WO2023199379A1 - Information processing device, method, and program - Google Patents

Abstract

An information processing device according to one aspect comprises a tag generation unit that uses a tag generation function MAC1_K (where K is a key) for a message authentication code, which is secure against a white-box attack, so as to generate a tag T=MAC1_K(X) for verifying the authenticity of data X, wherein the tag generation function MAC1_K is configured using: an encryption function E_K for a block cipher that is secure against a white-box attack and has an input/output length of n bits; a prescribed hash function H that has an output length of m≥2n bits; and prescribed functions f1,f2:{0,1}^m→{0,1}ⁿ and f3:{0,1}ⁿ×{0,1}ⁿ→{0,1}ⁿ.

Description

Information processing device, method and program

The present disclosure relates to an information processing device, method, and program.

In general, cryptographic technology is designed to ensure security against black box attacks. A black box attack is an attack in which an attacker can know the input/output pairs of an encryption function or a decryption function. On the other hand, an attack in which an attacker can see not only the input/output pairs but also the contents of the software that implements the encryption and decryption functions is called a white box attack. Safe against black box attacks is also called "black box safe", and safe against white box attacks (to a certain extent) is also called "white box safe".

Encryption technology is primarily a technology to obtain confidentiality, but in recent years, technology to obtain not only confidentiality but also authenticity has become important. Message Authentication Code (MAC) is known as a technique for obtaining authenticity. Further, as a technology that can obtain not only confidentiality but also authenticity at the same time, a technique called authenticated encryption or AEAD (Authenticated Encryption with Associated Data) is known (for example, Non-Patent Document 1). AEAD is often configured by combining a common key encryption such as CTR or CBC with a message authentication code.

Phillip Rogaway and Thomas Shrimpton. A provable-security treatment of the key-wrap problem. In Serge Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St Petersburg, Russia, May 28 - June 1, 2006, Proceedings, Vol. 4004 of Lecture Notes in Computer Science, pp. 373-390. Springer, 2006.

However, until now there has been no white box safe AEAD. On the other hand, many AEADs can be configured by combining a common key encryption code and a message authentication code, so if a white box secure message authentication code can be realized, by combining it with a white box safe common key encryption code, it will be possible to create a white box secure message authentication code. AEAD can be configured.

The present disclosure has been made in view of the above points, and provides a technology for realizing a white box secure message authentication code.

An information processing apparatus according to an aspect of the present disclosure uses a tag generation function MAC1 _K (where K is a key) of a message authentication code that is safe against white box attacks, and a tag for verifying the authenticity of data X. a tag generation unit configured to generate T= _MAC1K (X), and the tag generation function _MAC1K is a block cipher that is secure against white box attacks and has an input/output length of n bits. An encryption function E _K , a predetermined hash function H with an output length of m≧2n bits, and a predetermined function f1, f2: {0,1} ^m → {0,1} ⁿ and f3: {0,1} It is constructed using ⁿ ×{0,1} ⁿ →{0,1} ⁿ .

A technique is provided to implement a white box secure message authentication code.

FIG. 3 is a diagram illustrating an example of an algorithm of a verification function. FIG. 3 is a diagram illustrating an example of an algorithm of an SIV encryption function. FIG. 3 is a diagram illustrating a configuration example of an SIV encryption function. FIG. 3 is a diagram illustrating an example of an algorithm of an SIV decoding function. FIG. 3 is a diagram illustrating an example of an algorithm for a tag generation function of a white box secure message authentication code. FIG. 2 is a diagram illustrating a configuration example of a white box secure message authentication code. FIG. 1 is a diagram illustrating a configuration example of a communication system according to a first embodiment. FIG. 2 is a diagram illustrating a configuration example of a communication system according to a second embodiment. 1 is a diagram showing an example of a hardware configuration of a computer.

Hereinafter, a first embodiment and a second embodiment of the present invention will be described. In the first embodiment, a communication system 1 that configures a white box safe message authentication code and enables data communication that satisfies authenticity using this message authentication code will be described. Furthermore, in the second embodiment, a communication system 1 will be described in which an AEAD is configured from the message authentication code configured in the first embodiment, and the AEAD enables data communication that satisfies confidentiality and authenticity.

Note that the communication system 1 according to the first embodiment is applicable to various systems in which data communication that requires ensuring authenticity occurs. Similarly, the communication system 1 according to the second embodiment is applicable to various systems in which data communication that requires ensuring confidentiality and authenticity occurs.

[Preparation]
Hereinafter, terms, techniques, etc. used in the first embodiment and the second embodiment will be explained.

<Confidentiality and authenticity>
Confidentiality and authenticity are important concepts in information security. Confidentiality is a state in which a malicious attacker cannot illegally obtain information about the data you want to protect. Techniques for obtaining confidentiality include common key cryptography and public key cryptography. Furthermore, authenticity refers to a state in which the data to be protected has not been illegally tampered with by an attacker, or a state in which an attacker cannot illegally fabricate the data. Techniques for obtaining authenticity include message authentication codes and digital signatures.

<Common key encryption technology>
Common key cryptography is a cryptography technology in which users use a common secret key. For example, when one person encrypts data using common key cryptography and sends it to another person, it is necessary to use the same private key for encryption and decryption. Unlike public key cryptography such as RSA cryptography, common key cryptography cannot make (part of) the key public. On the other hand, it has the advantage that it does not require algebraic problems such as prime factorization problems, and processing is fast. Many data protection technologies, such as SSL/TLS, are realized by skillfully combining the advantages of both public key cryptography, which allows (part of) the key to be made public, and high-speed common key cryptography. Both public key cryptography and common key cryptography are essential security technologies. The first embodiment and second embodiment described below relate to common key encryption technology.

Hereinafter, the term "common key encryption" refers to a narrowly defined common key encryption whose main purpose is to protect confidentiality by encrypting data of various lengths. Common key encryption in a narrow sense includes secret modes such as CTR mode and CBC mode, stream encryption such as KCipher-2, and the like. Note that block ciphers such as AES (Advanced Encryption Standard), Camellia, SPACE (Reference 1), and SPNBox (Reference 2) can also be classified as common key ciphers in a narrow sense; For convenience of explanation, in this book, when we refer to ``common key cryptography (in a narrow sense)'', we do not include block ciphers.

In recent years, common key cryptography has been widely used to provide not only confidentiality but also authenticity when encrypting data. Such a cipher is called an authenticated cipher or AEAD. Representative examples of AEAD include GCM, CCM, SIV (Synthetic Initialization Vector) (Non-Patent Document 1), and the like. AEAD is often configured by combining a narrowly defined common key encryption and a message authentication code (MAC). Here, the message authentication code is a common key encryption technology whose purpose is to provide only authenticity without considering confidentiality. The first embodiment described below relates to a message authentication code, and the second embodiment relates to an AEAD.

Hereinafter, the block cipher, common key cipher in a narrow sense, message authentication code, and AEAD will be explained in more detail. We also discuss cryptographic hash functions. Note that in this specification, it is assumed that all data and input/output of functions are represented by bit strings.

・Block cipher A block cipher is a cipher that takes as input a key K of fixed length (e.g. 256 bits) and plaintext M of fixed length (e.g. 128 bits) and outputs ciphertext C of the same length as the plaintext. It's about E. The fact that C is a ciphertext corresponding to M and K is written as C=E _K (M). _EK is also called an encryption function. Block ciphers are required to be decryptable. That is, there is a decryption function D _K that restores the cipher text, and D _K (E _K (M))=M holds true for any plain text M. Further, D _K (E _K (C))=C holds true for any ciphertext C. Representative examples of block ciphers include AES, Camellia, and the like.

It should be noted here that even if there is a good block cipher that can safely encrypt short, fixed-length data, it is not obvious how to securely encrypt arbitrary-length data (especially long data).

・Common key encryption in the narrow sense In this specification, common key encryption in the narrow sense refers to a cipher E that takes as input a fixed-length key K, a fixed-length initial vector IV, and an arbitrary-length plaintext M, and outputs a ciphertext C. It shall be assumed that Here, the IV is, in principle, a value that changes each time the encryption process is performed. The IV may be randomly selected for each encryption process. There are also schemes that allow a single IV to be used repeatedly. In the block cipher, M has a fixed length (eg, 128 bits), but in the narrowly defined common key cipher, M has an arbitrary length, and for example, M may be 1 bit or 1 gigabyte. The fact that C is a ciphertext corresponding to (K, IV, M) is written as C=Enc _K (IV, M). Enc _K is also called an encryption function. Similar to block ciphers, common key ciphers in a narrow sense can also be decrypted. That is, there is a decryption function Dec _K that restores the ciphertext to its original state, and Dec _K (IV, Enc _K (IV, M))=M holds true for any plaintext M.

A common key cipher for encrypting plaintext of arbitrary length is often created using a block cipher. A structure such as a common key cipher in a narrow sense, a message authentication code, or an AEAD that uses a block cipher is called a block cipher usage mode or simply a mode. In this mode, a common key encryption technique other than a block cipher may be used as necessary. In this specification, a mode for creating a common key encryption in a narrow sense will be particularly referred to as a secret mode. Representative examples of secret modes include CTR mode and CBC mode.

・Message authentication code (MAC)
The message authentication code consists of a function (tag generation function) MAC _K (M) that takes a fixed-length key K and an arbitrary-length message M as input and outputs a fixed-length output T called a tag, and (K, M, T) as input and the symbol

を出力する検証関数ＶＥＲ_Ｋ（Ｍ，Ｔ）とで構成される。ここで、

It is composed of a verification function VER _K (M,T) that outputs . here,

は「ＴがＭとＫから生成された正当なタグである」ということを意味し、ＶＥＲ_Ｋ（Ｍ，Ｔ）＝⊥は「Ｔは不正に生成されたタグである」ということを意味する。安全なメッセージ認証符号は大雑把にいえば「秘密鍵Ｋを知っている者しか正当なＴの値を計算することはできない」、「異なるメッセージに対応するタグの値は異なる」という性質を満たし、不正な改ざんの検知（つまり、真正性の獲得）に用いることができる。

means "T is a valid tag generated from M and K", and VER _K (M, T) = ⊥ means "T is an illegally generated tag" . Roughly speaking, a secure message authentication code satisfies the following properties: ``Only someone who knows the private key K can calculate the valid value of T'' and ``tag values corresponding to different messages are different.'' It can be used to detect unauthorized tampering (that is, to obtain authenticity).

In this specification, only message authentication codes in which the verification function VER _K is calculated as in Algorithm 1 shown in FIG. 1 will be considered. In other words, the verification function VER _K takes the message M and the tag T as input, calculates T'←MAC _K (M) (first line), and then determines that if T'=T, T is a valid tag. A symbol indicating that something is true is output (lines 2 and 3), and if not, a symbol indicating that T is an invalid tag is output (lines 4 and 5).

Similar to common key encryption in the narrow sense, message authentication codes (tag generation functions) may also be realized using block ciphers (that is, as a block cipher usage mode). A typical example of a message authentication code in which the tag generation function is realized as a block cipher usage mode is CMAC.

・Authenticated encryption (AEAD)
The encryption function E of AEAD also takes as input the related data A of arbitrary length in addition to the inputs (K, IV, M) that the common key cryptography in a narrow sense takes as inputs. Furthermore, this encryption function E outputs a tag T in addition to the ciphertext C. The fact that (T, C) is the tag and ciphertext corresponding to (K, IV, A, M) is written as (T, C)=E _K (IV, A, M). Similar to common key encryption in the narrow sense, there is a decryption function D _K that returns the ciphertext to its original state, and D _K (IV, A, E _K (IV, A, M)) = M for any plaintext M. It works.

The AEAD decoding function _DK has a tampering detection function similar to the message authentication code verification function. In other words, if the ciphertext C and tag T are illegally generated values, D _K outputs the symbol ⊥ indicating that verification has failed (that is, D _K (IV, A, (T, C)). =⊥.). If T and C are values correctly calculated by the encryption function, the original message M is output as described above.

A secure AEAD protects confidentiality by converting message M into ciphertext C, and also protects it from tampering to ensure authenticity. The attacker cannot tell what the value of M is just by looking at C. On the other hand, the confidentiality of related data A is not guaranteed. That is, roughly speaking, it is assumed that the value of A is not encrypted and is visible to the attacker. However, the authenticity of A is guaranteed and protected from falsification. That is, if A is tampered with another value A' on the way, the decryption function will fail in verification and D _K (IV, A', (T, C)) = ⊥. Therefore, A is data that does not need to be confidential but whose authenticity should be guaranteed (for example, the header of an IP packet).

AEAD is often configured by combining a narrowly defined common key encryption and a message authentication code. Typical examples of such configurations include GCM, CCM, and SIV (Non-Patent Document 1). For example, it is assumed that narrowly defined common key cryptography (Enc _K' , Dec _K' ) and a tag generation function MAC _K of a message authentication code are given. At this time, the SIV encryption function E _{(K, K')} is defined by Algorithm 2 shown in FIG. 2, for example. That is, the SIV encryption function E _{(K, K')} takes (IV, A, M) as input, and T←MAC _K (pad (IV, A, M)) and C←Enc _K' (adj After calculating (T), M) (1st and 2nd lines), (T, C) is output (3rd line). The encryption function E _{(K, K')} configured in this way is schematically represented as shown in FIG. Here, pad is a function that takes as input a triplet of bit strings (IV, A, M) and outputs a single bit string IV||A||M||len(M). Note that x||y represents a bit combination of two bit strings x and y, and len(M) represents the bit length of M by some bit string. In addition, adj takes T, which is the output of MAC _K , as input, and the length of T (hereinafter, this length is referred to as τ bits) is the length of the IV used in Enc _K' and Dec _K'. (Hereafter, this length will be referred to as ν bits. Please note that this IV is different from the IV that SIV takes as input.) This is a function that adjusts the length to ν bits by adding extra bits. Specifically, when τ=ν, adj(T) outputs the input T as is. On the other hand, when τ>ν, adj(T) outputs the lower ν bits of the input T. Further, when τ<ν, adj(T) outputs 0 ^ν−τ ||T. Here, 0 ^ν-τ is a bit string of (ν-τ) bits such that all bits are 0.

Further, the SIV decoding function D _{(K, K')} is defined by Algorithm 3 shown in FIG. 4, for example. That is, the SIV decoding function D _{(K, K')} takes (IV, A, T, C) as input, and M←Dec _K' (adj(T), C) and T'←MAC _K (pad (IV, A, M)) (lines 1 and 2), if T=T', outputs M (lines 3 and 4), otherwise outputs ⊥ (lines 5 and 4). 6th line).

Note that Algorithm 2 shown in FIG. 2 and Algorithm 3 shown in FIG. 4 use independent and different keys (K and K') for MAC, Enc, and Dec, but K and K' are not independent (that is , K=K').

For convenience of explanation, Algorithm 2 shown in FIG. 2 and Algorithm 3 shown in FIG. 4 have some changes from the original paper (Non-Patent Document 1) in which the structure of SIV was proposed. First, in the original paper, the IV is not taken as an input (it is regarded as part of A), but in Algorithm 2 shown in FIG. 2 and Algorithm 3 shown in FIG. 4, the IV is also taken as an input. Furthermore, in the original paper, instead of combining MAC _K and pad, a pseudorandom function that can take a set of bit strings as input is used. adj is also introduced into Algorithm 2 shown in FIG. 2 and Algorithm 3 shown in FIG. 4 for convenience of explanation. The essence of SIV is ``input (IV and) A and M to the keyed function and use the output T in place of the IV of Enc _K' , so the above changes do not change its essence. .

・Cryptographic hash function A cryptographic hash function (hereinafter simply referred to as a hash function) H takes arbitrary length data M as input and outputs a fixed length (e.g. 256 bits) bit string H(M). . Hash functions are basically fixed functions whose specifications are made public and anyone can calculate them. In particular, hash functions do not take a key as input. A secure hash function is required to be resistant to original image attacks and collision attacks. Examples of safe and widely used hash functions include SHA-2 and SHA-3. Although hash functions do not take a key as input, they are conventionally classified as secret-key cryptographic techniques.

<White box encryption technology>
Generally, cryptographic techniques are designed to ensure security against black box attacks. A black box attack is an attack in which an attacker can know the input/output pairs of an encryption function or a decryption function. For example, if the attack target is a block cipher, the attacker is allowed to select any plaintext M and know the corresponding ciphertext C:=E _K (M) (or the attacker can select any plaintext M It is allowed to know the plaintext M:=D _K (C) for C.). After learning ciphertexts that correspond to multiple plaintexts, the attacker reveals the secret key K or discovers that there is some kind of bias in the ciphertexts, which should originally appear completely random. Aim for that.

The important point here is that an attacker using a black box attack cannot know how the cryptographic algorithm is implemented. The attacker is only allowed to learn the input/output pairs of the encryption function _EK or the decryption function _DK .

On the other hand, it is possible to carry out an attack in which an attacker can see not only the input/output pairs of E _K or D _K , but also the contents of the software that implements E _K or D _K (including information about private keys). It's called a white box attack. An example of a white box attack is when malware sneaks into a PC that uses software with cryptographic technology and sends the software's data to the outside. Cryptographic technology that can guarantee a certain degree of security against white box attacks is called white box cryptographic technology.

Of course, implementations where short private keys of tens to thousands of bits are simply embedded in software cannot guarantee security at all against white box attacks. This is because if an attacker sees and copies the short private key, he or she can freely decrypt all ciphertext. Further, in a situation where an attacker can freely execute software in which cryptographic technology is implemented, security cannot be guaranteed at all. For example, if an attacker can freely execute software with a decryption function installed at any time, the attacker can freely decrypt any ciphertext and view the original plaintext.

Therefore, when discussing security against white box attacks, settings such as 1 and 2 below are assumed.

1. The private key has somehow been expanded to a very large amount of data (e.g. tens of gigabytes).

2. There are certain limitations on the attacker's abilities. For example, there may be an upper limit on the amount of software implementation data that can be sent externally, or there may be an upper limit on the amount of time the software can be viewed.

Block ciphers such as SPACE (Reference 1) and SPNBox (Reference 2) exist as existing technologies that are white box safe in the above settings. Currently, there are no known white box attacks that break the security claimed by these block ciphers.

White-box attacks are clearly more powerful than black-box attacks, and the attacker has more flexibility. Note, therefore, that white-box secure cryptography is black-box secure.

[First embodiment]
The first embodiment will be described below.

Authenticity is as important as confidentiality, so when encrypting with symmetric key cryptography, the latest symmetric key method is to use AEAD to guarantee both confidentiality and authenticity at the same time. This is the main flow of cryptographic design. However, to date, no white-box secure AEAD has existed. Existing AEADs such as GCM and CCM do not take white box attacks into account. In particular, GCM and CCM are block cipher usage modes, but even if the block cipher used is white box safe, GCM and CCM as AEADs are not necessarily white box safe.

