JP4708914B2 - Decryption method - Google Patents

Description

  The present invention relates to a decryption method for receiving and decrypting transmission data scrambled by being encrypted.

  In order to conceal information in communication, there has been known an encryption / decryption method in which transmission information is encrypted, and the original information is obtained by receiving and decrypting the encrypted transmission information. Yes. As such an encryption / decryption method, an encryption algorithm such as DES (Data Encryption Standard) which is a standard method in the United States is known.

By the way, there are various and various cryptographic algorithms, and a method with higher security and higher speed has been developed. As an example of this, the encryption system (MULTI2 system) described in U.S. Pat. No. 4,982,429, U.S. Pat. No. 5,103,479, and JP-A-1-276189 is known. It has been.
In the International Organization for Standardization (ISO), there are encryption schemes registered as ISO9979 / 0009 and encryption usage modes registered as ISO / IEC10116.

In the MULTI2 encryption method, the input data size is 64 bits and the output data size is 64 bits, which is necessary for encryption from a 256-bit system key and a 64-bit data key. A 256-bit work key is generated. Furthermore, the number of encryption stages is a positive integer stage.
A schematic configuration of an encryption algorithm in the MULTI2 system is shown in FIG. In the MULTI2 system, as shown in FIG. 17, a 256-bit work key Kw is generated by performing a cryptographic algorithm operation on a 64-bit data key Ks using a 256-bit system key J. The calculation of the encryption algorithm is executed by the encryption algorithm execution means C. The generated work key Kw is supplied to the encryption algorithm execution means F, and the 64-bit plaintext input thereto is encrypted. Note that the encryption algorithms executed by the encryption algorithm execution means C and the encryption algorithm execution means F are the same encryption algorithm.

Such encryption is a basic encryption algorithm of the MULTI2 system, but with this processing, the distribution of the frequency of appearance of characters or words is statistically processed in advance, and the frequency of the character string pattern of the obtained encrypted text There is a possibility that plain text is estimated by matching with the distribution.
Therefore, there is a method of creating a ciphertext by calculating an exclusive OR of the encrypted 64-bit encryption block and the next input 64-bit input data. A mode in which this method is used for encryption is called a CBC (Cipher Block Chaining) mode. In the encryption algorithm executing means F described above, such a CBC mode encryption algorithm is executed.

In addition, there is a communication method in which a unit of data to be communicated is determined in advance, such as packet communication, but in a block encryption method in which 64 bits are one block, data that cannot be divided by the number of bits of one block When a unit is entered, data will be left over. Therefore, the fraction processing is performed in the OFB (Output Feedback) mode.
In this OFB mode, the fractional part of the data is supplied to the encryption algorithm execution means G and encrypted using a random number. This random number is generated by the encryption algorithm execution means G using the work key Kw. Thereby, it becomes possible to obtain a ciphertext having 64 bits as one block. Note that the CBC mode and OFB mode are called encryption usage modes.

FIG. 18 shows a schematic configuration of a decryption algorithm in the MULTI2 system. As shown in FIG. 18, a 256-bit work key Kw is generated by performing a cryptographic algorithm operation on a 64-bit data key Ks using a 256-bit system key J. The calculation of the encryption algorithm is executed by the encryption algorithm execution means c. The generated work key Kw is supplied to the decryption algorithm execution means f and the input 64-bit ciphertext is decrypted.
The ciphertext encrypted in the OFB mode is supplied to the encryption algorithm executing means g and decrypted by using a random number generated by the encryption algorithm executing means g using the work key Kw. Thereby, a 64-bit plaintext can be obtained by decrypting a 64-bit ciphertext. When the CBC mode is set, the decryption algorithm executing means f executes the CBC mode decryption algorithm.

Here, the encryption usage mode will be described with reference to FIG. 19. FIG. 19A shows a schematic configuration of encryption / decryption in the CBC mode, and FIG. 19B shows encryption in the OFB mode.・ The outline structure of decryption is shown.
In the CBC mode, as shown in FIG. 19A, the i-th plaintext block M (i) is input to the exclusive OR circuit 101, and the ciphertext block one block before delayed by the register (REG) 103. An exclusive OR with C (i-1) is calculated. The calculated data is encrypted by the encryption algorithm executing means 102 with the work key generated based on the data key Ks. This encrypted ith ciphertext block C (i) is
C (i) = EKs (M (i) .EOR.C (i-1))
It can be expressed. However, EKs (m) means that m is encrypted with Ks, and EOR indicates that an exclusive OR operation is performed.

The ciphertext block C (i) is transmitted and received at the receiving side. The received ciphertext block C (i) is decrypted by the decryption algorithm execution means 111 using the work key generated based on the data key Ks and supplied to the exclusive OR circuit 113. The exclusive OR circuit 113 is inputted with the ciphertext block C (i-1) one block before delayed in the register (REG) 112, and calculates the exclusive OR of both. At this time, the data key Ks on the transmission side and the reception side are the same, whereby the i-th plaintext block M (i) is decrypted from the exclusive OR circuit 113. The i-th plaintext block M (i) can be expressed as follows.
M (i) = DKs (C (i) .EOR.C (i-1))
However, DKs (c) indicates that c is decrypted by Ks.

  In the OFB mode, the i-th plaintext block M (i) is supplied to the exclusive OR circuit 105. The exclusive OR circuit 105 is supplied with the output of the encryption algorithm executing means 104 randomized by the work key generated based on the data key Ks. The output of the encryption algorithm execution means 104 is delayed by one block by the register 103 and returned to the encryption algorithm execution means 104. As a result, the ciphertext block C (i) encrypted with the random number is output from the exclusive OR circuit 105.

  The ciphertext block C (i) is transmitted and received at the receiving side. The received ciphertext block C (i) is supplied to the exclusive OR circuit 114. The exclusive OR circuit 114 is supplied with an output randomized using the work key generated based on the data key Ks in the encryption algorithm execution means 115. The output of the encryption algorithm executing means 115 is delayed by one block in the register (REG) 112 and returned to the encryption algorithm executing means 115. In this case, the random number supplied to the exclusive OR circuit 114 is equal to the random number supplied to the exclusive OR circuit 105, so that the i-th plaintext block M (i) from the exclusive OR circuit 114 is changed. can get.

FIG. 20 shows a schematic configuration of the encryption / decryption method having the encryption use mode described above.
In this figure, a scrambler 100 is provided on the transmission side, and input data is scrambled by the scrambler 100 and transmitted. The scrambled transmission data is propagated through a transmission path such as a space and received at the receiving side. On the receiving side, a descrambler 110 is provided, and the transmission data scrambled by the descrambler 110 is descrambled, returned to the original data, and output.

The scrambler 100 includes an encryption algorithm executing means 102 for encrypting input data (plaintext) input, a register 103, and a CBC mode encryption unit including an exclusive OR circuit (EX-OR) 101. The encryption algorithm execution means includes an encryptor 104 and an OFB mode encryption unit including an exclusive OR circuit (EX-OR) 105. Note that an encryptor 106 that generates a work key from the data key and the system key is also provided in the scrambler 100. The generated work key is supplied to the encryptors 102 and 104.
By the way, since the encryptor 102, the encryptor 104, and the encryptor 106 have the same configuration, three encryptors can be shared by one encryptor. Since the operations of the CBC mode encryption unit and OFB mode encryption unit are the same as described above, they are omitted here.

The descrambler 110 also decrypts the CBC mode, which includes a decryptor 111 that performs decryption algorithm execution means for decrypting input received data (ciphertext), a register 112, and an exclusive OR circuit (EX-OR) 113. And an OFB mode decryption unit comprising an exclusive OR circuit (EX-OR) 114 and an encryption unit 115, which is an encryption algorithm executing means. Note that an encryptor 116 that generates a work key from the data key and the system key is also provided in the descrambler 110. The generated work key is supplied to the Decryptor 111 and the Encryptor 115.
Since the encryptor 115 and the encryptor 116 have the same configuration, two encryptors can be used by one encryptor. The operations of the CBC mode decoding unit and the OFB mode decoding unit are the same as described above, and are omitted here.

By the way, when an advanced encryption / decryption method such as the MULTI2 method described above is realized by software and used, real-time processing cannot be performed at the current calculation speed of the calculation means. In other words, for example, when applied to satellite digital television broadcasting, etc., it is necessary to reproduce images and sounds in real time without interruption, so that decoding processing on the receiving side is performed by hardware capable of high-speed processing. Will have to.
However, the hardware capable of completing all the decoding processes in real time on the receiving side has a problem that it becomes a large size because it performs complicated processes.

  Therefore, the present invention has an object to provide a decryption method that can complete all decryption processing in real time on the receiving side using scrambled data with a high-level encryption method using small and inexpensive hardware. It is said.

In order to achieve the above object, the decryption method of the present invention provides transmission data including encrypted data, information indicating the type of the data, and information indicating whether or not the data is encrypted. A decryption method for receiving and decrypting the encrypted data, wherein a plurality of different key information assigned to information indicating one type of the data is written in the memory means and writing step, the key information in which information and data indicating the type of data included is instructed by the information indicating whether it is encrypted in the transmission data received, and reading step of reading from said memory means A decryption step of decrypting the encrypted data based on the key information read in the read step, and an execution period of the write step , In a case where the execution period of the read step are overlapped, if the write address and the read address are coincident, so that prohibits execution of the write step.

  In order to achieve the above object, another decryption method of the present invention reads any key information from the memory means storing the plurality of key information based on the instruction data in the input data. The memory means includes a reading step and a decoding step for decoding the input data based on the key information read in the reading step. In the reading step, the memory means is configured to refer to a key table by the instruction data. The key information to be read from is searched, and when there are two or more key addresses for reading the key information corresponding to the instruction data in the key table, the smallest key address is selected. .

  Furthermore, in order to achieve the above object, still another decryption method of the present invention provides any key information from the memory means storing the plurality of key information based on the instruction data in the input data. And a decryption step for decrypting the input data based on the key information read in the read step. In the read step, the memory is obtained by referring to the table by the instruction data. When the key address of the key information read from the means is searched and the key address referred to by the instruction data does not exist in the table, the key address is not searched.

  Furthermore, in order to achieve the above object, still another decryption method of the present invention includes an initial step of performing initial setting, a write step of writing a plurality of key information in the memory means, and input data from the memory means. A reading step of reading any key information based on the instruction data in the medium, and a decoding step of decoding the input data based on the key information read in the reading step. In the reading step, The initial step is performed so that the key address of the key information read from the memory means is searched by referring to the key table by the instruction data, and within the initialization period, there is no corresponding key address as a result of the search. Initial processing is performed in

According to such a decryption method of the present invention, the memory means storing the key information necessary for performing the decryption process can be appropriately read and written, so that the memory control is easily performed. Can be a decryption method that can be used. Therefore, the decoding method can perform all decoding processes in real time on the receiving side.
In addition, in an electronic device provided with a decoding means for executing such a decoding method, the configuration of the memory control means can be simplified, so that the electronic device can be provided in a small size and at a low cost.

Since the present invention is configured as described above, it is possible to appropriately perform read and write control of the memory means storing the key information for performing the decryption process, and to easily perform the memory control. It can be a decryption method. Therefore, a decryption method that can execute all decryption processes in real time on the receiving side can be provided.
In addition, since the configuration of the memory control unit in the electronic device including the decoding unit that executes such a decoding method can be reduced, the electronic device can be provided in a small size and at low cost.

FIG. 1 is a block diagram showing a configuration example of a decryption apparatus which is an embodiment of the decryption method of the present invention.
In this figure, a decryption device A includes a decryption unit B in CBC mode, a decryption unit C in OFB mode, a data key indirect searcher (IDT) 16 having a packet ID (PID) table, and encryption of input data. The dual-port memory (DPMEM) 17 that passes the data key used for the decryption to the decryption units B and C, and the comparator (COMP) 11 that compares the write address and the read address of the DPMEM 17.

Ciphertext data as received data is input to the terminal 1 of the decryption device A, and this ciphertext data is input to the switching means 3. At this time, when the CBC mode is set, both the switching means 3 and the switching means 4 are switched to the terminal a side, and the input ciphertext data is supplied to the CBC mode decryption unit B for decryption and output. Is done. In the OFB mode, both the switching means 3 and the switching means 4 are switched to the terminal b side, and the ciphertext data is input to the OFB mode decryption unit C side. The input ciphertext data is decrypted by the OFB mode decryption unit C, and plaintext data is output.
In the CBC mode decryption unit B and OFB mode decryption unit C, the input ciphertext data is decrypted into plain text data, and the decryption algorithm is the same as the decryption algorithm shown in FIG. It is. In this case, the data key necessary for the decryption process is supplied from the DPMEM 17.

  Further, the format of the received data input to the terminal 1 is, for example, a transport stream (hereinafter referred to as TS) defined as ISO / IEC13818. The TS has a packet structure of 188 bytes, and normally a 184-byte payload follows a 4-byte header. Further, since a parity is added for error correction with respect to a transmission error, a dummy period for 16-byte parity is added to form a repeated stream.

Whether the packet is composed of video data, audio data, or other data in the header of this TS, or whether it is an encrypted TS A TSC (Transport Scrambling Control) flag indicating whether or not the packet is included is included, and the attributes of these packets are interpreted by analyzing the header in an analysis unit (not shown).
At this time, if the packet is interpreted as an unencrypted packet by the TSC, the TS is output as it is through the delay unit without being decrypted. The delay time of the delay unit is made equal to the time required for the decryption apparatus A to perform decryption processing.

Two data keys Kse (Ks_even) and data key Kso (Ks_odd) are assigned to one PID. This is because the data key is updated every few seconds to several tens of seconds, so it is necessary to rewrite the data key in time for the update, and one of the data key Kse and the data key Kso is used during the decryption process. This is because only the used data key can be updated and the data key can be updated. That is, it is for easily performing update control for updating the data key.
Although not shown, the analysis unit is provided in, for example, the CBC mode decoding unit B, and PID / TSC information having a data size of 15 bits is sent from the CBC mode decoding unit B to the IDT 16.

The IDT 16 refers to the PID table using the received 13-bit size PID information, combines the address information read from the PID and the 2-bit size TSC information, and reads the read address RA (data size is 9). Bit). The generated read address RA is supplied from the AD terminal to the RA terminal of the DPMEM 17, and at this time, the read enable (RE) signal is controlled to be in an active state, and the data key corresponding to the read address RA is read from the DPMEM 17. . The read data key is equal to the data key used at the time of encryption of the input TS, and is output from the terminal RD and supplied to the Decryptor 5.
The Decryptor 5 generates a work key from the supplied data key and a different system key for each system, and performs decryption processing of the ciphertext data input based on the generated work key.
The system key is passed from the CPU 10 to the decryption device A in advance.

Further, the CPU 10 writes the updated data key required by the decryption units B and C into the DPMEM 17 before it becomes necessary in the decryption process. When writing, the write enable (WE) is set. While being in an active state, a write address (WA) having a data size of 9 bits and write data (WD) of a data key having a data size of 8 bits are supplied to the DPMEM 17. In this case, the CPU 10 is provided with a ROM and a RAM, and data to be given to the decrypting device A is written in these memories.
When the data key information is written to DPMEM 17, if IDT 16 reads the data key at the same read address as the write address, the read data becomes indefinite. Writing is prohibited.

  For this purpose, a comparator 11, an AND gate 12, OR gates 13 and 14, and an inverter 15 are provided. Explaining this operation, the read address RA output from the IDT 16 and the write address WA output from the CPU 10 are input to the P terminal and the Q terminal of the comparator 11, respectively. When the input data at the P terminal matches the input data at the Q terminal (P = Q), the comparator 11 outputs a high level signal. At this time, if the inversion RE is at the low level and is in the active state, the inverter 15 outputs a high level, and eventually the AND gate 12 outputs a high level. Since the output of the AND gate 12 is input to the OR gate 13 and the output of the OR gate 13 is set to the high level, the inverted WE becomes inactive and writing to the DPMEM 17 is prohibited.

Next, the memory space of the register of the decryption device A as seen from the CPU 10 is shown in FIG. 3. An area of 64 bits × 1 in which the upper 6 bits of the 9-bit data size address (HADD) is “000100” It is assigned to an initial value table (CBC Initial value table) in the CBC mode. The initial values stored in the initial value table are supplied to the CBC mode decoding unit B and set in the register 6 at the time of initial processing executed when the power is turned on.
In addition, an area of 256 bits × 1 in which the upper 4 bits of the address (HADD) are “0010” is assigned to the system key table (SYSTEM_Key table). This system key is different for each system, but is a fixed key in one system.

Furthermore, an area of 13 bits × 12 in which the upper 4 bits of the address (HADD) are “0100” is assigned to the PID table (PID value table). This PID table is information indicating packetized data types, and a maximum of 12 types per channel is set to a different PID for each data type.
The system key table is written to a predetermined register, and the information of the PID table is written to the IDT 16 from the CPU 10 during the initial processing.

  Furthermore, an area of 64 bits × 12 in which the upper 2 bits of the address (HADD) is “10” is allocated to the data key Kse table (Ks_even value table), and the upper 2 bits of the address (HADD) is “11”. The 64-bit × 12 area is assigned to the data key Kso table (Ks_odd value table). Information on the data key Kse table and the data key Kso table is written in the DPMEM 17, but is updated by the CPU 10 at predetermined timings of several seconds to several tens of seconds.

  Next, a block diagram showing an example of a detailed configuration of the IDT 16 is shown in FIG. In this figure, 41 to 52 are twelve flip-flops (DF0 to DF11) each having a 13-bit width, and 61 to 72 are twelve comparators (CP0 to CP11) each having a 13-bit width. Reference numeral 40 denotes an address decoder (ADEC). When 9-bit data size address information is input, only one of the 12 outputs has an output that activates one of DF0 to DF11. Is issued. Further, 39 is a priority encoder (PE), which outputs address information TMP0 to TMP3 combined with TSC information.

In the IDT 16, the 8-bit data size PID information output from the CPU 10 is developed into a 13-bit data size and input to the terminal 30. Further, the address information having a data size of 9 bits output from the CPU 10 is input to the terminal 32 and decoded by the ADEC 40. This decoded output is input to DF0 to DF11 as a strobe signal, and only one of DF0 to DF11 can be latched.
At this time, the input PID information having a data size of 13 bits is input in common to 12 DF0 to DF11, and DF0 to DF11 are sequentially selected and supplied one by one by the decode output of ADEC40. PID information is latched. In this way, a maximum of 12 types of PID information can be latched in DF0 to DF11, and a PID table is configured by DF0 to DF11.

In addition, PID information having a data size of 13 bits is input to the terminal 33 and is input in common to the B input terminals of the comparators CP0 to CP11. This PID information is extracted from the header of the packet, which is received data, in the CBC mode decoding unit B, and PID information having a 13-bit data size out of the 15-bit PID / TSC information supplied to the IDT 16 It is.
In this case, the comparators CP0 to CP11 have the PID information from DF0 to DF11 input to the A terminal, respectively, and the PID information that matches the PID information input from the terminal 33 is input to the A terminal. A match signal is output from. Therefore, when the PID information in the PID table is input from the terminal 33, a coincidence signal is output from any one of CP0 to CP11.

FIG. 4 shows a logical table of CP0 to CP11. When all “1” s are not input to the A terminal and B terminal of CP0 to CP11, a “1” signal is output when they coincide (A = B). Is output. If they do not match, “0” is output.
Furthermore, the logical table of PE39 is shown in FIG. In the logic table of PE39, for example, when a "1" signal is output from CP2, "0010" 4-bit (TMP0 to TMP3) data is output from PE39. In this PE 39, as shown in FIG. 5, D0 is the input with the highest priority, and D11 is the input with the lowest priority.
Incidentally, PID information that does not match the PID information in the PID table set in DF0 to DF11 may be input. In this case, all “0” is input to the PE. At this time, the NK output of PE becomes “1”. When the NK output is “1”, reading a key table of a data key described later is prohibited.

Further, at the time of initial processing such as when the power is turned on, the level of the terminal 31 becomes “0”, and all of DF0 to DF11 are preset, so “1” is output from DF0 to DF11. Accordingly, in this case, all “0” is output from CP0 to CP11, and reading the key table of the data key as described above is prohibited.
When reading the key table is prohibited, the key table is not used, so that the data key can be written from the CPU 10 to this key table. That is, the data key can be initialized. The terminal 31 is a power-on reset terminal, and its level returns to “1” after a predetermined time.

Next, an operation for searching a key table of data keys based on PID information and TSC information in received data will be described with reference to FIG.
In step S20 shown in FIG. 6, it is assumed that “PID-F” is input as PID information having a 13-bit data size and “10” is input as TSC information having a 2-bit data size from the header of the received data. This “10” indicates that it is scrambled with the data key Kse.
Next, in step S21, the PID information is input to the A terminals of CP0 to CP11 and compared with the PID information stored in DF0 to DF11. As a result, a “1” signal is output from CP5, and the outputs TMP [3. . 0] becomes “0101”. That is, “PID-F” is searched. “0101”, which is the output of PE39, is changed from the fourth bit to the first bit of the address HADD.

Next, in step S22, the TSC information TSC [1. . 0] 2 bits (“10”) are the 5th and 6th bits of the HADD, and an address HADD [8. . 3] is generated. Therefore, the address HADD [8. . 3] becomes “100101”.
In step S23, the address HADD [8. . 3], the 64-bit data key Kse-F can be obtained from Ks_even Table. Then, the decryption apparatus A executes decryption of the ciphertext input based on the obtained data key Kse-F.
Thus, since the decryption method of the present invention uses an indirect search method for indirectly searching for a data key, a 6-bit key table is prepared without preparing a 13-bit table corresponding to PID information. Therefore, the memory capacity can be reduced and the size can be reduced.

Since only one of the key tables Ks_even Table and Ks_odd Table is used during decryption in this way, the data key of the unused key table can be updated. This is executed by the CPU 10 as described above. Since the timing of the CPU 10 and the timing of the decryption device A operate asynchronously, the CPU 10 goes to write the data key to be updated asynchronously.
For this reason, in the dual port memory 17 in which the key table is stored, there are cases where writing and reading are simultaneously performed at the same address as described above. FIG. 9 shows an example of the timing at this time. When an inversion RE of 8 clock width occurs at the timing shown in the figure, writing of the same address from the CPU 10 is prohibited during the 8 clock period as described above. The

By the way, there is a case where the same PID is stored in the PID table for some reason. For example, although the maximum 12 types of PID information per channel is not required, when 12 types of PID are not required, it is not necessary to write 12 types of PID in the PID table, and only the required types of PID are written. Become. Then, the data in the PID column that has not been written may accidentally become the same data as the PID.
In such a case, there is a possibility that an incorrect data key may be read and cannot be decrypted. Therefore, in the present invention, this is prevented as follows.

As shown in FIG. 7, when there are a plurality of “PID-F” in the PID table, priority is given to the smaller one of the addresses HADD. This is because writing to the PID table starts from the smaller address HADD, and the higher the address HADD is, the higher the probability of being wrong.
Thus, when “PID-F” is input as PID information, the address HADD [8. . 1] is obtained, the same processing as described above is performed, and a 64-bit data key Kse-F is obtained from the Ks_even table.

Further, there may be no corresponding PID even if the PID table is referred to by the PID information from the header of the input data. For example, as shown in FIG. 8, even if “PID-F” is input as PID information, there is no PID corresponding to “PID-F” in the PID table.
In such a case, neither the key table Ks_even Table nor Ks_odd Table is read, and the data key is not read. In this case, the input data TS is output as it is.

Next, the decoding flow of the decoding apparatus A shown in FIG. 1 is shown in FIG. 10. When a transport stream (TS) is input, it is determined in step S10 whether or not it is scrambled. This determination is made by detecting whether or not a flag in the header indicating that it is scrambled is set. In this case, if the flag is set, it is determined that the scramble is on, and the process proceeds to step S11, where a desired flag or the like is rewritten. Next, in step S12, PID information is extracted from the header, and the key table is referred to. For the key table in this case, host interface processing is performed in step S16 of the key table processing, and the key table written in step S17 is referred to.
The process of step S12 is the process shown in FIG.

The process from step S10 to step S12 is the header control process. If it is determined in step S10 that the scramble is off, TS is output as it is.
Next, CBC mode decryption processing is performed in step S13, and it is determined in step S14 whether or not the ciphertext to be decrypted is an integer multiple of 64 bits. If the ciphertext has a fraction and it is determined No, in step S15, the decryption processing in the OFB mode is performed on the fractional portion, and the decrypted plaintext is output. If it is determined in step S14 that the integer multiple of 64 bits, the decrypted 64-bit plain text is output.

By the way, the execution of the decoding flow as shown in FIG. 10 is executed by the decoding algorithm shown in FIG. The decryption algorithm shown in FIG. 18 is the same as described above, and is omitted here. Details of the configuration for executing the decryption algorithm and the encryption algorithm in the decryption algorithm will be described with reference to FIGS.
FIG. 11 shows a configuration of cryptographic processing for executing a cryptographic algorithm. In FIG. 11, 64-bit wide input data is divided into upper 32-bit data and lower 32-bit data and input to the first eight ciphers. The eight encryption stages have a configuration in which a four-stage operation stage for calculating a function is repeated twice. Then, the calculation of the function π1 is performed on the input upper 32 bits data and lower 32 bits data in the first stage of the operation stage 20. Next, in the second stage, the function π2 is calculated on the output of the first stage. In this case, a 32-bit work key K1 is input to the second stage, and the second-stage operation is performed using the work key K1.

Further, the function π3 is calculated on the output of the second stage in the third stage. In this case, 32-bit work keys K2 and K3 are input to the third stage, and calculations are performed using the work keys K2 and K3. Subsequently, the function π4 is calculated on the output of the third stage in the fourth stage. In this case, a 32-bit work key K4 is input to the fourth stage, and calculation is performed using this work key K4.
Further, in the operation stage 21 that performs the remaining 4 stages of operations, the output of the operation stage 20 is subjected to the calculation of the function π1 in the first stage. Next, in the second stage, the function π2 is calculated on the output of the first stage. In this case, the work key K5 having a 32-bit width is input to the second stage, and calculation is performed using the work key K5.

Further, the function π3 is calculated on the output of the second stage in the third stage. In this case, 32-bit work keys K6 and K7 are input to the third stage, and operations are performed using the work keys K6 and K7. Subsequently, the function π4 is calculated on the output of the third stage in the fourth stage. In this case, a work key K8 having a 32-bit width is input to the fourth stage, and calculation is performed using the work key K8.
The data having a total 64-bit width of the upper 32 bits and the lower 32 bits subjected to the encryption process in this way is further input to the cipher 8 stage 22. In the cipher 8 stage 22, the same operation as that of the above-described cipher 8 stage is performed, and randomized output data having a total of 64 bits width of upper 32 bits and lower 32 bits is obtained.

As shown in the figure, the number of repetitions of the eight encryption stages is not limited to two, but can be repeated as many times as desired. As the number of times is repeated, the output data is highly randomized and the encryption strength can be increased.
In addition, the calculation of the function that is performed in the operation stage is an operation that performs substitution that replaces a character with another character according to a certain rule, and transposes that replaces the order of the characters.

  Next, FIG. 12 shows the configuration of the decryption process for executing the decryption algorithm. The difference from the encryption process described above is that the operation is performed in reverse from the output side of the structure of the encryption process. That is, in the first four operation stages 23 of the eight encryption stages, the 32-bit work key K8 is added to the 64-bit encrypted input data divided into the upper 32 bits and the lower 32 bits. Is used to calculate the function π4. Next, in the second stage, the function π3 is calculated using the work key K7 for the output data of the first stage. Further, in the third stage, the function π2 is calculated using the work keys K6 and K7 on the output data of the second stage. Furthermore, in the third stage, the function π2 is calculated using the work key K5 for the second stage output data, and in the fourth stage, the function π1 is calculated for the third stage output data.

Such a four-stage calculation is similarly performed in the calculation 24 using the work keys K4 to K1.
Furthermore, the above-described 8-stage cipher operation is also executed in the 8-stage cipher 8 stage, and the decrypted upper 32 bits and lower 32 bits total 64-bit output data is obtained. It should be noted that the number of repetitions of the eight encryption steps is the same as the number of repetitions of the eight encryption steps executed in the encryption process.

Next, details of the calculation performed in the calculation stage will be described in detail with reference to FIG. 13 by taking the calculation stage 20 of the cryptographic process as an example.
In the calculation of the function π1 at the first stage, the input upper bits divided into 32 bits are output as they are without being calculated, and the exclusive OR of the upper bits and the lower bits are calculated and output as the lower bits. .
In the subsequent calculation of the function π2 in the second stage, the work key K1 is added to the lower-order 32-bit data x, and x + K1 is calculated first. Next, when x + K1 is y, y is cyclically shifted by 1 bit to the left, and y-1 is added to the value to obtain z. Next, z is shifted left by 4 bits, and an exclusive OR of the value and z is obtained. The operation result and the upper 32 bits exclusive OR are calculated, and the calculated upper 32 bits of data are output. In this case, in the lower 32 bits, the input data is output as it is without being calculated.

Further, in the calculation of the function π3 in the third stage, the work key K2 is added to the upper 32 bits of data x, and x + K2 is first calculated. Next, when x + K2 is set to y, y is cyclically shifted by 2 bits and y + 1 is added to the value to obtain z. Next, z is cyclically shifted by 8 bits to obtain an exclusive OR a between the value and z.
Further, the work key K3 is added to a, and a + K3 is calculated. Next, when a + K3 is b, b is cyclically shifted by 1 bit to the left, and -b is added to the value to obtain c. Next, an exclusive logical sum of a logical sum for each bit of a and x and a value obtained by cyclically shifting c by 16 bits is calculated. The exclusive OR of this operation result and the lower 32 bits of data is calculated, and the calculated lower 32 bits of data are output. The upper 32 bits of data become the upper 32 bits of output data without being calculated.

