GB2443357A - Cryptographic logic circuits and method of performing logic operations - Google Patents

Cryptographic logic circuits and method of performing logic operations Download PDF

Info

Publication number
GB2443357A
GB2443357A GB0801055A GB0801055A GB2443357A GB 2443357 A GB2443357 A GB 2443357A GB 0801055 A GB0801055 A GB 0801055A GB 0801055 A GB0801055 A GB 0801055A GB 2443357 A GB2443357 A GB 2443357A
Authority
GB
United Kingdom
Prior art keywords
logic
data
cryptographic
random
circuit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB0801055A
Other versions
GB0801055D0 (en
GB2443357B (en
Inventor
Yoo-Jin Baek
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from KR1020050007705A external-priority patent/KR100725169B1/en
Application filed by Samsung Electronics Co Ltd filed Critical Samsung Electronics Co Ltd
Priority to GB0801055A priority Critical patent/GB2443357B/en
Publication of GB0801055D0 publication Critical patent/GB0801055D0/en
Publication of GB2443357A publication Critical patent/GB2443357A/en
Application granted granted Critical
Publication of GB2443357B publication Critical patent/GB2443357B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • HELECTRICITY
    • H03ELECTRONIC CIRCUITRY
    • H03KPULSE TECHNIQUE
    • H03K19/00Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits
    • H03K19/20Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits characterised by logic function, e.g. AND, OR, NOR, NOT circuits
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04Masking or blinding
    • H04L2209/046Masking or blinding of operations, operands or results of the operations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08Randomization, e.g. dummy operations or using noise
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry

Abstract

The cryptographic logic circuit, comprising: ```a first logic unit 321 configured to execute at least one logic operation for a plurality of data pairs, the data pairs including random data and random masking data; and ```a second logic unit 307 configured to execute a logic operation for the results of the first logic unit; ```wherein the first logic unit 321 includes: ```a first NOR gate 322 configured to execute a first logic NOR operation with first and second random masking data; ```a first NAND gate 323 configured to execute a first logic NAND operation with the first random masking data X' and second random data S; ```a second NOR gate configured to execute a second logic NOR operation with the first and second random data R, S; and ```a second NAND gate configured to execute a second logic NAND operation with first random data R and the second random masking data Y'. The cryptographic logic circuit may be a cryptographic OR or NOR logic circuit comprising a random masking scheme and having security against a power analysis attack.

Description

CRYPTOGRAPHIC LOGIC CIRCUITS AND METHOD OF PERFORMING
LOGIC OPERATIONS
nA.rli..JKuIJ1NI) [0001] Example embodiments of the present invention relate to cryptographic systems. More particularly, example embodiments of the present invention relate to a cryptographic logic circuits and methods of performing logic operations against power analysis attacks.
2] Various cryptographic technologies are capable of retrieving private information, for example, secret keys by measuring power consumption andlor operation times during an operation. Information leaking out during a cryptographic algorithm is known as side channel information, and attacks using side channel information are known as side channel attacks. Side channel attacks may be classified as timing attacks, fault insertion attacks, and power analysis attacks. Power analysis attacks may be further classified as simple power analysis (SPA) and differential power analysis (DPA).
3] FIG. I is a schematic diagram illustrating a conventional cryptographic system and illustrating an example of a power analysis attack.
4] Referring to FIG. 1, during a cryptographic algorithm for a low power system, for example, a smart card having a secret key embedded therein, an attacker may monitor features of transient voltage (or current) variations of an IC chip of the smart card and then read binary codes involved in various information.
5] A SPA may directly attack a secret key embedded in a smart card by monitoring power consumption pattern of a cryptographic processor operating in the smart card. A DPA may use statistical analysis and/or error correction techniques to retrieve information correlative with a secret key from a collected power consumption data. A DPA may be used to retrieve the secret key with just a few devices (e.g., oscillator, etc.) capable of monitoring voltage variations. A DPA may also carry out fabrication and modulation as well as information analysis by means of statistical analysis. Therefore, it may be important to protect the secret information from the DPA. As a protection scheme against the DPA, a random masking technique may be employed. A random masking technique may be effective against a DPA.
6] A random masking scheme may set a cryptographic algorithm after executing a logic operation with input data and random data. A random masking scheme arranges the input data as a plaintext to be randomized. A random masking scheme may change power consumption features during the cryptographic algorithm even if the same value as the input data may be applied thereto. Thus, it may be possible to prevent secret information from being leaked. There are various methods of randomly masking input data, for example, a logic XOR operation with input data and random data. Assuming, for example, that input data is P and random data is R, random masking data may be set to P R. In order to conduct an operation necessary for the input data as well as secure against a DPA, the operation needs to maintain data, which may arise from the procedure of processing a cryptographic algorithm, in the form of random masking pattern. Data in a form of a random masking pattern or a random masking data means data in which the random data may be combined with an operation result of the input data or a plurality of the input data.
7] For example, in a cryptographic algorithm, which logically XOR-operating (XORing), a plaintext P and a key K, and a random masking data of the plaintext P, for example, P R, may be used instead of the plaintext P in the XOR operation to protect against the DPA. In this case, the logic XOR operation with the random masking data P R and the key K results in (P R) K. The logic XOR operation permits a combination rule, the result may be rewritten into (P R) K = (P K) R. As a result, it may be possible to obtain the result of the logic XOR operation, P K, without disclosing information of the plaintext P. Further, the logic XOR operation result P K need not be disclosed, if the logic XOR operation is not the last operation of the cryptographic algorithm, the random masking method may be sufficient to the condition because its output value may be fonned in (P K) R. This method may also be known as a block cryptographic technique.
8] However, although such a cryptographic technique may be applicable to a logic XOR operation, it may not be possible to apply this technique directly to a cryptographic algorithm employing, for example, a logic AND operation with a plaintext P and a secret key K. A logic AND operation, to which the block cryptographic technique may be applied, may also generate a result (P R) K from a random masking data (P R) and the secret key K. However, because a combination rule is not available for logic AND operation, it may not be possible to get (P R) K =(P K) R.
9] Therefore, it may not be possible for a random masking technique to be applicable to a cryptographic algorithm (e.g., including a composite logic operation mixed with Boolean and arithmetic operations) employing one or more logic operations (e.g., AND, OR, etc.) not available with a combination rule.
SUMMARY OF THE INVENTION
0] In an example embodiment of the present invention, a cryptographic logic circuit may include a first logic unit configured to execute at least one logic operation for a plurality of data pairs, the data pairs including random data and random masking data, and a second logic unit configured to execute a logic operation for the results of the first logic unit.
1] In another example embodiment of the present invention, a cryptographic logic arithmetic circuit of a full adder may include a plurality of first logic units, each of the first logic units including a plurality of AND gates, and a plurality of second logic units, each of the second logic units including a plurality of XOR gates. Each of the AND gates of are configured to receive at least two input of first and second random data, first and second random masking data, first carry random data, and first carry random masking data, and each of the XOR gates are configured to receive at least three inputs of the output of the respective plurality of first logic units, the first carry random data and first carry random masking data.
2] In an example embodiment of the present invention, a method of performing a logic operation in a cryptographic logic circuit may include converting a plurality of input data and random data into a plurality of random masking data, executing a first logic operation on the random data and random masking data, executing a second logic operation on the output of the first logic operation, and outputting the result of the second logic operation random masking data.
BRIEF DESCRIPTION OF THE DRAWINGS
3] The accompanying drawings are included to provide a further understanding of example embodiments of the present invention, and are incorporated in and constitute a part of this specification. The drawings illustrate example embodiments of the present invention and, together with the description, serve to explain example embodiments of the present invention. In the drawings: [0014] FIG. 1 is a schematic diagram illustrating a conventional cryptographic system; [0015] FIG. 2 is a flow chart illustrating a logic operation procedure in accordance with an example embodiment of the present invention; [0016] FIGS. 3A through 3D and 4A through 4D are circuit diagrams illustrating cryptographic logic circuits in accordance with example embodiments of the present invention; [0017] FIGS. 5A and SB are circuit diagrams illustrating cryptographic logic circuits in accordance with other example embodiments of the present invention; [0018] FIGS. 6A through 6D and 7A through 7D are circuit diagrams illustrating cryptographic logic circuits in accordance with other example embodiments of the present invention;
] FIGS. 8A and 8B are circuit diagrams illustrating logic NOR cryptographic logic circuits in accordance with example embodiments of the present invention; [0020] FIG. 9 is a circuit diagram illustrating a cryptographic logic circuit in accordance with an example embodiment of the invention; [0021] FIG. 10 is a circuit diagram illustrating a cryptographic logic circuit in accordance with an example embodiment of the present invention; 10022] FIG. Ills a circuit diagram illustrating a cryptographic logic circuit in accordance with an example embodiment of the present invention; and [0023] FIGS. 12 through 16 are circuit diagrams illustrating arithmetic cryptographic logic circuits according to example embodiments of the present invention.
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
4] Example embodiments of the present invention will be described below in more detail with reference to the accompanying drawings. The present invention may, however, be embodied in different forms and should not be constructed as limited to the example embodiments set forth herein. Rather, these example embodiments are provided as working examples. Like numerals may refer to like elements throughout
the specification.
5] Cryptographic logic circuits and methods to perform a logic operation may adapt a random masking technique for logic operations for AND, OR, NAND, NOR, XOR, XNOR, and NOT. Cryptographic logic circuits having the above described configuration may be applicable to a composite logic operation mixed with more than two logic operations (e.g., Boolean and arithmetic operations), to protect a cryptographic algorithm or an arithmetic operation unit against a power analysis attack.
6] FIG. 2 is a flow chart illustrating a logic operation procedure in accordance with an example embodiment of the present invention. The logic operation illustrated in FIG. 2 may be operable with a random masking scheme having security against a power analysis attack. The logic operation may also be applicable for circuits (or units), which may or may not be available with a combination rule. in example embodiments of the preset invention, a cryptographic logic circuit may be configured to conduct at least one logic operation among AND, OR, NAND, NOR, XOR, XNOR, and NOT.
7] Referring to FIG. 2, the logic operation method in a cryptographic logic circuit (or unit) according to an example embodiment of the present invention may generate random data, e.g., R and S (S1000). The random data R and S generated at S 1000 are input for a logic XOR operation together with input data X and Y. After completing the logic XOR operation, random masking data X' and Y' may be generated (Si 100). The first random masking data X' may be obtained from the logic XOR operation with a first input data X and the first random data R, while the second random masking data Y' may be obtained from a logic XOR operation with the second input data Y and the second random data R. [0028] The random masking data X' and Y' and the random data R and S may be combined to form data pairs (X', Y'), (X', S), (R, Y'), (R, S), and so forth (S 1200).
One or more logic operations (first logic operation) may be carried out on data pairs (X', Y'), (X', S), (R, Y'), (R, 5), and so forth (S 1300). In S 1300, in addition to an XOR logic circuit, an AND, OR, NAND, and NOR logic circuit may be available to conduct logic operations. During SI 300, one or more logic operations may be carried out for the data pairs (X', Y'), (X', 5), (R, Y'), (R, S). After executing one or more logic operations for the data pairs, results of the operations may be combined to be matched with the logic operation value to be used in a cryptographic logic circuit (S 1400). In SI 400, at least one of logic XOR and XNOR operations (second logic operation) may be carried out for the combined results of the first logic operation. A result of the second logic operation, may be formed in a pattern of the random masking data. Output data in the form of the random masking data may be output as a logic operation result of the cryptographic logic circuit (S 1500).
9] The cryptographic logic circuits may be applicable to a composite logic operation (e.g., mixed Boolean and arithmetic operations for one of the logic operations). Output data and data used in logic operations may be composed in a form of random masking data. The operation unit with this configuration may be applicable to an arithmetic cryptographic logic circuit executing at least one of addition, subtraction, multiplication, and division. Both the result of the logic operation and data to be used in the arithmetic operation may be formed in a pattern of the random masking data, so that the original data may not be disclosed by power analysis attacks.
In addition, the cryptographic logic circuits may be able to be constructed in a hardware architecture each capable of performing a logic operation (AND, OR, NAND, NOR, XOR, XNOR, and NOT). Therefore, it may be possible to design a cryptographic system capable executing a complicated algorithm by combining various cryptographic logic circuits (or units) against the power analysis attacks.
0] Example embodiments of various cryptographic logic circuits applicable to the logic operations scheme are illustrated in FIG. 2. The cryptographic logic circuits described herein below may be applicable to a random masking scheme to secure against power analysis attacks, and compatible with either logic operations available or unavailable to the combination rule. The cryptographic logic circuits may be configured to execute one of logic operations AND, OR, NAND, NOR, XOR, XNOR, and NOT.
(0031] FIGS. 3A through 3D and 4A through 4D are circuit diagrams illustrating cryptographic AND logic circuits, 10-16 and 20 -26, in accordance with example embodiments of the present invention.
2] Referring to FIG. 3A, a cryptographic AND logic circuit 10 may be comprised of a first logic operation unit 101 and a second logic operation unit 107. The first logic operation unit 101 may be composed of first through fourth logic circuits 102 105. Each of the logic circuits may be an AND gate. The first logic operation circuit 102 may execute a logic AND operation X'Y' with a first random masking data X' and a second random masking data Y'. The second logic operation circuit 103 may execute a logic AND operation X'S with the first random masking data X' and a second random data S. The third logic operation circuit 104 may execute a logic AND operation RY' with a first random data R and the second random masking data Y'. The fourth logic operation circuit 105 may execute a logic AND operation RS with the first random data R and the second random data S. The random data R and S and the random masking data X' and Y' input to the first through fourth logic operation circuits 102 105 may be randomly generated at each clock cycle. The first random masking data X' may be a result of a logic XOR operation with the first input data X and the first random data R, while the second random masking data Y' may be a result of a logic XOR operation with the second input data Y and the second random data S. [0033] Results of the first through fourth logic operation circuits 102 105 may be combined by the second logic operation unit 107, and the combined results may be output in a form of block masking data. The second logic operation unit 107 may be comprised of a first logic combination circuit 108 and a second logic combination circuit 109, and each may be constructed of an XOR gate. The first logic combination circuit 108 may execute a logic XOR operation with the result of the logic AND operation by the first logic operation circuit 102, X'Y', the result of the logic AND operation by the second logic operation circuit 103, X'S, and the second random masking data Y'. The second logic combination circuit 109 may execute a logic XOR operation with the result of the logic AND operation by the third logic operation circuit 104, RY', the result of the logic AND operation by the fourth logic operation circuit 105, RS, and the second random masking data Y'.
4] The results of the logic XOR operations by the first and second logic combination circuits 108 and 109 may be output as results of the cryptographic logic circuit 10. The logic AND operation may result from the cryptographic AND logic circuit 10, Y'e(RY')(RS) and Y'e(X'Y')(X'S), may all be generated in a form of random masking data. If a further XOR operation is carried out for the two logic AND operation results Y' (RY') e (RS) and Y' (X'Y') (X'S), the required operation result XP may be obtained.
5] The result may be summarized by Equation I as follows.
[Equation 1] {Y' (X'Y') (X'S)} {Y' (RY')(RS)) = {(X'Y') (X'S)} {(RY')(RS)} = (X'(Y'eS)}{R(Y'S)) =(Y'S)(X'R) = ((Ye S) S))((X R) R)) = (Y (S S))((X (R R)) =Y.x =x.Y [00361 According to the cryptographic AND logic circuit 10, when the four 1-bit data, X'(X R), Y'(=Y e S), R, and S, are provided thereto, the data used in the operation and the data as the result of the operation, as well as the input data X and Y, are all formed in the random masking data pattern. Thus, secret information may not be disclosed during a logic operation. As the probability distribution of the intermediate calculating values is independent from the input data X and Y, it may be possible to obtain the logic operation result originally intended when the results of the cryptographic AND logic circuit 10 are each put into the logic XOR operations.
7] The features shown in FIGS. 3B through 3D may be modifications of the cryptographic AND logic circuit 10 illustrated in FIG. 3A. Comparing cryptographic AND logic circuits 12, 14, and 16 with the cryptographic AND logic circuits 10 of FIG. 3A, design of each circuits are similar, except for the arrangement of combination with data to be used in operation. Thus for brevity, similar features will not be described; in addition, same reference numbers are used. It should also be noted that the cryptographic AND logic circuits 12 16 may further be modified by adjusting the various arrangement of combination with the random masking data X' and Y' and the random data R and S. Similar to the cryptographic AND logic circuit 10 illustrated in FIG. 3A, if an XOR operation is carried out by the cryptographic AND logic circuits 12 16, the results obtained by each of the cryptographic AND logic circuits may be the required operation result XY for the two input data X and Y. [0038] The cryptographic AND logic circuits 20 26 illustrated in FIGS. 4A through 4D may be modifications of corresponding cryptographic AND logic circuits 16 illustrated in FIGS. 3A through 3D, respectively. The cryptographic AND logic circuits 20 26 may be constructed by substituting NAND gates for the AND gates used in the cryptographic AND logic circuits 10 -16 of FIGS. 3A through 3D.
Therefore, the cryptographic AND logic circuits 20 -26 may be similar to those of FIGS. 3A through 3D, except for the structure of first logic operation units. Thus, redundant details will not be described.
9] As is well known by those skilled in the art, a NAND gate has a smaller size than an AND gate. Therefore, it will be understood that substituting NAND gates for AND gates enables a hardware architecture to be simpler to provide for a smaller chip size. Such reduced in hardware architecture arises from the characteristic of a logic XOR operation defined in Equation 2 as follows.
[Equation 2] xey [0040] The truth table X Y and X Y described in Equation 1 may be arranged as follows.
[Table 1] ________________________ _______________________ x Y xY o 0 0 o 1 1 I 1 0 [Table 2] ___________________________ ___________________________ 1 0 1 0 1 0 1 1 0 0 0 [0041] Referring to Equation 2, Table 1, and Table 2, the AND operation results, Y' e (X'Y')e(X'*S) and Y' (RY') (RS), may be transformed into Y'e(X'.Y') (X'S) and Y'(R Y) e (R S), respectively. With such a characteristic of the XOR operation, the AND gates included in the cryptographic AND logic circuit 10, for example, the logic operation circuits 102 105 may be substituted with NAND gates 202 -205 as illustrated in FIG. 4A.
2] The cryptographic NAND logic circuit 22 as illustrated in FIG. 4B may be reduced from the cryptographic AND logic circuits 12 illustrated in FIG. 3B, and the cryptographic NAND logic circuit 24 illustrated in FIG. 4C may be reduced from the cryptographic AND logic circuit 14 illustrated in FIG. 3C. The cryptographic NAND logic circuit 26 illustrated in FIG. 4D may be reduced from the cryptographic AND logic circuit 16 illustrated in FIG. 3D. Thus, further description of the cryptographic NAND logic circuits 20 -26 will be omitted.
3] FIG. 5A and 5B are circuit diagrams illustrating cryptographic OR logic circuits 30 and 32 capable of executing logic OR operations for the first and second input data X and Y in accordance with other example embodiments of the present invention.
4] Referring to FIG. 5A, the OR logic circuit 30 may be comprised of a first logic operation unit 301 and a second logic operation unit 307. The first logic operation unit 301 may be composed of first through fourth logic operation circuits 302 -305.
Each of the logic operations circuits 302 305 may be either an AND gate, an OR gate, or a combination thereof. The first logic operation circuit 302 may execute a logic OR operation X'+Y' with a first random masking data X' and a second random masking data Y'. The second logic operation circuit 303 may execute a logic AND operation X'S with the first random masking data X' and a second random data S. The third logic operation circuit 304 may execute a logic AND operation RY' with a first random data R and the second random masking data Y'. The fourth logic operation circuit 305 may execute a logic OR operation R+S with the first random data R and the second random data S. The random data R and S and the random masking data X' and Y' input to first through fourth logic operation circuits 302 -305 may be randomly generated at each clock cycle. The first random masking data X' may be a result of a logic XOR operation with the first input data X and the first random data R, while the second random masking data Y' may be a result of a logic XOR operation with the second input data Y and the second random data S. [0045] The results from the first through fourth logic operation circuits 302 -305 may be combined by the second logic operation unit 307, and the combined results may be output as block masking data. The second logic operation unit 307 may be comprised of a first logic combination circuit 308 and a second logic combination circuit 309. Each of the logic combination circuits may be an XOR gate. The first logic combination circuit 308 may execute a logic XOR operation with the result of the logic OR operation by the first logic operation circuit 302, X'+Y', and the result of the logic AND operation by the second logic operation circuit 303, X'S. The second logic combination circuit 309 may execute a logic XOR operation with the result of the logic AND operation by the third logic operation circuit 104, RY', and the result of the logic OR operation by the fourth logic operation circuit 105, R+S.
6] The results of the logic XOR operations by the first and second logic combination circuits 308 and 309 may be output as results of the cryptographic OR logic circuit 30. The logic AND operation results from the cryptographic OR logic circuit 30, (X'+Y')(X'S) and (RY')(R+S), may all be generated in the form of random masking data. If a further XOR operation is carried out for the two logic OR operation results (X'+Y') e (X.S) and (RY') (R+S), the required operation result X+Y may be required.
7] Referring to FIG. 5B, the logic OR operation circuit 30 may be modified to form the cryptographic OR logic circuit 32 by replacing AND gates with NAND gates.
Therefore, the cryptographic OR logic circuits 32 may be similar to the cryptographic OR logic circuit 30 of FIG. 5A. Therefore, details of similar elements andlor operations will be omitted. Hardware architecture reduction with the cryptographic OR logic circuit 32 arises from the characteristic of the logic XOR operation defined in Equation 2.
8] In the cryptographic OR logic circuits 30 and 32 shown in FIGS. 5A and 5B, when a four 1-bit data, X'(=X R), Y'(=Y S), R, and S, are given thereto, the data used in the operation and the data as the result of the operation, as well as the input data X and Y, may all be formed in a random masking data pattern. Thus, there may not be a disclosure of secret information during a logic operation by a power analysis attack. As the probability distribution of the intermediate calculating values may be independent from the input data X and Y, it may be possible to obtain the logic operation result originally intended when the results of the cryptographic OR logic circuits 30 and 32 are each put into the logic XOR operations.
9] FIGS. 6A through 6D and 7A through 71) are circuit diagrams illustrating cryptographic NAND logic circuits, 40 46 and 50 -56, respectively, in accordance with example embodiments of the present invention, capable of executing logic NAND operations for first and second input data X and Y. Comparing the cryptographic NAND logic circuit 40 46 and 50 56 illustrated in FIGS. 6A through 7D with the cryptographic AND logic circuit 10-16 and 20 -26 illustrated in FIGS. 3A through 4D, the circuits are similar to each other, except for a second logic operation units 407.
Therefore, further detail description of similar elements/or and operations will be omitted.
0] According to the cryptographic NAND logic circuit 40 -46 and 50 -56, when four 1-bit data, X'(=XR), Y'(=YS), R, and S, are given thereto, the data used in the operation and the data as the result of the operation, as well as the input data X and Y, may all be formed in a random masking data pattern. Thus, secret information may not be disclosed during the logic operation against power analysis attacks. As the probability distribution of the intermediate calculating values may be independent from input data X and Y, it may be possible to obtain the logic operation result originally intended when the results of the cryptographic NAND logic circuits 40 -46 and 50 -56 are each put into the logic XOR operations.
1] FIG. 8A and 8B are circuit diagrams illustrating cryptographic NOR logic circuits 60 and 62 in accordance with another example embodiments of the present invention, capable of executing logic NOR operations for first and second input data X and Y. The cryptographic NOR logic circuits 60 and 62 illustrated in FIGS. 8A and 8B may output results of the logic NOR operations, altering the logic combinations of the first logic operation units 301 and 321 of the cryptographic OR logic circuits 30 and 32 as illustrated in FIGS. 5A and 5B. The cryptographic NOR logic circuits 60 and 62 of FIGS. 8A and 8B may be similar to the cryptographic OR logic circuits 30 and 32, except for the construction of the second logic operation units 607. Thus, further detail description of similar elements and/or operations will be omitted.
2] For example, according to the cryptographic NOR logic circuits 60 and 62 as illustrated in FIGS. 8A and SB, when four 1-bit data, X'(=X R), Y'(=Y 5), R, and S, are given thereto, the data used in the operation and the data as the result of the operation, as well as the input data X and Y, may all be formed in a random masking data pattern. Thus, secret information during a logic operation may not be disclosed against power analysis attacks. As the probability distribution of the intermediate calculating values is independent from the input data X and Y, it may be possible to obtain the logic operation result originally intended when the results of cryptographic NOR logic circuits 60 and 62 are each put into the logic XOR operations.
3] FIG. 9 is a circuit diagram illustrating a cryptographic logic circuit 70 in accordance with an example embodiment of the present invention, and FIG. 10 is a circuit diagram illustrating another cryptographic logic circuit 80 in accordance with an example embodiment ofthe present invention.
4] Referring to FIG. 9, the cryptographic logic circuit 70 may be comprised of a first logic operation unit 701 and a second logic operation unit 705. The first logic operation unit 701 may execute a logic XOR operation X' Y' with a first random masking data X' and a second random masking data Y'. The second logic operation circuit 705 may execute a logic XOR operation R S with a first random data R and a second random data S. The results of the logic XOR operations by the first and second logic operation circuits 701 and 705, X' Y' and R S, may be output as results of the cryptographic logic circuit 70.
[0055) Referring to FIG. 10, the cryptographic logic circuit 80 may be comprised of a first logic operation unit 801 and a second logic operation unit 805. The first logic operation unit 801 may execute a logic XOR operation X' Y' with a first random masking data X' and a second random masking data Y'. A second logic operation circuit 805 may execute a logic XOR operation R S with a first random data R and a second random data S. The results of the logic XOR operations by the first and second logic operation circuits 801 and 805, X' Y' and R S, may be output as results of the cryptographic logic circuit 80.
6] According to the cryptographic logic circuits 70 and 80, when four 1-bit data, X'(=X R), Y'(Y S), R, and S, are given thereto, the data used in the operation and the data as the result of the operation, as well as the input data X and Y, may all be formed in the random masking data pattern. Therefore, secret information may not be disclosed during a logic operation against power analysis attacks. In this case, as the probability distribution of the intermediate calculating values is independent from the input data X and Y, it may be possible to obtain the logic operation result originally intended when the results of the cryptographic logic circuits 70 and 80 are each put into the logic XOR operations.
7] FIG. 11 is a circuit diagram illustrating a cryptographic NOT logic circuit in accordance with an example embodiment of the present invention.
8] Referring to FIG. 11, the cryptographic NOT logic circuit may be comprised of a logic operation unit 901 that executes a logic NOT operation R with a first random data R. The result of the logic NOT operations by the logic operation circuit 901, and the first random masking data X' may be output as results of the cryptographic NOT logic circuit 90.
9] According to the cryptographic NOT logic circuit 90 two 1-bit data, X'(=X R) and R, are given thereto, the data used in the operation and the data as the result of the operation, as well as the input data X and Y, may all be formed in the random masking data pattern. Therefore, secret information may not be disclosed during a logic operation against power analysis attacks. In this case, as the probability distribution of the intermediate calculating values is independent from the input data X and Y, it may be possible able to obtain the logic operation result originally intended when the results of the cryptographic NOT logic circuit 90 are each put into the logic XOR operation.
(0060] FIGS. 12 through 16 are circuit diagrams illustrating cryptographic arithmetic logic circuit according to example embodiments of the present invention.
FIG. 12 illustrates a circuit structure of a full adder 100 composed of three cryptographic logic AND circuits 20a 20c and two cryptographic XOR logic circuits 70a and 70b. FIG. 13 illustrates a circuit structure of a full adder 200 composed of two cryptographic AND logic circuits 20a and 20b, two cryptographic logic XOR circuit 70a and 70b, and a single cryptographic OR logic circuit 32. FIG. 14 illustrates a circuit structure of a full adder 300 composed of three cryptographic logic AND circuits 50a - 50c and two cryptographic XOR logic circuits 70a and 70b.
(0061] The full adders 100 -300 illustrated in FIGS. 12 through 14 may all carry out similar functions, but may be constructed in different circuit patterns according to design rules. The cryptographic logic circuits included in each of the full adders 100 300 may also be varied. For instance, the cryptographic AND logic circuits 20a 20c employed in the full adder 100 of FIG. 12 may be substituted each with the cryptographic AND logic circuits 10 -16 and 20 26 illustrated in FIGS. 3A through 4D. These various constructions may also be available for other cryptographic logic circuits (e.g., cryptographic OR logic circuits, cryptographic NAND logic circuits, the logic NOR operation apparatuses, and so forth). Thus, the full adders 100 -300 illustrated in FIGS. 12 through 14 may be varied in accordance with the types of the cryptographic logic circuits employed therein.
2] FIG. 15 illustrates a symbolic circuit diagram of the full adder 100 illustrated in FIG. 12, while FIG. 16 illustrates a ripple carry adder 400 composed of pluralities of full adders similar to that illustrated in FIG. 15. As stated above, the cryptographic logic circuits may be all adoptable to a random masking scheme. The random masking scheme may be available to a full adder 100 composed of cryptographic logic circuits, as well as a ripple carry adder 400 constructed with full adders 110 140. Therefore, the cryptographic arithmetic logic circuit (or apparatuses) arid the cryptographic logic circuit may be equipped with the security against power analysis attacks.
3] Although the present invention has been described in connection with example embodiments of the present invention illustrated in the accompanying drawings, example embodiments of the present invention may not be limited thereto. It will be apparent to those skilled in the art that various substitution, modifications and changes may be thereto without departing from the scope of the example embodiments of the present invention.

Claims (3)

  1. CLAIMS: I. The cryptographic logic circuit, comprising: a first logic
    unit configured to execute at least one logic operation for a plurality of data pairs, the data pairs including random data and random masking data; and a second logic unit configured to execute a logic operation for the results of the first logic unit; wherein the first logic unit includes: a first NOR gate configured to execute a first logic NOR operation with first and second random masking data; a second NAND gate configured to execute a first logic NAND operation with the first random masking data and second random data; a second NOR gate configured to execute a second logic NOR operation with the first and second random masking data; and a second NAND gate configured to execute a second logic NAND operation with second random data and the second random masking data;
  2. 2. A cryptographic logic circuit as set forth in claim 1, wherein the second logic unit comprises: a first XOR gate configured to execute a first logic XOR operation with the output of the first NOR gate and the first NAND gate; and a second XOR gate configured to execute a second logic XOR operation with the output of the second NOR gate and the second NAND gate.
  3. 3. The cryptographic logic circuit as set forth in claim 1, wherein the second logic unit comprises: a first XOR gate configured to execute a first logic XOR operation with the output of the first NOR gate and the first NAND gate; and a first XNOR gate configured to execute a first logic XOR operation with the output of the second NOR gate and the second NAND gate.
GB0801055A 2005-01-27 2006-01-13 Cryptographic logic circuits and method of performing logic operations Expired - Fee Related GB2443357B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0801055A GB2443357B (en) 2005-01-27 2006-01-13 Cryptographic logic circuits and method of performing logic operations

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
KR1020050007705A KR100725169B1 (en) 2005-01-27 2005-01-27 Apparatus and method for performing logical operation being secure against differential power analysis
GB0600690A GB2422693B (en) 2005-01-27 2006-01-13 Cryptographic logic circuits and method of performing logic operations
GB0801055A GB2443357B (en) 2005-01-27 2006-01-13 Cryptographic logic circuits and method of performing logic operations

Publications (3)

Publication Number Publication Date
GB0801055D0 GB0801055D0 (en) 2008-02-27
GB2443357A true GB2443357A (en) 2008-04-30
GB2443357B GB2443357B (en) 2008-10-08

Family

ID=39273320

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0801055A Expired - Fee Related GB2443357B (en) 2005-01-27 2006-01-13 Cryptographic logic circuits and method of performing logic operations

Country Status (1)

Country Link
GB (1) GB2443357B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3503460A1 (en) * 2017-12-22 2019-06-26 Secure-IC SAS System and method for boolean masked arithmetic addition

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1553490A2 (en) * 2004-01-07 2005-07-13 Samsung Electronics Co., Ltd. Cryptographic apparatus, cryptographic method, and storage medium thereof
US20050184760A1 (en) * 2004-02-19 2005-08-25 Elena Trichina Logic circuit and method thereof
US20050207571A1 (en) * 2004-03-16 2005-09-22 Ahn Kyoung-Moon Data cipher processors, AES cipher systems, and AES cipher methods using a masking method
WO2006058561A1 (en) * 2004-12-01 2006-06-08 Telecom Italia S.P.A. Method and related device for hardware-oriented conversion between arithmetic and boolean random masking

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1553490A2 (en) * 2004-01-07 2005-07-13 Samsung Electronics Co., Ltd. Cryptographic apparatus, cryptographic method, and storage medium thereof
US20050184760A1 (en) * 2004-02-19 2005-08-25 Elena Trichina Logic circuit and method thereof
US20050207571A1 (en) * 2004-03-16 2005-09-22 Ahn Kyoung-Moon Data cipher processors, AES cipher systems, and AES cipher methods using a masking method
WO2006058561A1 (en) * 2004-12-01 2006-06-08 Telecom Italia S.P.A. Method and related device for hardware-oriented conversion between arithmetic and boolean random masking

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Electronics Letters, IEE, 29 April 2004, vol. 40, no. 9, pp526-528, "Universal masking on logic gate level", Golic and Menicocci, Telecom Italia Lab. Telecom Italia, Turin, Italy *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3503460A1 (en) * 2017-12-22 2019-06-26 Secure-IC SAS System and method for boolean masked arithmetic addition
WO2019121780A1 (en) * 2017-12-22 2019-06-27 Secure-Ic Sas System and method for boolean masked arithmetic addition
US11733966B2 (en) 2017-12-22 2023-08-22 Secure-Ic Sas Protection system and method

Also Published As

Publication number Publication date
GB0801055D0 (en) 2008-02-27
GB2443357B (en) 2008-10-08

Similar Documents

Publication Publication Date Title
GB2422693A (en) Cryptographic logic circuits and method of performing logic operations
Aghaie et al. Impeccable circuits
US20200195417A1 (en) Cryptography circuit particularly protected against information-leak observation attacks by the ciphering thereof
Subramanian et al. Reliable hardware architectures for cryptographic block ciphers LED and HIGHT
Mozaffari-Kermani et al. Reliable and error detection architectures of Pomaranch for false-alarm-sensitive cryptographic applications
EP1836554B1 (en) Method and related device for hardware-oriented conversion between arithmetic and boolean random masking
De Meyer et al. M&M: Masks and macs against physical attacks
Aghaie et al. Fault diagnosis schemes for low-energy block cipher Midori benchmarked on FPGA
Kermani et al. Error detection reliable architectures of Camellia block cipher applicable to different variants of its substitution boxes
Aghaie et al. Reliable and fault diagnosis architectures for hardware and software-efficient block cipher KLEIN benchmarked on FPGA
Baksi et al. A Novel Duplication-Based Countermeasure to Statistical Ineffective Fault Analysis
GB2443358A (en) Cryptographic logic circuits and method of performing logic operations
JP4386766B2 (en) Error detection in data processing equipment.
GB2443355A (en) Cryptographic logic circuits and method of performing logic operations
GB2443357A (en) Cryptographic logic circuits and method of performing logic operations
Rashidi Fault-tolerant and error-correcting 4-bit S-boxes for cryptography applications with multiple errors detection
Chhabra et al. Design and analysis of logic encryption based 128-bit aes algorithm: A case study
GB2443356A (en) Cryptographic logic circuits and method of performing logic operations
GB2443359A (en) Cryptographic logic circuits and method of performing logic operations
Kaur et al. A Survey on the Implementations, Attacks, and Countermeasures of the Current NIST Lightweight Cryptography Standard
Ngo et al. Attacking Trivium at the bitstream level
Shahmirzadi et al. Low-latency and low-randomness second-order masked cubic functions
Aghaie Efficient Error detection Architectures for Low-Energy Block Ciphers with the Case Study of Midori Benchmarked on FPGA
Akdemir et al. Non-linear error detection for finite state machines
Lozachmeur et al. A RISC-V Instruction Set Extension for Flexible Hardware/Software Protection of Cryptosystems Masked at High Orders

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20150113