CA2337306C - Method and apparatus for symmetric-key encryption - Google Patents

Publication number
CA2337306C
Authority
CA
Canada
Prior art keywords
blocks
random number
plain text
ciphertext
symmetric
Prior art date
Legal status
Expired - Fee Related
Application number
CA002337306A
Other languages
French (fr)
Other versions
CA2337306A1 (en)
Inventor
Masashi Takahashi
Hiroyuki Kurumatani
Kunihiko Miyazaki
Dai Watanabe
Soichi Furuya
Kazuo Takaragi
Hisayoshi Sato
Current Assignee
Hitachi Ltd
Original Assignee
Hitachi Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H04L9/0637 Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
    • H04L2209/20 Manipulating the length of blocks of bits, e.g. padding or block truncation
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The present invention provides a symmetric-key cryptographic technique capable of realizing both high-speed cryptographic processing having a high degree of parallelism and alteration detection. The present invention performs the steps of: dividing plain text composed of redundancy data and a message to generate a plurality of plain text blocks each having a predetermined length; generating a random number sequence based on a secret key; generating a random number block corresponding to one of the plurality of plain text blocks from the random number sequence; outputting a feedback value obtained as a result of operation on the one of the plurality of plain text blocks and the random number block, the feedback value being fed back to another one of the plurality of plain text blocks; and performing an encryption operation using the one of the plurality of plain text blocks, the random number block, and a feedback value obtained as a result of operation on still another one of the plurality of plain text blocks to produce a ciphertext block.

Description

METHOD AND APPARATUS FOR SYMMETRIC-KEY ENCRYPTION
BACKGROUND OF THE INVENTION
The present invention relates to a technique for ensuring security of confidential information.
Traditional cryptographic processing apparatuses employ a block cipher or a stream cipher for concealing data. Various types of block ciphers have been proposed including DES and IDEA™. DES and IDEA™ are described by Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 250-259, pp. 263-266.
The security of the total cryptographic process of each block cipher and its characteristics are discussed based on a block-cipher operation mode employed, such as ECB, CBC, CFB, OFB, or the counter mode. However, only the iaPCBC mode is known to be capable of performing both cryptographic processing and detection of an alteration at the same time, and other modes cannot detect alterations by themselves. Block-cipher operation modes are described by Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, Inc., 1996, pp. 189-209.

The iaPCBC mode is described by Gligor, Donescu, "Integrity-Aware PCBC Encryption Schemes," Preproceedings in Secure Protocol Workshop, Cambridge, 1999, to appear in Lecture Notes in Computer Science series, Springer-Verlag.
The iaPCBC mode is an operation mode that uses a block cipher. Regarding encryption, the iaPCBC mode can perform neither parallel processing nor preprocessing, making it very difficult to implement the iaPCBC mode in an extremely high speed processing environment.
On the other hand, there is a system that generates a cryptographic checksum called a "message authentication code" (hereinafter referred to as "MAC") in order to detect alterations. By implementing a MAC generation process as an independent mechanism, and executing the process during cryptographic processing in one of the above block-cipher operation modes, it is possible to perform both cryptographic processing and detection of an alteration at the same time. However, in this case it is necessary to share two completely independent cryptographic keys, one for encryption and the other for alteration detection.
Furthermore, data to be encrypted must be processed twice, once for encryption and a second time for MAC generation.
As a result, a realized cryptographic system may be complicated or may not be suitable for processing data having an extended length. In addition, the processing speed of the block cipher is slower than the current communication speed, which means that it is difficult to apply any technique using a combination of the block cipher and MAC to processing of the order of gigabit-per-second or terabit-per-second. MAC is described by Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 352-368.
In contrast with the block cipher, a stream cipher is an encryption mechanism that uses one of various proposed cryptographic pseudorandom number generators. The stream cipher was not able to detect alterations by itself regardless of security or characteristics of each implementation. Well-known stream ciphers, or pseudorandom number generators used for stream ciphers include SEAL, a linear feedback shift register using a nonlinear combination generator, a linear feedback shift register using a nonlinear filter, and a clock-controlled linear feedback shift register. SEAL is described by Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, Inc., 1996, pp. 398-400.

On the other hand, systems based on the above feedback shift registers are described by Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 203-212. A technique using a combination of a stream cipher and a MAC can also perform both cryptographic processing and detection of an alteration at the same time.
Furthermore, processing of a stream cipher is 2 to 20 times faster than that of a block cipher. However, as is the case with the combination of a block cipher and MAC, every MAC generation system (meaning every combination of a stream cipher and MAC) requires sharing of two different keys, and processing of a message twice. When considered in detail, the MAC generation system requires a particular mechanism in addition to that necessary for the stream cipher itself, and considerable computational complexity.
For example, MAC generation systems such as HMAC and UMAC require a safe hash function having guaranteed cryptographically-collision-free one-way characteristics.
This means that it is necessary to implement the above safe function in addition to a stream cipher. HMAC is described by Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, p. 355, Example 9.67 while UMAC is described by Black, Halevi, Krawczyk, Krovetz, Rogaway, "UMAC: Fast and Secure Message Authentication," Advances in Cryptology - CRYPTO '99, Lecture Notes in Computer Science, Vol. 1666, Springer-Verlag, 1999.
Generally, however, hash functions such as SHA-1 and MD5 are very complicated, and are not easy to implement.
These hash functions are described by Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, pp. 347-349. The security of hash functions has not yet been studied adequately in contrast with study of the security of block ciphers. Therefore, a user may not be able to incorporate a hash function because the user cannot rely on the hash function. In regards to MAC generation systems, MMH uses only a pseudorandom number generator, and requires a very small amount of additional resources such as circuits and programs to add an alteration detection function to the cryptographic process.
However, MMH requires a pseudorandom number sequence whose length is as long as that of the message, taking long time to generate necessary random numbers. MMH is described by Halevi, Krawczyk, "MMH: Software Message Authentication in the Gbit/second Rates," Fast Software Encryption, 4th International Workshop, FSE '97, Lecture Notes in Computer Science, Vol. 1267, Springer-Verlag, 1997. As described above, the prior art techniques are unsatisfactory in terms of ensuring of security and high-speed processing, and therefore a safer and faster cryptographic processing technique is required.
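The trade-off described in the background above, shown as an added example that is not part of the patent text: a stream cipher alone decrypts altered ciphertext without complaint, and pairing it with a separate MAC detects the alteration at the cost of a second key and a second pass over the data. The SHAKE-256 key stream, the HMAC-SHA-256 tag, the function names and the sample keys and message are assumptions chosen for illustration, not the generators or MACs the patent discusses.

```python
import hashlib
import hmac


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in pseudorandom number generator (assumption): SHAKE-256 over the key."""
    return hashlib.shake_256(b"ks|" + key).digest(n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR data with the key stream (the same call encrypts and decrypts)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def protect(enc_key: bytes, mac_key: bytes, message: bytes):
    """Encrypt, then authenticate: two independent keys, two passes over the data."""
    ciphertext = stream_xor(enc_key, message)                        # pass 1
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()     # pass 2
    return ciphertext, tag


def recover(enc_key: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag before decrypting; raise if the ciphertext was altered."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("alteration detected")
    return stream_xor(enc_key, ciphertext)


def alter(ciphertext: bytes, offset: int, delta: bytes) -> bytes:
    """Model an in-transit alteration: XOR delta into the ciphertext at offset."""
    changed = bytearray(ciphertext)
    for i, d in enumerate(delta):
        changed[offset + i] ^= d
    return bytes(changed)


# Constructed sample keys and message (not from the patent).
ENC_KEY = bytes(range(16))
MAC_KEY = bytes(range(16, 32))
MESSAGE = b"transfer 0100 units"


def demo():
    """Return (what the bare stream cipher decrypts, whether the MAC caught it)."""
    ciphertext, tag = protect(ENC_KEY, MAC_KEY, MESSAGE)
    tampered = alter(ciphertext, 9, b"\x01")       # one flipped bit
    silent = stream_xor(ENC_KEY, tampered)         # cipher alone: no error raised
    try:
        recover(ENC_KEY, MAC_KEY, tampered, tag)
        detected = False
    except ValueError:
        detected = True
    return silent, detected


if __name__ == "__main__":
    print(demo())
```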
SUMMARY OF THE INVENTION
It is an object of the present invention to provide a safer and faster symmetric-key cryptographic processing technique.
An additional object of the present invention is to provide a symmetric-key cryptographic method that is capable of performing alteration detection and decryption at the same time, and whose safety for data confidentiality and data alteration protection is provable.
A further object of the present invention is to provide a symmetric-key cryptographic method that advantageously has preprocessing and parallel processing functions, and is capable of processing at high speed, capitalizing on the high-speed processing characteristics of the pseudorandom number generator.
Another object of the present invention is to provide a symmetric-key cryptographic method whose processing speed is not only faster than that of the conventional block cipher, but can be made still faster as the amount of resources employed is increased, and that can attain a high level of parallel operation for high-speed processing.
Yet another object of the present invention is to provide a symmetric-key cryptographic method whose processing speed does not drop even when a very short message is processed.
A further object of the present invention is to provide a symmetric-key cryptographic method that can be implemented by adding a very small circuit or program to stream cipher equipment.
An additional object of the present invention is to provide a symmetric-key cryptographic method capable of processing each block using a pseudorandom number sequence as a key stream, and detecting an alteration at the same time.
In accordance with one aspect of the present invention there is provided a symmetric-key encryption method performed in a cryptographic system having input means for inputting at least a message, a secret data, and a parameter opened to the public, and output means for outputting an encrypted data, said encryption method comprising the steps of: dividing a plain text composed of redundancy data and a message to generate a plurality of plain text blocks each having a predetermined length; generating a random number sequence based on a secret key; generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of plain text blocks; outputting a first feedback value to a second one of said plurality of plain text blocks obtained as a result of an operation on a first one of said plurality of plain text blocks and a first one of said random number blocks; and performing an encryption operation using said first one of said plurality of plain text blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of plain text blocks, to produce a ciphertext block.
In accordance with another aspect of the present invention there is provided a symmetric-key decryption method performed in a cryptographic system having input means for inputting at least a message, an encrypted data, and a parameter opened to the public, and output means for outputting a decrypted data, said decryption method comprising the steps of: dividing a ciphertext to generate a plurality of ciphertext blocks each having a predetermined length; generating a random number sequence based on a secret key; generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of ciphertext blocks; outputting a first feedback value to a second one of said plurality of ciphertext blocks obtained as a result of an operation on a first one of said plurality of ciphertext blocks and a first one of said random number blocks; and performing a decryption operation using said first one of said plurality of ciphertext blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of ciphertext blocks, to produce a plain text block.
In accordance with yet another aspect of the present invention there is provided a symmetric-key encryption apparatus for use in a cryptographic system having input means for inputting at least a message, a secret data, and a parameter opened to the public, and output means for outputting an encrypted data, said encryption apparatus comprising: a circuit for dividing a plain text composed of redundancy data and a message to generate a plurality of plain text blocks each having a predetermined length; a circuit for generating a random number sequence based on a secret key; a circuit for generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of plain text blocks; a circuit for outputting a first feedback value to a second one of said plurality of plain text blocks obtained as a result of an operation on a first one of said plurality of plain text blocks and a first one of said random number blocks; and a circuit for performing an encryption operation using said first one of said plurality of plain text blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of plain text blocks, to produce a ciphertext block.
In accordance with still yet another aspect of the present invention there is provided a symmetric-key decryption apparatus for use in a cryptographic system having input means for inputting at least a message, an encrypted data, and a parameter opened to the public, and output means for outputting a decrypted data, said decryption apparatus comprising: a circuit for dividing a ciphertext to generate a plurality of ciphertext blocks each having a predetermined length; a circuit for generating a random number sequence based on a secret key; a circuit for generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of ciphertext blocks; a circuit for outputting a first feedback value to a second one of said plurality of ciphertext blocks obtained as a result of an operation on a first one of said plurality of ciphertext blocks and a first one of said random number blocks; and a circuit for performing a decryption operation using said first one of said plurality of ciphertext blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of ciphertext blocks, to produce a plain text block.
In accordance with still yet another aspect of the present invention there is provided a computer-readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of said symmetric-key encryption method.
In accordance with still yet another aspect of the present invention there is provided a computer-readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of said symmetric-key decryption method.
In accordance with still yet another aspect of the present invention there is provided a computer program product, comprising: a memory having computer-readable code embodied therein for implementing a symmetric-key encryption method performed in a cryptographic system having input means for inputting at least a message, a secret data, and a parameter opened to the public, and output means for outputting an encrypted data, said computer program product comprising: code means for dividing a plain text composed of redundancy data and a message to generate a plurality of plain text blocks each having a predetermined length; code means for generating a random number sequence based on a secret key; code means for generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of plain text blocks; code means for outputting a first feedback value to a second one of said plurality of plain text blocks obtained as a result of an operation on a first one of said plurality of plain text blocks and a first one of said random number blocks; and code means for performing an encryption operation using said first one of said plurality of plain text blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of plain text blocks, to produce a ciphertext block.

As for implementation cost, the present invention can avoid additional implementation that is difficult to make, such as the additional implementation of a hash function.
These and other benefits are described throughout the present specification. A further understanding of the nature and advantages of the invention may be realized by reference to the remaining portions of the specification and the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a system configuration employed in embodiments of the present invention;
Fig. 2 is a flowchart of a plain text preparation subroutine;
Fig. 3 is a flowchart of a random number generation subroutine;
Fig. 4 is a flowchart of an encryption subroutine;
Fig. 5 is a flowchart of the decryption program shown in Fig. 1;
Fig. 6 is a flowchart of the ciphertext preparation subroutine shown in Fig. 5;
Fig. 7 is a flowchart of the decryption subroutine shown in Fig. 5;
Fig. 8 is a flowchart of the plain text extraction subroutine shown in Fig. 5;
Fig. 9 is a flowchart of the redundancy extraction subroutine shown in Fig. 5;
Fig. 10 is a diagram showing data blocks in encryption;
Fig. 11 is a diagram showing data blocks in the decryption shown in Fig. 7;
Fig. 12 is a flowchart of the random number generation 2 subroutine according to a second embodiment of the present invention;
Fig. 13 is a flowchart of the encryption 2 subroutine of the second embodiment;
Fig. 14 is a flowchart of the second embodiment;
Fig. 15 is a flowchart of the decryption 2 subroutine of the second embodiment;
Fig. 16 is a diagram showing data blocks in the encryption according to the second embodiment;
Fig. 17 is a diagram showing data blocks in the decryption according to the second embodiment;
Fig. 18 is a flowchart of the encryption program according to a third embodiment of the present invention;
Fig. 19 is a flowchart of the random number generation 3 subroutine of the third embodiment;
Fig. 20 is a flowchart of the encryption 3 subroutine of the third embodiment;
Fig. 21 is a flowchart of the decryption of the third embodiment;
Fig. 22 is a flowchart of the decryption 3 subroutine of the third embodiment;
Fig. 23 is a diagram showing data blocks in the encryption according to the third embodiment;
Fig. 24 is a diagram showing data blocks in the decryption according to the third embodiment;
Fig. 25 is a flowchart of the parallel encryption program according to a fifth embodiment of the present invention;
Fig. 26 is a flowchart of the parallel decryption program of the fifth embodiment;
Fig. 27 is a diagram showing data blocks in the encryption according to the fifth embodiment;
Fig. 28 is a diagram showing data blocks in the decryption according to the fifth embodiment;
Fig. 29 is a flowchart of the random number generation 4 subroutine according to a fourth embodiment of the present invention;
Fig. 30 is a flowchart of the plain text preparation 2 subroutine of the fourth embodiment;
Fig. 31 is an explanatory diagram showing a padding program of operation on a message according to the fourth embodiment;
Fig. 32 is a flowchart of the decryption program of the fourth embodiment;
Fig. 33 is a flowchart of the plain text extraction 2 subroutine shown in Fig. 32;
Fig. 34 is an explanatory diagram showing an extraction operation on decrypted text according to the fourth embodiment;
Fig. 35 is a diagram showing the configuration of a system for cryptocommunications according to a sixth embodiment of the present invention;
Fig. 36 is a diagram showing the configuration of an encryption apparatus employed in a cryptocommunication system according to a seventh embodiment of the present invention;
Fig. 37 is a diagram showing the configuration of a contents delivery system according to an eighth embodiment of the present invention;
Fig. 38 is a diagram showing the configuration of a system according to a ninth embodiment of the present invention; and
Fig. 39 is a diagram showing the configuration of an encryption/decryption router according to a tenth embodiment of the present invention.

(First Embodiment)
Fig. 1 shows the configuration of a computer system including a computer A 10002 and a computer B 10003 connected to each other through a network 10001 for cryptocommunications from the computer A 10002 to the computer B 10003. The computer A 10002 has an operation unit (hereinafter referred to as "CPU") 10004, a memory unit (volatile or nonvolatile, hereinafter referred to as "RAM") 10005, a network interface 10006 therein, with a display 10007 and a keyboard 10008 externally connected thereto for the user to operate the computer A 10002. The RAM 10005 stores an encryption program PROG1 10009, a random number generation program PROG2 10010, a secret key K 10011, that is shared only between the computers A 10002 and B 10003, a redundancy R 10012 and an initial value V 10013 both of which are data shared between the computers A 10002 and B 10003, and encryption-target data 10014 to be transmitted to the computer B 10003. The computer B 10003 has a CPU 10015, a RAM 10016, and a network interface 10017 with a display 10018 and a keyboard 10019 externally connected thereto for the user to operate the computer B 10003. The RAM 10016 stores a decryption program PROG3 10020, a random number generation program PROG2 10021, the secret key K 10011, the redundancy R 10012, and the initial value V 10013.
The computer A 10002 executes the encryption program PROG1 10009 to generate ciphertext C 10022 from a message M 10014 and transmits the generated ciphertext C 10022 to the network 10001 through the network interface 10006.
Receiving the ciphertext C 10022 through the network interface 10017, the computer B 10003 executes the decryption program PROG3 10020, and if no alteration is detected, the computer B 10003 stores the decryption results in the RAM 10016.
Each program employed can be introduced into each RAM by receiving the program from another computer in the form of a transmission signal, which is a transmission medium on the network 10001, or by using a portable medium such as a CD or an FD. Each program can be configured so that it runs under control of the operating system (not shown) of each computer.
The encryption program PROG1 10009 is read out from the RAM 10005, and executed by the CPU 10004 in the computer A 10002. The encryption program PROG1 10009 internally calls a random number generation program PROG2 10010 as a subroutine to process the input secret key K 10011, the redundancy R 10012, the initial value V 10013, and the message M 10014 so as to output ciphertext C 10022.
The decryption program PROG3 10020 is read out from the RAM 10016, and executed by the CPU 10015 in the computer B 10003. The decryption program PROG3 10020 internally calls a random number generation program PROG2 10021 as a subroutine to process the input key, the redundancy R 10012, the initial value V 10013, and ciphertext C 10022 so as to output a message or an alteration detection alarm.
Description will be made of the process flow of the encryption program PROG1 10009.
Step 20002 (a data setting subroutine): waits for input of an initial value V, a redundancy R, and a secret key K.
Step 20003 (a plain text preparation subroutine): waits for input of plain text, adds predetermined padding and a redundancy to the given plain text, and divides the padded plain text into a series of plain text blocks Pi (1 ≤ i ≤ n) each having 64 bits and outputs these plain text blocks.
Step 20004 (a random number generation subroutine): outputs pseudorandom number sequences Ai and Bi (1 ≤ i ≤ n) based on the secret key K.
Step 20005 (an encryption subroutine): uses the pseudorandom number sequences Ai and Bi, the series of plain text blocks Pi (1 ≤ i ≤ n), and the initial value V to output a series of ciphertext blocks Ci (1 ≤ i ≤ n).
Step 20006: concatenates the series of ciphertext blocks Ci (1 ≤ i ≤ n) obtained at step 20005 one after another sequentially to output ciphertext C.
In this specification, the term "padding" used above refers to input of additional data to main data. In the case of padding of digital data, the additional data is often concatenated to the main data, simply bits to bits.
Description will be made of the process flow of the plain text preparation subroutine with reference to Fig. 2.
Step 20202: waits for input of an encryption-target message M. The message M is either input from the keyboard 10008 or read out from a RAM, or introduced from another medium.
Step 20203: adds padding indicating the length of the message. Specifically, this step adds 64-bit binary data indicating the length of the message M to the head of the message M.
Step 20204: adds padding to the message so that the length of the message is a multiple of a predetermined number. Specifically, the padded data is set to have an integer multiple of 64 bits for subsequent processing. When the length of the message M to which the data indicating the length is added at step 20203 is L bits, this step adds (64 - L (mod 64)) number of 0s to the end of the message M.
Step 20205 (addition of redundancy data): further adds a redundancy R of 64 bits to the end of the message.
Step 20206 (division of message data into plain text blocks): divides the data obtained at step 20205 into blocks P1, P2, ..., Pn, each having 64 bits.
Description will be made of the process flow of the random number generation subroutine with reference to Fig. 3.
Step 20302 (input of necessary parameters): obtains number n of blocks making up the padded message, and secret key K.
Step 20303 (generation of a pseudorandom number sequence A): calls the random number generation program PROG2 to generate a pseudorandom number sequence having 64*n bits and output it as a pseudorandom number sequence A.
Step 20304 (division of random number sequence A into blocks): divides the pseudorandom number sequence A into blocks A1, A2, ..., An, each having 64 bits.
Step 20305 (initialization of a counter i): initializes a counter so that i=1.
Step 20306 (generation of a random number Bi): executes PROG2 using the secret key K to generate a random number Bi having 64 bits.
Step 20307: if the random number Bi generated at step 20306 is 0, returns to step 20306.
Step 20308: if i=n, performs step 20310.
Step 20309: increments the counter i and returns to step 20306.
Description will be made of the process flow of the encryption subroutine with reference to Fig. 4.
Step 20402: sets an initial value F_0 so that F_0 = V.
Step 20403: sets a counter so that i=1.
Step 20404: calculates a feedback value F_i by the formula F_i = P_i ^ A_i.
Step 20405: calculates a ciphertext block C_i by the formula C_i = (F_i * B_i) ^ F_{i-1}.
Step 20406: if i=n, performs step 20408.
Step 20407: increments the counter i and returns to step 20404.
Description will be made of the process flow of the decryption program PROG3 10020 with reference to Fig. 5.
Step 20502 (a data setting subroutine): waits for input of the initial value V, the redundancy R, and the secret key K.
Step 20503 (a ciphertext preparation subroutine): waits for input of ciphertext C', and divides the given ciphertext C' into a series of ciphertext blocks C'i (1 ≤ i ≤ n) each having 64 bits and outputs them.
Step 20504 (a random number generation subroutine): outputs pseudorandom number sequences Ai and Bi (1 ≤ i ≤ n) based on the secret key K.
Step 20505 (a decryption subroutine): uses the pseudorandom number sequences Ai and Bi, the series of ciphertext blocks C'i (1 ≤ i ≤ n), and the initial value V to output a series of plain text blocks P'i (1 ≤ i ≤ n).
Step 20506 (a plain text extraction subroutine): combines the series of plain text blocks P'i into three data strings L', M', and Z'.
Step 20507 (a redundancy extraction subroutine): divides Z' into R' and T'.
Step 20508: if T=0 and R'=R, proceeds to step 20510.
Step 20509: outputs a rejection indication and proceeds to step 25011.
Step 20510: stores M' into a RAM.
At step 20509 or 20510, the decryption program outputs a result (acceptance/rejection or the encryption result) to the display 10018 as a notification to the user.
Description will be made of the process flow of the ciphertext preparation subroutine with reference to Fig. 6.
Step 20602: waits for input of ciphertext C'.
Step 20603: divides the ciphertext C' into blocks C'1, C'2, ..., C'n, each having 64 bits.
Description will be made of the process flow of the decryption subroutine with reference to Fig. 7.
Step 20702: sets an initial value F'_0 so that F'_0 = V.
Step 20703: initializes a counter so that i=1.
Step 20704: calculates a feedback value F'_i by the formula F'_i = (C'_i ^ F'_{i-1}) / B_i.
Step 20705: calculates a plain text block P'_i by the formula P'_i = F'_i ^ A_i.
Step 20706: if i=n, performs step 20708.
Step 20707: increments the counter i and returns to step 20704.
Description will be made of the process flow of the plain text extraction subroutine with reference to Fig. 8.
Step 20802: sets L' to the first 64-bit plain text block.
Step 20803: sets M' to the L' number of bits starting from the most significant bit of P'2 included in the series of decrypted plain text blocks.
Step 20804: after L' and M' are removed from the series of decrypted plain text blocks, sets Z' to the remaining decrypted plain text blocks (data).
Description will be made of the process flow of the redundancy extraction subroutine with reference to Fig. 9.
Step 20902: sets R' to the lower 64 bits of Z'.
Step 20903: after R' is removed from Z', sets T' to the remaining data.
Fig. 10 is an explanatory diagram showing the encryption process. The encircled plus "(+)" denotes an exclusive OR logic operation between two pieces of data each having a width of 64 bits, while the encircled X mark "(X)" denotes a multiplication operation between two pieces of data each having a width of 64 bits in the finite field F_{2^64}.
The message M 20931 is added with data 20930 indicating the length, appropriate padding 20932, and a redundancy R 20933 to produce plain text P 20934.
The produced plain text P 20934 is divided into blocks P1 20935, P2 20936, P3 20937, ..., Pn 20938, each having 64 bits.
P1 20935 and A1 20940 are exclusive-ORed to produce a feedback value F1 20941 which is then multiplied by B1 20942 in a finite field. The result is exclusive-ORed with an initial value F0 20939 to obtain a ciphertext block C1 20943.
Similarly, P2 20936 and A2 20946 are exclusive-ORed to produce a feedback value F2 20945 which is then multiplied by B2 20946 in a finite field. The result is exclusive-ORed with the feedback value F1 20941 to obtain a ciphertext block C2 20947.
The above procedure is repeated up to Pn 20938, obtaining ciphertext blocks C1 20943, C2 20947, C3 20951, ..., Cn 20955. The ciphertext blocks are concatenated one after another in that order to obtain ciphertext C 20956.
Fig. 11 is an explanatory diagram showing the decryption process. The encircled slash "(/)" denotes a division operation between two pieces of data each having a width of 64 bits in the finite field F_{2^64}. In the figure, data introduced to the encircled slash symbol from top is the dividend, while data introduced from left is the divisor.
Ciphertext C' 20960 is divided into blocks C'1 20962, C'2 20963, C'3 20964, ..., C'n 20965, each having 64 bits.
C'1 and an initial value F'0 20961 are exclusive-ORed, and the result is divided by B1 20966. The division result is set as a feedback value F'1 20967. The feedback value F'1 20967 and A1 20968 are exclusive-ORed to obtain a plain text block P'1 20969.
The other blocks C'2 20963, C'3 20964, ..., C'n 20965 are also processed in the same way as C'1 20962 to obtain plain text blocks P'1 20969, P'2, P'3 20977, ..., P'n 20981, which are then concatenated one after another to produce plain text P' 20982. The plain text P' 20982 is divided into L' 20983, M' 20984, and Z' 20985.
Furthermore, Z' 20985 is divided into T' 20988 and R' 20989 so as to check the redundancy R' 20989.
The first embodiment uses a pseudorandom number sequence whose length is about twice as long as that of the message for cryptographic processes. Even though pseudorandom-number processing is faster than block-cipher processing, it has the highest cryptographic process computational complexity. Therefore, it is desirable to reduce the number of random numbers used.
(Second Embodiment)
As described below, a second embodiment of the present invention employs a function different from that used by the first embodiment. By employing this second embodiment function, the number of random numbers used can be reduced by using the same divisor for each iteration in the decryption process. This makes it possible to perform the division operation at substantially the same speed as that of a multiplication operation if the reciprocal is calculated beforehand, resulting in very efficient processing.
The second embodiment employs an encryption program PROG1A and a decryption program PROG3A instead of the encryption program PROG1 and the decryption program PROG3, respectively.
The encryption program PROG1A replaces the random number generation subroutine 20004 and the encryption subroutine 20005 employed in the encryption program PROG1 10009 in Fig. 1 by a random number generation 2 subroutine 21004 and an encryption 2 subroutine 21005, respectively.
Description will be made of the process flow of the random number generation 2 subroutine 21004 with reference to Fig. 12.
Step 21102 (input of necessary parameters): obtains number n of message blocks making up a padded message and a secret key K.
Step 21103 (generation of pseudorandom number sequence A): calls the random number generation program PROG2 to generate a pseudorandom number sequence having 64*n bits and outputs it as a pseudorandom number sequence A.
Step 21104 (division of pseudorandom number sequence A into blocks): divides the pseudorandom number sequence A into blocks A1, A2, ..., An, each having 64 bits.
Step 21105 (generation of random number B): executes PROG2 using the secret key K to generate a random number B having 64 bits.
Step 21106: if the value of B generated at step 21105 is 0, returns to step 21105.
Description will be made of the process flow of the encryption 2 subroutine 21005 with reference to Fig. 13.
Step 21202: sets an initial value F_0 so that F_0 = V.
Step 21203: sets a counter so that i=1.
Step 21204: calculates a feedback value F_i by the formula F_i = P_i ^ A_i.
Step 21205: calculates a ciphertext block C_i by the formula C_i = (F_i * B) ^ F_{i-1}.
Step 21206: if i=n, performs step 21208.
Step 21207: increments the counter i and returns to step 21204.
Description will be made of the process flow of the decryption program PROG3A corresponding to PROG1A with reference to Fig. 14.
The decryption program PROG3A replaces the random number generation subroutine 20504 and the decryption subroutine 20505 employed in the decryption program PROG3 10020 by a random number generation 2 subroutine 21304 and a decryption 2 subroutine 21305, respectively.
Step 21302 (a data setting subroutine): waits for input of the initial value V, the redundancy R, and the secret key K.
Step 21303 (a ciphertext preparation subroutine): waits for input of ciphertext C', and divides the given ciphertext C' into a series of ciphertext blocks C'i (1 ≤ i ≤ n) each having 64 bits and outputs them.
Step 21304 (a random number generation subroutine): outputs pseudorandom number sequences Ai (1 ≤ i ≤ n) and B in response to the secret key K.
Step 21305 (a decryption subroutine): uses the pseudorandom number sequences Ai and B, the series of ciphertext blocks C'i (1 ≤ i ≤ n), and the initial value V to output a series of plain text blocks P'i (1 ≤ i ≤ n).
Step 21306 (a plain text extraction subroutine): combines the series of plain text blocks P'i into three data strings L', M', and Z'.
Step 21307 (a redundancy extraction subroutine): divides Z' into R' and T'.
Step 21308: if T=0 and R'=R, proceeds to step 21310.
Step 21309: outputs a rejection indication and proceeds to step 21311.
Step 21310: stores M' into a RAM.
Description will be made of the process flow of the decryption 2 subroutine 21305 in Fig. 14 with reference to Fig. 15.
Step 21402: sets an initial value F'_0 so that F'_0 = V.
Step 21403: calculates 1/B beforehand.
Step 21404: initializes a counter so that i=1.
Step 21405: calculates a feedback value F'_i by the formula F'_i = (C'_i ^ F'_{i-1}) * (1/B).
Step 21406: calculates a plain text block P'_i by the formula P'_i = F'_i ^ A_i.
Step 21407: if i=n, performs step 21409.
Step 21408: increments the counter i and returns to step 21405.
Fig. 16 is an explanatory diagram showing the encryption process employed by the above method of increasing the processing speed.
The message M 21421 is added with data 21420 indicating the length, appropriate padding 21422, and a redundancy R 21423 to produce plain text P 21424.
The produced plain text is divided into blocks P1 21425, P2 21426, P3 21427, ..., Pn 21428, each having 64 bits.
P1 21425 and A1 21431 are exclusive-ORed to produce a feedback value F1 21432 that is multiplied by B 21429 in a finite field. The result is exclusive-ORed with an initial value F0 21430 to obtain a ciphertext block C1 21433.
Similarly, P2 21426 and A2 21434 are exclusive-ORed to produce a feedback value F2 21435 that is then multiplied by B 21429 in a finite field. The result is exclusive-ORed with the feedback value F1 21432 to obtain a ciphertext block C2 21436.
The above procedure is repeated up to Pn 21428, obtaining ciphertext blocks C1 21433, C2 21436, C3 21439, ..., Cn 21442. The ciphertext blocks are concatenated one after another in that order to obtain ciphertext C 21443.
Fig. 17 is an explanatory diagram showing the corresponding decryption process.
Ciphertext C' 21450 is divided into blocks C'1 21453, C'2 21454, C'3 21455, ..., C'n 21456, each having 64 bits.
C'1 and an initial value F'0 21451 are exclusive-ORed, and the result is multiplied by 1/B 21452. The multiplication result is set as a feedback value F'1 21457.
The feedback value F'1 21457 and A1 21458 are exclusive-ORed to obtain a plain text block P'1 21459.
The other blocks C'2 21454, C'3 21455, ..., C'n 21456 are also processed in the same way as C'1 21453 to obtain plain text blocks P'1 21459, P'2 21462, P'3 21465, ..., P'n 21468. These plain text blocks are then concatenated one after another to produce plain text P' 21476. The plain text P' 21476 is divided into L' 21469, M' 21470, and Z' 21471. Furthermore, Z' 21471 is divided into T' 21474 and R' 21475 so as to check the redundancy R' 21475.
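The encryption 2 and decryption 2 subroutines described above, combined with the plain text preparation and redundancy check of the first embodiment, as an added Python example that is not code from the patent. The reduction polynomial x^64 + x^4 + x^3 + x + 1, the SHAKE-256 stand-in for PROG2, the byte-aligned messages, and all function names and sample values are assumptions.

```python
import hashlib

MASK64 = (1 << 64) - 1
# Assumption: reduce modulo x^64 + x^4 + x^3 + x + 1; the text names no polynomial.
POLY = 0x1B


def gf_mul(a: int, b: int) -> int:
    """Multiply two 64-bit values in the finite field F_{2^64}."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:                      # a degree-64 term appeared: reduce it
            a = (a & MASK64) ^ POLY
    return r


def gf_inv(a: int) -> int:
    """Return 1/a as a^(2^64 - 2); undefined for 0, hence the retry while B = 0."""
    result, e = 1, (1 << 64) - 2
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def to_blocks(data: bytes) -> list:
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def from_blocks(blocks) -> bytes:
    return b"".join(x.to_bytes(8, "big") for x in blocks)


def keystream(key: bytes, n: int):
    """Hypothetical stand-in for PROG2: A_1..A_n, then the first nonzero word as B."""
    words = to_blocks(hashlib.shake_256(key).digest(8 * (n + 4)))
    return words[:n], next(w for w in words[n:] if w)


def encrypt(key: bytes, v: int, r: int, msg: bytes) -> bytes:
    """PROG1A: pad as in steps 20203-20205, then run steps 21202-21207."""
    data = (8 * len(msg)).to_bytes(8, "big") + msg        # 64-bit length, in bits
    data += bytes(8 - len(msg) % 8)                        # 64 - (L mod 64) zero bits
    data += r.to_bytes(8, "big")                           # redundancy R
    p = to_blocks(data)
    a, b = keystream(key, len(p))
    c, f_prev = [], v                                      # F_0 = V
    for p_i, a_i in zip(p, a):
        f_i = p_i ^ a_i                                    # F_i = P_i ^ A_i
        c.append(gf_mul(f_i, b) ^ f_prev)                  # C_i = (F_i * B) ^ F_{i-1}
        f_prev = f_i
    return from_blocks(c)


def decrypt(key: bytes, v: int, r: int, ct: bytes):
    """PROG3A: returns M', or None where the text outputs a rejection indication."""
    if len(ct) % 8 or len(ct) < 24:                        # length, padding and R blocks
        return None
    c = to_blocks(ct)
    a, b = keystream(key, len(c))
    b_inv = gf_inv(b)                                      # step 21403: 1/B computed once
    plain, f_prev = [], v
    for c_i, a_i in zip(c, a):
        f_i = gf_mul(c_i ^ f_prev, b_inv)                  # F'_i = (C'_i ^ F'_{i-1}) * (1/B)
        plain.append(f_i ^ a_i)                            # P'_i = F'_i ^ A_i
        f_prev = f_i
    l_bits, body = plain[0], from_blocks(plain[1:])        # L' is the first block
    if l_bits % 8 or l_bits // 8 > len(body) - 8:          # byte-aligned demo; L' must fit
        return None
    m, z = body[:l_bits // 8], body[l_bits // 8:]          # M' and Z'
    t, r_prime = z[:-8], z[-8:]                            # T' and R' (lower 64 bits of Z')
    if any(t) or r_prime != r.to_bytes(8, "big"):          # accept only if T' = 0 and R' = R
        return None
    return m


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    K, V, R = b"constructed demo key", 0x0123456789ABCDEF, 0xA5A5A5A5A5A5A5A5
    ct = encrypt(K, V, R, b"constructed sample message")
    print(decrypt(K, V, R, ct))
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]              # one flipped ciphertext bit
    print(decrypt(K, V, R, tampered))                      # None: rejected
```

A change to any single ciphertext block propagates through the feedback value into every later plain text block, so the final block no longer equals R. The stand-in derives A and B from K alone, as the steps describe, so the same key always yields the same keystream.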
The second embodiment uses a 64-bit redundancy, and therefore employs addition and multiplication in the finite field F_{2^64}. With enhanced efficiency provided by this embodiment, it is possible to realize high-speed cryptographic processing. An implementation example written in the C programming language achieved a processing speed of 202 Mbit/sec in encryption processing using a 64-bit processor with a clock frequency of 600 MHz. On the other hand, a processing speed of 207 Mbit/sec was observed in decryption processing.
The above implementation uses such operations as pseudorandom number generation, exclusive OR, and multiplication in the finite field F_{2^64}, which are efficiently implemented especially by hardware. For example, it is estimated that with a gate array fabricated in a 0.35 µm process, the above operations can be implemented by adding an additional circuit having 3 k gates for the pseudorandom number generator. Furthermore, the pseudorandom number generator can be implemented using parallel processing, making it easy to realize a parallel processing device (including the pseudorandom number generator) having a processing speed as high as required.
Thus, it is possible to realize a processing speed of 9.6 Gbit/sec at maximum by adding a circuit having about 36 k gates to a parallel pseudorandom number generator.
(Third Embodiment)
As described below, a third embodiment of the present invention uses another high-speed processing function to provide processing at higher speed with the same security level as those of the first and the second embodiments. In another aspect, the third embodiment can provide higher security equivalent to F_{2^128} if operations in the finite field F_{2^64} employed in the first and second embodiments are also used.
In the aspect of providing processing at higher speed described above, the third embodiment uses an operation in the finite field F_{2^32} twice. Since multiplication in the field F_{2^64} generally requires a computational amount (computational complexity) four times as much as that for the finite field F_{2^32}, the third embodiment requires only half ((1/4)*2) of the computational amount (computational complexity) required by an operation in the finite field F_{2^64}, thereby doubling the processing speed.
In the aspect of enhancing security, the third embodiment can use both an operation in the finite field F_{2^64} and a 64-bit feedback value twice to reduce the alteration success rate from 2^-64 of the above method to 2^-128.
The third embodiment employs an encryption program PROG1B and a decryption program PROG3B instead of the encryption program PROG1 and the decryption program PROG3.
The encryption program PROG1B replaces the random number generation subroutine (step 20004) and the encryption subroutine (step 20005) employed in the encryption program PROG1 10009 in Fig. 1 by a random number generation 3 subroutine 21504 and an encryption 3 subroutine 21505. Description will be made of the process flow of the encryption program PROG1B with reference to Fig. 18.
Step 21502 (a data setting subroutine): waits for input of an initial value V, a redundancy R, and a secret key K.
Step 21503 (a plain text preparation subroutine): waits for input of plain text, adds predetermined padding and a redundancy to the given plain text, and divides the padded plain text into a series of plain text blocks Pi (1 ≤ i ≤ n) each having 32 bits and outputs these plain text blocks.
Step 21504 (random number generation 3 subroutine): outputs pseudorandom number sequences Ai (1 ≤ i ≤ n), Ba, and Bb based on the secret key K.
Step 21505 (encryption 3 subroutine): uses the pseudorandom number sequences Ai, Ba, and Bb, the series of plain text blocks Pi (1 ≤ i ≤ n), and the initial value V to output a series of ciphertext blocks Ci (1 ≤ i ≤ n).
Step 21506: concatenates the series of ciphertext blocks Ci (1 ≤ i ≤ n) obtained at step 21505 one after another sequentially to output ciphertext C.
Description will be made of the process flow of the random number generation 3 subroutine 21504 with reference to Fig. 19.
Step 21602 (input of necessary parameters): obtains number n of message blocks making up the padded message, and the secret key K.
Step 21603 (generation of pseudorandom number sequence A): calls the random number generation program PROG2 to generate a pseudorandom number sequence having 32*n bits and outputs it as a pseudorandom number sequence A.
Step 21604 (division of random number sequence A into blocks): divides the pseudorandom number sequence A into blocks A1, A2, ..., An, each having 32 bits.
Step 21605 (generation of random number Ba): executes PROG2 using the secret key K to generate a random number Ba having 32 bits.
Step 21606: if the value of the random number Ba generated at step 21605 is 0, returns to step 21605.
Step 21607 (generation of random number Bb): executes PROG2 using the secret key K to generate a random number Bb having 32 bits.
Step 21608: if the value of the random number Bb generated at step 21607 is 0, returns to step 21607.
Description will be made of the process flow of the encryption 3 subroutine 21505 with reference to Fig. 20.
The symbols "*" and "^" denote multiplication and addition, respectively, in the finite field F_{2^32}.
Step 21702: sets initial values FA_0 and FB_0 so that FA_0 = FB_0 = V.
Step 21703: initializes a counter so that i=1.
Step 21704: calculates a feedback value FA_i by the formula FA_i = P_i ^ A_i.
Step 21705: calculates a feedback value FB_i by the formula FB_i = (FA_i * Ba) ^ FA_{i-1}.
Step 21706: calculates a ciphertext block C_i by the formula C_i = (FB_i * Bb) ^ FB_{i-1}.
Step 21707: if i=n, performs step 21709.
Step 21708: increments the counter i and returns to step 21704.
Description will be made of the process flow of the decryption program PROG3B with reference to Fig. 21. The decryption program PROG3B replaces the random number generation subroutine 20504 and the decryption subroutine 20505 employed in the decryption program PROG3 10020 by a random number generation 3 subroutine 21804 and a decryption 3 subroutine 21805, respectively.
Step 21802 (a data setting subroutine): waits for input of the initial value V, the redundancy R, and the secret key K.
Step 21803 (a ciphertext preparation subroutine): waits for input of ciphertext C', and divides the given ciphertext C' into a series of ciphertext blocks C'i (1 ≤ i ≤ n) each having 32 bits and outputs them.
Step 21804 (a random number generation subroutine): outputs pseudorandom number sequences Ai (1 ≤ i ≤ n), Ba, and Bb based on the secret key K.
Step 21805 (a decryption subroutine): uses the pseudorandom number sequences Ai, Ba, Bb, the series of ciphertext blocks C'i (1 ≤ i ≤ n), and the initial value V to output a series of plain text blocks P'i (1 ≤ i ≤ n).
Step 21806 (a plain text extraction subroutine): combines the series of plain text blocks P'i into three data strings L', M', Z'.
Step 21807 (a redundancy extraction subroutine): divides Z' into R' and T'.
Step 21808: if T=0 and R=R', proceeds to step 21810.
Step 21809: outputs a rejection indication and proceeds to step 21811.
Step 21810: stores M' into a RAM.
Description will be made of the process flow of the decryption 3 subroutine 21805 in Fig. 21 with reference to Fig. 22. The symbol "/" denotes division in the finite field F_{2^32}.
Step 21902: sets initial values FA'_0 and FB'_0 so that FA'_0 = FB'_0 = V.
Step 21903: calculates 1/Ba and 1/Bb beforehand.
Step 21904: initializes a counter so that i=1.
Step 21905: calculates a feedback value FB'_i by the formula FB'_i = (C'_i ^ FB'_{i-1}) * (1/Bb).
Step 21906: calculates a feedback value FA'_i by the formula FA'_i = (FB'_i ^ FA'_{i-1}) * (1/Ba).
Step 21907: calculates a plain text block P'_i by the formula P'_i = FA'_i ^ A_i.
Step 21908: if i=n, performs step 21910.
Step 21909: increments the counter i and returns to step 21905.
Fig. 23 is an explanatory diagram showing the encryption process employed by the above method of increasing the processing speed.
The message M 21921 is added with data L 21920 indicating the length, appropriate padding 21922, and a redundancy R 21923 to produce plain text P 21924.
The produced plain text P 21924 is divided into blocks P1 21925, P2 21926, P3 21927, ..., Pn 21928, each having 32 bits.
P1 21925 and A1 21933 are exclusive-ORed to produce a feedback value FA1 21934 that is then multiplied by Ba 21929 in a finite field. The result is exclusive-ORed with an initial value FA0 21930 to obtain a feedback value FB1 21935. The obtained feedback value FB1 21935 is multiplied by Bb 21931 in a finite field, and the multiplication result is exclusive-ORed with an initial value FB0 21932 to obtain a ciphertext block C1 21936.
Similarly, P2 21926 and A2 21937 are exclusive-ORed to produce a feedback value FA2 21938 that is multiplied by Ba 21929 in a finite field. The result is exclusive-ORed with the feedback value FA1 21934 to obtain a feedback value FB2 21939. The obtained FB2 21939 is multiplied by Bb 21931 in a finite field, and the multiplication result is exclusive-ORed with the feedback value FB1 21935 to obtain a ciphertext block C2 21940.
The above procedure is repeated up to Pn 21928, obtaining ciphertext blocks C1 21936, C2 21940, C3 21944, ..., Cn 21950. The ciphertext blocks are concatenated one after another in that order to obtain ciphertext C 21951.
Fig. 24 is an explanatory diagram showing the corresponding decryption process.
Ciphertext C' 21960 is divided into blocks C'1 21961, C'2 21962, C'3 21963, ..., C'n 21964, each having 32 bits.
C'1 and an initial value FB'0 21965 are exclusive-ORed, and the result is multiplied by 1/Bb 21966. The multiplication result is set as a feedback value FB'1 21969. The feedback value FB'1 21969 is exclusive-ORed with an initial value FA'0 21967, and the result is multiplied by 1/Ba 21968 to generate a feedback value FA'1 21970. The feedback value FA'1 21970 is exclusive-ORed with A1 21971 to obtain a plain text block P'1 21972.
The other blocks C'2 21962, C'3 21963, ..., C'n 21964 are also processed in the same way as C'1 21961 to obtain plain text blocks P'1 21972, P'2 21976, P'3 21980, ..., P'n 21985. These plain text blocks are then concatenated one after another to produce plain text P' 21986. The plain text P' 21986 is divided into L' 21987, M' 21988, and Z' 21989. Furthermore, Z' 21989 is divided into T' 21992 and R' 21993 so as to check the redundancy R' 21993.
(Fourth Embodiment)
As described below, a fourth embodiment of the present invention provides a cryptographic method capable of properly starting encryption/decryption processing without using information on the length of a message to be processed. Accordingly, the fourth embodiment makes it possible to perform cryptographic processing of data (message) of a stream type whose entire length is not known beforehand.
The fourth embodiment replaces the random number generation 2 subroutine and the plain text preparation subroutine in the encryption program PROG1A, and the decryption program PROG3A employed in the second embodiment by a random number generation 4 subroutine, a plain text preparation 2 subroutine, and a decryption program PROG6, respectively.
Description will be made of the process flow of the random number generation 4 subroutine with reference to Fig. 29.
Step 40212 (input of necessary parameters): obtains the number n of message blocks making up a padded message, and a secret key K.
Step 40213 (generation of pseudorandom number sequence A): calls the random number generation program PROG2 to generate a pseudorandom number sequence having 64*n bits and outputs it as a pseudorandom number sequence A.
Step 40214 (division of pseudorandom number sequence A into blocks): divides the pseudorandom number sequence A into blocks A1, A2, ..., An, each having 64 bits.
Step 40215 (generation of random number B): executes PROG2 using the secret key K to generate a random number B having 64 bits.
Step 40216: if the value of B generated at step 40215 is 0, returns to step 40215.
Step 40217 (generation of random number Q): executes PROG2 using the secret key K to generate a random number Q having 64 bits.
Next, description will be made of the process flow of the plain text preparation 2 subroutine with reference to Figs. 30 and 31.
Step 40202: waits for input of an encryption-target message M 40300. The message is either input from the keyboard 10008 or read out from a RAM, or introduced from another medium.
Step 40203: adds padding to the message so that the length of the message is a multiple of a predetermined number. Specifically, the padded data (message) is set to have an integer multiple of 64 bits for subsequent processing. When the length of the message M 40300 is L bits, this step adds (64 - L (mod 64)) number of 0s to the end of the message M 40300.
Step 40204 (addition of secret data): further adds 64-bit secret data Q 40302 to the end of the message M 40300. The secret data Q 40302 can be known by only a person who holds or has obtained its key (or the key data). The secret data may be a random number generated from the secret key K. The above step 40217 performs this process of generating secret data.
Step 40205 (addition of redundancy data): still further adds a redundancy R 40303 of 64 bits to the end of the message M 40300.
Step 40206 (division of message data into plain text blocks): divides the data P 40304 (the padded message) obtained at step 40205 into blocks P1, P2, ..., Pn, each having 64 bits.
Description will be made of the process flow of the decryption program PROG6 with reference to Figs. 32 and 34.

Step 40402 (a data setting subroutine): waits for input of the initial value V, the redundancy R, and the secret key K.
Step 40403 (a ciphertext preparation subroutine): waits for input of ciphertext C', and divides the given ciphertext C' into a series of ciphertext blocks C'i (1 ≤ i ≤ n) each having 32 bits and outputs them.
Step 40404 (random number generation 4 subroutine): outputs pseudorandom number sequences Ai (1 ≤ i ≤ n) and B based on the secret key K.
Step 40405 (decryption 3 subroutine): uses the pseudorandom number sequences Ai, B, and Q, the series of the ciphertext blocks C'i (1 ≤ i ≤ n), and the initial value V to output a series of plain text blocks P'i (1 ≤ i ≤ n).
Step 40406 (plain text extraction 2 subroutine): combines the series of plain text blocks P'i 40601 into three data strings M' 40602, Q' 40603, and R' 40604.
Step 40407: if Q' 40603=Q 40302 and R' 40604=R 40303, proceeds to step 40409.
Step 40408: outputs a rejection indication and proceeds to step 40410.
Step 40409: stores M' into a RAM.
Step 40410: ends the process.

Next, description will be made of the process flow of the plain text extraction 2 subroutine with reference to Fig. 33.
Step 40502: removes the last 128 bits of the decrypted plain text, and sets a plain text block M' to the remaining decrypted text.
Step 40503: sets Q' to the upper 64 bits of the removed last 128 bits obtained at step 40502.
Step 40504: sets R' to the lower 64 bits of the removed last 128 bits.
(Fifth Embodiment)
The above first through fourth embodiments of the present invention have a single-processor configuration, that is, they do not employ parallel processing. However, the fifth embodiment of the present invention shows that the present invention can be easily applied to parallel processing.
The system configuration (not shown) of the fifth embodiment is different from that shown in Fig. 1 in that the computer A 10002 employs two CPUs, CPU 1 30004 and CPU 2 30005, instead of the single CPU 10004, and the RAM 10005 stores a parallel encryption program PROG4 30016 in addition to the components shown in Fig. 1. Furthermore, the computer B 10003 employs two CPUs, CPU 1 30017 and CPU 2 30018, instead of the single CPU 10015, and the RAM 10016 stores a parallel decryption program PROG5 30025 in addition to the components shown in Fig. 1.
The computer A 10002 executes the parallel encryption program PROG4 30016 to generate ciphertext C 10022 from a message M 10014 and transmit the generated ciphertext C 10022. Receiving the ciphertext C 10022, the computer B 10003 executes the parallel decryption program PROG5 30025 and if no alteration is detected, the computer B 10003 stores the decryption results into the RAM 10016.
The CPUs 1 30004 and 2 30005 implement the parallel encryption program PROG4 30016 by executing the program read out from the RAM 10005 in the computer A 10002. The parallel encryption program PROG4 30016 internally calls and executes the encryption program PROG1 10009 and the random number generation program PROG2 10010 as its subroutines.
The CPUs 1 30017 and 2 30018 execute the parallel decryption program PROG5 30025 read out from the RAM 10016 in the computer B 10003. The parallel decryption program PROG5 30025 calls and executes the decryption program PROG3 10020 and the random number generation program PROG2 10021 as its subroutines.
The other configurations and operations of the system are the same as those shown in Fig. 1.
Description will be made of the process flow of the parallel encryption program PROG4 30016 with reference to Fig. 25. The expression "A||B" denotes concatenation of two bit-strings A and B.
Step 40002: divides a message M into two parts, M1 and M2, in message processing performed by the CPU 1.
Step 40003: uses an initial value V+1, a redundancy R+1, a secret key K, and the plain text M1 to output ciphertext C1 in encryption processing by the encryption program PROG1 10009 executed by CPU 1.
Step 40004: uses an initial value V+2, a redundancy R+2, the secret key K, and the plain text M2 to output ciphertext C2 in encryption processing by the encryption program PROG1 10009 executed by CPU 2.
Step 40005: uses an initial value V, a redundancy R, the secret key K, and plain text (R1 || R2) to output ciphertext C3 in encryption processing by the encryption program PROG1 10009 executed by CPU 1.
Step 40006: generates ciphertext C (C = C1 || C2 || C3).
Step 40007: stores the ciphertext C into a memory.

Description will be made of the process flow of the parallel decryption program PROG5 30025 with reference to Fig. 26.
Step 40102: divides ciphertext C' into three parts, C'1, C'2, and C'3. C'3 has 192 bits, and C'1 and C'2 have the same length, where C' = C'1 || C'2 || C'3.
Step 40103: uses the initial value V+1 and the secret key K to decrypt the ciphertext block C'1 into a message block M'1 and the redundancy R+1 in decryption processing by the decryption program PROG3 10020 executed by the CPU 1, and stores the message block M'1 and the redundancy R+1.
Step 40104: uses the initial value V+2 and the secret key K to decrypt the ciphertext block C'2 into a message block M'2 and the redundancy R+2 in decryption processing by the decryption program PROG3 10020 executed by CPU 2, and stores the message block M'2 and the redundancy R+2.
Step 40105: if at least one of the decryption results obtained at steps 40103 and 40104 is a reject, performs step 40111.
Step 40106: uses the initial value V and the secret key K to decrypt the ciphertext block C'3 into a block and the redundancy R in decryption processing by the decryption program PROG3 10020 executed by the CPU 1, and stores the decryption result (the decrypted block) and the redundancy R.
Step 40107: if the decryption result obtained at step 40106 is a reject, performs step 40111.
Step 40108: if the decrypted block obtained at step 40106 is not equal to (R+1)||(R+2), performs step 40111.
Step 40109: lets M' = M'1 || M'2 (M': decryption result).
Step 40110: stores M' into a memory and performs step 40112.
Step 40111: outputs a rejection indication.
As described above, the fifth embodiment can provide parallel cryptographic processing using two separate processors.
Fig. 27 is an explanatory diagram showing the encryption process employed by the above parallel cryptographic processing method.
M1 40141 and M2 40142 obtained as a result of dividing a message M 40140 are added with redundancies R+1 and R+2, respectively, and denoted as blocks 40143 and 40144. The blocks 40143 and 40144 are encrypted by use of encryption processes 40146 and 40147 to obtain ciphertext blocks C1 40149 and C2 40150, respectively. Further, a combination of the redundancies R+1 and R+2, which is set as a message, and another redundancy R are encrypted to obtain a ciphertext block C3 40151.

The ciphertext blocks C1 40149, C2 40150, and C3 40151 are concatenated one after another to output ciphertext C 40152.
Fig. 28 is an explanatory diagram showing the corresponding parallel decryption process.
Ciphertext C' 40160 is divided into three blocks, C'1 40161, C'2 40162, and C'3 40163. The obtained blocks C'1 40161, C'2 40162, and C'3 40163 are decrypted by decryption processes 40164, 40165, and 40166 to obtain plain text blocks 40167, 40168, and 40169, respectively.
If the obtained plain text blocks are accepted, and the redundancies included in the plain text blocks 40167 and 40168 are identical to the message portions of the plain text block 40169, and furthermore the redundancy included in the plain text block 40169 is equal to the one shared beforehand, the message portions M'1 40170 and M'2 40171 are extracted from the plain text blocks 40167 and 40168, respectively, and concatenated to obtain a message M' 40172.
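The composition of steps 40002 to 40007 and the checks of steps 40102 to 40111 can be traced in the following sketch, which is an added illustration and not code from the patent. PROG1 and PROG3 are replaced by a hypothetical stand-in (a length-preserving hash-based Feistel cipher that appends and checks the 64-bit redundancy), two worker threads stand in for CPU 1 and CPU 2, and all function names, the sample values, and the 64-bit wraparound of V and R are assumptions.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

RED_LEN = 8                 # 64-bit redundancy, so C3 = 128 + 64 = 192 bits
MASK = (1 << 64) - 1        # assumption: V+1, R+1, ... wrap modulo 2^64

# Constructed sample values (not from the patent).
KEY = bytes(range(16))
V = 0x0123456789ABCDEF
R = 0x1122334455667788
M = b"sixteen byte msg"


def _w(x):
    """Encode a 64-bit value as 8 big-endian bytes."""
    return (x & MASK).to_bytes(RED_LEN, "big")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, iv, rnd, data, n):
    """Round function: HMAC-SHA256 in counter mode, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        block = _w(iv) + bytes([rnd]) + ctr.to_bytes(4, "big") + data
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _encipher(key, iv, data, decrypt=False):
    """Stand-in cipher: length-preserving 4-round Feistel keyed by (key, iv)."""
    h = len(data) // 2
    left, right = data[:h], data[h:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        if rnd % 2 == 0:
            left = _xor(left, _f(key, iv, rnd, right, len(left)))
        else:
            right = _xor(right, _f(key, iv, rnd, left, len(right)))
    return left + right


def prog1_encrypt(key, iv, red, msg):
    """Stand-in for PROG1: append the redundancy, then encipher."""
    return _encipher(key, iv, msg + _w(red))


def prog3_decrypt(key, iv, red, ct):
    """Stand-in for PROG3: return the message, or None as the reject."""
    if len(ct) < RED_LEN:
        return None
    pt = _encipher(key, iv, ct, decrypt=True)
    if not hmac.compare_digest(pt[-RED_LEN:], _w(red)):
        return None
    return pt[:-RED_LEN]


def parallel_encrypt(key, v, r, m):
    if len(m) % 2:
        raise ValueError("this sketch needs an even-length message")
    m1, m2 = m[:len(m) // 2], m[len(m) // 2:]                   # step 40002
    # Two workers model CPU 1 and CPU 2; the two calls share no state.
    with ThreadPoolExecutor(max_workers=2) as pool:
        f1 = pool.submit(prog1_encrypt, key, v + 1, r + 1, m1)  # step 40003
        f2 = pool.submit(prog1_encrypt, key, v + 2, r + 2, m2)  # step 40004
        c1, c2 = f1.result(), f2.result()
    # Step 40005: the binding block carries (R+1)||(R+2), the value that
    # step 40108 compares against.
    c3 = prog1_encrypt(key, v, r, _w(r + 1) + _w(r + 2))
    return c1 + c2 + c3                                         # step 40006


def parallel_decrypt(key, v, r, c):
    """Return M', or None as the rejection indication (step 40111)."""
    body = len(c) - 3 * RED_LEN              # C'3 is the last 192 bits
    if body < 2 * RED_LEN or body % 2:
        return None
    half = body // 2
    c1, c2, c3 = c[:half], c[half:body], c[body:]               # step 40102
    with ThreadPoolExecutor(max_workers=2) as pool:
        f1 = pool.submit(prog3_decrypt, key, v + 1, r + 1, c1)  # step 40103
        f2 = pool.submit(prog3_decrypt, key, v + 2, r + 2, c2)  # step 40104
        m1, m2 = f1.result(), f2.result()
    if m1 is None or m2 is None:                                # step 40105
        return None
    bind = prog3_decrypt(key, v, r, c3)                         # step 40106
    if bind is None:                                            # step 40107
        return None
    if not hmac.compare_digest(bind, _w(r + 1) + _w(r + 2)):    # step 40108
        return None
    return m1 + m2                                              # step 40109
```

Because each part is enciphered under its own initial value and redundancy, exchanging C'1 and C'2 is rejected in the same way as a modified bit.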
Any CPU capable of executing a program can be used for the above embodiments whether it is a general-purpose CPU or a dedicated one. Even though the above embodiments are each implemented by execution of programs by a CPU (or CPUs), dedicated hardware can be used for each process employed, providing high speed and low cost.
Any of known pseudorandom number generators can be applied to the above embodiments. The known pseudorandom number generators include a pseudorandom generator using a linear feedback shift register (LFSR) with a nonlinear filter, a nonlinear feedback shift register, a combining generator, a shrinking generator, a clock-controlled pseudorandom number generator, a Geffe generator, an alternating step generator, RC4, SEAL, PANAMA, the OFB mode of the block cipher, the counter mode of the block cipher, and other pseudorandom number generators using hash functions.
(Sixth Embodiment)
The above first through fifth embodiments each provide a cryptographic processing method. A sixth embodiment of the present invention, on the other hand, shows that the present invention can be applied to various information systems.
Fig. 35 is a diagram showing the configuration of a system in which computers A 50016 and B 50017 are connected through a network 50009 for cryptocommunications from the computer A 50016 to the computer B 50017. The computer A 50016 has a CPU 50007, a RAM 50001, and a network interface device 50008. The RAM 50001 stores key-exchange protocol software 50002 for executing a key-exchange protocol, a public key 50004 of the authentication center, a secret-key generation program 50003, an encryption program 50006, and communication data 50005 (corresponding to the message M in each embodiment described above) to be transmitted using cryptocommunications. The computer B 50017 has a CPU 50014, a RAM 50010, and a network interface device 50015 therein. The RAM 50010 stores key-exchange protocol software 50011 and a decryption program 50013.
The computer A executes the secret-key generation program 50003 to generate a secret key used for cryptocommunications with the computer B 50017. The computers A 50016 and B 50017 execute the key-exchange protocol software 50002 and 50011, respectively, to share the secret key generated by the computer A.
After sharing the secret key, the computer A 50016 executes the encryption program 50006 of the present invention to encrypt the communication data 50005 at high speed. The computer A 50016 then transmits the encryption results to the computer B 50017 through the network 50009 using the network interface device 50008.
The computer B 50017 executes the decryption program 50013 of the present invention to decrypt received ciphertext at high speed to restore the communication data.

This embodiment shows that the present invention can provide high-speed and safe cryptocommunications even when available hardware resources are limited. That is, the present invention is capable of realizing a highly safe cryptocommunication system which is faster than the conventional cryptographic method, and provides confidentiality as well as a mathematically proven alteration detection function.
(Seventh Embodiment)
The above sixth embodiment performs cryptographic processing by use of software. A seventh embodiment of the present invention, on the other hand, shows that the present invention can be realized by hardware implementation.
Fig. 36 is a diagram showing the configuration of an encryption apparatus employed in a cryptocommunication system using a network. The computer 50110 has a RAM 50101, a CPU 50104, and a network interface device 50105, and is connected to a network 50106. The RAM 50101 stores communication data 50103 (corresponding to the message M in each embodiment described above) to be encrypted and a communication program 50102, and the CPU 50104 executes the communication program 50102 to output the communication data 50103 to the network interface device 50105. The network interface device 50105 includes a secret-key generation circuit 50107, an encryption circuit 50109, and a key-exchange protocol circuit 50108, and has a public key 50110 of the authentication center stored in its memory area. According to the execution of the communication program 50102, the network interface device 50105 generates a secret key by use of the secret-key generation circuit 50107, and exchanges the generated secret key with another device on the network using the key-exchange protocol circuit 50108 so as to share the generated secret key with the communication destination device. The encryption circuit 50109 in the network interface device 50105 encrypts the input communication data 50103 at high speed using the generated and then shared secret key to generate ciphertext, which is then output to the network 50106.
This embodiment shows that the present invention can provide safe and fast cryptocommunications using limited hardware resources. Particularly, if this embodiment is combined with the cryptographic processing method of the second embodiment, more efficient and safe cryptocommunications can be realized. This is because addition and multiplication in the finite field F2^64 employed in the second embodiment are suitable for hardware implementation. The decryption process can also be implemented by hardware in the same way.
As shown by this embodiment, the present invention can provide a cryptographic method whose hardware implementation requires a small number of gates or performs very high-speed processing.
(Eighth Embodiment)
By using a computer capable of performing cryptographic processing employed in the sixth or seventh embodiment, it is possible to easily realize a contents delivery protected by encryption. An eighth embodiment of the present invention shows an example of a contents delivery.
As shown in Fig. 37, a storage device (whose medium is not limited to a specific type, that is, it is possible to use a semiconductor storage device, a hard disk, a magnetic storage device such as one using tape, or an optical storage device such as a DVD or an MO) storing contents 50201 as digital information is connected to a computer 50202 capable of performing encryption processing according to the present invention. An information reproduction device 50205 (an MPEG reproduction device, a digital TV, a personal computer, etc.) which is to reproduce contents and may be located in a physically remote place is connected to an external coding device 50204 capable of performing decryption processing according to the present invention.
The computer 50202 and the external coding device are connected to each other through a network 50203.
The contents 50201 is encrypted by the computer 50202 capable of encryption, and then transmitted to the network 50203. The external coding device 50204 capable of decryption decrypts the encrypted contents, and outputs the decryption results to the information reproduction device 50205. The information reproduction device 50205 stores and reproduces input information.
The contents 50201 handled by the information reproduction device 50205 include not only electronic files but also multimedia data such as computer software, sound, and image. Contents which require real-time processing, such as sound and movies, can be encrypted or decrypted at high speed by applying the present invention, making it possible to secure smooth real-time transmission.
Furthermore, the receiving device can detect data corruption due to alteration or noise during the transmission, ensuring communications free of transmission errors.
(Ninth Embodiment)
The eighth embodiment delivers contents by transmission through a network. When it is necessary to deliver a very large amount of information, however, it is more efficient to deliver ciphertext on a DVD, etc. beforehand, and then transmit the decryption key at the time of permitting the decryption of the ciphertext. Such a system is provided by a ninth embodiment.
As shown in Fig. 38, contents are distributed to the consumer as ciphertext, using a medium such as a DVD-ROM 50307, beforehand. The consumer enters information 50306 (money transfer information) on payment for contents using a contents-key exchange program 50305 running on the consumer's personal computer 50304. The contents-key exchange program 50305 then obtains a key from a contents-key table in a key server 50302 through a network 50303. A decryption program 50308 decrypts the ciphertext contents recorded on the DVD-ROM 50307 using the obtained key. The decryption results are output to the information reproduction device 50309 which then reproduces the contents.
This embodiment may be configured such that the contents are not output to the information reproduction device 50309, and the personal computer 50304 itself reproduces them. In a typical example, the contents is a program to be executed on a personal computer. The above reproduction method of using a personal computer is efficient in such a case. When ciphertext contents recorded on a DVD-ROM can be divided into several parts, and each part is encrypted using a different key, it is possible to control keys transmitted to the contents-key acquisition program 50305 so as to limit contents which can be decrypted by the consumer.
The ninth embodiment was described assuming that data recorded on the DVD-ROM 50307 is to be read out.
Generally, a very large amount (a few tens of megabytes to a few hundreds of megabytes) of data is stored on the DVD-ROM 50307, and therefore a fast cryptographic processing method is required for processing such data. Since the present invention can provide high-speed decryption, the present invention is suitably applied to distribution of charged contents using a DVD medium.
(Tenth Embodiment)
In a tenth embodiment of the present invention, the present invention is applied to a router which controls packet transfer on a network. This router encrypts packets differently depending on the destination router of each packet at the time of their transmission to the network.
Fig. 39 is a diagram showing the configuration of a cryptographic router. The network router 50401 has a routing table 50402, a packet exchanger 50403, network interfaces A 50404, B 50405, and C 50406, and an internal parallel encryption/decryption device 50410 therein. The network interfaces A 50404, B 50405, and C 50406 are connected to external networks A 50407, B 50408, and C 50409, respectively.
The internal parallel encryption/decryption device 50410 has a secret-key table 50411, a router-key storage area 50412, and a parallel encryption/decryption circuit 50413 therein.
A packet sent from the network A 50407 is transmitted to the internal parallel encryption/decryption device 50410 through the network interface A 50404. After recognizing that the received packet is originated from the network A 50407, the internal parallel encryption/decryption device 50410 refers to the secret-key table 50411 to obtain the secret key corresponding to the network A 50407, stores the obtained secret key in the router-key storage area 50412, and decrypts the packet using the parallel encryption/decryption circuit 50413. The internal parallel encryption/decryption device 50410 then transmits the decryption results to the packet exchanger 50403.
The following description assumes that this decrypted packet should be transmitted to the network B. The packet exchanger 50403 transfers the packet to the internal parallel encryption/decryption device 50410. The internal parallel encryption/decryption device 50410 refers to the secret-key table 50411 to obtain the secret key corresponding to the network B 50408, stores the obtained secret key in the router-key storage area 50412, and encrypts the packet using the parallel encryption/decryption circuit 50413. The internal parallel encryption/decryption device 50410 then transmits the encryption results to the network interface B 50405 which, in turn, transmits the received encrypted packet to the network B 50408.
This embodiment is applied to an application used in an environment in which a large quantity of hardware resources are available and which requires cryptocommunications at very high speed. In the CBC mode of the block cipher in which parallel processing is difficult to employ, it is difficult to enhance its processing speed even when a large quantity of hardware resources are available. In contrast, parallel processing is very easy to employ in the present invention (providing a high level of parallel operation) since the pseudorandom number generation process is independent from the plain text and ciphertext processing. That is, the present invention can attain a higher communication speed in the environment in which a large quantity of hardware resources suitable for parallel processing are available.

Claims (37)

1. A symmetric-key encryption method performed in a cryptographic system having input means for inputting at least a message, a secret data, and a parameter opened to the public, and output means for outputting an encrypted data, said encryption method comprising the steps of:
dividing a plain text composed of redundancy data and a message to generate a plurality of plain text blocks each having a predetermined length;
generating a random number sequence based on a secret key;
generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of plain text blocks;
outputting a first feedback value to a second one of said plurality of plain text blocks obtained as a result of an operation on a first one of said plurality of plain text blocks and a first one of said random number blocks;
and performing an encryption operation using said first one of said plurality of plain text blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of plain text blocks, to produce a ciphertext block.
2. The symmetric-key encryption method as claimed in claim 1, wherein said encryption operation uses one or more said random number blocks whose total length is longer than a length of said ciphertext block.
3. The symmetric-key encryption method as claimed in claim 2, wherein said plain text further includes secret data of a predetermined length.
4. The symmetric-key encryption method as claimed in claim 2, wherein said encryption operation performs at least one of a binary operation and a monadic operation using one of said plurality of plain text blocks one or more times according to a predetermined procedure, combines a plurality of obtained ciphertext blocks and outputs the combined plurality of ciphertext blocks as ciphertext.
5. The symmetric-key encryption method as claimed in claim 2, wherein said encryption operation includes multiplication and addition in a finite field.
6. The symmetric-key encryption method as claimed in claim 2, wherein said encryption operation includes a combination of a cyclic shift operation and arithmetic multiplication.
7. The symmetric-key encryption method as claimed in claim 2, wherein said symmetric-key encryption method employs a pseudorandom-number generating means for generating said random number sequence based on said secret key.
8. The symmetric-key encryption method of claim 7, further comprising the steps of:
dividing said message into a plurality of message blocks;
generating a number of random number sequences equal to the number of said plurality of message blocks using said pseudorandom-number generating means; and assigning a first one of said message blocks, and a first one of said random number sequences to a first operation unit;
assigning a second one of said message blocks, and a second one of said random number sequences to a second operation unit; and performing parallel processing by said first and second operation units.
9. A symmetric-key decryption method performed in a cryptographic system having input means for inputting at least a message, an encrypted data, and a parameter opened to the public, and output means for outputting a decrypted data, said decryption method comprising the steps of:
dividing a ciphertext to generate a plurality of ciphertext blocks each having a predetermined length;
generating a random number sequence based on a secret key;
generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of ciphertext blocks;
outputting a first feedback value to a second one of said plurality of ciphertext blocks obtained as a result of an operation on a first one of said plurality of ciphertext blocks and a first one of said random number blocks; and performing a decryption operation using said first one of said plurality of ciphertext blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of ciphertext blocks, to produce a plain text block.
10. The symmetric-key decryption method as claimed in claim 9, wherein said decryption operation uses one or more said random number blocks whose total length is longer than a length of said one of the plurality of ciphertext blocks.
11. The symmetric-key decryption method as claimed in claim 10, further comprising steps of:
concatenating a plurality of said plain text blocks to generate plain text;
extracting redundancy data included in said plain text; and checking said redundancy data to detect whether said ciphertext has been altered.
12. The symmetric-key decryption method as claimed in claim 11, further comprising steps of:
extracting secret data included in said plain text; and checking said redundancy data and said secret data to detect whether said ciphertext has been altered.
13. A symmetric-key encryption apparatus for use in a cryptographic system having input means for inputting at least a message, a secret data, and a parameter opened to the public, and output means for outputting an encrypted data, said encryption apparatus comprising:
a circuit for dividing a plain text composed of redundancy data and a message to generate a plurality of plain text blocks each having a predetermined length;
a circuit for generating a random number sequence based on a secret key;
a circuit for generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of plain text blocks;
a circuit for circuit outputting a first feedback value to a second one of said plurality of plain text blocks obtained as a result of an operation on a first one of said plurality of plain text blocks and a first one of said random number blocks; and a circuit for performing an encryption operation using said first one of said plurality of plain text blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of plain text blocks, to produce a ciphertext block.
14. The symmetric-key encryption apparatus as claimed in claim 13, wherein said encryption operation circuit uses one or more said random number blocks whose total length is longer than a length of said ciphertext block.
15. The symmetric-key encryption apparatus as claimed in claim 14, wherein said plain text further includes secret data of a predetermined length.
16. The symmetric-key encryption apparatus of claim 14, wherein said encryption operation circuit includes:
a circuit for performing at least one of a binary operation and a monadic operation using one of said plurality of plain text blocks one or more times according to a predetermined procedure; and a circuit for combining a plurality of obtained ciphertext blocks, and outputting the combined plurality of ciphertext blocks as ciphertext.
17. The symmetric-key encryption apparatus as claimed in claim 14, wherein said encryption operation circuit performs multiplication and addition in a finite field.
18. The symmetric-key encryption apparatus as claimed in claim 14, wherein said encryption operation circuit includes a cyclic shift operation circuit and an arithmetic multiplication circuit.
19. The symmetric-key encryption apparatus as claimed in claim 14, further comprising: a pseudorandom-number generator for generating said random number sequence based on said secret key.
20. The symmetric-key encryption apparatus of claim 19, further comprising:
a circuit for dividing said message into a plurality of message blocks;
a circuit for generating a number of random number sequences equal to the number of said plurality of message blocks using said pseudorandom-number generating means; and a circuit for assigning a first one of said message blocks, and a first one of said random number sequences to a first operation unit;
a circuit for assigning a second one of said message blocks, and a second one of said random number sequences to a second operation unit; and a circuit for performing parallel processing by said first and second operation units.
21. A symmetric-key decryption apparatus for use in a cryptographic system having input means for inputting at least a message, an encrypted data, and a parameter opened to the public, and output means for outputting a decrypted data, said decryption apparatus comprising:
a circuit for dividing a ciphertext to generate a plurality of ciphertext blocks each having a predetermined length;
a circuit for generating a random number sequence based on a secret key;
a circuit for generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of ciphertext blocks;

a circuit for outputting a first feedback value to a second one of said plurality of ciphertext blocks obtained as a result of an operation on a first one of said plurality of ciphertext blocks and a first one of said random number blocks; and a circuit for performing a decryption operation using said first one of said plurality of ciphertext blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of ciphertext blocks, to produce a plain text block.
22. The symmetric-key decryption apparatus as claimed in claim 21, wherein said decryption operation circuit uses one or more said random number blocks whose total length is longer than a length of said one of the plurality of ciphertext blocks.
23. The symmetric-key decryption apparatus as claimed in claim 22, further comprising:
a circuit for concatenating a plurality of said plain text blocks to generate plain text;
a circuit for extracting redundancy data included in said plain text; and a circuit for checking said redundancy data to detect whether said ciphertext has been altered.
24. The symmetric-key decryption apparatus as claimed in claim 23, further comprising: a circuit for extracting secret data included in said plain text, wherein said circuit for detecting whether said ciphertext has been altered checks said secret data and said redundancy data to detect whether said ciphertext has been altered.
25. A computer-readable recording medium having recorded thereon statements and instructions for use in the execution in a computer of said symmetric-key encryption method of claim 1.
26. The medium storing a program as claimed in claim 25, wherein said encryption operation uses one or more said random number block whose total length is longer than a length of said ciphertext block.
27. The medium storing a program as claimed in claim 26, wherein said plain text further includes secret data of a predetermined length.
28. The medium of claim 26, wherein said encryption operation performs at least one of a binary operation and a monadic operation using one of said plurality of plain text blocks one or more times according to a predetermined procedure, combines a plurality of obtained ciphertext blocks, and outputs the combined plurality of ciphertext blocks as ciphertext.
29. The medium storing a program as claimed in claim 26, wherein said encryption operation includes multiplication and addition in a finite field.
30. The medium storing a program as claimed in claim 26, wherein said encryption operation includes a cyclic shift operation and arithmetic multiplication.
31. The medium storing a program as claimed in claim 26, wherein said symmetric-key encryption method further comprises a step of: generating pseudorandom numbers to generate said random number sequence based on said secret key.
32. The medium of claim 31, wherein said symmetric-key encryption method further comprises the steps of:
dividing said message into a plurality of message blocks;
generating a number of random number sequences equal to the number of said plurality of message blocks using said pseudorandom-number generating means; and assigning a first one of said message blocks, and a first one of said random number sequences to a first operation unit;
assigning a second one of said message blocks, and a second one of said random number sequences to a second operation unit; and performing parallel processing by said first and second operation units.
33. A computer-readable recording medium having recorded thereon, statements and instructions for use in the execution in a computer of said symmetric-key decryption method of claim 9.
34. The medium storing a program as claimed in claim 33, wherein said decryption operation uses one or more said random number blocks whose total length is longer than a length of said one of the plurality of ciphertext blocks.
35. The medium of claim 34, wherein said symmetric-key decryption method further comprises the steps of:
concatenating a plurality of said plain text blocks to generate plain text;
extracting redundancy data included in said plain text; and checking said redundancy data to detect whether said ciphertext has been altered.
36. The medium of claim 35, wherein said symmetric-key decryption method further comprises the steps of:
extracting secret data included in said plain text; and
checking said redundancy data and said secret data to detect whether said ciphertext has been altered.
37. A computer program product, comprising: a memory having computer-readable code embodied therein for implementing a symmetric-key encryption method performed in a cryptographic system having input means for inputting at least a message, a secret data, and a parameter opened to the public, and output means for outputting an encrypted data, said computer program product comprising:
code means for dividing a plain text composed of redundancy data and a message to generate a plurality of plain text blocks each having a predetermined length;
code means for generating a random number sequence based on a secret key;
code means for generating a plurality of random number blocks from said random number sequence, each of said random number blocks corresponding to one of said plurality of plain text blocks;
code means for outputting a first feedback value to a second one of said plurality of plain text blocks obtained as a result of an operation on a first one of said plurality of plain text blocks and a first one of said random number blocks; and
code means for performing an encryption operation using said first one of said plurality of plain text blocks, said first one of said random number blocks, and a second feedback value obtained as a result of an operation on a third one of the plurality of plain text blocks, to produce a ciphertext block.
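The structure recited in claims 34 to 37 (plain text built from a message plus redundancy data, key-derived random number blocks, a feedback value chained between blocks, and a redundancy check on decryption) can be sketched as follows. This is an added illustration, not code from the patent: the 8-byte block, SHAKE-256 as the pseudorandom generator, the XOR and GF(2^64) multiplication operations, the padding, and all function names are assumptions, since the claims do not fix them.

```python
import hashlib
import hmac

BLOCK = 8                    # assumed block length in bytes
MASK = (1 << 64) - 1
POLY = 0x1B                  # x^64 + x^4 + x^3 + x + 1, irreducible over GF(2)
REDUNDANCY = bytes(BLOCK)    # assumed fixed redundancy data, placed last

def gf_mul(a, b):
    """Multiply two elements of GF(2^64)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:
            a = (a & MASK) ^ POLY
    return r

def gf_inv(a):
    """Inverse of a nonzero element: a^(2^64 - 2)."""
    r, e = 1, (1 << 64) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def random_blocks(key, public_param, n):
    """Two random number blocks (A_i, B_i) per text block, so their total
    length exceeds one ciphertext block (claim 34). B_i is forced nonzero."""
    s = hashlib.shake_256(key + public_param).digest(2 * BLOCK * n)
    w = [int.from_bytes(s[i:i + BLOCK], "big") for i in range(0, len(s), BLOCK)]
    return [(w[2 * i], w[2 * i + 1] or 1) for i in range(n)]

def encrypt(key, public_param, message):
    plain = message + b"\x80" + bytes(-(len(message) + 1) % BLOCK) + REDUNDANCY
    out, feedback = [], 0
    for i, (a, b) in enumerate(random_blocks(key, public_param, len(plain) // BLOCK)):
        f = int.from_bytes(plain[i * BLOCK:(i + 1) * BLOCK], "big") ^ a
        out.append((gf_mul(f, b) ^ feedback).to_bytes(BLOCK, "big"))
        feedback = f             # feedback value handed to the next block
    return b"".join(out)

def decrypt(key, public_param, ciphertext):
    """Return the message, or None if the redundancy check fails."""
    if not ciphertext or len(ciphertext) % BLOCK:
        return None
    plain, feedback = b"", 0
    for i, (a, b) in enumerate(random_blocks(key, public_param, len(ciphertext) // BLOCK)):
        c = int.from_bytes(ciphertext[i * BLOCK:(i + 1) * BLOCK], "big")
        feedback = gf_mul(c ^ feedback, gf_inv(b))
        plain += (feedback ^ a).to_bytes(BLOCK, "big")
    body = plain[:-BLOCK].rstrip(b"\x00")
    if not hmac.compare_digest(plain[-BLOCK:], REDUNDANCY) or not body.endswith(b"\x80"):
        return None              # ciphertext has been altered
    return body[:-1]
```

Because each feedback value depends on every earlier ciphertext block, a change to any single block propagates to the final block and breaks the redundancy comparison there.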
CA002337306A 2000-03-09 2001-02-15 Method and apparatus for symmetric-key encryption Expired - Fee Related CA2337306C (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2000070994 2000-03-09
JP2000-070994 2000-03-09
JP2000-210690 2000-07-06
JP2000210690A JP3864675B2 (en) 2000-03-09 2000-07-06 Common key encryption device

Publications (2)

Publication Number Publication Date
CA2337306A1 CA2337306A1 (en) 2001-09-09
CA2337306C true CA2337306C (en) 2004-05-25

Family

ID=26587471

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002337306A Expired - Fee Related CA2337306C (en) 2000-03-09 2001-02-15 Method and apparatus for symmetric-key encryption

Country Status (4)

Country Link
US (3) US7110545B2 (en)
EP (1) EP1133099A3 (en)
JP (1) JP3864675B2 (en)
CA (1) CA2337306C (en)

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5870474A (en) * 1995-12-04 1999-02-09 Scientific-Atlanta, Inc. Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers
JP2541113B2 (en) 1993-07-14 1996-10-09 日本電気株式会社 Pre-encryption processing device and post-decryption processing device in cipher chain
JPH09160490A (en) 1995-12-06 1997-06-20 Shinu Ko Method and apparatus for concealment and decoding of information by digital chaos signal
US6708273B1 (en) * 1997-09-16 2004-03-16 Safenet, Inc. Apparatus and method for implementing IPSEC transforms within an integrated circuit
JPH11161162A (en) 1997-11-27 1999-06-18 Hitachi Ltd Ciphering method or deciphering method, and device using the method
US6189095B1 (en) * 1998-06-05 2001-02-13 International Business Machines Corporation Symmetric block cipher using multiple stages with modified type-1 and type-3 feistel networks
US6351539B1 (en) * 1998-09-18 2002-02-26 Integrated Device Technology, Inc. Cipher mixer with random number generator
US6345101B1 (en) * 1998-10-07 2002-02-05 Jayant Shukla Cryptographic method and apparatus for data communication and storage
WO2001039429A1 (en) * 1999-11-22 2001-05-31 Intel Corporation Integrity check values (icv) based on pseudorandom binary matrices
WO2001056221A2 (en) * 2000-01-31 2001-08-02 Vdg Inc. Block encryption method and schemes for data confidentiality and integrity protection
JP3864675B2 (en) 2000-03-09 2007-01-10 株式会社日立製作所 Common key encryption device

Also Published As

Publication number Publication date
EP1133099A3 (en) 2004-02-11
US20010021254A1 (en) 2001-09-13
EP1133099A2 (en) 2001-09-12
CA2337306A1 (en) 2001-09-09
JP3864675B2 (en) 2007-01-10
US7110545B2 (en) 2006-09-19
US20010021253A1 (en) 2001-09-13
US7200232B2 (en) 2007-04-03
US7359515B2 (en) 2008-04-15
JP2001324925A (en) 2001-11-22
US20070064944A1 (en) 2007-03-22

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed