CN116192364A - AES white box encryption method for anti-side channel and related equipment - Google Patents


Info

Publication number
CN116192364A
Authority
CN
China
Prior art keywords
mask
round
white
box
aes
Prior art date
Legal status
Pending
Application number
CN202310036067.XA
Other languages
Chinese (zh)
Inventor
周晶
林强
孟庆树
董逢华
Current Assignee
Wuhan Tianyu Information Industry Co Ltd
Original Assignee
Wuhan Tianyu Information Industry Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by Wuhan Tianyu Information Industry Co Ltd
Priority to CN202310036067.XA
Publication of CN116192364A
Legal status: pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

The invention provides an AES white-box encryption method for resisting side-channel attacks, and related equipment. The method comprises the following steps: randomly generating 16 masks in 4 groups to form a 4 by 4 matrix, wherein the Hamming weight of the exclusive OR of any two masks in each group is a multiple of 4; constructing a cyclic mask that cycles the mask of each byte in the matrix over the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0, 15], where R is the row index of each byte's random mask, C is the column index, and r is the round; and, based on the matrix, mask, index and round, constructing a round function to generate a white-box table that is based on a random group index and is therefore randomized again in each lookup. According to the invention, through an external dynamic offset of the fixed mask, a different initial mask participates in the calculation in each encryption and decryption, so that the real key is hard to recover through side-channel attack and data security is improved.

Description

AES white box encryption method for anti-side channel and related equipment
Technical Field
The invention relates to the technical field of information security, and in particular to an AES white-box encryption method for resisting side-channel attacks, and related equipment.
Background
In the white-box attack environment, an attacker can access the input and output of the cryptographic algorithm and even track the secret key, thereby controlling the terminal equipment. In this environment, Chow et al. in 2003 first adopted a method combining lookup tables, input/output encodings and bijections, hiding the key and the encoding information in the lookup tables. Many white-box encryption schemes are based on Chow's white-box cipher construction idea and adopt improvements proposed on top of it. The presence of the lookup tables increases the difficulty for a white-box attacker to recover the key.
However, such white-box schemes can still be broken by side-channel attacks that recover the key by monitoring the power consumption of the cipher algorithm while it runs.
For white-box encryption to resist side-channel attacks, some randomly generated data, called masks, must be added to the cryptographic algorithm to mask the intermediate values. However, once the white-box cipher table is generated, the randomly generated masks are also fixed, and the nonlinear transformation can then be analyzed by differential statistics to find the correct key.
Disclosure of Invention
The main purpose of the invention is to provide an AES white-box encryption method, apparatus and equipment for resisting side channels, and a readable storage medium, to solve the technical problem that once a white-box cipher table is generated the randomly generated mask is also fixed, so that the nonlinear transformation can be analyzed by differential statistics and the correct key found.
In a first aspect, the present invention provides an AES white-box encryption method for resisting side channels, the method comprising:
randomly generating 16 masks in 4 groups to form a 4 by 4 matrix, wherein the Hamming weight of the exclusive OR of any two masks in each group is a multiple of 4;
constructing a cyclic mask that cycles the mask of each byte in the matrix over the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0, 15], where R is the row index of each byte's random mask, C is the column index, and r is the round;
and, based on the matrix, mask, index and round, constructing a round function to generate a white-box table that is based on a random group index and is therefore randomized again in each lookup.
Wherein, after generating the white-box table, the method further comprises:
looking up the external input encoding table in the white-box table to obfuscate the data to be encrypted;
randomly generating a row index R for selecting the masks in the round functions, so that the mask compensation table and the round function table looked up differ for each encryption and decryption;
and looking up the mask compensation table and the round function table in the white-box table according to the round until the rounds are finished, obtaining the obfuscated data of each round.
Wherein, after obtaining the obfuscated data of each round, the method further comprises:
looking up the external output encoding table in the white-box table to obtain the encrypted data with the obfuscation removed, and decrypting that encrypted data with the standard AES algorithm.
Wherein constructing the round function based on the matrix, mask, index and round comprises:
constructing a row shift transformation matrix;
constructing the masked byte substitution in the following manner:
Figure BDA0004048834320000021
Figure BDA0004048834320000022
where Nr is the total number of rounds, SubByte represents the byte substitution transformation of standard AES, X represents a protected intermediate value that is taken as the input of the reconstructed S-box, M and M' respectively represent the input mask and output mask values used to protect the sensitive intermediate value, and M and M' are two adjacent elements in the same row of the matrix;
constructing the T-Box in the following way:
Figure BDA0004048834320000023
Figure BDA0004048834320000024
where x represents one byte of the matrix, i represents the input byte, r is the round,
Figure BDA0004048834320000025
is the row-shift transformation of the expanded key, S is the S-Box lookup operation, and Mask_r is the mask table;
constructing the column confusion transformation matrix in the following manner:
Figure BDA0004048834320000026
where MC_0 represents the first two columns of the matrix and MC_1 represents the remaining two columns;
based on the round boundaries, the mask compensation is obtained as
Figure BDA0004048834320000027
where r is the round, MC represents the column confusion (MixColumns) transformation of standard AES, and SR represents the row shift (ShiftRows) transformation of standard AES.
Wherein the method further comprises:
randomly generating two 128-bit linear invertible random mappings IN and OUT, which act on the plaintext and the ciphertext respectively as external encodings;
for the r-th round, r ∈ [1, Nr], using a 128-bit nonsingular matrix Y_r over a finite field in place of the row shift transformation, expressed as:
Figure BDA0004048834320000031
where
Figure BDA0004048834320000032
randomly generating 8 16-bit linear invertible random mappings A and A^(-1), and letting A act on all elements of M, so that:
A·M' = {A_0·M'_0, A_1·M'_1, ..., A_7·M'_7}
where AA = diag(A_0, A_1, ..., A_7),
Figure BDA0004048834320000033
randomly generating 4 32-bit linear invertible random mappings B and B^(-1), and column-obfuscating the mask with B, so that
Figure BDA0004048834320000034
constructing the mask row-shift transformation obfuscation, expressed as SR(X) = AA·SR·BB^(-1);
constructing the mask compensation obfuscation;
for the r-th round, r ∈ [1, Nr], the masking operation using T_r is expressed as:
Figure BDA0004048834320000035
In a second aspect, the present invention also provides an AES white-box encryption apparatus for resisting side channels, the apparatus comprising:
a generation module for randomly generating 16 masks in 4 groups to form a 4 by 4 matrix, wherein the Hamming weight of the exclusive OR of any two masks in each group is a multiple of 4;
a first construction module for constructing a cyclic mask that cycles the mask of each byte in the matrix over the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0, 15], where R is the row index of each byte's random mask, C is the column index, and r is the round;
a second construction module for constructing round functions based on the matrix, mask, index and round to generate a white-box table that is based on a random group index and is therefore randomized again in each lookup.
Wherein the apparatus further comprises an encryption module for:
looking up the external input encoding table in the white-box table to obfuscate the data to be encrypted;
randomly generating a row index R for selecting the masks in the round functions, so that the mask compensation table and the round function table looked up differ for each encryption and decryption;
and looking up the mask compensation table and the round function table in the white-box table according to the round until the rounds are finished, obtaining the obfuscated data of each round.
Wherein the apparatus further comprises a decryption module for:
looking up the external output encoding table in the white-box table to obtain the encrypted data with the obfuscation removed, and decrypting that encrypted data with the standard AES algorithm.
In a third aspect, the present invention also provides an anti-side channel AES white-box encryption apparatus, the anti-side channel AES white-box encryption apparatus including a processor, a memory, and an anti-side channel AES white-box encryption program stored on the memory and executable by the processor, wherein the anti-side channel AES white-box encryption program, when executed by the processor, implements the steps of the anti-side channel AES white-box encryption method described above.
In a fourth aspect, the present invention also provides a readable storage medium having stored thereon an AES white-box encryption program of an anti-side channel, wherein the steps of the AES white-box encryption method of an anti-side channel as described above are implemented when the AES white-box encryption program of an anti-side channel is executed by a processor.
In the invention, 16 masks are randomly generated and divided into 4 groups to form a 4 by 4 matrix, wherein the Hamming weight of the exclusive OR of any two masks in each group is a multiple of 4; a cyclic mask is constructed that cycles the mask of each byte in the matrix over the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0, 15], where R is the row index of each byte's random mask, C is the column index, and r is the round; and, based on the matrix, mask, index and round, a round function is constructed to generate a white-box table that is based on a random group index and is therefore randomized again in each lookup. According to the invention, through an external dynamic offset of the fixed mask, a different initial mask participates in the calculation in each encryption and decryption, so that the real key is hard to recover through side-channel attack and data security is improved.
Drawings
FIG. 1 is a flowchart of an embodiment of an AES white-box encryption method for anti-side channels according to the present invention;
FIG. 2 is a diagram of round functions in an embodiment of an AES white-box encryption system with anti-side channels according to the present invention;
FIG. 3 is a schematic diagram of generating and exporting a white-box table in an embodiment of an AES white-box encryption method for anti-side channels according to the present invention;
FIG. 4 is a schematic diagram illustrating data encryption and decryption performed in an embodiment of an AES white-box encryption method for anti-side channels according to the present invention;
FIG. 5 is a schematic diagram of functional blocks of an embodiment of an AES white-box encryption device with anti-side channels according to the present invention;
FIG. 6 is a schematic hardware structure of an AES white-box encryption apparatus for anti-side channels according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
In a first aspect, an embodiment of the present invention provides an AES white-box encryption method against side channels.
In an embodiment, referring to fig. 1, fig. 1 is a flowchart illustrating an AES white-box encryption method of an anti-side channel according to an embodiment of the present invention. As shown in fig. 1, the method includes:
Step S10, randomly generating 16 masks in 4 groups to form a 4 by 4 matrix, wherein the Hamming weight of the exclusive OR of any two masks in each group is a multiple of 4;
In this embodiment, 16 masks are randomly generated in 4 groups to form a 4 by 4 matrix, where the Hamming weight of the exclusive OR of any two masks in each group is a multiple of 4. For example:
Figure BDA0004048834320000051
Step S20, constructing a cyclic mask that cycles the mask of each byte in the matrix over the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0, 15], where R is the row index of each byte's random mask, C is the column index, and r is the round;
In this embodiment, i is the byte index, and through the cyclic mask the mask used in each round is not fixed.
Step S30, constructing a round function based on the matrix, mask, index and round to generate a white-box table, which, being based on the random group index, is also random in each lookup.
In this embodiment, a round function is constructed based on the 4 by 4 matrix, mask, index and round to generate a white-box table; since the white-box table is based on a random group index, it is also random in each lookup.
In this embodiment, 16 masks are randomly generated and divided into 4 groups to form a 4 by 4 matrix, wherein the Hamming weight of the exclusive OR of any two masks in each group is a multiple of 4; a cyclic mask is constructed that cycles the mask of each byte in the matrix over the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0, 15], where R is the row index of each byte's random mask, C is the column index, and r is the round; and, based on the matrix, mask, index and round, a round function is constructed to generate a white-box table that is based on a random group index and is therefore randomized again in each lookup. By this embodiment, through the external dynamic offset of the fixed mask, a different initial mask participates in the calculation in each encryption and decryption, so that the real key is hard to recover through side-channel attack and data security is improved.
Further, in an embodiment, a round function is then constructed based on steps S10 and S20; referring to FIG. 2, FIG. 2 is a schematic diagram of the round function in an AES white-box encryption system with anti-side channels according to an embodiment of the present invention. Constructing the round function based on the matrix, mask, index and round comprises:
constructing a row shift transformation matrix;
constructing the masked byte substitution in the following manner:
Figure BDA0004048834320000061
Figure BDA0004048834320000062
where Nr is the total number of rounds, SubByte represents the byte substitution transformation of standard AES, X represents a protected intermediate value that is taken as the input of the reconstructed S-box, M and M' respectively represent the input mask and output mask values used to protect the sensitive intermediate value, and M and M' are two adjacent elements in the same row of the matrix;
constructing the T-Box in the following way:
Figure BDA0004048834320000063
Figure BDA0004048834320000064
where x represents one byte of the matrix, i represents the input byte, r is the round,
Figure BDA0004048834320000066
is the row-shift transformation of the expanded key, S is the S-Box lookup operation, and Mask_r is the mask table;
constructing the column confusion transformation matrix in the following manner:
Figure BDA0004048834320000065
where MC_0 represents the first two columns of the matrix and MC_1 represents the remaining two columns;
based on the round boundaries, the mask compensation is obtained as
Figure BDA0004048834320000071
where r is the round, MC represents the column confusion (MixColumns) transformation of standard AES, and SR represents the row shift (ShiftRows) transformation of standard AES.
In this embodiment:
(1) Constructing the row shift transformation matrix. For example, the row shift transformation matrix of AES is expressed as:
Figure BDA0004048834320000072
A 128 × 128 byte matrix is constructed so that it implements this matrix.
Specifically: first, the 128 × 128 byte matrix is divided into 4 blocks, so that M = [M_0 M_1 M_2 M_3].
At initial position 0, let M_0 = [x 00 00 00], M_1 = [00 00 00 00], M_2 = [00 00 00 00], M_3 = [00 00 00 00].
Then move 5 bytes, giving M_0 = [00 00 00 00], M_1 = [00 00 00 00], M_2 = [00 00 00 00], M_3 = [00 x 00 00].
Move 10 bytes again, giving M_0 = [00 00 00 00], M_1 = [00 00 00 00], M_2 = [00 00 x 00], M_3 = [00 00 00 00].
Continue until all elements have been shifted according to the matrix of the inverse row shift transformation.
where
Figure BDA0004048834320000073
i.e. the set of all positions in binary.
(2) The masked byte substitution is constructed in the following manner:
Figure BDA0004048834320000074
Figure BDA0004048834320000075
where SubByte represents the byte substitution transformation of standard AES, X represents the protected intermediate value taken as the input of the reconstructed S-box, and M and M' represent the input mask and output mask values, respectively, used to protect the sensitive intermediate value. M and M' are two elements of the mask matrix adjacent in row and column; for example, M_0 and M_1 are at row 0, columns 0 and 1.
(3) The T-Box is constructed for byte substitution + round key addition + mask conversion in the following manner:
Figure BDA0004048834320000076
Figure BDA0004048834320000077
where x represents a byte in the 4 × 4 matrix, i represents the input byte, r is the round,
Figure BDA0004048834320000078
is the row-shift transformation of the expanded key, and S is the S-Box lookup operation. Mask_r (i.e., the mask table) is expressed as:
Figure BDA0004048834320000081
To increase the randomness outside the mask, the row index R is generated randomly outside the table, while the mask M and the column index C are fixed in the table when the white-box table is generated. When C[i] + r reaches the maximum value of the column index, it wraps around so that C[i] + r = C[0]. Since the Hamming weight of the exclusive OR of every two adjacent masks is a multiple of 4, the power consumption is similar when the nonlinear T-Box is evaluated, so the side channel cannot obtain the correct key from the power variations.
(4) The column confusion transformation matrix is constructed. Specifically, the 4 × 4 matrix MC is divided into two 4 × 2 matrices MC_0 and MC_1, where MC_0 represents the first two columns of the matrix MC and MC_1 represents the remaining two columns. The column confusion transformation is carried out with MC_0 and MC_1 in the following manner:
Figure BDA0004048834320000082
(5) Mask compensation cancels out the mask effect of the previous round. From the round boundaries in FIG. 2, the mask compensation is obtained as
Figure BDA0004048834320000083
where r is the round, MC represents the column confusion (MixColumns) transformation of standard AES, and SR represents the row shift (ShiftRows) transformation of standard AES.
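The mask generation of step S10, the cyclic mask schedule of step S20 and the masked T-Box of item (3) can be exercised together in the following Python example, which is added here and is not code from the patent or its assignee. It assumes that M[R[i] + ((C[i] + r) mod 4)] addresses row R[i], column (C[i] + r) mod 4 of the 4 by 4 mask matrix, that the T-Box composes S-box, round key and mask as S(X ⊕ Mask_r[i] ⊕ k̂_r[i]) ⊕ Mask_{r+1}[i] (so M and M' are column-adjacent entries of one row), and it uses constructed sample round-key and state bytes; the AES S-box is computed rather than tabulated.

```python
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p


def sbox_byte(a: int) -> int:
    """Standard AES SubBytes for one byte: inverse in GF(2^8), then the affine map."""
    inv = next((b for b in range(256) if gf_mul(a, b) == 1), 0)  # inv(0) := 0
    x = inv
    for s in range(1, 5):  # x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4)
        x ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
    return x ^ 0x63


SBOX = [sbox_byte(a) for a in range(256)]


def hw(x: int) -> int:
    """Hamming weight of a byte."""
    return bin(x).count("1")


def group_ok(group) -> bool:
    """Step S10 condition: the Hamming weight of the XOR of any two masks in the
    group is a multiple of 4."""
    return all(hw(group[i] ^ group[j]) % 4 == 0
               for i in range(len(group)) for j in range(i + 1, len(group)))


def generate_mask_matrix(rand_byte=lambda: secrets.randbelow(256)):
    """Step S10: 16 random byte masks in 4 groups, one group per row of a 4x4 matrix.
    Rejection sampling; masks within a group are kept distinct (a choice made here,
    not stated on the page). A valid completion of any partial group always exists
    (e.g. m0 ^ m1 ^ m2 completes a valid triple), so the loop terminates."""
    matrix = []
    for _ in range(4):
        group = [rand_byte()]
        while len(group) < 4:
            cand = rand_byte()
            if cand not in group and group_ok(group + [cand]):
                group.append(cand)
        matrix.append(group)
    return matrix


def round_masks(matrix, R, C, r):
    """Step S20: Mask_r[i] = M[R[i]][(C[i] + r) mod 4], i in [0, 15].
    Assumption: R[i] selects the row and (C[i] + r) mod 4 the column of the 4x4
    matrix; the mod 4 is the wrap-around of the column index to C[0]."""
    return [matrix[R[i]][(C[i] + r) % 4] for i in range(16)]


def build_tbox(matrix, R, C, r, k_hat):
    """T-Box for round r: byte substitution + round key + mask conversion, one
    256-entry table per byte position i. Assumed composition:
        T_r^i(X) = S(X ^ Mask_r[i] ^ k_hat[i]) ^ Mask_{r+1}[i]
    so the input mask M = Mask_r[i] and the output mask M' = Mask_{r+1}[i] are
    column-adjacent entries of row R[i], matching S'(X) = S(X ^ M) ^ M'."""
    m_in = round_masks(matrix, R, C, r)
    m_out = round_masks(matrix, R, C, r + 1)
    return [[SBOX[X ^ m_in[i] ^ k_hat[i]] ^ m_out[i] for X in range(256)]
            for i in range(16)]


def masked_subbytes(matrix, R, C, r, k_hat, state):
    """Push a plain 16-byte state through one masked T-Box layer and strip the
    round r+1 output mask again, so the result can be checked against plain AES."""
    m_in = round_masks(matrix, R, C, r)
    m_out = round_masks(matrix, R, C, r + 1)
    tbox = build_tbox(matrix, R, C, r, k_hat)
    masked = [tbox[i][state[i] ^ m_in[i]] for i in range(16)]
    return [masked[i] ^ m_out[i] for i in range(16)]


def reference_subbytes(k_hat, state):
    """Unmasked AddRoundKey + SubBytes: the value the masked path must reproduce."""
    return [SBOX[state[i] ^ k_hat[i]] for i in range(16)]


def adjacent_mask_hw_ok(matrix, R, C, r):
    """The property item (3) relies on for similar power consumption: the input and
    output masks of every T-Box entry (column-adjacent masks of one row) XOR to a
    Hamming weight that is a multiple of 4."""
    m_in = round_masks(matrix, R, C, r)
    m_out = round_masks(matrix, R, C, r + 1)
    return all(hw(m_in[i] ^ m_out[i]) % 4 == 0 for i in range(16))


if __name__ == "__main__":
    M = generate_mask_matrix()
    C = [i % 4 for i in range(16)]                       # column index fixed in the table
    R = [secrets.randbelow(4) for _ in range(16)]        # row index drawn per encryption
    k_hat = [(17 * i + 5) & 0xFF for i in range(16)]     # constructed sample round key
    state = [(37 * i + 11) & 0xFF for i in range(16)]    # constructed sample state
    print(masked_subbytes(M, R, C, 3, k_hat, state) == reference_subbytes(k_hat, state))
```

Because R is drawn outside the table, two encryptions with different R read different rows of the same fixed matrix, while the unmasked result stays that of standard AddRoundKey + SubBytes.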
Further, in an embodiment, the method further comprises:
randomly generating two 128-bit linear invertible random mappings IN and OUT, which act on the plaintext and the ciphertext respectively as external encodings;
for the r-th round, r ∈ [1, Nr], using a 128-bit nonsingular matrix Y_r over a finite field to replace the row shift transformation, expressed as:
Figure BDA0004048834320000084
where
Figure BDA0004048834320000085
randomly generating 8 16-bit linear invertible random mappings A and A^(-1), and letting A act on all elements of M, so that:
A·M' = {A_0·M'_0, A_1·M'_1, ..., A_7·M'_7}
where AA = diag(A_0, A_1, ..., A_7),
Figure BDA0004048834320000086
randomly generating 4 32-bit linear invertible random mappings B and B^(-1), and column-obfuscating the mask with B, so that
Figure BDA0004048834320000087
constructing the mask row-shift transformation obfuscation, expressed as SR(X) = AA·SR·BB^(-1);
constructing the mask compensation obfuscation;
for the r-th round, r ∈ [1, Nr], the masking operation using T_r is expressed as:
Figure BDA0004048834320000091
In this embodiment, to increase confusion, linear invertible matrices are added:
(1) Input/output obfuscation. Specifically: two 128-bit linear invertible random mappings IN (i.e., the external input encoding table) and OUT (i.e., the external output encoding table) are randomly generated to act on the plaintext and the ciphertext, respectively, as external encodings.
(2) Round function obfuscation. Specifically:
for the r-th round, r ∈ [1, Nr], a 128-bit nonsingular matrix Y_r over the finite field GF(2) replaces the row shift transformation. The operation of Y_r may be expressed as:
Figure BDA0004048834320000092
where
Figure BDA0004048834320000093
Y_r is thus the round function table.
(3) Mask obfuscation. Specifically:
a. randomly generating 8 16-bit linear invertible random mappings A and A^(-1), and letting A act on all elements of M, namely:
A·M' = {A_0·M'_0, A_1·M'_1, ..., A_7·M'_7}
let AA = diag(A_0, A_1, ..., A_7),
Figure BDA0004048834320000094
b. randomly generating 4 32-bit linear invertible random mappings B and B^(-1), and column-obfuscating the mask with the matrix B, so that
Figure BDA0004048834320000095
c. constructing the mask row-shift transformation obfuscation, expressed as SR(X) = AA·SR·BB^(-1);
d. constructing the mask compensation obfuscation, expressed as:
Figure BDA0004048834320000096
e. for the r-th round, r ∈ [1, Nr], the masking operation using T_r may be expressed as:
Figure BDA0004048834320000097
where T_r is the mask compensation table.
Further, in an embodiment, after generating the white-box table, the method further comprises:
looking up the external input encoding table in the white-box table to obfuscate the data to be encrypted;
randomly generating a row index R for selecting the masks in the round functions, so that the mask compensation table and the round function table looked up differ for each encryption and decryption;
and looking up the mask compensation table and the round function table in the white-box table according to the round until the rounds are finished, obtaining the obfuscated data of each round.
In this embodiment, when data needs to be encrypted, the data to be encrypted is first obfuscated by looking up the external input encoding table IN in the white-box table, so as to prevent external injection; a row index R for selecting the masks in the round functions is then generated randomly, so that the mask compensation table and the round function table looked up differ for each encryption and decryption; and the mask compensation table and the round function table are then looked up according to the round until the rounds are finished, obtaining the obfuscated data of each round.
Further, in an embodiment, after obtaining the obfuscated data of each round, the method further comprises:
looking up the external output encoding table in the white-box table to obtain the encrypted data with the obfuscation removed, and decrypting that encrypted data with the standard AES algorithm.
In this embodiment, when the encrypted data needs to be decrypted, the de-obfuscated encrypted data is obtained by looking up the external output encoding table OUT in the white-box table, and the data is then decrypted with the standard AES algorithm.
Further, in an embodiment, referring to FIG. 3, FIG. 3 is a schematic diagram of generating and exporting a white-box table in an embodiment of the AES white-box encryption method for resisting side channels of the present invention. As shown in FIG. 3,
the white-box table construction module generates a white-box table using the AES white-box encryption method for resisting side channels described above; after the white-box table is generated, the white-box table generation module outputs the white-box table held in memory as a file. Specifically, according to an external instruction, the white-box table generation module takes input parameters including but not limited to the key, a random seed and the input/output file paths, and output forms including but not limited to a source code file, a JSON file and a binary stream file. The in-memory table is written to the output file using defined rules including but not limited to segment start position, segment offset and segment encryption. To prevent external injection, the external input encoding table IN and the external output encoding table OUT are stored separately. The white-box table import module imports the white-box table file and parses it, according to the defined rules, into a format that the encryption and decryption module can recognize.
Referring to FIG. 4, FIG. 4 is a schematic diagram of data encryption and decryption in an AES white-box encryption method for resisting side channels according to an embodiment of the present invention. As shown in FIG. 4, A103 is the encryption flow and A104 is the decryption flow. In the encryption process, the data to be encrypted is first obfuscated by looking up the external input encoding table IN, so as to prevent external injection; a row index R for selecting the masks in the round functions is then generated randomly, so that the mask compensation table and the round function table looked up differ for each encryption and decryption; the mask compensation table (Mask) and the round function table (Table) are then looked up according to the round until the rounds are finished, obtaining the obfuscated data of each round; and the obfuscated data is sent to the decryption end. In the decryption process, the external output encoding table OUT is first looked up to obtain the de-obfuscated encrypted data, and the standard AES algorithm is then used to decrypt it.
In a second aspect, an embodiment of the present invention further provides an AES white-box encryption apparatus for resisting side channels; referring to FIG. 5, FIG. 5 is a schematic functional block diagram of an embodiment of the AES white-box encryption apparatus for resisting side channels of the present invention. As shown in FIG. 5, the apparatus includes:
a generation module 10, configured to randomly generate 16 masks in 4 groups to form a 4 by 4 matrix, where the Hamming weight of the exclusive OR of any two masks in each group is a multiple of 4;
a first construction module 20, configured to construct a cyclic mask that cycles the mask of each byte in the matrix over the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0, 15], where R is the row index of each byte's random mask, C is the column index, and r is the round;
a second construction module 30, configured to construct round functions based on the matrix, mask, index and round to generate a white-box table that is based on a random group index and is therefore randomized again in each lookup.
Further, in an embodiment, the apparatus further includes an encryption module configured to:
look up the external input encoding table in the white-box table to obfuscate the data to be encrypted;
randomly generate a row index R for selecting the masks in the round functions, so that the mask compensation table and the round function table looked up differ for each encryption and decryption;
and look up the mask compensation table and the round function table in the white-box table according to the round until the rounds are finished, obtaining the obfuscated data of each round.
Further, in an embodiment, the apparatus further includes a decryption module configured to:
look up the external output encoding table in the white-box table to obtain the encrypted data with the obfuscation removed, and decrypt that encrypted data with the standard AES algorithm.
Further, in an embodiment, the second construction module 30 is configured to:
constructing a row shift transformation matrix;
the masked byte substitution is constructed in the following manner:
Figure BDA0004048834320000111
Figure BDA0004048834320000121
where Nr is the total number of rounds, SubByte denotes the byte substitution transform of standard AES, X denotes the protected intermediate value that is the input of the reconstructed S-box, M and M' denote the input mask and the output mask protecting the sensitive intermediate value, and M and M' are two adjacent elements of the same row of the matrix;
the T-Box is constructed in the following way:
Figure BDA0004048834320000122
Figure BDA0004048834320000123
where x denotes one byte of one of the matrices, i denotes the input byte, r is the round,
Figure BDA00040488343200001210
is the row-shift (ShiftRows) transform of the expanded key, S is the S-box table lookup, and Mask_r is the mask table;
constructing a column confusion (MixColumns) transformation matrix in the following way:
Figure BDA0004048834320000124
where MC_0 represents the first two columns of the matrix and MC_1 the remaining two columns;
based on the round boundaries, the mask compensation is obtained as
Figure BDA0004048834320000125
where r is the round, MC is the column confusion (MixColumns) transform of standard AES, and SR is the row shift (ShiftRows) transform of standard AES.
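The masked byte substitution, the keyed T-box and the round-boundary mask compensation described above, as an added example that is not the patent's code. The AES primitives are implemented inline so the block runs offline; the key and mask bytes are constructed sample values (in the patent the masks come from the rotating 4 by 4 matrix and the key from the expanded key); and the T-box here folds AddRoundKey in front of SubBytes with ShiftRows applied afterwards, instead of row-shifting the expanded key as the page does, which is equivalent for the purpose of showing the compensation.

```python
# Added example (not code from the patent): one AES round computed on a masked
# state with lookup tables, plus the mask compensation at the round boundary.
# Standard AES primitives are implemented inline so the block runs offline.
# The masks and the key below are constructed sample values; in the patent the
# masks come from the rotating 4x4 mask matrix and the key from the expanded key.


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _gf_inv(a):
    """a^254 = a^-1 in GF(2^8) for a != 0; yields 0 for a == 0 (AES convention)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = _gf_mul(r, a)
        a, e = _gf_mul(a, a), e >> 1
    return r


def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _sbox_entry(v):
    b = _gf_inv(v)  # field inversion followed by the AES affine map
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63


SBOX = [_sbox_entry(v) for v in range(256)]


def shift_rows(s):
    """State is column-major: byte i sits at row i % 4, column i // 4."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gf_mul(2, a[r]) ^ _gf_mul(3, a[(r + 1) % 4])
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def aes_round(x, k):
    """Reference (unmasked) round: AddRoundKey folded in front of SubBytes, as
    a T-box does, then ShiftRows and MixColumns."""
    return mix_columns(shift_rows([SBOX[x[i] ^ k[i]] for i in range(16)]))


def build_tboxes(k, m_in, m_out):
    """Masked T-boxes: T_i[x ^ m_in[i]] = S(x ^ k[i]) ^ m_out[i]. Neither the
    key nor the unmasked S-box input appears as a value during the lookup."""
    return [[SBOX[v ^ m_in[i] ^ k[i]] ^ m_out[i] for v in range(256)]
            for i in range(16)]


def mask_compensation(m_out, m_next):
    """Round-boundary compensation: SR and MC are linear, so they carry the
    output mask to MC(SR(m_out)); XORing MC(SR(m_out)) ^ m_next replaces it by
    the next round's input mask."""
    carried = mix_columns(shift_rows(m_out))
    return [carried[i] ^ m_next[i] for i in range(16)]


def masked_round(xm, tboxes, comp):
    """Round on masked data: T-box lookup, linear layers, then compensation."""
    y = [tboxes[i][xm[i]] for i in range(16)]
    z = mix_columns(shift_rows(y))
    return [z[i] ^ comp[i] for i in range(16)]


def demo():
    """Constructed sample values; returns True when the masked round equals
    the reference round once the next-round mask is removed."""
    key = [(0x2B + 17 * i) & 0xFF for i in range(16)]
    x = [(7 * i + 3) & 0xFF for i in range(16)]
    m_in = [(0x5A ^ (i * 0x31)) & 0xFF for i in range(16)]
    m_out = [(0xA5 ^ (i * 0x17)) & 0xFF for i in range(16)]
    m_next = [(0x3C ^ (i * 0x53)) & 0xFF for i in range(16)]
    xm = [x[i] ^ m_in[i] for i in range(16)]
    out = masked_round(xm, build_tboxes(key, m_in, m_out),
                       mask_compensation(m_out, m_next))
    return [out[i] ^ m_next[i] for i in range(16)] == aes_round(x, key)


if __name__ == "__main__":
    print("masked round matches reference:", demo())
```

The compensation table depends only on the two masks and the public linear layers, never on the key, which is why it can be stored separately from the round function table and swapped whenever the mask selection (the row index R) changes.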
Further, in an embodiment, the apparatus further includes an obfuscation enhancing module configured to:
randomly generate two 128-bit linear invertible random mappings IN and OUT, acting on the plaintext and the ciphertext respectively as external encodings;
for the r-th round, r ∈ [1, Nr], replace the row shift transform with a 128-bit nonsingular matrix Y_r over a finite field, expressed as:
Figure BDA0004048834320000126
where
Figure BDA0004048834320000127
randomly generate 8 16-bit linear invertible random mappings A and A^{-1}, and let A act on all elements of M, giving:
A·M′ = {A_0·M′_0, A_1·M′_1, ..., A_7·M′_7}
where AA = diag(A_0, A_1, ..., A_7),
Figure BDA0004048834320000128
randomly generate 4 32-bit linear invertible random mappings B and B^{-1}, and column-obfuscate the mask with B, giving
Figure BDA0004048834320000129
construct the mask row-shift transform obfuscation, expressed as SR(X) = AA·SR·BB^{-1};
construct the mask compensation obfuscation;
for the r-th round, r ∈ [1, Nr], mask with T_r; the operation is expressed as:
Figure BDA0004048834320000131
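The random linear invertible mappings of the obfuscation enhancing module, as an added example that is not the patent's code: how such a map over GF(2) is drawn, inverted and applied, with IN acting on a 128-bit plaintext word and the block-diagonal AA = diag(A_0, ..., A_7) acting on the eight 16-bit pieces of a mask. Matrices are represented as lists of row bitmasks (an assumption of this example); Y_r, B and the table T_r are not constructed here, and the seed and sample values are constructed.

```python
# Added example (not code from the patent): random invertible linear maps over
# GF(2) of the kind the obfuscation-enhancing module uses. It shows how to
# draw such a map, invert it, apply IN to a 128-bit plaintext word, and apply
# the block-diagonal AA = diag(A_0, ..., A_7) to the 16-bit pieces of a mask.
# Matrices are lists of row bitmasks (bit j of row i is the coefficient of
# input bit j); Y_r, B and the table T_r of the page are not built here.
import random


def gf2_apply(rows, x):
    """y = M·x over GF(2): bit i of y is the parity of rows[i] AND x."""
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))


def gf2_rank(rows):
    """Rank over GF(2) by repeated elimination on the row with the highest
    leading bit."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = max(rows)
        lead = pivot.bit_length() - 1
        rank += 1
        rows = [r ^ pivot if (r >> lead) & 1 else r for r in rows if r != pivot]
        rows = [r for r in rows if r]
    return rank


def gf2_inverse(rows):
    """Inverse of an invertible n x n GF(2) matrix by Gauss-Jordan elimination,
    applying every row operation to an identity matrix alongside."""
    n = len(rows)
    a, inv = list(rows), [1 << i for i in range(n)]
    for col in range(n):
        piv = next(i for i in range(col, n) if (a[i] >> col) & 1)
        a[col], a[piv] = a[piv], a[col]
        inv[col], inv[piv] = inv[piv], inv[col]
        for i in range(n):
            if i != col and (a[i] >> col) & 1:
                a[i] ^= a[col]
                inv[i] ^= inv[col]
    return inv


def random_invertible(n, rng):
    """Rejection-sample a random n x n matrix until it has full rank (about
    29% of random GF(2) matrices are invertible, so this terminates fast)."""
    while True:
        rows = [rng.getrandbits(n) for _ in range(n)]
        if gf2_rank(rows) == n:
            return rows


def apply_blockwise(blocks, x, width):
    """diag(A_0, ..., A_k) acting on x split into `width`-bit chunks, least
    significant chunk first: the AA·M' action described on the page."""
    out = 0
    for j, blk in enumerate(blocks):
        chunk = (x >> (j * width)) & ((1 << width) - 1)
        out |= gf2_apply(blk, chunk) << (j * width)
    return out


def demo(seed=2023):
    """Constructed seed; returns True when IN and AA round-trip correctly."""
    rng = random.Random(seed)
    IN = random_invertible(128, rng)
    A = [random_invertible(16, rng) for _ in range(8)]
    IN_inv, A_inv = gf2_inverse(IN), [gf2_inverse(blk) for blk in A]
    plaintext = rng.getrandbits(128)   # word the external encoding IN acts on
    mask = rng.getrandbits(128)        # 128-bit mask M' seen as 8 x 16 bits
    ok_in = gf2_apply(IN_inv, gf2_apply(IN, plaintext)) == plaintext
    ok_aa = apply_blockwise(A_inv, apply_blockwise(A, mask, 16), 16) == mask
    return ok_in and ok_aa


if __name__ == "__main__":
    print("round trips hold:", demo())
```

The inverse maps are what the decryption side (or the next table) needs to cancel the encoding; the forward maps are absorbed into the tables, so neither appears in the clear at run time.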
the specific embodiments of the AES white-box encryption method for the anti-side channel are substantially the same as the embodiments of the AES white-box encryption system for the anti-side channel, and are not described in detail herein.
In a third aspect, an embodiment of the present invention provides an AES white-box encryption apparatus for an anti-side channel, where the AES white-box encryption apparatus for an anti-side channel may be an apparatus having a data processing function, such as a personal computer (personal computer, PC), a notebook computer, a server, or the like.
Referring to fig. 6, fig. 6 is a schematic hardware structure of an anti-side channel AES white-box encryption apparatus according to an embodiment of the present invention. In an embodiment of the present invention, the anti-side channel AES white-box encryption apparatus may include a processor 1001 (e.g., a Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 enables communication between these connected components; the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); the network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity, Wi-Fi interface); the memory 1005 may be a high-speed random access memory (RAM) or a non-volatile memory such as disk storage, and the memory 1005 may alternatively be a storage device independent of the processor 1001. Those skilled in the art will appreciate that the hardware configuration shown in fig. 6 does not limit the invention and may include more or fewer components than shown, combine certain components, or arrange the components differently.
With continued reference to fig. 6, an operating system, a network communication module, a user interface module, and an AES white-box encryption program against side channels may be included in the memory 1005 of fig. 6, which is a type of computer storage medium. The processor 1001 may call the AES white-box encryption program of the anti-side channel stored in the memory 1005, and execute the AES white-box encryption method of the anti-side channel provided in the embodiment of the present invention.
In a fourth aspect, embodiments of the present invention also provide a readable storage medium.
The invention stores the AES white-box encryption program of the anti-side channel on the readable storage medium, wherein the steps of the AES white-box encryption method of the anti-side channel are realized when the AES white-box encryption program of the anti-side channel is executed by a processor.
The method implemented when the AES white-box encryption program of the anti-side channel is executed may refer to various embodiments of the AES white-box encryption method of the anti-side channel of the present invention, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising several instructions for causing a terminal device to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. An AES white-box encryption method of anti-side channels, the method comprising:
randomly generating 16 masks in 4 groups forming a 4 by 4 matrix, wherein the Hamming weight of the exclusive or of any two masks of a group is a multiple of 4;
constructing a circular mask that cycles the mask of each byte of the matrix along the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0,15], wherein R is the row index of the random mask of each byte, C is the column index, and r is the round;
constructing a round function based on the matrix, the mask, the indices and the round, generating a white-box table that is selected by a random group index drawn afresh on each lookup.
2. The anti-side channel AES white-box encryption method of claim 1, wherein after said generating a white-box table, the method further comprises:
looking up the external input encoding table in the white-box table to obfuscate the data to be encrypted;
randomly generating a row index R for selecting the masks in the round functions, so that the mask compensation table and the round function table differ on every encryption or decryption lookup;
and looking up the mask compensation table and the round function table in the white-box table round by round until the last round, obtaining the obfuscated data of each round.
3. The anti-side channel AES white-box encryption method of claim 2, wherein after said obtaining the obfuscated data of each round, the method further comprises:
and looking up the external output encoding table in the white-box table to obtain the obfuscated encrypted data, and decrypting the obfuscated encrypted data with the standard AES algorithm.
4. The anti-side channel AES white-box encryption method of claim 1, wherein constructing the round function based on the matrix, the mask, the indices and the round comprises:
constructing a row shift transformation matrix;
the masked byte substitution is constructed in the following manner:
Figure FDA0004048834310000011
Figure FDA0004048834310000012
wherein Nr is the total number of rounds, SubByte denotes the byte substitution transform of standard AES, X denotes the protected intermediate value that is the input of the reconstructed S-box, M and M' denote the input mask and the output mask protecting the sensitive intermediate value, and M and M' are two adjacent elements of the same row of the matrix;
the T-Box is constructed in the following way:
Figure FDA0004048834310000021
Figure FDA0004048834310000022
wherein x denotes one byte of one of the matrices, i denotes the input byte, r is the round,
Figure FDA0004048834310000029
is the row-shift (ShiftRows) transform of the expanded key, S is the S-box table lookup, and Mask_r is the mask table;
constructing a column confusion (MixColumns) transformation matrix in the following way:
Figure FDA0004048834310000023
wherein MC_0 represents the first two columns of the matrix and MC_1 the remaining two columns;
based on the round boundaries, the mask compensation is obtained as
Figure FDA0004048834310000024
wherein r is the round, MC is the column confusion (MixColumns) transform of standard AES, and SR is the row shift (ShiftRows) transform of standard AES.
5. The anti-side channel AES white-box encryption method of claim 4, further comprising:
randomly generating two 128-bit linear invertible random mappings IN and OUT, acting on the plaintext and the ciphertext respectively as external encodings;
for the r-th round, r ∈ [1, Nr], replacing the row shift transform with a 128-bit nonsingular matrix Y_r over a finite field, expressed as:
Figure FDA0004048834310000025
wherein
Figure FDA0004048834310000026
randomly generating 8 16-bit linear invertible random mappings A and A^{-1}, and letting A act on all elements of M, giving:
A·M' = {A_0·M'_0, A_1·M'_1, ..., A_7·M'_7}
wherein AA = diag(A_0, A_1, ..., A_7),
Figure FDA0004048834310000027
randomly generating 4 32-bit linear invertible random mappings B and B^{-1}, and column-obfuscating the mask with B, giving
Figure FDA0004048834310000028
constructing the mask row-shift transform obfuscation, expressed as SR(X) = AA·SR·BB^{-1};
constructing the mask compensation obfuscation;
for the r-th round, r ∈ [1, Nr], masking with T_r, the operation being expressed as:
Figure FDA0004048834310000031
6. an AES white-box encryption apparatus that is resistant to side channels, the apparatus comprising:
a generation module for randomly generating 16 masks in 4 groups forming a 4 by 4 matrix, wherein the Hamming weight of the exclusive or of any two masks in a group is a multiple of 4;
a first construction module for constructing a circular mask that cycles the mask of each byte of the matrix along the columns, the mask satisfying Mask_r[i] = M[R[i] + ((C[i] + r) mod 4)], i ∈ [0,15], wherein R is the row index of the random mask of each byte, C is the column index, and r is the round;
a second construction module for constructing round functions based on the matrix, the mask, the indices and the round, generating a white-box table that is selected by a random group index drawn afresh on each lookup.
7. The anti-side channel AES white-box encryption apparatus of claim 6, further comprising an encryption module configured to:
look up the external input encoding table in the white-box table to obfuscate the data to be encrypted;
randomly generate a row index R for selecting the masks in the round functions, so that the mask compensation table and the round function table differ on every encryption or decryption lookup;
and look up the mask compensation table and the round function table in the white-box table round by round until the last round, obtaining the obfuscated data of each round.
8. The anti-side channel AES white-box encryption apparatus of claim 7, wherein the apparatus further comprises a decryption module configured to:
look up the external output encoding table in the white-box table to obtain the obfuscated encrypted data, and decrypt the obfuscated encrypted data with the standard AES algorithm.
9. An anti-side channel AES white-box encryption apparatus, characterized in that the anti-side channel AES white-box encryption apparatus comprises a processor, a memory, and an anti-side channel AES white-box encryption program stored on the memory and executable by the processor, wherein the anti-side channel AES white-box encryption program, when executed by the processor, implements the steps of the anti-side channel AES white-box encryption method of any one of claims 1 to 5.
10. A readable storage medium, wherein an AES white-box encryption program of an anti-side channel is stored on the readable storage medium, wherein the AES white-box encryption program of an anti-side channel, when executed by a processor, implements the steps of the AES white-box encryption method of an anti-side channel as claimed in any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310036067.XA CN116192364A (en) 2023-01-10 2023-01-10 AES white box encryption method for anti-side channel and related equipment


Publications (1)

Publication Number Publication Date
CN116192364A true CN116192364A (en) 2023-05-30

Family

ID=86437785

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310036067.XA Pending CN116192364A (en) 2023-01-10 2023-01-10 AES white box encryption method for anti-side channel and related equipment

Country Status (1)

Country Link
CN (1) CN116192364A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116562229A (en) * 2023-07-10 2023-08-08 武汉芯必达微电子有限公司 Column confusion calculation optimization hardware implementation method and device based on AES algorithm
CN116562229B (en) * 2023-07-10 2023-09-22 武汉芯必达微电子有限公司 Column confusion calculation optimization hardware implementation method and device based on AES algorithm


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination