The present invention relates to an encryption apparatus and method, and a decryption apparatus and method based on block encryption scheme, and an operating unit used in the encryption and decryption apparatuses.
Typical fundamental structures of common key block encryption scheme include SPN type and Feistel type. For both structures, a design method for improving strength evaluation and resiliency against differential/linear cryptanalysis have been studied (reference [1] V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers & E. Dcwin, “The Cipher SHARK,” Fast Software Encryption, LNCS 1039, 1996, reference [2] Kazumaro Aoki, Kazuo Ota, “More Strict Evaluation of Maximum Mean Differential Probability and Maximum Mean Linear Probability,” SCIS 96-4A, 1996, reference [3], Mitsuru Matsui, “Block encryption scheme MISTY,” ISEC 96-11, 1996).
With the SPN structure, since the number of active S-boxes can be guaranteed, the number of stages for achieving the set strength can be easily determined (reference [1]). However, when the block size increases, and the parallelness of S-boxes becomes high, the process of diffusion layers becomes complicated, resulting in low speed.
SQUARE/Rijndael Cipher can solve this problem (reference [4] J. Daemen, L. R. Knudsen & V. Rijmen, “The Block encryption scheme Square,” Fast Software Encryption, LNCS 1267, 1997, reference [5] J. Daemen & V. Rijmen, “AES Proposal: Rijndael,” http://www.east.kuleuven.ac.be/{tilde over ( )}rijmen/rijdael/ rijndaeldocV2.zip).
In cipher of this type, 16 parallel S-boxes are arranged in a 4×4 matrix to limit linear diffusion within a single column, thus reducing the processing load. By combining rearrangement of byte positions with linear diffusion, the influence of one byte in a given stage is diffused to all bytes two stages later, and 25 or more active S-boxes in four stages (robust against differential/linear cryptanalysis) are achieved.
However, since bytes in a single column do not mix in the next stage, dedicated attack called SQUARE attack is present (reference [1], reference [5]). This results from achievement of both high strength and efficiency under the restriction of only one type of diffusion layers.
The SPN structure allows easy estimation of the lower limit of the number of active S-boxes, and can be designed to guarantee high strength against differential/linear cryptanalysis. However, when the parallelness of S-boxes becomes higher with increasing block size of plaintext/ciphertext, the calculation cost of a coupling portion of diffusion layers becomes high. Also, uniform data diffusion cannot be attained depending on the design of diffusion layers.