JP6287785B2 - Cryptographic processing apparatus, cryptographic processing method, and program - Google Patents

Description

  The present disclosure relates to a cryptographic processing device, a cryptographic processing method, and a program. More specifically, the present invention relates to a cryptographic processing apparatus, a cryptographic processing method, and a program that execute stream cipher that is one of common key ciphers.

  With the development of the information society, the importance of information security technology for safeguarding the information handled is increasing. One of the components of information security technology is encryption technology, which is currently used in various products and systems.

  There are various cryptographic processing algorithms. One of the basic techniques is common key cryptography. In common key cryptography, an encryption key and a decryption key are common. In both the encryption process and the decryption process, a plurality of keys are generated from the common key, and the data conversion process is repeatedly executed in a certain block unit, for example, a block data unit such as 64 bits, 128 bits, 256 bits or the like.

  Known common key encryption algorithms include DES (Data Encryption Standard), which is a past US standard, and AES (Advanced Encryption Standard), which is a current US standard. Various other common key ciphers continue to be proposed, and CLEFIA proposed by Sony Corporation in 2007 is one of the common key ciphers.

  In addition, as a prior art disclosed about a common key encryption, there exist patent document 1 (Unexamined-Japanese-Patent No. 2012-215813) etc., for example.

Furthermore, there is a stream cipher as one form of the common key cipher. The ciphertext generation process using the stream cipher is performed by executing the following steps (S1) and (S2).
(S1) A pseudo-random number sequence called a key stream is generated from a secret key that is a secret parameter and an initial vector (IV) that is a public parameter.
(S2) The ciphertext is generated by taking the exclusive OR of the plaintext and the generated key stream.

The process of generating plaintext from ciphertext executes the following steps (S3) and (S4).
(S3) A key stream (pseudo-random number sequence) is generated from a secret key that is a secret parameter and an initial vector (IV) that is a public parameter.
(S4) A plaintext is generated by taking an exclusive OR of the ciphertext and the generated key stream.

In the plaintext generation process, the plaintext is obtained by taking the exclusive OR of the ciphertext using the same keystream as the keystream used at the time of ciphertext generation due to the nature of the exclusive OR executed in step (S4). be able to.
That is, encryption and decryption processing can be performed by securely sharing a “secret key” that is common secret information between the sender and the receiver.

  In this stream cipher, the secret key and the key stream generated from the initial vector (IV) are indispensable elements. However, there are various attacks using the bias of the bit values constituting this key stream, and there is a problem with security. There is an indication that there is.

JP 2012-215813 A

  The present disclosure has been made in view of, for example, the above-described situation, and an object thereof is to provide a cryptographic processing device, a cryptographic processing method, and a program that realize a highly secure stream cipher.

The first aspect of the present disclosure is:
A key stream generation unit that generates a key stream that is a data stream composed of encryption key data;
An operation unit that performs operation processing of encryption key data constituting the key stream and encryption processing target data;
The key stream generation unit
A pseudo-random number generator that generates a pseudo-random number based on the first secret key;
A linear feedback register (LFSR) that generates LFSR output data based on a second secret key;
An exclusive OR operation unit that executes an exclusive OR operation process between the pseudo random number generated by the pseudo random number generator and the LFSR output data;
The encryption processing apparatus outputs the output of the exclusive OR operation unit as a key stream.

Furthermore, the second aspect of the present disclosure is:
A key stream generation unit that generates a key stream that is a data stream composed of decryption key data;
An operation unit that performs an operation process between the decryption key data constituting the key stream and the decryption target data;
The key stream generation unit
A pseudo-random number generator that generates a pseudo-random number based on the first secret key;
A linear feedback register (LFSR) that generates LFSR output data based on a second secret key;
An exclusive OR operation unit that executes an exclusive OR operation process between the pseudo random number generated by the pseudo random number generator and the LFSR output data;
The decryption processing apparatus outputs the output of the exclusive OR operation unit as a key stream.

Furthermore, the third aspect of the present disclosure is:
A cryptographic processing method executed in the cryptographic processing device,
A key stream generation step in which a key stream generation unit generates a key stream that is a data stream composed of encryption key data; and
The calculation unit executes a calculation step of performing calculation processing of encryption key data constituting the key stream and encryption processing target data,
The key stream generation step includes:
A pseudo-random number generating unit that generates a pseudo-random number based on the first secret key;
An LFSR output data generation step, wherein a linear feedback register (LFSR) generates LFSR output data based on the second secret key;
An exclusive OR operation unit has an exclusive OR operation step of performing an exclusive OR operation process between the pseudo random number generated by the pseudo random number generator and the LFSR output data;
The encryption processing method outputs the output of the exclusive OR operation unit as a key stream.

Furthermore, the fourth aspect of the present disclosure is:
A program for executing cryptographic processing in the cryptographic processing device,
A key stream generation step for causing the key stream generation unit to generate a key stream that is a data stream composed of encryption key data; and
Causing the calculation unit to execute a calculation step of executing calculation processing of the encryption key data constituting the key stream and the encryption processing target data;
In the key stream generation step, the program includes:
A pseudo-random number generation step for causing the pseudo-random number generator to generate a pseudo-random number based on the first secret key;
An LFSR output data generating step for causing a linear feedback register (LFSR) to generate LFSR output data based on the second secret key;
Causing the exclusive OR operation unit to execute an exclusive OR operation step of executing an exclusive OR operation of the pseudo random number generated by the pseudo random number generation unit and the LFSR output data;
In the program for outputting the output of the exclusive OR operation section as a key stream.

  Note that the program of the present disclosure is a program provided by, for example, a storage medium to an information processing apparatus or a computer system that can execute various program codes. By executing such a program by the program execution unit on the information processing apparatus or the computer system, processing according to the program is realized.

  Other objects, features, and advantages of the present disclosure will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

According to an embodiment of the present disclosure, according to the configuration of the embodiment of the present disclosure, an apparatus and a method for executing stream cipher with improved security are realized.
Specifically, it has a key stream generation unit that generates a key stream that is a data stream composed of encryption key data, and an operation unit that performs an operation process on the encryption key data constituting the key stream and the data to be encrypted. The key stream generation unit includes a pseudo random number generation unit that generates a pseudo random number based on the first secret key, a linear feedback register (LFSR) that generates LFSR output data based on the second secret key, The exclusive OR operation part which performs the exclusive OR operation process of the pseudorandom numbers which the random number generation part produced | generated, and LFSR output data is provided, and the output of an exclusive OR operation part is output as a key stream.
With this configuration, an apparatus and a method for executing stream cipher with improved safety are realized.
Note that the effects described in the present specification are merely examples and are not limited, and may have additional effects.

It is a figure explaining the encryption processing structure according to a stream encryption. It is a figure explaining the decoding process structure over stream encryption. It is a figure explaining the bias | inclination of the key stream in a stream encryption. It is a figure explaining the example of an attack using the bias of the key stream in stream cipher. It is a figure explaining the example of the encryption process to which the stream encryption according to Example 1 of this indication is applied. It is a figure explaining the structural example of a linear feedback shift register (LFSR). It is a figure explaining the structural example of a linear feedback shift register (LFSR). It is a figure explaining the example of the decoding process to which the stream encryption according to Example 1 of this indication is applied. It is a figure explaining the example of the encryption process to which the stream encryption according to Example 2 of this indication is applied. It is a figure explaining the example of the decoding process to which the stream encryption according to Example 2 of this indication is applied. It is a figure explaining the example of the encryption process to which the stream encryption according to Example 3 of this indication is applied. It is a figure explaining the structural example of a key conversion part. It is a figure explaining the example of the decoding process to which the stream encryption according to Example 3 of this indication is applied. It is a figure which shows the structural example of IC module 700 as a cryptographic processing apparatus. It is a figure which shows the structural example of the smart phone which has an encryption process execution function.

Hereinafter, the details of the encryption processing device, the encryption processing method, and the program according to the present disclosure will be described with reference to the drawings. The description will be made according to the following items.
1. 1. Overview of stream cipher 2. Configuration of stream cipher with improved security 2-1. Example (Example 1) which produces | generates a key stream by applying the LFSR output based on a 2nd secret key (KL)
2-2. Example (Example 2) which produces | generates a key stream by applying the LFSR output based on a secret key (Ks)
2-3. Example (Example 3) which produces | generates a key stream by applying the LFSR output based on the conversion data of a 1st secret key (Ks)
3. 3. Configuration example of cryptographic processing device Summary of composition of this disclosure

[1. About stream cipher overview]
First, an overview of stream cipher will be described.
The stream cipher is one of common key ciphers.
An encryption process and a decryption process according to the stream cipher will be described with reference to FIGS.

FIG. 1 is a diagram illustrating an encryption process according to a stream cipher.
The key stream generation unit 50 receives a secret key (Ks) 11 and an initial vector (IV: Initial Vector) 12 and generates a key stream (pseudorandom number) 13.
The secret key (Ks) 11 and the initial vector (IV) 12 are data stored in advance in a device that executes cryptographic processing, for example, a user information processing device.
The secret key (Ks) 11 is secret information, not public data. This is secret information shared between specific users, for example, ciphertext generation users and users who decrypt ciphertexts.
On the other hand, the initial vector (IV) 12 is public data, and is data that can be known by an unspecified number of users.

The key stream generation unit 50 includes a key schedule unit 51 and a pseudo random number generation unit 52.
The key schedule unit 51 generates pseudo random number generation initial data based on the secret key (Ks) 11 and the initial vector (IV) 12 and outputs the generated initial data to the pseudo random number generation unit 52.
The pseudo random number generation unit 52 applies the pseudo random number generation initial data input from the key schedule unit 51 to generate and output the key stream 13 as a pseudo random number.

The key stream 13 output from the pseudo-random number generation unit 52 is configured by a data string composed of data in units of predetermined bits. Specifically, for example, a data string consisting of 1 byte (8 bits) data: Z1, Z2, Z3,.
The pseudo-random number generation unit 52 sequentially outputs data strings: Z1, Z2, Z3,... Each consisting of data of a predetermined length as a key stream.

Each of the predetermined bit unit data: Z1, Z2, Z3,... Which is a key stream component, and each of the divided data: P1, P2, P3,. Are sequentially input to the exclusive OR operation unit 53, and exclusive OR (XOR) operation processing is executed.
The data string C1, C2, C3... Calculated as the exclusive OR operation result is output as the ciphertext 22.

The ciphertexts C1, C2, C3..., The key streams: Z1, Z2, Z3... And the plaintexts P1, P2, P3.
C1 = P1 (+) Z1
C2 = P2 (+) Z2
C3 = P3 (+) Z3
...
In the above formula, (+) means exclusive OR operation.
Also, the plaintext component Pi, the keystream component Zi, the ciphertext component Ci, and each of these components are set to data of the same number of bits, for example, 1 byte (8 bits).

As described above, the ciphertext generation process using the stream cipher is performed by executing the following steps (S1) and (S2).
(S1) Pseudorandom number sequences Z1, Z2, Z3,... Called key streams are generated from a secret key that is a secret parameter and an initial vector (IV: Initial Vector) that is a public parameter.
(S2) The ciphertexts C1, C2, C3... Are obtained by taking the exclusive OR of the plaintext configuration data P1, P2, P3... And the generated key streams Z1, Z2, Z3. Generate.

The ciphertext 22 generated by the processing described with reference to FIG. 1 is transferred via, for example, a network, received by an information processing apparatus of another user, and decrypted.
FIG. 2 is a diagram for explaining the decryption process according to the stream cipher.
The encryption process and the decryption process according to the stream cipher can be executed using the same device configuration.

In the configuration shown in FIG. 2, the key stream generation unit 70 receives a secret key (Ks) 41 and an initial vector (IV) 42 and generates a key stream (pseudo random number) 43.
The secret key (Ks) 41 and the initial vector (IV) 42 are data stored in advance in a device that executes a decryption process, for example, a user information processing device.
The secret key (Ks) 41 is secret information and not public data. This is secret information shared between specific users, for example, ciphertext generation users and users who decrypt ciphertexts.

That is, when the ciphertext 22 to be decrypted is the ciphertext 22 generated by the configuration shown in FIG. 1, the secret key (Ks) 41 is the secret key (Ks) 11 applied in the encryption processing shown in FIG. Is the same key.
On the other hand, the initial vector (IV) 12 is public data, and is data that can be known by an unspecified number of users.
When the ciphertext 22 to be decrypted is the ciphertext 22 generated by the configuration shown in FIG. 1, the initial vector (IV) 42 is also the same as the initial vector (IV) 12 applied in the encryption processing shown in FIG. It is data of.

