RU2204212C2 - Iterative method for block encryption - Google Patents

Abstract

FIELD: electric communications and computer engineering; cryptographic methods for data encryption. SUBSTANCE: method includes generation of private key, division of data block into two sub-blocks, and execution of R≥2 encryption rounds each including generation of binary vector and two control codes for first sub-block, conversion of binary vector, conversion of second sub-block with aid of first control operation depending on value of first control code, superposition of converted binary vector onto second sub-block by means of addition operation, and conversion of second sub-block with aid of control operation depending on value of second control code, two- station controlled operations being used as control operations. EFFECT: enhanced encryption speed. 4 cl, 2 dwg

Description

 The invention relates to the field of telecommunications and computer technology, and more particularly to the field of cryptographic methods and devices for encrypting messages (information).

In the aggregate of the features of the proposed method, the following terms are used:
- the cipher is a set of elementary steps for converting input data using a secret key; the cipher can be implemented as a computer program or as a separate device;
- the secret key is binary information known only to a legitimate user;
- subkey - part of the secret key;
- encryption - the process of converting information that depends on the secret key and converts the source text into ciphertext (cryptogram), which is a pseudorandom sequence of characters from which obtaining information without knowing the secret key is practically impossible;
- decryption - the reverse process of encryption; decryption provides recovery of information from the cryptogram with the knowledge of the secret key;
- the cipher is a set of elementary steps for converting input data using a secret key; the cipher can be implemented as a computer program or as a separate device;
- a binary vector is a sequence of zero and one bits, for example (101101011); a binary vector is interpreted as a binary number, i.e. a binary vector can be matched with a numerical value;
- cryptanalysis - a method of calculating a secret key to obtain unauthorized access to encrypted information;
- cryptographic strength is a measure of the reliability of encrypted information protection and represents the complexity, measured in the number of elementary operations that must be performed to recover information from a cryptogram with knowledge of the conversion algorithm, but without knowledge of the secret key;
- a single operation is an operation performed on a binary vector; the binary vector generated at the output of a unary operation depends only on the input binary vector; examples of single operations are cyclic shift operations;
- double operation is an operation performed on two operands; the result of some given two-place operation depends on the value of each operand; examples of double operations are the operations of addition, subtraction, multiplication, etc.

- the operand is a binary vector over which a two-place or one-place operation is performed;
- a controlled two-place operation is an operation performed on two operands under the control of a binary vector called a control vector; the result of some controlled two-place operation with a fixed control vector depends on the value of each operand, and for fixed values of the operands, on the value of the control vector; examples of the implementation of controlled double operations are described in the patent of the Russian Federation N 2140716 [Moldovyan A.A., Moldovyan N.A., Moldovyan P.A. The method of cryptographic conversion of digital data blocks // Bull. N 30 from 10.27.1999]; in the formulas, the controlled two-place operation will be denoted by the record Z: = Q _V (A, B), where A, B are the operands, V is the control binary vector (control code), Z is the result of the execution of the controlled two-place operation Q _V ;
- control code (or control binary vector) - a set of single and zero signals at the control input of a managed operating unit;
-modification of the controlled two-seater operation - a two-seater operation corresponding to the transformation of two operands with a fixed value of the control vector;
-controlled permutation is an operation performed on one operand under the control of a binary vector called a control vector and consists in the permutation of the bits of the operand depending on the value of the control vector; Examples of the implementation of controlled permutations are described in patent No. 2140714 [Alekseev L.E., Belkin T.G., Moldovyan A.A., Moldovyan N. A. Method of iterative encryption of data blocks // Bull. N 30 from 10.27.1999] and in the article by Guts N.D., Izotov B.V., Moldovyan N.A. "Controlled permutations with a symmetric structure in block ciphers" [f. Information security issues. 2000. N 4. P.57-64] .; in the formulas, the controlled permutation will be denoted by the record P _V , and the transformation of the operand A by performing a controlled permutation on it, by the record A: = P _V (A), where V is the control code;
-modification of controlled permutation - a fixed permutation of the bits of the operand corresponding to a given fixed value of the control vector;
-inverse controlled two-place operation (with respect to some given controlled two-place operation Q is such a controlled two-place operation (denoted as Q ^-1 ), which for any given value of the control vector V and any given value of the operand B satisfies the condition A = Q _V ^{- 1} (Z, B) if Z = Q _V (A, B); options for the implementation of two mutually inverse controlled two-place operations are described in [Guts N.D., Moldovyan A.A., Moldovyan N.A. oriented ciphers based on managed adders // Security issues in 2000. N 1. deformations of S.8-15.];
-reversible controlled two-place operation Q * is such a controlled two-place operation that is controlled by a special invert bit e; different values of e specify two different variants of the controlled two-seater operation, and these variants are mutually inverse; for example, if for e = 0 the operation Q $\genfrac{}{}{0ex}{}{\text{*}}{\text{[e = 0]}}$ , and for e = 1 - operation Q $\genfrac{}{}{0ex}{}{\text{*}}{\text{[e = 1]}}$ , then for these controlled two-place operations the relation Q $\genfrac{}{}{0ex}{}{\text{*}}{\text{[e = 1]}}$ = Q $\genfrac{}{}{0ex}{}{\text{*-1}}{\text{[e = 0]}}$ ; an implementation option of a reversed controlled two-seater operation is described in [Guts N.D., Moldovyan A.A., Moldovyan N.A. Flexible hardware-oriented ciphers based on managed adders // Information security issues. 2000. N 1. S.8-15];
- the concatenation operation is the operation of combining several binary vectors, as a result of which a new binary vector is formed, including all the bits of each of the combined binary vectors, and the relative position of the bits corresponding to the original binary vectors does not change; for example, the concatenation of binary vectors W ₁ = (101101011) and W ₂ = (011101010) is written as W ₁ | W ₂ = (101101011011101010); these binary vectors can be combined by the concatenation operation in yet another way: W ₂ | W ₁ = (01110101010101101011).

Known methods for block data encryption, see, for example, the DES cipher [B. Schneier, "Applied Cryptography", Second Eddition, John Wiley & Sons, Inc., New York, 1966, pp. 270-277]. In this method, the encryption of data blocks is performed by generating a secret key, dividing the converted data block into two subunits L and R and alternating the latter by performing bitwise summing operations modulo two over the subunit L and the binary vector, which is formed as the output value of some function E of the values of the sub-block R. After that, the sub-blocks are rearranged. Function E in the specified method is implemented by performing permutation and substitution operations performed on the sub-block R. This method has a high conversion speed when implemented in the form of specialized electronic circuits. However, the known analogue method uses a small secret key (56 bits), which makes it vulnerable to cryptanalysis based on key selection. The latter is associated with the high computing power of modern computers. Another known method of block data encryption is the method implemented in the RC5 cipher [B. Schneier, "Applied Cryptography", Second Eddition, John Wiley & Sons, Inc., New York, 1966, pp. 344-346]. The analogue method includes the formation of a secret key in the form of a set of subkeys, the splitting of the binary information code into g-bit information blocks and the sequential conversion of g-bit blocks. The conversion of g-bit blocks is carried out by dividing the g-bit data block into n-bit subblocks A and B, and alternately converting the subblocks. Subblocks are converted by performing single and double operations on them. As two-place operations, the addition operations are used modulo 2 ⁿ , where n = g / 2 = 8,16,32,64, and the bitwise summation operation is modulo 2. As the single-seat operation, the operation of cyclic left shift, the number of bits per which the converted subunit is shifted depends on the value of the other subunit, which determines the dependence of the cyclic shift operation at the current step of converting the subunit on the initial value of the input data block. A double operation is performed on the sub-block and under the key, as well as on two sub-blocks. Characteristic of the RC5 method is the use of a cyclic shift operation, depending on the value of the input block. A subblock, for example subblock B, is transformed by superimposing subblock A onto subblock B using the bitwise summing operation modulo 2, i.e. the bitwise summing operation is performed modulo 2 (denoted by the symbol "⊕") over subblocks A and B and the value obtained after performing this operation is assigned to subblock B. This is written as the ratio B: = B⊕A, where the sign ": =" denotes an assignment operation. After that, the operation of cyclic shift to the left by the number of bits equal to the value of the subunit A: B: = B <<< A is performed on subblock B. Then, over the subblock B and one of the subkeys S, the summation operation is performed modulo 2 ⁿ , where n is the length of the subblock in bits: B: = (B + S) mod 2 ⁿ . After that, subunit A is similarly converted. Several such steps are taken to convert both subunits. The disadvantage of the RC5 cipher is the lack of resistance to differential cryptanalysis.

The closest in technical essence to the claimed iterative method of block encryption is the method described in the patent of the Russian Federation 2140714 [Alekseev L.E., Belkin TG, Moldovyan AA, Moldovyan N. A. Method of iterative encryption of data blocks . Bull. N 30 from 10.27.99]. The prototype method includes generating an encryption key, splitting the input binary data block into two subblocks A and B, which are alternately converted by performing several rounds of conversion (iterations). One round of conversion is as follows. On the first subblock (subblock A), a binary vector F and two control codes V and U are formed, the binary vector F is converted by performing the conversion function E on it, the second subblock (subblock B) is converted using the first controlled permutation operation, the modification of which is selected depending from the value of the first control code V, overlay using the summation operation of the binary vector F converted by the function E to the second subunit and transform the second subunit using the second control operation trolled rearrangements, modification of which is selected depending on the value of the second control code U. transformation procedures that implement the function E include the operation of addition modulo 2 ³² on subblock and subkey data, the substitution operation and an operation of cyclic shift.

 However, the prototype method has drawbacks, namely, the permutation operation defines such a transformation of the data subblocks that does not change the Hamming weights of the latter, in particular, the parity of the bits of the converted data block is preserved, therefore, in order to obtain a high encryption conversion strength, it is necessary to perform a rather complicated transformation E, which reduces the speed encryption.

 The basis of the invention is the task of developing an iterative method of block encryption, in which the input data is converted in such a way that the controlled operation performed on the second subblock simultaneously with the binary vector F conversion changes the Hamming weight of the second subblock, which will simplify the E transformations while maintaining a high cryptographic strength, which increases the encryption speed.

 The problem is achieved in that in an iterative method of block encryption, which includes generating a secret key, splitting a data block into two subblocks and performing R≥2 rounds of encryption, consisting of generating a binary vector and two control codes from the first subblock, converting the binary vector, converting the second subblock using the first controlled operation, the modification of which is selected depending on the value of the first control code, overlay using the operation of summing transform of the binary vector to the second subunit and the conversion of the second subunit using the second controlled operation, the modification of which is selected depending on the value of the second control code, new according to the invention is that controlled double-place operations are used as controlled operations.

 Thanks to this solution, it is possible to simplify the F conversion function while maintaining high encryption strength, thereby increasing the encryption speed.

 What is new is the fact that inverted controlled two-place operations are used as controlled double-seat operations.

 Thanks to this solution, it is possible to carry out encryption and decryption procedures using the same electronic circuit by controlling two-place operations with a special bit e that sets the encryption mode at e = 0 or the decryption mode at e = 1.

 Also new is that mutually inverse guided double operations are used as controllable double operations.

 Thanks to this solution, further simplification of the circuitry implementation of the iterative block encryption method is provided.

 In addition, it is new that the control code is generated by the secret key and by the value of one of the subunits.

 Thanks to this solution, an additional increase in cryptographic resistance to attacks based on failures of the encryption device is provided.

 Below the essence of the claimed invention is explained in more detail by examples of its implementation with reference to Fig.1-2.

A generalized scheme of iterative encryption of data blocks based on the proposed method is presented in FIG. 1a, where Q ₁ and Q ₂ are operating units that carry out controlled double operations, the modifications of which are set by the values of the control codes V and U supplied to the control input of the corresponding operating units. A and B are subblocks of the converted data block; the operation unit E denotes the procedures for converting the binary vector F generated in accordance with the formula F: = A. The operation units X ₁ and X ₂ denote the operations used to generate the control codes V and U of the vector. Blocks X ₁ and X ₂ are implemented, for example, in the form of operating blocks that perform bitwise summation modulo two. In this case, the control codes V = A⊕K _r and U = A⊕W _{r are} generated.
FIG. 1a corresponds to encryption transformations, and FIG. 1b - performing decryption transformations. In the decryption scheme, operation blocks are used that carry out controlled two-place operations Q ₁ ^-1 and Q ₂ ^-1 . The options for constructing electronic circuits that implement controlled two-place operations Q ₁ and Q ₂ and the corresponding inverse operations Q ₁ ^-1 and Q ₂ ^-1 are described in [Guts N.D. et al. Flexible hardware-oriented ciphers based on managed adders // Information Security Issues. 2000. N 1. S.8-15]. When decrypting conversions, the subkeys are used in the reverse order, i.e. plug K _r and W _r used on the rth round of encryption, when decrypting, they are used on the (R-r + 1) th round. Thus, for the subkeys K ' ₁ and W' _r used in the rth decryption round, we have the relations K ' _r = K _{R-r + 1} and W' _r = W _{R-r + 1} . After the last (Rth) round of encryption or decryption has been completed, permutation of the data sub-blocks is not performed, as in FIG. 1a and 1b are shown by a horizontal dashed line.

 From the point of view of application in encryption algorithms, managed operations have the advantage that their modifications are selected depending on the variable parameters of the encryption process. Variable parameters can be plug-ins, sub-blocks of the information block, or specially generated values that change with a change in the initial value of the information block. In the general case, the value that controls the two-place operation will be called the control code V. By the formation of the control code V we will mean the formation of signals at the control input of the operating unit that performs the controlled two-place operations.

 In specific examples of the implementation of the proposed iterative method of block encryption, a controlled permutation operation with a 32-bit input for the converted data and a 96-bit control input, to which a control code is received, is used as a procedure for converting the binary vector F, depending on which the modification of the controlled permutation is used. A variant of constructing an operating unit for implementing such a controlled permutation is described in an article by N. Guts and others. "Controlled permutations with a symmetric structure in block ciphers" [g. Information security issues. 2000. N 4. P.62-63].

Example 1: encryption of a 64-bit data block T
Example 1 is illustrated in FIG. 2a, where Q and Q ^-1 are operation blocks with a 32-bit information input and a 32-bit control input. First, a secret key is formed, which is represented as the following set of n-bit round subkeys: K ₁ , K ₂ , ..., K ₁₆ and W ₁ , W ₂ , ..., W ₁₆ . Then the data block is developed into two subunits A = T div 2 ³² and B = T mod 2 ³² . After that, the encryption of the data block is performed in accordance with the following algorithm:
1. Set the counter for the number of rounds of encryption r: = 1.

2. Generate subblock A and on subkey K _r a control code _{V: V: = K r ⊕A} .
3. Depending on the value of V, convert the subunit B by performing the two-place controlled operation Q: B: = Q _V (B, W _r ) on it.

 4. Form a binary vector F: F: = A.

5. Generate on subblock A and is connected to _r and W _r control code V ': V': = A⊕K r ⊕W r.
6. Using the expansion operation unit X, generate the extended 96-bit control code V ″ = V ′ | V ′ | V ′.
7. Convert the binary vector F by performing a controlled permutation operation on it: F: = P _{V "} (F).

8. Using the bitwise summing operation modulo 2, superimpose the transformed binary vector F onto the subblock B: B: = B⊕F.
9. Generate the control code U: = W _r ⊕A from subunit A and connect W _r .
10. Depending on the value of V, convert the subunit B by performing the double-place controlled operation Q ^{-1 on it} : B: = Q _V ^-1 (B, K _r ).

 11. If r <16, then increment r: = r + 1, rearrange subblocks A and B (that is, take binary vector A as binary vector B, and binary vector B as binary vector A) and go to step 2.

 12. STOP.

The cryptogram block C is formed by combining the transformed binary vectors A and B: C = A | B. Decryption of the cryptogram block is performed using the same algorithm, except that when performing steps 2, 5 and 10, the subkey W _{17-r is used} instead of the subkey K _r , and when performing steps 3,5 and 9, the subkey K _{17-r is used} instead W _r .

Example 2: encryption of a 64-bit data block T
Example 2 is illustrated in FIG. 2b, where Q *, are controlled operating units with a 32-bit information input and a 32-bit control input. Generate a secret key, presented in the form of the following combination of 32-bit round subkeys: K ₁ , K ₂ , ..., K ₁₀ and W ₁ , W ₂ , ..., W ₁₀ . Break the data block into two subunits A = T div 2 ³² and B = T mod 2 ³² . Encrypt the data block in accordance with the following algorithm:
1. Set the counter for the number of encryption rounds r: = 1 and the conversion mode parameter z = 0 (encryption).

2. Generate subblock A and on subkey K _r a control code _{V: V: = K r ⊕A} .
3. Depending on the value of V, convert the subblock B by performing the reversible controlled two-place operation Q ^{* on it} : B: = Q $\genfrac{}{}{0ex}{}{\text{*}}{\text{V, [e = z]}}$ (B, W _r ).
4. Form a binary vector F: F: = A.

5. Generate on subblock A and is connected to _r and W _r control code V ': V': = A⊕K r ⊕W r.
6. Using the expansion operation unit X, generate the extended 96-bit control code V ″ = V ′ | V ′ | V ′.
7. Convert the binary vector F by performing a controlled permutation operation on it: F: = P _{V "} (F).

8. Using the bitwise summing operation modulo 2, superimpose the transformed binary vector F onto the subblock B: B: = B⊕F.
9. Generate the control code U: U: = W _r ⊕A from subunit A and connect W _r .
10. Depending on the value of V, convert the subunit B by performing the reversible controlled two-place operation Q ^{* on it} : B: = Q $\genfrac{}{}{0ex}{}{\text{*}}{\text{V, [e = z]}}$ (B, K _r ).
11. If r <10, then increment r: = r + 1, rearrange subblocks A and B (that is, take binary vector A as binary vector B, and binary vector B as binary vector A) and go to step 2.

 12. STOP.

The cryptogram block C is formed by combining the transformed binary vectors A and B: C = A | B. Decryption of the cryptogram block is carried out using the same algorithm, except that in step 1 the value z = 1 is set (decryption) when performing steps 2, 5 and 10, the subkey W _{17-r is used} instead of the subkey K _r , and when performing steps 3 , 5 and 9 - connect to _17-r instead of W _r .

 Direct and reverse controlled double-place operations, as well as reversed double-place operations, are implemented using combinational electronic circuits with high speed. Possible options for the implementation of such operations are described in the article [Guts N.D. et al. Flexible hardware-oriented ciphers based on managed adders // Information Security Issues. 2000. N 1. S. 8-15]. By simplifying the conversion procedures corresponding to function E, the encryption speed is increased.

 The above examples show that the proposed method of cryptographic transformations of binary blocks is technically feasible and allows us to solve the problem.

Claims (4)

 1. An iterative method of block encryption, including generating a secret key, dividing the data block into two subblocks and performing R≥2 rounds of encryption, each of which consists in generating a binary vector and two control codes from the first block, converting the binary vector, converting the second subblock with using the first controlled operation, depending on the value of the first control code, superimposing using the operation of summing the transformed binary vector on the second sub-block and converting w cerned subblock via second controllable operation dependent on the value of the second control code, characterized in that use controlled twin operation as controlled operations.  2. The method according to p. 1, characterized in that as the managed double-seat operations use reversible controlled double-seat operations.  3. The method according to p. 1, characterized in that as a controlled double operations using mutually inverse controlled double operations.  4. The method according to p. 1, characterized in that the control code is generated by the secret key and by the value of one of the subunits.

Images