RU2127024C1 - Encrypting unit - Google Patents

Abstract

FIELD: communication devices, computer engineering, in particular, cryptography. SUBSTANCE: device has W n-bit operation units, which are connected in series (W is not less than 2, n is even integer). Some operation units are designed as adders, others as permutation calculation units. Input of first operation unit serves as information input of device, which output is output of W-th operation unit. One of control inputs is another input of each adder. In addition at least one permutation calculation unit is designed as controlled permutation unit, which control input is connected to either one input of an adder or input of first operation unit. EFFECT: increased reliability of ENCRYPTING. 4 cl, 10 dwg

Description

The invention relates to the field of telecommunications and computer technology, and more particularly to the field of cryptographic methods and devices for encrypting messages (information). In the aggregate of the features of the proposed method, the following terms are used:
- the secret key is a combination of bits known only to a legitimate user;
- the encryption key is a combination of bits used to encrypt information data signals; the encryption key is a removable cipher element and is used to convert a given message or a given set of messages; the encryption key is generated by deterministic procedures for the secret key; in a number of ciphers, the secret key is used directly as the encryption key;
- a cipher is a set of elementary steps for converting input data using a cipher key; the cipher can be implemented as a computer program or as a separate electronic device;
- a subkey is a part of the encryption key used in individual elementary steps of encryption;
- encryption is a process that implements some way of converting data using a cipher key, converting data into a cryptogram, which is a pseudo-random sequence of characters from which obtaining information without knowing the encryption key is practically impossible;
- decryption is the opposite of the encryption process; decryption provides information recovery from the cryptogram with knowledge of the encryption key;
- cryptographic strength is a measure of the reliability of information protection and represents the complexity, measured in the number of elementary operations that must be performed to recover information from the cryptogram with knowledge of the conversion algorithm, but without knowledge of the encryption key.

Known encryption devices made in the form of mechanical machines and electromechanical devices [V. Zhelnikov. Cryptography from papyrus to computer. -M., ABF, 1996, 336 p.]. In addition, electronic encryption devices are known that implement the encryption method described in the Russian standard for cryptographic data protection [USSR Standard GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic Transformation Algorithm]. A device that implements the Russian standard for encryption includes an encryption unit consisting of several operational nodes: an adder modulo 2 ³² , a bit adder modulo 2, an operation unit performing a cyclic left shift of 11 bits, and an operation unit performing a substitution operation.

The closest in technical essence to the claimed encryption block is the encryption block used in the encryption device that implements the encryption method in accordance with the US federal standard DES [National Bureau of Standards. Data Encryption Standard. Federal 1nformation Processing Standards Publication 46, January 1977]. This method includes generating a secret key, dividing the input information, presented in the form of a binary code, into sections of 64 bits in length, forming 64-bit data blocks on their basis and converting the blocks under the control of the secret key. Before the conversion, each data block is divided into two 32-bit subunits L and R, which are converted one by one by performing 16 transform rounds of the same type. One round of conversion consists in performing the operations of expansion, substitution, permutation, and summation modulo 2, realizing the round encryption function over the subunit R, which is written in the form of the formula R: = F (R), where the sign ": =" denotes the assignment operation, F - round encryption function. Each round ends with a permutation of the subunits R and L:
T: = R,
R: = L,
L: = T.

 An encryption device (USH) implementing the DES encryption standard is shown in block diagram form in FIG. 1 and contains a 64-bit information input 1, consisting of two 32-bit information inputs 1.a and 1.b, to which two 32-bit subunits L and R are supplied, a 64-bit output 2, consisting of two 32-bit outputs 2.a and 2.b, from which the converted 32-bit subunits L and R are removed, control input 9, encryption block 3 (BS), round sub-block generation block (BGRP), control unit BU and control bus 10. Encryption block contains 32-bit information input 3, 32-bit output 4, and 80-bit control input 5, consisting of a 32-bit control 5.1 input and 48-bit input 5.2. The information input of the encryption unit 6 is connected to the information input 1.b and the output 2.a of the encryption device. The output of the encryption block 4 is connected to the output 2.b of the encryption device. The control input 5.1 of the encryption unit is connected to input 1. of the encryption device. The control input 5.2 of the encryption block is connected to the output 7 of the round key generation block. The input of the round key generation unit 7 is connected to the control input of the encryption device 8. The round key generation unit contains an input 8 connected to the control input of the encryption device, and an output 7.

The encryption device (Fig. 1) works as follows. A 56-bit key is supplied to the input of the encryption device, which is converted into a sequence of 48-bit round connections K _r , r = 1, 2, ..., 16. For the current rth round, a binary code is set at the output of the round key generation unit, corresponding to the subkey value K _r . The encrypted 64-bit data block B is fed to the input of the encryption device. The high 32 bits of block B, denoted as sub block L, are fed to input 1.a. The lower 32 bits of block B, denoted as sub-block R, are fed to input 1.b. We denote the initial values of the sub-blocks by the index “0”, and their values after the rth round of encryption is completed, by the index “r”. The encryption block in the rth round converts the value of the subunit R _r-1 to the value R _r = F (R _r-1 , K _r ), which depends on the type of function F and the value of the round subkey K _r . The output value of the subblock L in the current round is set equal to the input value of the subblock R. Thus, the encryption device performs the conversion, which can be written using the following iterative formulas:
L _r = R _r-1 , (1)
R _r = F (R _r-1 , L _r-1 , K _r ), (2)
where the calculation of the function F from the value of R _{r-1 is} carried out by the encryption unit depending on the value of L _r-1 supplied to the input 5.1, and the value of K _r supplied to the input 5.2. The control unit synchronizes the operation of the generation block of the round subkey and the encryption block and monitors the number of completed conversion rounds. If the current round number is not 16, then the control unit sends the current values of the subunits L _r and R _r at the output of the encryption device to the input of the encryption device for the next round. The values of L ₁₆ and R ₁₆ constitute the output ciphertext block.

The encryption block is shown in FIG. 2 and contains operational nodes 3.1, 3.2, 3.3, 3.4 and 3.5. The information input of the operation node 3.1 is the information input of the encryption block, and the output of the operation node 3.1 is connected to the input of the operation node 3.2. The output of the operation node 3.2 is connected to the information input of the operation node 3.3, etc. The output of the operational node 3.5 is the output of the encryption block. Operation nodes 3.2 and 3.5 contain control inputs connected to control inputs 5.1 and 5.2, respectively. The operation node 3.1 performs the procedure of expanding the 32-bit data subunit R _r-1 into the 48-bit subunit R '. Operation node 3.2 performs bitwise summing modulo 2 of the value of R 'with subkey K _r and outputs the value R ″ = R′⊕ K _r , where the sign ⊕ denotes the operation of bitwise summation modulo 2. Operation node 3.3 performs the substitution operation over 48 -bit value of R '' and replaces it with a 32-bit value of R '''in accordance with the replacement tables given in the DES encryption standard. The operation node 3.4 performs the permutation of the bits of the binary value R ″ ″ and outputs the converted value R ^* . The operation node 3.5 performs a bitwise summing operation modulo two over the value R ^* supplied to its information input and the value L _r-1 supplied to its control input. The value at the output of the operational node 3.5 R _r = R ^* ⊕ L _r-1 is the value of the function F (R _r-1 , L _r-1 , K _r ) calculated by the encryption unit.

 An encryption device that performs encryption in accordance with the DES standard has a high conversion speed when implemented in the form of specialized electronic circuits.

 However, this device has disadvantages, namely, it does not provide high cryptographic resistance to differential cryptanalysis [Biham E., Shamir A. Differential Cryptanalysis of DES-like Cryptosystems // Journal of Cryptology, 1991, V. 4, No. 1, p. 3-72]. This drawback is due to the fact that all operational nodes perform fixed conversion operations for all converted data blocks.

 The basis of the invention is the task of developing an encryption block that implements transformations depending on the data block being converted, thereby increasing the cryptographic resistance to differential cryptanalysis.

 The problem is achieved in that in an encryption block containing n-bit, where n is an even integer, information input, n-bit output, m-bit control input and W≥2 operating nodes, one-bit information inputs of the first operational node are single-bit information inputs of the encryption block, the single-bit outputs of the Vth, where 1≤V≤W, of the operating node are connected to the single-bit inputs of the (V + 1) -th operating node, the single-bit outputs of the Wth operational node are single-bit outputs of the block encryption, and at least one operational node contains one-bit control inputs connected to one-bit control inputs of the encryption block, new according to the invention is that at least one operational node is made in the form of a node of controlled permutations, one-bit control inputs of which are connected to single-bit inputs encryption block.

 Thanks to this solution, the encryption block performs permutation operations on the data subblock, which depend on the input data block, thereby increasing the encryption resistance to differential cryptanalysis.

 Also new is the fact that the controlled permutation node is made in the form of a matrix of elementary switches, each of which contains a switching circuit, first and second one-bit information inputs, first and second one-bit outputs, and a one-bit control input, and the matrix contains n-1 row, j- i, where j = 1,2,3, ..., n-1, the line contains nj elementary switches, the control single-bit inputs of which are connected to the control single-bit inputs of the node of controlled permutations, the first one-bit information in the path of which is connected to the first single-bit information input of the first elementary switch in the first row of the matrix, the remaining n-1 single-bit information inputs of the managed permutation node are connected bitwise to the second single-bit information inputs of the elementary switches of the first row, the first single-bit information input of the first elementary switch is j-th, where j ≠ 1, lines connected to the second single-bit output of the first elementary switch of the (j-1) -th line, in the j-th, where j ≠ n - 1 line m the first one-bit information input of the i-th, where 1 <i ≤ nj, of the elementary switch is connected to the first single-bit output of the (i-1) -th elementary switch of this row, in the jth, where j ≠ 1 row of the matrix is the second one-bit information input the i-th elementary switch is connected to the second single-bit output of the (i + 1) -th elementary switch of the (j-1) -th line, the first single-bit output of the (nj) -th elementary switch is connected to the jth single-bit output of the controlled permutation node, the second single-digit output switch STUDIO (n-1) th row is connected with the last one-bit output node controlled permutations.

 Thanks to this solution, the node of controlled permutations can implement any of n! possible permutations with the corresponding control signal code.

 Also new is the fact that in each j-th, where j = 1, 2, ..., n / 2, a line of the controlled permutation node is introduced a decoder, the single-bit outputs of which are connected to the single-bit control inputs of elementary switches in the corresponding lines, single-bit inputs the decoders are connected bitwise with single-bit control inputs of the controlled permutation node.

 Thanks to this solution, the number of single-bit control inputs of the controlled permutation node is reduced.

 Below the essence of the claimed invention is explained in more detail by examples of its implementation with reference to the accompanying drawings.

 In FIG. 1 is a block diagram of an encryption device implementing a DES standard encryption method.

 In FIG. 2 schematically shows the structure of an encryption block performing round encryption transformations using the DES standard encryption method.

 In FIG. 3 shows a functional diagram of a managed permutation node.

 In FIG. 4 is a functional diagram of a controlled permutation node using decoders.

 In FIG. 5 a schematic representation of an elementary switch is a block diagram of a controlled permutation node (a), a switching table (b), and a table of designations of external outputs (c).

 In FIG. 6 is a functional diagram of an encryption block including a managed permutation node.

 In FIG. 7 is a block diagram of an encryption device based on the encryption block of Example 1.

 In FIG. 8 is a functional diagram of an encryption block including two nodes of controlled permutations.

 The controlled permutation node represented by the functional diagram in FIG. 3, includes a matrix of elementary switches, which provides switching of a given input and a given output discharge. The functional diagram of the elementary switch (Fig. 4 (a)) is given in the book [A. Kalyaev. Microprocessor systems with programmable architecture. M .: Radio and communications, 1984, p. 219, fig. 6.51]. The truth table and the pinout of the elementary switch are shown in tables (b) and (c) in FIG. 4. Controlled permutations are carried out depending on the values of the control inputs of elementary switches. Each elementary switch provides bitwise or cross-switching of two input information single-bit channels and two output single-bit channels and operates in accordance with the truth table (table (b) in Fig. 4). With a zero value of the control single-bit input (U = 0), bitwise switching of information input and output channels occurs: X1 - Y1 and X2 - Y2; at a single value of the control input (U = 1) there is a cross-switching of information input and output channels X1 - Y2 and X2 - Y1. The elementary switches in the matrix are connected in such a way that the single-bit information inputs il, where l = 1,2, ..., n, of the controlled permutation node are switched with the single-bit outputs ol, where l = 1,2, ..., n, of the node controlled permutations, and the particular switching is determined by the values of the entire set of control one-bit inputs uk of the node of controlled permutations, which are the control one-bit inputs U of elementary switches S. The number of control one-bit inputs of the node of controlled permutations is equal to the number Elementary switches in the matrix and is n (n-1) / 2. Since the number of control single-bit inputs of the managed permutation node is greater than the bit width of the control input of the encryption block, many bits of the control input of the controlled permutation node are connected to one bit of the control input of the encryption block. A particular connection defines a specific dependence of the bit swapping operation performed on the data sub-block R depending on the data sub-block L and subkey K. Thus, each row Lj, where j = 1,2, ..., n-1, of the matrix forms the value of the corresponding single-bit output node managed permutations. The last (n-1) -th line forms the values at the single-bit outputs o. (N-1) and o. n Each row corresponds to a group of one-bit control inputs u.k of the node of controlled permutations. The number of elementary switches in the line L. j is equal to n-j, which sets the number of control single-bit inputs u.k corresponding to this line.

 In order to reduce the number of control single-bit inputs of the controlled permutation node, binary-n-binary decoders Dh can be introduced, where h = 1,2, ..., (n-2) / 2, the single-bit inputs of which are the control single-bit inputs of the controlled permutation node , and the one-bit outputs of which are connected to a group of one-bit control inputs of the corresponding two lines (h-th and (nh) -th lines) of elementary switches (see Fig. 5). The single-bit inputs of the line with the number h are connected bitwise with the n-h outputs of the D.h. decoder. The remaining h single-bit outputs of this decoder are connected bitwise with single-bit control inputs of the (n-h) -th line, the number of which is equal to h. A binary (n / 2) decryptor is introduced into the line with the number n / 2, the n / 2 single-bit outputs of which are connected bitwise to the control single-bit inputs of the corresponding elementary switches of the line with the number n / 2. Depending on the code combination of the values of their single-bit inputs, a single value is set only on one of its single-bit outputs, and on the other outputs it is set to zero. Due to the fact that the number of single-bit inputs of the decoder is significantly less than the number of its single-bit outputs, the number of control single-bit inputs of the node of controlled permutations is significantly reduced. For example, for n = 32, 15 binary-thirty-two-decryptor decoders with a five-bit input and one binary-hexadecimal decoder (with a four-bit input) can be used, the inputs of which make up the 79-bit control input of the controlled permutation node, which is significantly less than the bit capacity of this node without the use of decoders (in the latter case, the number of control single-bit inputs is n (n-1) / 2 = 491).

 Consider specific examples of the implementation of an encryption block using a managed permutation node.

 Example 1

Операционный узел 3.3 выполняет операцию поразрядного суммирования по модулю 2 над n-битовым подблоком данных R'' и n-битовым подблоком данных L_r-1, вырабатывая на выходе n-разрядное значение R_r = R″⊕ L_r-1. Последовательное выполнение операций, задаваемых узлами 3.1, 3.2 и 3.3, определяет раундовую функцию шифрования
R_r = F(R_r-1,L_r-1,K_r),
которая осуществляется устройством шифрования Q раз, где Q - число раундов преобразования. Данный блок шифрования может быть использован, например, в составе устройства, показанного на фиг. 7, где использованы обозначения такие же, как и для фиг. 1. В этом случае шифрование осуществляется в соответствии со следующими итеративными соотношениями:
R_r = L_r-1
L_r = F(R_r-1,L_r-1,K_r).This example is illustrated in FIG. 6, which shows a functional diagram of an encryption block with one managed permutation node P. The encryption block includes operational nodes 3.1, 3.2, and 3.3. The operation node 3.1 performs a modulo 2 "summation operation on the n-bit data sub-block R _r-1 and the round n-bit sub-block K _r , generating an n-bit data sub-block R '= (R _r-1 + K _r ) mod 2 ⁿ . The operation node 3.2 performs the operation of the permutation of the bits of the n-bit data subunit R 'depending on the value of the data subunit L _r-1 , generating an output subunit

The operation node 3.3 performs the operation of bitwise summation modulo 2 over the n-bit data subunit R ″ and the n-bit data subunit L _r-1 , generating an n-bit value R _r = R ″ ⊕ L _r-1 at the output. The sequential execution of operations specified by nodes 3.1, 3.2 and 3.3 determines the round encryption function
R _r = F (R _r-1 , L _r-1 , K _r ),
which is carried out by the encryption device Q times, where Q is the number of conversion rounds. This encryption block can be used, for example, as part of the device shown in FIG. 7, where the notation used is the same as for FIG. 1. In this case, encryption is carried out in accordance with the following iterative relationships:
R _r = L _r-1
L _r = F (R _r-1 , L _r-1 , K _r ).

 Example 2

R″ = R′⊕ K_r,

R_r = (R'''+L_r-1)mod2ⁿ
Блок шифрования, рассмотренный в примере 2 может быть использован, например, в составе устройства шифрования, показанного на фиг. 1 и осуществляющего шифрование в соответствии с итеративными соотношениями (1) и (2).This example implementation of an encryption block is shown in FIG. 8, where the operation node 3.1 performs the permutation of the bits of the data sub-block R _r-1 depending on the value of the round subkey K _r , the operation node 3.2 is a bitwise adder modulo 2, the operation node 3.3 is the managed permutation node depending on the value of the sub-block R _r-1 , operating unit 3.4 is an adder modulo 2 ⁿ . The round encryption function R _r = F (R _r-1 , L _r-1 , K _r ) defined by the encryption block shown in FIG. 7 is described by the following sequence of transformations:

R ″ = R′⊕ K _r ,

R _r = (R '''+ L _r-1 ) mod2 ⁿ
The encryption block described in Example 2 can be used, for example, as part of the encryption device shown in FIG. 1 and performing encryption in accordance with the iterative relations (1) and (2).

 The above examples show that the proposed encryption block is technically feasible and allows you to solve the problem.

 The inventive encryption block can be implemented, for example, in specialized cryptographic microprocessors providing an encryption speed of up to 1 Gbit / s, sufficient for real-time encryption of data transmitted via high-speed fiber-optic communication channels.

Claims (4)

 1. An encryption block containing W ≥ 2 n-bit, where n is an even natural number of consecutively connected operating nodes, some of which are made in the form of adders, and others are in the form of permutation nodes, the input of the first operational node being the information input of the block encryption, the output of the Wth operational node is the output of the encryption block, the other input of each of the adders is one of the control inputs of the encryption block, characterized in that at least one permutation node is made in the form of a control node th permutation control input of which is connected to one input of one of the adders.  2. An encryption block containing W ≥ 2 n-bit, where n is an even natural number of operating nodes connected in series, some of which are made in the form of adders, and others are in the form of permutation nodes, the input of the first operational node being the information input of the block encryption, the output of the Wth operational node is the output of the encryption block, the other input of each of the adders is one of the control inputs of the encryption block, characterized in that at least one permutation node is made in the form of a control node th permutation control input of which is connected to the input of the first operational unit.  3. The encryption block according to claim 1 or 2, characterized in that the controlled permutation node is made in the form of a matrix of elementary switches containing n - 1 row, j-th, where j = 1, 2, 3, ..., n - 1, the line contains n - j elementary switches, the single-bit control inputs of which are the single-bit control inputs of the controlled permutation node, the first single-bit information input of which is the first single-bit information input of the first elementary switch of the first line, the remaining n - 1 single-bit information of the inputs of the controlled permutation node are the second one-bit information inputs of the elementary switches of the first row, the first one-bit information input of the first elementary switch of the jth, where j ≠ 1, the line is the second one-bit output of the first elementary switch of the (j - 1) -th line, the first one-bit information input of the i-th, where 1 <i ≤ n - j, of the elementary switch j-th, where j ≠ n - 1, of the line is the first single-bit output of the (i - 1) -th elementary switch of this line, the second one bit information input of the i-th elementary switch j-th, where j ≠ 1, the line is the second single-bit output of the (i + 1) -th elementary switch (j - 1) -th line, the first one-bit output of the (n - j) -th the j-th row elementary switch is the j-th single-bit output of the controlled permutation node, the second one-bit output of the (n - 1) -th row switch is the n-th single-bit output of the controlled permutation node.  4. The encryption block according to claim 1, characterized in that in each j-th, where j = 1, 2, ..., n / 2, a line of the controlled permutation node is introduced a decoder, the one-bit outputs of which are single-bit control inputs of elementary switches in the corresponding lines, the single-bit inputs of the decoders are single-bit control inputs of the node of controlled permutations.

Images