  Furthermore, in the calculation of the function π4 in the fourth stage, the work key K4 is added to the lower-order 32-bit data x, and x + K4 is first calculated. Next, when x + K4 is set to y, y is cyclically shifted by 2 bits to the left, and y + 1 is added to the value. The operation result and the upper 32 bits exclusive OR are calculated, and the calculated upper 32 bits of data are output. In this case, the lower 32 bits of data are output as they are without being calculated.

In the above calculation, by adding the work keys K1 to K4 to the data, substitution processing for replacing the character with another character is performed, and transposition for replacing the position of the character is performed by cyclically shifting the data. In this way, plain text is encrypted into cipher text by performing substitution and transposition algorithms.
In the case of decryption, the original plaintext can be decrypted by performing a substitution and transposition algorithm reverse to the encryption.

Next, a configuration for performing the above-described calculation of the function will be described in more detail. An example of the function π2 will be described with reference to FIG.
In FIG. 14, the first adder Add80 adds the lower 32 bits of the input data x and the 32 bits of the work key K1, and outputs the added data y. The added data y is shifted by 1 bit to the left in the first left cyclic shifter 81 and is added to the output of the first left cyclic shifter 81 in the second adder 82. The addition result is added with -1 by the third adder 84 to calculate the data z. The data z is 4-bit left-round shifted in the second left cyclic shifter 85 and supplied to the exclusive OR circuit 86. The exclusive OR circuit 86 receives the output data of the second left cyclic shifter 85, the data z, and the upper 32 bits of input data, and calculates the exclusive OR of the three data.
The calculation result is the upper 32 bits input data input to the next stage. The lower 32 bits input data becomes lower 32 bits input data that is input to the next stage without being calculated.

Next, FIG. 15 shows a configuration of key schedule processing for generating a 256-bit work key from a 64-bit data key and a 256-bit system key.
As shown in FIG. 15, the key schedule process has a configuration in which four operation stages 26 and 27 are connected in two stages and one operation stage 28 is connected in one cascade. In the four operation stages 26 and 27, the function π1 is calculated in the first stage, the function π2 is calculated in the second stage, and the function π3 is calculated in the third stage. The function π4 is calculated in FIG.

  Since such an arithmetic algorithm is the same as the above-described cryptographic processing algorithm, the description thereof will be omitted. However, in the key schedule processing, the input data is a 64-bit data key, and each of the 32-bit system keys J1 to J1. The functions π1 to π4 are calculated using J8, and eight 32-bit work keys K1 to K8 are generated. However, it is different from the above-described encryption processing algorithm in that the calculation of 9 stages is performed as a whole and the function π1 is calculated in the final stage.

The upper 32 bits output data after the calculation of the function π2 of the calculation stage 26 is output as the work key K1, the lower 32 bits of output data after the calculation of the function π3 is output as the work key K2, and the upper 32 bits after the calculation of the function π4. Output data is output as the work key K3.
Further, the lower 32-bit output data after the calculation of the function π1 in the calculation stage 27 is output as the work key K4, the upper 32-bit output data after the calculation of the function π2 is output as the work key K5, and the upper 32 bits after the calculation of the function π3. The output data is output as the work key K6, the upper 32-bit output data after the function π4 operation is output as the work key K7, and the lower 32-bit output data after the function π1 operation in the final stage 28 is output as the work key K8. Yes.

Referring to the encryption process shown in FIG. 11 and the key schedule process shown in FIG. 13 described above, the configuration of the four operation stages, that is, the operation algorithm is made equal, and the operation of the four operation stages is repeated. Thus, encryption processing or key schedule processing can be executed. Therefore, if the computation core has a configuration in which the computation stage of the function π1, the computation stage of the function π2, the computation stage of the function π3, and the computation stage of the function π4 are cascaded as shown in FIG. By repeatedly executing the core, encryption processing or key schedule processing can be executed.
This computing core corresponds to an Encryptor that generates a work key from the data key and system key shown in FIG. 20 and performs encryption processing in the CBC mode and OFB mode, and is an Encryptor core. In this case, data keys Ks1 to Ks4 and data keys Ks5 to Ks8 are supplied to the Encryptor core in a time division manner.

Referring to FIG. 12, the configuration of the four operation stages, that is, the operation algorithm is made equal, and the decoding process can be executed by repeatedly performing the operation of the four operation stages. Therefore, as shown in FIG. 16 (b), if the decoding operation core has a configuration in which the calculation stage of function π4, the calculation stage of function π3, the calculation stage of function π2, and the calculation stage of function π1 are cascaded, By repeatedly executing the decoding operation core, the decoding process can be executed.
Note that this decryption operation core corresponds to the Decryptor performing decryption processing in the CBC mode and OFB mode shown in FIG. 20, and is a Decryptor core. In this case, data keys Ks8 to Ks5 and data keys Ks4 to Ks1 are supplied to the Decryptor core in a time division manner.
As described above, the encryption process and the key schedule algorithm can be executed by repeatedly executing the Encryptor core, and the decryption algorithm can be executed by repeatedly executing the Decryptor core.

Although the decryption device that executes the decryption method of the present invention has been described above, the electronic apparatus of the present invention is a tuner, a television device, or the like that includes at least such a decryption device.
In the above description, ciphertext of a 64-bit block has been described as generating a plaintext of a 64-bit block using a 64-bit data key and a 256-bit system key. However, the present invention is limited to these numerical values. It is not intended to be an arbitrary numerical value.
Furthermore, the present invention is not limited to the encryption / decryption method that repeats the above transposition and substitution, and can be applied to other encryption / decryption methods.

It is a block diagram which shows the structural example of the decoding apparatus which is embodiment of the decoding method of this invention. It is a block diagram which shows the structure of IDT in the decoding apparatus shown in FIG. It is a chart which shows the memory space of the register | resistor in the decoding apparatus seen from CPU shown in FIG. 3 is a chart showing a logic table of comparators CP0 to CP11 of the IDT shown in FIG. FIG. 3 is a diagram showing a logical table of IDT PEs shown in FIG. 2. FIG. 2 is a diagram for explaining a method for searching for a data key by an indirect search method from information in a header of input data in the decryption device shown in FIG. 1. It is a figure for demonstrating operation | movement when PID overlaps in a PID table. It is a figure for demonstrating operation | movement when the applicable PID does not exist in a PID table. It is a figure which shows the example of the read timing of DPMEM in the decoding apparatus shown in FIG. It is a flowchart which shows the decoding flow of the decoding apparatus shown in FIG. It is a figure which shows the structure of an encryption process. It is a figure which shows the structure of a decoding process. It is a figure which shows the detail of the basic function in a cryptographic process. It is a figure which shows the detailed structure for calculating the function (pi) 2 in a basic function. It is a figure which shows the structure of a key schedule process. It is a figure which shows the structure of Encryptor core and Decryptor core. It is a figure which shows the algorithm of the conventional encryption. It is a figure which shows the algorithm of the conventional decoding. It is a figure which shows the structure of the encryption utilization mode of CBC mode and OFB mode. It is a figure which shows the structure of the conventional encryption / decryption system.

Explanation of symbols

1 received data, 2 output data, 3, 4 switching means, 5 Decryptor, 6 registers, 7, 9, 86 exclusive OR circuit, 8 Encryptor, 10 CPU, 11 comparator, 12 AND gate, 13, 14 OR gate, 15 Inverter, 16 IDT, 17 DPMEM, 20-28 operation stage, 39 PE, 40 ADEC, 41-52 flip-flop, 61-72 comparator, 80, 82, 84 Adder, 81, 85 Left cyclic shifter

Claims (4)

A decryption unit that receives transmission data including encrypted data, information indicating the type of the data, and information indicating whether the data is encrypted, and decrypts the encrypted data. A method of
A writing step of writing a plurality of different pieces of key information assigned to information indicating one type of data in the memory means;
Received key information in which information and data indicating the type of data included is instructed by the information indicating whether it is encrypted in the transmission data, a reading step of reading from said memory means,
Decrypting the encrypted data based on the key information read in the reading step, and
When the execution period of the write step and the execution period of the read step overlap, and the write address and the read address match, execution of the write step is prohibited. Method. A decryption unit that receives transmission data including encrypted data, information indicating the type of the data, and information indicating whether the data is encrypted, and decrypts the encrypted data. A method of
The information and data indicating the data type in the received transmission data are encrypted from the memory means storing a plurality of different key information assigned to the information indicating the one data type . A reading step of reading any key information based on instruction data by information indicating whether or not
A decrypting step for decrypting the encrypted data based on the key information read in the reading step,
In the reading step, key information to be read from the memory means is searched by referring to a key table of information indicating the data type by the instruction data, and corresponds to information indicating the data type of the instruction data A decryption method for selecting the smallest key address when there are two or more key addresses for reading the key information in the key table. A decryption unit that receives transmission data including encrypted data, information indicating the type of the data, and information indicating whether the data is encrypted, and decrypts the encrypted data. A method of
The information and data indicating the data type in the received transmission data are encrypted from the memory means storing a plurality of different key information assigned to the information indicating the one data type . A reading step of reading any key information based on instruction data by information indicating whether or not
A decrypting step for decrypting the encrypted data based on the key information read in the reading step,
In the reading step, the key address of the key information read from the memory means is searched by referring to a key table of information indicating the data type by the instruction data , and the data type of the instruction data is indicated. If the key addresses referenced by the information does not exist in the key table of information indicating the type of the data, decrypting method is not performed search key address. A decryption unit that receives transmission data including encrypted data, information indicating the type of the data, and information indicating whether the data is encrypted, and decrypts the encrypted data. A method of
An initial step for initial settings;
A writing step of writing a plurality of different pieces of key information assigned to information indicating one type of data in the memory means;
A step of reading out any key information from the memory means based on information indicating the type of data in the received transmission data and instruction data based on information indicating whether the data is encrypted ;
A decrypting step for decrypting the encrypted data based on the key information read in the reading step,
In the reading step, the key address of the key information to be read from the memory means is searched by referring to a key table of information indicating the type of data by the instruction data, and the search result is within the initialization period. The decryption method is initially processed in the initial step so that there is no corresponding key address.

Images