CN102571331A - Cryptographic algorithm realization protecting method used for defending energy analysis attacks - Google Patents
Cryptographic algorithm realization protecting method used for defending energy analysis attacks
- Publication number: CN102571331A (application CN201210026856A)
- Authority: CN (China)
- Prior art keywords: bit, data, box, encode, crypto
- Legal status: Pending (the status shown by Google is an assumption, not a legal conclusion)
Abstract
The invention discloses a method for protecting cryptographic algorithm implementations against power analysis attacks, in the field of information security. The method protects the intermediate values of a cryptographic algorithm by adding suitable encoding and decoding steps to its execution. First, before the algorithm runs, all data taking part in the computation, including the plaintext, the key and any initialisation vector, is encoded. Then, while the algorithm runs, the cryptographic computation is carried out on the encoded data with the corresponding operations, following the steps of the cryptographic algorithm, to complete encryption or decryption. Finally, after the algorithm has finished, the encoded result is decoded to obtain the algorithm's normal output. The method encodes only the intermediate values of the algorithm, which guarantees that they leak no information; it does not change the algorithm's input or output, so the result is guaranteed correct; and it achieves higher security than the masking countermeasure at a lower performance cost.
Description
Technical field
The present invention relates to a method for protecting cryptographic algorithm implementations, and in particular to a method for protecting cryptographic algorithm implementations against power analysis attacks; it belongs to the field of information security.
Background technology
Power analysis attacks are an emerging class of cryptanalysis. They exploit the correlation between the power consumption of a cryptographic device while it performs a cryptographic operation and the operation performed or the data processed, in order to break the cipher. They are cheap to mount and highly effective, and they pose a serious practical threat to the security of embedded cryptographic devices such as smart cards and RFID tags. Lightweight block ciphers are a class of block ciphers used very widely in resource-constrained environments. Their defining characteristic is a relatively short block length and key length, which makes them more susceptible to power analysis attacks.
A block cipher divides the plaintext message sequence into groups of length n and transforms each group, under the control of the key, into an output sequence of the same length. Block ciphers are widely used in fields such as electronic payment, pay TV and electronic passports. In these fields they are mostly implemented on embedded cryptographic devices such as smart cards and RFID tags, which are strictly limited in computing power and memory; such settings are generally called resource-constrained environments. Lightweight block ciphers differ from other, non-lightweight block ciphers in having a relatively small block length and a relatively short key length, so their encryption and decryption demand less memory and computing power. Lightweight block ciphers are thus the class of block ciphers particularly suited to resource-constrained environments.
In recent years, side-channel attacks have drawn wide attention in industry and academia as a new cryptanalytic method and have developed rapidly. Classical cryptanalysis treats a cipher implementation as a black box and uses only its inputs and outputs to break the cipher. The distinguishing feature of side-channel attacks is that they use not only the inputs and outputs of the implementation, but also the physical information leaked while the cryptographic computation runs, such as timing, power consumption or electromagnetic radiation, to assist the attack.
A power analysis attack is a side-channel attack that recovers the key from the power consumption of the cryptographic device while it runs. Since Kocher et al. proposed differential power analysis (DPA) in 1998, a large number of effective power analysis attacks have been proposed, including template attacks, correlation power analysis (CPA), stochastic-model attacks, mutual information analysis and variance power analysis. These attacks pose a serious threat to the physical security of embedded cryptographic devices.
Given the serious danger that power analysis attacks pose to embedded cryptographic devices such as smart cards and RFID tags, academia and industry have proposed a large number of countermeasures against them. Software countermeasures do not require the embedded device itself to be redesigned, so they have a short design cycle and a low deployment cost. Software countermeasures generally use coding techniques (or secret-sharing techniques) to represent the intermediate values exposed to power analysis as values that are statistically uncorrelated with them (masking), or they randomise the execution flow of the cryptographic algorithm while guaranteeing that the computation stays correct. Both approaches effectively reduce the correlation between the power consumption and the target intermediate value, and thus defend against power analysis attacks.
Lightweight block ciphers have short keys, and their host embedded devices (smart cards, RFID tags and the like) often lack high-grade access control mechanisms; they are therefore easy targets for power analysis attacks and must be given special protection. Existing countermeasures are poorly applicable to lightweight block ciphers. For example, masking requires a considerable time and memory overhead, which is impractical in resource-constrained environments. More efficient hardware countermeasures, such as dual-rail precharge logic, have high design and deployment costs and are difficult to apply.
Summary of the invention
In view of the above technical needs and difficulties, the object of the invention is to provide a method for protecting cryptographic algorithm implementations against power analysis attacks. The invention is a low-cost, high-performance, high-security solution suited to lightweight block ciphers, and it improves their physical security under power analysis attacks. Note that the method is not restricted to lightweight block ciphers: it is equally effective for other, non-lightweight block ciphers, but it is particularly well suited to lightweight ones.
Power analysis attacks recover the key by exploiting the correlation between an intermediate value of the algorithm and the corresponding power consumption. The attacker guesses the key of the device and computes a hypothesised intermediate value from the known plaintext or ciphertext. Statistical methods are then used to compare the hypothesised intermediate value with the power consumption the attacker has observed and recorded, in order to test whether the key guess is correct. Once the correlation between the intermediate value and the device's power consumption is broken, the attacker can no longer use it to recover the key. The main idea of this method is precisely to break the statistical correlation between the algorithm's intermediate values and the device's power consumption, so that different intermediate values cause essentially the same power consumption and the attacker cannot exploit the correlation to recover the device's key.
The technical scheme of the invention is as follows:
A method for protecting a cryptographic algorithm implementation against power analysis attacks, comprising the steps of:
1) applying bit-balanced encoding to the input value of the cryptographic algorithm to be protected: a data bit with value 0 in the input data stream is encoded as the bit pair 01, and a data bit with value 1 is encoded as the bit pair 10;
2) performing the cryptographic computation on the bit-balanced encoded data, the cryptographic algorithm being an n-bit block cipher; in which:
A) for a bit XOR operation in the cryptographic computation, Encode(A_n) is first XORed with the bit string (01)_1(01)_2...(01)_n, and the XOR value obtained is then XORed with Encode(B_n); Encode(A_n) is the value of the n-bit data A after bit-balanced encoding, and Encode(B_n) is the value of the n-bit data B after bit-balanced encoding;
B) for a bit permutation operation in the cryptographic computation, the two bits 2i, 2i+1 and the two bits 2j, 2j+1 of the bit-balanced encoded data are swapped, where i and j are the positions of the i-th and j-th bits that would be swapped before encoding;
C) for a bit cyclic-shift operation in the cryptographic computation, the bit-balanced encoded data is cyclically shifted by 2m bits, where m is the number of bit positions of the cyclic shift performed before encoding;
3) decoding the output value of the computation of step 2), namely grouping the output bits in order into pairs and taking the first bit of each pair as the output value.
The method of claim 1, characterised in that, if the round of the cryptographic computation to be protected is numbered M, the said input value is the intermediate value of the cryptographic computation in round N of the cryptographic algorithm.
A method for protecting a cryptographic algorithm implementation against power analysis attacks, comprising the steps of:
1) applying bit-balanced encoding to the input value of the cryptographic algorithm to be protected: a data bit with value 0 in the input data stream is encoded as the bit pair 10, and a data bit with value 1 is encoded as the bit pair 01;
2) performing the cryptographic computation on the bit-balanced encoded data, the cryptographic algorithm being an n-bit block cipher; in which:
A) for a bit XOR operation in the cryptographic computation, Encode(A_n) is first XORed with the bit string (10)_1(10)_2...(10)_n, and the XOR value obtained is then XORed with Encode(B_n); Encode(A_n) is the value of the n-bit data A after bit-balanced encoding, and Encode(B_n) is the value of the n-bit data B after bit-balanced encoding;
B) for a bit permutation operation in the cryptographic computation, the two bits 2i, 2i+1 and the two bits 2j, 2j+1 of the encoded data are swapped, where i and j are the positions of the i-th and j-th bits that would be swapped before encoding;
C) for a bit cyclic-shift operation in the cryptographic computation, the bit-balanced encoded data is cyclically shifted by 2m bits, where m is the number of bit positions of the cyclic shift performed before encoding;
3) decoding the output value of the computation of step 2), namely grouping the output bits in order into pairs and taking the second bit of each pair as the output value.
Further, if the round of the cryptographic computation to be protected is numbered M, the said input value is the intermediate value of the cryptographic computation in round N of the cryptographic algorithm.
Further,,, then at first S box look-up table is carried out conversion, generate new S box look-up table S ', make S ' [Encode (A if the data of input S box are the bit balance codes for the replacement operation of the S box in the crypto-operation
n)]=Encode (S [A
n]); According to input data look-up table S ', obtain S box replacement operation dateout then; Wherein, Encode representes data are carried out the operation of bit balance code, S [A
n] represent with A
nThe output that the S box that obtains as input replaces and operates, A
nThe data of expression n bit un-encoded.
Further,, then at first calculate new S box look-up table S if the data of input S box are not pass through coded data ", " [An]=Encode (S [An]) " carries out S box table lookup operation afterwards according to S to make S.
Further, said data A, B can be any bit length.
This method protects the intermediate values of a cryptographic algorithm by adding suitable encoding and decoding steps to the algorithm's execution. First, before the algorithm starts, all data taking part in the computation, including the plaintext, the key and any initialisation vector, is encoded. Then, while the algorithm runs, the cryptographic computation is carried out on the encoded data with the corresponding operations, following the steps of the cryptographic algorithm, to complete encryption or decryption. When the algorithm finishes, the encoded result is decoded to obtain the algorithm's normal output. The method encodes only the intermediate values of the algorithm, to ensure that they leak no information, and does not change the algorithm's input or output, so the result of running the algorithm is guaranteed to be correct. The encoding and decoding method used is bit-balanced encoding.
Bit-balanced encoding
Bit-balanced encoding encodes the intermediate values of the algorithm so that different intermediate values have the same Hamming weight. Concretely, each bit of an intermediate value is encoded with two complementary bits: bit 1 is encoded as the two bits 10 and bit 0 as the two bits 01. The encoding of a single data bit is given in table 1. Let V denote an n-bit intermediate value, V[i] the i-th bit of V, V' the encoded intermediate value and V'[j] the j-th bit of V'. The encoding rule and the change in Hamming weight are expressed as follows:
V = V[0] || V[1] || V[2] || ... || V[n-2] || V[n-1]
HW(V) = V[0] + V[1] + V[2] + ... + V[n-2] + V[n-1]
In the corresponding expression for V', the two bits that encode each V[i] are complementary, so for any i their sum equals 1 and the Hamming weight of V' depends only on the bit length of V. Any unencoded intermediate value V of bit length n has Hamming weight n after encoding; in particular, if the intermediate value V is 4 bits long, every encoded intermediate value V' has Hamming weight 4. Bit-balanced encoding makes any cryptographic device that leaks the Hamming weight of its intermediate values exhibit almost the same power consumption when processing different intermediate values, so that the attacker cannot exploit the device's power consumption leakage.
Table 1: bit-balanced encoding table
Original | Encoded
0 | 01
1 | 10
Bit-balanced encoding is highly applicable to lightweight block ciphers. The typical application scenario of lightweight block ciphers is resource-constrained embedded cryptographic devices, most of which use 8-bit microprocessors. At the same time, lightweight block ciphers make heavy use of operations on 4-bit units, such as permutations and S-box substitutions on 4-bit units, whereas in an 8-bit microprocessor data transfer and computation are all performed on 8-bit units, so 4 bits go unused. The greatest advantage of the bit-balanced encoding method is that it uses these 4 idle bits to obtain a large gain in security at a small computational cost.
The bit-balanced encoding method is equally applicable to non-lightweight block ciphers. For example, an AES implementation on a 16-bit processor can likewise be protected very effectively by bit-balanced encoding without an excessive loss of performance.
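As an added illustration, not code from the patent, the following C program implements the encoding of table 1 and its decoding for both encoding variants of the claims (0 as 01 and 0 as 10), and checks the property stated above: every encoded n-bit value has Hamming weight n. The function names, the enum and the 4-bit sample value are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* ZERO_AS_01 is the encoding of table 1 (0 -> 01, 1 -> 10);
 * ZERO_AS_10 is the mirrored variant of the second claim set. */
typedef enum { ZERO_AS_01 = 0, ZERO_AS_10 = 1 } bb_variant;

/* Encode the low n bits (n <= 16) of v into 2n bits, MSB first:
 * bit V[i] becomes the pair (V'[2i], V'[2i+1]). */
uint32_t bb_encode(uint32_t v, unsigned n, bb_variant var)
{
    uint32_t out = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned bit = (v >> (n - 1 - i)) & 1u;                /* V[i] */
        unsigned pair = (var == ZERO_AS_01) ? (bit ? 2u : 1u)  /* 10 / 01 */
                                            : (bit ? 1u : 2u); /* 01 / 10 */
        out = (out << 2) | pair;
    }
    return out;
}

/* Decode 2n bits back to n bits. With 0 -> 01 the first bit of each pair
 * carries the value, with 0 -> 10 the second bit does. Returns -1 when a
 * pair is 00 or 11, which no valid codeword contains. */
int32_t bb_decode(uint32_t enc, unsigned n, bb_variant var)
{
    uint32_t out = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned pair = (enc >> (2 * (n - 1 - i))) & 3u;
        if (pair == 0u || pair == 3u) return -1;            /* invalid code */
        unsigned bit = (var == ZERO_AS_01) ? (pair >> 1) : (pair & 1u);
        out = (out << 1) | bit;
    }
    return (int32_t)out;
}

unsigned hamming_weight(uint32_t x)
{
    unsigned w = 0;
    while (x) { w += x & 1u; x >>= 1; }
    return w;
}

/* Exhaustively check that every encoded n-bit value has Hamming weight n
 * and decodes back to itself. Returns 1 if both hold for all 2^n inputs. */
int hw_is_constant(unsigned n, bb_variant var)
{
    for (uint32_t v = 0; v < (1u << n); v++) {
        uint32_t e = bb_encode(v, n, var);
        if (hamming_weight(e) != n) return 0;
        if (bb_decode(e, n, var) != (int32_t)v) return 0;  /* round trip */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample nibble 1010b; 4-bit values are the page's typical case. */
    uint32_t e = bb_encode(0xA, 4, ZERO_AS_01);
    printf("Encode(1010b) = 0x%02x, HW = %u\n", (unsigned)e, hamming_weight(e));
    printf("all 4-bit codewords have HW 4: %d\n", hw_is_constant(4, ZERO_AS_01));
    return 0;
}
```

The decoder rejects the pairs 00 and 11 so that the "abnormal case" the embodiments mention (data that does not obey the encoding rule) is detected rather than silently decoded.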
Protection of basic operations
Bit-balanced encoding can protect the input and output intermediate values of the various operations in a cryptographic algorithm, such as the bit XOR operation, the bit permutation operation, the S-box substitution operation and the bit cyclic-shift operation.
√ Bit XOR operation
In a bit XOR operation, directly XORing two encoded inputs does not yield data that obeys the encoding rule; the result must be XORed once more with a constant to obtain the correctly encoded output.
√ Bit permutation operation
In a bit permutation operation, unencoded data is permuted in units of 1 bit; encoded data must be permuted in units of two bits, so that the resulting data is also correctly encoded.
√ S-box substitution operation
S-box substitution is usually implemented with an S-box look-up table, so protecting it with bit-balanced encoding requires changing the look-up table. There are two ways of building the new look-up table, depending on whether the input of the S-box substitution is encoded. If the input is not encoded, it suffices to encode the entries of the look-up table. If the input is encoded, i.e. its bit length has doubled, the size of the look-up table grows: the number of entries in the new table is the square of the number of entries in the unencoded table. In both cases the output is encoded data.
√ Bit cyclic-shift operation
Bit cyclic shifts include the left rotation and the right rotation, which differ only in direction; the difference has no effect on the encoding. The protection of cyclic shifts by bit-balanced encoding is therefore described briefly using the left rotation as an example. The most basic left rotation rotates by one bit: the leftmost bit is moved to the end of the bit string and all remaining bits move left by one. For encoded data, the two leftmost bits are moved to the end of the bit string and the other bits move left by two.
Compared with the prior art, the technical effect of the invention is as follows:
LBlock is a lightweight block cipher proposed in 2011. Its block length is 64 bits and its key length 80 bits; it uses a Feistel structure, and its S-boxes have 4-bit inputs and outputs. This algorithm is used below as the example for describing the protective effect of the bit-balanced encoding method on lightweight block ciphers.
This method protects mainly through bit-balanced encoding, so an implementation protected by it is called a bit-balanced encoding implementation below. A masked implementation is a typical and effective defence against power analysis attacks, so comparing this method with masking reflects its effect objectively. The three curves plotted in Fig. 5 are the success rates of first-order and second-order CPA attacks on the masked implementation and on the implementation of this method. The figure clearly shows that the success rate of the CPA attack on the masked implementation is higher than the success rate of the CPA attack on the bit-balanced encoding implementation. This shows two things:
- The bit-balanced encoding implementation keeps the success rate of the CPA attack at its minimum, around 0.065, which is just the probability of guessing a 4-bit round sub-key correctly at random. In other words, bit-balanced encoding makes the success rate of attacking the implementation to obtain the key very close to the success rate of guessing the key at random.
- For the bit-balanced encoding implementation, the second-order attack succeeds about as often as the first-order attack. A first-order CPA attack uses the leakage at one instant, whereas a second-order CPA attack uses the leakage at two different instants, yet both obtain essentially the same success rate. This shows that attacking the bit-balanced encoding implementation using two instants is about as effective as attacking it using one instant; in other words, the bit-balanced encoding implementation has a certain resistance to second-order attacks.
In summary, bit-balanced encoding strongly protects the physical security of lightweight block ciphers under power analysis attacks. The bit-balanced encoding implementation achieves higher security than both the unprotected and the masked implementation.
Table 2: time and memory consumption
(Note: the percentages in brackets give the increase of each item relative to the unprotected implementation.)
Fig. 5 portrays the security gain of the bit-balanced encoding method; table 2 and Fig. 6 below analyse its effect on performance (program running time and memory requirement). Table 2 compares the memory consumption and the encryption time (excluding the key schedule, whose time is identical for the three implementations) of three different implementations. Fig. 6 compares the bit-balanced encoding implementation with the unprotected and the masked implementation on three items: program execution time (Execution Time), memory (Memory) and code size (ROM).
Table 2 and Fig. 6 show that the memory increase of the bit-balanced encoding implementation is smaller than that of the masked implementation, and that its time increase is also smaller than that of the masked implementation.
Combining the above comparisons of security and implementation performance, bit-balanced encoding obtains higher security than the masking countermeasure while its performance cost is also smaller.
Description of drawings
Fig. 1: application of bit-balanced encoding to the bit XOR operation;
Fig. 2: application of bit-balanced encoding to bit permutation;
Fig. 3: application of bit-balanced encoding to S-box substitution;
Fig. 4: application of bit-balanced encoding to the bit cyclic shift;
Fig. 5: success rate of CPA attacks on the two protected implementations;
Fig. 6: comparison of the bit-balanced encoding implementation with the masked implementation:
(a) memory consumption, (b) execution time, (c) code size.
Embodiments
In practical use of this countermeasure, abnormal data may be encountered, that is, data that does not obey the encoding rule; this situation is called the abnormal case, and its counterpart the normal case. The embodiments of the countermeasure for the normal case and for the abnormal case are described in turn.
Normal case
This countermeasure protects the intermediate values of the cryptographic algorithm; depending on the security requirement, all or only some of the intermediate values in the computation are protected. For example, under a lower security requirement only the intermediate values of the first few and the last few rounds of the algorithm may be protected, leaving the remaining intermediate values unprotected; under a higher security requirement the intermediate values of every round can be protected. The countermeasure encodes the input data before the algorithm runs and then computes according to the steps of the cryptographic algorithm. Note that when computing on encoded data according to the algorithm's steps, the primitive operations must be replaced by the corresponding operations for encoded data described in the previous section. Where needed, encoded intermediate values can be decoded; decoded intermediate values are then processed with the primitive operations rather than with the operations for encoded data, until the data is encoded again or output. When only the first and last n rounds of the algorithm are protected, the data must be decoded after round n. The decoding method is: group the output bits in order into pairs; if bit 0 is encoded as 01 and bit 1 as 10, take the first bit of each pair as the output value; if bit 0 is encoded as 10 and bit 1 as 01, take the second bit of each pair as the output value. The normal cryptographic computation is then carried out, and the data is re-encoded at the n-th round from the end so that the last n rounds are again protected by this method. If the intermediate values of every round of the algorithm are protected, a single decoding operation after all the cryptographic computation has finished yields the algorithm's output. The protection of specific operations by this countermeasure is described below. Note that unless the implementation of an operation explicitly specifies one encoding (0 encoded as 01, or 0 encoded as 10), its description applies to both encodings.
The concrete way in which bit-balanced encoding protects the different operations is to encode each bit of the operation's input and output with two complementary bits, so that the Hamming weights of the operation's input and output are constant and the amount of information the operation leaks is reduced as far as possible. For some operations (such as S-box substitution), unencoded raw data may be used as the operation's input for performance reasons. Bit XOR, bit permutation, S-box substitution and cyclic shift are four basic operations widely used in lightweight block ciphers (such as PRESENT and LBlock). The concrete implementation of bit-balanced encoding in these four basic operations is therefore described below.
Bit XOR operation
The application of bit-balanced encoding to the bit XOR operation is shown in Fig. 1. For unencoded intermediate values, the bit XOR operation directly XORs the bits at corresponding positions. The truth table of the single-bit XOR operation is given in table 3, and that of the XOR operation after encoding in table 4. A_n and B_n denote n-bit intermediate values.
Table 3: XOR operation truth table
Table 4: bit-balanced encoding truth table
In table 4, Encode(x) denotes the bit-balanced encoding of the intermediate value x. Table 4 shows that directly XORing the encoded intermediate values (the fifth row of table 4) gives four invalid encoded values. Invalid here means the four values that have no meaning under this encoding: the encoding represents each bit of the original intermediate value by two complementary bits, but in every entry of that row the two bits of each pair are equal. Encoded data therefore cannot be used directly in a bit XOR operation. The sixth row of table 4 shows the correctly encoded data that should result from the XOR operation. Observe that the XOR of the wrong result and the correct result is always 01. In other words, the XOR of two unencoded 1-bit intermediate values and the XOR of their two 2-bit encodings are related through a constant C_2, the 2-bit constant 01b (the trailing b of 01b indicates that the string is binary).
For any n-bit intermediate values A_n and B_n the same relation holds with a 2n-bit constant C_2n, as in step A of the scheme above: XORing Encode(A_n), C_2n and Encode(B_n) gives the correctly encoded value of the XOR of A_n and B_n. Note that usually one of the values A and B must first be XORed with the constant and the result then XORed with the other value, to prevent the XOR of A and B from being leaked. When Encode(0b) = 01b, i.e. bit 0 is encoded as 01, C_2n = (01)_1 || (01)_2 || (01)_3 || ... || (01)_{n-1} || (01)_n, where || denotes the concatenation of two bit strings and (01)_i denotes the i-th group 01. In other words, C_2n is the constant bit string of length 2n obtained by concatenating 01 n times. For example, for unencoded 4-bit intermediate values, when the two encoded 8-bit intermediate values are XORed, the two encoded 8-bit values are first XORed, and the result of the bit XOR is then XORed once more with the constant C_8, where C_8 equals 0x55 (01010101b), to obtain the correct, encoded XOR result.
In a cryptographic computation the XOR of A_n and B_n is usually secret, so Encode(B_n) is usually XORed with the constant first and the result then XORed with Encode(A_n), to prevent the XOR result from being leaked while it is XORed with the constant.
The above applies to the encoding in which 0 is encoded as 01 and 1 as 10. In practice 0 may instead be encoded as 10 and 1 as 01 if required. In that case the formula for computing the encoded XOR stays the same, but the constant C_2n equals the bit string of length 2n obtained by concatenating 10 n times.
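As an added example (not code from the patent), the protected XOR described above in C for the table 1 encoding (0 as 01): the naive XOR of two codewords is shown to be an invalid codeword, the constant C_2n is built from n copies of 01, and the protected XOR applies the constant to Encode(B_n) before Encode(A_n) so that the raw XOR of the two codewords never appears as an intermediate. The function names and the 4-bit sample operands are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit-balanced encoding of the low n bits of v (n <= 16), 0 -> 01, 1 -> 10. */
uint32_t bb_encode(uint32_t v, unsigned n)
{
    uint32_t out = 0;
    for (unsigned k = n; k-- > 0;)
        out = (out << 2) | (((v >> k) & 1u) ? 2u : 1u);
    return out;
}

/* C_2n = (01)_1 || (01)_2 || ... || (01)_n; for n = 4 this is 0x55. */
uint32_t bb_const(unsigned n)
{
    uint32_t c = 0;
    for (unsigned i = 0; i < n; i++) c = (c << 2) | 1u;
    return c;
}

/* A codeword is valid iff every bit pair is 01 or 10. */
int bb_valid(uint32_t enc, unsigned n)
{
    for (unsigned k = 0; k < n; k++) {
        unsigned pair = (enc >> (2 * k)) & 3u;
        if (pair == 0u || pair == 3u) return 0;
    }
    return 1;
}

/* Direct XOR of two codewords: the "wrong" row of table 4. Every pair comes
 * out as 00 (equal plain bits) or 11 (different plain bits). */
uint32_t xor_naive(uint32_t ea, uint32_t eb) { return ea ^ eb; }

/* Protected XOR in the order the page prescribes: the constant is applied to
 * Encode(B) first, then Encode(A) is XORed in, so Encode(A)^Encode(B) is
 * never materialised. Result equals Encode(A ^ B). */
uint32_t xor_protected(uint32_t ea, uint32_t eb, unsigned n)
{
    uint32_t t = eb ^ bb_const(n);   /* Encode(B_n) xor C_2n */
    return ea ^ t;                   /* ... xor Encode(A_n) */
}

/* Exhaustive check over all n-bit operand pairs: the naive result is never a
 * valid codeword and the protected result always equals Encode(A ^ B). */
int check_xor(unsigned n)
{
    for (uint32_t a = 0; a < (1u << n); a++)
        for (uint32_t b = 0; b < (1u << n); b++) {
            uint32_t ea = bb_encode(a, n), eb = bb_encode(b, n);
            if (bb_valid(xor_naive(ea, eb), n)) return 0;
            if (xor_protected(ea, eb, n) != bb_encode(a ^ b, n)) return 0;
        }
    return 1;
}

int main(void)
{
    /* Constructed sample operands 0011b and 0101b. */
    uint32_t ea = bb_encode(0x3, 4), eb = bb_encode(0x5, 4);
    printf("C_8 = 0x%02x\n", (unsigned)bb_const(4));
    printf("naive     = 0x%02x (valid=%d)\n", (unsigned)xor_naive(ea, eb),
           bb_valid(xor_naive(ea, eb), 4));
    printf("protected = 0x%02x, Encode(3^5) = 0x%02x\n",
           (unsigned)xor_protected(ea, eb, 4), (unsigned)bb_encode(0x6, 4));
    printf("all 4-bit pairs OK: %d\n", check_xor(4));
    return 0;
}
```

For the mirrored encoding (0 as 10) only bb_const changes, to n copies of 10, exactly as the last paragraph above states.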
Bit permutation
The application of bit-balanced encoding to bit permutation is shown in Fig. 2. For unencoded intermediate values, a bit permutation permutes the n-bit intermediate value in units of 1 bit. After encoding the bit length of the intermediate value has doubled to 2n bits, so the bit permutation becomes a permutation in units of 2 bits. For example, if the i-th and j-th bits of the unencoded n-bit data are swapped, then for the encoded data the two bits 2i, 2i+1 and the two bits 2j, 2j+1 must be swapped.
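As an added example covering both the bit permutation just described and the cyclic shift from the section on basic operations (this is the example's own C code, not the patent's), the program below applies a permutation to a codeword two bits at a time and rotates a codeword by 2m bits, and checks exhaustively that each equals encoding the result of the plain operation. The sample permutation, the function names and the bit-index convention (LSB = 0, with plain bit k occupying encoded bits 2k and 2k+1) are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit-balanced encoding of the low n bits of v (n <= 16), 0 -> 01, 1 -> 10.
 * Plain bit k (LSB = 0) occupies encoded bit positions 2k and 2k+1. */
uint64_t bb_encode(uint64_t v, unsigned n)
{
    uint64_t out = 0;
    for (unsigned k = n; k-- > 0;)
        out = (out << 2) | (((v >> k) & 1u) ? 2u : 1u);
    return out;
}

/* Constructed sample permutation on 4 bits: output bit i takes input bit
 * SAMPLE_PERM[i]; it swaps bits 1 and 3 and leaves bits 0 and 2 in place. */
const unsigned SAMPLE_PERM[4] = {0, 3, 2, 1};

/* Bit permutation on plain data, one bit per unit. */
uint64_t permute_plain(uint64_t v, unsigned n, const unsigned *perm)
{
    uint64_t out = 0;
    for (unsigned i = 0; i < n; i++)
        out |= ((v >> perm[i]) & 1u) << i;
    return out;
}

/* The same permutation on a codeword, two bits per unit: the pair at
 * (2*perm[i], 2*perm[i]+1) moves to (2i, 2i+1), so the result stays a
 * valid codeword. */
uint64_t permute_encoded(uint64_t enc, unsigned n, const unsigned *perm)
{
    uint64_t out = 0;
    for (unsigned i = 0; i < n; i++)
        out |= ((enc >> (2 * perm[i])) & 3u) << (2 * i);
    return out;
}

/* Rotate the low w bits of v left by m positions (w < 64). */
uint64_t rotl_bits(uint64_t v, unsigned w, unsigned m)
{
    uint64_t mask = (1ull << w) - 1ull;
    v &= mask;
    m %= w;
    if (m == 0) return v;
    return ((v << m) | (v >> (w - m))) & mask;
}

/* Plain left rotation by m on n bits, and the matching rotation of the
 * codeword by 2m on 2n bits: the leftmost pair moves to the end. */
uint64_t rotl_plain(uint64_t v, unsigned n, unsigned m)     { return rotl_bits(v, n, m); }
uint64_t rotl_encoded(uint64_t enc, unsigned n, unsigned m) { return rotl_bits(enc, 2 * n, 2 * m); }

/* Exhaustively confirm that permuting or rotating the codeword equals
 * encoding the permuted or rotated plain value. Returns 1 when this holds. */
int check_perm_and_rot(unsigned n, const unsigned *perm, unsigned m)
{
    for (uint64_t v = 0; v < (1ull << n); v++) {
        uint64_t e = bb_encode(v, n);
        if (permute_encoded(e, n, perm) != bb_encode(permute_plain(v, n, perm), n)) return 0;
        if (rotl_encoded(e, n, m) != bb_encode(rotl_plain(v, n, m), n)) return 0;
    }
    return 1;
}

int main(void)
{
    uint64_t v = 0x2;                                /* constructed nibble 0010b */
    printf("plain perm:   %llx -> %llx\n", (unsigned long long)v,
           (unsigned long long)permute_plain(v, 4, SAMPLE_PERM));
    printf("encoded perm: %llx -> %llx\n", (unsigned long long)bb_encode(v, 4),
           (unsigned long long)permute_encoded(bb_encode(v, 4), 4, SAMPLE_PERM));
    printf("perm and rotl consistent for all nibbles: %d\n",
           check_perm_and_rot(4, SAMPLE_PERM, 1));
    return 0;
}
```

Because a whole pair moves together, neither operation can produce the pairs 00 or 11, so the Hamming weight of the intermediate value stays n throughout; that is the property the page relies on for these two operations.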
S-box substitution operation
The application of bit-balanced encoding to S-box substitution is shown in Fig. 3. To protect S-box substitution with the bit-balanced encoding method, the S-box look-up table is first transformed to generate a new look-up table S' such that S'[A_n] = Encode(S[A_n]) (encoding only the S-box output) or S'[Encode(A_n)] = Encode(S[A_n]) (encoding both the S-box input and output), where Encode denotes the bit-balanced encoding operation and S[A_n] denotes the output of the S-box substitution with A_n as input; the encoded output S'[A_n] is 2n bits long. In other words, encoding the original S-box output for the intermediate value A_n gives the output of the encoded S-box S'. The processing differs depending on whether the input data of the look-up table is encoded. For an n-bit S-box, if the input of the operation is encoded, i.e. the input of the look-up table has grown from n to 2n bits, the size of the look-up table correspondingly grows from 2^n entries to 2^{2n} entries. Of the 2^{2n} possible inputs of the encoded look-up table, only 2^n obey the encoding rule, and only the 2^n outputs corresponding to these 2^n inputs are correct; the remaining 2^{2n} - 2^n bytes are meaningless invalid data. This approach guarantees that the Hamming weights of both the input and the output of the S-box substitution are constant, but it increases the memory of each S-box look-up table to 2^n times the original, which may be unusable in a resource-constrained environment. In the other implementation the input of the S-box substitution is not encoded and only the output is, and the memory of the S-box look-up table is then the same as that of the unprotected S-box look-up table. The two approaches differ only in whether their input data is encoded; in both cases the output is an encoded 2n-bit intermediate value.
This dual mode corresponding different security demand and application scenarios.When the environment for use of encryption device when relatively safety or hardware resource are not enough, can adopt the implementation of saving the space.On the contrary, if go for higher fail safe, so just need relatively more sufficient hardware resource to realize the S box replacement operation of input through coding.Therefore, in concrete implementation procedure, use which kind of implementation method, need take all factors into consideration the fail safe of environment for use, the demand for security that realizes and the resource situation of the equipment that uses.Usually need and realize in fail safe making a compromise selection between the cost.
The bit cyclic shift operation
The application of bit-balanced encoding to the bit cyclic shift is shown in Figure 4. A cyclic shift changes the order of the bits of an intermediate value but does not change the number of 0 bits and 1 bits. When an unencoded intermediate value is cyclically shifted, the number of bit positions moved is a multiple of 1; since one bit is encoded as two bits in the bit-balanced encoding, each shift of an encoded intermediate value moves a multiple of 2 bit positions. The following formulas describe the cyclic shift operation without and with the bit-balanced encoding countermeasure.
- Cyclic shift operation without bit-balanced encoding
V_n <<< m = V[m] || V[m+1] || ... || V[L-1] || V[0] || ... || V[m-1]
- Cyclic shift operation after bit-balanced encoding
where V_2n = Encode(V_n). The difference between the two realizations, with and without bit-balanced encoding, can be seen from the shift operation: it suffices to double the shift amount to obtain the encoded cyclic shift output. In other words, if an unencoded n-bit intermediate value is cyclically shifted by m bits, then the encoded 2n-bit intermediate value must be cyclically shifted by 2m bits, where 0 < m < n and m, n are natural numbers.
Abnormal conditions
The bit-balanced encoding represents one bit by two complementary bits; when two identical bits such as 00 or 11 appear, they are regarded as illegal encoded data. To a large extent this means that the cryptographic device has been subjected to interference or attack, causing an error in its internal computation and thus a code violation; the device is then in an abnormal state. Therefore, if an illegal code is encountered during the cryptographic computation, the computation should be stopped immediately and the corresponding error reported, ensuring that the device does not output an erroneous computation result.
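The encoding, the XOR with the constant C_2n, the pair-wise permutation, the doubled cyclic shift, the transformed table S' and the illegal-code check described above, as an added Python example (this is not the patent's own code; the 4-bit S-box and the sample values are constructed for the demonstration):

```python
"""Bit-balanced (dual-rail) coding of cipher intermediate values.

Added illustration, not the patent's own code.  Bit 0 -> pair 01, bit 1 -> pair 10,
so every encoded value of an n-bit word has Hamming weight exactly n.
Values are ints with an explicit width n; encoded values are 2n bits wide.
"""

def encode(v, n):
    """Map each of the n bits of v (MSB first) to the pair 01 (0) or 10 (1)."""
    out = 0
    for i in range(n - 1, -1, -1):
        out = (out << 2) | (0b10 if (v >> i) & 1 else 0b01)
    return out

def is_valid_code(e, n):
    """True iff every bit pair of e is 01 or 10 (a 00 or 11 pair is illegal)."""
    return all(((e >> (2 * i)) & 0b11) in (0b01, 0b10) for i in range(n))

def decode(e, n):
    """Inverse of encode: take the first bit of each pair; abort on illegal codes."""
    if not is_valid_code(e, n):
        raise ValueError("illegal bit-balanced code: stop computation, report error")
    return sum((((e >> (2 * i)) & 0b11) >> 1) << i for i in range(n))

def balanced_const(n):
    """C_2n: the pair 01 repeated n times (0x55 for n = 4)."""
    return int("01" * n, 2)

def xor_encoded(ea, eb, n):
    """XOR of two encoded words.  The bitwise XOR alone gives 00/11 pairs; XORing
    with C_2n maps 00 -> 01 and 11 -> 10, restoring the code.  The constant is
    applied to one operand first so the raw XOR result is never formed."""
    return (eb ^ balanced_const(n)) ^ ea

def permute_encoded(e, n, perm):
    """Bit permutation on encoded data: pair (2i, 2i+1) moves to (2j, 2j+1), j = perm[i]."""
    out = 0
    for i, j in enumerate(perm):
        out |= ((e >> (2 * i)) & 0b11) << (2 * j)
    return out

def rotl_encoded(e, n, m):
    """Left rotation by m bits of the plain word == rotation by 2m bits of the code."""
    width, k = 2 * n, 2 * m
    return ((e << k) | (e >> (width - k))) & ((1 << width) - 1)

def build_encoded_sbox(sbox, n):
    """S'[Encode(a)] = Encode(S[a]).  Only the 2^n encoded inputs are present; the
    other 2^(2n) - 2^n indices of a full 2^(2n)-entry table would be invalid data."""
    return {encode(a, n): encode(sbox[a], n) for a in range(1 << n)}

# Constructed 4-bit S-box used as sample data (not a table from the patent).
SBOX4 = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

if __name__ == "__main__":
    n = 4
    ea, eb = encode(0b1100, n), encode(0b1010, n)          # 0xA5, 0x99
    assert decode(xor_encoded(ea, eb, n), n) == 0b1100 ^ 0b1010
    assert decode(rotl_encoded(ea, n, 1), n) == 0b1001
    assert build_encoded_sbox(SBOX4, n)[ea] == encode(SBOX4[0b1100], n)
    print("encoded XOR, rotation and S-box look-up all decode correctly")
```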
Claims (10)
1. A cryptographic algorithm implementation protection method for defending against power analysis attacks, comprising the steps of:
1) applying bit-balanced encoding to the input value of the cryptographic algorithm to be protected: data bits with value 0 in the input data stream are encoded as the bit pair 01, and data bits with value 1 are encoded as the bit pair 10;
2) performing the cryptographic computation with the bit-balanced encoded data, the cryptographic algorithm being an n-bit block cipher; wherein:
A) for a bit XOR operation in the cryptographic computation, Encode(A_n) is first XORed with the bit string (01)_1...(01)_n, and the resulting XOR value is then XORed with Encode(B_n); Encode(A_n) is the value of the n-bit data A after bit-balanced encoding and Encode(B_n) is the value of the n-bit data B after bit-balanced encoding;
B) for a bit permutation operation in the cryptographic computation, the two bits 2i, 2i+1 and the two bits 2j, 2j+1 of the bit-balanced encoded data are exchanged, where i and j are respectively the i-th and j-th bits to be exchanged before encoding;
C) for a bit cyclic shift operation in the cryptographic computation, the bit-balanced encoded data is cyclically shifted by 2m bits, where m is the number of bit positions of the cyclic shift performed before encoding;
3) decoding the output value of the computation of step 2): the sequentially output bits are grouped two at a time, and the value of the first bit of each group is taken as the output value.
2. The method of claim 1, characterized in that the round of the cryptographic computation to be protected is M, and said input value is the intermediate value of the cryptographic computation at round N of the cryptographic algorithm.
3. The method of claim 1 or 2, characterized in that, for the S-box substitution operation in the cryptographic computation, if the data input to the S-box is bit-balanced encoded, the S-box look-up table is first transformed to generate a new S-box look-up table S' such that S'[Encode(A_n)] = Encode(S[A_n]); the S-box substitution output data is then obtained by looking up S' with the input data; where Encode denotes the bit-balanced encoding operation, S[A_n] denotes the output of the S-box substitution with A_n as input, and A_n denotes n-bit unencoded data.
4. The method of claim 1 or 2, characterized in that, if the data input to the S-box is unencoded, a new S-box look-up table S'' is first computed such that S''[A_n] = Encode(S[A_n]), and the S-box look-up operation is then performed according to S''.
5. The method of claim 1, characterized in that said data A and B may be of any bit length.
6. A cryptographic algorithm implementation protection method for defending against power analysis attacks, comprising the steps of:
1) applying bit-balanced encoding to the input value of the cryptographic algorithm to be protected: data bits with value 0 in the input data stream are encoded as the bit pair 10, and data bits with value 1 are encoded as the bit pair 01;
2) performing the cryptographic computation with the bit-balanced encoded data, the cryptographic algorithm being an n-bit block cipher; wherein:
A) for a bit XOR operation in the cryptographic computation, Encode(A_n) is first XORed with the bit string (10)_1...(10)_n, and the resulting XOR value is then XORed with Encode(B_n); Encode(A_n) is the value of the n-bit data A after bit-balanced encoding and Encode(B_n) is the value of the n-bit data B after bit-balanced encoding;
B) for a bit permutation operation in the cryptographic computation, the two bits 2i, 2i+1 and the two bits 2j, 2j+1 of the encoded data are exchanged, where i and j are respectively the i-th and j-th bits to be exchanged before encoding;
C) for a bit cyclic shift operation in the cryptographic computation, the bit-balanced encoded data is cyclically shifted by 2m bits, where m is the number of bit positions of the cyclic shift performed before encoding;
3) decoding the output value of the computation of step 2): the sequentially output bits are grouped two at a time, and the value of the second bit of each group is taken as the output value.
7. The method of claim 6, characterized in that the round of the cryptographic computation to be protected is M, and said input value is the intermediate value of the cryptographic computation at round N of the cryptographic algorithm.
8. The method of claim 6 or 7, characterized in that, for the S-box substitution operation in the cryptographic computation, if the data input to the S-box is bit-balanced encoded, the S-box look-up table is first transformed to generate a new S-box look-up table S' such that S'[Encode(A_n)] = Encode(S[A_n]); the S-box substitution output data is then obtained by looking up S' with the input data; where Encode denotes the bit-balanced encoding operation, S[A_n] denotes the output of the S-box substitution with A_n as input, and A_n denotes n-bit unencoded data.
9. The method of claim 6 or 7, characterized in that, if the data input to the S-box is unencoded, a new S-box look-up table S'' is first computed such that S''[A_n] = Encode(S[A_n]), and the S-box look-up operation is then performed according to S''.
10. The method of claim 6, characterized in that said data A and B may be of any bit length.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2012100268567A CN102571331A (en) | 2012-02-07 | 2012-02-07 | Cryptographic algorithm realization protecting method used for defending energy analysis attacks |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102571331A true CN102571331A (en) | 2012-07-11 |
Family
ID=46415874
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2012100268567A Pending CN102571331A (en) | 2012-02-07 | 2012-02-07 | Cryptographic algorithm realization protecting method used for defending energy analysis attacks |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102571331A (en) |
- 2012-02-07: CN CN2012100268567A patent/CN102571331A/en, active, Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101197660A (en) * | 2006-12-07 | 2008-06-11 | Shanghai Anchuang Information Technology Co., Ltd. | Encrypting method and chip for anti-attack standard encryption criterion |
CN101013938A (en) * | 2007-01-12 | 2007-08-08 | Guangzhou Chengyi Technology Software Development Co., Ltd. | Encryption method of block cipher |
WO2010084107A1 (en) * | 2009-01-20 | 2010-07-29 | Institut Telecom-Telecom Paristech | Cryptography circuit particularly protected against information-leak observation attacks by the ciphering thereof |
Non-Patent Citations (2)
Title |
---|
Zhang Jing: "Research on power analysis attacks against the lightweight block cipher PRESENT", Master's thesis, Shanghai Jiao Tong University, 15 July 2011 (2011-07-15) * |
Han Yang et al.: "A secure lightweight block cipher resisting power analysis attacks", ICFWI 2011, 1 December 2011 (2011-12-01), pages 379 - 390 * |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104811295A (en) * | 2015-05-05 | 2015-07-29 | Commercial Cryptography Testing Center, State Cryptography Administration | Side channel energy analysis method for ZUC cryptographic algorithm with mask protection |
CN106330424B (en) * | 2015-06-17 | 2019-11-05 | Shanghai Fudan Microelectronics Group Co., Ltd. | Anti-attack method and device of a cryptographic module based on the SM3 algorithm |
CN106330424A (en) * | 2015-06-17 | 2017-01-11 | Shanghai Fudan Microelectronics Group Co., Ltd. | Anti-attack method and device of a cryptographic module based on the SM3 algorithm |
CN107644176A (en) * | 2016-07-20 | 2018-01-30 | Atmel Corporation | Security extension of non-volatile memory |
CN106059746A (en) * | 2016-07-22 | 2016-10-26 | Wuhan University | Mask protection method and system capable of resisting arbitrary-order side channel attacks |
CN106059746B (en) * | 2016-07-22 | 2019-04-12 | Wuhan University | Mask protection method and system resistant to arbitrary-order side-channel attacks |
CN106936822A (en) * | 2017-03-08 | 2017-07-07 | Shanghai Guanyuan Information Technology Co., Ltd. | Mask implementation method and system for resisting high-order side-channel analysis of SMS4 |
CN106936822B (en) * | 2017-03-08 | 2020-03-17 | Shanghai Guanyuan Information Technology Co., Ltd. | Mask implementation method and system for resisting high-order side-channel analysis of SMS4 |
CN109327276A (en) * | 2017-07-31 | 2019-02-12 | Huawei Technologies Co., Ltd. | Secure coding method, decoding method and device |
CN109327276B (en) * | 2017-07-31 | 2021-07-09 | Huawei Technologies Co., Ltd. | Secure coding method, decoding method and device |
CN107864035A (en) * | 2017-10-13 | 2018-03-30 | South China University of Technology | Method for resisting DPA attacks based on power-consumption-balanced coding in AES circuits |
CN107864035B (en) * | 2017-10-13 | 2020-06-19 | South China University of Technology | Method for resisting DPA attacks based on power-consumption-balanced coding in AES circuits |
CN109743156A (en) * | 2018-12-28 | 2019-05-10 | Beijing Siyuan Internet Technology Co., Ltd. | Block encryption and decryption method and device |
CN109743156B (en) * | 2018-12-28 | 2022-03-22 | Beijing Siyuan Ideal Holding Group Co., Ltd. | Block encryption and decryption method and device |
CN110266468A (en) * | 2019-05-20 | 2019-09-20 | Shaanxi Normal University | Diffusion transformation method for the substitution-permutation network block of a block cipher |
CN110266468B (en) * | 2019-05-20 | 2022-05-27 | Shaanxi Normal University | Diffusion transformation method for the substitution-permutation network block of a block cipher |
CN111339577A (en) * | 2020-02-12 | 2020-06-26 | Nanjing Normal University | Construction method of an S-box with excellent DPA resistance |
CN111443869A (en) * | 2020-03-24 | 2020-07-24 | Changchun Institute of Applied Chemistry, Chinese Academy of Sciences | File storage method, device, equipment and computer-readable storage medium |
CN111443869B (en) * | 2020-03-24 | 2021-07-02 | Changchun Institute of Applied Chemistry, Chinese Academy of Sciences | File storage method, device, equipment and computer-readable storage medium |
CN112968760A (en) * | 2021-01-29 | 2021-06-15 | Beijing Institute of Technology | Side-channel attack correlation power analysis method based on ensemble learning |
CN112968760B (en) * | 2021-01-29 | 2022-03-15 | Beijing Institute of Technology | Side-channel attack correlation power analysis method based on ensemble learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120711