JPH03254538A - Cryptographic system - Google Patents

Abstract

PURPOSE:To attain cryptographic processing at a faster speed than a speed of a conventional system by applying parallel processing to a division data resulting from dividing an input plain sentence data comprising plural bits by means of variable bit rotation and addition, and further applying rotation processing to the entire data. CONSTITUTION:In a cryptographic system in which an input plain sentence data comprising plural bits is processed by using an intermediate key obtained from processing a secret key data comprising of plural bits to obtain a cryptographic data, a key processing section 10 processes a 128-bit secret key K to calculate a 256-bit intermediate key KS. The intermediate key KS consists of parallel data KS<0>, KS<1>, KS<2>, KS<3> in 64-bit (8-bit) each. Moreover, the key processing section 10 calculates a 4X4 matrix R using bit rotation number being an integral number of 3-10 as its elements. The cryptographic processing is implemented after the end of key processing. A cryptographic processing section 20 uses the 256-bit intermediate key KS and the matrix R, ciphers a 126-bit plain sentence data Y in parallel processing to obtain a cryptographic sentence Y'.

Description

DETAILED DESCRIPTION OF THE INVENTION [Field of Industrial Application] The present invention relates to a high-speed common key (private key) cryptosystem.

[Conventional technology]

With the advancement of systems that integrate communications and computers, ensuring information security has become an important issue. One of the information security technologies is secret key cryptography. Secret key cryptography can be used in a wide range of applications, including encryption of communication and storage data, as well as authentication.

Conventionally, the DES method (Reference NB
S: “Data Encryption S ta
ndard”.

FIPS-PUB-45 (1977)), FEAL method (Reference Shimizu, Miyaguchi: “High-speed data encryption algorithm FE
AL”, Theory of Faith (D), J70-D.

? , pp. 1413-1423 (1987)). The DES method was developed with the aim of realizing it in hardware, but the LSI darkening speed is 1
0 to 20 Mbps (References Ikeno, Koyama: “Modern Cryptography Theory”, IEICE Theory, pP, 256-2
57 (1986)). On the other hand, the FEAL method was developed for the purpose of high-speed processing in software, and is currently upgraded to FEAL-8 (Literature Room Ro, Shiraishi, Shimizu: "FEAL-8 Algorithm", Research Report, Vol. 3
Volume 7, No. 475, pp, 321-327 (1988)
) is used as. The LSI of FEAL-8 is 9
A 6Mbps version has been developed (Reference H0Mori
ta, M, 5asaoka, S, Miyag
uchi: “5Ecurity Design for
r F E A L -8Encipherment
L S I and B 0ARD/B
OX″Digest of papers of
FTC8-18, Po5terSession, pp
, 21-24 (1988)).

[Problem to be solved by the invention]

Currently, high speed and multimedia technology are progressing mainly in LAN environments. In particular, encryption speeds of several hundred Mbps are required to encrypt lower layer information of a LAN and high-definition video. In order to apply it to this area, it is necessary to use the DES method and FE method.
There is a need for an encryption method that can perform faster processing than the AL method.

An object of the present invention is to provide a high-speed encryption method that can perform encryption processing at several hundred Mbps.

[Means to solve the problem]

In order to achieve the above object, the present invention provides a cryptographic method for processing input plaintext data consisting of a plurality of bits using an intermediate axis obtained by processing secret key data consisting of a plurality of bits, and obtaining ciphertext data. .

Divide the input data into two pieces of equal length data (a and b), and for each data of a and b, rotate the intermediate axis by a variable or predetermined number of rotations as a constant.
Type data is a1, a2゜b1, b2, a1, a
Divide each data of 2, b1, and b2 into small data of equal length, add the small data belonging to al and bl in parallel to create new data of a, and add the small data belonging to a2 and b2 in parallel. It is characterized in that each of these data is added in parallel to create new data of b, and then the combined data of a and b is rotated in either the left or right direction by a plurality of bits, and the result obtained is used as output data.

[For production]

In the present invention, regarding the core processing of cryptographic processing, which is usually called the f function, in the conventional FEAL method, divided data is converted into random numbers by serial processing of addition and fixed bit rotation, but the part is divided into one part. The data is processed in parallel using variable bit rotation and addition, and then the entire data is rotated. This enables faster encryption than before.

By using the encryption method of the present invention, it is possible to reduce the input of the f function from 64 bits to 128 bits,
Combined with the effect of parallelization mentioned earlier, the conventional technology (FE
It is possible to achieve an encryption processing speed that is more than five times that of AL-8 (96 Mbps).

〔Example〕

An embodiment of the present invention will be described below.
It is assumed that 8-bit blocks of input data are processed at once. Also, in order to explain the logical operation of the example,
Use the following notation.

■ 8 bits are 1 byte.

■ 4 of the j1,000th from the left of 8 and 16 byte data
The byte data is represented by the subscript j at the bottom right.

■ The j+1st 8-byte data of the 32-byte data is represented by the subscript j at the upper right.

■ The j1,000th 1-byte data of the 4- and 8-byte data is represented by the subscript j at the lower left.

■ 0 represents bit-based exclusive OR (XOR).

■ The equal sign represents assignment from the right side to the left side.

■ + calculates the remainder when two 1-byte data are added and divided by 28.

■ M[m] indicates the m+1st data of array M.

■ M[m] [nl is m+1 row n+ of two-dimensional array M
Indicates the data in the first column, and in this case, M[m] is 2
The data of the m+1th row of the dimensional array M is shown.

FIG. 1 is a schematic block diagram of an embodiment of cryptographic power production according to the present invention. The key processing unit 10 has 128 bits of secret 101K.
is processed to calculate a 256-bit intermediate axis KS. The intermediate axis KS consists of parallel data KS', KS", and KS"KS" of 64 bits (8 bytes) each, and in the health processing section 10, the element is the bit rotation number that takes an integer value from 3 to IO. A 4×4 array R is calculated. Encryption processing is performed after this key processing is completed. In the encryption processing unit 20, 256
Using the bit intermediate axis KS and array R, 128-bit plaintext data Y is encrypted in parallel processing to obtain ciphertext Y'.

2 and 3 show the detailed configurations of the key processing section 10 and the encryption processing section 20, and FIG. 4 shows the decryption processing section corresponding to the encryption processing section 3@. FO, HFL,
HFR and FX are constituent elements of each processing unit, and below, they will be treated as functions. Among these functions, FO
, HFL, and HFR are involutions (References A and G.

Kohnheim, Cryptography:
“A primer, clause6.6 IN
VOLUTIONS, pp, 236-240”#A
Wiley Interscience P
publication.

John Wiley & 5ons, New
York (Jan, 1986)), the involution is f (f(x))=x, i.e. 2
It is a function that returns to the original state after being applied once. When encryption is performed by successively applying certain involutions, decryption can be performed by applying involutions in the reverse order of encryption. HFL and HFR are ROL.

A bit rotation function denoted ROR, a byte-by-byte addition function denoted ADD8, and a byte rotation function denoted BROR are used.

Hereinafter, the specifications of each function will be shown first, and then the operations shown in FIGS. 2 to 4 will be explained.

(1) FO(X) argument: X is composed of X, to X.

process: The FO performs the following processing as shown in No. 51!1.

X, = X, Φ X2 X, = X, Φ X.

(2) HFL (X, A, B, N) argument: X is composed of xo to X.

A is composed of 80 and A.

B is composed of B and B.

N is an array consisting of four data having integer values of 3 to 10.

process: As shown in FIG. 6, the HFL performs the following processing.

a=X, Φ 80b=x3 Φ A1 t, =ADD8(ROR(a, N [0]),
ROL(b, N[11))1,=^DD8(RO
R(b, N [2]), ROL(a, N [3]
]))BROR(t)X,=t,ΦX.

X1=t work Φ x8 B,=X.

B,=X.

(3) HFR(X) argument: X is composed of X, to X.

process: As shown in FIG. 7, HFR performs the following processing.

t,=ADD8((ROR(X,,3), ROL(X
,,3)) J=muDD8((ROR(X,,3), R
OL(X,,3))BROR(t) X,=t,Φ xs X,=t1ΦX.

(4) FX (X, R) argument: X is composed of X, to X.

R is a 4×4 four-dimensional array.

process: FX performs the following processing as shown in FIG.

Each 32-bit data of X, ,
Divide into 8 units.

The value obtained by adding 3 to the data from 0 to 7 represented by the right 6 bits of each 4-bit data is R[O][01°R[O][1
],..., R[3] Set to [3].

(5) ROL (x, n) argument: X is 4-byte data.

n is data that takes an integer value of 3 to 10.

process: Rotate X to the left by n bits.

(6) ROR(X, n) argument: X is 4-byte data.

n is data that takes an integer value of 3 to 10.

process: Rotate X to the right by n bits.

(7) ADD8 (x, y) argument: X and y are 4-byte data.

Processing: As shown in FIG. 9, the ADD 8 performs addition for each byte and returns 4-byte data 2. The processing is as follows.

. 2=. x ten, y □z=1x+,y+1 , z=, x + engineering y 3z=3x10. y+1 (8) BROR(t) argument: t is 8-byte data.

Processing: As shown in FIG. 10, BROR rotates 8-byte data by 1 byte in the right direction. The processing is as follows.

C=. t , 1 =, 1 vt"it , 1 =, 1 s t = 4 t 4t"at: 2t , 1 = 11, t = cm (Figure 2) First, the following processing is performed as preprocessing. Set 32-byte data 1 as a parameter for the key processing unit. 1° and 11 are set to system-specific values, and 13 and 13 are set to 0 to Ka in this order.

All elements of R (R[O][O] to R[3][3]) are initialized to 6. After that, perform the health treatment using the following steps.

FO(K) FHL (K, 1', KS', R[O] ) HFR(K
) HFL (K, 1', KS", R[1] ) FO (K) HFL (K, 1", KS", R[2] ) HFR (K
) HFL (K, 1", KS", R[3] ) FO (K) FX (K, R) Encryption process (Figure 3) Set Z as a 64-bit work area, and perform encryption using the following steps. conduct. Here, FO(Y) corresponds to ciphertext Y'.

FO(Y) HFL (Y, KS', Z, R[01) HFR(Y) HFL (Y, KS1, Z, R[1 piece) FO(Y) HFL (Y, KS'', Z, R[2 ] ) HFR (Y) HFL (Y, KS”, Z, R [3] ) FO (Y) East Five Emperors (Figure 4) Decryption processing is performed after the key processing is completed. In the decryption process, involution is applied to the ciphertext Y' in the reverse order of the encryption process, and the process is performed using the 256-bit intermediate @KS.
Decrypt the bit plaintext data Y. The processing is performed using the following procedure with Z as a 64-bit work area.

FO(Y) HFL (Y, KS", Z, R[3] ) HFR(Y
) HFL (Y, KS”, Z, R [2 pieces) FO (Y) HFL (Y, KS1, Z, R [1 piece) HFR (Y) HFL (Y, KS', Z, R [O] ) FO(Y) Below, the performance of this example will be evaluated by dividing into data randomization performance, structural strength, and speed performance.

(1) Data randomization performance The data randomization performance of the algorithm is evaluated in order to understand its strength against code breaking based on the syntactic properties of plaintext and ciphertext.

An ideally strong algorithm is such that the bit changes in the ciphertext have a binomial distribution B (n, 1
/2), so the security of the cryptographic algorithm is
A method has been proposed that uses an index that indicates how closely the distribution of bit changes in ciphertext corresponding to all bit changes in plaintext and private keys is close to the binomial distribution (Reference Room B,
Hirano: “Cryptography/Authentication Algorithm Strength Evaluation Index”, IEICE Theory, Vol. 1. J69-A, Halo.

pp. 1252-1259 (1986)), the index is
Find each plaintext change and key change.

According to this evaluation method, the degree of approximation of the ideal algorithm to the binomial distribution with a sample size of 4096, that is, the theoretical value of the index is:
It is 96.5%.

Figure 11 shows the changes in index values after applying each function in this example. As shown in Figure 11, the effects of any bit changes in the plaintext are almost completely gone after the second HFR is applied. be exposed. Furthermore, the effect of bit changes in the secret key is absorbed by the first application of HER. In other words, for this embodiment, it is impossible to break the code by guessing the secret key based on the statistical properties of the plaintext and ciphertext.

(2) In order to increase the structural strength of the structural strength algorithm, the processing may be made more complex, but this must be done in a trade-off with speeding up.

In this embodiment, the number of bit rotations of the data in the HFL function of the encryption/decryption processing section is made variable based on the data obtained by processing the secret key by the key processing section. Similar data randomization performance can be obtained by fixing the HFL bit rotation speed to, for example, 6 bits instead of making it variable, but in order to improve structural strength without sacrificing processing speed as much as possible, we decided to use this method. Adopted.

Each bit rotation number has 8 degrees of freedom from 3 to 10. 4
Since there are 4 bit rotation operations in each HFL of @, there are 81 ", or 2 degrees, types in this example. This makes it extremely difficult to break the code using the structure of the algorithm as a clue. become.

(3) Speed performance The encryption processing speed of this embodiment is shown in comparison with the FEAL-8 LSI.

First, a comparison will be made regarding the f function, which is the main component of the present invention. FIG. 13 shows the f-function of EFAL-8. In the embodiment of the present invention, what corresponds to this f-function is a processing section shown as an HFL function. First, FEAL-8 will be explained. The f-function of FEAL-8 is shown in Figure 13,
The hardware consists of three stages of XOR and three stages of 8-bit addition (Reference Room Ro, Shiraishi, Shimizu: “EFAL-8
Algorithm”, Research Report.

Volume 37, No. 415, pP, 321-327 (198
8)) The processing time for 8-bit addition is about three times that of XOR, so the f function of EFAL-8 is
That's 12 steps. On the other hand, in this example, H
As shown in FIG. 6, the FL is composed of two stages of XOR, one stage of bit rotation, and one stage of 8-bit addition.

Of these, bit rotation takes approximately the same processing time as XOR, so it corresponds to 6 stages in terms of XOR. In this way, the number of HFL processing s-0 processing stages in this embodiment is FE
It is half of AL-8.

Furthermore, since the data to be processed is twice as much, it can be seen that the result is four times faster.

Next, think about the overall structure. The encryption processing section of FEAL-8 is as shown in FIG. When considering parallel processing in hardware, the 2-stage XOR (exclusive OR) at each entrance and exit, and the 12-stage f function in XOR conversion shown earlier are processed 8 times in series, so in XOR conversion Total 1
Processing equivalent to 00 stages will be performed. On the other hand, in this embodiment, there are three FOs in the XoRI stage, four HFLs with 6 stages in XOR conversion, and 5 HFRs in XOR conversion.
A total of 0 consisting of two corresponds to processing of 37 stages of X0R. It is about 3 times weaker than FEAL-8.

However, as shown above, in the cryptographic device of this embodiment,
It can process 128 bits of data at once, twice as much as FEAL-8, so it is more than five times faster.

Next, we will discuss the actual encryption speed. The FEAL-8 LSI consists of cyLos and gate array.
The clock is 12MHz. this is.

The processing unit is the circuit of the part shown as the f function in the previous explanation, and assuming that the XOR processing takes about 3 nanoseconds, 36 nanoseconds for 12 stages is the number of clocks set in consideration of the exchange with the register and margin.

64-bit block data is encrypted in 8 clocks, achieving an encryption processing speed of 96 Mbps (References H, Morita, M, Sasa
okay.

S. Miyaguchi: “5 security
Design for F EAL-8 Enciph
element LS I and BOARD/BOX
”, Digest of Papers of F
TCS-18, Po5tr 5ession, p
p., 21-24 (1988)).

On the other hand, in the embodiment of the present invention, when the HFL processing unit is used as a processing unit, the 6 stages of XOR can be processed in about 18 nanoseconds, so even considering the exchange with the register,
Z's clock is usable enough.

When processing 128 bits in 6 clocks, the encryption processing speed is 427 Mbps. Furthermore, if the number of gates is allowed to increase, it is possible to process a total of 37 stages of X0R, that is, a process of over 100 nanoseconds, with one clock of 8 MHz. The processing speed in this case exceeds IGbps.

The same effect can be obtained even if the structure of the cryptographic device of the embodiment described above is reversed left and right. In addition, the FO described in this example
, HFL, HFR, etc., variations in which the power distribution order of the processing units is changed are also within the scope of the present invention. Furthermore, the scope of the present invention also includes configurations in which the number of these processing units is increased or decreased.

〔Effect of the invention〕

As is clear from the above explanation, according to the present invention, it is possible to realize a cryptographic device that can perform high-speed processing using hardware.Since the cryptographic device according to the present invention has a key length of, for example, 128 bits, It is difficult to break the code. Furthermore, since the ciphertext is randomized regardless of bit changes in the input plaintext and secret key, it is difficult to break the code by guessing the secret key using the statistical properties of the plaintext and ciphertext.

Furthermore, the number of bit rotations during processing is made variable depending on the key, making it difficult to break the code using the processing structure.

The encryption speed performance of the previous example is 400 Mbps ~ 1G
bps. This is several ten times as much as DES, FEAL-
The performance is about 5 times that of 8. Since the method of the present invention is high-speed, it is possible to implement hardware that enables encryption of communication data handled in the lower layer of the LAN and multimedia information including high-definition videos using a single-chip LSI of a general-purpose CMOS gate array. can do.

[Brief explanation of drawings]

FIG. 1 is a schematic block diagram of an embodiment of the encryption device according to the present invention, 2nd WI is a diagram showing the detailed configuration of the key processing section, FIG. 3 is a diagram showing the detailed configuration of the encryption processing section, and FIG. 4 is a diagram showing the detailed configuration of the encryption processing section. Figure 5 is a diagram showing the detailed configuration of the decoding processing unit; Figure 5 is a diagram explaining the processing of the FO function; Figure 6 is a diagram explaining the processing of the HFL function; Figure 7 is a diagram explaining the processing of the HFL function.
Figure 8 is a diagram explaining the processing of the HFRyR number, Figure 8 is a diagram explaining the processing of the FX function, Figure 9 is a diagram explaining the processing of ADD8, Figure 10 is a diagram explaining the processing of BROR, 1
Fig. 1 is a diagram showing the measurement results of the data randomization index in the embodiment of the present invention, Fig. 12 is an overall configuration diagram of a conventional FEAL-8 encryption processing device, and Fig. 13 is a diagram showing the f processing section of Fig. 12. FIG. 3 is a diagram showing a detailed configuration. 10...Key processing section. 20... Encryption processing unit. Figure 2 Figure 5 lol! &6 Fig. 13 13 +3 3 Fig. 8 3 13th SW & 12 Figures Time Snake & Junpai d Shakan LP

Claims (1)

[Claims] (1) In a cryptographic method that obtains ciphertext data by processing input plaintext data consisting of multiple bits using an intermediate key obtained by processing secret key data consisting of multiple bits, the input data is divided into two pieces of equal length data. (referred to as a, b), and each data of a and b is rotated by a variable number of rotations using an intermediate key or a predetermined number of rotations as a constant.
Let the type data be a1, a2, b1, b2, a1, a
Divide each data of 2, b1, and b2 into small data of equal length, add the small data belonging to a1 and b1 in parallel to create new data of a, and add the small data belonging to a2 and b2 in parallel. An encryption method characterized by adding each in parallel to create new data of b, and then rotating the combined data of a and b by a plurality of bits in either direction to the left or right and using the result as output data.