This application claims the benefit of Korean Patent Application No. 10-2012-0064278, filed on Jun. 15, 2012, which is hereby incorporated by reference in its entirety into this application.
1. Technical Field
The present invention relates generally to a low-power encryption apparatus and method and, more particularly, to an encryption apparatus and method that are capable of providing a mobile fast block cipher algorithm that supports low-power encryption.
2. Description of the Related Art
Block ciphers are key elements that are most widely used in encryption applications that are applied to the communication of a variety of types of devices and the security of stored data, and mainly function to encrypt data on a specific block-length (64-bit or 128-bit) basis and provide confidentiality. Furthermore, block ciphers are used to construct hash functions, message authentication codes, random number generators, etc. In order to meet these purposes, block ciphers should be designed to have features suitable for the characteristics of devices and encryption applications, and are implemented as device-specific chips or as software that is run by the CPU of a device.
In the case of hardware chips, the development of the chips has many limitations because of their marketability, developing cost, interoperability with devices, etc. In contrast, the application of software implementation has expanded thanks to the evolution of CPU performance, etc. However, in the case of software implementation, there are many environments that are associated with limited resources. In particular, mobile devices with batteries, such as the smart phones that have been popularized recently, are problematic in that power is consumed by the running of software. It is known that an internationally standardized block cipher having the best performance now increases battery consumption by 70% or higher during continuous encryption, compared to the case of no encryption.
Meanwhile, a block cipher technique that was developed for the purpose of H/W encryption operations in an ultra-light and low-power environment was disclosed in a paper entitled “HIGHT: A New Block Cipher Suitable for Low-Resource Device” and published in the workshop on Cryptographic Hardware and Embedded Systems in 2006. However, the block cipher technique that was disclosed in this paper is problematic in that it has weaknesses in terms of security and requires a relatively large number of CPU cycles in order to encrypt data in a software environment.
Accordingly, the present invention has been made keeping in mind the above problems occurring in the prior art, and an object of the present invention is to provide an encryption apparatus and method that use a block cipher algorithm that supports low-power encryption.
In order to accomplish the above object, the present invention provides an encryption apparatus, including a user interface unit configured to receive plain text to be encrypted and a master key; a key scheduler unit configured to generate a round key from the master key; an initial conversion unit configured to generate initial round function values from the plain text; a round function processing unit configured to repeatedly process a round function using the round key and the initial round function values; and a final conversion unit configured to generate ciphertext from the resulting values of the round function processed in a final round by the round function processing unit.
The key scheduler unit may include a master key input unit configured to receive the master key from the user interface unit; a key schedule round function value generation unit configured to generate initial key schedule round function values from respective sub-master key values that constitute the master key; and a round key generation unit configured to generate key schedule round function values using the initial key schedule round function values and fixed constant values and generate the round key by consecutively arranging the key schedule round function values.
The round key may have a length of 192 bits, and be formed by consecutively arranging sub-round keys RKi[0], RKi[1], RKi[2], RKi[3], RKi[4], and RKi[5] each having a length of 32 bits.
The initial conversion unit may extract pieces of sub-plain text P[0], P[1], P[2], and P[3] each having a length of 32 bits from the plain text having a length of 128 bits, and generate initial round function values X0[0], X0[1], X0[2], and X0[3] from the pieces of sub-plain text P[0], P[1], P[2], and P[3], respectively.
The round function processing unit may compute the resulting values Xi+1[0], Xi+1[1], Xi+1[2], and Xi+1[3] of a round function in an i-th round by processing the round function based on the round key and the initial round function values.
The round function processing unit may compute Xi+1[0] using Equation Xi+1[0]←ROL9((Xi[0]⊕RKi[0])+(Xi[1]⊕RKi[1])), compute Xi+1[1] using Equation Xi+1[1]←ROL5((Xi[1]⊕RKi[2])+(Xi[2]⊕RKi[3])), compute Xi+1[2] using Equation Xi+1[2]←ROL3((Xi[2]⊕RKi[4])+(Xi[3]⊕RKi[5])), and compute Xi+1[3] using Equation Xi+1[3]←Xi[0], wherein Xi[0], Xi[1], Xi[2], and Xi[3] denote the results of the round function in an (i−1)-th round, ⊕ denotes an XOR operation, + denotes a modulo 2^32 addition operation, ROLa(x) denotes the function of circularly shifting value x having a length of 32 bits to the left by “a” bits and outputting the resulting value, and RORa(x) denotes the function of circularly shifting value x having a length of 32 bits to the right by “a” bits and outputting the resulting value.
The final conversion unit may generate the ciphertext by consecutively arranging the resulting values of the round function obtained in the final round.
The encryption apparatus may further include a ciphertext output unit configured to output the ciphertext generated by the final conversion unit.
In order to accomplish the above object, the present invention provides an encryption method, including receiving, by a user interface unit, plain text to be encrypted and a master key; generating, by a key scheduler unit, a round key from the master key; generating, by an initial conversion unit, initial round function values from the plain text; repeatedly processing, by a round function processing unit, a round function using the round key and the initial round function values; and generating, by a final conversion unit, ciphertext from resulting values of the round function processed in a final round by the round function processing unit.
The generating a round key from the master key may include receiving, by a master key input unit, the master key from the user interface unit; generating, by a key schedule round function value generation unit, initial key schedule round function values from respective sub-master key values that constitute the master key; and generating, by a round key generation unit, key schedule round function values using the initial key schedule round function values and fixed constant values, and generating, by the round key generation unit, the round key by consecutively arranging the key schedule round function values.
The round key may have a length of 192 bits, and be formed by consecutively arranging sub-round keys RKi[0], RKi[1], RKi[2], RKi[3], RKi[4], and RKi[5] each having a length of 32 bits.
The generating initial round function values from the plain text may include extracting pieces of sub-plain text P[0], P[1], P[2], and P[3] each having a length of 32 bits from the plain text having a length of 128 bits, and generating initial round function values X0[0], X0[1], X0[2], and X0[3] from the pieces of sub-plain text P[0], P[1], P[2], and P[3], respectively.
The repeatedly processing a round function using the round key and the initial round function values may include computing the resulting values Xi+1[0], Xi+1[1], Xi+1[2], and Xi+1[3] of a round function in an i-th round by processing the round function based on the round key and the initial round function values.
The repeatedly processing a round function using the round key and the initial round function values may include computing Xi+1[0] using Equation Xi+1[0]←ROL9((Xi[0]⊕RKi[0])+(Xi[1]⊕RKi[1])), computing Xi+1[1] using Equation Xi+1[1]←ROL5((Xi[1]⊕RKi[2])+(Xi[2]⊕RKi[3])), computing Xi+1[2] using Equation Xi+1[2]←ROL3((Xi[2]⊕RKi[4])+(Xi[3]⊕RKi[5])), and computing Xi+1[3] using Equation Xi+1[3]←Xi[0], wherein Xi[0], Xi[1], Xi[2], and Xi[3] denote the results of the round function in an (i−1)-th round, ⊕ denotes an XOR operation, + denotes a modulo 2^32 addition operation, ROLa(x) denotes the function of circularly shifting value x having a length of 32 bits to the left by “a” bits and outputting the resulting value, and RORa(x) denotes the function of circularly shifting value x having a length of 32 bits to the right by “a” bits and outputting the resulting value.
The generating ciphertext from the resulting values of the round function processed in a final round may include generating the ciphertext by consecutively arranging the resulting values of the round function obtained in the final round.
The encryption method may further include outputting, by a ciphertext output unit, the ciphertext generated by the final conversion unit.
The above and other objects, features and advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
The present invention will be described in detail below with reference to the accompanying drawings. Repeated descriptions, and descriptions of known functions and constructions which have been deemed to make the gist of the present invention unnecessarily vague, will be omitted below. The embodiments of the present invention are provided in order to fully describe the present invention to a person having ordinary skill in the art. Accordingly, the shapes, sizes, etc. of elements in the drawings may be exaggerated to make the description clear.
The configuration and operation of an encryption apparatus according to the present invention will be described with reference to
Referring to
The user interface unit 100 receives an object to be encrypted, for example, specific text or voice, referred to as “plain text” (hereinafter designated as “P”), from a user. Furthermore, the user interface unit 100 receives a master key (hereinafter designated as “MK”) from the user at the same time it receives the plain text. Here, the master key input to the user interface unit 100 has a length of 128 bits, 192 bits or 256 bits, and includes sub-master keys each having a length of 32 bits. That is, the master key MK includes a plurality of consecutive sub-master keys. A master key having a length of 128 bits, a master key having a length of 192 bits, and a master key having a length of 256 bits may be represented by the following Equations 1 to 3, respectively:
MK=K[0]∥K[1]∥K[2]∥K[3] (1)
MK=K[0]∥K[1]∥K[2]∥K[3]∥K[4]∥K[5] (2)
MK=K[0]∥K[1]∥K[2]∥K[3]∥K[4]∥K[5]∥K[6]∥K[7] (3)
In the above equation, K[0] to K[7] are sub-master keys each having a length of 32 bits, which constitute the master key MK.
Meanwhile, the plain text input to the user interface unit 100 has a length of 128 bits, and includes a plurality of pieces of sub-plain text each having a length of 32 bits. That is, the plain text P includes a plurality of pieces of consecutive sub-plain text. The plain text having a length of 128 bits may be presented by the following Equation 4:
P=P[0]∥P[1]∥P[2]∥P[3] (4)
In the above equation, P[0] to P[3] are pieces of sub-plain text each having a length of 32 bits, which constitute the plain text P.
The user interface unit 100 sends the master key MK and the plain text P, received from the user, to the key scheduler unit 200 and the initial conversion unit 300, respectively.
The key scheduler unit 200 receives the master key from the user interface unit 100, and generates a round key (hereinafter designated as “RK”) from the master key. More specifically, the key scheduler unit 200 includes a master key input unit 220, a key schedule round function value generation unit 240, and a round key generation unit 260, as shown in
The master key input unit 220 receives the master key from the user interface unit 100, and sends the master key to the key schedule round function value generation unit 240.
The key schedule round function value generation unit 240 extracts sub-master key values from the master key received from the master key input unit 220, and generates initial key schedule round function values from the extracted sub-master key values, respectively.
In this case, the key schedule round function value generation unit 240, if the received master key has a length of 128 bits, determines initial key schedule round function values T0[0] to T0[3] using the following Equation 5:
T0[k]←K[k], 0≦k≦3 (5)
In contrast, the key schedule round function value generation unit 240, if the received master key has a length of 192 bits, determines initial key schedule round function values T0[0] to T0[5] using the following Equation 6:
T0[k]←K[k], 0≦k≦5 (6)
In contrast, the key schedule round function value generation unit 240, if the received master key has a length of 256 bits, determines initial key schedule round function values T0[0] to T0[7] using the following Equation 7:
T0[k]←K[k], 0≦k≦7 (7)
The round key generation unit 260 generates key schedule round function values using the initial key schedule round function values generated by the key schedule round function value generation unit 240 and fixed constant values, and generates a round key by consecutively arranging the key schedule round function values. Here, the round key generation unit 260 may use fixed constant values δ[0] to δ[7] represented as hexadecimal numbers, for example, as shown in the following Equation 8, in order to generate the key schedule round function values.
δ[0]=0xc3efe9db,
δ[1]=0x44626b02,
δ[2]=0x79e27c8a,
δ[3]=0x78df30ec,
δ[4]=0x715ea49e,
δ[5]=0xc785da0a,
δ[6]=0xe04ef22a,
δ[7]=0xe5c40957 (8)
The round key generation unit 260, if the master key received from the user interface unit 100 has a length of 128 bits, determines key schedule round function values each having a length of 32 bits using the following Equation 9, and generates a round key by consecutively arranging the key schedule round function values using the following Equation 10:
Ti+1[0]←ROL1(Ti[0]+ROLi(δ[i mod 4])),
Ti+1[1]←ROL3(Ti[1]+ROLi+1(δ[i mod 4])),
Ti+1[2]←ROL6(Ti[2]+ROLi+2(δ[i mod 4])),
Ti+1[3]←ROL11(Ti[3]+ROLi+3(δ[i mod 4])), 0≦i≦23 (9)
RKi←Ti+1[0]∥Ti+1[1]∥Ti+1[2]∥Ti+1[1]∥Ti+1[3]∥Ti+1[1] (10)
Furthermore, the round key generation unit 260, if the master key received from the user interface unit 100 has a length of 192 bits, determines key schedule round function values each having a length of 32 bits using the following Equation 11, and generates a round key by consecutively arranging the key schedule round function values using the following Equation 12:
Ti+1[0]←ROL1(Ti[0]+ROLi(δ[i mod 6])),
Ti+1[1]←ROL3(Ti[1]+ROLi+1(δ[i mod 6])),
Ti+1[2]←ROL6(Ti[2]+ROLi+2(δ[i mod 6])),
Ti+1[3]←ROL11(Ti[3]+ROLi+3(δ[i mod 6])),
Ti+1[4]←ROL13(Ti[4]+ROLi+4(δ[i mod 6])),
Ti+1[5]←ROL17(Ti[5]+ROLi+5(δ[i mod 6])), 0≦i≦27 (11)
RKi←Ti+1[0]∥Ti+1[1]∥Ti+1[2]∥Ti+1[3]∥Ti+1[4]∥Ti+1[5] (12)
Furthermore, the round key generation unit 260, if the master key received from the user interface unit 100 has a length of 256 bits, determines key schedule round function values each having a length of 32 bits using the following Equation 13, and generates a round key by consecutively arranging the key schedule round function values using the following Equation 14:
Ti+1[(6i) mod 8]←ROL1(Ti[(6i) mod 8]+ROLi(δ[i mod 8])),
Ti+1[(6i+1) mod 8]←ROL3(Ti[(6i+1) mod 8]+ROLi+1(δ[i mod 8])),
Ti+1[(6i+2) mod 8]←ROL6(Ti[(6i+2) mod 8]+ROLi+2(δ[i mod 8])),
Ti+1[(6i+3) mod 8]←ROL11(Ti[(6i+3) mod 8]+ROLi+3(δ[i mod 8])),
Ti+1[(6i+4) mod 8]←ROL13(Ti[(6i+4) mod 8]+ROLi+4(δ[i mod 8])),
Ti+1[(6i+5) mod 8]←ROL17(Ti[(6i+5) mod 8]+ROLi+5(δ[i mod 8])),
Ti+1[(6i+6) mod 8]←Ti[(6i+6) mod 8],
Ti+1[(6i+7) mod 8]←Ti[(6i+7) mod 8], 0≦i≦31 (13)
RKi←Ti+1[(6i) mod 8]∥Ti+1[(6i+1) mod 8]∥Ti+1[(6i+2) mod 8]∥Ti+1[(6i+3) mod 8]∥Ti+1[(6i+4) mod 8]∥Ti+1[(6i+5) mod 8] (14)
In the above equations, the modulo operation “x mod 4” is an operation that calculates the remainder that is obtained by dividing value x by 4, the modulo operation “x mod 6” is an operation that calculates the remainder that is obtained by dividing value x by 6, and the modulo operation “x mod 8” is an operation that calculates the remainder that is obtained by dividing value x by 8.
Meanwhile, the round key RKi generated by the round key generation unit 260 always has the same length of 192 bits (six sub-round keys of 32 bits each) by Equations 10, 12 or 14, even when the master key MK has any one length of 128 bits, 192 bits or 256 bits. Here, the round key RKi having a length of 192 bits may be formed by consecutively arranging sub-round keys RKi[0] to RKi[5] each having a length of 32 bits, as shown in Equation 15:
RKi=RKi[0]∥RKi[1]∥RKi[2]∥RKi[3]∥RKi[4]∥RKi[5] (15)
The initial conversion unit 300 receives plain text from the user interface unit 100, and generates initial round function values from the plain text. That is, the initial conversion unit 300 extracts pieces of sub-plain text P[0], P[1], P[2], and P[3] each having a length of 32 bits from the plain text P having a length of 128 bits which is represented by Equation 4, and generates initial round function values X0[0], X0[1], X0[2], and X0[3] from the pieces of sub-plain text P[0], P[1], P[2], and P[3], respectively, using the following Equation 16:
X0[k]←P[k], 0≦k≦3 (16)
The round function processing unit 400 repeatedly processes a round function using the round key generated by the key scheduler unit 200 and the initial round function values generated by the initial conversion unit 300. In this case, the number of times the round function processing unit 400 repeatedly processes the round function is 24 if the master key has a length of 128 bits, 28 if the master key has a length of 192 bits, and 32 if the master key has a length of 256 bits. The round function processing unit 400 processes a round function, such as that shown in the following Equation 17, in an i-th round:
Xi+1[0]←ROL9((Xi[0]⊕RKi[0])+(Xi[1]⊕RKi[1])),
Xi+1[1]←ROL5((Xi[1]⊕RKi[2])+(Xi[2]⊕RKi[3])),
Xi+1[2]←ROL3((Xi[2]⊕RKi[4])+(Xi[3]⊕RKi[5])),
Xi+1[3]←Xi[0] (17)
where Xi[0], Xi[1], Xi[2], and Xi[3] denote the results of the round function in an (i−1)-th round (for i=0, the initial round function values X0[0] to X0[3]), ⊕ denotes an eXclusive OR (XOR) operation, + denotes a modulo 2^32 addition operation, ROLa(x) denotes the function of circularly shifting value x having a length of 32 bits to the left by “a” bits and outputting the resulting value, and RORa(x) denotes the function of circularly shifting value x having a length of 32 bits to the right by “a” bits and outputting the resulting value.
The above-described processing of the round function of the round function processing unit 400 in the i-th round may be illustrated, as shown in
The final conversion unit 500 generates ciphertext (hereinafter designated as “C”) by consecutively arranging the resulting values of the round function processed by the round function processing unit 400 in a final round. The final conversion unit 500 generates ciphertext C by consecutively arranging the resulting values Xr[0] to Xr[3] in a final round, that is, an r-th round (where r=24 if the master key has a length of 128 bits, r=28 if the master key has a length of 192 bits, and r=32 if the master key has a length of 256 bits). That is, the final conversion unit 500 converts an output result Xr(=Xr[0]∥Xr[1]∥Xr[2]∥Xr[3]) in the r-th round into ciphertext C (=C[0]∥C[1]∥C[2]∥C[3]) using the following Equation 18:
C[k]←Xr[k], 0≦k≦3 (18)
Finally, the ciphertext output unit 600 outputs the ciphertext generated by the final conversion unit 500 to a user.
A method of decrypting ciphertext output according to the present invention into plain text is performed by performing the overall encryption process of the encryption apparatus 10 in reverse, except for the operation of the key scheduler unit 200, which is performed unchanged; the round keys RK0 to RKr−1 it produces are then applied in reverse order. Furthermore, in the decryption process, a mod 2^32 subtraction operation should be performed instead of the mod 2^32 addition operation, and the ROR operation should be performed instead of the ROL operation of Equation 17, so that each round of decryption recovers Xi[0] to Xi[3] from Xi+1[0] to Xi+1[3].
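The key schedule of Equations 5 to 14, the round function of Equation 17, the initial and final conversions of Equations 16 and 18, and the inverse process described above, transcribed into Python as an added example; this is not code from the patent or from any implementation it describes. Two points the page leaves open are assumed here and marked in comments: 32-bit words K[k], P[k] and C[k] are packed from bytes in little-endian order, and a rotation amount such as i+5 that exceeds 31 is reduced modulo 32. The sample key and plaintext are constructed, not test vectors.

```python
"""Added example (not the patent's own code): the ARX block cipher of
Equations 5-18 for 128-, 192- and 256-bit master keys, plus its inverse.
Assumed because the page does not say: 32-bit words are packed from bytes
little-endian, and rotation amounts i, i+1, ... are reduced modulo 32."""

MASK = 0xFFFFFFFF
ROUNDS = {16: 24, 24: 28, 32: 32}           # master-key bytes -> round count r
DELTA = [0xc3efe9db, 0x44626b02, 0x79e27c8a, 0x78df30ec,   # Equation 8
         0x715ea49e, 0xc785da0a, 0xe04ef22a, 0xe5c40957]
KS_ROT = (1, 3, 6, 11, 13, 17)               # ROL amounts of Equations 9/11/13


def rol(x, a):
    """ROLa(x): 32-bit circular left shift; a reduced mod 32 (assumption)."""
    a %= 32
    return ((x << a) | (x >> (32 - a))) & MASK


def ror(x, a):
    """RORa(x): 32-bit circular right shift, the inverse of rol(x, a)."""
    a %= 32
    return ((x >> a) | (x << (32 - a))) & MASK


def words(data):
    """Split bytes into 32-bit words (little-endian packing is an assumption)."""
    return [int.from_bytes(data[4 * k:4 * k + 4], "little")
            for k in range(len(data) // 4)]


def unwords(ws):
    return b"".join(w.to_bytes(4, "little") for w in ws)


def key_schedule(mk):
    """Key scheduler unit 200, Equations 5-14. Returns r round keys RKi,
    each a tuple of six 32-bit sub-round keys RKi[0..5] (192 bits)."""
    if len(mk) not in ROUNDS:
        raise ValueError("master key must be 128, 192 or 256 bits")
    r = ROUNDS[len(mk)]
    t = words(mk)                            # T0[k] <- K[k]   (Eq. 5/6/7)
    n = len(t)
    rks = []
    for i in range(r):
        d = DELTA[i % n]                     # delta[i mod 4 | 6 | 8]
        if n == 8:                           # Eq. 13: only six T words move
            idx = [(6 * i + k) % 8 for k in range(6)]
        else:                                # Eq. 9 / 11: every T word moves
            idx = list(range(n))
        for k, j in enumerate(idx):          # T[j] <- ROL_s(T[j] + ROL_{i+k}(delta))
            t[j] = rol((t[j] + rol(d, i + k)) & MASK, KS_ROT[k])
        if n == 4:                           # Eq. 10 repeats T[1] three times
            rks.append((t[0], t[1], t[2], t[1], t[3], t[1]))
        else:                                # Eq. 12 / 14
            rks.append(tuple(t[j] for j in idx))
    return rks


def encrypt_block(pt, rks):
    """Initial conversion (Eq. 16), r rounds of Eq. 17, final conversion (Eq. 18)."""
    x = words(pt)                            # X0[k] <- P[k]
    for rk in rks:                           # round i uses RKi
        x = [rol(((x[0] ^ rk[0]) + (x[1] ^ rk[1])) & MASK, 9),
             rol(((x[1] ^ rk[2]) + (x[2] ^ rk[3])) & MASK, 5),
             rol(((x[2] ^ rk[4]) + (x[3] ^ rk[5])) & MASK, 3),
             x[0]]
    return unwords(x)                        # C[k] <- Xr[k]


def decrypt_block(ct, rks):
    """Inverse of encrypt_block: same round keys in reverse order, ROR in
    place of ROL and modulo-2^32 subtraction in place of addition."""
    x = words(ct)
    for rk in reversed(rks):
        x0 = x[3]                            # X_{i+1}[3] was X_i[0]
        x1 = ((ror(x[0], 9) - (x0 ^ rk[0])) & MASK) ^ rk[1]
        x2 = ((ror(x[1], 5) - (x1 ^ rk[2])) & MASK) ^ rk[3]
        x3 = ((ror(x[2], 3) - (x2 ^ rk[4])) & MASK) ^ rk[5]
        x = [x0, x1, x2, x3]
    return unwords(x)


def roundtrip_ok(mk, pt):
    """Constructed self-check: encrypt then decrypt under one master key."""
    rks = key_schedule(mk)
    ct = encrypt_block(pt, rks)
    return ct != pt and decrypt_block(ct, rks) == pt


if __name__ == "__main__":
    pt = bytes(range(0x10, 0x20))            # constructed sample plaintext
    for mk in (bytes(range(16)), bytes(range(24)), bytes(range(32))):
        print(len(mk) * 8, "bit key: roundtrip", roundtrip_ok(mk, pt),
              encrypt_block(pt, key_schedule(mk)).hex())
```

A round trip only shows that the inverse matches the forward direction, not that either matches what the page's authors built; the page gives no test vectors, so a known-answer check cannot be done from it. One caveat for anyone comparing against the later standard: this cipher's constants and key schedule are those of the published LEA block cipher, but LEA's round function rotates the second and third words right (ROR5, ROR3) where Equation 17 here rotates them left (ROL5, ROL3), so a transcription that follows this page will not reproduce LEA test vectors.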
The encryption method according to the present invention will be described below. In the following description, descriptions that are the same as descriptions of the operation of the encryption apparatus according to the present invention given in conjunction with
Referring to
Thereafter, the key scheduler unit generates a round key using the master key received from the user interface unit at step S200. In this case, the round key generated at step S200 has a length of 192 bits, and may be formed by consecutively arranging sub-round keys RKi[0], RKi[1], RKi[2], RKi[3], RKi[4], and RKi[5] each having a length of 32 bits.
Thereafter, the initial conversion unit generates initial round function values from the plain text received from the user interface unit at step S300. In this case, at step S300, pieces of sub-plain text P[0], P[1], P[2], and P[3] each having a length of 32 bits may be extracted from the plain text having a length of 128 bits and initial round function values X0[0], X0[1], X0[2], and X0[3] are generated from the pieces of sub-plain text P[0], P[1], P[2], and P[3], respectively.
Thereafter, at step S400, the round function processing unit repeatedly processes a round function using the round key generated at step S200 and the initial round function values generated at step S300. Here, at step S400, the resulting values Xi+1[0], Xi+1[1], Xi+1[2], and Xi+1[3] of a round function in an i-th round may be computed by processing the round function based on the round key and the initial round function values. Furthermore, at step S400, Xi+1[0] may be computed using Equation Xi+1[0]←ROL9((Xi[0]⊕RKi[0])+(Xi[1]⊕RKi[1])), Xi+1[1] may be computed using Equation Xi+1[1]←ROL5((Xi[1]⊕RKi[2])+(Xi[2]⊕RKi[3])), Xi+1[2] may be computed using Equation Xi+1[2]←ROL3((Xi[2]⊕RKi[4])+(Xi[3]⊕RKi[5])), and Xi+1[3] may be computed using Equation Xi+1[3]←Xi[0]. Here, Xi[0], Xi[1], Xi[2], and Xi[3] denote the results of the round function in an (i−1)-th round, ⊕ denotes an XOR operation, + denotes a modulo 2^32 addition operation, ROLa(x) denotes the function of circularly shifting value x having a length of 32 bits to the left by “a” bits and outputting the resulting value, and RORa(x) denotes the function of circularly shifting value x having a length of 32 bits to the right by “a” bits and outputting the resulting value.
Thereafter, at step S500, the final conversion unit generates ciphertext from the resulting values of the round function processed in a final round at step S400. In this case, at step S500, ciphertext is generated by consecutively arranging the resulting values of the round function obtained in a final round.
Finally, the ciphertext output unit outputs the ciphertext generated at step S500 to the user at step S600.
Referring to
Thereafter, the round key generation unit generates key schedule round function values using the initial key schedule round function values, generated at step S240, and fixed constant values at step S260, and generates a round key by consecutively arranging the key schedule round function values at step S280.
The above-described encryption method according to the present invention may be implemented as a program and then stored in a computer-readable storage medium (for example, CD-ROM, RAM, a floppy disk, a hard disk, a magneto-optical disk, flash memory, or the like).
The present invention has the advantage of providing an encryption technique that is composed only of Addition, Rotation and XOR (ARX) operations that are generally used in existing CPUs and that are easy to adopt.
Furthermore, the present invention has the advantage of being able to perform encryption using a smaller number of cycles in a CPU because an encryption process is performed using the combination of operations that enable parallel operations using temporary variables.
Moreover, the present invention has the advantage of guaranteeing security against all conventional block cipher attacks.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.
Number | Date | Country | Kind |
---|---|---|---|
10-2012-0064278 | Jun 2012 | KR | national |