WO2010024003A1 - Double-block-length block encryption device, decryption device, encryption method and decryption method, and program therefor - Google Patents
Double-block-length block encryption device, decryption device, encryption method and decryption method, and program therefor
- Publication number
- WO2010024003A1 (PCT/JP2009/059437)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- bit
- block
- adjustment value
- encryption
- intermediate variable
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/20—Manipulating the length of blocks of bits, e.g. padding or block truncation
Definitions
- the present invention relates to a block cipher operation mode, and more particularly, to a general-purpose and highly secure double block length block encryption device, a decryption device, an encryption method and a decryption method, and a program thereof using an n-bit block cipher.
- the block cipher is a set of substitutions uniquely determined by the key, and the input to the substitution corresponds to plaintext and the output corresponds to the ciphertext.
- the length of plaintext or ciphertext is called the block size.
- a block cipher having a block size of n bits is generally called an n-bit block cipher.
- DES (Data Encryption Standard) is a Feistel-type permutation that uses a process called a round function with a 32-bit input/output length.
- since the processing of the round function is relatively simple and the randomness of the round function output by itself is low (it can easily be distinguished from random), the Feistel permutation must be repeated sufficiently many times to make the entire 64-bit output random. In the case of DES, the process is repeated 16 times.
- the above block cipher is called “double block length block cipher” in the sense that a 2n bit block size is realized by using an existing n bit block size block cipher as a component.
- storage encryption such as a hard disk is conceivable.
- encryption using a state variable such as a counter is not practical, both because of the storage area required for the state variable and for security reasons; and because system constraints require the plaintext and ciphertext to have the same length, tampering cannot be prevented with a message authentication code (the ciphertext would become longer than the plaintext by the length of the message authentication code).
- various methods for constructing double block length block ciphers have been proposed, such as the method based on four iterations of a Feistel-type permutation disclosed in Non-Patent Document 1 (see FIGS. 13 and 14).
- the security guarantee is limited to the case where the number of encryptions q processed with one key is sufficiently smaller than 2^(n/2) (written q << 2^(n/2)).
- 2^(n/2) is called the "birthday bound", and an attack that uses about a birthday-bound number of encryption results is generally called a birthday attack.
- Such an attack becomes a real threat when using a 64-bit block cipher and is considered a future risk even when using a 128-bit block cipher.
- Non-Patent Document 2 is known as a method of constructing a double block length block cipher that is resistant to birthday attacks; it shows that resistance to a birthday attack is obtained by repeating the Feistel-type permutation 5 to 6 times.
- there, the n-bit input/output round function is a pseudo-random function having theoretical resistance to a birthday attack.
- a practically secure n-bit block cipher can be regarded as a pseudo-random permutation, but a pseudo-random permutation cannot be a pseudo-random function with theoretical resistance to birthday attacks as long as it has an inverse, so the above result cannot be applied as it is.
- the present invention has been made in view of these problems, and its object is to provide a double block length block encryption device, method and program, and a decryption device, method and program, that can efficiently construct, from a realistic block cipher, a double block length block cipher having theoretical resistance to birthday attacks.
- the double block length block encryption apparatus of the present invention has plaintext input means for inputting a 2n-bit plaintext to be encrypted; stirring means for applying a universal-hash-function-based permutation to the 2n-bit plaintext to generate first and second intermediate variables of n bits each; first unit block encryption means with adjustment value for generating an n-bit third intermediate variable by encrypting the first intermediate variable, using the encryption function of an n-bit block cipher with m-bit adjustment value, with the result of shortening the second intermediate variable to m bits as the adjustment value; and second unit block encryption means with adjustment value for obtaining an n-bit fourth intermediate variable by encrypting the second intermediate variable, using the same encryption function, with the result of shortening the third intermediate variable to m bits as the adjustment value.
- the double block length block decryption apparatus of the present invention has ciphertext input means for inputting a 2n-bit ciphertext to be decrypted; stirring means for applying a universal-hash-function-based permutation to the 2n-bit ciphertext to generate first and second intermediate variables of n bits each;
- second unit block decryption means with adjustment value for generating an n-bit third intermediate variable from the second intermediate variable, using the decryption function of the n-bit block cipher with m-bit adjustment value, with the result of shortening the first intermediate variable to m bits as the adjustment value;
- first unit block decryption means with adjustment value for generating an n-bit fourth intermediate variable from the first intermediate variable, using the result of shortening the third intermediate variable to m bits as the adjustment value;
- reverse stirring means for concatenating the third and fourth intermediate variables and applying the universal-hash-function-based inverse permutation to generate a 2n-bit plaintext, and plaintext output means for outputting the 2n-bit plaintext.
- the double block length block encryption method of the present invention has a plaintext input process for inputting a 2n-bit plaintext to be encrypted; a stirring process for applying a universal-hash-function-based permutation to the 2n-bit plaintext to generate first and second intermediate variables of n bits each; a first unit block encryption process with adjustment value that uses the encryption function of an n-bit block cipher with m-bit adjustment value, with the result of shortening the second intermediate variable to m bits as the adjustment value; a second unit block encryption process with adjustment value that uses the result of shortening the third intermediate variable to m bits as the adjustment value; a reverse stirring process; and a ciphertext output process.
- the double block length block decryption method of the present invention has a ciphertext input process for inputting a 2n-bit ciphertext to be decrypted; a stirring process for applying a universal-hash-function-based permutation to the 2n-bit ciphertext to generate first and second intermediate variables of n bits each; a second unit block decryption process with adjustment value that uses the decryption function of the n-bit block cipher with m-bit adjustment value, with the result of shortening the first intermediate variable to m bits as the adjustment value; a first unit block decryption process with adjustment value;
- a reverse stirring process for generating a 2n-bit plaintext by concatenating the third and fourth intermediate variables and applying the universal-hash-function-based inverse permutation; and a plaintext output process for outputting the 2n-bit plaintext.
- the double block length block encryption program of the present invention is a program that causes a computer to execute the double block length block encryption method of the present invention.
- the double block length block decryption program of the present invention is a program that causes a computer to execute the double block length block decryption method of the present invention.
- a double block length block encryption apparatus, method and program, and a decryption apparatus, method and program, that can efficiently construct a double block length block cipher having theoretical resistance to birthday attacks from a realistic block cipher can thus be provided.
- the present invention realizes an efficient double block length block cipher that guarantees security beyond the birthday bound.
- the block cipher with adjustment value (m-bit adjustment value, n-bit block) used as a component is theoretically secure as long as the number of plaintext/ciphertext pairs available to the attacker is sufficiently smaller than 2^((n+m)/2), so the construction has theoretical resistance to birthday attacks.
- the block cipher with adjustment value itself needs to be secure beyond the birthday bound, but depending on the length of the adjustment value (determined by the required security level) it can be realized with an ordinary block cipher; there are also block ciphers with adjustment value designed as such from the outset, such as the Hasty Pudding Cipher described in R. Schroeppel, Specification for the Hasty Pudding Cipher, http://www.cs.arizona.edu/~rcs/hpc/hpc-spec, and D. Goldenberg, S. Hohenberger, M. Liskov, E. C. Schwartz, H.
- stirring is required at the beginning and at the end, but this can be realized with a universal hash function, which can be made to run significantly faster than the block cipher by optimizing it for the implementation environment.
- FIG. 1 shows the configuration of a double block length block encryption apparatus according to the first embodiment in which the present invention is preferably implemented.
- the double block length block encryption device 10 includes a plaintext input unit 100, a stirring unit 101, a first unit block encryption unit with adjustment value 102, a second unit block encryption unit with adjustment value 103, an inverse stirring unit 104, and a ciphertext output unit 105.
- the double block length block encryption device 10 can be realized by a CPU, a memory, and a disk. Each functional unit of the double block length block encryption device 10 can be realized by software processing by causing a program stored in a disk to be executed on the CPU.
- FIG. 2 shows a flow of information in the agitation unit 101, the first unit block encryption unit 102 with adjustment value, the second unit block encryption unit 103 with adjustment value, and the reverse agitation unit 104.
- the plaintext input unit 100 inputs 2n-bit plaintext to be encrypted. This is realized by a character input device such as a keyboard.
- the stirring unit 101 applies a simple keyed substitution mix1 to the input 2n-bit plaintext.
- cut is a function that extracts arbitrary m bits from an n-bit input.
- the least significant m bits may be taken out.
- the probability is taken over the randomness of the key of mix1.
- mix1 can be realized by permutation called Pairwise independent permutation on a 2n-bit space.
- mul(a, b) is the multiplication of elements a and b in GF(2^(2n))
- K1 and K2 are the keys of mix1
- K1 is distributed uniformly over GF(2^(2n)) excluding the zero element.
- K2 is distributed uniformly over all of GF(2^(2n)).
- a keyed function F (t-bit input, s-bit output) is called e-almost universal if, for any two distinct inputs x and x', Pr[F(x) = F(x')] is at most e.
- a keyed function having such a property is called a universal hash function and can be realized by multiplication on a finite field, or by the construction of S. Halevi and H.
- FIG. 3 shows a configuration in which the stirring unit 101 is realized using a Feistel-type permutation in the case m < n.
- the first unit block encryption unit with adjustment value 102 divides the output of the stirring unit 101 into two n-bit blocks, and encrypts the other using one as a parameter.
- the unit block encryption unit 102 with the first adjustment value has an adjustment value as shown in the following equation (5).
- K1 is the key of TWENC1.
- a block cipher with adjustment value is a block cipher that performs encryption using a parameter called an adjustment value (tweak) in addition to the secret key. Once the adjustment value and the key are fixed, plaintext and ciphertext must correspond one-to-one. That is, for an encryption function TWENC of the block cipher with adjustment value and the corresponding decryption function TWDEC, the following equation (6) always holds for plaintext M, ciphertext C, key K and adjustment value T.
- the block cipher with adjustment value used in the first unit block encryption unit 102 with adjustment value has an m-bit adjustment value and an n-bit block size as shown in Equation (5).
- K is the n-bit key of the block cipher.
- pad is an appropriate padding of n-m bits (for example, all zeros are appended).
- FIG. 5 shows TWENC at this time.
- the padding may simply be a process that fixes the remaining n-m bits and concatenates them with TE.
- this method requires m ≤ n/2 for security reasons.
- the second unit block encryption unit with adjustment value 103 divides the 2n bits output from the first unit block encryption unit with adjustment value 102 into two n-bit blocks, and encrypts one using the other as a parameter.
- the second unit block encryption unit with adjustment value 103 outputs 2n bits (UE, VE) using the encryption function TWENC2 (m-bit adjustment value, n-bit block) of the block cipher with adjustment value, as shown in the following equation (9).
- K2 is the key of TWENC2.
- TWENC2 may be generated as the following equation (10) according to FIG. 5 using an encryption function ENC of an n-bit block and an n-bit key block cipher.
- this method, like TWENC1, requires m ≤ n/2 for security reasons.
- the reverse agitation unit 104 applies a simple keyed replacement invmix2 to the 2n-bit output of the unit block encryption unit 103 with the second adjustment value.
- the output is invmix2 (UE, VE).
- mix2 may be mix1 with its left and right processing swapped, and invmix2 is uniquely determined once mix2 is defined.
- invmix2 is the inverse of the pairwise independent permutation of mix1; or, if mix1 is a Feistel-type permutation, with invmix2 input (UE, VE) and output (yL, yR), the following equations (13) and (14) may be used.
- FIG. 3 shows a configuration in which the reverse stirring unit 104 is realized using a Feistel-type permutation in the case m < n.
- the ciphertext output unit 105 outputs the ciphertext (yL, yR) input from the back agitation unit 104.
- the ciphertext output unit 105 can be realized by a computer display, a printer, or the like.
- when the 2n-bit block cipher obtained in this embodiment is used for encryption in communication or data storage, it is conceivable to use it in some encryption mode. That is, information such as packets to be encrypted is divided into 2n-bit units, and for communication, CBC mode or the OCB mode described by T. Krovetz and P. Rogaway applies.
- encryption of data storage such as a hard disk can be done by applying the method described in Document B. In this method, ECB mode encryption is performed while adding a mask value that depends on the sector of the hard disk and the byte position within the sector (one sector is usually 512 bytes).
- SecNum is a random number corresponding to the sector number (generated by encrypting the sector number with the block cipher), and mul(i, SecNum) denotes the multiplication of i and SecNum regarded as elements of the finite field GF(2^256).
- FIG. 6 shows an operation flow of the double block length block encryption apparatus according to the present embodiment.
- plain text (xL, xR) is input via the plain text input unit 100 (step S101), and an intermediate variable (SE, TE) is obtained by the stirring unit 101 (step S102).
- SE is encrypted according to equation (5) above by the first unit block encryption unit with adjustment value 102, using the m-bit part of TE as the adjustment value, and UE is obtained (step S103).
- TE is encrypted by the second unit block encryption unit with adjustment value 103, using the m-bit part of UE as the adjustment value, and VE is obtained (step S104).
- the obtained (UE, VE) is input to the back stirring unit 104, and the ciphertext (yL, yR) is output (step S105).
- FIG. 7 shows the configuration of the double block length block decoding apparatus according to this embodiment.
- the double block length block decryption device 20 includes a ciphertext input unit 200, a stirring unit 201, a second unit block decryption unit with adjustment value 202, a first unit block decryption unit with adjustment value 203, an inverse stirring unit 204, and a plaintext output unit 205.
- the double block length block decoding device 20 can be realized by a CPU, a memory, and a disk. Each functional unit of the double block length block decoding device 20 can be realized by software processing by causing a program stored on a disk to be executed on the CPU.
- FIG. 8 shows the flow of information in the agitation unit 201, the second unit block decoding unit with adjustment value 202, the first unit block decoding unit with adjustment value 203, and the back agitation unit 104.
- the ciphertext input unit 200 inputs a 2n-bit ciphertext to be decrypted. This is realized by a character input device such as a keyboard.
- the agitation unit 201 applies the keyed substitution mix2 to the input 2n-bit ciphertext.
- mix2 is the reverse replacement of the 2n-bit replacement invmix2 used by the reverse stirring unit 104 in the first embodiment.
- mix2 may compute the following equations (15) and (16) on the input ciphertext (yL, yR) and output (UD, VD).
- the second unit block decrypting unit 202 with adjustment value divides the output of the stirring unit 201 into two n-bit blocks, and encrypts the other using one as a parameter.
- the second unit block decryption unit with adjustment value 202 uses the decryption function TWDEC2 corresponding to the encryption function TWENC2 of the block cipher with adjustment value used by the second unit block encryption unit with adjustment value in the first embodiment: TD is obtained from (UD, VD) by the following equation (17), and (UD, TD) is output.
- the key K2 of TWDEC2 is the same value as K2 in the above equation (9).
- TWDEC2 can also be realized using the encryption function ENC and the decryption function DEC of a block cipher with an n-bit block and an n-bit key. Specifically, the following equation (18) is defined for the n-bit key K, the n-bit ciphertext C and the m-bit adjustment value T. FIG. 11 shows TWDEC at this time.
- the padding may simply be a process that fixes the remaining n-m bits and concatenates them with UD.
- this method requires m ≤ n/2 for security reasons, as in the case of TWENC.
- the first unit block decryption unit with adjustment value 203 divides the 2n bits output from the second unit block decryption unit with adjustment value 202 into two n-bit blocks, and decrypts one using the other as a parameter.
- the first unit block decryption unit with adjustment value 203 uses the decryption function TWDEC1 corresponding to the encryption function TWENC1 (m-bit adjustment value, n-bit block) of the block cipher with adjustment value used by the first unit block encryption unit with adjustment value 102 in the first embodiment, and from (UD, TD) outputs 2n bits (SD, TD) by the following equation (20).
- the key K1 of TWDEC1 is the same value as K1 in the above equation (5).
- when TWENC1 is realized with the encryption function ENC of the n-bit block cipher as in the above equation (8), TWDEC1 is realized, in the same way as TWDEC2, with the encryption function ENC and the decryption function DEC of the n-bit block cipher, giving the following equation (21).
- the reverse stirring unit 204 applies the keyed replacement invmix1 to the output of the unit block decryption unit 203 with the first adjustment value.
- invmix1 is the reverse substitution of the substitution mix1 used by the stirring unit 101 in the first embodiment.
- the plaintext output unit 205 outputs plaintext (xL, xR) given from the back stirring unit 204.
- the plaintext output unit 205 can be realized by a computer display, a printer, or the like.
- FIG. 12 shows an operation flow of the double block length block decoding device 20 according to the present embodiment.
- the ciphertext (yL, yR) is input via the ciphertext input unit 200 (step S201), and the intermediate variable (UD, VD) is obtained by the stirring unit 201 (step S202).
- VD is decrypted according to the above equation (17) using the m-bit part of UD as the adjustment value to obtain TD (step S203).
- the first unit block decryption unit with adjustment value 203 decrypts UD using the m-bit part of TD as the adjustment value to obtain SD (step S204).
- the obtained (SD, TD) is input to the back stirring unit 204, and plain text (xL, xR) is output (step S205).
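The encryption flow of FIG. 6 (steps S101 to S105) and the decryption flow of FIG. 12 (steps S201 to S205), carried through in working code as an added example; this is not code from the patent or from its applicant. It assumes n = 64 and m = 32 (so m ≤ n/2, as the text requires for the key-derivation construction), a toy n-bit block cipher built as a 4-round Feistel network with a SHA-256 round function standing in for ENC/DEC, mix1 and mix2 realized as pairwise independent permutations mul(K, x) ⊕ K' over GF(2^128) with the reduction polynomial x^128 + x^7 + x^2 + x + 1, cut taking the least significant m bits, pad appending n - m zero bits, and TWENC/TWDEC built by the key-derivation construction of claim 3 (ENC_K(pad(T)) used as the block key). The names DoubleBlockCipher, twenc, twdec, gf_mul and gf_inv are this example's own.

```python
import hashlib
import secrets

N, M = 64, 32                  # n-bit block cipher, m-bit adjustment value (tweak); assumed sizes
assert M <= N // 2             # the text requires m <= n/2 for the key-derivation TWENC
MASK_N, MASK_M = (1 << N) - 1, (1 << M) - 1
POLY = (1 << 2 * N) | 0x87     # x^128 + x^7 + x^2 + x + 1, an assumed irreducible polynomial

def gf_mul(a: int, b: int) -> int:
    """mul(a, b): multiplication in GF(2^{2n}), bit-serial with reduction by POLY."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a >> (2 * N):
            a ^= POLY
    return p

def gf_inv(a: int) -> int:
    """a^{-1} = a^(2^{2n} - 2) by square-and-multiply; used to build invmix1 and invmix2."""
    result, base, e = 1, a, (1 << 2 * N) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def _f(key: int, rnd: int, half: int) -> int:
    """Feistel round function: leading n/2 bits of SHA-256(key || round || half)."""
    data = key.to_bytes(N // 8, "big") + bytes([rnd]) + half.to_bytes(N // 16, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: N // 16], "big")

def enc(key: int, x: int) -> int:
    """ENC: toy n-bit block cipher with n-bit key (4-round Feistel), a stand-in only."""
    left, right = x >> (N // 2), x & ((1 << N // 2) - 1)
    for i in range(4):
        left, right = right, left ^ _f(key, i, right)
    return (left << (N // 2)) | right

def dec(key: int, y: int) -> int:
    """DEC: inverse of enc (rounds undone in reverse order)."""
    left, right = y >> (N // 2), y & ((1 << N // 2) - 1)
    for i in reversed(range(4)):
        left, right = right ^ _f(key, i, left), left
    return (left << (N // 2)) | right

def cut(x: int) -> int:
    """cut: shorten an n-bit value to m bits by keeping its least significant m bits."""
    return x & MASK_M

def pad(t: int) -> int:
    """pad: extend the m-bit adjustment value to n bits by appending n-m zero bits."""
    return t << (N - M)

def twenc(k: int, t: int, x: int) -> int:
    """TWENC_K(T, X): encrypt pad(T) under K to derive a block key, then encrypt X with it."""
    return enc(enc(k, pad(t)), x)

def twdec(k: int, t: int, y: int) -> int:
    """TWDEC_K(T, Y): same derived block key, then DEC."""
    return dec(enc(k, pad(t)), y)

class DoubleBlockCipher:
    """2n-bit block cipher: mix1, two tweaked unit-block encryptions, invmix2 (FIG. 6)."""

    def __init__(self, k1: int, k2: int, k3: int, k4: int, ka: int, kb: int):
        if not (0 < k1 < 1 << 2 * N and 0 < k3 < 1 << 2 * N):
            raise ValueError("mix keys K1 and K3 must be non-zero elements of GF(2^{2n})")
        self.k1, self.k2, self.k3, self.k4 = k1, k2, k3, k4   # mix1 = K1*x ^ K2, mix2 = K3*x ^ K4
        self.ka, self.kb = ka, kb                              # keys of TWENC1 and TWENC2
        self.k1_inv, self.k3_inv = gf_inv(k1), gf_inv(k3)      # precomputed for invmix1 / invmix2

    @classmethod
    def generate(cls):
        """Fresh keys: K1, K3 non-zero in GF(2^{2n}) (| 1 forces that); K2, K4 uniform; KA, KB n-bit."""
        k1, k3 = secrets.randbits(2 * N) | 1, secrets.randbits(2 * N) | 1
        return cls(k1, secrets.randbits(2 * N), k3, secrets.randbits(2 * N),
                   secrets.randbits(N), secrets.randbits(N))

    def encrypt(self, xL: int, xR: int):
        s = gf_mul(self.k1, (xL << N) | xR) ^ self.k2          # S102: (SE, TE) = mix1(xL, xR)
        SE, TE = s >> N, s & MASK_N
        UE = twenc(self.ka, cut(TE), SE)                       # S103: UE = TWENC1(cut(TE), SE)
        VE = twenc(self.kb, cut(UE), TE)                       # S104: VE = TWENC2(cut(UE), TE)
        y = gf_mul(self.k3_inv, ((UE << N) | VE) ^ self.k4)    # S105: (yL, yR) = invmix2(UE, VE)
        return y >> N, y & MASK_N

    def decrypt(self, yL: int, yR: int):
        u = gf_mul(self.k3, (yL << N) | yR) ^ self.k4          # S202: (UD, VD) = mix2(yL, yR)
        UD, VD = u >> N, u & MASK_N
        TD = twdec(self.kb, cut(UD), VD)                       # S203: TD = TWDEC2(cut(UD), VD)
        SD = twdec(self.ka, cut(TD), UD)                       # S204: SD = TWDEC1(cut(TD), UD)
        x = gf_mul(self.k1_inv, ((SD << N) | TD) ^ self.k2)    # S205: (xL, xR) = invmix1(SD, TD)
        return x >> N, x & MASK_N

if __name__ == "__main__":
    cipher = DoubleBlockCipher.generate()
    xL, xR = 0x0123456789ABCDEF, 0xFEDCBA9876543210          # constructed sample plaintext
    yL, yR = cipher.encrypt(xL, xR)
    assert cipher.decrypt(yL, yR) == (xL, xR)
    print(f"plaintext  {xL:016x}{xR:016x}\nciphertext {yL:016x}{yR:016x}")
```

Running the file encrypts the constructed sample plaintext and checks that decryption restores it. Because mix1 and mix2 are keyed by field elements, K1 and K3 must be non-zero for the permutations to be invertible, which is why the constructor rejects zero; the inverses K1^-1 and K3^-1 are computed once at key setup so that invmix1 and invmix2 cost one field multiplication per block, the same as mix1 and mix2.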
- each said embodiment is an example of suitable implementation of this invention, and this invention is not limited to these.
- the present invention is applicable to uses such as authentication and encryption in wireless or wired data communication, and uses such as encryption of data on a storage and prevention of tampering.
- 10 double block length block encryption device
- 20 double block length block decryption device
- 100 plaintext input unit
- 101, 201 stirring unit
- 102 first unit block encryption unit with adjustment value
- 103 second unit block encryption unit with adjustment value
- 104, 204 reverse stirring unit
- 105 ciphertext output unit
- 200 ciphertext input unit
- 202 second unit block decryption unit with adjustment value
- 203 first unit block encryption unit with adjustment value
- 205 plaintext output unit
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
Description
FIG. 1 shows the configuration of a double-block-length block encryption device according to a first embodiment in which the present invention is preferably implemented. The double-block-length block encryption device 10 has a plaintext input unit 100, a stirring unit 101, a first unit block encryption unit with adjustment value 102, a second unit block encryption unit with adjustment value 103, a reverse stirring unit 104, and a ciphertext output unit 105.
A second embodiment in which the present invention is preferably implemented will be described.
20 double-block-length block decryption device
100 plaintext input unit
101, 201 stirring unit
102 first unit block encryption unit with adjustment value
103 second unit block encryption unit with adjustment value
104, 204 reverse stirring unit
105 ciphertext output unit
200 ciphertext input unit
202 second unit block decryption unit with adjustment value
203 first unit block encryption unit with adjustment value
205 plaintext output unit
Claims (12)
- A double-block-length block encryption device comprising:
plaintext input means for inputting a 2n-bit plaintext to be encrypted;
stirring means for applying a universal-hash-function-based permutation to the 2n-bit plaintext to generate first and second intermediate variables of n bits each;
first unit block encryption means with adjustment value for generating an n-bit third intermediate variable by encrypting the first intermediate variable, using an encryption function of an n-bit block cipher with m-bit adjustment value, with the result of shortening the second intermediate variable to m bits as the adjustment value;
second unit block encryption means with adjustment value for obtaining an n-bit fourth intermediate variable by encrypting the second intermediate variable, using the encryption function of the n-bit block cipher with m-bit adjustment value, with the result of shortening the third intermediate variable to m bits as the adjustment value;
reverse stirring means for concatenating the third and fourth intermediate variables and applying universal-hash-function-based reverse stirring to generate a 2n-bit ciphertext; and
ciphertext output means for outputting the 2n-bit ciphertext.
- The double-block-length block encryption device according to claim 1, wherein the universal-hash-function-based permutation and the universal-hash-function-based inverse permutation are constructed by repeating a Feistel-type permutation, whose round function is a universal hash function, once when m = n and twice when m < n.
- The double-block-length block encryption device according to claim 1 or 2, wherein the encryption function is an encryption function with a plaintext block length of n bits and a key length of n bits,
the first unit block encryption means with adjustment value generates the third intermediate variable by taking the adjustment value padded to n bits as a plaintext, encrypting that plaintext with an n-bit key using the encryption function, taking the encrypted result as an n-bit key, and encrypting the first intermediate variable as a plaintext with that n-bit key using the encryption function, and
the second unit block encryption means with adjustment value generates the fourth intermediate variable by taking the adjustment value padded to n bits as a plaintext, encrypting that plaintext with an n-bit key using the encryption function, taking the encrypted result as an n-bit key, and encrypting the third intermediate variable as a plaintext with that n-bit key using the encryption function.
- The double-block-length block encryption device according to any one of claims 1 to 3, wherein the encryption function of the n-bit block cipher with m-bit adjustment value used by the first and second unit block encryption means with adjustment value is a function for performing encryption with an adjustment value by adding the adjustment value to an intermediate variable in the encryption processing of the n-bit block cipher.
- A double-block-length block decryption device comprising:
ciphertext input means for inputting a 2n-bit ciphertext to be decrypted;
stirring means for applying a universal-hash-function-based permutation to the 2n-bit ciphertext to generate first and second intermediate variables of n bits each;
second unit block decryption means with adjustment value for generating an n-bit third intermediate variable by encrypting the second intermediate variable, using a decryption function of an n-bit block cipher with m-bit adjustment value, with the result of shortening the first intermediate variable to m bits as the adjustment value;
first unit block decryption means with adjustment value for generating an n-bit fourth intermediate variable by encrypting the first intermediate variable, using the decryption function of the n-bit block cipher with m-bit adjustment value, with the result of shortening the third intermediate variable to m bits as the adjustment value;
reverse stirring means for concatenating the third and fourth intermediate variables and applying a universal-hash-function-based inverse permutation to generate a 2n-bit plaintext; and
plaintext output means for outputting the 2n-bit plaintext.
- The double-block-length block decryption device according to claim 5, wherein the universal-hash-function-based permutation and the universal-hash-function-based inverse permutation are constructed by repeating a Feistel-type permutation, whose round function is a universal hash function, once when m = n and twice when m < n.
- The double-block-length block encryption device according to claim 5 or 6, wherein the decryption function is a decryption function with a ciphertext block length of n bits and a key length of n bits,
the first unit block decryption means with adjustment value generates the third intermediate variable by taking the adjustment value padded to n bits as a ciphertext, decrypting that ciphertext with an n-bit key using the decryption function, taking the decrypted result as an n-bit key, and decrypting the first intermediate variable as a ciphertext with that n-bit key using the decryption function, and
the second unit block decryption means with adjustment value generates the fourth intermediate variable by taking the adjustment value padded to n bits as a ciphertext, decrypting that ciphertext with an n-bit key using the decryption function, taking the decrypted result as an n-bit key, and decrypting the first intermediate variable as a ciphertext with that n-bit key using the decryption function.
- The double-block-length block decryption device according to any one of claims 5 to 7, wherein the decryption function of the n-bit block cipher with m-bit adjustment value used by the first and second unit block decryption means with adjustment value is a function for performing decryption with an adjustment value by adding the adjustment value to an intermediate variable in the decryption processing of the n-bit block cipher E.
- A double-block-length block encryption method comprising:
a plaintext input process for inputting a 2n-bit plaintext to be encrypted;
a stirring process for applying a universal-hash-function-based permutation to the 2n-bit plaintext to generate first and second intermediate variables of n bits each;
a first unit block encryption process with adjustment value for generating an n-bit third intermediate variable by encrypting the first intermediate variable, using an encryption function of an n-bit block cipher with m-bit adjustment value, with the result of shortening the second intermediate variable to m bits as the adjustment value;
a second unit block encryption process with adjustment value for obtaining an n-bit fourth intermediate variable by encrypting the second intermediate variable, using the encryption function of the n-bit block cipher with m-bit adjustment value, with the result of shortening the third intermediate variable to m bits as the adjustment value;
a reverse stirring process for concatenating the third and fourth intermediate variables and applying universal-hash-function-based reverse stirring to generate a 2n-bit ciphertext; and
a ciphertext output process for outputting the 2n-bit ciphertext.
- A double-block-length block decryption method comprising:
a ciphertext input process for inputting a 2n-bit ciphertext to be decrypted;
a stirring process for applying a universal-hash-function-based permutation to the 2n-bit ciphertext to generate first and second intermediate variables of n bits each;
a second unit block decryption process with adjustment value for generating an n-bit third intermediate variable by encrypting the second intermediate variable, using a decryption function of an n-bit block cipher with m-bit adjustment value, with the result of shortening the first intermediate variable to m bits as the adjustment value;
a first unit block decryption process with adjustment value for generating an n-bit fourth intermediate variable by encrypting the first intermediate variable, using the decryption function of the n-bit block cipher with m-bit adjustment value, with the result of shortening the third intermediate variable to m bits as the adjustment value;
a reverse stirring process for concatenating the third and fourth intermediate variables and applying a universal-hash-function-based inverse permutation to generate a 2n-bit plaintext; and
a plaintext output process for outputting the 2n-bit plaintext.
- A double-block-length block encryption program that causes a computer to execute the double-block-length block encryption method according to claim 9.
- A double-block-length block decryption program that causes a computer to execute the double-block-length block decryption method according to claim 10.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2010526596A JPWO2010024003A1 (ja) | 2008-08-29 | 2009-05-22 | Double-block-length block encryption device, decryption device, encryption method and decryption method, and program therefor |
US13/060,580 US20110150225A1 (en) | 2008-08-29 | 2009-05-22 | Encryption devices for block having double block length, decryption devices, encryption method, decryption method, and programs thereof |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2008221631 | 2008-08-29 | ||
JP2008-221631 | 2008-08-29 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010024003A1 true WO2010024003A1 (ja) | 2010-03-04 |
Family
ID=41721180
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2009/059437 WO2010024003A1 (ja) | 2008-08-29 | 2009-05-22 | Double-block-length block encryption device, decryption device, encryption method and decryption method, and program therefor |
Country Status (3)
Country | Link |
---|---|
US (1) | US20110150225A1 (ja) |
JP (1) | JPWO2010024003A1 (ja) |
WO (1) | WO2010024003A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012105352A1 (ja) * | 2011-01-31 | 2012-08-09 | 日本電気株式会社 | Block encryption device, decryption device, encryption method, decryption method and program |
CN106463069A (zh) * | 2014-05-14 | 2017-02-22 | 三菱电机株式会社 | Encryption device, storage system, decryption device, encryption method, decryption method, encryption program and decryption program |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102447476B1 (ko) | 2015-08-20 | 2022-09-27 | 삼성전자주식회사 | Encryption/decryption device, storage device including the same, and encryption/decryption method thereof |
EP3391607B1 (en) * | 2015-12-18 | 2019-12-04 | Telefonaktiebolaget LM Ericsson (publ) | Method of generating a pseudonym associated with a communication device, a network node, computer program and computer program product |
CN111052670B (zh) * | 2017-09-01 | 2024-02-09 | 三菱电机株式会社 | Encryption device, decryption device, encryption method, decryption method and computer-readable storage medium |
TW201919361A (zh) * | 2017-11-09 | 2019-05-16 | 張英輝 | Method of block encryption with protection strengthened by junk text, and decryption thereof |
CN108494554B (zh) * | 2018-03-22 | 2020-10-13 | 武汉大学 | A symmetric data encryption method based on double plaintexts |
US20220006791A1 (en) * | 2021-07-15 | 2022-01-06 | Mohammed Mujib Alshahrani | Secured Node Authentication and Access Control Model for IoT Smart City |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006064763A1 (ja) * | 2004-12-17 | 2006-06-22 | Nec Corporation | Common key block encryption device, common key block encryption method and common key block encryption program |
WO2007069236A2 (en) * | 2005-12-14 | 2007-06-21 | Nds Limited | Method and system for usage of block cipher encryption |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5949884A (en) * | 1996-11-07 | 1999-09-07 | Entrust Technologies, Ltd. | Design principles of the shade cipher |
US7200227B2 (en) * | 2001-07-30 | 2007-04-03 | Phillip Rogaway | Method and apparatus for facilitating efficient authenticated encryption |
US20020076044A1 (en) * | 2001-11-16 | 2002-06-20 | Paul Pires | Method of and system for encrypting messages, generating encryption keys and producing secure session keys |
US20040131182A1 (en) * | 2002-09-03 | 2004-07-08 | The Regents Of The University Of California | Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher |
US8379841B2 (en) * | 2006-03-23 | 2013-02-19 | Exegy Incorporated | Method and system for high throughput blockwise independent encryption/decryption |
JP5402632B2 (ja) * | 2007-08-06 | 2014-01-29 | 日本電気株式会社 | Common key block encryption device, common key block encryption method and program |
2009
- 2009-05-22 JP JP2010526596A patent/JPWO2010024003A1/ja active Pending
- 2009-05-22 US US13/060,580 patent/US20110150225A1/en not_active Abandoned
- 2009-05-22 WO PCT/JP2009/059437 patent/WO2010024003A1/ja active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006064763A1 (ja) * | 2004-12-17 | 2006-06-22 | Nec Corporation | Common key block encryption device, common key block encryption method and common key block encryption program |
WO2007069236A2 (en) * | 2005-12-14 | 2007-06-21 | Nds Limited | Method and system for usage of block cipher encryption |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012105352A1 (ja) * | 2011-01-31 | 2012-08-09 | 日本電気株式会社 | Block encryption device, decryption device, encryption method, decryption method and program |
JP5365750B2 (ja) * | 2011-01-31 | 2013-12-11 | 日本電気株式会社 | Block encryption device, decryption device, encryption method, decryption method and program |
US8891761B2 (en) | 2011-01-31 | 2014-11-18 | Nec Corporation | Block encryption device, decryption device, encrypting method, decrypting method and program |
CN106463069A (zh) * | 2014-05-14 | 2017-02-22 | 三菱电机株式会社 | Encryption device, storage system, decryption device, encryption method, decryption method, encryption program and decryption program |
Also Published As
Publication number | Publication date |
---|---|
US20110150225A1 (en) | 2011-06-23 |
JPWO2010024003A1 (ja) | 2012-01-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2010024003A1 (ja) | Double-block-length block encryption device, decryption device, encryption method and decryption method, and program therefor | |
KR101516574B1 (ko) | Variable-length block cipher device and method for format-preserving encryption | |
WO2015015702A1 (ja) | Authenticated encryption device, authenticated encryption method and program for authenticated encryption | |
JP2010140026A (ja) | Method and apparatus for a chained encryption mode | |
JPH0863097A (ja) | Symmetric encryption method and system for encrypting data | |
WO2011105367A1 (ja) | Block encryption device, block decryption device, block encryption method, block decryption method and program | |
US8437470B2 (en) | Method and system for block cipher encryption | |
JP5333450B2 (ja) | Block encryption device, method and program with adjustment value, and decryption device, method and program | |
JP5365750B2 (ja) | Block encryption device, decryption device, encryption method, decryption method and program | |
Masoodi et al. | Symmetric algorithms I | |
CN109714154B (zh) | Implementation method for a white-box cryptographic algorithm under a code-size-hard white-box security model | |
Rosenthal | A polynomial description of the Rijndael Advanced Encryption Standard | |
Sousi et al. | Aes encryption: Study & evaluation | |
WO2012060685A1 (en) | A method for linear transformation in substitution-permutation network symmetric-key block cipher | |
Djordjevic et al. | Conventional Cryptography Fundamentals | |
Hallappanavar et al. | Efficient implementation of AES by modifying S-Box | |
Salman | New method for encryption using mixing advanced encryption standard and blowfish algorithms | |
Anand et al. | Enhanced AES algorithm using 512 bit key implementation | |
Yan et al. | Secret-Key Cryptography | |
Dash et al. | A survey on symmetric text encryption techniques | |
Darwish | Cryptographic Algorithms (AES, RSA) | |
Kangude et al. | Advanced Encryption Standard | |
WO2009081975A1 (ja) | Encryption device, decryption device, encryption method, decryption method and program | |
Rayarikar et al. | An Encryption Algorithm for Secure Data Transmission | |
Cook et al. | Elastic aes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 09809658 Country of ref document: EP Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase |
Ref document number: 13060580 Country of ref document: US Ref document number: 2010526596 Country of ref document: JP |
NENP | Non-entry into the national phase |
Ref country code: DE |
122 | Ep: pct application non-entry in european phase |
Ref document number: 09809658 Country of ref document: EP Kind code of ref document: A1 |