CN108964874B - AES encryption method for resisting path difference attack - Google Patents


Info

Publication number
CN108964874B
Authority
CN
China
Prior art keywords
round
key
register
path
data
Legal status
Active (as listed by Google Patents; not a legal conclusion)
Application number
CN201710348988.4A
Other languages
Chinese (zh)
Other versions
CN108964874A (en)
Inventor
胡红钢
汪仔业
刘石刚
Current Assignee
University of Science and Technology of China USTC
Original Assignee
University of Science and Technology of China USTC
Priority date
2017-05-17
Filing date
2017-05-17
Publication date
2020-10-27

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms

Abstract

The invention discloses an AES encryption method for resisting path difference attack. The round key of each round is computed separately within that round, and the round key path and the round data path of every round are precisely controlled so that the round key and the round data reach the next calculation unit at the same time. This eliminates the path difference and thereby prevents a side channel attack based on it. At the same time, pipelining in the hardware circuit is used to segment each round of the AES encryption algorithm so that all segments can work in parallel, which greatly increases the speed and efficiency of the whole encryption algorithm.

Description

AES encryption method for resisting path difference attack
Technical Field
The invention relates to the technical field of AES encryption, and in particular to an AES encryption method for resisting path difference attacks.
Background
The Advanced Encryption Standard (AES) was created by the two Belgian cryptographers Vincent Rijmen and Joan Daemen to replace the older Data Encryption Standard (DES). The AES algorithm consists of 10 rounds in total, and each round contains four operations: byte substitution (SubBytes), row shifting (ShiftRows), column mixing (MixColumns) and round key addition (AddRoundKey); the last round has no column mixing. AES is a block cipher and is a symmetric cipher that is widely used at present. The requirements placed on an AES implementation differ with the setting: sometimes it must be small, so that it can be fitted into a chip of small capacity, and sometimes it must encrypt at very high speed, so designs for implementing AES continue to be updated.
Precisely because AES is so widely used, it faces a variety of attacks. The path difference attack is a side channel attack on AES that exploits the fact that, in each of the middle rounds, the round key and the round data arrive at the next calculation unit at slightly different times; at present there is no effective defence against it.
Disclosure of Invention
The invention aims to provide an AES encryption method for resisting path difference attack, which effectively ensures that the AES algorithm cannot be attacked through the path difference and at the same time improves the speed and efficiency of the whole AES encryption algorithm.
The purpose of the invention is achieved by the following technical scheme:
an AES encryption method for resisting path difference attack, comprising:
splitting the original key expansion subprogram of the AES encryption algorithm and distributing the split key expansion subprogram to each round;
when the AES encryption algorithm reaches the ith round, taking the round data computed in the previous round out of the data register and then performing, in order, the S-box substitution, row shifting and column mixing of the current round to obtain the round data of the current round, this calculation path being called the round data path; at the same time, taking the round key of the previous round out of the round key register and performing the round key expansion calculation on it to obtain the round key of the current round, this calculation path being called the round key path;
before the round key addition at the end of the ith round, delaying the round key of the current round with a delay unit sized from the difference between the two paths, so that the delayed round key of the current round and the round data of the current round reach the calculation unit for the round key addition at the same time;
and after the round key addition, storing the round data and the round key of the current round in the data register and the round key register, respectively, at the end of the round.
The method segments the whole AES encryption process on the basis of pipelining;
between rounds, each round is separated from the next by a register;
within a round, in the round data path part, if the S-box substitution is implemented with a lookup table, a register is placed after each of the S-box substitution, the row shifting and the column mixing, and the position of each such register is called a division point; if the S-box substitution is implemented by the field extension (composite field) method, each operation inside the S-box substitution is likewise divided with a register; in the round key path part, a register is placed after the round key expansion calculation, at a position matching the register after the S-box substitution in the round data path part, and for the subsequent delay processing a corresponding number of registers is added according to the segmentation of the round data path part, with the register positions kept in one-to-one correspondence, thereby forming a delay unit in the round data path.
The method is implemented on a high-speed FPGA.
With the technical scheme provided by the invention, the round key of each round is computed within that round and the round key path and round data path of each round are precisely controlled, so that the round key and the round data reach the next calculation unit at the same time; the path difference is eliminated and the side channel attack based on it is prevented. At the same time, pipelining in the hardware circuit is used to segment each round of the AES encryption algorithm so that all segments work in parallel, which greatly increases the speed and efficiency of the whole encryption algorithm.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an AES encryption method against path difference attack according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the inter-round pipeline division provided in an embodiment of the invention;
Fig. 3 is a schematic diagram of the intra-round pipeline division according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the invention.
The embodiment of the invention provides an AES encryption method for resisting path difference attack. The round keys of AES are computed separately, round by round; the time difference between the round data transmission path and the round key transmission path is determined, and a delay unit of that time difference is inserted on the round key transmission path, so that the transmission times of the two paths are finally identical. As shown in Fig. 1, the method mainly comprises the following steps:
1. Split the original key expansion subprogram of the AES encryption algorithm and distribute the split key expansion subprogram to each round.
2. When the AES encryption algorithm reaches the ith round, take the round data computed in the previous round out of the data register and then perform, in order, the S-box substitution, row shifting and column mixing of the current round to obtain the round data of the current round; this calculation path is called the round data path. At the same time, take the round key of the previous round out of the round key register and perform the round key expansion calculation on it to obtain the round key of the current round; this calculation path is called the round key path.
3. Before the round key addition at the end of the ith round, compare the two paths and delay the round key of the current round with a delay unit (in general the round data path takes longer than the round key path), so that the delayed round key of the current round and the round data of the current round reach the calculation unit for the round key addition at the same time (the round key and the round data are combined by exclusive OR).
4. After the round key addition, store the round data and the round key of the current round in the data register and the round key register, respectively, at the end of the round.
In addition, the embodiment of the invention also uses pipelining in the hardware circuit to segment each round of the AES encryption algorithm. Pipelining divides a chain of successive computational units that have no feedback between them, so that the parts can work in parallel at the same time. In the AES encryption algorithm there is no feedback between the parts, so the pipeline division shown in Fig. 2 and Fig. 3 greatly increases the computation speed of the whole algorithm and achieves high-speed encryption.
As shown in Fig. 2, since there is no feedback between the rounds of AES, the rounds can be pipelined. The operations performed in each round are the same (the last round differs slightly), so dividing the algorithm round by round is simple: a single register between consecutive rounds is all that is needed (see Fig. 2).
For the intra-round division, shown in Fig. 3, the round data path part has two cases: 1) if the S-box substitution is implemented with a lookup table, a register is placed after each of the S-box substitution, the row shifting and the column mixing, and the position of each such register is called a division point; 2) if the S-box substitution is implemented by the field extension (composite field) method, the operations inside the S-box substitution are further divided with registers to obtain the best result (not shown in Fig. 3). For the round key path part, a register is placed after the round key expansion calculation, at a position matching the register after the S-box substitution in the round data path part; for the subsequent delay processing, a corresponding number of registers is added according to the division of the round data path part, with the register positions kept in one-to-one correspondence (the registers taking part in the delay processing form the delay unit in the round key path). As can be seen from Fig. 3, the registers in the round key path part match those in the round data path part in both number and position.
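As an added example (not the patent's own design or code), the following Python model of the scheme described above: AES-128 in which each round derives its own round key from the previous round's key, every pipeline stage ends in a register counted as one clock, and the key path receives delay registers to match the data path. It assumes the lookup-table S-box case (three data-path registers per round, two in the last round); with match_delay switched off it reports the uncompensated path difference of two clocks, and the ciphertext can be checked against the FIPS-197 AES-128 test vectors.

```python
def _gf_mul(a, b):  # multiplication in GF(2^8) with the AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():  # AES S-box: GF(2^8) inverse followed by the affine map
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        s = inv ^ 0x63
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

# State: flat 16-byte list in AES column-major order (index 4*c + r is row r, column c).
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
    return out

def next_round_key(k, rcon):  # one round's share of the split key schedule
    w = [k[0:4], k[4:8], k[8:12], k[12:16]]
    t = [SBOX[w[3][1]] ^ rcon, SBOX[w[3][2]], SBOX[w[3][3]], SBOX[w[3][0]]]
    out = []
    for word in w:
        t = [a ^ b for a, b in zip(word, t)]
        out += t
    return out

def run_round(data, key, rcon, last, match_delay=True):
    """One round. Every stage ends in a pipeline register, so a path's latency in
    clocks is its number of stages. Data path: SubBytes, ShiftRows and (except in
    the last round) MixColumns. Key path: round key expansion plus, when match_delay
    is set, one delay register per extra data-path stage, as the patent prescribes.
    Returns (round output, round key i, data-path clocks, key-path clocks)."""
    data_stages = [sub_bytes, shift_rows] + ([] if last else [mix_columns])
    delay = [lambda k: k] * (len(data_stages) - 1 if match_delay else 0)
    key_stages = [lambda k: next_round_key(k, rcon)] + delay
    for f in data_stages:
        data = f(data)
    for g in key_stages:
        key = g(key)
    return [a ^ b for a, b in zip(data, key)], key, len(data_stages), len(key_stages)

def encrypt(plaintext, key, match_delay=True):
    """AES-128 with the key schedule distributed over the rounds. Returns the
    ciphertext and the largest clock gap between round data and round key seen
    at any AddRoundKey, i.e. the path difference the scheme is meant to remove."""
    data, rk, gap = [p ^ k for p, k in zip(plaintext, key)], list(key), 0
    for i in range(10):
        data, rk, d_clk, k_clk = run_round(data, rk, RCON[i], i == 9, match_delay)
        gap = max(gap, d_clk - k_clk)
    return bytes(data), gap
```

The model counts registers rather than simulating signal propagation, so it shows the structural path difference the delay unit closes, not the physical timing of a particular FPGA.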
By way of example, the method of the invention can be implemented on a high-speed FPGA.
Compared with the prior art, the method has mainly the following advantages and technical effects:
1. The round key of each round is computed within that round, and the round key path and round data path of each round are precisely controlled so that the round key and the round data reach the next calculation unit at the same time, which eliminates the path difference and thereby prevents the side channel attack based on it.
2. Pipelining in the hardware circuit is used to segment each round of the AES encryption algorithm so that the segments work in parallel, which greatly improves the speed and efficiency of the whole encryption algorithm.
The above describes only a preferred embodiment of the invention; the scope of the invention is not limited to it, and any change or substitution that those skilled in the art can readily conceive within the technical scope of the invention is included in its scope. The protection scope of the invention is therefore defined by the claims.

Claims (3)

1. An AES encryption method for resisting path difference attack, characterised by comprising the following steps:
splitting the original key expansion subprogram of the Advanced Encryption Standard (AES) encryption algorithm and distributing the split key expansion subprogram to each round;
when the AES encryption algorithm reaches the ith round, taking the round data computed in the previous round out of the data register and then performing, in order, the S-box substitution, row shifting and column mixing of the current round to obtain the round data of the current round, the calculation path of the round data being called the round data path; at the same time, taking the round key of the previous round out of the round key register and performing the round key expansion calculation on it to obtain the round key of the current round, the calculation path of the round key being called the round key path;
in the round key path part, placing a register after the round key expansion calculation at a position matching the register after the S-box substitution in the round data path part, and for the subsequent delay processing adding a corresponding number of registers according to the segmentation of the round data path part, keeping the register positions of the round key path part and the round data path part in one-to-one correspondence, the registers participating in the delay processing forming a delay unit in the round data path;
before the round key addition at the end of the ith round, delaying the round key of the current round with the delay unit according to the difference between the round data path and the round key path, so that the delayed round key of the current round and the round data of the current round reach the calculation unit for the round key addition at the same time;
and after the round key addition, storing the round data and the round key of the current round in the data register and the round key register, respectively, at the end of the round.
2. The AES encryption method for resisting path difference attack according to claim 1, wherein the method segments the whole AES encryption process on the basis of pipelining;
wherein, between rounds, each round is separated from the next by a register;
and within a round, in the round data path part, if the S-box substitution is implemented with a lookup table, a register is placed after each of the S-box substitution, the row shifting and the column mixing, and the position of each such register is called a division point; if the S-box substitution is implemented by the field extension method, each operation inside the S-box substitution is likewise divided with a register.
3. The AES encryption method for resisting path difference attack according to claim 1, wherein the method is implemented on a high-speed field programmable gate array (FPGA).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710348988.4A CN108964874B (en) 2017-05-17 2017-05-17 AES encryption method for resisting path difference attack


Publications (2)

Publication Number Publication Date
CN108964874A (en) 2018-12-07
CN108964874B (en) 2020-10-27

Family

ID=64461731


Country Status (1)

Country Link
CN (1) CN108964874B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729241A (en) * 2008-10-23 2010-06-09 国民技术股份有限公司 AES encryption method for resisting differential power attacks
CN103516512A (en) * 2013-10-21 2014-01-15 深圳市芯通信息科技有限公司 Encryption and decryption method and encryption and decryption device based on AES (advanced encryption standard) algorithm
CN105871536A (en) * 2016-06-14 2016-08-17 东南大学 AES-algorithm-oriented power analysis attack resistant method based on random time delay

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101847195B (en) * 2010-06-26 2012-01-04 上海交通大学 Defensive attack method based on Cache time characteristics
US8958550B2 (en) * 2011-09-13 2015-02-17 Combined Conditional Access Development & Support. LLC (CCAD) Encryption operation with real data rounds, dummy data rounds, and delay periods
CN104639314A (en) * 2014-12-31 2015-05-20 深圳先进技术研究院 Device based on AES (advanced encryption standard) encryption/decryption algorithm and pipelining control method
CN106452725B (en) * 2016-06-14 2019-05-31 东南大学 A kind of anti-power consumption attack method towards aes algorithm based on register mask

Also Published As

Publication number Publication date
CN108964874A (en) 2018-12-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant