JP5818768B2 - Mask generation apparatus, information processing apparatus, method thereof, and program - Google Patents

Description

  The present invention relates to a mask generation technique for generating a mask to be used in a cipher use mode using a Gray code, and an information processing technique using a mask generated by the mask generation apparatus.

  Cryptographic technology is effective for data confidentiality or falsification detection. Encryption techniques include asymmetric key techniques including RSA encryption, and symmetric key techniques including AES (Advanced Encryption Standard) encryption using common key encryption. The asymmetric key technology is easier to handle keys than the symmetric key technology. However, in terms of speed, symmetric key technology is overwhelmingly advantageous. For this reason, in practice, a large number of cipher usage modes using AES ciphers and the like are used to conceal a large amount of data and detect tampering, and are practically used in SSL (Secure Sockets Layer) or the like.

  Originally, block ciphers could only encrypt one block (128 bits for AES ciphers). The cipher usage mode is a method of adding functions such as multi-block encryption processing and falsification detection (message authentication) by combining block ciphers with simple operations.

  Conventionally, CFB (Cipher Feed Back) mode for realizing a confidential function, CBC-MAC (Cipher Block Chaining-Message Authentication Code) for realizing message authentication, and the like have been known as encryption usage modes. However, these encryption usage modes have a problem that they cannot exhibit high security.

  Thereafter, encryption usage modes such as an authentication encryption mode OCB (Offset CodeBook), a MAC mode PMAC (Parallelizable Message Authentication Code), and a disk encryption XTS have been proposed, and high security has been shown.

In some of the cryptographic usage modes where high security is shown, an operation of Galois field GF (2 ⁿ ) is used. Let f (x) be an n-th irreducible polynomial over GF (2), and the element of the Galois field GF (2 ⁿ ) is

Is expressed by a polynomial of n−1 order or less, and the coefficient of the polynomial is expressed as an n-bit bit string. Here, the operation of multiplying by x is referred to as “doubling” and is used in many cipher use modes including the cipher use mode. A number of cipher usage modes using secret information L and m masks x ⁱ · L have been announced. However, i = 1, 2,..., M, and A · B represents the product of the element A and the element B on the finite field, and hereinafter “·” may be omitted. Also, an encryption usage mode using a Gray code has been proposed (see Non-Patent Documents 1 and 2). Here, if the i-th gray code is G (i), it can be expressed as G (i) = i xor (i ^{>> 1} ). However, A xor B represents an exclusive OR for each bit of the bit string A and the bit string B, and A ^{>> B} means that the bit string A is shifted to the right by B bits. Let the i-th mask in the encryption usage mode using the Gray code be G (i) L. If w ₂ (A) is a function that returns the Hamming weight of bit string A (the sum of the numbers of 1 in binary representation), the Gray code is
w ₂ (G (i) xor G (i−1)) = 1
Therefore, the i-th mask G (i) L can be generated from the i-1th mask G (i-1) L as follows.
G (i) L ← G (i-1) L xor x ^{2 ^ j} L (1)
However, A ^ B in the superscript represents A to the Bth power (that is, A ^B ), j = 1,..., N−1, and j is arranged from the least significant bit representation of i. Matches the number of Here, x ^{2 ^ j} L changes according to the number j of 0. Therefore, if x ^{2 ^ j} L at j = 1,..., N−1 is calculated in advance and stored in the table for each number j of 0s, the number of 0s arranged from the least significant bit representation of i. Based on j, x ^{2 ^ j} L corresponding to i is searched from the table, and the exclusive OR of the mask G (i−1) L obtained in the (i−1) th and x ^{2 ^ j} L is obtained. , I-th mask G (i) L can be obtained.

Ted Krovetz and Phillip Rogaway, "The Software Performance of Authenticated-Encryption Modes", FSE 2011, Springer, 2011, vol. 6733, pp. 306-327 Phillip Rogaway, "Authenticated-Encryption with Associated-Data", ACM Conference on Computer and Communications Security 2002 (CCS'02), ACM Press, September 2002, pp. 98-107

In the prior art, in order to search for x ^{2 ^ j} L, it is necessary to calculate the number j of 0s arranged from the least significant bit representation of i for each mask. The process of calculating the number of 0s arranged in the lowest order of the bit representation of i and the number of 0s obtained as a result of the process are described as ntz (i). When a large number of masks G (i) L are generated, the processing amount of the processing ntz (i) is large.

  An object of the present invention is to provide a mask generation technique capable of efficiently calculating the mask G (i) L by omitting some of the processes ntz (i).

In order to solve the above-described problem, according to the first aspect of the present invention, the mask generation device generates a mask to be used in the encryption usage mode using a Gray code. The mask generation device sets f (x) to an n-th irreducible polynomial over GF (2), and the element of the Galois field GF (2 ⁿ ) is

Is expressed as a polynomial of n-1 order or lower, the coefficient of the polynomial is expressed as an n-bit bit string, floor (A) is a function that returns the largest integer less than or equal to A, and a mask for generating m A product calculation unit for obtaining a product L [p] of secret information L and x ^{2 ^ p} in p = 0, 1,..., Floor (log ₂ (m)), k is a positive integer, and q = A continuous 0-bit calculation unit for obtaining the number N [q] of 0s arranged from the least significant bit representation of q in 1, 2,..., 2 ^k −1, and (floor (log ₂ (m)) + 1) A storage unit storing the number of products L [p] and 2 ^k −1 0 numbers N [q], and when i is a multiple of 2 ^k , they are arranged from the least significant bit representation of i. The number of zeros ntz (i) is obtained, and the product L [ntz corresponding to the number of zeros ntz (i) is obtained. (I)] was removed from the storage unit, when i is not a multiple of ^{2 k,} based on the remainder i mod ^{2 k} obtained by dividing the i in ^{2 k,} the least significant bit representation of the remainder i mod ^{2 k} The number N [i mod 2 ^k ] of 0 arranged from the memory unit is taken out from the storage unit, and the product L [N [i mod 2 ^k ]] corresponding to the number N [i mod 2 ^k ] is taken out from the storage unit. The product acquisition unit obtains an exclusive OR of the mask G (i−1) L in i−1 and the product L [ntz (i)] or L [N [i mod 2 ^k ]], and the mask G in i (I) an exclusive OR calculation unit that is L.

In order to solve the above-described problem, according to the second aspect of the present invention, the mask generation method generates a mask to be used in the encryption usage mode using a Gray code. In the mask generation method, f (x) is an n-th irreducible polynomial over GF (2), and the element of the Galois field GF (2 ⁿ ) is

Is expressed as a polynomial of n-1 order or lower, the coefficient of the polynomial is expressed as an n-bit bit string, floor (A) is a function that returns the largest integer less than or equal to A, and a mask for generating m A product calculation step for obtaining a product L [p] of secret information L and x ^{2 ^ p} in p = 0, 1,..., Floor (log ₂ (m)), k is a positive integer, and q = A continuous 0-bit calculation step for obtaining the number N [q] of 0 arranged from the least significant bit representation of q in 1, 2,..., 2 ^k −1, and (floor (log ₂ (m)) + 1) A storage step for storing the number of products L [p] and the number of 2 ^k −1 0s N [q] in the storage unit, and when i is a multiple of 2 ^k , the least significant bit representation of i The number ntz (i) of 0s that are lined up is obtained, and the number ntz (0) of this 0 is obtained. product according to i) L [ntz (i) ] was removed from the storage unit, when i is not a multiple of ^{2 k,} based on the remainder i mod ^{2 k} obtained by dividing the i in ^{2 k,} the remainder i the number of zeros are arranged from the least significant bit representation of ^{mod 2 k N [i mod 2} k] is taken out from the storage unit, further, the product L [N [i mod in accordance with the number N [i mod ^{2 k]} 2 ^k ]] from the storage unit and exclusive of the mask G (i−1) L and the product L [ntz (i)] or L [N [i mod 2 ^k ]] in i−1 An exclusive OR calculation step of obtaining a logical sum and setting a mask G (i) L in i.

The present invention eliminates the process ntz (i) when i ≠ c2 ^k (where c is an arbitrary integer greater than or equal to 0, and k is a predetermined positive integer), so that the mask G (i) L There exists an effect that it can calculate efficiently.

The figure which shows the relationship between i and the number j of 0 in k = 2. The figure which shows the relationship between i and the number j of 0 in k = 3. The figure which shows the relationship between i and the number j of 0 in k = 4. The figure which shows the relationship between i and the number j of 0 in k = 5. The functional block diagram of the mask production | generation apparatus 100 which concerns on 1st embodiment. The figure which shows the processing flow of the mask production | generation apparatus 100 which concerns on 1st embodiment. The figure which shows the example of the data of the product L [p] stored in a memory | storage part. The figure which shows the example of the data of the number N [q] of 0 stored in a memory | storage part. The figure which shows the processing flow of the product acquisition part and exclusive OR calculation part of the mask generation apparatus which concerns on 2nd embodiment in k = 1. The figure which shows the processing flow of the product acquisition part and exclusive OR calculation part of the mask generation apparatus which concerns on 2nd embodiment in k = 2. The figure which shows the processing flow of the product acquisition part of the mask production | generation apparatus which concerns on 2nd embodiment, and an exclusive OR calculation part in k = 3. The figure which shows the processing flow of the product acquisition part and exclusive OR calculation part of the mask generation apparatus which concerns on the modification of 2nd embodiment in k = 1. The figure which shows the processing flow of the product acquisition part and exclusive OR calculation part of the mask generation apparatus which concerns on the modification of 2nd embodiment in k = 2. The figure which shows the processing flow of the product acquisition part and exclusive OR calculation part of the mask generation apparatus which concerns on the modification of 2nd embodiment in k = 3. The functional block diagram of the encryption system which concerns on 3rd embodiment. The functional block diagram of the information processing apparatus (encryption apparatus) which concerns on 3rd embodiment. The figure which shows the processing flow of the information processing apparatus (encryption apparatus) which concerns on 3rd embodiment. The functional block diagram of the information processing apparatus (decoding apparatus) which concerns on 3rd embodiment. The figure which shows the processing flow of the information processing apparatus (decoding apparatus) which concerns on 3rd embodiment.

  Hereinafter, embodiments of the present invention will be described. In the drawings used for the following description, constituent parts having the same function and steps for performing the same process are denoted by the same reference numerals, and redundant description is omitted. Further, the processing performed for each element of a vector or matrix is applied to all elements of the vector or matrix unless otherwise specified.

<First embodiment>
<Points of first embodiment>
One positive integer k is fixed. 1 to 4 show the relationship between i and the number j of 0 at k = 2 to 5, respectively. As seen from the figures, for any integer of 0 or more c, 0 of the number ^{j (= ntz (i),} i = c2 k, c2 k + 1, ..., (c + 1) 2 k -1) is i = C2 ^k except for the case of ^k . In each figure, the part of the same pattern is enclosed with the broken line. In the present embodiment, for i = 1, 2,..., 2 ^k −1, a process ntz (i) for calculating the number j of 0s arranged in advance from the least significant bit representation of i is performed, and 0 for each i is performed. Is stored in the storage unit. Further, the number j of 0 corresponding to i (= 1, 2,..., M) in the case of i ≠ c2 ^k is extracted from the storage unit. Since the number j of 0 is the same pattern even if c is different, it can be reused. Therefore, by performing i = c2 when ^k only for calculating the number j of 0 processing ntz (i), the number of processing ntz (i) may be a 1/2 ^k.

