CN111339577B - Construction method of S box with excellent DPA resistance - Google Patents
- Publication number
- CN111339577B
- Authority
- CN
- China
- Prior art keywords
- box
- value
- input
- loss function
- elements
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/75—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
- G06F21/755—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/727—Modulo N arithmetic, with N being either (2**n)-1,2**n or (2**n)+1, e.g. mod 3, mod 4 or mod 5
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
Abstract
The invention discloses a method for constructing an S-box with excellent DPA resistance, in the technical field of information security. The method can produce an S-box with excellent DPA resistance and can also be used to improve the DPA resistance of an existing S-box, while retaining other important cryptographic properties such as nonlinearity, algebraic degree, differential uniformity and absolute indicator. By comparison, the S-box obtained by the method has DPA resistance clearly superior to that of the existing practical S-box while its other important cryptographic properties are the same, so it has stronger security and practicability.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a construction method of an S box with excellent DPA resistance.
Background
The S-box is the only nonlinear component in a block cipher, and its cryptographic properties directly affect the security of the cipher system. The S-box therefore plays a very important role in symmetric cryptography. Defence against the various attacks starts with constructing an S-box with good cryptographic properties, such as nonlinearity, differential uniformity, algebraic degree and absolute indicator. A sufficiently secure S-box should have high nonlinearity, an algebraic degree that is not low, low differential uniformity, a low absolute indicator, and so on.
In 1996, the side-channel attack proposed by Kocher posed a serious threat to the security of physical cryptographic devices. Among the types of side-channel attack, Differential Power Analysis (DPA) is one of the most effective. Compared with traditional attacks such as linear, algebraic and differential attacks, it is very efficient: it can extract key information from very little physical information and thereby successfully attack an encryption system. This applies in particular to the widely used AES, whose S-box has very poor resistance to DPA attacks. Many researchers have therefore been exploring in recent years how to construct an S-box with excellent DPA resistance, so as to increase the DPA resistance of the relevant cryptographic device at small cost. The transparency order is a cryptographic property that has proven in practice to be an effective measure of an S-box's resistance to DPA. Recent studies have focused on obtaining S-boxes whose DPA resistance is greatly improved over AES. However, important cryptographic properties of the S-boxes obtained by these techniques, such as nonlinearity, differential uniformity and absolute indicator, cannot satisfy the requirements of security and practicability.
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defects of the prior art and provide a method for constructing an S-box with excellent DPA resistance whose other important cryptographic properties, such as nonlinearity, differential uniformity, algebraic degree and absolute indicator, also meet the requirements of security and practicability.
The invention adopts the following technical scheme for solving the technical problems:
According to the invention, the construction method of the S-box with excellent DPA resistance comprises the following steps:
step 1, an n-bit-input, balanced S-box F is given as the initial input of an iterative construction process, and the S-box F is put into a set SF; the iterative construction process is step 2 to step 7;
step 2, a candidate pool is generated from the truth table of the input S-box F, the candidate pool containing all bit positions that can be inverted;
step 3, b elements, i.e. b bit positions, are taken out of the candidate pool; a bit inversion operation is then performed on these b bit positions of the S-box to generate a new S-box;
the b elements taken out must meet the following requirements: 1) $b = 2k$, $k = 1, 2, \dots, 2^{n-1}$; 2) they belong to the same component function of the S-box; 3) the Hamming weight of the vector composed of the bits corresponding to the b elements is 2b-1;
step 4, the process of step 3 is repeated until the candidate pool is emptied, generating all new S-boxes associated with F;
step 5, the value of the loss function of each newly generated S-box is calculated, and the S-box and its loss function value are put into a list L;
step 6, it is judged whether the list L is empty; if so, the value of b is increased, with b still meeting requirements 1), 2) and 3) of step 3, and steps 3 to 5 are executed; if L is not empty, the S-box with the minimum loss function value is selected from the list L;
step 7, it is judged whether the S-box selected in step 6 exists in the set SF:
if yes, the S-box and its loss function value are deleted from the list L, and step 6 is executed;
if not, it is judged whether the S-box meets the preset security requirements: if yes, the S-box is output and the iterative construction process terminates; if not, the S-box is put into the set SF and used as the input S-box of the next iteration, i.e. as the input S-box in step 2, and steps 2 to 7 are performed.
As a further optimization of the construction method of an S-box with excellent DPA resistance according to the present invention, the loss function in step 5 is:
where n is the number of input bits of the S-box; is an n-dimensional vector space over the binary field; is a non-zero n-dimensional vector space over the binary field; $W_F(c, b)$ is the Walsh spectrum value of the S-box with respect to the vectors c, b; b, β are n-dimensional vectors over the binary field; c, α are non-zero n-dimensional vectors over the binary field; R is a constant; $\sigma(\alpha, \beta)$ is the difference spectrum value of the S-box with respect to the vectors α, β; $N_4(\sigma(\alpha, \beta))$ is a function that determines whether $\sigma(\alpha, \beta)$ is greater than 4; and $\tau_F$ is the transparency order of the S-box.
As a further optimization of the construction method of an S-box with excellent DPA resistance according to the present invention, the preset security requirements in step 7 are: the nonlinearity of the S-box is 112, the algebraic degree is greater than 3, the differential uniformity is 4, the absolute indicator is 32, and the transparency order is less than 6.9160.
As a further optimization scheme of the construction method of the S box with excellent DPA resistance, R is set to be 2-5.
Compared with the prior art, the invention adopting the technical scheme has the following technical effects:
(1) the method can generate an S-box with excellent DPA resistance, very high nonlinearity, low differential uniformity, a low absolute indicator and a high algebraic degree; compared with prior-art schemes, the constructed S-box has stronger security and practicability;
(2) the invention can improve the DPA resistance of an existing S-box while retaining other important cryptographic properties such as nonlinearity, differential uniformity, algebraic degree and absolute indicator; the S-box of the invention is sufficiently resistant to other attacks, so it offers the higher security needed to meet practical requirements.
Drawings
FIG. 1 is a process of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a process of the present invention, which is specifically embodied as follows:
step 1, an n-bit input and balanced S box F is given as an initial input of an iterative construction process and is put into a set SF. The iterative construction process is step 2-7:
step 2, according to the truth table of the input S-box F, all bit positions of the S-box are added to a candidate pool PF; the pool contains all bit positions that can be inverted, $n \times 2^n$ elements in total.
Step 3, b elements, i.e. bit positions, are taken out of the candidate pool. The b elements taken out must meet the requirements: 1) $b = 2k$, $k = 1, 2, \dots, 2^{n-1}$. 2) They belong to the same component function of the S-box. 3) The Hamming weight of the vector composed of the bits corresponding to the b elements is 2b-1. The bit inversion operation is then performed at these b positions of the S-box, generating a new S-box F'.
Step 4, repeat the process of step 3 until all elements in the candidate pool are emptied, generating all S-boxes F' associated with F.
Step 5, the value CF of the loss function of each newly generated S-box F' is calculated, and the S-box F' and the corresponding loss function value CF are put into the list L. The loss function used for the calculation is:
where n represents the number of input bits of S-box F; is an n-dimensional vector space over the binary field; is a non-zero n-dimensional vector space over the binary field; and R is a constant, set to 2-5.
$W_F(c, b)$ is the Walsh spectrum value of the S-box with respect to the vectors c, b, defined as:
where $x = (x_1, x_2, \dots, x_n)$ and $b = (b_1, b_2, \dots, b_n)$ are n-dimensional vectors over the binary field, "·" is the inner product, i.e. $x \cdot b = x_1 b_1 \oplus x_2 b_2 \oplus \dots \oplus x_n b_n$, and $\oplus$ is addition over the binary field, i.e. modulo-2 addition.
$N_4(\sigma(\alpha, \beta))$ is a judgment function that determines whether the difference spectrum value $\sigma(\alpha, \beta)$ of the S-box with respect to the n-dimensional vectors α, β over the binary field is greater than 4; it returns 1 if the value is greater than 4 and 0 otherwise. $\sigma(\alpha, \beta)$ is defined as:
where # denotes the number of elements of a set.
$\tau_F$ is the transparency order of S-box F, defined as:
where max denotes the maximum, $\beta = (\beta_0, \beta_1, \dots, \beta_n)$ is an n-dimensional vector over the binary field, $F = (f_1, f_2, \dots, f_n)$, $f_i(x)$ and $f_j(x)$ are component functions of S-box F, and $\beta_i$, $\beta_j$ are the bits at positions i and j of the vector β, where $0 \le i, j \le n$.
For a given S-box F, the loss function designed above is calculated; the smaller the value, the higher the nonlinearity, the lower the differential uniformity, the smaller the absolute indicator, the lower the transparency order and the higher the DPA resistance of the S-box. The S-box can therefore resist DPA, linear, algebraic and differential attacks, among others, improving the security and practicability of the relevant equipment.
Step 6, it is judged whether the list L is empty; if so, the value of b is increased, with b still meeting requirements 1), 2) and 3) of step 3, and the iterative construction process is restarted from step 3. If L is not empty, the S-box with the minimum loss function value is selected from the list L;
Step 7, it is judged whether the S-box selected in step 6 exists in the set SF. If yes, the S-box and its loss function value are deleted from the list L, and step 6 is repeated; if not, it is judged whether the S-box meets the security requirements designed in advance. The specific steps are as follows:
the nonlinearity, transparency order, differential uniformity, algebraic degree, absolute indicator and other properties of the S-box are calculated and checked against the requirements that the nonlinearity is equal to 112, the transparency order is less than 6.9160, the algebraic degree is greater than 3, the differential uniformity is equal to 4, and the absolute indicator is equal to 32. The specific calculation process is as follows:
if yes, outputting the S box, and terminating the iterative construction process. If not, the S box is put into the set SF and is used as an input S box of the next iteration construction process, and the iteration construction process is repeated, namely the steps 2-7.
The cryptographic properties of the S-box of the present invention and of the AES S-box are shown in Table 1.
TABLE 1
S-box | Nonlinearity | Algebraic degree | Differential uniformity | Absolute indicator | Transparency order |
---|---|---|---|---|---|
The method of the invention | 112 | 7 | 4 | 32 | 6.8930 |
AES S box | 112 | 7 | 4 | 32 | 6.9160 |
The method of the invention constructs the S box as follows: [65,158,207,138,121,103,233,69,72,60,88,51,244, 215,34,37,164,28,30,78,129,172,77,153,56,122,95,235,17,251,18,200,82,71, 14,66,180,15,86,39,232,64,203,214,166,97,204,202,156,234,189,11,197,175, 218,245,24,136,196,253,9,128,100,239,41,165,35,93,114,7,127,33,8,90,160, 135,171,22,19,188,116,254,32,89,249,229,38,107,10,83,73,176,230,67,101, 26,206,45,117,194,62,94,212,5,146,226,205,87,109,108,250,237,140,185,68, 184,80,98,223,126,167,4,25,192,178,221,119,70,61,20,243,210,145,177,174, 75,57,157,3,154,112,191,247,144,143,132,104,173,208,151,195,149,213,23, 139,181,48,137,1,222,74,186,228,255,16,65,44,120,252,179,242,76,21,147, 134,53,91,133,124,169,36,155,216,219,115,113,161,190,79,50,187,141,123, 231,99,150,58,52,225,238,31,209,47,42,46,106,96,2,148,201,131,241,102, 152,43,13,182,248,54,183,227,125,159,118,246,198,105,220,162,85,92,193, 40,6,49,27,240,111,199,63,236,211,170,130,12,55,224,142,217,84,110,29, 168,59,16,163]
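The b = 2 bit flips of steps 2-3 and part of the step 7 property check, as an added Python example that is not code from the patent: it rebuilds the AES S-box, computes nonlinearity, differential uniformity, the number of difference-spectrum entries above 4 and the absolute indicator, and enumerates the b = 2 neighbours. It assumes requirement 3) means half of the flipped bits are 1 so that the coordinate function stays balanced; all function names are the example's own, and algebraic degree and transparency order are not computed.

```python
"""Added example: S-box property checks and the b = 2 bit-flip neighbourhood."""

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox():
    """Rebuild the AES S-box: field inverse (x^254, 0 -> 0), then the affine map."""
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):
            inv = gf_mul(inv, x)
        y = inv
        for k in range(1, 5):
            y ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(y ^ 0x63)
    return box

def fwht(vec):
    """Walsh-Hadamard transform: out[u] = sum over v of vec[v] * (-1)^(u.v)."""
    w, h = list(vec), 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def ddt_row(sbox, alpha):
    """sigma(alpha, beta) for every beta: #{x : F(x) ^ F(x ^ alpha) == beta}."""
    row = [0] * len(sbox)
    for x, y in enumerate(sbox):
        row[y ^ sbox[x ^ alpha]] += 1
    return row

def properties(sbox):
    """Properties derived from the Walsh spectrum W_F(c, b) and sigma(alpha, beta)."""
    size = len(sbox)
    walsh_peak = max(
        abs(v)
        for c in range(1, size)  # non-zero output masks c
        for v in fwht([1 - 2 * (bin(c & y).count("1") & 1) for y in sbox])
    )
    rows = [ddt_row(sbox, a) for a in range(1, size)]  # non-zero alpha only
    return {
        "nonlinearity": size // 2 - walsh_peak // 2,
        "differential_uniformity": max(max(r) for r in rows),
        "entries_above_4": sum(v > 4 for r in rows for v in r),  # sum of N_4
        # autocorrelation of c.F at shift alpha is the transform of the sigma row
        "absolute_indicator": max(abs(v) for r in rows for v in fwht(r)[1:]),
    }

def neighbours_b2(sbox, n):
    """Steps 2-3 with b = 2: flip one 0 and one 1 of the same coordinate function."""
    for bit in range(n):
        mask = 1 << bit
        zeros = [x for x, y in enumerate(sbox) if not y & mask]
        ones = [x for x, y in enumerate(sbox) if y & mask]
        for x0 in zeros:
            for x1 in ones:
                cand = list(sbox)
                cand[x0] ^= mask
                cand[x1] ^= mask
                yield cand

def neighbourhood_stats(sbox, n):
    """Return (number of b = 2 neighbours, how many of them are still permutations)."""
    total = bijective = 0
    for cand in neighbours_b2(sbox, n):
        total += 1
        bijective += len(set(cand)) == len(cand)
    return total, bijective

if __name__ == "__main__":
    F = aes_sbox()
    print(properties(F))              # compare with the AES row of Table 1
    print(neighbourhood_stats(F, 8))  # candidates one step 3 pass would have to score
```

Keeping one coordinate function balanced does not by itself keep the whole S-box a permutation, so a search built this way should check bijectivity of each candidate explicitly before scoring it.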
The above embodiments are only for illustrating that the present invention aims to improve DPA resistance of S-boxes, and do not limit the present invention to take only the above parameter values and parameter forms, and it is obvious to those skilled in the art that the present invention can be changed in various forms without departing from the spirit of the present invention, so the protection scope of the present invention is not limited to the above embodiments. Any modifications, equivalents, improvements and the like which come within the spirit of the invention are intended to be included within the scope of the claims.
Claims (3)
1. A method of constructing an S-box with excellent DPA resistance, comprising the following steps:
step 1, giving an n-bit input and balanced S box F, wherein the S box F is used as an initial input of an iterative construction process, and the S box F is put into a set SF; the iterative construction process is step 2-step 7;
step 2, generating a candidate pool according to the input truth table of the S box F, wherein the candidate pool comprises all bit positions capable of being reversed;
step 3, b elements are taken out from the candidate pool, and the b elements are b bit positions; then, carrying out bit inversion operation on the b bit positions of the S box to generate a new S box;
the b elements taken out need to meet the following requirements: 1) $b = 2k$, $k = 1, 2, \dots, 2^{n-1}$; 2) they belong to the same component function of the S-box; 3) the Hamming weight of the vector composed of the bits corresponding to the b elements is 2b-1;
Step 4, repeating the process of step 3 until the elements in the candidate pool are emptied, and generating all new S boxes associated with the F;
step 5, calculating the value of the loss function of each newly generated S box, and putting the S box and the corresponding value of the loss function into a list L;
step 6, judging whether the list L is empty, if so, increasing the value of b, and simultaneously b meets the requirements 1), 2) and 3) in the step 3, and executing the step 3 to the step 5; if L is not empty, selecting an S box with the minimum loss function value from the list L;
step 7, judging whether the S box selected in the step 6 exists in the set SF:
if yes, deleting the S box and the corresponding loss function value from the list L, and executing the step 6;
if not, judging whether the S box meets the preset safety requirement: if yes, outputting the S box, and terminating the iterative construction process; if not, putting the S box into the set SF, and taking the S box as an input S box of the next iteration construction process, namely taking the S box as the input S box in the step 2; and executing the step 2 to the step 7;
the loss function in step 5 is:
where n is the number of input bits of the S-box; is an n-dimensional vector space over the binary field; is a non-zero n-dimensional vector space over the binary field; $W_F(c, b)$ is the Walsh spectrum value of the S-box with respect to the vectors c, b; b, β are n-dimensional vectors over the binary field; c, α are non-zero n-dimensional vectors over the binary field; R is a constant; $\sigma(\alpha, \beta)$ is the difference spectrum value of the S-box with respect to the vectors α, β; $N_4(\sigma(\alpha, \beta))$ is a function that determines whether $\sigma(\alpha, \beta)$ is greater than 4; and $\tau_F$ is the transparency order of the S-box.
2. The method of claim 1, wherein the security requirements preset in step 7 are: the nonlinearity of the S-box is 112, the algebraic degree is greater than 3, the differential uniformity is 4, the absolute indicator is 32, and the transparency order is less than 6.9160.
3. The method of claim 1, wherein R is set to 2-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010088063.2A CN111339577B (en) | 2020-02-12 | 2020-02-12 | Construction method of S box with excellent DPA resistance |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010088063.2A CN111339577B (en) | 2020-02-12 | 2020-02-12 | Construction method of S box with excellent DPA resistance |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111339577A (en) | 2020-06-26 |
CN111339577B (en) | 2022-06-07 |
Family
ID=71181504
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010088063.2A Active CN111339577B (en) | 2020-02-12 | 2020-02-12 | Construction method of S box with excellent DPA resistance |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111339577B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112636899B (en) * | 2020-09-21 | 2022-03-18 | 中国电子科技集团公司第三十研究所 | Lightweight S box design method |
CN112511293B (en) * | 2020-09-21 | 2022-03-18 | 中国电子科技集团公司第三十研究所 | S-box parameterization design method based on bit sum operation and storage medium |
CN114124351B (en) * | 2021-11-15 | 2023-06-27 | 中国电子科技集团公司第三十研究所 | Rapid calculation method of nonlinear invariant |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB0211812D0 (en) * | 2002-05-23 | 2002-07-03 | Koninkl Philips Electronics Nv | S-box encryption in block cipher implementations |
JP2006019872A (en) * | 2004-06-30 | 2006-01-19 | Sony Corp | Encryption processing apparatus |
CN101729241B (en) * | 2008-10-23 | 2012-01-25 | 国民技术股份有限公司 | AES encryption method for resisting differential power attacks |
CN101848081A (en) * | 2010-06-11 | 2010-09-29 | 中国科学院软件研究所 | S box and construction method thereof |
US8971526B2 (en) * | 2011-07-26 | 2015-03-03 | Crocus-Technology Sa | Method of counter-measuring against side-channel attacks |
CN102546157B (en) * | 2011-12-14 | 2014-06-18 | 北京航空航天大学 | Random mixed encryption system for resisting energy analysis and implementation method thereof |
CN102571331A (en) * | 2012-02-07 | 2012-07-11 | 中国科学院软件研究所 | Cryptographic algorithm realization protecting method used for defending energy analysis attacks |
CN103888245A (en) * | 2012-12-20 | 2014-06-25 | 北京握奇数据系统有限公司 | S box randomized method and system for smart card |
CN103647637B (en) * | 2013-11-19 | 2017-01-04 | 国家密码管理局商用密码检测中心 | A kind of SM4 algorithm to simple mask carries out second order side channel energy and analyzes method |
MY162666A (en) * | 2013-12-04 | 2017-06-30 | Mimos Berhad | A method to construct bijective substitution box from non-permutation power functions using heuristic techniques |
CN106788974B (en) * | 2016-12-22 | 2020-04-28 | 深圳国微技术有限公司 | Mask S box, grouping key calculation unit, device and corresponding construction method |
CN107204841B (en) * | 2017-03-14 | 2020-01-07 | 中国人民武装警察部队工程大学 | Method for realizing multiple S boxes of block cipher for resisting differential power attack |
AU2018101651A4 (en) * | 2018-11-03 | 2018-12-20 | JAIN (Deemed-to-be-University) | An apparatus and method based on dynamic key dependent S-Box for Symmetric Encryption in wireless networks using symmetric ciphers. |
CN109525384A (en) * | 2018-11-16 | 2019-03-26 | 成都信息工程大学 | The DPA attack method and system, terminal being fitted using neural network |
CN109921899B (en) * | 2019-04-18 | 2019-11-19 | 衡阳师范学院 | A kind of S box implementation method of complete snowslide 4 × 4 |
Also Published As
Publication number | Publication date |
---|---|
CN111339577A (en) | 2020-06-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |