RU2140715C1 - Ciphering unit - Google Patents

Abstract

FIELD: electrical communications and computer engineering. SUBSTANCE: unit has at least one exchange data assembly and W г 2 n-bit series-connected adders, where n is even natural number; first input of first adder is data input of ciphering unit; output of W-th adder is ciphering unit output; novelty is that exchange data assembly is, essentially, controlled exchange data assembly whose data input functions as control input of ciphering unit; output of controlled exchange data assembly is second input of P-th adder, where 1г P г W; control input of controlled exchange data assembly is connected to first input of G-th adder, where 1 г G г W. EFFECT: improved cryptographic stability to differential cryptoanalysis. 3 cl, 7 dwg

Description

The invention relates to the field of telecommunications and computer technology, and more particularly to the field of cryptographic methods and devices for encrypting messages (information). In the aggregate of the features of the proposed method, the following terms are used:
- the secret key is a combination of bits known only to a legitimate user;
- the encryption key is a combination of bits used to encrypt information data signals; the encryption key is a removable cipher element and is used to convert a given message or a given set of messages; the encryption key is generated by deterministic procedures for the secret key; in a number of ciphers, the secret key is used directly as the encryption key;
- a cipher is a set of elementary steps for converting input data using a cipher key; the cipher can be implemented as a computer program or as a separate electronic device;
- a subkey is a part of the encryption key used in individual elementary steps of encryption;
- encryption is a process that implements some way of converting data using a cryptographic key, converting data into a cryptogram, which is a pseudo-random sequence of characters from which obtaining information without knowing the encryption key is practically impossible;
- decryption is the opposite of the encryption process; decryption provides information recovery from the cryptogram with knowledge of the encryption key;
- cryptographic strength is a measure of the reliability of information protection and represents the complexity, measured in the number of elementary operations that must be performed to recover information from the cryptogram with knowledge of the conversion algorithm, but without knowledge of the encryption key.

Known encryption devices made in the form of mechanical machines and electromechanical devices [V. Zhelnikov. Cryptography from papyrus to computer. -M., ABF, 1996, 336 p.]. In addition, electronic encryption devices are known that implement the encryption method described in the Russian standard for cryptographic data protection [USSR Standard GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic Transformation Algorithm]. A device that implements the Russian encryption standard includes an encryption block consisting of several operational nodes: an adder modulo 2 ³² , a bit adder modulo 2, an operation node performing a cyclic left shift of 11 bits, and an operation node performing a substitution operation.

 The closest in technical essence to the claimed encryption block is the encryption block used in the encryption device that implements the encryption method in accordance with the US federal standard DES [National Bureau of Standards. Data Encryption Standard. Federal Information Processing Standards Punlication 46, January 1977]. This method includes generating a secret key, splitting the input information, presented in the form of a binary code, into sections of 64 bits in length, generating 64-bit data blocks based on them, and converting the blocks under the control of the secret key. Before the conversion, each data block is divided into two 32-bit subunits L and R, which are converted one by one by performing 16 transform rounds of the same type. One round of conversion consists in performing expansion, substitution, permutation, and summation modulo 2 operations that implement the round encryption function over the R subunit, which is written in the form of the formula R: = F (R), where the “: =” sign denotes the assignment operation, F - round encryption function. Each round ends with a permutation of the subunits R and L: T: = R, R: = L, L: = T.

 An encryption device (VIII) implementing the DES encryption standard is shown in block diagram form in FIG. 1 and contains a 64-bit information input 1, consisting of two 32-bit information inputs 1.a and 1.b, to which two 32-bit subunits L and R are supplied, a 64-bit output 2, consisting of two 32-bit outputs 2.a and 2.b, from which the converted 32-bit subunits L and R are removed, control input 9, encryption block 3 (SB), round plug generation block (BGRP), control unit BU and control bus 10. Encryption block contains 32-bit information input 6, 32-bit output 4 and 80-bit control input 5, consisting of 32-bit control 5.1 input and 48-bit control input 5.2. The information input of the encryption unit 6 is connected to the information input 1.b and the output 2. a of the encryption device. The output of the encryption unit 4 is connected to the output 2.b of the encryption device. The control input 5.1 of the encryption unit is connected to the input 1.a of the encryption device. The control input 5.2 of the encryption unit is connected to the output 7 of the round key generation unit. The input of the round key generating unit 8 is connected to the control input of the encryption device 9.

The encryption device (Fig. 1) works as follows. A 56-bit key is supplied to the input of the encryption device, which is converted into a sequence of 48-bit round connections K _r , r = 1,2, ..., 16. For the current rth round, a binary code is set at the output of the round key generation unit, corresponding to the value of the subkey K _r . The encrypted 64-bit data block B is fed to the input of the encryption device. Older than 32 bits of block B, denoted as sub-block L, are fed to input 1.a. The lower 32 bits of block B, denoted as sub-block R, are fed to input 1.b. We denote the initial values of the sub-blocks by the index “0”, and their values after the rth round of encryption is completed, by the index “r”. The encryption block in the rth round converts the value of the subunit R _r-1 to the value R _r = F (R _r-1 , K _r ), which depends on the type of function F and the value of the round subkey K _r . The output value of subunit L in the current round is set equal to the input value of subunit R. Thus, the encryption device performs the following conversion, which can be written using the following iterative formulas
L _r = R _r-1 , (1)
R _r = F (R _r-1 , L _r-1 , K _r ), (2)
where the calculation of the function F from the value of R _{r-1 is} carried out by the encryption block depending on the value of L _r-1 supplied to the input 5.1, and the value of K _r supplied to the input 5.2. The control unit synchronizes the operation of the generation block of the round subkey and the encryption unit and monitors the number of completed conversion rounds. If the current round number is not 16, then the control unit sends the current values of the subunits L _r and R _r at the output of the encryption device to the input of the encryption device for the next round. The values of L ₁₆ and R ₁₆ constitute the output ciphertext block.

The encryption block is shown in FIG. 2 and contains operational nodes 3.1, 3.2, 3.3, 3.4 and 3.5. The information input of the operation node 3.1 is the information input of the encryption block, and the output of the operation node 3.1 is connected to the input of the operation node 3.2. The output of the operation node 3.2 is connected to the information input of the operation node 3.3, etc. The output of the operation node 3.5 is the output of the encryption block. Operation nodes 3.2 and 3.5 contain control inputs connected to control inputs 5.1 and 5.2, respectively. The operation node 3.1 performs the procedure of expanding the 32-bit data subunit R _r-1 into the 48-bit subunit R '. The operation node 3.2 performs bitwise summation modulo 2 of the value R 'with the subkey K _r and outputs the value R ″ = R′⊕ K _r , where the sign ⊕ denotes the operation of bitwise summation modulo 2. The operation node 3.3 performs the substitution operation over 48- bit value R '' and replace it with a 32-bit value R '''in accordance with the replacement tables given in the DES encryption standard. The operation node 3.4 performs the permutation of the bits of the binary value R ″ ″ and outputs the converted value R ^* . The operation node 3.5 performs a bitwise summing operation modulo two over the value R ^* supplied to its information input and the value L _r-1 supplied to its control input. The value at the output of the operation node 3.5 R _r = R ^* ⊕ L _r-1 is the value of the function F (R _k-1 , L _r-1 , K _r ) calculated by the encryption block.

 An encryption device that performs encryption in accordance with the DES standard has a high conversion speed when implemented in the form of specialized electronic circuits.

 However, this device has drawbacks, namely, it does not provide high cryptographic resistance to differential cryptanalysis [Biham E., Shamir A. Differential Cryptanalysis of DES-like Cryptosystems // Journal of Cryptology. 1991. V. 4. N. 1. pp. 3-72]. This drawback is due to the fact that all operational nodes perform fixed conversion operations for all converted data blocks.

 The basis of the invention is the task of developing an encryption block that performs transformations depending on the data block being transformed, thereby increasing the cryptographic resistance to differential cryptanalysis.

 This goal is achieved in that in an encryption block containing n-bit, where n is an even integer, information input, n-bit output, m-bit control input and W ≥ 2 operating nodes, single-bit information inputs of the first operational node are single-bit information inputs of the encryption unit, single-bit outputs of the Vth, where 1 ≤ V <W, of the operating node are connected to single-bit inputs of the (V + 1) -th operating node, the single-bit outputs of the Wth operational node are single-bit outputs to the cipher the unit, and at least one operating unit contains one-bit control inputs connected to the one-bit control inputs of the encryption unit, new according to the invention is that the encryption unit further comprises at least one operation unit made in the form of a node of controlled permutations, one-bit information the inputs of which are connected to the single-bit control inputs of the encryption block, the single-bit outputs of the controlled permutation node are connected to the single-bit control The input inputs of the Pth, where P ≤ W, of the operating unit, the single-bit control inputs of the controlled permutation node are connected to the single-bit inputs of the Gth, where G ≤ W, of the operating unit.

 Thanks to this solution, the encryption block performs permutations on the data subblock and on the subkey, which depend on the input data block, thereby increasing the encryption resistance to differential cryptanalysis.

 Also new is that the node of controlled permutations is made in the form of a matrix of elementary switches, each of which contains a switching circuit, first and second one-bit information inputs, first and second one-bit outputs, and a one-bit control input, and the matrix contains n - 1 row, j- i, where j = 1,2,3 ..., n - 1, the line contains n - j elementary switches, the control single-bit inputs of which are connected to the control single-bit inputs of the node of controlled permutations, the first one-bit information whose first input is connected to the first one-bit information input of the first elementary switch in the first row of the matrix, the remaining n - 1 one-bit information inputs of the managed permutation node are connected bitwise to the second one-bit information inputs of the elementary switches of the first row, the first one-bit information input of the first elementary switch is the jth, where j ≠ 1, the lines are connected to the second single-bit output of the first elementary switch of the (j - 1) -th line, in the j-th, where j-n-1 the matrix of the matrix is the first one-bit information input of the i-th, where 1 <i ≤ n - j, of the elementary switch is connected to the first one-bit output of the (i - 1) -th elementary switch of this row, in the jth, where j ≠ 1 row of the matrix is the second the single-bit information input of the i-th elementary switch is connected to the second single-bit output of the (i + 1) -th elementary switch of the (j - 1) -th line, the first one-bit output of the (n - j) -th elementary switch is connected to the jth single-bit output controlled permutation node, second one-bit output The switch of the (n - 1) th line is connected to the last single-bit output of the controlled permutation node.

 Thanks to this solution, the node of controlled permutations can perform any of n! possible permutations with the corresponding control signal code.

 Also new is the fact that in each j-th, where J = 1,2, ..., n / 2, a line of the controlled permutation node is introduced a decoder, the one-bit outputs of which are connected to the single-bit control inputs of elementary switches in the corresponding lines, one-bit inputs the decoders are connected bitwise with single-bit control inputs of the controlled permutation node.

 Thanks to this solution, the number of one-bit control inputs of the controlled permutation node is reduced.

 Below the essence of the claimed invention is explained in more detail by examples of its implementation with reference to the accompanying drawings.

 In FIG. 1 is a block diagram of an encryption device implementing a DES standard encryption method.

 In FIG. 2 schematically shows the structure of an encryption unit that performs round encryption transformations using the DES standard encryption method.

 In FIG. 3 shows a functional diagram of a managed permutation node.

 In FIG. 4 a schematic representation of an elementary switch is a block diagram of a controlled permutation node (a), a switching table (b) and a table of designations of external outputs (c).

 In FIG. 5 is a functional diagram of a controlled permutation node using decoders.

 In FIG. 6 is a functional diagram of an encryption block, including a controlled permutation node, which transforms round plugs depending on the input data block.

 In FIG. 7 is a functional diagram of an encryption block, including two nodes of controlled permutations, one of which carries out a transformation of the data sub-block L, which depends on the input data block, and the other - transformation of the round subkey.

 The controlled permutation node represented by the functional diagram in FIG. 3, includes a matrix of elementary switches, which provides switching of a given input and a given output discharge. The functional diagram of the elementary switch (Fig. 4 (a)) is given in the book [A. Kalyaev. Microprocessor systems with programmable architecture. M .: Radio and communications, 1984, p. 219, fig. 6.51]. The truth table and the pinout of the elementary switch are shown in tables (b) and (c) in FIG. 4. Controlled permutations are carried out depending on the values of the control inputs of elementary switches. Each elementary switch provides bitwise or cross-switching of two input information single-bit channels and two output single-bit channels and operates in accordance with the truth table (table (b) in Fig. 4). With a zero value of the control single-bit input (U = 0), bitwise switching of information input and output channels occurs: X1 - Y1 and X2 - Y2; at a single value of the control input (U = 1) there is a cross-switching of information input and output channels X1 - Y2 and X2 - Y1.

 The elementary switches in the matrix are connected in such a way that the single-bit information inputs il, where l = 1,2, ..., n, of the controlled permutation node are switched with the single-bit outputs ol, where l = 1,2, ..., n, of the node controlled permutations, and the particular switching is determined by the values of the entire set of control one-bit inputs uk of the node of controlled permutations, which are the control one-bit inputs U of elementary switches S. The number of control one-bit inputs of the node of controlled permutations is equal to in elementary switches in the matrix and is n (n - 1) / 2. Since the number of control single-bit inputs of the managed permutation node is greater than the bit width of the control input of the encryption block, many bits of the control input of the controlled permutation node are connected to one bit of the control input of the encryption block. A particular connection defines a specific dependence of the bit-swapping operation performed on the data sub-block R depending on the data sub-block L and subkey K. Thus, each row Lj, where j = 1,, 2, ..., n - 1, of the matrix forms a value the corresponding single-bit output of the controlled permutation node. The last (n - 1) th line forms the values at the single-bit outputs o. (N - 1) and o.n. Each row corresponds to a group of one-bit control inputs u.k of the node of controlled permutations. The number of elementary switches in the line L.j is n - i, which determines the number of single-bit control inputs u.k corresponding to this line.

 In order to reduce the number of single-bit control inputs of the controlled permutation node, binary-n-decimal decoders D.h can be introduced, where h = 1,2,. .., (n - 2) / 2, the one-bit inputs of which are the control one-bit inputs of the node of controlled permutations, and the one-bit outputs of which are connected to the group of one-bit control inputs of the corresponding two lines (h-th and (n - h) -th lines) elementary switches (see Fig. 5). The single-bit inputs of the line with the number h are connected bitwise with the n - h outputs of the D.h decryptor. The remaining h single-bit outputs of this decoder are connected bitwise with the single-bit control inputs of the (n - h) th line, the number of which is equal to h. A binary (n / 2) decryptor is introduced into the line n / 2, whose n / 2 single-bit outputs are connected bitwise to the control single-bit inputs of the corresponding elementary switches of the line n / 2. Depending on the code combination of the values of their single-bit inputs, a single value is set only on one of its single-bit outputs, and on the other outputs it is set to zero. Due to the fact that the number of single-bit inputs of the decoder is significantly less than the number of its single-bit outputs, the number of control single-bit inputs of the node of controlled permutations is significantly reduced. For example, for n = 32, 15 binary-thirty-two-decryptor decoders with a five-bit input and one binary-hexadecimal decoder (with a four-bit input) can be used, the inputs of which make up the 79-bit control input of the controlled permutation node, which is significantly less than the bit capacity of this node without the use of decoders (in the latter case, the number of control single-bit inputs is n (n - 1) / 2 = 491).

 Consider specific examples of the implementation of an encryption block using a managed permutation node.

где P_r-1(K_r) обозначает операцию перестановки, выполняемую над значением K_r в зависимости от значение R_r-1. Операционный узел 3.2 выполняет операцию суммирования по модулю 2ⁿ над n-битовым подблоком данных R_r-1 и n-битовым двоичным вектором K', представляющим собой преобразованное значение раундового подключа K_r, вырабатывая на выходе n-разрядный подблок данных.Example 1. This example appears in FIG. 6, which shows a functional diagram of an encryption block with one node of controlled permutations P. The encryption block includes operational nodes 3.1, 3.2, and 3.3. The operation node 3.1 performs the operation of the permutation of the bits of the n-bit round subkey K _r depending on the value of the data sub-block R _r-1 , generating an n-bit binary vector at the output of the data sub-block

where P _r-1 (K _r ) denotes a permutation operation performed on the value of K _r depending on the value of R _r-1 . The operation node 3.2 performs the modulo 2 ⁿ summing operation over the n-bit data sub-block R _r-1 and the n-bit binary vector K ', which is the transformed value of the round subkey K _r , generating an n-bit data sub-block at the output.