<Mask Generation Device 100 according to First Embodiment>
FIG. 5 is a functional block diagram of the mask generation apparatus 100, and FIG. In FIG. 6, variables = initial value, final value, and increment value are described at the upper end of the loop end, and variables are described at the lower end.

  The mask generation apparatus 100 includes a product calculation unit 111, a continuous 0-bit calculation unit 113, a storage unit 115, a product acquisition unit 117, and an exclusive OR calculation unit 119.

  The mask generation apparatus 100 receives the secret information L, the positive integer k, and the number m of masks desired by the user as input, and generates m masks G (i) L used in the encryption usage mode using the Gray code. Output.

Note that f (x) is an n-th irreducible polynomial over GF (2), and the element of the Galois field GF (2 ⁿ ) is

Is represented by a polynomial of n−1 order or less, and the coefficient of the polynomial is represented as an n-bit bit string. Details of each part will be described below.

<Product Calculation Unit 111>
The product calculation unit 111 receives the number m of masks desired by the user and the secret information L, and the product of the secret information L and x ^{2 ^ p} in p = 0, 1,..., Floor (log ₂ (m)). L [p] is obtained (s111) and stored in the storage unit 115. However, floor (A) is a function that returns the largest integer less than or equal to A. FIG. 7 shows an example of data of the product L [p] stored in the storage unit 115. Tables 111A to 111E show examples of data in m = 16, 32, 64, 128, and 256, respectively. Actually, the storage unit 115 stores a specific value as x ^{2 ^ p} L.

<Continuous 0-bit calculation unit 113>
The continuous 0-bit calculation unit 113 receives a positive integer k, and the number n of 0s arranged from the least significant bit representation of q in q = 1, 2,..., 2 ^k −1 by processing ntz (q). [Q] (= ntz (q)) is obtained (s113) and stored in the storage unit 115. FIG. 8 shows an example of data of the number N [q] of 0 stored in the storage unit 115. Tables 113A to 113D show examples of data at k = 2 to 5, respectively.

<Storage unit 115>
The storage unit 115 stores (floor (log ₂ (m)) + 1) products L [p] and 2 ^k −1 0 number N [q] (see FIGS. 7 and 8). ).

<Product acquisition unit 117>
The product acquisition unit 117 determines whether i is a multiple of 2 ^k (s117a).

Furthermore, the product acquiring unit 117, when i is a multiple of ^{2 k,} by the processing ntz (i), the number of zeros are arranged from the least significant bit representation of i p (= ntz (i) ) was calculated The product L [p] (= L [ntz (i)]) corresponding to the number p of 0 is extracted from the storage unit 115 (s117b) and output to the exclusive OR calculation unit 119.

Product acquisition unit 117, when i is not a multiple of ^{2 k} is based on the remainder q (= i mod ^{2 k)} obtained by dividing the i in ^{2 k,} bit representation of the remainder q (= i mod ^{2 k)} The number of zeros p (= N [q] = N [i mod 2 ^k ]) arranged from the lowest order is taken out of the storage unit 115, and the number of zeros p (= N [q] = N [i mod 2 ^k ]) is taken out from the storage unit 115 (s117c), and the exclusive OR calculation unit is obtained from the product L [p] (= L [N [q]] = L [N [i mod 2 ^k ]]) It outputs to 119.

In other words, the product acquiring unit 117, when i is not a multiple of 2 ^k, instead of calculating the number of 0 in a row from the least significant bit representation of i, the remainder i obtained by dividing the i in 2 ^k Based on mod 2 ^k , the number N [i mod 2 ^k ] of 0 is extracted from the storage unit 115. The processing for obtaining the remainder i mod 2 ^k may be determined by extracting a bit string of the following k bits from the bit string i, is smaller amount of processing than the processing ntz (i). For example, a bit string of k bits or less is extracted from the bit string i by masking the bit string i with a bit string in which 0 is set to a portion greater than k bits (left side) and 1 is set to k bits or less (right side). If the extracted bit string is 0, the process of s117b is performed, and if it is not 0, the process of s117c is performed.

With this configuration, it is possible to omit the process ntz (i) when i ≠ c2 ^k.

<Exclusive OR Calculation Unit 119>
The exclusive OR calculator 119 receives the product L [ntz (i)] or L [N [i mod 2 ^k ]], and receives the mask G (i−1) L and the product L [ntz (i) in i−1. )] Or L [N [i mod 2 ^k ]] is obtained (s119), the obtained exclusive OR is output as the i-th mask G (i) L, and the i + 1-th mask. This is stored for obtaining G (i + 1) L.

<Effect>
In this embodiment, by using a table composed of 2 ^k −1, the number N [q] of 0s arranged from the least significant bit representation of q, processing with high calculation cost when i ≠ c2 ^k. ntz (i) can be omitted, and the mask G (i) L can be calculated efficiently. In addition, an information processing apparatus that efficiently performs encryption or decryption can be realized by mounting in an encryption use mode such as OCB that generates a mask G (i) L using a Gray code.

Note that by setting k large, it is possible to increase the number of times that the product ntz (i) can be omitted in the product acquisition unit 117, but the processing amount in the continuous 0-bit calculation unit 113 increases. If k is set large, N [q] increases (uses a lot of memory, see FIG. 8), and the processing amount at the time of search increases. Therefore, a positive integer k may be set in a range of 1 ≦ k <log ₂ m so that the entire processing amount of the mask generation apparatus 100 is minimized according to the number m of masks desired by the user.

<Second embodiment>
<Points of second embodiment>
In the second embodiment, in the product-acquisition unit 217, i is determined whether or not a multiple of ^{2 k (s117a),} and obtains a remainder i mod ^{2 k} obtained by dividing the i in ^{2 k} processing Can be omitted.

Moreover, the product acquiring unit 217 of the second embodiment is acquired a plurality of products are overlapped, performs i> branch prediction in 2 ^k based on the processing in the i ≦ 2 ^k. With such a configuration, the processing can be made more efficient. For example, the product acquisition unit 217 is realized by a CPU (Central Processing Unit) with a branch prediction function.

  Hereinafter, only different parts from the first embodiment will be described.

<Mask Generation Device 200 According to Second Embodiment>
The mask generation apparatus 200 includes a product acquisition unit 217 instead of the product acquisition unit 117 (see FIG. 5).

Product acquisition unit 217 and an exclusive OR calculation unit 119, 2 ^k-number of repeats the process of generating a mask (in other words, to produce a 2 ^k-number of mask in one iteration (loop)) . In the iterative process, each time one mask is generated, it is determined whether the number of generated masks is m or less. At this time, based on the determination result when i ≦ 2 ^k (for example, satisfying the conditional expression and determination expression (i ≦ m)), the determination result (for example, the conditional expression and determination expression (i ≦ m)) of i> 2 ^k is obtained. Estimate). Incidentally, in the iteration, first, it executes the following process as the process performed at the time i is not a multiple of 2 ^k. Based on the remainder q when i is divided by 2 ^k , the number N [q] of 0s arranged from the least significant bit representation of the remainder q is changed to N [1], N [2],. ^k- 1] from the storage unit 115, and a product L [p] corresponding to the number N [1], N [2],..., N [ ^2k- 1] is stored in the storage unit 115. [N [1]], L [N [2]],..., L [N [2 ^k −1]] are extracted in this order.

Next, the following processing is performed as processing performed when i is a multiple of 2 ^k . By the process ntz (i), the number of 0s p (= ntz (i)) arranged from the least significant bit representation of i is calculated, and the product L [p] (= L [ ntz (i)]) is taken out from the storage unit 115.

In the iterative process when i> 2 ^k , when i is not a multiple of 2 ^k , the product acquisition unit 217 determines the number N [1], N [2],..., N [2 ^k −1] and the product. The process of extracting L [N [1]], L [N [2]],..., L [N [2 ^k −1]] from the storage unit 115 is omitted, and is extracted from the storage unit 115 when i ≦ 2 ^k . The products L [N [1]], L [N [2]],..., L [N [2 ^k −1]] may be reused.

  9 to 11 show processing flows of the product acquisition unit 217 and the exclusive OR calculation unit 119 when k = 1 to 3, respectively. 9 to 11, the continuation conditional expression is described at the upper end of the loop end. The case where k = 1 will be specifically described with reference to FIG.

<When k = 1>
First, the product acquisition unit 217 performs initial setting (s217a).

  Next, the product acquisition unit 217 repeats the following process when i ≦ m.

Product acquisition unit 217 extracts the number N [1] = 0 of 0 in a row from the least significant bit representation of the remainder q = 1 when A is divided by i with ^{2 k} from the storage unit 115, N [1] = The product L [0] corresponding to 0 is extracted from the storage unit 115 (s217b) and output to the exclusive OR calculation unit 119. In the case of k = 1, since the remainder i mod ^{2 k} obtained by dividing the i calculated by the s217b with ^{2 k} are determined in 1, it can be omitted from the processing.

  Next, the product acquisition unit 217 increments i (s217c), and if i after the increment is larger than m (no in s217d), exits from the loop.

  When i after the increment is less than or equal to m (in the case of yes in s217d), the product acquisition unit 217 performs the process ntz (i) to determine the number of zeros p (= ntz (i) arranged from the least significant bit representation of i. )), And the product L [p] (= L [ntz (i)]) corresponding to the number p of 0 is extracted from the storage unit 115 (s217e) and output to the exclusive OR calculation unit 119. Further, i is incremented (s217f), and when the continuation conditional expression (i ≦ m) is true, the above processing s217b to s217f is repeated.

  With such a configuration, part of s117a and s117c can be omitted.

In addition, the product acquisition unit 217 acquires a plurality of products in an overlapping manner, and performs branch prediction when i> ^2k based on the processing when i ≦ ^2k . Therefore, the following processing is possible when i> ^2k It becomes.

Based on the processing at i ≦ 2 ^k , when i> 2 ^k , the determination result is estimated in the loop continuation conditional expression or the determination expression at s217d, and the next instruction is fetched and speculatively executed. More specifically, when k = 1, based on the determination result when i = 1 and i = 2 (for example, the conditional expression and the determination expression (i ≦ m) are satisfied), the determination result when i ≧ 3 (for example, the condition The formula and the judgment formula (i ≦ m) are estimated, and the next processing (s217b, s119 and s217c, s217e, s119 and s217f) is started before the judgment result is obtained. Since the condition is satisfied except for the last one (that is, when i> m), a branch prediction error does not occur except for the last one. Therefore, the penalty ratio with respect to the entire process is very small, and the efficiency of the entire mask generation process can be realized.

  The same applies to the case of k = 2 (see FIG. 10), the case of k = 3 (see FIG. 11), and the case of k ≧ 4.

<Effect>
With such a configuration, the same effect as that of the first embodiment can be obtained, and the mask G (i) L can be generated more efficiently.

<Modification>
Only parts different from the second embodiment will be described.

<Points of modification>
Not for each generating one mask, each time generating the 2 ^k-number of mask, the number of the generated mask 'determines whether or less, m' m a 2 ^k-number of mask when: Repeat the generation process. However, m ′ = 2 ^k · floor (m / 2 ^k ), and m ′ represents the maximum multiple of 2 ^{k that} is less than or equal to m. With such a configuration, the number of determinations can be reduced and processing can be reduced when i ≦ m ′.

<Mask Generation Device 600 According to Modification>
The mask generation apparatus 600 includes a product acquisition unit 617 instead of the product acquisition unit 217 (see FIG. 5).

Product acquisition unit 617 and an exclusive OR calculation unit 119, 2 ^k-number of repeats the process of generating a mask (in other words, to produce a 2 ^k-number of mask in one iteration (loop)) . It is determined whether or not the number of masks generated for each repetition process (every ^2k masks are generated) is less than or equal to m ′, and the process is repeated until it becomes larger than m ′.

Incidentally, in the iteration, first, it executes the following process as the process performed at the time i is not a multiple of 2 ^k. Product acquisition unit 617, based on the i to the remainder q when divided by ^{2 k,} the number of zeros are arranged from the least significant bit representation of the remainder q N [q] to N [1], N [2 ] , ..., is taken out from the forward in the storage unit 115 of the ^{N [2} k -1], further, the number N [1], N [2 ], ..., a product corresponding to the ^{N [2 k -1] L [} p] Are extracted from the storage unit 115 in the order of L [N [1]], L [N [2]],..., L [N [2 ^k −1]].

Next, the following processing is performed as processing performed when i is a multiple of 2 ^k . The product acquisition unit 617 calculates the number of zeros p (= ntz (i)) arranged from the least significant bit representation of i by the process ntz (i), and the product L [ p] (= L [ntz (i)]) is taken out from the storage unit 115.

Note that in the iterative process at i> 2 ^k (more specifically, 2 ^k <i ≦ m ′), when i is not a multiple of 2 ^k , the product acquisition unit 617 uses the number N [1], N [2 ], ..., N [2 ^k -1] and the products L [N [1]], L [N [2]], ..., L [N [2 ^k -1]] are omitted from the storage unit 115. and the product was taken out from the storage unit 115 in the ^{i ≦ 2 k L [N [} 1]], L [N [2]], ..., L [N [2 k -1]] may be reused.

  If the number of generated masks is larger than m ', it is determined whether or not the number of generated masks is less than or equal to m, and the following processing is repeated until it becomes larger than m.

Product acquisition unit 617, based on the remainder q (= i mod ^{2 k)} obtained by dividing the i in ^{2 k,} the number of zeros are arranged from the least significant bit representation of the remainder q (= i mod ^{2 k)} p (= N [q] = N [i mod 2 ^k ]) is taken out from the storage unit 115, and the product L corresponding to the number p of 0 (= N [q] = N [i mod 2 ^k ]) [P] (= L [N [q]] = L [N [i mod 2 ^k ]]) is extracted from the storage unit 115 and output to the exclusive OR calculation unit 119.

With such a configuration, the same effect as that of the second embodiment can be obtained. Since m 'is the maximum multiple of the following 2 ^k m, in the iteration of the first half may be the number of generated mask for each generates one mask to omit a process of determining whether or not more than m It may be determined whether or not the number of masks generated for each repetition process (every 2 ^k masks are generated) is equal to or less than m ′. Further, when m is a multiple of 2 ^k, m = m 'becomes so the second half iteration becomes also not performed configuration once, i although not determined whether or not a multiple of 2 ^k be able to.

  12 to 14 show processing flows of the product acquisition unit 617 and the exclusive OR calculation unit 119 when k = 1 to 3, respectively. In addition, in FIGS. 12-14, the continuation conditional expression is described in the upper end of a loop end. Specifically, the case where k = 1 will be described with reference to FIG.

<When k = 1>
First, the product acquisition unit 617 performs initial setting (s617a).

  Next, the product acquisition unit 617 repeats the following processing when i ≦ m ′.

Product acquisition unit 617 extracts the number N [1] = 0 of 0 in a row from the least significant bit representation of the remainder q = 1 when A is divided by i with ^{2 k} from the storage unit 115, N [1] = The product L [0] corresponding to 0 is extracted from the storage unit 115 (s617b) and output to the exclusive OR calculation unit 119. In the case of k = 1, since the remainder i mod ^{2 k} obtained by dividing the i calculated by the s617b with ^{2 k} are determined in 1, it can be omitted from the processing.

  Next, the product acquisition unit 617 increments i (s617c).

  The product acquisition unit 617 calculates the number of zeros p (= ntz (i)) arranged from the least significant bit representation of i by the process ntz (i), and the product L [ p] (= L [ntz (i)]) is extracted from the storage unit 115 (s617d) and output to the exclusive OR calculation unit 119. Further, i is incremented (s617e), and if the continuation conditional expression (i ≦ m ′) is true, the above processing s617b to s617e is repeated.

  If the continuation conditional expression (i ≦ m ′) is not satisfied, the following processing is repeated for i ≦ m.

Product acquisition unit 617, based on the remainder q (= i mod ^{2 k)} obtained by dividing the i in ^{2 k,} the number of zeros are arranged from the least significant bit representation of the remainder q (= i mod ^{2 k)} p (= N [q] = N [i mod 2 ^k ]) is taken out from the storage unit 115, and the product L corresponding to the number p of 0 (= N [q] = N [i mod 2 ^k ]) [P] (= L [N [q]] = L [N [i mod 2 ^k ]]) is extracted from the storage unit 115 (s617f) and output to the exclusive OR calculation unit 119. Further, i is incremented (s617g), and if the continuation conditional expression (i ≦ m) is true, the above processes s617f to s617g are repeated.

  With such a configuration, the determination process can be omitted.

  In addition, the product acquisition unit 617 may perform a plurality of processes in the same manner as in the second embodiment. In this case, the determination result can be estimated in the loop continuation conditional expression, the next instruction can be fetched and speculatively executed, and the overall efficiency of the mask generation process can be realized.

For example, in the first half of the iterative process, the determination result of the loop continuation conditional expression is estimated when 2 ^k <i (more specifically, 2 ^k <i ≦ m ′) based on the process in i ≦ 2 ^k . Are fetched and speculatively executed. More specifically, when k = 1, based on the determination result when i = 1 (for example, satisfying conditional expression (i ≦ m ′)), the determination result when i ≧ 3 (for example, conditional expression (i ≦ m)) The following processing (s617b, s119 and s617c, s617d, s119 and s617e) is started before the determination result is obtained.

  In the second half of the iterative process, based on the process at i = m ′ + 1, the determination result of the loop continuation conditional expression is estimated when m ′ + 1 <i, and the next instruction is fetched and speculatively executed. More specifically, based on a determination result when i = m ′ + 1 (for example, satisfying conditional expression (i ≦ m)), a determination result when i> m ′ + 1 (for example, satisfying conditional expression (i ≦ m)) And the next processing (s617f and s617g) is started before the determination result is obtained.

  In each repetitive process, the condition is satisfied except for the last one (that is, when i> m ′ or i> m), and therefore, no branch prediction error occurs except for the last one. Therefore, the penalty ratio with respect to the entire process is very small, and the efficiency of the entire mask generation process can be realized.

  The same applies to the case of k = 2 (see FIG. 13), the case of k = 3 (see FIG. 14), and the case of k ≧ 4.

<Third embodiment>
<Points of third embodiment>
Cryptography that uses a process called “whying” (exclusive OR with extended key) such as AES cipher or Camellia (see Reference 1), and uses a mask using a Gray code such as PMAC or OCB. When there is a usage mode, the speed of mounting can be increased by combining with the invention according to the first embodiment and the second embodiment.
(Reference 1) Kazumaro AOKI, Tetsuya ICHIKAWA, Masayuki KANDA, Mitsuru MATSUI, Shiho MORIAI, Junko NAKAJIMA, Toshio TOKITA, "The 128-Bit Block Cipher Camellia", IEICE TRANSACTIONS on Fundamentals of Electronics, 2002, Communications and Computer Sciences Vol .E85-A, No.1, pp.11-24

First, in AES encryption, P is plaintext, K is a key, C is ciphertext, and encryption processing is C = AES_K (P)
But when whitening is performed,
C = aes_K (P xor k ′) = AES_K (P)
It can be expressed as Here, k ′ represents a bit string calculated from K (hereinafter also referred to as “extended key”).

In OCB and PMAC,
AES_K (P xor G (1) L), AES_K (P xor G (2) L), ..., AES_K (P xor G (i) L), ...
Is calculated. Here, the calculation for obtaining the i-th mask G (i) L from the (i-1) -th mask G (i-1) L includes the mask G (i-1) L and a value L [ntz ( i)] = x ^{ntz (i)} Since only exclusive OR with L is obtained,
G (i) L
Instead of constantly updating
k 'xor G (i) L
If you update
aes_K (P xor (k 'xor G (1) L)), aes_K (P xor (k' xor G (2) L)), ...
, aes_K (P xor (k 'xor G (i) L)), ...
This makes it possible to omit the exclusive OR once for each block of encryption processing.

  That is, when G (i) L is updated by the following equation, it is necessary to obtain an exclusive OR of G (i) L and k ′ in the whitening.

G (i) L ← G (i-1) L xor L [ntz (i)]
On the other hand, when k ′ xor G (i) L is updated by the following equation, k ′ xor G (i) L can be used as it is in the whitening, and the number of exclusive OR processing can be omitted once. .

  k ′ xor G (i) L ← k ′ xor G (i−1) L xor L [ntz (i)]

<Encryption System 500 According to Third Embodiment>
FIG. 15 shows a functional block diagram of the cryptographic system 500. The cryptographic system 500 includes an information processing device 300, an information processing device 400, and a communication line 501. The information processing apparatus 300 encrypts the plaintext P, generates a ciphertext C, and transmits the ciphertext C to the information processing apparatus 400 via the communication line 501. The information processing apparatus 400 receives the ciphertext C and decrypts it. That is, the information processing device 300 functions as an encryption device, and the information processing device 400 functions as a decryption device. The processing contents of each device will be described below.

<Information processing apparatus 300>
FIG. 16 is a functional block diagram of the information processing apparatus 300, and FIG. In FIG. 17, variables = initial value, final value, and increment value are described at the upper end of the loop end, and variables are described at the lower end.

  The information processing apparatus 300 includes a product calculation unit 111, a continuous 0-bit calculation unit 113, a storage unit 115, a product acquisition unit 117, an exclusive OR calculation unit 319, an expanded key generation unit 321 and an encryption unit 323.

  The information processing apparatus 300 receives the secret information L, the positive integer k, the number m of masks desired by the user, the key K, and m plaintexts P [i], and uses them in the encryption usage mode using the Gray code. M masks G (i) L are generated, and m ciphertexts C [i] are generated and output using the masks G (i) L.

  The processing contents of the product calculation unit 111, the continuous 0-bit calculation unit 113, the storage unit 115, and the product acquisition unit 117 are the same as those in the first embodiment, and a description thereof will be omitted.

<Extended Key Generation Unit 321>
The extended key generation unit 321 receives the key K, generates an extended key k ′ (s321), and outputs it to the exclusive OR calculation unit 319.

<Exclusive OR Calculation Unit 319>
The exclusive OR calculation unit 319 first receives the extended key k ′. Further, the product L [ntz (i)] or L [N [i mod 2 ^k ]] is received. k ′ xor G (i−1) L (exclusive OR of mask G (i−1) L in i−1 and extended key k ′) and product L [p] (where p = ntz (i) Alternatively, an exclusive OR (k ′ xor G (i−1) L xor L [p]) with p = i mod 2 ^k ) is obtained (s319), and this is used as the mask G (i) L and the expanded key in i As the exclusive logical sum k ′ xor G (i) L with k ′, the exclusive logical sum k ′ xor G (i) L is output to the encryption unit 323 and the exclusive logical sum (k ′ xor) of the mask G (i + 1) L and the expanded key k ′ in i + 1 G (i + 1) L) is stored for determination.

<Encryption unit 323>
The encryption unit 323 receives m plaintexts P [i], a key K, and an exclusive OR k ′ xor G (i) L. The encryption unit 323 encrypts the plaintext P [i] using the key K and the exclusive OR (k ′ xor L [p]) as follows.
C [i] = aes_K (P [i] xor k ′ xor G (i) L)
m ciphertexts C [i] are output to the information processing apparatus 400.

<Information processing apparatus 400>
18 shows a functional block diagram of the information processing apparatus 400, and FIG. 19 shows its processing flow. In FIG. 19, variables = initial value, final value, and increment value are described at the upper end of the loop end, and variables are described at the lower end.

  The information processing apparatus 400 includes a product calculation unit 111, a continuous 0-bit calculation unit 113, a storage unit 115, a product acquisition unit 117, an exclusive OR calculation unit 319, an expanded key generation unit 321 and a decryption unit 423.

  The information processing apparatus 400 receives the secret information L, the positive integer k, the number m of masks desired by the user, the key K, and m ciphertexts C [i], and uses the Gray code in the cipher usage mode. M masks G (i) L to be used are generated, m ciphertexts C [i] are decrypted using the masks G (i) L, and m plaintexts P [i] are output.

  The processing contents of the product calculation unit 111, the continuous 0-bit calculation unit 113, the storage unit 115, and the product acquisition unit 117 are the same as in the first embodiment, and the processing contents of the exclusive OR calculation unit 319 and the extended key generation unit 321 Is the same as that of the information processing apparatus 300, and the description is omitted.

<Decoding unit 423>
The decryption unit 423 receives m ciphertexts C [i], a key K, and an exclusive OR k ′ xor G (i) L. The decryption unit 423 decrypts m ciphertexts C [i] using the key K and the exclusive OR (k ′ xor L [p]) as follows.
P [i] = aes ⁻¹ _K (C [i] xor k ′ xor G (i) L)
Output m plaintexts P [i].

<Effect>
With this configuration, the information processing apparatuses 300 and 400 can omit one exclusive OR for each block encryption or decryption process.

<Modification>
The present embodiment may be applied to the second embodiment.

  Further, m may be a value automatically generated according to the size (data amount) of plaintext P or ciphertext C. Similarly, in the first embodiment and the second embodiment, a plaintext or ciphertext to be encrypted or decrypted is given, and m may be automatically generated according to the size.

  The information processing apparatuses 300 and 400 may function by a single computer. In that case, the product calculation unit 111, the continuous 0-bit calculation unit 113, the storage unit 115, the product acquisition unit 117, the exclusive OR calculation unit 319, and the expanded key generation unit 321 can be used in common.

<Other variations>
The present invention is not limited to the above-described embodiments and modifications. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. In addition, it can change suitably in the range which does not deviate from the meaning of this invention.

<Program and recording medium>
The above-described mask generation apparatus and information processing apparatus can also be functioned by a computer. In this case, each process of a program for causing a computer to function as a target device (a device having the functional configuration shown in the drawings in various embodiments) or a process procedure (shown in each embodiment) is processed by the computer. A program to be executed by the computer may be downloaded from a recording medium such as a CD-ROM, a magnetic disk, or a semiconductor storage device or via a communication line into the computer, and the program may be executed.

Claims (8)

A mask generation device that generates a mask to be used in an encryption mode using a gray code,
Let f (x) be an n-th irreducible polynomial over GF (2), and the element of the Galois field GF (2 ⁿ ) is

