KR20140072283A - Method and apparatus of a masking countermeasure against side channel analysis - Google Patents


Info

Publication number
KR20140072283A
Authority
KR
South Korea
Prior art keywords
random number
masking
generating
random
generator
Prior art date
Application number
KR1020120137167A
Other languages
Korean (ko)
Inventor
최용제
최두호
조현숙
Original Assignee
한국전자통신연구원

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding
    • H04L2209/046 Masking or blinding of operations, operands or results of the operations

Abstract

The present invention relates to a masking method for preventing side-channel analysis, and more particularly to a masking method that generates a new random number for masking by using LFSR-based pseudo-random number generation logic, so that the random number generation time and the calculation time incurred by a conventional random number generator are reduced. In addition, the other necessary calculations can be performed using one random number, so that the memory for storing random numbers and the complex logic required for the masking calculation are reduced. Therefore, higher-order side-channel analysis can be prevented while random number generation and cryptographic calculation are performed efficiently.

Description

[0001] METHOD AND APPARATUS FOR A MASKING COUNTERMEASURE AGAINST SIDE CHANNEL ANALYSIS

The present invention relates to a side-channel analysis prevention masking method, and more particularly to a method and apparatus that generate a new random number using LFSR-based pseudo-random number generation logic, so that the random number generation time and calculation time of a conventional random number generator are reduced, the remaining necessary operations can be performed using one random number, random number generation and cryptographic operation are carried out efficiently, and higher-order side-channel analysis is prevented.

Generally, the masking technique is the typical method for preventing side-channel analysis of a cryptographic algorithm. As shown in FIG. 1, masking (S100) is performed on an input value m with a random number, the masked value is processed by an operation modified appropriately for masked data (S102), and the result is unmasked again (S104) to obtain the normal cryptographic operation value.

Side-channel analysis is a technique for extracting keys from additional information, such as power consumption and electromagnetic emanation, in which the operation of the cryptographic algorithm appears. When masking is performed with a random number as described above, the internal calculation values of the cryptographic operation cannot be inferred, so the analysis cannot be carried out.

This masking technique is a very powerful side-channel analysis prevention technique. However, in order to ensure safety, the randomness of the random number generation logic must be guaranteed, and to prevent higher-order side-channel analysis, the masking operation must be performed with a new random value for each round operation.

However, in most systems, generating a random number with good randomness requires a computation time longer than the cryptographic computation itself as well as additional logic, and masking with such random values increases the complexity of the cryptographic computation logic.

Korean Registered Patent No. 10-0737171, published Jul. 03, 2007, discloses a low-memory masking method against power analysis attacks on ARIA.

Therefore, the present invention generates the remaining random numbers from the random number for masking by using LFSR-based pseudo-random number generation logic, thereby reducing the random number generation time and the arithmetic time of a conventional random number generator, and provides a side-channel analysis prevention masking method and apparatus capable of efficiently performing random number generation and cryptographic operation while preventing higher-order side-channel analysis.

The present invention is a side-channel analysis prevention masking method using pseudo-random generation logic. The method includes generating a first random number of a predetermined number of bits using a random generator and generating the remaining random numbers through a pseudo-random generator to form a first group random number; generating a second random number of a predetermined number of bits using the random generator and generating the remaining random numbers through the pseudo-random generator to form a second group random number; masking the input data using the first group random number; performing encryption on the masked data using the second group random number; and, after the encryption, unmasking the second group random number using the second random number.

The present invention generates a new random number using LFSR-based pseudo-random number generation logic, in particular for the random number used for masking, and therefore has the advantage of reducing the random number generation time and the calculation time compared with a conventional random number generator.

In addition, the remaining necessary operations can be performed using one random number, which reduces the memory for storing random numbers and the complex logic required for the masking operation, so that random number generation and cryptographic operation are performed efficiently while higher-order side-channel analysis is prevented.

FIG. 1 is a conceptual diagram of a cryptographic operation for preventing side-channel analysis;
FIG. 2 is a block diagram of a masking apparatus using a random number in a cryptographic algorithm using a conventional S-box;
FIGS. 3A and 3B are conceptual diagrams of a random number generator capable of reducing the random number generation time according to an embodiment of the present invention;
FIG. 4 is a block diagram of a side-channel analysis prevention masking apparatus using pseudo-random number generation logic according to an embodiment of the present invention.

Hereinafter, the operation principle of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions of the present invention, and may be changed according to the intentions or customs of the user, the operator, and the like. Therefore, the definition should be based on the contents throughout this specification.

FIG. 2 is a schematic block diagram of a masking device using a random number in a cryptographic algorithm that uses an S-box, such as the conventional AES or ARIA. A random number is needed in order to perform each round operation of the normal cryptographic operation.

First, the first group of random numbers RND0 to RND15 and the second group of random numbers RND0' to RND15' shown in FIG. 2 are the random numbers for the masking operation. The random number RND is the value that masks the initial data (data0 to data15) and the keys (key0 to key15) of the round operation: the XOR units 200 and 250 XOR the random number with the data and with the key, respectively, masking both values.

In the encryption units 202 and 252 using the S-box, both random numbers (RND0 and RND0') are input to the S-box operation, which removes the first group random number RND0 and outputs an S-box operation value masked with the new second group random number RND0'.

Subsequently, the S-box operation value masked with the second group random number RND' (RND0', ..., RND15') is processed by the operation unit 254. The subsequent operation performed by the operation unit 254 may be, for example, a ShiftRow, MixColumn, or Diffusion operation.

At this time, in order to remove the mask RND' that has passed through the post-S-box operation unit 254, an operation unit 254', implemented in the same manner as the operation unit 254, separately performs the ShiftRow/MixColumn/Diffusion operation on RND', and the XOR unit 260 XORs the result with the output to unmask it.

However, in the conventional masking apparatus, the random numbers RND0, RND1, ..., RND15 and RND0', RND1', ..., RND15' must all differ from each other in order to prevent higher-order side-channel analysis, and the above operation is performed with them. It is not easy to generate random numbers of the full data length to satisfy this condition, and doing so takes a lot of calculation time. In addition, the same ShiftRow/MixColumn/Diffusion operation is required again to unmask the RND' value.

Therefore, it is necessary to implement a masking device capable of efficiently performing random number generation and cryptographic operation while preventing higher-order side-channel analysis.

FIGS. 3A and 3B illustrate examples of a random number generator proposed to reduce a random number generation time according to an embodiment of the present invention.

Referring to FIG. 3A, in the present invention a random number generator 300 generates a random number of a small number of bits, such as 8 to 16 bits, and the remaining random values are generated from it by an LFSR-based pseudo-random number generator 302. An LFSR ordinarily performs a reduction operation by a minimal polynomial while shifting the bits one bit at a time; here, in order to minimize the similarity with RND0, the LFSR shifts n bits at a time and then performs the reduction operation. Such an implementation can be realized simply as a formula, which prevents higher-order side-channel analysis. In addition, the random number generator logic and the computation time for extracting the necessary number of bits can be reduced remarkably.

Referring to FIG. 3B, RND0 'value is generated through the random number generator 350, and then RND1' to RND15 'are generated for the RND' for masking the S- Is generated in the pseudo random number generator (352).

In this case, since the values of RND1 'to RND15' are values generated by calculation from RND0 ', operations can be performed with simpler logic without having to perform operations such as ShiftRow / MixColumn / Diffusion with RND'. In other words, in unmasking RND ', all values of RND0' to RND15 'are not required and similar operations such as ShiftRow / MixColumn / Diffusion are performed through the similar operation unit 404 with only RND0' Masking can be performed. This is because the random number of RND1'-RND15 'is a random number generated through the operation of the formula using RND0'.

FIG. 4 is a block diagram of a side-channel analysis prevention masking apparatus according to an embodiment of the present invention, which efficiently performs random number generation and cryptographic operation and prevents higher-order side-channel analysis.

The side-channel analysis prevention masking apparatus of the present invention shown in FIG. 4 applies the concept of the random number generators 300 and 350 of FIGS. 3A and 3B. After the S-box calculation through the encryption units 402 and 452, unmasking of RND' is performed by inputting only the RND0' value to the similar operation unit 404.

Accordingly, the memory for storing the random number can be reduced, and the area of the masking device can be reduced, so that the complex logic of the masking device can be relatively simplified.

As described above, according to the present invention, the random number for masking in the side-channel analysis prevention masking method is generated by LFSR-based pseudo-random number generation logic, so that the random number generation time and the computation time of a conventional random number generator are reduced. In addition, the remaining necessary operations can be performed using one random number, which reduces the memory for storing random numbers and the complex logic required for the masking operation, so that random number generation and cryptographic operation are performed efficiently while higher-order side-channel analysis is prevented.

While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention. Accordingly, the scope of the invention should not be limited by the described embodiments but should be defined by the appended claims.

300: random number generator, 302: pseudo random number generator
400, 450: XOR unit, 402, 452: encryption unit
404: similar operation unit, 454:

Claims (1)

A side-channel analysis masking method comprising:
generating a first random number of predetermined bits using a random generator and generating the remaining random numbers through a pseudo-random generator to generate a first group random number;
generating a second random number of predetermined bits using the random generator and generating the remaining random numbers through the pseudo-random generator to generate a second group random number;
masking the input data using the first group random number;
performing encryption on the masked data using the second group random number; and
performing unmasking of the second group random number using the second random number after the encrypting step.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020120137167A KR20140072283A (en) 2012-11-29 2012-11-29 Method and apparatus of a masking countermeasure against side channel analysis


Publications (1)

Publication Number Publication Date
KR20140072283A true KR20140072283A (en) 2014-06-13

Family

ID=51126153

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020120137167A KR20140072283A (en) 2012-11-29 2012-11-29 Method and apparatus of a masking countermeasure against side channel analysis

Country Status (1)

Country Link
KR (1) KR20140072283A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20170025523A (en) 2015-08-28 2017-03-08 고려대학교 산학협력단 Method of encrypting with lea applying mask and shuffling scheme
KR101981621B1 (en) 2017-12-11 2019-08-28 국민대학교산학협력단 System and Method for Key bit Parameter Randomizating of public key cryptography


Similar Documents

Publication Publication Date Title
EP3154217B1 (en) Scrambled tweak mode of block ciphers for differential power analysis resistant encryption
CN105940439B (en) Countermeasure to side-channel attacks on cryptographic algorithms using permutation responses
CN101006677B (en) Method and device for carrying out a cryptographic calculation
US10142103B2 (en) Hardware assisted fast pseudorandom number generation
US9515820B2 (en) Protection against side channels
US9455833B2 (en) Behavioral fingerprint in a white-box implementation
KR102397579B1 (en) Method and apparatus for white-box cryptography for protecting against side channel analysis
EP3363142B1 (en) A cryptographic device and an encoding device
US8619985B2 (en) Table splitting for cryptographic processes
JP2013511057A (en) Low complexity electronics protected by customized masking
EP3477889B1 (en) Using white-box in a leakage-resilient primitive
Aldaya et al. AES T-Box tampering attack
US9729310B2 (en) Scrambled counter mode for differential power analysis resistant encryption
EP3891925B1 (en) A computation device using shared shares
US8958556B2 (en) Method of secure cryptographic calculation, in particular, against attacks of the DFA and unidirectional type, and corresponding component
CN109804596B (en) Programmable block cipher with masked input
KR20140072283A (en) Method and apparatus of a masking countermeasure against side channel analysis
JP6194136B2 (en) Pseudorandom number generation device and pseudorandom number generation program
EP2940917B1 (en) Behavioral fingerprint in a white-box implementation
JP6397921B2 (en) Operator lifting in cryptographic algorithms
JP2007334016A (en) Data enciphering device and method
CN106161000A (en) The method and system that data file is encrypted and decrypted
KR102404223B1 (en) Apparatus and method for encryption generating using key dependent layer, computer-readable storage medium and computer program
Shi et al. On security of a white-box implementation of SHARK
Serpa et al. A Secure White Box Implementation of AES Against First Order DCA

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination