JP5268011B2 - Encryption system and decryption system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an encryption system and a decryption system performing high speed processing safely. <P>SOLUTION: A function selection means, for each block unit of a document from a document storage means, selects a function sequentially by pseudo-random numbers. A function execution means, using a block of the pseudo-random number sequence as a parameter in the selected function, converts the document to encrypt it. In the decryption system, an inverse function selection means, for each block unit of the encrypted document from the encrypted document storage means, selects an inverse function by pseudo-random numbers. An inverse function execution means, using a block of the pseudo-random number sequence as a parameter in the selected inverse function, converts the encrypted document to decrypt it. Since the respective functions are basic high-speed functions, the combined overall conversion is also carried out at high speed. Since both of the combination of the functions and the number of iteration can be changed, specification reinforcement in the future is facilitated. The execution order of the functions cannot be known, and consequently high safety is ensured. <P>COPYRIGHT: (C)2011,JPO&amp;INPIT

Description

  The present invention is an encryption system and a decryption system using a pseudo random number generation system in a block cipher and a stream cipher using a shared key.

When a document that is difficult to be viewed by a third party is stored as electronic data, the data is encrypted and converted so that it cannot be decrypted without knowing the password. The encryption technology used here is widely used as an encryption called block cipher, where data is divided into fixed-size blocks and each block is encrypted with a specific function that depends on the secret key. It is an encryption method called a stream cipher that is encrypted with a method and a function that differs depending on the position of data. Stream cipher often obtains an exclusive OR of data and a cryptographic random number sequence.
Also, when performing electronic commerce using the Internet, data is encrypted and transmitted in order to securely communicate between the two points A and B without being known by a third party. As encryption techniques used at that time, widely used are shared key cryptosystems represented by DES, Triple DES, and AES. This is a method of converting data to be transmitted into data that cannot be understood by a third party, based on a shared encryption key shared only between A and B that perform communication.

DES (Data Encryption Standard) is a shared key cryptosystem that has been recommended by the National Institute for Standardization (NIST) of the United States government as a standard for data encryption. Triple DES is an encryption method that increases its security by repeating DES three times. AES (Advanced Encryption Standard) is an encryption method called Rijindael developed by the mathematicians J. Daemen and V. Rijmen, which NIST publicly solicited as a data encryption standard to replace DES. These are all block ciphers, which are shared key cryptosystems that use a shared key to encrypt data divided into fixed-size blocks at high speed. The amount of calculation required for this conversion is very small and practical.
In the stream cipher, a method is known in which an encrypted random number sequence is generated by a Blum-Blum-Shub (BBS) method for generating a pseudo-random number using a quadratic remainder and an exclusive OR with a document is used as a ciphertext. The BBS method is a policy in which the encryption key k is squared one after another to create a remainder in the product N of two secret prime numbers, and a sequence formed by arranging the least significant bits is used as an encryption random number sequence. If this N is sufficiently large, this sequence is very good cryptographically, that is, it is difficult to predict the next bit with a better probability than random, even if it collects a lot of continuous data. This is shown in the literature “L. Blum, M. Blum, M. Shub:“ A Simple Unpredictable Psudo-Random Number Generator ”, SIAM J. Comput. Vol15, No.2, May 1986”. ing. Therefore, if this is used, it is considered that it is very difficult to find the law even if many characters are estimated, and calculation equivalent to exhaustive check is required to estimate other subsequences.

However, in the conventional shared key cryptosystem block cipher, a single complex encryption function is created from the key information, and plaintext is converted using this function. There is a problem that it is easy to obtain information for decoding. For example, when trying to decrypt a cipher, an attack by encrypting a known plaintext, such as differential cryptanalysis or linear cryptanalysis, is often used. In other words, in a situation where an attacking person can encrypt an arbitrary document, there is a problem that data used for decryption is collected and the encryption is broken more easily than a full key search. Also, even in a shared-key cryptosystem stream cipher, for example, in the BBS method described above, a cryptographic random number having sufficient security so as to be slow because it calculates a square of a large number and a remainder with a large number N of the value. There is a problem that the amount of calculation for generating a sequence is large and slow, and pseudo-random numbers that can be generated at high speed are not cryptographically secure.
Further, the known cipher random number sequence for stream ciphers has a short cycle and cannot be used for a long time.

  As methods for dealing with these problems, for example, there are Patent Documents 1 to 5. In Patent Document 1 and Patent Document 2, a plurality of encryption functions are prepared, and by selecting which encryption function to encrypt with key information or external data, encryption is performed with different encryption functions depending on plaintext. This prevents information leakage and obtains an authentication effect. Patent Documents 3 to 5 give how to create a cryptographic random number sequence with good properties. In particular, Patent Document 3 generates a cryptographic random number sequence by rewriting a plain text sequence with a finite state automaton, which is closely related to the present invention. Although it is a pseudo-random number generator based on a linear feedback shift register (LFSR), there is a problem that the processing speed when implemented in software is not sufficient. Further, as a conventional technique for a pseudorandom number generator based on LFSR, for example, it is disclosed in a document “B. Schneier,“ Applied Cryptography, ”John Wiley & Sons, Inc., 1996.pp. 369-428”. Yes.

Japanese Patent Publication No. 11-15940 Japanese Patent Publication No. 11-265146 Japanese Patent Publication No. 11-500849 Japanese Patent Publication No. 2003-37482 Japanese Patent Publication No. 2004-38020

However, in order to obtain a sufficient effect using the methods of Patent Document 1 and Patent Document 2 described above, it is necessary to prepare as many encryption functions as possible. To save a plurality of encryption functions, There is a problem that the amount of memory and the amount of calculation for creating a function are required.
Moreover, even if an encryption random number sequence is created using the methods of Patent Documents 3 to 5, a sufficiently long period cannot be obtained, which causes a problem in speed or security.
An object of the present invention is to improve safety without increasing the amount of calculation and solve these problems.

The present invention is an encryption system for encrypting a document with a pre-assigned shared key, the document storing means storing the document, and a predetermined number of bits as a word, and a predetermined number of words Function execution means for executing a plurality of types of functions in block units, pseudo-random number generation means for generating a pseudo-random number sequence from the shared key, and function selection means for selecting the function types of the function execution means with duplication allowed And a predetermined number of bits (word) storage means in which an initial value is set in advance , and the pseudo random number generation means generates the pseudo random number sequence from the shared key and then generates the generated pseudo random number. A column is cut out into words, the least significant bit is set to 1, and a bit string obtained as a result of repeatedly multiplying the cut-out word into the storage means using a word length power of 2 as a modulus. Or whole as the pseudo-random number sequence, the function selection means, for each of the blocks of a document from the document storage means, said sequentially select a function by the pseudo random sequence, wherein the function executing means has said selected The encryption system is characterized in that the document is converted and encrypted using a block of the pseudo-random number sequence as a parameter.
The present invention also provides a decryption system for decrypting an encrypted document with a pre-assigned shared key, wherein the encrypted document storage means for storing the encrypted document, and a predetermined number of bits as a word in advance. An inverse function executing means for executing a plurality of types of inverse functions corresponding to a plurality of types of functions used for encryption, and a pseudo random number generating means for generating a pseudo random number sequence from the shared key; and the inverse function selecting means for selecting forgive duplicate the type of inverse function of the inverse function executing means, to set in advance an initial value, and a storage means with predetermined number of bits (words), the pseudo-random number The generation unit generates a pseudo random number sequence from the shared key, then cuts the generated pseudo random number sequence into words, sets the least significant bit to 1, and cuts the pseudo random number sequence into the storage unit A part or whole of the bit string of repeated multiplication result of the over-de modulo multiplication word length of 2 and the pseudo-random number sequence, the inverse function selecting means, said block of ciphertext from the encrypted document storage means For each unit, an inverse function is selected from the pseudo random number sequence , and the inverse function executing means converts the encrypted document using the pseudo inverse sequence block as a parameter with the selected inverse function. A decoding system characterized by decoding.

In the encryption system, before Symbol pseudorandom number generating means may generate a pseudo-random number sequence using a linear next state function.
The function selection unit and the function execution unit may encrypt the document by repeating selection / conversion a predetermined number of times for each block .
The function execution means may include an interword function for a plurality of words, and the interword function may change the interval of the plurality of words each time a document is encrypted.

In the decoding system, before Symbol pseudorandom number generating means may generate a pseudo-random number sequence using a linear next state function.
Further, the inverse function selection means and the inverse function execution means may repeat the selection / conversion for a predetermined number of times for each block to decrypt the encrypted document .
The inverse function executing means may include an inverse function between words for a plurality of words, and the inverse function between words may change the interval of the plurality of words every time the encrypted document is decrypted.

  A program for causing a computer system to construct the functions of the encryption system and the decryption system described above is also the present invention.

In the pseudo random number generation system, the encryption system, and the decryption system according to the second to fifth embodiments of the present invention, a plurality of high-speed different types of transformations are generated instead of generating a single large decryption function that is difficult to decrypt from the key information. Encrypt them by preparing them and using them for conversion multiple times in a combination determined by the key information. Since each conversion is basic and fast, the combined conversion is also very fast. In addition, the combination of functions and the number of iterations can be changed, so future specification enhancement is easy. Since it is not known which function genus was applied in what order, it is highly secure. For this reason, unlike the conventional patent document 1 and patent document 2, it is possible to realize a system in which the types of functions used by the keys are different and difficult to decipher without applying a burden of preparing a plurality of large-scale encryption functions. It became so.
Further, as shown in the sixth embodiment, a system that is more difficult to decipher can be realized by adding the method of the first embodiment to the second to fifth embodiments.
As described above, according to the present invention, the security of encryption can be improved as compared with the conventional method.

It is a figure which shows the example of a system structure in the case of encrypting and decoding a document using the pseudorandom number generation system of Embodiment 1 of this embodiment. It is a figure which shows the system configuration example of the encryption system of Embodiment 2, 3, 5 of this embodiment, and a decoding system. It is a figure which shows the system structural example in the case of encrypting and decoding a document using the pseudorandom number generation system of Embodiment 4 of this embodiment. (A) It is a figure which shows the flow of a process of the conventional stream cipher. (B) It is a figure which shows the flow of a process of the conventional block cipher. It is a figure which shows the flow of a process of the pseudorandom number generation system of Embodiment 1. It is a figure which shows the flow of a process of the encryption system of Embodiment 2, 3, and the pseudorandom number generation system of Embodiment 4. It is a figure which shows the flow of a process of the encryption system of Embodiment 5.

Hereinafter, embodiments of the pseudo random number generation system, the encryption system, and the decryption system of the present invention will be described in detail with specific examples. Embodiments 1 and 4 are embodiments in which a pseudo-random number generation system is used for document encryption / decryption as an example. The second, third, and fifth embodiments are embodiments of the encryption system and the decryption system.
The terms used hereinafter are defined as follows.
Word: In this embodiment, 1 word = 32 bits.
Block: A unit block of how many words are encrypted. (For example, 1 block = 4 words)

(Embodiment 1) A product of a cryptographically insecure pseudorandom number sequence generated from a number sequence prepared in advance and a word written in a one-word memory are successively taken, and the result is stored in the one-word memory. A pseudo-random number generation system characterized in that a secure cryptographic random number sequence is generated from the higher-order bits. By using a shared key for the number sequence, the generated encrypted random number sequence can be used for document encryption / decryption by stream cipher.
(Embodiment 2) An encryption system characterized in that an encrypted document is generated by converting a document divided into blocks with a function selected by a pseudo-random number sequence (extended key) generated from a shared key for each block And a basic example (block cipher) of a decoding system.
(Embodiment 3) An encryption system and a decryption system for generating an encrypted document by converting a document divided into blocks with a function selected by a pseudo-random number sequence generated from a shared key for each block (Stream cipher).
(Embodiment 4) Generation of a pseudo-random number sequence, wherein a block of a pseudo-random number sequence generated from a number sequence prepared in advance is converted by a function selected by the pseudo-random number sequence to generate a secure cryptographic random number sequence system. By using a shared key for the number sequence, the generated encrypted random number sequence can be used for document encryption / decryption by stream cipher.
(Fifth Embodiment) A method of performing more efficient encryption by adding a “JUMP process” to be described later to an encryption system and a decryption system similar to those in the third embodiment is proposed. This JUMP process can also be used in the encryption system and decryption system of the second embodiment and the pseudo-random number sequence generation system of the fourth embodiment.
(Embodiment 6) The method of performing more complicated encryption by producing | generating the pseudorandom number sequence used in each embodiment of Embodiment 2-5 with the method of Embodiment 1 is proposed.
Hereinafter, each embodiment will be described in detail.

<1. Embodiment 1>
In the first embodiment, a product of a cryptographically insecure pseudorandom number sequence generated from a number sequence (shared key) prepared in advance and a word written in a one-word memory are successively taken, and the result is obtained as one word. This is a pseudorandom number generation system characterized in that it is stored in a memory and a secure cryptographic random number sequence is generated from the upper bits. By using the shared key in encrypted communication as a number sequence, the generated encrypted random number sequence can be used for document encryption / decryption by stream cipher.

(1-1. Overview and problems of conventional stream ciphers)
Assuming that a set of document blocks b is BL, a stream cipher is an encryption function E _i that is E ₁ , E ₂ ,... On the encryption side: BL → BL ′.
, And a decoding function D _i : BL ′ → BL on the decoding side consisting of D ₁ , D ₂ ,...
The column prepared in advance so as to be _{D i (E i (b)} ) = b in all blocks b The BL, column _b 1, _{b 2} messages = block, _{E 1} a ... by encrypting (B ₁ ), E ₂ (b ₂ ),..., And the decoding side performs decoding by applying D ₁ , D ₂ ,.
Typically, pseudo random number sequences r ₁ , r ₂ ,... Composed of BL elements are generated, and E _i (b): = b EXOR r _i
D _i (b): = b EXOR r _i
It is what. That is, the transmission side, the receiving side need only have a generator of the pseudo random number sequence r _i.

FIG. 4A shows the process flow of the conventional stream cipher described above. A memory 420 (state memory) is used to generate a pseudo random number sequence PN (pseudorandom numbers), and a next state function 462 is applied to the memory 420 (state memory), and is written in the memory 420. By repeating this, the contents of the memory 420 are converted one after another. The contents of the memory 420 are converted using the output function 464 and used as a pseudo random number sequence PN.
For the generated PN (corresponding to the sequence (r _i ) in the above example) and the plaintext message M (block sequence), the encryption function 470 (corresponding to E (r _i , b _i ) in the above example) Is calculated, and an encrypted text C (cryptography) is calculated.
As shown in the encryption function 470 in FIG. 4A, a small circle in the function indicates that an inverse function can be created, that is, it can be easily calculated by a computer. The meaning of this small circle is the same in the following figures. Here, there is a decryption function D (r _i , c _i ), and D (r _i , E (r _i , b)) = b. In the typical example of the stream cipher described above, both E and D are EXOR.
A stream cipher having E ₁ = E ₂ =..., And thus D ₁ = D ₂ =.

In the conventional stream cipher shown in FIG. 4A (for example, B. Schneier, “Applied Cryptography,” John Wiley & Sons, Inc., 1996.pp. 369-428), the next state function 462 is complicated ( For example, in the above-described prior art BBS (Blum-Blum-Shub), the memory holds an integer with a large number of digits, and its square is calculated by modulo M as a next state function) or the output function 464 is complicated (for example, , Hash function) or the encryption function 470 is complicated (for example, block cipher).
However, when the next state function is complicated, the generation speed of the pseudo random number sequence PN decreases. In addition, the PN period and distribution cannot be calculated.
If the next state function is linear, PN can be generated at high speed, and the period and distribution can be calculated. An example is Mersenne Twister (MT). (For Mersenne Twister, http://www.math.keio.ac.jp/~matsumoto/mt.html, M. Matsumoto and T. Nishimura, "Mersenne Twister: A 623-dimensionally equidistributed uniform pseudorandom number generator", (See ACM Trans. On Modeling and Computer Simulation Vol.8, No.1, January pp.3-30 (1998).) This pseudo-random number can be generated at high speed and has a long period. However, if the output function is simple, the internal state is inferred from the output sequence, so it cannot be said that it is cryptographically safe.

(1-2. Pseudorandom number generation system of this embodiment)
On the other hand, the pseudo-random number generation system (called cryptoMT) of the present embodiment converts a pseudo-random number sequence PN that may not be cryptographically secure into a secure pseudo-random number sequence SPN (secure pseudorandom number).
FIG. 5 is a diagram showing a processing flow of the pseudo-random number generation system of this embodiment. Before the PN shown in FIG. 5 (a pseudo-random number sequence that may be unsafe), the processing on the left side of the PN in FIG. 4A is performed. In the present embodiment, this configuration may be repeated many times. That is, the processing up to the SPN generation in FIG. 5 may be further connected to the position of the PN that is the input in FIG.
In the configuration of the present embodiment shown in FIG. 5, the following case is most effective in speed versus safety.
In the PN generation part (the left part of the PN in FIG. 4A connected to FIG. 5), the linear generation method with a high-speed and high-dimensional distribution (the next state function 462 in FIG. 4A is linear, for example, the above-described MT ) Is used.
The next state function 562 of the PN → SPN conversion portion is not linear but can be calculated at high speed (eg, multiplication as if it were a 32-bit integer).
The output function 564 of the SPN conversion part is a simple and high-speed one (eg, only the upper 8 bits are taken out from 32 bits and the rest are discarded).
The cryptoMT of this embodiment uses a method having these effects. However, since multiplication is used and an even product is modulo 2 ^{32} and is not reversible, it is necessary to force the least significant bit of the MT output to 1.

Hereinafter, with reference to FIG. 4A and FIG. 5, processing in the case of encrypting and decrypting a document (plain text) by stream cipher using the pseudorandom number generation system of the present embodiment will be described. Here, as described above, an example in which a Mersenne twister is used for the next state function 462 in FIG.
(1) Using a shared key (key 430 in FIG. 4A) as an initial seed array, data of 624 words is generated by a nonlinear initialization method (init_by_array), and Mersenne Twister (hereinafter referred to as MT) mt19937ar. c is initialized. This corresponds to the process of the key conversion 432 in FIG. 4A, and thereby initializes the state memory (memory 420) of the MT (next state function 462). Output function 464 simply outputs the first word of memory 420.
(2) The MT output word string after initialization is M (0), M (1), M (2),. This is a pseudo-random number sequence PN (a pseudo-random number sequence that may not be safe) shown in FIG. 4A and is sent to FIG. 5 (corresponding to the upper left PN in FIG. 5). As described above, M (n) is obtained by forcing the least significant bit of the MT output to 1.
(3) Prepare 1-word = 32-bit memory (variable) accum. This corresponds to the memory 520 in FIG.
(4) An initial value (for example, 1) is assigned to accum. Note that the initial value may be other values (however, other than zero).
(5) After that, substitution accum <-accum * M (n) (mod2 ^{32} )
Is repeated (next state function 562). Here, the first 64 times are idled, and the upper 8 bits of accum are output one after another from the 65th to the predetermined number of times (output function 564). As a result, a cryptographically secure 8-bit integer pseudorandom number sequence (SPN) can be output.
The number of repetitions of the above calculation is an example, and may be set to a necessary number depending on the system. Instead of the upper 8 bits of the above-mentioned accum, all or part of the accumulative bit string (for example, outputting every other bit) may be output one after another as a safe pseudorandom number string.
(6) The ciphertext C is output by performing an EXOR between the output safe SPN and the document (plaintext M) (corresponding to the encryption function 570).

Further, the processes (2) to (5) may be performed as follows. M (n) is a data in which the least significant bit of the n-th word data of pseudorandom numbers generated by Mersenne Twister is set to 1, and a number sequence using a hash function is created from the shared key data in a 32-bit memory accum. The initial value of. Here, the least significant bit of this sequence may be forced to be 1. Next, for n = 1, 2, 3,.
accum ← accum × M (n) (mod2 ^{32} )
, And the higher 8 bits of accum are output and output as cryptographically secure 8-bit integer pseudorandom numbers.

(1-3. Effect)
In this embodiment, Mersenne Twister (mt19937ar.c) is used as a pseudo-random number, so that it is possible to mathematically prove that the output encrypted random number sequence has a period of ^2199937-1 . This period is longer than any conventionally known cryptographic random number sequence, and can be used for a long period of time with confidence.
Further, by performing non-linear operation (multiplication) on accum and not using the least significant bit that remains linear, the cipher random number sequence has sufficient security.
In addition, the cryptographic random number generation method generated using this algorithm by converting a pseudo-random number that is cryptographically insecure but high-speed like Mersenne Twister using a relatively fast function of a 32-bit product is currently available in the United States. The standard encryption random number generation method of AES is 1.5 times more than the fastest optimized version of AES, which is very fast.
Further, due to the size of the internal space of the MT, it is highly resistant to time-memory-trade-off attacks.

(1-4. Configuration Example of Encryption System and Decryption System Using This Example)
Finally, a system configuration in the case of encrypting and decrypting a document (plain text) by stream cipher using the pseudo random number generation system of the present embodiment will be described with reference to the system configuration diagram of FIG.
The system of the present embodiment is mounted on a terminal such as a normal personal computer. As shown in FIG. 1, an encryption system 110 is installed in a terminal that encrypts and transmits a document, and a decryption system 150 is installed in a terminal that receives and decrypts a document. In addition, in both the encryption system 110 and the decryption system 150, a numerical sequence (shared key 122) and the pseudorandom number generation system 130 of this embodiment are prepared.
In the encryption system 110, the pseudo random number generation program 132 of the pseudo random number generation system 130 generates a secure pseudo random number sequence (safe pseudo random number sequence) 125 from the shared key 122 using the method of the present embodiment described above. . Next, as a typical example of the stream cipher, the encryption program 136 encrypts the document 124 by taking the EXOR of the secure pseudo-random number sequence 125 and the document 124 to generate the encrypted document 140.

  On the other hand, in the decryption system 150, the pseudo random number generation program 132 of the pseudo random number generation system 130 generates a secure pseudo random number sequence 125 from the shared key 122 using the method of the present embodiment described above. Next, the decryption program 166 decrypts the encrypted document 140 by taking the OROR of the secure pseudorandom number sequence 125 and the decrypted document 124 to obtain the original document 124. In the encryption system 110 and the decryption system 150, the same secure pseudorandom number sequence 125 is generated from the same shared key 122 using the same pseudorandom number generation program 132, and therefore corresponding encryption / decryption processing is performed. be able to.

<2. Second Embodiment>
Embodiment 2 is an encryption system and a decryption system that generate an encrypted document by converting a document divided into blocks by a function selected by a pseudo-random number sequence generated from a shared key for each block Is a basic example of a block cipher. A pseudo-random number sequence generated from the shared key is used for function selection and function parameters. Here, in Embodiment 3 to be described later, the longer the document, the more the pseudorandom number sequence is consumed. In Embodiment 2, however, only a certain length is consumed. For this reason, in this embodiment, a fixed-length pseudorandom number sequence generated from the shared key is called an “extended key”.

(2-1. Overview and problems of conventional block ciphers)
A conventional block cipher such as AES has the configuration shown in FIG. That is, the plaintext M block is taken into the memory 420, converted (EXOR indicated by 466) using the pseudo random number sequence PN, and written into the memory 420. This is repeated several times to obtain ciphertext C. Here, the lower right function 460 is a complex bijection. As described with reference to FIG. 4A, the small circle in the function indicates that an inverse function can be created, that is, it can be easily calculated by a computer.
However, as described above, the conventional block cipher creates a complex encryption function from the key information and converts the plaintext using this, so the function created in a high-speed encryption system is biased. There is a problem that it is easy to obtain information for decoding. For example, when trying to decrypt a cipher, an attack by encrypting a known plaintext, such as differential cryptanalysis or linear cryptanalysis, is often used. In other words, in a situation where an attacking person can encrypt an arbitrary document, data used for decryption is collected, and the encryption is broken more easily than an exhaustive key search.

(2-2. Process flow)
On the other hand, in this embodiment, the conventional problems are solved by adopting the following configuration.
FIG. 6 is a diagram showing a processing flow of the encryption system of the present embodiment. The processing of the encryption system according to the third embodiment described later is also as shown in FIG.
In the present embodiment (and the third embodiment), for the set BL of the block b,
F: PARAM × BL → BL
Simple function in the form of, and F 'which corresponds to the reverse operation: PARAM × BL → BL
Are prepared (F ′ (P, F (P, b)) = b), and as shown in FIG. 6, a pseudo-random number sequence PN (PN shown in the upper left of FIG. 6) is obtained. While being consumed as the parameter P, the contents of the memory 620 in which the block of the plaintext M is taken are repeatedly converted to obtain the ciphertext C. In the conversion, which function 660 (corresponding to F above) is used is selected by sending the PN to the selector 640.

By adopting the above configuration, in the present embodiment (and the third embodiment), the degree of freedom of the combination of functions increases exponentially, and a strong encryption can be realized.
In addition, since the parameter (where the function 660 in FIG. 6 does not have a white circle) is taken in from the pseudo-random number sequence PN, there is flexibility and a stronger encryption can be realized.
Furthermore, if the pseudo-random number sequence PN is generated by using the Mersenne Twister as described above as the shared key 430 shown in FIG. 4A, any number of PNs can be generated. Therefore, the number of times plaintext conversion is repeated by the function 660 can be increased, and the encryption strength can be increased.
In addition, in FIG. 6, when the plaintext is composed of a plurality of blocks, each block can be encrypted with a different combination of functions (that is, it can be used as a stream cipher).

(2-3. Preconditions)
In this embodiment, an encryption method using shared secret key information of 1 block = 4 words (may be 8 words or 16 words) and 128 bits or more will be described as an example.
As pre-processing, the shared key is expanded to a required size with a hash function to generate a pseudo random number sequence PN, that is, an extended key (corresponding to the upper left PN in FIG. 6). In this embodiment, the document is divided into block sizes (4 words) and converted for each block.

(2-4. Prepared functions)
For the block conversion, the following seven kinds of functions having completely different properties (corresponding to the function 660 in FIG. 6) that can convert block size data at high speed are used. Hereinafter, these function families are referred to as PEF (primary encryption family). In the present embodiment, four types of functions (intraword functions) for performing calculations within words and three types of functions (interword functions) for performing calculations across a plurality of words in a block are prepared. In decoding, an inverse function corresponding to an intraword function is referred to as an intraword inverse function, and an inverse function corresponding to an interword function is referred to as an interword inverse function.
Data for the t block of the extended key (pseudo random number sequence PN) is used for the t th operation (conversion). The last block of the extended key is used for selecting a function.

(A) Calculation within a word (4 types)
(1) EXOR: The data of the t-th block of the extended key is added to each word of the block by exclusive OR for each word.
(2) +: Data of the t-th block of the extended key is added to each word of the block with mod 2 ³² for each word.
(3) x: Mod 2 ³² multiplies each word of the block by changing the least significant bit of the corresponding word of the t-th block of the extended key to 1. For this conversion, all inverse functions of multiplication of expanded key words with the least significant bit changed to 1 are calculated and stored so that they can be looked up in a dictionary.
(4) Horizontal shift: For each word of the block, the lower 5 bits of each corresponding word of the t-th block of the extended key are used as numbers, and the bits corresponding to the size are shifted to the right. The part that protrudes to the right of the word is bit-reversed and written to the left.

(B) Calculations across words (3 types)
(5) Vertical rotation: An array of 4 words per block (when 1 block = 4 words. When 1 block = 8 words, 8 when 1 block = 16 words) And a matrix of 0, 1 of 4 rows and 32 columns (8 rows and 32 columns when 1 block = 8 words, 16 rows and 32 columns when 1 block = 16 words). One word is extracted from the t-th block of the extended key. The column corresponding to the bit of 1 in this one word is bit-inverted and further shifted downward by one row. Write the data on the bottom line at the top (rotate).
(6) Replacement: 2 bits from the t-th block of the extended key (if 1 block = 4 words. 3 bits if 1 block = 8 words, 4 bits if 1 block = 16 words) Extracted 4 times, and the k-th and ((k + 5) mod4) -th row of blocks arranged with respect to the value k as a number (when 1 block = 4 words. When 1 block = 8 words) If ((k + 5) mod 8) line, 1 block = 16 words, ((k + 5) mod 16) line) is replaced four times.
(7) Sum replacement: 2 bits from the t-th block of the extended key (when 1 block = 4 words, 3 bits when 1 block = 8 words, 4 bits when 1 block = 16 words) Are extracted four times, and each is expressed as a number. The k-th row of the block arranged for the value k ((k + 7) mod 4) row (when 1 block = 4 words. When 1 block = 8 words) In the case of ((k + 7) mod 8) line, 1 block = 16 words, ((k + 7) mod 16) line) is added four times by exclusive OR.

(2-5. Document encryption)
In the encryption of a document, the document is divided into block sizes, and the above function is selected and converted into each block depending on the extension key (pseudorandom number sequence PN) as follows. As described above, the t-th block data of the extended key is used as the parameter of the function (function 660 in FIG. 6) for the t-th calculation (conversion). The last block of the extended key is used for selecting a function. Referring to FIG. 6, the last block of PN is sent to the selector 640, and the function 660 is selected by the selector 640.
In the present embodiment, for each block of the document (in FIG. 6, the plaintext M block fetched in the memory 620), the above-described seven types of functions are changed to, for example, “horizontal shift, x, vertical rotation, (substitution or sum substitution). ) · (+ Or EXOR) ”is set as one set, and the block is converted by performing eight sets. However, at the places where the two types of functions are shown in parentheses, each one bit from the last block of the extended key is used 2 × 8 times one after the other. Shall be selected. In this case, since computation (conversion) is performed t = 40 times, the extended key is generated with a size of 41 blocks, and the last 41 blocks are used for function selection.
The above functions (1) to (7) are merely examples, and other operations that can be processed at high speed may be prepared. Moreover, the combination and order of the above functions are examples, and other combinations and orders may be used. Further, the number of repetitions may be other than the above eight sets. In addition, for example, it is possible to repeat all types of conversions in the first set and the last set, and select one of all types of functions using an extended key in the set between, for example, 5 times or more. May be used. The reason why one set is performed a plurality of times is that in the present embodiment, the same conversion is performed on all blocks, and thus it is necessary to improve safety.

(2-6. Document Decryption)
Decryption may be performed by performing reverse mapping of each conversion in the reverse order of encryption, and can be calculated in the same amount of time as encryption in this embodiment.

(2-7. Effect)
According to the encryption system and the decryption system of the present embodiment, since each conversion is fast, a large amount of documents can be encrypted at a high speed, and the types of functions applied and their order are not known. Decoding is more difficult than block ciphers.

(2-8. Configuration example of encryption system and decryption system using this embodiment)
Finally, an example of a system configuration when performing encrypted communication of a document using the encryption system and the decryption system of the present embodiment will be described with reference to FIG. It should be noted that Embodiments 3 and 5 described later can have the same system configuration.
It is assumed that the encryption system and the decryption system of this embodiment are mounted on a terminal such as a normal personal computer, for example. As shown in FIG. 2, an encryption system 110 is installed in a terminal that encrypts and transmits a document, and a decryption system 150 is installed in a terminal that receives and decrypts a document. Also, the encryption system 110 is provided with a shared key 122 and a plurality of functions 126 used for encryption, and the decryption system 150 is provided with a plurality of inverse functions 128 (each function 126 is used for each function 126). Corresponding functions are prepared for each operation.

As described above, the encryption system and the decryption system of the present embodiment use the shared key information (a pseudo-random number sequence generated from the shared key) as the encryption function selection and the selected function parameters. Is the main feature, and this realizes a high-speed and highly secure system. In the encryption system 110, first, the pseudo random number generation program 232 generates a pseudo random number sequence 225 (an extended key in this embodiment) from the shared key 122. Next, using the generated pseudorandom number sequence (extended key) 225, the function selection program 234 selects a function to be used for encrypting the document 124 from the function 126. Also, the encryption program 236 executes the function using the pseudo random number sequence (extended key) 225 as the parameter of the function selected by the function selection program 234 and encrypts the document 124. Thereby, the encrypted document 140 is generated.
On the other hand, in the decryption system 150, first, the pseudo random number generation program 232 generates the same pseudo random number sequence (extended key) 225 as the transmission terminal 110 from the shared key 122. Next, using the generated pseudo-random number sequence (extended key) 225, the inverse function selection program 264 selects an inverse function used for decryption of the encrypted document 140 received from the inverse function 128. Here, an inverse function corresponding to the function selected by the transmission terminal 110 is selected. The decryption program 266 executes the inverse function using the pseudo random number sequence (extended key) 225 as the parameter of the inverse function selected by the inverse function selection program 264, and decrypts the encrypted document 140. As a result, the original document 124 is obtained.

