JP2016157055A - Encryption system, authentication system, encryption device, decryption device, authenticator generation device, verification device, encryption method, and authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve a processing speed by providing novel means processing A before implementing a substitution computation f for the first time.SOLUTION: An encryption system of the present invention includes an encryption device and a decryption device. The encryption device is configured to: select N; embed the N in a rate part; generate an encryption initial value of a b-bit by embedding K in a capacity part; substitute the bit having the K embedded in an exclusive OR between a bit having the K of the encryption initial value embedded and a |K|-bit in bit additional authentication data; and let a result substituted by f be a state. The decryption device is configured to: embed the N in the rate part; generate a decryption initial value of a b-bit by embedding the K in the capacity part; substitute the bit having the K embedded in an exclusive OR between a bit having the K of the decryption initial value embedded and the |K|-bit in bit additional authentication data; and let a result substituted by f be the state.SELECTED DRAWING: Figure 5

Description

  The present invention relates to an encryption system for executing authentication encryption with additional authentication data, an encryption device, a decryption device, an encryption method, an authentication system for executing authentication of a message, an authenticator generation device, a verification device, and an encryption method. , Relating to the authentication method.

  The authentication encryption with additional authentication data is a common key encryption primitive that performs concealment of the message M and authentication (falsification detection) of M and the additional authentication data A at the same time. It consists of two functions, an encryption function and a decryption function. In the additional authentication data authentication encryption, the receiver and the sender share a secret key K in advance. In addition to the message M and the additional authentication data A, the sender selects a value N (called nonce) that changes every time the encryption function is called. The encryption function generates a ciphertext C and a tag T corresponding to M, A, and N, and sends a set of (C, T, A, N) to the receiver. The recipient receives (C, T, A, N), but at this point there is no guarantee that these values have not been tampered with by a malicious third party. The receiver calculates the decryption function using the received (C, T, A, N) and K held by the receiver. The decryption function calculates a message M ′ and a tag T ′. If the calculated T ′ and the received T are the same value, it is determined that the received (C, T, A, N) is a correct value, and M ′ is output as a decoded message. If T ≠ T ′, a result indicating that decoding has failed (data has been altered) is output.

  SPONGEWRAP described in Non-Patent Document 1 is a configuration method of an encryption function and a decryption function of an authentication encryption. The encryption function and the decryption function are configured using a relatively large size replacement (bijective map) compared to the security level (number of bits) to be guaranteed.

<SPONGEWRAP>
The encryption function of SPONGEWRAP uses b-bit data called a state, b-bit replacement f: {0, 1} ^b → {0, 1} ^b , input data (N, A, M), and key K. Then, C and T are calculated while repeatedly updating. The b-bit state is divided into r bits called rate and c (= b−r) bits called capacity. When calculating the encryption function, the value of the state is initialized to a predetermined b-bit value called an initial value IV (for example, IV = 0), the b-bit is replaced by f, and the state is updated. The The specific calculation procedure of the encryption function is as described in the following procedure 1 to procedure 4. Fig. 1 shows the calculation structure of SPONGEWRAP encryption.

<Procedure 1>
The key K is divided every r−1 bits. In the final block, a padding process called 10 * padding is performed. Specifically, when the bit length of the last block is shorter than r−1 bits, a 1-bit value “1” is given, and then a bit “0” is given until r−1 bits. When the bit length of the final block is exactly r−1 bits, a 1-bit value “1” is given as the first bit of the next block, and then a bit “0” is given until r−1 bits. .

  A 1-bit value called a frame bit is concatenated with each value obtained by dividing K by r−1 bits to make r bits. Specifically, the frame bit is set to “0” from the first block to the block immediately before the final block, and the frame bit is set to “1” only for the final block. For the r bits in the rate portion of the b-bit state, the exclusive OR of K and the r-bit value obtained by concatenating the frame bits is calculated, and the permutation f is calculated. The output of f is a new state value. This operation is continued until the last block of K is exclusive ORed. Since this process can be performed in advance, the procedure up to step 1 may be called initialization.

<Procedure 2>
The nonce N and the additional authentication data A are concatenated and divided every r−1 bits. 10 * padding is applied to the final block. A frame bit of 1 bit is concatenated to each value obtained by dividing the concatenation of N and A every r−1 bits to make r bits. Specifically, the frame bit is set to “0” from the first block to the block immediately before the final block, and the frame bit is set to “1” only for the final block. In the b-bit state, the exclusive OR of N or A and the r-bit value obtained by concatenating the frame bits is calculated for the r bit of the rate part, and the permutation f is calculated. The output of f is a new state value. This operation is continued until the final blocks of N and A are exclusive ORed.

<Procedure 3>
The message M is divided every r-1 bits. 10 * padding is applied to the final block. A frame bit of 1 bit is concatenated to each value obtained by dividing the concatenation of M every r−1 bits to make r bits. Specifically, the frame bit is set to “1” from the first block to the block immediately before the final block, and the frame bit is set to “0” only for the final block.

  For the r bits in the rate portion of the b-bit state, an exclusive OR of M and the r-bit value obtained by concatenating the frame bits is calculated. The calculated r bits are output as the r bits of the ciphertext. The permutation f is calculated for the state, and the output of f is set as a new state value. This operation is continued until the final block of M is exclusive ORed. If the size of M is not a multiple of r, the last block outputs only the fractional part as ciphertext and performs an exclusive OR with the state.

<Procedure 4>
Among the b bit states, the r bit of the rate part is output as the r bit of the tag. The permutation f is calculated for the state, and the output of f is set as a new state value. This operation is continued until the number of bits of the tag is reached. If the tag length is not a multiple of r, the output of the last r bits is rounded down to the required fraction and used as the tag output.

<Decryption>
SPONGEWRAP's decryption function performs almost the same calculation as the encryption function. FIG. 2 shows a calculation structure in the decoding of SPONGEWRAP. The state is initialized to IV, and the same processing as the procedure 1 and 2 of the encryption function is performed. The procedure 3 is different from the encryption function. In the b-bit state, the exclusive OR of the r bits of the rate part and the r bits of C is obtained, and the value obtained through the reverse procedure of padding and frame bit assignment is expressed as M. The r-1 bit of '. Of the b-bit states, replace the r bits of the rate part with the r bits of C, and calculate the permutation f. The output of f is a new state value. This operation is continued until the final block of C is exclusive ORed. When the size of the final block of C is not a multiple of r, only the fraction is used for generating M ′ and replacing the state. After the procedure 3 is completed, the same processing as the procedure 4 of the encryption function is performed to obtain a tag T ′. The calculated T ′ is compared with the received T, and if it is the same value, M ′ is output as a decoded message. If they do not match, a result indicating that decoding has failed is output.

<DonkeySponge>
The donkeySponge shown in Non-Patent Document 2 is a method for calculating a message authentication code using the additional authentication data processing part of SPONGEWRAP. Fig. 3 shows the calculation structure of donkeySponge. For the purpose of generating the message authentication code, even if the key K and the input A are exclusively ORed with all the bits of the b bit state, the input data can be processed efficiently without impairing the security.

<MonkeyDuplex>
The monkeyDuplex shown in Non-Patent Document 2 is a method that allows more efficient calculation by adding ingenuity to the K and N processing methods of SPONGEWRAP. The capacity part of c bits of IV is made up to c bits of K. Alternatively, an exclusive OR of up to K c bits and a separately defined c bit constant is used as a capacity portion of IV c bits. In any method, the calculation function of f can be reduced in the procedure 1 (K processing) with the encryption function and the decryption function, so that the calculation efficiency increases. If K is less than c bits, all c bits of IV are defined by appropriate padding.

  Further, the rate part of IV r bits is defined up to N r bits. Alternatively, the exclusive OR of up to N r bits and a separately defined r bit constant is used as the rate portion of IV r bits. Since the calculation function of f in the procedure 2 can be reduced, the calculation efficiency increases. If N is less than r bits, all r bits of IV are defined by appropriate padding. Figure 4 shows the state initialization and K and N processing by monkeyDuplex.

<Nonce stealing>
Unlike SPONGEWRAP, nonce stealing shown in Non-Patent Document 3 is a method for more efficiently processing additional authentication data A using an authentication encryption with additional authentication data designed based on block encryption. In the block cipher-based authentication cipher with additional authentication data, the block cipher is frequently calculated using the nonce N as plain text (initial value). At this time, the length of N is often smaller than plain text. In nonce stealing, the number of A bits processed after this can be reduced by embedding A data in this surplus space.

Guido Bertoni, Joan Daemen, Michael Peeters and Gilles Van Assche, “Duplexing the Sponge: Single-Pass Authenticated Encryption and Other Applications”, SAC 2011, (eds.) Ali Miri and Serge Vaudenay, LNCS, Vol. 7118, pages 320- 337, Springer, 2012. Guido Bertoni, Joan Daemen, Michael Peeters and Gilles Van Assche, “Permutation-based encryption, authentication and authenticated encryption”, Workshop Records of DIAC 2012. Phillip Rogaway, “Authenticated-encryption with associated-data”, ACM CCS 2002, (ed.) Vijayalakshmi Atluri, pages 98-107, ACM, 2002.

  If the concept of nonce stealing is adopted in SPONGEWRAP, the data of A can be filled in the surplus space of the initial value IV. Therefore, in FIG. 4, the number of bits of A processed after this can be reduced by putting A data in the pad portion. However, in the existing authentication encryption technology with additional authentication data, there is only nonce stealing as a means for processing A before performing the first replacement operation f.

  The present invention improves processing speed by providing a new means for processing A before performing the first replacement operation f.

  The encryption system of the present invention has an encryption device and a decryption device for authentication encryption with additional authentication data. First, K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits Is a bit string excluding a bit string of “0”, r, c, b are integers of 1 or more, b = r + c, f is a b-bit replacement operation, and || is a symbol indicating the number of bits. Further, the state is a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part. The encryption apparatus selects N, embeds N in the rate part, and embeds K in the capacity part to generate an initial value for b-bit encryption, and the bit in which the initial value K for encryption is embedded And an initial value setting unit for encryption in which the result obtained by substituting K is replaced with the exclusive OR of | K | It is characterized by. The encryption device treats the bit string A ′ formed by the bits not used in the initial value setting unit for encryption in the additional authentication data A as additional authentication data, obtains the ciphertext C and the tag T, and obtains C, T , A, N are output. The decoding device generates a b-bit initial value for decoding by embedding N in the rate part and embedding K in the capacity part, and includes the bit embedded in the initial value for decoding and the additional authentication data A A decoding initial value setting unit having a result obtained by replacing the bit in which K is embedded in an exclusive OR with | K | The decryption apparatus treats the bit string A ′ of the bits not used in the decryption initial value setting unit in the additional authentication data A as the additional authentication data, decrypts the message M ′, and generates the tag T ′. And the tag T ′.