The key stream generation unit 70 includes a schedule unit 71 and a pseudo random number generation unit 72.
The key schedule unit 71 generates pseudo random number generation initial data based on the secret key (Ks) 41 and the initial vector (IV) 42 and outputs the generated initial data to the pseudo random number generation unit 72.
The pseudo random number generation unit 72 applies the initial data for pseudo random number generation input from the key schedule unit 71 to generate and output a key stream 43 as a pseudo random number.
The generated key stream 43 is the same data when the same secret key (Ks) and the same initial vector (IV) are used.

  In this example, in the configuration shown in FIG. 2, the secret key (Ks) 41 is the same as the secret key (Ks) 11 shown in FIG. 1, and the initial vector (IV) 42 is the initial vector (IV) shown in FIG. ) 12 are identical. Therefore, the key stream 43 generated in the configuration shown in FIG. 2 is the same data as the key stream 13 shown in FIG.

The key stream 43 output from the pseudo-random number generator 72 is composed of a data string that is composed of data in predetermined bit units. Specifically, for example, a data string consisting of 1 byte (8 bits) data: Z1, Z2, Z3,.
The pseudo-random number generation unit 72 sequentially outputs data strings: Z1, Z2, Z3,... Each consisting of data of a predetermined length as a key stream.

Each of the predetermined bit unit data: Z1, Z2, Z3,... Which is a key stream component, and each of the divided data of the predetermined data unit of the ciphertext to be decrypted: C1, C2, C3,. Are sequentially input to the exclusive OR operation unit 73, and an exclusive OR (XOR) operation is executed.
The data string P1, P2, P3... Calculated as the exclusive OR operation result is the plaintext 21 as the decryption result.

The relationship between the plaintexts P1, P2, PC3..., The key streams Z1, Z2, Z3... And the ciphertexts C1, C2, C3.
P1 = C1 (+) Z1
P2 = C2 (+) Z2
P3 = C3 (+) Z3
...
In the above formula, (+) means exclusive OR operation.
Also, the plaintext component Pi, the key stream component Zi, the ciphertext component Ci, and each of these components are data of the same number of bits, for example, 1 byte (8 bits).

As described above, the decryption process using the stream cipher is executed by executing the following steps (S3) and (S4).
(S3) Key streams (pseudo-random number sequences) Z1, Z2, Z3... Are generated from the secret key and the initial vector (IV).
(S4) The plaintexts P1, P2, P3,... Are generated by taking the exclusive OR of the ciphertexts C1, C2, C3... And the generated key streams Z1, Z2, Z3.

In the plaintext generation process, the plaintext is obtained by taking the exclusive OR of the ciphertext using the same keystream as the keystream used at the time of ciphertext generation due to the nature of the exclusive OR executed in step (S4). be able to.
That is, encryption and decryption processing can be performed by securely sharing a “secret key” that is common secret information between the sender and the receiver.

As described with reference to FIGS. 1 and 2, in the stream cipher, processing is performed using a key stream generated by applying a key scheduling algorithm and a pseudo-random number generation algorithm.
In the key scheduling algorithm executed in the key scheduling units 51 and 71 shown in FIGS. 1 and 2, pseudo random number generation initial data is generated from the secret key (Ks) and the initial vector (IV).
The initial data for pseudorandom number generation corresponds to an initial value (initial state) of an internal variable called an internal state of the pseudorandom number generator 52. From the viewpoint of security, the size of the initial data (internal state) for generating pseudo-random numbers is required to be at least twice as large as the secret key (Ks).

In the pseudo-random number generation algorithm executed by the pseudo-random number generators 52 and 72 shown in FIGS. 1 and 2, the word Z1 constituting a fixed-length key stream in each state while updating the initial data (internal state) for generating pseudo-random numbers. , Z2, Z3... Are sequentially generated.
Here, Zi is an output from the pseudorandom number generator at time i, and the size differs depending on the algorithm. For example, in the case of the stream cipher RC4, the size of each word is 1 byte (8 bits).

The configuration of the key stream generation unit is broadly classified into a linear feedback shift register type and a state transition type based on the difference in the configuration of its internal state.
As the name suggests, the linear feedback type is based on a linear feedback shift register, and secures safety by combining a linear filter function and a non-linear feedback shift register. Representative examples include SNOW 3G and KCipher-2.
On the other hand, the state transition type has a configuration in which the register is updated with a non-linear function and a part thereof is output as a key stream. A typical example is RC4.

The following various attacks are typical examples of attacks on stream ciphers.
(1) Identification attack: an attack that identifies a key stream as a true random number,
(2) Prediction attack: An attack that predicts an unknown key stream,
(3) Key recovery attack: An attack that seeks a secret key from a key stream,
(4) Internal state restoration attack: An attack that seeks an internal state equivalent to a secret key from a key stream,
Basically, stream ciphers are required to be resistant to all of the above attacks.

Particularly, the above (3) key recovery attack and (4) internal state restoration attack, these attacks are attacks for obtaining a secret key or an equivalent internal state from a key stream. If these attacks are established, plaintext information can be obtained from all ciphertexts, which is a very powerful attack method.
However, as a premise of the attack, it is required that the attacker knows a sufficient amount (size) of information on the key stream. This means that the attacker needs to keep a large number of plaintext ciphertext pairs. Because of this strong assumption, it is unlikely to be a threat in actual use and is considered a theoretical attack.

  On the other hand, (1) the identification attack is an attack that uses only the statistical bias of the key stream, and is an attack that has been pointed out to be a serious threat in practice. Specifically, plaintext can be recovered only by observing ciphertext generated by applying different secret keys.

(1) A specific example of the identification attack will be described with reference to FIGS. This attack is executed, for example, as a plaintext recovery attack using the bias of the key stream.
An example of the key stream bias will be described with reference to FIG.

The configuration of the key stream generation unit 50 shown on the left in FIG. 3 is the same as the configuration of the key stream generation unit shown in FIGS.
Attention is paid to one component (word) Z2 of the key stream generated by the key stream generation unit 50 shown in FIG.
If one component (word) of the key stream is 1 byte (8 bits), Z2 can take 256 values from 0 to 255.

When ideal randomness is realized, the appearance probabilities of the value of Z2 are all 0 to 255, and as shown in the graph of [(a) ideal] in FIG. The appearance probabilities are all equal to 1/256.
However, in reality, the occurrence probability of the value of the component (word) of the key stream is biased.
As shown in the graph shown in [(b) Reality] in FIG. 3, the measured value of the actual appearance probability for Z2 has a higher appearance probability of 0 than other values.
FIG. 3 shows the verification result for Z2 which is one of the constituent elements (words) of the key stream, but there are values that are likely to appear for the constituent elements of the other key streams.

Based on such statistical deviation of the key stream, it may be possible to obtain the plaintext from the ciphertext using “broadcast setting”.
"Broadcast setting" means "situation where the same plaintext is encrypted with different keys and ciphertext is generated"

A specific example of an attack for obtaining plaintext from ciphertext using “broadcast settings” will be described with reference to FIG.
For example, when a single plaintext P is simultaneously distributed (broadcast) to a large number of users, different secret keys k1 to kx associated with each user are applied to execute encryption processing on the same plaintext, The encrypted data (C1 to Cx) are generated and transmitted.

C1 = E (k1, P)
C2 = E (k2, P)
...
Cx = E (kx, P)
It is.
However, E (ki, P) means an encryption process using the key ki for the plaintext P.

In the case where many different keys k1 to kx are transmitted through the network for the same plaintext P, the malicious third party can obtain a large number of encrypted data (C1 = E) from transmission / reception data through the network. (K1, P) to Cx = E (kx, P)) can be acquired relatively easily.
If there is a statistical bias in the key stream, plaintext calculation based on analysis of a large number of acquired encrypted data becomes easy. This attack is an identification attack for obtaining plaintext from ciphertext using “broadcast settings”.

In this attack, since the attacker only has to observe the ciphertext on the communication path, no special assumption is required and it becomes a very powerful attack technique.
The process of encrypting the content with the key for each user and distributing it over the network is frequently performed, and there is a possibility that the damage caused by this attack will be significant.

  In “broadcast settings”, where the same plaintext is encrypted with different keys and the ciphertext is generated, the usage key is different for each session in many cases, but the same key is used for multiple sessions to send messages. Many “multi-session settings” are also used. The SSL / TLS protocol widely used on the Internet is considered as a use case.

The attack described with reference to FIG. 4 is an attack that can be executed only by collecting a plurality of ciphertexts encrypted with different keys based on the same plaintext. For example, the attack can be executed only by collecting data distributed over the network. Therefore, it is an attack that becomes an actual threat. In order to prevent this attack, it is necessary to prevent the key stream generated in the stream cipher from being biased.
When the output is biased, the plain text recovery attack described with reference to FIG. 4 is easy to perform, and the safety is threatened. Some measures need to be taken to prevent this threat.

Examples of countermeasures for avoiding vulnerabilities due to output bias in the stream cipher algorithm include the following.
(1) Change to another secure stream cipher.
In the simplest way, the vulnerability is removed by changing the biased weak stream cipher to a secure stream cipher throughout the system. As a result, even in the broadcast setting, it is possible to completely prevent a plaintext recovery attack using a key stream due to bias.

(2) Modifying the algorithm to remove the vulnerability Rather than replacing the stream cipher itself, modify the part of the algorithm to remove the vulnerability that produces biased output. For example, as a method for removing output bias, a pseudo-random function (MAC function, etc.) is added, a key stream is substituted for pseudo-random substitution, and the output is set as a new key stream. Can be removed.

  By taking these measures, the problem of the biased key stream can be solved, and the stream cipher can be used safely. However, these measures have the following problems.

(1) Problems of measures for changing to another secure stream cipher It is necessary to change all the ciphers that have already been installed, which increases costs both in terms of cost and time. It also costs new hardware and software development. Furthermore, when devices and systems that have already been shipped are not connected to a network, it is very difficult to cope with software / firmware updates. In particular, hardware changes are basically impossible to update via the network, which is expensive.

(2) Problems in measures to remove vulnerabilities by modifying the algorithm Unlike the method (1), not all algorithms are changed, so the cost of the change is relatively small compared to the method (1). It is expected to become. However, high expertise is required to modify existing algorithms. If you are not the designer of an existing system, you can not grasp all of the design theory, so it can be modified and cause other serious vulnerabilities. And if you really want to use secure encryption. It is necessary to conduct a safety assessment, but this also requires a lot of time and high expertise.
In addition, when the performance is greatly reduced by the correction, the consistency with other systems cannot be obtained, and the performance of the entire system may become unstable. For example, when using the above-mentioned pseudo-random substitution, a significant decrease in speed is expected.

[2. Configuration of stream cipher with improved security]
Next, a configuration example of the stream cipher of the present disclosure in which the security that solves the above-described problem is enhanced will be described.

The stream cipher of this indication has the following features.
(A) The additional mounting cost (both software and hardware) is low.
(B) Safety evaluation can be easily performed.
(C) The implementation performance (especially speed) of the stream cipher can be maintained.

In the stream cipher of the present disclosure, a key stream generated in the existing stream cipher is converted to generate a new key stream.
For example, for a key stream generated in an existing stream cipher, an exclusive OR (XOR) is performed on the output of a linear feedback shift register (LFSR) to which predetermined secret information is input to obtain a new key. Generate and use a stream. With this configuration, a highly secure stream cipher is realized.

  Note that the size of the internal state of the linear feedback shift register is preferably larger than the size of the secret key (Ks) applied in the stream cipher. As specific examples, the following three examples will be sequentially described.

    (Example 1) A second secret key (KL) different from the secret key (Ks) input to the key schedule unit is input to the linear feedback shift register (LFSR) to set the initial state of the LFSR. Data obtained by exclusive OR (XOR) the pseudo random number generated by the processing of the key schedule unit and the pseudo random number generation unit based on the secret key (Ks) and the output from the LFSR based on the second secret key (KL) Is a key stream.

    (Example 2) The same secret key (Ks) as the secret key (Ks) input to the key schedule unit is input to the linear feedback shift register (LFSR) to set the initial state of the LFSR. Data obtained by exclusive ORing (XOR) the pseudorandom numbers generated by the processing of the key schedule unit and the pseudorandom number generation unit based on the secret key (Ks) and the output from the LFSR based on the same secret key (Ks) as a key An example of a stream.

    (Example 3) Data (Ks2) obtained by converting the same secret key (Ks) as the secret key (Ks) input to the key schedule part is input to the linear feedback shift register (LFSR) to set the initial state of the LFSR. To do. Exclusive OR of the pseudo random number generated by the processing of the key schedule unit and the pseudo random number generation unit based on the secret key (Ks) and the output from the LFSR based on the conversion data (Ks2) of the same secret key (Ks) ( An embodiment in which the XOR) data is used as a key stream.

Note that the linear feedback shift register (LFSR) is known to have the following characteristics.
(A) The output sequence is definitive, and the next state can be estimated if the current internal state is known.
(B) The internal state can be restored by observing the output series.
The linear feedback shift register (LFSR) used in each embodiment of the present disclosure preferably has the following features.
(C) The appearance probability of 0 and 1 is statistically the same as the true random number.
Hereinafter, each example will be described sequentially.

[2-1. Embodiment in which LFSR output based on second secret key (KL) is applied to generate a key stream (embodiment 1)]
First, as the first embodiment, an initial state of the LFSR is set by inputting a second secret key (KL) different from the secret key (Ks) input to the key schedule unit to the linear feedback shift register (LFSR). An example will be described.
That is, an exclusive OR (XOR) of the pseudo random number generated by the processing of the key schedule unit and the pseudo random number generation unit based on the secret key (Ks) and the output from the LFSR based on the second secret key (KL) This is an embodiment in which the processed data is used as a key stream.

FIG. 5 shows a configuration example of a cryptographic processing apparatus that executes the cryptographic processing of the first embodiment.
The key stream generation unit 110 receives the first secret key (Ks) 131, the initial vector (IV: Initial Vector) 132, and the second secret key (KL) 133, and generates a key stream (pseudorandom number) 136. Generate.

The first secret key (Ks) 131, the initial vector (IV) 132, and the second secret key (KL) 133 are data stored in advance in a device that performs cryptographic processing, for example, a user information processing device.
The first secret key (Ks) 131 and the second secret key (KL) 133 are secret information and are not public data. This is secret information shared between specific users, for example, ciphertext generation users and users who decrypt ciphertexts.
The first secret key (Ks) 131 and the second secret key (KL) 133 are different key data.
The initial vector (IV) 132 is public data, and is data that can be known by an unspecified number of users.

The key stream generation unit 110 includes a key schedule unit 111, a pseudo random number generation unit 112, a linear feedback shift register (LFSR) 121, and an exclusive OR (XOR) calculation unit 122.
The key schedule unit 111 generates pseudo random number generation initial data based on the first secret key (Ks) 131 and the initial vector (IV) 132 and outputs the generated initial data to the pseudo random number generation unit 112.
The pseudo random number generation unit 112 generates pseudo random numbers 134 by applying the pseudo random number generation initial data input from the key schedule unit 111 and outputs the pseudo random numbers 134. The pseudo random number 134 is a data sequence of Za1, Za2,... Shown in the figure. For example, each of Zai generates a 1-byte (8 bits) pseudorandom sequence: Za1, Za2,. To the logical OR (XOR) operation unit 122.

On the other hand, the second secret key (KL) 133 is input to the linear feedback shift register (LFSR) 121.
A configuration bit of the second secret key (KL) 133 is set in a register configuring the linear feedback shift register (LFSR) 121. This set state of the second secret key (KL) is the initial state of the LFSR.
Thereafter, the linear feedback shift register (LFSR) 121 sequentially executes a prescribed shift operation to generate and output the LFSR output 135.
The LFSR output 135 is a data sequence of O1, O2,. For example, each Oi generates a 1-byte (8-bit) LFSR output sequence: O 1, O 2,... And outputs it to the exclusive OR (XOR) operation unit 122.

The number of registers (number of bits that can be set) set in the linear feedback shift register (LFSR) 121 is not less than the key length k bits of the second secret key (KL) (denoted k ′). A k′-order primitive polynomial is used as a characteristic polynomial for determining the characteristics of the LFSR output sequence so that the period is the longest period 2 ^{k ′} −1.

A configuration example of the linear feedback shift register (LFSR) 121 will be described with reference to FIGS.
In FIG. 6, the second secret key (KL) 133 input to the linear feedback shift register (LFSR) 121 is 128-bit data, and the number of registers (the number of bits that can be set) of the linear feedback shift register (LFSR) 121 is also 128. This is a configuration example of the LFSR.
First, the constituent bits of the second secret key (KL) 133 are set in each of the registers D1 to D128. This state is the initial state.
After that, as a shift process,
The storage bit (X1) of the register D1 is set to the register D2,
The storage bit (X2) of the register D2 is set to the register D3,
...
The storage bit (X127) of the register D127 is set to the register D128,
Thus, 1-bit shift is performed.

The following data (update D1) is stored in the register D1.
Update D1 = X ¹²⁸ (+) X ¹²⁶ (+) X ¹⁰¹ (+) X ⁹⁹
In the above formula, (+) means exclusive OR (XOR).
The LFSR shown in FIG. 6 is an LFSR using the following primitive polynomial f (x) as a characteristic polynomial that determines the characteristics of the output sequence.
f (x) = X ¹²⁸ (+) X ¹²⁶ (+) X ¹⁰¹ (+) X ⁹⁹ (+) 1
The LFSR shown in FIG. 6 is an LFSR having a structure defined by this polynomial f (x).

1-bit data is sequentially output from the register D128. Data of a predetermined unit of the output bits, for example, 1 byte (8 bits) data is set as one LFSR output Oi.
The LFSR output 135 shown in FIG. 5 is a data sequence: O1, O2, and O3 each consisting of 1 byte (8 bits) data, and this is output to the exclusive OR (XOR) operation unit 122 as the LFSR output 135. .

The LFSR shown in FIG. 6 is an example of the LFSR configuration when the second secret key (KL) 133 input to the linear feedback shift register (LFSR) 121 is 128-bit data.
Next, an exemplary LFSR configuration when the second secret key (KL) 133 input to the linear feedback shift register (LFSR) 121 is 64-bit data will be described with reference to FIG.

  In FIG. 7, the second secret key (KL) 133 input to the linear feedback shift register (LFSR) 121 is 64-bit data, and the number of registers (number of bits that can be set) of the linear feedback shift register (LFSR) 121 is also 64. This is a configuration example of the LFSR.

The LFSR shown in FIG. 7 has 1-bit registers D1 to D64. The constituent bits of the second secret key (KL) 133 are set in each of these registers D1 to D64. This state is the initial state.
After that, as a shift process,
The storage bit (X1) of the register D1 is set to the register D2,
The storage bit (X2) of the register D2 is set to the register D3,
...
The storage bit (X63) of register D63 is set in register D64,
Thus, 1-bit shift is performed.

The following data (update D1) is stored in the register D1.
Update D1 = X64 (+) X63 (+) X61 (+) X60
In the above formula, (+) means exclusive OR (XOR).
The LFSR shown in FIG. 7 is an LFSR that uses the following primitive polynomial f (x) as a characteristic polynomial that determines the characteristics of the output sequence.
f (x) = X ⁶⁴ (+) X ⁶³ (+) X ⁶¹ (+) X ⁶⁰ (+) 1

The LFSR shown in FIG. 7 is an LFSR having a structure defined by the polynomial f (x).
1-bit data is sequentially output from the register D64. Data of a predetermined unit of the output bits, for example, 1 byte (8 bits) data is set as one LFSR output Oi.

  In the cryptographic processing configuration shown in FIG. 5, the LFSR output 135 is a data sequence: O1, O2, and O3 each consisting of 1 byte (8 bits) data, and this is used as the LFSR output 135 to perform an exclusive OR (XOR) operation. To the unit 122.

  With reference to FIGS. 6 and 7, the configuration example of the LFSR when the second secret key (KL) is a 128-bit key and a 64-bit key has been described. In addition to these, the LFSR 121 shown in FIG. 5 can be variously set according to the bit length of the second secret key (KL) 133.

In the configuration shown in FIG. 5, the exclusive OR (XOR) operation unit 122 performs the following exclusive OR (XOR) operation of the two data (a) and (b) to generate the key streams Zb1 and Zb2. , Zb3... Are generated and output.
(A) Pseudorandom numbers generated by the processes of the key schedule unit 111 and the pseudorandom number generation unit 112 based on the first secret key (Ks) 131: Za1, Za2, Za3.
(B) LFSR output output from the linear feedback shift register (LFSR) 121 based on the second secret key (KL) 133: O1, O2, O3.

Each of the pseudo random numbers: Za1, Za2, Za3... And the LFSR output: O1, O2, O3... Has the same number of bits, for example, 1 byte (8 bits) data.
In the exclusive OR (XOR) operation unit 122, these two data, that is,
Pseudo-random numbers: Za1, Za2, Za3 ...
LFSR output: O1, O2, O3 ...
An exclusive OR (XOR) operation of these data is executed to generate and output key streams Zb1, Zb2, Zb3.
The key streams Zb1, Zb2, Zb3... Are generated by the following calculation formula.
Zb1 = Za1 (+) O1,
Zb2 = Za2 (+) O2,
Zb3 = Za3 (+) O3,
...
In the above formula, (+) means exclusive OR (XOR).

The key stream 136 is composed of a data string that is composed of data of a predetermined bit unit. Specifically, for example, a data string consisting of 1-byte (8-bit) data: Zb1, Zb2, Zb3,.
As described above, the exclusive OR (XOR) operation unit 122 of the key stream generation unit 110 sequentially outputs the data strings: Zb1, Zb2, Zb3,. .

Each of the predetermined bit unit data: Zb1, Zb2, Zb3,..., Which is a key stream component, is divided into predetermined data units of plaintext 141 to be encrypted by the exclusive OR operation unit 123: P1. , P2, P3,... And an exclusive OR (XOR) operation is performed.
The data string C1, C2, C3... Calculated as the exclusive OR operation result is output as the ciphertext 142.

The ciphertexts C1, C2, C3..., The key streams: Zb1, Zb2, Z3... And the plaintexts P1, P2, P3.
C1 = P1 (+) Zb1
C2 = P2 (+) Zb2
C3 = P3 (+) Zb3
...
In the above formula, (+) means exclusive OR operation.
Also, the plaintext component Pi, the key stream component Zbi, the ciphertext component Ci, and each of these components are data of the same number of bits, for example, 1 byte (8 bits).

As described above, the ciphertext generation process using the stream cipher according to the first embodiment is performed by executing the following steps (Sa1) to (Sa4).
(Sa1) A pseudo random number sequence Za1, Za2, Za3... Is generated from a first secret key (Ks) that is a secret parameter and an initial vector (IV) that is a public parameter.
(Sa2) The LFSR output series O1, O2, O3... Is generated from the second secret key (KL) which is a secret parameter.
(Sa3) Key streams Zb1, Zb2, Zb3,... Are generated by exclusive OR (XOR) of pseudo-random number sequences Za1, Za2, Za3... And LFSR output sequences O1, O2, O3. To do.
(Sa4) The ciphertexts C1, C2, C3... Are obtained by taking the exclusive OR of the plaintext configuration data P1, P2, P3... And the generated key streams Zb1, Zb2, Zb3. Generate.

For example, the ciphertext 142 generated by the processing described with reference to FIG. 5 is transferred via a network, received by an information processing apparatus of another user, and decrypted.
FIG. 8 is a diagram illustrating the decoding process according to the first embodiment.
The encryption process and the decryption process according to the stream cipher of the first embodiment are realized using the same device configuration.

  In the configuration shown in FIG. 8, the key stream generation unit 210 inputs a first secret key (Ks) 231, an initial vector (IV: Initial Vector) 232, and a second secret key (KL) 233. A stream (pseudo random number) 236 is generated.

The first secret key (Ks) 231, the initial vector (IV) 232, and the second secret key (KL) 233 are data stored in advance in a device that performs cryptographic processing, for example, a user information processing device.
The first secret key (Ks) 231 and the second secret key (KL) 233 are secret information and are not public data. This is secret information shared between specific users, for example, ciphertext generation users and users who decrypt ciphertexts.
That is, when the ciphertext 142 to be decrypted is the ciphertext 142 generated by the configuration shown in FIG. 5, the first secret key (Ks) 231 is the first secret key applied in the encryption process shown in FIG. (Ks) 131 is the same key.
The second secret key (KL) 233 is the same key as the second secret key (Ks) 133 applied in the encryption process shown in FIG.

On the other hand, the initial vector (IV) 232 is public data and is data that can be known by an unspecified number of users.
When the ciphertext 142 to be decrypted is the ciphertext 142 generated by the configuration shown in FIG. 5, the initial vector (IV) 232 is also the same as the initial vector (IV) 132 applied in the encryption processing shown in FIG. It is data of.

The key stream generation unit 210 includes a key schedule unit 211, a pseudo random number generation unit 212, a linear feedback shift register (LFSR) 221, and an exclusive OR (XOR) calculation unit 222.
The key schedule unit 211 generates pseudo random number generation initial data based on the first secret key (Ks) 231 and the initial vector (IV) 232 and outputs the generated initial data to the pseudo random number generation unit 212.
The pseudo random number generation unit 212 generates pseudo random numbers 234 by applying the pseudo random number generation initial data input from the key schedule unit 211 and outputs the pseudo random numbers 234. The pseudo random number 234 is a data sequence of Za1, Za2,... Shown in the figure. For example, each of Zai generates a 1-byte (8 bits) pseudorandom sequence: Za1, Za2,. To the logical OR (XOR) operation unit 222.

On the other hand, the second secret key (KL) 233 is input to the linear feedback shift register (LFSR) 221.
A configuration bit of the second secret key (KL) 233 is set in a register configuring the linear feedback shift register (LFSR) 221. This set state of the second secret key (KL) is the initial state of the LFSR.
Thereafter, the linear feedback shift register (LFSR) 221 sequentially executes a prescribed shift operation to generate and output the LFSR output 235.
The LFSR output 235 is a data sequence of O1, O2,... Shown in the figure. For example, each Oi generates a 1-byte (8-bit) LFSR output sequence: O1, O2,. To the logical OR (XOR) operation unit 222.

The configuration of the key stream generation unit 210 illustrated in FIG. 8 is the same as the configuration of the key stream generation unit 110 described with reference to FIG.
Two specific examples of the linear feedback shift register (LFSR) 221 have been described with reference to FIGS. 6 and 7. The LFSR used for the encryption process and the LFSR used for the decryption process have the same configuration.
The configuration of the key stream generation unit 210 shown in FIG. 8 is the same as the configuration of the key stream generation unit 110 described with reference to FIG. 5, and each input data, that is, the first secret key (Ks), the initial vector ( IV), by making the second secret key (KL) the same, the same key stream Zb1, Zb2, Zb3,.

In the configuration shown in FIG. 8, the exclusive OR (XOR) operation unit 222 executes the exclusive OR (XOR) operation of the following two data (a) and (b) to generate the key streams Zb1 and Zb2. , Zb3... Are generated and output.
(A) Pseudorandom numbers generated by the processes of the key schedule unit 211 and the pseudorandom number generation unit 212 based on the first secret key (Ks) 231: Za1, Za2, Za3.
(B) LFSR output output from the linear feedback shift register (LFSR) 221 based on the second secret key (KL) 233: O1, O2, O3.

Each of the pseudo random numbers: Za1, Za2, Za3... And the LFSR output: O1, O2, O3... Has the same number of bits, for example, 1 byte (8 bits) data.
In the exclusive OR (XOR) operation unit 222, these two data, that is,
Pseudo-random numbers: Za1, Za2, Za3 ...
LFSR output: O1, O2, O3 ...
An exclusive OR (XOR) operation of these data is executed to generate and output key streams Zb1, Zb2, Zb3.
The key streams Zb1, Zb2, Zb3... Are generated by the following calculation formula.
Zb1 = Za1 (+) O1,
Zb2 = Za2 (+) O2,
Zb3 = Za3 (+) O3,
...
In the above formula, (+) means exclusive OR (XOR).

The key stream 236 is composed of a data string that is composed of data in predetermined bit units. Specifically, for example, a data string consisting of 1-byte (8-bit) data: Zb1, Zb2, Zb3,.
As described above, the exclusive OR (XOR) calculation unit 222 of the key stream generation unit 210 sequentially outputs a data string consisting of data of a predetermined length: Zb1, Zb2, Zb3,. .

Each of predetermined bit unit data: Zb1, Zb2, Zb3,... Which is a key stream constituent element is divided into predetermined data units of the ciphertext 142 to be decrypted by the exclusive OR operation unit 223: An exclusive OR (XOR) operation is performed with each of C1, C2, C3.
The data string: P1, P2, P3... Calculated as the exclusive OR operation result becomes the plaintext 141 as the decryption result.

The plaintext P1, P2, PC3..., The key streams: Zb1, Zb2, Zb3... And the ciphertexts C1, C2, C3.
P1 = C1 (+) Zb1
P2 = C2 (+) Zb2
P3 = C3 (+) Zb3
...
In the above formula, (+) means exclusive OR operation.
Also, the plaintext component Pi, the key stream component Zbi, the ciphertext component Ci, and each of these components are data of the same number of bits, for example, 1 byte (8 bits).

As described above, the decryption process using the stream cipher according to the first embodiment is performed by executing the following steps (Sb1) to (Sb4).
(Sb1) A pseudo random number sequence Za1, Za2, Za3,... Is generated from a first secret key (Ks) that is a secret parameter and an initial vector (IV) that is a public parameter.
(Sb2) The LFSR output series O1, O2, O3... Is generated from the second secret key (KL) which is a secret parameter.
(Sb3) Key streams Zb1, Zb2, Zb3,... Are generated by exclusive OR (XOR) of pseudo random number sequences Za1, Za2, Za3,... And LFSR output sequences O1, O2, O3,. To do.
(Sb4) By taking an exclusive OR of the ciphertexts C1, C2, C3... And the generated key streams Zb1, Zb2, Zb3..., Plaintext configuration data P1, P2, P3. Generate.

  In the plaintext generation process, the plaintext is obtained by taking the exclusive OR of the ciphertext using the same key stream as the keystream used at the time of ciphertext generation due to the property of the exclusive OR executed in step (Sb4). be able to.

  In the present embodiment, encryption and decryption processing can be performed by securely sharing the first secret key (Ks) and the second secret key (KL) as common secret information between the sender and the receiver. It becomes.

  The first embodiment has, for example, the following advantages over the conventional stream encryption processing configuration described above with reference to FIGS.

(A) Superiority of safety For example, even when the pseudorandom numbers Za1, Za2,... Output from the pseudorandom number generator 112 are biased, these pseudorandom numbers Za1, Za2,. .., And the LFSR outputs O1, O2,... With uniform appearance frequencies of 0, 1 are subjected to an exclusive OR (XOR) operation to generate new key streams Zb1, Zb2,. Thus, the bias can be removed.

Since the key streams Zb1, Zb2,... From which the bias has been removed are applied to plaintext, it is possible to perform encryption processing using a key stream having no bias.
This processing can prevent a plaintext recovery attack using the broadcast setting described above with reference to FIG.

  For example, the LFSR output Oi is generated based on the first secret key (Ks) when the first secret key (Ks) and the second secret key (KL) are randomly given because each value is generated with equal probability. The distribution of values of the LFSR output (Oi) generated based on the pseudo random number (Zi) generated in this way and the second secret key (KL) is uniform.

  Further, if the output of the LFSR is exposed to the attacker, the second secret key (KL) is exposed due to the nature of the LFSR. However, the exposure of the second secret key (KL) does not affect the exposure of the first secret key (Ks). Therefore, it is ensured that the overall security does not deteriorate from the security of the original stream cipher. In order to estimate the output of the LFSR from ciphertext or the like, it is necessary to estimate a pseudo-random number sequence before exclusive OR processing inside the key stream generation unit, and this estimation becomes extremely difficult.

(B) Superiority of mounting cost The linear feedback shift register (LFSR) used in the first embodiment can be mounted only by a register and an exclusive OR (XOR) arithmetic processing configuration, and is H / W (hardware). The implementation cost when configured is small. For this reason, even if it is added to an existing system, the cost will not increase. Also. Even in the case of S / W (software) implementation, high-speed processing is possible, and performance of existing stream ciphers such as RC4 is not deteriorated. Further, the LFSR can be used as a counter necessary for synchronization, and can be used for other purposes.

An example of an existing stream cipher to which the first embodiment is applicable is a 128-bit key RC4 to which a 128-bit key is applied as a secret key (Ks), for example.
When the first embodiment is applied to the 128-bit key RC4, the size of the secret key (Ks) is 128 bits, the bit size of the second secret key (KL), and the number of LFSR registers (number of bits that can be set) The LFSR is selected such that the size of the LFSR is 128 bits and the LFSR cycle is the maximum cycle 2 ¹²⁸ −1.
Specifically, the LFSR has the configuration described above with reference to FIG. 6, and the characteristic polynomial that defines the configuration of the LFSR is the following 128th order primitive polynomial.
f (x) = X ¹²⁸ (+) X ¹²⁶ (+) X ¹⁰¹ (+) X ⁹⁹ (+) 1

  For example, by adding the LFSR described with reference to FIG. 6 and the exclusive OR operation unit to the existing stream cipher RC4, the key stream generation unit 110 described with reference to FIG. 5 can be configured. It is. In other words, it is possible to realize an encryption processing configuration with improved security simply by adding a plurality of components using the existing configuration as it is.

[2-2. Embodiment in which key stream is generated by applying LFSR output based on secret key (Ks) (second embodiment)]
Next, as a second embodiment, the same secret key (Ks) as the secret key (Ks) input to the key schedule unit is input to the linear feedback shift register (LFSR) to set the initial state of the LFSR. explain.
That is, data obtained by performing an exclusive OR (XOR) of a pseudo random number generated by processing of the key schedule unit and the pseudo random number generation unit based on the secret key (Ks) and an output from the LFSR based on the same secret key (Ks) Is a key stream.

FIG. 9 shows a configuration example of a cryptographic processing apparatus that executes the cryptographic processing of the second embodiment.
The key stream generation unit 110 illustrated in FIG. 9 has the same configuration as the key stream generation unit 110 illustrated in FIG. 5 described above as the configuration of the first embodiment.
The difference from the configuration shown in FIG. 1 is that the first secret key (Ks) is input to the linear feedback shift register (LFSR) 121 of the key stream generation unit 110 shown in FIG.

  That is, in the second embodiment, the second secret key (KL) 133 shown in FIG. 5 is not used, and the first secret key (Ks) is input to both the key schedule unit 111 and the linear feedback shift register (LFSR) 121. .

  9 receives a first secret key (Ks) 131 and an initial vector (IV: Initial Vector) 132, and generates a key stream (pseudorandom number) 136.

The key stream generation unit 110 includes a key schedule unit 111, a pseudo random number generation unit 112, a linear feedback shift register (LFSR) 121, and an exclusive OR (XOR) calculation unit 122.
The key schedule unit 111 generates pseudo random number generation initial data based on the first secret key (Ks) 131 and the initial vector (IV) 132 and outputs the generated initial data to the pseudo random number generation unit 112.
The pseudo random number generation unit 112 generates pseudo random numbers 134 by applying the pseudo random number generation initial data input from the key schedule unit 111 and outputs the pseudo random numbers 134. The pseudo random number 134 is a data sequence of Za1, Za2,... Shown in the figure. For example, each of Zai generates a 1-byte (8 bits) pseudorandom sequence: Za1, Za2,. To the logical OR (XOR) operation unit 122.

Further, the first secret key (Ks) 131 is input to the linear feedback shift register (LFSR) 121.
A configuration bit of the first secret key (Ks) 131 is set in a register configuring the linear feedback shift register (LFSR) 121. This set state of the first secret key (Ks) is the initial state of the LFSR.
Thereafter, the linear feedback shift register (LFSR) 121 sequentially executes a prescribed shift operation to generate and output the LFSR output 135.
The LFSR output 135 is a data sequence of O1, O2,... Shown in the figure. For example, each Oi generates a 1-byte (8-bit) LFSR output sequence: O1, O2,. To the logical OR (XOR) operation unit 122.

The number of registers (number of bits that can be set) set in the linear feedback shift register (LFSR) 121 is not less than the key length k bits of the first secret key (Ks) (denoted k ′). A primitive polynomial is used as the characteristic polynomial that determines the characteristics of the output sequence so that the period also becomes the maximum period 2 ^{k ′} −1.
Specifically, for example, the configuration described above with reference to FIGS.

The exclusive OR (XOR) operation unit 122 executes the exclusive OR (XOR) operation of the following two data (a) and (b) to generate the key streams Zb1, Zb2, Zb3. And output.
(A) Pseudorandom numbers generated by the processes of the key schedule unit 111 and the pseudorandom number generation unit 112 based on the first secret key (Ks) 131: Za1, Za2, Za3.
(B) LFSR output output from the linear feedback shift register (LFSR) 121 based on the first secret key (Ks) 131: O1, O2, O3.

Each of the pseudo random numbers: Za1, Za2, Za3... And the LFSR output: O1, O2, O3... Has the same number of bits, for example, 1 byte (8 bits) data.
In the exclusive OR (XOR) operation unit 122, these two data, that is,
Pseudo-random numbers: Za1, Za2, Za3 ...
LFSR output: O1, O2, O3 ...
An exclusive OR (XOR) operation of these data is executed to generate and output key streams Zb1, Zb2, Zb3.
The key streams Zb1, Zb2, Zb3... Are generated by the following calculation formula.
Zb1 = Za1 (+) O1,
Zb2 = Za2 (+) O2,
Zb3 = Za3 (+) O3,
...
In the above formula, (+) means exclusive OR (XOR).

The key stream 136 is composed of a data string that is composed of data of a predetermined bit unit. Specifically, for example, a data string consisting of 1-byte (8-bit) data: Zb1, Zb2, Zb3,.
As described above, the exclusive OR (XOR) operation unit 122 of the key stream generation unit 110 sequentially outputs the data strings: Zb1, Zb2, Zb3,. .

Each of the predetermined bit unit data: Zb1, Zb2, Zb3,..., Which is a key stream component, is divided into predetermined data units of plaintext 141 to be encrypted by the exclusive OR operation unit 123: P1. , P2, P3,... And an exclusive OR (XOR) operation is performed.
The data string C1, C2, C3... Calculated as the exclusive OR operation result is output as the ciphertext 142.

The ciphertexts C1, C2, C3..., The key streams: Zb1, Zb2, Z3... And the plaintexts P1, P2, P3.
C1 = P1 (+) Zb1
C2 = P2 (+) Zb2
C3 = P3 (+) Zb3
...
In the above formula, (+) means exclusive OR operation.
Also, the plaintext component Pi, the key stream component Zbi, the ciphertext component Ci, and each of these components are data of the same number of bits, for example, 1 byte (8 bits).

As described above, the ciphertext generation process using the stream cipher according to the second embodiment is performed by executing the following steps (Sa1) to (Sa4).
(Sa1) A pseudo random number sequence Za1, Za2, Za3... Is generated from a first secret key (Ks) that is a secret parameter and an initial vector (IV) that is a public parameter.
(Sa2) The LFSR output sequences O1, O2, O3,... Are generated from the first secret key (Ks) that is a secret parameter.
(Sa3) Key streams Zb1, Zb2, Zb3,... Are generated by exclusive OR (XOR) of pseudo-random number sequences Za1, Za2, Za3... And LFSR output sequences O1, O2, O3. To do.
(Sa4) The ciphertexts C1, C2, C3... Are obtained by taking the exclusive OR of the plaintext configuration data P1, P2, P3... And the generated key streams Zb1, Zb2, Zb3. Generate.

For example, the ciphertext 142 generated by the processing described with reference to FIG. 9 is transferred via a network, received by an information processing apparatus of another user, and decrypted.
FIG. 10 is a diagram for explaining the decoding process according to the second embodiment.
The encryption process and the decryption process according to the stream cipher of the second embodiment are realized using the same device configuration.

  In the configuration shown in FIG. 10, the key stream generation unit 210 receives a first secret key (Ks) 231 and an initial vector (IV: Initial Vector) 232 and generates a key stream (pseudorandom number) 236.

The first secret key (Ks) 231 and the initial vector (IV) 232 are data stored in advance in a device that performs cryptographic processing, for example, a user information processing device.
The first secret key (Ks) 231 is secret information, not public data. This is secret information shared between specific users, for example, ciphertext generation users and users who decrypt ciphertexts.
On the other hand, the initial vector (IV) 232 is public data and is data that can be known by an unspecified number of users.
When the ciphertext 142 to be decrypted is the ciphertext 142 generated by the configuration shown in FIG. 9, the initial vector (IV) 232 is also the same as the initial vector (IV) 132 applied in the encryption processing shown in FIG. It is data of.

The key stream generation unit 210 includes a key schedule unit 211, a pseudo random number generation unit 212, a linear feedback shift register (LFSR) 221, and an exclusive OR (XOR) calculation unit 222.
The key schedule unit 211 generates pseudo random number generation initial data based on the first secret key (Ks) 231 and the initial vector (IV) 232 and outputs the generated initial data to the pseudo random number generation unit 212.
The pseudo random number generation unit 212 generates pseudo random numbers 234 by applying the pseudo random number generation initial data input from the key schedule unit 211 and outputs the pseudo random numbers 234. The pseudo random number 234 is a data sequence of Za1, Za2,... Shown in the figure. For example, each of Zai generates a 1-byte (8 bits) pseudorandom sequence: Za1, Za2,. To the logical OR (XOR) operation unit 222.

Further, the first secret key (Ks) 231 is input to the linear feedback shift register (LFSR) 221.
A configuration bit of the first secret key (Ks) 231 is set in a register configuring the linear feedback shift register (LFSR) 221. This set state of the first secret key (Ks) is the initial state of the LFSR.
Thereafter, the linear feedback shift register (LFSR) 221 sequentially executes a prescribed shift operation to generate and output the LFSR output 235.
The LFSR output 235 is a data sequence of O1, O2,... Shown in the figure. For example, each Oi generates a 1-byte (8-bit) LFSR output sequence: O1, O2,. To the logical OR (XOR) operation unit 222.

The configuration of the key stream generation unit 210 illustrated in FIG. 10 is the same as the configuration of the key stream generation unit 110 described with reference to FIG.
Two specific examples of the linear feedback shift register (LFSR) 221 have been described with reference to FIGS. 6 and 7. The LFSR used for the encryption process and the LFSR used for the decryption process have the same configuration.
The configuration of the key stream generation unit 210 shown in FIG. 10 is the same as the configuration of the key stream generation unit 110 described with reference to FIG. 9, and each input data, that is, the first secret key (Ks), the initial vector ( By making IV) the same, the same key stream Zb1, Zb2, Zb3,.

In the configuration shown in FIG. 10, the exclusive OR (XOR) operation unit 222 performs the following exclusive OR (XOR) operation of the two data (a) and (b) to generate the key streams Zb1 and Zb2. , Zb3... Are generated and output.
(A) Pseudorandom numbers generated by the processes of the key schedule unit 211 and the pseudorandom number generation unit 212 based on the first secret key (Ks) 231: Za1, Za2, Za3.
(B) LFSR output output from the linear feedback shift register (LFSR) 221 based on the first secret key (Ks) 231: O1, O2, O3.

Each of the pseudo random numbers: Za1, Za2, Za3... And the LFSR output: O1, O2, O3... Has the same number of bits, for example, 1 byte (8 bits) data.
In the exclusive OR (XOR) operation unit 222, these two data, that is,
Pseudo-random numbers: Za1, Za2, Za3 ...
LFSR output: O1, O2, O3 ...
An exclusive OR (XOR) operation of these data is executed to generate and output key streams Zb1, Zb2, Zb3.
The key streams Zb1, Zb2, Zb3... Are generated by the following calculation formula.
Zb1 = Za1 (+) O1,
Zb2 = Za2 (+) O2,
Zb3 = Za3 (+) O3,
...
In the above formula, (+) means exclusive OR (XOR).

The key stream 236 is composed of a data string that is composed of data of predetermined bits. Specifically, for example, a data string consisting of 1-byte (8-bit) data: Zb1, Zb2, Zb3,.
As described above, the exclusive OR (XOR) calculation unit 222 of the key stream generation unit 210 sequentially outputs a data string consisting of data of a predetermined length: Zb1, Zb2, Zb3,. .

Each of the predetermined bit unit data: Zb1, Zb2, Zb3,... Which is a key stream component is divided data of the predetermined data unit of the ciphertext 141 to be decrypted by the exclusive OR operation unit 223: An exclusive OR (XOR) operation is performed with each of C1, C2, C3.
The data string: P1, P2, P3,... Calculated as the exclusive OR operation result becomes the plaintext 142 as the decryption result.

The plaintext P1, P2, PC3..., The key streams: Zb1, Zb2, Zb3... And the ciphertexts C1, C2, C3.
P1 = C1 (+) Zb1
P2 = C2 (+) Zb2
P3 = C3 (+) Zb3
...
In the above formula, (+) means exclusive OR operation.
Also, the plaintext component Pi, the key stream component Zbi, the ciphertext component Ci, and each of these components are data of the same number of bits, for example, 1 byte (8 bits).

As described above, the decryption process using the stream cipher according to the second embodiment is performed by executing the following steps (Sb1) to (Sb4).
(Sb1) A pseudo random number sequence Za1, Za2, Za3,... Is generated from a first secret key (Ks) that is a secret parameter and an initial vector (IV) that is a public parameter.
(Sb2) LFSR output sequences O1, O2, O3,... Are generated from the first secret key (Ks) that is a secret parameter.
(Sb3) Key streams Zb1, Zb2, Zb3,... Are generated by exclusive OR (XOR) of pseudo random number sequences Za1, Za2, Za3,... And LFSR output sequences O1, O2, O3,. To do.
(Sb4) By taking an exclusive OR of the ciphertexts C1, C2, C3... And the generated key streams Zb1, Zb2, Zb3..., Plaintext configuration data P1, P2, P3. Generate.

  In the plaintext generation process, the plaintext is obtained by taking the exclusive OR of the ciphertext using the same key stream as the keystream used at the time of ciphertext generation due to the property of the exclusive OR executed in step (Sb4). be able to.

  In the present embodiment, as the common secret information, the first secret key (Ks) is securely shared between the sender and the receiver, thereby enabling encryption and decryption processing.

  The second embodiment has, for example, the following advantages over the conventional stream cipher processing configuration described above with reference to FIGS.

(A) Regarding the superiority of security For example, even when the pseudorandom numbers Za1, Za2,... Output from the pseudorandom number generator 112 shown in FIG. .. Are output by performing an exclusive OR (XOR) operation on the outputs O1, O2,... Of the LFSRs with uniform appearance frequencies of 0, 1, and new key streams Zb1, Zb2,. By generating ・, it is possible to remove the bias.

Since the key streams Zb1, Zb2,... From which the bias has been removed are applied to plaintext, it is possible to perform encryption processing using a key stream having no bias.
This processing can prevent a plaintext recovery attack using the broadcast setting described above with reference to FIG.

  For example, since each value of the LFSR output Oi is generated with equal probability, when a first secret key (Ks) is randomly given, a pseudo random number (Zi) generated based on the first secret key (Ks) , And LFSR output (Oi) value distribution is uniform.

  Further, if the output of the LFSR is exposed to the attacker, the first secret key (Ks) is exposed due to the nature of the LFSR. However, estimation of LFSR output from ciphertext or the like also requires estimation of a pseudo-random number sequence before exclusive OR processing inside the key stream generation unit, and this estimation is extremely difficult.

(B) Superiority of mounting cost The linear feedback shift register (LFSR) used in the second embodiment can be mounted only by a register and an exclusive OR (XOR) arithmetic processing configuration, and is H / W (hardware). The implementation cost when configured is small. For this reason, even if it is added to an existing system, the cost will not increase. Also. Even in the case of S / W (software) mounting, high-speed processing is possible. Also, since no new key is required and only the LFSR needs to be added, the implementation cost can be minimized.

As an example of an existing stream cipher to which the second embodiment can be applied, for example, there is a 128-bit key RC4 to which a 128-bit key is applied as a secret key (Ks).
When the second embodiment is applied to the 128-bit key RC4, the size of the secret key (Ks) is 128 bits, the size of the number of LFSR registers (number of bits that can be set) is 128 bits, and the period is the maximum period 2 ^128. The LFSR is selected to be -1.
Specifically, the LFSR is configured as described above with reference to FIG. 6, and the characteristic polynomial that determines the output sequence of the LFSR is the following 128th order primitive polynomial.
f (x) = X ¹²⁸ (+) X ¹²⁶ (+) X ¹⁰¹ (+) X ⁹⁹ (+) 1

  The key stream generation unit 110 described with reference to FIG. 9 can be configured by adding the LFSR and the exclusive OR operation unit described with reference to FIG. 6 to the existing stream cipher RC4. is there. That is, an encryption processing configuration with improved security can be realized by using the existing configuration as it is and adding only a few configurations.

[2-3. Embodiment in which LFSR output based on conversion data of first secret key (Ks) is applied to generate a key stream (third embodiment)]
Next, as Example 3, data (Ks2) obtained by converting the same secret key (Ks) as the secret key (Ks) input to the key schedule unit is input to the linear feedback shift register (LFSR), and the initial LFSR An embodiment for setting the state will be described.
In other words, the pseudo-random number generated by the processing of the key schedule unit and the pseudo-random number generation unit based on the secret key (Ks) and the output from the LFSR based on the conversion data (Ks2) of the same secret key (Ks) are exclusive logic. In this embodiment, the sum (XOR) data is used as a key stream.

FIG. 11 shows a configuration example of a cryptographic processing apparatus that executes the cryptographic processing of the third embodiment.
A key stream generation unit 510 illustrated in FIG. 11 has a configuration in which a key conversion unit 521 is added to the key stream generation unit 110 illustrated in FIG. 5 described above as the configuration of the first embodiment.
Further, the difference from the configuration shown in FIG. 1 is that the first secret key (Ks) is input to the key conversion unit 521 added to the preceding stage of the linear feedback shift register (LFSR) 522 of the key stream generation unit 510 shown in FIG. It is a point.

  That is, in the third embodiment, similarly to the second embodiment, the second secret key (KL) 133 shown in FIG. 522 is configured to be input to both the key conversion unit 521 at the preceding stage of 522.

  A key stream generation unit 510 illustrated in FIG. 11 receives a first secret key (Ks) 531 and an initial vector (IV: Initial Vector) 532, and generates a key stream (pseudo random number) 536.

The key stream generation unit 510 includes a key schedule unit 511, a pseudo random number generation unit 512, a key conversion unit 521, a linear feedback shift register (LFSR) 522, and an exclusive OR (XOR) calculation unit 523.
The key schedule unit 511 generates pseudo random number generation initial data based on the first secret key (Ks) 531 and the initial vector (IV) 532 and outputs the generated initial data to the pseudo random number generation unit 512.
The pseudo random number generation unit 512 generates pseudo random numbers 534 by applying the pseudo random number generation initial data input from the key schedule unit 511 and outputs the generated pseudo random numbers 534. The pseudo random number 534 is a data sequence of Za1, Za2,... Shown in the figure. For example, each of Zai generates a 1-byte (8 bits) pseudorandom sequence: Za1, Za2,. To the logical OR (XOR) operation unit 523.

Further, the first secret key (Ks) 531 is input to the key conversion unit 521.
A specific configuration example of the key conversion unit 521 is shown in FIG.
As illustrated in FIG. 12, the key conversion unit 521 includes a hash function (SHA-1) execution unit 551 and a bit number adjustment unit 552.

The hash function (SHA-1) execution unit 551 generates hash data by applying a hash function such as SHA-1 to the first secret key (Ks) that is input data.
The bit number adjustment unit 552 performs bit number adjustment processing on the input from the hash function execution unit 551, and inputs the key conversion data after the bit number adjustment to the linear feedback shift register (LFSR) 522.

Specifically, for example, when the first secret key (Ks) 531 is 128-bit data, the hash function (SHA-1) execution unit 551 performs the following on the first secret key (Ks) that is input data: For example, a one-way hash function such as SHA-1 is applied to generate 160-bit hash data.
The bit number adjustment unit 552 performs bit number adjustment processing on the 160-bit data input from the hash function execution unit 551, generates 128-bit conversion key data (Ks2), and generates a linear feedback shift register (LFSR). Input to 522.
The configuration of the key conversion unit 521 illustrated in FIG. 12 is an example, and the key data conversion unit 521 may be configured to convert the input key data by applying another configuration.

The conversion key data (Ks2) generated by the key data conversion unit 521 based on the first secret key (Ks) 531 is input to the linear feedback shift register (LFSR) 522.
A configuration bit of the conversion key data (Ks2) generated based on the first secret key (Ks) 531 is set in a register configuring the linear feedback shift register (LFSR) 522. The set state of the conversion key data (Ks2) is set as the initial state of the LFSR.
Thereafter, the linear feedback shift register (LFSR) 522 sequentially performs a prescribed shift operation to generate and output an LFSR output 535.
The LFSR output 535 is a data sequence of O1, O2,... Shown in the figure. For example, each Oi generates a 1-byte (8-bit) LFSR output sequence: O1, O2,. To the logical OR (XOR) operation unit 523.

The number of registers (number of bits that can be set) set in the linear feedback shift register (LFSR) 522 is not less than the key length k bits of the first secret key (Ks) (referred to as k ′). A primitive polynomial is used as the characteristic polynomial so that the period is the maximum period 2 ^{k ′} −1.
Specifically, for example, the configuration described above with reference to FIGS.

The exclusive OR (XOR) operation unit 523 executes the exclusive OR (XOR) operation of the following two data (a) and (b) to generate key streams Zb1, Zb2, Zb3,. And output.
(A) Pseudorandom numbers generated by the processes of the key schedule unit 511 and the pseudorandom number generation unit 512 based on the first secret key (Ks) 531: Za1, Za2, Za3.
(B) LFSR output output from the linear feedback shift register (LFSR) 522 based on the conversion key data (Ks2) based on the first secret key (Ks) 531: O1, O2, O3.

Each of the pseudo random numbers: Za1, Za2, Za3... And the LFSR output: O1, O2, O3... Has the same number of bits, for example, 1 byte (8 bits) data.
In the exclusive OR (XOR) operation unit 523, these two data, that is,
Pseudo-random numbers: Za1, Za2, Za3 ...
LFSR output: O1, O2, O3 ...
An exclusive OR (XOR) operation of these data is executed to generate and output key streams Zb1, Zb2, Zb3.
The key streams Zb1, Zb2, Zb3... Are generated by the following calculation formula.
Zb1 = Za1 (+) O1,
Zb2 = Za2 (+) O2,
Zb3 = Za3 (+) O3,
...
In the above formula, (+) means exclusive OR (XOR).

The key stream 536 is composed of a data string that is composed of data in predetermined bit units. Specifically, for example, a data string consisting of 1-byte (8-bit) data: Zb1, Zb2, Zb3,.
As described above, the exclusive OR (XOR) operation unit 523 of the key stream generation unit 510 sequentially outputs the data strings: Zb1, Zb2, Zb3,. .

Each of predetermined bit unit data: Zb1, Zb2, Zb3,... Which is a key stream constituent element is divided into predetermined data unit divided data: P1 of plaintext 141 to be encrypted in the exclusive OR operation unit 524. , P2, P3,... And an exclusive OR (XOR) operation is performed.
The data string C1, C2, C3... Calculated as the exclusive OR operation result is output as ciphertext 542.

The ciphertexts C1, C2, C3..., The key streams: Zb1, Zb2, Z3... And the plaintexts P1, P2, P3.
C1 = P1 (+) Zb1
C2 = P2 (+) Zb2
C3 = P3 (+) Zb3
...
In the above formula, (+) means exclusive OR operation.
Also, the plaintext component Pi, the key stream component Zbi, the ciphertext component Ci, and each of these components are data of the same number of bits, for example, 1 byte (8 bits).

As described above, the ciphertext generation processing by the stream cipher according to the third embodiment is performed by executing the following steps (Sa1) to (Sa4).
(Sa1) A pseudo random number sequence Za1, Za2, Za3... Is generated from a first secret key (Ks) that is a secret parameter and an initial vector (IV) that is a public parameter.
(Sa2) A conversion process of the first secret key (Ks), which is a secret parameter, is executed to generate conversion key data (Ks2), and from the conversion key data (Ks2), the LFSR output sequences O1, O2, O3,. Generate
(Sa3) Key streams Zb1, Zb2, Zb3,... Are generated by exclusive OR (XOR) of pseudorandom number sequences Za1, Za2, Za3,. To do.
(Sa4) The ciphertexts C1, C2, C3... Are obtained by taking the exclusive OR of the plaintext configuration data P1, P2, P3... And the generated key streams Zb1, Zb2, Zb3. Generate.

For example, the ciphertext 542 generated by the processing described with reference to FIG. 11 is transferred via a network, received by an information processing apparatus of another user, and decrypted.
FIG. 13 is a diagram for explaining the decoding process according to the third embodiment.
The encryption process and the decryption process according to the stream cipher of the third embodiment are realized using the same device configuration.

  In the configuration shown in FIG. 13, the key stream generation unit 610 receives a first secret key (Ks) 631 and an initial vector (IV: Initial Vector) 632 and generates a key stream (pseudo random number) 636.

The first secret key (Ks) 631 and the initial vector (IV) 632 are data stored in advance in a device that executes cryptographic processing, for example, a user information processing device.
The first secret key (Ks) 631 is secret information, not public data. This is secret information shared between specific users, for example, ciphertext generation users and users who decrypt ciphertexts.
On the other hand, the initial vector (IV) 632 is public data and is data that can be known by an unspecified number of users.
When the ciphertext 542 to be decrypted is the ciphertext 542 generated by the configuration shown in FIG. 11, the initial vector (IV) 632 is also the same as the initial vector (IV) 532 applied in the encryption processing shown in FIG. It is data of.

The key stream generation unit 610 includes a key schedule unit 611, a pseudo random number generation unit 612, a key conversion unit 621, a linear feedback shift register (LFSR) 622, and an exclusive OR (XOR) calculation unit 623.
The key schedule unit 611 generates pseudo random number generation initial data based on the first secret key (Ks) 631 and the initial vector (IV) 632 and outputs the generated initial data to the pseudo random number generation unit 612.
The pseudo random number generation unit 612 generates pseudo random numbers 634 by applying the pseudo random number generation initial data input from the key schedule unit 611 and outputs the pseudo random numbers 634. The pseudo random number 634 is a data sequence of Za1, Za2,... Shown in the figure. For example, each of Zai generates a 1-byte (8 bits) pseudorandom sequence: Za1, Za2,. To the logical OR (XOR) operation unit 623.

Further, the first secret key (Ks) 631 is input to the key conversion unit 621.
The key conversion unit 621 has the same configuration as the key conversion unit 521 in the configuration of FIG. That is, for example, as shown in FIG. 12, the hash function (SHA-1) execution unit 551 and the bit number adjustment unit 552 are configured.
The conversion key data (Ks2) generated by the key data conversion unit 621 based on the first secret key (Ks) 631 is input to the linear feedback shift register (LFSR) 622.

A configuration bit of converted key data (Ks2) generated based on the first secret key (Ks) 631 is set in a register configuring the linear feedback shift register (LFSR) 622. The set state of the conversion key data (Ks2) is set as the initial state of the LFSR.
Thereafter, the linear feedback shift register (LFSR) 622 sequentially performs a prescribed shift operation to generate and output an LFSR output 635.
The LFSR output 635 is a data sequence of O1, O2,... Shown in the figure. For example, each Oi generates a 1-byte (8-bit) LFSR output sequence: O1, O2,. To the logical OR (XOR) operation unit 623.

The configuration of the key stream generation unit 610 illustrated in FIG. 13 is the same as the configuration of the key stream generation unit 510 described with reference to FIG.
The linear feedback shift register (LFSR) 622 has, for example, the configuration shown in FIGS. 6 and 7 described above as a specific example. Note that the LFSR used for encryption processing and the LFSR used for decryption processing have the same configuration.
The configuration of the key stream generation unit 610 shown in FIG. 13 is the same as the configuration of the key stream generation unit 510 described with reference to FIG. 11, and each data to be input, that is, the first secret key (Ks), the initial vector ( By making IV) the same, the same key stream Zb1, Zb2, Zb3,.

In the configuration shown in FIG. 13, the exclusive OR (XOR) operation unit 623 executes the exclusive OR (XOR) operation of the following two data (a) and (b) to generate the key streams Zb1 and Zb2 , Zb3... Are generated and output.
(A) Pseudorandom numbers generated by the processes of the key schedule unit 611 and the pseudorandom number generation unit 612 based on the first secret key (Ks) 631: Za1, Za2, Za3,.
(B) Based on the conversion key data (Ks2) based on the first secret key (Ks) 631, LFSR outputs output from the linear feedback shift register (LFSR) 622: O1, O2, O3.

Each of the pseudo random numbers: Za1, Za2, Za3... And the LFSR output: O1, O2, O3... Has the same number of bits, for example, 1 byte (8 bits) data.
In the exclusive OR (XOR) operation unit 623, these two data, that is,
Pseudo-random numbers: Za1, Za2, Za3 ...
LFSR output: O1, O2, O3 ...
An exclusive OR (XOR) operation of these data is executed to generate and output key streams Zb1, Zb2, Zb3.
The key streams Zb1, Zb2, Zb3... Are generated by the following calculation formula.
Zb1 = Za1 (+) O1,
Zb2 = Za2 (+) O2,
Zb3 = Za3 (+) O3,
...
In the above formula, (+) means exclusive OR (XOR).

