CN116232561B - Redundant encryption optimization method, device and equipment for resisting differential fault attack - Google Patents


Info

Publication number: CN116232561B
Authority: CN (China)
Prior art keywords: encryption, round, algorithm, preset, output
Legal status: Active
Application number: CN202310517739.9A
Other languages: Chinese (zh)
Other versions: CN116232561A
Inventors: 王滨, 田峰, 陈加栋, 王星, 沈剑, 谭皓文, 王晨
Current assignee: Hangzhou Hikvision Digital Technology Co Ltd
Original assignee: Hangzhou Hikvision Digital Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L9/004: Countermeasures against attacks on cryptographic mechanisms for fault attacks
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Detection And Prevention Of Errors In Transmission (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a redundant encryption optimization method, a device and equipment for resisting differential fault attack, wherein the method comprises the following steps: obtaining the output of the K-S round encryption in the original encryption process of the data to be encrypted by using a preset encryption algorithm; taking the output of the K-S round encryption as the input of redundant encryption, sequentially carrying out K-S+1 round encryption to the K round encryption on the output of the K-S round encryption to obtain the output of the K round encryption of redundant encryption; and determining whether a differential fault attack exists according to the output of the original encryption K round encryption and the output of the redundant encryption K round encryption. The method can save the operation resources of the redundant encryption module under the condition of ensuring the accuracy of differential fault attack detection.

Description

Redundant encryption optimization method, device and equipment for resisting differential fault attack
Technical Field
The present application relates to the field of cryptography, and in particular, to a method, an apparatus, and a device for optimizing redundant encryption for resisting differential fault attacks.
Background
Fault attacks are widely used in side-channel attacks and have produced good analysis results against many cryptographic algorithms. Normally, encrypting a plaintext yields the correct ciphertext, but if a computation error occurs during encryption, the resulting ciphertext deviates from the correct one, and the deviation usually carries important information about the key. The core of a fault attack is how to introduce fault information into the operation of the algorithm so that the master key can be recovered more quickly. Fault attacks can also be combined with differential analysis; the resulting differential fault attack (Differential Fault Analysis) is the dominant form of fault attack.
Therefore, how to resist differential fault attacks effectively is a technical problem to be solved.
Disclosure of Invention
In view of the above, the present application provides a method, apparatus and device for optimizing redundant encryption against differential fault attacks.
Specifically, the application is realized by the following technical scheme:
according to a first aspect of an embodiment of the present application, there is provided a redundant encryption optimization method for resisting a differential fault attack, including:
obtaining the output of the K-S round encryption in the original encryption process of the data to be encrypted by using a preset encryption algorithm; the preset encryption algorithm is a block encryption algorithm, K is the total encryption round number of the preset encryption algorithm, S is the safety round number of a redundant algorithm determined according to the nonlinear diffusion capacity of the preset encryption algorithm, and S is more than 1 and less than K;
taking the output of the K-S round encryption as the input of redundant encryption, sequentially carrying out K-S+1 round encryption to the K round encryption on the output of the K-S round encryption to obtain the output of the K round encryption of redundant encryption; the encryption algorithm used by the redundant encryption is the preset encryption algorithm;
and determining whether a differential fault attack exists according to the output of the original encryption K round encryption and the output of the redundant encryption K round encryption.
According to a second aspect of the embodiment of the present application, there is provided a redundant encryption optimization apparatus for resisting a differential fault attack, including:
the original encryption unit is used for carrying out original encryption on the data to be encrypted by utilizing a preset encryption algorithm;
the acquisition unit is used for acquiring the output of the K-S round encryption in the original encryption process of the data to be encrypted by utilizing the preset encryption algorithm; the preset encryption algorithm is a block encryption algorithm, K is the total encryption round number of the preset encryption algorithm, S is the safety round number of a redundant algorithm determined according to the nonlinear diffusion capacity of the preset encryption algorithm, and S is more than 1 and less than K;
the redundancy encryption unit is used for taking the output of the K-S round encryption as the input of redundancy encryption, and sequentially carrying out K-S+1 round encryption to the K round encryption on the output of the K-S round encryption to obtain the output of the K round encryption of redundancy encryption; the encryption algorithm used by the redundant encryption is the preset encryption algorithm;
and the detection unit is used for determining whether differential fault attack exists according to the output of the original encryption K round encryption and the output of the redundant encryption K round encryption.
According to a fifth aspect of embodiments of the present application, there is provided an electronic device comprising a processor and a memory storing machine executable instructions executable by the processor for executing the machine executable instructions to implement the method provided in the first aspect.
In the redundant encryption optimization method for resisting differential fault attacks, the output of the K-S round of the original encryption of the data to be encrypted with the preset encryption algorithm is obtained and used as the input of the redundant encryption; rounds K-S+1 to K are then performed in sequence on that output to obtain the K-th round output of the redundant encryption; and whether a differential fault attack exists is determined from the K-th round output of the original encryption and the K-th round output of the redundant encryption. Because the safety round number S of the redundant algorithm is determined from the nonlinear diffusion capability of the preset encryption algorithm, the diffusion characteristics of different encryption algorithms are fully taken into account. On the premise that the input to the redundant encryption is fault-free, that is, while the accuracy of differential fault attack detection is guaranteed, the number of rounds actually computed is reduced, the operation resources of the redundant encryption module are effectively saved, and a balance of security and performance is achieved.
Drawings
FIG. 1 is a flow chart of a redundant encryption optimization method for resisting differential fault attacks according to an exemplary embodiment of the present application;
FIG. 2 is a flow chart of a redundant encryption optimization method for resisting differential fault attacks according to an exemplary embodiment of the present application;
FIG. 3 is a schematic diagram of a redundant encryption optimization apparatus that resists differential fault attacks according to an exemplary embodiment of the present application;
FIG. 4 is a schematic diagram of a redundant encryption optimization apparatus that resists differential fault attacks according to an exemplary embodiment of the present application;
fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, some technical terms related to the embodiments of the present application are explained below.
1. Block cipher: a symmetric-key cipher in which the plaintext input is processed in blocks and encrypted with the same key.
2. Differential analysis: studies how a pair of plaintexts with a given difference behaves through the iterated round function; its main idea is to use the non-uniform difference distribution of the algorithm's confusion layer to construct a high-probability differential path and thereby recover the corresponding key bits.
3. Side channel attack: aimed mainly at the physical security of cryptographic implementations, which is analysed with methods such as power analysis attacks, timing attacks and fault attacks.
4. Fault attack: the main idea is to inject faults during the operation of the algorithm so that it outputs an incorrect result; by analysing and comparing the correct and faulty results, an attacker can obtain information about the key in use and recover it. Fault attacks can also be combined with differential analysis, giving differential fault attacks.
5. Redundant encryption: a means of detecting and defending against fault attacks; a redundant module (not taking part in the actual operation) is built to check the correctness of the output ciphertext and thereby decide whether the cryptographic module has been attacked.
In order to make the above objects, features and advantages of the embodiments of the present application more comprehensible, the following describes the technical solution of the embodiments of the present application in detail with reference to the accompanying drawings.
It should be noted that the sequence numbers of the steps in the embodiments of the present application do not imply an execution order; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation of the embodiments.
In addition, unless specifically stated otherwise, the encryption algorithms mentioned in the embodiments of the present application refer to block encryption algorithms (or referred to as block cipher algorithms).
Referring to fig. 1, a flow chart of a redundant encryption optimization method for resisting a differential fault attack according to an embodiment of the present application, as shown in fig. 1, may include the following steps:
step S100, obtaining the output of the K-S round encryption in the original encryption process of the data to be encrypted by using a preset encryption algorithm; the preset encryption algorithm is a block encryption algorithm, K is the total encryption round number of the preset encryption algorithm, S is the safety round number of the redundant algorithm determined according to the nonlinear diffusion capacity of the preset encryption algorithm, and S is more than 1 and less than K.
Step S110, taking the output of the K-S round encryption as the input of redundant encryption, and sequentially carrying out K-S+1 round encryption to the K round encryption on the output of the K-S round encryption to obtain the output of the K round encryption of redundant encryption; and the encryption algorithm used for redundancy encryption is the preset encryption algorithm.
In the embodiment of the application, redundant encryption usually has to be performed in a module of higher security, and such modules, while generally guaranteeing security, usually have relatively low computational efficiency; that is, redundant encryption is usually performed in a module that is more secure but less efficient. Therefore, to improve the efficiency of the whole redundant encryption scheme against differential fault attacks, one can try to reduce the number of rounds computed by the redundant operation.
Furthermore, most differential fault attacks choose to introduce (random or non-random, single-bit or single-byte) faults in the last few rounds of the algorithm. In that case, by analysing the difference between the correct and the faulty ciphertext, a method combined with differential analysis can construct several characteristic paths and recover the key accordingly. If instead the fault is introduced in an early round of the algorithm, then for most widely used block ciphers the diffusion property of the algorithm itself makes it hard to find a high-probability characteristic path, so the fault is difficult to exploit in effective cryptanalysis, or the analysis becomes harder.
Based on this, when designing the redundant encryption scheme one can try to shorten the actual number of rounds computed by the redundant algorithm, that is, start the redundant operation some rounds into the middle of the algorithm, and compare the results of the two encryptions (the original encryption and the redundant encryption) to detect a differential fault attack.
Accordingly, in the embodiment of the application, the diffusion capacity of the encryption algorithm can be evaluated by measuring its nonlinear diffusion degree, and the safety round number S of the redundant algorithm is determined from that capacity: once the number of rounds computed with the preset encryption algorithm reaches S, the nonlinear diffusion degree of the preset encryption algorithm meets the preset requirement.
Accordingly, for the preset encryption algorithm, a fault is generally introduced within the last S rounds, so that fewer than S rounds are computed after the fault is introduced; that is, the input and output of each round before the last S rounds usually carry no fault information. Therefore, if the redundant operation covers S rounds, a differential fault attack can be detected effectively.
For example, for a block cipher with good diffusion, a random fault spreads to as many output bits as possible within a small number of rounds. Once this diffusion has continued for a certain number of rounds, every bit of the subsequent output can be affected by the fault, and it then becomes difficult to find a high-probability characteristic path with mainstream analysis methods, which makes a fault-based attack difficult.
Therefore, for any block cipher, the number of rounds at which its nonlinear diffusion degree meets the requirement can be determined from its nonlinear diffusion capability; that is, once the number of encryption rounds computed reaches that number, the nonlinear diffusion degree of the block cipher is high, and it is difficult to extract key information through a differential fault attack.
In other words, a differential fault attack requires that the number of rounds actually computed after the fault is introduced be smaller than that number of rounds.
Accordingly, the redundant encryption must start, taking the intermediate output of the original encryption as its input, before the round at which the fault is introduced.
In the embodiment of the application, for a preset encryption algorithm, the number S of security rounds of a redundancy algorithm corresponding to the preset encryption algorithm can be determined according to the nonlinear diffusion capability of the preset encryption algorithm, and the output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm is obtained.
The output of the K-S round encryption can be used as the input of redundancy encryption, the K-S+1 round encryption to the K round encryption are sequentially carried out on the output of the K-S round encryption, namely, the round keys (also called subkeys) of the K-S+1 round encryption to the K round encryption are sequentially used, and redundancy encryption operation is carried out on the obtained output of the K-S round encryption to obtain the output of the redundancy encryption K round encryption.
The round key of the K-S+1 round is used for carrying out redundant encryption operation on the output of the K-S round encryption to obtain the output of the K-S+1 round redundant encryption; performing redundancy encryption operation on the output of the K-S+1 round of redundancy encryption by using the round key of the K-S+2 round to obtain the output of the K-S+2 round of redundancy encryption; and by analogy, obtaining the output of the K-th round of encryption of the redundant encryption.
For example, suppose that encryption algorithm 1 has 20 rounds in total and that its nonlinear diffusion degree meets the requirement once 8 rounds have been computed. For a scenario encrypting with encryption algorithm 1, faults are then usually introduced around the 8th-from-last round, so in order to detect the differential fault attack accurately, the redundant encryption may be started before that round. For example, the redundant encryption is started at the 10th-from-last round, that is, the output of the 10th round of the original encryption is taken as the input of the redundant encryption, rounds 11 to 20 of the redundant encryption are performed in sequence (the input is encrypted in turn with the round keys, also called subkeys, of rounds 11 to 20), and the output of the 20th round of the redundant encryption is obtained.
And step S120, determining whether a differential fault attack exists according to the output of the original encryption K round encryption and the output of the redundant encryption K round encryption.
In the embodiment of the present application, following steps S100 to S110, on the one hand the K-th round output of the original encryption (the K-round encryption of the original plaintext input) is obtained, and on the other hand the K-th round output of the redundant encryption (rounds K-S+1 to K applied in sequence to the K-S round output of the original encryption) is obtained.
Whether a differential fault attack exists can be determined according to the output of the original encryption K round encryption and the output of the redundant encryption K round encryption.
Illustratively, the K-th round output of the original encryption and the K-th round output of the redundant encryption may be combined by an exclusive-or operation, such as a bitwise exclusive-or. If the result is all zeros, it is determined that there is no differential fault attack, and the K-th round output of the original encryption may be output; if the result is not all zeros, it is determined that a differential fault attack exists, in which case alarm processing may be performed and an external attack is deemed detected.
In the method shown in fig. 1, the output of the K-S round of the original encryption of the data to be encrypted with the preset encryption algorithm is obtained and used as the input of the redundant encryption; rounds K-S+1 to K are then performed in sequence on that output to obtain the K-th round output of the redundant encryption; and whether a differential fault attack exists is determined from the K-th round output of the original encryption and the K-th round output of the redundant encryption. Because the safety round number S of the redundant algorithm is determined from the nonlinear diffusion capability of the preset encryption algorithm, the diffusion characteristics of different encryption algorithms are fully taken into account. On the premise that the input to the redundant encryption is fault-free, that is, while the accuracy of differential fault attack detection is guaranteed, the number of rounds actually computed by the redundant encryption is reduced, the operation resources of the redundant encryption module are effectively saved, and a balance of security and performance is achieved.
In some embodiments, S may be determined as follows:
randomly select M groups of keys and N groups of plaintext data, where N > M > 1;
using the preset encryption algorithm, perform reduced-round encryption of the N groups of plaintext data under the M groups of keys;
starting from the $L_0$-th round, compute the specified statistic of the preset encryption algorithm round by round from the intermediate encryption values of the N groups of plaintext data in each round, obtain the specified statistic of the preset encryption algorithm for each round, and determine the number of encryption rounds s at which the specified statistic of the preset encryption algorithm satisfies a preset condition; the specified statistic measures the nonlinear diffusion degree of the preset encryption algorithm, and $0 < L_0 \le s < K$;
determine S from s, where S ≥ s.
For example, to improve the rationality of the security round number S determination, M groups of keys may be randomly selected, as well as N groups of plaintext data.
Optionally, M > 100 and N > 100000.
For example, more than 100 groups of keys, more than 100000 groups of plaintext data, may be randomly selected.
The selected N groups of plaintext data may be subjected to a reduced round of encryption using a predetermined encryption algorithm based on the selected M groups of keys.
For example, assuming a total encryption round number of 32 rounds of a certain encryption algorithm, the actual encryption round number is less than 32 rounds in the case of reduced round encryption of plaintext data with the encryption algorithm.
In one example, the performing the reduced round encryption on the N sets of plaintext data according to the M sets of keys by using a preset encryption algorithm may include:
dividing N groups of plaintext data into M parts, and respectively distributing M groups of secret keys to the M parts;
and for any part of plaintext data, carrying out reduced round encryption on the part of plaintext data by utilizing a preset encryption algorithm according to the distributed secret key. For example, assuming that 100 sets of keys are selected in total, 100000 sets of plaintext data may be equally divided into 100 parts, each 1000 sets of plaintext data, and the 100 parts of plaintext data are encrypted by using 100 sets of keys, i.e. each set of keys needs to encrypt 1000 sets of plaintext data. For example, according to the 1 st group key, using a preset encryption algorithm to encrypt each group of plaintext data in 1000 groups of plaintext data in the 1 st part of plaintext data respectively in a reduced round; respectively carrying out reduced round encryption on each group of plaintext data in 1000 groups of plaintext data in the 2 nd part of plaintext data by utilizing the 2 nd group of secret keys and a preset encryption algorithm; and so on.
It should be noted that, under the condition that the selected N groups of plaintext data are subjected to reduced round encryption by using the preset encryption algorithm according to the selected M groups of keys, the N groups of plaintext data may not be divided into M parts, but each group of plaintext data in the selected N groups of plaintext data may be subjected to reduced round encryption by using the preset encryption algorithm according to each group of keys.
Illustratively, starting from the $L_0$-th round, the preset encryption algorithm is measured round by round from the intermediate encryption values of the plaintext data in each round, giving the specified statistic (which may be called the test result of the specified statistic) corresponding to that round.
For example, the specified statistic corresponding to the $L_0$-th round of the preset encryption algorithm may be computed (i.e., after $L_0$ rounds of encryption of the selected N groups of plaintext data under the selected M groups of keys with the preset encryption algorithm), then the specified statistic corresponding to the $(L_0+1)$-th round, and so on.
From the specified statistic computed for each round, the number of encryption rounds s at which the specified statistic of the preset encryption algorithm satisfies the preset condition can be determined, and S can then be determined from s.
Illustratively, $L_0$ may be 1, i.e., the specified statistic is computed round by round starting from the 1st round; alternatively, $L_0$ may be an empirical value: for example, if it is known empirically that the encryption algorithm reaches a sufficient degree of nonlinear diffusion only from round 5 onwards, $L_0$ may be 5, i.e., the specified statistic is computed round by round starting from the 5th round.
Illustratively, the specified statistic may be used to measure the degree of non-linear diffusion of the preset encryption algorithm.
Illustratively, specifying that the statistic meets the preset condition may refer to the encryption algorithm meeting the basic requirements of nonlinear diffusion (e.g., meeting the requirements of encryption security).
Illustratively, determining the number of encryption rounds s that satisfies the preset condition for the specified statistic corresponding to the preset encryption algorithm indicates: in the case of s-round encryption of the selected N groups of plaintext data using a preset encryption algorithm, the degree of nonlinear diffusion of the preset encryption algorithm may satisfy the requirement, or may be described as: the reduced round encryption algorithm with the number of encryption rounds s corresponding to the preset encryption algorithm (i.e. the number of encryption rounds of the preset encryption algorithm is reduced from K rounds to s rounds) meets the basic requirement of nonlinear diffusion, for example, the reduced round encryption algorithm has good completeness and/or avalanche effect, and/or meets the strict avalanche criterion.
It should be noted that, since the nonlinear diffusion degree of the encryption algorithm grows with the number of encryption rounds, the number of encryption rounds determined above is, in theory, the minimum number of encryption rounds at which the specified statistic of the preset encryption algorithm satisfies the preset condition.
Illustratively, S ≥ s.
Optionally, S is greater than or equal to s+2.
In one example, the specified statistic includes one or more of d1, d2, d3 and d4; d1 measures the degree of avalanche effect of the preset encryption algorithm, d2 the degree of completeness, d3 the degree of avalanche effect, and d4 the degree of strict avalanche effect;
computing the specified statistics of the preset encryption algorithm may include:
where the specified statistic includes d1, determining d1 by:
where the specified statistic includes d2, determining d2 by:
d2 = 1 - #{(i,j) | a_ij = 0, i = 1, …, n, j = 1, …, m}/(nm)
where the specified statistic includes d3, determining d3 by:
where the specified statistic includes d4, determining d4 by:
The transformation function F is the reduced-round encryption algorithm of the preset encryption algorithm; the input of F (i.e., the block length of the block encryption algorithm) is n bits and its output is m bits. The input vector x = (x1, x2, …, xn) is one group of plaintext data among the N groups, x_k ∈ {0,1}, k = 1, 2, …, n; x^(i) is the input vector obtained by changing the i-th bit of x; F(x) is the output vector of x under F, and F(x^(i)) is the output vector of x^(i) under F. The input variable of F is taken from a sample subset X, and #X denotes the sample capacity of X. a_ij = #{x ∈ X | (F(x))_j ≠ (F(x^(i)))_j} is the number of input vectors x in X for which the j-th bits of the output vectors F(x) and F(x^(i)) differ; the number of input vectors x in X for which the differential Hamming weight between F(x) and F(x^(i)) equals j is counted likewise.
Illustratively, n = m.
Here the sample subset X is the selected N groups of plaintext data, and #X, the sample capacity of X, equals N.
The n-dimensional linear space over the finite field Z2 = {0,1} can be understood as the space of n-dimensional input vectors, i.e., x = (x1, x2, …, xn) as above.
Illustratively, the measure of the degree of nonlinear diffusion of the encryption algorithm may be implemented by one or more of a measure of the degree of avalanche effect, the degree of completeness, and a measure of the degree of strict avalanche effect.
Where completeness means that each bit of the encryption function output is associated with all bits of the input. Avalanche effect means that a change in any bit of the input should result in a change in the average half of the bits of the output. The strict avalanche criterion means that a change in any bit of the input should cause a change in each bit of the output with a probability of 1/2.
Illustratively, where the specified statistic includes d1, d1 may be determined by:
where the specified statistic includes d2, d2 may be determined by:
d2 = 1 - #{(i,j) | a_ij = 0, i = 1, …, n, j = 1, …, m}/(nm)
where the specified statistic includes d3, d3 may be determined by:
where the specified statistic includes d4, d4 may be determined by:
In one example, the specified statistic satisfying the preset condition may include: the value of the specified statistic lies in a preset confidence interval.
Where the specified statistic includes d1, the confidence interval of d1 is:
where the specified statistic includes d2, the confidence interval of d2 is:
p(d2 = 1) = 1 - 2^(-#X) ≈ 1.0000
E{d2} ≈ 1.0000
where the specified statistic includes d3, the confidence interval of d3 is:
where the specified statistic includes d4, the confidence interval of d4 is:
where E{ } is the expected value, Var{ } is the variance, u follows a one-sided standard normal distribution, and α is the confidence level.
In some embodiments, before the obtaining the output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm, the method may further include:
determining a current security policy;
and under the condition that the current security policy is determined to be the first security policy, determining to execute the operation of acquiring the output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm.
For example, in order to improve the flexibility of the redundant encryption optimization scheme for resisting the differential fault attack, a plurality of different security policies can be set, and under the different security policies, the actual operation round number of the redundant algorithm can be different.
Correspondingly, for the input plaintext data, the current security policy can be determined under the condition that the data to be encrypted needs to be encrypted by using a preset encryption algorithm.
The security policy may include, for example, a first security policy, and at least one other security policy.
In the case where the current security policy is determined to be the first security policy, the processing may be performed according to the method flow shown in fig. 1.
In an example, the redundant encryption optimization method for resisting the differential fault attack provided by the embodiment of the application further may include:
executing the full-round redundancy algorithm operation under the condition that the current safety strategy is determined to be the second safety strategy and the full-round redundancy algorithm operation time is reached; under the condition that the current security policy is determined to be the second security policy and the operation time of the full-round redundancy algorithm is not reached, taking the output of the K-S round encryption in the original encryption process as the input of the redundancy encryption, and executing the S round redundancy algorithm operation; and under the condition that the safety strategy is the second safety strategy, determining that the operation time of the full-round redundancy algorithm is reached every preset time or preset operation times.
The security policy may also include a second security policy, for example.
For application environments where the security requirements are relatively higher, for example, where the security requirements of the application environment are higher than those of the first security policy application environment, the second security policy may be employed.
For the second security policy, the full-round redundancy algorithm operation time is determined to have arrived every preset time period or every preset number of operations. When it has arrived, the full-round redundancy algorithm operation is performed to further improve security.
For the second security policy, under the condition that the operation time of the full-round redundancy algorithm is not reached, the output of the K-S-th round encryption in the original encryption process is used as the input of the redundancy encryption to execute the S-round redundancy algorithm operation, and the specific implementation of the S-round redundancy algorithm operation can be described in the related description in the method flow shown in fig. 1.
In an example, the redundant encryption optimization method for resisting the differential fault attack provided by the embodiment of the application further may include:
and executing the full-round redundancy algorithm operation under the condition that the current security policy is determined to be the third security policy.
For example, for an application environment with high security requirements, such as an application environment with security requirements higher than those of the second security policy application environment, the third security policy may be adopted.
For example, for a scenario where the security requirement is particularly high and the efficiency requirement is relatively low, the security policy may further include a third security policy, and in the case where the current security policy is determined to be the third security policy, a full-round redundancy operation may be performed to ensure security as much as possible, that is, for plaintext input, K-round original encryption may be performed separately, and K-round redundancy encryption may be performed.
Illustratively, the security requirement of the application environment of the third security policy is higher than the security requirement of the application environment of the second security policy, which is higher than the security requirement of the application environment of the first security policy.
In an example, the redundant encryption optimization method for resisting the differential fault attack provided by the embodiment of the application further may include:
in a trusted environment protected against side-channel attacks, determining the current security policy to be a fourth security policy and turning off the redundancy algorithm.
For example, to meet the needs of scenarios in which security is already guaranteed, such as a trusted environment protected against side-channel attacks, the security policy may further include a fourth security policy; when the current security policy is determined to be the fourth security policy, the redundancy algorithm may be turned off, i.e., no redundant operation is required for the plaintext input, which improves encryption efficiency and saves computation resources.
In order to enable those skilled in the art to better understand the technical solution provided by the embodiments of the present application, the technical solution provided by the embodiments of the present application is described below in conjunction with a specific scenario.
For most differential fault attacks, faults (random or non-random, single-bit or single-byte) are usually introduced in the last few rounds of the algorithm. In that case, by analyzing the differences between correct and faulty ciphertexts and combining this with differential analysis, several characteristic paths can be constructed and the key recovered accordingly. If a fault is introduced in an early round of the algorithm, then for most widely used block cipher algorithms the diffusion property of the algorithm itself makes it hard to find a high-probability characteristic path, so the fault is difficult to exploit for effective cryptanalysis, or the analysis becomes harder.
Based on this, when designing the redundant encryption scheme the actual number of rounds run by the redundant algorithm can be shortened: the redundant operation starts from an intermediate round of the algorithm, and the results of the two encryptions (original and redundant) are compared to detect a differential fault attack. Whether the cryptographic module has suffered fault injection can thus be detected while saving as much computation as possible; the implementation flow is shown in fig. 2.
As shown in fig. 2, assume that the total number of encryption rounds of block encryption algorithm X is K. The round keys of each of the K rounds (K round keys in total) are determined by the key schedule algorithm, and K rounds of original encryption are performed on the input plaintext data using the round keys of rounds 1 to K.
The output of round K-S of the original encryption is obtained and used as the input of the redundant encryption (i.e., the input of round K-S+1), and rounds K-S+1 to K of redundant encryption (S rounds in total) are performed on it.
The round keys used by rounds K-S+1 to K of the redundant encryption are the same as those used by rounds K-S+1 to K of the original encryption.
Once the output of round K of the original encryption (denoted ret1) and the output of round K of the redundant encryption (denoted ret2) are obtained, a bitwise exclusive OR of the two is computed, i.e., ret1 ⊕ ret2; if the result is 0, ret1 is output; otherwise, it is determined that an external attack has been detected.
How the number of rounds S of the redundancy algorithm (i.e., the security round number of the redundancy algorithm) is determined so as to be theoretically secure is described below.
The usual practice of a differential fault attack is to introduce random or specific faults in a particular round (the S' round) of the algorithm and to start key recovery from the last round: because the ciphertext is known, all possible input/output values can be screened, and after introducing faults several times the input and output values of the S-boxes are determined, from which the round key of the last round is deduced.
One round can then be decrypted and the key of the penultimate round recovered in the same way, and so on, until the master key is recovered.
Because of the good diffusion of block encryption algorithms, a random fault spreads to as many output bits as possible within a small number of rounds. Once the spread has continued for a certain number of rounds, all bits of the subsequent output are affected by the fault, and it then becomes difficult to find a high-probability characteristic analysis path with the mainstream analysis methods, so that a fault-based attack is difficult to carry out.
Following this reasoning, the degree of nonlinear diffusion of the encryption algorithm can be measured, and a reasonable range for the security round number S of the redundancy algorithm constructed for that algorithm can be given according to the evaluation result.
Such a measure must be reasonable and efficient; in general, for algorithms with better nonlinear diffusion performance, the security round number S of the redundancy algorithm can be set to a smaller value.
In one example, the security round number S of the redundancy algorithm is inversely related to the nonlinear diffusion performance of the encryption algorithm: the better the nonlinear diffusion performance of the encryption algorithm, the smaller S.
For example, the diffusivity of the algorithm may be assessed by means of statistical analysis.
Take as an example measuring the degree of nonlinear diffusion of the encryption algorithm by the degree of avalanche effect and the degree of completeness.
Completeness means that each bit of the encryption function output is associated with all bits of the input. Avalanche effect means that a change in any bit of the input should result in a change in the average half of the bits of the output. The strict avalanche criterion means that a change in any bit of the input should cause a change in each bit of the output with a probability of 1/2.
Let F be a transformation function with an n-bit input and an m-bit output, and let the input vector be x = (x1, x2, …, xn), x_k ∈ {0,1}, k = 1, 2, …, n. Let x^(i), i = 1, 2, …, n, be the input vector obtained by changing only the i-th bit of x. The output vector of x under F is F(x), and the output vector of x^(i) under F is F(x^(i)).
The input variable of F is taken from a sample subset X, and #X denotes the sample capacity of X. Let a_ij = #{x ∈ X | (F(x))_j ≠ (F(x^(i)))_j} denote the number of input vectors x in X for which the j-th bits of the output vectors F(x) and F(x^(i)) differ; the number of input vectors x in X for which the differential Hamming weight between F(x) and F(x^(i)) equals j is counted likewise.
The degree of nonlinear diffusion of the algorithm can be represented by d1, d2, d3 and d4 respectively, where d1 measures the degree of avalanche effect, d2 the degree of completeness, d3 the degree of avalanche effect, and d4 the degree of strict avalanche effect:
d2 = 1 - #{(i,j) | a_ij = 0, i = 1, …, n, j = 1, …, m}/(nm)
For a specific algorithm, randomly select several (>10) groups of keys and, for each group of keys, several (>10000) groups of plaintext data; with the number of encryption rounds (also called iteration rounds) set to L0 (L0 = 1, 2, 3, …), compute the statistics d1, d2, d3 and d4 and check whether, at confidence level α (α = 0.01/0.05), they all fall within the following confidence intervals:
The confidence interval of d1 is:
For d2:
p(d2 = 1) = 1 - 2^(-#X) ≈ 1.000000
The confidence interval of d3 is:
The confidence interval of d4 is:
The number of encryption rounds s at which d1, d2, d3 and d4 all fall within their corresponding confidence intervals is thereby obtained; at s rounds the encryption algorithm satisfies completeness and the avalanche effect.
Taking S ≥ s+2 as the security round number of the redundancy algorithm effectively resists most existing differential fault attacks.
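The two procedures described above, carried through in Python on a toy cipher: the round-by-round measurement of the completeness statistic d2 to obtain s (with S = s + 2), followed by the reduced-round redundant encryption of fig. 2 with the ret1 XOR ret2 check. This is an added example and not the patent's own code; the 16-bit SPN, its key schedule, K = 10, the sample sizes and the seed are all constructed here, and only d2 is computed because its formula is the only one reproduced in the text.

```python
import random

N_BITS = 16     # n = m: block length of the toy cipher (constructed value)
K_ROUNDS = 10   # K: total number of rounds of the toy cipher (constructed value)
# 4-bit S-box (the PRESENT S-box, used here only as a convenient bijective nonlinear layer)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Bit permutation: bit i moves to (4*i) mod 15 and bit 15 stays, so the four output
# bits of one S-box land in four different S-boxes of the next round.
PERM = [(4 * i) % 15 for i in range(15)] + [15]


def round_keys(master: int) -> list:
    """Toy key schedule: rotate the 16-bit master key by 3 and mix in the round index."""
    keys = []
    for r in range(1, K_ROUNDS + 1):
        master = ((master << 3) | (master >> 13)) & 0xFFFF
        keys.append(master ^ r)
    return keys


def one_round(state: int, rk: int) -> int:
    """Round function: round-key XOR, S-box layer, bit permutation (a bijection)."""
    state ^= rk
    sub = 0
    for nib in range(4):
        sub |= SBOX[(state >> (4 * nib)) & 0xF] << (4 * nib)
    out = 0
    for i in range(N_BITS):
        if (sub >> i) & 1:
            out |= 1 << PERM[i]
    return out


def encrypt_rounds(state: int, rks: list, start: int, end: int, fault=None) -> int:
    """Apply rounds start+1 .. end (1-indexed, as in the patent) to `state`.
    `fault=(round_no, bit)` flips one state bit right after that round; it simulates
    a fault injection so that the detection logic can be exercised offline."""
    for r in range(start + 1, end + 1):
        state = one_round(state, rks[r - 1])
        if fault is not None and fault[0] == r:
            state ^= 1 << fault[1]
    return state


def completeness_d2(rks: list, rounds: int, samples: list) -> float:
    """Patent formula: d2 = 1 - #{(i,j) | a_ij = 0} / (n*m), with
    a_ij = #{x in X | F(x)_j != F(x^(i))_j} and F the `rounds`-round reduced cipher."""
    n = m = N_BITS
    a = [[0] * m for _ in range(n)]
    for x in samples:
        fx = encrypt_rounds(x, rks, 0, rounds)
        for i in range(n):
            diff = fx ^ encrypt_rounds(x ^ (1 << i), rks, 0, rounds)
            for j in range(m):
                a[i][j] += (diff >> j) & 1
    zeros = sum(1 for row in a for v in row if v == 0)
    return 1 - zeros / (n * m)


def find_s(master_keys: list, plaintexts: list, l0: int = 1):
    """From round L0 onward, return the first round count s at which d2 lies in its
    confidence interval for every key group; that interval collapses to d2 = 1,
    since p(d2 = 1) = 1 - 2^-#X is practically 1. The N plaintexts are split into
    M parts and each group of keys is assigned one part, as the patent describes."""
    m_keys = len(master_keys)
    groups = [plaintexts[k::m_keys] for k in range(m_keys)]
    for rounds in range(l0, K_ROUNDS + 1):
        if all(completeness_d2(round_keys(mk), rounds, grp) == 1.0
               for mk, grp in zip(master_keys, groups)):
            return rounds
    return None   # diffusion never completed within K rounds


def redundant_encrypt(pt: int, master: int, S: int, fault=None):
    """Fig. 2 flow. Returns the ciphertext, or None when ret1 XOR ret2 != 0 (fault
    detected). A fault in rounds 1..K-S sits in the shared state and is not detected;
    that is the trade-off the patent accepts for faults far from the last round."""
    rks = round_keys(master)
    mid = encrypt_rounds(pt, rks, 0, K_ROUNDS - S, fault)            # rounds 1..K-S
    ret1 = encrypt_rounds(mid, rks, K_ROUNDS - S, K_ROUNDS, fault)   # original, K-S+1..K
    ret2 = encrypt_rounds(mid, rks, K_ROUNDS - S, K_ROUNDS)          # redundant, same keys
    return None if ret1 ^ ret2 else ret1


def demo():
    """Constructed sample: M = 2 groups of keys, N = 2000 plaintexts, fixed seed."""
    rng = random.Random(2023)
    keys = [rng.getrandbits(16) for _ in range(2)]
    pts = [rng.getrandbits(16) for _ in range(2000)]
    s = find_s(keys, pts)             # round count at which d2 reaches 1 for both keys
    S = s + 2                         # security round number of the redundancy algorithm
    pt, master = 0x1234, 0xBEEF
    ct = redundant_encrypt(pt, master, S)
    late = redundant_encrypt(pt, master, S, fault=(K_ROUNDS - 1, 5))   # in rounds K-S+1..K
    early = redundant_encrypt(pt, master, S, fault=(1, 5))             # before round K-S
    return s, S, ct, late, early


if __name__ == "__main__":
    s, S, ct, late, early = demo()
    print(f"s={s} S={S} ct={ct:#06x} late fault detected={late is None} "
          f"early fault detected={early is None}")
```

With this toy cipher d2 is 0.25 after one round (each input bit reaches only one S-box's four output positions) and 1 after two, so S = 4 and the check catches a fault in rounds 7 to 10 but not one in round 1, exactly the behaviour the text argues is acceptable.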
In particular, the number of rounds of the redundancy algorithm can also be adjusted dynamically, i.e., a security policy for the algorithm can be formulated:
a) Security policy one: the normal working state, in which the redundant operation executes S rounds; the specific implementation of the S-round operation is described in the embodiments above.
b) Security policy two: at certain time or operation-count intervals the redundancy algorithm executes the full number of rounds; the rest of the time, or for the remaining operations, the redundant operation executes S rounds.
c) Security policy three: the redundancy algorithm executes the full number of rounds.
d) Security policy four: in a trusted environment protected against side-channel attacks, the redundancy algorithm is turned off.
The method provided by the application is described above. The device provided by the application is described below:
referring to fig. 3, a schematic structural diagram of a redundant encryption optimization apparatus for resisting a differential fault attack according to an embodiment of the present application, as shown in fig. 3, the redundant encryption optimization apparatus for resisting a differential fault attack may include:
an original encryption unit 310, configured to perform original encryption on data to be encrypted using a preset encryption algorithm;
an obtaining unit 320, configured to obtain an output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm; the preset encryption algorithm is a block encryption algorithm, K is the total encryption round number of the preset encryption algorithm, S is the safety round number of a redundant algorithm determined according to the nonlinear diffusion capacity of the preset encryption algorithm, and S is more than 1 and less than K;
a redundant encryption unit 330, configured to use the output of the K-S-th round encryption as the input of the redundant encryption and to sequentially perform the K-S+1-th to K-th round encryption on it, so as to obtain the output of the K-th round encryption of the redundant encryption; the encryption algorithm used by the redundant encryption is the preset encryption algorithm;
and the detecting unit 340 is configured to determine whether a differential fault attack exists according to the output of the original encryption K-th round encryption and the output of the redundant encryption K-th round encryption.
In some embodiments, as shown in fig. 4, the redundant encryption optimization apparatus for resisting the differential fault attack may further include:
a determining unit 350 for determining S by:
randomly selecting M groups of keys and N groups of plaintext data; wherein N > M > 1;
according to the M groups of keys, utilizing the preset encryption algorithm to encrypt the N groups of plaintext data in a reduced round;
starting from the L0-th round, computing the specified statistics of the preset encryption algorithm round by round according to the intermediate encryption value of the plaintext data in each round, to obtain the specified statistics of the preset encryption algorithm for each round, and determining the number of encryption rounds s for which the specified statistics of the preset encryption algorithm satisfy the preset condition; the specified statistics measure the degree of nonlinear diffusion of the preset encryption algorithm; 0 < L0 ≤ s < K;
determining S according to s; where S ≥ s.
In some embodiments, the determining unit 350 performs, according to the M sets of keys, a reduced round encryption on the N sets of plaintext data using the preset encryption algorithm, including:
dividing the N groups of plaintext data into M parts, and respectively distributing the M groups of keys to the M parts;
and for any part of plaintext data, carrying out reduced round encryption on the part of plaintext data by utilizing the preset encryption algorithm according to the distributed secret key.
In some embodiments, the specified statistic includes one or more of d1, d2, d3 and d4; d1 measures the degree of avalanche effect of the preset encryption algorithm, d2 the degree of completeness, d3 the degree of avalanche effect, and d4 the degree of strict avalanche effect;
the determining unit 350 computes the specified statistics of the preset encryption algorithm by:
where the specified statistic includes d1, determining d1 by:
where the specified statistic includes d2, determining d2 by:
d2 = 1 - #{(i,j) | a_ij = 0, i = 1, …, n, j = 1, …, m}/(nm)
where the specified statistic includes d3, determining d3 by:
where the specified statistic includes d4, determining d4 by:
The transformation function F is the reduced-round encryption algorithm of the preset encryption algorithm; the input of F (the block length) is n bits and its output is m bits. The input vector x = (x1, x2, …, xn) is one group of plaintext data among the N groups, x_k ∈ {0,1}, k = 1, 2, …, n; x^(i) is the input vector obtained by changing the i-th bit of x; F(x) is the output vector of x under F, and F(x^(i)) is the output vector of x^(i) under F. The input variable of F is taken from a sample subset X, and #X denotes the sample capacity of X. a_ij = #{x ∈ X | (F(x))_j ≠ (F(x^(i)))_j} is the number of input vectors x in X for which the j-th bits of the output vectors F(x) and F(x^(i)) differ; the number of input vectors x in X for which the differential Hamming weight between F(x) and F(x^(i)) equals j is counted likewise.
In some embodiments, the specified statistic satisfying the preset condition includes: the value of the specified statistic lies in a preset confidence interval;
where the specified statistic includes d1, the confidence interval of d1 is:
where the specified statistic includes d2,
p(d2 = 1) = 1 - 2^(-#X) ≈ 1.0000
E{d2} ≈ 1.0000
where the specified statistic includes d3, the confidence interval of d3 is:
where the specified statistic includes d4, the confidence interval of d4 is:
where E{ } is the expected value, Var{ } is the variance, u follows a one-sided standard normal distribution, and α is the confidence level.
In some embodiments, before obtaining the output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm, the obtaining unit 320 is further configured to:
determining a current security policy;
and under the condition that the current security policy is determined to be the first security policy, determining to execute the operation of acquiring the output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm.
In some embodiments, the redundant encryption unit 330 is further configured to perform the full-round redundancy algorithm operation when the current security policy is determined to be the second security policy and the full-round redundancy algorithm operation time has arrived; when the current security policy is determined to be the second security policy and the full-round redundancy algorithm operation time has not arrived, to use the output of the K-S round encryption in the original encryption process as the input of the redundant encryption and perform the S-round redundancy algorithm operation; and, when the security policy is the second security policy, to determine that the full-round redundancy algorithm operation time has arrived every preset time period or preset number of operations;
and/or,
to perform the full-round redundancy algorithm operation when the current security policy is determined to be the third security policy;
and/or,
in a trusted environment protected against side-channel attacks, to determine the current security policy to be a fourth security policy and turn off the redundancy algorithm.
The embodiment of the application also provides electronic equipment, which comprises a processor and a memory, wherein the memory is used for storing a computer program; and the processor is used for realizing the redundant encryption optimization method for resisting the differential fault attack when executing the programs stored in the memory.
Fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application. The electronic device may include a processor 501, a memory 502 storing machine-executable instructions. The processor 501 and the memory 502 may communicate via a system bus 503. Also, the processor 501 may perform the redundant encryption optimization method described above that is resistant to differential fault attacks by reading and executing machine-executable instructions in the memory 502 that correspond to the redundant encryption optimization logic that is resistant to differential fault attacks.
The memory 502 referred to herein may be any electronic, magnetic, optical, or other physical storage device that may contain or store information, such as executable instructions, data, or the like. For example, a machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., hard drive), a solid state drive, any type of storage disk (e.g., optical disk, DVD, etc.), or a similar storage medium, or a combination thereof.
In some embodiments, a machine-readable storage medium, such as memory 502 in fig. 5, is also provided, having stored therein machine-executable instructions that when executed by a processor implement the redundant encryption optimization method described above to resist differential fault attacks. For example, the machine-readable storage medium may be ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
The embodiments of the present application also provide a computer program product storing a computer program and causing a processor to perform the above-described redundant encryption optimization method against differential fault attacks when the processor executes the computer program.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.

Claims (9)

1. A redundant encryption optimization method for resisting differential fault attack is characterized by comprising the following steps:
obtaining the output of the K-S round encryption in the original encryption process of the data to be encrypted by using a preset encryption algorithm; the preset encryption algorithm is a block encryption algorithm, K is the total encryption round number of the preset encryption algorithm, S is the safety round number of a redundant algorithm determined according to the nonlinear diffusion capacity of the preset encryption algorithm, and S is more than 1 and less than K;
taking the output of the K-S round encryption as the input of redundant encryption, sequentially carrying out K-S+1 round encryption to the K round encryption on the output of the K-S round encryption to obtain the output of the K round encryption of redundant encryption; the encryption algorithm used by the redundant encryption is the preset encryption algorithm;
determining whether differential fault attack exists according to the output of the original encryption K round encryption and the output of the redundant encryption K round encryption;
Wherein S is determined by:
randomly selecting M groups of keys and N groups of plaintext data; wherein N > M > 1;
according to the M groups of keys, utilizing the preset encryption algorithm to encrypt the N groups of plaintext data in a reduced round;
starting from the L0-th round, computing the specified statistics of the preset encryption algorithm round by round according to the intermediate encryption value of the plaintext data in each round, to obtain the specified statistics of the preset encryption algorithm in each round, and determining the number of encryption rounds s for which the specified statistics of the preset encryption algorithm satisfy the preset condition; the specified statistics measure the degree of nonlinear diffusion of the preset encryption algorithm; 0 < L0 ≤ s < K;
determining S according to s; where S ≥ s.
2. The method of claim 1, wherein said reducing the number of plaintext data sets according to the M sets of keys using the predetermined encryption algorithm comprises:
dividing the N groups of plaintext data into M parts, and respectively distributing the M groups of keys to the M parts;
and for any part of plaintext data, carrying out reduced round encryption on the part of plaintext data by utilizing the preset encryption algorithm according to the distributed secret key.
3. The method of claim 1, wherein the specified statistic comprises one or more of d_1, d_2, d_3 and d_4; d_1 is used for measuring the avalanche effect degree of the preset encryption algorithm, d_2 for measuring the completeness degree of the preset encryption algorithm, d_3 for measuring the avalanche effect degree of the preset encryption algorithm, and d_4 for measuring the strict avalanche effect degree of the preset encryption algorithm;
the carrying out statistics of the specified statistic on the preset encryption algorithm comprises:
where the specified statistic includes d_1, d_1 is determined by:
where the specified statistic includes d_2, d_2 is determined by:
d_2 = 1 − #{(i, j) | a_ij = 0, i = 1, …, n, j = 1, …, m} / (nm)
where the specified statistic includes d_3, d_3 is determined by:
where the specified statistic includes d_4, d_4 is determined by:
wherein the transformation function F is a reduced round encryption algorithm of the preset encryption algorithm, the input of F is n bits, n being the block length of the preset encryption algorithm, and the output of F is m bits; the input vector x = (x_1, x_2, …, x_n) is one group of plaintext data among the N groups of plaintext data, x_k ∈ {0, 1}, k = 1, 2, …, n; x^(i) is the input vector obtained after the i-th bit of x is flipped; the output vector of the input vector x transformed by the transformation function F is F(x), and the output vector of the input vector x^(i) transformed by the transformation function F is F(x^(i)); the input variable of F is taken from a sample subset X, and #X represents the sample capacity of the sample subset X; a_ij = #{x ∈ X | (F(x))_j ≠ (F(x^(i)))_j} represents the number of input vectors x in X for which the j-th bits of the output vectors corresponding to x and x^(i) differ; the companion count represents the number of input vectors x in X for which the differential Hamming weight between the output vectors corresponding to x and x^(i) is j.
4. The method according to claim 3, wherein the specified statistic meeting the preset condition comprises: the value of the specified statistic lies within a preset confidence interval;
wherein, where the specified statistic includes d_1, the confidence interval of d_1 is:
where the specified statistic includes d_2, the confidence interval of d_2 is:
p(d_2 = 1) = 1 − 2^(−#X) ≈ 1.0000
E{d_2} ≈ 1.0000
where the specified statistic includes d_3, the confidence interval of d_3 is:
where the specified statistic includes d_4, the confidence interval of d_4 is:
wherein E{·} is the expected value, Var{·} is the variance, u obeys a one-sided standard normal distribution, Var{u} = 1, and α is the confidence level.
5. The method according to claim 1, wherein before the obtaining the output of the K-S round of encryption in the original encryption process of the data to be encrypted using the preset encryption algorithm, the method further comprises:
Determining a current security policy;
and under the condition that the current security policy is determined to be the first security policy, determining to execute the operation of acquiring the output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm.
6. The method of claim 5, wherein the method further comprises:
executing a full-round redundancy algorithm operation under the condition that the current security policy is determined to be the second security policy and the timing for the full-round redundancy algorithm operation is reached; under the condition that the current security policy is determined to be the second security policy and the timing for the full-round redundancy algorithm operation is not reached, taking the output of the K-S round encryption in the original encryption process as the input of the redundant encryption, and executing an S-round redundancy algorithm operation; under the second security policy, the timing for the full-round redundancy algorithm operation is determined to be reached every preset time period or every preset number of operations;
and/or,
executing a full-round redundancy algorithm operation under the condition that the current security policy is determined to be the third security policy;
and/or,
in an environment trusted to be protected against side channel attack, determining the current security policy to be a fourth security policy, and disabling the redundancy algorithm;
The security requirement of the application environment of the third security policy is higher than the security requirement of the application environment of the second security policy, and the security requirement of the application environment of the second security policy is higher than the security requirement of the application environment of the first security policy.
7. A redundant encryption optimization apparatus that resists differential fault attacks, comprising:
the original encryption unit is used for carrying out original encryption on the data to be encrypted by utilizing a preset encryption algorithm;
the acquisition unit is used for acquiring the output of the K-S round encryption in the original encryption process of the data to be encrypted by utilizing the preset encryption algorithm; the preset encryption algorithm is a block encryption algorithm, K is the total encryption round number of the preset encryption algorithm, S is the safety round number of a redundant algorithm determined according to the nonlinear diffusion capacity of the preset encryption algorithm, and S is more than 1 and less than K;
the redundancy encryption unit is used for taking the output of the K-S round encryption as the input of redundancy encryption, and sequentially carrying out K-S+1 round encryption to the K round encryption on the output of the K-S round encryption to obtain the output of the K round encryption of redundancy encryption; the encryption algorithm used by the redundant encryption is the preset encryption algorithm;
The detection unit is used for determining whether differential fault attack exists according to the output of the original encryption K round encryption and the output of the redundant encryption K round encryption;
wherein the apparatus further comprises:
a determining unit for determining S by:
randomly selecting M groups of keys and N groups of plaintext data; wherein N > M > 1;
according to the M groups of keys, utilizing the preset encryption algorithm to encrypt the N groups of plaintext data in a reduced round;
starting from the L_0-th round, carrying out statistics of a specified statistic on the preset encryption algorithm round by round according to the encryption intermediate value of the plaintext data in each round, obtaining the specified statistic of the preset encryption algorithm in each round, and determining the number s of encryption rounds at which the specified statistic of the preset encryption algorithm meets a preset condition; the specified statistic is used for measuring the nonlinear diffusion degree of the preset encryption algorithm; 0 < L_0 ≤ s < K;
determining S according to s; wherein S is greater than or equal to s.
8. The apparatus of claim 7, wherein:
the determining unit performing reduced round encryption on the N groups of plaintext data by using the preset encryption algorithm according to the M groups of keys comprises:
dividing the N groups of plaintext data into M parts, and respectively assigning the M groups of keys to the M parts;
for any part of the plaintext data, carrying out reduced round encryption on that part of the plaintext data by using the preset encryption algorithm according to the assigned key;
wherein the specified statistic comprises one or more of d_1, d_2, d_3 and d_4; d_1 is used for measuring the avalanche effect degree of the preset encryption algorithm, d_2 for measuring the completeness degree of the preset encryption algorithm, d_3 for measuring the avalanche effect degree of the preset encryption algorithm, and d_4 for measuring the strict avalanche effect degree of the preset encryption algorithm;
the determining unit carrying out statistics of the specified statistic on the preset encryption algorithm comprises:
where the specified statistic includes d_1, d_1 is determined by:
where the specified statistic includes d_2, d_2 is determined by:
d_2 = 1 − #{(i, j) | a_ij = 0, i = 1, …, n, j = 1, …, m} / (nm)
where the specified statistic includes d_3, d_3 is determined by:
where the specified statistic includes d_4, d_4 is determined by:
wherein the transformation function F is a reduced round encryption algorithm of the preset encryption algorithm, the input of F is n bits, n being the block length of the preset encryption algorithm, and the output of F is m bits; the input vector x = (x_1, x_2, …, x_n) is one group of plaintext data among the N groups of plaintext data, x_k ∈ {0, 1}, k = 1, 2, …, n; x^(i) is the input vector obtained after the i-th bit of x is flipped; the output vector of the input vector x transformed by the transformation function F is F(x), and the output vector of the input vector x^(i) transformed by the transformation function F is F(x^(i)); the input variable of F is taken from a sample subset X, and #X represents the sample capacity of the sample subset X; a_ij = #{x ∈ X | (F(x))_j ≠ (F(x^(i)))_j} represents the number of input vectors x in X for which the j-th bits of the output vectors corresponding to x and x^(i) differ; the companion count represents the number of input vectors x in X for which the differential Hamming weight between the output vectors corresponding to x and x^(i) is j;
wherein the specified statistic meeting the preset condition comprises: the value of the specified statistic lies within a preset confidence interval;
wherein, where the specified statistic includes d_1, the confidence interval of d_1 is:
where the specified statistic includes d_2, the confidence interval of d_2 is:
p(d_2 = 1) = 1 − 2^(−#X) ≈ 1.0000
E{d_2} ≈ 1.0000
where the specified statistic includes d_3, the confidence interval of d_3 is:
where the specified statistic includes d_4, the confidence interval of d_4 is:
wherein E{·} is the expected value, Var{·} is the variance, u obeys a one-sided standard normal distribution, Var{u} = 1, and α is the confidence level;
and/or,
the obtaining unit is further configured to, before obtaining the output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm:
Determining a current security policy;
under the condition that the current security policy is determined to be the first security policy, determining to execute the operation of obtaining the output of the K-S round encryption in the original encryption process of the data to be encrypted by using the preset encryption algorithm;
the redundancy encryption unit is further configured to execute a full-round redundancy algorithm operation under the condition that the current security policy is determined to be the second security policy and the timing for the full-round redundancy algorithm operation is reached; under the condition that the current security policy is determined to be the second security policy and the timing for the full-round redundancy algorithm operation is not reached, taking the output of the K-S round encryption in the original encryption process as the input of the redundant encryption, and executing an S-round redundancy algorithm operation; under the second security policy, the timing for the full-round redundancy algorithm operation is determined to be reached every preset time period or every preset number of operations;
and/or,
executing a full-round redundancy algorithm operation under the condition that the current security policy is determined to be the third security policy;
and/or,
in an environment trusted to be protected against side channel attack, determining the current security policy to be a fourth security policy, and disabling the redundancy algorithm;
The security requirement of the application environment of the third security policy is higher than the security requirement of the application environment of the second security policy, and the security requirement of the application environment of the second security policy is higher than the security requirement of the application environment of the first security policy.
9. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor for executing the machine executable instructions to implement the method of any one of claims 1-6.
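The procedure of claims 1 to 4 and 7 to 8 carried end to end, as an added example that is not the patent's own code: a toy 16-bit SPN (an assumption, built from the PRESENT S-box and a PRESENT-style bit permutation) stands in for the preset block encryption algorithm, `safety_rounds` evaluates d_2 round by round from L_0 to find s, and `encrypt_with_check` keeps the round K-S output, recomputes only the last S rounds and compares the two round-K outputs. All function and variable names, the cipher, the key and plaintext values and the fault model are assumptions of this example; of the four statistics only d_2 is implemented, with the preset condition taken as d_2 = 1 to match the page's E{d_2} ≈ 1.0000.

```python
import random

# Toy 16-bit SPN standing in for the claims' "preset block encryption algorithm"
# (an assumption of this example, not the patent's cipher): each round is key
# XOR, four PRESENT S-boxes and a PRESENT-style bit permutation.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PERM = [(4 * i) % 15 if i < 15 else 15 for i in range(16)]  # bit i -> PERM[i]
BLOCK_BITS = 16  # n = m = block length of the toy cipher

def round_fn(state, rk):
    state ^= rk
    state = sum(SBOX[(state >> (4 * q)) & 0xF] << (4 * q) for q in range(4))
    return sum(((state >> i) & 1) << PERM[i] for i in range(BLOCK_BITS))

def encrypt_rounds(rks, x):
    """Reduced-round encryption with the given round keys: the claims' F."""
    for rk in rks:
        x = round_fn(x, rk)
    return x

def completeness_d2(F, n, m, samples):
    """d_2 = 1 - #{(i, j) | a_ij = 0} / (nm), with a_ij the number of samples
    (rks, x) in X for which bit j of F(rks, x) and F(rks, x^(i)) differ."""
    a = [[0] * m for _ in range(n)]
    for rks, x in samples:
        fx = F(rks, x)
        for i in range(n):
            diff = fx ^ F(rks, x ^ (1 << i))  # x^(i): bit i of x flipped
            for j in range(m):
                a[i][j] += (diff >> j) & 1
    zeros = sum(1 for i in range(n) for j in range(m) if a[i][j] == 0)
    return 1 - zeros / (n * m)

def safety_rounds(K, L0, seed=2023, M=4, N=256):
    """Claim 1's determination of s: N random plaintexts divided among M random
    keys, d_2 of the r-round cipher evaluated for r = L0, L0+1, ..., and s the
    first r meeting the preset condition, taken as d_2 = 1 (E{d_2} ~ 1.0000)."""
    rng = random.Random(seed)
    keys = [[rng.getrandbits(BLOCK_BITS) for _ in range(K)] for _ in range(M)]
    samples = [(keys[t % M], rng.getrandbits(BLOCK_BITS)) for t in range(N)]
    d2_by_round = {}
    for r in range(L0, K):
        F = lambda rks, x, r=r: encrypt_rounds(rks[:r], x)
        d2_by_round[r] = completeness_d2(F, BLOCK_BITS, BLOCK_BITS, samples)
        if d2_by_round[r] >= 1.0:
            return r, d2_by_round  # s and the d_2 history
    return None, d2_by_round

def encrypt_with_check(pt, rks, S, fault=None):
    """Original K-round encryption with the partial redundancy check: the round
    K-S output is kept, rounds K-S+1..K are recomputed from it and the two
    round-K outputs compared. fault=(r, mask) XORs mask into the original state
    after round r (constructed, to exercise the detector). Returns (ct, ok)."""
    K = len(rks)
    state = checkpoint = pt  # S == K degenerates to full-round redundancy
    for r in range(1, K + 1):
        state = round_fn(state, rks[r - 1])
        if fault is not None and fault[0] == r:
            state ^= fault[1]
        if r == K - S:
            checkpoint = state
    redundant = encrypt_rounds(rks[K - S:], checkpoint)  # S rounds, not K
    return state, state == redundant

if __name__ == "__main__":
    K, rks = 6, [0x1234, 0xABCD, 0x0F0F, 0x5A5A, 0x9999, 0x3C3C]  # constructed
    s, hist = safety_rounds(K, L0=1)  # S = s is the smallest admissible choice
    print("s =", s, "d_2 by round:", hist)
    print("fault in round K:", encrypt_with_check(0x4242, rks, s, fault=(K, 1)))
```

With the toy cipher one input bit reaches 4 output bits after one round and all 16 after two, so d_2 rises from 0.25 to 1.0 and s = 2; a fault injected before round K-S lands in the shared prefix and is not seen by the check, which is why the claims tie S to the algorithm's diffusion rather than picking it freely.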
CN202310517739.9A 2023-05-09 2023-05-09 Redundant encryption optimization method, device and equipment for resisting differential fault attack Active CN116232561B (en)
Publications (2)

Publication Number Publication Date
CN116232561A CN116232561A (en) 2023-06-06
CN116232561B true CN116232561B (en) 2023-08-25

Family

ID=86591470

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010045843A1 (en) * 2008-10-23 2010-04-29 国民技术股份有限公司 An aes encryption method of anti-differential power attack
CN110299988A (en) * 2019-07-01 2019-10-01 中国人民解放军战略支援部队信息工程大学 The detection method and detection device of lightweight block cipher anti-attack ability
CN111224770A (en) * 2019-12-25 2020-06-02 中国科学院软件研究所 Comprehensive protection method for resisting side channel and fault attack based on threshold technology
CN111555862A (en) * 2020-05-13 2020-08-18 华南师范大学 White-box AES implementation method of random redundancy round function based on mask protection
CN112187444A (en) * 2020-09-02 2021-01-05 中国科学院软件研究所 Comprehensive protection method for resisting side channel and fault attack
CN113206734A (en) * 2021-04-30 2021-08-03 桂林电子科技大学 Method for detecting and resisting differential fault attack
CN115714641A (en) * 2022-11-08 2023-02-24 东华大学 Method for detecting SATURNIN cryptographic algorithm to resist impossible differential fault attack
CN115883064A (en) * 2022-11-23 2023-03-31 湘潭大学 Bypass attack resisting method based on SM3 password hash algorithm

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11227071B2 (en) * 2017-03-20 2022-01-18 Nanyang Technological University Hardware security to countermeasure side-channel attacks
KR20210058300A (en) * 2019-11-14 2021-05-24 한국전자통신연구원 White-box encryption method for prevention of fault injection attack and apparatus therefor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谢敏. Differential Fault Attack on GOST. 2021, full text. *
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant