CN116614217A - Data processing method, key expansion method, device, equipment and storage medium - Google Patents

Info

Publication number
CN116614217A
Authority
CN
China
Prior art keywords
sbox
round
masking
input
mask
Prior art date
Legal status
Pending
Application number
CN202310588950.XA
Other languages
Chinese (zh)
Inventor
顾海华
Current Assignee
Haiguang Information Technology Co Ltd
Original Assignee
Haiguang Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the application provide a data processing method, a key expansion method, a device, equipment and a storage medium. The data processing method comprises the following steps: obtaining data to be processed, where the data is processed by a cryptographic algorithm comprising iterative multi-round operations; in the current round of operation, determining the masked Sbox input and mapping it to a finite composite field, where the masked Sbox input is the result of adding a first mask to the Sbox input; inputting the masked Sbox input, mapped to the finite composite field, into a pre-constructed mask function for operation to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output; determining the operation result of the current round from the masked Sbox output; and determining the processing result of the data to be processed from the operation result of the last round. The embodiments can provide a safe and reliable defense against power consumption analysis while reducing the hardware implementation area.

Description

Data processing method, key expansion method, device, equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of data encryption and decryption, in particular to a data processing method, a key expansion method, a device, equipment and a storage medium.
Background
When data is encrypted or decrypted, a key of a cryptographic algorithm is needed; the cryptographic algorithm may be any algorithm for encrypting and decrypting data, such as the SM4 algorithm or the AES (Advanced Encryption Standard) algorithm.
The key of a cryptographic algorithm may be cracked by power consumption analysis, that is, by analysing the power consumption data emitted while the cryptographic algorithm runs. In order to reduce the probability that the key is broken by power consumption analysis, it is necessary to defend against power consumption analysis during the encryption or decryption of data. In this context, how to provide a data processing scheme that defends against power consumption analysis is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In view of this, the embodiments of the present application provide a data processing method, a key expansion method, a device, an apparatus, and a storage medium, so as to provide a data processing scheme for defending against power consumption analysis, and improve defending performance of power consumption analysis.
In order to achieve the above purpose, the embodiment of the present application provides the following technical solutions.
In a first aspect, an embodiment of the present application provides a data processing method, including:
obtaining data to be processed, where the data to be processed is processed using a cryptographic algorithm comprising iterative multi-round operations;
in the current round of operation, determining the masked Sbox input and mapping the masked Sbox input to a finite composite field; the masked Sbox input is the result of adding a first mask to the Sbox input, the masked Sbox input is determined according to the input state word of the current round and the round key, and the first mask has been added to the input state word of the current round;
inputting the masked Sbox input, mapped to the finite composite field, into a pre-constructed mask function for operation to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output; the mask function is used to compute the Sbox output corresponding to the Sbox operation and to convert the first mask in the masked Sbox input into the second mask in the masked Sbox output;
determining the operation result of the current round of operation according to the masked Sbox output;
and determining the processing result of the data to be processed according to the operation result of the last round of operation.
In a second aspect, an embodiment of the present application provides a key expansion method, which is used to provide, for the data processing method of the first aspect, the masked round key corresponding to each round of operation, where the masked round key of a round is the result of adding a mask random number to the round key of that round; the key expansion method comprises the following steps:
acquiring a master key, where the master key is expanded into round keys using a key expansion algorithm comprising iterative multi-round key expansion operations;
in the current round of key expansion operation, determining the masked Sbox input and mapping the masked Sbox input to a finite composite field; the masked Sbox input is the result of adding a third mask to the Sbox input, the masked Sbox input is determined according to the input key word and the round constant of the current round of key expansion operation, and the third mask has been added to the input key word of the current round;
inputting the masked Sbox input, mapped to the finite composite field, into a pre-constructed mask function for operation to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output; the mask function is used to compute the Sbox output corresponding to the Sbox operation and to convert the third mask in the masked Sbox input into the second mask in the masked Sbox output;
and determining the masked round key output by the current round of key expansion operation according to the masked Sbox output.
In a third aspect, an embodiment of the present application provides a data processing apparatus, including:
a data acquisition module for acquiring data to be processed, where the data to be processed is processed using a cryptographic algorithm comprising iterative multi-round operations;
a first input determining module for determining, in the current round of operation, the masked Sbox input and mapping the masked Sbox input to a finite composite field; the masked Sbox input is the result of adding a first mask to the Sbox input, the masked Sbox input is determined according to the input state word of the current round and the round key, and the first mask has been added to the input state word of the current round;
a first output determining module for inputting the masked Sbox input, mapped to the finite composite field, into a pre-constructed mask function for operation so as to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output; the mask function is used to compute the Sbox output corresponding to the Sbox operation and to convert the first mask in the masked Sbox input into the second mask in the masked Sbox output;
an operation result determining module for determining the operation result of the current round of operation according to the masked Sbox output;
and a processing result determining module for determining the processing result of the data to be processed according to the operation result of the last round of operation.
In a fourth aspect, an embodiment of the present application provides a key expansion device, which is configured to provide, for the data processing apparatus of the third aspect, the masked round key corresponding to each round of operation, where the masked round key of a round is the result of adding a mask random number to the round key of that round; the key expansion device includes:
a master key acquisition module for acquiring a master key, where the master key is expanded into round keys using a key expansion algorithm comprising iterative multi-round key expansion operations;
a second input determining module for determining, in the current round of key expansion operation, the masked Sbox input and mapping the masked Sbox input to a finite composite field; the masked Sbox input is the result of adding a third mask to the Sbox input, the masked Sbox input is determined according to the input key word and the round constant of the current round of key expansion operation, and the third mask has been added to the input key word of the current round;
a second output determining module for inputting the masked Sbox input, mapped to the finite composite field, into a pre-constructed mask function for operation so as to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output; the mask function is used to compute the Sbox output corresponding to the Sbox operation and to convert the third mask in the masked Sbox input into the second mask in the masked Sbox output;
and a masked round key determining module for determining the masked round key output by the current round of key expansion operation according to the masked Sbox output.
In a fifth aspect, embodiments of the present application provide a computer device comprising at least one processor and at least one memory storing one or more computer executable instructions, the processor invoking the one or more computer executable instructions to perform a data processing method as described in the first aspect and/or a key expansion method as described in the second aspect.
In a sixth aspect, embodiments of the present application provide a storage medium storing one or more computer-executable instructions that, when executed, implement a data processing method as described in the first aspect and/or a key expansion method as described in the second aspect.
The data processing method provided by the embodiments of the application processes the data to be processed with a cryptographic algorithm comprising iterative multi-round operations. In order to defend against power consumption analysis during data processing and improve the defense performance, the embodiments determine, in each round of the cryptographic algorithm, the masked Sbox input, which is the result of adding a first mask to the Sbox input; the masked Sbox input is determined from the input state word of the round and the round key, where the input state word of the round already carries the first mask. Sbox operation and mask conversion in each round are realised by constructing a mask function. Thus, in the current round, the masked Sbox input is fed into the mask function, the masked Sbox output is obtained by the Sbox operation and mask conversion inside the mask function, and the operation result of the current round is then determined from the masked Sbox output. The masked Sbox output is the result of adding a second mask to the Sbox output; that is, the mask function computes the Sbox output corresponding to the Sbox operation and converts the first mask of the masked Sbox input into the second mask of the masked Sbox output, so that on top of implementing the Sbox operation it adds the second mask to the Sbox output and yields an Sbox output protected by the second mask.
Furthermore, when the last round of the cryptographic algorithm has been performed, the processing result of the data to be processed is determined from the operation result of the last round, which completes the processing of the data by the cryptographic algorithm.
It can be seen that, in the embodiments of the application, the Sbox operation is contained in the mask function of each round, so that the Sbox operation need not be implemented as an Sbox lookup table and the hardware implementation area is reduced; meanwhile, mask protection exists at the input (the masked Sbox input) and the output (the masked Sbox output) of the mask function and throughout the computation of the mask function, so that power consumption analysis is effectively defended against and the probability that the key of the cryptographic algorithm is cracked by power consumption analysis is reduced. In summary, the data processing method maps the Sbox operation of the cryptographic algorithm to a finite composite field for computation, contains the Sbox operation in the mask function of each round, and keeps mask protection on the input, output and intermediate computation of the mask function; therefore the embodiments can provide a safe and reliable defense against power consumption analysis while reducing the hardware implementation area, and improve the power-analysis defense performance of the data processing scheme.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is an exemplary diagram of the operation of the SM4 algorithm.
Fig. 2 is an example diagram of a Sbox look-up table.
Fig. 3 is a flowchart of a data processing method according to an embodiment of the present application.
Fig. 4 is an exemplary diagram of a preset multiplication matrix according to an embodiment of the present application.
Fig. 5 is another flowchart of a data processing method according to an embodiment of the present application.
Fig. 6 is an exemplary diagram of a data processing method according to an embodiment of the present application.
Fig. 7 is a flowchart of a key expansion method according to an embodiment of the present application.
Fig. 8 is an exemplary diagram of a key expansion method according to an embodiment of the present application.
Fig. 9A is a block diagram of a data processing apparatus according to an embodiment of the present application.
Fig. 9B is a block diagram of a key expansion device according to an embodiment of the present application.
Fig. 10 is a block diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In order to facilitate understanding that the key of the cryptographic algorithm is broken by the power consumption analysis means, the operation process of the cryptographic algorithm is described below by taking the SM4 algorithm as an example. It should be noted that the cryptographic algorithms such as SM4 algorithm may be applied to a data encryption/decryption scenario, for example, encryption/decryption of disk data, encryption/decryption of transmission data, and the like.
The SM4 algorithm is a block cipher with a block size of 128 bits. It comprises an encryption algorithm, a decryption algorithm and a key expansion algorithm; the encryption algorithm consists of multiple rounds of encryption operation, the decryption algorithm of multiple rounds of decryption operation, and the key expansion algorithm generates the round keys used by each round of encryption and decryption. In SM4, both the encryption algorithm and the key expansion algorithm use a 32-round nonlinear iterative structure, and the encryption and decryption algorithms share the same round-key structure and algorithm structure (both are 32 rounds of operation); they differ only in that the order of the round keys is reversed. That is, the decryption algorithm is identical in structure to the encryption algorithm but uses the round keys of the encryption algorithm in reverse order.
Taking the SM4 encryption algorithm as an example, fig. 1 shows an exemplary diagram of the SM4 operation procedure. As shown in fig. 1, the input of the SM4 algorithm is the plaintext X; after 32 rounds of iterative encryption operation and one reverse-order transformation, the ciphertext Y is output. Since the block size of SM4 is 128 bits, the plaintext X and the ciphertext Y may each be 128 bits.
In the 32 rounds of iterative encryption operation, each round requires a round key generated by the key expansion algorithm, and the output of the previous round, after the encryption operation with the round key of the current round, gives the output of the current round; the round keys are derived by the key expansion algorithm from an input master key, which may also be 128 bits long.
Referring to fig. 1, a round of encryption operation may be implemented using a round function $F$. In the $(i+1)$-th round, the input of the round function $F$ is $(X_i, X_{i+1}, X_{i+2}, X_{i+3})$, the output is $(X_{i+1}, X_{i+2}, X_{i+3}, X_{i+4})$, and the round key used in the $(i+1)$-th round is $rk_i$; here $i$ is an integer from 0 to 31, so $i+1$ is an integer from 1 to 32.
Specifically, in round 1 the input of $F$ is the plaintext $(X_0, X_1, X_2, X_3)$ and, after the encryption operation with round key $rk_0$, $F$ outputs $(X_1, X_2, X_3, X_4)$; in round 2 the input of $F$ is $(X_1, X_2, X_3, X_4)$ and, after the encryption operation with round key $rk_1$, $F$ outputs $(X_2, X_3, X_4, X_5)$; and so on, until in round 32 the input of $F$ is $(X_{31}, X_{32}, X_{33}, X_{34})$ and, after the encryption operation with round key $rk_{31}$, $F$ outputs $(X_{32}, X_{33}, X_{34}, X_{35})$.
The output of round 32, $(X_{32}, X_{33}, X_{34}, X_{35})$, passes through the reverse-order transformation $R$ to give the ciphertext $Y$, which may be written $(Y_0, Y_1, Y_2, Y_3)$. In one implementation example, the reverse-order transformation may be expressed as: $(Y_0, Y_1, Y_2, Y_3) = R(X_{32}, X_{33}, X_{34}, X_{35}) = (X_{35}, X_{34}, X_{33}, X_{32})$.
It can be seen that one round of encryption computes the next new state word: in the $(i+1)$-th round, the round function $F$ applied to the input $(X_i, X_{i+1}, X_{i+2}, X_{i+3})$ computes the next state word $X_{i+4}$ and thus outputs $(X_{i+1}, X_{i+2}, X_{i+3}, X_{i+4})$. Optionally, the next new state word $X_{i+4}$ may be:
$X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i)$, where $F$ denotes the round function.
That is, in the $(i+1)$-th round the input $(X_i, X_{i+1}, X_{i+2}, X_{i+3})$ of the round function $F$, combined with the round key $rk_i$, yields the new state word $X_{i+4}$.
Further, $F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i)$ can be expressed as:
where $T$ is a composite operation: $T$ is composed of a nonlinear transformation $\tau$ and a linear transformation $L$, and may be expressed as $T(\cdot) = L(\tau(\cdot))$.
As shown in fig. 1, in one implementation example the linear transformation $L$ may be represented as:
where $<<<$ denotes a 32-bit cyclic left shift operation and $\oplus$ denotes a 32-bit exclusive-or operation.
For the nonlinear transformation $\tau$, $\tau$ may include several parallel Sbox (substitution box) operations. As shown in fig. 1, $\tau$ may include 4 parallel Sbox operations; in one implementation example, assuming the input of $\tau$ is $E = (e_0, e_1, e_2, e_3)$, $\tau(E)$ may be expressed as:
$\tau(E) = (Sbox(e_0), Sbox(e_1), Sbox(e_2), Sbox(e_3))$.
In each round of a cryptographic algorithm such as SM4, as one implementation example, the nonlinear transformation $\tau$ may be implemented by looking up an Sbox lookup table. For each Sbox operation, the upper 4 bits of the 8-bit Sbox input select the row and the lower 4 bits select the column, and the table entry at that row and column is the Sbox output. Fig. 2 illustrates an example Sbox lookup table.
The above describes the SM4 encryption algorithm. Since the SM4 decryption algorithm is the inverse of the encryption algorithm and uses the round keys of the encryption algorithm in reverse order, e.g. $(rk_{31}, rk_{30}, \ldots, rk_0)$, the decryption algorithm can be derived from the description of the encryption algorithm above and is not explained here.
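The SM4 round structure described above (32 applications of the round function $F$, $T = L(\tau(\cdot))$ with four parallel Sboxes, and the reverse-order transformation $R$), as an added example that is not part of the patent text. It assumes the standard SM4 definitions $X_{i+4} = X_i \oplus T(X_{i+1} \oplus X_{i+2} \oplus X_{i+3} \oplus rk_i)$ and $L(B) = B \oplus (B <<< 2) \oplus (B <<< 10) \oplus (B <<< 18) \oplus (B <<< 24)$, whose formulas on this page were images; the Sbox is a placeholder permutation standing in for the table of fig. 2, and the round keys are constructed constants in place of key-expansion output. What it exercises is the structural fact stated in the text: the same rounds run with the round keys in reverse order undo encryption.

```python
"""Added example (not from the patent): the SM4 round structure of fig. 1.
Assumed standard definitions: X[i+4] = X[i] ^ T(X[i+1] ^ X[i+2] ^ X[i+3] ^ rk[i]),
T = L(tau(.)), L(B) = B ^ B<<<2 ^ B<<<10 ^ B<<<18 ^ B<<<24.
The Sbox below is a PLACEHOLDER permutation, not the SM4 table of fig. 2, and
the round keys are constructed constants instead of key-expansion output."""

MASK32 = 0xFFFFFFFF

# PLACEHOLDER Sbox: odd multiplier mod 256 plus a constant is a bijection on bytes
PLACEHOLDER_SBOX = [((x * 0x55) ^ 0xC3) & 0xFF for x in range(256)]

# constructed round keys rk_0 .. rk_31 (stand-ins for the key-expansion output)
ROUND_KEYS = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(32)]


def rotl32(v: int, n: int) -> int:
    """32-bit cyclic left shift (the <<< of the linear transformation)."""
    return ((v << n) | (v >> (32 - n))) & MASK32


def tau(word: int) -> int:
    """Nonlinear transformation: four parallel Sbox operations, one per byte."""
    return int.from_bytes(bytes(PLACEHOLDER_SBOX[b] for b in word.to_bytes(4, "big")), "big")


def L(b: int) -> int:
    """Linear transformation (assumed standard SM4 rotation amounts)."""
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)


def T(word: int) -> int:
    """Composite operation T = L(tau(.))."""
    return L(tau(word))


def F(x0: int, x1: int, x2: int, x3: int, rk: int) -> int:
    """Round function: computes the next state word X_{i+4}."""
    return x0 ^ T(x1 ^ x2 ^ x3 ^ rk)


def sm4_rounds(block: bytes, round_keys) -> bytes:
    """32 rounds on (X0..X3) producing X4..X35, then the reverse-order
    transformation R(X32, X33, X34, X35) = (X35, X34, X33, X32)."""
    X = [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(4)]
    for rk in round_keys:
        X.append(F(X[-4], X[-3], X[-2], X[-1], rk))
    Y = (X[35], X[34], X[33], X[32])
    return b"".join(y.to_bytes(4, "big") for y in Y)


def encrypt(plaintext: bytes, round_keys=ROUND_KEYS) -> bytes:
    return sm4_rounds(plaintext, round_keys)


def decrypt(ciphertext: bytes, round_keys=ROUND_KEYS) -> bytes:
    """Same structure; only the round-key order is reversed (rk_31 ... rk_0)."""
    return sm4_rounds(ciphertext, list(reversed(round_keys)))


if __name__ == "__main__":
    pt = bytes(range(16))
    ct = encrypt(pt)
    print("ciphertext:", ct.hex())
    print("round trip ok:", decrypt(ct) == pt)
```

Because $F$ only ever XORs $T(\cdot)$ onto the oldest state word, the round trip holds for any bijective or even non-bijective $T$; that is why the placeholder Sbox suffices to exercise the structure, and why replacing it with the real table of fig. 2 (or with a masked Sbox) changes nothing about the round iteration itself.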
Cryptographic algorithms such as SM4 emit power consumption data while running, so an attacker can crack the key by power consumption analysis, and the key is at risk of being cracked and disclosed. For example, an attacker may collect the power consumption data emitted during multiple runs of the cryptographic algorithm, plot the data of each run as a power consumption curve, align the data of the multiple runs using common features of the curves (for example, the power consumption peaks), amplify the key-dependent features by statistical analysis, and so crack the key of the cryptographic algorithm.
Taking SM4 as an example, an attacker performing power consumption analysis runs the SM4 algorithm many times and collects the power consumption data of each run; the attacker then plots this data as power consumption curves and aligns the data using common features of the curves. For example, when SM4 performs the Sbox operation its power consumption shows a peak, so the power consumption data of the Sbox operation can be aligned across runs using that peak; the attacker can then amplify the power consumption features related to the SM4 key by statistical analysis and crack the key.
In order to reduce the probability of the key of the cryptographic algorithm being cracked by the power consumption analysis means, the means for defending the power consumption analysis can be applied in the running process of the cryptographic algorithm such as the SM4 algorithm; for example, when a cryptographic algorithm such as SM4 algorithm is used to encrypt or decrypt data, a means for preventing power consumption analysis may be used to reduce the probability that a key of the cryptographic algorithm is broken by the means for analyzing power consumption.
One idea of defending against power consumption analysis is to introduce a mask in the running process of the cryptographic algorithm, so that an attacker cannot find common power consumption characteristics in the running process of the cryptographic algorithm for many times, and further cannot align power consumption data of the cryptographic algorithm in the running process of the cryptographic algorithm for many times, so that the statistical analysis result of the attacker is invalid, and the probability that a secret key of the cryptographic algorithm is cracked by the attacker by using a power consumption analysis means is reduced.
In one alternative implementation, the mask is introduced during the execution of the cryptographic algorithm in the Sbox operation based on the Sbox lookup table. However, introducing a mask in a table-based Sbox operation has the following problem as a defense against power consumption analysis:
the Sbox lookup table occupies a large memory space, which increases the hardware implementation area of cryptographic algorithms such as SM4, especially when masks are used to defend against power consumption analysis.
Based on the above, the embodiment of the application provides a novel data processing scheme to defend against power consumption analysis and improve the defending performance of the power consumption analysis.
As an alternative implementation, fig. 3 shows an alternative flowchart of a data processing method provided by an embodiment of the application. The method may be executed by computer equipment; for example, a processor in the computer equipment may run a cryptographic algorithm such as SM4 to encrypt or decrypt data, and use the data processing method of the embodiment to defend against power consumption analysis during the encryption or decryption, so as to reduce the probability that the key of the cryptographic algorithm is cracked by power consumption analysis.
Referring to fig. 3, the method flow may include the following steps.
In step S310, data to be processed is acquired, the data to be processed being processed using a cryptographic algorithm, the cryptographic algorithm comprising iterative rounds of operations.
The data to be processed can be input data of a cryptographic algorithm, and the embodiment of the application can process the data to be processed by utilizing the cryptographic algorithm, for example, encrypt plaintext data by utilizing an encryption algorithm and decrypt ciphertext data by utilizing a decryption algorithm. Accordingly, the data to be processed may be plaintext data to be encrypted or ciphertext data to be decrypted. Taking the encryption algorithm of the SM4 algorithm as an example, the data to be processed may be plaintext data.
Cryptographic algorithms such as the SM4 algorithm may include iterative rounds of operations, e.g., the encryption algorithm of the SM4 algorithm includes iterative rounds of encryption operations, and the decryption algorithm of the SM4 algorithm includes iterative rounds of decryption operations.
In step S311, in the current round of operation, a masked Sbox input is determined and mapped to a finite composite field; the masked Sbox input is the result of adding a first mask to the Sbox input, the masked Sbox input is determined according to the input state words of the current round of operation and the round key, and the input state words of the current round of operation carry the first mask.
Each round of the cryptographic algorithm may be implemented based on an Sbox operation. For example, in the SM4 algorithm, the current round of operation may use the composite operation of the nonlinear transformation τ and the linear transformation L to determine the operation result of the current round (e.g., the new state word of the current round), and the nonlinear transformation τ may consist of a plurality of parallel Sbox operations (e.g., 4 parallel Sbox operations).
To solve the problem that a table-based Sbox operation requires a large hardware implementation area, the Sbox input can be mapped to a finite composite field, so that the Sbox operation is realized by computation in the finite composite field and the Sbox output is obtained. In one example, let the Sbox input be e, which may be mapped to a finite composite field such as GF(2^8), GF(((2^2)^2)^2) or GF((2^4)^2); according to a preset addition vector and a preset multiplication matrix, an inversion operation is performed on the Sbox input e mapped to the finite composite field to obtain an inversion result; the inversion result is then converted back in the finite composite field, based on the preset addition vector and the preset multiplication matrix, to obtain the Sbox output. For example, the Sbox operation formula for obtaining the Sbox output can be expressed as:
Sbox(e) = (e·A + C)^-1 · A + C;
where e is the Sbox input mapped to a finite composite field such as GF(2^8), GF(((2^2)^2)^2) or GF((2^4)^2); A is the preset multiplication matrix, an example of which is shown in fig. 4; and C is the preset addition vector, which can be expressed as (11001011).
In order to defend against power consumption analysis, the embodiment of the present application may apply mask protection to the Sbox input, for example by adding a first mask to the Sbox input; for convenience of explanation, the result of applying mask protection to the Sbox input, e.g. the result of adding the first mask to the Sbox input, is referred to as the masked Sbox input.
In an optional implementation, the embodiment of the application may XOR the data to be processed with a first random number, so that a second random number is added to the input state words of each round of operation of the cryptographic algorithm and, in turn, to the Sbox input of each round. (The masked Sbox input is determined according to the input state words of the current round and the round key; when the second random number is added to the input state words of the current round, the masked Sbox input correspondingly carries the second random number, that is, the masked Sbox input is the Sbox input with the first mask added.) The second random number may be split data of the first random number: for example, the first random number may be split into 4 pieces of 32-bit data, and the second random number may be one of those 4 pieces.
In one example, taking the encryption algorithm of the SM4 algorithm, the plaintext X may be XORed with the first random number M, so that the second random number m is added to the input state words of each round of encryption operation and hence to the Sbox input e of each round, giving the masked Sbox input (e+m) of each round of encryption operation; here the second random number m may be one of the 4 pieces of 32-bit data into which the first random number M is split.
Thus, in an alternative implementation, the first mask may be the second random number referred to above, e.g., for Sbox input e, the masked Sbox input is e+m.
After the masked Sbox input is obtained, it may be mapped to a finite composite field; for example, the masked Sbox input e+m may be mapped to GF(2^8), GF(((2^2)^2)^2), GF((2^4)^2) or the like. As an optional implementation, the embodiment of the present application may define a target set (denoted F) corresponding to the finite composite field, where the target set F is isomorphic to the finite composite field GF(2^8), GF(((2^2)^2)^2) or GF((2^4)^2); the elements of the target set are then used to represent the masked Sbox input, thereby mapping the masked Sbox input to the finite composite field.
For ease of understanding, take GF(2^8) as an example and let the target set F be ({(x+1) mod (x^9+1)} ∪ {0}, +, ·), where + denotes addition and · denotes multiplication, in the notation of abstract algebra; the target set F contains 2^8 elements in total, each generated by (x+1) mod (x^9+1), where the lowercase x denotes the unknown in an element. Under this definition the target set F is isomorphic to the finite composite field GF(2^8), so the finite composite field GF(2^8) can be represented by the elements of F.
In one implementation example, 9 bits may represent an element of the finite field GF(2^8); for example, let a(x) and b(x) be elements of GF(2^8), with a(x) = a_0 + a_1·x + ... + a_8·x^8 and b(x) = b_0 + b_1·x + ... + b_8·x^8; in this example a(x) and b(x) are expressed as polynomials.
As an alternative implementation, in the current round of operation the masked Sbox input may be determined according to the input state words of the current round and the round key (since the data to be processed was XORed with the first random number, the input state words of the current round carry the second random number). For example, the last three of the input state words of the current round are XORed with the round key of the current round to obtain the masked Sbox input. Taking the (i+1)th round of encryption operation as the current round, the last three state words X_{i+1}, X_{i+2} and X_{i+3} of the input state words (X_i, X_{i+1}, X_{i+2}, X_{i+3}) are XORed with the round key rk_i to obtain the masked Sbox input.
Optionally, if the round key of the current round is protected by a mask in the key expansion algorithm, the masked round key needs to be demasked. To this end, the embodiment of the application may obtain the masked round key of the current round and the mask random number corresponding to it, and determine the masked Sbox input of the current round according to the input state words of the current round, the masked round key and the mask random number corresponding to the masked round key. For example, the last three input state words of the current round, the masked round key and its mask random number may be XORed together to obtain the masked Sbox input of the current round.
For convenience of explanation, take the (i+1)th round of encryption operation as the current round, with round key rk_i. If rk_i is protected in the key expansion algorithm with the mask random number m0, the key expansion algorithm outputs the masked round key mrk_i, which is the result of masking rk_i with m0; rk_i is recovered by demasking mrk_i with m0. Accordingly, the masked round key mrk_i, the mask random number m0 and the last three state words X_{i+1}, X_{i+2} and X_{i+3} of the input state words (X_i, X_{i+1}, X_{i+2}, X_{i+3}) of the (i+1)th round of encryption operation may be XORed together to obtain the masked Sbox input.
In step S312, the masked Sbox input mapped to the finite composite field is input to a pre-constructed mask function, which is evaluated to obtain a masked Sbox output; the masked Sbox output is the result of adding a second mask to the Sbox output.
The mask function is used for calculating Sbox output corresponding to Sbox operation, and converting a first mask in the masked Sbox input into a second mask in the masked Sbox output.
The embodiment of the application may construct the mask function in advance; the main functions of the mask function are to realize the Sbox operation and the mask conversion. For example, in the current round of operation, after the masked Sbox input is mapped to the finite composite field, the mask function may realize the Sbox operation on the basis of the masked Sbox input and convert the first mask in the masked Sbox input into a second mask added to the Sbox output, thereby obtaining the masked Sbox output (the Sbox output with the second mask added). That is, the mask function calculates the Sbox output corresponding to the Sbox operation and converts the first mask in the masked Sbox input into the second mask in the masked Sbox output.
To facilitate understanding of alternative forms of the mask function, an alternative construction process is described below. As described above, since the data to be processed is XORed with the first random number M, in each round of operation of the cryptographic algorithm the Sbox input e carries the second random number m (that is, m is added to the Sbox input e as an addition mask, and the second random number m is an addition mask value), so the masked Sbox input is e+m. To remove the addition mask value m from the masked Sbox input e+m, a function f may be constructed that operates on the masked Sbox input, the second random number m and a third random number n; for example, the function f may be expressed as:
f(e+m, m, n) = [n·((e+m)·A + C) − mnA]^-1 · A = [n·e·A + n·C]^-1 · A, where n is the third random number, used as a multiplication mask value.
It can be seen that the function f removes the addition mask value m (i.e., the second random number m), while its result carries the third random number n; because n is introduced by multiplication, it is a multiplication mask and the third random number n is the corresponding multiplication mask value. It should be noted that the function f may be regarded as a sub-function of the mask function.
In order to ensure that the operation result of the cryptographic algorithm is correct, since the result of f(e+m, m, n) carries the multiplication mask value n, that value must be removed from the result of f; a mask function can therefore be constructed on the basis of f that removes the multiplication mask value n from the result of f and attaches an addition mask to it. Let the mask function be g; then g can be expressed as:
g(e+m, m, m', n) = (f(e+m, m, n) + m')·n + C = ([n·e·A + n·C]^-1 · A + m')·n + C = Sbox(e) + m'·n;
wherein m' is a fourth random number.
It can be seen that once the multiplication mask value n in ([n·e·A + n·C]^-1 · A + m')·n + C is eliminated, (e·A + C)^-1 · A + C + m'·n is obtained, where Sbox(e) = (e·A + C)^-1 · A + C; so the result of the mask function g is the result of the Sbox operation (i.e. Sbox(e)) plus m'·n.
That is, the result of the mask function g is the masked Sbox output Sbox(e) + m'·n; accordingly, the second mask may be the product m'·n of the third random number n and the fourth random number m': the product m'·n is added to the Sbox output Sbox(e), and the sum Sbox(e) + m'·n is used as the masked Sbox output.
It can be seen that the mask function g converts the additive mask value in the masked Sbox input (m in e+m) into the additive mask value in the masked Sbox output (m'·n in Sbox(e) + m'·n); thus, on the basis of calculating the Sbox output corresponding to the Sbox operation, the mask function g adds the second mask to the Sbox output, that is, the mask function g realizes both the Sbox operation and the mask conversion.
Meanwhile, during the evaluation of the mask function g, the second random number m, the third random number n and the fourth random number m' are all present, so the intermediate computations of the mask function g are also protected by random numbers. That is, the embodiment of the application protects the input of the mask function g (the masked Sbox input), its intermediate computations and its result (the masked Sbox output) with random numbers, thereby defending against power consumption analysis at multiple points and improving the defensive effect.
In alternative implementations, embodiments of the present application may use XOR masks and addition masks for linear operations and multiplication masks for nonlinear operations; the addition mask and the multiplication mask are contained within the mask function. In one example, the linear operations include XOR, shift, the preset addition vector C and the preset multiplication matrix A, where C and A appear in the algebraic form of the Sbox, e.g., Sbox(e) = (e·A + C)^-1 · A + C.
In one implementation example, the masked Sbox input is mapped to a finite composite field, so that computing the Sbox output in the finite composite field can be converted into addition operations, while the nonlinear operation lies in the inversion over the finite composite field; e.g., in Sbox(e) = (e·A + C)^-1 · A + C, the term (e·A + C)^-1 is the inversion over the finite composite field.
Based on the mask function constructed by the embodiment of the present application, the process of inputting the masked Sbox input mapped to the finite composite field into the pre-constructed mask function to obtain the masked Sbox output may, for example, be as follows:
the mask function is evaluated on the masked Sbox input (e.g. e+m), the second random number m, the third random number n and the fourth random number m' to obtain the masked Sbox output; here the first mask in the masked Sbox input is the second random number m, and the second mask in the masked Sbox output is determined by the third random number n and the fourth random number m' (e.g., the second mask is the product of n and m').
In a more specific optional implementation, since the mask function g contains the sub-function f, the embodiment of the application may evaluate the sub-function on the masked Sbox input (e.g. e+m), the second random number m and the third random number n, so that the second random number m is removed from the result of the sub-function while the third random number n is carried; the result of the sub-function is then processed with the third random number n and the fourth random number m' to obtain the masked Sbox output.
Alternative formulaic forms of the masking function g and the sub-function f may be referred to in the foregoing description and are not developed here.
In step S313, the operation result of the current round operation is determined from the masked Sbox output.
After the masked Sbox output of the current round is obtained, the embodiment of the application may determine the operation result of the current round according to it; for example, the subsequent processing and the demasking processing of the current round are performed on the masked Sbox output to obtain the operation result of the current round.
In one example, taking the encryption operation of the SM4 algorithm, after the masked Sbox output of the current round of encryption operation is obtained, the embodiment of the present application may apply the linear transformation to the masked Sbox output and demask the result of the linear transformation with a fifth random number N to obtain a composite operation result (for example, the result of the linear transformation is XORed with the fifth random number N to remove part or all of the mask); the composite operation result is then XORed with the first of the input state words of the current round of encryption operation to obtain the next state word computed by the current round. For example, in the (i+1)th round of encryption operation, the composite operation result is XORed with the first state word X_i of the input state words (X_i, X_{i+1}, X_{i+2}, X_{i+3}) to obtain the next state word X_{i+4}.
In step S314, the processing result of the data to be processed is determined according to the operation result of the last round of operation.
Each round of operation of the cryptographic algorithm can be performed with reference to the contents of steps S311 to S313, so that after a plurality of rounds of operation iterated by the cryptographic algorithm, the embodiment of the application can obtain the operation result of the last round of operation in the last round of operation of the cryptographic algorithm, and further determine the processing result of the data to be processed according to the operation result of the last round of operation.
In an alternative implementation, the embodiment of the application can obtain a candidate processing result of the data to be processed from the operation result of the last round; because the data to be processed was XORed with the first random number M before the iterative rounds, the candidate processing result is XORed with the first random number M to obtain the target (final) processing result of the data to be processed. For example, in data encryption with the SM4 algorithm, the embodiment of the present application may apply the reverse-order transformation to the operation result of the last round of encryption operation to obtain candidate ciphertext data, and then XOR the candidate ciphertext data with the first random number M to obtain the target ciphertext data (i.e., the final encrypted form of the plaintext data).
The data processing method provided by the embodiment of the application processes the data to be processed with a cryptographic algorithm comprising iterative rounds of operation. To defend against power consumption analysis during data processing and improve the defensive performance, the embodiment of the application determines a masked Sbox input in each round of the cryptographic algorithm; the masked Sbox input is the Sbox input with a first mask added, it is determined according to the input state words of the round and the round key, and the input state words of each round carry the first mask. By constructing a mask function, the embodiment of the application realizes the Sbox operation and the mask conversion in each round. Thus, in the current round of the cryptographic algorithm, the masked Sbox input is fed into the mask function, the masked Sbox output is obtained through the Sbox operation and mask conversion of the mask function, and the operation result of the current round is determined from the masked Sbox output; the masked Sbox output is the Sbox output with the second mask added. That is, the mask function calculates the Sbox output corresponding to the Sbox operation and converts the first mask in the masked Sbox input into the second mask in the masked Sbox output, so that, on the basis of realizing the Sbox operation, the second mask is added to the Sbox output, yielding an Sbox output protected by the second mask.
Furthermore, when the last round of operation of the cryptographic algorithm is performed, the embodiment of the application can determine the processing result of the data to be processed according to the operation result of the last round of operation, thereby realizing the processing of the data to be processed by the cryptographic algorithm.
It can be seen that, in the embodiment of the application, the Sbox operation is contained in the mask function of each round of the cryptographic algorithm, so the Sbox operation is not implemented by an Sbox lookup table and the hardware implementation area is reduced; meanwhile, mask protection exists at the input (masked Sbox input) and output (masked Sbox output) of the mask function and during its evaluation, so power consumption analysis can be effectively defended against and the probability that the secret key of the cryptographic algorithm is recovered by power consumption analysis is reduced. In summary, the data processing method provided by the embodiment of the application maps the Sbox operation of the cryptographic algorithm to a finite composite field for computation, contains the Sbox operation in the mask function of each round, and protects the input, output and evaluation of the mask function with masks, so that power consumption analysis is effectively defended against; the embodiment of the application thus provides a safe and reliable defense against power consumption analysis while reducing the hardware implementation area, improving the defensive performance of the data processing scheme.
Furthermore, the masks used in the embodiment of the application (e.g., the first mask and the second mask) may be random numbers, which offer higher security than fixed constant masks and effectively reduce the probability that the secret key of the cryptographic algorithm is recovered by power consumption analysis. Meanwhile, because the Sbox operation is mapped to a finite composite field for computation and contained in the mask function, the embodiment of the application can support inversion over various types of finite composite fields and is not limited to a specific one, so a finite composite field with higher operation speed can be chosen, improving operation performance.
To facilitate understanding of the data processing method provided by the embodiment of the present application, taking the data encryption scenario of an encryption algorithm as an alternative implementation, fig. 5 schematically illustrates another alternative flowchart of the data processing method, and fig. 6 schematically illustrates an exemplary diagram of it. As shown in fig. 5 and fig. 6, in the data encryption scenario the flow of the data processing method may include the following steps.
In step S510, plaintext data is acquired, which is processed using an encryption algorithm that includes iterative rounds of encryption operations.
In step S511, the plaintext data is XORed with a first random number to obtain the input state words of the first round of encryption operation, which carry a second random number, the second random number being split data of the first random number.
In order to defend against power consumption analysis, the embodiment of the application may use the first random number to apply mask protection to the plaintext data, thereby obtaining mask-protected input state words for the first round of encryption operation.
In one example, as shown in fig. 6, the first random number M may be XORed with the plaintext X to obtain the input state words (X_0, X_1, X_2, X_3), i.e. the first 4 state words.
After the plaintext data is split into the input state words (X_0, X_1, X_2, X_3) of the first round of encryption operation, those input state words carry split data of the first random number M, because the plaintext data was XORed with the first random number M; for convenience of explanation, the split data of the first random number M is called the second random number and denoted m, so the input state words of the first round of encryption operation carry the second random number m, which provides mask protection for them. In one example, the first random number M may be split into 4 pieces of 32-bit data, and the second random number may be one of those 4 pieces.
Since the rounds of the cryptographic algorithm are iterative and the output of one round serves as the input of the next (for example, in the (i+1)th round the input of the round function F may be (X_i, X_{i+1}, X_{i+2}, X_{i+3}) and the output (X_{i+1}, X_{i+2}, X_{i+3}, X_{i+4})), when the input state words of the first round of encryption operation carry the second random number m, the input state words of every round of encryption operation carry the second random number m by virtue of the iterative nature of the rounds.
In step S512, in the current round of encryption operation, the masked Sbox input is determined according to the input state words of the current round of encryption operation, the masked round key and the mask random number corresponding to the masked round key, and the masked Sbox input is mapped to a finite composite field.
Taking the case where the key expansion algorithm outputs a masked round key for each round of encryption operation, in the current round the embodiment of the application may XOR the last three input state words of the current round, the masked round key and the mask random number corresponding to it, thereby obtaining the masked Sbox input. XORing the masked round key with its mask random number demasks it and yields the correct round key of the current round of encryption operation; since the input state words of the current round carry the second random number, XORing the round key with the last three input state words yields a result that also carries the second random number, that is, the masked Sbox input (e.g. e+m) of the current round.
In one example, as shown in fig. 6, taking the (i+1)th round of encryption operation, if the round key rk_i is protected in the key expansion algorithm with the mask random number m0, the key expansion algorithm outputs the masked round key mrk_i; then in the (i+1)th round, mrk_i is demasked with m0 and XORed with the last three state words X_{i+1}, X_{i+2} and X_{i+3} of the input state words (X_i, X_{i+1}, X_{i+2}, X_{i+3}) to obtain the masked Sbox input.
After the masked Sbox input of the current round of encryption operation is determined, the embodiment of the application may map it to a finite composite field.
In step S513, the masked Sbox input mapped to the finite composite field is input to the pre-constructed mask function, which is evaluated to obtain the masked Sbox output.
Optionally, for the masked Sbox input (e.g., e+m) mapped to the finite composite field, embodiments of the present application may evaluate the mask function according to the following formula:
g(e+m, m, m', n) = (f(e+m, m, n) + m')·n + C = ([n·e·A + n·C]^-1 · A + m')·n + C = Sbox(e) + m'·n.
In one example, as shown in fig. 6, in round i+1 the masked round key mrk_i, the mask random number m0 and the input state words X_{i+1}, X_{i+2} and X_{i+3} are XORed; the result is the masked Sbox input, which is fed into the mask function g to obtain the masked Sbox output, e.g., Sbox(e) + m'·n output by g.
The construction process and principle of the masking function can be referred to the description of the corresponding parts above, and will not be expanded here.
In step S514, the masked Sbox output is subjected to linear transformation processing, and the result of the linear transformation processing is subjected to demasking processing to obtain a composite operation result.
After the masked Sbox output is obtained, the nonlinear transformation τ of the current round of encryption can be regarded as complete (the nonlinear transformation τ consists of a plurality of parallel Sbox operations, and the mask function contains the Sbox operation, so once the mask function has output the masked Sbox output, τ has been carried out), except that the result of τ still carries a mask; on this basis, the embodiment of the application can perform linear transformation processing on the masked Sbox output and demask the result of the linear transformation processing to obtain the composite operation result corresponding to the current round of encryption.
In one example, as shown in FIG. 6, in the (i+1)-th round of encryption the masked Sbox output produced by the masking function g can be processed by the linear transformation L, and the processing result of L can be XORed with the fifth random number N, so that part or all of the mask in the processing result of L is stripped, giving the composite operation result. In one example, XORing the processing result of the linear transformation L with the fifth random number N strips only part of the mask in that result.
In step S515, the next state word calculated by the current round of encryption operation is determined according to the composite operation result; the next state word calculated by the current round of encryption operation and the last three state words in the input state words of the current round of encryption operation are used as operation results of the current round of encryption operation.
After the composite operation result of the current round of encryption is obtained, the embodiment of the application can XOR the composite operation result with the first state word of the input state words of the current round of encryption, thereby obtaining the next state word calculated by the current round of encryption.
In one example, as shown in FIG. 6, after the processing result of the linear transformation L is XORed with the fifth random number N in the (i+1)-th round of encryption, that result (i.e. the composite operation result) can be XORed with the first state word X_i of the input state words (X_i, X_{i+1}, X_{i+2}, X_{i+3}) to obtain the next state word X_{i+4}; thus the next state word X_{i+4} calculated by the (i+1)-th round of encryption, together with the last three state words X_{i+1}, X_{i+2} and X_{i+3} of the input state words (X_i, X_{i+1}, X_{i+2}, X_{i+3}), can serve as the operation result (X_{i+1}, X_{i+2}, X_{i+3}, X_{i+4}) of the (i+1)-th round of encryption.
If the current round of encryption operation also has the next round of encryption operation, the operation result of the current round of encryption operation can be used as the input status word of the next round of encryption operation.
In step S516, ciphertext data corresponding to the plaintext data is determined according to the result of the last round of encryption operation and the first random number.
As an optional implementation, when the last round of encryption has been performed, the embodiment of the application can apply the reverse order transformation to the operation result of the last round of encryption to obtain candidate ciphertext data of the plaintext data; since the plaintext data was XORed with the first random number M, the embodiment of the application can XOR the candidate ciphertext data with the first random number M to obtain the target ciphertext data of the plaintext data, which guarantees the correctness of the encryption result.
In one example, as shown in FIG. 6, when the 32nd round of encryption is reached the encryption algorithm performs its last round, and the operation result of the last round is (X_32, X_33, X_34, X_35); the embodiment of the application can apply the reverse order transformation to the operation result (X_32, X_33, X_34, X_35) to obtain the candidate ciphertext data (Y_0, Y_1, Y_2, Y_3); further, the candidate ciphertext data (Y_0, Y_1, Y_2, Y_3) is XORed with the first random number M to obtain the target ciphertext data Y corresponding to the plaintext X, which guarantees the correctness of the final encryption result of the encryption algorithm.
In an alternative implementation, the embodiment of the application may provide a round calculation instruction of the cryptographic algorithm, where the round calculation instruction is used to implement each round of operation of the cryptographic algorithm; for example, for the encryption algorithm of the SM4 algorithm, embodiments of the present application may provide a round computation instruction (such as the SM4RD instruction) so that each round of operation of the cryptographic algorithm is implemented by the SM4RD instruction. According to the embodiment of the application, the Sbox operation and the mask protection are carried out by using the mask function in each round of operation, so that the mask function can be borne in the round calculation instruction of the cryptographic algorithm, and the mask function is operated in each round of operation of the cryptographic algorithm by executing the round calculation instruction of the cryptographic algorithm, thereby realizing the Sbox operation and the mask protection.
In one example, as shown in FIG. 6, the SM4RD instruction can implement one round of encryption of the SM4 algorithm, for example the (i+1)-th round. When the round key is protected by a mask, the inputs of the SM4RD instruction are X_i, X_{i+1}, X_{i+2}, X_{i+3}, the mask back round key mrk_i and the mask random number m0, and the outputs are X_{i+1}, X_{i+2}, X_{i+3}, X_{i+4}. The instruction content and function of the SM4RD instruction may correspond to what was described above for the current round of encryption. The first random number M is XORed with the plaintext X before the first round of encryption, and XORed with the candidate ciphertext data (Y_0, Y_1, Y_2, Y_3) after the last round of encryption.
As an optional implementation, the embodiment of the application can also use a mask function to mask and protect round keys of each round of key expansion algorithm, thereby obtaining a mask back round key of each round of key expansion algorithm, preventing power consumption analysis by using the mask function in the operation process of each round of key expansion algorithm, and reducing the probability that the round key of each round of key expansion algorithm is cracked by a power consumption analysis means. It should be noted that the key expansion algorithm is used to provide round keys for each round of operations of the cryptographic algorithm, for example, the key expansion algorithm may determine round keys used for each round of encryption operations or each round of decryption operations of the cryptographic algorithm. In the embodiment of the application, in order to defend against power consumption analysis, the round key provided by the key expansion algorithm uses mask protection, and is a mask back round key; that is, the key expansion method provided by the embodiment of the present application may provide the masked round keys corresponding to each round of operation of the cryptographic algorithm, where the masked round keys corresponding to one round of operation are the result of adding the masked random number to the round keys of one round of operation.
Optionally, FIG. 7 is an exemplary flowchart of an optional key expansion method provided by an embodiment of the present application; the key expansion method may be executed by a computer device. Referring to FIG. 7, the method flow may include the following steps.
In step S710, a master key is obtained, which is round-key expanded using a key expansion algorithm that includes iterative rounds of key expansion operations.
In cryptographic algorithms such as SM4 algorithm, the round key used by each round of encryption operation and each round of decryption operation may be obtained by expanding the round key by a key expansion algorithm, which may include iterative rounds of key expansion operations.
For example, in a cryptographic algorithm such as the SM4 algorithm, the initial 4 key words (K_0, K_1, K_2, K_3) serve as the input key words of the first round of key expansion, and in each round of key expansion the next key word is determined from the input key words. For example, in the (i+1)-th round of key expansion the input key words may be (K_i, K_{i+1}, K_{i+2}, K_{i+3}) and the next key word determined may be K_{i+4} (i being an integer from 0 to 31), so that the key words are determined iteratively.
In one example, the first round of key expansion takes the initial 4 key words (K_0, K_1, K_2, K_3) as input key words and determines the 4th key word K_4, and so on; in the last round of key expansion, the 4 key words (K_31, K_32, K_33, K_34) are the input key words and the 35th key word K_35 is determined.
The (i+4)-th key word K_{i+4} serves as the i-th round key rk_i, i.e. the round key obtained by the (i+1)-th round of key expansion; for example, the 4th key word K_4 is the 0th round key rk_0 obtained by the 1st round of key expansion, and so on, until the 35th key word K_35 is the 31st round key rk_31 obtained by the 32nd round of key expansion.
Optionally, the initial 4 key words (K_0, K_1, K_2, K_3) may be determined from the master key. For example, from the 128-bit master key K, 4 32-bit encryption keys (MK_0, MK_1, MK_2, MK_3) are determined, and from these 4 32-bit encryption keys (MK_0, MK_1, MK_2, MK_3) and the 4 key constants (FK_0, FK_1, FK_2, FK_3) the 4 key words (K_0, K_1, K_2, K_3) can be generated; the formula may be:
where FK_0, FK_1, FK_2, FK_3 are the 4 key constants, whose values may be set.
Alternatively, the next key word may be obtained by the following formula:
where CK_i (i = 0, 1, …, 31) is the i-th round constant, and the value of each round constant is fixed; T' and T have essentially the same transform structure, except that the L' transform is used in T' in place of the L transform in T.
It can be seen that the key expansion algorithm likewise has a composite operation T' in each round of key expansion; the composite operation T' is composed of a nonlinear transformation and a linear transformation L', and the nonlinear transformation comprises a plurality of parallel Sbox operations, so each round of key expansion of the key expansion algorithm also involves Sbox operations.
In step S711, in the current round of key expansion, a masked Sbox input is determined and mapped to a finite composite field; the masked Sbox input is the result of adding a third mask to the Sbox input, the masked Sbox input is determined according to the input key words and the round constant of the current round of key expansion, and the third mask is added to the input key words of the current round of key expansion.
Alternatively, to defend against power analysis, when the initial 4 key words (K_0, K_1, K_2, K_3) are determined, the sixth random number M0 can be introduced to mask the master key K, so that the initial key words carry split data of the sixth random number; the split data of the sixth random number is thereby added to the input key words of every round of key expansion, and a third mask is added to the Sbox input of every round of key expansion.
Optionally, the embodiment of the present application may perform exclusive-or processing on the master key K, the key constant FK, and the sixth random number M0, so that the seventh random number is added to the initial key word of the key expansion algorithm, where the seventh random number may be split data of the sixth random number M0, for example, the sixth random number M0 may be split into 4 pieces of 32-bit data, and the seventh random number may be one of the 4 pieces of 32-bit data split by the sixth random number M0. Based on the iterative nature of the multiple rounds of key expansion operations of the key expansion algorithm, the input key word of each round of key expansion operations is added with a seventh random number, and the Sbox input of each round of key expansion operations is further added with a seventh random number (the third mask may be the seventh random number). For ease of illustration, the seventh random number may be defined as m1.
In an alternative implementation, since the masked Sbox input of each round of key expansion is determined according to the input key words and the round constant, and the seventh random number m1 is added to the input key words of the current round of key expansion, the masked Sbox input correspondingly carries the seventh random number m1, that is, the masked Sbox input is the result of adding the third mask to the Sbox input.
As an alternative implementation, in the current round of key expansion the masked Sbox input can be determined according to the input key words and the round constant of the current round (the input key words of the current round derive from XORing the master key K with the sixth random number M0, so the seventh random number m1 is added to the input key words of the current round). For example, the last three key words of the input key words of the current round are XORed with the round constant of the current round to obtain the masked Sbox input. Taking the (i+1)-th round of key expansion as an example, the embodiment of the application can XOR the last three key words K_{i+1}, K_{i+2} and K_{i+3} of the input key words (K_i, K_{i+1}, K_{i+2}, K_{i+3}) with the round constant CK_i to obtain the masked Sbox input.
In one example, assuming the Sbox input in the key expansion operation is e, the masked Sbox input may be defined as e+m1.
After the masked Sbox input is obtained, it may be mapped to a finite composite field; for example, the masked Sbox input e+m1 may be mapped to GF(2^8), GF(((2^2)^2)^2), GF((2^4)^2) or the like. As an alternative implementation, the embodiment of the present application may represent the masked Sbox input using elements of the target set corresponding to the finite composite field, so as to map the masked Sbox input to the finite composite field.
In step S712, the masked Sbox input mapped to the finite complex field is input to a pre-constructed mask function for operation to obtain a masked Sbox output, which is a result of adding the second mask to the Sbox output.
The mask function is used for calculating Sbox output corresponding to Sbox operation, and converting a third mask in the masked Sbox input into a second mask in the masked Sbox output.
The masking function constructed in the embodiment of the present application is the same as the masking function described above, and the two descriptions may be referred to with each other; the only difference is that in the current round of key expansion the mask carried by the masked Sbox input is the third mask (for example, the seventh random number m1).
In an alternative implementation, in the current round of key expansion operation, the embodiment of the application can perform operation of a masking function according to the masked Sbox input, the seventh random number, the third random number and the fourth random number so as to obtain masked Sbox output; wherein the second mask in the masked Sbox output is determined from the third random number and the fourth random number.
In a more specific implementation, the embodiment of the application can perform the operation of the subfunction of the mask function according to the Sbox input after masking, the seventh random number and the third random number, so as to remove the seventh random number from the operation result of the subfunction and carry the third random number; and processing the operation result of the sub-function according to the third random number and the fourth random number to obtain a Sbox output after masking.
In one implementation example, the second mask is a product of the third random number and the fourth random number, and the mask function is formulated as:
the meaning of the parameters in the masking function may refer to the description of the corresponding part in the foregoing, and since in the current round of key expansion operation, the mask carried by the Sbox input after masking is the seventh random number m1, m in the foregoing formula is replaced by m1.
In step S713, the masked back round key output by the current round key expansion operation is determined from the masked Sbox output.
After the masked Sbox output of the current round of key expansion is obtained, the embodiment of the application can perform linear transformation processing on the masked Sbox output, and XOR the result of the linear transformation processing with the eighth random number N0 so that part of the mask in that result is removed, giving the composite operation result; the residual mask in the composite operation result is the mask random number m0, which may be the highest 32 bits of the sixth random number M0;
Further, performing exclusive OR operation on the composite operation result and the first key word in the input key words of the current round of key expansion operation, so as to obtain the next key word calculated by the current round of key expansion operation; since the remaining mask of the composite operation result is the mask random number m0, the next key word calculated by the current round key expansion operation is added with the mask random number m0, and thus the next key word calculated by the current round key expansion operation and added with the mask random number m0 can be regarded as the mask back-round key provided by the current round key expansion operation.
For example, in the (i+1)-th round of key expansion, the composite operation result (whose residual mask is the mask random number m0) is XORed with the first key word K_i of the input key words (K_i, K_{i+1}, K_{i+2}, K_{i+3}) to obtain the next key word K_{i+4} with the mask random number m0 added, which serves as the mask back round key mrk_i provided by the (i+1)-th round of key expansion.
Thus, in the (i+1)-th round of encryption, the mask back round key mrk_i is demasked with the mask random number m0 and combined with the last three state words X_{i+1}, X_{i+2} and X_{i+3} of the input state words (X_i, X_{i+1}, X_{i+2}, X_{i+3}) to obtain the masked Sbox input of the (i+1)-th round of encryption; for example, in the (i+1)-th round of encryption, the mask back round key mrk_i, the mask random number m0 and the last three state words X_{i+1}, X_{i+2} and X_{i+3} of the input state words (X_i, X_{i+1}, X_{i+2}, X_{i+3}) of the (i+1)-th round are XORed to obtain the masked Sbox input of the (i+1)-th round of encryption.
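The masked Sbox formulas of steps S513 and S712 (the mask function g, its sub-function f and Sbox(e) = (e·A + C)^-1 ·A + C) together with the word-level flow of one encryption round (FIG. 6: L, fifth random number N) and one key expansion round (FIG. 8: L', eighth random number N0), as an added worked example in Python. It is not the patent's code nor Haiguang's implementation. Assumptions that are not on the page: the constants A_CONST and C_CONST are constructed stand-ins, and A is treated as multiplication by a field element (the identity g = Sbox(e) + m'·n needs the "·A" step to commute with the multiplication by n, which holds under that assumption); every secret word is carried as the pair (word ^ mask, mask) so that the m passed to g is simply the XOR of the tracked word masks; and N is formed as L(output mask) ^ residual, where residual = 0 strips the whole mask (encryption round) and a nonzero residual leaves a mask in place (key expansion round, where the page leaves m0). The reduction polynomial 0x1F5 and the rotation amounts of L and L' are SM4's published ones. The operation count in f and g matches the page's 4 multiplications, 1 subtraction and 1 addition; the two XORs are the m0 XOR on the Sbox input and the N XOR after L.

```python
import secrets

POLY = 0x1F5      # x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1, SM4's reduction polynomial
A_CONST = 0x5B    # constructed stand-in for the multiplication "A" (assumption)
C_CONST = 0xD3    # constructed stand-in for the addition vector "C" (assumption)
MASK32 = 0xFFFFFFFF

def gf_mul(x, y):
    """Multiply two bytes in GF(2^8) modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:
            x ^= POLY
    return r

def gf_inv(x):
    """x^254 = x^-1 for x != 0; maps 0 to 0 (the S-box convention)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r

def sbox(e):
    """Unmasked reference: Sbox(e) = (e.A + C)^-1 . A + C."""
    return gf_mul(gf_inv(gf_mul(e, A_CONST) ^ C_CONST), A_CONST) ^ C_CONST

def f_sub(e_m, m, n):
    """f(e+m, m, n) = [n.((e+m).A + C) - m.n.A]^-1 . A  (3 extra mults, 1 subtraction).
    The mask m is cancelled only after blinding by n, so e itself never appears."""
    t = gf_mul(n, gf_mul(e_m, A_CONST) ^ C_CONST) ^ gf_mul(gf_mul(m, n), A_CONST)
    return gf_mul(gf_inv(t), A_CONST)

def g_mask(e_m, m, m2, n):
    """g(e+m, m, m', n) = (f + m').n + C = Sbox(e) + m'.n  (m2 plays m'; 1 add, 1 mult)."""
    if n == 0:                      # n = 0 would zero the inverse input and break g
        raise ValueError("third random number n must be nonzero")
    return gf_mul(f_sub(e_m, m, n) ^ m2, n) ^ C_CONST

def rotl(w, k):
    return ((w << k) | (w >> (32 - k))) & MASK32

def L_enc(b):   # SM4 linear transform L of the encryption round
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def L_key(b):   # SM4 linear transform L' of the key expansion round
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def tau(word, sb):
    """Four parallel byte S-boxes on a 32-bit word."""
    return int.from_bytes(bytes(sb(b) for b in word.to_bytes(4, "big")), "big")

def plain_round(x0, x1, x2, x3, rk, lin):
    """Reference round without masks: X4 = X0 ^ L(tau(X1 ^ X2 ^ X3 ^ rk))."""
    return x0 ^ lin(tau(x1 ^ x2 ^ x3 ^ rk, sbox))

def masked_round(xm, masks, mrk, m0, lin, residual):
    """One masked round; xm[j] = X_j ^ masks[j], mrk = rk ^ m0 (the mask back round key).
    Returns (X4 ^ new_mask, new_mask); residual is what N deliberately leaves in place."""
    e_m = xm[1] ^ xm[2] ^ xm[3] ^ mrk ^ m0          # e ^ m with m = XOR of the word masks
    m_word = masks[1] ^ masks[2] ^ masks[3]
    out, out_mask = [], []
    for eb, mb in zip(e_m.to_bytes(4, "big"), m_word.to_bytes(4, "big")):
        n = secrets.randbelow(255) + 1               # fresh nonzero n per S-box lane
        m2 = secrets.randbelow(256)                  # fresh m' per S-box lane
        out.append(g_mask(eb, mb, m2, n))
        out_mask.append(gf_mul(m2, n))               # this lane now carries m'.n
    t_m = lin(int.from_bytes(bytes(out), "big"))     # L is XOR-linear: the mask passes through as L(mask)
    N = lin(int.from_bytes(bytes(out_mask), "big")) ^ residual
    comp = t_m ^ N                                   # composite operation result, mask = residual
    return xm[0] ^ comp, masks[0] ^ residual

def check_sbox_identity():
    """g(e+m, m, m', n) == Sbox(e) + m'.n for every byte e and random m, m', n."""
    m, m2, n = secrets.randbelow(256), secrets.randbelow(256), secrets.randbelow(255) + 1
    return all(g_mask(e ^ m, m, m2, n) == sbox(e) ^ gf_mul(m2, n) for e in range(256))

def check_round(lin, residual=0):
    """Unmask the result of one masked round and compare it with the reference round."""
    x = [secrets.randbelow(1 << 32) for _ in range(4)]
    masks = [secrets.randbelow(1 << 32) for _ in range(4)]
    rk, m0 = secrets.randbelow(1 << 32), secrets.randbelow(1 << 32)
    xm4, mask4 = masked_round([a ^ b for a, b in zip(x, masks)], masks, rk ^ m0, m0, lin, residual)
    return (xm4 ^ mask4) == plain_round(*x, rk, lin)

if __name__ == "__main__":
    print("sbox identity:", check_sbox_identity())
    print("encryption round, N strips the whole mask:", check_round(L_enc))
    print("key expansion round, N0 leaves a residual:", check_round(L_key, 0x3C3C3C3C))
```

This is a functional model of the mask algebra, not a leakage-free implementation: Python arithmetic is neither constant-time nor free of intermediate values, so the model is only useful for checking that a hardware or assembly design tracks its masks correctly. Two points it makes concrete: the third random number n must be nonzero (g returns a constant otherwise), and because L and L' are XOR-linear the word N that strips the output mask is just L(m'·n per lane) XORed with whatever residual mask the next round is meant to inherit.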
It can be seen that, in the embodiment of the application, the Sbox operation in the key expansion operation can be contained in the mask function of each round of key expansion operation, so that the Sbox operation is avoided being realized in a Sbox lookup table manner, and the hardware realization area is reduced; meanwhile, the mask protection exists in the input (Sbox input after masking) and the output (Sbox output after masking) of the mask function, and the mask protection exists in the operation process of the mask function, so that the power consumption analysis can be effectively defended, and the probability that the secret key of the cryptographic algorithm is cracked by the power consumption analysis means is reduced. Therefore, the embodiment of the application can provide a safe and reliable power consumption analysis defense means on the basis of reducing the hardware implementation area, and improves the power consumption analysis defense performance in the data processing scheme.
In order to facilitate understanding of the key expansion method provided by the embodiment of the present application, as an optional implementation, fig. 8 schematically shows an exemplary diagram of the key expansion method provided by the embodiment of the present application. As shown in fig. 8:
The master key K (128 bits), the key constant FK and the sixth random number M0 are XORed to obtain the initial 4 key words (K_0, K_1, K_2, K_3), which serve as the input key words of the first round of key expansion; since the master key K has been XORed with the sixth random number M0, the seventh random number m1 is added to the input key words of every round of key expansion, where the seventh random number m1 is split data of the sixth random number M0;
taking the (i+1)-th round of key expansion as an example, the input key words are (K_i, K_{i+1}, K_{i+2}, K_{i+3}), and K_{i+1}, K_{i+2}, K_{i+3} of the input key words are XORed with the round constant CK_i to obtain the masked Sbox input;
the masked Sbox input may be input to the masking function g, such that the masked Sbox output is output by the masking function g; the construction process and principle of the mask function can refer to the description of the corresponding parts, and are not expanded here;
the masked Sbox output is processed by the linear transformation L', and the processing result of L' is XORed with the eighth random number N0, so that part of the mask in the processing result of L' is removed and the residual mask is the mask random number m0 (which may be the highest 32 bits of the sixth random number M0), giving the composite operation result (which carries the mask random number m0);
further, the composite operation result is XORed with the first key word K_i of the input key words (K_i, K_{i+1}, K_{i+2}, K_{i+3}) to obtain the next key word K_{i+4} with the mask random number m0 added, which serves as the mask back round key mrk_i provided by the (i+1)-th round of key expansion.
In an alternative implementation, the embodiment of the application may provide a key expansion instruction of the cryptographic algorithm, where the key expansion instruction is used to implement each round of key expansion operation of the cryptographic algorithm; for example, for a key expansion algorithm of the SM4 algorithm, embodiments of the present application may provide a key expansion instruction (such as an SM4RK instruction) so that each round of key expansion operation of the cryptographic algorithm is implemented by the SM4RK instruction. According to the embodiment of the application, the Sbox operation and the mask protection are carried out by using the mask function in each round of key expansion operation, so that the mask function can be carried in a key expansion instruction of a cryptographic algorithm.
In one example, as shown in FIG. 8, the SM4RK instruction can implement one round of key expansion of the SM4 algorithm; taking the (i+1)-th round of key expansion as an example, the inputs of the SM4RK instruction are K_i, K_{i+1}, K_{i+2}, K_{i+3} and the round constant CK_i, and the output is the mask back round key mrk_i; further, the SM4RK instruction may also output the corresponding mask random number m0. The instruction content and function of the SM4RK instruction may correspond to what was described above for the current round of key expansion. Note that the sixth random number M0 is XORed with the master key K before the first round of key expansion is performed.
In an implementation example, taking one round of encryption as an example, the data processing method and the key expansion method provided by the embodiment of the application can provide a safe and reliable defense against power analysis while reducing the hardware implementation area, at the cost of 4 additional multiplications, 1 subtraction, 1 addition and 2 XORs.
For the mask function g, the embodiment of the application may first calculate the sub-function f, whose expression is f(e+m, m, n) = [n·((e+m)·A + C) - m·n·A]^-1 ·A, and then calculate (f(e+m, m, n) + m')·n + C; compared with Sbox(e) = (e·A + C)^-1 ·A + C, this adds 4 multiplications, 1 subtraction and 1 addition, and the 2 XORs are the XOR with the mask random number m0 when forming the masked Sbox input and the XOR of the processing result of the linear transformation L with the fifth random number N.
According to the data processing scheme provided by the embodiment of the application, the Sbox operation of a cryptographic algorithm can be mapped to a finite composite field for calculation and contained in the mask function of each round of operation; mask protection exists in the input, the output and the operation process of the mask function, so power analysis can be effectively defended against; therefore, the embodiment of the application can provide a safe and reliable defense against power analysis at a small computational cost while reducing the hardware implementation area, and improves the power analysis defense performance of the data processing scheme.
The data processing apparatus provided by the embodiments of the present application is described below; it may be regarded as the functional modules of a computer device, and the following description corresponds to the foregoing description.
As an alternative implementation, fig. 9A illustrates an alternative block diagram of a data processing apparatus provided by an embodiment of the present application, where the apparatus may be applied to a computer device, and referring to fig. 9A, the apparatus may include:
a data acquisition module 910, configured to acquire data to be processed, where the data to be processed is processed using a cryptographic algorithm, and the cryptographic algorithm includes iterative rounds of operations;
a first input determining module 911, configured to determine a masked Sbox input in the current round of operation and map the masked Sbox input to a finite composite field; the masked Sbox input is the result of adding the first mask to the Sbox input, the masked Sbox input is determined according to the input state words and the round key of the current round of operation, and the first mask is added to the input state words of the current round of operation;
a first output determining module 912, configured to input the masked Sbox input mapped to the finite composite field to a pre-constructed mask function for operation, so as to obtain a masked Sbox output, where the masked Sbox output is the result of adding the second mask to the Sbox output; the mask function is used for calculating the Sbox output corresponding to the Sbox operation and converting the first mask in the masked Sbox input into the second mask in the masked Sbox output;
The operation result determining module 913 is configured to determine an operation result of the current round of operation according to the Sbox output after masking;
the processing result determining module 914 is configured to determine a processing result of the data to be processed according to an operation result of the last round of operation.
Optionally, referring to fig. 9A, the data processing apparatus provided in the embodiment of the present application may further include:
the first input exclusive-or module 915 is configured to exclusive-or process the data to be processed with the first random number before performing iterative multi-round operations, so that the second random number is added to the input status word of each round of operations of the cryptographic algorithm, where the second random number is split data of the first random number; wherein the first mask is a second random number.
Optionally, the first output determining module 912 is configured to input the masked Sbox input mapped to the finite complex domain to a pre-configured mask function for operation, so as to obtain a masked Sbox output, where the masked Sbox output includes:
performing operation of a masking function according to the masked Sbox input, the second random number, the third random number and the fourth random number to obtain masked Sbox output; wherein the second mask in the masked Sbox output is determined from the third random number and the fourth random number.
Optionally, the first output determining module 912 is configured to perform an operation of a masking function according to the masked Sbox input, the second random number, the third random number, and the fourth random number, so as to obtain a masked Sbox output, where the masking output includes:
according to the Sbox input after masking, the second random number and the third random number, carrying out operation of a sub-function of the masking function so as to remove the second random number from an operation result of the sub-function and carry the third random number;
and processing the operation result of the sub-function according to the third random number and the fourth random number to obtain a Sbox output after masking.
Optionally, the second mask is a product of a third random number and a fourth random number; the formula of the mask function is:
g(e+m, m, m', n) = (f(e+m, m, n) + m')·n + C = ([n·e·A + n·C]^-1 ·A + m')·n + C = Sbox(e) + m'·n;
where g denotes the mask function, e is the Sbox input, m is the second random number, e+m is the masked Sbox input, n is the third random number, m' is the fourth random number, f denotes the sub-function, C is a preset addition vector, A is a preset multiplication matrix, Sbox(e) is the Sbox output, Sbox(e) + m'·n is the masked Sbox output, and Sbox(e) = (e·A + C)^-1 ·A + C.
Optionally, the formula of the subfunction is:
f(e+m,m,n)=[n·((e+m)·A+C)-mnA] -1 ·A=[n·e·A+n·C] -1 ·A。
Optionally, the first input determining module 911 determining the masked Sbox input in the current round of operation includes:
if the round key of the current round of operation is protected with a mask in the key expansion algorithm, obtaining the masked round key corresponding to the current round of operation and the mask random number corresponding to that masked round key;
and determining the masked Sbox input of the current round of operation from the input state word of the current round of operation, the masked round key and the mask random number corresponding to the masked round key.
Optionally, the first input determining module 911 determining the masked Sbox input of the current round of operation from the input state word of the current round of operation, the masked round key and the mask random number corresponding to the masked round key includes:
XORing the last three state words among the input state words of the current round of operation, the masked round key and the mask random number corresponding to the masked round key to obtain the masked Sbox input of the current round of operation.
Optionally, the first input determining module 911 mapping the masked Sbox input to the composite field includes:
representing the masked Sbox input by elements of the target set corresponding to the composite field, so as to map the masked Sbox input to the composite field.
Optionally, the operation result determining module 913 determining the operation result of the current round of operation from the masked Sbox output includes:
performing the linear transformation on the masked Sbox output and de-masking the result of the linear transformation to obtain the composite operation result;
determining the next state word computed by the current round of operation from the composite operation result; the next state word computed by the current round of operation and the last three state words among the input state words of the current round of operation serve as the operation result of the current round of operation.
Optionally, the operation result determining module 913 de-masking the result of the linear transformation includes:
XORing the result of the linear transformation with the fifth random number to remove part of the mask from the result of the linear transformation.
Optionally, the processing result determining module 914 determining the processing result of the data to be processed from the operation result of the last round of operation includes:
obtaining a candidate processing result of the data to be processed from the operation result of the last round of operation;
and XORing the candidate processing result of the data to be processed with the first random number to obtain the target processing result of the data to be processed.
Optionally, the cryptographic algorithm is an encryption algorithm comprising an iterative multi-round encryption operation, and the data to be processed is plaintext data; the processing result determining module 914 obtaining the candidate processing result of the data to be processed from the operation result of the last round of operation includes:
applying the reverse transformation to the operation result of the last round of encryption operation to obtain candidate ciphertext data of the plaintext data;
optionally, the processing result determining module 914 XORing the candidate processing result of the data to be processed with the first random number to obtain the target processing result of the data to be processed includes:
XORing the candidate ciphertext data with the first random number to obtain the target ciphertext data of the plaintext data.
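The masking function and sub-function given above (g and f) and the masked round of the data processing device (modules 911 to 915), carried through in working code. This is an added example; it is not the patent's code and not Haiguang's implementation. It assumes the published algebraic form of the SM4 Sbox (field polynomial x^8+x^7+x^6+x^5+x^4+x^2+1, affine constant C = 0xD3, linear part the circulant matrix that maps 2^i to rotl(0xCB, i)) and inverts directly in GF(2^8) rather than in the composite field, since the masking algebra does not depend on the representation. One ordering choice is the example's own: in GF(2^8) multiplication by n does not commute with the bit matrix A, so the example multiplies by n before the output matrix, and the second mask comes out as (m'·n)·A rather than m'·n. The concrete mask layout (first random number mu||mu||mu||mu, a fresh per-round round-key mask mr, fifth random number L((m'·n)·A)) is likewise an assumed instance of the scheme described; the key schedule is left unmasked. The masked encryption is checked against the standard SM4 test vector, and the masked Sbox against the unmasked one, in the accompanying assertions.

```python
# Added worked example, not the patent's code.  ASSUMED: the published algebraic
# form of the SM4 Sbox; inversion in GF(2^8) rather than in the composite field.
import os
POLY = 0x1F5  # x^8+x^7+x^6+x^5+x^4+x^2+1, field polynomial of the SM4 Sbox
C = 0xD3      # affine constant of the SM4 Sbox
# Linear part of the affine map: the circulant GF(2) matrix sending 2^i to
# rotl8(0xCB, i).  GF(2)-linear only, so it does not commute with GF(2^8) products.
A_IMG = tuple(((0xCB << i) | (0xCB >> (8 - i))) & 0xFF for i in range(8))
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")
           for i in range(32))

def gf_mul(a, b):
    """GF(2^8) product modulo POLY; bit i of a byte is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """a^254: the inverse for a != 0, and 0 for a = 0 as the Sbox needs."""
    r, p = 1, a
    for _ in range(7):
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r

def lin_a(x):  # x.A in the patent's row-vector notation
    out = 0
    for i in range(8):
        if (x >> i) & 1:
            out ^= A_IMG[i]
    return out

def sbox(e):
    """Sbox(e) = (e.A + C)^-1 . A + C, '+' being XOR."""
    return lin_a(gf_inv(lin_a(e) ^ C)) ^ C

def masked_sbox(e_plus_m, m, m2, n):
    """Return Sbox(e) + (m2*n).A from e+m; neither e nor Sbox(e) is ever formed.
    Sub-function f: n*((e+m).A + C) + n*(m.A) = n*x with x = e.A + C; its inverse
    n^-1 * x^-1 has lost the additive mask m and carries the multiplicative mask n.
    Adding m2 and multiplying by n gives x^-1 + m2*n, then the output affine map.
    ASSUMED: n is applied before the matrix A, since the two do not commute."""
    assert n != 0, "multiplicative mask must be invertible"
    nx = gf_mul(n, lin_a(e_plus_m) ^ C) ^ gf_mul(n, lin_a(m))
    y = gf_mul(gf_inv(nx) ^ m2, n)
    return lin_a(y) ^ C

def sbox_out_mask(m2, n):  # the second mask left on masked_sbox's result
    return lin_a(gf_mul(m2, n))

def rotl32(w, k):
    return ((w << k) | (w >> (32 - k))) & 0xFFFFFFFF
def l_data(b):  # linear transformation L of the round function
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)
def l_key(b):  # linear transformation L' of the key expansion
    return b ^ rotl32(b, 13) ^ rotl32(b, 23)

def bytewise(f, *words):  # apply a byte function lane by lane to 32-bit words
    lanes = zip(*(w.to_bytes(4, "big") for w in words))
    return int.from_bytes(bytes(f(*bs) for bs in lanes), "big")

def to_words(block):
    return [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(4)]

def nonzero_bytes(rng, k):  # multiplicative mask lanes must never be 0
    out = b""
    while len(out) < k:
        out += bytes(b for b in rng(k - len(out)) if b)
    return out

def key_expand(mk):
    """Reference (unmasked) key schedule; rk_i = K_{i+4}."""
    k = [w ^ f for w, f in zip(to_words(mk), FK)]
    for i in range(32):
        k.append(k[i] ^ l_key(bytewise(sbox, k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i])))
    return k[4:]

def sm4_encrypt_masked(pt, rks, rng=os.urandom):
    """Masked encryption.  ASSUMED layout: first random number = mu||mu||mu||mu,
    so every state word and Sbox input carry mu (the 'second random number');
    round key i is masked with a fresh mr; the fifth random number is L((m2*n).A)."""
    mu = int.from_bytes(rng(4), "big")
    x = [w ^ mu for w in to_words(pt)]                    # masked state words
    for i in range(32):
        mr = int.from_bytes(rng(4), "big")
        e_plus_m = x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ (rks[i] ^ mr) ^ mr  # mask: mu
        m2 = int.from_bytes(rng(4), "big")
        n = int.from_bytes(nonzero_bytes(rng, 4), "big")
        s_masked = bytewise(masked_sbox, e_plus_m, mu, m2, n)
        r5 = l_data(bytewise(sbox_out_mask, m2, n))        # fifth random number
        # fold into X0' before removing r5, so L(Sbox(.)) never appears unmasked
        x.append(x[i] ^ l_data(s_masked) ^ r5)
    ct = b"".join(w.to_bytes(4, "big") for w in (x[35], x[34], x[33], x[32]))
    return bytes(a ^ b for a, b in zip(ct, mu.to_bytes(4, "big") * 4))
```

The multiplicative mask n is drawn from the nonzero bytes, and a multiplicative mask does not hide the input with e·A + C = 0, for which n·x is 0 whatever n is (the zero-value problem of multiplicative masking): the result there is still correct, but that input is not randomized by n. In sm4_encrypt_masked the masked Sbox output is folded into the masked X0 before the fifth random number is XORed in, so that L(Sbox(·)) never appears unmasked; the order in which the patent's text states the two steps is the reverse.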
The embodiment of the application also provides a key expansion device, which can be regarded as the functional module that a computer device needs in order to implement the key expansion method provided by the embodiment of the application; the following description and the description above may be cross-referenced.
As an optional implementation, fig. 9B illustrates an optional block diagram of a key expansion device provided by an embodiment of the present application. The key expansion device is applicable to a computer device and is configured to provide, for the data processing device shown in fig. 9A, the masked round key corresponding to each round of operation, where the masked round key corresponding to a round of operation is the result of adding a mask random number to the round key of that round of operation; referring to fig. 9B, the key expansion device may include:
a master key obtaining module 920, configured to obtain a master key, where the master key is expanded into round keys by a key expansion algorithm comprising an iterative multi-round key expansion operation;
a second input determining module 921, configured to determine the masked Sbox input in the current round of key expansion operation and map the masked Sbox input to the composite field; the masked Sbox input is the result of adding a third mask to the Sbox input, the Sbox input is determined by the input key word and the round constant of the current round of key expansion operation, and the third mask is added to the input key word of the current round of key expansion operation;
a second output determining module 922, configured to input the masked Sbox input mapped to the composite field to a preconfigured masking function for operation, so as to obtain the masked Sbox output, which is the result of adding the second mask to the Sbox output; the masking function is used to compute the Sbox output corresponding to the Sbox operation and to convert the third mask in the masked Sbox input into the second mask in the masked Sbox output;
and a masked round key determining module 923, configured to determine the masked round key output by the current round of key expansion operation from the masked Sbox output.
Optionally, as shown in fig. 9B, the key expansion device provided in the embodiment of the present application may further include:
a second input XOR module 924, configured to XOR the master key, the key constant and the sixth random number before the iterative multi-round key expansion operation is performed, so that the seventh random number is added to the input key word of each round of key expansion operation of the key expansion algorithm, the seventh random number being split data of the sixth random number; the third mask is the seventh random number.
Optionally, the second output determining module 922 inputting the masked Sbox input mapped to the composite field to the preconfigured masking function for operation to obtain the masked Sbox output includes:
performing the operation of the masking function on the masked Sbox input, the seventh random number, the third random number and the fourth random number to obtain the masked Sbox output, where the second mask in the masked Sbox output is determined by the third random number and the fourth random number.
Optionally, the second output determining module 922 performing the operation of the masking function on the masked Sbox input, the seventh random number, the third random number and the fourth random number to obtain the masked Sbox output includes:
performing the operation of a sub-function of the masking function on the masked Sbox input, the seventh random number and the third random number, so that the seventh random number is removed from the result of the sub-function and the third random number is carried instead; and processing the result of the sub-function with the third random number and the fourth random number to obtain the masked Sbox output.
Optionally, the second mask is the product of the third random number and the fourth random number, and the formula of the masking function is:
g(e+m1, m1, m', n) = (f(e+m1, m1, n) + m')·n + C = ([n·e·A + n·C]^-1 · A + m')·n + C = Sbox(e) + m'·n;
where g denotes the masking function, e is the Sbox input, m1 is the seventh random number, e+m1 is the masked Sbox input, n is the third random number, m' is the fourth random number, f denotes the sub-function, C is a preset addition vector, A is a preset multiplication matrix, Sbox(e) is the Sbox output and Sbox(e) + m'·n is the masked Sbox output; and Sbox(e) = (e·A + C)^-1 · A + C.
Optionally, the masked round key determining module 923 determining the masked round key output by the current round of key expansion operation from the masked Sbox output includes:
performing the linear transformation on the masked Sbox output;
XORing the result of the linear transformation with the eighth random number to remove part of the mask from the result of the linear transformation and obtain the composite operation result, the mask remaining in the composite operation result being the mask random number, which is the most significant 32 bits of the sixth random number;
and XORing the composite operation result with the first key word among the input key words of the current round of key expansion operation to obtain the next key word carrying the mask random number, which serves as the masked round key provided by the current round of key expansion operation.
The embodiment of the application also provides a computer device, which may be provided with the data processing device provided by the embodiment of the application to implement the data processing method provided by the embodiment of the application, and/or with the key expansion device provided by the embodiment of the application to implement the key expansion method provided by the embodiment of the application. The computer device may be a data encryption and decryption device running a cryptographic algorithm such as SM4, and may be a terminal device or a server device. As an alternative implementation, fig. 10 illustrates an alternative block diagram of a computer device provided by an embodiment of the present application; referring to fig. 10, the computer device may include: at least one processor 1, at least one communication interface 2, at least one memory 3 and at least one communication bus 4.
In the embodiment of the present application there is at least one each of the processor 1, the communication interface 2, the memory 3 and the communication bus 4, and the processor 1, the communication interface 2 and the memory 3 communicate with each other through the communication bus 4.
Alternatively, the communication interface 2 may be an interface of a communication module for performing network communication.
Alternatively, the processor 1 may be a CPU (central processing unit), a GPU (graphics processing unit), an NPU (neural network processing unit), an FPGA (field-programmable gate array), a TPU (tensor processing unit), an AI chip, an ASIC (application-specific integrated circuit), or one or more integrated circuits configured to implement the embodiments of the present application.
The memory 3 may comprise high-speed RAM and may further comprise non-volatile memory, such as at least one disk memory.
The memory 3 stores one or more computer executable instructions, and the processor 1 invokes the one or more computer executable instructions to execute the data processing method provided by the embodiment of the present application and/or the key expansion method provided by the embodiment of the present application.
As an alternative implementation, the computer executable instructions may be round calculation instructions (such as SM4RD instructions), and/or key expansion instructions (such as SM4RK instructions).
The embodiment of the application also provides a storage medium, which stores one or more computer executable instructions, and when the one or more computer executable instructions are executed, the data processing method provided by the embodiment of the application and/or the key expansion method provided by the embodiment of the application are realized.
The foregoing describes several embodiments of the present application; the alternatives presented by the various embodiments may be combined and cross-referenced with each other where they do not conflict, and the resulting embodiments are all considered embodiments disclosed by the present application. Although the embodiments of the present application are disclosed above, the present application is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the application, and the scope of the application should be determined by the appended claims.

Claims (22)

1. A data processing method, comprising:
obtaining data to be processed, the data to be processed being processed with a cryptographic algorithm that comprises an iterative multi-round operation;
determining the masked Sbox input in the current round of operation and mapping the masked Sbox input to a composite field, where the masked Sbox input is the result of adding a first mask to the Sbox input, the Sbox input is determined by the input state word and the round key of the current round of operation, and the first mask is added to the input state word of the current round of operation;
inputting the masked Sbox input mapped to the composite field to a pre-constructed masking function for operation to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output, and the masking function is used to compute the Sbox output corresponding to the Sbox operation and to convert the first mask in the masked Sbox input into the second mask in the masked Sbox output;
determining the operation result of the current round of operation from the masked Sbox output;
and determining the processing result of the data to be processed from the operation result of the last round of operation.
2. The method of claim 1, wherein, before the iterative multi-round operation is performed, the method further comprises:
XORing the data to be processed with a first random number, so that a second random number is added to the input state word of each round of operation of the cryptographic algorithm, the second random number being split data of the first random number;
wherein the first mask is the second random number.
3. The method of claim 2, wherein inputting the masked Sbox input mapped to the composite field to the pre-constructed masking function for operation to obtain the masked Sbox output comprises:
performing the operation of the masking function on the masked Sbox input, the second random number, a third random number and a fourth random number to obtain the masked Sbox output, wherein the second mask in the masked Sbox output is determined by the third random number and the fourth random number.
4. The method of claim 3, wherein performing the operation of the masking function on the masked Sbox input, the second random number, the third random number and the fourth random number to obtain the masked Sbox output comprises:
performing the operation of a sub-function of the masking function on the masked Sbox input, the second random number and the third random number, so that the second random number is removed from the result of the sub-function and the third random number is carried instead;
and processing the result of the sub-function with the third random number and the fourth random number to obtain the masked Sbox output.
5. The method of claim 4, wherein the second mask is the product of the third random number and the fourth random number, and the formula of the masking function is:
g(e+m, m, m', n) = (f(e+m, m, n) + m')·n + C = ([n·e·A + n·C]^-1 · A + m')·n + C = Sbox(e) + m'·n;
wherein g denotes the masking function, e is the Sbox input, m is the second random number, e+m is the masked Sbox input, n is the third random number, m' is the fourth random number, f denotes the sub-function, C is a preset addition vector, A is a preset multiplication matrix, Sbox(e) is the Sbox output and Sbox(e) + m'·n is the masked Sbox output; and Sbox(e) = (e·A + C)^-1 · A + C.
6. The method of claim 5, wherein the formula of the sub-function is:
f(e+m, m, n) = [n·((e+m)·A + C) - m·n·A]^-1 · A = [n·e·A + n·C]^-1 · A.
7. The method of any one of claims 1-6, wherein determining the masked Sbox input in the current round of operation comprises:
if the round key of the current round of operation is protected with a mask in the key expansion algorithm, obtaining the masked round key corresponding to the current round of operation and the mask random number corresponding to the masked round key;
and determining the masked Sbox input of the current round of operation from the input state word of the current round of operation, the masked round key and the mask random number corresponding to the masked round key.
8. The method of claim 7, wherein determining the masked Sbox input of the current round of operation from the input state word of the current round of operation, the masked round key and the mask random number corresponding to the masked round key comprises:
XORing the last three state words among the input state words of the current round of operation, the masked round key and the mask random number corresponding to the masked round key to obtain the masked Sbox input of the current round of operation.
9. The method of any one of claims 1-6, wherein mapping the masked Sbox input to the composite field comprises:
representing the masked Sbox input by elements of the target set corresponding to the composite field, so as to map the masked Sbox input to the composite field.
10. The method of any one of claims 1-6, wherein determining the operation result of the current round of operation from the masked Sbox output comprises:
performing the linear transformation on the masked Sbox output and de-masking the result of the linear transformation to obtain the composite operation result;
determining the next state word computed by the current round of operation from the composite operation result, wherein the next state word computed by the current round of operation and the last three state words among the input state words of the current round of operation serve as the operation result of the current round of operation.
11. The method of claim 10, wherein de-masking the result of the linear transformation comprises:
XORing the result of the linear transformation with a fifth random number to remove part of the mask from the result of the linear transformation.
12. The method of any one of claims 2-6, wherein determining the processing result of the data to be processed from the operation result of the last round of operation comprises:
obtaining a candidate processing result of the data to be processed from the operation result of the last round of operation;
and XORing the candidate processing result of the data to be processed with the first random number to obtain the target processing result of the data to be processed.
13. The method of claim 12, wherein the cryptographic algorithm is an encryption algorithm comprising an iterative multi-round encryption operation and the data to be processed is plaintext data; obtaining the candidate processing result of the data to be processed from the operation result of the last round of operation comprises:
applying the reverse transformation to the operation result of the last round of encryption operation to obtain candidate ciphertext data of the plaintext data;
and XORing the candidate processing result of the data to be processed with the first random number to obtain the target processing result of the data to be processed comprises:
XORing the candidate ciphertext data with the first random number to obtain the target ciphertext data of the plaintext data.
14. A key expansion method for providing, for the data processing method of any one of claims 1-13, the masked round key corresponding to each round of operation, wherein the masked round key corresponding to a round of operation is the result of adding a mask random number to the round key of that round of operation; the key expansion method comprises:
obtaining a master key, the master key being expanded into round keys by a key expansion algorithm that comprises an iterative multi-round key expansion operation;
determining the masked Sbox input in the current round of key expansion operation and mapping the masked Sbox input to a composite field, where the masked Sbox input is the result of adding a third mask to the Sbox input, the Sbox input is determined by the input key word and the round constant of the current round of key expansion operation, and the third mask is added to the input key word of the current round of key expansion operation;
inputting the masked Sbox input mapped to the composite field to a pre-constructed masking function for operation to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output, and the masking function is used to compute the Sbox output corresponding to the Sbox operation and to convert the third mask in the masked Sbox input into the second mask in the masked Sbox output;
and determining the masked round key output by the current round of key expansion operation from the masked Sbox output.
15. The method of claim 14, wherein, before the iterative multi-round key expansion operation is performed, the method further comprises:
XORing the master key, the key constant and a sixth random number, so that a seventh random number is added to the input key word of each round of key expansion operation of the key expansion algorithm, the seventh random number being split data of the sixth random number;
wherein the third mask is the seventh random number.
16. The method of claim 15, wherein inputting the masked Sbox input mapped to the composite field to the pre-constructed masking function for operation to obtain the masked Sbox output comprises:
performing the operation of the masking function on the masked Sbox input, the seventh random number, a third random number and a fourth random number to obtain the masked Sbox output, wherein the second mask in the masked Sbox output is determined by the third random number and the fourth random number.
17. The method of claim 16, wherein the second mask is the product of the third random number and the fourth random number, and the formula of the masking function is:
g(e+m1, m1, m', n) = (f(e+m1, m1, n) + m')·n + C = ([n·e·A + n·C]^-1 · A + m')·n + C = Sbox(e) + m'·n;
wherein g denotes the masking function, e is the Sbox input, m1 is the seventh random number, e+m1 is the masked Sbox input, n is the third random number, m' is the fourth random number, f denotes the sub-function, C is a preset addition vector, A is a preset multiplication matrix, Sbox(e) is the Sbox output and Sbox(e) + m'·n is the masked Sbox output; and Sbox(e) = (e·A + C)^-1 · A + C.
18. The method of any one of claims 15-17, wherein determining the masked round key output by the current round of key expansion operation from the masked Sbox output comprises:
performing the linear transformation on the masked Sbox output;
XORing the result of the linear transformation with an eighth random number to remove part of the mask from the result of the linear transformation and obtain the composite operation result, the mask remaining in the composite operation result being the mask random number, which is the most significant 32 bits of the sixth random number;
and XORing the composite operation result with the first key word among the input key words of the current round of key expansion operation to obtain the next key word carrying the mask random number, which serves as the masked round key provided by the current round of key expansion operation.
19. A data processing device, comprising:
a data obtaining module, configured to obtain data to be processed, the data to be processed being processed with a cryptographic algorithm that comprises an iterative multi-round operation;
a first input determining module, configured to determine the masked Sbox input in the current round of operation and map the masked Sbox input to a composite field, where the masked Sbox input is the result of adding a first mask to the Sbox input, the Sbox input is determined by the input state word and the round key of the current round of operation, and the first mask is added to the input state word of the current round of operation;
a first output determining module, configured to input the masked Sbox input mapped to the composite field to a pre-constructed masking function for operation to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output, and the masking function is used to compute the Sbox output corresponding to the Sbox operation and to convert the first mask in the masked Sbox input into the second mask in the masked Sbox output;
an operation result determining module, configured to determine the operation result of the current round of operation from the masked Sbox output;
and a processing result determining module, configured to determine the processing result of the data to be processed from the operation result of the last round of operation.
20. A key expansion device, configured to provide, for the data processing device of claim 19, the masked round key corresponding to each round of operation, wherein the masked round key corresponding to a round of operation is the result of adding a mask random number to the round key of that round of operation; the key expansion device comprises:
a master key obtaining module, configured to obtain a master key, the master key being expanded into round keys by a key expansion algorithm that comprises an iterative multi-round key expansion operation;
a second input determining module, configured to determine the masked Sbox input in the current round of key expansion operation and map the masked Sbox input to a composite field, where the masked Sbox input is the result of adding a third mask to the Sbox input, the Sbox input is determined by the input key word and the round constant of the current round of key expansion operation, and the third mask is added to the input key word of the current round of key expansion operation;
a second output determining module, configured to input the masked Sbox input mapped to the composite field to a pre-constructed masking function for operation to obtain the masked Sbox output, where the masked Sbox output is the result of adding a second mask to the Sbox output, and the masking function is used to compute the Sbox output corresponding to the Sbox operation and to convert the third mask in the masked Sbox input into the second mask in the masked Sbox output;
and a masked round key determining module, configured to determine the masked round key output by the current round of key expansion operation from the masked Sbox output.
21. A computer device comprising at least one processor and at least one memory storing one or more computer-executable instructions, the processor invoking the one or more computer-executable instructions to perform the data processing method of any one of claims 1-13 and/or the key expansion method of any one of claims 14-18.
22. A storage medium storing one or more computer-executable instructions which, when executed, implement the data processing method of any one of claims 1-13 and/or the key expansion method of any one of claims 14-18.
CN202310588950.XA 2023-05-23 2023-05-23 Data processing method, key expansion method, device, equipment and storage medium Pending CN116614217A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310588950.XA CN116614217A (en) 2023-05-23 2023-05-23 Data processing method, key expansion method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN116614217A true CN116614217A (en) 2023-08-18

Family

ID=87676118


Country Status (1)

Country Link
CN (1) CN116614217A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination