CN103634102A - Protection method for side channel attack and fault attack - Google Patents
- Publication number: CN103634102A (application number CN201310690055.5A)
- Authority: CN (China)
- Prior art keywords: computing, production line, level production, channel attack, random number
- Prior art date: 2013-12-16
- Legal status: Granted
- Landscapes: Storage Device Security (AREA)
Abstract
The invention provides a protection method against side-channel attacks and fault attacks. The method comprises the following steps: I. dividing the operation of a block cipher algorithm into a plurality of pipeline stages; II. inputting the real plaintext into two randomly selected pipeline stages and inputting random numbers into the other stages; III. carrying out the operation and, after it finishes, comparing whether the operation results of the two real data items are consistent. The method resists both side-channel attacks and fault attacks, with high security and high execution efficiency.
Description
Technical field
The present invention relates to a method in the field of smart card chips, and specifically to a protection method against side-channel attacks and fault attacks.
Background technology
With the development of computer technology and the steadily rising degree of social informatization, information security problems receive more and more widespread attention. Encryption plays an important role as a strong weapon in information security, and new cryptographic algorithms keep emerging; the currently popular block ciphers include DES and AES. A block cipher is an algorithm that encrypts plaintext of a fixed length: the plaintext is grouped into blocks of a certain length, and the plaintext and key yield the ciphertext through the encryption operation. During decryption, the ciphertext and key are restored to the plaintext through the decryption operation.
With progress in measurement and analysis methods, attack methods are also developing. Side-channel attacks and fault attacks are two representative attack methods proposed in recent years that pose a strong threat to chips. A side-channel attack exploits the fact that the side information leaked while the encryption device runs is correlated with intermediate values of the cryptographic algorithm; by repeatedly measuring the side information and then performing statistical analysis, the key information is obtained. The basic principle of a fault attack is to place the cryptographic chip in a strong magnetic field, or to change the chip's supply voltage, operating frequency, temperature and so on, so that the registers and memory inside the chip produce random errors during encryption or decryption and some output bits flip from 0 to 1 or from 1 to 0. By comparing the correct ciphertext output with the faulty ciphertext output and performing theoretical analysis, the secret data inside the chip is obtained. The common defence against side-channel attacks is mainly to apply random masks to the data or the key; the common defence against fault attacks is to compute the same data twice and then compare whether the two operation results are consistent.
An existing method divides each round operation of the block algorithm into several steps and performs pipelined operation on the basis of the divided steps. Each pipeline stage computes different data, each clock cycle performs different operations on different data, and a random-number mask is applied to the data processed by each pipeline stage, guaranteeing the heterogeneity of the data actually processed.
Power analysis is one kind of side-channel attack; the prior art can only resist power attacks, not fault attacks. To resist both side-channel analysis and fault attacks, the prior art needs additional protection measures, which consume more resources when implemented. Moreover, in the prior art each round operation of the symmetric algorithm is divided into several sub-steps; a symmetric algorithm generally contains many rounds, and if every round is divided into several sub-steps the algorithm runs very inefficiently, and a single encryption or decryption operation needs many clock cycles to complete.
Summary of the invention
To overcome the above defects of the prior art, the invention provides a protection method against side-channel attacks and fault attacks which resists side-channel attacks and fault attacks alike, with high security and high execution efficiency.
To achieve the above object, the invention adopts the following technical scheme:
A protection method against side-channel attacks and fault attacks, characterized in that the method comprises the following steps: I. dividing the operation of the block cipher into pipeline stages;
II. randomly selecting two pipeline stages whose input is the real plaintext, the input of all other stages being random numbers;
III. carrying out the operation and, when it finishes, comparing whether the operation results of the two real data items are consistent.
Further, because different pipeline stages operate on different data at the same moment, the side information generated by the random numbers taking part in the operation masks, as noise, the side information of the real data, and the method thereby resists side-channel attacks.
Further, the method compares the two real ciphertexts obtained when the operations finish; if the two operation results are consistent, it is considered that no fault occurred during the operation, and the method thereby resists fault attacks.
Further, step I comprises:
setting the number of rounds of the block cipher to 2N, N being a positive integer, with each pipeline stage comprising k rounds;
dividing the whole operation into n pipeline stages, n = 2N/k, where 2N/k is an integer.
Further, step II comprises:
randomly choosing pipeline stages A and B whose input is the real plaintext, the input of the remaining (n-2) pipeline stages being random numbers.
Further, step III comprises:
the plaintext enters pipeline stage A for operation while the remaining (n-1) pipeline stages input random numbers, and the side information produced by their operation masks, as noise, the side information produced by the operation on the real plaintext P;
the plaintext enters pipeline stage B for operation while the remaining (n-2) pipeline stages input random numbers, and the side information produced by their operation masks, as noise, the side information produced by the operation on the real plaintext P;
when the 2N rounds of operation finish, two ciphertexts are obtained and compared for consistency; if they are consistent, the operation is considered fault-free, otherwise a warning is issued.
Compared with the prior art, the beneficial effects of the invention are:
1. The method of the invention solves the problems of the prior art, namely low execution efficiency and large resource consumption, or considering only the prevention of side-channel attacks while neglecting resistance to fault attacks (or vice versa) and hence insufficient security; the method of the invention resists side-channel attacks and fault attacks alike, with high security and high execution efficiency.
2. The method of the invention selects a suitable number of pipeline stages according to the constraints of the hardware resources; it is convenient and flexible to implement and executes efficiently.
3. The method of the invention combines the protection measures against side-channel attacks and fault attacks, greatly reducing the extra resources added for protection, and is easy to implement.
4. When encrypting or decrypting large amounts of data, the method of the invention maintains high operating efficiency while also providing strong security protection.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a flow chart of the DES algorithm carried out using the method of the invention.
Embodiments
The invention is further described below with reference to the accompanying drawings.
The invention provides a protection method against side-channel attacks and fault attacks that uses pipelining. The method of the invention is: the operation of the block cipher is divided into several pipeline stages; two of the pipeline stages are selected at random and their input is the real plaintext, while the input of all other stages is random numbers.
Because different pipeline stages process different data at the same moment, the side information produced when the random numbers take part in the operation masks, as noise, the side information produced when the real data takes part in the operation, and side-channel attacks can thereby be resisted.
By comparing whether the operation results of the two real data items are consistent when the operation finishes, and considering that no fault attack occurred if they are consistent, fault attacks can be resisted. The operation here refers to the encryption or decryption operation of the block cipher.
In general the number of rounds of a block cipher is even. Suppose the block cipher has 2N rounds, N being a positive integer, and suppose each pipeline stage comprises k rounds. The whole operation is divided into n = 2N/k pipeline stages, where k must divide 2N so that 2N/k is an integer; a suitable number of pipeline stages can be chosen according to the constraints of the hardware resources, which makes implementation convenient and flexible. Two pipeline stages are chosen at random to receive the real plaintext as input, and the remaining (n-2) pipeline stages receive random numbers as input.
As shown in Fig. 1, the flow chart of the method of the invention: in this embodiment, suppose the block cipher has 2N rounds, N being a positive integer and 2N/k an integer; suppose the input of the first and second pipeline stages is the real plaintext P, and the input of the third to n-th pipeline stages is random numbers. The steps of the operation are as follows:
1. At time Time1, the first plaintext P enters the first pipeline stage for rounds 1 to k; the input of the second to n-th pipeline stages is now random numbers, and the side information produced by the operation of the second to n-th pipeline stages masks, as noise, the side information produced by the operation on the real plaintext P.
2. At time Time2, the first plaintext P enters the second pipeline stage for rounds k+1 to 2k, and the second plaintext P enters the first pipeline stage for rounds 1 to k; the input of the third to n-th pipeline stages is now random numbers, and the side information produced by their operation masks, as noise, the side information produced by the operation on the real plaintext P.
3. At time Time3, the first plaintext P enters the third pipeline stage for rounds 2k+1 to 3k, the second plaintext P enters the second pipeline stage for rounds k+1 to 2k, and a random number enters the first pipeline stage for rounds 1 to k; the input of the fourth to n-th pipeline stages is now random numbers, and the side information produced by their operation masks, as noise, the side information produced by the operation on the real plaintext P.
4. And so on: at time Time n, the first plaintext P enters the n-th pipeline stage for rounds (n-1)k+1 to nk, at which point the encryption of the first plaintext P finishes and the first ciphertext C is obtained.
5. At time Time n+1, the second plaintext P is also fully encrypted and the second ciphertext C is obtained. The first ciphertext C and the second ciphertext C are compared for equality; if the two ciphertexts are equal, no fault was injected during the operation and the encryption result can be used; otherwise a corresponding warning message is produced.
Taking the DES algorithm as an example: DES has 16 rounds, which are divided into a four-stage pipeline with each pipeline stage comprising 4 rounds; the shaded parts of the figure indicate that a random number takes part in the operation of that pipeline stage. The specific steps are as follows:
1. At time Time1, the first plaintext P enters the first pipeline stage for rounds 1 to 4; the input of the second to fourth pipeline stages is now random numbers, and the side information produced by the operation of the second to fourth pipeline stages masks, as noise, the side information produced by the operation on the real plaintext P.
2. At time Time2, the first plaintext P enters the second pipeline stage for rounds 5 to 8, and the second plaintext P enters the first pipeline stage for rounds 1 to 4; the input of the third and fourth pipeline stages is now random numbers, and the side information produced by their operation masks, as noise, the side information produced by the operation on the real plaintext P.
3. At time Time3, the first plaintext P enters the third pipeline stage for rounds 9 to 12, the second plaintext P enters the second pipeline stage for rounds 5 to 8, and a random number enters the first pipeline stage for rounds 1 to 4; the input of the fourth pipeline stage is now a random number, and the side information produced by its operation masks, as noise, the side information produced by the operation on the real plaintext P.
4. At time Time4, the first plaintext P enters the fourth pipeline stage for rounds 13 to 16, at which point the encryption of the first plaintext P finishes and the first ciphertext C is obtained;
the second plaintext P enters the third pipeline stage for rounds 9 to 12, and random numbers enter the second and first pipeline stages for rounds 5 to 8 and rounds 1 to 4 respectively.
5. At time Time5, the second plaintext P is also fully encrypted and the second ciphertext C is obtained.
The first ciphertext C and the second ciphertext C are compared for equality; if the two ciphertexts are equal, no fault was injected during the operation and the encryption result can be used; otherwise a corresponding warning message is produced.
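The general schedule above (Time1 to Time n+1) and the DES instance (16 rounds, four stages of 4 rounds each) can be simulated to check the claimed properties. The following Python is an added example and not the patent's own code: it substitutes a constructed toy Feistel round and key schedule for DES (both are assumptions), records which stage holds a real plaintext copy ('P') or a random filler ('R') at each clock, and lets a test model a glitch through a `fault` hook so that the step-III comparison can be seen to raise the alarm.

```python
from __future__ import annotations
import os
import secrets
from typing import Callable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def toy_round(state: int, rk: int) -> int:
    """One constructed Feistel round on a 64-bit block (a stand-in, NOT DES)."""
    left, right = state >> 32, state & MASK32
    f = ((right * 0x9E3779B1) ^ rk) & MASK32
    f = ((f << 7) | (f >> 25)) & MASK32          # 32-bit rotate left by 7
    return ((right << 32) | (left ^ f)) & MASK64


def toy_key_schedule(key: int, rounds: int) -> List[int]:
    """Constructed round-key derivation for the toy round (assumption)."""
    rks = []
    for i in range(rounds):
        key = (key * 0x5DEECE66D + 0xB + i) & MASK64
        rks.append((key >> 16) & MASK32)
    return rks


def sequential_encrypt(p: int, rks: List[int]) -> int:
    """Reference: all 2N rounds back to back, to check the pipelined result."""
    for rk in rks:
        p = toy_round(p, rk)
    return p


def choose_slots(n: int) -> Tuple[int, int]:
    """Step II: pick two distinct input slots A and B at random (0-based)."""
    a = secrets.randbelow(n)
    b = (a + 1 + secrets.randbelow(n - 1)) % n
    return a, b


def pipelined_encrypt(p: int, rks: List[int], k: int, slot_a: int, slot_b: int,
                      fault: Optional[Callable[[int, int, int], int]] = None,
                      rng: Callable[[int], bytes] = os.urandom):
    """Simulate the patent's scheme on the toy cipher.

    Step I:   2N rounds split into n = 2N/k stages; each clock, stage i applies
              rounds i*k+1 .. (i+1)*k to the block it holds and passes it on.
    Step II:  the n-slot input stream carries P in slots slot_a and slot_b and a
              fresh random block elsewhere; the pipeline starts full of random
              blocks and keeps receiving them once the stream is exhausted, so
              every stage is busy at every clock (the noise the patent relies on).
    Step III: when both real copies have left the last stage their ciphertexts
              are compared; a mismatch raises the alarm and no result is used.
    `fault(t, stage, value)` may return a corrupted stage output at clock t.
    Returns (ciphertext or None, alarm, trace); trace[t-1][i] is 'P' or 'R'
    according to which kind of block stage i processed at clock t.
    """
    rounds = len(rks)
    if rounds % k:
        raise ValueError("k must divide the round count 2N")
    n = rounds // k
    if not (0 <= slot_a < n and 0 <= slot_b < n and slot_a != slot_b):
        raise ValueError("need two distinct slots in range(n)")

    def random_block():
        return ("R", int.from_bytes(rng(8), "big"))

    stream = [("P", p) if s in (slot_a, slot_b) else random_block()
              for s in range(n)]
    stages = [random_block() for _ in range(n)]   # pre-filled with noise
    results, trace, t = [], [], 0
    while len(results) < 2:
        t += 1
        # Shift: stage i takes what stage i-1 held; stage 0 takes the next slot.
        incoming = stream.pop(0) if stream else random_block()
        stages = [incoming] + stages[:-1]
        for i, (label, val) in enumerate(stages):
            for r in range(i * k, (i + 1) * k):
                val = toy_round(val, rks[r])
            if fault is not None:
                val = fault(t, i, val)
            stages[i] = (label, val)
        trace.append([label for label, _ in stages])
        if stages[-1][0] == "P":                  # a real copy finished round 2N
            results.append(stages[-1][1])
    alarm = results[0] != results[1]
    return (None if alarm else results[0]), alarm, trace
```

With slots 0 and 1 and k = 4 the trace reproduces the Time1 to Time5 occupancy of the DES embodiment; a corrupted stage output on either real copy yields two different ciphertexts and the alarm.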
Finally, it should be noted that the above embodiments are only intended to illustrate the technical scheme of the invention and not to limit it. Although the invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the invention may still be modified or equivalently replaced, and any modification or equivalent replacement that does not depart from the spirit and scope of the invention shall be encompassed within the scope of the claims of the invention.
Claims (6)
1. A protection method against side-channel attacks and fault attacks, characterized in that the method comprises the following steps: I. dividing the operation of the block cipher into pipeline stages;
II. randomly selecting two pipeline stages whose input is the real plaintext, the input of all other stages being random numbers;
III. carrying out the operation and, when it finishes, comparing whether the operation results of the two real data items are consistent.
2. The protection method against side-channel attacks and fault attacks as claimed in claim 1, characterized in that: because different pipeline stages operate on different data at the same moment, the side information generated by the random numbers taking part in the operation masks, as noise, the side information of the real data, and the method thereby resists side-channel attacks.
3. The protection method against side-channel attacks and fault attacks as claimed in claim 1, characterized in that: the method compares the two real ciphertexts obtained when the operations finish; if the two operation results are consistent, it is considered that no fault occurred during the operation, and the method thereby resists fault attacks.
4. The protection method against side-channel attacks and fault attacks as claimed in claim 1, characterized in that step I comprises:
setting the number of rounds of the block cipher to 2N, N being a positive integer, with each pipeline stage comprising k rounds;
dividing the whole operation into n pipeline stages, n = 2N/k, where 2N/k is an integer.
5. The protection method against side-channel attacks and fault attacks as claimed in claim 1, characterized in that step II comprises:
randomly choosing pipeline stages A and B whose input is the real plaintext, the input of the remaining (n-2) pipeline stages being random numbers.
6. The protection method against side-channel attacks and fault attacks as claimed in claim 1, characterized in that step III comprises:
the plaintext enters pipeline stage A for operation while the remaining (n-1) pipeline stages input random numbers, and the side information produced by their operation masks, as noise, the side information produced by the operation on the real plaintext P;
the plaintext enters pipeline stage B for operation while the remaining (n-2) pipeline stages input random numbers, and the side information produced by their operation masks, as noise, the side information produced by the operation on the real plaintext P;
when the 2N rounds of operation finish, two ciphertexts are obtained and compared for consistency; if they are consistent, the operation is considered fault-free, otherwise a warning is issued.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310690055.5A CN103634102B (en) | 2013-12-16 | 2013-12-16 | A kind of means of defence of side-channel attack and fault attacks |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103634102A true CN103634102A (en) | 2014-03-12 |
CN103634102B CN103634102B (en) | 2017-11-07 |
Family ID: 50214762
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310690055.5A Active CN103634102B (en) | 2013-12-16 | 2013-12-16 | A kind of means of defence of side-channel attack and fault attacks |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103634102B (en) |
Legal Events
Code | Title
---|---
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant