JP6830868B2 - Authenticated encryption system with additional data, decryption device, authenticated encryption method with additional data, and program - Google Patents

Description

The present invention relates to an authentication encryption technique with additional data that simultaneously performs message concealment and tampering detection.

The authentication encryption with additional data is a common key cryptographic primitive that simultaneously performs confidentiality of message M and authentication (tampering detection) of message M and additional data A. Examples of the conventional authentication encryption with additional data include APE (Authenticated Permutation-Based Encryption) described in Non-Patent Document 1 and Non-Patent Document 2. Authenticated encryption with additional data consists of two functions, an encryption function and a decryption function. In the authenticated encryption with additional data, the secret key K is shared in advance between the receiver and the sender.

In addition to message M and additional data A, the sender selects a value N, called a nonce, that changes each time the cryptographic function is called. The encryption function generates ciphertext C and tag T corresponding to message M, additional data A, and nonce N, and sends a set of (C, T, A, N) to the recipient.

The recipient receives a set of (C, T, A, N), but at this point there is no guarantee that these values have not been tampered with by a malicious third party. The recipient calculates a decryption function that performs verification at the same time using the received (C, T, A, N) pair and the key K that he owns.

There are several types of decryption functions that perform verification at the same time. Many authenticated encryptions with additional data verify that the tag T'recalculated by the recipient matches the tag T received from the sender. APE verifies whether the value of the intermediate state recalculated by the recipient matches a certain value. In any case, if the values do not match, the result that decoding failed (data has been tampered with) is output.

APE is a method of constructing the encryption function and decryption function of authenticated encryption with additional data. It has the feature that the encryption function and the decryption function are constructed by using a substitution (bijective map) whose size is relatively large compared to the security level (number of bits) to be guaranteed. As described above, the APE decoding function is verified by a special method different from the conventional decoding function.

A specific calculation procedure of the APE encryption function will be described with reference to FIG. The APE encryption function replaces b-bit data called state with b-bit substitution f: {0, 1} ^b → {0, 1} ^b , input data (N, A, M), and key K. Calculate ciphertext C and tag T with repeated updates using. Details of the substitution f are described in Non-Patent Document 2. It should be noted that the input of nonce N is not mandatory, and even if there is nonce N, nonce N becomes a part of the additional data A. Therefore, it is sufficient for the input data to consider additional data A, message M, and key K. Also, the additional data A is processed before the message M. Such additional data A is called the header. The length of both additional data A and message M is limited to double the r-bit length.

The state of b bits is divided into r bits called rate and c (= b-r) bits called capacity. When calculating the encryption function, the b-bit state value is initialized to 0 for the r-bit in the rate part (that is, a bit string in which all bits are 0) and the c-bit in the capacity part to the value of key K. To do.

Step 1. Divide the additional data A into blocks of r bits. The exclusive OR with the first block of additional data A is calculated for the r bit of the rate part of the b-bit state, and the substitution f is calculated for the b-bit state. Let the output of this permutation f be the value of the new state. This operation is repeated until the final block of additional data A is exclusively ORed.

Step 2. Calculates the exclusive OR of the c-bit of the capacity portion of the b-bit state with the integer value 1 (that is, the bit string in which only the least significant bit is 1).

Step 3. Divide message M into blocks of r bits. The exclusive OR with the first block of message M is calculated for the r bit of the rate part of the b-bit state, and the substitution f is calculated for the b-bit state. The output of this substitution f is used as the value of the new state, and the r bit of the rate part is output as the first block of the ciphertext C. This operation is repeated until the last block of message M is exclusively ORed.

Step 4. The exclusive OR of the c-bit key K is calculated for the c-bit of the capacity part of the b-bit state, and the calculation result is output as the c-bit tag T.

A specific calculation procedure of the decoding function of APE will be described with reference to FIG. The APE decryption function calculates the APE encryption function in almost the reverse order. The decoding function normally takes the set of (C, T, A, N) as input, but since nonce N can be regarded as part of the additional data A in APE, the set of (C, T, A) is used. Considered as input.

When calculating the decryption function, the value of the b-bit state is initialized to the value obtained by concatenating the final block of the r-bit ciphertext C (C 2 in the example of FIG. ₂ ) and the c-bit tag T.

Step 1. The exclusive OR of the c-bit key K is calculated for the c-bit of the capacity part of the b-bit state, and the c-bit of the capacity part is updated according to the calculation result.

Step 2. For the b-bit state, the inverse permutation of the permutation f f ^-1 : {0, 1} ^b → {0, 1} ^b is calculated. Let the output of this inverse permutation f ^{-1 be} the value of the new state. The exclusive OR is calculated for the r bit of the rate part with the block immediately before the final block of the ciphertext C (C _{1 in} the example of FIG. 2), and the calculation result is the final block of the message M (Fig. 2). In the example of, it is output as M ₂ ). Further, the r bit of the rate portion is updated by the block immediately before the final block of the ciphertext C (C _{1 in} the example of FIG. 2), and the updated state is set as the value of the new state. This operation is repeated until the first block of ciphertext C (C _{0 in} the example of FIG. 2) is processed. Thus, the last block of the message M (M ₂ in the example of FIG. 2) to a second block (M ₁ in the example of FIG. 2) is restored. Of the last updated states, let S _{r be} the value of the r bit in the rate part and S _c be the value of the c bit in the capacity part.

Step 3. The method of restoring the first block of message M (M _{0 in} the example of FIG. 2) is different from that of the other blocks. First, the same calculation as in steps 1 to 2 of the encryption function is performed. Of the updated state, the value of r bits of rate portion S _'r, the value of c bit capacity portion S' and _c. The exclusive OR of the r-bit value S _r and the r-bit value S _'r is calculated, and outputs the calculation result as the first block of the message M (M ₀ in the example of FIG. 2).

Step 4. comparing the c-bit value S _c and c-bit values S _'c, and outputs a message M whose value is decoded if they match. If they do not match, message M is not output and only an error code indicating that decoding has failed is output.

Of the additional data, the data processed after the message is called a trailer (see, for example, Non-Patent Document 3). The trailer is used to make the interface flexible assuming actual use, and is not related to the safety of the method.

One of the security concepts of the authentication cipher with additional data is unverified decrypted data output (see, for example, Non-Patent Document 4). If the decrypted data that has not been verified to have been tampered with is output at the time of decryption, the security is significantly impaired and a powerful attack is allowed. Therefore, as described above, it is desirable to implement normal authentication encryption with additional data so that when verification fails, only the verification failure error code is output without outputting a message. Unverified decrypted data output is safety in an erroneous implementation that outputs decrypted data regardless of the result of verification (or without verification).

The unverified decrypted data output will be described in more detail. The APE encryption function takes a set of (N, A, M) as an input and outputs a set of (C, T). When the APE decoding function is performed on the correct (C, T, A, N) pairs, the correct message M is decoded regardless of the verification result, but this is not called unverified decrypted data output. .. Unverified decrypted data output is the modification of one or more of the values of C, T, A, N to the correct set (C, T, A, N) known to the recipient (and therefore validation). If you do, it will fail), and it will discuss whether the information in message M will be leaked to the attacker if the verification is not performed. In APE, nonce N is a part of additional data A, so nonce N can be ignored.

Explain the vulnerability of APE to unverified decrypted data output. Consider the case where an attacker specifies a ciphertext C', which is a partial modification of the ciphertext C, and a correct tag T for the correct (C, T, A) pair. For any additional data A, the unverified decrypted data output will attack the correct message M for the correct ciphertext C and the modified ciphertext C', starting from the last block and up to the first block that is not the same value. It leaks to.

In Figure 3, the attacker responds to r-bit additional data A (including nonce N) and 5-r-bit message M (= M ₀ || M ₁ || M ₂ || M ₃ || M ₄ ). Ciphertext C (= C ₀ || C ₁ || C ₂ || C ₃ || C ₄ ) and the tag T are obtained and the modified ciphertext C'(= C ₀ || C ₁ | _{| C '2 || C 3 ||} C 4) ( i.e., the C ₂ only has been modified), and the correct tag T, modified additional data a' if the decoding process was performed on the , Indicates whether each block of the decrypted message M is correct or incorrect.

Ciphertext C which has been modified to be correct ciphertext C 'with respect to, the first not the same value block beginning to last block, in the example of FIG. 3 C' refers to the _second block. In fact, the M ₄ restore procedure using C ₄ , C ₃ (and T) is a process with the correct values, and the correct M ₄ is leaked to the attacker. The value in the C _3, C _'2 and using the M' ₃ restoration procedure, although becomes a value different from the M _3, displaced from C ₂ and C _'2 and exclusive amount corresponding M ₃ of the sum of There 'because it can be seen that equal to _3, the attacker M' M she can restore the correct M ₃ from _3. In the restoration of M _2, the influence of false C _'2 is expanded to rate portion and capacity portion through inverse permutation f ^-1, even entered the correct C _1, the correct M ₂ attacker Will not leak to.

Elena Andreeva, Begul Bilgin, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha and Kan Yasuda, "APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography," FSE 2014, (eds.) Carlos Cid and Christian Rechberger, LNCS, Vol . 8540, pages 168-186, Springer, 2015. Elena Andreeva, Begul Bilgin, Andrey Bogdanov, Atul Luykx, Florian Mendel, Bart Mennink, Nicky Mouha, Qingju Wang and Kan Yasuda, "PRIMATEs v1 --Submission to the CAESAR Competition," Submitted to CAESAR, 2014. Jean-Philippe Aumasson, Philipp Jovanovic and Samuel Neves, "NORX V3," Submitted to CAESAR, 2015. Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, and Kan Yasuda, "How to Securely Release Unveried Plaintext in Authenticated Encryption," ASIACRYPT 2014, (eds.) Palash Sarkar and Tetsu Iwata, LNCS, Vol. 8873, pages 105-125, Springer, 2014.

When unverified decrypted data is output with the conventional APE, even if the attacker specifies the wrong additional data A', a part of the message M corresponding to the correct ciphertext C may be leaked.

In view of the above points, an object of the present invention is to realize an authentication encryption technique with additional data, which has improved security for unverified decrypted data output.

To solve the above problems, the authentication encryption system with additional data of the present invention includes an encryption device and a decryption device. The encryption device has a storage unit that stores an encryption state consisting of a rate part and a capacity part, a common key shared in advance with the decryption device, and a rate part of the encryption state in a predetermined bit string, and is in the encryption state. For the initialization part that sets the capacity part of the above to the common key and each block that divides the input nonce into the length of the rate part of the encryption state, the rate part of the encryption state is applied in order from the previous block. For the nonce calculation unit that calculates a predetermined replacement for the encryption state after updating by exclusive logical sum with the block, and for each block that divides the input message into the length of the rate part of the encryption state. In order from the previous block, the replacement is calculated for the encryption state after updating the rate part of the encryption state by the exclusive logical sum with the block, and each time the replacement is calculated, the rate part of the encryption state is calculated. A message calculation unit that outputs as a block of encrypted text, an additional data calculation unit that calculates replacement with an auxiliary input that changes the rate part of the encryption state using the input additional data, and an encryption unit that encrypts the rate part of the encryption state. It includes a tag generator that outputs as the final block of the statement and outputs as a tag the exclusive logical sum of the capacity part of the encryption state and the common key. The decryption device is a storage unit that stores a decryption state consisting of a rate portion and a capacity portion, a common key shared in advance with the encryption device, and a final encryption text that receives the rate portion of the decryption state from the encryption device. In the block, a first initialization unit that sets the capacity part of the decryption state to the tag received from the encryption device, and a tag decryption unit that updates the capacity part of the decryption state by an exclusive logical sum with the common key. The additional data inverse calculator that calculates the inverse replacement of the replacement with auxiliary input that changes the rate part of the decryption state using the additional data received from the encryption device, and the cipher statement received from the encryption device other than the last block For each block, the inverse substitution of the substitution is calculated for the decryption state in order from the subsequent block, and each time the inverse substitution of the substitution is calculated, the exclusive logical sum of the rate part of the decryption state and the block is the block of the message. The cryptographic inverse calculation unit that updates the rate part of the decryption state by the block, and after storing the value of the decryption state as an intermediate state value, the rate part of the decryption state is stored in a predetermined bit string and the capacity of the decryption state. For the second initialization unit that sets the city part as the common key, and for each block that divides the nonce received from the encryption device into the length of the rate part of the decryption state, the rate part of the decryption state is displayed in order from the previous block. When the nonce calculation unit that calculates the replacement for the decryption state after updating by the exclusive logical sum with the block and the capacity part of the intermediate state value and the capacity part of the decryption state match, the intermediate state value Includes a tampering detector that outputs the exclusive logical sum of the rate portion of the message and the rate portion of the decryption state as the first block of the message.

According to the present invention, in the authenticated encryption with additional data, the security against unverified decrypted data output is improved.

FIG. 1 is a diagram for explaining a conventional encryption function. FIG. 2 is a diagram for explaining a conventional decoding function. FIG. 3 is a diagram for explaining the vulnerability to unverified decrypted data output. FIG. 4 is a diagram illustrating a functional configuration of an authenticated encryption system with additional data. FIG. 5 is a diagram illustrating the functional configuration of the encryption device. FIG. 6 is a diagram illustrating the functional configuration of the nonce calculation unit. FIG. 7 is a diagram illustrating the functional configuration of the message calculation unit. FIG. 8 is a diagram illustrating the functional configuration of the additional data calculation unit. FIG. 9 is a diagram illustrating the functional configuration of the decoding device. FIG. 10 is a diagram illustrating the functional configuration of the additional data inverse calculation unit. FIG. 11 is a diagram illustrating the functional configuration of the ciphertext inverse calculation unit. FIG. 12 is a diagram illustrating the functional configuration of the nonce calculation unit. FIG. 13 is a diagram illustrating the processing procedure of the encryption method. FIG. 14 is a diagram for explaining an example of the encryption function of the embodiment. FIG. 15 is a diagram for explaining an example of the encryption function of the embodiment. FIG. 16 is a diagram illustrating a processing procedure of the decoding method. FIG. 17 is a diagram for explaining an example of the decoding function of the embodiment. FIG. 18 is a diagram for explaining an example of the decoding function of the embodiment.

Hereinafter, embodiments of the present invention will be described in detail. In the drawings, the components having the same function are given the same number, and duplicate description is omitted.

An embodiment of the present invention is an authentication encryption system and method with additional data that performs authentication encryption with additional data, which is more secure than ever before for unverified decrypted data output. In the conventional APE, the nonce N is treated as a part of the additional data A, but in the embodiment, the additional data of the APE is divided into the nonce N and the other additional data A and treated. Nonce N is processed as a header before message M, and additional data A is processed as a trailer after message M.

As shown in FIG. 4, the authentication encryption system with additional data of the embodiment includes an encryption device 1 that executes an encryption function of the authentication encryption with additional data and a decryption device 2 that executes a decryption function of the authentication encryption with additional data. And include. In this embodiment, the encryption device 1 and the decryption device 2 are each connected to the communication network 3. The communication network 3 is a circuit-switched or packet-switched communication network configured so that each connected device can communicate with each other. For example, the Internet, LAN (Local Area Network), WAN (Wide Area Network). Etc. can be used. It should be noted that each device does not necessarily have to be able to communicate online via the communication network 3. For example, the information output by the encryption device 1 may be stored in a portable recording medium such as a magnetic tape or a USB memory, and the information may be input offline from the portable recording medium to the decoding device 2.

As shown in FIG. 5, the encryption device 1 included in the authentication encryption system with additional data includes a storage unit 10, an input unit 11, an initialization unit 12, a nonce calculation unit 13, a message calculation unit 14, and a boundary setting unit 15. It includes an additional data calculation unit 16, a tag generation unit 17, and an output unit 18. As shown in FIG. 6, the nonce calculation unit 13 included in the encryption device 1 includes a division unit 131, an exclusive OR unit 132, and a replacement unit 133. As shown in FIG. 7, the message calculation unit 14 included in the encryption device 1 includes a division unit 141, an exclusive OR unit 142, a replacement unit 143, and a ciphertext output unit 144. The additional data calculation unit 16 included in the encryption device 1 includes a division unit 161, an exclusive OR unit 162, and a replacement unit 163, as shown in FIG.

As shown in FIG. 9, the decryption device 2 included in the authentication encryption system with additional data includes, for example, a storage unit 20, an input unit 21, a first initialization unit 22, a tag decryption unit 23, and an additional data inverse calculation unit 24. It includes a boundary removal unit 25, a ciphertext inverse calculation unit 26, a second initialization unit 27, a nonce calculation unit 28, a tampering detection unit 29, and an output unit 30. As shown in FIG. 10, the additional data inverse calculation unit 24 included in the decoding device 2 includes a division unit 241, an inverse replacement unit 242, and an exclusive OR unit 243. As shown in FIG. 11, the ciphertext inverse calculation unit 26 included in the decryption device 2 includes an inverse replacement unit 261, an exclusive OR unit 262, and a message output unit 263. As shown in FIG. 12, the nonce calculation unit 28 included in the decoding device 2 includes a division unit 281, an exclusive OR unit 282, and a replacement unit 283.

The encryption device 1 performs the processing of each step shown in FIG. 13, and the decryption device 2 performs the processing of each step shown in FIG. 16, thereby realizing the authentication encryption method with additional data of the embodiment. Of the authenticated encryption methods with additional data, the portion executed by the encryption device 1 is also referred to as an encryption method, and the portion executed by the decryption device 2 is also referred to as a decryption method.

In the encryption device 1 and the decryption device 2, a special program is read into a known or dedicated computer having, for example, a central processing unit (CPU), a main storage device (RAM: Random Access Memory), and the like. It is a special device configured. The encryption device 1 and the decryption device 2 execute each process under the control of the central processing unit, for example. The data input to the encryption device 1 and the decryption device 2 and the data obtained by each process are stored in the main storage device, for example, and the data stored in the main storage device is stored in the central processing unit as needed. It is read out and used for other processing. At least a part of each processing unit of the encryption device 1 and the decryption device 2 may be configured by hardware such as an integrated circuit. Each storage unit included in the encryption device 1 and the decryption device 2 is composed of, for example, a main storage device such as RAM (Random Access Memory) and a semiconductor memory element such as a hard disk, an optical disk, or a flash memory (Flash Memory). It can be configured with storage or middleware such as relational databases and key-value stores.

Among the authentication encryption methods with additional data executed by the authentication encryption system with additional data of the embodiment, the encryption method executed by the encryption device 1 will be described with reference to FIGS. 13-15.

In the storage unit 10 of the encryption device 1, a b-bit state composed of an r-bit rate portion and a c-bit capacity portion (hereinafter, in order to distinguish from the state stored in the storage unit 20 of the decryption device 2). , Called the encryption state) and the common key K shared in advance with the decryption device 2. For example, the state is 512 bits, the rate part is 256 bits, and the capacity part is 256 bits (that is, b = 512, r = 256, c = 256). The ratio of the length of the rate part to the length part of the capacity part is a trade-off between processing speed and safety. As the length of the rate portion increases, the processing speed increases but the safety decreases. On the contrary, when the length of the capacity portion is increased, the safety is improved but the processing speed is lowered. Therefore, each value of b, r, and c may be appropriately designed in consideration of a desired balance between processing speed and safety.

In step S11, the set (N, A, M) of the nonce N, the additional data A, and the message M is input to the input unit 11 of the encryption device 1. The nonce N may be input as a part of the additional data as in the conventional APE, in which case the input unit 11 divides the input additional data into the nonce N and the additional data A. Since the nonce N is usually a fixed length, it can be easily divided by, for example, setting a predetermined number of bits from the beginning of the input additional data as the nonce N and setting the rest as the additional data A. .. Nonce N, additional data A, and message M are all r bits in length. The input unit 11 inputs the nonce N to the nonce calculation unit 13, the message M to the message calculation unit 14, and the additional data A to the additional data calculation unit 16.

In step S12, the initialization unit 12 of the encryption device 1 sets the value of the rate portion of the encryption state stored in the storage unit 10 to 0 (that is, a bit string in which all bits are 0) and has a capacity. Initialize by setting the value of the part to the value of the common key K.

In step S13, the nonce calculation unit 13 of the encryption device 1 receives the nonce N from the input unit 11, and uses the nonce N to update the value of the encryption state stored in the storage unit 10. The division unit 131 of the nonce calculation unit 13 divides the nonce N into blocks of r bits (that is, the same length as the rate portion of the encryption state). The exclusive OR unit 132 of the nonce calculation unit 13 calculates the exclusive OR of the rate portion of the encryption state and the block of the nonce N, and updates the rate portion of the encryption state according to the calculation result. The replacement unit 133 of the nonce calculation unit 13 calculates a predetermined b-bit replacement f: {0, 1} ^b → {0, 1} ^b for the entire b-bit encryption state, and calculates the calculation result. The value of the new encryption state. As the substitution f, for example, the substitution described in Non-Patent Document 2 can be used. The nonce calculation unit 13 executes the above operation from the first block to the final block of the nonce N in order from the previous block.

In step S14, the message calculation unit 14 of the encryption device 1 receives the message M from the input unit 11, and uses the message M to update the value of the encryption state stored in the storage unit 10. The division unit 141 of the message calculation unit 14 divides the message M into blocks of r bits. The exclusive OR unit 142 of the message calculation unit 14 calculates the exclusive OR of the rate portion of the encryption state and the block of the message M, and updates the rate portion of the encryption state according to the calculation result. The replacement unit 143 of the message calculation unit 14 calculates the b-bit replacement f for the entire b-bit encryption state, and sets the calculation result as the value of the new encryption state. The ciphertext output unit 144 of the message calculation unit 14 outputs the value of the rate portion of the encryption state as a block of the ciphertext C. The message calculation unit 14 executes the above operation from the first block to the last block of the message M in order from the previous block. However, here, the block of ciphertext C corresponding to the final block of message M is not output.

In step S15, the boundary setting unit 15 of the encryption device 1 calculates the exclusive OR of the capacity portion of the encryption state and the integer value 1 (that is, the bit string in which only the least significant bit is 1), and the calculation thereof. The capacity part of the encryption state is updated according to the result. In other words, the boundary setting unit 15 inverts only the least significant bit of the encryption state. This operation is performed so that the recipient can determine the boundary between the ciphertext C and the additional data A.

In step S16, the additional data calculation unit 16 of the encryption device 1 receives the additional data A from the input unit 11, and updates the value of the encryption state stored in the storage unit 10 using the additional data A. As shown in FIG. 14, the additional data calculation unit 16 inputs the replacement f': {0, 1} ^b → {0, 1} ^b with an auxiliary input and the b-bit encryption state as an input, and inputs the additional data A. It is calculated as an auxiliary input, and the calculation result is used as the value of the new encryption state. Substitution f'with auxiliary input is an inverse substitution f'- ¹ : that changes the input value using the auxiliary input value and restores the input value from the replaced value using the same auxiliary input. {0, 1} ^b → {0, 1} ^b is a permutation that can be defined. Specifically, as shown in FIG. 15, the substitution f'with an auxiliary input can be implemented by using the substitution f. In this case, the additional data calculation unit 16 is configured as follows. The division unit 161 of the additional data calculation unit 16 divides the additional data A into blocks of r bits. The exclusive OR unit 162 of the additional data calculation unit 16 calculates the exclusive OR of the rate portion of the encryption state and the block of the additional data A, and updates the rate portion of the encryption state according to the calculation result. The replacement unit 163 of the additional data calculation unit 16 calculates the b-bit replacement f for the entire b-bit encryption state, and sets the calculation result as the value of the new encryption state. The additional data calculation unit 16 executes the above operation from the first block to the final block of the additional data A in order from the previous block.

In step S17, the tag generation unit 17 of the encryption device 1 calculates the exclusive OR of the capacity portion of the encryption state and the common key K, and updates the capacity portion of the encryption state based on the calculation result. .. The tag generation unit 17 outputs the rate portion of the encryption state as the final block of the ciphertext C, and outputs the capacity portion of the encryption state as the tag T.

In step S18, the output unit 18 of the encryption device 1 transmits a set (C, T, A, N) of the ciphertext C, the tag T, the additional data A, and the nonce N to the decryption device 2.

Of the authentication encryption methods with additional data executed by the authentication encryption system with additional data of the embodiment, the decryption method executed by the decryption device 2 will be described with reference to FIGS. 16-18.

In the storage unit 20 of the decryption device 2, a b-bit state composed of an r-bit rate portion and a c-bit capacity portion (hereinafter, for distinguishing from the state stored in the storage unit 10 of the encryption device 1). , Called a decryption state) and the common key K shared in advance with the encryption device 1. Each value of b, r, and c is assumed to be the same as the encryption state stored in the storage unit 10 of the encryption device 1.

In step S21, the set (C, T, A, N) of the ciphertext C, the tag T, the additional data A, and the nonce N received from the encryption device 1 is input to the input unit 21 of the decryption device 2. The input unit 21 transfers the final block of the ciphertext C and the tag T to the first initialization unit 22, additional data A to the additional data inverse calculation unit 24, and each block other than the final block of the ciphertext C to the ciphertext inverse. The nonce N is input to the calculation unit 26 and the nonce N is input to the nonce calculation unit 28, respectively.

In step S22, the first initialization unit 22 of the decryption device 2 receives the final block of the ciphertext C and the tag T from the input unit 21, and the value of the rate portion of the decryption state stored in the storage unit 20. Is set to the value of the last block of ciphertext C, and the value of the capacity part is set to the value of tag T, and initialized.

In step S23, the tag decoding unit 23 of the decoding device 2 calculates the exclusive OR of the capacity portion of the decoding state and the common key K, and updates the capacity portion of the decoding state based on the calculation result.

In step S24, the additional data inverse calculation unit 24 of the decoding device 2 receives the additional data A from the input unit 21, and updates the value of the decoding state stored in the storage unit 20 using the additional data A. As shown in FIG. 17, the additional data inverse calculation unit 24 sets the inverse substitution f'- ¹ : {0, 1} ^b → {0, 1} ^b of the substitution f'with auxiliary input, and the decoding state of the b bit. As an input, the additional data A is calculated as an auxiliary input, and the calculation result is used as the value of the new decoding state. The inverse permutation f'- ¹ of the permutation f'with an auxiliary input can be specifically implemented using the inverse permutation f ^-1 of the permutation f, as shown in FIG. In this case, the additional data inverse calculation unit 24 is configured as follows. The division unit 241 of the additional data inverse calculation unit 24 divides the additional data A into blocks of r bits. The inverse substitution unit 242 of the additional data inverse calculation unit 24 calculates the inverse substitution f ^-1 of the b-bit substitution f for the entire decoding state of the b bit, and sets the calculation result as the value of the new decoding state. The exclusive OR unit 243 of the additional data inverse calculation unit 24 calculates the exclusive OR of the rate portion of the decoding state and the block of the additional data A, and updates the rate portion of the decoding state according to the calculation result. The additional data inverse calculation unit 24 executes the above operation in order from the block after the last block to the first block of the additional data A.

In step S25, the boundary removing unit 25 of the decoding device 2 calculates the exclusive OR of the capacity portion of the decoding state and the integer value 1, and updates the capacity portion of the decoding state based on the calculation result. That is, the boundary removing unit 25 inverts only the least significant bit of the decoding state.

