FR2924550A1 - METHODS AND DEVICES FOR ENCRYPTING AND DECRYPTING A DATA MESSAGE WITH A RANDOM SECRET KEY. - Google Patents

Abstract

A method of encrypting a data message S comprising at least one calculation step (102) of at least one random key Kal, 0 from at least one random number Nbal and at least one secret key Ksecret, and encrypting (105) the data S from the random key Kal, O and a plurality of diversified random keys Kal, 1 to Kal, N calculated from the random key Kal, 0.

Description

METHODS AND DEVICES FOR ENCRYPTING AND DECRYPTING A DATA MESSAGE WITH A RANDOM SECRET KEY

TECHNICAL FIELD The invention relates to the field of secret key data cryptography. The invention may especially be used in any type of information processing processor, for example a smart card. STATE OF THE PRIOR ART Encryption algorithms are used in information processing processors for example to protect confidential information (medical file), to authorize access to particular services (pay television) or to identify people (ePassport). These processors are the subject of fraudulent manipulation, commonly called 20 attacks, to obtain the keys used by the encryption algorithms, to know and / or corrupt confidential information, to access services for free or to pose as a third. To perform data encryption, it is known to use an algorithm called AES (Advanced Encryption Standard). FIG. 1 schematically represents the data coding steps implemented by an AES algorithm.

The data to be encrypted are first cut into blocks of 128 bits, represented as a 4 × 4 matrix (reference 2 in FIG. 1) of 8-bit words.

The AES algorithm uses a secret key 4 whose size can be equal to 128 bits, 192 bits or even 256 bits. In the example of Figure 1, the key 4 comprises 128 bits represented in the form of a matrix size 4 X 4.

During this coding, the algorithm executes several sets of steps, called rounds, whose number Nr depends on the size of the key used (Nr = 10 for a key of 128 bits, Nr = 12 for a key of 192 bits and Nr = 14 for a 256-bit key).

Whatever the size of the key used, the algorithm performs an initial round consisting of a step 6 of adding a round key, which is the secret key 4, with data 2. This addition step 6 is called AddRoundKey and is performed by an Exclusive OR. Then, we run (Nr-1) rounds performing the following four functions: - SubBytes (step 8 in Figure 1). each word of the data matrix obtained in the preceding step is replaced by another word of similar size given by a correspondence table. It is a non-linear transformation. ShiftRows (step 10 in FIG. 1): this is a transposition that cyclically shifts the words of the lines of the data matrix obtained at the output of SubBytes. The words of the rows of the matrix are shifted with a left circular shift, the number of squares of the shift depending on the line: the words of the first line of the matrix are not shifted, the words of the second line are shifted by a box to the left, the words of the third line are shifted two boxes to the left and the words of the fourth line are shifted three squares to the left. MixColumns (step 12 in FIG. 1): this is a matrix multiplication between a constant matrix and the data matrix obtained at the output of ShiftRows. AddRoundKey (step 14 in FIG. 1): this is an addition (exclusive OR) between the data matrix obtained at the output of MixColumns and a diversified key 16, or round key, obtained after a diversification operation of the previous round key, called KeySchedule and performed at each round.

The KeySchedule function performs a diversification operation from a key that is either the secret key 4 after the initial round, or an (i-1) th round key 16 when executing the ith round, with i number natural integer between 2 and (N, -1). After having repeated (N, -1) times these functions, the algorithm carries out a final final round (10th round in the case of a secret key 4 of 128 bits) consisting of the implementation of a function SubBytes (reference 18 in FIG. 1), a ShiftRows function (reference 20 in FIG. 1) and an AddRoundKey function (reference 22 in FIG. 1). At the output of the function 22 is obtained a matrix 24, of size equal to 4 × 4 of words of a size similar to the words of the matrix 2, encrypted data. The decryption of these data can then be performed from the coded data by performing functions that are opposite to those performed for encryption. Knowledge of the secret key is therefore necessary to achieve the decryption of the data. Various solutions, called countermeasures, have been proposed to render inoperative different types of attacks on such an algorithm. For example, to counter hidden channel type attacks, it is known to artificially add noise to the signals emitted by the chip, thus reducing their correlation with the manipulated data. Ad hoc software countermeasures are also introduced to make the analysis of the various extracted signals more complex. Against fault attacks, error detection and correction techniques as well as data redundancy are also known. Physical countermeasures, found on the electronic component implementing the algorithm, to guard against invasive attacks or faults are also known. These physical countermeasures, for example light sensors, are capable of detecting abnormal operation of the chip. In case of intrusion or injection of faults, various actions can be taken ranging from a simple reset of the chip to a partial or full erasure of all the information stored in the memories of the chip. Devices more specific to the protection of the circuit against a reverse engineering phase can also be integrated (metal shield, dummy lines, etc.). However, these solutions generally involve significant extra costs both at the hardware level (many additional logical functions necessary for the implementation of encryption and decryption) and at the time of execution of the algorithm, both for the encryption and decryption. DISCLOSURE OF THE INVENTION An object of the present invention is to propose a new method and a new encryption / decryption device offering better data protection, rendering ineffective attacks such as those carried out on an AES algorithm, and not involving or little material and overhead cost over the countermeasures of the prior art.

For this purpose, the present invention proposes a method of encrypting a data message S comprising at least one step of calculating at least one random key Kat, o from at least one random number Nbal and at least one a secret key Ksecret and an encryption of the data S from the random key Kai, o and a plurality of diversified random keys Kat, 1 to Ka1, N calculated from the random key Kat, o with, for example, at least one non-linear step. By adding to the secret key Ksecret a random number, or variable, Nba1r all the information is encrypted with a different key, which renders ineffective the attacks known from the prior art. This method therefore makes it possible to improve the security of the electronic device in which this method is implanted.

The present invention may also relate to a cryptographic method for an electronic device, for protecting data against attacks performed on the device, comprising calculating at least one random key Kat, o from at least one random number Nba1 and d at least one secret key Ksecret, and to perform an encryption of the data s from the random key Kat, o and a plurality of diversified random keys Ka1,1 to Ka1, N calculated from the random key Kat, o.

The electronic device may comprise a central unit equipped with at least one working memory used to perform the cryptographic process calculations and encryption, and a rewritable memory used to store device-specific and / or command-specific data. to execute to implement the cryptographic method. The cryptographic method can also be implemented in a hardware way by programming it directly in an FPGA, an ASIC (specific application integrated circuit) or in a smart card, or in a crypto-processor dedicated to data encryption. The encrypted data obtained can therefore be a signal that can be transmitted securely over a network to another electronic device to be decrypted. The encryption method can calculate N diversified random keys Ka1,1 to Ka1, N, N being a natural number strictly greater than 1 equal to the number of rounds of the encryption method. The N random diversified keys Ka1,1 to Ka1, N can be obtained at least by the following steps. calculating a first diversified random key Ka1,1 from the random key Ka1, o; calculating each of the N-1 diversified random keys Ka1, i, with a natural integer such that 2 <- i <- N, from a previous diversified random key The encryption of the data S can be carried out at least by the following steps: calculation of coded data Scod, o from the random key Kal, and data S to be encrypted; calculation of N coded data Scod, 1 to Scod, N, each of the N coded data Scod, i, with i such that 1 <- i <- N, being calculated from previous coded data Scod, i_1 and lem diversified random key Ka1, i; the Nth coded data S cod, N can be encrypted data Z.

The encryption method may further comprise the following steps: calculation of at least one first diversified key Kdiv, 1 from the secret key Ksecret; - calculation of N-1 diversified keys Kdiv, 2 to v, N, each of the N-1 diversified keys Kdiv, r with i such that 2 <- i <-N, being calculated from a previous diversified key Kdiv, i_1; calculating a difference DifKm between a diversified random key meme Ka1, m and a diversified key meme Kdiv, m, with m natural integer such that 1 <- m <- N. The data encryption S can be achieved by: a) a step of adding the random key Ka1, o to a matrix formed by the data S to be encrypted, forming coded data Scod, o; then b) N-1 executions of the following steps: substitution of each word of a matrix formed by (i-1) th coded data Scod, i 1, with i such that 1 <- i <- N-1 by another word of similar size; cyclic transposition of the words of a matrix formed by the data obtained after the preceding substitution-matrix multiplication step between a constant matrix and a matrix formed by the data obtained after the previous transposition step; adding between a matrix formed by the data obtained after the preceding multiplication step and a diversified random key key Ka1, i, with i such that 1 <- i <-N-1, the data obtained being thi th coded data S COd, i; then c) the following steps. substituting each word of a matrix formed by the (N-1) coded Scod (N-1) data with another word of similar size; cyclic transposition of the words of a matrix formed by the data obtained after the preceding substitution step; adding between a matrix formed by the data obtained after the preceding transposition step and the Nth diversified random key Ka1, N, the data obtained being encrypted data Z.

The present invention also relates to a device for encrypting a data message S comprising at least means for calculating at least one random key Ka1, o from at least one random number Nba1 and at least one key secret Ksecret, and means for encrypting the data S from a plurality of diversified random keys Ka1,1 to Ka1, N calculated from the random key Ka1, o, with N natural number strictly greater than 1. N may be equal to the number of rounds performed by the encryption device. The encryption device may further comprise: means for calculating at least a first diversified random key Ka1, 1 from the random key Kai, o; means for calculating each of the N-1 diversified random keys Ka1, i, with a natural integer such that 2 <- i <- N, from a previous diversified random key Ka1, i-1 • The means encryption of the data S may comprise at least. means for calculating coded data S d, 0 from the random key Ka1, o and data S to be encrypted; means for calculating N coded data Scod, 1 to Scod, N, each of N coded data Scod, i, with i such that 1 <- i <- N, being calculated from previous coded data Scod, i 1 and the ith diversified random key Ka1, i; the Nth coded data Scod, N possibly being encrypted data Z. The encryption device may further comprise: means for calculating at least a first diversified key Kdiv, 1 from the secret key Ksecret; means for calculating a diversified key meme Kdiv, m from a (m-1) th diversified key Kdiv, (m-1), with m natural integer such that 2 <- m <- N; means for calculating a difference DifKm between a diversified random keymem Ka1, m and the diversified keymem Kdiv, m. The data encryption means S may comprise: means for adding the random key Ka1, o and diversified random keys Kat, 1 to Kat, N to matrices of data; means for substituting each word 5 of a data matrix with another word of similar size; means for cyclically transposing the words of a data matrix; - Matrix multiplication means 10 between a data matrix and a constant matrix. The present invention also relates to a method for decrypting an encrypted data message Z comprising at least one step of calculating a diversified random key N1 Ka1, N from a secret key Ksecret and a difference DifKm between a diversified random key meme Ka1, m and a diversified key meme Kdiv, m, an inverse diversification step carried out from the diversified random Nth key Ka1, N calculating N-1 diversified random keys Ka1, N-1 to Ka1,1 20 and a random key Ka1, o, and a decryption of the data Z from the N diversified random keys Kat, 1 to Ka1, N and the random key Kat, o, with N natural integer strictly greater than 1 and m number The present invention may also relate to a cryptographic method for an electronic device, making it possible to decrypt data protected against attacks made on the device. tif, consisting of calculating a diversified random Nth key Ka1, N from a secret key Ksecret and a difference DifKm between a diversified random keymem Ka1, m and a diversified keyemem v, m, performing an inverse diversification starting from the Nth diversified random key Ka1, N calculating N-1 diversified random keys Ka1, N-1 to Ka1,1 and a random key Ka1, o, and performing a decryption of the data Z from the N diversified random keys Ka1,1 to Ka1, N and random key Kat, o, with N natural number strictly greater than 1 and m natural number such that 1 <- m <- N. N can be the number of rounds of the process of decryption. The calculation of the Nth diversified random key Ka1, N can be obtained at least by the following steps. calculating at least a first diversified key KdjV, 1 from the secret key Ksecret; calculating m-1 diversified keys v, 2 to Kdiv, m, each of the diversified m-1 keys KdiV, i, with a natural integer such that 2 <- i <- m, being calculated from a previous diversified key KdiV, i_1; - addition of the diversified key meme Kdiv, m previously calculated and the difference DifKm between the diversified random meme key Ka1, m and the diversified key meme Kdiv, m; calculation of (N-m + 1) diversified random keys Ka1, m + 1a Ka1, N, each of these diversified random keys Kat,, with j natural number such that m + 1 <j <- N, being calculated from a previous random random key Kat, _1. Reverse diversification can perform the calculation of N-1 diversified random keys Ka1, N-1 to Ka1,1 and the random key Ka1, o, each of these keys Ka1, i, with a natural integer such that that 0 N-1, being calculated from a previous diversified random key Kai, i + 1 • The decryption of the encrypted data Z can be achieved at least by the following steps: - computation of decoded data Sdecod, O from the Nth diversified random key Ka1, N and encrypted data Z; calculation of N decoded data Sdecod, I to Sdecod, N, each of N decoded data Sdecod, i, with i such that 1 <- i <- N, being calculated from previous decoded data Sdecod, i-1 and the (N-i + 1) random diversified key Ka1, N-i + 1; the Nth decoded data Sdecod, N being able to be decrypted data S. The decryption of data can be achieved by: a) the following steps. adding the Nth diversified random key Ka1, N to a matrix formed by the encrypted data Z, thus forming decoded data Sdecod, O; cyclic transposition of the words of a matrix formed by the data obtained after the preceding step of addition; replacing each word of a matrix formed by the data obtained after the preceding cyclic transposition step with another word of similar size, thereby forming first decoded data Sdecod, 1; then b) N-1 executions of the following steps: adding between a matrix formed by (i-1) decoded data Sdecod, i-1 and a diversified ieme key Kaki, with i such that 2 <- i <- N; matrix multiplication between a matrix formed by the data obtained after the previous addition step and a constant matrix; cyclic transposition of the words of a matrix formed by the data obtained after the preceding multiplication step; replacing each word of a matrix formed by the data obtained after the preceding cyclic transposition step, the data obtained being decoded second data S decod, i; then c) a step of adding between a matrix formed by the Nth decoded data Sdecod, N and the random key Ka1, o, the data obtained being decrypted data S. The present invention also relates to a device for decrypting a message encrypted data comprising at least means for calculating a diversified random key N1 Ka1, N from a secret key Ksecret and a difference DifKm between a diversified random key meme Ka1, m and a diversified key meme Kdiv, m, means of inverse diversification from the nth diversified random key Ka1, N calculating N-1 diversified random keys Ka1, N-1 to Ka1,1 and the random key Kat, o, and means for decrypting the data Z from the N random diversified keys Ka1,1 to Ka1, N and the random key Ka1, o, with N natural number strictly greater than 1 and m natural integer such that 1 <- m <- N. The means of calculation of the N Diversified random key Ka1, N may comprise at least: means for calculating at least one first diversified key Kdiv, 1 from the secret key Ksecret; means for calculating diversified key m-1 Kdiv, 2 to Kdiv, m, each of the diversified m-keys Kdiv, i, with a natural integer such that 2 <- i <- m, being calculated from an earlier diversified key Kd v, i; means for adding the diversified differential meme Kdiv m previously calculated and the difference DifKm between the diversified random multiemem Ka1 m and the diversified keymem Kdiv m; means for calculating (N-m + 1) diversified random keys Ka1, m + 1a Ka1, N, each of these diversified random keys Ka1, ~, with j natural integer such that m + 1 <j <- N, being calculated from a previous diversified random key Ka1, j-1 The inverse diversification means can calculate N-1 diversified random keys Ka1, N-1 to Kat, 1 and the random key Kat, o, each of these keys Ka1, i, with i natural number such that 0 N-1, being calculated from a previous diversified random key Kai, i + 1 • The data decryption means may comprise at least. decoded data calculation means Sdecod, O from the diversified Nth random key Kal, N and encrypted data Z; means for calculating N decoded data Sdecod, the Sdecod, N, each of the N decoded data Sdecod, with i such that 1 <- i <- N, being calculated from previous decoded data Sdecod, i-1 and the (N-i + 1) th diversified random key Kal, N- + 1; the Nth decoded data Sdecod, N being able to be decrypted data S. The data decryption means may comprise: means for adding the random key Kal, o and diversified random keys Kal, l to Kal, N to data matrices; means for cyclically transposing the words of a data matrix; means for substituting each word of a data matrix with another word of similar size; - Matrix multiplication means between a data matrix and a constant matrix. The invention also relates to a signal processing device for implementing a method of encrypting a data message and / or a method for decrypting an encrypted data message as described above. The invention also relates to a smart card comprising at least one device for encrypting a data message and / or a device for decrypting an encrypted data message as described above. The invention also relates to a data carrier, readable by a computer system, comprising data in coded form, for implementing an encryption method and / or a decryption method as described above. Finally, the invention relates to a software product comprising a data medium that can be read by a computer system, making it possible to implement an encryption method and / or a decryption method as described above. The invention applies in particular for an AES type algorithm. However, the principles of the invention can be applied to other types of algorithms, for example any encryption and / or decryption algorithm using a non-trivial key calculation, for example comprising at least one non-trivial step. linear substitution and / or a permutation step on calculated keys. BRIEF DESCRIPTION OF THE DRAWINGS The present invention will be better understood on reading the description of exemplary embodiments given purely by way of indication and in no way limiting, with reference to the appended drawings in which: FIG. 1 schematically represents the data coding steps; implemented by an algorithm AES according to the prior art, - Figure 2 shows the steps performed during the implementation of an exemplary embodiment of a data encryption method according to the invention, - Figure 3 schematically represents the steps implemented during a data encryption performed during an exemplary embodiment of a data encryption method according to the invention, - Figure 4 shows a correspondence table used during a substitution operation. executed during an exemplary embodiment of a data encryption method according to the invention, - FIG. FIGS. 6 and 6 show schematically the steps implemented during a data decryption performed during an example. embodiment of a method for decrypting encrypted data according to the invention, FIG. 7 represents a correspondence table used during a substitution operation executed during an exemplary embodiment of a method for decrypting encrypted data according to FIG. FIG. 8 represents an example of a circuit intended to implement a data encryption method according to the invention; FIG. 9 represents an example of a circuit intended to implement a decryption method; data according to the invention.

Identical, similar or equivalent parts of the different figures described below bear the same numerical references so as to facilitate the passage from one figure to another.

The different possibilities (variants and embodiments) must be understood as not being exclusive of each other and can be combined with one another. DETAILED DESCRIPTION OF PARTICULAR EMBODIMENTS Referring to FIG. 2, which represents the steps performed during the implementation of an exemplary embodiment of a random secret key data encryption method. The data message to be encrypted, referenced S in FIG. 2, is first cut into 128-bit blocks represented in the form of a 4 × 4 matrix whose inputs are respectively 8-bit words (bytes). These blocks are then encrypted independently of one another to obtain, at the end of the encryption method, encrypted data blocks, referenced Z in FIG. 2, which can then be concatenated and form an encrypted data message. In the exemplary embodiment of the method described, all the arithmetic operations are performed on 8-bit words arranged in a 4 × 4 matrix. It is therefore possible to place, for the calculations, in a finite field called the extended Galois field noted GF (28), having as primitive polynomial: P (X) = x8 + x4 + x3 + x + 1.

A first set of functions, called the initial round, is produced, comprising firstly the computation of a random key Kai, o from a random number Nba1r, for example nonzero, and a secret key Ksecret, for example also non-zero. The random key Ka1, o is obtained by an addition 102 between the secret key Ksecret and the random number Nba1. The size of the secret key Ksecret can be equal to 128 bits, 192 bits or even 256 bits, and here is chosen equal to the size of the data blocks to be encrypted. In the example of FIG. 2, the secret key Ksecret comprises 128 bits represented in the form of a 4 × 4 matrix whose inputs are 8-bit words. The size of the random number Nba1 is chosen equal to the size of the secret key Ksecret. This addition 102 is performed by an Exclusive OR between the secret key Ksecret and the random number Nba1. The random key Kat, 0 is obtained at the output of the addition 102. During the initial round, the random key Ka1, o is used. In the next round, the calculation of a first diversified random key Ka1,1, or first random round key, obtained from the random key Ka1, o by a diversification operation 103, called KeySchedule, of this key is carried out. random Kat, o. So we have Kat, 1 = KeySchedule (Ka1, o). This function 103 KeySchedule makes it possible to calculate N diversified random keys Ka1,1 to Ka1, N, N being the number of rounds realized during the encryption process. The value of N is a function of the size of the secret key Ksecret used: for a secret key Ksecret of 128 bits, one has N = 10; N = 12 for a 192-bit key; and N = 14 for a 256-bit key. The KeySchedule function will be detailed later in the description. These diversified random keys Ka1,1 to Kai, N and the random key Ka1, o are used to perform an encryption 105 of the data S detailed below in connection with FIG. 3. In this exemplary embodiment, the keys Ka1, o at Ka1, N are computed in parallel with the execution of the encryption 105. In a variant, it is possible for the diversified random keys Ka1,1 to Ka1, N and the random key Ka1, o to be calculated before the execution of the encryption 105 Firstly, the encryption 105 completes the initial round by computing Scod coded data, o from the random key Ka1, o and data S. A function 104, called AddRoundKey, performs this calculation. So we have: Scod, o = AddRoundKey (Kao, o, S). The AddRoundKey calculation of Scod coded data, o is here an addition operation, performed by an Exclusive OR, between the initial data S and the random key Kai, o. The initial round being completed, we execute N rounds. Each of the round iemes, with a natural integer such that 1 <- i <- N-1, has four functions which are detailed below. During each of these rounds, the method 30 first executes a function 106, called SubBytes, during which each word of the encoded data matrix 25 obtained in the previous step (the coded data Scod, o when one has just completed the execution of the initial round, where the (i-1) scoded data Scod, i-1 when executing an ieme round with 2 <- i <- N-1) is replaced by a another word. For this, an elementary transformation called sub is applied to each Scod word (c, d) of coded data Scod such that: sub (Scod (c, d)) is non-zero, or * -1 a Scod (c, d) + b if Scod (c, d) sub (Scod (c, d)) = b if Scod (c, d) is zero, with c and d natural numbers, b = {63} (hexadecimal notation), and / 1 0 0 0 1 1 1 1` 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 a = 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 ~ 0 0 0 1 1 1 1 1) The operator * represents the multiplication of matrices in the Galois field GF (28), and Scod (c, d) -1 represents a word inverse of Scod coded data The SubBytes function is therefore a nonlinear substitution function. This substitution function can also be represented in the form of a table comprising the substitution values of the words of the coded Scod data. A word Scod (c, d) (here a byte) whose value is denoted by X, y, where x and y respectively represent the bits of high and low weight, is therefore substituted by the word whose value is in the table shown in FIG. 4, at the intersection of the line x and the corresponding column y. For example, if the word Scod1 (1, 1) has the value {04}, then we have: SubBytes (Scod1 c 1, 1>) = {F2}. A function 108 called ShiftRows is then executed on the data obtained at the output of SubBytes 106. This function 108 consists of a transposition that shifts the words of the lines of the matrix obtained at the output of SubBytes cyclically. The words of the lines are shifted with a left circular shift, the number of squares of the shift depends on the line: the words of the first line of the matrix are not shifted, the words of the second line are shifted by one square to the left, the words in the third line are shifted two squares to the left and the words in the fourth line are shifted three squares to the left.

For example, if the input of the ShiftRows function has a matrix M such that: (Mo0 Mo3 Mot Mo3 M1.0 Ml, l M1.2 M1.3 M20 M21 M22 M23 M3 MMM, 0 3.1 3.2 3 , 3 the matrix is then output: (Mo o Mo 1 Mo 2 Mo 3 M1.1 M1 2 M13 Mi o M2.2 M2 3 M2.0 M21 M32) M = ShWRows (M) = A function 110, called MixColumns then performs a matrix multiplication in GF (28) between the matrix obtained at the output of ShiftRows and a constant matrix Ao such that: (02 03 01 010 01 02 03 01 A ° 01 01 02 03 X03 01 01 02 This calculation s' by column, that is to say that each column depends on the entire input column, then the function KeySchedule 103 (represented in FIG. 2) is executed, carrying out a diversification operation of the previously used key, which is either the random key Kai, o when one carries out the initial round, or a (i-1) th diversified random key Ka1, i_1 when one realizes the other rounds. the (i-1) th diversified random key Ka, i_1 in the form: Kal, i-1 ko, o kl, o k2 0 k3.0 k01 k0 2 4.1 k1 2 k21 k22 k3 1 k3 2 k0.3 k1,3 k2 3 k3,3 / the ith diversified random key Ka1, i obtained is then of the form: Kal, i / ka ke ki ~ kmkb k, kf kg k1 kk kka kka: "kh kl kp25 With ka = sub (k1 3) k0 0 Rcon (Z) kb = sub (k1,3) O + ko, mm = 0 2 ka = sub (k1,3) O + ko, mm = 0 3 kd = sub (k1,3) O + 1 ko, mm = 0 ke = sub (k23) ~ k1.0 kf = sub (k23) O + klm m = o 2 kg = sub (k2 3) O + kl mm = o 3 kh = sub (k2,3) 0 k1, mm = o k1 = sub (k33) k20k. = sub (k3 3) 0 k2, mm = 0 2 kk = sub (k3,3) 0 k2, mm = 0 3 k1 = sub (k3,3) 0 k2, mm = 0 km = sub (k0,3) k3,0 kn = sub (k0,3) 0 k3, mm = 0 2 ko = sub (k0,3) 0 k3, mm = 0 3 kp = sub (k0,3) 0 k3, mm = 0 26

  sub is the nonlinear transformation function described above for the SubBytes function. Rcon is a one-dimensional table of constants (in hexadecimal), indexed by the number of the current round: Round i 1 2 3 4 5 6 7 8 9 10 Rcon 01 02 04 08 10 20 40 80 1B 36 So we have Kat, i = KeySchedule (Kat, i-1)

Finally, the ith round, with i such that 1 <- i <- N-1, ends with the computation (function 112 called AddRoundKey) of the first coded data Scod, i from the ith diversified random key Ka1, i and data obtained at the MixColumns 110 output. This AddRoundKey function is similar to the AddRoundKey 104 function performed during the initial round. The Nth round is then executed. With respect to the second round, with i such that 1 <- i <- N-1, this last round N has only three functions 114, 116, 118 respectively similar to the functions 106 SubBytes, 108 ShiftRows and 112 AddRoundKey. At the end of this last round, the encrypted data Z is output. These steps are repeated for each of the data blocks. Thus, the encryption performed makes it possible to encrypt each block of information by a different key. Moreover, since this key is random for each block of data, the known attacks used against the AES algorithm are ineffective here.

The random key must, however, be known for decrypting the encrypted data. For this, in parallel with the steps described above, the method also performs, during the first round, a function KeySchedule, shown in Figure 2, from the secret key Ksecret, thus delivering a first diversified key Kdiv, l. This function 107 KeySchedule is also repeated during the next rounds using each time the diversified key Kdiv calculated previously. By calculating the difference between a diversified random key mn Kal, m and a diversified key meme Kdiv, m (operation 109 in FIG. 2), with m natural integer such that 1 <- m <- N, DifKm information is obtained. usable to realize the decryption of the data. It is then possible to perform the decryption from this information DifKm and the secret key Ksecret. It is preferable to calculate the difference DifKm during a round that is substantially in the middle of the set of rounds. In the example described above, the encryption being performed on 10 rounds, so we choose to achieve this difference during the fifth round (m = 5), that is to say to calculate the difference DifK5 = Ka, 5 - Kdiv 5. However, it is possible to choose another value of m. A method for decrypting the previously encrypted data will now be described in connection with FIG. 5. Firstly, a KeySchedule function 202 is produced, similar to the KeySchedule function performed during the data encryption process, thereby realizing a diversification of the data. secret key Ksecret. KeySchedule is executed N times, N being the number of rounds made during the encryption process.

When the KeySchedule function has computed the diversified key meme Kdiv, m, the information Difxm = Ka1, m ù Kdiv, m is added to the same diversified key Kdiv, m • We then obtain the same diversified random key Ka1, m • On then continues the KeySchedule function 202 from the same random multi-key key Kai, m, thus making it possible to obtain the last diversified random key Ka1, N • A reverse key diversification function 204, called InvKeySchedule, then makes it possible to output the N diversified random keys Kam_, 1 to Kai, N used during data encryption. This InvKeySchedule function performs the inverse matrix operation of the KeySchedule function The obtained by the form Kai, i-1 if. (i-1) The diversified random key Ka1, i-1 InvKeySchedule function is then of InvKeySchedule (Khaki), that is to say that Kal, l ko, o 4.0 k2 0 k3.0 kb, 1 k1 , 1 k2 1 k3,1 then the (i-1) èmeclé random Ka1, i-1 is written in the form:

(ko oe sub (ko 2 O + ko, 3) O + Rcon (t -1) ko 1 O + ko o ko 2 O + ko 1 ko 3 O + ko 2 k1 0 O + sub (k12 O + k13) k1 1 O + k1 o k12 O k11 k13 O + k12 k2 0 sub (k2,2 k2,3) k2,1 O + k2,0 k2,2 k2,1 k2,3 O + k2,2 k30 sub (k32 k33) k31 ek30 k32 k31 k33 Ok32) From of the N diversified random keys obtained, a decryption 206 of the data Z is then carried out. This decryption will be detailed with reference to FIG. 6. An AddRoundKey function 208 is produced which is similar to the AddRoundKey function 118. This step is similar for the Encryption and decryption because the OR addition operation is also its own inverse operation. An exclusive OR is thus realized between the encrypted data Z and the last (Nth) diversified random key. A function 210 InvShiftRows is then executed on the data obtained at the output of AddRoundKey 208. This function 210 is the inverse function of ShiftRows. This function InvShiftRows consists of a transposition cyclically shifting the words of the rows of the matrix obtained at the output of AddRoundKey 208. The words of the lines are shifted according to a circular shift to the right, the number of squares of the shift depending on the line: the words of the first line of the matrix are not shifted, the words of the second line are shifted one box to the right, the words of the third line are shifted two squares to the right and the words of the fourth line are shifted three boxes to the right.

For example, if the input of the InvShiftRows function has a matrix M such that: / M0.0 M0.1 Ml, 0 M1.1 M 21 M3.0 M3.1 M0.3 M1.3 M23 M3.3% M = M12 M then obtained at the output the matrix: / MO, O Mo Mo 2 M0 3 M13 M10 Mil Mie M2.2 M2.3 M2.0 Al2.1 M3.3 M3.0% The decryption method then executes a function 212, called InvSubBytes, in which each word of the matrix obtained in the previous step is replaced by another word. For this, an elementary transformation called invsub is applied to each word to transform. For this, we carry out the inverse of the affine transformation used for the elementary transformation sub, then we apply the multiplicative inverse on the result. The InvSubBytes function is therefore a nonlinear substitution function. This substitution operation can also be represented in the form of a table comprising the substitution values of the words of the coded data. A word (here an octet) whose value is denoted x, y, where x and y respectively represent the bits of high and low weight, is therefore substituted by the word whose value is in the table represented in the figure. 7, at the intersection of the line x and the column InvShifiRows (M) = y corresponding. For example, if the word to substitute has the value {04}, then we have: SubBytes ({04}) = {30}. These functions performed above correspond to the inverse functions of those performed during the last round of the encryption process. The four inverse functions of those corresponding to rounds 1 to N-1 of the encryption method are then performed. First, an AddRoundKey function 214, for example similar to the AddRoundKey function 208, is executed using the diversified random key heme Ka1, h corresponding to the round number h. A function 216, called InvMixColumns, corresponding to the inverse of the MixColumns function, then performs a matrix multiplication in GF (28) between the matrix obtained at the output of the AddRoundKey function 214 and a constant matrix Bo such that: / Oe Ob Od 09 This calculation is carried out by column, that is to say that each column depends on the entire input column. An InvShiftRows function 218, for example similar to the InvShiftRows function 210, is then executed on the data obtained at the output of InvMixColumns 216. The round is terminated by an InvSubBytes function 220, for example similar to the InvSubBytes function 212. The decryption of the data Z is then finished by performing the last round, corresponding to the inverse of the first round, or initial round, of the encryption. This last round consists of an AddRoundKey 222 function similar to the other AddRoundKey functions performed. The output of this AddRoundKey function 222 is the decrypted data S. FIG. 8 represents an exemplary implementation of a circuit 300 implementing the random secret key encryption method described above. The data to be encrypted is entered on a 32 bit bus 302, and the encrypted data is output from the circuit 300 on an output bus 304 also 32 bits. The secret key is entered on a bus 306 also 32 bits. Conversion means 308 converts four 32-bit words of data into a single 128-bit length S data contained in a register. Likewise, converting means 310 converts the secret key into a single 128-bit, 192-bit or 256-bit Ksecret data. At the output of the circuit 300, converting means 312 converts the 128-bit Z encrypted data into 32-bit words on the output bus 304.

A state controller 314 speeds the diversification of KeySchedule random keys realized by means of diversification 316 and the encryption of the data by encryption means 318. These encryption means 318 execute the functions SubBytes, ShiftRows, MixColumns and AddRoundKey. The diversification of the secret key (function 107 of FIG. 2) can be achieved by the diversification means 316 if they are fast enough to carry out two distinct diversifications during a round, as is the case in FIG. 8, or by other means of diversification. In both cases, the output value of the circuit 300 will also be delivered with the value of the difference Difxm = Kal, m ù Kdiv, m making it possible to perform a subsequent decryption of the data. Each round is performed on a cycle, with the diversified random keys being produced in parallel with the execution of the rounds. This calculation synchronization is carried out by the state controller 314. Different control signals are also exchanged between the various components of the circuit 300. At the end of the N rounds, the state controller 314 authorizes the sending of the encrypted text to conversion means 312. The random number Nbam_ used in this encryption method can be obtained from a random number generator outside the circuit 300, or by using an internal state of said circuit 300 for implementing the encryption method. The random number Nbal used by the encryption method can be directly this internal state or the number obtained at the output of the generator, or be the result of the addition of the previous random key (used for the coding of a previous block of data) to the internal state or to the number obtained at the output of the generator. One can also choose randomly between these different possibilities for each block of data to be encrypted.

FIG. 9 represents an exemplary implementation of a circuit 400 implementing the random secret key decryption method described above. The data to be decrypted is entered on a 32 bit bus 402, and the decrypted data is output from the circuit 400 on an output bus 404 also of 32 bits. The secret key, as well as the value of the difference DifKm, are input on a bus 406 also of 32 bits.

Conversion means 408 converts four 32-bit words of data into a single 128-bit length data contained in a register. Likewise, converting means 410 converts the secret key and the difference DifKm into 128-bit, 192-bit or 256-bit data. At the output of the circuit 400, converting means 412 converts the 128-bit decrypted data into 32-bit words on the output bus 404. A state controller 414 speeds the diversification of the KeySchedule secret key performed by means 416, making it possible to obtain the last diversified random key from the secret key and the key difference information DifKm. These means 416 then perform the inverse diversification making it possible to obtain the diversified random keys. The state controller 414 also speeds the decryption of the data by decryption means 418. These decryption means 418 execute the functions InvSubBytes, InvShiftRows, InvMixColumns and AddRoundKey.

Each round is performed on a cycle, with the diversified random keys being produced in parallel with the execution of the rounds. This calculation synchronization is carried out by the state controller 414. Different control signals are also exchanged between the different components of the circuit 400. At the end of the N rounds, the state controller 414 authorizes the sending of the decrypted text to conversion means 412.

The fact of using the difference DifKm in the middle of the encryption (for example in the fifth or sixth round if the encryption is done in 10 rounds) makes it possible to output this number DifKm without losing time in the level of the encryption (a method realizing the encryption in 10 rounds on a 32-bit bus can finish extracting this value in 4 rounds and thus before the end of the execution of the encryption) and limit the loss of time in decryption.30

Claims (26)

1. A method of encrypting a data message S comprising at least one calculation step (102) of at least one random key Kat, o from at least one random number Nba1 and at least one secret key Ksecret, and an encryption (105) of the data S from the random key Ka1, o and a plurality of diversified random keys Ka1,1 to Ka1, N calculated from the random key Kat, o. 2. Encryption method according to claim 1, calculating N diversified random keys Ka1,1 to Ka1, N, N being a natural number strictly greater than 1 equal to the number of rounds of the encryption method. 3. Encryption method according to claim 2, the N random diversified keys Ka1,1 to Ka1, N being obtained at least by the following steps. calculating a first diversified random key Ka1, 1 from the random key Ka1, o; calculating each of the N-1 diversified random keys Kaki, with a natural integer such that 2 <-i <- N, from a previous diversified random key Kai, i_1. 4. Encryption method according to claim 3, the encryption (105) of the data S being performed at least by the following steps: 37 - computation (104) coded data S cod, 0 from the random key Ka1, o and S data to encrypt; calculation of N coded data Scod, 1 to sd, N, each of N coded data Scod, i, with i such that 1 <- i <- N, being calculated from previous coded data Scod, i_1 and the ith diversified random key Kat, i; the Nth Scod encoded data, N being encrypted data Z. 5. Encryption method according to one of claims 3 or 4, further comprising the following steps. calculating (107) at least a first diversified key Kd V, 1 from the secret key Ksecret; calculation (107) of N-1 diversified keys Kdiv, 2 to KdiV, N, each of the N-1 diversified keys Kdiv, i, with i such that 2 <- i <- N, being calculated from a previous key diversified Kdiv, i_1; calculating (109) a difference DifKra between a diversified random key mn Ka1, m and a diversified key meme Kdiv, m, with m natural integer such that 1 <- m <-N. 6. Encryption method according to one of claims 4 or 5, the encryption (105) of data S being achieved by: a) a step of adding (104) the random key Ka1, o to a matrix formed by the data to be encrypted, forming coded data Scod, o; then 38 b) N-1 executions of the following steps: substitution (106) of each word of a matrix formed by (i-1) th coded data Scod, i-1, with i such that 1 <- i < -N-1 by another word of similar size; cyclic transposition (108) of the words of a matrix formed by the data obtained after the preceding substitution step (106); matrix multiplication (110) between a constant matrix and a matrix formed by the data obtained after the preceding transposition step (108); adding (112) between a matrix formed by the data obtained after the preceding multiplication step (110) and a diversified random ith key Ka1, i, with i such that 1 <- i <- N-1, the data obtained being the second coded data S cod, i; then c) the following steps. substituting (114) each word of a matrix formed by the (N-1) Scod encoded data (N-1) with another word of similar size; cyclic transposition (116) of the words of a matrix formed by the data obtained after the preceding substitution step (114); adding (118) between a matrix formed by the data obtained after the preceding transposition step (116) and the Nth diversified random key Ka1, N, the data obtained being encrypted data Z. 7. Device for encrypting (300) a data message S comprising at least calculation means (316) for at least one random key Ka1, o from at least one random number Nba1 and at least one a secret key Ksecret, and encryption means (318) of the data S from a plurality of diversified random keys Ka1,1 to Ka1, N calculated from the random key Kat, o, with N natural number strictly greater than 1. 8. An encryption device (300) according to claim 7, further comprising: calculating means (316) of at least a first diversified random key Ka1,1 from the random key Kat, o; calculating means (316) of each of the diversified random key N-1 Kaki, with a natural integer such that 2 <- i <- N, from a previous diversified random key Ka1, i-1 • 9. Encrypting device (300) according to claim 8, the encryption means (318) of the data S comprising at least: coded data calculation means S d, 0 from the random key Ka1, o and S data to be encrypted; means for calculating N coded data Scod, 1 to Scod, N, each of N coded data Scod, i, with i such that 1 <- i <- N, being calculated from previous coded data Scod, i_1 and of the ith diversified random key Ka1, i, the Nth coded data Scod, N being encrypted data Z. 10. Encrypting device (300) according to one of claims 8 or 9, further comprising: calculating means (316) of at least a first diversified key Kdiv, 1 from the secret key Ksecret; calculating means (316) of a diversified key meme Kdiv, m from a diversified (m-1) th key Kdiv, (m-1), with m natural integer such that 2 <-m <- NOT ; calculating means (318) for a difference DifKm between a diversified random key meme Ka1, m and the diversified key meme Kdiv, m 11. Encrypting device (300) according to one of claims 9 or 10, the encryption means (318) of the data S comprising: - means for adding the random key Ka1, o and diversified random keys Ka1, 1 to Kat, N to matrices of data; means for substituting each word of a data matrix with another word of similar size; means for cyclically transposing the words of a data matrix; means for matrix multiplication between a data matrix and a constant matrix. 12. A method for decrypting an encrypted data message Z comprising at least one step of calculating (202) a diversified random key N1 Ka1, N from a secret key Ksecret and a difference DifKm between a meme diversified random key Ka1, m and the same diversified key Kdiv, m, an inverse diversification step (204) carried out from the nth diversified random key Ka1, N calculating N-1 diversified random keys Ka1, N-1 to Ka1, 1 and a random key Ka1, o, and a decryption (206) of the data Z from the N diversified random keys Ka1,1 to Ka1, N and the random key Ka1, o, with N natural integer strictly greater than 1 and m natural integer such that 1 <- m <- N. 13. decryption method according to claim 12, N being the number of rounds of the decryption method. 