WO2005103908A1 - Computer system and computer program for performing encryption or decryption - Google Patents
Computer system and computer program for performing encryption or decryption
- Publication number
- WO2005103908A1 (PCT/JP2005/007319)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- conversion
- box
- conversion data
- value
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/005—Countermeasures against attacks on cryptographic mechanisms for timing attacks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/24—Key scheduling, i.e. generating round keys or sub-keys for block encryption
Definitions
- the present invention relates to an encryption and decryption technique for handling information in secret.
- ADSL Asymmetric Digital Subscriber Line
- encryption technology is used. For example, digital content is encrypted using a key and distributed over a communication channel, and only a user who has received the decryption key corresponding to that key can decrypt the encrypted content and reproduce the original digital content.
- side channel attacks have been proposed which use sub-information leaked from a computer while it executes a cryptographic program, for example the processing time and the power consumption, to obtain confidential information secretly held inside the cryptographic program, for example a decryption key.
- as one such attack method, Non-Patent Document 1 and Non-Patent Document 2 describe a timing attack that focuses on the cache memory built into a computer and used to speed up processing.
- the cache memory (see Non-Patent Document 3) is a memory that enables high-speed access to data once it has been obtained by an operation unit, for example a CPU.
- this timing attack is effective against a cryptographic program executed on a CPU equipped with a cache memory, in particular against block ciphers whose repeated round processing uses a table lookup operation (generally called an S-box lookup).
- cipher systems such as the AES (Advanced Encryption Standard) method (described in Non-Patent Document 4) and the DES (Data Encryption Standard) method are targets of the attack.
- the execution environment to which this timing attack can be applied is, for example, a general personal computer (PC / AT compatible machine, etc.) or a smart card having a cache memory.
- AES performs an exclusive OR operation on input data and a secret key (expanded key) and then performs the table reference operation described above using the result of that operation. It is also assumed that, before the encryption process starts, the cache memory does not hold the table data array (S-box) used in the table reference operations of the encryption process. Under these assumptions, whether a table element is obtained from the cache memory or from the main memory in a table reference operation in the middle of the encryption process is determined by the input data and the secret key.
- this means that, depending on the value of the input data, there are cases where a table element is obtained from the cache memory and cases where it is obtained from the main memory. That is, changing the input data changes the overall encryption processing time.
- the attack measures the overall encryption processing time and, based on the measured processing time, guesses whether the table element in a table reference operation in the middle of the processing was obtained from the cache memory or from the main memory, and analyzes the secret key (expanded key) from the guess and the input data.
- there are two main approaches to such timing attacks.
- One is to measure the encryption processing time for each block (128 bits in the case of the AES system), as described in Non-Patent Document 1.
- the other measures the encryption processing time for every two blocks (128 bits × 2 in the case of the AES system), as described in Non-Patent Document 2.
- the timing attack described in Non-Patent Document 1 utilizes the fact that when the same table element is accessed twice, the table element is acquired from the cache memory the second time and the processing time is shortened.
- the general outline and flow of the timing attack described in Non-Patent Document 1 are as follows.
- each time one block is encrypted the contents of the cache memory are cleared. Then, focusing on two table reference operations, the key information that affects the input values of the two table reference operations is assumed to be a certain value. Then, under that assumption, input data is selected so that the input values of the two table lookup operations are the same, and the processing time is measured. The above is performed for all possible key information values. Ultimately, the key with the shortest processing time is output as the correct key. After that, we focus on another two table lookup operations and estimate the key in the same way.
- the timing attack that measures the processing time is made possible by the fact that the encryption processing time of one block or two blocks differs depending on the input data. As a countermeasure against timing attacks there is therefore a method in which the processing time of the encryption of one block or two blocks stays constant even if the input data is changed. One such countermeasure is the conventional technique described in Section 4.2 of Non-Patent Document 5, outlined below using the encryption processing of the AES method as a specific application example.
- the feature of the prior art disclosed in Non-Patent Document 5 is that, before the actual AES encryption processing is executed, processing independent of the input data is added in which each table element of the table data array used by the table reference operation of the AES SubBytes processing is accessed one by one (called Cache Warming in Non-Patent Document 5). As a result, all table elements used in the table reference operations of the AES SubBytes processing are stored in the cache memory before the actual AES encryption processing starts, so that in the table reference operations of the SubBytes processing all table elements are obtained from the cache memory. The overall processing time therefore stays constant regardless of the input message; in other words, resistance to the timing attack that measures the processing time is improved.
- Patent Document 1, in order to provide an encryption device with a protection function against cache-attack cryptanalysis, discloses means for making the number of cache misses when accessing the conversion table used to encrypt one plaintext or decrypt one ciphertext substantially uniform for any plaintext or ciphertext.
- Non-Patent Document 2: Toruhiro Tsurumaru, "Timing Attacks on 64-bit Block Ciphers", The 2003
- Non-Patent Document 3: David A. Patterson, John L. Hennessy, "Computer Organization and Design", ISBN4-8222-8056-X, published by Nikkei BP
- Non-Patent Document 4: Federal Information Processing Standard (FIPS) Publication 197, November 26, 2001
- Non-Patent Document 5: D. Page, "Defending against cache-based side-channel attacks", Information Security Technical Report, Vol. 8, No. 1, pp. 30-44, 2003
- Patent Document 1: Japanese Patent Application Publication No. 2004-120307
- An object of the present invention is to provide a computer system, a method, and a computer program which are resistant to a timing attack for observing a processing time in order to meet the above demand.
- the present invention provides a computer system for encrypting or decrypting a plaintext or ciphertext through a process of converting partial data related to the plaintext or ciphertext into corresponding conversion data.
- a main memory unit storing a conversion table including conversion data corresponding to partial data, and a computer program including a plurality of instructions for obtaining conversion data corresponding to partial data using the conversion table in the process.
- a cache memory unit including a line storage area of a predetermined length, and an execution unit that reads and decodes one instruction at a time from the computer program stored in the main memory unit, decodes the instruction, and operates in accordance with the decoding result.
- when acquiring conversion data included in the conversion table, the execution unit first attempts to acquire the conversion data from the line storage area of the cache memory unit; if the conversion data does not exist in the line storage area, it acquires the conversion data from the main memory unit and writes inclusion data of the predetermined length containing the acquired conversion data into the line storage area. The conversion table has line table areas of the predetermined length; at a predetermined position in a line table area one piece of conversion data corresponding to the partial data is included, and at the other positions in the line table area data irrelevant to the conversion is included.
- with this, the line storage area of the cache memory unit holds only one piece of conversion data, so that the processing time of the encryption or decryption processing is constant even if the input message is changed, and the resistance to a timing attack that observes the processing time is improved.
- the conversion table includes the conversion data at a position depending on a value of the partial data
- the operation instruction group may calculate the position of the corresponding conversion data in the conversion table by performing an operation on the acquired partial data.
- the predetermined length is an integer w times the length of the conversion data
- the line table area includes the conversion data at the predetermined position, and includes data irrelevant to the conversion at all other positions.
- the operation instruction group may calculate the position of the corresponding conversion data in the conversion table using multiplication by an integer w.
- the predetermined position may be the head position of the line table area, and the operation instruction group may calculate the position of the corresponding conversion data in the conversion table by multiplying the acquired partial data by the integer w.
- the position of the converted data corresponding to the partial data can be specified by a simple operation.
- the line table area may include the conversion data at the predetermined position, another piece of conversion data corresponding to another partial data at another predetermined position, and data unrelated to the conversion at all other positions.
- the predetermined length is an integer w times the length of the conversion data
- the predetermined position is the head position of the line table area, the other predetermined position is the head position of the latter half area obtained by bisecting the line table area, and the operation instruction group may calculate the position of the corresponding conversion data in the conversion table by multiplying the acquired partial data by the integer w/2.
- the predetermined length is an integer w times the length of the conversion data
- the predetermined position is the integer X-th position from the head of the line table area, the other predetermined position is the integer X-th position from the head of the latter half area obtained by bisecting the line table area, and the operation instruction group may calculate the position of the corresponding conversion data in the conversion table by multiplying the acquired partial data by the integer w/2 and adding the integer X.
- with this, the line storage area of the cache memory unit holds one or more pieces of conversion data, so that the resistance to a timing attack that observes the processing time is maintained to a certain degree while the cache memory unit can be made smaller.
- a computer system for encrypting or decrypting plaintext or ciphertext through a process of converting partial data relating to the plaintext or ciphertext into corresponding conversion data, comprising:
- a main memory unit storing a conversion table including the conversion data corresponding to the partial data, and a computer program including a plurality of instructions for obtaining the conversion data corresponding to the partial data using the conversion table in the process;
- a cache memory unit including a line storage area of a predetermined length; and an execution unit that reads and decodes one instruction at a time from the computer program stored in the main memory unit and operates in accordance with the result of the decoding.
- when acquiring conversion data, the execution unit first attempts to read the conversion data from the line storage area of the cache memory unit.
- if the conversion data does not exist there, the conversion data is obtained from the main memory unit and inclusion data of the predetermined length including the obtained conversion data is written into the line storage area.
- the conversion table has the line table area of the predetermined length, and includes, at a predetermined position in the line table area, one piece of conversion data corresponding to the partial data.
- the predetermined position is a position obtained by performing a predetermined operation on the partial data, and the operation instruction group may calculate the position of the conversion data in the conversion table by performing the predetermined operation on the partial data.
- the predetermined operation may be a multiplication of the partial data by an odd number modulo z, where z is the number of distinct values that the partial data can take.
- the conversion data is thereby arranged randomly in the conversion table, so that as long as the predetermined operation is not leaked, resistance to the attack can be maintained.
- a computer system for encrypting or decrypting plaintext or ciphertext through a process of converting partial data relating to the plaintext or ciphertext into corresponding conversion data, comprising a main memory unit storing a first conversion table and a second conversion table each including the conversion data corresponding to the partial data, and a computer program including a plurality of instructions for obtaining the conversion data corresponding to the partial data using the first conversion table and the second conversion table in the process;
- a cache memory unit including a line storage area of a predetermined length; and an execution unit that reads and decodes one instruction at a time from the computer program stored in the main memory unit and operates in accordance with the result of the decoding.
- when acquiring conversion data included in the first conversion table or the second conversion table, the execution unit first attempts to acquire the conversion data from the line storage area of the cache memory unit; if the conversion data does not exist in the line storage area, it acquires the conversion data from the main memory unit and writes inclusion data of the predetermined length including the acquired conversion data into the line storage area. The first conversion table and the second conversion table each have line table areas of the predetermined length, each including, at a predetermined position in the line table area, one piece of conversion data corresponding to the partial data. The computer program includes an acquisition instruction for acquiring the partial data, an operation instruction group for calculating the position of the conversion data in the conversion table from the acquired partial data, and a read instruction for reading the conversion data at the calculated position from the conversion table.
- the predetermined position in the first conversion table is a position obtained by performing a first operation on the partial data
- the predetermined position in the second conversion table is a position obtained by performing a second operation on the partial data
- the operation instruction group performs the first operation or the second operation each time the conversion is performed, according to which conversion table is used.
- the first operation is a multiplication of the partial data by a first odd number modulo z
- the second operation is a multiplication of the partial data by a second odd number modulo z
- z is the number of distinct values that the partial data can take
- the determination command may generate a random number and determine which conversion table to use based on the generated random number.
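The following C program is an added illustration, not code from the patent: it builds the standard AES S-box from the FIPS 197 definition, then the modified layouts described above (one element per line table area at position x × w, two per area at x × w/2, and one per area at the scrambled position (x × 177 mod 256) × w), checks that each lookup still returns the standard value, that an odd multiplier is a bijection modulo z = 256, and reports which cache line each lookup touches under each layout. The line length w = 64 bytes, the padding value 0xA5, and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define W   64    /* assumed cache line length in bytes (the "predetermined length") */
#define Z   256   /* z: number of values one partial-data byte can take */
#define PAD 0xA5  /* assumed filler for positions "irrelevant to the conversion" */

/* Standard S-box from the FIPS 197 definition: GF(2^8) inverse, then affine map. */
static uint8_t sbox_std[Z];

static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));  /* times x, reduced mod x^8+x^4+x^3+x+1 */
        b >>= 1;
    }
    return p;
}

static void build_sbox_std(void)
{
    for (int x = 0; x < Z; x++) {
        uint8_t inv = 0;                                  /* inverse of 0 is defined as 0 */
        for (int y = 1; x != 0 && y < Z; y++)
            if (gf_mul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        uint8_t s = inv;
        for (int r = 1; r <= 4; r++)                      /* s = inv ^ rotl(inv,1..4) ^ 0x63 */
            s ^= (uint8_t)((inv << r) | (inv >> (8 - r)));
        sbox_std[x] = s ^ 0x63;
    }
}

/* Modified S-boxes in the page's layouts: each "line table area" is W bytes, padded. */
static uint8_t sbox_one_per_line[Z * W];      /* element x at x * W            */
static uint8_t sbox_two_per_line[Z * W / 2];  /* element x at x * (W / 2)      */
static uint8_t sbox_permuted[Z * W];          /* element x at (x*177 mod Z) * W */
static size_t pos_one_per_line(uint8_t x) { return (size_t)x * W; }
static size_t pos_two_per_line(uint8_t x) { return (size_t)x * (W / 2); }
static size_t pos_permuted(uint8_t x)     { return ((size_t)x * 177 % Z) * W; }

static void build_modified_sboxes(void)
{
    build_sbox_std();
    memset(sbox_one_per_line, PAD, sizeof sbox_one_per_line);
    memset(sbox_two_per_line, PAD, sizeof sbox_two_per_line);
    memset(sbox_permuted, PAD, sizeof sbox_permuted);
    for (int x = 0; x < Z; x++) {
        sbox_one_per_line[pos_one_per_line((uint8_t)x)] = sbox_std[x];
        sbox_two_per_line[pos_two_per_line((uint8_t)x)] = sbox_std[x];
        sbox_permuted[pos_permuted((uint8_t)x)] = sbox_std[x];
    }
}

/* SubBytes on one byte per layout (the index arithmetic is the page's "operation instruction group"). */
static uint8_t sub_one_per_line(uint8_t x) { return sbox_one_per_line[pos_one_per_line(x)]; }
static uint8_t sub_two_per_line(uint8_t x) { return sbox_two_per_line[pos_two_per_line(x)]; }
static uint8_t sub_permuted(uint8_t x)     { return sbox_permuted[pos_permuted(x)]; }

/* x -> x * mult mod Z must be a bijection, or two inputs would share one table position. */
static int is_bijection_mod_z(unsigned mult)
{
    unsigned char seen[Z] = {0};
    for (unsigned x = 0; x < Z; x++) {
        unsigned y = (x * mult) % Z;
        if (seen[y]) return 0;
        seen[y] = 1;
    }
    return 1;
}

/* Cache line (W bytes, tables assumed line-aligned) touched by one lookup. The standard
 * 256-byte table spans only Z / W lines, so inputs with equal high bits share a line. */
static size_t line_std(uint8_t x)          { return (size_t)x / W; }
static size_t line_one_per_line(uint8_t x) { return pos_one_per_line(x) / W; }
static size_t line_two_per_line(uint8_t x) { return pos_two_per_line(x) / W; }

/* Distinct cache lines touched by the 16 SubBytes lookups of one AES state. */
static int distinct_lines(const uint8_t state[16], size_t (*line_of)(uint8_t))
{
    unsigned char seen[Z] = {0};
    int n = 0;
    for (int i = 0; i < 16; i++) {
        size_t l = line_of(state[i]);
        if (!seen[l]) { seen[l] = 1; n++; }
    }
    return n;
}

int main(void)
{
    uint8_t state[16];                                    /* constructed sample state 0x00..0x0f */
    build_modified_sboxes();
    for (int i = 0; i < 16; i++) state[i] = (uint8_t)i;
    printf("lines touched by 16 lookups: standard %d, one per line %d, two per line %d\n",
           distinct_lines(state, line_std), distinct_lines(state, line_one_per_line),
           distinct_lines(state, line_two_per_line));
    return 0;
}
```

The line counts only show where each layout places its elements; the program does not measure timing.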
- FIG. 1 is a configuration diagram showing a configuration of a content distribution system 10 according to a first embodiment of the present invention.
- FIG. 2 is a block diagram showing a configuration of a content server device 100.
- FIG. 3 is a flowchart illustrating the contents of a content encryption program 132.
- FIG. 4 is a configuration diagram showing a configuration of an AES encryption program 133.
- FIG. 5 is a structural diagram showing a data structure of a standard S box 380.
- FIG. 6 is a structural diagram showing a data structure of a modified S box 511.
- FIG. 7 is a flowchart for explaining the contents of an encryption main module 501.
- FIG. 8 is a flowchart illustrating the contents of a Round processing module 503.
- FIG. 9 is a flowchart illustrating the contents of a SubBytes processing module 505.
- FIG. 10 is a flowchart illustrating the contents of a FinalRound processing module 504.
- FIG. 11 is a block diagram showing a configuration of a microprocessor 101.
- FIG. 12 shows an example in which the contents of the modified S box 511 are stored in the cache line units 181 to 187 of the data unit 175.
- FIG. 13 is a flowchart showing an operation of the microprocessor 101.
- FIG. 14 is a data process chart showing the operation of encryption by the AES encryption program 133.
- FIG. 15 shows the AddRoundKey processing in each Round processing or FinalRound processing operation.
- FIG. 16 is a block diagram showing a configuration of a personal computer 200.
- FIG. 17 is a flowchart illustrating the contents of a content decryption program 232 and a playback program 233.
- FIG. 18 is a flowchart illustrating the contents of an AES decryption program 234.
- FIG. 20 is a structural diagram showing a data structure of an inverse transform S box 611.
- FIG. 21 is a flowchart illustrating the contents of a decoding main module 601.
- FIG. 22 is a flowchart illustrating the contents of an InvRound processing module 603.
- FIG. 23 is a flowchart illustrating the contents of an InvSubBytes processing module 605.
- FIG. 24 is a flowchart illustrating the contents of an InvFinalRound processing module 604.
- FIG. 25 shows an example in which the contents of the inverse transform S box 611 are stored in each cache line unit of the data unit.
- FIG. 26 is a data process chart showing the decryption operation by the AES decryption program 234.
- FIG. 27 is a data process chart showing the detailed operations of InvSubBytes processing and AddRoundKey processing.
- FIG. 28 is a structural diagram showing a data structure of a modified S box 911.
- FIG. 29 is a data process chart showing the operations of one left shift process 902 and one reference process 903 in the SubBytes processing by the SubBytes processing module 505a.
- FIG. 30 shows an example in which the contents of the modified S box 911 are stored in the cache line units 181, 182, ... of the data unit 175.
- FIG. 31 is a structural diagram showing a data structure of a modified S box 1011.
- FIG. 32 is a data process chart showing the operations of one left shift process 1002, one addition process 1003, and one reference process 1004 in the SubBytes processing by the SubBytes processing module 505b.
- FIG. 33 shows an example in which the contents of the modified S box 1011 are stored in the cache line units 181, 182, ... of the data unit 175.
- FIG. 34 is a structural diagram showing a data structure of a modified S box 1121.
- FIG. 35 is a correspondence table showing the correspondence between the 256 integer input values A (0, 1, 2, ..., 255) and the calculation results A × 177 mod 256.
- FIG. 36 is a data process chart showing the operations of a process 1102 and one reference process 1103.
- FIG. 37 shows an example in which the contents of the modified S box 1121 are stored in the cache line units 181, 182, ... of the data unit 175.
- FIG. 38 is a structural diagram showing a data structure of a modified S box 1221.
- FIG. 39 is a data process chart showing the operations of one multiplication process 1202, one shift process 1203, and one reference process 1204 in the SubBytes process by the SubBytes process module 505d.
- FIG. 40 shows an example in which the contents of the modified S box 1221 are stored in the cache line units 181, 182, ... of the data unit 175.
- FIG. 41 is a structural diagram showing a data structure of a modified S box 1311.
- FIG. 42 is a data process chart showing the operations of one multiplication process 1302, one shift process 1303, one addition process 1304, and one reference process 1305 in the SubBytes processing by the SubBytes processing module 505e.
- FIG. 43 shows an example in which the contents of the modified S box 1221 are stored in the cache line units 181, 182, ... of the data unit 175.
- FIG. 44 is a structural diagram showing a data structure of a modified S box 1421.
- FIG. 45 is a structural diagram showing a data structure of a modified S box 1441.
- FIG. 46 is a correspondence table showing the correspondence between the 256 integer input values B (0, 1, 2, ..., 255) and their calculation results B × 77 mod 256.
- FIG. 48 shows an example in which the contents of the modified S box 1421 are stored in the cache line units 181, 182, ... of the data unit 175.
- FIG. 49 shows an example in which the contents of the modified S box 1441 are stored in the cache line units 181, 182, ... of the data unit 175.
- FIG. 50 is a flowchart illustrating the contents of a SubBytes processing module 1501.
- a content distribution system 10 according to one embodiment of the present invention will be described.
- the content distribution system 10 includes a content server device 100, a distribution server device 30a, a broadcasting device 30b, a BD manufacturing device 30c, a personal computer 200, a digital broadcast receiving device 200a, and a BD reproducing device 200b.
- the content server device 100 stores the content of a movie composed of video data and audio data, encrypts the stored content in response to a request from the distribution server device 30a to generate encrypted content, and transmits the generated encrypted content to the distribution server device 30a connected via the dedicated line 21.
- the distribution server device 30a receives the encrypted content and transmits the encrypted content to the personal computer 200 connected via the Internet 20.
- the personal computer 200 receives the encrypted content, decrypts the received encrypted content to generate decrypted content, reproduces the generated decrypted content, and outputs video and audio.
- the content server device 100 likewise generates encrypted content in response to a request from the broadcasting device 30b, and transmits the generated encrypted content to the broadcasting device 30b via the dedicated line 22.
- the broadcasting device 30b receives the encrypted content, and broadcasts the received encrypted content on a broadcast wave.
- the digital broadcast receiving device 200a receives the broadcast wave, extracts the encrypted content from the received broadcast wave, decrypts the extracted encrypted content to generate decrypted content, reproduces the generated decrypted content, and outputs video and sound.
- the content server device 100 generates encrypted content in response to a request from the BD manufacturing device 30c, and transmits the generated encrypted content to the BD manufacturing device 30c via the dedicated line 23.
- the BD manufacturing device 30c receives the encrypted content and writes the received content to the recording medium 40.
- the recording medium 40 on which the encrypted content is written is sold and purchased by the user.
- the BD reproducing device 200b, to which the user has attached the recording medium 40, reads the encrypted content from the recording medium 40, decrypts the read encrypted content to generate decrypted content, reproduces the generated decrypted content, and outputs video and sound.
- the content server device 100 is a computer system including a microprocessor 101, a hard disk unit 102, a memory unit 103, an input control unit 104, a display control unit 105, a communication unit 106, and a system bus 109.
- the microprocessor 101, the hard disk unit 102, the memory unit 103, the input control unit 104, the display control unit 105, and the communication unit 106 are mutually connected via a system bus 109.
- the input control unit 104 and the display control unit 105 are connected to a keyboard 107 and a monitor 108, respectively.
- the communication unit 106 is connected to the distribution server device 30a, the broadcasting device 30b, and the BD manufacturing device 30c via the dedicated lines 21, 22, and 23, respectively.
- the hard disk unit 102 is a storage unit for storing computer programs and data for a long period of time. As shown in FIG. 2, the hard disk unit 102 stores a content 120, a content 121, a content 122, ..., a key 123, a key 124, a key 125, ..., a content distribution program 141, a content encryption program 142, an AES encryption program 143, a transmission program 144, other computer programs not shown, and other data not shown, and has an area for storing encrypted content 126, encrypted content 127, encrypted content 128, ....
- the content 120, the content 121, the content 122, ... correspond respectively to the key 123, the key 124, the key 125, ..., and to the encrypted content 126, the encrypted content 127, the encrypted content 128, ....
- the content 120, the content 121, the content 122,... are respectively the compressed data in which the video data and the audio data are compressed and encoded with high efficiency.
- the key 123, the key 124, the key 125, ... are the keys applied in the encryption algorithm to the content 120, the content 121, the content 122, ..., respectively, to obtain the encrypted content 126, the encrypted content 127, the encrypted content 128, ....
- the encryption algorithm is AES (Advanced Encryption Standard).
- the encrypted content 126, the encrypted content 127, the encrypted content 128, ... are the encrypted data generated by applying the encryption algorithm AES to the content 120, the content 121, the content 122, ..., respectively.
- the content distribution program 141, the content encryption program 142, the AES encryption program 143, and the transmission program 144 are loaded into the memory unit 103 as a content distribution program 131, a content encryption program 132, an AES encryption program 133, and a transmission program 134, respectively, in accordance with an instruction from the microprocessor 101.
- the memory unit 103 is a storage unit for temporarily storing the computer programs and data to be executed. As shown in FIG. 2, it has areas for storing the content distribution program 131, the content encryption program 132, the AES encryption program 133, the transmission program 134, other programs not shown, and other data not shown.
- Each of the above programs is a computer program configured by combining a plurality of instruction codes in a machine language format.
- the machine language form is a form that is decoded and executed by the microprocessor 101.
- in the following, to make the contents of each computer program easier to understand, they are expressed not in machine language instruction codes but in a language that humans ordinarily use to speak or write, or in flowcharts, and each computer program is described in that form.
- the content distribution program 131 includes a plurality of instruction codes. These instruction code groups receive, from a content distribution destination device, for example the distribution server device 30a, the specification of a content, for example the content 120, and the specification of the distribution destination device; call the content encryption program 132 designating the content indicated by the received specification as the content to be encrypted; write the encrypted content generated by the content encryption program 132 to the hard disk unit 102 as, for example, the encrypted content 126; and then call the transmission program 134 designating the distribution destination device indicated by the received specification and the encrypted content written to the hard disk unit 102.
- the generated encrypted content is thereby transmitted to the distribution destination device indicated by the received specification.
- the content day code program 132 includes instruction code groups Sll, S112, S113, S114, S115, and S116, and these instruction code groups are composed of content codes. In the program 132, they are arranged in this order. Each instruction code group includes one or more instruction codes.
- the instruction code group S111 includes instruction codes indicating that the value "-128" is substituted as an initial value into a read point, which indicates in bits the position of data within the designated content, and that the key corresponding to the designated content is read from the hard disk unit 102.
- a read point of "-128" indicates a position outside the content; "-128" is nevertheless used as the initial value because, on the first execution of the instruction code group S112 described next, 128 bits are added to the read point, giving it the value "0" so that it indicates the head of the content.
- the instruction code group S112 includes a plurality of instruction codes indicating that 128 bits are added to the read point and that an attempt is then made to read one block of data from the position in the content indicated by the updated read point; if the position indicated by the read point is within the content, one block of data is read from that position, and if it is outside the content, an end code indicating that block reading has been completed is output.
- one block is 128-bit data.
- the instruction code group S113 includes a plurality of instruction codes indicating that processing by the content encryption program 132 is terminated when the end code is output from the instruction code group S112, and that control is otherwise transferred to the next instruction code group S114.
- the instruction code group S114 includes a plurality of instruction codes indicating that the AES encryption program 133 is to be called with the read key and the read one block.
- when the AES encryption program 133 is called with the one block, it subjects the block to AES encryption to generate an encrypted block.
- in AES, both the input message (plaintext) and the output message (ciphertext) are 128 bits, and the length of the encryption key and decryption key can be selected from 128 bits, 192 bits and 256 bits.
- in this embodiment, the encryption key and the decryption key are 128 bits.
- the instruction code group S115 includes a plurality of instruction codes indicating that the one encrypted block generated by the AES encryption program 133 is written to the hard disk unit 102, for example as part of the encrypted content 126.
- the instruction code group S116 includes an instruction code indicating that control is transferred back to the instruction code group S112.
- the AES encryption program 133 is an encryption program that encrypts a 128-bit plaintext block based on AES to generate a 128-bit ciphertext block. As shown in the figure, it comprises an AddRoundKey processing module 502, a Round processing module 503, a FinalRound processing module 504, a SubBytes processing module 505, a ShiftRows processing module 506, a MixColumns processing module 507, a KeySchedule processing module 508 and a modified S box 511.
- Each module is a computer program configured by combining a plurality of instruction codes in a machine language format.
- the machine language form is a form that is decoded and executed by the microprocessor 101.
- the standard S box 380, which is the table data array generally used for the S box reference processing with 8-bit input and 8-bit output defined in AES encryption, is described using the array representation 381 and the array representation 382 shown in FIG. 5.
- the array representation 381 and the array representation 382 in FIG. 5 both represent the standard S box 380: the array representation 381 shows the sequence number (index) of each of the array elements included in the standard S box 380,
- and the array representation 382 shows the specific value of each of those array elements.
- the array representation 381 arranges the array element indices in a matrix of 16 rows x 16 columns for convenience of expression,
- and the array representation 382 likewise arranges the specific values of the array elements in a matrix of 16 rows x 16 columns.
- an array element at a given position in the matrix of the array representation 381 corresponds to the specific value at the same position in the matrix of the array representation 382.
- the standard S box 380 contains 256 array elements 391, 392, 393, ..., 394, ..., 395, 396, 397, ..., 398.
- Each array element is 8-bit data and is expressed as "S[xx]".
- in the array representation 381 in FIG. 5, each array element number xx is represented by a hexadecimal number.
- next, the modified S box 511 will be described.
- the modified S box 511 is composed of 2048 array elements 431, 441, 442, 443, 444, 445, 446, 447, 432, ..., 433, ..., 434, ..., 435, ..., 436, ..., 437, ..., 438, ...
- the array elements constituting the modified S box 511 are arranged in a matrix of 256 rows x 8 columns for convenience of expression.
- Each array element is 8-bit data, so one row of 8 columns of array elements is 64 bits long.
- the 256 array elements 431, 432, 433, 434, ..., 435, 436, 437, 438 of the first column have the values S[00], S[01], S[02], S[03], ..., S[fc], S[fd], S[fe] and S[ff] respectively.
- the values S[00], S[01], ..., S[fe] and S[ff] are the same as the corresponding values in the standard S box 380 described above.
- the 256 array elements of the second column each have the value "0xff".
- "0x" indicates that the number following it is expressed in hexadecimal.
- Each array element of the third to eighth columns also has the value "0xff".
- the matrix of array elements contained in the modified S box 511 thus has 256 rows and 8 columns.
- each array element of the standard S box 380 is placed in one of the 256 array elements of the first column, and the value "0xff" is assigned to each array element of the second to eighth columns.
- in other words, of each group of eight consecutively arranged array elements, the first has the same value as an array element of the standard S box 380, and the remaining seven have the meaningless value "0xff".
- the encryption main module 501 includes instruction code groups S121, S122, S123, S124, S125 and S126, arranged in this order in the encryption main module 501. Each instruction code group includes one or more instruction codes.
- the instruction code group S121 includes a plurality of instruction codes indicating that the AddRoundKey processing module 502, which performs AddRoundKey processing as an operation between the input plaintext block and an expanded key generated from the encryption key, is called.
- the instruction code group S122 includes a plurality of instruction codes indicating that the counter is initialized to 0. This counter is for controlling repetition in the encryption main module 501.
- the instruction code group S123 includes a plurality of instruction codes indicating that a round processing module 503 that performs round processing described below is to be called.
- the instruction code group S124 includes a plurality of instruction codes indicating that “1” is added to the counter.
- the instruction code group S125 includes a plurality of instruction codes indicating that it is determined whether the counter has reached the predetermined number of repetitions "Nr-1"; if the counter is not "Nr-1", the process returns to the instruction code group S123, and if it is "Nr-1", the process proceeds to the next instruction code group S126.
- the number of repetitions "Nr" depends on the bit length of the encryption key and decryption key (the key lengths below are those defined by the AES standard):
- Nr = 10 for a 128-bit key
- Nr = 12 for a 192-bit key
- Nr = 14 for a 256-bit key
- the instruction code group S126 includes a plurality of instruction codes indicating that a FinalRound processing module 504 that performs FinalRound processing described later is to be called.
- the round processing module 503 includes the instruction code groups S131, S132, S133 and S134, arranged in this order in the round processing module 503.
- Each instruction code group includes one or more instruction codes.
- the instruction code group S131 includes a plurality of instruction codes indicating that the SubBytes processing module 505, which performs SubBytes processing composed of 16 table reference operations, is called.
- the instruction code group S132 includes a plurality of instruction codes indicating that the ShiftRows processing module 506, which performs the ShiftRows processing, is called.
- the instruction code group S133 includes a plurality of instruction codes indicating that the MixColumns processing module 507 that performs the MixColumns processing is called.
- the instruction code group S134 includes a plurality of instruction codes indicating that the AddRoundKey processing module 502 that performs the above-described AddRoundKey processing is called.
- the SubBytes processing module 505 performs the left shift and the modified S box reference processing on each of the 16 partial block data,
- generating 16 8-bit data,
- and concatenates the 16 generated 8-bit data to generate and output 128-bit block data.
- each partial block data is shifted left by 3 bits for the following reason.
- shifting left by 3 bits multiplies each partial block data by eight.
- in the modified S box 511, only the first of every eight consecutively arranged array elements is a valid array element S[XX], which is why each partial block data is multiplied by eight:
- referencing the modified S box 511 using the data so obtained as an address yields only valid array elements S[XX].
- for the same reason, the SubBytes processing module 505 may include a multiplication by eight instead of the 3-bit left shift.
- alternatively, another modified S box may be used in which the valid array element S[XX] is placed first in each group of 16 consecutively arranged array elements;
- in that case only the valid array element S[XX] is obtained by referring to that other modified S box using data obtained by multiplying each partial block data by 16 as an address.
- the SubBytes processing module 505 includes instruction code groups S141, S142, S143, S144, S145, S146, ..., S147 and S148, arranged in this order in the SubBytes processing module 505.
- Each instruction code group includes one or more instruction codes.
- the instruction code group S141 includes a plurality of instruction codes indicating that the first of the 16 partial block data is shifted left by 3 bits to generate 11-bit data.
- the instruction code group S142 includes a plurality of instruction codes indicating that the modified S box 511 is referenced using the 11-bit data generated by the instruction code group S141 as an address, that the 8-bit data stored at the position given by that address is read from the modified S box 511, and that the read 8-bit data is output.
- the instruction code groups S143, S145, ..., S147 each include a plurality of instruction codes similar to those of the instruction code group S141.
- the instruction code groups S144, S146, ..., S148 each include a plurality of instruction codes similar to those of the instruction code group S142.
- the instruction code groups S144, S146, ..., S148 differ from the instruction code group S142 only in that they use the output of the instruction code groups S143, S145, ..., S147 respectively.
- the FinalRound processing module 504 includes the instruction code groups S151, S152 and S153 as shown in FIG. 10, arranged in this order in the FinalRound processing module 504.
- Each instruction code group includes one or more instruction codes.
- the instruction code group S151 includes a plurality of instruction codes indicating that the SubBytes processing module 505 is to be called.
- the instruction code group S152 includes a plurality of instruction codes indicating that the ShiftRows processing module 506, which performs the ShiftRows processing, is to be called.
- the instruction code group S153 includes a plurality of instruction codes indicating that the AddRoundKey processing module 502, which performs AddRoundKey processing, is to be called.
- the AddRoundKey processing module 502, ShiftRows processing module 506, MixColumns processing module 507, and KeySchedule processing module 508 are the AddRoundKey processing, ShiftRows processing, MixColumns processing, and
- the transmission program 134 is configured by arranging a plurality of instruction codes.
- the transmission program 134 includes a plurality of instruction codes indicating that a designation of data and a designation of a distribution destination device are received from the calling program, and that the communication unit 106 is controlled to transmit the designated data to the designated distribution destination device.
- the microprocessor 101 is the central part that controls the content server device 100 and performs its data processing, carrying out operations, control and the like according to the computer programs stored in the memory unit 103.
- the microprocessor 101 includes an arithmetic unit 161, a cache unit 162 and other units shown in the figure.
- the cache unit 162 is provided so that the time taken by the arithmetic unit 161 to access the memory unit 103 during program execution does not degrade the execution performance of the program.
- the cache unit 162 includes a data unit 175 and other units not shown.
- the data section 175 has 256 cache line sections.
- Each cache line unit has a 64-bit memory area.
- Part of the contents stored in the memory unit 103 is copied into the cache line units of the data unit 175.
- when an address is given to the cache unit 162, the cache unit 162 outputs the data stored in the cache line unit corresponding to that address.
- the arithmetic unit 161 interprets the instruction codes of the computer program stored in the memory unit 103 one by one and performs operations and control according to the result of interpretation.
- the arithmetic unit 161 holds a program counter PC that stores the address of the instruction to be fetched next.
- when executing a computer program, the arithmetic unit 161 first copies (loads) the computer program stored in the hard disk unit 102 into the memory unit 103. Next, it sets the program counter PC to an initial value, fetches one instruction of the computer program based on the value of the program counter PC, and executes the fetched instruction.
- when the instruction being executed refers to fixed value data defined in the computer program loaded into the memory unit 103,
- the arithmetic unit 161 accesses the memory unit 103 to acquire the fixed value data;
- if the same fixed value data is also stored in the cache unit 162,
- the arithmetic unit 161 accesses the cache unit 162 instead of the memory unit 103 and acquires the fixed value data from there.
- more precisely, the arithmetic unit 161 accesses the cache unit 162; when the desired data is not present in the cache unit 162, it reads the desired data from the memory unit 103 and writes the read data into one of the cache line units of the data unit 175 of the cache unit 162. Copying the data from the memory unit 103 to the cache unit 162 takes some time, but from the second access onward the arithmetic unit 161 accesses the cache unit 162, so operation is fast.
- FIG. 12 shows, as the data unit 175a, an example in which the contents of the modified S box 511 have been stored in the cache line units 181 to 187 of the data unit 175 by the SubBytes processing described above.
- the contents of the modified S box 511 are stored as they are in the cache line units 181a, 182a, 183a, 184a, ..., 186a, 187a of the data unit 175a.
- the cache line unit 181a stores the array element 451 "S[00]", the array element 461 "0xff", the array element 462 "0xff", the array element 463 "0xff", the array element 464 "0xff", the array element 465 "0xff", the array element 466 "0xff" and the array element 467 "0xff". In the other cache line units as well, an array element of the standard S box 380 is stored at the head and "0xff" is stored in the remaining positions.
- thus the array elements of the standard S box 380, namely the array element 452 "S[01]", the array element 453 "S[02]", the array element 454 "S[03]", ..., the array element 455 "S[fc]", the array element 456 "S[fd]", the array element 457 "S[fe]" and the array element 458 "S[ff]", are stored at the heads of the other cache line units.
- each cache line unit of the data unit 175a therefore stores only one array element of the standard S box 380.
- next, the operation of the content server device 100 will be described.
- the arithmetic unit 161 copies the computer program stored in the hard disk unit 102 into the memory unit 103 and sets the program counter PC, which stores the address of the instruction to be fetched next, to an initial value (step S161).
- the arithmetic unit 161 fetches one instruction from the computer program loaded into the memory unit 103 based on the value of the program counter PC (step S162).
- the arithmetic unit 161 determines whether the instruction uses fixed data defined in the computer program (step S163). When fixed data is used (Yes in step S163) and the fixed data to be used is in the cache unit 162 (Yes in step S164), it accesses the cache unit 162 and acquires the corresponding fixed data (step S165), then decodes the fetched instruction and executes the decoded result using the acquired fixed data (step S166). If the program counter PC indicates the end (Yes in step S167), the processing is terminated; if not (No in step S167), the program counter PC is advanced by one (step S170) and control returns to step S162 to repeat the processing.
- if fixed data is not used (No in step S163), the arithmetic unit 161 decodes the fetched instruction and executes the decoded result (step S166), then proceeds to step S167 and repeats the processing.
- if the fixed data to be used is not in the cache unit 162 (No in step S164), the arithmetic unit 161 accesses the memory unit 103 to acquire the corresponding fixed data (step S168), copies the acquired fixed data into a cache line unit of the cache unit 162 (step S169), then decodes the fetched instruction and executes the decoded result using the acquired fixed data (step S166), after which control is transferred to step S167 to repeat the processing.
- the encryption operation by the AES encryption program 133 consists of a key schedule step 302 and ten round steps 304, 305, ..., 306, 307.
- 11 expanded keys SK are generated by the KeySchedule processing module 508 (step 302), and using the generated expanded keys:
- AddRoundKey processing is performed using the expanded key SK by the AddRoundKey processing module 502 (step 321),
- SubBytes processing is performed by the SubBytes processing module 505 (step 322),
- the ShiftRows processing module 506 performs the ShiftRows processing (step 323), and the MixColumns processing module 507 performs the MixColumns processing (step 324),
- AddRoundKey processing is performed by the AddRoundKey processing module 502 using the expanded key SK (step 331),
- SubBytes processing is performed by the SubBytes processing module 505 (step 332),
- the ShiftRows processing module 506 performs the ShiftRows processing (step 333), and the MixColumns processing module 507 performs the MixColumns processing (step 334).
- AddRoundKey processing is performed by the AddRoundKey processing module 502 using the expanded key SK (step 341),
- SubBytes processing is performed by the SubBytes processing module 505 (step 342)
- ShiftRows processing is performed by the ShiftRows processing module 506 (step 343)
- MixColumns processing is performed by the MixColumns processing module 507 (step 344).
- AddRoundKey processing is performed using the expanded key SK by the AddRoundKey processing module 502 (step 351),
- SubBytes processing is performed by the SubBytes processing module 505 (step 352)
- ShiftRows processing is performed by the ShiftRows processing module 506 (step 353)
- AddRoundKey processing is performed by the AddRoundKey processing module 502 using the expanded key SK.
- Each Round process or FinalRound process includes AddRoundKey process 372, SubBytes process 373, ShiftRows process 374, and MixColumns process (or AddRoundKey process) 375.
- the AddRoundKey process 372 includes 16 exclusive OR operations 381, 382, 383,..., 384.
- the SubBytes process 373 includes 16 shift processes 385, 386, 387, ..., 388 and 16 modified S box reference processes 391, 392, 393, ..., 394.
- the 128-bit expanded key 361 is divided into 16 8-bit partial keys, and the 16 partial keys are output respectively to the 16 exclusive OR operations 381, 382, 383, ..., 384 of the AddRoundKey process 372 (steps 362, 363, 364, ..., 365).
- the 128-bit input data 371 is divided into 16 8-bit partial data, and the 16 partial data are output respectively to the 16 exclusive OR operations 381, 382, 383, ..., 384 of the AddRoundKey process 372.
- the exclusive OR operation 381 receives the first partial data (8 bits) and the first partial key (8 bits), performs an exclusive OR of the two to obtain 8-bit first operation data, and outputs the obtained first operation data to the shift process 385 of the SubBytes process 373.
- the shift process 385 receives the 8-bit first operation data, shifts it left by 3 bits and obtains 11-bit first shift data.
- the upper 8 bits of the first shift data are the same as the first operation data, and the lower 3 bits of the first shift data are "000" (binary representation).
- the obtained first shift data is output to the reference process 391 of the SubBytes process 373.
- the reference process 391 receives the first shift data and refers to the modified S box 511 using the received first shift data as an address to obtain an 8-bit first array element.
- the exclusive OR operation 382 performs an exclusive OR of the second partial data and the second partial key to obtain second operation data,
- the shift process 386 shifts the second operation data left by 3 bits to obtain second shift data,
- and the reference process 392 refers to the modified S box 511 using the second shift data as an address to obtain the second array element.
- the exclusive OR operation 383 performs an exclusive OR of the third partial data and the third partial key to obtain third operation data,
- the shift process 387 shifts the third operation data left by 3 bits to obtain third shift data,
- and the reference process 393 refers to the modified S box 511 using the third shift data as an address to obtain the third array element.
- likewise, the exclusive OR operation 384 performs an exclusive OR of the sixteenth partial data and the sixteenth partial key to obtain sixteenth operation data,
- the shift process 388 shifts the sixteenth operation data left by 3 bits to obtain sixteenth shift data,
- and the reference process 394 refers to the modified S box 511 using the sixteenth shift data as an address to obtain the sixteenth array element.
- ShiftRows processing 374 is performed on the data generated in this way, followed by MixColumns processing (or AddRoundKey processing) 375, and the resulting 128-bit output data 376 is generated and output.
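The SubBytes construction described above (a 256 x 8 table with S[xx] at the head of each 64-bit row, referenced by shifting each 8-bit partial block left by 3 bits) and the cache line layout of FIG. 12, as an added Python example that is not code from the patent: it builds the standard S box, builds the modified S box for a row width of 8 (and for the multiply-by-16 variant), runs AES-128 with the shifted-address lookup against the FIPS-197 test vector, and counts the 64-bit cache lines that one SubBytes touches. The key schedule uses the standard S box, which the patent does not specify for the KeySchedule processing module, and the cache model (256 direct-mapped lines of 8 bytes, table at offset 0) is an assumption.

```python
FILLER = 0xFF  # the "meaningless" value placed in columns 2..8 of the modified S box

def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def build_standard_sbox():
    """Standard S box 380 (FIPS-197): GF(2^8) inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):          # x^254 == x^-1 for x != 0, and 0 for x == 0
            inv = _gf_mul(inv, x)
        s = inv
        for _ in range(4):            # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

def build_modified_sbox(sbox, stride=8):
    """Modified S box 511: S[xx] at the head of row xx of a 256 x stride byte matrix,
    the other stride-1 bytes of the row set to FILLER (2048 bytes for stride 8)."""
    table = bytearray([FILLER]) * (256 * stride)
    for xx, value in enumerate(sbox):
        table[xx * stride] = value
    return bytes(table)

def sub_bytes_modified(state, mod_sbox, shift=3):
    """SubBytes as 16 (left shift, table reference) pairs: the shift turns an 8-bit
    partial block into an 11-bit address whose low 3 bits are 000 (times 8)."""
    return bytes(mod_sbox[b << shift] for b in state)

def shift_rows(s):
    # state is column-major, s[r + 4*c]; row r is rotated left by r positions
    return bytes(s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4))

def mix_columns(s):
    out = bytearray(16)
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (_gf_mul(a[r], 2) ^ _gf_mul(a[(r + 1) % 4], 3)
                              ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return bytes(out)

def add_round_key(s, rk):
    return bytes(x ^ k for x, k in zip(s, rk))

def expand_key(key, sbox):
    """FIPS-197 key schedule for a 128-bit key: 11 expanded keys, Nr = 10."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [sbox[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def aes128_encrypt_block(key, block, sbox, mod_sbox, shift=3):
    """Encryption main module 501: AddRoundKey, Nr-1 = 9 Round calls, one FinalRound."""
    rk = expand_key(key, sbox)
    s = add_round_key(block, rk[0])
    for r in range(1, 10):
        s = sub_bytes_modified(s, mod_sbox, shift)
        s = shift_rows(s)
        s = mix_columns(s)
        s = add_round_key(s, rk[r])
    s = sub_bytes_modified(s, mod_sbox, shift)   # FinalRound: no MixColumns
    return add_round_key(shift_rows(s), rk[10])

def sbox_lines_for(state, stride, line_bytes=8, n_lines=256):
    """Assumed cache model of data unit 175: 256 direct-mapped lines of 64 bits with
    the table at offset 0. Returns the lines touched by one SubBytes (16 references)."""
    return {(b * stride // line_bytes) % n_lines for b in state}

if __name__ == "__main__":
    SBOX = build_standard_sbox()
    MOD8 = build_modified_sbox(SBOX, 8)
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # FIPS-197 Appendix C.1 vector
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt, SBOX, MOD8).hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
    state = bytes(range(16))
    print(len(sbox_lines_for(state, 8)), len(sbox_lines_for(state, 1)))  # 16 2
```

With the standard 256-byte layout (stride 1) eight consecutive S box elements share one 64-bit line, whereas with the modified layout every element of the table sits in its own line, which is the property FIG. 12 illustrates.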
- the personal computer 200 is a computer system similar to the content server device 100 and, as shown in the figure, comprises a microprocessor 201, a hard disk unit 202, a memory unit 203, an input control unit 204, a display control unit 205, a communication unit 206 and others.
- the input control unit 204 and the display control unit 205 are connected to a keyboard 207 and a monitor 208, respectively.
- the communication unit 206 is connected to the Internet 20.
- since the digital broadcast receiving device 200a and the BD reproducing device 200b have the same configuration as the personal computer 200, their description is omitted.
- the hard disk unit 202 has an area for storing an encrypted content 221 and stores a key 222, a content reception program 241, a content decryption program 242, a playback program 243 and an AES decryption program 244, as shown in the figure. The encrypted content 221 and the key 222 are associated with each other.
- the encrypted content 221 and the key 222 are the same as the encrypted content 126 and the key 123 stored in the hard disk unit 102 of the content server device 100, respectively.
- the content receiving program 241, the content decrypting program 242, the reproducing program 243 and the AES decrypting program 244 are loaded into the memory unit 203 under the control of the microprocessor 201 as the content receiving program 231, the content decrypting program 232, the reproducing program 233 and the AES decrypting program 234 respectively. These computer programs will be described later.
- the memory unit 203 stores a content reception program 231, a content decryption program 232, a playback program 233, and an AES decryption program 234. Further, the memory unit 203 includes a decrypted content area 236.
- Each of these programs is a computer program configured by combining a plurality of instruction codes in a machine language format.
- the machine language form is a form that is decoded and executed by the microprocessor 201.
- decrypted content generated by decrypting the encrypted content is temporarily written into the decrypted content area 236.
- as before, each computer program is described below in ordinary language or as a flow chart rather than as machine-language instruction codes.
- the content receiving program 231 is configured from a plurality of instruction codes. It includes a plurality of instruction codes indicating that a designation of content is accepted from the user of the personal computer 200; a plurality of instruction codes indicating that a content identifier identifying the designated content is acquired and transmitted to the distribution server device 30a via the communication unit 206 and the Internet 20; a plurality of instruction codes indicating that the encrypted content identified by the content identifier is received from the distribution server device 30a via the Internet 20 and the communication unit 206; and a plurality of instruction codes indicating that the received encrypted content is written to the hard disk unit 202, for example as the encrypted content 221.
- the content decryption program 232 includes instruction code groups S211, S212, S213, S214, S215, S216, S217 and S218, arranged in this order in the content decryption program 232.
- Each instruction code group includes one or more instruction codes.
- the instruction code group S211 includes a plurality of instruction codes indicating that the user of the personal computer 200 accepts designation of any of the encrypted contents stored in the hard disk unit 202.
- the instruction code group S212 includes a plurality of instruction codes indicating that the reproduction program 233 stored in the memory unit 203 is called. By executing the instruction code group S212, as a result, the content decryption program 232 and the reproduction program 233 are executed in parallel.
- the instruction code group S213 includes a plurality of instruction codes indicating that the value "-128" is substituted as an initial value into a read point, which indicates in bits the position of data within the designated encrypted content, and that the key corresponding to the designated encrypted content is then read from the hard disk unit 202.
- the instruction code group S214 includes a plurality of instruction codes indicating that 128 bits are added to the read point and that an attempt is then made to read one block of data from the position in the encrypted content indicated by the updated read point; if the position indicated by the read point is within the encrypted content, one block of data is read from that position, and if it is outside the encrypted content, an end code indicating that block reading has been completed is output.
- one block is 128-bit data.
- the instruction code group S215 includes a plurality of instruction codes indicating that processing by the content decryption program 232 is terminated when the end code is output from the instruction code group S214, and that control is otherwise transferred to the next instruction code group S216.
- the instruction code group S216 includes a plurality of instruction codes indicating that the AES decryption program 234 is to be called with the read key and the read one block.
- the instruction code group S217 includes a plurality of instruction codes indicating that the one decrypted block generated by the AES decryption program 234 is to be written to the decrypted content area 236 of the memory unit 203.
- the instruction code group S218 includes an instruction code indicating that control is transferred to the instruction code group S214.
- the reproduction program 233 includes instruction code groups S218, S219 and S220, arranged in this order in the reproduction program 233.
- Each instruction code group includes one or more instruction codes.
- the instruction code group S218 includes a plurality of instruction codes indicating that one or more decrypted blocks are to be read from the decrypted content area 236 of the memory unit 203.
- the instruction code group S219 includes a plurality of instruction codes indicating that video data and audio data are generated from the read decrypted blocks, that the generated video data and audio data are converted into video signals and audio signals, and that these are output to the monitor 208 via the display control unit 205.
- the instruction code group S220 includes an instruction code indicating that control is transferred back to the instruction code group S218.
- the AES decryption program 234 comprises, as shown in the figure, an AddRoundKey processing module 602, an InvRound processing module 603, an InvFinalRound processing module 604, an InvSubBytes processing module 605, an InvShiftRows processing module 606, an InvMixColumns processing module 607, a KeySchedule processing module 608 and an inverse transform modified S box 611.
- Each module is a computer program composed of a combination of a plurality of machine-language instruction codes.
- the machine language form is a form that is decoded and executed by the microprocessor 201.
- the standard inverse transform S box 800, which is the table data array generally used for the inverse transform S box reference processing with 8-bit input and 8-bit output defined in AES decryption, is described using the array representation 801 and the array representation 802 shown in FIG. 19.
- the term "standard inverse transform S box" is not in general use; it is adopted here to distinguish this table from the inverse transform modified S box 611 used in the present embodiment.
- the array representation 801 and the array representation 802 in FIG. 19 both represent the standard inverse transform S box 800: the array representation 801 shows the sequence number (index) of each of the array elements included in the standard inverse transform S box 800,
- and the array representation 802 shows the specific value of each of those array elements.
- the array representation 801 arranges the array element indices in a matrix of 16 rows x 16 columns for convenience of expression, and the array representation 802 likewise arranges the specific values of the array elements in a matrix of 16 rows x 16 columns. An array element at a given position in the matrix of the array representation 801 corresponds to the specific value at the same position in the matrix of the array representation 802.
- the standard inverse transform S box 800 includes 256 array elements 811, 812, 813, ..., 814, ..., 815, 816, 817, ..., 818.
- Each array element is 8-bit data and is expressed as "InvS[XX]".
- "InvS" is the array name indicating an array element,
- and the number XX enclosed in [] following "InvS" is the array element number identifying the array element.
- each array element number is represented by a hexadecimal number.
- The inverse transformation modified S-box 611 is composed of 2048 array elements 831, 841, 842, 843, 844, 845, 846, 847, 832, ..., 833, ..., 834, ..., 835, ..., 836, ..., 837, ..., 838, ..., arranged for convenience of expression in a matrix of 256 rows × 8 columns.
- The 256 array elements 831, 832, 833, 834, ..., 835, 836, 837, 838 of the first column hold the values InvS[00], InvS[01], InvS[02], InvS[03], ..., InvS[fc], InvS[fd], InvS[fe], InvS[ff], respectively. These values are the same as those included in the standard inverse transformation S-box 800 described above.
- The 256 array elements of the second column each hold the value "0xff" ("0x" indicates that the number following it is written in hexadecimal), and so does each array element of the third to eighth columns.
- That is, of every eight consecutively arranged array elements, the leading one has the same value as an array element of the standard inverse transformation S-box 800 and the other seven have the meaningless value "0xff".
- The decryption main module 601 includes instruction code groups S231, S232, S233, S234, S235, and S236, arranged in this order in the decryption main module 601. Each instruction code group includes one or more instruction codes.
- The instruction code group S231 includes a plurality of instruction codes indicating that the AddRoundKey processing module 602 is called, which performs AddRoundKey processing as an operation between the input ciphertext block and an expanded key generated from the encryption key.
- The instruction code group S232 includes a plurality of instruction codes indicating that a counter is initialized to zero. This counter controls the repetition in the decryption main module 601.
- The instruction code group S233 includes a plurality of instruction codes indicating that the InvRound processing module 603, which performs the InvRound processing described later, is called.
- The instruction code group S234 includes a plurality of instruction codes indicating that "1" is added to the counter.
- The instruction code group S235 includes a plurality of instruction codes indicating that it is determined whether the counter has reached the predetermined number of repetitions "Nr-1"; if the counter is not "Nr-1", the process returns to the instruction code group S233, and if it is "Nr-1", the process proceeds to the next instruction code group S236.
- The number of rounds "Nr" depends on the bit length of the key: Nr = 10 when the key length is 128 bits, Nr = 12 when it is 192 bits, and Nr = 14 when it is 256 bits.
- The instruction code group S236 includes a plurality of instruction codes indicating that the InvFinalRound processing module 604, which performs the InvFinalRound processing described later, is called.
- The InvRound processing module 603 includes instruction code groups S241, S242, S243, and S244, arranged in this order in the InvRound processing module 603. Each instruction code group includes one or more instruction codes.
- The instruction code group S241 includes a plurality of instruction codes indicating that the InvShiftRows processing module 606, which performs the InvShiftRows processing, is called.
- The instruction code group S242 includes a plurality of instruction codes indicating that the InvSubBytes processing module 605, which performs the InvSubBytes processing composed of 16 table reference operations, is called.
- The instruction code group S243 includes a plurality of instruction codes indicating that the AddRoundKey processing module 602, which performs the AddRoundKey processing described above, is called.
- The instruction code group S244 includes a plurality of instruction codes indicating that the InvMixColumns processing module 607, which performs the InvMixColumns processing, is called.
- In the InvSubBytes processing, the left shift and the reference to the inverse transformation modified S-box 611 are performed on each of the 16 partial block data, 16 pieces of 8-bit data are generated, and the generated 16 pieces of 8-bit data are concatenated to generate and output 128-bit block data.
- The InvSubBytes processing module 605 includes instruction code groups S251, S252, S253, S254, S255, S256, ..., S257, and S258, arranged in this order in the InvSubBytes processing module 605. Each instruction code group includes one or more instruction codes.
- The instruction code group S251 includes a plurality of instruction codes indicating that the first partial block data of the 16 partial block data is shifted left by 3 bits to generate 11-bit data.
- The instruction code group S252 includes a plurality of instruction codes indicating that the 11-bit data generated by the instruction code group S251 is used as an address into the inverse transformation modified S-box 611, that the 8-bit data stored at the position addressed by the 11-bit data is read from the inverse transformation modified S-box 611, and that the read 8-bit data is output.
- The instruction code groups S253, S255, ..., S257 each include a plurality of instruction codes similar to the instruction code group S251; they differ from the instruction code group S251 in that the second, third, ..., 16th partial block data of the 16 partial block data, respectively, are shifted.
- The instruction code groups S254, S256, ..., S258 each include a plurality of instruction codes similar to the instruction code group S252; they differ from the instruction code group S252 in that the output of the instruction code groups S253, S255, ..., S257, respectively, is used.
- The InvFinalRound processing module 604 includes instruction code groups S261, S262, and S263, arranged in this order in the InvFinalRound processing module 604. Each instruction code group includes one or more instruction codes.
- The instruction code group S261 includes a plurality of instruction codes indicating that the InvShiftRows processing module 606, which performs the InvShiftRows processing, is called.
- The instruction code group S262 includes a plurality of instruction codes indicating that the InvSubBytes processing module 605, which performs the InvSubBytes processing, is called.
- The instruction code group S263 includes a plurality of instruction codes indicating that the AddRoundKey processing module 602, which performs the AddRoundKey processing, is called.
- The AddRoundKey processing module 602, the InvShiftRows processing module 606, the InvMixColumns processing module 607, and the KeySchedule processing module 608 perform the AddRoundKey processing, InvShiftRows processing, InvMixColumns processing, and KeySchedule processing, respectively, as specified in AES; since these processes are as specified in AES, they are not described here.
- The microprocessor 201, like the microprocessor 101, includes an arithmetic unit, a cache unit, and other units. The cache unit is composed of a data unit 175 and other units, and the data unit is composed of 256 cache line units, each having a 64-bit memory area.
- The microprocessor 201 has the same configuration as the microprocessor 101, and its arithmetic unit, cache unit, and other units are as described above.
- The cache line unit 181b holds the array element 851 "InvS[00]", the array element 861 "0xff", the array element 862 "0xff", the array element 863 "0xff", the array element 864 "0xff", the array element 865 "0xff", the array element 866 "0xff", and the array element 867 "0xff". In the other cache line units too, an array element of the standard inverse transformation S-box 800 is stored at the beginning and "0xff" is stored in the other positions.
- The decryption operation by the AES decryption program 234 is composed of a key scheduling step 702, an AddRoundKey processing step 704, and ten round steps 705, 706, ..., 707, 708.
- The KeySchedule processing module 608 generates eleven expanded keys SK from the input key K 701 (step 702), and the AddRoundKey processing module 602 performs the AddRoundKey processing using an expanded key SK (step 704).
- In the first InvRound step, the InvShiftRows processing module 606 performs the InvShiftRows processing (step 721), the InvSubBytes processing module 605 performs the InvSubBytes processing (step 722), the AddRoundKey processing module 602 performs the AddRoundKey processing using the expanded key SK (step 723), and the InvMixColumns processing module 607 performs the InvMixColumns processing (step 724).
- The subsequent InvRound steps proceed in the same way: InvShiftRows by the InvShiftRows processing module 606 (step 731), InvSubBytes by the InvSubBytes processing module 605 (step 732), AddRoundKey with the expanded key SK by the AddRoundKey processing module 602 (step 733), and InvMixColumns by the InvMixColumns processing module 607 (step 734); then InvShiftRows (step 741), InvSubBytes (step 742), AddRoundKey with the expanded key SK (step 743), and InvMixColumns (step 744); and so on.
- In the InvFinalRound step, the InvShiftRows processing module 606 performs the InvShiftRows processing (step 751), the InvSubBytes processing module 605 performs the InvSubBytes processing (step 752), and the AddRoundKey processing module 602 performs the AddRoundKey processing using the expanded key SK (step 753).
- As shown in FIG., each InvRound process or InvFinalRound process includes an InvShiftRows process 771, an InvSubBytes process 772, and an AddRoundKey process 773.
- The InvSubBytes process 772 includes 16 shift processes 781, 782, 783, ..., 784 and 16 reference processes 785, 786, 788, ..., 789 of the inverse transformation modified S-box 611. The AddRoundKey process 773 includes 16 exclusive OR operations 791, 792, 793, ..., 794.
- The 128-bit expanded key 761 is divided into 16 8-bit partial keys, and the 16 partial keys are input to the 16 exclusive OR operations 791, 792, 793, ..., 794 of the AddRoundKey process 773, respectively (steps 762, 763, 764, ..., 765).
- The InvShiftRows process 771 outputs 128-bit block data, which is divided into 16 pieces of 8-bit partial data; the partial data are output to the 16 shift processes 781, 782, 783, ..., 784 of the InvSubBytes process 772, respectively.
- The shift process 781 receives the first partial data (8 bits) and shifts it left by 3 bits to obtain 11-bit first shift data. The upper 8 bits of the first shift data are the same as the first partial data, and its lower 3 bits are "000" (binary). The first shift data is output to the reference process 785.
- The reference process 785 receives the first shift data, uses it as an address to refer to the inverse transformation modified S-box 611, obtains the 8-bit first array element, and outputs it to the exclusive OR operation 791 of the AddRoundKey process 773.
- The exclusive OR operation 791 receives the first array element (8 bits) and the first partial key (8 bits) and computes their exclusive OR to obtain 8-bit first operation data.
- Likewise, the shift process 782 shifts the second partial data (8 bits) left by 3 bits to obtain 11-bit second shift data; the reference process 786 uses the second shift data as an address to refer to the inverse transformation modified S-box 611 and obtains the 8-bit second array element; and the exclusive OR operation 792 computes the exclusive OR of the second array element and the second partial key to obtain 8-bit second operation data.
- The shift process 783 shifts the third partial data (8 bits) left by 3 bits to obtain 11-bit third shift data; the reference process 788 uses the third shift data as an address to refer to the inverse transformation modified S-box 611 and obtains the 8-bit third array element; and the exclusive OR operation 793 computes the exclusive OR of the third array element and the third partial key to obtain 8-bit third operation data.
- The shift process 784 shifts the 16th partial data (8 bits) left by 3 bits to obtain 11-bit 16th shift data; the reference process 789 uses the 16th shift data as an address to refer to the inverse transformation modified S-box 611 and obtains the 8-bit 16th array element; and the exclusive OR operation 794 computes the exclusive OR of the 16th array element and the 16th partial key to obtain 8-bit 16th operation data.
- The AES encryption program 133 may include a modified S-box 911 shown in FIG. 28 instead of the modified S-box 511. In this case the AES encryption program 133 includes a SubBytes processing module 505a (not shown) instead of the SubBytes processing module 505; the SubBytes processing module 505a performs a 2-bit left shift instead of the 3-bit left shift.
- The modified S-box 911 is composed of 1024 array elements 921, 931, 932, 933, 922, 934, 935, 936, 923, ..., 924, ..., 925, ..., 926, ..., 927, ..., 928, ..., arranged for convenience of expression in a matrix of 128 rows × 8 columns.
- The 128 array elements 921, 923, ..., 925, 927 of the first column hold the values S[00], S[02], S[04], S[06], ..., S[f8], S[fa], S[fc], S[fe], respectively, which are the same as those included in the standard S-box 380 described above.
- The 128 array elements of the second column each hold the value "0xff" ("0x" indicates that the number following it is hexadecimal), and so does each array element of the third and fourth columns.
- The 128 array elements 922, 924, ..., 926, 928 of the fifth column hold the values S[01], S[03], S[05], S[07], ..., S[f9], S[fb], S[fd], S[ff], respectively, again the same as in the standard S-box 380.
- The 128 array elements of the sixth column, and those of the seventh and eighth columns, each hold the value "0xff".
- In other words, the first column holds the even-numbered array elements of the standard S-box 380, the fifth column holds the odd-numbered ones, and the second to fourth and sixth to eighth columns hold "0xff". Of every four consecutively arranged array elements, the first has the same value as an array element of the standard S-box 380 and the other three have the meaningless value "0xff".
- Because it is hard to show all 16 2-bit left shift processes and 16 reference processes of the modified S-box 911, FIG. 29 shows only one set 901 consisting of one left shift process 902 and one reference process 903.
- The 2-bit left shift and the reference to the modified S-box 911 are performed on each of the 16 partial block data; the resulting 16 pieces of 8-bit data are concatenated to generate and output 128-bit block data.
- Each partial block data is quadrupled by the 2-bit left shift. Since in the modified S-box 911 the first of every four consecutively arranged array elements is the valid element S[XX], referring to the modified S-box 911 with the quadrupled value as the address yields only valid array elements S[XX].
- For the same reason, the SubBytes processing module 505a may include a multiplication by four instead of the 2-bit left shift.
- The contents of the modified S-box 911 are stored as they are in the cache line units 181c, 182c, 183c, 184c, ... from the head of the data unit 175c. That is, the cache line unit 181c stores the array element 941 "S[00]", the array element 951 "0xff", the array element 952 "0xff", the array element 953 "0xff", the array element 942 "S[01]", the array element 954 "0xff", the array element 955 "0xff", and the array element 956 "0xff". In the other cache line units too, array elements of the standard S-box 380 are stored in the first and fifth positions and "0xff" in the other positions.
- The first array element of the 128 cache line units 182c, 183c, 184c, ... holds the array elements 943 "S[02]", ... of the standard S-box 380, respectively, and the fifth array element holds the array elements 944 "S[03]", ... of the standard S-box 380, respectively.
- The same may be applied to decryption: the AES decryption program 234 may include an inverse transformation modified S-box configured like the modified S-box 911 of FIG. 28 instead of the inverse transformation modified S-box 611, in which case the InvSubBytes processing module 605 of the AES decryption program 234 performs a 2-bit left shift instead of the 3-bit left shift.
- The AES encryption program 133 may include a modified S-box 1011 shown in FIG. 31 instead of the modified S-box 511. In this case the AES encryption program 133 includes a SubBytes processing module 505b (not shown) instead of the SubBytes processing module 505; the SubBytes processing module 505b performs a 1-bit left shift followed by addition of the value "1" in mod 512 instead of the 3-bit left shift.
- The modified S-box 1011 has 512 array elements 1041, 1031, 1042, 1032, 1043, 1033, 1044, 1034, ..., 1035, ..., 1036, ..., 1037, ..., 1038, ..., arranged for convenience of expression in a matrix of 64 rows × 8 columns.
- The 64 array elements 1031, ..., 1035 of the second column hold the values S[00], S[04], S[08], S[0c], ..., S[f0], S[f4], S[f8], S[fc], respectively, which are the same as those included in the standard S-box 380 described above.
- The 64 array elements 1032, ..., 1036 of the fourth column hold the values S[01], S[05], S[09], S[0d], ..., S[f1], S[f5], S[f9], S[fd], respectively, again the same as in the standard S-box 380.
- The 64 array elements 1033, ..., 1037 of the sixth column hold the values S[02], S[06], S[0a], S[0e], ..., S[f2], S[f6], S[fa], S[fe], respectively, the same as in the standard S-box 380.
- The 64 array elements 1034, ..., 1038 of the eighth column hold the values S[03], S[07], S[0b], S[0f], ..., S[f3], S[f7], S[fb], S[ff], respectively, the same as in the standard S-box 380.
- The 64 array elements of the first column each hold the value "0xff" ("0x" indicates that the number following it is hexadecimal), and so does each array element of the third, fifth, and seventh columns.
- That is, of every two consecutively arranged array elements, the first has the meaningless value "0xff" and the second has the same value as an array element of the standard S-box 380.
- Each partial block data is shifted left by one bit and the value "1" is added in mod 512 for the following reason: in the modified S-box 1011 the valid array element S[XX] is the second of every two consecutively arranged array elements, so using the data obtained by doubling each partial block data and adding "1" as the address, and referring to the modified S-box 1011 with it, yields only valid array elements S[XX].
- For the same reason, the SubBytes processing module 505b may include a multiplication by two instead of the 1-bit left shift.
- More generally, if another modified S-box places the valid array element S[XX] at, for example, the fourth of every eight consecutively arranged array elements, then the data obtained by multiplying each partial block data by 8 and adding "3" is used as the address, and referring to that modified S-box with it yields only valid array elements S[XX].
- The contents of the modified S-box 1011 are stored as they are in the 64 cache line units 181d, 182d, 183d, 184d, ... from the head of the data unit 175d. The cache line unit 181d stores the array element 1061 "0xff", the array element 1051 "S[00]", the array element 1062 "0xff", the array element 1052 "S[01]", the array element 1063 "0xff", the array element 1053 "S[02]", the array element 1064 "0xff", and the array element 1054 "S[03]".
- In the other cache line units too, the second, fourth, sixth, and eighth array elements store array elements of the standard S-box 380 and the other array elements store "0xff": the second array element of the cache line units 182d, 183d, 184d, ... stores the array elements "S[04]", "S[08]", "S[0c]", ..., "S[f0]", "S[f4]", "S[f8]", "S[fc]" of the standard S-box 380, respectively; the fourth stores "S[05]", "S[09]", "S[0d]", ..., "S[f1]", "S[f5]", "S[f9]", "S[fd]"; the sixth stores "S[06]", "S[0a]", "S[0e]", ..., "S[f2]", "S[f6]", "S[fa]", "S[fe]"; and the eighth stores "S[07]", "S[0b]", "S[0f]", ..., "S[f3]", "S[f7]", "S[fb]", "S[ff]".
- Thus each cache line unit of the data unit 175d stores only four array elements of the standard S-box 380.
- The same may be applied to decryption: the AES decryption program 234 may include an inverse transformation modified S-box configured like the modified S-box 1011 of FIG. 31 instead of the inverse transformation modified S-box 611, in which case the InvSubBytes processing module 605 of the AES decryption program 234 performs a 1-bit left shift followed by addition of the value "1" in mod 512 instead of the 3-bit left shift.
- The AES encryption program 133 may include a modified S-box 1121 shown in FIG. 34 instead of the modified S-box 511. In this case the AES encryption program 133 includes a SubBytes processing module 505c (not shown) instead of the SubBytes processing module 505; the SubBytes processing module 505c performs a multiplication in mod 256 instead of the 3-bit left shift.
- The modified S-box 1121 has 256 array elements 1131, 1132, 1133, ..., arranged for convenience of expression in a matrix of 32 rows × 8 columns.
- The eight array elements 1131, ..., 1138 of the first row hold the values S[0], S[81], S[162], S[243], S[68], S[149], S[230], S[55], respectively, which are the same as those included in the standard S-box 380 described above. Here, and in the rest of this modification, the array number XX in S[XX] is written in decimal.
- The eight array elements 1139, ..., 1146 of the second row hold the values S[136], S[217], S[42], S[123], S[204], S[29], S[110], S[191], respectively, again the same as in the standard S-box 380.
- Each array element of the third to 32nd rows likewise holds an array element of the standard S-box 380; in the modified S-box 1121 of FIG. 34, the array elements of the third to 32nd rows are omitted from the drawing.
- The array elements of the standard S-box 380 are placed in the modified S-box 1121 according to the following rule.
- For each of the 256 integer input values A (0, 1, 2, ..., 255), A × 177 mod 256 is calculated. Each input value A and its calculation result are shown in the correspondence table 1122 of FIG. 35; for reasons of space, the table shows only part of the results.
- The array element of the standard S-box 380 stored in the array element 1131 with array number "0" of the modified S-box 1121 is determined as follows: the calculation result "0", equal to the array number "0", is searched for in the correspondence table 1122, the corresponding input value A "0" is obtained, and the array element S[0] whose array number is that input value is set as the value of the array element 1131.
- The array element stored in the array element 1132 with array number "1" is determined in the same way: the calculation result "1" is searched for in the correspondence table 1122, the corresponding input value A "81" is obtained, and S[81] is set as the value of the array element 1132.
- For the array element 1133 with array number "2": the calculation result "2" is searched for in the correspondence table 1122, the corresponding input value A "162" is obtained, and S[162] is set as the value of the array element 1133.
- The array elements included in the standard S-box 380 are arranged according to the rule above.
- The multiplier applied to the input value A is not limited to "177"; another odd value may be used. (An odd multiplier is coprime to 256, so A × m mod 256 maps the 256 input values one-to-one onto the 256 array numbers and every array number receives exactly one array element; an even multiplier would not.)
- The multiplication is performed in mod 256 because "256" is the number of values the data to be converted can take, which is determined by its bit length: the data to be converted is 8 bits, so it can take 256 values, and the multiplied value then also takes 256 values, the same as the data to be converted.
- FIG. 36 shows only one set 1101 consisting of one multiplication process 1102 and one reference process 1103 among the 16 multiplication processes and 16 reference processes.
- The multiplication in mod 256 and the reference to the modified S-box 1121 are performed on each of the 16 partial block data; the resulting 16 pieces of 8-bit data are concatenated to generate and output 128-bit block data.
- Each partial block data is multiplied by the value "177" for the following reason: the modified S-box 1121 was built by the rule above, so when each partial block data is multiplied by "177" in mod 256 and the product is used as the address to refer to the modified S-box 1121, the result is exactly the valid array element S[XX] corresponding to that partial block data.
- The contents of the modified S-box 1121 are stored as they are in the cache line units. The cache line unit 181e stores the eight array elements of the first row (the array element 1151 "S[0]", the array element 1152, ...), and the cache line unit 182e stores the eight array elements of the second row (the array element 1159 "S[136]", ..., the array element 1164 "S[29]", the array element 1165 "S[110]", ...).
- The same may be applied to decryption: the AES decryption program 234 may include an inverse transformation modified S-box configured like the modified S-box 1121 of FIG. 34 instead of the inverse transformation modified S-box 611.
- The AES encryption program 133 may include a modified S-box 1221 shown in FIG. 38 instead of the modified S-box 511. In this case the AES encryption program 133 includes a SubBytes processing module 505d (not shown) instead of the SubBytes processing module 505; the SubBytes processing module 505d performs a multiplication in mod 256 followed by a 1-bit left shift instead of the 3-bit left shift.
- The modified S-box 1221 is composed of 512 array elements 1231, 1241, 1232, 1242, 1233, 1243, 1234, 1244, 1235, ..., 1236, ..., 1237, ..., 1238, ..., arranged for convenience of expression in a matrix of 64 rows × 8 columns.
- Each array element S[XX] stored in the modified S-box 1121 of FIG. 34 is stored at every other position of the modified S-box 1221, keeping its order in the modified S-box 1121, and "0xff" is stored between these array elements.
- The eight array elements 1231, 1241, 1232, 1242, 1233, 1243, 1234, 1244 of the first row of the modified S-box 1221 hold the value S[0], "0xff", the value S[81], "0xff", the value S[162], "0xff", the value S[243], and "0xff", respectively; S[0], S[81], S[162], S[243] are the first four array elements of the first row of the modified S-box 1121 of FIG. 34.
- The eight array elements 1235, ..., 1236, ..., 1237, ..., 1238, ... of the second row of the modified S-box 1221 hold the value S[68], "0xff", the value S[149], "0xff", the value S[230], "0xff", the value S[55], and "0xff", respectively; S[68], S[149], S[230], S[55] are the last four array elements of the first row of the modified S-box 1121 of FIG. 34. In S[XX], XX is again written in decimal.
- The multiplication in mod 256, the 1-bit left shift, and the reference to the modified S-box 1221 are performed on each of the 16 partial block data; the resulting 16 pieces of 8-bit data are concatenated to generate and output 128-bit block data.
- Each partial block data is multiplied by the value "177" for the reason described in the modification (4), and the 1-bit left shift is performed for the reason described in the modification (2): each partial block data is multiplied by "177" in mod 256, the product is shifted left by 1 bit to obtain shift data, and referring to the modified S-box 1221 with the shift data as the address yields the valid array element S[XX] appropriately corresponding to that partial block data.
- The SubBytes processing module 505d may include a multiplication by two instead of the 1-bit left shift.
- The contents of the modified S-box 1221 are stored as they are in the 64 cache line units 181f, 182f, ... from the head of the data unit 175f; each cache line unit of the data unit 175f stores the eight array elements of one row of the modified S-box 1221.
- The same may be applied to decryption: the AES decryption program 234 may include an inverse transformation modified S-box configured like the modified S-box 1221 of FIG. 38 instead of the inverse transformation modified S-box 611, in which case the InvSubBytes processing module 605 of the AES decryption program 234 performs a multiplication by the value "177" in mod 256 followed by a 1-bit left shift instead of the 3-bit left shift.
- The AES encryption program 133 may include a modified S box 1311 shown in FIG. 41 instead of the modified S box 511.
- In this case the AES encryption program 133 includes a SubBytes processing module 505e (shown in the figure) instead of the SubBytes processing module 505.
- The SubBytes processing module 505e performs a multiplication in mod 256, a 1-bit left shift and an addition in mod 512 instead of the 3-bit left shift.
- The modified S box 1311 is composed of 512 array elements 1331, 1321, 1332, 1322, 1333, 1323, 1334, 1324, ..., 1325, ..., 1326, ..., 1327, ..., 1328, ...
- For convenience of expression, the array elements constituting the modified S box 1311 are arranged in a matrix of 64 rows × 8 columns.
- The eight array elements 1331, 1321, 1332, 1322, 1333, 1323, 1334 and 1324 in the first row hold "0xff", the value S[0], "0xff", the value S[81], "0xff", the value S[162], "0xff" and the value S[243], respectively.
- The values S[0], S[81], S[162] and S[243] are the same as the first four array elements in the first row of the modified S box 1121 shown in FIG. 34.
- The value "1" is added to each generated 9-bit shifted data to generate a 9-bit added value (step S1304).
- The generated 9-bit added value is used to refer to the modified S box 1311, and 8-bit data is output (step 1305).
- Each partial block data is multiplied by the value "177" as described in modification (4).
- The 1-bit left shift is performed as described in modification (2).
- The addition in mod 512 is as described in modification (2).
- Each partial block data is multiplied by the value "177" in mod 256, and the resulting product is shifted left by 1 bit to obtain shifted data.
- The value "1" is then added to the obtained shifted data in mod 512 to obtain an added value, and by referring to the modified S box 1311 using the obtained added value as an address, the valid array element S[XX] that correctly corresponds to each partial block data is obtained.
- The SubBytes processing module 505e may perform a multiplication by 2 instead of the 1-bit left shift.
- The contents of the modified S box 1311 are stored as they are in the 64 cache line units 181g, 182g, ... from the beginning of the data unit 175g.
- The cache line unit 181g stores the array element 1351 "0xff", the array element 1341 "S[0]", the array element 1352 "0xff", the array element 1342 "S[81]", the array element 1352 "0xff", the array element 1343 "S[162]", the array element 1353 "0xff" and the array element 1344 "S[243]".
- Each cache line unit of the data unit 175g stores the eight array elements contained in one row of the modified S box 1311.
- The same may be applied to the AES decryption program 234 as described above.
- That is, the AES decryption program 234 may include, instead of the inverse-transform modified S box 611, an inverse-transform modified S box configured in the same manner as the modified S box 1311 shown in FIG. 41.
- In that case the InvSubBytes processing module 605 of the AES decryption program 234 performs a multiplication by the value "177" in mod 256, a 1-bit left shift and an addition of the value "1" in mod 512 instead of the 3-bit left shift.
- The AES encryption program 133 may include a modified S box 1421 shown in FIG. 44 and a modified S box 1441 shown in FIG. 45 instead of the modified S box 511.
- In this case the AES encryption program 133 includes a SubBytes processing module 505f (shown in the figure) instead of the SubBytes processing module 505. The details of the SubBytes processing module 505f are described later.
- The modified S box 1421 is composed of 256 array elements 1431, 1432, 1433, 1434, 1435, 1436, 1437, 1438, ...
- The modified S box 1421 is the same as the modified S box 1121 shown in FIG. 34, so its description is omitted here.
- The modified S box 1441 is generated on a concept similar to that of the modified S box 1121 shown in FIG. 34 and, as shown in FIG. 45, is composed of 256 array elements 1451, 1452, 1453, 1454, 1455, 1456, 1457, 1458, ... These array elements are identified by the array numbers "0", "1", "2", "3", ..., "255".
- For convenience of expression, the array elements constituting the modified S box 1441 are arranged in a matrix of 32 rows × 8 columns.
- The eight array elements 1451, ..., 1458 in the first row hold the values S[0], S[133], S[10], S[143], S[20], S[153], S[30] and S[163], respectively.
- S[0], S[133], S[10], S[143], S[20], S[153], S[30] and S[163] are the same as the corresponding values contained in the standard S box 380 described above.
- In S[XX], XX is a decimal number.
- The eight array elements in the second row hold the values S[40], S[173], S[50], S[183], S[60], S[193], S[70] and S[203], respectively.
- The values S[40], S[173], S[50], S[183], S[60], S[193], S[70] and S[203] are the same as the corresponding values contained in the standard S box 380 described above. Again, in S[XX], XX is a decimal number.
- The array elements in the third to 32nd rows are likewise array elements contained in the standard S box 380 described above. However, in the modified S box 1441 of FIG. 45, the display of the array elements in the third to 32nd rows is omitted.
- Each of the array elements stored in the standard S box 380 is stored in the modified S box 1441 according to the rule described below.
- This arrangement rule is similar to the arrangement rule of the modified S box 1121 shown in FIG. 34.
- The correspondence table 1442 shown in FIG. 46 associates each of the 256 input values B with the calculation result of B × 77 mod 256. For reasons of space, the correspondence table 1442 shown in FIG. 46 displays only part of the calculation results rather than those for all values of B; the rest are omitted.
- The array element of the standard S box 380 stored in the array element 1451 indicated by the array number "0" of the modified S box 1441 is determined as follows.
- The calculation result "0" having the same value as the array number "0" is searched for in the correspondence table 1442, and the input value B "0" corresponding to that calculation result is obtained.
- The array element S[0] whose array number is the obtained input value B "0" is set as the value of the array element 1451 indicated by the array number "0" of the modified S box 1441.
- The array element of the standard S box 380 stored in the array element 1452 indicated by the array number "1" of the modified S box 1441 is determined as follows. The calculation result "1" having the same value as the array number "1" is searched for in the correspondence table 1442, and the input value B "133" corresponding to that calculation result is obtained. Next, the array element S[133] whose array number is the obtained input value B "133" is set as the value of the array element 1452 indicated by the array number "1" of the modified S box 1441.
- The array element of the standard S box 380 stored in the array element 1453 indicated by the array number "2" of the modified S box 1441 is determined as follows.
- The calculation result "2" having the same value as the array number "2" is searched for in the correspondence table 1442, and the input value B "10" corresponding to that calculation result is obtained.
- The array element S[10] whose array number is the obtained input value B "10" is set as the value of the array element 1453 indicated by the array number "2" of the modified S box 1441.
- The remaining array elements contained in the standard S box 380 are arranged according to the same rule.
- The random number R takes either the value "0" or the value "1" (step 14).
- If the value of the generated random number R is "0", the partial block data is multiplied by the value "177" in mod 256 (step 1406), generating an 8-bit product. Next, the generated 8-bit product is used to refer to the modified S box 1421, and 8-bit data is output (step 1407).
- If the value of the generated random number R is "1", the partial block data is multiplied by the value "77" in mod 256 (step 1408), generating an 8-bit product. Next, the generated 8-bit product is used to refer to the modified S box 1441, and 8-bit data is output (step 1409).
- The multiplication by 177 or 77 in mod 256 and the reference to the modified S box 1421 or 1441 are performed on each of the 16 partial block data.
- As a result, 16 pieces of 8-bit data are generated.
- The 16 generated pieces of 8-bit data are concatenated to generate 128-bit block data, which is output.
- In this way, each partial block data is multiplied by the value "177" or by the value "77" in mod 256 according to the generated random number.
- By referring to the modified S box 1421 or 1441 with the product, the valid array element S[XX] corresponding to each partial block data is obtained.
- FIG. 48 shows, as the data unit 175h, an example in which the contents of the modified S box 1421 are stored in the cache line units 181, 182, ... of the data unit 175 by the SubBytes processing described above.
- FIG. 49 shows, as the data unit 175i, an example in which the contents of the modified S box 1441 are stored.
- The same may be applied to the AES decryption program 234 stored in the memory unit 203 of the personal computer 200 as described above. That is, the AES decryption program 234 may include, instead of the inverse-transform modified S box 611, an inverse-transform modified S box configured in the same manner as the modified S box 1421 shown in FIG. 44 and an inverse-transform modified S box configured in the same manner as the modified S box 1441 shown in FIG. 45.
- In that case the InvSubBytes processing module 605 of the AES decryption program 234 performs the processing of the steps shown in FIG. 47 instead of the 3-bit left shift.
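The following Python program is an added example for this page, not the patent's own code; its function names (build_permuted_box, lookup_1221, sub_bytes and so on) are the example's own. It constructs the standard S box, builds the modified S boxes 1121/1421, 1441, 1221 and 1311 from the arrangement rules stated above (multipliers 177 and 77, dummy value 0xff, one dummy after or before every valid element), and checks for all 256 inputs that each lookup variant, including the random choice between boxes 1421 and 1441, still returns the standard SubBytes value. It goes slightly beyond the text in one respect: it shows why the first rows read S[0], S[81], S[162], ... and S[0], S[133], S[10], ...: storing S[B] at array number B·m mod 256 means array number i holds S[i·m⁻¹ mod 256], and 81 and 133 are the inverses of 177 and 77 modulo 256.

```python
"""Added example (not the patent's own code): build the modified S boxes
described above from the stated arrangement rules and check that every
lookup variant still returns the standard AES SubBytes value."""
import secrets

MULT_A = 177   # multiplier used with boxes 1121 / 1421 / 1221 / 1311 (from the page)
MULT_B = 77    # multiplier used with box 1441 (from the page)
DUMMY = 0xFF   # dummy value that does not occur in the standard S box (from the page)


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 maps to 0 as in the AES definition."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if _gf_mul(a, x) == 1)


def build_standard_sbox() -> list:
    """Standard S box 380: GF(2^8) inverse followed by the AES affine map."""
    box = []
    for a in range(256):
        v = _gf_inv(a)
        s = 0x63
        for k in range(5):                       # v ^ rotl(v,1) ^ ... ^ rotl(v,4)
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        box.append(s)
    return box


def inverse_mod_256(mult: int) -> int:
    """Inverse of an odd multiplier modulo 256 (177 -> 81, 77 -> 133)."""
    return pow(mult, -1, 256)


def build_permuted_box(sbox: list, mult: int) -> list:
    """Arrangement rule of boxes 1121 and 1441: S[B] goes to array number
    (B * mult) mod 256, so array number i holds S[i * mult^-1 mod 256]."""
    box = [None] * 256
    for b in range(256):
        box[(b * mult) % 256] = sbox[b]
    if None in box:                              # only odd multipliers are bijective
        raise ValueError("multiplier must be odd")
    return box


def build_interleaved_box(box256: list, dummy_first: bool) -> list:
    """Boxes 1221 (dummy after each element) and 1311 (dummy before each)."""
    box = []
    for v in box256:
        box.extend((DUMMY, v) if dummy_first else (v, DUMMY))
    return box


def rows(box: list, width: int = 8) -> list:
    """Split a box into the 8-element rows of the figures (one per cache line unit)."""
    return [box[i:i + width] for i in range(0, len(box), width)]


SBOX = build_standard_sbox()
BOX_1121 = build_permuted_box(SBOX, MULT_A)      # box 1421 has the same contents
BOX_1441 = build_permuted_box(SBOX, MULT_B)
BOX_1221 = build_interleaved_box(BOX_1121, dummy_first=False)
BOX_1311 = build_interleaved_box(BOX_1121, dummy_first=True)


def lookup_1221(b: int) -> int:
    """Multiply by 177 mod 256, shift left 1 bit (9-bit address), reference box 1221."""
    return BOX_1221[((b * MULT_A) % 256) << 1]


def lookup_1311(b: int) -> int:
    """As above, then add 1 in mod 512 so the address lands on a valid element."""
    return BOX_1311[((((b * MULT_A) % 256) << 1) + 1) % 512]


def lookup_random(b: int, r=None) -> int:
    """Random choice: box 1421 with multiplier 177 (R = 0) or box 1441 with 77 (R = 1)."""
    if r is None:
        r = secrets.randbits(1)
    if r == 0:
        return BOX_1121[(b * MULT_A) % 256]
    return BOX_1441[(b * MULT_B) % 256]


LOOKUPS = {"1221": lookup_1221, "1311": lookup_1311, "random": lookup_random}


def sub_bytes(block: bytes, variant: str) -> bytes:
    """SubBytes over one 128-bit block using the chosen modified S box."""
    if len(block) != 16:
        raise ValueError("block must be 16 bytes")
    return bytes(LOOKUPS[variant](b) for b in block)


if __name__ == "__main__":
    sample = bytes(range(0x50, 0x60))             # constructed sample block
    for name in LOOKUPS:
        assert sub_bytes(sample, name) == bytes(SBOX[b] for b in sample)
    print("row 0 of box 1221:", [hex(x) for x in rows(BOX_1221)[0]])
```

rows() groups a box into the eight-element rows of FIG. 38, 41 and 45, which is also how the text maps rows onto cache line units, so it makes visible which valid elements share a line in each layout. The equality checks against SBOX are the regression test a reviewer would run before trusting any rearranged table: a wrong multiplier or an off-by-one in the address computation silently corrupts SubBytes without any other symptom.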
- The AES encryption program 133 may include a SubBytes processing module 1501 shown in FIG. 50 instead of the SubBytes processing module 505.
- In the SubBytes processing module 1501, the S box reference operation is performed 16 times as in the normal SubBytes processing. In addition, before or after each S box reference operation (FIG. 50 shows the latter case), a process that erases all array elements stored in the data unit 175 of the cache unit 162 is performed.
- As a method for erasing the data stored in the cache unit 162, there is a method using a special instruction (in the case of a Pentium (registered trademark), the "INVD" instruction or the "WBINVD" instruction), and a method of accessing data on the memory unit 103 that is unrelated to the cryptographic processing so that the data is copied into the cache unit 162 and evicts the array elements already present in the cache unit 162.
- Specifically, the S box reference process is performed (step S301), and then the array elements stored in the cache unit 162 are erased by the method described above (step S302).
- In steps S303 to S314, as in steps S301 and S302, the erasure of the array elements stored in the cache unit 162 is repeated after the i-th S box reference process (i is a natural number from 2 to 16).
- The case of calling the cache clear processing after (or before) every access to an array element of the S box is not limiting.
- For example, the cache clear processing may be provided after each of the 16 table reference operations only for certain values of the round counter, and need not be performed for the other counter values (from 1 to Nr-2). This takes advantage of the fact that the amount of computation required to estimate the key from a SubBytes process close to the plaintext or ciphertext (for example, the first round or the (Nr-1)-th round) is smaller than the amount of computation required to estimate the key from a SubBytes process far from the plaintext and ciphertext (for example, the (Nr-1)/2-th round).
- The processor included in the device that executes the computer program is not limited to the configuration shown in the figure.
- For example, instead of the cache unit 162, the microprocessor 101 may include a primary cache unit 162a that is faster and has a smaller capacity, and a secondary cache unit 162b that is slower and has a larger capacity.
- In this case, the arithmetic unit 161 first reads data from the primary cache unit 162a, and if the data is not in the primary cache unit 162a, reads it from the secondary cache unit 162b.
- There are thus three cases: a table element is obtained from the primary cache unit 162a, a table element is obtained from the secondary cache unit 162b, and a table element is obtained from the memory unit 103.
- The microprocessor 101 may further include a tertiary cache unit and the like.
- In the above description, the microprocessor is provided with the cache unit.
- However, the present invention is not limited to this.
- The computer system may instead be configured to include a microprocessor, a cache unit and a memory unit.
- In the above description, the modified S box 511 is assumed to be included in the AES encryption program 133.
- However, the present invention is not limited to this.
- Each module (computer program) included in the AES encryption program 133 and the modified S box 511 may constitute separate data sets (files). The same applies to the AES decryption program 134.
- Each modified S box is not limited to including "0xff" as the dummy data that does not exist in the standard S box. It may include other data instead of "0xff".
- For example, each modified S box may include a random number generated by a random number generator instead of "0xff", or may include data that exists in the standard S box.
- In the above description, the round processing module 503 includes the instruction code groups S131, S132, S133 and S134, which are arranged in this order in the round processing module 503 and executed in this order.
- However, the present invention is not limited to this.
- For example, a modified round processing module may include the instruction code groups S132, S133, S134 and S131, arranged in this order in the modified round processing module and executed in this order.
- In that case, the encryption main module calls the instruction code group S131 and then calls the modified round processing module a predetermined number of times.
- In the above description, the cache unit of the microprocessor 101 is assumed to have 64-bit cache line units.
- However, the bit length of the cache line unit is not limited to this.
- Cache line units of another length may be provided. In this case as well, the above description can be realized.
- The case where AES is applied as the encryption algorithm is not limiting.
- The invention may be applied to other encryption algorithms such as DES (Data Encryption Standard).
- The present invention is not only applicable to encryption and decryption. Specifically, it may be used for purposes such as information tampering checks and digital signatures.
- Specifically, each of the above devices is a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, a display unit, a keyboard, a mouse, and the like.
- A computer program is stored in the RAM or the hard disk unit.
- The computer program is configured by combining a plurality of instruction codes indicating instructions to the computer in order to achieve a predetermined function.
- Each device achieves its function by the microprocessor operating according to the computer program. That is, the microprocessor reads each instruction included in the computer program one by one, decodes the read instruction, and operates according to the decoding result.
- A system LSI is a super-multifunctional LSI manufactured by integrating a plurality of components on a single chip.
- Specifically, it is a computer system including a microprocessor, a ROM, a RAM, and the like.
- The RAM stores a computer program. The system LSI achieves its function by the microprocessor operating according to the computer program.
- A part or all of the constituent elements of each of the above devices may be constituted by an IC card detachable from each device or by a single module.
- The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like.
- The IC card or the module may include the super-multifunctional LSI described above. The IC card or the module achieves its function by the microprocessor operating according to the computer program. This IC card or this module may be tamper resistant.
- The present invention may be the methods described above. Further, the present invention may be a computer program that realizes these methods on a computer, or a digital signal consisting of the computer program.
- The present invention may also be a computer-readable recording medium on which the computer program or the digital signal is recorded, for example a flexible disk, hard disk, CD-ROM, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc), semiconductor memory, or the like. Further, the present invention may be the computer program or the digital signal recorded on such a recording medium.
- The computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, data broadcasting, or the like.
- The present invention may be a computer system including a microprocessor and a memory, wherein the memory stores the computer program and the microprocessor operates according to the computer program.
- The program or the digital signal may be recorded on the recording medium and transferred, or transferred via the network or the like, so that it may be implemented by another independent computer system.
- Since the computer system according to the present invention can increase resistance to timing attacks that observe the processing time, it can be used in a business-wise manner, and continuously and repeatedly, in any industry that needs to handle information confidentially. Further, each device constituting the present invention can be manufactured and sold in the electric appliance manufacturing industry in a business-wise manner and continuously and repeatedly.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP05730638A EP1764698A1 (en) | 2004-04-26 | 2005-04-15 | Computer system and computer program executing encryption or decryption |
US11/578,837 US8054967B2 (en) | 2004-04-26 | 2005-04-15 | Computer system and computer program executing encryption or decryption |
JP2006512522A JP4701166B2 (ja) | 2004-04-26 | 2005-04-15 | Computer system and computer program for performing encryption or decryption |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004129284 | 2004-04-26 | ||
JP2004-129284 | 2004-04-26 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005103908A1 true WO2005103908A1 (ja) | 2005-11-03 |
Family
ID=35197160
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/007319 WO2005103908A1 (ja) | 2004-04-26 | 2005-04-15 | Computer system and computer program for performing encryption or decryption |
Country Status (5)
Country | Link |
---|---|
US (1) | US8054967B2 (ja) |
EP (1) | EP1764698A1 (ja) |
JP (1) | JP4701166B2 (ja) |
CN (1) | CN100416519C (ja) |
WO (1) | WO2005103908A1 (ja) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011175039A (ja) * | 2010-02-23 | 2011-09-08 | Toshiba Corp | Encryption device and decryption device |
JP2013246678A (ja) * | 2012-05-28 | 2013-12-09 | Kddi Corp | Storage device, storage medium, access pattern concealment method, and program |
US20180316499A1 (en) * | 2017-04-28 | 2018-11-01 | Samsung Sds Co., Ltd. | Apparatus and method for performing operation being secure against side channel attack |
US11119930B2 (en) | 2018-06-06 | 2021-09-14 | Fujitsu Limited | Arithmetic processing apparatus and control method for arithmetic processing apparatus |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2838210B1 (fr) * | 2002-04-03 | 2005-11-04 | Gemplus Card Int | Cryptographic method protected against hidden channel type attacks |
GB0211812D0 (en) * | 2002-05-23 | 2002-07-03 | Koninkl Philips Electronics Nv | S-box encryption in block cipher implementations |
US7664173B2 (en) * | 2004-06-07 | 2010-02-16 | Nahava Inc. | Method and apparatus for cached adaptive transforms for compressing data streams, computing similarity, and recognizing patterns |
JP4989055B2 (ja) * | 2005-08-31 | 2012-08-01 | 株式会社富士通ビー・エス・シー | Character code encryption processing program and character code encryption processing method |
US20080052530A1 (en) * | 2006-02-16 | 2008-02-28 | International Business Machines Corporation | System and method to provide CPU smoothing of cryptographic function timings |
US8607350B2 (en) * | 2006-03-30 | 2013-12-10 | International Business Machines Corporation | Sovereign information sharing service |
JP5060119B2 (ja) * | 2006-12-19 | 2012-10-31 | 株式会社富士通ビー・エス・シー | Cryptographic processing program, cryptographic processing method, and cryptographic processing device |
US7949130B2 (en) | 2006-12-28 | 2011-05-24 | Intel Corporation | Architecture and instruction set for implementing advanced encryption standard (AES) |
JP4962335B2 (ja) * | 2008-02-04 | 2012-06-27 | 富士通株式会社 | Method for restoring embedded data |
US8280040B2 (en) * | 2009-02-04 | 2012-10-02 | Globalfoundries Inc. | Processor instructions for improved AES encryption and decryption |
US8958554B2 (en) * | 2009-11-30 | 2015-02-17 | Red Hat, Inc. | Unicode-compatible stream cipher |
DE102010010851A1 (de) * | 2010-03-10 | 2011-09-15 | Giesecke & Devrient Gmbh | Protection against spying-out during the execution of an operation sequence in a portable data carrier |
CN101887397B (zh) * | 2010-06-03 | 2011-12-28 | 复旦大学 | Hardware improvement structure resistant to time-driven cache attacks |
JP5755970B2 (ja) * | 2011-08-26 | 2015-07-29 | 株式会社東芝 | Arithmetic device |
US9239926B2 (en) | 2012-06-29 | 2016-01-19 | International Business Machines Corporation | Static analysis for discovery of timing attack vulnerabilities in a computer software application |
US9411735B2 (en) * | 2014-04-15 | 2016-08-09 | International Business Machines Corporation | Counter-based wide fetch management |
CN104811445B (zh) * | 2015-04-20 | 2018-03-27 | 深圳市文鼎创数据科技有限公司 | Method and system for timing attack security evaluation |
JP6187624B1 (ja) * | 2016-03-17 | 2017-08-30 | 富士電機株式会社 | Information processing device, information processing method, and program |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004120307A (ja) * | 2002-09-26 | 2004-04-15 | Nec Corp | Encryption device and encryption program |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5497494A (en) * | 1993-07-23 | 1996-03-05 | International Business Machines Corporation | Method for saving and restoring the state of a CPU executing code in protected mode |
US5860106A (en) * | 1995-07-13 | 1999-01-12 | Intel Corporation | Method and apparatus for dynamically adjusting power/performance characteristics of a memory subsystem |
US5765194A (en) * | 1996-05-01 | 1998-06-09 | Hewlett-Packard Company | Timing consistent dynamic compare with force miss circuit |
US6061449A (en) * | 1997-10-10 | 2000-05-09 | General Instrument Corporation | Secure processor with external memory using block chaining and block re-ordering |
US6523118B1 (en) * | 1998-06-29 | 2003-02-18 | Koninklijke Philips Electronics N.V. | Secure cache for instruction and data protection |
DE69935913T2 (de) * | 1998-07-02 | 2008-01-10 | Cryptography Research Inc., San Francisco | Leak-resistant updating of an indexed cryptographic key |
US7599491B2 (en) * | 1999-01-11 | 2009-10-06 | Certicom Corp. | Method for strengthening the implementation of ECDSA against power analysis |
US7360252B1 (en) * | 1999-04-30 | 2008-04-15 | Macrovision Corporation | Method and apparatus for secure distribution of software |
EP1247186B1 (de) * | 2000-01-11 | 2007-10-17 | Infineon Technologies AG | Memory access method and circuit arrangement |
US7310706B1 (en) * | 2001-06-01 | 2007-12-18 | Mips Technologies, Inc. | Random cache line refill |
US7739521B2 (en) * | 2003-09-18 | 2010-06-15 | Intel Corporation | Method of obscuring cryptographic computations |
2005
- 2005-04-15 JP JP2006512522A patent/JP4701166B2/ja not_active Expired - Fee Related
- 2005-04-15 WO PCT/JP2005/007319 patent/WO2005103908A1/ja active Application Filing
- 2005-04-15 CN CNB2005800213863A patent/CN100416519C/zh not_active Expired - Fee Related
- 2005-04-15 EP EP05730638A patent/EP1764698A1/en not_active Withdrawn
- 2005-04-15 US US11/578,837 patent/US8054967B2/en not_active Expired - Fee Related
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011175039A (ja) * | 2010-02-23 | 2011-09-08 | Toshiba Corp | Encryption device and decryption device |
JP2013246678A (ja) * | 2012-05-28 | 2013-12-09 | Kddi Corp | Storage device, storage medium, access pattern concealment method, and program |
US20180316499A1 (en) * | 2017-04-28 | 2018-11-01 | Samsung Sds Co., Ltd. | Apparatus and method for performing operation being secure against side channel attack |
US10812260B2 (en) * | 2017-04-28 | 2020-10-20 | Samsung Sds Co., Ltd. | Apparatus and method for performing operation being secure against side channel attack |
US11119930B2 (en) | 2018-06-06 | 2021-09-14 | Fujitsu Limited | Arithmetic processing apparatus and control method for arithmetic processing apparatus |
Also Published As
Publication number | Publication date |
---|---|
JPWO2005103908A1 (ja) | 2007-08-30 |
EP1764698A1 (en) | 2007-03-21 |
JP4701166B2 (ja) | 2011-06-15 |
US8054967B2 (en) | 2011-11-08 |
CN100416519C (zh) | 2008-09-03 |
CN1977250A (zh) | 2007-06-06 |
US20070237326A1 (en) | 2007-10-11 |
Similar Documents
Publication | Title |
---|---|
JP4701166B2 (ja) | Computer system and computer program for performing encryption or decryption |
Kulsoom et al. | An efficient and noise resistive selective image encryption scheme for gray images based on chaotic maps and DNA complementary rules |
Zhang et al. | Chaotic image encryption based on circular substitution box and key stream buffer |
JP6017501B2 (ja) | Cryptographic system |
US6917684B1 (en) | Method of encryption and decryption with block number dependant key sets, each set having a different number of keys |
JP5985123B1 (ja) | Secure search system, management device, secure search method, and secure search program |
JP4828517B2 (ja) | Program conversion device and program execution device |
KR20010067121A (ko) | Expanded key generator, encryption/decryption device, expanded key generation method, and storage medium |
JP2001274786A (ja) | Content information transmission method, content information recording method, content information transmission device, content information recording device, transmission medium, and recording medium |
US7434898B2 (en) | Computer system, computer program, and addition method |
Wong et al. | Embedding compression in chaos-based cryptography |
CA2717622A1 (en) | White-box implementation |
CN110190951B (zh) | Power consumption attack method and system targeting L register flipping in the DES algorithm |
Alvarez et al. | Analysis of security problems in a medical image encryption system |
JP2007507742A (ja) | Information transmission system, encryption device, and decryption device |
KR20180110550A (ko) | White-box cryptographic method and device for preventing side-channel analysis |
JP5060079B2 (ja) | Cryptographic processing program |
Mohamad | Data hiding by using AES Algorithm |
Corpuz et al. | A modified approach of Blowfish algorithm based on S-box permutation using shuffle algorithm |
Tu et al. | Protecting secret documents via a sharing and hiding scheme |
Adebayo et al. | Data Privacy System Using Steganography and Cryptography |
JP2007189597A (ja) | Encryption device and encryption method, and decryption device and decryption method |
JP2007171412A (ja) | Key generation device, encryption device, decryption device, multiplicative knapsack cryptosystem, multiplicative knapsack cipher decryption method, and program |
JP2002023624A (ja) | Block cipher communication method and device, and recording medium storing a block cipher communication program |
WO2023242955A1 (ja) | Secure information processing system, secure information processing method, and secure information processing program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 11578837, Country of ref document: US; Ref document number: 2007237326, Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 2006512522, Country of ref document: JP |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2005730638, Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 200580021386.3, Country of ref document: CN |
| WWP | Wipo information: published in national office | Ref document number: 2005730638, Country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 11578837, Country of ref document: US |