KR20230103271A - Masking method on block cipher PIPO to resist side channel attacks - Google Patents

Abstract

The present invention relates to a PIPO cryptographic algorithm masking method corresponding to a side-channel attack, and more particularly, to a PIPO cryptographic algorithm masking method in which a masking operation is directly applied to linear and nonlinear calculation values without using a table.
According to the present invention, after applying masking to the input plaintext, the encryption process is completed without removing the mask value even in the intermediate calculation process, and the mask is finally removed. Provides a PIPO encryption algorithm masking method that can effectively prevent side-channel attacks do. Furthermore, a PIPO encryption algorithm masking method capable of defending against side-channel attacks such as CPA is provided by applying a random mask value to input plaintext during encryption so that the calculation intermediate value cannot be predicted.

Description

PIPO cipher algorithm masking method for responding to side channel attacks {Masking method on block cipher PIPO to resist side channel attacks}

The present invention relates to a PIPO cryptographic algorithm masking method corresponding to a side-channel attack, and more particularly, to a PIPO cryptographic algorithm masking method in which a masking operation is directly applied to linear and nonlinear calculation values without using a table.

1 is a diagram showing the structure and processing unit of PIPO, and FIG. 2 is a diagram showing a key prediction unit and a power leakage unit.

PIPO (Plug-In Plug-Out) is a lightweight block cipher algorithm that can apply efficient masking in consideration of the IoT environment. PIPO uses an 8-byte (64-bit) block size and a 128-bit (or 256-bit) key size.

PIPO consists of 13 rounds for a 128-bit key and 17 rounds for a 256-bit key. Each round consists of S-layer, a nonlinear operation layer, P-layer, a linear operation layer, and Key-XOR operation using a round key.

) 연산들로 구성되어 있다. PIPO 블록 암호 알고리즘은 S-layer를 구현하는 형태에 따라 TLU(Table Look Up) 방식과 BS(Bit Slice) 방식으로 설계된다.The S-layer includes logical AND (∧) and OR (∨), which are non-linear operations, and XOR (, which is a linear operation).

) consists of operations. The PIPO block cipher algorithm is designed in the TLU (Table Look Up) method and BS (Bit Slice) method according to the form of implementing the S-layer.

The TLU version makes the SBox operation result into a pre-operation table (array) and then performs S-layer operation by referencing it, but the BS method performs S-layer operation with bit operations (AND, OR, XOR). do it yourself In the encryption/decryption process, intermediate operation values are placed in a state array composed of 8x8 bits and operations are performed.

)연산을 하는 화이트닝 키(Whitening Key, WK)와 각 라운드에서 사용되는 라운드 키(Round Key, RK)는 마스터 비밀 키의 일부로 구성되며 라운드 키의 일부 바이트는 라운드 상수(RCON)와 XOR 되어 있다. 이때, 인접한 2개 라운드 키를 찾으면 마스터 키를 복구할 수 있다.In the case of implementing the BS method, each variable value of the internal state is stored and processed in units of rows. The input plaintext and the first XOR (

) operation, the Whitening Key (WK) and the Round Key (RK) used in each round are composed of a part of the master secret key, and some bytes of the round key are XORed with the round constant (RCON). At this time, if two adjacent round keys are found, the master key can be recovered.

The side-channel analysis attack predicts the operation value that occurs in the middle of the encryption algorithm under the assumption of a secret key (actually a whitening key or round key), and uses the correlation with the measured side-channel information to determine whether the guessed secret key is correct. It is an attack to recover the secret key by verifying. Among side-channel attacks, an attack that uses power consumption measured in the process of encryption operation is called a power analysis attack. In order to calculate the intermediate operation value of the cipher, all round keys of the previous round must be known, so the 0 round key (whitening key) is found in the encryption process, and based on this, the 1 round key sequence is found and attacked.

When performing a power analysis attack on the BS version, the operation in the state matrix is a bit operation in column units, and the bits constituting the value of each row are independent of each other. Since each bit-by-column operation is independent, 8 bits are bundled and processed in units of bytes per row at a time, so power is used and leaked in units of rows.

In the BS-type implementation of PIPO, 8 bytes (64 bits) is used as a CPA (Correlation Power Analysis) attack method to find a bit with the highest correlation by assuming a secret key by one bit per row and examining the correlation with leakage power. All secret keys can be recovered. After recovering the whitening key and the first round key using a power analysis attack, it can be experimentally confirmed that the 128-bit master key is finally recovered through CPA.

KR 10-1506499 B1

H. Kim, Y. Jeon, G. Kim, J. Kim, B. Sim, D. Han, H. Seo, S. Kim, S. Hong, J. Sung, and D. Hong, "PIPO:A Lightweight Block Cipher with Efficient Higher-Order Masking Software Implementations,” ICISC'20, LNCS 12593, pp. 99-122, 2020.

The present invention was devised to solve this problem, and after applying masking to the input plaintext, the mask value is not removed even in the intermediate calculation process, and the encryption process is completed and the mask is finally removed, thereby effectively preventing side-channel attacks. The purpose is to provide a PIPO encryption algorithm masking method that can be used.

That is, an object of the present invention is to provide a PIPO encryption algorithm masking method capable of defending against side-channel attacks such as CPA by applying a random mask value to an input plaintext during encryption so that a calculated median value cannot be predicted.

In order to achieve the above object, the PIPO encryption algorithm masking system according to the present invention performs the PIPO encryption algorithm masking corresponding to the side-channel attack, including: (a) receiving plain text; (b) applying a mask value to the plain text; (c) taking the masked median value and the mask value as inputs, performing a binary logic operation between the masked median values, and calculating and outputting a new mask value; and (d) separately storing a resultant value obtained by performing a binary logic operation between intermediate values to which the mask is applied and the new mask value, and applying them to the next operation of the encryption process.

To apply the mask value, exclusive OR (XOR) operation may be used.

The binary logic operation of step (c) may be any one of an AND operation, an OR operation, and an XOR operation.

An equation for calculating the new mask value may be generated using a Karnaugh map.

The number of 0's and 1's of the mask value can be the same by XOR'ing the new mask value and the new random number and XOR'ing the same random number to the value obtained by performing the binary logic operation of the intermediate values to which the mask is applied.

After the step (d), (e) may further include removing a mask finally generated after all operations of the encryption process are completed.

According to another aspect of the present invention, a computer program for performing masking of a PIPO cryptographic algorithm corresponding to a side-channel attack is stored in a non-transitory storage medium and includes, by a processor, (a) receiving plain text; (b) applying a mask value to the plain text; (c) taking the masked median value and the mask value as inputs, performing a binary logic operation between the masked median values, and calculating and outputting a new mask value; and (d) a command for performing a step of separately storing a resultant value obtained by performing a binary logic operation between intermediate values to which the mask is applied and the new mask value, and applying the resultant value to the next operation in the encryption process.

According to another aspect of the present invention, a system for performing masking of a PIPO cryptographic algorithm corresponding to a side-channel attack includes at least one processor; and at least one memory for storing computer-executable instructions, wherein the computer-executable instructions stored in the at least one memory include, by the at least one processor, steps of (a) receiving plain text; (b) applying a mask value to the plain text; (c) taking the masked median value and the mask value as inputs, performing a binary logic operation between the masked median values, and calculating and outputting a new mask value; and (d) separately storing a resultant value obtained by performing a binary logic operation between intermediate values to which the mask is applied and the new mask value, and applying the resultant value to the next operation in the encryption process.

According to the present invention, after applying masking to the input plaintext, the encryption process is completed without removing the mask value even in the intermediate calculation process, and the mask is finally removed. Provides a PIPO encryption algorithm masking method that can effectively prevent side-channel attacks has the effect of

Furthermore, there is an effect of providing a PIPO encryption algorithm masking method capable of defending against side-channel attacks such as CPA by applying a random mask value to input plaintext during encryption so that a calculated intermediate value cannot be predicted.

1 shows the structure and processing units of PIPO;
Fig. 2 shows a key prediction unit and a power leakage unit;
3 is a block diagram showing how a conventional PIPO cryptographic implementation system implements PIPO cryptography;
4 is a block diagram showing a method of implementing a PIPO encryption by applying a masking technique in a PIPO encryption implementation system according to the present invention;
5 shows a truth table and Karnaugh map for M _AND ;
Figure 6 shows the truth table and Karnaugh map for M _OR .
Fig. 7 shows a mask application technique for linear operations;
8 is a diagram illustrating a mask application technique for nonlinear operations;

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Prior to this, the terms or words used in this specification and claims should not be construed as being limited to the usual or dictionary meaning, and the inventor appropriately uses the concept of the term in order to explain his/her invention in the best way. It should be interpreted as a meaning and concept consistent with the technical idea of the present invention based on the principle that it can be defined. Therefore, since the embodiments described in this specification and the configurations shown in the drawings are only one of the most preferred embodiments of the present invention and do not represent all of the technical ideas of the present invention, various alternatives may be used at the time of this application. It should be understood that there may be equivalents and variations.

FIG. 3 is a block diagram illustrating a method in which a conventional PIPO (Plug-In Plug-Out) encryption implementation system 100 implements PIPO encryption.

As shown, no masking is used, and such a system is very vulnerable to side-channel attacks. The present invention is to solve this problem, and a PIPO encryption algorithm masking method corresponding to a side channel attack of the present invention will be described with reference to FIGS. 4 to 8 below.

4 is a block diagram showing a method of implementing PIPO encryption by applying a masking technique in the PIPO encryption implementation system 200 according to the present invention.

One of the counter-channel attack countermeasures against the block cipher algorithm is to apply masking to the plaintext and the value calculated in the middle. After applying masking to the input plain text (S401) (S402), the encryption process (S404) is completed without removing the mask value even in the intermediate calculation process, and finally the mask is removed (S406). In this case, a new mask value is calculated (S405), and the calculated mask value is used as a mask value in the next step of the encryption process. A method of calculating such a new mask value will be described later in detail with reference to FIGS. 5 and 6 .

)와 같은 연산을 이용하는데 이를 부울(Boolean) 마스킹이라 한다.In masking techniques, when applying or removing a mask, XOR (exclusive OR,

), which is called Boolean masking.

The masking technique is not a big problem because the mask value for the result of the next cryptographic operation can be easily calculated when a linear operation such as XOR or Rotation is performed on an intermediate value. However, it is difficult to apply the masking technique to nonlinear operations such as logical AND(∧) or OR(∨) for intermediate values.

,

라 하며, 각각 마스크를

,

, 마스크가 XOR된 값을

,

이라 정의한다. 이 경우 사용하는 이항 논리 연산자“·”(AND, OR 혹은 XOR)에 대하여 수학식 1을 만족하는 마스크

을 찾는 것이다(S405).Operations in PIPO consist of bitwise AND, OR, XOR, and Rotation, which are just logic operations, not arithmetic operations. The intermediate operation value of a cryptographic algorithm

,

, and each mask

,

, the value of which the mask is XORed

,

is defined as In this case, a mask that satisfies Equation 1 for the binary logical operator “·” (AND, OR or XOR) used

is to find (S405).

[Equation 1]

은

로 쉽게 계산될 수 있으며(M_XOR, S405) 이 과정에서

나

의 누출은 없다.If the binary operator · is XOR, the output mask

silver

It can be easily calculated as (M _XOR , S405), and in this process

me

There is no leakage of

을 효과적으로 찾을 수 있어야 한다.In the case of AND or OR operation, which is a non-linear operation, binary operators

should be able to find it effectively.

과

그리고

과

를 알고 있을 때 (a∧b)의 결과의 마스크 값

를 계산하는 것이 중요하다. 그 이유는 수학식 1로부터 (a∧b)를 알 수 있기 때문이다.

는 오직

의 수식으로만 표현되어야 하고 계산 과정에서 마스킹이 제거된

와

는 누출되어서는 안된다.That is, the median value with the mask applied

class

and

class

Mask value of the result of (a∧b) when .

It is important to calculate The reason is that (a∧b) can be known from Equation 1.

is only

must be expressed only as an expression of and masking is removed in the calculation process

and

should not leak.

과

그리고

과

를 알고 있을 때 (a∨b)의 결과 마스크 값

를 계산하는 것이 중요한데, 그 이유는 역시 수학식 1로부터 (a∨b)를 알 수 있기 때문이다.

역시

의 수식으로만 표현되어야 하고 계산 과정에서 마스킹 이 제거된

와

는 누출되어서는 안된다.Similarly, the masked median

class

and

class

Resultant mask value of (a∨b) when .

It is important to calculate , because (a∨b) can also be found from Equation 1.

also

must be expressed only as an expression of and masking has been removed in the calculation process.

and

should not leak.

를 계산(S405)하는 방법을 설명하고, 도 6을 참조하여

를 계산(S405)하는 방법을 설명한다.Below, with reference to Figure 5

Describe the method of calculating (S405), referring to FIG.

A method of calculating (S405) will be described.

5 is a diagram showing a truth table and a Karnaugh map for M _AND .

의 모든 비트의 조합을 고려한 M_AND의 진리표이고, 도 5(b)는 M_AND에 대한 카르노 맵이다.Figure 5 (a) is

It is a truth table of M _AND considering the combination of all bits of , and FIG. 5(b) is a Karnaugh map for M _AND .

는 실제 암호 연산시 계산하는 값이며

은

의 마스크 값으로 계산되어 별도로 저장된다. 즉, 마스크 값

를

만으로 계산해야 비밀 키 누출이 생기지 않는다. 이에 따라

를 새로운 논리식으로 표현하기 위해 카르노 맵 사용하여 다음과 같이 구한다.indicated in the truth table

is the value calculated during the actual cryptographic operation.

silver

It is calculated as a mask value of and stored separately. That is, the mask value

cast

It should be calculated only to avoid secret key leakage. Accordingly

In order to express in a new logical expression, it is obtained as follows using a Karnaugh map.

[Equation 2]

와

의 노출이 없게 되는 장점이 있다.Intermediate result values when calculating mask values like this

and

has the advantage of not being exposed to

에 새로운 랜덤 수

를 XOR한

를 만들 수도 있는데 이 경우 실제 연산도

가 아닌

로 하면 동일한 마스킹 효과를 가진다.Furthermore, if it is necessary to design the number of 0s and 1s to balance the mask result value,

a new random number in

XORed

, in which case the actual operation is also

not

, it has the same masking effect.

을 XOR할 때

은 기존 마스크된 값(

,

)이나 마스크 값(

,

)를 조합하여 대체할 수도 있는데

의 0과 1의 개수가 동일하도록

을 선택해야 한다. 예를 들어,

,

와 같은 방식이다.random number

when XORing

is the existing masked value (

,

) or mask value (

,

) can be replaced by a combination of

so that the number of 0's and 1's in

should choose for example,

,

the same way as

6 is a diagram showing a truth table and a Karnaugh map for M _OR .

의 모든 비트의 조합을 고려한 M_OR의 진리표이고, 도 6(b)는 M_OR에 대한 카르노 맵이다.Figure 6 (a) is

It is a truth table of M _OR considering the combination of all bits of , and FIG. 6(b) is a Karnaugh map for M _OR .

는 실제 암호 연산시 계산하는 값이며

은

의 마스크 값으로 계산되어 별도로 저장된다. 즉, 마스크 값

를

만으로 계산해야 비밀 키 누출이 생기지 않는다. 이에 따라

를 새로운 논리식으로 표현하기 위해 카르노 맵(Karnaugh map)을 사용하여 다음과 같이 구한다.indicated in the truth table

is the value calculated during the actual cryptographic operation.

silver

It is calculated as a mask value of and stored separately. That is, the mask value

cast

It should be calculated only to avoid secret key leakage. Accordingly

In order to express in a new logical expression, a Karnaugh map is used to obtain as follows.

[Equation 3]

와

의 노출이 없게 되는 장점이 있다.Intermediate result values when calculating mask values like this

and

has the advantage of not being exposed to

에 새로운 랜덤 수

를 XOR한

를 만들 수도 있는데 이 경우 실제 연산도

가 아닌

로 하면 동일한 마스킹 효과를 가진다.Furthermore, if it is necessary to design the number of 0s and 1s to balance the mask result value,

a new random number in

XORed

, in which case the actual operation is also

not

, it has the same masking effect.

을 XOR할 때

은 기존 마스크된 값(

,

)이나 마스크 값(

,

)를 조합하여 대체할 수도 있는데

의 0과 1의 개수가 동일하도록

을 선택해야 한다. 예를 들어,

,

와 같은 방식이다.random number

when XORing

is the existing masked value (

,

) or mask value (

,

) can be replaced by a combination of

so that the number of 0's and 1's in

should choose for example,

,

the same way as

7 is a diagram illustrating a mask application technique for linear operations.

과

이 계산되고, 계산된 c_m 및 M_XOR은 별도로 저장되어 PIPO 암호화 과정의 다음 연산까지 유지하여 적용된다.For the linear operation XOR

class

is calculated, and the calculated c _m and M _XOR are separately stored and applied until the next operation of the PIPO encryption process.

8 is a diagram illustrating a mask application technique for nonlinear operation.

과 수학식 2가 계산되고, 계산된 c_m 및 M_AND은 별도로 저장되어 PIPO 암호화 과정의 다음 연산까지 유지하여 적용된다.For the nonlinear operation AND,

and Equation 2 are calculated, and the calculated c _m and M _AND are separately stored and applied until the next operation of the PIPO encryption process.

과 수학식 2이 계산되고, 계산된 c_m 및 M_OR은 별도로 저장되어 PIPO 암호화 과정의 다음 연산까지 유지하여 적용된다.Also for the nonlinear operation OR

and Equation 2 are calculated, and the calculated c _m and M _OR are stored separately and maintained until the next operation of the PIPO encryption process.

As described above, in the PIPO encryption algorithm masking method of the present invention, even when performing an encryption operation after applying XOR masking to the input plaintext in the PIPO encryption, the mask value is stored, and the masking must be removed after encryption to can block an attack. In addition, since the mask value applied to the intermediate ciphertext is not fixed and changes during the operation process, it is necessary to recalculate the mask value and maintain it until the next operation in the encryption process.

The mask value calculation method of the present invention can be used where non-linear Boolean operations are used, including PIPO cryptography.

100: conventional PIPO cryptographic implementation system
200: PIPO encryption implementation system applying the masking technique of the present invention

Claims (8)

A method in which a PIPO cryptographic algorithm masking system performs masking of a PIPO cryptographic algorithm corresponding to a side-channel attack, comprising:
(a) receiving plain text input;
(b) applying a mask value to the plain text;
(c) taking the masked median value and the mask value as inputs, performing a binary logic operation between the masked median values, and calculating and outputting a new mask value; and,
(d) separately storing a result value obtained by performing a binary logic operation between intermediate values to which the mask is applied and the new mask value, and applying them to the next operation in the encryption process.
A PIPO cryptographic algorithm masking method corresponding to a side-channel attack comprising a. The method of claim 1,
Application of the mask value,
Using the XOR (exclusive OR) operation
PIPO cryptographic algorithm masking method for responding to side-channel attacks characterized by. The method of claim 1,
The binary logic operation of step (c) is,
Any one of AND operation, OR operation and XOR operation
PIPO cryptographic algorithm masking method for responding to side-channel attacks characterized by. The method of claim 1,
The formula for calculating the new mask value is,
Generating using Karnaugh maps
PIPO cryptographic algorithm masking method for responding to side-channel attacks characterized by. The method of claim 1,
XOR operation of the new mask value and a new random number;
By performing an XOR operation on the same random number for a value obtained by performing a binary logic operation between intermediate values to which a mask is applied,
Making the number of 0's and 1's in the mask value the same
PIPO cryptographic algorithm masking method for responding to side-channel attacks characterized by. The method of claim 1,
After step (d),
(e) removing the final mask after completing all operations of the encryption process
A PIPO encryption algorithm masking method corresponding to a side-channel attack, characterized in that it further comprises. A computer program for performing masking of a PIPO cryptographic algorithm corresponding to a side-channel attack,
It is stored in a non-transitory storage medium, and by the processor,
(a) receiving plain text input;
(b) applying a mask value to the plain text;
(c) taking the masked median value and the mask value as inputs, performing a binary logic operation between the masked median values, and calculating and outputting a new mask value; and,
(d) separately storing a result value obtained by performing a binary logic operation between intermediate values to which the mask is applied and the new mask value, and applying them to the next operation in the encryption process.
A computer program for performing a masking PIPO cryptographic algorithm corresponding to a side-channel attack comprising instructions for causing the to be executed. A system for performing PIPO cryptographic algorithm masking against side-channel attacks,
at least one processor; and
including at least one memory for storing computer-executable instructions;
The computer-executable instructions stored in the at least one memory are, by the at least one processor,
(a) receiving plain text input;
(b) applying a mask value to the plain text;
(c) taking the masked median value and the mask value as inputs, performing a binary logic operation between the masked median values, and calculating and outputting a new mask value; and,
(d) separately storing a result value obtained by performing a binary logic operation between intermediate values to which the mask is applied and the new mask value, and applying them to the next operation in the encryption process.
A system for performing PIPO cryptographic algorithm masking against side-channel attacks that cause

Images