This invention relates to a data processor, a communication system and a recording medium.
Encryption of transmitted data has become common with recent progress in computers and communication technology. Public key cryptosystems and secret key cryptosystems are available, and the DES encryption system is widely accepted as a secret key cryptosystem.
FIGS. 1A to 1C are block diagrams for illustrating the DES encryption system.
In encryption under the DES system, data created by applying an initial transposition IP to a plain text are processed through round functions 16 times. The data that have undergone the round function processing then receive an inverse transposition IP⁻¹, which is the inverse of the initial transposition, thereby producing a cipher text. Here, the round function processing is executed by providing the round functions with extended keys generated from an original key.
That is, an encryption device adopted in the DES system is mainly constructed of a data randomize section in which data as an object to be encrypted through numerous round functions are randomized and a key conversion section which provides the round functions of the data randomize section with extended keys.
On the other hand, decryption in the DES system is achieved by processing the data to be decrypted through the round functions in the reverse of the order used in encryption, as shown in FIG. 1B. Therefore, the extended keys supplied from the key conversion section are generated in the reverse of the order in which they are used in encryption, starting with the key used in the last round function of encryption.
A first advantage of the DES system is that a considerable part of the encryption circuitry is shared with decryption. That is, the round functions used in the data randomize section are the same for encryption and decryption, with the only exception that the order in which the functions are used is reversed, as shown in FIGS. 1A and 1B.
A second advantage of the DES system is that only one key ever needs to be managed, since the same secret key is used for both encryption and decryption. In the DES system, the following processing is performed in the key conversion section so that extended keys can be generated in the reverse order using that single key.
That is, in the case of encryption, the secret key receives a left rotate shift to generate the extended keys. Here, the extended keys can be generated in the reverse order by setting the total amount of the shifts to a given value. That is, in decryption, the secret key only needs to be subjected to a right rotate shift to generate the extended keys. Thereby, the last extended key in encryption and the first extended key in decryption are the same.
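The rotate-shift property described above, as an added example that is not part of the original text: it models only one 28-bit rotating half-register of the DES key schedule (the PC-1 and PC-2 permutations are omitted) and uses the standard DES per-round shift amounts, which total 28. The function names and the sample register value are assumptions made for this illustration.

```python
# Standard DES per-round left-rotation amounts for rounds 1..16.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
WIDTH = 28                     # each key half is a 28-bit rotating register
MASK = (1 << WIDTH) - 1

def rotl(x, n):
    """Rotate a 28-bit value left by n bits."""
    n %= WIDTH
    return ((x << n) | (x >> (WIDTH - n))) & MASK

def rotr(x, n):
    """Rotate a 28-bit value right by n bits."""
    return rotl(x, WIDTH - n)

def encrypt_order(c0):
    """Register contents used for rounds 1..16 in encryption."""
    out, c = [], c0
    for s in SHIFTS:
        c = rotl(c, s)
        out.append(c)
    return out

def decrypt_order(c0):
    """Same starting register, right rotations only: no shift before the
    first key, then the encryption amounts taken from the end."""
    out, c = [], c0
    for s in [0] + SHIFTS[:0:-1]:
        c = rotr(c, s)
        out.append(c)
    return out

def demo(c0=0xF0CCAAF):        # constructed 28-bit sample register
    enc, dec = encrypt_order(c0), decrypt_order(c0)
    # The shifts total 28, so the register is back at c0 after round 16;
    # that is why decryption can start from the unmodified key.
    return sum(SHIFTS), enc[-1] == c0, dec == enc[::-1]
```
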
However, the DES system described above has the following problems:
First, processing in the key conversion section consists of a left rotate shift in encryption and a right rotate shift in decryption, which are different operations, and therefore the same circuitry in the key conversion section cannot be shared between encryption and decryption devices. That is, when an encryption/decryption device for encrypting and decrypting data is constructed as an actual device, the part of the circuitry that is common to both encryption and decryption is not necessarily large enough. Hence, the overall scale of the encryption/decryption device cannot be made sufficiently small.
Second, since processing in the key conversion section of the DES system is performed only through transposition, a security problem arises in that there exist encryption keys with weak security, generally called weak keys. In addition, since the processing in the key conversion section is not non-linear, its contribution to the cryptographic robustness of the extended keys thus generated cannot be very large. The non-linear part of the DES system is limited to the part called an S-box in the function f of the round function shown in FIG. 1C.
Accordingly, there has been desired a cryptosystem in which extended keys generated from the key conversion section sufficiently contribute to cryptographic robustness.
On the other hand, in order to eliminate weak points of the key conversion section such as the weak keys associated with the DES system, one-way functions such as hash functions have been tried in the key conversion section. For example, FEAL calculates the extended keys required by the data randomize section by using a one-way function for the conversion.
While FEAL is more secure in that no weak keys are present in the system, extended keys cannot be generated in the reverse order as in the DES system, since a one-way function is adopted in the key conversion section. Therefore, in order to enable decryption in FEAL, all the extended keys that can be derived from a secret key are first generated in the same key conversion section as is used for encryption and stored in a buffer. Then, the extended keys stored in the buffer are retrieved in the reverse of the order of generation, and decryption is thus completed.
This approach, however, raises another problem, since storing the extended keys increases cost, that is, it increases the memory requirement. Besides, the extended keys thus generated not only increase the memory requirement but also incur an additional cost for managing numerous keys, albeit temporarily. Furthermore, because key extension must be performed in advance of decryption, the time required for decryption is problematically long.
In conventional techniques, as described above, if extended keys are generated in the reverse order, the scale of a secret key encryption device cannot be made sufficiently compact and, in addition, security is degraded. On the other hand, if security is to be increased, extended keys cannot be generated in the reverse order, and as a result not only is a large memory resource required, but numerous keys must be managed and the processing time is extended, which has been a problem.
The present invention has been made in light of such circumstances, and accordingly it is an object of the present invention to provide a data processor, a communication system and a recording medium whereby the scale of a secret key encryption device can be small, security of a key is increased and, further, key management can be made easy.
The essence of the present invention is not only to employ, for generation of extended keys, an involution function in which conversion and inverse conversion are the same, but also to enable generation of the extended keys in reverse order by applying the involution functions in reverse order in decryption, starting from a decryption key which is the result of processing an encryption key in a key conversion section.
According to the present invention, since there is no limitation on a function to be employed in the key conversion section with the exception that an original key is converted by using an involution function and further it is not necessary for an encryption key and a decryption key to be same, there is only very little limitation imposed on functions which can be employed in the key conversion section. Hence, it is possible that functions by which extended keys with high security are generated are selected and the key conversion section can be constructed of such functions. Besides, since an extended key can be generated from a decryption key in a reverse order, the same key conversion section can be employed in encryption and decryption, which entails a smaller scale of a device circuit.
Further, by employing an asymmetric key in a secret key cryptosystem through a crucial change, the present inventors have reached the present invention.
Encryption algorithms can be classified into two kinds, symmetric key encryption and asymmetric key encryption, according to whether or not the same key is employed for encryption and decryption. Further, they can be classified into two kinds, secret key encryption and public key encryption, according to whether or not an encryption key is made public so that a sender can prepare a cipher text using a public key.
Of the combinations of these classifications, only two, namely a symmetric, secret key cryptosystem and an asymmetric, public key cryptosystem, have conventionally been known. A symmetric, public key cryptosystem is impractical in principle, but an asymmetric, secret key cryptosystem is conceivable. However, in the case of an asymmetric, secret key cryptosystem, since a plurality of secret keys must be managed for one encryption/decryption process, a disadvantage in management cost and the like cannot be avoided. Further, in that case, another problem arises as to how to realize asymmetric secret keys. Accordingly, such a cryptosystem has had no chance of being employed in conventional technology.
On the other hand, the present invention provides a cryptosystem in which, as long as one secret key (an encryption key or a decryption key), though asymmetric, is on hand, both encryption and decryption are possible, and thereby the problematic management of a plurality of secret keys is avoided and a practically useful asymmetric, secret key cryptosystem is realized. This is because, in the cryptosystem, a cipher text encrypted by an encryption key can be decrypted by a decryption key, while a cipher text encrypted by a decryption key can be decrypted by an encryption key.
That is, in a case where one party has only an encryption key while the other party has only a decryption key output by converting the encryption key in a key conversion section, encryption and decryption proceed as follows. First, a cipher text prepared from a plain text by the one party with the encryption key can be restored to the plain text by processing in a reverse order with the decryption key on the other party's side. Conversely, a cipher text prepared from a plain text by the other party with the decryption key can be restored to the plain text by processing in a reverse order with the encryption key on the one party's side.
Then, means of the present invention for realizing the object will be described in detail.
According to a first aspect of the present invention, there is provided a data processor in which at least one of encryption of a plain text to a cipher text by using an encryption key and decryption of a cipher text to a plain text by using a decryption key is performed, comprising:
a key converting section in which a plurality of key conversion functions, which are involution functions and which conduct key conversions to output extended keys based on one of the encryption key and the decryption key and on results of key conversion of one of the encryption key and the decryption key, are sequentially connected, and results of the key conversion are transferred between the key conversion functions in an order or in another order reverse to that order; and
a data randomize section in which at least one processing of encryption of the plain text to the cipher text and decryption of the cipher text to the plain text is performed by using the extended keys output from the key conversion section.
Further according to a second aspect of the present invention, there is provided a data processor of the first aspect,
wherein the data randomize section includes a plurality of round functions which are involution functions and which perform at least one of encryption and decryption by using the extended keys, the plurality of round functions are sequentially connected, and results of the processing by the round functions are transferred in an order or in another order reverse to the order transferred between the plurality of round functions.
The data processor serves as main circuitry which can be used not only in an encryption device but also in a decryption device. That is, when a key and data are processed in sequence, data encryption is realized, while when a key and data are processed in the reverse order, data decryption is achieved. Such processing is possible because the key conversion functions and the round functions are both of an involution type.
Therefore, when the present invention is utilized in an encryption/decryption device, the device scale of the kind can be small and compact.
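A toy model of the arrangement described above, added here as an illustration and not taken from the patent: the key conversion stages and the data rounds are involutions, the decryption key is the converted encryption key, and each party holding only one of the two keys can both encrypt and decrypt. The mixing function `f`, the constants, the 8-stage count and the way each extended key is derived from the half a stage leaves untouched are all assumptions, and the construction is not secure.

```python
MASK = 0xFFFFFFFF
ROUNDS = 8
FORWARD = list(range(ROUNDS))
BACKWARD = FORWARD[::-1]

def f(x, c):
    """Toy non-linear 32-bit mixer (assumed; not from the patent, not secure)."""
    x = (x * 0x9E3779B1 + c) & MASK
    x ^= x >> 15
    return ((x << 7) | (x >> 25)) & MASK

def stage(i, state, k):
    """Involution: XOR f(untouched half) into the other half.
    Even stages alter the left half, odd stages the right half."""
    l, r = state
    if i % 2 == 0:
        return (l ^ f(r, k ^ i), r)
    return (l, r ^ f(l, k ^ i))

def extended_key(i, state):
    """Taken from the half that stage i leaves untouched, so it is the
    same whether stage i is entered from the front or from the back."""
    l, r = state
    return f(r if i % 2 == 0 else l, 0xA5A5A5A5 ^ i)

def key_schedule(key, order):
    """Key conversion section: returns [(stage, extended key)] and final state."""
    out = []
    for i in order:
        out.append((i, extended_key(i, key)))
        key = stage(i, key, 0)
    return out, key

def process(block, key, order):
    """Data randomize section: involution rounds keyed by the extended keys."""
    for i, k in key_schedule(key, order)[0]:
        block = stage(i, block, k)
    return block

def demo():
    enc_key = (0x01234567, 0x89ABCDEF)            # constructed sample key
    dec_key = key_schedule(enc_key, FORWARD)[1]   # decryption key = converted encryption key
    plain = (0xDEADBEEF, 0x00C0FFEE)              # constructed sample block
    a_to_b = process(process(plain, enc_key, FORWARD), dec_key, BACKWARD)
    b_to_a = process(process(plain, dec_key, BACKWARD), enc_key, FORWARD)
    return enc_key, dec_key, a_to_b == plain, b_to_a == plain
```

Walking the stages backward from the decryption key yields the same extended keys in reverse order and ends at the encryption key, so no buffer of precomputed keys is needed.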
Further, according to a third aspect of the present invention, there is provided a data processor of the first aspect,
wherein the key conversion functions not only take first keys and results of conversion of the first keys as objects to be processed in the key conversion, but also perform the key conversion by using a second key.
According to the present invention, processing in the key conversion section is similar to that of the data randomize section and extended keys which have a very low probability to be a weak key or the like can be output. Therefore, robustness of a cryptosystem can be increased.
Further, according to a fourth aspect of the present invention, there is provided a data processor of the third aspect,
wherein the second key is included in at least one of the encryption key and the decryption key.
Further, according to a fifth aspect of the present invention, there is provided a data processor of the fourth aspect,
wherein the second key has different types of keys, at least one of the encryption key and the decryption key includes the different types of keys and at least one of the encryption key and the decryption key is variable in length.
Further, according to a sixth aspect of the present invention, there is provided a data processor of the second aspect,
wherein the key conversion functions include round functions same as that of the data randomize section.
Further, according to a seventh aspect of the present invention, there is provided a communication system comprising:
one communication device which includes a data processor according to claim 1 and holds one key which serves as the encryption key and the decryption key; and
another device which includes a data processor according to claim 1 and holds another key which serves as the encryption key and the decryption key, and which is a result of key conversion of the one key in the key conversion section of the other device.
According to the present invention, the communication systems can perform any of an encryption and decryption with one key held by each. Incidentally, herein, secret keys of the respective communication systems are not necessarily same as one another. That is, the communication is of an asymmetric, secret key cryptosystem.
Additional objects and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out hereinafter.