CN112235259B - Clock-free password chip fault injection attack detection and protection system and method - Google Patents

Publication number: CN112235259B
Other versions: CN112235259A
Authority: CN (China)
Application number: CN202011026317.4A
Other languages: Chinese (zh)
Inventors: 罗芳, 欧庆于, 周大伟
Current and original assignee: Naval University of Engineering PLA
Legal status: Expired - Fee Related

Classifications

    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention provides a clock-free cryptographic chip fault injection attack detection and protection system, which comprises a synchronization module, a synchronous self-feedback randomizing tower register, a propagation delay matching module and an illegal data detection and clearing module.

Description

Clock-free password chip fault injection attack detection and protection system and method
Technical Field
The invention relates to the technical field of designing cryptographic chips that resist fault injection attacks, and in particular to a clock-free cryptographic chip fault injection attack detection and protection system and method.
Background Art
Traditionally, the security of a cryptographic chip depends on the complexity of the cryptographic algorithm, the authentication method and the security protocol used, and security analysis of cryptographic chips has usually focused on these aspects. However, in a cryptographic chip implementation, the cryptographic algorithm and the related protocols must be implemented in software or hardware on a specific physical device, and that device inevitably interacts with its environment. An attacker can actively induce and observe such interactions and thereby obtain information that facilitates cryptanalysis. In a broad sense, such information may be called "physical leakage information" (including physical signal leakage associated with intermediate value computation and erroneous output after the normal operation of the circuit is disturbed); all attacks based on this generalized concept of "physical leakage information" can be called "physical attacks" (including non-invasive attacks such as power analysis attacks and electromagnetic analysis attacks, and invasive attacks such as fault attacks).
Among the attack methods based on physical leakage information, a fault attack can be actively planned by the attacker, and the faulty output effectively reveals data correlations, which increases the chances of successfully guessing sensitive information such as a key. In addition, combining fault attacks with side-channel attack methods (such as power analysis attacks) can break through various existing side-channel protection schemes, posing a serious threat to the security of cryptographic applications.
In view of the serious threat posed by fault attacks, in October 2011 the National Institute of Standards and Technology (NIST) issued the FIPS 140-3 version of the cryptographic chip security standard, in which fault attacks were explicitly addressed for the first time, in "Section 4.6 Physical Security"; in the newly published ISO/IEC 19790 Information technology-Security technologies-Security requirements for cryptographic modules and GB/T37092-.
For fault attack protection, the methods commonly used at present are a reverse-check design method based on redundancy and a defense scheme based on fault detection codes. The redundancy-based reverse-check design method greatly increases the manufacturing cost of the chip and reduces the efficiency of cryptographic operations; the defense scheme based on fault detection codes has limited fault coverage, so its protective effect is hard to guarantee. A cryptographic chip fault injection attack detection and protection structure that is compatible with existing chip design methods and manufacturing processes and offers a high fault detection rate and high reliability is therefore of great practical significance for protecting sensitive data such as keys.
Disclosure of Invention
The invention aims to provide a clock-free cryptographic chip fault injection attack detection and protection system and method. Considering the threats a cryptographic chip may face in a complex, high-risk environment, it constructs a circuit-level clock-free fault attack detection and protection structure by combining inter-rail signal synchronization, propagation delay matching, illegal code detection, self-feedback and similar means. The structure achieves effective fault detection at low cost, suppresses and blocks the propagation of various faults, and can be conveniently extended to the automated synthesis flow of chip design.
The system comprises a synchronization module, a synchronous self-feedback randomizing tower register, a propagation delay matching module, an illegal data detection and clearing module and a self-feedback module. The synchronization module synchronizes plaintext input data, ciphertext input data or intermediate-state data of the cryptographic operation in the time dimension and passes the synchronized data to the cipher round operation module, which performs the block cipher round transformation. At the same time, the synchronization control signal SYN_input of the synchronization module is set to 1 and input to the propagation delay matching module. By delaying SYN_input, the propagation delay matching module matches the maximum propagation delay path of the cipher round operation module, which ensures that when the propagation delay matching module output signal SYN_tr transitions from 0 to 1, every dual-rail data line at the output of the cipher round operation module has already produced its normal output;
when the cipher round operation module produces a positive transient or steady-state fault that propagates ahead of the normal data, then, because the propagation delay matching module delays the synchronization control signal SYN_input, the illegal data detection signal SYN_illegal of the illegal data detection and clearing module becomes active before the propagation delay matching module output signal SYN_tr. The input enable signal SYN_O of the synchronous self-feedback randomizing tower register, which is output by the self-feedback module 1.6, therefore stays low, preventing the current cipher round operation module from outputting the current round's transformation state data to the synchronous self-feedback randomizing tower register. The input enable signal SYN_O is the logical AND of SYN_illegal, SYN_tr and the self-feedback signals output by each stage of the synchronous self-feedback randomizing tower register. The illegal data detection and clearing module also sets the reset signal Reset_i to 1 and clears the cipher round operation module with a NULL wavefront.
The invention takes full account of the fault attack scenarios a cryptographic chip may face in a complex, high-risk environment and establishes a multilayer, multistage fault detection and response mechanism. When the cryptographic chip suffers fault injection, it detects illegal data in time, starts the clearing operation, effectively blocks the fault propagation path, prevents faulty cryptographic results from being output, and protects sensitive data such as the secret key. Compared with the existing redundancy-based reverse-check design method and the defense scheme based on fault detection codes, it has the following advantages:
The synchronous self-feedback randomizing tower register designed by the invention effectively monitors both steady-state and transient faults and keeps a high detection rate whether the propagation phase difference between fault data and normal data is negative, zero or positive, thereby blocking fault propagation and providing a clearly higher level of protection.
The fault detection network and the random path switching module designed by the invention detect fault behaviour even when the data temporarily stored in the synchronous self-feedback randomizing tower register has been tampered with, clear the data in the tower with a NULL wavefront and input the data again, which gives a clear advantage in reliability.
Drawings
FIG. 1 is a general functional block diagram of the present invention;
FIG. 2 is a block diagram of the synchronous self-feedback randomizing tower register according to the present invention;
FIG. 3 is a block diagram of a random path switching module according to the present invention;
Reference numerals: 1.1 synchronization module; 1.2 synchronous self-feedback randomizing tower register; 1.3 propagation delay matching module; 1.4 illegal data detection and clearing module; 1.5 cipher round operation module; 1.6 self-feedback module; 2.1 fault detection network; 2.2 zero-level ring register; 2.3 first-level ring register; 2.4 second-level ring register; 2.5 random path switching module; 3.1 illegal dual-rail data detection module; 3.2 true random number generator; 3.3 path selection module.
In FIG. 1, S_{r_0}^0, S_{r_0}^1, S_{r_n}^0, S_{r_n}^1 denote the dual-rail data of bit 0 and bit n of the input data of the current (r-th) cipher round operation; K_{r_0}^0, K_{r_0}^1, K_{r_n}^0, K_{r_n}^1 denote the dual-rail data of bit 0 and bit n of the round key input to the current cipher round operation; C_{r_0}^0, C_{r_0}^1, C_{r_n}^0, C_{r_n}^1 denote the dual-rail data of bit 0 and bit n of the result data of the current cipher round operation; Ki_0, Ki_1 are inter-round handshake signals;
in FIG. 2, C_{r_i}^0, C_{r_i}^1 are the dual-rail data of bit i of the result data of the current cipher round operation; SYN_feed^i (0 ≤ i ≤ n) is the self-feedback signal output by each stage of the synchronous self-feedback randomizing tower register; SYN_O is the input enable signal; Clear_0, Clear_1 are the signal clear instructions; Lock_0, Lock_1 are the input lock signals; Alarm is the fault alarm signal; CD_0, CD_1, CD_2 are the register completion signals output by the ring registers of each level; Invaid_0, Invaid_1, Invaid_2 are the illegal data detection signals output by the ring registers of each level;
in FIG. 3, Pi_0^0, Pi_0^1 (0 ≤ i ≤ 2) are the first-path input data of each level's random path switching module in FIG. 2, and Pi_1^0, Pi_1^1 are the second-path input data of each level's random path switching module; Invaid_i (0 ≤ i ≤ 2) is the illegal data detection signal of each level's random path switching module, and CD_i (0 ≤ i ≤ 2) is the register completion signal input from each level's ring register.
Detailed Description
The invention is described in further detail below with reference to the following figures and specific examples:
The invention relates to a clock-free cryptographic chip fault injection attack detection and protection system, which comprises a synchronization module 1.1, a synchronous self-feedback randomizing tower register 1.2, a propagation delay matching module 1.3, an illegal data detection and clearing module 1.4 and a self-feedback module 1.6. The synchronization module 1.1 synchronizes plaintext input data, ciphertext input data or intermediate-state data of the cryptographic operation in the time dimension and passes the synchronized data to the cipher round operation module 1.5, which performs the block cipher round transformation. At the same time, the synchronization control signal SYN_input of the synchronization module 1.1 is set to 1 and input to the propagation delay matching module 1.3. By delaying SYN_input, the propagation delay matching module 1.3 matches the maximum propagation delay path of the cipher round operation module 1.5, which ensures that when the propagation delay matching module output signal SYN_tr (SYN_tr is the signal SYN_input after it has passed through the propagation delay matching module 1.3) transitions from 0 to 1, every dual-rail data line at the output of the cipher round operation module 1.5 has already produced its normal output {(C_{r_0}^0, C_{r_0}^1), …, (C_{r_n}^0, C_{r_n}^1)} (the cipher round transformation result output by the cipher round operation module, represented in dual-rail form. In the dual-rail data format, {0,0} denotes "no data" (NULL), {1,0} denotes "0", {0,1} denotes "1", and {1,1} denotes "illegal data");
when the cipher round operation module 1.5 produces a positive transient or steady-state fault that propagates ahead of the normal data, then, because the propagation delay matching module 1.3 delays the synchronization control signal SYN_input, the illegal data detection signal SYN_illegal of the illegal data detection and clearing module 1.4 becomes active before the propagation delay matching module output signal SYN_tr. The input enable signal SYN_O of the synchronous self-feedback randomizing tower register, which is output by the self-feedback module 1.6, therefore stays low, preventing the current cipher round operation module 1.5 from outputting the current round's transformation state data to the synchronous self-feedback randomizing tower register 1.2. The input enable signal SYN_O is the logical AND of SYN_illegal, SYN_tr and the self-feedback signals SYN_feed^i (0 ≤ i ≤ n) output by each stage of the synchronous self-feedback randomizing tower register: SYN_O is high only when SYN_illegal, SYN_tr and the self-feedback signals SYN_feed^i of all stages (0 ≤ i ≤ n, where i is the index of each stage of the synchronous self-feedback randomizing tower register in FIG. 1) are all high. At the same time, the illegal data detection and clearing module 1.4 sets the reset signal Reset_i to 1 and clears the cipher round operation module 1.5 with a NULL wavefront (in an NCL circuit, data state {0,0} denotes "no data" (NULL), {1,0} denotes "0", {0,1} denotes "1", and {1,1} denotes "illegal data". In an NCL pipeline, adjacent handshake units handshake through a request signal and a response signal, which ensures that two valid data items in the pipeline are always separated by NULL data. A NULL wavefront is the propagation of NULL data when the pipeline is cleared using dual-rail {0,0} before valid data is transmitted).
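The input gating described above, as an added behavioural model (not code from the patent): SYN_O is computed as the AND of SYN_illegal (active low), SYN_tr and SYN_feed, and one round is replayed against constructed fault events. The integer time steps, the event tuples, the single SYN_feed bit and the `matched_delay` switch are assumptions of this model.

```python
NULL, ZERO, ONE, ILLEGAL = "NULL", "0", "1", "ILLEGAL"

def classify(pair):
    """Dual-rail states as defined on the page."""
    return {(0, 0): NULL, (1, 0): ZERO, (0, 1): ONE, (1, 1): ILLEGAL}[pair]

def simulate_round(data_bits, t_data, t_spread, faults=(),
                   matched_delay=True, t_end=12):
    """Replay one round at the input of the tower register.

    data_bits     -- correct round output, one 0/1 per dual-rail line
    t_data        -- step at which the correct rails are asserted
    t_spread      -- step at which SYN_tr rises (matched delay, >= t_data)
    faults        -- constructed events (time, line, rail, value)
    matched_delay -- False models a gate with no delay matching (SYN_tr always 1)
    """
    rails = [[0, 0] for _ in data_bits]            # every line starts at NULL
    # Bit b is carried by asserting rail b: 0 -> {1,0}, 1 -> {0,1}.
    events = [(t_data, i, b, 1) for i, b in enumerate(data_bits)]
    events += list(faults)
    result = {"latched": None, "latched_at": None,
              "reset_at": None, "rejected_late": 0}
    syn_feed = 1                                   # 1 while the register is empty
    for t in range(t_end + 1):
        changed = [e for e in events if e[0] == t]
        for _, line, rail, value in changed:
            rails[line][rail] = value
        states = [classify(tuple(p)) for p in rails]
        syn_illegal = 0 if ILLEGAL in states else 1      # active low
        syn_tr = 1 if (not matched_delay or t >= t_spread) else 0
        syn_o = syn_illegal & syn_tr & syn_feed
        if result["latched"] is not None:
            # SYN_feed is 0, so SYN_O is 0: rail changes cannot reach the register.
            result["rejected_late"] += len(changed)
            continue
        if syn_illegal == 0:
            # Reset_i = 1: a NULL wavefront clears the round module, data is re-input.
            result["reset_at"] = t
            break
        if syn_o and all(s in (ZERO, ONE) for s in states):
            result["latched"] = [int(s) for s in states]
            result["latched_at"] = t
            syn_feed = 0                           # self-feedback closes the input
    return result

if __name__ == "__main__":
    base = dict(data_bits=[1, 0, 1, 1], t_data=5, t_spread=6)
    cases = {
        "fault before data": [(1, 2, 0, 1)],
        "fault with data":   [(5, 2, 0, 1)],
        "fault after latch": [(8, 2, 0, 1)],
        "early transient":   [(1, 2, 0, 1), (3, 2, 0, 0)],
    }
    for name, faults in cases.items():
        print(name, simulate_round(**base, faults=faults))
    # Same early fault on every line, with and without the matched delay.
    early = [(1, 0, 0, 1), (1, 1, 1, 1)]
    print("no delay match", simulate_round([1, 0], 5, 6, early, matched_delay=False))
    print("delay matched ", simulate_round([1, 0], 5, 6, early))
```
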
In the above technical solution, the synchronous self-feedback randomizing tower register 1.2 is composed of a fault detection network 2.1, a zero-level ring register 2.2, a first-level ring register 2.3, a second-level ring register 2.4 and 3 random path switching modules 2.5. Once valid data (valid data means the dual-rail state {1,0}, representing "0", or {0,1}, representing "1") is input to the synchronous self-feedback randomizing tower register 1.2 from outside or from the previous pipeline stage, the self-feedback signal SYN_feed^i (0 ≤ i ≤ n) generated by the synchronous self-feedback randomizing tower register 1.2 is set to 0, and through the self-feedback module 1.6 the input enable signal SYN_O of the synchronous self-feedback randomizing tower register is set to 0; that is, when SYN_feed^i (0 ≤ i ≤ n) is zero, SYN_O is zero, which prevents fault data arriving after the normal data from being input into the synchronous self-feedback randomizing tower register 1.2. Under the control of the random path switching modules 2.5, the data temporarily stored in the register is switched randomly among the register units of the register ring formed by the zero-level ring register 2.2, the first-level ring register 2.3 and the second-level ring register 2.4, which dynamically randomizes the data storage location, and the fault detection network 2.1 is used to discover fault injection behaviour.
When a fault at the output of the cipher round operation module 1.5 occurs during the period in which the signal SYN_O is active and is input into the synchronous self-feedback randomizing tower register 1.2, two data wavefronts flow in the tower at the same time, so under the action of the fault detection network 2.1 in the synchronous self-feedback randomizing tower register the fault alarm signal Alarm is set to 1 and, based on the clear instruction Clear_0, the data in the tower is cleared with a NULL wavefront and input again; when the NULL wavefront generated by the previous round of the cipher round operation reaches the current-stage cipher round operation, the current-stage self-feedback randomizing tower register is cleared based on the clear instruction Clear_1; when an attacker mounts a fault attack on the synchronous self-feedback randomizing tower register 1.2, the random propagation of the data makes it difficult for the attacker to determine the attack location, so the data temporarily stored in the tower cannot be flipped precisely. Furthermore, when the attacker selects the wrong attack location, more than 1 valid data item will be present in the tower at the same time. In that case, under the action of the fault detection network, the fault alarm signal Alarm is set to 1, the data in the tower is cleared with a NULL wavefront, and the data is input again, as shown in FIG. 2.
In the above technical solution, the random path switching module 2.5 comprises an illegal dual-rail data detection module 3.1, a true random number generator 3.2 and a path selection module 3.3. When the dual-rail data output by the zero-level ring register 2.2, the first-level ring register 2.3 or the second-level ring register 2.4 reaches the first path Pi_0^0, Pi_0^1 or the second path Pi_1^0, Pi_1^1 (0 ≤ i ≤ 2) of the random path switching module, the illegal dual-rail data detection module 3.1 judges whether the data is legal based on the dual-rail data definition ({1,1} is illegal data). If the data is illegal dual-rail data, the illegal data detection signal Invaid_i output by the random path switching module 2.5 is set to 1 and, through the fault detection network 2.1 and the illegal data detection and clearing module 1.4, the signal clear instruction Clear_0 in the synchronous self-feedback randomizing tower register 1.2 is set to 1, which starts the clear operation, and the round transformation result data in the cipher round operation module 1.5 is input again. Otherwise, under the control of the falling edges of the register completion signals CD_0, CD_1, CD_2 output by the zero-level ring register 2.2, the first-level ring register 2.3 and the second-level ring register 2.4, the true random number generator 3.2 generates a random number. According to the value of the random number, the data input into the random path switching module by the ring register, which appears simultaneously on the input paths (Pi_0^0, Pi_0^1) and (Pi_1^0, Pi_1^1), is randomly selected in the path selection module 3.3 and output on the output path (P(i+1)_0^0, P(i+1)_0^1) or the path (P(i+1)_1^0, P(i+1)_1^1), as shown in FIG. 3.
Compared with a synchronous circuit, the invention eliminates the dependence on clock signals, tolerates signal delay and environmental factors (voltage, temperature and the like) extremely well, effectively prevents fault sensitivity analysis attacks, and has a clear advantage in resisting fault attacks. In addition, the circuit structure can be fully synthesized with common EDA tools, which provides a more effective, convenient and low-cost way to implement a cryptographic chip fault injection attack detection and protection structure based on clock-free circuits.
The detection of and protection against fault attack behaviour by the clock-free fault injection attack detection and protection system can be described in three scenarios, namely: 1) the fault data propagates ahead of the normal data; 2) the fault data and the normal data propagate simultaneously; 3) the fault data propagates later than the normal data; 4) the fault data is generated inside the randomizing tower register.
The fault injection attack detection and protection method of the invention comprises the following steps:
Step 1: Judge the fault data produced by a positive transient fault or a steady-state fault generated by the cipher round operation module 1.5;
Step 2: When the judgment result of step 1 shows that fault data propagating ahead of the normal data appears on the dual-rail data lines {(C_{r_0}^0, C_{r_0}^1), …, (C_{r_n}^0, C_{r_n}^1)} output by the cipher round operation module 1.5, go to step 2.1;
Step 2.1: Because of the delay between the synchronization control signal SYN_input and the propagation delay matching module output signal SYN_tr, before the fault signal on the dual-rail data lines {(C_{r_0}^0, C_{r_0}^1), …, (C_{r_n}^0, C_{r_n}^1)} is input into the synchronous self-feedback randomizing tower register 1.2, illegal dual-rail data is formed and captured by the illegal data detection and clearing module 1.4, so the illegal data detection signal SYN_illegal is set to 0;
Step 2.2: After the illegal data detection signal SYN_illegal is set to 0, the self-feedback module 1.6 forces the input enable signal SYN_O of the synchronous self-feedback randomizing tower register low, preventing fault data from entering the synchronous self-feedback randomizing tower register 1.2, and the reset signal Reset_i is set to 1;
Step 2.3: The illegal data detection and clearing module 1.4 starts the reset process of the synchronization module 1.1 to clear the fault data; because the reset operation has no external effect on the operation of the pipeline (such as pipeline reset or deadlock), attacks on the dual-rail encoding can be resisted;
Step 2.4: When the NULL wavefront arrives at the output of the cipher round operation module, the illegal data detection signal SYN_illegal is set to 1 and the reset signal Reset_i is accordingly set to 0;
Step 2.5: The data at the output of the synchronization module 1.1 is input to the cipher round operation module 1.5 again; at the same time the synchronization control signal SYN_input is set to 1 again and propagates along the propagation delay matching module 1.3 again, and the propagation delay matching module output signal SYN_tr is set to 1. Let the signal delay of the propagation delay matching module 1.3 be t_spread. Because in step 1.1 the illegal data detection signal SYN_illegal became active before the propagation delay matching module output signal SYN_tr, the delay from the synchronization control signal SYN_input becoming active to the propagation delay matching module output signal SYN_tr becoming active is t_delay1 > 2 × t_spread;
Step 2.6: Because the propagation delay matching module output signal SYN_tr and the self-feedback signals SYN_feed^i (0 ≤ i ≤ n) are 1, the input enable signal SYN_O of the synchronous self-feedback randomizing tower register is set to 1, which allows data to be input into the synchronous self-feedback randomizing tower register 1.2;
Step 2.7: After data is input into the synchronous self-feedback randomizing tower register 1.2, the self-feedback signal SYN_feed^i (0 ≤ i ≤ n) is generated and the input enable SYN_O of the synchronous self-feedback randomizing tower register is set to 0, preventing subsequent data input;
Step 3: When the judgment result of step 1 shows that the fault data and the normal data output by the cipher round operation module 1.5 propagate simultaneously, then, under the effect of the delay t_delay1 between the synchronization control signal SYN_input and the propagation delay matching module output signal SYN_tr, the illegal data detection signal SYN_illegal is set to 0 ahead of the input enable SYN_O of the synchronous self-feedback randomizing tower register, which prevents the fault data from being input into the synchronous self-feedback randomizing tower register 1.2, and the illegal data detection and clearing module 1.4 is used to clear the fault data.
Step 4: When the judgment result of step 1 shows that a fault on any pair of dual-rail data lines (C_{r_i}^0, C_{r_i}^1) (0 ≤ i ≤ n) propagates after the normal data and occurs during the period in which the input enable SYN_O of the synchronous self-feedback randomizing tower register is active, then, because there is a delay t_delay2 between the illegal data detection signal SYN_illegal being set to 0 and the input enable signal SYN_O being set to 0, the fault is input into the synchronous self-feedback randomizing tower register 1.2;
Step 4.1: The fault data on the dual-rail data line (C_{r_i}^0, C_{r_i}^1) (0 ≤ i ≤ n) occurs during the period in which the input enable signal SYN_O is active. When, during propagation, the fault data does not overlap in the time dimension with the normal data on (C_{r_i}^0, C_{r_i}^1), the fault data, which propagates behind the normal data, is isolated in the upper-level ring register of the synchronous self-feedback randomizing tower register 1.2 and cleared by the NULL wavefront;
Step 4.2: When, during propagation, the fault data on the dual-rail data line (C_{r_i}^0, C_{r_i}^1) (0 ≤ i ≤ n) overlaps with the normal data in the time dimension, illegal dual-rail data is formed. When the illegal dual-rail data propagates in the synchronous self-feedback randomizing tower register 1.2, the illegal dual-rail data detection module 3.1 in the random path switching module 2.5 detects it, the illegal data detection signal Invaid_i output by the random path switching module 2.5 is set to 1, the internal reset process is started, and the fault data is cleared;
Step 4.3: When the fault data on the dual-rail data line (C_{r_i}^0, C_{r_i}^1) (0 ≤ i ≤ n) does not occur during the period in which the input enable signal SYN_O is active, the feedback mechanism of the self-feedback signal SYN_feed^i (0 ≤ i ≤ n) blocks it from being input into the synchronous self-feedback randomizing tower register 1.2;
Step 5: When the judgment result of step 1 shows that the cipher round transformation result data has been input into the synchronous self-feedback randomizing tower register 1.2, then, under the action of the random path switching module 2.5, the data propagates randomly in the three-level ring register structure of the synchronous self-feedback randomizing tower register 1.2 (each ring register 2.2/2.3/2.4 contains 2 register units). Assuming the attacker can precisely control the location where the fault occurs, the probability of flipping the temporarily stored data is 1/6 of what it is when the synchronous self-feedback randomizing tower register 1.2 is not adopted. In addition, as the number of layers and the number of stages of the synchronous self-feedback randomizing tower register 1.2 increase, the probability of successfully flipping the internal data decreases further. If the number of layers of the synchronous self-feedback randomizing tower is n and the number of stages is m (m is an odd number), the probability P_flip of the temporarily stored data being flipped is:
Figure GDA0003664946900000101
When an attacker induces a fault at the wrong location, two sets of valid data will be present simultaneously in the synchronous self-feedback randomizing tower register 1.2, and the fault detection network 2.1 will detect the occurrence of the fault and clear the data in the tower using the NULL wavefront. "Wrong location" is meant in the following sense: the dual-rail data on $(Pi_0^0, Pi_0^1)$ and $(Pi_1^0, Pi_1^1)$ is, under the action of the random path switching module, selected and output on path $(P(i+1)_0^0, P(i+1)_0^1)$ or path $(P(i+1)_1^0, P(i+1)_1^1)$. When the random path switching module selects path $(P(i+1)_0^0, P(i+1)_0^1)$ and the attacker tries to induce a fault on path $(P(i+1)_1^0, P(i+1)_1^1)$, the fault is considered to be induced at the wrong location: valid data then exists on both path $(P(i+1)_0^0, P(i+1)_0^1)$ and path $(P(i+1)_1^0, P(i+1)_1^1)$, which the system does not allow.
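The two checks described above (an illegal dual-rail pair raising the illegal data detection signal, and data on both paths triggering the fault detection network) can be followed in a small behavioural model. This is an added example, not code from the patent: the dual-rail encoding (00 = NULL, 10 = DATA0, 01 = DATA1, 11 = illegal) is the usual NCL convention and is assumed here, as are all function names, the single-rail fault model and the rule that any non-NULL pair marks a path as occupied.

```python
import secrets

NULL_PAIR = (0, 0)
STATES = {(0, 0): "NULL", (1, 0): "DATA0", (0, 1): "DATA1", (1, 1): "ILLEGAL"}

def classify(pair):
    """Classify one dual-rail pair (rail0, rail1); the encoding is an assumption."""
    return STATES[pair]

def encode(bits):
    """Encode logical bits as dual-rail pairs: 0 -> (1, 0), 1 -> (0, 1)."""
    return [(0, 1) if b else (1, 0) for b in bits]

def path_state(word):
    """Summarise a path: ILLEGAL if any pair is (1, 1), else NULL, DATA or PARTIAL."""
    states = [classify(p) for p in word]
    if "ILLEGAL" in states:
        return "ILLEGAL"
    if all(s == "NULL" for s in states):
        return "NULL"
    return "DATA" if "NULL" not in states else "PARTIAL"

def switch_stage(in0, in1, rand_bit=None):
    """Model one random path switching stage; returns (out0, out1, invalid, fault).

    invalid models Invalid_i (an illegal pair was seen on either input path).
    fault models the fault detection network seeing both paths occupied at once.
    Either flag forces both outputs to NULL, standing in for the NULL wavefront.
    """
    null = [NULL_PAIR] * len(in0)
    s0, s1 = path_state(in0), path_state(in1)
    invalid = int("ILLEGAL" in (s0, s1))
    fault = int(s0 != "NULL" and s1 != "NULL")   # model assumption: non-NULL = occupied
    if invalid or fault:
        return null, null, invalid, fault
    if {s0, s1} != {"DATA", "NULL"}:
        return null, null, 0, 0                  # no complete data word to forward
    data = in0 if s0 == "DATA" else in1
    if rand_bit is None:
        rand_bit = secrets.randbits(1)           # stand-in for the true RNG (3.2)
    return (null, data, 0, 0) if rand_bit else (data, null, 0, 0)

def force_rail_high(word, index, rail):
    """Constructed fault model: one rail of one pair is forced to 1."""
    faulty = list(word)
    r0, r1 = faulty[index]
    faulty[index] = (1, r1) if rail == 0 else (r0, 1)
    return faulty

def demo():
    data = encode([1, 0, 1, 1])                  # constructed 4-bit sample word
    idle = [NULL_PAIR] * 4
    clean = switch_stage(data, idle, rand_bit=1)
    # Fault on the occupied path turns pair 1 from (1, 0) into (1, 1).
    on_data_path = switch_stage(force_rail_high(data, 1, 1), idle)
    # Fault on the idle path ("wrong location"): both paths now carry data.
    on_idle_path = switch_stage(data, force_rail_high(idle, 2, 0))
    return clean, on_data_path, on_idle_path

if __name__ == "__main__":
    for name, result in zip(("clean", "on_data_path", "on_idle_path"), demo()):
        print(name, "invalid=%d fault=%d" % result[2:])
```

In this model a fault on the path that currently holds the data is caught as an illegal pair, while a fault on the unselected path is caught because two paths are occupied at the same time.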
The invention discloses the structural design and security mechanism of a cipher chip fault injection attack detection and protection structure based on a clock-free randomized self-feedback mode, comprising: 1. the specific design of the synchronization module, the synchronous self-feedback randomizing tower register, the propagation delay matching module and the fault clearing module; 2. the detection and protection mechanism of the clock-free fault injection attack detection and protection structure against fault attack behaviour.
By reducing signal propagation delay, shortening the output window time and similar means, the invention can greatly improve the detection rate of fault data and reduce the probability of fault signals propagating in the pipeline, thereby resisting fault attacks without modifying the cipher operation module. In addition, the invention can be conveniently extended to various automatic synthesis flows and can significantly improve the efficiency and effect of automated design for cryptographic circuits that require a high level of resistance to fault attacks.
Matters not described in detail in this specification are well known to those skilled in the art.

Claims (5)

1. A clock-free password chip fault injection attack detection and protection system, characterized by comprising a synchronization module (1.1), a synchronous self-feedback randomizing tower register (1.2), a propagation delay matching module (1.3), an illegal data detection and clearing module (1.4) and a self-feedback module (1.6), wherein the synchronization module (1.1) performs time-dimension synchronization on plaintext input data, ciphertext input data or intermediate-state data of the cipher operation and transmits the synchronized data to a cipher round operation module (1.5) to carry out the block cipher round transformation; at the same time, the synchronization control signal $SYN_{input}$ of the synchronization module (1.1) is set to 1 and input to the propagation delay matching module (1.3); the propagation delay matching module (1.3), through its control of the synchronization control signal $SYN_{input}$, implements the maximum propagation delay path of the cipher round operation module (1.5), ensuring that when the propagation delay matching module output signal $SYN_{tr}$ jumps from 0 to 1, every dual-rail data line at the output of the cipher round operation module (1.5) has produced normal output;
when the cipher round operation module (1.5) produces a fault that propagates ahead of the normal data, then, because of the delaying effect of the propagation delay matching module (1.3) on the synchronization control signal $SYN_{input}$, the illegal data detection signal $SYN_{illegal}$ of the illegal data detection and clearing module (1.4) becomes valid before the propagation delay matching module output signal $SYN_{tr}$, and the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ output by the self-feedback module (1.6) is kept at a low level throughout, preventing the current round transformation state data of the cipher round operation module (1.5) from being output to the synchronous self-feedback randomizing tower register (1.2); the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ is the sum signal of $SYN_{illegal}$, $SYN_{tr}$ and the self-feedback signals output by each stage of the synchronous self-feedback randomizing tower register; at the same time, the illegal data detection and clearing module (1.4) sets the reset signal $Reset_i$ to 1 and clears the cipher round operation module (1.5) using the NULL wavefront;
the synchronous self-feedback randomizing tower register (1.2) consists of a fault detection network (2.1), a zero-level ring register (2.2), a first-level ring register (2.3), a second-level ring register (2.4) and 3 random path switching modules (2.5); once valid data is input to the synchronous self-feedback randomizing tower register (1.2) from outside or from the previous stage of the pipeline, the self-feedback signal $SYN_{feed}^{i}$ $(0 \le i \le n)$ generated by the synchronous self-feedback randomizing tower register (1.2) is set to 0, and the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ is set to 0 through the self-feedback module (1.6), thereby preventing fault data that arrives after the normal data from being input into the synchronous self-feedback randomizing tower register (1.2); under the control of the random path switching modules (2.5), the data temporarily stored in the register is randomly switched among the register units of the register ring formed by the zero-level ring register (2.2), the first-level ring register (2.3) and the second-level ring register (2.4), realizing dynamic randomization of the data storage location; the fault detection network (2.1) is used to detect fault injection actions performed on the synchronous self-feedback randomizing tower register (1.2);
the random path switching module (2.5) comprises an illegal dual-rail data detection module (3.1), a true random number generator (3.2) and a path selection module (3.3); when dual-rail data output by the zero-level ring register (2.2), the first-level ring register (2.3) and the second-level ring register (2.4) reaches the first path $(Pi_0^0, Pi_0^1)$ or the second path $(Pi_1^0, Pi_1^1)$ in the random path switching module, the illegal dual-rail data detection module (3.1) judges, based on the dual-rail data definition, whether the data is legal; if the data is illegal, the illegal data detection signal $Invalid_i$ output by the random path switching module (2.5) is set to 1, the clear signal $Clear_0$ in the synchronous self-feedback randomizing tower register (1.2) is set to 1 through the fault detection network (2.1) and the illegal data detection and clearing module (1.4), a clearing operation is started, and the round transformation result data in the cipher round operation module (1.5) is input again; otherwise, under the control of the falling edge of the registration completion signal output by the zero-level ring register (2.2), the first-level ring register (2.3) and the second-level ring register (2.4), the true random number generator (3.2) generates a random number output, and according to the specific value of the random number, the data input to the random path switching module by the ring register on the input paths $(Pi_0^0, Pi_0^1)$ and $(Pi_1^0, Pi_1^1)$ is randomly selected in the path selection module (3.3) and output between the output path $(P(i+1)_0^0, P(i+1)_0^1)$ and the path $(P(i+1)_1^0, P(i+1)_1^1)$.
2. A fault injection attack detection and protection method based on the clock-free password chip fault injection attack detection and protection system of claim 1, comprising the following steps:
Step 1: judging positive transient-state or steady-state fault data generated by the cipher round operation module (1.5);
Step 2: when the judgment result in step 1 shows that fault data propagating ahead of the normal data occurs on the dual-rail data lines $(C_{r\_i}^{0}, C_{r\_i}^{1})$ $(0 \le i \le n)$ output by the cipher round operation module (1.5), proceeding to step 2.1;
Step 2.1: because of the time delay between the synchronization control signal $SYN_{input}$ and the propagation delay matching module output signal $SYN_{tr}$, the fault signal on the dual-rail data lines $(C_{r\_i}^{0}, C_{r\_i}^{1})$ $(0 \le i \le n)$ forms illegal dual-rail data with the normal data before being input into the synchronous self-feedback randomizing tower register (1.2) and is captured by the illegal data detection and clearing module (1.4), so that the illegal data detection signal $SYN_{illegal}$ is set to 0;
Step 2.2: after the illegal data detection signal $SYN_{illegal}$ is set to 0, the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ is forcibly pulled low, preventing the fault data from being input into the synchronous self-feedback randomizing tower register (1.2); at the same time, the reset signal $Reset_i$ is set to 1;
Step 2.3: the illegal data detection and clearing module (1.4) starts the reset process of the synchronization module (1.1) to clear the fault data;
Step 2.4: when the NULL wavefront reaches the output of the cipher round operation module, the illegal data detection signal $SYN_{illegal}$ is set to 1 and the reset signal $Reset_i$ is then set to 0;
Step 2.5: the data at the output of the synchronization module (1.1) is input into the cipher round operation module (1.5) again; at the same time, the synchronization control signal $SYN_{input}$ is reset to 1 and propagates along the propagation delay matching module (1.3) again, setting the propagation delay matching module output signal $SYN_{tr}$ to 1; let the signal delay of the propagation delay matching module (1.3) be $t_{spread}$; because in step 1.1 the illegal data detection signal $SYN_{illegal}$ became valid before the propagation delay matching module output signal $SYN_{tr}$, the time delay from the synchronization control signal $SYN_{input}$ becoming valid to the propagation delay matching module output signal $SYN_{tr}$ becoming valid is $t_{delay1} > 2 \times t_{spread}$;
Step 2.6: because the propagation delay matching module output signal $SYN_{tr}$ and the self-feedback signals $SYN_{feed}^{i}$ $(0 \le i \le n)$ are 1, the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ is set to 1, allowing data to be input into the synchronous self-feedback randomizing tower register (1.2);
Step 2.7: after data is input into the synchronous self-feedback randomizing tower register (1.2), the self-feedback signal $SYN_{feed}^{i}$ $(0 \le i \le n)$ and the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ are set to 0, and subsequent data input is blocked.
3. The fault injection attack detection and protection method for the clock-less cryptographic chip fault injection attack detection and protection system according to claim 2, further comprising step 3: when the judgment result in step 1 shows that the fault data and the normal data output by the cipher round operation module (1.5) propagate simultaneously, then, under the effect of the time delay between the synchronization control signal $SYN_{input}$ and the propagation delay matching module output signal $SYN_{tr}$, the illegal data detection signal $SYN_{illegal}$ is set to 0 ahead of the synchronous self-feedback randomizing tower register input enable signal $SYN_O$, thereby preventing the fault data from being input into the synchronous self-feedback randomizing tower register (1.2), and the fault data is cleared by the illegal data detection and clearing module (1.4).
4. The fault injection attack detection and protection method for the clock-less cryptographic chip fault injection attack detection and protection system according to claim 3, further comprising step 4: when the judgment result in step 1 shows that fault data on the dual-rail data lines $(C_{r\_i}^{0}, C_{r\_i}^{1})$ $(0 \le i \le n)$ propagates after the normal data and is generated while the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ is valid, the fault is input into the synchronous self-feedback randomizing tower register (1.2), because there is a time delay between the illegal data detection signal $SYN_{illegal}$ being set to 0 and the input enable signal $SYN_O$ being set to 0;
Step 4.1: if the fault data on the dual-rail data lines $(C_{r\_i}^{0}, C_{r\_i}^{1})$ $(0 \le i \le n)$ is generated while the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ is valid and, during propagation, does not overlap in the time dimension with the normal data on the dual-rail data lines $(C_{r\_i}^{0}, C_{r\_i}^{1})$ $(0 \le i \le n)$, then, because the fault data propagates behind the normal data, it is isolated in the upper-level ring register of the synchronous self-feedback randomizing tower register (1.2) and cleared by the NULL wavefront;
Step 4.2: when the fault data, during propagation, overlaps in the time dimension with the normal data on the dual-rail data lines $(C_{r\_i}^{0}, C_{r\_i}^{1})$ $(0 \le i \le n)$, illegal dual-rail data is formed; when the illegal dual-rail data propagates in the synchronous self-feedback randomizing tower register (1.2), the dual-rail data detection module (3.1) in the random path switching module (2.5) detects it, the illegal data detection signal $Invalid_i$ output by the random path switching module (2.5) is set to 1, an internal reset process is started, and the fault data is cleared;
Step 4.3: when the fault data on the dual-rail data lines $(C_{r\_i}^{0}, C_{r\_i}^{1})$ $(0 \le i \le n)$ is not generated while the synchronous self-feedback randomizing tower register input enable signal $SYN_O$ is valid, the feedback mechanism of the self-feedback signal $SYN_{feed}^{i}$ $(0 \le i \le n)$ prevents it from being input into the synchronous self-feedback randomizing tower register (1.2).
5. The fault injection attack detection and protection method for the clock-less cryptographic chip fault injection attack detection and protection system according to claim 4, further comprising step 5: when the judgment result in step 1 shows that the cipher round transformation result data has been input into the synchronous self-feedback randomizing tower register (1.2), the data propagates randomly, under the action of the random path switching module (2.5), within the three-level ring register structure of the synchronous self-feedback randomizing tower register (1.2);
when an attacker induces a fault at the wrong location, two sets of valid data exist simultaneously in the synchronous self-feedback randomizing tower register (1.2), at which time the fault detection network (2.1) detects the occurrence of the fault and clears the data in the tower using the NULL wavefront.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011026317.4A CN112235259B (en) 2020-09-25 2020-09-25 Clock-free password chip fault injection attack detection and protection system and method

Publications (2)

Publication Number Publication Date
CN112235259A CN112235259A (en) 2021-01-15
CN112235259B true CN112235259B (en) 2022-07-12

Family

ID=74108198

Country Status (1)

Country Link
CN (1) CN112235259B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2629447A1 (en) * 2012-02-17 2013-08-21 Gemalto SA Method and device for protecting an electronic device against fault attack(s)
CN106656460A (en) * 2016-11-22 2017-05-10 浙江大学 Defense device for electromagnetic pulse fault analysis of password chip

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Circuit Level Defences Against Fault Attacks in Pipelined NCL Circuits"; Qingyu Ou et al.; IEEE Transactions on Very Large Scale Integration (VLSI) Systems; 20150930; Vol. 29 (No. 9); Chapters I-III *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220712