KR20170025523A - Method of encrypting with lea applying mask and shuffling scheme - Google Patents
- Publication number
- KR20170025523A
- Authority
- KR
- South Korea
- Prior art keywords
- masking
- round
- lea
- arithmetic
- shuffling
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
Description
The present invention relates to an encryption method using an LEA with masking and shuffling, and more particularly, to a method for encrypting a round function and a key schedule function of an LEA algorithm by applying a masking technique and a shuffling technique.
Recently, the development of the Internet of Things (IoT) has increased the need for lightweight and fast encryption algorithms. The LEA (Lightweight Encryption Algorithm), developed by the National Institute of Security Research in 2012, is a high-speed encryption algorithm suitable for the Internet of Things. LEA is a 128-bit block cipher that supports 128-, 192-, and 256-bit key lengths and allows high-speed, lightweight, low-power implementations on 32-bit platforms.
In addition, the LEA algorithm eliminates the S-Box structure used in encryption algorithms such as AES (Advanced Encryption Standard), DES (Data Encryption Standard), and ARIA (Academy, Research Institute, Agency), and instead uses an ARX (Addition, Rotation, XOR) structure. It can therefore operate at a higher speed than conventional encryption algorithms that use an S-Box.
In terms of security, it is secure against the latest algebraic attack methods such as Differential Cryptanalysis (DC) and Linear Cryptanalysis (LC).
However, even if security is verified mathematically, information leakage that the designer did not consider may occur at the implementation stage.
The side-channel attack, first proposed by Kocher in 1999, is an attack technique that can recover the value of a secret key through such leaked information. Since various side-channel attacks have been introduced, cryptographic designers must make cryptographic algorithms secure against side-channel attacks as well as mathematically secure.
SUMMARY OF THE INVENTION It is an object of the present invention to provide an encryption method using LEA in which masking is introduced into the LEA algorithm to ensure the side-channel security of the encryption system.
Another object of the present invention is to provide an LEA key scheduling masking method that is secure against attacks on key scheduling, and a shuffling technique for LEA round operations.
According to an aspect of the present invention, there is provided an encryption method for a round function of the LEA encryption algorithm, the method comprising: generating four random numbers in the round function of the LEA encryption algorithm and performing Boolean masking by applying the random numbers to four round state values; performing an exclusive-OR (XOR) operation between a round key to which Boolean masking is applied and a round state value to which Boolean masking is applied, and converting the result of the XOR operation from Boolean masking to arithmetic masking; performing an addition operation between two adjacent XOR results among the converted results, and converting the addition result from arithmetic masking to Boolean masking; and correcting the addition result converted into Boolean masking with the masking value of the next round, shifting the corrected addition result, and storing it in the next round state value.
The encryption method using the LEA to which masking and shuffling are applied according to the present invention is characterized in that, for the initially generated four random numbers, only the position to which each random number is applied is shifted, and the random numbers remain the same as the initially generated four random numbers until the rounds end.
In the encrypting method using LEA to which masking and shuffling are applied according to the present invention, the round function using the LEA includes a step of applying shuffling to two start rounds and two final rounds.
In the encrypting method using the LEA using masking and shuffling according to the present invention, the step of applying the shuffling may include adding the shuffling to the addition operation performed in the addition round No. 6 and the
The present invention also provides an encryption method for a key schedule function of the LEA encryption algorithm, the method comprising: generating a random number in the key schedule function of the LEA encryption algorithm; applying arithmetic masking to an internal state variable using the random number; and converting the result of the addition operation into Boolean masking and using the converted value as a round key.
In the encryption method using the LEA to which masking and shuffling are applied according to the present invention, the result converted into Boolean masking is converted into arithmetic masking, after being used as the round key, in order to update the internal state variable.
According to the encryption method using the LEA to which masking and shuffling are applied, masking is introduced into the LEA algorithm, which ensures the side-channel security of the encryption system.
Also, it is possible to provide an LEA key scheduling masking method that is secure against attacks on key scheduling, and a shuffling method for LEA round operations.
FIG. 1 is a diagram showing the LEA round function.
FIG. 2 is a diagram showing an LEA-128 encryption key schedule function.
FIG. 3 is a diagram showing the B2A algorithm.
FIG. 4 is a diagram showing the A2B algorithm.
FIG. 5 is a flowchart illustrating a method of applying a masking and shuffling scheme to a round function of an LEA according to a preferred embodiment of the present invention.
FIG. 6 is a diagram showing a method of encrypting the round function of the present invention using masking.
FIG. 7 is a diagram showing a method of decrypting the round function of the present invention using masking.
FIG. 8 is a diagram showing a first-order masking addition / subtraction algorithm for the round function of the present invention.
FIG. 9 is a diagram showing a method of encrypting a round function of the present invention by applying shuffling.
FIG. 10 is a diagram showing the 61 stored cases among the random orders of the shuffling applied to the round function of the present invention.
FIG. 11 is a flowchart illustrating a method of applying a masking scheme to a key schedule function of an LEA according to an embodiment of the present invention.
FIG. 12 is a diagram showing a method of encrypting a key schedule function of the present invention using masking.
BRIEF DESCRIPTION OF THE DRAWINGS The present invention may be embodied in many different forms and with various embodiments, and particular implementations thereof are shown by way of example in the drawings and will herein be described in detail. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.
Before describing the present invention, the encryption algorithms will be described. First, the Lightweight Encryption Algorithm (LEA) is a block cipher algorithm that encrypts 128-bit data blocks. The LEA round function consists of only 32-bit ARX operations as shown in FIG. 1, and operates at a high speed on a 32-bit software platform supporting these operations.
Here, in the notation of the round function, X_i[0 ~ 3] denotes the state values of the i-th round, RK[0 ~ 5] denotes the round key, ROR_i denotes a cyclic bit shift to the right by i positions, and ROL_i denotes a cyclic bit shift to the left by i positions. In addition, the arrangement of ARX operations inside the round function ensures sufficient security, and at the same time makes a lightweight implementation possible by excluding the use of the S-box.
The encryption key schedule function of the LEA is shown in FIG. 2. Referring to FIG. 2, the LEA round function requires a 192-bit encryption round key. The key schedule function updates four 32-bit internal state variables T, Key. The constants δ used in the schedule function are shown in Table 1.
Next, the masking method will be described as an effective countermeasure against differential power analysis (DPA), which is one of the side-channel attacks.
The masking technique can be broadly divided into Boolean masking and arithmetic masking. In Boolean masking, intermediate values are hidden by an exclusive OR (XOR). In arithmetic masking, intermediate values are hidden by an arithmetic operation such as addition, subtraction, or multiplication.
This masking technique can be applied to the LEA algorithm. Specifically, the LEA algorithm is composed of Boolean operations, namely rotation and XOR, and an arithmetic operation, namely addition, so a conversion algorithm between the two kinds of masking is required when the masking technique is applied to both the Boolean operations and the arithmetic operation.
The conversion algorithms are the B2A algorithm, which converts from Boolean masking to arithmetic masking, and the A2B algorithm, which converts from arithmetic masking to Boolean masking.
First, the B2A algorithm, which converts from Boolean masking to arithmetic masking, can convert a Boolean-masked value of arbitrary bit size into arithmetic masking by performing only additional operations, as shown in FIG. 3.
Next, the A2B algorithm, which converts from arithmetic masking to Boolean masking, is based on a ripple-carry adder as shown in FIG. 4, and the A2B conversion of an upper bit requires the carry generated in the lower bits.
The encryption algorithm has been described above in the present invention. Hereinafter, the present invention will be described with reference to the drawings.
FIG. 5 is a flowchart illustrating a method of applying a masking and shuffling scheme to a round function of an LEA according to a preferred embodiment of the present invention. Referring to FIG. 5, first, four random numbers are generated in the round function of the LEA, and the generated random numbers are applied to the four round state values to perform masking (S10). Here, the four random numbers m[i ~ i+3] are 32-bit random numbers, and Boolean masking is performed by XORing them with the round state values X_i[0 ~ 3], which are the input values.
Next, the round keys to which Boolean masking is applied using the four random numbers are XORed with the round state values to which Boolean masking is applied, and the result of the XOR operation is converted from Boolean masking to arithmetic masking (S20). Here, there are six Boolean-masked round keys in total, and the conversion from Boolean masking to arithmetic masking uses the B2A algorithm described in FIG. 3.
Next, an addition operation is performed between two adjacent XOR results among the six XOR results converted into arithmetic masking, and the result of the addition operation is converted from arithmetic masking to Boolean masking (S30). Here, the six XOR results converted into arithmetic masking are added in adjacent pairs. Therefore, the addition operation outputs three addition results.
Next, the addition result converted to Boolean masking is corrected using the ReMask function, which applies the masking value of the next round, and the corrected addition result is shifted and stored in the next round state value (S40). Here, the ReMask value is based on the random number value of the next round. Each time one round proceeds, the positions of the four masking random numbers are shifted by one. Therefore, the mask value that was changed by the addition operation and the conversion to Boolean masking is converted back into a random number value.
In this case, if random number values are used continuously, it is difficult for the system to which the algorithm is applied to operate normally, and it is difficult for the user to keep track of the masks and remove the masking after the rounds end. Therefore, the four random numbers are only shifted in position after they are first generated, and their values do not change during the whole set of rounds.
The above-described steps can be confirmed in detail with reference to FIG. 6. FIG. 6 is a diagram showing a method of encrypting the round function of the present invention by using masking, in which the input values, calculated values, shift positions, and so on of each step are given as specific expressions.
Referring to FIG. 6, it can be seen that the round function is masked by using four random numbers for the four round state values. It can also be seen that the six round keys are masked using the random numbers.
Here, the part denoted by MA is a process that converts two Boolean-masked inputs into arithmetic masking, adds the two converted inputs, and then converts the sum back into Boolean masking. This can be expressed as the algorithm shown in FIG. 8.
That is, the algorithm described in FIG. 8 converts its inputs using the B2A conversion algorithm described in FIG. 3, performs the addition operation, and then converts the result using the A2B conversion algorithm described in FIG. 4.
Thereafter, the masking value, which was changed in the Boolean-masked state, is corrected to the masking value of the next round by using the ReMask function. This is described below with an example.
Taking X_i[2] and X_i[3] in FIG. 6 as an example, the input of the MA algorithm is X_i[3] ⊕ m[i+3]. The result calculated in Fig. is (X_i[2] + X_i[3]) ⊕ (m[i+2] + m[i+3]). If this intermediate value passes through the ROR_3 function, it becomes ROR_3(X_i[2] + X_i[3]) ⊕ ROR_3(m[i+2] + m[i+3]). Now ROR_3(m[i+2] + m[i+3]) ⊕ m[i+3] is applied. Note that the secret value (X_i[2] + X_i[3]) is not exposed in the intermediate operation m[i+3] ⊕ ROR_3(m[i+2] + m[i+3]).
As described above, a method of encrypting the round function by applying masking has been described with reference to FIG. 6. Here, the encrypted round function is decrypted as shown in FIG. 7.
FIG. 7 is a diagram showing a method of decrypting the round function of the present invention by using masking. In FIG. 7, in the reverse order of the method described with reference to FIG. 6, the ReMask function is applied to the Boolean-masked round state values, the Boolean masking is converted into arithmetic masking, a subtraction operation is performed instead of an addition operation, and the arithmetic masking is converted back into Boolean masking. The XOR operation with the round key that follows is performed as in FIG. 6, and a detailed description thereof is omitted.
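The masked round described above (S10 to S40, with the MA and ReMask steps) is shown here as an added C example; it is not code from the patent. Assumptions: the B2A and A2B routines are Goubin's published first-order conversions standing in for the algorithms of FIGS. 3 and 4, the ROL 9 and ROR 5 rotations are taken from the LEA specification, the round keys are left unmasked and filled with constructed values, and a xorshift generator stands in for a real random source.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t rol(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ror(uint32_t v, int n) { return (v >> n) | (v << (32 - n)); }

/* Stand-in random source (xorshift32) so the run is reproducible.
 * Assumption for this example only; a real device needs a proper RNG. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rnd32(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* B2A (Goubin): input xb = x ^ r, output x - r. x itself is never formed. */
static uint32_t b2a(uint32_t xb, uint32_t r) {
    uint32_t g = rnd32();
    uint32_t t = ((xb ^ g) - g) ^ xb;
    g ^= r;
    return ((xb ^ g) - g) ^ t;
}

/* A2B (Goubin): input a = x - r, output x ^ r. The loop is the masked carry
 * recurrence of a ripple-carry adder, one bit position per iteration. */
static uint32_t a2b(uint32_t a, uint32_t r) {
    uint32_t g = rnd32(), t = g << 1;
    uint32_t w = g & (g ^ r);
    uint32_t xb = t ^ a;
    w ^= (g ^ xb) & r;
    w ^= t & a;
    for (int k = 1; k < 32; k++)
        t = ((t & r) ^ w ^ (t & a)) << 1;
    return xb ^ t;
}

/* MA: inputs x ^ mx and y ^ my, output (x + y) ^ (mx + my). */
static uint32_t ma(uint32_t xb, uint32_t mx, uint32_t yb, uint32_t my) {
    uint32_t s = b2a(xb, mx) + b2a(yb, my);   /* (x + y) - (mx + my) */
    return a2b(s, mx + my);
}

/* One masked round. On entry x[j] = X_i[j] ^ m[(i+j) mod 4]; on return
 * x[j] = X_{i+1}[j] ^ m[(i+1+j) mod 4]. Round keys are unmasked here. */
static void masked_round(uint32_t x[4], const uint32_t m[4],
                         const uint32_t rk[6], unsigned i) {
    uint32_t m0 = m[i & 3], m1 = m[(i + 1) & 3];
    uint32_t m2 = m[(i + 2) & 3], m3 = m[(i + 3) & 3];
    uint32_t s0 = ma(x[0] ^ rk[0], m0, x[1] ^ rk[1], m1);
    uint32_t s1 = ma(x[1] ^ rk[2], m1, x[2] ^ rk[3], m2);
    uint32_t s2 = ma(x[2] ^ rk[4], m2, x[3] ^ rk[5], m3);
    uint32_t carry_over = x[0];
    /* ReMask: each correction word is built from masks only. */
    x[0] = rol(s0, 9) ^ (rol(m0 + m1, 9) ^ m1);
    x[1] = ror(s1, 5) ^ (ror(m1 + m2, 5) ^ m2);
    x[2] = ror(s2, 3) ^ (ror(m2 + m3, 3) ^ m3);
    x[3] = carry_over;   /* still masked with m[i], the mask due at position 3 */
}

/* Unmasked LEA round, used as the reference. */
static void plain_round(uint32_t x[4], const uint32_t rk[6]) {
    uint32_t t0 = rol((x[0] ^ rk[0]) + (x[1] ^ rk[1]), 9);
    uint32_t t1 = ror((x[1] ^ rk[2]) + (x[2] ^ rk[3]), 5);
    uint32_t t2 = ror((x[2] ^ rk[4]) + (x[3] ^ rk[5]), 3);
    x[3] = x[0]; x[0] = t0; x[1] = t1; x[2] = t2;
}

/* Runs both versions on constructed data; returns 1 when they agree. */
int masked_matches_plain(unsigned rounds) {
    uint32_t p[4] = {0x13121110u, 0x17161514u, 0x1b1a1918u, 0x1f1e1d1cu};
    uint32_t m[4], x[4], rk[6];
    for (int j = 0; j < 4; j++) { m[j] = rnd32(); x[j] = p[j] ^ m[j]; }  /* S10 */
    for (unsigned i = 0; i < rounds; i++) {
        for (int j = 0; j < 6; j++) rk[j] = rnd32();   /* constructed keys */
        masked_round(x, m, rk, i);
        plain_round(p, rk);
    }
    for (unsigned j = 0; j < 4; j++)
        if ((x[j] ^ m[(rounds + j) & 3]) != p[j]) return 0;
    return 1;
}

int main(void) {
    printf("24 masked rounds match the reference: %d\n", masked_matches_plain(24));
    return 0;
}
```

The four mask values never change; only the index offset `i` moves, which is why `x[3]` needs no correction and the final unmasking uses `m[(rounds + j) mod 4]`.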
Thus, a method of encrypting a round function using a masking technique has been described. Now let's go back to Figure 5 and show how to use shuffling in the round function.
In the round function, after step S40, shuffling is applied to the two start rounds, namely the first and second rounds, and to the two last rounds, namely the round before the last round and the final round (S50). Here, a method of applying the shuffling technique will be described with reference to FIG. 9.
FIG. 9 is a diagram showing a method of encrypting a round function of the present invention by applying shuffling. Referring to FIG. 9, six addition operations are performed in two connected rounds. Without shuffling, the operations are performed in the order 1, 2, 3, 4, 5, 6 or 3, 2, 1, 6, 5, If this sequence of operations is rearranged in a random order, the side-channel attacker cannot correctly carry out the point matching process necessary for the attack, and as a result the side-channel attack is likely to fail. However, due to the characteristics of the LEA algorithm, the algorithm may not operate correctly with a completely random order of operations.
For example, if
Thus, shuffling is applied to the round operations over two connected rounds: the two start rounds and the two last rounds.
In the above, a method of encrypting the round function of the LEA using the masking and shuffling techniques has been described. Next, a method of encrypting the key schedule function of the LEA using the masking technique will be described with reference to FIGS. 11 to 12.
FIG. 11 is a flowchart illustrating a method of applying a masking scheme to a key schedule function of an LEA according to an embodiment of the present invention. FIG. 12 is a diagram illustrating a method of encrypting a key schedule function of the present invention using masking. Referring to FIG. 11, first, a random number is generated in the key schedule function of the LEA, and arithmetic masking is applied to the internal state variable using the generated random number (S110). In the case of the 128-bit LEA key scheduling function, the round key is generated by updating four 32-bit internal state variables T[k] (k = {0, 1, 2, 3}).
Next, the key scheduling constant to which arithmetic masking is applied is added to the internal state variable (S120). Here, the initial internal state variable is arithmetic-masked with -M_k.
Next, the result of the addition operation is converted into Boolean masking, and the converted result is used as a round key (S130). That is, the arithmetic-masked internal state variable and the key scheduling constant are added, and the result is converted into the Boolean-masked state so that the round key is used in the Boolean-masked state.
Finally, after being used as the round key, the value is converted into arithmetic masking to update the internal state variable (S140). That is, the value that was converted into Boolean masking for use as a round key is converted back into arithmetic masking and then written to the internal state variable.
As described above, a method of masking the internal state variables and performing the addition operations has been described. A more specific method will be described with reference to FIG. 12.
FIG. 12 is a diagram showing a method of encrypting a key schedule function of the present invention using masking. First, in the case of key scheduling, differential power analysis (DPA) is not considered, because only the power consumption of the fixed secret key is measured. Therefore, the focus is on hiding the Hamming weight of the secret key.
Referring to FIG. 12, the internal state variable T[k] is in an arithmetic masking state masked with -M_k, and is converted into the Boolean-masked state after the addition operation. At this time, the key scheduling constant δ is masked in the form -(ROR_j(M_k) - M_k) after the rotation operation in order to maintain the form of the masking.
Then, the Boolean-masked internal state variable is used as a round key, and it is converted into arithmetic masking to update the internal state variable. For the other three internal state variables, the masked round key can be obtained in the same way. The four round keys thus obtained can be used in the encryption method that applies the masking and shuffling techniques to the round function of the LEA.
The embodiments of the present invention described in the present specification and the configurations shown in the drawings relate to the most preferred embodiments of the present invention and are not intended to encompass all of the technical ideas of the present invention, so it should be understood that various equivalents and variations may be present. Therefore, it is to be understood that the present invention is not limited to the above-described embodiments, and that various modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims. Such changes shall be within the scope of the claims.
S10: Random number generation and round state value Boolean masking step
S20: Round key and round state value XOR operation and conversion of the result to arithmetic masking
S30: Addition operation and conversion of the result to Boolean masking
S40: Correction using the ReMask function and storage of the corrected result value
S50: Application of shuffling to two start rounds and two final rounds
S110: Random number generation and internal state variable arithmetic masking step
S120: Key scheduling constant and internal state variable addition operation step
S130: Conversion of the addition result to Boolean masking and use as round key
S140: Internal state variable arithmetic masking step
Claims (6)
Generating four random numbers and performing Boolean masking by applying the respective random numbers to the four round state values;
Performing an exclusive-OR (XOR) operation between a round key to which Boolean masking is applied using the four random numbers and a round state value to which Boolean masking is applied, and converting the result of the XOR operation from Boolean masking to arithmetic masking;
Performing an addition operation between two adjacent XOR results among the six XOR results converted into arithmetic masking, and converting the addition result from arithmetic masking to Boolean masking; and
Correcting the addition result converted to Boolean masking by using the masking value of the next round, and shifting the corrected addition result to store it in the next round state value; an encryption method using LEA to which masking and shuffling are applied.
The random numbers,
Wherein the initially generated four random numbers are shifted only in the position to which each random number is applied, and the random numbers remain the same as the initially generated random numbers until the rounds end; the encryption method using LEA to which masking and shuffling are applied.
The round function using the LEA includes:
Applying shuffling to two start rounds and two last rounds, wherein the shuffling is applied to the start rounds and the last rounds.
Wherein applying the shuffling comprises:
The six addition operations performed in the two start rounds and the six addition operations performed in the two last rounds are rearranged in a random order,
Wherein the addition operations are rearranged using an order randomly selected from the 61 stored cases.
Generating a random number and applying arithmetic masking to the internal state variable using the random number;
Adding the internal state variable to which arithmetic masking is applied and the key scheduling constant to which arithmetic masking is applied; and
Converting the result of the addition operation into Boolean masking and using the converted result as a round key; an encryption method using LEA to which masking and shuffling are applied.
The result value converted into Boolean masking,
Wherein the result value is converted into arithmetic masking for updating the internal state variable after use as the round key; the encryption method using LEA to which masking and shuffling are applied.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150122061A KR20170025523A (en) | 2015-08-28 | 2015-08-28 | Method of encrypting with lea applying mask and shuffling scheme |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150122061A KR20170025523A (en) | 2015-08-28 | 2015-08-28 | Method of encrypting with lea applying mask and shuffling scheme |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20170025523A (en) | 2017-03-08 |
Family
ID=58403770
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150122061A KR20170025523A (en) | 2015-08-28 | 2015-08-28 | Method of encrypting with lea applying mask and shuffling scheme |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20170025523A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20200067414A (en) * | 2018-12-04 | 2020-06-12 | 고려대학교 산학협력단 | Method of switching arithmetic to boolean masking, computer readable medium for performing the method |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20140072283A (en) | 2012-11-29 | 2014-06-13 | 한국전자통신연구원 | Method and apparatus of a masking countermeasure against side channel analysis |
-
2015
- 2015-08-28 KR KR1020150122061A patent/KR20170025523A/en not_active Application Discontinuation
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1989726B (en) | Method and device for executing cryptographic calculation | |
US9143325B2 (en) | Masking with shared random bits | |
CN108964872B (en) | Encryption method and device based on AES | |
US20170104586A1 (en) | Scrambled tweak mode of blockciphers for differential power analysis resistant encryption | |
US20110138182A1 (en) | Method for Generating a Cipher-based Message Authentication Code | |
US20150244518A1 (en) | Variable-length block cipher apparatus and method capable of format preserving encryption | |
US20130236005A1 (en) | Cryptographic processing apparatus | |
KR101586811B1 (en) | Apparatus and method for protecting side channel attacks on hight | |
US11153068B2 (en) | Encryption device, encryption method, decryption device and decryption method | |
CN111555862B (en) | White-box AES implementation method of random redundant round function based on mask protection | |
CN104639502B (en) | A kind of mask method and device of the anti-Attacks of SM4 algorithms | |
KR101623503B1 (en) | Apparatus and method for white-box cryptography implementation of LEA block cipher | |
Kumar et al. | Lightweight data security model for IoT applications: a dynamic key approach | |
CN104184579A (en) | Lightweight block cipher VH algorithm based on dual pseudo-random transformation | |
CN111314050B (en) | Encryption and decryption method and device | |
JP5612007B2 (en) | Encryption key generator | |
KR20190020988A (en) | Computer-executable lightweight white-box cryptographic method and apparatus thereof | |
Yan et al. | DBST: a lightweight block cipher based on dynamic S-box | |
Andreeva et al. | AES-COPA v. | |
Patranabis et al. | Using Tweaks To Design Fault Resistant Ciphers (Full Version) | |
KR20170025523A (en) | Method of encrypting with lea applying mask and shuffling scheme | |
CN109936437B (en) | power consumption attack resisting method based on d +1 order mask | |
CN107231229B (en) | Low-entropy mask leakage protection method for protecting SM4 password chip and implementation system thereof | |
Sharma et al. | On security of Hill cipher using finite fields | |
CN111314051B (en) | Encryption and decryption method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |