JP2014115579A - Encryption processing device and method, and encryption processing program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve resistance to side channel attacks or the like by suppressing increase in operation time and operation costs of encryption.SOLUTION: An encryption processing device comprises: table generation means for setting a value to which a random number of a second bit number generated in random number generation means is connected, to a value of a first bit number related to encryption processing, for each element of a table which outputs a value of a reference element; random number connection means for generating a value obtained by connecting plaintext data of a first bit number to a random number of a second bit number generated in the random number generation means; pointer update means for updating a pointer indicating a reference address of the table; encryption means for performing encryption processing including processing for referring the table at an address computed by defining a connection value of data of the first bit number and the random number of the second bit number as an index, with the updated pointer as the standard; and random number deletion means for deleting a random number from output of the encryption means.

Description

  The present invention relates to a cryptographic processing apparatus and method, and a cryptographic processing program.

Encryption is a technique for protecting data stored in a recording medium and data flowing on a communication path from threats such as eavesdropping. Only the data that knows the key used for encryption can be decrypted correctly.
As a typical encryption algorithm, for example, there is an AES (Advanced Encryption Standard) of a block cipher scheme having an SPN (substitution permutation network) structure. AES is secure against typical cryptanalysis methods (eg, differential cryptanalysis and linear cryptanalysis). There is no known method for obtaining a key more efficiently than a brute force attack of a secret key. AES is safe because it takes an enormous amount of time to search for all secret keys.

  In recent years, in devices (encryption modules) that implement encryption, the threat of attack methods that exploit the power consumed by the encryption module when the encryption function operates and the accompanying electromagnetic waves using the electromagnetic waves associated therewith have been pointed out. ing. Information on power consumption and electromagnetic waves obtained as a side effect is called “side channel information”, and an attack using the information is called “side channel attack”.

  Explain the principle of side-channel attacks.

The Hamming weight h (d) of the n-bit data d is
h (d) ∈ {0,1,2, ..., n}
It is. The Hamming weight is a number of 1 when data is expressed in binary. For example, if n = 8,
h (00000000) = 0,
h (00001000) = 1,
h (00100011) = 3,
h (11111111) = 8
It becomes.

  If the cryptographic module to be analyzed is based on the Hamming weight model, it is assumed that the Hamming weight of data, power consumption, and leakage electromagnetic waves are directly proportional. An analysis procedure (related technology) of the cryptographic algorithm based on the Hamming weight model will be described below. FIG. 1 is a diagram for explaining r-round Feistel encryption (related technology) having a block length of 2n bits.

The 2n-bit plaintext P is divided into n-bit data x ⁰ _L and x ⁰ _R. The processing of the i-th round (i = 1, 2,..., R−1) is as shown in equations (1) and (2).

x ⁱ _R = x ⁱ⁻¹ _L (1)

はビット毎の排他的論理和（bitwise XOR）の演算子である。 In addition,

Is a bitwise XOR operator.

In the final round (r-th round), right and left crossing of data is not performed. x ^r _L and x ^r _R are as shown in the equations (3) and (4).

^{_{x r L = x r-1}} L ··· (3)

x ^r _L and ^x _{r R} was ligated 2n-bit data ^x _{r L} || ^x _{r R} is the ciphertext C. Note that || is a concatenation operator.

FIG. 2 is a diagram illustrating a configuration example (related technology) of the F function 10 of FIG. Referring to FIG. 2, the result of performing an exclusive OR operation on data x ⁱ _L and key K ⁱ is subjected to operation S in nonlinear processing 11 to generate output data z ⁱ . That means
z ⁱ = S (x ⁱ _L ^ K ⁱ ) (5)
It is. Note that ^ is a bitwise XOR operator used in C language or the like (hereinafter, ^ is used as an exclusive OR operator).

Next, a procedure for obtaining the final round key K ^r-1 using the side channel information will be described. Analysis consists of a data collection phase and an analysis phase.

In the data collection phase, m plaintexts P _j (j = 0, 1,..., M−1) are encrypted to obtain m ciphertexts C _j . At this time, power consumption during encryption processing is measured using a measuring instrument (waveform analyzer) such as an oscilloscope or a spectrum analyzer. Here, the power waveform measured when encrypting the plaintext P _j is defined as w _j .

  A differential power analysis (DPA) will be described as an example of the analysis phase.

Since there are 2 ⁿ candidates for the key K ^r−1 , all n bits are assumed in order from 0.

Since x ^r−1 _L (= x ^r _L ) is known from the ciphertext C _j , the output data z ⁱ of the F function can be calculated by assuming the key K ^r−1 .

Here, paying attention to a specific bit of z ⁱ , it is classified into waveform data corresponding to a ciphertext in which the bit is 0 and waveform data corresponding to a ciphertext in which the bit is 1. A set of waveforms in which the value of the bit is classified as 0 is defined as W ₀ , and a set of waveforms in which the value of the bit is classified as ₁ is defined as W ₁ .

Next, the average power consumption values W _0avg and W _1avg are calculated for each of W ₀ and W ₁ .

Based on the Hamming weight model, the power consumption of W ₁ becomes larger than W ₀ at the time when the calculation of z ⁱ is performed (the remaining n−1 bits are noise components, but the average of many waveforms is calculated). I think it will be leveled. Therefore, if the classification of the waveforms set of ciphertext particular 1 bit of the z ⁱ becomes 0 and 1 if correctly performed, is significantly different Subtracting W _0Avg from W _1Avg appears (Fig. 9 ( B)).

However, when the assumption of the key K ^r-1 is incorrect, the key K ^r-1 is not correctly classified (W ₀ (W ₁ ) includes a waveform having a bit value of 1 (0)). For this reason, there is no difference between W _0avg and W _1avg (see FIG. 9A).

  Therefore, by examining the peak value of the average waveform, it is possible to distinguish whether the key assumption is correct.

  On the other hand, a masking technique is one of tamper resistant techniques against side channel attacks. A reference example of the operation when the masking technique is applied to the encryption processing of FIG. 1 will be described with reference to FIG. This reference example is premised on encryption processing implemented by software.

In FIG. 3, α ₁ , α ₂ , and α ₃ are n-bit random number data,
α ₃ = α ₁ ^ α ₂ (6)
It is.

Then, a nonlinear process 30 is used instead of the nonlinear process 11 of FIG. As shown in FIG. 3 (B), the nonlinear processing 30 performs the nonlinear processing 11 with respect to exclusive-OR of the input data and alpha _1. Then, the exclusive OR operation result of the output data of the nonlinear process 11 and α ₃ is used as the output data of the nonlinear process 30.

In general, in the case of implementation by software, nonlinear processing is implemented by a table (lookup table), for example. If the input data for nonlinear processing is n bits, the table has 2 ⁿ entries. The input data becomes an index of the table, and the operation result for the input data is held in each entry of the table. At the time of non-linear processing, a calculation result (non-linear processing result) can be obtained by referring to the table once.

In the masking method, each time α ₁ and α ₂ are determined, a new table S ′ is generated based on the table S.

When performing the encryption process, first, the divided plaintexts x ⁰ _L and x ⁰ _R are exclusively ORed with α ₁ and α ₂ , respectively.

Then, an exclusive OR with the key K ⁰ is taken with respect to the exclusive OR (x ⁰ _L ^ α ₁ ) between x ⁰ _L and α ₁ and input to the nonlinear processing 30. The input data of the nonlinear process 30 is
((X ⁰ _L ^ α ₁ ) ^ K ⁰ ) = (x ⁰ _L ^ α ₁ ^ K ⁰ ) (7)
It is.

In FIG. 3A, in the non-linear process 30, since the exclusive OR of the input data and α ₁ is taken, α ₁ is canceled and the data input to the non-linear process 11 is equivalently:
(X ⁰ _L ^ K ⁰ ) (8)
It becomes.

3A, the output data z ⁰ of the non-linear process 30 is obtained by performing an exclusive OR with α _{3 on} the output S (x ⁰ _L ^ K ⁰ ) of the non-linear process 11 in FIG. 3B. It is what I took.
z ⁰ = (S (x ⁰ _L ^ K ⁰ ) ^ α ₃ ) (9)

In FIG. 3A, in the exclusive OR 31,
z ⁰ ^ (x ⁰ _R ^ α ₂ ) (10)
Is done. Therefore, α ₁ is generated by exclusive OR of α ₃ and α ₂ . That is,
(S (x ⁰ _L ^ K ⁰ ) ^ α ₃ ) ^ (x ⁰ _R ^ α ₂ )
= S (x ⁰ _L ^ K ⁰ ) ^ (α ₁ ^ α ₂ ) ^ (x ⁰ _R ^ α ₂ )
= S (x ⁰ _L ^ K ⁰ ) ^ α ₁ ^ α ₂ ^ α ₂ ^ x ⁰ _R
= S (x ⁰ _L ^ K ⁰ ) ^ α ₁ ^ x ⁰ _R (11)

Since S (x ⁰ _L ^ K ⁰ ) ^ x ⁰ _R in equation (11) corresponds to x ¹ _L in FIG.
x ¹ _L ^ α ₁
It is expressed.

Therefore, the output data x ¹ _L of the first round is generated in a state masked with α ₁ .

on the other hand,
x ¹ _R = x ⁰ _L ^ α ₁ ^ α ₃ = x ⁰ _L ^ α ₂ (12)
It is.

Since x ⁰ _L in equation (12) corresponds to x ¹ _R in FIG. 1, equation (12) becomes
x ¹ _R ^ α ₂
It is expressed.

Thus, the input data x ⁱ _L of the (i + 1) -th round is masked with α ₁ ,
x ⁱ _R is masked with α ₂ .

The data x ^r _L and x ^r _R in the final round are respectively
x ^r-1 _L ^ α ₁ (13)
_{^{S (x r-1 L ^}} K r-1) ^ α 1 ^ x r-1 R ··· (14)
And both are masked with α ₁ .

For this reason, by taking an exclusive OR with α ₁ in each of (13) and (14), x ^r _L and x ^r _R become equations (15) and (16).

_{^{x r L = (x r-}} 1 L ^ α 1) ^ α 1 = x r-1 L ··· (15)
_{^{x r R = (S (x}} r-1 L ^ K r-1) ^ α 1 ^ x r-1 R) ^ α 1
= (S ( ^xr- _1L ^ ^Kr-1 ) ^ ^xr- _1R ) (16)

x ^r _L, none of ^x _{r R} mask is released, the ciphertext _{^{C (= x r-1 L}} || x r R) is obtained.

  Thus, in the masking method, since it is always masked with a random number, even if the differential power analysis is applied, the power waveform is masked with a random number. Therefore, if the random value is unknown, the correlation between the intermediate value calculated using the key assumption and the actual power consumption is lost, so that the differential power analysis becomes difficult. However, if the random value is also assumed at the same time, the analysis by the differential power analysis becomes possible, and therefore it is necessary to change the random value for each encryption process.

  In Patent Document 1 searched by prior art document search performed by the applicant in connection with the present case, the power consumption at the time of executing the cryptographic process is measured, so that the encryption embedded in the cryptographic module is performed. Randomly obtained by adding a predetermined input mask value determined depending on a random number to input data subjected to predetermined processing by the key as an encryption device that is secure against an attack method for analyzing the key Randomized 8 bits for receiving randomized input data and the input mask value, and generating randomized output data in which an output mask value which is an inverse element of the input mask value is added to an inverse element of the input data A configuration that includes an inverse element calculation unit and generates ciphertext from the generated randomized output data is disclosed. Further, in Patent Document 2 as an encryption device that is safe for differential power analysis (DPA), the encryption device selects a random number generator means for generating a random number and one of q fixed values according to the random number. And a selector that selects one set in q fixed tables according to a random number, and the exclusive OR means excludes a fixed value, a key exclusive OR, and an input. A configuration is disclosed in which non-linear conversion means performs non-linear conversion according to a set of fixed tables. Patent Document 3 discloses an encryption circuit including a function key kc for executing an encryption algorithm as an encryption circuit for countering a DPA or EMA (Electro-Magnetic Analysis) type attack, A configuration is disclosed that includes a second key ki that allows the circuit to be protected from attacks using the side channel of the circuit, which is unique to each example of the circuit apart from kc.

Special republication WO2008-146482 JP 2002-366029 A JP-T-2002-516094

  The analysis of related technology is given below.

  As described above, the masking technique is effective for protecting the software-implemented cryptographic module from the threat of side channel attacks. However, the random value used for the mask must be changed for each encryption process. When the random value is changed, it is necessary to generate a table holding the nonlinear processing result according to the random number. The generation time of this table causes an increase in the encryption processing time, leading to a decrease in performance.

  Even in the case of an encryption algorithm using a single table, if the mask value changes for each table reference, it is necessary to have a table for each mask value. For this reason, the memory area increases.

  The present invention was devised to solve the above problems, and its purpose is to suppress an increase in computation time and computation cost of encryption processing and improve resistance to side channel attacks and the like, It is to provide a method and a program.

According to the present invention, in each element of the table that outputs the value of the element to be referred to, the second bit number generated by the random number generation means is set to the first bit number value related to the encryption process of the common key cryptosystem. A table generating means for setting a value obtained by concatenating random numbers of bits;
The random number generating means for generating a random number of a second number of bits;
Random number concatenating means for generating a value obtained by concatenating a first bit number of plaintext data with a second bit number random number generated by the random number generating means;
Pointer updating means for updating a pointer pointing to the reference address of the table;
A cipher that performs an encryption process including a process of referring to the table at an address calculated from a concatenated value of the data of the first bit number and the random number of the second bit number with the updated pointer as a reference And
Random number deletion means for removing random numbers from the output of the encryption means;
A cryptographic processing device is provided.

According to the present invention, there is provided an encryption processing method by a data processing device including a storage device that stores a table that outputs values of elements to be referenced,
In the table creation process, each element of the table is a value obtained by concatenating the first bit number value related to the encryption process of the common key cryptosystem to the random number of the second bit number generated in the random number generation process. Set
In the random number concatenation process, a value obtained by concatenating the plaintext data of the first number of bits with the random number of the second number of bits generated in the random number generation process is generated.
In the pointer update process, the pointer pointing to the reference address in the table is updated,
In the encryption process, an encryption process including a process of referring to the table with an address obtained from a concatenated value of the first bit number data and the second bit number random number is performed using the updated pointer as a reference. ,
In the random number deletion processing, a cryptographic processing method is provided that removes random numbers from the output of the encryption processing.

According to the present invention, a computer provided with a storage device that stores a table for outputting values of elements to be referenced is provided.
Table generation in which each element of the table is set to a value obtained by concatenating the random number of the second bit number generated in the random number generation process to the value of the first bit number related to the encryption process of the common key cryptosystem Processing,
The random number generation processing for generating the random number of the second number of bits;
A random number concatenation process for generating a value obtained by concatenating the random number of the second bit number generated in the random number generation process to the plain text data of the first bit number;
A pointer update process for updating a pointer to the reference address of the table;
An encryption process for performing an encryption process including a process of referring to the table with an address obtained from a concatenated value of data of a first bit number and a random number of a second bit number with reference to the updated pointer;
Random number deletion processing for removing random numbers from the output of the encryption processing;
A program for executing is provided. According to the present invention, a recording medium (semiconductor memory, magnetic / optical disk or the like) on which the program is recorded is provided.

  According to the present invention, it is possible to suppress an increase in computation time and computation cost of encryption, and to improve resistance to side channel attacks and the like.

It is a figure which shows an example of Feistel type | mold encryption. It is a figure explaining the structure of F function of FIG. It is a figure explaining the example of application of the masking method with respect to FIG. It is a figure which shows the structural example of the encryption processing apparatus of one Embodiment of this invention. It is a figure which shows the structural example of an encryption means. It is a figure explaining the example of application of this invention with respect to FIG. It is the figure which showed the example of the table | surface to which the encryption original table | surface and the random number were provided. It is a figure which shows the process sequence of one Embodiment of this invention with a flowchart. (A) is a figure explaining the example of the average waveform in case (B) is correct, when the estimation of the key at the time of performing a difference power analysis is incorrect.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. According to the present invention, the data obtained by concatenating the random number generated by the random number generating means and the plaintext is encrypted, and then the random number is deleted.

  As described below, the present invention is preferably applied to tamper resistance against side channel attacks of a common key block cipher for concealing data during data communication and storage.

According to the embodiment of the present invention, each element of the table (S ′) that outputs the value of the element to be referred to has a value of the first number of bits (n bits) related to the encryption process of the common key cryptosystem. Table generation means (71 in FIG. 5) for setting a value obtained by concatenating the random numbers of the second number of bits (s bits) generated by the random number generation means;
The random number generating means (70 in FIG. 5) for generating a random number of the second number of bits;
Random number concatenating means (72 in FIG. 5) for generating a value obtained by concatenating the random number of the second bit number generated by the random number generating means (70 in FIG. 5) to the plaintext data of the first bit number;
The reference address (for example, the start address) of the table (S ′) so that the table (S ′) can be referred to using the concatenated value of the encrypted data of the first number of bits and the random number of the second number of bits as an index. Pointer updating means (74 in FIG. 5) for updating a pointer (S'addr) pointing to
A process of referring to the table with an address calculated by using a concatenated value of the encrypted data of the first bit number and the random number of the second bit number as an index with the updated pointer (S'addr) as a reference Encryption means (73 in FIG. 5) for performing encryption processing including:
Random number deletion means (75 in FIG. 5) for removing random numbers from the output of the encryption means.

The first bit number is n, and the table (S ′) includes 2 ⁿ elements having a bit width m (where 1 ≦ n <m), and the second bit number is s (where 1 ≦ n s <(mn)). The table generation means (71 in FIG. 5) sets a value related to the encryption process in the lower n bits in each of the m bits of the table (S ′), and sets the higher bits than the lower n bits. An s-bit random number (α _i , i = 0 to 2 ⁿ −1 in FIG. 7B) is set. The random number concatenation unit (72 in FIG. 5) generates a value obtained by concatenating s-bit random numbers to the upper bits of n-bit plaintext data. The pointer update means (74 in FIG. 5) calculates, for example, a calculation result (y∩1 ⁽ mn) where the lower n bits of the concatenated value (y) of the lower n bits of data and the upper s bits of random number 0. || 0 ⁽ⁿ⁾ ) is converted into the address of the element in the table (S ′) (y <<t;<< t is a t-bit left shift operation, and t is the number of bytes per element in the table). The value subtracted from the pointer indicating the head address of the table is the updated pointer (S'addr). The encryption means (73 in FIG. 5) converts an index composed of a concatenated value (y) of lower n-bit data and upper s-bit random number into an address in the updated pointer (S'addr). With reference to the element of the table (S ′) at the address to which the value (y << t) is added, the n-bit value and s bit related to the encryption process are determined from the m-bit element output from the table. Get the value concatenated with the random number. The encryption handled in the encryption process is a common key block cipher.

The encryption means (73 in FIG. 5) performs round processing including processing to refer to the table a predetermined number of times, and the random number deletion means (75 in FIG. 5) generates random numbers from the output of the final round processing. Is deleted. The random number concatenation means (72 in FIG. 5) converts the first and second s-bits from the input plaintext to the high-order bits of the n-bit first and second plaintext data (x ⁰ _L , x ⁰ _R ). _M- bit first and second data (β ₁ || x ⁰ _L , β ₀ || x ⁰ _R ) are generated by connecting the random numbers (β ₀ , β ₁ ). Although not particularly limited, in the encryption means (73 in FIG. 5), the first data (β ₁ || x ⁰ _L ) is converted into the lower n-bit round key (K ⁰ ) and the upper (mn). ) A first exclusive OR operation unit that performs an exclusive OR operation with a value obtained by concatenating bits 0 (0 ^(mn) || K ⁰ ), and the exclusive OR operation result as the index, Using the update pointer (S′addr), a non-linear processing unit (301) referring to the table (S ′), an m-bit output (z ⁰ ) of the non-linear processing unit (301), and the second A second exclusive OR operation unit that performs an exclusive OR operation with the data (β ₀ || x ⁰ _R ), and the first data and the output of the second exclusive OR operation unit May be used as the first and second data of the next round. The random number deleting means (75 in FIG. 5) deletes β _r || x ^r _L random numbers β _r and β _{r + 1} || x ^r _R random numbers β _{r + 1} output from the final round. Of course, the index referring to the table (S ′) is not limited to exclusive OR (key addition: Add-Round-Key) of data and a round key. For example, the present invention can be applied to a configuration in which a pre-calculation result is mounted on a table in a process such as a mix column (Mix-Columns) of each round of AES.

  In addition, in Patent Documents 1-3 and the like described above, an encryption process is performed on data obtained by concatenating a random number generated by a random number generation unit and plaintext, and then the random number is deleted, thereby suppressing an increase in calculation cost of the encryption process. The structure to do is not disclosed.

  Referring to FIG. 4, an encryption device 1 according to an embodiment includes an input / output device 2, a CPU (Central Processing Unit) 3, a RAM (Random Access Memory) 4, and a ROM (Read Only Memory) 5 connected via a bus 6. Take the configuration. The ROM 5 stores an encryption processing program 7. When the encryption processing program is executed, the encryption processing program is read from the ROM 5 and loaded into the RAM 4. The CPU 3 reads (fetches) a program from the RAM 4, interprets it, and executes it to execute encryption processing. However, the encryption processing program may be loaded from the outside via the input / output device 2 and expanded in the RAM 4. The encryption key may be stored in the ROM 5 or may be input from the input / output device 2 from the outside. The ROM 5 may be an electrically rewritable and erasable nonvolatile memory (ROM). Alternatively, the encryption processing program 7 may be stored in a non-volatile auxiliary storage device such as an HDD (Hard Disk Drive).

  The operation of the encryption processing program with the tamper resistant function will be described below. Referring to FIG. 5, the encryption processing program 7 is divided into modules (or function divisions) into random number generation means 70, table generation means 71, random number connection means 72, encryption means 73, pointer update means 74, and random number deletion means 75. Is done. The function / operation of each means will be described.

  The random number generating means 70 generates a random number of s bits (1 ≦ s <mn).

  The table generation means 71 updates the table referred to by the encryption means 73 using the random number of s bits (for example, s = 22) generated by the random number generation means 70 to create a table S ′. The table S ′ is stored in the RAM 4 of the encryption device 1.

A specific example will be described with reference to Table S in FIG. In FIG. 7A, description is made assuming that m = 32 and n = 8. Table S is composed of 256 (= 2 ⁸ ) elements, and one element is 32 bits. In the lower 8 bits of each element, a value related to the encryption processing (FIG. 7 shows hexadecimal notation (1 hexadigit = 4 bits: 0 to F), and the upper 24 bits are all 0s. The symbol || between the lower 8 bits and the upper 24 bits represents concatenation, and the upper 24 bits and the lower 8 bits are concatenated to 32 bits.

  Many cryptographic algorithms have a form (Look Up Table: LUT) in which a certain calculation process is pre-calculated and the calculation result is held in a tabular form. At the time of encryption processing, the calculation result is obtained by referring to the table using the pre-calculation data as a table index.

The table generation unit 71 sets the s-bit random number generated by the random number generation unit 70 at a position where 0 of each element of the table is set (an area (m−n) higher than the lower n bits). . Note that the set random numbers may be different for each element of the table, or all may be the same. The table S ′ of FIG. 7B is different from the table S of FIG. 7A in that the random number α _i (i∈ {0, 1, 2,..., 255}) generated by the random number generation means 70. ) Is a table after setting.

  The random number concatenation unit 72 is input with the plaintext data to be encrypted and the random number generated by the random number generation unit 70. The b × n-bit plaintext is divided into b n-bit plaintext data, and each is held in an m-bit variable (m> n, m = 24, n = 8). Plain text is set in the lower n bits of the m-bit variable, and an s-bit random number is set in the upper bit (mn) area.

  The processing of the encryption unit 73 and the pointer update unit 74 will be described with reference to FIG. FIG. 6 corresponds to a tamper resistant version of the encryption process shown in FIGS.

In FIG. 6, β ₁ || x ⁰ _L and β ₀ || x ⁰ _R are s-bit random numbers respectively in the upper bits of the n-bit plaintexts x ⁰ _L and x ⁰ _R divided by the random number linking means 72. This is data in which β ₀ and β ₁ are connected.

β ₁ || x ⁰ _L is subjected to an exclusive OR operation with an m-bit key 0 ^(mn) || K ^0, and the operation result is converted by the non-linear conversion processing 301. Incidentally, the key ^{0 (m-n)} || ^K higher (m-n) bits 0 of ^0, the lower n bits are ^{K 0.}

  The non-linear conversion processing 301 executes the non-linear processing by a look-up table (LUT) method by referring to the table S ′ generated by the table generating means 71.

A general table reference procedure is shown. The table is data continuously arranged on the memory, and is held as a pointer (address pointer) _Saddr that points to data at the head address of the table. Since the index x in the table is a displacement from the head address, the index is added to the pointer to obtain the memory address where the data is stored. More precisely, when the table element is 2 ^t bytes, the displacement x from the head address is (x << t) bytes. << is a bit-wise left shift operator. For example, in FIG. 7, the element is shifted from the 32 bits = 4 bytes = 2 ² = 2 ^t bytes to the left 2 bits with respect to the index x = 2 (“00000010”) where t = 2 (2 << 2). Is 8 (= "00001000"). The fourth byte (one element) of the eighth byte from the head address of the table is accessed for index x = 2. Therefore, the access address X _addr of the table element referred to by the index x is calculated by the equation (17).

X _addr = S _addr + (x << t) (17)

Here, if the number of entries (total number of elements) in the table is 2 ⁿ , the index x is 0 ≦ x ≦ 2 ⁿ −1. In the case of m = 32, n = 8, and t = 2 in FIG. 7, X _addr is S _{addr to} S _addr +10 20. If the address used as the reference for table access is not the head address of the table but the address (S _addr ) that points to the last element (index = 2 ⁿ −1) of the table, index x (0 ≦ x ≦ 2 ⁿ -1), the address X _addr is
X _addr = S _addr − {(2 ⁿ −1−x) << t)} (17) ′
Given in.

  However, when a value other than 0 is set in the high-order bits of the index as in this embodiment, the above procedure cannot correctly calculate the element address.

In FIG. 6, the higher-order (mn) of the exclusive OR operation result β ₁ || (x ⁰ _L ^ K ⁰ ) of β ₁ || x ⁰ _L and the key 0 ^(mn) || K ⁰ In the bit, an s-bit random number β ₁ (a value other than 0) is set. The lower n bits of β ₁ || (x ⁰ _L ^ K ⁰ ) are encrypted data x ⁰ _L ^ K ⁰ . This β ₁ || (x ⁰ _L ^ K ⁰ ) is input to the nonlinear transformation processing 301.

Therefore, the pointer updating unit 74 changes (updates) the pointer of the head address of the table S ′ from (random number || encrypted data), for example, (β ₁ || (x ⁰ _L ^ K ⁰ )).

The pointer update unit 74 uses a variable y (random number in the upper bits and encrypted data in the lower n bits, as in the above β ₁ || (x ⁰ _L ^ K ⁰ ), which is an index for table reference. In order to make it possible to refer to the table, data is generated by left-shifting t bits (where t is the number of bytes in the elements in Table 1), with the upper bit random number remaining and the lower n bits set to 0. By subtracting the value subtracted from the pointer S _addr indicating the head address of the new head address pointer, using the variable y (β ₁ || (x ⁰ _L ^ K ⁰ ) above, the encrypted data x ⁰ _L ^ Each element (0 ≦ index ≦ (2 ⁿ −1)) of the table corresponding to K ⁰ is accessed.

That is, S _addr is updated by equation (18) to generate a pointer S ′ _addr .

S ′ _addr = S _addr − ((y∩1 ^(mn) || 0 ⁽ⁿ⁾ ) << t) (18)

In equation (18), ∩ is an operator that performs a bitwise AND operation. ^{1 (m-n) || 0} (n) of ^{0 (n)} is the lower n bits 0 ^{data, 1 (m-n)} is 1 data of the upper (m-n) bits. An index m-bit variable y (concatenation of s-bit random number arranged in upper (mn) bit area and lower n-bit encrypted data) and m-bit information 1 ^(mn) || A bitwise AND operation result with 0 ⁽ⁿ⁾ (sbit random number in the upper (mn) bit area, lower n bit is 0), and a value left shifted by t bits is a pointer S _addr By subtracting from, the pointer S ′ _addr is obtained.

When the table S ′ is accessed with y = β ₁ || (x ⁰ _L ^ K ⁰ ) in the nonlinear conversion process 301, the access address X _addr of the table element to be referred to with the index y is calculated as follows. .

X _addr = S ' _addr + (y << t) (19)

Each time the encryption unit 73 performs a table reference, the pointer update unit 74 is called to generate a pointer S ′ _addr corresponding to the variable. The table S ′ (see FIG. 7B) is referenced using S ′ _addr , and the element (α _i || value of the encryption process) becomes z ⁰ .

Therefore, the output β ₂ || x ¹ _L of the first round is
z ⁰ ^ (β ₀ || x ⁰ _R ) (20)
Calculated by

In this case, the random number alpha _i of the upper (m-n) bits of ^{z 0,} the exclusive OR of the upper (m-n) bits of the random number beta ₀ of (β ₀ || ^x _{0 R)} is beta ₂ Become.

β ₂ = β ₀ ^ α _i (0 ≦ i ≦ 255) (21)

  The above processing is repeated for a predetermined number of rounds.

The random number deletion means 75 outputs the final round (r-th round) output data:
β _r || x ^r _L ,
β _{r + 1} || x ^r _R
Then, random numbers β _{r and} β _{r + 1} are removed from each of them (lower n bits: x ^r _L and x ^r _R are extracted) to generate ciphertext C = x ^r _L || x ^r _R.

  FIG. 8 shows a processing procedure of the present embodiment.

  The random number generation means 70 generates a random number to be embedded in the table (step S1).

  The table generation means 71 embeds random numbers in the table using the random numbers generated by the random number generation means 70 (step S2).

  The random number generation means 70 generates a random number for encrypted data (step S3).

  The random number connection means 72 divides the plain text and connects random numbers to each of the divided pieces (step S4).

  Thus, round processing is performed by the encryption means 73.

  Note that the encryption unit 73 is a process specific to the encryption algorithm, and thus description thereof is omitted.

  The encryption unique process 1 is, for example, an exclusive OR operation of key data and encrypted data (step S5).

  Prior to the table reference process (step S7), a pointer update process (step S6) is performed. This is performed as many times as the table reference is performed.

  The cipher unique process 2 (step S8) is, for example, a linear conversion process (specifically, AES MixColumns process) that mixes the results of a plurality of table references.

If the number of rounds determined by the encryption algorithm (predetermined number of times) and the round process have not been repeated, the process returns to S5 and the round process is repeated. If it has been repeated a predetermined number of times, the process branches to S10.
The random number deleting means 75 removes the random number from the data and uses the combined data as ciphertext (step S10).

In the related art masking technique, the calculation cost of table reconstruction is high. In order to generate the countermeasured non-linear processing 30 of FIG. 3, it is necessary to perform the calculation of Expression (22). Note that the for sentence is a for-loop in C language, and the process S ′ [i] = S [i ^ α ₁ ] ^ α ₃ is repeated from i = 0 to i = 2 ⁿ −1. Here, ^ is an exclusive OR operator in C language, pow is a power function, and pow (2, n) is 2 ⁿ . i ++ means an increment of i.

for (i = 0; i <pow (2, n); i ++) S ′ [i] = S [i ^ α1] ^ α3 (22)

In this series of processing,
XOR twice,
Load S [] once,
Store to S ′ [] once.

On the other hand, in the table generation process (FIG. 7) according to this embodiment,
Only one store to S ′ [] is required (when the random number α matches the size of the store instruction).

  Since table generation processing must be performed for each block of encryption processing, the lower the processing cost, the lower the processing performance from those without a tamper-resistant function, that is, high-speed processing. is there.

In the related art, if α ₁ is different, a different table S ′ is obtained. Even if there is only one type of table S, if it is an encryption algorithm that makes reference multiple times, there must be as many tables S 'as there are, and there is a problem that the memory area used increases. For example, in the AES SubBytes process, since the table is referred to 16 times, the table has a maximum 16 times.

  On the other hand, the table S ′ according to the embodiment has no limitation on the number of connected random numbers, and therefore the table S ′ does not increase. For this reason, there is a merit in terms of memory cost.

  It should be noted that the disclosures of the above patent documents are incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiments and examples can be changed and adjusted based on the basic technical concept. Various disclosed elements (including each element of each claim, each element of each embodiment, each element of each drawing, etc.) can be combined or selected within the scope of the claims of the present invention. . That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea.

1 Encryption Device 2 Input / Output Device 3 CPU
4 RAM
5 ROM
6 Bus 7 Cryptographic processing program 10 F function 11 Non-linear processing S
30 Nonlinear processing with random number mask S
31 Exclusive OR 70 Random number generating means 71 Table generating means 72 Random number concatenating means 73 Encryption means 74 Pointer updating means 75 Random number deleting means 301 Non-linear transformation processing

Claims (9)

Concatenating the random number of the second number of bits generated by the random number generation means to the value of the first number of bits related to the encryption processing of the common key cryptosystem to each element of the table that outputs the value of the referenced element A table generation means for setting the values obtained;
The random number generating means for generating a random number of a second number of bits;
Random number concatenating means for generating a value obtained by concatenating a first bit number of plaintext data with a second bit number random number generated by the random number generating means;
Pointer updating means for updating a pointer pointing to the reference address for table reference;
An encryption unit including a process of referring to the table with an address calculated from a concatenated value of a first bit number data and a second bit number random number with the updated pointer as a reference;
Random number deletion means for removing random numbers from the output of the encryption means;
An encryption processing apparatus comprising: The first bit number is n,
The table includes 2 ⁿ elements having a bit width m (where 1 ≦ n <m),
The second number of bits is s (where 1 ≦ s <(mn)),
The table generation means sets a value related to the encryption processing in the lower n bits in each element of m bits of the table, and the random number generation means generates s in higher bits than the lower n bits. Set a random number of bits,
The random number concatenation unit generates n-bit plaintext data as lower n bits, and generates a value obtained by concatenating the upper bits with the s-bit random number generated by the random number generation unit,
The pointer updating means converts a value obtained by converting a value in which the lower n bits of an index composed of a concatenated value of lower n bits of data and higher random number of s bits into 0 to the address of the element in the table, The value subtracted from the pointer that points to the top address of the table is the updated pointer,
The encryption means refers to the element in the table with an address obtained by adding an address conversion value of the index consisting of a concatenated value of lower n-bit data and upper s-bit random numbers to the updated pointer. 2. The cryptographic processing apparatus according to claim 1, wherein a value obtained by concatenating an n-bit value related to an encryption process and an s-bit random number is obtained from an m-bit element output from the table. . The encryption means performs a round process including a process of referring to the table a predetermined number of times,
The cryptographic processing apparatus according to claim 1, wherein the random number deleting unit deletes a random number from an output of a final round process. An encryption processing method by a data processing device comprising a storage device for storing a table for outputting values of elements to be referenced,
In the table creation process, each element of the table is a value obtained by concatenating the first bit number value related to the encryption process of the common key cryptosystem to the random number of the second bit number generated in the random number generation process. Set
In the random number concatenation process, a value obtained by concatenating the plaintext data of the first number of bits with the random number of the second number of bits generated in the random number generation process is generated.
Updating a pointer to the reference address for reference to the table;
In the encryption process, with reference to the updated pointer, a process of referring to the table with an address obtained from a concatenated value of the first bit number data and the second bit number random number,
In the random number deletion process, the random number is removed from the output of the encryption process.
And a cryptographic processing method. The first bit number is n,
The table includes 2 ⁿ elements having a bit width m (where 1 ≦ n <m),
The second number of bits is s (where 1 ≦ s <(mn)),
In the table generation process, in each element of m bits of the table, a value related to the encryption process is set in the lower n bits, and an s-bit random number is set in the higher bits than the lower n bits,
In the random number concatenation process, n-bit plaintext data is set to lower n bits, and a value obtained by concatenating s-bit random numbers to the upper bits is generated.
In the pointer update processing, a value obtained by converting the value of the lower n bits 0 of the index composed of the concatenation value of the lower n bits of data and the upper s bits of the random number into the address of the element in the table is used. The value subtracted from the pointer that points to the start address of
In the encryption process, with reference to the elements in the table at an address obtained by adding an address conversion value of an index composed of a concatenated value of lower n-bit data and upper s-bit random numbers to the updated pointer, 5. The encryption processing method according to claim 4, wherein a value obtained by concatenating an n-bit value related to encryption processing and an s-bit random number is acquired from an m-bit element output from the table. In the encryption process, a round process including a process of referring to the table is performed a predetermined number of times,
6. The cryptographic processing method according to claim 5, wherein in the random number deletion process, a random number is deleted from an output of a final round. A computer having a storage device for storing a table for outputting values of referenced elements;
Table generation in which each element of the table is set to a value obtained by concatenating the random number of the second bit number generated in the random number generation process to the value of the first bit number related to the encryption process of the common key cryptosystem Processing,
The random number generation processing for generating the random number of a second number of bits;
A random number concatenation process for generating a value obtained by concatenating the random number of the second bit number generated in the random number generation process to the plain text data of the first bit number;
A pointer update process for updating a pointer to the reference address of the table;
An encryption process including a process of referring to the table with an address obtained from a concatenated value of a first bit number data and a second bit number random number with reference to the updated pointer;
Random number deletion processing for removing random numbers from the output of the encryption processing;
A program that executes The first bit number is n,
The table includes 2 ⁿ elements having a bit width m (where 1 ≦ n <m),
The second number of bits is s (where 1 ≦ s <(mn)),
In the table generation process, in each element of m bits of the table, a value related to the encryption process is set in the lower n bits, and an s-bit random number is set in the higher bits than the lower n bits,
In the random number concatenation process, n-bit plaintext data is set to lower n bits, and a value obtained by concatenating s-bit random numbers to the upper bits is generated.
In the pointer update processing, a value obtained by converting the value of the lower n bits 0 of the index composed of the concatenation value of the lower n bits of data and the upper s bits of the random number into the address of the element in the table is used. The value subtracted from the pointer that points to the start address of
In the encryption process, with reference to the elements in the table at an address obtained by adding an address conversion value of an index composed of a concatenated value of lower n-bit data and upper s-bit random numbers to the updated pointer, 8. The program according to claim 7, wherein a value obtained by concatenating an n-bit value related to encryption processing and an s-bit random number is acquired from an m-bit element output from the table. In the encryption process, a round process including a process of referring to the table is performed a predetermined number of times,
9. The program according to claim 8, wherein in the random number deletion process, random numbers are deleted from the output of the last round.

Images