WO2022254513A1 - Cryptographic device, method, and program - Google Patents

Cryptographic device, method, and program Download PDF

Info

Publication number
WO2022254513A1
WO2022254513A1 PCT/JP2021/020665 JP2021020665W WO2022254513A1 WO 2022254513 A1 WO2022254513 A1 WO 2022254513A1 JP 2021020665 W JP2021020665 W JP 2021020665W WO 2022254513 A1 WO2022254513 A1 WO 2022254513A1
Authority
WO
WIPO (PCT)
Prior art keywords
difference
input
output
cipher
probability
Prior art date
Application number
PCT/JP2021/020665
Other languages
French (fr)
Japanese (ja)
Inventor
洋介 藤堂
悠 佐々木
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社 filed Critical 日本電信電話株式会社
Priority to JP2023525161A priority Critical patent/JP7529154B2/en
Priority to PCT/JP2021/020665 priority patent/WO2022254513A1/en
Publication of WO2022254513A1 publication Critical patent/WO2022254513A1/en

Links

Images

Classifications

    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system

Definitions

  • the present invention relates to cryptographic devices, methods, and programs.
  • a cryptographic method that encrypts plaintext with a certain key and uses the same key to decrypt the ciphertext is called symmetric key cryptography, and a method called block cipher is known as a type of symmetric key cryptography.
  • a block cipher is a method in which data to be encrypted is divided into appropriate lengths called blocks (for example, 64 bits or 128 bits) and each block is encrypted.
  • Block ciphers include, for example, DES cipher (Non-Patent Document 1), Lilliput cipher (Non-Patent Document 2), and the like. Among these, the Lilliput cipher is assumed to be implemented on a device with poor computational resources, and is also called a lightweight cipher.
  • a block is encrypted by repeatedly applying a function called a round function to the block multiple times.
  • Round functions include, for example, Feistel type round functions.
  • Both the DES cipher and the Lilliput cipher are block ciphers using a Feistel type round function.
  • a derivative of the Feistel type is the generalized Feistel type, and the block shuffle generalized Feistel type (Non-Patent Document 3) and the extended generalized Feistel type (Non-Patent Document 2) are known as those with increased stirring speed.
  • the extended generalized Feistel type round function is a round function used in the Lilliput cipher, and is composed of a nonlinear part, a linear part, and a permutation part.
  • Non-Patent Document 4 the evaluation for differential cryptanalysis
  • An embodiment of the present invention has been made in view of the above points, and aims to improve the security against differential cryptanalysis of block ciphers using extended generalized Feistel type round functions.
  • a cryptographic device is a cryptographic device that encrypts plaintext or decrypts ciphertext by a block cipher using an extended generalized Feistel round function, wherein: a permutation table generation processing unit that generates a permutation table of a determined predetermined size in which there is no high-probability propagation with the same input-output difference; and a cryptographic processing unit that performs the encryption or the decryption by, and the high-probability propagation with the same input-output difference is given the input difference representing two inputs to the permutation table, the It is the propagation in which the transition probability to the output difference having the same value as the input difference among the output differences representing the output difference corresponding to the input difference is maximized.
  • FIG. 4 is a diagram showing the round function of the Feistel cipher;
  • FIG. 10 is a diagram showing the round function of the generalized Feistel cipher;
  • FIG. 4 is a diagram showing the round function of the Lilliput cipher;
  • FIG. 10 is a diagram showing a differential distribution table of S-Boxes of the Lilliput cipher;
  • FIG. 11 shows the best differential properties up to 13 rounds of the Lilliput cipher;
  • FIG. 10 is a diagram showing an example of a difference distribution table of an S-Box that does not have high-probability propagation with the same input-output difference;
  • FIG. 10 is a diagram showing an example of the best differential characteristics up to 12 rounds of an S-Box that does not have high-probability propagation with the same input-output differential. It is a figure which shows an example of the hardware constitutions of the encryption apparatus based on this embodiment. It is a figure which shows an example of a functional structure of the cryptographic apparatus based on this embodiment.
  • FIG. 10 is a diagram for explaining an example of permutation table generation processing and encryption processing according to the embodiment;
  • FIG. 10 is a diagram showing a comparison example between the Lilliput cipher and the case where its S-Box is replaced with Equation (2);
  • the block length of the block cipher is n bits.
  • the probability of outputting two ciphertexts with a specific ciphertext difference ⁇ C for two plaintexts with a specific plaintext difference ⁇ P is 2 ⁇ n .
  • Block ciphers are considered vulnerable to differential cryptanalysis when there is a bias in the agitation algorithm of the block cipher to be attacked, and ⁇ P, ⁇ C with the above probabilities greater than 2 ⁇ n exist. Conversely, block cipher designers aim to make the above probability smaller than 2 ⁇ n for arbitrary ⁇ P and ⁇ C.
  • ⁇ P Whether or not there exist ⁇ P, ⁇ C with the above probabilities greater than 2 ⁇ n depends on how the round function is constructed and the number of iterations of the round function.
  • a Feistel type is known as one of the methods of configuring the round function.
  • a block cipher using a Feistel-type round function is also called a Feistel-type cipher.
  • a block cipher that uses a Feistel-type round function
  • one block of data is divided into two pieces of data. Divided data is called a branch.
  • Figure 1 shows the round function of the Feistel-type cipher.
  • the right branch and the subkey are input to the F-function, whose output is XORed with the left branch.
  • the right and left branches are then exchanged.
  • the DES cipher has a block length of 64 bits and splits the 64-bit input into two 32-bit values.
  • a generalized Feistel type is a derivative of the Feistel type.
  • the data of each branch is further divided into a plurality of data. These divided data are called bytes.
  • Figure 2 shows the round function of the generalized Feistel-type cipher.
  • the round function of the generalized Feistel cipher consists of a nonlinear part and a permutation part.
  • the value obtained by XORing the subkey with respect to each byte of the right branch is transformed using a permutation table called S-Box, and this transformed value is exclusive with the corresponding byte of the right branch.
  • S-Box a permutation table in which output values corresponding to all input values (16 input values for 4 bits, 256 input values for 8 bits) are recorded. Note that "S" in the figure represents the S-Box.
  • the right branch is moved to the left branch, and the left branch is moved to the right branch.
  • the byte positions are cyclically shifted.
  • the generalized Feistel-type cipher has the advantage of making the implementation circuit smaller, but the input data churning speed is inferior to the normal Feistel-type cipher.
  • Generalized Feistel ciphers with increased agitation speed include block shuffle generalized Feistel ciphers and extended generalized Feistel ciphers.
  • the block-shuffle generalized Feistel-type cipher improves the agitation speed by changing the permutation part from permutation of left and right branches and cyclic shift of the left branch to permutation (block shuffle) in units of blocks based on the deBruijn graph. .
  • the extended generalized Feistel-type cipher further inserts a linear part between the nonlinear part and the permutation part to improve the stirring speed.
  • An example of an extended generalized Feistel-type cipher is the Lilliput cipher with a block length of 64 bits.
  • Figure 3 shows the round function of the Lilliput cipher.
  • the round function of the Lilliput cipher consists of a nonlinear part, a linear part, and a permutation part.
  • the non-linear part is composed of subkey XOR, S-Box and right branch XOR
  • the linear part is composed of multiple exclusive ORs
  • the replacement part is composed of block shuffle. Since the block length of the Lilliput cipher is 64 bits, the branch length is 32 bits and the byte length is 4 bits.
  • the S-Box is a permutation table that converts a 4-bit input value into a 4-bit output value.
  • the number of iterations of the round function is r
  • the difference between two plaintexts is ⁇ 0
  • the difference after i rounds is ⁇ r
  • DP F [ ⁇ A , ⁇ B ] be the probability (difference transition probability) that two inputs with a difference ⁇ A are converted into two inputs with a difference ⁇ B after application of the function F.
  • DCP[ ⁇ 0 , ⁇ r ] of the differential characteristics ( ⁇ 0 , ⁇ 1 , . . . , ⁇ r ) is calculated as follows.
  • Block cipher designers must therefore ensure that DCP[ ⁇ 0 , ⁇ r ] is less than 2 ⁇ n when the block length is n bits.
  • an excellent design is one that minimizes the number of iterations of the round function and minimizes the differential characteristic probability.
  • the difference ⁇ out of the two outputs corresponding to the two inputs is determined with a probability of one. Therefore, the linear part alone does not improve security against differential cryptanalysis.
  • the difference ⁇ in input to a certain part, transformation, function, etc. is referred to as an input difference
  • the difference ⁇ out output corresponding to it is referred to as an output difference.
  • the transition from a certain input difference ⁇ in to a certain output difference ⁇ out is stochastic, and the probability depends on the specifications of the nonlinear conversion, that is, the specifications of the S-Box.
  • the probability (differential transition probability of the S-Box) is calculated by counting the number of times the differential transition is satisfied in all combinations of the input difference ⁇ in and the output difference ⁇ out . Specifically, let s be the size of the S-Box and compute the following for all combinations of ⁇ in and ⁇ out .
  • Linear cryptanalysis is known as a cryptanalysis method as important as differential cryptanalysis, and there is a maximum linear transition probability corresponding to the maximum differential transition probability. It is known that the 4-bit S-Box that minimizes both the maximum differential transition probability and the maximum linear transition probability exists only by applying affine transformation to the inputs and outputs of the 16 S-Boxes shown in Table 1 below. It is
  • a new S-Box generated by applying an affine transformation to the input and output of an S-Box is said to be affine equivalent to the original S-Box. It is known that the maximum differential transition probability and the maximum linear transition probability always match in affine equivalent S-Boxes. Many existing designs using 4-bit S-Boxes, including the Lilliput cipher, use S-Boxes that are affine equivalent to any of the 16 S-Boxes shown in Table 1.
  • FIG. 4 shows the values of the numerator of equation (1) for all combinations of the input difference ⁇ in and the output difference ⁇ out for the S-Box actually used in the Lilliput cipher (that is, the difference from ⁇ in to ⁇ out The number of occurrences of transitions) is calculated. This is called a difference distribution table.
  • the probability of transition from the input difference ⁇ in to the output difference ⁇ out (difference transition probability of S-Box) is obtained by dividing the value in the difference distribution table by 24 .
  • the following describes a method that can reduce the differential characteristic probability with a smaller number of iterations than existing designs, targeting block ciphers that use an extended generalized Feistel type round function, such as the Lilliput cipher.
  • the proposed method uses a permutation table (S-Box) that satisfies properties that are effective for block ciphers that use extended generalized Feistel-type round functions.
  • the linear part of the round function XORs the bytes of the right branch with the bytes of the left branch.
  • this XOR cancels the difference in the left branch and results in bytes with no difference, the number of S-Boxes to which the bytes with difference are input decreases in the next round function.
  • the differential characteristic probability has the characteristic of being maximized when the number of bytes with the differential as input of the S-Box is minimized. Therefore, in a differential characteristic in which the differential characteristic probability is maximized, the linear part often cancels the difference of the bytes in the left branch to zero difference.
  • This proposed method uses an S-Box in which there is no high-probability propagation with the same input-output difference.
  • FIG. 4 shows a differential distribution table of S-Boxes used in the Lilliput cipher.
  • the difference distribution table shown in FIG. 4 portions with the same input/output difference are shown in bold.
  • Fig. 5 shows the best differential characteristics (difference characteristics with the highest differential characteristic probability) when the round function of the Lilliput cipher is repeated 13 times.
  • ⁇ L represents the difference in the left branch after i iterations of the round function
  • ⁇ R represents the difference in the right branch after i iterations of the round function.
  • round 0 is the plaintext difference.
  • ⁇ Y is obtained by rearranging the difference of the output of the S-Box obtained by inputting ⁇ R into the S-Box.
  • the ⁇ R of round 0 is "00000600”, which means that the difference in the third byte from the right in the right branch is 0x6, and there is no difference in the other bytes.
  • the ⁇ L of round 0 is "66660600”, which means that in the left branch, the difference between the 3rd, 5th, 6th, 7th, and 8th bytes from the right is 0x6, and the other bytes are It shows that there is no difference.
  • the ⁇ Y of round 0 is “00600000”, which is the first from the right of the difference after applying the subkey XOR to the ⁇ R of round 0 and transforming it with the S-Box.
  • It indicates that the difference after moving to the 6th byte, the 5th byte from the right, the 4th byte from the right, the 3rd byte from the right, the 2nd byte from the right, and the 1st byte from the right is "00600000".
  • the S-Box shown below is a specific example in which high-probability propagation with the same input-output difference does not exist.
  • FIG. 6 shows the difference distribution table of this S-Box.
  • FIG. 7 shows the best differential characteristics when this S-Box is used instead of the S-Box of the Lilliput cipher and the round function is repeated 12 times. As shown in FIG. 7, the difference between each byte is no longer a simple value that is all 0x6. Therefore, the linear part of the round function can prevent the difference between the bytes of the left branch from being canceled and result in a zero difference, and the difference characteristic probability can be further reduced.
  • the hardware of the cryptographic device 10 that performs cryptographic processing (encryption, decryption, or both) by block cipher using an extended generalized Feistel type round function that uses the S-Box described in the proposed method in the nonlinear part
  • the hardware configuration is shown in FIG.
  • the encryption device 10 according to this embodiment has an input device 101, a display device 102, an external I/F 103, a communication I/F 104, a processor 105, and a memory device . Each of these pieces of hardware is communicably connected via a bus 107 .
  • the input device 101 is, for example, a keyboard, mouse, touch panel, various physical buttons, and the like.
  • the display device 102 is, for example, a display. Note that the cryptographic device 10 may not include at least one of the input device 101 and the display device 102, for example.
  • the external I/F 103 is an interface with an external device such as the recording medium 103a.
  • the cryptographic device 10 can perform reading and writing of the recording medium 103 a via the external I/F 103 .
  • Examples of the recording medium 103a include CD (Compact Disc), DVD (Digital Versatile Disk), SD memory card (Secure Digital memory card), USB (Universal Serial Bus) memory card, and the like.
  • the communication I/F 104 is an interface for connecting the cryptographic device 10 to a communication network.
  • the processor 105 is, for example, various arithmetic units such as a CPU (Central Processing Unit) and an MPU (Micro-Processing Unit).
  • the memory device 106 is, for example, various storage devices such as HDD (Hard Disk Drive), SSD (Solid State Drive), flash memory, RAM (Random Access Memory), and ROM (Read Only Memory).
  • the cryptographic device 10 has the hardware configuration shown in FIG. 8, so that it can implement various processes described later. Note that the hardware configuration shown in FIG. 8 is merely an example, and the cryptographic device 10 may have various hardware other than the illustrated hardware.
  • FIG. 9 shows the functional configuration of a cryptographic device 10 that performs cryptographic processing by block cipher using an extended generalized Feistel type round function that uses the S-Box described in the proposed method in the nonlinear section.
  • the encryption device 10 according to this embodiment has a substitution table generation processing unit 201 and an encryption processing unit 202 . These units are implemented by, for example, processing that one or more programs installed in the cryptographic device 10 cause the processor 105 to execute.
  • the substitution table generation processing unit 201 generates a substitution table (S-Box) by the proposed method described above. That is, the permutation table generation processing unit 201 generates an input-output difference in an S-Box having the same size as the S-Box used in the nonlinear part of the extended generalized Feistel type round function of the block cipher that realizes the encryption processing unit 202.
  • the S-Box that does not have the same high-probability propagation is generated as the S-Box used in the cryptographic processing unit 202 .
  • the permutation table generation processing unit 201 selects 16 S-Boxes shown in Table 1 and their affine equivalent S-Boxes, and the input/output difference is An S-Box that does not have the same high-probability propagation is generated as an S-Box to be used in cryptographic processing section 202 .
  • the permutation table generation processing unit 201 may, for example, identify and generate an S-Box that has the same input-output difference and does not have high-probability propagation from the difference distribution table of the S-Box of the corresponding size.
  • the encryption processing unit 202 uses the S-Box generated by the replacement table generation processing unit 201 to perform encryption processing using a predetermined block cipher (eg, Lilliput encryption, etc.). That is, the encryption processing unit 202 generates, for example, a ciphertext from a plaintext and transmits the generated ciphertext to another cryptographic device, or decrypts a ciphertext received from another cryptographic device.
  • a predetermined block cipher eg, Lilliput encryption, etc.
  • FIG. 9 is an example, and for example, the replacement table generation processing unit 201 and the encryption processing unit 202 may be provided in different devices. Specifically, for example, the permutation table generation device having the permutation table generation processing unit 201 and the encryption device having the encryption processing unit 202 may be configured.
  • FIG. 10 shows the flow of permutation table generation processing and encryption processing executed by the cryptographic device 10 according to this embodiment.
  • the replacement table generation processing unit 201 generates an S-Box used by the encryption processing unit 202 (S101). Note that the generation of the S-Box may be executed before the cryptographic processing, for example, it may be executed in advance, or may be executed immediately before the cryptographic processing is executed each time.
  • the encryption processing unit 202 uses the S-Box generated by the replacement table generation processing unit 201 to perform encryption processing (encryption of plaintext or decryption of ciphertext) by a predetermined block cipher (S102).
  • the encryption processing unit 202 encrypts plaintext to generate a ciphertext, and then transmits the ciphertext to another encryption device.
  • the cryptographic processor 202 decrypts ciphertexts received from other cryptographic devices.
  • FIG. 11 shows how the maximum differential characteristic probability changes with respect to the number of iterations of the round function when the S-Box of the Lilliput cipher is replaced with the S-Box shown in Equation (2).
  • the Lilliput cipher has a block length of 64 bits and is a block cipher using an extended generalized Feistel type round function, and its S-Box has high-probability propagation with the same input-output difference.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A cryptographic device according to an embodiment encrypts a plain text or decrypts a cipher text by a block cipher that uses an extended generalized Feistel-type round function, and comprises: a substitution table generation processing unit that generates a substitution table of a predetermined size which is determined according to the block cipher and in which there is no high probability propagation with the same input and output differences; and a cryptographic processing unit that performs the encryption or the decryption by the block cipher using the generated substitution table. The high probability propagation with the same input and output differences is propagation through which, when an input difference indicating two inputs to the substitution table is given, transition probability to an output difference having the same value as the input difference among output differences indicating output differences corresponding to the input difference becomes maximum.

Description

暗号装置、方法、及びプログラムCRYPTOGRAPHIC APPARATUS, METHOD, AND PROGRAM
 本発明は、暗号装置、方法、及びプログラムに関する。 The present invention relates to cryptographic devices, methods, and programs.
 平文をある鍵により暗号化し、その暗号文の復号でも同一の鍵を利用する暗号方式は共通鍵暗号と呼ばれており、共通鍵暗号の一種としてブロック暗号と呼ばれる方式が知られている。ブロック暗号とは、暗号化対象のデータをブロックと呼ばれる適当な長さ(例えば、64ビットや128ビット)に分割し、そのブロックごとに暗号化する方式のことである。ブロック暗号には、例えば、DES暗号(非特許文献1)、Lilliput暗号(非特許文献2)等がある。このうち、Lilliput暗号は、計算リソースが貧弱なデバイス上での実装が想定されており、軽量暗号とも呼ばれる。 A cryptographic method that encrypts plaintext with a certain key and uses the same key to decrypt the ciphertext is called symmetric key cryptography, and a method called block cipher is known as a type of symmetric key cryptography. A block cipher is a method in which data to be encrypted is divided into appropriate lengths called blocks (for example, 64 bits or 128 bits) and each block is encrypted. Block ciphers include, for example, DES cipher (Non-Patent Document 1), Lilliput cipher (Non-Patent Document 2), and the like. Among these, the Lilliput cipher is assumed to be implemented on a device with poor computational resources, and is also called a lightweight cipher.
 ブロック暗号では、ラウンド関数と呼ばれる関数をブロックに対して複数回繰り返し適用することでそのブロックを暗号化する。ラウンド関数には、例えば、Feistel型ラウンド関数等が存在する。DES暗号、Lilliput暗号はいずれもFeistel型ラウンド関数を用いるブロック暗号である。 In block ciphers, a block is encrypted by repeatedly applying a function called a round function to the block multiple times. Round functions include, for example, Feistel type round functions. Both the DES cipher and the Lilliput cipher are block ciphers using a Feistel type round function.
 Feistel型の派生として一般化Feistel型があり、その攪拌速度を速めたものとしてブロックシャッフル一般化Feistel型(非特許文献3)と拡張一般化Feistel型(非特許文献2)が知られている。拡張一般化Feistel型のラウンド関数はLilliput暗号で用いられているラウンド関数であり、非線形部、線形部、置換部で構成されている。 A derivative of the Feistel type is the generalized Feistel type, and the block shuffle generalized Feistel type (Non-Patent Document 3) and the extended generalized Feistel type (Non-Patent Document 2) are known as those with increased stirring speed. The extended generalized Feistel type round function is a round function used in the Lilliput cipher, and is composed of a nonlinear part, a linear part, and a permutation part.
 ラウンド関数の繰り返し回数が多いほどデータが良く攪拌され安全性が高まるが、一方でラウンド関数の繰り返し回数が多いほど演算量が多くなり暗号処理の性能が低下する。したがって、安全性を確保できる範囲内で、ラウンド関数の繰り返し回数を最小する必要がある。このとき、ラウンド関数の繰り返し回数は様々な解読法に対する安全性評価の実施により決定されるが、差分解読法(非特許文献4)に対する評価が最も重要とされている。 The more iterations of the round function, the better the data will be mixed and the higher the security. Therefore, it is necessary to minimize the number of iterations of the round function within the range where safety can be ensured. At this time, the number of iterations of the round function is determined by conducting security evaluations for various cryptanalysis methods, but the evaluation for differential cryptanalysis (Non-Patent Document 4) is considered to be the most important.
 しかしながら、軽量暗号は計算リソースが貧弱なデバイス上での実装が想定されているため、拡張一般化Feistel型ラウンド関数の非線形部や線形部で複雑な演算を実行することができない。このため、差分解読法に対する安全性を効率的に高めることが難しく、ラウンド関数の繰り返し回数が増加し、それに伴う暗号処理の性能低下が発生し得る。 However, since lightweight cryptography is assumed to be implemented on devices with poor computational resources, it is not possible to perform complex operations in the nonlinear and linear parts of the extended generalized Feistel round function. For this reason, it is difficult to efficiently improve security against differential cryptanalysis, the number of iterations of the round function increases, and the performance of cryptographic processing may deteriorate accordingly.
 本発明の一実施形態は、上記の点に鑑みてなされたもので、拡張一般化Feistel型ラウンド関数を用いるブロック暗号の差分解読法に対する安全性を向上させることを目的とする。 An embodiment of the present invention has been made in view of the above points, and aims to improve the security against differential cryptanalysis of block ciphers using extended generalized Feistel type round functions.
 上記目的を達成するため、一実施形態に係る暗号装置は、拡張一般化Feistel型ラウンド関数を用いるブロック暗号により平文を暗号化又は暗号文を復号する暗号装置であって、前記ブロック暗号に応じて決定される所定のサイズの置換表であって、入出力差分が同一な高確率伝搬が存在しない置換表を生成する置換表生成処理部と、生成された前記置換表を用いて、前記ブロック暗号により前記暗号化又は前記復号を行う暗号処理部と、を有し、前記入出力差分が同一な高確率伝搬は、前記置換表への2つの入力を表す入力差分が与えられたときに、前記入力差分に対応する出力の差分を表す出力差分のうち、前記入力差分と同一の値となる出力差分への遷移確率が最大となる伝搬のことである。 To achieve the above object, a cryptographic device according to one embodiment is a cryptographic device that encrypts plaintext or decrypts ciphertext by a block cipher using an extended generalized Feistel round function, wherein: a permutation table generation processing unit that generates a permutation table of a determined predetermined size in which there is no high-probability propagation with the same input-output difference; and a cryptographic processing unit that performs the encryption or the decryption by, and the high-probability propagation with the same input-output difference is given the input difference representing two inputs to the permutation table, the It is the propagation in which the transition probability to the output difference having the same value as the input difference among the output differences representing the output difference corresponding to the input difference is maximized.
 拡張一般化Feistel型ラウンド関数を用いるブロック暗号の差分解読法に対する安全性を向上させることができる。 It is possible to improve the security against differential cryptanalysis of block ciphers using extended generalized Feistel type round functions.
Feistel暗号のラウンド関数を示す図である。FIG. 4 is a diagram showing the round function of the Feistel cipher; 一般化Feistel暗号のラウンド関数を示す図である。FIG. 10 is a diagram showing the round function of the generalized Feistel cipher; Lilliput暗号のラウンド関数を示す図である。FIG. 4 is a diagram showing the round function of the Lilliput cipher; Lilliput暗号のS-Boxの差分分布表を示す図である。FIG. 10 is a diagram showing a differential distribution table of S-Boxes of the Lilliput cipher; Lilliput暗号の13ラウンドまでの最良差分特性を示す図である。FIG. 11 shows the best differential properties up to 13 rounds of the Lilliput cipher; 入出力差分が同一な高確率伝搬を持たないS-Boxの差分分布表の一例を示す図である。FIG. 10 is a diagram showing an example of a difference distribution table of an S-Box that does not have high-probability propagation with the same input-output difference; 入出力差分が同一な高確率伝搬を持たないS-Boxの12ラウンドまでの最良差分特性の一例を示す図である。FIG. 10 is a diagram showing an example of the best differential characteristics up to 12 rounds of an S-Box that does not have high-probability propagation with the same input-output differential. 本実施形態に係る暗号装置のハードウェア構成の一例を示す図である。It is a figure which shows an example of the hardware constitutions of the encryption apparatus based on this embodiment. 本実施形態に係る暗号装置の機能構成の一例を示す図である。It is a figure which shows an example of a functional structure of the cryptographic apparatus based on this embodiment. 本実施形態に係る置換表生成処理及び暗号処理の一例を説明するための図である。FIG. 10 is a diagram for explaining an example of permutation table generation processing and encryption processing according to the embodiment; Lilliput暗号とそのS-Boxを式(2)に置き換えた場合との比較例を示す図である。FIG. 10 is a diagram showing a comparison example between the Lilliput cipher and the case where its S-Box is replaced with Equation (2);
 以下、本発明の一実施形態について説明する。 An embodiment of the present invention will be described below.
 <理論的構成>
 以下、本実施形態で提案する手法の理論的構成とその説明に必要な各種技術や概念等について説明する。 <Theoretical configuration>
The theoretical configuration of the technique proposed in this embodiment and various techniques, concepts, etc. necessary for the explanation thereof will be described below.
  ≪差分解読法≫
 差分解読法では、ある平文とそれを暗号化した暗号文との組(P,C)と別の組(P',C')とがあるとき、2つの組の差分に注目する。2つのデータの差分Δは、排他的論理和 ≪Differential cryptanalysis≫
In differential cryptanalysis, when there is a set (P,C) of a plaintext and its encrypted ciphertext and another set (P',C'), attention is paid to the difference between the two sets. The difference Δ between the two data is the exclusive OR
Figure JPOXMLDOC01-appb-M000001
 で定義される。平文の差分ΔPは
Figure JPOXMLDOC01-appb-M000001
 defined by The plaintext difference ΔP is
Figure JPOXMLDOC01-appb-M000002
 であり、暗号文の差分ΔCは
Figure JPOXMLDOC01-appb-M000002
 and the ciphertext difference ΔC is
Figure JPOXMLDOC01-appb-M000003
 である。
Figure JPOXMLDOC01-appb-M000003
 is.
 ブロック暗号のブロック長をnビットとする。理想的なブロック暗号の場合は、特定の平文差分ΔPを持つ2つの平文に対して、特定の暗号文差分ΔCを持つ2つの暗号文が出力される確率は2-nである。 Assume that the block length of the block cipher is n bits. In the case of an ideal block cipher, the probability of outputting two ciphertexts with a specific ciphertext difference ΔC for two plaintexts with a specific plaintext difference ΔP is 2 −n .
 攻撃対象となるブロック暗号の攪拌アルゴリズムに偏りがあり、上記の確率が2-nより大きいΔP、ΔCが存在するとき、ブロック暗号は差分解読法に対して脆弱であるとみなされる。なお、逆に、ブロック暗号の設計者は任意のΔP、ΔCに対して、上記の確率が2-nより小さくなることを目指す。 Block ciphers are considered vulnerable to differential cryptanalysis when there is a bias in the agitation algorithm of the block cipher to be attacked, and ΔP, ΔC with the above probabilities greater than 2 −n exist. Conversely, block cipher designers aim to make the above probability smaller than 2 −n for arbitrary ΔP and ΔC.
 上記の確率が2-nより大きいΔP、ΔCが存在するかどうかは、ラウンド関数の構成方法と、ラウンド関数の繰り返し回数とに依存する。 Whether or not there exist ΔP, ΔC with the above probabilities greater than 2 −n depends on how the round function is constructed and the number of iterations of the round function.
  ≪Feistel型ラウンド関数≫
 ラウンド関数の構成方法の1つとしてFeistel型が知られている。Feistel型のラウンド関数を用いるブロック暗号をFeistel型暗号ともいう。 <<Feistel type round function>>
A Feistel type is known as one of the methods of configuring the round function. A block cipher using a Feistel-type round function is also called a Feistel-type cipher.
 Feistel型のラウンド関数を用いるブロック暗号では、1ブロックのデータを2つのデータに分割する。分割されたデータをブランチと呼ぶ。 In a block cipher that uses a Feistel-type round function, one block of data is divided into two pieces of data. Divided data is called a branch.
 Feistel型暗号のラウンド関数を図1に示す。図1に示すように、Feistel型暗号のラウンド関数では、右ブランチと副鍵がF関数に入力され、その出力は左ブランチと排他的論理和される。その後、右ブランチと左ブランチが交換される。例えば、DES暗号はブロック長が64ビットであり、64ビットの入力を2個の32ビットの値に分割する。 Figure 1 shows the round function of the Feistel-type cipher. As shown in FIG. 1, in the Feistel-type cipher round function, the right branch and the subkey are input to the F-function, whose output is XORed with the left branch. The right and left branches are then exchanged. For example, the DES cipher has a block length of 64 bits and splits the 64-bit input into two 32-bit values.
 Feistel型の派生として一般化Feistel型がある。一般化Feistel型では、各ブランチのデータを更に複数のデータに分割する。これらの分割されたデータをバイトと呼ぶ。 A generalized Feistel type is a derivative of the Feistel type. In the generalized Feistel type, the data of each branch is further divided into a plurality of data. These divided data are called bytes.
 一般化Feistel型暗号のラウンド関数を図2に示す。図2に示すように、一般化Feistel型暗号のラウンド関数は、非線形部と置換部で構成されている。 Figure 2 shows the round function of the generalized Feistel-type cipher. As shown in FIG. 2, the round function of the generalized Feistel cipher consists of a nonlinear part and a permutation part.
 非線形部では、右ブランチの各バイトに対して副鍵を排他的論理和した値を、S-Boxと呼ばれる置換表を用いて変換し、この変換された値を右ブランチの対応するバイトと排他的論理和する。ここで、副鍵とは、鍵(共通鍵又は共有鍵等とも呼ばれる。)を鍵スケジュール関数に入力し、ラウンド関数の繰り返し回数分得られる値のことである。副鍵の排他的論理和は差分解読法の確率の計算に影響しないことが知られているため、詳細な説明は省略する。また、S-Boxとは、すべての入力値(4ビットなら16個、8ビットなら256個の入力値)に対してその入力値に対応する出力値を記録した置換表のことである。なお、図中の「S」がS-Boxを表している。 In the non-linear part, the value obtained by XORing the subkey with respect to each byte of the right branch is transformed using a permutation table called S-Box, and this transformed value is exclusive with the corresponding byte of the right branch. Logically OR. Here, a subkey is a value obtained by inputting a key (also called a common key or a shared key, etc.) to a key scheduling function and repeating the round function. Since it is known that the XOR of subkeys does not affect the calculation of differential cryptanalysis probabilities, a detailed description is omitted. The S-Box is a permutation table in which output values corresponding to all input values (16 input values for 4 bits, 256 input values for 8 bits) are recorded. Note that "S" in the figure represents the S-Box.
 置換部では、右ブランチを左ブランチへ、左ブランチを右ブランチへ移動させる。ここで、左ブランチを右ブランチに移動させる際に、バイト位置を巡回シフトさせる。 In the replacement part, the right branch is moved to the left branch, and the left branch is moved to the right branch. Here, when moving the left branch to the right branch, the byte positions are cyclically shifted.
 一般化Feistel型暗号は、実装回路が小さくなる利点がある一方で、入力データの攪拌速度は通常のFeistel型暗号より劣る。一般化Feistel型暗号の攪拌速度は早めたものとしてブロックシャッフル一般化Feistel型暗号と拡張一般化Feistel型暗号がある。ブロックシャッフル一般化Feistel型暗号は置換部を左右ブランチの交換と左ブランチの巡回シフトから、deBruijnグラフに基づくブロック単位の置換(ブロックシャッフル)に変更することで、攪拌速度を向上させたものである。拡張一般化Feistel型暗号は更に線形部を非線形部と置換部の間に挿入することで、攪拌速度を向上させたものである。 The generalized Feistel-type cipher has the advantage of making the implementation circuit smaller, but the input data churning speed is inferior to the normal Feistel-type cipher. Generalized Feistel ciphers with increased agitation speed include block shuffle generalized Feistel ciphers and extended generalized Feistel ciphers. The block-shuffle generalized Feistel-type cipher improves the agitation speed by changing the permutation part from permutation of left and right branches and cyclic shift of the left branch to permutation (block shuffle) in units of blocks based on the deBruijn graph. . The extended generalized Feistel-type cipher further inserts a linear part between the nonlinear part and the permutation part to improve the stirring speed.
 拡張一般化Feistel型暗号の一例として、ブロック長が64ビットであるLilliput暗号がある。 An example of an extended generalized Feistel-type cipher is the Lilliput cipher with a block length of 64 bits.
 Lilliput暗号のラウンド関数を図3に示す。図3に示すように、Lilliput暗号のラウンド関数は、非線形部と線形部と置換部で構成されている。また、非線形部は副鍵XORとS-Boxと右ブランチXOR、線形部は複数の排他的論理和、置換部はブロックシャッフルでそれぞれ構成されている。Lilliput暗号のブロック長は64ビットであるため、ブランチ長は32ビット、バイト長は4ビットとなる。また、S-Boxは4ビットの入力値を4ビットの出力値に変換する置換表である。 Figure 3 shows the round function of the Lilliput cipher. As shown in FIG. 3, the round function of the Lilliput cipher consists of a nonlinear part, a linear part, and a permutation part. The non-linear part is composed of subkey XOR, S-Box and right branch XOR, the linear part is composed of multiple exclusive ORs, and the replacement part is composed of block shuffle. Since the block length of the Lilliput cipher is 64 bits, the branch length is 32 bits and the byte length is 4 bits. The S-Box is a permutation table that converts a 4-bit input value into a 4-bit output value.
  ≪差分特性確率≫
 Feistel型ラウンド関数で平文差分ΔPを持つ2つの平文から暗号文差分ΔCを持つ2つの暗号文が得られる確率を計算する際、通常、各ラウンド後の差分値を定め、各ラウンドの差分遷移確率の積で評価する。 ≪Differential characteristic probability≫
When calculating the probability of obtaining two ciphertexts with a ciphertext difference ΔC from two plaintexts with a plaintext difference ΔP with a Feistel-type round function, the difference value after each round is usually determined, and the differential transition probability of each round is Evaluate by the product of
 すなわち、ラウンド関数の繰り返し回数をrとし、2つの平文の差分をΔ、iラウンド後の差分(i=1,2,・・・,r)をΔとする。また、DP[Δ,Δ]を、差分Δを持つ2入力が関数F適用後に差分Δを持つ2入力に変換される確率(差分遷移確率)とする。このとき、差分特性(Δ,Δ,・・・,Δ)の差分特性確率DCP[Δ,Δ]は以下で計算される。 That is, the number of iterations of the round function is r, the difference between two plaintexts is Δ 0 , and the difference after i rounds (i=1, 2, . . . , r) is Δr . Let DP FA , Δ B ] be the probability (difference transition probability) that two inputs with a difference Δ A are converted into two inputs with a difference Δ B after application of the function F. At this time, the differential characteristic probability DCP[Δ 0 , Δ r ] of the differential characteristics (Δ 0 , Δ 1 , . . . , Δ r ) is calculated as follows.
Figure JPOXMLDOC01-appb-M000004
  したがって、ブロック暗号の設計者は、ブロック長がnビットのとき、DCP[Δ,Δ]が2-nよりも小さいことを保証しなければならない。
Figure JPOXMLDOC01-appb-M000004
 Block cipher designers must therefore ensure that DCP[Δ 0r ] is less than 2 −n when the block length is n bits.
 実装性能を考慮すると、ラウンド関数の繰り返し回数をできるだけ少なくし、差分特性確率をできるだけ小さくする設計が優れた設計である。 Considering implementation performance, an excellent design is one that minimizes the number of iterations of the round function and minimizes the differential characteristic probability.
 任意の線形変換に対して、ある差分Δinを持つ2入力が与えられたとき、その2入力に対応する2出力の差分Δoutは確率1で定まる。したがって、線形部単独では差分解読法に対する安全性は向上しない。以下、ある部、変換、関数等に入力される差分Δinを入力差分、それに対応して出力される差分Δoutを出力差分という。 When two inputs having a certain difference Δ in are given to an arbitrary linear transformation, the difference Δ out of the two outputs corresponding to the two inputs is determined with a probability of one. Therefore, the linear part alone does not improve security against differential cryptanalysis. Hereinafter, the difference Δin input to a certain part, transformation, function, etc. is referred to as an input difference, and the difference Δout output corresponding to it is referred to as an output difference.
 一方で、非線形変換の場合、ある入力差分Δinからある出力差分Δoutへの遷移は確率的であり、その確率は非線形変換の仕様、つまりS-Boxの仕様に依存する。 On the other hand, in the case of nonlinear transformation, the transition from a certain input difference Δ in to a certain output difference Δ out is stochastic, and the probability depends on the specifications of the nonlinear conversion, that is, the specifications of the S-Box.
 このような性質から既存の設計の多くは線形変換の詳細は無視し、S-Boxの最大差分遷移確率を最小化するように設計している。S-Boxの最大差分遷移確率は、入力差分Δinと出力差分Δoutの全組み合わせにおいて、その差分遷移が満たされる回数を数え上げ、確率(S-Boxの差分遷移確率)を計算する。具体的には、sをS-Boxのサイズとし、ΔinとΔoutの全組み合わせに対して以下を計算する。 Because of this property, most existing designs ignore the details of linear transformations and are designed to minimize the maximum differential transition probability of S-Boxes. For the maximum differential transition probability of the S-Box, the probability (differential transition probability of the S-Box) is calculated by counting the number of times the differential transition is satisfied in all combinations of the input difference Δ in and the output difference Δ out . Specifically, let s be the size of the S-Box and compute the following for all combinations of Δ in and Δ out .
Figure JPOXMLDOC01-appb-M000005
  なお、S-Boxのサイズsとは、S-Boxの入出力値のビット数のことである。例えば、4ビットの入出力値を取るS-Boxのサイズはs=4であり、8ビットの入出力値を取るS-Boxのサイズはs=8である。
Figure JPOXMLDOC01-appb-M000005
 The size s of the S-Box is the number of bits of the input/output value of the S-Box. For example, the size of an S-Box that takes 4-bit input/output values is s=4, and the size of an S-Box that takes 8-bit input/output values is s=8.
 差分がない状況に相当するΔin=Δout=0の場合を除くすべての(Δin,Δout)の中で最も確率が高いものがS-Boxの最大差分遷移確率である。 The highest probability among all (Δ in , Δ out ) is the S-Box's maximum differential transition probability, except for the case of Δ inout =0, which corresponds to the situation of no difference.
  ≪線形解読法≫
 差分解読法と同等に重要な解読法として線形解読法が知られており、最大差分遷移確率に対応するものとして最大線形遷移確率がある。最大差分遷移確率と最大線形遷移確率がともに最小となる4ビットのS-Boxは、以下の表1に示す16個のS-Boxの入出力にアフィン変換をかけたものしか存在しないことが知られている。 ≪Linear cryptanalysis≫
Linear cryptanalysis is known as a cryptanalysis method as important as differential cryptanalysis, and there is a maximum linear transition probability corresponding to the maximum differential transition probability. It is known that the 4-bit S-Box that minimizes both the maximum differential transition probability and the maximum linear transition probability exists only by applying affine transformation to the inputs and outputs of the 16 S-Boxes shown in Table 1 below. It is
Figure JPOXMLDOC01-appb-T000006
  S-Boxの入出力にアフィン変換をかけて生成された新しいS-Boxは、元のS-Boxとアフィン等価であるという。最大差分遷移確率と最大線形遷移確率はアフィン等価なS-Boxにおいて常に一致することが知られている。Lilliput暗号を含む4ビットS-Boxを用いる既存の設計の多くは、表1に示す16個のS-BoxのいずれかのS-Boxとアフィン等価なS-Boxを用いている。
Figure JPOXMLDOC01-appb-T000006
 A new S-Box generated by applying an affine transformation to the input and output of an S-Box is said to be affine equivalent to the original S-Box. It is known that the maximum differential transition probability and the maximum linear transition probability always match in affine equivalent S-Boxes. Many existing designs using 4-bit S-Boxes, including the Lilliput cipher, use S-Boxes that are affine equivalent to any of the 16 S-Boxes shown in Table 1.
 図4に、Lilliput暗号で実際に用いられているS-Boxについて、入力差分Δinと出力差分Δoutの全組み合わせについて式(1)の分子の値(つまり、ΔinからΔoutへの差分遷移の出現回数)を計算したものを示す。これは差分分布表と呼ばれる。入力差分Δinから出力差分Δoutへ遷移する確率(S-Boxの差分遷移確率)は、差分分布表の値を2で割ったものである。図4においてΔin=Δout=0の場合を除いた最大値は4であるため、S-Boxの最大差分遷移確率は4/2=2-2であることがわかる。 FIG. 4 shows the values of the numerator of equation (1) for all combinations of the input difference Δ in and the output difference Δ out for the S-Box actually used in the Lilliput cipher (that is, the difference from Δ in to Δ out The number of occurrences of transitions) is calculated. This is called a difference distribution table. The probability of transition from the input difference Δ in to the output difference Δ out (difference transition probability of S-Box) is obtained by dividing the value in the difference distribution table by 24 . In FIG. 4, the maximum value is 4 except for the case of Δ inout =0, so it can be seen that the maximum differential transition probability of S-Box is 4/2 4 =2 −2 .
  ≪提案手法≫
 Lilliput暗号のような軽量暗号は、IoT機器等の比較的計算リソースが貧弱なデバイス上での実装が想定されているため、拡張一般化Feistel型ラウンド関数の非線形部や線形部で複雑な演算を実行することができない。このため、差分解読法に対する安全性を効率的に高めることが難しく、ラウンド関数の繰り返し回数が増加し、それに伴う暗号処理の性能低下が発生し得る。なお、拡張一般化Feistel型暗号は一般化Feistel型暗号と比較すると攪拌性能が向上しているものの、通常のFeistel型暗号と比較すると依然として遅いため、差分解読法に対する安全性を効率的に高めることが難しく、ラウンド関数の繰り返し回数が増加し得ることに変わりはない。 <<Proposed method>>
Lightweight ciphers such as Lilliput ciphers are expected to be implemented on devices with relatively poor computational resources, such as IoT devices. cannot be executed. For this reason, it is difficult to efficiently improve security against differential cryptanalysis, the number of iterations of the round function increases, and the performance of cryptographic processing may deteriorate accordingly. Although the extended generalized Feistel-type cipher has improved agitation performance compared to the generalized Feistel-type cipher, it is still slower than the normal Feistel-type cipher. is still difficult and the number of iterations of the round function can increase.
 そこで、以下では、Lilliput暗号のように拡張一般化Feistel型ラウンド関数を用いるブロック暗号を対象として、既存の設計よりも少ない繰り返し回数で差分特性確率を小さくすることが可能な手法について説明する。本提案手法では、拡張一般化Feistel型ラウンド関数を用いるブロック暗号にとって有効な性質を満たす置換表(S-Box)を利用する。 Therefore, the following describes a method that can reduce the differential characteristic probability with a smaller number of iterations than existing designs, targeting block ciphers that use an extended generalized Feistel type round function, such as the Lilliput cipher. The proposed method uses a permutation table (S-Box) that satisfies properties that are effective for block ciphers that use extended generalized Feistel-type round functions.
 拡張一般化Feistel型暗号では、ラウンド関数の線形部によって右ブランチのバイトが左ブランチのバイトに排他的論理和される。この排他的論理和によって左ブランチの差分が打ち消され、差分のないバイトとなるとき、次のラウンド関数において差分を持つバイトが入力となるS-Boxの数が減少する。 In the extended generalized Feistel-type cipher, the linear part of the round function XORs the bytes of the right branch with the bytes of the left branch. When this XOR cancels the difference in the left branch and results in bytes with no difference, the number of S-Boxes to which the bytes with difference are input decreases in the next round function.
 差分特性確率は、S-Boxの入力として差分を持つバイトの数が最小化されるとき、最大化される特徴を持つ。したがって、差分特性確率が最大化される差分特性では、線形部によって左ブランチのバイトの差分が打ち消されゼロ差分となる場合が多い。 The differential characteristic probability has the characteristic of being maximized when the number of bytes with the differential as input of the S-Box is minimized. Therefore, in a differential characteristic in which the differential characteristic probability is maximized, the linear part often cancels the difference of the bytes in the left branch to zero difference.
 上記の性質を考慮して、以下の性質を満たす置換表(S-Box)を用いることで、差分解読法に対する安全性の向上が期待できる。 Considering the above properties, using a substitution table (S-Box) that satisfies the following properties can be expected to improve security against differential cryptanalysis.
 S-Boxの差分遷移確率の中で高確率な値を取る(Δin,Δout)にのみ注目する(ただし、ΔinとΔoutは非ゼロであるものとする。)。このような入力差分と出力差分のペア(Δin,Δout)を高確率伝搬と呼ぶ。ある差分Δin=Δが高確率で差分Δout=Δに伝搬するような入出力差分が同一な高確率伝搬の存在を考える。 We focus only on (Δ in , Δ out ) that take high probability values among the differential transition probabilities of the S-Box (where Δ in and Δ out are assumed to be non-zero). Such a pair of input difference and output difference (Δ in , Δ out ) is called high-probability propagation. Consider the existence of high-probability propagation with the same input-output difference such that a certain difference Δ in =Δ propagates to the difference Δ out =Δ with high probability.
 本提案手法では、入出力差分が同一な高確率伝搬が存在しないS-Boxを利用する。なお、既存の暗号方式の設計で入出力差分が同一な高確率伝搬の存在に着目したものは存在しないと考えられる。 This proposed method uses an S-Box in which there is no high-probability propagation with the same input-output difference. In addition, it is considered that there is no existing cryptosystem design that focuses on the existence of high-probability propagation with the same input-output difference.
 Lilliput暗号で用いられているS-Boxの差分分布表を図4に示す。図4に示す差分分布表において、入出力差分が同一の箇所は太字で示されている。図4に示す差分分布表では、ΔinとΔoutが共に0x6である出現回数は4であり、この入力差分Δin=0x6と出力差分Δout=0x6のペアは高確率伝搬となっている。 FIG. 4 shows a differential distribution table of S-Boxes used in the Lilliput cipher. In the difference distribution table shown in FIG. 4, portions with the same input/output difference are shown in bold. In the difference distribution table shown in FIG. 4, the number of appearances where both Δ in and Δ out are 0x6 is 4, and the pair of this input difference Δ in =0x6 and output difference Δ out =0x6 is highly probable propagation. .
 Lilliput暗号のラウンド関数を13回繰り返した際の最良差分特性(差分特性確率が最も高くなる差分特性)を図5に示す。図5において、ΔLはラウンド関数をi回繰り返した後の左ブランチの差分を表し、ΔRはラウンド関数をi回繰り返した後の右ブランチの差分を表す。なお、ラウンド0は平文の差分である。また、ΔYはΔRをS-Boxに入力して得られるS-Boxの出力の差分を並び替えたものである。 Fig. 5 shows the best differential characteristics (difference characteristics with the highest differential characteristic probability) when the round function of the Lilliput cipher is repeated 13 times. In FIG. 5, ΔL represents the difference in the left branch after i iterations of the round function, and ΔR represents the difference in the right branch after i iterations of the round function. Note that round 0 is the plaintext difference. ΔY is obtained by rearranging the difference of the output of the S-Box obtained by inputting ΔR into the S-Box.
 例えば、ラウンド0のΔRは「00000600」であるが、これは、右ブランチのうち、右から3番目のバイトの差分は0x6であり、他のバイトには差分がないことを表している。同様に、例えば、ラウンド0のΔLは「66660600」であり、これは、左ブランチのうち、右から3、5、6、7、8番目のバイトの差分は0x6であり、他のバイトには差分がないことを表している。 For example, the ΔR of round 0 is "00000600", which means that the difference in the third byte from the right in the right branch is 0x6, and there is no difference in the other bytes. Similarly, for example, the ΔL of round 0 is "66660600", which means that in the left branch, the difference between the 3rd, 5th, 6th, 7th, and 8th bytes from the right is 0x6, and the other bytes are It shows that there is no difference.
 また、例えば、ラウンド0のΔYは「00600000」であり、これは、ラウンド0のΔRに対して副鍵XORを適用し、それをS-Boxで変換した後の差分の右から1番目、右から2番目、右から3番目、右から4番目、右から5番目、右から6番目、右から7番目、右から8番目の各バイトを、右から8番目、右から7番目、右から6番目、右から5番目、右から4番目、右から3番目、右から2番目、右から1番目のバイトにそれぞれ移動させた後の差分が「00600000」であることを表している。 Also, for example, the ΔY of round 0 is “00600000”, which is the first from the right of the difference after applying the subkey XOR to the ΔR of round 0 and transforming it with the S-Box. 2nd byte from right, 3rd byte from right, 4th byte from right, 5th byte from right, 6th byte from right, 7th byte from right, 8th byte from right, 8th byte from right, 7th byte from right, 8th byte from right It indicates that the difference after moving to the 6th byte, the 5th byte from the right, the 4th byte from the right, the 3rd byte from the right, the 2nd byte from the right, and the 1st byte from the right is "00600000".
 図5に示すように、Lilliput暗号では差分を持つすべてのバイトが0x6となっていることがわかる。また、図4に示すように、入出力差分が共に0x6である場合は高確率伝搬となる。  As shown in Fig. 5, it can be seen that all bytes with a difference are 0x6 in the Lilliput cipher. Also, as shown in FIG. 4, when the input and output differences are both 0x6, the propagation is highly probable.
 入出力差分が同一な高確率伝搬を持たないS-Boxを利用することで、差分解読法に対する安全性を向上させることができる。  By using an S-Box that does not have high-probability propagation with the same input-output difference, it is possible to improve security against differential cryptanalysis.
 例えば、以下に示すS-Boxは入出力差分が同一な高確率伝搬が存在しない具体例である。 For example, the S-Box shown below is a specific example in which high-probability propagation with the same input-output difference does not exist.
Figure JPOXMLDOC01-appb-M000007
  このS-Boxの差分分布表を図6に示す。図6に示すように、入出力差分が同一の場合(図6中で太字の箇所)、差分伝搬確率は高々2/16=2-3である。このS-BoxをLilliput暗号のS-Boxの代わりに用いて、ラウンド関数を12回繰り返した際の最良差分特性を図7に示す。図7に示すように、各バイトの差分は、すべてが0x6となるような単純な値ではなくなる。このため、ラウンド関数の線形部によって左ブランチのバイトの差分が打ち消されゼロ差分となる場合が抑止され、差分特性確率をより小さくすることができる。
Figure JPOXMLDOC01-appb-M000007
 FIG. 6 shows the difference distribution table of this S-Box. As shown in FIG. 6, when the input and output differences are the same (shown in bold in FIG. 6), the difference propagation probability is at most 2/16= 2-3 . FIG. 7 shows the best differential characteristics when this S-Box is used instead of the S-Box of the Lilliput cipher and the round function is repeated 12 times. As shown in FIG. 7, the difference between each byte is no longer a simple value that is all 0x6. Therefore, the linear part of the round function can prevent the difference between the bytes of the left branch from being canceled and result in a zero difference, and the difference characteristic probability can be further reduced.
 なお、本実施形態では、主に、拡張一般化Feistel型ラウンド関数の非線形部で4ビットのS-Boxを用いるブロック暗号(特に、Lilliput暗号等の軽量暗号)を対象に説明したが、拡張一般化Feistel型ラウンド関数の非線形部で任意のサイズのS-Boxを用いるブロック暗号に対しても同様に適用可能であることは言うまでもない。 Note that, in the present embodiment, mainly block ciphers (in particular, lightweight ciphers such as Lilliput ciphers) using a 4-bit S-Box in the nonlinear part of the extended generalized Feistel type round function have been described. It goes without saying that this method can be similarly applied to block ciphers using S-Boxes of any size in the nonlinear part of the Feistel-type round function.
 <暗号装置10のハードウェア構成>
 次に、本提案手法で説明したS-Boxを非線形部で利用する拡張一般化Feistel型ラウンド関数を用いたブロック暗号により暗号処理(暗号化、復号、又はその両方)を行う暗号装置10のハードウェア構成を図8に示す。図8に示すように、本実施形態に係る暗号装置10は、入力装置101と、表示装置102と、外部I/F103と、通信I/F104と、プロセッサ105と、メモリ装置106とを有する。これらの各ハードウェアは、それぞれがバス107により通信可能に接続される。 <Hardware Configuration of Encryption Device 10>
Next, the hardware of the cryptographic device 10 that performs cryptographic processing (encryption, decryption, or both) by block cipher using an extended generalized Feistel type round function that uses the S-Box described in the proposed method in the nonlinear part The hardware configuration is shown in FIG. As shown in FIG. 8, the encryption device 10 according to this embodiment has an input device 101, a display device 102, an external I/F 103, a communication I/F 104, a processor 105, and a memory device . Each of these pieces of hardware is communicably connected via a bus 107 .
 入力装置101は、例えば、キーボードやマウス、タッチパネル、各種物理ボタン等である。表示装置102は、例えば、ディスプレイ等である。なお、暗号装置10は、例えば、入力装置101及び表示装置102のうちの少なくとも一方を有していなくてもよい。 The input device 101 is, for example, a keyboard, mouse, touch panel, various physical buttons, and the like. The display device 102 is, for example, a display. Note that the cryptographic device 10 may not include at least one of the input device 101 and the display device 102, for example.
 外部I/F103は、記録媒体103a等の外部装置とのインタフェースである。暗号装置10は、外部I/F103を介して、記録媒体103aの読み取りや書き込み等を行うことができる。なお、記録媒体103aとしては、例えば、CD(Compact Disc)、DVD(Digital Versatile Disk)、SDメモリカード(Secure Digital memory card)、USB(Universal Serial Bus)メモリカード等が挙げられる。 The external I/F 103 is an interface with an external device such as the recording medium 103a. The cryptographic device 10 can perform reading and writing of the recording medium 103 a via the external I/F 103 . Examples of the recording medium 103a include CD (Compact Disc), DVD (Digital Versatile Disk), SD memory card (Secure Digital memory card), USB (Universal Serial Bus) memory card, and the like.
 通信I/F104は、暗号装置10を通信ネットワークに接続するためのインタフェースである。プロセッサ105は、例えば、CPU(Central Processing Unit)やMPU(Micro-Processing Unit)等の各種演算装置である。メモリ装置106は、例えば、HDD(Hard Disk Drive)やSSD(Solid State Drive)、フラッシュメモリ、RAM(Random Access Memory)、ROM(Read Only Memory)等の各種記憶装置である。 The communication I/F 104 is an interface for connecting the cryptographic device 10 to a communication network. The processor 105 is, for example, various arithmetic units such as a CPU (Central Processing Unit) and an MPU (Micro-Processing Unit). The memory device 106 is, for example, various storage devices such as HDD (Hard Disk Drive), SSD (Solid State Drive), flash memory, RAM (Random Access Memory), and ROM (Read Only Memory).
 本実施形態に係る暗号装置10は、図8に示すハードウェア構成を有することにより、後述する各種処理を実現することができる。なお、図8に示すハードウェア構成は一例であって、暗号装置10は、図示したハードウェア以外にも様々なハードウェアを有していてもよい。 The cryptographic device 10 according to the present embodiment has the hardware configuration shown in FIG. 8, so that it can implement various processes described later. Note that the hardware configuration shown in FIG. 8 is merely an example, and the cryptographic device 10 may have various hardware other than the illustrated hardware.
 <暗号装置10の機能構成>
 次に、本提案手法で説明したS-Boxを非線形部で利用する拡張一般化Feistel型ラウンド関数を用いたブロック暗号により暗号処理を行う暗号装置10の機能構成を図9に示す。図9に示すように、本実施形態に係る暗号装置10は、置換表生成処理部201と、暗号処理部202とを有する。これら各部は、例えば、暗号装置10にインストールされた1以上のプログラムがプロセッサ105に実行させる処理により実現される。 <Functional Configuration of Encryption Device 10>
