WO1999000783A1 - Dispositif de chiffrement - Google Patents
Dispositif de chiffrement Download PDFInfo
- Publication number
- WO1999000783A1 WO1999000783A1 PCT/JP1998/002915 JP9802915W WO9900783A1 WO 1999000783 A1 WO1999000783 A1 WO 1999000783A1 JP 9802915 W JP9802915 W JP 9802915W WO 9900783 A1 WO9900783 A1 WO 9900783A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- unit
- linear
- key
- exclusive
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
- H04L2209/125—Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
Definitions
- the present invention relates to an encryption device for concealing data in data communication or holding, and in particular, to an encryption device using a common key encryption method for encrypting or decrypting data in block units under control of a secret key. It is about.
- FIG. 1 shows a functional configuration of the DES encryption.
- the DES encryption uses a 56-bit secret key and performs encryption or decryption in 64-bit data block units.
- the initial transformation unit 11 converts the 64 bits of the plaintext P with the initial transformation value, and then converts the block data L into 32 bits.
- Is input to the function operation unit (called a round function) 12 shown in FIG. 2 as that of the i-th round processing unit 14 i (i 0, 1,..., 15), and 4 8 Bit expansion key k.
- R 16 and L 16 are integrated into 64 bits, and the final converted value 15 is converted by the final converted value to output a ciphertext of 64 bits.
- the expanded key k input to the function f. , Ki, ⁇ , k 14) only by reversing the order of k 15, k 15> k 14 , ⁇ , ki, k. It can be executed in the same procedure as the encryption process, except that it must be entered in the order of. In that case, the final round processing section 1 4 15 swaps output 6 ,
- R 16 By configuring R 16 to be further swapped as shown in the figure, the ciphertext is input to the initial transposition 11 in the decryption processing and the processing of FIG. 1 is executed, thereby outputting the final transposition 15
- the plaintext is obtained as is.
- the expanded key k. , K ⁇ , k ", k 15 is further enlarged key generation routine 1 6 in the 56-bit secret key is expanded to the extended key 1 six of the total of 768 bits of 48-bit and encryption processing Generated by
- the processing inside the function operation 12 is performed as shown in FIG. First, the 32-bit block data Ri is converted into 48-bit data E (Ri) in the expanded value conversion unit 17.
- the exclusive OR is calculated with the expanded key ki, and the result is converted into 48-bit data E (Ri) ®ki by the XOR circuit 18 and then divided into eight sub-block data of 6 bits each. These eight sub-block data are input to different S-boxes S to S S , respectively, and each output 4 bits.
- the eight output data of S-box Si to S S are concatenated again to become 32-bit data, and then, through transposition unit 19, as shown in FIG.
- the output of the function f is f (Ri, ki).
- Differential cryptanalysis calculates the difference between two data X and X *.
- ARi 6 ALi5 ®f (Lie, k 15) ®f (L 16 ⁇ to 6, k 15) (6)
- ARi + i AL> ⁇ ⁇ ⁇ f (ARi) ⁇
- L i + 1 AR i + 1 (8).
- the point here is when there AR i is input, regardless of the value of the extended key lies in the fact that it can predict the probability P i ⁇ ⁇ '( ⁇ ⁇ ) ⁇ .
- the approximation in this way is only the part of the S-box where the non-linear transformation affects ⁇ ⁇ ⁇ ( ⁇ ⁇ ) ⁇ , and the S-box outputs a difference depending on the input difference. This is because an extremely large deviation occurs in the distribution of For example, S-box S, and when the input differential "110100", because the output difference "0010I this conversion 1/4 probability Therefore, each of the S -.
- Input differential box is a probability p si
- p si the relationship between the output difference and the output difference can be predicted
- the larger the probability P the easier the cryptanalysis.
- the good Unishi Te when the extended key k 15 is required, this time is no regarded as one stage less 1 5-stage DES ⁇ , in the same manner, by repeating that to seek the extended key k 14, final To the expanded key k.
- the purpose of the linear cryptanalysis method is to construct the following linear approximation formula and obtain the extended key using the maximum likelihood method based on a set of plaintext and ciphertext obtained by the reader.
- ⁇ (X) represents the vector that selects a particular bit position in X, the mask value and the
- the role of the linear approximation formula is to approximately replace the inside of the cryptographic algorithm with a linear expression and separate it into a part related to a plaintext / ciphertext pair and a part related to an extended key.
- the exclusive OR of the value of the specific bit position of the plaintext and the value of the specific bit position of the ciphertext becomes a constant value, and the value is the specific value of the extended key. This indicates that the value at the bit position is equal to the exclusive OR. Therefore, the reader (Lo, Ro) ⁇ ⁇ (Lo, Ro) e (Li 6, Ri 6 ) ⁇ ⁇ (Li e, Ri e)
- each S_box S i can be linearly expressed with the probability p s i.
- the point here is that given an input mask value for an S-box, its output mask value can be predicted with probability p si . This occurs because the distribution of difference mask values in the S-box, which is a non-linear conversion table, is extremely biased depending on the input mask values. For example, in the S-box S s, when the input mask value is “010000”, the output mask value “1111” is predicted with a probability of 3/16.
- each round can be linearly approximated between the input mask value and the output mask value with probability P i, and the linear approximation in each round can be linked.
- R L., Ro
- ⁇ Li e, Ri e
- ⁇ ko, ki, ⁇ , k, 5
- Triple-DES encryption in which three DES ciphers are connected, is an encryption method in which the number of DES rounds is increased from 16 rounds to 48 rounds.
- the rate P is much smaller than DES ⁇ .
- increasing the number of rounds as a countermeasure against the above decryption method will increase the size of the encryption device and the amount of data processing. For example, if the number of rounds is tripled, the amount of encryption will also be tripled.
- the encryption speed of the DES encryption is about 10 Mbps in the Pentium PC class
- the encryption speed is reduced to about 3.5 Mbps for the Triple-DES encryption.
- the speed of networks and computers is increasing year by year, and it is desired that encryption devices be compatible with such speeding. For this reason, it is extremely difficult for conventional cryptographic devices to simultaneously satisfy security and high-speed performance in response to the demand for higher speed.
- An object of the present invention is to provide an encryption device that satisfies the above points and satisfies security conditions without increasing the number of round stages.
- a key-dependent linear conversion section that performs a linear conversion on the input data of the nonlinear function section based on the key data held in the key storage section, and an output data of the key-dependent linear conversion section Divides the bit stream into a plurality of bit strings, a first nonlinear conversion section that performs nonlinear conversion on each of the divided bit strings, and an output bit stream of the first nonlinear conversion section.
- a first linear conversion unit that performs a linear conversion
- a second nonlinear conversion unit that performs a non-linear conversion on a part or all of the output bit string of the first linear conversion unit
- a second non-linear conversion unit And a coupling unit that couples the output bit string of the above to output data of the non-linear function part.
- a second linear conversion unit that performs a linear conversion of the output data of the coupling unit to the output data of the non-linear function unit is provided.
- the linear conversion is performed based on the key data held in the key storage unit. It is a key-dependent linear conversion unit to perform.
- the probability in the S-box is psp b 1 (p b is the maximum difference or linear probability of the S-box)
- the probability of approximating each round is pi ⁇ pb 2 (where In the case of differential cryptanalysis, if the input difference to the function f is not 0, linear decryption In the case of the method, the output mask value of the function f is not 0). If the function f is bijective (the output is always different if the input is different), and the number of rounds of the encryption method is 3 m, the probability as the encryption method is P ⁇ pi 2 m ⁇ p b 4 m It becomes.
- the security against the differential cryptanalysis and the linear cryptanalysis can be ensured with a relatively small number of rounds, so that it is possible to provide an encryption device that achieves both security and a low processing amount.
- FIG. 1 is a diagram showing a functional configuration of a conventional DES encryption device.
- FIG. 2 is a diagram showing a specific functional configuration of an f function operation unit 12 in FIG.
- FIG. 3 is a diagram showing a functional configuration of Embodiment 1 of the present invention.
- FIG. 4 is a diagram illustrating a detailed functional configuration example of a nonlinear function unit 304 according to the first embodiment.
- FIG. 5 is a diagram showing a specific example of a key-dependent linear conversion unit 347 in FIG.
- FIG. 6 is a diagram showing a functional configuration of a second embodiment of the present invention.
- FIG. 7A is a diagram illustrating a detailed functional configuration of a nonlinear function unit 304 according to the second embodiment.
- FIG. 7B is a diagram showing a specific example of the linear conversion unit 354 in the nonlinear function unit 304.
- FIG. 8 is a diagram showing a functional configuration of Embodiment 3 of the present invention.
- FIG. 9 is a diagram illustrating a detailed functional configuration of a nonlinear function unit 304 according to the third embodiment.
- FIG. 3 shows a functional configuration of an encryption processing procedure in an encryption device according to an embodiment of the present invention.
- the input data is divided into two block data. , R. And sequentially round them
- Input data ⁇ ⁇ corresponding to plain text is input from the input unit 301 into the encryption device.
- the key data generation unit 321 determines the key data based on the data input from the key input unit 320 in advance.
- R is block data consisting of 32 bits of data of 64 bits.
- the block data Ro is the key data k stored in the key storage unit 322. . , K 10 , k 2 . With the 0th round processing unit 38.
- the same processing as described above is repeatedly performed on Ri for two input block data. That is, in the i-th round processing unit 38 i, two block data are obtained, and the data Ri of the Ri is a non-linear function together with the key data k 0 i and k lit held in the key storage unit 322.
- the data is input to the section 304, subjected to conversion processing in the nonlinear function section 304, and converted into data Yi.
- the data Yi and the block data L i are calculated by the linear calculation unit 305 and converted into data *.
- the data and data Ri are exchanged in the data position in the exchange section 306, and the data L i + Replaced as *.
- the linear operation unit 305 performs, for example, an exclusive OR operation.
- the round processing unit 38 Assuming that the appropriate number of repetitions for ensuring the security of the encryption method is n, the round processing unit 38. To 38 DEG n results for iterative processing by, and data, R n are obtained.
- plaintext P is obtained from ciphertext C by following the reverse of the encryption procedure.
- type the ciphertext data instead of the input data in FIG. 3, in contrast to FIG. 3 the key data, ek, ko, kl, k 2, ..., koi, ki!, K 21, koo, k 10, You should give k-2 o, fk in order.
- FIG. 4 shows the functional configuration of the non-linear function unit 304 used in each round processing unit 38!
- the input data R i of the i-th round processing unit 38 is the key data k held in the key storage unit 322.
- k! i along with the k 2 i is the input data to the non-linear function unit 304.
- the block data Ri is the key data k.
- the key-dependent linear conversion unit 341 using i performs linear conversion to data Ri *.
- the data Ri * is divided into four data in, for example, 8 bits in the dividing unit 342.
- Ini, in 2 and in 3 are divided into bits. Four data in.
- the key-dependent linear transform unit 347 includes four processing sequences 30 each including at least one exclusive OR in this example. Consists 1-3 0 3, are logically coupled to each other by these processing science columns their exclusive.
- a linear operation exclusive OR
- data homogenized in each processing series is generated, and in the example of FIG. Linear processing is performed using the data ki. That is, data mid. . , Midoi, mid. 2, mid. 3 is the processing sequence 30 for each. ⁇ 30 3, input data mid in the processing sequence 30. . And mid. ! XOR with XOR 3 1, and input data mid in the processing sequence 302. 2 and mid.
- Exclusive OR 3 is taken by the XOR 3 1 2, further exclusive OR of the output of XOR 3 1 1 and the output of the XOR 3 12 is more taken XOR 3 2 2.
- Exclusive logic of The sum is XOR 34.
- XOR 3 2 2 output and input data mid.
- Exclusive OR operation of the 3 is taken by the XOR 3 4 3.
- XOR 34. , 33, 322, 343 and the key data i. , Ki ii, k li 2 , and k li 3 are XOR 35. Taken by to 3 5 3, respectively mid 10, midi i, mid 12 , mid Interview 3 is output. That is, the processing sequence 30. ⁇ 3 Os input data mid. . , Midoi, mid.
- midi 0 midoo ®mido 2 miclo s ®ki i 0
- midi 2 mi do o ®mido i ⁇ mi do 2 ⁇ mi do 3 ®ki i 2
- the output of each processing series of the key-dependent linear transformation unit 34 includes at least two or more other series of input data in this example in the form of exclusive OR. Therefore, the output data of each series is homogenized so that two or more components of the four input data are included.
- These output data mic o, midi!, Mid 12 and mid 13 are the respective processing sequences 30.
- the data Yi * is linearly converted into data Yi by the key data k 2 i in the key-dependent linear conversion unit 353, and output data Yi from the nonlinear function unit 304 is generated.
- Each of the non-linear conversion units 343 to 346 and 348 to 351 is, for example, the same as one S-box in the DES encryption, and is composed of, for example, a ROM that outputs different output data according to the input data.
- non-linear conversion units 343 to 346 are arranged in parallel and their conversion processes are not related to each other, it is possible to execute them in parallel, and therefore, the number of these units increases. Can increase the processing time due to parallel processing. The same can be said for the non-linear conversion units 348 to 351.
- the time required for the processing of the linear operation unit 305 (FIG. 3) and the linear conversion units 341, 347, 353 (FIG. 4) that constitute the round processing unit 38 of each stage is the same as that of the S_box. Since the time required for the processing such as 346, 348-351, etc. is considerably shorter, the time required for the encryption processing is almost proportional to the number of S-boxes or non-linear transformation units used.
- the key-dependent linear conversion unit 347 since the key-dependent linear conversion unit 347 homogenizes a plurality of input data into each output as described above and outputs the same, the key-dependent linear conversion unit 347, for example, as shown in FIG. If it is known in advance that this is a specific linear transformation, one or more of the non-linear transformation units 348 to 351 may be omitted and the corresponding data may be directly provided to the combining unit 352.
- the security against differential cryptanalysis and linear cryptanalysis can be prevented from deteriorating, and the amount of encryption can be reduced by omitting the non-linear transformation. For example, when the key-dependent linear transform unit 347 is shown in FIG.
- the nonlinear transform units 349 and 350 are omitted, and even if the data mid and mich 2 are input to the combining unit 352 as they are, the differential decoding and linear decoding are performed. While the security against the law is not reduced, the encryption speed is increased by about 33%. In other words, if the key-dependent linear transformation unit 347 is predetermined, one or more of the non-linear transformation units 348 to 351 may have no relation to security for the linear cryptanalysis. The non-linear conversion can be omitted.
- the key data ⁇ fk, k. . ,. , Ko, ko i, kik 2 1, ⁇ ⁇ ⁇ , ko, ki, generation of k 2, ek ⁇ can be carried out in the same manner as the extended key generation algorithm 1-6 DES ⁇ in FIG.
- the m 4 (1 2-stage round), 9 6, and the met safety requirements P rather 2-6 4 in number less round than the round number 1 6 DES, differential cryptanalysis and linear cryptanalysis Is a sufficiently secure encryption device. That is, according to the present invention, nonlinear conversion is cascaded twice in the conventional round function operation unit 12 (FIG. 1). With this configuration, the security against decryption can be doubled.
- the key-dependent initial linear transformation unit 302, the key-dependent final linear transformation unit 308, and the key-dependent linear transformation units 347, 353 are linear transformation units that depend on the key. This is an encryption device that has sufficient security, but places the highest priority on security.
- the present invention is not limited to this example.
- the key-dependent initial linear conversion unit 302, the key-dependent final linear conversion unit 308, and the key-dependent Regarding the dependent linear transformation unit 353, any or all of them can be omitted.
- the encryption processing speed can be improved by the amount of the deletion.
- the security is not reduced for decryption methods other than the differential decryption method and the linear decryption method, but the encryption processing speed can be improved by optimizing the implementation.
- the linear conversion unit performs transposition in which bit positions are exchanged in a predetermined relationship, and performs rotational shift by a predetermined number of bits.
- the key-dependent linear conversion unit performs a rotational shift by the number of bits corresponding to the key data, or performs an exclusive OR operation with the key data ⁇ ? It is a thing.
- FIG. 6 shows an embodiment in which the center two of the four nonlinear conversion units 348 to 351 in the second stage in the nonlinear function unit 304 (FIG. 4) of the first embodiment in FIG. 3 are omitted.
- the key-dependent initial linear transformation unit 302 and the key-dependent final linear transformation unit 308 in FIG. 3 are also omitted.
- Input data P corresponding to plain text is input from the input unit 301 into the encryption device.
- the input data P is divided into two blocks in the initial division unit 303. , R. Is divided into Block data R.
- the data Y is input to the non-linear function part 304 and subjected to the conversion processing by the non-linear function part 304.
- And data L. Is the linear operation unit 30 Calculated with 5 and data L. Converted to *.
- the data Ri is input to the non-linear function part 304 together with the key data k.i and k 2 i held in the key storage part 322, undergoes a conversion process in the non-linear function part 304, and is converted into data Yi.
- the data Yi and the data Li are operated on by the linear operation unit 305 and converted to data *.
- plaintext P is obtained from ciphertext C by following the reverse of the encryption procedure.
- FIG. 7A shows a functional configuration of the nonlinear function unit 304 of the i-th round processing unit 38 i in the embodiment of FIG.
- the input data Ri from the previous stage is the key data k stored in the key storage unit 322. Together with i, k 2 i , it becomes input data to the nonlinear function section 304.
- the data is the data k in the key-dependent linear transformation 341. Linearly converted to data Ri * by i.
- the data Ri * is divided into four data in in the division unit 342. , In,, it is divided into in 2, in 3. 4 data in. , I, in 2 , and in 3 are data mid in the non-linear converters 343, 344, 345, and 346, respectively. . , Midoi, mid.
- the homogenized data mic. , Mid: 1 ( mic mid 13 is generated, and the data mid 1 Q and mid 13 are nonlinearly transformed into data out. And out 3 by the nonlinear transforming units 348 and 351, respectively.
- the four data out., Midn, and mid outs are combined into one data Yi *
- the data Yi * is linearly transformed into data Yi in the key-dependent linear transformation unit 353 based on data k 2 i.
- the output data Yi from the nonlinear function section 304 is generated.
- non-linear conversion units 343 to 346 are arranged in parallel, and their conversion processes are not related to each other, they can be executed in parallel. The same can be said for the non-linear converters 348 and 351.
- the second-stage nonlinear deformation section in each nonlinear function section 304 is reduced to only the outer two (348, 351), it is necessary to reduce the amount of encryption or decryption processing accordingly. Can be.
- the key data k i is data that is converted by the key data generation unit 321 from the key information K e y input into the encryption device from the key input unit 320, and is stored in the key storage unit 322.
- the m 4 (1 2-stage round)
- a sufficient secure cryptographic device P ⁇ 2_ 96 and the relative differential cryptanalysis and linear cryptanalysis.
- the structure since there is a key-dependent linear transformation unit 353, the structure has a margin in security even for the decryption methods other than the differential decryption method and the linear decryption method, and the structure is simplified compared to the first embodiment. Therefore, the processing amount has been reduced. In other words, the encryption device emphasizes the balance between security and low processing amount.
- FIG. 8 shows an embodiment in which the key-dependent linear conversion section 353 is omitted from the nonlinear function section 304 of the second embodiment in FIG.
- Input data P equivalent to plain text is encrypted from input unit 301. Enter in the box.
- the input data P is two block data L in the initial division unit 303. , Ro. Block data R.
- And data Lo are calculated by the linear calculation unit 305 to obtain data L. Converted to *. Data L. * And data scale.
- the i-th round processing unit 38 i performs two input block data, and repeats the same processing for Ri. That is, the data Ri is input to the non-linear function unit 304 together with the key data ki stored in the key storage unit 322, and the data Ri is converted by the nonlinear function unit 304 to the data Yi. Is converted to The data Yi and the data Li are operated on by the linear operation unit 305, and are converted into data *. The data position of the data * and data Ri is exchanged by the exchange unit 306, and L i + And the block data R i + i are output.
- the output unit 309 outputs the output data C as cipher text.
- plaintext P is obtained from ciphertext C by following the reverse of the encryption procedure.
- FIG. 9 shows a functional configuration of the nonlinear function section 304 in the embodiment of FIG.
- the input data Ri to the non-linear function unit 304 is input to the key-dependent linear transformation 341 together with the key data ki stored in the key storage unit 322.
- the data is linearly transformed into data Ri * by the key data ki in the key-dependent linear transformation 341.
- the data Ri * is divided into four data in the ij part 342.
- In, in 2 in 3
- Four data in. , Im, in in 3 are data mid in the non-linear converters 343, 344, 345, 346, respectively. . , Midoi, micl. 2 , mid.
- the linear conversion unit 354 for example, as in FIG. 7B of the second embodiment,
- midi 0 midoo ®mido 2 ®mido 3
- non-linear conversion units 343 to 346 are arranged in parallel, and their conversion processes are not related to each other, they can be executed in parallel. The same can be said for the non-linear converters 348 and 351.
- the key data k i is data converted from the key information Key input into the encryption device from the key input unit 320 by the key data generation unit 321 and held in the key storage unit 322.
- the m 4 (1 2-stage round)
- a sufficient secure cryptographic device P ⁇ 2 one 96
- the relative differential cryptanalysis and linear cryptanalysis since it is a structure that executes only the minimum necessary parts to secure sufficient security against differential cryptanalysis and linear cryptanalysis, the processing amount is reduced, and the encryption or decryption speed is also reduced. It has only been improved.
- each division section 342 in the nonlinear function section 304 is not limited to four divisions, but may be divided into arbitrary plural parts. In the case of four divisions, the number of the second non-linear conversion units can be only two as shown in FIGS. 7A and 9.
- the safety strength per round stage and The following table shows the number of round stages that satisfy the security conditions and the required processing amount (number of steps) in comparison with the case of the DES encryption device shown in Figs.
- the nonlinear conversion unit corresponding to the S-box of the DES is used. Since the total number of bits of the input data to 3 to 346 is 32, and therefore the input data to each non-linear converter is 8 bits, the size of each 5-box of 0 £ 3 is adjusted to match the size. Was set to 8 bits, and thus the number of S-boxes was set to four.
- the security strength per round stage of the present invention is It is twice as large as DES. Therefore, the number of round stages to satisfy the safety condition is smaller than in the case of DES, and the processing amount (number of steps) required for the safety is also smaller.
- the input data is divided into a plurality of parts by the non-linear function part, and the non-linear functions are respectively subjected to the non-linear conversion.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Facsimile Transmission Control (AREA)
- Complex Calculations (AREA)
Description
Claims
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE69829566T DE69829566T2 (de) | 1997-06-30 | 1998-06-30 | Verschlüsselungsgerät |
EP98929747A EP1001398B1 (en) | 1997-06-30 | 1998-06-30 | Ciphering apparatus |
CA002295167A CA2295167C (en) | 1997-06-30 | 1998-06-30 | Cryptographic device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP9/173672 | 1997-06-30 | ||
JP17367297A JP3782210B2 (ja) | 1997-06-30 | 1997-06-30 | 暗号装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1999000783A1 true WO1999000783A1 (fr) | 1999-01-07 |
Family
ID=15964969
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP1998/002915 WO1999000783A1 (fr) | 1997-06-30 | 1998-06-30 | Dispositif de chiffrement |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1001398B1 (ja) |
JP (1) | JP3782210B2 (ja) |
CA (1) | CA2295167C (ja) |
DE (1) | DE69829566T2 (ja) |
WO (1) | WO1999000783A1 (ja) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2789535B1 (fr) * | 1999-02-04 | 2001-09-28 | Bull Cp8 | Procede de securisation d'un ensemble electronique de cryptographie a cle secrete contre les attaques par analyse physique |
KR100365308B1 (ko) * | 1999-12-10 | 2002-12-26 | 강소대 | 마그네틱 페이퍼 제작방법 |
JP3505482B2 (ja) * | 2000-07-12 | 2004-03-08 | 株式会社東芝 | 暗号化装置、復号装置及び拡大鍵生成装置、拡大鍵生成方法並びに記録媒体 |
US6956951B2 (en) * | 2000-07-13 | 2005-10-18 | Fujitsu Limited | Extended key preparing apparatus, extended key preparing method, recording medium and computer program |
JP4515716B2 (ja) * | 2002-04-03 | 2010-08-04 | パナソニック株式会社 | 拡大鍵生成装置、暗号化装置および暗号化システム |
JP2008058830A (ja) * | 2006-09-01 | 2008-03-13 | Sony Corp | データ変換装置、およびデータ変換方法、並びにコンピュータ・プログラム |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0954547A (ja) * | 1995-08-14 | 1997-02-25 | Nec Corp | 暗号装置 |
WO1998009705A1 (en) * | 1996-09-02 | 1998-03-12 | Davidson, Clifford, M. | Filter |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2203380C (en) * | 1995-09-05 | 2000-05-30 | Mitsuru Matsui | Data transformation apparatus and data transformation method |
-
1997
- 1997-06-30 JP JP17367297A patent/JP3782210B2/ja not_active Expired - Lifetime
-
1998
- 1998-06-30 DE DE69829566T patent/DE69829566T2/de not_active Expired - Fee Related
- 1998-06-30 EP EP98929747A patent/EP1001398B1/en not_active Expired - Lifetime
- 1998-06-30 CA CA002295167A patent/CA2295167C/en not_active Expired - Fee Related
- 1998-06-30 WO PCT/JP1998/002915 patent/WO1999000783A1/ja active IP Right Grant
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0954547A (ja) * | 1995-08-14 | 1997-02-25 | Nec Corp | 暗号装置 |
WO1998009705A1 (en) * | 1996-09-02 | 1998-03-12 | Davidson, Clifford, M. | Filter |
Non-Patent Citations (4)
Title |
---|
KANDA M., ET AL.: "ROUND FUNCTION STRUCTURE CONSISTING OF FEW S-BOXES.", IEICE TECHNICAL REPORT, DENSHI JOUHOU TSUUSHIN GAKKAI, JP, vol. 97., no. 181., 18 July 1997 (1997-07-18), JP, pages 41 - 52., XP002917232, ISSN: 0913-5685 * |
MATSUI M., ET AL.: "NEW PRACTICAL BLOCK CIPHERS WITH PROVABLE SECURITY AGAINST DIFFERENTIAL AND LINEAR CRYPTANALYSIS.", SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY (SCIS), XX, XX, 1 January 1996 (1996-01-01), XX, pages 01 - 14., XP002917231 * |
MATSUI M.: "ON PROVABLE SECURITY OF BLOCK CIPHERS AGAINST DIFFERENTIAL AND LINEAR CRYPTANALYSIS.", SYMPOSIUM ON INFORMATION THEORY AND ITS APPLICATIONS .SITA, XX, XX, vol. 01/02., 24 October 1995 (1995-10-24), XX, pages 175 - 178., XP002917230 * |
See also references of EP1001398A4 * |
Also Published As
Publication number | Publication date |
---|---|
EP1001398B1 (en) | 2005-03-30 |
DE69829566D1 (de) | 2005-05-04 |
CA2295167A1 (en) | 1999-01-07 |
DE69829566T2 (de) | 2006-02-16 |
EP1001398A4 (en) | 2002-01-30 |
CA2295167C (en) | 2003-02-04 |
EP1001398A1 (en) | 2000-05-17 |
JPH1124559A (ja) | 1999-01-29 |
JP3782210B2 (ja) | 2006-06-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1052611B1 (en) | Data converter and recording medium on which program for executing data conversion is recorded | |
US5745577A (en) | Symmetric cryptographic system for data encryption | |
JP5229315B2 (ja) | 共通鍵暗号機能を搭載した暗号化装置及び組込装置 | |
EP2058781B1 (en) | Encryption device, encryption method, and computer program | |
WO2015146431A1 (ja) | 暗号処理装置、および暗号処理方法、並びにプログラム | |
WO2001067425A1 (fr) | Systeme de chiffrage de blocs utilisant la conversion auxiliaire | |
JPH0863097A (ja) | データを暗号化するための対称暗号化方法およびシステム | |
US20090202070A1 (en) | Robust Cipher Design | |
WO2015146430A1 (ja) | 暗号処理装置、および暗号処理方法、並びにプログラム | |
Knudsen et al. | On the role of key schedules in attacks on iterated ciphers | |
JP5617845B2 (ja) | 暗号化装置、暗号化方法及びプログラム | |
Shorin et al. | Linear and differential cryptanalysis of Russian GOST | |
WO1999000783A1 (fr) | Dispositif de chiffrement | |
EP1087425A1 (en) | Method for the cryptographic conversion of binary data blocks | |
Biham et al. | Differential cryptanalysis of Q | |
JPH1124558A (ja) | 暗号装置 | |
JPH09269727A (ja) | 暗号化方法および暗号化装置 | |
JP3017726B2 (ja) | データ変換装置 | |
JP3017725B2 (ja) | データ変換装置 | |
Seki et al. | Cryptanalysis of five rounds of CRYPTON using impossible differentials | |
Lin et al. | Cryptanalysis of a Multiround Image Encryption Algorithm Based on 6D Self-Synchronizing Chaotic Stream Cipher | |
JP5500277B2 (ja) | 共通鍵暗号機能を搭載した暗号化装置及び組込装置 | |
WO2015146432A1 (ja) | 暗号処理装置、および暗号処理方法、並びにプログラム | |
Ji et al. | Square attack on reduced-round Zodiac cipher | |
JP2000089666A (ja) | 暗号化/復号化装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): CA US |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE |
|
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 1998929747 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 2295167 Country of ref document: CA Ref country code: CA Ref document number: 2295167 Kind code of ref document: A Format of ref document f/p: F |
|
WWE | Wipo information: entry into national phase |
Ref document number: 09446525 Country of ref document: US |
|
WWP | Wipo information: published in national office |
Ref document number: 1998929747 Country of ref document: EP |
|
WWG | Wipo information: grant in national office |
Ref document number: 1998929747 Country of ref document: EP |