, it performs the KeyExpansion process, to produce a 44 amino W _t.

Next, in step S603, W _{0 to} W ₃ are selected from 44 W _t .

Next, in step S604, the above InvMixColumns conversion is performed on W _{0 to} W ₃ selected in step S603. As a result of this processing, dW _{0 to} dW ₃ are generated.

On the other hand, in step S605, W _t satisfying t mod Nk = 0 is selected from 44 W _t . However, in the configuration according to the present embodiment, the parameter t is an integer between 4 and 39, and the parameter Nk is 4.

After the process of step S605, in step S606, the relative W _t selected in step S605, performs InvMixColumns conversion. The data generated as a result of the process in step S606 is defined as dW _t in order. In the configuration according to the present embodiment, dW ₄ , dW _{8 and the} like are defined.

（ｔ：０〜３９）
ここで、記号

は、排他的論理和を示す。本実施形態に係る構成にて、ｄＷ₄を算出する際を例に挙げると、

となる。このような排他的論理和演算により、InvMixColumns処理により求められたもの以外の全てのｄＷが算出される。そして、ステップＳ６０８へ進む。 When the processing of step S604 and step S606 ends, the process proceeds to step S607. In step S607, the remaining dW _t is calculated except for dW _t obtained in steps S604 and S606. The arithmetic processing is expressed by Equation 2.
[Formula 2]

(T: 0 to 39)
Where the sign

Indicates exclusive OR. Taking the case of calculating dW ₄ in the configuration according to the present embodiment as an example,

It becomes. By such an exclusive OR operation, all dWs other than those obtained by the InvMixColumns process are calculated. Then, the process proceeds to step S608.

In step S608, the output results W _{0 to} W ₃ and W _{40 to} W ₄₃ in step S602 and the results dW _{4 to} dW ₃₉ in steps S606 and 607 are output as the decryption extended key. This is the end of the process for generating the decryption extended key.

As described above, in the present embodiment, like the first embodiment, when calculating the dw _t, for calculating dw _t by low exclusive OR operation of calculating possible cost, the operation cost Can be reduced. Therefore, according to the configuration according to the present embodiment, when generating an extended key from the 128-bit key 401, it is possible to reduce the InvMixColumns process 403 having a large calculation cost and to speed up the process.

<< Third Embodiment >>
In the configurations according to the first and second embodiments, the expanded key for decryption is generated after the expanded key is generated first by KeyExpansion. By changing the internal processing of the configuration according to the first embodiment, it is possible to generate a decryption expanded key without performing KeyExpansion processing.

(Overview of extended key generation)
First, an outline of processing in the present embodiment will be described with reference to FIG. FIG. 7 is a block diagram showing processing for generating an extended key for decryption from the AES 128-bit key 701 in the configuration according to the present embodiment.

First, four expanded keys W _{0 to} W ₃ are generated from the 128-bit key 701 by the KeySet process 702. This KeySet process 702 is the same as the process of generating W _{0 to} W ₃ from the 128-bit key of the conventional KeyExpansion process. Also, dW _t (t = 0 to 4) is generated from W _{0 to} W ₃ by the InvMixColumns processing 703. By using the generated dW _t for subsequent processing, all dW _t are finally generated. Also, W _t is generated from the part of dW _t by MixColumns processing 704. However, the MixColumns process 704 is an inverse conversion process of the InvMixColumns process 703.

(Extended key generation process)
Next, the extended key generation process with the configuration according to the present embodiment will be described with reference to FIG. FIG. 8 is a flowchart showing the procedure of the extended key generation process in the present embodiment.

First, in step S801, the 128-bit key is input. Next, in step S802, the perform the above KeySet process to generate four W ₀ to _W-3. Next, in step S803, the above InvMixColumns conversion is performed on W _{0 to} W ₃ selected in step S802. As a result of this conversion, dW _{0 to} dW ₃ are generated.

