JPH0333269B2 - - Google Patents

Description

[Detailed description of the invention]

(Industrial Application Field) The present invention relates to a data spreading device that is the core of an encryption system, and particularly to a data spreading device that enables effective data spreading without using a transposed matrix. (Conventional technology) One of the most popular encryption methods is DES (Data Encryption Standard).
FIPS PUB46, NBS Jan. (see 1977),
The data spreading device in this DES is constructed by combining substitution and transposition. FIG. 4 is a block diagram schematically showing its functions. As shown in the figure, this data spreading device has a data input section 1 that inputs 32-bit input data R, and expands the 32-bit input data R by an expansion function E.
a 48-bit register 3 for the expanded data; a key data input section 4 for inputting 48-bit key data K;
An exclusive OR circuit 5 performs an exclusive OR operation between the expanded input data and the key data, and the 48 bits output from the exclusive OR circuit 5 are converted into 6-bit blocks by substitution functions S1, S2, . . . ...S8
A substitution function operation section 6 that converts the data into 4 bits according to the above procedure and obtains 32 bit data, and a substitution function operation section 6 of the substitution function operation section 6.
It consists of a transposition function calculation section 7 which transposes the bit positions of the 32-bit output according to a transposition function P, and a spread data output section 8. The process of data diffusion will be explained below. First, the 32-bit input data R is expanded into 48-bit data E(R) by the expansion function E shown in Table 1 in the expansion function calculation section 2. The output E(R) of the expansion function calculation unit 2 is represented by eight blocks of 6 bits each, and the bits in the input blocks are selected according to the order from the top left to the bottom right shown in Table 1. It can be obtained by That is, for example, the first three bits of the output data E(R) are selected from the values of bit positions 32, 1, and 2 of the input data R, respectively, and the last three bits are selected from the values of bit positions 31, 32, and 32 of the input data R, respectively. A value of 1 is selected. Subsequently, in the exclusive OR circuit 5, the expanded 48-bit data E(R) and the key data K are exclusive ORed. Next, in the substitution function calculation section 6, from the output of the exclusive OR circuit 5, the substitution function S shown in Table 2 is calculated.
1, S2, ..., S8. Get 32 bit output. How to use the substitution functions shown in Table 2 will be explained by taking substitution function S1 as an example. When B is a 6-bit block, output S1(B) is determined as follows. Let i be the binary number consisting of the first and last bits in the 6-bit block B.
It is in the range of 3. Then, 4 in the center of block B
If bit is a binary number j, it is in the range 0 to 15. Output S1(B) by these binary numbers i and j
Determine. In other words, the output S1(B) is S1 in Table 2.
It is a number in the range of 0 to 15 located in row i and column j of 1. For example, if the input is 011011, the row is 01 and the column is 1101, that is, from Table 2, 1 of the substitution function S1
Since the data in row 13 is 5, 0101 is obtained as the output. Finally, the transposition function P shown in Table 3 is applied in the transposition function calculation unit 7. That is, according to the transposition function in Table 3, the transposition function calculation section 7 processes the data from the substitution function calculation section 6, placing the 16th bit from the left as the first bit, the 7th bit as the second bit, etc. , generates output data in which the 25th bit is replaced with the 32nd bit. (Problems to be Solved by the Invention) In the theta diffusion device, it is important to use as many types of substitution functions as possible from the viewpoint of increasing data diffusion efficiency. Traditional
In DES, this is achieved by selecting four substitution functions using the two bits at both ends of the six input bits. Although this is a clever method, there are two problems: (1) It is only possible to achieve the effect that a 1-bit change in the input is expanded to about 4 bits in the output. (2) The substitution function is a 4-bit to 4-bit conversion,
Because it uses a transpose function for bit positions, it requires a large number of bit operations. This is,
This is a major hindrance to speeding up. The above problem (1) is caused by the fact that there is no mutual interference between blocks of every 6 bits until they are replaced and reach the transpose function P. In addition, the above problem (2) is that this algorithm uses an 8-bit substitution function and a transposition function P that are effective for processing in bytes.
This is due to the fact that the design is not oriented toward processing procedures that do not use . The object of the invention is to solve the problems of the prior art mentioned above. That is, the purpose is to enhance the data diffusion effect without increasing the number of processing steps, and to achieve even higher speed by making most of the units of processing into byte-based operations. (Means for Solving the Problems) In order to solve the above problems, the data diffusion device of the present invention includes a means for dividing input data into a plurality of blocks having the same data length, and a means for dividing input data into a plurality of blocks having the same data length. , a fusion means that directly or indirectly calculates and fuses the data of all other blocks at least once to generate data of a new block, and generates new block data by performing substitution processing on the data of each block. and a combination means for combining the finally obtained data of each block and outputting it as diffused data of the input data, the data is input to the division means, and the data is input from the division means. The output is outputted from the combining means through a plurality of the fusion means and a plurality of the substitution means (the order of the plurality of fusion means and the plurality of substitution means is arbitrary), in which case a part of the output data is returned to the division means. The present invention is characterized in that it does not have a feedback means for inputting data, and that no clock repetition operation is performed in a portion extending between the dividing means, the plurality of merging means, the plurality of substitution means, and the combining means. According to an embodiment, the fusion means includes any one of a means for performing an exclusive OR operation between data of a block or data of a parameter, and a calculation means for performing an addition and a remainder operation between data of a block or data of a parameter. or both. According to another embodiment, the transliteration means includes means for performing a bit rotation operation on each of the blocks. According to yet another embodiment, the substitution means is constituted by a substitution table that refers to each block as an address. (Operation) As described above, the present invention provides a fusion means (bypass) for drawing in and merging data from other blocks or parameters in the fusion processing process of each of the plurality of blocks to be processed, and when the processing is completed. Since the structure is such that the data of each block at a point in time is generated under the influence of the data of all input blocks, the transposition function P
This makes it possible to eliminate the need for data diffusion devices in conventional DES, resulting in higher diffusion efficiency, simpler configuration, and faster processing speeds. Furthermore, by performing substitution processing in units of blocks (bytes), bit processing is eliminated as much as possible, resulting in a remarkable increase in processing speed. (Embodiment) FIG. 1 is a diagram for explaining an embodiment of the present invention, and shows an outline of the configuration of a data spreading device that obtains 32-bit spread output data from 32-bit input data. In Figure 1, R is a 32-bit input data block, and R0 to R3 are input data R.
K0 and K1 are 1-byte parameters each, XOR is an exclusive OR circuit, and S fuses the two input data blocks and performs substitution conversion. ,
This is a fusion substitution function calculation unit that obtains one data block. The operation of the data diffusion device of this embodiment configured as shown in FIG. 1 will be explained. First, a 32-bit input data block R is divided into 1-byte processing blocks R0, R1, R2, and R3.
Divided into two. Each processing block is sequentially processed according to the processing procedure shown below, and finally a 32-bit output is produced. The "=" in the following formula indicates that the right side is to be used as the new data on the left side after the calculation. <Processing procedure> Step 1: R1=R1K0R0 Step 2: R2=R2K1R3 Here, indicates an exclusive OR operation. Then, Step 3: R1 = S (R1, R2, 1) Step 4: R2 = S (R2, R1, 0) Step 5: R0 = S (R0, R1, 0) Step 6: R3 = S (R3 , R2, 1) Here, S(a, b, δ) (where δ=0 or 1) represents the function of performing the fusion means and the substitution means successively. S will be explained in detail later. After this processing procedure, R0, R1, R2, and R3 are combined to form an output block, but as is clear from the structure of Figure 1, each output block is generated under the influence of all input blocks. has been done.
That is, it is possible to obtain the effect that the output changes by an average of 11 bits for a 1-bit change in input data. This improvement effect is remarkable compared to the prior art, which could only achieve diffusion of about 4 bits. Furthermore, in order to spread this diffusion effect between processing blocks, there is no need for a new bit position transposition function P. In this embodiment, by performing fusion processing and substitution processing while making each block interfere with each other,
In other words, by performing direct or indirect calculations on the data of all other blocks at least once, a data diffusion effect that is significantly superior to that of the prior art is achieved without using the transposition function P. As shown in FIG. 1, this mutual interference between the processing blocks is realized by two bypasses in the form of an exclusive OR circuit XOR and an input to the fusion transposition function operation section S. A configuration example of the fused substitution function calculation unit S will be described below. When data a and b are input, S
(a, b, δ) is given by the following equation. S (a, b, δ) = {(a + b + δ) mod256} rol2 where a and b are inputs of S, δ is a constant of 0 or 1, input of S, x mod y is x divided by y. This is an operation to find the remainder resulting from x rol y
indicates the operation of bit-rotating x to the left by the value indicated by y. Hereinafter, S(a, b, δ) will be simply expressed as S(x). However, x is (a+b+δ) mod256 Generally, x mod256 can be easily realized by assigning a numerical value to an 8-bit register of a microprocessor. Further, the fused substitution function calculation section is implemented by a combination of an adder ADD as a fusion means and a circular shift register as a substitution means, as shown in FIG. Further, in the fused substitution function calculation section, substitution processing can be configured using a substitution table. That is, when programming in a high-level language, it is effective to prepare the value of S(x) (x=0 to 511) [however, a+b+δ) mod256] in advance as a substitution table. If a method of preparing a substitution table is used, a plurality of substitution functions other than the bit rotation method described above can be used. For example, the fourth
The substitution table shown in the table shows values from upper left S (0) to upper right S (15), from left S (16) in the second row to right S (31) and lower right S (255). . This substitution table contains two different data 1 from 0 to 255.
For 0 and 11 and the reference values 00 and 01 of the substitution table corresponding to the respective inputs, the former Hamming distance H10, 11 and the latter Hamming distance H0
The relationship shown in Table 5 occurs between 0 and 01. A substitution table that can be generated by applying the same 8-bit transposed matrix T to each element of this substitution table and adding a constant A using an exclusive OR circuit exhibits similar properties. Generally, this kind of substitution table uses a transposed matrix T and a constant A to calculate TX+A for input X when the number of bits in X is even, and T~ when it is odd.
It is obtained by setting X+A (~X is the bit inversion value of X) as each value. In either case, a substitution table that inputs the sum of 1-byte data from 0 to 255 and outputs 1-byte data has two tables of the same type that substitutes any value from 0 to 255. By successively preparing the characters, input from 0 to 511 can be converted to 1-byte data from 0 to 255. That is, S
In (a+b), b is considered to play the role of shifting the start address of the substitution table for substituting a by b. When using mod256, only one substitution table is required. The embodiment of the present invention described above is one-tenth as large as the conventional DES data diffusion device.
This can be realized using the following dynamic steps, requires a small amount of memory, and can obtain a data diffusion effect that is more than twice as large. Furthermore, in the above embodiment, the unit of processing such as substitution is 8 bits (1 byte), but this is because currently popular data terminals, personal computers, etc. use 8-bit and 16-bit CPUs. Because it is a thing. In the future, as technology advances, if the mainstream shifts from 16 bits to 32 bits, the technology of the present invention can easily handle this. In other words, the unit of substitution and other processing is set to 16 bits (2 bytes). In this case, the structure of the embodiment shown in FIG. 1 is not changed, but 256 in the fused substitution function S is replaced with 65536. The fused substitution function S is as follows. S(a)=(a mod65536) rol2 In principle, the processing unit can be set arbitrarily. In addition to the two-input substitution process shown in this embodiment, it is also possible to use three-manpower processing or to combine these with bypass using exclusive OR. In the above embodiment, the spreading process is performed on a 32-bit input, but as a second embodiment, a 16-bit
FIG. 3 shows the bit input. First, a 16-bit input block R is divided into 1-byte processing blocks R0 and R1. Each processing block is processed in order according to the processing procedure shown below, and finally outputs 16 bits. K0 and K1 are parameter data. <Processing procedure> R1=S (R1, R0K0, 1) R0=S (R0, R1K1, 0) Operation symbols, function S, etc. are the same as in the embodiment shown in FIG. (Effects of the Invention) As described in detail above, the present invention provides means (bypass) for drawing in and merging data from other blocks in each fusion process of multiple blocks to be processed, so that the process is completed. Since each block at the moment of input is generated under the influence of all input blocks, the transpose function P can be made unnecessary, and the conventional
Compared to the data diffusion device in DES, the configuration is simpler and processing speed can be increased.
Furthermore, by performing the substitution process in units of blocks (bytes), bit processing is eliminated as much as possible, resulting in a remarkable increase in processing speed. Further, the present invention can be implemented by partially combining hardware such as a data terminal or a personal computer with software for performing the above processing procedure, and in that case, the program size is small. Therefore, it is expected that it will rapidly become popular for uses such as credit cards in the future.
Suitable for application to IC card security.

【table】

【table】

【table】

【table】

【table】

【table】 [Brief explanation of drawings]

1 and 2 are diagrams showing the configuration of a first embodiment of the present invention, FIG. 3 is a diagram schematically showing the configuration of a second embodiment of the present invention, and FIG. FIG. 2 is a diagram schematically showing the configuration of a data spreading device in the DES of FIG. R...Input data block, R0 to R3...R
1st to 4th byte blocks from the left, K...Key data, K0, K1...Key blocks of 1 byte each,
S...Fusion substitution function operation unit, XOR...Exclusive OR circuit, ADD...Adder, ROL...2-bit left circular register.

Claims (1)

[Claims] 1. A dividing means for dividing input data into a plurality of blocks having the same data length;
A fusion means that directly or indirectly calculates and fuses the data of all other blocks to generate data of a new block, and a substitution means that performs substitution processing on the data of each block to generate new block data. and a combining means for combining the finally obtained data of each block and outputting it as spread data of the input data, the data is input to the dividing means, and the output from the dividing means is divided into a plurality of pieces. output from the combining means through the merging means and a plurality of the substitution means, in which case a part of the output data does not have a feedback means for re-inputting it to the dividing means,
Further, the data spreading device is characterized in that a clock repetition operation is not performed in a portion spanning the dividing means, the plurality of the merging means, the plurality of the replacing means, and the combining means. 2. The data diffusion device according to claim 1, wherein the fusion means includes means for performing an exclusive OR operation between block data or parameter data. 3. The data spreading device according to claim 1, wherein the fusion means includes calculation means for performing addition and remainder calculation between block data or parameter data. 4. The data spreading device according to claim 1, wherein said conversion means includes means for performing bit rotation on the data of each block. 5. The data diffusion device according to claim 1, wherein said substitution means is constituted by a substitution table that refers to each block as an address.