  The authentication system of the present invention includes an authenticator generation device and a verification device. K is a secret key shared by both the authenticator generation device and the verification device, A is data to be authenticated, T is a tag, K and A are bit strings, b is an integer of 1 or more, and f is a b-bit replacement operation . The state is a bit string of b bits. The authenticator generation device generates a b-bit generation initial value by embedding K, and sets the result obtained by replacing the exclusive OR of the generation initial value and the b bit in the data A with f as a state. An initial value setting unit for generation is provided. The authenticator generation device treats a bit string A ′ formed by bits not used in the generation initial value setting unit in the data A as data to be authenticated, and uses the state obtained by the generation initial value setting unit. A tag T is obtained and a set of T and A is output. The verification device generates a b-bit verification initial value by embedding K, and uses the result obtained by replacing the exclusive OR of the verification initial value and the b bit in the data A with f as a state. And an initial value setting unit. The verification device handles the bit A ′ that is not used in the verification initial value setting unit in the data A as data to be authenticated, and generates a tag T ′ using the state obtained by the verification initial value setting unit. The tag T and the tag T ′ are compared.

  The calculation cost of exclusive OR is negligibly small compared to the calculation cost of the bit replacement operation f. According to the encryption system and the authentication system of the present invention, since a part of data to be authenticated is used in the calculation of exclusive OR when performing initialization (before performing the first replacement operation f), the bit The number of replacement operations f can be reduced. Therefore, the processing speed can be improved.

The figure which shows the calculation structure in the encryption of SPONGEWRAP. The figure which shows the calculation structure in the decoding of SPONGEWRAP. The figure which shows the calculation structure of donkeySponge. The figure which shows the initialization of the state by monkeyDuplex, and the process of K and N. FIG. 3 is a diagram illustrating a functional configuration example of the encryption system according to the first embodiment. FIG. 3 is a diagram illustrating an example of a calculation structure in encryption according to the first embodiment. FIG. 6 is a diagram illustrating an example of a calculation structure in decoding according to the first embodiment. FIG. 3 is a diagram illustrating a processing flow of the encryption apparatus according to the first embodiment. FIG. 3 is a diagram illustrating a processing flow of the decoding apparatus according to the first embodiment. FIG. 10 is a diagram illustrating an example of a calculation structure in encryption according to the first modification. The figure which shows the example of the calculation structure in the decoding of Example 1 modification 1. FIG. FIG. 6 is a diagram illustrating a functional configuration example of an authentication system according to a second embodiment. FIG. 10 is a diagram illustrating an example of a calculation structure in authenticator generation according to the second embodiment. FIG. 10 is a diagram illustrating an example of a calculation structure in verification of the second embodiment. The figure which shows the processing flow of the authenticator production | generation apparatus of Example 2. FIG. The figure which shows the processing flow of the verification apparatus of Example 2. FIG.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the structure part which has the same function, and duplication description is abbreviate | omitted.

FIG. 5 shows a functional configuration example of the encryption system according to the first embodiment. FIG. 6 is a diagram illustrating an example of a calculation structure in encryption according to the first embodiment, and FIG. 7 is a diagram illustrating an example of a calculation structure in decryption according to the first embodiment. FIG. 8 is a processing flow of the encryption apparatus according to the first embodiment, and FIG. 9 is a diagram illustrating a processing flow of the decryption apparatus according to the first embodiment. The encryption system according to the first embodiment includes an encryption device 100 and a decryption device 200 connected via a network 800. First, K is a secret key shared by both the encryption device 100 and the decryption device 200, A is additional authentication data, M is a message, C is a ciphertext, and T is a tag. K, A, M, C, T, and N are represented by bit strings. N is a bit string excluding a bit string in which all bits are “0”. Tag T is determined in advance the number of bits L _T. r, c, b, P, Q, S are integers of 1 or more, b = r + c, p is an integer of 1 to P, q is an integer of 1 to Q, S is a predetermined integer of 1 or more, s Is an integer from 1 to S, f is a b-bit permutation operation, and || is a symbol indicating the number of bits. Further, the state is a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part.

  A feature of the encryption device 100 according to the first embodiment is an initial value setting unit 110. The initial value setting unit 110 selects N, embeds N in the rate portion, and embeds K in the capacity portion, thereby generating an initial value of b bits. Then, after replacing the bit embedded with K with an exclusive OR of the bit embedded with the initial value K and the | K | bit in the additional authentication data A, the result of replacement with f is the state. . The other components of the encryption device 100 may have the same configuration as the conventional one, or may have some improvements. The encryption device 100 treats the bit string A ′ formed by bits not used by the initial value setting unit 110 in the additional authentication data A as additional authentication data, obtains the ciphertext C and the tag T, and obtains C, T, A set of A and N is output. “Exclusive OR” is an exclusive OR of each bit, and is an operation for performing an exclusive OR of bits at the same position. For example, the result of the exclusive OR of the bit string “10100” and the bit string “00110” is “10010”.

  The feature of the decoding device 200 of the first embodiment is also the initial value setting unit 210. The initial value setting unit 210 generates a b-bit initial value by embedding N in the rate portion and embedding K in the capacity portion. Then, after replacing the bit in which K is embedded with the exclusive OR of the bit in which K is embedded and the | K | bit in the additional authentication data A, the result of replacement with f is defined as a state. The other components of the decoding device 200 may have the same configuration as the conventional one, or a configuration with some improvement. The decryption apparatus 200 treats the bit string A ′ of the bits not used by the initial value setting unit 210 in the additional authentication data A as additional authentication data, decrypts the message M ′, and generates the tag T ′. And the tag T ′.

<Encryption device>
An example in which the above-described features are applied to the prior art shown in FIG. 1 is an encryption device 100 shown in FIGS. The encryption apparatus 100 illustrated in FIG. 5 includes an initial value setting unit 110, an additional authentication data division unit 120, a message division unit 130, an additional authentication data calculation unit 140, an encryption unit 150, a tag calculation unit 160, and an output unit 190. Prepare.