On the other hand, in step S804, W ₃ generated by the KeySet process in step S802 is selected. Next, in step S805, the relative W ₃ selected in step S804, the performing the (* 2) described in the processing content of KeyExpansion the SubWord & RotWord & Rcon process. Next, in step S806, InvMixColumns conversion is performed on the data generated in step S805. Result of step S806, the generated data, defined as dW _'3.

（ｔ：０〜３９）
この演算処理では、まず、ｄＷ₄を算出する（つまり、ｔ＝４から処理を開始する）。ここで、ｄＷ₃はｄＷ'₃と置き換えられて実行される。つまり、

となる。ｄＷ₅以降については、次のステップＳ８０８の判定を行った後に実行する。なお、ステップＳ８０７の処理は、実行するたびにｔの値を増加して行う。 When performing the processing of steps S801～S806, in step S807, dW generated in step S803 and S806, the calculation of W _t using dW _'s performed. The arithmetic processing is expressed by Equation 3.
[Formula 3]

(T: 0 to 39)
In this calculation process, first, dW ₄ is calculated (that is, the process is started from t = 4). Here, dW ₃ is replaced with dW ′ ₃ for execution. That means

It becomes. For dW ₅ or later, it is executed after the determination of the next step S808. Note that the process of step S807 is performed by increasing the value of t each time it is executed.

After the process of step S807, the parameter is determined for each process step of step S807 in step S808. That, in the calculation of dW _t, t is, tmodNk = Nk-1, or to determine whether it satisfies 36 ≦ t ≦ 39. If t satisfies tmodNk = Nk−1 or 36 ≦ t ≦ 39 (YES in step S808), the process proceeds to step S809. If not (NO in step S808), the process returns to step S807 to continue the calculation process. To do. In the configuration according to the present embodiment, Nk = 4.

In step S809, if the step S808 is true (YES), it performs conversion of the MixColumns, derives the W _t. Then, the process proceeds to step S810.

  In step S810, it is determined whether t is t modNk = Nk−1 and t ≠ 39. If both t mod Nk = Nk−1 and t ≠ 39 are satisfied (YES in step S810), that is, if the determination is true, the process proceeds to step S811. If it is false (NO in step S810), the process returns to step S807 to continue the calculation process.

In step S811, with respect to W _t generated in step S809, it performs the (* 2) described in the processing content of KeyExpansion the SubWord & RotWord & Rcon process.

Next, in step S812, InvMixColumns conversion is performed on the data generated in step S811. Result of step S812, the generated data, defined as dW _'t. Then, the process returns to step S807 and the calculation process is continued. At this time, dW _t−1 in Equation 3 is replaced with dW ′ _t−1 . In this way, dW is calculated.

When all W _t , that is, W _{0 to} W ₃₉ are derived in step S809, the process proceeds to step S813. In step S813, W _{36 to} W ₃₉ are selected from W _t created in step S809.

Next, in step S814, W _{40 to} W ₄₃ generation processing is performed using W _{36 to} W ₃₉ selected in step S810. This generation process is the same as the conventional KeyExpansion process.

Next, in step S815, output W ₀ to _W-3 of the step S802, the output W ₄₀ to _W-43 in steps S814 and, an output result dW ₄ ~dW ₃₉ in step S807, and outputs the extended key for decryption . This is the end of the process for generating the decryption extended key.

Although substitution conversion is performed even in KeyExpansion processing, as described above, in the configuration according to the present embodiment, in order to determine all of W _t, it does not execute the processing of one by one KeyExpansion. For this reason, according to the configuration according to the present embodiment, it is possible to generate the decryption extended key at a lower calculation cost.

<< Fourth Embodiment >>
In the first to third embodiments, it is assumed that the fixed data to be input is key data, but the fixed data to be input is not limited to this. For example, the present invention is also applicable when the input data is a fixed-length pseudorandom number seed or the like. As a pseudo random number generator used for generating a pseudo random number to which the methods of the first to third embodiments can be applied, for example, a pseudo random number generator based on the same principle as a block cipher such as a PANAMA type pseudo random number generator Is mentioned. The PANAMA type pseudo-random number generator conforms to Fast Hashing and Stream Encryption with PANAMA (FSE (Fast Software Encryption) / 1998).

