OA12153A - Multi-module encryption method. - Google Patents

Abstract

When an encrypting-decrypting module is being used, there are various methods for determining the key or keys used by said module by analysing the module input or output data. To remedy this inconvenience, the inventive multiple module method is characterised in that the downstream module starts its encrypting-decrypting operations as soon as part of the results of the upstream module is available.

Description

MULTI-MODULATING ENCRYPTION METHOD 012153

The present invention relates to the field of encryption, or encryption, and decryption or decryption of data, and particularly data to remain inaccessible to persons or devices not authorized in the context of pay-TV systems. In such systems, the data are encrypted in a secure environment, housing significant computing powers, and called encoding systems, and sent, by means known per se, to at least one decentralized subsystem where they are decrypted, usually using an IRD (Integrated Receiver Decoder) and with the help of a smart card. This smart card and the decentralized subsystem that cooperates with it are easily accessible by a possibly unauthorized person.

It is known to link various encryption-decryption means in a decryption-deciphering system. In the following, we will call encryption - decryption a particular encryption means used in a larger system of encryption-decryption.

It has long been sought to optimize the operation of these systems in terms of speed, space occupied in memory and security. Speed is understood in the sense of the time needed to decipher the data received.

It is known encryption systems - decryption with symmetric keys. Their inherent safety can be qualified according to several criteria.

The first criterion is that of physical security, relative to the ease or the difficulty of a method of investigation by extraction of certain components, followed by their possible replacement by other components. These relocation components, intended to inform the unauthorized person about the nature and operation of the encryption-decryption system, are chosen by him so as not to be detected, or as little as possible, by the rest of the system.

A second criterion is that of system security, in the context of which the attacks are not intrusive from a physical point of view but call for mathematical analysis. Typically, these attacks will be carried out by

DUPLICATA -2 - 012153 high-power computers that will attempt to break algorithms and encryption codes.

Encryption means - decryption symmetric keys are for example systems called DES (Data Encryption Standard). These means, relatively old, offer more than a system security and a physical security touterelatives. It is for this reason that more and more, the DES, whose key lengths are too small to meet the security system requirements, is replaced by new encryption or decryption means or with longer keys. In general, these symmetric key means involve algorithms comprising rounds of encryption. Other attack strategies are called Simple Power Analysis, and TimingAnalysis. In Simple Power Analysis, we use the fact that a microprocessor that is responsible for encrypting or decrypting data is connected to a voltage source (typically 5 volts). When at rest, it is traversed by a current fixed'intensity i. When it is active, the instantaneous intensity i is a function, not only of the incoming data, but also of the encryption algorithm. The Simple PowerAnalysis consists in measuring the current i as a function of time. One can thus reduce the type of algorithm that the microprocessor performs.

In the same way, the Timing Analysis method consists of measuring the duration of the calculation according to a sample presented to the decryption module. Thus, the relationship between the sample presented and the calculation time of the result makes it possible to find the secret decryption module parameters such as the key. Such a system is described for example in the document "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems" published by PaulKocher, Cryptography Research, 870 Market St, Suite 1088, San Francisco, CA-USA.

To improve the security of the encryption system, it has been proposed asymmetric key algorithms, such as so-called RSA systems (Rivest, Shamir and Adleman). These systems include the generation of a pair of paired keys, one called public key for encryption, and the other said private serving for encryption. These algorithms have a high level of security both system

DUPLICATE -3- 012153 that physical. On the other hand, they are slower than traditional systems, especially encryption austade.

The most recent attack techniques make use of the so-called DPA concept of English Differential Power Analysis. These methods are based on checks, verifiable after a large number of tests, on the presence of a 0 or a 1 in a given position of the encryption key. They are virtually non-destructive, which gives them good undetectability, and involve both a physical intrusion component and a mathematical analysis component. Their operation is reminiscent of oilfield investigation techniques, where an explosion of known power is generated on the surface and where earphones and probes, placed at distances also known from the site of explosion, make it possible to make assumptions about the stratigraphic composition of the sub-surface. -sol without too much digging, thanks to the reflection of shock waves by the limits of sedimentary layers in this basement. DPA attacks are described in particular in § 2.1. of the document "A Cautionary Note RegardingEvaluation of AES Candidates on Smart-Cards", published on February 1, 1999 bySuresh Chari, Charanjit Jutla, Josyula R. Rao and Pankaj Rohatgi, IBM T.J.Watson Research Center, Yorktown Heights, NY. The requirement of having to resist DPA attacks requires the use of "whitening" scrambling systems, either in the input information or at the output of an encryption-decryption algorithm. The technique of whitening is described in § 3.5 of the same document cited above.

Moreover, the fact that computational powers are limited in the decentralized subsystem of a pay-TV system creates a problem, which has never yet been satisfactorily solved, to perform the chaining described above to a sufficient extent.

The object of the present invention is to provide an encryption-decrying method that is resistant to modern methods of investigation as described above.

The object of the present invention is achieved by the method described in the characterizing feature of claim 1.

DUPLICATE -4- 012153

The peculiarity of the method lies in the fact that an intermediate module does not start when the result of the previous (or upstream) module has finished but starts as soon as some of the information is available. Therefore, for an external observer, it is not possible to establish the input or output conditions of this module.

Since the decryption takes place in the decentralized subsystem co-operating with the smart card, this smart card containing only relatively limited computation powers with respect to the encoding subsystem, it is for example interesting to use a public asymmetric key , in relativementrapide operation, during the last stages of deciphering. This makes it possible, on the one hand, to preserve the invulnerability characteristics of the system at the end of the process and, on the other hand, to concentrate the computing power, mainly related to the encryption using the private key, in the encoding subsystem .

It has been discovered that additional security is provided by the ability to deconcatenate, or partially interleave, two encryption-decryption means that follow sequentially. By this concatenation or partial interleaving, which is a translation of the English "interleaving", is meant the process of starting the action of the second encryption-decryption means on the data at a time when the first encryption-decryption means has not yet finished working on these same data. This makes it possible to hide the data as it would result from the work of the first module and before it is submitted to the action of the second module.

The chaining can start as soon as data calculated at the output of the first module is partially available for processing by the second module. The invention makes it possible to guard against the aforementioned attacks by combining various encryption-decryption means in an encryption-decryption system, and possibly associating a concatenation or partial nesting with the sequence in which these means follow.

In a particular embodiment of the invention, the encryption-decryption system comprises an encoding subsystem where three algorithms are used sequentially: duplicate -5- 012153 a) an asymmetric A1 algorithm with private key d1. This algorithm A1 performs a signature on data in the clear, represented by a message m, this operation issuing a first cryptogram c1, by means of mathematical operations generally noted in the profession by the formula: c1 = m exponent d1, modulon1. In this formula, n1 is part of the public key of the asymmetric algorithm A1, modulo represents the well-known mathematical operator of congruences in the set of relative integers, and d1 is the private key of algorithm A. b) an algorithm S symmetric using a secret key K. This algorithm converts the cryptogram c1 into a cryptogram c2. c) an asymmetric A2 algorithm with a private key d2. This algorithm A2 converts the encryption c2 into a cryptogram c3, by means of the mathematical operation, as previously, by: c3 = c2 exponent d2 mod n2, in which formula n2 is part of the public key of the asymmetric algorithm A2, and d2 is laclé private algorithm A2

The cryptogram c3 starts from the encoding subsystem and reaches the decentralized subsystem by means known per se. In the case of pay-TV systems, it may be both video data and messages.

The decentralized subsystem uses, in the inverse order of the previous one, three algorithms ΑΓ, S 'and A2'. These three algorithms are part of three means decryption-decryption Α1-ΑΓ, S-S 'and A2-A2', distributed between the subsystem of encoding and the decentralized subsystem, and representing the system of encryption-decryption. d) the algorithm A2 'performs on c3 a mathematical operation restoring c2 etnotée: c2 = c3 exponent e2 mod n2. In this formula, the set consisting of e2 and n2 is the public key of the asymmetric algorithm A2-A2 '. e) the symmetric symmetric algorithm S 'using the secret key K restores the ecryptogram d. f) the asymmetric public key algorithm e1, n1 finds m by performing the mathematical operation noted: m = c1 exponent e1 mod n1.

DUPLICATE -6- 012153

The concatenation, in the decentralized subsystem, consists of starting the decoding step e) while c2 has not yet been completely restored by the preceding step d), and starting the decoding step f) while c1 was not etetotally restored by step e. The advantage is to foil an attack which would aim firstly to extract, in the decentralized subsystem, the cryptogrammec1 at the end of step e, to compare it with the data in clear m, then by means of dec1 and m to attack the algorithm ΑΓ, then to trace the coding chain near by.

Concatenation is not necessary in the encoding subsystem, which is installed in a secure physical environment. On the other hand, it is useful in the decentralized system. In the case of pay-TV, the IRD is indeed installed at the subscriber and may be the object of attacks of the pre-written type.

It is conceivable that an attack of a combination of three concatenated decryption algorithmsAT, S 'and A2' is much less likely to succeed than if the c1 and c2 encryptograms are fully reconstructed between each step d), e) and f). On the other hand, the fact that the algorithms AT and A2 'are used with public keys e1, n1 and e2, n2 means that the calculation means required in the decentralized subsystem are much smaller than in the encoding subsystem. . As an example and to fix the ideas, the steps a) and c) that is to say the steps of encryption with private keys, are 20 times longer than the steps d) and f) dedecryption with public keys .

In a particular embodiment of the invention, derived from the previous one, the algorithms A1 and A2 are identical as are their counterparts AT and A2 '.

In a particular embodiment of the invention, also derived from the previous one, in step c), the public key e2, n2 of the asymmetric algorithm A2 is used, whereas in step d) the cryptogram c3 is decrypted with the keyprivate d2 of this algorithm. This form constitutes a possible alternative when the resources of the decentralized subsystem in computing power are far from being destroyed.

DUPLICATE -7 - 012153

Although smart cards are mostly used for decrypting data, there are also smart cards with the capabilities to perform encryption operations. In this case, the attacks described above will also be applied to these encryption cards that operate outside of protected places such as a management center. This is why the method according to the invention also applies to serial encryption operations, ie the downstream module starts its encryption operation as soon as part of the information delivered by the upstream module is available. This method has the advantage of nesting the different encryption modules with the result that the result of the upstream module is not available completely at a given time. In addition, the downstream module does not start operations with a complete result but on parts which makes it impracticable to interpret the operation of a module in relation to a known input or output state.

The present invention will be understood in more detail by the following non-limiting drawings, in which: FIG. 1 shows the encryption operations; FIG. 2 represents the decryption operations; FIG. 3 represents an alternative to the encryption method;

In Figure 1, a set of data m is introduced into the encryption chain.

A first element A1 performs an encryption operation using the so-called private key composed of the exponent d1 and modulo n1. The result of this operation is represented by C1. According to the operating mode of the invention, as soon as a part of the result C1 is available, the following module starts its operation. This next module S performs its encryption operation with a secret key. The result C2does only partially available is transmitted to the module A2 for the thirdoperation of encryption using the so-called private key composed of the exponent d2 and dumodulo n2. The final result, referred to herein as C3, is ready to be transmitted by known channels such as over-the-air or cable.

FIG. 2 represents the decryption system composed of the three encryption modules ΑΓ, S ', A2' similar to those used for encryption, but ordered

DUPLICATE -8- 012153 conversely. Thus, we first start with the module A2 'which performs its decryption operation on the basis of the so-called public key composed of the exponent2 and modulo n2. In the same way as for the encryption, as soon as a part of the result C2 of the module A2 'is available, it is transmitted to the module S' for the second decryption operation. To end the decryption, the module ΑΓ performs its operation on the basis of the so-called public key composed of the exponent e1and the modulo n1.

In a particular form of the invention, the keys of the two modules A1 and A2 are identical, that is to say that the encryption side, d1 = d2 and n1 = n2. By analogy, during decryption, e1 = e2 and n1 = n2. In this case, we speak of the private key d, n and the public key e, n.

In another form of the invention, as illustrated in FIGS. 3 and 4, modute A2 uses the so-called public key in place of the so-called private key. At the time of the encryption, the public key e2, n2 is used by the module A2, (see FIG. 3) and during the decryption (see FIG. 4), the module A2 'uses the private key d2, n2 to operate. Although this configuration presents a work overload to the encryption set, the use of a private key enhances the security offered by the A2 module. The example illustrated in FIGS. 3 and 4 is not restrictive for other combinations. For example, it is possible to configure the module A1 to perform the encryption operation with the public key and the decryption. with the private key.

It is also possible to replace the secret key encryption-decryption module S by an asymmetric key type module of the same type as the modules A1 and A2.

DUPLICATE

Claims (10)

-9- 012153 CLAIMS A method of encryption and decryption using multiple modules of serial decryption-decryption, characterized in that the downstream encryption-decryption module starts its operation as soon as a part of the result of the upstream encryption-decryption module is available . 2. Method according to claim 1, characterized in that the downstream encryption module begins its decryption operation as soon as part of the result of the upstream decryption module is available. 3. Method according to claim 1, characterized in that the downstream encryption module starts its encryption operation as soon as part of the result of the upstream module is available. 4. Method according to claims 1 to 3, characterized in that it implements three modules (A1, S, A2), the central module (S) being of type secret keystone (k). 5. Method according to the preceding claim, characterized in that the firstmodule (A1) and the last module (A2) for encryption and the first module (A2) and the last module (A1) for decryption are of the RSA key type asymmetrical with either a private key and a public key. 6. Method according to the preceding claim, characterized in that the two modules (A1, A2) use the so-called private key (d, n, d1, n1, d2, n2) for the so-called public encryption and laclee (e, n; e1, n1; e2, n2) for decryption. 7. Method according to the preceding claim, characterized in that the two modules (A1, A2) use the same set of private key (d, n) and public (e, n). 8. Method according to claim 6, characterized in that the two modules (A1, A2) use a different set of private keys (d1, n1, d2, n2) and public keys (e1, n1, e2, n2). DUPLICATE -10- 012153 9. Method according to claim 5, characterized in that during the encryption, the last module (A2) uses the so-called public key (e2, n2) and during decryption, the first module (A2) uses the so-called private key ( d2, n2). 10. Method according to claims 1 to 3, characterized in that it implements three modules (A1, A, A2) encryption-decryption asymmetric keys. DUPLICATE