WO2020213114A1 - MAC tag list generation device, MAC tag list verification device, method, and program - Google Patents
- Publication number: WO2020213114A1 (PCT/JP2019/016582)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- matrix
- tag list
- mac
- group test
- test matrix
- Prior art date
- Legal status: Ceased
Classifications
- H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols (H: ELECTRICITY; H04: ELECTRIC COMMUNICATION TECHNIQUE; H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
  - H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    - H04L9/3236: using cryptographic hash functions
      - H04L9/3242: involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
  - H04L9/06: the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    - H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
      - H04L9/0637: Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    - H04L9/065: Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
      - H04L9/0656: Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
        - H04L9/0662: with particular pseudorandom sequence generator
Definitions
- the present invention relates to a MAC tag list generator, a MAC tag list verification device, a MAC tag list generation method, a MAC tag list verification method, and a program.
- A message authentication code (hereinafter simply "message authentication" or "MAC") is a technique that guarantees the validity of a message by attaching a tag that can only be computed by someone who knows the secret key. For example, with message authentication, two parties sharing a secret key can detect tampering by a third party during their communication. Specifically, when the sender sends a message together with a tag, the recipient recomputes the tag from the received message and checks that it matches the received tag; if it does, the recipient can judge that the message was sent by the legitimate sender. This tag is called an "authentication tag" or "MAC tag".
- Bob determines whether the message was sent by Alice by checking that T' matches MAC_K(M'). This check tells whether the received pair (M', T') is the (message, authentication tag) pair originally sent by Alice, that is, whether or not it has been tampered with.
- Non-Patent Document 1: CMAC
- Non-Patent Document 2: HMAC
- An example of this approach is to compute a MAC for each file or each disk sector of the data on a hard disk.
- This approach has the problem that the amount of data to be stored grows greatly, because m tags are generated for m items.
- Non-Patent Document 3 takes the approach of decomposing the message into a plurality of subsequences of different lengths, which are allowed to overlap, and applying a MAC to each subsequence.
- CGT: combinatorial group test
- NCGT: non-adaptive combinatorial group test
- A binary matrix H with t rows and m columns (referred to here as the test matrix) is constructed, and the tests are performed according to H: if the element in the i-th row and j-th column of H is 1, the j-th item is included in the i-th test.
- When it is desired to efficiently identify at most d tampered items among m items, the test matrix should satisfy the d-disjunct property.
- A t-row, m-column binary matrix H is d-disjunct if, for any d columns of H with Boolean sum (bitwise logical OR) X, none of the remaining m - d columns is contained in X.
- Writing I(S) for the set of row indices at which a column S has a 1, this means that I(Y) is not a subset of I(X) for any one column Y chosen from the remaining m - d columns.
- The minimum number of tests t_min(d, m) is known to be O(d^2 log m).
- For d = 1, such a matrix can be constructed from the parity-check matrix of a Hamming code or the like.
- Non-Patent Document 6 [PR08] is known as a method for achieving O(d^2 log m) in general, but its actual efficiency including constants, as opposed to its asymptotic order, is unknown. Further, it is known to be theoretically impossible to construct a non-trivial (that is, other than the identity matrix) d-disjunct matrix when d is large to some extent relative to m.
- Patent Document 1 discloses a tag list generation device for a message authentication code (MAC) that can obtain information not only on the presence or absence of falsification but also on the falsified position.
- This tag list generation device has a message input unit for inputting a message M[1], ..., M[m] composed of m items (m a positive integer), a group test matrix generation unit, and a tag list generation unit. The group test matrix generation unit generates a group test matrix of s rows and m columns that determines the combinatorial group test for the number s (s a positive integer) of message authentication code tags to be generated.
- The tag list generation unit generates, from the message, a tag list consisting of s tags, using the group test matrix, a pseudo-random function with variable-length input and fixed-length output, and a pseudo-random function with fixed-length input and output. It is described that the tag list generation unit performs the tag computation for the m items M[1], ..., M[m] forming the message in parallel while sharing intermediate computation results.
- Patent Document 2 discloses an example of an authenticated encryption device that can efficiently prevent an increase in bandwidth. The same document also discloses a configuration including an initial vector generation means (a fixed-length value generation unit) that generates an n-bit initial vector N (a fixed-length value, or nonce) different from any value generated in the past (see FIG. 1 of Patent Document 2).
- Patent Document 3 discloses an authentication tag generation device that can suppress an increase in the amount of computation for generating an authentication tag.
- This authentication tag generation device computes a hash function for each item of each subsequence of the input message, where the subsequences are determined by a group test matrix representing a combinatorial group test for the message. It then generates the authentication tag of the subsequence from the value obtained by combining the hash values with a combiner. In the combiner, the hash value of an empty subsequence item is treated as the identity element of the combining operation.
- Non-Patent Document 7 proposes that an aggregation node A obtains and transmits a plurality of partial sums of tags according to a d-disjunct matrix.
- Non-Patent Document 8 [BGR95] proposes a MAC function used for tag generation.
- Non-Patent Document 9 introduces a method for constructing a d-disjunct matrix.
- Non-Patent Documents 10 to 12 are examples of Tweakable block ciphers, including modes of operation built on a block cipher such as AES (Advanced Encryption Standard).
- The first object of the present invention is to construct, more efficiently than methods such as Non-Patent Document 3 [GAT05] and Non-Patent Document 4 [Min15], message authentication that can obtain information not only on the presence or absence of falsification but also on the falsified position.
- In Non-Patent Document 3 [GAT05] and Non-Patent Document 4 [Min15], the test matrix used for tag generation is constructed directly from the theory of non-adaptive combinatorial group testing (NCGT).
- Because the test matrix is a d-disjunct matrix, no effective method can be realized for parameters (d, the number of items m and the number of tests t) for which a d-disjunct matrix is difficult to construct.
- An object of the present invention is to provide a MAC tag list generation device, a MAC tag list verification device, a MAC tag list generation method, a MAC tag list verification method, and a program that can contribute to further improving the efficiency of message authentication capable of obtaining information not only on the presence or absence of tampering but also on the tampered position.
- According to a first aspect, there is provided a MAC tag list generation device including: a message input unit that inputs the message M = (M[1], ..., M[m]) of m items M[1], ..., M[m] that are the targets of the message authentication code (MAC), together with the number s (s a positive integer) of MACs to be generated; a group test matrix generation unit; a decodable linear group test MAC application unit; and a MAC tag list output unit that outputs the MAC tag list generated by the application unit.
- The decodable linear group test MAC application unit takes the group test matrix H, a pseudo-random function F with variable-length input and fixed-length output, and a Tweakable block cipher G whose Tweak is a row index of the group test matrix H.
- For each row i of H and each j with H[i][j] = 1, the item M[j] and the index j are input to the pseudo-random function F; the sum of all the resulting outputs of F is taken as the i-th intermediate tag S[i], which is then encrypted with the Tweakable block cipher G using i as the Tweak to obtain the tag T[i].
- According to a second aspect, there is provided a MAC tag list verification device that verifies, using the message authentication code (MAC), a message M = (M[1], ..., M[m]) consisting of m items together with its MAC tag list.
- For each row i of the group test matrix H and all j with H[i][j] = 1, it inputs M[j] and the index j into the pseudo-random function F, sums all the resulting outputs of F, and sets the result as the i-th verification intermediate tag S*[i].
- The intermediate tag list expansion unit uses the intermediate tag list S, the verification intermediate tag list S*, and the test matrix expansion rule R to linearly combine the elements of S and of S* corresponding to each subset of row indices specified by R, and outputs the expanded intermediate tag list exS and the verification expanded intermediate tag list exS*.
- The intermediate tag list verification unit compares the expanded intermediate tag list exS with the verification expanded intermediate tag list exS*, verifies each item in the message M, identifies the falsified positions, and outputs this as the verification result.
- According to a third aspect, there is provided a MAC tag list generation method including: a step of inputting the message M = (M[1], ..., M[m]) of m items that are the targets of the message authentication code (MAC), together with the number s (s a positive integer) of MACs to be generated; a step of generating the MAC tag list T = (T[1], ..., T[t]) by the decodable linear group test MAC application means; and a step of outputting the obtained MAC tag list. This method is tied to a specific machine, namely a computer that outputs a MAC tag list on input of the above message M.
- According to a fourth aspect, there is provided a MAC tag list verification method including: a step of inputting the message M = (M[1], ..., M[m]) of m items to be verified and the MAC tag list T = (T[1], ..., T[t]), which is a list of t MACs; a step of generating the group test matrix H of t rows and m columns and outputting a test matrix expansion rule R whose elements are subsets of the row indices of the binary group test matrix H; a step of obtaining the intermediate tag list S from the elements of the MAC tag list T = (T[1], ..., T[t]) and the verification intermediate tag list S* from the message M; a step of linearly combining the elements of S and of S* corresponding to each subset of row indices specified by the test matrix expansion rule R and outputting the expanded intermediate tag list exS and the verification expanded intermediate tag list exS*; a step of verifying each item of the message M and identifying the tampered positions by comparing exS with exS*, and outputting this as a verification result; and a step of outputting the verification result output by the intermediate tag list verification means. This method is tied to a specific machine, namely a computer that outputs a verification result on input of the above message M and MAC tag list T.
- A computer program for realizing the functions of the MAC tag list generation device and the MAC tag list verification device described above is provided.
- This program can be recorded on a computer-readable (non-transitory) storage medium; that is, the present invention can also be embodied as a computer program product.
- FIG. 1 is a diagram showing the configuration of a MAC tag list generation device according to the first embodiment of the present invention.
- It shows a MAC tag list generation device 10 including a message input unit 101, a group test matrix generation unit 102, a decodable linear group test MAC application unit 103, and a MAC tag list output unit 104.
- the message input unit 101 is a means for inputting the target message M.
- Such a message input unit 101 can be realized by, for example, a communication interface that receives data from a character input device such as a keyboard or from another device.
- The items may differ in length, and items may have the same value.
- each item may be the contents of one sector of the hard disk, one entry of the database, or one character of text information.
- The group test matrix generation unit 102 generates the combinatorial group test used to identify the tampering position. Specifically, it generates a binary matrix H of t rows and m columns according to the number of tests (that is, the number of MACs) t and the maximum number d of tampered items to be identified.
- The construction of this matrix H is arbitrary, but it can be, for example, a GF(2) basis of an existing d-disjunct matrix D.
- That is, H can be a matrix consisting of a maximal set of linearly independent row vectors of the d-disjunct matrix D, or a matrix obtained by applying elementary row operations (sums of rows) to that set.
- Example 2 is a 6-by-4 matrix that is 2-disjunct. Since 6 > 4, it is not suitable as a test matrix on its own: the trivial method of tagging each item separately is superior, because it requires only four tags.
- The GF(2) basis of this matrix is [1 0 0 1], [0 1 0 1], [0 0 1 1]; therefore two tampered items can be identified with three tags.
- With the methods of Non-Patent Document 3 [GAT05], Non-Patent Document 4 [Min15] and Non-Patent Document 7 [HS18], it is impossible to construct a meaningful method in this case.
- A pseudo-random function (PRF) F with variable-length input and fixed-length output and a Tweakable block cipher (TBC) G are used to generate the MAC tags.
- The Tweakable block cipher G uses the row index of the matrix H as its Tweak.
- The pseudo-random function F can be a PRF built from a standard block cipher such as AES or a hash function such as SHA-2, for example CMAC or HMAC (Non-Patent Documents 1 and 2).
- The Tweakable block cipher G can be a mode of operation of a block cipher such as AES (for example, the LRW mode of Non-Patent Document 10 [LRW] or the XEX mode of Non-Patent Document 11 [XEX]), or a specially designed Tweakable block cipher such as SKINNY (for example, Non-Patent Document 12 [SKINNY]).
- The output length of the pseudo-random function F and the block length of the Tweakable block cipher G are assumed to be equal. When they differ, the lengths can be matched by appropriately padding or truncating the output of F or of G. Further, F and G may be different cryptographic primitives using different keys, or may be derived from the same block cipher and the same key using an appropriate key derivation function or block cipher mode of operation.
- FIG. 8 shows which items are included in the MAC tag calculation of the i-th test, as given by the i-th row vector H[i] of the matrix H.
- For each j with H[i][j] = 1, M[j] and j are concatenated and input to F to obtain F(M[j], j).
- The sum of all these values F(M[j], j) (for example, their exclusive OR) is taken, and the result of inputting this sum to G with Tweak i is set as the MAC value T[i] corresponding to the i-th test.
- the MAC tag list output unit 104 outputs the MAC tag list output by the decodable linear group test MAC application unit 103 to a computer display, a printer, or the like.
- the MAC tag list generator 10 as described above can be realized by a CPU, a memory, and a disk. Each processing unit of the MAC tag list generator can be realized by storing a program on a disk and operating this program on a CPU (see FIG. 11).
- the message input unit 101 inputs a message M composed of m target items (step 1 in FIG. 2).
- the group test matrix generation unit 102 generates the group test matrix H, which is a binary matrix of t rows and m columns (step 2 in FIG. 2).
- the decodable linear group test MAC application unit 103 refers to the group test matrix H and generates a MAC tag list T composed of t MAC tags (step 3 in FIG. 2).
- The t MAC tags are generated by applying to M the decodable linear group test MAC using the pseudo-random function F and the Tweakable block cipher G.
- the MAC tag list output unit 104 outputs the obtained MAC tag list T (step 4 in FIG. 2).
- the MAC tag list generator 10 that operates as described above can be summarized as follows. Hereinafter, description will be made with reference to FIG.
- The message input unit 101 inputs a message composed of the m items M[1], ..., M[m] that are the targets of the MAC.
- the group test matrix generation unit 102 generates a binary group test matrix H of t rows and m columns, which is a parameter of the combination group test, for the number s of MACs to be generated.
- the message M and the binary group test matrix H are input to the decodable linear group test MAC application unit 103.
- For each row i of H, the decodable linear group test MAC application unit 103 takes the sum of all the outputs obtained by inputting M[j] and j into the pseudo-random function F for every j with H[i][j] = 1, and sets it as the i-th intermediate tag S[i]. It then encrypts the intermediate tag S[i] with the Tweakable block cipher G using i as the Tweak, and sets the obtained output as the tag T[i].
- the MAC tag list output unit 104 outputs the MAC tag list T obtained by the decodable linear group test MAC application unit.
- FIG. 4 is a block diagram showing a configuration of the MAC tag list verification device of the second embodiment.
- FIG. 4 shows a configuration including a message input unit 201, a group test matrix generation and expansion unit 202, a tag decoding unit 203, a decodable linear group test intermediate tag generation unit 204, an intermediate tag list expansion unit 205, an intermediate tag list verification unit 206, and a verification result output unit 207.
- the message input unit 201 is a means for inputting the target message M and the MAC tag list T output by the MAC tag list generator 10 of the first embodiment.
- Such a message input unit 201 can be realized by a communication interface that receives data from a character input device such as a keyboard or another device, for example.
- the group test matrix generation and expansion unit 202 generates the same matrix H generated by the group test matrix generation unit 102 of the MAC tag list generation device 10 of the first embodiment and the test matrix expansion rule R.
- the test matrix augmented rule R is a rule required to generate a matrix having a larger number of rows based on the matrix H.
- The test matrix expansion rule R consists of v (where v > t) elements, each of which is a subset of the row indices of the matrix H.
- The encryption of a plaintext M with the Tweakable block cipher G using Tweak i is denoted G(i, M), and the decryption of a ciphertext C using Tweak i is denoted G^{-1}(i, C).
- The intermediate tag list expansion unit 205 linearly combines the elements of the verification intermediate tag list S* according to the test matrix expansion rule R to generate the verification expanded intermediate tag list exS*.
- The test matrix expansion rule R has v (v > t) elements R[1], ..., R[v], each R[i] being a subset of {1, ..., t}.
- The intermediate tag list verification unit 206 verifies the message M by comparing the verification expanded intermediate tag list exS* with the expanded intermediate tag list exS, using the group test matrix H and the test matrix expansion rule R. Specifically, it determines whether the message M has been tampered with by comparing exS* with exS, and when it determines that items have been tampered with, it identifies those items and outputs their indexes to the verification result output unit 207.
- exH[k] = XOR_{i ∈ R[k]} H[i]
- (XOR_S denotes the exclusive OR over all elements of the set S.) It is natural to use the group test matrix H itself as tests as well, in which case exH includes H.
- The intermediate tag list verification unit 206 performs the above processing, determines that every item not found to be untampered has been tampered with, and outputs all of their indexes. If there is no tampering, no index is output.
- This procedure corresponds to the process called the naive decoder, with the expanded test matrix exH used as the test matrix.
- If the expanded test matrix exH is d-disjunct, the above procedure identifies all tampered items whenever the number of tampered items is at most d.
- As shown in Non-Patent Document 5 [CJS09], an item determined to be untampered is never actually tampered with. Therefore, even if exH is not d-disjunct for the desired d, the procedure still has the effect of narrowing the range of potentially tampered items.
- the verification result output unit 207 outputs the index information of the tampered item output by the intermediate tag list verification unit 206 to a computer display, a printer, or the like.
- the MAC tag list verification device 20 as described above can be realized by a CPU, a memory, and a disk.
- Each processing unit of the MAC tag list verification device can be realized by storing a program on a disk and running this program on a CPU (see FIG. 11).
- the message input unit 201 inputs a message M composed of m target items and a MAC tag list T (step 101 in FIG. 5).
- the group test matrix generation and expansion unit 202 generates a group test matrix H and a test matrix expansion rule R, which are binary matrices of t rows and m columns (step 102 in FIG. 5).
- The decodable linear group test intermediate tag generation unit 204 refers to the group test matrix H and, using the pseudo-random function F on the message M, generates the intermediate tags of the linear group test MAC as the verification intermediate tag list S* = (S*[1], ..., S*[t]) (step 104 in FIG. 5).
- The intermediate tag list expansion unit 205 expands both the intermediate tag list S and the verification intermediate tag list S* by linearly combining their elements according to the test matrix expansion rule R, generating the expanded intermediate tag list exS and the verification expanded intermediate tag list exS*, respectively (step 105 in FIG. 5).
- The intermediate tag list verification unit 206 compares each element of the expanded intermediate tag list exS with the corresponding element of the verification expanded intermediate tag list exS* and, using the expanded test matrix exH obtained by expanding the rows of the test matrix H according to the expansion rule R, outputs the index set of the tampered items in the message M (step 106 in FIG. 5).
- the verification result output unit 207 outputs the index set of the falsified items detected by the intermediate tag list verification unit 206 as the verification result (step 107 in FIG. 5).
- the MAC tag list verification device 20 that operates as described above can be summarized as follows. Hereinafter, description will be made with reference to FIG.
- The group test matrix generation and expansion unit 202 generates a binary group test matrix H of t rows and m columns. It also outputs a test matrix expansion rule R composed of v (where v > t) elements R[i], each of which is a subset of the row indices of the group test matrix H.
- The intermediate tag list expansion unit 205 uses the intermediate tag list S, the verification intermediate tag list S*, and the test matrix expansion rule R to linearly combine the elements of S and of S* corresponding to each subset of row indices specified by R, and outputs the expanded intermediate tag list exS and the verification expanded intermediate tag list exS*.
- The intermediate tag list verification unit 206 compares the expanded intermediate tag list exS with the verification expanded intermediate tag list exS*, verifies each item in the message M, identifies the tampering positions, and outputs the verification result.
- the verification result output unit 207 outputs the verification result output from the intermediate tag list verification unit 206.
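The generation procedure (steps 1 to 4) and the verification procedure (steps 101 to 107) described above, as an added Python example that is not part of the patent: F is a stand-in PRF built from HMAC-SHA256 and G a stand-in tweakable block cipher built as a four-round Feistel network with an HMAC round function keyed by the tweak (both are assumptions, not the CMAC, LRW, XEX or SKINNY constructions the text cites), the decoder is the naive decoder over exH, and H and R are the Example 2 values, applied to constructed sample items and keys.

```python
import hashlib
import hmac
from typing import List, Sequence, Set

BLOCK = 16   # output length of F = block length of G (128 bits), as the text assumes
ROUNDS = 4   # Feistel rounds of the stand-in tweakable block cipher G
KEY_F = b"constructed-key-for-F"   # constructed sample keys, one per primitive
KEY_G = b"constructed-key-for-G"

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prf_F(key: bytes, item: bytes, j: int) -> bytes:
    """F(M[j], j): stand-in PRF with variable-length input and fixed-length output."""
    return hmac.new(key, j.to_bytes(4, "big") + item, hashlib.sha256).digest()[:BLOCK]

def _round(key: bytes, tweak: int, r: int, half: bytes) -> bytes:
    # Round function of the stand-in TBC: keyed by the key, the public tweak and the round index.
    data = b"G" + tweak.to_bytes(4, "big") + bytes([r]) + half
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK // 2]

def tbc_encrypt(key: bytes, tweak: int, block: bytes) -> bytes:
    """G(i, S): encrypt one block with the row index i as tweak (Feistel stand-in)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _round(key, tweak, r, right))
    return left + right

def tbc_decrypt(key: bytes, tweak: int, block: bytes) -> bytes:
    """G^-1(i, T): exact inverse of tbc_encrypt under the same key and tweak."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _round(key, tweak, r, left)), left
    return left + right

def intermediate_tags(key: bytes, H: Sequence[Sequence[int]], M: Sequence[bytes]) -> List[bytes]:
    """S[i] = XOR of F(M[j], j) over all j with H[i][j] = 1 (items numbered from 1 as in the text)."""
    S = []
    for row in H:
        acc = bytes(BLOCK)
        for j, bit in enumerate(row):
            if bit:
                acc = xor(acc, prf_F(key, M[j], j + 1))
        S.append(acc)
    return S

def generate_tag_list(key_f: bytes, key_g: bytes, H, M) -> List[bytes]:
    """Generation device: T[i] = G(i, S[i]) for each row i of H (tweak = row index)."""
    return [tbc_encrypt(key_g, i + 1, s) for i, s in enumerate(intermediate_tags(key_f, H, M))]

def expand_tags(S: Sequence[bytes], R: Sequence[Set[int]]) -> List[bytes]:
    """exS[k] = XOR of S[i] over i in R[k] (row indices are 0-based here)."""
    out = []
    for subset in R:
        acc = bytes(BLOCK)
        for i in subset:
            acc = xor(acc, S[i])
        out.append(acc)
    return out

def expand_matrix(H: Sequence[Sequence[int]], R: Sequence[Set[int]]) -> List[List[int]]:
    """exH[k] = GF(2) sum of the rows H[i], i in R[k]: the items that exS[k] actually tests."""
    out = []
    for subset in R:
        row = [0] * len(H[0])
        for i in subset:
            row = [a ^ b for a, b in zip(row, H[i])]
        out.append(row)
    return out

def verify_tag_list(key_f: bytes, key_g: bytes, H, R, M, T) -> List[int]:
    """Verification device with the naive decoder: every item covered by a passing
    expanded test is clean; everything else is reported (0-based) as tampered."""
    S = [tbc_decrypt(key_g, i + 1, t) for i, t in enumerate(T)]   # tag decoding unit
    S_star = intermediate_tags(key_f, H, M)                       # verification intermediate tags
    exS, exS_star = expand_tags(S, R), expand_tags(S_star, R)
    exH = expand_matrix(H, R)
    cleared: Set[int] = set()
    for k, (a, b) in enumerate(zip(exS, exS_star)):
        if hmac.compare_digest(a, b):
            cleared.update(j for j, bit in enumerate(exH[k]) if bit)
    return sorted(set(range(len(M))) - cleared)

# Example 2 of the text: H is the GF(2) basis, R adds the three pairwise row sums so that
# exH (6 x 4) is 2-disjunct; R_PLAIN uses the three rows of H only, for comparison.
H_EX2 = [[1, 0, 0, 1], [0, 1, 0, 1], [0, 0, 1, 1]]
R_EX2 = [{0}, {1}, {2}, {0, 1}, {0, 2}, {1, 2}]
R_PLAIN = [{0}, {1}, {2}]

def demo():
    M = [b"sector-0", b"sector-1", b"sector-2", b"sector-3"]   # constructed sample items
    T = generate_tag_list(KEY_F, KEY_G, H_EX2, M)
    bad = list(M)
    bad[0], bad[3] = b"sector-0?", b"sector-3?"                  # tamper with items 1 and 4
    return (verify_tag_list(KEY_F, KEY_G, H_EX2, R_EX2, M, T),      # clean message: []
            verify_tag_list(KEY_F, KEY_G, H_EX2, R_PLAIN, bad, T),  # H only: every row fails
            verify_tag_list(KEY_F, KEY_G, H_EX2, R_EX2, bad, T))    # with exH: exact positions
```

With the three rows of H alone every test contains item 1 or item 4, so the decoder can only report all four items; the added row [0 1 1 0] of exH passes and clears items 2 and 3, which is the narrowing effect the text describes.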
- Compared with methods such as Non-Patent Document 3 [GAT05] and Non-Patent Document 4 [Min15], the effect is that the number of tags can be reduced.
- This is because linear combinations of tags are also used for tampering identification. In the prior art (Non-Patent Document 3 [GAT05] and Non-Patent Document 4 [Min15]), a tag is the output of a pseudo-random function applied to the input message, so a linear combination of tags provides no useful information.
- In the present invention, the intermediate tag is encrypted with a decryptable Tweakable block cipher to produce the tag, so the intermediate tag obtained by decrypting the tag retains linearity; this makes it possible to use a sum of intermediate tags as a new test.
- The Tweakable block cipher is defined in Non-Patent Document 10 [LRW].
- In addition to the inputs and outputs of an ordinary block cipher (plaintext M, key K, ciphertext C), a Tweakable block cipher takes additional information called the Tweak. Encryption and decryption are determined by specifying the pair of key and Tweak. Unlike the key, the Tweak is a public value.
- The test matrix expansion rule R indicates which tags are to be summed, and is a set whose elements are subsets of the row indices of the group test matrix H. In the above example, the set {1, 2} is an element of the test matrix expansion rule R.
- The number of rows of H_b is the number of linearly independent rows of the original group test matrix H (that is, the rank of the matrix), which at worst equals the original number of rows, so a reduction of the number of rows (that is, of the number of elements in the tag list to be sent) can be expected.
- It is equivalent to the methods of Non-Patent Document 3 [GAT05], Non-Patent Document 4 [Min15], and the like.
- Non-Patent Document 8 [BGR95] is a proposal for a single MAC function, and does not describe the use of a group test or the identification of a falsified item.
- The first configuration generates the MAC tag list from the message M stored in large-scale storage (Large Storage (DB)) by the decodable linear group test MAC application unit (Linear Database tagging); this corresponds to the MAC tag list generation device 10 of the first embodiment.
- In the second configuration, a verification intermediate tag list S* is created by the decodable linear group test intermediate tag generation unit (Linear Deterministic CGTMAC intermediate tagging), and the intermediate tag list S and the verification intermediate tag list S* are each expanded using the test matrix expansion rule R into the expanded intermediate tag list exS and the verification expanded intermediate tag list exS*, from which the presence or absence and the location of tampering are identified; this corresponds to the MAC tag list verification device 20 of the second embodiment.
- the Macula matrix for parameters (n, k, d) is a C(n, d) × C(n, k) matrix (C denoting the binomial coefficient) whose rows and columns are indexed, in a suitable order, by the d-element subsets and the k-element subsets of an n-element set.
- for a row indexed by a d-element subset D and a column indexed by a k-element subset K, the (D, K) entry of the matrix is 1 if D is contained in K, and 0 otherwise.
- according to Non-Patent Document 9, the Macula matrix is d-disjunct.
- This GF (2) basis is the test matrix H.
- the GF (2) basis is generally not unique.
- the expansion test matrix exH, the test matrix H, and the expansion rule R for [Example 2] are as follows, with rows indexed in order.
Expansion test matrix exH:
[1 0 0 1]
[0 1 0 1]
[0 0 1 1]
[1 1 0 0]
[1 0 1 0]
[0 1 1 0]
Test matrix H:
[1 0 0 1]
[0 1 0 1]
[0 0 1 1]
Expansion rule R: since the expansion rule R expresses each row of exH as a sum of rows of the test matrix H, it is determined as follows.
- by using a GF(2) basis as in [Example 2], it is possible to construct a test matrix with fewer rows than columns.
- the third embodiment is summarized as follows.
- the group test matrix generation unit 102 of the MAC tag list generation device 10 and the group test matrix generation and expansion unit 202 of the MAC tag list verification device 20 described above generate the group test matrix H defined below.
- the group test matrix H is obtained from the binary matrix with C(n, d) rows and C(n, k) columns whose rows and columns are indexed, in a suitable order, by the d-element subsets D and the k-element subsets K of an n-element set,
- where the (D, K) entry is 1 if D is contained in K and 0 otherwise; H consists of a basis over the finite field GF(2) of the rows of this matrix.
- modHad(r) is obtained from the Hadamard matrix Had(r) by deleting its first row and first column and then replacing every -1 among the entries (which consist of 1 and -1) with 0.
- the group test matrix H may be chosen as a submatrix (in general, one of several possible submatrices) that forms a basis of modHad(r), and the test matrix augmented rule R is chosen so that row sums of this submatrix reproduce modHad(r). In this case t becomes r + 1.
- the group test matrix H is one of the bases, namely
[0 1 0 1 0 1 0]
[1 0 0 1 1 0 0]
[0 0 1 1 0 0 1]
[1 1 1 0 0 0 0]
and the corresponding test matrix augmented rule R is ({1}, {2}, {3}, {4}, {2,3,4}, {1,3,4}, {1,2,4}).
- in this way, tampering of up to 2 items can be identified with approximately log m tests, which is a significant efficiency improvement over using the 2-disjunct matrix itself as the group test matrix H.
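The tagging, tag decryption and rule-R expansion described above, run on the modHad(8) matrix of the third embodiment, as an added worked example that is not code from the patent: a truncated HMAC stands in for the pseudo-random function and an XOR with a tweak-keyed mask stands in for the decryptable tweakable block cipher (both assumptions, not the patent's primitives); the function names, key and 7-item message are constructed for the example.

```python
from functools import reduce
import hashlib
import hmac
TAGLEN = 16  # tag size in bytes (constructed for the example)

def mod_had(n):
    """modHad(n): Sylvester Hadamard of order n with first row/column removed and -1 -> 0."""
    return [[(bin(a & b).count("1") + 1) % 2 for b in range(1, n)] for a in range(1, n)]

def gf2_basis_and_rule(ex_h):
    """Choose a GF(2) basis H among the rows of ex_h and derive the expansion rule R:
    R[k] is the set of 1-based H row indices whose XOR equals row k of ex_h."""
    table, H, R = {}, [], []  # table: pivot bit -> (reduced vector, H indices it equals)
    for row in ex_h:
        v, combo = int("".join(map(str, row)), 2), set()
        while v:
            p = v.bit_length() - 1
            if p not in table:  # new pivot: this row joins the basis
                H.append(row)
                table[p] = (v, combo | {len(H)})
                combo = {len(H)}
                break
            v ^= table[p][0]
            combo ^= table[p][1]  # symmetric difference = index sum mod 2
        R.append(frozenset(combo))
    return H, R

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def prf(key, j, item):  # F(K, j, M_j): toy PRF (truncated HMAC-SHA256), an assumption
    return hmac.new(key, j.to_bytes(4, "big") + item, hashlib.sha256).digest()[:TAGLEN]

def te_mask(key, tweak):  # toy decryptable tweakable cipher: XOR with a tweak-keyed mask
    return hmac.new(key, b"TE" + tweak.to_bytes(4, "big"), hashlib.sha256).digest()[:TAGLEN]

def intermediate_tags(key, H, msg):
    """S_i = XOR of F(K, j, M_j) over the items j selected by row i of H (linear in the PRF outputs)."""
    f = [prf(key, j, m) for j, m in enumerate(msg)]
    return [reduce(xor, [f[j] for j, bit in enumerate(row) if bit], bytes(TAGLEN)) for row in H]

def tag_list(key, H, msg):  # T_i = TE(K, i, S_i): one tag per basis row, so rank(exH) tags are sent
    return [xor(s, te_mask(key, i)) for i, s in enumerate(intermediate_tags(key, H, msg))]

def expand(S, R):  # expanded test k is the XOR of the intermediate tags listed in R[k]
    return [reduce(xor, [S[i - 1] for i in idxs], bytes(TAGLEN)) for idxs in R]

def verify(key, ex_h, msg, tags):
    """Return the set of item indices flagged as tampered (empty set means the list is accepted)."""
    H, R = gf2_basis_and_rule(ex_h)
    s_star = [xor(t, te_mask(key, i)) for i, t in enumerate(tags)]  # decrypt the received tags
    ex_star = expand(s_star, R)                                      # verification list exS*
    ex_s = expand(intermediate_tags(key, H, msg), R)                 # exS recomputed from msg
    passed = [k for k in range(len(ex_h)) if hmac.compare_digest(ex_s[k], ex_star[k])]
    clean = {j for k in passed for j, bit in enumerate(ex_h[k]) if bit}
    return set(range(len(msg))) - clean  # non-adaptive group-test decoding

def demo():
    key = b"constructed-demo-key"
    ex_h = mod_had(8)                             # 7 x 7 and 2-disjunct (third embodiment)
    H, R = gf2_basis_and_rule(ex_h)               # 4 x 7 basis H and the rule R
    msg = [b"item-%d" % j for j in range(7)]      # constructed 7-item message
    tags = tag_list(key, H, msg)
    forged = list(msg); forged[2] = b"X"; forged[5] = b"Y"
    return len(tags), R, verify(key, ex_h, msg, tags), verify(key, ex_h, forged, tags)
```

`demo()` sends 4 tags instead of 7, accepts the untouched message, and flags exactly items 2 and 5 of the forged one.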
- the fourth embodiment is summarized as follows.
- the group test matrix generation unit 102 of the MAC tag list generation device 10 and the group test matrix generation and expansion unit 202 of the MAC tag list verification device 20 described above generate the group test matrix H defined below.
- the group test matrix H in the fifth embodiment is a submatrix consisting of t linearly independent row vectors of a square matrix P having 2^(2s) + 2^s + 1 rows and columns, for a positive integer s.
- the square matrix P is the incidence matrix determined by all points and lines of the two-dimensional projective space over the finite field GF(2^s), and the test vectors generated by the test matrix expansion rule R are all the row vectors of the square matrix P.
- each row of the square matrix P corresponds to one of the 2^(2s) + 2^s + 1 points of the two-dimensional projective space over GF(2^s), and each column of P corresponds to one of its 2^(2s) + 2^s + 1 lines.
- the (i, j) component of P is 1 only when the j-th line passes through the i-th point of the two-dimensional projective space, and 0 otherwise.
- the square matrix P is (2^s)-disjunct, so by taking the full set of test vectors generated by the test matrix augmented rule R to be all the row vectors of P, up to 2^s tampering positions can be identified.
- (for s = 1, where P is 7 × 7) the four row vectors in the first to fourth rows of P are linearly independent; if the 4 × 7 matrix consisting of these four row vectors is taken as the group test matrix H and the test matrix generated by the test matrix augmented rule R is P, then, since P is 2-disjunct, two or fewer tampering positions can be identified.
- in the table, the second column gives the number of rows (equal to the number of columns) of P, and the rank and threshold columns give the rank of P and its disjunct parameter, respectively. That is, for rank x and threshold y, the group test matrix H has x rows, and the matrix obtained by expanding H with the test matrix expansion rule R (that is, H^R) is y-disjunct.
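The projective-plane incidence matrix P of the fifth embodiment, built for PG(2, 2^s) and checked for its GF(2) rank (the number t of tags sent) and its (2^s)-disjunct property, as an added example that is not the patent's code; the irreducible polynomials, the normalised-triple indexing and the function names are choices made here.

```python
from itertools import combinations

# Irreducible polynomials for GF(2^s), s = 1, 2 (constructed choices for this example)
IRREDUCIBLE = {1: 0b10, 2: 0b111}

def gf_mul(a, b, s, poly):
    """Multiply two elements of GF(2^s) (ints < 2^s) modulo the irreducible polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> s:
            a ^= poly
    return r

def pg_points(s):
    """The 2^(2s) + 2^s + 1 points of PG(2, 2^s) as normalised triples (first nonzero coordinate 1)."""
    q = 1 << s
    return [(1, y, z) for y in range(q) for z in range(q)] + [(0, 1, z) for z in range(q)] + [(0, 0, 1)]

def incidence_matrix(s, poly):
    """P[i][j] = 1 iff point i lies on line j; by duality the lines are indexed by the same
    normalised triples (a, b, c), line j being the set of points with a*x + b*y + c*z = 0."""
    pts = pg_points(s)
    return [[int((gf_mul(a, x, s, poly) ^ gf_mul(b, y, s, poly) ^ gf_mul(c, z, s, poly)) == 0)
             for (a, b, c) in pts] for (x, y, z) in pts]

def is_disjunct(M, d):
    """True iff no column of the binary matrix M is covered by the union of d other columns."""
    cols = [sum(M[i][j] << i for i in range(len(M))) for j in range(len(M[0]))]
    for j, cj in enumerate(cols):
        for others in combinations(cols[:j] + cols[j + 1:], d):
            union = 0
            for c in others:
                union |= c
            if (cj & ~union) == 0:
                return False
    return True

def gf2_rank(M):
    """Rank of M over GF(2): the number t of rows of H, i.e. of tags actually sent."""
    pivots = {}
    for row in M:
        v = int("".join(map(str, row)), 2)
        while v and (v.bit_length() - 1) in pivots:
            v ^= pivots[v.bit_length() - 1]
        if v:
            pivots[v.bit_length() - 1] = v
    return len(pivots)

def summarize(s):
    """(size of P, rank t, is P (2^s)-disjunct?, is P (2^s + 1)-disjunct?) for PG(2, 2^s)."""
    P = incidence_matrix(s, IRREDUCIBLE[s])
    return len(P), gf2_rank(P), is_disjunct(P, 1 << s), is_disjunct(P, (1 << s) + 1)
```

For s = 1 this reproduces the 7 × 7 matrix with four independent rows from the text; the brute-force disjunctness check is exponential in d and is meant only for these small parameters.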
- the fifth embodiment is summarized as follows.
- the group test matrix generation unit 102 of the MAC tag list generation device 10 and the group test matrix generation and expansion unit 202 of the MAC tag list verification device 20 described above generate the group test matrix H defined below.
- the group test matrix H is a submatrix consisting of t linearly independent row vectors of a square matrix P having 2^(2s) + 2^s + 1 rows and columns for a positive integer s, and the square matrix P is
- the group test matrix H in the sixth embodiment is a submatrix consisting of t linearly independent row vectors of the matrix A_r, which has r·(2^s - 1) + 1 rows and 2^(2s) - 1 + r columns, for a positive integer s and an integer r with 3 ≤ r ≤ 2^s + 1. The matrix A_r is the incidence matrix determined by the r·(2^s - 1) + 1 points lying on r predetermined lines through the origin of the two-dimensional affine space over the finite field GF(2^s) and by the 2^(2s) - 1 + r lines passing through any of those points, and the test vectors generated by the test matrix expansion rule R are all the row vectors of the matrix A_r.
- the (i, j) component of A_r is 1 only when the i-th point of the set of r·(2^s - 1) + 1 points in the two-dimensional affine space lies on the j-th line of the set of 2^(2s) - 1 + r lines, and 0 otherwise.
- the number t of linearly independent row vectors of the matrix A_r is given by the following equation [Equation 2].
- the t × (2^(2s) - 1 + r) matrix consisting of t linearly independent row vectors of the matrix A_r is the group test matrix H.
- the matrix A_r is (r - 2)-disjunct, so by taking the full set of test vectors generated by the test matrix augmented rule R to be all the row vectors of A_r, up to r - 2 tampering positions can be identified.
- the eight row vectors in the first to eighth rows of A_3 are linearly independent; if the 8 × 18 matrix consisting of these eight row vectors is taken as the group test matrix H and the test matrix generated by the test matrix augmented rule R is A_3, then, since A_3 is 1-disjunct, one tampering position can be identified in this embodiment.
- in the table, the second and third columns give the numbers of rows and columns of A_r, and the rank and threshold columns give the rank of A_r and its disjunct parameter, respectively. That is, for rank x and threshold y, the group test matrix H has x rows, and the matrix obtained by expanding H with the test matrix expansion rule R into A_r (that is, H^R) is y-disjunct.
- the sixth embodiment is summarized as follows.
- the group test matrix generation unit 102 of the MAC tag list generation device 10 and the group test matrix generation and expansion unit 202 of the MAC tag list verification device 20 described above generate the group test matrix H defined below.
- the group test matrix H is a submatrix consisting of t linearly independent row vectors of the matrix A_r, which has r·(2^s - 1) + 1 rows and 2^(2s) - 1 + r columns for a positive integer s and an integer r with 3 ≤ r ≤ 2^s + 1; the matrix A_r is the incidence matrix determined by the r·(2^s - 1) + 1 points lying on r predetermined lines through the origin of the two-dimensional affine space over the finite field GF(2^s) and by the 2^(2s) - 1 + r lines passing through any of those points, and the test vectors generated by the test matrix expansion rule R are all the row vectors of the matrix A_r.
- the MAC tag list generation device 10 and the MAC tag list verification device 20 can be realized by a program that causes a computer (9000 in FIG. 11), serving as a constituent device of these devices, to perform their functions.
- FIG. 11 exemplifies a computer comprising a CPU (Central Processing Unit) 9010, a communication interface 9020, a memory 9030, and an auxiliary storage device 9040. That is, the CPU 9010 in FIG. 11 may execute a tag list calculation program or a tag list verification program and update each calculation parameter held in the auxiliary storage device 9040 or the like.
- the group test matrix H may include a row in which all the elements are 1.
- when the group test matrix H contains a row whose elements are all 1, not only is the purpose of identifying the tampering location served, but security as a MAC against an attacker mounting a chosen-plaintext attack is also guaranteed.
- a configuration in which the group test matrix generation unit 102 or the group test matrix generation and expansion unit 202 generates a group test matrix H having such a row can also be adopted.
- each part (processing means, function) of each device shown in the first to sixth embodiments described above can be realized by a computer program that causes the processor mounted on that device to execute the corresponding process using its hardware.
- the group test matrix H is a submatrix consisting of t linearly independent row vectors of a square matrix P having 2^(2s) + 2^s + 1 rows and columns for a positive integer s.
- the square matrix P is the incidence matrix determined by the points and lines of the two-dimensional projective space over the finite field GF(2^s).
- the test vectors generated by the test matrix augmented rule R may be all the row vectors of the square matrix P.
- the group test matrix H is a submatrix consisting of t linearly independent row vectors of the matrix A_r, which has r·(2^s - 1) + 1 rows and 2^(2s) - 1 + r columns for a positive integer s and an integer r with 3 ≤ r ≤ 2^s + 1.
- the matrix A_r is the incidence matrix determined by the r·(2^s - 1) + 1 points on r predetermined lines through the origin of the two-dimensional affine space over the finite field GF(2^s) and by the 2^(2s) - 1 + r lines passing through any of those points.
- the test vectors generated by the test matrix augmented rule R may be all the row vectors of the matrix A_r.
- [Sixth form] (Refer to the MAC tag list verification device from the second viewpoint above)
- [7th form] (Refer to the MAC tag list generation method from the third viewpoint above)
- [8th form] (Refer to the MAC tag list verification method from the fourth viewpoint above)
- [9th form] (Refer to the computer program from the fifth viewpoint above)
- the sixth to ninth forms can be developed into the second to fifth forms in the same manner as the first form.
- the present invention can be applied to wireless or wired data communication, or for applications such as database, file system, virus scanning, and tampering detection and tampering location identification in version control systems.
- Reference signs: 10 MAC tag list generation device; 20 MAC tag list verification device; 101 message input unit; 102 group test matrix generation unit; 103 decryptable linear group test MAC application unit; 104 MAC tag list output unit; 201 message input unit; 202 group test matrix generation and expansion unit; 203 tag decryption unit; 204 decryptable linear group test intermediate tag generation unit; 205 intermediate tag list expansion unit; 206 intermediate tag list verification unit; 207 verification result output unit; 9000 computer; 9010 CPU; 9020 communication interface; 9030 memory; 9040 auxiliary storage device
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US17/601,136 US11824993B2 (en) | 2019-04-18 | 2019-04-18 | MAC tag list generation apparatus, MAC tag list verification apparatus, method, and program |
| PCT/JP2019/016582 WO2020213114A1 (ja) | 2019-04-18 | 2019-04-18 | Macタグリスト生成装置、macタグリスト検証装置、方法及びプログラム |
| JP2021514734A JP7347501B2 (ja) | 2019-04-18 | 2019-04-18 | Macタグリスト生成装置、macタグリスト検証装置、方法及びプログラム |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2019/016582 WO2020213114A1 (ja) | 2019-04-18 | 2019-04-18 | Macタグリスト生成装置、macタグリスト検証装置、方法及びプログラム |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2020213114A1 true WO2020213114A1 (ja) | 2020-10-22 |
Family
ID=72837146
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2019/016582 Ceased WO2020213114A1 (ja) | 2019-04-18 | 2019-04-18 | Macタグリスト生成装置、macタグリスト検証装置、方法及びプログラム |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US11824993B2 |
| JP (1) | JP7347501B2 |
| WO (1) | WO2020213114A1 |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2023162151A1 (ja) * | 2022-02-25 | 2023-08-31 | 日本電気株式会社 | データ保管装置、データ保管方法及び、プログラム |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11824993B2 (en) * | 2019-04-18 | 2023-11-21 | Nec Corporation | MAC tag list generation apparatus, MAC tag list verification apparatus, method, and program |
| CN117097559B (zh) * | 2023-10-17 | 2023-12-19 | 天津德科智控股份有限公司 | Eps转向角度报文传输验证方法 |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2016063512A1 (ja) * | 2014-10-23 | 2016-04-28 | 日本電気株式会社 | Macタグリスト生成装置、macタグリスト検証装置、macタグリスト生成方法、macタグリスト検証方法およびプログラム記録媒体 |
| JP2017073716A (ja) * | 2015-10-09 | 2017-04-13 | 日本電気株式会社 | タグリスト生成装置、タグリスト検証装置、タグリスト更新装置、タグリスト生成方法及びプログラム |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7200227B2 (en) * | 2001-07-30 | 2007-04-03 | Phillip Rogaway | Method and apparatus for facilitating efficient authenticated encryption |
| US8577032B2 (en) * | 2007-08-06 | 2013-11-05 | Nec Corporation | Common key block encryption device, common key block encryption method, and program |
| JPWO2016067524A1 (ja) | 2014-10-30 | 2017-08-10 | 日本電気株式会社 | 認証付暗号化装置、認証付復号装置、認証付暗号システム、認証付暗号化方法、プログラム |
| WO2017056150A1 (ja) | 2015-09-28 | 2017-04-06 | 三菱電機株式会社 | メッセージ認証子生成装置、メッセージ認証子生成方法及びメッセージ認証子生成プログラム |
| US9794062B2 (en) * | 2015-10-08 | 2017-10-17 | The Boeing Company | Scrambled tweak mode of blockciphers for differential power analysis resistant encryption |
| JP6632959B2 (ja) | 2016-12-02 | 2020-01-22 | Kddi株式会社 | 検証システム、検証方法及び検証プログラム |
| JP6844696B2 (ja) | 2017-04-17 | 2021-03-17 | 日本電気株式会社 | 認証タグ生成装置、認証タグ検証装置、方法及びプログラム |
| US11824993B2 (en) * | 2019-04-18 | 2023-11-21 | Nec Corporation | MAC tag list generation apparatus, MAC tag list verification apparatus, method, and program |
2019
- 2019-04-18 US US17/601,136 patent/US11824993B2/en active Active
- 2019-04-18 WO PCT/JP2019/016582 patent/WO2020213114A1/ja not_active Ceased
- 2019-04-18 JP JP2021514734A patent/JP7347501B2/ja active Active
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2023162151A1 (ja) * | 2022-02-25 | 2023-08-31 | 日本電気株式会社 | データ保管装置、データ保管方法及び、プログラム |
| JPWO2023162151A1 | 2022-02-25 | 2023-08-31 | | |
Also Published As
| Publication number | Publication date |
|---|---|
| JPWO2020213114A1 | 2020-10-22 |
| US20220173909A1 (en) | 2022-06-02 |
| US11824993B2 (en) | 2023-11-21 |
| JP7347501B2 (ja) | 2023-09-20 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19925036; Country of ref document: EP; Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2021514734; Country of ref document: JP; Kind code of ref document: A |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 19925036; Country of ref document: EP; Kind code of ref document: A1 |