1. Field of the Invention
The present invention relates to transformation pattern generating devices and encryption function devices, and more particularly to transformation pattern generating devices and encryption function devices for the encryption and decryption of data through a parallel randomization process having a particularly high randomization effect.
2. Description of the Related Arts
These days, with the rapid spread of computer systems and of the networks interconnecting them, great importance is attached to network security for the prevention of eavesdropping on and falsification of communication data and computer data.
In particular, data encryption is indispensable as a core technology to ensure the network security.
If cryptographic techniques are utilized for data communications not only in military and diplomatic fields but also in civilian businesses and R&D, software applications and the like incorporating a cryptographic system and encryption mechanism may be easily available to everyone, and hence encryption algorithms used therein may be known to many people.
Therefore, cryptographic techniques ensuring the security based on the secrecy of the algorithms thereof are insecure. In this connection, there have been proposed cryptographic techniques that ensure the security based on secret keys and allow anyone to use the algorithms thereof which are open to the public.
One such cryptographic technique is DES (Data Encryption Standard; National Bureau of Standards, Federal Information Processing Standards Publication 46, January 1977).
FIG. 12 is a diagram for explaining an example of DES cryptosystem. In DES, input plaintext to be enciphered is divided into higher-level bits L0 (e.g., 32 bits) and lower-level bits R0 (e.g., 32 bits), and then the lower-level bits or bit sequence data obtained through an exclusive-OR (EOR) operation are subjected to a data randomization process performed by an encryption function f.
As shown in FIG. 12, the bit sequence data obtained through this process are further processed by iterating the exclusive-OR (EOR) operation and data randomization process by the encryption function f several times, and finally transformed into ciphertext data.
In FIG. 13, there is a model of a process performed in a DES encryption function. In the encryption function, the bit sequences of plaintext data are processed through such processing operations as an expansion permutation (E), substitution table (S-box), balanced permutation (P) and exclusive-OR operation by using externally input keys, i.e., secret bit sequences of data. These processing operations are predetermined and fixed.
This encryption function is open to the public, so that anyone can know the algorithm thereof. However, the encryption function is arranged so that the secret keys cannot easily be identified.
Cryptosystems like DES, in which a data randomization element called an encryption function is repeatedly utilized for encryption, are referred to as involution-type cryptosystems. Another example of an involution-type cryptosystem is FEAL (Fast Data Encryption Algorithm; Shimizu et al, Fast Data Encipherment Algorithm FEAL, EUROCRYPT'87, April 1987).
However, the security of these cryptosystems is not enough, because cryptanalyses for breaking the cryptosystems have been proposed. For example, a known plaintext attack called differential attack is widely used as a cryptanalysis that can generally be applied to the involution-type cryptosystems. The differential attack is designed to infer a secret key used for the encryption from ciphertext data and plaintext data, which is detailed in Differential Cryptanalysis of DES-like Cryptosystems, Biham and Shamir, Journal of Cryptology, Vol. 4, pp. 3-72, 1991.
The differential attack is based on the following principle. It is assumed that, when two plaintext sequences with a fixed difference Δ (exclusive-OR value) are enciphered through an N-round involution-type encryption algorithm, a difference Δ' which may take various values is observed in the (N-1)-th round. A differential pair Δ and Δ' is called a characteristic. If the characteristic (Δ, Δ') occurs with a significantly high probability, a secret key in the final round (the N-th round) is identified from the difference Δ' and a ciphertext sequence through a round-robin search.
In DES, the probability of occurrence of the aforesaid particular differential pair (characteristic) can be relatively easily calculated. As shown in FIG. 13, the encryption functions employed for DES include a permutation, block substitution and exclusive-OR with a key, and the permutation and substitution are always fixed. Therefore, probable differential outputs for a particular differential input can be relatively easily counted, and hence the calculation of the probability of occurrence of each differential pair is relatively easy.
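An added illustration, not part of the original specification: the counting described above, carried out for the fixed DES substitution table S1. The function names are this example's own; the S1 table is the published one, and the sample input difference 0x34 and subkey 0x2B are arbitrary choices. It also shows that the exclusive-OR with a key leaves the counts unchanged, which is why the probabilities can be computed without knowing the key.

```python
from collections import Counter

# DES S-box S1 as published in the standard (4 rows x 16 columns).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x):
    """Map a 6-bit input to a 4-bit output.

    The two outer bits select the row, the four middle bits the column.
    """
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def output_differences(dx, key=0):
    """Count output XORs over all 64 input pairs (x, x ^ dx).

    A 6-bit subkey is XORed into both inputs first, as in the round function.
    """
    return Counter(sbox(x ^ key) ^ sbox(x ^ dx ^ key) for x in range(64))


def difference_table():
    """Difference distribution table: one Counter per 6-bit input difference."""
    return [output_differences(dx) for dx in range(64)]


def best_nonzero_count(table):
    """Largest count for any nonzero input difference (probability = count/64)."""
    return max(n for dx in range(1, 64) for n in table[dx].values())


if __name__ == "__main__":
    table = difference_table()
    for dy, n in sorted(table[0x34].items()):
        print(f"input diff 0x34 -> output diff 0x{dy:X}: {n}/64")
    print("same counts under subkey 0x2B:",
          output_differences(0x34, key=0x2B) == table[0x34])
    print("largest nonzero-difference count:", best_nonzero_count(table))
```
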
To cope with differential attack, there have been various proposals for reducing the probability of occurrence of each differential pair. For example, the probability of occurrence of each differential pair can be reduced by increasing the number of rounds. Even if the number of rounds is increased, however, the probability of occurrence of each differential pair can be calculated. That is, differential attack is still possible, though it may require more labor.