The present invention relates to data encryption, and more particularly to improvements in the processing efficiency of encryption and in cipher strength against cryptanalysis. Furthermore, the present invention relates to encryption involving data compression, and more particularly to improvements in the processing efficiency of data compression and encryption and in resistance to cryptanalysis.
With the increase of computerized, centralized information in systems and of data communication through networks, importance is now being placed on techniques for encrypting data to keep computerized data from being tapped and tampered with. As described in pages 27 to 32 of "Introduction to Cryptography Theory", Kyoritu edit., 1993, encryption is roughly divided into symmetric key cryptosystems and asymmetric key cryptosystems. The present invention is intended to improve the symmetric key cryptosystem, which is suitable for encrypting a large amount of data. Hereinafter, a secret key cryptosystem is simply called a cryptosystem.
First, the basic terms of the cryptosystem are described. As described in pages 33 to 59 of the foregoing writing, encryption converts plaintext into ciphertext using secret parameters. Decryption transforms the ciphertext back into the original plaintext by applying the reverse transform with the same secret parameters as those used in encryption. The secret parameters are generally called a crypt-key (or just a key). The encrypting procedure is composed of repetitions of one or more kinds of fundamental functions. The number of repetitions is called the rounds. In applying the encrypting procedure, the input data is divided into parts of the same size, and the encrypting procedure is applied to each part. Each data part is called a crypt-block (or just a block).
In designing and promoting encryption, an important factor is defense against various kinds of cryptanalytic methods. The most frequently used method is an exhaustive search for keys. Recently, however, attention has turned to differential cryptanalysis and linear cryptanalysis, which are more efficient than the exhaustive search.
As described in pages 163 to 166 of the aforementioned writing and in the linear cryptanalysis of the DES (Data Encryption Standard) published in "The 1993 Symposium on Cryptography and Information Security", the differential and linear cryptanalyses utilize the correlation among the plaintext, the ciphertext, and the keys that is peculiar to the encrypting system. They collect many inputs and outputs (plaintext and ciphertext) encrypted or decrypted with the same key and perform a statistical operation on these inputs and outputs to estimate the key.
The conventional method of defending against differential or linear cryptanalysis in a conventional encrypting system is to reduce the correlation among the plaintext, the ciphertext, and the key by increasing the rounds.
The processing time of encryption or decryption is proportional to the rounds. Defending against the differential and linear cryptanalyses by increasing the rounds therefore entails a large shortcoming, namely an increase in processing time. Hence, it is an object of the present invention to improve the processing performance and the security of the cryptosystem by establishing a method for protecting ciphertext from the differential and linear cryptanalyses without increasing the processing time.
As described above, the differential and linear cryptanalyses collect many inputs and outputs (plaintext and ciphertext) encrypted and decrypted with the same key and perform a statistical operation on those inputs and outputs to estimate the key. In accordance with a first aspect of the present invention, an information processing method includes the steps of entering or receiving a plaintext and encrypting the plaintext, wherein the method uses, as the key of a block of the plaintext, an intermediate result given in the process of encrypting another block or a value derived from that intermediate result. This method uses a different key for each block depending upon the plaintext data. The method thus prevents execution of the foregoing statistical operation and allows the ciphertext to be protected from the differential and linear cryptanalyses.
The foregoing first method cannot use an intermediate result given in the process of encrypting another block for the first block of the plaintext to be encrypted. Hence, the key of the first block is constant. The first method therefore allows the key of the first block to be estimated by collecting the inputs and outputs of the first block over many plaintexts, and allows the overall ciphertext to be cryptanalyzed with the estimated key as a clue. To overcome this problem, in accordance with a second aspect of the present invention, an information processing method includes the steps of entering or receiving the plaintext and encrypting the plaintext, wherein the method generates a random number for each plaintext and uses the random number as the key of the first block of the plaintext to be encrypted. The second method therefore has a different first-block key for each plaintext and thus overcomes the problem of the foregoing first method.
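The first and second aspects can be sketched as follows; this is an added illustration, not code from the patent. It assumes a toy 4-round Feistel cipher with a SHA-256 round function, takes the state after round 2 as the intermediate result, derives the next block key by hashing it with the master key, and sends the random first-block key in a header block encrypted under the master key. Message length is assumed to be a multiple of 8 bytes.

```python
import hashlib, os

BLOCK, ROUNDS = 8, 4          # toy 64-bit Feistel cipher, illustration only

def _f(key, rnd, half):       # round function (assumed, not from the page)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, blk):
    """Encrypt one block; also return the state after round 2 (the intermediate result)."""
    l, r, mid = blk[:4], blk[4:], None
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
        if rnd == 1:
            mid = l + r
    return l + r, mid

def dec_block(key, blk):
    """Invert enc_block; the decryptor passes through the same intermediate state."""
    l, r, mid = blk[:4], blk[4:], None
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
        if rnd == 2:
            mid = l + r
    return l + r, mid

def _next_key(master, mid):   # a value derived from the intermediate result (assumed form)
    return hashlib.sha256(master + mid).digest()[:BLOCK]

def encrypt(master, msg, first_key=None):
    """first_key=None: fresh random first-block key (second aspect); else a constant one."""
    key = os.urandom(BLOCK) if first_key is None else first_key
    out = [enc_block(master, key)[0]]        # assumed header carrying the first-block key
    for i in range(0, len(msg), BLOCK):
        ct, mid = enc_block(key, msg[i:i + BLOCK])
        out.append(ct)
        key = _next_key(master, mid)         # key of the next block depends on this block
    return b"".join(out)

def decrypt(master, data):
    key, out = dec_block(master, data[:BLOCK])[0], []
    for i in range(BLOCK, len(data), BLOCK):
        pt, mid = dec_block(key, data[i:i + BLOCK])
        out.append(pt)
        key = _next_key(master, mid)
    return b"".join(out)
```

With a fixed `first_key`, the first ciphertext block repeats across messages that share a first plaintext block, which is the weakness of the first aspect; with `first_key=None` it does not.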
Further, encryption is often executed in association with data compression. As described in pages 21 to 247 of "The Data Compression Book" (in Japanese), Toppan (1994), compression replaces a bit train of the plaintext with a shorter bit train. A plurality of correspondences are available between the bit trains of a block of the plaintext and the compressed data. In accordance with a third aspect of the invention, the information processing method includes the steps of entering or receiving data and compressing the data, wherein the method determines the correspondence between the bit trains of the block of the plaintext and the compressed data depending upon the intermediate result given in the process of encrypting another block. The method of the third aspect can therefore change the correspondence between the bit train of the block of the plaintext and the bit train of the compressed data for each block, depending upon the plaintext data. Further, the intermediate result given in the process of encrypting the data cannot be estimated unless the key is obtained. It is therefore impossible to grasp how the correspondence between the bit train of the block of the plaintext and the bit train of the compressed data changes unless the key is obtained. The method of the third aspect can therefore use the compression as a kind of cryptosystem, offers the same effect as an increase of the rounds, and thereby prevents the differential and linear cryptanalyses.
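One way to picture the third aspect, as an added example that is not taken from the patent: a constructed 4-symbol prefix code whose branch labels (0/1) are swapped per block according to bits of an intermediate value, so the compressed length stays the same while the bit train changes. The branch-swapping scheme, the 4-symbol blocks, and the keyed hash chain standing in for the cipher's intermediate result are all assumptions.

```python
import hashlib

# Constructed 4-symbol prefix code; internal tree nodes are named by their prefix.
CANON = {"a": "0", "b": "10", "c": "110", "d": "111"}
NODES = {"": 0, "1": 1, "11": 2}          # internal node -> control-bit index
DECODE = {code: sym for sym, code in CANON.items()}

def ctrl_bits(state):
    """One swap bit per internal node, taken from the intermediate value."""
    return [(state[0] >> i) & 1 for i in range(len(NODES))]

def next_state(key, state, block):
    # Assumed stand-in for the intermediate result of encrypting this block.
    return hashlib.sha256(key + state + block.encode()).digest()

def encode_block(block, ctrl):
    bits = []
    for sym in block:
        code = CANON[sym]
        # Flip each branch label whose parent node has its swap bit set.
        bits += [str(int(b) ^ ctrl[NODES[code[:j]]]) for j, b in enumerate(code)]
    return "".join(bits)

def compress(key, text, n=4):
    state, out = hashlib.sha256(key).digest(), []
    for i in range(0, len(text), n):
        out.append(encode_block(text[i:i + n], ctrl_bits(state)))
        state = next_state(key, state, text[i:i + n])
    return "".join(out)

def decompress(key, bits, n=4):
    state, text, block, prefix = hashlib.sha256(key).digest(), [], "", ""
    ctrl = ctrl_bits(state)
    for b in bits:
        prefix += str(int(b) ^ ctrl[NODES[prefix]])   # undo the swap, walk the tree
        if prefix in DECODE:
            block, prefix = block + DECODE[prefix], ""
            if len(block) == n:                       # block done: move to next mapping
                text.append(block)
                state = next_state(key, state, block)
                ctrl, block = ctrl_bits(state), ""
    return "".join(text) + block
```

Compressing a run of identical blocks such as `"abcd" * 8` yields 9 bits per block regardless of the mapping, but the 9-bit patterns vary from block to block.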