CN105610568A - Fault detection method and fault detection device for block cipher algorithm - Google Patents


Publication number
CN105610568A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410676242.2A
Other languages
Chinese (zh)
Inventor
陈华军
张明明
林伟斌
张乐平
胡珊珊
赵云
赖宇阳
钱斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CSG Electric Power Research Institute
Research Institute of Southern Power Grid Co Ltd
Original Assignee
Research Institute of Southern Power Grid Co Ltd
Application filed by Research Institute of Southern Power Grid Co Ltd


Abstract

The invention discloses a fault detection method and a fault detection device for a block cipher algorithm. The method comprises the following steps: the number of rounds of the block cipher algorithm is preset to N, input data In is received, M rounds of operation are performed on it, and an operation result S1 is obtained; round operations continue to be executed on S1 until N rounds are completed, and an operation result Out is obtained; N-M rounds of inverse operation are executed on Out to obtain an operation result S2; and S1 and S2 are compared: if S1 equals S2, no fault has occurred, and if S1 does not equal S2, error information is returned. In this fault detection method, the corresponding rounds of inverse operation are executed after the normal operation is completed, and the inverse operation result is compared with the intermediate result of the normal operation, so that fault injection during the operation can be detected. A suitable number of inverse rounds can be selected according to application requirements, the design is convenient and flexible, and compared with the prior art the added cost is small and execution efficiency is high.

Description

Fault detection method and device for a block cipher algorithm
Technical field
The present invention relates to the technical field of chip detection, and in particular to a fault detection method and device for a block cipher algorithm.
Background art
With the development of computer and communication technology, and especially with the widespread use of the Internet and the establishment and adoption of personal communication, e-mail and automatic electronic funds-transfer payment systems, the protection of information security has become increasingly important. One effective way to address this problem is to use modern cryptography, and a variety of cryptographic algorithms have emerged as a result. Cryptographic algorithms can be divided into symmetric and asymmetric algorithms. In a symmetric algorithm, encryption and decryption use the same key, or the encryption and decryption keys can be derived from each other by a simple, easily computed relation. Block ciphers are one kind of symmetric cryptographic algorithm and the most commonly used cryptographic means; they are fast, easy to standardize and convenient to implement in software and hardware. Popular block ciphers at present include the DES algorithm and the AES algorithm.
As block ciphers have come into wide use, analysis and attack methods against cryptographic algorithms have continued to appear. In recent years a powerful attack technique known as the fault attack has emerged. The basic principle of a fault attack is to place the cryptographic chip in a strong magnetic field, or to change the chip's supply voltage, operating frequency, temperature and so on, so that the registers and memory in the chip produce random errors during encryption or decryption and certain output bits flip from 0 to 1 or from 1 to 0. By differential comparison of the correct ciphertext output with the faulty ciphertext output, followed by theoretical analysis, the secret data inside the chip can be obtained. Common methods of resisting fault attacks are: performing the operation on the same data several times and comparing whether the results are consistent; or, after performing the normal operation on some data, performing the inverse operation on the result and comparing whether the inverse operation result is consistent with the original input data.
Existing protection techniques mainly either perform the operation on the same data several times and compare whether the results are consistent, or perform the normal operation on some data, perform the inverse operation on the result, and compare whether the inverse operation result is consistent with the original input data. For an implementation that uses these existing protection techniques, the time required to complete one operation is at least twice the operation time of an implementation without the protection, so execution efficiency is low.
Summary of the invention
To solve the problem in the prior art that fault resistance for block cipher algorithms has poor execution efficiency, the present invention proposes a fault detection method and device for a block cipher algorithm.
The fault detection method for a block cipher algorithm according to the present invention comprises:
presetting the number of rounds of the block cipher algorithm to N, receiving input data In and performing M rounds of operation on it to obtain an operation result S1;
continuing to execute round operations on S1 until the N rounds of operation are finished, to obtain an operation result Out;
performing N-M rounds of inverse operation on Out to obtain an operation result S2;
comparing S1 and S2: if they are equal, no fault has occurred; if they are not equal, error information is returned.
The fault detection method for a block cipher algorithm of the present invention performs the corresponding rounds of inverse operation after the normal operation finishes and compares whether the inverse operation result is consistent with the intermediate result of the normal operation, and can thereby detect whether a fault was injected during the operation. The method allows a suitable number of inverse rounds to be selected according to application requirements, which is convenient and flexible at design time; compared with the prior art, the added cost is small and execution efficiency is high. The designer can select the number of inverse rounds, which is convenient and flexible, and fault attacks can be resisted effectively.
The fault detection device for a block cipher algorithm according to the present invention comprises:
a first computing module, configured to preset the number of rounds of the block cipher algorithm to N, receive input data In and perform M rounds of operation on it to obtain an operation result S1;
a second computing module, configured to continue executing round operations on S1 until the N rounds of operation are finished, to obtain an operation result Out;
a third computing module, configured to perform N-M rounds of inverse operation on Out to obtain an operation result S2;
a result comparison module, configured to compare S1 and S2: if they are equal, no fault has occurred; if they are not equal, error information is returned.
The fault detection device for a block cipher algorithm of the present invention performs the corresponding rounds of inverse operation after the normal operation finishes and compares whether the inverse operation result is consistent with the intermediate result of the normal operation, and can thereby detect whether a fault was injected during the operation. The method allows a suitable number of inverse rounds to be selected according to application requirements, which is convenient and flexible at design time; compared with the prior art, the added cost is small and execution efficiency is high. The designer can select the number of inverse rounds, which is convenient and flexible, and fault attacks can be resisted effectively.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the description, or be understood by practicing the invention. The objects and other advantages of the invention can be realized and obtained by the structure particularly pointed out in the written description, the claims and the accompanying drawings.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
The accompanying drawings provide a further understanding of the present invention and form part of the description; together with the embodiments of the invention they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a workflow diagram of a method embodiment of the present invention;
Fig. 2 is a workflow diagram of a specific method embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the device of an embodiment of the present invention.
Detailed description of the invention
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings, but it should be understood that the scope of protection of the invention is not limited by the specific embodiments.
To solve the problem in the prior art that fault resistance for block cipher algorithms has poor execution efficiency, the present invention proposes a fault detection method and device for a block cipher algorithm. The method can resist fault attacks at a small cost, the user can conveniently and flexibly select the number of inverse rounds according to application requirements, and execution efficiency is high.
As shown in Fig. 1, the method comprises:
Step S101: assume that the number of rounds of the block cipher algorithm (the number of rounds executed in normal operation) is N; M rounds of operation are performed on input data In to obtain an operation result S1;
M is less than or equal to N-r, where r depends on the round position at which the attacker carries out the fault attack, that is, the round, counted from the end of the normal operation, in which the attacker injects the fault. If the attacker injects the fault in the r-th round from the end of the normal operation, no more than N-r rounds of operation (that is, the M rounds) are performed on input data In.
Step S102: round operations continue to be executed on the operation result S1 of step S101 until all N rounds of operation have been executed, to obtain an operation result Out;
Step S103: N-M rounds of inverse operation are performed on Out to obtain an operation result S2;
The inverse operation in the present invention is a relative operation: for example, if the block cipher operation being performed is encryption, the inverse operation is decryption, and vice versa.
The number of inverse rounds executed here, N-M, corresponds to the number of rounds M executed in step S101. The number of inverse rounds N-M executed in step S103 is at least r; correspondingly, the number of rounds executed in step S101 is at most N-r. For every round added to the inverse operation in step S103, the number of rounds in step S101 must be reduced by one. Those skilled in the art will understand that the number of inverse rounds can be chosen flexibly, provided that S1 and S2 correspond to the round result at the same position.
Step S104: compare whether the values of S1 and S2 are equal; if they are equal, no fault was injected during the operation and the operation result Out is returned; if they are not equal, error information is returned.
The above method is illustrated below. In this embodiment the number of inverse rounds is chosen as r (any value greater than or equal to r is acceptable; it is not limited to this).
Step S201: input data In is received and N-r rounds of operation are performed on In to obtain an operation result S1;
In this embodiment the number of inverse rounds is chosen as r. To ensure that the inverse operation result and the normal operation result are at the same round position, the normal operation result here is taken to be the result of N-r rounds.
Step S202: round operations continue to be executed until the N rounds of operation have been executed, to obtain an operation result Out;
Step S203: r rounds of inverse operation are performed on Out to obtain an operation result S2;
Step S204: compare S1 and S2; if they are equal, no fault was injected during the operation and the operation result Out is returned; if they are not equal, error information is returned.
The fault detection method for a block cipher algorithm of the present invention performs the corresponding rounds of inverse operation after the normal operation finishes and compares whether the inverse operation result is consistent with the intermediate result of the normal operation, and can thereby detect whether a fault was injected during the operation. The method allows a suitable number of inverse rounds to be selected according to application requirements, which is convenient and flexible at design time; compared with the prior art, the added cost is small and execution efficiency is high. The designer can select the number of inverse rounds, which is convenient and flexible, and fault attacks can be resisted effectively.
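The procedure of steps S101 to S104, as an added example that is not code from the patent: a C implementation on a toy 32-bit ARX cipher, where the cipher, its round keys, the simulated fault (`fault_round`, `fault_mask`) and the `classify` helper are all assumptions made for illustration. It also shows why M must not exceed N-r: a fault in rounds 1..M is captured in S1 itself and passes the comparison.

```c
#include <stdint.h>
#include <stdio.h>

#define N_ROUNDS 16                     /* N: total rounds of the toy cipher */

typedef struct { uint16_t x, y; } block_t;

/* Constructed round keys for illustration only (no key schedule). */
static const uint16_t RK[N_ROUNDS] = {
    0x3a91, 0xc40f, 0x17e2, 0x9b5d, 0x60a8, 0xf233, 0x0d7c, 0x85e6,
    0x4b19, 0xd0c4, 0x2e7f, 0x7a02, 0xb1d5, 0x196b, 0xe8a0, 0x5c37
};

static uint16_t rol16(uint16_t v, int s) { return (uint16_t)((v << s) | (v >> (16 - s))); }
static uint16_t ror16(uint16_t v, int s) { return (uint16_t)((v >> s) | (v << (16 - s))); }

/* One invertible ARX round of the toy cipher, and its exact inverse. */
static void round_fwd(block_t *b, uint16_t k)
{
    b->x = (uint16_t)((ror16(b->x, 7) + b->y) ^ k);
    b->y = (uint16_t)(rol16(b->y, 2) ^ b->x);
}

static void round_inv(block_t *b, uint16_t k)
{
    b->y = ror16((uint16_t)(b->y ^ b->x), 2);
    b->x = rol16((uint16_t)((b->x ^ k) - b->y), 7);
}

/*
 * S101-S104: run M rounds and save S1, finish the N rounds to get Out, undo
 * the last N-M rounds to get S2, and release Out only if S1 == S2.
 * fault_round/fault_mask simulate a transient fault after that round (0 = none).
 * Returns 0 on success, -1 on mismatch, -2 if M is outside 0..N-1.
 */
int encrypt_checked(block_t in, int m, int fault_round, uint16_t fault_mask,
                    block_t *out)
{
    block_t st = in, s1 = in, s2;

    if (m < 0 || m >= N_ROUNDS)
        return -2;
    for (int i = 1; i <= N_ROUNDS; i++) {
        round_fwd(&st, RK[i - 1]);
        if (i == fault_round)
            st.x ^= fault_mask;         /* simulated fault in round i */
        if (i == m)
            s1 = st;                    /* S1: state after M rounds */
    }
    s2 = st;                            /* st now holds Out */
    for (int i = N_ROUNDS; i > m; i--)
        round_inv(&s2, RK[i - 1]);      /* N-M inverse rounds give S2 */
    if (s1.x != s2.x || s1.y != s2.y)
        return -1;                      /* fault detected: withhold Out */
    *out = st;
    return 0;
}

/* -1: fault detected; 0: correct Out released; 1: faulty Out released undetected. */
int classify(int m, int fault_round)
{
    const block_t in = { 0x1234, 0xabcd };   /* constructed plaintext */
    block_t ref, got;
    if (encrypt_checked(in, m, 0, 0, &ref) != 0)
        return -2;
    if (encrypt_checked(in, m, fault_round, 0x0004, &got) != 0)
        return -1;
    return (got.x == ref.x && got.y == ref.y) ? 0 : 1;
}

int main(void)
{
    /* M = 12: the comparison covers rounds 13..16 only. */
    printf("no fault       -> %d\n", classify(12, 0));
    printf("fault round 15 -> %d\n", classify(12, 15));
    printf("fault round 5  -> %d\n", classify(12, 5));
    return 0;
}
```

With M = 12 the check adds 4 inverse rounds to the 16 forward rounds, against 16 extra rounds for a full inverse check.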
As shown in Fig. 3, the fault detection device for a block cipher algorithm of the present invention comprises:
a first computing module 10, configured to preset the number of rounds of the block cipher algorithm to N, receive input data In and perform M rounds of operation on it to obtain an operation result S1;
a second computing module 20, configured to continue executing round operations on S1 until the N rounds of operation are finished, to obtain an operation result Out;
a third computing module 30, configured to perform N-M rounds of inverse operation on Out to obtain an operation result S2;
a result comparison module 40, configured to compare S1 and S2: if they are equal, no fault has occurred; if they are not equal, error information is returned.
In the above technical solution, M is less than or equal to N-r, where r is the round, counted from the end of the normal operation, in which the attacker injects the fault.
The fault detection device for a block cipher algorithm of the present invention performs the corresponding rounds of inverse operation after the normal operation finishes and compares whether the inverse operation result is consistent with the intermediate result of the normal operation, and can thereby detect whether a fault was injected during the operation. The method allows a suitable number of inverse rounds to be selected according to application requirements, which is convenient and flexible at design time; compared with the prior art, the added cost is small and execution efficiency is high. The designer can select the number of inverse rounds, which is convenient and flexible, and fault attacks can be resisted effectively.
The present invention can have many different specific embodiments. The technical solution of the invention has been illustrated above with reference to the accompanying drawings, taking Fig. 1 to Fig. 3 as examples; this does not mean that the specific examples to which the invention applies are confined to a particular flow or embodiment structure. Those of ordinary skill in the art will understand that the specific embodiments provided above are only some examples among many preferred usages, and any embodiment that embodies the claims of the present invention falls within the scope of protection of the technical solution of the invention.
Finally, it should be noted that the foregoing is only the preferred embodiments of the present invention and is not intended to limit the invention. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions recorded in the foregoing embodiments or make equivalent replacements of some of their technical features. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the invention.

Claims (4)

1. A fault detection method for a block cipher algorithm, characterized by comprising:
presetting the number of rounds of the block cipher algorithm to N, receiving input data In and performing M rounds of operation on it to obtain an operation result S1;
continuing to execute round operations on S1 until the N rounds of operation are finished, to obtain an operation result Out;
performing N-M rounds of inverse operation on Out to obtain an operation result S2;
comparing S1 and S2: if they are equal, no fault has occurred; if they are not equal, error information is returned.
2. The fault detection method for a block cipher algorithm according to claim 1, characterized in that M is less than or equal to N-r, where r is the round, counted from the end of the normal operation, in which the attacker injects the fault.
3. A fault detection device for a block cipher algorithm, characterized by comprising:
a first computing module, configured to preset the number of rounds of the block cipher algorithm to N, receive input data In and perform M rounds of operation on it to obtain an operation result S1;
a second computing module, configured to continue executing round operations on S1 until the N rounds of operation are finished, to obtain an operation result Out;
a third computing module, configured to perform N-M rounds of inverse operation on Out to obtain an operation result S2;
a result comparison module, configured to compare S1 and S2: if they are equal, no fault has occurred; if they are not equal, error information is returned.
4. The fault detection device for a block cipher algorithm according to claim 3, characterized in that M is less than or equal to N-r, where r is the round, counted from the end of the normal operation, in which the attacker injects the fault.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410676242.2A CN105610568A (en) 2014-11-21 2014-11-21 Fault detection method and fault detection device for block cipher algorithm


Publications (1)

Publication Number Publication Date
CN105610568A true CN105610568A (en) 2016-05-25


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160525