14. decryption method according to one of claims 12 or 13, the calculation (202) of the Nth diversified random key Ka1, N being obtained at least by the following steps - calculating at least a first diversified key Kdiv, 1 from the secret key Ksecret; calculation of m-1 diversified keys Kdiv, 2 to v, m, each of the diversified m-1 keys Kdiv,, with i natural number such that 2 <- i <- m, being calculated from a previous key diversified Kdiv, i-1; - addition of the diversified key meme Kdiv, m previously calculated and the difference DifKm between the diversified random meme key Ka1, m and the diversified key meme Kdiv, m; calculation of (N-m + 1) diversified random keys Kai, m + 1 to Ka1, Nr each of these diversified random keys Kat, with j natural number such that m + 1 <j <- N, being calculated at from a previous diversified random key 15. decryption method according to one of claims 12 to 14, the inverse diversification (204) performing the calculation of N-1 diversified random keys Ka1, N-1 to Ka1,1 and random key Ka1, o, each of these keys kaki, with i natural number such as 0 N-1, being calculated from a previous diversified random key Ka1, i + 1. 16. decryption method according to one of claims 12 to 15, the decryption (206) encrypted data Z being achieved at least by the following steps: - calculation of decoded data Saw, od, 0 from the nth random key diversified Ka1, N and encrypted data Z; calculating N decoded data Sdecod, i to Sdecod, N, each of N decoded data Sdecod, i, with i such that 1 <- i <- N, being calculated from previous decoded data Sdecod, i-1 and of the (N-i + 1) diversified random key Kal, N_i + 1; the Nth decoded data S ecod, N being decoded data D S. 43 17. decryption method according to one of claims 12 to 16, the decryption (206) of data being achieved by: a) the following steps - addition (208) of the Nth diversified random key Ka1, N to a matrix formed by the encrypted data Z, thus forming decoded data Sdec d 0; cyclic transposition (210) of the words of a matrix formed by the data obtained after the preceding step of adding (208); substituting (212) each word of a matrix formed by the data obtained after the previous cyclic transposition step (210) by another word of similar size, thereby forming first decoded data Sdecod, 1; then b) N-1 executions of the following steps: -addition (214) between a matrix formed by i-1 decoded data S () decod, i-1 and a diversified random Ith key Kali, with i such that 2 < - i <- N; matrix multiplication (216) between a matrix formed by the data obtained after the preceding addition step (214) and a constant matrix; cyclic transposition (218) of the words of a matrix formed by the data obtained after the preceding step of multiplication (216) - substitution (220) of each word of a matrix formed by the data obtained after the preceding step of cyclic transposition (218), the data obtained being deceded second data Sdecod, i; then c) an addition step (222) between a matrix formed by the Nth decoded data Sdecod, N and the random key Ka1, o, the data obtained being decrypted data S. 18. Device for decrypting (400) an encrypted data message Z comprising at least calculation means (416) of a diversified random key N1 Ka1, N from a secret key Ksecret and a difference DifKm between a diversified random key mn Ka1, m and a diversified key meme Kdiv, m, inverse diversification means (416) from the diversified random Nth key Ka1, N calculating N-1 diversified random keys Ka1, N-1 to Ka1,1 and the random key Ka1, o, and means for decrypting (418) the data Z from the N diversified random keys Ka1,1 to Ka1, N and the random key Ka1, o, with N natural integer strictly greater than 1 and m natural integer such that 1 <- m <- N. 19. decryption device (400) according to claim 18, the calculation means (416) of the Nth diversified random key Ka1, N comprising at least: - means for calculating at least a first diversified key Kdiv, 1 to from the secret key Ksecret; means for calculating diversified key m-1 Kdiv, 2 to Kdiv, m, each of the diversified key m-1 Kdiv, i, with a natural integer such that 2 <- i <- m, being calculated from an earlier diversified key Kdiv, i-1; means for adding the diversified differential meme Kdiv m previously calculated and the difference DifKm between the diversified random multiemem Ka1 m and the same diversified key Kdiv m; means for calculating (N-m + 1) diversified random keys Ka1, m + 1a Ka1, N, each of these diversified random keys with a natural integer number such that m + 1 <j <- N, being calculated from a previous diversified random key Ka1, j-1 20. decryption device (400) according to one of claims 18 or 19, the means (416) of inverse diversification calculating N-1 diversified random keys Ka1, N-1 to Ka1,1 and the random key Ka1, o, each of these keys Kaki, with i natural number such as 0 N-1, being calculated from a previous diversified random key Ka1, i + 1. 21. decryption device (400) according to one of claims 18 to 20, the decryption means (418) of data comprising at least: - decoded data calculation means Sdecod, O from the Neme diversified random key Ka1, N and encrypted data Z; means for calculating N decoded data Sdecod, Sdecod, N, each of N decoded data Sdecod, i, with i such that 1 <- i <- N, being calculated from previous decoded data Sdecod, i-1 and of the (N-i + 1) th diversified random key Kal, N_i + 1, the Nth decoded data S decod, N being decrypted data S. 22. decryption device (400) according to one of claims 18 to 21, the decryption means (418) of data comprising: - means of adding the random key Ka1, o and diversified random keys Ka1,1 at Ka1, N to data matrices; means for cyclically transposing the words of a data matrix; means for substituting each word of a data matrix with another word of similar size; - Matrix multiplication means between a data matrix and a constant matrix. 23. A signal processing device for implementing a method for encrypting a data message according to one of claims 1 to 6 and / or a method for decrypting an encrypted data message according to one of the claims 12 to 17. 24. Smart card comprising at least one device (300) for encrypting a data message according to one of claims 7 to 11 and / or a device (400) for decrypting an encrypted data message according to the one of claims 18 to 22. 25. Data carrier, readable by a computer system, comprising coded data, for implementing a method of encrypting a data message according to one of claims 1 to 6 and / or a decryption method an encrypted data message according to one of claims 12 to 17. 26. Software product comprising a data medium that can be read by a computer system, enabling the implementation of a method for encrypting a data message according to one of claims 1 to 6 and / or a method decryption of an encrypted data message according to one of claims 12 to 17.