WO2010024004A1 - Tweakable block encrypting device, tweakable block encrypting method, tweakable block encrypting program, tweakable block decrypting device, tweakable block decrypting method, and tweakable block decrypting program - Google Patents


Info

Publication number: WO2010024004A1
Application number: PCT/JP2009/059438
Authority: WO (WIPO (PCT))
Prior art keywords: adjustment value, value, bit, block, key
Other languages: French (fr), Japanese (ja)
Inventor: 一彦 峯松 (Kazuhiko Minematsu)
Original assignee: 日本電気株式会社 (NEC Corporation)
Priority application: JP2010526597A (granted as JP5333450B2)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/06 the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators > H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00 > H04L 2209/04 Masking or blinding > H04L 2209/046 Masking or blinding of operations, operands or results of the operations
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00 > H04L 2209/12 Details relating to cryptographic hardware or logic circuitry

Definitions

  • The present invention relates to a mode of operation of a block cipher, and more particularly to a tweakable (adjustment-value-attached) block encryption device, method and program, and corresponding decryption device, method and program, that are general-purpose and highly secure when built from an n-bit block cipher.
  • A block cipher is a family of permutations selected by a key; the input to the permutation is the plaintext and the output is the ciphertext. The length of the plaintext or ciphertext is called the block size, and a block cipher with a block size of n bits is called an n-bit block cipher.
  • A tweakable block cipher is a block cipher that takes an additional input called a tweak (adjustment value) besides the usual plaintext, ciphertext and key. Once the tweak and the key are fixed, plaintext and ciphertext must correspond one-to-one. That is, the encryption function TWENC of any tweakable block cipher and the corresponding decryption function TWDEC satisfy equation (1) for plaintext M, ciphertext C, key K and tweak T: if C = TWENC(K, T, M) then TWDEC(K, T, C) = M.
  • Non-Patent Document 1 gives the formal definition and security requirements of a tweakable block cipher, including equation (1). Informally, the outputs of the cipher under two different tweaks must look to an attacker like mutually independent random values, even when the attacker knows the tweaks and the inputs. A tweakable block cipher with this property is called secure.
  • Non-Patent Document 1 also shows that a provably secure tweakable block cipher can be obtained as a mode of operation (hereinafter "mode") of an ordinary block cipher, i.e. as a transformation that uses the block cipher as a black box. Provable security here means that the security of the tweakable block cipher obtained as a mode reduces to the security of the underlying block cipher: as long as a secure block cipher is used, the resulting tweakable block cipher is also secure.
  • Two notions of security are distinguished: security when the attacker can only mount a chosen-plaintext attack (CPA), and security when the attacker can combine chosen-plaintext and chosen-ciphertext attacks (CCA). The former is called CPA-security and the latter CCA-security.
  • Secure tweakable block ciphers are known to be a key technology for realising advanced cryptographic functions. Non-Patent Document 2 points out that a CCA-secure tweakable block cipher yields a very efficient authenticated encryption scheme, and that a CCA-secure tweakable block cipher also yields an efficient, parallelisable message authentication code. A CCA-secure tweakable block cipher is also known to be an indispensable technique for storage encryption such as disk sector encryption.
  • The mode proposed in Non-Patent Document 1 is referred to here as LRW mode. Figs. 9(a) and 9(b) show LRW mode built from an n-bit block cipher E with encryption function Enc and decryption function Dec. Given key K, tweak T and plaintext M, LRW mode produces the ciphertext C by equation (2), C = Enc(K1, M + F(K2, T)) + F(K2, T), and recovers M by equation (3), M = Dec(K1, C + F(K2, T)) + F(K2, T).
  • Here K1 is the block cipher key and K2 is the key of a keyed function F, called the offset function, whose output is added before and after the block cipher. F must satisfy equation (4) for any c, x, x' with x ≠ x', where e (0 ≤ e ≤ 1) is the security parameter: Pr[F(K, x) + F(K, x') = c] ≤ e, the probability being taken over the key K. Throughout, + denotes exclusive OR (XOR).
  • A function with this property is called e-almost XOR universal (e-AXU); e-AXU functions are a kind of universal hash function. A well-known realisation is F(K2, T) = mul(K2, T), the multiplication in the finite field GF(2^n), which is 1/2^n-AXU.
  • e-AXU functions can also be realised by the methods proposed in Non-Patent Document 3 and elsewhere, which in certain implementation environments are known to run several times faster than a typical block cipher.
  • Known constructions of a tweakable block cipher from an n-bit block cipher are the LRW mode of Non-Patent Document 1 and its variants, the XE and XEX modes of Non-Patent Document 2. LRW mode and XEX mode have the form of equations (2) and (3) and are CCA-secure.
  • XE mode omits the outer offset and has the form of equation (5), C = Enc(K1, M + F(K2, T)); it is CPA-secure.
  • In LRW mode K2 is independent of K1, whereas in XE and XEX modes K2 is derived by encrypting a fixed plaintext (for example, a constant n-bit block) with Enc(K1, *), which reduces the key size.
  • In all of these modes the security guarantee holds only while the number q of encryptions performed under one key is much smaller than 2^(n/2) (written q << 2^(n/2)). 2^(n/2) is called the birthday bound, and an attack that uses about that many encryptions is called a birthday attack. Such an attack is a real threat for a 64-bit block cipher and is regarded as a future risk even for a 128-bit block cipher.
  • Non-Patent Document 4 describes a tweakable block cipher construction that is secure for q << 2^n. There, however, the underlying block cipher is a Feistel cipher with a 2n-bit block, so the problem addressed is different: only security up to the birthday bound of the underlying block size (2n bits) is guaranteed.
  • Non-Patent Document 5 and other conventional methods prepare a separate n-bit block cipher key for each tweak. This is simple and gives security beyond the birthday bound when the key is much longer than n bits (for example 2n or 3n bits), or when the key is n bits and the tweak is very short. However, when the tweak has a moderate length (for example n/2 bits) and the key is n bits, this method cannot in general guarantee security beyond the birthday bound.
  • Thus tweakable block ciphers built from a block cipher have so far only been realised by methods that can be broken by a birthday attack.
  • The present invention has been made in view of these problems. Its object is to provide a tweakable block encryption device, method and program, and a corresponding decryption device, method and program, that yield a tweakable block cipher with provable resistance to birthday attacks from a practical block cipher.
  • In a first aspect, the invention provides a tweakable block encryption device comprising: input means for inputting an n-bit plaintext and an n-bit tweak; tweak-dependent key derivation means that encrypts the tweak with the n-bit block cipher, fixes some n-m bits of the result to an arbitrary value (m < n/2 being the security parameter), and encrypts the fixed result with an encryption process having an n-bit input to produce a tweak-dependent key; masked block encryption means that generates a mask value by feeding the tweak to a keyed function, adds the mask value to the plaintext, encrypts the sum with the n-bit block cipher under the tweak-dependent key, and adds the mask value to the result to produce the ciphertext; and output means for outputting the ciphertext.
  • In a second aspect, the invention provides a tweakable block decryption device comprising: input means for inputting an n-bit ciphertext and an n-bit tweak; tweak-dependent key derivation means that encrypts the tweak with the n-bit block cipher, fixes some n-m bits of the result to an arbitrary value (1 < m < n/2), and encrypts the fixed result with an encryption process having an n-bit input to produce the tweak-dependent key; masked block decryption means that generates the mask value by feeding the tweak to the keyed function, adds the mask value to the ciphertext, decrypts the sum with the decryption function of the n-bit block cipher under the tweak-dependent key, and adds the mask value to the result to produce the plaintext; and output means for outputting the plaintext.
  • In a third aspect, the invention provides a tweakable block encryption method with an input step, a tweak-dependent key derivation step, a masked block encryption step and an output step corresponding to the means of the first aspect, and in a fourth aspect a tweakable block decryption method with an input step, a tweak-dependent key derivation step, a masked block decryption step and an output step corresponding to the means of the second aspect.
  • The invention further provides a program that causes a computer to execute the tweakable block encryption method of the third aspect, and a program that causes a computer to execute the tweakable block decryption method of the fourth aspect.
  • The invention thus provides a tweakable block encryption device, method and program, and a decryption device, method and program, that yield a tweakable block cipher with provable resistance to birthday attacks from a practical block cipher.
  • The invention efficiently realises a tweakable block cipher whose security is guaranteed beyond the birthday bound. Assuming that the component block cipher E (n-bit key, n-bit block) is secure and that m < n/2 is the security parameter, the construction is provably secure as long as the number of plaintext/ciphertext pairs available to the attacker is much smaller than 2^((n+m)/2); that is, it provably resists a birthday attack using 2^(n/2) encryptions, and the strength of this resistance can be controlled by m.
  • The mpad function limits the number of tweak-dependent key variations to 2^m, and adding a tweak-dependent mask value before and after the block cipher guarantees security beyond the birthday bound against chosen-ciphertext attacks. If the mask addition on the ciphertext side is omitted, the processing is slightly simpler but only security beyond the birthday bound against chosen-plaintext attacks is guaranteed.
  • Fig. 1 shows the configuration of the tweakable block encryption device of this embodiment. The tweakable block encryption device 10 comprises an input unit 100, a tweak-dependent key derivation unit 101, a masked block encryption unit 102 and an output unit 103. It can be realised by a CPU, a memory and a disk, each functional unit being realised by a program stored on the disk and executed on the CPU.
  • The block cipher used has an n-bit block and an n'-bit key, and m (1 < m < n/2) is the security parameter that determines the security level.
  • The input unit 100 inputs the n-bit plaintext M to be encrypted and the n-bit tweak T; it may be realised as a character input device such as a keyboard.
  • Fig. 2 shows the flow of information in the tweak-dependent key derivation unit 101 and the masked block encryption unit 102. As shown in Fig. 3, if the mask addition on the ciphertext side is omitted, the processing is slightly simpler but only security beyond the birthday bound against chosen-plaintext attacks is guaranteed.
  • The tweak-dependent key derivation unit 101 generates a new block cipher key, the tweak-dependent key L, from the input tweak T and the key K. L can be realised by equation (6): T is encrypted with Enc(K1, *), mpad is applied to the result, and the padded value is encrypted under a key K2. The block cipher keys K1 and K2 are derived from the device key K by any suitable method (for example, if K is at least 2n bits long, the first n bits are K1 and the next n bits are K2).
  • mpad is a function that fixes some n-m bits of its n-bit input to an arbitrary value, m being the security parameter; for example, it may set the upper n-m bits to zero.
  • The encryption process under key K2 may be any encryption function with an n-bit input and an n'-bit output, such as a keyed one-way hash function. When n' > n it can also be realised with the SUM mode described in Stefan Lucks, "The Sum of PRPs Is a Secure PRF", EUROCRYPT 2000, Bruges, Belgium, May 14-18, 2000, Proceedings, Lecture Notes in Computer Science 1807, Springer 2000, pp. 470-484, and in T. Iwata, "New Blockcipher Modes of Operation".
  • The masked block encryption unit 102 encrypts the plaintext M into the ciphertext C using the tweak-dependent key L output by the tweak-dependent key derivation unit 101 and a mask value derived from the tweak T. When a chosen-ciphertext attack is assumed, C is given by equation (7): the mask value S = F(K3, T) is added to M, the sum is encrypted with Enc(L, *), and S is added to the result. When only a chosen-plaintext attack is assumed, the mask addition after the block cipher is omitted.
  • K3 is a key derived from the device key K in the same way as K1 and K2 in equation (6), and F(K3, T) is the keyed function F applied to T under the key K3. F must be an e-AXU function in the sense of equation (4) for any two distinct tweaks T and T'. It can be realised, for example, as the multiplication mul(K3, T) of the n-bit key K3 and the tweak T in the finite field GF(2^n); F is then defined by equation (9), F(K3, T) = mul(K3, T), and is 1/2^n-AXU.
  • The output unit 103 outputs the ciphertext C produced by the masked block encryption unit 102; it can be realised by a computer display, a printer or the like.
  • When the tweakable block encryption device of this embodiment is used for encryption in communication or data storage, the block cipher with n-bit block and n-bit tweak obtained here can be used in any mode of operation for tweakable block ciphers, for example Tweak Block Chaining, Tweak Chain Hash or Tweakable Authenticated Encryption described in Non-Patent Document 1. The modes discussed in the IEEE standardisation of storage encryption can also be applied: encryption is performed in parallel as in ECB mode, while a mask value depending on the hard disk sector and the byte position within the sector (one sector is usually 512 bytes) is added.
  • For example, with n = 128, let TENC denote the encryption function of the block cipher with 128-bit block and 128-bit tweak obtained in this embodiment (encryption of plaintext M under key K and tweak T being TENC(K, T, M)). The sector contents are first divided into 128-bit (16-byte) blocks (m1, m2, ..., m32), each mi being 16 bytes, and SecNum is the sector number.
  • Fig. 4 shows the operation flow of the tweakable block encryption device of this embodiment. The n-bit plaintext M and the n-bit tweak T are input through the input unit 100 (step S101); the tweak-dependent key derivation unit 101 obtains the tweak-dependent key L by equation (6) (step S102); the masked block encryption unit 102 generates the mask value S by equation (7) (step S103) and performs masked encryption of M by equation (7), with L as the key and S as the mask value, to obtain the ciphertext C (step S104); and the output unit 103 outputs C (step S105).
  • In this way a tweakable block cipher with provable resistance to birthday attacks is obtained from a practical block cipher.
  • Fig. 5 shows the configuration of the tweakable block decryption device of this embodiment. The tweakable block decryption device 20 comprises an input unit 200, a tweak-dependent key derivation unit 201, a masked block decryption unit 202 and an output unit 203. It can be realised by a CPU, a memory and a disk, each functional unit being realised by a program stored on the disk and executed on the CPU.
  • Fig. 6 shows the flow of information in the tweak-dependent key derivation unit 201 and the masked block decryption unit 202. As shown in Fig. 7, if the mask addition on the ciphertext side is omitted, the processing is slightly simpler but only security beyond the birthday bound against chosen-plaintext attacks is guaranteed.
  • The block cipher used has an n-bit block and an n'-bit key (n' ≥ n), and the security parameter is m (1 < m < n/2).
  • The input unit 200 inputs the n-bit ciphertext C to be decrypted and the n-bit tweak T; it can be realised by a character input device such as a keyboard.
  • The tweak-dependent key derivation unit 201 is the same as the tweak-dependent key derivation unit 101 of the first embodiment.
  • The masked block decryption unit 202 decrypts the ciphertext C into the plaintext M using the tweak-dependent key L output by the tweak-dependent key derivation unit 201 and the mask value derived from the tweak T. Specifically, with Dec the decryption function of the block cipher (decryption of ciphertext C under key K being Dec(K, C)), M is given by equation (10) when a chosen-ciphertext attack is assumed: the mask value S = F(K3, T) is added to C, the sum is decrypted with Dec(L, *), and S is added to the result. When only a chosen-plaintext attack is assumed, equation (11) applies, in which the mask addition on the ciphertext side is omitted.
  • K3 is a key derived from the device key K, and the keyed function F is the same as that used by the masked block encryption unit 102 of the first embodiment.
  • The output unit 203 outputs the plaintext M produced by the masked block decryption unit 202; it can be realised by a computer display, a printer or the like.
  • Fig. 8 shows the operation flow of the tweakable block decryption device of this embodiment. The n-bit ciphertext C and the tweak T are input through the input unit 200 (step S201); the tweak-dependent key derivation unit 201 obtains the tweak-dependent key L by equation (6) (step S202); the masked block decryption unit 202 generates the mask value S by equation (10) (step S203) and performs masked decryption of C by equation (10), with L as the key and S as the mask value, to obtain the plaintext M (step S204); and the output unit 203 outputs M (step S205).
  • Each of the above embodiments is an example of a preferred implementation of the invention, and the invention is not limited to them.
  • The invention is applicable to authentication and encryption in wireless or wired data communication, and to encryption and tamper protection of data on storage.
  • Reference numerals: 10 tweakable block encryption device; 20 tweakable block decryption device; 100, 200 input unit; 101, 201 tweak-dependent key derivation unit; 102 masked block encryption unit; 103, 203 output unit; 202 masked block decryption unit.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A tweakable block encryption device comprises: input means for inputting an n-bit plaintext and an n-bit tweak; tweak-dependent key derivation means that derives a tweak-dependent key by encrypting the tweak with an n-bit block cipher, fixing given (n-m) bits (where 1 < m < n/2) of the result to a given value, and encrypting the fixed result with a cipher process having an n-bit input; masked block encryption means that generates a mask value by feeding the tweak to a keyed function, adds the mask value to the plaintext, encrypts the sum with the n-bit block cipher under the tweak-dependent key, and adds the mask value to the result to produce the ciphertext; and output means for outputting the ciphertext.

Description

調整値付きブロック暗号化装置、調整値付きブロック暗号化方法及び調整値付きブロック暗号化プログラム並びに調整値付きブロック復号装置、調整値付きブロック復号方法及び調整値付きブロック復号プログラムBlock encryption device with adjustment value, block encryption method with adjustment value, block encryption program with adjustment value, block decryption device with adjustment value, block decryption method with adjustment value, and block decryption program with adjustment value
 本発明は、ブロック暗号の運用モードに関し、特にnビットブロック暗号による汎用的で高い安全性を持つ調整値付きブロック暗号化装置、方法及びプログラム並びに復号装置、方法及びプログラムに関する。 The present invention relates to an operation mode of a block cipher, and more particularly, to a block encryption device, method and program with adjustment value, and a decryption device, method and program which are versatile and highly secure by n-bit block cipher.
 ブロック暗号とは、鍵により一意に定まる置換の集合であり、置換への入力が平文、出力が暗号文にそれぞれ相当する。平文や暗号文の長さをブロックサイズという。ブロックサイズがnビットのブロック暗号を、一般的にnビットブロック暗号という。ブロック暗号化・復号に関連する技術としては、特許文献1に開示される「暗号化方法および装置」がある。 The block cipher is a set of substitutions uniquely determined by the key, and the input to the substitution corresponds to plaintext and the output corresponds to the ciphertext. The length of plaintext or ciphertext is called the block size. A block cipher having a block size of n bits is generally called an n-bit block cipher. As a technique related to block encryption / decryption, there is an “encryption method and apparatus” disclosed in Patent Document 1.
 調整値付きブロック暗号とは、通常のブロック暗号が持つ入出力である(平文、暗号文、鍵)以外にtweakと呼ばれる調整値を持つブロック暗号のことであり、tweakableブロック暗号とも呼ばれる。調整値と鍵とが定まれば、平文と暗号文とが一対一に対応することが条件である。すなわち、任意の調整値付きブロック暗号の暗号化関数TWENCと、対応する復号関数TWDECとは、平文M、暗号文C、鍵K、調整値Tについて、常に下記式(1)を満たす。 The block cipher with adjustment value is a block cipher having an adjustment value called tweak in addition to the input / output (plaintext, ciphertext, key) of a normal block cipher, and is also called a tweakable block cipher. If the adjustment value and the key are determined, it is a condition that plaintext and ciphertext correspond one-to-one. That is, the encryption function TWENC of a block cipher with an arbitrary adjustment value and the corresponding decryption function TWDEC always satisfy the following formula (1) for the plaintext M, ciphertext C, key K, and adjustment value T.
Figure JPOXMLDOC01-appb-M000001
Figure JPOXMLDOC01-appb-M000001
 式(1)を含めた調整値付きブロック暗号の形式的な定義と安全性要件とは、非特許文献1に開示されている。安全性要件について簡単に言えば、調整値付きブロック暗号においては、調整値が異なる二つのブロック暗号の出力が、調整値と入力が攻撃者に既知であっても、その攻撃者には互いに独立でランダムな値に見えることが要求される。この性質が満たされるとき、調整値付きブロック暗号は安全であるという。 Non-Patent Document 1 discloses the formal definition and security requirements of a block cipher with an adjustment value including equation (1). To put it simply, in the case of a block cipher with adjusted values, the output of two block ciphers with different adjusted values is independent of the attacker even if the adjusted value and input are known to the attacker. It is required that it looks like a random value. When this property is satisfied, the block cipher with adjustment value is said to be secure.
 また、非特許文献1において、理論的に安全な調整値付きブロック暗号が通常のブロック暗号の運用モード(以下、モードという)として得られる、換言すると、ブロック暗号をブラックボックスとして用いた変換として得られるということが示されている。ただし、ここでいう理論的安全性とは、あるブロック暗号のモードとして得られる調整値付きブロック暗号の安全性が、元となるブロック暗号の安全性に帰着できる、すなわち安全なブロック暗号を用いる限り、得られる調整値付きブロック暗号も安全であると言うことを示す。 Further, in Non-Patent Document 1, a theoretically safe block cipher with an adjustment value is obtained as a normal block cipher operation mode (hereinafter referred to as a mode), in other words, obtained as a conversion using a block cipher as a black box. It has been shown that However, the theoretical security here means that the security of the block cipher with adjustment value obtained as a mode of a certain block cipher can be reduced to the security of the original block cipher, that is, as long as a safe block cipher is used. It shows that the obtained block cipher with adjustment value is also safe.
 さらに、安全性の定義には、攻撃者が選択平文攻撃(chosen-plaintext attack, CPA)のみ可能な場合の安全性と、選択平文攻撃と選択暗号文攻撃(chosen-ciphertext attack, CCA)とを組み合わせて実行可能な場合の安全性との2種類があり、前者をCPA-security、後者をCCA-securityと呼ぶ。 In addition, the definition of security includes security when an attacker can only use a selected plaintext attack (chosen-plaintext attack, CPA), a selected plaintext attack and a selected ciphertext attack (chosen-ciphertext attack, CCA). There are two types, safety when executable in combination. The former is called CPA-security and the latter is called CCA-security.
 安全な調整値付きブロック暗号は、高度な暗号化機能の実現のための鍵となる技術であることが知られている。例えば、非特許文献2には、CCA-securityを有する調整値付きブロック暗号を用いると大変効率の良い認証機能付き暗号が実現できることや、CCA-securityを有する調整値付きブロック暗号を用いると、効率の良い、並列実行可能なメッセージ認証コードを実現できることが指摘されている。また、CCA-securityを有する調整値付きブロック暗号は、ディスクセクタ暗号化などのストレージ暗号化のための必須の技術であることも知られている。 Secure block cipher with adjustment value is known to be a key technology for realizing advanced encryption functions. For example, in Non-Patent Document 2, if a block cipher with an adjustment value having CCA-security is used, a very efficient cipher with an authentication function can be realized, and if a block cipher with an adjustment value having CCA-security is used, the efficiency is improved. It is pointed out that a message authentication code that can be executed in parallel can be realized. It is also known that the block cipher with adjustment value having CCA-security is an indispensable technique for storage encryption such as disk sector encryption.
 ここで、非特許文献1で提案されたモードをLRWモードと称することとする。また、nビットブロック暗号Eを用いたLRWモードを図9(a)、(b)に示す。nビットブロック暗号(暗号化関数をEnc、復号関数をDecとする)を用いたLRWモードは、一般に、鍵K、調整値T、平文Mが与えられたとき、下記式(2)によって暗号文Cを得る。 Here, the mode proposed in Non-Patent Document 1 is referred to as LRW mode. 9A and 9B show the LRW mode using the n-bit block cipher E. In the LRW mode using an n-bit block cipher (encryption function is Enc and decryption function is Dec), in general, when key K, adjustment value T, and plaintext M are given, ciphertext is expressed by the following equation (2). Get C.
Figure JPOXMLDOC01-appb-M000002
Decryption from the ciphertext C to the plaintext M is given by the following equation (3).
Figure JPOXMLDOC01-appb-M000003
K1 is the block-cipher key, and K2 is the key of a keyed function F (called the offset function) whose output is added before and after the block-cipher processing. Here, with a security parameter e (0 ≤ e ≤ 1), F must satisfy the following equation (4) for any c, x, x' (x ≠ x'), where + denotes exclusive OR (XOR).
Figure JPOXMLDOC01-appb-M000004
When F has this property, F(K, ·) is said to be e-almost XOR universal (e-AXU). An e-AXU function is a kind of universal hash function. A well-known way to realize one is F(K2, T) = mul(K2, T), using the multiplication mul of the finite field GF(2^n); F is then 1/2^n-AXU.
Besides mul, an e-AXU function can also be realized by the schemes proposed in Non-Patent Document 3 and elsewhere. These are known to be several times faster than a typical block cipher in certain implementation environments.
Methods for constructing a tweakable block cipher from an n-bit block cipher include LRW mode of Non-Patent Document 1 and its variants, the XE and XEX modes of Non-Patent Document 2. LRW mode and XEX mode have the form of equations (2) and (3) above and have CCA-security.
XE mode, on the other hand, has the form of the following equation (5), in which the outer offset is omitted, and has CPA-security.
Figure JPOXMLDOC01-appb-M000005
In LRW mode K2 is independent of K1, whereas in XE and XEX modes K2 is the result of encrypting a fixed plaintext (for example the n-bit all-zero value) with Enc(K1, ·), which reduces the key size. What matters is that, in every case, the security guarantee holds only while the number q of encryptions performed under one key is much smaller than 2^(n/2) (written q ≪ 2^(n/2)). 2^(n/2) is called the birthday bound, and an attack that uses the results of about that many encryptions is generally called a birthday attack. Such an attack is a practical threat when a 64-bit block cipher is used, and is regarded as a future risk even with a 128-bit block cipher, so a countermeasure is needed.
Non-Patent Document 4 describes a method of constructing a tweakable block cipher that is secure for q ≪ 2^n encryptions, but it addresses a different problem, since the underlying block cipher there is a Feistel cipher with a 2n-bit block (only security up to the birthday bound of that cipher's 2n-bit block size is guaranteed).
A conventional method, used in Non-Patent Document 5 and elsewhere, is to prepare several n-bit block-cipher keys, one per tweak. This is simple and provides security beyond the birthday bound when the key is much longer than n bits (for example 2n or 3n bits), or when the key is n bits but the tweak is very short. When the tweak has some length (for example n/2 bits) and the key is n bits, however, this method generally cannot guarantee security beyond the birthday bound.
Patent Document: JP-A-9-230787 (Japanese Unexamined Patent Publication No. H9-230787)
Thus, tweakable block ciphers built from a block cipher had only been realized as schemes that can be broken by a birthday attack.
The present invention has been made in view of this problem, and its object is to provide a tweakable block encryption device, method and program, and a tweakable block decryption device, method and program, that can form, from a practical block cipher, a tweakable block cipher with theoretical resistance to birthday attacks.
To achieve the above object, the present invention provides, as a first aspect, a tweakable block encryption device having: input means for inputting an n-bit plaintext and an n-bit tweak; tweak-dependent key derivation means for encrypting the tweak with an n-bit block cipher function, fixing arbitrary n-m bits of the encrypted result to an arbitrary value, m being a value greater than 1 and less than n/2, and encrypting the fixed result with a cryptographic process having an n-bit input, thereby generating a tweak-dependent key; masked block encryption means for generating a mask value by inputting the tweak to a keyed function, adding the mask value to the plaintext, encrypting the sum with the n-bit block cipher using the tweak-dependent key as its key, and adding the mask value to the encrypted result to generate a ciphertext; and output means for outputting the ciphertext.
To achieve the above object, the present invention also provides, as a second aspect, a tweakable block decryption device having: input means for inputting an n-bit ciphertext and an n-bit tweak; tweak-dependent key derivation means for encrypting the tweak with an n-bit block cipher, fixing arbitrary n-m bits of the encrypted result to an arbitrary value, m being a value greater than 1 and less than n/2, and encrypting the fixed result with a cryptographic process having an n-bit input, thereby generating a tweak-dependent key; masked block decryption means for generating a mask value by inputting the tweak to a keyed function, adding the mask value to the ciphertext, decrypting the sum with the decryption function corresponding to the n-bit block cipher using the tweak-dependent key as its key, and adding the mask value to the decrypted result to generate a plaintext; and plaintext output means for outputting the plaintext.
To achieve the above object, the present invention provides, as a third aspect, a tweakable block encryption method comprising: an input process of inputting an n-bit plaintext and an n-bit tweak; a tweak-dependent key derivation process of encrypting the tweak with an n-bit block cipher function, fixing arbitrary n-m bits of the encrypted result to an arbitrary value, m being a value greater than 1 and less than n/2, and encrypting the fixed result with a cryptographic process having an n-bit input, thereby generating a tweak-dependent key; a masked block encryption process of generating a mask value by inputting the tweak to a keyed function, adding the mask value to the plaintext, encrypting the sum with the n-bit block cipher using the tweak-dependent key as its key, and adding the mask value to the encrypted result to generate a ciphertext; and an output process of outputting the ciphertext.
To achieve the above object, the present invention also provides, as a fourth aspect, a tweakable block decryption method comprising: an input process of inputting an n-bit ciphertext and an n-bit tweak; a tweak-dependent key derivation process of encrypting the tweak with an n-bit block cipher, fixing arbitrary n-m bits of the encrypted result to an arbitrary value, m being a value greater than 1 and less than n/2, and encrypting the fixed result with a cryptographic process having an n-bit input, thereby generating a tweak-dependent key; a masked block decryption process of generating a mask value by inputting the tweak to a keyed function, adding the mask value to the ciphertext, decrypting the sum with the decryption function corresponding to the n-bit block cipher using the tweak-dependent key as its key, and adding the mask value to the decrypted result to generate a plaintext; and a plaintext output process of outputting the plaintext.
To achieve the above object, the present invention provides, as a fifth aspect, a tweakable block encryption program that causes a computer to execute the tweakable block encryption method according to the third aspect of the present invention.
To achieve the above object, the present invention also provides, as a sixth aspect, a tweakable block decryption program that causes a computer to execute the tweakable block decryption method according to the fourth aspect of the present invention.
According to the present invention, a tweakable block encryption device, method and program, and a tweakable block decryption device, method and program, can be provided that form, from a practical block cipher, a tweakable block cipher with theoretical resistance to birthday attacks.
FIG. 1 is a diagram showing the configuration of a tweakable block encryption device according to a first embodiment in which the present invention is suitably implemented.
FIG. 2 is a diagram showing the flow of data in the tweak-dependent key derivation unit and the masked block encryption unit.
FIG. 3 is a diagram showing the flow of data in the tweak-dependent key derivation unit and the masked block encryption unit when the addition of the mask value on the ciphertext side is omitted.
FIG. 4 is a diagram showing the flow of operation of the tweakable block encryption device according to the first embodiment.
FIG. 5 is a diagram showing the configuration of a tweakable block decryption device according to a second embodiment in which the present invention is suitably implemented.
FIG. 6 is a diagram showing the flow of data in the tweak-dependent key derivation unit and the masked block decryption unit.
FIG. 7 is a diagram showing the flow of data in the tweak-dependent key derivation unit and the masked block decryption unit when the addition of the mask value on the ciphertext side is omitted.
FIG. 8 is a diagram showing the flow of operation of the tweakable block decryption device according to the second embodiment.
FIG. 9 is a diagram showing the encryption and decryption operations in LRW mode.
The present invention efficiently realizes a tweakable block cipher that guarantees security beyond the birthday bound.
In the present invention, if the block cipher E used as a component (n-bit key, n-bit block) is theoretically secure and m < n/2 is the security parameter, the scheme is theoretically secure as long as the number of plaintext/ciphertext pairs available to the attacker is much smaller than 2^((n+m)/2); that is, it has theoretical resistance to a birthday attack using 2^(n/2) encryptions. The strength of this resistance is controlled by m.
If the key is longer than n bits, the security is higher still. This comes from deriving a new block-cipher key for each tweak and using it for encryption and decryption. Simply deriving a random key per tweak is not enough, however: when an attack involves about 2^(n/2) different tweaks, the probability that two n-bit keys coincide by chance is almost 1, and a birthday attack exploiting this fact succeeds.
To prevent this, the mpad function limits the number of key variations to at most 2^m, while tweak-dependent mask additions are inserted before and after the block cipher; this guarantees security beyond the birthday bound against chosen-ciphertext attacks. If the mask addition on the ciphertext side is omitted, the processing is slightly simplified, but only security beyond the birthday bound against chosen-plaintext attacks is guaranteed.
Preferred embodiments of the present invention are described below.
[First Embodiment]
A first embodiment in which the present invention is suitably implemented will be described.
FIG. 1 shows the configuration of the tweakable block encryption device according to this embodiment. The tweakable block encryption device 10 has an input unit 100, a tweak-dependent key derivation unit 101, a masked block encryption unit 102, and an output unit 103.
The tweakable block encryption device 10 can be realized with a CPU, a memory and a disk.
Each functional unit of the tweakable block encryption device can be realized by storing a program on the disk and running the program on the CPU.
The block cipher used has an n-bit block and an n'-bit key,
Figure JPOXMLDOC01-appb-M000006
and the tweak length is n bits. The security parameter is m (1 < m < n/2); it determines the security level.
The input unit 100 receives the n-bit plaintext M to be encrypted and the n-bit tweak T. The input unit 100 is realized as a character input device such as a keyboard.
FIG. 2 shows the flow of information in the tweak-dependent key derivation unit 101 and the masked block encryption unit 102. As shown in FIG. 3, if the mask addition on the ciphertext side is omitted, the processing is slightly simplified, but only security beyond the birthday bound against chosen-plaintext attacks is guaranteed.
The tweak-dependent key derivation unit 101 generates a new block-cipher key, called the tweak-dependent key, that depends on the input tweak T and the key K.
Specifically, when n' = n, the tweak-dependent key L can be realized as the following equation (6).
Figure JPOXMLDOC01-appb-M000007
Here, the block-cipher keys K1 and K2 are derived from the device key K by any method (for example, K can be 2n bits or longer, with its first n bits used as K1 and the next n bits as K2). mpad is a function that fixes arbitrary n-m bits of its n-bit input (m being the security parameter) to an arbitrary value; for example, it can set the upper n-m bits to all zeros.
The encryption under key K2 can also be realized by any cryptographic function with an n-bit input and an n'-bit output, for example a keyed one-way hash function. In particular, when n' = n, the encryption under key K2 can also be realized by the SUM construction (the sum of two PRPs) of Stefan Lucks, "The Sum of PRPs Is a Secure PRF", EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000, Proceedings, Lecture Notes in Computer Science 1807, Springer 2000, pp. 470-484; and when n' > n, by the CENC mode of Tetsu Iwata, "New Blockcipher Modes of Operation with Beyond the Birthday Bound Security", Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15-17, 2006, Revised Selected Papers, Lecture Notes in Computer Science 4047, Springer 2006, pp. 310-322.
The masked block encryption unit 102 encrypts the plaintext M into the ciphertext C using the tweak-dependent key L output by the tweak-dependent key derivation unit 101 and a mask value derived from the tweak T.
Specifically, when a chosen-ciphertext attack by the attacker is assumed, the ciphertext C is given by the following equation (7); when only a chosen-plaintext attack is assumed, by the following equation (8).
Figure JPOXMLDOC01-appb-M000008
Here, K3 is a key derived from the device key K in the same way as K1 and K2 in equation (6), and F(K3, T) is the n-bit result of inputting T to the keyed function F under key K3. F must be an e-AXU function, as defined by equation (4) above, for any two distinct tweaks T and T'. This can be realized, for example, by taking the product mul(K3, T) of the n-bit key K3 and the tweak T in the finite field GF(2^n). F is then defined by the following equation (9) and is a 1/2^n-AXU function.
Figure JPOXMLDOC01-appb-M000009
The output unit 103 outputs the ciphertext C produced by the masked block encryption unit 102. The output unit 103 can be realized with a computer display, a printer or the like.
When the tweakable block encryption device of this embodiment is used concretely for encryption in communication or data storage, the n-bit-block, n-bit-tweak block cipher obtained in this embodiment would be used in some mode of operation. For example, it can be used in the tweakable-block-cipher modes described in Non-Patent Document 1, such as Tweak Block Chaining, Tweak Chain Hash and Tweakable Authenticated Encryption.
For the encryption of data storage such as hard disks, the mode discussed in the IEEE standardization of storage encryption can be applied. It encrypts in parallel, as in ECB mode, while adding a mask value that depends on the hard-disk sector and on the byte position within the sector (one sector is normally 512 bytes). In this method, taking n = 128 for example and writing TENC for the encryption function of the 128-bit-block, 128-bit-tweak block cipher obtained in this embodiment (encryption of plaintext M under key K and tweak T being TENC(K, T, M)), the contents of a sector are first divided into 128-bit (16-byte) blocks (m1, m2, ..., m32), each mi being 16 bytes. Each mi (i = 1, ..., 32) is then encrypted as TENC(K, (SecNum || i), mi), where SecNum is the sector number and || denotes the concatenation of bit strings. That is, the i-th block of the sector numbered SecNum is encrypted under the tweak (SecNum || i).
FIG. 4 shows the flow of operation of the tweakable block encryption device according to this embodiment.
First, the n-bit plaintext M and the n-bit tweak T are input through the input unit 100 (step S101), and the tweak-dependent key derivation unit 101 computes the tweak-dependent key L according to equation (6) above (step S102). Next, the masked block encryption unit 102 generates the mask value S according to equation (7) above (step S103) and, with L as the key and S as the mask value, performs the masked encryption of M according to equation (7) to obtain the ciphertext C (step S104). Finally, the output unit 103 outputs the obtained ciphertext C (step S105).
Thus, according to this embodiment, a tweakable block cipher with theoretical resistance to birthday attacks can be formed from a practical block cipher.
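The following Python is an added example, not code from the patent or from its applicant. It implements the procedure of steps S101 to S105 as the text describes it: equation (6) for the tweak-dependent key L, equations (7) and (8) for masked encryption and (10) and (11) for decryption, the offset function F(K, T) = mul(K, T) of the background section together with an exhaustive check of its e-AXU property in a small field, LRW mode of equation (2) for comparison, and the sector mode sketched above. Every concrete choice is an assumption made for the example: n = n' = 64 with m = 16 (rather than the n = 128 of the text), a SHA-256-based Feistel network named enc/dec standing in for a real block cipher (it is a keyed permutation with an n-bit key but not a secure cipher), the split of the device key K into K1 || K2 || K3, the polynomial x^64 + x^4 + x^3 + x + 1 defining GF(2^64), and all function and variable names. The + of the text's equations is XOR here.

```python
"""Added example, not code from the patent.  Toy assumptions: n = n' = 64, m = 16, a
SHA-256 Feistel network as the block cipher (a keyed permutation, NOT secure), the key
split K = K1 || K2 || K3, and x^64 + x^4 + x^3 + x + 1 defining GF(2^64).  + is XOR."""
import hashlib

N = 64                       # block size n in bits; the toy cipher's key is also n bits
NB = N // 8
M_PARAM = 16                 # security parameter m, 1 < m < n/2
POLY = (1 << 64) | 0b11011   # x^64 + x^4 + x^3 + x + 1

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:NB // 2]

def enc(key: bytes, block: bytes) -> bytes:
    """Toy n-bit block cipher Enc(K, X): a 6-round keyed Feistel network (stand-in)."""
    assert len(key) == NB and len(block) == NB
    lh, rh = block[:NB // 2], block[NB // 2:]
    for i in range(6):
        lh, rh = rh, xor(lh, _round(key, i, rh))
    return lh + rh

def dec(key: bytes, block: bytes) -> bytes:
    """Dec(K, Y): inverse of enc, undoing the rounds in reverse order."""
    lh, rh = block[:NB // 2], block[NB // 2:]
    for i in reversed(range(6)):
        lh, rh = xor(rh, _round(key, i, lh)), lh
    return lh + rh

def gf_mul(a: int, b: int, n: int = N, poly: int = POLY) -> int:
    """Multiplication in GF(2^n): shift-and-add, reducing modulo poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

def F(k: bytes, t: bytes) -> bytes:
    """Offset function F(K, T) = mul(K, T).  mul is linear in T, so F(K, T) + F(K, T')
    = mul(K, T + T'), which is what makes F 1/2^n-AXU in the sense of equation (4)."""
    return gf_mul(int.from_bytes(k, "big"), int.from_bytes(t, "big")).to_bytes(NB, "big")

def axu_max_preimages(n: int = 8, poly: int = 0x11B) -> int:
    """Exhaustive check of equation (4) in GF(2^8): for each d = T + T' != 0, count the keys
    K with mul(K, d) = c.  Returns the largest count; 1 means e = 1/2^n exactly."""
    worst = 0
    for d in range(1, 1 << n):
        counts = {}
        for k in range(1 << n):
            c = gf_mul(k, d, n, poly)
            counts[c] = counts.get(c, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst

def mpad(x: bytes) -> bytes:
    """Fix the upper n-m bits to zero: at most 2^m distinct values survive."""
    return (int.from_bytes(x, "big") & ((1 << M_PARAM) - 1)).to_bytes(NB, "big")

def split_key(k: bytes):
    """Device key K = K1 || K2 || K3 (3n bits); the text leaves the derivation method open."""
    return k[:NB], k[NB:2 * NB], k[2 * NB:3 * NB]

def tweak_key(k: bytes, t: bytes) -> bytes:
    """Equation (6): tweak-dependent key L = Enc(K2, mpad(Enc(K1, T)))."""
    k1, k2, _ = split_key(k)
    return enc(k2, mpad(enc(k1, t)))

def tenc(k: bytes, t: bytes, m: bytes, cca: bool = True) -> bytes:
    """Equation (7): C = Enc(L, M + S) + S with S = F(K3, T).  cca=False gives
    equation (8), which drops the outer mask and is only CPA-secure."""
    l, s = tweak_key(k, t), F(split_key(k)[2], t)
    c = enc(l, xor(m, s))
    return xor(c, s) if cca else c

def tdec(k: bytes, t: bytes, c: bytes, cca: bool = True) -> bytes:
    """Equation (10): M = Dec(L, C + S) + S; equation (11) (cca=False): M = Dec(L, C) + S."""
    l, s = tweak_key(k, t), F(split_key(k)[2], t)
    return xor(dec(l, xor(c, s) if cca else c), s)

def lrw_enc(k1: bytes, k2: bytes, t: bytes, m: bytes) -> bytes:
    """Equation (2), LRW mode: C = Enc(K1, M + F(K2, T)) + F(K2, T).  The block-cipher key
    K1 is the same for every tweak; tenc replaces it by the tweak-dependent L."""
    s = F(k2, t)
    return xor(enc(k1, xor(m, s)), s)

def sector_crypt(k: bytes, sec_num: int, data: bytes, encrypt: bool = True) -> bytes:
    """Storage mode from the text: block i of sector SecNum under tweak SecNum || i (4 bytes
    each here, since n = 64, so a 512-byte sector has 64 blocks rather than 32)."""
    op = tenc if encrypt else tdec
    return b"".join(op(k, sec_num.to_bytes(4, "big") + (i + 1).to_bytes(4, "big"), data[j:j + NB])
                    for i, j in enumerate(range(0, len(data), NB)))
```

With a 24-byte device key K, an 8-byte tweak T and an 8-byte block M, tdec(K, T, tenc(K, T, M)) returns M, and the same holds with cca=False on both sides. The difference from lrw_enc is visible in tweak_key: the block-cipher key changes with the tweak, but because mpad keeps only m bits before the second encryption, at most 2^m distinct keys are ever used, the mask S = F(K3, T) carrying the rest of the tweak dependence. axu_max_preimages() returning 1 confirms, for the small field GF(2^8), that mul(K, d) takes each value for exactly one key when d ≠ 0, which is the e = 1/2^n of equation (4).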
[Second Embodiment]
A second embodiment in which the present invention is suitably implemented will be described.
FIG. 5 shows the configuration of the tweakable block decryption device according to this embodiment. The tweakable block decryption device 20 has an input unit 200, a tweak-dependent key derivation unit 201, a masked block decryption unit 202, and an output unit 203.
The tweakable block decryption device 20 can be realized with a CPU, a memory and a disk.
Each functional unit of the tweakable block decryption device can be realized by storing a program on the disk and running the program on the CPU.
Each functional unit constituting the tweakable block decryption device will be described.
FIG. 6 shows the flow of information in the tweak-dependent key derivation unit 201 and the masked block decryption unit 202. As shown in FIG. 7, if the mask addition on the ciphertext side is omitted, the processing is slightly simplified, but only security beyond the birthday bound against chosen-plaintext attacks is guaranteed.
As in the first embodiment, the block cipher used has an n-bit block and an n'-bit key (n' ≥ n), and the security parameter is m (1 < m < n/2).
The input unit 200 receives the n-bit ciphertext C to be decrypted and the n-bit tweak T. The input unit 200 can be realized with a character input device such as a keyboard.
The tweak-dependent key derivation unit 201 is the same as the tweak-dependent key derivation unit 101 of the first embodiment.
The masked block decryption unit 202 decrypts the ciphertext C into the plaintext M using the tweak-dependent key L output by the tweak-dependent key derivation unit 201 and a mask value derived from the tweak T. Specifically, writing Dec for the decryption function of the block cipher (decryption of the ciphertext C under key K being Dec(K, C)), when a chosen-ciphertext attack by the attacker is assumed the plaintext M is given by the following equation (10), and when only a chosen-plaintext attack is assumed by the following equation (11).
Figure JPOXMLDOC01-appb-M000010
Here, K3 is a key derived from the device key K, and the keyed function F is the same as that used by the masked block encryption unit 102 of the first embodiment.
The output unit 203 outputs the plaintext M produced by the masked block decryption unit 202. The output unit 203 can be realized with a computer display, a printer or the like.
FIG. 8 shows the flow of operation of the tweakable block decryption device according to this embodiment.
First, the n-bit ciphertext C and the tweak T are input using the input unit 200 (step S201), and the tweak-dependent key derivation unit 201 computes the tweak-dependent key L according to equation (6) above (step S202). Next, the masked block decryption unit 202 generates the mask value S according to equation (10) above (step S203). Then, with L as the key and S as the mask value, it performs the masked decryption of the ciphertext C according to equation (10) to obtain the plaintext M (step S204). Finally, the output unit 203 outputs the obtained plaintext M (step S205).
Thus, according to this embodiment, a tweakable block cipher with theoretical resistance to birthday attacks, formed from a practical block cipher, can be decrypted.
The embodiments above are examples of preferred implementations of the present invention, and the present invention is not limited to them.
For example, the present invention is applicable to uses such as authentication and encryption in wireless or wired data communication, and to uses such as the encryption and tamper-proofing of data in storage.
Thus, various modifications of the present invention are possible.
This application claims the benefit of priority based on Japanese Patent Application No. 2008-221657 filed on August 29, 2008, the entire disclosure of which is incorporated herein by reference.
DESCRIPTION OF SYMBOLS
10 tweakable block encryption device
20 tweakable block decryption device
100, 200 input unit
101, 201 tweak-dependent key derivation unit
102 masked block encryption unit
103, 203 output unit
202 masked block decryption unit

Claims (8)

  1.  A tweakable (adjustment-value-attached) block encryption device comprising:
     input means for inputting an n-bit plaintext and an n-bit tweak (adjustment value);
     tweak-dependent key derivation means for encrypting the tweak with an n-bit block cipher function, fixing any n−m bits of the encryption result to an arbitrary constant, where m is a value greater than 1 and less than n/2, and encrypting the fixed result with a cryptographic process having an n-bit input, thereby generating a tweak-dependent key;
     masked block encryption means for generating a mask value by inputting the tweak into a keyed function, adding the mask value to the plaintext, encrypting the sum with an n-bit block cipher keyed with the tweak-dependent key, and adding the mask value to the encryption result, thereby generating a ciphertext; and
     output means for outputting the ciphertext.
  2.  The tweakable block encryption device according to claim 1, wherein the tweak-dependent key derivation means generates an n-bit block cipher key from the device key and uses the generated block cipher key in said cryptographic process.
  3.  A tweakable block decryption device comprising:
     input means for inputting an n-bit ciphertext and an n-bit tweak;
     tweak-dependent key derivation means for encrypting the tweak with an n-bit block cipher, fixing any n−m bits of the encryption result to an arbitrary constant, where m is a value greater than 1 and less than n/2, and encrypting the fixed result with a cryptographic process having an n-bit input, thereby generating a tweak-dependent key;
     masked block decryption means for generating a mask value by inputting the tweak into a keyed function, adding the mask value to the ciphertext, decrypting the sum with the decryption function corresponding to the n-bit block cipher keyed with the tweak-dependent key, and adding the mask value to the decryption result, thereby generating a plaintext; and
     plaintext output means for outputting the plaintext.
  4.  The tweakable block decryption device according to claim 3, wherein the tweak-dependent key derivation means generates an n-bit block cipher key from the device key and uses the generated block cipher key in said cryptographic process.
  5.  A tweakable block encryption method comprising:
     an input process of inputting an n-bit plaintext and an n-bit tweak;
     a tweak-dependent key derivation process of encrypting the tweak with an n-bit block cipher function, fixing any n−m bits of the encryption result to an arbitrary constant, where m is a value greater than 1 and less than n/2, and encrypting the fixed result with a cryptographic process having an n-bit input, thereby generating a tweak-dependent key;
     a masked block encryption process of generating a mask value by inputting the tweak into a keyed function, adding the mask value to the plaintext, encrypting the sum with an n-bit block cipher keyed with the tweak-dependent key, and adding the mask value to the encryption result, thereby generating a ciphertext; and
     an output process of outputting the ciphertext.
  6.  A tweakable block decryption method comprising:
     an input process of inputting an n-bit ciphertext and an n-bit tweak;
     a tweak-dependent key derivation process of encrypting the tweak with an n-bit block cipher, fixing any n−m bits of the encryption result to an arbitrary constant, where m is a value greater than 1 and less than n/2, and encrypting the fixed result with a cryptographic process having an n-bit input, thereby generating a tweak-dependent key;
     a masked block decryption process of generating a mask value by inputting the tweak into a keyed function, adding the mask value to the ciphertext, decrypting the sum with the decryption function corresponding to the n-bit block cipher keyed with the tweak-dependent key, and adding the mask value to the decryption result, thereby generating a plaintext; and
     a plaintext output process of outputting the plaintext.
  7.  A tweakable block encryption program that causes a computer to execute the tweakable block encryption method according to claim 5.
  8.  A tweakable block decryption program that causes a computer to execute the tweakable block decryption method according to claim 6.
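The structure stated in claims 1 and 3, and walked through for decryption in steps S201 to S205 above, as an added example that is not part of the patent or of NEC's implementation. The claims fix the structure but not the primitives, so the following are this example's own assumptions: the n-bit block cipher E is a stand-in four-round Feistel network with an HMAC-SHA256 round function (chosen so the block runs on the Python standard library alone; it is not the cipher the patent's equations (6) and (10) are instantiated with), the keyed mask function F is HMAC-SHA256 truncated to n bits, "adding" is bitwise XOR, the n−m fixed bits are set to zero, n = 128 and m = 32 (the claims only require 1 < m < n/2), and the three keys K1, K2, K3 are taken as already derived from the device key in the manner claim 2 allows, without showing that derivation. Function names such as `derive_tweak_key`, `mask_value`, `tweakable_encrypt` and `tweakable_decrypt` are likewise this example's, not the patent's.

```python
"""
Added example (not the patent's code): the tweakable block cipher structure of
claims 1 and 3, instantiated with stand-in primitives.

  L = E_K2( fix_{n-m}( E_K1(T) ) )    tweak-dependent key   (claims 1, 2)
  S = F_K3(T)                         keyed mask of the tweak (claim 1)
  C = E_L( M xor S ) xor S            masked encryption     (claim 1)
  M = D_L( C xor S ) xor S            masked decryption     (claim 3)
"""
import hashlib
import hmac

N_BYTES = 16   # n = 128-bit block (assumption of this example)
M_BITS = 32    # m: the claims require 1 < m < n/2 (value is an assumption)
ROUNDS = 4     # rounds of the stand-in Feistel block cipher


def _xor(a: bytes, b: bytes) -> bytes:
    # "Addition" of n-bit blocks in the claims is taken as bitwise XOR.
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: a PRF of (round index, half block), truncated to n/2 bits.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: N_BYTES // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in n-bit block cipher E_key: a balanced Feistel network (a permutation by construction)."""
    assert len(block) == N_BYTES
    l, r = block[: N_BYTES // 2], block[N_BYTES // 2 :]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse D_key of block_encrypt: undo the rounds in reverse order."""
    assert len(block) == N_BYTES
    l, r = block[: N_BYTES // 2], block[N_BYTES // 2 :]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def fix_low_bits(block: bytes, m_bits: int) -> bytes:
    """Keep the top m bits of the block and fix the remaining n-m bits to zero.
    The claims allow any n-m bit positions and any constant; these are this example's choices."""
    n_bits = N_BYTES * 8
    x = int.from_bytes(block, "big")
    x &= ((1 << m_bits) - 1) << (n_bits - m_bits)
    return x.to_bytes(N_BYTES, "big")


def derive_tweak_key(k1: bytes, k2: bytes, tweak: bytes) -> bytes:
    """Tweak-dependent key L: encrypt T, fix n-m bits, encrypt the result again (claims 1 and 2)."""
    assert len(tweak) == N_BYTES
    return block_encrypt(k2, fix_low_bits(block_encrypt(k1, tweak), M_BITS))


def mask_value(k3: bytes, tweak: bytes) -> bytes:
    """Mask S = F_K3(T): a keyed function of the full tweak, truncated to n bits."""
    return hmac.new(k3, tweak, hashlib.sha256).digest()[:N_BYTES]


def tweakable_encrypt(keys, tweak: bytes, plaintext: bytes) -> bytes:
    """Claim 1: C = E_L(M xor S) xor S with L and S derived from the tweak."""
    k1, k2, k3 = keys
    L = derive_tweak_key(k1, k2, tweak)
    S = mask_value(k3, tweak)
    return _xor(block_encrypt(L, _xor(plaintext, S)), S)


def tweakable_decrypt(keys, tweak: bytes, ciphertext: bytes) -> bytes:
    """Claim 3 / steps S201-S205: M = D_L(C xor S) xor S with the same L and S."""
    k1, k2, k3 = keys
    L = derive_tweak_key(k1, k2, tweak)
    S = mask_value(k3, tweak)
    return _xor(block_decrypt(L, _xor(ciphertext, S)), S)


def demo():
    # Constructed sample keys and inputs for this example (not from the patent).
    keys = (b"k1" * 8, b"k2" * 8, b"k3" * 8)
    tweak = (1234).to_bytes(N_BYTES, "big")   # e.g. a sector or block index as the tweak
    msg = b"16-byte message!"
    ct = tweakable_encrypt(keys, tweak, msg)
    assert tweakable_decrypt(keys, tweak, ct) == msg
    # The same plaintext under a neighbouring tweak yields an unrelated ciphertext.
    ct2 = tweakable_encrypt(keys, (1235).to_bytes(N_BYTES, "big"), msg)
    assert ct2 != ct
    return ct, ct2


if __name__ == "__main__":
    print(*(c.hex() for c in demo()))
```

Two points the code makes visible that the claim text leaves implicit: because the fix step discards n−m bits, the input to the second encryption takes at most 2^m values, so there are at most 2^m distinct tweak-dependent keys L regardless of how many tweaks are used, while the mask S still depends on the full n-bit tweak; and decryption is the exact mirror of encryption, which is only possible because the mask is applied with an operation (XOR here) that is its own inverse.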
PCT/JP2009/059438 2008-08-29 2009-05-22 Tweakable block encrypting device, tweakable block encrypting method, tweakable block encrypting program, tweakable block decrypting device, tweakable block decrypting method, and tweakable block decrypting program WO2010024004A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2010526597A JP5333450B2 (en) 2008-08-29 2009-05-22 Block encryption device with adjustment value, method and program, and decryption device, method and program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2008-221657 2008-08-29
JP2008221657 2008-08-29

Publications (1)

Publication Number Publication Date
WO2010024004A1 true WO2010024004A1 (en) 2010-03-04

Family

ID=41721181

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/059438 WO2010024004A1 (en) 2008-08-29 2009-05-22 Tweakable block encrypting device, tweakable block encrypting method, tweakable block encrypting program, tweakable block decrypting device, tweakable block decrypting method, and tweakable block decrypting program

Country Status (2)

Country Link
JP (1) JP5333450B2 (en)
WO (1) WO2010024004A1 (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004023715A1 (en) * 2002-09-03 2004-03-18 The Regents Of The University Of California Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher
WO2008018303A1 (en) * 2006-08-10 2008-02-14 Nec Corporation Adjusting function-equipped block encryption device, method, and program

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Draft Proposal for Tweakable Narrow-block Encryption", DRAFT 1.00:00, IEEE, 6 August 2004 (2004-08-06), Retrieved from the Internet <URL:http://siswg.net/docs/LRW-AES-10-19-2004.pdf> [retrieved on 20090612] *
"Draft Proposal for Tweakable Wide-block Encryption", DRAFT 1.00:00, IEEE, 22 March 2003 (2003-03-22), Retrieved from the Internet <URL:http://siswg.net/docs/EME-AES-03-22-2004.pdf> [retrieved on 20090612] *
M. LISKOV ET AL.: "Tweakable Block Ciphers", LECTURE NOTES IN COMPUTER SCIENCE, vol. 2442, no. 3, 2002, Retrieved from the Internet <URL:http://www.cs.berkeley.edu/daw/papers/tweak-crypto02.pdf> [retrieved on 20090612] *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011105367A1 (en) * 2010-02-24 2011-09-01 日本電気株式会社 Block encryption device, block decryption device, block encryption method, block decryption method and program
JP5704159B2 (en) * 2010-02-24 2015-04-22 日本電気株式会社 Block encryption device, block decryption device, block encryption method, block decryption method, and program
JP2013538376A (en) * 2010-09-24 2013-10-10 インテル・コーポレーション Tunable cipher mode for memory encryption protected against replay attacks
WO2012105352A1 (en) * 2011-01-31 2012-08-09 日本電気株式会社 Block encryption device, decryption device, encryption method, decryption method, and program
JP5365750B2 (en) * 2011-01-31 2013-12-11 日本電気株式会社 Block encryption device, decryption device, encryption method, decryption method, and program
US8891761B2 (en) 2011-01-31 2014-11-18 Nec Corporation Block encryption device, decryption device, encrypting method, decrypting method and program
JP2014523020A (en) * 2011-06-29 2014-09-08 インテル・コーポレーション Method and apparatus for encrypting memory with integrity check and protection against replay attacks
US10326589B2 (en) 2015-09-28 2019-06-18 Mitsubishi Electric Corporation Message authenticator generating apparatus, message authenticator generating method, and computer readable recording medium
US11177936B2 (en) 2017-02-22 2021-11-16 Mitsubishi Electric Corporation Message authenticator generation apparatus
US11522712B2 (en) 2018-08-30 2022-12-06 Mitsubishi Electric Corporation Message authentication apparatus, message authentication method, and computer readable medium

Also Published As

Publication number Publication date
JP5333450B2 (en) 2013-11-06
JPWO2010024004A1 (en) 2012-01-26

Similar Documents

Publication Publication Date Title
JP5704159B2 (en) Block encryption device, block decryption device, block encryption method, block decryption method, and program
JP4712017B2 (en) Message authentication code generation method using stream cipher, authentication encryption method using stream cipher, and authentication decryption method using stream cipher
JP6519473B2 (en) Authentication encryption apparatus, authentication encryption method and program for authentication encryption
CN101202623B (en) Method of generating message authentication code, authentication/encryption and authentication/decryption methods
JP5333450B2 (en) Block encryption device with adjustment value, method and program, and decryption device, method and program
JPH0863097A (en) Method and system for symmetric encoding for encoding of data
EP2058781B1 (en) Encryption device, encryption method, and computer program
US8189770B2 (en) Tweakable block encryption apparatus, method, and program
JP7031580B2 (en) Cryptographic device, encryption method, decryption device, and decryption method
US8526602B2 (en) Adjustment-value-attached block cipher apparatus, cipher generation method and recording medium
US11463235B2 (en) Encryption device, encryption method, program, decryption device, and decryption method
WO2010024003A1 (en) Device for encrypting block with double block length, decrypting device, encrypting method, decrypting method, and program therefor
TW201545524A (en) Technologies for modifying a first cryptographic cipher with operations of a second cryptographic cipher
WO2016067524A1 (en) Authenticated encryption apparatus, authenticated decryption apparatus, authenticated cryptography system, authenticated encryption method, and program
Reyad et al. Key-based enhancement of data encryption standard for text security
CN109714154B (en) Implementation method of white-box cryptographic algorithm under white-box security model with difficult code volume
US8891761B2 (en) Block encryption device, decryption device, encrypting method, decrypting method and program
JP2011107407A (en) Homomorphic cryptosystem, homomorphic encryption method, and program
WO2021171543A1 (en) Authentication encryption device, authentication decryption device, authentication encryption method, authentication decryption method, and storage medium
Wahba Memristive Coupled Neural Network Based Audio Signal Encryption
WO2009081975A1 (en) Encryption device, decryption device, encryption method, decryption method, and program
Tiwari et al. Differential Cryptanalysis on Block Ciphers: New Research Directions
RU2542880C1 (en) Method of encrypting binary data unit
Ramesh et al. UMARAM: A novel fast encryption algorithm for data security in local area network
KR20030001888A (en) Cipher algorithm design method using block information without using key

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 09809659; Country of ref document: EP; Kind code of ref document: A1
WWE Wipo information: entry into national phase
    Ref document number: 2010526597; Country of ref document: JP
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 09809659; Country of ref document: EP; Kind code of ref document: A1