WO2007052477A1 - Message authentication device, message authentication method, message authentication program and recording medium thereof - Google Patents
- Publication number
- WO2007052477A1 (PCT/JP2006/320826)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- message
- block
- hash
- message authentication
- output
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0637—Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/20—Manipulating the length of blocks of bits, e.g. padding or block truncation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
Definitions
- The present invention is constructed from a combination of a block cipher and partial processing of that block cipher.
- The present invention relates to a general-purpose, high-speed message authentication device, message authentication method, message authentication program, and recording medium thereof.
- Message authentication is a technique for guaranteeing that a message is legitimate by attaching to it a tag that can be computed only by those who know the secret key. For example, when message authentication is used in communication between two parties sharing a secret key, tampering by a third party during the communication can be detected.
- The sender sends the message and its tag to the receiver. The receiver computes the tag for the received message and checks whether it matches the received tag; from this it can determine whether the message was sent by the legitimate sender.
- Since the receiver's verification procedure is uniquely determined once the tag generation method is fixed, it suffices to describe only the tag generation method.
- Many message authentication methods using a block cipher are known. These are also called block cipher message authentication modes, and include the classic CBC-MAC mode and its improvements EMAC, XCBC and OMAC. CBC-MAC is known to be insecure when it accepts variable-length block messages, and it makes no provision for messages whose length is not a multiple of the block length.
- FIG. 1 shows a block diagram of OMAC. As shown in FIG. 1, these modes must run the block cipher once for each message block, so their speed never exceeds that of the block cipher.
- MT accepts any message whose length is an integral multiple of the block length, and its output is always
- In Non-Patent Document 3, the modified tree hash is realized using the MMH hash described in Non-Patent Document 2.
- In the Carter-Wegman authentication method, the speed of tag generation is determined by the universal hash function; in general it is faster than CBC-MAC and other block-cipher-only authentication modes.
- Non-Patent Document 4 proposes a message authentication method based on such a combination: a part of the block cipher function is iterated in the manner of CBC-MAC, realizing tag generation faster than the block cipher itself.
- Patent Document 1 discloses a technique for reducing the processing cost of XCBC message authentication without compromising its security.
- In this technique, the final block is encrypted after taking an exclusive OR with one of the two keys K1 and K2. If the length of the digital data is not a multiple of the block length, a 1 is appended to the end of the last block, followed by 0s up to the block length, and the block is then encrypted after taking an exclusive OR with the other of the two keys K1 and K2.
- Patent Document 1: Japanese Patent Laid-Open No. 2003-333036
- Non-Patent Document 1: Satoru Iwata, Survey on Security of Block Cipher Usage Modes, Information-technology Promotion Agency (IPA) Cryptographic Technology Research Report, 2003
- Non-Patent Document 2: S. Halevi and H. Krawczyk, "MMH: Software Message Authentication in the Gbit/second Rates", Fast Software Encryption, 4th International Workshop, FSE '97, Lecture Notes in Computer Science Vol. 1267, Feb. 1997
- Non-Patent Document 3: Martin Boesgaard, Ove Scavenius, Thomas Pedersen, Thomas Christensen, Erik Zenner, "Badger - A Fast and Provably Secure MAC", Applied Cryptography and Network Security (ACNS) 2005
- Non-Patent Document 4: J. Daemen and V. Rijmen, "A New MAC Construction ALRED and a Special Instance ALPHA-MAC", Fast Software Encryption, International Workshop, FSE 2005, Lecture Notes in Computer Science Vol. 3557, Feb. 2005
- The present invention combines a block cipher with some of its components, is faster than existing block cipher authentication modes, has theoretical security, and is suited to preprocessing.
- Another object of the present invention is to provide a message authentication device, message authentication method, message authentication program and recording medium that are efficient in the amount of memory used.
- The invention according to claim 1 is a message authentication device comprising: an input means for inputting a message; a padding means for padding the message so that its length is always a multiple of the block length and outputting it as a padded message; a modified tree hash means for outputting a hash value of one block by repeatedly applying to the padded message, as many times as the message requires, a hash function of small input/output width constructed from a part of the block cipher; an encryption means with adjustment value that encrypts the hash value into a tag; and an output means that concatenates and outputs the tag and the message.
- The invention according to claim 2 is a message authentication device comprising: an input means for inputting a message; a padding means for padding the message so that its length is always a multiple of the block length and outputting it as a padded message; an alternating chain means that chains a block cipher and a permutation derived from a part of the block cipher, adding the padded message one block at a time, and compresses it into a hash value of one block; an encryption means with adjustment value that encrypts the hash value into a tag; and an output means that concatenates and outputs the tag and the message.
- The invention according to claim 3 is a message authentication device comprising: an input means for inputting a message; a padding means for padding the message so that its length is always a multiple of the block length and outputting it as a padded message; a modified tree chain hash means that compresses the padded message into a hash value of one block using a structure in which a part of the processing of the alternating chain means of claim 2 is replaced by the modified tree hash means of claim 1; an encryption means with adjustment value that encrypts the hash value into a tag; and an output means that concatenates and outputs the tag and the message.
- The invention according to claim 4 is the message authentication device according to claim 1, wherein the modified tree hash means is configured using four or more repetitions of the AES stage (round) function, and the encryption means with adjustment value is configured using AES.
- The invention according to claim 5 is the message authentication device according to claim 2, wherein the alternating chain means is configured by combining AES with four or more repetitions of the AES stage function, and the encryption means with adjustment value uses AES.
- The invention according to claim 6 is the message authentication device according to claim 3, wherein the modified tree chain hash means is configured by combining AES with four or more repetitions of the AES stage function, and the encryption means with adjustment value uses AES.
- The invention according to claim 7 is the message authentication device according to any one of claims 1 to 3, characterized in that a block cipher and a permutation built from the stage function of that block cipher are used.
- The invention according to claim 8 is a message authentication method comprising a first step in which the input means inputs a message, and a step in which the padding means pads the input message so that its length is always a multiple of the block length.
- The invention according to claim 9 is a message authentication method comprising: a first step in which the input means inputs a message; a second step in which the padding means pads the input message so that its length is always a multiple of the block length and outputs it as a padded message; a step in which the alternating chain means chains the block cipher and the permutation derived from a part of the block cipher while adding the output padded message one block at a time; and a fifth step of concatenating and outputting the encrypted tag and the message.
- The invention according to claim 10 is a message authentication method comprising: a first step in which the input means inputs a message; a step in which the padding means pads the input message so that its length is always a multiple of the block length; and a fifth step of concatenating and outputting the encrypted tag and the message.
- The invention according to claim 11 is the message authentication method according to claim 8, wherein the modified tree hash means is configured using four or more repetitions of the AES stage function, and the encryption means with adjustment value is configured using AES.
- The invention according to claim 12 is the message authentication method according to claim 9, wherein the alternating chain means is configured by combining AES with four or more repetitions of the AES stage function, and the encryption means with adjustment value uses AES.
- The invention according to claim 13 is the message authentication method according to claim 10, wherein the modified tree chain hash means is configured by combining AES with four or more repetitions of the AES stage function, and the encryption means with adjustment value uses AES.
- The invention according to claim 14 is the message authentication method according to any one of claims 8 to 10, characterized in that a block cipher and a permutation built from the stage function of that block cipher are used.
- The invention according to claim 15 is a message authentication program for causing a computer to execute the message authentication method according to any one of claims 8 to 10.
- The invention according to claim 16 is a recording medium on which the message authentication program according to claim 15 is recorded.
- According to the present invention, a block cipher and some of its components are combined, giving a scheme that is faster than existing block cipher authentication modes, has theoretical security, and is also efficient in preprocessing and in the amount of memory used.
- A message authentication device, message authentication method, message authentication program, and recording medium thereof with these properties can thus be realized.
- The best mode for carrying out the present invention is assumed to be a message authentication device comprising: an input means for inputting a message; a padding means for padding the message so that its length is always a multiple of the block length and outputting it as a padded message; a modified tree hash means that outputs a hash value of one block by repeatedly applying to the padded message, as many times as the message requires, a hash function of small input/output width based on a part of the block cipher; an encryption means with adjustment value that encrypts the hash value into a tag; and an output means that concatenates and outputs the tag and the message.
- FIG. 2 is a block diagram showing the configuration of the message authentication device of the present exemplary embodiment.
- The message authentication device 10 of this embodiment includes an input means 100, a padding means 101, a modified tree hash means 102, an encryption means with adjustment value 103, and an output means 104.
- The message authentication device 10 of the present embodiment can be realized using a CPU (processing device), a memory (main storage device), a disk (auxiliary storage device), and the like that are generally provided in a computer.
- FIG. 3 is a block diagram showing a configuration of a general computer.
- a general computer includes an input device 1 such as a keyboard and a mouse, a processing device (CPU) 2, a storage device 3, and an output device 4 such as a display and a printer.
- the processing device (CPU) 2 includes a control device 5 and an arithmetic device 6, and is a central part that performs processing such as calculation.
- The storage device 3 includes a main storage device 7 (main memory) and an auxiliary storage device 8, and stores data temporarily and/or permanently.
- Each means included in the message authentication device 10 of the present embodiment shown in FIG. 2 can be realized by storing a program necessary for message authentication on the computer's disk (auxiliary storage device 8 shown in FIG. 3) and running it on the CPU (processing device 2 shown in FIG. 3).
- The input means 100 shown in FIG. 2 is a means for inputting the plaintext (message) to be tagged. It is realized by a character input device such as a keyboard (input device 1 shown in FIG. 3).
- The padding means 101 is a means for always converting the message length to a multiple of the block length.
- The block length is determined by the input width of the block cipher used. If one block is n bits and the remainder of the plaintext length divided by n is (n − t), the length is made a multiple of the block length by appending t bits to the plaintext, the first of which is 1 and the rest all 0. Nothing is done to a plaintext whose length is already a multiple of the block length.
- Any padding method may be used that satisfies the following conditions: the padded length is a multiple of the block length, the padding results of messages of different lengths are always different, and a message whose length is already a multiple of the block length is left unchanged.
- The padding means 101 outputs the padded message together with an indicator of whether padding was performed in the padding means 101, that is, whether or not the original message length was a multiple of n.
- The modified tree hash means 102 is a means for compressing the padded message output by the padding means 101 into one block by repeatedly applying, across the message, a hash function of small input/output width based on parts of the block cipher. One block is n bits, the n-bit block cipher is E, and f is a deterministic n-bit permutation.
- The processing of the modified tree hash means 102 is given by the following equation (2). It is a keyed function with 2n-bit input and n-bit output, whose key is the key of the block cipher E.
- The maximum differential probability DP(f) of the n-bit function f appearing in equation (2) is now described.
- The probability is computed with X a uniformly random n-bit value.
- Addition and subtraction denote exclusive OR.
- The n-bit function f of equation (2) is required to have a sufficiently small maximum differential probability DP(f), that is, one sufficiently close to 2^(−n).
- It is theoretically known that the maximum differential probability can be reduced to 2^(−n+1).
- A permutation whose maximum differential probability is sufficiently small is in practice easy to construct.
- Instead of a deterministic permutation, a keyed permutation may also be used (a family of several permutations, with a random key selecting one of them). In this case the average maximum differential probability EDP(f), described below, is required to be small.
- With a a non-zero n-bit value and b an arbitrary n-bit value, $\mathrm{DP}(f) = \max_{a \neq 0,\, b} \Pr[f(X) - f(X + a) = b]$.
- MT is called the modified tree hash value.
- R(1), R(2), ..., R(5) are used to obtain MT and are called hash keys.
- The key K is the key of the block cipher E.
- The hash keys R(1), R(2), ... required at each stage may be generated from the block cipher E under the key K (see the operation example of FIG. 4 below).
- Non-Patent Document 3 proposes adding length information to the modified tree hash value in order to prevent collisions between messages of different lengths. Even without it, the probability of a collision between inputs of different lengths is small, so when the modified tree hash means 102 is realized using the modified tree hash of Non-Patent Document 3, the length information need not be added.
- The encryption means with adjustment value 103 outputs TB[E](Y, d), where Y is the output of the modified tree hash means 102 and d is the padding indicator output by the padding means 101.
- The output means 104 uses the ciphertext output by the encryption means with adjustment value 103 as the tag, concatenates it with the message input to the input means 100, and outputs the result to a computer display, a printer, or the like.
- FIG. 4 shows an operation example of the message authentication device 10 with an m-block input. In FIG. 4 the message is assumed to be exactly m blocks long, and the input means 100, padding means 101, and output means 104 are omitted.
- E is the block cipher and f is a deterministic or keyed permutation. If the encryption of message X under key K is written E_K(X), the hash keys correspond to E_K(1), E_K(2), ...
- FIG. 5 is a flowchart explaining the operation of the message authentication device 10 of the present exemplary embodiment.
- In step 101 it is checked whether the hash keys and adjustment value used by the modified tree hash means 102 and the encryption means with adjustment value 103 have been generated in advance. If they have, the process proceeds to step 103; if not, the hash keys and adjustment value are generated (step 102).
- A message is input (step 103), and padding is executed (step 104).
- The modified tree hash is executed on the padded message (step 105), and the encryption with adjustment value is applied to the output of the modified tree hash to form the tag (step 106).
- Finally, the tag and the message are concatenated and output (step 107).
- FIG. 6 is a block diagram showing the configuration of the message authentication device of the present exemplary embodiment.
- The message authentication device 20 of the present embodiment includes an input means 200, a padding means 201, an alternating chain means 202, an encryption means with adjustment value 203, and an output means 204.
- The message authentication device 20 of the present embodiment can be realized using a CPU (processing device), a memory (main storage device), a disk (auxiliary storage device), and the like that are generally provided in a computer.
- FIG. 3 is a block diagram showing a configuration of a general computer.
- a general computer includes an input device 1 such as a keyboard and a mouse, a processing device (CPU) 2, a storage device 3, and an output device 4 such as a display and a printer.
- the processing device (CPU) 2 includes a control device 5 and an arithmetic device 6, and is a central part that performs processing such as calculation.
- The storage device 3 includes a main storage device 7 (main memory) and an auxiliary storage device 8, and stores data temporarily and/or permanently.
- Each means included in the message authentication device 20 of the present embodiment shown in FIG. 6 can be realized by storing a program necessary for message authentication on the computer's disk (auxiliary storage device 8 shown in FIG. 3) and running it on the CPU (processing device 2 shown in FIG. 3).
- The input means 200 shown in FIG. 6 is a means for inputting the plaintext (message) to be tagged. It is realized by a character input device such as a keyboard (input device 1 shown in FIG. 3).
- The padding means 201 is a means for always converting the message length to a multiple of the block length.
- The block length is determined by the input width of the block cipher used. If one block is n bits and the remainder of the plaintext length divided by n is (n − t), the length is made a multiple of the block length by appending t bits to the plaintext, the first of which is 1 and the rest all 0. Nothing is done to a plaintext whose length is already a multiple of the block length.
- Any padding method may be used that satisfies the following conditions: the padded length is a multiple of the block length, the padding results of messages of different lengths are always different, and a message whose length is already a multiple of the block length is left unchanged.
- The padding means 201 outputs the padded message together with an indicator of whether padding was performed in the padding means 201, that is, whether or not the original message length was a multiple of n.
- The alternating chain means 202 consists of an n-bit block cipher E and an n-bit permutation f derived from a part of E. It compresses the output of the padding means 201 into one block by chaining E and the permutation f while adding the message one block at a time.
- The processing of the alternating chain means 202 is given by the following equation (5). It is a keyed function with n(t+3)-bit input and n-bit output, where t is a non-negative integer. Its keys are the key of the block cipher E and the auxiliary keys KAux(1), KAux(2), ...
- The alternating chain means 202 links the processing ACBC of equation (5). That is, if the first t+3 input blocks are X, ACBC is applied to X to obtain ACBC(X) according to equation (5); ACBC(X) is then concatenated with the next t+2 input blocks and input to ACBC again. This is repeated, stopping as soon as the last input block has been added, and the result is output.
- The auxiliary key corresponding to the last input block may or may not be added.
- The auxiliary keys may be keys independent of the block cipher key, or they may be generated in conjunction with the processing of the encryption means with adjustment value 203 described later.
- The permutation f used in ACBC of equation (5) must have a small maximum differential probability.
- In addition, the maximum self-differential probability SDP(f) of the n-bit function f, described below, is also required to be small.
- The maximum self-differential probability SDP(f) of an n-bit function f is the maximum, over arbitrary n-bit values a, of the corresponding probability Pr.
- For an n-bit keyed function f_K (where K denotes the key), the average maximum self-differential probability ESDP(f) is defined likewise,
- with the probability computed over X a uniformly random n-bit value and the key K random. Again, addition and subtraction denote exclusive OR.
- In a block cipher stage function, it is common to exclusive-OR a key into an intermediate variable. For such a structure it can easily be shown that the average maximum self-differential probability of the stage function is minimized.
- The average maximum self-differential probability attains the minimum value 2^(−128) regardless of the number of stages.
- The output of the alternating chain means 202 is called the alternating chain hash value.
- The encryption means with adjustment value 203 encrypts the alternating chain hash value using the processing A shown below.
- Let u1 and u2 be distinct n-bit constants other than 0 and 1. For an arbitrary n-bit value
- The encryption means with adjustment value 203 encrypts the output of the alternating chain means 202 based on TTB[E, L], with d being the padding presence/absence indicator output by the padding means 201. If the output of the alternating chain means 202 is Y, the output of the encryption means with adjustment value 203 is E((L * u1) + Y) if d is 1, and E((L * u2) + Y) if d is 2. L * u1 and L * u2
- E(L + 0), E(L + 1), ..., E(L + t − 1) may be used as the auxiliary keys KAux(1), ..., KAux(t). Also, in the processing A above,
- ..., E((L * u) + t − 1) may be used as auxiliary keys.
- The output means 204 is the same as the output means 104 of the message authentication device 10 in the first exemplary embodiment.
- FIG. 7 shows an example of the operation of the message authentication device 20 for a message of a certain length. The message length is assumed to be exactly an integral multiple of the block length, and the input means 200, padding means 201, and output means 204 are omitted. The case without an auxiliary key and the case with one are both shown as examples.
- E is the block cipher and f is a deterministic or keyed permutation.
- FIG. 8 is a flowchart explaining the operation of the message authentication device 20 of this embodiment.
- In step 201 it is checked whether the auxiliary keys and adjustment value used by the alternating chain means 202 and the encryption means with adjustment value 203 have been generated in advance. If they have, the process proceeds to step 203; if not, the auxiliary keys and adjustment value are generated (step 202).
- A message is input (step 203), and padding is executed (step 204).
- The alternating chain means 202 is executed on the padded message (step 205), and the encryption with adjustment value is applied to the alternating chain hash value output by the alternating chain means 202 to form the tag (step 206). Finally, the tag and the message are concatenated and output (step 207).
- FIG. 9 is a block diagram showing the configuration of the message authentication device of the present exemplary embodiment.
- The message authentication device 30 of this embodiment includes an input means 300, a padding means 301, a modified tree chain hash means 302, an encryption means with adjustment value 303, and an output means 304.
- The message authentication device 30 of this embodiment can be realized using a CPU (processing device), a memory (main storage device), a disk (auxiliary storage device), and the like that are generally provided in a computer.
- FIG. 3 is a block diagram showing a configuration of a general computer.
- a general computer includes an input device 1 such as a keyboard and a mouse, a processing device (CPU) 2, a storage device 3, and an output device 4 such as a display and a printer.
- the processing device (CPU) 2 includes a control device 5 and an arithmetic device 6, and is a central part that performs processing such as calculation.
- The storage device 3 includes a main storage device 7 (main memory) and an auxiliary storage device 8, and stores data temporarily and/or permanently.
- Each means included in the message authentication device 30 of the present embodiment shown in FIG. 9 can be realized by storing a program necessary for message authentication on the computer's disk (auxiliary storage device 8 shown in FIG. 3) and running it on the CPU (processing device 2 shown in FIG. 3).
- the input unit 300 and the padding unit 301 shown in FIG. 9 are the same as the units of the message authentication device 10 of the first embodiment.
- the adjustment value-added encryption means 303 is the same as the adjustment value-added encryption means 203 of the message authentication device 20 of the second embodiment.
- The processing of the modified tree chain hash unit 302 is obtained by replacing part of the processing of the alternate chaining unit 102 of the first embodiment with the modified tree hash of unit 202 of the second embodiment. First, an integer t greater than 1 is determined, and t hash keys (R_1, R_2, ..., R_t) are used.
- For the output of the padding means 301, Y is obtained by encrypting the first block with the block cipher E. The next 2^(t+1) blocks are input to a modified tree hash that uses (R_1, R_2, ..., R_t, Y) as its hash key.
- The output of the last modified tree hash becomes the output of the modified tree chain hash means 302. However, if the input to the last modified tree hash is shorter than 2^(t+1) blocks, the output is as follows. Assuming that the above process is repeated s times, the hash key is (R_1, R_2, ..., R_t, Y).
- ⁇ is used in the process of compressing to one block.
- The modified tree hash is as in equation (1).
- ⁇ and f must have a small average maximum differential probability and a small average maximum self-differential probability.
- E(L+0), E(L+1), ..., E(L+t-1) may be used as R_1, R_2, ..., R_t.
- The modified tree chain hash means 302 outputs the modified tree chain hash value.
- the adjustment value-added encryption means 303 is the same as the adjustment value-added encryption means 203 of the second embodiment.
- the output unit 304 is the same as the output unit 104 of the first embodiment.
- FIG. 10 shows an operation example of the message authentication device 30 for a message having a certain length. Assuming that the message length is an integral multiple of the block length, the input means 300, the padding means 301, and the output means 304 are omitted.
- E, f, g, ..., g are the same as those in the preceding figures.
- FIG. 11 is a flowchart for explaining the operation of the message authentication device 30 of the present exemplary embodiment.
- If the hash keys and the adjustment value have already been generated, the process proceeds to step 301; if they have not, hash keys and an adjustment value are generated (step 302).
- a message is input (step 303), and padding is executed (step 304).
- The modified tree chain hash means 302 is executed on the padded message (step 305), and the adjustment-value-added encryption means 303 is applied to the output of the modified tree chain hash means 302 to form the tag (step 306). Finally, the tag and the message are concatenated and output (step 307).
- The first effect is that processing is faster than in block cipher authentication modes such as CBC-MAC. The reason is that part of the block cipher's processing, such as its round (stage) function, can be extracted and used for message processing. Apart from a small amount of preprocessing time, the method can be executed for any message length with less computation than CBC-MAC; when the message is one block, the cost is almost the same as CBC-MAC, and that processing is clearly indispensable.
- Specifically, the speed is about 1.3 to 2.5 times that of AES CBC-MAC. The speed-up depends on the embodiment, and which embodiment is desirable depends on the amount of dynamic memory available and the allowable preprocessing time.
- the second effect is that the program size is almost the same as the authentication mode for block ciphers such as CBC-MAC.
- the reason is that only the block cipher and a part of it are used.
- the only other necessary operation is a very simple function such as exclusive OR.
- The third effect is that when the present invention is applied to a known block cipher, it can achieve theoretical security equivalent to that of a block cipher authentication mode such as CBC-MAC.
- The reason is that if the part of the block cipher used in the present invention has theoretical security against differential attacks, that is, if its average maximum differential probability is sufficiently small, the present invention is an authentication method that is secure in the theoretical sense described in Non-Patent Document 1.
- The fact that several iterations of the block cipher's round (stage) function have a small average maximum differential probability is an essential condition for a block cipher with sufficient security.
- For example, four-round AES has a sufficiently small average maximum differential probability (S. Park, S. H. Sung, S. Lee, and J. Lim, "Improving the Upper Bound on the Maximum Differential and the Maximum Linear Hull Probability for SPN Structure and AES", FSE 2003, Lecture Notes in Computer Science, Vol. 2887, Feb. 2003).
- The average maximum self-differential probability is a condition in addition to the average maximum differential probability. In fact, for many block ciphers including AES, it can be shown that the round (stage) function attains the theoretically smallest average maximum self-differential probability regardless of the number of iterations.
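As an added example (not part of the patent) of the security condition just stated, the Python below rebuilds the AES S-box from its definition, tabulates its difference distribution table and reports its maximum differential probability; for a fixed, keyless map the average over keys is simply the maximum, and bounds for whole rounds such as the cited FSE 2003 result are built up from this per-component table. The identity map is included as the opposite extreme.

```python
# Added example, not from the patent: the maximum differential probability of the
# AES S-box, the non-linear part of the AES round ("stage") function.  For a fixed
# map the average over keys collapses to the maximum itself; per-round bounds such
# as the cited FSE 2003 result are built on top of this per-S-box table.
from fractions import Fraction
from typing import List


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (Fermat); maps 0 to 0, as the AES S-box does."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def aes_sbox() -> List[int]:
    """Rebuild the AES S-box from its definition: field inverse, then the fixed affine map."""
    def rotl8(x: int, n: int) -> int:
        return ((x << n) | (x >> (8 - n))) & 0xFF

    table = []
    for x in range(256):
        b = gf_inv(x)
        table.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return table


def difference_distribution_table(sbox: List[int]) -> List[List[int]]:
    """ddt[a][b] = number of inputs x with S(x) XOR S(x XOR a) == b."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            ddt[a][sbox[x] ^ sbox[x ^ a]] += 1
    return ddt


def max_differential_probability(sbox: List[int]) -> Fraction:
    """Largest DDT entry over non-zero input differences, as a probability."""
    ddt = difference_distribution_table(sbox)
    n = len(sbox)
    best = max(ddt[a][b] for a in range(1, n) for b in range(n))
    return Fraction(best, n)


if __name__ == "__main__":
    s = aes_sbox()
    print("AES S-box max differential probability:", max_differential_probability(s))
    # A linear/affine map is the opposite extreme: every difference passes with probability 1.
    print("identity map:", max_differential_probability(list(range(256))))
```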
- the present invention can be applied to uses such as preventing falsification in wireless or wired data communication, and uses such as preventing falsification of data on storage.
- FIG. 1 is a block diagram showing an OMAC.
- FIG. 2 is a block diagram showing a configuration of a message authentication device in the first exemplary embodiment.
- FIG. 3 is a block diagram showing a configuration of a general computer.
- FIG. 4 is a diagram showing an operation example with m block input in the message authentication device of the first exemplary embodiment.
- FIG. 5 is a flowchart for explaining the operation of the message authentication device of the first exemplary embodiment.
- FIG. 6 is a block diagram showing a configuration of a message authentication device in a second exemplary embodiment.
- FIG. 7 is a diagram showing an operation example for a message of a certain length in the message authentication device of the second exemplary embodiment.
- FIG. 8 is a flowchart for explaining the operation of the message authentication device of the second exemplary embodiment.
- FIG. 9 is a block diagram showing a configuration of a message authentication device in a third exemplary embodiment.
- FIG. 10 is a diagram showing an operation example for a message of a certain length in the message authentication device of the third exemplary embodiment.
- FIG. 11 is a flowchart for explaining the operation of the message authentication device of the third exemplary embodiment.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP06812014A EP1944907A4 (en) | 2005-11-04 | 2006-10-19 | DEVICE, METHOD AND MESSAGE AUTHENTICATION AND RECORD MEDIUM DEVICE THEREFOR |
JP2007542334A JP4735644B2 (ja) | 2005-11-04 | 2006-10-19 | メッセージ認証装置、メッセージ認証方法、メッセージ認証プログラムとその記録媒体 |
CA002627136A CA2627136A1 (en) | 2005-11-04 | 2006-10-19 | Message authentication device, message authentication method, message authentication program and storage medium therefor |
US12/083,872 US8589688B2 (en) | 2005-11-04 | 2006-10-19 | Message authentication device, message authentication method, message authentication program and storage medium therefor |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2005-321234 | 2005-11-04 | ||
JP2005321234 | 2005-11-04 | ||
JP2006-004812 | 2006-01-12 | ||
JP2006004812 | 2006-01-12 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007052477A1 true WO2007052477A1 (ja) | 2007-05-10 |
Family
ID=38005629
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2006/320826 WO2007052477A1 (ja) | 2005-11-04 | 2006-10-19 | メッセージ認証装置、メッセージ認証方法、メッセージ認証プログラムとその記録媒体 |
Country Status (6)
Country | Link |
---|---|
US (1) | US8589688B2 (ja) |
EP (1) | EP1944907A4 (ja) |
JP (1) | JP4735644B2 (ja) |
KR (1) | KR20080058462A (ja) |
CA (1) | CA2627136A1 (ja) |
WO (1) | WO2007052477A1 (ja) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012501579A (ja) * | 2008-08-28 | 2012-01-19 | アルカテル−ルーセント ユーエスエー インコーポレーテッド | セキュアなメモリに応用するメッセージ認証コードの事前計算 |
WO2012011455A1 (ja) * | 2010-07-20 | 2012-01-26 | 日本電気株式会社 | 暗号化装置、復号装置、暗号化方法、復号方法、および、コンピュータ・プログラム |
JP2013506369A (ja) * | 2009-09-29 | 2013-02-21 | ロベルト・ボッシュ・ゲゼルシャフト・ミト・ベシュレンクテル・ハフツング | センサデータの操作を防止するための方法及びこのためのセンサ |
JP2015158665A (ja) * | 2014-02-21 | 2015-09-03 | 韓國電子通信研究院Electronics and Telecommunications Research Institute | 形態保存暗号化のための可変長ブロック暗号装置および方法 |
US9787475B2 (en) | 2013-03-04 | 2017-10-10 | Nec Corporation | Device, method, and program for message authentication tag generation |
US10326589B2 (en) | 2015-09-28 | 2019-06-18 | Mitsubishi Electric Corporation | Message authenticator generating apparatus, message authenticator generating method, and computer readable recording medium |
US11177936B2 (en) | 2017-02-22 | 2021-11-16 | Mitsubishi Electric Corporation | Message authenticator generation apparatus |
US11438137B2 (en) | 2017-09-01 | 2022-09-06 | Mitsubishi Electric Corporation | Encryption device, decryption device, encryption method, decryption method, and computer readable medium |
US11522712B2 (en) | 2018-08-30 | 2022-12-06 | Mitsubishi Electric Corporation | Message authentication apparatus, message authentication method, and computer readable medium |
Families Citing this family (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE10213658B4 (de) * | 2002-03-27 | 2005-10-13 | Robert Bosch Gmbh | Verfahren zur Datenübertragung zwischen Komponenten der Bordelektronik mobiler Systeme und solche Komponenten |
US8687800B2 (en) * | 2006-08-15 | 2014-04-01 | Alcatel Lucent | Encryption method for message authentication |
KR100805273B1 (ko) * | 2007-02-28 | 2008-02-20 | 고려대학교 산학협력단 | 무선 식별 시스템을 이용한 진열된 물품의 정보 확인 방법,무선 식별 시스템을 이용한 구매된 물품의 정보 확인방법, 그 기록매체 및 그 시스템 |
US8098816B2 (en) * | 2008-10-17 | 2012-01-17 | Qualcomm Incorporated | Apparatus and method for evaluating a cipher structure's resistance to cryptanalysis |
US8050404B2 (en) * | 2008-12-29 | 2011-11-01 | Nortel Networks Limited | Bandwidth efficient method and system for obscuring the existence of encryption in a communications channel |
US8654969B2 (en) * | 2009-02-26 | 2014-02-18 | Lsi Corporation | Cipher independent interface for cryptographic hardware service |
WO2010131563A1 (ja) * | 2009-05-11 | 2010-11-18 | 日本電気株式会社 | タグ生成装置、タグ検証装置、通信システム、タグ生成方法、タグ検証方法および記録媒体 |
CN102725737B (zh) * | 2009-12-04 | 2016-04-20 | 密码研究公司 | 可验证防泄漏的加密和解密 |
US20110222683A1 (en) * | 2010-02-09 | 2011-09-15 | Certicom Corp. | Device and method for implementing a cryptographic hash function |
US8694467B2 (en) * | 2010-03-31 | 2014-04-08 | Xerox Corporation | Random number based data integrity verification method and system for distributed cloud storage |
US9673983B2 (en) | 2012-09-14 | 2017-06-06 | Qualcomm Incorporated | Apparatus and method for protecting message data |
US9065632B2 (en) * | 2013-02-20 | 2015-06-23 | Qualcomm Incorporated | Message authentication using a universal hash function computed with carryless multiplication |
US10263783B2 (en) * | 2013-08-23 | 2019-04-16 | Nec Corporation | Method and system for authenticating a data stream |
US9565114B1 (en) * | 2014-03-08 | 2017-02-07 | Google Inc. | Weighted load balancing using scaled parallel hashing |
EP3384406A4 (en) * | 2015-12-04 | 2018-11-14 | Hewlett-Packard Enterprise Development LP | Combining hashes of data blocks |
US9794025B2 (en) | 2015-12-22 | 2017-10-17 | Qualcomm Incorporated | Systems and methods for communication and verification of data blocks |
US11251965B2 (en) * | 2017-04-17 | 2022-02-15 | Nec Corporation | Authentication tag generation apparatus, authentication tag verification apparatus, method and program |
US11863304B2 (en) * | 2017-10-31 | 2024-01-02 | Unm Rainforest Innovations | System and methods directed to side-channel power resistance for encryption algorithms using dynamic partial reconfiguration |
US11080433B2 (en) * | 2018-04-29 | 2021-08-03 | Cryptowerk Corp. | Cryptographic data storage |
WO2020065820A1 (ja) * | 2018-09-27 | 2020-04-02 | 日本電気株式会社 | Macタグリスト生成装置、macタグリスト検証装置、集約mac検証システム及び方法 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPS6350223A (ja) * | 1986-08-20 | 1988-03-03 | Matsushita Electric Ind Co Ltd | 認証子生成装置 |
JPH03266544A (ja) * | 1990-03-15 | 1991-11-27 | Nec Corp | メッセージの暗号化および認証方式 |
JP2001519930A (ja) * | 1998-02-04 | 2001-10-23 | サンマイクロシステムズ インコーポレーテッド | 階層型ハッシュを用いた効率的な認証及び完全性検査の方法及びその装置 |
JP2003051821A (ja) * | 2001-05-11 | 2003-02-21 | Lucent Technol Inc | 認証のためにメッセージを処理する方法 |
JP2003333036A (ja) | 2002-05-09 | 2003-11-21 | Nippon Telegr & Teleph Corp <Ntt> | メッセージ認証装置、メッセージ認証方法とメッセージ認証プログラムおよび該プログラムを記録したコンピュータ読取り可能な記録媒体 |
JP2004363739A (ja) * | 2003-06-03 | 2004-12-24 | Hitachi Ltd | 改竄検知可能な、共通鍵暗号の暗号化装置または復号化装置 |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0412268B1 (en) * | 1989-08-11 | 1996-09-11 | International Business Machines Corporation | Apparatus for interconnecting a control unit having a parallel bus with a channel having a serial link |
US5754659A (en) | 1995-12-22 | 1998-05-19 | General Instrument Corporation Of Delaware | Generation of cryptographic signatures using hash keys |
JP3266544B2 (ja) | 1997-06-02 | 2002-03-18 | 三菱電線工業株式会社 | 電力ケーブル用接続部の組立方法 |
JP2983533B1 (ja) * | 1998-10-01 | 1999-11-29 | 株式会社高度移動通信セキュリティ技術研究所 | ハッシュ関数方式 |
US20010034839A1 (en) * | 1999-12-24 | 2001-10-25 | Guenter Karjoth | Method and apparatus for secure transmission of data and applications |
US20060136728A1 (en) | 2003-08-15 | 2006-06-22 | Gentry Craig B | Method and apparatus for authentication of data streams with adaptively controlled losses |
EP1716663A1 (en) * | 2004-02-10 | 2006-11-02 | Cryptico A/S | Methods for generating identification values for identifying electronic messages |
2006
- 2006-10-19 CA CA002627136A patent/CA2627136A1/en not_active Abandoned
- 2006-10-19 KR KR1020087010697A patent/KR20080058462A/ko not_active Application Discontinuation
- 2006-10-19 US US12/083,872 patent/US8589688B2/en active Active
- 2006-10-19 EP EP06812014A patent/EP1944907A4/en not_active Withdrawn
- 2006-10-19 WO PCT/JP2006/320826 patent/WO2007052477A1/ja active Application Filing
- 2006-10-19 JP JP2007542334A patent/JP4735644B2/ja active Active
Also Published As
Publication number | Publication date |
---|---|
JP4735644B2 (ja) | 2011-07-27 |
US8589688B2 (en) | 2013-11-19 |
KR20080058462A (ko) | 2008-06-25 |
EP1944907A1 (en) | 2008-07-16 |
JPWO2007052477A1 (ja) | 2009-04-30 |
EP1944907A4 (en) | 2011-08-31 |
CA2627136A1 (en) | 2007-05-10 |
US20090138710A1 (en) | 2009-05-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| DPE2 | Request for preliminary examination filed before expiration of 19th month from priority date (pct application filed from 20040101) | |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2006812014 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 12083872 Country of ref document: US |
| ENP | Entry into the national phase | Ref document number: 2627136 Country of ref document: CA |
| ENP | Entry into the national phase | Ref document number: 2007542334 Country of ref document: JP Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 1020087010697 Country of ref document: KR |
| NENP | Non-entry into the national phase | Ref country code: DE |