RU2186467C2 - Method for iterative block encryption - Google Patents

Abstract

FIELD: electric communications and computer engineering; data encryption. SUBSTANCE: method involves generation of private key in the form of aggregate of sub-keys, division of data block into two sub- blocks, and execution of R≥ encryption rounds each involving conversion of first sub-block by execution of sequence of L₁, L₂,...,L_n operations, and conversion of second sub-block by execution sequence of H₁, H₂,..., H_n, operations, where n≥1, controlled operation being used as 1≤i≤n operation for at least one value of i, where H_i and controlled operation as 1≤j≤n, for at least one value of j, where L_j; used as H_i operation is controlled operation ; control vector is shaped prior to executing L_j operation depending on first sub- block and control vector is shaped prior to executing L₁ operation depending on second sub-block; in addition one of sub-keys is used during execution of at least one of L₂,..., L_n, H₁, H₂,..., H_n operations, sub-blocks being re- arranged upon execution of L_n and H_n operations during each encryption round; sub-blocks are additionally re-arranged and operations reverse to H_i ones, where j = n i + 1, are used at least as n operations of L_j, where i = 1, 2, ..., n. EFFECT: enhanced encryption stability. 4 cl, 4 dwg

Description

 The invention relates to the field of telecommunications and computer technology, and more particularly to the field of encryption methods and cryptographic devices for protecting information transmitted through communication channels or stored in computer systems.

In the aggregate of the features of the proposed method, the following terms are used:
- the secret key is binary information known only to a legitimate user;
- subkey - part of the secret key;
- encryption is the process of converting information that depends on the secret key and converts the source text into ciphertext (cryptogram), which is a pseudo-random sequence of characters from which obtaining information without knowing the secret key is practically impossible;
- decryption is the reverse process of encryption; decryption provides recovery of information from the cryptogram with the knowledge of the secret key;
- the cipher is a set of elementary steps for converting input data using a secret key; the cipher can be implemented as a computer program or as a separate device;
- a binary vector is a sequence of zero and one bits, for example (101101011); a binary vector is interpreted as a binary number, i.e. a binary vector can be matched with a numerical value;
- cryptanalysis - a method of calculating a secret key to obtain unauthorized access to encrypted information;
- cryptographic strength is a measure of the reliability of encrypted information protection and represents the complexity, measured in the number of elementary operations that must be performed to recover information from a cryptogram with knowledge of the conversion algorithm, but without knowledge of the secret key;
- a single operation is an operation performed on a binary vector; the binary vector generated at the output of a unary operation depends only on the input binary vector; examples of single operations are cyclic shift operations;
- two-place operation is an operation performed on two operands; the result of some given two-place operation depends on the value of each operand; examples of double operations are the operations of addition, subtraction, multiplication, etc .;
- the operand is a binary vector over which a two-place or one-place operation is performed;
- a controlled two-place operation is an operation performed on two operands under the control of a binary vector called a control vector; the result of some controlled two-place operation with a fixed control vector depends on the value of each operand, and for fixed values of the operands, on the value of the control vector; examples of the implementation of controlled double operations are described in patent 2140716 [Moldovyan A.A., Moldovyan N.A., Moldovyan P.A. The method of cryptographic conversion of digital data blocks // Patent of the Russian Federation 2140716. IPC ⁶ N 04 L 9/28. Bull. 30 from 10.27.1999]; in the formulas, the controlled two-place operation will be denoted by the record Z: = Q _V (A, B), where A, B are operands, V is the control vector, Z is the binary vector resulting from the execution of the controlled two-place operation Q _V ;
- modification of the controlled two-seater operation - a two-seater operation corresponding to the conversion of two operands with a fixed value of the control vector;
- controlled permutation - this is an operation performed on one operand under the control of a binary vector called a control vector and consisting in the permutation of the bits of the operand depending on the value of the control vector; examples of the implementation of controlled permutations are described in patent 2140714 [Alekseev L.E., Belkin T.G., Moldovyan A.A., Moldovyan N.A. The method of iterative encryption of data blocks // RF Patent 2140714. IPC ⁶ N 04 L 9/20. Bull. 30 from 10.27.1999]; in the formulas, the controlled permutation will be denoted by the record P _V , and the transformation of the operand B by performing a controlled permutation on it, by the record B: = P _V (B), where V is the control vector; controlled permutation is a special case of controlled single operation;
- modification of controlled permutation - a fixed permutation of the bits of the operand corresponding to a given fixed value of the control vector;
- inverse controlled permutation (with respect to some given controlled permutation) is a permutation, all modifications of P ^-1 _{V of} which are inverse with respect to modifications of the permutation P _V , i.e. for any given value of the control vector, the sequential execution of operations P _V and P ^-1 _V on the binary vector B does not change the value of the latter, which can be written analytically in the form
B = P ^-1 _V (P _V (B)) or B = P _V (P ^-1 _V (B));
embodiments of two mutually inverse controlled permutations are described in RF patent 2140714;
is an inverse controlled two-place operation (with respect to some given controlled two-place operation, Q is such a controlled two-place operation (denoted as Q ^-1 ), which for any given value of the control vector V and any given value of the operand B satisfies the condition A = Q ^-1 _V (Z, B) if Z = Q _V (A, B); options for the implementation of two mutually inverse controlled two-place operations are described in [Guts N.D., Moldovyan A.A., Moldovyan N.A. oriented ciphers based on managed adders // Security issues inf 1. S.8-15 rmatsii 2000].;
- the coincidence of the two operations L and H will be denoted by the entry L = H, which means that the operations L and H are the same or equivalent;
- a superposition of operations is a certain resulting operation, which consists in sequentially performing several operations on a given binary vector A; for example, a superposition of operations Q ₁ and Q _{2 is} written as Q ₁ • Q ₂ ; by definition, we have Q ₁ • Q ₂ (A) = Q ₂ (Q ₁ (A)); the superposition of n operations Q ₁ , Q ₂ , ..., Q _{n is} written as
Q ₁ • Q ₂ • ... • Q _n (A) = Q _n (... Q ₂ (Q ₁ (A)));
- identity transformation - a transformation performed on a binary vector and not changing the value of the latter;
- controlled permutation involution is a particular form of the operation of controlled permutation P, for which the controlled permutation inverse to it coincides with it itself, i.e. P ^-1 _V = P _V for all possible values of the control vector; this means that for a controlled permutation involution, the equality B = P _V (P _V (B)) is valid for an arbitrary value of V, an embodiment of a controlled permutation involution is given below in the description of the invention.

 Block iterative encryption methods are known, see, for example, DES cipher [B. Schneier, "Applied Cryptography", Second Eddition, John Wiley & Sons, Inc. New York 1996, pp. 270-277]. In this method, the data is divided into blocks, the encryption of which is performed by generating a secret key, dividing the converted data block into two subunits L and R and alternating the latter by performing bitwise summing operations modulo two over the subunit L and the binary vector, which is formed as the output value some function E on the value of the sub-block R. After this, the sub-blocks are rearranged. Function E in the specified method is implemented by performing permutation and substitution operations performed on the sub-block R. This method has a high conversion speed when implemented in the form of specialized electronic circuits. However, the known analogue method uses a small secret key (56 bits), which makes it vulnerable to cryptanalysis based on key selection. The latter is associated with the high computing power of modern computers.

Another well-known method of block iterative encryption is the method described in the Russian standard for cryptographic data protection [USSR Standard GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic Transformation Algorithm]. This method includes generating an encryption key in the form of a sequence of 8 subkeys 32 bits long, splitting the input information presented as binary code into sections of 64 bit length, forming 64-bit data blocks on their basis, and converting the blocks under the control of the key encryption. Before conversion, each data block is divided into two 32-bit subunits A and B, which are converted one by one by performing 32 rounds of conversion (iterations). One round of conversion is as follows. Using subunit A and one of the subkeys, the 32-bit value of the round function E is calculated and the obtained value E (A) is superimposed on subunit B using the bitwise summing operation modulo two (⊕) in accordance with the formula B: = B⊕E (A) . The calculation of the round function is carried out in accordance with the following transformation steps. A binary vector F is formed from subunit A. The binary vector F is transformed by superimposing on it the current subkey K _i , which is fixed for a given round and called a round subkey, using the addition operation modulo 2 ³² (+) in accordance with the formula F: = ( R + K _i ) mod2 ³² , where 1≤i≤8, after which the substitution operation (F: = S (F)) is performed on the binary vector F, then the operation of cyclic left shift by eleven bits, i.e. by eleven binary digits in the direction of the higher digits (F: = F <<< 11). After each round of encryption, with the exception of the last round, the subblocks are rearranged. The substitution operation is performed as follows. Binary vector F is divided into 8 binary vectors with a length of 4 bits. Each binary vector is replaced by a binary vector from the lookup table. The 8 4-bit vectors selected from the lookup table are combined into a converted 32-bit binary vector F.

 However, the analogue method has drawbacks, namely, substitution operations are performed on binary vectors of small length (4 bits), which creates the prerequisites for attacking this cipher by differential cryptanalysis [B. Schneier, "Applied Cryptography", Second Eddition, John Wiley & Sons, Inc., New York, 1996, pp. 285-290]. Therefore, to ensure high resistance to differential cryptanalysis, a large number of encryption rounds are required, which reduces the encryption performance.

The closest in technical essence to the claimed method of iterative block encryption is the method described in the patent of the Russian Federation 2141729 [Moldovyan A. A., Moldovyan N.A. "Method of cryptographic conversion of binary data blocks" // RF Patent 2141729. IPC ⁶ H 04 L 9/00. Bull. 32 dated 11/20/1999]. The prototype method includes generating a secret key, dividing the data block into two subunits A and B, and converting the subunits under the control of the encryption key by performing 16 rounds of conversion (iterations) on them. Each round includes the conversion of sub-blocks in turn, with at least two operations performed on each of them. In the particular case of the implementation of the prototype method (see example 1 with r = 1 in the description of patent 2141729), one round includes the following conversion steps:
1. Using the bitwise summing operation modulo two (⊕), a subkey K _{1 is} superimposed on subblock A in accordance with the formula A: = A⊕K ₁ , where the “: =” sign denotes the assignment operation.

2. Using the addition operation modulo 2 ³² (+), a sub-block K _{2 is} superimposed on the subblock B in accordance with the formula B: = B + K ₂ .

3. Subblock B is converted in accordance with the expression B: = P _V (B), where P _V is the modification of the controlled permutation, V is the value of the control vector formed depending on the values of the subblock A and subkey K ₃ .

 4. On subunit A, subunit B is superimposed according to the formula A: = A + B.

5. The operation of controlled permutation A is performed over subblock A: = Р _V (A), where V is the value of the control vector formed depending on the values of subblock B and subkey K ₄ .

6. Subblock B is converted in accordance with the formula B: = B⊕A.
However, the prototype method has drawbacks, namely, when it is implemented in the form of electronic cryptographic devices, it is necessary to use two different electronic circuits to perform encryption and decryption, which complicates its implementation.

 The basis of the invention is the task of developing a method of block iterative encryption in which the input data is converted in such a way that the encryption and decryption procedures can be carried out using the same electronic circuit, using subkeys in reverse order when decrypting in relation to the order of use of subkeys with encryption, which simplifies the circuitry implementation.

The problem is achieved in that in an iterative block encryption method, which includes generating a secret key, splitting a data block into two subblocks and performing R≥2 encryption rounds, including alternating subblock conversion, the first subblock being converted by performing a sequence of operations L _{1 on it} , L _2, ..., L _n, and a second sub-block transformation is performed by performing the above sequence it H _1, H ₂ operations, ..., H _n, where n≥1, wherein at least one and as Operations H _i, where 1≤i≤n, and at least as one of the operations L _j, where 1≤j≤n, using controlled operation, the new invention is that after every round of operations L _n and H _n additionally carry out permutation of the subblocks and, as the operations H _i , where i = 1, 2, ..., n, use operations that are inverse to the operations L _j , where j = n-i + 1.

Thanks to this solution, the execution of the sequence of operations L ₁ , L ₂ , ..., L _n and the sequence of operations H ₁ , H ₂ , ..., H _n define the corresponding pairs of mutually inverse transformations, which, due to the permutation of the subblocks after performing the operations H _n and L _n , provides the ability to encrypt and decrypt a data block using the same electronic circuit by inverting the order in which subkeys are used. This simplifies the circuitry implementation of the method of iterative encryption of discrete data blocks.

Also new is that, as the operations H _i and L _j , where 1 _{i i} , _j n n and n 2 2, controlled permutations and controlled two-place operations are used.

 Thanks to this solution, an increase in the strength of encryption is provided.

In addition, it is new that, as the operations H _i and L _j , where 1 _{i i} , _j n n and n 2 2, controlled permutation involutions and controlled double-place operations are used.

 Thanks to this solution, further simplification of the circuitry implementation of the method of block iterative encryption is provided.

 Below the essence of the claimed invention is explained in more detail by examples of its implementation with reference to the accompanying drawings.

A generalized scheme of block iterative encryption based on the proposed method is represented by the structure of the encryption round shown in figure 1, where
A and B are subblocks of the converted data block;
L ₁ , L ₂ , ..., L _n - operations performed on subunit B;
H ₁ , H ₂ , ..., H _n - operations performed on subunit A, and the conversion operations are selected in such a way that for i = 1,2, ..., n the conditions are satisfied
H ₁ = L ^-1 _n , H ₂ = L ^-1 _n-1 , ..., H _i = L ^-1 _{n-i + 1} , ..., H _n = L ^-1 ₁ ,
which is equivalent to fulfilling the conditions
L ₁ = H ^-1 _n , L ₂ = H ^-1 _n-1 , ..., L _i = H ^-1 _{n-i + 1} , ..., L _n = H ^-1 ₁ ;
V 'and V "are the values of the control vector formed depending on the corresponding data subunit;
E ₁ and E ₂ are the operations used to form the control vector.

The transformation scheme shown in figure 1, a, also performs the decryption procedure with a corresponding change in the order of use of the subkeys. The plugins used in the rth round of encryption, for example, plug W _r and K _r , are used for decryption in the (R-r + 1) th round, and if in the encryption round, plug Wr and Kr are used when performing operations H _i and L _{n-i + 1} , respectively, then in the decryption round these subkeys are used when performing operations L _{n-i + 1} and H _i , respectively. Due to this change in the order of use of the subkeys, the same transformation scheme implements both the encryption procedure and the decryption procedure. This can be shown as follows.

преобразованный блок данных (блок шифртекста), т.е. блок данных, поступающий на вход первого раунда дешифрования;

входной блок данных, т.е. блок данных, поступающий на вход первого раунда шифрования;

преобразованное значение блока шифртекста после выполнения над ним r-ого раунда дешифрования;

преобразованное значение исходного блока данных после выполнения над ним r-ого раунда шифрования.We introduce the following notation:

converted data block (ciphertext block), i.e. a data block arriving at the input of the first round of decryption;

input data block, i.e. a block of data entering the first round of encryption;

the transformed value of the ciphertext block after performing the rth decryption round on it;

the transformed value of the original data block after performing the rth round of encryption on it.

а последовательность преобразований блока шифртекста при его дешифровании можно представить в виде

Таким образом, после R раундов дешифрования получаем исходное значение блока данных A $\genfrac{}{}{0ex}{}{\text{(0)}}{\text{1}}$ |B $\genfrac{}{}{0ex}{}{\text{(0)}}{\text{1}}$ = A|B. Рассмотрим конкретные примеры реализации заявляемого способа блочного итеративного шифрования.Given these notations, the relations A ^(R) ₁ = A ⁽⁰⁾ ₀ and B ^(R) ₁ = B ⁽⁰⁾ ₀ hold. The first round of decryption restores the value of the data block after the (R-1) -th round of encryption. Indeed, when decrypting, for example, the subblock B ⁽⁰⁾ ₀ in the first round, such a superposition of operations
L ⁽¹⁾ _{1 (0)} • L ¹ _{2 (0)} • ... • L ⁽¹⁾ _{n (0)} (B ⁽⁰⁾ ₀ ) = B '. (1)
Hereinafter, the upper index of the operation denotes the number of the round at which this operation is performed, and the conversion mode is indicated in parentheses in the lower index: (0) - decryption or (1) - encryption. Note that the subblock B ⁽⁰⁾ ₀ = B ^(R) _{1 is} obtained from the subblock A ^(R-1) ₁ after the last superposition of operations has been performed on the Rth round of encryption
H ^(R) _{1 (1)} • H ^(R) _{2 (1)} • ... • H ^(R) _{n (1)} (A ^(R-1) ₁ ) = B ⁰ ₀ . (2)
Substituting (2) in (1), we obtain
H ^(R) _{1 (1)} • H ^(R) _{2 (1)} • ... • H ^(R) _{i (1)} • ... • H ^(R) _{n-1 (1)} • H ^(R) _{n (1)} • L ⁽¹⁾ _{1 (0)} • L ⁽¹⁾ _{2 (0)} • ... • L ⁽¹⁾ _{n-i + 1 (0)} • ... • L ⁽¹⁾ _{n- 1 (0)} • L ⁽¹⁾ _{n (0)} (A ^(R-1) ₁ ) = B '. (3)
Due to the above change in the order of use of the subkeys and the fact that according to the distinguishing feature of the proposed method of block iterative encryption for the operations H _i and L _{n-i + 1} , the conditions H _i = L _{n-i + 1} are fulfilled for all values i = 1, 2, ..., n, superpositions of the following pairs of operations:
H ^(R) _{n (1)} • L ⁽¹⁾ _{1 (0)} ; H ^(R) _{n-1 (1)} • L ⁽¹⁾ _{2 (0)} ; ... H ^(R) _{i (1)} • L ⁽¹⁾ _{n-i + 1 (0)} ; ... H ^(R) _{2 (1)} • L ⁽¹⁾ _{n-1 (0)} and H ^(R) _{1 (1)} • L ⁽¹⁾ _{n (0)}
define the identity transformation. With this in mind, it follows from (2) that B '= A ₁ ^(R-1) . For the subblock A ₀ ⁽⁰⁾ to be decoded in the first round, in a similar way, we can obtain
A '= H ⁽¹⁾ _{1 (0)} • H ⁽¹⁾ _{2 (0)} • ... • H ⁽¹⁾ _{n-i + 1 (0)} • ... • H ⁽¹⁾ _{n-1 ( 0)} • H ⁽¹⁾ _{n (0)} (A ⁽⁰⁾ ₀ ) = L ^(R) _{1 (1)} • L ^(R) _{2 (1)} ... • L ^(R) _{i (1)} •. .. • L ^(R) _{n-1 (1)} • L ^(R) _{n (1)} • H ⁽¹⁾ _{1 (0)} • H ⁽¹⁾ _{2 (0)} • ... • H ⁽¹⁾ _{n -i + 1 (0)} • ... • H ⁽¹⁾ _{n-1 (0)} • H ⁽¹⁾ _{n (0)} (B ^(R-1) ₁ ) = B ^(R-1) ₁ . (4)
The first round of decryption ends with a permutation of the subunits A 'and B', as a result of which we get A ⁽¹⁾ ₀ = A ^(R-1) ₁ and B ⁽¹⁾ ₀ = B ^(R-1) ₁ . Thus, the first decryption round restores the value of the data subblock after the (R-1) encryption rounds. Similarly, it can be shown that two rounds of decryption restore the value of the data subblock after (R-2) rounds of encryption, and r rounds of decryption (1≤r≤R) restore the value of the subblock after (Rr) rounds of encryption. The sequence of transformations of the input block A | B during encryption can be written as

and the sequence of transformations of the ciphertext block during its decryption can be represented as

Thus, after R rounds of decryption, we obtain the initial value of the data block A $\genfrac{}{}{0ex}{}{\text{(0)}}{\text{1}}$ | B $\genfrac{}{}{0ex}{}{\text{(0)}}{\text{1}}$ = A | B. Consider specific examples of the implementation of the proposed method of block iterative encryption.

 Example 1

This example is shown in FIG. 1b and explains the implementation of the method for the case n = 1. The data block T has a length of 64 bits and is divided into two 32-bit subunits A and B. In FIG. 1, b, the following notation is used:
Q and Q ^-1 are mutually inverse controlled two-place operations performed on 32-bit binary vectors and having a 32-bit control input.

In example 1, a secret key is generated in the form of the following combination of 32-bit round subkeys: K ₁ , K ₂ , ..., K ₁₆ and W ₁ , W ₂ , ..., W ₁₆ . The data block is divided into two subunits A = Тdiv2 ³² and В = Тmod2 ³² . Data block encryption is performed in accordance with the following algorithm:
1. Set the counter for the number of rounds of encryption r: = 1.

2. Using the current value of subblock B as the current value of the control vector V, apply a subkey W _r to subblock A using operation Q: A: = Q _B (A, W _r ).

3. Using the current value of subunit A as the current value of the control vector V, apply a subkey K _r to subunit B using the operation Q ^-1 : B: = Q ^-1 _A (B, K _r ).

 3. Rearrange subunits A and B.

 4. If r <16, then increment the counter of the number of rounds: r: = r + 1. and go to step 2, otherwise STOP.

The cryptogram block C is formed by combining the transformed binary vectors A and B: C = A | B. The cryptogram block is decrypted using the same algorithm, except that in step 2, the K _17-r subkey is used instead of the W _r subkey, and in step 3, the W _17-r subkey is used instead of K _r . Encryption and decryption are performed using the same algorithm, so both of these procedures can be performed using the same electronic circuit.

Example 2. Encryption of a 64-bit data block T
This example is illustrated in figure 2, and corresponds to the case n = 3. In this example, mutually inverse controlled permutations P and P ^-1 with a 32-bit control input are used, as well as controlled two-place operations Q and F and their corresponding inverse controlled two-place operations Q ^-1 and F ^-1 with a 32-bit control input. Encryption in accordance with example 2 is as follows. The secret key is formed in the form of the following combination of 32-bit round subkeys: K ₁ , K ₂ , ..., K ₈ and W ₁ , W ₂ , ..., W ₈ . The data block T is divided into two 32-bit subunits A and B. Then the data block is encrypted in accordance with the following algorithm:
1. Set the counter for the number of rounds of encryption r: = 1.

 2. Using subblock B, form the control vector V: V: = B.

3. Place subkey K _r on sub-block A according to the formula A: = Q _V (A, K _r ).

 4. Using sub-block A, form the control vector V: V: = A.

5. Place sub-block A on sub-block B according to the formula B: = F ^-1 _V (B, A).

 6. Using subblock B, form the control vector V: V: = B.

7. Convert subblock A according to the formula A: = P _V (A).

 8. Using sub-block A, form the control vector V: V: = A.

9. Convert subblock B according to the formula B: = P ^-1 _V (B).

 10. Using subblock B, form the control vector V: V: = B.

11. Place subblock B on subblock A according to the formula A: = F _V (A, B).

 12. Using sub-block A, form the control vector V: V: = A.

13. Place the subkey W _r on the sub block B according to the formula B: = Q ^-1 _V (B, W _r ).

 14. Rearrange subunits A and B.

 15. If r <8, then increment r: = r + 1 and go to step 2, otherwise STOP.

As a result of the algorithm execution, the cryptogram block C = A | B is formed. Decryption of the cryptogram block is carried out using the same algorithm, except that in step 3, the subkey W _{9-r is used} instead of the subkey K _r and in step 13, the subkey K _{9-r is used} instead of the subkey W _r .

