CN101866401A - Method for resisting side channel attacks by evolutive S boxes - Google Patents


Info

Publication number: CN101866401A
Authority: CN (China)
Legal status: Granted; Expired - Fee Related
Application number: CN201010181237A
Other languages: Chinese (zh)
Other versions: CN101866401B (en)
Inventors: 唐明, 伍前红, 高思, 窦青, 沈菲, 李渡
Original and current assignee: Wuhan University WHU
Priority date and filing date: 2010-05-17
Publication date: 2010-10-20 (CN101866401A); granted as CN101866401B, published 2012-06-27

Abstract

The invention relates to the technical field of cryptographic security applications, in particular to a method for resisting side-channel attacks with evolutionary S-boxes. The method comprises the following steps: a random number generator produces a random number; according to the value of the random number, it is decided which of a constant-multiplication transformation component, an add-1 transformation component and an inversion transformation component the content of a buffer is sent into; after the transformation the result is written back into the buffer; at the next beat the content is again sent into the constant-multiplication, add-1 or inversion transformation component and, at the same time, into an arbiter that judges whether the cryptographic indexes of the box are qualified; if the box is qualified the counter is cleared to zero, and if the box is not qualified the counter is incremented by 1; and if the value of the counter reaches a threshold, the content of the buffer is reset to the identity permutation. By changing the S-box at a suitable frequency, the invention finally makes the complexity required for an attack reach or exceed the exhaustive-search level, and the effect of evolutionary S-boxes and dynamic S-boxes against side-channel attacks such as standard DPA is significant.

Description

Method for resisting side-channel attacks with evolutionary S-boxes
Technical field
The present invention relates to the technical field of cryptographic security applications, and in particular to a method for resisting side-channel attacks with evolutionary S-boxes.
Background technology
Cryptography is the core of information security, and how to design secure cryptographic application systems is the focus of cryptographic research. Cryptographic algorithms are divided into symmetric and asymmetric cryptography, and symmetric cryptography is further divided into stream ciphers, block ciphers and hash algorithms. The S-box plays an important security role in the design of symmetric primitives such as stream ciphers, block ciphers and hash functions, being their main or only nonlinear component. Applying a dynamic S-box design method to resist a series of side-channel attacks such as DPA raises the attack complexity exponentially; as a result, with a suitable change frequency, the complexity finally required for an attack reaches or exceeds the exhaustive-search level, and immunity is achieved.
Side-channel attacks comprise a series of attack methods such as TA, DFA, DPA and SPA; their main cause is the gap between a security mechanism and its implementation.
DPA (Differential Power Analysis) is the differential power consumption attack. Most modern cryptographic devices are built from semiconductor logic gates, more precisely from transistors. When a logic gate charges and discharges, electrons flow through the silicon substrate, consuming energy (power) and producing electromagnetic radiation. With suitable statistical functions these effects can still be used to attack a cryptographic system. Power attacks have a wide scope, are easy to carry out at low cost and need no manual intervention, which makes them hard to detect. They need no specific information about the chip implementation; they are not merely theoretical and are not limited to smart cards (nearly 50 different products have been attacked successfully).
DFA (Differential Fault Analysis) is the abbreviation for differential fault attack or differential fault analysis: a faulty result is compared with the correct one in order to recover the hidden key. The microprocessor in a smart card must work at a stable voltage, and an interruption of the power supply looks like an unexpected interruption of the running program or a circuit reset. A short and cleverly placed pulse, however, can cause a single-step program error while the microprocessor continues to execute the program.
Side-channel attacks are more practical, more covert and faster than other attack patterns. In cryptographic applications, and particularly in hardware implementations of cryptographic algorithms, the effect of side-channel attacks is especially obvious; since they were proposed they have posed a serious threat to the security of many cryptographic systems. At present, many security applications and major evaluation standards have had to add side-channel countermeasures. Domestic related products are currently few, and such attacks are especially effective in fields such as smart cards. Once attack equipment flows into the domestic market, the consequences will be very serious.
Summary of the invention
In view of the above technical problems, the purpose of this invention is to provide a method for resisting side-channel attacks with evolutionary S-boxes, so as to counter the security risks that side-channel attacks bring to cryptographic systems.
To achieve the above purpose, the present invention adopts the following technical scheme:
A random number generator is used to produce a random number;
According to the value of the random number, it is decided which of the constant-multiplication transformation component, the add-1 transformation component and the inversion transformation component the content of the buffer is sent into;
After the above transformation, the result is sent into the buffer;
At the next beat the content is sent into the constant-multiplication transformation component, the add-1 transformation component or the inversion transformation component, and at the same time into the arbiter to judge whether the indexes of the box are qualified;
If the box is qualified, the counter is reset to zero; if the box is not qualified, the counter is incremented by 1; if the value of the counter reaches a certain threshold, the content of the buffer is reset to the identity permutation.
The present invention has the following advantages and beneficial effects:
1) Using a dynamic S-box design against a series of side-channel attacks such as DPA multiplies the attack complexity;
2) With a suitable change frequency, the complexity finally required for an attack reaches or exceeds the exhaustive-search level, that is, immunity to the attack is achieved;
3) The effect of evolutionary S-boxes and dynamic S-boxes against side-channel attacks such as standard DPA is very obvious.
Description of drawings
Fig. 1 is the overall structure diagram of the S-box rapid evolution algorithm proposed by the present invention.
Fig. 2 is the flow diagram of the method for resisting side-channel attacks with evolutionary S-boxes proposed by the present invention.
Fig. 3 is a schematic structure diagram of the use in AES of the method for resisting side-channel attacks with evolutionary S-boxes proposed by the present invention.
Embodiment
The invention is further described below with reference to the accompanying drawings and a specific embodiment:
The method for resisting side-channel attacks with evolutionary S-boxes proposed by the present invention adopts the following technical scheme, as shown in Fig. 1:
Fig. 1 is the overall structure diagram of the S-box rapid evolution algorithm. Part 11 is the random source, which generates the random numbers 0, 1 and 2; part 12 is the constant-multiplication transformation, the constant being a primitive element of the corresponding field; part 13 is the add-1 transformation; part 14 is the inversion transformation; part 15 is the arbiter, which computes the cryptographic indexes of the box and accepts or rejects the box according to a preset threshold; part 16 is the buffer, which caches the generated S-box and is also the initialization part.
Fig. 2 is the flow diagram of the method for resisting side-channel attacks with evolutionary S-boxes proposed by the present invention; the specific steps are as follows:
Step 1: part 11 produces a random number, and according to its value it is decided which of parts 12, 13 and 14 the content of buffer part 16 is sent into.
Step 2: according to the value of the random number, the content of the buffer is sent into the multiplication transformation component, the addition transformation component or the inversion transformation component, and the result is then sent into buffer part 16.
Step 3: at the next beat the content is sent into transformation component 12, 13 or 14 and, at the same time, into part 15, which computes the cryptographic properties and judges whether the indexes of the box are qualified. If the box is qualified, the counter is reset to zero; if the box is not qualified, the counter is incremented by 1; if the value of the counter reaches a certain threshold, the content of the buffer is reset to the identity permutation.
An S-box has many cryptographic properties, and these properties describe, from different levels and different angles, the ability of the S-box to resist various cryptographic attacks. Specifically, these properties include orthogonality, nonlinearity, autocorrelation, algebraic degree, number of algebraic expression terms, differential uniformity and robustness.
1. Orthogonality:
This property describes the distribution of the S-box output and is also called the balancedness or equiprobability property. The S-boxes in SP-type cipher network structures must be orthogonal, otherwise the S-box used in decryption is not unique. Usually, when the S-box satisfies n ≥ m, an S-box with strong cryptographic properties must be orthogonal; otherwise, under uniformly random input, some output vectors of the S-box appear more frequently, and a cryptanalyst can use this imbalance to attack a cipher system based on the S-box. Obviously this definition is only meaningful when n ≥ m, so for the S-boxes of CAST-type cryptographic algorithms orthogonality is undefined.
2. Nonlinearity:
The nonlinearity of an S-box characterizes its resistance to linear attacks. It is defined from the nonlinearity of Boolean functions, and the nonlinearity of a Boolean function is related to its cyclic Walsh spectrum.
The nonlinearity of an $n \times m$ ($n$-bit input, $m$-bit output) S-box $F = (f_1, f_2, \dots, f_m)$ is:
$$NL(S_{n \times m}) = \min\{\, NL(\beta \cdot F) \mid \beta \neq 0,\ \beta \in GF(2)^n \,\} = 2^{n-1} - 2^{-1} \max_i \max_x \lvert W(g_i)(x) \rvert$$
The value range of this property is $0 \sim 2^{n-1} - 2^{[n/2]-1}$ ($[\cdot]$ denotes rounding); the larger the value, the stronger the resistance of the S-box to linear attacks. For orthogonal S-boxes, however, the maximum cannot be reached: a Boolean function with nonlinearity $2^{n-1} - 2^{[n/2]-1}$ is unbalanced, so an S-box composed of such functions is certainly not orthogonal. Hence the nonlinearity of an orthogonal S-box is strictly less than $2^{n-1} - 2^{[n/2]-1}$, and for $n \geq 2$ it is an even number.
3. Autocorrelation:
The autocorrelation of an S-box is again a feature described through its Boolean functions, and is mainly used to characterize resistance to differential attacks.
The autocorrelation of the $S_{n \times m}$ box $F = (f_1, f_2, \dots, f_m)$ is:
$$C(S_{n \times m}) = \max_i \max_{x,\ x \neq 0} \lvert C_{g_i}(x) \rvert$$
where $g_i = a_i \cdot (f_1, f_2, \dots, f_m)$ and $a_i = (a_1, a_2, \dots, a_m)$, whose components are 0-1 variables not all equal to 0; $f_1, f_2, \dots, f_m$ are the $m$ Boolean functions corresponding to the S-box, and $\lvert \cdot \rvert$ denotes absolute value. The value range of this quantity is $0 \sim 2^n$; the smaller the value, the stronger the resistance of the S-box to differential attacks.
4. Algebraic degree:
The algebraic degree characterizes one aspect of the S-box's resistance to linear attacks. The cryptographic properties of the S-box above are all computed from the truth tables of Boolean functions; to compute the algebraic degree, the algebraic normal form of the Boolean function must be used instead.
5. Number of algebraic expression terms:
The number of terms of the algebraic expression of an S-box mainly characterizes its resistance to interpolation attacks. The algebraic degree defined above is the minimum of the algebraic degrees of the Boolean functions in the S-box, whereas the algebraic expression here means the expression of the input/output relation of the S-box as a whole, called the algebraic expression of the S-box. Usually this expression is obtained by Lagrange interpolation, and that method requires the input size to equal the output size; the definition here is therefore only meaningful for permutation boxes.
6. Differential uniformity:
The differential uniformity of an S-box is an important cryptographic property, used to characterize resistance to differential attacks.
The differential uniformity of the $S_{n \times m}$ box $F(x) = (f_1(x), \dots, f_m(x))$ is defined as:
[equation given only as image GSA00000129208100041 in the original]
The value range of this property is $2^{n-m} \sim 2^n$ ($n \geq m$); the smaller the value, the stronger the resistance of the S-box to differential attacks.
7. Robustness:
The robustness of an S-box characterizes its resistance to higher-order differential attacks.
Given the differential distribution matrix $A(F) = (\lambda_n)$ of the $S_{n \times m}$ box and its differential uniformity $\delta(F)$, write
[equation given only as image GSA00000129208100042 in the original]
and
[equation given only as image GSA00000129208100043 in the original]
Then
[equation given only as image GSA00000129208100044 in the original]
is called the robustness of the $S_{n \times m}$ box.
The main cryptographic properties are summarized in a table in the original (given only as image GSA00000129208100045, not reproduced here).
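As an added illustration, not code from the patent (the page contains none), the following Python models Steps 1 to 3 of the evolution flow over GF(2^8), with an arbiter that scores the buffer by the nonlinearity and differential uniformity defined above. Assumptions: the AES reduction polynomial with primitive element 0x03 stands in for the patent's unspecified field constant, the add-1 transformation is read as field addition (XOR with 1), and the qualification and reset thresholds are constructed values.

```python
import random

# Constructed parameters (assumptions, not from the patent): GF(2^8) with the AES
# reduction polynomial x^8+x^4+x^3+x+1 (0x11B) and primitive element 0x03.
N = 8
SIZE, MODULUS, PRIMITIVE = 1 << N, 0x11B, 0x03

def gf_mul(a, b):  # carry-less multiply of two field elements, reduced modulo MODULUS
    r = 0
    while b:
        if b & 1: r ^= a
        a = (a << 1) ^ (MODULUS if a & (SIZE >> 1) else 0)
        b >>= 1
    return r

def gf_inv(a):  # a^(2^n-2); 0 maps to 0 as in AES, so inversion stays a permutation
    r, e = 1, SIZE - 2
    while e:
        if e & 1: r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

# Parts 12, 13, 14, each applied entry-wise to the table; "add 1" taken as XOR with 1 (assumption)
TRANSFORMS = [
    lambda s: [gf_mul(v, PRIMITIVE) for v in s],  # constant multiplication by a primitive element
    lambda s: [v ^ 1 for v in s],                 # add 1
    lambda s: [gf_inv(v) for v in s],             # inversion
]

def walsh_max(f):  # max |W_f(x)| of a 0/1 truth table, via the fast Walsh-Hadamard transform
    w = [1 - 2 * b for b in f]
    h = 1
    while h < SIZE:
        for i in range(0, SIZE, 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return max(abs(t) for t in w)

def nonlinearity(sbox):  # NL = 2^(n-1) - max_{beta!=0, x} |W(beta.F)(x)| / 2, the formula above
    worst = 0
    for beta in range(1, SIZE):
        f = [bin(beta & v).count("1") & 1 for v in sbox]  # component function beta.F(x)
        worst = max(worst, walsh_max(f))
    return SIZE // 2 - worst // 2

def differential_uniformity(sbox):  # max over a != 0 and b of #{x : F(x) ^ F(x ^ a) == b}
    worst = 0
    for a in range(1, SIZE):
        counts = [0] * SIZE
        for x in range(SIZE):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

def evolve(rounds, nl_min, du_max, reset_threshold, seed):
    """Steps 1-3: buffer (part 16) starts as the identity; each beat a random transform is applied and
    the arbiter (part 15) scores it; qualified clears the counter, else counter+1 and reset at threshold."""
    rng = random.Random(seed)  # part 11; seeded only so that a run is reproducible
    buf, counter, qualified = list(range(SIZE)), 0, []
    for _ in range(rounds):
        buf = TRANSFORMS[rng.randrange(3)](buf)
        if nonlinearity(buf) >= nl_min and differential_uniformity(buf) <= du_max:
            counter = 0
            qualified.append(list(buf))
        else:
            counter += 1
            if counter >= reset_threshold:
                buf, counter = list(range(SIZE)), 0
    return qualified, buf
```

Starting from the identity, the multiplication and add-1 steps alone leave the table affine (nonlinearity 0) and are rejected; only after an inversion step does the box reach nonlinearity 112 and differential uniformity 4, which is why the arbiter and the counter-driven reset are needed.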
Fig. 3 is the structure diagram of one round of the AES encryption method. It comprises four parts, Addroundkey, Sbox, Shiftrow and Mixcolumn, and four registers. Input, output and key are 128 bits.
Addroundkey is the round-key addition transformation;
Sbox (the S-box transformation) is the only nonlinear transformation of AES and is the key to the security of AES. The original AES uses 16 identical Sboxes; in the present invention, dynamically generated Sboxes replace the Sbox of the original AES;
Shiftrow (row shift) cyclically shifts the rows of the state; the row-shift transformation is a permutation, essentially a rearrangement of the data;
The Mixcolumn (column mixing) transformation treats each column of the state as a polynomial a(x) over GF(2^8), multiplies it by a fixed polynomial c(x) and reduces modulo x^4+1.
The working process is as follows: the dynamically generated Sbox replaces the Sbox in the original AES; in a specific implementation the hardware design circuit can be updated either online or offline, and both modes are currently supported by chip developers.
The above example serves to explain the present invention rather than to limit it; any modification or change made to the invention within the spirit of the invention and the scope of the claims falls within the protection scope of the present invention.

Claims (1)

1. A method for resisting side-channel attacks with evolutionary S-boxes, characterized in that it comprises the following steps:
A random number generator is used to produce a random number;
According to the value of the random number, it is decided which of the constant-multiplication transformation component, the add-1 transformation component and the inversion transformation component the content of the buffer is sent into;
After the above transformation, the result is sent into the buffer;
At the next beat the content is sent into the constant-multiplication transformation component, the add-1 transformation component or the inversion transformation component, and at the same time into the arbiter to judge whether the indexes of the box are qualified;
If the box is qualified, the counter is reset to zero; if the box is not qualified, the counter is incremented by 1; if the value of the counter reaches a certain threshold, the content of the buffer is reset to the identity permutation.

Priority Applications (1)

Application number CN2010101812376A, priority date 2010-05-17, filing date 2010-05-17: Method for resisting side channel attacks by evolutive S boxes (granted as CN101866401B, en).


Publications (2)

CN101866401A (en), published 2010-10-20
CN101866401B (en), published 2012-06-27

Family ID: 42958123


Country status (1): CN, CN101866401B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
CN103324467A * (priority 2013-05-28, published 2013-09-25, 戴葵): Side-channel attack resisting processor architecture based on random instruction delay
CN103324467B * (priority 2013-05-28, published 2015-09-16, 戴葵): A kind of anti-bypass attack processor architecture postponed based on stochastic instruction
CN106462701A * (priority 2014-06-12, published 2017-02-22, 密码研究公司): Performing cryptographic data processing operations in a manner resistant to external monitoring attacks
US10897344B2 (priority 2014-06-12, published 2021-01-19, Cryptography Research, Inc.): Performing cryptographic data processing operations in a manner resistant to external monitoring attacks
US11757617B2 (priority 2014-06-12, published 2023-09-12, Cryptography Research, Inc.): Performing cryptographic data processing operations in a manner resistant to external monitoring attacks
CN106383691A * (priority 2016-09-18, published 2017-02-08, 北京智芯微电子科技有限公司): Random number generation method and random number generator
CN107979457A * (priority 2016-10-25, published 2018-05-01, 航天信息股份有限公司): A kind of processing system, the method and device of side channel signal
CN107204841A * (priority 2017-03-14, published 2017-09-26, 中国人民武装警察部队工程大学): A kind of method that many S boxes of the block cipher for resisting differential power attack are realized
CN107204841B * (priority 2017-03-14, published 2020-01-07, 中国人民武装警察部队工程大学): Method for realizing multiple S boxes of block cipher for resisting differential power attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
《计算机工程》 (Computer Engineering), 2008-08-31, 王念平, "一类S盒的设计研究" (A design study of a class of S-boxes), Vol. 34, No. 15, p. 2 *


Also published as: CN101866401B (en), 2012-06-27


Legal Events

C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C14: Grant of patent or utility model
GR01: Patent grant (granted publication date: 20120627)
CF01: Termination of patent right due to non-payment of annual fee