KR101665595B1 - Apparatus and Method for Protecting Side channel Attacks on - Google Patents
- Publication number
- KR101665595B1 (application KR1020150045606A)
- Authority
- KR
- South Korea
- Prior art keywords
- value
- round function
- function values
- mask
- masking
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/04—Masking or blinding
- H04L2209/046—Masking or blinding of operations, operands or results of the operations
Abstract
The present invention relates to an apparatus and method that counter side-channel analysis of LEA by applying a mask value in the first round and removing the mask value in the final round to produce the ciphertext. Because the intermediate values are hidden by random mask values, the weakness that intermediate values can be guessed through side-channel analysis is removed, and because a fresh random value is used every time the algorithm runs, the intermediate values cannot be estimated statistically. The scheme is therefore secure against side-channel analysis.
Description
The present invention relates to a masking countermeasure for the Lightweight Encryption Algorithm (LEA). More specifically, it relates to an apparatus and method for countering side-channel analysis in which a mask value is applied in the first round and removed in the last round.
As the IT environment evolves, the security of the Internet of Things (IoT) has become an issue, and research on suitable encryption algorithms is being carried out actively.
In this environment, research is also directed at optimising memory, CPU performance and power consumption, so there are limits to using existing ciphers such as the Advanced Encryption Standard (AES), ARIA and SEED.
A cryptosystem that is fast, lightweight and low-power has therefore been required, and the Lightweight Encryption Algorithm (LEA), which runs efficiently on 32-bit platforms, was proposed to meet it.
LEA was designated a standard by the Telecommunications Technology Association (TTA) of Korea in December 2013. It encrypts and decrypts in 128-bit blocks with 128-, 192- or 256-bit secret keys, and its round function uses only 32-bit modular addition, rotation and XOR operations.
Its computation is therefore faster than that of other block ciphers, its key schedule is simple, and it uses no S-boxes, so it suits environments that need lightweight symmetric-key cryptography.
Side-channel analysis is an attack method that uses additional information such as the power consumption, electromagnetic emanation and sound produced while the encryption algorithm runs on a device.
Typical side-channel analysis methods include power analysis, timing attacks and fault attacks.
Since such side-channel analyses come in many forms and can extract the secret key from the algorithm, a lightweight symmetric-key cipher must be designed with a countermeasure that keeps it secure against them.
An object of the present invention is to provide an apparatus and method for masking LEA (Lightweight Encryption Algorithm) in order to solve the problem that the LEA of the related art has no countermeasure against side-channel analysis.
The present invention provides an apparatus and method that generate the ciphertext by applying a mask value in the first round and removing the mask value in the final round, so that LEA is secure against side-channel analysis.
The present invention provides an apparatus and method for countering LEA side-channel analysis that can be applied to various network technologies such as radio frequency identification (RFID), Zigbee, the Constrained Application Protocol (CoAP), lightweight M2M (lwM2M), the User Datagram Protocol (UDP), Ethernet and Message Queuing Telemetry Transport (MQTT).
The objects of the present invention are not limited to the above-mentioned objects, and other objects not mentioned can be clearly understood by those skilled in the art from the following description.
In order to achieve the above object, an apparatus for countering LEA side-channel analysis according to the present invention comprises: a mask value generating unit that generates a mask value m1, a mask value m2 applied to the round key values, and the mask values used for shift operation correction; a mask value applying unit that generates first masking round function values by applying the mask value m1 to each input round function value Xr[0], Xr[1], Xr[2] and Xr[3]; a round key applying unit that generates second masking round function values by applying round key values, to which the mask value m2 has been applied, to the first masking round function values; a mask operation performing unit that generates third masking round function values by performing a masked addition operation on the second masking round function values; a shift operation performing unit that generates fourth masking round function values by performing a shift operation on the third masking round function values; a shift operation correcting unit that generates output round function values by applying the mask values used for shift operation correction to the fourth masking round function values; and a ciphertext output unit that outputs a ciphertext composed of the output round function values.
A method for countering LEA side-channel analysis according to the present invention, for achieving another object, comprises: a mask value generating step of generating a mask value m1, a mask value m2 applied to the round key values, and the mask values used for shift operation correction; a mask value applying step of generating first masking round function values by applying the mask value m1 to each input round function value Xr[0], Xr[1], Xr[2] and Xr[3]; a round key applying step of generating second masking round function values by applying round key values, to which the mask value m2 has been applied, to the first masking round function values; a mask operation performing step of generating third masking round function values by performing a masked addition operation on the second masking round function values; a shift operation performing step of generating fourth masking round function values by performing a shift operation on the third masking round function values; a shift operation correcting step of generating output round function values by applying the mask values used for shift operation correction to the fourth masking round function values; and a ciphertext output step of outputting a ciphertext composed of the output round function values.
The apparatus and method for countering LEA side-channel analysis according to the present invention have the following effects.
First, the mask value is applied in the first round and removed in the last round.
Second, using random values makes the intermediate values impossible to guess, which removes the vulnerability that intermediate values can be guessed through side-channel analysis.
Third, the scheme is secure against side-channel analysis because a new random value is used every time the algorithm runs, so the intermediate values cannot be estimated statistically.
Therefore, the weakness against side-channel analysis that can arise in the various environments where the lightweight block cipher LEA is used can be protected.
FIG. 1 is a block diagram of an apparatus for countering LEA side-channel analysis according to the present invention.
FIG. 2 is a block diagram showing the procedure for generating one round of encrypted data in the 128-bit LEA algorithm.
FIG. 3 is a diagram showing the round key generation procedure used in the LEA algorithm.
FIG. 4 is a block diagram illustrating the LEA algorithm to which the side-channel countermeasure technique according to the present invention is applied.
FIG. 5 is a diagram showing the masked addition operation used in the LEA algorithm to which the side-channel countermeasure technique is applied.
Hereinafter, a preferred embodiment of the apparatus and method for countering LEA side-channel analysis according to the present invention will be described in detail.
The features and advantages of the apparatus and method for countering LEA side-channel analysis according to the present invention will be apparent from the following detailed description of each embodiment.
FIG. 1 is a block diagram of an apparatus for countering LEA side-channel analysis according to the present invention.
The present invention applies the mask value in the first round and removes the mask value in the last round to generate the ciphertext and secure LEA against side-channel analysis.
The present invention can be applied to various network technologies such as radio frequency identification (RFID), Zigbee, the Constrained Application Protocol (CoAP), lightweight M2M (lwM2M), the User Datagram Protocol (UDP) and Message Queuing Telemetry Transport (MQTT).
In the apparatus and method for countering LEA side-channel analysis according to the present invention, four 8-bit random values are concatenated instead of drawing a single 32-bit random value M.
This addresses the inefficiency of mask management when a 32-bit random value is used, where the time needed to extract the random value is large and the number of bits to be managed grows; concatenating four 8-bit values is easier and more efficient to apply in each operation unit.
Table 1 defines the parameters used in the apparatus and method for responding to the LEA subchannel analysis according to the present invention.
The configuration of an apparatus for countering LEA side-channel analysis according to the present invention is as shown in FIG. 1.
An apparatus for countering LEA side-channel analysis according to the present invention includes a plain
The mask
In the shift operation correcting unit (17), correction values other than m1, derived from ROR3(m1), ROR5(m1) and ROL9(m1), are used instead of operating directly on the state, so that a random value is already applied at the first operation and the intermediate value is never exposed as it is.
A mask value is also applied to the round keys, in view of the vulnerability that can arise in the key schedule.
Specifically, the mask value m1, the mask value m2 applied to the round key value, and the shift operation correction masks m4 = m1 ⊕ ROR3(m1), m5 = m1 ⊕ ROR5(m1) and m6 = m1 ⊕ ROL9(m1) are generated.
Here, the operation in the mask
The operation in the round
The operation in the mask
The operation in the shift
The operation in the shift
Here, the Addition function is a function in which the mask value is calculated
The output value for this is to be.
A method for countering LEA side-channel analysis according to the present invention is as follows.
First, the mask value m1, the mask value m2 applied to the round key value, and m4 = m1 ⊕ ROR3(m1), m5 = m1 ⊕ ROR5(m1) and m6 = m1 ⊕ ROL9(m1) are generated.
The side-channel analysis of LEA that the apparatus and method according to the present invention counter is described below.
FIG. 2 is a block diagram showing the procedure for generating one round of encrypted data in the 128-bit LEA algorithm, and FIG. 3 is a diagram illustrating the round key generation procedure used in the LEA algorithm.
FIG. 2 shows a first-order side-channel analysis of LEA that uses the plaintext.
The 128-bit input is divided into four 32-bit words; each word is combined with the corresponding 32-bit round key word by XOR, and the results pass through an addition operation and a rotation operation to become the input of the next round.
In a first-order side-channel analysis using the plaintext, the points usable as attack points are the plaintext words X0[i] (i ∈ {1, 2, 3, 4}) and the round key words RK0[j] (j ∈ {1, 2, 3, 4, 5, 6}).
The attacker can choose the point where the XOR operation with the round key takes place or, since two round key words enter each addition, the point where the addition operation takes place.
The most efficient approach is to guess the key at such a point in 8-bit portions: after analysing the point where the operation takes place, the analysis uses the result of that operation as the intermediate value. FIG. 3 shows the round key generation procedure used in the LEA algorithm. For a 128-bit key it generates the 24 round keys of 192 bits each that are used in encryption, through 24 iterations.
In the 128-bit LEA algorithm, RKr[1], RKr[3] and RKr[5] are the same key word.
If T_{i+1}[j] is known, T_i[j] can be derived, and vice versa. This property lets an attacker who recovers one word T_i[j] derive that round key word for every round.
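The round key relation described above, worked through as an added example (this is my code, not the patent's). It implements the 128-bit LEA key schedule as I recall it from the TTA specification (T[0..3] updated with rotations 1, 3, 6, 11 and constants delta[i mod 4]; treat the delta values as an assumption and verify them against the published test vectors before relying on them) and shows what the text warns about: RK_r[1] = RK_r[3] = RK_r[5] in every round, and a single recovered T_i[1] is enough to roll back to the master key word and forward to every round. The key words are constructed.

```python
"""LEA-128 key schedule and the round-key inference the description warns about.
Added example, not the patent's own code."""

MASK32 = 0xFFFFFFFF


def rol(x, r):
    r %= 32
    return x if r == 0 else ((x << r) | (x >> (32 - r))) & MASK32


def ror(x, r):
    return rol(x, 32 - (r % 32))


# Key-schedule constants as recalled from the LEA specification (assumption: verify
# against the published test vectors before relying on them).
DELTA = [0xC3EFE9DB, 0x44626B02, 0x79E27C8A, 0x78DF30EC,
         0x715EA49E, 0xC785DA0A, 0xE04EF22A, 0xE5C40957]
ROT = (1, 3, 6, 11)      # rotation applied to T[0], T[1], T[2], T[3] in each iteration
ROUNDS = 24              # LEA-128


def next_t(T, i):
    """One key-schedule iteration: T_{i+1}[j] = ROL_ROT[j](T_i[j] + ROL_{i+j}(delta[i mod 4]))."""
    d = DELTA[i % 4]
    return [rol((T[j] + rol(d, i + j)) & MASK32, ROT[j]) for j in range(4)]


def prev_t_word(t_next, i, j):
    """Invert one word of iteration i: every step is a rotation or a modular add, so
    T_i[j] = ROR_ROT[j](T_{i+1}[j]) - ROL_{i+j}(delta[i mod 4]) (mod 2^32)."""
    return (ror(t_next, ROT[j]) - rol(DELTA[i % 4], i + j)) & MASK32


def key_schedule_128(key_words):
    """Return the 24 round keys RK_i = (T[0], T[1], T[2], T[1], T[3], T[1])."""
    T = list(key_words)
    rks = []
    for i in range(ROUNDS):
        T = next_t(T, i)
        rks.append([T[0], T[1], T[2], T[1], T[3], T[1]])
    return rks


def all_t1_from_one(rk_word, i):
    """Given T_i[1] recovered in round i (it appears three times, as RK_i[1], RK_i[3]
    and RK_i[5]), derive the master key word K[1] and T[1] for every round."""
    t = rk_word
    for r in range(i, -1, -1):          # walk back to the master key word
        t = prev_t_word(t, r, 1)
    master_k1 = t
    per_round = []
    for r in range(ROUNDS):             # then forward through every iteration
        t = rol((t + rol(DELTA[r % 4], r + 1)) & MASK32, ROT[1])
        per_round.append(t)
    return master_k1, per_round


if __name__ == "__main__":
    K = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0]   # constructed key words
    rks = key_schedule_128(K)
    master, per_round = all_t1_from_one(rks[7][1], 7)      # one word leaked in round 7
    print("RK_r[1]==RK_r[3]==RK_r[5] in all rounds:", all(rk[1] == rk[3] == rk[5] for rk in rks))
    print("recovered K[1] matches:", master == K[1], "all rounds:", per_round == [rk[1] for rk in rks])
```

The practical consequence is the one the description draws: an attack that recovers a single 32-bit round key word in round i yields that word for all 24 rounds, so the first-round attack point does not have to be repeated per round, and masking the round keys (the m2 mask in this patent) is not optional.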
The structure to which the side-channel countermeasure technique according to the present invention is applied, in order to counter the side-channel analysis of LEA, is as follows.
FIG. 4 is a block diagram illustrating the LEA algorithm to which the side-channel countermeasure technique according to the present invention is applied, and FIG. 5 is a diagram illustrating the masked addition operation used in that LEA algorithm.
As shown in FIG. 4, the input mask of each round is m1 and the round key mask value is m2. Because the mask value is carried consistently within each round, the 128-bit ciphertext is generated by applying the mask value in the first round and removing it in the last round.
The mask values used in this case are shown in Table 2.
In order to carry the mask values consistently, the precomputed m4, m5 and m6 are additionally XORed after the shift operations.
That is, the masked round structure in the apparatus and method for countering LEA side-channel analysis according to the present invention is as follows.
FIG. 5 shows the masked addition operation used in the LEA algorithm to which the side-channel countermeasure technique is applied.
The addition operation is a nonlinear operation with respect to XOR. When first-order Boolean masking is applied,
the transition '⊕' → '+' is handled by a B2A (Boolean to Arithmetic) conversion and the transition '+' → '⊕' by an A2B (Arithmetic to Boolean) conversion.
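The masked round structure described in FIG. 4 and FIG. 5, and the unit-by-unit procedure listed in the summary, carried through as an added example (this is my code, not the patent's or any reference implementation). It assumes the standard LEA-128 round (ROL9, ROR5, ROR3 on three 32-bit sums, six round key words per round). Since FIG. 5 is not reproduced on this page, the masked addition uses Goubin's B2A and A2B conversions and re-masks the sum back to m1; that choice is mine. The mask m1 is built from four 8-bit random values as the description says, m4, m5 and m6 are the correction masks from the claims, and the round keys are simply XORed with m2 in place of a masked key schedule. Plaintext and round key words are constructed, not LEA test vectors.

```python
"""Masked LEA-128 round with shift-operation correction masks.
Added example, not the patent's own code."""
import secrets

MASK32 = 0xFFFFFFFF
W = 32


def rol(x, r):
    return ((x << r) | (x >> (W - r))) & MASK32


def ror(x, r):
    return ((x >> r) | (x << (W - r))) & MASK32


def lea_round(X, RK):
    """Unmasked LEA-128 round: XOR with round-key words, add mod 2^32, rotate."""
    return [
        rol(((X[0] ^ RK[0]) + (X[1] ^ RK[1])) & MASK32, 9),
        ror(((X[1] ^ RK[2]) + (X[2] ^ RK[3])) & MASK32, 5),
        ror(((X[2] ^ RK[4]) + (X[3] ^ RK[5])) & MASK32, 3),
        X[0],
    ]


def b2a(xm, m):
    """Goubin B2A: given x ^ m and m, return A with x = A + m (mod 2^32)."""
    g = secrets.randbits(W)                  # fresh randomness per conversion
    t = ((xm ^ g) - g) & MASK32
    t ^= xm
    g ^= m
    a = ((xm ^ g) - g) & MASK32
    return a ^ t


def a2b(a, m):
    """Goubin A2B: given A and m with x = A + m, return x ^ m (mod 2^32)."""
    g = secrets.randbits(W)
    t = (g << 1) & MASK32
    xm = g ^ m
    omega = g & xm
    xm = t ^ a
    omega ^= (g ^ xm) & m
    omega ^= t & a
    for _ in range(W - 1):                   # masked carry propagation, one bit per step
        g = (t & m) ^ omega
        t &= a
        g ^= t
        t = (g << 1) & MASK32
    return xm ^ t


def masked_add(xm, ym, m_in, m_out):
    """(x ^ m_in), (y ^ m_in) -> (x + y) ^ m_out, never holding x, y or x + y bare."""
    a_sum = (b2a(xm, m_in) + b2a(ym, m_in)) & MASK32   # x + y = a_sum + 2*m_in
    m_sum = (m_in << 1) & MASK32
    sm = a2b(a_sum, m_sum)                             # (x + y) ^ m_sum
    return sm ^ (m_sum ^ m_out)   # change masks in one XOR; XOR-ing m_sum alone would unmask


def gen_mask32():
    """Concatenate four 8-bit random values into the 32-bit mask, as the description does."""
    return int.from_bytes(bytes(secrets.randbits(8) for _ in range(4)), "big")


def shift_masks(m1):
    """m4, m5, m6: XOR-ing them after ROR3 / ROR5 / ROL9 returns the word to mask m1,
    because ROT(s ^ m1) = ROT(s) ^ ROT(m1)."""
    return m1 ^ ror(m1, 3), m1 ^ ror(m1, 5), m1 ^ rol(m1, 9)


def masked_round(Xm, RKm, m1, m2):
    """One round on state words masked with m1 and round-key words masked with m2.
    Every output word is again masked with m1, so rounds chain without unmasking."""
    m4, m5, m6 = shift_masks(m1)
    m12 = m1 ^ m2                            # mask on X[i] ^ RK[j] after the key XOR
    s0 = masked_add(Xm[0] ^ RKm[0], Xm[1] ^ RKm[1], m12, m1)
    s1 = masked_add(Xm[1] ^ RKm[2], Xm[2] ^ RKm[3], m12, m1)
    s2 = masked_add(Xm[2] ^ RKm[4], Xm[3] ^ RKm[5], m12, m1)
    return [rol(s0, 9) ^ m6, ror(s1, 5) ^ m5, ror(s2, 3) ^ m4, Xm[0]]


def encrypt_rounds(X, RKs, m1=None, m2=None):
    """Mask once before the first round, run every round masked, unmask once at the end.
    Round keys are XORed with m2 here in place of a masked key schedule (assumption)."""
    m1 = gen_mask32() if m1 is None else m1
    m2 = gen_mask32() if m2 is None else m2
    Xm = [x ^ m1 for x in X]
    for RK in RKs:
        Xm = masked_round(Xm, [k ^ m2 for k in RK], m1, m2)
    return [x ^ m1 for x in Xm]


def reference_rounds(X, RKs):
    """The same rounds without masking, used to check the masked path."""
    for RK in RKs:
        X = lea_round(X, RK)
    return X


if __name__ == "__main__":
    X = [0x13121110, 0x17161514, 0x1B1A1918, 0x1F1E1D1C]          # constructed words
    RKs = [[0x003A0340, 0x02497E9B, 0x2CA2D8C2, 0x02497E9B, 0x1B0C2FD0, 0x02497E9B],
           [0xDEADBEEF, 0x01234567, 0x89ABCDEF, 0x01234567, 0xFEDCBA98, 0x01234567]]
    print("masked == unmasked:", encrypt_rounds(X, RKs) == reference_rounds(X, RKs))
```

Equality with the unmasked round is only a functional check. Whether the masks actually suppress leakage has to be measured on the target (for example with a t-test over power traces), and the two places where this structure concentrates risk are the mask switch at the end of masked_add, which must be a single XOR with the precomputed m_sum ^ m_out, and the reuse of one m1 across all four words and every round, which the patent's design accepts and an evaluation should examine.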
The apparatus and method for countering LEA side-channel analysis according to the present invention provide a masking countermeasure for LEA (Lightweight Encryption Algorithm) that applies a mask value in the first round and removes it in the last round to generate the ciphertext and secure LEA against side-channel analysis.
The present invention can be applied to radio frequency identification (RFID), Zigbee, the Constrained Application Protocol (CoAP), lightweight M2M (lwM2M), the User Datagram Protocol (UDP), Message Queuing Telemetry Transport (MQTT) and the like.
In particular, hiding the intermediate values with random values removes the weakness that intermediate values can be guessed through side-channel analysis, and because a new random value is used every time the algorithm runs, the intermediate values cannot be estimated statistically, so the scheme is secure against side-channel analysis.
As described above, it will be understood that the present invention may be implemented in modified forms without departing from its essential characteristics.
The described embodiments are therefore to be considered illustrative rather than restrictive; the scope of the invention is indicated by the appended claims rather than by the foregoing description, and all differences falling within the scope of their equivalents are intended to be embraced therein.
11. Plain
13. Mask
15. Mask
17. Shift
Claims (14)
A mask value applying unit for generating first masking round function values by applying a mask value m1 to each of the input round function values Xr[0], Xr[1], Xr[2] and Xr[3];
a round key applying unit for generating second masking round function values by applying round key values, to which a mask value m2 has been applied, to the first masking round function values;
a mask operation performing unit for performing a masked addition operation on the second masking round function values to generate third masking round function values;
a shift operation performing unit for performing a shift operation on the third masking round function values to generate fourth masking round function values;
a shift operation correcting unit for performing an operation using the mask values for shift operation correction on the fourth masking round function values to generate output round function values; and a ciphertext output unit for outputting a ciphertext composed of the output round function values.
The mask value m1, the mask value m2 applied to the round key value, and the shift operation correction masks m4 = m1 ⊕ ROR3(m1), m5 = m1 ⊕ ROR5(m1) and m6 = m1 ⊕ ROL9(m1) are generated.
The first masking round function values are Xr[0] ⊕ (m1)^4, Xr[1] ⊕ (m1)^4, Xr[2] ⊕ (m1)^4 and Xr[3] ⊕ (m1)^4.
The masked addition operation is applied to generate the third masking round function values.
The shift operation applies ROL9, ROR5 and ROR3 to generate the fourth masking round function values.
The shift operation correction applies the mask values m4 = m1 ⊕ ROR3(m1), m5 = m1 ⊕ ROR5(m1) and m6 = m1 ⊕ ROL9(m1) to the fourth masking round function values to generate the output round function values.
A mask value applying step of generating first masking round function values by applying a mask value m1 to each of the input round function values Xr[0], Xr[1], Xr[2] and Xr[3];
a round key applying step of generating second masking round function values by applying round key values, to which a mask value m2 has been applied, to the first masking round function values;
a mask operation performing step of performing a masked addition operation on the second masking round function values to generate third masking round function values;
a shift operation performing step of performing a shift operation on the third masking round function values to generate fourth masking round function values;
a shift operation correcting step of performing an operation using the mask values for shift operation correction on the fourth masking round function values to generate output round function values; and a ciphertext output step of outputting a ciphertext composed of the output round function values.
The mask value m1, the mask value m2 applied to the round key value, and the shift operation correction masks m4 = m1 ⊕ ROR3(m1), m5 = m1 ⊕ ROR5(m1) and m6 = m1 ⊕ ROL9(m1) are generated.
The first masking round function values are Xr[0] ⊕ (m1)^4, Xr[1] ⊕ (m1)^4, Xr[2] ⊕ (m1)^4 and Xr[3] ⊕ (m1)^4.
The masked addition operation is applied to generate the third masking round function values.
The shift operation applies ROL9, ROR5 and ROR3 to generate the fourth masking round function values.
The shift operation correction applies the mask values m4 = m1 ⊕ ROR3(m1), m5 = m1 ⊕ ROR5(m1) and m6 = m1 ⊕ ROL9(m1) to the fourth masking round function values to generate the output round function values.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150045606A KR101665595B1 (en) | 2015-03-31 | 2015-03-31 | Apparatus and Method for Protecting Side channel Attacks on |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150045606A KR101665595B1 (en) | 2015-03-31 | 2015-03-31 | Apparatus and Method for Protecting Side channel Attacks on |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20160117032A KR20160117032A (en) | 2016-10-10 |
KR101665595B1 true KR101665595B1 (en) | 2016-10-12 |
Family
ID=57146284
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150045606A KR101665595B1 (en) | 2015-03-31 | 2015-03-31 | Apparatus and Method for Protecting Side channel Attacks on |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101665595B1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102109895B1 (en) * | 2018-10-12 | 2020-05-12 | 유비벨록스(주) | Block Encryption Method |
KR102109902B1 (en) * | 2018-10-12 | 2020-05-12 | 유비벨록스(주) | Block Encryption Method |
CN115664641B (en) * | 2022-12-26 | 2023-03-14 | 飞腾信息技术有限公司 | Method and device for verifying round key in encryption algorithm |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101601684B1 (en) | 2011-05-18 | 2016-03-09 | 한국전자통신연구원 | Method for implementing symmetric key encryption algorithm against power analysis attacks |
KR101362675B1 (en) | 2012-11-30 | 2014-02-12 | 한국전자통신연구원 | Low power encryption apparatus and method |
- 2015-03-31 KR KR1020150045606A patent/KR101665595B1/en active IP Right Grant
Non-Patent Citations (2)
Title |
---|
Yongdae Kim et al., IACR Cryptology ePrint Archive 2014/999, "First Experimental Result of Power Analysis Attacks on a FPGA Implementation of LEA" (published Dec. 2014) |
박명서 and one other, Journal of the Korea Institute of Information Security and Cryptology (정보보호학회논문지), Vol. 24, No. 6, "Differential Fault Attack on the Block Cipher LEA" (published Dec. 2014) |
Also Published As
Publication number | Publication date |
---|---|
KR20160117032A (en) | 2016-10-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7899190B2 (en) | Security countermeasures for power analysis attacks | |
Mitali et al. | A survey on various cryptography techniques | |
Saraf et al. | Text and image encryption decryption using advanced encryption standard | |
KR101586811B1 (en) | Apparatus and method for protecting side channel attacks on hight | |
Christina et al. | Optimized Blowfish encryption technique | |
KR101665595B1 (en) | Apparatus and Method for Protecting Side channel Attacks on | |
Jeong et al. | Differential fault analysis on block cipher SEED | |
KR101362675B1 (en) | Low power encryption apparatus and method | |
KR20110120837A (en) | A cryptosystem with a discretized chaotic map | |
Mahmoud et al. | A hill cipher modification based on eigenvalues extension with dynamic key size hcm-exdks | |
Chuah et al. | Key derivation function: the SCKDF scheme | |
Ali et al. | Improved differential fault analysis of CLEFIA | |
KR20100079060A (en) | Method for encrypting with seed applying mask | |
Vasudevan et al. | Jigsaw-based secure data transfer over computer networks | |
Partheeban et al. | Dynamic key dependent AES S-box generation with optimized quality analysis | |
Riyadi et al. | The Dynamic Symmetric Four-Key-Generators System for Securing Data Transmission in the Industrial Control System. | |
WO2013039659A1 (en) | Hybrid encryption schemes | |
Sharma et al. | Cryptography Algorithms and approaches used for data security | |
KR102072335B1 (en) | Power Analysis Attack Defense Technique Application Method for AES Encryption Algorithm Using Scrambler | |
Muthalagu et al. | Modifying LFSR of ZUC to Reduce Time for Key-Stream Generation. | |
Chandrasekaran et al. | Ensemble of blowfish with chaos based s box design for text and image encryption | |
Khan et al. | Robust symmetric cryptography using plain–text variant session key | |
Thwe et al. | Prevention of Man-In-The-Middle Attack in Diffie-Hellman Key Exchange Algorithm using Proposed Hash Function | |
KR20150103394A (en) | Cryptography system and cryptographic communication method thereof | |
Rani et al. | Security against timing analysis attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment |
Payment date: 20190923 Year of fee payment: 4 |