Next, FIG. 9 shows the functional configuration of a cryptographic device 10 that performs cryptographic processing by block cipher using an extended generalized Feistel type round function that uses the S-Box described in the proposed method in the nonlinear section. As shown in FIG. 9, the encryption device 10 according to this embodiment has a substitution table generation processing unit 201 and an encryption processing unit 202 . These units are implemented by, for example, processing that one or more programs installed in the cryptographic device 10 cause the processor 105 to execute.
 置換表生成処理部201は、上記で説明した提案手法により置換表(S-Box)を生成する。すなわち、置換表生成処理部201は、暗号処理部202を実現するブロック暗号の拡張一般化Feistel型ラウンド関数の非線形部で利用されるS-Boxと同一サイズのS-Boxの中で入出力差分が同一な高確率伝搬を持たないS-Boxを、暗号処理部202で用いるS-Boxとして生成する。例えば、暗号処理部202がLilliput暗号等で実現される場合、置換表生成処理部201は、表1に示す16個のS-Box及びそれらのアフィン等価なS-Boxのうち、入出力差分が同一な高確率伝搬を持たないS-Boxを、暗号処理部202で用いるS-Boxとして生成する。なお、置換表生成処理部201は、例えば、該当のサイズのS-Boxの差分分布表から、入出力差分が同一な高確率伝搬を持たないS-Boxを特定及び生成すればよい。 The substitution table generation processing unit 201 generates a substitution table (S-Box) by the proposed method described above. That is, the permutation table generation processing unit 201 generates an input-output difference in an S-Box having the same size as the S-Box used in the nonlinear part of the extended generalized Feistel type round function of the block cipher that realizes the encryption processing unit 202. The S-Box that does not have the same high-probability propagation is generated as the S-Box used in the cryptographic processing unit 202 . For example, when the encryption processing unit 202 is realized by Lilliput encryption or the like, the permutation table generation processing unit 201 selects 16 S-Boxes shown in Table 1 and their affine equivalent S-Boxes, and the input/output difference is An S-Box that does not have the same high-probability propagation is generated as an S-Box to be used in cryptographic processing section 202 . Note that the permutation table generation processing unit 201 may, for example, identify and generate an S-Box that has the same input-output difference and does not have high-probability propagation from the difference distribution table of the S-Box of the corresponding size.
 暗号処理部202は、置換表生成処理部201で生成されたS-Boxを用いて、所定のブロック暗号(例えば、Lilliput暗号等)により暗号処理を行う。すなわち、暗号処理部202は、例えば、平文から暗号文を生成した上で他の暗号装置に送信したり、他の暗号装置から受信した暗号文を復号したりする。 The encryption processing unit 202 uses the S-Box generated by the replacement table generation processing unit 201 to perform encryption processing using a predetermined block cipher (eg, Lilliput encryption, etc.). That is, the encryption processing unit 202 generates, for example, a ciphertext from a plaintext and transmits the generated ciphertext to another cryptographic device, or decrypts a ciphertext received from another cryptographic device.
 なお、図9は一例であって、例えば、置換表生成処理部201と暗号処理部202のそれぞれを異なる装置が有していてもよい。具体的には、例えば、置換表生成処理部201を有する置換表生成装置と、暗号処理部202を有する暗号装置とで構成されていてもよい。 Note that FIG. 9 is an example, and for example, the replacement table generation processing unit 201 and the encryption processing unit 202 may be provided in different devices. Specifically, for example, the permutation table generation device having the permutation table generation processing unit 201 and the encryption device having the encryption processing unit 202 may be configured.
 <置換表生成処理及び暗号処理>
 次に、本実施形態に係る暗号装置10が実行する置換表生成処理及び暗号処理の流れを図10に示す。図10に示すように、まず、置換表生成処理部201は、暗号処理部202で用いるS-Boxを生成する(S101)。なお、このS-Boxの生成は暗号処理よりも前に実行されていればよく、例えば、事前に予め実行されてもよいし、暗号処理を実行する直前に都度実行されてもよい。次に、暗号処理部202は、置換表生成処理部201で生成されたS-Boxを用いて、所定のブロック暗号により暗号処理(平文の暗号化又は暗号文の復号)を行う(S102)。なお、暗号装置10が暗号化装置として機能する場合は、暗号処理部202は、平文を暗号化して暗号文を生成した上で他の暗号装置に送信する。一方で、暗号装置10が復号装置として機能する場合は、暗号処理部202は、他の暗号装置から受信した暗号文を復号する。 <Permutation table generation processing and encryption processing>
Next, FIG. 10 shows the flow of permutation table generation processing and encryption processing executed by the cryptographic device 10 according to this embodiment. As shown in FIG. 10, first, the replacement table generation processing unit 201 generates an S-Box used by the encryption processing unit 202 (S101). Note that the generation of the S-Box may be executed before the cryptographic processing, for example, it may be executed in advance, or may be executed immediately before the cryptographic processing is executed each time. Next, the encryption processing unit 202 uses the S-Box generated by the replacement table generation processing unit 201 to perform encryption processing (encryption of plaintext or decryption of ciphertext) by a predetermined block cipher (S102). When the encryption device 10 functions as an encryption device, the encryption processing unit 202 encrypts plaintext to generate a ciphertext, and then transmits the ciphertext to another encryption device. On the other hand, when the cryptographic device 10 functions as a decryption device, the cryptographic processor 202 decrypts ciphertexts received from other cryptographic devices.
 <実験結果>
 以下では、提案手法の効果を確認するために行った実験の結果について説明する。 <Experimental results>
In the following, the results of experiments conducted to confirm the effectiveness of the proposed method will be explained.
 Lilliput暗号のS-Boxを式(2)に示すS-Boxに置き換えた場合におけるラウンド関数の繰り返し回数に対する最大差分特性確率の変化の様子を図11に示す。なお、Lilliput暗号はブロック長64ビットで、拡張一般化Feistel型ラウンド関数を用いるブロック暗号であり、そのS-Boxは入出力差分が同一の高確率伝搬を持つ。 FIG. 11 shows how the maximum differential characteristic probability changes with respect to the number of iterations of the round function when the S-Box of the Lilliput cipher is replaced with the S-Box shown in Equation (2). The Lilliput cipher has a block length of 64 bits and is a block cipher using an extended generalized Feistel type round function, and its S-Box has high-probability propagation with the same input-output difference.
 図11中で「original」はLilliput暗号で従来のS-Boxを用いた場合であり、「ours」はLilliput暗号で式(2)に示すS-Boxを用いた場合である。なお、横軸はラウンド関数の繰り返し回数、縦軸は最大差分特性確率(MDCP)に対してlogの取った値を表す。 In FIG. 11, "original" indicates the case where the conventional S-Box is used in the Lilliput cipher, and "ours" indicates the case where the S-Box shown in Equation (2) is used in the Lilliput cipher. The horizontal axis represents the number of iterations of the round function, and the vertical axis represents the value obtained by log 2 with respect to the maximum differential characteristic probability (MDCP).
 図11に示すように、入出力差分が同一の高確率伝搬を持つoriginalのLilliput暗号では最大差分特性確率が2-64より小さいことを保証するためにはラウンド数を14回繰り返さなければならない。 As shown in FIG. 11, in the original Lilliput cipher with high-probability propagation of the same input-output difference, 14 rounds must be repeated in order to ensure that the maximum differential characteristic probability is less than 2-64 .
 一方で、式(2)に示すS-Boxに置き換えたLilliput暗号(ours)では、13回の繰り返しで最大差分特性確率が2-64より小さいことを保証することができている。このように、差分解読法に対してラウンド関数の繰り返し回数1回分以上の安全性向上が得られる場合、同じ安全性を保ったまま繰り返し回数を削減することができるため、暗号処理の処理性能を改善できる。また、置き換え前と同一の繰り返し回数とした場合には、差分解読法に対する安全性を向上させることができる。 On the other hand, in the Lilliput cipher (ours) replaced with the S-Box shown in Equation (2), it is possible to guarantee that the maximum differential characteristic probability is smaller than 2 −64 after 13 iterations. In this way, when security is improved by one or more iterations of the round function compared to differential cryptanalysis, the number of iterations can be reduced while maintaining the same security. It can be improved. Also, if the number of iterations is the same as before replacement, the security against differential cryptanalysis can be improved.
 本発明は、具体的に開示された上記の実施形態に限定されるものではなく、請求の範囲の記載から逸脱することなく、種々の変形や変更、既知の技術との組み合わせ等が可能である。 The present invention is not limited to the specifically disclosed embodiments described above, and various modifications, alterations, combinations with known techniques, etc. are possible without departing from the scope of the claims. .
 10    暗号装置
 101   入力装置
 102   表示装置
 103   外部I/F
 103a  記録媒体
 104   通信I/F
 105   プロセッサ
 106   メモリ装置
 107   バス
 201   置換表生成処理部
 202   暗号処理部 10 encryption device 101 input device 102 display device 103 external I/F
103a recording medium 104 communication I/F
105 Processor 106 Memory Device 107 Bus 201 Permutation Table Generation Processing Unit 202 Encryption Processing Unit

