WO2024127530A1 - Authentication tag generation device, authentication tag generation method, and authentication tag generation program - Google Patents

Publication number
WO2024127530A1
Authority
WO
WIPO (PCT)
Prior art keywords
output
authentication tag
outputs
block cipher
tag generation
Application number
PCT/JP2022/045937
Other languages
French (fr)
Japanese (ja)
Inventor
勇 古谷
明子 向井
一彦 峯松
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社
Priority to PCT/JP2022/045937
Publication of WO2024127530A1

Definitions

  • FIG. 1 is a conceptual diagram showing the configuration of an authentication tag generating device according to a first embodiment of the present invention.
  • FIG. 2 is a diagram showing an example of the internal configuration of the element processing unit.
  • FIG. 3 is a diagram illustrating an example of an internal configuration of the aggregation unit.
  • FIG. 4 is a diagram illustrating an example of the internal configuration of the tag generating unit.
  • FIG. 5 is a conceptual diagram showing the configuration of an authentication tag generating device according to the second embodiment of the present invention.
  • FIG. 6 is a diagram illustrating an example of the internal configuration of the tag generating unit.
  • FIG. 7 is a diagram illustrating an example of a hardware configuration of the authentication tag generating device.
  • FIG. 1 is a conceptual diagram showing the configuration of an authentication tag generating device according to a first embodiment of the present invention.
  • the authentication tag generating device 10 includes r element processing units 11, an aggregation unit 12, and a tag generating unit 13.
  • the authentication tag generating device 10 generates an authentication tag from vector-format input data M, in which each element has an arbitrary length and the vector length r is arbitrary, using a tweakable block cipher with n-bit input/output.
  • the vector length r of the vector-format input data M is the number of data elements constituting the input data M, and is not fixed but variable.
  • each element of the vector-format input data M is composed of a bit string, and the length of the bit string is also arbitrary.
  • the authentication tag generating device 10 has an input unit 14 and an output unit 15, and the vector-format input data M is input to the input unit 14, and the generated authentication tag is output from the output unit 15.
  • the r element processing units 11 accept each element of the input data M, divide the element into n-bit parts and encrypt each part using a tweakable block cipher, add up the encrypted results to output a first output, and output the result of repeatedly adding up the encrypted results and multiplying them by an arbitrary nonzero, nonidentity constant as a second output.
  • the aggregation unit 12 uses a configuration described in detail later, receives first outputs from each of the r element processing units 11, adds them together, and outputs a third output, and also receives second outputs from each of the r element processing units 11, and outputs, as a fourth output, the result of repeatedly adding each of the second outputs and multiplying by an arbitrary nonzero, nonidentity constant.
  • the tag generation unit 13 uses a configuration described in detail below to encrypt the third output with a tweakable block cipher that uses the fourth output and the vector length r as a tweak, and encrypts the fourth output with a tweakable block cipher that uses the third output and the vector length r as a tweak to generate an authentication tag.
  • FIG. 2 is a diagram showing an example of the internal configuration of an element processor.
  • the r element processors 11 receive each element M_i of the input data M, divide the element M_i into n-bit parts M_i[1], ..., M_i[m_i], and encrypt them with the tweakable block ciphers E_K^{0,i,1}, ..., E_K^{0,i,m_i}, respectively.
  • the r element processors 11 add the encryption results Z_i[1], ..., Z_i[m_i] to output a first output X_i, and output, as a second output Y_i, the result of repeating the addition of the encryption results and multiplication by an arbitrary nonzero nonidentity constant (2 in the example shown in the figure).
  • FIG. 3 is a diagram showing an example of the internal configuration of the aggregation unit 12.
  • the aggregation unit 12 receives the first outputs X_i from each of the r element processing units 11, adds them together, and outputs a third output V, and also receives the second outputs Y_i from each of the r element processing units 11, and outputs, as a fourth output W, the result of repeatedly adding each of the second outputs and multiplying by an arbitrary nonzero, nonidentity constant (3x in the example shown in the figure).
  • the tag generating unit 13 encrypts the third output V with the tweakable block cipher E_K^1 using the fourth output W and the vector length r as tweaks, and encrypts the fourth output W with the tweakable block cipher E_K^2 using the third output V and the vector length r as tweaks to generate an authentication tag.
  • since the information of the variable vector length r is reflected in the tweak of the tweakable block cipher, when the vector length r is changed as a result of tampering or the like, the change in the vector length r is reflected in the authentication tag generated through the tweak of the tweakable block cipher.
  • with the authentication tag generated by the authentication tag generating device 10, it is possible to detect even tampering that causes a change in the vector length r.
  • FIG. 5 is a conceptual diagram showing the configuration of an authentication tag generating device according to a second embodiment of the present invention.
  • the authentication tag generating device 10 includes r element processing units 11, an aggregation unit 12, a tag generating unit 13, and a verification unit 16.
  • the authentication tag generating device 10 generates an authentication tag from vector-format input data M, in which each element has an arbitrary length and the vector length r is arbitrary, using a tweakable block cipher with n-bit input/output.
  • the vector length r of the vector-format input data M is not fixed but variable.
  • each element of the vector-format input data M is composed of a bit string, and the length of the bit string is also arbitrary.
  • the r element processing units 11 and the aggregation unit 12 in the second embodiment can be configured in the same manner as in the first embodiment, so their description will be omitted here, and the verification unit 16 and the tag generating unit 13 will be described.
  • the authentication tag generation device 10 has a verification unit 16, and the authentication tag generated by the tag generation unit 13 is input to the verification unit 16, which verifies whether it matches the authentication tag generated in advance. If it matches the authentication tag generated in advance, it means that the input data M has not changed since the authentication tag was generated in advance. Conversely, if it does not match the authentication tag generated in advance, it means that the input data M has been changed since the authentication tag was generated in advance.
  • Fig. 6 is a diagram showing an example of the internal configuration of the tag generation unit.
  • the tag generation unit 13 encrypts the third output V with a tweakable block cipher E_K^1 using the fourth output W and the vector length r as a tweak, and encrypts the fourth output W with a tweakable block cipher E_K^2 using the third output V and the vector length r as a tweak to generate an authentication tag.
  • the vector length r is used as a tweak after being encrypted with a tweakable block cipher.
  • the vector length r is encrypted with the tweakable block cipher E_K^{3,1}, then added to the fourth output W, and used as a tweak for the tweakable block cipher E_K^1.
  • the vector length r is also encrypted with the tweakable block cipher E_K^{3,3}, then added to the third output V, and used as a tweak for the tweakable block cipher E_K^2.
  • the vector length r is also encrypted with the tweakable block cipher E_K^{3,0}, then added to the third output V, and used as an input for the tweakable block cipher E_K^1.
  • the vector length r is encrypted with the tweakable block cipher E_K^{3,2}, then added to the fourth output W, and used as an input for the tweakable block cipher E_K^2.
  • the length of the tweak is generally set to be approximately the same as the length of the input and output (n bits).
  • the tweak may be longer than n bits, which is contrary to this general setting and may cause practical inconvenience.
  • with the tag generation unit 13 shown in Figure 6, even if the vector length r is too large to fit into the tweak, it is encrypted with the tweakable block cipher and then used as the tweak, so that it falls within the range of the general setting of the tweak, and the effect of being able to detect even tampering that changes the vector length r can be maintained.
  • FIG. 7 is a diagram showing an example of a hardware configuration of an authentication tag generation device.
  • An information processing device (computer) employing the hardware configuration shown in Fig. 7 makes it possible to realize each function of the authentication tag generation device 10 described above.
  • the hardware configuration example shown in Fig. 7 is an example of a hardware configuration that realizes each function of the authentication tag generation device 10, and is not intended to limit the hardware configuration of the authentication tag generation device 10.
  • the authentication tag generation device 10 may include hardware not shown in Fig. 7.
  • the hardware configuration 40 that may be adopted by the authentication tag generation device 10 includes a CPU (Central Processing Unit) 41, a main memory device 42, an auxiliary memory device 43, and an IF (Interface) unit 44, which are interconnected by, for example, an internal bus.
  • the CPU 41 executes each command included in the program executed by the authentication tag generation device 10.
  • the main storage device 42 is, for example, a RAM (Random Access Memory), and temporarily stores various programs executed by the authentication tag generation device 10 for processing by the CPU 41.
  • the auxiliary storage device 43 is, for example, an HDD (Hard Disk Drive), and is capable of storing various programs executed by the authentication tag generation device 10 on a medium to long term basis.
  • the various programs can be provided as program products recorded on a non-transitory computer-readable storage medium.
  • the auxiliary storage device 43 can be used to store various programs recorded on a non-transitory computer-readable storage medium on a medium to long term basis.
  • the IF unit 44 provides an interface for communication with the authentication tag generation device 10.
  • An information processing device that employs the above hardware configuration 40 can realize each function of the authentication tag generation device 10.
  • An authentication tag generation device that generates an authentication tag from vector-format input data in which each element has an arbitrary length and a vector length r is arbitrary, using an n-bit input/output tweakable block cipher, r element processing units that receive each element of the input data, divide the element into n-bit parts, encrypt each of the n-bit parts using a tweakable block cipher, add up the encrypted results to output a first output, and output a result of repeatedly adding up the encrypted results and multiplying them by an arbitrary nonzero nonidentity constant as a second output; an aggregation unit that receives the first outputs from each of the r element processing units, adds them together, and outputs a third output, and also receives the second outputs from each of the r element processing units, and outputs a result of repeatedly adding the second outputs and multiplying them by a constant of any nonzero, nonidentical element as a fourth output; a tag generator that encrypts the third output with
  • the authentication tag generation device according to claim 1, wherein the tag generation unit encrypts the vector length r with a tweakable block cipher and then uses the encrypted vector length r as a tweak.
  • the authentication tag generation device according to claim 1 or 2, further comprising a verification unit that verifies the consistency between the authentication tag generated by the tag generation unit and an authentication tag generated in advance.
  • An authentication tag generation method in which an information processing device including r element processing units, an aggregation unit, and a tag generation unit generates an authentication tag from input data in a vector format, in which each element has an arbitrary length and the vector length r is an arbitrary vector length, by using an n-bit input/output tweakable block cipher,
  • the r element processing units receive each element of the input data, divide the element into n bits and encrypt each of the n bits using a tweakable block cipher, add up the encrypted results to output a first output, and output a result of repeatedly adding up the encrypted results and multiplying them by an arbitrary nonzero nonidentity constant as a second output;
  • the summation unit receives the first outputs from each of the r element processing units, adds them together, and outputs a third output, and receives the second outputs from each of the r element processing units, and outputs a result of repeatedly adding each of the second outputs and multiplying them by a constant of any non-
  • An authentication tag generation program for generating an authentication tag from input data in a vector format, each element of which has an arbitrary length and a vector length r, using a bit-input/output tweakable block cipher to be executed on an information processing device having a processor, a memory for storing instructions executed by the processor, r element processing units, an aggregation unit, and a tag generation unit, the program comprising: The r element processing units receive each element of the input data, divide the element into n bits and encrypt each of the n bits using a tweakable block cipher, add up the encrypted results to output a first output, and output a result of repeatedly adding up the encrypted results and multiplying them by an arbitrary nonzero nonidentity constant as a second output; the summation unit receives the first outputs from each of the r element processing units, adds them together, and outputs a third output, and receives the second outputs from each of the r element processing units, and outputs a result of repeatedly adding

Landscapes

  • Storage Device Security (AREA)

Abstract

This authentication tag generation device generates an authentication tag, using a tweakable block cipher whose inputs and outputs are of n bits in size, from vector-form input data in which the length of each element is arbitrary and a vector length r is arbitrary, the authentication tag generation device comprising: r element processing units that receive each element of the input data, divide the elements in units of n bits, encrypt each of the units using a tweakable block cipher, add the encryption results together, and then output a first output, as well as outputting, as a second output, the result of having repeated the addition of the encryption results and the multiplication of an arbitrary non-zero non-unit element constant; an aggregation unit that receives and adds together the first output from each of the r element processing units and then outputs a third output, as well as receiving the second output from each of the r element processing units and then outputting, as a fourth output, the result of having repeated the addition of each of the second outputs and the multiplication of an arbitrary non-zero non-unit element constant; and a tag generation unit that encrypts the third output using a tweakable block cipher in which the fourth output and the vector length r are used as tweaks, as well as encrypting the fourth output using a tweakable block cipher in which the third output and the vector length r are used as tweaks, and then generates an authentication tag.
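
The data flow of the first embodiment, together with the verification step, as an added Python example (not code from the patent or its applicant). Assumptions not stated on the page: n = 128; addition is XOR and the constants 2 and 3 are multiplied in GF(2^128) with x^128 + x^7 + x^2 + x + 1; each element is 10*-padded; the byte encodings of the tweaks; the two final ciphertexts are XORed into the tag; and `tbc_encrypt` is a stand-in built from HMAC-SHA-256, not a vetted tweakable block cipher.

```python
import hashlib
import hmac

N_BYTES = 16                      # assumed block size: n = 128 bits
MASK = (1 << 128) - 1
POLY = 0x87                       # assumed field: GF(2^128), x^128 + x^7 + x^2 + x + 1


def tbc_encrypt(key, tweak, block):
    """Stand-in tweakable block cipher (assumption): a 4-round Feistel
    permutation on 128-bit integers whose round function is HMAC-SHA-256
    over (round, tweak, right half). Not a vetted cipher."""
    left, right = block >> 64, block & 0xFFFFFFFFFFFFFFFF
    for rnd in range(4):
        msg = bytes([rnd]) + tweak + right.to_bytes(8, "big")
        f = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")
        left, right = right, left ^ f
    return (left << 64) | right


def gf_mul2(x):
    """Multiply by the constant 2 (the element 'x') in GF(2^128)."""
    x <<= 1
    return (x & MASK) ^ POLY if x >> 128 else x


def gf_mul3(x):
    """Multiply by the constant 3 = 2 + 1 in GF(2^128)."""
    return gf_mul2(x) ^ x


def split_blocks(element):
    """Split one element into n-bit blocks. The 10* padding is an assumption;
    it keeps elements of different lengths from mapping to the same blocks."""
    padded = element + b"\x80"
    padded += b"\x00" * (-len(padded) % N_BYTES)
    return [int.from_bytes(padded[k:k + N_BYTES], "big")
            for k in range(0, len(padded), N_BYTES)]


def process_element(key, i, element):
    """Element processing unit i: returns (X_i, Y_i)."""
    x = y = 0
    for j, block in enumerate(split_blocks(element), start=1):
        tweak = b"\x00" + i.to_bytes(8, "big") + j.to_bytes(8, "big")  # (0, i, j)
        z = tbc_encrypt(key, tweak, block)       # Z_i[j]
        x ^= z                                   # first output: plain sum
        y = gf_mul2(y ^ z)                       # second output: add, then times 2
    return x, y


def aggregate(outputs):
    """Aggregation unit: returns (V, W) from the r pairs (X_i, Y_i)."""
    v = w = 0
    for x, y in outputs:
        v ^= x                                   # third output
        w = gf_mul3(w ^ y)                       # fourth output: add, then times 3
    return v, w


def generate_tag(key, vector):
    """Tag generation unit of the first embodiment; r goes into both tweaks."""
    r = len(vector).to_bytes(8, "big")
    v, w = aggregate(process_element(key, i, m)
                     for i, m in enumerate(vector, start=1))
    c1 = tbc_encrypt(key, b"\x01" + w.to_bytes(N_BYTES, "big") + r, v)  # E_K^1, tweak (W, r)
    c2 = tbc_encrypt(key, b"\x02" + v.to_bytes(N_BYTES, "big") + r, w)  # E_K^2, tweak (V, r)
    return (c1 ^ c2).to_bytes(N_BYTES, "big")    # combining by XOR is an assumption


def verify_tag(key, vector, stored_tag):
    """Verification unit: recompute and compare in constant time."""
    return hmac.compare_digest(generate_tag(key, vector), stored_tag)


# Constructed sample data (not from the patent).
KEY = bytes(range(32))
VECTOR = [b"alice", b"role=admin;scope=storage-volume-7", b""]
TAMPERED = {
    "element changed":   [b"alice", b"role=admin;scope=storage-volume-8", b""],
    "elements swapped":  [b"role=admin;scope=storage-volume-7", b"alice", b""],
    "element split":     [b"alice", b"role=admin;", b"scope=storage-volume-7", b""],
    "element dropped":   [b"alice", b"role=admin;scope=storage-volume-7"],
    "elements merged":   [b"alicerole=admin;scope=storage-volume-7", b""],
}


def detect_tampering(key, original, variants):
    """Tag the original vector, then report which variants fail verification."""
    tag = generate_tag(key, original)
    return {name: not verify_tag(key, vec, tag) for name, vec in variants.items()}


if __name__ == "__main__":
    print("tag:", generate_tag(KEY, VECTOR).hex())
    for name, detected in detect_tampering(KEY, VECTOR, TAMPERED).items():
        print(f"{name:18s} detected={detected}")
```

The "element split", "element dropped" and "elements merged" variants change the vector length r, the kind of tampering the page says the tweak on r is there to catch.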

Description

Authentication tag generation device, authentication tag generation method, and authentication tag generation program
The present invention relates to an authentication tag generation device, an authentication tag generation method, and an authentication tag generation program.
Message authentication (Message Authentication Code; MAC) is a technology that guarantees the authenticity of a message by attaching to it a tag that can only be calculated by someone who knows the common key. For example, message authentication makes it possible to detect tampering by a third party during communication between two parties who share a common key. Specifically, if the common key shared by the sender and receiver of a message is K and the message is M, then the sender sends the tag T = MAC(K,M) along with the message M to the receiver. Note that MAC(K,M) refers to a function F that takes M and K as input and outputs the tag T.
The message and tag received by the receiver via the communication channel are called message M' and tag T', respectively. The receiver who receives message M' and tag T' calculates tag T'' using the received message M' and the key K shared with the sender. By checking whether the received tag T' matches T'', it can be determined whether message M' was sent from a legitimate sender.
Message authentication can also be used to verify the authenticity of data stored in storage, not just to authenticate messages between senders and receivers. Let the data stored in storage be M, and store the tag T = MAC(K,M) for this data together with the data. Then, when using data M, it is possible to calculate tag T = MAC(K,M) and verify that it matches the stored tag T, thereby verifying that data M has not been tampered with or otherwise compromised.
The disclosures of the above prior art documents are incorporated herein by reference. The following analysis was conducted by the present inventors.
Incidentally, the objects to which tags are added using message authentication are not limited to one-dimensional bit strings, and may also be vector data. In fact, message authentication compatible with vector data is also known (see, for example, Non-Patent Documents 1 and 2).
However, although the message authentication described in Non-Patent Document 1 supports variable-length vectors, it has only n/2-bit security, while the message authentication described in Non-Patent Document 2 has n-bit security but supports only fixed-length vectors. In other words, no message authentication existed that has n-bit security and supports variable-length vectors.
In view of the above-mentioned problems, the object of the present invention is to provide an authentication tag generation device, an authentication tag generation method, and an authentication tag generation program that have n-bit security and contribute to supporting variable-length vectors.
In a first aspect of the present invention, there is provided an authentication tag generation device that generates an authentication tag from input data in a vector format, in which each element has an arbitrary length and the vector length r is arbitrary, using an n-bit input/output tweakable block cipher, the device comprising: r element processing units that receive each element of the input data, divide the element into n-bit parts and encrypt each of the n-bit parts using the tweakable block cipher, add up the encrypted results to output a first output, and output a result of repeatedly adding up the encrypted results and multiplying them by an arbitrary nonzero nonidentity constant as a second output; an aggregation unit that receives the first outputs from each of the r element processing units, adds them together, and outputs a third output, and receives the second outputs from each of the r element processing units, and outputs a result of repeated addition of each of the second outputs and multiplication by an arbitrary nonzero nonidentity constant as a fourth output; and a tag generation unit that encrypts the third output with a tweakable block cipher using the fourth output and the vector length r as a tweak, and encrypts the fourth output with a tweakable block cipher using the third output and the vector length r as a tweak to generate an authentication tag.
In a second aspect of the present invention, there is provided an authentication tag generation method in which an information processing device having r element processing units, an aggregation unit, and a tag generation unit uses an n-bit input/output tweakable block cipher to generate an authentication tag from input data in a vector format in which each element has an arbitrary length and the vector length r is arbitrary, wherein: the r element processing units receive each element of the input data, divide the element into n-bit parts and encrypt each of the parts with the tweakable block cipher, add up the encrypted results to output a first output, and output a result of repeatedly adding up the encrypted results and multiplying them by an arbitrary nonzero nonidentity constant as a second output; the aggregation unit receives the first outputs from each of the r element processing units, adds them together, and outputs a third output, and receives the second outputs from each of the r element processing units, and outputs a result of repeatedly adding each of the second outputs and multiplying them by an arbitrary nonzero nonidentity constant as a fourth output; and the tag generation unit encrypts the third output with a tweakable block cipher using the fourth output and the vector length r as a tweak, and encrypts the fourth output with a tweakable block cipher using the third output and the vector length r as a tweak to generate an authentication tag.
In a third aspect of the present invention, there is provided an authentication tag generation program for generating an authentication tag from input data in a vector format, in which each element has an arbitrary length and the vector length r is arbitrary, using an n-bit input/output tweakable block cipher, the program being executed on an information processing device including a processor, a memory for storing instructions executed by the processor, r element processing units, an aggregation unit, and a tag generation unit, wherein: the r element processing units receive each element of the input data, divide the element into n-bit parts and encrypt each of the parts with the tweakable block cipher, add up the encrypted results to output a first output, and output a result of repeatedly adding up the encrypted results and multiplying them by an arbitrary nonzero nonidentity constant as a second output; the aggregation unit receives the first outputs from each of the r element processing units and adds them together to output a third output, and also receives the second outputs from each of the r element processing units and outputs a result of repeated addition of each of the second outputs and multiplication by an arbitrary nonzero nonidentity constant as a fourth output; and the tag generation unit encrypts the third output with a tweakable block cipher using the fourth output and the vector length r as a tweak, and encrypts the fourth output with a tweakable block cipher using the third output and the vector length r as a tweak to generate an authentication tag.
The program can be recorded on a computer-readable storage medium. The storage medium can be a non-transient medium such as a semiconductor memory, a hard disk, a magnetic recording medium, an optical recording medium, etc. The present invention can also be embodied as a computer program product.
According to each aspect of the present invention, it is possible to provide an authentication tag generation device, an authentication tag generation method, and an authentication tag generation program that contribute to providing n-bit security and to supporting variable-length vectors.
FIG. 1 is a conceptual diagram showing the configuration of an authentication tag generation device according to a first embodiment of the present invention.
FIG. 2 is a diagram showing an example of the internal configuration of the element processing unit.
FIG. 3 is a diagram showing an example of the internal configuration of the aggregation unit.
FIG. 4 is a diagram showing an example of the internal configuration of the tag generation unit.
FIG. 5 is a conceptual diagram showing the configuration of an authentication tag generation device according to a second embodiment of the present invention.
FIG. 6 is a diagram showing an example of the internal configuration of the tag generation unit.
FIG. 7 is a diagram showing an example of a hardware configuration of the authentication tag generation device.
Embodiments of the present invention are described below with reference to the drawings. The present invention is not limited to the embodiments described below. In the drawings, the same or corresponding elements are given the same reference numerals as appropriate. Note also that the drawings are schematic, and the dimensional relationships and ratios of the elements may differ from the actual ones. The drawings may also differ from one another in their dimensional relationships and ratios.
First Embodiment
FIG. 1 is a conceptual diagram showing the configuration of an authentication tag generation device according to a first embodiment of the present invention. As shown in FIG. 1, the authentication tag generation device 10 includes r element processing units 11, an aggregation unit 12, and a tag generation unit 13. The authentication tag generation device 10 uses a tweakable block cipher with n-bit input and output to generate an authentication tag from vector-format input data M in which each element has an arbitrary length and the vector length r is arbitrary. The vector length r of the input data M is the number of data elements that make up the input data M, and it is variable rather than fixed. Each element of the input data M is a bit string, and the length of that bit string is also arbitrary. The authentication tag generation device 10 has an input unit 14 and an output unit 15: the vector-format input data M is input to the input unit 14, and the generated authentication tag is output from the output unit 15.
The r element processing units 11, using a configuration described in detail later, accept the elements of the input data M, divide each element into n-bit blocks, encrypt each block with a tweakable block cipher, add up the encryption results and output the sum as a first output, and output, as a second output, the result of repeatedly adding the encryption results and multiplying by an arbitrary nonzero, non-identity constant.
The aggregation unit 12, using a configuration described in detail later, receives the first output from each of the r element processing units 11, adds them together, and outputs the sum as a third output. It also receives the second output from each of the r element processing units and outputs, as a fourth output, the result of repeatedly adding each second output and multiplying by an arbitrary nonzero, non-identity constant.
The tag generation unit 13, using a configuration described in detail later, generates an authentication tag by encrypting the third output with a tweakable block cipher that uses the fourth output and the vector length r as a tweak, and encrypting the fourth output with a tweakable block cipher that uses the third output and the vector length r as a tweak.
FIG. 2 is a diagram showing an example of the internal configuration of the element processing unit. As shown in FIG. 2, the r element processing units 11 each accept an element M_i of the input data M, divide the element M_i into n-bit blocks M_i[1], ..., M_i[m_i], and encrypt these blocks with the tweakable block ciphers E_K^{0,i,1}, ..., E_K^{0,i,m_i}, respectively. Each element processing unit 11 adds up the encryption results Z_i[1], ..., Z_i[m_i] and outputs the sum as a first output X_i, and outputs, as a second output Y_i, the result of repeatedly adding the encryption results and multiplying by an arbitrary nonzero, non-identity constant (2 in the example in the figure).
FIG. 3 is a diagram showing an example of the internal configuration of the aggregation unit. As shown in FIG. 3, the aggregation unit 12 receives the first output X_i from each of the r element processing units 11, adds them together, and outputs the sum as a third output V. It also receives the second output Y_i from each of the r element processing units and outputs, as a fourth output W, the result of repeatedly adding each second output and multiplying by an arbitrary nonzero, non-identity constant (multiplication by 3 in the example in the figure).
FIG. 4 is a diagram showing an example of the internal configuration of the tag generation unit. As shown in FIG. 4, the tag generation unit 13 generates an authentication tag by encrypting the third output V with the tweakable block cipher E_K^1, which uses the fourth output W and the vector length r as a tweak, and encrypting the fourth output W with the tweakable block cipher E_K^2, which uses the third output V and the vector length r as a tweak. Because this embodiment feeds the variable vector length r into the tweak of the tweakable block cipher, any change to the vector length r caused by tampering or the like is reflected, through the tweak, in the generated authentication tag. In other words, the authentication tag generated by the authentication tag generation device 10 makes it possible to detect even tampering that changes the vector length r.
Second Embodiment
FIG. 5 is a conceptual diagram showing the configuration of an authentication tag generation device according to a second embodiment of the present invention. As shown in FIG. 5, the authentication tag generation device 10 includes r element processing units 11, an aggregation unit 12, a tag generation unit 13, and a verification unit 16. The authentication tag generation device 10 uses a tweakable block cipher with n-bit input and output to generate an authentication tag from vector-format input data M in which each element has an arbitrary length and the vector length r is arbitrary. The vector length r of the input data M is variable rather than fixed. Each element of the input data M is a bit string, and the length of that bit string is also arbitrary. The r element processing units 11 and the aggregation unit 12 of the second embodiment can have the same configuration as in the first embodiment, so their description is omitted here and only the verification unit 16 and the tag generation unit 13 are described.
The authentication tag generation device 10 has a verification unit 16. The authentication tag generated by the tag generation unit 13 is input to the verification unit 16, which verifies whether it matches an authentication tag generated in advance. A match means that the input data M has not changed since the earlier authentication tag was generated. Conversely, a mismatch means that the input data M has been changed since the earlier authentication tag was generated.
FIG. 6 is a diagram showing an example of the internal configuration of the tag generation unit. As shown in FIG. 6, the tag generation unit 13 generates an authentication tag by encrypting the third output V with the tweakable block cipher E_K^1, which uses the fourth output W and the vector length r as a tweak, and encrypting the fourth output W with the tweakable block cipher E_K^2, which uses the third output V and the vector length r as a tweak. In this respect it is the same as the first embodiment, but the tag generation unit 13 of the second embodiment encrypts the vector length r with a tweakable block cipher before using it as a tweak.
The vector length r is encrypted with the tweakable block cipher E_K^{3,1}, added to the fourth output W, and used as the tweak of the tweakable block cipher E_K^1. The vector length r is also encrypted with the tweakable block cipher E_K^{3,3}, added to the third output V, and used as the tweak of the tweakable block cipher E_K^2. In addition, the vector length r is encrypted with the tweakable block cipher E_K^{3,0}, added to the third output V, and used as the input of the tweakable block cipher E_K^1. Finally, the vector length r is encrypted with the tweakable block cipher E_K^{3,2}, added to the fourth output W, and used as the input of the tweakable block cipher E_K^2.
In theory there is no particular restriction on the length of the tweak, but tweakable block ciphers are generally configured with a tweak about as long as the input and output (n bits). In the configuration of the first embodiment the tweak can be longer than n bits, which departs from this common setting and may be inconvenient in practice. With the configuration of the tag generation unit 13 shown in FIG. 6, on the other hand, the vector length r is encrypted with a tweakable block cipher before it is used as a tweak, even when r is too large to fit in the tweak. The tweak therefore stays within the common setting, and the ability to detect tampering that changes the vector length r is preserved.
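The data flow of FIGS. 2 to 4 and FIG. 6, with the check performed by the verification unit 16, sketched in Python as an added example (not code from the patent). Assumptions not taken from the page: n = 128, an HMAC-based Feistel network standing in for the tweakable block cipher, addition as XOR with multiplication in GF(2^128), 10* padding of each element, the add-then-multiply order, r encoded as one block, and concatenation of the two ciphertexts as the tag.

```python
import hashlib
import hmac
import struct

N = 16  # block size in bytes (n = 128 bits); assumed, the page leaves n open


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tbc(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Stand-in tweakable block cipher (assumption): 8-round Feistel network
    over HMAC-SHA256. A permutation per (key, tweak), but not a vetted cipher."""
    left, right = block[:N // 2], block[N // 2:]
    for rnd in range(8):
        f = hmac.new(key, bytes([rnd]) + tweak + right, hashlib.sha256).digest()
        left, right = right, xor(left, f[:N // 2])
    return left + right


def times2(x: bytes) -> bytes:
    """Multiply by 2 in GF(2^128), polynomial x^128 + x^7 + x^2 + x + 1 (assumed)."""
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(N, "big")


def times3(x: bytes) -> bytes:
    return xor(times2(x), x)


def process_element(key: bytes, i: int, element: bytes) -> tuple[bytes, bytes]:
    """Element processing unit: returns (first output X_i, second output Y_i)."""
    # Assumed 10* padding so that an element of any length splits into blocks.
    padded = element + b"\x80" + bytes(-(len(element) + 1) % N)
    x = y = bytes(N)
    for j in range(len(padded) // N):
        # Tweak (0, i, j) as in E_K^{0,i,j}; block indices start at 1.
        z = tbc(key, struct.pack(">BQQ", 0, i, j + 1), padded[j * N:(j + 1) * N])
        x = xor(x, z)            # plain sum of the ciphertext blocks
        y = times2(xor(y, z))    # add, then multiply by 2 (order assumed)
    return x, y


def aggregate(pairs) -> tuple[bytes, bytes]:
    """Aggregation unit: returns (third output V, fourth output W)."""
    v = w = bytes(N)
    for x, y in pairs:
        v = xor(v, x)
        w = times3(xor(w, y))    # add, then multiply by 3 (order assumed)
    return v, w


def generate_tag(key: bytes, vector: list[bytes], encrypt_length: bool = False) -> bytes:
    """Tag generation unit. encrypt_length=False follows the first embodiment
    (r goes into the tweak directly); True follows the second embodiment."""
    r = len(vector)
    v, w = aggregate(process_element(key, i, m) for i, m in enumerate(vector, 1))
    if not encrypt_length:
        r_field = r.to_bytes(8, "big")           # tweak becomes longer than n bits
        t1 = tbc(key, b"\x01" + w + r_field, v)  # E_K^1, tweak (W, r), input V
        t2 = tbc(key, b"\x02" + v + r_field, w)  # E_K^2, tweak (V, r), input W
    else:
        r_block = r.to_bytes(N, "big")
        # e[c] plays the role of E_K^{3,c}(r) for c = 0..3.
        e = [tbc(key, struct.pack(">BB", 3, c), r_block) for c in range(4)]
        t1 = tbc(key, b"\x01" + xor(w, e[1]), xor(v, e[0]))
        t2 = tbc(key, b"\x02" + xor(v, e[3]), xor(w, e[2]))
    return t1 + t2  # assumed: the tag is the two ciphertexts concatenated


def verify_tag(key: bytes, vector: list[bytes], stored_tag: bytes,
               encrypt_length: bool = False) -> bool:
    """Verification unit: recompute the tag and compare in constant time."""
    return hmac.compare_digest(generate_tag(key, vector, encrypt_length), stored_tag)


if __name__ == "__main__":
    key = bytes(range(16))                    # constructed demo key
    stored = [b"record-1", b"record-22"]      # constructed sample vector
    tag = generate_tag(key, stored)
    print(verify_tag(key, stored, tag))            # unchanged data
    print(verify_tag(key, stored + [b""], tag))    # vector length changed
```

With `encrypt_length=True` every tweak passed to the final two cipher calls is one index byte plus a single n-bit block, which is the property the second embodiment is after.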
[Hardware configuration example]
FIG. 7 is a diagram showing an example of a hardware configuration of the authentication tag generation device. An information processing device (computer) that adopts the hardware configuration shown in FIG. 7 can implement each function of the authentication tag generation device 10 described above. The hardware configuration shown in FIG. 7 is, however, only one example of a configuration that implements these functions and is not intended to limit the hardware configuration of the authentication tag generation device 10. The authentication tag generation device 10 may include hardware not shown in FIG. 7.
As shown in FIG. 7, the hardware configuration 40 that the authentication tag generation device 10 may adopt includes a CPU (Central Processing Unit) 41, a main storage device 42, an auxiliary storage device 43, and an IF (Interface) unit 44, which are interconnected by, for example, an internal bus.
The CPU 41 executes each instruction included in the programs executed by the authentication tag generation device 10. The main storage device 42 is, for example, a RAM (Random Access Memory), and temporarily stores the various programs executed by the authentication tag generation device 10 so that the CPU 41 can process them.
The auxiliary storage device 43 is, for example, an HDD (Hard Disk Drive), and can store the various programs executed by the authentication tag generation device 10 over the medium to long term. The programs can be provided as a program product recorded on a non-transitory computer-readable storage medium. The auxiliary storage device 43 can be used to store, over the medium to long term, programs recorded on a non-transitory computer-readable storage medium. The IF unit 44 provides an interface for communication by the authentication tag generation device 10.
An information processing device that adopts the hardware configuration 40 described above can implement each function of the authentication tag generation device 10.
Some or all of the above embodiments may also be described as in the following appendices, but are not limited to them.
[Appendix 1]
An authentication tag generation device that uses a tweakable block cipher with n-bit input and output to generate an authentication tag from input data in a vector format in which each element has an arbitrary length and the vector length r is arbitrary, the device comprising:
r element processing units that accept the elements of the input data, divide each element into n-bit blocks, encrypt each block with the tweakable block cipher, add up the encryption results and output the sum as a first output, and output, as a second output, the result of repeatedly adding the encryption results and multiplying by an arbitrary nonzero, non-identity constant;
an aggregation unit that receives the first output from each of the r element processing units, adds them together, and outputs the sum as a third output, and that receives the second output from each of the r element processing units and outputs, as a fourth output, the result of repeatedly adding each second output and multiplying by an arbitrary nonzero, non-identity constant; and
a tag generation unit that generates an authentication tag by encrypting the third output with a tweakable block cipher that uses the fourth output and the vector length r as a tweak, and encrypting the fourth output with a tweakable block cipher that uses the third output and the vector length r as a tweak.
[Appendix 2]
The authentication tag generation device according to Appendix 1, wherein the tag generation unit encrypts the vector length r with a tweakable block cipher and then uses it as a tweak.
[Appendix 3]
The authentication tag generation device according to Appendix 1 or Appendix 2, further comprising a verification unit that verifies whether the authentication tag generated by the tag generation unit matches an authentication tag generated in advance.
[Appendix 4]
An authentication tag generation method in which an information processing device including r element processing units, an aggregation unit, and a tag generation unit uses a tweakable block cipher with n-bit input and output to generate an authentication tag from input data in a vector format in which each element has an arbitrary length and the vector length r is arbitrary, wherein:
the r element processing units accept the elements of the input data, divide each element into n-bit blocks, encrypt each block with the tweakable block cipher, add up the encryption results and output the sum as a first output, and output, as a second output, the result of repeatedly adding the encryption results and multiplying by an arbitrary nonzero, non-identity constant;
the aggregation unit receives the first output from each of the r element processing units, adds them together, and outputs the sum as a third output, and receives the second output from each of the r element processing units and outputs, as a fourth output, the result of repeatedly adding each second output and multiplying by an arbitrary nonzero, non-identity constant; and
the tag generation unit generates an authentication tag by encrypting the third output with a tweakable block cipher that uses the fourth output and the vector length r as a tweak, and encrypting the fourth output with a tweakable block cipher that uses the third output and the vector length r as a tweak.
[Appendix 5]
The authentication tag generation method according to Appendix 4, wherein the tag generation unit encrypts the vector length r with a tweakable block cipher and then uses it as a tweak.
[Appendix 6]
The authentication tag generation method according to Appendix 4 or Appendix 5, wherein the information processing device includes a verification unit that verifies whether the authentication tag generated by the tag generation unit matches an authentication tag generated in advance.
[Appendix 7]
An authentication tag generation program that is executed on an information processing device including a processor, a memory that stores instructions executed by the processor, r element processing units, an aggregation unit, and a tag generation unit, and that uses a bit-input/output tweakable block cipher to generate an authentication tag from input data in a vector format in which each element has an arbitrary length and the vector length r is arbitrary, wherein:
the r element processing units accept the elements of the input data, divide each element into n-bit blocks, encrypt each block with the tweakable block cipher, add up the encryption results and output the sum as a first output, and output, as a second output, the result of repeatedly adding the encryption results and multiplying by an arbitrary nonzero, non-identity constant;
the aggregation unit receives the first output from each of the r element processing units, adds them together, and outputs the sum as a third output, and receives the second output from each of the r element processing units and outputs, as a fourth output, the result of repeatedly adding each second output and multiplying by an arbitrary nonzero, non-identity constant; and
the tag generation unit generates an authentication tag by encrypting the third output with a tweakable block cipher that uses the fourth output and the vector length r as a tweak, and encrypting the fourth output with a tweakable block cipher that uses the third output and the vector length r as a tweak.
[Appendix 8]
The authentication tag generation program according to Appendix 7, wherein the tag generation unit encrypts the vector length r with a tweakable block cipher and then uses it as a tweak.
[Appendix 9]
The authentication tag generation program according to Appendix 7 or Appendix 8, wherein the information processing device includes a verification unit that verifies whether the authentication tag generated by the tag generation unit matches an authentication tag generated in advance.
Where the present invention presents an algorithm, software, a flowchart, or automated process steps, it is self-evident that a computer is used, and equally self-evident that the computer is provided with a processor and a memory or storage device. Even where these elements are not stated explicitly, they are therefore understood to be described in the present application.
The disclosures of the patent documents and other references cited above are incorporated herein by reference. Within the framework of the entire disclosure of the present invention (including the claims), and on the basis of its basic technical idea, the embodiments and examples can be modified and adjusted. Also within the framework of the entire disclosure of the present invention, the various disclosed elements (including each element of each claim, each element of each embodiment or example, and each element of each drawing) can be combined or selected (including partial deletion) in various ways. That is, the present invention naturally includes the various variations and modifications that a person skilled in the art could make in accordance with the entire disclosure, including the claims, and the technical idea. In particular, any numerical value or sub-range that falls within a numerical range stated in this document should be interpreted as being specifically described even where not otherwise stated. Furthermore, the use of the matters disclosed in the documents cited above, in part or in whole and in combination with the matters described in this document, as part of the disclosure of the present invention where necessary and in keeping with its purpose, is also regarded as included in the matters disclosed in the present application.
REFERENCE SIGNS LIST
10 Authentication tag generation device
11 Element processing unit
12 Aggregation unit
13 Tag generation unit
14 Input unit
15 Output unit
16 Verification unit
40 Hardware configuration
41 CPU (Central Processing Unit)
42 Main storage device
43 Auxiliary storage device
44 IF (Interface) unit

Claims (9)

  1.  An authentication tag generation device that uses a tweakable block cipher with n-bit input and output to generate an authentication tag from input data in a vector format in which each element has an arbitrary length and the vector length r is arbitrary, the device comprising:
    r element processing units that accept the elements of the input data, divide each element into n-bit blocks, encrypt each block with the tweakable block cipher, add up the encryption results and output the sum as a first output, and output, as a second output, the result of repeatedly adding the encryption results and multiplying by an arbitrary nonzero, non-identity constant;
    an aggregation unit that receives the first output from each of the r element processing units, adds them together, and outputs the sum as a third output, and that receives the second output from each of the r element processing units and outputs, as a fourth output, the result of repeatedly adding each second output and multiplying by an arbitrary nonzero, non-identity constant; and
    a tag generation unit that generates an authentication tag by encrypting the third output with a tweakable block cipher that uses the fourth output and the vector length r as a tweak, and encrypting the fourth output with a tweakable block cipher that uses the third output and the vector length r as a tweak.
  2.  The authentication tag generation device according to claim 1, wherein the tag generation unit encrypts the vector length r with a tweakable block cipher and then uses it as a tweak.
  3.  The authentication tag generation device according to claim 1 or claim 2, further comprising a verification unit that verifies whether the authentication tag generated by the tag generation unit matches an authentication tag generated in advance.
  4.  An authentication tag generation method in which an information processing device including r element processing units, an aggregation unit, and a tag generation unit uses a tweakable block cipher with n-bit input and output to generate an authentication tag from input data in a vector format in which each element has an arbitrary length and the vector length r is arbitrary, wherein:
    the r element processing units accept the elements of the input data, divide each element into n-bit blocks, encrypt each block with the tweakable block cipher, add up the encryption results and output the sum as a first output, and output, as a second output, the result of repeatedly adding the encryption results and multiplying by an arbitrary nonzero, non-identity constant;
    the aggregation unit receives the first output from each of the r element processing units, adds them together, and outputs the sum as a third output, and receives the second output from each of the r element processing units and outputs, as a fourth output, the result of repeatedly adding each second output and multiplying by an arbitrary nonzero, non-identity constant; and
    the tag generation unit generates an authentication tag by encrypting the third output with a tweakable block cipher that uses the fourth output and the vector length r as a tweak, and encrypting the fourth output with a tweakable block cipher that uses the third output and the vector length r as a tweak.
  5.  The authentication tag generation method according to claim 4, wherein the tag generation unit encrypts the vector length r with a tweakable block cipher and then uses the result as a tweak.
  6.  The authentication tag generation method according to claim 4 or claim 5, wherein the information processing device comprises a verification unit that verifies whether the authentication tag generated by the tag generation unit matches an authentication tag generated in advance.
  7.  An authentication tag generation program that is executed on an information processing device comprising a processor, a memory storing instructions executed by the processor, r element processing units, an aggregation unit, and a tag generation unit, and that generates an authentication tag from vector-format input data, in which each element has an arbitrary length and the vector length r is arbitrary, using a bit-input/output tweakable block cipher, wherein:
     the r element processing units receive the elements of the input data, divide each element into n-bit blocks, encrypt each block with a tweakable block cipher, add the encryption results together to output a first output, and output, as a second output, the result of repeatedly adding the encryption results and multiplying by an arbitrary nonzero, non-identity constant;
     the aggregation unit receives the first outputs from each of the r element processing units and adds them together to output a third output, and receives the second outputs from each of the r element processing units and outputs, as a fourth output, the result of repeatedly adding each of the second outputs and multiplying by an arbitrary nonzero, non-identity constant; and
     the tag generation unit generates an authentication tag by encrypting the third output with a tweakable block cipher that uses the fourth output and the vector length r as a tweak, and by encrypting the fourth output with a tweakable block cipher that uses the third output and the vector length r as a tweak.
  8.  The authentication tag generation program according to claim 7, wherein the tag generation unit encrypts the vector length r with a tweakable block cipher and then uses the result as a tweak.
  9.  The authentication tag generation program according to claim 7 or claim 8, wherein the information processing device comprises a verification unit that verifies whether the authentication tag generated by the tag generation unit matches an authentication tag generated in advance.
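The data flow of claims 1 and 3 can be traced in a short Python sketch; this is an added example, not code from the patent or its applicant. Everything the claims leave open is an assumption here: the stand-in tweakable block cipher (a 4-round HMAC-based Feistel, for illustration only), the 10* padding, the tweak layout, the constant 2 in GF(2^128), and concatenating the two final ciphertexts into the tag.

```python
import hashlib
import hmac

N = 16  # block size in bytes (n = 128 bits, an assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, tweak, rnd, half):
    # Feistel round function keyed by key, round number and tweak.
    return hmac.new(key, bytes([rnd]) + tweak + half, hashlib.sha256).digest()[:N // 2]

def tbc_encrypt(key, tweak, block):
    """Stand-in tweakable block cipher: a permutation of the block per (key, tweak)."""
    left, right = block[:N // 2], block[N // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, tweak, rnd, right))
    return left + right

def mul2(x):
    """Multiply by the constant 2 in GF(2^128), polynomial x^128 + x^7 + x^2 + x + 1."""
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(N, "big")

def process_element(key, i, element):
    """Element processing unit: returns (first output, second output)."""
    padded = element + b"\x80" + b"\x00" * (-(len(element) + 1) % N)  # assumed 10* padding
    first = second = bytes(N)
    for j in range(0, len(padded), N):
        tweak = b"E" + i.to_bytes(4, "big") + (j // N).to_bytes(4, "big")  # assumed layout
        c = tbc_encrypt(key, tweak, padded[j:j + N])
        first = xor(first, c)            # plain sum of the ciphertext blocks
        second = mul2(xor(second, c))    # add, then multiply by the constant
    return first, second

def generate_tag(key, vector):
    third = fourth = bytes(N)
    for i, element in enumerate(vector):           # aggregation unit
        first, second = process_element(key, i, element)
        third = xor(third, first)
        fourth = mul2(xor(fourth, second))
    r = len(vector).to_bytes(4, "big")             # vector length r enters both tweaks
    t1 = tbc_encrypt(key, b"T1" + fourth + r, third)
    t2 = tbc_encrypt(key, b"T2" + third + r, fourth)
    return t1 + t2                                 # assumed: tag is the concatenation

def verify_tag(key, vector, tag):
    # Verification unit (claim 3): recompute and compare in constant time.
    return hmac.compare_digest(generate_tag(key, vector), tag)
```

Because the element index and the vector length r both enter the tweaks, the same bytes split at different element boundaries, or with a trailing empty element dropped, produce a different tag.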
Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/045937 WO2024127530A1 (en) 2022-12-13 2022-12-13 Authentication tag generation device, authentication tag generation method, and authentication tag generation program

Publications (1)

Publication Number Publication Date
WO2024127530A1 (en) 2024-06-20

Family

ID=91484539
