JP3401207B2 - Substitution substitution device and program recording medium thereof - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a substitution character replacing device mainly used in encryption technology and its program recording medium.

[0002]

2. Description of the Related Art Encryption technology is effective for concealing data. There are common key cryptography and public key cryptography as the encryption method. In common key cryptography, the same key is used on the cipher creation side and the cipher decryption side, and this key is secretly managed. On the other hand, in public key cryptography, the key for ciphertext creation and the key for ciphertext decryption are different, and it is widely believed that even if the key for ciphertext creation is made public, the other key cannot be obtained within a realistic time. Has been.

A method of dividing data to be encrypted into blocks of an appropriate length and encrypting each block in order to construct a high-speed and secure common key encryption is called a block cipher. A typical configuration of the DES encryption as such an encryption method is shown in, for example, "Ikeno, Koyama:" Modern Cryptography ", The Institute of Electronics and Communication Engineers, pp. 41-62, 1986".

Many common key ciphers, including this DES cipher, are composed of a combination of substitution and permutation. Substitution substitution is a fairly broad concept, but in recent years due to the demand for software implementation. Substitution substitution of the form is often used. Here, all the operations are performed on the ring R and the replacement is performed. Then, the substitution is s _j : R → R (j = 1, 2, ..., N). In other words, consider the product of matrices as permutation.

The substitution substitution shown in the equation (1) is described in the document "V.
Rijmen, et al .: “The Cipher SHARK”, Fast Softwar
e Encryption-Third International Workshop, Lectur
e Notes in Computer Science 1039, pp. 99-111, Sp
Ringer-Verlag, 1996 ”(hereinafter referred to as“ reference S ”) is also used in the SHARK cipher. In the document S, There is also shown a method of efficiently calculating the equation (1) by pre-calculating the output value of the function SP _{j represented} by (j = 1, 2, ..., N) in a memory or the like.

In addition, in a cipher that uses substitution substitution, substitution may not be performed at the end of the process and only substitution may be used. That is, The process of is also necessary for cryptographic implementation. If the size of R is smaller than the word length, which is the basic unit of calculation in the computer, in a straightforward implementation, after calculating each s _j (x _j ), s
The calculated value of _j (x _j ) needs to be moved to the correct place in the vector. In this case, in the same way as the example of the formula (1), If the table is preliminarily calculated such that the positions are adjusted so that the positions other than the j-th position will be 0, the position adjustment process becomes unnecessary.

[0007]

The calculation of substitution substitution shown in the above-mentioned document S requires a large number of memory references,
It also requires a large amount of memory. An object of the present invention is to provide a substitution character replacing device that reduces the number of memory references and the required memory amount.

[0008]

The actual substitution substitution does not have the general form shown in the equation (1) but has the following properties in many cases.・ Some of p _ij and s _j are common ・ Even if the input and output lines are exchanged, this exchange can be absorbed in other parts without changing the processing speed, and the algorithm can be equivalently converted. By storing the element of R ^{n in} the register that stores the word that is the basic unit of calculation of
It is realized in a recent processor as typified by the MMX instruction implemented in the Intel processor, or the operation for each element of R ⁿ is realized by a logical product that can be executed by most processors. Since R is often used, it is considered a realistic assumption.

The present invention utilizes these characteristics to reduce the number of memory references and the memory requirement. That is, according to the present invention, the substitution substitution on the ring R p _ij ∈ R, s _j : R → R i = 1,2, ..., m j = 1,2, ..., n if some of p _ij are equal or some of s _j are equal, permutation By rearranging the rows of the matrix P that expresses, the vector v _l εR ^r on R required when performing substitution substitution (v _l has a dimension r of m or less, and individual vectors have different dimensions). And the function S _k : R
→ The result of previously calculating R ^r (where k = 1, 2, ..., N, r ≦ m) is stored in the storage means, and S _k is read from the storage means for the input x _i to obtain the vector S _k. The calculation result of (x _i ) is obtained, a set of vectors {v _l } required to form the k-th column of the matrix P is read out from the storage means, and a vector u _k is created, and u _k ◇ S _k (x _i ) (⋄ is a product for each vector element) and these are added to obtain a data string y _i .

[0010]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below. Since most of the actual substitution substitutions use a field as R, we limit R to a unitary ring (including the multiplicative identity element 1). Further, in each example, for simplification of the description, the calculation of the equation (1) is p _ij ε {0, 1}, and the case where all s _j are the same will be described. If there are multiple types of s _j or p _ij
When there are some values other than 0 and 1, if there are some equal values, the efficiency is lower than that of the following example, but the processing can be performed more efficiently than the conventional method shown in document S. First Example Consider a case where the formula (1) is calculated. In equation (2), if s _j are all s, Can be written. Here, ◇ represents the product of each element of the vector.

If S is calculated in advance by this formula and stored in the memory, the formula (1) is obtained from x ₁ to obtain the value of S.
It can be seen that the equation (1) can be calculated with n times of memory reference for x _n , n times of element-wise product of the vector for executing ◇, and n−1 times of addition of n vertical vectors. Conventionally, SP _{1 to} SP _n are stored, but since only S is stored in this embodiment, the storage amount becomes 1 / n. Second Example In an environment where the unit of calculation is smaller than R ^{<(m + 1) / 2>} (<(m +
1) / 2> is the maximum integer less than or equal to (m + 1) / 2), and consider the case of calculating equation (1). The following example can be applied to a general P, but for the sake of clarity, E2 encryption (for example, "Kanda et al .:" Proposal of 128-bit block cipher E2 "", IEICE, Information Security Research Group,
Matrix used in ISEC98-12 ") Consider applying the present invention to the substitution substitution. Here, the horizontal line in the matrix of equation (4) is included for ease of viewing. Also note that the E2 cipher also requires a final substitution without substitution.

In order to realize the substitution substitution using this P according to the policy of Document S, there are four types of vertical vectors of each four elements of the upper half of the partial matrix of P, including one 0, and the lower half of The left four sub-matrices are also four types that include one zero, and the four four to the right are four types that include two zeros. Therefore Needs to be calculated.

In this case, the memory amount required to store #R elements of R ⁴ (where # is the number of elements of the set) is one unit (hereinafter, the unit of memory amount is all in accordance with this definition). ─────────────────── Required memory 12 Number of table references for substitution substitution processing 16 Number of additions for substitution substitution processing 14 ─────────── ─────────

In this embodiment, the calculation order is changed by replacing the rows of P. To change. The vertical and horizontal lines in the above matrix are entered for the sake of easy understanding of the description below, and have no special meaning. According to this change, the required table is 4 including one 0.
In addition to four types of vertical vectors of elements, there are two zeros, ones only, and ones only, but ones containing one is used for replacement. Is also used for substituting. Therefore, the table to be stored is Since the memory references and additions corresponding to x ₀ , x ₁ , x ₂ , x ₃ can be made common, the required memory amount is required. ──────────────────── 10 Number of table references for substitution substitution process 12 Number of additions for substitution substitution process 11 ───────────────────── , The total number of additions can be reduced. Where y on the left side
_It should be noted that the sequence of _i (0 ≦ i ≦ 7) does not cause performance degradation as described in the section “Means for solving the problem”. Third Embodiment Similar to the second embodiment, the environment where the unit of calculation is smaller than R ^{<(m + 1) / 2>} and the shift operation is performed. Consider a case where Expression (1) is calculated in an environment in which, for example, can be executed at high speed.

Further, as in the second embodiment, a general P can be applied in the following example, but E2 is used for the sake of simplicity.
Consider the matrix P (see equation (3)) and substitution substitution (see equation (4)) used in cryptography. Similar to the second embodiment, in this embodiment, the calculation order is changed by replacing each row of P. , The required tables are x ₄ , x ₅ , x
_The memory reference is used as it is for y ₀ , y ₁ , y ₃ , and y ₂ in the portions corresponding to ₆ and x ₇ , and y ₆ , y ₇ , y ₅ , and
For y ₄ , by shifting the results of memory references at y ₀ , y ₁ , y ₃ , y ₂ by lower 1, lower 2, upper 1, upper 2 elements, respectively, that is, the upper right submatrix of P From the left
The first vertical vector from the left of the lower right submatrix is obtained by element-shifting the second vertical vector by the lower one, and the second vertical vector from the left of the upper right submatrix is shifted by the lower two elements to the right. The second vertical vector from the left of the lower submatrix is obtained, and the third and fourth vertical vectors from the left of the upper right submatrix are similarly shifted to the left of the lower right submatrix by shifting the upper 1 and upper 2 elements, respectively. Using the fact that the 3rd and 4th vertical vectors can be obtained from, And the k element up shift operation is SU _k , and the k element down shift operation is SD _k , Can be calculated. Further, the memory references and additions corresponding to x ₀ , x ₁ , x ₂ , x ₃ can be made common as in the second embodiment, so that ─────────────────── ── Required memory 8 Number of table references for substitution substitution processing 8 Number of additions for substitution substitution processing 11 Number of shifts for substitution substitution processing 4 ──────────────────── Compared with the method of Document S, the memory amount, the number of references, and the number of additions can all be reduced. Also in this embodiment, it should be noted that the arrangement of y _i (0 ≦ i ≦ 7) on the left side does not cause performance degradation as described in the section “Means for solving the problem”. Fourth Embodiment In this case as well, general P can be applied, but the matrix P (see equation (3)) and substitution substitution (see equation (4)) used in the E2 cipher are standard for the sake of clarity. Consider the case defined for R, which is the number 2.

As in the third embodiment, the rows of P are replaced with each other. To get

Here, the upper and lower right submatrixes of the above matrix Holds. Note that we are considering a ring of characteristic 2 as R here.

At this time, similarly to the third embodiment, If you prepare the table in advance, from formula (5) Can be calculated. In this case: ─────────────────────────── Substitution substitution table reference count (calculation of SP _j ) 8 Substitution substitution addition count ( Calculation of +) 9 Number of shifts in substitution substitution processing (calculation of SU and SD) 2 ───────────────────────────── and the third The number of additions and the number of shifts can be reduced more than in the embodiment. Fifth Embodiment Depending on the processor, the lower k element rotation calculation RD _k (x) = SD _k (x) + SU _nk (x) for n elements may be used in addition to the shift calculations SU and SD.

In this case, in the fourth embodiment, RD is used for the calculation of equation (6), Can be In this case: ─────────────────────────── Table reference count of substitution substitution (calculation of SP _j ) 8 Addition count of substitution substitution (Calculation of ±) 8 Rotation number of substitution processing (calculation of RD) 1 ───────────────────────────── and the fourth implementation The number of additions and the like can be further reduced compared to the example.

The functional configuration of the first embodiment is shown in FIG. Entering
Input data x by force means 11_iIs x in the storage device 12_i
V stored in the storage area 13 and stored in the storage device 12._kStorage area
Replace vector v with 14_k∈ R^rIs stored, and S_kCase
Substitution function S in storage area 15_kIs stored. Further w_k
Vector w for work in storage area 16_kIs stored
The work parameter k is stored in the k storage area 17. Calculation
K is initialized to 0 by the k initialization means 19 in the device 18.
And S_kThe input data x is calculated by the calculation means 21. _iBy
S_kThe storage area 15 is read and the vector S_k(X_i)of
The calculation result is w_kAs w_kIt is stored in the storage area 16.
From storage means 12 v_kAnd w_kIs read and these
The product of each element is v_k◇ S_kCalculated by the calculation means 22,
According to the calculation result, w_kWill be updated. k updating means 2
By 3, the k in the k storage area 17 is incremented by 1 and updated.
S_kComputing means 21, v_k◇ S_kComputing means 22, k update hand
The stages 23 are sequentially operated until k = n, and the storage device 12
Each w in_kAre read out, their sum is calculated, and
The calculation result is output by the output means 25.

In the functional configuration corresponding to the second embodiment, as shown in FIG. 2 by giving the same numbers to the portions corresponding to FIG. 1, SP is used instead of the v _k storage area 14 and the S _k storage area 15.
_{A k} storage area 31 is provided, in which SP _k is stored,
SP _k calculation means 32 outputs SP according to the input data x _i.
The result of calculating _k (x _i ) is obtained and stored in the area 16 as a vector w _k . Others are the same as in FIG.

In the one corresponding to the third embodiment,
The shift means 33 performs shift processing on the read SP _k (x _i ) and the shifted SP _k (x _i )
Is stored in the area 16 as a vector w _k .

[0023]

As described above, according to the present invention, it is possible to reduce the amount of memory required for calculating substitution substitution and the number of times of memory access, and to perform high-speed processing.

[Brief description of drawings]

FIG. 1 is a block diagram showing a functional configuration of an embodiment of the present invention.

FIG. 2 is a block diagram showing a functional configuration of another embodiment of the present invention.

Continuation of the front page (56) Reference JP-A-60-167062 (JP, A) The Cipher SHARK, Right Notes in Computer Science, March 11, 1996, Vol. 1039, p. 99-111 (58) Fields surveyed (Int.Cl. ⁷ , DB name) G09C 1/00 610 JISST file (JOIS)

Claims (5)

(57) [Claims] 1. Substitution substitution on the ring R In the substitution-substitution device that substitute-substitutes the input data string x _j and outputs the data string y _i , the same function SP _lj (x _j ) below is increased by the matrix P
Multiply each element in column j of the matrix in which the rows of are rearranged by s _j (x _j ).
Function to calculate [Equation 2] (However, t: {1,2, ..., m} → {1,2, ...
, M} is a permutation, ql and rl are natural numbers of 1 or more and n or less, and ql ≦ rl) is stored, and n is stored.
Vectors w _k εR ^m , storage means for storing the integer k, input means for storing the input data string x _j in the storage means, k initialization means for setting the integer k to 0, and storage in the storage means K update means for updating the stored k to k + 1, and read the input data x _k from the storage means, and each l (l = l
1, 2, ..., b (j) , b (j) is 1 or more and m or less
SP _lj (x _k ) for the natural number ) is read from the storage means, the calculation results are concatenated so as to correspond to the rearranged k-th column of P to form an m-dimensional vector, and this is stored in the storage means as w _k. SP _k calculation means for updating w _k , k stored in the storage means, and control means for sequentially operating the SP _k calculation means and k update means until k = n, and stored in the storage means A substitution substituting device comprising an output means for reading out each w _k , calculating the sum of them, and outputting the sum. 2. The read vector SP _k (x _i )
Substitution substitution apparatus according to claim 1, characterized in that it comprises a shift operation means for updating the w _k stored in the shift to the storage means in its longitudinal direction vertical vector of. 3. The read several vector SPs
means for determining the sum vector sum calculated in _lj (x _k), with respect to the partial sum vector obtained in the course of calculating the sum vector, shea longitudinally in different amounts for each the column vector <br / > Means for performing a vertical operation to obtain a plurality of vertical vectors, means for adding a plurality of these vertical vectors and the above sum vector to obtain an addition vector, and a method for connecting the above addition vector and the above sum vector as an m-dimensional vector substitution substitution apparatus according to claim 1, further comprising a means for outputting. 4. The read several vector SPs
means for calculating the sum vector by calculating the sum of _lj (x _k ), and means for vertically calculating the partial sum vector obtained during the calculation of the sum vector to obtain a vertical vector, means for obtaining a sum vector by adding the vector and the sum vector, substitution replacement device according to claim 1, characterized in that it has a means for outputting the m-dimensional vector connecting the add vector and the sum vector . 5. A substitution device according to any one of claims 1 to 4.
A program for making a computer function as an exchange device.
A computer-readable recording medium in which a program is recorded.