Claims (5)

  1.  拡張一般化Feistel型ラウンド関数を用いるブロック暗号により平文を暗号化又は暗号文を復号する暗号装置であって、
     前記ブロック暗号に応じて決定される所定のサイズの置換表であって、入出力差分が同一な高確率伝搬が存在しない置換表を生成する置換表生成処理部と、
     生成された前記置換表を用いて、前記ブロック暗号により前記暗号化又は前記復号を行う暗号処理部と、
     を有し、
     前記入出力差分が同一な高確率伝搬は、前記置換表への2つの入力を表す入力差分が与えられたときに、前記入力差分に対応する出力の差分を表す出力差分のうち、前記入力差分と同一の値となる出力差分への遷移確率が最大となる伝搬のことである、暗号装置。     A cryptographic device that encrypts plaintext or decrypts ciphertext by block cipher using an extended generalized Feistel type round function,
    a permutation table generation processing unit that generates a permutation table of a predetermined size determined according to the block cipher, in which there is no high-probability propagation with the same input-output difference;
    a cryptographic processing unit that performs the encryption or the decryption by the block cipher using the generated permutation table;
    has
    In the high-probability propagation with the same input-output difference, when an input difference representing two inputs to the permutation table is given, among the output differences representing the difference of the output corresponding to the input difference, the input difference A cryptographic device that maximizes the transition probability to the output difference that has the same value as .
  2.  前記ブロック暗号はLilliput暗号、前記サイズは4ビットである、請求項1に記載の暗号装置。 The cryptographic device according to claim 1, wherein the block cipher is Lilliput cipher, and the size is 4 bits.
  3.  前記置換表生成処理部は、
     予め決められた16個の置換表と前記置換表への入力及び出力に対してアフィン変換をかけた置換表の中から、前記入出力差分が同一な高確率伝搬が存在しない置換表を生成する、請求項2に記載の暗号装置。     The replacement table generation processing unit
    A permutation table in which there is no high-probability propagation with the same input/output difference is generated from 16 predetermined permutation tables and a permutation table obtained by applying an affine transformation to the input and output of the permutation table. 3. A cryptographic device according to claim 2.
  4.  拡張一般化Feistel型ラウンド関数を用いるブロック暗号により平文を暗号化又は暗号文を復号する暗号装置が、
     前記ブロック暗号に応じて決定される所定のサイズの置換表であって、入出力差分が同一な高確率伝搬が存在しない置換表を生成する置換表生成処理手順と、
     生成された前記置換表を用いて、前記ブロック暗号により前記暗号化又は前記復号を行う暗号処理手順と、
     を実行し、
     前記入出力差分が同一な高確率伝搬は、前記置換表への2つの入力を表す入力差分が与えられたときに、前記入力差分に対応する出力の差分を表す出力差分のうち、前記入力差分と同一の値となる出力差分への遷移確率が最大となる伝搬のことである、方法。     A cryptographic device that encrypts plaintext or decrypts ciphertext by block cipher using an extended generalized Feistel type round function,
    a permutation table generation processing procedure for generating a permutation table of a predetermined size determined according to the block cipher, in which there is no high-probability propagation with the same input-output difference;
    a cryptographic processing procedure for performing the encryption or the decryption by the block cipher using the generated permutation table;
    and run
    In the high-probability propagation with the same input-output difference, when an input difference representing two inputs to the permutation table is given, among the output differences representing the difference of the output corresponding to the input difference, the input difference is the propagation that maximizes the transition probability to the output difference that is the same value as .
  5.  コンピュータを、請求項1乃至3の何れか一項に記載の暗号装置として機能させるプログラム。 A program that causes a computer to function as the cryptographic device according to any one of claims 1 to 3.
PCT/JP2021/020665 2021-05-31 2021-05-31 Cryptographic device, method, and program WO2022254513A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2023525161A JP7529154B2 (en) 2021-05-31 2021-05-31 Cryptographic device, method, and program
PCT/JP2021/020665 WO2022254513A1 (en) 2021-05-31 2021-05-31 Cryptographic device, method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/020665 WO2022254513A1 (en) 2021-05-31 2021-05-31 Cryptographic device, method, and program

Publications (1)

Publication Number Publication Date
WO2022254513A1 true WO2022254513A1 (en) 2022-12-08

Family

ID=84323948

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/020665 WO2022254513A1 (en) 2021-05-31 2021-05-31 Cryptographic device, method, and program

Country Status (2)

Country Link
JP (1) JP7529154B2 (en)
WO (1) WO2022254513A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001282102A (en) * 2000-01-26 2001-10-12 Fujitsu Ltd Cipher designing device, cipher designing program and recording medium

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001282102A (en) * 2000-01-26 2001-10-12 Fujitsu Ltd Cipher designing device, cipher designing program and recording medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SASAKI YU, TODO YOSUKE: "Tight Bounds of Differentially and Linearly Active S-Boxes and Division Property of Lilliput", IEEE TRANSACTIONS ON COMPUTERS, IEEE, USA, vol. 67, no. 5, 1 May 2018 (2018-05-01), USA , pages 717 - 732, XP093013008, ISSN: 0018-9340, DOI: 10.1109/TC.2017.2775640 *

Also Published As

Publication number Publication date
JPWO2022254513A1 (en) 2022-12-08
JP7529154B2 (en) 2024-08-06

Similar Documents

Publication Publication Date Title
JP5402632B2 (en) Common key block encryption apparatus, common key block encryption method, and program
JP4735644B2 (en) Message authentication apparatus, message authentication method, message authentication program and recording medium thereof
JP5229315B2 (en) Encryption device and built-in device equipped with a common key encryption function
WO2009087972A1 (en) Data transmission device, data reception device, methods therefor, recording medium, and data communication system therefor
TWI595460B (en) Data processing device, information processing device, data processing method and program
CN113078997B (en) Terminal protection method based on lightweight cryptographic algorithm
US20080192924A1 (en) Data encryption without padding
Arshad et al. New extension of data encryption standard over 128-bit key for digital images
Achkoun et al. SPF-CA: A new cellular automata based block cipher using key-dependent S-boxes
Rudnytskyi et al. Cryptographic encoding in modern symmetric and asymmetric encryption
CN102713994B (en) Encryption device
WO2018212015A1 (en) Secure computation device, comparison method, comparison program recording medium, and secure computation system
Srilaya et al. Performance evaluation for des and AES algorithms-an comprehensive overview
WO2022254511A1 (en) Encryption apparatus, method, and program
JP5202350B2 (en) Cryptographic processing apparatus, cryptographic processing method, and cryptographic processing program
WO2022254513A1 (en) Cryptographic device, method, and program
KR20080072345A (en) Apparatus for encryption and method using the same
JP2012143011A (en) Decryption processing unit, information processing unit, decryption processing method, and computer program
CN112367159A (en) Medical data safety storage oriented hybrid encryption and decryption method and system
JP5578422B2 (en) ENCRYPTED COMMUNICATION SYSTEM, TRANSMISSION DEVICE, RECEPTION DEVICE, ENCRYPTION / DECRYPTION METHOD, AND PROGRAM THEREOF
Zhang et al. A unified improvement of the AES algorithm
JP7244060B2 (en) Block cipher device, block cipher method and program
Yu et al. Image encryption algorithm based on self-adaptive symmetrical-coupled toggle cellular automata
JP5772934B2 (en) Data conversion apparatus, data conversion method, and computer program
JP5500277B2 (en) Encryption device and built-in device equipped with a common key encryption function

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21944023

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023525161

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21944023

Country of ref document: EP

Kind code of ref document: A1