On the other hand, as mentioned above, AEAD is often configured by combining a common key encryption in a narrow sense and a message authentication code. Therefore, if a white box safe message authentication code can be realized, a white box safe AEAD can be constructed by combining this message authentication code with a white box safe narrow-sense common key encryption.

Therefore, in the first embodiment, a communication system 1 that configures a white box safe message authentication code and enables data communication that satisfies authenticity using this message authentication code will be described.

<Summary of ideas for constructing a white box secure message authentication code>
A message authentication code or AEAD needs to generate a short fixed-length tag T from an arbitrary-length input. In particular, when the input is very long, the long data must be compressed into short data in some way. Existing methods such as GCM and CCM (which do not take white box attacks into consideration) perform compression using a method that relies on the secret key K. GCM and CCM are safe against black box attacks because black box attackers cannot see the compression process, but white box attackers can see the contents of the software and therefore can see the compression process. This ``visibility of the compression process'' could lead to breaking the security of message authentication codes and AEADs.

Therefore, consider performing most of the compression in the message authentication code (and AEAD tag generation) using a cryptographic hash function H that does not depend on the secret key K. Since the hash function was originally designed on the premise that ``a long bit string is compressed into a short bit string'' and ``the compression process is visible to an attacker,'' the compression is performed using a cryptographic hash function H. A tag generation function like this can be expected to be secure against white box attacks.

On the other hand, in order to ensure authenticity, the value of tag T must depend on the private key. Since the hash function does not take a private key as input, H alone cannot guarantee security. Therefore, we aim to ensure authenticity by calling a (white box safe) block cipher multiple times after compressing with a hash function.

<Example of configuration of white box secure message authentication code>
- Notation E _{Let K} be an encryption function of a block cipher with an input/output length of n bits, and H be a cryptographic hash function with an output length of m≧2n bits. Also, let (Enc _K' , Dec _K' ) be a common key encryption in a narrow sense. In addition, set f1, f2: {0,1} ^m → {0,1} ⁿ and f3: {0,1} ⁿ × {0,1} ⁿ → {0,1} ⁿ to the following setting example 1 or Let it be a function determined by either setting example 2.

<<Setting example 1 of f1 to f3>>
f1: Outputs the upper n bits of the m-bit input x.

f2: First, extract the upper 2n bits from the m-bit input x, and set this as d. The lower n bits of this d are output. Note that if m=2n, f2 simply outputs the lower n bits of the input, and x=f1(x)||f2(x) holds true.

f3: Input (x, y) ∈ {0, 1} ⁿ × {0, 1} When ⁿ is given, the exclusive OR of x and y, that is

を出力する。

Output.

≪Setting example 2 for f1 to f3≫
f1: Among the m-bit input x, the upper n bits are first set as _d1 . The lower (n-2) bits of this d ₁ are set as d ₁ ', and 01||d ₁ ' is output.

f2: First, extract the upper 2n bits of the m-bit input x, and set this as d. The lower (n-2) bits of this d are set as d ₂ ', and 10||d ₂ ' is output.

f3: Input (x, y) ∈ {0, 1} ⁿ × {0, 1} When ⁿ is given, the lower (n-2) bits of the exclusive OR of x and y are set as s ₃ , and 11 ||s Outputs ₃ .

・Tag generation function for white box secure message authentication code Under the above notation and settings, and based on the idea mentioned above, take arbitrary length data X as input and create tag T as shown in Algorithm4 shown in Figure Consider a tag generation function that calculates and outputs =MAC1 _K (X). That is, after taking arbitrary length data X as input and calculating h←H(X) (first line), s ₁ ←E _K (f1(h)) and s ₂ ←E _K (f2(h) ) (second line), and then calculates and outputs T←E _K (f3( _{s 1} , s ₂ )) (third and fourth lines). At this time, if hash function H is secure and E _K is white box secure, then MAC1 _K can also be expected to be white box secure. The tag generation function _MAC1K configured in this way is schematically represented as shown in FIG.

Note that when setting example 2 of f1 to f3 is used, the input of the block cipher encryption function _EK , which is called three times, does not overlap. Therefore, it is expected that the safety will be improved compared to the setting example 1 of f1 to f3.

・White box secure message authentication code verification function In Algorithm 1 shown in Figure 1, the input "message M and tag T" is "data X and tag T", and the first line is "T'←MAC _K (M)". By respectively changing ``T'←MAC1 _K (X)'', a white box safe message authentication code verification function (this is expressed as VER1 _K (X, T)) can be constructed.

<Example of configuration of communication system 1>
FIG. 7 shows a configuration example of the communication system 1 according to the first embodiment. As shown in FIG. 7, in the communication system 1 according to the first embodiment, a communication terminal 10 that is a transmitting side terminal and a communication terminal 20 that is a receiving side terminal are connected via a communication network 30 such as the Internet. Connected for communication. Note that examples of the communication terminal 10 and the communication terminal 20 include various communicable information processing devices such as a PC, a smartphone, a tablet terminal, a wearable device, an on-vehicle device, an electric appliance, and the like.

The communication terminal 10 includes an authentication section 101 and a transmission section 102. The authentication unit 101 and the transmission unit 102 are realized, for example, by a process in which one or more programs installed in the communication terminal 10 are caused to be executed by a processor such as a CPU (Central Processing Unit).

The authentication unit 101 generates a tag T for the message X=M to be transmitted using a tag generation function MAC1 _K (X). Transmitting section 102 transmits (X, T) to communication terminal 20. Thereby, the communication terminal 10 can generate the tag T=MAC1 _K (X) for the message can.

The communication terminal 20 includes a receiving section 201 and a verification section 202. The receiving unit 201 and the verification unit 202 are realized, for example, by a process that causes a processor such as a CPU to execute one or more programs installed in the communication terminal 20.

Receiving section 201 receives (X, T) from communication terminal 10 . The verification unit 202 verifies the received (X, T) using VER1 _K (X, T). Thereby, the communication terminal 20 can receive (X, T) from the communication terminal 10 by the receiving unit 201, and can verify the authenticity of the received (X, T) by the verifying unit 202.

<Modified example>
Below, a modification of the algorithm of the tag generation function _MAC1K (Algorithm 4 shown in FIG. 5) will be described.

・Modification 1-1
“h←H(X)” in the first line of Algorithm 4 shown in FIG. 5 is changed to “h←H(E _K (0 ⁿ )||X)”. By additionally combining E _K (0 ⁿ ), which is a value that depends on the secret key, it is expected that security will be improved.

・Modification 1-2
“T←E _K (f3(s ₁ , s ₂ ))” in the third line of Algorithm 4 shown in Figure 5

に変更する。ブロック暗号の暗号化関数Ｅ_Ｋを呼び出す回数が削減されるため、処理効率の向上が期待できる。

Change to Since the number of calls to the block cipher encryption function _EK is reduced, processing efficiency can be expected to improve.

・Modification 1-3
Modification 1-1 and Modification 1-2 are combined. That is, "h←H(X)" in the first line of Algorithm4 shown in FIG. 5 is changed to "h←H(E _K (0 ⁿ )||X)" and "T←E in the third line _K (f3(s ₁ , s ₂ ))” is changed to “T←(exclusive OR of s ₁ and s ₂ )”. Improvements in processing efficiency can be expected without significantly compromising safety.

[Second embodiment]
The second embodiment will be described below. In the second embodiment, a communication system 1 will be described in which an AEAD is configured from the message authentication code configured in the first embodiment, and the AEAD enables data communication that satisfies confidentiality and authenticity.

<Example of configuration of white box safe AEAD>
In addition to a secure hash function H and a white box secure block cipher encryption function _EK , if there is a common key cipher (Enc _K' , Dec _K' ) in the narrow sense that is white box secure. , MAC1 _K described in the first embodiment and (Enc _K' , Dec _K' ) to configure the SIV, it is possible to configure a white box safe AEAD.

That is, let (Enc _K' , Dec _K' ) be a narrow-sense common key encryption that is white box safe. At this time, "T←MAC _K (pad (IV, A, M))" in the first line of Algorithm2 shown in Figure 2 is changed to "T←MAC1 _K (pad (IV, A, M))" and the SIV encryption is construct a function E _{(K, K')} . In addition, "T'←MAC _K (pad (IV, A, M))" in the second line of Algorithm3 shown in Figure 4 is changed to "T'←MAC1 _K (pad (IV, A, M))" in SIV. Construct a decoding function D _{(K, K')} . This makes it possible to realize data communication that guarantees both authenticity and confidentiality even against extremely powerful attacks such as white box attacks.

Note that there are other configurations other than SIV for obtaining AEAD from message authentication codes and narrowly defined common key cryptography, but SIV is a strong It is preferable to use SIV to ensure security against white box attacks.

<Example of configuration of communication system 1>
FIG. 8 shows a configuration example of a communication system 1 according to the second embodiment. As shown in FIG. 8, in the communication system 1 according to the second embodiment, a communication terminal 10 that is a transmitting side terminal and a communication terminal 20 that is a receiving side terminal are connected via a communication network 30 such as the Internet. Connected for communication. Note that examples of the communication terminal 10 and the communication terminal 20 include various communicable information processing devices such as a PC, a smartphone, a tablet terminal, a wearable device, an on-vehicle device, an electric appliance, and the like.

The communication terminal 10 includes an encryption section 103 and a transmission section 102. The encryption unit 103 and the transmission unit 102 are realized, for example, by a process in which one or more programs installed in the communication terminal 10 are caused to be executed by an arithmetic device such as a CPU.

The encryption unit 103 converts the ciphertext C of the message X=M to be sent and the tag T for the message X using the white box secure AEAD encryption function E _{(K, K')} (IV, A, M). The encryption unit 103 includes an authentication unit 101, and when generating a tag _T for a message , the first line of Algorithm2 shown in FIG. 2). Transmitting section 102 transmits (T, C) to communication terminal 20. Thereby, the communication terminal 10 generates the ciphertext C of the message X to be transmitted and the tag T for the message can do.

The communication terminal 20 includes a receiving section 201 and a decoding section 203. The receiving unit 201 and the decoding unit 203 are realized, for example, by a process in which one or more programs installed in the communication terminal 20 are caused to be executed by an arithmetic device such as a CPU.

Receiving section 201 receives (T, C) from communication terminal 10 . The decryption unit 203 verifies the tag T using the white box secure AEAD decryption function D _{(K, K')} (IV, A, T, C), and if the verification is successful, decrypts the ciphertext C. Decrypt. The decryption unit 203 includes a verification unit 202, and when verifying the tag T, the verification unit 202 generates a tag T' using the MAC1 _K , and determines whether this tag T' matches the tag T or not. (For example, lines 2 and 3 of Algorithm 4 shown in FIG. 4). Thereby, the communication terminal 20 can receive (T, C) from the communication terminal 10 by the receiving unit 201, and can verify the authenticity of (T, C) and decrypt it by the decoding unit 203.

<Modified example>
In the following, a modified example of the white box secure SIV encryption function E _{(K, K')} and decryption function D _{(K, K')} algorithm will be described. The algorithm of the SIV encryption function E _{(K, K')} is to change "T←MAC _K (pad (IV, A, M))" in the first line of Algorithm 2 shown in Figure 2 to "T←MAC1 _K (pad (IV, A, M)). In addition, the algorithm of the SIV decoding function D _{(K, K')} is to convert "T'←MAC _K (pad (IV, A, M))" in the second line of Algorithm 3 shown in FIG. 4 to "T'←MAC1 _K (pad (IV, A, M)).

・Modification 2-1
MAC1 _K realized by any algorithm of Modifications 1-1 to 1-3 of the first embodiment is used.

・Modification 2-2
Let K'=K. This reduces the length of the private key that must be held, and can be expected to improve processing efficiency.

・Modification 2-3
Modification 2-1 and Modification 2-2 are combined. That is, MAC1 _K realized by any algorithm of Modifications 1-1 to 1-3 of the first embodiment is used, and K'=K.

[Hardware configuration example]
The communication terminal 10 and the communication terminal 20 according to the first embodiment and the second embodiment can be realized, for example, by the hardware configuration of a computer 500 shown in FIG. 9. The computer 500 shown in FIG. 9 includes an input device 501, a display device 502, an external I/F 503, a communication I/F 504, a RAM (Random Access Memory) 505, a ROM (Read Only Memory) 506, and an auxiliary memory. It has a device 507 and a processor 508. Each of these pieces of hardware is communicably connected via a bus 509.

The input device 501 is, for example, a keyboard, mouse, touch panel, physical button, or the like. The display device 502 is, for example, a display, a display panel, or the like. Note that the computer 500 does not need to include at least one of the input device 501 and the display device 502, for example.

The external I/F 503 is an interface with an external device such as a recording medium 503a. The computer 500 can read from and write to the recording medium 503a via the external I/F 503. Examples of the recording medium 503a include a flexible disk, a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card (Secure Digital memory card), and a USB (Universal Serial Bus) memory card.

The communication I/F 504 is an interface for connecting to a communication network. The RAM 505 is a volatile semiconductor memory (storage device) that temporarily holds programs and data. The ROM 506 is a nonvolatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off. The auxiliary storage device 507 is, for example, a storage device such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a flash memory. The processor 508 is, for example, an arithmetic device such as a CPU.

The communication terminal 10 and the communication terminal 20 according to the first embodiment and the second embodiment can implement the various processes described above by having the hardware configuration of the computer 500 shown in FIG. Note that the hardware configuration of the computer 500 shown in FIG. 9 is an example, and is not limited to this. For example, the computer 500 shown in FIG. 9 may include multiple auxiliary storage devices 507 and multiple processors 508, or may include various hardware other than the illustrated hardware.

The present invention is not limited to the above-described specifically disclosed embodiments, and various modifications and changes, combinations with known techniques, etc. are possible without departing from the scope of the claims. .

[References]
Reference 1: Andrey Bogdanov and Takanori Isobe. White-box cryptography revisited: Space-hard ciphers. In Indrajit Ray, Ninghui Li, and Christopher Kruegel, editors, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO , USA, October 12-16, 2015, pp. 1058-1069. ACM, 2015.
Reference 2: Andrey Bogdanov, Takanori Isobe, and Elmar Tischhauser. Towards practical whitebox cryptography: Optimizing efficiency and space hardness. In Jung Hee Cheon and Tsuyoshi Takagi, editors, Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I, Vol. 10031 of Lecture Notes in Computer Science,
pp. 126-158, 2016.

1 Communication System 10 Communication Terminal 20 Communication Terminal 30 Communication Network 101 Authentication Unit 102 Transmission Unit 103 Encryption Unit 201 Receiving Unit 202 Verification Unit 203 Decryption Unit 500 Computer 501 Input Device 502 Display Device 503 External I/F
503a Recording medium 504 Communication I/F
505 RAM
506 ROM
507 Auxiliary storage device 508 Processor 509 Bus

Claims (8)

Using the tag generation function MAC1 _K (where K is a key) of a message authentication code that is safe against white box attacks, a tag T=MAC1 _K (X) for verifying the authenticity of data X is generated. It has a tag generation unit configured to,
The tag generation function MAC1 _K is
A block cipher encryption function _EK that is safe against white box attacks and has an input/output length of n bits, a predetermined hash function H with an output length of m≧2n bits, and predetermined functions f1, f2: {0, 1} ^m → {0,1} ⁿ and f3: {0,1} ⁿ × {0,1} ⁿ → {0,1} ⁿ . The tag generation function MAC1 _K is
Taking the data X as input,
h←H(X) or h←H(E _K (0 ⁿ ) ||X) (where || is a bit combination),
s ₁ ←E _K (f1(h)), s ₂ ←E _K (f2(h)),
T←E _K (f3 (s ₁ , s ₂ )) or T← (exclusive OR of s ₁ and s ₂ ),
The information processing device according to claim 1, wherein the information processing device outputs the tag T. The function f1 outputs the upper n bits of the m-bit input,
The function f2 extracts the upper 2n bits of the m-bit input, and then outputs the lower n bits of the upper 2n bits,
The information processing according to claim 2, wherein the function f3 outputs an exclusive OR of x and y when (x, y) ∈ {0, 1} ⁿ × {0, 1} ⁿ is input. Device. The function f1 extracts the upper n bits of the m-bit input, then further extracts d ₁ representing the lower (n-2) from the upper n bits, and outputs 01||d ₁ ,
The function f2 extracts the upper 2n bits of the m-bit input, then further extracts _d2 representing the lower (n-2) from the upper 2n bits, and outputs 10|| _d2 ,
The function _f3 represents the lower (n-2) bits of the exclusive OR of x and y when (x, y) ∈ {0, 1} ⁿ × {0, 1} ⁿ is input. The information processing device according to claim 2, wherein the information processing device extracts 11||s ₃ and outputs 11||s 3. Using an encryption function E _{(K, K')} (where K' is a key) of an authenticated cipher that is safe against white box attacks, a ciphertext C of data M is generated, and the tag T is used to generate a ciphertext C of data M. an encryption unit configured to cause the tag generation unit to generate a tag for verifying the authenticity of the ciphertext C;
The encryption function E _{(K, K')} is
The information processing device according to any one of claims 1 to 3, configured using the tag generation function _MAC1K and a common key cryptographic encryption function EncK _{' that} is safe against white box attacks. . The encryption function E _{(K, K')} is
Taking initial vector IV, related data A, and said data M as input,
The tag T←MAC1 _K (X ),
C←Enc _K' (adj(T), M) (where adj(T) is a predetermined function that adjusts the length of T to the length of the initial vector of the common key encryption);
The information processing device according to claim 5, which outputs the tag T and the ciphertext C. Using the tag generation function MAC1 _K (where K is a key) of a message authentication code that is safe against white box attacks, a tag T=MAC1 _K (X) for verifying the authenticity of data X is generated. The computer executes the tag generation procedure configured in
The tag generation function MAC1 _K is
A block cipher encryption function _EK that is safe against white box attacks and has an input/output length of n bits, a predetermined hash function H with an output length of m≧2n bits, and predetermined functions f1, f2: {0, 1} ^m → {0,1} ⁿ and f3: {0,1} ⁿ × {0,1} ⁿ → {0,1} ⁿ . Using the tag generation function MAC1 _K (where K is a key) of a message authentication code that is safe against white box attacks, a tag T=MAC1 _K (X) for verifying the authenticity of data X is generated. cause the computer to execute the tag generation procedure configured in
The tag generation function MAC1 _K is
A block cipher encryption function _EK that is safe against white box attacks and has an input/output length of n bits, a predetermined hash function H with an output length of m≧2n bits, and predetermined functions f1, f2: {0, 1} ^m → {0,1} ⁿ and f3: {0,1} ⁿ × {0,1} ⁿ → {0,1} ⁿ .

Images