KR101506499B1 - Method for encrypting with SEED applying mask - Google Patents

Abstract

An encryption method using SEED to which masking is applied is disclosed. The SEED encryption method using masking according to an embodiment of the present invention is a SEED algorithm of a pastel structure that performs rightward XOR operation of the right input encrypted with the round key of each round every round with the left input of the corresponding round, The method comprising: masking an input plaintext with a first random number; And masking the right input of each round with the masked round key after masking the round key of the round with a second random number every round by using the masked input plain text as an initial input. According to embodiments of the present invention, the security of the encryption system can be improved by introducing masking into the SEED algorithm, which is an existing encryption technique, and the increase in the additional cost required for the operation can be minimized.

SEED, Round Key, Side Channel Attack, masking method

Description

Method for Encrypting with SEED applying mask using masking [

The present invention relates to a cryptographic technique, and more particularly, to an encryption method using SEED to which masking for introducing masking is applied to an existing cryptographic technique, SEED algorithm, in order to secure the security of the cryptographic system.

The smart card is a credit card-sized security device with the capability of a small computer, so it is easy to carry. In the cyber world, smart cards are used not only as a means of transferring value but also because they have various applications such as telephone cards, mobile communication security measures, ID cards, transportation cards, and financial IC cards. It shows a rapid increase in utilization. At a time when much of life is shifting to the Internet environment, smart cards are a tool that can play an important role. The safety assessment of these security devices is based on theories such as provable safety and computational safety. However, in 1996, Paul Kocher introduced the concept of Side Channel Attack, which showed that secret information could be leaked by subchannel attack, which is a physical attack, on the theoretically secure cryptosystem. Physical attacks use additional information such as algorithm execution time and power consumption. Timing attack using algorithm execution time is a method of finding the secret key by analyzing the difference between the time it takes the IC chip's encryption algorithm to process the information related to the secret key and the time it takes to process the non-secret data. The power analysis attack also compares and analyzes the amount of power that the IC chip uses when processing data related to the secret key, which includes Simple Power Attack (SPA), Diffrencial Power Attack (DPA ), And so on. Power analysis attacks are known to be one of the most threatening attacks developed by Pol Coacher, among which DPA is developing in many forms as a powerful analysis method and has many applications.

With the introduction of this subchannel attack, many cryptographic system designers have begun to study efficient countermeasures, and a masking method is being actively researched as a countermeasure against differential power analysis (DPA). The masking technique is a method to defend the first-order differential power analysis through modification of the algorithm, and it is cheaper than the hardware countermeasures such as noise insertion, arbitrary delay, and random clock. Thus, masking techniques are generally preferred in equipment such as smart cards with low cost.

의 암호문

을 구한 후, 최종적으로 y를 얻기 위해

의 연산을 수행한다. 물론, 경우에 따라 마스킹 기법은 다르게 구성될 수도 있다. 따라서 암호화 과정에서 중간 값을 알 수 없기 때문에 일반적인 전력 분석 공격은 성공할 수 없다.The masking technique is a method of hiding the intermediate value information during encryption / decryption, so that the encryption device is configured to have a random power consumption so as to be safe in primary differential power analysis. Specifically, in order to obtain the cipher text y for the plain text x,

Ciphertext

And finally, to obtain y

. Of course, the masking scheme may be configured differently in some cases. Therefore, since a median value is not known during the encryption process, a general power analysis attack can not succeed.

의 암호문

에서 m'을 알아야 실제 원하는 암호문 y를 얻을 수 있다. 하지만 블록암호 알고리즘은 비선형 연산을 수행하므로 수정되지 않은 블록 암호 시스템에서 m'값은 x에 따라 다르며 이 값을 중간 값의 누출 없이 아는 것도 상당한 연산을 필요로 한다. 따라서 마스킹 대응법은 이 비선형 연산에 대한 고려가 불가피하다. When such a masking technique is used,

Ciphertext

We need to know m 'in order to get the actual desired ciphertext y. However, since the block cipher algorithm performs nonlinear computation, the m 'value differs from x in the unmodified block cipher system. Knowing this value without leakage of the intermediate value also requires considerable computation. Therefore, it is inevitable to consider this nonlinear operation.

는 'a'와 'b'의 배타적 논리합 (Exclusive-Or) 비트 연산이고,

는

이다.

는 'a'와 'b'의 논리곱 (AND) 비트 연산이다. 또한,

는 X를 s비트 만큼 왼쪽으로 순환 이동하는 연산이고,

는 X를 s비트 만큼 오른쪽으로 순환 이동하는 연산이다. L_i는 i라운드에서 출력된 왼쪽 메시지 블록(상위 64 비트)이고, R_i는 i라운드에서 출력된 오른쪽 메시지 블록(하위 64 비트)이다. 특히, L₀는 입력비트의 상위 64비트를 나타내고, R₀는 입력비트의 하위 64비트를 나타낸다.Hereinafter,

Is an Exclusive-Or bit operation between 'a' and 'b'

The

to be.

Is an AND bit operation between 'a' and 'b'. Also,

Is an operation of cyclically moving X to the left by s bits,

Is an operation of cyclically shifting X by s bits to the right. L _i is the left message block (upper 64 bits) output in the i round, and R _i is the right message block (lower 64 bits) output in the i round. In particular, L ₀ represents the upper 64 bits of the input bit, and R ₀ represents the lower 64 bits of the input bit.

On the other hand, K _i = (K _{i, 0} , K _{i, 1} ) is the i round round key (64 bits). Where K _{i, 0} is the right input key (32 bits) of the i round F function _, and K _{i, 1} is the left input key (32 bits) of the i round F function. KC _i is the i + 1 round constant used in the round key generation process.

Figure 1 shows the flow of a conventional SEED algorithm.

가 r라운드

를 거쳐 암호문

으로 변환되는 반복 구조이다. SEED is a block cipher developed by the Korea Information Security Agency in 1999 and consists of a Feistel structure using a 128-bit secret key. Tel face structure is n-bit plaintext block composed of L _0, R ₀ of each of n / 2 bits

R round

Cipher text

. ≪ / RTI >

The overall structure of the SEED algorithm is composed of a pastel structure, which uses a 128-bit plaintext block and a 128-bit key as inputs to output 128-bit ciphertext over a total of 16 rounds.

The SEED algorithm is divided into an F-function and a round-key generation function, which are largely in a face-tier structure. The F function includes a G function that contains an S box that has only nonlinearity in SEED. The key generation function receives a 128-bit key and generates a 16-round key of 64 bits.

Fig. 2 shows the structure of the F function.

를 입력으로 받아 32비트 블록 2개

를 출력한다. 여기서, F함수의 입력 중 상위 32비트를 C로 나타내고, 하위 32비트를 D로 나타낸다. 암호화 과정에서 64비트 블록

와 64비트 라운드 키

를 F함수의 입력으로 처리하여 64비트 블록

을 출력한다. The block cipher algorithm with the pastel structure can be classified according to the characteristics of the F function. The F function of SEED consists of a modified 64 bit faceplate format. In FIG. 2, a portion denoted by 'F' denotes an F function, and a portion denoted by '+' denotes an add operation without a carry. The F function consists of two 32-bit blocks

2 blocks of 32 bits

. Here, the upper 32 bits of the input of the F function are denoted by C, and the lower 32 bits are denoted by D. In the encryption process,

And 64-bit round keys

As an input of the F function,

.

The following describes G functions. As described above, the F function of the SEED forms a pastel structure, and the G function including the S box is located in the F function.

The G function is calculated by the following equation (1).

이고, Y는 G함수에서 S박스 (S-box)

의 출력 값(32 비트)으로서

이며, Z는 G함수의 출력 값(32 비트)으로서

이다. m_i는 상수이다. 또한, '||' 는 둘 이상의 비트들을 연속하여 배치하는 연쇄(concatenation)를 나타낸다.Here, X is an input value (32 bits) of the G function

Y is the S-box in the G function,

As the output value (32 bits)

, And Z is the output value (32 bits) of the G function

to be. m _i is a constant. Also, '||' Represents a concatenation in which two or more bits are arranged in succession.

는 수학식 2를 이용하여 생성된다.The following describes the S box. Nonlinear S-boxes used inside G functions

Is generated using Equation (2).

Here, the matrix A ⁽ⁱ⁾ can be expressed by Equation (3).

,

,

The SEED round key generation process divides the 128-bit encryption key by 64 bits in left and right directions, shifts them by 8 bits in a left / right direction alternately, and then performs a simple arithmetic operation and a G function . The round key generation process is designed to easily calculate the required round key from the encryption key in encryption or decryption. This is basically to improve efficiency in applications such as smart cards having limited resources such as not being able to store all round keys.

는 표 1과 같이 생성한다.Round key used for each round i

Are generated as shown in Table 1.

Table 2 shows the rounding constants used in the above algorithm.

Round constant

DPA is an attack based on the association between key and power consumption waveforms used in cryptographic algorithms. That is, the data used in the encryption algorithm affects the power consumption waveform. The method to cope with the DPA attack method is divided into a software method and a hardware method. The advantage of the software method is that it can be flexibly applied in various implementation environments. The hardware method is implemented in a specific hardware, and when the algorithm is changed, the hardware itself must be changed, and there is a disadvantage that additional silicon is needed, but it is more efficient than the software method.

Typical software methods include masking and hiding techniques. The purpose of the masking technique is to mask input and intermediate results at random values to ensure that the intermediate results computed during the cryptographic computation process do not have any probabilistic association with the power consumption waveform. Hiding technique is a method to randomly adjust the order of algorithms to eliminate the data dependency of power consumption, unlike the masking technique which makes it impossible to predict the intermediate result value by applying random masking to the intermediate result value. That is, the algorithm's operation sequence is randomly adjusted so that intermediate results are randomly distributed over time.

Unlike software methods that adjust the intermediate result values computed within the algorithm to be independent of power consumption, the hardware method does not adjust the intermediate result values. That is, in the hardware method, the intermediate result values calculated in the algorithm are not influenced by the DPA correspondence method. For example, a method of randomly precharging a hardware internal bus, masking a bus, or the like is used. Or randomly inserts a dummy cycle or skips a clock pulse, causing more noise in hardware. There is also a countermeasure in which masking is applied to the multiplier or the circuit itself at the cell level.

Conventionally, there are many countermeasures for securing the DPA. Since each of these has advantages and disadvantages, it is necessary to select and apply an appropriate response method in consideration of the environment in which the encryption algorithm is implemented.

The above-mentioned SEED employs both S box operation and addition operation by nonlinear operation, and uses two operations per round three times, so it is not easy to apply masking compared to other block ciphers. For example, in the case of AES, only one S box is the only nonlinear operation. If the masking method is applied to the S box in the design of the masking method, the whole structure can be easily designed. On the other hand, in the case of SEED, the masking method for 32-bit addition operations should be considered in addition to the two S-boxes, and the entire structure for harmonizing the two nonlinear operations must be designed at the same time.

Even if the application of the masking technique to the SEED is not so easy, it is like disclosing secret information of the smart card to the power analysis attacker unless the masking method for the block cipher implemented in the commercial smart card is applied. From a long-term point of view, the development of technologies for securing the security of such cryptographic systems should be urgently considered, considering the hardware and software design and implementation of safer cryptographic systems and the rapidly growing market of smart cards. Therefore, it is necessary to develop a masking technique suitable for SEED when the threat of power analysis attack to smart card is increasing day by day.

An object of the present invention is to provide an encryption method using SEED with masking for introducing masking into an existing encryption algorithm SEED in order to secure the security of the encryption system.

According to another aspect of the present invention, there is provided an encryption method using SEED using masking according to an embodiment of the present invention. In this encryption method, a right input encrypted with a round key of each round is subjected to an exclusive OR (XOR) The method comprising: masking an input plaintext with a first random number; And masking the right input of each round with the masked round key after masking the round key of the round with a second random number every round by using the masked input plain text as an initial input.

Preferably, the encrypting method using SEED to which masking is applied according to an embodiment of the present invention includes a step of XORing the encrypted right input and the left input every round and then masking it with a third random number, Masking with a random number, and keeping the masking value of each round the same.

Preferably, the encrypting method using the SEED with masking according to an embodiment of the present invention may further include removing masking of the right input and the left input in the last round.

Preferably, in the encrypting process, a modified F function for encrypting the right input of each round input value with the masked round key is applied every round. In this case, in the process of applying the modified F function, a modified G function including a masking S box for maintaining masking of the right input and a masking addition operation for maintaining masking can be applied. In this case, the step of applying the modified F function may include: masking a first input and a second input constituting the right input; Outputting a first value by applying a modified G function including a masking S box that XORs the masked first and second inputs and then maintains masking; Masking the first value with the masked first input and applying a modified G function to the result of the masking addition to output a second value; Masking the second value and the first value, and applying a modified G function to the result of the masking addition to output a third value; And masking addition of the second value and the third value.

Preferably, the masking addition operation may include a function for converting the non-algebraic masking to arithmetic masking and a function for converting the arithmetic masking to the algebraic masking.

According to another aspect of the present invention, there is provided an encryption method using SEED using masking according to another embodiment of the present invention. In this encryption method, a right input encrypted with a round key of each round is subjected to an exclusive OR (XOR) A method of encrypting using a SEED algorithm of a pastel structure, the method comprising: masking a 128-bit input plaintext; Masking the round key of the round for each round with the masked input plaintext as an initial input and encrypting the rightmost 64 bits of the input value of each round with the masked round key; And removing masking of the rightmost input of the most significant 64 bits and the left input of the least significant 64 bits in the last round.

Advantageously, in the encrypting step, a modified G function including a masking S box for maintaining masking of the right input and a masking addition operation for maintaining masking can be applied. In this case, the masking addition operation may use a masking conversion function using an arithmetic to non-algebraic masking conversion table FT and a carry table CT for 4 bits.

According to embodiments of the present invention, the security of the encryption system can be improved by introducing masking into the SEED algorithm, which is an existing encryption technique, and the increase in the additional cost required for the operation can be minimized.

Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings. However, the following embodiments of the present invention may be modified into various other forms, and the scope of the present invention is not limited to the embodiments described below.

,

등의 형태로 숨기는 방법이며 이는 마스킹 기법을 사용 했을 경우 중간의 전력을 얻게 되어도 본 연산의 중간 값 a에 대한 전력이 아닌 난수 값 m에 의해 변형된 값에 대한 전력을 얻게 되어 일차 차분 전력 분석 공격에 대한 방어를 가능하게 한다.The masking technique is a safe software countermeasure method for first order differential power analysis. Its cost is relatively low compared to hardware countermeasures such as random delay, random clock, and noise insertion. Therefore, This is the preferred response. The masking technique is a method in which all intermediate values a in which an algorithm is executed in an encryption device are a

,

If the masking technique is used, power is obtained for the value modulated by the random number m instead of the power for the intermediate value a of the present operation even if the intermediate power is obtained. Thus, the primary difference power analysis attack To be able to defend against.

It can be applied variously according to the characteristics of the algorithm. In the case of the block cipher, however, masking is generally applied by an arithmetic or Boolean method. These two masking methods mask the intermediate value x for the random number r as follows.

An example of arithmetic masking is shown in Equation (4). Here, A is a masking output value, and K is an arbitrary integer.

또는

or

An example of non-algebraic masking is shown in Equation (5). Here, x 'is the masking output value.

The masking technique for the block cipher makes the result of the intermediate operation random, making it safe for the first-order differential power analysis. For efficiency of the operation, a method of masking only the first round and the last round, not the whole round of the block cipher has been proposed. However, it has been found that this method is not as secure as the IPA (Inferential Power Analysis) method.

On the other hand, the full round masking method is a method of performing an operation such that intermediate values of all the execution processes of all rounds of the algorithm are randomized by masking. In order to apply masking to all intermediate values in full round masking, it is necessary to know the value of masking to be removed after the execution of the algorithm. In general, masking values for linear operations can be easily deduced from previous masking values, but it is difficult to deduce the conversion of masking values for nonlinear operations, and it is inevitable to consider this part in the design of masking techniques.

Hereinafter, the masking value of the resultant value is examined according to each of the following operations.

, 덧셈 (Addition)

,

에 대한 다항식 곱셈 (Polynomial Multiplication over

), 비트의 퍼뮤테이션 (Bitwise Permutation), 선형변환 (Linear Transformation) 등의 연산들에 대해 입력 값 및 중간 계산 값을 숨기기 위해서 상술한 불대수 마스킹과 산술 마스킹을 사용한다. 두 가지의 마스킹 기법을 사용하여 위의 연산들에 대한 부채널 공격의 대응방법을 구성한다. Table Lookup, Bitwise Boolean, Shift / Rotation, Multiplication,

Addition,

,

Polynomial Multiplication over

), Bitwise permutation, linear transformation, and the like are used to hide the input values and the intermediate calculation values. The above-described algebraic masking and arithmetic masking are used. We use two masking techniques to construct a countermeasure against subchannel attacks on the above operations.

을 통해서 한 번의 랜덤화를 수행하고, 테이블 룩업 연산 수행 이후에

을 이용해서 두 번째 랜덤화를 수행한다. 랜덤화를 수행하는 계산식은 수학식 6과 같다. First, when performing a lookup table operation, it is necessary to perform an operation on the input value x

A randomization is performed once, and after the table look-up operation is performed

The second randomization is performed. The equation for performing the randomization is shown in Equation (6).

는 x에 대한 테이블 룩업 연산을 의미한다. 마스킹을 수행하도록 설계된

은 마스킹된 값을 입력 값으로 받아서 마스킹된 결과 값을 출력한다. 즉

은

으로 마스킹된 입력 값에 대해

으로 마스킹된 결과 값을 출력한다.

Means a table lookup operation on x. Designed to perform masking

Receives the masked value as an input value, and outputs the masked result value. In other words

silver

For input values masked by

And outputs the masked result value.

에 대한 마스킹 값을 각각

라고 할 때 마스킹이 씌워진 값을

와

라고 가정하면, 마스킹이 씌워진 결과 값

이고, 마스킹 값

이다. 또한 AND 연산에 대해서는 다음과 같이 마스킹이 적용될 수 있다. 이 경우에도 XOR에서 정의한 것과 마찬가지로 두 입력 값

에 대해서 마스킹이 적용될 값을 각각

, 마스킹이 씌 워진 값을

와

라고 가정하면, 마스킹이 씌워진 결과 값

이고, 마스킹 값

이다. AND 연산에서 마스킹 연산을 수행하는 도중, x나 y의 값이 마스킹 되지 않고 드러나지 않을 수도 있다. 이부분에 대해서 세심한 구현이 요구된다.Second, it is a Boolean operation. The frequent use of encryption during the Boolean algebra operation is XOR and AND. It is most important to calculate and maintain accurate masking values while performing masking operations on input values. When an XOR operation is performed on two values masked, a masking value can be applied as follows. Two input values

Lt; RTI ID = 0.0 >

The masked value

Wow

, The resultant masked value

And the masking value

to be. Masking can also be applied to the AND operation as follows. In this case as well, as defined by the XOR,

Lt; RTI ID = 0.0 > Masking < / RTI &

, The masked value

Wow

, The resultant masked value

And the masking value

to be. During the masking operation in the AND operation, the values of x and y may not be masked or exposed. A careful implementation is required for this part.

는 x에 대해서

의 마스킹 값을 사용하여 마스킹된 값이라 하면

에 대해서 n비트의 시프트나 로테이션이 수행되었을 때 그 값에 해당하는 마스킹 값은 다음과 같이 계산된다. 즉, 시프트나 로테이션이 수행된 입력 값

일때,

에 해당되는 마스크 값은

이다. 데이터에 의존해서 시프트나 로테이션이 수행되는 경우에는 다음과 같은 방법으로 시프트나 로테이션의 횟수도 랜덤하게 생성할 수 있다. 즉, 시프트나 로테이션이 수행된 입력 값이

일때,

에 해당되는 마스크 값은

이다.Thirdly, when shifting or rotation is performed, the masking is deformed as follows. When an n-bit shift or rotation operation is performed on the input value x,

About x

If the value is masked using the masking value of

The masking value corresponding to the value when the shift or rotation of n bits is performed is calculated as follows. That is, the input value

when,

The mask value for

to be. When a shift or rotation is performed depending on data, the number of shifts or rotations can also be randomly generated in the following manner. That is, when the input value on which the shift or rotation is performed is

when,

The mask value for

to be.

에서의 산술연산의 경우에는 산술 마스킹 방법을 사용한다. 두 데이터

에 대한 마스킹 값을 각각

,

의 마스킹된 값을

라고 가정하면, 두 값의 산술연산 + 및 ×에 대한 연산 결과의 변환된 마스킹 값들은 다음과 같이 정리 된다. 즉, + 에 대 한 연산 결과는

이고, + 에 대한 연산 마스킹 값은

이다. 또한, ×에 대한 연산 결과는

이고, ×에 대한 연산 마스킹 값

이다.Fourth, the case where addition or multiplication is performed will be described.

The arithmetic masking method is used. Two data

Lt; RTI ID = 0.0 >

,

The masked value of

, The converted masking values of the arithmetic operation of the two values and the operation result of X are summarized as follows. That is, the result of the operation on +

, And the operation masking value for +

to be. Also, the calculation result for X is

, And an operation masking value for X

to be.

에서는 데이터에

를 XOR 연산으로 마스킹 하는 것이 산술 마스킹 방법에서

를 더해주는 것과 같은 결과를 낳기 때문에 산술 마스킹 방법을 적용할 수 있다.Fifth, the polynomial multiplication will be described. There are several ways to convert masking values when polynomial multiplication is performed on values to which the algebraic masking method is applied. If the result of the operation is stored in a table, the masking table lookup method may be applied. Also

In the data

Is masked by an XOR operation in an arithmetic masking method

The arithmetic masking method can be applied.

라고 할 때 x의 마스킹된 값을

이라 하자. 이 경우, 퍼뮤테이션 연산이

로 수행되었을 때 마스킹 값 또한

로 계산된다.Sixth, the bit permutation will be described. The masking value for data x

The masked value of x is

. In this case, the permutation operation

The masking value is also < RTI ID = 0.0 >

.

, x의 마스킹된 값을

라고 하자. 선형변환을

라고 할 때,

에 대한 마스킹 값은

로 계산된다.Seventh, in the case of linear transforms, random masking values can be transformed in the same way as in permutation. The masking value for data x is

, the masked value of x

Let's say. Linear transformation

When you say,

The masking value for

.

Implementing the algorithm in this way requires additional computation cost as compared with the general algorithm, because it requires a process of performing the operation and a process of maintaining a random masking value. In addition, additional cost is incurred when the table lookup is performed, such as a portion for generating a table, a portion for converting algebraic masking and arithmetic masking. This additional cost depends on the size of the table and how often the conversion of the masking occurs.

Conventional countermeasures of masking type against DPA attack have a problem of continuously checking the state of masking value in intermediate calculation. In order to solve this problem, a method of knowing the masking value only at a fixed stage and then stripping out the masking value after the end of the algorithm, and restoring the original value has been proposed.

A method has been proposed to overcome the computation cost to create a random S box, which is the biggest disadvantage of the existing masking method. This method is a method of storing a large number of random S boxes in ROM, that is, a fixed masking method, which can be used to implement all ciphers using S box.

Unique masking method is designed to secure block cipher to DPA. The unique masking method uses the modified form of F so that it can perform the same function as the F function entering the block cipher without regard to the presence or absence of the masking value. An example of the DES (Data Encryption Standard) using this method is as follows.

In DES, the F function is constructed by using two S boxes of Equation (7).

는 S박스에서의 역 퍼뮤테이션 (inverse permutation)이다.Where E is the expansion permutation,

Is the inverse permutation in the S box.

는 DES에서

라는 키를 사용해서 수행되는 f함수라고 하고,

와

는

라는 키와

와

를 S박스로 사용해서 구현되는 f함수라고 하자. 3개의 f중에서

는 마스킹 값이 있는 데이터를 마스킹 값이 없는 데이터로 변환하고,

는 마스킹 값이 없는 데이터를 마스킹 값이 있는 데이터로 변환한다.

From DES

This is called the f function,

Wow

The

The key

Wow

Let's say that f is a function implemented using S box. Of the three f

Converts the data having the masking value into data having no masking value,

Converts data having no masking value into data having a masking value.

FIG. 3 shows an example in which rounds of DES are performed in five types with respect to the three f functions thus configured.

In FIG. 3, the solid line indicates the flow of the operation for the data having no masking value, and the dotted line indicates the flow of the data overlaid with the masking value. In order to output the same result as that of the conventional DES through a combination of the five round operations configured as shown in FIG. 3, round operations must be performed by a combination following the operation sequence shown in FIG. An example of performing meaningful operations is BCDCDCEBCDCDCDCE.

로 마스킹 되어있는 것에 의해서 발생할 수 있는 문제를 막기 위해서 수학식 8의 조합으로 수행하는 것을 제안하고 있다.Unique masking methods have been analyzed as being safe for DPA. And the first round and the last round are the same mask

It is proposed to perform the combination of Equation (8) in order to prevent a problem that may be caused by being masked with < RTI ID = 0.0 >

The unique masking method has an advantage that the operation structure of DES can be used as it is.

(mod 2³²)에 대한 덧셈 연산을 비선형 연산으로 모두 사용하기 때문에 그 설계 방법에 따라 효율성이 크게 저하될 수 있다.The masking method can be changed according to the block algorithm, and the masking correction operation and the additional table size are determined according to the designing method. Unlike other block ciphers,

(mod 2 ³² ) is used as a nonlinear operation, the efficiency may be greatly reduced according to the design method.

An embodiment of the present invention provides a safe and efficient masking method of SEED for primary differential power analysis.

로서, x를 y번 연쇄(concatenation)시킨 것을 나타낸다. 또한, a<<b는 a에 대한 b비트 왼쪽 시프트 (left-shift) 연산을 나타내고, a>>b는 a에 대한 b비트 오른쪽 시프트 (right-shift) 연산을 나타낸다. 그리고, +_n은 법

에 대한 덧셈 연산을 나타내고, -_n은 법

에 대한 뺄셈 연산을 나타낸다.Hereinafter, (x) ^y is

, Indicating that x is concatenated y times. Also, a << b represents a b-bit left-shift operation on a, and a >> b represents a b-bit right-shift operation on a. And, + _n is the law

, - _n represents the addition

&Lt; / RTI &gt;

The overall flow of the masking method according to one embodiment of the present invention is as follows.

을 생성 후,

을 계산한다. First, two 8-bit masking random numbers

And then,

.

,

에 대하여 두 개의 마스킹 S박스

,

를 표 5의 알고리즘에 따라 생성한다. 다음, 4 비트 난수

,

,

를 생성하고

,

를 표 6의 알고리즘에 따라 생성한다. 또한 32비트 난수

를 생성한다.Next, S box

,

Two masking S boxes

,

Are generated according to the algorithm of Table 5. Next, a 4-bit random number

,

,

And

,

Are generated according to the algorithm of Table 6. In addition,

.

을

로,

을

로 마스킹 되도록 조정한다.Meanwhile, in the key scheduling process,

of

in,

of

As shown in FIG.

으로 마스킹한다. 그리고, 두 번째 라운드부터 각 라운드 연산 전에

를

과 XOR 연산하고,

를

과 XOR 연산한다. 각 라운드 연산은 도 8의 본 발명의 일 실시 예에 따라 수정된 G함수와 표 6의 수정된 덧셈연산을 이용한다.Next, input 16 bytes of plain text

Lt; / RTI &gt; From the second round, before each round operation

To

Lt; / RTI &gt;

To

Lt; / RTI &gt; Each round operation utilizes a modified G function according to one embodiment of the invention of FIG. 8 and a modified addition operation of Table 6. [

을 벗겨낸다.Finally, the 16-byte masking value of the output plaintext

.

An example of the round function of the SEED masking structure according to an embodiment of the present invention is shown in FIGS. 5 and 6. FIG.

FIG. 5 illustrates a round function according to an embodiment of the present invention except for the last round. FIG. 6 illustrates a final round function according to an embodiment of the present invention.

로 마스킹된 후, 도 5 및 6 에서 보는 바와 같이, 각 라운드의 128 비트 입력 값은

로 마스킹이 유지된다. 입력 값 128비트 중

으로 마스킹 된 하위 64 비트는 본 발명의 일 실시 예에 따라 수정된 F함수의 입력 값으로 들어가며,

으로 마스킹 되어 출력된다.In the above process, the first 128-bit plaintext

As shown in Figures 5 and 6, the 128 bit input value of each round is &lt; RTI ID = 0.0 &gt;

Masking is maintained. Input value is 128 bits

The lower 64 bits masked into the input of the modified F function according to an embodiment of the present invention,

And is output.

로 변형된다.The 64-bit F-function output value is XORed with the upper 64-bit input value of the round input, and then becomes the lower 64-bit input value of the next round. When two values are XORed, the masking value for the intermediate value is

.

과 XOR되면 다음 라운드의 하위 64비트 입력 값은

로 마스킹 값이 변형된다. 또한 다음 라운드의 상위 64비트 입력 값은 이전 라운드의 하위 64비트의 값에

을 XOR한 값으로

으로 마스킹 값이 변형된다. 즉, 다음 라운드 함수의 입력 값 128비트 또한

으로 선택되며, 이 마스킹 값은 본 발명의 일 실시 예에서 동일하게 유지된다. 5,

, The lower 64-bit input value of the next round is

The masking value is modified. Also, the upper 64-bit input value of the next round is the value of the lower 64 bits of the previous round

To the value obtained by XOR

The masking value is modified. That is, the input value 128 bits of the next round function also

And this masking value remains the same in one embodiment of the present invention.

FIG. 6 includes a process of removing masking by a masking technique for the last round.

The nonlinear operation of SEED is the addition operation for S box and law 2 ³² . The masking method for this nonlinear operation is considerably larger than the linear operation and determines the efficiency of the entire masking technique.

Hereinafter, the masking for the S box will be described. There are various kinds of masking methods, but in general, an algorithm that uses masking should be noted as follows. That is, even if the power value used in the algorithm is leaked by using masking in all operations of the cipher, its power value must be random. And, if masking is used, it should not be different from the original algorithm's result even if it affects the original value to be calculated by masking value.

Generally, when using the masking method, the input value is masked to calculate the masked values as a whole, and the masking of the output value is peeled off. In this masking method, the masking value can easily be deduced from the next calculation in a linear arithmetic operation, but it affects the next arithmetic operation in a nonlinear arithmetic operation, so that a value different from the original arithmetic operation value It is necessary to consider the point at which it is calculated.

In many block ciphers, nonlinear operation is performed using S box, and when masking method is applied, S box which nonlinear operation occurs must be considered.

Let's take the DES algorithm as an example.

Table 3 shows a form in which a 6-bit value after 6 rounds of the round key and a 6-bit value of the plain text are XORed in the DES computation process, and the 4-bit value is output by entering the S-box input value.

input

S box
calculate


Print

라 가정 하면 알고리즘을 수행 했을 때 출력 값이

의 형태로 되어 마스킹을

연산으로 벗겨내어 올바른 형태의

가 되어야 한다.The input value of the DES algorithm is masked using the plaintext

Assuming that the output value is

Masking in the form of

To strip out the correct form

.

의 형태로 출력되지 않는다. However, since the DES algorithm includes non-linear operations using S-boxes,

. &Lt; / RTI &gt;

로 수행했을 경우 S박스에서 일어나는 연산을 살펴보면

의 형태로 표 3과 같은 연산이 수행이 되며, 표 4와 같은 연산과정으로 나타낼 수 있다.In the DES algorithm,

If you look at the operations that occur in S box

The operation is performed as shown in Table 3, and it can be represented by the calculation process as shown in Table 4. [

input

S box
calculate



Print

가 선택 되어서 출력되는 것이 아니라 [표2]에서의

,

와 같이 마스킹이 씌워진 값이 선택 되어 출력된다. Therefore, the output values of the S box after the masking method is used are shown in Table 3

Is not selected and output, but the output of [Table 2]

,

The masked value is selected and output.

이 아니라

의 형태로 나오게 되어 원래의 값과 전혀 다른 값이 출력 되게 된다. In other words,

Not

And the output value is completely different from the original value.

Therefore, an S 'box that can satisfy Equation (9) must be generated before the algorithm is executed.

Table 5 shows an example of masking S box generation algorithm for S box of SEED.

에 대하여

으로 마스킹 된 x값이 입력되었을 때,

으로 마스킹 된

의 값을 출력하는 테이블을 생성한다. 이 마스킹 S박스

,

는 F함수의 G함수에서

대신에 사용되며, 이 두 마스킹 S박스의 사용을 위해서

,

의 입력 값은 반드시

으로 마스킹 되도록 전체 구조를 설계해야만 한다.The algorithm in Table 5 is based on two S boxes

about

When the masked x value is input,

Masked with

To generate a table to output the value of This masking S box

,

In the G function of the F function

It is used instead, and for the use of these two masking S boxes

,

The input value of

The entire structure must be designed to be masked.

와 캐리 테이블

의 생성 알고리즘이다.The addition operation, which is a nonlinear operation of SEED, uses an addition operation for the method 2 ³² . Therefore, the masking method according to an embodiment of the present invention considers the masking method of the addition operation of the method 2 ³² . Method 2 If the masking conversion table of ³² addition operations is used, the size of the table is too large to be actually used. This problem must be solved by using masking conversion tables and carry tables for small bits. In the masking technique according to the embodiment of the present invention, the size of the masking conversion table and the carry table is selected by using 16 bits of 4 bits. Although this value is the experimentally selected most efficient size, the contents of the present invention are not limited thereto. The following algorithm is a table that converts from arithmetic on 4 bits to algebraic masking

And carry table

.

테이블은 4비트 난수

,

를 이용, 입력 값

에 대해

를 출력한다. 또한

테이블은

이 16보다 크거나 같을 경우, 즉,

이

보다 작은 경우, 캐리 값을 설정하기 위한 것이다. 이 테이블은 캐리 값이 설정된 경우 1, 설정되지 않는 경우 0값을 얻기 위함이지만, 작은 값에 대해 캐리 값이 1, 큰 값에 대해 캐리 값이 0이 될 확률이 높은 취약점을 방지하기 위해 새로운 4비트 난수

를 이용하며, 실제 본 연산에서는 4비트의 난수

를 다시 빼주는 방법을 사용할 수도 있다.

The table is a 4-bit random number

,

, The input value

About

. Also

The table

Is greater than or equal to 16, i.e.,

this

, It is for setting a carry value. This table is intended to obtain a value of 1 if the carry value is set and a value of 0 if it is not set. However, to prevent a vulnerability with a high carry value of 1 for a small value and a carry value of 0 for a large value, Bit random number

In actual operation, a 4-bit random number

You can also use a method to re-subtract.

으로 마스킹 된 값이며, 출력 값은

으로 마스킹 되어 출력된다. In an F function modified according to an embodiment of the present invention,

And the output value is &lt; RTI ID = 0.0 &gt;

And is output.

Figure 7 illustrates a modified F-function in accordance with an embodiment of the present invention.

으로 마스킹된 입력 값에 대해

으로 마스킹 된 값을 출력한다. 그리고, 본 발명의 일 실시 예에 따른 마스킹 덧셈(MA, Masking Addition)은 두 입력 값

,

에 대해

을 출력한다. In order for the modified F function to operate correctly according to an embodiment of the present invention, the following two conditions must be satisfied. That is, according to one embodiment of the present invention, a modified G function (Modified G function)

For input values masked by

And outputs the masked value. In addition, the masking addition (MA) according to an embodiment of the present invention can be realized by two input values

,

About

.

Figure 8 illustrates a modified G function according to an embodiment of the present invention.

으로 마스킹되어 있으며, 마스킹 S박스 (MS₁, MS₂)를 거친 후,

으로 마스킹 된다. 마스킹 S박스 각각의 출력 값은 수학식 10의 연산을 통해 32비트 출력 값을 결정한다.The 32-bit input value of Figure 8

And after passing through the masking S boxes MS ₁ and MS ₂ ,

Lt; / RTI &gt; The output value of each masking S box determines the 32-bit output value through the operation of Equation (10).

이 되며 이 값을 정리하면

이 된다.

은 G함수의 고정된 상수 값으로 0xff 값이다. 따라서, 본 발명의 일 실시 예에 따라 수정된 G함수의 출력 바이트에 대한 마스킹 값은

이 된다.The masking value for each byte in the 4-byte output value is

And summing up these values

.

Is a fixed constant value of the G function with a value of 0xff. Thus, according to one embodiment of the present invention, the masking value for the output byte of the modified G function is

.

으로 마스킹하며, 덧셈 연산 후에 마스킹 값이

이 되게 한다. 즉, 마스킹 덧셈 연산의 32 비트의 두 입력값

에 대하여

을 출력하는 마스킹 덧셈 연산을 수행해야만 한다. 이때, 입출력 마스킹 값은 마스킹 방법의 효율성을 결정하는 마스킹 보정작업을 최소화하기 위해 선택된다.A masking method according to an embodiment of the present invention is a method in which a 32-bit input value of all masking addition operations used in an F function

, And after the addition operation, the masking value is

. That is, two input values of 32 bits of the masking addition operation

about

It is necessary to perform a masking addition operation to output the masking addition operation. At this time, the input / output masking value is selected to minimize the masking correction operation that determines the efficiency of the masking method.

에 대하여

을 출력하는 마스킹 덧셈 연산 알고리즘이다. Using the masking values thus selected, Table 7 shows that two input values of 32 bits

about

And a masking addition operation algorithm for outputting the masking addition operation algorithm.

함수는 불대수 마스킹을 산술 마스킹으로 변환시키는 함수로 표 8과 같은 과정에 따라 동작한다.

함수를 통해

는

로 변형되며, 4비트 난수

을 이용하여 단계 4의 Z값은

이 된다. 단계 5의

함수는 산술 마스킹이 적용된

값을

의 불대수 마스킹으로 변형시켜주는 함수로서 표 9와 같은 과정에 따라 동작한다.In Table 7, temp ₁ represents a temporary variable. Steps 1 and 3

Function is a function that converts algebraic masking into arithmetic masking.

Through the function

The

And a 4-bit random number

, The Z value in step 4 is

. Step 5

The function can be used with arithmetic masking

Value

Which is a function that transforms the non-algebraic masking of FIG.

In the case where the algebraic masking and the arithmetic masking are to be used in the process of performing various operations as described above, a method of converting the type of masking as shown in Tables 8 and 9 should be performed. In order to maintain the masking value in the SEED, it is necessary to change the masking after the S box and after the addition operation, respectively.

In Table 8, temp ₁ represents a temporary variable.

The method of converting masking from arithmetic to non-algebraic requires a lot of additional computation cost. To solve this problem, a pre-computation table may be used.

,

는 마스킹에 의해 가려진 값을 나타낸다.In Table 9, the conversion table FT and the carry table CT generated in Table 6 are used. In Table 9,

,

Represents the value masked by masking.

)에 따라 일차 차분 전력 분석에 대한 결과를 시뮬레이션한 결과를 설명한다.Hereinafter, in order to verify the safety of the masking technique according to an embodiment of the present invention, a power consumption model proposed by Messarges

) To simulate the results of the first-order differential power analysis.

이 3.72mA, 노이즈가 가우시안 (Gaussian) 정규분포를 따르며 그 분산 값이 6.7236 mA를 따른다고 가정했을 때, 마스킹 방법이 적용되지 않은 SEED는 상관계수가 0.613에 수렴하는 반면, 본 발명의 일 실시 예에 따른 마스킹 방법이 적용된 SEED는 상관계수가 0에 수렴함을 확인할 수 있다. 즉, 옳은 키에 대해 예측한 데이터의 중간 값과 전력사이의 상관성이 존재하지 않으며, 이는 본 발명의 일 실시 예에 따른 마스킹 방법이 일차 차분 전력 분석에 안전함을 의미한다.The offset is 10mA,

Assuming that the noise has a Gaussian normal distribution and the variance thereof follows 6.7236 mA, the SEED in which the masking method is not applied converges to 0.613, whereas in the embodiment of the present invention The SEED with the masking method according to the present invention converges to zero. That is, there is no correlation between the median value of the data predicted for the right key and the power, which means that the masking method according to an embodiment of the present invention is safe for primary differential power analysis.

의 상위 한 바이트와

의 상위 한 바이트를 추측하고 1라운드에서 처음 사용되는 G함수의 첫 S박스에 대한 일차 차분 전력 분석을 시행한 경우, 마스킹 기법이 적용되지 않은 SEED의 옳은 키에 대한 분석결과는 도 9와 같았고, 본 발명의 일 실시 예에 따른 마스킹 기법이 적용된 SEED의 옳은 키에 대한 분석결과는 도 10과 같았다.For a more practical safety check, the first round round key

The upper byte of

And the first difference box power analysis of the first S box of the G function used in the first round is performed. The analysis result of the correct key of the SEED in which the masking technique is not applied is shown in FIG. 9, FIG. 10 shows the result of analyzing the correct key of the SEED to which the masking technique according to an embodiment of the present invention is applied.

As shown in FIG. 9, the first difference power analysis for unmasked SEED shows that the correlation has a peak for the right key, which means that the key can be successfully found.

On the other hand, in the case of the masked SEED as shown in FIG. 10, since the intermediate calculation values are all calculated with a random value, no correlation is found with respect to the correct key. This means that the masking technique according to an embodiment of the present invention is safe for primary differential power analysis.

The present invention can be implemented through software. Preferably, a program for causing a computer to execute an encryption method using SEED to which masking is applied according to an embodiment of the present invention may be recorded in a computer-readable recording medium and provided. When executed in software, the constituent means of the present invention are code segments that perform the necessary tasks. The program or code segments may be stored in a processor readable medium or transmitted by a computer data signal coupled with a carrier wave in a transmission medium or a communication network.

A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer readable recording medium include ROM, RAM, CD-ROM, DVD 占 ROM, DVD-RAM, magnetic tape, floppy disk, hard disk, optical data storage, and the like. In addition, the computer-readable recording medium may be distributed to network-connected computer devices so that computer-readable codes can be stored and executed in a distributed manner.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made therein without departing from the scope of the present invention. It should be understood that such modifications are within the technical scope of the present invention. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

The present invention relates to an encrypting method using SEED to which masking is introduced to introduce a masking into an SEED algorithm, which is a conventional encryption scheme, to secure the security of the encryption system. The encryption method includes a telephone card, a mobile communication security means, Card, PDA, etc., and other information systems that require security.

Figure 1 shows the flow of a conventional SEED algorithm.

Fig. 2 shows the structure of the F function.

FIG. 3 shows an example of performing rounds of DES in five forms with respect to the modified f function.

FIG. 4 shows a combination of operation sequences for outputting the same result as that of the conventional DES through a combination of five round operations configured as shown in FIG.

FIG. 5 illustrates a round function according to an embodiment of the present invention except for the last round.

FIG. 6 illustrates a final round function according to an embodiment of the present invention.

Figure 7 illustrates an example of a modified F-function according to an embodiment of the present invention.

FIG. 8 shows an example of a modified G function according to an embodiment of the present invention.

FIG. 9 shows a correlation analysis result of the correct key of the SEED to which the masking technique is not applied.

FIG. 10 shows a correlation analysis result of the correct key of the SEED to which the masking technique is applied according to an embodiment of the present invention.

Claims (11)

The encryption method using an SEED algorithm of a pastel structure for performing an XOR operation on a right input encrypted with a round key of the round for each round with the left input of the round, Masking the input plaintext with a first random number; And Masking the round key of the round with a second random number for each round with the masked input plaintext as an initial input and then encrypting the right input of each round with the masked round key And encrypting the encrypted data using the masked SEED. The method according to claim 1, Further comprising the step of: XORing the encrypted right input and the left input every round and then masking the right input with a third random number, and masking the right input with a fourth random number to keep the masking values of the rounds the same Encryption method using SEED with masking. The method according to claim 1, Further comprising the step of removing masking of the right input and the left input in the last round. The method according to claim 1, Wherein the encrypting comprises: Applying a modified F function that encrypts the right input of each round's input with the masked round key every round. 5. The method of claim 4, Wherein applying the modified F function comprises: Applying a masking addition operation to maintain a masking with a modified G function comprising a masking S box maintaining the masking of the right input. 5. The method of claim 4, Wherein applying the modified F function comprises: Masking a first input and a second input constituting the right input; Outputting a first value by applying a modified G function including a masking S box that XORs the masked first and second inputs and then maintains masking; Masking the first value with the masked first input and applying a modified G function to the result of the masking addition to output a second value; Masking the second value and the first value, and applying a modified G function to the result of the masking addition to output a third value; Masking &lt; / RTI &gt; the second value with the third value And encrypting the encrypted data using the masked SEED. 7. The method according to any one of claims 5 to 6, Wherein the masking addition operation comprises: A function for converting the algebraic masking into arithmetic masking, and a function for converting the arithmetic masking into the algebraic masking. The encryption method using an SEED algorithm of a pastel structure for performing an XOR operation on a right input encrypted with a round key of the round for each round with the left input of the round, Masking an input plaintext of 128 bits; Masking the round key of the round for each round with the masked input plaintext as an initial input and encrypting the rightmost 64 bits of the input value of each round with the masked round key; And Steps to remove the masking of the rightmost 64 bits of the left input and the least significant 64 bits of the left input in the last round And encrypting the encrypted data using the masked SEED. 9. The method of claim 8, The encrypting step Applying a masking addition operation to maintain a masking with a modified G function including a masking S box that maintains masking of the right input. 10. The method of claim 9, Wherein the masking addition operation comprises: Wherein a masking conversion function using an arithmetic-to-non-algebraic masking conversion table (FT) and a carry table (CT) for 4 bits is applied. A recording medium on which a program for executing an encryption method according to any one of claims 1 to 6 and 8 to 10 in a computer system is recorded, the recording medium being readable by the computer system.

Images