US9270458B2 - Encryption processing device, encryption processing method, and program - Google Patents

Publication number
US9270458B2
Authority
US
United States
Prior art keywords
round
key
keys
data
encryption processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US14/002,462
Other languages
English (en)
Other versions
US20130343546A1 (en)
Inventor
Kyoji Shibutani
Atsushi Mitsuda
Toru Akishita
Takanori Isobe
Taizo Shirai
Harunaga Hiwatari
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sony Corp
Original Assignee
Sony Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sony Corp
Assigned to SONY CORPORATION (assignment of assignors' interest; see document for details). Assignors: AKISHITA, TORU; HIWATARI, HARUNAGA; ISOBE, TAKANORI; MITSUDA, ATSUSHI; SHIBUTANI, KYOJI; SHIRAI, TAIZO
Publication of US20130343546A1
Application granted
Publication of US9270458B2
Expired - Fee Related
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI

Definitions

  • the present disclosure relates to an encryption processing device, an encryption processing method, and a program. More specifically, this relates to an encryption processing device, an encryption processing method, and a program for executing shared key encryption.
  • In shared key block encryption, the key for encryption and the key for decryption are shared.
  • a data conversion processing is repeatedly executed in block data units of a certain block unit such as 64 bits, 128 bits, 256 bits, or other.
  • DES (Data Encryption Standard)
  • AES (Advanced Encryption Standard)
  • Other various shared key block encryptions continue to be proposed, and the CLEFIA proposed by Sony Corporation in 2007 is also a shared key block encryption.
  • These kinds of shared key block encryption algorithms are mainly configured with an encryption processing part, which includes a round function executing unit that repeatedly executes conversions of input data, and a key scheduling part that generates the round keys applied at each round of the round function unit.
  • The key scheduling part first generates an expanded key, in which the bit count is increased, on the basis of a master key, which is a secret key, and then generates the round keys (secondary keys) applied at each round function unit of the encryption processing part from the generated expanded key.
  • Configurations for repeatedly executing the round function including linear conversion units and non-linear conversion units are known as specific configurations of these kinds of algorithms.
  • Representative structures include the Feistel structure and the generalized Feistel structure, for example.
  • the Feistel structure and the generalized Feistel structure include structures that convert plaintext into ciphertext by the repetition of a simple round function including an F function as a data conversion function.
  • the linear conversion processing and the non-linear conversion processing are executed by the F function.
  • NPL 1 and NPL 2 are examples of literature which discloses encryption processing applying Feistel structures.
  • the present disclosure is the result of considering the previously described situation, for example, and aims to provide an encryption processing device, an encryption processing method, and a program with a high level of security that makes illegal cryptanalysis such as related key attacks difficult.
  • a first aspect of the present disclosure is an encryption processing device comprising:
  • an encryption processing part configured to divide configuration bits of data to be data processed into a plurality of lines, and to input, and to repeatedly execute data conversion processing applying a round function to each line of data as a round calculation;
  • a key scheduling part configured to output round keys to a round calculation executing unit in the encryption processing part
  • the key scheduling part is a replacement type key scheduling part configured to generate a plurality of round keys or round key configuration data by dividing a secret key stored beforehand into a plurality of parts;
  • the key scheduling part changes the input sequence of the multiple round keys corresponding to the round calculation executing unit at units of multiple rounds regarding the round calculation executing unit.
  • the encryption processing part includes an F function executing unit configured to input the data divided into multiple lines and includes a non-linear conversion processing and a linear conversion processing, and a calculating unit configured to execute calculations applying the round keys against the output of the F function executing unit.
  • the key scheduling part divides a secret key stored beforehand into multiple parts, and generates multiple round keys having the same number of bits as the round key input into the round calculation executing unit.
  • the key scheduling part divides a secret key stored beforehand into multiple parts, and generates multiple round keys having a smaller number of bits as the round key input into the round calculation executing unit, and performs multiple combinations of the multiple round key configuration data, and generates a round key having the same number of bits as the round key input into the round calculation executing unit.
  • the key scheduling part outputs juxtaposed multiple round keys that are applied in parallel to the round calculation executing unit regarding the round calculation executing unit sequentially executing in the encryption processing part.
  • the key scheduling part includes at least one selector configured to perform a selection supply processing of keys corresponding to the round calculation executing unit.
  • the key scheduling part sets multiple groups by classifying the multiple round keys or the round key configuration data, and performs control processing of the key supply sequence corresponding to the round calculation executing unit at units of the set groups.
  • the key scheduling part includes selectors in units of the groups.
  • the encryption processing part executes encryption processing to convert plaintext as the input data into ciphertext, and executes decryption processing to convert ciphertext as the input data into plaintext.
  • a second aspect of the present disclosure is an encryption processing method to be executed in an encryption processing device, the encryption processing method comprising:
  • an encryption processing step in which an encryption processing part is configured to divide configuration bits of data to be data processed into a plurality of lines and input, and to repeatedly execute data conversion processing applying a round function to each line of data as a round calculation;
  • a key scheduling step in which a key scheduling part is configured to output round keys to a round calculation executing unit in the encryption processing part;
  • the key scheduling part is a replacement type key scheduling part configured to generate a plurality of round keys or round key configuration data by dividing a secret key stored beforehand into a plurality of parts;
  • a third aspect of the present disclosure is a program to execute encryption processing in an encryption processing device, the program comprising:
  • an encryption processing step in which an encryption processing part is configured to divide configuration bits of data to be data processed into a plurality of lines and input, and to repeatedly execute data conversion processing applying a round function to each line of data as a round calculation;
  • a key scheduling step in which a key scheduling part is configured to output round keys to a round calculation executing unit in the encryption processing part;
  • the key scheduling part is a replacement type key scheduling part configured to generate a plurality of round keys or round key configuration data by dividing a secret key stored beforehand into a plurality of parts;
  • The program according to the present disclosure is a program supplied, for example by a recording medium, to a computer system or information processing device capable of executing various program code.
  • the processing is achieved through the program by executing this kind of program with program executing unit in the information processing device or computer system.
  • an encryption processing device with a high level of security is achieved by supply control of round keys.
  • an encryption processing part configured to divide configuration bits of data to be data processed into a plurality of lines, and to input, and to repeatedly execute data conversion processing applying a round function to each line of data as a round calculation; and a key scheduling part configured to output round keys to a round calculation executing unit in the encryption processing part; wherein the key scheduling part is a replacement type key scheduling part configured to generate a plurality of round keys or round key configuration data by dividing a secret key stored beforehand into a plurality of parts; and wherein the plurality of round keys are output to a round calculation executing unit sequentially executing in the encryption processing part such that a constant sequence is not repeated.
  • an encryption processing configuration with a high level of security is achieved that has a high level of resistance to repeated key attacks or other attacks, for example.
  • FIG. 1 is a diagram describing an n-bit shared key block encryption algorithm corresponding to a key length of k bits.
  • FIG. 2 is a diagram describing a decryption algorithm corresponding to the n-bit shared key block encryption algorithm corresponding to a key length of k bits, illustrated in FIG. 1 .
  • FIG. 3 is a diagram describing a relationship between a key scheduling part and a data encryption part.
  • FIG. 4 is a diagram describing an example configuration of the data encryption part.
  • FIG. 5 is a diagram describing an example of an SPN structure round function.
  • FIG. 6 is a diagram describing an example of a Feistel structure round function.
  • FIG. 7 is a diagram describing an example of an expanded Feistel structure.
  • FIG. 8 is a diagram describing an example of an expanded Feistel structure.
  • FIG. 9 is a diagram describing an example configuration of a non-linear conversion unit.
  • FIG. 10 is a diagram describing an example configuration of a linear conversion processing unit.
  • FIG. 11 is a diagram describing a key scheduling part (expanded key generating unit).
  • FIG. 12 is a diagram describing a key scheduling part (expanded key generating unit).
  • FIG. 13 is a diagram describing an example configuration of a block encryption GOST.
  • FIG. 14 is a diagram describing a Feistel structure which is a GOST data structure.
  • FIG. 15 is a diagram describing an attack which can provide an arbitrary secret key difference Δ.
  • FIG. 16 is a diagram describing a case in which each round key difference δ_i is divided into the secret key difference Δ at every m bits when there is a replacement type key scheduling part.
  • FIG. 17 is a diagram describing that the input difference for the F function becomes zero by providing an average difference of (d, d).
  • FIG. 18 is a diagram describing an example of a type-2 generalized Feistel structure.
  • FIG. 19 is a diagram describing an example configuration of an XOR after the F function.
  • FIG. 20 is a diagram describing an example configuration of an XOR after the F function.
  • FIG. 21 is a diagram describing an example configuration in which a secret key K is divided into four equal parts every (n/2) bits when the key is 2n bits, and are supplied while being shuffled every four rounds.
  • FIG. 22 is a diagram describing an example configuration in which the secret key K is divided into eight equal parts at every (n/4) bits, and two (n/4)-bit portions are supplied while being shuffled every four rounds.
  • FIG. 23 is a diagram describing an example configuration in which the secret key K is divided into eight equal parts every (n/2) bits when the length is 4n bits, and are supplied while being shuffled every eight rounds.
  • FIG. 24 is a diagram describing an example configuration in which the secret key K is divided into eight equal parts every (n/4) bits when the key is 2n bits, and two (n/4)-bit portions are supplied while being shuffled every four rounds.
  • FIG. 25 is a diagram describing an example configuration in which the secret key is divided into eight equal parts every (n/4) bits wherein four of these are used in a round key RK_{r,0} of a left side F function, and the remaining four are used in a round key RK_{r,1} of a right side F function.
  • FIG. 26 is a diagram describing a model in which the cyclic shift in a generalized Feistel structure with 4 data lines is changed to a round permutation (generalized Feistel structure+ with 4 data lines).
  • FIG. 27 is a diagram describing an example of applying a shuffling technique similar to that in FIG. 25 , as to a generalized Feistel structure with 4 data lines.
  • FIG. 28 is a diagram illustrating a configuration method of a key scheduling part when the secret key is (5n/4) bits, and the round key necessary for one round is (n/2) bits.
  • FIG. 29 is a diagram describing an example configuration when the round keys are simply input in order.
  • FIG. 30 is a diagram describing an example configuration when the round keys are simply input in order.
  • FIG. 31 is a diagram describing a configuration using round keys corresponding to one round for an n-bit block encryption having a generalized Feistel structure with d data lines of a divided number d.
  • FIG. 32 is a diagram describing an example configuration in which the secret key is n bits, round keys of n/4 bits are generated from dividing the n-bit secret key into four equal parts, and these are input two at a time for each round.
  • FIG. 33 is a diagram describing an example configuration in which the secret key is (5/4)n bits, round keys of n/4 bits are generated from dividing the n-bit secret key into five equal parts, and these are input two at a time for each round.
  • FIG. 34 is a diagram describing an example configuration in which the secret key is n bits, round keys of n/4 bits are generated from dividing the (5/4)n-bit secret key into five equal parts, and these are input two at a time for each round.
  • FIG. 35 is a diagram describing an example configuration in which the selection sequence of keys is changed in units of multiple rounds.
  • FIG. 36 is a diagram describing an example configuration of a round key supply set so that a replacement processing executed in units of four rounds is different each time.
  • FIG. 37 is a diagram describing an example configuration in which the selection sequence of keys is changed in units of multiple rounds.
  • FIG. 38 is a diagram describing an example configuration in which replacement is performed every three rounds, and six keys are used in the three rounds.
  • FIG. 39 is a diagram describing an example configuration in which the selection sequence of keys is changed in units of multiple rounds.
  • FIG. 40 is a diagram describing a round key supply configuration as a selector.
  • FIG. 41 is a diagram describing a round key supply configuration as the selector.
  • FIG. 42 is a diagram describing a round key supply configuration as a selector.
  • FIG. 43 is a diagram illustrating an example configuration of an IC module 700 as the encryption processing device.
  • Block encryption obtains a plaintext P and a key K as input, and outputs a ciphertext C.
  • the bit length of the plaintext and the ciphertext is called a block size, which is written as n.
  • n is an arbitrary integer value that is normally one value determined beforehand for each block encryption algorithm. A block encryption whose block length is n bits is sometimes called an n-bit block encryption.
  • the bit length of the key is expressed as k.
  • the key has an arbitrary integer value.
  • Ciphertext C: n bits
  • FIG. 1 illustrates a diagram of an n-bit shared key block encryption algorithm E corresponding to a key length of k bits.
  • a decryption algorithm D corresponding to the encryption algorithm E can be defined as an inversion function E^{-1} of the encryption algorithm E, which receives the ciphertext C and key K as the input, and outputs the plaintext P.
  • FIG. 2 illustrates a diagram of the decryption algorithm D corresponding to the encryption algorithm E illustrated in FIG. 1 .
  • The block encryption can be thought of as divided into two portions.
  • One is a “key scheduling part”, which receives the key K as input and outputs an expanded key K′ (bit length k′) by expanding the bit length according to certain previously determined steps.
  • The other is a “data encryption part” that receives the plaintext P and the key K′ expanded by the key scheduling part, performs a data conversion, and outputs the ciphertext C.
  • The relationship between these two portions is illustrated in FIG. 3.
  • the data encryption part used in the following embodiments can be divided into processing units called round functions.
  • the round function receives two units of data as the input, conducts processing internally, and outputs one unit of data.
  • One part of the input data is an n-bit data currently being encrypted, which results in a configuration in which the output from the round function for some round is supplied as the input for the next round.
  • the other part of the input data is used as data for a portion of the expanded key output from the key scheduler, and this key data is called the round key.
  • the total number of round functions is called the total round number, and is a value determined beforehand for each encryption algorithm.
  • the total round number is expressed as R.
  • An overview of the data encryption part, viewed from its input side, is illustrated in FIG. 4, in which the input data for the first round is designated as X_1, the data input to the round function of the i-th round is designated as X_i, and the round key is designated as RK_i.
  • the round function can have various forms depending on the block encryption algorithm.
  • The round function can be classified by the structure adopted by the encryption algorithm.
  • Typical structures used here as examples are SPN structures, Feistel structures, and expanded Feistel structures.
  • FIG. 5 illustrates an example of an SPN structure round function.
  • the n-bit input data is divided into two units of n/2-bit data.
  • A function (F function) is applied with one part of this data and the round key as the input, and the output is XORed with the other part of the data. The result of swapping the left and right sides of this data becomes the output data.
  • FIG. 6 illustrates an example of a Feistel structure round function.
  • The expanded Feistel structure extends the Feistel structure's data division number of two to three or more divisions. If the division number is designated as d, then various expanded Feistel structures can be defined depending on d. Because the input and output size of the F function is relatively small, this structure is suited to small implementations.
  • a d/2 number of F functions are applied in parallel within one round for expanded Feistel structures in which the division number d is an even number.
  • a cyclic shift is used as a replacement between rounds.
  • FIGS. 7 , 18 , and 20 illustrate a generalized Feistel structure with 4 data lines.
  • Linear conversion processing units can be defined as matrices considering their nature.
  • The elements of the matrix can generally be expressed in various ways, such as elements of the field GF(2^8) or elements of GF(2).
  • FIG. 10 illustrates an example of a linear conversion processing unit defined by an m × m matrix over GF(2^s), for an ms-bit input and output.
  • The key scheduling part (expanded key generating unit) is a function, as illustrated in FIG. 11, that takes the k-bit secret key K as input and generates a k′-bit expanded key (round key) K′ by some determined conversion.
  • K0 and K1 are called equivalent keys.
  • (+) represents the XOR operator.
  • Expanded keys can be generated on the fly.
  • Scheduling units preferably satisfy these properties in a well-balanced manner, from the perspectives of security and implementation.
  • Examples of encryptions in which a complex non-linear function is introduced into the key scheduling part include CLEFIA (NPL 3: Sony Corporation, “The 128-bit Blockcipher CLEFIA Algorithm Specification”, Revision 1.0, 2007) and Camellia (NPL 4: Aoki, Ichikawa, Kanda, Matsui, Moriai, Nakajima, Tokita, “128-bit Block Encryption Camellia Algorithm Specification”, Version 2.0, 2001) among others.
  • These have a high level of security against attack methods such as related key attacks occurring in
  • AES is an example of encryption having a key scheduling part in which a comparatively simple non-linear function has been introduced in order to raise implementation performance, but it is known that AES is fragile against related key attacks (for cases of 192- and 256-bit keys).
  • One technique to further raise the implementation performance is a configuration that uses only a linear function, without a non-linear function.
  • A key scheduling part that divides the secret key data into multiple parts and only replaces them does not require many circuits, particularly when implemented in hardware, and so has a high level of implementation performance.
  • This kind of key scheduling part is called a replacement type key scheduling part.
  • the key scheduling part regarding the block encryption GOST (NPL 5: GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms, RFC 5830) has a structure to divide a 4n-bit secret key K into eight equal parts every (n/2) bits, and designate these in order as the round keys.
  • Because the key scheduling part can be configured as only a selector for each round, without any calculations on the secret key K, the number of circuits necessary to implement it as hardware is very small.
  • The GOST data structure is a Feistel structure in which the round key is XORed in before each F function, so it is known to be fragile against related key attacks, and it is also known that such an attack actually succeeds with a probability of one.
  • the round keys obtained from the secret key K0 are designated as RK0_1, RK0_2, ..., and RK0_R
  • the round keys obtained from the secret key K1 are designated as RK1_1, RK1_2, ..., and RK1_R
  • the difference between the secret key K0 and the secret key K1 is designated as the secret key difference Δ
  • the difference between each round key is designated as the round key difference δ_1, δ_2, ..., and δ_R.
  • each round key difference δ_i is not uniquely predetermined, and so attacks on the data encryption part are difficult.
  • each round key difference δ_i is that in which the secret key difference Δ is divided every m bits.
  • the input difference into the F function is zero by providing (d, d) as the plaintext difference as illustrated in FIG. 17 .
  • the output difference is always zero, and so the input difference into the next round function is (d, d).
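The related-key behaviour described above can be checked on a toy cipher; this Python sketch is an added example, not code from the patent. The 16-bit halves, 16 rounds, the F function and the difference value are constructed assumptions; the key parts are supplied in order and XORed in before F, as the page describes for GOST, and a second mode XORs the key with the F output for comparison.

```python
import random

MASK = 0xFFFF   # toy sizes (assumed): n = 32-bit block, (n/2) = 16-bit halves
D = 0x5A3C      # constructed non-zero difference d


def f_toy(x):
    """Constructed non-linear 16-bit F function; a stand-in, not GOST's."""
    x = (x * 0x9E37 + 0x79B9) & MASK
    x ^= x >> 7
    x = (x * (x | 1)) & MASK
    return x ^ (x >> 5)


def split_key(key):
    """Replacement-type schedule: cut the 4n-bit key into eight (n/2)-bit parts."""
    return [(key >> (16 * (7 - i))) & MASK for i in range(8)]


def encrypt(pt, key, rounds=16, key_before_f=True):
    """Two-line Feistel; the key parts are used in order as round keys."""
    parts = split_key(key)
    left, right = pt >> 16, pt & MASK
    for r in range(rounds):
        rk = parts[r % 8]
        if key_before_f:
            # Round key XORed into the F input (the weak placement).
            new = left ^ f_toy(right ^ rk)
        else:
            # Round key XORed with the F output instead.
            new = left ^ f_toy(right) ^ rk
        left, right = right, new
    return (left << 16) | right


def trail_hit_rate(key_before_f, trials=500, seed=1):
    """Fraction of random (P, K) for which E_K(P) xor E_{K^Delta}(P^(d,d)) == (d,d).

    Delta sets every round key difference to d, so the F input difference
    cancels to zero when the key is mixed in before F.
    """
    rng = random.Random(seed)
    key_delta = sum(D << (16 * i) for i in range(8))
    pt_delta = (D << 16) | D
    hits = 0
    for _ in range(trials):
        key, pt = rng.getrandbits(128), rng.getrandbits(32)
        c0 = encrypt(pt, key, key_before_f=key_before_f)
        c1 = encrypt(pt ^ pt_delta, key ^ key_delta, key_before_f=key_before_f)
        hits += (c0 ^ c1) == pt_delta
    return hits / trials


if __name__ == "__main__":
    print("key before F:", trail_hit_rate(True))
    print("key after F: ", trail_hit_rate(False))
```

The second mode shows only that this one differential trail stops holding with certainty; it is not a measure of the cipher's overall resistance.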
  • KASUMI NPL 6: 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, 3G Security, Specification of the 3GPP Confidentiality and Integrity Algorithms; Document 2: KASUMI Specification, V9.0.0, 2009) is an example of an encryption having another kind of replacement type key scheduling part.
  • the present method first divides the secret key K into multiple equal parts, and supplies these to the data encryption part according to the following techniques.
  • a high level of implementation performance can be expected similar to that of the related art by using a replacement type key scheduling part.
  • This sequence is linked to the bit length and number of divisions of the secret key K and the structure of the data encryption part, and so it is necessary to design the key scheduling part for each data encryption part structure.
  • the length of one round key is (n/2) bits
  • The secret key K is divided into four equal parts of (n/2) bits when the key is 2n bits, and these parts are supplied shuffled every four rounds.
  • FIG. 21 illustrates this setting.
  • the secret key K is 2n-bit key data.
  • This 2n-bit secret key K is divided into four equal parts, and four round keys K1, K2, K3, and K4 are generated.
  • the four round keys K1, K2, K3, and K4 are (n/2)-bit key data.
  • In the first four rounds, as illustrated in FIG. 21, the round keys K1 through K4 are input and applied to rounds R1 through R4 in the following sequence.
  • An example of this is the configuration illustrated in FIG. 22.
  • the secret key K is 2n-bit key data.
  • This 2n-bit secret key K is divided into eight equal parts, and eight keys K1, K2, K3, K4, K5, K6, K7, and K8 are generated.
  • the eight keys K1 through K8 are (n/4)-bit key data.
  • (n/2)-bit round keys KxKy, each formed by combining two keys selected from the eight keys K1 through K8, are used in a sequence that differs for each unit, where one unit is four rounds.
  • In the first four rounds, as illustrated in FIG. 22, the round keys KxKy, formed as combinations of the key data K1 through K8, are input and applied to rounds R1 through R4 in the following sequence.
  • The secret key K is divided into eight equal parts of (n/2) bits each when the length is 4n bits, and these parts are supplied while being shuffled every eight rounds.
  • An example of this is the configuration illustrated in FIG. 23.
  • the secret key K is 4n-bit key data.
  • This 4n-bit secret key K is divided into eight equal parts, and eight round keys K1, K2, K3, K4, K5, K6, K7, and K8 are generated.
  • the eight round keys K1 through K8 are (n/2)-bit key data.
  • In the first eight rounds, as illustrated in FIG. 23, the round keys are input and applied to rounds R1 through R8 in the following sequence.
  • the round keys are two units of (n/4) bits.
  • When the secret key K is 2n bits, it is divided into eight equal parts of (n/4) bits each, and two units of (n/4) bits are supplied while being shuffled every four rounds.
  • An example of this configuration is illustrated in FIG. 24.
  • the secret key K is 2n-bit key data.
  • This 2n-bit secret key K is divided into eight equal parts, and eight round keys K1, K2, K3, K4, K5, K6, K7, and K8 are generated.
  • the eight round keys K1 through K8 are (n/4)-bit key data.
  • Two round keys selected from these eight round keys K1 through K8 are used in a sequence different for each unit in which one unit is four rounds.
  • In the first four rounds, as illustrated in FIG. 24, two round keys are input and applied to rounds R1 through R4 in the following sequence.
  • Round R1: round key K1 and round key K2
  • Round R2: round key K3 and round key K4
  • Round R3: round key K5 and round key K6
  • Round R4: round key K7 and round key K8
  • Round R5: round key K5 and round key K1
  • Round R6: round key K2 and round key K6
  • Round R7: round key K7 and round key K3
  • Round R8: round key K4 and round key K8
  • Round R9: round key K7 and round key K5
  • Round R10: round key K1 and round key K3
  • Round R11: round key K4 and round key K2
  • Round R12: round key K6 and round key K8
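As an added illustration (not code from the patent), the sketch below drives a toy four-line generalized Feistel cipher with the FIG. 24 key supply order listed above and checks that every unit of four rounds consumes all eight key parts in a different order. The 16-bit line size, the F function, the cyclic-shift direction, and feeding the first listed key to the left F function are assumptions; the round key is XORed with the F function output, as the disclosure describes.

```python
MASK = 0xFFFF  # toy sizes (assumed): n = 64-bit block, four 16-bit lines, 2n = 128-bit key

# Key-part indices per round, copied from the FIG. 24 listing (R1..R12).
FIG24_ORDER = [(1, 2), (3, 4), (5, 6), (7, 8),
               (5, 1), (2, 6), (7, 3), (4, 8),
               (7, 5), (1, 3), (4, 2), (6, 8)]


def f_toy(x):
    """Constructed 16-bit non-linear function standing in for the F function."""
    x = (x * x + 0x3B1D * x + 0x00A5) & MASK
    return x ^ (x >> 6)


def key_parts(key):
    """Divide the 2n-bit secret key into eight (n/4)-bit parts K1..K8."""
    return {i + 1: (key >> (16 * (7 - i))) & MASK for i in range(8)}


def round_keys(key):
    """Selector only: pick two stored parts per round, no computation on the key."""
    k = key_parts(key)
    return [(k[a], k[b]) for a, b in FIG24_ORDER]


def _split(block):
    return [(block >> s) & MASK for s in (48, 32, 16, 0)]


def _join(x):
    return (x[0] << 48) | (x[1] << 32) | (x[2] << 16) | x[3]


def encrypt(block, key):
    x = _split(block)
    for rk_left, rk_right in round_keys(key):
        y1 = x[1] ^ f_toy(x[0]) ^ rk_left    # key applied to the F output
        y3 = x[3] ^ f_toy(x[2]) ^ rk_right
        x = [y1, x[2], y3, x[0]]             # cyclic shift between rounds
    return _join(x)


def decrypt(block, key):
    x = _split(block)
    for rk_left, rk_right in reversed(round_keys(key)):
        x0, x2 = x[3], x[1]                  # undo the cyclic shift
        x = [x0, x[0] ^ f_toy(x0) ^ rk_left, x2, x[2] ^ f_toy(x2) ^ rk_right]
    return _join(x)


def units():
    """Key-part indices consumed by each unit of four rounds, in supply order."""
    flat = [i for pair in FIG24_ORDER for i in pair]
    return [flat[u:u + 8] for u in range(0, len(flat), 8)]


if __name__ == "__main__":
    key = 0x00010002000300040005000600070008   # constructed: part Ki holds the value i
    pt = 0x0123456789ABCDEF                    # constructed plaintext block
    ct = encrypt(pt, key)
    print(hex(ct), decrypt(ct, key) == pt)
    for u in units():
        print(u, sorted(u) == list(range(1, 9)))
```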
  • An example of this configuration is illustrated in FIG. 25.
  • the secret key K is 2n-bit key data.
  • This 2n-bit secret key K is divided into eight equal parts, and eight round keys K1, K2, K3, K4, K5, K6, K7, and K8 are generated.
  • the eight round keys K1 through K8 are (n/4)-bit key data.
  • Two round keys selected from these eight round keys K1 through K8 are used in a sequence different for each unit in which one unit is four rounds.
  • the round keys K1 through K4 are applied to the left side F function in each round regarding the Feistel structure with 4 data lines, and the round keys K5 through K8 are applied to the right side F function for each round regarding the Feistel structure with 4 data lines.
  • the first four rounds as illustrated in FIG. 25 two round keys are input and applied by the following sequence regarding R1 through R4.
  • Round R1 round key K1 and round key K5
  • Round R2 round key K2 and round key K6
  • Round R3 round key K3 and round key K7
  • Round R4 round key K7 and round key K8
  • Round R5 round key K2 and round key K5
  • Round R6 round key K4 and round key K8
  • Round R7 round key K1 and round key K6
  • Round R8 round key K3 and round key K7
  • Round R9 round key K4 and round key K5
  • Round R10 round key K3 and round key K7
  • Round R11 round key K2 and round key K8
  • Round R12 round key K1 and round key K6
  • The key scheduling part of the present method is also valid for models in which the cyclic shift is modified to a round permutation (generalized Feistel+ with 4 data lines).
  • The basic configuration illustrated in FIG. 26 is a d-line generalized Feistel structure in which n-bit input data is divided into d units of n/d bits each, F function processing and XOR processing are performed on these units, and the calculation with the round keys is performed on the output of the F function.
  • The data sequence input into the F function is designated the F function input side data sequence.
  • The n/d-bit data transferred in each sequence is further divided into d/2 units (in this case, the division does not have to be an equal division).
  • The data divided into d/2 units is combined into one unit of data.
  • The key scheduling part according to the present method is also valid for a model (generalized Feistel+ with 4 data lines) in which this cyclic shift has been modified to a round permutation.
  • FIG. 27, which uses a shuffling technique similar to that in FIG. 25, is a suitable example.
  • The secret key K is 2n-bit key data.
  • This 2n-bit secret key K is divided into eight equal parts, and eight round keys K1, K2, K3, K4, K5, K6, K7, and K8 are generated.
  • The eight round keys K1 through K8 are (n/4)-bit key data.
  • Two round keys selected from these eight round keys K1 through K8 are used in a sequence that differs for each unit, where one unit is four rounds.
  • Two of the round keys selected from the round keys K1 through K8 are applied to the two F functions in each round of the generalized Feistel+ structure with 4 data lines, in which the cyclic shift has been modified to a round permutation.
  • In the first four rounds, as illustrated in FIG. 27, two round keys are input and applied in the following sequence for R1 through R4.
  • Round R1 round key K1 and round key K5
  • Round R2 round key K2 and round key K6
  • Round R3 round key K3 and round key K7
  • Round R4 round key K7 and round key K8
  • Round R5 round key K2 and round key K5
  • Round R6 round key K4 and round key K8
  • Round R7 round key K1 and round key K6
  • Round R8 round key K3 and round key K7
  • Round R9 round key K4 and round key K5
  • Round R10 round key K3 and round key K7
  • Round R11 round key K2 and round key K8
  • Round R12 round key K1 and round key K6
  • FIG. 28 illustrates a configuration method of a key scheduling part when the secret key is (5n/4) bits, and the round keys necessary for one round are (n/2) bits.
  • The secret key K is (5/4)n-bit key data.
  • The replacement type key scheduling part generates five round keys K1, K2, K3, K4, and K5, each equivalent to the bit length of the round key, on the basis of this (5/4)n-bit key data.
  • Two round keys selected from these round keys K1 through K5 are input to the two F functions as the round keys applied to each round.
  • In the first five rounds, as illustrated in FIG. 28, two round keys are input and applied in the following sequence for R1 through R5.
  • Round R1 round key K3 and round key K4
  • Round R2 round key K1 and round key K2
  • Round R3 round key K3 and round key K4
  • Round R4 round key K5 and round key K5
  • Round R5 round key K1 and round key K2
  • Difference attacks (differential attacks) are attacks that exploit a difference propagating from some input difference to some output difference with a high probability. That is to say, when considering security, it is necessary to show that no combination of input difference and output difference is propagated with a high probability.
  • Such a difference probability is known to decrease only through a non-linear function (F function) to which a non-zero input difference is provided.
  • A non-linear function (F function) to which a non-zero input difference is provided is defined as an active F function.
  • The number of active F functions is closely related to the level of security against difference attacks, and so a configuration can be thought of as sufficiently secure if there are many active F functions for a given input difference.
  • The number of active F functions can be determined once an input difference is determined. It follows that, when considering security against difference attacks, it is necessary to determine how many active F functions are obtained for each kind of input difference provided.
  • The minimum of the number of active F functions over each kind of such input difference is defined as the minimum active F function number.
  • Table 1 illustrates the minimum active F function number corresponding to the number of rounds, taking the related key difference into consideration, when the method according to the related art is adopted such that the round keys are simply input in order as illustrated in FIG. 29.
  • Table 2 illustrates the minimum active F function number corresponding to the number of rounds, taking the related key difference into consideration, for the processing according to the present disclosure as illustrated in FIG. 24, for example, in a generalized Feistel structure with 4 data lines such as that illustrated in FIG. 20; that is to say, for a replacement type key scheduling part in which processing to change the input key sequence is performed at a predetermined round unit.
  • With the processing according to the present disclosure, that is to say, with the replacement type key scheduling part, it is understood that a larger number of active F functions can be ensured than with the method of the related art, which does not perform this kind of key shuffling, by implementing a configuration in which the processing to change the input key sequence is performed at a predetermined round unit.
  • With the processing according to the present disclosure, that is to say, with the replacement type key scheduling part, it is understood that a larger number of active F functions can be ensured than with the method of the related art, which does not perform this kind of key shuffling, by implementing a configuration in which the processing to change the input key sequence is performed at a predetermined round unit, and an encryption processing configuration with high security can be realized with few rounds.
  • The number of (n/d)-bit round keys generally used for one round is (d/2) units, as illustrated in FIG. 31.
  • The generation and input of the round keys as described below are executed depending on the length of the secret key forming the basis for generating the round keys.
  • For example, n/4-bit round keys are generated by dividing the n-bit secret key into four equal parts, and two are input for each round, as illustrated in FIG. 32.
  • For example, n/4-bit round keys are generated by dividing the n-bit secret key into five equal parts, and two are input for each round, as illustrated in FIG. 33 and FIG. 34.
  • Key replacement is performed every two rounds in a configuration using four round keys K1, K2, K3, and K4 obtained by dividing the n-bit secret key into four equal parts as illustrated in FIG. 32; that is to say, the key supply sequence is changed every two rounds.
  • The secret key K is n-bit key data.
  • The four round keys K1, K2, K3, and K4 are (n/4)-bit key data.
  • In the first two rounds, as illustrated in FIG. 21, two of the round keys K1 through K4 are input and applied in the following sequence for R1 through R2.
  • Round R1 round key K1 and round key K2
  • Round R2 round key K3 and round key K4
  • Round R3 round key K3 and round key K1
  • Round R4 round key K4 and round key K2
  • Round R5 round key K4 and round key K3
  • Round R6 round key K2 and round key K1
  • Round R7 round key K2 and round key K4
  • Round R8 round key K1 and round key K3
  • Round R9 round key K1 and round key K2
  • Round R10 round key K3 and round key K4
  • The secret key K is (5/4)n-bit key data.
  • The replacement type key scheduling part generates the five round keys K1, K2, K3, K4, and K5, each corresponding to the bit length of the round key, based on this (5/4)n-bit key data.
  • Two round keys selected from these round keys K1 through K5 are input to the two F functions as the round keys applied to each round.
  • In the first five rounds, as illustrated in FIG. 33, two round keys are input and applied in the following sequence for R1 through R5.
  • Round R1 round key K1 and round key K2
  • Round R2 round key K3 and round key K4
  • Round R3 round key K5 and round key K5
  • Round R4 round key K2 and round key K3
  • Round R5 round key K3 and round key K4
  • The key supply is performed in the order K1, K2, K3, K4, K5, K5, K5, K1, K2, K3, . . . .
  • For example, in a setting in which the number of necessary key replacements is m′ (>1) for m rounds, the configuration may perform processing to change the key selection sequence without performing more than two key replacements.
  • The key supply processing sequence illustrated in FIG. 33 and the key supply processing sequence illustrated in FIG. 34 are exactly the same.
  • Round R1 round key K1 and round key K2
  • Round R2 round key K3 and round key K4
  • Round R3 round key K5 and round key K5
  • Round R4 round key K2 and round key K3
  • Round R5 round key K3 and round key K4
  • Round R1 round key K1 and round key K2
  • Round R2 round key K3 and round key K4
  • Round R3 round key K5 and round key K6
  • Round R4 round key K7 and round key K8
  • Round R5 round key K5 and round key K1
  • Round R6 round key K2 and round key K6
  • Round R7 round key K7 and round key K3
  • Round R8 round key K4 and round key K8
  • Round R9 round key K7 and round key K5
  • Round R10 round key K1 and round key K3
  • Round R11 round key K4 and round key K2
  • Round R12 round key K6 and round key K8
  • The round key supply configuration described with reference to FIG. 24 and the key supply processing sequence illustrated in FIG. 35 are configurations that apply a different round key input sequence in each unit, where one unit is four rounds.
  • The same form of key replacement is performed every four rounds when the key length is 2n bits and the key is divided into eight equal parts.
  • The replacement processing executed in 4-round units may be set to take a different form every time, as illustrated in FIG. 36, for example.
  • The key supply sequence according to the configuration illustrated in FIG. 36 is as follows. In the first four rounds, two round keys are input and applied in the following sequence for R1 through R4.
  • Round R1 round key K1 and round key K2
  • Round R2 round key K3 and round key K4
  • Round R3 round key K5 and round key K6
  • Round R4 round key K7 and round key K8
  • Round R5 round key K5 and round key K1
  • Round R6 round key K2 and round key K6
  • Round R7 round key K7 and round key K3
  • Round R8 round key K4 and round key K8
  • Round R9 round key K8 and round key K5
  • Round R10 round key K7 and round key K3
  • Round R11 round key K1 and round key K2
  • Round R12 round key K4 and round key K6
  • The key supply sequence illustrated in FIG. 36 is the same as the key supply sequence illustrated in FIG. 24 for rounds 1 through 4 and rounds 5 through 8, but the sequence differs from round 9 onward.
  • In the setting illustrated in FIG. 24, the key replacement executed by the replacement type key scheduling part, that is to say, the key shuffling processing, is executed with the same setting in each 4-round unit, whereas in the configuration illustrated in FIG. 36, the key replacement by the replacement type key scheduling part, that is to say, the key shuffling processing, is executed with a different setting in each 4-round unit.
  • A configuration using only six keys over three rounds and performing replacement every three rounds, as illustrated in FIG. 38, is also possible.
  • The key supply sequence according to the configuration illustrated in FIG. 38 is as follows. In the first three rounds, two round keys are input and applied in the following sequence for R1 through R3.
  • Round R1 round key K1 and round key K2
  • Round R2 round key K3 and round key K4
  • Round R3 round key K5 and round key K6
  • Round R4 round key K7 and round key K3
  • Round R5 round key K8 and round key K1
  • Round R6 round key K2 and round key K4
  • Round R7 round key K6 and round key K8
  • Round R8 round key K5 and round key K7
  • Round R9 round key K3 and round key K1
  • Round R10 round key K4 and round key K5
  • Round R11 round key K2 and round key K6
  • Round R12 round key K8 and round key K7
  • This example designates a configuration in which the same pattern of key replacement is repeated in 3-round units.
  • The round key supply configuration described with reference to FIG. 38 is exactly the same as the key supply processing sequence illustrated in FIG. 39.
  • The round key supply method according to the present disclosure is similar to the method according to the related art in that implementation efficiency is high, because the processing is executed by a replacement type key scheduling part.
  • a configuration including two selectors of replacement type key scheduling part is designated, and the groups of the four previously described round keys, regarding each selector, that is to say,
  • n/4-bit round keys K1, K2, K3, K4, and K5 are generated from the secret key K of (5/4)n bits.
  • The first selector executes a key selection of K1, K2, and K3, and the second selector executes a key selection of K3, K4, and K5.
  • The encryption processing devices for executing the encryption processing in accordance with the previously described embodiments can be installed in various information processing devices executing encryption processing. Specifically, they can be used in the various cases in which encryption processing is executed along with data processing and communication processing by devices such as PCs, TVs, recorders, players, communication devices, RFIDs, smart cards, sensor network devices, battery/battery authentication modules, health and medical devices, independent network devices, etc.
  • FIG. 43 illustrates an example configuration of an IC module 700 as an example of a device executing the encryption processing according to the present disclosure.
  • The previously described processing can be executed in various information processing devices such as PCs, IC cards, reader-writers, and others, and the IC module 700 illustrated in FIG. 43 can be configured in these various devices.
  • A CPU (Central Processing Unit) 701 illustrated in FIG. 43 is a processor executing various programs such as the starting and termination of the encryption processing, control of data transmission and reception, data transfer control between each configuration element, and others.
  • A memory 702 is made up of ROM (Read Only Memory), which stores fixed data such as the program executed by the CPU 701, calculation parameters, and so on, and RAM (Random Access Memory), which is used as a work region and storage area for the program executed in the processing of the CPU 701 and for parameters that change as appropriate during the processing of the program.
  • The memory 702 can be used as a storage region for data such as the conversion matrices and conversion tables (replacement tables) applied during the encryption processing, and for key data necessary during encryption processing.
  • The data storage region is desirably configured as memory having a tamper-resistant structure.
  • An encryption processing part 703 executes encryption processing and decryption processing in accordance with the shared key block encryption processing algorithm applying the previously described encryption processing configurations, that is to say, for example, generalized Feistel structures or Feistel structures.
  • Instead of provisioning the encryption processing means as this kind of independent encryption processing module, a configuration can be implemented in which an encryption processing program is stored in ROM, for example, and the CPU 701 reads out and executes the program stored in ROM.
  • A random number generator 704 executes the random number generation processing necessary for generating the keys needed during encryption processing.
  • A transmission/reception unit 705 is a data communication processing unit that executes data communication with external devices; for example, it executes data communication with IC modules such as reader-writers, outputs ciphertext generated within the IC module, and inputs data from external reader-writers and so on.
  • The encryption processing device described in the previously described embodiments is applicable not only to encryption processing that encrypts plaintext as input data, but also to decryption processing that decodes ciphertext as input data back to plaintext.
  • An encryption processing device comprising:
  • an encryption processing part configured to divide configuration bits of data to be data processed into a plurality of lines, and to input, and to repeatedly execute data conversion processing applying a round function to each line of data as a round calculation;
  • a key scheduling part configured to output round keys to a round calculation executing unit in the encryption processing part
  • the key scheduling part is a replacement type key scheduling part configured to generate a plurality of round keys or round key configuration data by dividing a secret key stored beforehand into a plurality of parts;
  • the encryption processing part includes an F function executing unit configured to input the data divided into multiple lines and includes a non-linear conversion processing and a linear conversion processing, and a calculating unit configured to execute calculations applying the round keys against the output of the F function executing unit.
  • the key scheduling part includes at least one selector configured to perform a selection supply processing of keys corresponding to the round calculation executing unit.
  • the key scheduling part sets multiple groups by classifying the multiple round keys or the round key configuration data, and performs control processing of the key supply sequence corresponding to the round calculation executing unit at units of the set groups.
  • A processing method executed in the previously described device and system, and a program executing this processing, are also included in the configuration of the present disclosure.
  • A portion of the processing described in this specification can be executed as hardware, software, or a combination of the two.
  • A program in which the processing sequence is recorded can be installed and executed in memory within a computer built into specialized hardware, or the program can be installed and executed in a general-purpose computer capable of executing the various processing.
  • The program can be recorded onto a recording medium beforehand.
  • The program can be received via a network such as a LAN (Local Area Network) or the Internet, and can be installed to a recording medium such as an internal hard disk.
  • The various processing disclosed in this specification can not only be executed in time series as described, but can also be executed in parallel or individually as necessary or depending on the processing performance of the device executing the processing.
  • The system in the present specification is a logical combination configuration of multiple devices, and so the devices of each configuration are not limited to being housed within the same physical unit.
  • An encryption processing device with a high level of security is achieved by a supply control of round keys.
  • an encryption processing part configured to divide and input configuration bits of data to be data processed into multiple lines, and to repeatedly execute data conversion processing applying a round function to each line of data as a round calculation
  • a key scheduling part configured to output round keys to a round calculation executing unit in the encryption processing part
  • the key scheduling part is a replacement type key scheduling part configured to generate a plurality of round keys by dividing a secret key stored beforehand into multiple parts, in which the generated multiple round keys are output to a round calculation executing unit sequentially executing in an encryption processing part at a setting such that a constant sequence is not repeated.
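The supply sequences listed above for the eight-key case (2n-bit key, FIG. 24) and the four-key case (n-bit key, replacement every two rounds) can each be produced by applying one fixed position permutation per unit. The following Python sketch is an added example, not code from the patent: the permutation tuples are an assumption read off the round lists on this page, and all function names are hypothetical.

```python
"""Replacement-type key schedule: split the secret key once, then only reorder the parts."""

# Position permutations derived from the round lists on this page (assumption: the
# figures are not reproduced here). Entry i names the old position (1-based) whose
# key moves to position i when one unit of rounds ends.
PERM_8_KEYS = (5, 1, 2, 6, 7, 3, 4, 8)  # eight keys, reordered every four rounds
PERM_4_KEYS = (3, 1, 4, 2)              # four keys, reordered every two rounds


def split_key(secret: bytes, parts: int) -> list[bytes]:
    """Divide the secret key into `parts` equal pieces K1..Kparts."""
    if parts <= 0 or len(secret) % parts:
        raise ValueError("key length must be a multiple of the number of parts")
    size = len(secret) // parts
    return [secret[i * size:(i + 1) * size] for i in range(parts)]


def _check_perm(perm) -> None:
    """Reject anything that is not a permutation of 1..len(perm) with even length."""
    if len(perm) % 2 or sorted(perm) != list(range(1, len(perm) + 1)):
        raise ValueError("perm must be an even-length permutation of 1..len(perm)")


def supply_order(perm, rounds: int) -> list[tuple[int, int]]:
    """Return the 1-based indices of the two round keys supplied to each round."""
    _check_perm(perm)
    order = list(range(1, len(perm) + 1))
    out: list[tuple[int, int]] = []
    while len(out) < rounds:
        # One unit: hand out the current ordering two keys at a time.
        out.extend((order[i], order[i + 1]) for i in range(0, len(order), 2))
        # The replacement step: reorder positions, no arithmetic on key bits.
        order = [order[p - 1] for p in perm]
    return out[:rounds]


def round_keys(secret: bytes, perm, rounds: int) -> list[tuple[bytes, bytes]]:
    """Return the actual key material for each round."""
    parts = split_key(secret, len(perm))
    return [(parts[a - 1], parts[b - 1]) for a, b in supply_order(perm, rounds)]


def period_in_rounds(perm) -> int:
    """Number of rounds after which the supply sequence repeats from R1."""
    _check_perm(perm)
    start = list(range(1, len(perm) + 1))
    order, units = [start[p - 1] for p in perm], 1
    while order != start:
        order = [order[p - 1] for p in perm]
        units += 1
    return units * (len(perm) // 2)


if __name__ == "__main__":
    sample_key = bytes(range(16))  # constructed 128-bit key (2n bits for n = 64)
    keys = round_keys(sample_key, PERM_8_KEYS, 12)
    for r, ((a, b), (ka, kb)) in enumerate(zip(supply_order(PERM_8_KEYS, 12), keys), 1):
        print(f"R{r}: K{a}={ka.hex()} K{b}={kb.hex()}")
    print("eight-key sequence repeats after", period_in_rounds(PERM_8_KEYS), "rounds")
```

With an identity permutation, which corresponds to supplying the keys simply in order, the sequence repeats after a single unit; with the eight-key permutation above it takes 28 rounds to return to the starting order.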
US14/002,462 2011-03-28 2012-02-20 Encryption processing device, encryption processing method, and program Expired - Fee Related US9270458B2 (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
JP2011069185 2011-03-28
JP2011-069185 2011-03-28
JP2011207705A JP5682527B2 (ja) 2011-03-28 2011-09-22 Encryption processing device, encryption processing method, and program
JP2011-207705 2011-09-22
PCT/JP2012/053933 WO2012132623A1 (ja) 2011-03-28 2012-02-20 Encryption processing device, encryption processing method, and program

Publications (2)

Publication Number Publication Date
US20130343546A1 US20130343546A1 (en) 2013-12-26
US9270458B2 true US9270458B2 (en) 2016-02-23

Family

ID=46930384

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/002,462 Expired - Fee Related US9270458B2 (en) 2011-03-28 2012-02-20 Encryption processing device, encryption processing method, and program

Country Status (8)

Country Link
US (1) US9270458B2 (ja)
EP (1) EP2693684B1 (ja)
JP (1) JP5682527B2 (ja)
CN (1) CN103621007A (ja)
BR (1) BR112013024231A2 (ja)
RU (1) RU2013142993A (ja)
TW (1) TW201251412A (ja)
WO (1) WO2012132623A1 (ja)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2675435C1 (ru) * 2016-02-25 2018-12-20 Федеральное государственное казенное военное образовательное учреждение высшего образования "Военный учебно-научный центр Военно-Морского Флота "Военно-морская академия имени Адмирала флота Советского Союза Н.Г. Кузнецова" Device for hardware encryption and data transmission in local area networks
US10389007B1 (en) * 2018-06-11 2019-08-20 Lg Electronics Inc. Mobile terminal
US20210320792A1 (en) * 2018-08-28 2021-10-14 Siemens Aktiengesellschaft Method for Storing Key Data in an Electronic Component
US11269993B2 (en) * 2017-08-10 2022-03-08 Sony Corporation Encryption device, encryption method, decryption device, and decryption method

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
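JP5871827B2 (ja) * 2013-01-11 2016-03-01 日本電信電話株式会社 Security enhancement system, security enhancement device, verification device, and program
KR101516574B1 (ko) * 2014-02-21 2015-05-04 한국전자통신연구원 Variable-length block cipher apparatus and method for format-preserving encryption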
WO2015142765A1 (en) 2014-03-17 2015-09-24 Coinbase, Inc Bitcoin host computer system
US9515818B2 (en) * 2014-09-16 2016-12-06 Apple Inc. Multi-block cryptographic operation
US9735958B2 (en) * 2015-05-19 2017-08-15 Coinbase, Inc. Key ceremony of a security system forming part of a host computer for cryptographic transactions
US20180150836A1 (en) * 2016-11-29 2018-05-31 Ca, Inc. Generating tokens dynamically using payment keys
CN110785960B (zh) * 2017-06-27 2023-06-20 三菱电机株式会社 Code generation device, code generation method, and computer-readable storage medium
WO2019204426A1 (en) * 2018-04-17 2019-10-24 Coinbase, Inc. Offline storage system and method of use
US11394543B2 (en) 2018-12-13 2022-07-19 Coinbase, Inc. System and method for secure sensitive data storage and recovery
US10903991B1 (en) 2019-08-01 2021-01-26 Coinbase, Inc. Systems and methods for generating signatures
WO2021076868A1 (en) * 2019-10-16 2021-04-22 Coinbase, Inc. Systems and methods for re-using cold storage keys
JP2023022525A (ja) * 2021-08-03 2023-02-15 Kddi株式会社 Encryption device, encryption method, and encryption program

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997009705A1 (fr) 1995-09-05 1997-03-13 Mitsubishi Denki Kabushiki Kaisha Data conversion apparatus and data conversion method
US20040049687A1 (en) * 1999-09-20 2004-03-11 Orsini Rick L. Secure data parser method and system
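JP2008051829A (ja) 2006-07-28 2008-03-06 Sony Corp Cryptographic processing apparatus, cryptographic-processing-algorithm constructing method, and cryptographic processing method, and computer program
JP2008145791A (ja) 2006-12-11 2008-06-26 Sony Corp Cryptographic processing apparatus, cryptographic processing method, and computer program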
US20090010425A1 (en) 2006-01-24 2009-01-08 Sony Corporation Encryption/decryption device, encryption/decryption device manufacturing device, and method, and computer program
US7747011B2 (en) * 2004-09-03 2010-06-29 Sony Corporation Encryption device, encryption method, and computer program
US7881466B2 (en) * 2004-10-28 2011-02-01 Irdeto B.V. Method and system for obfuscating a cryptographic function
US8073140B2 (en) * 2006-01-17 2011-12-06 Sony Corporation Encryption/decryption device, encryption/decryption method, and computer program

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997009705A1 (fr) 1995-09-05 1997-03-13 Mitsubishi Denki Kabushiki Kaisha Data conversion apparatus and data conversion method
US20040049687A1 (en) * 1999-09-20 2004-03-11 Orsini Rick L. Secure data parser method and system
US7747011B2 (en) * 2004-09-03 2010-06-29 Sony Corporation Encryption device, encryption method, and computer program
US7881466B2 (en) * 2004-10-28 2011-02-01 Irdeto B.V. Method and system for obfuscating a cryptographic function
US8073140B2 (en) * 2006-01-17 2011-12-06 Sony Corporation Encryption/decryption device, encryption/decryption method, and computer program
US20090010425A1 (en) 2006-01-24 2009-01-08 Sony Corporation Encryption/decryption device, encryption/decryption device manufacturing device, and method, and computer program
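JP2008051829A (ja) 2006-07-28 2008-03-06 Sony Corp Cryptographic processing apparatus, cryptographic-processing-algorithm constructing method, and cryptographic processing method, and computer program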
US20100061548A1 (en) * 2006-07-28 2010-03-11 Taizo Shirai Cryptographic processing apparatus, cryptographic-processing-algorithm constructing method, and cryptographic processing method, and computer program
US8295478B2 (en) * 2006-07-28 2012-10-23 Sony Corporation Cryptographic processing apparatus, algorithm constructing method, processing method, and computer program applying an extended feistel structure
JP2008145791A (ja) 2006-12-11 2008-06-26 Sony Corp Cryptographic processing apparatus, cryptographic processing method, and computer program
US8737603B2 (en) * 2006-12-11 2014-05-27 Sony Corporation Cryptographic processing apparatus, cryptographic processing method, and computer program

Non-Patent Citations (22)

* Cited by examiner, † Cited by third party
Title
"GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms", V. Dolmatov, Ed., Cryptocom, Ltd., ISSN: 2070-1721, Mar. 2010, 19 pages.
"The 128-bit Blockcipher CLEFIA: Algorithm Specification", Sony Corporation, Revision 1.0, Jun. 1, 2007, 41 pages.
"Universal Mobile Telecommunications System (UMTS); LTE; Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi specification (3GPP TS 35.202 version 9.0.0 Release 9)" ETSI TS 135 202 V9.0.0 (Feb. 2010), XP014045969, Feb. 1, 2010, 26 Pages.
3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the 3GPP Confidentiality and Integrity Algorithms; Document 2: KASUMI Specification (Release 9), 3GPP TS 35.202 V9.0.0 (Dec. 2009), 2009, 24 pages.
Extended European Search Report issued Feb. 20, 2015 in Patent Application No. 12765375.6.
Haruki Seki et al., Differential Cryptanalysis of CAST-256 Reduced to Nine Quad-Rounds, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E84-A No. 4 (Apr. 2001). *
International Search Report issued Apr. 3, 2012 in Application No. PCT/JP2012/053933.
Kaisa Nyberg, "Generalized Feistel Networks", Advances in Cryptology-ASIACRYPT'96, Lecture Notes in Computer Science, vol. 1163, 1996, pp. 91-104.
Kazumaro Aoki, et al., "Specification of Camellia-a 128-bit Block Cipher", Nippon Telegraph and Telephone & Mitsubishi Electric Corporations, Version 1.0: Jul. 12, 2000, Version 2.0: Sep. 26, 2001, 35 pages.
Kyoji Shibutani, et al., "Piccolo: An Ultra-Lightweight Blockcipher", Lecture Notes in Computer Science, vol. 6917, Sep. 27, 2011, pp. 342-357.
Lawrie Brown, et al., "Introducing the new LOKI97 Block Cipher" Retrieved from the Internet: URL:http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=C2B792B35E02A510DB42AE53F0EF82B4?doi=10.1.1.26.6958&rep=rep1&type=pdf [retrieved on Feb. 9, 2015], XP055168204, Jun. 12, 1998, 22 Pages.
Office Action issued Oct. 21, 2014 in Japanese Patent Application No. 2011-207705 (with English language translation).
Panasayya Yalla, et al., "Compact FPGA Implementation of Camellia" International Conference on Field Programmable Logic and Applications, XP031534082, Aug. 31, 2009, pp. 658-661.
Ralph C. Merkle, "Fast Software Encryption Functions" Advances in Cryptology-CRYPTO '90 Proceedings Lecture Notes in Computer Science, vol. 537, XP047288201, 1991, pp. 477-501.
Ronald L. Rivest, et al., "The RC6(TM) Block Cipher" First Advanced Encryption Standard (AES) Conference, Retrieved from the Internet: URL:http://people.csail.mit.edu/rivest/Rc6.pdf [retrieved on Aug. 27, 2009] XP002543314, Aug. 20, 1998, 21 Pages.
U.S. Appl. No. 14/002,379, filed Aug. 30, 2013, Shibutani, et al.
U.S. Appl. No. 14/005,663, filed Sep. 17, 2013, Shibutani, et al.
U.S. Appl. No. 14/006,392, filed Sep. 20, 2013, Shibutani, et al.
Youngdai Ko, et al., "Related Key Differential Attacks on 27 Rounds of XTEA and Full-Round GOST" Lecture Notes in Computer Science, vol. 3017, 2004, pp. 299-316 and cover page.
Youngdai Ko, et al., "Related Key Differential Attacks on 27 Rounds of XTEA and Full-Round GOST", Lecture Notes in Computer Science, vol. 3017, Jul. 28, 2004, pp. 299-316.
Yuliang Zheng, et al., "On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses" Advances in Cryptology-CRYPT'89 Proceedings Lecture Notes in Computer Science, vol. 435, 1990, pp. 461-480.

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2675435C1 (ru) * 2016-02-25 2018-12-20 Федеральное государственное казенное военное образовательное учреждение высшего образования "Военный учебно-научный центр Военно-Морского Флота "Военно-морская академия имени Адмирала флота Советского Союза Н.Г. Кузнецова" Device for hardware encryption and data transmission in local area networks
US11269993B2 (en) * 2017-08-10 2022-03-08 Sony Corporation Encryption device, encryption method, decryption device, and decryption method
US10389007B1 (en) * 2018-06-11 2019-08-20 Lg Electronics Inc. Mobile terminal
US20210320792A1 (en) * 2018-08-28 2021-10-14 Siemens Aktiengesellschaft Method for Storing Key Data in an Electronic Component

Also Published As

Publication number Publication date
EP2693684A1 (en) 2014-02-05
CN103621007A (zh) 2014-03-05
US20130343546A1 (en) 2013-12-26
RU2013142993A (ru) 2015-03-27
EP2693684A4 (en) 2015-03-25
BR112013024231A2 (pt) 2016-12-20
WO2012132623A1 (ja) 2012-10-04
EP2693684B1 (en) 2018-11-07
TW201251412A (en) 2012-12-16
JP2012215816A (ja) 2012-11-08
JP5682527B2 (ja) 2015-03-11

Similar Documents

Publication Publication Date Title
US9270458B2 (en) Encryption processing device, encryption processing method, and program
Derbez et al. Improved key recovery attacks on reduced-round AES in the single-key setting
US8369516B2 (en) Encryption apparatus having common key encryption function and embedded apparatus
US8165288B2 (en) Cryptographic processing apparatus and cryptographic processing method, and computer program
US8787568B2 (en) Data transformation apparatus, data transformation method, and computer program
US9363074B2 (en) Encryption processing apparatus, encryption processing method, and computer program
US8396210B2 (en) Cryptographic processing apparatus and cryptographic processing method, and computer program
EP2693682B1 (en) Data processing device, data processing method, and programme
CA2827761C (en) Cryptographic processing device, cryptographic processing method, and program
US10103876B2 (en) System and method for multichannel cryptographic processing
US9418245B2 (en) Encryption processing device, encryption processing method, and program
Wu et al. JAMBU lightweight authenticated encryption mode and AES-JAMBU
Lu Cryptanalysis of block ciphers
Gruber et al. Persistent fault analysis of OCB, DEOXYS and COLM
Salameh A new symmetric-key block ciphering algorithm
Rabbaninejad et al. Cube and dynamic cube attacks on SIMON32/64
Jovanovic et al. Multi-stage fault attacks on block ciphers
RU2738321C1 (ru) Cryptographic transformation method and device for its implementation
Karmakar et al. DESIV: Differential fault analysis of SIV-Rijndael256 with a single fault
JP2010130353A (ja) Encryption processing device
JP2017207604A (ja) Matrix generation device, encryption device, and methods and programs therefor
Ramamoorthy Construction and Properties of Cryptographic S-Boxes—A Study

Legal Events

Date Code Title Description
AS Assignment

Owner name: SONY CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SHIBUTANI, KYOJI;MITSUDA, ATSUSHI;AKISHITA, TORU;AND OTHERS;REEL/FRAME:031118/0300

Effective date: 20130808

ZAAA Notice of allowance and fees due

Free format text: ORIGINAL CODE: NOA

ZAAB Notice of allowance mailed

Free format text: ORIGINAL CODE: MN/=.

ZAAA Notice of allowance and fees due

Free format text: ORIGINAL CODE: NOA

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362