JP5578422B2 - ENCRYPTED COMMUNICATION SYSTEM, TRANSMISSION DEVICE, RECEPTION DEVICE, ENCRYPTION / DECRYPTION METHOD, AND PROGRAM THEREOF - Google Patents

Description

  The present invention relates to an encryption communication system, a transmission device, a reception device, an encryption / decryption method, and a program thereof, and in particular, encryption capable of being implemented with a small amount of hardware while maintaining sufficient strength with a block cipher. The present invention relates to a communication system and the like.

  As networks such as computers and mobile phone terminals become widespread, leakage of confidential information from individuals and companies is becoming a social problem. For this reason, in order to protect such confidential information, it is increasingly important to conceal the data by encryption during communication and storage of the data.

  There are roughly two types of encryption methods. They are a symmetric key (common key) encryption method in which the encryption key and the decryption key are the same, and an asymmetric key (public key) encryption method using a pair of mutually different encryption keys and decryption keys. Common key cryptography has the advantage of better encryption / decryption processing performance than public key cryptography, and is therefore used in various environments.

  Common key ciphers are further classified into two types of schemes, block ciphers and stream ciphers. Here, block cipher will be described. In block cipher encryption, data P is divided into block length n bits determined by the cipher specifications, and this is agitated with the secret key K by the encryption function E as shown in Equation 1, n Bit ciphertext C is generated.

  The block cipher uses an encryption function E having a structure in which the round function F is repeated a plurality of times as shown in Equation 2. Here, K_1 to K_r are extended keys (also called subkeys and round keys), and are generated by a key schedule using the secret key K as a seed. The unit of repeating block cipher is called round. That is, the encryption function E shown in Equation 2 has a structure in which the function F is repeated r rounds. In this specification, “A with a superscript B (for example, A raised to the power of B)” is indicated as “A ^ B”, and “A with a subscript B is added to a line other than a mathematical expression. "A_B".

  The secret key K of the common key cipher is not limited to the block cipher, and will always be reached if all the attempts are made by the brute force attack (or brute force attack). Therefore, by making the secret key K sufficiently long, all trials in a realistic time are made difficult.

  However, for block ciphers, an attack technique called a shortcut method that reduces the amount of calculation required to try all secret keys has been studied. The fact that the shortcut method can be applied to the designed full-round configuration of the cipher means that the secret key K can be reached with a smaller amount of calculation. Since the shortcut method uses characteristics resulting from the structure of the encryption algorithm, it is necessary to evaluate that the shortcut algorithm has resistance to the shortcut method when designing the encryption algorithm.

  One specific method of the shortcut method is to observe propagation of data differences. The difference is a difference between two data, and in most cases, a difference by exclusive OR is used. More specifically, for example, the difference value ΔP between P_1 = 0x23 (0x means a hexadecimal number) and P_2 = 0xF5 is 0xD6 as expressed by the following Equation 3. In the present specification, in a line other than the mathematical expression, an exclusive logical sum symbol “superimpose a + character on a circle” is expressed as “(+)”.

  One of the shortcut methods using such a difference is an impossible differential attack. When the input difference ΔP is input to the encryption function E, the output difference of the round function F of the i-th round (i <r) does not become Δx with probability 1 (that is, the probability that Δx occurs from ΔP is If it is zero), it is said to be an impossible difference. Impossible differential attack is an attack technique using such characteristics, and its procedure is briefly described as follows.

(1). First, ciphertexts obtained when two data P_1 and P_2 are encrypted are C_1 and C_2, respectively. Here, the difference between P_1 and P_2 is ΔP. That is, P_2 = P_1 (+) ΔP.
(2). Assuming K_ (i + 1) to K_r, this is applied to Equation 2 to calculate the output data x_1 and x_2 of the i-th round. Here, the size that can be assumed as K_ (i + 1) to K_r is smaller than the size of the secret key K.
(3). If the difference between x_1 and x_2 is Δx, the assumption of the extended key is wrong, and the candidate is rejected.
(4). This series of operations is repeated until key candidates are narrowed down. If the key candidates are narrowed down to one, it is the correct key.

  The number of rounds that can be deciphered by the impossible differential attack is the total number of rounds in which there is an impossible difference (referred to as the number of impossible differential characteristic rounds) and the number of rounds that perform key assumptions. In block ciphers employing a Feistel structure, it is known that there are five rounds of impossibility differences if the round function F (hereinafter referred to as F function) is bijective. However, depending on the structure of the F function, the number of impossible differential characteristic rounds may extend to 6 rounds or more.

  An example of a typical block cipher employing the Faithel structure is Camellia (registered trademark) jointly developed by Nippon Telegraph and Telephone Corporation and Mitsubishi Electric Corporation. FIG. 13 is an explanatory diagram showing the structure of the Camellia round function (F function). Camellia's F function is composed of two parts, an S function and a P function. The F function having such a configuration is called an SP type F function.

  The S function is a non-linear transformation process composed of four types of S boxes (S-Box) 911 to 914 S1 to S4, and the P function is output data of the S boxes 911 to 914 by exclusive OR 921 to 936. This is a linear conversion process for the purpose of diffusing z1 to z8.

  The conversion process of the P function can be expressed by the following equation (4), and can be expressed by a mapping using the matrix of equation (5). Further, the inverse function P ^ -1 of the P function can be expressed by the equation (6), and can be expressed by a mapping using the matrix of the equation (6).

  As shown in Equation 5, a binary matrix composed of only 0 and 1 can be calculated only by exclusive OR (XOR) as shown in Equation 4. For this reason, Camellia has the advantage that it is very easy to mount (resource saving, high-speed processing).

  However, Non-Patent Document 1 reports that there are 8 rounds of impossibility difference in Camellia. The details of the Camellia 8-round impossibility difference will be described below. FIG. 14 is an explanatory diagram showing one round of camelia encryption processing shown in FIG.

  The KS function 941 corresponds to the exclusive OR of 901 to 908 and S boxes 911 to 914 shown in FIG. The P function 942 corresponds to the P function (exclusive ORs 921 to 936) in FIG. Input differences in the i-th round (i is an integer of 1 or more) are denoted as ΔL_ (i−1) and ΔR_ (i−1). Further, the difference value is treated as a rounding difference in units of 8 bits (1 byte), expressed as (xxxxxxxx), and numbered as byte 1, byte 2,. That is, one x represents an 8-bit difference value. When the difference value is 0, it is expressed as 0, and when it is non-zero, it is expressed in an arbitrary alphabet.

  Also, the output difference of the i-th round KS function is Δyi, and the output difference of the P function is PΔyi. Since the KS function performs processing independently for each byte, if the difference value is non-zero, it changes to any non-zero difference value, but does not propagate to other bytes. On the other hand, the P function spreads to other bytes in order to perform operations as shown in Equations 5-6.

  FIG. 15 is an explanatory diagram showing that the output difference (s000000000000) after 8 rounds cannot be obtained from the input difference (00000000a0000000) in the encryption processing shown in FIG. 14, that is, an impossible difference.

  Since the input difference on the right side (a0000000) is the input difference of the second round as it is, Δy2 = (b0000000) and PΔy2 = (bbb0b00b). Since PΔy2 is the input difference of the third round as it is, Δy3 is (cde0f00g). Further, considering the output difference after 8 rounds as ΔL_8 = (s0000000) and ΔR_8 = (00000000), the rounds are considered.

  Here, pay attention to Δy5. Δy5 is expressed as shown in the following equations 7 and 8 by using the output difference PΔy5 of the F function of the fifth round. here? Indicates a difference value for which it is not determined whether it is zero or non-zero.

  From Equations 7 and 8, the following Equations 9 and 10 are derived. Further, v = 0 is obtained by substituting equation 10 into equation 9, but v ≠ 0 in FIG. From the above, it can be seen that ΔL_0 = (00000000) and ΔR_0 = (a0000000) to ΔL_8 = (s0000000) and ΔR_8 = (00000000) do not occur. That is, it is an impossible difference.

  As technical documents related to the block cipher described above, there are the following patent documents. Among them, Patent Document 1 includes a key generation unit that generates a plurality of extended keys based on given key data, and an encryption unit and a decryption unit that apply these extended keys in a predetermined order. A secret communication device is described. Patent Document 2 describes an encryption processing apparatus that applies a plurality of different MDS matrices in linear transformation processing.

  Patent Document 3 describes a cryptographic processing device in which the order of applying a plurality of types of linear transformation matrices is devised in Faithel block cryptography. Patent Document 4 describes an encryption processing apparatus having a diffusion matrix switching mechanism. Patent Document 5 describes an encryption processing apparatus that reduces the cost of a circuit that executes a round function using first and second intermediate keys.

JP 2001-134174 A JP 2006-072054 A JP 2007-199156 A JP 2008-051829 A JP 2009-003312 A

Wenling Wu, Wentao Zhang, and Dengguo Feng, "Impossible Differential Cryptanalysis of ARIA and Camellia," Journal of Computer Science and Technology 22 (3), pp. 449-456, 2007.

  As mentioned above, Faithel block ciphers with arbitrary bijective round functions always have 5 rounds of impossibility difference, but Camellia has 8 rounds of impossibility difference longer than that. Yes. This is because both elements of the matrix P and the matrix P ^ -1 have 0, and each piece of data divided in byte units does not act on all bytes of the output. In the case of a binary matrix, if bijectivity is guaranteed, element 0 exists in the matrix P and the matrix P ^ -1, which may cause the above-described impossible difference.

  The long characteristic used for the analysis means that the number of rounds must be increased in order to have resistance to the analysis. Increasing the number of rounds decreases processing performance, which is not desirable in terms of mountability. In particular, this is a major obstacle in using this encryption method with hardware such as a mobile phone terminal and an IC card that have only a small amount of computing power and storage capacity.

  There is an MDS (Maximum Distance Separable) matrix as a matrix having zero elements. The MDS matrix is adopted in some block ciphers because it has good cryptographic properties. However, since the MDS matrix has two or more elements, multiplication on a finite field has to be performed, so that the calculation cost is higher than that of the binary matrix. For this reason, an increase in calculation cost is disadvantageous for a large MDS matrix.

  None of Patent Documents 1 to 5 is intended to shorten the impossible differential characteristic, and does not describe a configuration that can shorten the impossible differential characteristic. Therefore, this problem cannot be solved by a combination of these techniques.

  An object of the present invention is to provide an encrypted communication system, a transmission apparatus, a reception apparatus, an encryption / decryption method, and an encryption / decryption system capable of shortening the impossibility difference characteristic and using a small amount of hardware while maintaining sufficient strength. To provide a program.

  In order to achieve the above object, an encrypted communication system according to the present invention includes a transmitting device for transmitting input data after being encrypted by an encryption unit using a block encryption method, and a decrypting unit for a signal received from the transmitting device. The encryption communication system includes a receiving device that decrypts the key data generated by the key schedule in advance in one of the two sub-block data generated by dividing the input data. A first adder that operates with exclusive OR, an S box layer that performs non-linear conversion on the output from the first adder, a linear conversion layer that performs linear conversion processing on the output from the S box layer, and linear The round including the second adder that operates the remaining one of the sub-block data on the output from the conversion layer by exclusive OR is defined as one round. Key data that has a plurality of rounds specified in advance according to the encryption method to be used, and that is generated in advance by the decryption means by one of the two sub-block data generated by dividing the input data by the key schedule Of the third adder that operates with exclusive OR in the reverse order to the encryption means, an S box layer that performs nonlinear transformation on the output from the third adder, and a linear output on the output from the S box layer A round including a linear conversion layer that performs conversion processing and a fourth adder that operates the remaining one of the sub-block data on the output from the linear conversion layer by exclusive OR is used as one round. The number of rounds specified in advance according to the encryption method to be used, and the linear conversion layer of the encryption means and the decryption means has a plurality of input data that is 2n m-bit data. a function of outputting output data that is 2n m-bit data obtained by multiplying a matrix M of 2n rows and 2n columns obtained by combining square sub-matrices of n rows and n columns (m and n are 2 or more) Natural squares), at least one of the square sub-matrices is a basic matrix that does not include 0 in the elements and does not have the same value in the elements in the same column, and the rest of the square sub-matrices are the basic matrix in the basic matrix. It is characterized by being obtained by exclusive ORing the ones that are cyclically shifted.

  In order to achieve the above object, a transmitting apparatus according to the present invention is a transmitting apparatus for transmitting input data after encrypting the input data by a block cipher encryption means, and the encryption means divides the input data. A first adder for operating the key data generated beforehand by the key schedule on one of the two sub-block data generated by the exclusive OR, and performing nonlinear conversion on the output from the first adder An S box layer, a linear transformation layer that performs linear transformation processing on the output from the S box layer, and a second adder that operates the remaining one of the sub-block data on the output from the linear transformation layer by exclusive OR 1 round, and a number of rounds specified in advance according to the encryption method using this round, and the linear conversion layer has 2n m-bit data. A function of outputting output data that is 2n m-bit data obtained by multiplying a matrix M of 2n rows and 2n columns obtained by combining a plurality of square matrices of n rows and n columns with the input data of Having (m and n are natural numbers greater than or equal to 2), at least one of the square sub-matrices is a basic matrix that does not include 0 in the elements and does not have the same value in the elements in the same column, The remainder is obtained by exclusive ORing a basic matrix obtained by cyclically shifting the basic matrix.

  In order to achieve the above object, a receiving apparatus according to the present invention is a receiving apparatus that outputs data obtained by decrypting a received signal by means of a block cipher decryption means, and the decryption means divides input data. A first adder for operating the key data generated in advance by the key schedule in an order opposite to the time when the data is encrypted in one of the two sub-block data generated by the exclusive OR, An S box layer that performs nonlinear transformation on the output from the adder, a linear transformation layer that performs linear transformation processing on the output from the S box layer, and the remaining one of the sub-block data in the output from the linear transformation layer A round including the second adder operated by exclusive OR is defined as one round, and a plurality of rounds specified in advance according to the encryption method using this round are included. The shape conversion layer multiplies 2n m 2 bits of matrix data M obtained by combining a plurality of n rows and n columns of square small matrices with 2n m bit data of input data. It has a function of outputting output data that is bit data (m and n are natural numbers of 2 or more), and at least one of the square sub-matrices does not contain 0 in the elements, and the same value is given to the elements in the same column It is a basic matrix that does not have, and the remainder of the square small matrix is obtained by exclusive ORing the basic matrix obtained by cyclically shifting the basic matrix.

In order to achieve the above object, an encryption method according to the present invention includes a transmission device that encrypts input data by an encryption unit of a block encryption method and then sends the data, and a signal received from the transmission device by a decryption unit. An encryption communication system including a receiving device for decryption,
One of the two sub-block data generated by dividing the input data is subjected to exclusive OR operation by the first adder provided in the encryption means with the key data generated in advance by the key schedule. The S box layer included in the encryption unit performs nonlinear conversion processing on the output from the exclusive OR, and the linear conversion layer included in the encryption unit performs linear conversion processing on the output from the nonlinear conversion processing. The second adder provided in the encryption means operates the remaining one of the sub-block data on the output from the linear transformation process by exclusive OR, and the round including each processing content is performed. As one round, this round is executed by a plurality of rounds specified in advance according to the encryption method used by the encryption means, and the linear conversion process is performed with an input data that is 2n m-bit data. Output data which is 2n m-bit data obtained by multiplying a matrix M of 2n rows and 2n columns obtained by combining a plurality of square submatrices of n rows and n columns with respect to the data (m and n are 2 or more natural numbers), at least one of the square sub-matrices is a basic matrix that does not contain 0 in the elements and does not have the same value in the elements in the same column, and the rest of the square sub-matrix is the basic matrix It is obtained by exclusive ORing a matrix obtained by cyclically shifting a matrix.

In order to achieve the above object, a decryption method according to the present invention includes a transmitting device that encrypts input data by an encryption unit of a block cipher system and sends the data, and a signal received from the transmitting device by a decrypting unit. in the encrypted communication system including a receiving apparatus for decoding, on one of the two block data generated by dividing the input data, the key schedule in the reverse order as when encrypted data The first adder provided in the decryption means operates the key data generated in advance by exclusive OR, and the S box layer provided in the decryption means is nonlinear in the output from the exclusive OR. performs conversion processing on the output from the nonlinear conversion process, a linear conversion layer is decoding means comprises performs a linear transformation process, the remaining ones of the sub-block data output from the linear conversion process Write a, the second adder exerts exclusive or the decoding means includes, a round containing these respective processing contents as one round, the encryption method that uses this round encryption means 2n rows 2n obtained by executing a plurality of rounds specified in advance, and linear transformation processing combining a plurality of n × n square sub-matrices with respect to input data that is 2n m-bit data. Output data that is 2n m-bit data obtained by multiplying the matrix M of columns (m and n are natural numbers of 2 or more), and at least one of the square sub-matrices does not include 0 as an element, In addition, it is a basic matrix that does not have the same value for the elements in the same column, and the rest of the square small matrix is obtained by exclusive ORing the basic matrix obtained by cyclically shifting the basic matrix. Features.

In order to achieve the above object, an encryption program according to the present invention includes a transmission device that encrypts input data by an encryption unit using a block encryption method, and a signal received from the transmission device by a decryption unit. An encryption program for causing a computer included in the encryption means to function as the transmission device according to claim 4 , wherein the encryption communication system includes a receiving device for decrypting .

In order to achieve the above object, a decryption program according to the present invention is an encryption communication system including an apparatus and a reception apparatus that decrypts a signal received from a transmission apparatus using a decryption means. A decoding program for causing a computer provided to function as the receiving device according to claim 5.

  As described above, the present invention uses a combination of a square submatrix and a matrix obtained by exclusive ORing a square submatrix obtained by cyclically shifting the square submatrix. With this configuration, it is possible to eliminate eight rounds of impossibility difference existing in Camellia. Thus, there are provided an encrypted communication system, a transmission device, a reception device, an encryption / decryption method, and a program thereof capable of shortening the impossible differential characteristic and using a small amount of hardware while maintaining sufficient strength. be able to.

It is explanatory drawing shown about the structure of the encryption communication system which concerns on the 1st Embodiment of this invention. It is explanatory drawing shown about a more detailed structure of the encryption means and decryption means shown in FIG. 3 is a flowchart showing a process of encrypting input data performed by an encryption unit (decryption unit) shown in FIG. 2. It is explanatory drawing shown about the matrix M showing the process of the linear transformation layer shown in FIG. It is explanatory drawing shown about the structure of the matrix M shown in FIG. 6 is an explanatory diagram showing an example in which the matrix Mb shown in FIG. It is explanatory drawing shown about the structure of the encryption communication system which concerns on the 2nd Embodiment of this invention. It is explanatory drawing shown about a more detailed structure of the encryption means and decryption means shown in FIG. It is explanatory drawing shown about the structure of the matrix M showing the process of the linear transformation layer shown in FIG. It is explanatory drawing shown about the structure of the encryption communication system which concerns on the 3rd Embodiment of this invention. It is explanatory drawing shown about a more detailed structure of the encryption means and decryption means shown in FIG. It is explanatory drawing shown about the structure of the matrix M showing the process of the linear transformation layer shown in FIG. It is explanatory drawing which shows the structure of a Camellia round function (F function). It is explanatory drawing shown about the encryption process 1 round of the camelia shown in FIG. It is explanatory drawing which shows that the encryption process shown in FIG. 14 is an impossible difference.

(First embodiment)
Hereinafter, the structure of the 1st Embodiment of this invention is demonstrated based on attached FIGS. 1-2.
First, the basic content of the present embodiment will be described, and then more specific content will be described.
The encryption communication system 1 according to the present embodiment includes a transmission device 10 that transmits input data after being encrypted by a block encryption method encryption unit 12, and a decryption unit 23 that decrypts a signal received from the transmission device. It is the encryption communication system containing the receiver 20 which makes it. The encryption means 12 includes a first adder 101a that operates, by exclusive OR, key data generated in advance by a key schedule on one of two sub-block data generated by dividing input data. An S box layer 101b that performs nonlinear conversion on the output from the adder 1; a linear conversion layer 101c that performs linear conversion processing on the output from the S box layer; and the subblock data remaining in the output from the linear conversion layer One round including the second adder 102 that operates one of them with exclusive OR is defined as one round, and has a plurality of round numbers specified in advance according to the encryption method using this round. The decryption means 23 operates the key data previously generated by the key schedule on one of the two sub-block data generated by dividing the input data by exclusive OR in the reverse order to the encryption means. A third adder 201a, an S box layer 201b that performs nonlinear transformation on the output from the third adder, a linear transformation layer 201c that performs linear transformation processing on the output from the S box layer, and a linear transformation layer A round including the fourth adder 202 that operates the remaining one of the sub-block data on the output by exclusive OR is defined as one round, and a plurality of rounds specified in advance according to the encryption method using this round Have a number. The linear transformation layer 101c (201c) of the encryption means and the decryption means obtains 2n rows and 2n columns obtained by combining a plurality of n rows and n columns of square small matrices with respect to input data that is 2n m-bit data. Output data that is 2n m-bit data obtained by multiplying the matrix M, and at least one of the square sub-matrices does not contain 0 and has the same value for the elements in the same column There is no basic matrix, and the remainder of the square small matrix is obtained by exclusive ORing the basic matrix obtained by cyclically shifting the basic matrix.

  Here, the matrix M by which the linear conversion layer multiplies the input data is configured by combining two kinds of square small matrices. This basic matrix is an MDS (Maximum Distance Separable) matrix having no elements.

By providing this configuration, the encrypted communication system 1 of the present embodiment eliminates the 8 rounds of impossible differences existing in Camellia, shortens the impossible differential characteristics, and uses less hardware while maintaining sufficient strength. It is possible to perform encrypted communication.
Hereinafter, this will be described in more detail.

  FIG. 1 is an explanatory diagram showing the configuration of the encrypted communication system 1 according to the first embodiment of the present invention. The encrypted communication system 1 includes a transmission device 10 and a reception device 20. The transmitting apparatus 10 compresses input data by the compression means 11, then encrypts the data by the encryption means 12, and then performs encoding by adding error correction data by the encoding means 13. The code word output from the signal is modulated by the modulation means 14, placed on a carrier wave, and sent to the transmission line 30. Then, the key schedule means 15 generates key data Ek_i, which will be described later, and gives it to the encryption means 12.

  The receiving device 20 that has received the signal transmitted via the transmission path 30 first demodulates the received signal by the demodulating means 21 to extract a code word, and performs error correction or the like on the code word by the error correcting means 22. Then, the decryption means 23 releases the encryption, and finally the decompression means 24 releases the data compression. Then, the key schedule unit 25 generates key data Ek_i, which will be described later, and gives it to the decryption unit 23. As a result, the original input data is restored and output.

  The transmission path 30 may be, for example, an optical cable, a metal cable, or wireless communication. The transmission path 30 may be replaced with a storage medium or storage device such as an optical disk, a magnetic disk, or a flash memory.

  The encryption / decryption method according to the present embodiment relates to the encryption unit 12 and the decryption unit 23. This method may be realized as a computer program or an electronic circuit such as an LSI (Large-scale Integrated Circuit).

  FIG. 2 is an explanatory diagram showing a more detailed configuration of the encryption unit 12 and the decryption unit 23 shown in FIG. FIG. 3 is a flowchart showing the process of encrypting input data performed by the encryption unit 12 (decryption unit 23) shown in FIG. The encryption means 12 performs encryption using a 4 nm-bit Faithtel block cipher. The input data is divided into two sub-block data (step S51), and the size of each sub-block data is 2 nm bits.

  The i-th round process 100 of the encryption means 12 includes an F function 101 and a second adder (exclusive OR) 102. This is repeated for the number of rounds determined by the specification. In FIG. 2, only the process of the i-th round is shown in detail, but the same applies to the other rounds.

  The F function 101 is a first adder (exclusive OR) 101a for applying the key data Ek_i generated by the key scheduling means 15 to one of the sub-block data, and 2n m-bit input / output S boxes. The S box layer 101b that performs nonlinear conversion and the linear conversion layer 101c that performs linear conversion processing to be described later are configured.

  The adder (exclusive OR) 101a applies the key data Ek_i to one of the divided sub-block data (step S52), and the output is subjected to non-linear transformation by the S box layer 101b (step S53). Linear conversion processing is performed in the linear conversion layer 101c (step S54). The output data of the processing by the F function 101 is applied to the other sub-block data by the second adder (exclusive OR) 102 (step S55).

  Then, left-right switching is performed between the sub-block data on the side input to the F function 101 and the sub-block data generated by the second adder (exclusive OR) (step S56). The output data is i-round. The processes in steps S52 to S56 are repeated for a predetermined number of rounds determined by the specifications (steps S57 to S58).

  The basic structure of the decryption means 23 is the encryption shown in FIGS. 2 to 3 except that the order in which the key data Ek_i generated by the key schedule means 25 is applied is opposite to that of the encryption means 12. Similar to the means 12. The process 200 for one round is composed of an F function 201 and an exclusive OR 202. This is repeated for a predetermined number of rounds determined by the specification. Therefore, hereinafter, only the configuration of the linear conversion layer 101c of the encryption unit 12 will be described.

  FIG. 4 is an explanatory diagram showing the matrix M representing the processing of the linear conversion layer 101c shown in FIG. This matrix M is a matrix of 2n rows and 2n columns (n is a natural number of 2 or more), and a square small matrix M1 composed of elements a_ (0, 0) to elements a_ (n−1, n−1), elements A square small matrix M2 composed of a_ (0, n) to element a_ (n-1,2n-1), composed of element a_ (n, 0) to element a_ (2n-1, n-1). It is represented by a combination of four square n matrixes of n rows and n columns of a square small matrix M4 including a square small matrix M3 and elements a_ (n, n) to elements a_ (2n-1,2n-1).

  The square sub-matrices M1 to M4 are two or more kinds of matrices. If one of them is a basic sub-matrix, the other sub-matrices are obtained by exclusive ORing the basic sub-matrix with a matrix obtained by cyclically shifting the basic sub-matrix. It is a matrix generated by doing.

  FIG. 5 is an explanatory diagram showing the configuration of the matrix M shown in FIG. In the present embodiment, Ma and Mb are used as the square small matrices M1 to M4, the square small matrices M2 to M4 are Ma, and the square small matrix M1 is Mb. A matrix Ma that does not include 0 as an element and does not have an element with the same value in the same column (such as an MDS matrix) is defined as a basic small matrix. At this time, the matrix Mb is expressed by the following Expression 11. Here, “<<” represents a cyclic shift in units of rows, and R is an integer of 1 to n−1.

  FIG. 6 is an explanatory diagram showing an example in which the matrix Mb shown in FIG. Here, r (j) = (R + j) mod n, and x mod n is a remainder when x is divided by n.

  The input data of the linear conversion layer 101c is y_0, y_1, ..., y_ (2n-2), y_ (2n-1), and the output data is z_0, z_1, ..., z_ (2n-2), z_ (2n-1). ). Here, yi and zi (0 ≦ i ≦ 2n−1) are m-bit data, respectively. In addition, an element in the i-th row and j-th column (0 ≦ i, j ≦ n−1) of the matrix Ma is referred to as a_ (i, j). First, the linear conversion layer 101c performs matrix operations shown in the following equations 12-13. Here, “·” is a symbol representing multiplication on GF (2 ^ m). Equation 12 corresponds to the square small matrix M3 shown in FIG. 4, and Equation 13 corresponds to the square small matrices M2 and M4 shown in FIG.

  Subsequently, the linear conversion layer 101c performs the calculation shown in the following equation 14 to obtain z_ (n + i) (0 ≦ i ≦ n−1).

  Finally, the linear conversion layer 101c obtains z_i (0 ≦ i ≦ n−1) by performing the calculation shown in the following Expression 15.

  Note that, even if the matrix Mb shown in FIG. 6 is arranged in any of the small square matrices M1 to M4 of the matrix M shown in FIG. 5, the calculation result as the matrix M is obtained with the same number of calculations.

(Overall operation of the first embodiment)
Next, the overall operation of the above embodiment will be described. The encryption method according to the present embodiment includes a transmission device 10 that transmits input data after being encrypted by a block encryption method encryption unit, and a reception device that decrypts a signal received from the transmission device by a decryption unit. The first adder uses the exclusive logic of the key data previously generated by the key schedule in one of the two sub-block data generated by dividing the input data. The S box layer performs non-linear transformation processing on the output from the exclusive OR, the linear transformation layer performs linear transformation processing on the output from the non-linear transformation processing, and sub-block data is output from the linear transformation processing. The second adder operates the exclusive one of the remaining one of them, and each processing content is executed by the encryption means for a predetermined number of rounds. 2n m-bit data obtained by linear transformation processing by multiplying input data, which is 2n m-bit data, by a matrix M of 2n rows and 2n columns obtained by combining a plurality of n × n square small matrices. Is output, and at least one of the square submatrices is a basic matrix that does not include 0 in the elements and does not have the same value in the elements in the same column, and the rest of the square submatrix is the basic matrix. This basic matrix is obtained by performing an exclusive OR operation on the cyclic shift of the basic matrix.

  In addition, the decryption method according to the present embodiment uses a key that is generated in advance in accordance with the key schedule in the reverse order to when data is encrypted into one of two sub-block data generated by dividing input data. The first adder operates the data with exclusive OR, the S box layer performs nonlinear conversion processing on the output from the exclusive OR, and the linear conversion layer performs linear conversion processing on the output from the nonlinear conversion processing. The second adder operates the remaining one of the sub-block data on the output from the linear transformation processing by exclusive OR, and the contents of each processing are executed by the number of rounds determined in advance. 2n m obtained by multiplying the input data, which is 2n m-bit data, by a matrix M of 2n rows and 2n columns obtained by combining a plurality of n rows and n columns of square small matrices. Bi Output data, which is data, and at least one of the square sub-matrices is a basic matrix that does not include 0 in the elements and does not have the same value in the elements in the same column, and the rest of the square sub-matrices are the basic matrix Is obtained by exclusive ORing the basic matrix obtained by cyclically shifting the matrix.

Here, each of the above-described operation steps may be programmed to be executable by a computer and executed by the transmission device 10 and the reception device 20 which are computers that directly execute the respective steps.
By this operation, this embodiment has the following effects.

  The first effect is that by adopting the linear transformation processing according to the present invention for the SP-type F function, it is possible to eliminate the eight rounds of impossible differences existing in Camellia, thereby reducing the number of applicable rounds of impossible differential attacks. It can be done. If the number of rounds can be reduced, encryption processing can be performed at high speed, which is suitable for use with hardware such as a mobile phone terminal or IC card that has a small amount of computing capacity and storage capacity.

  The second effect is that the number of computations required for the encryption and decryption processes can be reduced (calculation time is shortened). When calculating a 2n × 2n matrix having random elements, it is necessary to perform 2n multiplications on GF (2 ^ m) and 2n−1 exclusive ORs for one row of operations. . If this is performed for 2n rows, 4n ^ 2 times multiplication on GF (2 ^ m) and 2n (2n-1) times exclusive OR are performed.

  On the other hand, in the case of a matrix of 2n rows and 2n columns constructed according to the present invention, 2n ^ 2 times multiplication over GF (2 ^ m) and 2n ^ 2 times exclusive logic as shown in Equations 12-15. Can be calculated as a sum. That is, the number of operations is almost halved. This is also a factor suitable for use with hardware having only a small computing capacity and storage capacity.

(Second Embodiment)
In the second embodiment of the present invention, the configuration of the matrix M by which the linear conversion layer multiplies input data is changed as compared with the first embodiment. With this configuration, the same effect as in the first embodiment can be obtained.
Hereinafter, this will be described in more detail.

  FIG. 7 is an explanatory diagram showing the configuration of the encrypted communication system 301 according to the second embodiment of the present invention. The encrypted communication system 301 includes a transmission device 310 and a reception device 320. The transmission device 310 and the reception device 320 are different from the transmission device 10 and the reception device 20 according to the first embodiment only in the encryption unit 312 and the decryption unit 323. A reference number is attached.

