WO2021214923A1 - Authentication encryption device, authentication decryption device, authentication encryption system, method, and computer-readable medium - Google Patents

Info

Publication number: WO2021214923A1
Authority: WO (WIPO, PCT)
Prior art keywords: nonce, authentication, encryption, plaintext, tag
Legal status: Ceased
Application number: PCT/JP2020/017422
Other languages: English (en), French (fr), Japanese (ja)
Inventors: 一彦 峯松, 明子 向井, 尚文 本間, 嶺 上野
Current assignee: NEC Corp
Original assignee: NEC Corp
Application filed by: NEC Corp
Related applications: JP2022516562A (granted as JP7367860B2), PCT/JP2020/017422 (published as WO2021214923A1), US17/918,643 (published as US20230139104A1)

Classifications

    • CPC section H04L: Transmission of digital information, e.g. telegraphic communication; H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/06: the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0637: Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234: involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3236: using cryptographic hash functions
    • H04L9/3239: involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3242: involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • CPC section G09C: Ciphering or deciphering apparatus for cryptographic or other purposes involving the need for secrecy; G09C1/00: Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system

Definitions

  • the present invention relates to an authentication encryption device, an authentication decryption device, an authentication encryption system, a method, and a computer-readable medium.
  • Authenticated Encryption: a technology called Authenticated Encryption (AE) is known, which uses a secret key shared in advance to apply, to a plaintext message, both encryption and the computation of an authentication tag for tampering detection at the same time.
  • AE Authenticated Encryption
  • the authenticated encryption AE uses a secret key shared in advance to apply both encryption and the computation of an authentication tag for tampering detection to a plaintext message at the same time.
  • OCB Offset Code Book
  • Tweak auxiliary variable
  • a tag is generated by applying the same processing as the above encryption to the exclusive OR of the blocks obtained by dividing the plaintext.
  • Non-Patent Document 3 discloses a method relating to OCB2f, which is a modified version of the OCB described in Non-Patent Document 2.
  • Non-Patent Document 4 discloses ΘCB3 (hereinafter referred to as ThetaCB3), a method that abstracts OCB by using a Tweakable block cipher (TBC), an extension of a block cipher, as its primitive.
  • Non-Patent Documents cited: NIST Special Publication 800-38D, "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
  • Phillip Rogaway, "Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC", ASIACRYPT 2004, http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf
  • Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu, Bertram Poettering, "Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality", IACR Cryptology ePrint Archive 2019: 311 (2019)
  • Ted Krovetz, Phillip Rogaway, "The Software Performance of Authenticated-Encryption Modes", FSE 2011: 306-327
  • Christof Beierle, Jeremy
  • delay (latency) is an index for general encryption methods including authenticated encryption. It refers to the time from the start of processing until the first output result is obtained, and the smaller this time, the better. However, it is difficult to suppress the delay in encryption and decryption with the above-mentioned techniques of the patent documents and non-patent documents.
  • An object of the present disclosure is to solve this problem by providing an authentication encryption device, an authentication decryption device, an authentication encryption system, a method, and a computer-readable medium capable of suppressing the delay in encryption and decryption.
  • the authentication encryption device has: an input means that accepts input of plaintext; a nonce generation means that generates a nonce different from any value generated in the past; a plaintext encryption means that generates a ciphertext corresponding to the plaintext by encrypting each block obtained by dividing the plaintext, using the nonce as an auxiliary variable; a checksum generation means that generates a checksum using the plaintext; a hash means that acquires a hash value; a nonce encryption means that encrypts the nonce to obtain an encrypted nonce; an authentication tag generation means that generates an authentication tag using the checksum, the hash value, and the encrypted nonce; and an output means that controls output of the ciphertext and the authentication tag.
  • the authentication decryption device has: an input means that accepts input of a ciphertext, an authentication tag, and a nonce; a plaintext decryption means that generates the plaintext corresponding to the ciphertext by decrypting each block obtained by dividing the ciphertext, using the nonce as an auxiliary variable; a checksum generation means that generates a checksum using the plaintext; a hash means that acquires a hash value; a nonce encryption means that encrypts the nonce to obtain an encrypted nonce; a verification tag generation means that generates a verification tag, which is an estimated authentication tag, using the checksum, the hash value, and the encrypted nonce; and a verification means that verifies the presence or absence of tampering by comparing the authentication tag with the verification tag and controls output of the verification result.
  • the authentication encryption system includes an authentication encryption device and an authentication decryption device that communicates with it. The authentication encryption device has: a first input means that accepts input of plaintext; a nonce generation means that generates a nonce different from any value generated in the past; a plaintext encryption means that generates a ciphertext corresponding to the plaintext by encrypting each block obtained by dividing the plaintext, using the nonce as an auxiliary variable; a first checksum generation means that generates a checksum using the plaintext; a first hash means that acquires a hash value; a first nonce encryption means that encrypts the nonce to obtain an encrypted nonce; an authentication tag generation means that generates an authentication tag using the checksum, the hash value, and the encrypted nonce; and an output means that controls output of the ciphertext and the authentication tag. The authentication decryption device has: a second input means that accepts input of the ciphertext, the authentication tag, and the nonce; a plaintext decryption means that generates the plaintext corresponding to the ciphertext by decrypting each block obtained by dividing the ciphertext input by the second input means, using the nonce input by the second input means as an auxiliary variable; a second checksum generation means that generates a checksum using the plaintext generated by the plaintext decryption means; a second hash means that acquires a hash value; a second nonce encryption means that encrypts the nonce input by the second input means to obtain an encrypted nonce; a verification tag generation means that generates a verification tag, which is an estimated authentication tag, using the checksum generated by the second checksum generation means, the hash value acquired by the second hash means, and the encrypted nonce obtained by the second nonce encryption means; and a verification means that verifies the presence or absence of tampering by comparing the authentication tag generated by the authentication tag generation means with the verification tag and controls output of the verification result.
  • the authentication encryption method accepts input of plaintext, generates a nonce different from any value generated in the past, generates a ciphertext corresponding to the plaintext by encrypting each block obtained by dividing the plaintext using the nonce as an auxiliary variable, generates a checksum using the plaintext, acquires a hash value, encrypts the nonce to obtain an encrypted nonce, generates an authentication tag using the checksum, the hash value, and the encrypted nonce, and performs control to output the ciphertext and the authentication tag.
  • the authentication decryption method accepts input of a ciphertext, an authentication tag, and a nonce, generates the plaintext corresponding to the ciphertext by decrypting each block obtained by dividing the ciphertext using the nonce as an auxiliary variable, generates a checksum using the plaintext, acquires a hash value, encrypts the nonce to obtain an encrypted nonce, generates a verification tag, which is an estimated authentication tag, using the checksum, the hash value, and the encrypted nonce, verifies the presence or absence of tampering by comparing the authentication tag with the verification tag, and performs control to output the verification result.
  • the program according to the present disclosure causes a computer to execute: a step of accepting input of plaintext; a step of generating a nonce different from any value generated in the past; a step of generating a ciphertext corresponding to the plaintext by encrypting each block obtained by dividing the plaintext using the nonce as an auxiliary variable; a step of generating a checksum using the plaintext; a step of acquiring a hash value; a step of encrypting the nonce to obtain an encrypted nonce; a step of generating an authentication tag using the checksum, the hash value, and the encrypted nonce; and a step of controlling output of the ciphertext and the authentication tag.
  • the program according to the present disclosure causes a computer to execute: a step of accepting input of a ciphertext, an authentication tag, and a nonce; a step of generating the plaintext corresponding to the ciphertext by decrypting each block obtained by dividing the ciphertext using the nonce as an auxiliary variable; a step of generating a checksum using the plaintext; a step of acquiring a hash value; a step of encrypting the nonce to obtain an encrypted nonce; a step of generating a verification tag, which is an estimated authentication tag, using the checksum, the hash value, and the encrypted nonce; and a step of verifying the presence or absence of tampering by comparing the authentication tag with the verification tag and controlling output of the verification result.
  • According to the present disclosure, it is possible to provide an authentication encryption device, an authentication decryption device, an authentication encryption system, a method, and a computer-readable medium capable of suppressing delays in encryption and decryption.
  • Further figures show the authentication encryption device according to the second embodiment, the authentication decryption device according to the second embodiment, and a block diagram of a hardware configuration example of a computation processing device that can realize the devices and systems according to each embodiment.
  • the encryption function of the authentication encryption is AEnc, and the decryption function is ADec.
  • the plaintext to be encrypted is set to M, and a variable N called a nonce is introduced.
  • let A be the header (associated data; AD).
  • the header A is a value for which tampering is detected but which is not encrypted.
  • the receiving side computes ADec_K(N', A', C', T'), where ADec_K is the decryption function with the key K as a parameter. If tampering occurred during communication and (N', A', C', T') ≠ (N, A, C, T), then ADec_K(N', A', C', T') outputs an error message (error symbol) indicating that tampering has occurred. That is, in this case, tampering is detected.
  • the encryption side uses a state variable such as a counter to prevent nonce collisions. That is, typically, by storing the N used immediately before as a state variable and incrementing N each time, it ensures that the nonce N never repeats a past value.
  • latency is an index for general encryption methods including authenticated encryption. It refers to the time from the start of processing until the first output result is obtained, and the smaller this time, the better.
  • the delay refers to the time or amount of processing until the first ciphertext block is output when a plaintext consisting of a plurality of blocks is input.
  • the encryption delay in authenticated encryption is generally the number of primitive calls required before the first ciphertext block is output.
  • Decryption delay is defined as well.
  • Another index of delay is speed (throughput).
  • the speed is generally the number of message blocks that can be processed per primitive call. This number is also called the rate.
  • the delay may, by definition, include a constant number of calls as described above.
  • OCB described in Patent Document 1 and Non-Patent Document 1 is known as an authentication encryption method using a block cipher as a primitive.
  • the delay is particularly small.
  • the delay in encryption is two block cipher calls.
  • the delay in encryption is one TBC call, which is theoretically optimal among methods using a TBC. In other words, in OCB and ThetaCB3, the delay in encryption is small.
  • the encryption and decryption rates are 1 for both OCB and ThetaCB3, and the message blocks can be processed in parallel. Therefore, high-speed processing is possible in OCB and ThetaCB3.
  • although the delay in encryption is small, the delay in decryption is larger than the delay in encryption, as will be described later.
  • in the authenticated encryption of the present embodiment, as described below, the delay can be further reduced while achieving the same speed (that is, rate 1) as OCB and ThetaCB3. That is, the present embodiment realizes high-speed, low-delay authenticated encryption.
  • FIG. 1 is a diagram showing the configuration of the authentication encryption system 1 according to the first embodiment.
  • the authentication encryption system 1 includes an authentication encryption device 10 and an authentication decryption device 20.
  • the authentication encryption device 10 and the authentication decryption device 20 may be physically integrated or may be separate. Further, the components of each device described later with reference to FIGS. 2 to 3 may be realized by another device.
  • the length of one block out of a plurality of blocks obtained by dividing a plaintext or a ciphertext is defined as n bits having a predetermined length.
  • the authentication encryption device 10 corresponds to Alice
  • the authentication decryption device 20 corresponds to Bob. That is, communication is performed between the authentication encryption device 10 and the authentication decryption device 20.
  • the plaintext length is always a multiple of the block length n. If a plaintext that is not a multiple of the block length n is handled, padding is required and the length of the ciphertext increases.
  • the limitation that the plaintext length is a multiple of the block length is not a problem for many applications. For example, when considering encryption of a memory, cache, or hard disk sector using AES (Advanced Encryption Standard) described later, the standard length of plaintext is a multiple of the block length (16 bytes) of AES.
  • FIG. 2 is a diagram showing the configuration of the authentication encryption device 10 according to the first embodiment.
  • FIG. 3 is a diagram showing the configuration of the authentication / decryption device 20 according to the first embodiment.
  • FIG. 4 is a flowchart showing an authentication encryption method executed by the authentication encryption device 10 according to the first embodiment.
  • FIG. 5 is a flowchart showing an authentication / decryption method executed by the authentication / decryption device 20 according to the first embodiment.
  • FIG. 6 is a simplified diagram showing an encryption routine using the authenticated encryption method ThetaCB3 method described in Non-Patent Document 4.
  • FIG. 7 is a simplified diagram showing a decryption routine using the authentication encryption method ThetaCB3 method described in Non-Patent Document 4.
  • FIG. 8 is a diagram illustrating an encryption process when the authentication encryption method according to the first embodiment is implemented by a Tweakable block cipher.
  • FIG. 9 is a diagram illustrating a decryption process when the authentication encryption method according to the first embodiment is performed by a Tweakable block cipher.
  • FIG. 10 is a diagram illustrating an encryption function and a decryption function described in Non-Patent Document 2.
  • the authentication encryption device 10 shown in FIG. 2 will be described.
  • the authentication encryption device 10 includes an input unit 100, a nonce generation unit 101, a Tweak encryption unit 102, a checksum generation unit 103, a header hash unit 104, a nonce encryption unit 105, an addition unit 106, a shortening unit 107, and an output unit 108.
  • the authentication encryption device 10 can be realized by, for example, a computer. That is, the authentication encryption device 10 has an arithmetic unit such as a CPU (Central Processing Unit) and a storage device such as a memory or an optical disk.
  • the authentication encryption device 10 realizes each of the above components by, for example, the arithmetic unit executing a program stored in the storage device.
  • the input unit 100 has a function as an input means.
  • the nonce generation unit 101 has a function as a nonce generation means.
  • the Tweak-attached encryption unit 102 has a function as a Tweak-attached encryption means (plaintext encryption means or ciphertext generation means).
  • the checksum generation unit 103 has a function as a checksum generation means.
  • the header hash unit 104 has a function as a header hash means (hash means).
  • the nonce encryption unit 105 has a function as a nonce encryption means.
  • the adding unit 106 has a function as an adding means (additive means).
  • the shortening unit 107 has a function as a shortening means (authentication tag generating means).
  • the output unit 108 has a function as an output means.
  • the input unit 100 accepts the input of the plaintext M and the header A to be encrypted.
  • the input unit 100 may be realized by an input device such as a keyboard, for example.
  • the input unit 100 may accept the input of the plaintext M and the header A from, for example, an external device connected via a network. In some cases, the header does not exist. In this case, the header A is not input.
  • the input unit 100 outputs the plaintext M to the encryption unit 102 with Tweak and to the checksum generation unit 103. Further, the input unit 100 outputs the header A to the header hash unit 104.
  • the nonce generation unit 101 generates the nonce N so that it does not overlap with any past value. That is, the nonce generation unit 101 generates a nonce N different from any value generated in the past. Specifically, for example, the nonce generation unit 101 first outputs an arbitrary fixed value, and it stores the value of the nonce generated immediately before. From the second time onward, when generating the nonce N, it outputs the stored immediately preceding value plus 1. In this way, the nonce generation unit 101 generates a nonce N different from any value generated in the past by outputting the immediately preceding output value plus 1.
  • the nonce generation unit 101 may generate the nonce by a method different from the above-mentioned example.
  • the nonce generation unit 101 outputs the generated nonce N to the Tweak encryption unit 102 and the nonce encryption unit 105. Further, the nonce generation unit 101 may output the generated nonce N to the output unit 108.
  • the encryption unit 102 with Tweak divides the plaintext M into n-bit blocks for a predetermined n, uses the nonce N as an auxiliary variable (Tweak), and encrypts the plaintext M in parallel for each block.
  • the encryption unit 102 with Tweak divides the plaintext M into n-bit blocks (that is, blocks of a predetermined length) to obtain a series of m blocks M[1], M[2], ..., M[m].
  • each block is encrypted in parallel with the Tweakable block cipher.
  • the plaintext M may be divided into the series of m blocks M[1], M[2], ..., M[m] by the encryption unit 102 with Tweak; alternatively, the input unit 100 may divide the plaintext M.
  • the Tweak may include an index j indicating the type of processing (that is, whether the encryption target is a plaintext block or the nonce).
  • the index j is 1
  • let the encryption function of the Tweakable block cipher be TE(Tweak, message block).
  • the m-th ciphertext block can be expressed as C[m] = TE((N, m, j + 1), M[m]).
  • the encryption unit 102 with Tweak concatenates the obtained C[1], ..., C[m] to obtain the ciphertext C. Then, the encryption unit 102 with Tweak outputs the obtained ciphertext C to the output unit 108.
  • the encryption unit 102 with Tweak may use an existing algorithm such as SKINNY described in Non-Patent Document 5 as the Tweakable block cipher (TBC).
  • the encryption unit 102 with Tweak may realize the Tweakable block cipher (TBC) in a block cipher use mode (hereinafter referred to as a mode) using a block cipher such as AES (Advanced Encryption Standard).
  • the Tweak-attached encryption unit 102 can use, as the mode of the Tweakable block cipher, the XEX* mode described in Non-Patent Document 2 or the mode described in Non-Patent Document 4, which is a variant of it. That is, in the present embodiment, the Tweakable block cipher may be the XEX* mode using a block cipher.
  • here, "2" denotes multiplication by the generator (x in the polynomial representation) of the finite field GF(2^n), and "3" denotes multiplication by the sum of the generator and the identity element (x + 1 in the polynomial representation). 2^i 3^j E(N) means that E(N) is regarded as an element of GF(2^n) and is multiplied i times by the generator and j times by the sum of the generator and the identity element.
  • Other methods of realizing the tweakable block cipher encryption function from a block cipher (for a block length of n) are described in, for example, Non-Patent Document 3.
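As an added example (not from the patent), the mask derivation 2^i 3^j E(N) used by the XEX* construction, carried out in GF(2^n); it assumes n = 128 and the reduction polynomial x^128 + x^7 + x^2 + x + 1, neither of which the page states, and also shows the incremental per-block mask update that keeps the cost at one doubling per block:

```python
# Assumed parameters: n = 128 and reduction polynomial x^128 + x^7 + x^2 + x + 1.
N_BITS = 128
MASK_N = (1 << N_BITS) - 1
REDUCTION = 0x87          # low bits of the polynomial; the x^128 term is the carry-out


def gf_double(x: int) -> int:
    """Multiply x in GF(2^n) by the generator element "2" (the polynomial x)."""
    x <<= 1
    if x >> N_BITS:                      # degree reached n: reduce by the polynomial
        x = (x ^ REDUCTION) & MASK_N
    return x


def gf_triple(x: int) -> int:
    """Multiply x by "3" (the polynomial x + 1): 3*x = 2*x XOR x."""
    return gf_double(x) ^ x


def xex_mask(l: int, i: int, j: int) -> int:
    """2^i * 3^j * L, where L = E(N) is the block-cipher output read as a field element."""
    for _ in range(i):
        l = gf_double(l)
    for _ in range(j):
        l = gf_triple(l)
    return l


def block_masks(l: int, m: int, j: int = 0) -> list:
    """Masks 2^i * 3^j * L for block indices i = 1..m, computed incrementally:
    one doubling per block instead of i doublings, so the per-block cost is constant."""
    masks = []
    cur = xex_mask(l, 0, j)              # 3^j * L
    for _ in range(m):
        cur = gf_double(cur)             # advances to 2^i * 3^j * L for i = 1, 2, ...
        masks.append(cur)
    return masks
```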
  • the checksum generation unit 103 generates the checksum S by compressing the plaintext M with a simple calculation. Specifically, the checksum generation unit 103 divides the plaintext M into a series of n-bit blocks M[1], M[2], ..., M[m], applies a simple compression process to this series to generate the checksum S, and outputs the generated checksum S to the addition unit 106.
  • the checksum S is generated by the following calculation.
  • the checksum generation unit 103 is not limited to the exclusive OR, and may generate the checksum S by using an arbitrary group or ring operation such as arithmetic addition.
  • the header hash unit 104 acquires the hash value H of the header A by applying a universal hash function to the header A. Specifically, the header hash unit 104 divides the header A into a series of n-bit blocks A[1], A[2], ..., A[a], applies a universal hash function to this series to acquire the hash value H of the header, and outputs the acquired hash value H to the addition unit 106.
  • the header hash unit 104 may use a polynomial hash function using multiplication as described in Non-Patent Document 6 as the universal hash function.
  • the header hash unit 104 may generate the hash value H of the header by a method using a block cipher or a Tweakable block cipher.
  • For example, the header hash unit 104 may use the method described in Non-Patent Document 2 and employ the TE function with Tweak used in the encryption unit 102 as the universal hash function; in that case the hash value H may be obtained by Equation 5, in which the constant is an arbitrary n-bit constant.
  • the Tweakable block cipher may be in the XEX * mode using the block cipher.
  • The header hash unit 104 applies appropriate padding to the header A and then divides it into the n-bit blocks A[1], A[2], ..., A[a].
  • When the header A does not exist, the header hash unit 104 may set the hash value H to an arbitrary constant (for example, all zeros, that is, a constant in which every bit is 0).
  • the nonce encryption unit 105 encrypts the nonce N and acquires an encrypted nonce V having the same length as the checksum. Specifically, the nonce encryption unit 105 generates an encrypted nonce V by encrypting an arbitrary n-bit constant using the nonce N as an auxiliary variable (Tweak). That is, the nonce encryption unit 105 generates the encrypted nonce V by encrypting with the Tweakable block cipher in which the plaintext of one block is an arbitrary constant by using the Tweak including the nonce N. The nonce encryption unit 105 outputs the generated encrypted nonce V to the addition unit 106. Further, as described above, the Tweakable block cipher may be in the XEX * mode using the block cipher.
  • the addition unit 106 generates the non-abbreviated authentication tag U by summing the checksum S, the encryption nonce V, and the hash value H of the header. Specifically, the addition unit 106 adds the hash value H of the header, the checksum S, and the encryption nonce V. The addition unit 106 acquires this sum as an n-bit non-abbreviated authentication tag U.
  • the addition method may be an exclusive OR, or may be an addition operation of an arbitrary group.
  • the addition unit 106 outputs the obtained non-abbreviated authentication tag U to the shortening unit 107.
  • The shortening unit 107 generates the authentication tag T by shortening the non-shortened authentication tag U generated by the addition unit 106 to t bits by an arbitrary method, for a predetermined t (t is an integer of 1 or more and n or less). For example, the shortening unit 107 may use the most significant t bits of the non-shortened authentication tag U as the authentication tag T.
  • the output unit 108 controls to output the ciphertext C and the authentication tag T.
  • the output unit 108 may connect the ciphertext C and the authentication tag T for output.
  • the output unit 108 may control the output device such as a display to display the ciphertext C and the authentication tag T, for example. Further, the output unit 108 may control to output the ciphertext C and the authentication tag T to, for example, an external device connected via a network. Further, the output unit 108 may control to output the nonce N and the header A.
  • The authentication / decryption device 20 includes an input unit 200, a decryption unit 201 with Tweak, a checksum generation unit 202, a nonce encryption unit 203, a header hash unit 204, an addition unit 205, a shortening unit 206, and a tag verification unit 207. The authentication / decryption device 20 can be realized by, for example, a computer. That is, the authentication / decryption device 20 has an arithmetic unit such as a CPU and a storage device such as a memory or an optical disk, and realizes each of the above components by, for example, the arithmetic unit executing a program stored in the storage device.
  • the input unit 200 has a function as an input means.
  • The decryption unit 201 with Tweak has a function as a decryption means with Tweak (plaintext decryption means or plaintext generating means).
  • the checksum generation unit 202 has a function as a checksum generation means.
  • the nonce encryption unit 203 has a function as a nonce encryption means.
  • the header hash unit 204 has a function as a header hash means (hash means).
  • the adding unit 205 has a function as an adding means (additive means).
  • the shortening unit 206 has a function as a shortening means (verification tag generation means).
  • the tag verification unit 207 has a function as a tag verification means (verification means and output means).
  • the input unit 200 accepts the input of the ciphertext C, the nonce N, the header A, and the authentication tag T to be decrypted.
  • The input unit 200 is realized by, for example, an input device such as a keyboard.
  • the input unit 200 may accept the ciphertext C, the nonce N, the header A, and the authentication tag T from, for example, an external device connected via a network. In some cases, the header does not exist. In this case, the header A is not input.
  • the input unit 200 outputs the ciphertext C to the decryption unit 201 with Twake. Further, the input unit 200 outputs the header A to the header hash unit 204. Further, the input unit 200 outputs the nonce N to the decryption unit 201 with Twake and the nonce encryption unit 203. Further, the input unit 200 outputs the authentication tag T to the tag verification unit 207.
  • the decryption unit 201 with Twake performs the decryption process corresponding to the encryption unit 102 with Twake described above.
  • The decryption unit 201 with Tweak divides the ciphertext C into n-bit blocks for a predetermined n, uses the nonce N as an auxiliary variable (Tweak), and decrypts each block in parallel to generate the plaintext M.
  • The decryption unit 201 with Tweak obtains the series of m blocks C[1], C[2], ..., C[m] generated by dividing the ciphertext C into n-bit blocks. The division of the ciphertext C need not be performed by the decryption unit 201 with Tweak itself; for example, the input unit 200 may divide the ciphertext C into the series of m blocks C[1], C[2], ..., C[m].
  • As in encryption, the Tweak may include an index j indicating the type of processing (whether the object being encrypted is plaintext or the nonce). For example, when the index j is 1 and the decryption function of the Tweakable block cipher is written TD(Tweak, message block), the last plaintext block can be expressed as M[m] = TD((N, m, j + 1), C[m]).
  • The decryption unit 201 with Tweak may use an existing Tweakable block cipher algorithm such as SKINNY described in Non-Patent Document 5 as the Tweakable block cipher (TBC). Alternatively, the decryption unit 201 with Tweak may realize the Tweakable block cipher (TBC) in a mode that uses a block cipher such as AES. In this case, the decryption unit 201 with Tweak can use as the mode of the Tweakable block cipher the XEX* mode described in Non-Patent Document 2, or the mode described in Non-Patent Document 4, which is a variant of it. That is, in the present embodiment, the Tweakable block cipher may be in the XEX* mode using the block cipher.
  • the checksum generation unit 202 performs substantially the same processing as the checksum generation unit 103 described above. That is, the checksum generation unit 202 generates the checksum S by compressing the plaintext M by a simple calculation. The checksum generation unit 202 outputs the generated checksum S to the addition unit 205.
  • the nonce encryption unit 203 performs substantially the same processing as the nonce encryption unit 105 described above. That is, the nonce encryption unit 203 encrypts the nonce N and acquires an encrypted nonce V having the same length as the checksum. Specifically, the nonce encryption unit 203 generates an encrypted nonce V by encrypting an arbitrary n-bit constant using the nonce N as an auxiliary variable (Tweak). That is, the nonce encryption unit 203 generates the encrypted nonce V by encrypting with the Tweakable block cipher in which the plaintext of one block is an arbitrary constant by using the Tweak including the nonce N. The nonce encryption unit 203 outputs the acquired encrypted nonce V to the addition unit 205. Further, as described above, the Tweakable block cipher may be in the XEX * mode using the block cipher.
  • the header hash unit 204 performs substantially the same processing as the header hash unit 104 described above. That is, the header hash unit 204 acquires the hash value H of the header A by using the header A and the universal hash function. The header hash unit 204 outputs the acquired hash value H to the addition unit 205. When the header A does not exist, the header hash unit 204 may set the hash value H to an arbitrary constant (for example, all zeros; a constant in which all bit values are 0).
  • the addition unit 205 performs substantially the same processing as the above-mentioned addition unit 106. That is, the addition unit 205 generates the non-abbreviated authentication tag U by summing the checksum S, the encryption nonce V, and the hash value H of the header. The addition unit 205 outputs the generated non-abbreviated authentication tag U to the shortening unit 206.
  • The shortening unit 206 generates a verification tag T', which is an estimated authentication tag, by shortening the non-shortened authentication tag U generated by the addition unit 205 to t bits by an arbitrary method, for a predetermined t (t is an integer of 1 or more and n or less).
  • the specific processing of the shortening unit 206 is substantially the same as the processing of the shortening unit 107.
  • The shortening unit 206 outputs the generated verification tag T' to the tag verification unit 207.
  • The tag verification unit 207 compares the authentication tag T output by the input unit 200 with the verification tag T' output by the shortening unit 206 to verify the presence or absence of tampering. Then, the tag verification unit 207 controls to output information based on the verification result.
  • the tag verification unit 207 may perform control for displaying information on an output device such as a display, for example. Further, the tag verification unit 207 may control to output information to, for example, an external device connected via a network.
  • When the authentication tag T and the verification tag T' match, the tag verification unit 207 controls to output the plaintext M generated by the decryption unit 201 with Tweak. When the length of the plaintext is not a multiple of n, the tag verification unit 207 may control to output the plaintext M after removing the predetermined padding. On the other hand, when the authentication tag T and the verification tag T' do not match, the tag verification unit 207 controls to output an error symbol indicating that the authentication tag T and the verification tag T' do not match.
  • FIG. 4 is a flowchart showing an authentication encryption method executed by the authentication encryption device 10 according to the first embodiment.
  • the nonce generation unit 101 generates nonce N as described above (step S102).
  • The encryption unit 102 with Tweak encrypts the plaintext M block by block using the nonce N as the auxiliary variable (Tweak), and acquires the ciphertext C (step S104).
  • the checksum generation unit 103 generates the checksum S of the plaintext M as described above (step S106).
  • the header hash unit 104 acquires the hash value H of the header A as described above (step S108).
  • the nonce encryption unit 105 encrypts the nonce N and acquires the encrypted nonce V as described above (step S110).
  • the authentication encryption device 10 acquires the authentication tag T (step S112). Specifically, as described above, the addition unit 106 takes the sum of the checksum S, the encryption nonce V, and the hash value H of the header. The shortening unit 107 acquires the authentication tag T by shortening the sum (non-shortening authentication tag U) to a predetermined t bit. Then, as described above, the output unit 108 controls to output the ciphertext C and the authentication tag T (step S114).
  • FIG. 5 is a flowchart showing an authentication / decryption method executed by the authentication / decryption device 20 according to the first embodiment.
  • the input unit 200 inputs the ciphertext C, the nonce N, the header A, and the authentication tag T to be decrypted (step S202).
  • the nonce encryption unit 203 encrypts the nonce N and acquires the encrypted nonce V as described above (step S204).
  • The decryption unit 201 with Tweak decrypts the ciphertext C block by block using the nonce N as the auxiliary variable (Tweak), and acquires the plaintext M (step S206).
  • the header hash unit 204 acquires the hash value H of the header A as described above (step S208).
  • the checksum generation unit 202 generates the checksum S of the plaintext M as described above (step S210).
  • The authentication / decryption device 20 acquires the estimated authentication tag T' (verification tag) (step S212). Specifically, as described above, the addition unit 205 takes the sum of the encrypted nonce V, the hash value H of the header, and the checksum S, and the shortening unit 206 acquires the estimated authentication tag T' (verification tag T') by shortening the sum (non-shortened authentication tag U) to a predetermined t bits.
  • The tag verification unit 207 determines whether or not the authentication tag T and the verification tag T' match (step S214). This verifies the presence or absence of tampering. When the authentication tag T and the verification tag T' match (YES in S214), the tag verification unit 207 controls to output the plaintext M as the verification result indicating that authentication succeeded (step S216). On the other hand, when the authentication tag T and the verification tag T' do not match (NO in S214), the tag verification unit 207 controls to output an error symbol as the verification result indicating that authentication failed (step S218).
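  • The following is an added worked example, not code from the patent, modelling the encryption procedure of FIG. 4 (steps S102 to S114) and the decryption procedure of FIG. 5 (steps S202 to S218) end to end. The Tweakable block cipher is a stand-in: a four-round keyed Feistel network built from HMAC-SHA256, chosen only so the example runs without a cipher library; a real implementation would use a TBC such as SKINNY or XEX* over AES. Everything the text leaves open is an assumption here: n = 128 bits, a 12-byte nonce, index j = 0 for plaintext blocks, j = 1 for the nonce encryption and j = 2 for the header hash, 10* padding of the plaintext and header to a multiple of n bits, XOR as both the checksum and the tag sum, a header hash that XORs the TE function applied to each header block with a constant (all-zero) value in the tweak's nonce position, and the most significant t bits of U as the tag. The key, nonce, header and message are constructed sample values.

```python
# Added example: encryption (FIG. 4) and decryption (FIG. 5) of the first
# embodiment with a toy Feistel TBC standing in for TE/TD.  All parameters
# below are assumptions, not values fixed by the patent text.
import hmac
import hashlib

N_BYTES = 16                      # n = 128-bit blocks
HALF = N_BYTES // 2
NONCE_BYTES = 12                  # nonce length carried in the tweak
J_MSG, J_NONCE, J_HDR = 0, 1, 2   # index j: plaintext / nonce / header
HASH_CONST = bytes(NONCE_BYTES)   # constant in the tweak for the header hash

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tweak(nonce: bytes, i: int, j: int) -> bytes:
    """Encode the tweak (N, i, j) as bytes."""
    assert len(nonce) == NONCE_BYTES
    return nonce + i.to_bytes(4, "big") + bytes([j])

def _round_fn(key: bytes, tweak: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, tweak + bytes([r]) + half, hashlib.sha256).digest()[:HALF]

def TE(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Toy TBC encryption: 4-round Feistel network keyed by (key, tweak)."""
    L, R = block[:HALF], block[HALF:]
    for r in range(4):
        L, R = R, _xor(L, _round_fn(key, tweak, r, R))
    return L + R

def TD(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Toy TBC decryption: the Feistel rounds of TE in reverse order."""
    L, R = block[:HALF], block[HALF:]
    for r in reversed(range(4)):
        L, R = _xor(R, _round_fn(key, tweak, r, L)), L
    return L + R

def _pad(m: bytes) -> bytes:
    m += b"\x80"                          # 10* padding to a whole block
    return m + bytes(-len(m) % N_BYTES)

def _blocks(data: bytes) -> list:
    return [data[k:k + N_BYTES] for k in range(0, len(data), N_BYTES)]

def header_hash(key: bytes, header: bytes) -> bytes:
    """H = XOR_i TE((const, i, J_HDR), A[i]); all zeros when no header exists."""
    H = bytes(N_BYTES)
    for i, A_i in enumerate(_blocks(_pad(header)) if header else [], start=1):
        H = _xor(H, TE(key, _tweak(HASH_CONST, i, J_HDR), A_i))
    return H

def make_tag(key, nonce, header, padded_plaintext, t_bytes):
    """T = msb_t(S xor V xor H): checksum, encrypted nonce, header hash."""
    assert 1 <= t_bytes <= N_BYTES
    S = bytes(N_BYTES)
    for M_i in _blocks(padded_plaintext):
        S = _xor(S, M_i)                                     # checksum S
    V = TE(key, _tweak(nonce, 0, J_NONCE), bytes(N_BYTES))   # encrypted nonce V
    H = header_hash(key, header)                             # header hash H
    return _xor(_xor(S, V), H)[:t_bytes]                     # U shortened to t

def encrypt(key, nonce, header, plaintext, t_bytes=N_BYTES):
    """FIG. 4: every TE call is independent of the others (delay 1)."""
    P = _pad(plaintext)
    C = b"".join(TE(key, _tweak(nonce, i, J_MSG), M_i)
                 for i, M_i in enumerate(_blocks(P), start=1))
    return C, make_tag(key, nonce, header, P, t_bytes)

def decrypt(key, nonce, header, ciphertext, tag):
    """FIG. 5: returns the plaintext, or None as the error symbol.
    V and H do not depend on M, so they can run alongside the TD calls."""
    if not ciphertext or len(ciphertext) % N_BYTES:
        return None
    P = b"".join(TD(key, _tweak(nonce, i, J_MSG), C_i)
                 for i, C_i in enumerate(_blocks(ciphertext), start=1))
    T2 = make_tag(key, nonce, header, P, len(tag))
    if not hmac.compare_digest(tag, T2):      # constant-time comparison
        return None
    return P[:P.rindex(b"\x80")]              # strip the 10* padding

if __name__ == "__main__":
    key, nonce = b"\x01" * 32, bytes(range(12))          # constructed sample values
    C, T = encrypt(key, nonce, b"hdr", b"attack at dawn", t_bytes=12)
    assert decrypt(key, nonce, b"hdr", C, T) == b"attack at dawn"
    assert decrypt(key, nonce, b"hdX", C, T) is None      # header tampered
    assert decrypt(key, nonce, b"hdr", bytes([C[0] ^ 1]) + C[1:], T) is None
    print("ok")
```

  • Two points the code makes concrete: on decryption nothing is fed back into the TBC after the plaintext blocks are recovered, which is the whole source of the delay-1 claim, and the plaintext is released only after the tag comparison, with a constant-time compare, since the scheme's integrity guarantee rests entirely on that check.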
  • In the existing schemes compared below, the delay in encryption is small, but the delay in decryption is larger than the delay in encryption: for OCB the decryption delay is 3, and for ThetaCB3 the decryption delay is 2.
  • FIG. 6 is a simplified diagram showing the encryption routine of the ThetaCB3 authenticated encryption scheme described in Non-Patent Document 4.
  • TE(N, i, j) denotes the function TE((N, i, j), *), that is, the encryption function of the Tweakable block cipher with the Tweak (N, i, j) applied to its first argument.
  • trunc is a function for shortening its input.
  • FIG. 7 is a simplified diagram showing the decryption routine of the ThetaCB3 authenticated encryption scheme described in Non-Patent Document 4.
  • TD(N, i, j) denotes the function TD((N, i, j), *), that is, the decryption function of the Tweakable block cipher with the Tweak (N, i, j) applied to its first argument.
  • In ThetaCB3, the authentication tag T is obtained by encrypting the checksum S, the sum (exclusive OR) of the plaintext blocks, with the TE function TE(N, m, 2) of the Tweakable block cipher.
  • In encryption, all TE functions can be executed in parallel as soon as the values required for encryption (the nonce N, the header A, and the plaintext M) are determined. Therefore, the delay in encryption is 1.
  • In the decryption process shown in FIG. 7, each ciphertext block is decrypted by the decryption function TD of the Tweakable block cipher to obtain the corresponding plaintext block. Only after the plaintext blocks have been obtained by decryption can the checksum S be generated; the checksum S is then encrypted with the TE function TE(N, m, 2) to obtain the verification tag T', and the presence or absence of tampering is verified by confirming that T' matches the transmitted authentication tag T.
  • Therefore, the delay in decryption is 2. That is, in FIG. 7 the TE function surrounded by the broken line cannot be executed until the plaintext blocks M[1], ..., M[m] are determined, so this TE function increases the delay by 1.
  • In addition to the above processing, realizing the TE function and TD function with a block cipher requires the nonce (realized by a public value used for encryption, such as a counter) to be encrypted by the block cipher. Specifically, in the case of OCB2 or OCB2f described in Non-Patent Document 2 and Non-Patent Document 3, this increases the delay by 1 in both encryption and decryption, so for OCB the encryption delay is 2 and the decryption delay is 3. That is, in both OCB and ThetaCB3, the decryption delay is 1 larger than the encryption delay.
  • In contrast, the method according to the first embodiment suppresses the decryption delay regardless of the length of the authentication tag. That is, in the method according to the first embodiment, the encryption delay and the decryption delay are both one invocation of the Tweakable block cipher, regardless of the tag length.
  • FIG. 8 is a diagram illustrating an encryption process when the authentication encryption method according to the first embodiment is implemented by a Tweakable block cipher.
  • FIG. 9 is a diagram illustrating a decryption process when the authentication encryption method according to the first embodiment is performed by a Tweakable block cipher.
  • As FIG. 8 and FIG. 9 show, there are no dependencies between TE and TD function calls in either encryption (FIG. 8) or decryption (FIG. 9), and the TE and TD functions are completely parallel.
  • Therefore, in the present embodiment, the encryption delay and the decryption delay are both 1.
  • In ThetaCB3, by contrast, the encryption delay is 1 whereas the decryption delay is 2.
  • In the present embodiment, the decryption delay is brought to 1 by changing the decryption procedure in this way.
  • When the tag length t is less than n bits, the outputs of the TE function and TD function that contribute to the checksum and to the hash value of the header can be shortened to t bits in advance, since the shortening is applied to a sum of these values. This reduces the amount of memory required for encryption or decryption without changing the overall algorithm.
  • In ThetaCB3, the checksum cannot be shortened before being input to the Tweakable block cipher, so this memory reduction is not possible.
  • When the Tweakable block cipher is realized in some block cipher mode of operation (for example, the XEX* mode used in OCB of Non-Patent Document 2), the mode itself incurs a calculation overhead, which increases both the encryption delay and the decryption delay. Specifically, when XEX* is used, one additional invocation for the nonce encryption always occurs as overhead. However, the same applies to the existing OCB: if the Tweakable block cipher is realized in the same way, the overhead is the same, and the advantage of the present embodiment in decryption delay over the technique described in the non-patent documents is preserved.
  • When XEX* is used in the present embodiment, both the encryption delay and the decryption delay are 2.
  • If, in both OCB3 and the present embodiment, both delays are reduced by about 1 relative to the case where the XEX* mode is used, then in OCB3 the encryption delay is approximately 1 and the decryption delay is approximately 2, whereas in the present embodiment both the encryption delay and the decryption delay are approximately 1.
  • Moreover, the present embodiment retains the advantages of the existing schemes: the rate of encryption and decryption is 1, parallel execution is possible, and provable security is provided. Therefore, the present embodiment realizes high-speed, low-delay authenticated encryption.
  • the second embodiment shows the outline of the configuration according to the first embodiment.
  • FIG. 11 is a diagram showing an authentication encryption device 30 according to the second embodiment.
  • the authentication encryption device 30 according to the second embodiment corresponds to the authentication encryption device 10 according to the first embodiment.
  • The authentication encryption device 30 according to the second embodiment includes an input unit 31, a nonce generation unit 32, a plaintext encryption unit 33, a checksum generation unit 34, a hash unit 35, a nonce encryption unit 36, an authentication tag generation unit 37, and an output unit 38.
  • the input unit 31 has a function as an input means (first input means).
  • the nonce generating unit 32 has a function as a nonce generating means.
  • The plaintext encryption unit 33 has a function as a plaintext encryption means (encryption means with Tweak or ciphertext generation means).
  • the checksum generation unit 34 has a function as a checksum generation means (first checksum generation means).
  • the hash unit 35 has a function as a hash means (first hash means).
  • the nonce encryption unit 36 has a function as a nonce encryption means (first nonce encryption means).
  • the authentication tag generation unit 37 has a function as an authentication tag generation means (addition means and shortening means).
  • the output unit 38 has a function as an output means.
  • the input unit 31 can be realized by substantially the same function as the function of the input unit 100 shown in FIG.
  • the input unit 31 accepts plaintext input. Further, the input unit 31 may accept the input of the header.
  • the nonce generation unit 32 can be realized by a function substantially similar to the function of the nonce generation unit 101 shown in FIG.
  • the nonce generation unit 32 generates a nonce different from the value generated in the past.
  • The plaintext encryption unit 33 can be realized by substantially the same function as the encryption unit 102 with Tweak shown in FIG.
  • the plaintext encryption unit 33 generates a ciphertext corresponding to the plaintext by encrypting each block in which the plaintext is divided by using a nonce as an auxiliary variable.
  • the checksum generation unit 34 can be realized by substantially the same function as the function of the checksum generation unit 103 shown in FIG.
  • the checksum generation unit 34 generates a checksum using plain text.
  • the hash unit 35 can be realized by a function substantially similar to the function of the header hash unit 104 shown in FIG.
  • the hash unit 35 acquires the hash value.
  • the hash unit 35 may acquire the hash value by using the header and the hash function (universal hash function).
  • the nonce encryption unit 36 can be realized by a function substantially similar to the function of the nonce encryption unit 105 shown in FIG.
  • the nonce encryption unit 36 encrypts the nonce and acquires the encrypted nonce.
  • the authentication tag generation unit 37 can be realized by substantially the same functions as those of the addition unit 106 and the shortening unit 107 shown in FIG.
  • the authentication tag generation unit 37 generates an authentication tag using a checksum, a hash value, and an encrypted nonce.
  • the authentication tag generation unit 37 may generate an authentication tag based on the sum of the checksum, the hash value, and the encryption nonce. Further, the authentication tag generation unit 37 may generate an authentication tag by shortening this sum.
  • the output unit 38 can be realized by a function substantially similar to the function of the output unit 108 shown in FIG. The output unit 38 controls to output the ciphertext and the authentication tag.
  • FIG. 12 is a diagram showing the authentication / decryption device 40 according to the second embodiment.
  • the authentication / decryption device 40 according to the second embodiment corresponds to the authentication / decryption device 20 according to the first embodiment.
  • The authentication / decryption device 40 according to the second embodiment includes an input unit 41, a plaintext decryption unit 43, a checksum generation unit 44, a hash unit 45, a nonce encryption unit 46, a verification tag generation unit 47, and a verification unit 48.
  • the input unit 41 has a function as an input means (second input means).
  • The plaintext decryption unit 43 has a function as a plaintext decryption means (decryption means with Tweak or plaintext generating means).
  • the checksum generation unit 44 has a function as a checksum generation means (second checksum generation means).
  • the hash unit 45 has a function as a hash means (second hash means).
  • the nonce encryption unit 46 has a function as a nonce encryption means (second nonce encryption means).
  • the verification tag generation unit 47 has a function as a verification tag generation means (addition means and shortening means).
  • the verification unit 48 has a function as a verification means (tag verification means and output means).
  • the input unit 41 can be realized by substantially the same function as the function of the input unit 200 shown in FIG.
  • the input unit 41 accepts input of a ciphertext, an authentication tag, and a nonce.
  • the input unit 41 may accept header input.
  • The plaintext decryption unit 43 can be realized by substantially the same function as the decryption unit 201 with Tweak shown in FIG.
  • the plaintext decryption unit 43 generates the plaintext corresponding to the ciphertext by decrypting each block in which the ciphertext is divided by using the nonce as an auxiliary variable.
  • the checksum generation unit 44 can be realized by substantially the same function as the function of the checksum generation unit 202 shown in FIG.
  • the checksum generation unit 44 generates a checksum using plain text.
  • the hash unit 45 can be realized by a function substantially similar to the function of the header hash unit 204 shown in FIG.
  • the hash unit 45 acquires the hash value.
  • the hash unit 45 may acquire the hash value by using the header and the hash function (universal hash function).
  • the nonce encryption unit 46 can be realized by substantially the same function as the function of the nonce encryption unit 203 shown in FIG.
  • the nonce encryption unit 46 encrypts the nonce and acquires the encrypted nonce.
  • the verification tag generation unit 47 can be realized by substantially the same functions as those of the addition unit 205 and the shortening unit 206 shown in FIG.
  • the verification tag generation unit 47 generates a verification tag, which is an estimated authentication tag, by using the checksum, the hash value, and the encryption nonce.
  • the verification tag generation unit 47 may generate a verification tag based on the sum of the checksum, the hash value, and the encryption nonce. Further, the verification tag generation unit 47 may generate a verification tag by shortening this sum.
  • the verification unit 48 can be realized by substantially the same function as the function of the tag verification unit 207 shown in FIG.
  • the verification unit 48 verifies the presence or absence of tampering by comparing the authentication tag and the verification tag, and controls for outputting the verification result. If the authentication tag and the verification tag match, the verification unit 48 may perform control to output a plain text as a verification result. On the other hand, if the authentication tag and the verification tag do not match, the verification unit 48 may perform control to output an error symbol as a verification result.
  • the authentication encryption device 30 and the authentication decryption device 40 according to the second embodiment can suppress delays in encryption and decryption by the above-described configuration.
  • a delay in encryption and decryption can also be suppressed by an authentication encryption system having an authentication encryption device 30 and an authentication decryption device 40.
  • the authentication encryption method executed by the authentication encryption device 30 and the program that executes the authentication encryption method can also suppress delays in encryption and decryption.
  • the authentication / decryption method executed by the authentication / decryption device 40 and the program that executes the authentication / decryption method can also suppress delays in encryption and decryption.
  • the devices (authentication encryption device and authentication decryption device) according to each embodiment may be physically or functionally realized by using at least two calculation processing devices. Further, the device according to each embodiment may be realized as a dedicated device or a general-purpose information processing device.
  • FIG. 13 is a block diagram schematically showing a hardware configuration example of a calculation processing device capable of realizing the devices and systems according to each embodiment.
  • the calculation processing device 120 includes a CPU 121, a volatile storage device 122, a disk 123, a non-volatile recording medium 124, and a communication IF 127 (IF: Interface). Therefore, it can be said that the device according to each embodiment has a CPU 121, a volatile storage device 122, a disk 123, a non-volatile recording medium 124, and a communication IF 127.
  • the calculation processing device 120 may be connectable to the input device 125 and the output device 126.
  • the calculation processing device 120 may include an input device 125 and an output device 126. Further, the calculation processing device 120 can transmit / receive information to / from other calculation processing devices and the communication device via the communication IF 127.
  • The non-volatile recording medium 124 is, for example, a computer-readable Compact Disc or Digital Versatile Disc. The non-volatile recording medium 124 may also be a USB (Universal Serial Bus) memory, a Solid State Drive, or the like. The non-volatile recording medium 124 holds the program and keeps it portable without a power supply, and is not limited to the media mentioned above. The program may also be supplied via the communication IF 127 and a communication network instead of the non-volatile recording medium 124.
  • the volatile storage device 122 is readable by a computer and can temporarily store data.
  • The volatile storage device 122 is a memory such as a DRAM (dynamic random access memory) or an SRAM (static random access memory).
  • the CPU 121 copies the software program (computer program: hereinafter, simply referred to as "program") stored in the disk 123 to the volatile storage device 122 when executing the software program, and executes arithmetic processing.
  • the CPU 121 reads the data necessary for executing the program from the volatile storage device 122. When display is required, the CPU 121 displays the output result on the output device 126.
  • the CPU 121 acquires the program from the input device 125.
  • the CPU 121 interprets and executes a program corresponding to the function (processing) of each component shown in FIGS. 2, 3, 11, and 12 described above.
  • the CPU 121 executes the processes described in each of the above-described embodiments. In other words, the functions of the respective components shown in FIGS. 2, 3, 11, and 12 described above can be realized by the CPU 121 executing the program stored in the disk 123 or the volatile storage device 122.
  • each embodiment can be achieved by the above-mentioned program. Further, it can be considered that each of the above-described embodiments can be achieved by using a non-volatile recording medium in which the above-mentioned program is recorded and which can be read by a computer.
  • the processing order of S104 to S110 is not limited to the order shown in FIG. Further, the processes of S104 to S110 can be executed in parallel.
  • the processing order of S204, S206, and S208 is not limited to the order shown in FIG. Further, the processes of S204, S206, and S208 can be executed in parallel.
  • Non-transitory computer-readable media include various types of tangible storage media.
  • Examples of non-transitory computer-readable media include magnetic recording media (e.g., flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (e.g., magneto-optical disks), CD-ROMs, CD-Rs, CD-R/Ws, and semiconductor memory (e.g., mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM).
  • the program may also be supplied to the computer by various types of transitory computer-readable media. Examples of transitory computer-readable media include electrical signals, optical signals, and electromagnetic waves.
  • a transitory computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire or an optical fiber, or via a wireless communication path.
  • (Appendix 1) An input means that accepts plaintext input, a nonce generation means that generates a nonce different from any value generated in the past,
  • a plaintext encryption means that generates a ciphertext corresponding to the plaintext by encrypting each block into which the plaintext is divided, using the nonce as an auxiliary variable,
  • a checksum generation means that generates a checksum using the plaintext,
  • a hash means that obtains a hash value,
  • a nonce encryption means that encrypts the nonce and obtains an encrypted nonce, and
  • an authentication tag generation means that generates an authentication tag using the checksum, the hash value, and the encrypted nonce.
  • the authentication tag generation means generates the authentication tag based on the sum of the checksum, the hash value, and the encrypted nonce,
  • the authentication encryption device according to Appendix 1.
  • (Appendix 3) The authentication tag generation means generates the authentication tag by shortening the sum,
  • the authentication encryption device according to Appendix 2.
  • (Appendix 4) The nonce encryption means obtains an encrypted nonce having the same length as the checksum,
  • the authentication encryption device according to any one of Appendices 1 to 3.
  • (Appendix 5) The input means also accepts a header, and
  • the hash means obtains the hash value by applying a hash function to the header,
  • the authentication encryption device according to any one of Appendices 1 to 4.
  • the plaintext encryption means uses Tweak, an auxiliary variable including the nonce and the index i of the plaintext block, for the i-th block when the plaintext is divided into blocks of a predetermined length, and
  • encrypts the plaintext in parallel, block by block, with the Tweakable block cipher,
  • the authentication encryption device according to any one of Appendices 1 to 5.
  • the input means accepts a header, and
  • the hash means uses Tweak, an auxiliary variable including the index i of the header block, for the i-th block when the header is divided into blocks of a predetermined length, and
  • acquires the hash value by encrypting each header block in parallel with the Header block cipher,
  • the authentication encryption device according to Appendix 6.
  • the hash means obtains the hash value by adding together the encrypted header blocks,
  • the authentication encryption device according to Appendix 7.
  • (Appendix 9) The nonce encryption means obtains the encrypted nonce by encrypting with a Tweakable block cipher using an auxiliary variable Tweak that includes the nonce,
  • the authentication encryption device according to any one of Appendices 6 to 8.
  • (Appendix 10) The Tweakable block cipher is an XEX* mode using a block cipher.
  • a verification tag generation means that generates a verification tag, which is an estimated authentication tag, using the checksum, the hash value, and the encrypted nonce, and
  • a verification means that verifies whether tampering has occurred by comparing the authentication tag with the verification tag, and controls output of the verification result.
  • the verification tag generation means generates the verification tag based on the sum of the checksum, the hash value, and the encrypted nonce.
  • the verification tag generation means generates the verification tag by shortening the sum.
  • the nonce encryption means obtains an encrypted nonce having the same length as the checksum.
  • the input means accepts a header, and the hash means obtains the hash value by applying the hash function to the header,
  • the authentication decryption device according to any one of Appendices 11 to 14.
  • the plaintext decryption means uses Tweak, an auxiliary variable including the nonce and the index i of the ciphertext block, for the i-th block when the ciphertext is divided into blocks of a predetermined length, and decrypts the ciphertext in parallel, block by block, with the Tweakable block cipher,
  • the authentication decryption device according to any one of Appendices 11 to 15.
  • the input means accepts a header, and
  • the hash means uses Tweak, an auxiliary variable including the index i of the header block, for the i-th block when the header is divided into blocks of a predetermined length, and
  • acquires the hash value by encrypting each header block in parallel with the Header block cipher.
  • the hash means obtains the hash value by adding together the encrypted header blocks.
  • the nonce encryption means obtains the encrypted nonce by encrypting with a Tweakable block cipher using an auxiliary variable Tweak that includes the nonce,
  • the authentication decryption device according to any one of Appendices 16 to 18.
  • the Tweakable block cipher is an XEX* mode using a block cipher,
  • the authentication decryption device according to any one of Appendices 16 to 19.
  • the authentication encryption device has a first input means that accepts plaintext input, a nonce generation means that generates a nonce different from any value generated in the past, a plaintext encryption means that generates a ciphertext corresponding to the plaintext by encrypting each block into which the plaintext is divided, using the nonce as an auxiliary variable,
  • a first checksum generation means that generates a checksum using the plaintext, a first hash means that obtains a hash value, a first nonce encryption means that encrypts the nonce and obtains an encrypted nonce,
  • an authentication tag generation means that generates an authentication tag using the checksum, the hash value, and the encrypted nonce, and
  • an output means that controls output of the ciphertext and the authentication tag, and
  • the authentication decryption device has a second input means that accepts ciphertext, authentication tag and nonce input, a plaintext decryption means that generates the plaintext corresponding to the ciphertext by decrypting each block into which the ciphertext input by the second input means is divided, using the nonce input by the second input means as an auxiliary variable,
  • a second checksum generation means that generates a checksum using the plaintext generated by the plaintext decryption means,
  • a second hash means that obtains a hash value,
  • a second nonce encryption means that encrypts the nonce input by the second input means to obtain an encrypted nonce,
  • a verification tag generation means that generates a verification tag, which is an estimated authentication tag, and
  • a verification means that verifies whether tampering has occurred by comparing the authentication tag generated by the authentication tag generation means with the verification tag, and controls output of the verification result.
  • (Appendix 23) An authentication decryption method comprising: accepting ciphertext, authentication tag and nonce input; generating a plaintext corresponding to the ciphertext by decrypting each block into which the ciphertext is divided, using the nonce as an auxiliary variable; generating a checksum using the plaintext; obtaining a hash value; encrypting the nonce to obtain an encrypted nonce; generating a verification tag, which is an estimated authentication tag, using the checksum, the hash value, and the encrypted nonce; and verifying whether tampering has occurred by comparing the authentication tag with the verification tag, and controlling output of the verification result.
  • A non-transitory computer-readable medium storing a program that causes a computer to execute: a step of accepting ciphertext, authentication tag and nonce input; a step of generating a plaintext corresponding to the ciphertext by decrypting each block into which the ciphertext is divided, using the nonce as an auxiliary variable; a step of generating a checksum using the plaintext; a step of obtaining a hash value; a step of encrypting the nonce and obtaining an encrypted nonce; a step of generating a verification tag, which is an estimated authentication tag, using the checksum, the hash value, and the encrypted nonce; and a step of verifying whether tampering has occurred by comparing the authentication tag with the verification tag and controlling output of the verification result.
  • Reference signs: Authentication encryption system; 10 Authentication encryption device; 100 Input unit; 101 Nonce generation unit; 102 Encryption unit with Tweak; 103 Checksum generation unit; 104 Header hash unit; 105 Nonce encryption unit; 106 Addition unit; 107 Shortening unit; 108 Output unit; 20 Authentication decryption device; 200 Input unit; 201 Decryption unit with Tweak; 202 Checksum generation unit; 203 Nonce encryption unit; 204 Header hash unit; 205 Addition unit; 206 Shortening unit; 207 Tag verification unit; 30 Authentication encryption device; 31 Input unit; 32 Nonce generation unit; 33 Plaintext encryption unit; 34 Checksum generation unit; 35 Hash unit; 36 Nonce encryption unit; 37 Authentication tag generation unit; 38 Output unit; 40 Authentication decryption device; 41 Input unit; 43 Plaintext decryption unit; 44 Checksum generation unit; 45 Hash unit; 46 Nonce encryption unit; 47 Verification tag generation unit; 48 Verification unit

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
PCT/JP2020/017422 2020-04-23 2020-04-23 Authenticated encryption device, authenticated decryption device, authenticated encryption system, method, and computer-readable medium Ceased WO2021214923A1 (ja)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2022516562A JP7367860B2 (ja) 2020-04-23 2020-04-23 Authenticated encryption device, authenticated decryption device, authenticated encryption system, method, and program
PCT/JP2020/017422 WO2021214923A1 (ja) 2020-04-23 2020-04-23 Authenticated encryption device, authenticated decryption device, authenticated encryption system, method, and computer-readable medium
US17/918,643 US20230139104A1 (en) 2020-04-23 2020-04-23 Authenticated encryption apparatus, authenticated decryption apparatus, authenticated encryption system, method, and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/017422 WO2021214923A1 (ja) 2020-04-23 2020-04-23 Authenticated encryption device, authenticated decryption device, authenticated encryption system, method, and computer-readable medium

Publications (1)

Publication Number Publication Date
WO2021214923A1 true WO2021214923A1 (ja) 2021-10-28

Family

ID=78270498

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/017422 Ceased WO2021214923A1 (ja) 2020-04-23 2020-04-23 Authenticated encryption device, authenticated decryption device, authenticated encryption system, method, and computer-readable medium

Country Status (3)

Country Link
US (1) US20230139104A1
JP (1) JP7367860B2
WO (1) WO2021214923A1

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640547A (zh) * 2022-05-18 2022-06-17 深圳市研强物联技术有限公司 Voice processing method for an intelligent recording device
CN115118527A (zh) * 2022-08-26 2022-09-27 深圳市成为信息股份有限公司 Two-way authentication method between a UHF module and a PDA, and related device
WO2024180612A1 (ja) * 2023-02-27 2024-09-06 日本電気株式会社 Authenticated encryption device, authenticated decryption device, authenticated encryption system, method, and computer-readable medium

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4113341A1 (en) * 2021-06-30 2023-01-04 Giesecke+Devrient Mobile Security GmbH Encryption scheme for providing software updates to an update agent
JP7599450B2 (ja) * 2022-03-31 2024-12-13 Kddi株式会社 Encryption device, decryption device, encryption method, and encryption program
US12432053B2 (en) * 2023-04-07 2025-09-30 Micro Focus Llc Efficient length preserving encryption of large plaintexts

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015015702A1 (ja) * 2013-08-02 2015-02-05 日本電気株式会社 Authenticated encryption device, authenticated encryption method, and authenticated encryption program
JP2016075765A (ja) * 2014-10-03 2016-05-12 日本放送協会 Authenticated encryption device and authenticated decryption device, and programs therefor
JP2019015918A (ja) * 2017-07-10 2019-01-31 日本電信電話株式会社 Encrypted data generation device, decrypted data generation device, authenticated encryption system with additional data, method thereof, and program
WO2019163032A1 (ja) * 2018-02-21 2019-08-29 日本電気株式会社 Encryption device, encryption method, program, decryption device, and decryption method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE1751566A1 (en) * 2017-12-18 2019-06-19 DeviceRadio AB Encryption methods and devices
US11516013B2 (en) * 2018-06-28 2022-11-29 Intel Corporation Accelerator for encrypting or decrypting confidential data with additional authentication data
CN112640359B (zh) * 2018-08-30 2024-05-03 三菱电机株式会社 Message authentication device, message authentication method, and computer-readable storage medium
US11477172B2 (en) * 2020-01-24 2022-10-18 International Business Machines Corporation Securing data compression

Also Published As

Publication number Publication date
JP7367860B2 (ja) 2023-10-24
US20230139104A1 (en) 2023-05-04
JPWO2021214923A1 2021-10-28

Similar Documents

Publication Publication Date Title
JP7367860B2 (ja) Authenticated encryption device, authenticated decryption device, authenticated encryption system, method, and program
JP6519473B2 (ja) Authenticated encryption device, authenticated encryption method, and authenticated encryption program
JP6740902B2 (ja) Authenticated encryption method, authenticated decryption method, and information processing device
JP6665204B2 (ja) Data encryption device and method, and data decryption device and method
JP6035459B2 (ja) Encryption device, decryption device, and program
CN105406969B (zh) Data encryption device and method
JP5855696B2 (ja) Block encryption method and block decryption method including integrity verification
US20150244518A1 (en) Variable-length block cipher apparatus and method capable of format preserving encryption
WO2014007347A1 (ja) Shared secret key generation device, encryption device, decryption device, shared secret key generation method, encryption method, decryption method, and program
WO2011105367A1 (ja) Block encryption device, block decryption device, block encryption method, block decryption method, and program
CN102664740B (zh) Method for encrypting and decrypting bidding documents based on remote authorization
WO2016067524A1 (ja) Authenticated encryption device, authenticated decryption device, authenticated encryption system, authenticated encryption method, and program
WO2016088453A1 (ja) Encryption device, decryption device, cryptographic processing system, encryption method, decryption method, encryption program, and decryption program
JP7323196B2 (ja) Encryption device, encryption method, program, decryption device, and decryption method
US11108552B1 (en) Data encryption method and system
CN115632765A (zh) Encryption method, decryption method, device, electronic equipment, and storage medium
US20250365130A1 (en) Authenticated encryption apparatus, authenticated decryption apparatus, authenticated encryption system, method, and non-transitory computer readable medium
US20240235811A1 (en) Authenticated encryption apparatus, authenticated decryption apparatus, authenticated encryption system, method, and computer readable medium
KR20080072345A (ko) Encryption device and method thereof
US20250015984A1 (en) Use Of Quantum Resistant Iterative Keypads For Large Files
CN115603892A (zh) Method for performing cryptographic operations, corresponding processing device, and computer program product
CN117615471B (zh) FPGA-based system and method for secure transmission of wireless communication data
US20250070955A1 (en) Information processing apparatus, method, and non-transitory computer readable medium
JP2015082077A (ja) Encryption device, control method, and program
JP2024174738A (ja) Authenticated encryption device, authenticated decryption device, authenticated encryption system, method, and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20931825; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2022516562; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20931825; Country of ref document: EP; Kind code of ref document: A1)