RU2564243C1 - Cryptographic transformation method - Google Patents

Abstract

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to cryptography and information security means. A method for cryptographic transformation of a message presented in binary form, which includes calculating, based on an available set of iteration keys K₀, …, K_n, a new set of iteration keys KZ₀, …, KZ_n, wherein the zero key in the new set is determined by the formula KZ₀=K₀ and the remaining keys are determined by the formula KZ_j=L^-1(K_j); calculating binary vectors u[i][j] with length w using the formula u[i][j]=π^-1(τ(j))·G_i; calculating a binary vector m with length w, using the new iteration keys KZ₀, …, KZ_n, performing the following: calculating m_n=S(c), wherein S:V_w→V_w, a=a_t-1|…||a₀, where a_i∈V_b; S(a)=S(a_t-1||…||a₀)=π(a_t-1)||…||π(a₀); calculating $$q_j=\underset{i=0\dots t-1}{\oplus }u\left[i\right]\left[{\tau }^{-1}(m_j\left[i\right])\right];$$

m_j-1=X[KZ_j](q_j), where m_j=m_j[t-1]||m_j[t-2]||…||m_j[0]; j=n, …, 1; X[KZ] is linear transformation which depends on the iteration key KZ, wherein X[KZ]:V_w→V_w, X[KZ](a)=KZ⊕a, where KZ, a∈V_w; calculating m=X[KZ₀](S^-1(m₀)).

EFFECT: faster information processing and fewer operations when performing iterative cryptographic transformation.

Description

FIELD OF THE INVENTION

The present invention relates to cryptography and information security and can be used to implement block encryption, hash functions, pseudo-random sequence generators, etc.

State of the art

Known methods for iterative cryptographic conversion of messages of a fixed length, presented in digital form, namely in the form of binary data, performed using a secret key, for example, a method implemented in the form of an AES (Advanced Encryption Standard) block encryption algorithm [1].

The AES block cipher algorithm includes two phases of use: encryption and decryption. At both stages, round encryption keys are computed using the private key. Messages of a fixed length are converted by sequentially performing reversible linear and nonlinear operations on them and bitwise summing the messages with round keys. As linear operations, permutation of message bytes and multiplication of the message by a fixed matrix are used. Byte operations are used as nonlinear operations. At the encryption stage, after each non-linear transformation, a linear transformation is applied. At the decryption stage, the inverse transforms are used, and they are applied in the reverse order: after each linear transformation, a nonlinear transformation follows.

We introduce the following notation:

- V _h is the set of all binary vectors of length h;

- m - message (binary vector) of length w;

- n is the number of iterative keys, with n> 2;

- w is the message size in bits, with w = b · t,

where t, b∈N (the set of natural numbers);

- c - message (binary vector) of length w;

- взаимно-однозначное преобразование, которое ставит в соответствие целому числу из промежутка 0, …, 2^b-1 вектор его двоичного представления, младшие биты числа находятся справа.- $$\tau :Z_{2^h}\to V_b$$

- a one-to-one transformation, which associates an integer from the interval 0, ..., 2 ^b -1 the vector of its binary representation, the least significant bits of the number are on the right.

- A || B - the concatenation operation of two vectors A and B, the result is a vector in which the left part coincides with the vector A, and the right part coincides with the vector B;

- X [K] is a linear transformation depending on the iterative key K, and

X [K]: V _w → V _w ,

X [K] ( a ) = K⊕ a ,

where a is a message (binary vector) of length w,

K∈V _w ;

- S is a nonlinear one-to-one transformation, and

S: V _w → V _w ,

S ( a ) = S ( a _t-1 || ... || a ₀ ) = π ( a _t-1 ) || ... || π ( a ₀ ),

where a ∈V _w ,

a = a _t-1 || ... || a ₀ ,

a _i ∈V _b ,

π is any one-to-one transformation, and

π: V _b → V _b

- L ₁ - linear one-to-one transformation, and

L ₁ : V _w → V _w ;

- L ₂ - linear one-to-one transformation, and

L ₂ : V _w → V _w ;

- L is a linear one-to-one transformation, and

L: V _w → V _w ;

L ( a ) = a

where D is a non-degenerate matrix of size w × w;

G = D ^-1 is the inverse matrix with respect to D;

G _i - matrix of size b × w, consisting of consecutive rows of matrix G with numbers

(t-1-i) b + 1, (t-1-i) b + 2, ..., (t-i) b

where i = 0, ..., t-1, a ∈V _w ;

L is a composition of linear transformations L ₁ and L ₂ :

L ( a ) = L ₁ (L ₂ ( a )).

In the indicated notation, the AES encryption algorithm is written as

c = X [K _n ] L ₂ S ... X [K ₁ ] LSX [K ₀ ] (m),

and decryption algorithm:

m = X [K ₀ ] S ^-1 L ^-1 ... S ^-1 L ^-1 X [K _n-1 ] S ^-1 L ₂ ^-1 X [K _n ] (c),

where K _i are round keys K _i ∈V _w , i = 0, ..., n.

There is a method of implementing an encryption algorithm that uses a composition of LS transforms (first S is executed, then L), on universal computing platforms with sufficient memory. The main idea of the method is to combine these transformations into one and its tabular implementation. This method is described, for example, in [2, 3].

The decryption algorithm requires a composition of transformations S ^-1 L ^-1 (first L ^-1 , then S ^-1 ). This method of combining these transformations and its tabular implementation in the general case is practically not applicable due to the extremely large volume of tables, which is its drawback.

Disclosure of invention

The technical result is to increase the speed of information processing and reduce the number of operations when implementing iterative cryptographic conversion.

The claimed result is achieved by replacing the original composition of the transformations with equivalent transformations with their subsequent effective implementation.

Note that for one iteration, due to the linearity of the transformation L ^-1 for any message a , the relation

L ^-1 X [K _i ] S ^-1 ( a ) = L ^-1 X [K _i ] (S ^-1 ( a )) = L ^-1 (S ^-1 ( a ) ⊕K _i ) = L ^-1 (S ^-1 ( a )) ⊕L ^-1 (K _i ) = L ^-1 S ^-1 ( a ) ⊕L ^-1 (K _i ) = X [L ^-1 (K _i )] L ^-1 S ^{- 1} ( a )

Then the original iterative cryptographic transformation

m = X [K ₀ ] S ^-1 L ^-1 ... S ^-1 L ^-1 X [K _n-1 ] S ^-1 L ^-1 X [K _n ] (c)

is replaced by an equivalent in which S ^-1 precedes L ^-1 :

m = X [KZ ₀ ] S ^-1 X [KZ ₁ ] L ^-1 S ^-1 ... X [KZ _n-1 ] L ^-1 S ^-1 X [KZ _n ] L ^-1 S ^-1 S (c) ,

where KZ ₀ = K ₀ ,

and the rest are calculated by the formula

KZ _j = L ^-1 (K _j ),

where j = 1, ..., n

Such a representation will require computing new iterative keys, as shown above.

Thus, the use of composition S ^-1 L ^-1 is reduced to the use of composition L ^-1 S ^-1 , the implementation of which requires the same amount of computing resources as the implementation of LS, which means that it is effectively implemented by the method specified in [2, 3] and in complexity is equivalent to the transformation L.

Consider the composition Y of the transformations L ^-1 and S ^-1

Y ( a ) = L ^-1 (S ^-1 ( a ))

First to post a transform is applied

S ^-1 ( a ) = S ^-1 ( a _t-1 || ... || a ₀ ) = π ^-1 ( a _t-1 ) || ... || π ^-1 ( a ₀ ),

the result is a new message (binary vector)

d = S ^-1 ( a )

Then, a linear transformation is performed on the vector d, which is equivalent to multiplying the vector d by a given matrix G, which corresponds to the linear transformation L ^-1

L ^-1 S ^-1 (a) = dG

Vector d is divided into parts

d = d _t-1 || ... || d ₀

and for each value of the part, an intermediate vector is calculated

$$u{}_i{}^j=\tau (j)\cdot G_i,$$

where i = 0, ..., t-1;

j = 0, ..., 2 ^b -1

To calculate the result of multiplying the vector d by the matrix G, it is necessary to add the corresponding intermediate vectors

$$$$

$$L^{-\mathrm{one}}(d)=d\cdot G=(d_{t-\mathrm{one}}\Vert ...\Vert d_0)\cdot \left(\begin{array}{c}{G}_{t-\mathrm{one}}\\ G_{t-2}\\ ...\\ G_0\end{array}\right)=\underset{i=0...t-\mathrm{one}}{\oplus }{u}_i^{{\tau }^{-\mathrm{one}(d_i)}}\text{(one)}$$

Given that

d = (d _t-1 || ... || d ₀ ) = (π ^-1 ( a _t-1 ) || ... || π ^-1 (a ₀ )),

from (1) we obtain

$$\begin{array}{l}Y(a)=L^{-\mathrm{one}}(S^{-\mathrm{one}}(a))=L^{-\mathrm{one}}(d)=d\cdot G=\\ =(d_{t-\mathrm{one}}\Vert ...\Vert d_0)\cdot \left(\begin{array}{c}{G}_{t-\mathrm{one}}\\ G_{t-2}\\ ...\\ G_0\end{array}\right)=\underset{i=0...t-\mathrm{one}}{\oplus }{u}_i^{{\tau }^{-\mathrm{one}}(d_i)}=\underset{i=0...t-\mathrm{one}}{\oplus }{u}_i^{{\tau }^{-\mathrm{one}}({\pi }^{-\mathrm{one}}(a_i))}\text{(2)}\end{array}$$

In order to exclude π ^-1 transformations, we need to calculate the corresponding intermediate values

$$u{ƒ}_i^j={\pi }^{-\mathrm{one}}(\tau (i))\cdot G_i$$

Note the relation of values

$$u{ƒ}_i^j=u_i^{{\tau }^{-\mathrm{one}}({\pi }^{-\mathrm{one}}(\tau (j)))}$$

Then from (2) we obtain

$$Y(a)=\underset{i=0...t-\mathrm{one}}{\oplus }{u}_i^{{\tau }^{-\mathrm{one}}({\pi }^{-\mathrm{one}}(a_t))}=\underset{i=0...t-\mathrm{one}}{\oplus }u{ƒ}_i^{{\tau }^{-\mathrm{one}}(a_i)}$$

The described method allows you to combine two transformations L ^-1 and S ^-1 into one, the complexity is equal to one transformation L.

Let us conduct a comparative assessment of the known and proposed methods.

A method for directly implementing cryptographic conversion according to a known expression

m = X [K ₀ ] S ^-1 L ^-1 ... X [K _n-1 ] S ^-1 L ^-1 X [K _n ] (c)

requires performing n times transformations equal in complexity to L transformations, performing n times transformations of type S, and performing n + 1 times transformations of type X [K _i ].

Implementation of cryptographic conversion by the proposed method, according to the expression

m = X [KZ ₀ ] S ^-1 X [KZ ₁ ] L ^-1 S ^-1 ... X [KZ _n-1 ] L ^-1 S ^-1 X [KZ _n ] L ^-1 S ^-1 S (c) ,

requires performing n times transformations, equal in complexity to L transformations, two transformations of type S and performing n + 1 times transformations of type X [KZ _i ], it is also necessary to calculate new iterative keys once

KZ ₀ = K ₀ ,

KZ _i = L ^-1 (K _i ),

where i = 1, ..., n,

which will require performing n times transformations of type L.

If an L-type operation requires l processor cycles, and an S chip operation requires s processor cycles, we find that the proposed method becomes faster than the known initial conversion if the number of messages of length w is processed more than the integer part of

$$r=\frac{l\cdot n}{(n-2)\cdot s},\text{(3)}$$

provided that the iterative keys remain unchanged and are calculated only once for all messages of length w.

We also note that in the proposed method it is possible to perform one transformation of type S less, but this will lead to the fact that in the calculation two different transformations will be used, in complexity equal to the transformations L: the first transformation L ^-1 S ^-1 , the second L ^-1 . Then the transformation will take the form

m = X [KZ ₀ ] S ^-1 X [KZ ₁ ] L ^-1 S ^-1 ... X [KZ _n-1 ] L ^-1 S ^-1 X [KZ _n ] L ^-1 (c),

and it will require performing n times transformations in complexity equal to L transformations, one transformation of type S and n + 1 times transformations of type X [K _i ].

The class of iterative cryptographic transformations under consideration implements the so-called permutation-permutation network, which is widely used in the creation of cryptographic algorithms. In particular, based on such transformations, block ciphers, cryptographic hash functions, pseudo-random sequence generators, and other cryptographic primitives can be constructed.

The implementation of the invention

Consider the implementation of the proposed method on the example of a block cipher, in its structure coinciding with AES. The difference is that during encryption the last linear transformation L ₂ is replaced by the transformation L, that is, the transformation L ₁ is additionally added to maintain the uniformity of the linear transformation.

Then the encryption algorithm of the message (binary vector) m of length 128 bits to binary vector c of length 128 bits will also look like (it is known that when encrypting according to the AES standard, a total of 15 iteration keys are used with the length of the original secret key of 256 bits):

c = X [K ₁₄ ] LS ... X [K ₁ ] LSX [K ₀ ] (m),

and decryption algorithm:

m = [K ₀ ] S ^-1 L ^-1 ... X [K ₁₃ ] S ^-1 L ^-1 X [K ₁₄ ] (c)

We show how to implement the decryption algorithm of the proposed method. We consider that iterative keys are set.

First, select transformations from the valid sets:

V _h is the set of all binary strings of length h,

X [K _i ]: V ₁₂₈ → V ₁₂₈ is defined as follows:

X [K _i ] ( a ) = K _i ⊕ a ,

where K _i is the iterative key of the original cryptographic transformation, and K _i , a ∈V ₁₂₈ , i = 0, ..., 14;

L: V ₁₂₈ → V ₁₂₈ - a linear one-to-one transformation is uniquely determined by defining a 128 × 128 non-degenerate binary matrix D.

L ( a ) = a

inverse matrix

G = D ^-1 ;

S: V ₁₂₈ → V ₁₂₈ is a nonlinear one-to-one transformation, and

a = a ₁₅ || ... || a ₀ ,

where a _i ∈V ₈ ;

S ( a ) = S ( a ₁₅ || ... || a ₀ ) = π ( a ₁₅ ) || ... || π ( a ₀ ),

where π: V ₈ → V ₈ is any one-to-one transformation, it uniquely determines the transformation S ( a ),

τ: Z ₂₅₆ → V ₈ is a one-to-one transformation that maps a whole number from the interval 0 ... 255 to the vector of its binary representation, the least significant bits of the number are on the right.

Then, iterative keys KZ ₀ , ..., KZ ₁₄ are calculated based on the existing set of iterative keys K ₀ , ..., K ₁₄ , and the zero key in the new set is determined by the formula

KZ ₀ = K ₀ ,

and the rest according to the formula

KZ _j = L ^-1 (K _j ),

where j = 1, ..., 14.

After that, binary vectors u [i] [j] of length 128 bits are calculated by the formula

u [i] [j] = π ^-1 (τ (j)) · G _i ,

where G _i is the matrix consisting of rows of rows of the matrix G, which corresponds to the linear transformation L ^-1 , with the numbers (15-i) · 8 + 1, (15-i) · 8 + 2, ..., (16-i ) · 8, where i = 0, ..., 15; j = 0, ..., 255.