 Example 3

This example is illustrated in FIG. 2b, where Q is a controlled two-place operation with a 32-bit control input and Q ^-1 is the corresponding inverse controlled two-place operation. Example 3 corresponds to the case n = 3 and the use of controlled permutation involutions P 'and P ", and operation P' is used as operations H ₁ and L ₃ , and operation P" is used as operations L ₁ and H ₃ . Due to the fact that involution is an operation inverse to itself, the conditions L ₁ = H ^-1 ₃ and L ₃ = H ^-1 ₁ are satisfied.

Encryption in accordance with example 3 is as follows. The secret key is generated in the form of the following set of 32-bit round subkeys: K ₁ , K ₂ , ..., K ₁₆ and W ₁ , W ₂ , ..., W ₁₆ . The data block T is divided into two 32-bit subunits A and B. The encryption of the data block is carried out in accordance with the following algorithm:
1. Set r: = 1.

 2. Using subblock B, form the control vector V: V: = B.

3. Convert subunit A in accordance with the formula A: = P ' _V (A).

 4. Using sub-block A, form the control vector V: V: = A.

5. Convert subblock B in accordance with the formula B: = P " _V (B).

 6. Using subblock B, form the control vector V: V: = B.

7. Place subkey K _r on sub-block A in accordance with the formula
A: = Q _V (A, K _r ).

 8. Using sub-block A, form the control vector V: V: = A.

9. Place subwire W _r on sub-block B in accordance with the formula
B: = Q ^-1 _V (B, W _r ).

 10. Using subblock B, form the control vector V: V: = B.

11. Convert subblock A according to the formula A: = P " _V (A).

 12. Using sub-block A, form the control vector V: V: = A.

13. Convert subblock B according to the formula B: = P ' _V (B).

 14. Rearrange subunits A and B.

 15. If r <16, then increment r: = r + 1 and go to step 2, otherwise STOP.

As a result of the algorithm execution, the cryptogram block C = A | B is formed. Decryption of the cryptogram block is performed using the same algorithm, except that in step 7, the subkey W _{17-r is used} instead of the subkey K _r , and in step 9, the subkey K _{17-r is used} instead of the subkey W _r . Such a change in the order of use of subkeys in electronic circuits can be easily set depending on the setting of the invert bit E, which sets the encryption mode or decryption mode.

 The operation of controlled permutation involution on binary vectors of length 2n is easily constructed on the basis of two parallel operations of controlled permutation on binary vectors of length n. Example 4 below shows a possible implementation of a controlled permutation involution.

 Example 4. Guided permutation involution.

This example is illustrated in Fig. 3, where P is an arbitrary controlled permutation over binary vectors of length n, P ^-1 is a controlled permutation inverse to P, V is a binary vector of length 2n used as a control vector for the operation of controlled permutation involution R*. The same binary vector V serves as a control vector for both operations P and P ^-1 , due to which, for any given value of V, the implemented modifications of these controlled permutations are mutually inverse, i.e., the operation blocks P and P ^-1 for all values of V carry out two parallel mutually inverse permutations P _V and P ^-1 _V. Figure 3, a shows a transformation scheme of a binary vector A of length 2n, which is divided into two n-bit binary vectors A 'and A ", which are respectively converted using operations P and P ^-1 . Their converted n-bit values B' = P _V (A ') and B "= P _V ^-1 (A") are rearranged and combined in accordance with the formula B = B ″ | B ′. The binary vector B of length 2n is the result of the transformation P * _V (A). On figure 3, b shows the conversion of the binary vector C using the operation P * with the same value of the control vector that he had when performing the conversion Nij binary vector A. This results in a source binary vector, i.e. A = P * _V (B). Thus, the relation _{P * V (P * V (} A)) = A, i.e. circuit transformations in figure 3, and defines a controlled permutation involution for any controlled permutation P (while the choice of P uniquely determines the choice of P ^-1 ).

 Example 5

This example is illustrated in figure 4 and corresponds to the implementation of the method for the case n = 2. A feature of this example is the use of the same operation as a pair of mutually inverse operations H ₂ and L ₁ corresponding to each other, where L ₁ = H ^-1 ₂ . As this operation is used summation operation is bitwise modulo two (⊕), which is the inverse of itself, ie. E. The relation Z = A⊕K _r implies the validity of the ratio A = Z⊕K _r. This example also uses two mutually inverse controlled two-place operations Q and Q ^-1 with a 32-bit control input.

Example 5 uses a secret key in the form of a collection of 32-bit round subkeys: K ₁ , K ₂ , ..., K ₁₆ and W ₁ , W ₂ , ..., W ₁₆ . The data block is divided into two 32-bit subunits A and B. The encryption of the data block is carried out in accordance with the following algorithm:
1. Set the counter for the number of rounds of encryption r: = 1.

2. Using the current value of subblock B as the current value of the control vector V, apply a subkey W _r to subblock A using operation Q: A: = Q _B (A, W _r ).

3. Place subkey K _r on subunit A using operation "⊕": A: = A⊕K _r .
4. Place subkey W _r on subblock B using operation "⊕": B: = B⊕W _r .
5. Using the current value of subunit A as the current value of the control vector V, apply a subkey K _r to subunit B using the operation Q ^-1 : B: = Q ^-1 _A (B, K _r ).

 6. Rearrange subunits A and B.

 7. If r <16, then increment the counter of the number of rounds: r: = r + 1. and go to step 2, otherwise STOP.

After completing this, we have the ciphertext block C = A | B. The cryptogram block is decrypted using the same algorithm, except that in steps 2 and 4, the K _17-r subkey is used instead of the W _r subkey, and in steps 3 and 5, the W _17-r subkey is used instead of K _r .

 The above examples show that the proposed method of iterative encryption of discrete data blocks is technically feasible and allows us to solve the problem.

Claims (4)

1. A method of iterative block encryption, which includes generating a secret key in the form of a set of subkeys, splitting a data block into two subunits and performing R≥ rounds of encryption, each of which consists in converting the first subunit by performing a sequence of operations L ₁ , L ₂ , on it. . . , L _n and the conversion of the second subunit by performing a sequence of operations H ₁ , H ₂ , on it. . . , H _n , where n≥1, moreover, for at least one value i, where 1≤i≤n, as the operation H _i use a controlled operation and at least one value j, where 1≤j ≤n, a controlled operation is used as the operation L _j , and before performing the operation H _i , a control vector is formed depending on the first subunit, and before the operation L _j , a control vector is formed depending on the second subunit, in addition, at least , one of the operations L ₁ , L ₂ ,. . . , L _n , H ₁ , H ₂ ,. . . , H _n use one of the subkeys, characterized in that in each round after performing operations L _n and H _n additionally rearrange the sub-blocks and, at least, as n operations H _i , where i = 1, 2,. . . , n, use operations that are inverse with respect to operations L _j , where j = n-i + 1. 2. The method according to p. 1, characterized in that as a controlled operation H _i use a controlled permutation, and as operations L _{n-i + 1} use a controlled permutation, which is the inverse of the operation H _i . 3. The method according to p. 1, characterized in that as the controlled operations H _i and L _{n-i + 1} , where 1≤i≤n, use controlled double operations, as one of the operands of which use one of the subkeys, and the plugs used in operations H _i and L _{n-i + 1} are different. 4. The method according to p. 1, characterized in that as the controlled operations H _i and L _{n-i + 1} , where 1≤i≤n, use controlled permutation involutions.

Images