Block cipher using key data merged with an intermediate block generated from a previous block

Abstract

A cryptographic processing apparatus for performing cryptographic processing using input data to generate output data is provided. The cryptographic processing apparatus includes a storage unit for storing chain data which is used for reflecting present cryptographic processing on next cryptographic processing, and for renewing the chain data each time cryptographic processing is performed, a merging unit for merging the chain data stored in the storage unit with the input data to generate merged data, and a main cryptographic processing unit for performing main cryptographic processing using the merged data to generate output data and for outputting intermediate data generated during a generation of the output data, wherein the storage unit renews the chain data by storing the intermediate data outputted by the main cryptographic processing unit as the new chain data, which is used for the next cryptographic processing.

Claims

What is claimed is:

1. An encryption apparatus for performing encryption processing using input data that includes key data and target data which is to be encrypted, to generate output data, comprising:

storage means for storing chain data which is based on preceding encryption processing and is used to influence present encryption processing, and renewing the chain data each time encryption processing is performed;

conversion means for performing a predetermined conversion on the chain data stored in the storage means, to generate converted data;

merging means for merging the converted data with the key data included in the input data, to generate merged key data;

subkey generation means for generating a plurality of subkeys from the merged key data; and

main encryption processing specified by the plurality of subkeys on the target data included in the input data, wherein the main encryption means

(a) provides intermediate data generated at a stage where the target data has undergone encryption specified by at least one of the plurality of subkeys during the main encryption processing, and

(b) provides output data generated when the intermediate data has undergone encryption specified by the rest of the plurality of subkeys and the main encryption processing has completed,

wherein the storage means renews the chain data by storing the intermediate data as new chain data,

main encryption means for performing main encryption processing on the target data included in the input data, the main encryption processing being made up of a plurality of stages which are each specified by a different one of the plurality of subkeys, wherein the main encryption means

(a) performs encryption on the target data by at least one of the plurality of stages, to generate intermediate data, and

(b) performs encryption on the intermediate data by the rest of the plurality of stages, to generate output data,

wherein the storage means renews the chain data by storing, as new chain data, the intermediate data which is generated by the least one of the plurality of stages, the new chain data being used for the next encryption processing.

2. The encryption apparatus of claim 1,

wherein the predetermined conversion performed by the conversion means is one of a bit transposition and a bit conversion.

3. The encryption apparatus of claim 1,

wherein the main encryption means performs a plurality of partial processes respectively in a plurality of stages,

wherein data obtained in each stage except a last stage is subjected to a partial process of a next state,

wherein data obtained in the last stage is the output data, and data obtained in each stage except the last stage is intermediate data,

wherein the storage means stores intermediate data which is obtained in one of the plurality of stages except the last stage and outputted by the main encryption means, as the new chain data,

wherein the subkey generation means generates a subkey for use in a partial process of a separate one of the plurality of stages in the main encryption means, and supplies the generated plurality of subkeys to the main encryption means, and

wherein the main encryption means generates the output data from the target data by performing the plurality of partial processes, which are specified by the respective plurality of subkeys, in the plurality of stages.

4. A decryption apparatus for performing decryption processing using input data that includes key data and target data which is to be decrypted, to generate output data, comprising:

storage means for storing chain data which is based on preceding decryption processing and is used to influence present decryption processing, and renewing the chain data each time decryption processing is performed;

conversion means for performing a predetermined conversion on the chain data stored in the storage means, to generate converted data;

merging means for merging the converted data with the key data included in the input data, to generate merged key data;

subkey generation means for generating a plurality of subkeys from the merged key data; and

main decryption means for performing main decryption processing on the target data included in the input data, the main decryption processing being made up of a plurality of stages which are each specified by a different one of the plurality of subkeys, wherein the main decryption means

(a) performs decryption on the target data by at least one of the plurality of stages, to generate intermediate data, and

(b) performs decryption on the intermediate data by the rest of the plurality of stages, to generate output data, wherein the storage means renews the chain data by storing, as new chain data, the intermediate data which is generated by the at least one of the plurality of stages, the new chain data being used for the next decryption processing.

5. The decryption apparatus of claim 4,

wherein the predetermined conversion performed by the conversion means is one of a bit transposition and a bit conversion.

6. The decryption apparatus of claim 4,

wherein the main decryption means performs a plurality of partial processes respectively in a plurality of stages,

wherein data obtained in each stage except a last stage is subjected to a partial process of a next stage,

wherein data obtained in the last stage is the output data, and data obtained in each stage except the last stage is intermediate data,

wherein the storage means stores intermediate data which is obtained in one of the plurality of stages except the last stage and outputted by the main decryption means, as the new chain data,

wherein the subkey generation means generates a subkey for use in a partial process of a separate one of the plurality of stages in the main decryption means, and supplies the generated plurality of subkeys to the main decryption means, and

wherein the main decryption means generates the output data from the target data by performing the plurality of partial processes, which are specified by the respective plurality of subkeys, in the plurality of stages.

7. An encryption method for performing encryption processing using input data that includes key data and target data which is to be encrypted, to generate output data, where chain data which is based on preceding encryption processing and is used to influence present encryption processing is stored in storage means, the encryption method comprising:

a conversion step for performing a predetermined conversion on the chain data stored in the storage means, to generate converted data;

a merging step for merging the converted data with the key data included in the input data, to generate merged key data;

a subkey generation step for generating a plurality of subkeys from the merged key data;

a main encryption step for performing main encryption processing on the target data included in the input data, the main encryption processing being made up of a plurality of stages which are each specified by a different one of the plurality of subkeys, wherein the main encryption step

(a) performs encryption on the target data by at least one of the plurality of stages, to generate intermediate data,

(b) performs encryption on the intermediate data by the rest of the plurality of stages, to generate output data, and

(c) renews the chain data by storing in the storage means, as new chain data, the intermediate data which is generated by the at least one of the plurality of states, the new chain data being used for the next encryption processing.

8. The encryption method of claim 7 wherein the renewal step stores as new chain data one of the outputted intermediate data generated during the encryption processing.

9. The encryption method of claim 7 wherein the renewal state stores as new chain data the target which is to be encrypted.

10. The encryption method of claim 7 wherein the renewal step stores as new chain data the converted data.

11. The encryption method of claim 7 wherein the renewal step stores as new chain data the output data.

12. A decryption method for performing decryption processing using input data that includes key data and target data which is based on preceding decryption processing and is used to influence present decryption processing is stored in storage means, the decryption method comprising:

a conversion step for performing a predetermined conversion on the chain data stored in the storage means, to generate converted data;

a merging step for merging the converted data with the key data included in the input data, to generate merged key data;

a subkey generation step for generating a plurality of subkeys from the merged key data;

a main decryption step for performing main decryption processing on the target data included in the input data, the main decryption processing being made up of a plurality of stages which are each specified by a different one of the plurality of subkeys, wherein the main decryption step

(a) performs decryption on the target data by at least one of the plurality of stages, to generate intermediate data,

(b) performs decryption on the intermediate data by the rest of the plurality of stages, to generate output data, and

(c) renews the chain data by storing in the storage means, as new chain data, the intermediate data which is generated by the at least one of the plurality of stages, the new chain data being used for the next decryption processing.

13. A computer-readable storage medium storing an encryption program for performing encryption processing using input data that includes key data and target data which is to be encrypted, to generate output data, where chain data which is based on preceding encryption processing and is used to influence present encryption processing is stored in storage means, the encryption program comprising:

a conversion step for performing a predetermined conversion on the chain data stored in the storage means, to generate converted data;

a merging step for merging the converted data with the key data included in the input data, to generate merged key data;

a subkey generation step for generating a plurality of subkeys from the merged key data;

a main encryption step for performing main encryption processing on the target data included in the input data, the main encryption processing being made up of a plurality of stages which are each specified by a different one of the plurality of subkeys, wherein the main encryption step

(a) performs encryption on the target data by at least one of the plurality of stages, to generate intermediate data,

(b) performs encryption on the intermediate data by the rest of the plurality of stages, to generate output data, and

(c) renews the chain data by storing in the storage means, as new chain data, the intermediate data which is generated by the at least one of the plurality of stages, the new chain data being used for the next encryption processing.

14. A computer-readable storage medium storing a decryption program for performing decryption processing using input data that includes key data and target data which is to be decrypted, to generate output data, where chain data which is based on preceding decryption processing and is used to influence present decryption processing is stored in storage means, the decryption program comprising:

a conversion step for performing a predetermined conversion on the chain data stored in the storage means, to generate converted data;

a merging step for merging the converted data with the key data included in the input data, to generate merged key data;

a subkey generation step for generating a plurality of subkeys from the merged key data;

a main decryption step for performing main decryption processing on the target data included in the input data, the main decryption processing being made up of a plurality of stages which are each specified by a different one of the plurality of subkeys, wherein the main decryption step

(a) performs decryption on the target data by at least one of the plurality of stages, to generate intermediate data,

(b) performs decryption on the intermediate data by the rest of the plurality of stages, to generate output data, and

(c) renews the chain data by storing in the storage means, as new chain data, the intermediate data which is generated by the at least one of the plurality of stages, the new chain data being used for the next decryption processing.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a cryptographic processing apparatus, a cryptographic processing method, and a storage medium storing a cryptographic processing program for encrypting or decrypting data which is to be subjected to cryptographic processing in units of blocks using secret keys, and especially to a cryptographic processing apparatus, a cryptographic processing program for improving security without greatly increasing hardware scale and processing time.

2. Description of the Prior Art

In recent years, as transferring of a variety of types of information and remittance by digital communication become widespread, there have been increasing needs for techniques which can improve security for protecting important information against attacks by third parties such as eavesdropping and information alteration. One technique for improving security is cryptography.

In communication systems using cryptography, an original communication text is referred to as "plaintext", while a text converted from the plaintext, from which it is difficult for third parties to derive the plaintext, is referred to as "ciphertext". Conversion from the plaintext to the ciphertext is referred to as "encryption", while inverse conversion for restoring the original plaintext from the ciphertext is referred to as "decryption".

The cryptographic content of ciphertext/plaintext is determined by an algorithm and a key which is a parameter of the algorithm. The algorithm specifies a conversion family composed of a plurality of conversions, while the key specifies one conversion out of the plurality of conversions in the conversion family. Generally, the algorithm corresponds to a fixed part in the apparatus, where the key is occasionally changed.

It is assumed that ciphertexts are apt to suffer from eavesdropping. An act by an unauthorized party such as an eavesdropper of decrypting a stolen ciphertext to obtain an original plaintext without the algorithm or the key is called "cryptanalysis".

A third party who attempts to decrypt a ciphertext (hereinafter, "cryptanalyst") does so in the assumption that the ciphertext is known.

A cryptanalysis method in which a secret plaintext or key is derived only from a ciphertext is called "ciphertext-only attack". On the other hand, a cryptanalysis method in which a plurality of unspecified pairs of a ciphertext and a plaintext are used to determine a secret key, which is then used to obtain a plaintext corresponding to an arbitrary ciphertext, is called "known plaintext attack".

The pseudo-random-number-sum-type cryptography is described below as an example.

In this cryptographic processing method, a transmitter and a receiver share the same secret key which is used by each device as a seed to generate a random number of a predetermined number of bits (hereinafter, "block") in a random number generator, where the random number generators of both devices have the same algorithm. Then the transmitter generates a ciphertext by performing an exclusive-OR operation on the random number and a plaintext for each corresponding bit in units of blocks. On receiving thee ciphertext, the receiver generates the original plaintext by performing the an exclusive-OR operation on the random number and the ciphertext for each corresponding bit in units of blocks.

Here, when a block in the plaintext is represented as "M" a block in the ciphertext as "C", the random number as "R", and the exclusive-OR operation for each corresponding bit as "(+)", the encryption can be described as the following "Formula 1", the decryption as the following "Formula 2":

C=M(+)R (Formula 1)

M=C(+)R (Formula 2)

A drawback with this cryptographic processing method is that, it is vulnerable against the "known-plaintext attack".

For instance, when a pair of a plaintext and a ciphertext is known concerning one block, the random number R can be obtained by the following "Formula 3", and as a result the whole plaintext can be obtained:

R-M(+)C (Formula 3)

Accordingly, the cryptanalyst can decrypt the pseudo-random-number-sum-type ciphertext without difficulty by the known-plaintext attack.

Cryptographic processing methods which are relatively secure against the known-plaintext attack include Data Encryption Standard (DES) and Fast Data Encipherment Algorithm (FEAL). These methods are explained in detail in Eiji Okamoto An Introduction to Encryption Theory, published by Kyoritsu.

In these cryptography methods, data is intensely shuttled in units of block (64 bits per block). For example, in the DES algorithm, a process which combines transposition with substitution is repeated for sixteen stages.

Cipher Block Chaining mode (hereinafter, CBC mode) has been proposed in order to improve security or the DES methods against cryptanalysis and other unauthorized acts. The CBC mode is explained in detail in Nobuichi Ikeno and Kenji Koyama Modern Encryption Theory, published by Institute of Electronic Information and Communication (pp. 66-67).

FIG. 1 shows the construction of an encryption apparatus 30 which realizes the CBC mode.

The encryption apparatus 30 includes an exclusive-OR unit 301, a data encryption unit 302, and a register 303.

The register 303 stores one ciphertext block which was obtained immediately before processing a present plaintext block. It should be noted that an initial value IV of one block is set in advance for encrypting a first plaintext block.

The exclusive-OR unit 301 performs, for each corresponding bit, an exclusive-OR operation on the immediately preceding ciphertext block which is stored in the register 303 and the present plaintext block to be encrypted, and sends the obtained data to the data encryption unit 302. When encrypting the first plaintext block, an exclusive-OR operation is performed on the initial value IV and the first plaintext block for each corresponding bit.

The data encryption unit 302 encrypts the 64-bit data sent from the exclusive-OR unit 301 using the DES algorithm 64-bit key data.

Thus, the encryption apparatus 30 first performs an exclusive-OR operation on the initial value IV and the first plaintext block for each corresponding bit and encrypts the result using the 64-bit key data to obtain one ciphertext block. The encryption apparatus 30 then performs an exclusive-OR operation on the ciphertext block and a next plaintext block for each corresponding bit and encrypts the result to obtain another ciphertext block.

When a block in the plaintext is represented as "Mi", a block in the ciphertext as "Ci" (i is a block number 2, 3, . . . ), the 64-bit key data as "K", the encryption using the key data K as "Ek", and the exclusive-OR operation for each corresponding bit as "(+)", the CBC mode can be described by the following "Formula 4" and "Formula 5":

C1=Ek(M1(+)IV) (Formula 4)

Ci=Ek(Mi(+)Ci-1)(i=2, 3) (Formula 5)

In the CBC mode, each Ci depends un all ciphertext data preceding Ci, so that statistical characteristics of the plaintext are disturbed. As a result, the CBC mode is relatively secure against cryptanalysis and other unauthorized acts.

A drawback with the DES methods, the FEAL methods, the CBC mode in the DES methods and the like is that an algorithm is known and the length of a key is limited, so that it is possible to discovery the proper key by performing decryption using every possible key in the known plaintext attack. It should be noted here that each key of 64 bits in the DES methods includes 8 parity bits, so that the valid key length is 56 bits. Accordingly, the number of possible keys is 2.

When, as in DES methods, the key is around 56 bits long, it is believed that it would be possible with current technology to succeed in decoding by trying all possible keys, though this would require a tremendous cost. However, if encryption is performed in a multilevel manner using a plurality of separate keys, it would be impossible with the current technology to succeed in decoding by trying all possible keys.

On the other hand, in view of rapid improvement in the processing ability of computers in recent years, it is not unthinkable that in the future it may become possible to succeed in decoding by trying all possible keys despite the multilevel encryption.

Also, though the larger the scale of the multilevel encryption, the further the security of the system will improve, it is not desirable to simply make conventional encryption apparatuses perform encryption in multilevel, as it causes profound increases in hardware scale and processing time.

Conventional techniques which can improve the security of the CBC mode and the like without performing multilevel encryption are taught in JPN. 52-130504 (cryptographic apparatus) and JPN. 8-12537 (encryption apparatus). In the former reference, key data is renewed based on an immediately preceding cryptographic processing result such as a ciphertext and the renewed key is used for present cryptographic processing. In the latter reference, on the other hand, a plurality of intermediate keys which have been generated from an encryption key beforehand are each used for performing bit conversion in order to generate intermediate key renewal information, based on which each of the plurality of intermediate keys is renewed.

However, apparatuses such as the conventional cryptographic processing apparatuses described above are still not definitely secure against unauthorized attacks, thus leaving more room for improvement in the security of such systems.

SUMMARY OF THE INVENTION

In view of the above stated problems, it is an object of the present invention to provide a cryptographic processing apparatus, a cryptographic processing method, and a storage medium storing a cryptographic processing program, which can improve security without greatly increasing hardware scale and processing time.

The above object can be fulfilled by a cryptographic processing apparatus for performing cryptographic processing using input data to generate output data, including: a storage unit for storing chain data which in used for reflecting present cryptographic processing on the next cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; a merging unit for merging the chain data stored in the storage unit with the input data to generate merged data; and a main cryptographic processing unit for performing main cryptographic processing using the merged data to generate the output data and for outputting intermediate data which is generated during a generation of the output data, wherein the storage unit renews the chain data by storing the intermediate data outputted by the main cryptographic processing unit as the new chain data, which is used for the next cryptographic processing.

With the stated construction, the intermediate data generated during the cryptographic processing is stored as the chain data, which is merged with the input data such as key data or cryptographic-processing object data which is to be subjected to the cryptographic processing next time the cryptographic processing is performed. By doing so, the chain data is renewed each time the cryptographic processing is performed, so that each set of output data will depend on all preceding data. Accordingly, statistical characteristics of the plaintext are disturbed by each chain data, making the cryptanalysis difficult without greatly increasing the hardware scale and the processing time. Also, even if a cryptanalyst obtains a pair of a ciphertext and a plaintext, it will practically be impossible to obtain chain data used for the cryptographic processing. In addition, since an algorithm for generating the chain data and an initial value of the chain data are secret, the cryptanalysis by the known-plaintext attack becomes further difficult, and so does cryptanalysis by trying all possible keys.

As a result, it is possible to improve security of the cryptography without greatly increasing the hardware scale and the processing time.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects, advantages and features of the invention will become apparent from the following description thereof taken in conjunction with the accompanying drawings that illustrate a specific embodiment of the invention. In the drawings:

FIG. 1 shows the construction of the encryption apparatus 30 which realizes the CBC mode;

FIG. 2 shows the construction of the encrypted communication system of First Embodiment of the present invention;

FIG. 3 shows the detailed construction of the data encryption apparatus 10 of First Embodiment of the present invention;

FIG. 4 shows the detailed construction of the first to eighth encryption units 105a-105h;

FIG. 5 shows the detailed construction of a unit which calculates the function "f";

FIG. 6 shows the substitution table of the choice functions S1-S8;

FIG. 7 shows the detailed construction of the fraction data processing unit 106 of First Embodiment of the present invention;

FIG. 8 shows the detailed construction of the data decryption apparatus 20 of First Embodiment of the present invention;

FIG. 9 shows the detailed construction of the fraction data processing unit 206 of First Embodiment of the present invention;

FIG. 10 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of First Embodiment of the present invention;

FIG. 11 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of First Embodiment of the present invention;

FIG. 12 shows the detailed construction of the data encryption apparatus 10 of Second Embodiment of the present invention;

FIG. 13 shows the detailed construction of the data decryption apparatus 20 of Second Embodiment of the present invention;

FIG. 14 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Second Embodiment of the present invention;

FIG. 15 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Second Embodiment of the present invention;

FIG. 16 shows the detailed construction of the data encryption apparatus 10 of Third Embodiment of the present invention;

FIG. 17 shows the detailed construction of the data decryption apparatus 20 of Third Embodiment of the present invention;

FIG. 18 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Third Embodiment of the present invention;

FIG. 19 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Third Embodiment of the present invention;

FIG. 20 shows the detailed construction of the data encryption apparatus 10 of Fourth Embodiment of the present invention;

FIG. 21 shows the detailed construction of the data decryption apparatus 20 of Fourth Embodiment of the present invention;

FIG. 22 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Fourth Embodiment of the present invention;

FIG. 23 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Fourth Embodiment of the present invention;

FIG. 24 shows the detailed construction of the data encryption apparatus 10 of Fifth Embodiment of the present invention;

FIG. 25 shows the detailed construction of the data decryption apparatus 20 of Fifth Embodiment of the present invention;

FIG. 26 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Fifth Embodiment of the present invention;

FIG. 27 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Fifth Embodiment of the present invention;

FIG. 28 shows the detailed construction of the data encryption apparatus 10 of Sixth Embodiment of the present invention;

FIG. 29 shows the detailed construction of the data decryption apparatus 20 of Sixth Embodiment of the present invention;

FIG. 30 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Sixth Embodiment of the present invention;

FIG. 31 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Sixth Embodiment of the present invention;

FIG. 32 shows the detailed construction of the data encryption apparatus 10 of Seventh Embodiment of the present invention;

FIG. 33 shows the detailed construction of the data decryption apparatus 20 of Seventh Embodiment of the present invention;

FIG. 34 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Seventh Embodiment of the present invention;

FIG. 35 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Seventh Embodiment of the present invention;

FIG. 36 shows the detailed construction of the data encryption apparatus 10 of Eighth Embodiment of the present invention;

FIG. 37 shows the detailed construction of the data decryption apparatus 20 of Eighth Embodiment of the present invention;

FIG. 38 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Eighth Embodiment of the present invention;

FIG. 39 shows the detailed construction of the data encryption apparatus 10 of Ninth Embodiment of the present invention;

FIG. 40 shows the detailed construction of the data decryption apparatus 20 of Ninth Embodiment of the present invention;

FIG. 41 shows the detailed construction of the data encryption apparatus 10 of Tenth Embodiment of the present invention;

FIG. 42 shows the detailed construction of the data decryption apparatus 20 of Tenth Embodiment of the present invention;

FIG. 43 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Tenth Embodiment of the present invention;

FIG. 44 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Tenth Embodiment of the present invention;

FIG. 45 shows the detailed construction of the data encryption apparatus 10 Eleventh Embodiment of the present invention;

FIG. 46 shows the detailed construction of the data decryption apparatus 20 of Eleventh Embodiment of the present invention;

FIG. 47 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Eleventh Embodiment of the present invention;

FIG. 48 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Eleventh Embodiment of the present invention;

FIG. 49 shows the detailed construction of the fraction data processing unit 106 of Twelfth Embodiment of the present invention; and

FIG. 50 is a flowchart showing the fraction data processing of the data encryption apparatus 10 of Twelfth Embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

First Embodiment

First Embodiment of the present invention is composed of an encryption apparatus which generates ciphertext data from plaintext data and a decryption apparatus which generates the plaintext data from the ciphertext data (the encryption apparatus and the decryption apparatus are both referred to as "cryptographic processing apparatus which generates output data from cryptographic-processing object data which is to be subjected to cryptographic processing") by performing encryption processing and decryption processing which are specified by key data (the encryption processing and the decryption processing are both referred to as "cryptographic processing"). In this cryptographic processing apparatus of First Embodiment, each time the cryptographic processing is performed on one block, an intermediate block which is generated during the cryptographic processing is stored as a chain block, which is then merged with the key data next time the cryptographic processing is performed.

Construction

Construction of Encrypted Communication System

FIG. 2 shows the construction of an encrypted communication system of First Embodiment of the present invention.

This encrypted communication system includes a transmitter 1 which encrypts plaintext data and transmits the obtained ciphertext data and a receiver 2 which decrypts the received ciphertext data. A transmission path 3 via which the ciphertext data is transmitted from the transmitter 1 to the receiver 2 is also shown in the figure.

As shown in the figure, the transmitter 1 is equipped with a data encryption apparatus 10 and a transmission unit 11.

The data encryption apparatus 10 encrypts input plaintext data in units of blocks, which are each composed of a predetermined number of bits, using key data which has been determined in advance and a predetermined algorithm, in order to obtain ciphertext data from the input plaintext data. The key data has been secretly shared by the transmitter 1 and the receiver 2 in advance, while the predetermined algorithm, which specifies a conversion family, is unique to each apparatus. The key data specifies one conversion out of the conversions included in the conversion family. The plaintext data is digital information which is obtained by digitally coding audio and image information, graphic character codes, or the like. In the present explanation, one block which is composed of a predetermined number of bits is, for instance, set as 64 bits.

The transmission unit 11 outputs transmission data which is generated by performing processing such as modulation and amplification on the ciphertext data onto the transmission path 3.

As shown in FIG. 2, the receiver 2 is equipped with a data decryption apparatus 20 and a reception unit 21.

The reception unit 21 receives the transmission data via the transmission path 3, and after performing processing such as demodulation on the transmission data, sends the ciphertext data to the data decryption apparatus 20.

The data decryption apparatus 20 decrypts the ciphertext data in units of blocks using the key data and a predetermined algorithm to obtain the plaintext data.

Construction of Data Encryption Apparatus 10

FIG. 3 shows the detailed construction of the data encryption apparatus 10, which is shown in FIG. 2, of First Embodiment of the present invention.

The data encryption apparatus 10 includes a block dividing unit 101, a block storage unit 102, a key data merging unit 103, a subkey generation unit 104, first to eighth encryption units 105a-105h, a fraction data processing unit 106, and a block integration unit 107.

When comparing the conventional encryption apparatus 30 shown in FIG. 1 and the data encryption apparatus 10 of First Embodiment of the present invention, the exclusive-OR unit 301 corresponds to the key data merging unit 103, the data encryption unit 302 corresponds to the block dividing unit 101, the subkey generation unit 104, the first to eighth encryption units 105a-105h, the fraction data processing unit 106, and the block integration unit 107, and the register 303 corresponds to the block storage unit 102.

The block dividing unit 101 divides input plaintext data into 64-bit blocks of plaintext data (hereinafter, "plaintext block"), which are then sent in turn to the first encryption unit 105a. When fraction plaintext data which is smaller than 64 bits is left behind after the plaintext data is divided into plaintext blocks, the fraction plaintext data is sent to the fraction data processing unit 106. In the present example, plaintext data of 200 bits is inputted and divided into a first plaintext block composed of the first to 64th bits, a second plaintext block composed of the 65th to 128th bits, a third plaintext block composed of the 129th to 192th bits, and fraction plaintext data composed of the 193th to 200th bits. The block dividing unit 101 then sends in turn the first to third plaintext blocks to the first encryption unit 105a, and the fraction plaintext data to the fraction data processing unit 106.

When each plaintext block is processed, the block storage unit 102 stores a chain block which is used for reflecting a present block on a next block. It should be noted that an initial value IV of the chain block is stored in the block storage unit 102 in advance for processing the first plaintext block.

The key data merging unit 103 merges the chain block stored in the block storage unit 102 with key data to generate merged key data. In the present example, for processing the first plaintext block, an exclusive OR operation is performed on the initial value IV of the 64-bit chain block and 64-bit input key data which has been determined in advance for each corresponding bit. For processing the second and third plaintext blocks, an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit key data and a 64-bit chain block generated during the processing of the immediately preceding plaintext block.

The subkey generation unit 104 generates a number of subkeys corresponding to a number of encryption units from the merged key data which has been generated by the key data merging unit 103. In the present example, eight 48-bit subkeys are generated from the 64-bit merged key data.

The first encryption unit 105a generates a first intermediate block from a plaintext block using a first subkey.

The second to seventh encryption units 105b-105g generate second to seventh intermediate blocks from the first to sixth intermediate blocks using second to seventh subkeys, respectively.

The eighth encryption unit 105h generates one block of ciphertext data (hereinafter, "ciphertext block") from the seventh intermediate block using an eighth subkey.

The first to eighth encryption units 105a-105h have the same construction, in which conversion processing is performed in eight stages, the conversion processing being composed of a process of converting higher 32 bits of a 64 bit input block using lower 32 bits of the 64-bit input block based on a conversion specified by a 48-bit subkey and a process of replacing the converted higher 32 bits with the lower 32 bits in series. In the present example, first to seventh intermediate blocks are progressively generated for each of the first to third plaintext blocks, with first to third ciphertext blocks being generated from the resulting intermediate blocks.

FIG. 4 shows the detailed construction of the first to eighth encryption units 105a-105h.

A 64-bit plaintext block is divided into higher 32 bits and lower 32 bits. When the higher 32-bit is represented as "H0", the lower 32-bit as "L0", input of an "n"th encryption unit as "{H(n-1), L(n-1)}", and output as "(Hn, Ln)", Hn and Ln are described by the following "Formula 6" and "Formula 7":

Hn=L(n-1) (Formula 6)

Ln=H(n-1)(+)f{L(n-1), Kn} (Formula 7)

Here, "(1)" represents the exclusive-OR operation for each corresponding bit, "Kn" represents a 48 bit subkey inputted into the "n"th encryption unit, and "f" represents a function for outputting 32-bit data using "L(n-1)" and "Kn".

FIG. 5 shows the detailed construction of a unit which calculates the function "f",

32 bits of L(n-1) are expanded to 48 bits and rearranged according to expansion E shown in the following table (Table 1).

          TABLE 1
          32        1        2        3        4         5
           4        5        6        7        8         9
           8        9       10       11       12        13
          12       13       14       15       16        17
          16       17       18       19       20        21
          20       21       22       23       24        25
          24       25       26       27       28        29
          28       29       30       31       32         1

              TABLE 2
              16           7           20           21
              29           12          28           17
               1           15          23           26
               5           18          31           10
               2           8           24           14
              32           27           3           9
              19           13          30           6
              22           11           4           25

      TABLE 3
        57      49      41      33       25       17       9
         1      58      50      42       34       26      18
        10       2      59      51       43       35      27
        19      11       3      60       52       44      36
        63      55      47      39       31       23      15
         7      62      54      47       38       30      22
        14       6      61      53       45       37      29
        21      13       5      28       20       12       4

    TABLE 4
    subkey number         1    2    3    4    5    6    7    8
    number of shifting times  2    4    8   12   16   20   24   26

          TABLE 5
          14       17       11       24        1         5
           3       28       15        6       21        10
          23       19       12        4       26         8
          16        7       27       20       13         2
          41       52       31       37       47        55
          30       40       51       45       33        48
          44       49       39       56       34        53
          46       42       50       36       29        32