  As described above, the initial value setting unit 110 selects N, embeds N in the rate portion, and embeds K in the capacity portion, thereby generating an initial value of b bits. Then, after replacing the bit embedded with K with an exclusive OR of the bit embedded with the initial value K and the | K | bit in the additional authentication data A, the result of replacement with f is the state. (S110). “Embedding” means, for example, that when the number of bits of N is smaller than r, it is converted to r bits by padding and made into a rate portion. f is the same as the replacement described in SPONGEWRAP, and is determined in advance between the encryption device 100 and the decryption device 200. It may be combined with the concept of nonce stealing. That is, the following processing may be further performed. In the process of embedding N in the rate part, the initial value setting unit 110 sets the (r− | N |) bits and N in the additional authentication data A and N as the rate part when | N | In the process of embedding K in the city part, when | K | is smaller than c, another (c− | K |) bit and K in the additional authentication data A are used as the capacity part, and exclusive OR The | K | bit used in the calculation may be a bit that is not used for generating the initial value. In this case, “the bit string A ′ formed by bits not used in the initial value setting unit 110 in the additional authentication data A” means the (r− | N |) bits used for the rate portion and the capacity portion. This is a bit string formed by bits other than the (c− | K |) bits used and the | K | bits used for exclusive OR. In FIG. 6, a portion surrounded by a dotted line with 110 corresponds to the initial value setting unit.

In the example of FIG. 6, the additional authentication data dividing unit 120 divides the bit string A ′ treated as additional authentication data into additional authentication data blocks a ₁ ′,..., A _Q ′ for each r bits using padding ( S120). As padding, for example, 10 * padding may be used. Further, it may be divided after being padded so as to be an integral multiple of r, or may be divided so as to be r bits after being divided for each bit number smaller than r. In FIG. 6, a portion surrounded by a dotted line with 120 corresponds to the additional authentication data dividing unit.

The message dividing unit 130 divides the message M into message blocks m ₁ ,..., M _P every r bits using padding (S130). As padding, for example, 10 * padding may be used. In FIG. 6, a part surrounded by a dotted line marked with 130 corresponds to a message dividing part.

The additional authentication data calculation unit 140 calculates the exclusive OR with the additional authentication data block a _q ′ for the rate part of the state, and further changes the result of replacement with f to a new state from q = 1. Repeat until q = Q (S140). In FIG. 6, a portion surrounded by a dotted line marked with 140 corresponds to an additional authentication data calculation unit.

Encryption unit 150, an exclusive OR of the message block m _p calculated for rate portion of the state, the calculation result with a cipher block d _p of r bits, the rate portion of the state to the calculation result After the replacement, the process of setting the result replaced by f as a new state is repeated from p = 1 to p = P. Then, the ciphertext C is obtained by using the combination processing of the cipher blocks d ₁ ,..., D _P (S150). “Determining ciphertext C using the combining process” means simply combining the cipher blocks d ₁ ,..., D _P into the ciphertext C, and combining and removing the padding portion to obtain the ciphertext C It is meant to include. In FIG. 6, a portion surrounded by a dotted line with 150 corresponds to the encryption unit.

Tag calculation section 160 obtains tag T from the rate portion of the state when S = 1. If S ≧ 2, the rate portion of the state is the tag block t ₁ . Further in the case of S ≧ 2, the results of the state has been replaced by f as a new state, the process of the rate portion and tag block t _s, repeated from s = 2 to s = S. The tag block _t 1, ..., determine the tag T using _{t S} (S160). For S = 1, to the rate portion may be directly tag T, may be a tag T by only the cut-out number of bits L _T from the rate portion. For S ≧ 2, for example, tag block t _1, ..., may be set as the tag T a result of coupling the t _S, tag block t _1, ..., than the number of bits L _T from the result obtained by combining the t _S truncated more bits (cut out the number of bits L _T min) or as a tag T. Further, after cutting out a predetermined bit from each tag block t _s, or as a tag T attached to them. Note, S is, it is sufficient to set in advance so as r × S is equal to or greater than the number of bits L _T of the tag T. In FIG. 6, a part surrounded by a dotted line with 160 corresponds to the tag calculation unit. The output unit 190 outputs a set of C, T, A, and N (S190). The set of C, T, A, and N output is transmitted to the decoding device 200.

<Decoding device>
An example in which the above-described features are applied to the prior art shown in FIG. 2 is a decoding device 200 shown in FIGS. 5 includes an initial value setting unit 210, an additional authentication data division unit 220, a ciphertext division unit 230, an additional authentication data calculation unit 240, a decryption unit 250, a tag calculation unit 260, a verification unit 270, and an input. Part 290. The input unit 290 acquires a set of C, T, A, and N transmitted from the encryption device 100 (S290).

  As described above, the initial value setting unit 210 embeds N in the rate part and embeds K in the capacity part to generate a b-bit initial value. The bit embedded with K is replaced with the exclusive OR of the bit embedded with K and the | K | bit in the additional authentication data A, and the result of replacement with f is set as a state (S210). . It may be combined with the concept of nonce stealing. That is, the following processing may be further performed. In the process of embedding N in the rate part, the initial value setting unit 210 sets the (r− | N |) bit and N in the additional authentication data A and N as the rate part when | N | In the process of embedding K in the city part, when | K | is smaller than c, another (c− | K |) bit and K in the additional authentication data A are used as the capacity part, and exclusive OR The | K | bit used in the calculation may be a bit that is not used for generating the initial value. In this case, “the bit string A ′ formed by bits not used in the initial value setting unit 210 in the additional authentication data A” is the (r− | N |) bits used for the rate portion and the capacity portion. This is a bit string formed by bits other than the (c− | K |) bits used and the | K | bits used for exclusive OR. In FIG. 7, a portion surrounded by a dotted line marked with 210 corresponds to an initial value setting unit.

In the example of FIG. 7, the additional authentication data dividing unit 220 divides the bit string A ′ treated as additional authentication data into additional authentication data blocks a ₁ ′,..., A _Q ′ for each r bits using padding ( S220). In FIG. 7, a portion surrounded by a dotted line with 220 corresponds to the additional authentication data dividing unit.

The ciphertext dividing unit 230 divides the ciphertext C into cipher blocks d ₁ ,..., D _P every r bits (S230). When the number of bits of the ciphertext C is not an integer multiple of r, the ciphertext C may be divided into r-bit cipher blocks by padding. In FIG. 7, a portion surrounded by a dotted line with 230 corresponds to the ciphertext dividing unit.

The additional authentication data calculation unit 240 calculates an exclusive OR with the additional authentication data block a _q ′ for the rate part of the state, and further changes the result replaced with f to a new state q = 1. To q = Q (S240). In FIG. 7, a portion surrounded by a dotted line denoted by 240 corresponds to an additional authentication data calculation unit.

The decryption unit 250 calculates an exclusive OR with the cipher block d _p for the rate part of the state, sets the calculation result to an r-bit message block m _p ′, and uses the rate part of the state as the cipher block d _p. The process of replacing with f and setting the result of replacement with f as a new state is repeated from p = 1 to p = P. The “exclusive OR” here is also an exclusive OR of each bit, and is an operation for performing an exclusive OR of bits at the same position. Then, a message M ′ is obtained by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding (S250). In FIG. 7, a part surrounded by a dotted line with 250 corresponds to a decoding unit.

The tag calculation unit 260 obtains the tag T ′ from the rate portion of the state when S = 1. When S ≧ 2, the rate portion of the state is the tag block t ₁ ′. In the case of S ≧ 2, the process of replacing the state with f as a new state and setting the rate part as the tag block t _s ′ is repeated from s = 2 to s = S. The tag block _{t 1 ', ..., t S} ' Request tag T 'using (S260). In FIG. 7, a portion surrounded by a dotted line denoted by 260 corresponds to a tag calculation unit. The verification unit 270 compares the tag T with the tag T ′ (S270). The decoding device 200 sets the message M ′ as a decoded message when T = T ′. When T ≠ T ′, a result indicating that decoding has failed is output.

<Effect>
The calculation cost of exclusive OR is negligibly small compared to the calculation cost of the bit replacement operation f. According to the encryption system of the present invention, when initialization is performed (before the first replacement operation f), a part of the data to be authenticated is used in the exclusive OR calculation, so that the bit replacement operation is performed. The number of times f can be reduced. Therefore, the processing speed can be improved.

[Modification 1]
In Example 1, the example which applied the initial value setting part which is the characteristics of this invention to the prior art shown in FIG. However, the configuration other than the initial value setting units 110 and 210 need not be limited to the configuration of FIGS. As described above, the encryption apparatus 100 obtains the ciphertext C and the tag T by treating the bit string A ′ formed by the bits not used by the initial value setting unit 110 in the additional authentication data A as additional authentication data. , C, T, A, and N may be output. Further, the decryption apparatus 200 treats the bit string A ′ of the bits not used by the initial value setting unit 210 in the additional authentication data A as additional authentication data, performs the decryption of the message M ′ and the generation of the tag T ′, The tag T and the tag T ′ may be compared.

  FIG. 10 shows an example of the calculation structure in the encryption of this modification, and FIG. 11 shows an example of the calculation structure in the decryption of this modification. The functional configuration example of the encryption system is the same as in FIG. 5, the processing flow of the encryption device is the same as in FIG. 8, and the processing flow of the decryption device is the same as in FIG. The processing contents differ from the first embodiment in the additional authentication data division unit 120, the additional authentication data calculation unit 140, the encryption unit 150, the additional authentication data division unit 220, the additional authentication data calculation unit 240, and the decryption unit 250. The processing of the other components is the same.

In the example of FIG. 10, the additional authentication data dividing unit 120 converts the bit string A ′ treated as additional authentication data into additional authentication data blocks a ₁ ′,..., A _Q ′ for each b bit using 10 * 1 padding. Divide (S120). The 10 * 1 padding is padding in which the first and last bits are “1” and the remaining bits are “0”. In FIG. 10, a portion surrounded by a dotted line with 120 corresponds to the additional authentication data dividing unit.

The additional authentication data calculation unit 140 calculates an exclusive OR with the additional authentication data block a _q ′ for the state (b bits), and further sets the result of replacing with f as a new state, q = 1 To q = Q (S140). In FIG. 10, a portion surrounded by a dotted line marked with 140 corresponds to an additional authentication data calculation unit.

  The encryption unit 150 performs the following processes (1) to (3) (S150). In FIG. 10, a portion surrounded by a dotted line with 150 corresponds to the encryption unit.

(1) the exclusive OR of the message block m _p calculated for rate portion of the state, the calculation result with a cipher block d _p of r bits, on the rate portion of the state is replaced with the calculated results The process in which the result of replacement by f is used as a new state is repeated from p = 1 to p = P-1.

(2) An exclusive OR with the message block m _P is calculated for the rate part of the state, the calculation result is an r-bit cipher block d _P, and the rate part of the state is replaced with the calculation result. The c bit of the city portion is treated as a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, and the result of replacement by f is set as a new state. Incidentally, g is the multiplication on a finite field with a predetermined constant other than 1 as the original and 0 of the finite field of integers of 0 to 2 c ^-1.

(3) The ciphertext C is obtained using the combination processing of the cipher blocks d ₁ ,..., D _P. “Determining ciphertext C using the combining process” means simply combining the cipher blocks d ₁ ,..., D _P into the ciphertext C, and combining and removing the padding portion to obtain the ciphertext C It is meant to include.

In the example of FIG. 11, the additional authentication data dividing unit 220 converts the bit string A ′ treated as additional authentication data into additional authentication data blocks a ₁ ′,..., A _Q ′ for each b bit using 10 * 1 padding. Divide (S220). In FIG. 11, a portion surrounded by a dotted line with 220 corresponds to the additional authentication data dividing unit.

The additional authentication data calculation unit 240 calculates the exclusive OR of the additional authentication data block a _q ′ with respect to the state (b bits), and further changes the result replaced with f to a new state q = Repeat from 1 to q = Q (S240). In FIG. 11, a portion surrounded by a dotted line denoted by 240 corresponds to an additional authentication data calculation unit.

  The decryption unit 250 performs the following processes (1) to (3) (S250). In FIG. 11, a part surrounded by a dotted line with 250 corresponds to a decoding unit.

(1) An exclusive OR with the cipher block d _p is calculated for the rate part of the state, the calculation result is an r-bit message block m _p ′, and the rate part of the state is replaced with the cipher block d _p In addition, the process of setting the result replaced with f as a new state is repeated from p = 1 to p = P-1.

(2) An exclusive OR with the cipher block d _P is calculated for the rate part of the state, and the calculation result is an r-bit message block m _P ′, and the rate part of the state is replaced with the cipher block d _P Then, the c bit in the capacity portion is treated as a finite field consisting of integers of 0 to 2 ^c −1, multiplication by g is performed, and the result of replacement by f is set as a new state. g is the same as the constant multiplication on the finite field used in the encryption apparatus 100.

(3) A message M ′ is formed by combining the message blocks m ₁ ′,..., M _P ′ by removing the bits added by padding.

  Even in such a configuration, by applying the initial value setting units 110 and 210, which is a feature of the present invention, when performing initialization (before performing the first replacement operation f) Since part of the data is used, the number of bit replacement operations f can be reduced. That is, the same effect as in the first embodiment can be obtained.

FIG. 12 shows a functional configuration example of the authentication system according to the second embodiment. FIG. 13 is a diagram illustrating an example of a calculation structure in authenticator generation according to the second embodiment. FIG. 14 is a diagram illustrating an example of a calculation structure in verification according to the second embodiment. FIG. 15 is a processing flow of the authenticator generation device according to the second embodiment, and FIG. 16 is a diagram illustrating a processing flow of the verification device according to the second embodiment. The authentication system according to the second embodiment includes an authenticator generation apparatus 300 and a verification apparatus 400 connected via a network 800. First, K is a secret key shared by both the authenticator generation device 300 and the verification device 400, A is data to be authenticated, and T is a tag. K, A, and T are represented by bit strings. Tag T is determined in advance the number of bits L _T. r, c, b, Q, and S are integers of 1 or more, b = r + c, q is an integer of 1 to Q, S is a predetermined integer of 1 or more, s is an integer of 1 to S, and f is b Bit substitution operation, || is a symbol indicating the number of bits. Further, the state is a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part.

  A feature of the authenticator generation device 300 according to the second embodiment is an initial value setting unit 310. The initial value setting unit 310 embeds K, generates a b-bit initial value, and sets the result obtained by replacing the exclusive OR of the initial value and the b-bit in the data A with f. The authenticator generation device 300 treats a bit string A ′ formed by bits not used in the initial value setting unit 310 in the data A as data to be authenticated, and uses the state obtained by the initial value setting unit to generate a tag T And outputs a set of T and A.

  A feature of the verification apparatus 400 according to the second embodiment is an initial value setting unit 410. The initial value setting unit 410 generates a b-bit initial value by embedding K, and sets the result obtained by replacing the exclusive OR of the initial value and the b-bit in the data A with f. The verification apparatus 400 treats the bit A ′ that is not used in the initial value setting unit 410 in the data A as data to be authenticated, generates the tag T ′ using the state obtained by the initial value setting unit 410, and Tag T and tag T ′ are compared.

<Authentication generator>
12 includes an initial value setting unit 310, an authentication data division unit 320, an authentication data calculation unit 340, a tag calculation unit 360, and an output unit 390. As described above, the initial value setting unit 310 generates a b-bit initial value by embedding K, and replaces the exclusive OR of the initial value and the b-bit in the data A with f as a state. (S310). “Embedding” means, for example, when the number of bits of K is smaller than b, b bits are set by padding.

The authentication data dividing unit 320 divides the bit string A ′ treated as data to be authenticated into authentication data blocks a ₁ ′,..., A _Q ′ for every b bits using padding (S320). As padding, for example, 10 * padding may be used. In FIG. 13, a portion surrounded by a dotted line with 320 corresponds to the additional authentication data dividing unit.

The authentication data calculation unit 340 calculates an exclusive OR with the additional authentication data block a _q ′ for the state, and further changes the result of replacement with f to a new state from q = 1 to q = Q (S340). In FIG. 13, a portion surrounded by a dotted line marked with 340 corresponds to an additional authentication data calculation unit.

Tag calculation unit 360 obtains tag T from the rate portion of the state when S = 1. If S ≧ 2, the rate portion of the state is the tag block t ₁ . Further in the case of S ≧ 2, the results of the state has been replaced by f as a new state, the process of the rate portion and tag block t _s, repeated from s = 2 to s = S. The tag block _t 1, ..., determine the tag T using _{t S} (S360). For S = 1, to the rate portion may be directly tag T, may be a tag T by only the cut-out number of bits L _T from the rate portion. For S ≧ 2, for example, tag block t _1, ..., may be set as the tag T a result of coupling the t _S, tag block t _1, ..., than the number of bits L _T from the result obtained by combining the t _S truncated more bits (cut out the number of bits L _T min) or as a tag T. Further, after cutting out a predetermined bit from each tag block t _s, or as a tag T attached to them. Note, S is, it is sufficient to set in advance so as r × S is equal to or greater than the number of bits L _T of the tag T. In FIG. 13, a portion surrounded by a dotted line with 360 corresponds to a tag calculation unit. The output unit 390 outputs a set of T and A (S390). The output T, A pair is transmitted to the verification device 400.

<Verification device>
12 includes an initial value setting unit 410, an authentication data division unit 420, an authentication data calculation unit 440, a tag calculation unit 460, a verification unit 470, and an input unit 490. The input unit 490 acquires the set of T and A transmitted by the authenticator generation device 300 (S490).

  As described above, the initial value setting unit 410 generates a b-bit initial value by embedding K, and replaces the exclusive OR of the initial value and the b-bit in the data A with f as a state. (S410). In FIG. 14, a portion surrounded by a dotted line denoted by 410 corresponds to an initial value setting unit.

The authentication data dividing unit 420 divides the bit string A ′ treated as data to be authenticated into authentication data blocks a ₁ ′,..., A _Q ′ for each b bits using padding (S420). In FIG. 14, a portion surrounded by a dotted line with 420 corresponds to the authentication data dividing unit.

The authentication data calculation unit 440 calculates an exclusive OR with the authentication data block a _q ′ for the state, and further changes the result of replacement with f to a new state from q = 1 to q = Q. Repeat (S440). In FIG. 14, a part surrounded by a dotted line marked with 440 corresponds to the authentication data calculation unit.

Tag calculation unit 460 obtains tag T ′ from the rate portion of the state when S = 1. When S ≧ 2, the rate portion of the state is the tag block t ₁ ′. In the case of S ≧ 2, the process of replacing the state with f as a new state and setting the rate part as the tag block t _s ′ is repeated from s = 2 to s = S. The tag block _{t 1 ', ..., t S} ' Request tag T 'using (S460). In FIG. 14, a portion surrounded by a dotted line denoted by 460 corresponds to a tag calculation unit. The verification unit 470 compares the tag T with the tag T ′ (S470). When T = T ′, information indicating that the authenticator is correct is output. When T ≠ T ′, a result indicating that the authentication has failed is output.

<Effect>
According to the authentication system of the present invention, when initialization is performed (before the first replacement operation f), a part of the data to be authenticated is used in the exclusive OR calculation, so the number of bit replacement operations f Can be reduced. Therefore, the processing speed can be improved.

[Program, recording medium]
The various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. Needless to say, other modifications are possible without departing from the spirit of the present invention.

  Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

100 Encryption device 110, 210, 310, 410 Initial value setting unit 120, 220 Additional authentication data division unit 130 Message division unit 140, 240 Additional authentication data calculation unit 150 Encryption unit 160, 260, 360, 460 Tag calculation unit 190 , 390 Output unit 200 Decryption device 230 Ciphertext division unit 250 Decryption unit 270, 470 Verification unit 290, 490 Input unit 300 Authentication code generation device 320, 420 Authentication data division unit 340, 440 Authentication data calculation unit 400 Verification device 800 Network

Claims (8)

An encryption system having an encryption device and a decryption device for authentication encryption with additional authentication data,
K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is a ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits Is a bit string excluding a bit string of “0”, r, c, b are integers of 1 or more, b = r + c, f is a b-bit replacement operation, || is a symbol indicating the number of bits,
The state is defined as a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part,
The encryption device is:
N is selected, N is embedded in the rate part, and K is embedded in the capacity part to generate an initial value for b-bit encryption, and the bit in which the initial value K for encryption is embedded and additional authentication data A An initial value setting unit for encryption having a result obtained by replacing the bit in which K is embedded in an exclusive OR with | K |
A bit string A ′ formed by bits not used in the initial value setting unit for encryption in the additional authentication data A is treated as additional authentication data to obtain a ciphertext C and a tag T, and C, T, A, N Output a set of
The decoding device
By embedding N in the rate part and embedding K in the capacity part, a b-bit initial value for decoding is generated, and the bit in which K of the initial value for decoding is embedded and | K | bit in the additional authentication data A And an initial value setting unit for decoding in which the result of replacement with f is replaced after replacing the bit embedded with K in the exclusive OR.
Of the additional authentication data A, the bit string A ′ of the bits not used in the initial value setting unit for decryption is treated as additional authentication data, the message M ′ is decoded and the tag T ′ is generated, and the tag T and the tag T 'Encryption system to compare with. An authentication system having an authenticator generation device and a verification device,
K is a secret key shared by both the authenticator generation device and the verification device, A is data to be authenticated, T is a tag, K and A are bit strings, b is an integer of 1 or more, and f is a b-bit replacement operation age,
The state is a bit string of b bits,
The authenticator generation device includes:
A generation initial value for b bits is generated by embedding K, and an initial value setting for generation in which the result obtained by substituting the exclusive OR of the generation initial value and the b bits in data A with f is used as a state. Part
The bit string A ′ formed by bits not used in the generation initial value setting unit in the data A is treated as data to be authenticated, and the tag T is obtained using the state obtained by the generation initial value setting unit. , T, A set,
The verification device includes:
An initial value for verification is generated by embedding K to generate a b-bit initial value for verification and replacing the exclusive OR of the initial value for verification and the b bit in data A with f. Part
The bit A ′ that is not used in the verification initial value setting unit in the data A is treated as data to be authenticated, and the tag T ′ is generated using the state obtained by the verification initial value setting unit. An authentication system for comparing T and tag T ′. K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits. A bit string excluding a bit string of 0 ″, r, c, b are integers of 1 or more, b = r + c, f is a b-bit replacement operation, || is a symbol indicating the number of bits,
The state is defined as a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part,
N is selected, N is embedded in the rate part, and K is embedded in the capacity part to generate an initial value for b-bit encryption, and the bit in which the initial value K for encryption is embedded and additional authentication data A An initial value setting unit for encryption having a result obtained by replacing the bit embedded with K in the exclusive OR with | K |
A bit string A ′ formed by bits not used in the initial value setting unit for encryption in the additional authentication data A is treated as additional authentication data to obtain a ciphertext C and a tag T, and C, T, A, N An encryption device that outputs a set of K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits. A bit string excluding a bit string of 0 ″, r, c, b are integers of 1 or more, b = r + c, f is a b-bit replacement operation, || is a symbol indicating the number of bits,
The state is defined as a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part,
By embedding N in the rate part and embedding K in the capacity part, a b-bit initial value for decoding is generated, and the bit in which K of the initial value for decoding is embedded and | K | bit in the additional authentication data A And a decoding initial value setting unit having a result obtained by substituting the bit embedded with K in the exclusive OR with the result of f.
Of the additional authentication data A, the bit string A ′ of the bits not used in the initial value setting unit for decryption is treated as additional authentication data, the message M ′ is decoded and the tag T ′ is generated, and the tag T and the tag T 'Decryption device to compare with. K is a secret key shared by both the authenticator generation device and the verification device, A is data to be authenticated, T is a tag, K and A are bit strings, b is an integer of 1 or more, and f is a substitution operation of b bits,
The state is a bit string of b bits,
A generation initial value for b bits is generated by embedding K, and an initial value setting for generation in which the result obtained by substituting the exclusive OR of the generation initial value and the b bits in data A with f is used as a state. Characterized by comprising a part,
The bit string A ′ formed by bits not used in the generation initial value setting unit in the data A is treated as data to be authenticated, and the tag T is obtained using the state obtained by the generation initial value setting unit. , T, A authenticator generating device that outputs a set. K is a secret key shared by both the authenticator generation device and the verification device, A is data to be authenticated, T is a tag, K and A are bit strings, b is an integer of 1 or more, and f is a substitution operation of b bits,
The state is a bit string of b bits,
An initial value for verification is generated by embedding K to generate a b-bit initial value for verification and replacing the exclusive OR of the initial value for verification and the b bit in data A with f. Characterized by comprising a part,
The bit A ′ that is not used in the verification initial value setting unit in the data A is treated as data to be authenticated, and the tag T ′ is generated using the state obtained by the verification initial value setting unit. A verification device for comparing T and a tag T ′. An encryption method executed by an encryption device and a decryption device for authentication encryption with additional authentication data,
K is a secret key shared by both the encryption device and the decryption device, A is additional authentication data, M is a message, C is a ciphertext, T is a tag, K, A, and M are bit strings, and N is all bits Is a bit string excluding a bit string of “0”, r, c, b are integers of 1 or more, b = r + c, f is a b-bit replacement operation, || is a symbol indicating the number of bits,
The state is defined as a bit string of b bits in which a predetermined r bit is a rate part and c bit is a capacity part,
The encryption device is
N is selected, N is embedded in the rate part, and K is embedded in the capacity part to generate an initial value for b-bit encryption, and the bit in which the initial value K for encryption is embedded and additional authentication data A An initial value setting step for encryption having a result obtained by substituting the bit embedded with K in the exclusive OR with | K |
A bit string A ′ formed of bits not used in the initial value setting step for encryption in the additional authentication data A is treated as additional authentication data to obtain a ciphertext C and a tag T, and C, T, A, N Output a set of
The decoding device is
By embedding N in the rate part and embedding K in the capacity part, a b-bit initial value for decoding is generated, and the bit in which K of the initial value for decoding is embedded and | K | bit in the additional authentication data A In the exclusive OR, the bit embedded with the K is replaced, and the decryption initial value setting step is executed with the result replaced by f as the state. An encryption method in which a bit string A ′ of bits not used in the step is treated as additional authentication data, the message M ′ is decrypted and a tag T ′ is generated, and the tag T and the tag T ′ are compared. An authentication method executed by an authenticator generation device and a verification device,
K is a secret key shared by both the authenticator generation device and the verification device, A is data to be authenticated, T is a tag, K and A are bit strings, b is an integer of 1 or more, and f is a b-bit replacement operation age,
The state is a bit string of b bits,
The authenticator generating device is
A generation initial value for b bits is generated by embedding K, and an initial value setting for generation in which the result obtained by substituting the exclusive OR of the generation initial value and the b bits in data A with f is used as a state. Perform steps,
A bit string A ′ formed of bits not used in the generation initial value setting step in the data A is treated as data to be authenticated, and the tag T is obtained using the state obtained in the generation initial value setting step. , T, A set,
The verification device is
An initial value for verification is generated by embedding K to generate a b-bit initial value for verification and replacing the exclusive OR of the initial value for verification and the b bit in data A with f. Perform steps,
The bit A ′ not used in the verification initial value setting step in the data A is treated as data to be authenticated, and the tag T ′ is generated using the state obtained in the verification initial value setting step. An authentication method for comparing T and tag T ′.

Images