式４および式５のInData，InDataX，InDataYは擬似乱数のシードもしくは擬似乱数の処理の過程で生成されるデータを指す。Ｓは換字変換を伴う処理を示しており、OutDataは擬似乱数の処理の過程で生成されるデータを指し、少なくとも上記の換字変換で生成されるデータを含む。式４のＳ[InData]が式５のように構成できるのであれば、第１〜第３実施形態の手法を適用可能であり、演算コストを削減することができる。 Such a pseudo-random number generator must include the configurations of Equation 4 and Equation 5 in the entire process or a part of the process.
[Formula 4]
OutData = S [InData] ...
[Formula 5]

InData, InDataX, and InDataY in Expression 4 and Expression 5 indicate data generated in the process of pseudorandom number seeding or pseudorandom number processing. S indicates processing accompanied by substitution conversion, and OutData indicates data generated in the process of pseudorandom number processing, and includes at least data generated by the substitution conversion described above. If S [InData] in Expression 4 can be configured as in Expression 5, the methods of the first to third embodiments can be applied, and the calculation cost can be reduced.

<< Other Embodiments >>
Even if the first to fourth embodiments are applied as part of a system including a plurality of devices (for example, a host computer, an interface device, a reader, and a printer), a single device (for example, a copier, a facsimile machine) You may apply to a part of what consists of.

  Moreover, although the exemplary embodiments of the present invention have been described in detail, the present invention can take an embodiment as a system, apparatus, method, program, storage medium, or the like. Specifically, the present invention may be applied to a system composed of a plurality of devices, or may be applied to an apparatus composed of a single device.

  The present invention can also be achieved by supplying a program that realizes the functions of the above-described embodiment directly or remotely to a system or apparatus, and the computer of the system or apparatus reads and executes the supplied program code. Including the case where it is achieved.

  Therefore, since the functions of the present invention are implemented by a computer, the program code installed in the computer is also included in the technical scope of the present invention. That is, the present invention includes a computer program itself for realizing the functional processing of the present invention.

  In that case, as long as it has the function of a program, it may be in the form of object code, a program executed by an interpreter, script data supplied to the OS, and the like.

  Examples of the recording medium for supplying the program include the following. Namely, floppy (registered trademark) disk, hard disk, optical disk, magneto-optical disk, MO, CD-ROM, CD-R, CD-RW, magnetic tape, nonvolatile memory card, ROM, DVD (DVD-ROM, DVD-) R) and the like are included.

  In addition, the following types of programs may be considered. That is, it is also possible to connect to a homepage on the Internet using a browser of a client device and download a computer program according to the present invention or a compressed file including an automatic installation function from the homepage to a recording medium such as an HD. It can also be realized by dividing the program code constituting the program according to the present invention into a plurality of files and downloading each file from a different homepage. That is, a WWW server that allows a plurality of users to download a program file for realizing the functional processing of the present invention on a computer is also included in the present invention.

  The following supply forms are also conceivable. That is, first, the program according to the present invention is encrypted, stored in a storage medium such as a CD-ROM, and distributed to users. Further, the present invention allows a user who has cleared a predetermined condition to download key information to be decrypted from a homepage via the Internet, execute a program encrypted by using the key information, and install the program on a computer. The structure which concerns on is implement | achieved. Such a supply form is also possible.

  In addition to realizing the functions of the above-described embodiments by the computer executing the read program, the following implementation modes are also assumed. In other words, based on the instructions of the program, the OS running on the computer performs part or all of the actual processing, and the functions of the above-described embodiments can be realized by the processing.

  Further, after the program read from the recording medium is written in the memory provided in the function expansion board inserted in the computer or the function expansion unit connected to the computer, the above-described embodiment is also based on the instructions of the program. The function is realized. That is, a CPU or the like provided in the function expansion board or function expansion unit performs part or all of the actual processing, and the functions of the above-described embodiments are realized by the processing.

