JP5293612B2 - ENCRYPTION DEVICE, DECRYPTION DEVICE, ENCRYPTION METHOD, DECRYPTION METHOD, AND PROGRAM - Google Patents

Abstract

An encryption device comprises a first super-pseudorandom encryption section (102) which defines a first n bit as an MR block and the remaining n bits as an MR block and which encrypts the ML block to generate an n-bit SL block when 2n-bit plaintext to be encrypted is inputted, a first weak-pseudorandom encryption section (103) for encrypting the sum of the ML block and SL block to generate an n-bit TL block, a second super-pseudorandom encryption section (104) for encrypting the sum of the TL block and MR block to generate an n-bit CR block, a second weak-pseudorandom encryption section (105) for encrypting the sum of the TL block, MR block, and CR block to generate an n-bit TR block, and a cipher text generating section (106) for linking a CL block which are the sum of the SL block and TR block and the CR block to generate 2n-bit cipher text.

Description

  The present invention relates to a common key block encryption system, and relates to an encryption device, a decryption device, an encryption method, a decryption method, and a program for causing a computer to execute the method using a block cipher having a large block size.

  Many approaches for constructing new ciphers using block ciphers and hash functions as components are known.

  For example, in encryption of storage such as a hard disk, in order to facilitate processing of encrypted data in units of sectors, a block cipher with a standard block size (such as 128 bits) is used to support the sector size. Research is being conducted to construct block ciphers with larger block sizes (512 bits, etc.).

  The security required here is the security against the selected ciphertext attack. A block cipher that theoretically has security against selective ciphertext attacks is called strong pseudorandom substitution. In practice, it is assumed that the actual block cipher is a strong pseudo-random replacement. In this research, if a strong pseudo-random replacement of 2n-bit block size can be configured using strong pseudo-random replacement of n-bit blocks (this is called a strong pseudo-random replacement of double block length), this configuration method Since a strong pseudo-random permutation with an arbitrarily large block size can be constructed by repeating the above, the construction method of the double block length is particularly important.

  Moni Naor and Omer Reingold, “On the Construction of Pseudo-Random Permutations: Luby-Rackoff” describes how to construct strong pseudorandom permutations for large block sizes when the block cipher used as a component is a strong pseudorandom permutation. Revisited, Electronic Colloquium on Computational Complexity (ECCC) 4 (5): (1997) ”(hereinafter referred to as Document 1). Hereinafter, the method disclosed in this document is referred to as an NR method.

  The NR method is configured by arranging strong pseudorandom permutations E of n-bit blocks in parallel and sandwiching the top and bottom by permutation using a keyed function called a universal hash function. Therefore, the number of calls of strong pseudorandom permutation E per input block is one.

  However, when the universal hash function is not used, it is necessary to call the strong pseudorandom permutation E of the n-bit block almost twice per block. According to Luby and Rackoff, when a strong pseudo-random permutation of double block length is composed of E, a system is shown in which strong pseudo-random permutation E is called four times as a Feistel cipher round function. This method is called 4-stage random Feistel encryption. This is described, for example, in Document 1 above. Thus, in order to reduce the number of calls of strong pseudo-random replacement E from two per block, it is necessary to introduce a universal hash function.

An algebraic construction method is well known for the universal hash function, and can be constructed by, for example, a product operation on a finite field GF (2 ⁿ ). However, when a modern block cipher implementation is highly optimized, it often happens that it is faster than a finite field product.

  In such a case, the double block length block cipher configuration method based on the NR mode or the like that relies on the universal hash function has no advantage compared to the four-stage random Feistel cipher. Furthermore, since it is necessary to separately implement a product operation of a finite field, there is an influence such as an increase in program size.

  An approach that uses a weak pseudo-random function instead of a universal hash function can be considered for this problem. The weak pseudorandom function is a cryptographic function that guarantees only security against a known plaintext attack (an attack that uses random plaintext), and is generally a weaker function than strong pseudorandom substitution. A weak function is considered to be faster than a potentially strong function, so if a strong pseudo-random replacement is replaced with a weak pseudo-random function, it is considered that it contributes to speeding up.

  For example, the two-stage random Feistel cipher is a WPRF (weak pseudorandom function family), which is about 30% more efficient than the three-stage random Feistel cipher becomes a PRF (pseudorandom function family).

  The method of constructing double block length permutation by combining strong pseudorandom permutation and weak pseudorandom function is described in “Hybrid Symmetric Encryption Using Known-Plaintext Attack-Secure Components, Information Security and Cryptology-ICISC 2005, 8th International Conference, Seoul, Korea, December 1-2, 2005, Revised Selected Papers. Lecture Notes in Computer Science 3935 Springer 2006, pp. 242-260 ”(hereinafter referred to as Reference 2). However, it has the same problem as the NR mode in that a universal hash function is always required.

  Apart from the above research, a block cipher with an additional parameter (called tweak) was developed by Liskov et al., “Tweakable Block Ciphers, Advances in Cryptology-CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August. 18-22, 2002, Proceedings. Lecture Notes in Computer Science 2442 Springer 2002: pp. 31-46 "(hereinafter referred to as Document 3). The purpose of this is to make it possible to obtain independent ciphertexts even with block ciphers using the same key and the same plaintext by changing the additional parameters.

  Document 3 shows a method of converting an arbitrary strong pseudo-random substitution into a strong pseudo-random substitution with an additional parameter. This method is described by Phillip Rogaway, “Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC, Advances in Cryptology-ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5 -9, 2004, Proceedings. Lecture Notes in Computer Science 3329 Springer 2004: pp. 16-31 "(hereinafter referred to as Reference 4).

  A large block size strong pseudo-random replacement with additional parameters is suitable for storage encryption such as disk sector encryption. In the case of disk sector encryption, the sector number is set as an additional parameter, and encryption is performed on a sector-by-sector basis. It can be difficult to obtain.

  When constructing double block length (2n bits) strong pseudo-random permutation using block cipher E which is n-bit strong pseudo-random permutation, efficiency is higher than that of 4-stage random Feistel cipher that uses block cipher E four times Needs to use a universal hash function. However, as described above, using a universal hash function may not always increase the efficiency.

  An example of an object of the present invention is to execute an encryption device, a decryption device, an encryption method, a decryption method, and a method thereof on a computer that can safely and rapidly execute a process related to a double block length block cipher. It is to provide a program for making it happen.

  The encryption device according to one aspect of the present invention encrypts an ML block when a 2n-bit plaintext to be encrypted is input in which the first n bits are an ML block and the remaining n bits are an MR block. a first strong pseudorandom encryption unit that generates an n-bit SL block; a first weak pseudorandom encryption unit that encrypts the sum of the ML block and the SL block to generate an n-bit TL block; A second strong pseudo-random encryption unit that encrypts the sum of the TL block and the MR block to generate an n-bit CR block; and an n-bit TR block that encrypts the sum of the TL block, the MR block, and the CR block A 2n-bit ciphertext is generated by concatenating the second weak pseudo-random encryption unit that generates the data, the CL block that is the sum of the SL block and the TR block, and the CR block. A ciphertext generating unit that is configured to have a.

  On the other hand, the decryption device according to one aspect of the present invention decrypts a CR block when a 2n-bit ciphertext to be decrypted is input, in which the first n bits are CR blocks and the remaining n bits are CL blocks. A first strong pseudorandom decoding unit that generates an n-bit SR block; a first weak pseudorandom encryption unit that encrypts the sum of the CR block and the SR block to generate an n-bit TR block; A second strong pseudo-random decoder that decrypts the sum of the TR block and the CL block to generate an n-bit ML block; and encrypts the sum of the TR block, the CL block, and the ML block to generate an n-bit TL block The second weak pseudo-random encryption unit to be generated, the MR block that is the sum of the SR block and the TL block, and the ML block are concatenated to generate a 2n-bit plaintext. A generation unit is configured to have a.

  An encryption method according to an aspect of the present invention is a 2n-bit plaintext encryption method in which the first n bits are an ML block and the remaining n bits are an MR block, the first strong pseudo-random encryption The encryption block encrypts the ML block to generate an n-bit SL block, and the first weak pseudo-random encryption unit encrypts the sum of the ML block and the SL block to generate an n-bit TL block. The strong pseudo-random encryption unit 2 encrypts the sum of the TL block and the MR block to generate an n-bit CR block, and the second weak pseudo-random encryption unit adds the TL block, the MR block, and the CR block. Is encrypted to generate an n-bit TR block, and a CL block and a CR block, which are the sum of the SL block and the TR block, are concatenated to generate a 2n-bit ciphertext. It is intended to be generated.

  Furthermore, the decryption method according to one aspect of the present invention is a decryption method of 2n-bit ciphertext in which the first n bits are CR blocks and the remaining n bits are CL blocks, and the first strong pseudo-random decryption unit The CR block is decrypted to generate an n-bit SR block, and the first weak pseudorandom encryption unit encrypts the sum of the CR block and the SR block to generate an n-bit TR block. The strong pseudorandom decoding unit decrypts the sum of the TR block and the CL block to generate an n-bit ML block, and the second weak pseudorandom encryption unit encrypts the sum of the TR block, the CL block, and the ML block. The n-bit TL block is generated and the MR block, which is the sum of the SR block and the TL block, and the ML block are connected to generate a 2n-bit plaintext. Than is.

FIG. 1 is a block diagram illustrating a configuration example of the encryption apparatus according to the first embodiment. FIG. 2 is a diagram for explaining the operation of the encryption apparatus according to the first embodiment. FIG. 3 is a flowchart showing an operation procedure of the encryption apparatus according to the first embodiment. FIG. 4 is a block diagram illustrating a configuration example of the encryption apparatus according to the second embodiment. FIG. 5 is a diagram for explaining the operation of the encryption apparatus according to the second embodiment. FIG. 6 is a flowchart showing an operation procedure of the encryption apparatus according to the second embodiment. FIG. 7 is a block diagram illustrating a configuration example of the decoding device according to the third embodiment. FIG. 8 is a diagram for explaining the operation of the decoding apparatus according to the third embodiment. FIG. 9 is a flowchart showing an operation procedure of the decoding apparatus according to the third embodiment. FIG. 10 is a block diagram illustrating a configuration example of the decoding device according to the fourth embodiment. FIG. 11 is a diagram for explaining the operation of the decoding device according to the fourth embodiment. FIG. 12 is a flowchart showing an operation procedure of the decoding apparatus according to the fourth embodiment.

Explanation of symbols

107, 207, 307, 407 Control unit 110, 210 Encryption device 310, 410 Decryption device

An embodiment of the present invention will be described. This embodiment relates to a double block length encryption technique.
(First embodiment)
The configuration of the encryption apparatus according to this embodiment will be described. FIG. 1 is a block diagram showing a configuration example of the encryption apparatus according to the present embodiment.

  As illustrated in FIG. 1, the encryption apparatus 110 according to the present embodiment is an information processing apparatus that includes an input unit 101, a control unit 107, and an output unit 108. The control unit 107 is provided with a CPU (Central Processing Unit) (not shown) for executing processing according to a program and a memory (not shown) for storing the program.

  The control unit 107 includes a first strong pseudo-random encryption unit 102, a first weak pseudo-random encryption unit 103, a second strong pseudo-random encryption unit 104, and a second weak pseudo-random encryption unit. 105 and a ciphertext generation unit 106. When the CPU executes the program, each unit in the control unit 107 is virtually configured in the encryption apparatus.

  The input unit 101 receives plain text to be encrypted. Here, it is assumed that the plaintext to be encrypted includes an ML block and an MR block. The input unit 101 is an interface such as a keyboard, a magnetic reading device, or a communication unit.

  When the first strong pseudo-random encryption unit 102 receives the ML block from the input unit 101, the first strong pseudo-random encryption unit 102 generates an SL block by encrypting with the n-bit block cipher E. If the key of the block cipher E is K and the encryption using K is E [K], the equation SL = E [K] (ML) is established.

  Here, the block cipher E needs to be a strong pseudo-random cipher that is safe against the selected ciphertext attack. This can be realized by using a block cipher such as AES (Advanced Encryption Standard) that has been widely verified for security against selected ciphertext attacks.

The first weak pseudorandom encryption unit 103 encrypts the sum of the ML block and the SL block with the n-bit block cipher F, and generates an n-bit TL block. The sum operation may be a bitwise exclusive OR, or an arbitrary group operation such as an arithmetic sum of mod2 ⁿ . The calculation of the sum is executed by the control unit 107.

  When the key of the block cipher F is L, the equation TL = F [L] (ML + SL) is established. Here, the block cipher F is required to be a weak pseudorandom cipher that is safe against known plaintext attacks. That is, when an attacker obtains a ciphertext (here, a TL block) while randomly giving plaintext (here, the sum of an ML block and an SL block), the TL block is discriminated from a true random number. Satisfy what is difficult.

  The block cipher E used by the first strong pseudorandom encryption unit 102 already satisfies this condition, and the known plaintext attack is a weaker class attack than the selected ciphertext attack. Therefore, even if simplification such as omission of a part of the block cipher E is performed, it can be considered that in reality it has high security against known plaintext attacks. Therefore, the block cipher F can be obtained as a part of the block cipher E.

  Since the block cipher F does not need to be replaced, the block cipher F may be a function having, for example, an initial vector of a stream cipher with an initial vector as an input.

The second strong pseudo-random encryption unit 104 encrypts the sum of the TL block and the MR block with the n-bit block cipher E ′ to generate an n-bit CR block. If the key of the block cipher E ′ is K ′, the equation CR = E ′ [K ′] (TL + MR) is established. The sum operation may be a bitwise exclusive OR, or an arbitrary group operation such as an arithmetic sum of mod2 ⁿ .

  The block cipher E ′ needs to be a strong pseudo-random cipher, and may use the same algorithm as the block cipher E used by the first strong pseudo-random encryption unit 102. In that case, the key K ′ of the block cipher E ′ may be the same as or different from the key K used by the block cipher E.

The second weak pseudo-random encryption unit 105 encrypts the sum of the TL block, the MR block, and the CR block with the n-bit block cipher F ′, and generates an n-bit TR block. The sum operation may be a bitwise exclusive OR, or an arbitrary group operation such as an arithmetic sum of mod2 ⁿ .

  If the key used by the block cipher F ′ is L ′, the equation TR = F ′ [L ′] (TL + MR + CR) holds. The block cipher F ′ is required to be a weak pseudorandom cipher. The block cipher F ′ may be the same algorithm as the n-bit block cipher F used by the first weak pseudorandom encryption unit 103. The key L ′ of the block cipher F ′ may be the same as or different from the key L of the block cipher F.

  The ciphertext generation unit 106 generates a ciphertext by connecting the CR block to the CL block that is the sum of the TR block and the SL block. The generated ciphertext is output via the output unit 108. The output unit 108 is an output device such as a display device or a printer.

  Next, the operation procedure of the encryption apparatus according to this embodiment will be described.

  FIG. 2 is a diagram for explaining the operation of the encryption apparatus according to the present embodiment. FIG. 3 is a flowchart showing the operation procedure of the encryption apparatus of this embodiment. The sum calculation shown in FIG. 2 is executed in the control unit 107.

  When plain text including the ML block and the MR block is input via the input unit 101 (step 1001), the first strong pseudo-random encryption unit 102 encrypts the ML block to generate an SL block (step 1002). . Subsequently, the first weak pseudo-random encryption unit 103 encrypts the sum of the ML block and the SL block to generate a TL block (step 1003).

  The second strong pseudo-random encryption unit 104 encrypts the sum of the TL block and the MR block to generate a CR block (step 1004). The second weak pseudorandom encryption unit 105 encrypts the sum of the TL block, MR block, and CR block to generate a TR block (step 1005). Further, the ciphertext generation unit 106 generates a ciphertext by connecting the CL block, which is the sum of the SL block and the TR block, to the CR block, and outputs the ciphertext to the output unit 108 (step 1006).

  In the present embodiment, the security is ensured only for the n-bit block cipher E that is safe against the selected ciphertext attack and the known plaintext attack that is a weaker attack, and instead, the n-bit block cipher F that is faster than the block cipher E Are combined. The combination is such that the sum of the input and output of the block cipher E is always the input of the block cipher F, and the resulting 2n-bit input n-bit output processing (input (x1, x2), output (E (x1), x2 + F (x1 + E (x1)))) is performed twice with the message left and right interchanged.

  As described above, the n-bit block strong pseudo-random cipher is called twice, and the n-bit block weak pseudo-random cipher is called twice to construct the double block-length strong pseudo-random cipher, Random replacement can be done efficiently without universal hash function.

  As described in the background art, there are four-stage random Feistel ciphers and NR modes for double block length encryption techniques. However, the four-stage random Feistel cipher needs to call the round function E four times. On the other hand, in this embodiment, since the level of security required for the block cipher F is lower than that for the block cipher E, a four-stage random Feistel cipher is constructed with the block cipher E as a result. Can be expected to be faster.

  In the NR mode, the block cipher E may be used twice, but an n-bit input / output universal hash function needs to be called twice. Both the universal hash function and the weak pseudorandom cipher are strictly weaker functions than the strong pseudorandom cipher, and there is no mutual relationship. In other words, there are examples in which a universal hash function is not a weak pseudorandom cipher, and vice versa. Therefore, whether the universal hash function or the weak pseudorandom cipher is suitable for practical use depends on the premise of the implementation platform and what kind of cryptographic algorithm implementation can be used.

  For example, a universal hash function is known to have an algebraic construction method such as a product over a finite field, but it is known that a simple implementation may be slower than a highly optimized block cipher. . Also, when using an algebraic configuration method, since there is generally no common part with block ciphers, implementation costs such as program size increase. On the other hand, the weak pseudo-random cipher may be obtained by shortening the strong pseudo-random cipher or the like, and in some cases, the implementation can be implemented while suppressing an increase in the program size as compared with the case where the universal hash function is used.

(Second Embodiment)
The configuration of the encryption apparatus according to this embodiment will be described.

  FIG. 4 is a block diagram showing a configuration example of the encryption apparatus according to the present embodiment. In addition, about the structure similar to 1st Embodiment, the same code | symbol is attached | subjected and the detailed description is abbreviate | omitted.

  As illustrated in FIG. 4, the encryption apparatus 210 according to the present embodiment is an information processing apparatus that includes an input unit 101, a control unit 207, and an output unit 108. The control unit 207 is provided with a CPU (Central Processing Unit) (not shown) for executing processing according to a program and a memory (not shown) for storing the program.

  The control unit 207 includes an encryption unit 202 with a first strong pseudorandom additional parameter, a first weak pseudorandom encryption unit 103, an encryption unit 204 with a second strong pseudorandom additional parameter, a second A weak pseudorandom encryption unit 105 and a ciphertext generation unit 106 are included. When the CPU executes the program, each unit in the control unit 207 is virtually configured in the encryption apparatus.

  The plaintext to be encrypted is a plaintext including an ML block and an MR block, as in the first embodiment. The plain text and the additional parameter TW are input via the input unit 101.

  Upon receiving the ML block and the additional parameter TW from the input unit 101, the first strong pseudo-random additional parameter-attached encryption unit 202 encrypts the ML block using the additional parameter TW and the encryption Q with the additional parameter of the n-bit block. To generate an SL block. If the key of the encryption parameter-added encryption Q is K, and encryption using the additional parameter TW and the key K is represented by E [K, TW], the equation SL = Q [K, TW] (ML) is established.

  The cipher with additional parameter Q needs to be a strong pseudo-random additional parameter-encrypted cipher that is safe against a selected ciphertext attack. This can be realized by converting a block cipher such as AES, which has been widely verified to be safe against a selected ciphertext attack, into a cipher with an additional parameter using the XEX mode disclosed in Document 4.

The second strong pseudo-random additional parameter-attached encryption unit 204 encrypts the sum of the TL block and the MR block using the additional parameter TW using the encryption Q ′ with the additional parameter of the n-bit block, and the n-bit CR block Is generated. If the key is K ′, the equation CR = Q ′ [K ′, TW] (TL + MR) holds. The sum operation may be a bitwise exclusive OR, or an arbitrary group operation such as an arithmetic sum of mod2 ⁿ . The calculation of the sum is executed by the control unit 207.

  The cipher Q ′ with additional parameter needs to be a cipher with strong pseudo-random additional parameter, and the same algorithm as the cipher Q with additional parameter used by the first strong pseudo-random additional parameter encryption unit 202 may be used. . In this case, the key K ′ of the encryption Q ′ with additional parameter may be the same as or different from the key K used by the encryption Q with additional parameter.

  Next, the operation procedure of the encryption apparatus according to this embodiment will be described.

  FIG. 5 is a diagram for explaining the operation of the encryption apparatus according to this embodiment. FIG. 6 is a flowchart showing the operation procedure of the encryption apparatus of this embodiment. The sum calculation shown in FIG. 5 is executed in the control unit 207.

  When the plaintext including the ML block and the MR block and the additional parameter TW are input via the input unit 101 (step 1011), the first strong pseudo-random additional parameter-containing encryption unit 202 uses the additional parameter TW to perform ML. The block is encrypted to generate an SL block (step 1012). Subsequently, the first weak pseudo-random encryption unit 103 encrypts the sum of the ML block and the SL block to generate a TL block (step 1013).

  The second strong pseudo-random additional parameter-attached encryption unit 204 encrypts the sum of the TL block and the MR block using the additional parameter TW to generate a CR block (step 1014). The second weak pseudo-random encryption unit 105 encrypts the sum of the TL block, MR block, and CR block to generate a TR block (step 1015). Further, the ciphertext generation unit 106 generates a ciphertext by connecting the CL block, which is the sum of the SL block and the TR block, to the CR block, and outputs the ciphertext to the output unit 108 (step 1016).

  According to the present embodiment, the same effect as that of the first embodiment can be obtained even when there is an additional parameter in the plaintext having a double block length.

  Note that, in each of the first and second embodiments, the first and second strong pseudorandom encryption units use the block cipher E by repetition of a round function, and the first and second weak pseudorandom encryption units. Alternatively, the block cipher E ′ obtained by reducing the number of repetitions of the round function of the block cipher E may be used. In this case, safety is improved by repeating the round function. In addition, since the two strong pseudo-random encryption units use the common block cipher E and the two weak pseudo-random encryption units use the common block cipher E ′, the size of the program executed by the CPU can be reduced.

(Third embodiment)
The configuration of the decoding device of this embodiment will be described. FIG. 7 is a block diagram illustrating a configuration example of the decoding apparatus according to the present embodiment.

  As illustrated in FIG. 7, the decoding device 310 according to the present embodiment is an information processing device including an input unit 301, a control unit 307, and an output unit 308. The control unit 307 is provided with a CPU (Central Processing Unit) (not shown) for executing processing according to a program and a memory (not shown) for storing the program.

  The control unit 307 includes a first strong pseudorandom decryption unit 302, a first weak pseudorandom encryption unit 303, a second strong pseudorandom decryption unit 304, and a second weak pseudorandom encryption unit 305. And a plaintext generation unit 306. When the CPU executes the program, each unit in the control unit 307 is virtually configured in the encryption apparatus.

  The input unit 301 receives a ciphertext to be decrypted. Here, it is assumed that the ciphertext to be decrypted includes a CR block and a CL block. The input unit 301 is an interface such as a keyboard, a magnetic reading device, or a communication unit.

  The first strong pseudorandom decoding unit 302 generates an SR block by decoding the CR block received from the input unit 301 with the n-bit block cipher E. If the key of the block cipher E is K and the decryption using the key K is represented by Einv [K], the equation SR = Einv [K] (CR) holds.

  Here, the block cipher E needs to be a strong pseudo-random cipher that is safe against the selected ciphertext attack. This can be realized by using a block cipher that has been widely verified for security against a selected ciphertext attack such as AES.

The first weak pseudo-random encryption unit 303 encrypts the sum of the CR block and the SR block with the n-bit block cipher F to generate an n-bit TR block. The sum operation may be a bitwise exclusive OR, or an arbitrary group operation such as an arithmetic sum of mod2 ⁿ . The calculation of the sum is executed by the control unit 307.

  Since the block cipher F does not need to be replaced, the block cipher F may be a function having, for example, an initial vector of a stream cipher with an initial vector as an input.

  When the key of the block cipher F is L, the equation TL = F [L] (ML + SL) is established. Here, the block cipher F is required to be a weak pseudorandom cipher that is safe against known plaintext attacks. The block cipher E used by the first strong pseudorandom decryption unit 302 already satisfies this condition, and the known plaintext attack is a weaker class attack than the selected ciphertext attack. Therefore, even if simplification such as omission of a part of the block cipher E is performed, it can be considered that in reality it has high security against known plaintext attacks. Therefore, the block cipher F can be obtained as a part of the block cipher E.

The second strong pseudo-random decoding unit 304 decodes the sum of the TR block and the CL block using the n-bit block cipher E ′ to generate an n-bit ML block. If E′inv is an inverse function of E ′ and the key is K ′, the equation CR = E′inv [K ′] (TL + MR) holds. The sum operation may be a bitwise exclusive OR, or an arbitrary group operation such as an arithmetic sum of mod2 ⁿ .

  The block cipher E ′ needs to be a strong pseudorandom cipher, and the same algorithm as the block cipher E used by the first strong pseudorandom decryption unit 302 may be used. In that case, the key K ′ of the block cipher E ′ may be the same as or different from the key K used by the block cipher E.

The second weak pseudo-random encryption unit 305 encrypts the sum of the TR block, the CL block, and the ML block with the n-bit block cipher F ′, and generates an n-bit TL block. The sum operation may be a bitwise exclusive OR, or an arbitrary group operation such as an arithmetic sum of mod2 ⁿ .

