JP5801095B2 - Stream cipher encryption apparatus, stream cipher decryption apparatus, stream cipher encryption method, stream cipher decryption method, and program - Google Patents

Description

  The present invention relates to a stream cipher encryption apparatus, a stream cipher decryption apparatus, a stream cipher encryption method, a stream cipher decryption method, and a program capable of realizing secure and efficient authentication.

  In recent years, various services using computers have been provided. In many services, encryption is used to conceal communication. The most common encryption method is a common key encryption method that performs encryption / decryption with a single key, but the common key encryption method is roughly divided into a block encryption method and a stream encryption method.

  The former is the method that is most commonly used, but the latter has been attracting attention in recent years because it is superior in processing speed. On the other hand, there is a method called authenticated encryption. This is an algorithm for simultaneously realizing message authentication and encryption with one algorithm (see, for example, Non-Patent Document 1).

Philip Hawkes, Cameron McDonald, Michael Paddon, Gregory G. Rose, and Miriam Wiggers de Vries, “Specification for NL Sv. 4986, 2008.

  However, until now, it has been necessary to redesign the algorithm in order to make the stream cipher an authenticated cipher. Or, it was necessary to consider incorporating an authentication function from the design stage. Furthermore, almost all of the authenticated stream cipher is broken by an attack, and there is almost no secure stream cipher with authentication.

  Therefore, the present invention has been made in view of the above-described problems, and a stream cipher encryption apparatus, a stream cipher decryption apparatus, a stream cipher encryption method, a stream, and a stream cipher capable of realizing secure and efficient authentication. It is an object of the present invention to provide an encryption decryption method and program.

  The present invention proposes the following matters in order to solve the above problems. In addition, in order to make an understanding easy, although the code | symbol corresponding to embodiment of this invention is attached | subjected and demonstrated, it is not limited to this.

(1) The present invention includes a first shift register (e.g., corresponding to the shift register 200 in FIG. 1) and is fed back data to the first shift register, together with the first shift register, LFSR constitutes a linear feedback function (e.g., corresponding to the linear feedback function 100 of FIG. 1) and a second shift register which is divided into two, a third shift register (e.g., shift register 400, 500 of FIG. 1 Equivalent), the second shift register, the third shift register, a first nonlinear function unit (for example, equivalent to the nonlinear function unit 710 in FIG. 1), and a second nonlinear function unit (for example, with equivalent) to a non-linear function unit 720 of FIG. 1, the dynamic feedback function constituting a dynamic feedback shift register (e.g., And corresponds to the first dynamic feedback function 300), said second shift register, together with the third shift register, dynamic feedback function constituting a dynamic linear feedback shift register (e.g., dynamic feedback function 300 of FIG. 1 and equivalent) to the second shift register, the non-linear conversion means for non-linear transformation of the input data from the third input data and the first shift register from the shift register (e.g., non-linear conversion section 600 in FIG. 1 And an exclusive OR calculator (for example, the exclusive OR calculator 7 4 in FIG. 1) that performs an exclusive OR operation between the output data of the nonlinear conversion means and the input plaintext and outputs a ciphertext. and 0,7 5 corresponds to 0), wherein the first non-linear function unit is the output data of the dynamic feedback function and non-linear transformation, the A second non-linear function unit performs non-linear conversion on the exclusive OR of the output data of the second shift register and the output ciphertext, and the second shift register includes the first shift function An addition value of the data nonlinearly converted in the nonlinear function unit and the data in the first shift register is input, and the third shift register receives the data nonlinearly converted in the second nonlinear function unit and A stream cipher encryption apparatus is proposed in which an addition value with data in the first shift register is input .

According to the present invention, the encryption device of the stream cipher comprises a first shift register, and feeding back the data to the first shift register, the first shift register, a linear feedback function constitutes a linear feedback shift register A second shift register divided into two, a third shift register , a second shift register, a third shift register, a first non-linear function unit, and a second non-linear function unit, A dynamic feedback function constituting a dynamic feedback shift register, a nonlinear conversion means for nonlinearly converting input data from the second shift register and the third shift register , and input data from the first shift register; exclusive for outputting the ciphertext performs an XOR operation between the input and output data of the conversion means plaintext Comprising a Liwa calculator, a cryptographic first linear function unit is the output data of the dynamic feedback function and non-linear transformation, the second Nonlinear function unit is outputted to the output data of the second shift register A non-linear transformation is performed on the exclusive OR with the sentence, and the second shift register has an added value of the data non-linearly transformed in the first non-linear function unit and the data in the first shift register. The added value of the data that is nonlinearly converted in the second nonlinear function unit and the data in the first shift register is input to the third shift register . In other words, with the above-described configuration, it is possible to realize high-speed encryption processing while improving safety as compared with the prior art.

