CN102571331A - Cryptographic algorithm realization protecting method used for defending energy analysis attacks - Google Patents

Cryptographic algorithm realization protecting method used for defending energy analysis attacks

Info

Publication number
CN102571331A
Authority
CN
China
Prior art keywords
bit
data
box
encode
value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2012100268567A
Other languages
Chinese (zh)
Inventor
韩阳
周永彬
刘继业
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method for protecting cryptographic algorithm implementations against power analysis attacks, in the field of information technology security. The method protects the intermediate values of a cryptographic algorithm by adding suitable encoding and decoding steps to its execution. First, before the algorithm starts, all data taking part in the computation, including the plaintext, the key and any initial vector, is encoded; then, while the algorithm runs, the encoded data and the corresponding encoded operations are used to carry out the cryptographic computation step by step and complete encryption or decryption; at the end of the algorithm, the encoded result is decoded to obtain the algorithm's normal output. The method only encodes the intermediate values of the cryptographic algorithm so that they do not leak information; it changes neither the input nor the output of the algorithm, so the result stays correct. At the same time it achieves higher security than masking countermeasures at a lower performance cost.

Description

Method for protecting cryptographic algorithm implementations against power analysis attacks

Technical field

The invention relates to a method for protecting cryptographic algorithm implementations, and in particular to a method for protecting cryptographic algorithm implementations against power analysis attacks; it belongs to the field of information technology security.

Background

Power analysis is a relatively new cryptanalytic method. A power analysis attack recovers the key by exploiting the correlation between the power a cryptographic device consumes while performing a cryptographic operation and the operations it executes or the data it processes. Such attacks are cheap to mount and highly effective, and they already pose a serious practical threat to the security of embedded cryptographic devices such as smart cards and RFID tags. Lightweight block ciphers are a class of block ciphers widely used in resource-constrained environments. Their defining feature is a comparatively short block length and key length, which makes them more vulnerable to power analysis attacks.

A block cipher divides the plaintext message sequence into blocks of length n, and each block is transformed, under the control of the key, into an output sequence of the same length. Block ciphers are widely used in fields such as electronic payment, pay TV and electronic passports. In these fields, block ciphers are mostly implemented on embedded cryptographic devices such as smart cards and RFID tags, which have strict limits on computing power and storage and are generally referred to as resource-constrained environments. A lightweight block cipher differs from other, non-lightweight block ciphers in its relatively small block length and relatively short key length, so its encryption and decryption require little storage and computing power. Lightweight block ciphers are therefore a class of block ciphers particularly suited to resource-constrained environments.

In recent years, side-channel attacks have attracted wide attention from industry and academia as a new kind of cryptanalysis and have developed rapidly. Traditional cryptanalysis treats the cipher implementation as a black box and uses only its inputs and outputs; the distinctive feature of side-channel attacks is that they consider not only the inputs and outputs but also the physical information the implementation leaks while computing, such as timing, power consumption or electromagnetic radiation, and use it to assist the attack.

A power analysis attack is a side-channel attack that uses the power consumption of a cryptographic device at run time to recover the key. Since Kocher et al. proposed Differential Power Analysis in 1998, many effective power analysis methods have followed, including template attacks, Correlation Power Analysis (CPA), stochastic-model attacks, Mutual Information Analysis and Variance Power Analysis. These attacks are a serious threat to the real-world security of embedded cryptographic devices.

Given the enormous threat that power analysis poses to smart cards, RFID tags and other embedded cryptographic devices, academia and industry have proposed many countermeasures against it. Software countermeasures have the advantages of a short design cycle and low deployment cost, because the embedded device itself need not be redesigned. They generally either use an encoding (or secret-sharing) technique to represent the intermediate values exposed to power analysis by values that are statistically uncorrelated with them (masking), or randomly perturb the execution flow of the cipher while keeping the computation correct. Both approaches effectively reduce the correlation between power consumption and the targeted intermediate value and thereby defend against power analysis.

Lightweight block ciphers have short keys, and their host devices (smart cards, RFID tags and the like) often lack strong access-control mechanisms, so they are especially exposed to power analysis and need particular protection. Existing countermeasures are poorly suited to lightweight block ciphers. For example, masking requires substantial time and memory overhead, which is unrealistic in resource-constrained environments, while the more efficient hardware countermeasures, such as Dual-rail Precharge Logic, are costly to design and deploy and hard to apply.

Summary of the invention

In view of the above requirements and difficulties, the purpose of the invention is to provide a method for protecting cryptographic algorithm implementations against power analysis attacks: a low-cost, high-performance, high-security solution suited to lightweight block ciphers that improves their physical security under power analysis. It should be noted that the method is not limited to lightweight block ciphers; it is equally valid for other, non-lightweight block ciphers, but it fits lightweight block ciphers best.

Power analysis attacks recover the key through the correlation between an intermediate value of the algorithm and the corresponding power consumption. The attacker guesses the device's key and, from known plaintexts or ciphertexts, computes the hypothetical intermediate value; the hypothesis is then tested statistically against the recorded power consumption to verify the key guess. Once the correlation between the intermediate value and the device's power consumption is broken, the attacker can no longer exploit it to recover the key. The main idea of the method is to break the statistical correlation between the algorithm's intermediate values and the device's power consumption, so that the power consumed for different intermediate values is essentially equal and the attacker cannot use it to recover the device's key.

The technical scheme of the invention is as follows:

A method for protecting a cryptographic algorithm implementation against power analysis attacks, comprising the steps of:

1) Bit-balanced encoding of the input values of the cryptographic algorithm to be protected: each data bit of value 0 in the input data stream is encoded as the bit pair 01, and each data bit of value 1 as the bit pair 10;

2) Performing the cryptographic operations on the bit-balanced encoded data, the cryptographic algorithm being an n-bit block cipher, where:

a) For a bitwise XOR in the cryptographic computation, Encode(A_n) is first XORed with the bit string (01)_1 ... (01)_n, and the result is then XORed with Encode(B_n); here Encode(A_n) is the bit-balanced encoding of the n-bit data A, and Encode(B_n) is the bit-balanced encoding of the n-bit data B;

b) For a bit permutation in the cryptographic computation, the two encoded bits 2i, 2i+1 are exchanged with the two encoded bits 2j, 2j+1, where i and j are the positions of the bits that would be exchanged before encoding;

c) For a bit rotation in the cryptographic computation, the bit-balanced encoded data is rotated by 2m bits, where m is the number of bit positions the rotation would use before encoding;

3) Decoding the output value of step 2): the output bits are taken in order in groups of two, and the first bit of each group is taken as the output value.

The method according to claim 1, wherein the sequence of cipher rounds to be protected is M and the input value is an intermediate value of the Nth round of the cryptographic algorithm.

A method for protecting a cryptographic algorithm implementation against power analysis attacks, comprising the steps of:

1) Bit-balanced encoding of the input values of the cryptographic algorithm to be protected: each data bit of value 0 in the input data stream is encoded as the bit pair 10, and each data bit of value 1 as the bit pair 01;

2) Performing the cryptographic operations on the bit-balanced encoded data, the cryptographic algorithm being an n-bit block cipher, where:

a) For a bitwise XOR in the cryptographic computation, Encode(A_n) is first XORed with the bit string (10)_1 ... (10)_n, and the result is then XORed with Encode(B_n); here Encode(A_n) is the bit-balanced encoding of the n-bit data A, and Encode(B_n) is the bit-balanced encoding of the n-bit data B;

b) For a bit permutation in the cryptographic computation, the two encoded bits 2i, 2i+1 are exchanged with the two encoded bits 2j, 2j+1, where i and j are the positions of the bits that would be exchanged before encoding;

c) For a bit rotation in the cryptographic computation, the bit-balanced encoded data is rotated by 2m bits, where m is the number of bit positions the rotation would use before encoding;

3) Decoding the output value of step 2): the output bits are taken in order in groups of two, and the second bit of each group is taken as the output value.

Further, the sequence of cipher rounds to be protected is M, and the input value is an intermediate value of the Nth round of the cryptographic algorithm.

Further, for an S-box substitution in the cryptographic computation, if the data entering the S-box is bit-balanced encoded, the S-box lookup table is first transformed into a new table S′ such that S′[Encode(A_n)] = Encode(S[A_n]); the output of the S-box substitution is then obtained by looking up the input data in S′. Here Encode denotes bit-balanced encoding, S[A_n] denotes the output of the S-box substitution with A_n as input, and A_n denotes n-bit unencoded data.

Further, if the data entering the S-box is unencoded, a new lookup table S″ is first computed such that S″[A_n] = Encode(S[A_n]), and the S-box lookup is then performed with S″.

Further, the data A and B may be of any bit length.

The method protects the intermediate values of a cryptographic algorithm by adding suitable encoding and decoding steps to its execution. First, before the algorithm starts, all data taking part in the computation, including the plaintext, the key and any initial vector, is encoded. Then, while the algorithm runs, the encoded data and the corresponding encoded operations are used to carry out the computation step by step and complete encryption or decryption. At the end of the algorithm, the encoded result is decoded to obtain the algorithm's normal output. The method only encodes the intermediate values so that they do not leak information; it changes neither the input nor the output of the algorithm, so the result remains correct. The encoding used in this method is bit-balanced encoding.

Bit-balanced encoding

Bit-balanced encoding encodes the intermediate values of the algorithm so that all distinct intermediate values have the same Hamming weight. Concretely, each bit of an intermediate value is encoded with two complementary bits: bit 1 is encoded as the two bits 10 and bit 0 as the two bits 01. Table 1 gives the encoding of a single bit. Let V denote an n-bit intermediate value, V[i] the i-th bit of V, V′ the encoded intermediate value and V′[j] the j-th bit of the encoded value. The encoding rule and the change in Hamming weight are as follows:

$$V = V[0] \,\|\, V[1] \,\|\, V[2] \,\|\, \cdots \,\|\, V[n-2] \,\|\, V[n-1]$$

$$V' = V[0] \,\|\, \tilde{V}[0] \,\|\, V[1] \,\|\, \tilde{V}[1] \,\|\, V[2] \,\|\, \tilde{V}[2] \,\|\, \cdots \,\|\, V[n-2] \,\|\, \tilde{V}[n-2] \,\|\, V[n-1] \,\|\, \tilde{V}[n-1]$$

$$HW(V) = V[0] + V[1] + V[2] + \cdots + V[n-2] + V[n-1]$$

$$HW(V') = V[0] + \tilde{V}[0] + V[1] + \tilde{V}[1] + V[2] + \tilde{V}[2] + \cdots + V[n-2] + \tilde{V}[n-2] + V[n-1] + \tilde{V}[n-1]$$

(Here $\tilde{V}[i]$ denotes the complement of $V[i]$.)

In the formulas above, $V[i] + \tilde{V}[i] = 1$ for every i, so the Hamming weight of V′ depends only on the bit length of V. Any unencoded intermediate value V of bit length n has Hamming weight exactly n after encoding; in particular, if V is 4 bits long, every encoded intermediate value V′ has Hamming weight 4. Bit-balanced encoding therefore makes a cryptographic device whose leakage depends on the Hamming weight of intermediate values consume almost the same power for every intermediate value, so that the attacker cannot exploit the device's power leakage.

Table 1 Bit-balanced encoding table

  Original | Encoded
  ---------+--------
  0        | 01
  1        | 10

Bit-balanced encoding is highly applicable to lightweight block ciphers. The typical application scenario of a lightweight block cipher is a resource-constrained embedded cryptographic device, and most such devices use 8-bit microprocessors. At the same time, lightweight block ciphers make heavy use of 4-bit operations, such as 4-bit permutations and 4-bit S-box substitutions, while an 8-bit microprocessor transfers and computes data in 8-bit units, leaving 4 bits unused. The greatest advantage of bit-balanced encoding is that it uses those 4 idle bits to obtain a large security gain at a small computational cost.

Bit-balanced encoding also applies to non-lightweight block ciphers. For example, for AES implemented on a 16-bit processor, bit-balanced encoding likewise provides strong protection without an excessive performance penalty.

Protection of the basic operations

Bit-balanced encoding can protect the input and output intermediate values of the different operations in a cryptographic algorithm, such as bitwise XOR, bit permutation, S-box substitution and bit rotation.

√ Bitwise XOR

In a bitwise XOR, XORing two encoded inputs directly does not give data that obeys the encoding rule; the result must be XORed once more with a constant to obtain the correctly encoded output.

√ Bit permutation

In a bit permutation, unencoded data is permuted one bit at a time; encoded data must be permuted two bits at a time so that the result is again correctly encoded data.

√ S-box substitution

S-box substitution is usually implemented with a lookup table, so protecting it with bit-balanced encoding requires changing the table. Depending on whether the S-box input is encoded, there are two ways to build the new lookup table. If the input of the S-box substitution is unencoded, it suffices to encode the entries of the table. If the input is encoded, i.e. its bit length has doubled, the table grows: the number of entries in the new table is the square of the number of entries in the unencoded table. In both cases the output is encoded data.

√ Bit rotation

Bit rotation includes rotation to the left and rotation to the right; the two differ only in direction, which has no effect on the encoding. Rotation to the left is therefore used as the example to outline how bit-balanced encoding protects bit rotation. The most basic rotate-left operation rotates by one bit: the leftmost bit is moved to the end of the bit string and the remaining bits are shifted left by one. For encoded data, the two leftmost bits are moved to the end of the bit string and the other bits are shifted left by two.
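The following C example is added here to make the claimed steps 1) to 3) and the four protected operations above concrete; it is not code from the patent or its authors. It packs one 4-bit value into one byte using the Table 1 encoding (0 → 01, 1 → 10), implements the XOR fix-up with (01)^n, the pairwise permutation, the 2m-bit rotation and both S-box tables S′ and S″, and checks every operation against its unprotected form over all inputs, including that every codeword has Hamming weight 4. The 4-bit S-box, the sample state nibble 0x9 and round-key nibble 0x3 are constructed for illustration and are not LBlock's.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit-balanced encoding of a 4-bit value into one byte: data bit v[i] becomes the
 * complementary pair (v[i], ~v[i]) at bit positions (2i+1, 2i), so 0 -> 01 and
 * 1 -> 10 as in Table 1. Every valid codeword therefore has Hamming weight 4. */
#define BAL_ONES 0x55u   /* the constant (01)(01)(01)(01) that repairs an XOR */

uint8_t bal_encode(uint8_t nibble)
{
    uint8_t out = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t b = (nibble >> i) & 1u;
        out |= (uint8_t)(b << (2 * i + 1));       /* v[i]  */
        out |= (uint8_t)((b ^ 1u) << (2 * i));    /* ~v[i] */
    }
    return out;
}

/* Decode by taking the first (high) bit of each pair. Returns -1 when any pair
 * is 00 or 11, i.e. the "abnormal data" the implementation section mentions. */
int bal_decode(uint8_t enc)
{
    if (((enc ^ (enc >> 1)) & BAL_ONES) != BAL_ONES)
        return -1;
    int v = 0;
    for (int i = 0; i < 4; i++)
        v |= ((enc >> (2 * i + 1)) & 1) << i;
    return v;
}

/* Step 2a: Encode(A) ^ (01)^n ^ Encode(B) == Encode(A ^ B). */
uint8_t bal_xor(uint8_t ea, uint8_t eb)
{
    return (uint8_t)((ea ^ BAL_ONES) ^ eb);
}

/* Step 2b: exchanging data bits i and j exchanges codeword pairs i and j. */
uint8_t bal_swap_pairs(uint8_t enc, int i, int j)
{
    uint8_t pa = (enc >> (2 * i)) & 3u;
    uint8_t pb = (enc >> (2 * j)) & 3u;
    enc &= (uint8_t)~((3u << (2 * i)) | (3u << (2 * j)));
    return (uint8_t)(enc | (pa << (2 * j)) | (pb << (2 * i)));
}

/* Step 2c: rotating the data left by m bits == rotating the codeword left by 2m. */
uint8_t bal_rotl(uint8_t enc, int m)
{
    int s = (2 * m) & 7;
    return (uint8_t)((enc << s) | (enc >> (8 - s)));
}

/* A constructed 4-bit S-box used only for illustration (not LBlock's S-box). */
static const uint8_t SBOX[16] = { 0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
                                  0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7 };
static uint8_t SBOX_ENC_IN[256];  /* S'[Encode(a)] = Encode(S[a]): encoded input  */
static uint8_t SBOX_RAW_IN[16];   /* S''[a] = Encode(S[a]): unencoded input       */

void bal_build_sboxes(void)
{
    /* Indices that are not codewords get 0x00, which bal_decode rejects. */
    for (int idx = 0; idx < 256; idx++) SBOX_ENC_IN[idx] = 0x00;
    for (int a = 0; a < 16; a++) {
        SBOX_ENC_IN[bal_encode((uint8_t)a)] = bal_encode(SBOX[a]);
        SBOX_RAW_IN[a] = bal_encode(SBOX[a]);
    }
}

static int hamming_weight(uint8_t x) { int c = 0; for (; x; x >>= 1) c += x & 1; return c; }

/* Exhaustively checks each protected operation against its unprotected form and
 * that every codeword has Hamming weight 4. Returns 1 on success, 0 on failure. */
int bal_selftest(void)
{
    bal_build_sboxes();
    for (int a = 0; a < 16; a++) {
        uint8_t ea = bal_encode((uint8_t)a);
        if (hamming_weight(ea) != 4 || bal_decode(ea) != a) return 0;
        if (bal_decode(SBOX_ENC_IN[ea]) != SBOX[a]) return 0;
        if (bal_decode(SBOX_RAW_IN[a]) != SBOX[a]) return 0;
        for (int b = 0; b < 16; b++)
            if (bal_decode(bal_xor(ea, bal_encode((uint8_t)b))) != (a ^ b)) return 0;
        for (int m = 0; m < 4; m++)
            if (bal_decode(bal_rotl(ea, m)) != (((a << m) | (a >> (4 - m))) & 0xF)) return 0;
        for (int i = 0; i < 4; i++)
            for (int j = 0; j < 4; j++) {
                int bi = (a >> i) & 1, bj = (a >> j) & 1;
                int p = (a & ~((1 << i) | (1 << j))) | (bi << j) | (bj << i);
                if (bal_decode(bal_swap_pairs(ea, i, j)) != p) return 0;
            }
    }
    return 1;
}

int main(void)
{
    bal_build_sboxes();
    /* Constructed sample values: one nibble of state and one round-key nibble. */
    uint8_t t = bal_xor(bal_encode(0x9), bal_encode(0x3)); /* key addition    */
    t = SBOX_ENC_IN[t];                                     /* S-box via S'    */
    t = bal_swap_pairs(t, 0, 3);                            /* bit permutation */
    t = bal_rotl(t, 1);                                     /* rotate left 1   */
    printf("codeword 0x%02X decodes to 0x%X; self-test %s\n",
           t, bal_decode(t), bal_selftest() ? "passed" : "FAILED");
    return 0;
}
```

Every codeword in this layout carries exactly four set bits, so a Hamming-weight leakage model sees the same value for all sixteen nibbles; bal_decode returning -1 is where an implementation would detect the abnormal (non-codeword) data discussed in the detailed description.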

Compared with the prior art, the technical effect of the invention is as follows:

LBlock is a lightweight block cipher proposed in 2011. Its block length is 64 bits and its key length 80 bits; it uses a Feistel structure, and its S-boxes have 4-bit inputs and outputs. This algorithm is used below as the example for describing the protective effect of bit-balanced encoding on a lightweight block cipher.

Since the method relies mainly on bit-balanced encoding, an implementation protected by it is referred to below as the bit-balanced encoded implementation. Masking is a typical, effective defence against power analysis, so comparing the method with masking reflects its effect objectively. The three curves in Figure 5 show the success rates of first-order and second-order CPA attacks against the masked implementation and against the bit-balanced encoded implementation. The figure shows clearly that the CPA attack succeeds more often against the masked implementation than against the bit-balanced encoded implementation. This demonstrates two points:

- The bit-balanced encoded implementation gives the CPA attack the lowest success rate, which stays at about 0.065; this is exactly the probability of guessing a 4-bit round-key nibble correctly at random. In other words, with bit-balanced encoding, attacking the implementation to obtain the key succeeds about as often as guessing the key at random.

- Against the bit-balanced encoded implementation, the success rate of the second-order attack is essentially the same as that of the first-order attack. A first-order CPA attack uses the leakage at one point in time, while a second-order CPA attack uses the leakage at two different points in time, yet both achieve essentially the same success rate. This shows that attacking the bit-balanced encoded implementation with two points in time is almost no more effective than with one. In other words, the bit-balanced encoded implementation has a certain resistance to second-order attacks.

In summary, the bit-balanced encoded implementation strongly protects the physical security of lightweight block ciphers under power analysis attacks, and achieves higher security than both the unprotected and the masked implementation.

Table 2 Time and space consumption

(Table 2 is provided only as an image on the source page; its values are not reproduced here.)

(Note: the percentages in parentheses give the increase in that item relative to the unprotected implementation.)

Figure 5 shows the security improvement brought by bit-balanced encoding; Table 2 and Figure 6 are now used to analyse its impact on performance (program running time and space requirements). Table 2 compares the storage space of the three implementations and the time each takes to encrypt (excluding the key schedule, which takes the same time in all three). Figure 6 compares the bit-balanced encoded implementation and the masked implementation with the unprotected implementation in three respects: execution time, memory and code size (ROM).

Table 2 and Figure 6 show that bit-balanced encoding adds less storage than the masked implementation and also less execution time.

Combining the comparisons of security and performance above, bit-balanced encoding achieves higher security than masking at a lower performance cost.

Description of the drawings

Figure 1: bit-balanced encoding applied to bitwise XOR;

Figure 2: bit-balanced encoding applied to bit permutation;

Figure 3: bit-balanced encoding applied to S-box substitution;

Figure 4: bit-balanced encoding applied to bit rotation;

Figure 5: success rate of CPA attacks against the two protected implementations;

Figure 6: comparison of the bit-balanced encoded implementation and the masked implementation;

(a) memory consumption, (b) execution time, (c) code size.

具体实施方式 Detailed ways

在本防御方法的具体应用中,有可能会遇到异常的数据,即不符合编码规则的数据,这种情况成为异常情况。与其对应的是正常情况。针对正常情况和异常情况分别介绍被防御方法的具体实施方式。In the specific application of this defense method, abnormal data may be encountered, that is, data that does not conform to the coding rules, and this situation becomes an abnormal situation. It corresponds to the normal situation. The specific implementation of the defended method is introduced for the normal situation and the abnormal situation respectively.

Normal situation

This countermeasure protects the intermediate values of the cryptographic algorithm; depending on the security requirement, all or only part of the intermediate values of the computation are protected. For example, under a lower security requirement only the intermediate values of the first several and the last several rounds need be protected, leaving the remaining intermediate values unprotected; under a higher security requirement the intermediate values of every round can be protected. The method encodes the input data before the algorithm runs and then performs the computation following the steps of the cryptographic algorithm. Note that, while following those steps, the corresponding original operations must be replaced by the operations on encoded data proposed in the previous section. An encoded intermediate value can be decoded when needed; computations on the decoded intermediate value must then use the original operations rather than their encoded-data counterparts, until the data is encoded again or output. When only the first and the last n rounds of the algorithm are protected, decoding takes place after round n ends. The decoding rule is: group the output bits in pairs in order; if bit 0 is encoded as 01 and bit 1 as 10, take the former bit of each pair as the output bit; if bit 0 is encoded as 10 and bit 1 as 01, take the latter bit of each pair. The ordinary cryptographic computation then continues, and the data is re-encoded at the n-th round from the end so that the last n rounds are again protected by this method. If the intermediate values of every round are protected, a single decoding operation after all cryptographic computations yields the algorithm's output. The protection of specific operations by this method is described below. Unless the implementation of an operation is explicitly stated to be for one particular encoding (0 encoded as 01, or 0 encoded as 10), the description applies to both encodings.

Bit-balanced encoding protects an operation by encoding each bit of the operation's input and output with two complementary bits, so that the input and the output have the same, constant Hamming weight and the information leaked by the operation is reduced as far as possible. For some operations (such as S-box substitution), for performance reasons, unencoded original data may be used as the operation's input. Bit XOR, bit permutation, S-box substitution and cyclic shift are basic operations widely used in lightweight block ciphers (such as PRESENT and LBlock); the implementation of bit-balanced encoding for these four basic operations is described below.

Bit XOR operation

Figure 1 shows the application of bit-balanced encoding to the bit XOR operation. For unencoded intermediate values, the bit XOR simply XORs the bits at corresponding positions. Table 3 gives the truth table of the single-bit XOR, and Table 4 the XOR on encoded values. A_n and B_n denote n-bit intermediate values.

Table 3 XOR operation truth table

[Table 3 image not captured in this extraction: truth table of the single-bit XOR operation]

Table 4 Bit-balanced encoding truth table

[Table 4 image not captured in this extraction: truth table of the XOR on bit-balance encoded values]

In Table 4, Encode(x) denotes the bit-balanced encoding of the intermediate value x. Table 4 shows that XORing two encoded intermediate values directly (fifth row of Table 4) yields four illegal code values, "illegal" meaning the four values that have no meaning under this encoding. The encoding represents each bit of the original intermediate value by two complementary bits, whereas both bits of every value in the fourth row are identical; hence the bit XOR cannot be applied directly to encoded data. The sixth row of Table 4 shows the correctly encoded data that the XOR should produce. Observe that the XOR of each wrong result with the correct result equals 01. In other words, the encoding of the XOR of two 1-bit unencoded intermediate values, Encode(A_1 ⊕ B_1), and the XOR of the two 2-bit encoded intermediate values, Encode(A_1) ⊕ Encode(B_1), satisfy the following relation, where C_2 is the two-bit constant 01b (the trailing b marks a binary string):

Encode(A_1 ⊕ B_1) = Encode(A_1) ⊕ (Encode(B_1) ⊕ C_2).

For arbitrary n-bit intermediate values A_n and B_n the following relation holds:

Encode(A_n ⊕ B_n) = Encode(A_n) ⊕ (Encode(B_n) ⊕ C_2n)

where C_2n is a 2n-bit constant. Note that one of the two values A, B should normally be XORed with the constant first and the result then XORed with the other value, so that the XOR of A and B itself is never exposed. When Encode(0b) = 01b, i.e. bit 0 is encoded as 01, C_2n = (01)_1 || (01)_2 || (01)_3 || ... || (01)_(n-1) || (01)_n, where || denotes concatenation of two bit strings and (01)_i the i-th group of bits 01. In other words, C_2n is 01 repeated n times, a constant bit string of 2n bits. For example, for 4-bit unencoded intermediate values, the bit XOR of the two encoded 8-bit intermediate values is computed first; the result is then XORed once more with the constant C_8, where C_8 equals 0x55 (01010101b), giving the correctly encoded XOR result:

Encode(A_4 ⊕ B_4) = Encode(A_4) ⊕ Encode(B_4) ⊕ 0x55.

In a cryptographic computation the XOR of A_n and B_n is usually secret, so Encode(B_n) is normally XORed with the constant first and the result is then XORed with Encode(A_n); this prevents the intermediate XOR of the two encoded values from leaking the XOR of A_n and B_n when it is XORed with the constant.

The above applies to encoding 0 as 01 and 1 as 10. In practice, 0 may instead be encoded as 10 and 1 as 01 as required. In that case the formula for computing Encode(A_n ⊕ B_n) is still

Encode(A_n ⊕ B_n) = Encode(A_n) ⊕ (Encode(B_n) ⊕ C_2n),

but the constant C_2n is the 2n-bit string obtained by concatenating 10 n times.
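The encoding, the legality check, the decoding rule and the balanced XOR with the constant C_2n, as an added worked example in C. This is illustrative code written for this page, not the patent's or the inventors' implementation; it assumes a layout in which the pair for bit i occupies bits 2i+1 and 2i of the code word (the "former" bit of the pair being the higher one), and all function and type names are my own. It handles both encodings (0 as 01, or 0 as 10) and makes explicit that C_2n is simply Encode(0).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Which complementary pair stands for bit 0: 01 (then 1 -> 10) or 10 (then 1 -> 01). */
typedef enum { ZERO_IS_01, ZERO_IS_10 } bbc_variant;

/* Encode an n-bit value (n <= 16) as 2n bits. The pair for bit i sits at bits (2i+1, 2i);
   the higher bit of the pair is the "former" bit in the text's notation (assumed layout). */
static uint32_t bbc_encode(uint16_t x, unsigned n, bbc_variant v) {
    uint32_t out = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned bit = (x >> i) & 1u;
        unsigned pair = (v == ZERO_IS_01) ? (bit ? 2u : 1u) : (bit ? 1u : 2u);
        out |= (uint32_t)pair << (2 * i);
    }
    return out;
}

/* A code word is legal only if every pair is 01 or 10; 00 and 11 mark the abnormal state. */
static bool bbc_is_valid(uint32_t e, unsigned n) {
    for (unsigned i = 0; i < n; i++) {
        unsigned pair = (e >> (2 * i)) & 3u;
        if (pair == 0u || pair == 3u) return false;
    }
    return true;
}

/* Decode as the text describes: the former bit of each pair under 0 -> 01,
   the latter bit under 0 -> 10. Returns -1 for an illegal code word. */
static int bbc_decode(uint32_t e, unsigned n, bbc_variant v) {
    if (!bbc_is_valid(e, n)) return -1;
    uint16_t x = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned pair = (e >> (2 * i)) & 3u;
        unsigned bit = (v == ZERO_IS_01) ? ((pair >> 1) & 1u) : (pair & 1u);
        x |= (uint16_t)(bit << i);
    }
    return x;
}

/* Hamming weight of a code word; for every legal word it equals n regardless of the value. */
static unsigned bbc_weight(uint32_t e) {
    unsigned w = 0;
    for (; e; e >>= 1) w += e & 1u;
    return w;
}

/* The correction constant C_2n = (01)^n or (10)^n. It is exactly Encode(0): XORing two
   code words destroys the pair structure, and XORing Encode(0) restores it. */
static uint32_t bbc_constant(unsigned n, bbc_variant v) {
    return bbc_encode(0, n, v);
}

/* Naive XOR of two code words: every pair becomes 00 or 11, so the result is never legal
   (this is what the text observes in Table 4), and its weight is 2 * HW(A ^ B). */
static uint32_t bbc_xor_naive(uint32_t ea, uint32_t eb) {
    return ea ^ eb;
}

/* Balanced XOR: Encode(A ^ B) = Encode(A) ^ (Encode(B) ^ C_2n). The constant is folded into
   Encode(B) first so that Encode(A) ^ Encode(B) never exists as an intermediate. The volatile
   temporary discourages the compiler from reassociating; check the generated code to be sure. */
static uint32_t bbc_xor(uint32_t ea, uint32_t eb, unsigned n, bbc_variant v) {
    volatile uint32_t masked_b = eb ^ bbc_constant(n, v);
    return ea ^ masked_b;
}

int main(void) {
    /* Reproduce the 1-bit truth tables (Tables 3 and 4) under the 0 -> 01 encoding. */
    puts("A B | A^B | Enc(A) Enc(B) | Enc(A)^Enc(B) | Enc(A)^(Enc(B)^C2)");
    for (unsigned a = 0; a < 2; a++)
        for (unsigned b = 0; b < 2; b++) {
            uint32_t ea = bbc_encode((uint16_t)a, 1, ZERO_IS_01);
            uint32_t eb = bbc_encode((uint16_t)b, 1, ZERO_IS_01);
            uint32_t bad = bbc_xor_naive(ea, eb), good = bbc_xor(ea, eb, 1, ZERO_IS_01);
            printf("%u %u |  %u  |   %u%u     %u%u   |   %u%u (%s)   |   %u%u\n", a, b, a ^ b,
                   ea >> 1, ea & 1u, eb >> 1, eb & 1u, bad >> 1, bad & 1u,
                   bbc_is_valid(bad, 1) ? "legal" : "illegal", good >> 1, good & 1u);
        }
    /* The 4-bit case from the text: Encode(A4 ^ B4) = Encode(A4) ^ Encode(B4) ^ 0x55. */
    uint32_t ea = bbc_encode(0x3, 4, ZERO_IS_01), eb = bbc_encode(0x5, 4, ZERO_IS_01);
    printf("Enc(0x3)=0x%02X Enc(0x5)=0x%02X naive=0x%02X (illegal) balanced=0x%02X -> 0x%X\n",
           ea, eb, bbc_xor_naive(ea, eb), bbc_xor(ea, eb, 4, ZERO_IS_01),
           (unsigned)bbc_decode(bbc_xor(ea, eb, 4, ZERO_IS_01), 4, ZERO_IS_01));
    return 0;
}
```

For the constructed operands A_4 = 0x3 and B_4 = 0x5 the block computes Encode(0x3) = 0x5A and Encode(0x5) = 0x66; their naive XOR 0x3C has pairs 00/11 only and is rejected by bbc_is_valid, while bbc_xor returns 0x69 = Encode(0x6). Real implementations must also confirm, on the target compiler and at the chosen optimisation level, that the constant-first ordering survives code generation; the volatile temporary is a hint, not a guarantee.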

Bit permutation

Figure 2 shows the application of bit-balanced encoding to bit permutation. For an unencoded intermediate value, the bit permutation rearranges the n-bit value in units of 1 bit. After encoding, the bit length of the intermediate value doubles to 2n bits, so the permutation becomes one in units of 2 bits: where the unencoded n-bit data has bit i and bit j exchanged, the encoded data has the two bits 2i, 2i+1 exchanged with the two bits 2j, 2j+1.

S-box substitution operation

Figure 3 shows the application of bit-balanced encoding to the S-box substitution operation. To protect the S-box substitution with bit-balanced encoding, the S-box lookup table is first transformed into a new lookup table S′ such that S′[A_n] = Encode(S[A_n]) (i.e. only the S-box output is encoded), or S′[Encode(A_n)] = Encode(S[A_n]) (i.e. both the S-box input and output are encoded). Here Encode denotes the bit-balanced encoding of data, and S[A_n] denotes the output of the S-box substitution with A_n as input, whose encoded form is 2n bits long. In other words, the output of the encoded S-box S′ for the intermediate value A_n is the encoding of the original S-box output. Depending on whether the input to the S-box lookup table is encoded, two different treatments are used. For an n-bit S-box, if the input of the operation is encoded, i.e. the input of the lookup table grows from n to 2n bits, the size of the lookup table grows correspondingly from 2^n to 2^2n entries. Of the 2^2n possible inputs of the encoded lookup table only 2^n follow the encoding rule, and only the 2^n outputs corresponding to these 2^n inputs are correct; the other 2^2n - 2^n entries are meaningless illegal data. This treatment guarantees that both the input and the output of the S-box substitution have constant Hamming weight, but it enlarges the storage of each S-box lookup table by a factor of 2^n, which may be unaffordable in resource-constrained environments. In the other implementation the input of the S-box substitution is not encoded and only the output is encoded; the lookup table then occupies the same storage as the unprotected one. The two treatments differ only in whether the input is encoded; in both, the output is an encoded 2n-bit intermediate value.

These two approaches correspond to different security requirements and application scenarios. When the operating environment of the cryptographic device is relatively secure or hardware resources are scarce, the more space-saving implementation may be used; conversely, higher security requires sufficient hardware resources to implement the S-box substitution with encoded input. Which implementation to use therefore depends on the security of the operating environment, the security requirement placed on the implementation, and the resources of the device in use; usually a trade-off between security and implementation cost has to be made.

Bit cyclic shift operation

Figure 4 shows the application of bit-balanced encoding to the bit cyclic shift. A cyclic shift changes the order of the bits of an intermediate value but not the number of 0 bits and 1 bits. For an unencoded intermediate value the shift amount is a multiple of 1 bit; since bit-balanced encoding maps one bit to two bits, a cyclic shift of an encoded intermediate value moves a multiple of 2 bits each time. The following formulas describe the cyclic shift without and with the bit-balanced encoding countermeasure.

- Cyclic shift operation without bit-balanced encoding

V_n <<< m = V[m] || V[m+1] || ... || V[L-1] || V[0] || ... || V[m-1]

- Cyclic shift operation with bit-balanced encoding

V_2n <<< 2m = V[m] || V~[m] || V[m+1] || V~[m+1] || ... || V[L-1] || V~[L-1] || V[0] || V~[0] || ... || V[m-1] || V~[m-1]

where V_2n = Encode(V_n). Comparing the two implementations shows that the encoded cyclic shift output is obtained simply by doubling the shift amount: an m-bit cyclic shift of an n-bit unencoded intermediate value becomes a 2m-bit cyclic shift of the encoded 2n-bit intermediate value, with 0 < m < n and m, n natural numbers.
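The permutation, S-box and cyclic-shift sections above, as one added worked example in C that is not the patent's or the inventors' code. It assumes the 0 -> 01 encoding with the pair for bit i at bits 2i+1 and 2i of the code word, uses the PRESENT S-box as a sample 4-bit table, a constructed 8-bit permutation SAMPLE_PERM, and, as its own design choice, fills the entries of the encoded-input table that no legal code word reaches with 0x00 (itself an illegal word) so that a faulty input yields a detectably illegal output. All function names are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Encoding fixed for this example: bit 0 -> 01, bit 1 -> 10; pair for bit i at bits (2i+1, 2i). */
static uint32_t bbc_encode(uint16_t x, unsigned n) {
    uint32_t out = 0;
    for (unsigned i = 0; i < n; i++)
        out |= (uint32_t)(((x >> i) & 1u) ? 2u : 1u) << (2 * i);
    return out;
}

/* Decode by taking the former (higher) bit of each pair; -1 if any pair is 00 or 11. */
static int bbc_decode(uint32_t e, unsigned n) {
    uint16_t x = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned pair = (e >> (2 * i)) & 3u;
        if (pair == 0u || pair == 3u) return -1;     /* abnormal situation: stop and report */
        x |= (uint16_t)(((pair >> 1) & 1u) << i);
    }
    return x;
}

/* PRESENT 4-bit S-box, used only as a sample table; any bijective 4-bit table works the same way. */
static const uint8_t SBOX[16] = {0xC,0x5,0x6,0xB,0x9,0x0,0xA,0xD,0x3,0xE,0xF,0x8,0x4,0x7,0x1,0x2};

/* Plain-input variant: S'[A] = Encode(S[A]), 16 entries, same size as the unprotected table. */
static void build_sbox_plain_in(uint8_t table[16]) {
    for (unsigned a = 0; a < 16; a++) table[a] = (uint8_t)bbc_encode((uint16_t)SBOX[a], 4);
}

/* Encoded-input variant: S'[Encode(A)] = Encode(S[A]), 2^8 entries of which only 2^4 are reachable.
   Unreachable entries are set to 0x00 (illegal) so a corrupted input cannot look like a valid output. */
static void build_sbox_encoded_in(uint8_t table[256]) {
    for (unsigned idx = 0; idx < 256; idx++) table[idx] = 0x00;
    for (unsigned a = 0; a < 16; a++)
        table[bbc_encode((uint16_t)a, 4)] = (uint8_t)bbc_encode((uint16_t)SBOX[a], 4);
}

static uint8_t sbox_plain_in_lookup(uint8_t a) {
    static uint8_t table[16]; static bool built = false;
    if (!built) { build_sbox_plain_in(table); built = true; }
    return table[a & 0xFu];
}

static uint8_t sbox_encoded_in_lookup(uint8_t encoded_a) {
    static uint8_t table[256]; static bool built = false;
    if (!built) { build_sbox_encoded_in(table); built = true; }
    return table[encoded_a];
}

/* Bit permutation: bit i of the n-bit input moves to position p[i]. */
static uint16_t permute_plain(uint16_t x, const uint8_t *p, unsigned n) {
    uint16_t y = 0;
    for (unsigned i = 0; i < n; i++) y |= (uint16_t)(((x >> i) & 1u) << p[i]);
    return y;
}

/* Same permutation on encoded data: the pair at (2i+1, 2i) moves to (2p[i]+1, 2p[i]). */
static uint32_t permute_encoded(uint32_t e, const uint8_t *p, unsigned n) {
    uint32_t y = 0;
    for (unsigned i = 0; i < n; i++) y |= ((e >> (2 * i)) & 3u) << (2 * p[i]);
    return y;
}

/* Left rotation by m of an n-bit value (0 < m < n, n <= 16). */
static uint16_t rotl_plain(uint16_t x, unsigned m, unsigned n) {
    uint32_t mask = (1u << n) - 1u;
    return (uint16_t)(((x << m) | (x >> (n - m))) & mask);
}

/* The encoded counterpart: rotate the 2n-bit code word by 2m. */
static uint32_t rotl_encoded(uint32_t e, unsigned m, unsigned n) {
    uint32_t mask = (n == 16) ? 0xFFFFFFFFu : (1u << (2 * n)) - 1u;
    return ((e << (2 * m)) | (e >> (2 * n - 2 * m))) & mask;
}

/* Constructed sample permutation on 8 bits (interleaves the two nibbles). */
static const uint8_t SAMPLE_PERM[8] = {0, 4, 1, 5, 2, 6, 3, 7};

int main(void) {
    uint16_t x = 0xB4;                    /* constructed sample state */
    uint32_t e = bbc_encode(x, 8);
    printf("x=0x%02X Encode(x)=0x%04X\n", x, e);
    printf("permute: plain 0x%02X, encoded 0x%04X decodes to %d\n", permute_plain(x, SAMPLE_PERM, 8),
           permute_encoded(e, SAMPLE_PERM, 8), bbc_decode(permute_encoded(e, SAMPLE_PERM, 8), 8));
    printf("rotl 3:  plain 0x%02X, encoded rotl 6 = 0x%04X decodes to %d\n", rotl_plain(x, 3, 8),
           rotl_encoded(e, 3, 8), bbc_decode(rotl_encoded(e, 3, 8), 8));
    printf("S'[0x3]=0x%02X  S'[Encode(0x3)=0x%02X]=0x%02X  S'[0x3C]=0x%02X decodes to %d\n",
           sbox_plain_in_lookup(0x3), bbc_encode(0x3, 4), sbox_encoded_in_lookup((uint8_t)bbc_encode(0x3, 4)),
           sbox_encoded_in_lookup(0x3C), bbc_decode(sbox_encoded_in_lookup(0x3C), 4));
    return 0;
}
```

Each encoded operation is checked against its plain counterpart by decoding the result: a correct encoded permutation or rotation decodes to exactly what the plain operation produces. The illegal lookup index 0x3C (the naive XOR result from the previous section) returns 0x00, which bbc_decode rejects, which is the behaviour the "abnormal situation" section below calls for.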

Abnormal situation

In bit-balanced encoding one bit is represented by two complementary bits; when two identical bits, such as 00 or 11, appear as the representation of a bit, the data is treated as an illegal code word. This very likely means that the cryptographic device has been disturbed or attacked, causing an error in its internal computation that produced the illegal code; the device is then in an abnormal state. Therefore, if an illegal code is encountered during the cryptographic computation, the computation should be stopped immediately and the corresponding error reported, so that the device never outputs an erroneous result.

Claims (10)

1. A cryptographic algorithm implementation protection method for defending against energy analysis attacks, comprising the steps of:
1) bit-balance encoding the input value of the cryptographic algorithm to be protected: a data bit with value 0 in the input data stream is encoded as the bits 01, and a data bit with value 1 as the bits 10;
2) performing the cryptographic operation with the bit-balance encoded data, the cryptographic algorithm being an n-bit block cipher, wherein:
A) for a bit XOR operation in the cryptographic operation, Encode(A_n) is first XORed with the bit string (01)_1 ... (01)_n, and the resulting XOR value is then XORed with Encode(B_n); Encode(A_n) is the value of the n-bit data A after bit-balance encoding, and Encode(B_n) the value of the n-bit data B after bit-balance encoding;
B) for a bit permutation operation in the cryptographic operation, the two bits 2i, 2i+1 of the bit-balance encoded data are exchanged with the two bits 2j, 2j+1, where i and j are the i-th and j-th bits that are exchanged before encoding;
C) for a bit cyclic shift operation in the cryptographic operation, the bit-balance encoded data is cyclically shifted by 2m bits, where m is the number of bits of the cyclic shift performed before encoding;
3) decoding the output value of the operation of step 2): the bits of the output are grouped in pairs in order, and the value of the former bit of each pair is taken as the output value.
2. The method of claim 1, wherein the sequence of cryptographic rounds to be protected is M, and said input value is the intermediate value of round N of the cryptographic operation.
3. The method of claim 1 or 2, wherein, for the S-box substitution in the cryptographic operation, if the data input to the S-box is bit-balance encoded, the S-box lookup table is first transformed to generate a new S-box lookup table S′ such that S′[Encode(A_n)] = Encode(S[A_n]), and the output of the S-box substitution is then obtained by looking up S′ with the input data; where Encode denotes the bit-balance encoding of data, S[A_n] denotes the output of the S-box substitution with A_n as input, and A_n denotes the n-bit unencoded data.
4. The method of claim 1 or 2, wherein, if the data input to the S-box is not encoded, a new S-box lookup table S″ is first computed such that S″[A_n] = Encode(S[A_n]), and the S-box table lookup is then performed according to S″.
5. The method of claim 1, wherein said data A and B may be of any bit length.
6. A cryptographic algorithm implementation protection method for defending against energy analysis attacks, comprising the steps of:
1) bit-balance encoding the input value of the cryptographic algorithm to be protected: a data bit with value 0 in the input data stream is encoded as the bits 10, and a data bit with value 1 as the bits 01;
2) performing the cryptographic operation with the bit-balance encoded data, the cryptographic algorithm being an n-bit block cipher, wherein:
A) for a bit XOR operation in the cryptographic operation, Encode(A_n) is first XORed with the bit string (10)_1 ... (10)_n, and the resulting XOR value is then XORed with Encode(B_n); Encode(A_n) is the value of the n-bit data A after bit-balance encoding, and Encode(B_n) the value of the n-bit data B after bit-balance encoding;
B) for a bit permutation operation in the cryptographic operation, the two bits 2i, 2i+1 of the encoded data are exchanged with the two bits 2j, 2j+1, where i and j are the i-th and j-th bits that are exchanged before encoding;
C) for a bit cyclic shift operation in the cryptographic operation, the bit-balance encoded data is cyclically shifted by 2m bits, where m is the number of bits of the cyclic shift performed before encoding;
3) decoding the output value of the operation of step 2): the bits of the output are grouped in pairs in order, and the value of the latter bit of each pair is taken as the output value.
7. The method of claim 6, wherein the sequence of cryptographic rounds to be protected is M, and said input value is the intermediate value of round N of the cryptographic operation.
8. The method of claim 6 or 7, wherein, for the S-box substitution in the cryptographic operation, if the data input to the S-box is bit-balance encoded, the S-box lookup table is first transformed to generate a new S-box lookup table S′ such that S′[Encode(A_n)] = Encode(S[A_n]), and the output of the S-box substitution is then obtained by looking up S′ with the input data; where Encode denotes the bit-balance encoding of data, S[A_n] denotes the output of the S-box substitution with A_n as input, and A_n denotes the n-bit unencoded data.
9. The method of claim 6 or 7, wherein, if the data input to the S-box is not encoded, a new S-box lookup table S″ is first computed such that S″[A_n] = Encode(S[A_n]), and the S-box table lookup is then performed according to S″.
10. The method of claim 6, wherein said data A and B may be of any bit length.
CN2012100268567A 2012-02-07 2012-02-07 Cryptographic algorithm realization protecting method used for defending energy analysis attacks Pending CN102571331A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012100268567A CN102571331A (en) 2012-02-07 2012-02-07 Cryptographic algorithm realization protecting method used for defending energy analysis attacks


Publications (1)

Publication Number Publication Date
CN102571331A true CN102571331A (en) 2012-07-11

Family

ID=46415874


Country Status (1)

Country Link
CN (1) CN102571331A (en)



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120711