CN111159784B - Method and device for preventing differential power analysis attack in chip - Google Patents


Info

Publication number: CN111159784B
Authority: CN (China)
Prior art keywords: result, mask, data, intermediate variable, register
Legal status: Active
Application number: CN201911301787.4A
Other languages: Chinese (zh)
Other versions: CN111159784A (en)
Inventors: 陆舟, 于华章
Current assignee: Feitian Technologies Co Ltd
Original assignee: Feitian Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F 21/75 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation

Abstract

The invention discloses a method and a device for preventing differential power analysis attack in a chip. In the method, the chip judges whether there is data to be processed. If there is, the chip judges whether the length of the data in a second storage area is smaller than a preset length; if there is none, the chip pads the data in the second storage area, performs a compression operation on the data in the second storage area, and updates a first storage area according to the result of the compression operation. When the length of the data in the second storage area is judged to be smaller than the preset length, the chip stores the data to be processed in the second storage area and returns to judging whether there is data to be processed; when the length of the data in the second storage area is judged to be equal to the preset length, the chip performs the compression operation on the data in the second storage area, updates the first storage area according to the result of the compression operation, and returns to judging whether there is data to be processed. The method effectively prevents differential power analysis attack.

Description

Method and device for preventing differential power analysis attack in chip
Technical Field
The invention relates to a method and a device for preventing differential power analysis attack in a chip.
Background
The DPA (Differential Power Analysis) attack technique is highly aggressive and efficient at breaking ciphers. When a chip executes different instructions to perform different operations, its power consumption changes accordingly. These changes can be captured with specialised electronic measuring instruments and analysed with statistical techniques to recover key material held in the chip; an attacker can therefore use the current variations caused by the executed instructions to analyse the cryptographic algorithm and the key, so that the attack succeeds.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method and a device for preventing differential power analysis attack in a chip.
The invention provides a method for preventing differential power analysis attack in a chip, which comprises the following steps:
step S1: the chip judges whether there is data to be processed; if so, step S2 is executed, otherwise step S5 is executed;
step S2: the chip judges whether the length of the data in the second storage area is smaller than the preset length; if so, step S3 is executed, otherwise step S4 is executed;
step S3: the chip stores the data to be processed in the second storage area and returns to step S1;
step S4: the chip performs a compression operation on the data in the second storage area, updates the first storage area according to the result of the compression operation, and returns to step S1;
step S5: the chip pads the data in the second storage area, performs the compression operation on the data in the second storage area, and updates the first storage area according to the result of the compression operation;
performing the compression operation on the data in the second storage area and updating the first storage area according to its result comprises:
step R1: the chip stores data of the preset length as the first sixteen words of a first sub-storage area of the second storage area, generates hardware random numbers amounting to one quarter of the preset length and stores them in a second sub-storage area of the second storage area, XORs each of the first sixteen words of the first sub-storage area with its corresponding hardware random number, and writes the XOR results back as the first sixteen words of the first sub-storage area;
step R2: the chip performs a preset operation on the first sixteen words of the first sub-storage area and of the second sub-storage area and stores the results as the seventeenth to sixty-eighth words of the first sub-storage area and of the second sub-storage area respectively;
step R3: the chip randomly generates masks numbering one eighth of the preset length, loads the first to eighth words of the first storage area into the first to eighth registers, XORs the data in each of the first to eighth registers with its corresponding mask, and writes the XOR results back into the first to eighth registers;
step R4: the chip updates an intermediate variable and performs cyclic shift operations on the intermediate variable, the data in the first to eighth registers and each mask;
step R5: the chip performs an operation on the first word of the first storage area, the data in the first register and the first mask and writes the result to the first word of the first storage area, and continues in the same way until it has operated on the eighth word of the first storage area, the data in the eighth register and the eighth mask and written the result to the eighth word of the first storage area.
The invention provides a device for preventing differential power analysis attack in a chip, which comprises:
a first judgment module, used for judging whether there is data to be processed; if so, it triggers the second judgment module, otherwise it triggers the padding operation module;
a second judgment module, used for judging whether the length of the data in the second storage area is smaller than the preset length; if so, it triggers the storage module, otherwise it triggers the compression operation module;
a storage module, used for storing the data to be processed in the second storage area and triggering the first judgment module;
a compression operation module, used for performing a compression operation on the data in the second storage area, updating the first storage area according to the result of the compression operation, and triggering the first judgment module;
a padding operation module, used for padding the data in the second storage area, performing the compression operation on the data in the second storage area, and updating the first storage area according to the result of the compression operation;
the compression operation module comprises:
a first generation operation submodule, used for storing data of the preset length as the first sixteen words of the first sub-storage area of the second storage area, generating hardware random numbers amounting to one quarter of the preset length and storing them in the second sub-storage area of the second storage area, XORing each of the first sixteen words of the first sub-storage area with its corresponding hardware random number, and writing the XOR results back as the first sixteen words of the first sub-storage area;
a second generation operation submodule, used for performing a preset operation on the first sixteen words of the first sub-storage area and of the second sub-storage area and storing the results as the seventeenth to sixty-eighth words of the first sub-storage area and of the second sub-storage area respectively;
a third generation operation submodule, used for randomly generating masks numbering one eighth of the preset length, loading the first to eighth words of the first storage area into the first to eighth registers, XORing the data in each of the first to eighth registers with its corresponding mask, and writing the XOR results back into the first to eighth registers;
an updating submodule, used for updating an intermediate variable and performing cyclic shift operations on the intermediate variable, the data in the first to eighth registers and each mask;
and an operation updating submodule, used for performing an operation on the first word of the first storage area, the data in the first register and the first mask, writing the result to the first word of the first storage area, and continuing in the same way until it has operated on the eighth word of the first storage area, the data in the eighth register and the eighth mask and written the result to the eighth word of the first storage area.
Compared with the prior art, the invention has the following advantage:
the invention provides a method for preventing differential power analysis attack in a chip which effectively achieves the purpose of preventing differential power analysis attack.
Drawings
Fig. 1 shows a method for preventing differential power analysis attack in a chip according to a first embodiment of the present invention;
Fig. 2 shows a method for preventing differential power analysis attack in a chip according to a second embodiment of the present invention;
Fig. 3 is a detailed flowchart, for the second embodiment, of the chip performing the compression operation on the data in the second storage area and updating the first storage area with the result of the compression operation;
Fig. 4 is a block diagram of a device for preventing differential power analysis attack in a chip according to a third embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
An embodiment of the present invention provides a method for preventing differential power analysis attack in a chip which, as shown in Fig. 1, comprises:
step S1: the chip judges whether there is data to be processed; if so, step S2 is executed, otherwise step S5 is executed;
step S2: the chip judges whether the length of the data in the second storage area is smaller than the preset length; if so, step S3 is executed, otherwise step S4 is executed;
step S3: the chip stores the data to be processed in the second storage area and returns to step S1;
step S4: the chip performs a compression operation on the data in the second storage area, updates the first storage area according to the result of the compression operation, and returns to step S1;
step S5: the chip pads the data in the second storage area, performs the compression operation on the data in the second storage area, and updates the first storage area according to the result of the compression operation;
performing the compression operation on the data in the second storage area and updating the first storage area according to its result comprises:
step R1: the chip stores data of the preset length as the first sixteen words of a first sub-storage area of the second storage area, generates hardware random numbers amounting to one quarter of the preset length and stores them in a second sub-storage area of the second storage area, XORs each of the first sixteen words of the first sub-storage area with its corresponding hardware random number, and writes the XOR results back as the first sixteen words of the first sub-storage area;
step R2: the chip performs a preset operation on the first sixteen words of the first sub-storage area and of the second sub-storage area and stores the results as the seventeenth to sixty-eighth words of the first sub-storage area and of the second sub-storage area respectively;
step R3: the chip randomly generates masks numbering one eighth of the preset length, loads the first to eighth words of the first storage area into the first to eighth registers, XORs the data in each of the first to eighth registers with its corresponding mask, and writes the XOR results back into the first to eighth registers;
step R4: the chip updates an intermediate variable and performs cyclic shift operations on the intermediate variable, the data in the first to eighth registers and each mask;
step R5: the chip performs an operation on the first word of the first storage area, the data in the first register and the first mask and writes the result to the first word of the first storage area, and continues in the same way until it has operated on the eighth word of the first storage area, the data in the eighth register and the eighth mask and written the result to the eighth word of the first storage area.
Example two
An embodiment of the present invention provides a method for preventing differential power analysis attack in a chip which, as shown in Fig. 2, comprises:
step 101: the chip initialises a first storage area, a second storage area and a ninth register;
specifically, the chip sets the data in the first storage area to first preset data and sets the data in the second storage area and in the ninth register to zero;
the first preset data being 7380166f 4914b2b9 172442d7 da8a0600 a96f30bc 163138aa e38dee4d b0fb0e4e;
the ninth register holds the length of the data in the second storage area;
step 102: the chip obtains the current data to be processed and judges whether the length of the current data to be processed is greater than a first preset value; if so, step 103 is executed, otherwise step 106 is executed;
specifically, the chip obtains the current data to be processed byte by byte; for example, if the whole message is 0x61, 0x62, 0x63, the chip first obtains 0x61 and then judges whether its length is greater than the first preset value, executing step 103 if so and step 106 otherwise;
specifically, the first preset value is 0;
step 103: the chip judges whether the value in the ninth register is smaller than the preset length; if so, step 104 is executed, otherwise step 105 is executed;
in this embodiment the preset length is preferably 64;
step 104: the chip stores the current data to be processed in the second storage area, updates the value in the ninth register, and returns to step 102;
specifically, updating the ninth register means adding 1 to its value for every byte of data stored;
step 105: the chip performs the compression operation on the data in the second storage area, updates the first storage area according to the result of the compression operation, updates the value in the ninth register, and returns to step 102;
in this embodiment, updating the ninth register here means clearing it to zero;
in this embodiment, the process by which the chip performs the compression operation on the data in the second storage area and updates the first storage area with its result is shown in Fig. 3 and specifically comprises:
step 201: the chip stores the data of the preset length as the first sixteen words of the first sub-storage area of the second storage area, generates sixteen hardware random numbers and stores them in the second sub-storage area of the second storage area, XORs each of the first sixteen words of the first sub-storage area with its corresponding hardware random number, writes each XOR result back as that word of the first sub-storage area, performs the preset operation on the first sixteen words of the first sub-storage area and the first sixteen words of the second sub-storage area, and stores the results as the seventeenth to sixty-eighth words of the first sub-storage area and of the second sub-storage area;
specifically, the first sixteen words of the first sub-storage area are
0x61626380,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000;
the sixteen hardware random numbers are
0x0D1681F3,0xA224F286,0xECAAF1F8,0x267775AD,0x582FA4BD,0x02273788,0x9C0820B1,0x129193C3,0x655A5DAF,0x74BBADB1,0x3BCF6EF5,0xFCAE1205,0xB50D5E82,0x43E0C1E7,0x33B33D40,0x0D99E729;
XORing each of the first sixteen words of the first sub-storage area with its corresponding hardware random number gives
0x6C74E273,0xA224F286,0xECAAF1F8,0x267775AD,0x582FA4BD,0x02273788,0x9C0820B1,0x129193C3,0x655A5DAF,0x74BBADB1,0x3BCF6EF5,0xFCAE1205,0xB50D5E82,0x43E0C1E7,0x33B33D40,0x0D99E731;
in this embodiment, performing the preset operation on the first sixteen words of the first sub-storage area and of the second sub-storage area and storing the results as the seventeenth to sixty-eighth words of the first sub-storage area and of the second sub-storage area specifically comprises:
step 201-1: the chip sets the initial value of a first counter to 17 as the current count value j;
step 201-2: the chip cyclically shifts the (j-3)th word of the first sub-storage area left by 15 bits and XORs it with the (j-16)th and (j-9)th words of the first sub-storage area to obtain a first operation result;
step 201-3: the chip XORs the first operation result with the first operation result cyclically shifted left by 15 bits and with the first operation result cyclically shifted left by 23 bits to obtain a second operation result;
step 201-4: the chip XORs the second operation result with the (j-13)th word of the first sub-storage area cyclically shifted left by 7 bits and with the (j-6)th word of the first sub-storage area to obtain the j-th word, and stores it in the j-th position of the first sub-storage area;
step 201-5: the chip cyclically shifts the (j-3)th word of the second sub-storage area left by 15 bits and XORs it with the (j-16)th and (j-9)th words of the second sub-storage area to obtain a third operation result;
step 201-6: the chip XORs the third operation result with the third operation result cyclically shifted left by 15 bits and with the third operation result cyclically shifted left by 23 bits to obtain a fourth operation result;
step 201-7: the chip XORs the fourth operation result with the (j-13)th word of the second sub-storage area cyclically shifted left by 7 bits and with the (j-6)th word of the second sub-storage area to obtain the j-th word, and stores it in the j-th position of the second sub-storage area;
step 201-8: the chip adds 1 to the count value j and judges whether the result is smaller than a second preset value; if so, it returns to step 201-2, otherwise step 202 is executed;
specifically, the second preset value is 69;
specifically, the chip cyclically shifts the fourteenth word of the first sub-storage area left by 15 bits and XORs it with the fourteenth and eighth words of the first sub-storage area to obtain a first operation result; the chip XORs the first operation result with the first operation result cyclically shifted left by 15 bits and with the first operation result cyclically shifted left by 23 bits to obtain a second operation result; the chip XORs the second operation result with the fourth word of the first sub-storage area cyclically shifted left by 7 bits and with the eleventh word of the first sub-storage area to obtain the seventeenth word;
specifically, the seventeenth word is 0x564C6C45;
the chip cyclically shifts the fourteenth word of the first sub-storage area left by 15 bits to obtain 0x3BBAD693, XORs it with the fourteenth and eighth words of the first sub-storage area to obtain the first operation result 0x1E16D040, and XORs the first operation result with the first operation result cyclically shifted left by 15 bits and with the first operation result cyclically shifted left by 23 bits to obtain the second operation result 0x5639D423; the chip XORs the second operation result with the fourth word of the first sub-storage area cyclically shifted left by 7 bits and with the eleventh word of the first sub-storage area to obtain the seventeenth word 0x564C6C45;
the chip cyclically shifts the fifteenth word of the first sub-storage area left by 15 bits and XORs it with the second and ninth words of the first sub-storage area to obtain a first operation result, XORs the first operation result with the first operation result cyclically shifted left by 15 bits and with the first operation result cyclically shifted left by 23 bits to obtain a second operation result, and XORs the second operation result with the fifth word of the first sub-storage area cyclically shifted left by 7 bits and with the twelfth word of the first sub-storage area to obtain the eighteenth word;
specifically, the eighteenth word is 0x91F639ED;
by analogy, the chip cyclically shifts the sixty-fifth word of the first sub-storage area left by 15 bits and XORs it with the fifty-second and fifty-ninth words of the first sub-storage area to obtain a first operation result, XORs the first operation result with the first operation result cyclically shifted left by 15 bits and with the first operation result cyclically shifted left by 23 bits to obtain a second operation result, and XORs the second operation result with the fifty-fifth word of the first sub-storage area cyclically shifted left by 7 bits and with the sixty-second word of the first sub-storage area to obtain the sixty-eighth word;
specifically, the sixty-eighth word is 0x568C7578;
specifically, the fourteenth word of the second sub-storage area is cyclically shifted left by 15 bits and XORed with the first and eighth words of the second sub-storage area to obtain a first operation result; the first operation result is XORed with the first operation result cyclically shifted left by 15 bits and with the first operation result cyclically shifted left by 23 bits to obtain a second operation result; and the second operation result is XORed with the fourth word of the second sub-storage area cyclically shifted left by 7 bits and with the eleventh word of the second sub-storage area to obtain the seventeenth word;
specifically, the seventeenth word of the second sub-storage area is 0xC6DE8E45;
the fifteenth word of the second sub-storage area is cyclically shifted left by 15 bits and XORed with the second and ninth words of the second sub-storage area to obtain a first operation result; the first operation result is XORed with the first operation result cyclically shifted left by 15 bits and with the first operation result cyclically shifted left by 23 bits to obtain a second operation result; and the second operation result is XORed with the fifth word of the second sub-storage area cyclically shifted left by 7 bits and with the twelfth word of the second sub-storage area to obtain the eighteenth word;
specifically, the eighteenth word of the second sub-storage area is 0x91F639ED;
by analogy, the sixty-fifth word of the second sub-storage area cyclically shifted left by 15 bits is XORed with the fifty-second and fifty-ninth words of the second sub-storage area to obtain a first operation result; the first operation result is XORed with the first operation result cyclically shifted left by 15 bits and with the first operation result cyclically shifted left by 23 bits to obtain a second operation result; and the second operation result is XORed with the fifty-fifth word of the second sub-storage area cyclically shifted left by 7 bits and with the sixty-second word of the second sub-storage area to obtain the sixty-eighth word;
specifically, the sixty-eighth word of the second sub-storage area is 0xEF10703D;
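As an added example (not the patent's own code), the following Python reproduces step 201 on the page's own sample data: it pads "abc" into the sixteen-word block, masks it with the sixteen hardware random numbers, runs the expansion of steps 201-2 to 201-8 on both sub-storage areas, and checks that the two expansions XOR back to the expansion of the unmasked block. The padding rule (0x80, zero bytes, 64-bit bit length, as in SM3, whose initial values and T_i constants the embodiment uses) is an assumption; the page lists only the resulting words, but its XOR result 0x0D99E731 = 0x0D99E729 ^ 0x00000018 is consistent with it. Function names and the `expand_one` walk-through helper are mine.

```python
# Added example: masked message expansion of step 201 (not the patent's code).
# Word lists are copied from the page; every other value is derived here.
from typing import List, Tuple

MASK32 = 0xFFFFFFFF

# Sixteen hardware random numbers quoted on the page (second sub-storage area).
RANDOM_WORDS = [
    0x0D1681F3, 0xA224F286, 0xECAAF1F8, 0x267775AD,
    0x582FA4BD, 0x02273788, 0x9C0820B1, 0x129193C3,
    0x655A5DAF, 0x74BBADB1, 0x3BCF6EF5, 0xFCAE1205,
    0xB50D5E82, 0x43E0C1E7, 0x33B33D40, 0x0D99E729,
]
# First sixteen words of the first sub-storage area after the XOR, as on the page.
MASKED_WORDS = [
    0x6C74E273, 0xA224F286, 0xECAAF1F8, 0x267775AD,
    0x582FA4BD, 0x02273788, 0x9C0820B1, 0x129193C3,
    0x655A5DAF, 0x74BBADB1, 0x3BCF6EF5, 0xFCAE1205,
    0xB50D5E82, 0x43E0C1E7, 0x33B33D40, 0x0D99E731,
]


def rotl(x: int, n: int) -> int:
    """Cyclic left shift of a 32-bit word by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad_block(msg: bytes) -> List[int]:
    """Step S5 for a message shorter than one block (assumed SM3-style padding):
    append 0x80, zero bytes and the 64-bit message length in bits, then split the
    64-byte block into sixteen big-endian words."""
    if len(msg) > 55:
        raise ValueError("this example pads a single block only")
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + (8 * len(msg)).to_bytes(8, "big")
    return [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]


def expand_one(w: List[int], j: int) -> Tuple[int, int, int]:
    """Steps 201-2 to 201-4 for one 1-based index j (17 <= j <= 68) over a list w
    whose first j-1 words are filled. Returns (first result, second result, j-th word).
    Only XOR and rotations are used, so the map is linear over GF(2): applying it to
    the masked words and to the masks separately keeps the masking relation intact."""
    first = rotl(w[j - 3 - 1], 15) ^ w[j - 16 - 1] ^ w[j - 9 - 1]   # step 201-2
    second = first ^ rotl(first, 15) ^ rotl(first, 23)             # step 201-3
    wj = second ^ rotl(w[j - 13 - 1], 7) ^ w[j - 6 - 1]            # step 201-4
    return first, second, wj


def expand(words: List[int]) -> List[int]:
    """Steps 201-1 to 201-8 on one sub-storage area: j starts at 17 and the loop
    repeats while j + 1 is smaller than the second preset value 69."""
    if len(words) != 16:
        raise ValueError("a block holds exactly sixteen 32-bit words")
    w = list(words)
    for j in range(17, 69):
        w.append(expand_one(w, j)[2])
    return w


def check_page_example() -> dict:
    """Pad 'abc', mask it with the random words as step 201 does, expand both
    sub-storage areas and confirm masked XOR mask equals the unmasked expansion."""
    plain = pad_block(b"abc")
    masked = [p ^ r for p, r in zip(plain, RANDOM_WORDS)]
    masked_w = expand(masked)          # first sub-storage area, words 1..68
    mask_w = expand(RANDOM_WORDS)      # second sub-storage area, words 1..68
    plain_w = expand(plain)            # what an unmasked implementation would hold
    return {
        "masked_matches_page": masked == MASKED_WORDS,
        "linear": all(a ^ b == c for a, b, c in zip(masked_w, mask_w, plain_w)),
        "masked_w17": masked_w[16],
        "mask_w17": mask_w[16],
        "plain_w17": plain_w[16],
    }


if __name__ == "__main__":
    for name, value in check_page_example().items():
        print(name, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Note that rotl(MASKED_WORDS[3], 7) is 0x3BBAD693, the value quoted in the page's walk-through of step 201-2.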
step 202: the chip randomly generates eight masks;
specifically, the first mask is 0x22222222; the second mask is 0x33333333; the third mask is 0x44444444; the fourth mask is 0x55555555; the fifth mask is 0x66666666; the sixth mask is 0x77777777; the seventh mask is 0x88888888; the eighth mask is 0x99999999;
step 203: the chip loads the first to eighth words of the first storage area into the first to eighth registers;
specifically, the data in the first storage area is 7380166f 4914b2b9 172442d7 da8a0600 a96f30bc 163138aa e38dee4d b0fb0e4e, so the first register holds 7380166f, the second register holds 4914b2b9, and so on up to the eighth register, which holds b0fb0e4e;
step 204: the chip XORs the data in each of the first to eighth registers with its corresponding mask and writes each XOR result back into that register;
specifically, the chip XORs the data in the first register with the first mask to obtain 0x51a2344D and writes 0x51a2344D into the first register;
specifically, the chip XORs the data in the second register with the second mask to obtain 0x7a27818A and writes 0x7a27818A into the second register;
by analogy, the chip XORs the data in the eighth register with the eighth mask to obtain 0x296297D7 and writes 0x296297D7 into the eighth register;
step 205: updating an intermediate variable by the chip, and performing cyclic shift operation on the intermediate variable, data in the first register to the eighth register and eight masks;
in this embodiment, step 205 specifically includes:
step 205-1: the chip sets the initial value of the second counter to be 0 as the current count value i;
step 205-2: the chip updates the first intermediate variable and the first intermediate variable in the mask form;
in this embodiment, step 205-2 specifically includes:
step 205-2-1: the chip circularly moves the data in the first register to the left by 12 bits to obtain a first temporary calculation result, circularly moves the first mask to the left by 12 bits to obtain a second temporary calculation result, uses a first function to calculate the first temporary calculation result and the second temporary calculation result to obtain a first intermediate variable, and assigns the second temporary calculation result to the first intermediate variable in the form of the mask;
in this embodiment, the obtaining a first intermediate variable by using a first function to calculate the first temporary calculation result and the second temporary calculation result specifically includes:
step 1: the chip uses the random number extracting function to operate the address of the security parameter to obtain a fifth operation result, and the fifth operation result is used as the first parameter;
step 2: the chip performs AND operation on the first temporary calculation result and the first parameter to obtain a sixth operation result, and the sixth operation result is used as a second parameter;
and step 3: the chip subtracts the second parameter from the first parameter to obtain a seventh operation result, and updates the seventh operation result to the second parameter;
and 4, step 4: the chip performs AND operation on the second parameter and the first temporary calculation result to obtain an eighth operation result, and updates the eighth operation result to the second parameter;
and 5: the chip performs AND operation on the first parameter and the second temporary calculation result to obtain a ninth operation result, and updates the ninth operation result to the first parameter;
step 6: the chip performs AND operation on the first temporary calculation result and the first parameter to obtain a tenth operation result, and the tenth operation result is used as a third parameter;
and 7: the chip subtracts the third parameter from the first parameter to obtain an eleventh operation result, and updates the eleventh operation result to the third parameter;
and 8: the chip performs AND operation on the third parameter and the second parameter to obtain a twelfth operation result, the twelfth operation result is updated to the third parameter, and the third parameter is used as a first intermediate variable;
step 205-2-2: the chip uses the first function to operate the data in the fifth register and the fifth mask, the obtained result and the first intermediate variable are subjected to arithmetic addition operation, the result is updated to the first intermediate variable, the first intermediate variable in the mask form and the fifth mask are subjected to arithmetic addition operation, and the result is updated to the first intermediate variable in the mask form;
step 205-2-3: chip constant TiShifting the i bit left to perform arithmetic addition operation with a first intermediate variable, and updating the result to the first intermediate variable;
specifically, when i is 0 or more and 15 or less, the constant Ti79cc 4519; when i is equal to or greater than 16 and equal to or less than 63, the constant TiIs 7a879d8 a;
step 205-2-4: the chip uses a second function to operate the first intermediate variable and the first intermediate variable in the mask form to obtain a third temporary calculation result, the first intermediate variable in the mask form is assigned to a fourth temporary calculation result, the third temporary calculation result is circularly shifted left by 7 bits to be updated to the first intermediate variable, the fourth temporary calculation result is circularly shifted left by 7 bits to be updated to the first intermediate variable in the mask form, the first function is used to operate the first intermediate variable and the first intermediate variable in the mask form, and the result is updated to the first intermediate variable;
in this embodiment, the operation of the chip on the first intermediate variable and the first intermediate variable in the form of a mask by using the second function to obtain the third temporary calculation result specifically includes:
step A: the chip applies the random number extracting function to the address of the security parameter to obtain a thirteenth operation result, and the thirteenth operation result is used as the first parameter;
step B: the chip shifts the first parameter left by 1 bit (doubling it modulo 2^32) to obtain a fourteenth operation result, and the fourteenth operation result is used as the second parameter;
step C: the chip performs an exclusive-OR operation on the first parameter and the first intermediate variable in the mask form to obtain a fifteenth operation result, and the fifteenth operation result is used as the fifth parameter;
step D: the chip performs an AND operation on the first parameter and the fifth parameter to obtain a sixteenth operation result, and the sixteenth operation result is used as the fourth parameter;
step E: the chip performs an exclusive-OR operation on the second parameter and the first intermediate variable to obtain a seventeenth operation result, and updates the seventeenth operation result to the fifth parameter;
step F: the chip performs an ex
clusive-OR operation on the first parameter and the fifth parameter to obtain an eighteenth operation result, and updates the eighteenth operation result to the first parameter;
step G: the chip performs an AND operation on the first parameter and the first intermediate variable in the mask form to obtain a nineteenth operation result, and updates the nineteenth operation result to the first parameter;
step H: the chip performs an exclusive-OR operation on the fourth parameter and the first parameter to obtain a twentieth operation result, and updates the twentieth operation result to the fourth parameter;
step I: the chip performs an AND operation on the second parameter and the first intermediate variable to obtain a twenty-first operation result, and updates the twenty-first operation result to the first parameter;
step J: the chip performs an exclusive-OR operation on the fourth parameter and the first parameter to obtain a twenty-second operation result, and updates the twenty-second operation result to the fourth parameter;
step K: the chip sets the initial value of the third counter to 1 as the current count value k;
step L: the chip judges whether the count value k is less than 32 (so that steps M to Q are executed 31 times, once for each carry bit of a 32-bit word); if so, step M is executed, otherwise step S is executed;
step M: the chip performs an AND operation on the second parameter and the first intermediate variable in the mask form to obtain a twenty-third operation result, and updates the twenty-third operation result to the first parameter;
step N: the chip performs an exclusive-OR operation on the first parameter and the fourth parameter to obtain a twenty-fourth operation result, and updates the twenty-fourth operation result to the first parameter;
step O: the chip performs an AND operation on the second parameter and the first intermediate variable to obtain a twenty-fifth operation result, and updates the twenty-fifth operation result to the second parameter;
step P: the chip performs an exclusive-OR operation on the first parameter and the second parameter to obtain a twenty-sixth operation result, and updates the twenty-sixth operation result to the first parameter;
step Q: the chip shifts the first parameter left by 1 bit to obtain a twenty-seventh operation result, and updates the twenty-seventh operation result to the second parameter;
step R: the chip adds 1 to the count value k and returns to step L;
step S: the chip performs an exclusive-OR operation on the fifth parameter and the second parameter to obtain a twenty-eighth operation result, updates the twenty-eighth operation result to the fifth parameter, and uses the fifth parameter as the third temporary calculation result;
step 205-3: the chip updates the second intermediate variable and the second intermediate variable in the mask form;
specifically, the chip applies the second function to the first intermediate variable and the first intermediate variable in the mask form to obtain the second intermediate variable, assigns the first intermediate variable in the mask form to the second intermediate variable in the mask form, performs an exclusive-OR operation on the second intermediate variable and the first temporary calculation result and updates the result to the second intermediate variable, and performs an exclusive-OR operation on the second intermediate variable in the mask form and the second temporary calculation result and updates the result to the second intermediate variable in the mask form;
step 205-4: the chip updates the third intermediate variable and the third intermediate variable in the mask form;
in this embodiment, step 205-4 specifically includes:
step 205-4-1: the chip performs an exclusive-OR operation on the (i + 1)th data and the (i + 5)th data of the first sub-storage area to obtain a fifth temporary calculation result, performs an exclusive-OR operation on the (i + 1)th data and the (i + 5)th data of the second sub-storage area to obtain a sixth temporary calculation result, applies the first function to the fifth temporary calculation result and the sixth temporary calculation result and updates the result to the third intermediate variable, and assigns the sixth temporary calculation result to the third intermediate variable in the mask form;
step 205-4-2: the chip uses the first function to operate the second intermediate variable and the second intermediate variable in the form of the mask, the result and the third intermediate variable are subjected to arithmetic addition operation, the result is updated to the third intermediate variable, the second intermediate variable in the form of the mask and the third intermediate variable in the form of the mask are subjected to arithmetic addition operation, the result is updated to the third intermediate variable in the form of the mask, the first function is used to operate the data in the fourth register and the fourth mask, the result and the third intermediate variable are subjected to arithmetic addition operation, the result is updated to the third intermediate variable, the fourth mask and the third intermediate variable in the form of the mask are subjected to arithmetic addition operation, and the result is updated to the third intermediate variable in the form of the mask;
step 205-4-3: the chip uses the first Boolean function to operate the data in the first register, the second register and the third register to obtain a seventh temporary calculation result, uses the first Boolean function to operate the first mask, the second mask and the third mask to obtain an eighth temporary calculation result, the chip uses the first function to operate the seventh temporary calculation result and the eighth temporary calculation result, performs an arithmetic addition operation on the result and a third intermediate variable, updates the result to a third intermediate variable, performs an arithmetic addition operation on the eighth temporary calculation result and a third intermediate variable in a mask form, and updates the result to a third intermediate variable in a mask form;
when the count value i is greater than or equal to 0 and less than or equal to 15, performing exclusive-or operation on data in the first register, the second register and the third register to obtain a seventh temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an OR operation on the result of the AND operation of the data in the first register and the second register, the result of the AND operation of the data in the first register and the third register, and the result of the AND operation of the data in the second register and the third register to obtain a seventh temporary calculation result;
when the count value i is greater than or equal to 0 and less than or equal to 15, performing exclusive-or operation on the first mask, the second mask and the third mask to obtain an eighth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an or operation on a result of the and operation of the first mask and the second mask, a result of the and operation of the first mask and the third mask, and a result of the and operation of the second mask and the third mask to obtain an eighth temporary calculation result;
step 205-5: the chip updates the fourth intermediate variable and the fourth intermediate variable in the mask form;
in this embodiment, step 205-5 specifically includes:
step 205-5-1: the chip applies the second Boolean function to the data in the fifth register, the sixth register and the seventh register to obtain a ninth temporary calculation result, applies the second Boolean function to the fifth mask, the sixth mask and the seventh mask to obtain a tenth temporary calculation result, applies the first function to the ninth temporary calculation result and the tenth temporary calculation result and assigns the result to the fourth intermediate variable, and assigns the tenth temporary calculation result to the fourth intermediate variable in the mask form;
when the count value i is greater than or equal to 0 and less than or equal to 15, performing exclusive-or operation on data in the fifth register, the sixth register and the seventh register to obtain a ninth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the data in the fifth register and the sixth register, performing an AND operation on the bitwise complement of the data in the fifth register and the data in the seventh register, and performing an OR operation on the two results to obtain a ninth temporary calculation result;
when the count value i is greater than or equal to 0 and less than or equal to 15, performing exclusive-or operation on the fifth mask, the sixth mask and the seventh mask to obtain a tenth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the fifth mask and the sixth mask, performing an AND operation on the bitwise complement of the fifth mask and the seventh mask, and performing an OR operation on the two results to obtain a tenth temporary calculation result;
step 205-5-2: the chip calculates the data in the eighth register and the eighth mask by using the first function, performs arithmetic addition operation on the result and the fourth intermediate variable, updates the result to the fourth intermediate variable, performs arithmetic addition operation on the eighth mask and the fourth intermediate variable in the mask form, and updates the result to the fourth intermediate variable in the mask form;
step 205-5-3: the chip performs arithmetic addition operation on the first intermediate variable and the fourth intermediate variable, updates the result to the fourth intermediate variable, performs arithmetic addition operation on the first intermediate variable in the mask form and the fourth intermediate variable in the mask form, and updates the result to the fourth intermediate variable in the mask form;
step 205-5-4: the chip uses a first function to operate the (i + 1) th data of the first sub-storage area and the (i + 1) th data of the second sub-storage area, performs arithmetic addition operation on the result and a fourth intermediate variable, updates the result to the fourth intermediate variable, performs arithmetic addition operation on the (i + 1) th data of the second sub-storage area and a fourth intermediate variable in a mask form, and updates the result to the fourth intermediate variable in the mask form;
step 205-6: the chip updates the data in the third register to a fourth register, the data in the second register is circularly and leftwards shifted by 9 bits and updated to the third register, the data in the first register is updated to the second register, the third mask is used as a fourth mask, the second mask is circularly and leftwards shifted by 9 bits and used as a third mask, and the first mask is used as a second mask;
step 205-7: the chip uses a second function to operate the third intermediate variable and the third intermediate variable in the form of the mask, the result is updated into the first register, and the third intermediate variable in the form of the mask is used as the first mask;
step 205-8: updating data in a seventh register of the chip into an eighth register, circularly shifting 19 bits of data in a sixth register to the left to update the seventh register, updating data in a fifth register into the sixth register, taking a seventh mask as an eighth mask, circularly shifting 19 bits of the sixth mask to the left to serve as a seventh mask, and taking the fifth mask as a sixth mask;
step 205-9: the chip uses a second function to operate a fourth intermediate variable and a fourth intermediate variable in a mask form to obtain a twenty-ninth operation result, the twenty-ninth operation result, a result of circularly left-shifting the twenty-ninth operation result by 9 bits and a result of circularly left-shifting the twenty-ninth operation result by 17 bits are subjected to exclusive-or operation, the result is updated into a fifth register, the fourth intermediate variable in the mask form, the result of circularly left-shifting the fourth intermediate variable in the mask form by 9 bits and the result of circularly left-shifting the fourth intermediate variable in the mask form by 17 bits are subjected to exclusive-or operation, and the result is updated into a fifth mask;
step 205-10: the chip adds 1 to the count value i, judges whether the count value i is smaller than a third preset value, if so, returns to the step 205-2, otherwise, executes the step 206;
in this embodiment, preferably, the third preset value is 64;
specifically, when i is equal to 0, the first intermediate variable is 0x0CF2424E, the first intermediate variable in the form of a mask is 0x44444444, the second intermediate variable is 0x363617CC, the second intermediate variable in the form of a mask is 0x66666666, the third intermediate variable is 0x53A38ACD, the third intermediate variable in the form of a mask is 0x664A365E, the fourth intermediate variable is 0x3BD9E552, and the fourth intermediate variable in the form of a mask is 0x848DF969;
the data in the first register is 0xDFA7F775, the data in the second register is 0x51A2344D, the data in the third register is 0x4F0314F4, the data in the fourth register is 0x53600693, the data in the fifth register is 0xDF010A8F, the data in the sixth register is 0xCF0956DA, the data in the seventh register is 0x7EEB0A32, and the data in the eighth register is 0x6B0566C5;
the first mask is 0x664A365E, the second mask is 0x22222222, the third mask is 0x66666666, the fourth mask is 0x44444444, the fifth mask is 0x6DAC237B, the sixth mask is 0x66666666, the seventh mask is 0xBBBBBBBB, and the eighth mask is 0x88888888;
specifically, when i is 63, the first intermediate variable is 0xD180F5D3, the first intermediate variable in the form of a mask is 0x2D4F5043, the second intermediate variable is 0xDC5C2AE0, the second intermediate variable in the form of a mask is 0x877A6E49, the third intermediate variable is 0x405B7B8F, the third intermediate variable in the form of a mask is 0xD4EC6B0C, the fourth intermediate variable is 0x74D001E7, and the fourth intermediate variable in the form of a mask is 0xA3525868;
the data in the first register is 0xC1AB8D97, the data in the second register is 0xCB50FC33, the data in the third register is 0x84599590, the data in the fourth register is 0x7B7C4B39, the data in the fifth register is 0x5F3B3BB1, the data in the sixth register is 0x96E6AF9E, the data in the seventh register is 0xF151A18A, and the data in the eighth register is 0xED101FBF;
the first mask is 0xD4EC6B0C, the second mask is 0xE0AAA353, the third mask is 0x428F032C, the fourth mask is 0x7DE6A9DB, the fifth mask is 0xB733CF8A, the sixth mask is 0xDC256096, the seventh mask is 0x3BA1EFEC, and the eighth mask is 0xD2A0B911;
step 206: the chip calculates the first data of the first storage area, the data in the first register and the first mask, updates the result to the first data of the first storage area, sequentially executes the operations until the eighth data of the first storage area, the data in the eighth register and the eighth mask are calculated, and updates the result to the eighth data of the first storage area.
Specifically, the chip performs exclusive or operation on the first data in the first storage area, the data in the first register and the first mask to obtain 0x66C7F0F4, and updates the result to the first data in the first storage area;
the chip carries out exclusive OR operation on the second data of the first storage area, the data in the second register and the second mask to obtain 0x62EEEDD9, and the result is updated to the second data of the first storage area;
in this way, the chip performs exclusive or operation on the eighth data in the first storage area, the data in the eighth register and the eighth mask to obtain 0x8F4BA8E0, and updates the result to the eighth data in the first storage area;
step 106: the chip fills the data in the second storage area, performs compression operation on the data in the second storage area, and updates the first storage area according to the compression operation result.
Specifically, a single bit "1" is first appended to the end of the message, then bits "0" are appended until the length is congruent to 448 modulo 512, and then a 64-bit string representing the length of the original message in bits is appended.
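The procedure of steps 205-1 to 206 and the padding of step 106, carried through in working code as an added example; this is not the patent's implementation, and the names (b2a, a2b, mand, ff, gg, expand, masked_ss1_ss2, compress, sm3_hex) are the example's own. Steps 1-8 and steps A-S are Goubin's boolean-to-arithmetic and arithmetic-to-boolean mask conversions, whose combining operations are exclusive-OR and subtraction; the example uses the published form, with a logical 1-bit shift for "twice the first parameter" and K-1 = 31 loop iterations for 32-bit words, because a 1-bit rotation or a loop of only 30 passes leaves the carry into bit 31 uncomputed for inputs such as 1 + 0xFFFFFFFF (the edge assertions cover that case). os.urandom stands in for the chip's random number extracting function. One departure from the page is stated plainly: steps 205-4-3 and 205-5-1 evaluate the Boolean function once on the masked registers and once on the masks and treat the pair as a masked result. That is exact for rounds 0 to 15, where FF_i and GG_i are XOR, but the majority and choice functions of rounds 16 to 63 are nonlinear, and FF_i(masked data) XOR FF_i(masks) equals FF_i(data) only when the three masks are equal; the example computes those rounds with a first-order ISW masked AND (mand) instead and says so in the code. The assertions reproduce the page's values at i = 0 (first intermediate variable 0x0CF2424E under mask 0x44444444, second intermediate variable 0x363617CC under mask 0x66666666, obtained with mask 0x22222222 on the first register and 0x66666666 on the fifth, as the page's listing implies) and the digest words of step 206 (0x66C7F0F4, 0x62EEEDD9, ..., 0x8F4BA8E0); the message behind that listing is inferred, not stated on the page: the page's third intermediate variable at i = 0 gives 0x61626380 for the first expanded word, i.e. "abc" followed by the padding bit.

```python
import os
import struct

M = 0xFFFFFFFF
IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]

def rnd():  # fresh 32-bit mask; stands in for the chip's random number extracting function (assumption)
    return int.from_bytes(os.urandom(4), "big")

def rotl(x, n):  # 32-bit circular left shift; n is taken mod 32
    return ((x << (n % 32)) | (x >> (32 - n % 32))) & M

def b2a(xp, r):  # steps 1-8, Goubin boolean->arithmetic: x == xp ^ r  ->  a with x == (a + r) mod 2^32
    g = rnd()
    t = (((xp ^ g) - g) & M) ^ xp
    g ^= r
    return (((xp ^ g) - g) & M) ^ t

def a2b(a, r):  # steps A-S, Goubin arithmetic->boolean: x == (a + r) mod 2^32  ->  xp with x == xp ^ r
    g = rnd()
    t, xp = (g << 1) & M, g ^ r           # T = 2*Gamma is a logical shift, not a rotation
    om = g & xp
    xp = t ^ a
    om ^= ((g ^ xp) & r) ^ (t & a)
    for _ in range(31):                   # K-1 iterations for K = 32 bits
        g = (t & r) ^ om
        t &= a
        t = ((g ^ t) << 1) & M
    return xp ^ t

def mand(xp, mx, yp, my):  # first-order masked AND (ISW): (zp ^ mz) == (xp ^ mx) & (yp ^ my)
    r = rnd()                 # r is folded into the cross terms before they are combined
    return (xp & yp) ^ r, (mx & my) ^ ((r ^ (xp & my)) ^ (mx & yp))

def ff(i, a, ma, b, mb, c, mc):  # FF_i on masked words; majority == (a & (b ^ c)) ^ (b & c)
    if i < 16:
        return a ^ b ^ c, ma ^ mb ^ mc
    p, mp = mand(a, ma, b ^ c, mb ^ mc)
    q, mq = mand(b, mb, c, mc)
    return p ^ q, mp ^ mq

def gg(i, e, me, f, mf, g, mg):  # GG_i on masked words; (e & f) | (~e & g) == g ^ (e & (f ^ g))
    if i < 16:
        return e ^ f ^ g, me ^ mf ^ mg
    p, mp = mand(e, me, f ^ g, mf ^ mg)
    return g ^ p, mg ^ mp

def expand(w):  # W_16..W_67 (units 1-6): XOR and rotations only, so masked words and masks expand alike
    w = list(w)
    for j in range(16, 68):
        x = w[j - 16] ^ w[j - 9] ^ rotl(w[j - 3], 15)
        w.append(x ^ rotl(x, 15) ^ rotl(x, 23) ^ rotl(w[j - 13], 7) ^ w[j - 6])
    return w

def masked_ss1_ss2(i, a, ma, e, me):
    """Steps 205-2 and 205-3 on boolean-masked A and E.
    Returns SS1 as (arithmetic share, mask) and SS2 as (boolean share, mask)."""
    t1, t2 = rotl(a, 12), rotl(ma, 12)
    s, ms = b2a(t1, t2), t2                                         # 205-2-1
    s, ms = (s + b2a(e, me)) & M, (ms + me) & M                      # 205-2-2
    s = (s + rotl(0x79CC4519 if i < 16 else 0x7A879D8A, i)) & M      # 205-2-3
    sb, ms = rotl(a2b(s, ms), 7), rotl(ms, 7)                       # 205-2-4: rotate in boolean form
    return b2a(sb, ms), ms, sb ^ t1, ms ^ t2                        # 205-3: SS2 = SS1 ^ (A <<< 12)

def compress(v, block):
    """Steps 205 and 206 for one 64-byte block: fresh masks in, unmasked V_(i+1) out."""
    mw = [rnd() for _ in range(16)]
    wp = expand(x ^ y for x, y in zip(struct.unpack(">16I", block), mw))
    mw = expand(mw)
    ma, mb, mc, md, me, mf, mg, mh = mk = [rnd() for _ in range(8)]
    a, b, c, d, e, f, g, h = (x ^ y for x, y in zip(v, mk))
    for i in range(64):
        s1, ms1, ss2, mss2 = masked_ss1_ss2(i, a, ma, e, me)
        fp, fm = ff(i, a, ma, b, mb, c, mc)
        t = (b2a(wp[i] ^ wp[i + 4], mw[i] ^ mw[i + 4]) + b2a(ss2, mss2)
             + b2a(d, md) + b2a(fp, fm)) & M                         # 205-4: TT1 arithmetic share
        mt = ((mw[i] ^ mw[i + 4]) + mss2 + md + fm) & M
        gp, gm = gg(i, e, me, f, mf, g, mg)
        u = (b2a(gp, gm) + b2a(h, mh) + s1 + b2a(wp[i], mw[i])) & M  # 205-5: TT2 arithmetic share
        mu = (gm + mh + ms1 + mw[i]) & M
        tt1, mtt1, tt2, mtt2 = a2b(t, mt), mt, a2b(u, mu), mu
        d, md, c, mc, b, mb = c, mc, rotl(b, 9), rotl(mb, 9), a, ma   # 205-6
        a, ma = tt1, mtt1                                             # 205-7
        h, mh, g, mg, f, mf = g, mg, rotl(f, 19), rotl(mf, 19), e, me # 205-8
        e, me = (tt2 ^ rotl(tt2, 9) ^ rotl(tt2, 17),
                 mtt2 ^ rotl(mtt2, 9) ^ rotl(mtt2, 17))              # 205-9: P0 is linear
    regs, msk = (a, b, c, d, e, f, g, h), (ma, mb, mc, md, me, mf, mg, mh)
    return [x ^ y ^ z for x, y, z in zip(v, regs, msk)]               # 206: V_i ^ register ^ mask

def sm3_hex(msg):
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))  # step 106
    v = list(IV)
    for off in range(0, len(data), 64):
        v = compress(v, data[off:off + 64])
    return "".join("%08x" % x for x in v)
```

sm3_hex(b"abc") returns the eight words of step 206 as one hex string. Two design points: masked_ss1_ss2 keeps the boolean form of SS1 for the exclusive-OR of step 205-3 instead of converting the arithmetic form back with the second function, which saves one conversion and changes nothing, because both conversions are determined by the share and the mask alone (the random first parameter only protects the intermediate values). And the shares are plain Python integers, so the block shows the share arithmetic, not a side-channel-hardened binary: the first-order protection of Goubin's steps and of mand rests on the bracketing being kept (for instance r being folded into the cross terms of mand before they are combined) and on no register being reused across shares, and an interpreter or optimizing compiler is free to undo both. Confirming that on hardware still takes a power trace, not a unit test.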
EXAMPLE III
An embodiment of the present invention provides a device for preventing differential power analysis attack in a chip, as shown in fig. 4, including:
the first judging module 11 is used for judging whether data to be processed exists or not, if so, the second judging module 12 is triggered, and if not, the filling operation module 15 is triggered;
the second judging module 12 is used for judging whether the data length in the second storage area is smaller than the preset length, if so, the storage module 13 is triggered, and if not, the compression operation module 14 is triggered;
the storage module 13 is used for storing the data to be processed into the second storage area and triggering the first judgment module 11;
the compression operation module 14 is used for performing compression operation on the data in the second storage area, updating the first storage area according to the compression operation result, and triggering the first judgment module 11;
the filling operation module 15 is used for filling the data in the second storage area, performing compression operation on the data in the second storage area, and updating the first storage area according to the compression operation result;
the compression operation module 14 includes:
the first generation operation submodule is used for storing data which accord with the preset length into the first sixteen data of the first sub-storage area of the second storage area, generating hardware random numbers which are quarter of the preset length and are stored into the second sub-storage area of the second storage area, carrying out exclusive OR operation on the first sixteen data in the first sub-storage area and one hardware random number corresponding to the first sixteen data, and updating the exclusive OR operation results into the first sixteen data of the first sub-storage area;
the second generation operation submodule is used for carrying out preset operation according to the first sixteen data of the first sub storage area and the second sub storage area and storing results into seventeenth to sixty-eighth data of the first sub storage area and the second sub storage area;
the third generation operation submodule is used for randomly generating masks with the number of eighths of the preset length, updating the first data to the eighth data of the first storage area into the first register to the eighth register, performing exclusive-or operation on the data in the first register to the eighth register and one corresponding mask, and updating the exclusive-or operation result into the first register to the eighth register;
the updating submodule is used for updating the intermediate variable and performing cyclic shift operation on the intermediate variable, the data in the first register to the eighth register and each mask;
and the operation updating submodule is used for performing operation on the first data of the first storage area, the data in the first register and the first mask, updating the result to the first data of the first storage area, sequentially executing the operation until the eighth data of the first storage area, the data in the eighth register and the eighth mask are operated, and updating the result to the eighth data of the first storage area.
Optionally, in this embodiment, the apparatus further includes an initializing module, configured to initialize the first storage area to a first preset value, and initialize the second storage area to zero.
Optionally, in this implementation, the second generation operation submodule includes:
a first counting unit for setting an initial value of the first counter to 17 as a current count value j;
the first arithmetic unit is used for circularly and leftwards shifting the j-3 th data of the first sub storage area by 15 bits, and carrying out exclusive OR operation on the j-16 th data and the j-9 th data of the first sub storage area to obtain a first arithmetic result;
the second operation unit is used for carrying out exclusive OR operation on the first operation result, the first operation result circularly left-shifted by 15 bits and the first operation result circularly left-shifted by 23 bits to obtain a second operation result;
the third arithmetic unit is used for carrying out an exclusive OR operation on the second arithmetic result, the j-13 th data of the first sub storage area circularly shifted to the left by 7 bits and the j-6 th data of the first sub storage area to obtain the j-th data, and storing the j-th data in the j-th position of the first sub storage area;
the fourth operation unit is used for circularly and leftwards shifting the j-3 th data of the second sub storage area by 15 bits, and carrying out exclusive OR operation on the j-16 th data and the j-9 th data of the second sub storage area to obtain a third operation result;
the fifth operation unit is used for performing exclusive-or operation on the third operation result, the third operation result circularly shifted left by 15 bits and the third operation result circularly shifted left by 23 bits to obtain a fourth operation result;
the sixth arithmetic unit is used for carrying out an exclusive OR operation on the fourth arithmetic result, the j-13 th data of the second sub-storage area circularly shifted to the left by 7 bits and the j-6 th data of the second sub-storage area to obtain the j-th data, and storing the j-th data in the j-th position of the second sub-storage area;
and the first operation judgment unit is used for performing 1 addition operation on the first counting unit, judging whether the current counting value j is smaller than a second preset value or not, if so, triggering the first operation unit, and otherwise, triggering the third generation operation submodule.
Optionally, in this implementation, the update submodule includes:
a second counting unit for setting an initial value of the second counter to 0 as a current count value i;
the first shift calculation unit is used for circularly shifting the data in the first register to the left by 12 bits to obtain a first temporary calculation result, circularly shifting the first mask to the left by 12 bits to obtain a second temporary calculation result, using a first function to calculate the first temporary calculation result and the second temporary calculation result to obtain a first intermediate variable, and using the second temporary calculation result as a first intermediate variable in a mask form;
a seventh operation unit, configured to perform an arithmetic addition operation on a result obtained by performing an operation on the data in the fifth register and the fifth mask and the first intermediate variable using the first function, update the result to the first intermediate variable, perform an arithmetic addition operation on the first intermediate variable in the mask form and the fifth mask, and update the result to the first intermediate variable in the mask form;
a second shift calculation unit, configured to circularly shift the constant T_i left by i bits, perform an arithmetic addition of the result and the first intermediate variable, and update the result to the first intermediate variable;
a third shift calculation unit, configured to use a second function to perform operation on the first intermediate variable and the first intermediate variable in the mask form to obtain a third temporary calculation result, use the first intermediate variable in the mask form as a fourth temporary calculation result, update the third temporary calculation result to the first intermediate variable by circularly shifting left by 7 bits, update the fourth temporary calculation result to the first intermediate variable in the mask form by circularly shifting left by 7 bits, perform operation on the first intermediate variable and the first intermediate variable in the mask form by using the first function, and update the result to the first intermediate variable;
an eighth operation unit, configured to apply the second function to the first intermediate variable and the first intermediate variable in the mask form to obtain the second intermediate variable, use the first intermediate variable in the mask form as the second intermediate variable in the mask form, perform an exclusive-OR operation on the second intermediate variable and the first temporary calculation result and update the result to the second intermediate variable, and perform an exclusive-OR operation on the second intermediate variable in the mask form and the second temporary calculation result and update the result to the second intermediate variable in the mask form;
a ninth operation unit, configured to perform an exclusive-OR operation on the (i + 1)th data and the (i + 5)th data in the first sub-storage area to obtain a fifth temporary calculation result, perform an exclusive-OR operation on the (i + 1)th data and the (i + 5)th data in the second sub-storage area to obtain a sixth temporary calculation result, apply the first function to the fifth temporary calculation result and the sixth temporary calculation result and update the result to the third intermediate variable, and use the sixth temporary calculation result as the third intermediate variable in the mask form;
a tenth operation unit configured to perform an operation on the second intermediate variable and the second intermediate variable in the form of a mask using the first function, perform an arithmetic addition operation on the result and the third intermediate variable, update the result to the third intermediate variable, perform an arithmetic addition operation on the second intermediate variable in the form of a mask and the third intermediate variable in the form of a mask, update the result to the third intermediate variable in the form of a mask, perform an operation on the data in the fourth register and the fourth mask using the first function, perform an arithmetic addition operation on the result and the third intermediate variable, update the result to the third intermediate variable, perform an arithmetic addition operation on the fourth mask and the third intermediate variable in the form of a mask, and update the result to the third intermediate variable in the form of a mask;
an eleventh operation unit, configured to perform an operation on data in the first register, the second register, and the third register using a first boolean function to obtain a seventh temporary calculation result, perform an operation on the first mask, the second mask, and the third mask using the first boolean function to obtain an eighth temporary calculation result, perform an operation on the seventh temporary calculation result and the eighth temporary calculation result using the first function, perform an arithmetic addition operation on the result and a third intermediate variable, update the result to a third intermediate variable, perform an arithmetic addition operation on the eighth temporary calculation result and a third intermediate variable in a mask form, and update the result to a third intermediate variable in a mask form;
a twelfth operation unit, configured to perform an operation on data in the fifth register, the sixth register, and the seventh register using a second boolean function to obtain a ninth temporary calculation result, perform an operation on the fifth mask, the sixth mask, and the seventh mask using the second boolean function to obtain a tenth temporary calculation result, perform an operation on the ninth temporary calculation result and the tenth temporary calculation result using the first function, use the operation result as a fourth intermediate variable, and use the tenth temporary calculation result as a fourth intermediate variable in a mask form;
a thirteenth operation unit configured to calculate the data in the eighth register and the eighth mask using the first function, perform an arithmetic addition operation on the result and the fourth intermediate variable, update the result to the fourth intermediate variable, perform an arithmetic addition operation on the eighth mask and the fourth intermediate variable in the mask form, and update the result to the fourth intermediate variable in the mask form;
a fourteenth operation unit, configured to perform an arithmetic addition operation on the first intermediate variable and the fourth intermediate variable, update the result to the fourth intermediate variable, perform an arithmetic addition operation on the first intermediate variable in the mask form and the fourth intermediate variable in the mask form, and update the result to the fourth intermediate variable in the mask form;
a fifteenth operation unit, configured to perform an operation on the (i + 1) th data in the first sub-storage area and the (i + 1) th data in the second sub-storage area using the first function, perform an arithmetic addition operation on the result and a fourth intermediate variable, update the result to the fourth intermediate variable, perform an arithmetic addition operation on the (i + 1) th data in the second sub-storage area and the fourth intermediate variable in the mask form, and update the result to the fourth intermediate variable in the mask form;
a cyclic shift unit for performing a cyclic shift operation;
and a second operation judgment unit, configured to add 1 to the count value of the second counting unit, judge whether the current count value is smaller than a third preset value, and if so trigger the first shift calculation unit, otherwise trigger the operation updating submodule.
Optionally, in this implementation, the first shift calculating unit includes:
a first operation subunit, configured to operate on the address of the security parameter using the random number extraction function to obtain a fifth operation result, and use the fifth operation result as a first parameter;
a second operation subunit, configured to perform an AND operation on the first temporary calculation result and the first parameter to obtain a sixth operation result, and use the sixth operation result as a second parameter;
a first operation updating subunit, configured to subtract the first parameter from the second parameter to obtain a seventh operation result, and update the seventh operation result to the second parameter;
a second operation updating subunit, configured to perform an AND operation on the second parameter and the first temporary calculation result to obtain an eighth operation result, and update the eighth operation result to the second parameter;
a third operation updating subunit, configured to perform an AND operation on the first parameter and the second temporary calculation result to obtain a ninth operation result, and update the ninth operation result to the first parameter;
a third operation subunit, configured to perform an AND operation on the first temporary calculation result and the first parameter to obtain a tenth operation result, and use the tenth operation result as a third parameter;
a fourth operation updating subunit, configured to subtract the first parameter from the third parameter to obtain an eleventh operation result, and update the eleventh operation result to the third parameter;
and a fourth operation subunit, configured to perform an AND operation on the third parameter and the second parameter to obtain a twelfth operation result, update the twelfth operation result to the third parameter, and use the third parameter as the first intermediate variable.
Optionally, in this implementation, the third shift calculating unit includes:
a fifth operation subunit, configured to operate on the address of the security parameter using the random number extraction function to obtain a thirteenth operation result, and use the thirteenth operation result as the first parameter;
a first shift subunit, configured to cyclically shift the first parameter left by 1 bit to obtain a fourteenth operation result, and use the fourteenth operation result as a second parameter;
a sixth operation subunit, configured to perform an AND operation on the first parameter and the first intermediate variable in the mask form to obtain a fifteenth operation result, and use the fifteenth operation result as a fifth parameter;
a seventh operation subunit, configured to perform an AND operation on the first parameter and the fifth parameter to obtain a sixteenth operation result, and use the sixteenth operation result as a fourth parameter;
an eighth operation subunit, configured to perform an AND operation on the second parameter and the first intermediate variable to obtain a seventeenth operation result, and update the seventeenth operation result to the fifth parameter;
a fifth operation updating subunit, configured to perform an AND operation on the first parameter and the fifth parameter to obtain an eighteenth operation result, and update the eighteenth operation result to the first parameter;
a sixth operation updating subunit, configured to perform an AND operation on the first parameter and the first intermediate variable in the mask form to obtain a nineteenth operation result, and update the nineteenth operation result to the first parameter;
a seventh operation updating subunit, configured to perform an AND operation on the fourth parameter and the first parameter to obtain a twentieth operation result, and update the twentieth operation result to the fourth parameter;
an eighth operation updating subunit, configured to perform an AND operation on the second parameter and the first intermediate variable to obtain a twenty-first operation result, and update the twenty-first operation result to the first parameter;
a ninth operation updating subunit, configured to perform an AND operation on the fourth parameter and the first parameter to obtain a twenty-second operation result, and update the twenty-second operation result to the fourth parameter;
a first counting subunit, configured to set the initial value of the third counter to 1 as the current count value k;
a first judgment subunit, configured to judge whether the count value k is smaller than 31, and if so trigger the tenth operation updating subunit, otherwise trigger the ninth operation subunit;
a tenth operation updating subunit, configured to perform an AND operation on the second parameter and the first intermediate variable in the mask form to obtain a twenty-third operation result, and update the twenty-third operation result to the first parameter;
an eleventh operation updating subunit, configured to perform an AND operation on the first parameter and the fourth parameter to obtain a twenty-fourth operation result, and update the twenty-fourth operation result to the first parameter;
a twelfth operation updating subunit, configured to perform an AND operation on the second parameter and the first intermediate variable to obtain a twenty-fifth operation result, and update the twenty-fifth operation result to the second parameter;
a thirteenth operation updating subunit, configured to perform an AND operation on the first parameter and the second parameter to obtain a twenty-sixth operation result, and update the twenty-sixth operation result to the first parameter;
a first shift updating subunit, configured to cyclically shift the first parameter left by 1 bit to obtain a twenty-seventh operation result, and update the twenty-seventh operation result to the second parameter;
an operation returning subunit, configured to add 1 to the count value k of the first counting subunit and trigger the first judgment subunit;
and a ninth operation subunit, configured to perform an AND operation on the fifth parameter and the second parameter to obtain a twenty-eighth operation result, update the twenty-eighth operation result to the fifth parameter, and use the fifth parameter as the third temporary calculation result.
Optionally, in this implementation, the eleventh operation unit is configured to operate on the data in the first register, the second register, and the third register using the first Boolean function to obtain the seventh temporary calculation result, specifically:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive OR operation on the data in the first register, the second register and the third register to obtain the seventh temporary calculation result;
and when the count value i is greater than or equal to 16 and less than or equal to 63, performing an OR operation on the result of the AND operation of the data in the first register and the second register, the result of the AND operation of the data in the first register and the third register, and the result of the AND operation of the data in the second register and the third register to obtain the seventh temporary calculation result.
Optionally, in this implementation, the eleventh operation unit is configured to operate on the first mask, the second mask, and the third mask using the first Boolean function to obtain the eighth temporary calculation result, specifically:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing exclusive-or operation on the first mask, the second mask and the third mask to obtain an eighth temporary calculation result;
and when the count value i is greater than or equal to 16 and less than or equal to 63, performing an or operation on a result of the and operation of the first mask and the second mask, a result of the and operation of the first mask and the third mask, and a result of the and operation of the second mask and the third mask to obtain an eighth temporary calculation result.
Optionally, in this embodiment, the twelfth operation unit is configured to operate on the data in the fifth register, the sixth register, and the seventh register using the second Boolean function to obtain the ninth temporary calculation result, specifically:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive OR operation on the data in the fifth register, the sixth register and the seventh register to obtain the ninth temporary calculation result;
and when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the data in the fifth register and the data in the sixth register, performing an AND operation on the NOT of the data in the fifth register and the data in the seventh register, and performing an OR operation on the two results to obtain the ninth temporary calculation result.
Optionally, in this embodiment, the twelfth operation unit is configured to operate on the fifth mask, the sixth mask, and the seventh mask using the second Boolean function to obtain the tenth temporary calculation result, specifically:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive OR operation on the fifth mask, the sixth mask and the seventh mask to obtain the tenth temporary calculation result;
and when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the fifth mask and the sixth mask, performing an AND operation on the NOT of the fifth mask and the seventh mask, and performing an OR operation on the two results to obtain the tenth temporary calculation result.
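The two Boolean functions described above (and again in claims 5 to 8 below), evaluated separately on the masked register words and on the masks as the eleventh and twelfth operation units do, as an added example in C that is not the patent's code; the names `bool_ff`, `bool_gg` and `share_t` are my own. It also counts, per round range, the input combinations for which XORing the two per-share results fails to reproduce the function of the unmasked words, which is zero for the XOR variant of rounds 0 to 15 and non-zero for the majority and choice variants of rounds 16 to 63: the check a reviewer should run before trusting any per-share evaluation of a non-linear function.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's code.  The round index i selects the
 * variant of each Boolean function exactly as the page describes:
 * XOR for 0 <= i <= 15, majority / choice for 16 <= i <= 63 (SM3's FF_j, GG_j). */

/* First Boolean function (eleventh operation unit). */
uint32_t bool_ff(unsigned i, uint32_t x, uint32_t y, uint32_t z) {
    if (i <= 15) return x ^ y ^ z;
    return (x & y) | (x & z) | (y & z);
}

/* Second Boolean function (twelfth operation unit). */
uint32_t bool_gg(unsigned i, uint32_t x, uint32_t y, uint32_t z) {
    if (i <= 15) return x ^ y ^ z;
    return (x & y) | (~x & z);
}

/* A register word kept as a Boolean-masked pair: masked = value ^ mask. */
typedef struct { uint32_t masked; uint32_t mask; } share_t;

/* Per-share evaluation: the function on the masked words gives the
 * "seventh" (or "ninth") temporary result, the function on the masks the
 * "eighth" (or "tenth") one.  The pair is returned without recombination. */
share_t ff_shares(unsigned i, share_t a, share_t b, share_t c) {
    share_t r = { bool_ff(i, a.masked, b.masked, c.masked),
                  bool_ff(i, a.mask,   b.mask,   c.mask) };
    return r;
}

share_t gg_shares(unsigned i, share_t a, share_t b, share_t c) {
    share_t r = { bool_gg(i, a.masked, b.masked, c.masked),
                  bool_gg(i, a.mask,   b.mask,   c.mask) };
    return r;
}

/* Count the inputs for which XORing the two per-share results differs from
 * the function of the unmasked words, i.e. test whether f is linear over
 * XOR.  The functions act bit by bit, so the 64 single-bit combinations of
 * (x, y, z, a, b, c) are exhaustive.  0 means per-share evaluation plus a
 * plain XOR is exact; anything else means the pair needs a dedicated
 * recombination step before it can be used as an unmasked value. */
static unsigned share_xor_mismatches(unsigned i, int use_gg) {
    unsigned mismatches = 0;
    for (unsigned bits = 0; bits < 64; bits++) {
        uint32_t x = bits & 1, y = (bits >> 1) & 1, z = (bits >> 2) & 1;
        uint32_t a = (bits >> 3) & 1, b = (bits >> 4) & 1, c = (bits >> 5) & 1;
        share_t sa = { x ^ a, a }, sb = { y ^ b, b }, sc = { z ^ c, c };
        share_t s = use_gg ? gg_shares(i, sa, sb, sc) : ff_shares(i, sa, sb, sc);
        uint32_t plain = use_gg ? bool_gg(i, x, y, z) : bool_ff(i, x, y, z);
        if (((s.masked ^ s.mask) & 1u) != (plain & 1u)) mismatches++;
    }
    return mismatches;
}

unsigned ff_share_xor_mismatches(unsigned i) { return share_xor_mismatches(i, 0); }
unsigned gg_share_xor_mismatches(unsigned i) { return share_xor_mismatches(i, 1); }

int main(void) {
    printf("FF: round 0 mismatches %u, round 16 mismatches %u\n",
           ff_share_xor_mismatches(0), ff_share_xor_mismatches(16));
    printf("GG: round 0 mismatches %u, round 16 mismatches %u\n",
           gg_share_xor_mismatches(0), gg_share_xor_mismatches(16));
    return 0;
}
```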
Optionally, in this embodiment, the cyclic shift unit specifically includes:
a first cyclic shift subunit, configured to update the data in the third register into the fourth register, cyclically shift the data in the second register left by 9 bits and update the result into the third register, update the data in the first register into the second register, use the third mask as the fourth mask, cyclically shift the second mask left by 9 bits and use the result as the third mask, and use the first mask as the second mask;
a tenth operation subunit, configured to operate on the third intermediate variable and the third intermediate variable in the mask form using the second function, update the result to the first register, and use the third intermediate variable in the mask form as the first mask;
a second cyclic shift subunit, configured to update the data in the seventh register into the eighth register, cyclically shift the data in the sixth register left by 19 bits and update the result into the seventh register, update the data in the fifth register into the sixth register, use the seventh mask as the eighth mask, cyclically shift the sixth mask left by 19 bits and use the result as the seventh mask, and use the fifth mask as the sixth mask;
and a third cyclic shift subunit, configured to operate on the fourth intermediate variable and the fourth intermediate variable in the mask form using the second function to obtain a twenty-ninth operation result, perform an exclusive OR operation on the twenty-ninth operation result, the twenty-ninth operation result cyclically shifted left by 9 bits and the twenty-ninth operation result cyclically shifted left by 17 bits, update the result into the fifth register, perform an exclusive OR operation on the fourth intermediate variable in the mask form, the fourth intermediate variable in the mask form cyclically shifted left by 9 bits and the fourth intermediate variable in the mask form cyclically shifted left by 17 bits, and update the result into the fifth mask.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (18)

1. An implementation method for preventing differential power analysis attacks in a chip is characterized by comprising the following steps:
step S1: the chip judges whether the data to be processed exists, if so, the step S2 is executed, otherwise, the step S5 is executed;
step S2: the chip judges whether the data length in the second storage area is smaller than the preset length, if so, the step S3 is executed, otherwise, the step S4 is executed;
step S3: the chip stores the data to be processed in a second storage area, and the step S1 is returned;
step S4: the chip performs compression operation on the data in the second storage area, updates the first storage area according to the result of the compression operation, and returns to the step S1;
step S5: the chip fills the data in the second storage area, performs compression operation on the data in the second storage area, and updates the first storage area according to the compression operation result;
the compressing the data in the second storage area and updating the first storage area according to the result of the compressing operation includes:
step R1: the chip stores data which accord with preset length into the first sixteen data of the first sub-storage area of the second storage area, generates sixteen hardware random numbers to be stored into the second sub-storage area of the second storage area, carries out exclusive OR operation on the first sixteen data in the first sub-storage area and a hardware random number corresponding to the first sixteen data, and updates the exclusive OR operation result into the first sixteen data of the first sub-storage area;
step R2: the chip carries out preset operation according to the first sixteen data of the first sub storage area and the second sub storage area and stores results into the seventeenth data to sixty-eighth data of the first sub storage area and the second sub storage area;
step R3: the chip randomly generates eight masks, updates the first data to the eighth data of the first storage area into a first register to an eighth register, performs exclusive-or operation on the data in the first register to the eighth register and one corresponding mask, and updates the exclusive-or operation result into the first register to the eighth register;
step R4: the chip updates an intermediate variable and performs cyclic shift operation on the intermediate variable, data in the first register to the eighth register and each mask;
step R5: the chip carries out operation on the first data of the first storage area, the data in the first register and the first mask, updates the result to the first data of the first storage area, sequentially executes the operation until the eighth data of the first storage area, the data in the eighth register and the eighth mask are operated, and updates the result to the eighth data of the first storage area;
the step R2 specifically includes:
step M1: the chip sets the initial value of the first counter to be 17 as the current count value j;
step M2: the chip cyclically shifts the (j-3)th data of the first sub-storage area left by 15 bits and performs an exclusive OR operation on the result, the (j-16)th data and the (j-9)th data of the first sub-storage area to obtain a first operation result;
step M3: the chip performs an exclusive OR operation on the first operation result, the first operation result cyclically shifted left by 15 bits and the first operation result cyclically shifted left by 23 bits to obtain a second operation result;
step M4: the chip performs an exclusive OR operation on the second operation result, the (j-13)th data of the first sub-storage area cyclically shifted left by 7 bits and the (j-6)th data of the first sub-storage area to obtain the jth data, and stores the jth data at the jth position of the first sub-storage area;
step M5: the chip cyclically shifts the (j-3)th data of the second sub-storage area left by 15 bits and performs an exclusive OR operation on the result, the (j-16)th data and the (j-9)th data of the second sub-storage area to obtain a third operation result;
step M6: the chip performs an exclusive OR operation on the third operation result, the third operation result cyclically shifted left by 15 bits and the third operation result cyclically shifted left by 23 bits to obtain a fourth operation result;
step M7: the chip performs an exclusive OR operation on the fourth operation result, the (j-13)th data of the second sub-storage area cyclically shifted left by 7 bits and the (j-6)th data of the second sub-storage area to obtain the jth data, and stores the jth data at the jth position of the second sub-storage area;
step M8: the chip adds 1 to the current count value j, judges whether the current count value j is smaller than a second preset value, and if so returns to step M2, otherwise executes step R3;
the step R4 specifically includes:
step R4-1: the chip sets the initial value of the second counter to be 0 as the current count value i;
step R4-2: the chip cyclically shifts the data in the first register left by 12 bits to obtain a first temporary calculation result, cyclically shifts the first mask left by 12 bits to obtain a second temporary calculation result, operates on the first temporary calculation result and the second temporary calculation result using a first function to obtain a first intermediate variable, and uses the second temporary calculation result as a first intermediate variable in a mask form;
step R4-3: the chip uses the first function to perform arithmetic addition operation on a result obtained by operating the data and the fifth mask in the fifth register and the first intermediate variable, updates the result to the first intermediate variable, performs arithmetic addition operation on the first intermediate variable in the mask form and the fifth mask, and updates the result to the first intermediate variable in the mask form;
step R4-4: the chip performs an arithmetic addition operation on the constant Ti shifted by i bits and the first intermediate variable, and updates the result to the first intermediate variable;
step R4-5: the chip uses a second function to operate the first intermediate variable and the first intermediate variable in the mask form to obtain a third temporary calculation result, the first intermediate variable in the mask form is used as a fourth temporary calculation result, the third temporary calculation result is circularly shifted left by 7 bits to be updated to the first intermediate variable, the fourth temporary calculation result is circularly shifted left by 7 bits to be updated to the first intermediate variable in the mask form, the first function is used to operate the first intermediate variable and the first intermediate variable in the mask form, and the result is updated to the first intermediate variable;
step R4-6: the chip uses the second function to operate the first intermediate variable and the first intermediate variable in the mask form to obtain a second intermediate variable, the first intermediate variable in the mask form is used as a second intermediate variable in the mask form, the second intermediate variable and the first temporary calculation result are subjected to AND operation, the result is updated to the second intermediate variable, the second intermediate variable in the mask form and the second temporary calculation result are subjected to AND operation, and the result is updated to the second intermediate variable in the mask form;
step R4-7: the chip performs AND operation on the (i + 1) th data and the (i + 5) th data of the first sub-storage area to obtain a fifth temporary calculation result, performs AND operation on the (i + 1) th data and the (i + 5) th data of the second sub-storage area to obtain a sixth temporary calculation result, performs operation on the fifth temporary calculation result and the sixth temporary calculation result by using the first function, updates the result to a third intermediate variable, and uses the sixth temporary calculation result as a third intermediate variable in a mask mode;
step R4-8: the chip uses the first function to operate the second intermediate variable and the mask-form second intermediate variable, performs an arithmetic addition operation on a result and the third intermediate variable, updates the result to the third intermediate variable, performs an arithmetic addition operation on the mask-form second intermediate variable and the mask-form third intermediate variable, updates the result to the mask-form third intermediate variable, uses the first function to operate data and a fourth mask in a fourth register, performs an arithmetic addition operation on the result and the third intermediate variable, updates the result to the third intermediate variable, performs an arithmetic addition operation on the fourth mask and the mask-form third intermediate variable, and updates the result to the mask-form third intermediate variable;
step R4-9: the chip uses a first Boolean function to operate data in the first register, the second register and the third register to obtain a seventh temporary calculation result, uses the first Boolean function to operate the first mask, the second mask and the third mask to obtain an eighth temporary calculation result, uses the first function to operate the seventh temporary calculation result and the eighth temporary calculation result, performs an arithmetic addition operation on the result and the third intermediate variable, updates the result to the third intermediate variable, performs an arithmetic addition operation on the eighth temporary calculation result and the third intermediate variable in the form of the mask, and updates the result to the third intermediate variable in the form of the mask;
step R4-10: the chip uses a second Boolean function to operate data in the fifth register, the sixth register and the seventh register to obtain a ninth temporary calculation result, uses the second Boolean function to operate a fifth mask, a sixth mask and a seventh mask to obtain a tenth temporary calculation result, uses the first function to operate the ninth temporary calculation result and the tenth temporary calculation result, uses the operation result as a fourth intermediate variable, and uses the tenth temporary calculation result as a fourth intermediate variable in a mask form;
step R4-11: the chip calculates the data in the eighth register and the eighth mask by using the first function, performs arithmetic addition operation on the result and the fourth intermediate variable, updates the result to the fourth intermediate variable, performs arithmetic addition operation on the eighth mask and the fourth intermediate variable in the mask form, and updates the result to the fourth intermediate variable in the mask form;
step R4-12: the chip performs arithmetic addition operation on the first intermediate variable and the fourth intermediate variable, updates the result to the fourth intermediate variable, performs arithmetic addition operation on the first intermediate variable in the mask form and the fourth intermediate variable in the mask form, and updates the result to the fourth intermediate variable in the mask form;
step R4-13: the chip uses the first function to operate the (i + 1) th data of the first sub-storage area and the (i + 1) th data of the second sub-storage area, perform arithmetic addition operation on the result and the fourth intermediate variable, update the result to the fourth intermediate variable, perform arithmetic addition operation on the (i + 1) th data of the second sub-storage area and the fourth intermediate variable in the mask form, and update the result to the fourth intermediate variable in the mask form;
step R4-14: the chip carries out cyclic shift operation;
step R4-15: and the chip adds 1 to the count value i, judges whether the current count value is smaller than a third preset value or not, returns to the step R4-2 if the current count value is smaller than the third preset value, and otherwise executes the step R5.
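Steps R1 and M1 to M8 of claim 1 (the "preset operation" of step R2) in C, as an added example that is not the patent's code: the 0-based array indices, the function names, the padded "abc" block taken from the SM3 standard's worked example, and the fixed stand-ins for the sixteen hardware random numbers are my own assumptions. It shows why the expansion can be run on the first and second sub-storage areas independently: only XORs and rotations are involved, so unmasking each expanded word of the first area with the matching word of the second area gives the plain expansion, while no plain expanded word is ever written to memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the patent's code.  The first sub-storage area holds
 * masked[j] = W[j] ^ R[j] and the second sub-storage area holds the random
 * words R[j]; the page's 17th..68th data are w[16..67] here. */

static uint32_t rotl32(uint32_t x, unsigned n) {
    n &= 31u;
    return n ? (x << n) | (x >> (32u - n)) : x;
}

/* P1 permutation of steps M3/M6: X ^ (X <<< 15) ^ (X <<< 23). */
static uint32_t sm3_p1(uint32_t x) {
    return x ^ rotl32(x, 15) ^ rotl32(x, 23);
}

/* Steps M2-M4 (or M5-M7) for j = 16..67 on one 68-word array. */
void sm3_expand(uint32_t w[68]) {
    for (size_t j = 16; j < 68; j++) {
        uint32_t t = w[j - 16] ^ w[j - 9] ^ rotl32(w[j - 3], 15);   /* M2 */
        w[j] = sm3_p1(t) ^ rotl32(w[j - 13], 7) ^ w[j - 6];         /* M3, M4 */
    }
}

/* Step R1 followed by R2: mask the 16 message words with the 16 random
 * words, then expand both arrays with the same recurrence. */
void sm3_expand_masked(const uint32_t block[16], const uint32_t rnd[16],
                       uint32_t masked[68], uint32_t mask[68]) {
    for (size_t j = 0; j < 16; j++) {
        mask[j] = rnd[j];
        masked[j] = block[j] ^ rnd[j];
    }
    sm3_expand(masked);   /* first sub-storage area  */
    sm3_expand(mask);     /* second sub-storage area */
}

/* Constructed sample: the padded single block of the message "abc" (the
 * SM3 standard's worked example) and fixed stand-ins for the sixteen
 * hardware random numbers; a real chip draws fresh ones per block. */
static const uint32_t kAbcBlock[16] = {
    0x61626380u, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00000018u };
static const uint32_t kSampleRandom[16] = {
    0xdeadbeefu, 0x0badf00du, 0x12345678u, 0x9abcdef0u,
    0xa5a5a5a5u, 0x5a5a5a5au, 0xffffffffu, 0x00000001u,
    0x0f0f0f0fu, 0xf0f0f0f0u, 0x31415926u, 0x27182818u,
    0xcafebabeu, 0x8badf00du, 0x00c0ffeeu, 0x7fffffffu };

/* Plain (unmasked) expansion of the "abc" block; returns W[j].
 * The standard's example gives W[16] = 0x9092e200 and W[18] = 0x000c0606. */
uint32_t sm3_abc_plain_w(size_t j) {
    uint32_t w[68];
    for (size_t k = 0; k < 16; k++) w[k] = kAbcBlock[k];
    sm3_expand(w);
    return j < 68 ? w[j] : 0;
}

/* 1 if unmasking every expanded word reproduces the plain expansion. */
int sm3_masked_expansion_matches(void) {
    uint32_t masked[68], mask[68];
    sm3_expand_masked(kAbcBlock, kSampleRandom, masked, mask);
    for (size_t j = 0; j < 68; j++)
        if ((masked[j] ^ mask[j]) != sm3_abc_plain_w(j)) return 0;
    return 1;
}

int main(void) {
    printf("W[16] of \"abc\" = %08x, masked expansion consistent: %d\n",
           (unsigned)sm3_abc_plain_w(16), sm3_masked_expansion_matches());
    return 0;
}
```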
2. The method of claim 1, wherein the step S1 is preceded by: the chip initializes the first storage area to a first preset value and initializes the second storage area to zero.
3. The method of claim 1, wherein the operating the first temporary calculation result and the second temporary calculation result using the first function to obtain the first intermediate variable specifically comprises:
step 1: the chip uses an extraction random number function to operate the address of the security parameter to obtain a fifth operation result, and the fifth operation result is used as a first parameter;
step 2: the chip performs AND operation on the first temporary calculation result and the first parameter to obtain a sixth operation result, and the sixth operation result is used as a second parameter;
step 3: the chip subtracts the second parameter from the first parameter to obtain a seventh operation result, and updates the seventh operation result to the second parameter;
step 4: the chip performs an AND operation on the second parameter and the first temporary calculation result to obtain an eighth operation result, and updates the eighth operation result to the second parameter;
step 5: the chip performs an AND operation on the first parameter and the second temporary calculation result to obtain a ninth operation result, and updates the ninth operation result to the first parameter;
step 6: the chip performs an AND operation on the first temporary calculation result and the first parameter to obtain a tenth operation result, and uses the tenth operation result as a third parameter;
step 7: the chip subtracts the third parameter from the first parameter to obtain an eleventh operation result, and updates the eleventh operation result to the third parameter;
step 8: the chip performs an AND operation on the third parameter and the second parameter to obtain a twelfth operation result, updates the twelfth operation result to the third parameter, and takes the third parameter as the first intermediate variable.
4. The method of claim 3, wherein the chip operating the first intermediate variable and the masked first intermediate variable using the second function to obtain the third temporary calculation result specifically includes:
step A: the chip uses the random number extracting function to operate the address of the safety parameter to obtain a thirteenth operation result, and the thirteenth operation result is used as the first parameter;
step B: the chip cyclically shifts the first parameter left by 1 bit to obtain a fourteenth operation result, and uses the fourteenth operation result as the second parameter;
step C: the chip performs an AND operation on the first parameter and the first intermediate variable in the mask form to obtain a fifteenth operation result, and uses the fifteenth operation result as a fifth parameter;
step D: the chip performs AND operation on the first parameter and the fifth parameter to obtain a sixteenth operation result, and the sixteenth operation result is used as a fourth parameter;
step E: the chip performs AND operation on the second parameter and the first intermediate variable to obtain a seventeenth operation result, and updates the seventeenth operation result to the fifth parameter;
step F: the chip performs AND operation on the first parameter and the fifth parameter to obtain an eighteenth operation result, and updates the eighteenth operation result to the first parameter;
step G: the chip performs AND operation on the first parameter and the first intermediate variable in the mask mode to obtain a nineteenth operation result, and updates the nineteenth operation result to the first parameter;
step H: the chip performs AND operation on the fourth parameter and the first parameter to obtain a twentieth operation result, and updates the twentieth operation result to the fourth parameter;
step I: the chip performs AND operation on the second parameter and the first intermediate variable to obtain a twenty-first operation result, and updates the twenty-first operation result to the first parameter;
step J: the chip performs AND operation on the fourth parameter and the first parameter to obtain a twenty-second operation result, and updates the twenty-second operation result to the fourth parameter;
step K: the chip sets the initial value of the third counter to be 1 as the current count value k;
step L: the chip judges whether the count value k is smaller than 31, if so, the step M is executed, otherwise, the step S is executed;
step M: the chip performs AND operation on the second parameter and the first intermediate variable in the mask mode to obtain a twenty-third operation result, and updates the twenty-third operation result to the first parameter;
step N: the chip performs an AND operation on the first parameter and the fourth parameter to obtain a twenty-fourth operation result, and updates the twenty-fourth operation result to the first parameter;
step O: the chip performs AND operation on the second parameter and the first intermediate variable to obtain a twenty-fifth operation result, and updates the twenty-fifth operation result to the second parameter;
step P: the chip performs AND operation on the first parameter and the second parameter to obtain a twenty-sixth operation result, and updates the twenty-sixth operation result to the first parameter;
step Q: the chip circularly shifts the first parameter by 1 bit to the left to obtain a twenty-seventh operation result, and updates the twenty-seventh operation result to the second parameter;
step R: the chip adds 1 to the count value k and returns to the step L;
step S: and the chip performs AND operation on the fifth parameter and the second parameter to obtain a twenty-eighth operation result, updates the twenty-eighth operation result to the fifth parameter, and takes the fifth parameter as the third temporary calculation result.
5. The method of claim 4, wherein the operation of the chip on the data in the first register, the second register, and the third register using the first Boolean function to obtain the seventh temporary calculation result is specifically:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing exclusive-or operation on data in the first register, the second register and the third register to obtain a seventh temporary calculation result;
and when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the data in the first register and the second register, an AND operation on the data in the first register and the third register, and an AND operation on the data in the second register and the third register, and performing an OR operation on the three results to obtain the seventh temporary calculation result.
6. The method of claim 5, wherein operating on the first mask, the second mask and the third mask using the first Boolean function to obtain the eighth temporary calculation result is specifically:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive-or operation on the first mask, the second mask and the third mask to obtain the eighth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an OR operation on the result of an AND operation on the first mask and the second mask, the result of an AND operation on the first mask and the third mask, and the result of an AND operation on the second mask and the third mask to obtain the eighth temporary calculation result.
7. The method of claim 6, wherein the operation performed by the chip on the data in the fifth register, the sixth register and the seventh register using the second Boolean function to obtain the ninth temporary calculation result is specifically:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive-or operation on the data in the fifth register, the sixth register and the seventh register to obtain the ninth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the data in the fifth register and the data in the sixth register; performing a NOT operation on the data in the fifth register and an AND operation on that result and the data in the seventh register; and performing an OR operation on the two results to obtain the ninth temporary calculation result.
8. The method of claim 7, wherein operating on the fifth mask, the sixth mask and the seventh mask using the second Boolean function to obtain the tenth temporary calculation result is specifically:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive-or operation on the fifth mask, the sixth mask and the seventh mask to obtain the tenth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the fifth mask and the sixth mask; performing a NOT operation on the fifth mask and an AND operation on that result and the seventh mask; and performing an OR operation on the two results to obtain the tenth temporary calculation result.
9. The method of claim 8, wherein steps R4-14 specifically include:
step R4-14-1: the chip updates the data in the third register to the fourth register, circularly left-shifts the data in the second register by 9 bits and updates the result to the third register, updates the data in the first register to the second register, uses the third mask as the fourth mask, circularly left-shifts the second mask by 9 bits and uses the result as the third mask, and uses the first mask as the second mask;
step R4-14-2: the chip operates on the third intermediate variable and the third intermediate variable in mask form using the second function, updates the result to the first register, and uses the third intermediate variable in mask form as the first mask;
step R4-14-3: the chip updates the data in the seventh register to the eighth register, left-shifts the data in the sixth register by 19 bits and updates the result to the seventh register, updates the data in the fifth register to the sixth register, uses the seventh mask as the eighth mask, left-shifts the sixth mask by 19 bits and uses the result as the seventh mask, and uses the fifth mask as the sixth mask;
step R4-14-4: the chip operates on the fourth intermediate variable and the fourth intermediate variable in mask form using the second function to obtain a twenty-ninth operation result, performs an exclusive-or operation on the twenty-ninth operation result, the twenty-ninth operation result circularly left-shifted by 9 bits and the twenty-ninth operation result circularly left-shifted by 17 bits, and updates the result to the fifth register; and performs an exclusive-or operation on the fourth intermediate variable in mask form, the fourth intermediate variable in mask form circularly left-shifted by 9 bits and the fourth intermediate variable in mask form circularly left-shifted by 17 bits, and updates the result to the fifth mask.
10. An apparatus for preventing differential power analysis attacks in a chip, comprising:
a first judgment module, configured to judge whether data to be processed exists, and if so trigger the second judgment module, otherwise trigger the filling operation module;
a second judgment module, configured to judge whether the length of the data in the second storage area is smaller than a preset length, and if so trigger the storage module, otherwise trigger the compression operation module;
a storage module, configured to store the data to be processed into the second storage area and trigger the first judgment module;
a compression operation module, configured to perform a compression operation on the data in the second storage area, update the first storage area according to the compression operation result, and trigger the first judgment module;
a filling operation module, configured to fill the data in the second storage area, perform a compression operation on the data in the second storage area, and update the first storage area according to the compression operation result;
the compression operation module comprises:
a first generation operation submodule, configured to store data of the preset length as the first sixteen data of a first sub-storage area of the second storage area, generate sixteen hardware random numbers and store them in a second sub-storage area of the second storage area, perform an exclusive-or operation on each of the first sixteen data in the first sub-storage area and its corresponding hardware random number, and update the exclusive-or results to the first sixteen data of the first sub-storage area;
a second generation operation submodule, configured to perform a preset operation on the first sixteen data of the first sub-storage area and of the second sub-storage area, and store the results as the seventeenth to sixty-eighth data of the first sub-storage area and the second sub-storage area;
a third generation operation submodule, configured to randomly generate eight masks, update the first to eighth data of the first storage area into the first to eighth registers, perform an exclusive-or operation on the data in each of the first to eighth registers and the corresponding mask, and update the exclusive-or results to the first to eighth registers;
an updating submodule, configured to update intermediate variables and perform cyclic shift operations on the intermediate variables, the data in the first to eighth registers and each mask;
an operation updating submodule, configured to operate on the first data of the first storage area, the data in the first register and the first mask, update the result to the first data of the first storage area, and so on in sequence until the eighth data of the first storage area, the data in the eighth register and the eighth mask have been operated on and the result updated to the eighth data of the first storage area;
the second generation operation submodule comprises:
a first counting unit, configured to set the initial value of a first counter to 17 as the current count value j;
a first operation unit, configured to circularly left-shift the (j-3)th data of the first sub-storage area by 15 bits and perform an exclusive-or operation on that result, the (j-16)th data and the (j-9)th data of the first sub-storage area to obtain a first operation result;
a second operation unit, configured to perform an exclusive-or operation on the first operation result, the first operation result circularly left-shifted by 15 bits and the first operation result circularly left-shifted by 23 bits to obtain a second operation result;
a third operation unit, configured to perform an exclusive-or operation on the second operation result, the (j-13)th data of the first sub-storage area circularly left-shifted by 7 bits and the (j-6)th data of the first sub-storage area to obtain the jth data, and store the jth data at the jth position of the first sub-storage area;
a fourth operation unit, configured to circularly left-shift the (j-3)th data of the second sub-storage area by 15 bits and perform an exclusive-or operation on that result, the (j-16)th data and the (j-9)th data of the second sub-storage area to obtain a third operation result;
a fifth operation unit, configured to perform an exclusive-or operation on the third operation result, the third operation result circularly left-shifted by 15 bits and the third operation result circularly left-shifted by 23 bits to obtain a fourth operation result;
a sixth operation unit, configured to perform an exclusive-or operation on the fourth operation result, the (j-13)th data of the second sub-storage area circularly left-shifted by 7 bits and the (j-6)th data of the second sub-storage area to obtain the jth data, and store the jth data at the jth position of the second sub-storage area;
a first operation judging unit, configured to add 1 to the first counter, judge whether the current count value j is smaller than a second preset value, and if so trigger the first operation unit, otherwise trigger the third generation operation submodule;
the updating submodule comprises:
a second counting unit, configured to set the initial value of a second counter to 0 as the current count value i;
a first shift calculation unit, configured to circularly left-shift the data in the first register by 12 bits to obtain a first temporary calculation result, circularly left-shift the first mask by 12 bits to obtain a second temporary calculation result, operate on the first temporary calculation result and the second temporary calculation result using a first function to obtain a first intermediate variable, and use the second temporary calculation result as the first intermediate variable in mask form;
a seventh operation unit, configured to operate on the data in the fifth register and the fifth mask using the first function, perform an arithmetic addition on the result and the first intermediate variable, update the result to the first intermediate variable, perform an arithmetic addition on the first intermediate variable in mask form and the fifth mask, and update the result to the first intermediate variable in mask form;
a second shift calculation unit, configured to shift the constant Ti left by i bits, perform an arithmetic addition on the result and the first intermediate variable, and update the result to the first intermediate variable;
a third shift calculation unit, configured to operate on the first intermediate variable and the first intermediate variable in mask form using a second function to obtain a third temporary calculation result, use the first intermediate variable in mask form as a fourth temporary calculation result, circularly shift the third temporary calculation result by 7 bits and update the result to the first intermediate variable, circularly shift the fourth temporary calculation result by 7 bits and update the result to the first intermediate variable in mask form, operate on the first intermediate variable and the first intermediate variable in mask form using the first function, and update the result to the first intermediate variable;
an eighth operation unit, configured to operate on the first intermediate variable and the first intermediate variable in mask form using the second function to obtain a second intermediate variable, use the first intermediate variable in mask form as the second intermediate variable in mask form, perform an AND operation on the second intermediate variable and the first temporary calculation result, update the result to the second intermediate variable, perform an AND operation on the second intermediate variable in mask form and the second temporary calculation result, and update the result to the second intermediate variable in mask form;
a ninth operation unit, configured to perform an AND operation on the (i+1)th data and the (i+5)th data in the first sub-storage area to obtain a fifth temporary calculation result, perform an AND operation on the (i+1)th data and the (i+5)th data in the second sub-storage area to obtain a sixth temporary calculation result, operate on the fifth temporary calculation result and the sixth temporary calculation result using the first function, update the result to a third intermediate variable, and use the sixth temporary calculation result as the third intermediate variable in mask form;
a tenth operation unit, configured to operate on the second intermediate variable and the second intermediate variable in mask form using the first function, perform an arithmetic addition on the result and the third intermediate variable, update the result to the third intermediate variable, perform an arithmetic addition on the second intermediate variable in mask form and the third intermediate variable in mask form, update the result to the third intermediate variable in mask form, operate on the data in the fourth register and the fourth mask using the first function, perform an arithmetic addition on the result and the third intermediate variable, update the result to the third intermediate variable, perform an arithmetic addition on the fourth mask and the third intermediate variable in mask form, and update the result to the third intermediate variable in mask form;
an eleventh operation unit, configured to operate on the data in the first register, the second register and the third register using a first Boolean function to obtain a seventh temporary calculation result, operate on the first mask, the second mask and the third mask using the first Boolean function to obtain an eighth temporary calculation result, operate on the seventh temporary calculation result and the eighth temporary calculation result using the first function, perform an arithmetic addition on the result and the third intermediate variable, update the result to the third intermediate variable, perform an arithmetic addition on the eighth temporary calculation result and the third intermediate variable in mask form, and update the result to the third intermediate variable in mask form;
a twelfth operation unit, configured to operate on the data in the fifth register, the sixth register and the seventh register using a second Boolean function to obtain a ninth temporary calculation result, operate on the fifth mask, the sixth mask and the seventh mask using the second Boolean function to obtain a tenth temporary calculation result, operate on the ninth temporary calculation result and the tenth temporary calculation result using the first function, use the result as a fourth intermediate variable, and use the tenth temporary calculation result as the fourth intermediate variable in mask form;
a thirteenth operation unit, configured to operate on the data in the eighth register and the eighth mask using the first function, perform an arithmetic addition on the result and the fourth intermediate variable, update the result to the fourth intermediate variable, perform an arithmetic addition on the eighth mask and the fourth intermediate variable in mask form, and update the result to the fourth intermediate variable in mask form;
a fourteenth operation unit, configured to perform an arithmetic addition on the first intermediate variable and the fourth intermediate variable, update the result to the fourth intermediate variable, perform an arithmetic addition on the first intermediate variable in mask form and the fourth intermediate variable in mask form, and update the result to the fourth intermediate variable in mask form;
a fifteenth operation unit, configured to operate on the (i+1)th data in the first sub-storage area and the (i+1)th data in the second sub-storage area using the first function, perform an arithmetic addition on the result and the fourth intermediate variable, update the result to the fourth intermediate variable, perform an arithmetic addition on the (i+1)th data in the second sub-storage area and the fourth intermediate variable in mask form, and update the result to the fourth intermediate variable in mask form;
a cyclic shift unit, configured to perform a cyclic shift operation;
a second operation judging unit, configured to add 1 to the second counter, judge whether the current count value is smaller than a third preset value, and if so trigger the first shift calculation unit, otherwise trigger the operation updating submodule.
11. The apparatus of claim 10, further comprising an initialization module to initialize the first storage area to a first preset value and initialize the second storage area to zero.
12. The apparatus of claim 10, wherein the first shift calculation unit comprises:
a first operation subunit, configured to operate on the address of the security parameter using the random number extracting function to obtain a fifth operation result, and use the fifth operation result as a first parameter;
a second operation subunit, configured to perform an AND operation on the first temporary calculation result and the first parameter to obtain a sixth operation result, and use the sixth operation result as a second parameter;
a first operation updating subunit, configured to subtract the first parameter from the second parameter to obtain a seventh operation result, and update the seventh operation result to the second parameter;
a second operation updating subunit, configured to perform an AND operation on the second parameter and the first temporary calculation result to obtain an eighth operation result, and update the eighth operation result to the second parameter;
a third operation updating subunit, configured to perform an AND operation on the first parameter and the second temporary calculation result to obtain a ninth operation result, and update the ninth operation result to the first parameter;
a third operation subunit, configured to perform an AND operation on the first temporary calculation result and the first parameter to obtain a tenth operation result, and use the tenth operation result as a third parameter;
a fourth operation updating subunit, configured to subtract the first parameter from the third parameter to obtain an eleventh operation result, and update the eleventh operation result to the third parameter;
a fourth operation subunit, configured to perform an AND operation on the third parameter and the second parameter to obtain a twelfth operation result, update the twelfth operation result to the third parameter, and use the third parameter as the first intermediate variable.
13. The apparatus of claim 12, wherein the third shift calculation unit comprises:
a fifth operation subunit, configured to operate on the address of the security parameter using the random number extracting function to obtain a thirteenth operation result, and use the thirteenth operation result as the first parameter;
a first shift subunit, configured to circularly shift the first parameter left by 1 bit to obtain a fourteenth operation result, and use the fourteenth operation result as the second parameter;
a sixth operation subunit, configured to perform an AND operation on the first parameter and the first intermediate variable in mask form to obtain a fifteenth operation result, and use the fifteenth operation result as a fifth parameter;
a seventh operation subunit, configured to perform an AND operation on the first parameter and the fifth parameter to obtain a sixteenth operation result, and use the sixteenth operation result as a fourth parameter;
an eighth operation subunit, configured to perform an AND operation on the second parameter and the first intermediate variable to obtain a seventeenth operation result, and update the seventeenth operation result to the fifth parameter;
a fifth operation updating subunit, configured to perform an AND operation on the first parameter and the fifth parameter to obtain an eighteenth operation result, and update the eighteenth operation result to the first parameter;
a sixth operation updating subunit, configured to perform an AND operation on the first parameter and the first intermediate variable in mask form to obtain a nineteenth operation result, and update the nineteenth operation result to the first parameter;
a seventh operation updating subunit, configured to perform an AND operation on the fourth parameter and the first parameter to obtain a twentieth operation result, and update the twentieth operation result to the fourth parameter;
an eighth operation updating subunit, configured to perform an AND operation on the second parameter and the first intermediate variable to obtain a twenty-first operation result, and update the twenty-first operation result to the first parameter;
a ninth operation updating subunit, configured to perform an AND operation on the fourth parameter and the first parameter to obtain a twenty-second operation result, and update the twenty-second operation result to the fourth parameter;
a first counting subunit, configured to set the initial value of a third counter to 1 as the current count value k;
a first judgment subunit, configured to judge whether the count value k is smaller than 31, and if so trigger the tenth operation updating subunit, otherwise trigger the ninth operation subunit;
a tenth operation updating subunit, configured to perform an AND operation on the second parameter and the first intermediate variable in mask form to obtain a twenty-third operation result, and update the twenty-third operation result to the first parameter;
an eleventh operation updating subunit, configured to perform an AND operation on the first parameter and the fourth parameter to obtain a twenty-fourth operation result, and update the twenty-fourth operation result to the first parameter;
a twelfth operation updating subunit, configured to perform an AND operation on the second parameter and the first intermediate variable to obtain a twenty-fifth operation result, and update the twenty-fifth operation result to the second parameter;
a thirteenth operation updating subunit, configured to perform an AND operation on the first parameter and the second parameter to obtain a twenty-sixth operation result, and update the twenty-sixth operation result to the first parameter;
a first shift updating subunit, configured to circularly shift the first parameter left by 1 bit to obtain a twenty-seventh operation result, and update the twenty-seventh operation result to the second parameter;
an operation return subunit, configured to add 1 to the third counter of the first counting subunit and trigger the first judgment subunit;
a ninth operation subunit, configured to perform an AND operation on the fifth parameter and the second parameter to obtain a twenty-eighth operation result, update the twenty-eighth operation result to the fifth parameter, and use the fifth parameter as the third temporary calculation result.
14. The apparatus of claim 13, wherein the eleventh operation unit is configured to operate on the data in the first register, the second register and the third register using the first Boolean function to obtain the seventh temporary calculation result specifically by:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive-or operation on the data in the first register, the second register and the third register to obtain the seventh temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the data in the first register and the second register, performing an AND operation on the data in the first register and the third register, and performing an AND operation on the data in the second register and the third register to obtain the seventh temporary calculation result.
15. The apparatus of claim 14, wherein the eleventh operation unit is configured to operate on the first mask, the second mask and the third mask using the first Boolean function to obtain the eighth temporary calculation result specifically by:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive-or operation on the first mask, the second mask and the third mask to obtain the eighth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an OR operation on the result of an AND operation on the first mask and the second mask, the result of an AND operation on the first mask and the third mask, and the result of an AND operation on the second mask and the third mask to obtain the eighth temporary calculation result.
16. The apparatus of claim 15, wherein the twelfth operation unit is configured to operate on the data in the fifth register, the sixth register and the seventh register using the second Boolean function to obtain the ninth temporary calculation result specifically by:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive-or operation on the data in the fifth register, the sixth register and the seventh register to obtain the ninth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the data in the fifth register and the data in the sixth register; performing a NOT operation on the data in the fifth register and an AND operation on that result and the data in the seventh register; and performing an OR operation on the two results to obtain the ninth temporary calculation result.
17. The apparatus of claim 16, wherein the twelfth operation unit is configured to operate on the fifth mask, the sixth mask and the seventh mask using the second Boolean function to obtain the tenth temporary calculation result specifically by:
when the count value i is greater than or equal to 0 and less than or equal to 15, performing an exclusive-or operation on the fifth mask, the sixth mask and the seventh mask to obtain the tenth temporary calculation result;
when the count value i is greater than or equal to 16 and less than or equal to 63, performing an AND operation on the fifth mask and the sixth mask; performing a NOT operation on the fifth mask and an AND operation on that result and the seventh mask; and performing an OR operation on the two results to obtain the tenth temporary calculation result.
18. The apparatus of claim 17, wherein the cyclic shift unit specifically comprises:
a first cyclic shift subunit, configured to update the data in the third register to the fourth register, left-shift the data in the second register by 9 bits and update the result to the third register, update the data in the first register to the second register, use the third mask as the fourth mask, left-shift the second mask by 9 bits and use the result as the third mask, and use the first mask as the second mask;
a tenth operation subunit, configured to operate on the third intermediate variable and the third intermediate variable in mask form using the second function, update the result to the first register, and use the third intermediate variable in mask form as the first mask;
a second cyclic shift subunit, configured to update the data in the seventh register to the eighth register, left-shift the data in the sixth register by 19 bits and update the result to the seventh register, update the data in the fifth register to the sixth register, use the seventh mask as the eighth mask, left-shift the sixth mask by 19 bits and use the result as the seventh mask, and use the fifth mask as the sixth mask;
a third cyclic shift subunit, configured to operate on the fourth intermediate variable and the fourth intermediate variable in mask form using the second function to obtain a twenty-ninth operation result, perform an exclusive-or operation on the twenty-ninth operation result, the twenty-ninth operation result circularly left-shifted by 9 bits and the twenty-ninth operation result circularly left-shifted by 17 bits, and update the result to the fifth register; and perform an exclusive-or operation on the fourth intermediate variable in mask form, the fourth intermediate variable in mask form circularly left-shifted by 9 bits and the fourth intermediate variable in mask form circularly left-shifted by 17 bits, and update the result to the fifth mask.
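The second generation operation submodule of claim 10 (message expansion over both sub-storage areas) and the third cyclic shift subunit of claim 18 (the rotate-and-exclusive-or step applied to the fourth intermediate variable and to its mask) use only exclusive-or and rotations, so the same recurrence run over the masked words and over the masks keeps the Boolean masking intact. The Python below is an added example, not code from the patent or its assignee; it assumes the sub-storage areas are 68 32-bit words indexed from 0, that the "first function" combining a masked word with its mask is exclusive-or, and that the rotation amounts are those of the SM3 hash function (whose "abc" test vector is used as constructed input).

```python
"""Masked message expansion and P0 step mirroring claims 10 and 18.

Added example, not the patent's code.  Assumptions: storage areas are
68 32-bit words indexed from 0 (the claims count from 1), the "first
function" is exclusive-or, and the shift amounts 15/23, 7 and 9/17 are
SM3's.  Every step is XOR or a rotation, both linear over GF(2), so
running one recurrence on the masked words and the same recurrence on
the masks preserves masked[j] ^ masks[j] == W[j] for all 68 words.
"""
import os

MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """32-bit circular left shift (the claims' 'circularly left-shift')."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def p1(x: int) -> int:
    """Second/fifth operation unit: x ^ (x <<< 15) ^ (x <<< 23)."""
    return x ^ rotl(x, 15) ^ rotl(x, 23)


def p0(x: int) -> int:
    """Third cyclic shift subunit: x ^ (x <<< 9) ^ (x <<< 17)."""
    return x ^ rotl(x, 9) ^ rotl(x, 17)


def expand_area(area: list) -> list:
    """Run the j-th word recurrence (units 1-3 on the first area, or
    units 4-6 on the second) in place.  Claims use j = 17..68; here 16..67."""
    assert len(area) == 68
    for j in range(16, 68):
        # first/fourth operation unit: (W[j-3] <<< 15) ^ W[j-16] ^ W[j-9]
        t = rotl(area[j - 3], 15) ^ area[j - 16] ^ area[j - 9]
        # second+third (fifth+sixth) operation units
        area[j] = p1(t) ^ rotl(area[j - 13], 7) ^ area[j - 6]
    return area


def masked_expand(block: list, rng=os.urandom):
    """First and second generation operation submodules: XOR each of the
    16 block words with a fresh random word, then expand both areas.
    Returns (first sub-storage area, second sub-storage area)."""
    assert len(block) == 16
    masks = [int.from_bytes(rng(4), "big") for _ in range(16)] + [0] * 52
    masked = [w ^ m for w, m in zip(block, masks)] + [0] * 52
    return expand_area(masked), expand_area(masks)


def plain_expand(block: list) -> list:
    """Unmasked reference expansion, used only to check the invariant."""
    return expand_area(list(block) + [0] * 52)


def unmask(masked: list, masks: list) -> list:
    return [a ^ b for a, b in zip(masked, masks)]


def masked_p0(tt2_masked: int, tt2_mask: int):
    """Third cyclic shift subunit: P0 on the masked fourth intermediate
    variable and on its mask; returns (new fifth register, new fifth mask)."""
    return p0(tt2_masked), p0(tt2_mask)


def abc_block() -> list:
    """Constructed input: the single padded 512-bit block of the message 'abc'."""
    return [0x61626380] + [0] * 14 + [0x18]


if __name__ == "__main__":
    block = abc_block()
    masked, masks = masked_expand(block)
    assert unmask(masked, masks) == plain_expand(block)
    r, m = masked_p0(masked[16], masks[16])
    assert r ^ m == p0(plain_expand(block)[16])
    print("masked expansion and P0 consistent with the unmasked computation")
```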
Application CN201911301787.4A, priority date 2019-12-17, filing date 2019-12-17: Method and device for preventing differential power analysis attack in chip (Active, CN111159784B).
Publications (2)

Publication Number Publication Date
CN111159784A CN111159784A (en) 2020-05-15
CN111159784B true CN111159784B (en) 2022-02-01

Family

ID=70557545

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911301787.4A Active CN111159784B (en) 2019-12-17 2019-12-17 Method and device for preventing differential power analysis attack in chip

Country Status (1)

Country Link
CN (1) CN111159784B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078746A (en) * 2013-02-07 2013-05-01 飞天诚信科技股份有限公司 Generation method for data packet
CN103593299A (en) * 2013-11-12 2014-02-19 飞天诚信科技股份有限公司 Data processing method for saving memory space
CN104603755A (en) * 2012-09-28 2015-05-06 英特尔公司 Loop vectorization methods and apparatus
CN105007490A (en) * 2015-08-03 2015-10-28 深圳市哈工大交通电子技术有限公司 OmapL138-chip-based Jpeg compression algorithm
CN106603222A (en) * 2016-09-27 2017-04-26 江冠成 System used for realizing SM3 hash algorithm and SM3 hash algorithm realizing method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5037952B2 (en) * 2007-01-15 2012-10-03 株式会社日立製作所 Storage system and storage system control method


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
On-Chip Cube-Based Constrained-Random Stimuli Generation for Post-Silicon Validation; Xiaobing Shi et al.; published online: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7275125; 2015-09-24; pp. 1-14 *
Research and implementation of an image data compression technique for driver chips; Qi Yanqin et al.; Integrated Circuit Applications; 2018-08-29 (No. 4); pp. 1-5 *
A test data encoding compression method that stores irrational numbers as integers; Zhan Wenfa et al.; Digital Design and Manufacturing; 2016-09-13; Vol. 28 (No. 9); pp. 1-8 *

Also Published As

Publication number Publication date
CN111159784A (en) 2020-05-15

Similar Documents

Publication Publication Date Title
CN102638341B (en) Device and method for calculating the result of a scalar multiplication
US11362802B2 (en) Cryptographic device arranged to compute a target block cipher
CN107111966B (en) Method for testing and reinforcing software application
JP4668931B2 (en) Encryption processor with tamper resistance against power analysis attacks
CN109791517B (en) Protecting parallel multiplication operations from external monitoring attacks
US10263768B2 (en) Protection of a calculation against side-channel attacks
JP7076482B2 (en) Method for securing a cryptographic process using an S-box against higher-order side-channel attacks
WO2007116262A1 (en) Protection against side channel attacks
CN106487498B (en) Verification of the resistance of an electronic circuit to side-channel attacks
CN1989726A (en) Method and device for executing cryptographic calculation
JP2001337599A (en) Scalar-fold calculating method and device for elliptic curve cipher, and storage medium
US20060193471A1 (en) Encryption method and system
CN108242994A (en) Key processing method and apparatus
CN111159784B (en) Method and device for preventing differential power analysis attack in chip
US9780946B2 (en) Elliptic curve encryption method comprising an error detection
JP2009505148A (en) Circuit arrangement and method for performing inversion operation in encryption operation
CN107534550B (en) Cryptographic apparatus, cryptographic method, computing apparatus, and computer-readable storage medium
CN108370311A (en) Computing device and method
JP2006054568A (en) Encryption apparatus, decryption apparatus and method, and computer program
Bucci et al. Testing power-analysis attack susceptibility in register-transfer level designs
JP5233473B2 (en) Cryptographic processing device
CN113965324B (en) Private key recovery method and system implementing a template-based modular reduction attack on RSA-CRT
EP3975470A1 (en) Method for securing an execution of an algorithm of a cryptographic process
EP4343537A1 (en) Method for securing an operation using a private key against side-channel attacks
Alpirez Bock SCA resistant implementation of the Montgomery kP-algorithm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant