JP2014116897A - Encryption device, encryption method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent increase of memory capacity when encryption processing is performed by table reference upon converting a plaintext and an encryption key into symbols.SOLUTION: An encryption device comprises: means 1100 for converting a plaintext and an encryption key into symbols according to mapping between binary data and symbols with predetermined humming weight; means 1400 for holding a first operation table in which an output symbol of a first operation is stored in an address shown by an input symbol of the first operation, and a second operation table in which an output symbol of a second operation is stored in an address shown by an input symbol of the second operation as a table obtained by overlapping an unused area of one operation table with a used area of the other operation table; means 1200 for generating a cipher text expressed by the symbols by performing the first operation and the second operation based on the plaintext and the encryption key expressed by the symbols, and the overlapped tables; and means 1300 for converting the cipher text expressed by the symbols into the binary data.

Description

  The present invention relates to an encryption device, an encryption method, and a program, and more particularly, to an encryption device, an encryption method, and a program that have tamper resistance that makes side channel attacks difficult.

  As information is converted into electronic data, encryption is an indispensable technology for information protection and confidential communication. In order to maintain encryption security, it is necessary to prevent secret information such as encryption keys from being easily guessed. Although cryptographic analysis methods such as exhaustive search of cryptographic keys, linear decryption that performs mathematical decryption, and differential decryption are known, analysis in real time is impossible at present.

  On the other hand, if an attacker can accurately measure side channel information such as processing time, power consumption, and leaked electromagnetic waves in a device (encryption module) equipped with an encryption function such as a portable terminal, the confidential information is It is necessary to take measures against side channel attacks that attempt to acquire.

  As a side channel attack, a power analysis attack is known in which the power consumption of a cryptographic module is measured and secret information such as a key is analyzed from the power consumption. Among power analysis attacks, differential power analysis in which analysis is performed by performing statistical processing on a plurality of power consumption waveforms is regarded as a particularly powerful attack method (Non-Patent Document 1).

  It has been pointed out that there is a correlation between the number of bits that are 1 in a bit string (that is, Hamming weight) and power consumption when there is a bias in the transition probability of logic gates in a cryptographic module (non-null). Patent Document 2). It is also pointed out that there is a correlation between register bit transitions (Hamming distance) and power consumption before and after encryption processing when ciphertext is generated by executing predetermined encryption processing a predetermined number of times. (Non-Patent Document 3).

  Therefore, there is a possibility that the secret key is decrypted by paying attention to the Hamming weight and the Hamming distance.

  As an example, a DRL (Dual Rail Logic) method has been proposed as a countermeasure method against an attack focusing on the Hamming weight (Patent Document 1). In the DRL method, the original data is divided into 1-bit bits, each of 1-bit 0s and 1s is converted into 2-bits 01 and 10 having a predetermined hamming weight, and values having the same number of hamming weights are used. To perform encryption processing and decryption processing.

  Hereinafter, binary data (eg, 01, 10) having a predetermined bit width having a predetermined Hamming weight is referred to as a “symbol”, and binary data (eg, 0, 1) having a predetermined bit width is referred to as a symbol (eg, 01 10) is referred to as “symbol conversion”.

  According to the DRL method described in Patent Document 1, since the calculation included in the encryption process and the decryption process is performed on the symbol-converted symbols, there is no difference in power consumption due to data difference. Therefore, according to the DRL method, the secret key cannot be analyzed from the Hamming weight, and the safety is improved. However, in the DRL method, since symbol conversion is performed for each bit and encryption and decryption operations are performed in symbol units, it is necessary to repeat the operation for the bit width of the data. That is, when the countermeasure against the side channel attack is performed by the DRL method, the processing time of the encryption process and the decryption process increases.

  Patent Document 2 describes a technique for performing symbol conversion for each predetermined bit instead of performing symbol conversion for each bit. According to the technique described in Patent Document 2, an increase in the number of operations can be prevented by symbol-converting plaintext for each of a plurality of bits, and the problems of the technique described in Patent Document 1 can be solved.

JP 2005260652 A JP 2010-124276 A

P. Kocher, J. Jaffe and B. Jun, "Introduction to Differential Power Analysis and Related Attacks," [online], 1998, [retrieved on November 22, 2012], Internet <URL: http: // www. cryptography.com/public/pdf/DPATechInfo.pdf>. Akihiko Sasaki, Kimiaki Abe, "Evaluation of algorithm-level tolerance against power differential analysis attacks on cryptographic circuits," IEICE Transactions C (Vol.126, No.10, pp.1221) -1228, Oct. 2006. E. Brier, C. Clavier, and F. Olivier, "Correlation Power Analysis with a Leakage Model," [online], 2004, [retrieved on November 22, 2012], Internet <URL: http: // www. iacr.org/archive/ches2004/31560016/31560016.pdf>.