  FIG. 8 is an explanatory diagram showing a more detailed configuration of the encryption unit 312 and the decryption unit 323 shown in FIG. Since the processing 400 for one round of the encryption unit 312 is different from the first embodiment only in the linear conversion layer 401c in the F function 401, the other elements have the same names and reference numbers. The processing procedure is also the same as the flowchart shown in FIG. Similarly, only the linear conversion layer 501c in the F function 501 is different from the first embodiment in the decoding unit 323.

  FIG. 9 is an explanatory diagram showing the configuration of the matrix M representing the processing of the linear conversion layer 401c shown in FIG. In this embodiment, two of the square small matrices M1 to M4 constituting the matrix M are Mb, the remaining two are matrix Ma, and they are diagonally arranged. It is a difference. Here, M2 and M3 are basic submatrix Ma, and M1 and M4 are matrix Mb.

  First, the linear conversion layer 401c calculates Mb shown in FIG. 6 by the matrix calculation shown in the above formulas 12-13. Subsequently, the linear conversion layer 401c performs the following Expression 16 for 0 ≦ i ≦ n−1 and performs the following Expression 17 for 0 ≦ i ≦ 2n−1. Thereby, the matrix M shown in FIG. 9 can be obtained.

(Third embodiment)
In the third embodiment of the present invention, the configuration of the matrix M by which the linear conversion layer multiplies the input data by combining three kinds of square small matrices. With this configuration, the same effect as in the first embodiment can be obtained.
Hereinafter, this will be described in more detail.

  FIG. 10 is an explanatory diagram showing the configuration of the encrypted communication system 601 according to the third embodiment of the present invention. The encrypted communication system 601 includes a transmission device 610 and a reception device 620. Since the transmission device 610 and the reception device 620 are different from the transmission device 10 and the reception device 20 according to the first embodiment only in the encryption unit 612 and the decryption unit 623, the other elements have the same names and A reference number is attached.

  FIG. 11 is an explanatory diagram showing a more detailed configuration of the encryption unit 612 and the decryption unit 623 shown in FIG. In the processing 700 for one round of the encryption unit 612, only the linear conversion layer 701c in the F function 701 is different from that of the first embodiment, and therefore, the other elements have the same names and reference numbers. The processing procedure is also the same as the flowchart shown in FIG. Similarly for the decoding means 623, only the linear conversion layer 801c in the F function 801 is different from the first embodiment.

  FIG. 12 is an explanatory diagram showing the configuration of the matrix M representing the processing of the linear conversion layer 701c shown in FIG. The present embodiment is different from the first and second embodiments in that three matrixes Ma, Mb, and Mc are used as the square small matrices M1 to M4 constituting the matrix M. Here, M2 and M3 are basic sub-matrix Ma, M1 is matrix Mb, and M4 is matrix Mc. However, the arrangement of Ma, Mb, and Mc is not limited to this example.

  Mb and Mc are generated from the basic submatrix Ma by applying different cyclic shifts to the above equation (11). Here, the cyclic shift numbers of the matrices Mb and Mc are R1 and R2, respectively.

  First, the linear conversion layer 701c calculates Mb shown in FIG. 6 by the matrix operation shown in the above equations 12-13 and 16. Subsequently, the linear conversion layer 701c performs the following calculation of Equation 18 for 0 ≦ i ≦ n−1. Thereby, the matrix M shown in FIG. 12 can be obtained. Here, r_1 (j) = R1 + j mod n and r_2 (j) = R2 + j mod n.

  The present invention has been described with reference to the specific embodiments shown in the drawings. However, the present invention is not limited to the embodiments shown in the drawings, and any known hitherto provided that the effects of the present invention are achieved. Even if it is a structure, it is employable.

  About each embodiment mentioned above, it is as follows when the summary of the novel technical content is put together. In addition, although part or all of the said embodiment is summarized as follows as a novel technique, this invention is not necessarily limited to this.

(Supplementary Note 1) Encrypted communication including a transmitting apparatus that encrypts input data after being encrypted by a block cipher encrypting means, and a receiving apparatus that decrypts a signal received from the transmitting apparatus by a decrypting means A system,
The encryption means is
A first adder that operates on one of two sub-block data generated by dividing the input data by exclusive OR, the key data generated in advance by the key schedule; and from the first adder An S-box layer that performs nonlinear transformation on the output, a linear transformation layer that performs linear transformation processing on the output from the S-box layer, and the remaining one of the sub-block data in the output from the linear transformation layer is exclusive logic A round including the second adder that acts as a sum is defined as one round, and has a plurality of round numbers specified in advance according to the encryption method using this round,
The decoding means comprises:
A third adder for operating the key data generated beforehand by the key schedule on one of the two sub-block data generated by dividing the input data by exclusive OR in the reverse order to the encryption means An S box layer that performs nonlinear transformation on the output from the third adder, a linear transformation layer that performs linear transformation processing on the output from the S box layer, and an output from the linear transformation layer that includes the sub-block. The round including the fourth adder that operates the remaining one of the data by exclusive OR is defined as one round, and has a plurality of rounds specified in advance according to the encryption method using this round,
A matrix of 2n rows and 2n columns obtained by the linear transformation layer of the encryption unit and the decryption unit obtained by combining a plurality of n rows and n columns of square small matrices with respect to input data that is 2n m-bit data. A function of outputting output data which is 2n m-bit data obtained by multiplying M (m and n are natural numbers of 2 or more);
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. An encryption communication system characterized by being obtained by performing an exclusive OR operation on what is cyclically shifted.

(Supplementary note 2) The supplementary note 1 according to supplementary note 1, wherein the matrix M by which the linear transformation layer multiplies input data is configured by combining any one of two or three kinds of the square sub-matrices. Encrypted communication system.

(Supplementary Note 3) The encrypted communication system according to Supplementary Note 1 or Supplementary Note 2, wherein the basic matrix is an MDS (Maximum Distance Separable) matrix.

(Supplementary Note 4) A transmission device that encrypts input data using block encryption method and transmits the data.
The encryption means is
A first adder that operates on one of two sub-block data generated by dividing the input data by exclusive OR, the key data generated in advance by the key schedule; and from the first adder An S-box layer that performs nonlinear transformation on the output, a linear transformation layer that performs linear transformation processing on the output from the S-box layer, and the remaining one of the sub-block data in the output from the linear transformation layer is exclusive logic A round including the second adder that acts as a sum is defined as one round, and has a plurality of round numbers specified in advance according to the encryption method using this round,
The linear conversion layer multiplies 2n-by-2n matrix M obtained by combining a plurality of n-by-n square sub-matrices with 2n m-bit input data, and 2n a function of outputting output data which is m-bit data (m and n are natural numbers of 2 or more);
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. A transmitting apparatus characterized by being obtained by exclusive ORing a cyclically shifted one.