  (2) According to the present invention, in the stream cipher encryption device according to (1), the non-linear conversion means stores four internal memories (for example, the internal memories L1, L2, R1, and R2 in FIG. 2) in an internal state. And a stream cipher encryption device having a connection structure through a non-linear function unit (for example, corresponding to the non-linear functions 620a, 620b, 620c, and 620d in FIG. 2) between the four internal memories. is suggesting.

  According to this invention, the non-linear conversion means has four internal memories as internal states and has a connection structure between the four internal memories via the non-linear function unit. In other words, the safety can be increased synergistically by adopting such a configuration of the nonlinear conversion means.

( 3 ) According to the present invention, for the stream cipher encryption device of (1), after executing the encryption process, plain text with all data set to “0” is input and the emptying process is executed a specified number of times. A stream cipher encryption device that is characterized is proposed.

  According to this invention, after executing the encryption process, plain text with all data set to “0” is input and the emptying process is executed a specified number of times. In other words, by executing this processing, a message authenticator can be created, so that a secure stream cipher with authentication can be generated.

( 4 ) The present invention relates to the stream cipher encryption apparatus according to ( 3 ), wherein a key sequence having a specified bit length is output as a message authenticator after the empty rotation processing. A device is proposed.

  According to the present invention, a key sequence having a specified bit length is output as a message authenticator after the idle rotation process. In other words, a secure stream cipher with authentication can be generated by combining an output message authenticator and ciphertext to generate an output result.

( 6 ) According to the present invention, in the stream cipher decryption device of ( 5 ), the non-linear conversion means stores four internal memories (for example, corresponding to the internal memories L1, L2, R1, and R2 in FIG. 5) in an internal state. And a stream cipher encryption device having a connection structure between the four internal memories via a non-linear function unit (for example, equivalent to the non-linear function units 620a, 620b, 620c, and 620d in FIG. 5) Has proposed.

  According to this invention, the non-linear conversion means has four internal memories as internal states and has a connection structure between the four internal memories via the non-linear function unit. In other words, the safety can be increased synergistically by adopting such a configuration of the nonlinear conversion means.

( 7 ) According to the present invention, for the decryption device for stream cipher of ( 5 ), after executing the decryption process, the ciphertext with all the data set to “0” is input and the emptying process is executed a specified number of times. Has been proposed.

  According to the present invention, after executing the decryption process, plain text with all data set to “0” is input and the emptying process is executed a specified number of times. That is, by executing this process, a message authenticator can be created, so that a secure plaintext with authentication can be generated.

( 8 ) The present invention relates to the stream cipher decryption device according to ( 7 ), wherein a key sequence having a specified bit length is output as a message authenticator after the empty rotation process. A device is proposed.

  According to the present invention, a key sequence having a specified bit length is output as a message authenticator after the idle rotation process. That is, by comparing the message authenticator combined with the transmitted ciphertext and the generated message authenticator, it is possible to verify whether or not they match.

  (11) In the present invention, a first step for reading an initial key and an initial vector (for example, equivalent to step S101 in FIG. 3) and a second step for performing an initialization process (for example, in step S102 in FIG. 3) Equivalent), a third step (for example, equivalent to step S103 in FIG. 3) for generating a key sequence by executing key sequence generation processing, and performing an exclusive OR operation between the generated key sequence and plaintext To generate a ciphertext, for example (corresponding to step S104 in FIG. 3), and sequentially input the generated ciphertext to the dynamic feedback function and the final register of one of the divided dynamic feedback registers. Even after the input of the plaintext is completed, the fifth step (for example, corresponding to step S105 in FIG. 3) for executing the blanking with the plaintext set to all zeros and the blanking completion. In addition, a sixth step (for example, corresponding to step S106 in FIG. 3) for generating a key sequence having a specified bit length and outputting it as a message authenticator, and outputting the message authenticator attached to the ciphertext are output. (For example, corresponding to step S107 in FIG. 3).

  According to the present invention, the initial key and the initial vector are read and the initialization process is performed. Next, a key sequence generation process is executed, a key sequence is generated, a ciphertext is generated by executing an exclusive OR operation between the generated key sequence and plaintext, and the generated ciphertext is converted into a dynamic feedback function and After the input to the final register of one of the divided dynamic feedback registers is sequentially performed and the plaintext input is completed, the plaintext is set to all zeros and the idling is executed. Then, after completion of idling, a key sequence having a specified bit length is generated and output as a message authenticator, and the message authenticator is attached to the ciphertext and output. That is, by performing the above-described processing, it is possible to realize high-speed encryption processing while improving safety as compared with the prior art. Further, by combining the message authenticator to be output and the ciphertext to generate an output result, a secure stream cipher with authentication can be generated.

  (12) The present invention is a stream cipher decryption method for decrypting ciphertext encrypted by the stream cipher encryption method of (11), and includes a first step of reading an initial key and an initial vector (for example, , Corresponding to step S201 in FIG. 6), a second step for executing initialization processing (for example, corresponding to step S202 in FIG. 6), a key sequence generation process, and a third sequence for generating a key sequence A step (for example, corresponding to step S203 in FIG. 6), a fourth step for receiving the ciphertext and the message authenticator (for example, corresponding to step S204 in FIG. 6), the generated key sequence and the received encryption A fifth step (for example, equivalent to step S205 in FIG. 6) for generating a plaintext by executing an exclusive OR operation with the sentence, and two messages obtained by dividing the generated plaintext A sixth step (for example, corresponding to step S206 in FIG. 6) of executing the idling with the ciphertext set to all zeroes after the ciphertext input is completed after being sequentially input to the memory for creating a certificate. After completing the idling, a seventh step (for example, corresponding to step S207 in FIG. 6) that combines the two divided message authenticator values to form a message authenticator, and converts the message authenticator into plaintext. A seventh step of attaching and outputting, and an eighth step of verifying whether or not the output message authenticator matches the received message authenticator (for example, corresponding to step S208 in FIG. 6) And a stream cipher decryption method characterized by comprising:

  According to the present invention, the initial key and the initial vector are read and the initialization process is performed. Next, a key sequence generation process is executed, a key sequence is generated, a plaintext is generated by executing an exclusive OR operation between the generated key sequence and ciphertext, and two message authentications obtained by dividing the generated plaintext Even after the ciphertext input is completed, the ciphertext is set to all zeros, and the ciphertext is circulated. Then, after completing the idling, the two divided values for the message authenticator memory are combined to form a message authenticator, and the message authenticator is attached to the plaintext and output. That is, by performing the above-described processing, it is possible to realize a high-speed decoding process while improving the safety as compared with the prior art. Further, by comparing the message authenticator combined with the transmitted ciphertext and the generated message authenticator, it is possible to verify whether or not they match.

  (13) In the present invention, a first step (for example, corresponding to step S101 in FIG. 3) for reading an initial key and an initial vector and a second step for performing initialization processing (for example, in step S102 in FIG. 3) Equivalent), a third step (for example, equivalent to step S103 in FIG. 3) for generating a key sequence by executing key sequence generation processing, and performing an exclusive OR operation between the generated key sequence and plaintext To generate a ciphertext, for example (corresponding to step S104 in FIG. 3), and sequentially input the generated ciphertext to the dynamic feedback function and the final register of one of the divided dynamic feedback registers. Even after the input of the plaintext is completed, the fifth step (for example, corresponding to step S105 in FIG. 3) for executing the blanking with the plaintext set to all zeros and the blanking completion. In addition, a sixth step (for example, corresponding to step S106 in FIG. 3) for generating a key sequence having a specified bit length and outputting it as a message authenticator, and outputting the message authenticator attached to the ciphertext are output. (For example, corresponding to step S107 in FIG. 3).

  According to the present invention, the initial key and the initial vector are read and the initialization process is performed. Next, a key sequence generation process is executed, a key sequence is generated, a ciphertext is generated by executing an exclusive OR operation between the generated key sequence and plaintext, and the generated ciphertext is converted into a dynamic feedback function and After the input to the final register of one of the divided dynamic feedback registers is sequentially performed and the plaintext input is completed, the plaintext is set to all zeros and the idling is executed. Then, after completion of idling, a key sequence having a specified bit length is generated and output as a message authenticator, and the message authenticator is attached to the ciphertext and output. That is, by performing the above-described processing, it is possible to realize high-speed encryption processing while improving safety as compared with the prior art. Further, by combining the message authenticator to be output and the ciphertext to generate an output result, a secure stream cipher with authentication can be generated.

  (14) The present invention is a program for decrypting a ciphertext encrypted by the program according to the thirteenth aspect, and includes a first step of reading an initial key and an initial vector (for example, in step S201 in FIG. 6). Equivalent), a second step (for example, equivalent to step S202 in FIG. 6) for executing the initialization process, and a third step (for example, in FIG. 6) for generating the key series by executing the key series generation process. 4) (equivalent to step S203), a fourth step of receiving the ciphertext and the message authenticator (for example, equivalent to step S204 of FIG. 6), and the exclusive OR of the generated key sequence and the received ciphertext. A fifth step (for example, corresponding to step S205 in FIG. 6) for generating plaintext by executing an operation, and a dynamic feedback function and one motion obtained by dividing the generated plaintext. A fifth step (for example, corresponding to step S206 in FIG. 6) of performing the idling with the ciphertext set to all zeros after the ciphertext input is completed after being sequentially input to the final register of the feedback register, and the idling After completion, a seventh step (for example, corresponding to step S207 in FIG. 6) for generating a key sequence having a specified bit length and outputting it as a message authenticator, and outputting the message authenticator attached to plaintext is output. And an eighth step (for example, corresponding to step S208 in FIG. 6) for verifying whether or not the output message authenticator matches the received message authenticator. A program for this is proposed.

  According to the present invention, the initial key and the initial vector are read and the initialization process is performed. Next, after executing key sequence generation processing, generating a key sequence, sequentially inputting the generated plaintext into the dynamic feedback function and the final register of one of the divided dynamic feedback registers, and after the ciphertext input is completed Then, the ciphertext is all-zeroed, and the idling is executed. After the idling is completed, a key sequence having a specified bit length is generated and output as the message authenticator, and the message authenticator is attached to the plaintext and output. That is, by performing the above-described processing, it is possible to realize a high-speed decoding process while improving the safety as compared with the prior art. Further, by comparing the message authenticator combined with the transmitted ciphertext and the generated message authenticator, it is possible to verify whether or not they match.

  According to the present invention, it is possible to generate a stream cipher with authentication that is safe and efficient. Also, there is an effect that safe and efficient processing can be realized in the decoding processing.

It is a figure which shows schematic structure of the encryption apparatus of the stream encryption which concerns on the 1st Embodiment of this invention. It is a figure which shows the specific structure of the encryption apparatus of the stream encryption which concerns on the 1st Embodiment of this invention. It is a figure which shows the specific process of the encryption apparatus of the stream encryption which concerns on the 1st Embodiment of this invention. It is a figure which shows the specific process of the decoding apparatus of the stream encryption which concerns on the 2nd Embodiment of this invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Note that the constituent elements in the present embodiment can be appropriately replaced with existing constituent elements and the like, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the present embodiment does not limit the contents of the invention described in the claims.

  A stream cipher encryption apparatus and decryption apparatus according to the present invention will be described with reference to FIGS.

<First Embodiment>
A stream cipher encryption apparatus according to this embodiment will be described with reference to FIGS. 1 to 3.

<Schematic configuration of encryption device for stream cipher>
As shown in FIG. 1, the encryption apparatus for stream ciphers according to the present embodiment includes a linear feedback function 100, a shift register 200, a dynamic feedback function 300, a shift register A 400, a shift register B 500, a non-linear transformation. Unit 600, nonlinear function units (Msub) 710 and 720, and exclusive OR calculators 730, 740, and 750.

Linear feedback function 100 performs calculation processing on the data obtained from the shift register 200, according to the result, it controls whether to feed back the data after processing into the final register of shift register 200.

The shift register A 400 and the shift register B 500 are shift registers whose structures dynamically change depending on the processing result of the dynamic feedback function 300. Therefore, encryption processing and authentication code derivation can be performed more securely.

Non-linear conversion unit 600 includes a shift register 200 and the shift register A400, the data inputted from the shift register B500, performs the processing of non-linear transformation.

