METHOD AND APPARATUS FOR GENERATING KEY STREAM

Abstract

A method for generating a key stream according to an embodiment includes generating r round keys that are each N-dimensional integer vectors including elements of an integer set custom-character defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set , generating a first round output vector x.sub.1 by performing a modular addition operation on an initial vector and a first round key RK.sub.1 of the r round keys with the prime number t as a modulus, and generating a key stream that is an N-dimensional integer vector consisting of elements of the integer set custom-character from the first round output vector x.sub.1 by using a second to r-th round keys of the r round keys, and one or more first round functions and a second round function.

Claims

1. A method for generating a key stream, the method comprising: generating r round keys, where r is a natural number of r≥3, that are each N-dimensional integer vectors, where N=n.sup.2, n is an integer of 2 or more, consisting of elements of an integer set custom-character defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set ; generating a first round output vector x.sub.1 by performing a modular addition operation on an initial vector and a first round key RK.sub.1 of the r round keys with the prime number t as a modulus; and generating a key stream that is an N-dimensional integer vector consisting of elements of the integer set custom-character from the first round output vector x.sub.1 by using a second to r-th round keys of the r round keys, and one or more first round functions and a second round function.

2. The method of claim 1, wherein the one or more first round functions are sequentially performed, and generate each a j+1-th round output vector x.sub.j+1 by using a j-th round output vector x.sub.j, where j is a natural number for 1≤j≤r−1, and a j+1-th round key RK.sub.j+1 of the r round keys; and the second round function generates the key stream by using an r−1-th round output vector x.sub.r−1 generated by a first round function performed last among the one or more first round functions and an r-th round key RK.sub.r of the r round keys.

3. The method of claim 2, wherein each of the one or more first round functions comprises: a linear layer for generating a vector y.sub.j that is an N-dimensional integer vector consisting of elements of the integer set custom-character by performing a linear transform on the j-th round output vector x.sub.j; a nonlinear layer for generating a vector z.sub.j that is an N-dimensional integer vector consisting of elements of the integer set by performing a nonlinear transform on the vector y.sub.j; and an addition layer for generating the j+1-th round output vector x.sub.j+1 by performing a modular addition operation on the vector z.sub.j and the j+1-th round key RK.sub.j+1 with the prime number t as a modulus.

4. The method of claim 3, wherein the linear layer performs the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom-character and a second matrix that is a transposed matrix of the first matrix.

5. The method of claim 4, wherein the linear layer converts the j-th round output vector x.sub.j into a matrix X.sub.j of size n×n, generates a matrix Y.sub.j of size n×n by performing modular multiplication on the matrix X.sub.j, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix Y.sub.j into the vector y.sub.j.

6. The method of claim 5, wherein the linear layer generates the matrix Y.sub.j using Equation 1:
Y.sub.j=A.Math.X.sub.j.Math.B (mod t) ∈ custom-character [Equation 1] where A is the first matrix and B is the second matrix.

7. The method of claim 3, wherein the nonlinear layer performs the nonlinear transform by using a nonlinear function having an m-th-order polynomial component, where m is a natural number for m≥2.

8. The method of claim 2, wherein the second round function comprises: a first linear layer for generating a vector y.sub.r−1 that is an N-dimensional integer vector consisting of elements of the integer set custom-character by performing a linear transform on the r−1-th round output vector x.sub.r−1; a nonlinear layer for generating a vector z.sub.r−1 that is an N-dimensional integer vector consisting of elements of the integer set by performing a nonlinear transform on the vector y.sub.r−1; a second linear layer for generating a vector s that is an N-dimensional integer vector consisting of elements of the integer set custom-character by performing a linear transform on the vector z.sub.r−1; and an addition layer for generating the key stream by performing a modular addition operation on the vector s and the r-th round key RK.sub.r with the prime number t as a modulus.

9. The method of claim 8, wherein each of the first linear layer and the second linear layer performs the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom-character and a second matrix that is a transposed matrix of the first matrix.

10. The method of claim 9, wherein the first linear layer converts the r−1-th round output vector x.sub.r−1 into a matrix X.sub.r−1 of size n×n, generates a matrix Y.sub.r−1 of size n×n by performing modular multiplication on the matrix X.sub.r−1, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix Y.sub.r−1 into the vector y.sub.r−1; and the second linear layer converts the vector z.sub.r−1 into a matrix Z.sub.r−1 of size n×n, generates a matrix S of size n X n by performing modular multiplication on the matrix Z.sub.r−1, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix S into the vector s.

11. The method of claim 10, wherein the first linear layer generates the matrix Y.sub.r−1 using Equation 2:
Y.sub.r−1=A.Math.X.sub.r−1.Math.B (mod t) ∈ custom-character [Equation 2] where A is the first matrix and B is the second matrix; and the second linear layer generates the matrix S using Equation 3:
S=A.Math.Z.sub.r−1.Math.B (mod t) ∈ [Equation 3] where A is the first matrix and B is the second matrix.

12. The method of claim 8, wherein the nonlinear layer performs a nonlinear transform by using a nonlinear function having an m-th-order polynomial component, where m is a natural number for m≥2.

13. The method of claim 1, wherein the generating of the round key comprises: generating a seed bit string based on the random bit string and the encryption counter; generating r vectors that are each N-dimensional integer vectors consisting of elements of the integer set custom-character from the seed bit string by using a predefined generation function; and generating the r round keys by performing modular multiplication operation on each of the r vectors and the secret key with the prime number t as a modulus.

14. The method of claim 13, wherein the generating of the r round keys comprises generating the r round keys using Equation 4:
RK.sub.i=k20 rc.sub.i (mod t) [Equation 4] where RK.sub.i is an i-th round key of the r round keys, k is the secret key, rc.sub.i is an i-th vector of the r vectors, i is a natural number for 1≤i≤r, and ° is an elementwise product between two vectors.

15. An apparatus for generating a key stream, the apparatus comprising: a memory that stores one or more instructions; and one or more processors that execute the one or more instructions, wherein the one or more processors are configured to: generate r round keys (where r is a natural number of r≥3) that are each N-dimensional integer vectors (where N=n.sup.2, n is an integer of 2 or more) consisting of elements of an integer set custom-character defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set ; generate a first round output vector x.sub.1 by performing a modular addition operation on an initial vector and a first round key RK.sub.1 of the r round keys with the prime number t as a modulus; and generate a key stream that is an N-dimensional integer vector consisting of elements of the integer set custom-character from the first round output vector x.sub.1 by using a second to r-th round keys of the r round keys, and one or more first round functions and a second round function.

16. The apparatus of claim 15, wherein the one or more first round functions are sequentially performed, and generate each a j+1-th round output vector x.sub.j+1 by using a j-th round output vector x.sub.j, where j is a natural number for 1≤j≤r−1, and a j+1-th round key RK.sub.j+1 of the r round keys; and the second round function generates the key stream by using an r−1-th round output vector x.sub.r−1generated by a first round function performed last among the one or more first round functions and an r-th round key RK.sub.r of the r round keys.

17. The apparatus of claim 16, wherein each of the one or more first round functions comprises: a linear layer for generating a vector y.sub.j that is an N-dimensional integer vector consisting of elements of the integer set custom-character by performing a linear transform on the j-th round output vector x.sub.j; a nonlinear layer for generating a vector z.sub.j that is an N-dimensional integer vector consisting of elements of the integer set by performing a nonlinear transform on the vector y.sub.j; and an addition layer for generating the j+1-th round output vector x.sub.j+1 by performing a modular addition operation on the vector z.sub.j and the j+1-th round key RK.sub.j+1 with the prime number t as a modulus.

18. The apparatus of claim 17, wherein the linear layer performs the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom-character and a second matrix that is a transposed matrix of the first matrix.

19. The apparatus of claim 18, wherein the linear layer converts the j-th round output vector x.sub.j into a matrix X.sub.j of size n×n, generates a matrix Y.sub.j of size n×n by performing modular multiplication on the matrix X.sub.j, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix Y.sub.j into the vector y.sub.j.

20. The apparatus of claim 19, wherein the linear layer generates the matrix Y.sub.j using Equation 1:
Y.sub.j=A.Math.X.sub.j.Math.B (mod t) ∈ custom-character [Equation 1) where A is the first matrix and B is the second matrix.

21. The apparatus of claim 17, wherein the nonlinear layer performs the nonlinear transform by using a nonlinear function having an m-th-order polynomial component, where m is a natural number for m≥2.

22. The apparatus of claim 16, wherein the second round function comprises: a first linear layer for generating a vector y.sub.r−1 that is an N-dimensional integer vector consisting of elements of the integer set custom-character by performing a linear transform on the r−1-th round output vector x.sub.r−1; a nonlinear layer for generating a vector z.sub.r−1 that is an N-dimensional integer vector consisting of elements of the integer set by performing a nonlinear transform on the vector y.sub.r−1; a second linear layer for generating a vector s that is an N-dimensional integer vector consisting of elements of the integer set custom-character by performing a linear transform on the vector z.sub.r−1; and an addition layer for generating the key stream by performing a modular addition operation on the vector s and the r-th round key RK.sub.r with the prime number t as a modulus.

23. The apparatus of claim 22, wherein each of the first linear layer and the second linear layer performs the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom-character and a second matrix that is a transposed matrix of the first matrix.

24. The apparatus of claim 23, wherein the first linear layer converts the r−1-th round output vector x.sub.r−1 into a matrix X.sub.r−1 of size n×n, generates a matrix Y.sub.r−1 of size n×n by performing modular multiplication on the matrix X.sub.r−1, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix Y.sub.r−1 into the vector y.sub.r−1; and the second linear layer converts the vector z.sub.r−1 into a matrix Z.sub.r−1 of size n×n, generates a matrix S of size n×n by performing modular multiplication on the matrix Z.sub.r−1, the first matrix, and the second matrix with the prime number t as a modulus, and converts the matrix S into the vector s.

25. The apparatus of claim 24, wherein the first linear layer generates the matrix Y.sub.r−1 using Equation 2:
Y.sub.r−1=A.Math.X.sub.r−1.Math.B (mod t) ∈ custom-character [Equation 2] where A is the first matrix and B is the second matrix; and the second linear layer generates the matrix S using Equation 3:
S=A.Math.Z.sub.r−1.Math.B (mod t) ∈ [Equation 3] where A is the first matrix and B is the second matrix.

26. The apparatus of claim 22, wherein the nonlinear layer performs the nonlinear transform by using a nonlinear function having an m-th-order polynomial component (where m is a natural number for m≥2).

27. The apparatus of claim 15, wherein the one or more processors are further configured to: generate a seed bit string based on the random bit string and the encryption counter; generate r vectors that are each N-dimensional integer vectors consisting of elements of the integer set custom-character from the seed bit string by using a predefined generation function; and generate the r round keys by performing modular multiplication operation on each of the r vectors and the secret key with the prime number t as a modulus.

28. The apparatus of claim 27, wherein the one or more processors are further configured to generate the r round keys using Equation 4:
RK.sub.i=k ° rc.sub.i (mod t) [Equation 4] where RK.sub.i is an i-th round key of the r round keys, k is the secret key, rc.sub.i is an i-th vector of the r vectors, i is a natural number for 1≤i≤r, and ° is an elementwise product between the two vectors.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0040] FIG. 1 is a block diagram of an apparatus for generating a key stream according to an embodiment.

[0041] FIG. 2 is a block diagram for illustrating a process of generating a key stream performed by a key stream generator according to an embodiment.

[0042] FIG. 3 is a diagram for illustrating a configuration of a first round function according to an embodiment.

[0043] FIG. 4 is a diagram for illustrating a configuration of a second round function according to an embodiment.

[0044] FIG. 5 is a flowchart of a method for generating a key stream according to an embodiment.

[0045] FIG. 6 is a flowchart showing a process of generating a round key according to an embodiment.

[0046] FIG. 7 is a flowchart showing a process of generating a key stream using one or more first round functions and a second round function according to an embodiment.

[0047] FIG. 8 is a block diagram for exemplarily illustrating a computing environment including a computing device according to an embodiment.

DETAILED DESCRIPTION

[0048] Hereinafter, specific embodiments of the present disclosure will be described with reference to the accompanying drawings. The following detailed description is provided to assist in a comprehensive understanding of the methods, devices and/or systems described herein. However, the detailed description is only for illustrative purposes and the present disclosure is not limited thereto.

[0049] In describing the embodiments of the present disclosure, when it is determined that detailed descriptions of known technology related to the present disclosure may unnecessarily obscure the gist of the present disclosure, the detailed descriptions thereof will be omitted. The terms used below are defined in consideration of functions in the present disclosure, but may be changed depending on the customary practice or the intention of a user or operator. Thus, the definitions should be determined based on the overall content of the present specification. The terms used herein are only for describing the embodiments of the present disclosure, and should not be construed as limitative. Unless expressly used otherwise, a singular form includes a plural form. In the present description, the terms “including”, “comprising”, “having”, and the like are used to indicate certain characteristics, numbers, steps, operations, elements, and a portion or combination thereof, but should not be interpreted to preclude one or more other characteristics, numbers, steps, operations, elements, and a portion or combination thereof.

[0050] FIG. 1 is a block diagram of an apparatus for generating a key stream according to an embodiment.

[0051] Referring to FIG. 1, an apparatus 100 for generating a key stream according to an embodiment includes a round key generator 110 and a key stream generator 120.

[0052] According to an embodiment, the apparatus 100 for generating a key stream (key stream generating apparatus) is an apparatus for generating a key stream to be used for symmetric key encryption based on a modular operation. According to an embodiment, the round key generator 110 and the key stream generator 120 may be implemented using one or more physically separated devices, or may be implemented by one or more hardware processors or a combination of one or more hardware processors and software, and may not be clearly distinguished in specific operations, unlike the illustrated example.

[0053] The round key generator 110 generates r round keys (where r is a natural number for r≥3) based on a secret key, a random bit string, and an encryption counter. In this case, the secret key and the r round keys are each N-dimensional integer vectors (where N=n.sup.2 and n is an integer of 2 or more) consisting of elements of an integer set custom-character defined based on a prime number t.

[0054] Specifically, the integer set custom-character may be defined as in Equation 1 below

custom-character ={0,1, 2, . . . , t−1}. (Equation 1)

[0055] In addition, the secret key and the r round keys may be each N-dimensional vectors satisfying Equation 2 below

k ∈ custom-character , RK.sub.i∈. (Equation 2)

[0056] In Equation 2, custom-character represents an N-dimensional vector space defined by elements of the integer set , k represents the secret key, and RK, represents the i-th round key (where i is a natural number satisfying 1≤i≤r) of the r round keys, and they will be used to indicate the same meanings hereinafter. Meanwhile, the prime number t and the number r of round keys to be generated may be set in advance as public parameters for encryption and decryption.

[0057] The random bit string means a randomly generated bit string, and the length of the random bit string may be determined based on the security strength required for encryption and decryption.

[0058] The encryption counter is a public parameter indicating the number of times encryption has been performed. According to an embodiment, the encryption counter may be a bit string of a preset length that is increased by a preset size whenever a key stream is generated using a secret key k.

[0059] According to an embodiment, the round key generator 110 may generate a seed bit string for generating round keys based on the random bit string and the encryption counter. For example, the round key generator 110 may generate a seed bit string by concatenating a random bit string and an encryption counter as shown in Equation 3 below

seed=nc|∥ctr ∈{0,1}*. (Equation 3)

[0060] In Equation 3, seed represents a seed bit string, nc represents a random bit string, and ctr represents an encryption counter, and they will be used to indicate the same meanings hereinafter.

[0061] Meanwhile, according to an embodiment, the round key generator 110 may generate r N-dimensional vectors from the seed bit string using a predefined generation function. In this case, each of the generated r vectors may satisfy Equation 4 below

rc.sub.i ∈ custom-character . (Equation 4)

[0062] In Equation 4, rc.sub.i represents an i-th vector of r N-dimensional vectors generated by the generation function, and it will be used to indicate the same meanings hereinafter.

[0063] Meanwhile, the generation function may be, for example, an extensible output function (XOF) such as a SHA3-based SHAKE-256 function. However, the generation function is not necessarily limited to the above-described example, and according to embodiments, in addition to the above-described hash function, various functions that may have one-way and generate an arbitrary sequence based on an input bit string may be used as the generation function.

[0064] Meanwhile, according to an embodiment, after generating rc.sub.i, the round key generator 110 may generate the i-th round key of r round keys based on the secret key k and rc.sub.i. Specifically, the round key generator 110 may generate the i-th round key of the r round keys, for example, by performing a modular multiplication operation on the secret keys k and rc.sub.i with t as a modulus, as shown in Equation 5 below.

RK.sub.i=k ° rc.sub.i(mod t). (Equation 5)

[0065] In Equation 5, the operator “°” represents an elementwise product (also referred to as a Hadamard product) between two vectors.

[0066] The key stream generator 120 generates a key stream that is an N-dimensional integer vector consisting of elements of the integer set custom-character by using a plurality of round functions performed based on the r round keys generated by the round key generator 110.

[0067] Specifically, FIG. 2 is a block diagram for illustrating a process of generating a key stream performed by the key stream generator 120 according to an embodiment.

[0068] Referring to FIG. 2, the key stream generator 120 may generate a key stream by using round key addition 210, one or more first round functions 220 and a second round function 230.

[0069] The round key addition 210 refers to an operation of generating a first round output vector by performing a modular addition operation on the initial vector and the first round key of the r round keys with the prime number t as a modulus.

[0070] Specifically, the key stream generator 120 may perform the round key addition 210 using, for example, Equation 6 below

x.sub.1=x.sub.0+RK.sub.1 (mod t) ∈ custom-character . (Equation 6)

[0071] In Equation 6, x.sub.1 represents a first round output vector, x.sub.0 represents a preset initial vector, and RK.sub.1 represents the first round key, respectively.

[0072] The one or more first round functions 220 may be sequentially performed, and the j-th first round function of the one or more first round functions 220 (where j is a natural number satisfying 1≤j≤r−2) may generate a j+1-th round output vector x.sub.j+1 by using the j-th round output vector x.sub.j and a j+1-th round key RK.sub.j+1 of the r round keys.

[0073] Meanwhile, the number of the first round functions 220 is not necessarily limited to a specific number, and may be changed according to the required encryption strength.

[0074] FIG. 3 is a diagram for illustrating a configuration of the first round function 220 according to an embodiment.

[0075] Referring to FIG. 3, the one or more first round functions 220 according to an embodiment may each include a linear layer 221, a nonlinear layer 222, and an addition layer 223.

[0076] The linear layer 221 may perform a linear transform on the j-th round output vector x.sub.j.

[0077] Specifically, when the linear layer 221 is a linear layer included in a first round function performed first (that is, j=1) among the one or more first round functions 220, the j-th round output vector x.sub.j input to the linear layer 221 may be the first round output vector generated through the round key addition 210 illustrated in FIG. 2 (that is, x.sub.j=x.sub.1).

[0078] On the other hand, when the linear layer 221 is a linear layer included in a first round function performed second or subsequently (that is, 1<j≤r−2) among the one or more first round functions 220, the j-th round output vector x.sub.j input to the layer 221 may be a round output vector generated by the first round function performed immediately before (that is, j−1-th) among the one or more first round functions 220.

[0079] Meanwhile, according to an embodiment, the linear layer 221 may perform the linear transform by using a predefined first matrix of size n×n consisting of elements of the integer set custom-character and a second matrix that is a transposed matrix of the first matrix.

[0080] Specifically, the linear layer 221 may convert the j-th round output vector x.sub.j into a matrix X.sub.j of size n×n. For example, when the j-th round output vector x.sub.j is a 16-dimensional (that is, N=16) vector as shown in Equation 7 below, the linear layer 221 may convert the j-th round output vector x.sub.j into a matrix X.sub.j of size 4×4, as shown in Equation 8 below,

x.sub.j={x.sub.j,1, . . . , x.sub.j,16} ∈ custom-character (Equation 7)

[0081] and

[00001] $\begin{matrix} X_{j} = [\begin{matrix} x_{j, 1} & .Math. & x_{j, 4} \\ .Math. & ⋱ & .Math. \\ x_{j, 13} & .Math. & x_{j, 16} \end{matrix}] \in ℤ_{t}^{4 \times 4} . & (Equation 8) \end{matrix}$

[0082] Then, the linear layer 221 may generate a matrix Y.sub.j of size n×n by performing modular multiplication on the converted matrix X.sub.j, the first matrix, and the second matrix with the prime number t as a modulus, and then convert the matrix Y.sub.j back into an N-dimensional vector y.sub.j and output the vector y.sub.j.

[0083] Specifically, the matrix Y.sub.j may be generated using, for example, Equation 9 below

Y.sub.j=A.Math.X.sub.j.Math.B (mod t) ∈ custom-character (Equation 9)

[0084] where the operator [.] represents matrix multiplication, A represents the first matrix, and B represents the second matrix. In this case, the first matrix A and the second matrix B may satisfy Equations 10 and 11 below,

A, B ∈ custom-character (Equation 10)

[0085] and

B=A.sup.T. (Equation 11)

[0086] Meanwhile, in an embodiment, when N=16, the matrix A may be predefined as, for example, Equation 12 below.

[00002] $\begin{matrix} A = [\begin{matrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{matrix}] & (Equation 12) \end{matrix}$

[0087] However, the matrix A is not necessarily limited to Equation 12 and may be variously changed depending on embodiments.

[0088] Meanwhile, after generating the matrix Y.sub.j, the linear layer 221 may convert the matrix Y.sub.j into the N-dimensional vector y.sub.j consisting of elements of the integer set custom-character and output the vector y.sub.j (that is, y.sub.j ∈).

[0089] For example, when N=16 and the matrix Y.sub.j is a matrix of size 4×4 as shown in Equation 13, the matrix Y.sub.j may be converted into the 16-dimensional vector y.sub.j as shown in is Equation 14,

[00003] $\begin{matrix} Y_{j} = [\begin{matrix} y_{j, 1} & .Math. & y_{j, 4} \\ .Math. & ⋱ & .Math. \\ y_{j, 13} & .Math. & y_{j, 16} \end{matrix}] \in ℤ_{t}^{4 \times 4} & (Equation 13) \end{matrix}$

[0090] and

y.sub.j={y.sub.j,1, . . . , y.sub.j,16} ∈ custom-character . (Equation 14)

[0091] Meanwhile, the nonlinear layer 222 may perform a nonlinear transform on the vector y.sub.j generated by the linear layer 221.

[0092] Specifically, according to an embodiment, the nonlinear layer 222 may convert the vector y.sub.j into an N-dimensional vector z.sub.j consisting of elements of the integer set custom-character by using a predefined nonlinear function F:.fwdarw. having an m-th order polynomial component (where m is a natural number m≥2), and output the vector z.sub.j (that is, z.sub.1 ∈).

[0093] For example, when the vector y.sub.j is the same as Equation 14 described above, the nonlinear layer 222 may convert the vector y.sub.j into the vector z using Equation 15 below

z.sub.j={z.sub.j,1, . . . , z.sub.j,16}={F(y.sub.j,1), . . . , F(y.sub.j,16)} ∈ custom-character . (Equation 15)

[0094] As a more specific example, when the nonlinear function F is a polynomial F(x)=x.sup.2 having a quadratic (that is, m=2) polynomial component, the vector z.sub.j generated by the nonlinear layer 222 is as Equation 16 below

z.sub.j={z.sub.j,1, . . . , z.sub.j,16}={y.sub.j,1.sup.2, . . . , y.sub.j,16.sup.2} ∈ custom-character . (Equation 16)

[0095] Meanwhile, the addition layer 223 may generate the j+1-th round output vector x.sub.j+1 by performing a modular addition operation on the vector z.sub.j generated by the nonlinear layer 222 and the j+1-th round key RK.sub.j+1 of the z round keys with the prime number t as a modulus.

[0096] Specifically, the addition layer 223 may generate the j+1-th round output vector x.sub.j+1 by is using, for example, Equation 17 below

x.sub.j+1=z.sub.j+RK.sub.j+1 (mod t) ∈ custom-character . (Equation 17)

[0097] Referring back to FIG. 2, the second round function 230 may generate the key stream by using an r−1-th round output vector xr−1 generated by a first round function performed last among the one or more first round functions 220 and an r-th round key RK.sub.r of the r round keys.

[0098] Specifically, FIG. 4 is a diagram for illustrating the configuration of the second round function 230 according to an embodiment.

[0099] Referring to FIG. 4, the second round function 230 according to an embodiment may include a first linear layer 231, a nonlinear layer 232, a second linear layer 233, and an addition layer 234.

[0100] The first linear layer 231 may generate a vector y.sub.r−1 that is an N-dimensional integer vector consisting of elements of the integer set custom-character by performing a linear transform on the r−1-th round output vector x.sub.r−1 generated by the first round function performed last among the one or more first round functions 220.

[0101] According to an embodiment, the first linear layer 231 may perform a linear transform by using the first matrix A and the second matrix B.

[0102] Specifically, the first linear layer 231 may convert the r−1-th round output vector x.sub.r−1 into the matrix X.sub.r−1 of size n×n. For example, when the output vector x.sub.r−1 is a 16-dimensional (that is, N=16) vector as shown in Equation 18 below, the first linear layer 231 may convert the r−1-th round output vector x.sub.r−1 into the matrix X.sub.r−1 of size 4×4, as shown in Equation 19 below,

x.sub.r−1={x.sub.r−1,1, . . . , x.sub.r−1,16} ∈ custom-character (Equation 18)

[0103] and

[00004] $\begin{matrix} X_{r - 1} = [\begin{matrix} x_{r - 1, 1} & .Math. & x_{r - 1, 4} \\ .Math. & ⋱ & .Math. \\ x_{r - 1, 13} & .Math. & x_{r - 1, 16} \end{matrix}] \in ℤ_{t}^{4 \times 4} . & (Equation 19) \end{matrix}$

[0104] Then, the first linear layer 231 may generate a matrix Y.sub.r−1 of size n×n by performing modular multiplication on the converted matrix X.sub.r−1, the first matrix A, and the second matrix B with the prime number t as a modulus.

[0105] Specifically, the matrix Y.sub.r−1 may be generated using, for example, Equation 20 below

Y.sub.r−1=A.Math.X.sub.r−1.Math.B (mod t) ∈ custom-character . (Equation 20)

[0106] Meanwhile, after generating the matrix Y.sub.r−1, the first linear layer 231 may convert the matrix Y.sub.r−1 into the N-dimensional vector y.sub.jr−1, consisting of elements of the integer set custom-character , and output the vector y.sub.jr−1 (that is, y.sub.r−1 ∈).

[0107] For example, when N=16 and the matrix Y.sub.r−1 is a matrix of size 4×4 as shown in Equation 21, the matrix Y.sub.r−1 may be converted into the 16-dimensional vector y.sub.r−1 as shown in Equation 22,

[00005] $\begin{matrix} Y_{r - 1} = [\begin{matrix} y_{r - 1, 1} & .Math. & y_{r - 1, 4} \\ .Math. & ⋱ & .Math. \\ y_{r - 1, 13} & .Math. & y_{r - 1, 16} \end{matrix}] \in ℤ_{t}^{4 \times 4} & (Equation 21) \end{matrix}$

[0108] and

y.sub.r−1={y.sub.r−1,1, . . . , t.sub.r−1,16} ∈ custom-character . (Equation 22)

[0109] The nonlinear layer 232 may perform a nonlinear transform on the vector y.sub.r−1 generated by the first linear layer 231. In this case, according to an embodiment, the nonlinear transform by the nonlinear layer 232 may be performed in the same manner as the nonlinear transform performed by the nonlinear layer 222 included in the first round function 220.

[0110] Specifically, according to an embodiment, the nonlinear layer 232 may convert the vector y.sub.r−1 into an N-dimensional vector z.sub.r−1 consisting of elements of the integer set custom-character by using a predefined nonlinear function F:.fwdarw. having an m-th order polynomial component of, and output the vector z.sub.r−1 (that is, z.sub.j ∈).

[0111] For example, when the vector y.sub.r−1 is the same as Equation 22 described above, the nonlinear layer 232 may convert the vector y.sub.r−1 into the vector z.sub.r−1 using Equation 23 below

z.sub.r−1={z.sub.r−1,1, . . . , z.sub.r−1,16}β{F(y.sub.r−1,1), . . . , F(y.sub.r−1,16)} ∈ custom-character . (Equation23)

[0112] Meanwhile, the second linear layer 233 performs the same operation as the first linear layer 231 except that the input vector is a vector generated by the nonlinear layer 232.

[0113] Specifically, the second linear layer 233 may convert the vector z.sub.r−1 generated by the nonlinear layer 232 into a matrix Z.sub.r−1 of size n×n. For example, when the vector z.sub.r−1 generated by the nonlinear layer 232 is a 16 dimensional (that is, N=16) vector as in Equation 23 described above, the second linear layer 233 may convert the vector z.sub.r−1 into the matrix Z.sub.r−1 of size 4×4 as shown in Equation 24 below.

[00006] $\begin{matrix} Z_{r - 1} = [\begin{matrix} Z_{r - 1, 1} & .Math. & Z_{r - 1, 4} \\ .Math. & ⋱ & .Math. \\ Z_{r - 1, 13} & .Math. & Z_{r - 1, 16} \end{matrix}] \in ℤ_{t}^{4 \times 4} & (Equation 24) \end{matrix}$

[0114] Then, the second linear layer 233 may generate a matrix S of size n×n by performing modular multiplication on the converted matrix Z.sub.r−1, the first matrix A, and the second matrix B with the prime number t as a modulus.

[0115] Specifically, the matrix S may be generated using, for example, Equation 25 below

S=A.Math.Z.sub.r−1.Math.B (mod t) ∈ custom-character . (Equation 25)

[0116] Meanwhile, after generating the matrix S, the second linear layer 233 may convert the matrix S into an N-dimensional vectors consisting of elements of the integer set custom-character , and output the vector s (that is, s ∈).

[0117] For example, when N=16 and the matrix S is a matrix of size 4×4 as shown in Equation 26, the matrix S may be converted into the 16-dimensional vector s as shown in Equation 27,

[00007] $\begin{matrix} S = [\begin{matrix} S_{1} & .Math. & S_{4} \\ .Math. & ⋱ & .Math. \\ S_{13} & .Math. & S_{16} \end{matrix}] \in ℤ_{t}^{4 \times 4} & (Equation 26) \end{matrix}$

[0118] and

s={s.sub.1, . . . , s.sub.16} ∈ custom-character . (Equation 27)

[0119] Meanwhile, the addition layer 234 may generate a key stream ks by performing a modular addition operation on the vector s generated by the second linear layer 233 and the last (that is, the r-th) round key RK.sub.r of the z round keys with the prime number t as a modulus.

[0120] Specifically, the addition layer 234 may generate the key stream ks using, for example, Equation 28 below

ks=s+RK.sub.r (mod t) ∈ custom-character . (Equation 28)

[0121] Meanwhile, encryption using the key stream ks may be performed through a modular addition operation on a message M to be encrypted and the key stream ks with the prime number t as a modulus, as shown in Equation 29 below

C=M−ks (mod t). (Equation 29)

[0122] In Equation 29, the message M to be encrypted may be an N-dimensional vector consisting of elements of an integer set custom-character (that is, M ∈).

[0123] In addition, the message M encrypted using the key stream ks may be decrypted by performing a modulo subtraction operation on a ciphertext C and the key stream ks with the prime number t as a modulus, as shown in Equation 30 below

M=C−ks (mod t). (Equation 30)

[0124] FIG. 5 is a flowchart of a method for generating a key stream according to an embodiment.

[0125] The method illustrated in FIG. 5 may be performed, for example, by the key stream generating apparatus 100 illustrated in FIG. 1.

[0126] Referring to FIG. 5, first, the key stream generating apparatus 100 generates r round keys based on the secret key k, the random bit string nc, and the encryption counter ctr (510).

[0127] Then, the key stream generating apparatus 100 generates a first round output vector xi by performing a modular addition operation on the first round key RK.sub.1 of the r round keys and the initial vector with the prime number t as a modulus (520).

[0128] Then, the key stream generating apparatus 100 generates a key stream from the first round output vector x.sub.1 by using the second to r-th round keys of the r round keys, one or more first round functions 220, and a second round function 230 (530).

[0129] Meanwhile, in the flowchart illustrated in FIG. 5, at least some of the steps may be performed in a different order, performed together in combination with other steps, omitted, performed in subdivided steps, or performed by adding one or more steps not illustrated.

[0130] FIG. 6 is a flowchart showing a process of generating a round key according to an embodiment.

[0131] The process illustrated in FIG. 6 may be performed, for example, by the key stream generating apparatus 100 illustrated in FIG. 1.

[0132] Referring to FIG. 6, first, the key stream generating apparatus 100 generates a seed bit string based on the random bit string nc and the encryption counter ctr (610).

[0133] Then, the key stream generating apparatus 100 generates r vectors that are each N-dimensional integer vectors consisting of elements of the integer set custom-character from the seed bit string by using a predefined generation function (620).

[0134] Then, the key stream generating apparatus 100 generates r round keys by performing modular multiplication operation on each of the r vectors and the secret key k with the prime number t as a modulus (630).

[0135] Meanwhile, in the flowchart illustrated in FIG. 6, at least some of the steps may be performed in a different order, performed together in combination with other steps, omitted, performed in subdivided steps, or performed by adding one or more steps not illustrated.

[0136] FIG. 7 is a flowchart showing a process of generating a key stream using one or more first round functions and a second round function according to an embodiment.

[0137] The method illustrated in FIG. 7 may be performed, for example, by the key stream generating apparatus 100 illustrated in FIG. 1.

[0138] Referring to FIG. 7, first, the key stream generating apparatus 100 sets an index value j, which indicates the number of times the first round function 220 is performed, to an initial value of 1 (710).

[0139] Then, the key stream generating apparatus 100 generates the j+1-th round output vector x.sub.j+1 from the j-th round output vector x.sub.j by using the j-th first round function of one or more first round functions 220 (720).

[0140] Then, the key stream generating apparatus 100 determines whether j=r−2 (730).

[0141] At this time, when j≠r−2, the key stream generating apparatus 100 increases j by 1 (740) and then the process returns to step 720.

[0142] On the other hand, when j=r−2, the key stream generating apparatus 100 generates the key stream ks from the r-l-th round output vector x.sub.r−1generated by an r−2-th first round function of the one or more first round functions 220 by using the second round function 230 (750).

[0143] Meanwhile, in the flowchart illustrated in FIG. 7, at least some of the steps may be performed in a different order, performed together in combination with other steps, omitted, performed in subdivided steps, or performed by adding one or more steps not illustrated.

[0144] FIG. 8 is a block diagram for exemplarily illustrating a computing environment including a computing device according to an embodiment. In the illustrated embodiment, each component may have different functions and capabilities in addition to those described below, and additional components may be included in addition to those described below.

[0145] The illustrated computing environment 110 includes a computing device 12. In an embodiment, the computing device 12 may be one or more components included in the key stream data generating apparatus 100 illustrated in FIG. 1.

[0146] The computing device 12 includes at least one processor 14, a computer-readable storage medium 16, and a communication bus 18. The processor 14 may cause the computing device 12 to operate according to the above-described exemplary embodiments. For example, the processor 14 may execute one or more programs stored in the computer-readable storage medium 16. The one or more programs may include one or more computer-executable instructions, which may be configured to cause, when executed by the processor 14, the computing device 12 to perform operations according to the exemplary embodiments.

[0147] The computer-readable storage medium 16 is configured to store computer-executable instructions or program codes, program data, and/or other suitable forms of information. A program 20 stored in the computer-readable storage medium 16 includes a set of instructions executable by the processor 14. In an embodiment, the computer-readable storage medium 16 may be a memory (a volatile memory such as a random access memory, a non-volatile memory, or any suitable combination thereof), one or more magnetic disk storage devices, optical disc storage devices, flash memory devices, other types of storage media that are accessible by the computing device 12 and may store desired information, or any suitable combination thereof.

[0148] The communication bus 18 interconnects various other components of the computing device 12, including the processor 14 and the computer-readable storage medium 16.

[0149] The computing device 12 may also include one or more input/output interfaces 22 that provide an interface for one or more input/output devices 24, and one or more network communication interfaces 26. The input/output interface 22 and the network communication interface 26 are connected to the communication bus 18. The input/output device 24 may be connected to other components of the computing device 12 via the input/output interface 22. The exemplary input/output device 24 may include a pointing device (a mouse, a trackpad, or the like), a keyboard, a touch input device (a touch pad, a touch screen, or the like), a voice or sound input device, input devices such as various types of sensor devices and/or imaging devices, and/or output devices such as a display device, a printer, a speaker, and/or a network card. The exemplary input/output device 24 may be included inside the computing device 12 as a component constituting the computing device 12, or may be connected to the computing device 12 as a separate device distinct from the computing device 12.

[0150] According to the disclosed embodiments, it is possible to achieve highly efficient modular operation-based encryption without the need to apply an additional rebooting technique during homomorphic ciphertext conversion using the ciphertext conversion framework.

[0151] Although the present disclosure has been described in detail through the representative embodiments as above, those skilled in the art will understand that various modifications may be made thereto without departing from the scope of the present invention. Therefore, the scope of rights of the present disclosure should not be limited to the described embodiments, but should be defined not only by the claims set forth below but also by equivalents of the claims.

METHOD AND APPARATUS FOR GENERATING KEY STREAM

Inventors

Cpc classification

Classification Explorer

G06F7/722

PHYSICS

Classification Explorer

H04L9/0861

ELECTRICITY

Classification Explorer

G06F17/16

PHYSICS

Classification Explorer

H04L9/14

ELECTRICITY

Classification Explorer

H04L9/0819

ELECTRICITY

Classification Explorer

H04L9/0637

ELECTRICITY

Classification Explorer

H04L9/0662

ELECTRICITY

International classification

Classification Explorer

H04L9/08

ELECTRICITY

Classification Explorer

G06F17/16

PHYSICS

Classification Explorer

G06F7/72

PHYSICS

Classification Explorer

H04L9/14

ELECTRICITY

Abstract

Claims

Description