JP2014238631A - Encryption module generation device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problem that there is a problem with development efficiency because development is further needed to complete an encryption module in which common key encryption algorithm is used in a real system, although there are conventional proposals for a method to make design development of the common key encryption algorithm more efficient.SOLUTION: A device generates an encryption module from design of efficient encryption algorithm by operating a development flow in the same device from design development of a new common key encryption algorithm to the encryption module which is operable in a system. The device generates the encryption module from an efficient encryption algorithm design device including safety verification, by also realizing a safety evaluation function for the common key encryption algorithm.

Description

  The present invention relates to a development technique corresponding to module implementation of a secret key cryptosystem.

In recent years, various services using computers and communication devices have been provided, and these services often use encryption technology in order to realize communication confidentiality and authentication. There are two types of encryption methods: common key encryption that uses the same key for encryption and decryption, and public key encryption that uses two types of keys with different secret keys and public keys. Common key cryptography has a problem of how to share keys between senders and receivers, but has the advantage of requiring less processing amount for encryption and decryption than public key cryptography, and is used in many fields and applications.
The cryptanalysis technology for the common key encryption algorithm is also improving year by year, and the security of the encryption algorithm currently in general use is not guaranteed in the future, and some systems aim to design and use the encryption algorithm independently. Thus, several techniques have been proposed to efficiently support algorithm design and perform safety evaluation.
Examples of the above-described common key encryption algorithm design apparatus and design support apparatus are disclosed in Patent Documents 1 and 2 below.
In the prior art in Patent Document 1, as an example of supporting the design of a common key encryption algorithm, a diagram representation of a variable having bit string data as a value, a diagram representation of an operation on bit string data, a diagram representation for combining variables and operations, and the like There has been proposed an encryption diagram editing apparatus that allows a user to describe and edit a diagram representation of the entire block cipher algorithm using a predetermined diagram representation. In addition, a technique for generating a block cipher program from a block cipher algorithm designed using an encryption diagram editing device and a technique for testing whether the generated program accurately implements the original algorithm are also proposed. ing.
Also, with the prior art in Patent Document 2, a cryptographic evaluation support system that can significantly reduce the evaluation time during the design and development of a common key cryptographic algorithm, and evaluation of cryptographic algorithms even if you are not a cryptographic design specialist A cryptographic evaluation support system is provided.

JP-A-10-240511 JP 2001-209304 A

  Conventionally, the design and development of a common key encryption algorithm generally involves algorithm design, security evaluation and implementation evaluation on a general implementation platform, generation of algorithm sample programs and test data, and completion of development. In order to use the algorithm developed for an actual system, the development of a cryptographic module that takes into account requirements such as operating conditions and processing performance has been carried out separately.

However, although the technology for expressing the efficiency of the design and development of the common key encryption algorithm is expressed in the conventional technology, the method for efficiently implementing the development of the cryptographic module for use in the actual system is Not proposed.
For this reason, even if a cryptographic module that operates on an actual system is developed based on the generated block encryption algorithm or block encryption program, the operating conditions, processing performance, etc. due to the environment in which the actual system operates There may be non-conformity due to requirements.
In such a case, the block cipher algorithm is designed again.
As for the cryptographic security of the designed cryptographic module, conventionally, a sample program and test data for the generated block cryptographic algorithm are generated, and a cryptographic security evaluation test is performed on an actual system.
In such a case, it is necessary to go back to the design of the common key encryption algorithm again, which is not efficient.
Also, with regard to the cryptographic security of the designed cryptographic module, conventionally, a test for evaluating the cryptographic security using the algorithm sample program and test data is always performed. Although the conventional technology evaluates the security of the cryptographic module under design, it is an index value for performing a relative comparison between the modules. It is not determined whether or not is satisfied. For this reason, tests for evaluating the security of cryptography in an actual system are performed, and as a result, if it is judged that the security is not satisfied, the design of the cryptographic module is usually repeated multiple times. There was a problem that it was not effective.

  The present invention has been made to solve the above-described problems, and provides a cryptographic module generation device that can efficiently realize the development from the design and development of a new common key cryptographic algorithm to the cryptographic module operable in the system. In addition, the main purpose is to provide a cryptographic module generation device with security verification that can implement a security evaluation function by providing components that can evaluate the security of a common key encryption algorithm. Objective.

The cryptographic module generation device according to the present invention includes:
A cryptographic design data input unit for inputting cryptographic algorithm design information in a system designed using the cryptographic function;
A system operating environment selection section for selecting source code according to the system operating environment;
System-installed cryptographic logic converter with the function of converting source code into system-mountable modules,
A cryptographic processing performance determination unit that determines whether the system requirements of the system including the cryptographic module are satisfied;
And a cryptographic module output unit for outputting a cryptographic module when it is determined that the system requirement is satisfied.

  ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to provide the encryption module production | generation apparatus which can implement | achieve efficiently from the design development of a new common key encryption algorithm to the encryption module which can operate | move by a system.

FIG. 3 is a diagram illustrating a configuration example of a cryptographic module generation device according to the first embodiment. FIG. 3 is a diagram illustrating an example of a cryptographic design part according to the first embodiment. FIG. 3 is a diagram showing an example of a designed encryption algorithm according to the first embodiment. The figure which shows the structural example of the encryption module production | generation apparatus with security verification which concerns on Embodiment 2. FIG. FIG. 4 is a diagram illustrating an example of a cryptographic algorithm designed according to the second embodiment. The figure which shows the structural example of the encryption module production | generation apparatus which can convert the secret key size and input data size which concern on Embodiment 3. FIG. The figure which shows the structural example of the encryption module production | generation apparatus with security verification which can convert the secret key size and input data size which concern on Embodiment 4. FIG. 3 is a flowchart showing a flow of processing according to the first embodiment. 10 is a flowchart showing a flow of processing according to the second embodiment. 10 is a flowchart showing a flow of processing according to the third embodiment. 10 is a flowchart showing a flow of processing according to the fourth embodiment. The figure which shows an example of the method of converting simply the private key size and input data size which concern on Embodiment 3 and Embodiment 4. FIG. The figure which shows an example of the method of converting using the information table with respect to the secret key size and input data size which concern on Embodiment 3 and Embodiment 4. FIG.

Embodiment 1 FIG.
The cryptographic module generation apparatus according to the present embodiment performs development and design of a common key cryptographic algorithm, and generates a cryptographic module that satisfies the system required performance. Cryptographic module test with quality that can be used in the system by converting to cryptographic logic suitable for the environment (restrictions related to CPU processing performance, restrictions related to memory capacity, compatibility of multiplexing processing, etc.) To output a cryptographic module that satisfies the required performance of the system.
Details of the cryptographic module generation apparatus according to this embodiment will be described below with reference to FIGS.

FIG. 1 shows a configuration example of a cryptographic module generation device according to the present embodiment.
In FIG. 1, a cryptographic design data input unit (101) has an information input interface function for inputting cryptographic scheme information desired to be designed using cryptographic design parts as shown in FIG. The on-board cryptographic logic conversion unit (102) converts the information into information that can uniquely determine the configuration of the cryptographic algorithm and outputs the information. In the present embodiment, the cryptographic design data input unit (101) is configured as a part of the cryptographic module generation apparatus. However, the cryptographic design data input unit (101) is configured as a part of the cryptographic algorithm design apparatus separately from processing related to the cryptographic algorithm design. May be.
More specifically, the cryptographic design data input unit (101) sets the input / output data size of each cryptographic design part and the number of times (number of stages) of repeated use and sets the relationship between the respective cryptographic design parts set. Cryptographic algorithm configuration information that is input to the system-installed cryptographic logic conversion unit (102) is output by an information input interface that can set connection information to be combined. The cryptographic design part shown in FIG. 2 is a basic configuration of an algorithm of Feistel type (201), modified Feistel type (202), and SPN (Substitution Permutation Network) type that is generally used in block ciphers of common key cryptographic algorithms. (203), linear feedback shift register (204) used in stream cipher, extended linear feedback shift register (205), SBOX (206) (Substitution BOX) and exclusive OR used in both ciphers Internal primitive functions such as (207), logical product (208), logical sum (209), addition (210), multiplication (211), rotate shift (212), bit substitution (213), m bit substitution (214) Prepare and assume The block cipher, and is flexibly corresponding to the configuration of the stream cipher.
By using the above-mentioned cryptographic design parts, it is possible to design a new cryptographic algorithm, and the configuration of cryptographic algorithms such as MISTY, Camellia, and AES (Advanced Encryption Standard), which are publicly available cryptographic algorithms, are also available. It can be reproduced.

In FIG. 1, the system-installed cryptographic logic conversion unit (102) includes cryptographic algorithm configuration information output from the cryptographic design data input unit (101) and information on the source code selected by the system operating environment selection unit (103). From the two pieces of information, a cryptographic module suitable for the actual system environment is generated.
The source code generation method is the same as the conventional technique. In the conventional method, for each cryptographic design part constituting the cryptographic module, the corresponding source code is held in advance, and after the cryptographic module is designed, the configuration of the cryptographic design part used, Source code is generated based on the order. In the present invention, the source code is generated using the same technique.
The difference between the prior art and the present invention is that source code suitable for the actual system environment is provided from the system operating environment selection unit (103).

In FIG. 1, the system operating environment selection unit (103) sends an appropriate source code to the system-mounted cryptographic logic conversion unit (102) according to the environment information (operating environment information) of the system that operates the designed cryptographic algorithm. Make selections to provide.
In FIG. 1, a system operation environment selection unit (103) selects an appropriate source code corresponding to the environment information (operation environment information) of the system that operates the designed encryption algorithm, and the system-installed encryption logic conversion unit ( 102).
For example, for all cryptographic design parts, (A) a source that supports multiplexing, (B) a source that uses less memory, and (C) a source that uses less CPU are available. In the system, if the amount of memory that can be used is small and saving of memory usage is specified as the operating environment information, the memory usage of the three types of prepared source code is suppressed. (B) is selected.
The selection of which source code to use may reflect the instructions of the system operating environment selection section (103) for all the cryptographic design parts used in the cryptographic module design, or a part of the designer May be changed by using the GUI function of the cryptographic design data input unit (101).
However, since it is necessary to cope with multiplexing as instructed by the system operating environment selection unit (103), for example, the time required for processing is defined in advance for each cryptographic design part, and the system operating environment is selected. The unit (103) can generate source code efficiently and correctly corresponding to the operating environment information by selecting the multiplexed source only for the cryptographic design part that takes a specified time or more in processing time.

In FIG. 1, the cryptographic processing performance determination unit (105) satisfies the required performance (required performance information) in the actual system environment by the cryptographic module output from the system-installed cryptographic logic conversion unit (102). Judgment is performed by executing a simulation of whether or not
Examples of the required performance information include the processing speed performance of the encryption process for the data block, the number of simultaneous processes that can be executed in parallel, and the like.
As a means for inputting the required performance information, a GUI function provided by the cryptographic design data input unit (101) may be used, or the required performance information is described in a file and processed by the cryptographic processing performance determination unit (105). It may be read when performing.
In the cryptographic processing performance determination unit (105), for example, an emulator environment for simulating an actual H / W configuration model on S / W is used as an environment for performing simulation.
In addition, the cryptographic processing performance determination unit (105) generates a test program for evaluating the required performance information. For example, when evaluating the processing speed performance, the time is recorded before and after calling the cryptographic module, a program for repeatedly measuring the difference is generated, executed in the above-mentioned emulator environment, and measured.
If the required performance is satisfied, the measured processing performance result and the cryptographic module are output from the system-installed cryptographic logic conversion unit (102) to the cryptographic module output unit (106). If the required performance is not satisfied, the measured processing performance result is output together with the required performance condition, and the design is repeated again from the information input of the cryptographic method desired to be designed by the cryptographic design data input unit (101).

FIG. 8 is a flowchart for explaining the processing flow of the first embodiment.
The designer inputs the operating environment information regarding the actual system on which the cryptographic algorithm to be designed will operate, to the cryptographic module generation device (S801). Examples of the operating environment information include restrictions related to CPU processing performance, restrictions related to the amount of memory, compatibility of multiplexing processing, and the like. For the input of the operating environment information, the GUI function provided by the cryptographic design data input unit (101) may be used, or the operating environment information is described in a file and processed by the cryptographic logic conversion unit for system installation (102). It may be read when performing.
Next, required performance information for the system is input to the cryptographic module generation device (S802). Examples of the required performance information include a time limit for completing the encryption process for one data block, and the number of processes that can be executed concurrently. The GUI function provided by the cryptographic design data input unit (101) may be used to input the required performance information, or the required performance information is described in a file, and the cryptographic processing performance determination unit (105) performs processing. You may make it read at the time.
Next, in the cryptographic design data input unit (101), a cryptographic module is designed (S803), and a relative evaluation for cryptographic security is performed (S804, S805). Regarding the relative evaluation of cryptographic security, since it is the one performed in the prior art (index is assigned to each cryptographic design part and the total of the selected parts is taken), the detailed explanation is Omitted. If the relative evaluation for cryptographic security is insufficient, the cryptographic module is designed again (803).
Next, the system-installed cryptographic logic conversion unit (102) generates source code based on the configuration information of the cryptographic module output in the above procedure (S806). A plurality of source codes are prepared for each cryptographic design part, and the system operating environment selection unit (103) selects which source code is used.
Next, the system-installed cryptographic logic conversion unit (102) compiles (S807). The compiler to be used is a cross compiler that corresponds to the actual system, and the compile options at that time correspond to the operating environment information, for example, if there is a specification to reduce the memory usage, the memory usage Set an option that minimizes. It should be noted that after generating the source code (S806), the source code output may be modified as necessary.
Next, the cryptographic processing performance determination unit (105) verifies whether the generated cryptographic module satisfies the performance condition when operating on the actual system (S808).
As a result of the verification, it is confirmed whether or not the required performance is satisfied (S809). If not, the cryptographic module design (S803) is repeated, and if satisfied, the cryptographic module output unit (106) configures the cryptographic module configuration information. Is output (S810).

Next, an outline of a cryptographic algorithm when a cryptographic design is performed using the cryptographic module generation device shown in FIG. 1 will be described.
FIG. 3 shows an example of a cryptographic algorithm designed according to the present embodiment.

FIG. 3 illustrates an example in which a block cipher algorithm with 64 bits as a block unit is designed and an encryption module is generated.
As an overall basic configuration of the algorithm, for example, a 5-stage Feistel type (201) that is repeated 5 times is processed using a cryptographic design part prepared in the cryptographic design data input unit (101), and 6-stage that is repeated 6 times. A configuration for processing the SPN type (203) and processing the five-stage modified Feistel type (202) repeated five times is selected. As input to the cipher design data input unit (101), 64 bits of input / output information and stage number information of 5, 6, 5 stages are input. In the SPN type (203), 8 bits are input as division information of input data.

First, a method for setting information of the 5-stage Feistel type (301) processed first will be described. In the 5-stage Feistel type (301) Function (304), 32 bits of input / output information are determined. Further, as the internal structure of the Function, a 32-bit exclusive OR between the one-stage SPN type and the input key is selected. In the one-stage SPN type, 4 bits are input as division information of input data. Therefore, 4 bits of input / output information are determined for the one-stage SPN function. A 4-bit input / output SBOX is selected as the internal configuration of the 4-bit input / output function (305). When SBOX is selected, definition of SBOX table information (16 entries) for every 4 bits of information amount is performed. Also, regarding 4-bit replacement, which is an internal configuration of the one-stage SPN type, definition of replacement information for data in units of 4 bits is performed. Note that the same information is set for all of the eight 4-bit input / output SBOXs, but different SBOX table information may be defined depending on the setting.

  Next, a method for setting information of the six-stage SPN type (302) to be processed second in the overall basic configuration of the algorithm will be described. In the function (306) of the 6-stage SPN type (302), 8 bits are set as the division information, so 8 bits of input / output information are determined. An 8-bit input / output SBOX is selected as the internal configuration of the 8-bit input / output function. When SBOX is selected, SBOX table information (256 entries) is defined for every 8 bits of information. In this case as well, the same information is set for all eight 8-bit input / output SBOXs, but different SBOX table information may be defined depending on the setting. Also, regarding 8-bit replacement, which is an internal configuration of the 6-stage SPN type (302), definition of replacement information for data in units of 8 bits is performed.

  Finally, a method for setting information of the five-stage modified Feistel type (303) processed third in the overall basic configuration of the algorithm will be described. In the function (307) of the five-stage modified Feistel type (303), 32 bits of input / output information are determined. Further, as the internal structure of the Function, a 32-bit exclusive OR of the four-stage modified Feistel type and the input key is selected. The four-stage modified Feistel function (308) has 16 bits of input / output information. A 16-bit input / output 1-bit left rotate shift is selected as the internal configuration of the 16-bit input / output function.

By setting as described above, the configuration of the data randomizing unit in the 64-bit input / output block cipher algorithm can be determined. In this description, the key schedule part defined by a general block cipher algorithm is not described, but it can be set by a method similar to the setting method of the data randomization part.
In the present embodiment, the number of combinations of cryptographic design information that can be set by the cryptographic design data input unit (101) is enormous, and the cryptographic designer installs the cryptographic algorithm design device and the cryptographic module automatic generation device. It is difficult to uniquely identify the cryptographic algorithm designed by using it. In addition, since a cryptographic designer can generate a cryptographic module using a cryptographic algorithm design device and a cryptographic module automatic generation device, a general system user does not need to know the details of the cryptographic algorithm and blackens the cryptographic module. Can be used in a box. Since this is a preventive measure that prevents easy analysis of the cryptographic algorithm, an effect of improving the security of the system can be obtained.

Embodiment 2. FIG.
In the present embodiment, another configuration in the case where a function capable of verifying the security of encryption is added will be described below.
FIG. 4 shows a configuration example of the cryptographic module generation apparatus with security verification according to the present embodiment.
In FIG. 4, the cryptographic design data input unit (101) has an information input interface function for inputting cryptographic scheme information to be designed using cryptographic design parts as shown in FIG. The on-board cryptographic logic conversion unit (102) converts the information into information that can uniquely determine the configuration of the cryptographic algorithm and outputs the information. In the present embodiment, the cryptographic design data input unit (101) is configured as a part of the cryptographic module generation apparatus. However, the cryptographic design data input unit (101) is configured as a part of the cryptographic algorithm design apparatus separately from processing related to the cryptographic algorithm design. May be.
More specifically, the cryptographic design data input unit (101) sets the input / output data size of each cryptographic design part and the number of times (number of stages) of repeated use and sets the relationship between the respective cryptographic design parts set. Cryptographic algorithm configuration information that is input to the system-installed cryptographic logic conversion unit (102) is output by an information input interface that can set connection information to be combined. In the present embodiment, unlike the case of the first embodiment, a combination example of cryptographic design parts whose security can be evaluated in advance is prepared as a pattern instead of freely selecting a combination of cryptographic design part configurations. In addition, the encryption designer sets information on the encryption method to be designed from the pattern. The pattern of the combination example has a finite configuration, but by setting the parameters such as how many times the cryptographic design parts are used repeatedly, the input / output size selection, the SBOX that has been confirmed to be secure and the logical operation combination method, It is possible to adopt a configuration in which the algorithm configuration cannot be uniquely specified.
The security measures defined here are, for example, exhaustive search, differential cryptanalysis, linear cryptanalysis, etc. for block ciphers, and typical cryptanalysis, such as long-periodity, linear complexity, and correlation attacks, for stream ciphers. Refers to the legal evaluation index.

  In FIG. 4, the cryptographic security verification unit (401) receives the cryptographic algorithm configuration information from the cryptographic design data input unit (101), determines whether the combination pattern is assumed, and satisfies the combination pattern. If so, the defined safety evaluation index is calculated to determine whether the safety measure is satisfied. If the safety measure is satisfied, the verified safety determination result and the encryption algorithm configuration information are output to the system-installed encryption logic conversion unit (102). If the safety measure is not satisfied, the verified safety judgment result is output, and the design is repeated again from the information input of the encryption method desired to be designed by the cipher design data input unit (101). In this embodiment, the cryptographic security verification unit (401) is configured as a part of the cryptographic module generation apparatus. However, the cryptographic security verification unit (401) is configured as a part of the cryptographic algorithm design apparatus separately from processing related to the cryptographic algorithm design. May be.

In FIG. 4, the system-installed cryptographic logic conversion unit (102) includes cryptographic algorithm configuration information output from the cryptographic design data input unit (101) and information on the source code selected by the system operating environment selection unit (103). From the two pieces of information, a cryptographic module suitable for the actual system environment is generated.
The source code generation method is the same as the conventional technique. In the conventional method, for each cryptographic design part constituting the cryptographic module, the corresponding source code is held in advance, and after the cryptographic module is designed, the configuration of the cryptographic design part used, Source code is generated based on the order. In the present invention, the source code is generated using the same technique.
The difference between the prior art and the present invention is that source code suitable for the actual system environment is provided from the system operating environment selection unit (103).

In FIG. 4, the system operation environment selection unit (103) selects an appropriate source code corresponding to the environment information (operation environment information) of the system that operates the designed encryption algorithm, and the system-installed encryption logic conversion unit ( 102).
For example, for all cryptographic design parts, (A) a source that supports multiplexing, (B) a source that uses less memory, and (C) a source that uses less CPU are available. In the system, if the amount of memory that can be used is small and saving of memory usage is specified as the operating environment information, the memory usage of the three types of prepared source code is suppressed. (B) is selected.
The selection of which source code to use may reflect the instructions of the system operating environment selection section (103) for all the cryptographic design parts used in the cryptographic module design, or a part of the designer May be changed by using the GUI function of the cryptographic design data input unit (101).
However, since it is necessary to cope with multiplexing as instructed by the system operating environment selection unit (103), for example, the time required for processing is defined in advance for each cryptographic design part, and the system operating environment is selected. The unit (103) can generate source code efficiently and correctly corresponding to the operating environment information by selecting the multiplexed source only for the cryptographic design part that takes a specified time or more in processing time.

In FIG. 4, the cryptographic processing performance determination unit (105) satisfies the requested west (required performance information) in the actual system environment when the cryptographic module output from the system-installed cryptographic logic conversion unit (102) Judgment is performed by executing a simulation of whether or not
Examples of the required performance information include the processing speed performance of the encryption process for the data block, the number of concurrent executions that can be executed in parallel, and the like.
As a means for inputting the required performance information, a GUI function provided by the cryptographic design data input unit (101) may be used, or the required performance information is described in a file and processed by the cryptographic processing performance determination unit (105). It may be read when performing.
In the cryptographic processing performance determination unit (105), for example, an emulator environment for simulating an actual H / W configuration model on S / W is used as an environment for performing simulation.
In addition, the cryptographic processing performance determination unit (105) generates a test program for evaluating the required performance information. For example, when evaluating the processing speed performance, the time is recorded before and after calling the cryptographic module, a program for repeatedly measuring the difference is generated, executed in the above-mentioned emulator environment, and measured.
If the required performance is satisfied, the measured processing performance result and the cryptographic module are output from the system-installed cryptographic logic conversion unit (102) to the cryptographic module output unit (106). If the required performance is not satisfied, the measured processing performance result is output together with the required performance condition, and the design is repeated again from the information input of the cryptographic method desired to be designed by the cryptographic design data input unit (101).

FIG. 9 is a flowchart illustrating the processing flow of the second embodiment.
The designer inputs the operating environment information regarding the actual system on which the cryptographic algorithm to be designed will operate, to the cryptographic module generation device (S801). Examples of the operating environment information include restrictions related to CPU processing performance, restrictions related to the amount of memory, compatibility of multiplexing processing, and the like. As a means for inputting the operating environment information, a GUI function provided by the cryptographic design data input unit (101) may be used, or the operating environment information is described in a file, and the system-installed cryptographic logic converting unit (102). May be read when performing processing.
Next, required performance information for the system is input to the cryptographic module generation device (S802). Examples of the required performance information include a time limit for completing the encryption process for one data block, and the number of processes that can be executed concurrently. The GUI function provided by the cryptographic design data input unit (101) may be used to input the required performance information, or the required performance information is described in a file, and the cryptographic processing performance determination unit (105) performs processing. You may make it read at the time.
Next, the cryptographic design data input unit (101) designs a cryptographic module (S803), and verifies cryptographic security (S901, S805). In order to verify the cryptographic security, it is determined whether the designed cryptographic algorithm is a combination pattern that satisfies a security measure in advance. If the cryptographic algorithm does not satisfy the security, the cryptographic module is designed again (S803).
Next, the system-installed cryptographic logic conversion unit (102) generates source code based on the configuration information of the cryptographic module output in the above procedure (S806). A plurality of source codes are prepared for each cryptographic design part, and the system operating environment selection unit (103) selects which source code is used.
Next, the system-installed cryptographic logic conversion unit (102) compiles (S807). The compiler to be used is a cross compiler that corresponds to the actual system, and the compile options at that time correspond to the operating environment information, for example, if there is a specification to reduce the memory usage, the memory usage Set an option that minimizes. It should be noted that after generating the source code (S806), the source code output may be modified as necessary.
Next, the cryptographic processing performance determination unit (105) verifies whether the generated cryptographic module satisfies the performance condition when operating on the actual system (S808).
As a result of the verification, it is confirmed whether or not the required performance is satisfied (S809). If not, the cryptographic module design (S803) is repeated, and if satisfied, the cryptographic module output unit (106) configures the cryptographic module configuration information. Is output (S810).

Next, an overview of a cryptographic algorithm when performing cryptographic design using the cryptographic module generating apparatus with security verification shown in FIG. 4 will be described.
FIG. 5 shows an example of a cryptographic algorithm designed according to this embodiment.

FIG. 5 illustrates an example in which a block cipher algorithm with a block unit of 64 bits is designed and an encryption module is generated.
As an overall basic configuration of the algorithm, an n-stage Feistel type (201) is selected as a configuration capable of verifying security from a combination pattern of cryptographic design parts prepared in the cryptographic design data input unit (101), and m is set as its internal Function. A step-deformed Feistel type (202) is selected, and a l-step deformed Feistel type (202) is selected as its internal function. A k-bit input / output SBOX (206) is selected as an internal function of the final l-stage modified Feistel type (202).

First, an information setting method of the n-stage Feistel type (201) having the entire basic configuration will be described. For example, the n-stage Feistel type is an 8-stage Feistel type (501) that is repeated eight times, and the input / output is set to 64 bits. An 8-stage Feistel type (501) Function (502) determines 32 bits of input / output information. Further, although the m-stage modified Feistel type is selected as the internal configuration of the Function (502), the three-stage modified Feistel type is selected as the setting information. However, before processing each stage of the three-stage modified Feistel type, a 16-bit exclusive OR of the input key and the upper 16-bit information input to the modified Feistel type is inserted, and the three-stage modified Feistel type A 16-bit exclusive OR of the key input after the process of step S1 and the higher-order 16-bit information output from the modified Feistel type is inserted.

In the three-stage modified Feistel function (503), 16 bits of input / output information are determined. In addition, as the internal configuration of the Function (503), the three-stage modified Feistel type is selected again. However, a 16-bit exclusive OR of a key input after the second stage processing of the three-stage modified Feistel type and information output from the modified Feistel type after the second stage processing is inserted.

Finally, if the 3-stage modified Feistel function (504) is not set, the 8-bit input / output information is determined. In this case, the non-uniform modified Feistel type is selected and divided into 9 bits and 7 bits. Set to Therefore, the first and third modified Feistel functions are 9 bits of input / output information, and the second modified Feistel function is 7 bits of input / output information. As the internal configuration of the 9-bit input / output function, the 9-bit input / output SBOX (504a) is selected. When SBOX is selected, SBOX table information (512 entries) is defined for every 9 bits of information. A 7-bit input / output SBOX (504b) is selected as the internal configuration of the 7-bit input / output function. When SBOX is selected, definition of SBOX table information (128 entries) for every 7 bits of information amount is performed. Although the same information is set for two 9-bit input / output SBOXs (504a, 505), two different SBOX table information can be defined depending on the setting.
As a method for defining the SBOX table information, a configuration capable of safety evaluation for differential cryptanalysis and linear cryptanalysis is selected. As a configuration capable of safety evaluation, cryptographic algorithms MISTY and Hiercrypt are generally known as configurations that can be mathematically proved in safety. As a configuration of this embodiment, an operation on a Galois field such as MISTY is also known. The SBOX configuration constituted by is adopted.

By setting as described above, the configuration of the data randomizing unit in the 64-bit input / output block cipher algorithm can be determined. In this description, the key schedule part defined by a general block cipher algorithm is not described, but it can be set by a method similar to the setting method of the data randomization part.

From the cryptographic design information set by the cryptographic design data input unit (101) as described above, the cryptographic security verification unit (107) verifies the security of the designed cryptographic algorithm. The security verification unit performs security verification by a calculation method of a security evaluation index set for each combination pattern of cryptographic design parts prepared in advance. In the present embodiment, since it is a safety evaluation of a 64-bit input / output block cipher algorithm, it is possible to carry out a security verification regarding an exhaustive search method, a differential cryptanalysis method, and a linear cryptanalysis method. The configuration shown in FIG. 5 is obtained by converting the cryptographic algorithm MISTY into a simple configuration as a configuration that can be mathematically proved to be safe, and can be similarly evaluated for differential cryptanalysis and linear cryptanalysis. is there. The maximum average differential probability that is the safety evaluation index of the differential cryptanalysis is ^2-56 , and the maximum average linear probability that is the safety evaluation index of the linear cryptanalysis is ^2-56 .

The cryptographic design information verified by the cryptographic security verification unit (107) as described above is converted into an executable encryption program by the system-installed cryptographic logic conversion unit (102). Conversion to an encryption program by calling a function call corresponding to the encryption design part prepared in advance using the encryption design information and setting the set bit information, SBOX table information, and bit replacement replacement information of the encryption design information I do. At this time, when a function function is defined in the selected cryptographic design part, a function for recursively calling a function call corresponding to the function is also set in advance.

Next, using the converted encryption program, the CPU model name and clock frequency used in the system, available memory (ROM, RAM) size, and usage set from the system operating environment input unit (103) A cryptographic module is generated using a module configuration that takes the conditions into account as a compilation condition.
In the present embodiment, the number of combinations of cryptographic design information that can be set in the cryptographic design data input unit (101) is limited when compared with the first embodiment, but the Feistel type of the overall basic configuration is limited. The number of stages and input / output sizes, the number of stages and input / output sizes of the modified Feistel type of the internal function, the number of stages and input / output sizes of the modified Feistel type of the internal function, and the number of selection candidates for the SBOX table information inside it There are variable parameters. The combination pattern of the cryptographic design parts prepared in the cryptographic design data input unit (101) can also be configured by combining Feistel type, modified Feistel type, and SPN type in addition to the MISTY configuration of this embodiment. Therefore, it is difficult to uniquely identify a cryptographic algorithm designed by a cryptographic designer using a cryptographic algorithm design device and a cryptographic module automatic generation device.
In addition, since a cryptographic designer can generate a cryptographic module using a cryptographic algorithm design device and a cryptographic module automatic generation device, a general system user does not need to know the details of the cryptographic algorithm and blackens the cryptographic module. Can be used in a box. Since this is a preventive measure that prevents easy analysis of the cryptographic algorithm, an effect of improving the security of the system can be obtained.