(Supplementary Note 5) A receiving device that outputs data obtained by decrypting a received signal by a decryption unit of a block encryption method,
The decoding means comprises:
First of all, the key data previously generated by the key schedule is operated by exclusive OR in the reverse order to the case where the data is encrypted to one of the two sub-block data generated by dividing the input data. The S box layer that performs nonlinear transformation on the output from the first adder, the linear transformation layer that performs linear transformation processing on the output from the S box layer, and the output from the linear transformation layer A round including a second adder that operates the remaining one of the sub-block data with exclusive OR is defined as one round, and has a plurality of rounds specified in advance according to an encryption method using this round. With
The linear conversion layer multiplies 2n-by-2n matrix M obtained by combining a plurality of n-by-n square sub-matrices with 2n m-bit input data, and 2n a function of outputting output data which is m-bit data (m and n are natural numbers of 2 or more);
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. A receiving apparatus obtained by performing an exclusive OR operation on a cyclically shifted one.

(Supplementary note 6) Encrypted communication including a transmitting apparatus that encrypts input data after being encrypted by a block cipher encrypting means, and a receiving apparatus that decrypts a signal received from the transmitting apparatus by a decrypting means In the system,
The first adder operates the key data previously generated by the key schedule on one of the two sub-block data generated by dividing the input data by exclusive OR,
The S box layer performs non-linear transformation processing on the output from the exclusive OR,
A linear conversion layer performs linear conversion processing on the output from the nonlinear conversion processing,
The second adder operates the remaining one of the sub-block data on the output from the linear transformation process by exclusive OR,
A round including each of these processing contents is defined as one round, and this round is executed by a plurality of rounds specified in advance according to the encryption method used by the encryption means,
The linear transformation process is performed by multiplying input data, which is 2n m-bit data, by a matrix M of 2n rows and 2n columns obtained by combining a plurality of n rows and n columns of square small matrices. Output data that is m-bit data (m and n are natural numbers of 2 or more),
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. An encryption method characterized by being obtained by exclusive ORing a cyclically shifted one.

(Supplementary note 7) Encrypted communication including a transmitting device that encrypts input data after being encrypted by a block cipher encryption unit and a receiving device that decrypts a signal received from the transmitting device by a decrypting unit In the system,
The first adder performs exclusive logic on the key data previously generated by the key schedule in the reverse order to the case where the data is encrypted into one of the two sub-block data generated by dividing the input data. Act in sum,
The S box layer performs non-linear transformation processing on the output from the exclusive OR,
A linear conversion layer performs linear conversion processing on the output from the nonlinear conversion processing,
The second adder operates the remaining one of the sub-block data on the output from the linear transformation process by exclusive OR,
A round including each of these processing contents is defined as one round, and this round is executed by a plurality of rounds specified in advance according to the encryption method used by the encryption means,
The linear transformation process is performed by multiplying input data, which is 2n m-bit data, by a matrix M of 2n rows and 2n columns obtained by combining a plurality of n rows and n columns of square small matrices. Output data that is m-bit data (m and n are natural numbers of 2 or more),
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. A decoding method characterized by being obtained by performing an exclusive OR operation on a cyclic shift.

(Supplementary Note 8) Encrypted communication including a transmission device that transmits input data after being encrypted by a block cipher encryption unit, and a reception device that decrypts a signal received from the transmission device by a decryption unit In the system,
In the computer provided with the encryption means,
A procedure for operating the key data generated in advance by the key schedule by exclusive OR on one of the two sub-block data generated by dividing the input data;
A procedure for performing nonlinear transformation processing on the output from the exclusive OR,
A procedure for performing linear transformation processing on the output from the nonlinear transformation processing,
And a procedure for operating the remaining one of the sub-block data by exclusive OR on the output from the linear transformation process,
A round including each of these procedures is set as one round, and this round is executed by a plurality of rounds specified in advance according to the encryption method used by the encryption means,
The linear transformation process is performed by multiplying input data, which is 2n m-bit data, by a matrix M of 2n rows and 2n columns obtained by combining a plurality of n rows and n columns of square small matrices. Output data that is m-bit data (m and n are natural numbers of 2 or more),
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. An encryption program obtained by performing an exclusive OR operation on a cyclic shift.

(Supplementary note 9) Encrypted communication including a transmission device that transmits input data after being encrypted by block encryption method encryption means, and a reception device that decrypts a signal received from the transmission device by decryption means In the system,
In the computer provided in the decoding means,
A procedure for operating the key data previously generated by the key schedule in an exclusive OR in the reverse order to the case where the data is encrypted to one of the two sub-block data generated by dividing the input data;
A procedure for performing nonlinear transformation processing on the output from the exclusive OR,
A procedure for performing linear transformation processing on the output from the nonlinear transformation processing,
And a procedure for operating the remaining one of the sub-block data by exclusive OR on the output from the linear transformation process,
A round including each of these procedures is set as one round, and this round is executed by a plurality of rounds specified in advance according to the encryption method used by the encryption means,
The linear transformation process is performed by multiplying input data, which is 2n m-bit data, by a matrix M of 2n rows and 2n columns obtained by combining a plurality of n rows and n columns of square small matrices. Output data that is m-bit data (m and n are natural numbers of 2 or more),
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. A decoding program obtained by performing an exclusive OR operation on a cyclic shift.

  The present invention can be applied to uses such as an encryption device for concealing communication data in a voice communication terminal or a data communication device.