  The disclosures of the above patent documents and non-patent documents are incorporated herein by reference. The following analysis was made by the present inventors.

  In the case where symbol conversion is performed on a plaintext and an encryption key in units of multiple bits by preparing a large number of symbols having a constant Hamming weight as in the technique described in Patent Document 2, the calculation included in the encryption processing is further displayed in a table. It can be realized by reference.

  However, if the encryption process based on the plaintext converted into the symbol and the encryption key is to be realized by referring to the table, a large number of unused areas may occur in the table. This is because a symbol is binary data of a predetermined bit width having a predetermined Hamming weight, and takes discrete values. Therefore, when a table is referred to using a symbol as an address, the address value used is discrete and the discrete value is used. This is because it becomes a value. In particular, when a plurality of types of operations are included in the encryption processing procedure, it is necessary to hold a plurality of tables in a memory, and an increase in storage capacity for holding the tables becomes a problem.

  Therefore, it is desirable to prevent an increase in storage capacity for holding a table when encryption processing is performed by referring to a table after converting plaintext and an encryption key into symbols. An object of the present invention is to provide an encryption apparatus encryption method and program that contribute to such a demand.

The encryption device according to the first aspect of the present invention is:
Symbol conversion means for converting a plaintext and an encryption key represented by binary data into a plaintext and an encryption key represented by a symbol in accordance with the correspondence between the binary data having the first bit width and the second bit width symbol having a predetermined Hamming weight When,
A first operation table in which a symbol corresponding to the output of the first operation is stored at an address indicated by a symbol corresponding to an input of the first operation included in the encryption processing; and a second operation included in the encryption processing The second calculation table in which the symbol corresponding to the output of the second calculation is stored at the address indicated by the symbol corresponding to the input of is overlaid on the unused area of one calculation table with the used area of the other calculation table. Table holding means for holding as a table;
Symbol encryption means for generating a ciphertext represented by a symbol by performing the first operation and the second operation based on the equalization and encryption key represented by the symbol and the superposed table;
Reverse symbol conversion means for converting a ciphertext represented by a symbol into a ciphertext represented by binary data in accordance with the association.

The encryption method according to the second aspect of the present invention is:
The computer converts the plaintext and the encryption key represented by the binary data into the plaintext and the encryption key represented by the symbol according to the correspondence between the binary data having the first bit width and the symbol having the second bit width having the predetermined Hamming weight. Conversion process;
A first operation table in which a symbol corresponding to the output of the first operation is stored at an address indicated by a symbol corresponding to an input of the first operation included in the encryption processing; and a second operation included in the encryption processing The second calculation table in which the symbol corresponding to the output of the second calculation is stored at the address indicated by the symbol corresponding to the input of is overlaid on the unused area of one calculation table with the used area of the other calculation table. A holding step for holding in the storage unit as a table;
A generation step of generating a ciphertext represented by a symbol by performing the first operation and the second operation based on the equalization and encryption key represented by the symbol and the superposed table;
A reverse conversion step of converting the ciphertext represented by the symbol into a ciphertext represented by binary data according to the association.

The program according to the third aspect of the present invention is:
A conversion process for converting a plaintext and an encryption key represented by binary data into a plaintext and an encryption key represented by a symbol according to the association between the binary data having the first bit width and a symbol having a second bit width having a predetermined Hamming weight; ,
A first operation table in which a symbol corresponding to the output of the first operation is stored at an address indicated by a symbol corresponding to an input of the first operation included in the encryption processing; and a second operation included in the encryption processing The second calculation table in which the symbol corresponding to the output of the second calculation is stored at the address indicated by the symbol corresponding to the input of is overlaid on the unused area of one calculation table with the used area of the other calculation table. Holding processing to be stored in the storage unit as a table;
A generation process for generating a ciphertext represented by a symbol by performing the first operation and the second operation based on the equalization and encryption key represented by the symbol and the superposed table;
Inverse conversion processing for converting a ciphertext represented by a symbol into a ciphertext represented by binary data according to the association is executed by a computer.
The program can be provided as a program product recorded on a non-transitory computer-readable storage medium.

  According to the encryption device, the encryption method, and the program according to the present invention, when the plain text and the encryption key are converted into symbols and the encryption process is performed by referring to the table, it is possible to prevent an increase in memory capacity due to holding of the table. It becomes possible.

It is a block diagram which shows the structure of the encryption apparatus which concerns on 1st Embodiment as an example. It is a block diagram which shows the structure of the encryption part of the encryption apparatus which concerns on 1st Embodiment as an example. It is a figure which shows the structure of the symbol conversion part of the encryption apparatus which concerns on 1st Embodiment as an example. It is a figure showing the input / output of exclusive OR in the encryption apparatus which concerns on 1st Embodiment. It is a figure showing the input / output when exclusive OR in the encryption apparatus which concerns on 1st Embodiment mounts the table by a symbol. It is a figure showing the input / output of the nonlinear (2n bit Sbox) conversion in the encryption apparatus which concerns on 1st Embodiment. It is a figure showing the input / output when non-linear (2n bit Sbox) conversion in the encryption apparatus which concerns on 1st Embodiment mounts the table by a symbol. It is a figure showing input / output when arithmetic addition in the encryption apparatus which concerns on 1st Embodiment mounts the table by a symbol. It is a figure which shows the structure of the reverse symbol conversion part of the encryption apparatus which concerns on 1st Embodiment as an example. It is a figure for demonstrating the superimposition of a calculation table. It is a flowchart of AES128.

  First, an outline of one embodiment will be described. Note that the reference numerals of the drawings attached to this summary are merely examples for facilitating understanding, and are not intended to limit the present invention to the illustrated embodiment.

  Referring to FIG. 1 and FIG. 2, the encryption device is an encryption device that encrypts plain text using a secret key and outputs it as cipher text, which is a plain text and a round key (hereinafter also referred to as an encryption key). A symbol conversion unit (1100) that performs symbol conversion, a symbol encryption unit (1200) that performs encryption using a symbol, and an operation table for performing an operation included in the encryption process based on a table reference are held. Table holding means (1400) and inverse symbol conversion means (1300) for performing reverse conversion from a symbol to a ciphertext.

  The symbol conversion means (1100) divides the plain text into a plurality of binary data having a predetermined bit width, and converts each binary data into a symbol having a predetermined bit width having a predetermined Hamming weight. The symbol encryption means (1200) performs an encryption operation using an operation table held by the table holding unit (1400) using the converted symbol. In the calculation table, a symbol corresponding to the output of the calculation is stored at an address position indicated by the symbol corresponding to the input of the calculation. Further, the unused areas in the tables are reduced by superimposing the used areas of the other calculation tables on the unused areas of the plurality of calculation tables.

  According to such an encryption apparatus, a DRL (Dual Rail Logic) method, which is a tamper-resistant method in encryption processing, is performed for each of a plurality of bits, thereby suppressing an increase in processing time and increasing a storage area (table storage) ( For example, the ROM area) can be reduced by superimposing the tables.

  The symbol conversion means (1100) divides the plaintext and the round key into a plurality of predetermined bit widths and replaces them with symbols. The symbol has a predetermined bit width larger than the bit width when the plaintext and the ciphertext are divided, and has a predetermined Hamming weight of 1 or 2 or more. Symbols are prepared according to the number of values that can be taken by binary data having a bit width when the plaintext and ciphertext are divided, and the binary data and the symbols are associated with each other.

  The symbol encryption means (1200) realizes all operations included in the encryption by referring to the table (table lookup). Here, the symbol corresponding to the input / output of the table and the symbol corresponding to the output are either a single symbol or a bit string obtained by concatenating the symbols.

  The inverse symbol conversion means (1300) divides the ciphertext composed of symbols for each symbol width and converts it into binary data corresponding to the symbols.

  According to such a configuration, analysis using the difference in power consumption can be made difficult. The reason is that, by replacing all binary data used for the calculation with symbols having a predetermined Hamming weight, a difference in power consumption due to a difference in data does not occur.

  Further, according to such a configuration, an increase in the number of operations can be prevented by converting the plaintext into symbols for each of a plurality of bits. Specifically, the number of operations can be reduced by performing symbol conversion for each of a plurality of bits as compared to the case of performing symbol conversion for each bit. The reason is that symbol conversion can be performed in units of multiple bits by preparing a large number of symbols having a predetermined Hamming weight.

  Also, all encryption operations by the symbol encryption means (1200) are performed by referring to the operation table. The input / output of the operation table is composed of a single symbol or a concatenation of symbols. Since symbols for accessing the calculation table take discontinuous values, a large number of unused areas are generated in the calculation table. When the encryption processing procedure includes a plurality of types of calculations, a plurality of calculation tables are required, and an increase in unused areas becomes a problem. The table holding means (1400) writes the data of the other calculation table in the unused area of one calculation table by shifting the start ends of the calculation tables and overlapping them.

  By adopting such a configuration and overlapping a plurality of calculation tables on one table, an increase in unused areas of the table can be suppressed.

  According to the present invention, it is possible to suppress an increase in unused areas in a table, which can be performed by mounting operations on a table. The reason is that waste of memory can be suppressed by superimposing a plurality of calculation tables including many unused areas.

In the present invention, the following modes are possible.
[Form 1]
The encryption apparatus according to the first aspect.
[Form 2]
In the superimposed table, a symbol corresponding to the output of the first calculation is stored at an address indicated by a bit string obtained by connecting a plurality of symbols corresponding to the input of the first calculation, and corresponds to the input of the second calculation. A symbol corresponding to the output of the second calculation may be stored at an address obtained by adding a predetermined offset to a bit string obtained by concatenating a plurality of symbols.
[Form 3]
The symbol conversion means converts the plaintext and the encryption key represented by the binary data into symbols according to the association between the binary data having the first bit width and the second bit width symbol having any one of a plurality of predetermined Hamming weights. It may be converted into a plaintext and an encryption key represented by
[Form 4]
The first operation and the second operation may be at least one of exclusive OR, nonlinear transformation, multiplication on a Galois field, and arithmetic addition included in the encryption process.
[Form 5]
The encryption process may be an encryption process based on AES (Advanced Encryption Standard).
[Form 6]
The encryption method according to the second aspect is as described above.
[Form 7]
In the encryption method, the superimposed table stores a symbol corresponding to the output of the first calculation at an address indicated by a bit string obtained by concatenating a plurality of symbols corresponding to the input of the first calculation. A symbol corresponding to the output of the second calculation may be stored at an address obtained by adding a predetermined offset to a bit string obtained by concatenating a plurality of symbols corresponding to the input of the calculation.
[Form 8]
In the conversion step, according to the correspondence between the binary data having the first bit width and the second bit width symbol having any of a plurality of predetermined Hamming weights, the plaintext and the encryption key represented by the binary data are represented by symbols. You may convert into the plaintext and encryption key represented.
[Form 9]
The program according to the third aspect.
[Mode 10]
In the program, the superimposed table stores a symbol corresponding to the output of the first calculation at an address indicated by a bit string obtained by connecting a plurality of symbols corresponding to the input of the first calculation. A symbol corresponding to the output of the second calculation may be stored at an address obtained by adding a predetermined offset to a bit string obtained by concatenating a plurality of symbols corresponding to the input.
[Form 11]
In the conversion process, according to the association between the binary data having the first bit width and the second bit width symbol having any of a plurality of predetermined Hamming weights, the plaintext and the encryption key represented by the binary data are represented by symbols. You may convert into the plaintext and encryption key represented.
[Form 12]
Symbol for converting ciphertext and cipher key represented by binary data into ciphertext and cipher key represented by symbol according to association between binary data of first bit width and second bit width symbol of predetermined Hamming weight Conversion means;
A first calculation table in which a symbol corresponding to the output of the first calculation is stored at an address indicated by a symbol corresponding to the input of the first calculation included in the decoding process, and an input of the second calculation included in the decoding process A table in which a symbol corresponding to the output of the second calculation is stored at an address indicated by a symbol corresponding to is a table in which a use area of the other calculation table is superimposed on an unused area of one calculation table. Table holding means for holding;
Symbol decryption means for generating plaintext represented by a symbol by performing the first computation and the second computation based on the ciphertext and encryption key represented by the symbol and the superposed table;
And a reverse symbol conversion unit that converts plain text represented by symbols into plain text represented by binary data according to the association.
[Form 13]
The computer converts the ciphertext and cipher key represented by the binary data into ciphertext and cipher key represented by the symbol in accordance with the correspondence between the binary data having the first bit width and the symbol having the second bit width having the predetermined Hamming weight. A conversion process to convert;
A first calculation table in which a symbol corresponding to the output of the first calculation is stored at an address indicated by a symbol corresponding to the input of the first calculation included in the decoding process, and an input of the second calculation included in the decoding process A table in which a symbol corresponding to the output of the second calculation is stored at an address indicated by a symbol corresponding to is a table in which a use area of the other calculation table is superimposed on an unused area of one calculation table. Holding process to hold in the storage unit;
Generating a plaintext represented by a symbol by performing the first operation and the second operation based on the ciphertext and encryption key represented by the symbol and the superimposed table;
A reverse conversion step of converting plain text represented by symbols into plain text represented by binary data in accordance with the association.
[Form 14]
Conversion for converting ciphertext and cipher key represented by binary data into ciphertext and cipher key represented by symbols according to the correspondence between the binary data having the first bit width and symbols having the second bit width having a predetermined Hamming weight Processing,
A first calculation table in which a symbol corresponding to the output of the first calculation is stored at an address indicated by a symbol corresponding to the input of the first calculation included in the decoding process, and an input of the second calculation included in the decoding process A table in which a symbol corresponding to the output of the second calculation is stored at an address indicated by a symbol corresponding to is a table in which a use area of the other calculation table is superimposed on an unused area of one calculation table. A holding process held in the storage unit;
Generation processing for generating plaintext represented by a symbol by performing the first operation and the second operation based on the ciphertext and encryption key represented by the symbol and the superimposed table;
A program that causes a computer to execute reverse conversion processing for converting plain text represented by symbols into plain text represented by binary data in accordance with the association.

(Embodiment 1)
The encryption device according to the first embodiment will be described with reference to the drawings.

  FIG. 1 is a block diagram illustrating an example of the configuration of the encryption device according to the present embodiment. Referring to FIG. 1, the encryption apparatus includes an encryption unit 1000 and a key generation unit 2000. In the following, an encryption apparatus that encrypts plain text and generates cipher text will be described, but similarly, a decryption apparatus that decrypts cipher text and generates plain text can be realized.

  The key generation unit 2000 generates a round key Kn used by the encryption unit 1000 based on the input secret key.

  The encryption unit 1000 encrypts data based on the input plaintext and the round key Kn received from the key generation unit 2000, and outputs a ciphertext.

  FIG. 2 is a block diagram illustrating the configuration of the encryption unit 1000 as an example. Referring to FIG. 2, the encryption unit 1000 includes a symbol conversion unit 1100, a symbol encryption unit 1200, an inverse symbol conversion unit 1300, and a table holding unit 1400.

  First, the symbol conversion unit 1100 converts a plain text into a symbol.

  Next, the symbol encryption unit 1200 performs encryption processing in accordance with an encryption algorithm. As an encryption calculation method, the symbol encryption unit 1200 refers to the calculation table held by the table holding unit 1400 with a symbol, and receives the calculation result as a symbol.

  When the encryption with the symbol is completed, the inverse symbol conversion unit 1300 performs conversion from the symbol to the ciphertext.

  FIG. 3 is a block diagram illustrating an example of the configuration of the symbol conversion unit 1100. Referring to FIG. 3, the symbol conversion unit 1100 holds a conversion table 1101 indicating the correspondence between n-bit binary data and symbols.

  As a symbol, a bit string consisting of m bits and having a predetermined (one or a plurality of types) of Hamming weights is selected in advance and assigned to n-bit binary data.

  The symbol conversion unit 1100 divides the input plaintext or round key every n bits (1 <n). Also, the symbol conversion unit 1100 converts the input value divided into n bits into a symbol with reference to the conversion table 1101.

  It is preferable to select a value larger than n and smaller than 2n as the bit width m of the symbol. Also, the variation in power consumption becomes smaller as the number of symbol Hamming weights is smaller. For example, when there is one kind of hamming weight, the variation in power consumption is zero. Attacks based on differential power analysis become more difficult as power consumption variation decreases.

  The symbol encryption unit 1200 receives the symbol converted by the symbol conversion unit 1100 as input, and performs an encryption operation in accordance with an encryption algorithm. The symbol encryption unit 1200 performs all operations included in the encryption process by referring to the table stored in the table holding unit 1400. The table holding unit 1400 holds input / output of all operations necessary for the encryption algorithm as a table (calculation table).

  In the following, exclusive OR (XOR), nonlinear transformation, multiplication on a Galois field, and arithmetic addition will be described as examples of calculation table formation.

  An example of an exclusive OR table implementation will be described with reference to FIGS.

  FIG. 4 is a diagram showing exclusive OR input / output. When the bit width of the symbol is m bits, the exclusive logical sum takes the input 1 and the input 2 of m bits × x and outputs the operation result of m bits × x. FIG. 5 shows a case where exclusive OR is implemented using a table based on symbols. The symbol encryption unit 1200 uses an input (subscript, address) obtained by concatenating an m-bit input 1 and an input 2 and performs table lookup to obtain an m-bit output.

  The symbol encryption unit 1200 repeats this x times and concatenates the outputs to obtain an output of m bits × x.

  Next, using FIG. 6 and FIG. 7, a table implementation example of 2n-bit non-linear (Sbox) conversion when the bit width of a symbol is m bits and the bit width of binary data is n bits is shown.

  FIG. 6 shows input / output of nonlinear (Sbox) transformation. In the non-linear conversion, 2n-bit data is input and 2n-bit data is output. FIG. 7 shows a case where non-linear transformation is implemented with a table based on symbols. The symbol encryption unit 1200 refers to two tables (an upper bit table and a lower bit table) with an input (subscript) obtained by concatenating two m-bit symbols, and obtains an m-bit output. The symbol encryption unit 1200 concatenates these outputs to obtain a 2m-bit output.

  The structure of input / output of multiplication on the Galois field is the same as the nonlinear transformation shown in FIG. Necessary multiplications such as double multiplication and triple multiplication are prepared according to the encryption algorithm. Note that triple multiplication can be replaced with an operation that performs exclusive OR with itself after double multiplication.

  Next, a table implementation for arithmetic addition will be described with reference to FIG. FIG. 8 shows a table implementation 1430 for arithmetic addition. When performing arithmetic addition, the symbol encryption unit 1200 divides the input into units of symbol bit widths (m bits) and processes them from the lower side. The symbol encryption unit 1200 uses an input (subscript) obtained by concatenating an m-bit input 1 and an input 2, and obtains an m-bit output by referring to an arithmetic addition table within m bits. Also, the symbol encryption unit 1200 refers to the carry table exceeding m bits and acquires the presence / absence of carry. When performing symbol-wise arithmetic addition for the next symbol unit, the symbol encryption unit 1200 first arithmetically adds the carry value of the previous stage and the input 1, and arithmetically adds the result and the input 2. In addition, in the two arithmetic additions here, the carry occurs only once at the maximum.

  In addition to the method of performing arithmetic addition twice, an arithmetic addition table within m bits of “input 1 + input 2 + 1” and a carry table exceeding m bits are prepared. You may make it switch the table to refer according to the presence or absence of a carry. Furthermore, instead of using m-bit symbols as symbols representing carry, 2-bit symbols such as 01 for 0 and 10 for 1 may be used.

  FIG. 9 is a block diagram illustrating an example of the configuration of the inverse symbol conversion unit 1300. Referring to FIG. 9, the inverse symbol conversion unit 1300 receives the output of the symbol encryption 1200. The inverse symbol conversion unit 1300 divides the received data for each symbol bit width (m bits), reversely converts the conversion table 1101 (FIG. 3) of the symbol conversion unit 1100, and converts the symbol into an n-bit ciphertext. Convert. A reverse lookup table for converting symbols into ciphertexts may be prepared separately.

  FIG. 10 is a diagram for explaining the superposition of a plurality of calculation tables. Each calculation table when the calculation is implemented as a table has the same interface. That is, each calculation table has an input with a bit width of two symbols and an output of one symbol. Each calculation table is accessed using a symbol as a subscript (or address). Since the symbol has a predetermined one or more Hamming weights, the symbol takes a discontinuous value. At this time, an unused area is generated in the calculation table. Therefore, by offsetting the start points of the plurality of calculation tables, the data of other calculation tables are substituted into unused areas of the calculation tables. If the output bit widths are the same, the table can be superposed.

  An example of the encryption apparatus according to the first embodiment will be specifically described in a case where 128-bit AES (Advanced Encryption Standard) (AES128) is used as the encryption process.

  In this embodiment, it is assumed that 4-bit binary data is assigned to a 6-bit symbol having a Hamming weight of 3. There are 16 types of values from 0 to 15 (0xF) that the 4-bit binary data can take. On the other hand, there are 20 symbols with 6 bits and a Hamming weight of 3. Binary data 0000 to 1111 (that is, numerical values 0 to 15 (0xF)) are assigned to 16 of these 20 symbols. Table 1 shows the conversion table 1101 at this time as an example. In Table 1, symbols with x in the binary data column are unused symbols.

  In Table 1, the symbol has only one hamming weight, but the symbol may have a plurality of types of hamming weights. For example, a bit string having a bit width of 5 and having a Hamming weight of 2 and 3 may be selected as a symbol. Table 2 shows the conversion table 1101 at this time as an example. In Table 2, a symbol with a cross in the binary data column is an unused symbol.

  By increasing the types of hamming weights that symbols have, the resistance to attacks focusing on hamming weights is reduced, but the number of bits that make up symbols can be reduced, and when implementing encryption processing based on table references It is possible to reduce the size of the table. Hereinafter, a case where the conversion table 1101 shown in Table 1 is used will be described.

  The symbol conversion unit 1100 in FIG. 2 divides the read plaintext into 4 bits and converts them into symbols. At this time, 128 bits of plaintext (= 32 × 4 bits) are converted into 192 bits (= 32 symbols × 6 bits).

  Next, the symbol encryption unit 1200 performs encryption with symbols. In the AddRoundKey operation, exclusive OR of 128-bit plaintext and 128 round keys is performed. Here, the result of exclusive OR operation is obtained by referring to the table 32 times for each symbol (6 bits).

  The argument 1 in the table implementation 1411 in FIG. 5 corresponds to a plaintext converted into a symbol, and an argument 2 corresponds to a round key converted into a symbol. The symbol encryption unit 1200 concatenates these argument 1 and argument 2 and refers to the exclusive OR table (FIG. 5) with the concatenated value. The return value is a symbol corresponding to a value obtained by exclusive ORing the values before symbol conversion (for 4 bits). The symbol encryption unit 1200 performs this table reference 32 times and connects the results.

  In the SubBytes operation, the intermediate sentence is processed by two symbols. S1 and S2 of the table implementation 1421 in FIG. 7 are tables in which the original Sbox operation value is divided into upper 4 bits and lower 4 bits and converted into symbols. The symbol encryption unit 1200 refers to the S1 and S2 tables using two intermediate sentence symbols and concatenates the return values.

  The ShiftRows operation is a rearrangement by dividing every two symbols of the intermediate sentence. As an example, rearrangement is possible when storing a calculation result such as a SubBytes calculation.

  The MixColumns operation processes the intermediate sentence by two symbols in the same manner as the SubBytes operation. The symbol encryption unit 1200 performs a MixColumns operation by referring to a multiplication table on the Galois field.

  When the process is repeated for the number of rounds according to FIG. 11, a ciphertext composed of symbols is obtained.

  The inverse symbol conversion 1300 in FIG. 9 converts a ciphertext composed of symbols into a ciphertext composed of original binary data.

  Next, the size when the computation in the encryption process is implemented as a table will be described.

  All the interfaces in the table are common, and a value obtained by concatenating two symbols (6 bits × 2) is input, and one symbol (6 bits) is returned.

  In order to access with a value obtained by concatenating two symbols, the number of elements is 2 ^ 12 (= 4096).

  Since there are 16 possible values for one symbol, 256 (= 16 × 16) possible values are obtained by concatenating two symbols. Therefore, although 4096 elements are required in one table, only 256 elements can be set as valid values.

  The following five operation tables 1 to 5 are required to implement double multiplication on a Galois field in the exclusive OR (XOR) operation, SubBytes (Sbox) operation, and MixColumns operation in AES. .

Operation table 1: XOR operation Operation table 2: Sbox operation (for upper 4 bits)
Calculation table 3: Sbox calculation (for lower 4 bits)
Calculation table 4: Double multiplication (for upper 4 bits)
Calculation table 5: Double multiplication (for lower 4 bits)

  Here, the start edges of the calculation tables 2 to 5 are shifted backward by 10, 20, 636, and 646 elements from the start edge of the calculation table 1, respectively, and superimposed on the calculation table 1, so that the respective unused positions are placed at the unused positions. Data can be stored. At this time, 1280 (= 256 × 5) data can be stored in 4742 (= 4096 + 646) elements.

  Since one symbol is stored in one element, the size of one element is 1 byte. Therefore, a storage capacity of 4742 bytes is required to hold five calculation tables. If the calculation tables are not overlapped, a storage capacity of 20480 (= 4096 × 5) bytes is required. Therefore, the storage capacity for holding the calculation tables is reduced by the overlap of the calculation tables. It can be reduced to 4 or less.

  Table 3 shows the storage capacity required to hold the calculation table in each of the cases where the calculation tables are not overlapped and when the calculation tables are not overlapped. Referring to Table 3, it can be seen that by overlapping a plurality of calculation tables, the storage area for holding the calculation tables can be significantly reduced.

  Refer to the elements from the beginning of the calculation table to the position where the first valid value is stored (456th) and the elements from the position where the last valid value is stored (the 456th from the back) to the end. Not. Therefore, these elements can be deleted. By deleting these elements, it is possible to reduce the storage capacity to 3186 (= 4096-455-455) bytes in the calculation table alone. In addition, when these elements are deleted, if the calculation tables are not overlapped, the storage capacity is 15930 bytes for five calculation tables. On the other hand, when five calculation tables are overlapped, the storage capacity can be reduced to 3832 (= 4742−455−455) bytes (see Table 4).

  It should be noted that the disclosures of prior art documents such as the above patent documents are incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiment can be changed and adjusted based on the basic technical concept. Further, various combinations or selections of various disclosed elements (including each element of each claim, each element of each embodiment, each element of each drawing, etc.) are possible within the scope of the claims of the present invention. It is. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea. In particular, with respect to the numerical ranges described in this document, any numerical value or small range included in the range should be construed as being specifically described even if there is no specific description.

1000 Encryption unit 1100 Symbol conversion unit 1101 Conversion table 1200 Symbol encryption unit 1300 Inverse symbol conversion unit 1400 Table holding unit 1410 Exclusive OR 1411 Exclusive OR table implementation 1420 Non-linear transformation 1421 Non-linear transformation table implementation 1430 Arithmetic addition Table implementation 2000 Key generation unit 3000 Calculation table superposition 4000 AES128 flow diagram

Claims (10)

Symbol conversion means for converting a plaintext and an encryption key represented by binary data into a plaintext and an encryption key represented by a symbol in accordance with the correspondence between the binary data having the first bit width and the second bit width symbol having a predetermined Hamming weight When,
A first operation table in which a symbol corresponding to the output of the first operation is stored at an address indicated by a symbol corresponding to an input of the first operation included in the encryption processing; and a second operation included in the encryption processing The second calculation table in which the symbol corresponding to the output of the second calculation is stored at the address indicated by the symbol corresponding to the input of is overlaid on the unused area of one calculation table with the used area of the other calculation table. Table holding means for holding as a table;
Symbol encryption means for generating a ciphertext represented by a symbol by performing the first operation and the second operation based on the equalization and encryption key represented by the symbol and the superposed table;
And a reverse symbol conversion unit configured to convert a ciphertext represented by a symbol into a ciphertext represented by binary data in accordance with the association.   In the superimposed table, a symbol corresponding to the output of the first calculation is stored at an address indicated by a bit string obtained by connecting a plurality of symbols corresponding to the input of the first calculation, and corresponds to the input of the second calculation. The encryption device according to claim 1, wherein a symbol corresponding to the output of the second operation is stored at an address obtained by adding a predetermined offset to a bit string obtained by concatenating a plurality of symbols.   The symbol conversion means converts the plaintext and the encryption key represented by the binary data into symbols according to the association between the binary data having the first bit width and the second bit width symbol having any one of a plurality of predetermined Hamming weights. The encryption device according to claim 1, wherein the encryption device converts the data into a plaintext and an encryption key represented by:   4. The first operation and the second operation are at least one of exclusive OR, nonlinear transformation, multiplication on a Galois field, and arithmetic addition included in the encryption process. 5. The encryption device according to any one of the above.   5. The encryption apparatus according to claim 1, wherein the encryption process is an encryption process based on AES (Advanced Encryption Standard). The computer converts the plaintext and the encryption key represented by the binary data into the plaintext and the encryption key represented by the symbol according to the correspondence between the binary data having the first bit width and the symbol having the second bit width having the predetermined Hamming weight. Conversion process;
A first operation table in which a symbol corresponding to the output of the first operation is stored at an address indicated by a symbol corresponding to an input of the first operation included in the encryption processing; and a second operation included in the encryption processing The second calculation table in which the symbol corresponding to the output of the second calculation is stored at the address indicated by the symbol corresponding to the input of is overlaid on the unused area of one calculation table with the used area of the other calculation table. A holding step for holding in the storage unit as a table;
A generation step of generating a ciphertext represented by a symbol by performing the first operation and the second operation based on the equalization and encryption key represented by the symbol and the superposed table;
A reverse conversion step of converting a ciphertext represented by a symbol into a ciphertext represented by binary data in accordance with the association.   In the superimposed table, a symbol corresponding to the output of the first calculation is stored at an address indicated by a bit string obtained by connecting a plurality of symbols corresponding to the input of the first calculation, and corresponds to the input of the second calculation. The encryption method according to claim 6, wherein a symbol corresponding to the output of the second operation is stored at an address obtained by adding a predetermined offset to a bit string obtained by concatenating a plurality of symbols.   In the conversion step, according to the correspondence between the binary data having the first bit width and the second bit width symbol having any of a plurality of predetermined Hamming weights, the plaintext and the encryption key represented by the binary data are represented by symbols. The encryption method according to claim 6, wherein the encryption method is converted into the expressed plaintext and encryption key. A conversion process for converting a plaintext and an encryption key represented by binary data into a plaintext and an encryption key represented by a symbol according to the association between the binary data having the first bit width and a symbol having a second bit width having a predetermined Hamming weight; ,
A first operation table in which a symbol corresponding to the output of the first operation is stored at an address indicated by a symbol corresponding to an input of the first operation included in the encryption processing; and a second operation included in the encryption processing The second calculation table in which the symbol corresponding to the output of the second calculation is stored at the address indicated by the symbol corresponding to the input of is overlaid on the unused area of one calculation table with the used area of the other calculation table. Holding processing to be stored in the storage unit as a table;
A generation process for generating a ciphertext represented by a symbol by performing the first operation and the second operation based on the equalization and encryption key represented by the symbol and the superposed table;
A program that causes a computer to execute reverse conversion processing for converting a ciphertext represented by a symbol into a ciphertext represented by binary data in accordance with the association.   In the superimposed table, a symbol corresponding to the output of the first calculation is stored at an address indicated by a bit string obtained by connecting a plurality of symbols corresponding to the input of the first calculation, and corresponds to the input of the second calculation. The program according to claim 9, wherein a symbol corresponding to the output of the second operation is stored at an address obtained by adding a predetermined offset to a bit string obtained by concatenating a plurality of symbols.

Images