<3. Embodiment 3>
Embodiment 3 is an encryption system and decryption system that generate an encrypted document by converting a document divided into blocks with a function selected by a pseudo-random number sequence generated from a shared key for each block This is an example of a stream cipher. The shared key information (a pseudo-random number sequence generated from the shared key) is used for function selection and function parameters.
The system configuration example of the present embodiment is as described in the second embodiment with reference to FIG. The processing flow is as described in the second embodiment with reference to FIG. The difference between the present embodiment and the above-described second embodiment is that in the second embodiment (block cipher), once a plurality of functions are selected and parameters are determined, all blocks are converted with the same function and parameters. In this embodiment (stream cipher), a function and a parameter are determined and converted for each block of the document. That is, when there are two identical blocks, the two blocks are converted into the same ciphertext in the second embodiment, but in the third embodiment, the functions and parameters selected are different, so that different ciphertexts are obtained. Further, as described above, the second embodiment uses only a pseudo-random number sequence (extended key) having a certain length, but the third embodiment consumes pseudo-random numbers according to the length of the document. Become.

(3-1. Preprocessing)
Pseudorandom numbers are generated based on the shared key, and 32 types of multiplication values (32-bit unsigned integer constants, all odd numbers) are prepared. These multiplicative inverse values at mod 2 ³² are calculated and tabulated.

(3-2. Macro constants determined by the user)
(1) Define the number of words (Tuple) in one block.
#Define Log_Tuple 2
#Define Tuple (1UL << Log_Tuple)
In this embodiment, one block is Tuple words.
The value of Tuple is 2 and needs to be 4 or more and 16 or less.
A log with Tuple 2 as the base is designated as Log_Tuple.
The above is a description when 1 block = 4 words.
(2) Define the number of conversions (Iteration) by the encryption function of the document block.
#Define Iteration 10
The above is a description when the number of conversions is 10.

(3-3. Global variables)
The array for storing the document (plain text) to be encrypted is a double array msg [Msg_Length] [Tuple]
It is. The global variables used in this embodiment are as follows.
(1) Store a document (plain text) to be encrypted.
unsigned long msg [Msg_Length] [Tuple];
(2) The array msg is directly rewritten and encrypted.
hmncode (key [], init_value [])
(3) Decoding by directly rewriting the array msg.
hmndecode (key [], init_value [])

(3-4. Prepared functions)
As a function (PEF) (corresponding to the function 660 in FIG. 6) used for conversion of a block of Tuple words, in the present embodiment, five types of functions for performing calculation in a word and a plurality of words in a block in advance. A total of 8 types of functions, ie, 3 types of functions that perform calculations across the two, are prepared.
All of these functions
PEF: BL × PARAM → BL
It is a mapping. Here, BL is a set of document blocks, PARAM is a parameter given to the function, and PARAM is a set of data consisting of Tuple words as in BL, and is obtained from a pseudo-random number sequence PN.
Here, as an example of Tuple = 4, (w ₁ , w ₂ , w ₃ , w ₄ ) ← PEF (w ₁ , w ₂ , w ₃ , w ₄ ; p ₁ , p ₂ , p ₃ , p ₄ )
It will be described in the form of
Hereinafter, each of eight types of PEF functions and their inverse functions (_inv) will be described. Note that these functions (1) to (8) are merely examples, and other operations that can be processed at high speed may be prepared.

(A) Five types of calculations within a word (intraword function and corresponding inverse function within word)
(1) crypto_plus
crypto_plus
w _i ← w _i + p _i (i = 1, 2, 3, 4).
crypto_plus_inv
w _i <-w _i −p _i (i = 1, 2, 3, 4).

(2) crypto_exor
crypto_exor
_{w i ← w i EOR p i} (i = 1,2,3,4).
crypto_exor_inv
_{w i ← w i EOR p i} (i = 1,2,3,4).

(3) crypto_multi
Modern CPUs have multiplication instructions, but division is slow. Therefore, in the present embodiment, Multi_Size (= 32) random number constants for multiplication are prepared and stored in the global variable array multi_table as described in (3-1. Preprocessing) above.
As actual processing,
1) When prepare_multi () is called, a random number is stored in multi_table.
2) The lower bits are forcibly converted, and those with 3 in mod7 and those with 7 in mod16 are alternately placed in the multi_table. These generate a multiplicative group with mod2 ³² .
3) When prepare_multi_inv () is called, the multiplicative inverse of multi_table is stored in inv_table.
crypto_multi
[upper 5 bits of _{p i] w i ← w i} × mutli_table
w _i ← w _i −p _i
Is performed for i = 1, 2, 3, 4. That is, read out for multiplication constant corresponding to the upper 5 bits of the parameters _{p i} from mutli_table [], hang it in _{w i.} Since the low-order 27 bits of p _i is discarded waste, keep pulling the _{p i} from _{w i.}
crypto_multi_inv
w _i ← w _i + _pi
[upper 5 bits of _{p i] w i ← w i} × inv_table
Is performed for i = 1, 2, 3, 4.

(4) crypto_hori_rotate
crypto_hori_rotate
Rotate horizontally while inverting bits for each word. That s _i ← the upper 5 bits of _{p i,} where the fourth bit from the bottom is always 1 to set w _i ← (the bit inversion right _{32-s i} shift of the _{w i)} (left _{s i} shift of _{w i)} OR
w _i ← w _i −p _i
Is performed at i = 1, 2, 3, 4. The fourth bit is set to 1 in order to rotate even if the parameter is 0.
crypto_hori_rotate_inv
Inverse transformation described above

(5) crypto_hori_rightshift
crypto_hori_rightshift
Rotate horizontally while inverting bits for each word. That s _i ← _{p i} upper 5 bits, but (bit inversion right _{s i} shift of the _{w i)} 5-th bit set is always to 1 _{w i} ← w _i EOR from the bottom of the
w _i ← w _i + _pi
Is performed at i = 1, 2, 3, 4. The 5th bit is set to 1 in order to rotate even if the parameter is 0 and to facilitate reverse conversion.
crypto_hori_rightshift_inv
Inverse transformation above

(B) Calculations across words (word function and corresponding inverse function between words) (6) crypto_vert_rotate
crypto_vert_rotate
key ← p ₁ + p ₄
I think the key is a 32-bit random pattern.
Regarding w ₁ , w ₂ , w ₃ , and w ₄ , the bits that are 1 in the key are rotated while being inverted in the vertical direction. Since random numbers are wasteful, w _i ← w _i + p _i
Is performed for i = 1, 2, 3, 4.
crypto_vert_rotate_inv
Inverse transformation above

(7) crypto_add_permute
crypto_add_permute
For i = 1, 2, 3, 4
w _i ← w _i + w _j
Do the sum. Although where j is determined by using the lowest Low_Mask = 2 bits _{p i,} keep increment the j in mod Low_Mask when happens the same it to i.
w for the effective use of _{p 1 -p 4 i ← w i} EOR p i
I = 1, 2, 3, 4
crypto_add_permute_inv
Inverse transformation above

(8) crypto_exor_permute
crypto_exor_permute
For i = 1, 2, 3, 4
w _i ← w _i EXOR w _j
Do the sum. Although where j is determined by using the lowest Low_Mask = 2 bits _{p i,} keep increment the j in mod Low_Mask when happens the same it to i.
for the effective use of _{p 1 -p 4 w i ← w} i -p i
I = 1, 2, 3, 4
crypto_exor_permute_inv
Inverse transformation above

(3-5. Pseudorandom number sequence)
Here, the Mersenne Twister (mt19937ar.c) described above is used as a method for generating the pseudo-random number sequence PN (corresponding to the upper left PN in FIG. 6). mt19937ar. c has a function of receiving an arbitrary-length array as an initial value.
The pseudo-random number sequence was read 4 words at a time. Since the internal array length 624 can be divided by 4, a pseudo-random number sequence is generated again for the entire array every time it is read 624/4 times.
genrand_fourint32 (param)
Thus, a 32-bit long unsigned integer random number is read into param [0] to param [3].
When encrypting crypt_. . . (Unsigned long block [Tuple])
Then, all generate genland_fourint32 (param) to generate p ₁ , p ₂ , p ₃ , and p ₄ . On the other hand, crypt_. . . _Inv (block [], param [])
In, specify the _p 1 ~p ₄ at the param. This difference is due to the fact that a pseudo-random number sequence must be generated in the reverse direction when decoding. In the case of decoding, a pseudo-random number sequence is once recorded in the array temp_rand and used in the reverse direction.

(3-6. Document Encryption)
hmncode (key [], init_value [])
Is called, the document (in FIG. 6, the block of plaintext M captured in the memory 620) is encrypted. The key and init_value are arrays and are used together to initialize the Mersenne Twister.
(1) A multiplication constant is stored in multi_table.
(2) The pseudo random number sequence PN is stored in four of four words func_choice [0]-[3], and rewritten to new four words using the product and EOR. (Later, these 4 words are cut into 3 bits, and the above 5 + 3 types of PEFs are selected.)
(3) First, the following three are applied to plaintext.
crypto_multi (msg [i]);
crypto_vert_rotate (msg [i]);
crypto_hori_rightshift (msg [i]);
(4) After that, the PEF function is selected using Iterate times and func_choice (corresponding to the processing of the selector 640 in FIG. 6), and the conversion is repeated while giving the pseudo random number sequence PN generated by MT as a parameter.
(5) Finally, again, crypto_multi (msg [i]);
crypto_vert_rotate (msg [i]);
crypto_hori_rightshift (msg [i]);
Act.

(3-7. Decryption of Document)
hmndecode (key [], init_value [])
When is called, decryption is performed. The key and init_value are arrays and are used together to initialize the Mersenne Twister.
(1) A multiplication constant is stored in multi_table.
(2) The inverse element related to the multiplication is stored in inv_table.
(3) Pseudorandom numbers are stored in four of four words func_choice [0] to [3], and rewritten to new four words using the product and EOR. (Later, these 4 words are cut into 3 bits, and the above 5 + 3 types of PEFs are selected.)
(4) 3 + Iteration + 3 random number blocks to be used later are created and stored in the array temp_rand.
(5) Three reverse transformations are performed on the ciphertext.
crypto_hori_rightshift_inv (msg [i], temp_rand [-k]);
crypto_vert_rotate_inv (msg [i], temp_rand [-k]);
crypto_multi_inv (msg [i], temp_rand [-k]);
(6) After that, the PEF function is selected using Iterate times and func_choice, and the inverse transformation is repeated while giving the stored MT output.
(7) Finally, again, crypt_hori_rightshift_inv (msg [i], temp_rand [-k]);
crypto_vert_rotate_inv (msg [i], temp_rand [-k]);
crypto_multi_inv (msg [i], temp_rand [-k]);
Act.

<4. Embodiment 4>
The fourth embodiment is characterized in that a secure cryptographic random number sequence is generated by converting a block of a pseudo random number sequence generated from a number sequence (shared key) prepared in advance with a function selected by the pseudo random number sequence. This is a pseudo random number sequence generation system. Here, the numerical sequence is used as a function selection and a function parameter. By using the shared key in encrypted communication as a number sequence, the generated encrypted random number sequence can be used for document encryption / decryption by stream cipher.

(4-1. Generation of pseudo-random number sequence)
In general, a pseudo-random number sequence used for experiments and the like is generated at a high speed. However, when some words are seen, other words are known, so that it is not cryptographically secure. For this reason, conventionally, an encryption method with a large amount of calculation represented by the BBS method has been used to generate an encrypted random number sequence. This embodiment is a pseudorandom number generation system characterized by rewriting a high-speed pseudorandom number sequence into a cryptographic random number sequence with a small amount of calculation by using key information for function selection, which is a point of the present invention. And a safe stream cipher can be configured.
Here, the Mersenne Twister (mt19937ar.c) described in the first embodiment is used as a method for generating the pseudorandom number PN. This is because a pseudo-random number sequence having a long period and a high cycle can be generated. Other pseudo random number generation methods may be used.
As preprocessing, the initial value of a 624-word secret pseudorandom number sequence is obtained using a shared key in both encryption and decryption. If you want to receive a session key for each communication in addition to the shared secret key that you continue to use, replace the initial value created here with the session key, and use the initial pseudo-random number sequence used for that communication. The random number is used from the next value after the initial value.

The pseudo random number sequence PN is generated one after another as much as necessary, and a safe pseudo random number sequence is output as follows. The 12n word data of the pseudo random number sequence PN is rewritten as follows using the 12n + 1 word to 12n + 11 word data. Hereinafter, the mth word data of the pseudorandom number is represented by R (m).
x = R (12n), R (12n + 1) data is viewed 10 bits at a time, 2 bits from the top, and x is rewritten in the next operation using this value.
If the 2nd bit of the t-th time is (1) 00, x is rewritten to x + R (12n + t + 1) mod2 ³² .
(2) If 01, rewrite x to x EXOR R (12n + t + 1).
(3) If 10, rewrite x to x × R (12n + t + 1) ^* . However, p ^* is a number obtained by setting the least significant bit of p to 1.
(4) If 11, rewrite x to x shift R (12n + t + 1). It is assumed that s shift t is written to the left by shifting the bit of s by the size of the upper 5 bits of t to the right, bit-inverting the portion protruding to the right of the word.
After rewriting 10 times, x is output as the nth word of the cryptographic random number sequence.

The above functions (1) to (4) are merely examples, and other operations that can be processed at high speed may be prepared. In addition, safety can be improved by increasing the number of conversions according to the required strength and forcibly causing multiplication and shift. To obtain one word, m + 2 words (m is about 6 to 16) are used, the number of conversions is m times, the first and m-1 conversions are shifted, and the second and mth conversions are determined as multiplications. It is good to adjust as necessary.
Mersenne Twister has full guarantee of period and some guarantee of distribution. Since the period is very long, the period of the generated secure pseudorandom number sequence is too long to be used up, and can be used for a long time without changing the shared key.

(4-2. Configuration Example of Encryption System and Decryption System Using This Example)
Finally, a system configuration example in the case of encrypting and decrypting a document (plain text) by stream cipher using the pseudo random number generation system of this embodiment will be described with reference to the system configuration diagram of FIG.
The system of the present embodiment is mounted on a terminal such as a normal personal computer. As shown in FIG. 1, an encryption system 110 is installed in a terminal that encrypts and transmits a document, and a decryption system 150 is installed in a terminal that receives and decrypts a document. In addition, a number sequence (shared key 122), a function 126, and a pseudo-random number generation system 330 of this embodiment are prepared for both the encryption system 110 and the decryption system 150.
In the encryption system 110, first, a pseudo-random number sequence PN that may not be secure is generated from the shared key 122 by a conventional technique. Next, using the generated PN, the function selection program 334 selects a function used for PN encryption from the function 126. Further, the pseudo random number generation program 332 executes the function using the PN as a parameter of the function selected by the function selection program 334, and encrypts the PN. As a result, a safe pseudo-random number sequence 325 is generated and temporarily stored in the storage area. Next, as a typical example of the stream cipher, the encryption program 336 encrypts the document 124 by taking the EXOR of the pseudorandom number sequence 325 and the document 124 to generate the encrypted document 140.

On the other hand, the decryption system 150 also generates a pseudo-random number sequence PN that may not be secure from the shared key 122 by a conventional technique. Next, using the generated PN, the function selection program 334 selects a function used for PN encryption from the function 126. Further, the pseudo random number generation program 332 executes the function using the PN as a parameter of the function selected by the function selection program 334, and encrypts the PN. As a result, a safe pseudo-random number sequence 325 is generated and temporarily stored in the storage area. Next, the decryption program 366 decrypts the encrypted document 140 by taking the EXOR of the pseudorandom number sequence 325 and the encrypted document 140 to obtain the original document 124.
The encryption system 110 and the decryption system 150 generate the same secure pseudo-random number sequence 325 using the same shared key 122 and the function 126, so that the decryption process corresponding to the encryption can be performed.

<5. Embodiment 5>
The fifth embodiment proposes a technique for performing more efficient encryption by adding “JUMP processing” to be described later to the systems of the above-described second to fourth embodiments. Here, an example in which JUMP processing is added to the same encryption system and decryption system as in the third embodiment will be described. However, functions (PEF) and the like to be used are different from those in the third embodiment. explain.
FIG. 7 shows a processing flow of the encryption system of this embodiment.
First, a pseudorandom number sequence is generated from the shared key (number sequence) by the same method (for example, Mersenne Twister) as in Embodiments 2 to 4 described above, and this is used as the pseudorandom number sequence PN used in this embodiment (FIG. 7). At the top left).
Next, the pseudo random number sequence PN is sent to the selector 740 to determine which function 760 to select. The difference from Embodiments 2 to 4 shown in FIG. 6 is that a history memory 750 for recording the number of steps of block conversion is added. As a result, the value jump is calculated.
“jump” specifies to each function “how far away the information of each word is passed to”. When converting one block, jump is doubled twice in the first step conversion, the first step is the second step, the third step is 4, ..., t (number of words in one block) Return to 1 when it is above. This jump processing is performed when the history memory 750 issues an instruction to the selector 740.

In the present embodiment, even in the selection of a function, in the first step, among the nine types of functions (PF1 to PF9) used in the present embodiment, the in-word functions PF1 to PF4 (functions for performing calculations in the word) are selected. In the second step, one of the inter-word functions PF5 to PF8 (a function for performing calculation across a plurality of words in the block) is selected, PF9 is selected in the third step, and PF1 to PF1 in the fourth step. Select one of PF4, and so on, and so on, the range of function selection changes at each step. This processing is also performed when the history memory 750 gives an instruction to the selector 740. The nine types of functions (PF1 to PF9) used in the present embodiment will be described in detail later.
Also, the selected function 760 receives a parameter that is approximately as large as the block size. As a function parameter, a pseudorandom number sequence PN generated from a shared key (number sequence) is used as in the second to fourth embodiments.

The utility of the jump described above is as follows. If 1 block = t words and conversion between words is performed using the inter-word function, in order to pass information of a word to all other words quickly, the information is passed only to the next adjacent word. Is not the most efficient method because it requires t iterations for information in one word to reach all other words. It is better to calculate between two words, such as 2 words, for high-speed conversion. Every time conversion is performed, the next is adjacent to 1 word (interval 1), the next is adjacent to 2 words (interval 2), and the next is adjacent to 4 words. It is most efficient to double the word interval (interval 4), and so on.
Here, if the target two words are represented by ●, the above-mentioned word interval is
●● Relationship of interval 1 ● ○ ● Relationship of interval 2 ● ○○○ ● Relationship of interval 4.
In this way, since all natural numbers t are represented by binary numbers of log ₂ (t) digits, words of all distances of 0, 1,..., T−1 can be obtained by repeating log ₂ (t) times. Can pass information to. That is, the JUMP process is a process for allowing sufficient agitation with a small number of repetitions even when the calculation is performed between words (in this embodiment, between two words) with a small number of word-to-word functions.

(5-1. Preconditions and preprocessing)
(1) Let W be a set of 32-bit = 1-word unsigned integers.
Here, EXOR, AND, OR, addition, and multiplication (modulo 2 ^{32} ) for each bit can be performed as binary operations, and right shift, left shift, and bit inversion can be performed as unary operations. These are operations that are normally included in recent CPU instruction sets.
(2) A set BL of blocks b is
BL = W ^t
Define in. However, t is 4, 8, or 16.
(3) A set PARAM of parameters p is
PARAM = W ^t × {0, 1, 2,..., T / 2}
And a set JUMP of skip values j is defined as JUMP = {1, 2, 4, 8,..., T / 2}
Define in.
(4) Nine types (PF1,..., PF9) of the following functions (PEF) are prepared. This corresponds to the function 760 in FIG. Details of the nine types of PEF will be described later.
PF: JUMP × PARAM × BL → BL.
These JUMP, PARAM, and BL correspond to three input lines to the function 760 in FIG.
Here, the inverse function PF ′ of PF: JUMP × PARAM × BL → BL.
Is also configured for decoding. here,
PF ′ (j, P, PF (j, P, b)) = b
It is necessary to be able to calculate at high speed.
(5) In this embodiment, the key information (shared key) is sent to the Mersenne Twister (MT) process as in the other embodiments described above. A multiplicative constant table and an additive constant table are created using MT. The multiplicative constant table and the additive constant table will be described in detail later.
The preconditions and preprocessing other than those described above are the same as those described in (3-1. Preprocessing) to (3-3. Global variable) in the above-described third embodiment. Determine (logarithm of the number of words in the block).

(5-2. Document Encryption)
Next, the plaintext block is encrypted. Here, it is assumed that 1 block = 4 words and the number of conversions is 4. In the present embodiment, the document encryption is the same as that of the third embodiment except for the JUMP process.
Now, the given plaintext block is an array B of word-length variables t: = (b ₀ , b ₁ ,..., B _{t−1} ).
Is stored.
One round of this embodiment is as follows.
1) Start of round 2) Randomly select one from PF1 to PF4 and rewrite B using it 3) Randomly select one from PF5 to PF8 and rewrite B using it 4) Use PF9 5) End of the round 4 rounds are performed to obtain one block of encrypted blocks.

Specifically, one block encryption is performed as follows.
(0) jump ← 1
(1) Obtain 4-word pseudo-random numbers from MT (2) Generate 8 sets of 2-bit pseudo-random numbers from these 4 words, and c ₁ , c ₂ , c ₃ ,. . . , C ₈ (the generation method will be described later)
(3) Select one PF ^* from PF1, PF2, PF3, and PF4 according to c ₁ = 0, 1, 2, 3. (4) Obtain a 4-word pseudorandom number from MT, (5) Rewrite B using PF ^* (jump, P, B). Double jump and set it to 1 when t is greater than or equal to t (6) Select one PF ^* from PF5, PF6, PF7, and PF8 according to c ₂ = 0, 1, 2, 3 (7) MT (4) Rewrite B using PF ^* (jump, P, B). Double jump and set it to 1 when t is greater than or equal to (9) Acquire a 4-word pseudorandom number from MT and set it to P (10) Rewrite B using PF9 (jump, P, B). Double the jump and set it to 1 when t or more (3) to (10) are repeated four times. In the second time, c ₃ and c ₄ are used instead of c ₁ and c ₂ .
In the third _{c 5, c 6,} using respectively the _c 7, _{c 8} in the fourth. Note that jump is stored in the history memory 750 in FIG.

Next, a method for generating c _{1 to} c _{8 in} the above (2) will be described.
The four words obtained in the above (1) are converted into func_choice [0],. . . , Func_choice [3], the following conversion is performed.
func_choice [2] ^* = (func_choice [0] | 1);
func_choice [3] ^* = (func_choice [1] | 1);
func_choice [0] ^ = (func_choice [3] >>5);
func_choice [1] ^ = (func_choice [2] >>5);
Where ^* = is the instruction to multiply the left side by the right side and assign to the left side, ^ = is the instruction to take the right side and EXOR to the left side and assign to the left side, | is the bitwise OR, >> 5 is 5 bits right Represents a shift. In this way, the upper 2 bits of func_choice [0] are c ₀ , and the next 2 bits are c ₁ . When the number of rounds is greater than 16, for example, the upper bits of func_choice [1] are used.

(5-3. Document Decryption)
The document decryption in the present embodiment is the same as that in the third embodiment except for the JUMP process.
(1) An initial value of JUMP used for decoding is obtained.
This can be obtained from the above two constants used for encryption, Iteration (number of conversions) and Log_Tuple (logarithm of the number of words in the block) by the following equation.
JUMP = 1 <<< ((3 * Iteration-1)% Log_Tuple)
Here,% is an operation for obtaining a remainder, and 1 << means that 1 is doubled by the number of times to the right of <<.
(2) The change in JUMP is the reverse of encryption.
In other words, if 1 block = 4 words, the number is halved to 4, 2, 1 every time it is repeated, and the next to 1 returns to 4.
(3) If JUMP is determined in this way, an inverse function corresponding to the function used at the time of encryption can be selected, and this JUMP value and the same parameters as at the time of encryption can be given.

(5-4. Prepared functions)
As functions used in this embodiment, four types of PF1, PF2, PF3, and PF4 are mainly used as functions for converting each word in a block, and PF5 is used as a function for performing conversion for mixing information between words. Four types of PF6, PF7, and PF8, one type as a function, and a total of nine types of functions are prepared. Hereinafter, these nine types of functions will be described in order. Note that these functions of PF1 to PF9 are examples, and other operations that can be processed at high speed may be prepared.

