FR2920617A1 - GENERATOR AND PROCESS FOR GENERATING A PSEUDO-RANDOM SECRET KEY FUNCTION. - Google Patents

Abstract

The invention relates to a pseudo-random function generator with secret key K from an input block of m bits to an output block of n bits using a determined number alpha of cryptographic schemes Phi1 (m1, n1), .. ., Phii (mi, ni), ..., Phialpha (malpha, nalpha) nested in layers according to a recursive structure, each current cryptographic scheme Phii (mi, ni) associating at mi input bits nor output bits into one number of turns ri, each turn using an internal elementary function f <(i)> built from ti cryptographic schemes Phii + 1 (mi + 1, ni + 1) from ni + 1 bits to mi + 1 bits, with ni +1 <Ni, mi + 1 <Mi and ti> = 1, each cryptographic scheme Phii (mi, ni) defining a minimum number of operations comp (mi, ni, ri), depending on said number of turns ri, necessary for distinguish it from a random function associating mid input bits nor output bits, the generator comprising calculation means (7) for calculating, for each cryptographic scheme Phii (mi, ni), said number of turns ri so that said number of operations comp (mi, ni, ri) associated with it is greater than or equal to a predetermined number 2 <c>, c being an integer.

Description

Title of the invention Generator and method for generating a pseudo-random function with a secret key.

Technical Field of the Invention The invention relates to the field of generating pseudo-random functions for which there is proof which links their security to the complexity of the best attacks for very simple schemes to analyze. In particular, the invention relates to the field of symmetric cryptography, and relates to a block ciphering method. In particular, the invention finds a very advantageous application in that it allows symmetric encryption / decryption having a high degree of security and ensuring a simple and efficient implementation in hardware and software. Note that, symmetric encryption is widely used in all types of communications, such as mobile communications, the Internet, smart cards, etc.

Background of the invention In symmetric cryptography, the sender and the recipient of an encrypted data exchange must share, prior to any exchange, the knowledge of a secret key K Encryption and decryption algorithms configured by the key K respectively allow the sender to transform a clear message into a cryptogram and the recipient to recover the clear message from the cryptogram. Block cipher, along with stream cipher, is one of the two main methods of symmetric encryption. With the secret key K, a block cipher algorithm associates an ciphering function, that is to say, a one-to-one transformation EK of the set .fi ') 1 In clac tin, hl'FC farta mnnf etreNIA. . "LL. 4 1.., - 1 I l IL / Lw., R I ,,, I 1 L U1UL-D. R OR 1 LI IIi 1 1 Z1 Ul 1 clear message M of any length, you can chain calls to the EK function according to different operating modes, There are many known block cipher algorithms, for example Data Encryption Standard (DES), Advanced Encryption Standard (AES), MISTY, RC6, MEA, etc. Mathematically , these block cipher algorithms constitute pseudo-random permutation generators, that is to say that with a relatively short key they associate a permutation of the set of blocks of n bits such that if the key is chosen randomly, the permutation obtained is difficult to distinguish from a truly random permutation. ator of pseudo-random permutations is that of generator of pseudo-random functions of n bits towards n bits (where m is an integer equal or not equal to n) difficult to distinguish from functions of n bits towards m perfectly random bits. A pseudo-random function generator can be used according to various operating modes for the construction of cryptographic algorithms and in particular of block cipher, message authentication, or stream cipher algorithms.

The most widely used and recognized existing block cipher algorithms, such as AES and DES, operate on keys consisting of a relatively short binary word and having no particular structure. Thus, for example, the secret keys of the DES consist of words of length 56 bits, those of the AES of words of length of 128, 192 or 256 bits. There are a few rare block algorithms operating on keys having a particular structure which uses 8 secret permutations of the set 0, .., 255j of bytes, but there is no mathematical argument allowing to establish a greater confidence. in the security of these algorithms than in those whose key consists of words of sufficient length, for example 128 bits.

We con if, .., habituellenc r, r, r, l '41 Oit, r duc t.JLJLAI UI 1 ciijvl IL! I! I IU pal blocks (or more generally a generator of functions or pseudo-random permutations) is safe, it must be impossible, given the limitation of the computing resources likely to be available in the years or decades to come, to an adversary having an arbitrary number N of "black box" access to the encryption and / or decryption functions associated with an unknown secret key K, to carry out one of the following types of attack: reconstitute the key secret K; -more generally, predict a new pair of clear-encrypted messages (X, Y) satisfying Y = EK (X) distinct from the N pairs of clear-encrypted messages (X, Yi) resulting from the N accesses of the adversary to the functions of encryption and / or decryption; -more generally still, to distinguish with a non-negligible probability of success a function EK associated with a random key K from a perfectly random permutation of the set {M} "of blocks of n bits, this by means of an algorithm of test using the result of the N black box accesses to the function and / or its inverse This constitutes the most general definition of the security of an algorithm in the sense that guarding against this type of attack ensures absolute security of the algorithm from a mathematical point of view (ie excluding attacks by hidden channels, etc.). It is generally accepted that the computing resources likely to be implemented, currently or in the years to come, by any adversary (including a coalition of millions of Internet users) are strictly less than 280 elementary operations. Currently, in public key cryptography, we speak of "security evidence", "partial security evidence" or "security evidence reduct ionnists "of a diagram when we have been able to reduce in a proven way the security of this diagram to the resolution of a problem deemed difficult. The most classic problems known to be difficult which are used to date in public key cryptography are the problem of factorization of integers the problem of the discrete logarithm on various finite groups. As opposed to the situation in the field of public key cryptography, the security of known block algorithms, including those considered to be the most secure such as AES, rests in the current state of knowledge on very empirical foundations. For no known block algorithm, there are no mathematical arguments available allowing a lower bound to be established on the complexity of attacks of one of the types described above. The main types of arguments on which is based the confidence that one can have in the security of algorithms considered to be the most secure are the following - no known attack of complexity lower than the desired level of security, for example of complexity less than 280 or less than 2 /, where / K / is the length of the keys of the algorithm expressed in bits; - provable resistance to particular attack methods, for example resistance to differential cryptanalysis and linear cryptanalysis; -finally, in the case of certain algorithms such as DES, the existence of 20 proofs of resistance to the most general type of attack mentioned above in the security model known as Luby and Rackoff in which certain components are replaced of the real algorithm (for example the key-dependent functions used in the different rounds) by perfectly random ideal functions. Although this type of proof does not provide a lower bound on the complexity of attacks against the real algorithm, it can be taken as an assurance that the general structure of the algorithm (for example the use of the so-called Feistel in the case of DES) does not present any intrinsic weakness defect 30 In particular, it is described in the document "Efficient metric-Key 0; ohers Based on an NP-Comp / ete Sub, oroblem" by Matt Rla7cs mtrinrifhmm encryption key knows iiiit Ci 1,1 se r "#e This ClIMOI ILI Hi built from several nested Feistel schemes in layers. Each Feistel Fi scheme associates with neither input bits nor output bits in an identical number of turns which is equal to 4 for each nested Feistel Fi scheme. However, this algorithm was cryptanalyzed by an attack on the Feistel scheme belonging to the upper layer of the nesting. It was demonstrated in the documents "Generic Attacks on Feistel Schemes "and" Security of Rando m Feistel Schemes with 5 or more Rounds "of 3. Patarin that to avoid this attack, it is necessary that the Feistel Scheme of the upper layer of the nesting associates with neither input bits nor output bits in at least 6 turns. More particularly, this document ("Security of Random Feistel Schemes with 5 or more Rounds") describes an attack on Feistel schemes with 5 turns in 2 'operations, which for the case of Feistel schemes with 64 input bits gives an attack in 2 <280. Thus, it takes at least 6 turns. However, even taking a number of turns equal to 6 for the Feistel scheme belonging to the upper layer, there is no guarantee that this type of algorithm will remain resistant to future attacks.

Also, taking this same number of turns for Feistel schemes belonging to lower layers, there could still be attacks on these schemes, then destroying the security of the whole algorithm. Thus, none of the known methods of stiff encryption of a block algorithm (and more generally no algorithm for generating functions or pseudo-random permutations) reconciles the following two conditions: 1 °) the existence of mathematical arguments allowing to support the conjecture that even when using the algorithm beyond the uniqueness distance defined by Shannon, there is no replisable attack in less than 2 'operations, where c is a number large enough to ensure strong security of the algorithm (for example greater than or equal to 80). 2) the existence of software implementations of speed close to that of the currently most used block algorithms, such as AES or DES requiring realistic computing resources, time, memory, etc.),

Ob 'and summary of the invention The present invention relates to a method for generating a pseudo-random function with a secret key K from an input block of m bits to an output block of n bits using a determined number (x of cryptographic schemes Oc ,, (ma, n) nested in layers according to a recursive structure, each current cryptographic scheme 01 (ml, nd associating with m, input bits nor output bits in a number of turns ri, each turn using an internal elementary function i constructed from cryptographic schemes of '7 / .0.1 bits to mi + l bits, with <<mi and ti 1, each cryptographic scheme (1), (mi, ni) defining a minimum number of operations cornp (mi, n ,, r,), depending on said number of turns r ,, necessary to distinguish it from a random function associating at mi input bits nor output bits, for each cryptographic scheme 0, (m, , n,) said number of turns r, being chosen so that said number of camp operations (m ,, n ,,) associated with it or greater than or equal to a predetermined number, e being an integer. Thus, by modulating the number of turns, a proof of security is provided for each of the cryptographic schemes and therefore for the entire process for generating the pseudo-random function. Thus, the best known attacks for distinguishing each cryptographic scheme from a random function require a number of calculation steps greater than or equal to the predetermined number 2c which can be chosen to be very large. Advantageously, said determined number (x of cryptographic schemes is chosen such that the most internal elementary functions fa) constituting the cryptographic schemes ma) of the innermost layer are random functions defining a minimum size of said secret key. Thus, the pseudo-random function generation method is highly efficient with a secret key of reasonable size. Advantageously, said predetermined number 2c is equal to 280. Thus, the pseudo-random function generation method cannot be distinguished from a random function associating with m input bits n output bits in less than 280 steps of calculation, which is the current security standard. According to a feature of the present invention, said cryptographic schemes (1) .i (mi, ni), ..., Oa (ma, na) correspond to cryptographic permutation schemes 111 (ni), ...,, Ila (na), each cryptographic permutation 17i (nd implementing a permutation of the blocks of ni bits. Thus, the pseudo-random function generation method can be implemented using cryptographic permutation schemes which are more numerous and better. studied than cryptographic schemes performing non-bijective functions. Thus, the pseudo-random function generation method can be used to perform secret-key encryption in a simple and secure manner. Advantageously, said cryptographic permutation schemes 111 (ni) , ..., 171 (ni), ... 17a (na) correspond to symmetrical Feistel schemes FI (ni), ..., Fi (ni) ,., Fa.

Thus, the pseudo-random function generation process can be implemented very efficiently, the Feistel schemes being well studied and simple to perform. For each symmetric Feistel scheme F, (n,) said number of turns r1 depends on the number of bits n, and on said integer number e according to an inequality defined by r ,. 2c./n,+4, Thus, the pseudo-random function generation method cannot be distinguished from a random permutation of blocks of n bits using known attacks. The invention also relates to a method of pseudo-random encryption with a secret key K from an input block of m bits to an output block of n bits using the method for generating a pseudo-random function according to any one of the characteristics. above. The invention is also aimed at a pseudo-random function generator with a secret key K from an input block of m bits to an output block of n bits using a determined number oz of cryptographic schemes 1) 1 'ni) Y '' There are (ma, na) nested in layers according to a recursive structure, each current cryptographic scheme 01 (min associating at mi input bits nor output bits in a number of turns 20 each turn using an internal elementary function constructed from from t1 cryptographic schemes Oi.ii (m, + l, ni + l) from bits to mi, il bits, with ni.i.1 <ni, mi 1 <m, and t ,. 1, each cryptographic scheme 0 , (mi, ni) defining a minimum number of operations comp (m ,, n1, r1), depending on said number of turns ri, necessary to distinguish it from a random function associating with m, input bits n, output bits, the generator comprising calculation means for calculating, for each cryptographic scheme, said number of turns r, so that said number of operations comp ( m ,, n ,, ri) which is associated with it is greater than or equal to a predetermined number c being an integer, the invention also relates to a device d.-r-t + ni% el 1i111'gr 1 1 .1, trt1 II, 1.10esUUU- random secret key K from an input block of m bits to an output block of n bits, the device comprising a pseudo-random function generator according to the above characteristics.

The invention also relates to a computer program which can be downloaded from a communication network and / or stored on a medium readable by a computer and / or executable by a microprocessor, the program comprising code instructions for the execution of the steps of the process. generating pseudo-random functions according to at least any one of the above characteristics, when executed on a computer. The invention also provides a computer program which can be downloaded from a communication network and / or stored on a medium readable by a computer and / or executable by a microprocessor, the program comprising code instructions for the execution of the steps of the encryption method. according to the above characteristics, when executed on a computer.

Brief description of the drawings Other features and advantages of the invention will emerge on reading the description given below, by way of indication but not by way of limitation, with reference to the appended drawings, in which: FIG. 1 illustrates in a manner schematically a pseudo-random function generator, according to the invention; FIG. 2 schematically illustrates an algorithm for generating a function from m bits to n bits, according to the invention; and FIGS. 3A to 3C schematically illustrate an embodiment, according to the invention. Detailed description of embodiments According to the invention, FIG. 1 is a schematic figure of a generator 1 of pseudo functions. random key K from an input block 3 of m bits to an output block 5 of n bits. This generator 1 uses primitives or cryptographic schemes 0, (m ,, n,) from m, bits to n, bits. Indeed, the pseudo-random function generator 1 comprises data processing or calculation means 7 which construct a determined number or of cryptographic schemes 01 (ml, n1), Oc., (Ma, na) nested in layers according to a recursive structure. The first cryptographic scheme 01 (mi, n 1) is that of the outermost layer and the last cryptographic scheme Oor (ma, n, y) is that of the innermost layer. Each current cryptographic scheme 0, (m ,, n,) associates with m, input bits n, output bits in a number of turns ri, each turn using an internal elementary function P. Each internal elementary function el ° is constructed from t1 cryptographic schemes 0'4 (from n1 + 1 bits to ml + l bits, with n1 + 1 <n ,, m1 + 1 <m, and ti ..- ?. 1. Each cryptographic scheme. A (m ,, ni) is characterized by a minimum number of operations com (m ,, ni, r,) necessary to distinguish it from a random function associating with input bits n1 output bits. This minimum number d 'operations comp (m ,, ni, r,) is a so-called complexity function which depends on the number of turns r, and possibly on the parameters mi and n, involved in the construction of cryptographic schemes. This complexity function is representative of the complexity of generic attacks (i.e., attacks that distinguish the cryptographic scheme from a truly random function when the s elementary functions are random). 2920617 Il Drtt f, knell Cr'hArt l''MIrd'Irnriktirti If% 7r- tete. .. "^ x Irsr, r A, s, .-, ut tr..4mu Iç4% ... 1 y Fits..11 upl IIIJU .kt (1111, i, 1 1 IV y Zl IZ calculation 7 determine the number of turns 1-, necessary so that the minimum number of operations cony; (m ,, n ,, r,) which is associated with it is greater than or equal to a predetermined number e, c being an integer. 5 current security standard one can choose the predetermined number 2c equal to 280. Thus, the generator 1 of the present invention allows to generate a pseudo-random function such that an opponent whose computing power is limited to 2c operations is unable to distinguish a function generated by this generator 1 and a random key from a truly random permutation This can be proved by means of a security proof which relies on the study of the security of the "bricks". intermediaries used, namely: theorems concerning the so-called unconditional security of these bricks, i.e. security bounds valid for an attack nt having unlimited computing power; conjectures, supported by several years of research by the cryptographic community, on the complexity of the best possible attacks on the bricks used (called "generic attacks" because they apply to schemes where the elementary functions f (l) are really random functions). In addition, the calculation means are suitable for calculating the determined number (x of cryptographic schemes so that the most internal elementary functions (a ') constituting the 00e cryptographic schemes (m (yn) of the innermost layer are random functions defining a minimum size of the secret key K. Advantageously, the cryptographic schemes, (I) (m ..,, (m, ri) can be bijective and correspond in particular to cryptographic permutation schemes Hdn,), , Hcy mat) which are very numerous and well studied. Each cryptographic permutation 17 (n,) implements a permutation of the blocks of n, bits. In particular, the cryptographic permutations H1 (nd, -, 111 (na) can correspond to Symmetric Feistel diagrams Fei), ..., F, (n,),, Fa, (na) which are simple to realize. In this case, for each symmetric Feistel diagram F (n,) the number of turns r , depends on the number of bits n, and on the integer c according to a defined inequality inie by r, .2c / n, + 4. Thus, by modulating according to the invention, for each Feistel Fi scheme, the number of turns required by providing proof of safety for each of these schemes, proof of safety is provided for the entire generation process. FIG. 2 illustrates an algorithm for generating a function of 15 m bits to n bits or a permutation of n bits resistant to any attacker having a computation capacity less than or equal to or c is for example 80. In a first step E1, one construct this function or permutation from a certain cryptographic scheme 01 (ml, ni) or 20 (for example a Feistel scheme), with and fixing the number of turns r1 used such as Com, o (rl) This requires r1 elementary functions or permutations t'l). In a second step E2, each of these elementary functions or permutations t'eV will in turn be implemented using 25 t1 cryptographic schemes Oz (i.7T y72) or I12 (n) (which may be identical or different from that of the first step) by fixing the number of turns r2 used such that Como (r2) = The construction then requires r1 times t1 times r2 elementary functions or permuations f (2) irte; YYS. And the r-, e es e-Res, eRR, R Rn, tinontinüÇr I can thus V 1 nt i-nR.RZUZ jUJt.Rp- Ri Ci Ul IC step E3 where the elementary functions or permutations of the cryptographic primitive internal will be truly random and will constitute the key K of the generation process. Usually there is a number of steps that will minimize the size of the secret key. The generator of functions from m bits to n bits or of permutations of n pseudo-random bits thus obtained then has a proven security against any adversary having a computation capacity less than or equal to 2 'in the direction or to succeed in attacking the generator 1 would amount to improving generic attacks on the primitives used, which is very improbable. In addition, this generator is very convenient to use because it is very efficient and has a reasonable key size. In the case where a permutation is obtained, it can be used according to the usual operating modes of block ciphers.

In the case where a function is obtained, it can be used according to certain particular modes, such as the counter mode to carry out in-stream encryption or the CBC MAC mode to carry out message authentication. The intermediate cryptographic constructions used to obtain the generation of a random function are potentially numerous. By way of example, one can use the Feistel schemes described for example by Michael Luby and Charles Rackoff in the document How to Construct Pseuclorano'om Permutations [rom Pseuo'orano'om Functions, SIAM 1 Comput. 17 (2): 373-386 (1988). The best conjectured attacks against these Feistel schemes have been described by Jacques Patarin in the document Generic Attacks Feiste / Schemes. Note that a Feistel scheme is an even bijection. Thus, when the Feistel diagrams are nested, the diagrams are constructed with even bijections.

Besides, it is put on laughter% '"F., Iu, J UIJUI1.9UZI U11 Feistel scheme of a random function than of a bijection. It is also easier to distinguish a Feistel scheme from a bijection than an even bijection. Indeed, the more one tries to distinguish a Feistel diagram from a large set, the simpler it is. In fact, whatever the number of turns of the Feistel diagram, it is always it is possible to distinguish it from a random function with 2n operations and from a bijection in 22n operations (which is independent of the number of turns). It is only when trying to distinguish it from an even bijection that the number of necessary operations increases with the number of turns of the Feistel scheme, Feistel schemes also have so-called generalized or asymmetric variants. Thus, for a generalized Feistel scheme one can use bricks which are either random functions or random bijections, that is, even random bijections tories, typically this concerns the innermost Feistel scheme in the nesting. Typically, Feistel diagrams using only even bijections as a brick, are higher level Feistel diagrams than the innermost Feistel diagram. For asymmetric Feistel diagrams, the plaintext is split into two blocks of different size, more specifically, this may relate to the lower level Feistel diagram. On the other hand, for symmetric Feistel diagrams, the plain text is divided into two blocks of identical size. In particular, this concerns higher level Feistel schemes. Furthermore, for intermediate cryptographic constructions, one can also create a function from n bits to n bits from two random permutations P, and Pj from n bits to n bits by calculating the exclusive or bit-by-bit XOR of the output. of the two permutations 1D YCID P3) Of the t-% rnl IlIcàr security. 77..it. V1, J II tGIiGJ also exist for this construction (for example, in the document by Jacques Patarin On Linear Systems of Equations with Distinct Variables and Sma / 1 Block Size ICISC 2299-32), We can also use the so-called Benes diagrams which make it possible to obtain functions from 2n bits to 2n bits from random functions from n bits to n bits. Unconditional safety proofs also exist for these patterns. Thus, it is possible to carry out the present invention according to several embodiments. Indeed, FIGS. 3A to 3C illustrate an embodiment for the generation of a pseudo-random function among the many possible examples, according to the invention. For this example, Feistel diagrams F, (nd symmetrical with ri turns and the construction R XOR Pi are used for this example to obtain a pseudo-random permutation 11128 from 128 bits to 128 bits, with a security in 280 operations. FIGS. 3A to 3C describe the different stages of the construction starting from the outermost stage (figure 3A) to the innermost stage (figure 3C). Thus, the stage of figure 3A consists of a Feistel diagram with ri turns, where ri is determined by the following security criterion: the best attacks conjectured on a Feistel scheme with ri turns have a complexity in, irin operations, where n is half the number of bits of the cipher blocks. we want this complexity to be greater than 280, we must take ri = 6. By contenting ourselves with this single step, we need 6 elementary functions (random and independent) fil), ..., of 64 bits for the key. to 64 bits, so the total key size is 6x64x264 bits, which is too much great for practical use.

So, we seek to obtain the 6 functions from 64 bits to 64 bits from a second step (FIG. 3B). For this, we use the construction Pi XOR Pi, applied to two Feistel schemes with r2 turns from 64 bits to 64 bits. The 6 elementary functions e), fe thus obtained will be used to construct the Feistel scheme of the step described previously. The same criterion as before shows that it is necessary to use r2 = 7tours to obtain permutations from 64 bits to 64 bits indistinguishable from random permutations in less than 280 calculations. Each of the 6 elementary functions f?), ..., f /) necessary to build the Feistel diagram of the upper stage requires 2x7 elementary functions from 32 bits to 32 bits, so the total size of the key at this stage is 6x (2x7) x32x232 bits. For the sake of simplicity, FIG. 3B illustrates the construction of the elementary function f?) Of the upper step (FIG. 3A) from the 14 elementary functions f "7,2w.

Of course, this construction can be continued until the basic building block consists of elementary functions from 1 bit to 1 bit. However, there is a number of steps for which the size of the key is minimal. Indeed, for the parameters (block size of 128 bits, security level of 280 operations), the optimal number of steps is 4 (FIG. 3C). For the sake of simplicity, FIG. 3C illustrates the construction of the elementary function f1, / 3) of the upper step (not shown) from the 28 elementary functions fi J4), ..., fm,) '4i). In this case, the number of turns of the Feistel diagrams to be used is respectively ri = 6, r2 = 7, r3 = 9 and r4 = 14. The basic functions required are then functions from 8 bits to 8 bits and the size of the key is given by 6x (2x7) x (2x9) x (2x14) x8x28 bits, or 10.8 MB, which is well within the memory capacities of current personal computers. 1 finl, nni-ir r $ A .-- 1;. ,, f- ", 11.11111 is also aimed at a U VI program downloadable from a communication network comprising program code instructions for the execution of the steps of the generation and / or of the encryption method according to the invention when it is executed on a computer. This computer program can be stored on a computer readable medium. This program can use any programming language, and be in the form of source code, object code, or of intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable form. The invention also relates to a readable information medium by a computer, and comprising instructions from a computer program as mentioned above.

The information medium can be any entity or device capable of storing the program. For example, the medium may comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or else a magnetic recording means, for example a floppy disk or a disk. hard.

Claims (2)

1. Method for generating a pseudo-random function with a secret key K from an input block of m bits to an output block of n bits using a determined number of cryptographic schemes 5 5 5 5 Oi (Mif nt),. 5 5 5, n) nested in layers according to a recursive structure, each current cryptographic scheme çPi (mi, ni) associating with nli input bits ni output bits in a number of turns r ,, each turn using an internal elementary function t constructed from t, cryptographic schemes Oi, I (mi.fimi, o) from n, 1 bits to m1.i. 1 bits, with n, + 1 <n ,, m1 + 1 <m, and t, each cryptographic scheme Oi (mi, ni) defining a minimum number of operations comp (mi, depending on the said number of turns necessary to distinguish it from a random function associating with m, input bits n1 output bits, characterized in that that for each cryptographic scheme Oi (mi, ni) said number of turns ri is chosen so that said number of operations comp (mi, n ,,) which is associated with it is greater than or equal to a predetermined number c being a number whole. 2. Method according to claim 1, characterized in that said determined number o of cryptographic schemes is chosen such that the most internal elementary functions fi> constituting the cryptographic schemes Ocy (mty, na) of the innermost layer are functions random variables defining a minimum size of said secret key. 3. Method according to any one of claims 1 to 2, characterized in that said predetermined number 2c is equal to 280.A, ^ e ,, te, ...,. S es, 1 ,, "1 * . r I IJLCUC DCIUI 1 t Ul IC LiUCILUI LIU UUZ 1 UVUI 1UR., 01.1VI la 1. 1 CiLLZ 1 1 ZZ CI 1 that said cryptographic schemes, ..., m ma) correspond to cryptographic permutation schemes 1 -11 (ni), ..., H, (ni), ... TI (na), each cryptographic permutation H., (N) implementing a permutation of the blocks of n, bits. 5. Method according to claim 4 , characterized in that said cryptographic permutation schemes 111 (n1), ..., 17; (n),, 17 (na) correspond to symmetrical Feistel schemes F, (n,), ..., Fa ( 6. Method according to claim 5, characterized in that for each symmetric Feistel diagram Fi (n,) said number of turns ri depends on the number of bits ni and on said integer c according to an inequality defined by r, k .2cIn, + 4. 7. Pseudo-random encryption method with secret key K of a bl oc of input of m bits to an output block of n bits using the pseudo-random function generation method according to any one of claims 1 to 6. 8. Pseudo-random function generator with secret key K d ' an input block of m bits to an output block of n bits using a determined number of cryptographic schemes (1) (miin) i "., ii (rni.n) nested in layers according to a recursive structure, each cryptographic scheme current (P (ni ,, n,) associating with m, input bits n, output bits in a number of turns r, fl 1 such as ballast, rt; r.tr'S. Al Arys.es, F,; r% -1 s-vul uttitzul 1; vl tLuvt I LCIII Il lt.Zl I IZ 1 LVI IJlr UILC from t, cryptographic schemes 0, + 1 (m, n, 4 from bits to m, i ,, l bits, with n, + 1 <n ,, m, and t, each cryptographic scheme (Mi, n,) defining a minimum number of operations comp (m ,, n ,, r, depending on said number of turns r ,, necessary to distinguish it from a random function associating with m, input bits n, output bits, characterized in that it comprises calculation means for calculating, for each cryptographic scheme 0, (rn ,, n,) , said number of revolutions r, so that said number of operations comp (m ,, n ,, which is associated with it is greater than or equal to a predetermined number cet being an integer. 9. Generator according to claim 8, characterized in that said calculating means are suitable for calculating said determined number or of cryptographic schemes so that the most internal elementary functions fea) constituting the cryptographic schemes 0a (rn, na) of the most internal layer internal are random functions defining a minimum size of said secret key. 10. Device for pseudo-random encryption with secret key K of an input block of m bits to an output block of n bits, characterized in that it comprises a pseudo-random function generator according to any one of claims 8 and 9. 11. Computer program downloadable from a communication network and / or stored on a computer readable medium and / or executable by a microprocessor, characterized in that it comprises program code instructions for the execution of the steps of the method for generating pseudo-random functions according to at least one of the revpnriir> finnc t .141,141.1, J. r ,,, A lnrcnt .a Ç v, ^ 1 / i..n.11.4 rr computer shooting. 12. Computer program downloadable from a communication network and / or stored on a computer readable medium and / or executable by a microprocessor, characterized in that it comprises program code instructions for the execution of the steps of the computer. Encryption method according to claim 7, when executed on a computer. 'tee on a