Embodiment 3 FIG.
In the present embodiment, another configuration when a function capable of converting the secret key data size to be used and the input data size is added is shown below.
FIG. 6 shows a configuration example of a cryptographic module generation apparatus capable of converting the secret key size and the input data size according to the present embodiment, and FIG. 10 is a flowchart showing a processing flow of the present embodiment.
In FIG. 6, the encryption design information set in the encryption design data input unit (101) in the first embodiment shown in FIG. 1 is added to the secret key data information conversion unit (601) and the input data information conversion unit (602). Thus, as a cryptographic module interface, a function of converting different input information into secret key data and input data used in the internal cryptographic algorithm is added.
The cryptographic design data input unit (101), system-installed cryptographic logic conversion unit (102), system operating environment selection unit (103), cryptographic processing performance determination unit (105), and cryptographic module output unit (106) in FIG. The same as FIG. In this embodiment, the cryptographic design data input unit (101), the secret key data information conversion unit (601), and the input data information conversion unit (602) are configured as a part of the cryptographic module generation device. You may comprise as a part of encryption algorithm design apparatus except the process relevant to design of this.

In FIG. 6, a secret key data information conversion unit (601) receives the cipher design information set by the cipher design data input unit (101), and uses the cipher key data size (n bits) used in the internal cipher algorithm. And the secret key data size (m bits) disclosed in the interface part of the cryptographic module is set. Also, a method for converting m-bit secret key data input from the interface of the cryptographic module into n-bit secret key data used in the internal encryption algorithm is set, and the system-installed cryptographic logic conversion unit (102) is set. Output.
For example, the designer inputs the values of n and m using the cryptographic design data input unit (101). The conversion method may be input by the designer using the cryptographic design data input unit (101), or the designer may select from several methods prepared in advance.
As a conversion method from m-bit data to n-bit data, for example, as shown in FIG. 12, the left end is a very simple method such as enabling upper n-bit data (1220) of m-bit data (1210). As shown in FIG. 13, a selection information table (1300) for selecting n-bit information from the m-bit data (1310) for each bit is defined (on n-bit data). A number of bits (1301a) and the number of bits (1301b) on m-bit data), and conversion to n-bit data (1320) based on the information table (1300) There is.

In FIG. 6, an input data information conversion unit (602) receives the cryptographic design information set by the cryptographic design data input unit (101) as an input, and sets an initial value data size (n bits) used in the internal cryptographic algorithm. The initial value data size (m bits) disclosed in the interface portion of the cryptographic module is determined. Also, a method for converting m-bit initial value data input from the cryptographic module interface into n-bit initial value data used in the internal cryptographic algorithm, and n-bit output data used in the internal cryptographic algorithm The m-bit output data output from the interface of the encryption module is set and output to the system-installed encryption logic conversion unit (102).
The values of n and m are input by, for example, a designer using the cryptographic design data input unit (101) as in the secret key data information conversion unit (601). The conversion method may be input by the designer using the cryptographic design data input unit (101), or the designer may select from several methods prepared in advance.
As a conversion method from m-bit data to n-bit data, in the same manner as the secret key data information conversion unit (601), for example, from a very simple method such as enabling upper n-bit data of m-bit data, There is a method of defining a selection information table for selecting information from m bits to n bits for each bit and performing conversion based on the information table.
As a conversion method from n-bit data to m-bit data, a method of reversing the conversion method from m-bit data to n-bit data and filling a portion corresponding to a bit deleted at the time of input with a random number There is.
The processing flow of the present embodiment will be described with reference to FIG. Basically, it is the same as FIG. 8 used in the description of the processing flow in the description of the first embodiment. For example, the data size (m bits) of the secret key disclosed as the interface of the cryptographic module by the designer When the data size (n bits) of the secret key used in the internal encryption algorithm is set in the encryption design data input unit (101) (S1001), Initial value data, output data size (m bits), input data used in an internal encryption algorithm, initial value data, and data size of output data (n bits) are set in the encryption design data input unit (101) ( S1002) is newly added. In this embodiment, the data handled by the secret key data information conversion unit (601) and the data handled by the input data information conversion unit (602) are the same m bits and n bits. Good.
Conventionally, the initial value data size and the encryption key data size disclosed in the interface part of the cryptographic module are the same as those used for the internal cryptographic algorithm. However, as described in the present embodiment, by having the secret key data information conversion unit and the input data information conversion unit, the data length disclosed as the interface of the cryptographic module is changed to the internal encryption. By making the value different from the data length used in the algorithm, it is possible to improve the cryptographic security of the cryptographic module.

Embodiment 4 FIG.
In the present embodiment, as in the third embodiment, another configuration when a function capable of converting the secret key data size to be used and the input data size is added will be described below.
FIG. 7 shows a configuration example of a cryptographic module generating apparatus with security verification capable of converting the secret key size and the input data size according to the present embodiment, and FIG. 11 is a flowchart showing the flow of the present embodiment.
7, the secret key data information conversion of FIG. 6 used for the description in the third embodiment is applied to the cryptographic design information set in the cryptographic design data input unit (101) in the second embodiment shown in FIG. The function (601) and the input data information conversion unit (602) add a function of converting different input information into secret key data and input data used in the internal encryption algorithm as an interface of the encryption module.
The cryptographic design data input unit (101), cryptographic security verification unit (401), system-installed cryptographic logic conversion unit (102), system operating environment selection unit (103), cryptographic processing performance determination unit (105), and The cryptographic module output unit (106) is the same as in FIG. In this embodiment, the cryptographic design data input unit (101), the cryptographic security verification unit (401), the secret key data information conversion unit (601), and the input data information conversion unit (602) are included in the cryptographic module generation device. Although it is configured as a part, it may be configured as a part of a cryptographic algorithm design apparatus separately from processing related to the design of the cryptographic algorithm.

In FIG. 7, the secret key data information conversion unit (601) receives the cipher design information set by the cipher design data input unit (101), and uses the cipher key data size (n bits) used in the internal cipher algorithm. And the secret key data size (m bits) disclosed in the interface part of the cryptographic module is set. Also, a method for converting the m-bit secret key data input from the cryptographic module interface into the n-bit secret key data used in the internal encryption algorithm is set and output to the cryptographic security verification unit (107). .
For example, the designer inputs the values of n and m using the cryptographic design data input unit (101). The conversion method may be input by the designer using the cryptographic design data input unit (101), or the designer may select from several methods prepared in advance.
As a conversion method from m-bit data to n-bit data, as shown in FIG. 12, for example, as shown in FIG. 12, the upper n-bit data (1220) of m-bit data (1210) is validated. From a method of enabling only n bits from the left end as a very simple method, as shown in FIG. 13, a selection information table (1300) for selecting n-bit information from m-bit data (1310) for each bit is created. Definition (number bit (1301a) on n-bit data and number bit (1301b) on m-bit data) and n-bit data (1320) based on the information table (1300) There is a method such as converting to.

In FIG. 7, the input data information conversion unit (602) receives the cryptographic design information set by the cryptographic design data input unit (101) as an input, and sets the initial value data size (n bits) used in the internal cryptographic algorithm. The initial value data size (m bits) disclosed in the interface portion of the cryptographic module is determined. Also, a method for converting m-bit initial value data input from the cryptographic module interface into n-bit initial value data used in the internal cryptographic algorithm, and n-bit output data used in the internal cryptographic algorithm The m-bit output data output from the cryptographic module interface is set and output to the cryptographic security verification unit (401).
The values of n and m are input by, for example, a designer using the cryptographic design data input unit (101) as in the secret key data information conversion unit (601). The conversion method may be input by the designer using the cryptographic design data input unit (101), or the designer may select from several methods prepared in advance.
As a conversion method from m-bit data to n-bit data, in the same manner as the secret key data information conversion unit (601), for example, from a very simple method such as enabling upper n-bit data of m-bit data, There is a method of defining a selection information table for selecting information from m bits to n bits for each bit and performing conversion based on the information table.
As a conversion method from n-bit data to m-bit data, a method of reversing the conversion method from m-bit data to n-bit data and filling a portion corresponding to a bit deleted at the time of input with a random number There is.
The processing flow of this embodiment will be described with reference to FIG. Basically, it is the same as FIG. 9 used in the description of the processing flow in the description of the second embodiment. For example, the data size (m bits) of the secret key disclosed as an interface of the cryptographic module by the designer When the data size (n bits) of the secret key used in the internal encryption algorithm is set in the encryption design data input unit (101) (S1001), Initial value data, output data size (m bits), input data used in an internal encryption algorithm, initial value data, and data size of output data (n bits) are set in the encryption design data input unit (101) ( S1002) is newly added. In this embodiment, the data handled by the secret key data information conversion unit (601) and the data handled by the input data information conversion unit (602) are the same m bits and n bits. Good.
Conventionally, the initial value data size and the encryption key data size disclosed in the interface part of the cryptographic module are the same as those used for the internal cryptographic algorithm. However, as described in the present embodiment, by having the secret key data information conversion unit and the input data information conversion unit, the data length disclosed as the interface of the cryptographic module is changed to the internal encryption. By making the value different from the data length used in the algorithm, it is possible to improve the cryptographic security of the cryptographic module.
In addition, by adding a function capable of verifying the security of encryption, it is possible to construct a cryptographic module generation apparatus with safety verification that can be used even by users who are not familiar with encryption design technology.

Claims (3)

Based on required performance information of encryption processing in a system designed using an encryption function, an encryption design data input unit for inputting design information of an encryption algorithm used in the system, and based on operating environment information of the system System operating environment selection section for selecting source code,
Based on the design information input by the cryptographic design data input unit, a system-installed cryptographic logic conversion unit that converts the source code selected by the system operating environment selection unit into a cryptographic module;
A cryptographic processing performance determination unit that determines whether or not the cryptographic module satisfies a system requirement condition of cryptographic processing performance of a system in which the cryptographic module converted by the system mounting cryptographic logic conversion unit is mounted;
And a cryptographic module output unit configured to output the cryptographic module when the cryptographic processing performance determination unit determines that the system requirement is satisfied. Having a cryptographic security analysis unit for evaluating the cryptographic security of the design information,
The system-installed cryptographic logic conversion unit converts the source code selected by the system operating environment selection unit into the cryptographic module based on the security evaluation result by the cryptographic security analysis unit and the design information. The cryptographic module generation apparatus according to claim 1, wherein: A secret key data information conversion unit for converting secret key data input to the cryptographic module into secret key data used in the internal cryptographic algorithm;
Input data and initial value data input to the encryption module are converted into data input by the internal encryption algorithm, and output data output from the internal encryption algorithm is output from the encryption module And having an input data information conversion unit for converting to output data,
The system-installed cryptographic logic conversion unit is a source selected by the system operating environment selection unit based on the design information and the data converted by the secret key data information conversion unit and the input data information conversion unit. The cryptographic module generation apparatus according to claim 1, wherein the code is converted into the cryptographic module.

Images