WO2012077419A1 - Cryptographic processing device, cryptographic processing method, and program - Google Patents
Cryptographic processing device, cryptographic processing method, and program (original title: 暗号処理装置、および暗号処理方法、並びにプログラム)
- Publication number
- WO2012077419A1 (PCT application PCT/JP2011/074468)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- line
- matrix
- unit
- cryptographic processing
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
- H04L2209/122—Hardware reduction or efficient architectures
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
Definitions
- The present invention relates to a cryptographic processing device, a cryptographic processing method, and a program, and more specifically to a cryptographic processing device, method, and program that execute a common-key block cipher having a Feistel structure or a generalized Feistel structure.
- Common-key block cipher: there are various cryptographic processing algorithms, and one of the basic techniques is the common-key (symmetric-key) block cipher.
- In a common-key block cipher the encryption key and the decryption key are the same.
- A plurality of keys are generated from the common key, and a data conversion process is repeatedly executed on the data in units of a fixed block size, for example 64, 128 or 256 bits.
- DES (Data Encryption Standard), AES (Advanced Encryption Standard), and CLEFIA, proposed by Sony Corporation in 2007, are examples of common-key block ciphers.
- Such a common-key block cipher algorithm mainly consists of an encryption processing unit having a round function execution unit that repeatedly executes a conversion of the input data, and a key schedule unit that generates the round key applied in each round of the round function unit.
- The key schedule unit first generates an extended key with an increased number of bits from the master key (primary key), which is the secret key, and then generates from the extended key the round key (subkey) applied in each round function unit of the cryptographic processing unit.
- Non-Patent Document 1 and Non-Patent Document 2 are examples of documents describing encryption processing using the Feistel structure.
- Non-Patent Document 3: Panu Hamalainen, Timo Alho, Marko Hannikainen, and Timo D. Hamalainen. Design and implementation of low-area and low-power AES encryption hardware core. In DSD, pages 577-583. IEEE Computer Society, 2006.
- The compact implementation method of Non-Patent Document 3 is tailored to the processing sequence peculiar to the AES algorithm, which uses an SPN structure. If it is applied as it is to a cryptographic algorithm having the Feistel structure or generalized Feistel structure described above, which differ from the SPN structure, sufficient miniaturization cannot be achieved.
- The AES cipher described above is an encryption algorithm using an SPN structure,
- whereas the DES cipher and the CLEFIA cipher are encryption algorithms using a Feistel structure or a generalized Feistel structure, which differ from the SPN structure.
- The present invention has been made in view of, for example, the above situation, and aims to provide a cryptographic processing device, a cryptographic processing method, and a program that achieve miniaturization in a cryptographic processing configuration using a Feistel structure or a generalized Feistel structure.
- The first aspect of the present invention is a cryptographic processing device having a cryptographic processing unit that divides the constituent bits of the data block to be processed into a plurality of lines and repeatedly executes a data conversion process applying a round function to the data transmitted on each line. The cryptographic processing unit generates conversion data from the data of a first line among the plurality of lines, computes the generated conversion data with the data of a second line different from the first line, and uses the computation result as input data for the next round.
- The computing unit includes a matrix operation execution unit that performs a linear transformation applying a matrix to the data of the first line.
- The matrix operation execution unit executes the operation with the data of the second line in the first of the execution cycles of the matrix operation on the data of the first line.
- The matrix operation execution unit is configured to execute the matrix operation over a plurality of cycles on a plurality of unit data sequentially output from a preceding nonlinear conversion unit, and in the first of those cycles it executes the operation with the data of the second line together with the matrix operation on the unit data input from the nonlinear conversion unit.
- Compared with a configuration that executes the operation with the data of the second line only after the cycles required for the matrix operation on the data of the first line have completed, the independent register that would be needed to hold the data of the second line is eliminated: the register holding the intermediate result of the matrix operation on the first-line data is also used as the register holding the second-line data.
- In the initial cycle of the matrix operation on the data of the first line, the matrix operation execution unit performs an exclusive OR of the matrix operation processing data for the first line with the data of the second line.
- The matrix operation execution unit is configured to execute a matrix operation applying a cyclic matrix or a Hadamard matrix.
- The cryptographic processing unit has, as the round function execution unit, a nonlinear conversion unit that performs a nonlinear transformation and a linear conversion unit that performs a linear transformation using a matrix; the matrix operation execution unit is that linear conversion unit.
- The matrix operation execution unit sequentially inputs the output of the S-box serving as the nonlinear conversion unit and executes the matrix operation on the input data as a one-cycle process.
- The cryptographic processing executed by the cryptographic processing unit is cryptographic processing applying a Feistel structure or a generalized Feistel structure.
- The cryptographic processing executed by the cryptographic processing unit is cryptographic processing according to the CLEFIA cryptographic algorithm.
- The second aspect of the present invention is a cryptographic processing method for performing cryptographic processing in a cryptographic processing device, having a cryptographic processing step in which a cryptographic processing unit divides the constituent bits of the data block to be processed into a plurality of lines and repeatedly executes a data conversion process applying a round function to the data transmitted on each line.
- In the cryptographic processing step, a conversion process is executed on the data of a first line among the plurality of lines, the generated conversion data is computed with the data of a second line different from the first line, and the computation result is used as input data for the next round.
- In the cryptographic processing method, the operation with the data of the second line is executed in the matrix operation process of the first cycle.
- The third aspect of the present invention is a program for executing cryptographic processing in a cryptographic processing device, having a cryptographic processing step that causes the cryptographic processing unit to divide the constituent bits of the data block to be processed into a plurality of lines and to repeatedly execute a data conversion process applying a round function to the data transmitted on each line.
- In the cryptographic processing step, a conversion process is executed on the data of a first line among the plurality of lines, the generated conversion data is computed with the data of a second line different from the first line, and the computation result is used as input data for the next round.
- The program executes the operation with the data of the second line in the matrix operation process of the first cycle.
- The program of the present invention is a program that can be provided by, for example, a storage medium to an information processing apparatus or computer system capable of executing various program codes. Processing according to the program is realized by executing it on the program execution unit of the information processing apparatus or computer system.
- In this specification, a system is a logical collection of a plurality of devices, and is not limited to one in which the constituent devices are in the same casing.
- According to the present invention, the size and power consumption of a cryptographic processing configuration applying a generalized Feistel structure can be reduced.
- Specifically, the matrix operation execution unit that executes the linear transformation applying a matrix to the data of the first line performs the operation between the matrix operation processing data and the data of the second line in the first cycle of the execution cycles of the matrix operation.
- A block cipher takes plaintext P and key K as input and outputs ciphertext C.
- The bit length of the plaintext and ciphertext is called the block size and is denoted by n here.
- Although n can in principle be any integer, it is usually a fixed value for each block cipher algorithm.
- A block cipher with block length n is sometimes called an n-bit block cipher.
- The bit length of the key is denoted by k.
- k can likewise take any integer value.
- The bit sizes of the plaintext P, ciphertext C and key K are therefore:
- Plaintext P: n bits
- Ciphertext C: n bits
- Key K: k bits
- FIG. 1 is a diagram explaining an n-bit common-key block cipher algorithm corresponding to a k-bit key length.
- The common-key block cipher process takes the n-bit plaintext P and the k-bit secret key K as input, executes a predetermined encryption algorithm, and outputs the n-bit ciphertext C.
- FIG. 1 shows the encryption process that generates ciphertext from plaintext. The decryption process that recovers plaintext from ciphertext is performed by reversing the order in which the round keys are input and using the inverse of the round function.
- Block encryption can be divided into two parts.
- One is the key scheduling unit 111, which takes the key K as input, expands the bit length of the input secret key K by predetermined steps, and outputs an expanded key K′ (bit length k′).
- The other is the data encryption unit 112, which receives the plaintext P together with the round keys RK and the other keys generated by the key scheduling unit 111 from the expanded key K′, executes the encryption process using those keys, and outputs the ciphertext C. As described above, decryption is realized by changing the data encryption unit 112.
- Thus the common-key block cipher algorithm consists of the data encryption unit 112, which has a round function that repeatedly converts the input data, and the key schedule unit 111, which generates the round key applied in each round of the round function unit.
- The key schedule unit 111 takes the secret key K as input and generates the round keys input to each round function. For example, in a block cipher configured to execute r stages of round functions, the round keys RK_1, RK_2, ..., RK_r are input to the round functions of stages 1 to r, respectively. The key schedule unit 111 further outputs an initial key IK and a final key FK to the data encryption unit 112, and these keys are exclusive-ORed with the processing data.
- FIG. 2 shows a specific configuration example of the Feistel structure for a block length of n bits.
- The Feistel structure converts plaintext into ciphertext by simple repetition of a round function containing an F function as the data conversion function.
- In the F function, a linear transformation process and a nonlinear transformation process are executed.
- FIG. 2 shows the overall Feistel structure on the right and a detailed configuration of one F function 120 on the left.
- The n-bit data is divided into two lines of n/2 bits each; in each round, one n/2-bit half is input to the F function
- and the output is exclusive-ORed with the other n/2-bit half.
- The round keys RK_1 to RK_r generated from the extended key K′ input from the key schedule unit 111 are input to the F function in each round.
- A known configuration of the F function has an exclusive OR operation unit 121 that performs an exclusive OR with the round key;
- a nonlinear transformation unit [S] 122, called an S-box, that performs a nonlinear transformation on the output of the exclusive OR operation unit 121;
- and a linear transformation unit [M] 123 that performs a linear transformation by matrix operation on the output of the nonlinear transformation unit [S] 122.
- FIG. 2 is one structural example of the Feistel structure;
- various other configurations exist, for example ones in which the positions of the exclusive OR operations with the initial key IK and the final key FK are changed.
- The configuration shown in FIG. 2 divides the n-bit input P to be processed (for example plaintext data) into two and processes it as two lines of n/2 bits each.
- A configuration that processes the input divided in two in this way is called a Feistel structure.
- The number of divisions of the data to be processed is not limited to two, and various settings are possible.
- A Feistel structure in which the number of divisions is not limited to two is called a generalized Feistel structure.
- An example of the generalized Feistel structure is described with reference to FIG. 3.
- The configuration illustrated in FIG. 3 is an example in which the data to be processed is divided into four.
- The Feistel structure described with reference to FIG. 2 divides the n-bit plaintext data to be processed into two lines of n/2 bits each.
- The configuration shown in FIG. 3 instead divides the n-bit plaintext data into four lines of n/4 bits each.
- The configuration shown in FIG. 3 is called a 4-line generalized Feistel structure.
- Like the Feistel structure described with reference to FIG. 2, the 4-line generalized Feistel structure of FIG. 3 repeatedly executes a round function having an F function.
- Because the n bits are divided into four, the data flow is more complicated.
- The n-bit data is divided into four lines of n/4 bits; in each round, two of the lines are input to F functions, and each F function output is exclusive-ORed with one of the other two lines.
- As in FIG. 2, the F function has an exclusive OR operation unit 121 that performs an exclusive OR with the round key;
- a nonlinear conversion unit [S] 122, called an S-box, that performs a nonlinear conversion on the output of the exclusive OR operation unit 121; and a linear conversion unit [M] 123 that performs a linear conversion by matrix operation on the output of the nonlinear conversion unit [S] 122.
- FIG. 3 shows a 4-line generalized Feistel structure, but all Feistel structures with two or more processing lines are called generalized Feistel structures.
- The present invention is not limited to a 4-line generalized Feistel structure; it is also applicable to the 2-line Feistel structure and to generalized Feistel structures with an arbitrary number of processing lines greater than two.
- The compact AES implementation of Hamalainen et al. (Non-Patent Document 3) is described next.
- FIG. 4 is a diagram illustrating a configuration example of the round function execution unit of the AES encryption algorithm, which applies the SPN structure.
- The round function shown in FIG. 4 is repeated a plurality of times to generate ciphertext from plaintext or plaintext from ciphertext.
- The round function execution unit shown in FIG. 4 includes the following components:
- a nonlinear conversion unit 201 composed of 16 S-boxes with 8-bit input and output that execute the nonlinear conversion; a ShiftRows execution unit 202 (rendered "Shift Low" in the machine translation) that permutes the 8-bit outputs of the S-boxes of the nonlinear conversion unit 201;
- a linear transformation unit 203 composed of four matrix operation units that execute a linear transformation by applying a matrix to the output of the ShiftRows execution unit 202 in 32-bit units;
- and an exclusive OR operation unit 204 composed of four operation units that exclusive-OR a 32-bit round key with the 32-bit output of each of the four matrix operation units of the linear transformation unit 203.
- The series of processes applying the nonlinear conversion unit 201, the ShiftRows execution unit 202, the linear transformation unit 203 and the exclusive OR operation unit 204 is executed as one round function, and this round function is executed a plurality of times
- to obtain 128-bit output data (for example ciphertext)
- from 128-bit input data (for example plaintext).
- To execute the processing of one round function (1 round), that is, the series of processes applying the nonlinear conversion unit 201, the ShiftRows execution unit 202, the linear transformation unit 203 and the exclusive OR operation unit 204,
- in one cycle, the data encryption unit requires at least 16 S-box circuits and 4 matrix operation circuits, as shown in FIG. 4.
- Hamalainen et al. reduced the size of the data encryption unit by executing one round function (1 round) as serial processing over 16 cycles instead of 1 cycle. In this miniaturized configuration only one S-box circuit is used, and one matrix operation is executed over 4 cycles. With such an implementation the matrix operation circuit can also be reduced in size.
- FIG. 5 shows the data path of the data encryption unit that executes the AES encryption proposed by Hamalainen et al.
- The configuration shown in FIG. 5 corresponds to a hardware configuration that executes the round function of the AES encryption shown in FIG. 4.
- FIG. 5 shows 19 registers (r01 to r19). Each of the 19 registers is an 8-bit register holding 8-bit data.
- FIG. 4 is a round function execution unit with 128-bit input and output,
- whereas FIG. 5 is a hardware configuration that executes the 128-bit input/output round function of FIG. 4
- as serial processing of 8-bit unit data.
- In FIG. 4, data permutation by the ShiftRows execution unit takes place between the S-boxes that perform the nonlinear transformation and the matrix operation that performs the linear transformation.
- In FIG. 5, the permutation performed by the ShiftRows execution unit is realized by introducing the multiplexers m01 to m08 in front of some of the registers.
- The output of the S-box 252 is input to the matrix operation circuit 253, which executes the linear transformation using the matrix.
- In FIG. 4, the data processed by the S-boxes is permuted by the ShiftRows execution unit and then the matrix operation is performed;
- in FIG. 5, the output of the S-box 252 is input directly to the matrix operation circuit 253,
- and the processing corresponding to the ShiftRows permutation is executed by the operation of the multiplexers m01 to m08 within the register group r01 to r19 shown in FIG. 5.
- The processes of the four matrix operation circuits of the linear transformation unit 203 shown in FIG. 4 are executed sequentially.
- The linear transformation with the matrix that one of the four matrix operation circuits of the linear transformation unit 203 in FIG. 4 executes is executed in four cycles. This process is described in detail later.
- The exclusive OR operation of the exclusive OR operation unit 204 shown in FIG. 4 is executed in the exclusive OR operation units 254a and 254b in FIG. 5,
- which exclusive-OR the processing data with the round key output from the key generation unit 251.
- The register group 261 in FIG. 6 corresponds to the circuit consisting of the twelve registers r04 to r15 and the multiplexers m05 to m08 in FIG. 5; it holds 96 bits of data and represents the register set with ShiftRows taken into account.
- In Equation 1, (x0, x1, x2, x3) is the input to the matrix operation circuit 253 (the output of the S-box) and (y0, y1, y2, y3) is the output of the matrix operation circuit 253 (the linear transformation result).
- The 4×4 matrix corresponds to the matrix (linear transformation matrix) applied in the matrix operation circuit 253.
- The elements of the 4×4 linear transformation matrix are shown as hexadecimal values.
- Each of (x0, x1, x2, x3) is the output of the S-box 252 in one cycle and is 8-bit data.
- Each of the outputs (y0, y1, y2, y3) is also 8-bit data.
- The matrix operation circuit 253 in FIG. 7 performs the processing of the linear transformation unit 203, composed of the four matrix operation units illustrated in FIG. 4.
- Each of the four matrix operation units shown in FIG. 4 takes the 8-bit outputs of four S-boxes (the nonlinearly converted data) as input and executes the linear transformation.
- In the configuration of FIG. 5, the S-boxes are reduced to the single S-box 252, which in one cycle produces the output of only one of the 16 S-boxes shown in FIG. 4.
- Therefore the inputs (x0, x1, x2, x3) to the matrix operation circuit 253 of FIG. 7, which in FIG. 4 come from four S-boxes, are obtained from the single S-box 252 over four cycles.
- For example, the S-box outputs (1) to (4) for the matrix operation circuit 203a shown in FIG. 4 are sequentially input from the S-box 252 over four cycles.
- The matrix operation circuit 253 shown in FIG. 7 performs this data conversion using the matrix, and (Equation 1) above expresses this conversion as an equation.
- Each of the outputs x0, x1, x2, x3 of the S-box 252 in each cycle is 8-bit data, and each of y0, y1, y2, y3, the linear transformation result obtained by applying the matrix in the matrix operation circuit 253, is also 8-bit data.
- The processing in each cycle is as follows.
- In the first cycle, the matrix operation circuit 253 shown in FIG. 7 takes x0 as the input data (din). At this time the enable signal (en) input to the AND circuits 271 to 274 is set to 0. This control is performed by a control unit not shown in FIGS. 5 to 7.
- In the second, third and fourth cycles, x1, x2 and x3 are input as the input data (din), respectively,
- and the enable signal (en) input to the AND circuits 271 to 274 is set to 1.
- The exclusive OR units 281 to 284 exclusive-OR the input data (or the value obtained by multiplying it by a matrix element) with the outputs of the AND circuits 271 to 274, and the results are stored in the registers r16 to r19.
- The circuit described with reference to FIG. 7 implements the linear transformation by matrix operation using the cyclic matrix adopted in AES, but a linear transformation using a different matrix can also be realized by this type of circuit by changing the settings of the multipliers and the connection configuration.
- For example, a matrix operation applying the following Hadamard matrix can be realized by the matrix operation circuit 290 shown in FIG. 8.
- In Expression 2, (x0, x1, x2, x3) is the input to the matrix operation circuit 290 shown in FIG. 8 (the output of the S-box)
- and (y0, y1, y2, y3) is the output of the matrix operation circuit 290 (the linear transformation result).
- The 4×4 matrix corresponds to the matrix (linear transformation matrix) applied in the matrix operation circuit 290.
- The elements of the 4×4 linear transformation matrix are shown as hexadecimal values.
- The matrix operation circuit 290 implementing the Hadamard matrix operation shown in FIG. 8 differs from the matrix operation circuit 253 implementing the cyclic matrix shown in FIG. 7 in, for example, the following points.
- The multipliers 291 to 294 are set to correspond to the elements of the 4×4 Hadamard linear transformation matrix shown in Expression 2.
- The AND circuits are replaced by the multiplexers 295 to 298, and the input to each of the registers r16 to r19 is set to select one of three sources: the output of one of two other registers, or 0.
- A simple count of the registers required for one round operation is as follows.
- FIG. 9 is a schematic diagram of the data operation unit circuit obtained when the implementation method of Hamalainen et al. is applied to a 4-line generalized Feistel structure.
- In FIG. 9, as in the AES data path described above with reference to FIG. 6, the permutation at the end of the round function of the generalized Feistel structure and the key schedule part are omitted.
- The block size, that is, the processing data size in the round operation, is n bits.
- n/4 bits are input to each of the four lines and transferred sequentially.
- The register group 301 in FIG. 9 corresponds to the register group 261 shown in FIG. 6.
- The register group 301 in FIG. 9, corresponding to the 4-line generalized Feistel structure, is configured as a combination of registers holding (3/4)n bits of data and multiplexers and the like that realize processing equivalent to the permutation at the end of the round function. That is, since the data operation unit below the register group 301 holds the (1/4)n bits of data of one line, the register group 301 in FIG. 9 must hold the (3/4)n bits of data of the remaining three lines.
- The round function including the F function of the 4-line generalized Feistel structure shown in FIG. 3 is executed using the data path shown in FIG. 9.
- A specific example of the F function in the round function is shown in FIG. 10.
- Like the F function of the Feistel structure described above with reference to FIG. 2, the F function shown in FIG. 10 has the following components: (A) an exclusive OR operation unit 321 that performs an exclusive OR with the round key; (B) a nonlinear transformation unit [S] 322 composed of S-boxes that perform a nonlinear transformation on the output of the exclusive OR operation unit 321; (C) a linear transformation unit [M] 323 that performs a linear transformation by matrix operation on the output of the nonlinear transformation unit [S] 322.
- The input and output of the F function in the 4-line generalized Feistel structure are n/4 bits.
- The matrix applied in the linear transformation executed by the linear transformation unit [M] 323 is assumed to be a cyclic matrix whose first row is (a, b, c, d), that is, the matrix shown in (Formula 3) below.
- Like the circuit of FIG. 5, the circuit shown in FIG. 9 has only one S-box, the S-box 303 shown in FIG. 9.
- This S-box 303 executes in one cycle the processing of one of the S-boxes in the F function shown in FIG. 10.
- The S-boxes shown in FIG. 10 are thus processed sequentially, one per cycle.
- One S-box of the F function receives one quarter of the n/4 bits carried by one line of the 4-line generalized Feistel structure, that is, n/16 bits, and executes the nonlinear transformation on them.
- That is, n/16 bits are input every cycle and nonlinearly transformed.
- The n/16-bit data that is the processing unit of the S-box 303 is output from the register group 301 once per cycle.
- These n/16 bits are first supplied to the exclusive OR unit, where they are exclusive-ORed with the corresponding part of the round key,
- and the nonlinear transformation is then executed by the S-box 303.
- The data nonlinearly converted in the S-box 303 is input to the following matrix operation circuit 304 in units of n/16 bits every cycle.
- In the matrix operation circuit 304, the linear transformation using the predetermined matrix is executed.
- Registers have a relatively large gate size compared with other cells, and an increase in the number of registers greatly affects the total gate size. It is therefore important to consider implementation methods that suppress any increase in registers as one direction for realizing miniaturization.
- The encryption algorithm applying the SPN structure differs from the encryption algorithm applying the generalized Feistel structure in the following respect.
- In the encryption algorithm applying the generalized Feistel structure, the exclusive OR with the data of another line is performed after the matrix operation result has been obtained; this is considered to be the cause of the extra registers. That is, in the encryption algorithm applying the generalized Feistel structure, both a register holding the intermediate result of the matrix operation and a register holding the data of the other line are required.
- In the present invention, the number of required registers is reduced by changing the order of operations using the associative law of the exclusive OR operation, that is, the following equation holds.
- The order of operations is changed so that the matrix operation result is accumulated by exclusive OR directly in the register that holds the data of the other line.
- FIG. 11 shows a data path, that is, an arithmetic circuit configuration, as an embodiment of the present invention.
- The arithmetic circuit shown in FIG. 11 is an execution circuit for a cryptographic algorithm to which the 4-line generalized Feistel structure described above with reference to FIG. 3 is applied. By replacing the circulant matrix operation unit with a Hadamard matrix operation unit, for example, the circuit can be used as an execution circuit for the CLEFIA cipher.
- The register group 501 in FIG. 11 corresponds to the register group 301 shown in FIG.: it includes registers that hold data and a circuit that executes the permutation operation at the end of the round function. However, the register group 501 in FIG. 11 has fewer registers than the register group 301 shown in FIG.
- The register group 301 shown in FIG. 9 was described as a configuration including registers holding (3/4)n bits of data and a circuit executing the permutation operation at the end of the round function.
- In contrast, the registers included in the register group 501 shown in FIG. 11 are only registers holding n/2 bits of data.
- With n = 128 bits, this saves 32 bits of registers compared with the configuration of FIG.
- FIG. 12 and Table 1 below show the matrix operation sequence in the matrix operation circuit 304 according to the data path shown in FIG.
- FIG. 13 and Table 2 below show the matrix operation sequence in the matrix operation circuit 504 according to the data path shown in FIG.
- The differences between the two processes are described using Table 1 (FIG. 12), which shows the matrix operation sequence in the configuration of FIG. 9, and Table 2 (FIG. 13), which shows the matrix operation sequence in the configuration of FIG.
- The matrix operation circuit 304 outputs the result (y0, y1, y2, y3) of applying the matrix to the exclusive OR operation unit 305.
- In the exclusive OR operation unit 305, the output (y0, y1, y2, y3) of the matrix operation circuit 304 is exclusive ORed with the outputs (E0, E1, E2, E3) from the other lines.
- The outputs (E0, E1, E2, E3) from the other lines correspond, for example, to the processing result of the round operation in the previous round.
- Each of the inputs (x0, x1, x2, x3) to the matrix operation circuit 304 is n/16 bits, and the outputs (y0, y1, y2, y3) and the outputs (E0, E1, E2, E3) from the other lines are likewise all n/16-bit data.
- In the first cycle, each element of the matrix operation result based on the input element x0 to the matrix operation circuit 304 is stored in the registers R0, R1, R2, R3.
- In this cycle the enable signal (en) input to the AND circuit 313 is set to 0, so the multiplication results of the multiplication unit 311 for the input element x0 are stored in the registers R0, R1, R2, R3 as they are:
- Register R0 stored value: d·x0
- Register R1 stored value: c·x0
- Register R2 stored value: b·x0
- Register R3 stored value: a·x0
- In the second cycle, the input element x1 is input to the matrix operation circuit 304.
- The enable signal (en) input to the AND circuit 313 is set to 1.
- The exclusive OR operation unit 312 exclusive ORs the multiplication results of the multiplication unit 311 for the input element x1 with the values stored in the registers R0, R1, R2, R3 in the previous cycle, and the results are stored back in the registers R0, R1, R2, R3.
- Also in this second cycle, the output element E0 from the other line is stored in the register R7.
- In the fourth cycle, the input element x3 is input to the matrix operation circuit 304. The input of the input data (x0, x1, x2, x3) is then complete, and in this fourth cycle the matrix operation results (y0, y1, y2, y3) are held in the registers R0, R1, R2, R3.
- The data of (Equation 5) corresponds to the round output data (D) at the connection between rounds shown in FIG.
- In the fifth cycle, the computation for the first element x'0 of the input values (x'0, x'1, x'2, x'3) to the next matrix operation in the matrix operation circuit 304 is stored in the registers R0, R1, R2, R3.
- The values shown in (Equation 6) above are stored in the registers R4, R5, R6, R7 in this fifth cycle and are input to the register group 501 via the line 506 shown in FIG. as data for the next round operation.
- The configuration shown in FIG. 11 has fewer registers than the configuration shown in FIG. 9, yet it realizes the same arithmetic processing as FIG. 9; only the operation sequence differs. The processing in each cycle is described below.
- The outputs (E0, E1, E2, E3) corresponding to the processing result of the round operation in the previous round are output from the register group 501.
- This data is stored sequentially in the registers R7, R6, R5 via the line 521, so that:
- Register R5 holds E0
- Register R6 holds E1
- Register R7 holds E2
- These data are set in the stored state.
- E3 is input to the exclusive OR operation unit 512 via the multiplexer 513. These arithmetic controls are performed, for example, by a control unit (not shown) on the basis of clock input information.
- For register R0, the value E1 stored in the register R6 is input to the exclusive OR operation unit 512 via the multiplexer m0, and the exclusive OR result with d·x0 is stored.
- For register R1, the value E2 stored in the register R7 is input to the exclusive OR operation unit 512 via the multiplexer m1, and the exclusive OR result with c·x0 is stored.
- For register R2, the output value E3 output from the register group via the line 521 is input to the exclusive OR operation unit 512 via the multiplexer m2, and the exclusive OR result with b·x0 is stored.
- For register R3, the value E0 stored in the register R5 is input to the exclusive OR operation unit 512 via the multiplexer m3, and the exclusive OR result with a·x0 is stored. That is, the values shown in (Expression 7) below are stored in the registers R0, R1, R2, R3.
- Each of the multiplexers 513 (m0 to m3) performs the same processing as a selector that outputs one input selected from two inputs.
- In the first cycle they are set to output the stored values of the registers R7, R6, R5 and the output value of the line 521. These controls are performed by a control unit (not shown).
- In this way the exclusive OR with the outputs (E0, E1, E2, E3) from the other lines is executed in advance, so it is not necessary to hold the outputs (E0, E1, E2, E3) until the 4-cycle matrix operation period is complete. The number of required registers is reduced by this change of the arithmetic sequence.
- In the second cycle, the input element x1 is input to the matrix operation circuit 504.
- The multiplexers 513 (m0 to m3) are controlled to selectively output the stored values of the registers R0, R1, R2, R3.
- As a result, the exclusive OR operation unit 512 exclusive ORs the multiplication results of the multiplication unit 511 for the input element x1 with the values stored in the registers R0, R1, R2, R3 in the previous cycle, and the results are stored in the registers R0, R1, R2, R3.
- Also in this second cycle, the output element E'0 from the other line is stored in the register R7.
- In the fourth cycle, the input element x3 is input to the matrix operation circuit 504.
- The input of the input data (x0, x1, x2, x3) is then complete, and in this fourth cycle the registers R0, R1, R2, R3 hold the exclusive OR of the matrix operation result (y0, y1, y2, y3) with the outputs (E0, E1, E2, E3) from the other lines.
- The next outputs from the other line are the stored values of the registers R7, R6, R5 and the output of the line 521.
- The exclusive OR operation unit 512 computes the exclusive OR of these input values with the multiplication results in the multiplication unit 511 of the new input x'0 to the matrix operation circuit 504, and stores the results in the registers R0, R1, R2, R3.
- The register contents, that is, the data shown in the following equation (Equation 8), are input to the register group 501 via the line 506 shown in FIG. as data for the next round operation.
- Because the exclusive OR with the outputs (E0, E1, E2, E3) from the other lines is executed in advance within the matrix calculation, separate registers for storing the outputs (E0, E1, E2, E3) from the other lines and for storing the intermediate results of the matrix operation are no longer needed. By sharing these registers, the total number of required registers is reduced.
- In summary, the exclusive OR with the outputs (E0, E1, E2, E3) from the other lines, which correspond to the processing result of the round operation in the previous round, is executed in advance.
- That is, in the first cycle the outputs (E0, E1, E2, E3) from the other lines are supplied from the registers and the like via the multiplexer 513 to the exclusive OR operation unit 512 ahead of time, and are exclusive ORed with the multiplication results (d·x0 and so on) of the multiplication unit 511 for the first input value (x0) to the matrix operation circuit 504.
- Compared with the configuration shown in FIG., one line's worth of registers, one line's worth of exclusive OR circuits and one line's worth of AND circuits required there can be eliminated. The configuration shown in FIG. 11 is smaller by these differences, and with this miniaturization lower power consumption can also be expected. In particular, since the gate size of a register is relatively large compared with other cells, eliminating one line's worth of registers contributes especially to downsizing.
- The application to the 4-line generalized Feistel structure has been described as a representative example of the configuration to which the present invention is applied.
- The processing sequence described with reference to FIG. 11 and FIG. 13 (Table 2), that is, applying the output values from the other lines to the matrix operation in advance, is not limited to 4-line generalized Feistel structures.
- The present invention can also be applied to the Feistel structure, and a reduction of the register circuit configuration similar to that described with reference to FIG. can be obtained. That is, the present invention is applicable not only to a 4-line generalized Feistel structure but also to structures in which the interior of the round function is modified or extended.
- It is likewise applicable to a 2-line Feistel structure or to an x-line generalized Feistel structure for arbitrary x (x is 2 or more).
- The matrix applied in the matrix operation circuit was described as a circulant matrix.
- However, the matrix applied in the matrix operation circuit is not limited to a circulant matrix; other types of matrix, such as a Hadamard matrix, can also be applied.
- Nor is the matrix limited to a 4×4 matrix: any x×x matrix, where x is a natural number of 2 or more, can be applied.
- The configuration of the present invention is not limited to the configuration having the F function described above with reference to FIG. 2; it can be applied to any algorithm executing a round function that does not include a nonlinear transformation after the matrix operation, and the downsizing effect can be expected there as well.
- The configuration described in the above embodiment is a type-2 generalized Feistel structure among the 4-line generalized Feistel structures.
- The present invention is not limited to it and also applies to other types such as type-1 or type-3.
- The present invention can further be applied to a modified Feistel structure, with the same effect expected.
- FIG. 14 shows a circuit configuration example of a data path in which the present invention is applied to a 2-line Feistel structure.
- In this data path, the outputs (E0, E1, E2, E3) from the other line, as the calculation results of the previous round, are stored in the registers R4, R5, R6, R7.
- In the first cycle of the matrix operation in the matrix operation circuit 604, the multiplication results in the multiplication unit 611 of the input value x0 from the S-box 603 are exclusive ORed with these outputs, and the results are stored in the registers R0, R1, R2, R3.
- In this way the matrix operation can be executed in the same processing sequence as described above with reference to FIG. 11, and this process reduces the hardware configuration by reducing the number of registers.
- A circulant matrix, a Hadamard matrix, or the like can be used as the matrix applied in the matrix operation circuit 604, and any x×x matrix (x an integer with x ≥ 2) can be used.
- Here too, the present invention is not limited to the configuration having the F function described with reference to FIG. 2; any round function that does not execute a nonlinear transformation after the matrix operation may be used.
- FIG. 15 shows a configuration example of an IC module 700 as a cryptographic processing apparatus that executes the cryptographic processing according to the above-described embodiment.
- The above processing can be executed in various information processing apparatuses such as a PC, an IC card or a reader/writer, and the IC module 700 shown in FIG. 15 can be built into these various devices.
- The CPU (Central Processing Unit) 701 shown in FIG. 15 is a processor that controls the start and end of cryptographic processing, data transmission and reception, and data transfer between the components, and that executes other various programs.
- The memory 702 consists of a ROM (Read-Only Memory) storing the programs executed by the CPU 701 and fixed data such as calculation parameters, and a RAM (Random Access Memory) used as a storage area for the programs executed by the CPU 701 and for parameters that change during processing, and as a work area.
- The memory 702 can also be used as a storage area for the key data required for the encryption processing, for the conversion tables (substitution tables) and conversion matrices applied in the encryption processing, and the like.
- The data storage area is preferably configured as memory with a tamper-resistant structure.
- The cryptographic processing unit 703 has the cryptographic processing configuration described with reference to FIGS. 11 and 14 and executes, for example, encryption and decryption according to a common-key block cipher algorithm to which a generalized Feistel structure or a Feistel structure is applied.
- Here the cryptographic processing means is shown as a separate module, but instead of providing such an independent cryptographic processing module, a cryptographic processing program may be stored in the ROM and read out and executed by the CPU 701.
- The random number generator 704 executes the random number generation needed to generate the keys required for the encryption processing.
- The transmission/reception unit 705 is a data communication processing unit that communicates with the outside.
- For example, the data transmission/reception unit 705 communicates with an IC module such as a reader/writer, outputs the ciphertext generated in the IC module, and takes in data from external devices such as reader/writers.
- The series of processes described in the specification can be executed by hardware, by software, or by a combination of both.
- When executed by software, the program recording the processing sequence can be installed in a memory of a computer built into dedicated hardware and executed there, or installed and executed on a general-purpose computer capable of various processing.
- The program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium.
- Alternatively, the program can be stored (recorded) temporarily or permanently on a removable recording medium such as a flexible disk, CD-ROM (Compact Disc Read Only Memory), MO (magneto-optical disc), DVD (Digital Versatile Disc), magnetic disk, or semiconductor memory.
- Such a removable recording medium can be provided as so-called package software.
- Besides installation from a removable recording medium, the program can be transferred wirelessly from a download site to the computer, or by wire over a network such as a LAN (Local Area Network) or the Internet.
- The computer can receive the program transferred in this way and install it on a recording medium such as a built-in hard disk.
- In this specification, a system is a logical set of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.
- As described above, according to the configuration of one embodiment of the present invention, the encryption processing configuration to which the generalized Feistel structure is applied can be reduced in size and in power consumption.
- Specifically, the matrix operation execution unit, which executes the linear transformation applying a matrix to the data of the first line, performs the operation between the matrix operation process data and the data of the second line in the first cycle of the execution cycles of the matrix operation.
Abstract
Description
The invention resides in a cryptographic processing apparatus having a cryptographic processing unit that receives the constituent bits of a data block to be processed divided into a plurality of lines and repeatedly executes data conversion processing that applies a round function to the data transmitted on each line,
the cryptographic processing unit comprising
an arithmetic unit that generates converted data for the data of a first line of the plurality of lines, performs an operation between the generated converted data and the data of a second line different from the first line, and repeatedly executes this operation with the operation result as the input data of the next round, and
a register that holds the operation results of the arithmetic unit,
wherein the arithmetic unit is configured to acquire data sequentially from the register, execute the operations in the order of acquisition, and store the operation results in the register,
the arithmetic unit has
a matrix operation execution unit that executes a linear transformation applying a matrix to the data of the first line, and
the matrix operation execution unit
executes the operation with the data of the second line when executing the matrix operation of the first cycle among the execution cycles of the matrix operation on the data of the first line.
The invention further resides in a cryptographic processing method executed in a cryptographic processing apparatus,
having a cryptographic processing step in which a cryptographic processing unit receives the constituent bits of a data block to be processed divided into a plurality of lines and repeatedly executes data conversion processing that applies a round function to the data transmitted on each line,
wherein in the cryptographic processing step the data of a first line of the plurality of lines is converted, an operation is performed between the generated converted data and the data of a second line different from the first line, and this operation is repeatedly executed with the operation result as the input data of the next round,
and during the execution cycles of the matrix operation executed in generating the converted data of the first line, the operation with the data of the second line is executed in the matrix operation of the first cycle.
The invention further resides in a program that causes a cryptographic processing apparatus to execute cryptographic processing,
having a cryptographic processing step that causes a cryptographic processing unit to receive the constituent bits of a data block to be processed divided into a plurality of lines and to repeatedly execute data conversion processing that applies a round function to the data transmitted on each line,
wherein in the cryptographic processing step the data of a first line of the plurality of lines is converted, an operation is performed between the generated converted data and the data of a second line different from the first line, and this operation is repeatedly executed with the operation result as the input data of the next round,
and during the execution cycles of the matrix operation executed in generating the converted data of the first line, the operation with the data of the second line is executed in the matrix operation of the first cycle.
Specifically, in a cryptographic processing configuration applying a generalized Feistel structure, in which data is divided into a plurality of lines and data conversion processing applying a round function to the data transmitted on each line is executed repeatedly, the matrix operation execution unit that executes the linear transformation applying a matrix to the data of the first line performs the operation between the matrix operation process data and the data of the second line in the first of the execution cycles of the matrix operation. With this configuration, the register for holding the data of the second line and the register for holding the intermediate result of the matrix operation on the first line can be shared, so the total number of registers is reduced and miniaturization is realized. Furthermore, the smaller circuit configuration and the reduced number of elements also reduce power consumption.
1. Overview of common-key block ciphers
2. Overview of compact implementation techniques for the AES cipher algorithm applying the SPN structure
3. Details of the configuration and processing of the matrix operation circuit in the compact SPN implementation
4. Application of the compact SPN implementation to the generalized Feistel structure and its problems
5. Configuration realizing miniaturization of the generalized Feistel structure
6. Effects of the configuration of the present invention and modifications
7. Configuration example of the cryptographic processing apparatus as an IC card
First, an overview of the common-key block ciphers to which the present invention can be applied. In this specification, a common-key block cipher (hereinafter, block cipher) refers to what is defined below.
The bit sizes of the plaintext [P], the ciphertext [C] and the key [K] are as follows.
Plaintext P: n bits
Ciphertext C: n bits
Key K: k bits
FIG. 2 shows the overall Feistel structure on the right and a detailed configuration diagram of one F function 120 on the left.
The F function in each round receives the round keys RK1 to RKr generated from the expanded key K' input from the key schedule unit 111.
The number of divisions of the data to be processed is not limited to two; various settings are possible. A Feistel structure whose number of divisions is not limited to 2 is called a generalized Feistel structure.
The Feistel structure described with reference to FIG. 2 divides the n-bit plaintext to be processed into two lines of n/2 bits each and processes them. In contrast, the configuration shown in FIG. 3 divides the n-bit plaintext into four lines of n/4 bits each.
Next, as a premise for the description of the embodiment, an overview of the compact implementation technique already proposed for the AES cipher algorithm applying the SPN structure.
First, the structure of the round function of the SPN-based AES algorithm is described with reference to FIG. 4.
Like the Feistel structure, the AES algorithm applying the SPN structure repeats a round function several times.
FIG. 4 shows a configuration example of the round function execution unit used in the SPN-based AES algorithm. AES repeats the round function shown in FIG. 4 several times to generate ciphertext from plaintext, or plaintext from ciphertext. It has:
a nonlinear transformation unit 201 consisting of sixteen 8-bit-input/output S-boxes that execute the nonlinear transformation,
a Shift Row execution unit 202 that permutes the 8-bit outputs of the S-boxes constituting the nonlinear transformation unit 201,
a linear transformation unit 203 consisting of four matrix operation units, each receiving 32 bits of the Shift Row execution unit 202 output and executing a linear transformation applying a matrix, and
an exclusive OR operation unit 204 consisting of four operation units, each exclusive ORing the 32-bit output of one matrix operation unit of the linear transformation unit 203 with a 32-bit round key.
In this compact configuration only one S-box circuit is used, and one matrix operation is executed over 4 cycles. This implementation makes the matrix operation circuit small.
The number of registers, as shown in FIG. 5, is 152 bits (19 × 8-bit registers). The key generation unit 251 additionally needs a 128-bit register holding the 128-bit key data.
Next, the configuration and processing of the matrix operation circuit in the compact SPN implementation described with reference to FIG. 5 are described in detail.
For simplicity, the explanation uses a data path, as in FIG. 6, from which the circuit for the Shift Row data permutation and the key schedule unit are omitted.
(y0, y1, y2, y3) is the output (linear transformation result) of the matrix operation circuit 253, and
the 4×4 matrix corresponds to the matrix (linear transformation matrix) applied in the matrix operation circuit 253.
The elements of the 4×4 linear transformation matrix are shown as hexadecimal values.
In this example each of (x0, x1, x2, x3) is the output of the S-box 252 in one cycle and is 8-bit data; each of the outputs (y0, y1, y2, y3) is also 8-bit data.
For example, when the matrix operation circuit 253 of FIG. 7 executes the matrix operation of the matrix operation circuit 203a shown in FIG. 4, the S-box outputs (1) to (4) for the matrix operation circuit 203a of FIG. 4 are input sequentially from the S-box 252 to the matrix operation circuit 253 of FIG. 7 over four cycles:
data x0 in the first cycle,
data x1 in the second cycle,
data x2 in the third cycle,
data x3 in the fourth cycle.
Using these data, (y0, y1, y2, y3) is output as the result of the linear transformation applying the matrix.
As stated above, each of the S-box 252 outputs x0, x1, x2, x3 in the respective cycles is 8-bit data, and each of y0, y1, y2, y3, the result of the linear transformation applying the matrix in the matrix operation circuit 253, is also 8-bit data.
The processing in each cycle is described below.
On the second line L2 as well, the input data (din) = x0 passes through the exclusive OR unit 282 unchanged and is stored in the register r17.
x0·2 and
x0·3
are computed.
These operation results pass through the exclusive OR units 283 and 284 and are stored in the registers r18 and r19.
With this setting, the exclusive OR units 281 to 284 exclusive OR the input data or its multiples with the outputs of the AND circuits 271 to 274, and the results are stored in the registers r16 to r19.
(dout0, dout1, dout2, dout3)
= (y0, y1, y2, y3)
is obtained.
Thus the matrix operation circuit 253 of FIG. 7 executes the matrix operation according to (Equation 1) above in 4 cycles of processing.
(y0, y1, y2, y3) is the output (linear transformation result) of the matrix operation circuit 290, and
the 4×4 matrix corresponds to the matrix (linear transformation matrix) applied in the matrix operation circuit 290.
The elements of the 4×4 linear transformation matrix are shown as hexadecimal values.
The multiplication units 291 to 294 are set to correspond to the elements of the linear transformation matrix, the 4×4 Hadamard matrix shown in Equation 2.
The AND circuits are replaced by multiplexers 295 to 298, so that the input to each of the registers r16 to r19 is selected from three candidates: the outputs of two other registers, or 0.
These are the changes.
(1) a 128-bit register for storing the round key
(2) a 128-bit register for storing the processing data
(3) a 32-bit register for storing intermediate results of the matrix operation applying the linear transformation matrix
The data operation unit requires the registers (2) and (3), so 128 + 32 = 160 bits of registers are calculated to be necessary.
The configuration proposed by Hamalainen et al. exploits the fact that a value (8 bits) already input from the S-box into the matrix operation circuit is no longer needed in the next round. Of the 32 bits input from the S-box to the matrix operation circuit, the register for the 8 bits input first is shared with a register inside the matrix operation circuit, which saves 8 bits of registers.
As described above, Hamalainen et al. achieved miniaturization of the SPN structure. However, this compact configuration is specific to the SPN structure, and applying it to the generalized Feistel structure does not yield a sufficient miniaturization effect. This problem is explained below. In the following, the generalized Feistel structure is treated as a concept that includes the Feistel structure.
FIG. 10 shows a concrete example of the F function in the round function. It has the following components:
(a) an exclusive OR operation unit 321 that executes the exclusive OR with the round key,
(b) a nonlinear transformation unit [S] 322 consisting of S-boxes that nonlinearly transform the output of the exclusive OR operation unit 321, and
(c) a linear transformation unit [M] 323 that performs the linear transformation by matrix operation on the output of the nonlinear transformation unit [S] 322.
However, the input and output of the F function in the 4-line generalized Feistel structure are n/4 bits.
Let n = 128 bits.
The S-box 303 shown in FIG. 9 receives n/16 bits per cycle and executes the nonlinear transformation on them.
The number of exclusive OR circuits also increases.
Since an increase in registers greatly affects the circuit scale, an implementation that can be built with registers for only the block length is preferable if it can be realized.
Next, the configuration of the present invention, that is, the configuration realizing miniaturization of the generalized Feistel structure, is described.
When the implementation method of Hamalainen et al. is applied to the execution configuration of a cipher algorithm with a generalized Feistel structure, the registers and exclusive OR circuits increase as explained in the previous section, and miniaturization is not achieved.
That is, in a cipher algorithm applying the generalized Feistel structure, both a register that holds the intermediate result of the matrix operation and a register that holds the data of the other line are required.
However, the register group 501 in FIG. 11 is set to have fewer registers than the register group 301 shown in FIG. 9.
In contrast, the registers included in the register group 501 shown in FIG. 11 are only registers holding n/2 bits of data.
Let n = 128 bits.
Register group 301: (3/4)n bits = 96 bits
Operation units other than register group 301: eight 8-bit registers, 8 × 8 = 64 bits
In total,
96 + 64 = 160 bits
of registers are required.
Register group 501: (1/2)n bits = 64 bits
Operation units other than register group 501: eight 8-bit registers, 8 × 8 = 64 bits
In total,
64 + 64 = 128 bits
of registers are required.
As described in detail below, in the configuration of the present invention shown in FIG. 11 the matrix operation circuit executes the operation using the outputs (E0, E1, E2, E3) from the other lines ahead of time, which eliminates the registers (8 × 4 = 32 bits) that would otherwise hold these output data (E0, E1, E2, E3) during the matrix operation period.
To realize this register reduction, the processing of the present invention uses a special setting of the operation sequence, in particular the sequence of the matrix operation in the matrix operation circuit that performs the linear transformation. The details of the operation sequence using the circuit configuration of FIG. 11, the data path according to the present invention, are described below.
Further, FIG. 13 and Table 2 below show the matrix operation sequence in the matrix operation circuit 504 according to the data path shown in FIG. 11.
The differences between the processes are described using Table 2 (FIG. 13), which shows the matrix operation sequence in the configuration of FIG. 11.
In the exclusive OR operation unit 305, the output (y0, y1, y2, y3) of the matrix operation circuit 304 is exclusive ORed with the outputs (E0, E1, E2, E3) from the other lines of the 4-line generalized Feistel structure. The outputs (E0, E1, E2, E3) from the other lines correspond, for example, to the processing result of the round operation in the previous round.
Register R0 stored value: d·x0
Register R1 stored value: c·x0
Register R2 stored value: b·x0
Register R3 stored value: a·x0
These data are stored in the respective registers.
Also in this second cycle, the output element E0 from the other line is stored in the register R7.
Also in this third cycle, the output element E0 from the other line is stored in the register R6 and E1 in the register R7.
The register contents, that is, the data shown in the following equation (Equation 5), are input to the register group 301 via the line 306 shown in FIG. 9 as data for the next round operation.
Also in this fifth cycle, the operation on the first element x'0 of the input values (x'0, x'1, x'2, x'3) to the next matrix operation in the matrix operation circuit 304 is stored in the registers R0, R1, R2, R3.
The configuration shown in FIG. 11 has fewer registers than the configuration shown in FIG. 9, yet it realizes the same arithmetic processing as FIG. 9. Only the operation sequence differs.
The processing in each cycle is described below.
Register R5 holds E0,
register R6 holds E1,
register R7 holds E2;
these data are set in the stored state.
d·x0,
c·x0,
b·x0,
a·x0:
the exclusive OR with each of these values is executed, and the exclusive OR results are stored in the registers R0, R1, R2, R3.
In the register R0, the value E1 stored in the register R6 is input to the exclusive OR operation unit 512 via the multiplexer m0, and the exclusive OR result with d·x0 is stored.
In the register R1, the value E2 stored in the register R7 is input to the exclusive OR operation unit 512 via the multiplexer m1, and the exclusive OR result with c·x0 is stored.
In the register R2, the output value E3 output from the register group via the line 521 is input to the exclusive OR operation unit 512 via the multiplexer m2, and the exclusive OR result with b·x0 is stored.
In the register R3, the value E0 stored in the register R5 is input to the exclusive OR operation unit 512 via the multiplexer m3, and the exclusive OR result with a·x0 is stored.
That is, the values shown in (Equation 7) below are stored in the registers R0, R1, R2, R3.
In the first cycle, the multiplexers are set to output the stored values of the registers R7, R6, R5 and the output value of the line 521. These controls are performed by a control unit (not shown).
As a result, in the exclusive OR operation unit 512 the multiplication results of the multiplication unit 511 for the input element x1 are exclusive ORed with the values stored in the registers R0, R1, R2, R3 in the previous cycle, and the results are stored in the registers R0, R1, R2, R3.
Also in this second cycle, the output element E'0 from the other line is stored in the register R7.
Also in this third cycle, the output element E'0 from the other line is stored in the register R6 and E'1 in the register R7.
The exclusive OR operation unit 512 computes the exclusive OR of these input values with the multiplication result in the multiplication unit 511 of the new input x'0 to the matrix operation circuit 504, and stores it in the registers R0, R1, R2, R3.
At this point, the values stored in the registers R0, R1, R2, R3 are transferred to the registers R4, R5, R6, R7.
The register contents, that is, the data shown in the following equation (Equation 8), are input to the register group 501 via the line 506 shown in FIG. 10 as data for the next round operation.
In the data path of FIG. 11, which executes cryptographic processing applying the generalized Feistel structure according to the present invention, the result of the preceding processing is, as described above, exclusive ORed in the first cycle of the matrix operation of the round operation.
As described with reference to FIG. 11, in the first cycle, which is the first processing step of the matrix operation in the matrix operation circuit 504, the outputs (E0, E1, E2, E3) from the other lines are input ahead of time from the registers and the like via the multiplexer 513 to the exclusive OR operation unit 512, and are exclusive ORed with the multiplication results (d·x0 and so on) in the multiplication unit 511 of the first input value (x0) to the matrix operation circuit 504.
With this miniaturization, lower power consumption can also be expected.
In particular, since the gate size of a register is relatively large compared with other cells, eliminating one line's worth of registers contributes especially to miniaturization.
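The FIG. 9 and FIG. 11 operation sequences described in the bulleted section above and restated in the preceding paragraphs, as an added Python model written for this page (it is not the patent's code). It assumes n = 128 bits, so one line is four 8-bit words and the matrix operation consumes one S-box word per cycle; the GF(2^8) reduction polynomial, the AES MixColumns matrix used as the circulant example, the placeholder S-box and all sample words are constructed for the example, and the specific register-to-row assignment of the figures (E1 into R0, E2 into R1, and so on) is not reproduced: each accumulator R_i simply absorbs E_i.

```python
"""Cycle-serial matrix operation of a 4-line generalized Feistel round in the
two orderings the patent contrasts (FIG. 9 vs FIG. 11).  Added illustration:
the GF(2^8) polynomial, the matrix, the placeholder S-box and all input words
are constructed for this example and are not taken from the patent."""


# GF(2^8) multiplication, reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B).
# Chosen for the example; the patent does not fix the field.
def gf_mul(a: int, b: int) -> int:
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def circulant(first_row):
    """Circulant matrix whose row i is the first row rotated right by i."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]


def matrix_then_xor(M, x, E):
    """Textbook order: y = M*x over GF(2^8), then y XOR E (the 'other line')."""
    y = [0] * 4
    for i in range(4):
        for k in range(4):
            y[i] ^= gf_mul(M[i][k], x[k])
    return [y[i] ^ E[i] for i in range(4)]


def sequence_fig9(M, x, E):
    """FIG. 9 order.  One word x_k arrives per cycle; cycle 1 loads the column
    products (AND gate en=0), cycles 2..4 accumulate (en=1).  E is XORed only
    after the fourth cycle, so its four words stay live the whole period.
    Returns (result, peak number of live n/16-bit words)."""
    store = {f"E{i}": E[i] for i in range(4)}      # previous round's words
    peak = 0
    for k, xk in enumerate(x):                      # cycle k+1
        for i in range(4):
            prev = store.get(f"R{i}", 0) if k else 0
            store[f"R{i}"] = prev ^ gf_mul(M[i][k], xk)
        peak = max(peak, len(store))
    out = [store[f"R{i}"] ^ store.pop(f"E{i}") for i in range(4)]
    return out, peak


def sequence_fig11(M, x, E):
    """FIG. 11 order.  In cycle 1 the multiplexer (513 in the figure) feeds E_i
    instead of the register into the XOR, so R_i starts as E_i ^ M[i][0]*x_0
    and E_i is consumed at once; cycles 2..4 are unchanged."""
    store = {f"E{i}": E[i] for i in range(4)}
    peak = 0
    for k, xk in enumerate(x):
        for i in range(4):
            other = store.pop(f"E{i}") if k == 0 else store[f"R{i}"]
            store[f"R{i}"] = other ^ gf_mul(M[i][k], xk)
        peak = max(peak, len(store))
    return [store[f"R{i}"] for i in range(4)], peak


# Placeholder 8-bit S-box: a constructed byte permutation, not CLEFIA's.
SBOX = [(7 * v + 0x63) & 0xFF for v in range(256)]
# AES MixColumns matrix, used here only as a concrete circulant example.
M_EXAMPLE = circulant([0x02, 0x03, 0x01, 0x01])


def f_function(line_in, rk, other, schedule=sequence_fig11):
    """F function as in the page's FIG. 10: key XOR, S-box, matrix.  The matrix
    stage runs cycle-serially and absorbs the other line's words 'other'."""
    x = [SBOX[w ^ k] for w, k in zip(line_in, rk)]   # one S-box word per cycle
    out, _ = schedule(M_EXAMPLE, x, other)
    return out


def round_type2(lines, rk0, rk1, schedule=sequence_fig11):
    """One round of a 4-line type-2 generalized Feistel structure: F on lines 0
    and 2, XOR into lines 1 and 3, then the conventional left rotation of the
    lines (the patent leaves the end-of-round permutation to its figures)."""
    p0, p1, p2, p3 = lines
    t1 = f_function(p0, rk0, p1, schedule)
    t3 = f_function(p2, rk1, p3, schedule)
    return [t1, p2, t3, p0]
```

The three paths return identical words, which is the whole justification for the reordering: XOR is associative and commutative, so E_i can be folded into the accumulator in cycle 1 instead of after cycle 4. The `peak` value counts the n/16-bit words that must exist somewhere in the data path at the end of a cycle (register group or the R registers, not the figures' register-by-register timing): 8 for the FIG. 9 order, 4 for the FIG. 11 order, matching the page's statement that the other line's outputs no longer have to be held through the 4-cycle matrix period.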
Any x×x matrix, where x is a natural number of 2 or more:
such various matrices can be applied.
In the data path shown in FIG. 14, for example, the outputs (E0, E1, E2, E3) from the other line, as the calculation results of the previous round, are stored in the registers R4, R5, R6, R7, and in the first cycle of the matrix operation in the matrix operation circuit 604 the exclusive OR between the input value x0 from the S-box 603, after multiplication in the multiplication unit 611, and these values is executed and the results are stored in the registers R0, R1, R2, R3.
In this way the matrix operation can be executed in the same processing sequence as described above with reference to FIG. 11, and this process reduces the hardware configuration by, among other things, reducing the number of registers.
Finally, FIG. 15 shows a configuration example of an IC module 700 as a cryptographic processing apparatus that executes the cryptographic processing according to the above embodiment. The above processing can be executed in various information processing apparatuses such as a PC, an IC card or a reader/writer, and the IC module 700 shown in FIG. 15 can be built into these various devices.
112 Data encryption unit
120 F function
121 Exclusive OR operation unit
122 Nonlinear transformation unit
123 Linear transformation unit
201 Nonlinear transformation unit
202 Shift Row execution unit
203 Linear transformation unit
204 Exclusive OR operation unit
251 Key generation unit
252 S-box
253 Matrix operation circuit
254 Exclusive OR operation unit
271–274 AND circuits
281–284 Exclusive OR operation units
285–286 Multiplication units
290 Matrix operation circuit
291–294 Multiplication units
295–298 Multiplexers
301 Register group
302 Exclusive OR operation unit
303 S-box
304 Matrix operation circuit
305 Exclusive OR unit
311 Multiplication unit
312 Exclusive OR unit
313 AND circuit
321 Exclusive OR operation unit
322 Nonlinear transformation unit [S]
323 Linear transformation unit [M]
501 Register group
502 Exclusive OR operation unit
503 S-box
504 Matrix operation circuit
511 Multiplication unit
512 Exclusive OR unit
513 Multiplexer
603 S-box
604 Matrix operation circuit
611 Multiplication unit
613 Multiplexer
700 IC module
701 CPU (Central Processing Unit)
702 Memory
703 Cryptographic processing unit
704 Random number generation unit
705 Transmission/reception unit
Claims (11)
- A cryptographic processing apparatus comprising a cryptographic processing unit that receives the constituent bits of a data block to be processed divided into a plurality of lines and repeatedly executes data conversion processing that applies a round function to the data transmitted on each line,
the cryptographic processing unit comprising
an arithmetic unit that generates converted data for the data of a first line of the plurality of lines, performs an operation between the generated converted data and the data of a second line different from the first line, and repeatedly executes this operation with the operation result as the input data of the next round, and
a register that holds the operation results of the arithmetic unit,
wherein the arithmetic unit is configured to acquire data sequentially from the register, execute the operations in the order of acquisition, and store the operation results in the register,
the arithmetic unit has
a matrix operation execution unit that executes a linear transformation applying a matrix to the data of the first line, and
the matrix operation execution unit
executes the operation with the data of the second line when executing the matrix operation of the first cycle among the execution cycles of the matrix operation on the data of the first line.
- The cryptographic processing apparatus according to claim 1, wherein the matrix operation execution unit is configured to execute the matrix operation on a plurality of unit data output sequentially from a preceding nonlinear transformation unit over a plurality of cycles, and in the first of the plurality of cycles executes the operation with the data of the second line together with the matrix operation on the unit data input from the nonlinear transformation unit.
- The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing apparatus has a configuration that eliminates the independent register for holding the data of the second line that would be required if the operation with the data of the second line were executed after completion of the operation cycles required for the matrix operation on the data of the first line, and uses the register for holding the intermediate results of the matrix operation on the data of the first line as the register for holding the data of the second line.
- The cryptographic processing apparatus according to claim 1, wherein the matrix operation execution unit executes, in the initial cycle of the matrix operation on the data of the first line, an exclusive OR operation between the matrix operation process data for the first line and the data of the second line.
- The cryptographic processing apparatus according to claim 1, wherein the matrix operation execution unit is configured to execute a matrix operation applying a circulant matrix or a Hadamard matrix.
- The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing unit has, as execution units of the round function, a nonlinear transformation unit that executes nonlinear transformation processing and the matrix operation execution unit as a linear transformation unit that executes linear transformation processing applying a matrix.
- The cryptographic processing apparatus according to claim 1, wherein the matrix operation execution unit sequentially receives the outputs of an S-box serving as the nonlinear transformation unit and executes the matrix operation on the input data as one-cycle processing.
- The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing executed by the cryptographic processing unit is cryptographic processing applying a Feistel structure or a generalized Feistel structure.
- The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing executed by the cryptographic processing unit is cryptographic processing according to the CLEFIA cipher algorithm.
- A cryptographic processing method executed in a cryptographic processing apparatus,
having a cryptographic processing step in which a cryptographic processing unit receives the constituent bits of a data block to be processed divided into a plurality of lines and repeatedly executes data conversion processing that applies a round function to the data transmitted on each line,
wherein in the cryptographic processing step the data of a first line of the plurality of lines is converted, an operation is performed between the generated converted data and the data of a second line different from the first line, and this operation is repeatedly executed with the operation result as the input data of the next round,
and during the execution cycles of the matrix operation executed in generating the converted data of the first line, the operation with the data of the second line is executed in the matrix operation of the first cycle.
- A program that causes a cryptographic processing apparatus to execute cryptographic processing,
having a cryptographic processing step that causes a cryptographic processing unit to receive the constituent bits of a data block to be processed divided into a plurality of lines and to repeatedly execute data conversion processing that applies a round function to the data transmitted on each line,
wherein in the cryptographic processing step the data of a first line of the plurality of lines is converted, an operation is performed between the generated converted data and the data of a second line different from the first line, and this operation is repeatedly executed with the operation result as the input data of the next round,
and during the execution cycles of the matrix operation executed in generating the converted data of the first line, the operation with the data of the second line is executed in the matrix operation of the first cycle.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011800580020A CN103238291A (zh) | 2010-12-09 | 2011-10-24 | Code processing device, code processing method, and program |
US13/990,829 US9031230B2 (en) | 2010-12-09 | 2011-10-24 | Encryption processing device, encryption processing method, and program |
EP11846328.0A EP2651070B1 (en) | 2010-12-09 | 2011-10-24 | Code processing device, code processing method, and program |
KR1020137014092A KR20130126924A (ko) | 2010-12-09 | 2011-10-24 | Cryptographic processing device, cryptographic processing method, and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2010274807A JP5605197B2 (ja) | 2010-12-09 | 2010-12-09 | Cryptographic processing device, cryptographic processing method, and program |
JP2010-274807 | 2010-12-09 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012077419A1 true WO2012077419A1 (ja) | 2012-06-14 |
Family
ID=46206922
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2011/074468 WO2012077419A1 (ja) | 2010-12-09 | 2011-10-24 | Cryptographic processing device, cryptographic processing method, and program |
Country Status (7)
Country | Link |
---|---|
US (1) | US9031230B2 (ja) |
EP (1) | EP2651070B1 (ja) |
JP (1) | JP5605197B2 (ja) |
KR (1) | KR20130126924A (ja) |
CN (1) | CN103238291A (ja) |
TW (1) | TWI456542B (ja) |
WO (1) | WO2012077419A1 (ja) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10341090B2 (en) * | 2014-10-14 | 2019-07-02 | Sony Corporation | Cipher processing apparatus and cipher processing method |
CN118014031A (zh) * | 2018-03-22 | 2024-05-10 | Amazon Technologies, Inc. | Processing for multiple input data sets |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003345244A (ja) * | 2002-05-23 | 2003-12-03 | Mitsubishi Electric Corp | Data conversion device, data conversion method, data conversion program, and computer-readable recording medium recording the data conversion program |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100976750B1 (ko) * | 2002-05-09 | 2010-08-18 | 오니시스 그룹 엘.에이., 엘엘시 | Encryption device and method, encryption system |
JP4622222B2 (ja) * | 2003-09-30 | 2011-02-02 | Sony Corporation | Cryptographic processing device, cryptographic processing method, and computer program |
US20050276413A1 (en) * | 2004-06-14 | 2005-12-15 | Raja Neogi | Method and apparatus to manage heterogeneous cryptographic operations |
US8127144B2 (en) * | 2005-10-12 | 2012-02-28 | Panasonic Corporation | Program loader operable to verify if load-destination information has been tampered with, processor including the program loader, data processing device including the processor, program loading method, and integrated circuit |
JP4882598B2 (ja) * | 2006-07-28 | 2012-02-22 | Sony Corporation | Cryptographic processing device, cryptographic processing algorithm construction method, cryptographic processing method, and computer program |
JP5050454B2 (ja) * | 2006-09-01 | 2012-10-17 | Sony Corporation | Cryptographic processing device, cryptographic processing method, and computer program |
JP5023624B2 (ja) * | 2006-09-01 | 2012-09-12 | Sony Corporation | Cryptographic processing device, cryptographic processing method, and computer program |
JP2008058830A (ja) * | 2006-09-01 | 2008-03-13 | Sony Corp | Data conversion device, data conversion method, and computer program |
JP4967544B2 (ja) * | 2006-09-01 | 2012-07-04 | Sony Corporation | Cryptographic processing device, cryptographic processing method, and computer program |
Application and Grant Events
Date | Country | Application → Patent (language) | Status |
---|---|---|---|
2010-12-09 | JP | JP2010274807A → JP5605197B2 (ja) | not active: Expired - Fee Related |
2011-10-21 | TW | TW100138376A → TWI456542B (zh) | not active: IP Right Cessation |
2011-10-24 | US | US13/990,829 → US9031230B2 (en) | not active: Expired - Fee Related |
2011-10-24 | CN | CN2011800580020A → CN103238291A (zh) | active: Pending |
2011-10-24 | KR | KR1020137014092A → KR20130126924A (ko) | not active: Application Discontinuation |
2011-10-24 | EP | EP11846328.0A → EP2651070B1 (en) | not active: Not-in-force |
2011-10-24 | WO | PCT/JP2011/074468 → WO2012077419A1 (ja) | active: Application Filing |
Non-Patent Citations (7)
Also Published As
Publication number | Publication date |
---|---|
US9031230B2 (en) | 2015-05-12 |
CN103238291A (zh) | 2013-08-07 |
KR20130126924A (ko) | 2013-11-21 |
EP2651070B1 (en) | 2018-08-22 |
EP2651070A1 (en) | 2013-10-16 |
US20130251144A1 (en) | 2013-09-26 |
EP2651070A4 (en) | 2017-01-18 |
JP2012123259A (ja) | 2012-06-28 |
TWI456542B (zh) | 2014-10-11 |
TW201225024A (en) | 2012-06-16 |
JP5605197B2 (ja) | 2014-10-15 |
Similar Documents
Publication | Title |
---|---|
EP2096786B1 (en) | Combining instructions including an instruction that performs a sequence of transformations to isolate one transformation |
JP4905000B2 (ja) | Cryptographic processing device, cryptographic processing method, and computer program |
JP5055993B2 (ja) | Cryptographic processing device, cryptographic processing method, and computer program |
EP2058781B1 (en) | Encryption device, encryption method, and computer program |
KR101068367B1 (ko) | Method and apparatus for optimizing AES encryption and decryption in parallel operation mode |
US8165288B2 (en) | Cryptographic processing apparatus and cryptographic processing method, and computer program |
US8396210B2 (en) | Cryptographic processing apparatus and cryptographic processing method, and computer program |
WO2009087972A1 (ja) | Data transmission device, data reception device, methods therefor, recording medium, and data communication system thereof |
JP5652363B2 (ja) | Cryptographic processing device, cryptographic processing method, and program |
JP5605197B2 (ja) | Cryptographic processing device, cryptographic processing method, and program |
CN110071927B (zh) | Information encryption method, system, and related components |
KR100788902B1 (ko) | MixColumn block device and multiplication operation method using the same |
JP5223245B2 (ja) | Cryptographic processing device, cryptographic processing method, and computer program |
Legal Events
Code | Title | Reference |
---|---|---|
121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 11846328; Country of ref document: EP; Kind code of ref document: A1 |
WWE | WIPO information: entry into national phase | Ref document number: 2011846328; Country of ref document: EP |
ENP | Entry into the national phase | Ref document number: 20137014092; Country of ref document: KR; Kind code of ref document: A |
WWE | WIPO information: entry into national phase | Ref document number: 13990829; Country of ref document: US |
NENP | Non-entry into the national phase | Ref country code: DE |