WO2022049655A1 - Information processing device, information processing method, and non-transitory computer-readable medium storing a program - Google Patents

Information processing device, information processing method, and non-transitory computer-readable medium storing a program

Info

Publication number
WO2022049655A1
Authority
WO
WIPO (PCT)
Prior art keywords
input
replacement
processing
bit
nibble
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2020/033183
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
一彦 峯松
孝典 五十部
光星 阪本
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
University of Hyogo
Original Assignee
NEC Corp
University of Hyogo
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp, University of Hyogo
Priority to US18/024,195 (US20230297693A1)
Priority to JP2022546765A (JP7527541B2)
Priority to PCT/JP2020/033183 (WO2022049655A1)
Publication of WO2022049655A1
Anticipated expiration
Legal status: Ceased

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/16 Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/582 Pseudo-random number generators
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators

Definitions

  • the present disclosure relates to an information processing device, an information processing method, and a non-transitory computer-readable medium in which a program is stored.
  • For general common key encryption methods, latency refers to the time from the start of processing until the first output result is obtained, and a smaller value is desirable.
  • delay is particularly problematic for protection of the memory bus inside a computer and for communication that requires real-time processing, such as control of online games and unmanned aerial vehicles, so low delay is desirable.
  • memory protection has become particularly widespread.
  • CPUs Central Processing Units
  • Non-Patent Document 1 There is.
  • delay refers to the time or amount of processing until the first ciphertext block appears when a plaintext consisting of multiple blocks is input.
  • the amount of encryption processing per hour (throughput) can be improved by parallelizing the processing with hardware.
  • parallelization is not effective in reducing the delay.
  • a full unrolled implementation that expands the loop processing inside the encryption processing is common. At this time, the delay is determined by the length of the critical path of the circuit of the fully unrolled implementation.
  • PRINCE is a type of 64-bit block lightweight block cipher.
  • ordinary lightweight block ciphers repeat a lot of relatively simple round functions
  • PRINCE uses a relatively large round function and is devised with measures such as placing a keyless replacement layer in the middle of the encryption process. As a result, it succeeds in ensuring security with a small number of rounds and, consequently, in reducing delay.
  • the lightweight block cipher Midori of Non-Patent Document 3 is a block cipher having 64-bit block and 128-bit block versions. It was originally designed for energy saving, but its number of rounds is relatively small, and it is also excellent as a low-delay cipher.
  • QARMA of Non-Patent Document 4 is a lightweight tweakable block cipher, which is a low-delay cipher developed for the purpose of memory encryption.
  • Non-Patent Document 5 discloses the GCM mode, which is a block cipher mode of operation. Further, Non-Patent Document 6 discloses a pseudo-random function (PRF) having high security.
  • GCM mode, which is a block cipher mode of operation.
  • PRF pseudo-random function
  • PRINCE is a 64-bit block cipher
  • the input width is 64 bits
  • the key needs to be updated at approximately the stage when O(2^32) blocks have been processed. This poses practical difficulties for applications that process large amounts of data at high speeds, such as memory protection.
  • Midori's 128-bit input width version (Midori-128) and QARMA's 128-bit input width version have low delay, but due to the large block size, their delay is not as low as that of PRINCE.
  • a cryptographic primitive with a 128-bit input width and excellent low latency is important.
  • the amount of data required for the above-mentioned birthday attack is O(2^64) blocks, which greatly improves security.
  • the present disclosure has been made to solve such problems, and an object of the present disclosure is to provide an information processing device, an information processing method, and a program capable of realizing an encryption process having a low delay and a large input width.
  • the information processing apparatus has: an input receiving means that accepts plaintext input with 128 bits as the unit of one block; a first replacement processing means that outputs the first intermediate sentence by repeating the first replacement process a times (where a is a predetermined integer) with the plaintext for one block as the first input; a second replacement processing means that outputs the second intermediate sentence by repeating the second replacement process b times (where b is a predetermined integer) with the first intermediate sentence as the first input; and a termination processing means that performs termination processing to output a ciphertext with the second intermediate sentence as input.
  • the first replacement process is a replacement process in which the following are performed in order: addition processing that adds a round key and a round constant to the input; S-box processing that applies a 4-bit S-box, which is a non-linear function that converts a 4-bit input to a 4-bit output, to each nibble; bit replacement processing that sorts the input bit by bit; and matrix product processing that divides the input into 8 words of 4 nibbles each and applies the Almost MDS matrix transformation of 4 rows and 4 columns to each word.
  • the second replacement process is a replacement process in which the addition processing, the S-box processing, nibble replacement processing that sorts the input by nibble, and the matrix product processing are performed in order.
  • the termination process is a replacement process in which the S-box processing and the addition processing are performed in order.
  • the first substitution process is repeated a times (where a is a predetermined integer), and the first intermediate sentence is output.
  • the second substitution process is repeated b times (where b is a predetermined integer) to output the second intermediate sentence.
  • the termination process of outputting the ciphertext with the second intermediate sentence as an input is performed.
  • the first replacement process is a replacement process in which the following are performed in order: addition processing that adds a round key and a round constant to the input; S-box processing that applies a 4-bit S-box, which is a non-linear function that converts a 4-bit input to a 4-bit output, to each nibble; bit replacement processing that sorts the input bit by bit; and matrix product processing that divides the input into 8 words of 4 nibbles each and applies the Almost MDS matrix transformation of 4 rows and 4 columns to each word.
  • the second replacement process is a replacement process in which the addition processing, the S-box processing, nibble replacement processing that sorts the input by nibble, and the matrix product processing are performed in order.
  • the termination process is a replacement process in which the S-box processing and the addition processing are performed in order.
  • the program according to the third aspect of the present disclosure causes a computer to execute: an input reception step that accepts plaintext input with 128 bits as the unit of one block; a first replacement processing step that outputs the first intermediate sentence by repeating the first replacement process a times (where a is a predetermined integer) with the plaintext for one block as the first input; and a second replacement processing step that outputs the second intermediate sentence by repeating the second replacement process b times (where b is a predetermined integer) with the first intermediate sentence as the first input.
  • the computer is made to execute the termination processing step of performing the termination processing of outputting the ciphertext by inputting the second intermediate sentence.
  • the first replacement process is a replacement process in which the following are performed in order: addition processing that adds a round key and a round constant to the input; S-box processing that applies a 4-bit S-box, which is a non-linear function that converts a 4-bit input to a 4-bit output, to each nibble; bit replacement processing that sorts the input bit by bit; and matrix product processing that divides the input into 8 words of 4 nibbles each and applies the Almost MDS matrix transformation of 4 rows and 4 columns to each word.
  • the second replacement process is a replacement process in which the addition processing, the S-box processing, nibble replacement processing that sorts the input by nibble, and the matrix product processing are performed in order.
  • the termination process is a replacement process in which the S-box processing and the addition processing are performed in order.
  • an information processing device, an information processing method, and a program capable of realizing an encryption process having a low delay and a large input width.
  • FIG. It is a block diagram which shows an example of the structure of the information processing apparatus which concerns on the outline of embodiment. It is a schematic diagram which shows an example of the structure of the information processing apparatus which concerns on Embodiment 1.
  • FIG. It is a schematic diagram explaining the first condition. It is a schematic diagram explaining the second condition. It is a flowchart which shows an example of the operation flow of the information processing apparatus which concerns on Embodiment 1.
  • FIG. It is a schematic diagram which shows the round function of the first substitution processing (however, excluding the addition processing of a round key and a round constant with respect to an input).
  • It is a schematic diagram which shows the round function of the 2nd substitution processing (however, excluding the addition processing of a round key and a round constant with respect to an input).
  • FIG. 1 It is a schematic diagram which shows the round function of the comparative example (however, excluding the addition processing of a round key and a round constant with respect to an input). It is a schematic diagram which shows an example of the structure of the information processing apparatus which concerns on Embodiment 2.
  • FIG. 2 It is a flowchart which shows an example of the operation flow of the information processing apparatus which concerns on Embodiment 2.
  • FIG. 1 is a block diagram showing an example of the configuration of the information processing apparatus 10 according to the outline of the embodiment.
  • the information processing apparatus 10 includes an input receiving unit 11, a first replacement processing unit 12, a second replacement processing unit 13, and a terminal processing unit 14.
  • the input reception unit 11 accepts plaintext input with 128 bits as a unit of one block.
  • the first replacement processing unit 12 repeats the first replacement processing a times with the plaintext for one block received by the input reception unit 11 as the first input, and outputs the first intermediate sentence.
  • a is an arbitrary predetermined integer.
  • the second replacement processing unit 13 takes the first intermediate sentence output by the first replacement processing unit 12 as the first input, repeats the second replacement process b times, and outputs the second intermediate sentence.
  • b is an arbitrary predetermined integer.
  • the termination processing unit 14 performs termination processing for outputting a ciphertext by inputting a second intermediate sentence output by the second replacement processing unit 13.
  • the first replacement process described above is a replacement process in which the addition process, the S-box process, the bit replacement process, and the matrix product process are performed in order.
  • the addition process is a process of adding a round key and a round constant to an input.
  • the S-box process is a process that applies a 4-bit S-box to each nibble for input.
  • the 4-bit S-box is a non-linear function that converts a 4-bit input into a 4-bit output.
  • the bit replacement process is a process of rearranging inputs in bit units.
  • the matrix multiplication process is a process in which the input is divided into eight words for every four nibbles, and the Almost MDS matrix transformation of 4 rows and 4 columns is applied to each word.
  • the second replacement process described above is a replacement process in which the addition process, the S-box process, the nibble replacement process, and the matrix product process are performed in order.
  • the addition process, the S-box process, and the matrix product process performed in the second replacement process are the same processes as the process performed in the first replacement process.
  • a nibble replacement process is performed instead of the bit replacement process.
  • the nibble replacement process is a process of rearranging inputs in nibble units.
  • termination processing is a replacement processing in which the S-box processing and the addition processing are performed in order.
  • the S-box processing and the addition processing performed in the termination processing are the same processing as the processing performed in the first replacement processing.
  • with the information processing apparatus 10 having such a configuration, it is possible to realize an encryption process having a low delay and a large input width.
  • FIG. 2 is a schematic diagram showing an example of the configuration of the information processing apparatus 100 according to the first embodiment.
  • the information processing apparatus 100 includes an input receiving unit 110, a first replacement processing unit 120, a second replacement processing unit 130, a termination processing unit 140, and an output control unit 150.
  • the input receiving unit 110, the first replacement processing unit 120, the second replacement processing unit 130, and the termination processing unit 140 are the input receiving unit 11, the first replacement processing unit 12, and the second.
  • the information processing device 100 according to the present embodiment is also referred to as a block encryption device. Further, in the present embodiment, the length of one block is 128 bits. Therefore, the information processing device 100 is a block encryption device having an input width of 128 bits.
  • the input receiving unit 110 is a hardware circuit that receives an input to the information processing device 100.
  • the input receiving unit 110 receives data input via an input device such as a keyboard.
  • the input receiving unit 110 accepts the input of the plaintext M.
  • the input receiving unit 110 accepts plaintext input with 128 bits as a unit of one block.
  • the first replacement processing unit 120 performs processing with the block as a processing unit.
  • the first replacement processing unit 120 is a hardware circuit that outputs the first intermediate sentence S1 by repeating the first replacement processing a times with the plaintext for one block received by the input reception unit 110 as the first input. In the second and subsequent times in the repeated first replacement process, the processing result of the previous first replacement process is used as the input of the first replacement process.
  • the value of a that defines the number of repetitions is predetermined.
  • as the first replacement processing, the first replacement processing unit 120 performs addition processing 161 first, then S-box processing 162, then bit replacement processing 163, and finally matrix product processing 164.
  • the addition process 161 is a process of adding a round key and a round constant to the input.
  • the input of the addition process 161 is 128-bit data.
  • the addition process 161 will be specifically described.
  • the following process is performed using the 128-bit input X, the secret key K, and the loop counter i.
  • the round key K_i which is a value determined by the secret key K and the counter i
  • the round constant c_i which is a value determined by the counter i
  • the lengths of the round key K_i calculated from the secret key K and the counter i and of the round constant c_i calculated from the counter i are at most 128 bits; if the number of bits is less than 128, it is adjusted to 128 bits by zero padding.
  • the secret key K may be one received by the input receiving unit 110, or predetermined key data stored in advance by the information processing apparatus 100 may be used.
  • the secret key K is, for example, an arbitrary bit string of 128 bits or 256 bits, but the number of bits of the secret key K is not limited to these.
  • the round key K_i and the round constant c_i are derived as follows.
  • the secret key K is 128 bits
  • the round key K_i is the first 64 bits of the secret key K if the counter i is even, and the latter 64 bits if the counter i is odd.
  • the round constant c_i is 4 bits extracted from the bit representation of pi (3.14159...) according to the value of the counter i.
  • in the addition process 161, a process of adding the round constant c_i and the round key K_i to the input X is performed next.
  • this addition is, for example, an exclusive OR, but it may be an arithmetic addition or the like.
  • a 128-bit data string is output as the addition result.
  • the S-box process 162 is a process of applying a 4-bit S-box, which is a 4-bit nonlinear function, in parallel to an input. Since the input is 128 bits in this embodiment, 32 4-bit S-boxes are applied in parallel in the S-box process 162. As described above, in the S-box process 162, the 4-bit S-box is applied to the input for each nibble. Then, the S-box process 162 outputs a 128-bit data string.
  • the S-box is required to be full diffusion in the 4-bit range. That is, if the 4-bit input of the S-box is x and the 4-bit output of the S-box is y, it is required that each bit of y depends on all the bits of x.
  • where x[i] is the i-th bit of x and y[i] is the i-th bit of y, each y[i] is required to be expressed by a logical formula using all of x[1], x[2], x[3], x[4].
  • Any S-box can be used as such an S-box, but as an example, Midori's Sb1, defined as a substitution as shown in the table below, may be used. In the table below, the input x and the output Sb1(x) are expressed in hexadecimal.
  • the bit replacement process 163 is a process of rearranging the input in bit units, rearranging the input 128-bit (that is, 32 nibbles) data string, and outputting a 128-bit data string.
  • when the loop consisting of addition processing 161, S-box processing 162, bit replacement processing 163, and matrix product processing 164 is taken as one round, it can be shown that, if the bit replacement is optimal in terms of diffusion performance, 128-bit data is fully diffused in 2.5 rounds.
  • the 2.5 round means to perform up to the middle of the third round, and more specifically, to perform the addition process 161 and the S-box process 162 of the third round. Therefore, the value of the number of repetitions a of the first replacement process may be 3.
  • the input 32 nibbles are X(1), ..., X(32)
  • the output 32 nibbles are Y(1), ..., Y(32)
  • the outputs are grouped by 4 nibbles.
  • W(1) = [Y(1), Y(2), Y(3), Y(4)]
  • the nibbles to which the 4 bits B(i,1), B(i,2), B(i,3), B(i,4) of the input X(i) are mapped are Y(a), Y(b), Y(c), Y(d), respectively (where a, b, c, d are all integers of 1 or more and 32 or less).
  • the bit replacement process 163 for guaranteeing total diffusion in 2.5 rounds is a process for performing sorting that satisfies the following first condition and second condition.
  • the nibble position at inputs X (1), ..., X (32) is Y (j [1]), Y (j [2]), at Y (1), ..., Y (32).
  • Map covers more than one nibble in all of W (1), ..., W (8).
  • FIG. 3 is a schematic diagram illustrating the first condition.
  • 32 S-boxes 170 applied in parallel in the S-box process 162 and 8 matrices 171 applied in parallel in the matrix product processing 164 described later are shown, and the bit replacement process 163 is represented as arrows extending from the outputs of the S-boxes 170 to the inputs of the matrices 171.
  • the output of a total of 32 nibbles by each S-box 170 corresponds to the inputs X(1), ..., X(32) of 32 nibbles in the bit replacement process 163.
  • the input of a total of 32 nibbles in each matrix 171 corresponds to the outputs Y(1), ..., Y(32) of 32 nibbles in the bit replacement process 163.
  • the output 4 bits of each S-box 170 are mapped to the inputs of different matrices 171.
  • in FIG. 3, only the map destinations of the 4 bits (X(1)) output from the leftmost S-box 170 are shown so as not to impair the legibility of the figure.
  • the first bit B(1,1) of X(1) is mapped to Y(1), which constitutes W(1)
  • the second bit B(1,2) of X(1) is mapped to Y(6), which constitutes W(2)
  • the third bit B(1,3) of X(1) is mapped to Y(15), which constitutes W(4).
  • the fourth bit B(1,4) of X(1) is mapped to Y(18), which constitutes W(5).
  • FIG. 4 is a schematic diagram illustrating the second condition. Also in FIG. 4, similarly to FIG. 3, 32 S-boxes 170 applied in parallel in the S-box processing 162 and 8 matrices 171 applied in parallel in the matrix product processing 164 described later are shown. The bit replacement process 163 is represented as arrows extending from the outputs of the S-boxes 170 to the inputs of the matrices 171.
  • the maps of the input 12 nibbles X(j[1]), X(j[2]), ..., X(j[12]) cover more than 2 nibbles in all of W(1), ..., W(8).
  • the 12 nibbles X(j[1]), X(j[2]), ..., X(j[12]) are the nibbles of the input X(1), ..., X(32)
  • whose nibble positions correspond to the positions of Y(j[1]), Y(j[2]), ..., Y(j[12]) in Y(1), ..., Y(32).
  • Y(j[1]), Y(j[2]), ..., Y(j[12]) are the 12 nibbles obtained by excluding Y(a), Y(b), Y(c), and Y(d) from the words W(j) to which the nibbles Y(a), Y(b), Y(c), Y(d), that is, the nibbles to which the 4 bits B(i,1), B(i,2), B(i,3), B(i,4) of the input X(i) are mapped, belong.
  • an example is shown in which the 4 bits B(1,1), B(1,2), B(1,3), B(1,4) of the input X(1) are considered as the 4 bits B(i,1), B(i,2), B(i,3), B(i,4) of the input X(i).
  • in this example, i = 1.
  • Y(a), Y(b), Y(c), and Y(d) are the nibbles of the map destinations indicated by the dashed arrows, specifically Y(1), Y(6), Y(15), and Y(18).
  • Y(j[1]), Y(j[2]), ..., Y(j[12]) are the 12 nibbles obtained by excluding Y(1), Y(6), Y(15), and Y(18) from the words W(j) to which the nibbles Y(1), Y(6), Y(15), and Y(18) belong.
  • Y(1) belongs to W(1)
  • Y(6) belongs to W(2)
  • Y(15) belongs to W(4)
  • Y(18) belongs to W(5).
  • Y(j[1]), Y(j[2]), ..., Y(j[12]) are specifically Y(2), Y(3), Y(4), Y(5), Y(7), Y(8), Y(13), Y(14), Y(16), Y(17), Y(19), and Y(20). Therefore, the 12 nibbles X(j[1]), X(j[2]), ..., X(j[12]) are specifically X(2), X(3), X(4), X(5), X(7), X(8), X(13), X(14), X(16), X(17), X(19), and X(20).
  • the maps of, X(17), X(19), and X(20) are shown by thick arrows, but only some of the bits are shown so as not to impair the legibility of the figure.
  • for each W(j) of W(2), W(3), W(4), W(5), W(6), W(7), and W(8) as well, two or more of the four nibbles Y(k), Y(k+1), Y(k+2), and Y(k+3) are selected as map destinations.
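The first and second conditions can be checked mechanically for any candidate bit permutation. The Python below is an added example, not code from the patent: it uses 0-based indices, takes "two or more covered nibbles per word" from the FIG. 4 walk-through as the default threshold (`min_cover`), and the sample permutations built by the hypothetical helper `rotating_perm` are constructed for illustration because the page does not list the actual bit permutation.

```python
# Added example: checker for the first and second conditions on the bit
# replacement process. Indices are 0-based: nibble X(n) on the page is n-1 here.

NIBBLES = 32   # 128-bit state = 32 nibbles
WORDS = 8      # W(1)..W(8), four consecutive nibbles each


def is_bit_permutation(perm):
    """perm[src_bit] = dst_bit must be a bijection on the 128 bit positions."""
    return sorted(perm) == list(range(4 * NIBBLES))


def dest_nibbles(perm, i):
    """Output nibbles Y(a), Y(b), Y(c), Y(d) that receive the 4 bits of X(i)."""
    return [perm[4 * i + b] // 4 for b in range(4)]


def first_condition(perm):
    """The 4 output bits of every S-box land in 4 different words (matrices)."""
    return all(
        len({y // 4 for y in dest_nibbles(perm, i)}) == 4 for i in range(NIBBLES)
    )


def coverage(perm, i):
    """Per-word count of nibbles reached from the 'other' nibbles of X(i).

    The other nibbles are the remaining positions of the words that X(i) is
    mapped into (12 of them when the first condition holds); the input nibbles
    at those positions are followed through the permutation once more.
    """
    dests = set(dest_nibbles(perm, i))
    words = sorted({y // 4 for y in dests})
    others = [n for w in words for n in range(4 * w, 4 * w + 4) if n not in dests]
    reached = {y for j in others for y in dest_nibbles(perm, j)}
    return [sum(1 for y in reached if y // 4 == w) for w in range(WORDS)]


def second_condition(perm, min_cover=2):
    """Every word receives at least min_cover nibbles, for every start nibble."""
    return all(min(coverage(perm, i)) >= min_cover for i in range(NIBBLES))


def rotating_perm(offsets):
    """Constructed sample permutation (hypothetical, not the patent's).

    Bit b of nibble r in word q goes to bit b of nibble r in word
    (q + offsets[b]) mod 8, which is a bijection for any offsets.
    """
    perm = [0] * (4 * NIBBLES)
    for i in range(NIBBLES):
        q, r = divmod(i, 4)
        for b in range(4):
            w = (q + offsets[b]) % WORDS
            perm[4 * i + b] = 4 * (4 * w + r) + b
    return perm


def check(perm):
    """(is a permutation, first condition holds, second condition holds)."""
    return (is_bit_permutation(perm), first_condition(perm), second_condition(perm))


# Word offsets 0, 1, 3, 4 mirror the page's X(1) example (W(1), W(2), W(4), W(5)).
GOOD = rotating_perm((0, 1, 3, 4))
# Even offsets spread each S-box over 4 words but never reach the odd words.
WEAK = rotating_perm((0, 2, 4, 6))
# No bit movement at all: fails the first condition.
IDENTITY = list(range(4 * NIBBLES))

if __name__ == "__main__":
    for name, perm in (("GOOD", GOOD), ("WEAK", WEAK), ("IDENTITY", IDENTITY)):
        print(name, check(perm), coverage(perm, 0))
```

`WEAK` shows why the first condition alone is not sufficient: each S-box output still reaches four different words, yet half of the words are never reached in the second step.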
  • the matrix multiplication process 164 is a process of dividing the input into eight words of four nibbles each, applying the Almost MDS matrix transformation of four rows and four columns to each word, and outputting a total of 128-bit data strings.
  • in the matrix product processing 164 performed as the first replacement processing, the Almost MDS matrix conversion is performed for each of the words W(1), ..., W(8).
  • the matrix product processing 164 may be performed as a second replacement processing. In this case, the output of the nibble replacement processing 165 is divided into eight words of four nibbles each, and the Almost MDS matrix conversion is performed on each word.
  • the following matrix is the Almost MDS matrix.
  • b_1 = a_2 + a_3 + a_4
  • b_2 = a_1 + a_3 + a_4
  • b_3 = a_1 + a_2 + a_4
  • b_4 = a_1 + a_2 + a_3
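The four equations above fully determine the transformation, so its diffusion strength can be measured exhaustively. The following Python is an added example, not code from the patent; it assumes that "+" is nibble-wise exclusive OR (as in Midori, which the description cites) and computes the branch number of the 4x4 transformation, which comes out as 4 rather than the 5 of a true MDS matrix.

```python
# Added example: the Almost MDS transformation given by the b_1..b_4 equations.
# Assumption: "+" is bitwise XOR on 4-bit nibbles.
from itertools import product


def almost_mds(word):
    """Apply b_1..b_4 to one word (a_1, a_2, a_3, a_4) of four nibbles."""
    a1, a2, a3, a4 = word
    return (a2 ^ a3 ^ a4, a1 ^ a3 ^ a4, a1 ^ a2 ^ a4, a1 ^ a2 ^ a3)


def weight(word):
    """Number of non-zero (active) nibbles in a word."""
    return sum(1 for nib in word if nib)


def branch_number():
    """min over non-zero inputs of (active input nibbles + active output nibbles)."""
    return min(
        weight(w) + weight(almost_mds(w))
        for w in product(range(16), repeat=4)
        if any(w)
    )


def is_involution():
    """True when applying the transformation twice returns every input word."""
    return all(
        almost_mds(almost_mds(w)) == w for w in product(range(16), repeat=4)
    )


def matrix_product_layer(state):
    """Matrix product processing on a 32-nibble state: 8 words of 4 nibbles."""
    if len(state) != 32 or any(not 0 <= n <= 0xF for n in state):
        raise ValueError("state must be 32 nibbles")
    out = []
    for k in range(0, 32, 4):
        out.extend(almost_mds(tuple(state[k:k + 4])))
    return out


def single_nibble_demo():
    """Constructed input: one active nibble (value 0x9 at index 5)."""
    state = [0] * 32
    state[5] = 0x9
    return matrix_product_layer(state)


if __name__ == "__main__":
    print("branch number:", branch_number())
    print("involution:", is_involution())
    print("one active nibble ->", single_nibble_demo()[4:8])
```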
  • the first replacement processing unit 120 repeats the first replacement processing a times and outputs the first intermediate sentence S1.
  • the addition process 161 is performed on the plaintext for one block received by the input reception unit 110.
  • the S-box process 162 is performed on the result of the addition process 161
  • the bit replacement process 163 is performed on the result of the S-box process 162
  • the matrix product process 164 is performed on the result of the bit replacement process 163.
  • the result of the matrix product processing 164 in the first substitution processing is used for the input of the addition processing 161 in the second first substitution processing.
  • the S-box process 162 in the second first replacement process is performed on the result of the addition process 161 in the second first replacement process. After that, the process is performed in the same manner, and the first replacement process is repeated a times.
  • when the first replacement processing unit 120 has repeated the first replacement processing a times, it outputs the final processing result as the first intermediate sentence S1 to the second replacement processing unit 130.
  • the second replacement processing unit 130 is a hardware circuit that outputs the second intermediate sentence S2 by repeating the second replacement processing b times with the first intermediate sentence S1, which is a 128-bit data string output by the first replacement processing unit 120, as the first input. In the second and subsequent times in the repeated second replacement process, the processing result of the previous second replacement process is used as the input of the second replacement process.
  • the value of b that defines the number of repetitions is predetermined.
  • as the second replacement processing, the second replacement processing unit 130 performs addition processing 161 first, then S-box processing 162, then nibble replacement processing 165, and finally matrix product processing 164. Since the addition process 161, the S-box process 162, and the matrix product process 164 performed as the second replacement process are the same as these processes performed as the first replacement process, the description thereof will be omitted.
  • the nibble replacement process 165 is a process of sorting the input in nibble units; it sorts the input 32-nibble (that is, 128-bit) data string and outputs a 32-nibble (that is, 128-bit) data string.
  • a process is performed so that the number of Active S-boxes reaches a predetermined value in a small number of rounds.
  • the predetermined value is specifically the value at which the product of the exponent of the maximum differential probability of the S-box and the number of Active S-boxes is -128. In the case of a 4-bit S-box, the maximum differential probability of the S-box is 2^-2, so this predetermined value is specifically 64.
  • the nibble replacement process 165 guarantees an Active S-box number of 64, for example, in 5 rounds. Therefore, the value of the number of repetitions b of the second replacement process may be 5. For example, the following nibble replacement process 165 guarantees an Active S-box number of 64 in 5 rounds.
  • An index from 0 to 31 is sequentially assigned to the input bit string every 4 bits, and the rearrangement of the nibble replacement process 165 is expressed by changing the order of the indexes. For example, in the nibble replacement process 165, the index sequence at the time of input is (0, 1, ..., 31), and the index sequence at the time of output is (10, 27, 5, 1, 30, 23, 16).
  • a sorting process in which the index sequence at the time of input is (0, 1, ..., 31)
  • and the index sequence at the time of output is (26, 13, 7, 11, 29, 0, 17, 21, 23, 5, 18, 25, 12, 10, 28, 2, 14, 19, 24, 22, 1, 8, 4, 31, 15, 6, 27, 9, 16, 30, 20, 3).
  • the nibble replacement process 165 is a process that satisfies a predetermined condition on the number of rounds (number of repetitions of the process) of the nibble replacement process 165 required for the number of Active S-boxes to be equal to or greater than a predetermined value.
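The S-box requirements stated in the description (full diffusion within 4 bits, and a maximum differential probability of 2^-2 that leads to the target of 64 Active S-boxes) can be verified directly from an S-box table. The following Python is an added example, not code from the patent; the `MIDORI_SB1` table is taken from the published Midori specification because the page names Sb1 but does not reproduce its table, and `IDENTITY` is a constructed counter-example.

```python
# Added example: checks on a 4-bit S-box for the two properties the
# description relies on.
from math import ceil, log2

# Midori Sb1 from the published Midori specification (assumption: this is the
# table the description refers to; it is not reproduced on the page).
MIDORI_SB1 = [0x1, 0x0, 0x5, 0x3, 0xE, 0x2, 0xF, 0x7,
              0xD, 0xA, 0x9, 0xB, 0xC, 0x8, 0x4, 0x6]
IDENTITY = list(range(16))  # constructed counter-example: no diffusion at all


def dependency_matrix(sbox):
    """dep[k][j] is True when flipping input bit j can change output bit k."""
    dep = [[False] * 4 for _ in range(4)]
    for x in range(16):
        for j in range(4):
            diff = sbox[x] ^ sbox[x ^ (1 << j)]
            for k in range(4):
                if (diff >> k) & 1:
                    dep[k][j] = True
    return dep


def has_full_diffusion(sbox):
    """Every output bit depends on every input bit."""
    return all(all(row) for row in dependency_matrix(sbox))


def max_ddt_entry(sbox):
    """Largest difference distribution table entry over non-zero input differences."""
    best = 0
    for din in range(1, 16):
        counts = [0] * 16
        for x in range(16):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        best = max(best, max(counts))
    return best


def mdp_exponent(sbox):
    """log2 of the maximum differential probability (-2.0 means 2^-2)."""
    return log2(max_ddt_entry(sbox) / 16)


def required_active_sboxes(sbox, block_bits=128):
    """Smallest n with n * exponent <= -block_bits, or None if no n exists."""
    exponent = mdp_exponent(sbox)
    if exponent == 0:
        return None  # some difference passes with probability 1
    return ceil(block_bits / -exponent)


if __name__ == "__main__":
    for name, sbox in (("Midori Sb1", MIDORI_SB1), ("identity", IDENTITY)):
        print(name, has_full_diffusion(sbox), max_ddt_entry(sbox),
              required_active_sboxes(sbox))
```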
  • the second replacement processing unit 130 repeats the second replacement processing b times and outputs the second intermediate sentence S2.
  • In the first iteration of the second replacement process, the addition process 161 is performed on the data string output by the first replacement processing unit 120, the S-box process 162 is performed on the result of the addition process 161, the nibble replacement process 165 is performed on the result of the S-box process 162, and the matrix product process 164 is performed on the result of the nibble replacement process 165.
  • The result of the matrix product process 164 in the first iteration of the second replacement process is used as the input of the addition process 161 in the second iteration of the second replacement process.
  • The S-box process 162 in the second iteration is performed on the result of the addition process 161 in the second iteration. After that, the process is performed in the same manner, and the second replacement process is repeated b times.
  • When the second replacement processing unit 130 has repeated the second replacement process b times, it outputs the final processing result as the second intermediate sentence S2 to the termination processing unit 140.
  • the termination processing unit 140 is a hardware circuit that performs termination processing to output the ciphertext C by inputting the second intermediate sentence S2, which is a 128-bit data string output by the second replacement processing unit 130.
  • The termination processing unit 140 first performs the S-box process 162, and then performs the addition process 161. That is, the termination processing unit 140 first performs the S-box process 162 on the second intermediate sentence S2 output by the second replacement processing unit 130, and then performs the addition process 161 on the result of the S-box process 162. Then, the termination processing unit 140 outputs the result of the addition process 161 as the ciphertext C.
  • the output control unit 150 is a hardware circuit that controls to output the processing result of the termination processing unit 140 to an output device such as a display. That is, the output control unit 150 controls to output the ciphertext C to the output device.
  • FIG. 5 is a flowchart showing an example of the operation flow of the information processing apparatus 100.
  • the operation flow of the information processing apparatus 100 will be described with reference to FIG.
  • In step S10, the input receiving unit 110 accepts the input of the plaintext M.
  • In step S11, the first replacement processing unit 120 performs the addition processing 161.
  • In step S12, the first replacement processing unit 120 performs the S-box processing 162.
  • In step S13, the first replacement processing unit 120 performs the bit replacement processing 163.
  • In step S14, the first replacement processing unit 120 performs the matrix product processing 164.
  • In step S15, the first replacement processing unit 120 determines whether or not the series of processes from step S11 to step S14 has been repeated a times. If it has not been repeated a times, the first replacement processing unit 120 performs the series of processes from step S11 to step S14 again. On the other hand, when it has been repeated a times, step S16 is performed.
  • The value of a is 3.
  • In step S16, the second replacement processing unit 130 performs the addition processing 161.
  • In step S17, the second replacement processing unit 130 performs the S-box processing 162.
  • In step S18, the second replacement processing unit 130 performs the nibble replacement processing 165.
  • In step S19, the second replacement processing unit 130 performs the matrix product processing 164.
  • In step S20, the second replacement processing unit 130 determines whether or not the series of processes from step S16 to step S19 has been repeated b times. If it has not been repeated b times, the second replacement processing unit 130 performs the series of processes from step S16 to step S19 again. On the other hand, when it has been repeated b times, step S21 is performed.
  • The value of b is 5.
  • In step S21, the termination processing unit 140 performs the S-box processing 162.
  • In step S22, the termination processing unit 140 performs the addition processing 161.
  • In step S23, the output control unit 150 outputs the 128-bit bit string obtained in step S22 to the display or the like as the ciphertext C.
  • the value of a may be greater than 3 and the value of b may be greater than 5 for greater security.
  • the round function of this embodiment is based on the Substitution-Permutation Network (SPN) using the Almost MDS matrix introduced in Midori, but unlike Midori, it uses a plurality of different linear layers. Specifically, bit substitution is used in the first half round (first substitution processing) (see FIG. 6), and nibble substitution is used in the second half round (second substitution processing) (see FIG. 7).
  • FIG. 6 is a schematic diagram showing the round function of the first substitution processing (excluding, however, the addition of the round key and the round constant to the input).
  • Further, FIG. 7 is a schematic diagram showing the round function of the second replacement process (excluding, however, the addition of the round key and the round constant to the input).
  • Midori-128 also uses bit substitution and nibble substitution, but Midori is different from this embodiment in that both are used in a single round.
  • The bit substitution of Midori-128 is used to make two 4-bit S-boxes arranged side by side function as an 8-bit S-box, and this is achieved by arranging bit substitutions on the 8 bits of the output (see FIG. 8).
  • FIG. 8 is a schematic diagram showing Midori's round function (however, excluding the round key and round constant addition processing for the input).
  • The bit substitution of the present embodiment is for mixing the entire 128 bits.
  • The reason why this embodiment uses bit substitution in the first-half rounds is to secure, in a small number of rounds, full diffusion, which is important in cryptographic security evaluation, that is, the property that a change in arbitrary input data spreads to the entire output. Bit substitution can improve the diffusion performance because it divides the data into smaller pieces than nibble substitution.
  • When the addition process 161, S-box process 162, bit replacement process 163, and matrix product process 164 are counted as one round, any bit replacement satisfying the above-mentioned first condition and second condition guarantees full diffusion in, for example, 2.5 rounds.
  • the 2.5 round means to perform up to the middle of the third round, and more specifically, to perform the addition process 161 and the S-box process 162 of the third round.
  • When nibble substitution is used instead of bit substitution, at least 4 rounds are required to guarantee full diffusion.
  • In Midori-128, bit substitution and nibble substitution are combined as described above, but since the spread of a change through its bit substitution is small, full diffusion requires 3 rounds.
  • Midori-128 finally requires 20 rounds in total.
  • The reason why this embodiment uses nibble substitution in the second-half rounds (second substitution processing) is to secure an advantage in the number of Active S-boxes, which is a typical security evaluation index.
  • the number of Active S-boxes reflects the security against differential attacks, which is an important cryptographic analysis method. If it can be shown that the minimum value of the number of Active S-boxes is equal to or more than a predetermined value for any different input pair in a certain cipher, it can be said that the cipher has sufficient resistance to a differential attack.
  • Bit substitution has a fine granularity, so it is difficult to accurately derive the minimum number of Active S-boxes.
  • The number of rounds required to ensure that the minimum number of Active S-boxes is greater than or equal to a predetermined value increases. Therefore, the configuration of the present embodiment, in which bit substitution is used in the first-half rounds and is switched to nibble substitution after full diffusion, can ensure security with a small number of rounds. Since low-latency cryptography is generally implemented fully unrolled, the fact that the configuration changes between the first-half rounds (first replacement process) and the second-half rounds (second replacement process) does not become a problem for hardware implementation.
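
The second-half round described above (addition 161, S-box 162, nibble replacement 165, matrix product 164), written out as an added Python example that is not code from the patent. It uses the two output index sequences listed in the description; the S-box table, the round keys, the reading of an index sequence as "output position i takes input nibble perm[i]", and the use of Midori's binary Almost MDS matrix (each output nibble is the XOR of the other three in its word) are assumptions made for this example.

```python
# One "second replacement" round on a 128-bit state held as 32 nibbles.

# Output index sequences of nibble replacement 165, as listed in the description.
NIBBLE_PERM_1 = [10, 27, 5, 1, 30, 23, 16, 13, 21, 31, 6, 14, 0, 25, 11, 18,
                 15, 28, 19, 24, 7, 8, 22, 3, 4, 29, 9, 2, 26, 20, 12, 17]
NIBBLE_PERM_2 = [26, 13, 7, 11, 29, 0, 17, 21, 23, 5, 18, 25, 12, 10, 28, 2,
                 14, 19, 24, 22, 1, 8, 4, 31, 15, 6, 27, 9, 16, 30, 20, 3]

# ASSUMPTION: stand-in bijective 4-bit S-box chosen for this example;
# this section of the description does not list the S-box table.
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]
INV_SBOX = [SBOX.index(v) for v in range(16)]


def is_permutation(seq, n=32):
    """A usable nibble replacement must list every index 0..n-1 exactly once."""
    return sorted(seq) == list(range(n))


def inverse_permutation(perm):
    inv = [0] * len(perm)
    for out_pos, in_pos in enumerate(perm):
        inv[in_pos] = out_pos
    return inv


def add_round_key(state, rk):
    """Addition 161: XOR of the (round key + round constant) nibbles."""
    return [s ^ k for s, k in zip(state, rk)]


def sub_nibbles(state, box=SBOX):
    """S-box 162: the 4-bit S-box applied to each nibble."""
    return [box[s] for s in state]


def permute_nibbles(state, perm):
    """Nibble replacement 165. ASSUMPTION: output i takes input perm[i]."""
    return [state[p] for p in perm]


def mix_words(state):
    """Matrix product 164: 8 words of 4 nibbles, Almost MDS matrix per word.
    ASSUMPTION: Midori's binary matrix, out_i = XOR of the other three nibbles.
    The matrix is its own inverse."""
    out = []
    for w in range(0, 32, 4):
        a, b, c, d = state[w:w + 4]
        t = a ^ b ^ c ^ d
        out += [t ^ a, t ^ b, t ^ c, t ^ d]
    return out


def second_round(state, rk, perm):
    s = add_round_key(state, rk)
    s = sub_nibbles(s)
    s = permute_nibbles(s, perm)
    return mix_words(s)


def second_round_inverse(state, rk, perm):
    s = mix_words(state)
    s = permute_nibbles(s, inverse_permutation(perm))
    s = sub_nibbles(s, INV_SBOX)
    return add_round_key(s, rk)


def diff_spread(perm, rounds, flip_index=0):
    """Count differing nibbles per round for two inputs that differ in one
    nibble. Inputs and round keys are constructed sample values."""
    x = [(5 * i + 1) % 16 for i in range(32)]
    y = list(x)
    y[flip_index] ^= 0x1
    counts = []
    for r in range(rounds):
        rk = [(7 * r + 3 * i) % 16 for i in range(32)]
        x = second_round(x, rk, perm)
        y = second_round(y, rk, perm)
        counts.append(sum(1 for a, b in zip(x, y) if a != b))
    return counts


if __name__ == "__main__":
    for name, perm in (("perm 1", NIBBLE_PERM_1), ("perm 2", NIBBLE_PERM_2)):
        print(name, "valid:", is_permutation(perm),
              "active nibbles per round:", diff_spread(perm, 5))
```

A one-nibble input difference becomes exactly 3 active nibbles after the first round and can reach at most 9 and 27 after two and three rounds, so a nibble-level permutation cannot mix all 32 nibbles in fewer than 4 rounds.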
  • FIG. 9 is a schematic diagram showing an example of the configuration of the information processing apparatus 200 according to the second embodiment.
  • The information processing apparatus 200 includes an input reception unit 210, a first block encryption unit 220, a second block encryption unit 230, an addition unit 240, and an output control unit 250, and generates a pseudo-random number by using the encryption process described in the first embodiment.
  • the information processing device 200 according to this embodiment is also referred to as a pseudo-random function device.
  • the input receiving unit 210 is a hardware circuit that performs the same processing as the input receiving unit 110. That is, the input receiving unit 210 receives the input corresponding to the plaintext M in the first embodiment.
  • the input receiving unit 210 receives data input to the information processing device 200 via an input device such as a keyboard.
  • the first block encryption unit 220 and the second block encryption unit 230 are both hardware circuits that perform the encryption processing shown in the first embodiment. That is, the first block encryption unit 220 and the second block encryption unit 230 sequentially perform the processing of the first replacement processing unit 120, the second replacement processing unit 130, and the termination processing unit 140 described above.
  • the 128-bit data string received by the input reception unit 210 is encrypted. That is, both the first block encryption unit 220 and the second block encryption unit 230 output the ciphertext for the input M.
  • the first block cipher unit 220 and the second block cipher unit 230 output two different ciphertexts to the input M (that is, the same plaintext).
  • The first block cipher unit 220 outputs the first ciphertext X, and the second block cipher unit 230 outputs the second ciphertext Y.
  • The first block cipher unit 220 and the second block cipher unit 230 may output different ciphertexts X and Y by using different private keys (round keys), or may output different ciphertexts X and Y by performing different nibble substitutions. When performing different nibble substitutions, the first block cipher unit 220 and the second block cipher unit 230 may use the same private key (round key).
  • The second ciphertext Y may be a ciphertext obtained by using a key (round key) different from the key (round key) used for generating the first ciphertext X. Further, the second ciphertext Y may be a ciphertext obtained by using a nibble replacement process 165 whose rearrangement is different from the rearrangement in the nibble replacement process 165 used for generating the first ciphertext X.
  • The different sorts in the nibble replacement process 165 may be the two sorts described above. That is, when an index from 0 to 31 is assigned in order to each 4 bits of the input bit string and the rearrangement of the nibble replacement process 165 is expressed as a change in the order of the indexes, the different sorts in the nibble replacement process 165 may be as follows.
  • In the nibble replacement process 165 that performs the first sorting, the index order at the time of input is (0, 1, ..., 31), and the index order at the time of output is (10, 27, 5, 1, 30, 23, 16, 13, 21, 31, 6, 14, 0, 25, 11, 18, 15, 28, 19, 24, 7, 8, 22, 3, 4, 29, 9, 2, 26, 20, 12, 17).
  • In the nibble replacement process 165 that performs the second sorting, the index order at the time of input is (0, 1, ..., 31), and the index order at the time of output is (26, 13, 7, 11, 29, 0, 17, 21, 23, 5, 18, 25, 12, 10, 28, 2, 14, 19, 24, 22, 1, 8, 4, 31, 15, 6, 27, 9, 16, 30, 20, 3).
  • The first ciphertext X may be the ciphertext obtained by performing the first predetermined rearrangement as the nibble replacement process 165, and the second ciphertext Y may be the ciphertext obtained by performing the second predetermined rearrangement as the nibble replacement process 165.
  • the first block cipher unit 220 and the second block cipher unit 230 output the first ciphertext X and the second ciphertext Y to the addition unit 240.
  • The addition unit 240 is a hardware circuit that takes the first ciphertext X and the second ciphertext Y as inputs, adds them, and outputs the sum as a pseudo-random number. That is, the addition unit 240 generates a pseudo-random number C by adding the first ciphertext X and the second ciphertext Y, and outputs the pseudo-random number C. As a result, a 128-bit pseudo-random number C is output as a processing result of the addition unit 240.
  • This addition is, for example, an exclusive OR, but it may be an arithmetic addition or the like.
  • the output control unit 250 is a hardware circuit that controls to output the processing result of the addition unit 240 to an output device such as a display. That is, the output control unit 250 controls to output the pseudo-random number C to the output device.
  • FIG. 10 is a flowchart showing an example of the operation flow of the information processing apparatus 200. Hereinafter, the operation flow of the information processing apparatus 200 will be described with reference to FIG. 10.
  • In step S30, the input receiving unit 210 receives the input M.
  • In step S31, the first block cipher unit 220 generates the first ciphertext X, and the second block cipher unit 230 generates the second ciphertext Y.
  • In step S32, the addition unit 240 adds the first ciphertext X and the second ciphertext Y to generate a pseudo-random number C.
  • In step S33, the output control unit 250 outputs the bit string obtained in step S22 to the display or the like as a pseudo-random number C.
  • the amount of data required for a birthday attack will be O(2^64) blocks, which greatly improves security.
  • the 128-bit input width pseudo-random function realized by the information processing apparatus 200 is used in general encryption and authentication encryption modes (for example, counter mode and GCM mode).
  • the amount of data required for an attack is O(2^128) blocks. Therefore, encryption with sufficient security is possible even in the long term.
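
The construction of the second embodiment (C = X + Y with exclusive OR as the addition) at toy scale, as an added Python example that is not code from the patent. Two seeded random permutations of 12-bit blocks stand in for the first and second block cipher units; the block size, seeds and query count are assumptions chosen so the effect is visible. A single permutation never repeats an output on distinct inputs, which is the property a birthday-bound distinguisher tests for, while the XOR of two permutations repeats outputs at about the rate of a random function.

```python
import random

N_BITS = 12          # toy block size (the patent's block is 128 bits)
SIZE = 1 << N_BITS   # number of distinct blocks


def random_permutation(seed):
    """Constructed stand-in for one keyed block cipher unit:
    a seeded shuffle of all N_BITS-bit blocks."""
    rng = random.Random(seed)
    table = list(range(SIZE))
    rng.shuffle(table)
    return table


def prf_sum(e1, e2, m):
    """Steps S31-S32: X = E1(M), Y = E2(M), C = X xor Y."""
    return e1[m] ^ e2[m]


def count_collisions(outputs):
    """Number of unordered query pairs that produced the same output."""
    seen = {}
    pairs = 0
    for c in outputs:
        pairs += seen.get(c, 0)
        seen[c] = seen.get(c, 0) + 1
    return pairs


def experiment(queries=512, seed=2020):
    """Return (collisions of one permutation, collisions of the XOR of two,
    collisions expected from an ideal random function) for distinct inputs."""
    e1 = random_permutation(seed)
    e2 = random_permutation(seed + 1)
    msgs = random.Random(seed + 2).sample(range(SIZE), queries)
    single = count_collisions(e1[m] for m in msgs)
    summed = count_collisions(prf_sum(e1, e2, m) for m in msgs)
    expected_random = queries * (queries - 1) / 2 / SIZE
    return single, summed, expected_random


if __name__ == "__main__":
    single, summed, expected = experiment()
    print("single permutation collisions:", single)
    print("xor-of-two collisions:        ", summed)
    print("random-function expectation:  ", round(expected, 2))
```

With 512 queries, far past the toy birthday bound of about 2^6, the single permutation is trivially told apart from a random function by its missing collisions, and the XOR of the two is not.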
  • The elements shown in FIG. 2 or FIG. 9 have been described as a hardware configuration, but the present invention is not limited to this. Some or all of these elements can also be achieved by having the computer's processor execute a computer program.
  • FIG. 11 is a block diagram showing an example of the configuration of the computer 300 that realizes the elements shown in FIG. 2 or 9. As shown in FIG. 11, the computer 300 includes an input / output interface 301, a memory 302, and a processor 303.
  • the input / output interface 301 is used to communicate with any other device.
  • the memory 302 is composed of, for example, a combination of a volatile memory and a non-volatile memory.
  • the memory 302 is used to store software (computer program) or the like including one or more instructions executed by the processor 303.
  • the processor 303 reads software (computer program) from the memory 302 and executes it to process each component shown in FIG. 2 or FIG. 9 described above.
  • the processor 303 may be, for example, a microprocessor, an MPU (Micro Processor Unit), a CPU (Central Processing Unit), or the like.
  • the processor 303 may include a plurality of processors.
  • Non-temporary computer-readable media include various types of tangible storage media.
  • Examples of non-temporary computer-readable media include magnetic recording media (e.g., flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (e.g., magneto-optical disks), CD-ROM (Read Only Memory), CD-R, CD-R/W, and semiconductor memory (for example, mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory)).
  • the program may also be supplied to the computer by various types of temporary computer-readable media.
  • Examples of temporary computer readable media include electrical, optical, and electromagnetic waves.
  • the temporary computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire and an optical fiber, or a wireless communication path.
  • (Appendix 1) An information processing device comprising: an input receiving means that accepts plaintext input with 128 bits as the unit of one block; a first replacement processing means that outputs a first intermediate sentence by repeating a first replacement process a times (where a is a predetermined integer) with the plaintext for one block as the first input;
  • a second replacement processing means that outputs a second intermediate sentence by repeating a second replacement process b times (where b is a predetermined integer) with the first intermediate sentence as the first input; and a terminal processing means that performs terminal processing to output a ciphertext with the second intermediate sentence as input.
  • The first replacement process is a replacement process in which the following are performed in order: addition processing that adds a round key and a round constant to the input; S-box processing that applies, to each nibble, a 4-bit S-box, which is a non-linear function that converts a 4-bit input to a 4-bit output; bit replacement processing that sorts the input bit by bit; and matrix product processing that divides the input into 8 words of 4 nibbles each and applies a 4-row, 4-column Almost MDS matrix transformation to each word.
  • The second replacement process is a replacement process in which the addition processing, the S-box processing, nibble replacement processing that sorts the input in nibble units, and the matrix product processing are performed in order.
  • The terminal processing is a replacement process in which the S-box processing and the addition processing are performed in order.
  • the bit replacement process is Input 32 nibbles are X (1), ..., X (32), output 32 nibbles are Y (1), ..., Y (32), and output is W (1) for every 4 nibbles.
  • the information processing apparatus according to Appendix 1, which is a process for sorting according to the following first condition and second condition.
  • the nibble position at inputs X (1), ..., X (32) is Y (j [1]), Y (j [2]), at Y (1), ..., Y (32). ..., 12 nibbles of input corresponding to the position of Y (j [12]) X (j [1]), X (j [2]), ...., X (j [12] ) Map covers more than one nibble in all of W (1), ..., W (8).
  • The information processing apparatus according to Appendix 1 or 2, wherein the nibble replacement process is a process for which the number of rounds of the nibble replacement process required for the number of active S-boxes to exceed a predetermined value satisfies a predetermined condition.
  • The first predetermined sort is expressed as a process in which the index sequence at the time of input is (0, 1, ..., 31) and the index sequence at the output is (10, 27, 5, 1, 30, 23, 16, 13, 21, 31, 6, 14, 0, 25, 11, 18, 15, 28, 19, 24, 7, 8, 22, 3, 4, 29, 9, 2, 26, 20, 12, 17).
  • The second predetermined sort is expressed as a process in which the index sequence at the time of input is (0, 1, ..., 31) and the index sequence at the output is (26, 13, 7, 11, 29, 0, 17, 21, 23, 5, 18, 25, 12, 10, 28, 2, 14, 19, 24, 22, 1, 8, 4, 31, 15, 6, 27, 9, 16, 30, 20, 3), according to Appendix 4.
  • (Appendix 6) An information processing method comprising: accepting plaintext input with 128 bits as the unit of one block; repeating a first substitution process a times (where a is a predetermined integer) with the plaintext for one block as the first input, and outputting a first intermediate sentence;
  • repeating a second substitution process b times (where b is a predetermined integer) and outputting a second intermediate sentence; and
  • performing a termination process that outputs a ciphertext with the second intermediate sentence as input.
  • The first replacement process is a replacement process in which the following are performed in order: addition processing that adds a round key and a round constant to the input; S-box processing that applies, to each nibble, a 4-bit S-box, which is a non-linear function that converts a 4-bit input to a 4-bit output; bit replacement processing that sorts the input bit by bit; and matrix product processing that divides the input into 8 words of 4 nibbles each and applies a 4-row, 4-column Almost MDS matrix transformation to each word.
  • The second replacement process is a replacement process in which the addition processing, the S-box processing, nibble replacement processing that sorts the input in nibble units, and the matrix product processing are performed in order.
  • The termination process is a replacement process in which the S-box processing and the addition processing are performed in order.
  • (Appendix 7) A non-temporary computer-readable medium containing a program that causes a computer to execute: an input reception step that accepts plaintext input with 128 bits as the unit of one block; a first replacement processing step that outputs a first intermediate sentence by repeating a first replacement process a times (where a is a predetermined integer) with the plaintext for one block as the first input;
  • a second replacement processing step that outputs a second intermediate sentence by repeating a second replacement process b times (where b is a predetermined integer) with the first intermediate sentence as the first input; and
  • a termination processing step of performing termination processing that outputs a ciphertext with the second intermediate sentence as input.
  • The first replacement process is a replacement process in which the following are performed in order: addition processing that adds a round key and a round constant to the input; S-box processing that applies, to each nibble, a 4-bit S-box, which is a non-linear function that converts a 4-bit input to a 4-bit output; bit replacement processing that sorts the input bit by bit; and matrix product processing that divides the input into 8 words of 4 nibbles each and applies a 4-row, 4-column Almost MDS matrix transformation to each word.
  • The second replacement process is a replacement process in which the addition processing, the S-box processing, nibble replacement processing that sorts the input in nibble units, and the matrix product processing are performed in order.
  • The termination process is a replacement process in which the S-box processing and the addition processing are performed in order.
  • Information processing device; 11 Input receiving unit; 12 First replacement processing unit; 13 Second replacement processing unit; 14 Termination processing unit; 100 Information processing device; 110 Input receiving unit; 120 First replacement processing unit; 130 Second replacement processing unit; 140 Termination processing unit; 150 Output control unit; 161 Addition processing; 162 S-box processing; 163 Bit replacement processing; 164 Matrix product processing; 165 Nibble replacement processing; 170 S-box; 171 Matrix; 200 Information processing device; 210 Input reception unit; 220 First block encryption unit; 230 Second block encryption unit; 240 Addition unit; 250 Output control unit; 300 Computer; 301 Input / output interface; 302 Memory; 303 Processor

PCT/JP2020/033183 2020-09-02 2020-09-02 Information processing apparatus, information processing method, and non-transitory computer readable medium storing program Ceased WO2022049655A1 (ja)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US18/024,195 US20230297693A1 (en) 2020-09-02 2020-09-02 Information processing apparatus, information processing method, and non-transitory computer readable medium storing program
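JP2022546765A JP7527541B2 (ja) 2020-09-02 2020-09-02 Information processing apparatus, information processing method, and program
PCT/JP2020/033183 WO2022049655A1 (ja) 2020-09-02 2020-09-02 Information processing apparatus, information processing method, and non-transitory computer readable medium storing program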

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/033183 WO2022049655A1 (ja) 2020-09-02 2020-09-02 Information processing apparatus, information processing method, and non-transitory computer readable medium storing program

Publications (1)

Publication Number Publication Date
WO2022049655A1 (ja) 2022-03-10

Family

ID=80490808

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/033183 Ceased WO2022049655A1 (ja) 2020-09-02 2020-09-02 Information processing apparatus, information processing method, and non-transitory computer readable medium storing program

Country Status (3)

Country Link
US (1) US20230297693A1
JP (1) JP7527541B2
WO (1) WO2022049655A1

Also Published As

Publication number Publication date
US20230297693A1 (en) 2023-09-21
JPWO2022049655A1 2022-03-10
JP7527541B2 (ja) 2024-08-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20952395

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2022546765

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20952395

Country of ref document: EP

Kind code of ref document: A1