CN106788978B - Argument decomposition threshold mask method - Google Patents


Info

Publication number: CN106788978B
Authority: CN (China)
Prior art keywords: inv, multiplication, result, mask, domain
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201611265089.XA
Other languages: Chinese (zh)
Other versions: CN106788978A (en)
Inventors: 韦永壮, 姚富, 程月单, 刘晓强, 丁勇
Current assignee: Guilin University of Electronic Technology (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Guilin University of Electronic Technology
Priority and filing date: 2016-12-30 (the priority date is an assumption and is not a legal conclusion)
Granted publication date: 2020-04-21

Classifications

    • H  Electricity
    • H04  Electric communication technique
    • H04L  Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/06  The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators
    • H04L 9/0618  Block ciphers, i.e. encrypting groups of characters of a plain text message using a fixed encryption transformation
    • H04L 9/002  Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/003  Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]

Abstract

The invention discloses a new argument decomposition threshold masking method. During the S-box substitution of a block cipher, the multiplication operations in the GF(2^4) and GF(2^2) subfields are realised with the TI (threshold implementation) masking idea, which reduces the number of additional fresh random numbers needed for the multiplication while keeping the shares independent of one another. The other operations in these subfields adopt the basic framework of DOM (domain-oriented masking), which saves chip resources. The method therefore reduces both randomness and chip area, while ensuring the confidentiality and security of the data and effectively resisting power analysis attacks and side-channel cube attacks.

Description

Argument decomposition threshold mask method
Technical Field
The invention relates to the field of information security, in particular to a new argument decomposition threshold masking method.
Background
Security chips are the indispensable hardware carriers of information security technology, and with the development of science and technology they have become ubiquitous. While operating, a security chip leaks various kinds of side-channel information, and that information is closely correlated with the key of the cryptographic algorithm; a side-channel attack exploits this correlation to attack the security chip. Among side-channel attacks, the most effective method is Differential Power Analysis (DPA). A new security challenge is therefore: in the open environment in which a security chip operates, how can the correlation between the side-channel information leaked during operation and the key of the cryptographic algorithm be removed? In response to this problem, Professor Svetla Nikova of KU Leuven, Belgium, proposed the TI (Threshold Implementation) technique, which builds on secret sharing, threshold cryptography and secure multi-party computation protocols. The basic design idea of TI is to randomise the intermediate data of the algorithm with a secret-sharing mechanism, so that there is no direct correlation between the intermediate state of the encryption process and its power consumption, and an attacker who extracts the leaked side-channel information cannot deduce the key of the cryptographic algorithm. Because TI masks the intermediate state with several random shares, it consumes many random numbers, and its computational complexity grows as the order of DPA resistance increases. Hannes Gross proposed the DOM (domain-oriented masking) mechanism.
The basic design idea of the DOM masking scheme is that the shares of each variable are processed within their own domain, so that the shares in one domain are independent of the shares in every other domain, which provides resistance to power analysis attacks. The scheme resists power analysis, needs little chip area and few random numbers, and can be applied to a protected circuit of any order, but it is vulnerable to side-channel cube attacks.
Disclosure of Invention
To address these technical shortcomings, the invention provides a new argument decomposition threshold masking method, designed by combining the TI and DOM masking algorithms.
The technical scheme that achieves the purpose of the invention is as follows. The new argument decomposition threshold masking method comprises the following steps:
1) in the running process of the cryptographic algorithm, the 8-bit sensitive variable input to the S-box is split into masked shares using a secret-sharing mechanism;
2) the 8-bit random masked shares of step 1) are mapped onto GF(2^4) as X1 = A1·x + A0, X2 = B1·x + B0, X3 = C1·x + C0;
3) the multiplication, inversion and squaring operations are carried out in GF(2^4);
4) the multiplication in GF(2^4) is realised with the 3-input, 3-output masking mode of TI, and to satisfy the uniformity property an additional random number is added to each output share;
5) the shares of each squaring operation are XOR-ed with the shares of the multiplication result, giving the shares of the value in GF(2^4) that has to be inverted;
6) returning to step 2), the shares Inv1, Inv2, Inv3 in GF(2^4) are mapped onto GF(2^2) as Inv1 = Inv1a·x + Inv1b, Inv2 = Inv2a·x + Inv2b, Inv3 = Inv3a·x + Inv3b;
7) steps 3) and 4) are then applied to obtain the results of the squaring and multiplication operations in GF(2^2); since inversion and squaring coincide in GF(2^2), the inversion result is obtained with the squaring operation;
8) the result in GF(2^2) is mapped back;
9) the result of 8) is mapped back to obtain the inputs of multiplication 5 and multiplication 6, and the inversion of X in GF(2^8) is obtained through multiplication 5 and multiplication 6;
10) the result of 9) is mapped back to obtain the final masked shares in GF(2^8).
In step 4), because multiplication is a non-linear operation and in view of the security requirement of the encryption algorithm, the multiplication is not performed as an unprotected finite-field multiplication but with a TI masked implementation. Since the TI threshold masking needs far fewer additional random numbers than the DOM masking algorithm when performing the multiplication, the number of random numbers is reduced.
Compared with the prior art, the invention discloses a new argument decomposition threshold masking method in which, during the S-box substitution of a block cipher, the multiplication operations in the GF(2^4) and GF(2^2) subfields are realised with the TI masking idea, so that fewer additional fresh random numbers are needed for the multiplication and the shares remain independent of one another. The other operations in GF(2^4) and GF(2^2) adopt the basic framework of DOM masking, which saves chip resources. The method therefore reduces randomness and chip area at the same time, while ensuring the confidentiality and security of the data and effectively resisting power analysis attacks and side-channel cube attacks.
Drawings
FIG. 1 is a flow diagram of a new method of argument decomposition threshold masking according to an embodiment.
Detailed Description
The invention will be further elucidated with reference to the drawing, without being limited thereto.
Example:
Referring to FIG. 1, a new argument decomposition threshold masking method based on AES and resisting first-order DPA proceeds as follows:
1) in the running process of the cryptographic algorithm, the 8-bit sensitive variable X input to the S-box is split into three random 8-bit masked shares using a secret-sharing mechanism, namely X = X1 + X2 + X3 (where + denotes XOR);
2) the three 8-bit random masked shares X1, X2, X3 of step 1) are mapped onto GF(2^4) as X1 = A1·x + A0, X2 = B1·x + B0, X3 = C1·x + C0;
3) the squaring operations are performed in GF(2^4); the corresponding results of square 1, square 2 and square 3 in FIG. 1 are
A1xorA0 = (A1 + A0)^2    (1)
B1xorB0 = (B1 + B0)^2    (2)
C1xorC0 = (C1 + C0)^2    (3)
4) the multiplication operation is performed in GF(2^4). Because multiplication is a non-linear operation, and in view of the security requirement of the encryption algorithm, it is not performed as an unprotected finite-field multiplication but with a TI implementation. To satisfy the uniformity property of TI, a random mask is added to each component function. Since the TI threshold masking needs far fewer additional random numbers than the DOM masking algorithm when performing the multiplication, the number of random numbers is reduced. The calculation formulas of the multiply 1 operation in FIG. 1 are:
Qmul1 = B1·B0 + B1·C0 + C1·B0 + Z0    (4)
Qmul2 = C1·C0 + A1·C0 + C1·A0 + Z1    (5)
Qmul3 = A1·A0 + A1·B0 + B1·A0 + Z0 + Z1    (6)
5) taking the outputs of steps 3) and 4) as the inputs of this step, the shares of each squaring operation are XOR-ed with the shares of the multiplication result, giving the shares of the value in GF(2^4) that has to be inverted:
Inv1 = A1xorA0 + Qmul1    (7)
Inv2 = B1xorB0 + Qmul2    (8)
Inv3 = C1xorC0 + Qmul3    (9)
6) returning to step 2), the three inverse-input shares Inv1, Inv2, Inv3 in GF(2^4) are mapped onto GF(2^2) as Inv1 = Inv1a·x + Inv1b, Inv2 = Inv2a·x + Inv2b, Inv3 = Inv3a·x + Inv3b;
7) steps 3) and 4) are then applied to obtain the results of the squaring and multiplication operations in GF(2^2); since inversion and squaring coincide in GF(2^2), the inversion result is obtained with the squaring operation. The expressions are as follows.
The calculation formulas of the square 4, square 5 and square 6 operations are:
Inv1axorInv1b = (Inv1a + Inv1b)^2    (10)
Inv2axorInv2b = (Inv2a + Inv2b)^2    (11)
Inv3axorInv3b = (Inv3a + Inv3b)^2    (12)
The results of the multiply 2 operation are:
Q1 = Inv2a·Inv2b + Inv2a·Inv3b + Inv3a·Inv2b + Z0    (13)
Q2 = Inv3a·Inv3b + Inv1a·Inv3b + Inv3a·Inv1b + Z1    (14)
Q3 = Inv1a·Inv1b + Inv1a·Inv2b + Inv2a·Inv1b + Z0 + Z1    (15)
The calculation formulas of the inversion 1, inversion 2 and inversion 3 operations are:
[three equations rendered only as images in the original; not reproduced in the text]
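The share-wise squaring of equations (1)–(3) and (10)–(12), the 3-share TI multiplication of equations (4)–(6) and (13)–(15), and the XOR recombination of equations (7)–(9) follow one pattern in both GF(2^4) and GF(2^2). The Python below is an added example, not the patent's own implementation: it reproduces those equations for a field of configurable size and checks the two properties a reviewer of such a design wants to see, namely that the three output shares recombine to the unmasked value (Xh + Xl)^2 + Xh·Xl and that output share i never depends on input share i (TI non-completeness). The reduction polynomials, the helper names and the use of `secrets` for the masks Z0, Z1 are assumptions; the patent does not state them.

```python
"""Added example: share-wise squaring and 3-share TI multiplication in GF(2^4)
and GF(2^2), following eqs. (1)-(9) and (10)-(15) of the description.
Illustrative code, not the patent's implementation.  The reduction
polynomials below are an assumption; the patent does not state them."""
import secrets

GF4_POLY = 0b111      # x^2 + x + 1 for GF(2^2)   (assumed)
GF16_POLY = 0b10011   # x^4 + x + 1 for GF(2^4)   (assumed)


def gf_mul(a, b, poly, nbits):
    """Multiply a and b in GF(2^nbits): carry-less product, then reduce modulo poly."""
    r = 0
    for i in range(nbits):
        if (b >> i) & 1:
            r ^= a << i
    for d in range(2 * nbits - 2, nbits - 1, -1):   # clear degrees 2n-2 .. n
        if (r >> d) & 1:
            r ^= poly << (d - nbits)
    return r


def gf_sq(a, poly, nbits):
    return gf_mul(a, a, poly, nbits)


def rand_elem(nbits):
    return secrets.randbelow(1 << nbits)


def share3(x, nbits):
    """Split x into three random shares with x1 ^ x2 ^ x3 == x."""
    x1, x2 = rand_elem(nbits), rand_elem(nbits)
    return (x1, x2, x1 ^ x2 ^ x)


def unshare(shares):
    r = 0
    for s in shares:
        r ^= s
    return r


def sq_shares(hi, lo, poly, nbits):
    """Eqs. (1)-(3) / (10)-(12): squaring is GF(2)-linear, so each share
    (A1+A0, B1+B0, C1+C0) is squared on its own and needs no randomness."""
    return tuple(gf_sq(h ^ l, poly, nbits) for h, l in zip(hi, lo))


def ti_mul(hi, lo, z0, z1, poly, nbits):
    """Eqs. (4)-(6) / (13)-(15): 3-share TI multiplication of the high half
    hi = (A1, B1, C1) by the low half lo = (A0, B0, C0).  Output share i never
    touches input share i (non-completeness); Z0, Z1 and Z0^Z1 re-randomise
    the outputs for uniformity and cancel when the shares are recombined."""
    A1, B1, C1 = hi
    A0, B0, C0 = lo

    def m(a, b):
        return gf_mul(a, b, poly, nbits)

    q1 = m(B1, B0) ^ m(B1, C0) ^ m(C1, B0) ^ z0
    q2 = m(C1, C0) ^ m(A1, C0) ^ m(C1, A0) ^ z1
    q3 = m(A1, A0) ^ m(A1, B0) ^ m(B1, A0) ^ z0 ^ z1
    return (q1, q2, q3)


def inv_input_shares(hi, lo, z0, z1, poly, nbits):
    """Eqs. (7)-(9): Inv_i = square_i ^ Qmul_i, share by share."""
    s = sq_shares(hi, lo, poly, nbits)
    q = ti_mul(hi, lo, z0, z1, poly, nbits)
    return tuple(si ^ qi for si, qi in zip(s, q))


def recombination_correct(poly, nbits, trials=200):
    """Recombining the three Inv shares must give the unmasked
    (Xh + Xl)^2 + Xh*Xl for random inputs and random masks."""
    for _ in range(trials):
        xh, xl = rand_elem(nbits), rand_elem(nbits)
        hi, lo = share3(xh, nbits), share3(xl, nbits)
        z0, z1 = rand_elem(nbits), rand_elem(nbits)
        got = unshare(inv_input_shares(hi, lo, z0, z1, poly, nbits))
        want = gf_sq(xh ^ xl, poly, nbits) ^ gf_mul(xh, xl, poly, nbits)
        if got != want:
            return False
    return True


def non_completeness_holds(poly, nbits, trials=100):
    """Output share i of ti_mul must not change when input share i (both
    halves) is replaced: q1 ignores A, q2 ignores B, q3 ignores C."""
    for _ in range(trials):
        hi = [rand_elem(nbits) for _ in range(3)]
        lo = [rand_elem(nbits) for _ in range(3)]
        z0, z1 = rand_elem(nbits), rand_elem(nbits)
        base = ti_mul(tuple(hi), tuple(lo), z0, z1, poly, nbits)
        for i in range(3):
            hi2, lo2 = list(hi), list(lo)
            hi2[i], lo2[i] = rand_elem(nbits), rand_elem(nbits)
            if ti_mul(tuple(hi2), tuple(lo2), z0, z1, poly, nbits)[i] != base[i]:
                return False
    return True


def square_is_inverse_in_gf4():
    """Step 7's claim: in GF(2^2) every nonzero a satisfies a^2 == a^-1."""
    return all(gf_mul(a, gf_sq(a, GF4_POLY, 2), GF4_POLY, 2) == 1 for a in range(1, 4))


if __name__ == "__main__":
    print("GF(2^4) recombination:", recombination_correct(GF16_POLY, 4))
    print("GF(2^2) recombination:", recombination_correct(GF4_POLY, 2))
    print("non-completeness:", non_completeness_holds(GF16_POLY, 4))
    print("GF(2^2): square == inverse:", square_is_inverse_in_gf4())
```

The recombination check confirms only functional correctness; non-completeness is the structural property that keeps each output share independent of one input share, which is what makes the first-order argument work. The masks Z0, Z1 do not affect either check, since Z0 + Z1 + (Z0 + Z1) = 0, but they are what the text adds to restore uniformity of the output sharing.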
8) the result in GF(2^2) is mapped back to obtain the inversion result in GF(2^4). When Al21, Al22, Al23 are obtained, the XOR operation could expose the sensitive data, so an extra random number has to be added to mask it. The corresponding results are as follows.
The results of the multiply 3 operation are:
[three equations rendered only as images in the original; not reproduced in the text]
The results of the multiply 4 operation are:
[three equations rendered only as images in the original; not reproduced in the text]
9) the result of 8) is mapped back to obtain the inputs of multiplication 5 and multiplication 6, and the inversion of X in GF(2^8) is obtained through multiplication 5 and multiplication 6. Likewise, when Al41, Al42, Al43 are obtained, an extra random number is needed to mask the sensitive data. The corresponding results are as follows.
The inputs of the multiply 5 and multiply 6 operations are:
[three equations rendered only as images in the original; not reproduced in the text]
The results of the multiply 5 operation are:
[three equations rendered only as images in the original; not reproduced in the text]
The results of the multiply 6 operation are:
[three equations rendered only as images in the original; not reproduced in the text]
10) the result of 9) is mapped back to obtain the final masked shares in GF(2^8); the expressions are:
[three equations rendered only as images in the original; not reproduced in the text]

Claims (1)

1. The argument decomposition threshold mask method is characterised by comprising the following steps:
1) in the running process of the cryptographic algorithm, the 8-bit sensitive variable input to the S-box is split into masked shares using a secret-sharing mechanism;
2) the 8-bit random masked shares of step 1) are mapped onto GF(2^4) as X1 = A1·x + A0, X2 = B1·x + B0, X3 = C1·x + C0;
3) the multiplication, inversion and squaring operations are carried out in GF(2^4);
4) the multiplication in GF(2^4) is realised with the 3-input, 3-output masking mode of TI, and to satisfy the uniformity property an additional random number is added to each output share;
5) the shares of each squaring operation are XOR-ed with the shares of the multiplication result, and the inverse value is solved in GF(2^4);
6) returning to step 2), the shares Inv1, Inv2, Inv3 in GF(2^4) are mapped onto GF(2^2) as Inv1 = Inv1a·x + Inv1b, Inv2 = Inv2a·x + Inv2b, Inv3 = Inv3a·x + Inv3b;
7) steps 3) and 4) are then applied to obtain the results of the squaring and multiplication operations in GF(2^2); since inversion and squaring coincide in GF(2^2), the values are inverted with the squaring operation;
8) the result in GF(2^2) is mapped back;
9) the result of 8) is mapped back to obtain the inputs of multiplication 5 and multiplication 6, and the inversion of X in GF(2^8) is obtained through multiplication 5 and multiplication 6;
10) the result of 9) is mapped back to obtain the final masked shares in GF(2^8).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611265089.XA CN106788978B (en) 2016-12-30 2016-12-30 Argument decomposition threshold mask method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611265089.XA CN106788978B (en) 2016-12-30 2016-12-30 Argument decomposition threshold mask method

Publications (2)

Publication Number Publication Date
CN106788978A CN106788978A (en) 2017-05-31
CN106788978B true CN106788978B (en) 2020-04-21

Family

ID=58952219

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611265089.XA Active CN106788978B (en) 2016-12-30 2016-12-30 Argument decomposition threshold mask method

Country Status (1)

Country Link
CN (1) CN106788978B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108718230B (en) * 2018-06-01 2021-08-03 桂林电子科技大学 Novel method for realizing password S box without random number threshold
CN113794549B (en) * 2021-09-15 2023-07-28 桂林电子科技大学 4-bit password S-box automatic threshold masking method
CN114553408B (en) * 2022-02-21 2023-11-03 上海交通大学 Galois ring-based threshold linear encryption and decryption method for RS code

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101938349A (en) * 2010-10-01 2011-01-05 北京航空航天大学 S box applicable to hardware realization and circuit realization method thereof
CN102006161A (en) * 2010-12-02 2011-04-06 北京航空航天大学 Nonlinear transformation method for symmetric key encryption and implementation method thereof
CN103888247A (en) * 2014-03-10 2014-06-25 深圳华视微电子有限公司 Data processing system resistant to differential power attack analysis and data processing method thereof
EP2928111A1 (en) * 2014-03-31 2015-10-07 STMicroelectronics Srl Method for performing an encryption with look-up tables, and corresponding encryption apparatus and computer program product

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8958550B2 (en) * 2011-09-13 2015-02-17 Combined Conditional Access Development & Support. LLC (CCAD) Encryption operation with real data rounds, dummy data rounds, and delay periods

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Design and implementation of the SM4 algorithm based on composite fields; Liang Hao (梁浩) et al.; Microelectronics & Computer (《微电子学与计算机》); 2015-05-05; full text *
Side-channel-attack-resistant symmetric cipher algorithms and their hardware implementation; Zhao Jia (赵佳); China Master's Theses Full-text Database (《中国优秀硕士论文电子期刊网》); 2013-04-15; full text *

Also Published As

Publication number Publication date
CN106788978A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
US8638944B2 (en) Security countermeasures for power analysis attacks
AU2005263805B2 (en) Method and device for carrying out a cryptographic calculation
CN113940028B (en) Method and device for realizing white box password
US9794062B2 (en) Scrambled tweak mode of blockciphers for differential power analysis resistant encryption
RU2586020C2 (en) Method of using countermeasures against attacks by third-party channels
US20150222421A1 (en) Countermeasures against side-channel attacks on cryptographic algorithms
Chen et al. High performance data encryption with AES implementation on FPGA
JP6877889B2 (en) Cryptographic device, encryption method, decryption device, and decryption method
CN106788978B (en) Argument decomposition threshold mask method
JP2020510879A (en) Elliptic curve point multiplication device and method
EP3667647A1 (en) Encryption device, encryption method, decryption device, and decryption method
KR20050076015A (en) Finite field multiplier
Oukili et al. Hardware implementation of AES algorithm with logic S-box
CN106936822B (en) Mask implementation method and system for resisting high-order bypass analysis aiming at SMS4
Shende et al. FPGA based hardware implementation of hybrid cryptographic algorithm for encryption and decryption
US10075290B2 (en) Operator lifting in cryptographic algorithm
Yang et al. An improved AES encryption algorithm based on chaos theory in wireless communication networks
CN109302278B (en) Mask method and mask circuit for resisting energy analysis attack
CN111602367B (en) Method for protecting entropy sources used in countermeasures for securing white-box cryptographic algorithms
Benhadjyoussef et al. Power-based side-channel analysis against aes implementations: Evaluation and comparison
Zhou et al. An improved AES masking method smartcard implementation for resisting DPA attacks
Atha Design & Implementation of AES Algorithm Over FPGA Using VHDL
Serpa et al. A Secure White Box Implementation of AES Against First Order DCA
Jammula Comparative Study on DES and Triple DES Algorithms and Proposal of a New Algorithm Named Ternary DES for Digital Payments
Krishnan et al. Modified AES with random S-box generation to overcome the side channel assaults using cloud

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20170531
Assignee: Guangxi Sujian Technology Co.,Ltd.
Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY
Contract record no.: X2023980046272
Denomination of invention: Argument Decomposition Threshold Mask Method
Granted publication date: 20200421
License type: Common License
Record date: 20231108

Application publication date: 20170531
Assignee: Guangxi Guilin Yunchen Technology Co.,Ltd.
Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY
Contract record no.: X2023980045796
Denomination of invention: Argument Decomposition Threshold Mask Method
Granted publication date: 20200421
License type: Common License
Record date: 20231108