RU2738321C1 - Cryptographic transformation method and device for its implementation - Google Patents

Abstract

FIELD: computer equipment.

SUBSTANCE: disclosed is a cryptographic transformation method for processing a large array, packets or data streams based on a software-hardware implementation in a microprocessor of AES block coding algorithm, including conversion of initial data into structure S consisting of 16-byte blocks, with its subsequent conversion over multiple rounds of reversible transformations, performed cyclically and including sequentially executable steps of forming (KeySchedule) of round encryption keys by nonlinear expansion of secret key of AES cipher, transforming the structure S by substituting (substituting) each byte of the structure using the generated substitution table SBOX (SubBytes), followed by transforming the structure S by shifting the rows and mixing the columns, as well as conversion by adding a round key on each round, characterized by that the additional source key of Kr0 mode is pre-installed and the original AES cipher is complemented by a conjugate transformation, depending on Kr additional mode 128-bit key, which is generated from Kr0 mode source key using two-step conversion with parameters of deceleration degree of program calculations of mode key on processors of general purpose (CPU) on the basis of input data, by serial formation in cycle with preset number of rounds of cycle Nc, array of intermediate mode keys mKrc=(σ1(mKrc−1)), where c=1...Nc is next step of cycle, σ1—first deceleration transformation, and mKr0=Kr0, with subsequent formation of array of actual mode keys aKrc=σ2(mKrc), where c=0...Nc is next cycle step, and σ2 is a second deceleration transformation, based on the original data using a function based on the Frobenius transformation, wherein from each aKrc further conversion is performed, which is specified by matrix and transfer vector, after which combination of constructed transforms is used, which forms mode key of Kr, and SBOX generation is performed by conjugate transformation, depending on mode key, applied to transformation of SubBytes of original AES for generation of SBOX, based on function belonging to family of bijective hard-to-invertible functions, and built on affine transformation, applied to the function of generating S-blocks used in the original AES algorithm.

EFFECT: technical result consists in improvement of protection against software decryption of a data stream coming with large bitrates, on general-purpose microprocessors for embedded devices, including with known encryption key, as a result of application of AES conversion extensions, which depend on additional mode key and changing function of SBOX generation, with SBOX dependence on mode key and deceleration of software implementation, as well as in expansion of known technical means due to said technical solutions.

9 cl, 4 dwg

Description

Purpose and scope

The group of inventions relates to the development, production, operation and modernization of means of cryptographic protection of information in information processing systems for various purposes, including for the protection of HD and 4K video content.

Prior art

Known methods of iterative cryptographic transformation (encryption) of messages of fixed length, presented in digital form, namely in the form of binary data, performed using a secret key, for example, a method implemented in the form of a block cipher algorithm AES (Advanced Encryption Standard) [1].

As follows from the publication [1], cryptographic transformations based on AES block cipher include two modes of use: encryption and decryption. At the same time, when constructing encryption algorithms and their practical implementation, round functions are used, consisting of a sequence of certain actions (data transformations). The main purpose of these transformations is to make the cipher resistant to various types of attacks, on the basis of which it is possible to find out the encryption key, i.e. completely compromise the cryptosystem. Thus, for any mode of use, round encryption keys are generated, calculated using a secret key, and messages of a fixed length are transformed by sequentially performing reversible linear and non-linear operations on them and by bit-wise summing of the message with round keys. Permutation of message bytes and multiplication of the message by a fixed matrix are used as linear operations. Byte substitution operations are used as nonlinear operations. In the encryption step, after each nonlinear transformation, a linear transformation is applied. At the decryption stage, inverse transformations are used, which are applied in reverse order: after each linear transformation, a nonlinear transformation follows.

As you know, one of the important properties of ciphers, including those implemented on the basis of AES, is their resistance to linear and differential cryptanalysis. One of the tools underlying the AES encryption algorithm to resist these types of analysis is data transformation on SBOX substitution blocks, which has non-linear properties. Methods for generating SBOX, as well as their security, are currently devoted to many different works, including those that received further protection as inventions.

Known works [2], which consider the generation of SBOX depending on a certain key and consider the cryptographic properties of the generated SBOX. At the same time, in these works, the goal is not to slow down the software implementation, but on the contrary, the method of generating SBOX, depending on the key, is chosen, which minimally affects the performance. This is achieved by calculating the key-based shift amount (XOR of all bytes of the round key) and performing SBOX shifts of the original AES algorithm by that amount. This method also assumes that the properties of the original SBOX that affect the cryptographic strength of the AES cipher are preserved when the SBOX is shifted.

At the same time, the encryption methods and transformations on the basis of which they are built are also required to be efficiently implemented in the hardware units of the devices that carry them out.

From the publication [3], SBOX construction schemes are known, which are efficient from the point of view of implementation in a hardware unit and which are resistant to cryptanalysis through side channels. Increased security is achieved through the use of a threshold scheme for the implementation of SBOX, and avoids data leakage to SBOX through side channels.

In the patent publication [4] of the US application for the invention, a method and device is disclosed that implement protection of internal AES states (data between rounds) through the combined use of software and hardware processing units. The solution of the encryption method disclosed in the publication at least includes the following transformation steps: containing the transformation of the initial data into a structure S consisting of 16-byte blocks, followed by its transformation over a set of rounds of reversible transformations performed cyclically and including sequentially executed stages of forming (KeySchedule) round encryption keys by nonlinear expansion of the secret key of the AES cipher, transforming the structure S by replacing (substituting) each byte of the structure using the generated SBOX substitution table (SubBytes), with subsequent transformations of the structure S by shifting rows and shuffling columns, as well as transformations by adding a round key at each round. At the same time, a device that implements the encryption method disclosed in the publication at least includes an AES conversion scheme implemented in firmware based on a programmable microprocessor containing at least an AES encryption key expansion unit generating round AES cipher keys based on AES key connected to the input of the block that implements the preliminary round of AES by performing the function of addition with the first round key of the initial data array in the form of a structure S consisting of 16-byte blocks arriving at the first input of the block that implements the preliminary round of AES, and its output connected to the input of a block that implements round operations consisting of blocks of nonlinear transformation SBOX; shifting rows of a state matrix formed from 16 data blocks; mixing columns of the state matrix; addition functions with the next round key, connected in series with the final round unit, coupled with the data memory unit and the key memory unit. Software processing uses special additional transformations to protect states (removal function and a protection function), hardware processing contains fewer instructions and does not add extra. transformations (i.e., in fact, this is a cryptoaccelerator of a round of ordinary AES) and does not distort the used transformations in the program block. Transformations are based on special properties of SBOX (SubBytes operations) - conjugacy classes. Additional lookup tables are built based on these properties, which are used to hide the input / output of the original SBOX table. The circuit is efficient in terms of performance by combining software and hardware blocks. This patent relates to data protection in white-box cryptography.

However, all the above-mentioned analogs do not allow for the implementation of the encryption method and device (cryptographic transformations), which have a much more complex software implementation of the encryption algorithm, which requires significantly more time and money for cryptanalysis of data, while maintaining a simple hardware implementation of the cipher and the ability to protect against software decryption of data arriving at high bitrates.

Moreover, since the time and money spent on cryptanalysis depend on the key length and the complexity of the encryption algorithm, all of the above analogs to protect against software decryption of data arriving at high bitrates require significant complication not only of the software implementation of the encryption algorithm, but also of its hardware implementation, which limits the application of these solutions, including for the protection of HD and 4K video content.

Thus, the disadvantages of the above known solutions include the impossibility of implementing the method of cryptographic transformations (encryption) and devices for its implementation, which provide a much more complex software implementation of the encryption algorithm, with an increase in the time and funds spent on cryptanalysis of information, while maintaining a simple hardware implementation of the cipher and the ability to protect against software decryption of data arriving at high bitrates.

The essence of the claimed invention.

The technical problem (problem) to be solved by the claimed group of inventions consists in eliminating the aforementioned drawbacks of the solutions known from the prior art and proposing a method for cryptographic transformation (in particular, encryption) and a device for its implementation, which provide an increase in the time and money spent on cryptanalysis of encrypted data, while maintaining a simple hardware implementation of the encryption algorithm and the required performance when processing a data stream arriving at high speeds, in particular, such as HD video, 4K video)

The technical result achieved by the claimed group of inventions is to improve the reliability of protection against software decryption of a data stream arriving with high bitrates on general-purpose microprocessors for embedded devices, including, with a known encryption key, as a result of the use of AES conversion extensions that depend on an additional mode key and changing the SBOX generation function, ensuring the dependence of SBOX on the mode key and slowing down the software implementation, as well as expanding the arsenal of known technical means due to the above technical solutions.

The claimed technical result is achieved by using a method of cryptographic transformation for processing a large array, packets or data streams, based on the software and hardware implementation in the microprocessor, the AES block cipher algorithm, containing the transformation of the initial data into a structure S, consisting of 16-byte blocks, with its subsequent transformation over a set of rounds of reversible transformations performed cyclically and including sequentially performed steps of forming (KeySchedule) round encryption keys by nonlinear expansion of the secret key of the AES cipher, transforming structure S by replacing (substitution) each byte of the structure using the generated SBOX substitution table (SubBytes), with subsequent transformations structures S by shifting rows and mixing columns, as well as transformations by adding a round key at each round, characterized by the fact that they introduce an additional initial key of the Kr0 mode and supplement the original w ifr AES by conjugate transformation, depending on an additional 128-bit mode key Kr, which is generated from the original mode key Kr0 using a two-stage transformation with parameters of the degree of deceleration of software computations of the mode key on general-purpose processors (CPUs) based on input data, by sequential formation in loop with the number of rounds Nc, an array of intermediate keys of the mKr mode_from= (σ1 (mKr_c-1)), where с = 1 ... Nc is the next step of the cycle, σ1 Is the first deceleration transformation, and mKr₀= Kr0, with the subsequent formation of an array of actual keys of the aKr mode_c = σ2 (mKr_c), where с = 0 ... Nc is the next step of the cycle, and σ2 - second deceleration transformation, from each aKr_from a transformation is constructed, which is specified by the matrix and the transfer vector, after which a combination of the constructed transformations is used, which forms the Kr mode key, and the SBOX generation is carried out by the conjugate transformation depending on the mode key applied to the SubBytes transformation of the original AES to generate the SBOX.

In a preferred embodiment of the invention, the SBOX is generated by a transform based on a function belonging to the family of bijective hard-to-reversible functions and based on an affine transform applied to the S-box generation function used in the original AES algorithm. Moreover, in one embodiment, when the mode key is set to zero, an SBOX is obtained that is identical to the original AES cipher.

In a possible embodiment of the claimed invention, a function based on the Frobenius transform is preferably used to generate an array of actual mode keys aKr based on the original data. Preferably, functions based on the Frobenius transformation performed in different Galois fields are used to generate an array of actual keys aKr, where σ1 is the Frobenius transformation (automorphism) in the polynomial ring factorized on the field GF (2 ¹²⁷ ), and σ2 is the transformation (automorphism) Frobenius in the ring of polynomials factorizable on the field GF (2 ¹²⁸ ). In this case, the function for generating the array of actual keys is also preferably parameterized with a number that makes it possible to vary the number of rounds of the cycle, with the ability to adapt the algorithm to the clock frequency of the device on which the hardware implementation of the algorithm is performed.

In another possible embodiment of the claimed invention, for any implementation of the claimed encryption method in the process of generating the actual mode key, all data calculated at each round of the cycle is used in the final transformation, the result of which is the mode key. In doing so, transformations to generate the SBOX and the actual mode key can be applied for each 16-byte block of input data or each round of AES performed during the processing of a 16-byte block of data.

The claimed technical result is also achieved by using a cryptographic transformation device for processing a large array, packets or data streams, based on the hardware and software implementation in the microprocessor of the AES block cipher algorithm, including at least an AES encryption key expansion unit, made with the possibility of generating round AES cipher keys based on the AES key, connected to one of the inputs of the block that implements the preliminary round of AES, made with the possibility of implementing the function of adding the array of initial data in the form of a structure S, consisting of 16-byte blocks, with the first round key of the encryption key expansion block , while the output of the block of the preliminary round of AES is connected to the input of the block that implements the round operations, including the series-connected blocks: nonlinear transformation SBOX; shifting the rows of the state matrix formed from the bytes of the data block; mixing columns of the state matrix; addition functions with the next round AES key; sequentially paired with the block of the final round, coupled with blocks of data memory and encryption keys, characterized in that it additionally includes at least a block that implements SBOX transformations according to the method in accordance with claim 1 of the formula, made with the possibility of complementing the AES cipher conjugate transformation, depending on the additional 128-bit mode key Kr and slowing down the software computations of the mode key on general-purpose processors (CPUs) based on input data, which includes a series-connected block for forming an array of actual keys of mode aKr from the original key of mode Kr0, the parameter of which is the number rounds of the cycle Nc, formed by the master block Nc, the output of which is connected to one of the inputs of the block for forming the array of actual keys 12, and the block for forming the SBOX cipher from the array of actual keys aKr, made with the possibility of forming the SBOX by conjugate transformation depending on the mode key and depending on the choice of the operating mode of the device set by the mode master unit, the output of which is connected to one of the inputs of the SBOX forming unit, while the output of the unit that implements the SBOX transformation is connected to the input of the storage unit formed by the conjugate transformation of the SBOX replacement unit connected to one of inputs of the block of nonlinear transformation SBOX, providing the possibility of data transfer of the block of substitutions SBOX ..

In one of the possible embodiments of the claimed device, the unit 10 of the device that implements the described method is a software and hardware module in the composition, implemented in software and hardware based on a microprocessor, a block for generating an array of intermediate keys of the mKr mode, based on the cyclic application of the Frobenius transform in GF (2 ¹²⁷ ) and storing the result in a serially connected block of registers, the output of which is fed to the input of the current key generation unit, which is a static combinational circuit integrated into the SBOX replacement block generation circuit, forming a single block in the form of a combinational circuit that implements the transformation Frobenius in GF (2 ¹²⁸ ), with the formation of an array of 128-bit actual keys of the aKr mode, while the output of the block for generating actual keys is serially connected to the block for generating SBOX cipher, which provides hardware and software implementation of the SBOX generation function based on m assimilation of the current mode keys. In this case, in another possible embodiment, the block for generating the SBOX cipher can be made with the possibility of generating various substitution tables, each of which is used in the next round.

The claimed encryption method and device for its implementation can be implemented in software and hardware on a computer or other programmable devices, including under the control of programmable processors, microprocessors, as a method implemented by a programmable processor, or in dedicated hardware, or in a combination of the above.

In the prior art, no close analogs (prototype) have been identified that provide a solution to the claimed technical problem and achieve the claimed technical result by the specified method and hardware implementation.

Brief description of graphic materials:

The claimed group of inventions is illustrated by the following graphic materials:

1 is a diagram of the SubBytes operation of the encryption algorithm according to the claimed encryption method;

Fig. 2 is a block diagram of an encryption device according to the claimed invention;

Fig. 3 is a block diagram of a block that implements the SBOX transformation, according to the claimed group of inventions

4 is a block diagram of a data stream processing apparatus including a key generator Kr0 of Kr_seed.

It should be noted that the accompanying graphic materials illustrate only some of the most preferred embodiments of the group of inventions and cannot be considered as limiting their content, which obviously includes other embodiments.

Feasibility of the invention.

According to the graphical materials presented in Figs. 1-4, the claimed group of inventions provides the construction of AES transform extensions that depend on the additional key, as well as the construction of transformations that introduce significant delays in software computations of the additional key on general-purpose processors (CPUs), but easily implemented in combinational microcircuits. This property (slow software implementation of the algorithm) remains even with a known encryption key and a known additional key.

The claimed solution uses AES (Rijndael) as the basic encryption algorithm. This algorithm has a fixed list of data block transformations and is simple in both software and hardware implementation, which makes it possible to achieve high data processing speeds at the hardware and software levels.

In the proposed method and device that implements the encryption of a data stream with high bitrates, two additional operations are used that distinguish it from the original AES known from the prior art:

- addition of the original AES cipher with a specialized transformation, which allows you to change the SBOX generation function, which makes the SBOX dependent on an additional 128-bit key (hereinafter referred to as the mode key);

- the use of an additional specialized algorithm with a parameter of the degree of deceleration, which, based on the input data sampled and preset in the processor's memory, generates the mode key used to generate the SBOX and is the main one for decelerating the software implementation.

At the same time, the above specialized transformation used in the SBOX generation is based on a function belonging to the family of bijective hard-to-reversible functions and is based on the affine transformation applied to the S-box generation function (SBOX) used in the original AES encryption algorithm. This approach allows you to preserve the SBOX properties of the original AES, and also allows you to obtain an SBOX identical to the original AES when the mode key is set to zero.

For the purpose of slowing down the software implementation of the AES-based cipher while maintaining an efficient (simple) hardware implementation, the proposed invention uses SBOX generation depending on the additional mode key, for which it is proposed to use the conjugate transformation applied to the SubBytes transformation of the original AES to generate the SBOX. as well as a specialized transformation that forms the SBOX generation key (hereinafter, the Kr mode key) from the initial (input) mode key Kr0. As the above specialized transform, a function based on the Frobenius transform is used. In this case, the function is parameterized with a number that allows you to vary the number of rounds of the generation cycle of the array of actual keys of the aKr mode used to generate the Kr mode key. This parameterization allows the algorithm to be adapted to the clock frequency of the device on which the hardware implementation of the algorithm is performed. Since all the data calculated at each round of the cycle is used in the final transformation, which results in the mode key, the algorithm for generating the current mode key is constructed in such a way that it cannot be parallelized. Thus, in total, the calculation of the SBOX substitution table for processing each data block is the main waste of time in the software implementation, while, due to the properties of the selected transformations, the hardware implementation can be performed efficiently both for the function of calculating the mode key and for constructing an SBOX based on it. ... This function is the main one for slowing down the software implementation.

The above transformations for generating S-boxes and the actual mode key can be applied for each 16-byte block of input data or for each round of AES performed during the processing of a 16-byte block of data, which allows how to obtain the required performance delay in the software implementation of the algorithm and ensure the cryptographic strength and confidentiality of data.

The number of rounds of the conversion cycle is determined by the Nc parameter, which allows choosing the optimal ratio of the complexity of software and hardware implementations at a given clock frequency of the microprocessor.

The construction of a transformation that changes SBOX depending on the key according to the claimed invention is generally carried out as follows:

1. An additional 128-bit additional key of the Kr mode is introduced, which can be represented as a 2-cell matrix Kr = (A | B), where A and B are the sum (L + D + U), where L is the lower left triangular matrix with zero diagonals, D - diagonal matrix, U - upper right triangular matrix with zero diagonals;

2. Synthesize an invertible matrix M = (L + E) (E + U), where E is an 8x8-bit identity matrix, as well as an 8-bit carry vector t;

3. Form an affine transformation T: T (b) = M * b + t space F ₂ ⁸ , represented by the substitution T on the set {0..255} of byte values. The substitution T • S • T ^-1 , coupled with the substitution S of the original S-box (SBOX), yields a clone of the AES cipher with a dependence on an additional 64-bit key, which corresponds to one mode key submatrix.

для зашифрования, и как

для расшифрования, где:4. To use a 128-bit key, a two-way modification of the substitutions is formed: Tleft ^-1 • S • Tright (when encrypted) and Tright ^-1 • S ^-1 • Tleft (when decrypting), i.e. use different affine transformations synthesized from the halves of the mode key (submatrices A and B), which can be written for simplicity as:

for encryption, and how

for decryption, where:

и

- преобразования, построенные на подматрице Ас ключа режима Kr;

and

- transformations built on the submatrix Ac of the Kr mode key;

и

- преобразования, построенные на подматрице Вс ключа режима Kr;

and

- transformations built on the submatrix Bc of the key of the Kr mode;

S - sbox (x), conversion of the original AES algorithm.

Obviously, the above transformation has the following property: if the mode key is zero, this transformation will coincide with the original transformation S of the original AES algorithm.

For the practical implementation of the claimed encryption method, it is necessary to carry out two sequentially performed stages:

Stage 1 - construction of a transformation for calculating the actual keys of the aKr mode based on the initial Kr0,

Stage 2 - construction of the final transformation, SBOX, of the declared encryption method, based on the array of actual keys of the aKr mode.

These stages are carried out as follows:

Stage 1. Transformation for calculating the actual keys of the aKr mode based on the initial Kr0:

1. On the basis of the initial mode key Kr0, an array of actual mode keys aKr _с is formed in the cycle, where с = 0 ... Nc is the next step of the cycle, and Nc is the number of rounds of the cycle. In this case, the following transformations are performed:

a) the next intermediate mode key is calculated mKr _c = (σ1 (mKr _c-1 )), where σ1 is the Frobenius transformation (automorphism) in the polynomial ring factorizable on the field GF (2 ¹²⁷ ) (block 1, Fig. 3), i.e. .e. σ1 (x) = x ² in GF (2 ¹²⁷ ), and the initial value of the intermediate key mKr ₀ = Kr0 for c = 0 is set, then mKr _{c is} determined at each step of the cycle for c = 1 ... Nc.

b) the next actual key of the mode aKrc = σ2 (mKrc) is calculated, where c is the next step of the cycle (c = 0 ... Nc), and σ2 is the Frobenius transformation (automorphism) in the polynomial ring factorizable on the field GF (2 ¹²⁸ ), m .e. σ2 (x) = x ² in GF (2 ¹²⁸ ).

Stage 2. Construction of the final transformation - SBOX cipher based on the keys aKr.

1. For the actual array aKr mode key _c, where c = 0 ... Nc, the construction of the array operate affine transformations T _c, where T _c each transformation is constructed by the above described method of constructing conversion SBOX changing depending on the key: T _from: T (b) = M * b + t of the space F ₂ ⁸ .

2. The transformations are combined with each other as follows:

– составные отображения пространства F₂ ⁸

- composite maps of the space F ₂ ⁸

– их обратные отображения.

- their inverse mappings.

3. Generation (formation) of SBOX is carried out, parameterized by the 128-bit initial key of the Kr0 mode and the number of rounds of the deceleration cycle Nc, depending on the array of the actual keys of the aKr mode _c , c = 0..Nc, as:

для зашифрования, и SBOX^-1=

для расшифрования, где S – исходное преобразование алгоритма AES.SBOX =

for encryption, and SBOX ^-1 =

for decryption, where S is the original transformation of the AES algorithm.

The described method of cryptographic transformation (encryption) based on a modification of the basic AES algorithm is presented in the block diagram of Fig. 1, which reflects the procedure for performing the SubBytes transformation according to the claimed method of cryptographic transformation, taking into account that the remaining operations of the round of the AES algorithm, as well as the key calculation schemes encryptions for each round of AES (key schedule) remain unchanged.

According to the presented block diagram (figure 1) as input data for the implementation of the claimed encryption method are used:

• Operating mode: encryption / decryption (E / D)

• Original 128-bit mode key Kr0

• Processed, input, data (InState)

The output of the algorithm is the data converted by the cipher (OutState).

More clearly, the claimed group of inventions can be considered on the example of the organization of the encryption device, according to the claimed invention, and the order of its operation. In particular, the schematic solutions of FIGS. 2-4 show examples of the feasibility of the claimed solution.

The claimed technical result is achieved by a device that implements the indicated transformations as part of the AES encoder. The block that generates the array of actual mode keys aKr and the block that implements the SBOX calculation based on the mode keys are embedded in the encryption device shown in the block diagram of FIG. In particular, according to the presented block diagram, the device for implementing the claimed encryption method includes:

• block 10 that implements the claimed method, consisting of: block 12 for generating an array of actual keys of the aKr mode from the initial key Kr0 (11), the parameter of which is the number of cycle rounds (Nc) generated by the master block 60, and block 13 for generating the SBOX cipher from the keys aKr, depending on the mode of operation - encryption or decryption, specified by block 61 modes (Mode). The Nc parameter can be set in software and hardware, depending on the required degree of slowdown and the resources of the hardware unit that implements the declared encryption algorithm.

• Expansion unit (Key schedule) 20 keys 21 Kaes encryption (AES key), generating round 22 keys of the AES cipher: subkey1 ... subkey11 based on the AES key (21)

• A block that implements the preliminary 30 round of AES (ADDRoundKey), consisting of block 31 that implements the addition function with the first round key, represented as an exclusive-or (XOR) operation

• Block 40, which implements round operations, consisting of serially connected:

• block 41 of nonlinear transformation SBOX (SubBytes), formed on the basis of the claimed method of forming SBOX, implemented in block 10,

• block 42 shifting rows of the state matrix formed from 16 data blocks,

• block 43 mixing columns of the state matrix

• block 44 of the addition function with the next round key, represented as an operation "exclusive or" (XOR)

• block 50 of the final round, consisting of three consecutively connected blocks, implementing the following 3 operations in succession:

• nonlinear transformation SBOX (block SubBytes, similar to block 41), formed on the basis of the claimed encryption method, implemented in block (10),

• shift of the rows of the state matrix formed from 16 data blocks (ShiftRows block, similar to block 42),

• addition function with the last round key (AddRoundKey block, similar to block 44), represented as an exclusive or (XOR) operation.

The input values for the device are: the encryption key Kaes (block 21 (AES key)), the initial mode key Kr0 generated by block 11, the operation mode (encryption / decryption) defined by the mode block 61, 16-byte data block 100 (Plain data block ) to be processed. The output data is a converted 16-byte block, represented in the diagram of FIG. 2 as an EDB (Encrypted data block) output data block 101.

As a result of performing the above sequence of actions in the device, a data encryption operation is performed, during which the original data block 100 is encrypted using the inventive cryptographic conversion method.

As follows from the presented block diagram of the claimed device (Fig. 2), the AES encryption key expansion unit 20, generating (generating) round AES cipher keys 22 based on the AES key 21, is made connected to the second input of the AES preliminary round 30 making it possible to perform the function of addition with the first round key of the initial data array in the form of a structure S consisting of 16-byte blocks arriving at the first input of the block 31 (AddRoundKey) of the preliminary round. The output of block 31 (AddRoundKey) of block 30 of the preliminary round is connected to the input of block 40, which implements round operations AES, consisting of: series-connected blocks 41 of non-linear transform SBOX; shifting rows of state matrix 42 formed from 16 data blocks; mixing columns 43 of the state matrix; addition function with the next round key 44, sequentially paired with the block 50 of the final round. At the same time, unit 10, which implements SBOX transformations according to the claimed encryption method, includes a series-connected unit 12 for forming (generating) an array of actual keys of the aKr mode from the original key Kr0 (11), the parameter of which is the number of cycles Nc arriving at the first input of unit 12 and block 13 for generating SBOX cipher from keys aKr and depending on the current mode of operation specified by block 61 of the mode, data about which is received at the first input of the module, while the output of block 10 is connected to the input of the storage module of the generated (generated) block of SBOX replacement, the data of which is received to the second input of block 41 of nonlinear transformation SBOX.

In this case, the unit 10 of the device that implements the described method is a software and hardware module (Fig. 3) in the composition, implemented in software and hardware based on a microprocessor, unit 1 for generating (forming) an array of intermediate keys of the mKr mode, based on cyclic use Frobenius transformation (σ1) into GF (2 ¹²⁷ ) and storing the result in a serially connected block of registers 2 used to configure the block for generating current mode keys. The data from the output of the block of registers 2 is fed to the input of the block 3 for generating (generating) actual keys, which is a static combinational circuit integrated into the circuit for generating (generating) block 4 of SBOX substitutions, forming a single block 5 in the form of a combinational circuit that implements the Frobenius transform ( σ2) in GF (2 ¹²⁸ ), with the formation of an array of 128-bit actual keys of the aKr mode. In this case, the output of the block for generating the actual keys is connected in series with the block 4 for forming the SBOX, which provides a software and hardware implementation of the function of forming the SBOX based on the array of actual mode keys.

The intermediate keys of the mKr _c mode, according to the claimed invention, in the microcircuit are sequentially (cycle by cycle) written into a matrix of Nc 128-bit registers, setting the static (combinational) logic circuit to the desired mode.

The complete sequence of the actual keys of the aKr _c mode is represented in the microcircuit only by the current state of the potentials of the intermediate connecting conductors, and not by the memory register. At the same time, due to the sequential calculation of the actual keys of the aKr _c mode (c = 0 ... Nc), for example, with the number of rounds of the cycle Nc = 20, the complete sequence of the actual keys of the aKr _c mode will exist in the microcircuit only for 1/3 of the working time of processing 16-byte block. The initial 2/3 of the time will be "spent" on the sequential preparation of a complete sequence of actual mode keys, spatially distributed in the microcircuit.

Since all reversible affine transformations of the space F ₂ ⁸ , implemented in blocks 3, 4, are expressed through two operations of the Zhegalkin algebra: "&" (and - multiplication) and "+" (XOR - addition of bits modulo 2), they can be realized combinational circuits based on these operations, which require no more than one processor cycle to perform the entire affine transformation. Software emulation of these transformations requires a number of clock cycles proportional to the number of logical operations.

Referring to the block diagrams of FIG. 2 and 3, modules and device blocks process a 16-byte block using one SBOX substitution table formed in the described manner. However, the device block can be configured to generate various substitution tables, in particular the generation of 11 substitution tables, each of which is used in the next round.

In a device that implements the inventive method for encrypting a large data array consisting of sequentially encrypted 16-byte blocks, the scheme for generating initial keys of the Kr0 mode for each data block based on the initial value Kr_seed, i.e. the key value, generated randomly, can also be applied. This scheme avoids excessive transmission of Kr0 in the stream and uses unique Kr0 values for each 16-byte data block.

A practical implementation of a method for processing a data stream, including a key generator Kr0 from Kr_seed, and a device for its implementation, are presented in a block diagram (Fig. 4). In this diagram, for clarity of the action of the above-disclosed method of cryptographic transformation and the device for its implementation, the operation of the device according to the claimed invention, operating in decryption mode, is presented, giving an idea of how the key generator uses the dependence on the block decrypted in the previous step, which, ultimately, allows you to avoid parallelization in software implementation, because the initial mode keys Kr0_i cannot be calculated in advance. In this case, Kr0_i indicates the processing not of a single data block, but of the next data packet, consisting of a sequence of 16-byte blocks, each of which is supplied with its own initial mode key, while i is the sequence number of the block in the data packet and the corresponding initial key regime.

The device in the block diagram (Fig. 4) consists of the following blocks and modules:

• generator 80 keys of the Kr0_i mode for processing each block of the packet 90 encrypted data, consisting of:

• block 81 of the AES cipher

• block 82 performing an exclusive OR (XOR) operation

• hardware and software module 70 implementing the claimed method for cryptographic transformation of a data block shown in detail in the block diagram of FIG. 2

The scheme of the device for decrypting the data sequence is implemented as follows.

The device is pre-configured to operate in the decryption mode and the number of rounds of the cycle Nc is set in the module for generating the current key of the mode aKr as part of the key generator 80 to provide the required degree of deceleration. The entrance is served:

• sequence of blocks of encrypted data Ei, i = 0 ... n;

• encryption key Kaes;

• the Kr_seed key;

• the initial value of InitValue, from which the keys Kr0_i are formed, where InitValue is some value, random (ideal case) or not random, but which changes quite often, used to generate different keys of the Kr0_0 mode for each 16-byte data packet block.

Generator 80 keys mode Kr0_i encrypts InitValue in the hardware unit AES 81 using the value Kr_seed as a key, thereby generating a key Kr0_0 for the first module 70 implementing the claimed method of cryptographic transformation. Next, the module 70 uses the key Kr0_0 obtained from the generator 80, the key Kaes and decrypts the data E0 (block 91), obtaining the decrypted data block 90 P0, which is stored in the output buffer of the device, and is also fed to the key generator (80) to calculate the next Kr0_i ...

Further, in a similar way, the key Kr0_1 is prepared and the data block E1 is decrypted by means of a module 71, similar to module 70, which implements the next stage of cryptographic transformation.

After that, the generator, starting from the third block E2, uses the operations AES (81) and XOR (82) with the key Kr_seed, the data P_i-2 decrypted in the previous step, and the previous mode key Kr0_i-1 for sequential calculation of Kr0_j, which, in turn , is transmitted to a block that implements the specified method to decrypt the next data E_j (in the block diagram of Fig. 4, all positions associated with blocks 71-73, 92, 93).

In general, the operation of the key generator Kr0_i can be described by the expressions:

• Kr0_0 = AES_enc (Kr_seed, InitValue)

• Kr0_1 = AES_enc (Kr_seed, Kr0_0)

• Kr0_i = AES_enc (Kr_seed, Kr0 _i-1 XOR P _i-2 ) for i = 2 ... n

Where:

• data_enc = AES_enc (key, data) - encryption operation of 'data' with the key 'key' using the AES-128 algorithm in the electronic code book (ECB) mode

• InitValue - some arbitrary (pseudo) random value

• n is the number of 16-byte blocks in the data sequence.

Obviously, the cryptographic transformation method implemented in the claimed group of inventions ensures the elimination of the parallelization process in the software implementation of the method.

The device algorithm described above is given for the ECB encryption mode and, obviously, can be extended to other modes: CBC and CTR.

Thus, the claimed method of cryptographic transformation and a device for its implementation, due to the use of an additional transformation that complicates the software implementation of the encryption algorithm, while maintaining a simple hardware implementation, makes it possible to achieve the set goal of protecting data from software decryption of data arriving with high bitrates on microprocessors without hardware support for a new transformation, even with a known encryption key.

This method and device can be used to protect HD and 4K video content: content can be decrypted and played back only on specialized microprocessors that support the algorithm, while on other microprocessors that are optimized for processing, decoding, decoding a video stream and only support standard algorithms in hardware, there will be insufficient processing power for software decryption of the video stream arriving in real time (on-line broadcast of the signal).

Information sources

1. National Institute of Standards and Technology, U.S. Department of Commerce. "Advanced Encryption Standard", Federal Information Processing Standards Publication 197, Washington, DC, November 2001.

2. Julia Juremi, Ramlan Mahmod, Salasiah Sulaiman, Jazrin Ramli. Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key / International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1 (3): 183-188 The Society of Digital Information and Wireless Communications (SDIWC) 2012 (ISSN: 2305- 0012)

3. Erik Boss, Vincent Grosso, Tim Guneysu, Gregor Leander, Amir Moradi, and Tobias Schneider. Strong 8-bit Sboxes with Efficient Masking in Hardware / IACR-CHES-2016, 22 Jun 2016

4. Farrugia et al. Patent No: US2015 / 0349951 A1. Protecting cryptographic operations using conugacy class functions.

Claims (9)

1. A method of cryptographic transformation for processing a large array, packets or data streams based on the hardware and software implementation in the microprocessor of the AES block cipher algorithm, including the transformation of the original data into a structure S, consisting of 16-byte blocks, followed by its transformation over a set of reversible rounds transformations performed cyclically and including sequentially executed stages of formation (KeySchedule) of round encryption keys by nonlinear expansion of the secret key of the AES cipher, transforming the structure S by replacing (substituting) each byte of the structure using the generated SBOX substitution table (SubBytes), with subsequent transformations of structure S by shifting the rows and mixing columns, as well as transformations by adding a round key at each round, characterized by the fact that they preset an additional initial key of the Kr0 mode and supplement the original AES cipher with a conjugate transformation depending on an additional 128-bit mode key Kr, which is generated from the original mode key Kr0 using a two-stage transformation with parameters of the degree of deceleration of software computations of the mode key on general-purpose processors (CPUs) based on input data, by sequentially forming in a loop with a preset number of rounds of the loop Nc , an array of intermediate mode keys mKrc = (σ1 (mKrc-1)), where c = 1 ... Nc is the next step of the cycle, σ1 is the first deceleration transformation, and mKr0 = Kr0, followed by the formation of an array of actual mode keys aKrc = σ2 (mKrc), where c = 0 ... Nc is the next step of the cycle, and σ2 is the second deceleration transformation, based on the initial data using a function based on the Frobenius transformation, and from each aKrc a transformation is then constructed, which is specified by the matrix and the transfer vector, then a combination of the constructed transformations is used, which forms the Kr mode key, and the SBOX is generated by the conjugate preo a mode key dependent transformation applied to the SubBytes transform of the original AES to generate SBOX, based on a function belonging to the family of bijective hard-to-reversible functions, and built on an affine transform applied to the S-box generation function used in the original AES algorithm. 2. A method according to claim 1, characterized in that when the mode key is set to zero, an SBOX identical to the original AES cipher is obtained. 3. The method according to claim 1, characterized in that functions based on the Frobenius transformation performed in different Galois fields are used to generate the array of actual keys aKr, where σ1 is the Frobenius transformation (automorphism) in the polynomial ring factorized on the field GF (2 ¹²⁷ ), and σ2 is the Frobenius transformation (automorphism) in the polynomial ring factorizable on the field GF (2 ¹²⁸ ). 4. The method according to claim 1, characterized in that the function for generating the array of actual keys is parameterized with a number that makes it possible to vary the number of rounds of the cycle, with the ability to adapt the algorithm to the clock frequency of the device on which the hardware implementation of the algorithm is performed. 5. The method according to any one of claims. 1-4, characterized in that during the generation of the current mode key, all the data calculated at each round of the cycle is used in the final transformation, the result of which is the mode key. 6. The method of claim 5, wherein the transforms to generate the SBOX and the actual mode key are applied for each 16-byte block of input data or each round of AES performed during processing of the 16-byte block of data. 7. A cryptographic conversion device for processing a large array, packets or data streams based on the hardware and software implementation in the microprocessor of the AES block cipher algorithm, including at least an AES encryption key expansion unit, made with the possibility of generating round AES cipher keys based on AES key connected to one of the inputs of the block that implements the preliminary round of AES, made with the possibility of implementing the function of adding the array of initial data in the form of a structure S, consisting of 16-byte blocks, with the first round key of the encryption key expansion block, while the output of the block preliminary round AES is connected to the input of a block that implements round operations, including series-connected blocks: nonlinear transformation SBOX; shifting the rows of the state matrix formed from the bytes of the data block; mixing columns of the state matrix; addition functions with the next round AES key; sequentially paired with the block of the final round, coupled with blocks of data memory and encryption keys, characterized in that it additionally includes at least a block that implements the SBOX transformations according to the method in accordance with claim 1 of the formula, made with the possibility of complementing the AES cipher with the conjugate transformation that depends on an additional 128-bit mode key Kr, and slowing down the software computations of the mode key on general-purpose processors (CPUs) based on input data, including a series-connected block for forming an array of actual keys of the mode aKr from the original mode key Kr0, the parameter of which is the number rounds of the cycle Nc, formed by the master block Nc, the output of which is connected to one of the inputs of the block for generating the array of actual keys, and the block for forming the SBOX cipher from the array of actual keys aKr, made with the possibility of forming the SBOX by a conjugate transformation depending on the mode key, and depending on the choice of the operating mode of the device set by the master mode unit, the output of which is connected to one of the inputs of the SBOX formation unit, while the output of the unit that implements the SBOX transformations is connected to the input of the storage unit of the SBOX replacement unit formed by the conjugate transformation, connected to one of the inputs block of nonlinear transformation SBOX, with the provision of the possibility of data transmission of the block of substitutions SBOX. 8. The device according to claim 7, characterized in that the device block that implements the SBOX transformations according to the method in accordance with claim 1 of the formula is a software and hardware module as part of a microprocessor-based block for forming an array of intermediate mode keys mKr, based on the cyclic application of the Frobenius transform in GF (2 ¹²⁷ ) and storing the result in a serially connected register block, the output of which is fed to the input of the serially connected block for generating actual keys, which is a static combinational circuit integrated into the SBOX replacement block generation circuit , forming a single block in the form of a combinational circuit, made with the possibility of implementing the application of the Frobenius transformation in GF (2 ¹²⁸ ) with the formation of an array of 128-bit actual keys of the aKr mode, while the output of the block for generating actual keys is serially connected to the SBOX formation block , made with the provision of the possibility of software and hardware implementation of the SBOX formation function based on the array of actual mode keys. 9. The device according to claim 7, characterized in that the SBOX forming unit is made with the possibility of generating various substitution tables, each of which is used in the next round.

Images