WO2015146430A1 - Cryptographic processing device, and cryptographic processing method and program - Google Patents

Info

Publication number
WO2015146430A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
conversion
round
function
cryptographic processing
Application number
PCT/JP2015/055280
Other languages
English (en)
Japanese (ja)
Inventor
香士 渋谷
孝典 五十部
Original Assignee
ソニー株式会社
Application filed by ソニー株式会社

Classifications

    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption

Definitions

  • The present disclosure relates to a cryptographic processing device, a cryptographic processing method, and a program. More specifically, the present invention relates to a cryptographic processing apparatus, a cryptographic processing method, and a program that execute common key encryption.
  • There are various cryptographic processing algorithms, but one of the basic techniques is called common key block cipher.
  • In a common key block cipher, the encryption key and the decryption key are common.
  • A plurality of keys are generated from the common key, and the data conversion process is repeatedly executed in units of a certain block, for example, block data units of 64 bits, 128 bits, or 256 bits.
  • DES: Data Encryption Standard
  • AES: Advanced Encryption Standard
  • CLEFIA, proposed by Sony Corporation in 2007, is one of the common key block ciphers.
  • Patent Document 1: Japanese Patent Laid-Open No. 2012-215813.
  • Such a common key block cipher algorithm mainly consists of an encryption processing unit, which has a round function execution unit that repeatedly executes conversion of input data, and a key schedule unit, which generates the round key to be applied in each round of the round function unit.
  • The key schedule unit first generates an extended key with an increased number of bits based on a master key (primary key) that is a secret key, and then, based on the generated extended key, generates the round keys (subkeys) to be applied in each round function unit of the encryption processing unit.
  • A structure that repeatedly executes a round function having a linear conversion unit and a non-linear conversion unit is known.
  • Typical structures include an SPN (Substitution-Permutation Network) structure, a Feistel structure, and an extended Feistel structure.
  • Cryptographic processing devices are required to have resistance to these various attacks, high-speed processing, or downsizing.
  • The present disclosure has been made in view of, for example, the above-described situation, and its object is to provide a cryptographic processing device, a cryptographic processing method, and a program that realize improvements in the various elements required of a cryptographic processing device, such as security, high speed, and downsizing.
  • The first aspect of the present disclosure is a cryptographic processing device including: an encryption processing unit that performs a round operation on input data to generate output data; and a key schedule unit that outputs, to the encryption processing unit, a round key applied in the round operation in the encryption processing unit.
  • The key schedule unit includes a key register storing a secret key K,
  • and a key conversion unit that generates a conversion key Kd by a conversion process in which a conversion function G is applied to the secret key K.
  • The secret key K and the conversion key Kd are configured to be a round key that is output to the encryption processing unit, or round key generation data.
  • In this cryptographic processing device, the conversion function G is an involution function in which the inverse function G^-1 is the same function as the function G.
  • The second aspect of the present disclosure is a cryptographic processing device including: an encryption processing unit that performs a round operation on input data to generate output data; and a key schedule unit that outputs, to the encryption processing unit, a round key applied in the round operation in the encryption processing unit.
  • The key schedule unit includes a key register storing a secret key K,
  • and a key conversion unit that generates a conversion key Kd by a conversion process in which a conversion function G is applied to the secret key K.
  • The secret key K and the conversion key Kd are configured to be a round key that is output to the encryption processing unit, or round key generation data.
  • Each of the secret key K and the conversion key Kd is a state composed of m × n elements, each element having 1 bit or more.
  • In this cryptographic processing device, the conversion function G is a function having full diffusion, in which all the state elements of the secret key K affect all the state elements of the conversion key Kd.
  • The third aspect of the present disclosure is a cryptographic processing method executed in a cryptographic processing device.
  • The cryptographic processing device includes: an encryption processing unit that performs a round operation on input data to generate output data;
  • and a key schedule unit that outputs, to the encryption processing unit, a round key applied in the round operation in the encryption processing unit.
  • The key schedule unit generates a conversion key Kd by a conversion process in which a conversion function G is applied to the secret key K stored in the key register, and executes a process of setting the secret key K and the conversion key Kd as a round key to be output to the encryption processing unit or as data for generating a round key.
  • In this cryptographic processing method, the conversion function G is an involution function in which the inverse function G^-1 is the same function as the function G.
  • The fourth aspect of the present disclosure is a cryptographic processing method executed in a cryptographic processing device.
  • The cryptographic processing device includes: an encryption processing unit that performs a round operation on input data to generate output data;
  • and a key schedule unit that outputs, to the encryption processing unit, a round key applied in the round operation in the encryption processing unit.
  • The key schedule unit generates a conversion key Kd by a conversion process in which a conversion function G is applied to the secret key K stored in the key register, and executes a process of setting the secret key K and the conversion key Kd as a round key to be output to the encryption processing unit or as data for generating a round key.
  • Each of the secret key K and the conversion key Kd is a state composed of m × n elements, each element having 1 bit or more.
  • In this cryptographic processing method, the conversion function G is a function having full diffusion, in which all the state elements of the secret key K affect all the state elements of the conversion key Kd.
  • The fifth aspect of the present disclosure is a program for executing cryptographic processing in a cryptographic processing device.
  • The cryptographic processing device includes: an encryption processing unit that performs a round operation on input data to generate output data; and a key schedule unit that outputs, to the encryption processing unit, a round key applied in the round operation in the encryption processing unit.
  • The program is stored in the key schedule unit.
  • In this program, the conversion function G has an involution property in which the inverse function G^-1 is the same function as the function G.
  • The sixth aspect of the present disclosure is a program for executing cryptographic processing in a cryptographic processing device.
  • The cryptographic processing device includes: an encryption processing unit that performs a round operation on input data to generate output data; and a key schedule unit that outputs, to the encryption processing unit, a round key applied in the round operation in the encryption processing unit.
  • The program is stored in the key schedule unit.
  • Each of the secret key K and the conversion key Kd is a state composed of m × n elements, each element having 1 bit or more.
  • In this program, the conversion function G is a function having full diffusion, in which all the state elements of the secret key K affect all the state elements of the conversion key Kd.
  • The program of the present disclosure is, for example, a program provided by a storage medium to an information processing apparatus or a computer system that can execute various program codes. When the program execution unit of the information processing apparatus or the computer system executes such a program, processing according to the program is realized.
  • A system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.
  • A highly secure cryptographic processing configuration with improved resistance to various attacks has a cryptographic processing unit that repeats a round operation on input data to generate output data, and a key schedule unit that outputs a round key applied in the round operation in the cryptographic processing unit to the cryptographic processing unit.
  • The key schedule unit includes a key register that stores the secret key K, and a key conversion unit that generates a conversion key Kd by a conversion process in which the conversion function G is applied to the secret key K.
  • The secret key K and the conversion key Kd are the round key to be output to the encryption processing unit, or round key generation data.
  • As the conversion function G, a function is applied that has an involution property, in which the inverse function G^-1 is the same function as the function G, and a full diffusion property. With this configuration, diffusion characteristics are improved, and a highly secure cryptographic processing configuration with improved resistance to various attacks is realized. Note that the effects described in the present specification are merely examples and are not limiting, and there may be additional effects.
  • n-bit common key block encryption algorithm corresponding to a key length of k bits. A figure explaining the decryption algorithm corresponding to the n-bit common key block cipher algorithm corresponding to a key length of k bits shown in FIG. A figure explaining the relationship between the key schedule unit and the encryption processing unit. A figure explaining a structural example of the encryption processing unit. A figure explaining an example of the round function of an SPN structure. A figure explaining an example of the round function of a Feistel structure. A figure explaining an example of an extended Feistel structure. A figure explaining an example of an extended Feistel structure. A figure explaining a structural example of the nonlinear transformation unit.
  • S box (S-box) of the nonlinear transformation unit of the encryption processing unit. A figure explaining a structural example of the S box (S-box) of the nonlinear transformation unit of the encryption processing unit. A figure explaining a structural example of the S box (S-box) of the nonlinear transformation unit of the encryption processing unit. A figure explaining a structural example of the S box (S-box) of the nonlinear transformation unit of the encryption processing unit. A figure explaining one structural example of a cryptographic processing apparatus. A figure showing a structural example of an IC module 700 as a cryptographic processing apparatus. A figure showing a structural example of a smartphone that has an encryption process execution function.
  • The common key block cipher (hereinafter sometimes referred to as block cipher) refers to the one defined below.
  • The block cipher takes as input plaintext P and key K and outputs ciphertext C.
  • Although n can take an arbitrary integer value, it is usually a predetermined value for each block cipher algorithm.
  • A block cipher with a block length of n is sometimes called an n-bit block cipher.
  • The bit length of the key is represented by k.
  • The key can take any integer value.
  • Plaintext P: n bits
  • Ciphertext C: n bits
  • Key K: k bits
  • FIG. 1 shows a diagram of an n-bit common key block cipher algorithm E corresponding to a key length of k bits.
  • The decryption algorithm D corresponding to the encryption algorithm E can be defined as the inverse function E^-1 of the encryption algorithm E; it receives the ciphertext C and the key K as input and outputs the plaintext P.
  • FIG. 2 shows a diagram of a decryption algorithm D corresponding to the encryption algorithm E shown in FIG.
  • Block ciphers can be considered in two parts.
  • One is the “key schedule unit”, which takes the secret key K as input and outputs, by a certain procedure, the round key to be applied in each round of the cryptographic processing unit.
  • The other is the “cryptographic processing unit”, which receives the plaintext P and the round keys from the key schedule unit, performs data conversion, and outputs the ciphertext C.
  • The relationship between the two parts is shown in FIG.
  • The encryption processing unit is configured to be able to execute decryption processing in which the ciphertext C is input and the plaintext P is output. In this case as well, the decryption process is executed using the round keys supplied from the key schedule unit. The relationship between the two parts is shown in FIG.
  • The cryptographic processing unit used in the following embodiments can be divided into processing units called round functions.
  • The round function performs a predetermined data conversion on input data and outputs the converted data.
  • The input data for the round function is, for example, n-bit data in the middle of encryption.
  • The output of the round function in one round is supplied as the input of the next round.
  • One component of the round function is an operation with a round key generated based on the key output from the key schedule unit. Specifically, an exclusive OR operation is performed on the n-bit data being encrypted and the round key.
  • The total number of round functions is called the total number of rounds, and is a value determined in advance for each cryptographic algorithm.
  • Round function: Depending on the block cipher algorithm, the round function can take various forms. Round functions can be classified according to the structure adopted by the cryptographic algorithm. As typical structures, an SPN (Substitution-Permutation Network) structure, a Feistel structure, and an extended Feistel structure are exemplified here.
  • An SPN (Substitution-Permutation Network) structure round function: a configuration in which an exclusive OR operation with a round key, nonlinear transformation, linear transformation processing, and so on are applied to all of the n-bit input data. The order of the operations is not particularly fixed.
  • FIG. 5 shows an example of a round function having an SPN structure.
  • The linear conversion unit may be referred to as a P layer (Permutation-layer).
  • (A) Feistel structure: The n-bit input data is divided into two pieces of n/2-bit data.
  • A function (F function) having one of the pieces of data and the round key as inputs is applied, and its output is exclusive-ORed with the other piece of data. After that, the left and right data are exchanged to form the output data.
  • There are various types of internal structure for the F function, but basically, as in the SPN structure, it is realized by a combination of an exclusive OR operation with round key data, a non-linear operation, and a linear transformation.
  • FIG. 6 shows an example of the round function of the Feistel structure.
  • The extended Feistel structure extends the Feistel structure, in which the number of data divisions is 2, to a division into 3 or more. If the number of divisions is d, various extended Feistel structures can be defined by d. Since the input/output size of the F function is relatively small, it is said to be suitable for compact implementation.
  • The implementation cost of the nonlinear conversion unit tends to increase as the size of the input data increases. To avoid this, the target data is often divided into a plurality of units and nonlinear transformation is performed on each unit. For example, the input size is set to ms bits, the input is divided into m pieces of s-bit data, and a nonlinear conversion with s-bit input and output is performed on each of them.
  • These non-linear conversion execution units operating on s bits are called S-boxes. An example of the S box (S-box) is shown in FIG.
  • The input data consisting of ms bits is divided into m pieces of s-bit data, each piece of divided data is input to one of m S-boxes that execute s-bit nonlinear conversion processing,
  • and the outputs of the S-boxes are concatenated to obtain an ms-bit nonlinear conversion result.
  • The linear conversion unit can, by its nature, be defined as a matrix.
  • The matrix elements can be expressed in various ways, such as elements of the extension field GF(2^8) or elements of GF(2).
  • FIG. 10 shows an example of a linear conversion unit that has ms-bit input and output and is defined by an m × m matrix defined over GF(2^s).
  • FIG. 11 shows an example in which input data is represented as A, output data after data conversion of the input data A is represented as B, and input data A and output data B are each represented as a state having an m × n array.
  • The input data A is an element of GF(2^s)^(mn), a vector of mn elements of the extension field GF(2^s).
  • Input data A = (a_0 a_1 a_2 ... a_{mn-2} a_{mn-1}).
  • a_0 is the bit data on the MSB side and a_{mn-1} is the bit data on the LSB side.
  • The output data B is an element of GF(2^s)^(mn).
  • Output data B = (b_0 b_1 b_2 ... b_{mn-2} b_{mn-1}).
  • b_0 is the bit data on the MSB side and b_{mn-1} is the bit data on the LSB side.
  • An m × n array state includes m × n elements.
  • State A shown in FIG. 11 includes mn elements a_0 to a_{nm-1}.
  • The elements of state B are the mn elements b_0 to b_{nm-1}.
  • Each element is bit data, for example 4-bit data or 8-bit (1 byte) data.
  • FIG. 12 shows an example of the 4 × 4 state when each of the 16 elements included in the 4 × 4 state is 4-bit data.
  • The input data is A, and the output data after some data conversion is B.
  • The input data A is an element of GF(2^4)^(4×4).
  • Input data A = (a_0 a_1 a_2 ... a_14 a_15).
  • a_0 is the bit data on the MSB side and a_15 is the bit data on the LSB side.
  • The output data B is an element of GF(2^4)^(4×4).
  • Output data B = (b_0 b_1 b_2 ... b_14 b_15).
  • b_0 is the bit data on the MSB side and b_15 is the bit data on the LSB side.
  • The example shown in FIG. 12 expresses input data A and output data B as states having a 4 × 4 arrangement in which each element is composed of 4-bit data.
  • State A shown in FIG. 12 includes 16 elements a_0 to a_15, each of which is 4-bit data. That is, when the 64-bit input data A is shown as a state, it can be expressed, as shown in FIG. 12, as a state A having a 4 × 4 arrangement in which each element is 4-bit data.
  • State B shown in FIG. 12 includes 16 elements b_0 to b_15, each of which is 4-bit data. That is, when the 64-bit output data B is shown as a state, it can be expressed, as shown in FIG. 12, as a state B having a 4 × 4 arrangement in which each element is 4-bit data.
  • The output data B is calculated by an exclusive OR operation between the round key K output from the key schedule unit and the input data A. The input data A, the round key K, and the output data B are all 64-bit data expressed as a state composed of 16 4-bit elements.
  • (XOR) indicates an exclusive OR operation.
  • One round operation is defined as a combination of operations that executes the above operations (1) to (3) in a predetermined sequence.
  • The round operation is repeatedly executed on the input data to generate and output the output data, for example, encrypted data.
  • The basic round operation is set such that the exclusive OR operation with a round key, the linear conversion processing, and the nonlinear conversion processing are each executed once.
  • An irregular round operation configuration can also be set among the round operations executed in the cryptographic processing sequence.
  • Many configurations execute only the operation with the round key at the beginning or end of the cryptographic processing sequence. This process is called key whitening and is generally not counted in the number of rounds.
  • Each of X_0, X_1, ..., X_{n-1} is an m × m matrix whose elements are elements of GF(2^s).
  • FIG. MC[X_0, X_1, ..., X_{n-1}]
  • The matrix operation in which, for the elements of the state expression data, the matrix X_0, X_1, ..., X_{n-1} corresponding to each column is applied to the elements of that column (0 to n-1) of the state is defined as the column diffusion operation. Note that MC means diffusion (Mix) in units of columns (Column), that is, (MixColumn).
  • In the column diffusion operation, a matrix operation in which one matrix X_k is applied to the elements of one column of the state is performed.
  • The matrices X_k applied to the individual columns constituting the state can be set to be the same matrix or to be different matrices.
  • An arithmetic expression for calculating the state B, which is the output data, by executing a column diffusion operation on the state A, which is the input data, can be expressed as follows.
  • B = MC[X_0, X_1, ..., X_{n-1}](A)
  • ^t(b_1 b_2 ... b_k) represents the transposed matrix of (b_1 b_2 ... b_k).
  • FIG. Input data A is 64-bit data, and state A consists of 16 4-bit data elements.
  • The output data B is also 64-bit data, and state B consists of 16 4-bit data elements.
  • The elements of state B calculated by the above arithmetic expression are as follows.
  • ^t(b_0 b_1 b_2 b_3) = X_0 · ^t(a_0 a_1 a_2 a_3),
  • ^t(b_4 b_5 b_6 b_7) = X_1 · ^t(a_4 a_5 a_6 a_7),
  • ^t(b_8 b_9 b_10 b_11) = X_2 · ^t(a_8 a_9 a_10 a_11),
  • ^t(b_12 b_13 b_14 b_15) = X_3 · ^t(a_12 a_13 a_14 a_15)
  • When the above arithmetic expressions are written in accordance with the actual element arrays of states A and B, the following arithmetic expressions are obtained, as shown in the lower part of FIG.
  • When a matrix operation applying the same matrix X to the elements of each column of the state is performed, it is sometimes expressed as MC[X]. That is, MC[X] and MC[X, X,.
  • Each of X_0, X_1, ..., X_{m-1} is an n × n matrix whose elements are elements of GF(2^s).
  • MR[X_0, X_1, ..., X_{m-1}]
  • The matrix operation in which, for the elements of the state expression data, the matrix X_0, X_1, ..., X_{m-1} corresponding to each row is applied to the elements of that row (0 to n-1) of the state is defined as the row diffusion operation.
  • MR means diffusion (Mix) in units of rows (Row), that is, (MixRow).
  • In the row diffusion operation, a matrix operation in which one matrix X_k is applied to the elements of one row of the state is performed.
  • The matrices X_k applied to the individual rows constituting the state can be set to be the same matrix or to be different matrices.
  • An arithmetic expression for calculating the state B, which is the output data, by performing the row diffusion operation on the state A, which is the input data, can be expressed as follows.
  • B = MR[X_0, X_1, ..., X_{m-1}](A)
  • This row diffusion calculation process is the process shown in the lower part of FIG.
  • FIG. Input data A is 64-bit data, and state A consists of 16 4-bit data elements.
  • The output data B is also 64-bit data, and state B consists of 16 4-bit data elements. The figure shows an example of applying the row diffusion operation MR[X_0, X_1, X_2, X_3].
  • The elements of state B calculated by the above arithmetic expression are as follows.
  • ^t(b_0 b_4 b_8 b_12) = X_0 · ^t(a_0 a_4 a_8 a_12),
  • ^t(b_1 b_5 b_9 b_13) = X_1 · ^t(a_1 a_5 a_9 a_13),
  • ^t(b_2 b_6 b_10 b_14) = X_2 · ^t(a_2 a_6 a_10 a_14),
  • ^t(b_3 b_7 b_11 b_15) = X_3 · ^t(a_3 a_7 a_11 a_15)
  • When the above arithmetic expressions are written in accordance with the actual element arrays of states A and B, the following arithmetic expressions are obtained, as shown in the lower part of FIG.
  • When a matrix operation applying the same matrix X to the elements of each row of the state is performed, it is sometimes expressed as MR[X]. That is, MR[X] and MR[X, X, ..., X] are the same calculation.
  • D(C, K_1, K_2, ..., K_r) = E(C, K_r, ..., K_2, K_1). That is, when the decryption function D can be configured as the same function as the encryption function E with only the order of application of the round keys reversed, the common key block cipher is said to have involution.
  • A common key block cipher whose decryption function D can be formed from the encryption function E only by changing the input order of the round keys has involution.
  • A Feistel type common key block cipher usually has the involution property, because it is known that the encryption function and the decryption function can be executed by the same circuit merely by reversing the order in which the round keys are used.
  • A common key block cipher with the involution property basically realizes both the encryption function and the decryption function by implementing only the encryption function, so it requires fewer circuits, can be made lightweight (miniaturized), and has high implementation efficiency.
  • The differential attack is an attack in which data having a specific difference is input to the cryptographic apparatus, data that reflects the input difference is detected in the output, and the key is estimated. Note that the propagation probability of the difference value is called the differential probability.
  • A linear attack is an attack that attempts to estimate the key by observing the correlation between the exclusive OR of specific bits of the input and the exclusive OR of specific bits of the output, and finding a strong correlation. Note that the correlation coefficient of the specific bits of input and output is called the linear probability.
  • Highly secure ciphers are ciphers that are highly resistant to various attacks as described above, that is, ciphers for which it is difficult to recover the secret information applied to cryptographic processing, such as keys.
  • Several kinds of data serving as security indices of a cryptographic algorithm are described below.
  • Branch_n(θ) = min_{α≠0} { hw_n(α) + hw_n(θ(α)) }
  • Here, min_{α≠0} { X_α } represents the minimum value of all X_α satisfying α ≠ 0,
  • and hw_n(Y) is a function that returns the number of n-bit elements that are not all 0 (non-zero elements) when the bit string Y is divided into units of n bits.
  • A mapping θ whose branch number Branch_n(θ) is b + 1 is called an optimal diffusion mapping (Optimal Diffusion Mappings).
  • An MDS matrix is a matrix in which any submatrix constituting the matrix is a regular (invertible) matrix.
  • A regular matrix is a matrix that has an inverse matrix; when the matrix is A, its inverse matrix is written A^-1.
  • an S box (S-box) that performs nonlinear transformation in units of s bits is used for the nonlinear transformation unit set in the common key block cipher.
  • S-box an S box that performs nonlinear transformation in units of s bits
  • a minimum number of differential active S-boxes included in a differential path expressing a differential connection relationship that is, a minimum differential active S-box number.
  • the difference path is a specific difference value specified for all data parts except key data in the encryption function.
  • the difference value is not freely determined, and the difference values before and after the conversion process are related to each other.
  • before and after the linear conversion process, the relationship between the input difference and the output difference is determined one-to-one.
  • before and after the nonlinear conversion, the relationship between the input difference and the output difference is not one-to-one, but the concept of probability is introduced.
  • the probability for a certain input difference and output difference can be calculated in advance. The sum of the probabilities for all outputs is 1.
  • a difference path having a probability other than 0 is a set of difference data starting from the difference value for the plaintext (input) and reaching the difference value for the ciphertext (output), in which the difference values given before and after all S-boxes have a probability other than 0.
  • an S-box of a differential path having a probability other than 0 whose input difference value is not 0 is called a differential active S-box.
  • the smallest number among the differential active S-box numbers of all differential paths having a probability other than 0 is called the minimum differential active S-box number, and this value is well known as a safety index against differential attacks.
  • the linear path is often called a linear approximation, but the term “path” is used here in order to correspond to the difference.
  • the linear path is a path in which a specific linear mask value is designated for all data portions except key data in the encryption function.
  • the linear mask value is not freely determined, and the linear mask values before and after the conversion process are related to each other. Before and after the linear conversion process, the relationship between the input linear mask value and the output linear mask value is determined one-to-one.
  • before and after the nonlinear conversion, the relationship between the input linear mask value and the output linear mask value is not determined one-to-one, but the concept of probability is introduced.
  • For an input linear mask value there is a set of one or more linear mask values that can be output, and the probability that each will be output can be calculated in advance. The sum of the probabilities for all outputs is 1.
  • a linear path having a probability other than 0 is a set of linear mask value data starting from a linear mask value for plaintext (input) and reaching a linear mask value for ciphertext (output), in which the linear mask values given before and after the S-boxes have a probability other than 0.
  • an S-box of a linear path having a probability other than 0 whose input linear mask value is not 0 is referred to as a linear active S-box.
  • the smallest number among the linear active S-box numbers of all linear paths having a probability other than 0 is called the minimum linear active S-box number, and this number is a safety index against linear attacks.
  • the cryptographic processing device of the present disclosure described below is a device that executes a common key block cipher (block cipher), and is a device that has a Substitution-Permutation Network (SPN) structure round function.
  • the cryptographic processing apparatus 100 includes a key schedule unit 110 and a cryptographic processing unit 120.
  • the key schedule unit 110 receives the secret key K and outputs a round key to be applied in each round of the encryption processing unit 120 according to a predetermined key generation algorithm.
  • the cryptographic processing unit 120 receives the round key from the key scheduling unit 110, converts the plaintext P data, and outputs the ciphertext C.
  • the encryption processing unit 120 can also execute a decryption process in which the ciphertext C is input and the plaintext P is output. When executing the decryption process, a process in which the round keys supplied from the key schedule unit 110 are applied in the reverse order of the encryption process is executed.
  • the encryption processing unit 120 has: an exclusive OR unit 121 that performs an exclusive OR operation between the input data and the round key; a non-linear transformation unit 122 that performs non-linear transformation processing on input data; and a linear transformation unit 123 that performs linear transformation processing on input data.
  • the cryptographic processing unit 120 of the cryptographic processing device 100 of the present disclosure has a configuration in which the three different data conversion processes of the exclusive OR unit 121, the nonlinear conversion unit 122, and the linear conversion unit 123 are repeatedly executed.
  • the plaintext P as input data and the ciphertext C as output data are the state expression data described above, that is, 64-bit data composed of 4 × 4 = 16 elements of 4 bits each. Note that the round key input from the key schedule unit 110 is also 64-bit data expressed as a state consisting of 16 4-bit data elements.
  • the non-linear conversion process executed in the non-linear conversion unit of the cryptographic processing unit 120 is executed using a plurality of S boxes (S-boxes) as shown in FIG. 22 (1), for example.
  • the linear transformation process performed in the linear transformation part of the encryption processing part 120 is performed as a matrix calculation process as shown, for example in FIG. 22 (2).
  • the cryptographic processing unit 120 of the cryptographic processing device 100 has a configuration in which an exclusive OR operation with a round key, a non-linear conversion, and a linear conversion process are repeatedly executed for a plurality of rounds.
  • One of the features of the cryptographic processing apparatus according to the present disclosure is that the linear conversion process executed in each round is executed as a different process for each round.
  • details of the linear conversion processing executed by the cryptographic processing device according to the present disclosure will be described.
  • FIG. 23 is a diagram illustrating a configuration example of a different linear conversion unit included in the cryptographic processing unit of the cryptographic processing device according to the present disclosure.
  • the configuration diagram of FIG. 23 is a configuration diagram in which the exclusive OR unit is omitted.
  • the three different linear conversion units, linear conversion unit P1 201, linear conversion unit P2 202, and linear conversion unit P3 203, are configured so that one of these three different linear conversion processes is executed in each round, and are set so that a different linear conversion process is performed in successive rounds, without the same linear conversion process continuing.
  • the above four different matrices M0 to M3 are used in combination.
  • the above four matrices are non-MDS matrices, that is, they are not the above-described MDS (Maximum Distance Separable) matrix.
  • FIG. 24 (2) is a diagram illustrating a specific matrix calculation mode of the linear conversion processes P1 to P3.
  • a 4 × 4 rectangle shown in FIG. 24 (2) indicates a state composed of 16 elements each having 4 bits for a linear conversion process. That is, it is a 64-bit 4 × 4 state.
  • a matrix operation using a combination of the matrices M0 to M3 is executed on the 4 × 4 state input data.
  • the linear transformation process P1 performs, for each column element of the 4 × 4 state input data, a matrix operation applying the one matrix M0 to each column. This is the column diffusion operation (MixColumn) described above with reference to FIGS.
  • the linear transformation process P1 is the column diffusion calculation (MC) shown by the formula MC[M0].
  • MC[M0] is an expression indicating a matrix operation in which the same matrix M0 is applied to each column of the state, and it has the same meaning as MC[M0, M0, M0, M0], the expression individually indicating the matrix to be applied to each column of the state.
  • the linear transformation process P2 is the row diffusion operation (MixRow) represented by the formula MR[M0, M1, M2, M3].
  • the linear conversion process P3 will be described. Similarly to the linear conversion process P2, the linear conversion process P3 performs a matrix operation in which a different matrix is applied to each row element of the 4 × 4 state input data, as shown in FIG. 24 (2). Unlike the linear transformation process P2, the linear transformation process P3 executes a matrix operation that applies the following matrices to the first to fourth rows: first row: application matrix M2; second row: application matrix M0; third row: application matrix M1; fourth row: application matrix M3. This is the row diffusion operation (MixRow) described above with reference to FIGS.
  • the linear transformation process P2 is called row diffusion calculation type 1 (MixRow1), and the linear transformation process P3 is called row diffusion calculation type 2 (MixRow2).
  • the linear transformation process P1 is a column diffusion calculation (MixColumn).
  • FIG. 25 is a diagram for explaining a specific calculation process example of the linear conversion process P1, that is, the column diffusion calculation (MixColumn).
  • Input A is a state composed of 16 elements a0 to a15 of n-bit data.
  • the output B is also a state composed of 16 elements b0 to b15 of n-bit data.
  • in this example, n = 4, each element has 4-bit data, and both input A and output B are 64 bits.
  • FIG. 25 (2) shows a specific calculation process example of the linear conversion process P1, that is, the column diffusion calculation (MixColumn).
  • the column diffusion operation (MixColumn) performed as the linear transformation process P1 is a matrix operation according to the following equation.
  • the 16 elements b0 to b15 of the output B are calculated by the following calculation based on the matrix M0 and the 16 elements a0 to a15 of the input A.
  • b0 = a1 (+) a2 (+) a3
  • b1 = a0 (+) a2 (+) a3
  • b2 = a0 (+) a1 (+) a3
  • b3 = a0 (+) a1 (+) a2
  • b4 = a5 (+) a6 (+) a7
  • b5 = a4 (+) a6 (+) a7
  • b6 = a4 (+) a5 (+) a7
  • b7 = a4 (+) a5 (+) a6
  • b8 = a9 (+) a10 (+) a11
  • b9 = a8 (+) a10 (+) a11
  • b 10 a 8 (+) a 9 (+) a 9 (+) a 10 (+
  • the column diffusion calculation (MixColumn) performed as the linear conversion process P1 calculates the 16 elements b0 to b15 of the output B from the matrix M0 and the 16 elements a0 to a15 of the input A according to the calculation process described above.
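The branch number defined earlier can be computed for the matrix that the MixColumn equations for b0 to b3 imply. The following Python code is an added example, not part of the patent text; it assumes that b in "b + 1" is the number of n-bit output elements (here 4), and the difference state it uses is constructed.

```python
from itertools import product

# M0 as implied by the page's MixColumn equations for the first column:
#   b0 = a1 (+) a2 (+) a3,  b1 = a0 (+) a2 (+) a3,
#   b2 = a0 (+) a1 (+) a3,  b3 = a0 (+) a1 (+) a2
M0 = [
    [0, 1, 1, 1],
    [1, 0, 1, 1],
    [1, 1, 0, 1],
    [1, 1, 1, 0],
]


def apply_binary_matrix(matrix, elements):
    """Multiply a 0/1 matrix by a vector of n-bit elements; addition is XOR."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, elem in zip(row, elements):
            if coeff:
                acc ^= elem
        out.append(acc)
    return out


def hw(elements):
    """hw_n: the number of non-zero n-bit elements."""
    return sum(1 for e in elements if e != 0)


def branch_number(matrix, n_bits=4):
    """Branch_n = min over non-zero inputs of hw_n(input) + hw_n(output)."""
    best = None
    for alpha in product(range(1 << n_bits), repeat=len(matrix[0])):
        if not any(alpha):
            continue  # the definition excludes the all-zero input
        weight = hw(alpha) + hw(apply_binary_matrix(matrix, alpha))
        if best is None or weight < best:
            best = weight
    return best


def is_optimal_diffusion(matrix, n_bits=4):
    # Assumption: b is the number of n-bit output elements of the mapping.
    return branch_number(matrix, n_bits) == len(matrix) + 1


def mix_column(state, matrix=M0):
    """Apply the same matrix to each column a[4j..4j+3] of a 16-element state."""
    out = []
    for j in range(4):
        out.extend(apply_binary_matrix(matrix, state[4 * j:4 * j + 4]))
    return out


if __name__ == "__main__":
    # Constructed difference state: a single active element in column 0.
    delta = [0x9] + [0] * 15
    print("Branch_4(M0) =", branch_number(M0))
    print("optimal diffusion mapping:", is_optimal_diffusion(M0))
    print("active elements after MixColumn:", hw(mix_column(delta)))
```

The branch number comes out one below the optimal value b + 1, which is what the description means by calling the matrices non-MDS.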
  • FIG. 26 is a diagram for explaining a specific calculation process example of the linear conversion process P2, that is, the row diffusion calculation type 1 (MixRow1).
  • Input A is a state composed of 16 elements a0 to a15 of n-bit data.
  • the output B is also a state composed of 16 elements b0 to b15 of n-bit data.
  • in this example, n = 4, each element has 4-bit data, and both input A and output B are 64 bits.
  • FIG. 26 (2) shows a specific calculation process example of the linear conversion process P2, that is, the row diffusion calculation type 1 (MixRow1).
  • the row diffusion calculation type 1 (MixRow1) performed as the linear transformation process P2 is a matrix calculation according to the following equation.
  • the 16 elements b0 to b15 of the output B are calculated by the following calculation based on the matrices M0, M1, M2, and M3 and the 16 elements a0 to a15 of the input A.
  • b0 = a4 (+) a8 (+) a12
  • b1 = a1 (+) a5 (+) a13
  • b2 = a2 (+) a6 (+) a10
  • b3 = a3 (+) a11 (+) a15
  • b4 = a0 (+) a8 (+) a12
  • b5 = a1 (+) a5 (+) a9
  • b6 = a2 (+) a6 (+) a14
  • b7 = a7 (+) a11 (+) a15
  • b8 = a0 (+) a4 (+) a12
  • b9 = a5 (+) a9 (+) a13
  • b10 = a2 (+) a10 (+) a14
  • b11 = a3 (+) a7 (+) a11
  • b12 = a0 (+) a4 (+) a12
  • b9 = a5 (+) a9 (+) a13
  • the row diffusion calculation type 1 (MixRow1) performed as the linear conversion process P2 calculates the 16 elements b0 to b15 of the output B from the matrices M0, M1, M2, M3 and the 16 elements a0 to a15 of the input A according to the above calculation process.
  • FIG. 27 is a diagram for explaining a specific calculation example of the linear conversion process P3, that is, the row diffusion calculation type 2 (MixRow2).
  • Input A is a state composed of 16 elements a0 to a15 of n-bit data.
  • the output B is also a state composed of 16 elements b0 to b15 of n-bit data.
  • in this example, n = 4, each element has 4-bit data, and both input A and output B are 64 bits.
  • FIG. 27 (2) shows a specific calculation process example of the linear conversion process P3, that is, the row diffusion calculation type 2 (MixRow2).
  • the row diffusion calculation type 2 (MixRow2) performed as the linear conversion process P3 is a matrix calculation according to the following equation.
  • the 16 elements b0 to b15 of the output B are calculated by the following calculation based on the matrices M0, M1, M2, and M3 and the 16 elements a0 to a15 of the input A.
  • b0 = a0 (+) a4 (+) a8
  • b1 = a5 (+) a9 (+) a13
  • b2 = a2 (+) a6 (+) a14
  • b3 = a3 (+) a11 (+) a15
  • b4 = a0 (+) a4 (+) a12
  • b5 = a1 (+) a9 (+) a13
  • b6 = a2 (+) a6 (+) a10
  • b7 = a7 (+) a11 (+) a15
  • b8 = a0 (+) a8 (+) a12
  • b9 = a1 (+) a5 (+) a13
  • b10 = a6 (+) a10 (+) a14
  • b11 = a3 (+) a7 (+) a11
  • the row diffusion calculation type 2 (MixRow2) performed as the linear conversion process P3 calculates the 16 elements b0 to b15 of the output B from the matrices M0, M1, M2, M3 and the 16 elements a0 to a15 of the input A according to the calculation process.
  • the number of active S boxes was verified for the cryptographic processing device of the present disclosure, that is, the cryptographic processing device that executes three different types of linear transformation processing P1 to P3, and for the conventional type of cryptographic processing device that repeatedly executes a single type of linear transformation processing.
  • the cryptographic processing device of the present disclosure has a configuration in which three types of linear conversion processing are used in the cryptographic processing sequence, and these are switched and executed for each round.
  • the exclusive OR operation unit with the round key is omitted.
  • the number of non-linear conversion units is the number of rounds.
  • seven round keys RK1 to RK7 are applied. However, since there are six layers of non-linear conversion units, the encryption processing apparatus is regarded as having six rounds.
  • the linear transformation process P1 is a column diffusion operation (MixColumn) applying the matrix M0.
  • the linear transformation process P2 is a row diffusion calculation type 1 (MixRow1) to which the matrices M0, M1, M2, and M3 are applied.
  • the linear transformation process P3 is a row diffusion calculation type 2 (MixRow2) to which the matrices M0, M1, M2, and M3 are applied.
  • FIG. 29 shows an example of a cryptographic processing apparatus that executes a conventional single linear conversion process for the cryptographic processing apparatus shown in FIG.
  • the cryptographic processing apparatus shown in FIG. 29 also has a 6-round configuration, but the linear conversion processing in each round is configured to perform the same linear conversion processing.
  • Both the configurations of FIG. 28 and FIG. 29 are settings for executing the encryption process on the 64-bit input plaintext P and outputting the 64-bit ciphertext C.
  • the S box is set in each nonlinear conversion unit, and each S box is configured to execute a 4-bit input / output nonlinear conversion as described above with reference to FIG.
  • FIG. 30 shows the result of counting the minimum number of differential / linear active S boxes for cryptographic processing apparatuses configured with different round numbers from 4 to 24 rounds.
  • the number of active S-boxes is 4, the same value, in both the conventional configuration in which the same linear conversion unit is repeatedly executed and the configuration in which the different linear conversion processing of the present disclosure is executed. In all cases (except 8), the number of active S boxes is larger in the configuration in which the different linear transformation processing of the present disclosure is performed. This result is shown as a graph in FIG.
  • the input data is a state composed of 4 × 4 elements each having 4 bits
  • the linear conversion unit uses four types of matrices M0, M1, M2, and M3.
  • the configuration for executing the linear transformation process by the matrix operation has been described. However, when the above process is generalized, the following setting is made.
  • the linear conversion unit performs, in the round operation, one of two matrix operations: a column diffusion operation that performs linear transformation by applying a matrix in units of each column element of the state, or a row diffusion operation that performs linear transformation by applying a matrix in units of each row element of the state.
  • the linear conversion unit is configured to execute linear conversion processing by matrix operation using a plurality of types of matrices M0 to Mk (k is an integer of 1 or more), and switches, according to the round transition, between a column diffusion operation that performs linear transformation by applying a selection matrix selected from the matrices M0 to Mk to each column in a specific order in units of each column element of the state, and a row diffusion operation that performs linear transformation by applying a selection matrix selected from the matrices M0 to Mk to each row in a specific order in units of each row element of the state.
  • An example of a specific linear transformation processing configuration is, for example, the following configuration.
  • (A) a column diffusion operation that performs linear transformation by applying a selection matrix selected from the matrices M0 to Mk to each column in a specific order for each column element of the state;
  • (B) a row diffusion operation type 1 that performs linear transformation by applying a selection matrix selected from the matrices M0 to Mk to each row in a specific order A for each row element of the state;
  • (C) a row diffusion operation type 2 for performing linear transformation by applying a selection matrix selected from the matrices M0 to Mk in each row element unit of the state to each row in an order B different from the specific order A.
  • a cryptographic processing apparatus that executes these by switching according to round transition.
  • (A) a column diffusion operation for performing linear transformation by applying a selection matrix selected from the matrices M0 to Mk to each row in a specific order for each row element of the state
  • (B) a row diffusion operation type 1 that performs linear transformation by applying a selection matrix selected from the matrices M0 to Mk to each column in a specific order A for each column element of the state
  • (C) a row diffusion operation type 2 for performing linear transformation by applying a selection matrix selected from the matrices M0 to Mk to each column in an order B different from the specific order A in units of column elements of the state,
  • a cryptographic processing apparatus that executes these by switching according to round transition.
  • the linear conversion unit is configured to execute linear conversion processing by matrix calculation using four types of matrices M0, M1, M2, and M3.
  • (A) a column diffusion operation for performing linear transformation by applying the matrix M0 in units of column elements of the state
  • (B) a row diffusion operation type 1 that performs linear transformation by applying each matrix in the order of the matrices M0, M1, M2, and M3 in units of each row element of the state
  • (C) a row diffusion operation type 2 that performs linear transformation by applying each matrix in a different order from the type 1 for each row element of the state
  • a cryptographic processing apparatus that switches and executes the three types of matrix operations in accordance with a round transition.
  • the combination of the matrix applied in units of each row element of the state in the row diffusion calculation type 1 and the matrix applied in units of each row element of the state in the row diffusion calculation type 2 is such that, for any two rows of the state, the total of four matrices, that is, the two matrices applied in type 1 and the two matrices applied in type 2, is composed of at least three types of matrices.
  • the matrices applied to the rows of the 4 × 4 state, first to fourth rows: M1, M3, M0, M2
  • the matrices applied to the rows of the 4 × 4 state, first to fourth rows: M0, M2, M3, M1
  • for any two rows of the 4 × 4 state, the total of four matrices, that is, the two matrices applied in type 1 and the two matrices applied in type 2, is a combination composed of at least three types of matrices.
  • with the above setting, for any other combination of two rows as well, the total of four matrices, that is, the two matrices applied in type 1 and the two matrices applied in type 2, is a combination composed of at least three types of matrices.
  • the linear conversion unit is configured to execute linear conversion processing by matrix calculation using four types of matrices M0, M1, M2, and M3.
  • (A) a row diffusion operation for performing linear transformation by applying the matrix M0 for each row element of the state;
  • (B) a column diffusion operation type 1 that performs linear transformation by applying each matrix in the order of matrices M0, M1, M2, and M3 in units of column elements of the state;
  • (C) a column diffusion operation type 2 for performing linear transformation by applying each matrix in an order different from type 1 for each column element of the state;
  • a cryptographic processing apparatus that switches and executes the three types of matrix operations in accordance with a round transition.
  • the combination of the matrix applied in units of each column element of the state in the row diffusion calculation type 1 and the matrix applied in units of each column element of the state in the row diffusion calculation type 2 is an arbitrary state. Assume that a total of four matrices including two matrices applied in type 1 and two matrices applied in type 2 for two columns are composed of at least three types of matrices.
  • the cryptographic processing apparatus 100 includes the key schedule unit 110 and the cryptographic processing unit 120.
  • the key schedule unit 110 generates a round key to be applied in each round of the cryptographic processing unit 120 according to a predetermined key generation algorithm based on the secret key K, for example, and outputs the round key to the cryptographic processing unit 120.
  • the cryptographic processing unit 120 receives the round key from the key scheduling unit 110, converts the plaintext P data, and outputs the ciphertext C. Note that the same processing is performed in the decoding processing.
  • the configuration and processing of the key schedule unit 110 that executes the round key generation and supply processing will be described.
  • FIG. 32 is a diagram illustrating a configuration example of a key schedule unit in the cryptographic processing device according to the present disclosure.
  • the key scheduling part 300 includes a key supply unit (key register) 301 as a storage unit for storing a secret key K1.
  • the key schedule unit 300 outputs the key K1 to the exclusive OR unit (round key calculation unit) 321 of the first round of the cryptographic processing unit 320. That is, the key K1 is used as the round key for the first round.
  • the key scheduling part 300 inputs the key K1 to the key conversion unit 302a.
  • the key conversion unit 302a generates a conversion key Kd1 by executing a predetermined operation on the key K1. Further, the conversion key Kd1 generated by the key conversion unit 302a is output to the exclusive OR unit (round key calculation unit) 322 of the second round of the encryption processing unit 320. That is, the conversion key Kd1 is used as the round key for the second round.
  • the key scheduling part 300 inputs the conversion key Kd1 to the key conversion unit 302b.
  • the key conversion unit 302b generates the key K1 by performing a predetermined operation on the conversion key Kd1.
  • This key K1 is the same key as the key K1 that is the generation source of the conversion key Kd1.
  • the key schedule unit 300 outputs the key K1 generated by the key conversion unit 302b to the third round exclusive OR unit (round key calculation unit) 323 of the encryption processing unit 320. That is, the key K1 is used as the round key for the third round.
  • in the key conversion units 302c to 302f, the key K1 and the conversion key Kd1 are alternately generated, and the generated keys are output to the exclusive OR units 324 to 327 of the encryption processing unit.
  • All of the key conversion units 302a to 302f execute the same calculation. That is, by the same arithmetic processing, the conversion key Kd1 is generated from the key K1, and the key K1 is generated from the conversion key Kd1.
  • FIG. 33 shows the key K1 described in FIG. 32 as the base key K and the conversion key Kd1 as the conversion key Kd.
  • Each key shown in FIG. 33 is expressed as a 4 × 4 state of 16 4-bit elements. That is, both are 64-bit key data.
  • FIG. 34 is a diagram for explaining processing for generating the conversion key Kd from the base key K.
  • the process of generating the conversion key Kd from the base key K is configured by the following two steps.
  • (S1) An intermediate key S is generated by applying the intermediate key generation column diffusion operation (MixColumn_KSF()) to the base key K.
  • (S2) The conversion key Kd is generated by applying the conversion key generation row diffusion operation (MixRow_KSF()) to the intermediate key S.
  • the column diffusion operation (MixColumn) executed in step S1 and the row diffusion operation (MixRow) executed in step S2 are matrix application operations similar to those described above with reference to FIGS. However, the matrix MD applied in this key conversion processing is the matrix shown below.
  • The matrix MD shown above is a matrix called a Hadamard MDS matrix.
  • the MDS matrix is a matrix in which an arbitrary small matrix (submatrix) constituting the matrix is a regular matrix.
  • a regular matrix is a matrix having an inverse matrix, where the matrix is A and the inverse matrix is A^-1.
  • a matrix A having an inverse matrix A^-1 in which the above equation holds is a regular matrix.
  • the mapping θ in which the branch number Branch(θ) is b + 1 is called an optimal diffusion transformation
  • the MDS matrix is a matrix that performs the optimum diffusion transformation.
  • the Hadamard MDS matrix MD is applied to perform the column diffusion operation in step S1 shown in FIG. 34 and the row diffusion operation in step S2.
  • the column diffusion calculation in step S1 is represented by the following calculation expression.
  • MC[MD] = MC[MD, MD, MD, MD]
  • the row diffusion calculation in step S2 is expressed by the following calculation expression.
  • MR[MD] = MR[MD, MD, MD, MD]
  • the column diffusion operation in step S1 executes, on all four columns of the 4 × 4 state representation data consisting of 4-bit elements, a matrix operation applying the same Hadamard MDS matrix MD.
  • the row diffusion operation in step S2 executes, on all four rows of the 4 × 4 state representation data consisting of 4-bit elements, a matrix operation applying the same Hadamard MDS matrix MD.
  • the column diffusion operation MC[MD] in step S1 shown in FIG. 34 is a matrix operation according to the following equation.
  • the row diffusion operation MR[MD] in step S2 shown in FIG. 34 is a matrix operation according to the following equation.
  • the key conversion unit 302 of the key scheduling part 300 shown in FIG. 32 executes the column diffusion operation MC[MD] applying the matrix MD in step S1 shown in FIG. 34, and executes the row diffusion operation MR[MD] applying the matrix MD in step S2.
  • the conversion key Kd is generated from the base key K by continuously executing these two matrix operations.
  • the function G composed of continuous processing of the column diffusion operation MC[MD] and the row diffusion operation MR[MD] has the involution property: since the forward function G and the backward function G^-1 are the same, the original value is obtained by applying the function twice.
  • by executing the column diffusion operation MC[MD] applying the matrix MD and the row diffusion operation MR[MD] applying the matrix MD, the key conversion unit 302 lets all components of the 4 × 4 state of the input data, that is, all 16 components, affect all 16 components of the output data. That is, data diffusion is performed between all elements in the input / output state.
  • Such a data conversion mode is defined as “full diffusion conversion” or diffusion having full diffusion properties.
  • the input and output are states each consisting of 16 n-bit elements, and a conversion function f to be applied to the input is assumed.
  • B = f(A)
  • the output state B is set to be calculated according to the above formula.
  • Input state A = (a0, a1, a2, ..., a15)
  • Output state B = (b0, b1, b2, ..., b15)
  • a_i and b_i are elements of states A and B.
  • the execution function G of the key conversion unit 302 is a function having the following two properties: (1) the full diffusion property that realizes full diffusion conversion, and (2) the involution property in which the forward function G and the backward function G^-1 are the same.
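The two properties of G stated above can be checked directly. The following Python code is an added example, not code from the patent: because the matrix MD is not reproduced on this page, it assumes the Hadamard matrix had(1, 2, 4, 6) over GF(2^4) with reduction polynomial x^4 + x + 1, and the base key K is a constructed sample.

```python
# ASSUMPTION: MD and the field polynomial are not given on the page; this uses
# the Hadamard matrix had(1, 2, 4, 6) over GF(2^4) modulo x^4 + x + 1.
POLY = 0x13                       # x^4 + x + 1 (assumed)
H = (0x1, 0x2, 0x4, 0x6)          # first row of the assumed matrix
MD = [[H[i ^ j] for j in range(4)] for i in range(4)]  # Hadamard form


def gf16_mul(a, b):
    """Multiply two 4-bit elements in GF(2^4) modulo POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x10:
            a ^= POLY
        b >>= 1
    return result


def mat_vec(matrix, vec):
    """Matrix-vector product over GF(2^4); addition is XOR."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, elem in zip(row, vec):
            acc ^= gf16_mul(coeff, elem)
        out.append(acc)
    return out


def mix_column(state, matrix):
    """MC[M]: apply M to each column a[4j..4j+3] of the 16-element state."""
    out = [0] * 16
    for j in range(4):
        out[4 * j:4 * j + 4] = mat_vec(matrix, state[4 * j:4 * j + 4])
    return out


def mix_row(state, matrix):
    """MR[M]: apply M to each row a[i], a[i+4], a[i+8], a[i+12]."""
    out = [0] * 16
    for i in range(4):
        out[i::4] = mat_vec(matrix, state[i::4])
    return out


def G(state):
    """Key conversion: step S1 (column diffusion) then step S2 (row diffusion)."""
    return mix_row(mix_column(state, MD), MD)


def single_element_states():
    """All states with exactly one non-zero element; they span the state space."""
    for pos in range(16):
        for val in range(1, 16):
            state = [0] * 16
            state[pos] = val
            yield state


def is_involution(f):
    # f is linear over GF(2), so these spanning states cover every input.
    return all(f(f(s)) == s for s in single_element_states())


def min_affected_outputs(f):
    """Fewest output elements changed by a change in one input element."""
    return min(sum(1 for e in f(s) if e) for s in single_element_states())


def round_keys(base_key, count):
    """K, Kd, K, Kd, ...: each key conversion unit applies the same G."""
    keys = [list(base_key)]
    while len(keys) < count:
        keys.append(G(keys[-1]))
    return keys


# Constructed sample base key K (16 four-bit elements); not from the patent.
K = [0x3, 0x1, 0x4, 0x1, 0x5, 0x9, 0x2, 0x6,
     0x5, 0x3, 0x5, 0x8, 0x9, 0x7, 0x9, 0x3]

if __name__ == "__main__":
    print("involution:", is_involution(G))
    print("outputs reached by MC[MD] alone:",
          min_affected_outputs(lambda s: mix_column(s, MD)))
    print("outputs reached by G:", min_affected_outputs(G))
    for r, rk in enumerate(round_keys(K, 7), start=1):
        print("round", r, "".join("%x" % e for e in rk))
```

The column operation alone reaches only the four elements of one column; it is the composition with the row operation that gives full diffusion, while the seven round keys alternate between K and Kd.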
  • the base key K is input to the exclusive OR unit 331 of the encryption processing unit, and an exclusive OR operation with the input state A is performed. Thereafter, the nonlinear / linear conversion unit (S & P) 332 performs nonlinear conversion processing and linear conversion processing. Further, an exclusive OR operation with the conversion key Kd is executed in the exclusive OR operation unit 333 for the output. The output of the exclusive OR operation unit 333 is set to state B.
  • This property can be said to be a property that contributes to the safety and implementation performance of the cryptographic processing device. Specifically, improvement of data diffusibility by a key is realized, and high diffusion performance can be exhibited even if the number of rounds is reduced. As a result, it is possible to increase resistance to various attacks. For example, it is possible to further improve resistance to key analysis processing based on an intermediate value matching attack using key dependency.
  • the diffusion performance of the data to be converted in the encryption processing unit is improved, and secure cryptographic processing with high resistance to various attacks, such as key analysis, is realized with a smaller number of rounds.
  • FIG. (1) Cryptographic processing configuration in which the same round key is applied without performing key conversion in each round
  • 2 3 shows an example of one encryption processing configuration.
  • the box G shown in FIG. 36 (2) corresponds to the key conversion unit 302 shown in FIG.
  • the number of rounds necessary for spreading the configuration information (bit string) of the applied key to all the bits of the input plaintext P that is the conversion target data is (Full diffusion).
  • R the round function
  • the configuration information (bit string) of the applied key is diffused (Full diffusion) to all the bits of the input plaintext P that is the conversion target data.
  • The required number of rounds is the number of rounds in which two base keys K1 and two conversion keys Kd1 are used. In the example shown in the figure, this is one round.
  • When the processing of the present disclosure is applied, diffusion of the configuration information of the key data into the conversion target data is realized in one round, and greater diffusion performance is guaranteed without depending on the processing of the round function (R). That is, secure cryptographic processing with high resistance to attacks is realized with a small number of rounds. As a result, high-speed processing and weight reduction are realized.
  • The key conversion unit 302 of the key schedule unit 300 of the present disclosure has the involution property: the forward function G and the backward function G^-1 are realized by the same function. The effect of this involution property is described below.
  • the cryptographic processing unit includes a number of round function execution units corresponding to the specified number of rounds as hardware.
  • the effect of the involution property of the key conversion unit of the present disclosure when the cryptographic processing unit is unrolled-mounted will be described.
  • FIG. 37 and FIG. 38 show implementation examples of the following cryptographic processing apparatuses.
  • FIG. 37 (1): hardware implementation example when the key conversion unit (F) does not have the involution property.
  • FIGS. 38 (2a) and (2b): hardware implementation examples when the key conversion unit (G) has the involution property.
  • the example shown in FIG. 38 (2a) is for generating an input key (round key) for the exclusive OR part (round key operation part) of the encryption processing part, similarly to the hardware configuration shown in FIG. 37 (1).
  • the key conversion unit G is set in association with each round.
  • In FIG. 38 (2b), only one key conversion unit G is provided, and the base key K1 held in advance and the conversion key Kd1 generated by the key conversion unit G are input alternately to the exclusive OR unit (round key operation unit) of the cryptographic processing unit.
  • The keys generated by repeating the conversion process of the key conversion unit repeat in the pattern K1, Kd1, K1, Kd1, K1.
  • The base key K1 and the conversion key Kd1, produced by a single key conversion process of the key conversion unit G, can be input alternately to the exclusive OR unit (round key operation unit) of the encryption processing unit.
  • the number of key conversion units G can be reduced to one, and the weight reduction (miniaturization) of hardware mounting is realized.
  • FIG. 39 shows a configuration example of a cryptographic processing apparatus corresponding to the configuration shown in FIG. 38 (2b).
  • The key schedule unit 300 has only one key conversion unit (G) 302, and the base key K1 held in advance and the conversion key Kd1 generated by the key conversion unit G can be input alternately to each exclusive OR unit (round key operation unit) of the encryption processing unit 320.
  • FIG. 40 shows (a1) cryptographic processing configuration and (a2) round implementation example when the key conversion unit does not have involution property.
  • FIG. 41 shows (b1) encryption processing configuration and (b2) round implementation example when the key conversion unit has involution property.
  • The encryption processing configuration shown in FIG. 40 (a1) is the same as the configuration described above with reference to FIG. That is, since the key conversion unit F does not have the involution property, the keys obtained as conversion results by the key conversion unit F are successively different keys. As shown in FIG. 40 (a1), Kd1, Kd2, Kd3, Kd4, Kd5, and Kd6 are generated in sequence from the key K1 by the conversion process of the key conversion unit F, and these keys are input sequentially, as round keys, to the exclusive OR unit (round key operation unit) of the cryptographic processing unit.
  • the cryptographic processing unit 350 can be configured with one exclusive OR unit (round key calculation unit) 351 and one nonlinear / linear conversion unit 352.
  • The key schedule unit 360 includes a key register 361 for storing and supplying the base key K1, a key register 362 for storing and supplying the conversion keys Kd1 to Kd6, a key conversion unit (F) 363, and a switch 364 that switches between the outputs of the key registers 361 and 362.
  • The cryptographic processing configuration shown in FIG. 41 (b1) is similar to the configuration described above with reference to FIG. 38 (2b): a cryptographic processing configuration in which the key conversion unit G has the involution property. Because the key conversion unit G has the involution property, the keys generated by repeating its conversion process repeat as K1, Kd1, K1, Kd1, K1, and so on. Based on this property, a single key conversion unit G, as shown in FIG. 41 (b1), makes it possible to input the base key K1 and the conversion key Kd1, produced by a single key conversion process of the key conversion unit G, alternately to the exclusive OR unit (round key operation unit) of the encryption processing unit.
  • the cryptographic processing unit 350 can be configured with one exclusive OR unit (round key calculation unit) 351 and one nonlinear / linear conversion unit 352.
  • the key schedule unit 370 includes a key register 371 that stores and supplies the base key K 1 and the conversion key Kd 1 and a key conversion unit (G) 372.
  • The key schedule unit 360 requires two key registers, one key conversion unit, and one switch.
  • The key schedule unit 370, the round implementation configuration when the key conversion unit (G) has the involution property illustrated in FIG. 41 (b2), consists of one key register and one key conversion unit, which shows that weight reduction (miniaturization) of the hardware configuration is realized.
  • A key register for sequentially generating, storing, and supplying a plurality of different conversion keys, and a new hardware circuit corresponding to the number of gates for the key register, are required.
  • The key conversion unit of the key schedule unit configured in the cryptographic processing device of the present disclosure has the following two characteristics: (1) the full diffusion property, which realizes full diffusion conversion, and (2) the involution property, in which the forward function G and the backward function G^-1 are the same.
  • FIG. 42 is a diagram illustrating a configuration example of an encryption processing apparatus including a key schedule unit 380 having a key conversion unit having the above-described two characteristics.
  • the cryptographic processing apparatus shown in FIG. 42 includes a key schedule unit 380 and a cryptographic processing unit 385.
  • the key register 381 of the key schedule unit 380 stores a secret key K generated in advance.
  • The secret key K is the concatenation of the key K1 and the key K2.
  • The keys K1 and K2 are 64-bit keys, and their concatenation, the secret key K, is 128-bit data.
  • G shown in the figure is a key conversion unit that, like the key conversion unit 302 described above with reference to FIG., performs key conversion processing by applying a function G having the two characteristics of full diffusion and involution.
  • The key schedule unit 380 shown in FIG. 42 sequentially outputs the keys K1 and K2, which are the divided data of the secret key K stored in the key register 381, and the conversion keys Kd1 and Kd2, obtained by converting these keys in the key conversion unit (G), to the exclusive OR units (round key operation units) of the encryption processing unit 385.
  • The keys K1 and K2 are 64-bit keys, and the plaintext P to be converted by the encryption processing unit 385 is also 64-bit data.
  • The output order of the keys is as follows: key K1, key K2, conversion key Kd1, conversion key Kd2, key K1, key K2, conversion key Kd1. In this order, four types of keys are input to the encryption processing unit 385. Various settings can be made for the key input order.
  • FIG. 42 shows a plurality of key conversion units (G), but a configuration with only one key conversion unit (G) is also possible.
  • FIG. 43 shows the following figures.
  • (a) Configuration of the key schedule unit
  • (b) Key output configuration of the key schedule unit
  • a secret key K generated in advance is stored in the key register 391 of the key schedule unit.
  • The secret key K is the concatenation of the key K1 and the key K2.
  • The keys K1 and K2 are 64-bit keys, and their concatenation, the secret key K, is 128-bit data.
  • The key schedule unit shown in FIG. 43 (a) includes a key conversion unit G 393 and exclusive OR units 392 and 394. Like the key conversion unit 302 described above with reference to FIG. 32 and subsequent drawings, the key conversion unit G 393 performs key conversion processing using a function G having the two characteristics of full diffusion and involution.
  • Based on these components, the key schedule unit shown in FIG. 43 (a) generates the following six types of keys: key K1, key K2, conversion key Kd1, conversion key Kd2, exclusive OR key K1 (+) K2, and exclusive OR conversion key Kd1 (+) Kd2. It sequentially outputs these six types of keys to the encryption processing unit.
  • the plaintext P to be converted by the encryption processing unit is also 64-bit data.
  • The key output order is as follows: key K1, key K2, conversion key Kd1, conversion key Kd2, exclusive OR key K1 (+) K2, exclusive OR conversion key Kd1 (+) Kd2, exclusive OR key K1 (+) K2, exclusive OR conversion key Kd1 (+) Kd2, exclusive OR key K1 (+) K2, conversion key Kd2, conversion key Kd1, key K2, key K1. In this order, six types of keys are input to the encryption processing unit.
  • This key input sequence is identical when read in reverse order. Consequently, the key input order in the encryption process that generates the ciphertext C from the plaintext P and the key input order in the decryption process that generates the plaintext P from the ciphertext C can be the same. The hardware and programs used for encryption and decryption can therefore be shared, which contributes to weight reduction (downsizing) of the apparatus.
  • the specific configuration of the cryptographic processing apparatus having the key schedule unit shown in FIG. 43 will be further described later.
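The FIG. 43 key schedule described above, as an added Python sketch that is not code from the patent. G here is a constructed stand-in (a Hadamard-form matrix over GF(2^4) applied to the columns and then the rows of the state), chosen only because it is an involution in which every key element affects every output element; taking K1 as the upper 64 bits of K and the nibble layout are assumptions.

```python
# Added illustration. G is a constructed stand-in, not the patent's G function.
# Hadamard-form matrix [[a,b,c,d],[b,a,d,c],[c,d,a,b],[d,c,b,a]] with
# a^b^c^d == 1, so the matrix is its own inverse over GF(2^4).
HAD = [[1, 2, 4, 6], [2, 1, 6, 4], [4, 6, 1, 2], [6, 4, 2, 1]]

# Key input order as listed in the text (13 round keys, 6 key types).
ORDER = ["K1", "K2", "Kd1", "Kd2", "K1(+)K2", "Kd1(+)Kd2", "K1(+)K2",
         "Kd1(+)Kd2", "K1(+)K2", "Kd2", "Kd1", "K2", "K1"]


def gf16_mul(a, b):
    """Multiply two elements of GF(2^4), reduction polynomial x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r


def mix(vec):
    """Multiply a 4-element vector by HAD."""
    out = []
    for row in HAD:
        acc = 0
        for coeff, v in zip(row, vec):
            acc ^= gf16_mul(coeff, v)
        out.append(acc)
    return out


def G(key):
    """Stand-in key conversion on 16 nibbles, column-major (a[4*c + r])."""
    s = list(key)
    for c in range(4):                      # mix every column
        s[4 * c:4 * c + 4] = mix(s[4 * c:4 * c + 4])
    for r in range(4):                      # then mix every row
        s[r::4] = mix(s[r::4])
    return s


def full_diffusion_elements():
    """Every key element affects every output element.

    G is linear, so probing each element with the value 1 is sufficient.
    """
    for j in range(16):
        probe = [0] * 16
        probe[j] = 1
        if any(x == 0 for x in G(probe)):
            return False
    return True


def to_nibbles(value):
    return [(value >> (4 * i)) & 0xF for i in range(16)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def key_types(secret_key_128):
    """The six key types of FIG. 43, derived from the 128-bit secret key K."""
    k1 = to_nibbles(secret_key_128 >> 64)             # assumption: K1 is the upper half
    k2 = to_nibbles(secret_key_128 & (2 ** 64 - 1))
    kd1, kd2 = G(k1), G(k2)
    return {"K1": k1, "K2": k2, "Kd1": kd1, "Kd2": kd2,
            "K1(+)K2": xor(k1, k2), "Kd1(+)Kd2": xor(kd1, kd2)}


def round_keys(secret_key_128):
    keys = key_types(secret_key_128)
    return [keys[name] for name in ORDER]


def register_sequence(k1, rounds):
    """One key register fed back through one G: K1, Kd1, K1, Kd1, ..."""
    reg, out = list(k1), []
    for _ in range(rounds):
        out.append(reg)
        reg = G(reg)
    return out


SAMPLE_K = 0x0123456789ABCDEFFEDCBA9876543210   # constructed sample key

if __name__ == "__main__":
    keys = round_keys(SAMPLE_K)
    print("same order for decryption:", keys == keys[::-1])
    print("element-level full diffusion:", full_diffusion_elements())
```

Because the round-key list equals its own reverse, a decryption pass that walks the keys backwards consumes exactly the sequence the encryption pass does.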
  • FIG. 44 is a diagram showing that the full diffusion property of the internal state S of the input data (P) is guaranteed when the key conversion function G has full diffusion property.
  • The base key K1 is input to the exclusive OR unit of the encryption processing unit and XORed with the input state. Thereafter, the round calculation unit R1 performs nonlinear conversion processing and linear conversion processing. An exclusive OR operation with the conversion key Kd1 is then performed on the output in the exclusive OR operation unit.
  • Consider the output (S) of the exclusive OR operation unit.
  • The full diffusion property is guaranteed between the base key K1 and the conversion key Kd1.
  • This property contributes to both the security and the implementation performance of the cryptographic processing device. Specifically, data diffusion by the key is improved, and high diffusion performance can be obtained even if the number of rounds is reduced. As a result, resistance to various attacks can be increased. For example, resistance to key analysis based on a meet-in-the-middle attack that exploits key dependency can be further improved.
  • The number of rounds necessary for spreading (full diffusion) the configuration information (bit string) of the applied key to all the bits of the input plaintext P, which is the conversion target data, depends on the processing of the round function (R).
  • the number of rounds required for spreading the configuration information (bit string) of the applied key to all the bits of the input plaintext P that is the conversion target data is (Full diffusion).
  • the diffusion of the configuration information of the key data with respect to the conversion target data is realized in one round, and a larger diffusion performance is guaranteed without depending on the processing of the round function (R). That is, secure cryptographic processing with high resistance to attacks is realized with a small number of rounds. As a result, high-speed processing and weight reduction are realized.
  • G function having the full diffusion property
  • The G function described below is configured by a combination of the following two functions.
  • (a) Full diffusion 4-bit function (Df4)
  • (b) 16-bit replacement function (Bp16)
  • The full diffusion 4-bit function is a conversion function with 4-bit input and output that has the full diffusion property, in which the influence of the 4 input bits appears in all 4 output bits. That is, Input: x0, x1, x2, x3 (1 bit each); Output: y0, y1, y2, y3 (1 bit each)
  • i = 0, 1, 2, 3. It is a function with the above properties.
  • FIG. 46 shows an example of a 16-bit replacement function (Bp16).
  • The input X is 16-bit data x0, x1, x2, ..., x15,
  • After input X is input to conversion function G and converted,
  • x_i and y_i are each 1-bit data, 0 or 1.
  • (B) 16-bit replacement function (Bp16). This is a diagram showing a key conversion process example (processing example 1) applying a G function with the full diffusion property composed of these two functions.
  • The base key is A and the conversion key is B. Both are 4 × 4 state data with 4-bit elements.
  • the process of generating the conversion key B from the base key A includes the following four steps.
  • (S11) Each of the 16 4-bit elements of the base key A is converted by applying the full diffusion 4-bit function (Df4).
  • (S12) The 16-bit replacement function (Bp16) is applied to each column (16 bits of data) of the 4 × 4 state generated by the conversion process in step S11.
  • (S13) The full diffusion 4-bit function (Df4) is applied to each of the 16 4-bit elements of the 4 × 4 state generated by the conversion process in step S12.
  • (S14) The 16-bit replacement function (Bp16) is applied to each row (16 bits of data) of the 4 × 4 state generated by the conversion process in step S13.
  • The conversion key B is generated from the base key A.
  • The elements b0 to b15 of the conversion key B are data affected by the elements a0 to a15 of the base key A, and the full diffusion property is guaranteed between the base key A and the conversion key B.
  • FIG. 48 also shows a key conversion process example (processing example 2) applying a G function with the full diffusion property composed of these two functions: (A) the full diffusion 4-bit function (Df4) and (B) the 16-bit replacement function (Bp16).
  • The base key is A and the conversion key is B. Both are 4 × 4 state data with 4-bit elements.
  • the process of generating the conversion key B from the base key A is configured by the following five steps.
  • (S21) Each of the 16 4-bit elements of the base key A is converted by applying the full diffusion 4-bit function (Df4).
  • (S22) The 16-bit replacement function (Bp16) is applied to each column (16 bits of data) of the 4 × 4 state generated by the conversion process in step S21.
  • (S23) The full diffusion 4-bit function (Df4) is applied to each of the 16 4-bit elements of the 4 × 4 state generated by the conversion process in step S22.
  • (S24) The 16-bit replacement function (Bp16) is applied to each row (16 bits of data) of the 4 × 4 state generated by the conversion process in step S23.
  • (S25) The full diffusion 4-bit function (Df4) is applied to each of the 16 4-bit elements of the 4 × 4 state generated by the conversion process in step S24.
  • The conversion key B is generated from the base key A.
  • The elements b0 to b15 of the conversion key B are data affected by the elements a0 to a15 of the base key A, and the full diffusion property is guaranteed between the base key A and the conversion key B.
  • (B) 16-bit replacement function (Bp16). This is a diagram showing a key conversion process example (processing example 3) applying a G function with the full diffusion property composed of these two functions.
  • The base key is A and the conversion key is B. Both are 4 × 4 state data with 4-bit elements.
  • The (a) full diffusion 4-bit function (Df4) applied in processing example 3 is a function that also has the involution property.
  • The process of generating the conversion key B from the base key A consists of the following five steps.
  • (S31) Each of the 16 4-bit elements of the base key A is converted by applying a 4-bit function (Df4) having the involution property and the full diffusion property.
  • (S32) The 16-bit replacement function (Bp16) is applied to each column (16 bits of data) of the 4 × 4 state generated by the conversion process in step S31.
  • (S33) A 4-bit function (Df4) having the involution property and the full diffusion property is applied to each of the 16 4-bit elements of the 4 × 4 state generated by the conversion process in step S32.
  • (S34) The 16-bit replacement function (Bp16) is applied to each row (16 bits of data) of the 4 × 4 state generated by the conversion process in step S33.
  • (S35) A 4-bit function (Df4) having the involution property and the full diffusion property is applied to each of the 16 4-bit elements of the 4 × 4 state generated by the conversion process in step S34.
  • The conversion key B is generated from the base key A.
  • The elements b0 to b15 of the conversion key B are data affected by the elements a0 to a15 of the base key A, and the full diffusion property is guaranteed between the base key A and the conversion key B.
  • the process of generating the conversion key B from the base key A is configured by the following five steps.
  • (S41) A 16-bit replacement function (Bp16) is applied to each column (16 bits of data) of the base key A (4 × 4 state).
  • (S42) A 4-bit function (Df4) having the involution property and the full diffusion property is applied to each of the 16 4-bit elements of the 4 × 4 state generated by the conversion process in step S41.
  • (S43) A 16-bit replacement function (Bp16) is applied to each column (16 bits of data) of the 4 × 4 state generated by the conversion process in step S42.
  • The conversion key B is generated from the base key A.
  • The elements b0 to b15 of the conversion key B are data affected by the elements a0 to a15 of the base key A, and the full diffusion property is guaranteed between the base key A and the conversion key B.
  • FIG. (A) Full diffusion 4-bit function (Df4), (B) 16-bit replacement function (Bp16). This is a diagram showing a key conversion process example (processing example 5) applying a G function with the full diffusion property composed of these two functions.
  • The base key is A and the conversion key is B. Both are 4 × 4 state data with 4-bit elements.
  • The (A) full diffusion 4-bit function (Df4) is a function that also has the involution property.
  • The process of generating the conversion key B from the base key A includes the following five steps.
  • (S51) Each of the 16 4-bit elements of the base key A is converted by applying a 4-bit function (Df4) having the involution property and the full diffusion property.
  • (S52) A 16-bit replacement function (Bp16) is applied to each row (16 bits of data) of the 4 × 4 state generated by the conversion process in step S51.
  • (S53) A 4-bit function (Df4) having the involution property and the full diffusion property is applied to each of the 16 4-bit elements of the 4 × 4 state generated by the conversion process in step S52.
  • The conversion key B is generated from the base key A.
  • The elements b0 to b15 of the conversion key B are data affected by the elements a0 to a15 of the base key A, and the full diffusion property is guaranteed between the base key A and the conversion key B.
  • The configuration examples of the five key conversion functions G have been described with reference to FIGS. These key conversion functions are applicable when generating a conversion key from the base key K, and can also be applied to the conversion process for the split keys generated by dividing the base key K, described above with reference to FIG. Furthermore, the key conversion functions applied to the two split keys may be set differently.
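The five steps of processing example 3, as an added Python illustration (not the patent's code) that traces how far one base-key bit can spread after each of S31 to S35. DF4 and bp16 are constructed stand-ins for the tables in the patent's figures, which are not reproduced on this page; the column-major state layout is also an assumption.

```python
# Added illustration: DF4 and bp16 are constructed stand-ins, not the tables
# shown in the patent's figures.

# Constructed 4-bit table. Both properties the text requires of Df4 in
# processing example 3 are checked exhaustively below rather than assumed.
DF4 = [0x1, 0x0, 0x5, 0x3, 0xE, 0x2, 0xF, 0x7,
       0xD, 0xA, 0x9, 0xB, 0xC, 0x8, 0x4, 0x6]

# State layout (assumption): 16 nibbles a0..a15, column-major, a[4*c + r].
COLS = [[4 * c + r for r in range(4)] for c in range(4)]
ROWS = [[4 * c + r for c in range(4)] for r in range(4)]


def df4_is_involution():
    return all(DF4[DF4[x]] == x for x in range(16))


def df4_has_full_diffusion():
    """Flipping any single input bit can flip each of the four output bits."""
    for i in range(4):
        reached = 0
        for x in range(16):
            reached |= DF4[x] ^ DF4[x ^ (1 << i)]
        if reached != 0xF:
            return False
    return True


def bp16(word):
    """Constructed 16-bit replacement: bit 4*i + j moves to bit 4*j + i."""
    out = 0
    for i in range(4):
        for j in range(4):
            out |= ((word >> (4 * i + j)) & 1) << (4 * j + i)
    return out


def permute(state, groups):
    """Apply bp16 to each 16-bit group (one column or one row of nibbles)."""
    out = list(state)
    for group in groups:
        word = sum(state[e] << (4 * k) for k, e in enumerate(group))
        word = bp16(word)
        for k, e in enumerate(group):
            out[e] = (word >> (4 * k)) & 0xF
    return out


def substitute(state):
    return [DF4[x] for x in state]


def g_example3(key):
    """S31..S35: Df4, Bp16 on columns, Df4, Bp16 on rows, Df4."""
    s = substitute(key)
    s = permute(s, COLS)
    s = substitute(s)
    s = permute(s, ROWS)
    return substitute(s)


def spread(mask):
    """Dependency view of a Df4 layer: any tainted bit taints its nibble."""
    return [0xF if m else 0x0 for m in mask]


def diffusion_trace(element, bit):
    """Follow the influence of one base-key bit through S31..S35.

    Returns one (tainted elements, tainted bits) pair per step. Bit masks
    travel through the same permute() used on real key material.
    """
    mask = [0] * 16
    mask[element] = 1 << bit
    steps = [spread,
             lambda m: permute(m, COLS),
             spread,
             lambda m: permute(m, ROWS),
             spread]
    trace = []
    for step in steps:
        mask = step(mask)
        trace.append((sum(1 for m in mask if m),
                      sum(bin(m).count("1") for m in mask)))
    return trace


if __name__ == "__main__":
    print("Df4 involution:", df4_is_involution())
    print("Df4 full diffusion:", df4_has_full_diffusion())
    print("spread of a0 bit 0:", diffusion_trace(0, 0))
    base_key = list(range(16))              # constructed sample base key A
    print("B =", [hex(x) for x in g_example3(base_key)])
```

With these stand-ins, every base-key bit reaches all 16 elements after the fourth step and all 64 bits only after the fifth.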
  • the cryptographic processing apparatus shown in FIG. 52 includes a key schedule unit 380 and a cryptographic processing unit 385.
  • the key register 381 of the key schedule unit 380 stores a secret key K generated in advance.
  • The secret key K is the concatenation of the key K1 and the key K2.
  • The keys K1 and K2 are 64-bit keys, and their concatenation, the secret key K, is 128-bit data.
  • G1 and G2 shown in the figure are key conversion units. These have at least the full diffusion property, or have both the full diffusion property and the involution property.
  • The combination of the key conversion functions G1 and G2 can be set as follows, for example.
  • (C) G1 and G2 both have the full diffusion property, and G1 and G2 are set as inverse functions of each other, that is, G2 = G1^-1.
  • Various combinations as described above are possible as combinations of the key conversion functions G1 and G2.
  • As a conventional constant input configuration, there is the configuration shown in FIG. 53. The round operation units are round function execution units that include an exclusive OR unit (round key operation unit), a nonlinear conversion unit, and a linear conversion unit in the cryptographic processing unit.
  • Constants 1 (CON1) to 4 (CON4) are sequentially input to the round operation units 401a to 401d.
  • the input constant CON is subjected to an exclusive OR operation with conversion data or a round key in each round operation unit. In this way, by performing operations with various constants in each round, it is possible to eliminate the identity between the round operations and increase resistance to various attacks.
  • the encryption processing and the decryption processing can be executed by the same device.
  • When the sequence of conversion functions applied in the cryptographic processing unit of the cryptographic processing device is divided at the center into left and right halves, the left half and the right half are inverse functions of each other.
  • Encryption processing and decryption processing can be executed by the same device. This is called a cryptographic processing device having the involution property.
  • The conversion function E 411 and the conversion function E^-1 413 are inverse functions of each other.
  • The central linear conversion unit M outputs an output B for the input A and outputs an output A for the input B.
  • The conversion function E 411, the linear conversion unit 412, and the conversion function E^-1 413 are applied to the plaintext P in this order.
  • Each conversion unit is applied to the ciphertext C in the same order. That is, the original plaintext P is obtained by applying the conversion function E 411, the linear conversion unit 412, and the conversion function E^-1 413 in this order.
  • Such a cryptographic processing device is called a cryptographic processing device having the involution property.
  • In some cryptographic processing devices having the involution property, not only is the execution sequence of the round functions the same in the forward and reverse directions, but the input order of the round keys applied in each round is also the same in both directions.
  • The key input sequence described above with reference to FIG. 43 is one key input sequence for realizing the involution property of the cryptographic processing device.
  • The linear conversion unit 412 performs linear conversion on the output values from the conversion function E 411, but the values of some of the constituent data (bits) may be output without change. A point at which the input and output values of a linear transformation are the same is called a fixed point, and the linear transformation processing applied in many cryptographic processing devices has several fixed points.
  • The input value X to the linear conversion unit 412 becomes the output X of the linear conversion unit 412 unchanged, due to the action of the fixed point of the linear conversion unit 412.
  • The value X is input to the conversion function E^-1 413. Since the conversion function E^-1 413 is the inverse function of the conversion function E 411, the input value X is returned to the original value Y. That is, some output values Y constituting the ciphertext C become the same as the constituent values Y of the input plaintext P. A fixed point where the input/output value does not change thus occurs in the cryptographic processing apparatus as a whole.
  • Such a property is a property that brings vulnerability to various attacks, and is an undesirable property that impairs the security of the cryptographic processing device.
  • FIG. 55 (b) is a cryptographic processing device having the involution property similar to FIG. 55 (a).
  • The conversion function E 411 performs an operation that takes constant 1 (CON1) as input, and the conversion function E^-1 413 performs an operation that takes constant 2 (CON2) as input.
  • X: the conversion result of the conversion function E 411 for the data Y.
  • The input value X to the linear conversion unit 412 is converted to X + ΔA by the linear conversion process of the linear conversion unit 412.
  • The value X + ΔA is input to the conversion function E^-1 413.
  • The conversion function E^-1 413 is the inverse function of the conversion function E 411 but executes an operation that takes constant 2 (CON2) as input, so it is not a complete inverse of the conversion function E 411, which executes an operation that takes constant 1 (CON1) as input. However, depending on how the constants are selected, the output value corresponding to the input X + ΔA to the conversion function E^-1 413 may be Y + ΔB, as shown in the figure.
  • The correspondence between the input and output values of the linear conversion unit is X, X + ΔA
  • The correspondence between the input/output values of the cryptographic processor is Y, Y + ΔB
  • Such a relationship between input and output data is also a property that causes vulnerability to various attacks, and is an undesirable property that impairs the security of the cryptographic processing device.
  • FIG. 56 is a diagram for explaining a constant input configuration example for the cryptographic processing unit according to the present embodiment.
  • FIG. 56A shows an encryption processing unit composed of data conversion units having the involution property, as described with reference to FIG. That is, the cryptographic processing unit has the following data conversion units: the conversion function E 431, the linear conversion unit 432, and the conversion function E^-1 433, where the conversion function E^-1 433 is the inverse function of the conversion function E 431.
  • The constant (CON) 435 is input to the conversion function E^-1 433.
  • The conversion function E^-1 433 is composed of a plurality of round functions, and the constant (CON) is input to one or more round function units.
  • Here the constant (CON) is input to the conversion function E^-1 433, but it may instead be input on the conversion function E 431 side.
  • The encryption processing unit has the involution property, sequentially executing the conversion function E 431 and its inverse function, the conversion function E^-1 433, and only one of the conversion function E and the inverse function E^-1 is configured to execute round operations to which one or more constants are applied.
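The fixed-point effect and the one-sided constant input described above, reproduced as an added Python example on a constructed 16-bit toy (not the patent's cipher). SBOX, the linear map M, KEY and CON are all assumptions made for this illustration.

```python
# Added illustration on a constructed 16-bit toy with the shape
# E -> linear conversion M -> E^-1. Not the patent's cipher.

SBOX = [0x1, 0x0, 0x5, 0x3, 0xE, 0x2, 0xF, 0x7,
        0xD, 0xA, 0x9, 0xB, 0xC, 0x8, 0x4, 0x6]      # constructed table
INV_SBOX = [SBOX.index(x) for x in range(16)]

KEY = [0x3, 0xA, 0x5, 0xC]    # constructed sample key (four 4-bit elements)
CON = [0x1, 0x2, 0x4, 0x8]    # constructed sample constant


def E(state, key):
    """Conversion function E: key addition followed by the S-box layer."""
    return [SBOX[s ^ k] for s, k in zip(state, key)]


def E_inv(state, key):
    """Exact inverse of E."""
    return [INV_SBOX[s] ^ k for s, k in zip(state, key)]


def M(state):
    """Linear conversion: each element becomes the XOR of the other three.

    M(M(x)) == x, and any x whose four elements XOR to zero is a fixed point.
    """
    total = state[0] ^ state[1] ^ state[2] ^ state[3]
    return [total ^ s for s in state]


def encrypt(plain, key, con=None):
    """E, then M, then E^-1. A constant, if given, enters the E^-1 half only."""
    x = M(E(plain, key))
    if con is not None:
        x = [a ^ c for a, c in zip(x, con)]
    return E_inv(x, key)


def count_unchanged(key, con=None):
    """Count the plaintexts (out of 2^16) that encrypt to themselves."""
    unchanged = 0
    for v in range(1 << 16):
        plain = [(v >> (4 * i)) & 0xF for i in range(4)]
        if encrypt(plain, key, con) == plain:
            unchanged += 1
    return unchanged


if __name__ == "__main__":
    p = [0x1, 0x2, 0x3, 0x4]                       # constructed sample block
    print("involution:", encrypt(encrypt(p, KEY), KEY) == p)
    print("unchanged blocks, no constant:", count_unchanged(KEY))
    print("unchanged blocks, constant on E^-1 side:", count_unchanged(KEY, CON))
```

Without the constant, every fixed point of M surfaces as a plaintext block that equals its ciphertext block whatever the key; with this constant on one side only, the toy has none.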
  • FIG. 56B shows a specific example of the input configuration of the constant (CON) 435.
  • the constant (CON) 435 is input to the exclusive OR unit 436 in the preceding stage of the linear conversion unit 437 of the encryption processing unit.
  • An exclusive OR operation is performed with the input data A to the exclusive OR unit 436.
  • The exclusive OR unit 436 is a round key operation unit that performs an exclusive OR operation with the round key Kr.
  • The exclusive OR unit 436 executes an exclusive OR operation of the data A, which is the output from the preceding round operation unit shown in the figure, the round key Kr, and the constant CON. That is, the exclusive OR unit 436 calculates B by the following operation and outputs it to the linear transformation processing unit 437 of the subsequent round operation unit.
  • B = A (+) Kr (+) CON. In the above formula, (+) indicates an exclusive OR operation.
  • Condition: in the linear conversion unit adjacent to the exclusive OR unit, which is the linear conversion unit 437 in the example shown in the figure, the constant is set to a value that does not reduce the input/output value difference in the linear conversion process.
  • The above condition means that all elements obtained as a result of the matrix operation between the constant CON and the linear transformation matrix applied in the linear transformation unit 437 are non-zero.
  • FIG. 57 shows a 4 × 4 matrix constituting the constant CON 435 input to the exclusive OR unit 436 and a linear transformation matrix M used in the linear transformation unit 437.
  • The constant CON 435 is a 4 × 4 state in which each element (con0 to con15) is 4-bit data, and is 64-bit data.
  • The linear transformation matrix M is 4 × 4 matrix data. That is, the following linear transformation matrix.
  • The condition on the constant CON is that all elements obtained as a result of the matrix operation between the constant CON and the linear transformation matrix applied in the linear transformation unit 437 are non-zero. That is, all values obtained by the following matrix operation are non-zero.
  • the constant CON is set so that the 16 values calculated by the matrix arithmetic expression are not all zero, that is, non-zero. With such a setting, it is possible to prevent the difference between the input and output values of the linear conversion processing in the linear conversion unit adjacent to the exclusive OR unit that inputs the constant CON, in the example shown in FIG. As a result, the number of minimum differential active S boxes can be maintained at a predetermined number or more.
  • the linear conversion unit 437 adjacent to the exclusive OR unit 436 to which the constant CON435 is input is set as the linear conversion unit P1 described above with reference to FIGS.
  • This is an example in which the column diffusion calculation (MixColumn) applying the following matrix is used.
  • The linear conversion unit 437 executes the column diffusion calculation (MixColumn) to which the matrix M0 is applied, that is, MC[M0].
  • The condition of the constant CON is that all elements obtained as a result of the matrix operation between the linear transformation matrix M0 applied in the linear transformation unit 437 and the constant CON are non-zero values.
  • An example of such a constant CON is the constant CON shown in FIG. 58, which is a 4×4 state having the following element configuration.
  • FIG. 59 is a diagram showing an example of the input configuration and calculation configuration of the round key and the constant CON for the cryptographic processing unit of the cryptographic processing device having the input configuration of the constant CON that satisfies the above-described constant conditions.
  • plaintext P is input from the lower left
  • ciphertext C is output from the lower right.
  • The cryptographic processing unit 451 (E) of the cryptographic processing device shown in FIG. 59 corresponds to the conversion function E 431 shown in FIG. 56 (a).
  • The linear conversion unit (P2) 452 corresponds to the linear conversion unit 432 illustrated in FIG.
  • The cryptographic processing unit 453 (E^-1) corresponds to the conversion function E^-1 433 shown in FIG.
  • The cryptographic processing device configuration shown in FIG. 59 is a cryptographic processing device having involution properties.
  • The round key input example shown in FIG. 59 corresponds to the configuration example described above with reference to FIG. That is, the input order of round keys to the exclusive OR units configured in the encryption processing unit is as follows: key K1, key K2, conversion key Kd1, conversion key Kd2, exclusive OR key K1 (+) K2, exclusive OR operation conversion key Kd1 (+) Kd2, exclusive OR key K1 (+) K2, exclusive OR key K1 (+) K2, exclusive OR operation conversion key Kd1 (+) Kd2, exclusive OR key K1 (+) K2, conversion key Kd2, conversion key Kd1, key K2, key K1.
  • The exclusive OR key K1 (+) K2 is set to be input to the round calculation unit R6.
  • Before and after the linear conversion unit 452, the exclusive OR key K1 (+) K2 is repeatedly input.
  • the round key supply unit of the key schedule unit outputs six types of keys in the above order.
  • This key input sequence is the same sequence in the reverse order.
  • the key input order in the encryption process for generating the ciphertext C from the plaintext P and the key input order in the decryption process for generating the plaintext P from the ciphertext C can be set to the same setting.
  • it is a key input sequence having involution properties, and can be used in common with hardware and programs applied to encryption processing and decryption processing, and is a setting that contributes to weight reduction (downsizing) of the apparatus.
  • The constant CON is input to each of the exclusive OR unit 461, the exclusive OR unit 463, and the exclusive OR unit 465 of the encryption processing unit 453 (E^-1).
  • The constants CON are, for example, the 4×4 state constants CON described with reference to FIG.
  • The linear transformation units 462, 464, and 466 adjacent to these three exclusive OR units 461, 463, and 465 all execute the column diffusion operation (MixColumn) to which the matrix M0 is applied, that is, MC[M0].
  • The cryptographic processing unit shown in FIG. 59 has an involution property: plaintext P can be generated from ciphertext C by executing, in reverse, the sequence that generates ciphertext C from plaintext P.
  • the encryption process and the decryption process can be performed by applying the same hardware or the same program.
  • the key supply processing of the key schedule unit can be executed as processing using the same hardware or the same program.
  • an S box that performs nonlinear transformation in units of s bits is used for the nonlinear transformation unit set in the common key block cipher.
  • As an index for improving resistance against differential attacks, there is the minimum number of differential active S boxes included in a differential path expressing a differential connection relationship, that is, the minimum differential active S box number.
  • The non-linear transformation is only the processing part by the S box.
  • Data P1 and P2 having a specific difference ΔX are individually input to a block cipher apparatus that executes block cipher to obtain cryptographic processing results C1 and C2.
  • an S box into which a difference value is input is defined as an active S box.
  • the ease of analysis increases. In other words, resistance to attacks is weakened.
  • An S box into which a difference value is input, where the difference is generated when two inputs P1 and P2 having a predetermined difference ΔX are set, is defined as an active S box, and safety evaluation is performed by counting the number of such S boxes.
  • FIG. 61 shows an encryption processing unit including the data conversion unit having the involution property shown in FIG. 56 (a). That is, the cryptographic processing unit includes these data conversion units: the conversion function E 431, the linear conversion unit 432, and the conversion function E^-1 433. The conversion function E^-1 433 is the inverse function of the conversion function E 431.
  • The constant (CON) 435 is input to the conversion function E^-1 433.
  • The conversion function E^-1 433 is configured by a plurality of round functions, and a constant (CON) is input to one or more round function units.
  • The cryptographic processing unit has an involution property of sequentially executing the conversion function E 431 and the conversion function E^-1 433, which is the inverse function of the conversion function E 431, and in only one of the conversion function E or the inverse function E^-1, a round operation to which one or more constants are applied is executed.
  • The input S1 is input from the linear conversion unit 432 side to the conversion function E 431 to obtain the output T.
  • When input values S1 and S2 having a difference ΔX are input in opposite directions, as shown in FIG. 61, to the two functions, that is, the conversion function E 431 and the conversion function E^-1 433 that is the inverse function of the conversion function E 431, then among the S boxes at corresponding positions in each function, an S box into which the difference is input is set as an active S box.
  • FIG. 62 is a diagram for explaining the configuration for calculating the number of active S boxes in the cryptographic processing configuration shown in FIG. 59 described above.
  • the input value S1 is input from the linear conversion unit 452 side of the cryptographic processing unit 451 (E) of the cryptographic processing device shown in FIG. 62, and cryptographic processing to which the cryptographic processing unit 451 (E) is applied is executed.
  • The input value S2, in which the difference ΔX is set with respect to the input value S1, is input from the linear conversion unit 452 side of the encryption processing unit 453 (E^-1), which is the inverse function of the encryption processing unit 451 (E), and the encryption processing to which the encryption processing unit 453 (E^-1) is applied is executed.
  • Among the S boxes at the corresponding positions in the cryptographic processing units (E) and (E^-1), an S box into which the difference is input is set as an active S box.
  • For the encryption processing apparatus having the involution property that sequentially executes the data conversion function E and the inverse function E^-1 of the data conversion function E, a configuration has been described in which the constant CON is input to only one of the function E or the inverse function E^-1 and the round operation is performed by applying the constant. With such a setting, it is possible to prevent the difference between the input and output values of the linear conversion processing in the linear conversion unit adjacent to the exclusive OR unit that inputs the constant CON, in the example shown in FIG. As a result, the number of minimum differential active S boxes can be maintained at a predetermined number or more.
  • This constant input configuration is not limited to only one of the function E or the inverse function E^-1; a configuration may also be used in which round operations to which one or more constants are applied are performed in both the function E and the inverse function E^-1.
  • The constant application position is not a corresponding position of the function E and the inverse function E^-1, but a position shifted from the corresponding position (non-corresponding position).
  • FIG. 63 shows a configuration example of a cryptographic processing apparatus having this constant input configuration.
  • plaintext P is input from the lower left
  • ciphertext C is output from the lower right.
  • The encryption processing unit 451 (E) of the encryption processing apparatus shown in FIG. 63 corresponds to the conversion function E 431 shown in FIG. 56 (a).
  • The linear conversion unit (P2) 452 corresponds to the linear conversion unit 432 illustrated in FIG.
  • The cryptographic processing unit 453 (E^-1) corresponds to the conversion function E^-1 433 shown in FIG.
  • The configuration of the cryptographic processing unit shown in FIG. 63 is a cryptographic processing unit having involution properties.
  • The round key input example shown in FIG. 63 corresponds to the configuration example described above with reference to FIG. That is, the input order of round keys to the exclusive OR units configured in the encryption processing unit is as follows: key K1, key K2, conversion key Kd1, conversion key Kd2, exclusive OR key K1 (+) K2, exclusive OR operation conversion key Kd1 (+) Kd2, exclusive OR key K1 (+) K2, exclusive OR key K1 (+) K2, exclusive OR operation conversion key Kd1 (+) Kd2, exclusive OR key K1 (+) K2, conversion key Kd2, conversion key Kd1, key K2, key K1.
  • The exclusive OR key K1 (+) K2 is set to be input to the round calculation unit R6.
  • Before and after the linear conversion unit 452, the exclusive OR key K1 (+) K2 is repeatedly input.
  • the round key supply unit of the key schedule unit outputs six types of keys in the above order.
  • This key input sequence is the same sequence in the reverse order.
  • the key input order in the encryption process for generating the ciphertext C from the plaintext P and the key input order in the decryption process for generating the plaintext P from the ciphertext C can be set to the same setting.
  • it is a key input sequence having involution properties, and can be used in common with hardware and programs applied to encryption processing and decryption processing, and is a setting that contributes to weight reduction (downsizing) of the apparatus.
  • The constant CON is input to each of the exclusive OR unit 471 and the exclusive OR unit 472 of the encryption processing unit 451 (E). Further, it is also input to the exclusive OR unit 473 of the encryption processing unit 453 (E^-1).
  • The constant CON is, for example, the 4×4 state constant CON described with reference to FIG.
  • The linear transformation units 481, 482, 483 adjacent to these three exclusive OR units 471, 472, 473 all execute the column diffusion operation (MixColumn) to which the matrix M0 is applied, that is, MC[M0].
  • The constant input structure is not limited to only one of the function E or the inverse function E^-1; a configuration may also be used in which round operations to which a constant is applied are performed once or more in both the function E and the inverse function E^-1.
  • The constant application position is not a corresponding position of the function E and the inverse function E^-1 but a shifted position (non-corresponding position).
  • The encryption processing unit shown in FIG. 63 has an involution property: plaintext P can be generated from ciphertext C by executing, in reverse, the sequence that generates ciphertext C from plaintext P.
  • the encryption process and the decryption process can be performed by applying the same hardware or the same program.
  • the key supply processing of the key schedule unit can be executed as processing using the same hardware or the same program.
  • To realize the involution of the cryptographic processing unit 120, that is, for the same hardware or program to generate and output the ciphertext C from the plaintext P and the plaintext P from the ciphertext C, the non-linear conversion unit 122 configured in the cryptographic processing unit 120 is also required to have involution.
  • The non-linear transformation unit 122 in the cryptographic processing unit 120 of the cryptographic processing apparatus 100 illustrated in FIG. 19 includes a plurality of S boxes (S-boxes) as illustrated in FIG.
  • This 4-bit input/output S box (S-box) needs to have a configuration with involution. That is, when a 4-bit output value is obtained for a 4-bit input value, the original 4-bit input value must be obtained when that 4-bit output value is input to the same S box.
  • A function f(x) having the involution property is a function that satisfies f(f(x)) = x for all input values x.
  • the nonlinear conversion unit 122 configured in the cryptographic processing unit 120 is required to be the function f (x) having the involution property.
  • FIG. 64 (1) is a diagram illustrating a configuration example of the nonlinear conversion unit, similar to FIG. 22 (1) described above. That is, this is a configuration example of the non-linear conversion unit 122 configured in the cryptographic processing unit 120 of the cryptographic processing apparatus 100 illustrated in FIG.
  • the nonlinear conversion unit 122 has a configuration in which a plurality of S boxes (S-boxes) for executing nonlinear conversion processing are arranged. Each S box performs non-linear transformation of 4-bit data.
  • FIG. 64 (2) shows a configuration of one S box (S-box) configured in the nonlinear conversion unit.
  • The S box (S-box) can be divided into these three layers: nonlinear conversion layer 1 521, linear transformation layer 522, and nonlinear conversion layer 2 523.
  • The nonlinear conversion layer 2 523 is the inverse function of the nonlinear conversion layer 1 521.
  • FIG. 65 shows a specific circuit configuration example of the S box (S-box).
  • The nonlinear conversion layer 1 521 is configured by two exclusive OR operation units (XOR) and two basic operators.
  • In the example shown in FIG. 65, a NOR circuit is set as the basic operator.
  • The basic operator can be replaced with a basic operator that performs any one of the two-input, one-output operations of an AND circuit, an OR circuit, and a NAND circuit.
  • the two basic operators may be a combination of the same basic operators or a combination of different basic operators.
  • The linear conversion layer 522 is a linear conversion layer that performs a replacement process on the 4 input bits, and basically has involution properties.
  • The nonlinear conversion layer 2 523 is configured by an inverse function of the nonlinear conversion layer 1 521.
  • the S box circuit constituted by these three layers is a non-linear conversion circuit having involution properties.
  • the lower part of FIG. 65 shows correspondence data between the input value (in) and the output value (out) for the S box shown in FIG.
  • the input / output values are all 4-bit data and are 0000 to 1111 data.
  • The table shown in FIG. 65 is a correspondence table between input values and output values of 0 to 15, in which 0000 to 1111 are expressed in decimal notation. As can be understood from this table, when an output value Y is obtained from an arbitrary input value X, the output value obtained with Y as the input value is the original input value X.
  • the 4-bit input / output S box shown in FIG. 65 is a non-linear conversion circuit having involution characteristics.
  • FIG. 66 shows a data conversion formula using this S box (S-box). Let the 4-bit input to the S box (S-box) be a_in, b_in, c_in, d_in, and the 4-bit output from the S box (S-box) be a_out, b_out, c_out, d_out.
  • The data conversion formula using the S box (S-box) is as follows.
  • ~(x | y) indicates negation (NOT) of the value in (). Specifically, it indicates the output value of the NOR circuit when the input values to the NOR circuit are x and y.
  • The S box that performs data conversion represented by the above arithmetic expression has involution.
  • The S box circuit shown in FIG. 66 has a difference probability and a linear probability of 2^-2, and has sufficient safety.
  • In the encryption processing unit configuration described with reference to FIG. 54, that is, the encryption processing unit having the conversion function E 411, the linear conversion unit 412, and the conversion function E^-1 413, using the S box shown in FIGS. 64 to 66 for the nonlinear conversion units in the conversion function E 411 and the conversion function E^-1 413 realizes the involution of the entire encryption processing unit.
  • FIG. 67 shows a setting example of the linear conversion layer in the 4-bit input/output S box. As in the S box described with reference to FIGS. 65 and 66, in a 4-bit input/output S box having the three-layer configuration of nonlinear conversion layer 1, linear transformation layer, and nonlinear conversion layer 2, the linear conversion layer has, for example, one of the settings shown in FIG.
  • The condition of the permutation function P4 of the linear conversion layer that performs 4-bit permutation can be expressed by the following equation.
  • The above (a) is a conditional expression indicating that the replacement function P4 has involution properties.
  • (b) is a conditional expression indicating that the input/output bits are not the same.
  • the linear conversion layer needs to be configured to perform replacement processing that satisfies the above conditions.
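The three-layer S box construction and the two P4 conditions above, as an added example that is not part of the patent text: it enumerates the bit permutations satisfying (a) and (b), builds an S box as layer 1, permutation, inverse of layer 1, and measures involution, differential probability and linear probability. The NOR wiring in `nonlinear_layer_1` is a hypothetical choice, not the circuit of FIG. 65, and linear probability is taken as squared correlation, which is an assumption.

```python
from itertools import permutations


def nor(x, y):
    """Two-input NOR on single bits."""
    return (x | y) ^ 1


def nonlinear_layer_1(a, b, c, d):
    """Hypothetical layer 1 built from two XORs and two NOR gates."""
    c ^= nor(a, b)
    d ^= nor(b, c)
    return a, b, c, d


def nonlinear_layer_2(a, b, c, d):
    """Inverse of layer 1: the same two steps undone in reverse order."""
    d ^= nor(b, c)
    c ^= nor(a, b)
    return a, b, c, d


def valid_p4():
    """Bit permutations meeting both conditions on P4:
    (a) P4(P4(i)) == i, (b) P4(i) != i for every bit position i."""
    return [p for p in permutations(range(4))
            if all(p[p[i]] == i and p[i] != i for i in range(4))]


def build_sbox(p4):
    """Compose layer 1, the bit permutation and layer 2 into a 16-entry table."""
    table = []
    for x in range(16):
        bits = [(x >> (3 - i)) & 1 for i in range(4)]  # a is the MSB
        bits = nonlinear_layer_1(*bits)
        bits = [bits[p4[i]] for i in range(4)]
        bits = nonlinear_layer_2(*bits)
        table.append(sum(bit << (3 - i) for i, bit in enumerate(bits)))
    return table


def is_involution(sbox):
    """True when S(S(x)) == x for all 16 inputs."""
    return all(sbox[sbox[x]] == x for x in range(16))


def parity(v):
    return bin(v).count("1") & 1


def max_differential_probability(sbox):
    """Largest Pr[S(x) ^ S(x ^ dx) == dy] over all dx != 0."""
    best = 0
    for dx in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best / 16


def max_linear_probability(sbox):
    """Largest squared correlation (2p - 1)^2 over masks with b != 0.
    Assumed definition; the text does not spell one out."""
    best = 0
    for a in range(16):
        for b in range(1, 16):
            corr = sum(1 if parity(a & x) == parity(b & sbox[x]) else -1
                       for x in range(16))
            best = max(best, abs(corr))
    return (best / 16) ** 2


# Constructed example: P4 swaps a<->c and b<->d.
SBOX = build_sbox((2, 3, 0, 1))

if __name__ == "__main__":
    print("valid P4 settings:", valid_p4())
    print("S box:", SBOX, "involution:", is_involution(SBOX))
    print("max DP:", max_differential_probability(SBOX),
          "max LP:", max_linear_probability(SBOX))
```

The involution holds for any layer 1 as long as layer 2 is its exact inverse and P4 satisfies condition (a); the differential and linear probabilities depend on the specific gates and have to be measured, as done here.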
  • This is a 4-bit input/output S box having these three layers: nonlinear conversion layer 1 531, linear transformation layer 532, and nonlinear conversion layer 2 533.
  • The nonlinear conversion layer 1 531 includes two exclusive OR operation units (XOR), a NAND circuit, and a NOR circuit.
  • The linear conversion layer 532 is a linear conversion layer that performs a replacement process on the 4 input bits, and has involution properties.
  • The nonlinear conversion layer 2 533 is configured by an inverse function of the nonlinear conversion layer 1 531.
  • the S box circuit constituted by these three layers is a non-linear conversion circuit having involution properties.
  • FIG. 68 shows correspondence data between the input value (in) and the output value (out) for the S box shown in FIG.
  • The input/output values are all 4-bit data and are 0000 to 1111 data.
  • The table shown in FIG. 68 is a correspondence table of input values and output values of 0 to 15, in which 0000 to 1111 are represented in decimal notation. As can be understood from this table, when an output value Y is obtained from an arbitrary input value X, the output value obtained with Y as the input value is the original input value X.
  • the 4-bit input / output S box shown in FIG. 68 is a non-linear conversion circuit having involution characteristics.
  • FIG. 69 shows a data conversion formula using this S box (S-box). Let the 4-bit input to the S box (S-box) be a_in, b_in, c_in, d_in, and the 4-bit output from the S box (S-box) be a_out, b_out, c_out, d_out.
  • The data conversion formula using the S box (S-box) is as follows.
  • ~(x | y) indicates the output value of the NOR circuit when the input values to the NOR circuit are x and y.
  • ~(x & y) indicates the output value of the NAND circuit when the input values to the NAND circuit are x and y.
  • The S box that performs data conversion represented by the above arithmetic expression has involution.
  • The S box circuit shown in FIG. 69 has a difference probability and a linear probability of 2^-2, and has sufficient safety.
  • The S box shown in FIG. 69 includes four exclusive OR operators (XOR), two NOR circuits, and two NAND circuits.
  • In the encryption processing unit configuration described with reference to FIG. 54, that is, the encryption processing unit having the conversion function E 411, the linear conversion unit 412, and the conversion function E^-1 413, using the S box shown in FIG. 69 for the nonlinear conversion units in the conversion function E 411 and the conversion function E^-1 413 realizes the involution of the entire encryption processing unit.
  • The nonlinear conversion layer 1 541 is configured by two exclusive OR operation units (XOR) and two OR circuits.
  • the linear conversion layer 542 is a linear conversion layer that performs an input 4-bit replacement process, and has involution properties.
  • the nonlinear conversion layer 2 543 is configured by an inverse function of the nonlinear conversion layer 1 541.
  • the S box circuit constituted by these three layers is a non-linear conversion circuit having involution properties.
  • the lower part of FIG. 70 shows correspondence data between the input value (in) and the output value (out) for the S box shown in FIG.
  • the input / output values are all 4-bit data and are 0000 to 1111 data.
  • The table shown in FIG. 70 is a correspondence table between input values and output values of 0 to 15, in which 0000 to 1111 are represented in decimal notation. As can be understood from this table, when an output value Y is obtained from an arbitrary input value X, the output value obtained with Y as the input value is the original input value X.
  • the 4-bit input / output S box shown in FIG. 70 is a non-linear conversion circuit having involution characteristics.
  • FIG. 71 shows a data conversion formula using this S box (S-box). Let the 4-bit input to the S box (S-box) be a_in, b_in, c_in, d_in, and the 4-bit output from the S box (S-box) be a_out, b_out, c_out, d_out.
  • The data conversion formula using the S box (S-box) is as follows.
  • (x | y) indicates the output value of the OR circuit when the input values to the OR circuit are x and y.
  • The S box that performs data conversion represented by the above arithmetic expression has involution.
  • The S box circuit shown in FIG. 71 has a difference probability and a linear probability of 2^-2, and has sufficient safety.
  • The S box shown in FIG. 71 is composed of four exclusive OR operators (XOR) and four OR circuits.
  • In the encryption processing unit configuration described with reference to FIG. 54, that is, the encryption processing unit having the conversion function E 411, the linear conversion unit 412, and the conversion function E^-1 413, using this S box for the nonlinear conversion units in the conversion function E 411 and the conversion function E^-1 413 realizes the involution of the entire encryption processing unit.
  • FIG. 72 is a diagram illustrating a cryptographic processing apparatus 700 as an example of a cryptographic processing apparatus having all the above-described configurations.
  • the cryptographic processing apparatus 700 includes a key schedule unit 720 and a cryptographic processing unit 750.
  • the cryptographic processing unit 750 includes data conversion units such as an exclusive OR unit 751, a non-linear conversion unit 752, and a linear conversion unit 753, and has a configuration that repeatedly executes these processes.
  • the key schedule unit 720 outputs the round key RKn to each of the exclusive OR units configured in the encryption processing unit 750, and executes the exclusive OR operation with the conversion target data.
  • the key schedule unit 720 includes a round key supply unit 721 and a constant supply unit (constant register) 725.
  • the round key supply unit 721 includes a key register 722 that stores the secret key K and a key conversion unit 723.
  • each round key RKn is also 64 bits.
  • Each of these 64-bit data is a 4×4 state composed of 16 elements each having 4 bits.
  • the cipher processing unit 750 can output the ciphertext C as output data by repeating the round operation using the plaintext P as input data, and sets the execution sequence of the round operation in reverse order using the ciphertext C as input data. It is the structure which has the involution property which can produce
  • each conversion process is executed from the upper stage to the lower stage of the cryptographic processing unit 750 shown in the figure.
  • each conversion process is executed from the lower stage to the upper stage of the cryptographic processing unit 750 shown in the figure.
  • The round key supply unit 721 of the key schedule unit 720 is configured to perform key supply processing having an involution property in which the key supply sequence when the ciphertext C is generated from the plaintext P and the key supply sequence when the plaintext P is generated from the ciphertext C match. Note that the key schedule unit 720 performs a calculation using a constant on a part of the supplied key during the key supply process to the encryption processing unit 750, and outputs key data as a calculation result to the encryption processing unit 750.
  • The conversion functions are set in the sequence of the conversion function E, the linear conversion function, and the conversion function E^-1, and the configuration has involution properties.
  • the linear conversion processing unit 750 the item [4.
  • Linear conversion processing units that execute three different types of linear conversion processing are set. That is, three different linear conversion units are included, namely the linear converter P1, the linear converter P2, and the linear converter P3, and the linear conversion process executed for each round is changed in the encryption process. That is, the same linear conversion processing is not performed in consecutive rounds.
  • The linear transformation unit P1 performs, on the elements of each column of the 4×4 state input data, in units of columns, a matrix operation applying one matrix M0. This is the column diffusion operation (MixColumn) described above with reference to FIGS. That is, the linear transformation processing unit P1 executes the column diffusion operation (MC) indicated by the formula MC[M0].
  • MC[M0] is an expression indicating a matrix operation in which the same matrix M0 is applied to each column of the state, and has the same meaning as the expression MC[M0, M0, M0, M0], which individually indicates the matrix to be applied to each column of the state.
  • The linear conversion unit P2 performs a matrix operation that applies a different matrix for each row to the elements in each row of the input data in the 4×4 state.
  • a matrix operation to which the following matrix is applied is executed for the upper first to fourth rows.
  • the row diffusion calculation (MixRow) indicated by the above formula is executed.
  • The linear transformation processing unit P3 also performs a matrix operation that applies a different matrix for each row to the elements in each row of the 4×4 state input data, as shown in FIG. 24 (2). Unlike the linear transformation process P2, the linear transformation process P3 executes a matrix operation that applies the following matrices to the first to fourth rows. 1st row: application matrix M2, 2nd row: application matrix M0, 3rd row: application matrix M1, 4th row: application matrix M3. This is the row diffusion operation (MixRow) described above with reference to FIG. That is, the linear transformation processing unit P3 executes the row diffusion calculation (MixRow) indicated by the formula MR[M2, M0, M1, M3].
  • the number of active S boxes can be increased as described above with reference to FIG. This enables encryption processing (encryption processing and decryption processing) with higher security.
  • the encryption processing unit 750 shown in FIG. 72 executes data conversion processing in which the following data conversion units are sequentially applied.
  • Non-linear converter S; an exclusive OR part for performing an exclusive OR operation with the round key RK7;
  • Linear converter P2; an exclusive OR part for performing an exclusive OR operation with the round key RK7;
  • Non-linear converter S;
  • An exclusive OR part for performing an exclusive OR operation with the round key RK8; linear converter P1; non-linear converter S; an exclusive OR part for performing an exclusive OR operation with the round key RK9; linear converter P3; non-linear converter S; an exclusive OR part for performing an exclusive OR operation with the round key RK10; linear converter P1; non-linear converter S; an exclusive OR part for performing an exclusive OR operation with the round key RK11; linear converter P2; non-linear converter S; an exclusive OR part for performing an exclusive OR operation with the round key RK12; linear converter P1; non-linear converter S; an exclusive OR part for performing an exclusive OR operation with the round key RK13.
  • the round key supply unit 721 of the key schedule unit 720 includes a key register 722 and a key conversion unit 723.
  • the processing executed by the round key supply unit 721 is performed by the item [5.
  • The secret key K stored in the key register is 128-bit key data which is concatenated data of the 64-bit base keys K1 and K2.
  • The key conversion unit 723 generates a conversion key Kd1 based on the base key K1 and generates a conversion key Kd2 by conversion processing based on the base key K2.
  • This conversion process is expressed as follows using the conversion function G and the inverse function G^-1.
  • Kd1 = G(K1)
  • K1 = G^-1(Kd1)
  • G = G^-1 is established. That is, the data conversion function G applied to the key conversion in the key conversion unit 723 has the involution property, that is, the property that the forward function G and the backward function G^-1 are the same function, as shown in FIG.
  • The column diffusion operation in step S1 of FIG. 34 executes, on all four columns of the 4×4 state representation data consisting of 4-bit elements, a matrix operation applying the same Hadamard MDS matrix M_D.
  • The row diffusion operation in step S2 executes, on all four rows of the 4×4 state representation data consisting of 4-bit elements, a matrix operation applying the same Hadamard MDS matrix M_D.
  • The function G, consisting of continuous processing of the column diffusion operation MC[M_D] and the row diffusion operation MR[M_D], has involution properties: the forward function G and the backward function G^-1 are the same, and applying it twice yields the original value.
  • By the column diffusion operation MC[M_D] applying the matrix M_D and the row diffusion operation MR[M_D] applying the matrix M_D, executed in the key conversion unit 723, data diffusion between all the elements of the input/output state, that is, "full diffusion conversion", is performed.
  • The round key supply configuration executed by the round key supply unit 721 has these two properties: (1) the full diffusion property that realizes full diffusion conversion, and (2) the involution property in which the forward function G and the backward function G^-1 are the same. These two characteristics bring about the following effects as described above.
  • The diffusion of the configuration information of the key data with respect to the conversion target data is realized with a small number of rounds, and greater diffusion performance is guaranteed without depending on the processing of the round function (R). That is, secure cryptographic processing with high resistance to attacks is realized with a small number of rounds. As a result, high-speed processing and weight reduction are realized.
  • the round key supply unit 721 outputs keys in the following order: key K1, key K2, conversion key Kd1, conversion key Kd2, exclusive OR key K1 (+) K2, exclusive OR conversion key Kd1 (+) Kd2, exclusive OR key K1 (+) Kd2, exclusive OR conversion key Kd1 (+) Kd2, exclusive OR key K1 (+) K2, conversion key Kd2, conversion key Kd1, key K2, key K1. In this order, 6 types of keys are output.
  • round keys K1 to K13 input to the cryptographic processing unit 750 are generated by using the above keys as they are or by applying a constant CON.
  • the exclusive OR key K1 (+) K2 is repeatedly used as the round key K7 before and after the linear conversion unit P2 at the center position of the cryptographic processing unit 750.
  • the round keys RK8, RK10, and RK12 are generated by exclusive ORing the constant CON supplied from the constant supply unit 725 with the key supplied from the round key supply unit 721.
  • the key input sequence is the same as the sequence described above with reference to FIG. 59, and the reverse order is the same sequence.
  • the round key supply unit 721 performs key generation and output in the same sequence in the key input order in the encryption process for generating the ciphertext C from the plaintext P and in the decryption process for generating the plaintext P from the ciphertext C.
  • the constant supply unit 725 set in the key schedule unit 720 executes constant supply processing according to the processing described earlier, with reference to FIGS. 53 to 59, in the item [6. Configuration for realizing improvement in safety by inputting constants].
  • when the round keys RK8, RK10, and RK12 are generated, the constant (CON) is exclusive ORed with the key data generated by the round key supply unit.
  • RK1 = K1
  • RK2 = K2
  • RK3 = Kd1
  • RK4 = Kd2
  • RK5 = K1 (+) K2
  • RK6 = Kd1 (+) Kd2
  • RK7 = K1 (+) K2
  • RK7 = K1 (+) K2
  • RK8 = Kd1 (+) Kd2 (+) CON
  • RK9 = K1 (+) K2
  • RK10 = Kd2 (+) CON
  • RK11 = Kd1
  • RK12 = K2 (+) CON
  • RK13 = K1
  • (+) means exclusive OR operation.
  • RK7 is set to input the same round key twice before and after the linear conversion unit (P2).
  • the constant (CON) is subjected to exclusive OR processing on the key generated by the round key supply unit when the round key is generated.
  • a constant may be input to the exclusive OR unit of the encryption processing unit separately from the round key to perform exclusive OR processing with the converted data. In this case, the result is the same.
  • the constant (CON) is the result of matrix operation between the constant CON and the linear transformation matrix applied in the linear transformation unit adjacent to the exclusive OR unit of the encryption processing unit that inputs the constant CON.
  • a constant (CON) is used in which all elements are non-zero, that is, a non-zero value.
  • the non-linear conversion unit set in the encryption processing unit 750 has a configuration in which a plurality of 4-bit input / output S boxes (S-boxes) having the involution property are set, as described in the item [7. Specific example of configuration of S box (S-box) applied to non-linear conversion unit] with reference to FIGS.
  • the cryptographic processing unit 750 includes a conversion function E, a linear conversion unit, and a conversion function E^{-1}, and the non-linear conversion units of the conversion function E and the conversion function E^{-1} are shown in FIG. With the configuration using the S box shown in FIG. 66, the involution property of the entire cryptographic processing unit is realized.
  • the cryptographic processing apparatus that performs cryptographic processing according to the above-described embodiments can be mounted on various information processing apparatuses that perform cryptographic processing. Specifically, PC, TV, recorder, player, communication device, RFID, smart card, sensor network device, dent / battery authentication module, health / medical device, self-supporting network device, etc., for example, data processing and communication processing It can be used in various devices that execute cryptographic processing associated with the above.
  • FIG. 73 shows a configuration example of the IC module 800 as an example of an apparatus that executes the cryptographic processing of the present disclosure.
  • the above-described processing can be executed in various information processing apparatuses such as a PC, an IC card, a reader / writer, a smartphone, and a wearable device, and the IC module 800 illustrated in FIG. 73 can be configured in these various devices.
  • a CPU (Central processing Unit) 801 shown in FIG. 73 is a processor that executes start and end of cryptographic processing, control of data transmission / reception, data transfer control between each component, and other various programs.
  • a memory 802 is a ROM (Read-Only-Memory) that stores programs executed by the CPU 801 or fixed data such as calculation parameters, a program executed in the processing of the CPU 801, and a parameter storage area that changes as appropriate in the program processing, It consists of RAM (Random Access Memory) used as a work area.
  • the memory 802 can be used as a storage area for key data necessary for encryption processing, data to be applied to a conversion table (substitution table) or conversion matrix applied in the encryption processing, and the like.
  • the data storage area is preferably configured as a memory having a tamper resistant structure.
  • the cryptographic processing unit 803 has the cryptographic processing configuration described above, and executes cryptographic processing and decryption processing according to the common key block cryptographic processing algorithm.
  • although an example in which the cryptographic processing means is an individual module is shown, such an independent cryptographic processing module need not be provided; for example, a cryptographic processing program may be stored in the ROM, and the CPU 801 may read and execute the program stored in the ROM.
  • the random number generator 804 executes random number generation processing necessary for generating a key necessary for encryption processing.
  • the transmission / reception unit 805 is a data communication processing unit that performs data communication with the outside.
  • the data transmission / reception unit 805 performs data communication with, for example, a reader / writer, outputs ciphertext generated in the IC module, and receives data input from an external device such as a reader / writer.
  • the encryption processing apparatus described in the above-described embodiment is applicable not only to encryption processing for encrypting plaintext as input data, but also to decryption processing for restoring ciphertext as input data to plaintext.
  • the configurations described in the above-described embodiments can be applied to both the encryption process and the decryption process.
  • FIG. 74 is a block diagram illustrating an example of a schematic configuration of the smartphone 900 that executes the cryptographic processing according to the present disclosure.
  • the smartphone 900 includes a processor 901, a memory 902, a storage 903, an external connection interface 904, a camera 906, a sensor 907, a microphone 908, an input device 909, a display device 910, a speaker 911, a wireless communication interface 913, an antenna switch 914, an antenna 915, a bus 917, a battery 918, and an auxiliary controller 919.
  • the processor 901 may be, for example, a CPU (Central Processing Unit) or an SoC (System on Chip), and controls the functions of the application layer and other layers of the smartphone 900 and also controls encryption processing.
  • the memory 902 includes a RAM (Random Access Memory) and a ROM (Read Only Memory), and stores programs and data executed by the processor 901.
  • the memory 902 can be used as a storage area for key data necessary for encryption processing, data to be applied to a conversion table (substitution table) or conversion matrix applied in the encryption processing, and the like.
  • the data storage area is preferably configured as a memory having a tamper resistant structure.
  • the storage 903 can include a storage medium such as a semiconductor memory or a hard disk.
  • the external connection interface 904 is an interface for connecting an external device such as a memory card or a USB (Universal Serial Bus) device to the smartphone 900.
  • the camera 906 includes, for example, an imaging element such as a charge coupled device (CCD) or a complementary metal oxide semiconductor (CMOS), and generates a captured image.
  • the sensor 907 may include a sensor group such as a positioning sensor, a gyro sensor, a geomagnetic sensor, and an acceleration sensor.
  • the microphone 908 converts sound input to the smartphone 900 into an audio signal.
  • An image generated by the camera 906, sensor data acquired by the sensor 907, an audio signal acquired by the microphone 908, and the like may be encrypted by the processor 901 and transmitted to another device via the wireless communication interface 913.
  • the input device 909 includes, for example, a touch sensor that detects a touch on the screen of the display device 910, a keypad, a keyboard, a button, or a switch, and receives an operation or information input from a user.
  • the display device 910 has a screen such as a liquid crystal display (LCD) or an organic light emitting diode (OLED) display, and displays an output image of the smartphone 900.
  • the speaker 911 converts an audio signal output from the smartphone 900 into audio.
  • the wireless communication interface 913 performs wireless communication, and typically includes a baseband processor, an RF (Radio Frequency) circuit, a power amplifier, and the like.
  • the wireless communication interface 913 may be a one-chip module in which a memory that stores a communication control program, a processor that executes the program, and related circuits are integrated.
  • the wireless communication interface 913 may support other types of wireless communication methods such as a short-range wireless communication method, a proximity wireless communication method, or a cellular communication method in addition to the wireless LAN method.
  • the bus 917 connects the processor 901, memory 902, storage 903, external connection interface 904, camera 906, sensor 907, microphone 908, input device 909, display device 910, speaker 911, wireless communication interface 913, and auxiliary controller 919 to each other.
  • the battery 918 supplies power to each block of the smartphone 900 shown in FIG. 74 via a power supply line partially shown by a broken line in the drawing.
  • the auxiliary controller 919 operates the minimum necessary functions of the smartphone 900 in the sleep mode.
  • the encryption processing in the smartphone described in the above-described embodiment is applicable not only to encryption processing for encrypting plaintext as input data, but also to decryption processing for restoring ciphertext as input data to plaintext.
  • the configurations described in the above-described embodiments can be applied to both the encryption process and the decryption process.
  • the IC module 800 shown in FIG. 73 may be mounted on the smartphone 900 shown in FIG. 74, and the encryption processing according to the above-described embodiment may be executed in the IC module 800.
  • the technology disclosed in this specification can take the following configurations.
  • the key schedule part A key register storing a secret key K;
  • the secret key K and the conversion key Kd are configured to be a round key that is output to the encryption processing unit, or round key generation data.
  • a cryptographic processing device in which the conversion function G is a function having the involution property, in which the inverse function G^{-1} is the same function as the function G.
  • Each of the secret key K and the conversion key Kd is a state composed of m × n elements each having 1 or more bits, and the conversion function G is a state element of the secret key K.
  • the conversion function G applies a column spreading operation for performing a linear transformation by applying a matrix for each column element of the state of the secret key K, and a matrix for each row element of the state of the secret key K.
  • Each of the secret key K and the conversion key Kd is a state composed of 4 × 4 elements each having 4 bits, and the conversion function G includes all the state elements of the secret key K.
  • the cryptographic processing device according to any one of (1) to (3), wherein is a function having a full diffusion property that affects all the state elements of the conversion key Kd.
  • the conversion function G includes a column spreading operation that performs linear conversion by applying a Hadamard MDS matrix in units of each column element of the state of the secret key K, and each row element of the state of the secret key K
  • the cryptographic processing apparatus according to (4), wherein the conversion key Kd is generated by executing a row diffusion operation for performing linear conversion by applying a Hadamard MDS (Hadamard MDS) matrix in units.
  • the secret key K is concatenated data of split keys K1 and K2, and the key conversion unit converts the conversion function G applied to each of the split keys K1 and K2.
  • the key conversion unit converts the conversion function G applied to each of the split keys K1 and K2.
  • the cryptographic processing device according to any one of the above.
  • the key schedule part (A) the split keys K1, K2, (B) the conversion keys Kd1, Kd2, (C) a key generated by an exclusive OR operation between the split key K1 and the split key K2. (D) a key generated by an exclusive OR operation between the conversion key Kd1 and the conversion key Kd2.
  • the cryptographic processing device wherein the six types of keys (a) to (d) are used as round keys to be output to the cryptographic processing unit or round key generation data.
  • the cipher processing unit repeats the round operation using the plaintext P as input data, outputs ciphertext C as output data, and uses the ciphertext C as input data to reverse the execution sequence of the round operations.
  • the cryptographic processing apparatus according to any one of (1) to (7), wherein the cryptographic processing apparatus has an involution property that can generate the plaintext P as output data by the set data conversion processing.
  • the key schedule unit has an involution property in which the key supply sequence when the ciphertext C is generated from the plaintext P and the key supply sequence when the plaintext P is generated from the ciphertext C match.
  • the key schedule unit performs a calculation with a constant on a part of the supplied key during the key supply process to the cryptographic processing unit, and outputs key data as a calculation result to the cryptographic processing unit.
  • the cryptographic processing device according to any one of the above.
  • the round operation executed by the cryptographic processing unit is an operation including a linear conversion process by a linear conversion unit, and the linear conversion unit changes the linear conversion mode according to the round transition.
  • the cryptographic processing device according to any one of the above.
  • the round operation includes a non-linear transformation process, and the S box that executes the non-linear transformation process has an involution property in which the input value can be obtained by re-inputting an output value obtained from the input value.
  • the cryptographic processing device according to any one of (1) to (11), wherein
  • (13) a cryptographic processing unit that performs a round operation on input data to generate output data;
  • a key schedule unit that outputs a round key applied in a round operation in the cryptographic processing unit to the cryptographic processing unit;
  • the key schedule part A key register storing a secret key K;
  • a key conversion unit that generates a conversion key Kd by a conversion process in which a conversion function G is applied to the secret key K;
  • the secret key K and the conversion key Kd are configured to be a round key that is output to the encryption processing unit, or round key generation data.
  • Each of the secret key K and the conversion key Kd is a state composed of m × n elements each having 1 bit or more
  • the conversion function G is a cryptographic processing device in which all the state elements of the secret key K have a full diffusion property that affects all the state elements of the conversion key Kd.
  • Each of the secret key K and the conversion key Kd is a state composed of 4 × 4 elements each having 4 bits, and the conversion function G includes a full diffusion 4-bit conversion function and 16 bits.
  • the secret key K is concatenated data of the split keys K1 and K2, and the key conversion unit obtains the conversion key Kd1 by a conversion process using a conversion function G1 for the split key K1.
  • the cryptographic processing device according to any one of (13) to (15), which is a combination of any of (a) to (c) above.
  • a cryptographic processing method executed in the cryptographic processing device includes: An encryption processing unit that performs round operation on input data to generate output data; A key schedule unit that outputs a round key applied in a round operation in the cryptographic processing unit to the cryptographic processing unit;
  • the key schedule part A conversion key Kd is generated by a conversion process in which a conversion function G is applied to the secret key K stored in the key register, A process of setting the secret key K and the conversion key Kd as a round key to be output to the cryptographic processing unit or data for generating a round key;
  • a cryptographic processing method in which the conversion function G is a function having an involution property in which the inverse function G^{-1} is the same function as the function G.
  • a cryptographic processing method executed in the cryptographic processing device includes: An encryption processing unit that performs round operation on input data to generate output data; A key schedule unit that outputs a round key applied in a round operation in the cryptographic processing unit to the cryptographic processing unit;
  • the key schedule part A conversion key Kd is generated by a conversion process in which a conversion function G is applied to the secret key K stored in the key register, A process of setting the secret key K and the conversion key Kd as a round key to be output to the cryptographic processing unit or data for generating a round key;
  • Each of the secret key K and the conversion key Kd is a state composed of m × n elements each having 1 bit or more,
  • the conversion function G is a cryptographic processing method in which all the state elements of the secret key K have a full diffusion property that affects all the state elements of the conversion key Kd.
  • a program for executing cryptographic processing in the cryptographic processing device includes: An encryption processing unit that performs round operation on input data to generate output data; A key schedule unit that outputs a round key applied in a round operation in the cryptographic processing unit to the cryptographic processing unit;
  • the program is stored in the key schedule unit.
  • a program in which the conversion function G is a function having an involution property in which the inverse function G^{-1} is the same function as the function G.
  • a program for executing cryptographic processing in the cryptographic processing device includes: An encryption processing unit that performs round operation on input data to generate output data; A key schedule unit that outputs a round key applied in a round operation in the cryptographic processing unit to the cryptographic processing unit;
  • the program is stored in the key schedule unit.
  • Each of the secret key K and the conversion key Kd is a state composed of m × n elements each having 1 bit or more,
  • the conversion function G is a program in which all the state elements of the secret key K have a full diffusion property that affects all the state elements of the conversion key Kd.
  • the series of processes described in the specification can be executed by hardware, software, or a combined configuration of both.
  • the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and run.
  • the program can be recorded in advance on a recording medium.
  • the program can be received via a network such as a LAN (Local Area Network) or the Internet and installed on a recording medium such as a built-in hard disk.
  • the various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary.
  • the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.
  • a highly secure cryptographic processing configuration with improved resistance to various attacks is realized. The configuration has a cryptographic processing unit that repeats a round operation on input data to generate output data, and a key schedule unit that outputs a round key applied in the round operation in the cryptographic processing unit to the cryptographic processing unit.
  • the key schedule unit includes a key register that stores the secret key K, and a key conversion unit that generates a conversion key Kd by a conversion process in which the conversion function G is applied to the secret key K.
  • the secret key K and the conversion key Kd are used as the round key to be output to the encryption processing unit or as round key generation data.
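The key conversion G (column diffusion MC[M_D] followed by row diffusion MR[M_D]) and the RK1 to RK13 table described above, as an added Python example that is not code from the patent. The Hadamard coefficients (1, 4, 9, 13), the field polynomial x^4 + x + 1, the row-major element order and the sample K1, K2 and CON values are assumptions made for illustration; this part of the page does not give the entries of M_D.

```python
# Added example (not from the patent): involutory, full-diffusion key
# conversion G and the 13-entry round key sequence.
# ASSUMPTIONS: coefficients, field polynomial, element order and all sample
# key / constant values are constructed for illustration only.

FIELD_POLY = 0b10011                # x^4 + x + 1, assumed GF(2^4) modulus
HAD_COEFFS = (0x1, 0x4, 0x9, 0xD)   # assumed: all non-zero, XOR of all = 1


def gf16_mul(a, b):
    """Multiply two 4-bit elements in GF(2^4) modulo FIELD_POLY."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= FIELD_POLY
    return r


def hadamard(c):
    """4x4 Hadamard matrix: entry (i, j) is c[i XOR j]."""
    return [[c[i ^ j] for j in range(4)] for i in range(4)]


# Stand-in for M_D. Any Hadamard matrix over GF(2^n) whose coefficients
# XOR to 1 satisfies M * M = I, which is what makes G an involution.
M_D = hadamard(HAD_COEFFS)


def to_state(x):
    """64-bit integer -> 4x4 state of 4-bit elements (row-major, assumed)."""
    n = [(x >> (60 - 4 * i)) & 0xF for i in range(16)]
    return [n[4 * r:4 * r + 4] for r in range(4)]


def from_state(s):
    x = 0
    for row in s:
        for e in row:
            x = (x << 4) | e
    return x


def mat_vec(m, v):
    out = []
    for i in range(4):
        acc = 0
        for j in range(4):
            acc ^= gf16_mul(m[i][j], v[j])
        out.append(acc)
    return out


def column_diffusion(s):
    """MC[M_D]: apply M_D to each of the four columns."""
    cols = [mat_vec(M_D, [s[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def row_diffusion(s):
    """MR[M_D]: apply M_D to each of the four rows."""
    return [mat_vec(M_D, row) for row in s]


def G(key64):
    """Key conversion: column diffusion, then row diffusion."""
    return from_state(row_diffusion(column_diffusion(to_state(key64))))


def is_full_diffusion():
    """True if changing any one input element changes all 16 output elements."""
    base = 0x0123456789ABCDEF
    ref = G(base)
    for pos in range(16):
        for delta in range(1, 16):
            diff = ref ^ G(base ^ (delta << (4 * pos)))
            if any(e == 0 for row in to_state(diff) for e in row):
                return False
    return True


def round_keys(k1, k2, con):
    """Return (supply sequence before CON, RK1..RK13 after CON).

    RK7 appears once here; the page inputs it twice, around P2."""
    kd1, kd2 = G(k1), G(k2)
    base = [k1, k2, kd1, kd2, k1 ^ k2, kd1 ^ kd2, k1 ^ k2,
            kd1 ^ kd2, k1 ^ k2, kd2, kd1, k2, k1]
    rk = list(base)
    for i in (8, 10, 12):            # CON is applied to RK8, RK10, RK12
        rk[i - 1] ^= con
    return base, rk


# Constructed sample values; CON has no zero element, as the page requires.
SAMPLE_K1 = 0x0123456789ABCDEF
SAMPLE_K2 = 0xFEDCBA9876543210
SAMPLE_CON = 0x13579BDF2468ACE1

if __name__ == "__main__":
    base, rk = round_keys(SAMPLE_K1, SAMPLE_K2, SAMPLE_CON)
    print("involution:", G(G(SAMPLE_K1)) == SAMPLE_K1)
    print("full diffusion:", is_full_diffusion())
    print("supply order is its own reverse:", base == base[::-1])
    for i, k in enumerate(rk, 1):
        print(f"RK{i:<2} = {k:016X}")
```

The supply sequence before the constant is its own reverse, so one key order serves both encryption and decryption; CON on RK8, RK10 and RK12 is the only thing that distinguishes the second half of the sequence from the first.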

Abstract

The present invention realizes a highly secure encryption processing structure that improves resistance to various attacks. The structure comprises: an encryption processing unit that generates output data by repeating a round operation on input data; and a key schedule unit that outputs to the encryption processing unit a round key to be applied in the round operations by the encryption processing unit. The key schedule unit comprises a key register that holds a secret key (K) and a key conversion unit that generates a conversion key (Kd) by a conversion process that applies a conversion function (G) to the secret key (K), and uses the secret key (K) and the conversion key (Kd) as the round key to be output to the encryption processing unit or as data for generating the round key. A function that has an involution property, in which the inverse function (G^{-1}) is the same function as the function (G), and that has a full diffusion property is used as the conversion function (G).
PCT/JP2015/055280 2014-03-28 2015-02-24 Encryption processing device, and encryption processing method and program WO2015146430A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2014-068291 2014-03-28
JP2014068291A JP2015191107A (ja) 2014-03-28 2014-03-28 Cryptographic processing device, cryptographic processing method, and program

Publications (1)

Publication Number Publication Date
WO2015146430A1 true WO2015146430A1 (fr) 2015-10-01

Family

ID=54194964

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/055280 WO2015146430A1 (fr) 2014-03-28 2015-02-24 Encryption processing device, and encryption processing method and program

Country Status (2)

Country Link
JP (1) JP2015191107A (fr)
WO (1) WO2015146430A1 (fr)

Also Published As

Publication number Publication date
JP2015191107A (ja) 2015-11-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15768977

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase
122 Ep: pct application non-entry in european phase

Ref document number: 15768977

Country of ref document: EP

Kind code of ref document: A1