CN107204841A - A method for implementing multiple S-boxes of block ciphers against differential power attack - Google Patents


Info

Publication number: CN107204841A
Authority: CN (China)
Prior art keywords: boxes, box, displacement, random number, block cipher
Legal status: Granted
Application number: CN201710150435.8A
Other languages: Chinese (zh)
Other versions: CN107204841B (en)
Inventors: 杨晓元, 张帅伟, 张敏情, 钟卫东, 韩益亮, 周潭平, 张卓, 杨海滨, 薛帅
Current assignee: Engineering University of Chinese People's Armed Police Force
Original assignee: Engineering University of Chinese People's Armed Police Force
Events: application filed by Engineering University of Chinese People's Armed Police Force; priority to CN201710150435.8A; publication of CN107204841A; application granted; publication of CN107204841B; legal status: active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]


Abstract

The present invention relates to a method for implementing multiple S-boxes of a block cipher resistant to differential power attack. First, multiple parallel S-boxes are converted to obtain 4×4 S-box permutations, which are numbered; then the randomized-input technique for the multiple S-boxes of the block cipher is applied to all the 4×4 S-box permutations, so that an attacker performing a differential power attack cannot align the traces by the relevant statistical differencing method after capturing them. The differential power attack therefore fails and the security of the block cipher implementation is improved. Moreover, the scheme uses only g(n) bits of random numbers, far fewer than other masking schemes, and it greatly increases the difficulty of the data processing in a differential power attack. As for speed, since the scheme converts the originally parallel S-boxes into a multidimensional serial reusable S-box framework, pipelining can be used, so that the speed is reduced by 30% compared with the original scheme.

Description

A method for implementing multiple S-boxes of a block cipher resistant to differential power attack

Technical field

The invention belongs to the technical field of side-channel attack and defence theory in information security systems, and in particular relates to a method for implementing multiple S-boxes of a block cipher resistant to differential power attack.

Background

Differential power attack is a physical attack on cryptographic chips first proposed in 1999 by the American expert Paul Kocher. The attack first collects the power consumed by the chip while it runs a block cipher algorithm, then exploits the correlation between power consumption and key-dependent data, recovering the key by statistical differencing. Because it is efficient to carry out and cheap, it poses a great threat and challenge to the security of information security systems; its theory has developed over nearly twenty years and remains a research hotspot for experts.

As the theory of differential power attack matured, many defence schemes emerged. Two of them are popular. The first is random masking, which inserts suitable random numbers into the cryptographic algorithm and XORs them with the key-dependent data targeted by the differential power attack, so that the power consumption associated with that data changes without changing the encryption and decryption results, and the key is protected. The second is noise injection, which artificially adds noise to the cryptographic circuit so that the efficiency of the attacker's differential power attack drops, possibly to the point where the key cannot be recovered at all, which likewise protects the key.

However, both techniques share a drawback: they significantly increase the hardware resources consumed or reduce the operating speed, which seriously constrains the development of security chips. Since the S-box is the only non-linear component of a block cipher, its implementation accounts for 50%-70% of the total resources; at the same time, its non-linearity is also what causes sensitive information to leak under power attacks. How to protect the S-box effectively has therefore been the focus of research on defending against differential power attacks in recent years.

Summary of the invention

The purpose of the present invention is to provide a method for implementing multiple S-boxes of a block cipher resistant to differential power attack, so as to protect the S-box implementation more effectively.

To this end, the present invention provides a method for implementing multiple S-boxes of a block cipher resistant to differential power attack, characterized by comprising the following steps:

Step 1: select a block cipher algorithm, convert the multiple parallel S-boxes to obtain n 4×4 S-box permutations, and number the 4×4 S-box permutations from 0 to n-1;

The specific operation steps are:

A. Convert the n independent parallel S-boxes into one multidimensional serial reusable S-box framework S′ by means of a compression algorithm;

B. Number the 4×4 S-box permutations in S′, that is: […]

where m_{n-1} denotes the input of the (n-1)-th 4-bit S-box permutation, S_{n-1}(m_{n-1}) denotes the output of the (n-1)-th 4-bit S-box permutation, and S′ denotes the multidimensional serial reusable S-box framework.

Step 2: perform the S-box operation, generate a random number, and select the 4×4 S-box permutation corresponding to the random number;

The specific operation steps are:

1) Before the circuit performs the S-box operation, a random number R_1 is generated, namely

R_1 = (r_1, r_2, …, r_{g(n)})   (2)

where 0 ≤ R_1 ≤ n-1 and g(n) denotes the number of binary bits corresponding to n, the number of 4×4 S-boxes actually taking part in the operation;

2) The value of R_1 selects the corresponding 4×4 S-box permutation entering S′, that is, the permutation is […], where […] denotes the result of the 4×4 S-box permutation.

Step 3: generate the next random number by the random-number update algorithm, and select the 4×4 S-box permutation corresponding to that random number;

That is: XOR the random number R_1 with the output of the first selected 4×4 S-box permutation entering S′; the result is used as the random number R_2 that selects the next 4×4 S-box permutation, that is: […]

Step 4: repeat step 3; if the 4×4 S-box permutation corresponding to the newly generated random number has already been selected, XOR the bits of the newly generated random number together to obtain a 1-bit value;

The specific operation steps are:

a) Repeat step 3; if the 4×4 S-box permutation corresponding to the newly generated random number R_i has already been selected, perform step b) until the 4×4 S-box permutation corresponding to the newly generated random number R_i is one that has not been selected;

b) XOR the bits of R_i together to obtain R_i*, that is: […]

Step 5: select a distinguishing function and reselect the next 4×4 S-box permutation; if it is still a previously selected 4×4 S-box permutation, continue with step 5 until the 4×4 S-box permutation found is one not previously selected, then jump back to step 3;

Specifically: choose a distinguishing function f(R_i*).

If R_i*, the result of XORing the bits of R_i together, is "0", permutation […] is selected; if R_i* is "1", permutation […] is selected. If the permutation so selected is still a previously selected 4×4 S-box permutation, this step is repeated until the 4×4 S-box permutation found is one not previously selected.

Step 6: repeat steps 3 to 5 until all 4×4 S-box permutations have been selected.

Beneficial effects of the invention: the method for implementing multiple S-boxes of a block cipher resistant to differential power attack provided by the invention occupies essentially the same resources as the prior-art methods for resisting differential power attack, the resource consumption increasing by only 3% of the total, yet it uses only one random number of g(n) bits, far fewer than other masking schemes, which greatly increases the difficulty of the data processing in a differential power attack. Moreover, because of the randomness of the distinguishing function f(R_i*), the length of the power trace covering the S-box's key-dependent data differs each time the attacker captures it, which greatly increases the difficulty of aligning the power traces in the later stage of DPA.

The invention is described in further detail below with reference to the accompanying drawings.

Description of the drawings

Fig. 1 is a flow chart of the computation process of the method for implementing multiple S-boxes of a block cipher resistant to differential power attack.

Fig. 2 is a schematic diagram of the multidimensional serial reusable S-box framework S′.

Fig. 3 shows the registers corresponding to the S-box.

Fig. 4 shows the internal structure of Reg.

Fig. 5 shows the internal structure of the flip-flop.

Detailed description

To further explain the technical means and effects adopted by the present invention to achieve its intended purpose, the specific embodiments, structural features and effects of the invention are described in detail below with reference to the accompanying drawings and examples.

Example 1

To protect the S-box implementation more effectively, the present invention provides the method for implementing multiple S-boxes of a block cipher resistant to differential power attack shown in Fig. 1. Using pipelining, three stages of registers are inserted into the multidimensional serial reusable S-box framework, so that the speed of the cryptographic operation does not fall too much compared with the original scheme, and efficiency is improved.

Using the randomized-input technique for the multiple S-boxes of the block cipher, an attacker performing a differential power attack cannot align the traces by the relevant statistical differencing method after capturing them, so the differential power attack fails and the security of the block cipher implementation is improved.

The specific scheme comprises the following steps:

Step 1: select a block cipher algorithm, convert the multiple parallel S-boxes to obtain 4×4 S-box permutations, and number the 4×4 S-box permutations from 0 to n-1 (here, according to Nikova's theory, such a permutation is secure only when the number of input bits n ≥ 4; we also note that in current cipher designs the smallest S-box is of size 4×4, so it is logical for this scheme to assume that the smallest permutation in the generated S-box framework is 4×4);

The specific operation steps are:

A. Convert the n independent parallel S-boxes into one multidimensional serial reusable S-box framework S′ by means of a compression algorithm;

B. Number the 4×4 S-box permutations in S′, that is: […]

where m_{n-1} denotes the input of the (n-1)-th 4-bit S-box permutation, S_{n-1}(m_{n-1}) denotes the output of the (n-1)-th 4-bit S-box permutation, and S′ denotes the multidimensional serial reusable S-box framework.

Step 2: the circuit performs the S-box operation and generates a random number whose value lies within the numbering range of the 4×4 S-box permutations, and selects the 4×4 S-box permutation corresponding to that random number;

The specific operation steps are:

1) Before the circuit performs the S-box operation, a random number R_1 is generated, namely

R_1 = (r_1, r_2, …, r_{g(n)})   (2)

where 0 ≤ R_1 ≤ n-1 and g(n) denotes the number of binary bits corresponding to n, the number of 4×4 S-boxes actually taking part in the operation;

2) The value of R_1 selects the corresponding 4×4 S-box permutation entering S′, that is, the permutation is […], where […] denotes the result of the 4×4 S-box permutation.

Step 3: generate the next random number by the random-number update algorithm, and select the 4×4 S-box permutation corresponding to that random number;

That is: XOR the random number R_1 with the output of the first selected 4×4 S-box permutation entering S′; the result is used as the random number R_2 that selects the next 4×4 S-box permutation, that is: […]

Step 4: repeat step 3; if the 4×4 S-box permutation corresponding to the newly generated random number has already been selected, XOR the bits of the newly generated random number together to obtain a 1-bit value;

The specific operation steps are:

a) Repeat step 3; if the 4×4 S-box permutation corresponding to the newly generated random number R_i has already been selected, perform step b) until the 4×4 S-box permutation corresponding to the newly generated random number R_i is one that has not been selected;

b) XOR the bits of R_i together to obtain R_i*, that is: […]

Step 5: select a distinguishing function and reselect the next 4×4 S-box permutation; if it is still a previously selected 4×4 S-box permutation, continue with step 5 until the 4×4 S-box permutation found is one not previously selected, then jump back to step 3;

Specifically: choose a distinguishing function f(R_i*).

If R_i*, the result of XORing the bits of R_i together, is "0", permutation […] is selected; if R_i* is "1", permutation […] is selected. If the permutation so selected is still a previously selected 4×4 S-box permutation, this step is repeated until the 4×4 S-box permutation found is one not previously selected.

Step 6: repeat steps 3 to 5 until all 4×4 S-box permutations have been selected.

The method for implementing multiple S-boxes of a block cipher resistant to differential power attack has the following advantages:

(1) The scheme uses only a random number of g(n) bits, far fewer than other masking schemes;

(2) Because of the randomness of the distinguishing function f(R_i*), the length of the power trace covering the S-box's key-dependent data differs each time the attacker captures it, which greatly increases the difficulty of aligning the power traces in the later stage of DPA;

(3) In terms of resources, whether the scheme is implemented with lookup tables or with logic gates, its resource consumption does not increase much compared with the original implementation;

(4) In terms of speed, because the scheme converts the originally parallel S-boxes into serial S-boxes, a pipeline method can be used, so that the speed does not drop much compared with the original scheme.

Example 2

The invention is further described in detail taking the block cipher algorithm DES as an example.

Although we know that DES with its 56-bit key has been shown to be insecure in many applications, we also know that Triple-DES is still widely used in electronic payment, and because it has a 112-bit key it has been proven secure.

DES is a symmetric cipher, also known as the US Data Encryption Standard, a symmetric encryption algorithm developed by IBM in the United States in 1972. The plaintext is divided into 64-bit blocks; the key is 64 bits long, of which in fact 56 bits take part in the DES operation (bits 8, 16, 24, 32, 40, 48, 56 and 64 are parity bits, so that each key has an odd number of ones); the ciphertext block is formed from the plaintext block and the 56-bit key by bit-wise substitution and permutation.

According to the DES algorithm, its S-box stage consists of eight 6×4 S-boxes in parallel; in each S-box, bits 1 and 6 of the 6-bit input determine which of four 4×4 permutations the 4-bit input formed by bits 2 to 5 enters. Thus the eight 6×4 S-boxes are in fact composed of thirty-two 4×4 S-boxes. We implement the DES S-boxes following the flow of the scheme; the specific steps are as follows:

1. Convert the eight 6×4 S-boxes of DES into thirty-two 4×4 S-boxes and, using Bilgin's reuse idea, convert the n independent parallel S-boxes into one multidimensional serial reusable S-box framework S′ by a compression algorithm. The logic diagram after conversion is shown in Fig. 2, where GK, GL, F, A_ij, B_ij and C_ij are known permutations; for the specific permutations see reference [1].

2. Since eight 4×4 S-boxes actually take part in the DES S-box operation, n = 8 and g(n) = 3. To satisfy the requirements of the subsequent algorithm, we apply a correction to g(n).

Let g(n)′ = g(n) + 1 = 4, so the generated random number is R_1 = (r_1, r_2, …, r_{g(n)′}) = (r_1, r_2, r_3, r_4), 0 ≤ R_1 ≤ 15.

3. Let R_1′ = (r_2, r_3, r_4); the value of R_1′ selects the first 4×4 S-box permutation entering S′, that is, the permutation is […].

4. XOR the random number R_1 with the output of the first selected 4×4 S-box permutation entering S′; the result is used as the random number selecting the next 4×4 S-box permutation.

5. Repeat steps 3 and 4; if the 4×4 S-box permutation corresponding to the newly generated random number R_i has already been selected, perform step 6.

6. XOR the bits of R_i together to obtain R_i*, that is: […]

7. Choose a distinguishing function f(R_i*).

If R_i*, the result of XORing the bits of R_i together, is "0", permutation […] is selected; if it is "1", permutation […] is selected. If the permutation so selected is still a previously selected 4×4 S-box permutation, this step is repeated until the 4×4 S-box permutation found is one not previously selected, then jump back to step 3.

8. Repeat the above steps until all eight 4×4 S-box permutations have been selected and have entered the multidimensional serial reusable S-box framework.
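As an added example (not the patent's own code), the following Python shows the DES S1 row split of step 1 and the randomized, data-dependent evaluation order of steps 2 to 8 above (the same steps 2 to 6 of Example 1) for n = 8 boxes, together with the check a defender wants: every box is used exactly once and the outputs equal the original parallel evaluation for every R_1. The distinguishing function f(R_i*) and the bit convention for R_1′ are assumptions, since the page does not reproduce those formulas, and the eight permutations and their inputs are constructed sample data.

```python
"""Randomized-order evaluation of n 4x4 S-box permutations (steps 2-6 of the
scheme) plus the DES S1 split from Example 2. Added example, not the patent's
code; the distinguishing function is an ASSUMPTION (its formula is not on the page)."""
import random

# Standard DES S-box S1 (4 rows x 16 columns). Bits 1 and 6 of the 6-bit input
# choose the row, which is one of four 4x4 permutations; bits 2-5 index into it.
DES_S1 = [
    14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
    0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
    4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
    15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,
]

def split_6x4_sbox(sbox):
    """Return the four 4x4 permutations (rows) inside one DES 6x4 S-box."""
    rows = [list(sbox[16 * r:16 * (r + 1)]) for r in range(4)]
    for row in rows:                       # every DES row permutes 0..15
        assert sorted(row) == list(range(16))
    return rows

def des_sbox_lookup(sbox, x6):
    """Standard DES lookup: outer bits pick the row, middle four the column."""
    row = ((x6 >> 5) & 1) << 1 | (x6 & 1)
    col = (x6 >> 1) & 0xF
    return split_6x4_sbox(sbox)[row][col]

def parity(x):
    """R_i*: the XOR of all bits of R_i, a 1-bit value (step 4 / step b)."""
    return bin(x).count("1") & 1

def scan_alternative(k, r_star, used):
    """ASSUMED stand-in for the distinguishing function f(R_i*): the page only
    says f picks one permutation when R_i* = 0 and another when R_i* = 1, so
    here parity 0 scans upward and parity 1 downward to the next unused index."""
    n, step = len(used), (1 if r_star == 0 else -1)
    while used[k]:
        k = (k + step) % n
    return k

def randomized_sbox_order(perms, inputs, r1, distinguish=scan_alternative):
    """Feed the n permutations into S' in a random, data-dependent order.
    perms[k] is permutation number k, inputs[k] its 4-bit input m_k, r1 the
    circuit's random number of g(n)' = g(n)+1 bits (Example 2's correction).
    Returns (order, outputs) with outputs[k] = perms[k][inputs[k]] for every k."""
    n = len(perms)
    assert n and n & (n - 1) == 0, "example assumes n is a power of two (n = 8 for DES)"
    g = (n - 1).bit_length()               # g(n): bits needed to number 0..n-1
    width = g + 1                          # g(n)' = g(n) + 1
    assert 0 <= r1 < (1 << width)
    idx_mask, r_mask = (1 << g) - 1, (1 << width) - 1
    used, order, outputs = [False] * n, [], [None] * n
    r = r1
    k = r & idx_mask                       # R_1' = the g(n) low-order bits (assumes r_4 is the LSB)
    while len(order) < n:
        if used[k]:                        # steps 4-5: collision, apply f(R_i*)
            k = distinguish(k, parity(r), used)
        used[k] = True
        order.append(k)
        out = perms[k][inputs[k]]
        outputs[k] = out
        r = (r ^ out) & r_mask             # step 3: R_{i+1} = R_i XOR S_k(m_k)
        k = r & idx_mask
    return order, outputs

def constructed_perms(n, seed=2017):
    """CONSTRUCTED sample: n distinct 4x4 permutations standing in for the eight
    DES rows a given input selects (the real rows depend on bits 1 and 6)."""
    rng = random.Random(seed)
    perms = []
    for _ in range(n):
        p = list(range(16))
        rng.shuffle(p)
        perms.append(p)
    return perms

SAMPLE_PERMS = constructed_perms(8)
SAMPLE_INPUTS = [0x3, 0xA, 0x7, 0xC, 0x0, 0xF, 0x9, 0x5]   # constructed m_0..m_7

def check_equivalence(perms, inputs, r1):
    """Defender's check: each box is used exactly once and the outputs equal the
    original parallel evaluation, whichever r1 the circuit drew."""
    order, outputs = randomized_sbox_order(perms, inputs, r1)
    parallel = [p[m] for p, m in zip(perms, inputs)]
    return sorted(order) == list(range(len(perms))) and outputs == parallel
```

Because the update R_{i+1} = R_i XOR S_k(m_k) mixes S-box outputs into the index, the order in which boxes enter S′ depends on both the secret random number and the data, which is what the page relies on to defeat trace alignment.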

Finally, the security of the scheme of the invention is explained.

Security analysis of the scheme

Theory of power analysis

A DPA attack targets the outputs of the registers corresponding to the S-box in the cipher circuit. Taking a 4×4 S-box as an example, the figure shows the concrete circuit; the power region in Fig. 3 is the area from which the attacker wants to collect power consumption.

This region consists of four 1-bit registers, each reg holding one bit of the S-box output; the internal structure of a reg is shown in Fig. 4.

Each reg consists of a small number of control devices and one D flip-flop, as shown in Fig. 5; the D flip-flop in turn consists of six NAND gates.

Therefore, when the input D toggles, the CMOS transistors inside about eight AND gates, one OR gate and one NOT gate produce instantaneous dynamic power consumption, and an attacker can use the collected power consumption to attack the device with DPA.

This scheme uses the technique of random input to the 4×4 S-boxes, so that in the multidimensional serial reusable S-box framework the correct key can only be recovered by guessing the key and the random number simultaneously. The possible outcomes for the key-dependent data and the power value under each guess of key and random number are shown in Table 1.

Case            Key guess   Random-number guess   Key data       Power value
Possibility 1   correct     correct               determinable   determinable
Possibility 2   correct     wrong                 random         random
Possibility 3   wrong       correct               random         random
Possibility 4   wrong       wrong                 random         random

Table 1

Next we compute the probability that the attacker recovers the key. The probability of guessing one key group correctly is 1/16, and the probability of guessing the 4×4 S-box correctly is 1/8. Suppose the attacker uses n groups of plaintext in the differential power attack.

The probability of deriving the key corresponding to the i-th 4×4 S-box is then at most (1/2)^(3(n+4)).

Since n in a differential power attack is generally between about 1000 and 2000, it can be seen that the attacker can only confirm the correct key by guessing the key and the random number at the same time. Moreover, in the later data processing, because the invention uses the distinguishing function f(R_i*), it is also very difficult for the attacker to align all the target traces.

The above is a further detailed description of the present invention in conjunction with specific preferred embodiments, and it should not be held that the specific implementation of the invention is limited to these descriptions. For those of ordinary skill in the technical field of the invention, several simple deductions or substitutions can be made without departing from the concept of the invention, and all of them should be regarded as falling within the scope of protection of the invention.

[1] Bilgin B, Knezevic M, Nikov V, et al. Compact Implementations of Multi-Sbox Designs. In: International Conference on Smart Card Research and Advanced Applications. Springer International Publishing, 2015: 273-285.

Claims (6)

1. A method for implementing multiple S-boxes of a block cipher that resists differential power attack, characterized in that it comprises the following steps:
Step 1: select a block cipher, transform its multiple parallel S-boxes to obtain n 4×4 S-box permutations, and number the 4×4 S-box permutations from 0 to n-1;
Step 2: when performing the S-box operation, generate a random number and select the 4×4 S-box permutation corresponding to that random number;
Step 3: generate the next random number by a random-number update algorithm, and select the 4×4 S-box permutation corresponding to that random number;
Step 4: repeat step 3; if the 4×4 S-box permutation corresponding to the newly generated random number is found to have already been selected, XOR the bits of the newly generated random number together bit by bit to obtain a 1-bit number;
Step 5: select a distinguishing function and reselect the next 4×4 S-box permutation; if it is still an already selected 4×4 S-box permutation, continue executing step 5 until the 4×4 S-box permutation found is one not previously selected, then jump back to step 3;
Step 6: repeat steps 3 to 5 until all 4×4 S-box permutations have been selected.
2. A method for implementing multiple S-boxes of a block cipher that resists differential power attack, characterized in that the specific operating steps of step 1 are:
A. convert the n independent parallel S-boxes, by a compression algorithm, into a multi-dimensional serial reusable S-box framework S';
B. number the 4×4 S-box permutations in S', i.e.,
where m_{n-1} represents the input of the (n-1)th 4-bit S-box permutation, S_{n-1}(m_{n-1}) represents the output of the (n-1)th 4-bit S-box permutation, and S' represents the multi-dimensional serial reusable S-box framework.
3. The method for implementing multiple S-boxes of a block cipher that resists differential power attack according to claim 1, characterized in that step 2 comprises the following steps:
1) before performing the S-box operation, generate a random number R_1, i.e.,
R_1 = (r_1, r_2, …, r_{g(n)}) (2)
where 0 ≤ R_1 ≤ n-1, and g(n) represents the number of binary bits corresponding to the number n of 4×4 S-boxes actually participating in the operation;
2) select, by the value of R_1, the corresponding 4×4 S-box permutation for entry into S', i.e., this permutation is , where represents the result of the 4×4 S-box permutation.
4. The method for implementing multiple S-boxes of a block cipher that resists differential power attack according to claim 1, characterized in that the specific operation of step 3 is:
XOR the random number R_1 with the output of the selected first 4×4 S-box permutation entering S', and take the obtained result as the random number R_2 for selecting the next 4×4 S-box permutation, i.e.,
5. The method for implementing multiple S-boxes of a block cipher that resists differential power attack according to claim 1, characterized in that step 4 comprises the following steps:
a) repeat step 3; if the 4×4 S-box permutation corresponding to the newly generated random number R_i is found to have already been selected, execute step b) until the 4×4 S-box permutation corresponding to the newly generated random number R_i has not been selected before;
b) XOR the bits of R_i together bit by bit to obtain R_i^*, i.e.,
6. The method for implementing multiple S-boxes of a block cipher that resists differential power attack according to claim 1, characterized in that the specific operation of step 5 is: select a distinguishing function f(R_i^*).
If the result R_i^* of the bit-by-bit XOR of R_i is "0", select permutation ; if R_i^* is "1", select permutation . If the selection is still an already selected 4×4 S-box permutation, continue executing this step until the 4×4 S-box permutation found is a permutation not previously selected.
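The claimed procedure (steps 1 to 6) as an added, runnable example; this is not the patent's own code. Assumptions are labelled: the PRESENT 4×4 S-box stands in for every one of the n slices, the step-3 update XORs the index actually used with the S-box output and truncates to g(n) bits, and the unspecified distinguishing function of step 5 probes downward when the parity bit is 0 and upward when it is 1.

```python
# Added example (not the patent's own code): a 4x4 S-box layer whose n slots are
# visited in the data-dependent random order of the claims, so that the power
# trace of each S-box lookup is not tied to a fixed time slot.
# Assumptions: all slices use the PRESENT S-box (constructed choice); the step-3
# update truncates R_i XOR output to g(n) bits; step 5's distinguishing function
# is taken as "probe downward if the parity bit is 0, upward if it is 1".

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # constructed choice


def parity_bit(value: int) -> int:
    """Step 4: XOR all bits of the random number together, giving R_i^*."""
    return bin(value).count("1") & 1


def randomized_sbox_layer(nibbles, sbox=PRESENT_SBOX, r1=0):
    """Apply `sbox` to every 4-bit nibble, visiting the n slots in the order
    produced by steps 2-6. Returns (outputs, visit_order)."""
    n = len(nibbles)
    if n & (n - 1):
        raise ValueError("example assumes n is a power of two so g(n) bits index 0..n-1")
    g = (n - 1).bit_length()          # g(n): bits needed for slot numbers 0..n-1
    mask = (1 << g) - 1
    outputs = [None] * n
    used = [False] * n
    order = []
    r = r1 & mask                      # step 2: R_1 picks the first slot
    for _ in range(n):
        if used[r]:                    # step 4: collision with a used slot
            step = -1 if parity_bit(r) == 0 else 1   # step 5 (assumed rule)
            while used[r]:             # keep probing until an unused slot is found
                r = (r + step) % n
        outputs[r] = sbox[nibbles[r]]
        used[r] = True
        order.append(r)
        # step 3: R_{i+1} = R_i XOR (output of the S-box just computed), truncated
        r = (r ^ outputs[r]) & mask
    return outputs, order


if __name__ == "__main__":
    out, visits = randomized_sbox_layer(list(range(16)), r1=5)
    print("outputs:", [hex(v) for v in out])
    print("visit order:", visits)
```

Every nibble still receives the same substitution; only the time at which each slot is processed depends on the random start value and the intermediate outputs.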
CN201710150435.8A 2017-03-14 2017-03-14 A method for implementing multiple S-boxes of block ciphers against differential power attack Active CN107204841B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710150435.8A CN107204841B (en) 2017-03-14 2017-03-14 A method for implementing multiple S-boxes of block ciphers against differential power attack

Publications (2)

Publication Number Publication Date
CN107204841A true CN107204841A (en) 2017-09-26
CN107204841B CN107204841B (en) 2020-01-07

Family

ID=59904891

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710150435.8A Active CN107204841B (en) 2017-03-14 2017-03-14 A method for implementing multiple S-boxes of block ciphers against differential power attack

Country Status (1)

Country Link
CN (1) CN107204841B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107222304A (en) * 2017-06-06 2017-09-29 河南大学 A circuit structure of multi-body parallel S-boxes
CN108737067A (en) * 2018-04-04 2018-11-02 中国电子科技集团公司第三十研究所 A partitioning method based on S-boxes
CN110336656A (en) * 2019-06-04 2019-10-15 湖北大学 A Class of Binomial APN Functions Over Finite Fields with Odd Characters and Its Generation Method
CN110401627A (en) * 2019-01-31 2019-11-01 中国科学院软件研究所 A security evaluation method and system for anti-differential fault attack security applicable to block cipher algorithm infection protection
CN111339577A (en) * 2020-02-12 2020-06-26 南京师范大学 A construction method of S-box with excellent DPA resistance

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070140478A1 (en) * 2005-12-15 2007-06-21 Yuichi Komano Encryption apparatus and encryption method
CN101866401A (en) * 2010-05-17 2010-10-20 武汉大学 The Method of Evolving S-Box Against Side-channel Attacks
CN103647638A (en) * 2013-12-03 2014-03-19 北京中电华大电子设计有限责任公司 DES masking method for resisting side-channel attack
CN103795527A (en) * 2014-03-03 2014-05-14 重庆大学 Software mask defense scheme capable of preventing attack on advanced encryption standard (AES) algorithm based on power analysis
CN104410490A (en) * 2014-12-16 2015-03-11 桂林电子科技大学 Method for protecting cryptographic S-box (substitution-box) through nonlinear extrusion

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
BODHISATWA MAZUMDAR ; DEBDEEP MUKHOPADHYAY ; INDRANIL SENGUPTA: "Design for Security of Block Cipher S-Boxes to Resist Differential Power Attacks", 《2012 25TH INTERNATIONAL CONFERENCE ON VLSI DESIGN》 *
张帅伟, 杨晓元, 钟卫东, 魏悦川: "A combined side-channel attack method against block cipher S-boxes", 《计算机应用研究》 *
李浪: "Research on power analysis attacks and countermeasures for block cipher chips", 《中国博士学位论文全文数据库 信息科技辑》 *

Also Published As

Publication number Publication date
CN107204841B (en) 2020-01-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant