WO2008026623A1 - Encoding device, encoding method, and computer program - Google Patents

Publication number
WO2008026623A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
round
data
functions
processing
Legal status
Ceased
Application number
PCT/JP2007/066731
Inventor
Kyoji Shibutani
Taizo Shirai
Toru Akishita
Shiho Moriai
Current Assignee
Sony Corp
Original Assignee
Sony Corp
Application filed by Sony Corp
Priority to CN200780040630XA (CN101553856B)
Priority to EP07806208A (EP2058782A1)
Priority to US12/439,250 (US8396210B2)
Publication of WO2008026623A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • G: PHYSICS
    • G09: EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C: CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00: Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12: Details relating to cryptographic hardware or logic circuitry
    • H04L2209/122: Hardware reduction or efficient architectures
    • H04L2209/125: Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations

Definitions

  • Cryptographic processing apparatus, cryptographic processing method, and computer program. Technical field
  • The present invention relates to a cryptographic processing apparatus, a cryptographic processing method, and a computer program. More particularly, the present invention relates to a cryptographic processing apparatus that performs Feistel type common key block cryptographic processing, a cryptographic processing method, and a computer program.
  • A cryptographic processing module is embedded in a small device such as an IC card, data is transmitted and received between the IC card and a reader/writer serving as a data read/write device, and authentication processing or encryption of transmitted and received data is performed.
  • Decoding systems have been put to practical use.
  • A common key block cryptosystem is a representative of an algorithm to which such a key generation scheme and data conversion processing are applied.
  • The algorithm of such a common key block cipher mainly consists of a round function unit, which has an F function unit that repeatedly executes conversion of input data, and a key schedule unit that generates the round keys to be applied in each round of the round function unit.
  • The key schedule unit first generates an expanded key with an increased number of bits based on the master key (primary key), which is a secret key, and then, based on the generated expanded key, generates the round key (subkey) to be applied in the F function unit of each round of the round function unit.
  • The Feistel structure is known as a specific structure for executing an algorithm to which such a round function (F function) is applied.
  • The Feistel structure converts plaintext into ciphertext by simple repetition of a round function (F function) as a data conversion function.
  • Non-Patent Document 1 and Non-Patent Document 2 are documents describing cryptographic processing to which the Feistel structure is applied.
  • DSM diffusion matrix switching mechanism
  • Patent Document 1: JP-A-2006-72054
  • Non-Patent Document 1: K. Nyberg, "Generalized Feistel networks", ASIACRYPT '96, Springer Verlag, 1996, pp. 91-104.
  • Non-Patent Document 2: Yuliang Zheng, Tsutomu Matsumoto, Hideki Imai: On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses. CRYPTO 1989: 461-480
  • The present invention has been made in view of the above problems. It is intended to provide a cryptographic processing apparatus, a cryptographic processing method, and a computer program that improve the cryptographic processing configuration applying the diffusion matrix switching mechanism (DSM), in which two or more different matrices in the linear transformation unit of the round function (F function) unit of the Feistel structure are switched in each round, so that high-speed cryptographic processing is performed without increasing the implementation cost.
  • A first aspect of the present invention is a cryptographic processing apparatus having:
  • a data processing unit that executes a plurality of round operations by selectively applying at least two different F functions as round functions; and
  • a memory storing a plurality of F function correspondence tables in which input values and output values or intermediate values corresponding to the two or more different F functions are associated with each other.
  • The data processing unit acquires, in accordance with a predefined cryptographic processing sequence, an address for accessing the F function correspondence table corresponding to the F function to be applied in each round, reads the F function correspondence table corresponding to the F function of each round by a memory access applying the acquired address, and obtains the output value or the intermediate value for the input value based on the table reference.
  • The cryptographic processing apparatus is characterized in that it is configured in this way to obtain a data conversion result according to each F function.
  • The data processing unit is characterized in that it is configured to execute cryptographic processing according to a Feistel structure having a diffusion matrix switching mechanism (DSM: Diffusion Switching Mechanism), in which at least two different matrices are set as the transformation matrices applied to linear transformation processing in the F function of each round, and which selectively applies two or more different F functions.
  • The data processing unit is characterized in that it is configured to execute cryptographic processing based on the extended Feistel structure, in which the number of data series (number of divisions) d, into which the data to be encrypted is divided, is set to d ≥ 3.
  • the data processing unit executes a preset encryption function, and applies the F function to be applied in each round when the decryption function is executed.
  • the address for accessing the corresponding F function correspondence table is switched as appropriate for each round, the F function correspondence table corresponding to the F function of each round is read, and the output value or the intermediate value for the input value is acquired based on the table reference. It is characterized in that it is configured to obtain data conversion results according to each F function.
  • the memory includes input values or configuration data of the input values for each F function, output values or intermediate values of the F function, or configuration data thereof. And an F-function correspondence table in which they are associated with each other.
  • the data processing unit there is a data processing step of selectively applying at least two or more different F functions as round functions to execute a plurality of round operations.
  • the data processing step is
  • the data processing unit has a data processing step of selectively applying at least two or more different F functions as round functions to execute a plurality of round operations, the data processing step comprising
  • The computer program of the present invention is, for example, a computer program that can be provided in a computer-readable form to a computer system capable of executing various program code, by a storage medium such as a CD, FD, or MO, or by a communication medium such as a network.
  • a system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to those in the same casing.
  • F function correspondence tables corresponding to each F function are stored in the memory, a table access address corresponding to the F function of each round is applied according to a predetermined cryptographic processing sequence to read the F function correspondence table from the memory, the output value or the intermediate value for the input value is obtained based on the table reference, and the data conversion result according to each F function is obtained.
  • each F function correspondence table can be acquired according to the address changed corresponding to each round, and the output value corresponding to the input value can be efficiently acquired or calculated.
  • various cryptographic processes can be performed simply by applying one cryptographic function and changing the arguments.
  • FIG. 1 is a view for explaining the basic configuration of a Feistel structure.
  • FIG. 2 is a diagram for explaining the configuration of an F function set as a round function unit.
  • FIG. 3 is a diagram showing an example of the SPN type Feistel structure where the number of rounds is r.
  • FIG. 4 is a diagram showing an example of a Feistel structure that realizes the diffusion matrix switching mechanism (DSM), in which two different linear transformation matrices M and M are arranged in the linear transformation layer of the round function (F function) of each round.
  • FIG. 5 is a diagram showing an example of the Feistel structure to which three matrices M, M and M are applied.
  • FIG. 6 is a diagram showing a configuration example of an encryption function having an extended Feistel structure (GFN) having a diffusion matrix switching mechanism (DSM).
  • FIG. 7 is a diagram for explaining a table configuration for obtaining an output from an input of an F function.
  • FIG. 8 is a diagram for explaining the cryptographic processing configuration using a plurality of tables corresponding to a plurality of different round functions (F-functions).
  • FIG. 9 is a diagram for explaining tables stored in a memory in order to realize an encryption processing configuration using a plurality of tables corresponding to a plurality of different round functions (F functions).
  • FIG. 10 is a view showing a configuration example of an IC module as an encryption processing device that executes encryption processing according to the present invention.
  • The Feistel structure, known as a common key block cipher design, converts plaintext into ciphertext by repeating basic processing units called round functions.
  • The number of rounds r is a parameter determined at the design stage, and is, for example, a value that can be changed according to the length of the input key.
  • The length of the plaintext input as the encryption target is 2mn bits.
  • m and n are both integers.
  • The 2mn-bit plaintext is divided into two pieces of mn-bit input data, P[0] 101 and P[1] 102, which are used as input values.
  • The Feistel structure is expressed by repeating basic processing units called round functions, and the data conversion function included in each round is called the round function (F function) 120.
  • The configuration of FIG. 1 shows a configuration example in which the round function 120 is repeated for r stages.
  • The F function 120 receives mn-bit input data X and an mn-bit round key RK 103 input from a key schedule unit (key generation unit) (not shown), and outputs mn-bit data Y after the data conversion process in the round function (F function) 120. The output is XORed in the exclusive OR section 104 with the input data from the other preceding stage (input data P in the case of the first stage), and the mn-bit operation result is output to the next round function.
  • This process, that is, the round function (F function), is applied repeatedly for the defined number of rounds (r) to complete the encryption process, and the divided data C[0] and C[1] of the ciphertext are output.
  • The decryption process of a Feistel structure in which the round functions (F functions) executed in each round have the same configuration does not require an inverse function to be constructed; it only requires reversing the order in which the round keys are inserted.
  • FIG. 2(a) shows the input and output of the round function (F function) 120 in one round.
  • FIG. 2(b) shows the details of the configuration of the round function (F function) 120.
  • The round function (F function) 120 has a non-linear conversion layer (S layer) and a linear conversion layer (P layer) connected as shown in FIG. 2(b).
  • The round function (F function) 120 shown in FIG. 2 is a function having an input/output bit length of m × n (m, n: integers) bits.
  • The exclusive OR of key data K and data X is first performed, then the non-linear transformation layer (S layer) is applied, and then the linear transformation layer (P layer) is applied.
  • The non-linear transformation layer (S layer) is an arrangement of m non-linear transformation tables with n-bit input and output, called S-boxes 121.
  • a non-linear transformation process is performed applying a transformation table.
  • The linear transformation layer (P layer) is constituted by a linear transformation unit 122, which receives the mn-bit output value Z output from the S-boxes 121, performs linear conversion on it, and outputs an mn-bit result.
  • The linear conversion unit 122 performs linear conversion processing such as input bit position replacement and outputs an mn-bit output value Y. This output value Y is XORed with the input data from the previous stage and becomes the input of the F function of the next round.
  • The linear transformation performed by the linear transformation unit 122 as the linear transformation layer (P layer) is defined as a linear transformation performed by applying an m × m matrix defined over GF(2^n), and the matrix included in the i-th round is called M.
  • The SPN type Feistel structure with the number of rounds r has a configuration as shown in FIG.
  • An n-bit plaintext P is divided in half into P[0] and P[1]; the round function F, with the round key RK as input, is applied to P[0], and an exclusive OR operation (EXOR) is performed between the result and P[1].
  • In the round function F, the data input to the round function is first XORed with the round key.
  • a || b indicates the concatenation of a and b.
  • Each divided data X is input to the non-linear conversion S with S-bit input/output, that is, the S-box.
  • Set the output of S— box to z, z, ⁇ ⁇ ⁇ , z (Z z
  • Z is further input to the linear transformation unit, and a matrix operation applying the m × m matrix M0 is performed to obtain the final output Y.
  • The Feistel structure converts plaintext into ciphertext by simple repetition of a round function (F function) as a data conversion function.
  • cryptanalysis may be performed by differential analysis (also called differential cryptanalysis or differential attack) or linear analysis (also called linear cryptanalysis or linear attack) that performs analysis based on plaintext and the corresponding ciphertext.
  • A brief overview of this DSM is given.
  • The matrices applied in the rounds of an r-round Feistel structure are not all set to the same linear transformation matrix; instead, at least two kinds of matrices are arranged according to a specific rule.
  • F function F is a round function that executes linear transformation processing applying linear transformation matrix M (F function),
  • F function is a round function (F function) that performs linear transformation processing applying a linear transformation matrix
  • Two linear transformation matrices ⁇ , ⁇ are composed of different matrices.
  • MIMI ⁇ ⁇ ⁇ ⁇ ⁇ MIMI ⁇ ⁇ ⁇ shows the connection matrix obtained by the concatenation of each matrix ii + 2 ii + 2 tM is the transpose of the matrix M, M- 1 is the inverse of the matrix M.
  • BBB L is, in particular, one jump in the Feiste structure Represents the minimum value of the number of branches of a matrix obtained by combining matrices contained in two consecutive rounds or three rounds of F functions!
  • a Feistel structure composed of a round function (F function) F that performs 0 1 linear transformation processing, but the number of different linear transformation matrices to be applied is not limited to 2, and 3, 4 ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ ⁇ It can be configured to apply.
  • FIG. 5 shows an example of a Feistel structure to which three matrices M, M, and M are applied. Feist shown in Figure 5
  • F function F is a round function that executes linear transformation processing applying linear transformation matrix M (F
  • F function F is a round function (F function) that performs linear transformation processing applying a linear transformation matrix
  • F function F is a round function that performs linear transformation processing applying linear transformation matrix ⁇ (F
  • the three linear transformation matrices ⁇ , ⁇ , ⁇ are composed of different matrices.
  • The Feistel structure described with reference to FIGS. 1 to 5 is configured to execute processing by dividing input data P into two data sequences, P[0] and P[1].
  • The number of divisions of input data is called the number of data series (number of divisions).
  • The number of data series (number of divisions) d can be set to 3 or more. A Feistel structure in which the number of data series (number of divisions) is an arbitrary number of 3 or more is the extended Feistel structure (GFN: Generalized Feistel Network).
  • An example of the configuration of an encryption function having an extended Feistel structure (GFN) with a diffusion matrix switching mechanism (DSM) is shown in FIG. 6.
  • The extended Feistel structure (GFN) having the diffusion matrix switching mechanism (DSM) has two or more different matrices in the linear transformation part of the round function (F function) part of the Feistel structure, arranged so that they are switched in each round. With DSM, it is possible to improve resistance to differential attacks and linear attacks. In the example shown in FIG. 6, the data transformation to which different linear transformation matrices are applied is actually implemented in the F function F and the F function F.
  • The input is the plaintext P.
  • The plaintext P is divided into four data series P[0], P[1], P[2], P[3] (the number of divisions is 4), data conversion is performed sequentially by applying the F function F or F function F in each round, and r rounds of conversion are performed.
  • The ciphertext C is composed of C[0], C[1], C[2], C[3].
  • In the F function F or F function F of each round, the round keys RK [0] and RK [1] supplied from the key schedule unit (not shown) are input and applied to data conversion.
  • The i of the key RK [n] indicates the round, and n indicates the identifier of the round key within the same round.
  • swap processing is performed in the switching part of each round to replace each data series.
  • the swap function 211 is applied to the output of each data sequence when switching each round, and sets the input sequence in the next round corresponding to the output of each data sequence.
  • the output of data series 0 of the preceding round is set as the input of data series 3 in the subsequent round.
  • the output of data series 1 of the preceding round is set as the input of data series 0 in the subsequent round.
  • the output of data series 2 of the preceding round is set as the input of data series 1 in the subsequent round.
  • the output of data series 3 of the preceding round is set as the input of data series 2 in the subsequent round.
  • a function that executes such a line permutation process is a step function applied in the encryption process.
  • One or more round functions are executed in each round, and then the series switching process is performed; this is repeated for the execution of the subsequent round functions.
  • The above-described cryptographic processing configuration applying the Feistel structure or the extended Feistel structure adopting the diffusion matrix switching mechanism (DSM) has the advantage of greatly improving resistance to differential attacks and linear attacks.
  • In a table lookup (table) implementation, actual calculations are not performed; previously calculated results corresponding to various inputs are stored in a memory space as a table (substitution table), and the desired output value is obtained by referring to the table. For example,
  • the table above has a configuration to obtain 0, 1, 8, 27, 64 as output when 0, 1, 2, 3, 4 are given as input. This is an example of ftab.
  • The F function applies the table lookup (table) implementation: the output value corresponding to each required input value of each F function is prepared in advance as a table and stored in the memory of the cryptographic processing device.
  • The table of each F function can be obtained based on an address indicating the position in memory where the table is stored. With this method, the F function can easily be replaced without reducing the execution speed. By applying this and externally supplying only the address of the even-stage F function table, it is possible to change the encryption function and the decryption function without using a function.
  • The round function (F function) shown in FIG. 7A has a configuration including two S-boxes 301 and 302 and one linear conversion unit 303.
  • The input X (16 bits) is divided into two 8-bit values to obtain x and x.
  • the linear transformation in the transform unit 303 is calculated as follows. - 0,0 ' ⁇ ⁇ ® 0,1' ⁇ 2
  • Such non-linear processing in the S-box and matrix operation in the linear conversion unit can be set to obtain an output from an input value by a logic circuit or the like.
  • the process of calculating the operation part in advance, storing the output values corresponding to various inputs in a table, and obtaining the output by referring to the table is optimal for speeding up.
  • the table shown in FIG. 7 (b) is available.
  • the input value [t] is an 8-bit value corresponding to the input values x and ⁇ ⁇ ⁇ ⁇ for the two S-boxes 301 and 302.
  • Output Y is the result obtained by inserting X into TAB [] and TAB
  • TAB [x] (a S (x) I I a S (x))
  • TAB [x] (a S (x) I I a S (x))
  • The above-mentioned table reference processing is applied to the round operation in encryption processing applying the Feistel structure or the extended Feistel structure adopting the diffusion matrix switching mechanism (DSM) described above.
  • The diffusion matrix switching mechanism (DSM) applies different round functions (F functions) to which a plurality of different linear transformation matrices are applied.
  • It is a scheme that can dramatically improve security compared to a scheme using a single F function.
  • Security parameters and implementation characteristics change depending on how many different F functions are used.
  • various cryptographic processes are realized by selection control of the round function (F function). For example, when performing cryptographic processing by the SPN type Feiste structure using only one round function (F function) F described above with reference to FIG.
  • the F function F is called and applied.
  • the F function part is externally input as a function.
  • a function that executes multiple F function parts is created, and switching of the F function is realized by inputting them to the encryption function.
  • this method requires multiple F-functions to be called multiple times in the encryption function.
  • Because the execution time is very short, multiple calls to other functions (in this case, the F function) within the encryption function are considered to cause a significant reduction in execution speed, and the influence is great. Therefore, it is more desirable to be able to switch without making the F function part a function.
  • a processing configuration will be described in which tables corresponding to different round functions (F-functions) to which different linear transformation matrices are applied are implemented. That is, a table for output value acquisition corresponding to different round functions (F-functions) to which different linear transformation matrices are applied is stored in advance in the memory space of the device.
  • a memory address for acquisition of a round function (F function) correspondence table to be applied in each round is set as input information of an encryption function that executes cryptographic processing.
  • A memory address corresponding to each round is applied, the table corresponding to the round function (F function) to be executed in each round is acquired from the memory, and the table setting value is obtained based on a predetermined input value.
  • FIG. 8 is a diagram showing a configuration example of the cryptographic processing apparatus 400 according to the present embodiment.
  • The data processing unit 410 executes cryptographic processing to which the above-mentioned SPN type Feistel structure is applied, cryptographic processing according to the Feistel structure to which the diffusion matrix switching mechanism (DSM) is applied, and the like.
  • a memory 420 is a round function (F function) F to which different linear transformation matrices M, M,.
  • F ⁇ ⁇ ⁇ ⁇ corresponding tables ie corresponding to the input values of different F-functions F, F ⁇ ⁇ ⁇
  • a plurality of F function correspondence tables 421 and 422 ⁇ ⁇ 42 ⁇ ⁇ are stored, which store output values or intermediate values necessary to calculate output values, in association with each input value.
  • FIG. 9 shows an example of a plurality of F function correspondence tables 421, 422. .42 ⁇ stored in the memory 420.
  • The F function correspondence table 421 is a table corresponding to the first F function (round function), in which each input value for the first F function is associated with the output value corresponding to that input value or with the intermediate values required to calculate the output value.
  • The F function correspondence table 422 is a table corresponding to the second F function (round function), in which each input value for the second F function is associated with the output value corresponding to that input value or with the intermediate values required to calculate the output value.
  • the correspondence table of ⁇ pieces of F functions is stored in the memory 420.
  • The input values stored in the table may be input values for the entire F function, or may be partial configuration values of the F function input values, such as input values for each S-box in the F function.
  • the output value may be the output value of the F function, or may be an intermediate value for calculating the output value. That is, the F function correspondence table stored in the memory 420 associates the input value or the input value configuration data for each F function with the output value or the intermediate value of the F function, or the configuration data thereof. It is considered a table.
  • Each of these tables is configured to be readable by applying an access address, and an address corresponding to each table, for example,
  • the read address of each table is set, etc., and the round function execution unit 4 11 shown in FIG. 8 executes table read by applying an address corresponding to the F function to be applied to each round. .
  • The data processing unit 410 shown in FIG. 8 has a round function execution unit 411 that executes round functions, a memory address providing unit 412 that provides the round function execution unit 411 with the memory address of each table, used to access the F function correspondence table applied in each round, and a processing sequence information storage unit 413 that stores sequence information of the cryptographic processing.
  • The processing sequence information storage unit 413 stores, for example, the sequence of F functions to be executed in each round when executing encryption processing according to the Feistel structure to which the diffusion matrix switching mechanism (DSM) described above is applied.
  • The round function execution unit 411 receives from the memory address providing unit 412 the access address of the table corresponding to the F function to be executed in each round according to the encryption sequence being executed, accesses the memory 420 at the received address to obtain the F function correspondence table to be applied in that round, and obtains the output value (intermediate value) corresponding to the input value by table lookup.
  • The round function execution unit 411 only has to acquire the table to be applied in each round, using an address that changes from round to round. By sequentially setting the addresses of the F function correspondence tables for each round as arguments of one cryptographic function, various cryptographic processes can be executed with a single cryptographic function simply by changing the arguments.
  • Round functions may be executed in parallel. Therefore, in a configuration that executes cryptographic processing to which the extended Feistel structure is applied, it is preferable that the round function execution unit 411 be able to execute a plurality of round functions (F functions) in parallel.
  • In that case, the round function execution unit 411 looks up, in parallel, the F function correspondence tables corresponding to the round functions to be executed in parallel. Alternatively, the memory accesses may be performed sequentially, although the processing speed may be reduced.
  • Such a change in the usage sequence of the F function can be realized only by changing the address applied to each round.
  • the processing required to realize such a sequence only changes the order of the F function call addresses applied in each round, and can be easily changed.
  • Cryptographic processing according to such a different F function usage sequence has input/output different from that of the usage sequence before the change, and an encryption function of equivalent security can be configured.
  • The security parameter changes depending on the number of different round functions (F functions) applied.
  • Using a number of different round functions (F functions) is more secure.
  • a memory area capable of storing the maximum number of tables which need to be referred to in accordance with the processing sequence is set as a memory space which can be accessed at high speed.
  • The cryptographic processing apparatus 400 is a cryptographic processing apparatus that executes Feistel-type common-key block cipher processing. It has a data processing unit 410 that selectively applies at least two different F functions as round functions to execute round operations over multiple rounds, and a memory 420 that stores a plurality of F function correspondence tables, each associating input values with output values or intermediate values for one of the two or more different F functions. In accordance with a predetermined cryptographic processing sequence, the data processing unit 410 acquires the address for accessing the F function correspondence table corresponding to the F function applied in each round, reads that table (one of the F function correspondence tables 421, 422, ...) from the memory 420 by applying the acquired address, and obtains the output value or intermediate value for the input value by table lookup.
  • The data processing unit 410 executes a predetermined encryption function. While executing the encryption function, it switches, round by round, the address for accessing the F function correspondence table corresponding to the F function to be applied in that round, reads the table corresponding to the F function of each round from the memory 420, obtains the output value or intermediate value for the input value by table lookup, and thereby obtains the data conversion result of each F function.
  • The F function correspondence tables 421, 422, ... stored in the memory 420 are tables that associate the input value of each F function, or constituent data of the input value, with the output value or intermediate value of the F function, or constituent data thereof.
  • With this configuration, the data processing unit 410 can execute the data conversion processing of each round's F function simply by acquiring a table at an address that changes from round to round. By sequentially setting the addresses of the F function correspondence tables for each round as arguments of a single cryptographic function, various cryptographic processes can be performed. That is, it is not necessary to call different F functions, and the processing result of each round operation (F function) can be obtained at high speed. Moreover, this configuration requires no logic circuit corresponding to each round function, so the apparatus can be miniaturized and the mounting cost reduced.
  • FIG. 10 shows a configuration example of an IC module 700 as a cryptographic processing device that executes cryptographic processing according to the above-described embodiment.
  • the above-described processing can be executed, for example, in a PC, an IC card, a reader / writer, and various other information processing apparatuses, and the IC module 700 shown in FIG. 10 can be configured in these various devices.
  • The central processing unit (CPU) 701 shown in FIG. 10 is a processor that executes start, end, and transmission/reception control of data processing, data transfer control between the components, and various other programs.
  • The memory 702 consists of a ROM (Read Only Memory), which stores the programs executed by the CPU 701 and fixed data such as operation parameters, and a RAM (Random Access Memory), which is used as a storage area for the programs executed in the processing of the CPU 701 and for parameters that change as appropriate during program processing.
  • the memory 702 is used as a storage area for key data necessary for cryptographic processing, data to be applied to a transformation table (permutation table) to be applied to the cryptographic processing, and a transformation matrix. Further, as described with reference to FIGS. 8 and 9, the memory 702 is used as a storage area of an F-function correspondence table for obtaining output values corresponding to the different F-functions described above.
  • a plurality of F function correspondence tables are stored in which values required to calculate output values are stored in association with each input value.
  • the data storage area is preferably configured as a memory having a tamper resistant structure.
  • The cryptographic processing unit 703 executes, for example, encryption processing and decryption processing according to the common-key block cipher algorithm based on the above-described Feistel structure or extended Feistel structure.
  • The cryptographic processing program may instead be stored in the ROM, with the CPU 701 reading and executing the program stored in the ROM, so that no separate cryptographic processing module is provided.
  • the random number generator 704 executes random number generation processing necessary for generation of a key necessary for cryptographic processing and the like.
  • The transmission/reception unit 705 is a data communication processing unit that executes data communication with the outside. For example, it executes data communication between the IC module and an external device such as a reader/writer, outputting ciphertext generated in the IC module or receiving data input from the external device.
  • The cryptographic processing executed here follows the Feistel structure having a diffusion matrix switching mechanism (DSM: Diffusion Switch Mechanism) that selectively applies at least two different F functions in which at least two different matrices are set.
  • Memory accesses are performed while sequentially switching the address, to obtain the output value or intermediate value corresponding to the input value of each F function and to execute the round operation.
  • Processing according to various encryption sequences can therefore be performed without using multiple encryption functions, by using one encryption function in which the addresses for memory access are set as arguments.
  • the series of processes described in the specification can be performed by hardware, software, or a combined configuration of both.
  • A program recording the processing sequence can be installed in memory in a computer built into dedicated hardware and executed there, or it can be installed and executed on a general-purpose computer capable of executing various kinds of processing.
  • the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium.
  • Alternatively, the program may be stored (recorded) temporarily or permanently on a removable recording medium such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto Optical) disc, a DVD (Digital Versatile Disc), a magnetic disc, or a semiconductor memory.
  • Such removable recording media can be provided as so-called packaged software.
  • Besides being installed on a computer from a removable recording medium as described above, the program can be transferred wirelessly from a download site to the computer, or transferred by wire via a network such as a LAN (Local Area Network) or the Internet. The computer can receive the program transferred in this way and install it on a recording medium such as a built-in hard disk.
  • a system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to those in the same casing.
  • A plurality of F function correspondence tables, in which input values are associated with output values or intermediate values for each of the F functions, are stored in the memory. In accordance with a previously defined cryptographic processing sequence, the access address of the table corresponding to the F function of each round is applied to read the F function correspondence table from the memory, the output value or intermediate value for the input value is obtained by table lookup, and the data conversion result of each F function is obtained.
  • It is thus possible to obtain each F function correspondence table according to an address that changes from round to round, and to efficiently obtain or calculate the output value corresponding to the input value.
  • Various cryptographic processes can be performed by applying one encryption function and changing its arguments.
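
The table-address mechanism described above, as an added example in C that is not code from the patent: a toy 16-bit Feistel cipher whose two F functions are precomputed as lookup tables, with one cipher routine that selects each round's F function only through the table address it is given. The S-box, the two diffusion matrices, the round keys and all identifiers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define ROUNDS 6

/* Constructed toy parts (assumptions, not from the patent): a 4-bit S-box and
 * two 2x2 diffusion matrices over GF(2^4): M0 = [1 2; 2 1], M1 = [1 3; 3 1]. */
static const uint8_t SBOX[16] = {12, 5, 6, 11, 9, 0, 10, 13, 3, 14, 15, 8, 4, 7, 1, 2};

/* Multiply by 2 in GF(2^4), reduction polynomial x^4 + x + 1. */
static uint8_t mul2(uint8_t n) { return (uint8_t)(((n << 1) ^ ((n & 8) ? 0x13 : 0)) & 0xF); }

/* F function `which` (0 or 1) computed by logic: two S-box lookups, then the matrix. */
static uint8_t f_direct(int which, uint8_t x)
{
    uint8_t a = SBOX[x >> 4], b = SBOX[x & 0xF];
    uint8_t ca = which ? (uint8_t)(mul2(a) ^ a) : mul2(a);  /* 3*a or 2*a */
    uint8_t cb = which ? (uint8_t)(mul2(b) ^ b) : mul2(b);  /* 3*b or 2*b */
    return (uint8_t)(((a ^ cb) << 4) | (ca ^ b));
}

/* One correspondence table per F function (input value -> output value). */
static uint8_t F_TABLE[2][256];
static void build_tables(void)
{
    for (int t = 0; t < 2; t++)
        for (int x = 0; x < 256; x++)
            F_TABLE[t][x] = f_direct(t, (uint8_t)x);
}

/* Constructed round keys and two table-address sequences that differ in the last round. */
static const uint8_t RK[ROUNDS] = {0x3A, 0xC5, 0x71, 0x0E, 0x9D, 0x46};
static const uint8_t *const SEQ_A[ROUNDS] = {F_TABLE[0], F_TABLE[1], F_TABLE[0], F_TABLE[1], F_TABLE[0], F_TABLE[1]};
static const uint8_t *const SEQ_B[ROUNDS] = {F_TABLE[0], F_TABLE[1], F_TABLE[0], F_TABLE[1], F_TABLE[0], F_TABLE[0]};

/* The single cipher function: round i's F function is chosen only by table_addr[i]. */
static uint16_t feistel_run(uint16_t block, const uint8_t *rk, const uint8_t *const *table_addr)
{
    uint8_t l = (uint8_t)(block >> 8), r = (uint8_t)block;
    for (int i = 0; i < ROUNDS; i++) {
        uint8_t t = (uint8_t)(r ^ table_addr[i][l ^ rk[i]]);  /* one table read per round */
        r = l; l = t;
    }
    return (uint16_t)((r << 8) | l);  /* final swap, so the same routine decrypts */
}

/* 1 if reversed keys plus reversed table addresses restore every 16-bit block. */
static int roundtrip_ok(const uint8_t *const *seq, const uint8_t *rk)
{
    const uint8_t *rseq[ROUNDS]; uint8_t rrk[ROUNDS];
    for (int i = 0; i < ROUNDS; i++) { rseq[i] = seq[ROUNDS - 1 - i]; rrk[i] = rk[ROUNDS - 1 - i]; }
    for (uint32_t p = 0; p < 65536; p++)
        if (feistel_run(feistel_run((uint16_t)p, rk, seq), rrk, rseq) != p) return 0;
    return 1;
}

/* Number of blocks whose ciphertext differs between two address sequences. */
static uint32_t count_diffs(const uint8_t *const *a, const uint8_t *const *b, const uint8_t *rk)
{
    uint32_t n = 0;
    for (uint32_t p = 0; p < 65536; p++)
        n += feistel_run((uint16_t)p, rk, a) != feistel_run((uint16_t)p, rk, b);
    return n;
}

int main(void)
{
    build_tables();
    printf("round trip ok: %d, blocks differing between A and B: %u\n",
           roundtrip_ok(SEQ_A, RK), (unsigned)count_diffs(SEQ_A, SEQ_B, RK));
    return 0;
}
```

Each table index is derived from key material, so on processors with data caches the timing of such lookups is a known side channel for table-driven ciphers; the 16-bit block and 8-bit round keys are far too small for real use.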

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)
PCT/JP2007/066731 2006-09-01 2007-08-29 Dispositif de codage, procédé de codage et programme informatique Ceased WO2008026623A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN200780040630XA CN101553856B (zh) 2006-09-01 2007-08-29 密码处理装置和密码处理方法
EP07806208A EP2058782A1 (en) 2006-09-01 2007-08-29 Encryption device, encryption method, and computer program
US12/439,250 US8396210B2 (en) 2006-09-01 2007-08-29 Cryptographic processing apparatus and cryptographic processing method, and computer program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2006238226A JP5023624B2 (ja) 2006-09-01 2006-09-01 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム
JP2006-238226 2006-09-01

Publications (1)

Publication Number Publication Date
WO2008026623A1 true WO2008026623A1 (fr) 2008-03-06

Family

ID=39135905

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2007/066731 Ceased WO2008026623A1 (fr) 2006-09-01 2007-08-29 Dispositif de codage, procédé de codage et programme informatique

Country Status (6)

Country Link
US (1) US8396210B2
EP (1) EP2058782A1
JP (1) JP5023624B2
CN (1) CN101553856B
TW (1) TW200830831A
WO (1) WO2008026623A1

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100205455A1 (en) * 2009-02-09 2010-08-12 Vinodh Gopal Diffusion and cryptographic-related operations
WO2011052587A1 (ja) * 2009-10-27 2011-05-05 日本電気株式会社 ブロック暗号装置、ブロック暗号化方法およびプログラム

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4882598B2 (ja) * 2006-07-28 2012-02-22 ソニー株式会社 暗号処理装置、暗号処理アルゴリズム構築方法、および暗号処理方法、並びにコンピュータ・プログラム
WO2009075337A1 (ja) * 2007-12-13 2009-06-18 Nec Corporation 暗号化方法及び復号化方法、装置並びにプログラム
WO2010109516A1 (ja) * 2009-03-23 2010-09-30 富士通株式会社 データ処理装置及びデータ処理方法
TWI452889B (zh) * 2009-04-30 2014-09-11 Sumitomo Electric Industries 加密密鑰產生裝置
JP5605197B2 (ja) * 2010-12-09 2014-10-15 ソニー株式会社 暗号処理装置、および暗号処理方法、並びにプログラム
JP5652363B2 (ja) * 2011-03-28 2015-01-14 ソニー株式会社 暗号処理装置、および暗号処理方法、並びにプログラム
US10127390B2 (en) 2013-03-27 2018-11-13 Irdeto B.V. Tamper resistant cryptographic algorithm implementation
CN103427988A (zh) * 2013-07-26 2013-12-04 青岛海信宽带多媒体技术有限公司 数据加密及解密方法
JP2015191106A (ja) * 2014-03-28 2015-11-02 ソニー株式会社 暗号処理装置、および暗号処理方法、並びにプログラム
US10341090B2 (en) * 2014-10-14 2019-07-02 Sony Corporation Cipher processing apparatus and cipher processing method
JP6877889B2 (ja) * 2016-04-08 2021-05-26 ソニーグループ株式会社 暗号化装置、暗号化方法、復号化装置、及び復号化方法
FR3060804B1 (fr) * 2016-12-21 2021-01-22 Safran Identity & Security Procede de configuration d'un programme cryptographique destine a etre execute par un terminal
CN111373464B9 (zh) * 2017-08-10 2023-09-26 索尼公司 加密装置、加密方法、解密装置以及解密方法
AU2019259262B2 (en) * 2018-04-26 2021-07-22 Ntt, Inc. Secure aggregate median system, secure computation apparatus, secure aggregate median method, and program
JP7572922B2 (ja) * 2021-08-03 2024-10-24 Kddi株式会社 暗号化装置、暗号化方法及び暗号化プログラム
US12401495B1 (en) * 2023-07-24 2025-08-26 The Government Of The United States As Represented By The Director, National Security Agency Universal circuit device for selective block cipher cryptographic processing with space efficient configurational agility
KR20250045878A (ko) * 2023-09-26 2025-04-02 삼성전자주식회사 교집합 연산을 위한 장치 및 방법

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5003597A (en) * 1989-12-21 1991-03-26 Xerox Corporation Method and apparatus for data encryption
JPH0595350A (ja) * 1991-10-02 1993-04-16 Matsushita Electric Ind Co Ltd データ暗号化方法およびデータ暗号化装置
JP2005107078A (ja) * 2003-09-30 2005-04-21 Sony Corp 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム
JP2006072054A (ja) 2004-09-03 2006-03-16 Sony Corp 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム
JP2006206376A (ja) 2005-01-28 2006-08-10 Ngk Spark Plug Co Ltd セラミック焼結体、切削インサート及び切削工具

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2164768C (en) * 1995-12-08 2001-01-23 Carlisle Michael Adams Constructing symmetric ciphers using the cast design procedure
TW367465B (en) * 1997-04-23 1999-08-21 Matsushita Electric Industrial Co Ltd Cryptographic processing apparatus cryptographic processing method, and storage medium storing cryptographic processing program for improving security without greatly increasing hardware scale and processing time
US7292693B1 (en) * 1998-08-13 2007-11-06 Teledyne Technologies Incorporated Deterministically generating block substitution tables which meet a given standard of nonlinearity
TW514844B (en) * 2000-01-26 2002-12-21 Sony Corp Data processing system, storage device, data processing method and program providing media
JP4596686B2 (ja) * 2001-06-13 2010-12-08 富士通株式会社 Dpaに対して安全な暗号化
JP2004212828A (ja) * 2003-01-08 2004-07-29 Sony Corp 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム
FR2851862B1 (fr) * 2003-02-27 2006-12-29 Radiotelephone Sfr Procede de generation d'une permutation pseudo-aleatoire d'un mot comportant n digits
JP4752313B2 (ja) * 2004-09-30 2011-08-17 ソニー株式会社 暗号処理演算方法、および暗号処理装置、並びにコンピュータ・プログラム
WO2006046187A1 (en) * 2004-10-28 2006-05-04 Koninklijke Philips Electronics N.V. Method and system for obfuscating a cryptographic function
WO2007003230A1 (en) * 2005-06-30 2007-01-11 Freescale Semiconductor, Inc Encryption apparatus and method therefor
TW200840238A (en) * 2007-03-27 2008-10-01 Nat Univ Chung Cheng The method of electric circuit encryption with external bits and adjustable time pulses

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"The 128-bit Blockcipher CLEFIA Algorithm Specification, Revision 1.0", 1 June 2007 (2007-06-01), XP003020655, Retrieved from the Internet <URL:http://www.sony.co.jp/Products/clefia/technical/index.html> *
K. NYBERG: "ASIACRYPT", vol. 96, 1996, SPRINGERVERLAG, article "Generalized Feistel networks", pages: 91 - 104
MERKLE R.C.: "Fast Software Encryption Functions", LECTURE NOTES IN COMPUTER SCIENCE, vol. 537, 26 December 1991 (1991-12-26), pages 476 - 501, XP000260026 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100205455A1 (en) * 2009-02-09 2010-08-12 Vinodh Gopal Diffusion and cryptographic-related operations
US8363828B2 (en) * 2009-02-09 2013-01-29 Intel Corporation Diffusion and cryptographic-related operations
WO2011052587A1 (ja) * 2009-10-27 2011-05-05 日本電気株式会社 ブロック暗号装置、ブロック暗号化方法およびプログラム
JP5488608B2 (ja) * 2009-10-27 2014-05-14 日本電気株式会社 ブロック暗号装置、ブロック暗号化方法およびプログラム
US8891758B2 (en) 2009-10-27 2014-11-18 Nec Corporation Block encryption device and method and computer program

Also Published As

Publication number Publication date
JP2008058829A (ja) 2008-03-13
JP5023624B2 (ja) 2012-09-12
TWI380659B 2012-12-21
US8396210B2 (en) 2013-03-12
CN101553856A (zh) 2009-10-07
TW200830831A (en) 2008-07-16
EP2058782A1 (en) 2009-05-13
CN101553856B (zh) 2011-04-20
US20100091991A1 (en) 2010-04-15

Similar Documents

Publication Publication Date Title
WO2008026623A1 (fr) Dispositif de codage, procédé de codage et programme informatique
CN101512620B (zh) 密码处理装置和密码处理方法
CN101512619B (zh) 密码处理装置和密码处理方法
JP5055993B2 (ja) 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム
CN102594546B (zh) 信息处理装置
CN101162557B (zh) 密码处理装置和密码处理方法
CN102594545B (zh) 信息处理装置
JP5680016B2 (ja) 復号処理装置、情報処理装置、および復号処理方法、並びにコンピュータ・プログラム
WO2007083528A1 (ja) 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム
JP5772934B2 (ja) データ変換装置、およびデータ変換方法、並びにコンピュータ・プログラム
JP5223245B2 (ja) 暗号処理装置、および暗号処理方法、並びにコンピュータ・プログラム
JP2012155349A (ja) 復号処理装置、情報処理装置、および復号処理方法、並びにコンピュータ・プログラム

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200780040630.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07806208

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2007806208

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 12439250

Country of ref document: US