# Encryption/decryption device, encryption/decryption method, information processing device and computer programme

FIELD: information technology.

SUBSTANCE: invention realises a common key block encryption processing with improved immunity against attacks, such as attack by saturation and algebraic attacks (RYAS attacks). In the encryption device which performs common key encryption processing, S blocks which are used as nonlinear conversion processing modules in round functions established in round function execution modules are configured to use S blocks of at least two different types. Such a configuration can improve immunity against attacks by saturation. Furthermore, the types of S blocks are a mixture of different types. Use of such a configuration can improve immunity against algebraic attacks, thereby realising a highly secure encryption device.

EFFECT: harder cryptanalysis and realisation of a highly secure common key block encryption algorithm.

52 cl, 19 dwg

The technical field to which the invention relates.

The present invention relates to a device processing, encryption/decryption, methods of processing of encryption/decryption devices for information processing and computer programs. More specifically, the present invention relates to a processing device encryption/decryption, the method of processing of encryption/decryption, the information-processing device and computer program for processing a block cipher with the public key.

The level of technology

In recent years, with the development of network communication and electronic Commerce, security during data transfer has become an important issue. One of the ways to ensure security is a cryptographic technology. Currently, the data transfer is actually carried out using different ciphers.

For example, was translated into the practical use of the system in which the processing module encryption built into one small device, such as a card with a chip, and the data transmission/reception performed between the card with the chip and the reader/writer is used as a device read/write data, embodying, thus, the processing of authentication or encryption/decryption of transmitted/received data.

Available p is lichnye processing algorithms encryption. These algorithms can roughly be classified on the public key cryptography in which the encryption key and the decryption key set as different keys, such as public key and secret key cryptography, public key, in which the encryption key and the decryption key is set as the shared key.

There are different algorithms for cryptography with a public key. One algorithm includes generating a set of keys based on the shared key with multiple execution of the conversion processing of data from successive increments of the unit (for example, 64 bits or 128 bits) using the generated keys. A typical algorithm that uses this scheme key generation and processing data conversion is a block cipher with the public key.

It is known that, for example, a typical block cipher algorithms with a common key in the past used the DES algorithm (SSD, data encryption Standard), which in the past was the standard code for the United States of America and the AES (USS, Advanced encryption standard), which is a standard code for the United States of America at present.

These algorithms block cipher with the public key, mainly consist of part of the encryption processing, which includes h the STI run roundboy functions which repeatedly perform the conversion of the input data, and a part of the planning of the key that generates round keys used for the respective rounds of the parts roundboy functions. Part of the planning of key generates an expanded key based on the master key (master key), which is a secret key, by increasing the number of bits, and on the basis of the generated extended key generates round keys (extra keys)used in the relevant parts roundboy function of processing encryption.

As a specific structure for implementation of such algorithm known structure, which repeatedly executes the round function, which includes the linear part conversion and part of the nonlinear transformation. For example, the structure of its combining represents a typical structure. The structure of Teustepe has a structure that converts plaintext to ciphertext by simple repetition roundboy functions (F-functions)used as the transformation function data. In roundway functions (F-functions) handle linear transformation and processing of nonlinear transformations. As documents describing the encryption processing using the structure of its combining can be mentioned, for example. Non-patent on the document 1 and non-Patent document 2.

However, when using a block cipher with the public key there is the problem of leakage of keys in the cryptanalysis. The fact that keys can be easily analyzed using cryptanalysis, means that the cipher has low security, causing a serious problem in the application.

Non-patent document 1: K.Nyberg, "Generalized Feistel networks", ASIACRYPT '96, Springer Verlag, 1996, pp.91-104.

He patent Document 2: Yuliang Zheng, Tsutomu Matsumoto, Hideki Imai: On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses. CRYPTO 1989: 461-480

The invention

Technical task

The present invention was made in view of the above problems, and the purpose of the present invention is to provide a processing device, the encryption/decryption processing method of encryption/decryption, the information-processing device and computer program to increase the difficulty of cryptanalysis and implementation of highly secure block cipher algorithm with a public key.

Technical solution

The first aspect of the present invention is aimed at:

the processing device decryption, comprising: a processing module decryption, which handles the conversion of data using a function F, including S-blocks, as roundboy functions on individual rows of data obtained is here split the input data into a number greater than or equal to two, in which the processing module decryption are performed so that it includes different types of S-units in the respective modules of F-functions that have the same input line and output line, and are located next to each other.

In addition, in the embodiment of the invention, the processing module decoding is configured to perform decryption processing using its combining patterns in which the number of data lines (number of divisions) is equal to two, or a generalized structure its combining, in which the number of data lines (number of divisions) is two or more, and the processing module decoding is configured to perform decryption processing using the F-functions that are used as modules run round distance functions that have the same input line and output line, and that are vertically adjacent to each other, in which the nonlinear transformation processing performed in F-functions are set as different S-blocks that perform different types of processing nonlinear transformation.

In addition, in the embodiment of the invention each of the F-functions that are used as modules run round distance functions, includes many S-units, which vypolnyaemogo nonlinear conversion of the respective pieces of data, divided into data intended for processing, and many S-units include at least two different types of S-blocks.

In another embodiment of the invention each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and handling nonlinear transformation performed with successive increments of pieces of data in F-functions that are used as modules run round distance functions that have the same input line and output line and which are vertically adjacent to each other, made with the possibility of installation as other S-units, which perform other types of processing nonlinear transformation.

In addition, in the embodiment of the invention, the types of S-units and the number of individual S-blocks included in each of the F-functions that are used as modules run round distance functions have the same installation of the F-functions.

In addition, in the embodiment of the invention, the processing module decryption is arranged to use, as different s-bit input/output S-units, designed the data for use in the treatment of the nonlinear transformation,
(1) type 1: S-block, using the inverse map: Y=X^{-1}or exponential function Y=X^{q}over the field GF (2^{s}) extension; (2) type 2: S-block is generated by combining many small t-bit S-units, where t<s; and (3) type 3: S-block, randomly selected, at least two different types of S-blocks among the above described three types of S-blocks(1)-(3).

In another embodiment of the invention, the processing module decryption has, in respect of S-units used to perform roundboy functions, (a) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 2; (b) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 3; (C) a configuration in which some of the S-blocks represent the S-blocks of type 2, and the remaining S-blocks are S-units type 3; and (d) a configuration in which some of the S-blocks are S-units, type 1, some of the other S-blocks are S-units of type 2, and the rest of S-blocks are S-units type 3, any one of the above configurations (a)-(d).

In addition, in the embodiment of the invention, the processing module decoding includes, in modules run round distance functions, many blocks, performing a nonlinear transformation processing for the respective pieces of data divided into data intended for processing, and the processing module decoding is configured to perform processing using S-blocks of the same type in a single round and S-blocks other types based on from round to round.

In addition, in the embodiment of the invention, the processing module decoding includes, in modules run round distance functions, S-blocks, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and the processing module decryption is performed with the use of different types of S-units in a single round.

In yet another embodiment of the invention, the types of S-units and the number of individual S-blocks included in each of the modules run round distance functions have the same settings in F-functions.

In addition, in the embodiment of the invention, the processing module decoding is configured to perform decryption processing in accordance with cryptography with a public key.

In addition, in the embodiment of the invention, the processing module decoding is configured to perform decryption processing is according to the cryptography block cipher with the public key.

The second aspect of the present invention is directed to a method of decryption processing, consisting in the execution of the decryption processing in the processing device decryption, comprising: a processing step of decrypting, consisting in the implementation, the decryption processing, the conversion processing of data using a function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number greater than or equal to two, in which stage of the decryption processing is a step of performing conversion processing of data using different types of S-blocks in F-functions that have the same input line and output line and which are vertically adjacent to each other.

In addition, in the embodiment of the invention at the stage of processing of the decryption process of the decryption, in accordance with cryptography shared key cryptography block cipher with the public key.

The third aspect of the present invention is aimed at: a machine-readable recording medium containing recorded thereon a program, the execution of which by a processing device decryption performs the decryption processing, comprising: a processing step of decryption, wherein the processing module Dechy the simulation performs the processing of converting data using the F-function, includes S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number greater than or equal to two, in which stage of the decryption processing is a step of performing conversion processing of data using different types of S-blocks in F-functions that have the same input line and output line and which are vertically adjacent to each other.

In addition, in the embodiment of the invention at the stage of processing of the decryption process of the decryption, in accordance with cryptography shared key cryptography block cipher with the public key.

A fourth aspect of the present invention is directed to: a processing device encryption, comprising: a processing module encryption, which handles the conversion of data using a function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number that is greater than or equal to two, in which the module of the encryption processing is executed so that it includes different types of S-blocks in F-functions that have the same input line and output line, and are located next to each other.

In addition, in a variant implementation is tvline of the invention, the processing module encryption is configured to perform encryption processing using the structure of its combining in which the number of data lines (number of divisions) is equal to two, or a generalized structure its combining, in which the number of data lines (number of divisions) is two or more, and the processing module encryption is configured to perform encryption processing with the use of F-functions are used as modules run round distance functions that have the same input line and output line, and that are vertically adjacent to each other, in which the nonlinear transformation processing performed in F-functions are set as different S-blocks that perform different types of processing nonlinear transformation.

In addition, in the embodiment of the invention each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and many S-units include at least two different types of S-blocks.

In addition, in the embodiment of the invention, each of the R-functions used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data on a cat who are divided data, intended for processing, and handling nonlinear transformation performed with successive increments of pieces of data in F-functions that are used as modules run round distance functions that have the same input line and output line and which are vertically adjacent to each other, made with the possibility of installation as other S-blocks that perform other types of processing nonlinear transformation.

In the embodiment of the invention, the types of S-units and the number of individual S-blocks included in each of the F-functions that are used as modules run round distance functions have the same installation of the F-functions.

In addition, in the embodiment of the invention, the processing module encryption made use of as different s-bit input/output S-units intended for use in the treatment of the nonlinear transformation, (1) type 1: S-block, using the inverse map: Y=X^{-1}or exponential function Y=X^{q}over the field GF (2^{s}) extension; (2) type 2: S-block is generated by combining many small t-bit S-units, where t<s; and (3) type 3: S-block, randomly selected, at least two different types of S-blocks among the above described three types of S-blocks(1)-(3).

In addition,in the embodiment of the invention, the processing module encryption has in respect of S-units used to perform roundboy functions, (a) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 2; (b) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 3; (C) a configuration in which some of the S-blocks are S-units of type 2, and other S-blocks are S-units type 3; and (d) a configuration in which some of the S-blocks are S-units, type 1, some of the other S-blocks are S-units of type 2, and the rest of S-blocks are S-units type 3, any one of the above configurations (a)-(d).

In addition, in the embodiment of the invention, the processing module encryption includes, in modules run round distance functions, S-blocks, which perform processing nonlinear transformation for the respective pieces of data divided into data intended for processing, and the processing module encryption is configured to perform processing using S-blocks of the same type in a single round and S-blocks other types based on from round to round.

In addition, in the embodiment of the invention, the processing module encryption includes all the I, the modules run round distance functions, S-blocks, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and the processing module, the encryption is performed with the use of different types of S-units in a single round.

In yet another embodiment of the invention, the types of S-units and the number of individual S-blocks included in each of the modules run round distance functions have the same settings in F-functions.

In addition, in the embodiment of the invention, the processing module encryption is configured to perform encryption processing in accordance with cryptography with a public key.

In addition, in the embodiment of the invention, the processing module encryption is configured to perform encryption processing in accordance with the cryptography block cipher with the public key.

The fifth aspect of the present invention is aimed at: the information-processing device, comprising: a storage device for storing key data required for cryptographic processing, the processor configured to execute various programs and management of encryption processing, and the processing block encryption, which performs the processing transformed the education data using the F-function, includes S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number that is greater than or equal to two, in which the processing block encryption made so that it includes different types of S-blocks in F-functions that have the same input line and output line, and are located next to each other.

The sixth aspect of the present invention is aimed at: the information-processing device, comprising: a storage device for storing key data required for cryptographic processing, the processor configured to execute various programs and control the decryption processing, and the processing unit of the decryption, which handles the conversion of data using a function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number that is greater than or equal to two, in which the processing module decryption are performed so that it includes various types of S-units in the respective modules of F-functions that have the same input line and output line, and are located next to each other.

It should be noted that a computer program in accordance with the laws the AI with the present invention is a computer program, which may be provided via a storage medium such as the recording media, including CD (KD, CD), FD (HD, floppy disk), MO (MO, magneto-optical disk), or a transmission medium such as a network, which allows us to provide the program in a format that is readable by a computer, for example a computer system that allows you to execute various program codes. By providing such a program in machine-readable format, processing in accordance with the program can be executed in a computer system.

Other aims, characteristics and preferred effects of the present invention will be understood from the following detailed description of embodiments of the present invention and the drawings appended thereto. It should be noted that the system in the present description refers to a logical node from a variety of devices and is not limited to the site in which the device with separate configuration are contained in one case.

Preferred effects

In accordance with the configuration of a variant embodiment of the present invention in the processing device encryption, which performs the processing block cipher with the public key, it is configured to use at least two different types of S-blocks as S-blocks used as the nonlinear processing module is anago conversion, in the runtime roundboy functions. When using this configuration, you can better defend against attacks by way of saturation. In addition, in accordance with the configuration of a variant embodiment of the present invention, in which the type S blocks represent a mixture of different types, it is possible to improve the resistance against algebraic attacks (XSL attacks (CASSOCKS, extensible style language)), implementing, therefore, highly secure processing device encryption.

Brief description of drawings

1 shows a diagram representing the basic configuration of the block cipher algorithm with a public key.

Figure 2 shows a diagram describing an internal configuration of a module of ITS processing block cipher with the public key, illustrated in figure 1.

Figure 3 shows a diagram describing a detailed configuration of the module 12 of the encryption processing, illustrated in figure 2.

Figure 4 shows a diagram describing the round function SPN-structure used as an example of the configuration of the runtime roundboy functions.

Figure 5 shows a diagram describing the structure of its combining is used as an example of the configuration of the runtime roundboy functions.

Figure 6 shows a diagram describing a generalized structure its combining is used as an example of the configuration of the runtime roundboy functions.

7 shows the scheme described is the one specific example of the processing module of the nonlinear transformation.

On Fig shows a diagram describing a specific example of the processing module linear transformation.

Figure 9 shows a diagram describing an example of the General configuration of its combining patterns or generalized structure its combining.

Figure 10 shows a diagram describing a configuration example of the structure of its combining or generalized structure its combining, which is composed of different S-boxes.

Figure 11 shows a diagram describing an example configuration in which different S-blocks are established to improve immunity against attacks by way of saturation.

On Fig shows a diagram describing an example configuration in which different S-blocks are established to improve immunity against attacks by way of saturation.

On Fig shows a diagram describing an example configuration in which different S-blocks are established to improve immunity against attacks by way of saturation.

On Fig shows a diagram describing an example configuration in which different types of S-units is set to improve immunity against algebraic attacks (attacks ROBES).

On Fig shows a diagram describing an example configuration in which different types of S-blocks are placed so that they improve the immunity against algebraic attacks (attacks ROBES).

On Fig shows a diagram describing an example configuration in which different types of S-block size is prevented to improve immunity against algebraic attacks (attacks ROBES).

On Fig shows a diagram describing an example configuration that hosts different types of S-blocks to improve immunity against algebraic attacks (attacks ROBES).

On Fig shows a diagram describing an example configuration in which different types of S-blocks placed to improve immunity against algebraic attacks (attacks ROBES).

On Fig shows a diagram describing an example configuration of the module with the chip that is used as a processing device encryption, which performs encryption processing in accordance with the present invention.

Detailed description of the invention

The processing device encryption processing method of encryption and computer program in accordance with the present invention will be described in detail below. Description will be given in accordance with the following sections:

1. Schematic representation of a block cipher with the public key

2. A configuration in which improved immunity by placing a variety of different S-blocks

(2A) a Configuration in which the immune system attacks the way to improve saturation by placing two or more different types of S-block in the cipher its combining or cipher its combining generic type using S-blocks

(2B) a Configuration in which immunity against algebraic attacks (attacks the ROBED) improve by shmesani the two or more S-units of various types in a block cipher, using S-blocks

(2C) a Configuration in which the above-described approaches (2A) and (2B) at the same time implement the cipher its combining or cipher its combining generalized type, using S-blocks

3. An example of the configuration of the processing device encryption

[1. Schematic representation of a block cipher with the public key]

First will be described the circuit block cipher with the public key that can be used in the present invention. In this description of block ciphers with a shared key (below called block ciphers) are block ciphers defined below.

In a block cipher comes plaintext P and key K as input, and block cipher outputs a ciphertext C. the Length of bits of the plain text and encrypted text is called the block size, which is here marked with the letter n. Although n can be any integer in the General case, n is a preset value for each block cipher algorithm. A block cipher, the block length is equal to n, can be called n-bit block cipher.

The length in bits of the key designated as k. The key can be any integer. A block cipher algorithm with a public key is designed to work with one or multiple key sizes. For example, one algorithm And a block cipher has a block size n=128 and may be the issue is linen with the ability to handle various sizes, that is, the length in bits k=128, k=192 k=256 key.

Individual sizes of bits of the plain text [P], ciphertext [I] and key [K] denote as follows:

plaintext P: n bits

encrypted text: n bits

the key To k bits

Algorithm E is a block cipher with the public key of length n bits, allowing for a key length of k bits, represented in figure 1. As shown in figure 1, in a module of ITS processing block cipher with the public key serves an n-bit plaintext P and a k-bit key K, it performs the specified encryption algorithm and outputs the n-bit ciphertext C. it Should be noted that, although the encryption processing, consisting in generating ciphertext from plaintext, shown in figure 1, when the decryption processing, consisting in generating plaintext from the cipher text, usually use the callback function is E10. It should be noted that, depending on the structure of the module E10 processing encryption, the same module E10 processing block cipher with the public key can also be applied to decryption processing and the decryption processing allows you to change the sequence, such as the order of the input keys or the like.

With reference to figure 2, will be described internal configuration module E10 processing block cipher with the public key, illustrated in figure 1. The block Chi is R can be viewed as having two separate modules. One module is a module 11 planning key, which takes a key as input, extends the length of bits of the input key K by performing the specified steps, and outputs the expanded key K' (length k' in bits), and the other module is a module 12 of the encryption processing that converts the data to generate the encrypted text, taking the extended key K', the input module 11 planning key, receiving a plaintext P as input, and performing encryption processing, applying the extended key K'. It should be noted that, as described above, depending on the structure of the module 12, the encryption processing module 12 of the encryption processing is applicable to the processing of decrypting the data, consisting in converting the ciphertext back into plaintext.

Next, with reference to figure 3, will be described the detailed configuration of the module 12 of the encryption processing, illustrated in figure 2. As shown in figure 3, the processing module 12 encryption is configured to repeatedly execute data conversion, applying module 20 run roundboy functions. Thus, the module 12, the encryption processing can be divided into modules for processing, which constitute the module 20 run roundboy functions. Each module 20 run roundboy function when imeet two pieces of data,
as input, the output, X_{i}module execution roundboy functions in the previous step and round key PK_{i}generated on the basis of an extended key, performs the processing of converting data, and outputs the output data X_{i+1}in the next module execution roundboy functions. It should be noted that the entrance in the first round is an open text or data processing initialization for open text. In addition, the output of the last round is an encrypted text.

In the example illustrated in figure 3, the module 12, the encryption processing has r modules 20 run roundboy functions and made reusable data transformation run r times in the modules perform roundboy function to generate the encrypted text. The number of times of execution roundboy function is called the number of rounds. In the present example, the number of rounds is r.

The input data X_{i}each module execution roundboy functions represent the n-bit data through encryption. The output X_{i+1}roundboy functions in a particular round serves as input to the next round. As the other input to each module execution roundboy functions use data based on the extended key K', the output of module planning the Finance key.
The key entered in each module execution roundboy functions and used to perform roundboy function is called rounder so key. Scheme round key used in the i-th round is denoted as RK_{i}. The extended key K' is designed as, for example, the combined data round distance keys RK_{1}-RK_{r}for r rounds.

The configuration illustrated in figure 3, represents the configuration module 12 of the encryption processing in which the input data in the first round, when they are considered from the input module 12 processing encryption, denoted as X_{0}data output from the i-th roundboy function, denoted as X_{i}and round key denoted as RK_{i}. It should be noted that, depending on the structure of the module 12 of the encryption processing, for example, by setting the sequence of application used for round distance keys, so that they are opposite to the keys in the encryption processing, and when the input encrypted text in the module 12, the encryption processing module 12 of the encryption processing can be executed with the ability to output plain text.

The modules 20 run roundboy function module 12 processing encryption, shown in figure 3, can take various forms. Round functions can be classified in accordance with the structures adopted by the relevant al what oramai encryption. Representative structures include the following:

(a) the SPN structure (WBS, network with the use of substitution-permutation);

(b) the Structure of its combining; and

(c) Generalized structure of its combining.

This specific structure will be described below with reference to figure 4-6.

(a) Round function structure WBS

First of all, with reference to figure 4, will be described round function structure WBS that is used as an example of the configuration of the module 20 run roundboy functions. Module 20A execution roundboy structure functions SPP has the so-called structure of type SP (PP, substitution-permutation), which is connected non-linear transformation level (level S) and a linear transformation level (P-level). As shown in figure 4, the module 20A execution roundboy function structure WBS is built from the module 21 of the calculation of the exclusive OR, which performs an exclusive OR operation (EXOR, OR) for all n-bit input data and the round key, the module 22 processing nonlinear transformation, which takes the result of the operation received by the module 21 of the calculation of the "exclusive OR" as input, and performs a nonlinear transformation of these inputs, module 23 processing linear transformation that takes the result of the nonlinear conversion received by the module 22 processing Nelly is Nanoha conversion as the input data, and performs processing linear transformation of the input data, and the like, the processing Result of the linear transformation obtained by the module 23 processing a linear transformation output in the next round. The output of the last round is an encrypted text. It should be noted that, although the sequence processing module 21 of the calculation of the exclusive-OR module 22 processing nonlinear conversion module 23 processing linear transformation is illustrated in the example shown in figure 4, the sequence of processing modules is not limited to this, and the processing may be performed in other sequences.

(b) the Structure of its combining

Next, with reference to figure 5, will be described the structure of its combining is used as an example of the configuration of the module 20 run roundboy functions. The structure performs its combining, as shown in figure 5, the processing by dividing the n-bit input data from the previous round (input text in the first round) into two equal module data length n/2-bit and extends these two data module for each other based from round to round.

When processing with application module 20b perform roundboy functions with the structure of its combining, as shown in the drawing, one module n/2-bit data and a round key is introduced into the portion 30 F-function. Part 30 F-function is as described the above structure, WBS, the so-called structure of the PP-type, in which the level of the nonlinear transformation (S level) and the level of linear transformations (P level) are connected to each other.

One part of n/2-bit data from the previous round and round key is introduced into the module 31 of the calculation of the exclusive-OR part 30 F-functions and processes "exclusive OR" (OR). In addition, these resulting data is introduced into the processing module 32 nonlinear transformations for nonlinear conversion. In addition, the nonlinear transformation is introduced into the module 33 a linear transformation for a linear transformation. The result is a linear transformation output as obtained from the data processing F-function.

Also, the yield function F and the other module n/2-bit data input from the previous round, served in the module 34 calculating exclusive-OR, and perform the exclusive OR operation (OR). The execution result is set as the input F-function the next round. It should be noted that n/2 bits set as input for the F function i-th round is presented on the scheme used in the exclusive OR operation with the output of the F-function the next round. Thus, the structure of its combining performs the processing of converting data, using the function F, when the exchange of inputs with each other based from round to round is.

(C) Generalized structure of its combining

Further, with Simcoe figure 6, will be described generalized structure of its combining is used as an example of the configuration of the module 20 run roundboy functions. The structure of its combining, which was described above with reference to figure 5, performs processing by dividing the n-bit plaintext into two equal parts having n/2 bits. Thus, the number of divisions d is equal to two when processing. It should be noted that the number of divisions may also be called " number of rows of data.

Generalized structure of its combining sets the number of rows d data (number of divisions), equal to any whole number greater than or equal to two. Various General structure of its combining can be determined in accordance with the value of the number d of data lines (number of divisions). In the example shown in Fig. 6, the number of rows d data (number of divisions) is equal to four, and n/4-bit data type in each line of data. In each round perform one or more of F-functions that are used as round functions. Illustrated example is an example of the configuration of a run round distance operations, using two modules of F-functions in each round.

The configuration of the modules 41 and 42 F-function is similar to the configuration of the module 30 F-functions described above with the reference to figure 5. The modules 41 and 42 F-function is arranged to perform the exclusive OR operation on the round key and the input value, the processing nonlinear transformation and processing of linear transformations. It should be noted that the round key input in each of the modules F-function, regulate in such a way that the number of bits round key coincides with the number of bits of the input bits. In the present example, the number of bits round distance of the keys entered in the appropriate modules 41 and 42 function F, is equal to n/4 bits. These keys are generated by partitioning the bits of each round distance of the keys that make up the advanced key. It should be noted that, let d represents the number of data lines (number of divisions), then the data entered in each line, form n/d bits, and the number of bits of the key entered in each F-function is adjusted so that it was n/d bits.

It should be noted that the generalized structure of its combining is shown in Fig. 6 is a configuration example in which, let d be equal to the number of data lines (number of divisions), then d/2 F-functions in parallel with each other in each round. Generalized structure of its combining may be configured to perform at least one and less than or equal to d/2 number of F-functions in the CA is the home of the round.

As described with reference to Fig.4-6, the module 20 run roundboy function module 12 processing of the encryption block cipher with the public key can have one of the following structures:

(a) SPP (network structure using substitution-permutation);

(b) the Structure of its combining; and

(c) Generalized structure of its combining.

Each of these modules perform roundboy function has the so-called structure-type PP, which are connected to the level of the nonlinear transformation (level S) and a linear transformation (P-level). Thus, each Executive module roundboy function has a processing module of the nonlinear transformation, which performs a nonlinear transformation processing, and the processing module linear transformation that performs the processing of linear transformations. Such configuration of the conversion processing will be described below.

(Module processing nonlinear transformation)

With reference to Fig.7, will be described a specific example of the processing module of the nonlinear transformation. As shown in Fig.7, the module 50 processing nonlinear transformation includes, in particular, an array of m tables nonlinear transformation called S-blocks 51, each of which is s bits as input and generates the s bits as output data, in which the s-bit input data is divided into equal parts s-bit data, and part of these data is injected into the corresponding S-blocks 51 and transform. Each of S-blocks 51 performs the processing of the nonlinear transformation by applying, for example, a mapping table.

There is a tendency that consists in the fact that as the input size increases, also increases the cost of implementation. To prevent this, in many cases, as shown in Fig.7, use the configuration of the separation data X intended for processing into many parts and perform a nonlinear transformation of each part. For example, if the input size is equal to the ms bits of the input data is divided into m pieces of data of size s bits, and m parts s data of size s bits enter into the corresponding S-blocks 51 for the nonlinear transformation by applying, for example, conversion tables, and m pieces of output s-bit data are combined to obtain the ms-bit nonlinear transformation result.

(Module processing a linear transformation)

With reference to Fig, will be described a specific example of the processing module linear transformation. The processing module linear transformation takes as input data, the input value, such as the output value by size ms bits, which represents the output of the S-blocks as input values X, applies linearly the conversion to these input data, and outputs the result size ms bits. Processing linear transformation performs a linear transformation processing, such as processing permutation of the positions of the input bits, and outputs the output value Y of size ms bits. Processing linear transformation applies, for example, the matrix of a linear transformation to the input data, and allows processing permutation of the positions of the input bits. An example of a matrix represents a linear transformation shown in Fig.

The elements of the matrix of the linear transformation applied to the processing module linear transformation, can be, in General, performed as different representations applicable to the matrix, such as the elements in the extension fields GF(2^{8}or elements in the field GF(2). In Fig. 8 illustrates an example configuration of the module processing a linear transformation that receives the ms-bit input and which generate ms-bit output data, and which is defined by a matrix m×m obtained through GF (2^{S}).

[2. A configuration in which improved immunity by placing a variety of different S-blocks]

As described above, a block cipher with a shared key configured to perform encryption processing by multiple runs roundboy functions. Processing block cipher with a public key to them is no problem of leakage of keys in the cryptanalysis. The fact that keys can be easily analyzed using cryptanalysis, means that the cipher has low security, which leads to a serious problem during the application. Hereinafter will be described the configuration of the encryption processing in which the immune system is improved by placing a variety of different S blocks.

As described with reference to Fig.7, the processing module nonlinear transformations that are included in each module execution roundboy functions, includes many S-units, which perform the processing of the nonlinear transformation. If necessary, the table processing General nonlinear transformation is applied to all S-blocks, S-blocks are made so that they had a common non-linear processing of the conversion.

In the present invention proposed a configuration in which attention is paid to the vulnerabilities associated with such similarity to the S-blocks, that is, susceptibility to attacks, namely, cryptanalysis, such as a key analysis, and increase immunity by setting the number of different S-boxes.

Below, as variations of the embodiment of the present invention will be successively described the following three options for implementation.

(2A) a Configuration in which the immune system attacks the way to improve saturation by placing two or more different types of S-block in the cipher Fe is stale or cipher its combining generic type using S-blocks

(2B) a Configuration in which immunity against algebraic attacks (attacks the ROBED) improve by mixing two or more S-units of various types in a block cipher using S-blocks

(2C) a Configuration in which the above-described approaches (2A) and (2B) at the same time implement the cipher its combining or cipher its combining generalized type, using S-blocks

(2A) a Configuration in which the immune system attacks the way to improve saturation by placing two or more different types of S-block in the cipher its combining or cipher its combining generic type using S-blocks

First of all, will be described a configuration in which improved immunity against attacks by way of saturation, due to the placement of two or more different types of S-block in the cipher its combining or cipher its combining generic type using S-boxes.

(2A-1. Brief description of the attack by way of saturation)

First of all, will be described attacks by way of saturation, known as attacks against block ciphers. There are many types of attacks by way of saturation. The first type is the process of attack that uses a feature consisting in that, if the 256 types of values injected simultaneously at a certain position data of the plain text after conversion processing in the round will be done is on for many rounds, all 256 value types appear in a certain position byte output value.

In addition, as another type of attack way to fill the technology exists to attack, which is characteristic, consisting in the fact that the sum of the values appearing in a particular position of the byte after the conversion in the round will be performed for a variety of rounds, is always zero.

For example, the 256 types plaintext P_{0}-R_{255}that is introduced into the processing unit block cipher with the public key that performs the round function, consistently enter data types plaintext P_{0}-P_{255}

P_{0}=(0, 0, 0, 0, 0, 0, 0, 0)

P_{1}=(0, 0, 0, 0, 0, 0, 0, 1)

...

P_{255}=(0, 0, 0, 0, 0, 0, 0, 255)

It should be noted that, in the above representation, each [0] indicates 1 byte data 0.

When consistently give these types plaintext P_{0}-P_{255}, the output values obtained after processing the data conversion will be performed for certain rounds, denoted as_{0}-C_{255}as follows:

With_{0}=(C_{0}, ?, ?, ?, ?, ?, ?, ?)

With_{1}=(c_{1}, ?, ?, ?, ?, ?, ?, ?)

...

C_{255}=(C_{255}, ?, ?, ?, ?, ?, ?, ?)

In the above-described output values [?] can represent any bit value.

This is the output values With_{
0}-S have, as described above, the characteristic, which is that all 256 value types with_{0}-C_{255}appear at a certain position of the byte (the first byte location in the above example). If you know in advance, as noted above, when the values from 0 to 255 appear once, without distinction of order of appearance, the attack can be performed using this characteristic. It is known that the round keys can be estimated by analyzing the output values resulting from successive changes of the input values.

In addition, in the case when sum (OR) of values with a_{0}-C_{255}in a certain position byte included in the output From_{0}-C_{255}zero, it is possible to perform the attack (cryptanalysis), using this feature. Thus, the keys can be assessed by serial input 256 types plaintext P_{0}-P_{255}and analyzing the output in a certain position bytes.

When the results of the conversion modules roundboy functions have output with a certain regularity, such as described above, that is, see all 236 value types with_{0}-C_{255}or

sum (OR) of values with a_{0}-C_{255}in a certain position of the byte is equal to zero,

at the conclusion with the manifestation of such regularity, attack with the special saturation is a technology attacks (analysis), performed on the basis of this regularity.

Therefore, in order to obtain the cipher-protected against attacks by way of saturation, at the stage of designing cipher effectively perform the configuration of the cipher in such a way as not to generate such specific output, as the output modules roundboy functions. It should be noted that the attack method of saturation are not limited to analysis based on the from-byte-to-byte (8 bits); attacks using a similar characterization can be performed on arbitrary length bits.

(2A-2) Problems in the processing of encryption using its combining patterns or generalized structure its combining

Next will be described the problems encountered in the processing of encryption, using its combining patterns or generalized structure its combining.

As regards the structure of its combining or generalized structure its combining both of them are made so as to repeat the round operation using the module function F PP-type, which includes the processing module nonlinear transformation and processing module linear transformation as described above with reference to figure 5 and 6. In the structure of its combining the number of data lines (number of divisions) is limited to two; however, in the generalized structure of its combining the difference is that the number of rows of data (the number under the s) is set to any number, greater than or equal to.

In the following description assumes a configuration in which, when the encryption processing using its combining patterns or generalized structure its combining use of S-blocks in terms of handling nonlinear transformations, each F-function, which represents the runtime roundboy functions. As described above with reference to Fig.7, S-blocks, respectively, is performed, for example, by applying tables nonlinear conversion processing nonlinear transformation of the m parts of the s-bit data, which is shared by the data size ms bits, which is introduced into the processing module nonlinear transformation.

As described above, as for the F-functions used to perform round distance functions in a conventional block cipher, the same F-function repeatedly used in each round. The structure of its combining or generalized structure of its combining, in which one and also F-funky installed in each round, are more susceptible to the above attacks by way of saturation. The reason for this will be described with reference to Fig.9.

Figure 9 shows a diagram representing the configuration of the cut out section of its combining patterns or generalized structure its combining. Thus, two modules that perform round function, namely, F-functions 101 and 102 included in the cipher with the structure of uroi its combining or generalized structure of its combining it is shown in Fig. 9. These two F-functions 101 and 102 are F-functions that have the same line (x) of the input data and row (y) of the output data, and are vertically adjacent to each other.

Two F-funkii 101 and 102 include modules calculating the exclusive-OR who count function "XOR" with rounder so the key, the processing modules of the nonlinear transformation and the processing modules linear transformation. In this example, the processing function F 101 and 102 are designed to run 32-bit input and output processing. Each module handles nonlinear transformations include four S-block, and each of S-blocks accepts 8-bit input data, and generates 8-bit output.

Position from a to J shown in Fig. 9, represent different types of data that is indicated by the following data types.

A: login to the previous F-function 101;

In: the output of the previous function F 101;

With the entrance to the next F-function 102;

D: the output of the subsequent F-function, 102;

E: data of the exclusive OR operation with the output of the previous function F 101;

F: data of the exclusive OR operation with the data And;

G: the result of exclusive OR operation on the data In and data E;

N: the result of exclusive OR operation on the data D and data G;

I: input round key of the previous F-function 101; and

J:input round key in the next F-function 102

In the following description, when 32-bit data intended for processing each of the F-functions 101 and 102, is presented in increments of 1 byte (eight bits), for example, if the data And represent a 32-bit data, they represent the combined data of 1 byte (8 bits) data[0], [1], [2] and [3], and the data will be presented, as described above:

And=[0])[1])[2])[3].

Here it is assumed that, for example, 256 data types used outdoor the text to enter in the configuration of the encryption processing shown in Fig.9

P_{0}=(0, 0, 0, 0)

P_{1}=(1, 0, 0, 0)

...

P_{255}=(255, 0, 0, 0),

these types plaintext P_{0}-P_{255}sequentially injected. It should be noted that in the above representation, each[0], [1], ... [255] denotes the data size of 1 byte.

It is assumed that these input values are used as input data for the previous function F 101 shown in Fig.9. Data And represent the data, such that, as described above, when watching 256 data types, it is assumed that all of these 256 values from 0 to 255 appear in the first byte And[0], and the remaining provisions of bytes are fixed with the same value (this is due to the fact that the attacker attempting to start the attack by way of the saturation signal in order to generate such a situation, controlling the input of plain text).

In addition, assuming that the data value F for the exclusive OR operation with the data And remains fixed all the time when processing serial input described above 256 data types And ensures that all 256 values from 0 to 255 appear in the first byte [0] of the input data With the subsequent F-function 102, and that the other provisions of bytes are fixed with the same value.

In this case, depending on combinations of the following values of data elements:

I: round key entered in the previous F-function 101;

J: round key input in the next F-function 102; and

F: data for the operation of exclusive-OR data And,

always satisfies the following equation:

[0] (OR) I [0] = FROM [0] (OR) J [0]

The above equation can be fair.

It should be noted that (OR) denotes the exclusive OR operation, and that

[0] (OR) I [0] denotes the exclusive OR operation for the data [0] and data [0], and

[0] (OR) J [0] denotes the exclusive OR operation for data [0] and data J [0].

Equation: A [0] (OR) I [0] = FROM [0] (OR) J [0]

This equation means that the same value is always injected into two S-block in the two F-functions 101 and 102. These S-blocks perform the same processing nonlinear transformation, and output the same you the same value for the same input values. Therefore, these two S-block of the two F-functions 101 and 102 always have the same outputs. The same output S-blocks linearly transform with the matrix of processing modules linear transformation of the individual F-functions 101 and 102, and the results display in the modules calculate the "exclusive OR" on-line data (y) from the right side. These modules calculate the exclusive OR represent modules 111 and 112, shown in the diagram.

Values In a and D, the output of these two F-funky 101 and 102 modules 111 and 112 of the calculation of the "exclusive OR", respectively, have specific differential value Δ. Thus,

(OR) Δ=D.

In this case, the module 111 calculation of the exclusive-OR calculates data G by calculating

G=B (OR) E,

and the module 112 calculation of the "exclusive OR" counts

N=G (OR) D.

Since G=B (OR) E and b (OR) Δ=D, the above equation H=G (OR) D represents:

H=B (OR) E (OR) (OR) Δ

= E (OR) Δ.

Thus, the result of exclusive OR operation on values that have a fixed differential value is a fixed value of Δ, and, as a result of

H = B (OR) E (OR) (OR) Δ

= Δ (OR) E

= E (OR) Δ.

Thus, the output N of the module 112 calculation of the exclusive-OR is the result of exclusive OR operation on the data E and the fixed value is Δ. Although the round function (F-function) is performed in two stages, as a result of these data do not perform the permutation. Using this characteristic, can be easily obtained evaluation round key of the subsequent round. Thus, if there is a subsequent round, temporarily set the key used in this round to decrypt the data until the data N, and check that it is possible or not to observe this characteristic, probabilisticly way of identifying whether temporarily used the correct key or not. In other words, we can estimate the round key, and you can analyze using the attack by way of saturation.

To eliminate such situations, the plot of the matrix used in the processing of linear transformations, can be changed depending on the position of each F-function. When the S-blocks separate F-functions are the same, if there is a condition, similar to that described above, depending on the relationship between the elements of the matrix of linear transformation, some of the bytes may offset each other when the output D last F-function 102 is subjected to the processing of exclusive-OR data G, resulting in a favorable situation for the attacker.

Accordingly, when processing non-linear transformation is the same configuration used at least, for many of the F-functions that output data in a single row, you can assess the keys to attack by way of saturation. In addition, depending on the S-blocks, as a result of their operations (OR), i.e.,

S (A [0] (OR) I [0] (OR) S (S [0] (OR) J [0])

as a result, their results cannot be considered desirable case, when there are all 256 values from 0 to 255. In normal conditions, even in the case when both o And [0] and [0] output 256 different types of values, results of operations (OR) a [0] and [0] may not necessarily occupy all of the 256 types of output values. However, this situation may occur depending on the S-blocks. If there is an unexpected situation, information that can be used to perform attacks (information indicating that all values are different), retain for the next stage, resulting in a favorable situation for the attacker.

(2A-3) a Method of improving immunity using many types of S-blocks

An example configuration to increase the difficulty of assessing keys when performing the attack by way of saturation will be described below. Thus, even when satisfied the above conditions, the processing modules of the nonlinear transformation of individual F-functions, namely, S-blocks, made in affect, the, data data before and after performing roundboy functions not be equivalent due to the displacement data.

A specific example will be described below with reference to figure 10. Configuration illustrated in figure 10, represents, as in figure 9, the configuration of the cut out section of its combining patterns or generalized structure its combining. Figure 10 illustrates the F-function 201 and 202, which have the same input row (x) data and the output line (y) data, and which are vertically adjacent to each other.

These two F-functions 201 and 202 include modules calculating the exclusive-OR who count function "XOR" with raundovyj keys, the processing modules of the nonlinear transformation and the processing modules linear transformation. F-function 201 and 202 is configured to perform processing 32-bit input and output data. Each processing module of the nonlinear transformation includes four S-block, and each of S-blocks accepts 8-bit input data, and generates 8-bit output.

Same as figure 9, the positions A-J, presented in figure 10, indicate the following data types:

A: login to the previous F-function 201;

In: the output of the previous function F 201;

With the entrance to the next F-function 202;

D: the output of the subsequent F-function, 202;

E: the data for operation except for the surrounding OR from the output from the previous F-function, 201;

F: data for the operation of exclusive-OR data And;

G: the result of exclusive OR operation on the data In and data E;

N: the result of exclusive OR operation on the data D and data G;

I: round key entered in the previous F-function 201; and

J: round key input in the next F-function 202

In the configuration shown in Fig. 10, S-blocks nonlinear transformation modules installed in the previous F-function 201 and subsequent F-function 202, respectively, are executed with the use of different S-blocks [S1] and [S2].

Thus, S-blocks [S1], handles the nonlinear transformation in the previous F-function 201 and S-blocks [S2]that handles the nonlinear transformation in the next F-function 202, performs various types of processing nonlinear transformation. In particular, S-blocks [S1] and [S2] handle nonlinear transformation using, for example, different tables nonlinear transformation. S-blocks [S1] and [S2], may not have the same output for the same input data.

Here it is assumed that the individual S-blocks S1 and S2 represent two different S-block, satisfying the following conditions.

Assuming that separate S-blocks S1 and S2 are S-units that handle non-linear transformation from an n-bit input given is burnt and n-bit output data, the following conditions are met:

(Condition 1)

If all parts of the S-bit data, namely, 2^{s}data x, sequentially injected into any of the S-bit data,

the output S1 (x) of the first S-block [S1] for the input data [x]

the output S2 (x (OR) S-block [S2] for the input data [x (OR) s]

have at least one different value.

Thus,

S1 (x) (OR) S2 (x (OR) s)

the above equation does not receive a fixed value.

In addition,

(Condition 2)

if all parts of the S-bit data, namely, 2^{s}data x, sequentially injected into any S-bit data,

the output S1 (x) of the first S-block [S1] for the input data [x]

the output S2 (x (OR) S-block [S2] for the input data [x (OR) s] has at least one value is a duplicate. Thus,

S1 (x) (OR) S2 (x (OR) s)

in the above equation will never see all 2^{s}.

This represents a condition, which is that if figure 10 suggest that

data And represent [x], and

data F are [C]

the output S1 (x) S-block [S1] previous F-function 201 and

the output S2 (x (OR) S-block [S2] subsequent F-function 202

will not be the same, or not all the results of exclusive OR operation on the outputs will represent different values.

Two S-block [S1] and [S2], udovletvoryushih the conditions installed, as shown in figure 10.

Thus, a particular function F uses the module handle nonlinear transformation using only the S-blocks [S1], and the next F-function uses module processing nonlinear transformation using only S-blocks [S2]. If there are additional rounds after that, the S-blocks [S1] and [S2] similarly set in this order in the processing modules nonlinear transformation of the individual F-functions.

When configuring processing nonlinear transformation so that she was different, that is, when you install many different S-blocks in vertically adjacent F-functions with the same input line and output line, you can significantly reduce the probability of occurrence of data in the output string so that they have a strong correlation with what appears in the same line of output before performing roundboy functions.

Thus, the use of S-units conform to the above (condition 1), ensures that even in the case when the two inputs S-block having a fixed difference, results of operation "exclusive OR" on their outputs have different values, at least once, which guarantees, in such a way that the outputs will not be completely offset from each other.

In addition, the use of S-BL the Cove, conform to the above (condition 2), ensures that even in the case when the inputs in these two S-block having a fixed difference, results of operation "exclusive OR" on their outputs have duplicate values, at least once, thus, degrades the characteristics that you can use when organizing the attacks. Therefore, when the two S-blocks in the manner described above, it is possible to minimize conditions favorable for the attacker, who organize attacks by way of saturation. Thus, it is possible to expect improvement of immunity against attacks.

Thus, even when the values entered in the S-blocks separate F-functions 201 and 202, equal figure 10, that is, even if

[0] (OR) I [0] = FROM [0] (OR) J [0],

the values output from the S-blocks in a separate F-functions, namely,

S1[0](OR) I [0])

S2 (WITH [0] (OR) J [0])

will not be the same in all cases. As a result, the output b and D F-function the F-function 201 and 202 will not be completely identical. If this does not occur such a situation, as described with reference to Fig.9, when true

E=N (OR) Δ

and you can resolve the situation when the probability of the data in one row of data before and after the execution roundboy functions (F-functions), has a fixed difference.

When many different S-units, which is haunted perform different types of processing nonlinear transformation in vertically adjacent F-functions have the same input line and output line, the difficulty of the attack by way of saturation can be significantly improved, and you can improve the immunity against attacks.

(System 1 development)

In the above with reference to figure 10 configuration taking into account only the relationship between the two F-functions and receive the condition, consisting in the fact that different S-blocks set in the two F-functions. A similar idea is applicable to three or more F-functions. For example, it is possible to expect improvement of immunity against attacks by way of saturation when many different S-blocks in F-functions, as shown in figure 11.

Figure 11 illustrates the configuration of the cut out section of its combining patterns or generalized structure its combining. Figure 11 illustrates the three F-functions 211-213, which have the same row (x) of the input data and row (y) of the output and which are vertically adjacent to each other.

S-blocks [S1] is set in the module processing nonlinear transformation function F 211;

S-blocks [S2] is set in the module processing nonlinear transformation function F 212; and

S-blocks [S3] set in the module processing nonlinear transformation function F 213.

It should be noted that S1≠S2≠S3.

Thus, the conditions required for many S-units must submit with the battle:

(Condition 1)

Set sets S1, S2, ..., Sk for k (k>2) S-blocks and a pair of two different S-block S_{i}and S_{j}(i≠j). If all possible 2s data x will be set as the input data for any with,

S_{i}(x) and

S_{j}(x (OR) s)

the output of these S-blocks are not completely contradict each other, and S-units take different values at least once. Thus,

the result of the operation "exclusive OR" S_{i}(x) and S_{j}(x (OR) s) does not lead to a fixed value.

In addition,

(Condition 2) is given by the sets S1, S2, ..., Sk for k (k>2) S-blocks, and a pair of two different S-block S_{i}and S_{j}(i≠j). If all possible 2^{n}data x will be set as inputs for any with,

S_{i}(x) and

S_{j}(x (OR) s)

the outputs of these S-blocks do not have all the 2^{n}values that appear once. Thus, the outputs of S-blocks have at least one value is a duplicate.

When installing the sets S1, S2, ..., Sk of S-blocks that meet these conditions and when placing these F-functions in the set of F-functions that have the same line (x) of the input data and row (y) of the output data, and which are arranged in series vertically next to each other, the possibility of data inconsistencies that appear in the output string data that appear in the same line of output before the implementation of the m roundboy functions can be significantly reduced. As a result, it is possible to significantly increase the difficulty of the attack by way of saturation, and can be improved immunity against attacks.

(System 2 development)

Considering practical ways embodiment, even when multiple types of S-blocks included in a single function F, it may be desirable to have the same combination of S-blocks was included in each F-function.

Thus, when the data conversion corresponding to F-functions, perform, using, for example, hardware or software, if the same combination of S-blocks will be included in each F-function hardware or software tools used as F-function, can be performed as the same hardware or software means, and data conversion based on the F-functions can be performed in each round only when the input and output data in each round, in accordance with need.

A specific example will be described with reference to Fig. As figure 10, Fig illustrates the configuration of the cut out section of its combining patterns or generalized structure its combining. On Fig illustrates the F-function, 221 and 222 that have the same line (x) of the input data and row (y) of the output data which are vertically adjacent to each other.

Four S-block, including the ones in the previous F-function 221, are arranged in the order S1, S2, S1 and S2 from the top down, and S-blocks included in the next F-function 222 in the next round, are arranged in the order S2, S1, S2 and S1 from top to bottom.

It should be noted that S1≠S2.

With this installation, if embodied configuration that allows you to perform two S1 and two S2 parallel to each other, F-function, 221 and 222 can be performed using this configuration. Accordingly, it is possible to reduce the cost of the incarnation, and the device can be made more compact.

Also, in the configuration presented on Fig, processing nonlinear transformation is applied to the respective row of bits in a separate F-functions 221 and 222 in the following order:

from S1 to S2, or

from S2 to S1,

and processing of the respective bit data (for example, in each module the size of a byte) is a processing similar to the processing described with reference to figure 10. As a result, a similar effect can be achieved, that is, the probability of data inconsistencies that appear in the output string with data that appear in the same output line, before performing roundboy function, can be significantly reduced. As a result, the difficulty of the attack by way of saturation can be significantly increased, and it is possible to improve the immunity against these attacks.

Another concrete example is presented nafig. As figure 11, Fig illustrates the configuration of the cut out section of its combining patterns or generalized structure its combining. On Fig illustrates three F-functions 231-233, which have the same row (x) of the input data and row (y) of the input data which are vertically adjacent to each other.

Four S-block included in the initial F-function 231, are arranged in the order S1, S2, S3 and S4 from the top down. Four S-block included in the average F-function 232 in the next round, are arranged in the order S2, S3, S4 and S1 from the top down. Then four S-block included in the average F-function 233 in the next round, are in the order of S3, S4, S1 and S2 from top to bottom.

It should be noted that S1≠S2≠S3≠S4.

With this installation, will be realized if the configuration allows you to perform S1-S4 parallel to each other, all F-function, 231 and 233 can be performed using this configuration. In line with this, the price of the embodiment can be reduced, and the device can be made more compact.

Also in the configuration shown in Fig, processing nonlinear transformation applied to the respective bit lines in a separate F-functions 231-233 presented in the following order:

S1, S2, S3, S4, S1, S2, ...,

and processing of the respective bit data (for example, each module the size of a byte) is a treatment which, similar to the processing described with reference to figure 10 or 11. As a result, can be achieved a similar effect, that is, the probability of inconsistent data in the output string with data that appear in the same output line, before performing roundboy functions can be significantly reduced. As a result, it is possible to significantly increase the difficulty of the attack by way of saturation, and can be improved immunity against attacks.

(2B) a Configuration in which immunity against algebraic attacks (attacks the ROBED) improve by mixing two or more S-units of various types in a block cipher using S-blocks

Next will be described a configuration in which improved immunity against algebraic attacks (attacks the ROBED) by mixing different types of S-blocks in a block cipher using S-boxes.

(2B-1) a Brief description of algebraic attacks (attacks the ROBED)

First will be described an algebraic attacks (attacks the ROBED), which are known as attacks on block ciphers. Algebraic attacks (attacks the ROBED) on block ciphers are attacks that use algebraic representation of S-blocks. When the input and output of S-blocks are represented as algebraic expressions, you can display the set of expressions. The complexity of the calculations to attack varies from Maxim is a high order of expressions and the number of members, included in the expression.

As one example of an algebraic attack (attack of VESTMENTS), there is a way using Boolean expressions. For example, given a block cipher, includes many S-units, each of which receives 8-bit input data, and generates 8-bit output, and let the input bits and output bits from each S-box with 8-bit input/output will be expressed as follows:

input X: (x1, x2, x3, x4, x5, x6, x7, x8), and

output Y: (y1, y2, y3, y4, y5, y6, y7, y8),

then estimate the number of expressions that Express using square or lower-order Boolean expressions.

More specifically, they estimate the number of polynomials, including square or lower order members, such as

(1, xi, yi, xixj, yiyj, xiyj),

which can be obtained by expressing the above-described input X and output Y data as a Boolean expression.

When expression of a lower order, such as expressions in which the maximum order is a second order, choose from all of the Boolean expressions represented thus, if you choose a more independent expressions, and if the number of members is small, the situation becomes more beneficial to the attacker. Therefore, if you choose a more independent expressions, in which Maxim the local order is limited to the second order or the like, and if the number of members is small, the situation is advantageous for the attacker and is poor immunity against attacks.

In addition to Boolean expressions, if algebraic expressions low order can be withdrawn within the field definitions, such as field GF (2^{8}extension, a similar technique can be used to easily organize algebraic attack (attack of the ROBES), which means poor immunity against attacks.

(2B-2) the Problem of the use of S-blocks of the same type

Next will be described a configuration problem, in which the use of S-units of only one type in a block cipher using S-blocks, that is, the problem consisting in the fact that increases the likelihood of implementation in practice of algebraic attacks (attacks of ROBES).

There are the following three representative type s-bit S-units, which perform non-linear transformation using the n-bit input and obtaining the n-bit output:

type 1: S-block using an inverse maps: Y=X^{-1}or exponential functions Y=X^{p}within the field extension GF (2^{s});

type 2: S-blocks generated by combining many S-units, the input and output bits of which is smaller than s bits, for example, four bits; and

type 3: S-block is selected randomly.

These three types are representative of the I.

In particular, type 1 and type 2 are S-units, which are often used because of low cost hardware (H/W, AC).

Below, for each of the above types 1-3 will be described problem associated with the configuration, which uses S-units of only one type, that is the problem, consisting in the fact that increases the likelihood of algebraic attacks (attacks of ROBES).

<Problem type 1>

Problem type 1, that is, the problem of S-blocks, using the inverse map: Y=X^{-1}or exponential functions Y=X^{p}for GF (2s), will be described below.

For example, in the case when the S-block, using the inverse map on GF (2^{8}) is represented as a Boolean expression, it is known that the representation includes approximately twenty-independent quadratic expressions and approximately eighty members. Similar simple matching can be found in the case of exponential functions. In addition, a similar line is expected to be valid for S-blocks defined not only in GF (2^{8}), but also in GF (2^{s}).

Using such representations in the form of polynomials, we can estimate the computational complexity for algebraic attacks (attacks the ROBED). During development of the cipher you want to use a sufficient number of S-units in order to ensure that the residual high complexity of the calculations to ensure safety.
In addition, S-block, using the inverse map on GF (2^{s}) can be obtained algebraic representation, such as XY=1 in GF (2^{s}), and can be derived polynomials of low order. It is known that there are ways to exploit these characteristics. A similar result can be applied to exponential functions.

Since two types of algebraic characteristics are used in the cipher using S-blocks using inverse map or exponential functions on GF (2^{s}), the design of the cipher should consider these two types of algebraic specifications.

It should be noted that the same applies to the S-blocks generated by adding the affine transformation before/after inverse maps and exponential functions.

<Problem type 2>

Next will be described the problem type 2, that is, the problem of S-block is generated by combining many smaller (for example, 4-bit S-boxes.

Consider the 8-bit S-block is generated by combining many small S-units, taking into account, for example, 4-bit input data and the formation of the 4-bit output. It is known that 8-bit S-block can be performed using three to five 4-bit S-boxes. For the organization of algebraic attacks (attacks the ROBED), square-or lower-order Boolean mnogokr which are output from the input and output bits of 4-bit S-boxes. Since the sum of the input and output bits is eight, it is known that there are approximately twenty or so independent expressions, represented by polynomials of low order. Therefore, using this feature, you can organize an attack. This trend is applicable to the case in order to make the S-block with large input/output data, configure larger S-block using a smaller S-boxes.

However, as the advantages of this method, since the probability of a simple algebraic relation that exists in the field GF (2^{s}), for example, as in the case of the use of S-blocks using inverse map on GF (2^{8}), is significantly reduced, it is known that the computational complexity for the attack increases. This means that, compared with the previous S-blocks, there are both advantages and disadvantages against algebraic attacks (attacks ROBES).

<3>

Next will be described the problem of type 3, i.e., the problem of randomly selected S-block. It is expected that the S-blocks, selected randomly, are not algebraically weak characteristics, as described above, and therefore, these S-units, is expected to provide high protection against algebraic attacks (attacks the ROBED). However, the hardware cost is about the incarnation is very high. Therefore, it is preferable not to do all S-blocks, S-blocks, randomly selected.

Configuration (2B-3), in which the immune system is increased by the use of many types of S-blocks having different algebraic specifications

Taking into account the above issues the following is a description of the configuration in which immunity against algebraic attacks (attacks the ROBED) using Boolean polynomials and against algebraic attacks (attacks the ROBED) using GF (2^{s}) can be improved through the use of two or more types of S-blocks having different algebraic characteristics, and in which the efficiency of the embodiment in the form of hardware (a/C) improved to an even greater extent than in the case when all S-blocks are S-units, randomly selected.

As described above, there are three representative type s-bit S-units, which perform non-linear transformation, given an s-bit input data, and form s-bit output:

type 1: S-block using an inverse maps: Y=X^{-1}or exponential functions Y=X^{p}in the field GF (2s) extension;

type 2: S-block is generated by combining many small t-bit S-boxes (where t<s); and

type 3: S-block is selected randomly.

These three types are representative of the type is.

In this variant embodiment the mixed use of these different types of S-units makes it possible to implement a configuration in which improves immunity against algebraic attacks (attacks of VESTMENTS), and increases the efficiency of the incarnation in the form of hardware (a/C). Thus, the mixed use of two or more S-units of different types in a block cipher using S-units makes it possible to implement a configuration in which improves immunity against algebraic attacks (attacks the ROBED). It should be noted that it is only necessary that the configuration of the encryption processing, which is applicable to the present variant embodiment, must be a configuration of the encryption processing with S-blocks that handle nonlinear transformation. For example, the configuration of the encryption processing is applicable to any of the following configuration of the encryption processing, which have been described above, that is:

(a) structure of PSC (Network lookup-permutations);

(b) the Structure of its combining; and

(c) generalized structure of its combining.

In this example, the processing of S-blocks used as the processing modules nonlinear transformations included in the round function to perform conversion processing of the data, represent any one of the following units (a)to(d):

(a) a configuration in which the neck is that of S-blocks are S-units, type 1, and the rest of S-blocks are S-units type 2;

(b) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 3;

(c) a configuration in which some of the S-blocks are S-units of type 2, and the remaining S-blocks are S-units type 3; and

(d) a configuration in which some of the S-blocks are S-units, type 1, some of the other S-blocks are S-units of type 2, and the remaining S-blocks are S-units type 3.

For example, in the case described above setup (a)

it is necessary to consider theoretical cipher, in which half of the S-blocks used as the processing modules nonlinear transformations included in the round function to perform conversion processing for data of type 1, i.e., S-blocks, using the inverse map on GF (2^{8}), and the remaining S-blocks are excluded. Assess the complexity of the calculation in the organization algebraic attacks (attacks the ROBED), using Boolean expressions on theoretical cipher. If it is judged sufficient computational complexity, the rest of S-blocks configured as S-blocks of type 2, that is, 8-bit S-blocks generated by combining many small 4-bit S-boxes.

When using the configuration of the encryption processing with mesh type 1 and type 2
as described in the above item (a), if a sufficient immunity can be provided based on the evaluation of computational complexity in GF (2^{8}), a block cipher in which the immunity is improved, can be generated in comparison with a case in which use separately S-blocks of each type.

This effect is not limited to the above-described installation. Similarly, in any of the above cases (a)-(d), the configuration processing encryption installed in such a way that even a limited number of S-units makes it possible to provide a sufficiently strong immunity against algebraic attacks (attacks of VESTMENTS), and the remaining S-units can be identified with regard to the effectiveness of the incarnation or the like.

Specific examples of the configuration of the encryption processing, which includes the layout of the different types of S-blocks, as in the above cases (a) through (d)will be described with reference to Fig-18. Each of the examples shown in Fig-18, represents the configuration of the encryption processing with the modules perform roundboy functions in six rounds. Each module execution roundboy function includes the processing module nonlinear transformation, which includes a set of S-blocks, and the processing module linear transformation.

On Fig illustrates an exemplary block cipher SPP with six rounds, and ka is every round includes ten S-blocks. Block cipher SPP performs data conversion, including the level of non-linear transformation (S-level) and level linear transformation (P level) in each round. Ten S-blocks included in each round, take the appropriate parts of the input data, which divide the input data as input, processes of nonlinear transformation, and display part of the data after nonlinear transformation of a linear transformation (P level). Data after linear transformation output in the module perform the following roundboy functions. The output of the execution engine roundboy function at the last stage represents the encrypted text.

In separate modules 301-306 run roundboy functions shown in the diagram, [S_{1}] and [S_{2}] denote the S-block of type 1 and S-block type 2, respectively, which represent the S-blocks used as various types of processing modules nonlinear transformation, as described above.

In the example shown in Fig, presents an example configuration in which,

type 1: S-block using an inverse maps: Y=X^{-1}or exponential functions Y=X^{p}through the field GF (2^{s}) extensions

S-blocks of type 1 are placed in the modules 301-303 run roundboy functions in the previous three rounds, and

type 2: S-block is generated by combining many small S-blocks, such as 4-bit S blocks

S-blocks of type 2 are located in the modules 301-303 roundboy functions in the last three rounds.

In the configuration shown in Fig, processing nonlinear transformations in previous rounds perform processing using S-units, type 1, and the processing of the nonlinear transformation in the last rounds perform processing using S-blocks of type 2. Algebraic attack (attack the ROBED) usually organized on the basis of the assumption that all S-blocks are blocks of the same type. When the S-blocks of different types are mixed as described above, attack, namely, the analysis becomes difficult. As a result, the implemented configuration of the encryption processing with a strong immunity against cryptanalysis, such as algebraic attacks (attacks of ROBES).

On Fig presents an exemplary block cipher SPP with six rounds, and each round includes ten S-blocks, as Fig.

In the example shown in Fig, presents an example configuration in which,

type 1: S-block, which uses the inverse map: Y=X^{-1}or the exponential function Y=X^{p}over the field GF (2s) extension

S-blocks of type 1 are placed in the modules 321, 323 and 325 run roundboy functions, the first, third and fifth rounds with not is to maintain the rooms, and

type 2: S-block is generated by combining many small S-blocks, such as 4-bit S blocks

S-blocks of this type 2 is posted in modules 322, 324, and 326 run roundboy functions, in the second, fourth and sixth rounds or rounds with even numbers.

In the configuration shown in Fig, processing nonlinear transformation rounds with odd numbers perform the processing of the application of S-units of type 1, and the processing of nonlinear transformations in rounds even-numbered perform processing using S-blocks of type 2. As in the configuration shown in Fig, a mixture of different types of S-units installed in this configuration. In line with this, the implemented configuration of the encryption processing with a strong immunity against cryptanalysis, such as algebraic attacks (attacks of ROBES).

On Fig illustrates an exemplary block cipher SPP with six rounds, and each round includes ten S-blocks, as shown in Fig and Fig.

In the example shown in Fig, presents an example configuration in which

type 1: S-block, using the inverse map: Y=X^{-1}or exponential functions Y=X^{p}over the field GF (2^{s}) extensions

S-blocks of this type 1 placed half of the S-blocks in modules 341-346 run roundboy functions in all rounds, and

type 2: S-block, the generated is output by combining many small S-blocks, such as 4-bit S-blocks

S-blocks of this type 2 is posted, as the other half of S-blocks. Thus, five S-blocks type 1 [S_{1}] and five S-blocks type 2 [S_{2}] included in each of the modules 341-346 run roundboy functions.

Data entered in each of the modules 341-346 run roundboy functions, divided into ten equal parts, and these ten parts enter into the corresponding S-blocks. Among the ten equal parts of d_{1}-d_{10}data, the first half of the pieces of data d_{1}-d_{5}introducing S-units, type 1, and executes the processing of the nonlinear transformation with the use of S-block type 1; and the second half of the pieces of data d_{6}-d_{10}introducing S-blocks of type 2, and the nonlinear transformation processing is performed by using an S-blocks of type 2.

As in the configuration shown in Fig and Fig, a mixture of different types of S-blocks are installed in the configuration shown in Fig. In line with this, the implemented configuration of the encryption processing with a strong immunity against cryptanalysis, such as algebraic attacks (attacks of ROBES).

On Fig illustrates an exemplary block cipher SPP with six rounds, and each round includes ten S-blocks, as shown in Fig-16.

As in the example shown in Fig, the example shown in Fig, is an example of a configuration in which the Oh,

type 1: S-block using an inverse maps: Y=X^{-1}or exponential functions Y=X^{p}over the field GF (2^{s}) extensions

S-blocks of this type 1 placed half of the S-blocks in modules 361-366 run roundboy functions in all rounds, and

type 2: S-block is generated by combining many small S-blocks, such as 4-bit S-blocks

S-blocks of this type 2 is posted as the remaining half of the S-blocks. Thus, five S-blocks type 1 [S_{1}] and five S-blocks type 2 [S_{2}] included in each part 361-366 run roundboy

Data entered in each of the modules 361-366 run roundboy functions, divided into ten equal parts, and these ten parts enter into the corresponding S-blocks. Among the ten equal parts of d_{1}-d_{10}the data part of the odd-numbered data d_{1}d_{3}d_{5}d_{7}and d_{9}introducing S-units, type 1, and executes the processing of the nonlinear transformation with the use of S-block type 1; and part of the even-numbered data d_{2}d_{4}d_{6}d_{8}and d_{10}introducing S-blocks of type 2, and perform the processing of nonlinear transformations, with the use of S-blocks of type 2.

As in the configuration shown in Fig-16, a mixture of different types of S-blocks set in the configuration Fig. In line with this, implement the configuration of the treatments is key encryption with a strong immunity against cryptanalysis, such as algebraic attacks (attacks of ROBES).

In the configurations shown in Fig and Fig, S-blocks, are designed to run parallel to each other in each round, there are five S-blocks type 1 and five S-blocks of type 2. This property is common to all rounds. Therefore, if there be embodied configuration that allows you to perform five S-blocks type 1 and five S-block type 2 in parallel to each other, this configuration can be repeatedly used to run round distance functions in all rounds, resulting in a benefit consisting in reducing the cost of implementation and reducing the size.

An example in which the S-blocks of different types are placed in separate modules 381-386 run round distance functions in the structure of its combining shown in Fig.

The example illustrated on Fig, is an example of a configuration in which,

type 1: S-block, using the inverse map: Y=X^{-1}or exponential functions Y=XP over the field GF (2s) extension

S-blocks of this type 1 placed half of the S-blocks in modules 381-386 run roundboy functions in all rounds, and

type 2: S-block is generated by combining many small S-blocks such as 4-bit S-blocks

S-blocks of this type 2 is placed in the remaining half of the S-blocks. Thus, the two S-block type 1 [S_{1}] and two S-block type 2 [S_{2
] included in each of the modules 381-386 run roundboy functions.}

Data entered in each of the modules 381-386 run roundboy functions, divided into four equal parts, and these four pieces served in the appropriate S-blocks. Of the four equal parts of d_{1}-d_{4}the data part of the odd-numbered data d_{1}and d_{3}introducing S-units, type 1, and executes the processing of the nonlinear transformation with the use of S-block type 1; and part of the even-numbered data d_{2}and d_{4}introducing S-blocks of type 2, and perform the processing of nonlinear transformations, with the use of S-blocks of type 2.

As in the configuration shown in Fig-17, a mixture of different types of S-blocks are installed in the configuration shown in Fig. In line with this, the implemented configuration of the encryption processing with a strong immunity against cryptanalysis, such as algebraic attacks (attacks of ROBES).

It should be noted that, in the examples shown in Fig-18, are illustrated configuration examples, using a mixture of two different types of S-blocks, S-blocks type 1 and type 2. As a configuration with a mixture of different types of S-blocks, a possible configuration with the following different types of mixtures, as described above:

(a) a configuration in which some of the S-blocks are a type 1, and the remaining S-blocks are with the fight type 2;

(b) a configuration in which some of the S-blocks are a type 1, and the remaining S-blocks are a type 3;

(c) a configuration in which some of the S-blocks are a type 2, and the remaining S-blocks are a type 3; and

(d) a configuration in which some of the S-blocks are a type 1, some of the other S-blocks are a type 2, and the remaining S-blocks are of type 3.

In any case, is implemented improved immunity against algebraic attacks (attacks ROBES).

(2C) a Configuration in which the above-described approaches (2A) and (2B) at the same time implement the cipher its combining or cipher its combining generalized type, using S-blocks

Below is a description of an example configuration for the simultaneous implementation of the above-described cases (2A) and (2B) in the cipher its combining or generalized cipher its combining with the use of S-blocks, that is:

(2A) a Configuration in which the immune system attacks the way saturation improved by placing two or more S-units of different type in the code, Fastema or cipher its combining generic type using S-blocks; and

(2B) a Configuration in which immunity against algebraic attacks (attacks the ROBED) improved by mixing two or more different types of S-blocks in a block cipher using S-boxes.

Configuration the Oia in the case described above (2A) is made to improve immunity against attacks by way of saturation, by applying two or more types of S-units in the structure of its combining or generalized structure of its combining. The configuration in the above-described case (2B) is performed to improve immunity against algebraic attacks (attacks the ROBED), using two or more types of S-units in any block cipher using S-boxes.

These configurations in cases (2A) and (2B) can be combined and implemented as a single configuration. Thus, it becomes possible to configure a block cipher having the structure of its combining or generalized structure of its combining with two or more types of S-blocks that satisfy the characteristics required in cases (2A) and (2B), thus simultaneously improve immunity against both types of attacks.

In particular, for each of the S blocks [S1], [S2], [S3], [S4], ... which perform various types of processing non-linear transformation used in each of the configurations in figure 10-13, described in section

The configuration in which the immune system attacks the way to improve saturation by placing two or more different types of S-block in the cipher its combining or cipher its combining generic type using S-units

different types of S-blocks, described in section

(2B) a Configuration in which immunity against algebraic attacks (attacks the ROBED) improve by mixing the two is whether more S-units of various types in a block cipher, using S-blocks

that is,

type 1: S-block, using the inverse map: Y=X^{-1}or exponential functions Y=X^{p}over the field GF (2^{s}) expansion;

type 2: S-block is generated by combining many small S-blocks, such as 4-bit S-blocks; and

type 3: S-block, random,

these three types are installed in mutual communication.

For example, in the configuration shown in figure 10,

by setting the S-blocks [S1] and S-blocks [S2] as S-units of various types, described in section (2B),

implemented configuration with strong immunity against attacks by way of saturation and algebraic attacks (attacks ROBES).

The same applies to the configurations presented on 11-13.

By setting the S-blocks [S1], [S2], ... as different types of S-blocks, described in section (2B),

implemented configuration with strong immunity against attacks by way of saturation and algebraic attacks (attacks ROBES).

[3. An example of the configuration of the processing device encryption]

Finally, an example configuration of the module 700 with chip, is used as the processing device encryption, which performs encryption processing in accordance with the above-described variants of the embodiment shown in Fig. The above processing can be executed by different devices of information processing, such as PC, personal the computer), card with chip, block read / write, etc. Module 700 with the chip, shown in Fig may be implemented as any one of these devices.

The CPU (Central processing unit) 701 shown in Fig is a processor which controls the starting and stopping of processing of the encryption, transmission/reception of data, and data transfer among the individual elements, and performs various other programs. Storage device 702 includes, for example, ROM, a permanent storage device), which contains a program that runs on the CPU (CPU) 701, or fixed data, such as operating parameters, and RAM (RAM, random access memory)used as a save area or work area for a program executed in the processing performed by the CPU 701, and settings, changing, as necessary, during the processing of the executable program. In addition, the storage device 702 can be used as an area of accumulation, for example, for the data keys necessary for encryption processing, conversion tables (tables permutation)used in the processing of encryption, and data supplied to the transformation matrix. It should be noted that the save area data, preferably made as a mass storage device with the structure, protected from aktsionirovannogo intervention.

The processor 703 encryption performs encryption processing and decryption processing in accordance with processing algorithm block cipher with the public key, using one of the following structures in the respective configurations, that is, for example, described above, various configurations of processing encryption:

(a) structure of PSC (Network lookup-permutations);

(b) the Structure of its combining; and

(c) Generalized structure of its combining.

In addition, the processor 703 encryption includes S-blocks used as the processing modules nonlinear transformation, having a configuration corresponding to the variants mentioned above embodiment, that is, the configuration corresponding to any one of the following configurations:

(2A) a Configuration in which two or more different types of S-blocks placed in the cipher its combining or cipher its combining generic type using S-units;

(2B) a Configuration in which two or more different types of S-blocks are mixed in a block cipher using S-blocks; and

(2C) a Configuration in which the above-described cases (2A) and (2B) are simultaneously implemented in the code its combining or cipher its combining generic type using S-boxes.

It should be noted that, although the example in which the processing means encryption is a separate module that was described above, instead of before the provision of such an independent processing module encryption for example, the processing program encryption may be stored in ROM, and the CPU 701 may be configured to read and execute this program, stored in ROM.

Generator 704 random numbers performs the processing of generating random numbers that are needed, for example, to generate the key used for encryption processing.

The transmitter/receiver 705 is a CPU data transfer, which performs data communication with external devices. For example, the transmitter/receiver 705 performs data exchange with the module with the chip, such as the block read/write, and performs the output cipher text generated in the module with the chip, or receives data from a device such as an external block read/write, as input.

The module 700 with the chip layout has S-blocks used as the processing modules nonlinear transformations, in accordance with the above-described variant embodiments. As a result, the module 700 with chip has one of these configurations:

(2A) a Configuration in which the immune system attacks the way saturation improved by placing two or more different types of S-block in the cipher its combining or cipher its combining generic type using S-units;

(2B) a Configuration in which the immune system against algebraic the ski attacks (attacks the ROBED) improved by mixing two or more different types of S-blocks in a block cipher using S-blocks; and

(2C) a Configuration in which the above-described cases (2A) and (2B) are simultaneously implemented in the code its combining or cipher its combining generalized type, using S-boxes.

In line with this, the module 700 with chip has a configuration in which improved immunity against attacks by way of saturation and algebraic attacks (attacks ROBES).

The present invention was described above with reference to specific variants of the embodiment. However, it should be understood that modifications or alternative variants of the embodiment can be performed by a specialist in the art without going beyond the scope of the present invention. Thus, the present invention has been disclosed in the examples and the disclosure should not be construed as restrictive. To determine the scope of the present invention should refer to the attached claims.

It should be noted that the processing sequence described in the description, can be performed using hardware, software or combinations thereof. When the processing sequence is performed using software, a program that recorded the processing sequence may be installed in a memory device in the computer, which is built in dedicated hardware, and mo is et to be performed. Alternatively, the program may be installed in a General-purpose computer, which allows you to perform various processing, and can be made in this style.

For example, the program may be pre-recorded on the hard disk or ROM (read only memory device)that is used as a recording medium. Alternatively, the program may be stored (recorded) temporarily or permanently on a removable recording medium such as flexible disk, CD-ROM, a persistent storage device on the CD-ROM), disk, MO (magneto-optical disk), DVD (PUD, digital versatile disc), magnetic disk or semiconductor storage device. Such removable recording media can be supplied in the form of a so-called package software.

It should be noted that, in addition to installing the program with the above-described removable recording medium into the computer, the program may be transferred wirelessly transfer data from a download site to the computer or can be transferred by wire to a computer via a network such as a LAN (LAN - local area network) or the Internet, providing the ability for the computer to receive the program transferred as described above, and install the program on the internal recording media such as a hard disk.

The following is the duty to regulate to note, that the various processing described in the description, do not necessarily have to be executed sequentially in the described order, and can be performed in parallel or individually in accordance with the characteristics or needs of the processing device that performs this processing. In addition, the system in the present description refers to the logical layout of a variety of devices and is not limited to a configuration in which devices having individual configuration are contained in one case.

Industrial applicability

As described above, in accordance with the configuration of a variant embodiment of the present invention, the processing device encryption, which performs the processing block cipher with the public key, S-blocks used as the processing modules nonlinear transformations that are installed in the modules perform roundboy function, implemented as at least two different types of S-blocks. When using this configuration can be improved immunity against attacks by way of saturation. In addition, in accordance with the configuration of a variant embodiment of the present invention, in which the types of S-blocks are a mixture of different types of immunity against algebraic attacks (attacks the ROBED) can be improved, resulting implements the processing device encryption from high above is a possibility.

1. The processing device decryption containing:

the processing module decryption, which handles the conversion of data using a function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number that is greater than or equal to two,

where the processing module decryption are performed so that it includes different types of S-units in the respective modules of F-functions that have the same input line and output line, and are located next to each other.

2. The processing device decryption according to claim 1, characterized in that:

the processing module decoding is configured to perform decryption processing using its combining patterns in which the number of data lines (number of divisions) is equal to two, or a generalized structure its combining, in which the number of data lines (number of divisions) is two or more, and

the processing module decoding is configured to perform decryption processing using the F-functions that are used as modules run round distance functions that have the same input line and output line, and that are vertically adjacent to each other, in which the processing nainan the th conversion,
running F-functions are set as different S-blocks that perform different types of processing nonlinear transformation.

3. The processing device decryption according to claim 2, characterized in that each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

many S-units include at least two different types of S-blocks.

4. The processing device decryption according to claim 2, characterized in that each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

processing nonlinear transformation performed with successive increments of pieces of data in F-functions that are used as modules run round distance functions that have the same input line and output line and which are vertically adjacent to each other, made with the possibility of installation as other S-blocks that perform other types of processing nonlinear transformation.

5. The device is in the decryption processing according to claim 2, characterized in that the types of S-units and the number of individual S-blocks included in each of the F-functions that are used as modules run round distance functions have the same installation of the F-functions.

6. The processing device decryption according to claim 1, characterized in that the processing module decryption is made use of,

as different s-bit input/output S-units intended for use in the treatment of the nonlinear transformation,

(1) type 1: S-block, using the inverse map: Y=X^{-1}or exponential function Y=X^{q}over the field GF (2^{s}) extension;

(2) type 2: S-block is generated by combining many small t-bit S-units, where t<s; and

(3) type 3: S-block, randomly selected, at least two different types of S-blocks among the above described three types of S-blocks(1)-(3).

7. The processing device decryption according to claim 6, characterized in that the processing module decoding has

in respect of S-units used to perform roundboy functions

(a) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 2;

(b) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 3;

(c) a configuration in which toroi some of the S-blocks are S-units type 2
and the rest of S-blocks are S-units type 3; and

(d) a configuration in which some of the S-blocks are S-units, type 1, some of the other S-blocks are S-units of type 2, and the rest of S-blocks are S - units type 3

any one of the above configurations (a)-(d).

8. The processing device decryption according to claim 6, characterized in that:

the processing module decoding includes, in modules run round distance functions, S-blocks, which perform processing nonlinear transformation for the respective pieces of data divided into data intended for processing, and

the processing module decoding is configured to perform processing using S-blocks of the same type in a single round and S-blocks other types based on from round to round.

9. The processing device decryption according to claim 6, characterized in that:

the processing module decoding includes, in modules run round distance functions, S-blocks, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

the processing module decryption is performed with the use of different types of S-units in a single round.

10. The processing unit Gashimov the deposits according to claim 9, characterized in that the types of S-units and the number of individual S-blocks included in each of the modules run round distance functions have the same settings in F-functions.

11. The processing device decryption according to any one of claims 1 to 10, characterized in that:

the processing module decoding is configured to perform decryption processing in accordance with cryptography with a public key.

12. The processing device decryption according to any one of claims 1 to 10, characterized in that:

the processing module decoding is configured to perform decryption processing in accordance with the cryptography block cipher with the public key.

13. The processing method of decryption, consisting in the execution of the decryption processing in the processing device decryption containing:

the processing stage decryption, consisting in the implementation, the decryption processing, the conversion processing of data using a function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number greater than or equal to two,

in which stage of the decryption processing is a step of performing conversion processing of data using different types of S-blocks in F-functions that have the same input line and the rock of the output and which are vertically adjacent to each other.

14. The way the decryption processing according to item 13, characterized in that:

at the processing stage of the decryption process of the decryption, in accordance with cryptography shared key cryptography block cipher with the public key.

15. The computer-readable recording medium containing recorded thereon a program, the execution of which by a processing device decryption performs the decryption processing, containing:

the processing stage decryption, wherein the processing module performs decryption processing of the data conversion using the function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number greater than or equal to two,

in which stage of the decryption processing is a step of performing conversion processing of data using different types of S-blocks in F-functions that have the same input line and output line and which are vertically adjacent to each other.

16. The computer-readable recording medium according to item 15, characterized in that:

at the processing stage of the decryption process of the decryption, in accordance with cryptography shared key cryptography block cipher with the public key.

17. The processing device encryption, containing the:

the processing module encryption, which handles the conversion of data using a function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number that is greater than or equal to two,

in which module the encryption processing is executed so that it includes different types of S-blocks in F-functions that have the same input line and output line, and are located next to each other.

18. The processing device encryption 17, characterized in that:

the processing module encryption is configured to perform encryption processing with the use of its combining patterns in which the number of data lines (number of divisions) is equal to two, or a generalized structure its combining, in which the number of data lines (number of divisions) is two or more, and

the processing module encryption is configured to perform encryption processing with the use of F-functions are used as modules run round distance functions that have the same input line and output line, and that are vertically adjacent to each other, in which the nonlinear transformation processing performed in F-functions are set as different S-blocks, which perform the different types of processing nonlinear transformation.

19. The processing device encryption p, characterized in that each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

many S-units include at least two different types of S-blocks.

20. The processing device encryption p, characterized in that each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

processing nonlinear transformation performed with successive increments of pieces of data in F-functions that are used as modules run round distance functions that have the same input line and output line and which are vertically adjacent to each other, made with the possibility of installation as other S-blocks that perform other types of processing nonlinear transformation.

21. The processing device encryption p, characterized in that the types of S-units and the number of individual S-blocks included in each of the F-function, the th, used as modules run round distance functions have the same installation of the F-functions.

22. The processing device encryption 17, wherein the processing module encryption made use of,

as different s-bit input/output S-units intended for use in the treatment of the nonlinear transformation,

(1) type 1: S-block, using the inverse map: Y=X^{-1}or exponential function Y=X^{q}over the field GF (2^{s}) extension;

(2) type 2: S-block is generated by combining many small t-bit S-units, where t<s; and

(3) type 3: S-block, randomly selected,

at least two different types of S-blocks among the above described three types of S-blocks(1)-(3).

23. The processing device encryption item 22, wherein the processing module encryption has

in respect of S-units used to perform roundboy functions

(a) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 2;

(b) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 3;

(c) a configuration in which some of the S-blocks are S-units of type 2, and the remaining S-blocks are S-b is Oki type 3;
and

(d) a configuration in which some of the S-blocks are S-units, type 1, some of the other S-blocks are S-units of type 2, and the rest of S-blocks are S-units type 3

any one of the above configurations (a)-(d).

24. The processing device encryption p.22, characterized in that:

the processing module encryption includes, in modules run round distance functions, S-blocks, which perform processing nonlinear transformation for the respective pieces of data divided into data intended for processing, and

the processing module encryption is configured to perform processing using S-blocks of the same type in a single round and S-blocks other types based on from round to round.

25. The processing device encryption p.22, characterized in that:

the processing module encryption includes, in modules run round distance functions, S-blocks, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

the processing module encryption is performed with the use of different types of S-units in a single round.

26. The processing device encryption A.25, characterized in that the types of S-units and the number of individual who's S-blocks, included in each of the modules run round distance functions have the same settings in F-functions.

27. The processing device encryption on any of PP-26, characterized in that:

the processing module encryption is configured to perform encryption processing in accordance with cryptography with a public key.

28. The processing device encryption on any of PP-26, characterized in that:

the processing module encryption is configured to perform encryption processing in accordance with the cryptography block cipher with the public key.

29. The information-processing device, comprising: a storage device for storing data

keys needed for cryptographic processing,

a processor configured to execute various programs and control the processing of encryption, and

the processing block encryption, which handles the conversion of data using a function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number that is greater than or equal to two,

in which the processing block encryption made so that it includes different types of S-blocks in F-functions that have the same input line and output line, is located next to each other.

30. The information-processing device according to clause 29, characterized in that:

the processing unit of encryption is configured to perform encryption processing with the use of its combining patterns in which the number of data lines (number of divisions) is equal to two, or a generalized structure its combining, in which the number of data lines (number of divisions) is two or more, and

the processing unit of encryption is configured to perform encryption processing with the use of F-functions are used as modules run round distance functions that have the same input line and output line, and that are vertically adjacent to each other, in which the nonlinear transformation processing performed in F-functions are set as different S-blocks that perform different types of processing nonlinear transformation.

31. The information-processing device according to item 30, wherein each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

many S-units include at least two different types of S-blocks.

32. The information-processing device according to item 30, ex is different, however,
what each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

processing nonlinear transformation performed with successive increments of pieces of data in F-functions that are used as modules run round distance functions that have the same input line and output line and which are vertically adjacent to each other, made with the possibility of installation as other S-blocks that perform other types of processing nonlinear transformation.

33. The information-processing device according to item 30, wherein the types of S-units and the number of individual S-blocks included in each of the F-functions that are used as modules run round distance functions have the same installation of the F-functions.

34. The information-processing device according to clause 29, wherein the processing unit of the encryption made use of,

as different s-bit input/output S-units intended for use in the treatment of the nonlinear transformation,

(1) type 1: S-block, using the inverse map: Y=X^{-1}or exponential function Y=X^{q
over the field GF (2s) extension;(2) type 2: S-block is generated by combining many small t-bit S-units, where t<s; and(3) type 3: S-block, randomly selected,at least two different types of S-blocks among the above described three types of S-blocks(1)-(3).}

35. The information-processing device according to clause 34, wherein the processing unit of the encryption is,

in respect of S-units used to perform roundboy functions

(a) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 2;

(b) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 3;

(c) a configuration in which some of the S-blocks are S-units of type 2, and the remaining S-blocks are S-units type 3; and

(d) a configuration in which some of the S-blocks are S-units, type 1, some of the other S-blocks are S-units of type 2, and the rest of S-blocks are S-units type 3

any one of the above configurations (a)-(d).

36. The information-processing device according to 34, characterized in that:

block encryption processing includes, in modules run round distance functions, S-blocks, which perform the processing block is anago conversion for the respective pieces of data,
divided into data intended for processing, and

the processing unit of encryption is configured to perform processing using S-blocks of the same type in a single round and S-blocks other types based on from round to round.

37. The information-processing device according to 34, characterized in that:

block encryption processing includes, in modules run round distance functions, S-blocks, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

processing unit of the encryption is performed with the use of different types of S-units in a single round.

38. The information-processing device according to clause 37, wherein the types of S-units and the number of individual S-blocks included in each of the modules run round distance functions have the same settings in F-functions.

39. The information-processing device according to any one of p-38, characterized in that:

the processing unit of encryption is configured to perform encryption processing in accordance with cryptography with a public key.

40. The information-processing device according to any one of p-38, characterized in that:

the processing unit of encryption is configured to perform encryption processing in accordance with the foi what cografya block cipher with the public key.

41. The information-processing device, comprising:

a storage device for storing data

keys needed for cryptographic processing,

a processor configured to execute various programs and control the processing of decryption, and

processing unit of the decryption, which handles the conversion of data using a function F, including S-blocks, as roundboy functions on individual rows of data, obtained by dividing the input data into a number that is greater than or equal to two,

where the processing module decryption are performed so that it includes different types of S-units in the respective modules of F-functions that have the same input line and output line, and are located next to each other.

42. The information-processing device according to paragraph 41, characterized in that:

the processing unit decrypt configured to perform decryption processing using its combining patterns in which the number of data lines (number of divisions) is equal to two, or a generalized structure its combining, in which the number of data lines (number of divisions) is two or more, and

the processing unit decrypt configured to perform decryption processing using the receiving F-functions,
used as modules run round distance functions that have the same input line and output line,and

which are vertically adjacent to each other, in which the nonlinear transformation processing performed in F-functions are set as different S-blocks that perform different types of processing nonlinear transformation.

43. The information-processing device according to § 42, characterized in that each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

many S-units include at least two different types of S-blocks.

44. The information-processing device according to § 42, characterized in that each of the F-functions that are used as modules run round distance functions, includes many S-units, which perform the processing of the non-linear conversion of the respective pieces of data divided into data intended for processing, and

processing nonlinear transformation performed with successive increments of pieces of data in F-functions that are used as modules run round distance functions that have the same line of the input given the s and output line and which are vertically adjacent to each other,
made with the possibility of installation as other S-blocks that perform other types of processing nonlinear transformation.

45. The information-processing device according to § 42, characterized in that the types of S-units and the number of individual S-blocks included in each of the F-functions that are used as modules run round distance functions have the same installation of the F-functions.

46. The information-processing device according to paragraph 41, wherein the processing unit of the decryption performed with use,

as different s-bit input/output S-units intended for use in the treatment of the nonlinear transformation,

(1) type 1: S-block, using the inverse map: Y=X^{-1}or exponential function Y=X^{q}over the field GF (2^{s}) extension;

(2) type 2: S-block is generated by combining many small t-bit S-units, where t<s; and

(3) type 3: S-block, randomly selected,

at least two different types of S-blocks among the above described three types of 8 blocks(1)-(3).

47. The information-processing device according to item 46, wherein the processing unit decoding has

in respect of S-units used to perform roundboy functions

(a) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks predstavljaetsja S-blocks type 2;

(b) a configuration in which some of the S-blocks are S-units, type 1, and the remaining S-blocks are S-units type 3;

(c) a configuration in which some of the S-blocks are S-units of type 2, and the remaining S-blocks are S-units type 3; and

(d) a configuration in which some of the S-blocks are S-units, type 1, some of the other S-blocks are S-units of type 2, and the rest of S-blocks are S - units type 3

any one of the above configurations (a)-(d).

48. The information-processing device according to item 46, characterized in that:

the processing unit decrypt includes, in modules run round distance functions, S-blocks, which perform processing nonlinear transformation for the respective pieces of data divided into data intended for processing, and

the processing unit decrypt configured to perform processing using S-blocks of the same type in a single round and S-blocks other types based on from round to round.

49. The information-processing device according to item 46, characterized in that:

the processing unit decrypt includes, in modules run round distance functions, S-blocks, which perform the processing of the nonlinear transformation of the relevant parts of the data, n is separated data
designed to handle, and

processing unit of the decryption is performed with the use of different types of S-units in a single round.

50. The information-processing device according to § 49, characterized in that the types of S-units and the number of individual S-blocks included in each of the modules run round distance functions have the same settings in F-functions.

51. The information-processing device according to any one of p-50, characterized in that:

the processing unit decrypt configured to perform decryption processing in accordance with cryptography with a public key.

52. The information-processing device according to any one of p-50, characterized in that:

the processing unit decrypt configured to perform decryption processing in accordance with the cryptography block cipher with the public key.

**Same patents:**

FIELD: radio engineering, communication.

SUBSTANCE: method of concealing data encryption in a communication network involves the following operations: generating a set of characters using a set of encryption keys as input into a pseudorandom function, wherein each character corresponds to an indicator value; subdividing the encrypted data into a plurality of parts; partitioning each part into a plurality of groups; encoding each part by mapping each group with a character in the set of characters in accordance with its indicator value; and transmitting the mapped characters over a communication network.

EFFECT: high probability of identifying encrypted data in a communication network.

20 cl, 4 dwg

FIELD: radio engineering, communication.

SUBSTANCE: method for secure transmission of information includes generating an information signal with encoded information, adaptive summation of said signal with a chaotic masking signal, transmitting the resultant signal over a communication channel to a receiving device, detecting information; during detection, the information signal is identified based on a neural network technique.

EFFECT: high information security.

2 cl, 4 dwg

FIELD: information technology.

SUBSTANCE: block cipher with common key processing configuration is implemented with improved immunity against such attacks as saturation attacks and algebraic attacks ("РЯС" attack). In the encryption processing device which executes processing of block cipher with common key, S-blocks used as modules of nonlinear transformation processing in round function and installed in round functions execution modules are made capable to use S-blocks of at least two different types. With such configuration, immunity against saturation attacks can be improved. Additionally, types of S-blocks represent mixture of various types.

EFFECT: increased difficulty of cryptanalysis and implementation of highly protected algorithm of block cipher with common key.

14 cl, 19 dwg

FIELD: physics, communications.

SUBSTANCE: invention relates to data transmission. The system includes a first and a second communication device. One of the communication devices encrypts transmitted data in order to generate encrypted data and transmits said data to the other communication device which decrypts the received encrypted data. Before encryption, each of the communication devices divides transmitted data into portions with given number of bits. Each of the communication devices changes the number of bits of the transmitted divided data and mixes with the transmitted divided data, except portions with the highest number of bits, and includes fictitious data, the size of which ensures coincidence of the number of bits of the transmitted divided data with the highest number of bits.

EFFECT: low probability of cracking of data by a third party.

19 cl, 6 dwg, 1 ex

FIELD: information technology.

SUBSTANCE: binary sequence of a secret identification key and a binary sequence of a secret embedding key, a cryptographic function and several Fourier coefficients of the electronic image are pre-generated for the sender and the receiver. An electronic image certified by a digital watermark is created for the sender, for which the electronic image is divided into M units with pixel size n×n. An identifier for the m-th unit of the electronic image is created. The binary sequence of the digital watermark of the m-th unit of the electronic image is determined. The digital watermark is embedded into the m-th unit of the electronic image and operations for certifying units of the electronic image for the sender with the digital watermark are repeated until completion. The receiver is sent the electronic image certified with the digital watermark. Authenticity of the electronic image received by the receiver is checked.

EFFECT: invention increases security of an electronic image certified by a digital watermark from deliberate altering of the content of the image.

3 cl, 9 dwg

FIELD: physics, communications.

SUBSTANCE: invention relates to a method and a device for encryption in a mobile broadcast system. The technical result is achieved due to that in a mobile broadcast system, BCAST service subscription management (BSM) manages terminal subscriber information and sends a first delivery message for BCAST service distribution/adaptation (BSD/A), where the said message contains registration key material (RKM) for registering the broadcast service for the terminal, and also at least one service or content identifier. BSD/A sends a first message to BSM for confirming delivery, where the said message contains information indicating success/failure of receiving the first delivery message, and sends the RKM to the terminal.

EFFECT: increased efficiency of encrypting transmitted content.

21 cl, 18 dwg, 7 tbl

FIELD: engineering of systems for protecting communication channels, which realize claimed method for user authentication on basis of biometric data by means of provision and extraction of cryptographic key and user authentication.

SUBSTANCE: in accordance to the invention, neither biometric template nor cryptographic user key are explicitly represented in information storage device, without provision of biometric sample and information storage device with a pack stored on it, any cryptographic operations with data are impossible.

EFFECT: creation of biometric access system and method for provision/extraction of cryptographic key and user authentication on basis of biometry, increased key secrecy level, increased reliability, expanded functional capabilities and simplified system creation process.

2 cl, 2 dwg

FIELD: automatics and computer science, in particular, identification means for controlling access to autonomous resources.

SUBSTANCE: method includes changing identification information during each new query of autonomous resource, which information is used for identification of carrier during following queries to autonomous resources, by including it in algorithmically converted form on information carrier and in database of central device and checking of its correspondence in a row of previous queries to autonomous resources. Each autonomous resource has memory block for storing conversion algorithms and signs of these algorithms and block for reading/recording carrier information. Central device contains at appropriate data bank addresses the virtual memory blocks for storing information for identification of carriers and memory block for storing a set of algorithms for converting code from one type to another and signs of these algorithms, and for each carrier - information storage address which was used during previous accesses. Carrier contains energy-independent additional memory block for recording, storing and reading additional information code after identification of carrier, available both during manufacture of carrier and its submission to autonomous resource.

EFFECT: increased level of protection from unsanctioned access.

3 cl, 1 dwg

FIELD: engineering of methods for cryptographic transformation of data, possible use in communication, computer and informational systems for cryptographic encryption of information and computation of numbers close to random.

SUBSTANCE: device contains two memory blocks, current time moment timer, two concatenation blocks, two hash-function computation blocks, operation block, computing block.

EFFECT: increased complexity of encryption analysis and decreased probability of reliable prediction of next values of pseudo-random series bits while increasing operation speed of generator.

1 dwg

FIELD: information technology.

SUBSTANCE: block cipher with common key processing configuration is implemented with improved immunity against such attacks as saturation attacks and algebraic attacks ("РЯС" attack). In the encryption processing device which executes processing of block cipher with common key, S-blocks used as modules of nonlinear transformation processing in round function and installed in round functions execution modules are made capable to use S-blocks of at least two different types. With such configuration, immunity against saturation attacks can be improved. Additionally, types of S-blocks represent mixture of various types.

EFFECT: increased difficulty of cryptanalysis and implementation of highly protected algorithm of block cipher with common key.

14 cl, 19 dwg

FIELD: technology for processing digital data by means of electric devices, in particular, engineering of devices for administrative, commercial, managing, controlling and analytic use.

SUBSTANCE: method for exchanging confidential information, including, in particular, operations for reproducing at a server of single information data block system for remote client terminal performed with decryption of identification address of remote terminal of client and with cryptographic transformation of information data, while transmission of single information data block for remote client terminal is performed in conjunction with generation and dispatching of any number of fake information data blocks.

EFFECT: prevented unauthorized access to information pertaining to connections between participants of confidential information exchange.

5 cl, 3 dwg

FIELD: medicine.

SUBSTANCE: round device realising a sequence of actions for each data encryption device, comprises a summation unit CM1, a substitution box K, a shift unit R, an extra register PREG. In view of using the extra register, a maximum clock frequency in the data flow chart is determined by a maximum delay in the unit CM1, and in the boxes S and R.

EFFECT: higher clock frequency of the encryption device.

3 dwg

FIELD: radio engineering, communication.

SUBSTANCE: disclosed is a method of protecting information based on identification data, which involves encrypting a source message and subsequent decryption using a secret key generator and by applying a computational technique, characterised by that the following procedures are performed: at the initial initialisation step, calculating a secret master key and a system public key; at the second step, sending the secret master key to the input of an algorithm which executes the secret key computation step and generates, at the request of the decryption algorithm, a secret key for the new system user; at the encryption step, encrypting the source message using the identifier of the new user and the system public key obtained at the initial initialisation step; at the decryption step, transmitting to the input of the decryption algorithm the secret key for the new user and decrypting the message obtained at the encryption step.

EFFECT: high security.

5 cl, 5 dwg

FIELD: information technology.

SUBSTANCE: device for encrypting data includes a GOST 28147-89 conversion circuit, an AES conversion circuit, an AES key conversion unit, a first multiplexer, a second multiplexer, a data storage and a key storage; the output of the data storage is connected to the first input of the GOST 28147-89 conversion circuit and to the first input of the AES conversion circuit; the output of the key storage is connected to the second input of the GOST 28147-89 conversion circuit, the second input of the AES conversion circuit, the input of the AES key conversion unit and the second input of the second multiplexer; outputs of the GOST 28147-89 conversion circuit and the AES conversion circuit are connected to the first and second inputs of the first multiplexer, respectively; the output of the first multiplexer is connected to the input of the data storage; the output of the AES key conversion unit is connected to the first input of the second multiplexer; the output of the second multiplexer is connected to the input of the key storage; encryption algorithm selection signals are transmitted to the control inputs of the first and second multiplexers.

EFFECT: reducing the amount of memory required to encrypt data.

3 dwg

FIELD: information technology.

SUBSTANCE: in the method for block encryption of a message M, which is presented in form of a multibit binary number, a private key and a cryptogram, which depends on the message M and the private key, are generated, wherein the private key is generated in form of a set of subkeys K_{1}, K_{2},…, K_{h}, where h≥1, and auxiliary multibit binary numbers p_{1}, p_{2},…, p_{u}, p_{u+1}, where u≥1; auxiliary multibit binary numbers R_{1,} R_{2},…, R_{u}, D are generated and a cryptogram is generated in form of a multibit binary number C, which satisfies the comparison system C≡R_{1} mod p_{1}, C≡R_{2} mod p_{2},…, C≡R_{u} mod p_{u}, C=D mod p_{u+1}, where at least one of the numbers R_{1}, R_{2},…,R_{u} depends on the message M and one of the subkeys K_{1}, K_{2},…, K_{h}.

EFFECT: higher stability of the cryptogram.

3 cl, 2 ex, 1 app

FIELD: information technology.

SUBSTANCE: method for steganographic transmission of information, wherein a secret text is transformed via cryptographic transformation into encrypted text; a pseudorandom mask is generated based on a key, which determines the order of transmitting information and masking segments; when transmitting a masking segment on an open network, a TCP segment which does not contain secret data is transmitted, and to transmit an information TCP segment based on the key, a pseudorandom binary value with the length of the open text is formed, whose unit bits are replaced with secret data bits, after which a TCP segment which contains the obtained value of camouflaging data is formed and then sent over the network.

EFFECT: high cryptographic and steganographic stability of inclusions.

FIELD: electricity.

SUBSTANCE: method of unit coding of a message M represented in a binary form includes the following sequence of actions: generation of a secret key in the form of a set of subkeys K_{1}, K_{2}, …, K_{h}, where h≥1, generation of auxiliary multidigit binary numbers (MBN) p, Q_{1} ^{(1)},Q_{2} ^{(1)},…,Q_{d} ^{(1)}, Q_{1} ^{(2)}, Q_{2} ^{(2)}, …, Q_{d} ^{(2)},…, Q_{1} ^{(k)}, Q_{2} ^{(u)},…, Q_{d} ^{(u)}, R_{1}, R_{2}, …, R_{u}, where 1<d and 1<u<d, generation of a cryptogram in the form of a set of MBN, C_{1}, C_{2}, …, C_{d}, which complies with a system of equations Q_{1} ^{(1)}, C_{1} + Q_{2} ^{(1)}C_{2} +… + Q_{d} ^{(1)}C_{d} = R_{1} mod p, Q_{1} ^{(2)}C_{1}+Q_{2} ^{(2)}C_{2}+…+ Q_{d} ^{(2)}Cd =R_{2} mod p, …,Q_{1} ^{(u)}C_{1}+Q_{2} ^{(u)}C_{2}+…+Q_{d} ^{(u)}C_{d} =R_{u} mod p, where at least one of multidigit binary numbers R_{1}, R_{2},…, R_{u} depends on an M message, and at least one of multidigit binary numbers Q_{2} ^{(1)},…,Q_{d} ^{(1)}, Q_{1} ^{(2)}, Q_{2} ^{(1)},…,Q_{d} ^{(2)},…,Q_{d} ^{(2)},…,Q_{1} ^{(u)}, Q_{2} ^{(u)},…,Q_{d} ^{(u)} depends on one of subkeys K_{1} K_{2}, …, K_{h}.

EFFECT: increased resistance of a cryptogram.

3 cl, 1 ex

FIELD: electricity.

SUBSTANCE: method of unit coding of a message M represented in a binary form includes the following sequence of actions: generation of a secret key in the form of a set of subkeys K, Q_{1}, Q_{2},…Q_{u}. R_{1}, R_{2}…,R_{h}, where h≥1, breakdown of the message into subunits M_{1} M_{2},…,M_{U}; M_{u+1}, M_{u+2},…,M_{2u};…; M_{iu+1} M_{iu+2},…,M_{(i+1)u};…; M_{(w}._{1)u+1},…, M_{wu}, where i=1, 2,…, w, u≥1 and w≥1, formation of data units B_{i}, where i=1, 2,…, w, by generation of additional messages T^{(1)}, T^{(2)},…, T^{(h)} , breakdown of messages T^{(j)} where j=1, 2,…, h, into subunits T_{1} ^{(i)} T_{2} ^{(j)}…T_{w} ^{(j)}, coding of subunits M_{(i-1)u+1} M_{(i-1)u+2},… M_{jU} depending on subkeys Q_{1} Q_{2},…, Q_{U}, coding of subunits T_{i} ^{(1)}, T_{i} ^{(2)},…, T_{i} ^{(h)} depending on subkeys R_{1} R_{2},…,Rh and combination of transformed subunits M_{(i-1)u+1} M_{(i-1)u+2},…, M_{iu}, T_{i} ^{(1)}, T_{i} ^{(2)},…, T_{j} ^{(h)}, and coding of data units B_{i} depending on a subkey K.

EFFECT: increased information capacitance of a cryptogram without reduction in its resistance level.

3 cl, 1 ex

FIELD: information technology.

SUBSTANCE: block cipher with common key processing configuration is implemented with improved immunity against such attacks as saturation attacks and algebraic attacks ("РЯС" attack). In the encryption processing device which executes processing of block cipher with common key, S-blocks used as modules of nonlinear transformation processing in round function and installed in round functions execution modules are made capable to use S-blocks of at least two different types. With such configuration, immunity against saturation attacks can be improved. Additionally, types of S-blocks represent mixture of various types.

EFFECT: increased difficulty of cryptanalysis and implementation of highly protected algorithm of block cipher with common key.

14 cl, 19 dwg