It is a figure for demonstrating the electrical structure of information processing apparatus. It is a figure which shows the structure of the general encryption apparatus which performs the encryption process by a common key encryption. It is a block diagram which shows the process which produces | generates the extended key for a decoding from the 128 bit key of AES in the conventional structure. It is a block diagram which shows the process which produces | generates the extended key for a decoding from the 128 bit key of AES. It is a flowchart which shows the procedure of an expansion key production | generation process. It is a flowchart which shows the procedure of an expansion key production | generation process. It is a block diagram which shows the process which produces | generates the extended key for a decoding from the 128 bit key of AES. It is a flowchart which shows the procedure of an expansion key production | generation process.

Claims (11)

An information processing apparatus that generates a plurality of enlarged information based on seed information,
Input means for inputting the seed information;
A computing means for computing a plurality of intermediate information based on the inputted seed information;
Derivation means for deriving a plurality of pieces of extended information respectively corresponding to the intermediate information based on the plurality of intermediate information obtained by the calculation;
Output means for outputting the enlarged information derived by the derivation means;
With
The derivation means includes
For the first set of the plurality of intermediate information, the first extended information corresponding to each of the intermediate information is derived by processing involving substitution conversion;
For the second set of the plurality of intermediate information, second extended information respectively corresponding to the intermediate information is derived by exclusive OR operation based on the derived first extended information. Information processing device.   The information processing apparatus according to claim 1, further comprising storage means for temporarily storing the intermediate information included in the first set.   The information processing apparatus according to claim 1, wherein the expanded information is expanded key information or pseudorandom numbers.   The information processing apparatus according to any one of claims 1 to 3, wherein the substitution conversion is reversible so that a calculation result value can be predicted. A second storage means for storing table information indicating a correspondence relationship between the operand value and the calculation result value;
The information processing apparatus according to claim 1, wherein the derivation unit performs the substitution conversion based on a reference to the table information.   The information processing apparatus according to claim 1, wherein the seed information is fixed-length data. An information processing apparatus that inputs common key information and performs encryption processing on information to be processed in a plurality of rounds based on a plurality of expanded information obtained by expanding the common key information. ,
Intermediate information generating means for generating a plurality of intermediate information for the first round based on the common key information;
A first generation unit configured to generate a plurality of pieces of enlarged information for the first round by executing a process involving substitution processing on the generated intermediate information;
For the subsequent attention round following the first round, one expansion information in the attention round is generated based on intermediate information obtained by inversely transforming one expansion information of the immediately preceding round, Second generation means for deriving the remaining expansion information by exclusive OR operation based on the previous expansion information;
An information processing apparatus comprising: A method for controlling an information processing apparatus that generates a plurality of pieces of enlarged information based on seed information,
An input step for inputting the seed information;
A calculation step of calculating a plurality of intermediate information based on the input seed information;
A derivation step of deriving a plurality of pieces of enlarged information corresponding to each of the intermediate information based on the plurality of intermediate information obtained by the calculation;
An output step of outputting the enlarged information derived in the derivation step;
With
In the derivation step,
For the first set of the plurality of intermediate information, first expanded information corresponding to each of the intermediate information is derived by processing involving substitution conversion;
For the second set of the plurality of intermediate information, second extended information corresponding to each of the intermediate information is derived by exclusive OR operation based on the derived first expanded information. Control method for information processing apparatus. A control method for an information processing apparatus that performs cryptographic processing on information to be processed in a plurality of rounds based on a plurality of pieces of expanded information obtained by inputting the common key information and expanding the common key information. Because
An intermediate information generating step for generating a plurality of intermediate information for the first round based on the common key information;
A first generation step of performing a process involving substitution processing on the generated intermediate information to generate a plurality of pieces of enlarged information for the first round;
For the subsequent attention round following the first round, one expansion information in the attention round is generated based on intermediate information obtained by inversely transforming one expansion information of the immediately preceding round, A second generation step of deriving the remaining expansion information by exclusive OR operation based on the previous expansion information;
An information processing apparatus control method comprising:   A computer program for causing a computer to function as the information processing apparatus according to claim 1.   A computer-readable storage medium storing the computer program according to claim 10.

Images