The key stream 636 is composed of a data string that is composed of data in predetermined bit units. Specifically, for example, a data string consisting of 1-byte (8-bit) data: Zb1, Zb2, Zb3,.
As described above, the exclusive OR (XOR) operation unit 623 of the key stream generation unit 610 sequentially outputs the data strings: Zb1, Zb2, Zb3,. .

Each of the predetermined bit unit data: Zb1, Zb2, Zb3,... Which is a key stream component is divided data of the predetermined data unit of the ciphertext 542 to be decrypted by the exclusive OR calculator 624: An exclusive OR (XOR) operation is performed with each of C1, C2, C3.
The data string: P1, P2, P3... Calculated as the exclusive OR operation result becomes the plaintext 541 as the decryption result.

The plaintext P1, P2, PC3..., The key streams: Zb1, Zb2, Zb3... And the ciphertexts C1, C2, C3.
P1 = C1 (+) Zb1
P2 = C2 (+) Zb2
P3 = C3 (+) Zb3
...
In the above formula, (+) means exclusive OR operation.
Also, the plaintext component Pi, the key stream component Zbi, the ciphertext component Ci, and each of these components are data of the same number of bits, for example, 1 byte (8 bits).

As described above, the decryption process using the stream cipher according to the third embodiment is performed by executing the following steps (Sb1) to (Sb4).
(Sb1) A pseudo random number sequence Za1, Za2, Za3,... Is generated from a first secret key (Ks) that is a secret parameter and an initial vector (IV) that is a public parameter.
(Sb2) LFSR output sequences O1, O2, O3... Are generated from the conversion key data (Ks2) generated based on the first secret key (Ks) that is a secret parameter.
(Sb3) Key streams Zb1, Zb2, Zb3,... Are generated by exclusive OR (XOR) of pseudo random number sequences Za1, Za2, Za3,... And LFSR output sequences O1, O2, O3,. To do.
(Sb4) By taking an exclusive OR of the ciphertexts C1, C2, C3... And the generated key streams Zb1, Zb2, Zb3..., Plaintext configuration data P1, P2, P3. Generate.

  In the plaintext generation process, the plaintext is obtained by taking the exclusive OR of the ciphertext using the same key stream as the keystream used at the time of ciphertext generation due to the property of the exclusive OR executed in step (Sb4). be able to.

  In the present embodiment, as the common secret information, the first secret key (Ks) is securely shared between the sender and the receiver, thereby enabling encryption and decryption processing.

  The third embodiment has, for example, the following advantages over the conventional stream cipher processing configuration described above with reference to FIGS.

(A) Superiority of safety For example, even when the pseudorandom numbers Za1, Za2,... Output from the pseudorandom number generator 512 shown in FIG. .. Are output by performing an exclusive OR (XOR) operation on the outputs O1, O2,... Of the LFSRs with uniform appearance frequencies of 0, 1, and new key streams Zb1, Zb2,. By generating ・, it is possible to remove the bias.

Since the key streams Zb1, Zb2,... From which the bias has been removed are applied to plaintext, it is possible to perform encryption processing using a key stream having no bias.
By this processing, it is possible to prevent the plaintext recovery attack at the time of the broadcast setting described above with reference to FIG.

  For example, since each value of the LFSR output Oi is generated with equal probability, when a first secret key (Ks) is randomly given, a pseudo random number (Zi) generated based on the first secret key (Ks) , And LFSR output (Oi) value distribution is uniform.

Also, if the output of the LFSR is exposed to an attacker, the conversion key data (Ks2) generated based on the first secret key (Ks) will be exposed due to the nature of the LFSR. However, the first secret key (Ks) itself is not exposed.
In addition, estimation of LFSR output from ciphertext or the like requires estimation of a pseudo-random number sequence before exclusive OR processing inside the key stream generation unit, and this estimation is extremely difficult.

(B) Superiority of mounting cost The linear feedback shift register (LFSR) used in the third embodiment can be mounted only by a register and an exclusive OR (XOR) arithmetic processing configuration, and is H / W (hardware). The implementation cost when configured is small. For this reason, even if it is added to an existing system, the cost will not increase. Also. Even in the case of S / W (software) mounting, high-speed processing is possible. Also, since no new key is required and only the LFSR needs to be added, the implementation cost can be minimized.

An example of an existing stream cipher to which the third embodiment can be applied is a 128-bit key RC4 to which a 128-bit key is applied as a secret key (Ks), for example.
When the third embodiment is applied to the 128-bit key RC4, the size of the secret key (Ks) is 128 bits, the size of the number of LFSR registers (number of bits that can be set) is 128 bits, and the cycle is the maximum cycle 2 ^The LFSR is selected to be 128-1.
Specifically, the LFSR has the configuration described above with reference to FIG. 6, and the characteristic polynomial that determines the characteristics of the output sequence of the LFSR is the following 128th order primitive polynomial.
f (x) = X ¹²⁸ (+) X ¹²⁶ (+) X ¹⁰¹ (+) X ⁹⁹ (+) 1

  The key stream generation unit 510 described with reference to FIG. 11 is configured by adding the LFSR, the key exclusive conversion unit, and the OR operation unit described with reference to FIG. 6 to the existing stream cipher RC4. It is possible to implement an encryption processing configuration with increased security by using an existing configuration as it is.

[3. About configuration example of cryptographic processor]
Finally, a configuration example of a cryptographic processing apparatus that performs cryptographic processing according to the above-described embodiment will be described.
The cryptographic processing apparatus that performs cryptographic processing according to the above-described embodiments can be mounted on various information processing apparatuses that perform cryptographic processing. Specifically, PC, TV, recorder, player, communication device, RFID, smart card, sensor network device, dent / battery authentication module, health / medical device, self-supporting network device, etc., for example, data processing and communication processing It can be used in various devices that execute cryptographic processing associated with the above.

  FIG. 14 illustrates a configuration example of the IC module 800 as an example of an apparatus that executes the cryptographic processing according to the present disclosure. The above-described processing can be executed in various information processing apparatuses such as a PC, an IC card, a reader / writer, a smartphone, and a wearable device, and the IC module 800 illustrated in FIG. 14 can be configured in these various devices. It is.

  A CPU (Central processing Unit) 801 illustrated in FIG. 14 is a processor that executes the start and end of cryptographic processing, control of data transmission / reception, data transfer control between each component, and other various programs. A memory 802 is a ROM (Read-Only-Memory) that stores programs executed by the CPU 801 or fixed data such as calculation parameters, a program executed in the processing of the CPU 801, and a parameter storage area that changes as appropriate in the program processing, It consists of RAM (Random Access Memory) used as a work area. The memory 802 can be used as a storage area for key data necessary for encryption processing, data to be applied to a conversion table (substitution table) or conversion matrix applied in the encryption processing, and the like. The data storage area is preferably configured as a memory having a tamper resistant structure.

  The cryptographic processing unit 803 has the cryptographic processing configuration described above, and executes cryptographic processing and decryption processing according to a common key block cryptographic processing algorithm.

  Here, an example is shown in which the cryptographic processing means is an individual module, but such an independent cryptographic processing module is not provided, for example, a cryptographic processing program is stored in the ROM, and the CPU 801 reads and executes the ROM stored program. You may comprise.

  The random number generator 804 executes random number generation processing necessary for generating a key necessary for encryption processing.

  The transmission / reception unit 805 is a data communication processing unit that performs data communication with the outside. For example, the data transmission / reception unit 805 performs data communication with an IC module such as a reader / writer, and outputs a ciphertext generated in the IC module or an external reader. Data input from devices such as writers is executed.

Note that the encryption processing apparatus described in the above-described embodiment is not only applicable to encryption processing for encrypting plaintext as input data, but also for decryption processing for restoring ciphertext as input data to plaintext. Applicable.
The configurations described in the above-described embodiments can be applied to both the encryption process and the decryption process.

  FIG. 15 is a block diagram illustrating an example of a schematic configuration of the smartphone 900 that executes the cryptographic processing according to the present disclosure. The smartphone 900 includes a processor 901, a memory 902, a storage 903, an external connection interface 904, a camera 906, a sensor 907, a microphone 908, an input device 909, a display device 910, a speaker 911, a wireless communication interface 913, an antenna switch 914, an antenna 915, A bus 917, a battery 918, and an auxiliary controller 919 are provided.

  The processor 901 may be, for example, a CPU (Central Processing Unit) or a SoC (System on Chip), and controls functions of an application layer and other layers of the smartphone 900 and controls cryptographic processing. The memory 902 includes a RAM (Random Access Memory) and a ROM (Read Only Memory), and stores programs executed by the processor 901 and data. The memory 902 can be used as a storage area for key data necessary for encryption processing, data to be applied to a conversion table (substitution table) or conversion matrix applied in the encryption processing, and the like. The data storage area is preferably configured as a memory having a tamper resistant structure. The storage 903 can include a storage medium such as a semiconductor memory or a hard disk. The external connection interface 904 is an interface for connecting an external device such as a memory card or a USB (Universal Serial Bus) device to the smartphone 900.

  The camera 906 includes, for example, an imaging element such as a charge coupled device (CCD) or a complementary metal oxide semiconductor (CMOS), and generates a captured image. The sensor 907 may include a sensor group such as a positioning sensor, a gyro sensor, a geomagnetic sensor, and an acceleration sensor. The microphone 908 converts sound input to the smartphone 900 into an audio signal. An image generated by the camera 906, sensor data acquired by the sensor 907, an audio signal acquired by the microphone 908, and the like may be encrypted by the processor 901 and transmitted to another device via the wireless communication interface 913. . The input device 909 includes, for example, a touch sensor that detects a touch on the screen of the display device 910, a keypad, a keyboard, a button, or a switch, and receives an operation or information input from a user. The display device 910 has a screen such as a liquid crystal display (LCD) or an organic light emitting diode (OLED) display, and displays an output image of the smartphone 900. The speaker 911 converts an audio signal output from the smartphone 900 into audio.

  The wireless communication interface 913 performs wireless communication, and typically includes a baseband processor, an RF (Radio Frequency) circuit, a power amplifier, and the like. The wireless communication interface 913 may be a one-chip module in which a memory that stores a communication control program, a processor that executes the program, and related circuits are integrated. The wireless communication interface 913 may support other types of wireless communication methods such as a short-range wireless communication method, a proximity wireless communication method, or a cellular communication method in addition to the wireless LAN method.

  The bus 917 connects the processor 901, memory 902, storage 903, external connection interface 904, camera 906, sensor 907, microphone 908, input device 909, display device 910, speaker 911, wireless communication interface 913, and auxiliary controller 919 to each other. . The battery 918 supplies power to each block of the smartphone 900 illustrated in FIG. 15 through a power supply line partially illustrated by a broken line in the drawing. For example, the auxiliary controller 919 operates the minimum necessary functions of the smartphone 900 in the sleep mode.

Note that the encryption processing in the smartphone described in the above-described embodiment is not only applicable to encryption processing for encrypting plaintext as input data, but also for decryption processing for restoring ciphertext as input data to plaintext. Is also applicable.
The configurations described in the above-described embodiments can be applied to both the encryption process and the decryption process.
Further, the IC module 800 shown in FIG. 14 may be mounted on the smartphone 900 shown in FIG. 15, and the encryption processing according to the above-described embodiment may be executed in the IC module 800.

[4. Summary of composition of the present disclosure]
As described above, the embodiments of the present disclosure have been described in detail with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present disclosure. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present disclosure, the claims should be taken into consideration.

The technology disclosed in this specification can take the following configurations.
(1) a key stream generation unit that generates a key stream that is a data stream composed of encryption key data;
An operation unit that performs operation processing of encryption key data constituting the key stream and encryption processing target data;
The key stream generation unit
A pseudo-random number generator that generates a pseudo-random number based on the first secret key;
A linear feedback register (LFSR) that generates LFSR output data based on a second secret key;
An exclusive OR operation unit that executes an exclusive OR operation process between the pseudo random number generated by the pseudo random number generator and the LFSR output data;
An encryption processing apparatus that outputs an output of the exclusive OR operation unit as a key stream.

  (2) The cryptographic processing device according to (1), wherein the first secret key and the second secret key are different secret keys.

