Patent abstract:
The invention relates to a method for encrypting plaintext messages using a secret key, the encryption method implementing at least one substitution layer (422i) using a substitution table and a diffusion layer (423i) using a diffusion matrix, the substitution layer and/or the diffusion layer being dynamically configured by a control parameter obtained by combining the secret key with the output word of a counter (430) and performing a non-invertible transformation (440) on the combination. The counter is incremented at least once between two successive plaintext messages. The configuration of the substitution layer results in an identical permutation of the bits of each element of the substitution table, and the configuration of the diffusion layer results in a permutation of the elements of the diffusion matrix.
Publication number: FR3029719A1
Application number: FR1461917
Filing date: 2014-12-04
Publication date: 2016-06-10
Inventors: Hassan Noura; Damien Courousse
Applicant: Commissariat a lEnergie Atomique CEA; Commissariat a lEnergie Atomique et aux Energies Alternatives CEA
IPC main class:
Patent description:

[0001] TECHNICAL FIELD The present invention relates to the field of cryptography and more particularly to that of symmetric cryptography. A symmetric encryption method is based on the sharing of a secret key (or symmetric key) between a transmitter (conventionally called Alice) and a receiver (conventionally called Bob). This secret key is assumed to have been shared between Alice and Bob through a secure channel. According to this encryption method, Alice encrypts a plaintext message b by means of the secret key, k, and transmits the encrypted message, c, over a non-secure transmission channel to Bob. Bob decrypts the encrypted message to recover the original message. The encryption operation can thus be regarded as a mapping g: K × B → C, where K, B and C respectively denote the space of secret keys, the space of plaintext messages and the space of encrypted messages. Encryption by a key k ∈ K is represented by the function g_k: B → C such that g_k(b) = g(k, b) = c.
[0002] The encryption function must be resistant to cryptanalysis, that is to say to all techniques for discovering the plaintext message from the encrypted message or for discovering the secret key from the encrypted message. It is important to note that this resistance must be guaranteed even if an interceptor (eavesdropper) knows all the details of the encryption function except the secret key itself (the so-called Kerckhoffs principle). Claude Shannon showed that, to obtain encryption functions that are strong in the above sense, they must include elementary (or primitive) operations of confusion and diffusion.
[0003] Confusion is an encryption operation that masks the relationship between the key and the encrypted message. In modern encryption methods, confusion is usually achieved by means of a substitution operation, as described later.
[0004] Diffusion is an operation whereby the influence of a symbol of the plaintext message is spread over a large number of symbols of the encrypted message. In other words, if a single bit of a symbol of the plaintext message is changed, a large number of symbols (typically half) of the encrypted message are modified accordingly (a property known as the avalanche effect). The diffusion operation makes it possible to mask the statistical properties of the plaintext message from a potential interceptor. The two best-known symmetric encryption methods are the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).
[0005] The DES encryption method is based on a Feistel network structure as shown in FIG. 1. The plaintext message, b, consists of a word of N = 64 bits. It is first subjected to a permutation of its bits, denoted IP.
[0006] The message resulting from the permutation, IP(b), is then submitted to a Feistel network consisting of 16 successive iterations (or rounds), 120_1, ..., 120_16, of identical structure. At each iteration i, the message is divided into two parts of N/2 bits, denoted respectively L_{i-1} (left part) and R_{i-1} (right part).
[0007] The right part, R_{i-1}, is subjected to a non-linear function, f, parameterized by a subkey (or round key) k_i. The result obtained, f(R_{i-1}, k_i), is combined with the left part, L_{i-1}, using an exclusive OR operation (denoted hereinafter ⊕). The left and right parts are then swapped to form the input message of the next iteration. In other words:

L_i = R_{i-1} (1-1)
R_i = L_{i-1} ⊕ f(R_{i-1}, k_i) (1-2)

The function f uses several substitution tables, or S-boxes, as well as a permutation. The function f plays both a substitution and a diffusion role. It should be noted that the subkey k_i intervenes only in the form of an addition to an intermediate result (expansion E in the figure).
[0008] At the end of the 16th iteration, the message is subjected to the permutation IP^{-1}, inverse of the initial permutation, to provide the encrypted message c = IP^{-1}(L_16 R_16). The subkeys k_i of the different iterations are generated from the secret key k, of size N = 64 bits. First, the key k is stripped of all its bits whose position is a multiple of 8 and permuted by means of a permutation PC-1 on the remaining 56 bits. At each iteration, the key is divided into a left part and a right part of 28 bits each, each of these parts being rotated by a number of bits depending on the index i of the iteration in question. The AES encryption method is based on a Substitution Permutation Network (SPN), as shown in FIG. 2. After the plaintext message, b, has been added to an initial subkey, k_0, at 210, the resulting message is subjected to a sequence of iterations (also called "rounds" or "turns") of identical structure.
[0009] Each iteration 220 comprises a substitution layer (Byte Substitution layer) 221, a diffusion layer 222, and an addition layer 223 with a subkey of the iteration in question derived from the secret key k. The plaintext message, b, consists of 16 bytes A_0, ..., A_15.
[0010] The substitution layer, 221, substitutes for each byte A_m a byte B_m by means of a substitution table (S-box), the 16 substitution tables being of identical composition. The bytes B_0, ..., B_15 thus obtained are stored in a 4×4 matrix. They are the object of a permutation operation on the rows (ShiftRows sublayer), then of a mixing operation on the columns (MixColumns sublayer) which carries out the diffusion. Each column of the matrix is multiplied by a constant matrix, called the diffusion matrix, of size 4×4, the multiplications of the different elements being carried out in GF(2^8).
[0011] The diffusion layer serves to propagate a change towards the other columns and consequently makes it possible to ensure the aforementioned avalanche effect after a few iterations. Note that the last iteration, 220, does not include the mixing on columns (MixColumns sublayer). The secret key of the AES encryption method can be 128, 192 or 256 bits long. The process of generating the subkeys depends on the size of the key but in all cases uses rotation by bytes, substitution by means of S-boxes and summation. A description of the DES and AES encryption methods can be found, for example, in the book by Christof Paar and Jan Pelzl entitled "Understanding Cryptography", Springer. In general, symmetric encryption methods can be represented by a sequence of encryption rounds, each encryption round comprising a substitution operation and a diffusion operation.
[0012] The substitution operation is a non-linear transformation generally performed by means of S-boxes. The diffusion operation is generally performed by a linear transformation, in particular by multiplication by a matrix with coefficients in GF(2^8).
[0013] FIG. 3 schematically represents the general structure of an encryption method known from the state of the art. It uses a secret key k to encrypt a plaintext message, b. The secret key k serves to generate a sequence of subkeys, each subkey being used by a corresponding encryption round. More precisely, each encryption round comprises an addition operation with a round subkey, 321, a substitution step, 322, and a diffusion step, 323. Symmetric encryption methods are resistant to conventional cryptanalysis methods (analytic attacks, brute-force attacks), but the encryption circuits that implement them are, on the other hand, substantially more vulnerable to physical attacks such as fault attacks (FA) or side-channel attacks (SCA). In general, SCA attacks exploit physical measurements of the encryption circuit (power consumption, electromagnetic radiation, timing of computations, etc.) while FA attacks exploit logical errors induced by the interceptor to find the secret key. To counter these physical attacks, various countermeasures have been developed, including so-called masking techniques. In particular, these techniques aim to defeat a statistical analysis of physical measurements by randomizing the execution of certain computations using random numbers. More precisely, masking consists in mixing random values (masks) with the intermediate values at the input of the different encryption steps and performing the inverse operation at the output of these steps. This masking technique is, however, particularly complex because of the non-linear nature of certain encryption steps, the inverse operation then requiring significant computational resources.
[0014] The object of the present invention is to propose a symmetric encryption method which is substantially more robust to physical attacks, simple to implement and requiring less computational resources than the aforementioned masking technique, without presenting an increased vulnerability to classical techniques of cryptanalysis.
[0015] SUMMARY OF THE INVENTION The present invention is defined by a method of symmetric encryption of plaintext messages using a secret key, the encryption method implementing at least one substitution layer using a substitution table and a diffusion layer using a diffusion matrix, wherein: a counter is initialized with a seed and said counter is incremented at least once between the encryption of two successive plaintext messages; a non-invertible transformation is performed on a combination of said secret key with an output word of said counter to generate a control parameter; the substitution layer and/or the diffusion layer are configured by means of the control parameter, the configuration of the substitution layer resulting in an identical permutation of the bits of each element of the substitution table and the configuration of the diffusion layer resulting in a permutation of the elements of the diffusion matrix.
[0016] According to a first embodiment, the encryption method performs a block cipher, each block being subjected to a plurality N_r of encryption rounds, each encryption round comprising a substitution layer and a diffusion layer, the substitution layer and the diffusion layer of each encryption round being configured using the control parameter.
[0017] Preferably, a first part and a second part of the corresponding control parameter are extracted, and the substitution layer and the diffusion layer are respectively configured by means of the first part and the second part thus extracted. From said first part of the control parameter, a first permutation vector can be generated and the bits of each element of a static substitution table are exchanged, using said first permutation vector, to generate a dynamic substitution table dependent on said control parameter. The first permutation vector is advantageously generated by dividing the first part of the control parameter into a plurality of blocks, each block being stored in a control register, and performing a plurality of permutation steps, each permutation step comprising the control of an input data register by a control register in order to store the elements of the input data register in an output data register, said control consisting in storing the elements of the input data register at a first end of the output data register if the bits corresponding to these elements in the control register have a first logic value, and storing these same elements at a second end of the output data register if the bits corresponding to these same elements in the control register have a second logic value. From the second part of the control parameter, a second row permutation vector and a second column permutation vector can be generated, and the rows and columns of a predetermined diffusion matrix are rotated respectively according to said second row and column permutation vectors, to generate a dynamic diffusion matrix dependent on said control parameter.
[0018] In this case, the second row and column permutation vectors can be respectively generated by dividing the second part of the control parameter into a first and a second word of the same size, the first and second words each being divided into a plurality of blocks. Advantageously, each block of the first or second word is stored in a control register, and a plurality of permutation steps are performed, each permutation step comprising the control of an input data register by a control register in order to store the elements of the input data register in an output data register, said control consisting in storing the elements of the input data register at a first end of the output data register if the bits corresponding to these elements in the control register have a first logic value, and storing these same elements at a second end of the output data register if the bits corresponding to these same elements in the control register have a second logic value. According to a first variant, the counter is incremented every w blocks of the plaintext message.
[0019] According to a second variant, the counter is incremented every Q_r < N_r encryption rounds, Q_r and N_r being integers coprime to each other. Advantageously, the combination of the secret key with the output word of the counter is a concatenation.
[0020] The non-invertible transformation advantageously comprises a hash operation. According to a second embodiment, the encryption method performs stream encryption, each bit of the plaintext message being added to a corresponding bit of a key stream, the key stream being generated by means of a shift register coupled to a finite state machine, the finite state machine comprising at least one substitution layer using a substitution table and a diffusion layer using a diffusion matrix, the substitution layer and/or the diffusion layer being controlled by means of a corresponding control parameter, the configuration of the substitution layer resulting in an identical permutation of the bits of each element of the substitution table and the configuration of the diffusion layer resulting in a permutation of the elements of the diffusion matrix. The present invention also relates to a computer program which, when executed by a computer, performs the steps of the symmetric encryption method defined above. The present invention likewise relates to a computer-readable medium on which the symmetric encryption program in question is stored.
The present invention finally relates to a method for decrypting a message encrypted by means of the symmetric encryption method according to the first embodiment, said decryption method implementing at least a second substitution layer using a second substitution table and a second diffusion layer using a second diffusion matrix, and comprising the following steps: a second counter is initialized using the same seed as that used for encryption and said counter is incremented from the same initial value and at the same frequency as that used for encryption; the same non-invertible transformation is carried out on the same combination of the secret key used for encryption with the output word of said counter; the same control parameter as for encryption is generated from the result obtained by said non-invertible transformation; the second substitution layer and/or the second diffusion layer are configured by means of the corresponding control parameter, the configuration of the second substitution layer resulting in a permutation of the bits of each element of the second substitution table that is the inverse of the permutation used for encryption, and the configuration of the second diffusion layer resulting in a permutation of the elements of the diffusion matrix that is the inverse of the permutation used for encryption. Similarly, the present invention finally relates to a method of decrypting a message encrypted using the symmetric encryption method according to the second embodiment, each bit of the encrypted message being added to a corresponding bit of the same key stream
as that generated during encryption, the key stream being generated by means of a second shift register coupled to a second finite state machine, the second finite state machine comprising at least a second substitution layer using the same substitution table as that used for encryption and a diffusion layer using the same diffusion matrix as that used for encryption, each substitution layer and/or each diffusion layer being controlled by means of a corresponding control parameter, the configuration of the substitution layer resulting in a permutation of the bits of each element of the substitution table identical to that used for encryption and the configuration of the diffusion layer resulting in a permutation of the elements of the diffusion matrix identical to that used during encryption.
[0021] BRIEF DESCRIPTION OF THE DRAWINGS Other characteristics and advantages of the invention will appear on reading a preferred embodiment of the invention with reference to the appended figures, in which:
FIG. 1 schematically represents a DES encryption method known from the state of the art;
FIG. 2 schematically shows an AES encryption method known from the state of the art;
FIG. 3 schematically represents the general structure of a symmetric encryption method known from the state of the art;
FIG. 4 schematically shows the general structure of a symmetric encryption method according to a first embodiment of the invention;
FIG. 5 schematically shows an embodiment of a dynamic substitution layer and a dynamic diffusion layer for the encryption method of FIG. 4;
FIG. 6 schematically illustrates an example of generation of a dynamic substitution table in FIG. 5;
FIG. 7A shows an example of a static substitution table in FIG. 6;
FIG. 7B represents the substitution table of FIG. 7A after a permutation operation of FIG. 6;
FIG. 8 schematically shows an example of generation of a dynamic diffusion matrix in FIG. 5;
FIG. 9 schematically shows a permutation vector generation module in FIGS. 6 and 8;
FIGS. 10A and 10B show correlation curves of a second-order DPA, respectively for a conventional AES encryption method and for an encryption method according to an embodiment of the invention;
FIG. 11 shows an example of an encryption method according to a second embodiment of the invention.
[0025] DETAILED DESCRIPTION OF PARTICULAR EMBODIMENTS We will consider hereinafter a symmetric encryption method comprising a plurality of rounds, each round comprising an addition layer, a substitution layer and a diffusion layer in the sense defined above.
[0026] A first principle underlying the invention is to make the substitution and/or diffusion layers dynamic according to a pseudo-random process. A second principle underlying the invention is to preserve the cryptographic properties of these layers by using substitution tables and diffusion matrices that are globally invariant in the sense described below.
[0027] More specifically, FIG. 4 represents the general structure of an encryption method according to a first embodiment of the invention. The encryption method uses a secret key, k, to encrypt a plaintext message or block to be encrypted, b. It also initiates a counter 430 from a seed shared between Alice and Bob.
[0028] The output of the counter 430 is combined with the key k, the combination thus obtained being subjected to a non-invertible transformation, 440, such as a cryptographic hash function, for example the SHA-3 function. According to a first variant, the combination can be obtained by concatenating the bits of the key (or only some of them) with the bits of the output word of the counter (or only some of them). The result of the concatenation is denoted k||CTR, where CTR is the output of the counter. According to a second variant, the combination can be obtained by means of a sum (exclusive OR) of the key and the output word of the counter, i.e. k ⊕ CTR. This sum may also involve only certain bits of the counter output and of the key.
[0029] The result of the hashing, or more generally of the non-invertible transformation, h, is used as a control parameter. This control parameter makes it possible to dynamically control the configuration of the substitution and / or diffusion layers. A first portion of the control parameter may control the substitution layers and a second portion of the control parameter may control the diffusion layers.
[0030] In a first variant, the counter 430 is incremented every w blocks. In other words, if N_r is the number of encryption rounds for a block b, a new control parameter is generated every Q_r = wN_r encryption rounds. Note that FIG. 4 illustrates the case where w = 1, that is, a generation of the control parameter for each plaintext message. According to a second variant, the counter 430 is incremented every Q_r encryption rounds with Q_r < N_r; in other words, the counter is incremented at a frequency that is a sub-multiple of the round frequency (or iteration frequency) within the encryption of a block. In addition, Q_r and N_r are advantageously chosen coprime. In a particular case of this second variant, it is possible to choose Q_r = 1, in other words an update of the control parameter at each encryption round. It will be understood that this second variant makes it possible to obtain a higher resistance to physical attacks than the first variant, at the cost, however, of greater complexity. According to a third variant, the counter 430 is incremented every Q_r > N_r encryption rounds, with Q_r and N_r coprime. Whatever the variant envisaged, the counting frequency of the counter is known to Alice and Bob. In general, a control parameter is generated every Q_r encryption rounds. This control parameter is used to configure the substitution layers 422_i and the diffusion layers 423_i of the different encryption rounds. Thus, in the first variant, the control parameter is modified every w blocks, that is to say every Q_r = wN_r encryption rounds. In the second variant, the control parameter is regenerated every Q_r encryption rounds, i.e. several times within the encryption of a block. Whatever the variant, a first part of a control parameter may serve as a parameter for the substitution layer 422_i and a second part may serve as a parameter for the diffusion layer 423_i. Since a change of the control parameter leads to a reconfiguration of the substitution and diffusion layers, these may therefore be described as dynamic.
[0031] More precisely, the control parameter h makes it possible to generate, at 450, a dynamic substitution table (dynamic S-box or DS) from a predetermined static substitution table and a dynamic diffusion matrix (DDM) from a predetermined static diffusion matrix.
[0032] It will be understood that the dynamic nature of the substitution and diffusion layers makes the encryption method, or more exactly the circuit that implements it, much more resistant to physical attacks, especially those that try to find the secret key by correlating signals from the circuit with predetermined reference signals. Indeed, a correlation attack requires stationary physical signals on a time window whose duration is of the order of the encryption time of several messages. This stationarity is broken by the dynamic nature of the substitution and diffusion layers. In addition, the dynamic configuration of the substitution layers 422_1, ..., 422_Nr leaves each of them globally invariant. More precisely, the dynamic configuration of a substitution layer leaves each element of the substitution table invariant up to a permutation of its bits. Similarly, the dynamic configuration of the diffusion layers 423_1, ..., 423_Nr leaves each of them globally invariant. In other words, the dynamic configuration of a diffusion layer does not affect the set of elements of the diffusion matrix but only the distribution of these elements within the matrix. Thus, the configuration does not alter the structure of the encryption method, so that it retains its resistance to conventional cryptanalysis techniques. Upstream of the substitution layers 422_1, ..., 422_Nr and the diffusion layers 423_1, ..., 423_Nr, addition layers with the round subkeys, provided at 421_1, ..., 421_Nr, perform masking. The subkeys are generated from the key k and a round counter in a manner known per se, for example according to the method used in the AES algorithm. Decryption of a message encrypted using the encryption method of FIG. 4 is performed from the secret key and the same seed as that used for encryption. A counter is initialized with the seed and incremented at the same counting frequency as that used during encryption. The order of the addition, substitution and diffusion layers is reversed.
The round subkeys are generated in the same way as for encryption and the addition layers perform the addition with these subkeys. The substitution layers use the inverse substitution tables of those used during encryption, the permutation of each element of the table also being the inverse of that used for encryption. In the same way, the diffusion layers use a diffusion matrix that has undergone the inverse of the permutation applied during encryption. FIG. 5 shows an exemplary embodiment of a dynamic substitution layer and a dynamic diffusion layer for the encryption method of FIG. 4. The control parameter for the encryption round is denoted h. The control parameter h is divided into a first part, RS, which is used to configure the substitution layer, and a second part, RD, which serves to configure the diffusion layer. For example, the first part, RS, is formed from the m most significant bits (MSB) of h and the second part, RD, is formed from the n least significant bits (LSB) of h. At 520, a bit permutation of each byte of a predetermined (static) substitution table 530 is performed to obtain a dynamic substitution table 540, dependent on the first part, RS.
[0033] Similarly, at 521, a permutation is performed on the rows and columns of a static predetermined diffusion matrix, 531, to obtain a dynamic diffusion matrix, 541, dependent on the second part, RD. Fig. 6 shows an embodiment of the module 540 of FIG. 5.
[0034] The first part, RS, of the control parameter is divided into N_S blocks of q_s bits each, i.e. N_S = m/q_s, with q_s = log2(L) where L is the length of the static substitution table, in other words the number of elements in the table. Each element of the table is coded on q_s bits.
[0035] The word RS is used to generate, at 610, a permutation vector Ind of size q_s, the elements of the vector Ind being the integers 1, ..., q_s, each value being represented only once. The method of generating the permutation vector is presented below in connection with FIG. 9.
[0036] The permutation vector Ind indicates the permutation to be performed on the bits of each element of the substitution table. Each element of the substitution table 620 is thus replaced, at 640, by an element whose bits have been permuted. The result is a dynamic substitution table, 650, whose elements depend on the first part, RS, of the control parameter.
[0037] It is important to note that the permutation on each element of the static substitution table preserves the resistance of the encryption method to conventional cryptanalysis methods. In particular, the immunity against linear and differential attacks is unchanged because the linear probability (LP) and differential probability (DP) criteria are retained.
[0038] FIG. 7A shows the substitution table of a conventional AES encryption method. It is of length L = 256 and consists of 16 rows by 16 columns, each element of the table belonging to GF(2^8). This table is used to substitute an outgoing byte for an incoming byte in the following manner. The incoming byte is divided into two nibbles, a first nibble giving the row number and a second nibble giving the column number. The outgoing byte is given by the element stored in the table at the row and column thus determined. For example, if the incoming byte is (A2)_hex, the outgoing byte provided by the substitution table is (E5)_hex = 229.
[0039] FIG. 7B is the result of a permutation operation on the substitution table of FIG. 7A.
[0042] The permutation on the bits of an element, here a byte, of the substitution table is defined by a permutation vector Ind = (p_7 p_6 p_5 p_4 p_3 p_2 p_1 p_0). This permutation applies identically to all elements of the table, so that the bijectivity of the substitution table is preserved.
[0043] An element b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0 of the table is transformed by the above permutation into the element b_{p7} b_{p6} b_{p5} b_{p4} b_{p3} b_{p2} b_{p1} b_{p0}. In the illustrated example, the permutation vector is Ind = (0 7 2 3 1 5 4 6). Thus, an element b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0 of the substitution table is transformed into the element b_0 b_7 b_2 b_3 b_1 b_5 b_4 b_6.
[0044] FIG. 8 shows an embodiment of the module 541 of FIG. 5. The second part, RD, of the control parameter is divided into blocks of q_d bits each, i.e. N_d = n/q_d blocks, where q_d = log2(Q) is chosen according to the size Q×Q of the (static) diffusion matrix. Then, at 805, a first word consisting of N_d/2 blocks (for example the first N_d/2 blocks of RD), denoted RD_R, and a second word consisting of N_d/2 blocks (for example the last N_d/2 blocks of RD), denoted RD_C, are formed. The first word, RD_R (respectively the second word, RD_C), is used, at 815, to generate a row permutation vector, Ind_R (respectively a column permutation vector, Ind_C). The vectors Ind_R and Ind_C are of size Q and have as elements the values 1, ..., Q, each value being represented only once. The permutation of the rows of the diffusion matrix DM is performed, at 830, as a function of the row permutation vector Ind_R, and the permutation of the columns is carried out, at 820, as a function of the column permutation vector Ind_C.
[0045] For example, if Q = 4 and the vectors are Ind_R = (α β γ δ) and Ind_C = (ε ζ η θ), the diffusion matrix

$$DM = \begin{pmatrix} d_{11} & d_{12} & d_{13} & d_{14} \\ d_{21} & d_{22} & d_{23} & d_{24} \\ d_{31} & d_{32} & d_{33} & d_{34} \\ d_{41} & d_{42} & d_{43} & d_{44} \end{pmatrix}$$

is transformed into the matrix

$$DDM = \begin{pmatrix} d_{\alpha\varepsilon} & d_{\alpha\zeta} & d_{\alpha\eta} & d_{\alpha\theta} \\ d_{\beta\varepsilon} & d_{\beta\zeta} & d_{\beta\eta} & d_{\beta\theta} \\ d_{\gamma\varepsilon} & d_{\gamma\zeta} & d_{\gamma\eta} & d_{\gamma\theta} \\ d_{\delta\varepsilon} & d_{\delta\zeta} & d_{\delta\eta} & d_{\delta\theta} \end{pmatrix}$$

dependent on the second part, RD, of the control parameter. This dynamic diffusion matrix is conventionally used to mix a block of Q bytes at its input. For example, assuming Q = 4 and denoting by a = (a_1 a_2 a_3 a_4)^T the vector of input bytes, the vector of bytes obtained at the output of the diffusion, a_d, is simply

$$a_d = \begin{pmatrix} a^d_1 \\ a^d_2 \\ a^d_3 \\ a^d_4 \end{pmatrix} = \begin{pmatrix} d^d_{11} & d^d_{12} & d^d_{13} & d^d_{14} \\ d^d_{21} & d^d_{22} & d^d_{23} & d^d_{24} \\ d^d_{31} & d^d_{32} & d^d_{33} & d^d_{34} \\ d^d_{41} & d^d_{42} & d^d_{43} & d^d_{44} \end{pmatrix} \begin{pmatrix} a_1 \\ a_2 \\ a_3 \\ a_4 \end{pmatrix}$$

where the elements d^d_{ij} of the matrix DDM are bytes. The additions of the matrix multiplication are carried out in GF(2^8), that is, by simple bitwise XORs. The multiplications are carried out by considering for each byte the representative polynomial of this byte, i.e. for a byte b_0 b_1 ... b_7, where b_0 is the LSB and b_7 is the MSB, the polynomial b_7 X^7 + b_6 X^6 + ... + b_1 X + b_0. The multiplication of two bytes is carried out by multiplying the corresponding representative polynomials and computing the remainder of the division of the resulting polynomial by a generator polynomial P(X) of GF(2^8), for example the one used in the AES encryption method, namely P(X) = X^8 + X^4 + X^3 + X + 1.
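Added example (not code from the patent or its authors) of the two dynamic layers described above: the bit-permuted dynamic S-box of FIG. 7B and the row/column-permuted dynamic diffusion matrix of FIG. 8, with the GF(2^8) column mixing. Assumptions: the static S-box is the AES S-box (computed here from the field inverse and affine map), the static diffusion matrix DM is the AES MixColumns matrix, and the permutation vectors are given as inputs, 0-indexed as in the Ind = (0 7 2 3 1 5 4 6) example; their generation from the control parameter is a separate step.

```python
AES_POLY = 0x11B  # P(X) = X^8 + X^4 + X^3 + X + 1, the generator polynomial of GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo P(X)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8) computed as a^254 (a^255 = 1); inv(0) = 0 by convention."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def aes_sbox() -> list:
    """Static substitution table (assumed: the AES S-box): field inverse then the AES affine map."""
    box = []
    for x in range(256):
        s = gf_inv(x)
        t = s
        for _ in range(4):
            s = ((s << 1) | (s >> 7)) & 0xFF  # rotate left by one bit
            t ^= s
        box.append(t ^ 0x63)
    return box


def permute_bits(x: int, ind: list) -> int:
    """Apply Ind = (p7 p6 ... p0): output bit 7 is input bit p7, output bit 6 is input bit p6, ..."""
    out = 0
    for pos, src in enumerate(ind):
        out |= ((x >> src) & 1) << (7 - pos)
    return out


def dynamic_sbox(static: list, ind: list) -> list:
    """The same bit permutation is applied to every element, so the table remains a bijection."""
    return [permute_bits(v, ind) for v in static]


def dynamic_dm(dm: list, ind_r: list, ind_c: list) -> list:
    """DDM[i][j] = DM[Ind_R[i]][Ind_C[j]] (0-indexed): only the placement of the elements changes."""
    return [[dm[r][c] for c in ind_c] for r in ind_r]


def mix_column(ddm: list, col: list) -> list:
    """a_d = DDM * a, with products in GF(2^8) and XOR as the addition."""
    out = []
    for row in ddm:
        acc = 0
        for d, a in zip(row, col):
            acc ^= gf_mul(d, a)
        out.append(acc)
    return out


# Constructed inputs: the permutation vector of the FIG. 7B example (0-indexed) and
# the AES MixColumns matrix taken as the static diffusion matrix DM.
IND = [0, 7, 2, 3, 1, 5, 4, 6]
DM = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

if __name__ == "__main__":
    sbox = aes_sbox()
    dsbox = dynamic_sbox(sbox, IND)
    assert sorted(dsbox) == list(range(256))  # bijectivity is preserved
    print("S[0x00] = %02x -> DS[0x00] = %02x" % (sbox[0], dsbox[0]))
    ddm = dynamic_dm(DM, [1, 2, 3, 0], [0, 1, 2, 3])  # rows rotated by one position
    print([hex(v) for v in mix_column(ddm, [0xDB, 0x13, 0x53, 0x45])])
```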
[0046] It is important to note that the permutation of the elements of the diffusion matrix preserves the number of linear diffusion branches (the branch number) and consequently the resistance of the encryption method to conventional cryptanalysis. In addition, as with the substitution layer, the dynamic configuration of the diffusion layer makes it substantially more resistant to physical attacks. FIG. 9 illustrates a method of generating a permutation vector for FIGS. 6 and 8. More precisely, this method generates the permutation vector Ind in module 610 of FIG. 6 and the permutation vectors IndR and IndC in module 810 of FIG. 8. Recall, however, that the vector Ind operates on the bits of an element of the substitution table and is therefore of size q_s, whereas the vectors IndR and IndC respectively operate on the rows and columns of the static diffusion matrix and are therefore of size q_d = Q.
[0047] The vector Ind is generated from the blocks of the first part RS of the control parameter, each block consisting of q_s bits. The number of blocks, N_S, is assumed to satisfy N_S ≥ N_p, where N_p is a predetermined number of permutation steps. The vector IndR (respectively IndC) is generated from the N_d/2 blocks of RDR (respectively RDC), each block consisting of q_d bits. The number of blocks, N_d/2, is assumed to satisfy N_d/2 ≥ N_p. In the remainder of the description, for a homogeneous presentation, Ind_π denotes the permutation vector (which may indifferently stand for Ind, IndR or IndC), q_π its size, and R_1, ..., R_{N_p} the first N_p blocks of the starting word R (which may respectively stand for RS, RDR and RDC). The words R_1, ..., R_{N_p} are respectively loaded into N_p successive control registers CR_1, ..., CR_{N_p}, each of size q_π.
[0048] In addition, N_p + 1 data registers DR_0, ..., DR_{N_p} are provided. The first data register DR_0 is initialized with the word (1, ..., q_π), corresponding to the identity permutation. A data register DR_p is obtained by a permutation operation called GRP from the data D_{p-1} contained in the data register DR_{p-1} and the control word R_p contained in the control register CR_p. A description of the GRP operation is given in the article by Lee et al. entitled "On permutation operations in cipher design", published in Proc. of ITCC 2004, International Conference on Information Technology: Coding and Computing, vol. 2, pp. 569-577, 5-7 April 2004. The operation is easily understood from the example of FIG. 9, where q_π = 8. The first data register is initialized to D_0 = 12345678, as indicated above. The control register CR_1 is loaded with the word R_1 = 01011001. Each element of DR_0 is controlled by the corresponding bit of CR_1: the elements of DR_0 whose control bit is 0 are stored, in order, at the left end of DR_1, and the elements whose control bit is 1 are stored, in order, at the right end of DR_1. Thus D_1 = 13672458. The permutation of the data under control of the control registers continues until p = N_p, and the content of DR_{N_p} is the permutation vector. At each encryption round there are thus available, from the control parameter, permutation vectors Ind, IndR and IndC permuting the bits of each element of the static substitution table as well as the rows and columns of the static diffusion matrix.
[0049] According to one variant, each step of the permutation vector generation is doubled: the data item D_p is first controlled by the control word R_{p+1}, and the resulting data item is then controlled a second time by $\overline{R_{p+1}}$, the bitwise complement of R_{p+1}. The number of control operations of FIG. 9 is thus doubled, for increased randomization.
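The whole configuration path of [0047]-[0049] and of the control-parameter generation recalled in [0057], as an added example (not the patent's code): a control parameter h is derived from the secret key and the counter, split into a first part RS and a second part RD, blocks of those parts drive the GRP steps of FIG. 9 (including the doubled variant), and the resulting vectors are applied as an identical bit permutation of every entry of a static S-box and as row/column vectors for the diffusion matrix. Assumptions, none of which the patent fixes: the non-invertible transformation is SHA-256 of key || counter, RS and RD are the two halves of h, q_s = 8, q_d = Q = 4, N_p = 4, and the S-box is a constructed affine bijection rather than a real cipher's.

```python
"""Control parameter and GRP-based permutation vectors.

Added example (not the patent's code).  Derives h = H(key || counter), splits
it into RS and RD, turns blocks of those parts into permutation vectors with
the GRP operation of FIG. 9 (optionally doubled as in [0049]) and applies the
result to a static S-box (bit permutation of every entry) and, as IndR / IndC,
to the diffusion matrix.  Assumptions: H = SHA-256, RS/RD = halves of h,
q_s = 8, q_d = Q = 4, N_p = 4, constructed toy S-box.
"""
import hashlib


def grp(data, control):
    """One GRP step: elements whose control bit is 0 are gathered, in order, at
    the left end; those whose control bit is 1, in order, at the right end."""
    if len(data) != len(control):
        raise ValueError("control word must be as long as the data register")
    zeros = [d for d, c in zip(data, control) if c == 0]
    ones = [d for d, c in zip(data, control) if c == 1]
    return zeros + ones


def permutation_vector(control_words, size, doubled=False):
    """DR_0 = (1, ..., size); DR_p = GRP(DR_{p-1}, R_p) for p = 1..N_p.
    doubled=True applies each word and then its bitwise complement ([0049])."""
    ind = list(range(1, size + 1))
    for word in control_words:
        ind = grp(ind, word)
        if doubled:
            ind = grp(ind, [1 - b for b in word])
    return ind


def control_parameter(key: bytes, counter: int) -> bytes:
    """Non-invertible transformation of key || counter (hash assumed: SHA-256)."""
    return hashlib.sha256(key + counter.to_bytes(8, "big")).digest()


def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def blocks(bitlist, block_size, count):
    """First `count` blocks of `block_size` bits of a word (N_S >= N_p assumed)."""
    if len(bitlist) < block_size * count:
        raise ValueError("not enough bits for the requested number of blocks")
    return [bitlist[i * block_size:(i + 1) * block_size] for i in range(count)]


def permute_bits(value, ind, width):
    """Output bit j (MSB first) is input bit ind[j] (1-based, MSB first)."""
    in_bits = [(value >> (width - 1 - i)) & 1 for i in range(width)]
    out = 0
    for j in range(width):
        out = (out << 1) | in_bits[ind[j] - 1]
    return out


# Constructed 8-bit S-box (assumption): x -> 31*x + 99 mod 256 is a bijection
# because 31 is odd.  It has no cryptographic merit; it only needs to be a table.
TOY_SBOX = [(31 * x + 99) & 0xFF for x in range(256)]


def configure(key, counter, sbox, q_s=8, q_d=4, n_p=4):
    """Derive Ind, IndR, IndC and the dynamic S-box for one counter value.
    The receiver calls this with the same key and counter to get the same result."""
    h = to_bits(control_parameter(key, counter))
    rs, rd = h[:len(h) // 2], h[len(h) // 2:]          # first part RS, second part RD
    ind = permutation_vector(blocks(rs, q_s, n_p), q_s)
    rdr, rdc = rd[:len(rd) // 2], rd[len(rd) // 2:]    # words RDR and RDC
    ind_r = permutation_vector(blocks(rdr, q_d, n_p), q_d)
    ind_c = permutation_vector(blocks(rdc, q_d, n_p), q_d)
    dyn_sbox = [permute_bits(v, ind, q_s) for v in sbox]
    return ind, ind_r, ind_c, dyn_sbox


if __name__ == "__main__":
    # FIG. 9 example: DR_0 = 12345678 under R_1 = 01011001 gives 13672458
    print(grp(list(range(1, 9)), [0, 1, 0, 1, 1, 0, 0, 1]))
    ind, ind_r, ind_c, _ = configure(b"\x00" * 16, 0, TOY_SBOX)
    print(ind, ind_r, ind_c)
```

Two checks worth keeping in any real implementation: a bit permutation applied identically to every entry keeps the S-box a bijection (the table stays invertible, which the decryption of claim 16 relies on), and the configuration is a pure function of (key, counter), which is exactly why the decryptor must replay the same counter schedule.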
[0050] FIGS. 10A and 10B respectively illustrate the resistance to Differential Power Analysis (DPA) of a conventional AES encryption method and of an encryption method according to an embodiment of the invention. A DPA attack on an encryption circuit consists in building a hypothetical consumption model M of the circuit as a function of the secret key. A correlation is then computed between the power consumption T, as measured over time, and a variable V(k), representative of the consumption of the encryption circuit as predicted by the model M under the key hypothesis k. The secret key hypotheses are tested one after the other and, for each hypothesis k, the Pearson coefficient between T and V(k) is computed:

$\rho_{T,V(k)} = \dfrac{\sigma_{T\,V(k)}}{\sigma_T\,\sigma_{V(k)}}$

where $\sigma_{T\,V(k)}$ is the covariance between T and V(k), and $\sigma_T$ and $\sigma_{V(k)}$ are the standard deviations of T and V(k) respectively.
[0051] The secret key $\hat{k}$ is then estimated as the hypothesis that maximizes the Pearson coefficient, that is: $\hat{k} = \arg\max_k \rho_{T,V(k)}$. FIGS. 10A and 10B show the Pearson coefficient as a function of the secret key hypothesis k, respectively for the conventional AES encryption method and for the encryption method according to an embodiment of the invention. The secret key value (43) was the same in both cases. The curve of FIG. 10A shows a sharp correlation peak at this key value, whereas that of FIG. 10B makes estimating the secret key impossible: its largest peak corresponds to an erroneous key value (80).
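The attack of [0050]-[0051] run end to end on synthetic data, as an added example (not the patent's measurement): traces are simulated as the Hamming weight of one S-box output plus Gaussian noise, V(k) is built from the same model for all 256 key hypotheses, and the hypotheses are ranked by their Pearson coefficient with T. The S-box is a constructed random bijection (not AES's), the leakage model and noise level are assumptions, and the key value 43 mirrors the one used in FIGS. 10A/10B.

```python
"""Correlation power analysis of one S-box lookup (the attack of [0050]-[0051]).

Added example, not the patent's code or data.  Measurements are simulated:
the device is assumed to leak the Hamming weight of the S-box output plus
Gaussian noise.  For every key hypothesis k the predicted variable V(k) is
built from the same model and ranked by its Pearson coefficient with T.
The S-box is a constructed random bijection, not AES's.
"""
import math
import random


def make_sbox(seed=1):
    """Constructed S-box: a seeded random permutation of 0..255."""
    s = list(range(256))
    random.Random(seed).shuffle(s)
    return s


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def pearson(xs, ys):
    """rho = cov(X, Y) / (sigma_X * sigma_Y)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def simulate_traces(sbox, key, n_traces, sigma, seed=2):
    """Constructed measurements: T = HW(S[p ^ key]) + N(0, sigma), one sample per trace."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    traces = [hamming_weight(sbox[p ^ key]) + rng.gauss(0, sigma) for p in plaintexts]
    return plaintexts, traces


def dpa_attack(sbox, plaintexts, traces):
    """Return (k_hat, scores) with k_hat = argmax_k rho_{T, V(k)}."""
    scores = []
    for k in range(256):
        v_k = [hamming_weight(sbox[p ^ k]) for p in plaintexts]   # model M under hypothesis k
        scores.append(pearson(traces, v_k))
    k_hat = max(range(256), key=lambda k: scores[k])
    return k_hat, scores


def demo(key=43, n_traces=2000, sigma=2.0):
    """Recover one key byte from 2000 simulated traces at noise sigma = 2."""
    sbox = make_sbox()
    plaintexts, traces = simulate_traces(sbox, key, n_traces, sigma)
    return dpa_attack(sbox, plaintexts, traces)


if __name__ == "__main__":
    k_hat, scores = demo()
    ranked = sorted(range(256), key=lambda k: -scores[k])[:3]
    print("recovered key:", k_hat)
    print("top-3 (k, rho):", [(k, round(scores[k], 3)) for k in ranked])
```

One caveat for anyone reproducing FIG. 10B with a toy model like this one: a bit permutation applied identically to every S-box entry does not change the Hamming weight of any output, so the pure HW-of-S-box-output model above would not, by itself, be decorrelated by the dynamic substitution layer. The figures reflect the complete dynamically configured circuit (substitution and diffusion layers, register transitions), not this single-value leakage model.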
[0055] Although the present invention has been illustrated in the context of block ciphers, it also applies to stream ciphers. Unlike block ciphers, stream ciphers encrypt each bit of the plaintext individually by adding to it a bit of a keystream. A distinction is generally made between synchronous stream ciphers, in which the keystream is independent of the message to be encrypted, and self-synchronizing (asynchronous) stream ciphers, in which the keystream is generated from the message to be encrypted by means of a feedback. FIG. 11 shows an example of stream encryption according to a second embodiment of the invention. The encryption method is implemented here using a linear feedback shift register (LFSR), 1110, and a finite state machine (FSM), 1180. The shift register is initialized by means of an initial value (here a 16-bit word) giving the contents of the shift register, and several stages of the shift register feed the finite state machine. The finite state machine comprises several registers R1, R2, R3 (here 32 bits in size) intended to store intermediate results. The operations ⊕ and ⊞ respectively denote addition in GF(2) (bitwise XOR) and addition of 32-bit words (written as addition in GF(2^32) in the source; in SNOW 3G, whose structure is followed here, this is integer addition modulo 2^32).
[0056] The word contained in register R1 is subjected to a first substitution operation 1122_1 and a first diffusion operation 1123_1. The word contained in register R2 is subjected to a second substitution operation 1122_2 and a second diffusion operation 1123_2. Each substitution operation uses a corresponding substitution table and each diffusion operation uses a corresponding diffusion matrix. An output of the finite state machine and the output of the shift register are summed to generate the keystream.
[0057] The bits of the keystream, k_t, are added at 1190 to the bits of the message to be encrypted, b_t, to give the bits of the encrypted message, c_t. This type of stream cipher is used by the standard SNOW 3G algorithm. However, as in the first embodiment, the substitution and diffusion layers are here configured dynamically by means of a control parameter, h. This control parameter is generated by performing a non-invertible transformation, 1140, for example a hash operation, on the combination of a secret key and the output of a counter, 1130, as previously described. The counter is incremented at least once between two plaintext messages. The control parameter dynamically configures the substitution layers 1122_1, 1122_2 and the diffusion layers 1123_1, 1123_2. More specifically, each substitution layer is configured by applying an identical bit permutation to each element of a static substitution table, the permutation vector being obtained from a first part of the control parameter.
[0058] Each diffusion layer is configured by applying a permutation to the elements of the diffusion matrix, this permutation being obtained from a second part of the control parameter. Decryption of a message encrypted with the method illustrated in FIG. 11 is performed identically to encryption. In other words, the keystream is generated exactly as for encryption, with in particular the same shift register, the same finite state machine and the same control of the substitution and diffusion layers. Adding the bits of the encrypted message to the corresponding bits of the keystream restores the plaintext message.
Claims (17)
[0001]
1. Symmetric encryption method for plaintext messages using a secret key, the encryption method implementing at least one substitution layer (422_i, 1122_i) using a substitution table and a diffusion layer (423_i, 1123_i) using a diffusion matrix, characterized in that: a counter (430, 1130) is initialized with a seed and said counter is incremented at least once between the encryption of two successive plaintext messages; a non-invertible transformation (440, 1140) is performed on a combination of said secret key with an output word of said counter to generate a control parameter; the substitution layer (421_i, 1121_i) and/or the diffusion layer (422_i, 1122_i) are configured (450, 1150) by means of the control parameter, the configuration of the substitution layer resulting in an identical permutation of the bits of each element of the substitution table and the configuration of the diffusion layer resulting in a permutation of the elements of the diffusion matrix.
[0002]
2. Symmetric encryption method according to claim 1, characterized in that it performs a block cipher, each block being subjected to a plurality N_r of encryption rounds (420), each encryption round comprising a substitution layer (421_i) and a diffusion layer (422_i), and in that the substitution layer and the diffusion layer of each encryption round are controlled by the control parameter.
[0003]
3. Symmetric encryption method according to claim 2, characterized in that a first part and a second part of the corresponding control parameter are extracted, and the substitution layer and the diffusion layer are respectively configured by means of the first part and the second part thus extracted.
[0004]
4. Symmetric encryption method according to claim 2, characterized in that a first permutation vector (Ind) is generated from said first part (RS) of the control parameter, and the bits of each element of a static substitution table are permuted using said first permutation vector, to generate a dynamic substitution table dependent on said control parameter.
[0005]
5. Symmetric encryption method according to claim 4, characterized in that the first permutation vector is generated by dividing the first part of the control parameter into a plurality of blocks (D_p), each block being stored in a control register (CR_p), and by performing a plurality (N_p) of permutation steps, each permutation step comprising a control of an input data register (DR_{p-1}) by a control register (CR_p) to store the elements of the input data register in an output data register (DR_p), said control consisting in storing elements of the input data register at a first end of the output data register if the bits corresponding to these elements in the control register have a first logic value, and in storing these same elements at a second end of the output data register if the bits corresponding to these same elements in the control register have a second logic value.
[0006]
6. Symmetric encryption method according to claim 3 or 4, characterized in that a second row permutation vector (RDR) and a second column permutation vector (RDC) are generated from the second part (RD) of the control parameter, and in that the rows and columns of a predetermined diffusion matrix (DM) are respectively permuted according to said second row and column permutation vectors, to generate a dynamic diffusion matrix (DDM) dependent on said control parameter.
[0007]
7. Symmetric encryption method according to claim 6, characterized in that the second row (IndR) and column (IndC) permutation vectors are respectively generated by dividing the second part of the control parameter into a first and a second word of the same size, the first and second words each being divided into a plurality of blocks (D_p).
[0008]
8. Symmetric encryption method according to claim 7, characterized in that each block of the first word, respectively of the second word, is stored in a control register (CR_p), and in that a plurality (N_p) of permutation steps is performed, each permutation step comprising a control of an input data register (DR_{p-1}) by a control register (CR_p) to store the elements of the input data register in an output data register (DR_p), said control consisting in storing elements of the input data register at a first end of the output data register if the bits corresponding to these elements in the control register have a first logic value, and in storing these same elements at a second end of the output data register if the bits corresponding to these same elements in the control register have a second logic value.
[0009]
9. Symmetric encryption method according to any one of claims 1 to 8, characterized in that the counter is incremented every Q_r = w·N_r encryption rounds, where w is the number of blocks in the plaintext message.
[0010]
10. Symmetric encryption method according to any one of claims 1 to 8, characterized in that the counter is incremented every Q_r < N_r encryption rounds, Q_r and N_r being coprime integers.
[0011]
11. Symmetric encryption method according to one of the preceding claims, characterized in that the combination of the secret key with the output word of the counter is a concatenation.
[0012]
12. Symmetric encryption method according to one of the preceding claims, characterized in that the non-invertible transformation comprises a hash operation.
[0013]
13. Symmetric encryption method according to claim 1, characterized in that it performs a stream encryption, each bit of the plaintext message being added (1190) to a corresponding bit of a keystream, the keystream being generated by a shift register (1110) coupled to a finite state machine (1180), the finite state machine comprising at least one substitution layer (1122_1, 1122_2) using a substitution table and a diffusion layer (1123_1, 1123_2) using a diffusion matrix, the substitution layer and/or the diffusion layer being controlled by means of a corresponding control parameter, the configuration of the substitution layer resulting in an identical permutation of the bits of each element of the substitution table and the configuration of the diffusion layer resulting in a permutation of the elements of the diffusion matrix.
[0014]
14. A computer program comprising program code instructions for performing the steps of the symmetric encryption method according to one of the preceding claims when said program is executed on a computer.
[0015]
15. A computer readable recording medium on which the computer program of claim 14 is recorded.
[0016]
16. A method of decrypting a message encrypted by means of the symmetric encryption method according to claim 2, characterized in that it implements at least one second substitution layer using a second substitution table and a second diffusion layer using a second diffusion matrix, the decryption method comprising the following steps: a second counter is initialized with the same seed as that used for encryption and said counter is incremented from the same initial value and at the same frequency as for encryption; the same non-invertible transformation is performed on the same combination of the secret key used for encryption with the output word of said counter; the same control parameter as for encryption is generated from the result of said non-invertible transformation; the second substitution layer and/or the second diffusion layer are configured by means of the corresponding control parameter, the configuration of the second substitution layer resulting in a permutation of the bits of each element of the second substitution table that is the inverse of the permutation used for encryption, and the configuration of the second diffusion layer resulting in a permutation of the elements of the diffusion matrix that is the inverse of the permutation used for encryption.
[0017]
17. A method of decrypting a message encrypted using the symmetric encryption method of claim 13, wherein each bit of the encrypted message is added to a corresponding bit of the same keystream as that generated during encryption, the keystream being generated by means of a second shift register coupled to a second finite state machine, the second finite state machine comprising at least a second substitution layer using the same substitution table as that used for encryption and a diffusion layer using the same diffusion matrix as that used for encryption, each substitution layer and/or each diffusion layer being controlled by means of a corresponding control parameter, the configuration of the substitution layer resulting in a permutation of the bits of each element of the substitution table identical to that used during encryption, and the configuration of the diffusion layer resulting in a permutation of the elements of the diffusion matrix identical to that used during encryption.
Similar technologies:
Publication number | Publication date | Title
EP3228043B1|2019-10-02|Method of encryption with dynamic diffusion and confusion layers
EP1379023B1|2007-05-30|En- and Decryption Method executed by an integrated Circuit masking a nonlinear transformation as the SUBBYTE operation
FR2873523A1|2006-01-27|METHOD AND DEVICE FOR PERFORMING A CRYPTOGRAPHIC CALCULATION
EP2232765A2|2010-09-29|Method and entity for probabilistic symmetrical encryption
EP1455478A1|2004-09-08|Method for the encryption of an N-digit word
EP2893431B1|2016-11-02|Protection against side channel attacks
EP3211823B1|2018-01-03|Method for confidential execution of a program operating on data encrypted by means of homomorphic encryption
WO2008148784A2|2008-12-11|Cryptographic methods and devices for the pseudo-random generation of data encryption and cryptographic hashing of a message
EP2166696B1|2016-10-05|protection of encrypted data Integrity using an intermediatecipher state to generate a signature
EP3139365A1|2017-03-08|Verification of the resistance of an electronic circuit to covert channel attacks
EP3139363B1|2019-04-17|Protection of a rijndael algorithm
EP2499773B1|2016-02-17|Low-complexity electronic circuit protected by customized masking
FR2858731A1|2005-02-11|ENCRYPTION METHOD AND APPARATUS
EP2296307B1|2018-11-07|Cryptographic data processing method secured against side-channel attacks
EP3139364B1|2018-01-17|Dpa protection of a rijndael algorithm
EP3493458A1|2019-06-05|Method and system for encryption/decryption of data with greatly reduced latency for the purpose of storage and/or communication of secure data
Subbulakshmi et al.2018|Enhanced SPK Encryption Algorithm for File Encryption Using Java
Huynh2020|Design and Analysis of Lightweight Encryption Schemes
FR2949887A1|2011-03-11|METHOD FOR CRYPTOGRAPHIC DATA PROCESSING
Lambooij et al.2017|Cryptanalysis of Simon et al.
WO2009068658A1|2009-06-04|Methods and devices for encrypting and decrypting a data message with random secret key
FR2909498A1|2008-06-06|MULTIPLE LENGTH DATA COMPRESSION FUNCTION USING SINGLE LENGTH INTERNAL FUNCTIONS
EP2173056A1|2010-04-07|Method for countermeasure in an electronic component using a secret key algorithm
WO2009030857A2|2009-03-12|Generator and method of generating a secret-key pseudo-random function
Cho2007|New Results on Cryptanalysis of Stream Ciphers
Family patents:
Publication number | Publication date
US20170366339A1|2017-12-21|
US10903978B2|2021-01-26|
EP3228043B1|2019-10-02|
EP3228043A1|2017-10-11|
WO2016087520A1|2016-06-09|
FR3029719B1|2017-12-22|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Title
US20100303229A1|2009-05-27|2010-12-02|Unruh Gregory|Modified counter mode encryption|
Citing documents:
Publication number | Filing date | Publication date | Applicant | Title
US10171234B2|2015-12-16|2019-01-01|Nxp B.V.|Wide encoding of intermediate values within a white-box implementation|
US10333906B2|2017-03-30|2019-06-25|Bank Of America Corporation|Network communication decoder using key pattern encryption|
CN110785960A|2017-06-27|2020-02-11|三菱电机株式会社|Code generation device, code generation method, and code generation program|
US11165758B2|2018-04-09|2021-11-02|International Business Machines Corporation|Keystream generation using media data|
Legal status:
2015-12-31| PLFP| Fee payment|Year of fee payment: 2 |
2016-06-10| PLSC| Publication of the preliminary search report|Effective date: 20160610 |
2016-12-29| PLFP| Fee payment|Year of fee payment: 3 |
2018-01-02| PLFP| Fee payment|Year of fee payment: 4 |
2019-12-31| PLFP| Fee payment|Year of fee payment: 6 |
2021-09-10| ST| Notification of lapse|Effective date: 20210806 |
Priority:
Application number | Publication number | Filing date | Priority date | Title
FR1461917A|FR3029719B1|2014-12-04|2014-12-04|ENCRYPTION METHOD WITH DYNAMIC CONFUSION AND DIFFUSION LAYERS|
PCT/EP2015/078372| WO2016087520A1|2014-12-04|2015-12-02|Method of encryption with dynamic diffusion and confusion layers|
US15/532,358| US10903978B2|2014-12-04|2015-12-02|Method of encryption with dynamic diffusion and confusion layers|
EP15804450.3A| EP3228043B1|2014-12-04|2015-12-02|Method of encryption with dynamic diffusion and confusion layers|