WO2006025416A1 - Cryptographic processing device, cryptographic processing method, and computer program - Google Patents
- Publication number
- WO2006025416A1 (PCT/JP2005/015815)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- matrix
- square mds
- linear transformation
- function
- processing
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
Definitions
- The present invention relates to a cryptographic processing device, a cryptographic processing method, and a computer program. More specifically, it relates to a cryptographic processing device, a cryptographic processing method, and a computer program with improved resistance to linear analysis and differential analysis, which are known as cryptanalytic attack processing.
- Background art
- Systems have been put into practical use in which an encryption processing module is embedded in a small device such as an IC card, and authentication processing or encryption and decryption of transmitted and received data is performed when data is exchanged between the IC card and a reader/writer acting as a data reading and writing device.
- Encryption methods include public key cryptosystems, in which the encryption key and the decryption key are set as different keys, for example a public key and a secret key, and common key cryptosystems, in which the encryption key and the decryption key are set as a common key.
- Common key cryptosystems have various algorithms. One of them generates multiple keys based on the common key and repeatedly executes data conversion processing in block units (64 bits, 128 bits, etc.) using the generated keys. A typical algorithm using such a key generation method and data conversion processing is the common key block cipher.
- Common key block cipher algorithms, represented by DES, can be divided mainly into a round function part that performs conversion of input data and a key schedule part that generates the keys applied in each round of the round function (F function) part.
- The round key (sub key) applied in each round of the round function part is generated by the key schedule part from one master key (primary key) and applied in each round function part.
- differential analysis (also called differential cryptanalysis)
- linear analysis (also called linear cryptanalysis or linear attack)
- The present invention has been made in view of the above problems, and its purpose is to provide a cryptographic processing device, a cryptographic processing method, and a computer program that realize a common key block cipher algorithm highly resistant to linear analysis and differential analysis.
- the first aspect of the present invention provides
- the SPN type F function having a non-linear conversion unit and a linear conversion unit is configured to repeatedly execute multiple rounds.
- the linear transformation unit of the F function corresponding to each of the plurality of rounds performs a linear transformation process on the n-bit and total mn-bit inputs output from each of the m non-linear transformation units by square MDS (
- the matrix constituted by m column vectors arbitrarily selected from the column vectors constituting the inverse matrices $La^{-1}$, $Lb^{-1}$ is a square MDS matrix.
- the algorithm of the Feistel type common key block cryptographic processing is a cryptographic processing algorithm having 2r rounds, and the linear conversion unit of the F function performs a linear transformation process in which q different square MDS matrices, 2 ⁇ q ⁇ r, are applied sequentially and repeatedly in all r even rounds and all r odd rounds.
- each of the plurality of different square MDS matrices applied in the linear transformation unit of the F function is a square MDS matrix such that the matrix composed of m column vectors arbitrarily selected from the column vectors constituting the plurality of square MDS matrices is linearly independent.
- each of the plurality of different square MDS matrices applied in the linear transformation unit of the F function is a square MDS matrix such that the matrix composed of m column vectors arbitrarily selected from the column vectors constituting the plurality of square MDS matrices is also a square MDS matrix.
- each of the plurality of different square MDS matrices applied in the linear transformation unit of the F function is a matrix composed of column vectors extracted from a matrix M′, which is composed of row vectors selected from a square MDS matrix M that includes all elements constituting the plurality of square MDS matrices.
- the second aspect of the present invention provides:
- An encryption processing method for executing Feistel type common key block encryption processing, in which the SPN type F function that performs nonlinear transformation processing and linear transformation processing is repeatedly executed for multiple rounds.
- the linear transformation processing of the F function corresponding to each of the plurality of rounds is executed, for the n-bit outputs of each of the m non-linear transformation sections (mn bits in total), as a linear transformation process applying a square MDS (Maximum Distance Separable) matrix. Different square MDS matrices La, Lb are applied at least in consecutive even-numbered rounds and in consecutive odd-numbered rounds, and the cryptographic processing method is characterized by executing the linear transformation process using square MDS matrices for which the matrix constituted by m column vectors arbitrarily selected from the column vectors constituting the inverse matrices $La^{-1}$, $Lb^{-1}$ is linearly independent.
- the method is characterized by executing a linear transformation process using square MDS matrices for which the matrix constituted by m column vectors arbitrarily selected from the column vectors constituting the inverse matrices $La^{-1}$, $Lb^{-1}$ is a square MDS matrix.
- the algorithm of the Feistel type common key block cryptographic processing is a cryptographic processing algorithm having 2r rounds, and the linear transformation processing of the F function is performed by applying q different square MDS matrices, 2 ⁇ q ⁇ r, sequentially and repeatedly in all r even rounds and all r odd rounds.
- each of the plurality of different square MDS matrices applied in the linear transformation processing of the F function is a square MDS matrix such that the matrix composed of m column vectors arbitrarily selected from the column vectors constituting the plurality of square MDS matrices is linearly independent.
- each of the plurality of different square MDS matrices applied in the linear transformation processing of the F function is a square MDS matrix such that the matrix composed of m column vectors arbitrarily selected from the column vectors constituting the plurality of square MDS matrices is also a square MDS matrix.
- each of the different square MDS matrices to be applied is a matrix composed of column vectors extracted from a matrix M′ constituted by row vectors selected from a square MDS matrix M that includes all elements constituting the plurality of square MDS matrices.
- the third aspect of the present invention provides
- the linear transformation processing of the F function corresponding to each of the plurality of rounds applies a square MDS (Maximum Distance Separable) matrix to the linear transformation processing for the n-bit and total mn-bit inputs output by each of the m non-linear transformation sections.
- a linear transformation step to be executed as a linear transformation process
- The computer program of the present invention is, for example, a computer program that can be provided to a computer system capable of executing various program codes by a storage medium or communication medium that supplies it in a computer-readable format, for example a recording medium such as a CD, FD, or MO, or a communication medium such as a network.
- A system is a logical group configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.
- The linear transformation process of the F function is executed as a linear transformation process applying a square MDS (Maximum Distance Separable) matrix, different square MDS matrices La, Lb are applied at least in consecutive even rounds and in consecutive odd rounds, and the matrix composed of m column vectors arbitrarily selected from the column vectors constituting the inverse matrices $La^{-1}$ and $Lb^{-1}$ is either linearly independent or a square MDS matrix. Because the linear transformation is executed using such square MDS matrices, resistance to linear attacks in common key block ciphers is improved, the difficulty of analysis increases, and highly secure encryption processing is realized.
- square MDS (Maximum Distance Separable)
- In Feistel-type common key block encryption processing that repeatedly executes, over a plurality of rounds, an SPN type F function having a non-linear conversion unit and a linear conversion unit, the linear transformation process of the F function corresponding to each round is executed as a linear transformation process using a square MDS (Maximum Distance Separable) matrix, and different square MDS matrices are applied at least in consecutive even rounds and in consecutive odd rounds. Because these square MDS matrices themselves are configured to be linearly independent or to constitute a square MDS matrix, it is guaranteed that simultaneous difference cancellation due to the contribution of active S-boxes does not occur, and the minimum number of active S-boxes in the entire cryptographic function, which is one of the strength indicators against differential attacks in common key block ciphers, can be increased. With this configuration, resistance against both linear attacks and differential attacks is improved, and more secure cryptographic processing is realized.
- FIG. 1 is a diagram showing a configuration of a typical common key block cipher having a Feistel structure.
- FIG. 2 is a diagram for explaining a configuration of an F function set as a round function part.
- FIG. 3 is a diagram showing an example of a square matrix applied to the linear transformation process in the linear transformation unit.
- FIG. 5 is a diagram for explaining a specific example in which linear transformation using a square matrix is performed in the linear transformation unit of the F function to generate an F function output difference ΔYi.
- FIG. 7 is a diagram for explaining the definition of arbitrary-stage simultaneous difference cancellation in a common key block cipher.
- FIG. 8 shows an example of a square MDS matrix.
- FIG. 9 is a diagram for explaining an example of setting a square MDS matrix as a linear transformation matrix of the F function of each round in the common key block cipher processing algorithm according to the present invention.
- FIG. 10 is a flowchart for explaining a square MDS matrix setting processing sequence as a linear transformation matrix of an F function in each round in the common key block cipher processing algorithm according to the present invention.
- FIG. 11 is a flow diagram illustrating a square MDS matrix generation processing example a1 that realizes improved resistance against differential attacks as a method of generating a square MDS matrix that is a linear transformation matrix set for the F function of each round.
- FIG. 12 is a flow diagram illustrating a square MDS matrix generation processing example a2 that realizes improved resistance to differential attacks as a method of generating a square MDS matrix that is a linear transformation matrix set for the F function of each round.
- FIG. 13 is a flow diagram illustrating a square MDS matrix generation processing example a3 that realizes improved resistance to differential attacks as a method of generating a square MDS matrix that is a linear transformation matrix set in the F function of each round.
- FIG. 14 is a diagram for explaining a specific method of generation example a3 of a square MDS matrix that is a linear transformation matrix set to the F function of each round.
- FIG. 15 is a flow diagram illustrating a square MDS matrix generation processing example b1 that realizes improved resistance to linear attacks as a method of generating a square MDS matrix that is a linear transformation matrix set for the F function of each round.
- FIG. 16 is a flow diagram illustrating a square MDS matrix generation processing example b2 that realizes improved resistance to linear attacks as a method of generating a square MDS matrix that is a linear transformation matrix set for the F function of each round.
- FIG. 17 is a flow diagram illustrating an example of square MDS matrix generation processing that realizes improved resistance against differential attacks and linear attacks as a method of generating a square MDS matrix that is a linear transformation matrix set for the F function of each round.
- FIG. 18 is a diagram showing a configuration example of an IC module as a cryptographic processing device that executes cryptographic processing according to the present invention.
- the algorithm of the common key block cipher can be mainly divided into a round function part that performs conversion of input data and a key schedule part that generates a key to be applied in each round of the round function part.
- the key (sub key) applied in each round of the round function part is generated by being input to the key schedule part based on one master key (primary key) and applied in each round function part.
- A typical method of this common key encryption is DES (Data Encryption Standard), the US federal standard encryption method.
- a typical common key block cipher structure called a Feistel structure will be described with reference to FIG.
- the Feistel structure has a structure that converts plaintext into ciphertext by simple repetition of a conversion function.
- the plaintext length is 2mn bits. However, m and n are both integers.
- the 2 mn bits of plaintext is converted into two mn bits of input data P (Plain-Left) 101, P (Plain-Right
- The Feistel structure is expressed by repetition of a basic structure called a round function, and the data conversion function included in each round is called an F function 120.
- FIG. 1 shows a configuration example in which the F function (round function) 120 is repeated r stages.
- The mn-bit input data X and the mn-bit round key K 103 input from the key generation unit are input to the F function 120, and after the data conversion process in the F function 120, mn-bit data Y is output.
- The output is exclusive-ORed with the input data from the other previous stage (input data P in the first stage) in the exclusive OR part 104.
- FIG. 2 (a) is a diagram showing inputs and outputs to the F function 120 in one round
- FIG. 2 (b) is a diagram showing details of the configuration of the F function 120.
- the F function 120 has a so-called SPN type configuration in which a nonlinear conversion layer and a linear conversion layer are connected.
- the SPN type F function 120 has a plurality of S-boxes 121 for executing nonlinear transformation processing, as shown in FIG. 2 (b).
- The mn-bit input value X of the round function part is exclusive-ORed with the round key K input from the key schedule part, and the output is input to multiple (m) S-boxes 121 that each perform non-linear transformation processing on n bits.
- In each S-box, a nonlinear conversion process using a conversion table is executed.
- The mn-bit output value Z, which is the output data from the S-boxes 121, is input to the linear conversion unit 122, which performs linear conversion processing such as bit position replacement processing.
- The mn-bit output value Y is exclusive-ORed with the input data from the previous stage and used as the input value of the F function of the next round.
- The F function 120 shown in FIG. 2 has an input/output bit length of m × n (m, n: integers) bits. The nonlinear conversion layer has a configuration in which m S-boxes 121, each with n-bit input and output, are arranged in parallel, and the linear transformation unit 122 as the linear conversion layer executes linear transformation based on an m-th order square matrix whose elements lie in the extension field $GF(2^n)$ of GF(2) defined by an irreducible polynomial of degree n.
- FIG. 3 shows an example of a square matrix applied to the linear conversion process in the linear conversion unit 122.
- The m n-bit data Z[1], Z[2], ..., Z[m] output from the non-linear transformation unit (S-boxes 121) are linearly transformed by applying a predetermined square matrix 125, and Y[1], Y[2], ..., Y[m] are determined as the F function (round function) outputs. The linear operations on the matrix elements and each data item are performed over the predetermined extension field $GF(2^n)$ of GF(2).
- 64-bit data is divided into bytes and expressed as a vector, and each element is expressed in hexadecimal.
- the simultaneous difference cancellation in the F function having the three-stage configuration occurs, for example, based on the following setting mechanism of the data states 1 to 4.
- the data state generated by the mechanism described below is a data state that can be generated by setting a large number of differential input data, and can occur in the analysis of a key (round key) in so-called differential analysis.
- This data state means that such a data state can be obtained in the i-round by setting a large number of differential input data.
- The difference (34) is input to the first S-box ((S1) in Fig. 4), and (00) is the input difference for the second to eighth S-boxes.
- The output difference of an S-box with zero (00) input difference is zero (00).
- An S-box with zero (00) input difference has no effect and is called a non-active or inactive S-box.
- An S-box with a non-zero input difference (difference: 34 in the example in Figure 4) generates a nonlinear transformation result corresponding to the non-zero input difference as its output difference, and is called an active S-box.
- ΔYi = (98, c4, b4, d3, ac, 72, 0f, 32) as the F function output difference of round i is exclusive-ORed with an all-zero input in the exclusive OR unit 131 shown in FIG.
- The input difference to round i+1 is ΔXi+1.
- The output difference ΔYi+1 from the round i+1 F function has a non-zero value only at the position of the active S-box in round i.
- This data state can be obtained by setting a large number of differential input data.
- ΔYi+1 = (ad, 00, 00, 00, 00, 00, 00, 00, 00, 00), which has a non-zero value only at the position of the S-box (the first S-box (S1)) that had a non-zero difference value (difference: 34 in the example of FIG. 4) in round i. It should be noted that ad ≠ 00.
- ⁇ + 2 (98, c4, b4, d3, ac, 72, Of, 32),
- the minimum number of active S-boxes in the entire encryption function is known as one of the strength indicators against differential attacks.
- The example shows the occurrence of a pattern in which only the first S-box (S1) is an active S-box, but for the other S-boxes (S2 to S8) as well, it is possible to make only that S-box the active S-box by setting the input data of the differential analysis. By executing such a differential analysis process, it is possible to analyze the nonlinear transformation processing of each S-box and the round key input to the F function.
- For the F functions whose input runs from right to left, that is, when only rounds i and i+2 are considered as the rounds for counting active S-boxes, the number of active S-boxes is only 2. For the F functions whose input runs from left to right, the number of active S-boxes is 8 in round i+1, but because of simultaneous difference cancellation it becomes 0 in round i+3, so the analysis of the nonlinear transformation processing of each S-box by differential analysis becomes easy.
- The common key block cipher algorithm shown in Fig. 4 applies the same linear transformation matrix in the linear transformation unit of every round, and because of this configuration, simultaneous difference cancellation can be caused by only two active S-boxes, in particular in the F functions whose input runs from right to left. There is therefore a problem that the minimum number of active S-boxes does not increase sufficiently as the number of rounds increases, and the strength against differential attacks does not increase much.
- 64-bit data is divided into bytes and expressed as a vector, and each element is expressed in hexadecimal.
- the simultaneous difference cancellation in the F function having the five-stage configuration occurs, for example, based on the following setting mechanism of the data states 1 to 7.
- the data state generated by the mechanism described below is a data state that can be generated by setting a large number of differential input data, and can occur in the analysis of a key (round key) in so-called differential analysis.
- This data state means that such a data state can be obtained in the i-round by setting a large number of differential input data.
- The one active S-box (S1) that receives a non-zero input difference (34) generates the output difference (b7), and the other inactive S-boxes S2 to S8 generate an output difference (00) based on a zero input difference (00); these are used as the difference input of the linear conversion unit.
- ΔYi = (98, c4, b4, d3, ac, 72, 0f, 32) as the round i F function output difference is exclusive-ORed with an all-zero input in the exclusive OR unit 141 shown in FIG.
- the input difference to is ⁇ + 1.
- The output difference ΔYi+1 from the round i+1 F function has a non-zero value only at the position of the active S-box in round i.
- This data state can be obtained by setting a large number of differential input data.
- ⁇ + 1 (34, 00, 00, 00, 00, 00, 00, 00, 00), and the non-zero difference value (difference: 34 in the example of FIG. 6) as in the i round. It has a non-zero value only in the position of the S-box it has (first S box (S1)).
- The output difference of the active S-box (S1) in round i+4 matches the output difference of the active S-box (S1) in round i; that is, as shown in Fig. 6, the output difference of the active S-box (S1) in round i+4 is b7, which matches the output difference (b7) of the active S-box (S1) in round i.
- This data state can be obtained by setting a large number of differential input data.
- ⁇ + 3 (98, c4, b4, d3, ac, 72, Of, 32),
- ⁇ + 4 (98, c4, b4, d3, ac, 72, Of, 32),
- One of the strength indicators against differential attacks in common key block ciphers is the minimum number of active S-boxes in the entire cryptographic function, and the larger the minimum number of active S-boxes, the higher the resistance against differential attacks is judged to be.
- The differential analysis process requires that the person executing the analysis prepare input data (plain text) having a certain difference and analyze the corresponding output data (cipher text).
- The linear analysis process does not require input data (plain text) with a certain difference; it is performed on the basis of a predetermined amount or more of input data (plain text).
- The common key block cipher algorithm has S-boxes as a non-linear transformation unit, and there is no linear relationship between input data (plain text) and corresponding output data (cipher text).
- In linear analysis, the input and output of this S-box are linearly approximated, and the key is analyzed by narrowing down the candidate keys through analysis of the linear relationship between many input data (plaintext) and the corresponding output data (ciphertext).
- In linear analysis, it is not necessary to prepare input data with specific differences; analysis is possible by preparing a large number of plaintexts and the corresponding ciphertexts.
- the encryption processing algorithm of the present invention will be described below.
- the cryptographic processing algorithm of the present invention has a configuration with improved resistance to attacks such as the linear analysis and differential analysis described above, that is, a configuration in which the difficulty of key analysis is increased and the security is improved.
- One feature of the cryptographic processing algorithm according to the present invention is that it does not have a configuration in which a common processing (transformation matrix) is applied to a linear transformation unit configured as an F function in each round, as in the conventional DES algorithm.
- it has a configuration that executes linear transformation processing applying a different square MDS matrix to each of at least consecutive even-numbered rounds and consecutive odd-numbered rounds.
- The encryption processing algorithm according to the present invention uses the properties of square MDS (Maximum Distance Separable) matrices to achieve a structure in which simultaneous difference cancellation based on a small number of active S-boxes does not occur or is unlikely to occur, increases the minimum number of active S-boxes, and realizes common key block cipher processing that is more resistant to differential attacks. Alternatively, it has a configuration that increases the difficulty of linear analysis performed as a known plaintext attack.
- the cryptographic processing algorithm of the present invention has a structure of a typical common key block cipher called a Feistel structure having an SPN type F function described with reference to Figs.
- a structure that transforms plaintext into ciphertext or transforms ciphertext into plaintext by simple iteration over multiple rounds of an SPN-type F function with a linear transformation section is applied.
- the plaintext of 2mn bits is converted into two mnbits of data PL (Plain-Left) and PR (Plain-Right)
- the F function is executed in each round using this as an input value.
- The F function is an SPN type F function in which a non-linear conversion unit composed of S-boxes is connected with a linear transformation unit.
- A matrix selected from a plurality of different square MDS (Maximum Distance Separable) matrices is set, for each round, as the matrix for the linear transformation process applied in the linear transformation unit of the F function. Specifically, a square MDS matrix that is different in each of at least consecutive even-numbered rounds and consecutive odd-numbered rounds is applied.
- a square MDS matrix will be described.
- a square MDS matrix is a matrix that satisfies the following properties (a) and (b).
- a matrix that satisfies the above conditions (a) and (b) is called a square MDS matrix.
- Figure 8 shows an example of a square MDS matrix for the case where the input/output bit length of the F function executed in each round of the common key block cipher is m × n (m, n: integers) bits, the non-linear transformation part of the F function consists of m S-boxes with n-bit input and output, and the linear transformation part executes linear transformation based on an m-th order square matrix whose elements lie in the extension field $GF(2^n)$ of GF(2) defined by an irreducible polynomial of degree n.
- Equation 1 means that the sum of the number of non-zero elements hw(x) of the input data x linearly transformed by the square MDS matrix M and the number of non-zero elements hw(Mx) of the output data Mx is greater than the order m of the square MDS matrix.
- The name square MDS matrix comes from the fact that the right half of the standard form of the generator matrix of a square MDS code (Maximum Distance Separable Code) satisfies the above conditions.
- a method is proposed in which a matrix satisfying the condition of the square MDS matrix is used for the F function of each round, and a different matrix is set for each round. Specifically, a different square MDS matrix is applied to each of at least consecutive even rounds and consecutive odd rounds.
- the linear transformation matrix applied by the linear transformation unit in the j-th stage F function of the Feistel-type symmetric key block cipher processing configuration with 2r stages (rounds) is denoted MLTj.
- the Feistel type common key block cipher processing configuration with 2r stages (number of rounds) is used.
- a matrix selected from a plurality of different square MDS (Maximum Distance Separable) matrices is used as the matrix for the linear transformation process applied to the linear transformation part in the F function at each stage in the generation.
- q square MDS matrices L1, L2, ..., Lq, where q is less than or equal to r, are generated for a Feistel-type symmetric key block cipher processing configuration with 2r rounds
- as the matrices for the linear transformation processing applied in the linear transformation section of the odd-numbered F functions in the Feistel-type symmetric key block cipher processing configuration with 2r rounds, starting from the upper-stage F function,
- the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, ....
- starting from the lower-stage F function, the q square MDS matrices are likewise set repeatedly in the order L1, L2, ..., Lq, L1, L2, ....
- FIG. 9 shows a configuration example to which this setting is applied.
- the square MDS matrices (L1, L2, L3) set in the linear transformation part of the F function part of each round are shown as an example of the arrangement of three different square MDS matrices in the key block cipher processing configuration.
- FIG. 9 divides a 2mn-bit plaintext into two mn-bit data PL (Plain-Left) and PR (Plain-Right) and uses these as the input values for each round.
- the F function 401 in the first round and the F functions in the other rounds all have the configuration in which a nonlinear transformation unit consisting of S-boxes is connected to a linear transformation unit, as described with reference to Fig. 2.
- each F function indicates a square MDS matrix 402.
- L1, L2, and L3 represent three different types of square MDS matrices, each being the square MDS matrix applied to the linear transformation process in the linear transformation part of the respective F function.
- q is an integer of 2 or more.
- after the q m-th order square MDS matrices L1, L2, ..., Lq over GF(2^n) are generated in step S22, the following square MDS matrix setting process is executed.
- MLT1 = L1
- MLT2 = L3
- MLT3 = L2
- MLT4 = L2
- MLT5 = L3
- MLT6 = L1
- MLT9 = L2
- MLT10 = L2
- MLT11 = L3
- MLT12 = L1
- q square MDS matrices L1, L2, ..., Lq, where q is not more than r, are generated for the Feistel-type common key block cipher processing configuration with 2r stages (rounds), and for the odd-numbered stages the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, ... starting from the upper-stage F function.
- the q square MDS matrices can be set repeatedly in the order L1, L2, ..., Lq, L1, L2, ....
- step S103: it is checked whether any m columns taken from the qm columns included in the q m-th order square MDS matrices L1, L2, ..., Lq are linearly independent. If the check passes, go to step S103; otherwise return to step S101.
- the q m-th order square MDS matrices L1, L2, ..., Lq generated in this way are set, according to the processing of [Step S23] and [Step S24] described above with reference to FIG., as the matrices to be applied to the linear transformation process of the linear transformation part of the F function part of each stage of the Feistel-type common key block cipher processing configuration with 2r stages (rounds).
- the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, ....
- the square MDS matrix is a matrix that satisfies the following properties as described above.
- in step S102, linear independence was determined for any m columns taken from the qm columns included in the q m-th order square MDS matrices L1, L2, ..., Lq, but in the square MDS matrix generation process of this processing example a2, it is checked whether any m columns taken from the qm columns included in the q m-th order square MDS matrices L1, L2, ..., Lq form a square MDS matrix. In other words, a stricter check is executed.
- for the odd-numbered stages, the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, ... starting from the upper stage, and for the F functions of the even-numbered stages, the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, ... starting from the lower-stage F function.
- any m column vectors taken from the linear transformation matrices included in at least q consecutive F functions in the odd rounds of the cryptographic function form a square MDS matrix.
- m rows are arbitrarily selected and extracted from one qm-th order square MDS matrix M to form a matrix M′ of m rows and qm columns.
- An m-row, qm-column matrix M contains qm column vectors, which are divided into q groups consisting of m column vectors without duplication, and the column vectors included in each group.
- the m-th order square matrices L1, L2, ..., Lq are output as the square MDS matrices to be applied to a Feistel-type symmetric key block cipher with 2r rounds.
- m rows are arbitrarily selected and extracted from the qm-th order square MDS matrix M to form a matrix M′ with m rows and qm columns.
- m consecutive rows are selected.
- m arbitrarily spaced rows may also be selected and extracted from the square MDS matrix M to form a matrix M′ of m rows and qm columns.
- An m-row, qm-column matrix M contains qm column vectors that are arbitrarily divided into X groups of m column vectors without duplication, and the column vectors included in each group.
- it is set as the matrix to be applied to the linear transformation process of the linear transformation part of the F function part of each stage of the Feistel-type symmetric key block cipher processing configuration with 2r stages (rounds).
- the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, ... starting from the upper stage.
- the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, ....
- the processing example a3 is particularly effective when m and r become large, so that the time cost of the matrix determination methods of processing examples a1 and a2 described above becomes enormous and it is difficult to determine the matrices within a realistic time. Even in such a case, the square MDS matrix generation method of processing example a3 can perform the matrix generation processing in a relatively short time.
- step S402: determine whether any m columns taken from the qm columns included in the inverse matrices M1^-1, M2^-1, ..., Mq^-1 of the q m-th order square MDS matrices M1, M2, ..., Mq are linearly independent
- check whether any m columns taken from the qm columns included in the inverse matrices M1^-1, M2^-1, ..., Mq^-1 of the q m-th order square MDS matrices M1, M2, ..., Mq form a square MDS matrix. In other words, a stricter check is performed.
- a cryptographic processing algorithm resistant to differential attacks is realized by setting the square MDS matrices applied to the linear transformation in the linear processing unit of the F function through the processing described with reference to FIGS. 10 to 13, that is, by applying any one of the processing examples a1 (Fig. 11) to a3 (Fig. 13) described above. Likewise, a cryptographic algorithm resistant to linear attacks is realized by setting the square MDS matrices applied to the linear transformation in the linear processing unit of the F function through the processing described above with reference to FIGS. 10, 14, and 15, that is, by applying either of the processing examples b1 (FIG. 14) and b2 (FIG. 15) described above.
- q square MDS matrices are generated by any combination of the above and set as the matrices to be applied to the linear transformation process of the linear transformation part of the F function part of each stage of the Feistel-type symmetric key block cipher processing configuration with 2r stages.
- the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, ... starting from the upper stage.
- starting from the lower-stage F function, the q square MDS matrices are set repeatedly in the order L1, L2, ..., Lq, L1, L2, .... This setting enables cryptographic processing with improved resistance to differential attacks and linear attacks.
- Input: the number of required square MDS matrices q, the extension degree n, and the matrix size m; q m-th order square MDS matrices M1, M2, ..., Mq are randomly generated over GF(2^n).
- the q m-th order square MDS matrices L1, L2, ..., Lq are output as the square MDS matrices to be applied to a Feistel-type symmetric key block cipher with 2r rounds. Through the above process, q m-th order square MDS matrices L1, L2, ..., Lq are generated. Note that q ≤ r.
- the difficulty of analyzing both the differential attack and the linear attack is improved, and a highly secure cryptographic process in which the key analysis is difficult is realized.
- the example shown in FIG. 17 generates square MDS matrices by combining the processing example a2 and the processing example b2 described above.
- combining processing examples a1 and b1, a1 and b2, a2 and b1, a3 and b1, or a3 and b2 to generate q square MDS matrices, and setting them as the matrices applied to the linear transformation of the linear transformation part of the F function part of each stage of the Feistel-type symmetric key block cipher processing configuration with 2r stages (rounds), repeatedly in the order L1, L2, ..., Lq, L1, L2, ..., and for the even-numbered F functions repeatedly in the order L1, L2, ..., Lq, L1, L2, ..., likewise makes both differential attacks and linear attacks difficult to analyze, so that highly secure cryptographic processing in which key analysis is difficult can be realized.
- so far, for ease of understanding, the linear transformation matrix has been treated as an m × m matrix defined over GF(2^n) that performs a data transformation from mn bits to mn bits.
- the same effect against differential analysis and linear analysis is obtained even when an mn × mn matrix defined over GF(2) is used.
- any matrix over GF(2^n) corresponds one-to-one to a matrix over GF(2) that represents the same transformation. Therefore, the matrix over GF(2) can be said to be the more general representation.
- the number of rows and columns is mn, which is n times that of the matrix over GF(2^n).
- the first row of the matrix over GF(2^n) corresponds to the 1st to n-th rows of the matrix over GF(2), and the first column corresponds to the 1st to n-th columns.
- the i-th row corresponds to the (i-1)+1-th row to the (i-1)+n-th row
- the i-th column corresponds to the (i-1)+1-th column to the (i-1)+n-th column. Therefore, when a matrix defined over GF(2) is used, an operation that extracts rows or columns over GF(2^n) must be carried out as the corresponding operation of extracting the corresponding n rows or n columns.
- FIG. 18 shows a configuration example of the IC module 600 as a cryptographic processing apparatus that executes cryptographic processing.
- the above-described processing can be executed in, for example, various information processing apparatuses such as a PC, an IC card, a reader / writer, and the IC module 600 shown in FIG. 18 can be configured in these various devices.
- the CPU (Central Processing Unit) 601 shown in FIG. 18 is a processor that starts and ends encryption processing, controls data transmission and reception, controls data transfer between components, and executes various other programs.
- the memory 602 consists of a ROM (Read-Only Memory) that stores the programs executed by the CPU 601 and fixed data used as operation parameters, and a RAM (Random Access Memory) used as a storage area and work area for the programs executed in the processing of the CPU 601 and for parameters that change as appropriate during program processing.
- the memory 602 can be used as a storage area for key data and the like necessary for encryption processing.
- the data storage area is preferably configured as a tamper-resistant memory.
- the encryption processing unit 603 executes encryption processing, decryption processing, and the like according to, for example, the above-described Feistel type common key block encryption processing algorithm.
- the example shown here has the encryption processing means as an individual module; alternatively, instead of providing such an independent encryption processing module, the encryption processing program may be stored in the ROM, and the CPU 601 may be configured to read and execute the program stored in the ROM.
- the random number generator 604 executes random number generation processing necessary for generating a key necessary for encryption processing.
- the transmission / reception unit 605 is a data communication processing unit that performs data communication with the outside. For example, it performs data communication with a device such as a reader/writer, outputs the ciphertext generated in the IC module, or receives data input from a device such as an external reader/writer.
- the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium.
- the program can be stored (recorded) temporarily or permanently on a removable recording medium such as a flexible disk, CD-ROM (Compact Disc Read Only Memory), MO (Magneto optical) disk, DVD (Digital Versatile Disc), magnetic disk, or semiconductor memory.
- Such removable recording media can be provided as so-called packaged software.
- the program can be transferred wirelessly from a download site to the computer, or via a network such as a LAN (Local Area Network) or the Internet.
- the computer can receive the program transferred in this way and install it on a built-in recording medium such as a hard disk.
- the Feistel-type common key block cipher processing that repeatedly executes an SPN-type F function having a nonlinear conversion unit and a linear conversion unit over a plurality of rounds.
- the linear transformation process of the F function corresponding to each of the multiple rounds is executed as a linear transformation process to which a square MDS (Maximum Distance Separable) matrix is applied, and square MDS matrices La and Lb that differ from each other are applied at least in consecutive even rounds and in consecutive odd rounds. A matrix composed of m column vectors arbitrarily selected from the column vectors constituting the inverse matrices La^-1 and Lb^-1 of these square MDS matrices is linearly independent or constitutes a square MDS matrix. Because the linear transformation is performed with square MDS matrices having this property, resistance to linear attacks in common key block ciphers is improved and analysis of encryption keys and the like becomes more difficult, so that highly secure cryptographic processing is realized. The invention is therefore applicable to cryptographic processing devices that need to make key analysis difficult and that require security.
- in a Feistel-type common key block cipher process in which an SPN-type F function having a nonlinear conversion unit and a linear conversion unit is repeatedly executed over a plurality of rounds, the linear transformation of the F function corresponding to each of the plurality of rounds is executed as a linear transformation process to which a square MDS (Maximum Distance Separable) matrix is applied, a different square MDS matrix is applied at least in consecutive even rounds and in consecutive odd rounds, and these square MDS matrices themselves exhibit linear independence or constitute a square MDS matrix. This guarantees that simultaneous difference cancellation through the contribution of active S-boxes does not occur, and makes it possible to increase the minimum number of active S-boxes in the cryptographic function, which is one of the indicators of strength against differential attacks in common key block ciphers. With this configuration, resistance against both linear attacks and differential attacks is improved, and more secure cryptographic processing is realized. Therefore, the present invention can be applied to a cryptographic processing execution device that increases the difficulty of key analysis and requires security.
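The column checks of processing examples a1 and a2, the row-and-column split of processing example a3, and the odd/even assignment of L1, ..., Lq to MLT1, ..., MLT2r described above can be exercised with the following script. It is an added example, not code from the patent: it assumes GF(2^8) with the polynomial 0x11B, m = 4, q = 3, and a Cauchy matrix as the qm-th order square MDS matrix M, and all function names are hypothetical.

```python
from itertools import combinations

POLY = 0x11B  # assumed field: GF(2^8), x^8+x^4+x^3+x+1 (the page leaves n general)

# exp/log tables for GF(2^8) built from the generator 0x03
EXP, LOG = [0] * 510, [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _x
    LOG[_x] = _i
    _x ^= (_x << 1) ^ (POLY if _x & 0x80 else 0)  # multiply by 0x03

def gf_mul(a, b):
    return EXP[LOG[a] + LOG[b]] if a and b else 0

def gf_inv(a):
    return EXP[255 - LOG[a]]  # a must be non-zero

def nonsingular(rows):
    """Gaussian elimination over GF(2^8); True if the square matrix is invertible."""
    a = [list(r) for r in rows]
    k = len(a)
    for c in range(k):
        p = next((i for i in range(c, k) if a[i][c]), None)
        if p is None:
            return False
        a[c], a[p] = a[p], a[c]
        inv = gf_inv(a[c][c])
        for i in range(c + 1, k):
            f = gf_mul(a[i][c], inv)
            if f:
                a[i] = [x ^ gf_mul(f, y) for x, y in zip(a[i], a[c])]
    return True

def is_mds(M):
    """Square MDS test: every square submatrix is nonsingular
    (equivalent to hw(x) + hw(Mx) >= m + 1 for all non-zero x)."""
    m = len(M)
    return all(nonsingular([[M[i][j] for j in cs] for i in rs])
               for k in range(1, m + 1)
               for rs in combinations(range(m), k)
               for cs in combinations(range(m), k))

def all_columns(mats):
    """The qm column vectors of L1..Lq, each returned as a list."""
    return [[M[i][j] for i in range(len(M))] for M in mats for j in range(len(M))]

# The chosen columns are passed as rows below; transposing a matrix changes
# neither its singularity nor whether it is MDS.
def check_a1(mats):
    """Processing example a1: any m of the qm columns are linearly independent."""
    m = len(mats[0])
    return all(nonsingular(c) for c in combinations(all_columns(mats), m))

def check_a2(mats):
    """Processing example a2 (stricter): any m of the qm columns form an MDS matrix."""
    m = len(mats[0])
    return all(is_mds(c) for c in combinations(all_columns(mats), m))

def generate_a3(q, m, rows=None):
    """Processing example a3: take m rows of one qm-order MDS matrix M and
    split the m x qm matrix M' into q groups of m columns -> L1..Lq.
    Assumption: M is a Cauchy matrix 1/(x_i + y_j), a known MDS family."""
    size = q * m
    M = [[gf_inv(i ^ (size + j)) for j in range(size)] for i in range(size)]
    picked = [M[i] for i in (rows if rows is not None else range(m))]
    return [[r[g * m:(g + 1) * m] for r in picked] for g in range(q)]

def assign_rounds(q, r):
    """MLT_j for a 2r-round Feistel cipher: odd stages take L1, L2, ..., Lq, L1, ...
    from the top, even stages take the same sequence from the bottom."""
    mlt = {}
    for k in range(r):
        mlt[2 * k + 1] = k % q + 1
        mlt[2 * r - 2 * k] = k % q + 1
    return mlt

if __name__ == "__main__":
    L = generate_a3(q=3, m=4)
    print("each Li is MDS:", all(is_mds(M) for M in L))
    print("a1 check:", check_a1(L), " a2 check:", check_a2(L))
    # One matrix reused in every round repeats columns, so the a1 check fails.
    print("a1 check with L1 reused:", check_a1([L[0], L[0]]))
    print({f"MLT{j}": f"L{i}" for j, i in sorted(assign_rounds(3, 6).items())})
```

Because every set of m columns of M′ is an m × m submatrix of the MDS matrix M, the a3 output passes both checks without any search, which is why it scales where the random-generate-and-test loops of a1 and a2 do not.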
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Complex Calculations (AREA)
- Error Detection And Correction (AREA)
- Mobile Radio Communication Systems (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Lock And Its Accessories (AREA)
Priority Applications (11)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP05781289A EP1788542B1 (en) | 2004-09-03 | 2005-08-30 | Encryption device, encryption method, and computer program |
BRPI0506365A BRPI0506365B1 (pt) | 2004-09-03 | 2005-08-30 | aparelho e método de processamento criptográfico, e, meio de armazenamento legível por computador para realizar o referido método |
EP10011885.0A EP2375625B1 (en) | 2004-09-03 | 2005-08-30 | On Feistel ciphers using optimal diffusion mappings across multiple rounds |
ES05781289T ES2391639T3 (es) | 2004-09-03 | 2005-08-30 | Dispositivo de cifrado, método de cifrado, y programa de ordenador |
US10/577,955 US7747011B2 (en) | 2004-09-03 | 2005-08-30 | Encryption device, encryption method, and computer program |
EP10011884.3A EP2375624B1 (en) | 2004-09-03 | 2005-08-30 | On Feistel ciphers using optimal diffusion mappings across multiple rounds |
KR1020067006887A KR101091749B1 (ko) | 2004-09-03 | 2006-04-10 | 암호 처리 장치, 암호 처리 방법 및 기록매체 |
HK07101567.4A HK1096758A1 (en) | 2004-09-03 | 2007-02-09 | Encryption device, encryption method, and computer program |
US12/780,512 US8275127B2 (en) | 2004-09-03 | 2010-05-14 | Cryptographic processing apparatus, cryptographic processing method, and computer program therefor |
US13/594,444 US8767956B2 (en) | 2004-09-03 | 2012-08-24 | Cryptographic processing apparatus, cryptographic processing method, and computer program therefor |
US14/278,632 US9240885B2 (en) | 2004-09-03 | 2014-05-15 | Cryptographic processing apparatus, cryptographic processing method, and computer program therefor |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004256465A JP4561252B2 (ja) | 2004-09-03 | 2004-09-03 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
JP2004-256465 | 2004-09-03 |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/577,955 A-371-Of-International US7747011B2 (en) | 2004-09-03 | 2005-08-30 | Encryption device, encryption method, and computer program |
US12/780,512 Continuation US8275127B2 (en) | 2004-09-03 | 2010-05-14 | Cryptographic processing apparatus, cryptographic processing method, and computer program therefor |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006025416A1 true WO2006025416A1 (ja) | 2006-03-09 |
Family
ID=36000066
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/015815 WO2006025416A1 (ja) | 2004-09-03 | 2005-08-30 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
Country Status (10)
Country | Link |
---|---|
US (4) | US7747011B2 (ja) |
EP (3) | EP1788542B1 (ja) |
JP (1) | JP4561252B2 (ja) |
KR (1) | KR101091749B1 (ja) |
CN (1) | CN100511331C (ja) |
BR (1) | BRPI0506365B1 (ja) |
ES (3) | ES2860689T3 (ja) |
HK (1) | HK1096758A1 (ja) |
RU (1) | RU2383934C2 (ja) |
WO (1) | WO2006025416A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101553856B (zh) * | 2006-09-01 | 2011-04-20 | 索尼株式会社 | 密码处理装置和密码处理方法 |
Families Citing this family (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4622222B2 (ja) | 2003-09-30 | 2011-02-02 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
JP4561252B2 (ja) * | 2004-09-03 | 2010-10-13 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
JP4622807B2 (ja) | 2005-03-25 | 2011-02-02 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
US7970133B2 (en) * | 2006-01-19 | 2011-06-28 | Rockwell Collins, Inc. | System and method for secure and flexible key schedule generation |
JP4882598B2 (ja) * | 2006-07-28 | 2012-02-22 | ソニー株式会社 | 暗号処理装置、暗号処理アルゴリズム構築方法、および暗号処理方法、並びにコンピュータ・プログラム |
JP2008058830A (ja) | 2006-09-01 | 2008-03-13 | Sony Corp | データ変換装置、およびデータ変換方法、並びにコンピュータ・プログラム |
JP4967544B2 (ja) * | 2006-09-01 | 2012-07-04 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
JP2010044251A (ja) * | 2008-08-13 | 2010-02-25 | Hitachi Ltd | ハッシュ値生成装置、プログラム及びハッシュ値生成方法 |
WO2011075902A1 (zh) * | 2009-12-24 | 2011-06-30 | 华南理工大学 | 一种基于线性几何的群组密钥管理方法 |
JP5578422B2 (ja) * | 2010-07-21 | 2014-08-27 | 日本電気株式会社 | 暗号化通信システム、送信装置、受信装置、暗号化/復号化方法およびそれらのプログラム |
US20120079462A1 (en) * | 2010-09-24 | 2012-03-29 | SoftKrypt LLC | Systems and methods of source software code obfuscation |
MY150357A (en) * | 2010-11-04 | 2013-12-31 | Mimos Berhad | A method for linear transformation in substitution-permutation networks symmetric-key block cipher |
JP5682527B2 (ja) * | 2011-03-28 | 2015-03-11 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにプログラム |
EP3029877B1 (en) | 2013-08-02 | 2018-04-11 | Nec Corporation | Authenticated encryption device, authenticated encryption method, and program for authenticated encryption |
CN103427986B (zh) * | 2013-08-22 | 2016-08-24 | 中国科学院信息工程研究所 | 获取分组密码活跃s盒个数下界的方法 |
JP5772934B2 (ja) * | 2013-12-02 | 2015-09-02 | ソニー株式会社 | データ変換装置、およびデータ変換方法、並びにコンピュータ・プログラム |
CN103701584B (zh) * | 2013-12-10 | 2017-01-18 | 中国船舶重工集团公司第七0九研究所 | 一种对称密码中二进制线性扩散结构的设计方法 |
US11038668B2 (en) * | 2015-05-17 | 2021-06-15 | Gideon Samid | Transposition encryption alphabet method (TEAM) |
US10608814B2 (en) * | 2015-05-17 | 2020-03-31 | Gideon Samid | Equivoe-T: Transposition equivocation cryptography |
CN105912938B (zh) * | 2016-04-01 | 2019-02-12 | 青岛大学 | 一种求多元素逆元的计算方法及计算系统 |
KR20190037980A (ko) | 2017-09-29 | 2019-04-08 | 한밭대학교 산학협력단 | 퍼베이시브 컴퓨팅을 위한 효과적인 초경량 블록 암호 시스템 |
JP7244060B2 (ja) * | 2019-02-20 | 2023-03-22 | Necソリューションイノベータ株式会社 | ブロック暗号装置、ブロック暗号方法およびプログラム |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002023623A (ja) * | 2000-07-13 | 2002-01-23 | Toshiba Corp | パラメータ決定装置、パラメータ決定方法、暗号化装置、および復号装置 |
JP2002091295A (ja) * | 2000-07-13 | 2002-03-27 | Fujitsu Ltd | Feistel構造とSPN構造とを組み合わせた演算装置および演算方法 |
JP2002091297A (ja) * | 2000-07-13 | 2002-03-27 | Fujitsu Ltd | F関数内部にspn構造を用いた演算装置および演算方法 |
JP2004245988A (ja) * | 2003-02-13 | 2004-09-02 | Sony Corp | データ処理装置、その方法およびそのプログラムと線形変換回路および暗号化回路 |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3499810B2 (ja) * | 2000-03-06 | 2004-02-23 | 株式会社東芝 | 暗号化装置、暗号化方法及び暗号化装置としてコンピュータを機能させるためのプログラムを記録したコンピュータ読取り可能な記録媒体並びに復号装置、復号方法及び復号装置としてコンピュータを機能させるためのプログラムを記録したコンピュータ読取り可能な記録媒体 |
US7305085B2 (en) * | 2000-06-30 | 2007-12-04 | Kabushiki Kaisha Toshiba | Encryption apparatus and method, and decryption apparatus and method based on block encryption |
JP3505482B2 (ja) * | 2000-07-12 | 2004-03-08 | 株式会社東芝 | 暗号化装置、復号装置及び拡大鍵生成装置、拡大鍵生成方法並びに記録媒体 |
US20020021801A1 (en) * | 2000-07-13 | 2002-02-21 | Takeshi Shimoyama | Computing apparatus using an SPN structure in an F function and a computation method thereof |
JP2003098959A (ja) * | 2001-09-21 | 2003-04-04 | Toshiba Corp | 暗号処理装置 |
US20030233557A1 (en) * | 2002-06-13 | 2003-12-18 | Zimmerman Thomas Guthrie | Electronic signature verification method and apparatus |
US20040088588A1 (en) * | 2002-10-31 | 2004-05-06 | International Business Machines Corporation | Limited resource access while power-on-password is active |
JP4622222B2 (ja) * | 2003-09-30 | 2011-02-02 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
JP4466108B2 (ja) * | 2004-02-13 | 2010-05-26 | 株式会社日立製作所 | 証明書発行方法および証明書検証方法 |
JP4561252B2 (ja) * | 2004-09-03 | 2010-10-13 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
JP4622807B2 (ja) | 2005-03-25 | 2011-02-02 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム |
JP2007199156A (ja) | 2006-01-24 | 2007-08-09 | Sony Corp | 暗号処理装置、暗号処理装置製造装置、および方法、並びにコンピュータ・プログラム |
US8146139B2 (en) * | 2006-06-30 | 2012-03-27 | Samsung Electronics Co., Ltd. | System and method of user authentication using handwritten signatures for an MFP |
JP4882598B2 (ja) | 2006-07-28 | 2012-02-22 | ソニー株式会社 | 暗号処理装置、暗号処理アルゴリズム構築方法、および暗号処理方法、並びにコンピュータ・プログラム |
JP2008058830A (ja) | 2006-09-01 | 2008-03-13 | Sony Corp | データ変換装置、およびデータ変換方法、並びにコンピュータ・プログラム |
JP5682526B2 (ja) | 2011-03-28 | 2015-03-11 | ソニー株式会社 | データ処理装置、およびデータ処理方法、並びにプログラム |
JP5682525B2 (ja) | 2011-03-28 | 2015-03-11 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにプログラム |
JP5652363B2 (ja) | 2011-03-28 | 2015-01-14 | ソニー株式会社 | 暗号処理装置、および暗号処理方法、並びにプログラム |
2004
- 2004-09-03 JP JP2004256465A patent/JP4561252B2/ja not_active Expired - Fee Related
2005
- 2005-08-30 US US10/577,955 patent/US7747011B2/en active Active
- 2005-08-30 ES ES10011884T patent/ES2860689T3/es active Active
- 2005-08-30 CN CNB2005800012597A patent/CN100511331C/zh not_active Expired - Fee Related
- 2005-08-30 ES ES05781289T patent/ES2391639T3/es active Active
- 2005-08-30 RU RU2006114754/12A patent/RU2383934C2/ru active
- 2005-08-30 EP EP05781289A patent/EP1788542B1/en not_active Not-in-force
- 2005-08-30 EP EP10011884.3A patent/EP2375624B1/en active Active
- 2005-08-30 WO PCT/JP2005/015815 patent/WO2006025416A1/ja active Application Filing
- 2005-08-30 EP EP10011885.0A patent/EP2375625B1/en active Active
- 2005-08-30 ES ES10011885T patent/ES2879845T3/es active Active
- 2005-08-30 BR BRPI0506365A patent/BRPI0506365B1/pt not_active IP Right Cessation
2006
- 2006-04-10 KR KR1020067006887A patent/KR101091749B1/ko active IP Right Grant
2007
- 2007-02-09 HK HK07101567.4A patent/HK1096758A1/xx not_active IP Right Cessation
2010
- 2010-05-14 US US12/780,512 patent/US8275127B2/en active Active
2012
- 2012-08-24 US US13/594,444 patent/US8767956B2/en active Active
2014
- 2014-05-15 US US14/278,632 patent/US9240885B2/en active Active
Non-Patent Citations (2)
Title |
---|
See also references of EP1788542A4 * |
TAIZO SHIRAI; KYOJI SHIBUTANI: "Fast Software Encryption 2004, Lecture Notes in Computer Science", vol. 3017, February 2004, SPRINGER VERLAG, article "Improving immunity of Feistel ciphers against differential cryptanalysis by using multiple MDS matrices", pages: 260 - 278 |
Also Published As
Publication number | Publication date |
---|---|
ES2391639T3 (es) | 2012-11-28 |
RU2006114754A (ru) | 2007-11-10 |
US20120324243A1 (en) | 2012-12-20 |
US8275127B2 (en) | 2012-09-25 |
EP2375624A3 (en) | 2015-05-06 |
US9240885B2 (en) | 2016-01-19 |
US8767956B2 (en) | 2014-07-01 |
US7747011B2 (en) | 2010-06-29 |
JP2006072054A (ja) | 2006-03-16 |
US20090103714A1 (en) | 2009-04-23 |
CN1879138A (zh) | 2006-12-13 |
EP2375625A3 (en) | 2015-05-06 |
RU2383934C2 (ru) | 2010-03-10 |
US20140247937A1 (en) | 2014-09-04 |
HK1096758A1 (en) | 2007-06-08 |
JP4561252B2 (ja) | 2010-10-13 |
ES2860689T3 (es) | 2021-10-05 |
EP1788542A4 (en) | 2008-01-16 |
CN100511331C (zh) | 2009-07-08 |
EP2375624B1 (en) | 2021-03-17 |
EP2375624A2 (en) | 2011-10-12 |
EP1788542A1 (en) | 2007-05-23 |
BRPI0506365A (pt) | 2006-10-31 |
EP2375625B1 (en) | 2021-06-16 |
ES2879845T3 (es) | 2021-11-23 |
KR101091749B1 (ko) | 2011-12-08 |
EP2375625A2 (en) | 2011-10-12 |
KR20070058370A (ko) | 2007-06-08 |
US20110026706A1 (en) | 2011-02-03 |
BRPI0506365B1 (pt) | 2019-01-15 |
EP1788542B1 (en) | 2012-07-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2006025416A1 (ja) | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム | |
JP4622807B2 (ja) | 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム | |
US8306217B2 (en) | Cryptographic processing apparatus and cryptographic processing method, and computer program | |
EP2048641B1 (en) | Encryption processing device, method for building encryption process algorithm, encryption processing method, and computer program | |
EP2096616A1 (en) | Encryption device, encryption method, and computer program | |
JPH0863097A (ja) | データを暗号化するための対称暗号化方法およびシステム | |
WO2008026624A1 (en) | Data conversion device, data conversion method, and computer program | |
JP2007199156A (ja) | 暗号処理装置、暗号処理装置製造装置、および方法、並びにコンピュータ・プログラム | |
Deb et al. | Study of NLFSR and reasonable security improvement on trivium cipher |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | WWE | Wipo information: entry into national phase | Ref document number: 200580001259.7; Country of ref document: CN |
 | AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
 | WWE | Wipo information: entry into national phase | Ref document number: 2005781289; Country of ref document: EP |
 | WWE | Wipo information: entry into national phase | Ref document number: 1020067006887; Country of ref document: KR |
 | WWE | Wipo information: entry into national phase | Ref document number: 2006114754; Country of ref document: RU |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | ENP | Entry into the national phase | Ref document number: PI0506365; Country of ref document: BR |
 | WWE | Wipo information: entry into national phase | Ref document number: 10577955; Country of ref document: US |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | WWP | Wipo information: published in national office | Ref document number: 2005781289; Country of ref document: EP |