Is expressed as a polynomial of n-1 order or lower, the coefficient of the polynomial is expressed as an n-bit bit string, floor (A) is a function that returns the largest integer less than or equal to A, and a mask for generating m A product calculation unit for obtaining a product L [p] of secret information L and x ^{2 ^ p} in p = 0, 1,..., Floor (log ₂ (m));
a continuous 0-bit calculating unit for obtaining the number N [q] of 0s arranged from the least significant bit representation of q in ^k = 1, 2,..., 2 ^k −1, where k is a positive integer;
A storage unit storing (floor (log ₂ (m)) + 1) number of the products L [p] and 2 ^k −1 number of the Ns [q];
When i is a multiple of 2 ^k , the number ntz (i) of 0s arranged from the least significant bit representation of i is obtained, and the product L [ntz (i) corresponding to the number ntz (i) of 0 is obtained. )] was removed from the storage unit, when i is not a multiple of ^{2 k,} based on the remainder i mod ^{2 k} obtained by dividing the i in ^{2 k,} from the least significant bit representation of the remainder i mod ^{2 k} The number N [i mod 2 ^k ] of 0 arranged is taken out from the storage unit, and the product L [N [i mod 2 ^k ]] corresponding to the number N [i mod 2 ^k ] is further stored in the storage unit. A product acquisition unit to be taken out from
An exclusive OR of the mask G (i−1) L in i−1 and the product L [ntz (i)] or L [N [i mod 2 ^k ]] is obtained, and the mask G (i) L in i And an exclusive OR calculation unit,
Mask generator. The mask generating apparatus according to claim 1,
The product acquisition unit acquires a plurality of products L [p] in an overlapping manner, repeats the process of retrieving 2 ^k products L [p] from the storage unit, and sets one mask in the repetition process. It is determined whether or not the number i of masks generated is less than or equal to m every time it is generated. Based on the determination result when i ≦ 2 ^k , the determination result at i> 2 ^k is estimated, and i is divided by 2 ^k . Based on the remainder q, the number N [q] of 0s arranged from the least significant bit representation of the remainder q in the order of N [1], N [2],..., N [2 ^k −1]. The product L [p] corresponding to the number N [1], N [2],..., N [2 ^k −1] is further extracted from the storage unit L [N [1]], L [N [2]],..., L [N [2 ^k −1]], and then the number of 0s arranged from the least significant bit representation of i ntz (i) is obtained, and a product L [ntz (i)] corresponding to the number p of 0 is extracted from the storage unit.
Mask generator. The mask generating apparatus according to claim 1,
The product acquisition unit repeats the process of extracting 2 ^k products L [p] from the storage unit, and the number i of masks generated each time 2 ^k masks are generated in the iterative process is m or less. It is determined whether or not the maximum multiple m ′ of 2 ^k is less than or equal to m ′. If the number of generated masks is less than or equal to m ′, the bit representation of the remainder q is based on the remainder q when i is divided by 2 ^k . The number N [q] of 0 arranged from the lowest is taken out from the storage unit in the order of N [1], N [2],..., N [2 ^k −1], and this number N [1] , N [2],..., N [2 ^k −1], L [N [1]], L [N [2]],. extraction in the order of 2 k ^-1]], the next, determine the number of zeros in a row from the least significant bit representation of i ntz (i), the product L corresponding to the number p of 0 ntz a (i)] is taken out from the storage unit,
Mask generator. An information processing apparatus using a mask generated by the mask generation apparatus according to any one of claims 1 to 3,
An expanded key generation unit that generates an expanded key k ′ from the key K;
An encryption / decryption unit that encrypts or decrypts using the key K and the exclusive OR k ′ xor G (i) L;
The exclusive OR calculation unit calculates the exclusive OR of the expanded key k ′ and the mask G (i−1) L in i−1 and the product L [ntz (i)] or L [N [i mod 2 ^k ]], and the obtained exclusive OR is calculated as an exclusive OR k ′ xor G (i) L of the mask G (i) L and the expanded key k ′ in i. To
Information processing device. A mask generation method for generating a mask to be used in an encryption mode using a gray code,
Let f (x) be an n-th irreducible polynomial over GF (2), and the element of the Galois field GF (2 ⁿ ) is

Is expressed as a polynomial of n-1 order or lower, the coefficient of the polynomial is expressed as an n-bit bit string, floor (A) is a function that returns the largest integer less than or equal to A, and a mask for generating m A product calculation step in which the product calculation unit obtains a product L [p] of the secret information L and x ^{2 ^ p} in p = 0, 1,..., Floor (log ₂ (m));
k is a positive integer, and the continuous 0-bit calculating unit obtains the number N [q] of 0s arranged from the least significant bit representation of q in q = 1, 2,..., 2 ^k −1. A calculation step;
The product calculation unit stores (floor (log ₂ (m)) + 1) products L [p] , and the continuous 0-bit calculation unit stores 2 ^k -1 number N [q ] of 0. A storage step to store in
When i is a multiple of 2 ^k , the product acquisition unit obtains the number ntz (i) of 0s arranged from the lowest order of the bit representation of i, and the product corresponding to the number ntz (i) of 0 L extraction [ntz (i)] from the storage unit, when i is not a multiple of ^{2 k,} based on the remainder i mod ^{2 k} obtained by dividing the i in ^{2 k,} bits of the remainder i mod ^{2 k} The number N [i mod 2 ^k ] of 0 arranged from the lowest of the expression is extracted from the storage unit, and the product L [N [i mod 2 ^k ] corresponding to the number N [i mod 2 ^k ] is further ^obtained . ] To obtain a product from the storage unit;
An exclusive OR calculating unit obtains an exclusive OR of the mask G (i−1) L in i−1 and the product L [ntz (i)] or L [N [i mod 2 ^k ]]; an exclusive OR calculation step with a mask G (i) L in i,
Mask generation method. The mask generation method according to claim 5, comprising:
In the product acquisition step, a plurality of products L [p] are acquired in an overlapping manner, and 2 ^k products L [p] are extracted from the storage unit repeatedly, and one mask is set in the repetition processing. It is determined whether or not the number i of masks generated is less than or equal to m every time it is generated. Based on the determination result when i ≦ 2 ^k , the determination result at i> 2 ^k is estimated, and i is divided by 2 ^k . Based on the remainder q, the number N [q] of 0s arranged from the least significant bit representation of the remainder q in the order of N [1], N [2],..., N [2 ^k −1]. The product L [p] corresponding to the number N [1], N [2],..., N [2 ^k −1] is further extracted from the storage unit L [N [1]], L [N [2]],..., L [N [2 ^k −1]] are extracted in this order, and then arranged from the least significant bit representation of i. The number of zeros ntz (i) is obtained, and the product L [ntz (i)] corresponding to the number of zeros p is taken out from the storage unit.
Mask generation method. The mask generation method according to claim 5, comprising:
In the product acquisition step, the process of taking out 2 ^k products L [p] from the storage unit is repeated, and the number i of masks generated each time 2 ^k masks are generated in the repetition process is less than or equal to m. It is determined whether or not the maximum multiple m ′ of 2 ^k is less than or equal to m ′. If the number of generated masks is less than or equal to m ′, the bit representation of the remainder q is based on the remainder q when i is divided by 2 ^k . The number N [q] of 0 arranged from the lowest is taken out from the storage unit in the order of N [1], N [2],..., N [2 ^k −1], and this number N [1] , N [2],..., N [2 ^k −1], L [N [1]], L [N [2]],. 2 ^k -1]] extracted in order, the next, determine the number of zeros in a row from the least significant bit representation of i ntz (i), the number of 0 p Depending productsum L [ntz (i)] to retrieve from the storage unit,
Mask generation method.   A program for causing a computer to function as the mask generation device according to any one of claims 1 to 3 or the information processing device according to claim 4.

Images