WO2008026622A1 - Dispositif de codage, procédé de codage et programme informatique - Google Patents

Dispositif de codage, procédé de codage et programme informatique Download PDF

Info

Publication number
WO2008026622A1
WO2008026622A1 PCT/JP2007/066730 JP2007066730W WO2008026622A1 WO 2008026622 A1 WO2008026622 A1 WO 2008026622A1 JP 2007066730 W JP2007066730 W JP 2007066730W WO 2008026622 A1 WO2008026622 A1 WO 2008026622A1
Authority
WO
WIPO (PCT)
Prior art keywords
processing
box
boxes
round
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2007/066730
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
Taizo Shirai
Kyoji Shibutani
Toru Akishita
Shiho Moriai
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sony Corp
Original Assignee
Sony Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sony Corp filed Critical Sony Corp
Priority to CN2007800408061A priority Critical patent/CN101536062B/zh
Priority to EP07806207.2A priority patent/EP2058781B1/en
Priority to US12/439,464 priority patent/US8577023B2/en
Publication of WO2008026622A1 publication Critical patent/WO2008026622A1/ja
Anticipated expiration legal-status Critical
Priority to US14/049,854 priority patent/US9363074B2/en
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/122Hardware reduction or efficient architectures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations

Definitions

  • Cryptographic processing apparatus Cryptographic processing method, and computer 'program technology field
  • the present invention relates to a code processing apparatus, a code processing method, and a computer program. More particularly, the present invention relates to a cryptographic processing apparatus that executes common key block cryptographic processing, a key processing method, and a computer program.
  • a code processing module is embedded in a small device such as an IC card, data is transmitted and received between the IC card and a reader / writer as a data read / write device, and authentication processing or transmission / reception data encryption is performed.
  • a code processing module is embedded in a small device such as an IC card, data is transmitted and received between the IC card and a reader / writer as a data read / write device, and authentication processing or transmission / reception data encryption is performed.
  • Decoding systems have been put to practical use.
  • a common key block cryptosystem is a representative of an algorithm to which such a key generation scheme and data conversion processing are applied.
  • Such an algorithm of the common key block sign is mainly composed of an encryption processing unit having a round function execution unit that repeatedly executes conversion of input data, and each round of the round function unit. And a key scheduling unit that generates round keys to be applied.
  • the key scheduling unit first generates an expanded key in which the number of bits is increased based on the master key (primary key) which is a secret key, and each round function part of the encryption processing unit is generated based on the generated expanded key. Generate a round key (subkey) to be applied in.
  • Feistel structure is a typical structure.
  • the Feiste structure has a structure that converts plaintext into ciphertext by simple repetition of a round function (F function) as a data conversion function.
  • F function round function
  • linear conversion processing and non-linear conversion processing are performed.
  • documents describing cryptographic processing to which the Feiste structure is applied include Non-Patent Document 1 and Non-Patent Document 2, for example.
  • Non-patent document 1 K. Nyberg, Generalized Feistel networks, ASIA CRYPT '96, Springer Verlag, 1996, pp. 91-104.
  • Non Patent Literature 2 Yuliang Zheng, Tsutomu Matsumoto, Hideki Imai: On the Constructive Block of lphers Provably Secure and Not Relying on Any Unproved Hypotheses. CRYPTO 1989: 461-480
  • the present invention has been made in view of the above problems, and it is an encryption processing device that enhances the difficulty of the cryptanalysis and achieves high security! /, The common key block encryption algorithm, and the encryption processing Method, as well as providing a computer program.
  • a first aspect of the present invention is
  • An encryption processing device that executes common key block encryption processing
  • the sign processing unit has an encryption processing unit that performs data conversion processing that repeats a round function for multiple rounds,
  • round function execution processing in each round it is configured to perform non-linear transformation processing applying S box,
  • An encryption processing apparatus is characterized in that processing is performed using at least two or more types of different S-boxes as the S-box applied to the non-linear conversion processing.
  • the cryptographic processing unit may have a Feiste structure in which the number of data series (number of divisions) is 2, or the number of data series (number of divisions) is 2 or more. It is configured to execute the cryptographic processing to which the extended Feiste structure is applied, and the system of input data ⁇ IJ and the series of output data are the same, and F as a round function execution part located at vertically adjacent positions It is characterized in that it is configured to perform cryptographic processing using an F function in which non-linear transformation processing in the function is set as different S-boxes that execute different non-linear transformation processing.
  • each of the F functions as the round function execution unit includes a plurality of S-boxes that execute non-linear transformation processing of each of divided data obtained by dividing processing target data.
  • the plurality of S-box forces are configured by at least two or more different S-boxes.
  • each of the F functions as the round function execution unit is configured to execute a plurality of S-boxes that execute nonlinear conversion processing of each of divided data obtained by dividing processing target data.
  • the sequence of input data and the sequence of output data are the same in each divided data unit, and the nonlinear conversion process in the F function as a round function execution unit located at vertically adjacent positions is different from the nonlinear conversion process. It is characterized in that it is configured as different S-boxes to be executed.
  • the types of S-boxes included in each of the F-functions as the round function execution part and the number of each S-box are different for each F-function. , And the same setting.
  • the cryptographic processing unit is an S-box having different s-bit input / output applied to the non-linear conversion processing
  • Type 2 S-box small t-bit S-box created by combining multiple boxes, where t ⁇ s.
  • the configuration is characterized in that at least two or more different types of S-boxes are used.
  • the cryptographic processing unit applies an S-box applied to the execution of the round function
  • the cryptographic processing unit executes, in the round function execution unit, a plurality of S for executing non-linear transformation processing of each of divided data obtained by dividing processing target data. It is characterized in that it has a box, and one round uses one type of S-box and executes processing using different types of S-box in round units.
  • the cryptographic processing unit executes, in the round function execution unit, a plurality of S for executing non-linear transformation processing of each divided data obtained by dividing processing target data. It is characterized by having a box and having a configuration using multiple types of S-boxes in one round.
  • the types of S-boxes included in each of the round function execution units and the number of each S-box have the same setting in each of the F functions. It is characterized by
  • the cryptographic processing unit is characterized in that it is configured to execute cryptographic processing according to a common key cryptosystem. [[00002222]]
  • the present invention is applied to one embodiment of the present invention.
  • the processing unit is a configuration that executes the encryption processing in accordance with the common common key key Brock's lock encryption type system. And and as a feature feature. .
  • the side surface of the twenty-second side of the present invention is:
  • the non-linear transformation transformation processing with the application of the SS robotx is applied.
  • non-linear it is applicable to the non-linear type transformation conversion processing, and as SS robotics, it is at least 22 types or more.
  • Cryptographic Processing Method The method is in the method. .
  • the method of the present invention is as follows: No. processing process management Susutetepppupu is ,, co common communication Kagikagi ⁇ Tsutsu Tata encryption cipher No. punished process management in a dark encryption No. lateral scheme formula remains Tatahaha co common communication Kagikagi Buburorokkkuku encryption encryption No. lateral scheme formula Let's carry out the actual execution, and let 's and here as the feature feature. .
  • the side surface of the thirty-third side of the present invention is:
  • Rarauun'ndodo function functions have Nio dark cryptographic No. processing processing unit as part !! // ,, Rarauun'ndodo Amblyseius Lili Kaekae soot Dedetata I of Arukiiki the the variable conversion ⁇ process management Have a treatment process step step-up process,
  • the non-linear transformation transformation processing with the application of the SS robotx is applied.
  • non-linear it is applicable to the non-linear type transformation conversion processing, and as SS robotics, it is at least 22 types or more. This is a step feature that makes it possible to process the processing using multiple different SS bobocks on the above, as a feature feature It's in the school area '' Prourologuraramum '. .
  • the computer 'program of the present invention is, for example, a storage medium, communication medium such as a CD or FD, which provides various programs' computer capable of executing code' in a computer readable form.
  • a computer program that can be provided by a recording medium such as MO, or a communication medium such as a network.
  • a system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to those in the same casing.
  • At least two types of S-boxes as the non-linear conversion processing unit set in the round function execution unit are provided in the encryption processing apparatus that executes the common key block encryption processing. It was configured to use the above multiple different S-boxes. This configuration makes it possible to increase the resistance to saturated attacks.
  • different types of S-boxes are mixed, it is possible to enhance the resistance to algebraic attacks (XSL attacks), and the security is high.
  • a cryptographic processor is realized.
  • FIG. 1 is a diagram showing a basic configuration of a common key block keying algorithm.
  • FIG. 2 is a view for explaining an internal configuration of common key block sign processing unit E10 shown in FIG. 1;
  • FIG. 3 A diagram for explaining the detailed configuration of a key processing unit 12 shown in FIG.
  • Fig. 4 is a diagram for describing an SPN structure round function as one configuration example of a round function execution unit.
  • Fig. 5 is a diagram illustrating a Feistel (Facetel) structure as one configuration example of a round function execution unit!
  • FIG. 6 Diagram for explaining the extended Feiste structure as one configuration example of the round function execution unit It is.
  • FIG. 7 is a diagram for explaining a specific example of the non-linear conversion processing unit.
  • FIG. 8 is a diagram for explaining a specific example of a linear transformation processing unit.
  • Fig. 9 is a view for explaining a general configuration example of a Feiste structure or an expanded Feistel structure.
  • Fig. 10 is a view for explaining a configuration example in which different S-boxes are arranged in the Feiste structure or the expanded Feistel structure.
  • FIG. 11 is a diagram illustrating a configuration example in which improvement in resistance to a saturated attack is realized by arranging different S-boxes.
  • FIG. 12 is a diagram illustrating a configuration example in which improvement in resistance to a saturated attack is realized by arranging different S-boxes.
  • FIG. 13 is a diagram illustrating a configuration example in which improvement in resistance to a saturated attack is realized by arranging different S-boxes.
  • FIG. 14 A diagram showing an example of configuration that achieves improvement in resistance to algebraic attacks (XSL attacks) by arranging different types of S-boxes!
  • FIG. 15 A diagram showing an example of the configuration that achieves an improvement in resistance to algebraic attacks (XSL attacks) by arranging different types of S-boxes!
  • FIG. 16 A diagram showing an example of configuration that achieves improvement in resistance to algebraic attacks (XSL attacks) by arranging different types of S-boxes!
  • FIG. 17 A diagram showing an example of the configuration that achieves improvement in resistance to algebraic attacks (XSL attacks) by arranging different types of S-boxes!
  • FIG. 18 This is a diagram for explaining an example of configuration that achieves improvement in resistance to algebraic attacks (XSL attacks) by arranging different types of S-boxes!
  • FIG. 19 is a diagram showing a configuration example of an IC module as an encryption processing device that executes encryption processing according to the present invention.
  • (2-8) 3-1-3 A configuration in which the resistance to a saturation attack is improved by arranging two or more different S-boxes in the form
  • (2B) A configuration that improves the resistance to algebraic attacks (XSL attacks) by mixing two or more different S-boxes in a block number using S-boxes.
  • common key block cipher (hereinafter block cipher) shall refer to the one defined below.
  • the block cipher inputs the plaintext P and the key K, and outputs a ciphertext C.
  • the bit length of plaintext and ciphertext is called the block size and is denoted by n here.
  • n is a force that can take an arbitrary integer value Usually, one value is determined in advance for each block sign algorithm.
  • a block code with a block length of n may be called an n- bit block code.
  • the bit length of the key is represented by k.
  • the key can have any integer value.
  • the common key block number algorithm will correspond to one or more key sizes.
  • Ciphertext C n bits
  • Fig. 1 shows a diagram of an n-bit common key block No. algorithm E corresponding to a key length of k bits.
  • the common key block key processing unit E10 inputs an n bit plaintext P and a k bit key K, executes a predetermined key algorithm, and generates an n bit cipher.
  • Sentence C Output In addition, only the encryption process which produces
  • generates plaintext from encryption text generally uses the inverse function of E10.
  • the same common key block code processing part E10 can be applied to decryption processing as well, and decryption processing can be performed by changing the sequence such as the key input order.
  • Block ciphers can be considered in two parts.
  • One is a key scheduling unit 11 which has a key K as an input and expands the bit length of the input key K in a predetermined step to output an expanded key K '(bit length k'), a plaintext P and a key scheduling unit No.
  • the cryptographic processing unit 12 may be applicable to data decryption processing that returns a ciphertext to plaintext.
  • the decoding processing unit 12 has a configuration for repeatedly executing data conversion to which the round function execution unit 20 is applied. That is, the cryptographic processing unit 12 can be divided into processing units called round function execution units 20.
  • the round function execution unit 20 receives, as inputs, two data of the output X of the previous round function execution unit and the round key PK generated based on the expanded key, and executes data conversion processing internally to output data Output X to the next round function execution part.
  • the input is plaintext or initialization processing data for plaintext.
  • the output of the final round is a ciphertext.
  • the sign processing unit 12 has r round function execution units 20, and is configured to generate data by repeating data conversion in r round function execution units. ing .
  • the number of iterations of the round function is called the number of rounds. In the example shown in the figure, the number of rounds will be.
  • the input data X of each round function execution unit is n-bit data during encryption, and the output X of the round function in a certain round is supplied as the input of the next round.
  • Another input data of each learning function execution unit is an expanded key output from the key schedule. The data based on K 'of is used.
  • a key that is input to each round function execution unit and applied to the execution of the round function is called a round key. In the figure, apply the round key to i round
  • the expanded key K ′ is configured, for example, as linked data of round keys RK to RK for r rounds.
  • the input data of the first round is X when viewed from the input side of the processing unit 12.
  • the round function execution unit 20 of the encryption processing unit 12 shown in FIG. 3 can take various forms.
  • the ladder functions can be classified according to the structure adopted by the algorithm. As a typical structure,
  • the SPN structure round function execution unit 20a has a so-called SP type configuration in which a non-linear transformation layer (S layer) and a linear transformation layer (P layer) are connected.
  • S layer non-linear transformation layer
  • P layer linear transformation layer
  • FIG. 4 the operations of the exclusive-OR operation unit 21 and the exclusive-OR operation unit 21 that execute an exclusive-OR (EXOR) operation with a round key on all n-bit input data.
  • the result is input, and the non-linear conversion processing unit 22 that executes non-linear conversion of input data, and the non-linear conversion processing unit 22 receives the non-linear conversion processing result in the linear conversion processing unit 22.
  • the linear transformation processing result of the linear transformation processing unit 23 is output to the next round.
  • the final round it is a ciphertext.
  • the force indicating the processing order of the exclusive OR operation unit 21, the non-linear conversion processing unit 22, and the linear conversion processing unit 23.
  • the order of these processing units is limited. Other countries It is also possible to process it in a single can!
  • the Feiste structure divides the n-bit input data, which is the input from the previous round (the input sentence in the first round), into two n / 2-bit data, and in each round Execute processing while replacing.
  • the F-function unit 30 has a non-linear conversion layer (S layer) and a linear conversion layer (P layer) connected to each other!
  • the n / 2 bit data from the previous round and the round key are input to the exclusive OR operation unit 31 of the F function unit 30, and an exclusive OR (EXOR) process is performed. Further, the resultant data is input to the non-linear conversion processing unit 32 to perform non-linear conversion, and further, the non-linear conversion result is input to the linear conversion processing unit 33 to perform linear conversion. This linear conversion result is output as F function processing result data.
  • this F-function output and another n / 2-bit input from the previous round are input to exclusive-OR operation unit 34, and an exclusive-OR operation (EXOR) is performed.
  • the execution result is set as the input of the F function in the next round.
  • the n / 2 bit set to the F function input in the first round shown in the figure is applied to the exclusive OR operation with the F function output of the next round.
  • the Feiste structure performs data conversion processing applying the F function while alternately switching the input in each round.
  • the number of divisions is also called the number of data sequences.
  • the number of data series (number of divisions) d is set to any integer of 2 or more. Determine the various extended Feiste structures according to the number of data series (number of divisions) d It is possible to do righteousness S.
  • F function is executed as one or more round functions.
  • the example shown in the figure is a configuration example in which two F function units perform round operations in one round.
  • the configuration of F function units 41 and 42 is the same as the configuration of F function unit 30 described above with reference to FIG. 5, and the exclusive OR operation of the round key and the input value, and the nonlinear conversion Processing and linear transformation processing are performed.
  • the round key input to each F function section is adjusted so that the number of input bits matches the number of bits.
  • the round key input to each of the F function units 41 and 42 is n / 4 bits. These keys are generated by further dividing the launch key that composes the expanded key into bits. When the number of data sequences (number of divisions) is d, the data input to each sequence is n / d bits, and the number of key bits input to each F function is also adjusted to n / d bits. .
  • the force S is an example of configuration in which d / 2 F functions are executed in parallel in each round.
  • Forgery can be configured to execute one or more and d / 2 or less F functions in each round.
  • the round function execution unit 20 of the encryption processing unit 12 in the common key block cipher is
  • Each of these round function execution units has a so-called SP type configuration in which a non-linear transformation layer (S 2 layer) and a linear transformation layer (P layer) are connected. That is, it has a non-linear conversion processing unit that performs non-linear conversion processing, and a linear conversion processing unit that performs linear conversion processing.
  • S 2 layer non-linear transformation layer
  • P layer linear transformation layer
  • the non-linear conversion processing unit 50 is a series of m non-linear conversion tables of s-bit input and s-bit output called S-box (S-box) 51.
  • Bit input data The data is divided into s bits and input to the corresponding S-box 51 to convert the data.
  • S-box 51 for example, nonlinear conversion processing using a conversion table is performed.
  • the data to be processed X is often divided into a plurality of units, and a configuration in which non-linear transformation is applied to each unit is often employed.
  • the input size is ms bits
  • the data is divided into m pieces of data of s bits each, and s bits are input to each of m S boxes (Sb ox) 51, for example, a conversion table is applied.
  • the above non-linear transformation process is executed to combine m of these S bit outputs to obtain a non-linear transformation result of ms bits.
  • the linear transformation processing unit inputs an input value, for example, an output value of ms bits which is output data from the S box as the input value X, performs linear transformation on this input, and outputs a result of ms bits .
  • the linear conversion process performs, for example, a linear conversion process such as an input bit position replacement process, and outputs an output value Y of ms bits.
  • a linear transformation matrix is applied to the input to perform an input bit position interchange process.
  • An example of this matrix is the linear transformation matrix shown in Fig.8.
  • linear transformation processing part to your / elements of the linear transformation matrix to be applied Te is larger bodies: such elements GF body elements and GF (2 8) (2), a generally various expressions It can be configured as an applied matrix.
  • FIG. 8 shows an example of one configuration of a linear transformation processing unit defined by an m ⁇ m matrix defined on GF (2 s ) with ms bit input / output.
  • the common key block cipher is configured to perform cryptographic processing by repeating a round function.
  • One of the problems with this common key block cipher processing is the leakage of keys by cryptanalysis.
  • the fact that the key analysis by cryptanalysis is easy means that the security of the cryptographic processing is low, which is a major problem in practical use.
  • a cryptographic processing configuration is described in which the resistance is improved by arranging a plurality of different S-boxes (S-boxes). Do.
  • the non-linear transformation processing unit included in the round function execution unit is configured of a plurality of S-boxes (S-boxes) that perform non-linear transformation processing.
  • S-boxes S-boxes
  • these S-boxes are all configured to apply a common non-linear conversion processing table, and perform common non-linear conversion processing in each S-box! /.
  • the present invention focuses on the vulnerability caused by the commonality of this S-box, that is, the vulnerability to an attack that is a code analysis such as key analysis, and places resistance by the arrangement of a plurality of different S-boxes. Suggest an improved configuration.
  • (2-8) 3-1-3 A configuration in which the resistance to a saturation attack is improved by arranging two or more different S-boxes in the form
  • (2B) A configuration that improves the resistance to algebraic attacks (XSL attacks) by mixing two or more different S-boxes in a block number using S-boxes.
  • the output value after the conversion process is taken as c to c as follows.
  • the value of up to 255 values can be used regardless of their order, and if they appear in advance each time in advance, they can attack using that property. It is known that round key estimation can be performed by sequentially changing the input value and analyzing the output value.
  • the saturation attack thus outputs a specific rule such as the above to the conversion result of the round function part, ie, All 256 values c to c appear. Or
  • the round operation to which the F function part is applied is repeatedly executed.
  • the Feistel structure is limited in the number of data series (division number) to 2, but the extended Feiste structure differs in that the number of data series (division number) is set to an arbitrary number of 2 or more.
  • an S-box is used for the non-linear transformation processing unit in the F function which is the execution unit of the round function in the cryptographic processing to which the Feistel structure or the extended Feiste structure is applied.
  • the S-box is a non-linear conversion using, for example, a non-linear conversion table for each of s-bit data obtained by dividing the ms bit data input to the non-linear conversion processing unit into m. Execute the process
  • the same F function is used repeatedly in each round as the F function applied to the execution of the round function in the old block cipher.
  • the Feiste structure or extended Feistel structure in which the same F function is set in each round is susceptible to the above-mentioned saturation attack. The reason will be described with reference to FIG.
  • FIG. 9 is a diagram showing a configuration in which a part of the Feistel structure or the expanded Feiste structure is cut out. That is, FIG. 9 shows the Feiste structure or a No. configuration having an extended Feistel structure.
  • the two round function execution parts included in, namely, the F functions 101 and 102 are shown.
  • the two F-functions 101 and 102 are F-functions in which the series (X) of input data and the series (y) of output data are the same and located adjacent to each other in the vertical direction.
  • the two F functions 101 and 102 are configured by an exclusive OR operation unit with a round key, a non-linear conversion processing unit, and a linear conversion processing unit.
  • the F functions 101 and 102 are configured to perform 32-bit input / output processing
  • the non-linear conversion processing unit is configured by four S-boxes
  • each S-box is 8-bit. Do input and output.
  • a to J shown in FIG. 9 show various data. That is,
  • this input value be the input data A for the leading F function 101 shown in FIG.
  • data A shows all 256 values from 0 to 2 55 in the first byte A [0] when observing 256 types of data, and the other byte positions are always the same. It is fixed by a value! (This assumes that an attacker trying to saturate may control the plaintext input and create such a situation.)
  • a [0] (EXOR) I [0] is an exclusive OR operation of data A [0] and data 1 [0]
  • C [0] (EXOR) J [0] is data C [0]
  • the values B and D output from the two F-functions 101 and 102 to the exclusive OR operation units 111 and 112 have specific difference values ⁇ . That is,
  • the data G is calculated by
  • the same configuration of non-linear transformation processes applied to a plurality of F-functions outputting at least the same sequence may enable key estimation by a saturation attack. Furthermore, depending on the S-box, its operation (EXOR) result, ie,
  • FIG. 10 also shows a configuration in which a part of the Feiste structure or the extended Feistel structure is cut out, and The F-functions 201 and 202 are shown where the data series (x) and the output data series (y) are the same and are adjacent to each other at the top and bottom.
  • the two F functions 201 and 202 are configured by an exclusive OR operation unit with a round key, a non-linear transformation processing unit, and a linear transformation processing unit.
  • the F functions 201 and 202 are configured to perform 32-bit input / output processing, and the non-linear conversion processing unit is configured of four S-boxes, and each S-box performs 8-bit input / output.
  • a to J shown in FIG. 10 are the same as in FIG.
  • the S-boxes of the non-linear transformation processing units set in each of the preceding F function 201 and the succeeding F function 202 use different S-boxes [Sl] and [S2]. It is configured.
  • S-box [Sl] which executes nonlinear conversion processing in leading F-function 201 and S-box [S2] which executes nonlinear conversion processing in subsequent F-function 202 are different from each other.
  • Execute non-linear conversion processing Specifically, for example, non-linear transformation processing using different non-linear transformation tables is executed, and the same output may not be obtained for the same input.
  • each S-box Sl and S2 are assumed to be two different S-boxes satisfying the following conditions.
  • Each S-box: Sl and S2 execute non-linear conversion processing of n bits input / output. If it is S- box ,
  • the output S2 (x (EXOR) c) of S-box [S2] corresponding to the input data [X (EXOR) c] has at least one different value. That is,
  • the output S2 (x (EXOR) c) of S-box [S2] corresponding to the input data [X (EXOR) c] has at least one duplicate value. That is,
  • FIG. 11 shows a configuration in which a part of the Feiste structure or the extended Feiste structure is cut out, and a sequence (X) of input data and a sequence (y) of output data are identical and adjacent to each other vertically.
  • the three F functions 21;! To 213 are shown.
  • S box [Sl] is set in the non-linear transformation processing unit of the F function 211,
  • S-box [S2] is set in the non-linear transformation processing unit of the F function 212,
  • S-box [S3] is set in the non-linear transformation processing unit of the F function 213,
  • S-box outputs are not completely identical, and at least one outputs different values. That is, The result of the exclusive OR of Si (x) and Sj (x (EXOR) c) does not have a fixed value.
  • FIG. 12 also shows a configuration in which a part of the Feiste structure or the extended Feiste structure is cut out, the input data series (X) and the output data series (y) are identical, and The F functions 221 and 222 are shown at positions adjacent to. [0107]
  • the four S-boxes included in the fiT function 221 ahead are assigned to the J force of the upper force, SI, S2, SI, S2, and the upper force in the subsequent F function 222 of the next round. Make one injection of S2, SI, S2 and S1.
  • the F function 221 and 222 is executed applying that configuration. It is possible to reduce the cost of mounting, and also to miniaturize the device.
  • the corresponding bit data (for example, in units of bytes) is processed as described with reference to FIG. 10, and as a result, the same effect, that is, the data strength S appearing in the output series, round
  • the possibility of matching the data appearing in the same output sequence before the function execution can be significantly reduced, and as a result, the degree of difficulty of the saturated attack can be greatly improved and the resistance to the attack can be improved.
  • FIG. 13 shows a configuration in which a part of the Feiste structure or the extended Feiste structure is cut out, the input data series (X) and the output data series (y) are identical, and It shows three F-functions 23;! ⁇ 23 3 located next to each other.
  • the four S-boxes included in the fiT function 231 ahead are assigned to the J force of the upper force, SI, S2, S3, S4, and the intermediate force of the next round, the F function 232, the upper force, Set one of the S2, S3, S4 and S1 injections, and the J of the next run, the middle F function 233 of the next run, the upper force, and the S injection of the S3, S4, SI, and S2.
  • the corresponding bit data (for example, in units of bytes) is processed in the same way as described with reference to FIG. 10 and FIG. 11, and as a result, the same effect, that is, appears in the output series It is possible to significantly reduce the possibility that the data matches the data appearing in the same output sequence before the round function execution, and as a result, it is possible to greatly improve the degree of difficulty of the saturation attack and to improve the resistance to the attack. Become.
  • (2B) A configuration in which the resistance to an algebraic attack (XSL attack) is improved by mixing two or more different S-boxes in a block No. using S-boxes.
  • a method using a Boolean expression is an example of an algebraic attack (XSL attack).
  • XSL attack it is assumed that there is a block symbol including a plurality of S-boxes having an 8-bit input / output.
  • the bits on the input and output sides are respectively input X: (xl, x2, x3, x4, x5, x6, x7, x8),
  • Type 2 S— box created by combining multiple S—boxes smaller than s bits, such as 4-bit input / output
  • Type 3 S randomly selected S— box
  • Type 1 and Type 2 are S-boxes that are often used because they can be implemented at low cost in hardware (H / W) implementation.
  • the randomly selected S-box is not expected to have the above-mentioned algebraically weak nature, and it can be expected to be highly secure against algebraic attacks (XSL attacks) H
  • (2B-3) A configuration in which the resistance is improved by using plural types of S-boxes having different algebraic properties.
  • Type 2 S—box created by combining multiple small S—boxes of t—bit (assuming t ⁇ s)
  • Type 3 S randomly selected S— box
  • the S-box as the non-linear conversion processing unit included in the round function that performs data conversion processing is the following (a) to (d)! Set as.
  • (d)-Part 1 is an S-box of type 1, another part is an S-box of type 2 and the other is an S-box of type 3
  • half S-box is type 1, ie, S-box using inverse element mapping on GF (2 8 )
  • XSL attack algebraic attack
  • the remaining half S-boxes are configured as type 8 (ie, an 8-bit S-box created by combining a plurality of small 4-bit small S-b ox).
  • FIGS. 14-18 A specific symbol processing configuration in which different types of S-boxes are arranged as in (a) to (d) above.
  • An example is described with reference to FIGS. 14-18.
  • the examples shown in FIGS. 14 to 18 each show an encryption processing configuration having round function execution units of six rounds, and each round function execution unit includes a non-linear transformation processing unit including a plurality of S-boxes, and a linear transformation It has a processing unit.
  • FIG. 14 shows an example of an SPN block cipher consisting of six rounds and ten S-boxes per round.
  • the SPN block cipher performs data transformation with a non-linear transformation layer (S layer) and a linear transformation layer (P layer) in each round.
  • the 10 S-boxes of each round for example, input divided data obtained by dividing the input data into 10, execute non-linear conversion processing, and output non-linear conversion result data to the linear conversion layer (P layer)
  • the conversion processing result is output to the next round function execution part.
  • the output of the final round function execution block is the ciphertext.
  • type 2 S-box which is S-box as a different type of non-linear transformation processing unit as described above.
  • Type 2 S-box created by combining multiple small S-boxes such as 4-bit This is a configuration example in which this type 2 S-box [S] is arranged.
  • the non-linear transformation process is executed as a process to which an S-box of type 1 is applied in the first round, and as a process to which an S-box of type 2 is applied in the second round.
  • algebraic attacks XSL attacks
  • XSL attack is executed on the assumption that all are S-boxes of the same type, and in such a configuration where different types of S-boxes are mixed, , Attack, ie analysis becomes difficult.
  • high resistance to cryptanalysis such as algebraic attack (XSL attack) / / cryptographic processing configuration is realized
  • FIG. 15 is similar to FIG. 14 and includes six rounds, including ten S-boxes per round.
  • SPN block number is an example of the SPN block number!
  • the second, fourth, and sixth rounds of the second round, the second round, the second round, the second round, the second round, the second round, the second round, the second round, the second round, the third round This is a configuration example in which an S-box [S] of type 2 is arranged.
  • the non-linear transformation process is executed as a process to which an S-box of type 1 is applied in the odd round, and is executed as a process to which an S-box of type 2 is applied in the even round. Be done. Also in this configuration, as in the configuration of Fig. 14, different types of S-boxes are mixed and high resistance to cryptographic analysis such as algebraic attack (XSL attack) //, decryption processing configuration realized Be done.
  • XSL attack algebraic attack
  • decryption processing configuration realized Be done.
  • Fig. 16 shows an example of an SPN block number including six rounds and including ten S-boxes per round, as in Fig. 14 and Fig. 15! /.
  • Type 2 S—box created by combining multiple small S—boxes such as 4—bit This type 2 S—box [S],
  • Data to be input to each round function execution unit 34;! To 346 is divided into 10 and input to each S box.
  • Data in the first half of the 10 divided data d to d are of type 1
  • S-box performs nonlinear transformation processing applying type 1 S-box, and the second half data d to d is input into type 2 S-box and applies type 2 S- box did A non-linear transformation process will be performed.
  • Fig. 17 shows an example of an SPN block ⁇ which consists of six rounds and includes 10 S-boxes per round, as in Fig. 14 to Fig. 16 !.
  • FIG. 17 is similar to the example shown in FIG.
  • Type 2 S—box created by combining multiple small S—boxes such as 4—bit This type 2 S—box [S],
  • a non-linear transformation process is applied which is input and applied to the type 2 S-box.
  • FIG. 16 and FIG. 17 the S-boxes to be executed in parallel in each round are S-1 boxes of type 1 and 5 S-boxes of type 2 respectively. This is common to all runs. Therefore, for example, if an implementation is configured such that five S-b oxs of type 1 and type 2 can be executed in parallel, it is possible to repeatedly apply that configuration and execute all round functions of rounds. There is also the merit that cost reduction and miniaturization can be achieved also in terms of mounting. [0151]
  • FIG. 18 shows an example in which a plurality of different types of S-boxes are arranged in each round function execution unit 38;!-386 in the Feiste structure! /.
  • Type 2 S—box created by combining multiple small S—boxes such as 4—bit This type 2 S—box [S],
  • the data input to each round function execution unit 38;! To 386 is divided into four and input to each S box.
  • the odd-numbered divided data d and d of divided data d to d divided into four are
  • a non-linear transformation process to which box is applied will be executed.
  • FIGS. 14 to 18 show a configuration example in which two types of S-boxes of type 1 and type 2 are mixed and used, mixing of different types of S-boxes is shown.
  • (d)-Part 1 is an S-box of type 1, another part is an S-box of type 2 and the other is an S-box of type 3
  • (2A) A configuration in which resistance to a saturation attack is improved by arranging two or more different S-boxes in a Feistel or an extended Feistel type No. using an S-box.
  • (2B) A configuration that improves the resistance to algebraic attacks (XSL attacks) by mixing two or more different S-boxes in a block number using S-boxes.
  • the configuration of (2A) described above is a configuration that improves resistance to a saturation attack by applying two or more types of S-boxes to the Feiste structure or the extended Feistel structure
  • the configuration of (2B) described above Is a configuration that improves resistance to algebraic attacks (XSL attacks) by using two or more types of S-boxes for any block symbol having S-boxes.
  • (2A) and (2B) can be realized together.
  • (2A), (2B) Feiste's hyo which has improved resistance to both attacks simultaneously by using two or more types of S-boxes satisfying the properties required for Feiste's block number with an extended Feistel structure. It is possible to configure.
  • (2A) A configuration in which resistance to a saturation attack is improved by arranging two or more different S-boxes in a Feistel or an extended Feistel type No. using an S-box.
  • (2B) A configuration that improves the resistance to algebraic attacks (XSL attacks) by mixing two or more different S-boxes in a block number using S-boxes.
  • Type 2 S—box created by combining multiple small S—boxes such as 4—bit
  • Type 3 Randomly selected S—box
  • the system is highly resistant to both saturated attacks and algebraic attacks (XSL attacks).
  • the system is highly resistant to both saturated attacks and algebraic attacks (XSL attacks).
  • FIG. 19 shows a configuration example of an IC module 700 as a cryptographic processing device that executes cryptographic processing according to the above-described embodiment.
  • the above-described processing can be executed, for example, in a PC, an IC card, a reader / writer, and various other information processing apparatuses, and an IC module 700 shown in FIG. 19 can be configured in these various devices.
  • a central processing unit (CPU) 701 shown in FIG. 19 executes start and end of license processing, control of transmission and reception of data, control of data transfer between respective components, and other various programs. It is a processor.
  • a memory 702 is a program executed by the CPU 701 or a ROM (Read-Only-Memory) for storing fixed data such as operation parameters, a program executed in the processing of the CPU 701, and a storage area for parameters appropriately changed in the program processing.
  • RAM Random Access Memory
  • the memory 702 can be used as a storage area for key data necessary for encryption processing, data to be applied to a conversion table (permutation table) applied to encryption processing, a conversion matrix, and the like.
  • the data storage area is preferably configured as a memory having a tamper resistant structure.
  • the symbol processing unit 703 has, for example, the various symbol processing configurations described above, that is, (a) SPN (Substitution Permutation Network) structure,
  • the encryption processing unit 703 has a configuration corresponding to each of the embodiments described above, that is,
  • (2-8) 3-1 3 A configuration in which two or more different S-boxes are arranged in the form of «6131161 or extended?
  • the encryption processing means is an individual module
  • the code processing program is stored in the ROM, and the CPU 701 stores the ROM.
  • the program may be configured to be read and executed.
  • the random number generator 704 executes random number generation processing necessary for generation of a key necessary for cryptographic processing and the like.
  • Transmission / reception unit 705 is a data communication processing unit that executes data communication with the outside, and executes data communication with an IC module, such as a reader / writer, for example, and outputs a ciphertext generated in the IC module. Or execute data input from an external device such as a reader / writer.
  • an IC module such as a reader / writer, for example, and outputs a ciphertext generated in the IC module.
  • an external device such as a reader / writer.
  • This IC module 700 has an array of S ⁇ boxes as a non-linear transformation processing unit according to the embodiment described above, and as a result,
  • (2-8) A configuration in which the resistance to a saturation attack is improved by arranging two or more different S-boxes according to 3–1 3 3 (2B) A configuration that improves the resistance to an algebraic attack (XSL attack) by mixing two or more different S-boxes in a block number using an S-box.
  • XSL attack algebraic attack
  • the series of processes described in the specification can be performed by hardware, software, or a composite configuration of both.
  • a program that records the processing sequence is installed in memory in a computer built into dedicated hardware and executed, or a general-purpose computer that can execute various types of processing. It is possible to install and run the program.
  • the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium.
  • the program may be temporarily or permanently stored in a removable recording medium such as a flexible disk, a compact disc read only memory (CD), a compact optical read only memory (MO) disc, a digital versatile disc (DVD), a magnetic disc or a semiconductor memory. It can be stored (recorded).
  • a removable recording medium such as a flexible disk, a compact disc read only memory (CD), a compact optical read only memory (MO) disc, a digital versatile disc (DVD), a magnetic disc or a semiconductor memory. It can be stored (recorded).
  • Such removable recording media can be provided as V, as packaged software.
  • the program is installed on the computer from the removable recording medium as described above, and is transferred wirelessly from the download site to the computer, or via a network such as a LAN (Local Area Network) or the Internet.
  • the program can be transferred by wire, and the computer can receive the transferred program and install it on a recording medium such as a built-in hard disk.
  • the various processes described in the specification are not only executed in chronological order according to the description, but also executed in parallel or individually according to the processing capability of the apparatus executing the process or as necessary. It is also good. Further, in the present specification, a system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to those in the same casing.
  • the non-linear transformation processing unit set in the round function execution unit and the non-linear transformation processing unit are added to the encryption processing device that executes the common key block encryption processing.
  • an S-box at least two or more different S-boxes are used. This configuration makes it possible to increase the resistance to saturated attacks. Also, according to the configuration of one embodiment of the present invention in which different types of S-types are mixed, it is possible to enhance the resistance to algebraic attacks (XSL attacks), and highly secure cryptographic processing. An apparatus is realized.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Computing Systems (AREA)
  • Facsimile Transmission Control (AREA)
  • Computer And Data Communications (AREA)
PCT/JP2007/066730 2006-09-01 2007-08-29 Dispositif de codage, procédé de codage et programme informatique Ceased WO2008026622A1 (fr)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN2007800408061A CN101536062B (zh) 2006-09-01 2007-08-29 密码处理装置和密码处理方法
EP07806207.2A EP2058781B1 (en) 2006-09-01 2007-08-29 Encryption device, encryption method, and computer program
US12/439,464 US8577023B2 (en) 2006-09-01 2007-08-29 Encryption processing method, apparatus, and computer program utilizing different types of S-boxes
US14/049,854 US9363074B2 (en) 2006-09-01 2013-10-09 Encryption processing apparatus, encryption processing method, and computer program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2006-238225 2006-09-01
JP2006238225A JP5050454B2 (ja) 2006-09-01 2006-09-01 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US12/439,464 A-371-Of-International US8577023B2 (en) 2006-09-01 2007-08-29 Encryption processing method, apparatus, and computer program utilizing different types of S-boxes
US14/049,854 Continuation US9363074B2 (en) 2006-09-01 2013-10-09 Encryption processing apparatus, encryption processing method, and computer program

Publications (1)

Publication Number Publication Date
WO2008026622A1 true WO2008026622A1 (fr) 2008-03-06

Family

ID=39135904

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2007/066730 Ceased WO2008026622A1 (fr) 2006-09-01 2007-08-29 Dispositif de codage, procédé de codage et programme informatique

Country Status (7)

Country Link
US (2) US8577023B2 (https=)
EP (1) EP2058781B1 (https=)
JP (1) JP5050454B2 (https=)
CN (2) CN102594545B (https=)
RU (2) RU2449482C2 (https=)
TW (2) TW200830232A (https=)
WO (1) WO2008026622A1 (https=)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112667994A (zh) * 2020-12-10 2021-04-16 山东大学 一种面向计算机的对称密码形式化描述方法及系统

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4882598B2 (ja) * 2006-07-28 2012-02-22 ソニー株式会社 暗号処理装置、暗号処理アルゴリズム構築方法、および暗号処理方法、並びにコンピュータ・プログラム
US20090245510A1 (en) * 2008-03-25 2009-10-01 Mathieu Ciet Block cipher with security intrinsic aspects
TWI452889B (zh) * 2009-04-30 2014-09-11 Sumitomo Electric Industries 加密密鑰產生裝置
JP5605197B2 (ja) * 2010-12-09 2014-10-15 ソニー株式会社 暗号処理装置、および暗号処理方法、並びにプログラム
JP5652363B2 (ja) * 2011-03-28 2015-01-14 ソニー株式会社 暗号処理装置、および暗号処理方法、並びにプログラム
RU2618684C2 (ru) * 2013-04-26 2017-05-10 Закрытое акционерное общество "Лаборатория Касперского" Система и способ автоматического развертывания системы шифрования для пользователей, ранее работавших на ПК
JP2014240921A (ja) * 2013-06-12 2014-12-25 株式会社東芝 暗号装置、暗号処理方法及び暗号処理プログラム
RU2572423C2 (ru) * 2014-04-02 2016-01-10 Открытое Акционерное Общество "Информационные Технологии И Коммуникационные Системы" Способ формирования s-блоков с минимальным количеством логических элементов
KR102376506B1 (ko) * 2014-10-20 2022-03-18 삼성전자주식회사 암복호화기, 암복호화기를 포함하는 전자 장치 및 암복호화기의 동작 방법
RU2607613C2 (ru) * 2015-06-03 2017-01-10 Открытое Акционерное Общество "Информационные Технологии И Коммуникационные Системы" Способ формирования S-блока
CN106712925A (zh) * 2015-11-13 2017-05-24 航天信息股份有限公司 一种基于Logistic映射的S-box获取方法及获取装置
US10128864B2 (en) 2016-01-15 2018-11-13 Psemi Corporation Non-linear converter to linearize the non-linear output of measurement devices
CN108650072B (zh) * 2018-03-28 2021-04-20 杭州朔天科技有限公司 一种支持多种对称密码算法的芯片的抗攻击电路实现方法
CN112636899B (zh) * 2020-09-21 2022-03-18 中国电子科技集团公司第三十研究所 一种轻量化s盒设计方法
CN112511293B (zh) * 2020-09-21 2022-03-18 中国电子科技集团公司第三十研究所 基于比特与运算的s盒参数化设计方法及存储介质
US12476786B2 (en) * 2023-12-05 2025-11-18 Nxp B.V. Statistical ineffective fault analysis protection of Sbox
KR20250178812A (ko) * 2024-06-20 2025-12-29 삼성전자주식회사 암호화 장치, 암호화 장치의 동작 방법, 및 암호화 장치를 포함하는 스토리지 장치

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS5945269B2 (ja) * 1975-02-24 1984-11-05 インタ−ナショナル ビジネス マシ−ンズ コ−ポレ−ション 暗号装置

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS5945269A (ja) 1982-09-03 1984-03-14 Nissan Motor Co Ltd フロントピラ−結合構造
US4791669A (en) * 1985-11-30 1988-12-13 Nec Corporation Encryption/decryption system
US5003597A (en) * 1989-12-21 1991-03-26 Xerox Corporation Method and apparatus for data encryption
CA2164768C (en) * 1995-12-08 2001-01-23 Carlisle Michael Adams Constructing symmetric ciphers using the cast design procedure
US5745577A (en) * 1996-07-25 1998-04-28 Northern Telecom Limited Symmetric cryptographic system for data encryption
US6182216B1 (en) * 1997-09-17 2001-01-30 Frank C. Luyster Block cipher method
RU2188513C2 (ru) * 1997-11-28 2002-08-27 Открытое акционерное общество "Московская городская телефонная сеть" Способ криптографического преобразования l-битовых входных блоков цифровых данных в l-битовые выходные блоки
JP4317607B2 (ja) * 1998-12-14 2009-08-19 株式会社日立製作所 情報処理装置、耐タンパ処理装置
TWI275049B (en) * 2000-03-09 2007-03-01 Nippon Telegraph & Telephone Block cipher apparatus using auxiliary transformation
EP1281254A4 (en) * 2000-04-20 2003-06-04 Noel D Matchett CRYPTOGRAPHIC SYSTEM FOR DATA ENCRYPTION STANDARD
KR100889465B1 (ko) * 2000-07-04 2009-03-20 코닌클리케 필립스 일렉트로닉스 엔.브이. 대칭-키 암호들을 위한 치환-박스
US20020021801A1 (en) * 2000-07-13 2002-02-21 Takeshi Shimoyama Computing apparatus using an SPN structure in an F function and a computation method thereof
CA2486713A1 (en) * 2002-05-23 2003-12-04 Atmel Corporation Advanced encryption standard (aes) hardware cryptographic engine
TW200616407A (en) * 2004-11-05 2006-05-16 Cb Capital Man S A Methods of encoding and decoding data
TW200615868A (en) * 2004-11-05 2006-05-16 Synaptic Lab Ltd A method of encoding a signal
TWI290426B (en) * 2005-02-03 2007-11-21 Sanyo Electric Co Encryption processing circuit

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS5945269B2 (ja) * 1975-02-24 1984-11-05 インタ−ナショナル ビジネス マシ−ンズ コ−ポレ−ション 暗号装置

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
"The 128-bit Blockcipher CLEFIA Design Rationale, Revision 1.0", 1 June 2007 (2007-06-01), XP003020655, Retrieved from the Internet <URL:http://www.sony.co.jp/Products/clefia/technical/index.html> *
BROWN L. ET AL.: "LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications", LECTURE NOTES IN COMPUTER SCIENCE, vol. 453, 26 December 1991 (1991-12-26), pages 229 - 236, XP003021267 *
K. NYBERG: "ASIACRYPT '96", 1996, SPRINGER VERLAG, article "Generalized Feistel networks", pages: 91 - 104
MERKLE R.C.: "Fast Software Encryption Functions", LECTURE NOTES IN COMPUTER SCIENCE, vol. 537, 26 December 1991 (1991-12-26), pages 476 - 501, XP000260026 *
REZNY M. ET AL.: "A Block Cipher Method using Combinations of Different Methods under the Control of the User Key", LECTURE NOTES IN COMPUTER SCIENCE, vol. 718, 26 December 1991 (1991-12-26), pages 531 - 534, XP000470470 *
YULIANG ZHENG; TSUTOMU MATSUMOTO; HIDEKI IMAI: "On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses", CRYPTO, 1989, pages 461 - 480

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112667994A (zh) * 2020-12-10 2021-04-16 山东大学 一种面向计算机的对称密码形式化描述方法及系统
CN112667994B (zh) * 2020-12-10 2023-01-20 山东大学 一种面向计算机的对称密码形式化描述方法及系统

Also Published As

Publication number Publication date
EP2058781B1 (en) 2018-05-02
EP2058781A4 (en) 2017-05-17
RU2011149646A (ru) 2013-06-20
CN102594545A (zh) 2012-07-18
US9363074B2 (en) 2016-06-07
US8577023B2 (en) 2013-11-05
RU2009107223A (ru) 2010-09-10
CN102594545B (zh) 2015-05-06
TW200830232A (en) 2008-07-16
CN101536062B (zh) 2013-09-18
JP2008058828A (ja) 2008-03-13
TWI338872B (https=) 2011-03-11
TW201044334A (en) 2010-12-16
US20100104093A1 (en) 2010-04-29
TWI447683B (zh) 2014-08-01
CN101536062A (zh) 2009-09-16
RU2502201C2 (ru) 2013-12-20
EP2058781A1 (en) 2009-05-13
JP5050454B2 (ja) 2012-10-17
US20140192973A1 (en) 2014-07-10
RU2449482C2 (ru) 2012-04-27

Similar Documents

Publication Publication Date Title
WO2008026622A1 (fr) Dispositif de codage, procédé de codage et programme informatique
CN101512618B (zh) 共用密钥块密码处理装置和共用密钥块密码处理方法
CN101162557B (zh) 密码处理装置和密码处理方法
CN101553857B (zh) 加密处理装置、加密处理方法以及计算机程序
WO2008026625A1 (fr) Dispositif de codage, procédé de codage et programme informatique
EP2293487A1 (en) A method of diversification of a round function of an encryption algorithm
CN100511331C (zh) 密码处理装置、密码处理方法及其计算机程序
WO2008026621A1 (en) Encryption device, encryption method, and computer program
TWI595460B (zh) Data processing device, information processing device, data processing method and program
WO2009122464A1 (ja) 共通鍵暗号機能を搭載した暗号化装置及び組込装置
WO2008026623A1 (fr) Dispositif de codage, procédé de codage et programme informatique
JP5680016B2 (ja) 復号処理装置、情報処理装置、および復号処理方法、並びにコンピュータ・プログラム
KR101506499B1 (ko) 마스킹이 적용된 seed를 이용한 암호화 방법
JP5772934B2 (ja) データ変換装置、およびデータ変換方法、並びにコンピュータ・プログラム
JP5338945B2 (ja) 復号処理装置、情報処理装置、および復号処理方法、並びにコンピュータ・プログラム
JP5223245B2 (ja) 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム
HK1096758B (en) Encryption device, encryption method, and computer program

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200780040806.1

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07806207

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 884/CHENP/2009

Country of ref document: IN

ENP Entry into the national phase

Ref document number: 2009107223

Country of ref document: RU

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2007806207

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 12439464

Country of ref document: US