CN116684071A - Method and system for realizing acceleration of white box protection scheme based on Boolean circuit - Google Patents


Info

Publication number
CN116684071A
Authority
CN
China
Prior art keywords
bit
encryption
white
box
protection scheme
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310817624.1A
Other languages
Chinese (zh)
Inventor
王锦良
王美琴
武旭晶
张卓龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quancheng Provincial Laboratory
Shandong University
Original Assignee
Shandong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong University
Priority to CN202310817624.1A
Publication of CN116684071A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box
    • H04L2209/34 Encoding or coding, e.g. Huffman coding or error correction

Abstract

The application belongs to the field of data encryption and provides an accelerated implementation method and system for a white-box protection scheme based on a Boolean circuit. A bit-slicing method is adopted, so that N groups of data can be encrypted in parallel in one encryption pass. The scheme uses pure logic operations and can perform data operations efficiently in different hardware environments. Throughput is markedly improved, and the acceleration gain grows in proportion to the degree of parallelism. In addition, further improvements to white-box encryption security are proposed and implemented, including additional obfuscation for structure hiding and an improved key encoding mode.

Description

Method and system for realizing acceleration of white box protection scheme based on Boolean circuit
Technical Field
The application belongs to the field of data encryption and in particular relates to an accelerated implementation method and system for a white-box protection scheme based on a Boolean circuit.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
With the rapid development of smartphones and similar devices, more and more encryption implementations are deployed in open environments, and conventional encryption algorithms such as AES have become fragile there. White-box cryptography serves as a key protection mechanism, has strong practical significance, meets the need for cryptographic systems on untrusted devices, and is widely applied in financial security, electronic commerce, the Internet of Things, mobile devices and similar scenarios.
In white-box cryptography the cryptographic algorithm is treated as a completely transparent "white box": it not only provides an encryption (decryption) interface to the outside but also exposes the internal implementation of the algorithm. With full knowledge of the implementation details, an attacker can analyse the internal processing of the algorithm, observe and modify the program and its internal data while it runs, and thereby obtain important information such as the encryption key or the ciphertext. With the rapid development of smartphones, wearable devices embedded with third-party applications and the like, more and more encryption implementations are deployed in untrusted environments, which has led to increasing interest in white-box encryption. White-box ciphers are mainly applied in fields requiring higher security, such as financial payment, digital rights management and smart markets. Beyond these traditional scenarios, white-box technology can be used for device authentication in the Internet of Things and similar applications, where it can prevent hackers from tampering with and attacking devices.
Compared with the traditional table-lookup method, a white-box encryption scheme based on Boolean functions has clear advantages in security and extensibility, but also the drawback of increased encryption time. The prior art adopts an encryption scheme with a nonlinear mask: every element in the encryption process is represented by mask values, on which bitwise logic operations are then performed. A nonlinear mask resists side-channel attacks better than a linear mask. The complex mask form strengthens the security of the encryption algorithm, but the computation is complex, so there is relatively large overhead and performance loss.
Disclosure of Invention
To solve the technical problems in the background art, the application provides a method and system for the accelerated implementation of a white-box protection scheme based on a Boolean circuit, filling the current gap in encryption algorithm design for white-box protection schemes. The method also provides an effective obfuscation scheme for generating the white-box encryption program, which further improves the security of the white-box scheme in terms of structure hiding. The application is flexible, can be adjusted for different white-box protection schemes, and has broad application prospects.
In order to achieve the above purpose, the present application adopts the following technical scheme:
The first aspect of the application provides a method for the accelerated implementation of a white-box protection scheme based on a Boolean circuit, comprising the following steps:
acquiring a plaintext and a secret key of the white box;
based on the secret key, carrying out several rounds of encryption on several groups of plaintext simultaneously, and obtaining the ciphertext by removing the mask and rearranging the bundle;
generating the round key of each round with a key expansion algorithm; before encryption, bit-slicing the plaintext and the secret key, splitting each N-bit datum bitwise into a plurality of 1-bit data so that the i-th bit of each input appears in the i-th word; the slices are rearranged during the bundle rearrangement using shift operations, and each plaintext bit is split into an n-bit encoded representation.
When generating the mask, each bit is represented by a three-bit code (a, b, c), where a and b are generated from random numbers and c is computed from them and the bit being encoded.
In the encryption process, irregular variable names are used and variables whose scope has ended are reused at random. The random reuse of variables comprises the following steps: two lists are maintained during encryption; the first list stores the names of all variables currently in scope, and when a variable leaves its scope its name is moved from the first list to the second list; when a new variable is created, the method checks whether the second list is empty: if it is, a random number combined with a fixed prefix is generated repeatedly until a new variable name results, which is declared and inserted into the first list; otherwise a variable name is selected at random from the second list, assigned to the new variable, and moved into the first list.
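As an added illustration (not the patent's own code), the following Python emitter applies the two-list scheme above to a straight-line Boolean circuit and emits C++-style lines; the name prefix, the digit count of the random number and the `bool` declaration syntax are assumptions.

```python
import random

# Assumed fixed prefix; the patent does not state the prefix it uses.
NAME_PREFIX = "v"


class ScopedNameReuser:
    """Irregular variable names with random reuse of names whose scope has ended.

    in_scope  is the patent's first list: names of all variables currently in scope.
    released  is the patent's second list: names whose variable has left its scope.
    """

    def __init__(self, seed=0, digits=6):
        self.rng = random.Random(seed)
        self.digits = digits
        self.in_scope = []
        self.released = []

    def _fresh_name(self):
        # Repeat "fixed prefix + random number" until the name is not yet known.
        while True:
            name = f"{NAME_PREFIX}{self.rng.randrange(10 ** self.digits)}"
            if name not in self.in_scope and name not in self.released:
                return name

    def new_variable(self):
        """Return (name, needs_declaration) for a newly created variable."""
        if not self.released:
            name = self._fresh_name()
            self.in_scope.append(name)
            return name, True
        # Pick a released name at random and move it back into scope.
        name = self.released.pop(self.rng.randrange(len(self.released)))
        self.in_scope.append(name)
        return name, False

    def end_scope(self, name):
        """Move a name from the first list to the second list."""
        self.in_scope.remove(name)
        self.released.append(name)


OPS = {"xor": "^", "and": "&", "or": "|"}


def emit_circuit(n_inputs, gates, seed=0):
    """Emit straight-line C++ for a Boolean circuit.

    gates: list of (op, lhs, rhs); wire k < n_inputs is input in<k>,
    wire n_inputs + g is the output of gate g (only earlier gates allowed).
    The last gate is the circuit output and stays in scope.
    Returns (lines, number_of_distinct_gate_names).
    """
    last_use = {}
    for g, (_, l, r) in enumerate(gates):
        last_use[l] = g
        last_use[r] = g
    names = [f"in{k}" for k in range(n_inputs)]
    reuser = ScopedNameReuser(seed)
    lines = []
    for g, (op, l, r) in enumerate(gates):
        name, fresh = reuser.new_variable()
        names.append(name)
        expr = f"{names[l]} {OPS[op]} {names[r]}"
        lines.append(f"bool {name} = {expr};" if fresh else f"{name} = {expr};")
        # Operands that are gate outputs and are never read again leave scope now.
        for w in {l, r}:
            if w >= n_inputs and last_use[w] == g:
                reuser.end_scope(names[w])
    return lines, len(set(names[n_inputs:]))


def xor_chain(length):
    """Constructed sample circuit: in0 ^ in1 ^ ... ^ in<length>, one gate per step."""
    gates = [("xor", 0, 1)]
    for k in range(2, length + 1):
        gates.append(("xor", length + 1 + (k - 2), k))
    return length + 1, gates
```

For the chain every intermediate result dies one gate later, so the whole circuit is emitted with only two distinct names, which is the variable multiplexing effect the patent describes.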
Also in the encryption process, the hard-coding mode of the key is improved: either the round key addition and byte substitution of AES are combined into a new T-table in the round key addition step of the AES encryption algorithm; or a shared global variable is split into three masks, each negation operation is performed as an exclusive OR with the three masks of the global variable, and the three masks of the global variable are then replaced by three new masks obtained from a refresh function.
In the S-box step of the AES encryption algorithm, the nonlinearity of the S-box is described by the algebraic normal form (ANF) of its Boolean functions.
In the linear layer of the AES encryption algorithm, the column mixing of the linear layer is implemented with a heuristic search framework;
in the masking step, a quadratic nonlinear masking scheme is employed.
The second aspect of the application provides an accelerated implementation system for a white-box protection scheme based on a Boolean circuit, comprising:
a data acquisition module configured to acquire a plaintext and a secret key of the white box;
an encryption module configured to carry out, based on the secret key, several rounds of encryption on several groups of plaintext simultaneously, and to obtain the ciphertext by removing the mask and rearranging the bundle;
an acceleration module configured to generate the round key of each round with a key expansion algorithm; before encryption, to bit-slice the plaintext and the secret key, splitting each N-bit datum bitwise into a plurality of 1-bit data so that the i-th bit of each input appears in the i-th word; and to rearrange the slices during the bundle rearrangement using shift operations, splitting each plaintext bit into an n-bit encoded representation.
A third aspect of the present application provides a computer-readable storage medium.
A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps in a method of accelerating the implementation of a boolean circuit based white-box protection scheme as described in the first aspect above.
A fourth aspect of the application provides a computer device.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps in a method of accelerating the implementation of a boolean circuit based white box protection scheme as described in the first aspect above when the program is executed.
Compared with the prior art, the application has the following beneficial effects:
The application adopts the bit-slicing method, can encrypt N groups of data in parallel in one encryption pass, realizes the acceleration of the Boolean-circuit-based white-box encryption algorithm, and has better performance.
The scheme uses pure logic operations and can perform data operations efficiently in different hardware environments. At the same time, it makes full use of the parallel computing and vectorization capabilities of modern processors, so throughput is markedly improved and the acceleration gain grows in proportion to the degree of parallelism.
The application further improves and explores the security of the quadratic nonlinear masking scheme and realizes an effective obfuscation scheme for generating the white-box encryption program, which includes: using irregular variable names, expanding all function calls and loops, randomly reusing variables whose scope has ended, and the like; in particular, the hard-coding mode of the secret key is improved, which further improves the security of the white-box scheme in terms of structure hiding. The application is flexible, can be adjusted for different white-box protection schemes, and has broad application prospects.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application.
FIG. 1 is a block diagram of the program logic of the present application;
FIG. 2 shows part of a generated white-box encryption program of the present application;
FIG. 3 is a frequency plot of the negation operation of the present application;
FIG. 4 is a frequency bar graph of the negation operation of the present application;
FIG. 5 is a diagram of a bundle stored in the memory of a 64-bit processor and rearranged according to the present application;
FIG. 6 is a block diagram of the 113-logic-gate AES S-box of the present application;
FIG. 7 is a block diagram of the LFSR generator of the present application;
FIG. 8 is a schematic diagram of the variable reuse case of the present application.
Detailed Description
The application will be further described with reference to the drawings and examples.
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the application. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the present application. As used herein, the singular is also intended to include the plural unless the context clearly indicates otherwise, and furthermore, it is to be understood that the terms "comprises" and/or "comprising" when used in this specification are taken to specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
It is noted that the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and systems according to various embodiments of the present disclosure. It should be noted that each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the logical functions specified in the various embodiments. It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or operations, or combinations of special purpose hardware and computer instructions.
Term interpretation:
Boolean circuit: a Boolean circuit essentially consists of logic gates and the wires connecting them.
Example 1
This embodiment provides an accelerated implementation method for a white-box protection scheme based on a Boolean circuit. The method is described as applied to a server for illustration; it can also be applied to a terminal, or to a system of terminal and server, and can be implemented through interaction between the terminal and the server. The server can be an independent physical server, a server cluster or distributed system formed by several physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, web servers, cloud communication, middleware services, domain name services, security services, CDNs, and basic cloud computing services such as big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smartphone, tablet computer, notebook computer, desktop computer, smart speaker, smart watch, etc. The terminal and the server may be connected directly or indirectly through wired or wireless communication; the present application is not limited in this respect. In this embodiment, the method includes the following steps:
acquiring a plaintext and a secret key of the white box;
based on the secret key, carrying out several rounds of encryption on several groups of plaintext simultaneously, and obtaining the ciphertext by removing the mask and rearranging the bundle;
generating the round key of each round with a key expansion algorithm; before encryption, bit-slicing the plaintext and the secret key, splitting each N-bit datum bitwise into a plurality of 1-bit data so that the i-th bit of each input appears in the i-th word; the slices are rearranged during the bundle rearrangement using shift operations, and each plaintext bit is split into an n-bit encoded representation.
The specific process of the embodiment comprises the following steps:
1. acquiring a plaintext and a secret key;
2. generating the round key of each round with a key expansion algorithm;
3. slicing the N-bit data into 1-bit data such that the i-th bit of each input appears in the i-th word;
4. generating pseudo-random numbers with an LFSR;
5. representing each bit by a 3-bit code (a, b, c), where a and b are generated from random numbers and c is calculated;
6. based on the key, encrypting the plaintext over several rounds, each round consisting of the four operations byte substitution (SubBytes), row shifting (ShiftRows), column mixing (MixColumns) and round key addition (AddRoundKey);
7. obtaining the ciphertext by removing the mask and rearranging the bundle.
The design of this embodiment is divided into two layers, as shown in FIG. 1.
The upper-layer program is written in Python; it performs key expansion and generates the white-box encryption program.
As shown in FIG. 2, the generated white-box encryption program is written in C++ and is about 1.4 million lines long. Code obfuscation is applied, so that on the surface the encryption body performs irregular Boolean logic operations and a white-box attacker who obtains the code cannot easily analyse its structure. The round key is written into the program by hard coding and does not appear explicitly, which further protects the key.
(1) Key expansion and encoding
The key expansion algorithm is completed in the upper-layer program, so it can be implemented with table lookups or with a Boolean circuit without affecting the efficiency or security of encryption. The round key of each round is written into the white-box encryption program by hard coding.
The specific expansion algorithm flow is as follows:
(1-1) The initial key is split into bytes, each byte represented as a tuple of elements.
(1-2) The number of round keys to expand is calculated from the number of AES encryption rounds.
(1-3) For each round key to be generated, the last byte of the previous round key is copied into a temporary array, and then:
(1-3-1) the bytes are circularly shifted left by 1 bit;
(1-3-2) a byte substitution is performed on the byte, using the AES S-box;
(1-3-3) 4 bytes are fetched from the temporary array and exclusive-ORed in turn with the first 4 bytes of the current round key;
(1-3-4) the first byte is exclusive-ORed with a fixed constant rCon that depends on i, the serial number of the round key.
(1-4) The generated round key is stored in the round key array, until the number of round keys generated equals the number of AES encryption rounds.
Writing the key into the encryption program by ordinary hard coding increases the risk of key leakage and thus the security risk of the program.
The AES steps that involve the negation operation are round key addition and the S-box. As shown in FIG. 3, the negation operation shows clear periodicity. The 11 segments with the larger slope are round key addition operations, in which many negations are repeated in succession. The 10 gentler segments are byte substitutions (S-box operations), with 4 negations per S-box. Immediately after the byte substitution there is a short segment with slope essentially 0: the column-mixing operation contains no negation.
Using Python's histogram function plt.hist(), with the bins parameter set to the square root of the sequence length (an adaptive binning rule), the data are assigned to equally spaced intervals and the count in each interval is computed. The result, FIG. 4, shows good periodicity and also clearly reveals the round structure of the encryption algorithm.
If an attacker can learn the round structure of the encryption algorithm, this information can be used to break it. During round key addition the round key is split into single bits, and for every bit equal to 1 a negation is performed; this produces a large number of negations in a short time, and in the worst case the whitening key may be exposed directly.
To avoid this risk of key leakage, keys are usually stored in a configuration file or generated dynamically by cryptographically secure methods, so that they are not exposed directly in the program. Another possible solution is to combine the round key addition and byte substitution of AES into a new table, but converting the new table into ANF brings problems such as increased overhead.
A shared global variable mf, with all bits set to 1 (that is, 0xff), is split into three masks. Each negation is performed as an exclusive OR with the three masks corresponding to mf. The exclusive-OR logic includes a refresh() function that returns a new random encoding of mf.
Replacing the original three masks of mf with the three new masks conceals the fixed-frequency reuse of the corresponding three mask variables.
(2) Bit slice
The slicing operation divides one N-bit datum bitwise into a plurality of 1-bit elements; in parallel computation, the same operation can then be performed independently on the corresponding 1-bit elements of many inputs. Parallel computation speeds up the overall operation. The method is especially suited to improving the parallelism and speed of encryption and decryption algorithms when processing large amounts of data.
In a bitslice implementation, instead of storing an N-bit number in a single variable, N variables (slices) are used. A data block is split bitwise into several bit blocks, and the data in each bit block is treated as a fixed number of bits, e.g. 32-bit data becomes 32 items of 1-bit data. The data are then arranged as a table in which each column holds the data of one bit position of the value and each row represents one group of data; all data are processed with the same logic operations, so that in a single logic operation many groups of data are interleaved and operated on in parallel.
The encryption algorithm is based on a Boolean circuit and cannot use if statements or other conditional statements, so this embodiment implements the slice rearrangement with shift operations.
As shown in FIG. 5, the bundle rearrangement uses shifts so that the first bit of each input appears in the first word, the second bit of each input in the second word, and so on. The rearrangement function is called twice per encryption of a bundle:
once on the plaintext before encryption starts, and once on the ciphertext after the encryption of the bundle has completed.
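The following Python code (added here, not part of the patent) shows the bundle rearrangement and its inverse built only from shifts, masks and ORs, and then a bit-sliced AddRoundKey and a single AND gate applied to every lane of the bundle at once; the lane count, key and sample bytes are constructed.

```python
def slice_bundle(inputs, width):
    """Bit-slice a bundle of N inputs of `width` bits into `width` words of N bits.

    Bit i of input j is moved to bit j of word i, so word i holds the i-th bit
    of every input. Only shifts, masks and ORs are used (no conditionals).
    """
    words = []
    for i in range(width):
        w = 0
        for j, x in enumerate(inputs):
            w |= ((x >> i) & 1) << j
        words.append(w)
    return words


def unslice_bundle(words, n_inputs):
    """Inverse rearrangement: word i, bit j -> input j, bit i."""
    outputs = []
    for j in range(n_inputs):
        x = 0
        for i, w in enumerate(words):
            x |= ((w >> j) & 1) << i
        outputs.append(x)
    return outputs


def sliced_add_round_key(words, key, lanes):
    """Bit-sliced AddRoundKey on every lane at once.

    The key is shared by all lanes, so key bit i becomes either an all-zero
    word (no change) or an all-one word, i.e. a negation of word i. This is
    the per-bit negation pattern that the patent's frequency plots expose.
    """
    all_ones = (1 << lanes) - 1
    return [w ^ (all_ones if (key >> i) & 1 else 0) for i, w in enumerate(words)]


def sliced_and(words_x, words_y):
    """One AND gate of the Boolean circuit, evaluated on all lanes in parallel."""
    return [x & y for x, y in zip(words_x, words_y)]


def demo(lanes=64, width=8, key=0xA5):
    """Constructed sample: `lanes` distinct bytes processed in one pass.

    Evaluates (x ^ key) & x on every lane via the sliced representation and
    compares with the per-lane scalar computation; returns True on agreement.
    """
    bundle = [(j * 37 + 11) & 0xFF for j in range(lanes)]
    words = slice_bundle(bundle, width)          # first rearrangement call
    keyed = sliced_add_round_key(words, key, lanes)
    gate_out = sliced_and(keyed, words)
    result = unslice_bundle(gate_out, lanes)     # second rearrangement call
    expected = [(x ^ key) & x for x in bundle]
    return result == expected
```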
(3) Masking
In the masking scheme of Biryukov, each bit is represented by a 3-bit code (a, b, c) in which a and b are generated from random numbers. True randomness is difficult to obtain in a white-box environment; pseudo-random number generation is described in detail later. c is obtained by calculation from a, b and the bit being encoded.
The upper-layer code encapsulates a mask class whose members are 3 mask variables. Its member functions include generating a random mask, decoding the mask, and overloaded And, Xor and Not operations; the encryption function first splits each plaintext bit into a 3-bit mask, and the decryption function restores the 3 mask bits to the plaintext bit.
After encryption is completed, the decoding formula is used to restore the mask to the ciphertext.
To compute on encoded variables, XOR, AND and NOT functions are defined. These functions operate on the encoded bits and return a new encoding as the result.
A refresh function returns a new random encoding of a for any random r.
The new encoding reveals no information about the old one, which further improves the security of the algorithm.
(4) S-box
The S-box is a nonlinear mapping of 128-bit inputs to outputs and is one of the most important parts of AES, implementing the substitution in the encryption and decryption operations.
The construction of the S-box is the core part of AES and involves the algebraic normal form (ANF) of Boolean functions. In the AES S-box construction, ANF is used to describe the nonlinear characteristics of the S-box. The S-box must satisfy certain substitution and nonlinearity properties, and ANF helps design an S-box that meets these requirements.
The S-box function of the input byte a is defined by two sub-steps:
Inversion: let c be the multiplicative inverse of a in the field (c = 0 if a = 0, where no inverse exists).
Affine transformation: the output is s = Mc ⊕ b, where M is a specified 8 x 8 bit matrix, b is a specified byte, and the bytes c, b and s are treated as bit vectors.
More specifically:
The AES algorithm uses a particular Galois field of 8-bit bytes in which the bits are the coefficients of a polynomial (polynomial basis) and multiplication is reduced modulo an irreducible polynomial q(x). (Its 9-bit binary representation is q(x) = 100011011, i.e. x^8 + x^4 + x^3 + x + 1; in the sense of comparing binary representations, this is the "smallest" irreducible polynomial of degree 8 over GF(2).)
Specifically, the AES S-box is implemented by combining a transformation over GF(2^8) (MDS) with the nonlinear SubBytes transformation. SubBytes uses a substitution table of 256 elements, each an 8-bit binary number, and ANF describes the nonlinear characteristics of this table. When constructing an S-box one looks for a set of elements such that the ANF has as few terms as possible, that is, the highest possible degree of nonlinearity; the goal of improving the nonlinearity of the S-box can be reached by optimising the number of terms generated in the ANF.
An unoptimised S-box requires about 3000 gates; the most advanced AES S-box is based on an ANF of 113 logic gates, whose structure, shown in FIG. 6, is divided into 27 layers.
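As an added example (not the patent's code), the following Python builds the S-box from the field inverse modulo q(x) and the affine map described above, then derives the ANF of each output bit by a Möbius transform so that the number of terms and the algebraic degree can be read off directly.

```python
Q = 0x11B   # q(x) = x^8 + x^4 + x^3 + x + 1, binary 100011011


def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo q(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= Q
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse via a^254 = a^-1 in GF(2^8); 0 maps to 0 by convention."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def affine(c, b=0x63):
    """s = M c + b; row i of the AES matrix M selects bits i, i+4, i+5, i+6, i+7 (mod 8)."""
    s = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (c >> ((i + k) % 8)) & 1
        s |= bit << i
    return s ^ b


def sbox(a):
    return affine(gf_inv(a))


def anf_of_coordinate(k):
    """Möbius transform of output bit k of the S-box.

    Returns the set of monomials as 8-bit masks: bit i set means x_i is a factor.
    """
    t = [(sbox(x) >> k) & 1 for x in range(256)]
    for i in range(8):
        for x in range(256):
            if x & (1 << i):
                t[x] ^= t[x ^ (1 << i)]
    return {x for x in range(256) if t[x]}


def eval_anf(monomials, x):
    """Evaluate an ANF (set of monomial masks) at input byte x."""
    v = 0
    for m in monomials:
        if x & m == m:
            v ^= 1
    return v


def anf_summary():
    """Per output bit: (number of ANF terms, algebraic degree)."""
    out = []
    for k in range(8):
        mons = anf_of_coordinate(k)
        degree = max(bin(m).count("1") for m in mons)
        out.append((len(mons), degree))
    return out


def anf_roundtrip_ok():
    """True if every coordinate's ANF reproduces the S-box on all 256 inputs."""
    for k in range(8):
        mons = anf_of_coordinate(k)
        if any(eval_anf(mons, x) != (sbox(x) >> k) & 1 for x in range(256)):
            return False
    return True
```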
(5) Linear layer
The linear layer of AES is a very important part, comprising the row shifting, column mixing and round key addition operations. In AES the linear layer is commonly called the "add-permutation layer"; it includes linear transformations and permutations. In the encryption phase, the linear layer receives the output of the round function and mixes it through a series of linear transformations, including bitwise exclusive OR, matrix multiplication, shifts and some permutation operations. These linear transformations are described by specific algebraic equations using the ANF of Boolean functions.
Row shifting in AES is typically performed as a step of the AES round function together with other operations, or implemented in the upper-layer program, where it directly changes the mapping between variables; round key addition is a simple repeated exclusive OR; so it is the efficiency of column mixing that matters in the encryption program. This embodiment adopts the fastest current implementation of linear-layer column mixing: the heuristic search framework iteratively divides the output bits until all input bits appear, which suits low-latency requirements. The backward framework ensures that every node reaches minimum depth and applies to all matrices, whereas the forward algorithm is not applicable to some matrices. This function affects whether a node can be used to generate a new node. Thus, for some matrices, the framework can cover more minimum-depth implementations than before within a limited time.
The heuristic search framework's implementation of AES column mixing with depth 3 and 103 XOR gates is one of the best minimum-depth hardware implementations of the AES linear layer.
(6) Pseudo-random number generator: LFSR
In Biryukov's masking scheme, each bit is represented by a 3-bit code (a, b, c) satisfying a fixed relation, where a and b are both random numbers. However, true randomness is difficult to obtain in a white-box environment, and an attacker can set all externally introduced random numbers to 0 to break the mask structure, so an excellent pseudo-random number generation algorithm is crucial for hiding the mask. Pseudo-random number generators widely used in cryptography include those based on LFSRs, hash functions or block ciphers. The pseudo-random number generation algorithm of this embodiment employs the LFSR scheme used by Biryukov.
The LFSR is a simple and fast method of generating pseudo-random numbers and is widely used in encryption, verification, data compression and other fields. Its advantages are simplicity, ease of implementation and high efficiency. Its hardware structure consists of several binary registers and exclusive-OR gates, as shown in Fig. 7.
An LFSR generates a pseudo-random sequence using shift and exclusive-OR operations. LFSR pseudo-random number generators typically follow a linear recurrence model: the current state of the register is combined with a set of predetermined coefficients through a series of exclusive-OR operations to obtain the next state, which realizes pseudo-random number generation efficiently. By selecting different coefficients, the LFSR generates different pseudo-random sequences. The built-in random-number functions of Python and C++11 are likewise based on LFSR generation.
Because the structure of the LFSR is fixed, each newly generated value depends on the state of the register. Since the number of registers is finite, the sequence starts to repeat once the number of generated random numbers reaches a specific value; by choosing a suitable primitive polynomial the period of the pseudo-random sequence can be made longer, achieving higher security.
In the experiment the number of registers is fixed at 128, the block length of the block cipher, and the primitive polynomial used was
The seed is the ciphertext obtained by running the initial plaintext through 2 rounds of AES in the unmasked state (here, running the rounds means that only the three steps of byte substitution, row shifting and column mixing of the AES round function are performed, and the round key addition step is ignored).
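The following is an added example of the LFSR construction described in this section; it is not the patent's code. It implements a Fibonacci LFSR over GF(2) for an arbitrary feedback polynomial and a period check that shows why a primitive polynomial matters. The degree-128 polynomial x^128 + x^29 + x^27 + x^2 + 1 is a tabulated primitive polynomial assumed here for illustration, since the polynomial the patent uses is not reproduced on the page; likewise the patent seeds the register with the result of two key-less AES rounds, whereas this example accepts any nonzero integer as the seed.

```python
"""Fibonacci LFSR pseudo-random generator, illustrating the passage above.

Added example, not the patent's code. The degree-128 polynomial below is a
tabulated primitive polynomial assumed for illustration; the polynomial the
patent actually uses is not reproduced on this page, and the patent derives
its seed from two key-less AES rounds, whereas here any nonzero integer is
accepted as the seed.
"""


class LFSR:
    """Fibonacci LFSR over GF(2) defined by the exponents of its feedback
    polynomial, e.g. [4, 3, 0] for x^4 + x^3 + 1."""

    def __init__(self, exponents, seed):
        self.n = max(exponents)
        # Exponent e taps register position n - e; the constant term is not a tap.
        self.shifts = [self.n - e for e in exponents if e > 0]
        self.mask = (1 << self.n) - 1
        if seed & self.mask == 0:
            raise ValueError("the all-zero state never leaves zero; pick another seed")
        self.state = seed & self.mask

    def step(self):
        """Shift one bit: output the bit leaving the register and feed the
        XOR of the tapped bits in at the top."""
        out = self.state & 1
        fb = 0
        for sh in self.shifts:
            fb ^= (self.state >> sh) & 1
        self.state = (self.state >> 1) | (fb << (self.n - 1))
        return out

    def word(self, k):
        """Collect k successive output bits into an integer (first bit = MSB)."""
        w = 0
        for _ in range(k):
            w = (w << 1) | self.step()
        return w


def period(lfsr):
    """Number of steps until the register state first returns to its start."""
    start = lfsr.state
    count = 0
    while True:
        lfsr.step()
        count += 1
        if lfsr.state == start:
            return count


# Assumed primitive polynomial x^128 + x^29 + x^27 + x^2 + 1 (not the patent's).
POLY_128 = [128, 29, 27, 2, 0]

if __name__ == "__main__":
    print("period of x^4 + x^3 + 1:", period(LFSR([4, 3, 0], 0b1000)))
    rng = LFSR(POLY_128, 0x0123456789ABCDEF)
    print("first 64-bit mask word:", hex(rng.word(64)))
```

With a primitive polynomial of degree 4 every nonzero start state cycles through all 15 nonzero states, which is the maximal period 2^n - 1 the passage alludes to; the all-zero state is the one fixed point, which is why the constructor rejects a zero seed.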
(7) Variable name design and multiplexing
The program code generated by this embodiment is more than 1.4 million lines long, yet it uses only about 900 temporary variables to store all intermediate states, and the variable names are highly reusable.
The upper-layer code maintains two lists of variable names, busy and free: busy holds the names of all variables currently in scope, and when a variable leaves its scope its name is popped from busy and pushed into free.
Each time a new variable is created, if free is not empty a name is selected at random from free, assigned to the new variable and moved into busy; if free is empty, a random number is repeatedly combined with the fixed prefix "whistebox" until a new variable name is produced, which is then declared and inserted into busy.
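The following is an added example of the busy/free name pool just described; it is not the patent's generator code. The prefix "wb", the seeded random source and the C-style statements it emits are constructed for the example, and the emit_xor_chain helper is a hypothetical generator step used only to exercise the pool.

```python
"""busy/free variable-name pool, as described in the passage above.

Added illustration, not the patent's generator code. The prefix "wb" and
the emitted C-style statements are constructed for the example; the patent
uses its own prefix and emits its own code.
"""
import random


class VariablePool:
    def __init__(self, prefix="wb", seed=0):
        self.prefix = prefix
        self.rng = random.Random(seed)     # seeded so the example is reproducible
        self.busy = []                     # names of variables currently in scope
        self.free = []                     # names whose variable has left its scope
        self.declared = []                 # every name ever declared, in order

    def acquire(self):
        """Name a new variable: reuse a random free name if one exists,
        otherwise coin a fresh prefix+random-number name not yet declared."""
        if self.free:
            name = self.free.pop(self.rng.randrange(len(self.free)))
        else:
            while True:
                name = f"{self.prefix}{self.rng.randrange(10**6)}"
                if name not in self.declared:
                    break
            self.declared.append(name)
        self.busy.append(name)
        return name

    def release(self, name):
        """The variable left its scope: move the name from busy to free."""
        self.busy.remove(name)
        self.free.append(name)

    def consistent(self):
        """Invariant: busy and free are disjoint and together hold every declared name."""
        return (not set(self.busy) & set(self.free)
                and sorted(self.busy + self.free) == sorted(self.declared))


def emit_xor_chain(pool, inputs):
    """Hypothetical generator step: emit straight-line code XOR-ing a list of
    input expressions into one accumulator, releasing each temporary as soon
    as it is consumed so its name can be handed out again."""
    lines = []
    acc = pool.acquire()
    lines.append(f"{acc} = 0;")
    for expr in inputs:
        tmp = pool.acquire()
        lines.append(f"{tmp} = {expr};")
        lines.append(f"{acc} ^= {tmp};")
        pool.release(tmp)         # tmp's scope ends here
    return acc, lines


if __name__ == "__main__":
    pool = VariablePool()
    acc, lines = emit_xor_chain(pool, [f"in[{i}]" for i in range(5)])
    print("\n".join(lines))
    print("declared names:", pool.declared)
```

Because a temporary is released before the next one is acquired, the chain needs only two declared names however many inputs it consumes, which is the effect the passage describes: a very long program served by a small, heavily reused set of names.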
In a white-box cipher, variable multiplexing has the following advantages for hiding the algorithm structure:
(7-1) Increased algorithm complexity: the same variable appears many times in the algorithm, and it may be difficult for an attacker to infer which occurrences are actually the same variable, which increases the complexity of an attack on the algorithm.
(7-2) Obfuscated operation steps: variable multiplexing also strengthens the obfuscation of the algorithm, mixing the different operation steps of the implementation together so that an attacker finds it difficult to distinguish which steps are the actual core encryption operations.
(7-3) Consistency with white-box cryptographic design: one of the design principles of white-box cryptography is to hide the implementation details of key derivation functions, including the structural and design choices of the algorithm. Variable multiplexing is one means of realizing this principle, since the implementation details of the algorithm can be hidden in a complex code structure.
To further improve security, this embodiment expands all function calls and loops, i.e. function bodies and loop bodies are written directly into the main function, so that the program loses readability and editability and its security is improved.
As shown in Fig. 8, the 907 variables each appear thousands of times on average, at positions spread throughout the program, which conceals the structure of the encryption algorithm well and offers some resistance to attacks such as variable statistics.
(8) Test results and analysis
Using the same mask and pseudo-random numbers, the average encryption time over several groups of plaintext was measured for three configurations under the same processor and network conditions: without BitSlice, with 8-bit parallel BitSlice and with 64-bit parallel BitSlice.
The test results are shown in Table 1 (average of 10 runs, precision 1e-9):
Table 1 Masking scheme test result statistics
For [number of groups not reproduced] groups of plaintext, the encryption speeds with 8-bit parallel BitSlice and 64-bit parallel BitSlice are 7.979 times and 61.997 times that without BitSlice, close to the ideal 8 times and 64 times.
For [number of groups not reproduced] groups of plaintext, the encryption speeds with 8-bit parallel BitSlice and 64-bit parallel BitSlice are 7.855 times and 61.52 times that without BitSlice, close to the ideal 8 times and 64 times.
The test results for the scheme without a mask are shown in Table 2:
Table 2 Test result statistics for the maskless scheme
For [number of groups not reproduced] groups of plaintext, the encryption speeds with 8-bit parallel BitSlice and 64-bit parallel BitSlice are 7.168 times and 3.51 times that without BitSlice respectively, below the expected 8 times and 64 times, which indicates that the slicing overhead cannot be ignored in this case and that the encryption speed is proportional to the amount of code.
Both groups of experiments on the masking scheme basically meet expectations, whereas the maskless scheme shows a poor acceleration effect. When the encryption cost is large, the extra overhead of slicing is negligible, and encrypting N groups of data in parallel with BitSlice makes full use of the processor's word width, giving a better acceleration effect. This approach can significantly reduce encryption time and improve encryption efficiency and performance, especially on large-scale data sets and in high-performance computing environments.
The application can therefore be applied to almost any white-box protection scheme based on a Boolean circuit. The acceleration scheme was tested on the basis of a second-order nonlinear masking scheme; multiple experiments were performed to test and analyze the encryption efficiency of 8-bit and 64-bit parallel BitSlice, and the encryption speed improved by approximately 8 times and 64 times, basically meeting the experimental expectations.
Example two
This embodiment provides an accelerated implementation system of a white-box protection scheme based on a Boolean circuit.
An accelerated implementation system of a white-box protection scheme based on a Boolean circuit, comprising:
a data acquisition module configured to: acquire a plaintext and a secret key of the white box;
an encryption module configured to: based on the secret key, carry out a plurality of rounds of encryption on a plurality of groups of plaintext simultaneously, and obtain the ciphertext through masking and rearrangement of the bundles;
an acceleration module configured to: generate the round key of each round using a key expansion algorithm; before encryption, carry out bit slicing on the plaintext and the secret key, splitting each N-bit datum into a plurality of 1-bit data bit by bit so that the ith bit of every input appears in the ith word; and, during rearrangement of the bundles, rearrange the slices using shift operations so that each plaintext bit is split into an n-bit encoded representation.
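The following is an added example of the bit-slicing transposition performed by the acceleration module; it is not the patent's code. It shows W blocks of N bits transposed into N words of W bits (so that bit i of every block lands in word i), the inverse transposition, and how round key addition and a nonlinear AND gate act on the sliced words, with one word operation covering all W blocks. The sample plaintexts and round key are constructed from a seeded generator; the 64-bit width matches the page's 64-bit parallel BitSlice configuration, and Python's arbitrary-precision integers stand in for the machine words a compiled implementation would use.

```python
"""Bit-slicing transposition used by the acceleration module described above.

Added example, not the patent's code. W blocks of N bits are transposed into
N words of W bits, so that bit i of every block sits in word i and one
bitwise operation on a word processes all W blocks at once. The sample
plaintexts and round key below are constructed with a seeded generator.
"""
import random


def bitslice(blocks, n_bits):
    """Transpose W blocks of n_bits bits into n_bits words of W bits:
    bit j of word i equals bit i of block j."""
    words = [0] * n_bits
    for j, block in enumerate(blocks):
        for i in range(n_bits):
            if (block >> i) & 1:
                words[i] |= 1 << j
    return words


def unbitslice(words, width):
    """Inverse of bitslice: rebuild `width` blocks from the sliced words."""
    blocks = [0] * width
    for i, word in enumerate(words):
        for j in range(width):
            if (word >> j) & 1:
                blocks[j] |= 1 << i
    return blocks


def sliced_add_round_key(words, round_key, width):
    """AddRoundKey in sliced form: key bit i is broadcast to an all-ones or
    all-zeros word and XORed into word i, covering all blocks in one XOR each."""
    ones = (1 << width) - 1
    return [w ^ (ones if (round_key >> i) & 1 else 0) for i, w in enumerate(words)]


def sliced_and(a_words, b_words):
    """A nonlinear gate (AND) on sliced data is the same word-wise operation;
    this is what lets a Boolean-circuit description run directly on slices."""
    return [a & b for a, b in zip(a_words, b_words)]


def demo(width=64, n_bits=128, seed=1):
    """Slice constructed plaintexts, add a round key in sliced form, unslice,
    and compare with the per-block computation. Returns True when they agree."""
    rng = random.Random(seed)
    blocks = [rng.getrandbits(n_bits) for _ in range(width)]   # constructed plaintexts
    key = rng.getrandbits(n_bits)                               # constructed round key
    words = bitslice(blocks, n_bits)
    result = unbitslice(sliced_add_round_key(words, key, width), width)
    return result == [b ^ key for b in blocks]


if __name__ == "__main__":
    print("sliced AddRoundKey matches per-block XOR:", demo())
```

The transposition itself costs N x W bit operations in this plain form, which is the slicing overhead the test results section says cannot be ignored when the encryption work per block is small; once the data is sliced, every gate of the Boolean circuit is a single word operation on all W blocks.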
It should be noted that the data acquisition module, the encryption module, and the acceleration module are the same as the examples and application scenarios implemented in the first embodiment, but are not limited to the disclosure of the first embodiment. It should be noted that the modules described above may be implemented as part of a system in a computer system, such as a set of computer-executable instructions.
Example III
The present embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps in the accelerated implementation method of the boolean circuit-based white-box protection scheme as described in the above embodiment.
Example IV
The present embodiment provides a computer device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the steps in the method for implementing the white-box protection scheme based on boolean circuits according to the above embodiment when executing the program.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. The method for realizing the acceleration of the white box protection scheme based on the Boolean circuit is characterized by comprising the following steps of:
acquiring a plaintext and a secret key of a white box;
based on the secret key, simultaneously carrying out a plurality of rounds of encryption on a plurality of groups of plaintext, and obtaining ciphertext through mask and rearrangement of the bundles;
generating a round key of each round by using a key expansion algorithm; before encryption, carrying out bit slicing on the plaintext and the secret key, splitting each N-bit datum into a plurality of 1-bit data bit by bit so that the ith bit of every input appears in the ith word; and, during rearrangement of the bundles, rearranging the slices using shift operations so that each plaintext bit is split into an n-bit encoded representation.
2. The method for accelerating the implementation of a Boolean circuit-based white-box protection scheme according to claim 1, characterized in that, in generating the mask, each bit is represented by a three-bit code (a, b, c) satisfying a fixed relation, where a and b are generated from random numbers and c is obtained by computation from them.
3. The method for accelerating the implementation of a Boolean circuit-based white-box protection scheme according to claim 1, characterized in that it comprises, during the encryption process: using irregular variable names to complete random reuse of the variables within a scope.
4. The method for accelerating the implementation of a Boolean circuit-based white-box protection scheme according to claim 3, characterized in that the random reuse of the variables specifically comprises: establishing a first list and a second list during the encryption process; the first list stores the names of all variables currently in scope, and when a variable leaves its scope its name is transferred from the first list to the second list; when a new variable is generated, judging whether the second list is empty, and if so, repeatedly generating a combination of a random number and a fixed prefix until a new variable name is produced, which is declared and inserted into the first list; otherwise, randomly selecting a variable name from the second list, assigning it to the new variable and moving the name into the first list.
5. The method for accelerating the white-box protection scheme based on the boolean circuit according to claim 1, characterized in that, in the encryption process, the key hard coding mode is improved, namely, in the round key addition process of the AES encryption algorithm, the round cipher addition and byte substitution of the AES are combined into a new T-table; or splitting a shared global variable into three masks, performing exclusive OR operation on the three masks of the global variable by each inverting operation, and replacing the three masks of the global variable by three new masks obtained by a refresh function.
6. The method for accelerating the implementation of a white-box protection scheme based on a boolean circuit according to claim 5, characterized in that, during the S-box process of the AES encryption algorithm, the nonlinearity of the S-box is described by using the boolean function ANF.
7. The method for accelerating the white-box protection scheme based on the Boolean circuit according to claim 5, wherein in the process of passing the linear layer of the AES encryption algorithm, a heuristic search framework is adopted to perform linear layer column mixing;
or, in the masking process, a masking scheme of a second order nonlinearity is employed.
8. An acceleration implementation system of a white-box protection scheme based on a boolean circuit, comprising:
a data acquisition module configured to: acquiring a plaintext and a secret key of a white box;
an encryption module configured to: based on the secret key, simultaneously carrying out a plurality of rounds of encryption on a plurality of groups of plaintext, and obtaining ciphertext through mask and rearrangement of the bundles;
an acceleration module configured to: generate the round key of each round using a key expansion algorithm; before encryption, carry out bit slicing on the plaintext and the secret key, splitting each N-bit datum into a plurality of 1-bit data bit by bit so that the ith bit of every input appears in the ith word; and, during rearrangement of the bundles, rearrange the slices using shift operations so that each plaintext bit is split into an n-bit encoded representation.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the accelerated implementation method of the boolean circuit based white-box protection scheme according to any of the claims 1-7.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps in the accelerated implementation method of the boolean circuit-based white-box protection scheme according to any of the claims 1-7 when executing the program.
CN202310817624.1A 2023-07-05 2023-07-05 Method and system for realizing acceleration of white box protection scheme based on Boolean circuit Pending CN116684071A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310817624.1A CN116684071A (en) 2023-07-05 2023-07-05 Method and system for realizing acceleration of white box protection scheme based on Boolean circuit

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310817624.1A CN116684071A (en) 2023-07-05 2023-07-05 Method and system for realizing acceleration of white box protection scheme based on Boolean circuit

Publications (1)

Publication Number Publication Date
CN116684071A true CN116684071A (en) 2023-09-01

Family

ID=87787430

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310817624.1A Pending CN116684071A (en) 2023-07-05 2023-07-05 Method and system for realizing acceleration of white box protection scheme based on Boolean circuit

Country Status (1)

Country Link
CN (1) CN116684071A (en)

Similar Documents

Publication Publication Date Title
US8155306B2 (en) Method and apparatus for increasing the speed of cryptographic processing
US6879689B2 (en) Stream-cipher method and apparatus
CN113940028B (en) Method and device for realizing white box password
US11546135B2 (en) Key sequence generation for cryptographic operations
US8504845B2 (en) Protecting states of a cryptographic process using group automorphisms
CN104270247B (en) Suitable for the efficient general Hash functions authentication method of quantum cryptography system
US20060023875A1 (en) Enhanced stream cipher combining function
CN107147487B (en) Symmetric key random block cipher
EP2148462A1 (en) A differential side-channel analysis countermeasure
JP2016505887A (en) Random number generator and stream cipher
US9418245B2 (en) Encryption processing device, encryption processing method, and program
Huang et al. A novel structure with dynamic operation mode for symmetric-key block ciphers
Lavanya et al. Enhancing the security of AES through small scale confusion operations for data communication
WO2021176242A1 (en) Scrambler apparatus and method in particular for cryptographic applications, and descrambler apparatus and method therefor
CN115987490A (en) Lightweight block cipher algorithm white-box construction method suitable for ARX structure
Misra et al. A New Encryption/Decryption Approach Using AES
CN116684071A (en) Method and system for realizing acceleration of white box protection scheme based on Boolean circuit
RU2738321C1 (en) Cryptographic transformation method and device for its implementation
Assaflia et al. The Evaluation of Time-Dependent Initialization Vector Advanced Encryption Standard Algorithm for Image Encryption
Nakahara Jr Lai-Massey Cipher Designs: History, Design Criteria and Cryptanalysis
Abubaker et al. DAFA-A Lightweight DES Augmented Finite Automaton Cryptosystem
CN115348018B (en) Data processing method, device and storage medium
CN116961880A (en) White box encryption method and system based on shannon expansion
CN114745105B (en) Image encryption method integrating quantum strolling and improving Advanced Encryption Standard (AES)
PRADANA et al. Improving the SMS Security and Data Capacity Using Advanced Encryption Standard and Huffman Compression

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240109

Address after: 250100 Jinan Center Science Park, Jingshi East Road, Licheng District, Jinan City, Shandong Province, China

Applicant after: Quancheng Provincial Laboratory

Applicant after: SHANDONG University

Address before: No.72 Binhai Road, Jimo, Qingdao, Shandong Province

Applicant before: SHANDONG University
