JPH06342258A - Block cipher generating device - Google Patents

Abstract

PURPOSE:To obtain a safe, high-speed block cipher by providing a specific input value division part, key division part, 1st intermediate value division part, g(K) division part, Z arithmetic part, C calculation part, D calculation part, 3rd intermediate value division part and E calculation part respectively. CONSTITUTION:Left 32 bits L1 and right 32 bits R(A) 2 of input bits and a 32-bit key K3 are provided. For data disconcertion, a 1st intermediate value B is found, a 2nd intermediate value C is found, and then a 3rd intermediate value D is found, and a 4th intermediate value E is found and the left single cycle of E is outputted. The result of bit-by-bit exclusive OR between the result of such operation and the left half of the input is regarded as the left half of the output of the block cipher of one stage and the original A is regarded as the right half of the output of the block cipher. This operation is repeated eight times. At this time, the number of execution bits and completeness are saturated by two stages, and consequently, the block cipher becomes tolerant to a difference attack with eight stages, so that the safe, high-speed block cipher can be constituted.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to secret communication technology, and more particularly to a block cipher generating and decrypting apparatus for digitized information.

[0002]

[Prior art]

(Regarding encryption and decryption of communication information in digital communication) In recent years, with the development of digital computers, their theory, integrated circuits, etc., digital communication technology has been rapidly developed because the S / N ratio can be increased and the transmission amount increases. It is becoming popular. In this digital communication, a digital communication network open to the general public is usually used. Therefore, during communication, it is difficult to completely prevent wiretapping by a third party, modification after wiretapping, spoofing, or erroneous transmission by a sender to the third party. Therefore, the sender sends the communication information after secreting the communication information in a predetermined procedure (performing calculations using various functions referred to in the claims), and the receiver receiving the procedure in the reverse of the secreting procedure. Decode information (decode)
It is widely adopted to obtain the original information after doing so. In this case, the following means are adopted for confidentiality and decryption, which do not lose the characteristics of the digital communication technology and are excellent in confidentiality, execution speed, and economy. Information consisting of 0s and 1s to be transmitted is grouped together by a fixed number and regarded as a numerical value represented by a binary number (corresponding to the input value A in the claims), and further. Is a secret key or shared key, and a certain numerical value (corresponding to the key K in the claims) that can be known only to the sender and the receiver and addition (nonlinear operation) or subtraction or exclusive logic Transmission is performed after performing a predetermined operation such as taking a sum (linear operation), and the receiver obtains the original digitized information by performing the reverse operation. 0 and 1 to send
The bit information composed of is exchanged (permutation operation, matrix operation) in a certain procedure according to the value (0 or 1) of each digit of the secret key or the shared key expressed in binary number, and then transmitted. Various types of information are adopted by the recipient, such as replacing the received information in the reverse order to obtain the original transmission information. In these cases, if not only the confidentiality is high but even a very small part of the key is unknown, all the information will not be decrypted, and specifically, it will not be meaningful information (text or video). It is also said that the request for that. Then again
These secret communication technologies are also being used for pay broadcasting using artificial satellites. In this case, the receiver who paid the reception fee is provided with a key incorporating a circuit that performs a procedure that is the reverse of secrecy, so to speak, and this key is incorporated into the television receiver. Then, the secret of the broadcast contents and the key of the broadcaster are converted every fixed period, so that only the receiver who paid the communication fee for the fixed period can listen to the pay broadcast for that period. Furthermore, this technique is also applied to the signature verification of the sender. However,
For concrete and general contents of these, for example, Shinichi Ikeno and Kenji Koyama, published by The Institute of Electronics and Communication Engineers (1986).
The applicant of the present invention separately describes, for example, Japanese Patent Application No. 3-318816 and Japanese Patent Application No. 3-19914 regarding the related techniques and the concrete method of secrecy and compound sign described in “Modern Cryptography”.
No. 8, Japanese Patent Application No. 4-145964, Japanese Patent Application No. 4-2639
Since the techniques are disclosed in Japanese Patent Application No. 14 and Japanese Patent Application No. 4-168007, description thereof will be omitted.

[0003] Next, since the present invention relates to what is called a block cipher among the techniques relating to secrecy and decryption in these digital communications, this block cipher will be described. Regarding this block cipher, the general theory and the actual circuit configuration (corresponding to the contents of various functions referred to in the claims) are described, for example, in Chapter 3 and Chapter 2 of "Modern Cryptography". It is described in many documents including Chapter 4 (the list is listed on pages 270 to 272 of the above-mentioned "Modern Cryptography"), and in the US etc., it is actually used for interbank communication under the name DES. Since this is a technique adopted in the above, the description in this specification will be limited to the minimum necessary.

Now, when transmitting the digitized information as described above, the transmitting side must not allow a third party to easily obtain the information or obtain it and maliciously tamper with it before transmitting. , The information is confidentially transmitted by mixing the information, and the mixed information is restored on the receiving side. The block cipher, which is one of the secret key communication systems, is used at this time. (Basic example of encryption and decryption) The basics of this block cipher device will be described below.

FIG. 3 shows this basic structure. In the figure, (a) is a 4-bit circuit.
By passing an input signal divided into 4 bits into the circuit, an output signal is obtained in which 1 bit is circulated right by 4 bits. Incidentally, in (a), the input signal A (1011) is the output signal B (1101). The decoding is performed by inputting the output signal from the output side of the circuit, and then taking it out from the input side. (For this reason, the secrecy and decoding of the signal by the present circuiter are performed by performing an operation of shifting to the right one bit at a time and vice versa, and the circuit itself forms a permutation or a permutation. However, it can be easily decrypted (decoded) by a third party who eavesdrops this signal if it is simply passed through the patrol circuit, so the operation with the key that is numerical information It is transmitted after making it secret. This state is shown in FIG. In this (b), K is a 4-bit numerical value called a key, and each bit and the corresponding bit of the input signal divided into 4 bits are subjected to an operation of addition without carry and then 1 It is kept secret by going round to the right bit by bit. That is, in (b), the input signal A (1011) is added to each bit of the key K (1101) without carry, and then (1 + 1, 1 + 0, 0+
1,1 + 1) = (0,1,1,0), and the output signal B (0,0,1,1) is further circulated right bit by bit. In this case, the compounding is performed by performing subtraction for each bit corresponding to the output signals B to K without carrying down the digit, and then passing the circuit through the circuit in reverse as in (a). The circuit is used for the perturbation of the bit information because the secretion and the decryption can be performed with the same hardware and at high speed, the processing speeds of both are almost the same, and the structure and the principle are simple. Also, the addition and subtraction without raising or lowering the digits is due to the omission of the bit for that purpose.

The above is just the basic operation of encryption and the operation that is the center of the basic operation, in this case, replacement,
This is a circuit configuration for addition without carry and subtraction without carry, or in other words, it describes the specific contents of a function.In fact, it is easy to decipher with such simple operations. Will end up. For this reason,
The number of bits, which is a unit of a private key or input signal, is 64
Bits, 128 bits, etc. are made larger, and the operation contents of the secret key and the input signal (contents of each function including the method of division described in the claims) are much more complicated, for example, the secret key is complicated. It is said that the digital information to be transmitted is repeatedly passed through one or the same data disturbing section several times, and the decoding is repeatedly passed through the same number of times in the opposite direction. Is done. Here, the data disturbing unit is a complex circuit combination of the above-mentioned circulators and keys, and in some cases, a large-scale computer may directly perform a mathematical operation. Now, the greater the number of repetitions, the higher the security, but on the other hand, since it is repeated many times, the speed of encryption and decryption becomes slow. Furthermore, there is a certain limit in terms of communication efficiency and communication speed to increase the number of digits and to make the calculation contents sophisticated and complicated. Therefore, in order to realize a high-speed and secure block cipher, it is important to consider how these factors are taken into consideration to make the data disturbing unit strong, or to improve the secrecy.

Next, a technique which has been actually considered in Japan for secret communication using this block cipher will be described. (Conventional example of block cipher related to the present invention)
A well-known conventional example is the fast data encryption algorithm (Fast D
ate Encipherment Algorithm, hereinafter abbreviated as FEAL is used. ) There is a block cipher. FIG. 2 shows this data disturbing section.

This is a 64-bit input / output block cipher, in which the right half of the input 64 bits, 32 bits of the right half, is input to the data disturbing unit and encrypted, and the exclusive OR for each bit of the left half of the input. Is the left half of the output, and the left half of the input is the right half of the output, and this operation is repeated several times. It should be noted that the fact that the input bits are equally divided into right and left here not only can adopt the same hardware configuration for encryption and decryption, but the time required for encryption and decryption is almost the same in terms of hardware arrangements. This is also preferable from the viewpoint of

The data disturbing section will be described below.
It [1. Splitting key and input] K, 32 bits for 16-bit key
Let's input A. 2 blocks K of 8 bits each
₁, K₂Divided into 4 blocks A of 8 bits each₁,
A₂, A₃, A _FourDivide into [2. Key and input involvement] K₁And A₂Bitwise exclusive of
The logical sum is B₁And K₂And A₃Every bit of
B is the exclusive OR of₂And [3. Input disturbance part] B₁And A₁Bitwise exclusive with
D is the logical sum₁And B₂And A_FourA bit of
D is the exclusive OR of each₂And 32 bits
Output C of 4 blocks C₁, C₂, C₃, C_FourDivided into
D₁And D₂And 1 to 256 (= 2⁸) Modulo (m
od256) output plus C₃And C₃And D₁When
Output modulo 256 is the output C₂And C₂When
A₁And add 1 and 256 modulo output C₁When
Then C₃And A_FourOutput modulo 256 is the output C
_FourAnd

By the above operation, information in units of 64 bits is obtained by a relatively simple structure, that is, by a relatively small number of bits, an arithmetic operation unit having a relatively simple logic of exclusive OR, and a circuit configuration. A high degree of confidentiality is obtained for sending and receiving. Here, 256 (= 64 x
The reason why the calculation is modulo 2 ² ) is that bit disturbance is likely to occur.

[0011]

However, this block cipher was developed as a high-speed block cipher with sufficient security by repeating four rounds, that is, it was difficult to decipher, but it is said to be a differential attack submitted in recent years. Depending on the method of decryption, it was necessary to repeat 32 rounds or more to maintain security. Regarding the differential attack, a. Biha, A .. Shamir Co-author, "Differential Analysis of Secrets in DES-like Secret Communications," Advances in Secret Communications Research Conference in 1990, Lecture Booklet 537 (1990) in Computer Science 2-2
One page (the above is a free translation) {E. Biham and A. Shamir, "Diff
erential Cryptanalysis of DES-likeCryptosysytems
”, Advances in Cryptology-Proceedings of CRYPT
O'90, Lecture Notes in Computer Science, 537 (199
0), p2-21}. Differential attack is
2) It is an attack that uses the knowledge of the output difference (a kind of correlation between the input signal and the output signal) of the second stage, so to be strong against this (to make it difficult to decipher), at least (the number of repeated stages-2) It is necessary to visually satisfy the saturation of the number of execution bits and completeness. By the way, for this,
Since the differential attack is considered to have no final three rounds, n
Even at -3 rounds, the number of execution bits must be sufficiently saturated and completeness must be satisfied. If the number of execution bits is saturated and the completeness is satisfied, the block cipher device in which both the input signal and the output signal or the agitation unit is a black box is obtained by some means. Even if a person tries to know this internal structure (block division, bit circulation, specific state of key, content, value) by the relationship between the difference between the input signal and the output signal, the digit of the bit related to the first This is because it becomes difficult because the number increases and secondly the difference becomes difficult to appear. However, in the case of FEAL,
It is necessary to increase the number of iterations in order to saturate the number of execution bits and satisfy the completeness, which results in a decrease in execution (secretion, decryption) speed. On the other hand, 4
If it is left as it is, only one round except the last three rounds cannot satisfy this request, and there is a risk of being decrypted by a differential attack.

The saturation and completeness of the number of execution bits are as follows. Number of executed bits The number of bits of the key that affects the difference between the output plaintexts is called the number of executed bits. The number of execution bits is said to be saturated when the number of execution bits of each bit of the output matches the number of bits of the key. (In this case, since all bits of the key affect the output plaintext difference, the key can be used most effectively for concealing the plaintext, and the number of digits of the key that affects the output plaintext is large. Completion is said to be complete when all bits of the input are involved in the generation of each bit of the output. (In this case, the number of bits related to the relationship between the output plaintext and the input increases, and it becomes difficult to find the relationship between them.) Since it is easily received, it is necessary to increase the number of repetitions in order to prevent a third party from easily obtaining or falsifying the digitized information. As a result, it is difficult to keep secret and decrypt in high speed communication using the public communication network. Specifically, the security of communication using the digital public communication network is impaired, and paid private broadcasting by lending a decryption device incorporating a key to only the person who paid the fee is a business itself. There is even a risk that it will not hold.

In view of the above problems, the present invention has been made with the object of providing a safe and high-speed block cipher.

[0014]

[Means for Solving the Problems]
Therefore, in the invention of claim 1, the external input is set every n bits.
And a signal input section for dividing the input value A into
Each input value A obtained by the section from the most significant digit₁B
T, l₂Bit ..._sBit (where l ₁+1
₂+ ... + 1_s= N) s blocks A₁, A₂, ...
A_sInput value division unit to divide into
The value of the n-bit key K is l in order from the most significant digit.₁Bit
To, l₂Bit ..._sS blocks of bits
K₁, K₂, ... K_sA key splitting unit for splitting into
Each output A from the value division unit_i(Where i = 1, ...,
s) is φ_i(A_i) S l_iBit to l_iB
Function to_iA φ-function part having
And each component B_i(Here, B₁+ ... + B_s=
B) to B_i= Φ_i(Φ_i(A_i), K_i)
I want s number of l_i× l_iBit to l_iRelation to a bit
Number Φ_iWith a Φ function part that has
Move an n-bit key K to g (K)
G function part having a function g to
m₁Bit, m₂Bit ... m_tBit (where m₁
+ M₂… + M_t= N, and t is set independently of s
It ) T blocks B₁, B₂, ..., B_tDivide into
Output result g of the first intermediate value division unit and the g-function unit
(K) for each m₁Bit, m₂Bit ... m_tBit of
t blocks g (K)₁, G (K)₂, ..., g (K)
_tG (K) division part for dividing into n and t from n bits
Function f to bit_i(I = 1, ..., t), and f
_iB of (g (K)) and the first intermediate value B_iBit by bit with
Calculate the logical product and take the exclusive OR of all the bits of the result.
Value z_iAnd a second intermediate value C for calculating z
Each component C_i(I = 1, ..., T) is the z_iWhen
G (K)_iThe logical product of each bit with the inversion of
And B above_iBitwise exclusive OR of
Of C_iC calculation section to obtain by
Is it 1 bit that obtains the interval value D by the operation of D = φ (C)?
From the D calculation unit having a function φ to 1 bit,
The n-bit key K that is the determined value is assigned to h (K) (where
h (K) = g (K)) move from n bits to n bits
H function part having a function h and a third intermediate value D for each l₁Bit
To, l₂Bit ..._sS blocks of bits
D₁, D₂, ..., D_s(Here, D₁+ ... + D_s= D)
And the output result of the h-function part
Fruit h (K) for each l₁Bit, l₂Bit ..._sBit
S blocks h (K)₁, H (K)₂…, H
(K)_s(Here, h (K)₁+ ... + h (K)_s= H
(K)) and a fourth intermediate value E
Then, each component E_i(Here, E₁+ ... + E_s=
E) to E_i= Φ_i(H (K)_i, D_i)
Stop l_i× l_iBit to l_iFunction Φ to bit_iTo
The E-calculation part it has and the relationship from s n bits to n bits
Number f _i(I = 1, ..., S), and each f_i(E_i)
A cryptographic output unit for outputting as a force signal
And the block cipher device.

In the invention of claim 2, the Φ function part
And l in the E calculation unit_i× l _iBit to l_iB
Function Φ_i，… ， Φ_sIs Φ_iIs l_iBit in
Value A for force_i= [A₀,…, A_li-1] And K_i= [K
₀, ..., k_li-1] Does not consider the carry of the most significant bit
Claim that is a function that outputs the value added in
The block cipher creation device according to item 1.

[0016] In the invention of claim 3, function phi _i from l _i bits in the phi-function part to l _i bits, ...,
φ _s is the value A _i = for inputs where φ _i is l _i bits
[A ₀ , ..., a _li-1 ] is a function that outputs a value obtained by cyclically shifting left or right by i bits, φ _i (A) = [a _i , ..., a _i-1 ] The block cipher creating apparatus according to claim 1.

[0017] In the invention of claim 4, function phi ₁ from l _i bits in the phi-function part to l _i bits, ...,
φ _s is the l _i- bit key K _i = [k ₀ , ..., k _li-1 ].
The block cipher creating apparatus according to claim 1, wherein the block cipher creating apparatus is obtained depending on In the invention of claim 5, the function f ₁ , ..., F _t from n bits to n bits in the z operation unit is a value A = [a ₀ , ..., a _n -for input where f _i is n bits. ₁ ] for i bits of each function φ
_2. A block cipher creation method according to claim 1, wherein f _i (A) = [a _i , ..., a _i-1 ] is a function that outputs a value obtained by cyclically shifting left or right in the same direction as _i. According to the invention of claim 6, which is an apparatus, a function f ₁ , ...
f _t is a value A = [a ₀ , ...
_n-1 ] is required to be obtained.
The block cipher creation device described is used.

According to the invention of claim 7, in the function g from n bits to n bits in the g function part, a value A = [a ₀ , ..., A _n-1 ] for an input in which g is n bits is i. 2. The block according to claim 1, wherein the function is g (A) = [a _ni , ..., A _ni−1 ], which outputs a value obtained by performing a right or left cyclic shift in the opposite direction to the bit φ _i. It is a cryptographic device.

In the invention of claim 8, in the function h from n bits to n bits in the h function part, the value A = [a ₀ , ..., A _n-1 ] relating to an input in which h is n bits is used. 2. The block according to claim ₁ , wherein a function that outputs a value that is i-bit right or left cyclically shifted in the opposite direction to φ _i is h (A) = [a _ni , ..., A _ni−1 ]. It is a cryptographic device.

In the invention of claim 9, the function ψ from n bits to n bits in the D calculation unit replaces a value C = [c ₀ , ..., C _n-1 ] relating to an input in which ψ is n bits. 2. A function that outputs a value obtained by performing an exclusive OR for each bit of C and the value obtained by cyclically shifting i bits left or right in the same direction as φ _i after the above
The block cipher creation device described is used.

[0021]

With the above structure, in the invention of claim 1,
The signal input section is externally input to the block signal device.
Input the signal after dividing it into n bits.
The value is A. The input value division unit orders the input value A from the highest digit.
Each l₁Bit, l₂Bit ..., l _sS bits of bits
Lock A₁, A₂, ... A_sSplit into (where l₁+
l₂+ ... + 1_s= N).

The key division unit divides the n-bit key K into s blocks K ₁ , K ₂ , ..., K _s each having 1 ₁ bit, ₁₂ bits, ..., 1 _s bits in order from the highest digit. . The φ-function unit uses the function φ _{i that} transfers each A _i from l _i bits to l _i bits to obtain s blocks φ each of which has l _i bits.
_i (A _i ) (where i = 1, 2, ..., S).

The Φ function unit transfers s functions Φ _{i that} transfer B _i, which is each component of the first intermediate value B, from the above φ _i (A _i ) and K _i from l _i × l _i bits to l _i bits. It is obtained by acting. Here, B ₁ + B ₂ + ... + B _s = B. The g-function part uses the n-bit key K from n bits to n.
By operating the function g to transfer to bits, g (K)
I want it.

The first intermediate value dividing unit is for the first intermediate value B.
For each m₁Bit, m₂Bit, ... m _tT of bits
Block B₁, B₂…, B_tSplit into. In addition, here
t is arbitrarily selected independently of s, and B₁+ ...
+ B_s= B. The g (K) division unit is the g function unit.
Output g (K) for each m₁Bit, m₂Bit ... m_tBit
T blocks g (K)₁, G (K)₂, ..., g
(K)_tSplit into.

The z calculator has t n-bit to n-bit functions f _i (where i = 1, 2, ..., T),
After obtaining t f _i (g (K)) in total, the bitwise logical product of these and each B _i of the first intermediate value B is obtained,
A value z _i is obtained by taking the exclusive OR of all the bits of the result. The C calculator calculates C _{i, which is} each component of the second intermediate value C.
Is obtained by obtaining a logical product of each of the z _i and the inversion of the g (K) _i for each bit, and taking an exclusive OR of each of these with each B _i of the first intermediate value B. . Here, C ₁ + C ₂ + ... + C _t = C.

The D calculator obtains the third intermediate value D by the operation ψ (C). The h function part transfers the K to h (K) by operating the function h from n bits to n bits. The third intermediate value dividing section, the l ₁ bit third intermediate value D, l ₂ bits ... l _s bit s blocks D _1, D
₂ , ..., D _s (where D = D ₁ + D ₂ + ...
+ D _s ).

The h (K) division unit outputs the output h of the h function unit.
(N) each l ₁ bit, l ₂ bits ..., l _s bit s
The blocks are divided into blocks h (K) ₁ , h (K) _2, ..., H (K) _s . The E calculation unit calculates each component E _i of the fourth intermediate value E.
Is calculated by applying the function Φ _i to the h (K) _i and the energy D _i to perform the calculation of E _i = Φ _i (h (K) _i , D _i ).

Where i = 1, 2, ..., S, E₁+ E₂+
… + E_s= E. The encryption output unit is_iTo the above
Each function f_iAnd let f_i(E_i) Is the output signal
Output. In the invention of claim 2, the l_i× l
_iBit to l_iFunction Φ to bit ₁，… ， Φ_sAbout
All operations are performed with Φ as the subscript_iIs l_iBit in
Value related to force (The value related to input here is the input value
Strict because A is divided, disturbed, or operated with a key
This is because it is hard to say the input value itself. ) A
_i= [A₀,…, A_li-1] And K_i= [K₀, ..., k_li-1] Up
Output the added value without considering the carry of the upper bits
Function. Then, the block cipher code according to claim 1.
Is done.

[0029] In the invention of claim 3, wherein the function phi ₁ from l _i bits to l _i bits, ..., phi _s is, phi _i is l
_i-bit input values _{A i = [a 0, ...} , a li-1] to i-bit left or function that outputs the right cyclically shifted value _{was, φ i (A) = [} a i, ..., a i-1 ] Becomes Then, the block cipher according to claim 1 is created.

In the block cipher according to claim 4,
The l_iBit to l_iFunction φ to bit₁,,, φ_s
Is l_iThe key K of bits_i= [K₀, ..., k_li-1]
Existed (content changes depending on the value of K)
Then, the block cipher according to claim 1 is created.
It In the invention of claim 5, from n bits to n bits
Function f to₁,, f _tFor the operation for
_iIs an n-bit input value A = [a₀，… ，
a _n-1] For i bits_iSame direction as left or right
Output a value that is cyclically shifted, f_i(A) = [a_i, ..., a_i-1] Becomes Then, the block cipher according to claim 1 cannot be created.
To be done.

In the invention of claim 6, the n bits
To n-bit function f₁,, f _tIs the n bits
Value for input of A = [a₀, ..., a_n-1] Depends on
Desired. Then, create the block cipher according to claim 1.
Is done. In the invention of claim 7, the n bits
To n-bit function g is related to input where g is n-bit
Value A = [a₀, ..., a_n-1] For i bits_iAnd the reverse
Depending on the direction, the function that outputs the value shifted right or left cyclically
Number, g (A) = [a_n-1, ..., a_ni-1] Becomes Then, the block cipher according to claim 1 cannot be created.
To be done.

[0032] In the invention of claim 8, the function h from the n bits to n bits, h values _{A = [a 0, ...,} a n-1] about the n-bit input and i bits of the phi _i In the opposite direction, a function that outputs a value that is cyclically shifted to the right or left is h (A) = [a _ni , ..., A _ni−1 ]. Then, the block cipher according to claim 1 is created.

In the ninth aspect of the present invention, the function ψ from n bits to n bits has a value i after substituting the value C = [c ₀ , ..., C _n-1 ] for the input where ψ is n bits. This is a function that outputs a value obtained by taking the exclusive OR for each bit and the value obtained by cyclically shifting left or right in the same direction as the bit φ _i . Then, the block cipher according to claim 1 is created.

[0034]

EXAMPLES The present invention will be described below based on examples.
The basis of the present invention is the invention of claim 1, and the invention of each claim limits the essential items (components) to concrete functions and obtains the technical effect by the functions. Is. For this reason, in the embodiment, a block cipher device integrally incorporating the inventions of the claims is adopted.

FIG. 1 is a basic block diagram of an embodiment of a 64-bit input / output block cipher according to the present invention. The procedure of the embodiment will be described below with reference to the figure. In the figure, 1 is the left 32 bits L of the input bit, and 2 is the right 32 bits.
Bit R, 3 is a 32-bit key K. The data that is actually input to the data disturbance unit is the right 32 bits R of the input.
Which is hereinafter referred to as A. Next, the contents of the data disturbance will be described in six steps. [1. The first intermediate value B is calculated. ] 32 bits are divided into 4 blocks of 8 bits each, and for each division i from 1 to 8, the i-th block of the key K corresponding to said 8 bits is K _i , the input corresponding to 8 bits Letting the i-th block of the value A be A _i and the _i- th block of the first intermediate value B be B _i , first, the corresponding block as a result of circulating A _i leftward by the value of the left 2 bits of K _i A value obtained by adding the above K _i to the modulus 256 is defined as a first intermediate value B _i . It should be noted that the reason why 256 is adopted as the law here is for the same reason as in the prior art. [2. Find second intermediate value C] 32 bits k ₁ = 3
It is divided into two blocks of 0 bit, k ₂ = 2 bits,
Let g be a function that cycles rightward once, j be a non-negative integer (may be 0), and let g ^{j be} a function that cycles j times to the right,
When K ′ = g (K), for each division i from 1 to 2, the i-th block of the key K ′ corresponding to the k _i bits corresponds to K ′ _i and the k _i bits. the i block B _i of the B, wherein k _i a i-th block of the second intermediate value C corresponding to the bits as C _i, wherein the function g output value by ^i-1 g ⁱ (K the key K '') And B are obtained for each bit, and the value z _i obtained by taking the exclusive OR of all the bits of the result is obtained, and for each bit of z _i and the inversion of K ′ _i The logical product is obtained, and the bitwise exclusive OR of these and B _i is taken as the second intermediate value C _i . Note that the bit-wise operation of g ⁱ (K ′) and B is the logical product for matrix operation, and the exclusive OR of all bits is used to obtain z _i . The reason is to cause bit agitation. [3. Obtaining a third intermediate value D] The 32 bits of C are divided into _four blocks C ₁ , C ₂ , C ₃ and C ₄ of 8 bits each, and bit substitution in the block is performed for each block. . If the bit information in each block is called the first bit and the second bit from the right, the contents of the replacement are as follows.

1st bit → 3rd bit 2nd bit → 7th bit 3rd bit → 5th bit 4th bit → 1st bit 5th bit → 2nd bit 6th bit → 6th bit 7th bit → 4 Bit 8th bit → 8th bit Next, the bit obtained as a result of the above replacement in each block.
Information is C ', and this is eight blocks of 4 bits each.
Block C '₁, C '₂, C '₃, C '_Four, C ' _Five，
C ’₆, C '₇, C '₈For every 8 bits of C '.
Rearrange 4 blocks as shown in block permutation in FIG.
C ", C" = C'4, C'1, C'8, C'5, C'2, C '
3, C'6, C'7 (However, in the specification, contrary to FIG.
It is listed. ), The C ”was patrolled three times to the left and the above
D'is obtained by adding C's left 7 times
And In addition, 32 bits of this D'are set in blocks of 4 bits.
Duck₁, D ’ ₂, D ’₃, D ’_Four, D ’_Five，
D ’₆, D ’₇, D ’₈Divided into
Let D be the result of performing the replacement as follows.
Shown in. ). In addition, here D₁, D₂, D₃, D_Four, D
_Five, D₆, D₇, D₈In the same way as D'in every 4 bits
It is divided into blocks.

D1 = D'4 D2 = D'1 D3 = D'8 D4 = D'5 D5 = D'2 D6 = D'3 D7 = D'6 D8 = D'7 This result is the third intermediate value. Let be D. [5. Obtaining a fourth intermediate value E] The 32 bits of D are divided into four blocks D ₁ , D ₂ , D ₃ and D ₄ of 8 bits each, and similarly, the key K and the fourth intermediate value E are also 8 bits. 4 blocks for each K ₁ , K ₂ , K ₃ , K ₄ , E ₁ , E ₂ , E ₃ , E
Is divided into _4, the K ₁ "similarly divided into four as for each of the i-th block, the K" K what was changed to a result of adding 1 to 256, modulo the D _i and _i 256 Let E _{i be} the fifth intermediate value added modulo. [6. Obtain output value] The left one round of E is output.

The result obtained by the above operation and the bitwise exclusive OR of the left half of the input are taken as the left half of the output of the one-stage block cipher, and the original A is the output of the block cipher. And the right half of. This operation is repeated 8 times.
At this time, the number of execution bits and the completeness are saturated in two rounds, and as a result, it becomes strong in eight rounds against a differential attack, which is a strong solution of the block cipher, and a safe and high-speed block cipher can be constructed. That is, the number of execution bits and the completeness are saturated twice or more in the five stages excluding the final three stages.

Although the present invention has been described above based on the embodiments, it goes without saying that the present invention is not limited to the above embodiments. That is, for example, the number of times the block cipher is repeated is not limited to eight, but may be any number greater than that. This is extremely effective when, for some reason, a division of digital information or the number of digits of a key is small, or when the confidentiality of communication information is very important. Since not only digital communication but also digital signal processing and calculation such as digital calculation are performed in units of powers of 2 as usual, the input signal, the key, the number of divisions, etc. are also powers of 2 in this embodiment. Of course, these are not limited to powers of two. In the present embodiment, each calculation and division are performed as if they were electric circuits, but they may be performed by calculation by a large-scale computer. In this case, each function (φ,
It may be useful when (f, etc.) is complex rather than just a cycle. For convenience of manufacture, each component may be physically a plurality of components, or a plurality of components may be physically integrated.

[0040]

As described above, the present invention makes it possible to construct a block cipher at low cost, high security, and high speed. According to the invention of claim 2, since the addition is performed without considering the carry of the most significant bit, high-speed operation is possible, and further, the logical and circuit is simple and the hardware does not increase. Therefore, the invention of claim 1 The effect of is increased.

Particularly, in the inventions of claim 3, claim 5, claim 7, claim 8 and claim 9, since the cyclic shift is adopted for agitation, the configuration of the logic circuit is simple and inexpensive. Also, the encryption and decryption in the invention of claim 1 can be performed at high speed. In the inventions of claims 4 and 6, since the function φ is determined depending on the key K and the function f is dependent on the input value A, the number of executions is small to satisfy the saturation and completeness. Since the number of stages is sufficient, the effect of the invention of claim 1 is increased.

[Brief description of drawings]

FIG. 1 is a block diagram of a block cipher algorithm according to an embodiment of the present invention.

FIG. 2 is a block diagram of a block cipher algorithm according to a conventional technique.

FIG. 3 is a conceptual diagram of a circuit configuration for circulation and key and circulation by a bit information circulator.

[Explanation of symbols]

 1 input bit left 32 bits 2 input bit right 32 bits 3 key

Claims (9)

[Claims] 1. An input value obtained by dividing an external input every n bits.
A signal input section designated as A and obtained by the signal input section
Set each input value A to 1 from the highest digit₁Bit, l ₂Bit
To ..._sBit (where l₁+1₂+ ... + 1_s=
n) s blocks A₁, A₂, ..., A_sSplit into
Input value division part and n bits which is a predetermined value
The key K of the₁Bit, l₂bit,
…, L_sS blocks of bits K₁, K₂, ... K_s
Output from the input value division unit and the key division unit
Each A_i(Where i = 1, ..., S)_i(A _i) To
S number of l to transfer_iBit to l_iFunction φ to bit_iHave
Φ function part and its constituent elements B as the first intermediate value B
_i(Here, B₁+ ... + B_s= B) to B_i= Φ_i(Φ_i
(A_i), K_i), The s number of l_i× l
_iBit to l_iFunction Φ to bit_iΦ function part with
And an n-bit key K that is a predetermined value is g
Have a function g from n bits to n bits that is transferred to (K)
g function part and the first intermediate value B for each m₁Bit, m₂bit
…, M_tBit (where m₁+ M₂… + M_t= N
One t is set independently of s. ) T blocks B
₁, B ₂, ..., B_tThe first intermediate value division part to divide into
The output result g (K) of the g-function part is m₁Bit, m₂B
T ... m_tT blocks of bits g (K)₁, G
(K)₂, ..., g (K)_tG (K) division part to divide into
And a function f from t n bits to n bits_i(I =
1, ..., T), and f_i(G (K)) and the first intermediate value B
Each B_iAnd the bitwise logical product of
Value z which is the exclusive OR of_iZ calculation unit for obtaining
And each of the constituent elements C as the second intermediate value C._i(I =
1, ..., t) is the z_iAnd the above g (K)_iWith the inversion of
The logical product of each bit is obtained and these are_iA bit of
C is the exclusive OR of each_iBy
The calculation of the C and the third intermediate value D are performed by D = φ (C).
There is a function φ from 1 bit to 1 bit obtained by arithmetic
D calculation unit and n bits, which is a predetermined value
Key K to h (K) (where h (K) = g (K))
H function part having a function h from n bits to n bits
And the third intermediate value D for each l₁Bit, l₂Bit ...
_sS blocks of bits D ₁, D₂, ..., D_s(here
To D₁+ ... + D_s= D) third intermediate value division unit
And the output result h (K) of the h function part is₁bit,
l₂Bit ..._sS blocks of bits h (K)
₁, H (K)₂…, H (K)_s(Here, h (K)₁+
… + H (K)_s= H (K)) h (K) division unit
And, as the fourth intermediate value E, the respective constituent elements E_i(here
To E₁+ ... + E_s= E) to E _i= Φ_i(H (K)_i,
D_i) Is calculated by_i× l_iBit to l_i
Function Φ to bit_iE calculation unit with s n bits
Function f from the output to n bits_iWith (i = 1, ..., s)
And each f_i(E_i) As an output signal
And a block cipher device. 2. A function of the l _i × l _i bits in the [Phi function unit and the E calculator to l _i bits Φ _i, ..., Φ
_s is the value A _i = for inputs where Φ _i is l _i bits
[A ₀ , ..., a _li-1 ] and K _i = [k ₀ , ..., k _li-1 ] are the functions to output a value added without considering the carry of the most significant bit. The block cipher creation device according to claim 1. 3. From l _i bits in the φ function part to l
Functions to _i bits φ _i, ..., φ _s is, phi _i is l _i values _{A i = [a 0, ...} , a li-1] for the input bits and a value obtained by i-bit left or right cyclic shift The block cipher creation device according to claim 1, wherein the output function is φ _i (A) = [a _i , ..., A _i-1 ]. 4. From l _i bits in the φ function part to l
_2. The function φ ₁ , ..., φ _s for _i bits is obtained depending on the key K _i = [k ₀ , ..., k _li-1 ] of l _i bits. Block cipher creation device. 5. The n-bit-to-n-bit function f ₁ , ..., F _t in the z operation unit has a value A = [a ₀ , ..., A _n-1 ] related to an input in which f _i is n bits. i-bit function f _i (A) = [a _i , ..., A _i-1 ] which outputs a value obtained by cyclically shifting left or right in the same direction as each function φ _i. 1. The block cipher creation device according to 1. 6. The n-bit to n-bit function f ₁ , ..., F _t in the z operation unit depends on the value A = [a ₀ , ..., A _n-1 ] related to the n-bit input. The block cipher creation device according to claim 1, wherein the block cipher creation device is obtained. 7. The function g from n bits to n bits in the g function unit is a value A = for an input in which g is n bits.
[A ₀ , ..., a _n-1 ] is a function that outputs a value obtained by shifting i bits in the opposite direction to φ _i in the right or left cyclic shift, g (A) = [a _ni , ..., a _ni-1 ] The block cipher creation device according to claim 1, wherein 8. A function h from n bits to n bits in the h function section is such that a value A for an input in which h is n bits is A =
A function that outputs [a ₀ , ..., A _n-1 ] a value that is i-bit right or left cyclically shifted in the opposite direction to φ _i , h (A) = [a _ni , ..., A _ni-1 ] The block cipher creation device according to claim 1, wherein 9. From n bits to n bits in the D calculation unit.
The function ψ to the input is the value C = for inputs where ψ is n bits.
[C₀, ..., c_n-1] After replacing _iSame direction as
The i-bit left or right cyclically shifted value and C
It is a function that outputs the value obtained by taking the exclusive OR of each bit.
The block cipher creation device according to claim 1, wherein
Place