  If the key used by the block cipher F ′ is L ′, the equation TR = F ′ [L ′] (TL + MR + CR) holds. The block cipher F ′ is required to be a weak pseudorandom cipher. The block cipher F ′ may be the same algorithm as the n-bit block cipher F used by the first weak pseudorandom encryption unit 303. The key L ′ of the block cipher F ′ may be the same as or different from the key L of the block cipher F.

  The plaintext generation unit 306 generates plaintext by connecting the ML block to the MR block that is the sum of the TL block and the SR block. The generated plaintext is output via the output unit 308. The output unit 308 is an output device such as a display device or a printer.

  Next, the operation procedure of the decoding device of this embodiment will be described.

  FIG. 8 is a diagram for explaining the operation of the decoding apparatus of this embodiment. FIG. 9 is a flowchart showing the operation procedure of the decoding apparatus of this embodiment. The sum calculation shown in FIG. 8 is executed in the control unit 307.

  When the ciphertext including the CR block and the CL block is input via the input unit 301 (step 1021), the first strong pseudo-random decoding unit 302 decrypts the CR block and generates an SR block (step 1022). . Subsequently, the first weak pseudo-random encryption unit 303 encrypts the sum of the CR block and the SR block to generate a TR block (step 1023).

  The second strong pseudorandom decoding unit 304 decodes the sum of the TR block and the CL block to generate an ML block (step 1024). The second weak pseudorandom encryption unit 305 encrypts the sum of the TR block, CL block, and ML block to generate a TL block (step 1025). Further, the plaintext generation unit 306 generates a plaintext by connecting the MR block, which is the sum of the SR block and the TL block, to the ML block, and outputs the plaintext to the output unit 308 (step 1026).

  According to the present embodiment, even when a process opposite to the process described in the first embodiment is performed, the same effect as in the first embodiment can be obtained.

(Fourth embodiment)
The configuration of the decoding device of this embodiment will be described.

  FIG. 10 is a block diagram illustrating a configuration example of the decoding apparatus according to the present embodiment. In addition, about the structure similar to 3rd Embodiment, the same code | symbol is attached | subjected and the detailed description is abbreviate | omitted.

  As illustrated in FIG. 10, the decoding device 410 according to the present embodiment is an information processing device including an input unit 301, a control unit 407, and an output unit 308. The control unit 407 is provided with a CPU (Central Processing Unit) (not shown) for executing processing according to a program and a memory (not shown) for storing the program.

  The control unit 407 includes a first strong pseudo-random additional parameter-added decrypting unit 402, a first weak pseudo-random encrypted unit 303, a second strong pseudo-random additional parameter-added decrypting unit 404, and a second weak pseudo-random parameter. A random encryption unit 305 and a plaintext generation unit 306 are included. When the CPU executes the program, each unit in the control unit 407 is virtually configured in the encryption apparatus.

  The ciphertext to be decrypted is a ciphertext including a CR block and a CL block, as in the third embodiment. The ciphertext and the additional parameter TW are input via the input unit 301.

  Upon receiving the CR block and the additional parameter TW from the input unit 301, the first strong pseudorandom additional parameter-added decrypting unit 402 decrypts the CR block using the additional parameter TW and the encryption Q with the additional parameter of the n-bit block. An SR block is generated. When Qinv is an inverse function of Q, the key of the encryption Q with additional parameter is K, and decryption using the additional parameter TW and the key K is expressed by Qinv [K, TW], SR = Qinv [K, TW] (CR ) Holds.

  The cipher with additional parameter Q needs to be a strong pseudo-random additional parameter-encrypted cipher that is safe against a selected ciphertext attack. This can be realized by converting a block cipher such as AES, which has been widely verified to be safe against a selected ciphertext attack, into a cipher with an additional parameter using the XEX mode disclosed in Document 4.

The second strong pseudo-random additional parameter decryption unit 404 decrypts the sum of the TR block and the CL block with the additional parameter TW using the encryption Q ′ with the additional parameter of the n-bit block, and converts the n-bit ML block into the n-bit ML block. Generate. If the key is K ′, the equation CR = Q′inv [K ′, TW] (TL + MR) holds. The sum operation may be a bitwise exclusive OR, or an arbitrary group operation such as an arithmetic sum of mod2 ⁿ . The calculation of the sum is executed by the control unit 407.

  The cipher with additional parameter Q ′ needs to be a cipher with strong pseudo-random additional parameter, and the same algorithm as the cipher with additional parameter Q used by the first strong pseudo-random additional parameter-decrypting unit 402 may be used. In this case, the key K ′ of the encryption Q ′ with additional parameter may be the same as or different from the key K used by the encryption Q with additional parameter.

  Next, the operation procedure of the decoding device of this embodiment will be described.

  FIG. 11 is a diagram for explaining the operation of the decoding apparatus of this embodiment. FIG. 12 is a flowchart showing the operation procedure of the decoding apparatus of this embodiment. The sum calculation shown in FIG. 11 is executed in the control unit 407.

  When the ciphertext including the CR block and the CL block and the additional parameter TW are input via the input unit 301 (step 1031), the first strong pseudo-random additional parameter decryption unit 402 uses the additional parameter TW to perform CR The block is decoded to generate an SR block (step 1032). Subsequently, the first weak pseudo-random encryption unit 303 encrypts the sum of the CR block and the SR block to generate a TR block (step 1033).

  The second strong pseudo-random additional parameter-added decoding unit 404 generates the ML block by decoding the sum of the TR block and the CL block using the additional parameter TW (step 1034). The second weak pseudorandom encryption unit 305 encrypts the sum of the TR block, CL block, and ML block to generate a TL block (step 1035). Further, the plaintext generation unit 306 generates a plaintext by connecting the MR block, which is the sum of the SR block and the TL block, to the ML block, and outputs the plaintext to the output unit 308 (step 1036).

  According to the present embodiment, the same effect as that of the third embodiment can be obtained even when the double block length ciphertext has an additional parameter.

  In each of the third and fourth embodiments, the first and second strong pseudorandom decoding units use a block cipher E based on repetition of a round function, and the first and second weak pseudorandom encryption units use A block cipher E ′ obtained by reducing the number of repetitions of the round function of the block cipher E may be used. In this case, the size of the program to be executed by the CPU can be reduced by using the common block cipher E for the two strong pseudo-random decryption units and the common block cipher E ′ for the two weak pseudo-random encryption units.

  As an example of the effect of the present invention, a strong pseudo-random replacement with a double block length can be efficiently performed without using a universal hash function.

  An application example of the present invention will be described.

  The present invention can be applied to a system that performs encrypted communication between two parties. When a telephone or a message is exchanged between two parties via a network such as the Internet, an information terminal that can execute the encryption method and the decryption method of the present invention is provided. One information terminal encrypts data before transmitting data. The other information terminal decodes the received data. In this way, if data is exchanged between the two parties, information leakage can be prevented.

  The present invention can also be applied to a content distribution system. With the development of communication technology, the communication speed is increasing year by year. For this reason, it has become possible to exchange large-capacity information such as movies and music with personal information terminals via a network. However, there is a problem that copyrighted works such as movies and music are easily copied illegally. This problem can be prevented by applying the present invention to a system for safely distributing contents such as movies and music. The encryption device of the present invention is provided in a server that provides content such as movies and music, and the decryption device of the present invention is provided in each client information terminal that receives the content. When the server encrypts the content using the encryption device and distributes the content to the information terminal of each client, the information terminal on each client side decrypts the encrypted content using the decryption device. In this way, only those who have the right to receive content can be prevented from leaking and can be provided with high-speed processing.

  Furthermore, the present invention can be applied to a system for safely operating data on a computer server as follows. Data to be concealed is encrypted by the encryption method of the present invention and stored in the server. The decryption device of the present invention is provided in advance only in an information terminal of a person who is permitted to browse data to be kept secret. The person who is permitted to browse can operate the information terminal to execute the decryption method of the present invention on the data received from the server and view the target data if the data to be kept secret is necessary. Become. Those who are not allowed to browse cannot display the encrypted data on their information terminals. In this way, it is possible to provide confidential information more safely and at high speed only to those who are permitted to browse.

  While the present invention has been described with reference to the embodiments and examples, the present invention is not limited to the above embodiments and examples. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

  This application incorporates all the contents of Japanese Patent Application No. 2007-334443 filed on December 26, 2007, and claims priority based on this Japanese application.

Claims (16)

When a 2n-bit plaintext to be encrypted is input, with the first n bits being an ML block and the remaining n bits being an MR block, the ML block is encrypted to generate an n-bit SL block. Strong pseudo-random encryption part of
A first weak pseudorandom encryption unit that encrypts a sum of the ML block and the SL block to generate an n-bit TL block;
A second strong pseudorandom encryption unit that encrypts the sum of the TL block and the MR block to generate an n-bit CR block;
A second weak pseudorandom encryption unit that encrypts a sum of the TL block, the MR block, and the CR block to generate an n-bit TR block;
A ciphertext generation unit that generates a 2n-bit ciphertext by concatenating the CL block, which is the sum of the SL block and the TR block, and the CR block;
An encryption device. When an additional parameter is input together with the plaintext,
The first strong pseudo-random encryption unit encrypts the ML block using the additional parameter to generate the n-bit SL block,
The second strong pseudo-random encryption unit encrypts the sum of the TL block and the MR block using the additional parameter to generate the CR block of n bits. Encryption device. The first and second strong pseudo-random encryption units encrypt using a first block cipher by repetition of a round function;
The first and second weak pseudo-random encryption units perform encryption using a second block cipher obtained by reducing the number of repetitions of the round function of the first block cipher. Or the encryption apparatus of Claim 2. The first and second strong pseudo-random encryption units encrypt using a block cipher;
The encryption apparatus according to claim 1 or 2, wherein the first and second weak pseudorandom encryption units perform encryption using a stream cipher with an initial vector. When a 2n-bit ciphertext to be decrypted is input, with the first n bits as a CR block and the remaining n bits as a CL block, the CR block is decrypted to generate an n-bit SR block. A strong pseudo-random decoding unit of
A first weak pseudorandom encryption unit that encrypts a sum of the CR block and the SR block to generate an n-bit TR block;
A second strong pseudorandom decoding unit that decodes a sum of the TR block and the CL block to generate an n-bit ML block;
A second weak pseudorandom encryption unit that encrypts a sum of the TR block, the CL block, and the ML block to generate an n-bit TL block;
A plaintext generator that generates a 2n-bit plaintext by concatenating the MR block, which is the sum of the SR block and the TL block, and the ML block;
A decoding device. When an additional parameter is input together with the ciphertext,
The first strong pseudo-random decoding unit generates the n-bit SR block by decoding the CR block using the additional parameter,
The decoding according to claim 5, wherein the second strong pseudo-random decoding unit decodes a sum of the TR block and the CL block using the additional parameter to generate the n-bit ML block. apparatus. The first and second strong pseudo-random decryption units decrypt using a first block cipher by repetition of a round function;
The first and second weak pseudo-random encryption units perform encryption using a second block cipher obtained by reducing the number of repetitions of the round function of the first block cipher. Or the decoding apparatus of Claim 6. The first and second strong pseudorandom decryption units decrypt using a block cipher;
The decryption device according to claim 5 or 6, wherein the first and second weak pseudo-random encryption units perform encryption using a stream cipher with an initial vector. A 2n-bit plaintext encryption method in which the first n bits are ML blocks and the remaining n bits are MR blocks,
The ML block is encrypted by a first strong pseudo-random encryption unit to generate an n-bit SL block,
A first weak pseudorandom encryption unit encrypts the sum of the ML block and the SL block to generate an n-bit TL block;
A second strong pseudo-random encryption unit encrypts the sum of the TL block and the MR block to generate an n-bit CR block;
A second weak pseudo-random encryption unit encrypts the sum of the TL block, the MR block, and the CR block to generate an n-bit TR block;
An encryption method for generating a 2n-bit ciphertext by concatenating a CL block, which is the sum of the SL block and the TR block, and the CR block. If the plaintext is accompanied by additional parameters,
In the first strong pseudo-random encryption unit, the ML block is encrypted using the additional parameter to generate the n-bit SL block,
The second strong pseudo-random encryption unit encrypts the sum of the TL block and the MR block using the additional parameter to generate the CR block of n bits. Encryption method. A method of decrypting 2n-bit ciphertext in which the first n bits are CR blocks and the remaining n bits are CL blocks,
The first strong pseudorandom decoding unit decodes the CR block to generate an n-bit SR block;
A first weak pseudo-random encryption unit encrypts the sum of the CR block and the SR block to generate an n-bit TR block;
A second strong pseudorandom decoding unit decodes the sum of the TR block and the CL block to generate an n-bit ML block,
A second weak pseudorandom encryption unit encrypts the sum of the TR block, the CL block, and the ML block to generate an n-bit TL block;
A decoding method, wherein an MR block, which is a sum of the SR block and the TL block, and the ML block are connected to generate a 2n-bit plaintext. When the ciphertext is accompanied by an additional parameter,
In the first strong pseudo-random decoding unit, the CR block is decoded using the additional parameter to generate the SR block of n bits,
The decoding according to claim 11, wherein the second strong pseudo-random decoding unit generates the n-bit ML block by decoding the sum of the TR block and the CL block using the additional parameter. Method. A program for causing a computer to execute encryption of 2n-bit plaintext in which the first n bits are ML blocks and the remaining n bits are MR blocks,
The ML block is encrypted by a first strong pseudo-random encryption unit to generate an n-bit SL block,
A first weak pseudorandom encryption unit encrypts the sum of the ML block and the SL block to generate an n-bit TL block;
A second strong pseudo-random encryption unit encrypts the sum of the TL block and the MR block to generate an n-bit CR block;
A second weak pseudo-random encryption unit encrypts the sum of the TL block, the MR block, and the CR block to generate an n-bit TR block;
A program for causing the computer to execute a process of generating a 2n-bit ciphertext by concatenating a CL block, which is the sum of the SL block and the TR block, and the CR block. If the plaintext is accompanied by additional parameters,
In the first strong pseudo-random encryption unit, the ML block is encrypted using the additional parameter to generate the n-bit SL block,
The second strong pseudorandom encryption unit further includes a process of generating the n-bit CR block by encrypting the sum of the TL block and the MR block using the additional parameter. Program described in the section. A program for causing a computer to execute decryption of 2n-bit ciphertext in which the first n bits are CR blocks and the remaining n bits are CL blocks,
The first strong pseudorandom decoding unit decodes the CR block to generate an n-bit SR block;
A first weak pseudo-random encryption unit encrypts the sum of the CR block and the SR block to generate an n-bit TR block;
A second strong pseudorandom decoding unit decodes the sum of the TR block and the CL block to generate an n-bit ML block,
A second weak pseudorandom encryption unit encrypts the sum of the TR block, the CL block, and the ML block to generate an n-bit TL block;
A program for causing the computer to execute a process of generating a 2n-bit plaintext by connecting the MR block, which is the sum of the SR block and the TL block, and the ML block. When the ciphertext is accompanied by an additional parameter,
In the first strong pseudo-random decoding unit, the CR block is decoded using the additional parameter to generate the SR block of n bits,
The second strong pseudorandom decoding unit further includes a process of generating an n-bit ML block by decoding the sum of the TR block and the CL block using the additional parameter. The listed program.

Images