WO2013065241A1 - Incremental MAC tag generation device, method and program, and message authentication device - Google Patents
- Publication number
- WO2013065241A1 (PCT/JP2012/006586)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- block
- plaintext
- intermediate variable
- tag
- padding
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/20—Manipulating the length of blocks of bits, e.g. padding or block truncation
Definitions
- the present invention relates to an incremental MAC tag generation device, method and program used for message authentication using a common key, and a message authentication device.
- the message authentication code (hereinafter referred to as MAC) method is a method for guaranteeing that a message is legitimate by attaching a tag that can be calculated only by a person who knows a secret key to the message. If the MAC method is used, for example, in communication between two parties sharing a secret key, it is possible to detect tampering by a third party performed during the communication.
- a secret key shared between the sender and receiver of a message is K
- the tag T'' is calculated from the received plaintext M' and the shared key K. If the received tag T' matches the calculated T'', it is determined that the plaintext M' was sent by a legitimate sender.
- the sent M ′ is a message obtained by performing a specific editing process on the previously sent M
- there is a method that reuses the result of the tag calculation T performed on M and can therefore compute the tag T'' at high speed.
- Such a MAC scheme is called incremental (for its processing).
- in the incremental MAC method, the calculation result of the tag T is reused. Therefore, the incremental MAC method can greatly reduce the amount of calculation when the message changes partially or sequentially, or when messages with relatively little change follow one another. As specific application examples, the incremental MAC method is used for guaranteeing the authenticity of documents on a computer, or for protecting a large-capacity memory in hardware such as a game machine from hacking.
- FIG. 8 is a block diagram showing the operation of a general tag generation apparatus using PMAC.
- let the n-bit block cipher E(K, *) be a component.
- the tag T can be obtained as follows.
- + represents a bitwise exclusive OR (XOR).
- || represents concatenation of bit sequences.
- |M[L]| represents the bit length of M[L].
- E(K, M[i]) is the encryption of the plaintext block M[i] with the key K of the block cipher E, and U = E(K, 0^n) is the encryption of the constant 0^n (the all-zero n-bit sequence).
- the function f_i represents multiplication of an input value by the constant 2^(i-1) on a finite field.
- PMAC can be executed in parallel, unlike general CBC-MAC (Cipher Block Chaining-MAC).
- V = D(K, T) + ff_w(U)
- V' = V + E(K, f_1(U) + M[1]) + E(K, f_1(U) + M'[1])
- T' = E(K, V' + ff_w(U))
- D (K, *) is a block cipher decryption function.
- w (0 or 1) depends on the length of
- the mask variable f_i stirs the input value M to E (K, *) before encryption.
- processing other than a block-unit change, for example insertion, deletion, or cut and paste of a block, may also be performed.
- M ′ (M [2],.
- the input values to E(K, *) for M and M' are respectively M: f_1+M[1], f_2+M[2], ..., f_L-1+M[L-1] and M': f_1+M[2], f_2+M[3], ..., f_L-1+M[L-2].
- Other existing incremental MACs such as XORMAC described in Non-Patent Document 2 and GMAC described in Non-Patent Document 3 have the same problem.
- Non-Patent Document 5 describes a method in which a message is divided into n-bit blocks, and padding is performed when a block is less than n bits.
- Non-Patent Document 6 describes a block cipher-based pseudo-random function as an example of an encryption function.
- Non-Patent Document 7 describes a linear shift register as an example of processing used for a scramble function described later.
- An object of the present invention is to provide an incremental MAC tag generation device, method and program, and a message authentication device capable of performing an incremental tag calculation that can cope with editing in every block unit without impairing the efficiency of normal tag calculation.
- An incremental MAC tag generation device inputs the final block of a plaintext M divided into a plurality of blocks, and performs padding when the length of the final block of the plaintext M is less than a predetermined number of bits.
- the parallel encryption means with cache reference compares each block other than the last block of the plaintext M with each block of the plaintext M'. If there is a block of the plaintext M' that matches the block of the plaintext M, the block of the intermediate variable S' corresponding to that block of M' is used as the intermediate variable S; if there is no matching block of M', the block of the plaintext M is encrypted and used as the intermediate variable S.
- the method for generating an incremental MAC tag inputs the final block of a plaintext M divided into a plurality of blocks, performs padding when the length of the final block of the plaintext M is less than a predetermined number of bits, inputs the blocks other than the last block of M, the cached plaintext M', and the intermediate variable S' obtained by encrypting M', and compares each block other than the last block of the plaintext M with each block of the plaintext M'.
- if there is a block of the plaintext M' that matches the block of the plaintext M, the block of the intermediate variable S' corresponding to that block of M' is used as the intermediate variable S; if there is no matching block of M', the block of the plaintext M is encrypted to calculate the intermediate variable S.
- the intermediate variable S is scrambled.
- a hash value V is calculated as the exclusive OR of each scrambled block of the intermediate variable S and the last block of the plaintext M, and a tag is calculated by encrypting the hash value V with whether or not padding was performed as a parameter.
- An incremental MAC tag generation program inputs a final block of plaintext M divided into a plurality of blocks to a computer, and performs padding when the length of the final block of plaintext M is less than a predetermined number of bits.
- the program inputs the blocks other than the final block of the plaintext M, the cached plaintext M', and the intermediate variable S' obtained by encrypting M'; compares the blocks other than the final block of the plaintext M with each block of the plaintext M'; if there is a block of the plaintext M' that matches the block of the plaintext M, uses the block of the intermediate variable S' corresponding to that block of M' as the intermediate variable S; if there is no matching block of M', calculates the intermediate variable S by encrypting the block of the plaintext M; scrambles the intermediate variable S; and calculates the hash value V that is the exclusive OR of each scrambled block of the intermediate variable S and the final block of the plaintext M.
- FIG. 1 is a block diagram illustrating a configuration of an incremental MAC tag generation device according to a first embodiment of the present invention.
- FIG. 2 is a block diagram illustrating processing of the incremental MAC tag generation device according to the first embodiment of the present invention.
- FIG. 3 is a block diagram illustrating a data flow of the incremental MAC tag generation device according to the first embodiment of the present invention.
- + represents an exclusive OR for each bit, and the length of one message block is n bits.
- the incremental MAC tag generation device 10 of this embodiment includes padding means 101, parallel encryption means 102 with cache reference, scramble hash means 103, and tag generation means 104.
- an input unit 100 and an output unit 105 are connected to the incremental MAC tag generation device 10.
- the incremental MAC tag generation device 10 is realized by, for example, a CPU, a memory, a disk, and the like. Each means of the incremental MAC tag generation device 10 is realized, for example, by storing a program in a computer disk and operating the program on the CPU.
- the plaintext M and the plaintext M ′ are divided into n-bit block units.
- the input unit 100 is realized by a character input device such as a keyboard, for example.
- the input unit 100 may be, for example, a communication interface such as a computer LAN or USB, or an input interface on a program.
- the padding format of the padding means 101 is arbitrary, and for example, all zeros may be connected. However, if the last block is exactly n bits, no processing is performed.
- the cache-referenced parallel encryption means 102 searches the cached plaintext blocks M'[j] for one that matches the sent plaintext block M[i] and, if there is a match, uses the S'[j] corresponding to that M'[j]. Therefore, even if M[i] has undergone processing other than a block-unit change, for example insertion, deletion, or cut and paste of a block, incremental tag calculation is possible.
- when the input length of E is longer than its output length, the processing of E may be CBC-MAC or CMAC using an n-bit block cipher.
- when the input to E is the n-bit block M[i], the processing of E can be the key stream generation function of a stream cipher with an IV (initialization vector): M[i] is input in place of the IV and the output is used as S[i].
- E may also be a block cipher based pseudo-random function such as CENC described in Non-Patent Document 6. In either case, if there is no cached plaintext and intermediate variable, all plaintext blocks may simply be encrypted.
- the scramble hash means 103 scrambles the intermediate variable S output from the parallel encryption means 102 for each block to obtain a hash value V.
- the scramble functions g_i (i = 1, ..., L-1), u_0 and u_1 are determined so as to satisfy the condition shown in the following equation (Expression scrcond) in order to ensure security.
- Pr[sum_{i in Gset} g_i(rand) + sum_{j in Uset} u_j(rand) = y]
- the scramble functions g_i are chosen so that, when rand is an n-bit uniform random number, this probability is a sufficiently small value for every n-bit value y, every subset Gset of {1, ..., L-1} excluding the zero set, and every subset Uset of {0, 1} including the zero set (that is, {0}, {1}, {0, 1}).
- g_i and u_j can be configured using a cyclic shift of a prime-length partial sequence of the n-bit value.
- X is an n-bit value
- X[a-b] is the partial sequence from the a-th bit to the b-th bit of X
- rot(i, Y) is the i-bit left (or right) cyclic shift of Y.
- g_i(X), u_0(X), and u_1(X) can be defined as in the following equation (Expression rot).
- g_i determined in this way can handle messages up to the maximum block length Lmax.
- p is a prime number and needs to satisfy p ≥ Lmax + 1 and p ≤ n.
- such processing can be executed at very high speed, since only a cyclic shift is required, compared with a block cipher that repeats many complex operations.
- X[p+1-n] in (Expression rot) may be an arbitrary fixed sequence such as all zeros.
- for a positive integer c that is a divisor of n and satisfies cp ≤ n, X may be divided into c pieces and the same processing as in (Expression rot) applied independently to each n/c-bit subsequence.
- g_i and u_j can also be realized by multiplication by a constant on the finite field GF(2^n), for example.
- the constants a_i are chosen so that the set {a_1, ..., a_Lmax+1} is linearly independent (forms a basis) on the finite field GF(2^n).
- g_i(X), u_0(X), and u_1(X) can then be defined as in the following equation (Expression mul).
- mul(A, B) represents multiplication of the elements A and B on the finite field.
- g_i and u_j can also be realized by, for example, a linear shift register (LFSR) as in the following equation (Expression LFSR).
- LFSR(i, X) is the content of the register after i operations of the linear shift register whose register is initialized with X.
- calculating g_i in this way requires i LFSR operations.
- with a jump LFSR, multiple operations can be performed by a process almost equivalent to a single operation, so efficiency can be improved by using such an LFSR.
- g_i is realized by the cyclic shift of (Expression rot), multiplication by a constant on the finite field GF(2^n) of (Expression mul), or the linear shift register of (Expression LFSR). In each case g_i is determined so as to satisfy the condition of (Expression scrcond), and security is ensured.
- the tag generation means 104 generates a tag T by encrypting the hash value V output from the scramble hash means 103, using whether or not the length of the final block M[L] of the plaintext M is n bits as a binary parameter.
- the tag generation means 104 outputs T obtained by the above (formula fin) as a tag.
- U = E(K, 0^n).
- the functions u_0 and u_1 for generating the mask are realized by, for example, the cyclic shift shown in (Expression rot) described above, multiplication by a constant on the finite field GF(2^n) shown in (Expression mul), or the linear shift register shown in (Expression LFSR).
- the tag generation means 104 uses whether or not the length of the final block M[L] of the plaintext M is n bits as a binary parameter of the encryption. As a result, efficient processing is achieved while eliminating the ambiguity caused by padding (that is, if only the intermediate variable S[L] were used, it would not be known whether S[L] is M[L] itself or the result of padding M[L]).
- the processing shown in the above (formula fin) and (formula fin2) is a standard technique that is also used in the OMAC described in Non-Patent Document 5, similarly to the function of the padding means 101. Further, when the hash value V is longer than the block cipher block size used, a mode such as CBC-MAC or CMAC may be used.
- the tag T generated by the tag generation unit 104 is output to the output unit 105.
- the output unit 105 outputs the tag T generated by the tag generation unit 104 to, for example, a computer display or a printer.
- FIG. 4 is a flowchart showing the operation of the incremental MAC tag generation device according to the first embodiment of the present invention.
- the padding means 101 performs padding if the final block M [L] of the message is less than n bits, and sets the result as an intermediate variable S [L]. If M [L] is exactly n bits, M [L] is set to S [L] as it is (step G2).
- the tag generation unit 104 encrypts the hash value V using as a binary parameter whether or not padding was performed on the final plaintext block M[L] (that is, whether M[L] is n bits), and obtains the tag T (step G5). Finally, the output means 105 outputs the tag T (step G6).
- the incremental MAC tag generation device 10 of the present embodiment can efficiently perform normal tag calculation while enabling incremental tag recalculation for every block processing.
- the reason for this is that the result of encrypting the block M [i] of each message behaves transparently with respect to any block-by-block editing. Therefore, no new encryption calculation is required.
- each M [i] process can be executed in parallel, and the scramble process is realized by a process that is much simpler than that of the block cipher, so that the overall speed can be significantly increased. If there is no cached plaintext, S can be obtained by encrypting all M [i].
- each g_i process is a permutation (that is, it has an inverse function)
- for updates in units of blocks that do not involve block insertion, deletion, cut and paste, etc., incremental tag calculation can be performed from the message and the tag even if the intermediate variables are not cached, as in the case of PMAC described in Non-Patent Document 1.
- FIG. 5 is a block diagram showing a configuration of the message authentication device according to the second exemplary embodiment of the present invention.
- the message authentication device according to the second embodiment includes an input unit 200, an incremental MAC tag generation device 10, a local tag verification unit 206, and an output unit 205.
- the configuration and operation of the incremental MAC tag generation device 10 are the same as those shown in the first embodiment.
- the input unit 200 is connected to the incremental MAC tag generation device 10 and the local tag verification unit 206.
- the input unit 200 inputs the plaintext M to be authenticated, the tag T corresponding to the plaintext M, the cached plaintext M ′, and the cached intermediate variable S ′.
- the input unit 200 is realized by a character input device such as a keyboard.
- the input unit 200 may be a communication interface such as a computer LAN or USB, or an input interface on a program.
- the incremental MAC tag generation device 10 is connected to the local tag verification unit 206 and has a function of generating a tag as described in the first embodiment.
- a tag generated by the incremental MAC tag generation device 10 is referred to as a local tag Z.
- the local tag verification unit 206 verifies the local tag Z by comparing the tag T input from the input unit 200 with the local tag Z input from the incremental MAC tag generation device 10.
- the local tag verification unit 206 is connected to the output unit 205.
- the local tag verification unit 206 sends the verification result to the output unit 205.
- the output unit 205 outputs the verification result output from the local tag verification unit 206 to, for example, a computer display or a printer.
- FIG. 6 is a flowchart showing the operation of the message authentication device according to the second exemplary embodiment of the present invention.
- the plaintext M = (M[1], M[2], ..., M[L]) to be authenticated, the tag T corresponding to the plaintext M, the cached plaintext M' = (M'[1], ..., M'[N]), and the intermediate variable S' = (S'[1], ..., S'[N-1]) corresponding to M' are input (step V1).
- the padding means 101 performs padding if the final block M [L] of the message is less than n bits, and sets the result as an intermediate variable S [L]. If M [L] is exactly n bits, the padding means 101 sets M [L] as S [L] as it is (step V2).
- the tag generation means 104 encrypts the hash value V using the presence / absence of padding in the plaintext final block M [L] (that is, whether it is n bits) as a binary parameter, and obtains a local tag Z (step V5).
- the local tag verification unit 206 verifies whether or not the local tag Z input from the tag generation unit 104 matches the tag T input from the input unit 200 (step V5). Finally, the output unit 205 outputs the verification result of the local tag verification unit 206 (step V6).
- the message authentication device of this embodiment can obtain the same effects as those of the first embodiment. Therefore, message authentication can be performed efficiently.
- FIG. 7 is a block diagram showing a main part of the incremental MAC tag generation device of the present invention.
- the incremental MAC tag generation device 10 includes a cache-referenced parallel encryption unit 12, a padding unit 11, a scramble hash unit 13, and a tag generation unit 14 as minimum components.
- the padding unit 11 inputs the final block of a plaintext M divided into a plurality of blocks and performs padding when the length of the final block of the plaintext M is less than a predetermined number of bits.
- the parallel encryption unit with cache reference 12 receives a block other than the final block of the plaintext M, the cached plaintext M ′, and the intermediate variable S ′ obtained by encrypting M ′, and calculates the intermediate variable S.
- the scramble hash unit 13 scrambles blocks other than the final block of the intermediate variable S.
- the scramble hash unit 13 calculates a hash value V that is an exclusive OR of each block of the intermediate variable S that has been scrambled and the final block of the plaintext M that is padded by the padding unit 11.
- the tag generation unit 14 calculates a tag by encrypting the hash value V using the presence or absence of padding by the padding unit 11 as a parameter.
- the parallel encryption unit with cache reference 12 compares blocks other than the last block of plaintext M with each block of plaintext M ′.
- the parallel encryption unit with cache reference 12 uses the block of the intermediate variable S ′ corresponding to the block of the plaintext M ′ as the intermediate variable S when there is a block of the plaintext M ′ that matches the block of the plaintext M.
- when there is no block of the plaintext M' that matches the block of the plaintext M, the parallel encryption unit with cache reference 12 encrypts the block of the plaintext M and uses it as the intermediate variable S.
- the incremental MAC tag generation device shown in FIG. 7 can perform an incremental tag calculation that can cope with editing in every block without impairing the efficiency of normal tag calculation.
- an incremental MAC tag generation device and a message authentication device as shown in the following (1) to (5) are also disclosed.
- An incremental MAC tag generation device (for example, incremental MAC tag generation device 10) includes: padding means (for example, padding means 101) that inputs the final block of a plaintext M divided into a plurality of blocks and performs padding when the length of the final block of the plaintext M is less than a predetermined number of bits; parallel encryption means with cache reference (for example, parallel encryption means 102 with cache reference) that inputs the blocks other than the last block of the plaintext M, the cached plaintext M', and the intermediate variable S' obtained by encrypting M', and calculates the intermediate variable S; scramble hash means (for example, scramble hash means 103) that scrambles the intermediate variable S and calculates a hash value V that is the exclusive OR of each block of the scrambled intermediate variable S and the last block of the plaintext M padded by the padding means; and tag generation means (for example, tag generation means 104) that calculates a tag by encrypting the hash value V using the presence or absence of padding by the padding means as a parameter.
- the scramble process of the scramble hash means may be configured to cyclically shift a partial sequence having a specific prime length of each block of the input intermediate variable S.
- the scramble process of the scramble hash means may be configured to multiply each block of the input intermediate variable S by a specific numerical value that is a constant on a specific finite field.
- the scramble process of the scramble hash means may be configured to apply each block of the input intermediate variable S to a linear shift register and operate it the same number of times as the number of input blocks.
- the message authentication device includes the incremental MAC tag generation device (for example, incremental MAC tag generation device 10), input means (for example, input means 200) that inputs the plaintext M, the tag T corresponding to the plaintext M, the cached plaintext M', and the intermediate variable S' obtained by encrypting M', local tag verification means (for example, local tag verification means 206) that compares and verifies the local tag Z generated by the incremental MAC tag generation device using the plaintext M, the plaintext M' and the intermediate variable S' against the tag T input by the input means, and output means (for example, output means 205) that outputs the verification result of the local tag verification means.
- the present invention can be applied to uses such as authentication in wireless or wired data communication, detection of database falsification, and verification of the validity of memory on the device.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Power Engineering (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Description
S[i]=E(K,f_i(U)+M[i]) for i=1,...,L-1
S[L]=M[L] if|M[L]|=n, S[L]=M[L]||0* otherwise
V=S[1]+S[2]+...+S[L]
T=E(K,V+ff_0(U)) if|M[L]|=n, T=E(K,V+ff_1(U)) otherwise
V=D(K,T)+ff_w(U)
V’=V+E(K,f_1(U)+M[1])+E(K,f_1(U)+M’[1])
T’=E(K,V’+ff_w(U))
M: f_1+M[1], f_2+M[2], ..., f_L-1+M[L-1]
M': f_1+M[2], f_2+M[3], ..., f_L-1+M[L-2]
are obtained.
FIG. 1 is a block diagram showing the configuration of the incremental MAC tag generation device of the first embodiment of the present invention. FIG. 2 is a block diagram showing the processing of the incremental MAC tag generation device of the first embodiment. FIG. 3 is a block diagram showing the data flow of the incremental MAC tag generation device of the first embodiment. In the following description, unless otherwise specified, + represents a bitwise exclusive OR and the length of one message block is n bits.
S[i]=S’[j] if M[i]=M’[j] for some j,S[i]=E(K,M[i]) otherwise
The parallel encryption means with cache reference 102 performs this processing for i = 1, ..., L-1 and outputs the intermediate variable S = (S[1], ..., S[L-1]). In this case both S[i] and M[i] are n bits, and encryption with an n-bit block cipher can be used as the processing of E. This processing corresponds to the ECB (Electronic Code Book) mode applied to M[1], ..., M[L-1].
V=g_1(S[1])+g_2(S[2])+...+g_L-1(S[L-1])+S[L]
Here S[L] is the output of the padding means 101, that is, the value obtained by padding the final block M[L] of the message as necessary.
Pr[sum_{i in Gset}g_i(rand) + sum_{j in Uset} u_j(rand)=y]
Here, the notation Pr[X=x] denotes the probability that the random variable X takes the value x. For the scramble functions g_i it suffices that, when rand is an n-bit uniform random number, the value of this expression is a sufficiently small number for every n-bit value y, for every subset Gset of {1, ..., L-1} excluding the zero set and every subset Uset of {0,1} including the zero set (that is, {0}, {1}, {0,1}).
g_i(X)=rot(i,X[1-p])||X[p+1-n], for i=1,...,Lmax-1
u_0(X)=rot(Lmax,X[1-p])||X[p+1-n]
u_1(X)=rot(Lmax+1,X[1-p])||X[p+1-n]
g_i(X)=mul(a_i,X) for i=1,...,Lmax-1
u_0(X)=mul(a_Lmax,X)
u_1(X)=mul(a_Lmax+1,X)
Here, mul(A,B) denotes the multiplication of the elements A and B on the finite field. By defining g_i in this way, message block lengths up to the maximum Lmax can be handled.
(Expression LFSR)
g_i(X)=LFSR(i,X) for i=1,...,Lmax-1
u_0(X)=LFSR(Lmax,X)
u_1(X)=LFSR(Lmax+1,X)
By defining g_i in this way, message block lengths up to the maximum Lmax can be handled.
(Expression fin)
T=E(K,u_0(U)+V) if |M[L]|=n,T=E(K,u_1(U)+V) otherwise
(Expression fin2)
T=E(K1,V) if |M[L]|=n,T=E(K2,V) otherwise
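As an added worked example (not code from the patent or its applicant), the following Python implements the first embodiment end to end: padding means 101, parallel encryption with cache reference 102, the (Expression rot) scramble hash 103 with p = 127 and Lmax = 64, tag generation 104 via (Expression fin), and the local tag verification of the second embodiment. The n-bit function E is a constructed stand-in (HMAC-SHA256 truncated to 128 bits) rather than a block cipher, and the key and messages are constructed sample data, so the tags are illustrative only.

```python
import hashlib
import hmac

N_BYTES = 16              # block length n = 128 bits
N_BITS = 8 * N_BYTES
P = 127                   # prime length of the rotated prefix: Lmax + 1 <= p <= n
LMAX = 64                 # maximum number of message blocks handled


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the n-bit keyed function E(K, *): HMAC-SHA256 truncated to n bits.
    Constructed placeholder so the example runs offline; the patent uses an n-bit
    block cipher or a block-cipher-based PRF here."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N_BYTES]


def rot_scramble(x: bytes, i: int) -> bytes:
    """(Expression rot): left-rotate the first P bits of X by i, keep X[p+1-n] as is."""
    val = int.from_bytes(x, "big")
    tail_bits = N_BITS - P
    prefix = val >> tail_bits
    suffix = val & ((1 << tail_bits) - 1)
    i %= P
    prefix = ((prefix << i) | (prefix >> (P - i))) & ((1 << P) - 1)
    return ((prefix << tail_bits) | suffix).to_bytes(N_BYTES, "big")


def g(i: int, x: bytes) -> bytes:
    """g_i for i = 1, ..., Lmax-1."""
    return rot_scramble(x, i)


def u(j: int, x: bytes) -> bytes:
    """u_0 and u_1: the masks selected by the padding flag in (Expression fin)."""
    return rot_scramble(x, LMAX + j)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def split_blocks(msg: bytes) -> list:
    """Divide the message into n-bit blocks; the last block may be shorter."""
    blocks = [msg[k:k + N_BYTES] for k in range(0, len(msg), N_BYTES)]
    return blocks or [b""]


def pad_last(block: bytes):
    """Padding means 101: zero-extend a short final block, report whether padding happened."""
    if len(block) == N_BYTES:
        return block, False
    return block + b"\x00" * (N_BYTES - len(block)), True


def generate_tag(key: bytes, msg: bytes, cache=None):
    """Incremental tag generation. `cache` is (M' blocks, S' blocks) from an earlier run.
    Returns (tag T, new cache (M, S), number of cache hits)."""
    blocks = split_blocks(msg)
    if len(blocks) > LMAX:
        raise ValueError("message longer than Lmax blocks")
    s_last, padded = pad_last(blocks[-1])

    # Parallel encryption with cache reference (means 102): reuse S'[j] whenever
    # M[i] == M'[j]; this is what makes insertion, deletion and cut-and-paste incremental.
    lookup = {}
    if cache is not None:
        for m_prime, s_prime in zip(*cache):
            lookup.setdefault(m_prime, s_prime)
    S, hits = [], 0
    for m in blocks[:-1]:
        if m in lookup:
            S.append(lookup[m])
            hits += 1
        else:
            S.append(E(key, m))

    # Scramble hash (means 103): V = g_1(S[1]) + ... + g_{L-1}(S[L-1]) + S[L]
    V = s_last
    for i, s in enumerate(S, start=1):
        V = xor(V, g(i, s))

    # Tag generation (means 104), (Expression fin): padding flag selects u_0 or u_1
    U = E(key, bytes(N_BYTES))
    T = E(key, xor(V, u(1 if padded else 0, U)))
    return T, (blocks[:-1], S), hits


def verify_tag(key: bytes, msg: bytes, tag: bytes, cache=None) -> bool:
    """Local tag verification means 206: recompute the local tag Z and compare it
    with T in constant time."""
    Z, _, _ = generate_tag(key, msg, cache)
    return hmac.compare_digest(Z, tag)


if __name__ == "__main__":
    # Constructed sample data: a 3.5-block message, then the same message with a
    # block inserted at the front (the edit PMAC-style masks cannot handle incrementally).
    key = b"constructed-demo-key-not-secret!"
    m = b"A" * 16 + b"B" * 16 + b"C" * 16 + b"D" * 5
    t, cache, _ = generate_tag(key, m)
    m_edit = b"X" * 16 + m
    t_edit, _, hits = generate_tag(key, m_edit, cache)
    print(f"cache hits on re-tag: {hits} of {len(split_blocks(m_edit)) - 1} blocks")
    print("verify original:", verify_tag(key, m, t))
    print("verify edited message with original tag:", verify_tag(key, m_edit, t))
```

Re-tagging the edited message hits the cache for every unchanged block, so only the inserted block is passed through E; the explicit-zero message and the zero-padded short message get different tags because the padding flag selects a different mask.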
FIG. 5 is a block diagram showing the configuration of the message authentication device of the second embodiment of the present invention. As shown in FIG. 5, the message authentication device of the second embodiment includes input means 200, the incremental MAC tag generation device 10, local tag verification means 206, and output means 205. The configuration and operation of the incremental MAC tag generation device 10 are the same as those shown in the first embodiment.
11 padding unit
12 parallel encryption unit with cache reference
13 scramble hash unit
14 tag generation unit
100 input means
101 padding means
102 parallel encryption means with cache reference
103 scramble hash means
104 tag generation means
105 output means
200 input means
205 output means
206 local tag verification means
Claims (7)
- An incremental MAC tag generation device comprising:
padding means that inputs the final block of a plaintext M divided into a plurality of blocks and performs padding when the length of the final block of the plaintext M is less than a predetermined number of bits;
parallel encryption means with cache reference that inputs the blocks other than the final block of the plaintext M, a cached plaintext M', and an intermediate variable S' obtained by encrypting M', and calculates an intermediate variable S;
scramble hash means that performs scramble processing on the intermediate variable S and calculates a hash value V that is the exclusive OR of each block of the scrambled intermediate variable S and the final block of the plaintext M output by the padding means; and
tag generation means that calculates a tag by encrypting the hash value V using the presence or absence of padding by the padding means as a parameter,
wherein the parallel encryption means with cache reference
compares the blocks other than the final block of the plaintext M with each block of the plaintext M',
when a block of the plaintext M' that matches a block of the plaintext M exists, uses the block of the intermediate variable S' corresponding to that block of the plaintext M' as the intermediate variable S, and
when no block of the plaintext M' that matches the block of the plaintext M exists, encrypts that block of the plaintext M and uses it as the intermediate variable S.
- The incremental MAC tag generation device according to claim 1, wherein the scramble processing of the scramble hash means
cyclically shifts a partial sequence of a specific prime length of each block of the input intermediate variable S.
- The incremental MAC tag generation device according to claim 1, wherein the scramble processing of the scramble hash means
multiplies each block of the input intermediate variable S by a constant on a specific finite field, the constant being a different numerical value for each block.
- The incremental MAC tag generation device according to claim 1, wherein the scramble processing of the scramble hash means
applies each block of the input intermediate variable S to a linear shift register and operates it the same number of times as the number of input blocks.
- A message authentication device comprising:
the incremental MAC tag generation device according to any one of claims 1 to 4;
input means that inputs a plaintext M, a tag T corresponding to the plaintext M, a cached plaintext M', and an intermediate variable S' obtained by encrypting M';
local tag verification means that compares and verifies a local tag Z generated by the incremental MAC tag generation device using the plaintext M, the plaintext M', and the intermediate variable S' against the tag T input by the input means; and
output means that outputs the verification result of the local tag verification means.
- An incremental MAC tag generation method comprising:
inputting the final block of a plaintext M divided into a plurality of blocks and performing padding when the length of the final block of the plaintext M is less than a predetermined number of bits;
inputting the blocks other than the final block of the plaintext M, a cached plaintext M', and an intermediate variable S' obtained by encrypting M';
comparing the blocks other than the final block of the plaintext M with each block of the plaintext M';
when a block of the plaintext M' that matches a block of the plaintext M exists, using the block of the intermediate variable S' corresponding to that block of the plaintext M' as the intermediate variable S;
when no block of the plaintext M' that matches the block of the plaintext M exists, encrypting that block of the plaintext M to calculate the intermediate variable S;
performing scramble processing on the intermediate variable S and calculating a hash value V that is the exclusive OR of each block of the scrambled intermediate variable S and the final block of the plaintext M; and
calculating a tag by encrypting the hash value V using the presence or absence of padding as a parameter.
- An incremental MAC tag generation program causing a computer to execute:
a process of inputting the final block of a plaintext M divided into a plurality of blocks and performing padding when the length of the final block of the plaintext M is less than a predetermined number of bits;
a process of inputting the blocks other than the final block of the plaintext M, a cached plaintext M', and an intermediate variable S' obtained by encrypting M',
comparing the blocks other than the final block of the plaintext M with each block of the plaintext M',
when a block of the plaintext M' that matches a block of the plaintext M exists, using the block of the intermediate variable S' corresponding to that block of the plaintext M' as the intermediate variable S, and
when no block of the plaintext M' that matches the block of the plaintext M exists, encrypting that block of the plaintext M to calculate the intermediate variable S;
a process of performing scramble processing on the intermediate variable S and calculating a hash value V that is the exclusive OR of each block of the scrambled intermediate variable S and the final block of the plaintext M; and
a process of calculating a tag by encrypting the hash value V using the presence or absence of padding as a parameter.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/353,349 US20140317407A1 (en) | 2011-10-31 | 2012-10-15 | Incremental mac tag generation device, method, and program, and message authentication device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2011239232 | 2011-10-31 | | |
JP2011-239232 | 2011-10-31 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013065241A1 true WO2013065241A1 (ja) | 2013-05-10 |
Family
ID=48191623
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2012/006586 WO2013065241A1 (ja) | 2011-10-31 | 2012-10-15 | Incremental MAC tag generation device, method and program, and message authentication device |
Country Status (3)
Country | Link |
---|---|
US (1) | US20140317407A1 (ja) |
JP (1) | JPWO2013065241A1 (ja) |
WO (1) | WO2013065241A1 (ja) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014136386A1 (ja) * | 2013-03-04 | 2014-09-12 | NEC Corporation | Tag generation device, tag generation method, and tag generation program |
JP2017073716A (ja) * | 2015-10-09 | 2017-04-13 | NEC Corporation | Tag list generation device, tag list verification device, tag list update device, tag list generation method, and program |
JPWO2016063512A1 (ja) * | 2014-10-23 | 2017-08-03 | NEC Corporation | MAC tag list generation device, MAC tag list verification device, MAC tag list generation method, MAC tag list verification method, and program recording medium |
JP2019041228A (ja) * | 2017-08-24 | 2019-03-14 | DENSO Corporation | Electronic control device |
WO2021214922A1 (ja) * | 2020-04-23 | 2021-10-28 | NEC Corporation | Memory processing device, memory verification device, memory update device, memory protection system, method, and computer-readable medium |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10015152B2 (en) * | 2014-04-02 | 2018-07-03 | International Business Machines Corporation | Securing data in a dispersed storage network |
EP3228044B1 (en) * | 2014-12-03 | 2019-02-20 | Nagravision S.A. | Block cryptographic method for encrypting/decrypting messages and cryptographic devices for implementing this method |
CN111052670B (zh) * | 2017-09-01 | 2024-02-09 | Mitsubishi Electric Corporation | Encryption device, decryption device, encryption method, decryption method, and computer-readable storage medium |
US10944568B2 (en) * | 2017-10-06 | 2021-03-09 | The Boeing Company | Methods for constructing secure hash functions from bit-mixers |
US11552782B2 (en) * | 2019-07-15 | 2023-01-10 | University Of Florida Research Foundation, Incorporated | Securing system-on-chip (SoC) using incremental cryptography |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2675806B2 (ja) * | 1987-03-03 | 1997-11-12 | Hewlett-Packard Company | Information storage system |
US20020051537A1 (en) * | 2000-09-13 | 2002-05-02 | Rogaway Phillip W. | Method and apparatus for realizing a parallelizable variable-input-length pseudorandom function |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6246767B1 (en) * | 1995-04-03 | 2001-06-12 | Scientific-Atlanta, Inc. | Source authentication of download information in a conditional access system |
US6424717B1 (en) * | 1995-04-03 | 2002-07-23 | Scientific-Atlanta, Inc. | Encryption devices for use in a conditional access system |
BR9815610A (pt) * | 1997-08-01 | 2004-06-22 | Scientific Atlanta | Verificação da fonte de informações de programa em sistema de acesso condicional |
US7430670B1 (en) * | 1999-07-29 | 2008-09-30 | Intertrust Technologies Corp. | Software self-defense systems and methods |
US7362864B2 (en) * | 2003-09-11 | 2008-04-22 | Xilinx, Inc. | Framing of transmit encoded data and linear feedback shifting |
US7487194B2 (en) * | 2006-04-05 | 2009-02-03 | Peter Lablans | Binary and n-valued LFSR and LFCSR based scramblers, descramblers, sequence generators and detectors in Galois configuration |
US8468244B2 (en) * | 2007-01-05 | 2013-06-18 | Digital Doors, Inc. | Digital information infrastructure and method for security designated data and with granular data stores |
WO2010086855A2 (en) * | 2009-01-29 | 2010-08-05 | Fortress Applications Ltd. | System and methods for encryption with authentication integrity |
US8776214B1 (en) * | 2009-08-12 | 2014-07-08 | Amazon Technologies, Inc. | Authentication manager |
2012
- 2012-10-15 JP JP2013541601A patent/JPWO2013065241A1/ja active Pending
- 2012-10-15 US US14/353,349 patent/US20140317407A1/en not_active Abandoned
- 2012-10-15 WO PCT/JP2012/006586 patent/WO2013065241A1/ja active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2675806B2 (ja) * | 1987-03-03 | 1997-11-12 | Hewlett-Packard Company | Information storage system |
US20020051537A1 (en) * | 2000-09-13 | 2002-05-02 | Rogaway Phillip W. | Method and apparatus for realizing a parallelizable variable-input-length pseudorandom function |
Non-Patent Citations (3)
Title |
---|
BELLARE, M. ET AL.: "Incremental Cryptography and Application to Virus Protection", PROCEEDINGS OF THE 27TH ANNUAL ACM SYMPOSIUM ON THEORY OF COMPUTING, 1995, pages 45 - 56, XP000536465, DOI: 10.1145/225058.225080 * |
BONEH, D. ET AL.: "A Survey of Two Signature Aggregation Techniques", CRYPTO BYTES, vol. 6, no. 2, 2003, pages 1 - 10, XP007908032 * |
MARC FISCHLIN: "Incremental Cryptography and Memory Checkers", LECTURE NOTES IN COMPUTER SCIENCE, vol. 1233, 1997, pages 393 - 408 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014136386A1 (ja) * | 2013-03-04 | 2014-09-12 | NEC Corporation | Tag generation device, tag generation method, and tag generation program |
US9787475B2 (en) | 2013-03-04 | 2017-10-10 | Nec Corporation | Device, method, and program for message authentication tag generation |
JPWO2016063512A1 (ja) * | 2014-10-23 | 2017-08-03 | NEC Corporation | MAC tag list generation device, MAC tag list verification device, MAC tag list generation method, MAC tag list verification method, and program recording medium |
JP2017073716A (ja) * | 2015-10-09 | 2017-04-13 | NEC Corporation | Tag list generation device, tag list verification device, tag list update device, tag list generation method, and program |
JP2019041228A (ja) * | 2017-08-24 | 2019-03-14 | DENSO Corporation | Electronic control device |
WO2021214922A1 (ja) * | 2020-04-23 | 2021-10-28 | NEC Corporation | Memory processing device, memory verification device, memory update device, memory protection system, method, and computer-readable medium |
JP7428239B2 (ja) | 2020-04-23 | 2024-02-06 | NEC Corporation | Memory processing device, memory verification device, memory update device, memory protection system, method, and program |
Also Published As
Publication number | Publication date |
---|---|
US20140317407A1 (en) | 2014-10-23 |
JPWO2013065241A1 (ja) | 2015-04-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2013065241A1 (ja) | | Incremental MAC tag generation device, method and program, and message authentication device |
US10009171B2 (en) | | Construction and uses of variable-input-length tweakable ciphers |
KR101809386B1 (ko) | | Authenticated encryption device, authenticated encryption method, and computer-readable recording medium |
US8107620B2 (en) | | Simple and efficient one-pass authenticated encryption scheme |
US8509427B2 (en) | | Hybrid mode cryptographic method and system with message authentication |
JP5704159B2 (ja) | | Block encryption device, block decryption device, block encryption method, block decryption method, and program |
JP2008122967A (ja) | | Message authentication code generation method using a stream cipher, authenticated encryption method using a stream cipher, and authenticated decryption method using a stream cipher |
WO2014136386A1 (ja) | | Tag generation device, tag generation method, and tag generation program |
US11463235B2 (en) | | Encryption device, encryption method, program, decryption device, and decryption method |
JP2004363739A (ja) | | Encryption device or decryption device for common-key cryptography capable of tamper detection |
WO2020213114A1 (ja) | | MAC tag list generation device, MAC tag list verification device, method, and program |
WO2009115824A1 (en) | | Encryption method |
CN102946315B (zh) | | Method and *** for constructing a MAC code in a block-wise manner |
Andreeva et al. | | AES-COPA v. |
WO2021084507A1 (en) | | System and method for encryption and decryption using logic synthesis |
KR20080044150A (ko) | | Apparatus and method for designing a compression function for a block cipher hash mode of operation |
Elkamchouchi et al. | | A new Secure Hash Dynamic Structure Algorithm (SHDSA) for public key digital signature schemes |
CN114124354B (zh) | | Deterministic authenticated encryption and decryption device and method |
Hawkes et al. | | The mundja streaming mac |
Pandey et al. | | Architecture based on MD5 and MD5-512 Bit Applications |
Nu1L Team | | Crypto |
Hasan et al. | | Context-Committing Authenticated Encryptions using Tweakable Stream Cipher |
Lukács et al. | | BITMIX: A hardware accelerated randomized symmetric encryption method |
KR20030001888A (ko) | | Method for designing an encryption algorithm that uses only block information without a key |
JP5818768B2 (ja) | | Mask generation device, information processing device, method thereof, and program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12845875 Country of ref document: EP Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2013541601 Country of ref document: JP Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 14353349 Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 12845875 Country of ref document: EP Kind code of ref document: A1 |