JP2016157054A - Encryption system, encryption device, decryption device, encryption method, encryption program and decryption program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce the number of computations of a substitution computation f.SOLUTION: An encryption system of the present invention is composed of an encryption device and a decryption device. The encryption device is configured to calculate an exclusive OR between a rate part of a state and a message block m; calculate an exclusive OR between a capacity part of the state and an additional authentication data block a; implement a substitution computation f; and repeat processing for all message blocks and additional authentication data blocks until this processing therefor is ended. A c bit of the capacity part is treated as an element of a finite field to implement multiplication by g, and the c bit is substituted for a bit string obtained by the multiplication. Then, a result obtained by the substitution computation f is used as a new state. A result of the exclusive OR between the above-described rate part and message block mis denoted as an encryption block d, and connection processing of encryption blocks d,..., dis used to obtain a ciphertext C.SELECTED DRAWING: Figure 5

Description

  The present invention relates to an encryption system, an encryption device, a decryption device, an encryption method, an encryption program, and a decryption program that execute authentication encryption with additional authentication data.

  The authentication encryption with additional authentication data is a common key encryption primitive that performs concealment of the message M and authentication (falsification detection) of M and the additional authentication data A at the same time. It consists of two functions, an encryption function and a decryption function. In the additional authentication data authentication encryption, the receiver and the sender share a secret key K in advance. In addition to the message M and the additional authentication data A, the sender selects a value N (called nonce) that changes every time the encryption function is called. The encryption function generates a ciphertext C and a tag T corresponding to M, A, and N, and sends a set of (C, T, A, N) to the receiver. The recipient receives (C, T, A, N), but at this point there is no guarantee that these values have not been tampered with by a malicious third party. The receiver calculates the decryption function using the received (C, T, A, N) and K held by the receiver. The decryption function calculates a message M ′ and a tag T ′. If the calculated T ′ and the received T are the same value, it is determined that the received (C, T, A, N) is a correct value, and M ′ is output as a decoded message. If T ≠ T ′, a result indicating that decoding has failed (data has been altered) is output.

  SPONGEWRAP described in Non-Patent Document 1 is a configuration method of an encryption function and a decryption function of an authentication encryption. The encryption function and the decryption function are configured using a relatively large size replacement (bijective map) compared to the security level (number of bits) to be guaranteed.

<SPONGEWRAP>
The encryption function of SPONGEWRAP uses b-bit data called a state, b-bit replacement f: {0, 1} ^b → {0, 1} ^b , input data (N, A, M), and key K. Then, C and T are calculated while repeatedly updating. The b-bit state is divided into r bits called rate and c (= b−r) bits called capacity. When calculating the encryption function, the value of the state is initialized to a predetermined b-bit value called an initial value IV (for example, IV = 0), the b-bit is replaced by f, and the state is updated. The The specific calculation procedure of the encryption function is as described in the following procedure 1 to procedure 4. Fig. 1 shows the calculation structure of SPONGEWRAP encryption.

<Procedure 1>
The key K is divided every r−1 bits. In the final block, a padding process called 10 * padding is performed. Specifically, when the bit length of the last block is shorter than r−1 bits, a 1-bit value “1” is given, and then a bit “0” is given until r−1 bits. When the bit length of the final block is exactly r−1 bits, a 1-bit value “1” is given as the first bit of the next block, and then a bit “0” is given until r−1 bits. .

  A 1-bit value called a frame bit is concatenated with each value obtained by dividing K by r−1 bits to make r bits. Specifically, the frame bit is set to “0” from the first block to the block immediately before the final block, and the frame bit is set to “1” only for the final block. For the r bits in the rate portion of the b-bit state, the exclusive OR of K and the r-bit value obtained by concatenating the frame bits is calculated, and the permutation f is calculated. The output of f is a new state value. This operation is continued until the last block of K is exclusive ORed. Since this process can be performed in advance, the procedure up to step 1 may be called initialization.

<Procedure 2>
The nonce N and the additional authentication data A are concatenated and divided every r−1 bits. 10 * padding is applied to the final block. A frame bit of 1 bit is concatenated to each value obtained by dividing the concatenation of N and A every r−1 bits to make r bits. Specifically, the frame bit is set to “0” from the first block to the block immediately before the final block, and the frame bit is set to “1” only for the final block. In the b-bit state, the exclusive OR of N or A and the r-bit value obtained by concatenating the frame bits is calculated for the r bit of the rate part, and the permutation f is calculated. The output of f is a new state value. This operation is continued until the final blocks of N and A are exclusive ORed.

<Procedure 3>
The message M is divided every r-1 bits. 10 * padding is applied to the final block. A frame bit of 1 bit is concatenated to each value obtained by dividing the concatenation of M every r−1 bits to make r bits. Specifically, the frame bit is set to “1” from the first block to the block immediately before the final block, and the frame bit is set to “0” only for the final block.

  For the r bits in the rate portion of the b-bit state, an exclusive OR of M and the r-bit value obtained by concatenating the frame bits is calculated. The calculated r bits are output as the r bits of the ciphertext. The permutation f is calculated for the state, and the output of f is set as a new state value. This operation is continued until the final block of M is exclusive ORed. If the size of M is not a multiple of r, the last block outputs only the fractional part as ciphertext and performs an exclusive OR with the state.

<Procedure 4>
Among the b bit states, the r bit of the rate part is output as the r bit of the tag. The permutation f is calculated for the state, and the output of f is set as a new state value. This operation is continued until the number of bits of the tag is reached. If the tag length is not a multiple of r, the output of the last r bits is rounded down to the required fraction and used as the tag output.

<Decryption>
SPONGEWRAP's decryption function performs almost the same calculation as the encryption function. FIG. 2 shows a calculation structure in the decoding of SPONGEWRAP. The state is initialized to IV, and the same processing as the procedure 1 and 2 of the encryption function is performed. The procedure 3 is different from the encryption function. In the b-bit state, the exclusive OR of the r bits of the rate part and the r bits of C is obtained, and the value obtained through the reverse procedure of padding and frame bit assignment is expressed as M. The r-1 bit of '. Of the b-bit states, replace the r bits of the rate part with the r bits of C, and calculate the permutation f. The output of f is a new state value. This operation is continued until the final block of C is exclusive ORed. When the size of the final block of C is not a multiple of r, only the fraction is used for generating M ′ and replacing the state. After the procedure 3 is completed, the same processing as the procedure 4 of the encryption function is performed to obtain a tag T ′. The calculated T ′ is compared with the received T, and if it is the same value, M ′ is output as a decoded message. If they do not match, a result indicating that decoding has failed is output.

<DonkeySponge>
The donkeySponge shown in Non-Patent Document 2 is a method for calculating a message authentication code using the additional authentication data processing part of SPONGEWRAP. Fig. 3 shows the calculation structure of donkeySponge. For the purpose of generating the message authentication code, even if the key K and the input A are exclusively ORed with all the bits of the b bit state, the input data can be processed efficiently without impairing the security.

<MonkeyDuplex>
The monkeyDuplex shown in Non-Patent Document 2 is a method that allows more efficient calculation by adding ingenuity to the K and N processing methods of SPONGEWRAP. The capacity part of c bits of IV is made up to c bits of K. Alternatively, an exclusive OR of up to K c bits and a separately defined c bit constant is used as a capacity portion of IV c bits. In any method, the calculation function of f can be reduced in the procedure 1 (K processing) with the encryption function and the decryption function, so that the calculation efficiency increases. If K is less than c bits, all c bits of IV are defined by appropriate padding.

  Further, the rate part of IV r bits is defined up to N r bits. Alternatively, the exclusive OR of up to N r bits and a separately defined r bit constant is used as the rate portion of IV r bits. Since the calculation function of f in the procedure 2 can be reduced, the calculation efficiency increases. If N is less than r bits, all r bits of IV are defined by appropriate padding. Figure 4 shows the state initialization and K and N processing by monkeyDuplex.

Guido Bertoni, Joan Daemen, Michael Peeters and Gilles Van Assche, “Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications”, SAC 2011, (eds.) Ali Miri and Serge Vaudenay, LNCS, Vol. 7118, pages 320- 337, Springer, 2012. Guido Bertoni, Joan Daemen, Michael Peeters and Gilles Van Assche, “Permutation-based encryption, authentication and authenticated encryption”, Workshop Records of DIAC 2012.

  However, in SPONGEWRAP, the additional authentication data A is processed for every r−1 bits, so the number of replacement operations f increases and is inefficient. Accordingly, an object of the present invention is to reduce the number of operations of the replacement operation f.

The encryption system of the present invention has an encryption device and a decryption device. First, K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits Is a bit string excluding a bit string of “0”, r, c, b, P, and Q are integers of 1 or more, b = r + c, p is an integer of 1 to P, q is an integer of 1 to Q, and S is set in advance A predetermined integer of 1 or more, s is an integer of 1 or more and S or less, f is a b-bit permutation operation, g is a finite field element consisting of integers of 0 to 2 ^c −1, and a predetermined constant other than 0 and 1 And multiplication on a finite field. Further, the state is a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part.

The encryption apparatus includes an initial value setting unit for encryption, a message dividing unit, an additional authentication data dividing unit for encryption, an encryption unit, an encryption tag calculation unit, and an output unit. The encryption initial value setting unit selects N, generates a b-bit encryption initial value using N and K, and sets the result of replacing the encryption initial value with f as a state. The message dividing unit divides the message M into message blocks m ₁ ,..., M _P every r bits using padding. The additional authentication data dividing unit for encryption divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding.

  The encryption unit executes the following (1) to (3) when P = Q.

(1) the exclusive OR of the rate portion of the state and the message block m _p is calculated, replacing the result of the calculation with the cipher block d _p of r bits, the rate portion of the state on the result of the calculation. The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = P-1.

(2) the exclusive OR of the rate portion of the state and the message block m _p is calculated, replacing the result of the calculation with the cipher block d _p of r bits, the rate portion of the state on the result of the calculation. The result of calculating the exclusive OR of the capacity part of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g, and the capacity part is Replace with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(3) The ciphertext C is obtained using the combination processing of the cipher blocks d ₁ ,..., D _P.

  When P> Q, the encryption unit executes the following (1) to (4).

(1) the exclusive OR of the rate portion of the state and the message block m _p is calculated, replacing the result of the calculation with the cipher block d _p of r bits, the rate portion of the state on the result of the calculation. The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = Q.

(2) If P−1 ≧ Q + 1, the exclusive OR of the state rate portion and the message block m _p is calculated, and the result of the calculation is an r-bit cipher block d _p, and the state rate portion Is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = Q + 1 to p = P-1.

(3) an exclusive logical sum of the rate portion of the state and the message block m _P calculated, replacing the result of the calculation together with the cipher block d _P of r bits, the rate portion of the state on the result of the calculation. The c bits of the capacity part are treated as elements of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, and the capacity part is replaced with a bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(4) The ciphertext C is obtained using the combination processing of the cipher blocks d ₁ ,..., D _P.

  The encryption unit executes the following (1) to (4) when P <Q.

(1) the exclusive OR of the rate portion of the state and the message block m _p is calculated, replacing the result of the calculation with the cipher block d _p of r bits, the rate portion of the state on the result of the calculation. The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = P.

(2) If P + 1 ≦ Q−1, the exclusive OR of the capacity portion of the state and the additional authentication data block a _q is calculated, and the capacity portion is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from q = P + 1 to q = Q-1.

(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity Replace the city part with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(4) The ciphertext C is obtained using the combination processing of the cipher blocks d ₁ ,..., D _P.

The encryption tag calculation unit obtains the tag T from the rate portion of the state when S = 1. If S ≧ 2, the rate portion of the state is the tag block t ₁ . Further in the case of S ≧ 2, the results of the state has been replaced by f as a new state, and repeats the processing of the rate portion and tag block t _s from s = 2 to s = S. The tag block _t 1, ..., determine the tag T using _{t S.} The output unit outputs a set of C, T, A, and N.

The decryption apparatus includes an input unit, a decryption initial value setting unit, a ciphertext segmentation unit, a decryption additional authentication data segmentation unit, a decryption unit, a decryption tag calculation unit, and a verification unit. The input unit acquires a set of C, T, A, and N. The initial value setting unit for decoding generates a b-bit initial value for decoding using N and K, and sets the result obtained by replacing the initial value for decoding with f as a state. The ciphertext dividing unit divides the ciphertext C into r-bit cipher blocks d ₁ ,..., D _P. The additional authentication data division unit for decryption divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding.

  The decoding unit executes the following (1) to (3) when P = Q.

(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, and the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p . . The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = P-1.

(2) The exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P. . The result of calculating the exclusive OR of the capacity part of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g, and the capacity part is Replace with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(3) A message M ′ is formed by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.

  When P> Q, the decoding unit executes the following (1) to (4).

(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, and the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p . . The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = Q.

(2) If P−1 ≧ Q + 1, the exclusive OR of the state rate portion and the cipher block d _p is calculated, and the result of the calculation is the r-bit message block m _p ′, and the state rate Replace the part with the cipher block d _p . Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = Q + 1 to p = P-1.

(3) The exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P. . The c bits of the capacity part are treated as elements of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, and the capacity part is replaced with a bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(4) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.

  When P <Q, the decoding unit executes the following (1) to (4).

(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, and the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p . . The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = P.

(2) If P + 1 ≦ Q−1, the exclusive OR of the capacity portion of the state and the additional authentication data block a _q is calculated, and the capacity portion is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from q = P + 1 to q = Q-1.

(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity Replace the city part with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(4) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.

The decryption tag calculation unit obtains the tag T ′ from the rate portion of the state when S = 1. When S ≧ 2, the rate portion of the state is the tag block t ₁ ′. In the case of S ≧ 2, the process of replacing the state with f as a new state and setting the rate portion as the tag block t _s ′ is repeated from s = 2 to s = S. The tag block _{t 1 ', ..., t S} ' Request tag T 'with. The verification unit compares the tag T and the tag T ′.

  In SPONGEWRAP, additional authentication data A and message M are processed in order for every r−1 bits, so a replacement operation f of about | A | / (r−1) + | M | / (r−1) times is performed. There was a need. In the encryption system of the present invention, even if the exclusive OR is calculated for the capacity part, if the result is not known, secure encryption can be realized, and the capacity part and The calculation of the exclusive OR with the additional authentication data A and the calculation of the exclusive OR with the rate part and the message M are performed in parallel. Further, since the processing for the additional authentication data A and the processing for the message M are different, the frame bit necessary for determining whether the data to be processed is the additional authentication data A or the message M is not necessary. Therefore, the additional authentication data A can be processed every c bits, and the message M can be processed every r bits. Therefore, the number of times of performing the replacement operation f can be made approximately equal to the larger of | A | / c and | M | / r. That is, the number of replacement operations f can be reduced. || is a symbol indicating the number of bits in the bit string.

The figure which shows the calculation structure in the encryption of SPONGEWRAP. The figure which shows the calculation structure in the decoding of SPONGEWRAP. The figure which shows the calculation structure of donkeySponge. The figure which shows the initialization of the state by monkeyDuplex, and the process of K and N. The figure which shows the function structural example of the encryption system of this invention. The figure which shows the example of the calculation structure in the case of P = Q in the encryption of this invention. The figure which shows the example of the calculation structure in the case of P> Q in the encryption of this invention. The figure which shows the example of the calculation structure in the case of P <Q in the encryption of this invention. The figure which shows the example of the calculation structure in the case of P = Q in the decoding of this invention. The figure which shows the example of the calculation structure in the case of P> Q in the decoding of this invention. The figure which shows the example of the calculation structure in the case of P <Q in the decoding of this invention. The figure which shows the processing flow of the encryption apparatus of this invention. The figure which shows the processing flow of the decoding apparatus of this invention.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the structure part which has the same function, and duplication description is abbreviate | omitted.

FIG. 5 shows a functional configuration example of the encryption system of the present invention. 6 is a diagram showing an example of a calculation structure in the case of P = Q in the encryption of the present invention, FIG. 7 is a diagram showing an example of a calculation structure in the case of P> Q in the encryption of the present invention, FIG. These are figures which show the example of a calculation structure in the case of P <Q in the encryption of this invention. 7 and 8, the calculation structures of the initial value setting unit 110 and the tag calculation unit 150 are omitted, but the calculation structure is the same as that of FIG. 9 is a diagram showing an example of a calculation structure in the case of P = Q in the decoding of the present invention, FIG. 10 is a diagram showing an example of a calculation structure in the case of P> Q in the decoding of the present invention, and FIG. It is a figure which shows the example of the calculation structure in the case of P <Q in the decoding of invention. 10 and 11, the calculation structure portions of the initial value setting unit 210 and the tag calculation unit 250 are omitted, but the calculation structure is the same as that of FIG. FIG. 12 shows the processing flow of the encryption apparatus of the present invention, and FIG. 13 shows the processing flow of the decryption apparatus of the present invention. The encryption system according to the first embodiment includes an encryption device 100 and a decryption device 200 connected via a network 800. First, a secret key, an additional authentication data A, message M, ciphertext C, tag number of bits T L _T, K, A, M a bit sequence that shares K for both encryption device and the decryption device, N is a bit string excluding a bit string in which all bits are “0”, r, c, b, P, and Q are integers of 1 or more, b = r + c, p is an integer of 1 to P, and q is 1 to Q Integer, S is a predetermined integer of 1 or more, s is an integer of 1 to S, f is a b-bit permutation operation, g is an element of a finite field consisting of integers of 0 to 2 ^c -1 and other than 0 and 1 Let ∥ be a symbol indicating the number of bits in the bit string. Further, the state is a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part.

<Encryption device>
The encryption device 100 includes an initial value setting unit 110, a message division unit 120, an additional authentication data division unit 130, an encryption unit 140, a tag calculation unit 150, and an output unit 190. The initial value setting unit 110 selects N, generates a b-bit initial value using N and K, and sets the result obtained by replacing the initial value with f as a state (S110). For example, the initial value setting unit 110 may embed N in the rate portion and embed K in the capacity portion as the initial value. “Embedding” means, for example, that when the number of bits of N is smaller than r, it is converted to r bits by padding and made into a rate portion. When the number of bits of N is larger than r, r bits may be cut out from N, or converted into r bits using a hash function or the like to be a rate part. f is the same as the replacement described in SPONGEWRAP, and is determined in advance between the encryption device 100 and the decryption device 200. 6-8, the part enclosed with the dotted line which attached | subjected 110 corresponds to an initial value setting part.

The message dividing unit 120 divides the message M into message blocks m ₁ ,..., M _P for each r bits using padding (S120). For padding, 10 * padding may be used. For example, the message block m ₁ ,..., M _P may be generated by padding the message M so that the number of bits is an integer multiple (P times) of r bits and dividing the message M every r bits. P is an integer not lower than | M | / r. 6-8, the part enclosed with the dotted line which attached | subjected 120 corresponds to a message division | segmentation part.

The additional authentication data dividing unit 130 divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding (S130). Similarly, 10 * padding may be used for padding. For example, if additional authentication data blocks a ₁ ,..., A _Q are generated by padding additional authentication data A so that the number of bits is an integer multiple (Q times) of c bits, and dividing every c bits. Good. Q is an integer not lower than | A | / c. 6-8, the part enclosed with the dotted line which attached | subjected 130 corresponds to a message division | segmentation part.

Encryption unit 140 performs a calculation of the exclusive OR of the rate portion of the state and the message block m _p, the calculation of the exclusive OR of the capacity portion of the state and the additional authentication data blocks a _q. The replacement operation f is performed every time this process is repeated until the processes for all message blocks and additional authentication data blocks are completed. Finally, the c bit in the capacity part is treated as an element of a finite field consisting of integers from 0 to 2 ^c −1 and multiplication by g is performed, and the capacity part is replaced with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state. Moreover, the results of the calculation of the exclusive OR of the rate portion and a message block m _p above and cipher block d _p, cipher block d _1, ..., obtaining the ciphertext C by using the coupling process d _P (S140 ). “Exclusive OR” is an exclusive OR of each bit, and is an operation for performing an exclusive OR of bits at the same position. For example, the result of the exclusive OR of the bit string “10100” and the bit string “00110” is “10010”. “Determining ciphertext C using the combining process” means simply combining the cipher blocks d ₁ ,..., D _P into the ciphertext C, and combining and removing the padding portion to obtain the ciphertext C It is meant to include. 6-8, the part enclosed with the dotted line which attached | subjected 140 corresponds to an encryption part.

  The processing of the encryption unit 140 will be described in detail for each of three cases of P = Q, P> Q, and P <Q. When P = Q, the encryption unit 140 executes the following (1) to (3) (see FIG. 6).

(1) the exclusive OR of the rate portion of the state and the message block m _p is calculated, replacing the result of the calculation with the cipher block d _p of r bits, the rate portion of the state on the result of the calculation. The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = P-1.

(2) the exclusive OR of the rate portion of the state and the message block m _p is calculated, replacing the result of the calculation with the cipher block d _p of r bits, the rate portion of the state on the result of the calculation. The result of calculating the exclusive OR of the capacity part of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g, and the capacity part is Replace with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(3) The ciphertext C is obtained using the combination processing of the cipher blocks d ₁ ,..., D _P.

  The encryption unit 140 executes the following (1) to (4) when P> Q (see FIG. 7).

(1) the exclusive OR of the rate portion of the state and the message block m _p is calculated, replacing the result of the calculation with the cipher block d _p of r bits, the rate portion of the state on the result of the calculation. The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = Q.

(If the difference between P and Q is 2 or more) (2) P-1 ≧ Q + 1 if the exclusive OR of the rate portion of the state and the message block m _p is calculated and the result of the calculation of r bits The encryption block d _p is used, and the rate portion of the state is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = Q + 1 to p = P-1. That is, this process is not performed when the difference between P and Q is 1.

(3) an exclusive logical sum of the rate portion of the state and the message block m _P calculated, replacing the result of the calculation together with the cipher block d _P of r bits, the rate portion of the state on the result of the calculation. The c bits of the capacity part are treated as elements of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, and the capacity part is replaced with a bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(4) The ciphertext C is obtained using the combination processing of the cipher blocks d ₁ ,..., D _P.

  The encryption unit 140 executes the following (1) to (4) when P <Q (see FIG. 8).

(1) the exclusive OR of the rate portion of the state and the message block m _p is calculated, replacing the result of the calculation with the cipher block d _p of r bits, the rate portion of the state on the result of the calculation. The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = P.

(2) If P + 1 ≦ Q−1 (if the difference between P and Q is 2 or more), the exclusive OR of the capacity part of the state and the additional authentication data block a _q is calculated to determine the capacity part Replace with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from q = P + 1 to q = Q-1.

(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity Replace the city part with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(4) The ciphertext C is obtained using the combination processing of the cipher blocks d ₁ ,..., D _P.

Tag calculation unit 150 obtains tag T from the rate portion of the state when S = 1. If S ≧ 2, the rate portion of the state is the tag block t ₁ . Further in the case of S ≧ 2, the results of the state has been replaced by f as a new state, and repeats the processing of the rate portion and tag block t _s from s = 2 to s = S. The tag block _t 1, ..., determine the tag T using _{t S} (S150). For S = 1, to the rate portion may be directly tag T, may be a tag T by only the cut-out number of bits L _T from the rate portion. For S ≧ 2, for example, tag block t _1, ..., may be set as the tag T a result of coupling the t _S, tag block t _1, ..., than the number of bits L _T from the result obtained by combining the t _S truncated more bits (cut out the number of bits L _T min) or as a tag T. Further, after cutting out a predetermined bit from each tag block t _s, or as a tag T attached to them. Note, S is, it is sufficient to set in advance so as r × S is equal to or greater than the number of bits L _T of the tag T. 6-8, the part enclosed with the dotted line which attached | subjected 150 corresponds to a tag calculation part. The output unit 190 outputs a set of C, T, A, and N (S190). The set of C, T, A, and N output is transmitted to the decoding device 200.

<Decoding device>
The decryption apparatus 200 includes an input unit 290, an initial value setting unit 210, a ciphertext division unit 220, an additional authentication data division unit 230, a decryption unit 240, a tag calculation unit 250, and a verification unit 260. The input unit 290 acquires a set of C, T, A, and N (S290).

  The initial value setting unit 210 generates a b-bit initial value using N and K, and sets the result obtained by replacing the initial value with f as a state (S210). For example, the initial value setting unit 210 may embed N in the rate part and K in the capacity part as the initial value. 9 to 11, a portion surrounded by a dotted line marked with 210 corresponds to an initial value setting unit.

The ciphertext dividing unit 220 divides the ciphertext C into cipher blocks d ₁ ,..., D _P every r bits (S220). The division into the cipher blocks d ₁ ,..., D _P is the reverse of the combining process performed by the encryption unit 140 of the encryption device 100. 9 to 11, a portion surrounded by a dotted line with 220 corresponds to a message dividing unit.

The additional authentication data dividing unit 230 divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding (S230). For padding, 10 * padding may be used. 9 to 11, a portion surrounded by a dotted line denoted by 230 corresponds to an additional authentication data dividing unit.

In the decryption unit 240, the exclusive OR of the rate part of the state and the cipher block d _p is calculated, the rate part is replaced with the cipher block d _p , and the exclusive of the capacity part of the state and the additional authentication data block a _q Performs logical OR. The replacement operation f is performed every time this process is repeated until the processes for all the encryption blocks and the additional authentication data blocks are completed. Finally, the c bit in the capacity part is treated as an element of a finite field consisting of integers from 0 to 2 ^c −1 and multiplication by g is performed, and the capacity part is replaced with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state. In addition, the result of the exclusive OR between the rate part and the cipher block d _p is the message block m _p ′, and the bits added by padding are removed from the message block m ₁ ′,..., M _P ′. The message M ′ is combined (S240). 9 to 11, a part surrounded by a dotted line with 240 corresponds to a decoding unit.

  The processing of the decoding unit 240 will be described in detail for each of three cases of P = Q, P> Q, and P <Q. When P = Q, the decoding unit 240 executes the following (1) to (3) (see FIG. 9).

(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, and the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p . . The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = P-1.

(2) The exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P. . The result of calculating the exclusive OR of the capacity part of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g, and the capacity part is Replace with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(3) A message M ′ is formed by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.

  When P> Q, the decoding unit 240 executes the following (1) to (4) (see FIG. 10).

(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, and the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p . . The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = Q.

(2) If P−1 ≧ Q + 1 (if the difference between P and Q is 2 or more), the exclusive OR of the rate portion of the state and the cipher block d _p is calculated, and the result of the calculation is expressed as r bits. The message block is m _p ′, and the rate part of the state is replaced with the cipher block d _p . Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = Q + 1 to p = P-1.

(3) The exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P. . The c bits of the capacity part are treated as elements of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, and the capacity part is replaced with a bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(4) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.

  When P <Q, the decoding unit 240 executes the following (1) to (4) (see FIG. 11).

(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, and the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p . . The exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, and the capacity part is replaced with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from p = 1 to p = P.

(2) If P + 1 ≦ Q−1 (if the difference between P and Q is 2 or more), the exclusive OR of the capacity part of the state and the additional authentication data block a _q is calculated to determine the capacity part Replace with the result of the calculation. Thereafter, the result of replacement by f is set as a new state. These processes are repeated from q = P + 1 to q = Q-1.

(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity Replace the city part with the bit string obtained by the multiplication. Thereafter, the result of replacement by f is set as a new state.

(4) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.

The tag calculation unit 250 obtains a tag T ′ from the rate portion of the state when S = 1. When S ≧ 2, the rate portion of the state is the tag block t ₁ ′. In the case of S ≧ 2, the process of replacing the state with f as a new state and setting the rate portion as the tag block t _s ′ is repeated from s = 2 to s = S. The tag block _{t 1 ', ..., t S} ' Request tag T 'using (S250). 9 to 11, a part surrounded by a dotted line with 250 corresponds to a tag calculation unit. The verification unit 260 compares the tag T with the tag T ′ (S260). The decoding device 200 sets the message M ′ as a decoded message when T = T ′. When T ≠ T ′, a result indicating that decoding has failed is output.

<Effect>
In SPONGEWRAP, additional authentication data A and message M are processed in order for every r−1 bits, so a replacement operation f of about | A | / (r−1) + | M | / (r−1) times is performed. There was a need. In the encryption system of the present invention, attention is paid to the fact that even if the exclusive OR operation is performed on the capacity portion, the security of the encryption can be secured if the result is not understood. Then, by performing an operation of g during the processing of the encryption unit 140 and the decryption unit 240, the result is not understood. Therefore, according to the encryption system of the present invention, calculation of exclusive OR of the capacity portion and additional authentication data A and calculation of exclusive OR of the rate portion and message M can be performed in parallel. . Further, since the processing for the additional authentication data A and the processing for the message M are different, the frame bit necessary for determining whether the data to be processed is the additional authentication data A or the message M is not necessary. Therefore, the additional authentication data A can be processed every c bits, and the message M can be processed every r bits. Therefore, the number of times of performing the replacement operation f can be made approximately equal to the larger of | A | / c and | M | / r. That is, the number of replacement operations f can be reduced.

[Program, recording medium]
The various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. Needless to say, other modifications are possible without departing from the spirit of the present invention.

  Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

DESCRIPTION OF SYMBOLS 100 Encryption apparatus 110,210 Initial value setting part 120 Message division part 130,230 Additional authentication data division part 140 Encryption part 150,250 Tag calculation part 190 Output part 200 Decryption apparatus 220 Ciphertext division part 240 Decryption part 260 Verification part 290 input unit 800 network

Claims (6)

An encryption system having an encryption device and a decryption device,
K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is a ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits Is a bit string excluding a bit string of “0”, r, c, b, P, and Q are integers of 1 or more, b = r + c, p is an integer of 1 to P, q is an integer of 1 to Q, and S is set in advance A predetermined integer of 1 or more, s is an integer of 1 or more and S or less, f is a b-bit permutation operation, g is a finite field element consisting of integers of 0 to 2 ^c −1, and a predetermined constant other than 0 and 1 And multiplication on a finite field with
The state is defined as a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part,
The encryption device is:
Selecting N, generating an initial value for b-bit encryption using N and K, and setting an initial value setting unit for encryption in which a result obtained by replacing the initial value for encryption with f is a state;
A message dividing unit that divides the message M into r-bit message blocks m ₁ ,..., M _P using padding;
An additional authentication data division unit for encryption that divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding;
If P = Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = P-1,
(2) Calculate the exclusive OR of the rate part of the state and the message block m _p, and change the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, The result of calculating the exclusive OR of the capacity part of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g, and the capacity part is After replacing with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(3) The ciphertext C is obtained by using the combination processing of the cipher blocks d ₁ ,..., D _P ,
If P> Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = Q,
(2) If P−1 ≧ Q + 1, the exclusive OR of the state rate portion and the message block m _p is calculated, and the result of the calculation is an r-bit cipher block d _p, and the state rate portion Is replaced with the result of the calculation, and the process of replacing the result of f with a new state is repeated from p = Q + 1 to p = P−1.
(3) Calculate the exclusive OR of the rate part of the state and the message block m _P , set the result of the calculation to an r-bit cipher block d _P, and replace the rate part of the state with the result of the calculation, Further, the c bits of the capacity part are treated as elements of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, the capacity part is replaced with a bit string obtained by the multiplication, and f Perform the processing that makes the replacement result a new state,
(4) cipher block _d 1, ..., obtains the encrypted C using a binding process _{d P,}
If P <Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = P,
(2) If P + 1 ≦ Q−1, the exclusive OR of the capacity part of the state and the additional authentication data block a _q is calculated, and the capacity part is replaced with the result of the calculation, and then replaced by f. The process of setting the result as a new state is repeated from q = P + 1 to q = Q−1.
(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity After replacing the city part with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(4) an encryption unit that obtains a ciphertext C using a combination process of cipher blocks d ₁ ,..., D _P ;
For S = 1 obtains the tag T from the rate portion of the state, in the case of S ≧ 2, and the rate portion of the state and tag block t _1, further rate portion of the result of replacing the state by f as a new state repeating the process of the tag block t _s from s = 2 to s = S, tag block t _1, ..., a tag calculation unit for encryption of obtaining a tag T using t _S,
An output unit that outputs a set of C, T, A, and N;
With
The decoding device
An input unit for acquiring a set of C, T, A, and N;
A decoding initial value setting unit that generates a b-bit decoding initial value using N and K, and uses the result obtained by replacing the decoding initial value with f;
A ciphertext dividing unit that divides the ciphertext C into cipher blocks d ₁ ,..., D _P every r bits;
A decryption additional authentication data division unit that divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding;
If P = Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = P-1,
(2) The exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P Further, the result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g to obtain the capacity. The part is replaced with the bit string obtained by the multiplication, and the result of replacement by f is processed as a new state.
(3) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.
If P> Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = Q,
(2) If P−1 ≧ Q + 1, the exclusive OR of the state rate portion and the cipher block d _p is calculated, and the result of the calculation is the r-bit message block m _p ′, and the state rate The process of replacing the part with the cipher block d _p and setting the result replaced with f as a new state is repeated from p = Q + 1 to p = P−1.
(3) Exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P Then, the c bit of the capacity part is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, the capacity part is replaced with a bit string obtained by the multiplication, and f Perform the processing that makes the replacement result a new state,
(4) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.
If P <Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = P,
(2) If P + 1 ≦ Q−1, the exclusive OR of the capacity part of the state and the additional authentication data block a _q is calculated, and the capacity part is replaced with the result of the calculation, and then replaced by f. The process of setting the result as a new state is repeated from q = P + 1 to q = Q−1.
(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity After replacing the city part with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(4) a decoding unit that forms a message M ′ by combining the message blocks m ₁ ′,..., M _P ′ by removing bits added by padding;
When S = 1, the tag T ′ is obtained from the rate portion of the state. When S ≧ 2, the rate portion of the state is set as a tag block t ₁ ′, and the result of replacing the state with f is set as a new state. A tag calculation unit for decoding for obtaining a tag T ′ using the tag blocks t ₁ ′,..., T _S ′ by repeating the process of setting the rate part as the tag block t _s ′ from s = 2 to s = S
An encryption system comprising: a verification unit that compares the tag T and the tag T ′. K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits. Bit string excluding 0 "bit string, r, c, b, P, Q are integers of 1 or more, b = r + c, p is an integer of 1 to P, q is an integer of 1 to Q, and S is predetermined An integer of 1 or more, s is an integer of 1 or more and S or less, f is a b-bit permutation operation, g is an element of a finite field composed of integers of 0 to 2 ^c −1, and predetermined constants other than 0 and 1 Multiply over a finite field,
The state is defined as a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part,
An initial value setting unit that selects N, generates an initial value of b bits using N and K, and uses the result of replacing the initial value with f as a state;
A message dividing unit that divides the message M into r-bit message blocks m ₁ ,..., M _P using padding;
An additional authentication data dividing unit that divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding;
If P = Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = P-1,
(2) Calculate the exclusive OR of the rate part of the state and the message block m _p, and change the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, The result of calculating the exclusive OR of the capacity part of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g, and the capacity part is After replacing with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(3) The ciphertext C is obtained by using the combination processing of the cipher blocks d ₁ ,..., D _P ,
If P> Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = Q,
(2) If P−1 ≧ Q + 1, the exclusive OR of the state rate portion and the message block m _p is calculated, and the result of the calculation is an r-bit cipher block d _p, and the state rate portion Is replaced with the result of the calculation, and the process of replacing the result of f with a new state is repeated from p = Q + 1 to p = P−1.
(3) Calculate the exclusive OR of the rate part of the state and the message block m _P , set the result of the calculation to an r-bit cipher block d _P, and replace the rate part of the state with the result of the calculation, Further, the c bits of the capacity part are treated as elements of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, the capacity part is replaced with a bit string obtained by the multiplication, and f Perform the processing that makes the replacement result a new state,
(4) cipher block _d 1, ..., obtains the encrypted C using a binding process _{d P,}
If P <Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = P,
(2) If P + 1 ≦ Q−1, the exclusive OR of the capacity part of the state and the additional authentication data block a _q is calculated, and the capacity part is replaced with the result of the calculation, and then replaced by f. The process of setting the result as a new state is repeated from q = P + 1 to q = Q−1.
(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity After replacing the city part with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(4) an encryption unit that obtains a ciphertext C using a combination process of cipher blocks d ₁ ,..., D _P ;
For S = 1 obtains the tag T from the rate portion of the state, in the case of S ≧ 2, and the rate portion of the state and tag block t _1, further rate portion of the result of replacing the state by f as a new state the processing for the tag block _{t s} repeatedly from s = 2 to s = S, tag block _t 1, ..., a tag calculation unit which obtains a tag T using _{t S,}
An output unit that outputs a set of C, T, A, and N;
An encryption device comprising: K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits. Bit string excluding 0 "bit string, r, c, b, P, Q are integers of 1 or more, b = r + c, p is an integer of 1 to P, q is an integer of 1 to Q, and S is predetermined An integer of 1 or more, s is an integer of 1 or more and S or less, f is a b-bit permutation operation, g is an element of a finite field composed of integers of 0 to 2 ^c −1, and predetermined constants other than 0 and 1 Multiply over a finite field,
The state is defined as a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part,
An input unit for acquiring a set of C, T, A, and N;
An initial value setting unit that generates a b-bit initial value using N and K and sets the result of replacing the initial value by f as a state;
A ciphertext dividing unit that divides the ciphertext C into cipher blocks d ₁ ,..., D _P every r bits;
An additional authentication data dividing unit that divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding;
If P = Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = P-1,
(2) The exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P Further, the result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g to obtain the capacity. The part is replaced with the bit string obtained by the multiplication, and the result of replacement by f is processed as a new state.
(3) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.
If P> Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = Q,
(2) If P−1 ≧ Q + 1, the exclusive OR of the state rate portion and the cipher block d _p is calculated, and the result of the calculation is the r-bit message block m _p ′, and the state rate The process of replacing the part with the cipher block d _p and setting the result replaced with f as a new state is repeated from p = Q + 1 to p = P−1.
(3) Exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P Then, the c bit of the capacity part is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, the capacity part is replaced with a bit string obtained by the multiplication, and f Perform the processing that makes the replacement result a new state,
(4) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.
If P <Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = P,
(2) If P + 1 ≦ Q−1, the exclusive OR of the capacity part of the state and the additional authentication data block a _q is calculated, and the capacity part is replaced with the result of the calculation, and then replaced by f. The process of setting the result as a new state is repeated from q = P + 1 to q = Q−1.
(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity After replacing the city part with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(4) a decoding unit that forms a message M ′ by combining the message blocks m ₁ ′,..., M _P ′ by removing bits added by padding;
When S = 1, the tag T ′ is obtained from the rate portion of the state. When S ≧ 2, the rate portion of the state is set as a tag block t ₁ ′, and the result of replacing the state with f is set as a new state. the rate portion tag block t _{s 'a} process of repetitive from s = 2 to s = S, tag block t _1', ..., a tag calculation unit which obtains a _'tag T using a' t S,
A decoding device comprising: a verification unit that compares the tag T and the tag T ′. An encryption method using an encryption device and a decryption device,
K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is a ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits Is a bit string excluding a bit string of “0”, r, c, b, P, and Q are integers of 1 or more, b = r + c, p is an integer of 1 to P, q is an integer of 1 to Q, and S is set in advance A predetermined integer of 1 or more, s is an integer of 1 or more and S or less, f is a b-bit permutation operation, g is a finite field element consisting of integers of 0 to 2 ^c −1, and a predetermined constant other than 0 and 1 And multiplication on a finite field with
The state is defined as a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part,
The encryption device is
Selecting N, generating an initial value for b-bit encryption using N and K, and setting the initial value for encryption with the result obtained by replacing the initial value for encryption with f as a state;
A message division step of dividing the message M into message blocks m ₁ ,..., M _P every r bits using padding;
An additional authentication data division step for encryption that divides the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding;
If P = Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = P-1,
(2) Calculate the exclusive OR of the rate part of the state and the message block m _p, and change the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, The result of calculating the exclusive OR of the capacity part of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g, and the capacity part is After replacing with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(3) The ciphertext C is obtained by using the combination processing of the cipher blocks d ₁ ,..., D _P.
If P> Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = Q,
(2) If P−1 ≧ Q + 1, the exclusive OR of the state rate portion and the message block m _p is calculated, and the result of the calculation is an r-bit cipher block d _p, and the state rate portion Is replaced with the result of the calculation, and the process of replacing the result of f with a new state is repeated from p = Q + 1 to p = P−1.
(3) Calculate the exclusive OR of the rate part of the state and the message block m _P , set the result of the calculation to an r-bit cipher block d _P, and replace the rate part of the state with the result of the calculation, Further, the c bits of the capacity part are treated as elements of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, the capacity part is replaced with a bit string obtained by the multiplication, and f Perform the processing that makes the replacement result a new state,
(4) cipher block _d 1, ..., obtains the encrypted C using a binding process _{d P,}
If P <Q,
(1) Calculate the exclusive OR of the rate part of the state and the message block m _p , set the result of the calculation to an r-bit cipher block d _p, and replace the rate part of the state with the result of the calculation, Further, the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is calculated, the capacity portion is replaced with the result of the calculation, and the result of replacement with f is set as a new state. , Repeat from p = 1 to p = P,
(2) If P + 1 ≦ Q−1, the exclusive OR of the capacity part of the state and the additional authentication data block a _q is calculated, and the capacity part is replaced with the result of the calculation, and then replaced by f. The process of setting the result as a new state is repeated from q = P + 1 to q = Q−1.
(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity After replacing the city part with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(4) an encryption step for obtaining a ciphertext C using a combination process of cipher blocks d ₁ ,..., D _P ;
For S = 1 obtains the tag T from the rate portion of the state, in the case of S ≧ 2, and the rate portion of the state and tag block t _1, further rate portion of the result of replacing the state by f as a new state The tag block t _s is repeated from s = 2 to s = S, and the encryption tag calculation step for obtaining the tag T using the tag blocks t ₁ ,..., T _S ,
An output step for outputting a set of C, T, A, and N;
Run
The decoding device is
An input step for obtaining a set of C, T, A, and N;
A decoding initial value setting step of generating a b-bit decoding initial value using N and K, and setting the result obtained by replacing the decoding initial value by f as a state;
A ciphertext dividing step of dividing the ciphertext C into cipher blocks d ₁ ,..., D _P every r bits;
Decryption additional authentication data division step for dividing the additional authentication data A into additional authentication data blocks a ₁ ,..., A _Q for each c bits using padding;
If P = Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = P-1,
(2) The exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P Further, the result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block _ap is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1 and multiplied by g to obtain the capacity. The part is replaced with the bit string obtained by the multiplication, and the result of replacement by f is processed as a new state.
(3) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.
If P> Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = Q,
(2) If P−1 ≧ Q + 1, the exclusive OR of the state rate portion and the cipher block d _p is calculated, and the result of the calculation is the r-bit message block m _p ′, and the state rate The process of replacing the part with the cipher block d _p and setting the result replaced with f as a new state is repeated from p = Q + 1 to p = P−1.
(3) Exclusive OR of the state rate part and the cipher block d _P is calculated, and the result of the calculation is an r-bit message block m _P ′, and the state rate part is replaced with the cipher block d _P Then, the c bit of the capacity part is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, the capacity part is replaced with a bit string obtained by the multiplication, and f Perform the processing that makes the replacement result a new state,
(4) A message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.
If P <Q,
(1) The exclusive OR of the state rate part and the cipher block d _p is calculated, the result of the calculation is an r-bit message block m _p ′, and the state rate part is replaced with the cipher block d _p Further, the exclusive OR of the capacity part of the state and the additional authentication data block _ap is calculated, the capacity part is replaced with the result of the calculation, and the result replaced with f is set as a new state. Is repeated from p = 1 to p = P,
(2) If P + 1 ≦ Q−1, the exclusive OR of the capacity part of the state and the additional authentication data block a _q is calculated, and the capacity part is replaced with the result of the calculation, and then replaced by f. The process of setting the result as a new state is repeated from q = P + 1 to q = Q−1.
(3) The result of calculating the exclusive OR of the capacity portion of the state and the additional authentication data block a _Q is treated as an element of a finite field consisting of integers of 0 to 2 ^c −1, multiplied by g, and the capacity After replacing the city part with the bit string obtained by the multiplication, the result of replacement by f is processed as a new state,
(4) a decoding step of combining the message block m ₁ ′,..., M _P ′ by removing the bits added by padding into a message M ′;
When S = 1, the tag T ′ is obtained from the rate portion of the state. When S ≧ 2, the rate portion of the state is set as a tag block t ₁ ′, and the result of replacing the state with f is set as a new state. A decoding tag calculation step for determining the tag T ′ using the tag blocks t ₁ ′,..., T _S ′ by repeating the process of setting the rate portion as the tag block t _s ′ from s = 2 to s = S;
A verification method for comparing the tag T and the tag T ′.   An encryption program for causing a computer to function as the encryption apparatus according to claim 2. A decoding program for causing a computer to function as the decoding device according to claim 3.

Images