FR2987711A1 - Method for accelerating cryptographic calculations in cloud computing, involves providing encrypted coded message with information, and utilizing calculation server for performing encrypted coding of message during application phase - Google Patents

Abstract

The method involves performing encrypted coding of a message (M) by an electronic device (MOB1) e.g. personal digital assistant, where the encrypted coded message is provided with information from the electronic device. A calculation server (CALC S) is utilized for performing encrypted coding of the message during an application phase. The encrypted coded message is arranged with a signature that is read by the calculation server. The signature is checked by the calculation server for allowing decrypting of the encrypted coded message. Independent claims are also included for the following: (1) a computer program comprising instructions for performing a method for accelerating cryptographic calculations (2) a system for accelerating cryptographic calculations.

Description

The invention relates to the field of the acceleration of cryptographic computations, particularly in the context of cloud computing, sometimes called "virtual computing", "cloud computing", "cloud computing", "cloud computing" , or "cloud computing", but the Anglicism Cloud Computing remains the most common expression and best understood by the French skilled person. Cloud computing is the deportation to remote servers of storage and / or computer processing traditionally performed by local servers or a personal computer. These remote servers are the cloud. Access to services hosted by the cloud is usually done by a standard application easily available, mostly a web browser. Cloud users are no longer in charge of their computer servers, which simplifies their task by removing the management of the underlying infrastructure, often complex and expensive, which is thus shared. However, since the applications and data are no longer under the control of the user (on a local computer or on a server supervised by the user), they are potentially accessible to third parties (even the owners or cloud administrators). This can pose serious data privacy issues. In particular, a user may wish to use a storage-type cloud to store his (confidential or personal) data. For the sake of privacy (for personal data) or for security reasons (confidential data, or low protection server), some systems have recently emerged to allow the cloud (or more generally to a third party) such as a server) to store data in an encrypted manner without the latter having the knowledge in clear of the stored data. However, it is necessary, in some cases, that the cloud is able to deliver to the authorized persons (and not only the issuer of the document in question) the data in question. For example, a user holding a key pair as part of a PKI (Public Key Infrastructure, sometimes translated into French by public key infrastructure, and sometimes key management infrastructure) can store his own information, encrypted with his public key, but wish to allow certain people (eg their family) to access some of this information (eg family photos), without disclosing their private key (allowing them to decipher other information, such as tax returns or medical records). For this, existing systems use a cryptographic brick called "proxy re-encryption".

This is described in particular in the article "Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage" by Giuseppe Ateniese (Johns Hopkins University) Kevin Fu (University of Massachusetts, Amherst), Matthew Green (The Johns Hopkins University) and Susan Hohenberger (Massachusetts Institute of Technology), published in ACM Transactions on Information and System Security, Volume 9, Issue 1, February 2006, pages 1-30. In such systems, the cloud manages several separate accounts. It is possible to register multiple devices on each account. Whenever a device is registered to an account, a transition key KT is generated for each possible pair of devices registered on that account. Thus, if the account A (for example counts family photos) has three devices 1, 2 and 3 (associated for example with the photographer, his brother and his aunt), it is possible to create the keys of transitions KT12 (between devices 1 and 2), KT13 (between devices 1 and 3), KT23 (between devices 2 and 3), KT21 (between devices 2 and 1), KT31 (between devices 3 and 1) and KT32 (between devices 3 and 2). The devices can be for example computers (portable or fixed), tablets, or mobile phones (traditional or smartphone type). When the user of a device (for example the photographer) wishes to store data, he encrypts the data with his PK public key encryption through the device. The encrypted data is then stored in the cloud. If the user of one of the three devices wishes to retrieve data on the cloud, he asks the latter to use the device. If the device does not hold the decryption private key corresponding to the public key that was used to encrypt the data in question, then the cloud uses the appropriate transition key to re-encrypt the data for the device in question. For example, if the data is encrypted for the device 2, that is to say with the PK2 key, and if it is the device 1 that asks to read the data, then the cloud uses the KT21 transition key ( a priori different from the key KT12 except in a bidirectional system) to obtain an encryption of the data for the device 1. In doing so, the cloud never accesses the data in clear, the re-encryption algorithm transforming an encrypted data with a first key in an encrypted data with a second key without requiring intermediate decryption (the re-encryption is not a decryption followed by an encryption with a different key). If the user of the device 1 ever modifies the data and wishes to store the new version in the cloud, he can, thanks to his device 1, encrypt this new version with his PK1 public key of encryption (or any other key an entity authorized to decrypt this message) and store the new encrypted (data modified again encrypted) on the cloud.

Any of the three devices registered on the account will always be able to access this new version by means of, if necessary (if this new version can not be deciphered by any private key held by the device), a re-encryption. The Ateniese-Fu-Green-Hohenberger system lays the foundations of this system, including the possibility of managing only one key for encryption, the re-encryption keys being systematically calculated from the corresponding private key of the device pointed by a one-way algorithm (preventing to find this private key from the transition key).

The Tysowski-Anwarul system takes the idea of the previous system (described for a server) and adapts it to a situation including a storage cloud. However, all these systems pose performance problems Indeed, if the re-encryption phase can be delegated to the cloud, which can implement a high-performance re-encryption, it is not the same for encryption or decryption, which are implemented by the devices themselves. But these devices may have only very poor performance (for example in the case of a mobile phone) and slow down storage operations in the cloud (which may involve encryption) or reading data stored in the cloud ( which may involve decryption). It is recalled that by definition, a secret key (used in the context of a so-called "secret key" or "symmetric" cryptosystem) is a key that is used interchangeably to encrypt data or to decipher this data once it has been encrypted. is encrypted. Thus the sharing of encrypted data with a secret key involves sharing the secret key (so that the entity receiving the encrypted data can decrypt them). By contrast, a pair of keys (used in the context of a "public key" or "asymmetric" cryptosystem) consisting of a private key held by a single holder and an associated public key, which can be shared with everyone, allows, for example in the context of a PKI, not to share the means of decryption (or more generally the means of signing, authentication, etc.). It is therefore important not to confuse the notion of secret key (which is a symmetric key) with the notion of private key (which is an asymmetric key associated with a public key). However, by misnomer, private keys are sometimes called secret keys when there is no ambiguity. The invention aims to improve the situation.

The invention relates in particular to a method of accelerating cryptographic calculations by a system comprising an electronic device and a calculation server, the method comprising: / a / the implementation, by the electronic device, of at least one a step of a re-encrypted encryption of a message, said at least one step comprising the step or step of the encryption encryption that uses information in clear on the message; / b / the delegation, by the electronic device to the calculation server of the implementation of the re-encryptive encryption steps other than said at least one step implemented by the electronic device during the phase / a /.

This protected is advantageous in that it increases the performance of encryption, thanks to the computing power of the calculation server, without compromising security (the calculation server does not have access to the message in clear). It is also advantageous in that it prevents a set of entities in collusion (for example an entity having access to the calculation server and an entity in charge of a re-encryption of the encrypted message that is re-encrypted) to obtain the message in the clear. The invention also relates to a method of accelerating cryptographic calculations by a system comprising an electronic device and a calculation server, the method comprising: / c / the implementation, by the electronic device, of at least one a step of decrypting a scrambled encrypted message by encryption, said at least one step comprising the one or more decryption steps that use plaintext information on the message; / d / the delegation by the electronic device to the calculation server of the implementation of the step or decryption steps other than said at least one step implemented by the electronic device during phase / c /. This protected is advantageous in that it increases the performance of the decryption, thanks to the computing power of the calculation server, without compromising security (the calculation server does not have access to the message in clear). It is also advantageous in that it prevents a set of entities in collusion (for example an entity having access to the calculation server and an entity in charge of a re-encryption of the encrypted message that is re-encrypted) to obtain the message in the clear.

The invention also relates to a computer program arranged to implement a method according to an embodiment of the invention, when it is executed by one or more processors. Such a computer program provides the advantages of the method that it implements, as well as an increased flexibility compared to a purely material implementation of the method (in particular, modifications or updates of the system can be facilitated ). The invention also relates to a system for accelerating cryptographic calculations, comprising an electronic device and a calculation server, in which: the electronic device is arranged to implement at least one step of a re-encrypable encryption of a message, said at least one step comprising the step or steps of the re-encrypting encryption that use information in clear on the message; the electronic device is arranged to delegate to the calculation server the implementation of the step or steps of encryption re-encryption other than the at least one step implemented by the electronic device.

This system is advantageous in that it makes it possible to increase the performance of the encryption, thanks to the calculation power of the calculation server, without compromising the security (the calculation server having no access to the message in the clear). It is also advantageous in that it prevents a set of entities in collusion (for example an entity having access to the calculation server and an entity in charge of a re-encryption of the encrypted message that is re-encrypted) to obtain the message in the clear. The invention also relates to a system for accelerating cryptographic calculations, comprising an electronic device and a calculation server, in which: the electronic device is arranged to implement at least one step of a decryption of a message encrypted by scramble encryption, said at least one step comprising the one or more decryption steps that use information in clear on the message; the electronic device is arranged to delegate to the calculation server the implementation of the step or steps of decryption other than the at least one step implemented by the electronic device. This system is advantageous in that it makes it possible to increase the performance of the decryption, thanks to the calculation power of the calculation server, without compromising the security (the calculation server having no access to the message in the clear). It is also advantageous in that it prevents a set of entities in collusion (for example an entity having access to the calculation server and an entity in charge of a re-encryption of the encrypted message that is re-encrypted) to obtain the message in the clear. Other aspects, objects and advantages of the invention will appear on reading the description of several of its embodiments. The invention will also be better understood with the aid of the drawings, in which: FIG. 1 illustrates a system according to one embodiment; FIGS. 2 to 5 illustrate embodiments of methods according to the invention; FIGS. 6 to 9 illustrate methods of cryptographic acceleration; FIG. 1 illustrates a system comprising a PDA (Personal Digital Assistant) comprising mobile telephony functions, identified by the reference MOB1, a MOB2 tablet also comprising mobile telephony functions, a CLOUD storage cloud in which the PDA MOB1 and the MOB2 tablet can store information, and a CALC_S calculation server, which is part of a cloud different from the CLOUD cloud storage. The PDA MOB1 comprises a public key PUB_K1 and an associated private key PRI_K 1. It shares its public key PUB_K1 in particular with the calculation server CALC_S. The MOB2 tablet includes a public key PUB_K2 and an associated private key PRI_K2. It shares its public key PUB_K2 notably with the computing server CALC_S. The PDA MOB1 encrypts an M message using its public key PUB_K1. In order to implement this encryption (which is a re-encrypted encryption, that is to say an encryption whose result can be re-encrypted), it performs cooperative calculations (materialized by a double vertical arrow) with the calculation server CALC_S . These cooperative calculations make it possible to accelerate the encryption operation (certain steps being carried out by the calculation server CALC_S and thus lightening the load of the PDA MOB1). These cooperative computations are implemented without having to divulge to the calculation server CALC_S neither the message M nor the private key PRI_K1 or PRI_K2, which is illustrated by a cross blocking the private keys PRI_K1 and PRI_K2 and the message M, at the level of the Calculation server CALC_S. The MOB1 PDA then transmits the encrypted message to the CLOUD storage cloud in order to store it. Then the MOB2 tablet requests access to this message. Since the message encrypted with the key PUB_K1 can only be decrypted with the key PRI_K1, which the tablet MOB2 does not have, the storage cloud CLOUD implements a re-encryption of the encrypted message by means of a transition key TK12 . This re-encryption is implemented without having to disclose the message M nor the private key PRI_K1 or PRI_K2 to the storage cloud CLOUD, which is illustrated by a cross blocking the private keys PRI_K1 and PRI_K2 and the message M, at the level of the cloud. storage. After receiving the re-encrypted message M, the MOB2 tablet implements the decryption of the message using its private key PRI_K2. In order to implement this decryption, it performs cooperative calculations (materialized by a double horizontal arrow) with the calculation server CALC_S. These cooperative calculations make it possible to speed up the decryption operation. These cooperative computations are implemented without having to divulge to the calculation server CALC_S neither the message M nor the private key PRI_K1 or PRI_K2, which is illustrated by a cross blocking the private keys PRI_K1 and PRI_K2 and the message M, at the level of the Calculation server CALC_S. According to one embodiment, a method for accelerating cryptographic calculations is implemented by a system comprising an electronic device MOB1 and a calculation server CALC_S. The electronic device can be a laptop, a desktop, a tablet, a server (such as an enterprise server, under the control of the company, as opposed to the servers of the company). cloud), a mobile phone (traditional or advanced, smartphone type), a digital camera, a digital recorder (such as a recorder integrated into an MP3 player), a USB security key, a security memory card, or still a SIM card. This list of examples is not limiting. Some electronic devices according to the method may inherently have limited performance. For example, the SIM card of a mobile phone has a very weak processor compared to a conventional computer processor, and storage capacities (in RAM and in rewritable memory or not) very limited (much lower , sometimes several orders of magnitude, to those of a conventional computer), the computing capabilities can be negatively affected by each of these restricted capabilities.

However, a SIM card provides an environment that can be much more secure than that of a mobile phone that hosts it, and can therefore be an advantageous electronic device in the context of the invention from the point of view of security. Other electronic devices according to the method, such as servers, may be powerful enough to quickly process an encryption request, but may be unable to process a number of parallel requests greater than a certain threshold. This could be the case, for example, of a company's encryption server, if this server was suddenly solicited by many employees of the company. Other electronic devices according to the method, such as personal computers (portable or not) can see their performance affected by parameters difficult to control. While a server or SIM card park may be supervised by a network administrator, a personal computer is often administered in an unintended manner by an unsuspecting user, and may be subject to miscellaneous software installations (computer software). peer-to-peer, etc.) or unsuitable configurations or infections with viruses. This may affect the performance of the computer. Thus, a personal computer could, while its performance is negatively affected by the presence of many software consuming resources (computing resources, network resources, storage resources, etc.), find it impossible to process requests from encryption of the user within a satisfactory time. For example, the user of a computer might want to make an encrypted archive of his hard drive in the cloud. This could generate the encryption of hundreds of thousands of files and slow down the process in a very perceptible and very annoying way for the user. This is even more noticeable if each file is encrypted independently (and even more if there are many small files). Slowing is further increased if each file is encrypted by a separate session key from the one used for the other files, which may be desirable.

The calculation server CALC_S according to the method may be a software server providing cryptographic calculation services (for example to the electronic device, considered as client of a server client architecture). The calculation server CALC_S according to the method can also be a physical server hosting a software server according to the preceding sentence. It can also be a set of interconnected physical servers cooperating to provide the services of cryptographic calculations through a single logical server. The use of such a set may allow increased performance as well as redundancy improving the quality of service in case of failure of one of the physical servers. It is also possible that the calculation server is hosted by a network of computing devices (called grid, because of the English term, or sometimes French computer grid). According to one possible embodiment, the server is distributed on a set of smart cards. The method comprises the implementation, by the electronic device MOB 1, of steps of a re-encrypable encryption of a message M, said steps comprising the steps of the re-encrypable encryption that use information in the clear message M. It is heard that the plural "steps" covers the situation in which there is only one step. According to one embodiment, the re-encrypable encryption is operated using a public key of the electronic device. The message M can be a secret key (in the strict sense, that is to say a symmetric key), such as a key RC4, DES, 3DES, AES, or other. Thus, an electronic device can generate or cause to generate a secret key, encrypt information (for example photo files, music files, or any other content) with this secret key (according to conventional symmetric encryption), and encrypt this secret key with a public key of its own, according to a re-encrypted encryption. The fact that the encryption of the message M is re-encrypted means, as is well known to those skilled in the art, that it is possible to transform the encrypted message with a public key of the electronic device into the same encrypted message with another public key, without having to decrypt the initial encrypted message (of course the encryption resulting from the re-encryption is different from the initial encryption). Thus, initially encrypted information stored by the user of the electronic device for his own account (for example in the cloud), in combination with the re-encrypted encryption of the secret key used to encrypt this information, can be subsequently shared with the client. other persons, subject to the availability of appropriate re-encryption. For example, after re-encrypting the secret key with the public key of a second electronic device MOB2, this second electronic device can decrypt the secret key (using its private key corresponding to the public key used during the re-encryption), then decrypt the encrypted content with this secret key. According to some embodiments, the information to be shared is very small, and it is possible to encrypt them with the encryption directly, without going through symmetric encryption. Thus, the message M can directly contain the useful information. In this case, it may be advisable, before encrypting the information, to apply a padding (sometimes called filling scheme in French, although the skilled person usually uses the English word padding). According to one embodiment, since the encryption method is re-divided into steps, the electronic device performs only the steps that use information in the clear on the message M. The information in the clear on the message M is the information that makes it possible to directly or indirectly determine at least a part of the message M, without having any key for decrypting the final result of the re-encrypted encryption of the message M nor any part of such a key. The steps performed by the electronic device can thus comprise, for example, a step using a block of the message M (when this message M is divided into several blocks), or else using all or part of the message M that has been the object of an XOR (logical operation of or exclusive) with a determined or determinable mask (such as a standard initialization vector, or non-secret, or constant and easily guessable), or using all or part of the message that has been subject a simple formatting process, even if it is surjective formatting (as long as it is possible to recover at least part of the message from the result of the formatting process), or even using all or part of the message M that has been reversibly manipulated using non-secret or private data. According to one embodiment, the encryption method includes at least one step, which, while not using information in the clear message M, uses information in clear on all or part of secret keys or private or other secret elements used in the context of the encryption re-encryption (although no secret or private element is mandatory in absolute terms). In this case, the electronic device performs this (or these) step (s), in addition to the steps that use information in the message M clear.

According to one embodiment, the electronic device MOB1 also performs at least one step which, while not sensitive (not handling any information in the clear on the message M or on the key or other secrets possibly used), can be processed quickly by the electronic device. Fast processing means processing such that the delegation of all the remaining steps (not performed by the electronic device) nevertheless provides a substantial performance gain compared to a complete absence of delegation. The method comprises the delegation, by the electronic device MOB1 to the calculation server CALC_S of the implementation of the steps of the encryption re-encrypted (it is understood that the plural "steps" covers the situation in which there is only one step) other than those (or that) implemented by the electronic device MOB1. The calculation server may be a server comprising hardware acceleration devices, such as accelerator cards. The calculation server can also be a set of SIM cards. These SIM cards can comprise a TCP / IP server according to a well-known technique, and rely on this TCP / IP server to share the result of the steps that are processed with the electronic device MOB1. These SIM cards can alternatively implement a proprietary server client communication protocol. The SIM cards of an operator network can be requested, considering that in a case of intended use, only a minority sub-set of SIM card users wishes to simultaneously encrypt data (for example to a cloud of data). storage), and therefore all other SIM cards can have sufficient computing power to enable this encryption with satisfactory performance. It may be sufficient for this purpose that the steps delegated by the electronic device (which may itself be a SIM card of the network) are parallelizable with steps executed by the electronic device. This is particularly advantageous when the parallelizable step (s) which must be executed by the electronic device itself take at least as much time as the time required for the requested SIM (s) for the execution of the delegated step (s). It is possible to delegate the same step to several SIMs in parallel, so that if one of the SIM is turned off during the implementation of the step, at least one SIM remains statistically lit and can provide the result expected. Such a server may be advantageous over a physical server (managed for example by a telecom operator SIM cards), especially in the case of users roaming (for example when they are in a country not covered by their operator), these users being able to be near other users having SIM cards of the same operator, and thus reducing the use of third party networks by the operator.

According to one embodiment, a cryptographic computation acceleration method comprises the use, as re-encrypble encryption, of a second-level encryption of the Libert-Vergnaud schema and a delegation of the encryption. The scheme of Libert-Vergnaud is described in particular in "Unidirectional chosen-ciphertext secure proxy re-encryption", Ronald Cramer, Editor, Public Key Cryptography, volume 4939 of Lecture Notes in Computer Science, Benoît Libert and Damien Vergnaud, pages 360-379 , Springer, 2008, the contents of which are incorporated by reference. The delegation comprises sending, by an electronic device MOB1 to a calculation server CALC_S, the signature verification key of the single-use signature scheme used according to the Libert-Vergnaud scheme, denoted svk. The delegation includes the calculation of the product of u at the power svk by v, u and v respectively designating the second and third generators of the Libert-Vergnaud scheme. The delegation comprises sending, by the calculation server CALC_S to the electronic device MOB1, the result of the previous calculation.

According to one embodiment, all the other steps of the re-encrypable encryption of the Libert-Vergnaud scheme are executed by the electronic device MOB1. According to one embodiment, a cryptographic computation acceleration method comprises the use, as re-encrypble encryption, of a second-level encryption of the Canard-Devigne-Laguillaumie scheme, and a delegation of the encryption. The scheme of Canard-Devigne-Laguillaumie is described in particular in Sébastien's "Improving the security of an efficient unidirectional proxy re-encryption scheme", Journal of Internet Services and Information Security, 1 (2/3): 140-160, 2011 Duck, Julien Devigne, and Fabien Laguillaumie, whose contents are incorporated by reference.

The delegation comprises sending, by the electronic device MOB1 to the calculation server CALC_S, parameters E, F and tr calculated according to the scheme of Canard-Devigne-Laguillaumie. The delegation comprises the application by the calculation server CALC_S of the hash function H3 of the diagram of Canard-Devigne-Laguillaumie, the concatenation of the parameter E, the first component of the public key of the electronic device MOB1 according to the schema of Duck-Devigne-Laguillaumie, the parameter tr and the parameter F. The delegation comprises sending, by the calculation server CALC_S to the electronic device MOB1, the result of the calculation of the hash function H3.

The three phases of delegation of the three preceding paragraphs can be partly parallel (that is, for example, that the parameter F or tr can be in transmission according to the first phase whereas the concatenation according to the second phase has already started, or even the calculation of the hash function may have started, even before the concatenation is completed). According to one embodiment, all the other steps of the re-encrypted encryption of the Canard-Devigne-Laguillaumie scheme are executed by the electronic device MOB1. According to one embodiment, a cryptographic computation acceleration method comprises an electronic device MOB2 and a calculation server CALC_S. The method comprises the implementation, by the electronic device MOB2, of steps of a decryption of an encrypted message M encrypted by encryption, said steps comprising the decryption steps that use information in clear on the message M. method comprises the delegation, by the electronic device MOB2 to the calculation server CALC_S implementation of the decryption steps other than those implemented by the electronic device MOB2. It is understood that the plural "steps" covers the situation in which there is only one step. The electronic device MOB2 can be a laptop, a desktop computer (called "desktop" in English terminology), a tablet, a server (such as a corporate server, under the control of the company, as opposed to the servers cloud), a mobile phone (traditional or advanced, smartphone type), a digital camera, an MP3 player, a USB security key, a security card, or a SIM card. It can be any type of device as described in the previous embodiments.

The calculation server CALC_S according to the method may be a software server providing cryptographic calculation services (for example to the electronic device MOB2, considered as client of a server client architecture). The calculation server CALC_S according to the method can also be a physical server hosting a software server according to the preceding sentence. It may also be a set of interconnected physical servers cooperating to provide the services of cryptographic calculations. The use of such a set may allow increased performance as well as redundancy improving the quality of service in case of failure of one of the physical servers. It is also possible that the calculation server is hosted by a network of computing devices (called grid, because of the English term, or sometimes French computer grid). According to one possible embodiment, the server is distributed on a set of smart cards. It can be any type of computing server as described in the previous embodiments.

According to one embodiment, the electronic device MOB2 of the method, which delegates the decryption of the message M, is of the same type as an electronic device MOB1 having implemented a method in which it performs a re-encrypted encryption operation of the message M and delegates a party to a calculation server. According to one embodiment, the calculation server used by the electronic device MOB1 during the delegation of the re-encrypeable encryption is the same as that used by the electronic device MOB2 during the delegation of the decryption. However, it can also be a different server. It can also be the same server but consists of several physical servers, the physical server used for encryption is not necessarily the same as that used for decryption.

According to one embodiment, the decryption method comprises at least one step, which, while not using unencrypted information on the message M, uses information in clear on all or part of secret or private keys or other secret or private elements used in the context of decryption (it being understood that it is necessary to use at least one private key when decrypting the message M). In this case, the electronic device performs this (or these) step (s), in addition to the steps which use information in clear on the message M. According to some embodiments, all the steps using a clear part of a private key (or any secret or private element) also use a clear part of the message, and the distinction between these different steps does not exist. According to one embodiment, the electronic device MOB2 also performs at least one step which, while not sensitive (not handling any information in the clear on the message M or on the key (s) or other secrets possibly used), can be processed quickly by the electronic device. Fast processing means processing such that the delegation of all the remaining steps (not performed by the electronic device) nevertheless provides a substantial performance gain compared to a complete absence of delegation.

According to one embodiment, a cryptographic computation acceleration method comprises the use, as decryption, of a second-level decryption of the Libert-Vergnaud scheme, and a (partial) delegation of the decryption. The delegation understands the obtaining, by the server of computation CALC_S, of the represented representation {C1, C2, C3, C4, sigma} of the message M. The delegation understands the computation, by the server of computation CALC_S, of the result, noted P, the bilinear application e according to the scheme of Libert-Vergnaud applied to the pair formed by C2 and g, where C2 designates the second component of the encrypted representation of the message M and g denotes the first generator of the scheme of Libert-Vergnaud.

The delegation comprises sending the result P by the calculation server CALC_S to the electronic device MOB2.

The delegation understands the calculation, by the calculation server CALC_S, of the product of u to the power Cl by v, u and v respectively designating the second and the third generator of the diagram of Libert-Vergnaud and Cl designating the first component of the representation encrypted message M.

The delegation understands the calculation, by the computing server CALC_S, of the result of the bilinear application e according to the diagram of Libert-Vergnaud applied to the pair formed by C2 and the result obtained by the computation according to the preceding paragraph. The delegation understands the calculation, by the calculation server CALC_S, of the result of the bilinear application e applied to the pair formed by C4 and Xi, where C4 designates the fourth component of the encrypted representation of the message M and Xi designates the public key of the electronic device MOB2 according to the scheme of Libert-Vergnaud. The delegation understands the verification that the results obtained according to the two preceding paragraphs are identical. The delegation includes verifying that sigma, which designates the fifth component of the encrypted representation of the message M, corresponds, according to the single-use signature scheme used according to the Libert-Vergnaud scheme, to a valid signature of the concatenation of C3 and C4, C3 representing the third component of the encrypted representation of the message M, by means of the public key verification key represented by Cl. The delegation comprises the notification, by the calculation server CALC_S, to the electronic device MOB2, results checks carried out according to the two previous paragraphs. The order of these nine phases of delegation (of the preceding nine paragraphs) is not imperative, the only imperative being the functional imperative (if the results of one phase are used by another phase, this other phase must have been performed in advance, at least in part if the relevant results are obtained in a subset of this phase). The order of the steps is likely to affect performance, so you should not change the order arbitrarily if you want to maintain good performance. The steps can be partially parallelized.

According to one embodiment, a cryptographic computation acceleration method comprises the use, as decryption, of a second-level decryption of the Canard-Devigne-Laguillaumie scheme and delegation of the decryption. The delegation comprises obtaining, by the calculation server CALC_S, the encrypted representation {E, F, cr, sr} of the message M.

The delegation understands the computation, by the calculation server CALC_S, of the product of E to the power cr and of the first component of the public key of the electronic device MOB2 according to the diagram of Canard-Devigne-Laguillaumie with the power sr, E designating the first component of the encrypted representation of the message M, cr denoting the third component of the encrypted representation of the message M, sr designating the fourth component of the encrypted representation of the message M, the delegation comprises the calculation, by the calculation server CALC_S, of the result the application of the hash function H3 according to the scheme of Canard-Devigne-Laguillaumie applied to the concatenation of E, the first component of the public key of the electronic device MOB2 according to the scheme of Canard-Devigne-Laguillaumie, the result obtained according to the preceding paragraph, and of F, where F denotes the second component of the encrypted representation of the message M.

The delegation includes the verification, by the calculation server CALC_S, of the equality of cr and the result obtained according to the preceding paragraph. The delegation comprises the notification, by the calculation server CALC_S, to the electronic device MOB2, of the result of the verification carried out according to the preceding paragraph. The order of these five phases of delegation (of the five preceding paragraphs) is not imperative, the only imperative being the functional imperative (if the results of one phase are used by another phase, this other phase must have been performed in advance, at least in part if the relevant results are obtained in a subset of this phase). The order of the steps is likely to affect performance, so you should not change the order arbitrarily if you want to maintain good performance. The steps can be partially parallelized. According to one embodiment, a cryptographic computation acceleration method comprises two electronic devices MOB1 and MOB2 (and possibly a very large number, for example millions of electronic devices) and a calculation server CALC_S.

The method comprises accelerated encryption of a message M using a method as described above, in which a first electronic device MOB1 delegates a re-encrypted encryption of a message M to a calculation server CALC_S. The method comprises re-encrypting the encrypted message M according to the preceding paragraph on behalf of a second electronic device MOB2.

The method comprises accelerated decryption of the message M re-encrypted according to the preceding paragraph, using a method as described above, in which the second electronic device MOB2 delegates decryption to the calculation server CALC_S. According to one embodiment, the re-encrypable encryption of the message M is followed (possibly immediately) storage of the encrypted message M, in a storage server (which can be a cloud server). This may correspond to the recording, by a user of the first device, of information (for example a picture he has just taken with his first smartphone device), in a space reserved for him in the cloud. According to one embodiment, this storage server is also in charge of the re-encryption of the messages. Alternatively, the re-encryption is entrusted to a separate re-encryption proxy. The re-encryption mechanism is well known to those skilled in the art. According to one embodiment, the re-encrypting proxy and the calculation server CALC_S are implemented in the same server or even group of servers, which can be any of the examples of calculation servers indicated above. The re-encryption can be implemented automatically, just after recording the message M encrypted in the cloud (it can complete, without erasing, the message M encrypted by a message M re-encrypted for all devices authorized to use the message M). It is possible to consider this re-encryption as having a low priority, and to wait for a moment when the entity in charge of the re-encryption is little loaded (for example, loaded according to a charge rate of a processor of the entity less than one predetermined threshold, such as a 70% threshold or other appropriate value) before re-encrypting. The re-encryption can also be implemented (this time with maximum priority) only when a second device tries to access (for the first time) the message M, but this alternative is likely to induce a time of additional latency undesirable at the first access to the message M by this second device. According to one embodiment, a computer program is arranged to implement a method as described above when it is executed by one or more processors. It may be in particular one or more processors of the electronic device MOB1, one or more processors of the electronic device MOB2, or one or more processors of the calculation server CALC_S. This program can be written in assembly language, C language, Java language, C # language, or any other suitable language. The language can be different for a part of program located in an electronic device MOB1 or MOB2 and for a part of program located in server of computation CALC_S.

According to one embodiment, a non-transitory computer readable storage medium stores a program according to the preceding paragraph. The storage medium can be a rewritable memory (for example of the EEPROM or Flash type, or battery-backed RAM) or not (for example of the ROM type). This memory can be integrated in a SIM card, a mobile phone or a server.

According to one embodiment, a cryptographic computation acceleration system comprises an electronic device MOB1 and a calculation server CALC_S. The electronic device MOB1 is arranged to implement steps of a re-encrypable encryption of a message M, said steps comprising the steps of the encryption that can be re-encrypted using information in the clear on the message M. For this purpose, it can comprise a encryption circuit. This circuit may be a processor (it may even be an existing processor of the electronic device, such as the main processor of a mobile phone if the electronic device is a mobile phone), associated with a memory storing a suitable program for the implementation of the steps. It can also be a dedicated electronic circuit, such as an ASIC or an FPGA, or even a fully customized electronic circuit. It can also be a processor association and a cryptoprocessor, which can be associated within a microcontroller such as a smart card microcontroller. The electronic device MOB1 is arranged to delegate to the calculation server CALC_S the implementation of the steps of encryption re-encryption other than those implemented by the electronic device MOB1. For this purpose, it may include a delegation circuit. This delegation circuit may be a processor (it may even be an existing processor of the electronic device, such as the main processor of a mobile phone if the electronic device is a mobile phone), associated with a memory storing a device. program adapted for the implementation of this delegation. It can also be a dedicated electronic circuit, such as an ASIC or an FPGA, or even a fully customized electronic circuit. This delegation circuit can be associated with a proxy circuit of the calculation server CALC_S. This proxy circuit may be a processor (it may even be an existing processor of the server, such as one of the processors of the physical server if the calculation server is a multiprocessor physical server), associated with a memory (magnetic or other) storing a suitable program for the implementation of the delegated steps. The proxy circuit may also be a dedicated electronic circuit, such as an ASIC or an FPGA, or even a fully customized electronic circuit. Such a dedicated electronic circuit may take the form of an expansion card to be inserted into a port of a physical server used as a calculation server. According to one embodiment, a cryptographic computation acceleration system comprises an electronic device MOB2 and a calculation server CALC_S.

The electronic device MOB2 is arranged to implement steps of a decryption of an encrypted message M encrypted by encryption, said steps comprising the decryption steps that use information in clear on the message M. For this purpose, it can understand a decryption circuit. This circuit may be a processor (it may even be an existing processor of the electronic device, such as the main processor of a mobile phone if the electronic device is a mobile phone), associated with a memory storing a suitable program for the implementation of the steps. It can also be a dedicated electronic circuit, such as an ASIC or an FPGA, or even a fully customized electronic circuit. It can also be a processor association and a cryptoprocessor, which can be associated within a microcontroller such as a smart card microcontroller. The electronic device MOB2 is arranged to delegate to the calculation server CALC_S the implementation of the decryption steps other than those implemented by the electronic device MOB2. For this purpose, it may include a delegation circuit. This delegation circuit may be a processor (it may even be an existing processor of the electronic device, such as the main processor of a mobile phone if the electronic device is a mobile phone), associated with a memory storing a device. program adapted for the implementation of this delegation. It can also be a dedicated electronic circuit, such as an ASIC or an FPGA, or even a fully customized electronic circuit. This delegation circuit can be associated with a proxy circuit of the calculation server CALC_S. This proxy circuit may be a processor (it may even be an existing processor of the computing server, such as one of the processors of the physical server if the computing server is a multiprocessor physical server), associated with a memory ( magnetic or other) storing a program adapted for the implementation of the delegated steps. This proxy circuit can also be a dedicated electronic circuit, such as an ASIC or an FPGA, or even a fully customized electronic circuit. Such a dedicated electronic circuit may take the form of an expansion card to be inserted into a port of a physical server used as a calculation server.

According to one embodiment, a cryptographic computation acceleration system comprises a plurality of electronic devices (MOB1, MOB2 and potentially hundreds of thousands of others) and a calculation server CALC_S. This system may include a re-encryption proxy, which may be integrated with a cloud storage server.

Cryptographic algorithms that can be implemented in the context of the above embodiments are described below. When a communication is established between two entities (for example between a telephone MOB1 and a server CALC_S), with each emission of a data by one entity towards the other entity corresponds a subsequent reception of said data by the other entity, and reciprocally at each reception by an entity from the other entity corresponds to a prior transmission of said data by the other entity. However, in order to facilitate the reading of the figures, only one of the two steps is (artificially) represented, namely that which is associated with the electronic device delegating calculations to the calculation server. Implicitly, a corresponding step is implemented by the server. calculation. However, the step of transmitting an entity can be controlled by the receiving entity (for example by various techniques such as a direct memory access technique, of the DMA type) and conversely the reception by an entity can be forced by the other entity (which can force the writing, also by a DMA technique or other, according to the envisaged system). It is recalled that the scheme of Libert-Vergnaud works in the following way. he Li 1) 1: 1,1 inc user is capable of (111 '... 11 [.Tiil, i..1: 11-`" .. ii S =; I 1, 111'10 14.11, j ^ 1; 1; [El ^ 111; 11 .11: LJ iL LIfl t 1: 1011X 11 liii: it'J 'Lu: Ji 1111! Bilini..i111.1.- the Cl' Ho, = LH cf. (1), (1), (1), (1), (1), (1), (1). The symbol $ denotes a random (or, more strictly, pseudo-random) selection The secret key xi is a private key (which is described above as a secret key by abuse of language).

According to a conventional use of the Libert-Vergnaud scheme, it is possible to perform first level encryption (not allowing re-encryption) or second level encryption (allowing re-encryption). 1 r.iiil -H public, dun in (and (f.alp) 11hli Ili., Il, 1, wire L 1! Liai C '(the level 1 d lt 1, i'11,11 r1 (-? ## EQU1 ## where: ## EQU1 ## : 11V1.nll says CLI.GREEN111ENT 1) 1., A 1ii.:1(--- of the parameters (... 1'11 [1 Gr and crmiciii11iiu_ \ .i [di.nie 1.Iflil .n cle.1n 117-.:* S.Ii.r.`, - (: 1 iloo -, - 2. (1H '11 (Il: (4. = The 2riti iii is then C = (C`:. ( PL!] [1- DL. R, s (it L Jk i S.VERIF (Ci = 1. 2. ", deuleri = 7/10 F: \ IT 1") 1 1 1-1 19 of a. h 1 air lu lu air air air.. ((((((((C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 Xi Xi Xi Xi Xi Xi Xi Xi Xi / 7-`It is proposed to delegate a first-level encryption as shown in figure 6. Such a delegation makes it possible to accelerate the encryption, but in a context that does not require re-encryption. first device (such as a mobile phone MOB1) and a computing cloud (such as a service calculation CALC_S), so that it does not obtain relevant information on the message m to encrypt (relevant from the point of view of a person seeking to know the content at least partial message m). The mobile telephone implements the steps S1 to S9 and the calculation server implements the steps D1 to D4. it is possible, according to the single-use signature scheme considered, to divide steps 51 and S9 between the mobile phone and the calculation server.The order of the steps may be different from that shown in FIG. to speed up the processing, not all orders are equal (some may lead to slower executions than others) In one embodiment, a method delegates second level encryption as shown in Figure 2. Such a delegation makes it possible to accelerate the encryption in a context likely to require a re-encryption, thus dividing the calculations between a first device (such as a mobile phone MOB1) and a calculation cloud (such as a calculation server CALC_S ), of such so that the latter does not obtain relevant information on the message m to encrypt (relevant from the point of view of a person seeking to know the at least partial content of the message m). The (il-Fr "le") tid au dune, h,:, 1, H The mobile phone implements steps 51 to S9 and the calculation server implements the step Dl. not shown, it is possible, according to the single-use signature scheme considered, to divide steps 51 and S9 between the mobile telephone and the calculation server.The order of the steps may be different from that shown in FIG. in particular, it matters only that: S2 is performed after S1, S3 after S1, D1 after S3, and S5 after D1, S6 after S4, S7 after S4, S8 after S4 and S5, S9 after S1, S7 and S8. to speed up processing, not all orders are equal (some may lead to slower executions than others).

Conversely, still in the framework of the Libert-Vergnaud scheme, it is proposed to delegate a first level decryption as indicated in FIG. 7. This makes it possible to distribute the calculations between the mobile phone MOB2 and the calculation server CALC_S. so that the latter does not obtain any relevant information on the private key xi or on the message m to be decrypted (relevant from the point of view of a person seeking to know the at least partial content of the message m or the private key xi). The order of the steps may be different from that shown in Figure 7. However, to speed up processing, not all orders are equal (some may lead to slower runs than others).

According to one embodiment, a method delegates a second-level decryption as indicated in FIG. 3. This makes it possible to distribute the calculations between the mobile phone MOB2 and the calculation server CALC_S, so that the latter does not obtain no relevant information on the private key xi or on the message m to decipher (relevant from the point of view of a person seeking to know the at least partial content of the message m or the private key xi).

The order of the steps may be different from that shown in FIG. 3, in particular, it only matters that: S2 is executed after S1, and 51 after D1. It is advantageous if S2 is executed as soon as possible because the electronic device MOB1 is often slow. To speed up processing, not all orders are equal (some may lead to slower runs than others).

It is recalled that the scheme of Canard-Devigne-Laguillaumie works in the following way. The indicated values of 160 bits or 140 bits are illustrative (and correspond to advantageous embodiments). It is also possible to use different values. (: u.vu: ATION DL: - the. \ 1:., .. S ... Ei.1.1 I. ~ utj, and (.1 two prunner numbers such as (111) - 1 and f, 1 end., q far 11i0 bit: - The, 1 Vil [.: [; -; 1 11-1 II. 'I pli in', 4 HU '.' 2.141,11,1 'of Z, 7 * (iii), (iii), (iii), (iii), (iii), (1) and (iii). ... 1., -. ^ HlL 10,11H. Llr - Wlilf 1 - 110 a tiit ..- .. tiiR. N1-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, L1: 1 - 10 lii f0,111,1-1, - 113 {0,} * Z * and The figures of the global ring are - 1). (.1, EM: PATION from it, hrain (very As a result, each user is able to generate his / her key to the public key, the public key, a lot, and a user. One of the most important tools in the world for the first time is the 11th edition of the 11.11.C. ) .1111-1 etw e_ 10,1111 calculates, t = wi (h11, or 11) {'iit 1I dice 2. C.1, alt.I11 ,,. = 3 Define 1? -. The key to rechiffrelnent of. is then The ski key is a private key qualified secret key by abuse of language. This ski key is indifferently noted ski or xi. According to a conventional use of the Canard-Devigne-Laguillaumie scheme, it is possible to perform first-level encryption (not allowing re-encryption) or second-level encryption (allowing re-encryption). Ciurrta .., t1, t 1 1 public parameters. mess. 1.11. leliiiI. ## STR1 ## wherein: ## STR1 ## H. hoisir, / hut: r- = t E = 4. (. (1.1 {0.1} / 1 tq- (Rtetil (r = 1.2 = 7-12 (Ye The lei iv ier + lu in 11) I = (E _Il -.XX). x cti the public key eorre-pondanie = Pl til.CONI) A inf {0.1 and a 14 pulldic liîif1 C 1 level 2; He then follows, at this point, to read 1. Clause 10.1111 and calculate r = t 1! 2.t... 1 F = W2ffi? uT2 3. ^ Ino 1,1 Sch.riorr r such that fty: and, tu, nr,; roof-had rr E t, - niCUler Cr = (..; (E der Sr = r, - F) and 1 q) The figure of 211d tiii. ' and: ## EQU1 ## where ## EQU1 ## is T = Pr, [111-111: ME :: 71 "IP ;; I: ni1i: P N1..EI _ \ itublif-s. If possible, read: 1 [H o_t, -ji.1) 1,: éiit (h "the following way: l + rrS exit Irt, if not return 1. 1111: 1- l) 1 :. '(Y. \ 11) LEVF In the I, - do: -. 1) ;: ln.L.:(1 1. (1'11110. T possl ble roitvei itp.ssagi ....., sub- ia (elo la 1. -1, s1: 211at1ire = Four (- ^ ta 1 cr e, n! lnn rh pi 2. (E = (pkoi ': -, t it In _L. It is proposed to delegate a first level encryption in the manner indicated in FIG. 8. Such delegation makes it possible to accelerate the encryption, but in a context that does not require re-encryption. The calculations are thus distributed between a first device (such as a mobile phone MOB1) and a calculation cloud (such as a calculation server CALC_S), so that the latter does not obtain relevant information on the message m to be encrypted (relevant from the point of view of a person seeking to know the at least partial content of the message m).

The mobile telephone uses steps S1 to S10 and the calculation server implements steps D1 to D6. The order of the steps may be different from that shown in Figure 8. However, to speed up processing, not all orders are equal (some may lead to slower executions than others).

According to one embodiment, a method delegates second-level encryption as indicated in FIG. 4. Such delegation makes it possible to accelerate the encryption in a context that may require re-encryption. The calculations are thus distributed between a first device (such as a mobile phone MOB1) and a calculation cloud (such as a calculation server CALC_S), so that the latter does not obtain relevant information on the message m to be encrypted (relevant from the point of view of a person seeking to know the at least partial content of the message m). 2iid level (hi niess <tt + .do, = ./ '17 = The mobile phone implements steps 51 to S9 and the calculation server implements step Dl.

The order of the steps may be different from that shown in FIG. 4. In particular, the step S7 may be divided, for example, into three steps S7a, S7b and S7c respectively corresponding to the transmission of the information E, F and tr, or in two steps, one combining two of the three information E, F and tr, and the other comprising the third of this information. It matters only that: S2 is executed after S1, S3 after S2, S4 after S2, S7 or its variant S7a (or any variant of S7 comprising the sending of information E) after S3, S7 or its variant S7b (or any variant of S7 comprising sending the information F) after S4, S7 or its variant S7c (or any variant of S7 comprising sending the information tr) after S6, S6 after S5 (S5 corresponding to a random generation of ri), Dl after S7 (or after the S7 decomposition into sub-stages having transmitted the three information E, F and tr), S8 after D1, and S9 after S8. However, to speed up processing, not all orders are equal (some may lead to slower executions than others). Conversely, still in the framework of the Canard-Devigne-Laguillaumie scheme, it is proposed to delegate a first-level decryption as indicated in FIG. 9. This makes it possible to distribute the calculations between the mobile phone MOB2 and the calculation server. CALC_S, so that the latter does not obtain any relevant information on the private key ski (also noted xi) or on the message m to decipher (relevant from the point of view of a person seeking to know the at least partial content of the message m or private ski key). The order of the steps may be different from that shown in Figure 9. However, to speed up the processing, all orders are not equal (some may lead to slower executions than others). According to one embodiment, a method delegates a second-level decryption as indicated in FIG. 5. This makes it possible to distribute the calculations between the mobile telephone MOB2 and the calculation server CALC_S, so that the latter does not obtain no relevant information on the private ski key (also noted xi) or on the message m to decipher (relevant from the point of view of a person seeking to know the at least partial content of the message m or the private key ski). The order of the steps may be different from that shown in FIG. 5, in particular, D1 and 51 need not be executed simultaneously. It matters only that S1, S2 and S3 are executed in order. To speed up processing, not all orders are equal (it is preferable that Dl be executed as soon as possible, and its result notified to the MOB2 device as soon as possible). Thus, various embodiments make it possible to delegate cryptographic calculations related to encryption and / or decryption to a dedicated computing cloud (including a calculation server). To store a document on the storage cloud, a first device can interact with the compute cloud to encrypt the secret key of the document. Once the encrypted document received via the storage cloud, a second device (possibly the same as the first) can interact with the computing cloud to obtain the secret key of the document and decrypt it. These embodiments can be implemented in particular within the framework of Ilab UK's ConfidenShare project, which allows two mobile phones to communicate with each other (via an NFC link) in order to exchange the public keys. One of the devices then calculates the re-encryption key and sends the cloud (storage) this key and an identifier of the document in question. The cloud re-encrypts the document and stores it at a location linked to an url that is sent back to the first mobile. The latter sends the url to the other mobile who is then able to connect to it, then use his private decryption key to obtain the document in clear.

This type of project can be deployed in multiple contexts, such as the storage of any personal data, the storage of shared calendars or health data, or the management of loss of authentication means. Of course, the examples given above are in no way limiting. Devices other than those listed in the various examples could be used (eg digital dictaphones, WiFi telephones using the ToIP, connected GPS devices, drink dispensers with M2M modules, etc.). The first level encryption or decryption acceleration methods may be implemented separately from, or in addition to, the other embodiments. Thus, a device can at the same time not allow any sharing of certain encrypted data (using first-level encryption), and allow, via a re-encryption, sharing of other encrypted data (using 'second level encryption). In addition, reference has been made by way of example to the Libert-Vergnaud and Canard-Devigne-Laguillaumie schemes, but other schemes could be used, for example bidirectional schemes, or multi-hop schemes.

The method embodiments can be transposed to the devices, and vice versa.

Claims (10)

REVENDICATIONS1. A method of accelerating cryptographic calculations by a system comprising an electronic device (MOB1) and a calculation server (CALC_S), the method comprising: / a / the implementation, by the electronic device (MOB1), of at least a step of a re-encrypted encryption of a message (M), said at least one step comprising the step or steps of the re-encrypable encryption that use information in clear on the message (M); / b / the delegation, by the electronic device (MOB1) to the calculation server (CALC_S) of the implementation of the step or step of the encryption re-encryption other than the at least one step implemented by the electronic device (MOB1) during phase / a /. 2. Method according to claim 1, comprising the use, as re-encrypted encryption, of a second-level encryption of the Libert-Vergnaud scheme, in which the delegation according to the / b / phase comprises: / b11 / the sending, by the electronic device (MOB1) to the calculation server (CALC_S), the signature verification key of the single-use signature schema used according to the LibertVergnaud schema, denoted svk, / b12 / the calculation of the product from u to the power svk by v, u and v respectively designating the second and third generators of the Libert-Vergnaud scheme, / b13 / sending, by the calculation server (CALC_S) to the electronic device (MOB1), the result of the calculation of phase / b12 /. 3. Method according to claim 1, comprising the use, as a re-encrypted encryption, of a second-level encryption of the Canard-Devigne-Laguillaumie scheme, in which the delegation according to the / b / phase comprises: / b21 / l sending, by the electronic device (MOB1) to the calculation server (CALC_S), parameters E, F and tr calculated according to the scheme of Canard-Devigne-Laguillaumie, / b22 / the application by the calculation server (CALC_S) of the hash function H3 of the Canard-Devigne-Laguillaumie scheme, the concatenation of the parameter E, the first component of the public key of the electronic device (MOB1) according to the Canard-Devigne-Laguillaumie scheme, the parameter tr and the parameter F, / b23 / sending, by the calculation server (CALC_S) to the electronic device (MOB1), the result of the calculation of the hash function H3. 4. A method for accelerating cryptographic calculations by a system comprising an electronic device (MOB2) and a calculation server (CALC_S), the method comprising: / c / the implementation, by the electronic device (MOB2), of at least one step of decrypting a scrambled encrypted message (M), said at least one step comprising the decryption step (s) that uses plaintext information on the message (M); / d / the delegation, by the electronic device (MOB2) to the calculation server (CALC_S) of the implementation of the step or decryption steps other than the at least one step implemented by the electronic device (MOB2) during phase / c /. 5. Method according to claim 4, comprising the use, as decryption, of a second-level decryption of the Libert-Vergnaud scheme, in which the delegation according to the / d / phase comprises: / d11 / obtaining, by the calculation server (CALC_S), the encrypted representation {C1, C2, C3, C4, sigma} of the message (M), / d12 / the calculation, by the calculation server (CALC_S), of the result, denoted P, the bilinear application e according to the Libert-Vergnaud scheme applied to the pair formed by C2 and g, where C2 denotes the second component of the encrypted representation of the message (M) and g denotes the first generator of the Libert-Vergnaud scheme, / d13 / the sending of the result P by the computing server (CALC_S) to the electronic device (MOB2), / d14 / the computation, by the computing server (CALC_S), of the product of u to the power Cl by v, u and v respectively designating the second and the third generator of the Libert-Vergnaud scheme and Cl designating the first first component of the encrypted representation of the message (M), / d15 / the computation, by the calculation server (CALC_S), of the result of the bilinear application e according to the Libert-Vergnaud scheme applied to the pair formed by C2 and the result obtained during the phase / d14 /, / d16 / the computation, by the calculation server (CALC_S), of the result of the bilinear application e applied to the pair formed by C4 and Xi, where C4 designates the fourth component of the representation encrypted message (M) and Xi designates the public key of the electronic device (MOB2) according to the Libert-Vergnaud scheme, / d17 / checking that the results obtained during phase / d15 / and during phase / d16 / are identical, / dl 8 / verifying that sigma, which designates the fifth component of the encrypted representation of the message (M), corresponds, according to the single-use signature scheme used according to the Libert-Vergnaud scheme, to a valid signature of the concatenated of C3 and C4, C3 representing the third component of the encrypted representation of the message (M), thanks to the public verification key represented by Cl, / d19 / the notification, by the calculation server (CALC_S), to electronic device (MOB2), results of the checks carried out during phases / d17 / and / d18 /. 6. Method according to claim 4, comprising the use, as decryption, of a second-level decryption of the Canard-Devigne-Laguillaumie scheme, in which the delegation according to the / d / phase comprises: / d21 / obtaining , by the calculation server (CALC_S), of the encrypted representation {E, F, cr, sr} of the message (M), / d22 / the calculation, by the calculation server (CALC_S), of the product of E to the power cr and the first component of the public key of the electronic device (MOB2) according to the scheme of Canard-Devigne-Laguillaumie to the power sr, E designating the first component of the encrypted representation of the message (M), cr denoting the third component of the encrypted representation of the message (M), sr designating the fourth component of the encrypted representation of the message (M), / d23 / the calculation, by the calculation server (CALC_S), of the result the application of the function of H3 hash according to the scheme of Canard-Devigne-Laguillaumie app liquefied to the concatenation of E, the first component of the public key of the electronic device (MOB2) according to the Canard-Devigne-Laguillaumie scheme, the result of the phase / d22 /, and F, where F designates the second component the encrypted representation of the message (M), / d24 / the verification, by the calculation server (CALC_S), of the equality of cr and the result of the phase / d23 /, / d25 / the notification, by the server of computation (CALC_S), with the electronic device (MOB2), of the result of the check carried out during the phase / d24 /. A method for accelerating cryptographic calculations by a system comprising two electronic devices (MOB1, MOB2) and a calculation server (CALC_S), the method comprising: / aa / accelerated encryption of a message (M) to the using a method according to claim 1, by a first electronic device (MOB1) and the calculation server (CALC_S), / bb / the re-encryption of the message (M) encrypted during the phase / aa / on behalf of a second electronic device (MOB2), / cc / the accelerated decryption of the re-encrypted message during the / bb / phase, using a method according to claim 4, by the second electronic device (MOB2) and the calculation server ( CALC_S) 8. Computer program arranged to implement the method of claim 1 when executed by one or more processors. 9. System for accelerating cryptographic calculations, comprising an electronic device (MOB1) and a calculation server (CALC_S), in which: the electronic device (MOB1) is arranged to implement at least one step of a re-encrypable encryption a message (M), said at least one step comprising the step or step of the encryption encryption that uses information in clear on the message (M); the electronic device (MOB1) is arranged to delegate to the calculation server (CALC_S) the implementation of the step or steps of the encryption rechiffrable other than the at least one step implemented by the electronic device (MOB1). A system for accelerating cryptographic calculations, comprising an electronic device (MOB2) and a calculation server (CALC_S), in which: the electronic device (MOB2) is arranged to implement at least one step of decryption a scrambled encrypted encrypted message (M), said at least one step comprising the one or more decryption steps that use plaintext information on the message (M); the electronic device (MOB2) is arranged to delegate to the calculation server (CALC_S) the implementation of the one or more decryption steps that the at least one step implemented by the electronic device (MOB2) .20