CN108173642A: An AES hardware implementation method resistant to higher-order differential power analysis (Google Patents)

Publication number: CN108173642A
Authority: CN (China)
Prior art keywords: linear, multiplication, aes, shiftrows, mixcolumns
Legal status: Pending
Application number: CN201810234498.6A
Other languages: Chinese (zh)
Inventors: 孙海林, 高洪波, 周婉婷, 李磊, 金瓯
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China
Priority date: 2018-03-21
Filing date: 2018-03-21
Publication date: 2018-06-15
Application filed by University of Electronic Science and Technology of China; priority to CN201810234498.6A; published as CN108173642A; legal status pending.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L 9/06: Encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators
    • H04L 9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using a fixed encryption transformation
    • H04L 9/0631: Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms

Abstract

The invention belongs to the field of integrated circuits and concerns an AES hardware implementation method resistant to higher-order differential power analysis (DPA). Its core idea is to decompose the complex nonlinear S-box into a low-dimensional nonlinear part and a linear part, which reduces the cost of masking the nonlinear part. The invention is claimed to resist d-th order DPA without any lower-order leakage; its complexity is low, O(d) for the linear part and O(d(d-1)) for the nonlinear part; and the method is well suited to application-specific integrated circuit (ASIC) implementation, where folding and pipelining let it be adapted to scenarios with different throughput requirements.

Description

An AES hardware implementation method resistant to higher-order differential power analysis
Technical field
The invention belongs to the field of integrated circuits and concerns an AES hardware implementation method resistant to higher-order differential power analysis (DPA).
Background technology
The Advanced Encryption Standard (AES) is the encryption standard published by the US National Institute of Standards and Technology (NIST) in 2001; it is widely used because it resists direct cryptanalysis and lends itself to hardware implementation. No direct attack has broken AES, but differential power analysis (DPA) allows the key to be recovered by statistical analysis of the power consumption of an implementation.
DPA recovers the key by statistical analysis. The attacker first selects some bit of an intermediate function whose value is computed from the plaintext and a part of the key. A common choice is a bit of the output of the byte substitution (S-box) in the first round of AES encryption or decryption; a bit of the XOR of the plaintext with the first round key may also be chosen. Attacking bit by bit and step by step, the attacker recovers the key in parts. In the worst case every possible value of the key part must be tested, but because the key is attacked in segments the effective attack cost drops exponentially. For example, if the attacker targets the first output bit of the first S-box (the nonlinear substitution component of the cipher) in the first round of AES encryption, each attack targets an 8-bit subkey and needs at most 256 guesses; for a 128-bit key, 16 such attacks are needed, for a total of 256 × 16 = 2^12 hypotheses. Guessing the 128-bit key directly would cost 2^128, which cannot be attacked in any meaningful time.
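As an added illustration of the attack just described (example code, not part of the patent or its inventors' work): a simulated first-order correlation power analysis against a first-round AES S-box output under a Hamming-weight leakage model. The S-box is computed from its definition (GF(2^8) inversion followed by the affine map) rather than tabulated; the "traces" are constructed inline with a fixed seed and additive Gaussian noise of assumed standard deviation 1.0; the key is the FIPS-197 example key, used as a stand-in. Each byte is attacked independently with 256 hypotheses, which is the 256 × 16 = 2^12 work factor of the passage.

```python
"""Added example: simulated first-order CPA on a first-round AES S-box output.
Illustration only (not from the patent). Traces are constructed; key is a stand-in."""
import random


def gf256_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
    return r


def gf256_inv(x):
    """x^254 = x^-1 by square-and-multiply; 0 maps to 0 as in AES."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf256_mul(r, base)
        base = gf256_mul(base, base)
        e >>= 1
    return r if x else 0


def build_sbox():
    """AES S-box from its definition: affine map applied to the GF(2^8) inverse."""
    sbox = []
    for x in range(256):
        v = gf256_inv(x)
        s = v
        for k in range(1, 5):                      # v ^ rotl(v,1) ^ ... ^ rotl(v,4)
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]      # Hamming-weight leakage model
EXAMPLE_KEY = [0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
               0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C]   # FIPS-197 key, stand-in


def simulate_traces(key, n, sigma, rng):
    """Constructed leakage: one sample per byte position, HW(Sbox(p ^ k)) plus noise."""
    pts = [[rng.randrange(256) for _ in range(16)] for _ in range(n)]
    traces = [[HW[SBOX[p[b] ^ key[b]]] + rng.gauss(0.0, sigma) for b in range(16)]
              for p in pts]
    return pts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def recover_key_byte(pts, traces, b):
    """256 subkey hypotheses for byte b; the best-correlating predicted leakage wins."""
    samples = [t[b] for t in traces]
    inputs = [p[b] for p in pts]
    return max(range(256),
               key=lambda k: abs(pearson([HW[SBOX[x ^ k]] for x in inputs], samples)))


def recover_key(key, n_traces=150, sigma=1.0, seed=7):
    """Whole 128-bit key as 16 independent byte attacks: 256 x 16 = 2^12 hypotheses."""
    rng = random.Random(seed)
    pts, traces = simulate_traces(key, n_traces, sigma, rng)
    return [recover_key_byte(pts, traces, b) for b in range(16)]


if __name__ == "__main__":
    print("recovered:", recover_key(EXAMPLE_KEY) == EXAMPLE_KEY)
```

Lowering `n_traces` or raising `sigma` shows the trade-off the passage alludes to: the attack needs only enough traces for the correct hypothesis to stand out from the noise, never more than 256 candidates per byte.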
Against DPA, the IBM team proposed masking in [CRYPTO 1999], which effectively suppresses side-channel leakage but is difficult to realise in hardware. Graz University of Technology proposed in [ACNS 2006] to cover the side-channel leakage with random numbers, but the effect later proved unsatisfactory. The DPA countermeasure of [Chari-Jutla-Rao-Rohatgi CRYPTO'99] has likewise been shown to hold only under certain conditions. The Ishai-Sahai-Wagner (ISW) scheme for resisting d-th order DPA was proven by Ishai et al. to be secure only at order d/2, and the classical RP10 algorithm also leaks at order d/2 in its d-th order masking of the S-box. Moreover, the ISW construction is too large in area for hardware, and the complexity of RP10 grows exponentially with the order, which is also unfavourable for hardware implementation.
Invention content
In view of the above problems, the purpose of the invention is to propose a new AES hardware implementation method resistant to higher-order DPA that effectively protects the key.
The technical solution adopted in the present invention is:
The AES hardware implementation method resistant to higher-order differential power analysis comprises the following steps, where every sum is bitwise XOR, written ⊕:
A. Split the plaintext input x of the AES encryption into the XOR of d+1 random shares:
$x = x_0 \oplus x_1 \oplus \cdots \oplus x_d$ (1)
B. The ShiftRows, MixColumns and AddRoundKey modules of the AES encryption circuit are masked at order d share-wise, since they are linear:
$\mathrm{AddRoundKey}(x) = \mathrm{addRoundKey}(x_0) \oplus \mathrm{addRoundKey}(x_1) \oplus \cdots \oplus \mathrm{addRoundKey}(x_d)$ (2)
$\mathrm{ShiftRows}(x) = \mathrm{shiftRows}(x_0) \oplus \mathrm{shiftRows}(x_1) \oplus \cdots \oplus \mathrm{shiftRows}(x_d)$ (3)
$\mathrm{MixColumns}(x) = \mathrm{mixColumns}(x_0) \oplus \mathrm{mixColumns}(x_1) \oplus \cdots \oplus \mathrm{mixColumns}(x_d)$ (4)
where shiftRows is the row shift of the AES circuit, mixColumns its column mixing and addRoundKey its round-key addition. AddRoundKey is affine rather than linear: (2) holds only if the round key is XORed into exactly one share (or is itself shared), because XORing it into all d+1 shares contributes (d+1)·k, which cancels whenever d+1 is even.
C. The nonlinear part, the S-box. The DPA-resistant design of the S-box is the core of the invention. The idea is to decompose the complex nonlinear S-box into a low-dimensional nonlinear part and a linear part, which reduces the cost of masking the nonlinear part. Specifically:
The S-box processes the 128-bit state as 16 parallel 8-bit bytes; every byte is handled identically, so only one byte is described below.
c1. Decompose the S-box into the GF(2^8) multiplicative inverse Inv followed by an affine transformation Af:
$\mathrm{Sbox}(x) = \mathrm{Af}(\mathrm{Inv}(x))$ (5)
c2. The affine transformation Af is a linear operation (plus a constant) and is masked share-wise:
$\mathrm{Af}(x) = \mathrm{Af}(x_0 \oplus x_1 \oplus \cdots \oplus x_d)$ (6)
that is, the linear part of Af is applied to every share and its constant is added to one share only.
c3. Reduce the GF(2^8) inversion to the composite field GF((2^4)^2). After the reduction, the linear parts are the GF(2^8) to GF((2^4)^2) mapping, the GF(2^4) multiplication by the constant λ, and addition; the nonlinear parts are the GF(2^4) inversion Inv4 and the GF(2^4) multiplication Mult. The linear parts are masked as in the preceding steps.
c4. The GF(2^4) multiplication Mult is masked as follows:
c41. Let a and b be the two multiplicands, shared as $a = a_0 \oplus a_1 \oplus \cdots \oplus a_d$ and $b = b_0 \oplus b_1 \oplus \cdots \oplus b_d$.
c42. For i from 0 to d, iterate step c43:
c43. For j from i+1 to d, with r a random number and n the random seed, iterate:
$r_{i,j} \leftarrow \mathrm{rand}(n)$
$r_{j,i} \leftarrow (r_{i,j} \oplus a_i b_j) \oplus a_j b_i$
The bracketing is essential: $a_i b_j$ is XORed onto the fresh random value before $a_j b_i$ is added, so that $a_i b_j \oplus a_j b_i$ is never formed in the clear.
c44. For i from 0 to d, with c the shared product of a and b, iterate:
$c_i \leftarrow a_i b_i$
c45. For i from 0 to d and every j ≠ i, iterate:
$c_i \leftarrow c_i \oplus r_{j,i}$
c5. The GF(2^4) inversion is masked using
$x^{-1} = x^{14} = x^2 \cdot x^4 \cdot x^8$ (7)
$x^2$, $x^4$ and $x^8$ are linear maps over GF(2) and are masked share-wise; the two products are computed with the masked multiplication of step c4.
The beneficial effects of the invention are that it resists d-th order DPA attacks without any lower-order leakage; its complexity is low, O(d) for the linear part and O(d(d-1)) for the nonlinear part; and the method is well suited to application-specific integrated circuit (ASIC) implementation, where folding and pipelining let it be adapted to scenarios with different throughput requirements.
Description of the drawings
Fig. 1: circuit structure of the S-box reduced from GF(2^8) to GF(2^4);
Fig. 2: GF(2^4) squaring circuit;
Fig. 3: GF(2^4) constant-multiplication circuit;
Fig. 4: structure of the GF(2^4) multiplication;
Fig. 5: d-th order DPA-resistant GF(2^4) multiplication;
Fig. 6: d-th order DPA-resistant GF(2^4) inversion.
Specific embodiment
The concrete methods of realizing of the present invention is provided below in conjunction with the accompanying drawings:
In the scheme of the invention the random numbers are generated by a linear feedback shift register (LFSR), and the plaintext input is then expressed as the XOR of d+1 random shares; an LFSR is predictable from its state, so its seed must come from a source the attacker cannot observe.
ShiftRows, mixColumns and addRoundKey are the original algorithm modules of the AES circuit and can be implemented directly from the standard;
The block diagram of the S-box dimension-reduction circuit is shown in Fig. 1; Figs. 2, 3 and 4 show the implementations of the corresponding blocks of Fig. 1. After the reduction, the linear blocks of the circuit are handled by the method of the invention content, and the nonlinear blocks as follows:
Fig. 5 shows the DPA-resistant GF(2^4) multiplication, drawn with four shares $x = x_0 \oplus x_1 \oplus x_2 \oplus x_3$ and $y = y_0 \oplus y_1 \oplus y_2 \oplus y_3$; in the figure the multiplication symbol denotes ordinary GF(2^4) multiplication, the addition symbol GF(2^4) addition, and r a random number. The output shares are those of step c4.
Fig. 6 shows the DPA-resistant GF(2^4) inversion. X is an element of GF(2^4) and the squaring symbol denotes GF(2^4) squaring. If $z = X^4 = z_1 \oplus z_2 \oplus z_3 \oplus z_4$, the refresh module re-randomises the shares of z so that $z = X^4 = z_5 \oplus z_6 \oplus z_7 \oplus z_8$; this removes the correlation with the random shares of $X^2$ and is what gives the resistance to DPA.

Claims (1)

1. An AES hardware implementation method resistant to higher-order differential power analysis, characterised by the following steps, where every sum is bitwise XOR, written ⊕:
A. Split the plaintext input x of the AES encryption into the XOR of d+1 random shares:
$x = x_0 \oplus x_1 \oplus \cdots \oplus x_d$ (1)
B. Mask the ShiftRows, MixColumns and AddRoundKey modules of the AES encryption circuit at order d share-wise, as linear functions:
$\mathrm{AddRoundKey}(x) = \mathrm{addRoundKey}(x_0) \oplus \mathrm{addRoundKey}(x_1) \oplus \cdots \oplus \mathrm{addRoundKey}(x_d)$ (2)
$\mathrm{ShiftRows}(x) = \mathrm{shiftRows}(x_0) \oplus \mathrm{shiftRows}(x_1) \oplus \cdots \oplus \mathrm{shiftRows}(x_d)$ (3)
$\mathrm{MixColumns}(x) = \mathrm{mixColumns}(x_0) \oplus \mathrm{mixColumns}(x_1) \oplus \cdots \oplus \mathrm{mixColumns}(x_d)$ (4)
where shiftRows is the row shift of the AES circuit, mixColumns its column mixing and addRoundKey its round-key addition (the round key, being an affine constant, is XORed into one share only);
C. For the nonlinear part, the S-box, decompose it into a low-dimensional nonlinear part and a linear part, specifically:
c1. Decompose the S-box into the GF(2^8) multiplicative inverse Inv followed by an affine transformation Af:
$\mathrm{Sbox}(x) = \mathrm{Af}(\mathrm{Inv}(x))$ (5)
c2. The affine transformation Af is a linear operation (plus a constant) and is masked share-wise:
$\mathrm{Af}(x) = \mathrm{Af}(x_0 \oplus x_1 \oplus \cdots \oplus x_d)$ (6)
c3. Reduce the GF(2^8) inversion to the composite field GF((2^4)^2). After the reduction, the linear parts are the GF(2^8) to GF((2^4)^2) mapping, the GF(2^4) multiplication by the constant λ, and addition; the nonlinear parts are the GF(2^4) inversion Inv4 and the GF(2^4) multiplication Mult. The linear parts are masked as in the preceding steps;
c4. The GF(2^4) multiplication Mult is masked as follows:
c41. Let a and b be the two multiplicands, shared as $a = a_0 \oplus a_1 \oplus \cdots \oplus a_d$ and $b = b_0 \oplus b_1 \oplus \cdots \oplus b_d$.
c42. For i from 0 to d, iterate step c43:
c43. For j from i+1 to d, iterate:
$r_{i,j} \leftarrow \mathrm{rand}(n)$
$r_{j,i} \leftarrow (r_{i,j} \oplus a_i b_j) \oplus a_j b_i$
where r is a random number and n the random seed; the bracketing is kept so that $a_i b_j \oplus a_j b_i$ is never formed in the clear;
c44. For i from 0 to d, iterate:
$c_i \leftarrow a_i b_i$
where c is the intermediate variable of the product of a and b;
c45. For i from 0 to d and every j ≠ i, iterate:
$c_i \leftarrow c_i \oplus r_{j,i}$
c5. The GF(2^4) inversion is masked using
$x^{-1} = x^{14} = x^2 \cdot x^4 \cdot x^8$ (7)
where $x^2$, $x^4$ and $x^8$ are linear and are masked share-wise.
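The following is an added, self-contained Python model of the masked GF(2^4) arithmetic of steps c4 and c5 (Figs. 5 and 6 of the description, restated in claim 1); it is illustration code, not the patent's circuit or an implementation by its inventors. The indices follow the page's c41 to c45 exactly. Assumptions the page does not fix: GF(2^4) is represented with the polynomial x^4 + x + 1; the random source is Python's `random` module rather than an LFSR; the refresh of Fig. 6 is implemented as an ISW multiplication by the trivial sharing (1, 0, ..., 0), because the simpler linear refresh of RP10 is known (Coron, Prouff, Rivain, Roche, FSE 2013) to be insufficient when composed with the x^2 · x^4 · x^8 multiplications at order 3 and above; and x^8 is refreshed as well as x^4. `add_constant` models the share-wise treatment of the affine constant in steps B and c2.

```python
"""Added example: d-th order masked GF(2^4) multiplication and inversion (steps c4/c5,
Figs. 5 and 6). Illustration only, not the patent's circuit. Field polynomial, random
source and refresh construction are assumptions."""
import random
from functools import reduce

POLY = 0b10011  # x^4 + x + 1 (assumed; the page does not name the GF(2^4) polynomial)


def gf16_mul(a, b):
    """Ordinary GF(2^4) multiplication (the unmasked Mult of Fig. 4)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY
    return r


def gf16_inv(x):
    """Reference inverse by exhaustive search; 0 maps to 0, matching x^14."""
    return next((y for y in range(16) if gf16_mul(x, y) == 1), 0)


def share(x, d, rng=None):
    """Step A / eq. (1): x = x0 ^ x1 ^ ... ^ xd with d uniformly random shares."""
    rng = random if rng is None else rng
    shares = [rng.randrange(16) for _ in range(d)]
    shares.append(x ^ reduce(lambda p, q: p ^ q, shares, 0))
    return shares


def unshare(shares):
    return reduce(lambda p, q: p ^ q, shares, 0)


def add_constant(shares, c):
    """Affine constant (round key, S-box constant): XOR into ONE share only.
    XORing c into every share adds (d+1)*c, which cancels when d+1 is even."""
    return [shares[0] ^ c] + shares[1:]


def secure_mult(a, b, rng):
    """Steps c41-c45 (ISW-style multiplication) with the page's index convention."""
    n = len(a)                                   # d + 1 shares
    r = [[0] * n for _ in range(n)]
    for i in range(n):                           # c42
        for j in range(i + 1, n):                # c43
            r[i][j] = rng.randrange(16)
            # bracketing matters: a_i b_j ^ a_j b_i must never exist unmasked
            r[j][i] = (r[i][j] ^ gf16_mul(a[i], b[j])) ^ gf16_mul(a[j], b[i])
    c = [gf16_mul(a[i], b[i]) for i in range(n)]  # c44
    for i in range(n):                           # c45
        for j in range(n):
            if j != i:
                c[i] ^= r[j][i]
    return c


def refresh(shares, rng):
    """Fig. 6 refresh: re-randomise a sharing without changing its value.
    Built as an ISW multiplication by the sharing (1,0,...,0) of 1 (assumption)."""
    one = [1] + [0] * (len(shares) - 1)
    return secure_mult(shares, one, rng)


def masked_square(shares):
    """x -> x^2 is GF(2)-linear in GF(2^4), so it acts share-wise (Fig. 2, step c5)."""
    return [gf16_mul(s, s) for s in shares]


def masked_inv(x_shares, rng):
    """Step c5 / eq. (7): x^-1 = x^14 = x^2 * x^4 * x^8 computed on shares."""
    x2 = masked_square(x_shares)
    x4 = masked_square(x2)
    x8 = masked_square(x4)
    t = secure_mult(x2, refresh(x4, rng), rng)    # Fig. 6 refreshes z = x^4
    return secure_mult(t, refresh(x8, rng), rng)  # x^8 refreshed too (assumption)


def check_masked_mult(d, trials=200, seed=2):
    """True if the masked product unmasks to gf16_mul for random operands."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.randrange(16), rng.randrange(16)
        if unshare(secure_mult(share(a, d, rng), share(b, d, rng), rng)) != gf16_mul(a, b):
            return False
    return True


def check_masked_inverse(d, seed=1):
    """True if the masked inverse unmasks to the reference inverse for all 16 inputs."""
    rng = random.Random(seed)
    return all(unshare(masked_inv(share(x, d, rng), rng)) == gf16_inv(x) for x in range(16))


if __name__ == "__main__":
    for d in (1, 2, 3, 4):
        print("d =", d, "mult ok:", check_masked_mult(d), "inv ok:", check_masked_inverse(d))
```

The checks only establish functional correctness of the sharing; they say nothing about leakage. Verifying the d-th order claim requires a probing-model argument or a measured t-test on the actual circuit, and the FSE 2013 result is exactly a case where a functionally correct composition failed that stronger test.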
Application CN201810234498.6A, filed 2018-03-21 (priority date 2018-03-21) by University of Electronic Science and Technology of China; published as CN108173642A on 2018-06-15; family ID 62512114; country status: CN, pending.

Cited By (4)

Publication number | Priority date | Publication date | Assignee | Title
CN109936437A * | 2019-04-10 | 2019-06-25 | 衡阳师范学院 | Power-analysis-resistant method based on a (d+1)-order mask
CN109936437B * | 2019-04-10 | 2020-01-31 | 衡阳师范学院 | Power-analysis-resistant method based on a (d+1)-order mask
CN116866038A * | 2023-07-12 | 2023-10-10 | 北京兆讯恒达技术有限公司 | Dynamic mask encryption method and dynamic mask encryption device
CN116866038B * | 2023-07-12 | 2024-06-11 | 北京兆讯恒达技术有限公司 | Dynamic mask encryption method and dynamic mask encryption device
* Cited by examiner

Patent Citations (5)

Publication number | Priority date | Publication date | Assignee | Title
CN101729241A * | 2008-10-23 | 2010-06-09 | 国民技术股份有限公司 | AES encryption method for resisting differential power attacks
US20120069998A1 * | 2010-09-17 | 2012-03-22 | Endo Tsukasa | Encryption device
US20160269175A1 * | 2015-03-09 | 2016-09-15 | Qualcomm Incorporated | Cryptographic cipher with finite subfield lookup tables for use in masked operations
CN106788974A * | 2016-12-22 | 2017-05-31 | 深圳国微技术有限公司 | Masked S-box, block-cipher key computation unit, device and corresponding construction method
CN107070633A * | 2017-03-20 | 2017-08-18 | 江苏大学 | AES mask encryption method resistant to higher-order power analysis
* Cited by examiner

Non-Patent Citations (2)

HeeSeok Kim et al., "A Fast and Provably Secure Higher-Order Masking of AES S-Box", Cryptographic Hardware and Embedded Systems, CHES 2011 *
Matthieu Rivain and Emmanuel Prouff, "Provably Secure Higher-Order Masking of AES", Cryptographic Hardware and Embedded Systems, CHES 2010 *
* Cited by examiner


Legal Events

Date | Code | Title
2018-06-15 | PB01 | Publication
 | SE01 | Entry into force of request for substantive examination
 | WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 20180615