JPH0697930A - Block cipher processor - Google Patents

Abstract

PURPOSE:To enhance secrecy by section-dividing an input block to be subjected by an initial transposing part of a data randomizing par, moving a bit train in accordance with a key, and thereafter, and processing it in accordance with an intermediate key by plural stages of involution processing parts of a non- linear function part. CONSTITUTION:An input block of a plain text is divided in two by an initial transposing part of a data randomizing part 1, and also, each bit string is subjected to position movement by setting a key as an address becomes the left and the right blocks L, R, and is inputted to a first stage involution processing part 6. Subsequently, it is subjected to involution processing by a function corresponding to an intermediate key 1 formed, based on the key and the bit string is converted, the right and the left outputs R, L become the left and the right inputs L, R of the processing part 6 of the next respectively, and after the same repetition, from a reverse initial transposing part 5, a Fast Data Encipherment Algorithm (FEAL) cipher high in secrecy in outputted. Besides, decoding is also executed in the same way.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a block cipher, and more particularly to an encryption device for performing encryption and decryption processing by so-called FEAL encryption.

[0002]

PRIOR ART AND PROBLEMS TO BE SOLVED BY THE INVENTION FEAL
(Fast Data Encipherment Algorithm) Cryptography is well known as one of the leading block ciphers (eg Tsujii and Kasahara, "Cipher and Information Security", 1990,
Published by Shokodo, pp.43-49).

A typical example of FEAL encryption is configured as shown in FIGS. 5 and 6. That is, a block having a 64-bit length is encrypted and decrypted with a key having a 64-bit length, and includes a data randomizing unit shown in FIG. 5A and a key generating unit shown in FIG.

First, as an explanation of encryption, in the data randomizing section, first, the plaintext input and the bit string KA generated from the key are exclusive-ORed and the resulting 64-bit block is divided into 32-bit left and right bit strings. It is divided into two parts, and the left bit string is used as the left input, and the exclusive OR of the left bit string and the right bit string is used as the right input, and the result is put in the involution processing unit at the first stage.

There are eight stages of involution processing units (enclosed by broken lines in the figure), and the left output of the involution processing units of each stage is used as the right input of the next stage, and the right output is used as the left input. Connected.

Each involution processing section has a function section (denoted by f in the figure), and is generated by a key generation section described later.
The exclusive OR of the bit string generated by the function part with one of the bit intermediate keys K _{0 to} K ₇ and the right input as the input is taken as the left output, and the right input is taken as it is as the right output.

As shown in FIG. 5 (b), each function part divides the 32-bit right input into 4 bytes of 8 bits, and the exclusive logic of that byte or that byte and the byte obtained by dividing the intermediate key into two bytes. The bytes mixed by the sum are input to one of the four S boxes (S ₀ and S _{1 in the} figure).

The respective S boxes are connected to each other so that the output of another byte or the output of the other S box is used as the other input, and addition is performed modulo 256 for two inputs (S _{0 in the} figure). (Slightly different for S ₁ ) and the result is left circularly shifted by 2 bits and output, and 32 bits obtained by arranging each byte output of 4 S boxes are the output of the function part.

As described above, the left output output from the involution processing unit at the final stage is the left bit string,
The exclusive OR of the left output and the right output is the right bit string 64
The exclusive OR of the bit and the bit string KB generated from the key is taken as the output of the ciphertext.

In the decryption process, the ciphertext is input and the same operation as the above may be performed using the same key as the encryption.
At that time, KA, K _{0 to} K ₇ , and KB generated from the key are applied in the reverse order of the encryption.

As shown in FIG. 6, the key generation unit has a key processing unit (shown by a broken line in the figure) having the same number of stages as the data randomization unit, and a 64-bit key is left bit string of equal length. And the right bit string are equally divided into left and right inputs, and each function part (f _{K in the} figure is processed by a similar operation to the data randomization part.
2) is divided into left and right to generate two 16-bit intermediate keys. The content of the function part f _{K is} the same as that of the data randomizing part.

From the above, the intermediate keys generated by the key processing units of the first to eighth stages are designated as K ₀ , K ₁ , K ₂ , K _{3 to} K ₁₄ and K ₁₅ , and K _{0 to} K ₇ are unchanged. Intermediate keys K _{0 to} K ₇ and K _{8 to} K
_The 64 bits in which ₁₁ are arranged are set as KA, and the 64 bits in which K _{12 to} K ₁₅ are arranged are set as KB and are supplied to the data randomization unit.

An object of the present invention is to provide a block cipher processing device which performs cipher processing with enhanced confidentiality based on the FEAL cipher.

[0014]

1 and 2 are block diagrams showing the configuration of the present invention. 1 is a block diagram of a data randomization unit of a block cipher processing device, and FIG. 2 is a configuration of a key generation unit. An input block consisting of a bit string of a predetermined length is generated based on a given key consisting of a bit string of the bit length. The device is a device for converting the input block into an output block having the same length, and has a data randomization unit 1 and a key generation unit 2.

The data randomizing unit 1 includes an initial transposing unit 3
And a non-linear function unit 4 and an inverse initial transposition unit 5. The initial transposing unit 3 divides the input block into predetermined sections,
The value of each bit string at the position determined so as to correspond to each of the sections of the key is set as the section position address in the input block,
The bit string of each section is sequentially moved to a section having a predetermined positional relationship with the section determined by the corresponding section position address, the resulting block is passed to the non-linear function unit 4, and the sections before and after the movement are transferred to each other. Information indicating the correspondence between the two is passed to the inverse initial transposition unit 5.

The non-linear function unit 4 has a plurality of stages of involution processing units 6, divides the block received from the initial transposition unit 3 into a left bit string and a right bit string of equal length, and divides the left bit string to the left. The input L, the exclusive OR of the left bit string and the right bit string is input as the right input R to the involution processing unit 6 of the first stage, and the left output of the involution processing unit 6 of each stage is sequentially output. The right input R of the stage is used as the right input and the right output is used as the left input L, and the block of the bit string obtained by combining the left output of the final stage and the exclusive OR of the left output and the right output is input to the inverse initial transposition unit 5. It is something to pass.

Each involution processing section 6 has a function section 7, and a bit string generated by the function section 7 with each predetermined one of the intermediate keys generated by the key generation section 2 and the right input R as an input and a left side. The exclusive OR with the input L is the left output, and the right input R is the right output.

Each function unit 7 divides the right input R into predetermined sections, and sets the value of each bit string at the position determined so as to correspond to each section of the intermediate key as the section position address in the right input, The bit string of each section is sequentially moved to a section having a predetermined positional relationship with the section determined by the corresponding section position address, and a predetermined conversion is executed on the bit string resulting from the movement.

The inverse initial transposition unit 5 reverses the movement between the sections performed by the initial transposition unit 3 according to the correspondence information between the sections received from the initial transposition unit 3 for the block received from the non-linear function unit 4. The block that has moved is output as the output block.

The key generation unit 2 has a key processing unit 8 having the same number of stages as the non-linear function unit 4, divides the key into a left bit string and a right bit string of equal length, and inputs the left bit string to the left key. KL, the exclusive OR of the left bit string and the right bit string is input to the first-stage key processing unit 8 as the right key input KR, and the left key output of the key processing unit 8 of each stage is sequentially output to the next stage. The right key input KR is used, the right key output is used as the left key input KL, and the left key output of each stage is passed to the nonlinear function unit 4 as each intermediate key.

Each key processing unit 8 has a key function unit 9, which receives the given initial vector and the right key input KR as input.
The exclusive OR of the bit string generated by and the left key input KL is the left key output, and the right key input KR is the right key output.

Each key function unit 9 divides the right key input KR into predetermined sections, and sets the value of each bit string at the position determined so as to correspond to each section of the initial vector as the section position address in the right key input KR. , The bit string of each section is sequentially moved to a section having a predetermined positional relationship with the section determined by the corresponding section position address, and a predetermined conversion is executed on the bit string of the moved result.

In the second invention, each of the function units 7 is
Assuming that the number of said sections is N, it has 2N-1 function boxes, and regarding the bit string resulting from the movement based on the intermediate key, the first function box and the second bit string of the said section And the bit string of the section of

The bit string of the (i + 1) th section and the output of the (i-1) th function box are input to each of the i-th function boxes from the 2nd to the (N-1) th, and are input to the Nth function box. The bit string of the first section and the output of the (N-1) th function box are input.

The output of the j-Nth function box and the j-th function box of each of the j-th function boxes from the (N + 1) th to the 2N-1th.
−1 and the output of the function box are input, and the output of each of the Nth to 2N−1th function boxes is set as an output bit string.

It is assumed that each of the function boxes performs a predetermined operation on two inputs having the same bit width in each of the sections and generates one output having the same bit width. In the third invention,
Each of the key function units 9 has the same configuration as each of the function units 7 of the second invention.

[0027]

With the block cipher processing device of the present invention, the FEA
In the data randomizing unit and the function processing in the L-cipher, the key or the intermediate key is transposed to a key by transposing a bit string whose address is the value of the key and the intermediate key, instead of performing a mere exclusive OR with the key or the intermediate key as in the FEAL encryption. By performing the dependent transposition process, the apparent internal structure conversion is performed in the spiral structure connection of the function boxes as in the second and third inventions, and the confidentiality is improved.

[0028]

FIG. 3 shows an example of the flow of processing of the initial transposition unit 3. Assuming that a 64-bit data block is processed by a 64-bit key, both are divided into 8 bytes in an 8-bit section, and each key is divided. When the lower 3 bits of the byte are used as the address indicating the section position, the byte of the data block corresponding to the byte is moved to the section indicated by the address, and when the move destination is already filled, for example, sequential address 1
We shall proceed one by one and move to a vacant position.

That is, in processing step 10, control information such as a byte position is set to an initial value, and processing is performed from the left byte. In processing step 11, the lower 3 bits of the key at that byte position are set.
Take out a bit.

In processing step 12, whether or not the moving destination indicated by the address is empty is identified by looking at the moving record to be passed to the inverse initial transposition unit 5 later, and if the position of the moving source byte is already recorded at that position. If yes, add the address in processing step 13
1 and the processing step 12 is repeated.

If the movement destination is empty, the movement source byte position is recorded in the column designated by the address in the movement recording in processing step 14, and the data byte is copied to the movement destination byte position in processing step 15. To do.

When the transposition of all the bytes of the data block is completed by performing the above processing 8 times by identifying in the processing step 16, the moving record is recorded in the reverse initial transposition part 5 in the processing step 17.
To end the process.

FIG. 4 shows a configuration example of the function unit 7 of each involution processing unit 6 and the key function unit 9 of each key processing unit 8. The right input R of 32-bit data or the right key input KR of a key is shown.
Is used as input data, and a 32-bit intermediate key or initial vector is used as an input key to generate 32-bit output data as follows.

The input data is transposed according to the value of the input key by transposition processing. This transposition process converts 32-bit data to 4
It is assumed that the divided bytes of the 8-bit section are subjected to the same processing as described with reference to FIG.

The input data of the transposition result is f1 ...
It is converted by a conversion mechanism that connects the f7 box to form a spiral structure. That is, each byte of the input data of the transposed result is input to the f1 to f4 boxes, is operated with the other input shown in the figure, and the output is input to the f5 to f7 boxes, f4 to f7
The output is the 32 bits that connect the box outputs.

With such a configuration, the internal structure of the spiral conversion mechanism can be apparently changed with respect to the input data by the transposition process. The operations of the f1 to f7 boxes are, for example, addition modulo 256 and 2-bit left circular shift.

Also in the case of the present encryption device, encryption and decryption can be performed by using the same key with the same configuration and applying the intermediate key in the reverse order. The key input to the initial transposing unit 3 is the same for both.

FIGS. 7 and 8 are data showing an example of the performance of encryption in the case of encrypting a 64-bit plaintext with a 64-bit key, and the involution processing unit of 8 stages is provided as a comparison target. The FEAL encryption is used, and the encryption device of the present invention is a case where only two stages of involution processing units are provided.

FIG. 7 shows a cipher block obtained for a plaintext and a key (both in hexadecimal notation) shown in the block data column, and a cipher block when one bit of the plaintext or the key is changed to a value different from that shown in the figure. It is the number of different bits when comparing and, and the figure shows the average value and variance of the results for all 64-bits of plaintext and key.

Further, FIG. 8 shows the number of changed bits when the plaintext block is compared with the cipher block resulting from the encryption with the key shown in the key column, with the actual data of 10,500 blocks as the input plaintext block. , Mean and variance over all blocks.

As is clear from the figure, in the cryptographic process of the present invention, the number of stages of the involution process is reduced to 1/4 of that in the FEAL cryptosystem, but almost the same result as the FEAL cryptosystem is obtained. It is shown that the encryption of the present invention has high randomness.

On the other hand, in order to perform the above performance comparison, comparing the time required for the encryption processing by the general-purpose computer,
The EAL cipher requires about 1.8 times the processing time of the cipher of the present invention.

[0043]

As is apparent from the above description, according to the present invention, it is possible to provide an encryption processing device that uses a highly confidential block cipher.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration of the present invention (No. 1)

FIG. 2 is a block diagram showing a configuration of the present invention (part 2).

[Fig. 3] Flow chart of processing of initial transposition unit

FIG. 4 is a block diagram of a configuration example of a function unit.

FIG. 5 is a diagram showing a configuration example of a FEAL encrypted data randomizing unit.

FIG. 6 is a diagram showing a configuration example of a FEAL encryption key generation unit.

FIG. 7 is a diagram showing an example of cryptographic performance (No. 1)

FIG. 8 is a diagram showing an example of cryptographic performance (No. 2)

[Explanation of symbols]

 1 Data Randomization Section 2 Key Generation Section 3 Initial Transposition Section 4 Nonlinear Function Section 5 Inverse Initial Transposition Section 6 Involution Processing Section 7 Function Section 8 Key Processing Section 9 Key Function Section 10-17 Processing Steps

Claims (3)

[Claims] 1. An apparatus for converting an input block consisting of a bit string of a predetermined length into an output block having the same length as the input block, based on a given key consisting of the bit string of the bit length, wherein the device randomizes data. The data randomizing unit (1) has a unit (1) and a key generating unit (2), and the data randomizing unit (1) includes an initial transposing unit (3), a non-linear function unit (4), and an inverse initial transposing unit (5). The initial transposing unit (3) divides the input block into predetermined sections, and sets the value of each bit string at a position determined so as to correspond to each of the sections of the key in the input block. As a section position address, sequentially move the bit string of each section to a section having a predetermined positional relationship with the section determined by the corresponding section position address, and pass the resulting block to the non-linear function unit (4), Information indicating the correspondence between the sections before and after the movement is provided to the inverse initial transposition unit (5). The non-linear function unit (4) has a plurality of stages of involution processing unit (6), the block received from the initial transposition unit (3) into a left bit string and a right bit string of equal length. It is divided into two parts, the left bit string is used as the left input, and the exclusive OR of the left bit string and the right bit string is input as the right input to the involution processing unit of the first stage, and the inversion processing unit of each stage is sequentially input. The left output of the volume processing unit is used as the right input of the next stage, the right output is used as the left input, and the left output of the final stage and the exclusive OR of the left output and the right output are combined. A block is passed to the inverse initial transposition unit (5), each involution processing unit (6) has a function unit (7), and each of the intermediate keys generated by the key generation unit (2) Exclusive of a bit string generated by the function unit with a predetermined one and the right input as inputs and the left input The logical sum is used as the left output, and the right input is used as the right output. Each function unit (7) divides the right input into a predetermined section and corresponds to each section of the intermediate key. The value of each bit string at the position determined as described above is used as the section position address in the right input, and the bit string of each section is sequentially moved to a section having a predetermined positional relationship with the section determined by the corresponding section position address, The inverse initial transposition unit (5) executes a predetermined conversion on the bit string of the moved result, and the inverse initial transposition unit (5) receives the section received from the initial transposition unit (3) for the block received from the nonlinear function unit (4). According to the mutual correspondence information, a block that is moved in the opposite direction of the movement performed by the initial transposition unit between the sections is output as the output block, and the key generation unit (2) Has a key processing unit (8) with the same number of steps as the function unit (4) , The key is equally divided into a left bit string and a right bit string of equal length, the left bit string is used as the left key input, and the exclusive OR of the left bit string and the right bit string is used as the right key input. Input to the key processing unit, the left key output of each key processing unit in each stage is sequentially set as the right key input of the next stage, the right key output is set as the left key input, and the left key output of each stage is set in each of the intermediate stages. The key processing unit (8) has a key function unit (9) as a key, and each key processing unit (8) receives a given initial vector and the right key input, and the key function unit receives The exclusive OR of the bit string to be generated and the left key input is used as the left key output, the right key input is used as the right key output, and each of the key function units (9) outputs the right key input to a predetermined value. Divided into intervals,
The value of each bit string at a position determined so as to correspond to each of the intervals of the initial vector is used as an interval position address in the right key input, and the bit string of each interval is determined by the corresponding interval position address and a predetermined position. A block cipher processing device, characterized in that the block cipher processing device is configured to sequentially move to a section having a relationship and perform a predetermined conversion on a bit string resulting from the movement. 2. Each of the function units (7) has 2N−1 function boxes, where N is the number of the sections, and the first bit string of the result of movement based on the intermediate key is the first box. The bit string of the first section and the bit string of the second section are input to the function box, and the i-th function box from the second to the (N-1) th is the i-th function box.
The bit string of the section of +1 and the output of the i−1 th function box are input, and the bit string of the first section and the N th function box are input to the N th function box.
−1 of the output of the function box, and the output of the j−Nth function box and the output of the j−1th function box of each of the jth function boxes N + 1 to 2N−1. Output and the output of each of the Nth to 2N−1th function boxes as an output bit string, each of the function boxes performs a predetermined operation on two inputs having a bit width equal to each of the sections, and outputs the same bit. The block cipher processing device according to claim 1, which generates one output having a width. 3. The respective key function parts (9) are provided with the respective function parts (7).
The block cipher processing device according to claim 2, having the same configuration as that of.