The non-linear function unit (Msub) 710 sequentially performs AES cipher mix column processing, S-box processing, and mix column processing on the output from the dynamic feedback function 300, and the processing result is the final register of the shift register A400. Output to. The non-linear function unit (Msub) 720 uses the exclusive OR calculator 730 to calculate the value of the output register of the shift register A 400 and the ciphertext output from the non-linear conversion unit 600, and the AES cipher mix column. processing, S-Box processing, intends line in order the Mix Column processing. Then , the added value of the processing result and the data in the shift register 200 is output to the final register of the shift register B500.

  The exclusive OR calculators 740 and 750 perform an exclusive OR operation on the output from the non-linear conversion unit 600 and the plaintext to generate a ciphertext. After the encryption process is completed, the plaintext value is set to all “0” and emptying is executed a specified number of times. After emptying, a key sequence having a specified bit length is output and used as a message authenticator. Further, the generated ciphertext and the message authenticator are combined to obtain a final output.

<Specific Configuration of Stream Cipher Encryption Device>
As shown in FIG. 2, the linear feedback function 100 includes a plurality of exclusive OR calculators. The dynamic feedback function 300 is composed of a plurality of exclusive OR calculators and adders. In the case of FIG. 2, the feedback processing is performed using 4-bit data in the second register of the shift register 200. , The control unit selects whether an adder or an exclusive OR calculator is selected. By performing such control, the safety of the entire stream encryption apparatus can be improved.

  The non-linear conversion unit 600 is exclusive of internal memories 610a, 610b, 610c, 610d, and 610e, non-linear functions (Sub) 620a, 620b, 620c, 620d, and 620e, and adders 630a, 630b, 630c, 630d, and 630e. The logical sum calculator 640a, 640b.

The adder 630a is connected to the shift register A400 and the internal memory L2, adds the value of the internal memory L2 and the output value from the shift register A400, and outputs the result to the nonlinear function unit 620b.

The adder 630b is connected to the shift register B500 and the internal memory R2, adds the value of the internal memory R2 and the output value from the shift register B500, and outputs the result to the nonlinear function unit 620c. Note that the nonlinear function units (Sub) 620a, 620b, 620c, 620d, and 620e sequentially perform the S-Box processing and Mix Column processing of AES encryption, and the processing results are stored in the internal memories 610a, 610b, 610c, 610d, and 610e. Output to.

  The adder 630c is connected to the internal memory (L2) 610c and the internal memory (L1) 610a, and adds the internal memory (L2) 610c and the internal memory (L1) 610a to obtain an exclusive OR calculator. Output to 640a.

  The adder 630d is connected to the internal memory (R2) 610d and the internal memory (R1) 610b, and adds the internal memory (R2) 610d and the internal memory (R1) 610b to obtain an exclusive OR calculator. Output to 640b.

  The internal memory (L1) 610a stores the output value of the nonlinear function 620c, the internal memory (R1) 610b stores the output value of the nonlinear function 620c, and the internal memory (L2) 610c stores the output value of the nonlinear function 620a. The internal memory (R2) 610d stores the output value of the nonlinear function 620d. As described above, by providing four internal memories as internal states and connecting the four internal memories via a non-linear function unit, safety can be increased synergistically.

The exclusive OR calculator 640 a performs an exclusive OR operation on the output value of the adder 630 c and the output value of the shift register 200 , and outputs the calculation result to the exclusive OR calculator 740. The exclusive OR calculator 640 b performs an exclusive OR operation on the output value of the adder 630 d and the value from the shift register 200, and outputs the calculation result to the exclusive OR calculator 750.

<Processing of encryption device for stream cipher>
With reference to FIG. 3, the processing of the encryption device for stream encryption according to the present embodiment will be described.

  First, an initial key and an initial vector are read (step S101), and an initialization process is performed (step S102). Next, key sequence generation processing is executed to generate a key sequence (step S103). A ciphertext is generated by exclusive ORing the generated key sequence and plaintext (step S104).

  Further, the generated ciphertext is sequentially input to the dynamic feedback function and the final register of one of the divided dynamic feedback registers, and even after the plaintext input is completed, the plaintext is all-zeroed (step S105). After the idle rotation, a key sequence having a specified bit length is generated and used as a message authenticator (step S106). Then, the message authenticator is attached to the ciphertext and transmitted (step S107).

  As described above, according to the present embodiment, it is possible to realize high-speed encryption processing while improving safety as compared with the prior art. Further, by combining the message authenticator to be output and the ciphertext to generate an output result, a secure stream cipher with authentication can be generated.

<Second Embodiment>
The stream cipher decryption apparatus according to this embodiment will be described with reference to FIGS. The stream cipher decryption apparatus according to the present embodiment decrypts the data encrypted in the first embodiment.

<Schematic Configuration of Stream Cipher Decryption Device>
As shown in FIG. 4, the stream cipher decryption apparatus according to the present embodiment includes a linear feedback function 100, a shift register 200, a dynamic feedback function 300, a shift register A 400, a shift register B 500, a non-linear transformation. Unit 600, nonlinear function units (Msub) 710 and 720, and exclusive OR calculators 730, 760, and 770. In addition, since the component which attaches | subjects the same code | symbol as 1st Embodiment has the same function, the detailed description is abbreviate | omitted.

<Processing of Decryption Device for Stream Cipher>
With reference to FIG. 6, the processing of the stream cipher encryption apparatus according to this embodiment will be described.

  First, an initial key and an initial vector are read (step S201), and an initialization process is performed (step S202). Next, a key sequence generation process is executed to generate a key sequence (step S203), and a ciphertext and a message authenticator are received (step S204). Next, a plaintext is generated by exclusive ORing the generated key sequence and the ciphertext (step S205).

  Further, the generated plaintext is sequentially input to the dynamic feedback function and the final register of one of the divided dynamic feedback registers, and the ciphertext is all-zeroed after the ciphertext input is completed (step S206). ) After the idling, a key sequence having a specified bit length is generated and output as a message authenticator (step S207). Then, the received message authenticator is collated with the generated message authenticator (step S208).

  As described above, according to the present embodiment, it is possible to realize a high-speed decoding process while improving the safety as compared with the prior art. Further, by comparing the message authenticator combined with the transmitted ciphertext and the generated message authenticator, it is possible to verify whether or not they match.

  The processing of the stream cipher encryptor or the stream cipher decryptor is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read by the stream cipher encryptor or the stream cipher decryptor. By executing this, the stream cipher encryptor or the stream cipher decryptor of the present invention can be realized. The computer system here includes an OS and hardware such as peripheral devices.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

100; linear feedback function 200; shift register 300; dynamic feedback function 400; shift register A
500: Shift register B
600: Non-linear conversion unit 610a; Internal memory 610b; Internal memory 610c; Internal memory 610d; Internal memory 610e; Internal memory 620a; Non-linear function unit (Sub)
620b; Nonlinear function unit (Sub)
620c; nonlinear function unit (Sub)
620d; Nonlinear function unit (Sub)
620e; Nonlinear function unit (Sub)
603a; adder 603b; adder 603c; adder 603d; adder 603e; adder 640a; exclusive OR operator 640b; exclusive OR operator 710; nonlinear function unit (Msub)
720: Nonlinear function unit (Msub)
730; exclusive OR calculator 740; exclusive OR calculator 750; exclusive OR calculator 760; exclusive OR calculator 770; exclusive OR calculator

Claims (4)

A first shift register;
A linear feedback function that feeds back data to the first shift register and forms a linear feedback shift register together with the first shift register;
A second shift register divided into two, a third shift register, and
A dynamic feedback function constituting a dynamic feedback shift register together with the second shift register, the third shift register, a first nonlinear function unit, and a second nonlinear function unit;
Nonlinear conversion means for nonlinearly converting input data from the second shift register and the third shift register and input data from the first shift register;
An exclusive OR calculator that performs an exclusive OR operation between the output data of the nonlinear conversion means and the input plaintext and outputs a ciphertext;
With
The first nonlinear function unit nonlinearly transforms the output data of the dynamic feedback function, and the second nonlinear function unit exclusively outputs the output data of the second shift register and the output ciphertext. A non-linear conversion is performed on the logical sum, and an addition value of the data non-linearly converted in the first non-linear function unit and the data in the first shift register is input to the second shift register. The stream shift cipher is characterized in that the third shift register receives an addition value of the data nonlinearly converted in the second nonlinear function unit and the data in the first shift register. Device.   2. The stream cipher encryption apparatus according to claim 1, wherein the non-linear conversion means includes four internal memories as internal states and has a connection structure between the four internal memories via a non-linear function unit. .   2. The stream cipher encryption apparatus according to claim 1, wherein after the encryption process is executed, plain text with all data set to “0” is input and the empty rotation process is executed a specified number of times.   4. The stream cipher encryption apparatus according to claim 3, wherein a key sequence having a specified bit length is output as a message authenticator after the empty rotation processing.

Images