At the end, m is calculated:

m ₁₄ = S (c);

, $$q_j=\underset{i=0...\mathrm{fifteen}}{\oplus }u\left[i\right]\left[{\tau }^{-\mathrm{one}}(m_j\left[i\right])\right]$$

,

m _j-1 = X [KZ _j ] (q _j ),

Where

m _j = m _j [15] || m _j [14] || ... || m _j [0];

j = 14, ..., 1,

m = X [KZ ₀ ] (S ^-1 (m ₀ )).

To implement all the calculations and operations, a program (program complex) may well be formed by a programming specialist (programmer) in any well-known universal programming language (for example, C language) based on the above relations. Then this program can be executed on the computer.

In the given example, n = 14. Substituting this value into formula (3), we find that the proposed method becomes faster than the original conversion if the processing of the number of messages of length 128 bits longer than the integer part

$$r=\frac{7\cdot l}{6\cdot s},$$

provided that the iterative keys remain unchanged and are calculated only once for all messages of 128 bits in length.

It should be noted that other options for implementing the proposed method are possible, which differ from the one described above and depend on personal preferences when programming individual actions and functions.

Information sources

1. National Institute of Standards and Technology, U.S. Department of Commerce. "Advanced Encryption Standard", Federal Information Processing Standards Publication 197, Washington, DC, November 2001.

2. P.A. Lebedev. Comparison of the old and new RF standards for cryptographic hash function on CPU and NVIDIA GPUs. Mathematical Problems of Cryptography, Volume 4, no. 2, 2013, p. 73-80.

3. O. Kazymyrov, V. Kazymyrova, Algebraic Aspects of the Russian Hash Standard COST R 11/31/2012, 2nd Workshop on Current Trends in Cryptology (CTCrypt 2013) June 23-25. 2013. pp. 160-176.

Claims (1)

The method of cryptographic conversion of message c, presented in binary form, which consists in calculating, based on the existing set of iterative keys K ₀ , ..., K _{n, a} new set of iterative keys KZ ₀ , ..., KZ _n , and the zero key in the new set is determined by formula KZ ₀ = K ₀ , and the rest according to the formula
KZ _j = L ^-1 (K _j ), where j = 1, ..., n; L is a linear one-to-one transformation, moreover, L: V _w → V _w ; L ( a ) = a · D, where V _n is the set of all binary strings of length n,
w is the message size in bits, with w = b · t,
where t, b∈N (the set of natural numbers);
D is a non-degenerate matrix of size w × w;
a is a message (binary vector) of length w;
KZ _i , K _i ∈V _w ,
where i = 0, ..., n;
binary vectors u [i] [j] of length w are calculated by the formula
u [i] [j] = π ^-1 (τ (j)) · G _i ,
where j = 0, ..., 2 ^b -1;
G _i is a b × w matrix consisting of rows of matrices G in a row arranged with numbers (t-1-i) · b + 1, (t-1-i) · b + 2, ..., (ti) · b;
i = 0, ..., t-1;
G = D ^-1 is the inverse matrix with respect to D:
$$\tau :Z_{2^b}\to V_b$$

- a one-to-one transformation, which associates an integer from the interval 0, ..., 2 ^b -1 the vector of its binary representation, the least significant bits of the number are on the right;
π is any one-to-one transformation, and
π: V _b → V _b ;
calculate the binary vector m of length w using the new iterative keys KZ ₀ , ..., KZ _n , by performing the following steps:
calculate
m _n = S ( c ),
where S is a nonlinear one-to-one transformation, and
S: V _w → V _w ,
a = a _t-1 || ... || a ₀ ,
where a _i ∈V _b ;
S ( a ) = S ( a _t-1 || ... || a ₀ ) = π ( a _t-1 ) || ... || π ( a ₀ );
calculate

m _j-1 = X [KZ _j ] (q _j ),
where m _j = m _j [t-1] || m _j [t-2] || ... || m _j [0];
j = n, ..., 1;
X [KZ] is a linear transformation depending on the iterative key KZ, and
X [KZ]: V _w → V _w ,
X [KZ] ( a ) = KZ⊕ a ,
where KZ, and ∈V _w ;
calculate
m = X [KZ ₀ ] (S ^-1 (m ₀ )).