JP2020134730A - Block cipher device, block cipher method, and program - Google Patents

Abstract

To provide a block cipher device, a block cipher method and a program with which it is possible to construct a safe block cipher for biclique cryptanalysis.SOLUTION: Provided is a block cipher device for encrypting a plain text in block length of n bits using a secret key in key length of b bits. A first process using a round function is repeatedly performed r rounds, by an encryption unit 4, on n-bit data subblocks into which the plain text is divided. A second process using a bijective function is repeatedly performed r rounds, by a key scheduling unit 5, on d n-bit key subblocks into which the secret key is divided. The output of the encryption unit 4 and the output of the key scheduling unit 5 are computed, and a cipher text is outputted. The round function is a d×d matrix arithmetic expression with which the influence of a rounding difference of 1 in the inputted d n-bit data subblocks is spread to all other data subblocks.SELECTED DRAWING: Figure 2

Description

The present invention relates to a block cipher device and a block cipher method for encrypting plaintext, and further relates to a program for realizing these.

Meet-in-the-middle attack is known as one of the decryption methods for block ciphers. A meet-in-the-middle attack is a decryption method that divides a block cipher into two sub-ciphers and narrows down key candidates by checking the match between the intermediate value calculated from the plaintext side and the intermediate value u calculated from the ciphertext side. is there. In recent years, met-in-the-middle attacks have been applied as preimage attacks on hash functions and have been significantly improved. As an improved method of the conventional met-in-the-middle attack, there is a method called Biclique Cryptanalysis (see, for example, Non-Patent Document 1). Biclique Cryptanalysis is an attack in which a private key is divided into a group satisfying a characteristic called Biclique and an intermediate match attack is efficiently performed (see, for example, Non-Patent Document 2).

A. Bogdanov, D. Khovratovich, and C. Rechberger, ‘Biclique Cryptanalysis of the Full AES,’ ASIACRYPT 2011, LNCS 7073, pp.344--371, Springer (2011) W. Diffie, M. E. Hellman: Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer 10 (6): 74-84.

However, so far, no method for constructing a secure block cipher for Biclique Cryptanalysis has been proposed, and it has not been possible to construct a secure block cipher.

Therefore, an example of an object of the present invention is to provide a block cipher device, a block cipher method, and a program capable of constructing a secure block cipher for Biclique Cryptanalysis.

In order to achieve the above object, the block cipher device in one aspect of the present invention is a block cipher device that encrypts a plaintext having a block length of b bits using a private key having a key length of b bits.
A plaintext division unit that divides the plaintext into d n-bit data subblocks,
A key dividing unit that divides the private key into d n-bit key subblocks,
An encryption unit that repeats the first process using a round function for r rounds on the d n-bit data subblocks.
A key schedule processing unit that repeats the second processing using the bijective function for r rounds for the d n-bit key subblocks.
An arithmetic unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext,
With
In the key schedule processing unit
In the second process of the first round, the d n-bit key subblocks generated by the key division unit are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In the encryption unit
In the first process of one round, each of the d n-bit data subblocks generated by the plaintext division unit and each of the d n-bit key subblocks generated by the key division unit are combined. The result of calculation and non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks. ..

Further, in order to achieve the above object, the block cipher device in one aspect of the present invention is a block cipher device that encrypts a plaintext having a block length of b bits using a private key having a key length of b bits.
A plaintext division unit that divides the plaintext into d n-bit data subblocks,
A key dividing unit that divides the private key into d n-bit key subblocks,
An encryption unit that repeats the first process using a round function for r rounds on the d n-bit data subblocks.
A key schedule processing unit that repeats the second processing using the round function for r rounds for the d n-bit key subblocks.
An arithmetic unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext,
With
In the key schedule processing unit
In the second process of the first round, the d n-bit key subblocks generated by the key dividing unit are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In the encryption unit
In the first process of the first round, each of the d n-bit data subblocks generated by the plaintext division unit and each of the d n-bit key subblocks generated by the key division unit. Is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. The result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences. To do.

Further, in order to achieve the above object, the block cipher method in one aspect of the present invention is a block cipher method for encrypting a plaintext having a block length of b bits and using a private key having a key length of b bits.
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the bijective function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
With
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). Each of them is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is characterized in that it is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks. To do.

Further, in order to achieve the above object, the block cipher method in one aspect of the present invention is a block cipher method for encrypting a plaintext having a block length of b bits and using a private key having a key length of b bits.
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the round function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
With
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In step (c)
In the first process of one round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b), respectively. And the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences. To do.

Further, in order to achieve the above object, the program in one aspect of the present invention is a program that causes a computer to encrypt a plaintext having a block length of b bits and a private key having a key length of b bits.
On the computer
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the bijective function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
To execute,
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). The result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is characterized in that it is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks. To do.

Further, in order to achieve the above object, the program in one aspect of the present invention is a program that causes a computer to encrypt a plaintext having a block length of b bits and a private key having a key length of b bits.
On the computer
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the round function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
To execute,
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). Each of them is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences. To do.

As described above, according to the block cipher device, block cipher method and program of the present invention, a block cipher that is secure against Biclique Cryptanalysis can be configured.

FIG. 1 is a configuration diagram of a block cipher device according to a first embodiment of the present invention. FIG. 2 is a diagram illustrating an algorithm in a block cipher device according to a first embodiment of the present invention. FIG. 3 is a flow chart showing the operation of the block cipher device according to the first embodiment of the present invention. FIG. 4 is a diagram for explaining a method of configuring the Biclique characteristic. FIG. 5 is a diagram showing a state in which the overlap of the differences in FIG. 4 transitions. FIG. 6 is a diagram showing that the Biclique characteristic does not hold in the encryption by the block cipher device according to the first embodiment of the present invention. FIG. 7 is a diagram showing that the Biclique characteristic does not hold in the encryption by the block cipher device according to the first embodiment of the present invention. FIG. 8 is a diagram showing that the Biclique characteristic does not hold in the encryption by the modified example. FIG. 9 is a diagram showing that the Biclique characteristic does not hold in the encryption by the modified example. FIG. 10 is a diagram illustrating an algorithm in a block cipher device according to a second embodiment of the present invention. FIG. 11 is a flow chart showing the operation of the block cipher device according to the second embodiment of the present invention. FIG. 12 is a diagram showing that the Biclique characteristic does not hold in the encryption by the block cipher device in the second embodiment. FIG. 13 is a diagram showing that the Biclique characteristic does not hold in the encryption by the block cipher device in the second embodiment. FIG. 14 is a diagram showing that the Biclique characteristic does not hold in the encryption by the modified example. FIG. 15 is a diagram showing that the Biclique characteristic does not hold in the encryption by the modified example. FIG. 16 is a block diagram showing an example of a computer that realizes the block cipher device according to the first and second embodiments of the present invention.

(Embodiment 1)
Hereinafter, the block cipher device and the block cipher method according to the first embodiment of the present invention will be described with reference to FIGS. 1 to 9.

[Device configuration]
FIG. 1 is a configuration diagram of a block cipher device according to a first embodiment of the present invention.

The block cipher device 1 is a device that blocks-encrypts a plaintext having a block length of b bits using a private key having a key length of b bits. As shown in FIG. 1, the block cipher device 1 includes a plaintext division unit 2, a key division unit 3, an encryption unit 4, a key schedule processing unit 5, and a calculation unit 6.

The plaintext division unit 2 divides the b-bit plaintext input to the block cipher device 1 into d n-bit data subblocks.

The key division unit 3 divides the private key input to the block cipher device 1 into d n-bit key subblocks.

The encryption unit 4 repeats the first process using the round function for r rounds with respect to the d n-bit data subblocks generated by the plaintext division unit 2.

The key schedule processing unit 5 repeats the second processing using the bijective function for r rounds with respect to the d n-bit key subblocks generated by the key dividing unit 3. In this key schedule processing unit, in the second processing of the first round, d n-bit key subblocks generated by the key dividing unit 3 are input to the bijective function. Further, in the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.

The calculation unit 6 calculates the output of the encryption unit 4 and the output of the key schedule processing unit 5, and outputs a ciphertext.

In the first round of the encryption unit 4, in each of the d n-bit data subblocks generated by the plaintext division unit 2 and the d n-bit keys generated by the key division unit 3. Calculate with each subblock. The result of performing non-linear conversion processing on this calculation result is used as the input of the round function. Further, in the first process of the i (i = 2 to r) th round, the output of the first process of the (i-1) th round and the (i-1) th round executed by the key schedule processing unit 5 are performed. The output of the second process is calculated. The result of performing non-linear conversion processing on this calculation result is used as the input of the round function.

The round function used in the first processing of the encryption unit 4 is a matrix operation formula that spreads the influence of the rounding difference of 1 in the input n-bit data subblock to all other data subblocks. The operation executed in the first process of the encryption unit 4 is either arithmetic addition, arithmetic subtraction, or exclusive OR.

The block cipher device 1 of the first embodiment can configure a block cipher that is secure against Biclique Cryptanalysis.

Subsequently, the configuration of the block cipher device 1 of the first embodiment will be specifically described with reference to FIGS. 2 to 9.

FIG. 2 is a diagram illustrating an algorithm in the block cipher device 1 according to the first embodiment of the present invention. The block cipher device 1 includes the above-mentioned plaintext division unit 2, a key division unit 3, an encryption unit 4, a key schedule processing unit 5, and a calculation unit 6. As shown in FIG. 2, a plain text and a private key are input to the block cipher device 1. In the first embodiment, the plaintext block length is b bits. The private key has a b-bit key length that is the same as the plaintext block length.

The plaintext division unit 2 divides the plaintext input to the block cipher device 1 into d n-bit data subblocks. Further, the key dividing unit 3 divides the private key input to the block cipher device 1 into d n-bit key subblocks.

The key schedule processing unit 5 has a bijective calculation unit 51. The bijective calculation unit 51 performs calculations using the bijective function for d n-bit key subblocks. The key schedule processing unit 5 sets the calculation process performed by the bijective calculation unit 51 as the second process, and repeats this second process for r rounds.

In the second process of the first round, d n-bit key subblocks generated by the key dividing unit 3 are input to the bijective calculation unit 51. In the second processing after the second round, the result calculated by the bijection calculation unit 51 in the immediately preceding round is input to the bijection calculation unit 51.

The encryption unit 4 has a logical operation unit 41, an S layer unit 42, and a matrix operation unit 43.

The logical operation unit 41 calculates the exclusive OR of the input d n-bit data subblocks and the d n-bit key subblocks. The operation performed by the logical operation unit 41 may be arithmetic addition or arithmetic subtraction.

The S-layer unit 42 performs non-linear conversion on the output of the logical operation unit 41. The S-layer unit 42 functions as an S-box (Substitution Box) in common key cryptography. For example, the S-layer unit 42 performs non-linear conversion based on the stored conversion table.

The matrix calculation unit 43 performs calculation processing using a d × d matrix. The matrix calculation unit 43 functions as data agitation by MDS (Maximum Distance Separation) conversion. The MDS transformation is a transformation using an MDS matrix. In the MDS conversion in the matrix calculation unit 43, if one of the input data subblocks is affected by the exclusive OR difference of the two data, the effect of the difference spreads to all the output data subblocks. To do. The MDS conversion in the matrix calculation unit 43 is expressed by the following equation.

The encryption unit 4 repeats this first process for r rounds, with the process by the logical operation unit 41, the S layer unit 42, and the matrix operation unit 43 as one first process.

In the first process of the first round, the logical operation unit 41 has d n-bit data subblocks generated by the plaintext division unit 2 and d n-bit keys generated by the key division unit 3. Subblocks are entered. Then, the logical operation unit 41 calculates the exclusive OR of the two input data.

In the first processing after the second round, the logical operation unit 41 inputs the result calculated by the matrix operation unit 43 in the immediately preceding round and the result calculated by the bijection calculation unit 51 in the immediately preceding round. Will be done.

The calculation unit 6 calculates the exclusive logic between the output of the encryption unit 4 and the output of the key schedule processing unit 5. The operation performed by the calculation unit 6 may be arithmetic addition or arithmetic subtraction. The output of the encryption unit 4 is the output of the matrix calculation unit 43 of the first processing of the final round (r round). Further, the output of the key schedule processing unit 5 is the output of the bijective calculation unit 51 of the second processing of the final round (r round). The output of the arithmetic unit 6 is a plaintext ciphertext that is block-encrypted by the block cipher device 1.

[Operation description]
Next, the operation of the block cipher device 1 according to the first embodiment of the present invention will be described with reference to FIG. FIG. 3 is a flow chart showing the operation of the block cipher device 1 according to the first embodiment of the present invention. In the following description, FIGS. 1 and 2 will be referred to as appropriate. Further, in the first embodiment, the block cipher method is implemented by operating the block cipher device 1. Therefore, the description of the block cipher method in the present embodiment will be replaced with the following description of the operation of the block cipher device 1.

First, as a premise, it is assumed that a plaintext having a block length of b bits and a secret key having a key length of b bits, which is the same as the block length of the plaintext, are input to the block cipher device 1.

Under the above premise, as shown in FIG. 3, the plaintext division unit 2 divides the b-bit plaintext into d n-bit data subblocks (S1). The key division unit 3 divides the b-bit private key into d n-bit key subblocks (S2).

In the first round, the logical operation unit 41 of the encryption unit 4 is exclusive with the d n-bit data subblocks generated in S1 and the d n-bit key subblocks generated in S2. The logical sum is calculated (S3). Next, the S-layer unit 42 of the encryption unit 4 performs non-linear conversion on the operation result of the exclusive OR of S3 based on the stored conversion table (S4). Then, the matrix calculation unit 43 of the encryption unit 4 performs the MDS conversion using the d × d matrix with respect to the non-linear conversion of S4 (S5). Further, the bijective calculation unit 51 of the key schedule processing unit 5 is S2.
A calculation using a bijective function is performed on the d n-bit key subblocks generated in (S6).

If the processing of S3 to S6 is not the processing of the rth round which is the final round (S7: NO), the processing of S3 to S6 is repeated. In the second and subsequent rounds, the logical operation unit 41 of the encryption unit 4 calculates the exclusive OR of the conversion result of S5 and the calculation result of S6 (S3). Further, the bijective calculation unit 51 of the key schedule processing unit 5 performs a calculation using the bijective function with respect to the calculation result of S6 in the immediately preceding round (S6).

If the processing of S3 to S6 is the processing of the rth round (S7: YES), the arithmetic unit 6 performs the exclusive ethical sum of the conversion result of S5 in the final round and the calculation result of S6 in the final round. Is calculated (S8).

[Effect of Embodiment 1]
With the block cipher device 1 having the above configuration, plaintext can be encrypted so that the Biclique characteristic is not established. In the following description, it is shown that the plaintext can be encrypted so that the Biclique characteristic does not hold by the above algorithm. First, a method of configuring the Biclique characteristic will be described.

FIG. 4 is a diagram for explaining a method of configuring the Biclique characteristic. FIG. 4 shows the difference (color or diagonal line) of the data when the exclusive OR with the private key is calculated for the plaintext and each processing of “SB”, “SR”, and “MC” is performed. Indicates the state in which the block) transitions. The difference is the difference between two plaintext data, and the difference by exclusive OR is often used. In FIG. 4, the difference is treated as a rounded difference in n-bit units. “SB” is a process of performing a non-linear conversion. "SR" is a process of changing the order. "MC" is a process of performing a linear conversion. Further, (1) in FIG. 4 shows a state in which the data difference transitions in the forward direction (from the input direction to the output direction). FIG. 4 (2) shows a state in which the data difference transitions in the reverse direction (from the output to the input direction).

In FIG. 4 (1), a difference is inserted in the key subblock (FIG. 4 (A)). Then, the encryption process is performed in the forward direction (two rounds in FIG. 4). FIG. 4B shows the propagation result of the difference after performing the two-round processing. In FIG. 4 (2), a difference is inserted in the free area of the key subblock so as not to overlap with the difference of the key subblock shown in FIG. 4 (B) (FIG. 4 (C)). Then, the encryption process is performed in the opposite direction for two rounds. FIG. 4D shows the propagation result of the difference after performing the two-round processing in the opposite direction. In FIG. 4, how the difference spreads depends on the algorithm.

FIG. 5 is a diagram showing a state in which the overlap of the differences in FIG. 4 transitions. As shown in FIG. 5, there are no blocks with overlapping differences in the data subblocks.

The difference is used as an important index in evaluating the security of the block cipher. If the difference is biased, the block cipher is evaluated as insecure as the two plaintexts can be easily found. On the other hand, if it is difficult to find the two plaintexts, the block cipher is evaluated as secure. How the difference propagates depends on the algorithm. That is, as shown in FIG. 5, if there is no overlap of differences in the data subblocks, the Biqlique characteristic is established, and it is evaluated as an insecure block cipher.

6 and 7 are diagrams showing that the Biclique characteristic does not hold in the encryption by the block cipher device according to the first embodiment of the present invention. FIG. 6 (1) shows a state in which the data difference changes in the forward direction. FIG. 6 (2) shows a state in which the data difference transitions in the opposite direction.

In FIG. 6 (1), a difference is inserted in the key subblock (FIG. 6 (A)). The key length of the key subblock must be the same as the block length of the data subblock so that the difference between the key subblocks always affects the data subblock. In the first embodiment, since the MDS conversion is performed, when the second round of encryption processing is performed in the forward direction, the difference propagates to all the blocks of the data subblocks as shown in FIG. 6B.

As a result, when a difference is inserted in the key subblock so as not to overlap with the difference of the key subblock shown in FIG. 6 (C) (FIG. 6 (D)) and the encryption process is performed in the opposite direction for two rounds, Even if there is no difference in all of the data blocks (FIG. 6 (E)), as shown in FIG. 7 (A), there are blocks in which the differences overlap (black blocks in FIG. 7). That is, it can be seen that in the above-mentioned block cipher device 1, block cipher is performed in one round of processing, in which the Biqlique characteristic is not established.

As described above, a secure block cipher can be configured for Biclique Cryptanalysis.

[program]
The program according to the first embodiment may be any program that causes a computer to execute steps S1 to S8 shown in FIG. By installing this program on a computer and executing it, the block cipher device 1 and the block cipher method according to the first embodiment can be realized. In this case, the computer processor functions as a plaintext division unit 2, a key division unit 3, an encryption unit 4, a key schedule processing unit 5, and a calculation unit 6 to perform processing.

Further, the program in the first embodiment may be executed by a computer system constructed by a plurality of computers. In this case, for example, each computer may function as one of the plaintext division unit 2, the key division unit 3, the encryption unit 4, the key schedule processing unit 5, and the calculation unit 6, respectively.

(Modification example)
Here, a modified example of the first embodiment will be described. In this modification, the matrix calculation unit 43 uses a d × d matrix having no coefficient of 0 to perform a matrix conversion for the non-linear transformation in the S layer unit 42. In the matrix conversion in the matrix operation unit 43, if one of the input data subblocks is affected by the exclusive OR difference by the logical operation unit 41, the difference always appears in all the output data subblocks. The matrix transformation in the matrix calculation unit 43 is expressed in the same manner as the above equation.

[Effect of modification]
8 and 9 are diagrams showing that the Biclique characteristic does not hold in the encryption according to this modification. FIG. 8 (1) shows a state in which the data difference changes in the forward direction. FIG. 8 (2) shows a state in which the data difference transitions in the opposite direction.

In FIG. 8 (1), a difference is inserted in the key subblock (FIG. 8 (A)). In this modification, since the matrix conversion is performed with a d × d matrix having no coefficient 0, when the second round of encryption processing is performed in the forward direction, as shown in FIG. 8B, the data subblock The difference propagates to all blocks of.

As a result, when a difference is inserted in the key subblock so as not to overlap with the difference of the key subblock shown in FIG. 8 (C) (FIG. 8 (D)) and the encryption process is performed in the opposite direction for two rounds, Even if there is no difference in all of the data blocks (FIG. 8 (E)), as shown in FIG. 9 (A), there are blocks in which the differences overlap (black blocks in FIG. 9). That is, it can be seen that in the above-mentioned block cipher device 1, block cipher is performed in one round of processing, in which the Biqlique characteristic is not established.

(Embodiment 2)
Next, the block cipher device, the block cipher method, and the program according to the second embodiment of the present invention will be described with reference to FIGS. 10 to 16.

[Device configuration]
FIG. 10 is a diagram illustrating an algorithm in the block cipher device 1A according to the second embodiment of the present invention. The block cipher device 1A includes the plaintext division unit 2, the key division unit 3, the encryption unit 4, the key schedule processing unit 5, and the calculation unit 6 described above. In the second embodiment, the round function in the encryption unit 4 and the processing in the key schedule processing unit 5 are different from the first embodiment. Hereinafter, the differences will be mainly described.

The key schedule processing unit 5 repeats the second process using the round function for r rounds for d n-bit key subblocks. In the second processing of the first round in the key schedule processing unit 5, d n-bit key subblocks generated by the key dividing unit 3 are input to the round function. Further, in the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.

The key schedule processing unit 5 has an S layer unit 52 and a matrix calculation unit 53.

The S-layer unit 52 performs non-linear conversion on d n-bit key subblocks. The S-layer unit 52 functions as an S-box (Substitution Box) in common key cryptography. For example, the S-layer unit 52 performs non-linear conversion based on the stored conversion table.

The matrix calculation unit 53 performs calculation processing using a d × d matrix. The matrix calculation unit 53 functions as data agitation by MDS (Maximum Distance Separation) conversion. The MDS transformation is a transformation using an MDS matrix.

The matrix calculation unit 43 of the encryption unit 4 performs calculation processing using a d × d matrix.

The d × d matrix used by the matrix calculation unit 43 of the encryption unit 4 and the matrix calculation unit 53 of the key schedule processing unit 5 is appropriately combined so that the Biqlique characteristic described in the first embodiment is not satisfied. Set. In the second embodiment, the d × d matrix used in the matrix calculation unit 53 is used as the MDS matrix.

[Device operation]
Next, the operation of the block cipher device 1A in the second embodiment will be described with reference to FIG. FIG. 11 is a flow chart showing the operation of the block cipher device 1A according to the second embodiment of the present invention. Further, in the second embodiment, the information processing method is implemented by operating the block cipher device 1A. Therefore, the description of the block cipher method in the second embodiment is replaced with the following description of the operation of the block cipher device 1A.

First, as a premise, it is assumed that a plaintext having a block length of b bits and a secret key having a key length of b bits, which is the same as the block length of the plaintext, are input to the block cipher device 1A.

Under the above premise, as shown in FIG. 11, the plaintext division unit 2 divides the b-bit plaintext into d n-bit data subblocks (S21). The key division unit 3 divides the b-bit private key into d n-bit key subblocks (S22).

In the first round, the logical operation unit 41 of the encryption unit 4 is exclusive with the d n-bit data subblocks generated in S21 and the d n-bit key subblocks generated in S22. The logical sum is calculated (S23). Next, the S-layer unit 42 of the encryption unit 4 performs non-linear conversion on the operation result of the exclusive OR of S23 based on the stored conversion table (S24). Then, the matrix calculation unit 43 of the encryption unit 4 performs a matrix conversion using a d × d matrix with respect to the non-linear conversion of S24 (S24). Further, the S-layer unit 52 of the key schedule processing unit 5 performs non-linear conversion on the d n-bit key subblocks generated in S22 (S26). Then, the matrix calculation unit 53 of the key schedule processing unit 5 performs MDS conversion using a d × d matrix with respect to the non-linear conversion of S26 (S27).

If the processing of S23 to S27 is not the processing of the r-th round which is the final round (S28: NO), the processing of S23 to S27 is repeated. In the second and subsequent rounds, the logical operation unit 41 of the encryption unit 4 calculates the exclusive OR of the conversion result of S25 and the conversion result of S27 (S23). Further, the S layer unit 52 of the key schedule processing unit 5 performs all non-linear conversion on the conversion result of S27 in the immediately preceding round (S26).

If the processing of S23 to S27 is the processing of the rth round (S28: YES), the arithmetic unit 6 performs the exclusive ethical sum of the conversion result of S25 in the final round and the conversion result of S27 in the final round. Is calculated (S29).

[Effect in Embodiment 2]
12 and 13 are diagrams showing that the Biclique characteristic does not hold in the encryption by the block cipher device 1A in the second embodiment.

In FIG. 12 (1), a difference is inserted in the key subblock (FIG. 12 (A)). In the second embodiment, since the MDS conversion is performed on the key subblock, when the second round of encryption processing is performed in the forward direction, as shown in FIG. 12B, all the blocks of the key subblock are displayed. , The difference propagates.

As a result, as shown in FIG. 12 (C), when a difference is inserted in the key subblock and the encryption process is performed in the opposite direction for two rounds, even if there is no difference in all of the data blocks (FIG. 12 (D). )), As shown in FIG. 13A, there is a block in which the differences overlap (black block in FIG. 13) in the key subblock. That is, it can be seen that in the above-mentioned block cipher device 1A, block cipher is performed in one round of processing, in which the Biqlique characteristic is not satisfied.

[program]
The program according to the second embodiment may be any program that causes the computer to execute steps S21 to S29 shown in FIG. By installing this program on a computer and executing it, the block cipher device 1A and the block cipher method according to the second embodiment can be realized. In this case, the computer processor functions as a plaintext division unit 2, a key division unit 3, an encryption unit 4, a key schedule processing unit 5, and a calculation unit 6 to perform processing.

Further, the program in the second embodiment may be executed by a computer system constructed by a plurality of computers. In this case, for example, each computer may function as one of the plaintext division unit 2, the key division unit 3, the encryption unit 4, the key schedule processing unit 5, and the calculation unit 6, respectively.

(Modification example)
Here, a modified example of the second embodiment will be described. In this modification, the matrix calculation unit 53 uses a d × d matrix having no 0 in the coefficient to perform matrix conversion for the non-linear transformation in the S layer unit 52. In the matrix conversion in the matrix calculation unit 53, if one of the input data subblocks is affected by the exclusive OR difference, the difference is always generated in all the output data subblocks. The matrix transformation in the matrix calculation unit 43 is expressed in the same manner as the above equation.

[Effect of modification]

14 and 15 are diagrams showing that the Biclique characteristic does not hold in the encryption according to this modification. In FIG. 14 (1), a difference is inserted in the key subblock (FIG. 14 (A)). In the second embodiment, since the matrix conversion is performed with a d × d matrix having no coefficient 0, when the second round of encryption processing is performed in the forward direction, as shown in FIG. 14B, the data sub Differences propagate to all blocks of the block.

As a result, as shown in FIG. 14 (C), when a difference is inserted in the key subblock and the encryption process is performed in the opposite direction for two rounds, even if there is no difference in all of the data blocks (FIG. 14 (D)). )), As shown in FIG. 15A, there is a block in which the differences overlap (black block in FIG. 15) in the data subblock. That is, it can be seen that in the above-mentioned block cipher device 1A, block cipher is performed in one round of processing, in which the Biqlique characteristic is not satisfied.

The d × d matrix used by the matrix calculation unit 43 of the encryption unit 4 and the matrix calculation unit 53 of the key schedule processing unit 5 is the same as when the first processing and the second processing are performed in the forward direction. An n-bit data subblock and an n-bit key subblock, and an n-bit data subblock when the first and second processes are performed in the opposite directions by putting the difference in the free area of the n key subblocks. And when comparing with the n-bit key subblock, it may be set appropriately so that the overlap of the rounding difference always exists.

(Physical configuration)
Here, a computer that realizes a block cipher device by executing the programs of the first and second embodiments will be described with reference to FIG. FIG. 16 is a block diagram showing an example of a computer that realizes the block cipher device according to the first and second embodiments of the present invention.

As shown in FIG. 16, the computer 110 includes a CPU 111, a main memory 112, a storage device 113, an input interface 114, a display controller 115, a data reader / writer 116, and a communication interface 117. Each of these parts is connected to each other via a bus 121 so as to be capable of data communication. The computer 110 may include a GPU (Graphics Processing Unit) or an FPGA (Field-Programmable Gate Array) in addition to the CPU 111 or in place of the CPU 111.

The CPU 111 expands the programs (codes) of the first and second embodiments stored in the storage device 113 into the main memory 112 and executes them in a predetermined order to perform various operations. The main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory). Further, the programs according to the first and second embodiments are provided in a state of being stored in a computer-readable recording medium 120. The programs in the first and second embodiments may be distributed on the Internet connected via the communication interface 117.

Further, specific examples of the storage device 113 include a semiconductor storage device such as a flash memory in addition to a hard disk drive. The input interface 114 mediates data transmission between the CPU 111 and an input device 118 such as a keyboard and mouse. The display controller 115 is connected to the display device 119 and controls the display on the display device 119.

The data reader / writer 116 mediates data transmission between the CPU 111 and the recording medium 120, reads a program from the recording medium 120, and writes a processing result in the computer 110 to the recording medium 120. The communication interface 117 mediates data transmission between the CPU 111 and another computer.

Specific examples of the recording medium 120 include a general-purpose semiconductor storage device such as CF (Compact Flash (registered trademark)) and SD (Secure Digital), a magnetic recording medium such as a flexible disk, or a CD-. Examples include optical recording media such as ROM (Compact Disk Read Only Memory).

The block cipher device according to the first and second embodiments can also be realized by using hardware corresponding to each part instead of the computer on which the program is installed. Further, the block cipher device may be partially realized by a program and the rest may be realized by hardware.

Part or all of the above-described embodiments 1 and 2 can be expressed by the following descriptions (Appendix 1) to (Appendix 8), but the present invention is not limited to the following description.

(Appendix 1)
A block cipher that encrypts plaintext with a block length of b bits using a private key with a key length of b bits.
A plaintext division unit that divides the plaintext into d n-bit data subblocks,
A key dividing unit that divides the private key into d n-bit key subblocks,
An encryption unit that repeats the first process using a round function for r rounds on the d n-bit data subblocks.
A key schedule processing unit that repeats the second processing using the bijective function for r rounds for the d n-bit key subblocks.
An arithmetic unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext,
With
In the key schedule processing unit
In the second process of the first round, the d n-bit key subblocks generated by the key division unit are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In the encryption unit
In the first process of one round, each of the d n-bit data subblocks generated by the plaintext division unit and each of the d n-bit key subblocks generated by the key division unit are combined. The result of calculation and non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks.
A block cipher device characterized by that.

(Appendix 2)
A block cipher that encrypts plaintext with a block length of b bits using a private key with a key length of b bits.
A plaintext division unit that divides the plaintext into d n-bit data subblocks,
A key dividing unit that divides the private key into d n-bit key subblocks,
An encryption unit that repeats the first process using a round function for r rounds on the d n-bit data subblocks.
A key schedule processing unit that repeats the second processing using the round function for r rounds for the d n-bit key subblocks.
An arithmetic unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext,
With
In the key schedule processing unit
In the second process of the first round, the d n-bit key subblocks generated by the key dividing unit are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In the encryption unit
In the first process of the first round, each of the d n-bit data subblocks generated by the plaintext division unit and each of the d n-bit key subblocks generated by the key division unit. Is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. The result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences.
A block cipher device characterized by that.

(Appendix 3)
The block cipher device described in Appendix 2
The round function of the second process is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit key subblocks to all other data subblocks.
A block cipher device characterized by that.

(Appendix 4)
The block cipher device according to any one of Supplementary note 1 to Supplementary note 3.
The operation performed in the first process of the encryption unit is either arithmetic addition, arithmetic subtraction, or exclusive OR.
The operation performed by the calculation unit is either arithmetic addition, arithmetic subtraction, or exclusive OR.
A block cipher device characterized by that.

(Appendix 5)
A block cipher method that encrypts plaintext with a block length of b bits using a private key with a key length of b bits.
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the bijective function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
With
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). Each of them is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks.
A block cipher method characterized by that.

(Appendix 6)
A block cipher method that encrypts plaintext with a block length of b bits using a private key with a key length of b bits.
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the round function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
With
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In step (c)
In the first process of one round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b), respectively. And the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences.
A block cipher method characterized by that.

(Appendix 7)
A program that causes a computer to encrypt plaintext with a block length of b bits using a private key with a key length of b bits.
On the computer
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the bijective function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
To execute,
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). The result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks.
A program characterized by that.

(Appendix 8)
A program that causes a computer to encrypt plaintext with a block length of b bits using a private key with a key length of b bits.
On the computer
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the round function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
To execute,
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). Each of them is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences.
A program characterized by that.

As described above, according to the present invention, a block cipher that is secure against Biclique Cryptanalysis can be constructed.

1, 1A block cipher 2 2 plaintext division 3 key division 4 encryption 5 key schedule processing 6 arithmetic unit 41 logical operation 42 S layer 43 matrix operation 51 bijection calculation unit 52 S layer 53 matrix Calculator

Claims (8)

A block cipher that encrypts plaintext with a block length of b bits using a private key with a key length of b bits.
A plaintext division unit that divides the plaintext into d n-bit data subblocks,
A key dividing unit that divides the private key into d n-bit key subblocks,
An encryption unit that repeats the first process using a round function for r rounds on the d n-bit data subblocks.
A key schedule processing unit that repeats the second processing using the bijective function for r rounds for the d n-bit key subblocks.
An arithmetic unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext,
With
In the key schedule processing unit
In the second process of the first round, the d n-bit key subblocks generated by the key division unit are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In the encryption unit
In the first process of one round, each of the d n-bit data subblocks generated by the plaintext division unit and each of the d n-bit key subblocks generated by the key division unit are combined. The result of calculation and non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks.
A block cipher device characterized by that. A block cipher that encrypts plaintext with a block length of b bits using a private key with a key length of b bits.
A plaintext division unit that divides the plaintext into d n-bit data subblocks,
A key dividing unit that divides the private key into d n-bit key subblocks,
An encryption unit that repeats the first process using a round function for r rounds on the d n-bit data subblocks.
A key schedule processing unit that repeats the second processing using the round function for r rounds for the d n-bit key subblocks.
An arithmetic unit that calculates the output of the encryption unit and the output of the key schedule processing unit and outputs a ciphertext,
With
In the key schedule processing unit
In the second process of the first round, the d n-bit key subblocks generated by the key dividing unit are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In the encryption unit
In the first process of the first round, each of the d n-bit data subblocks generated by the plaintext division unit and each of the d n-bit key subblocks generated by the key division unit. Is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. The result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences.
A block cipher device characterized by that. The block cipher device according to claim 2.
The round function of the second process is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit key subblocks to all other data subblocks.
A block cipher device characterized by that. The block cipher device according to any one of claims 1 to 3.
The operation performed in the first process of the encryption unit is either arithmetic addition, arithmetic subtraction, or exclusive OR.
The operation performed by the calculation unit is either arithmetic addition, arithmetic subtraction, or exclusive OR.
A block cipher device characterized by that. A block cipher method that encrypts plaintext with a block length of b bits using a private key with a key length of b bits.
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the bijective function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
With
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). The result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks.
A block cipher method characterized by that. A block cipher method that encrypts plaintext with a block length of b bits using a private key with a key length of b bits.
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the round function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
With
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In step (c)
In the first process of one round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b), respectively. And the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences.
A block cipher method characterized by that. A program that causes a computer to encrypt plaintext with a block length of b bits using a private key with a key length of b bits.
On the computer
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the bijective function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
To execute,
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the bijective function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the bijective function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). Each of them is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function is a d × d matrix operation formula that spreads the influence of the rounding difference of 1 in the input d n-bit data subblocks to all other data subblocks.
A program characterized by that. A program that causes a computer to encrypt plaintext with a block length of b bits using a private key with a key length of b bits.
On the computer
(A) A step of dividing the plaintext into d n-bit data subblocks, and
(B) A step of dividing the private key into d n-bit key subblocks, and
(C) A step of repeating the first process using the round function for r rounds on the d n-bit data subblocks.
(D) A step of repeating the second process using the round function for r rounds for the d n-bit key subblocks.
(E) A step of calculating the output of the step (c) and the output of the step (d) and outputting a ciphertext.
To execute,
In step (d)
In the second process of the first round, the d n-bit key subblocks generated in the step (b) are used as the input of the round function.
In the second process of the i (i = 2 to r) round, the output of the second process of the (i-1) round is used as the input of the round function.
In step (c)
In the first process of the first round, each of the d n-bit data subblocks generated in the step (a) and the d n-bit key subblocks generated in the step (b). Each of them is calculated, and the result of performing non-linear conversion processing on the calculation result is used as the input of the round function.
In the first process of the i (i = 2 to r) round, the output of the first process of the (i-1) round and the output of the second process of the (i-1) round are calculated. , The result of performing non-linear conversion processing on the operation result is used as the input of the round function.
The round function of the first process and the round function of the second process are d × d matrix operation expressions, respectively.
When the first process and the second process are performed in the forward direction, the n-bit data subblock, the n-bit key subblock, and the difference are put in the free area of the n key subblocks. Comparing the n-bit data subblock and the n-bit key subblock when the first process and the second process are performed in the opposite directions, there is always an overlap of rounding differences.
A program characterized by that.