In step S26, the ciphertext inverse calculation unit 26 of the decryption device 2 receives each block other than the final block of the ciphertext C from the input unit 21, and stores each block of the ciphertext C in the storage unit 20. Update the value of the decryption state. The inverse substitution unit 261 of the ciphertext inverse calculation unit 26 calculates the inverse substitution f ^-1 of the substitution f for the entire decoding state of the b bit, and sets the calculation result as the value of the new decoding state. The exclusive OR unit 262 of the ciphertext inverse calculation unit 26 calculates the exclusive OR of the rate portion of the decryption state and the block of the ciphertext C, and updates the rate portion of the decryption state by the block of the ciphertext C. To do. The message output unit 263 of the ciphertext inverse calculation unit 26 outputs the exclusive OR of the rate portion of the decryption state and the block of the ciphertext C as a block of the message M. The ciphertext inverse calculation unit 26 executes the above operation in order from the block immediately before the final block of the ciphertext C to the first block from the block behind.

In step S27, the second initialization unit 27 of the decoding device 2 sets the value of the rate portion of the decoding state as the intermediate state value S _r and the value of the capacity portion of the decoding state as the intermediate state value S _c , for example, a storage unit. Store in 20 etc. After that, among the decryption states stored in the storage unit 20, the value of the rate portion is set to 0 and the value of the capacity portion is set to the value of the common key K for initialization.

In step S28, the nonce calculation unit 28 of the decoding device 2 receives the nonce N from the input unit 21, and uses the nonce N to update the value of the decoding state stored in the storage unit 20. The division unit 281 of the nonce calculation unit 28 divides the nonce N into blocks of r bits. The exclusive OR unit 282 of the nonce calculation unit 28 calculates the exclusive OR of the rate portion of the decoding state and the block of the nonce N, and updates the rate portion of the decoding state according to the calculation result. The replacement unit 283 of the nonce calculation unit 28 calculates the replacement f of the b bit for the entire decoding state of the b bit, and sets the calculation result as the value of the new decoding state. The nonce calculation unit 28 executes the above operation from the first block to the final block of nonce N in order from the previous block.

In step S29, the tampering detection unit 29 of the decoding device 2, the value of the rate portion of the decoding state 'and _r, the value of the capacity part of the decoding state intermediate state value S' intermediate state value S as _c, for example, a storage unit Store in 20 etc. Then compared with the intermediate state value S _c stored in the storage unit 20 and an intermediate state value S _'c. Exclusive of the case two intermediate state values is equal to (S _c = S _'c) advances the process to step S301, the intermediate state value S _r and the intermediate state value S stored in the storage unit 20' and _r Is output from the output unit 30 as the first block of the message M. If the two intermediate state values are not equal, the process proceeds to step S302, and an error code indicating that decoding has failed is output from the output unit 30.

By configuring as described above, the authentication encryption technique with additional data of the embodiment is improved in security against unverified decrypted data output. In the authentication encryption technique with additional data of the embodiment, when the unverified decrypted data is output, the attacker not only specifies the ciphertext C'which is a part of the correct ciphertext C modified and the correct tag T, but also is correct. Unless additional data A is also specified, the correct message M will not be leaked. Correct additional data A is incorrect even by 1 bit If additional data A'is used, all blocks of message M are incorrect because the state value is incorrect at the stage of calculating the final block of message M. It becomes the data. Therefore, the correct message M is not leaked even if the unverified decrypted data is output, and the security for the unverified decrypted data output is improved.

Although the embodiments of the present invention have been described above, the specific configuration is not limited to these embodiments, and even if the design is appropriately changed without departing from the spirit of the present invention, the specific configuration is not limited to these embodiments. Needless to say, it is included in the present invention. The various processes described in the embodiments are not only executed in chronological order according to the order described, but may also be executed in parallel or individually as required by the processing capacity of the device that executes the processes.

[Program, recording medium]
When various processing functions in each device described in the above embodiment are realized by a computer, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on the computer, various processing functions in each of the above devices are realized on the computer.

The program describing the processing content can be recorded on a computer-readable recording medium. The computer-readable recording medium may be, for example, a magnetic recording device, an optical disk, a photomagnetic recording medium, a semiconductor memory, or the like.

In addition, the distribution of this program is carried out, for example, by selling, transferring, renting, or the like a portable recording medium such as a DVD or CD-ROM on which the program is recorded. Further, the program may be stored in the storage device of the server computer, and the program may be distributed by transferring the program from the server computer to another computer via a network.

A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. Then, when the process is executed, the computer reads the program stored in its own storage device and executes the process according to the read program. Further, as another execution form of this program, a computer may read the program directly from a portable recording medium and execute processing according to the program, and further, the program is transferred from the server computer to this computer. It is also possible to execute the process according to the received program one by one each time. In addition, the above processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition without transferring the program from the server computer to this computer. May be. The program in this embodiment includes information used for processing by a computer and equivalent to the program (data that is not a direct command to the computer but has a property of defining the processing of the computer, etc.).

Further, in this embodiment, the present device is configured by executing a predetermined program on the computer, but at least a part of these processing contents may be realized by hardware.

1 Encryption device 2 Decryption device 3 Communication network 10 Storage unit 11 Input unit 12 Initialization unit 13 Nonce calculation unit 14 Message calculation unit 15 Boundary setting unit 16 Additional data calculation unit 17 Tag generation unit 18 Output unit 20 Storage unit 21 Input unit 22 First initialization unit 23 Tag decoding unit 24 Additional data inverse calculation unit 25 Boundary removal unit 26 Ciphertext inverse calculation unit 27 Second initialization unit 28 Nonce calculation unit 29 Tampering detection unit 30 Output unit

Claims (5)

An authenticated encryption system with additional data, including an encryption device and a decryption device.
The above encryption device
A storage unit that stores an encryption state consisting of a rate part and a capacity part, and a common key shared in advance with the decryption device.
An initialization unit that sets the rate portion of the encryption state to a predetermined bit string and the capacity portion of the encryption state to the common key.
For each block in which the input nonce is divided into the lengths of the rate portion of the encryption state, the rate portion of the encryption state is updated by the exclusive OR with the block in order from the previous block. A nonce calculation unit that calculates a predetermined replacement for the encryption state and updates the above encryption state with the calculation result ,
For each block in which the input message is divided into the lengths of the rate portion of the encrypted state, the rate portion of the encrypted state is updated by the exclusive OR with the block in order from the previous block. A message calculation unit that calculates the above substitution for the encryption state, updates the above encryption state with the calculation result, and outputs the rate part of the above encryption state as a ciphertext block each time the above substitution is calculated. ,
An additional data calculation unit that calculates a replacement with an auxiliary input that changes the rate part of the encryption state using the input additional data, and updates the encryption state with the calculation result .
A tag generation unit that outputs the rate portion of the encryption state as the final block of the ciphertext and outputs the exclusive OR of the capacity portion of the encryption state and the common key as a tag.
Including
The above decoding device
A storage unit that stores a decryption state consisting of a rate portion and a capacity portion, and a common key shared in advance with the encryption device.
A first initialization unit that sets the rate portion of the decryption state in the final block of the ciphertext received from the encryption device, and the capacity portion of the decryption state in the tag received from the encryption device.
A tag decryption unit that updates the capacity portion of the decryption state by exclusive OR with the common key,
An additional data inverse calculation unit that calculates the inverse substitution of the substitution with an auxiliary input that changes the rate portion of the decryption state using the additional data received from the encryption device, and updates the decryption state with the calculation result .
For each block other than the final block of the ciphertext received from the encryption device, the inverse substitution of the substitution is calculated for the decryption state in order from the subsequent block, and the decryption state is updated with the calculation result. , Each time the inverse substitution of the above substitution is calculated, the exclusive logical sum of the rate portion of the decryption state and the block is output as a block of the message, and the ciphertext reverse that updates the rate portion of the decryption state by the block. Calculation department and
After storing the value of the decoding state as an intermediate state value in the storage unit of the decoding device, the rate portion of the decoding state is set in the predetermined bit string, and the capacity portion of the decoding state is set in the common key. Initialization part and
For each block obtained by dividing the nonce received from the encryption device into the lengths of the rate portion of the decryption state, the rate portion of the decryption state is updated by exclusive OR with the block in order from the previous block. A nonce calculation unit that calculates the substitution for the decoding state of the above and updates the decoding state with the calculation result ,
When the capacity portion of the intermediate state value and the capacity portion of the decoding state match, the exclusive OR of the rate portion of the intermediate state value and the rate portion of the decoding state is used as the first block of the message. The tampering detector that outputs and
Only including,
The above-mentioned predetermined substitution is a substitution indistinguishable from a random substitution, and is
The above substitution with auxiliary input is a substitution that can define an inverse substitution that changes the input value using the auxiliary input value and restores the input value from the replaced value using the same auxiliary input. ,
The encryption device performs processing in the order of the initialization unit, the nonce calculation unit, the message calculation unit, the additional data calculation unit, and the tag generation unit.
The decoding device processes the first initialization unit, the tag decoding unit, the additional data inverse calculation unit, the ciphertext inverse calculation unit, the second initialization unit, the nonce calculation unit, and the falsification detection unit in this order. Is to do,
Authenticated encryption system with additional data. The authentication encryption system with additional data according to claim 1.
The additional data calculation unit divides the input additional data into the lengths of the rate portion of the encryption state, and in order from the previous block, the rate portion of the encryption state is exclusive to the block. The replacement with an auxiliary input is calculated by calculating the replacement for the encryption state after updating by exclusive-or.
The additional data back calculation unit divides the additional data received from the encryption device into the lengths of the rate portion of the decryption state, and in order from the rear block, the reverse of the substitution with respect to the decryption state. By calculating the substitution, the inverse substitution of the substitution with the auxiliary input is calculated, and the rate portion of the decoding state is updated by the exclusive OR with the block.
Authenticated encryption system with additional data. A storage unit that stores the decryption state consisting of the rate part and the capacity part, and the common key shared in advance with the encryption device.
A first initialization unit that sets the rate portion of the decryption state in the final block of the ciphertext received from the encryption device and the capacity portion of the decryption state in the tag received from the encryption device.
A tag decryption unit that updates the capacity portion of the decryption state by exclusive OR with the common key,
An additional data inverse calculation unit that calculates the inverse substitution of the substitution with an auxiliary input that changes the rate portion of the decryption state using the additional data received from the encryption device, and updates the decryption state with the calculation result .
For each block other than the final block of the ciphertext received from the encryption device, the inverse substitution of the predetermined substitution is calculated for the decryption state in order from the subsequent block, and the decryption state is updated with the calculation result. Then, every time the inverse substitution of the above substitution is calculated, the exclusive logical sum of the rate portion of the decryption state and the block is output as a block of the message, and the ciphertext reverse that updates the rate portion of the decryption state by the block. Calculation department and
After storing the value of the decoding state as an intermediate state value in the storage unit, the second initialization unit sets the rate portion of the decoding state in a predetermined bit string and the capacity portion of the decoding state in the common key. ,
For each block obtained by dividing the nonce received from the encryption device into the lengths of the rate portion of the decryption state, the rate portion of the decryption state is updated by exclusive OR with the block in order from the previous block. A nonce calculation unit that calculates the substitution for the decoding state of the above and updates the decoding state with the calculation result ,
When the capacity portion of the intermediate state value and the capacity portion of the decoding state match, the exclusive OR of the rate portion of the intermediate state value and the rate portion of the decoding state is used as the first block of the message. The tampering detector that outputs and
Including
The first initialization unit, the tag decoding unit, the additional data inverse calculation unit, the ciphertext inverse calculation unit, the second initialization unit, the nonce calculation unit, and the falsification detection unit are processed in this order.
The above encryption device
The storage unit stores the encryption state consisting of the rate part and the capacity part and the common key shared in advance with the decryption device.
The initialization unit sets the rate portion of the encryption state to the predetermined bit string and the capacity portion of the encryption state to the common key.
For each block in which the input nonce is divided into the lengths of the rate portion of the encryption state , the nonce calculation unit divides the input nonce into the lengths of the rate portion of the encryption state. The above substitution is calculated for the above-mentioned encryption state after the update, and the above- mentioned encryption state is updated with the calculation result.
For each block in which the input message is divided into the lengths of the rate portion of the encryption state , the message calculation unit performs the rate portion of the encryption state in order from the previous block by exclusive-OR with the block. The above substitution is calculated for the above encryption state after the update, the above encryption state is updated by the calculation result, and the rate portion of the above encryption state is used as a block of the above ciphertext each time the above substitution is calculated. Output and
The additional data calculation unit calculates the replacement with the auxiliary input that changes the rate portion of the encryption state using the input additional data, and updates the encryption state with the calculation result.
The tag generation unit outputs the rate portion of the encryption state as the final block of the ciphertext, and outputs the exclusive OR of the capacity portion of the encryption state and the common key as the tag .
The above-mentioned predetermined substitution is a substitution indistinguishable from a random substitution, and is
The above substitution with auxiliary input is a substitution that can define an inverse substitution that changes the input value using the auxiliary input value and restores the input value from the replaced value using the same auxiliary input. ,
The encryption device performs processing in the order of the initialization unit, the nonce calculation unit, the message calculation unit, the additional data calculation unit, and the tag generation unit.
Decoding device. An authentication encryption method with additional data performed by an authentication encryption system with additional data, including an encryption device and a decryption device.
The above encryption device
The storage unit stores the encryption state consisting of the rate part and the capacity part and the common key shared in advance with the decryption device.
The initialization unit sets the rate portion of the encryption state to a predetermined bit string and the capacity portion of the encryption state to the common key.
For each block in which the input nonce is divided into the lengths of the rate portion of the encryption state , the nonce calculation unit divides the input nonce into the lengths of the rate portion of the encryption state. A predetermined replacement is calculated for the above-mentioned encryption state after the update, and the above-mentioned encryption state is updated with the calculation result.
For each block in which the input message is divided into the lengths of the rate portion of the encryption state , the message calculation unit performs the rate portion of the encryption state in order from the previous block by exclusive-OR with the block. The above substitution is calculated for the above encryption state after the update, the above encryption state is updated by the calculation result, and the rate part of the above encryption state is output as a ciphertext block each time the above substitution is calculated. And
The additional data calculation unit calculates the replacement with an auxiliary input that changes the rate part of the encryption state using the input additional data, and updates the encryption state with the calculation result.
The tag generation unit outputs the rate portion of the encryption state as the final block of the ciphertext, and outputs the exclusive OR of the capacity portion of the encryption state and the common key as a tag.
The above decoding device
The storage unit stores the decryption state consisting of the rate portion and the capacity portion and the common key shared in advance with the encryption device.
The first initialization unit sets the rate portion of the decryption state in the final block of the ciphertext received from the encryption device, and sets the capacity portion of the decryption state in the tag received from the encryption device.
The tag decryption unit updates the capacity portion of the decryption state by the exclusive OR with the common key.
The additional data inverse calculation unit calculates the inverse substitution of the substitution with the auxiliary input that changes the rate portion of the decryption state using the additional data received from the encryption device, and updates the decryption state with the calculation result. ,
The ciphertext inverse calculation unit calculates the inverse substitution of the substitution for the decryption state in order from the subsequent block for each block other than the final block of the ciphertext received from the encryption device, and the calculation result. Updates the decoding state with, and each time the inverse substitution of the substitution is calculated, the exclusive logical sum of the rate portion of the decoding state and the block is output as a block of the message, and the rate of the decoding state is output by the block. Update the part,
After the second initialization unit stores the value of the decoding state as an intermediate state value in the storage unit of the decoding device, the rate portion of the decoding state is set to the predetermined bit string, and the capacity portion of the decoding state is set to the above. Set to common key,
For each block in which the nonce calculation unit divides the nonce received from the encryption device into the lengths of the rate portion of the decryption state, the rate portion of the decryption state is exclusively ORed with the block in order from the previous block. The substitution is calculated for the decoding state after being updated by the sum, and the decoding state is updated with the calculation result.
When the tampering detection unit matches the capacity portion of the intermediate state value and the capacity portion of the decoding state, the above message indicates the exclusive OR of the rate portion of the intermediate state value and the rate portion of the decoding state. and outputs as the first block of,
The above-mentioned predetermined substitution is a substitution indistinguishable from a random substitution, and is
The above substitution with auxiliary input is a substitution that can define an inverse substitution that changes the input value using the auxiliary input value and restores the input value from the replaced value using the same auxiliary input. ,
The encryption device performs processing in the order of the initialization unit, the nonce calculation unit, the message calculation unit, the additional data calculation unit, and the tag generation unit.
The decoding device processes the first initialization unit, the tag decoding unit, the additional data inverse calculation unit, the ciphertext inverse calculation unit, the second initialization unit, the nonce calculation unit, and the falsification detection unit in this order. Is to do,
Authenticated encryption method with additional data. A program for operating a computer as the decoding device according to claim 3 .

Images