R '= (R _r-1 + K') mod 2 ⁿ .

The operation node 3.3 performs the operation of bitwise summation modulo 2 over the n-bit data subunit R 'and the n-bit data subunit L _r-1 , generating an n-bit value at the output
R _r = R′⊕ L _r-1 .
The sequential execution of the operations specified by nodes 3.1, 3.2 and 3.3 determines the round encryption function R _r = F (R _r-1 , L _r-1 , K _r ). This encryption block can be used, for example, in the encryption device shown in FIG. 1 to carry out 16 rounds of transformation in accordance with the iterative relations (1) and (2).

2. R′ = R_r-1⊕ K′,
3. L' = P_R'(L_r-1),
4. R_r = (R' + L') mod 2³².Example 2. An example implementation of an encryption block with two controlled permutation blocks is shown in FIG. 7, where the operational node 3.1 performs the permutation of the round subkey bits K _r depending on the value of the subunit R _r-1 , the operational node 3.2 is a bitwise adder modulo 2, the operational node 3.3 is a managed permutation node performing the permutation of the bits of the subunit L _{r- 1} , forming the value L '= P _R' (L _r-1 ) at the output, the operation node 3.4 is an adder modulo 2 ⁿ . The round encryption function R _r = F (R _r-1 , L _r-1 , K _r ) defined by the encryption block shown in FIG. 7 is described by the following sequence of transformations:

2. R ′ = R _r-1 ⊕ K ′,
3. L '= P _R' (L _r-1 ),
4. R _r = (R '+ L') mod 2 ³² .

 The encryption block described in Example 1 can be used, for example, as part of the encryption device shown in FIG. 1.

 The above examples show that the proposed encryption block is technically feasible and allows us to solve the problem.

 The inventive encryption block can be implemented, for example, in specialized cryptographic microprocessors providing an encryption speed of up to 1 Gbit / s, sufficient for real-time encryption of data transmitted via high-speed fiber-optic communication channels.

Claims (3)

 1. An encryption block containing at least one permutation node and W≥2 n-bit, where n is an even natural number of series-connected adders, the first input of the first adder being the information input of the encryption block, the output of the Wth adder is the output of the encryption unit, characterized in that the permutation node is made in the form of a controlled permutation node, the information input of which is the control input of the encryption block, the output of the controlled permutation node is the second input of the Pth adder, where 1≤P≤W, and the control input of the controlled permutation node is connected to the first input of the Gth adder, where 1≤G≤W.  2. The encryption block according to claims 1 and 2, characterized in that the controlled permutation node is made in the form of a matrix of elementary switches containing an n-1 row, j-th, where j = 1,2,3, ..., n- 1, the line contains nj elementary switches, the single-bit control inputs of which are the single-bit control inputs of the controlled permutation node, the first single-bit information input of which is the first single-bit information input of the first elementary switch of the first row, the remaining n-1 single-bit information inputs the nodes of the controlled permutations node are the second one-bit information inputs of the elementary switches of the first row, the first one-bit information input of the first elementary switch of the jth, where j ≠ 1, the lines are the second one-bit output of the first elementary switch of the (j-1) th line, the first one-bit information input of the i-th, where 1 <i≤ nj, of the j-th elementary switch, where j ≠ n-1, of the line is the first single-bit output of the (i-1) -th elementary switch of this line, the second one-bit the formation input of the i-th elementary switch j-th, where j ≠ 1, the line is the second one-bit output of the (i + 1) -th elementary switch of the (j-1) -th line, the first one-bit output of the (nj) -th elementary switch j the ith row is the jth single-bit output of the controlled permutation node, the second one-bit output of the switch of the (n-1) th row is the nth single-bit output of the controlled permutation node.  3. The encryption block according to claim 1, characterized in that in each j-th, where j = 1,2, ..., n / 2, a line of the controlled permutation node is introduced a decoder, the one-bit outputs of which are single-bit control inputs of elementary switches in the corresponding lines, the single-bit inputs of the decoders are single-bit control inputs of the node of controlled permutations.

Images