  (3) The cryptographic processing device according to (1), wherein the first secret key and the second secret key are the same secret key.

  (4) The cryptographic processing apparatus according to (1), wherein the second secret key is a key generated by a data conversion process based on the first secret key.

(5) The key stream generation unit includes a key conversion unit,
The key conversion unit receives the first secret key, generates a second secret key different from the first secret key, and inputs the second secret key to the linear feedback register (LFSR). Processing equipment.

(6) The key conversion unit
The cryptographic processing apparatus according to (5), which performs data conversion to which a one-way hash function is applied.

(7) The pseudo random number generation unit generates a pseudo random number in units of 1 byte,
The linear feedback register (LFSR) generates an LFSR output in 1-byte units,
The exclusive OR operation unit performs an exclusive OR operation on a 1-byte unit pseudo-random number and a 1-byte unit LFSR output to generate a key stream composed of 1-byte unit encryption key data ( The cryptographic processing device according to any one of 1 to (6).

(8) The linear feedback register (LFSR) has a characteristic polynomial
f (x) = X ¹²⁸ (+) X ¹²⁶ (+) X ¹⁰¹ (+) X ⁹⁹ (+) 1
The cryptographic processing device according to any one of (1) to (7), wherein the cryptographic processing device has a configuration defined by the 128th-order primitive polynomial.

(9) The linear feedback register (LFSR) has a characteristic polynomial
f (x) = X ⁶⁴ (+) X ⁶³ (+) X ⁶¹ (+) X ⁶⁰ (+) 1
The cryptographic processing device according to any one of (1) to (7), wherein the cryptographic processing device has a configuration defined by the 64th order primitive polynomial.

(10) The key stream generation unit
A key schedule unit that inputs the first secret key and generates initial data for generating pseudo-random numbers;
The cryptographic processing device according to any one of (1) to (9), wherein the cryptographic processing device includes a pseudo-random number generation unit that inputs pseudo-random number generation initial data generated by the key schedule unit and outputs a pseudo-random number.

(11) a key stream generation unit that generates a key stream that is a data stream including decryption key data;
An operation unit that performs an operation process between the decryption key data constituting the key stream and the decryption target data;
The key stream generation unit
A pseudo-random number generator that generates a pseudo-random number based on the first secret key;
A linear feedback register (LFSR) that generates LFSR output data based on a second secret key;
An exclusive OR operation unit that executes an exclusive OR operation process between the pseudo random number generated by the pseudo random number generator and the LFSR output data;
A decryption processing device that outputs the output of the exclusive OR operation unit as a key stream.

(12) A cryptographic processing method executed in the cryptographic processing device,
A key stream generation step in which a key stream generation unit generates a key stream that is a data stream composed of encryption key data; and
The calculation unit executes a calculation step of performing calculation processing of encryption key data constituting the key stream and encryption processing target data,
The key stream generation step includes:
A pseudo-random number generating unit that generates a pseudo-random number based on the first secret key;
An LFSR output data generation step, wherein a linear feedback register (LFSR) generates LFSR output data based on the second secret key;
An exclusive OR operation unit has an exclusive OR operation step of performing an exclusive OR operation process between the pseudo random number generated by the pseudo random number generator and the LFSR output data;
An encryption processing method for outputting an output of the exclusive OR operation unit as a key stream.

(13) A program for executing cryptographic processing in the cryptographic processing device,
A key stream generation step for causing the key stream generation unit to generate a key stream that is a data stream composed of encryption key data; and
Causing the calculation unit to execute a calculation step of executing calculation processing of the encryption key data constituting the key stream and the encryption processing target data;
In the key stream generation step, the program includes:
A pseudo-random number generation step for causing the pseudo-random number generator to generate a pseudo-random number based on the first secret key;
An LFSR output data generating step for causing a linear feedback register (LFSR) to generate LFSR output data based on the second secret key;
Causing the exclusive OR operation unit to execute an exclusive OR operation step of executing an exclusive OR operation of the pseudo random number generated by the pseudo random number generation unit and the LFSR output data;
A program for outputting the output of the exclusive OR operation unit as a key stream.

  The series of processing described in the specification can be executed by hardware, software, or a combined configuration of both. When executing processing by software, the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and run. For example, the program can be recorded in advance on a recording medium. In addition to being installed on a computer from a recording medium, the program can be received via a network such as a LAN (Local Area Network) or the Internet and can be installed on a recording medium such as a built-in hard disk.

  Note that the various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

As described above, according to the configuration of an embodiment of the present disclosure, an apparatus and a method for executing stream cipher with improved security are realized.
Specifically, it has a key stream generation unit that generates a key stream that is a data stream composed of encryption key data, and an operation unit that performs an operation process on the encryption key data constituting the key stream and the data to be encrypted. The key stream generation unit includes a pseudo random number generation unit that generates a pseudo random number based on the first secret key, a linear feedback register (LFSR) that generates LFSR output data based on the second secret key, The exclusive OR operation part which performs the exclusive OR operation process of the pseudorandom numbers which the random number generation part produced | generated, and LFSR output data is provided, and the output of an exclusive OR operation part is output as a key stream.
With this configuration, an apparatus and a method for executing stream cipher with improved safety are realized.

11 Secret key 12 Initial vector 13 Key stream (pseudo-random number)
21 plaintext 22 ciphertext 50 key stream generation unit 51 key schedule unit 52 pseudo random number generation unit 53 exclusive OR (XOR) operation unit 41 secret key 42 initial vector 43 key stream (pseudo random number)
70 Key Stream Generation Unit 71 Key Schedule Unit 72 Pseudo Random Number Generation Unit 73 Exclusive OR (XOR) Operation Unit 110 Key Stream Generation Unit 111 Key Schedule Unit 112 Pseudo Random Number Generation Unit 121 Linear Feedback Shift Register (LFSR)
122 Exclusive OR (XOR) Operation Unit 131 First Secret Key (Ks)
132 Initial vector 133 Second secret key (KL)
134 Output pseudo random number 135 LFSR output 136 Key stream (pseudo random number)
141 plaintext 142 ciphertext 210 key stream generation unit 211 key schedule unit 212 pseudorandom number generation unit 221 linear feedback shift register (LFSR)
222 Exclusive OR (XOR) operation unit 231 First secret key (Ks)
232 Initial vector 233 Second secret key (KL)
234 Output pseudo random number 235 LFSR output 236 Key stream (pseudo random number)
510 Key stream generation unit 511 Key schedule unit 512 Pseudo random number generation unit 521 Key conversion unit 522 Linear feedback shift register (LFSR)
523 Exclusive OR (XOR) operation part 531 1st secret key (Ks)
532 Initial vector 534 Output pseudorandom number 535 LFSR output 536 Key stream (pseudorandom number)
541 Plain text 542 Cipher text 551 Hash function execution unit 552 Bit number adjustment unit 610 Key stream generation unit 611 Key schedule unit 612 Pseudo random number generation unit 621 Key conversion unit 622 Linear feedback shift register (LFSR)
623 Exclusive OR (XOR) operation part 631 1st secret key (Ks)
632 Initial vector 634 Output pseudo-random number 635 LFSR output 636 Key stream (pseudo-random number)
800 IC module 801 CPU (Central processing Unit)
802 Memory 803 Encryption processing unit 804 Random number generation unit 805 Transmission / reception unit 900 Smartphone 901 Processor 902 Memory 903 Storage 904 External connection interface 906 Camera 907 Sensor 908 Microphone 909 Input device 910 Display device 911 Speaker 913 Wireless communication interface 914 Antenna switch 915 Antenna 917 918 Battery 919 Auxiliary controller

Claims (13)

A key stream generation unit that generates a key stream that is a data stream composed of encryption key data;
An operation unit that performs operation processing of encryption key data constituting the key stream and encryption processing target data;
The key stream generation unit
A pseudo-random number generator that generates a pseudo-random number based on the first secret key;
A linear feedback register (LFSR) that generates LFSR output data based on a second secret key;
An exclusive OR operation unit that executes an exclusive OR operation process between the pseudo random number generated by the pseudo random number generation unit and the LFSR output data;
The output of the exclusive OR operation unit is output as a key stream ,
The cryptographic processing apparatus , wherein the key stream is a reproducible pseudo-random number whose value is determined according to an input value to the key stream generation unit .   The cryptographic processing apparatus according to claim 1, wherein the first secret key and the second secret key are different secret keys.   The cryptographic processing apparatus according to claim 1, wherein the first secret key and the second secret key are the same secret key.   The cryptographic processing apparatus according to claim 1, wherein the second secret key is a key generated by a data conversion process based on the first secret key. The key stream generation unit includes a key conversion unit,
2. The encryption according to claim 1, wherein the key conversion unit receives the first secret key, generates a second secret key different from the first secret key, and inputs the second secret key to the linear feedback register (LFSR). Processing equipment. The key conversion unit
The cryptographic processing apparatus according to claim 5, wherein data conversion is performed by applying a one-way hash function. The pseudo-random number generator generates a pseudo-random number in 1-byte units,
The linear feedback register (LFSR) generates an LFSR output in 1-byte units,
The exclusive OR operation unit performs an exclusive OR operation on a 1-byte unit pseudo-random number and a 1-byte unit LFSR output to generate a key stream composed of 1-byte unit encryption key data. Item 4. The cryptographic processing device according to Item 1. The linear feedback register (LFSR) has a characteristic polynomial:
f (x) = X ¹²⁸ (+) X ¹²⁶ (+) X ¹⁰¹ (+) X ⁹⁹ (+) 1
The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing apparatus is configured by the 128th-order primitive polynomial. The linear feedback register (LFSR) has a characteristic polynomial:
f (x) = X ⁶⁴ (+) X ⁶³ (+) X ⁶¹ (+) X ⁶⁰ (+) 1
The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing apparatus has a configuration defined by the 64th order primitive polynomial. The key stream generation unit
A key schedule unit that inputs the first secret key and generates initial data for generating pseudo-random numbers;
Cryptographic processing apparatus according to claim 1 which is configured to have a pseudo-random number generator outputting a pseudorandom number by entering the pseudo-random number generator for the initial data generated by the key scheduling part. A key stream generation unit that generates a key stream that is a data stream composed of decryption key data;
An operation unit that performs an operation process between the decryption key data constituting the key stream and the decryption target data;
The key stream generation unit
A pseudo-random number generator that generates a pseudo-random number based on the first secret key;
A linear feedback register (LFSR) that generates LFSR output data based on a second secret key;
An exclusive OR operation unit that executes an exclusive OR operation process between the pseudo random number generated by the pseudo random number generation unit and the LFSR output data;
The output of the exclusive OR operation unit is output as a key stream ,
The decryption processing device , wherein the key stream is a reproducible pseudo-random number whose value is determined according to an input value to the key stream generation unit . A cryptographic processing method executed in the cryptographic processing device,
A key stream generation step in which a key stream generation unit generates a key stream that is a data stream composed of encryption key data; and
The calculation unit executes a calculation step of performing calculation processing of encryption key data constituting the key stream and encryption processing target data,
The key stream generation step includes:
A pseudo-random number generating unit that generates a pseudo-random number based on the first secret key;
An LFSR output data generation step, wherein a linear feedback register (LFSR) generates LFSR output data based on the second secret key;
The exclusive OR operation unit has an exclusive OR operation step of performing an exclusive OR operation process between the pseudo random number generated by the pseudo random number generation unit and the LFSR output data;
An encryption processing method for outputting an output of the exclusive OR operation unit as a key stream ,
The cryptographic processing method, wherein the key stream is a reproducible pseudo-random number whose value is determined according to an input value to the key stream generation unit . A program for executing cryptographic processing in the cryptographic processing device,
A key stream generation step for causing the key stream generation unit to generate a key stream that is a data stream composed of encryption key data; and
Causing the calculation unit to execute a calculation step of executing calculation processing of the encryption key data constituting the key stream and the encryption processing target data;
In the key stream generation step, the program includes:
A pseudo-random number generation step for causing the pseudo-random number generator to generate a pseudo-random number based on the first secret key;
An LFSR output data generating step for causing a linear feedback register (LFSR) to generate LFSR output data based on the second secret key;
Causing the exclusive OR operation unit to execute an exclusive OR operation step of executing an exclusive OR operation process between the pseudo random number generated by the pseudo random number generation unit and the LFSR output data;
A program for outputting the output of the exclusive OR operation unit as a key stream ,
The key stream is a reproducible pseudo-random number whose value is determined according to an input value to the key stream generation unit .

Images