Various encryption techniques are known.
PTL 1 discloses an encryption method. In the encryption method, a block cipher mode of operation, in which a block cipher is extended to handle input of arbitrary length, always produces output ciphertext of the same size as the input plaintext. The mode is capable of providing the best possible security in systems in which data expansion is not allowed, such as disk-block encryption and some network protocols. The mode accepts an additional input that can be used to protect against attacks that falsify the ciphertext by rearranging ciphertext blocks. In an example embodiment, the universal hash function from the Galois/Counter Mode (GCM) of operation for block ciphers is used for hardware and software efficiency.
PTL 2 discloses a data distribution device. The data distribution device is capable of detecting, from the encrypted data, falsification of the associated non-encrypted data and, when falsification is detected, preventing normal decryption of the encrypted data. When input data A and non-encrypted data B are input, the data distribution device performs block encryption on the input data A by the use of a hash value computed on the basis of the non-encrypted data B, and distributes the encrypted data E(A) together with the non-encrypted data B. The data distribution device includes data compression means, block encryption means, and data distribution means. The data compression means computes a hash value on the basis of the non-encrypted data B by the use of a hash function. The block encryption means performs block encryption on the input data A in a predetermined mode of operation, using the hash value as an initial vector, to thereby generate the encrypted data E(A). The data distribution means multiplexes the encrypted data E(A) generated by the block encryption means and the non-encrypted data B, and distributes a header, the non-encrypted data B, and the encrypted data E(A). Because the initial vector is derived from B, any falsification of B changes the initial vector used for decryption and thus corrupts the recovered data A.
PTL 3 discloses an encryption method. The encryption method improves cipher strength by causing a change in the plaintext to affect a wide range of the ciphertext. The encryption method has the following configuration. First, data encryption standard (DES) encryption is performed on an initial vector 1. Secondly, the exclusive OR of the encrypted initial vector 1 and the first eight-byte small block is computed. Thirdly, DES encryption is performed on the result. Fourthly, the exclusive OR of the encrypted result and the next small block is computed. Fifthly, by repeating the same process sequentially 32 times, a forward chaining process is performed over 256 bytes. Sixthly, the same chaining process is performed backward. Seventhly, DES encryption is performed on the last small block of the chain. Eighthly, the exclusive OR of the result of that encryption and the first block at this stage is computed. Ninthly, the entire 256 bytes are permuted on a byte-by-byte basis. Tenthly, the above series of processes is carried out again with a different feedback position.
Authenticated encryption (AE) is a technique of performing encryption of a plaintext message and calculation of an authentication tag for falsification detection at the same time, by the use of a secret key shared in advance. By applying AE to a communication path, it is possible to keep the contents confidential against eavesdropping and to detect unauthorized falsification, whereby the contents being communicated can be protected reliably.
In such a normal authenticated encryption scheme, in addition to the ciphertext C, which is the encrypted plaintext M and has the same length as the plaintext M, an initial vector N and a tag T must be transmitted, combined with the ciphertext C. Although each of the initial vector N and the tag T is a short value of approximately 4 bytes to 32 bytes in a normal process, the increase in communication bandwidth due to the addition of the initial vector N and the tag T cannot be ignored, for example, when the plaintext M is as short as the initial vector N and the tag T. Such a case occurs frequently in wireless sensor network devices. Since the communication bandwidth is an important factor affecting power consumption in such a network, bandwidth reduction is an important problem.
When a message authentication function is newly added to a communication path on which encryption without any message authentication function has been performed, so as to implement an authenticated encryption function as a whole, a change in the protocol is sometimes required irrespective of the message length, since the tag T has to be carried. Such a case may present practical difficulty.
As a method of solving such a problem, there is Authenticated Encryption with Replay prOtection (AERO) described in NPL 1. AERO in NPL 1 is a technique in which, for an input (N, M) obtained by combining an initial vector N and plaintext M, the overall output C = P_K(N, M) is generated through a wide pseudorandom permutation (WPRP) P_K with variable-length input and output, keyed by K. Here, P_K is a function having the key K as a parameter. The length of the ciphertext C is equal to the sum of the lengths of the initial vector N and the plaintext M. The decryption side obtains (N, M) by applying the inverse permutation of P_K to the ciphertext C by the use of the shared key K, and determines whether authentication succeeds on the basis of whether the decrypted initial vector N matches an expected value.
To determine whether the decrypted initial vector N has the expected value, the decryption side must know in advance the initial vector N that the encryption side is to use. This is possible when the encryption side and the decryption side are synchronized with respect to updating the initial vector N, which is typically achieved by each side storing the initial vector of the most recently transmitted or received valid ciphertext and deriving the next expected value from it, such as by incrementing a counter. This condition is natural in a case where the decryption side is required to detect and eliminate replay.
In NPL 1, the information that the encryption side has to transmit is only the ciphertext C. Since the length of the ciphertext C is equal to the sum of the lengths of the initial vector N and the plaintext M, the increase in bandwidth due to the encryption corresponds to the initial vector N only. For this reason, the bandwidth corresponding to the tag T can be saved in comparison with the general authenticated encryption scheme described above. In addition, owing to the nature of the WPRP, the result of decrypting any ciphertext other than a replayed one, that is, a forged or modified ciphertext, is randomized as a whole. This makes it difficult for an attacker to control the part that originally contained the initial vector so as to set it to a particular value, which reduces to a negligible level the probability that the decrypted initial vector N has the value expected by the decryption side.
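The AERO flow described above (C = P_K(N, M) on the encryption side, inverse permutation and comparison of the recovered N against a stored expected value on the decryption side), as an added example that is not part of NPL 1, PTL 1 or this document. The WPRP here is an illustrative stand-in, a 4-round Feistel network over HMAC-SHA256 keystreams, not the XCB mode; the class names AeroSender and AeroReceiver, the 4-byte counter used as N, and the demo key are assumptions made for the example.

```python
"""Toy AERO-style authenticated encryption over a wide pseudorandom permutation.

Illustrative construction (NOT the XCB mode of PTL 1 and NOT NPL 1's code):
the WPRP is a 4-round Feistel network whose round functions are HMAC-SHA256
keystreams, so it accepts any input of at least 2 bytes and returns output of
exactly the same length.  The sender prepends a 4-byte counter N to the
message M and applies the WPRP; the receiver inverts it and accepts only if
the recovered counter equals the one it expects next.
"""
import hashlib
import hmac

ROUNDS = 4
NONCE_LEN = 4  # assumed size of the initial vector N (a big-endian counter)


def _keystream(key: bytes, rnd: int, data: bytes, n: int) -> bytes:
    """Derive n bytes of keystream bound to the round index and the other half."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        block = bytes([rnd]) + ctr.to_bytes(4, "big") + data
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, x: bytes, rounds) -> bytes:
    """Apply the Feistel rounds in the given order.  Each round XORs one half
    with a keystream derived from the other half, so it is an involution and
    applying the rounds in reverse order inverts the whole permutation."""
    if len(x) < 2:
        raise ValueError("WPRP input must be at least 2 bytes")
    h = len(x) // 2
    left, right = x[:h], x[h:]  # unbalanced split when the length is odd
    for rnd in rounds:
        if rnd % 2 == 0:
            left = _xor(left, _keystream(key, rnd, right, len(left)))
        else:
            right = _xor(right, _keystream(key, rnd, left, len(right)))
    return left + right


def wprp_encrypt(key: bytes, x: bytes) -> bytes:
    return _feistel(key, x, range(ROUNDS))


def wprp_decrypt(key: bytes, y: bytes) -> bytes:
    return _feistel(key, y, reversed(range(ROUNDS)))


class AeroSender:
    """Transmits only C = P_K(N || M); neither N nor a tag T is sent."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def encrypt(self, message: bytes) -> bytes:
        n = self.counter.to_bytes(NONCE_LEN, "big")
        self.counter += 1
        return wprp_encrypt(self.key, n + message)


class AeroReceiver:
    """Keeps the next expected N; rejects replays and forgeries alike."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0

    def decrypt(self, ciphertext: bytes):
        if len(ciphertext) < NONCE_LEN:
            return None
        x = wprp_decrypt(self.key, ciphertext)
        n, m = x[:NONCE_LEN], x[NONCE_LEN:]
        if int.from_bytes(n, "big") != self.expected:
            # Replay: n is an old counter.  Forgery: any change to C
            # randomises all of x, so n matches only with probability ~2^-32.
            return None
        self.expected += 1
        return m


def demo() -> dict:
    """Constructed round trip: expansion equals |N| only; replay and tampering fail."""
    key = bytes(range(32))  # constructed demo key, not a real secret
    sender, receiver = AeroSender(key), AeroReceiver(key)
    c1 = sender.encrypt(b"temp=21")
    c2 = sender.encrypt(b"temp=22")
    tampered = bytearray(c2)
    tampered[-1] ^= 0x01  # attacker flips one ciphertext bit
    return {
        "expansion": len(c1) - len(b"temp=21"),  # 4 bytes: N only, no tag T
        "first": receiver.decrypt(c1),  # accepted, expected counter becomes 1
        "replay": receiver.decrypt(c1),  # same C again: counter 0 != 1
        "forgery": receiver.decrypt(bytes(tampered)),  # randomised N, rejected
        "second": receiver.decrypt(c2),  # untouched C with counter 1 accepted
    }


if __name__ == "__main__":
    print(demo())
```

The receiver state is the only thing that distinguishes a replay from a fresh message, which is exactly the synchronisation requirement stated above; a deployment on a lossy channel would accept a window of counters rather than one value. The Feistel stand-in is for illustration only: with inputs of a few bytes its halves are far too short for the construction to be a secure WPRP, which is why NPL 1 points to a purpose-built mode such as XCB.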
Additionally, NPL 1 suggests using, as the WPRP, a block cipher mode of operation called the eXtended CodeBook (XCB) mode disclosed in PTL 1.