DESCRIPTION OF SYMBOLS 1,301,601 Encryption communication system 10,310,610 Transmission apparatus 11 Compression means 12,312,612 Encryption means 13 Encoding means 14 Modulation means 15,25 Key schedule means 20,320,620 Receiver 21 Demodulation means 22 Error correction means 23, 323, 623 Decoding means 24 Decompression means 30 Transmission path 100, 200 Processing of i-th round 101, 201 F function 101a, 201a First adder (exclusive OR)
101b, 201b S box layer 101c, 201c, 401c, 501c, 701c, 801c Linear transformation layer 102, 202 Second adder (exclusive OR)

Claims (9)

An encryption communication system comprising: a transmission device that encrypts input data after being encrypted by block encryption method encryption means; and a reception device that decrypts a signal received from the transmission device by decryption means. ,
The encryption means is
A first adder that operates on one of two sub-block data generated by dividing the input data by exclusive OR, the key data generated in advance by the key schedule; and from the first adder An S-box layer that performs nonlinear transformation on the output, a linear transformation layer that performs linear transformation processing on the output from the S-box layer, and the remaining one of the sub-block data in the output from the linear transformation layer is exclusive logic A round including the second adder that acts as a sum is defined as one round, and has a plurality of round numbers specified in advance according to the encryption method using this round,
The decoding means comprises:
A third adder for operating the key data generated beforehand by the key schedule on one of the two sub-block data generated by dividing the input data by exclusive OR in the reverse order to the encryption means An S box layer that performs nonlinear transformation on the output from the third adder, a linear transformation layer that performs linear transformation processing on the output from the S box layer, and an output from the linear transformation layer that includes the sub-block. The round including the fourth adder that operates the remaining one of the data by exclusive OR is defined as one round, and has a plurality of rounds specified in advance according to the encryption method using this round,
A matrix of 2n rows and 2n columns obtained by the linear transformation layer of the encryption unit and the decryption unit obtained by combining a plurality of n rows and n columns of square small matrices with respect to input data that is 2n m-bit data. A function of outputting output data which is 2n m-bit data obtained by multiplying M (m and n are natural numbers of 2 or more);
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. An encryption communication system characterized by being obtained by performing an exclusive OR operation on what is cyclically shifted.   The encrypted communication according to claim 1, wherein the matrix M by which the linear conversion layer multiplies input data is configured by combining either one of two types or three types of the square sub-matrices. system.   The encrypted communication system according to claim 1, wherein the basic matrix is an MDS (Maximum Distance Separable) matrix. A transmission device that encrypts input data by an encryption means of a block encryption method and sends it out,
The encryption means is
A first adder that operates on one of two sub-block data generated by dividing the input data by exclusive OR, the key data generated in advance by the key schedule; and from the first adder An S-box layer that performs nonlinear transformation on the output, a linear transformation layer that performs linear transformation processing on the output from the S-box layer, and the remaining one of the sub-block data in the output from the linear transformation layer is exclusive logic A round including the second adder that acts as a sum is defined as one round, and has a plurality of round numbers specified in advance according to the encryption method using this round,
The linear conversion layer multiplies 2n-by-2n matrix M obtained by combining a plurality of n-by-n square sub-matrices with 2n m-bit input data, and 2n a function of outputting output data which is m-bit data (m and n are natural numbers of 2 or more);
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. A transmitting apparatus characterized by being obtained by exclusive ORing a cyclically shifted one. A receiving device that outputs data obtained by decrypting a received signal by a decryption unit of a block encryption method,
The decoding means comprises:
First of all, the key data previously generated by the key schedule is operated by exclusive OR in the reverse order to the case where the data is encrypted to one of the two sub-block data generated by dividing the input data. The S box layer that performs nonlinear transformation on the output from the first adder, the linear transformation layer that performs linear transformation processing on the output from the S box layer, and the output from the linear transformation layer A round including a second adder that operates the remaining one of the sub-block data with exclusive OR is defined as one round, and has a plurality of rounds specified in advance according to an encryption method using this round. With
The linear conversion layer multiplies 2n-by-2n matrix M obtained by combining a plurality of n-by-n square sub-matrices with 2n m-bit input data, and 2n a function of outputting output data which is m-bit data (m and n are natural numbers of 2 or more);
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. A receiving apparatus obtained by performing an exclusive OR operation on a cyclically shifted one. An encryption communication system comprising: a transmission device that encrypts input data after being encrypted by block encryption method encryption means; and a reception device that decrypts a signal received from the transmission device by decryption means. ,
One of the two sub-block data generated by dividing the input data is subjected to key data generated in advance by the key schedule, and the first adder provided in the encryption means operates by exclusive OR. Let
The S box layer provided in the encryption means performs nonlinear transformation processing on the output from the exclusive OR,
A linear conversion layer provided in the encryption unit performs linear conversion processing on the output from the nonlinear conversion processing,
A second adder provided in the encryption means operates the remaining one of the sub-block data on the output from the linear transformation process by exclusive OR,
A round including each of these processing contents is defined as one round, and this round is executed by a plurality of rounds specified in advance according to the encryption method used by the encryption means,
The linear transformation process is performed by multiplying input data, which is 2n m-bit data, by a matrix M of 2n rows and 2n columns obtained by combining a plurality of n rows and n columns of square small matrices. Output data that is m-bit data (m and n are natural numbers of 2 or more),
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. An encryption method characterized by being obtained by exclusive ORing a cyclically shifted one. An encryption communication system comprising: a transmission device that encrypts input data after being encrypted by block encryption method encryption means; and a reception device that decrypts a signal received from the transmission device by decryption means. ,
To one of the two block data generated by dividing the input data, the key data are previously generated by the key scheduling in the reverse order that encrypted the data, provided that said decoding means A first adder that operates with exclusive OR,
The S box layer provided in the decoding means performs nonlinear transformation processing on the output from the exclusive OR,
A linear conversion layer provided in the decoding means performs linear conversion processing on the output from the nonlinear conversion processing,
A second adder provided in the decoding means operates the remaining one of the sub-block data on the output from the linear transformation process by exclusive OR,
A round including each of these processing contents is defined as one round, and this round is executed by a plurality of rounds specified in advance according to the encryption method used by the encryption means,
The linear transformation process is performed by multiplying input data, which is 2n m-bit data, by a matrix M of 2n rows and 2n columns obtained by combining a plurality of n rows and n columns of square small matrices. Output data that is m-bit data (m and n are natural numbers of 2 or more),
At least one of the square sub-matrices is a basic matrix whose elements do not include 0, and the elements in the same column do not have the same value, and the rest of the square sub-matrices are row-based on the basic matrix. A decoding method characterized by being obtained by performing an exclusive OR operation on a cyclic shift. An encryption communication system comprising: a transmission device that encrypts input data after being encrypted by block encryption method encryption means; and a reception device that decrypts a signal received from the transmission device by decryption means. ,
The encryption program for functioning the computer with which the said encryption means is provided as a transmission apparatus of Claim 4 . An encryption communication system comprising: a transmission device that encrypts input data after being encrypted by block encryption method encryption means; and a reception device that decrypts a signal received from the transmission device by decryption means. ,
A decoding program for causing a computer provided in the decoding means to function as the receiving device according to claim 5 .

Images