(1) PF1 to PF4 (in-word function)
PF1 to PF4 are intra-word functions that convert each word in the block mainly within the word. In the decoding, an inverse function (inverse function in word) that performs the inverse process of the function is used.
The block is a t word b ₀ , b ₁ ,..., B _{t−1} , and the parameters are p ₀ , p ₁ ,. . . , P _{t−1} . First,
b _j ← b _j EXOR p _j
Is assigned. (J = 0, 1,..., T−1). Next, multiply by an odd constant:
b _j ← b _j × c _j (mod 2 ^{32} , hereinafter, mod is always attached but omitted) (j = 0, 1,..., t−1).
c _j is selected by the following method from an odd random number table m ₀ , m ₁ ,..., m _{31} generated in advance by MT. The least significant bit is set to 1 so that m ₀ ,..., m _{31} are all odd numbers. Also, c _j : = m _{kj} , where k _j is the most significant 5 bits of p _{{j + ell}} viewed as an integer from 0 to 31. Here, the values of “ell” are 1, 2, 2, and 3 for PF1, PF2, PF3, and PF4, respectively. The table was prepared because the inverse of c _j (modulo 2 ^{32} ) is used for decoding.
In the present embodiment, this multiplicative constant table m ₀ ,..., M _{31} is created by MT as preprocessing for encryption, and a multiplicative reciprocal table of modulo 2 ^{32} is created and stored. Further, a certain additive constant table add ₀ ,..., Add _{31} is also created and stored by the MT.

next,
b _{{(j + jump) mod t}} ← b _{{(j + jump) mod t}} □ add _{{[bj >> (32-5)]}}
Is assigned. j = 0, 1, 2,..., t−1 are calculated in this order. This is done by first looking at the upper 5 bits of b _j and performing a binary operation on the value of the corresponding add table (additive constant table) and the value of b _{{j + jump}} (the subscript is seen in modulo t). Take □ and store the result in b _{{j + jump}} . The binary operations □ are +, EOR, +, and EOR for PF1, PF2, PF3, and PF4, respectively.
Next, a pseudo random number s _j having a value of 16 to 23 is generated as follows.
s _j ← ((p _j >> (32-4)) | 0x10) & 0x17
Here, & is an AND operation for each bit.
s _j is used to perform one of the following two transformations on b _j .
b _j ← ((˜b _j ) << (32-s _j )) | (b _j >> s _j ).
b _j ← b _j EXOR ((˜sim b _j ) >> s _j ).
The top is rotate (however, the bit overflow from the left is bit-reversed). Below is a bit-inverted version shifted s _j to the right and added to b _j (called a shift). Rotate, rotate, shift, and shift are selected with PF1, PF2, PF3, and PF4, respectively.

(2) PF5 to PF8 (inter-word function)
PF5 to PF8 are interword functions that perform conversion mainly for mixing information between words (in this embodiment, between two words). For decoding, an inverse function (inverse function between words) that performs the reverse operation of the processing of each function is used.
1) PF5
First, j = 0
b _j ← b _j + (b _{j−jump} × p _j )
To do.
s _j ← ((p _j >> (32-4)) | 0x10) & 0x17
To generate a pseudo-random number that takes a value between 16 and 23,
b _j ← b _j EXOR ((˜sim b _j ) >> s _j ).
I do. This is repeated in this order as j = 0, 1, 2,.

2) PF6 to PF8
Let j = 0.
s ← (p _j >> (32-log ₂ (t)))
Thus, the upper log ₂ (t) bits of p _j are stored in s. When s = j, 1 is subtracted from s (calculated by modulo t). Thereby, s and j are different. here,
In PF6,
b _j ← (b _j EXOR (b _{j−jump} × b _s )) − p _j
b _j ← b _j EXOR (b _j >> 16)
Is assigned. Subscripts are considered as modulo t.
In PF7 and PF8,
b _j ← (b _j EXOR (b _{j−jump} × (b _s □ −p _j ));
b _j ← b _j EXOR (b _j >>c);
Is assigned. Here, □ is OR for each bit at PF7 and EXOR at PF8. C is 16 for PF7 and 17 for PF8.

(3) PF9
k = 2 (p ₀ + p _{t−1} ) +1 mod 2 ^{32}
Where jump_odd is the largest odd number less than or equal to jump. In block b ₀ , b ₁ ,..., B _{t−1} , the place where k is 1 in the bit pattern is cyclically replaced with jump_odd. That is, the following substitution is performed.
1) The bit b ₀ corresponding to the portion that is 1 in the k bit pattern is extracted and stored. This is equivalent to storing the result of the bitwise AND operation of b ₀ and k.
2) Next, replace the above bit in b _{0 with} the corresponding bit in b _{{-jump_odd}} . Here, the subscript of b is calculated as modulo t.
3) Next, _replace the corresponding bit in b _{{-jump_odd}} with the bit corresponding to b _{{-2 jump_odd}} . Thus, the corresponding bits in b _{{−j × jump_odd}}
b The operation of replacing with the corresponding bit in _{{− (j + 1) × jump_odd}} is performed for j = 0, 1 _,.
4) Finally, the corresponding bit in b _{{− (t + 1) × jump_odd}} is replaced with the corresponding bit in b ₀ that has been saved.
For decoding, an inverse function that performs the reverse operation of the above process is used.

<6. Embodiment 6>
In the sixth embodiment, in each of the second to fifth embodiments, a cryptographically secure pseudo-random number sequence SPN generated by the method of the above-described cryptoMT (embodiment 1) from a number sequence (shared key) prepared in advance is used. This is a method of using a pseudo-random number sequence PN used in these embodiments. In this method, encryption that is more difficult to decipher can be performed because a cryptographically secure pseudo-random number sequence is used for selection of a function used for encryption and a parameter of the function.

Claims (10)

An encryption system for encrypting a document with a pre-assigned shared key,
Document storage means for storing the document;
Function execution means for executing a plurality of types of functions in units of blocks of a predetermined number of words, with a predetermined number of bits as a word,
Pseudo-random number generation means for generating a pseudo-random number sequence from the shared key;
Function selection means for selecting a function type of the function execution means by allowing duplication ; and
A storage means for storing a predetermined number of bits (words) with an initial value set in advance ,
The pseudo-random number generation means generates a pseudo-random number sequence from the shared key, then cuts the generated pseudo-random number sequence into words, sets the least significant bit to 1, and stores the cut-out word in the storage means with a word length of 2 A part or the whole of a bit string resulting from repeated multiplication using a power as a modulus is the pseudo random number sequence,
The function selection means sequentially selects a function by the pseudo random number sequence for each block unit of the document from the document storage means,
The function execution means converts and encrypts the document using the block of the pseudo-random number sequence as a parameter with the selected function. The encryption system according to claim 1,
The pseudorandom number generating means generates a pseudorandom number sequence using a linear order state function. The encryption system according to claim 1 or 2 ,
The function selection means and the function execution means encrypt the document by repeating selection / conversion a predetermined number of times for each block. The encryption system according to any one of claims 1 to 3 ,
The function execution means includes an inter-word function for a plurality of words, and the inter-word function changes an interval of the plurality of words every time a document is encrypted. A decryption system for decrypting an encrypted document with a shared key given in advance,
Encrypted document storage means for storing the encrypted document;
Inverse function execution means for executing a plurality of types of inverse functions corresponding to a plurality of types of functions used for encryption in units of blocks of a predetermined number of words, with a predetermined number of bits as a word,
Pseudo-random number generation means for generating a pseudo-random number sequence from the shared key;
Inverse function selection means for selecting the type of inverse function of the inverse function execution means while allowing duplication ;
A storage means for storing a predetermined number of bits (words) with an initial value set in advance ,
The pseudo-random number generation means generates a pseudo-random number sequence from the shared key, then cuts the generated pseudo-random number sequence into words, sets the least significant bit to 1, and stores the cut-out word in the storage means with a word length of 2 A part or the whole of a bit string resulting from repeated multiplication using a power as a modulus is the pseudo random number sequence,
The inverse function selection means selects an inverse function from the pseudo-random number sequence for each block unit of the encrypted document from the encrypted document storage means,
The decryption system characterized in that the inverse function executing means transforms and decrypts the encrypted document with the selected inverse function using the block of the pseudo random number sequence as a parameter. The decoding system according to claim 5 , wherein
The pseudorandom number generation means generates a pseudorandom number sequence using a linear order state function. The decoding system according to claim 5 or 6 , comprising:
The decryption system, wherein the inverse function selection unit and the inverse function execution unit decrypt the encrypted document by repeating selection / conversion a predetermined number of times for each block. The decoding system according to any one of claims 5 to 7 ,
The decryption system characterized in that the inverse function execution means includes an inverse function between words for a plurality of words, and the inverse function between words changes an interval of the plurality of words every time the encrypted document is decrypted. The program which makes a computer system build the function of the encryption system in any one of Claims 1-4 . The program which makes a computer system construct | assemble the function of the decoding system in any one of Claims 5-8 .

Images