US20190116022A1 - Encryption device and operation method thereof - Google Patents

Encryption device and operation method thereof Download PDF

Info

Publication number
US20190116022A1
US20190116022A1 US16/157,242 US201816157242A US2019116022A1 US 20190116022 A1 US20190116022 A1 US 20190116022A1 US 201816157242 A US201816157242 A US 201816157242A US 2019116022 A1 US2019116022 A1 US 2019116022A1
Authority
US
United States
Prior art keywords
round
virtual
sub
real
operations
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US16/157,242
Inventor
Jae-Hyeok Kim
Hong-Mook Choi
Ji-su Kang
Hyun-il Kim
Jong-Hoon Shin
Hye-Soo Lee
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from KR1020180027082A external-priority patent/KR102559583B1/en
Application filed by Samsung Electronics Co Ltd filed Critical Samsung Electronics Co Ltd
Assigned to SAMSUNG ELECTRONICS CO., LTD. reassignment SAMSUNG ELECTRONICS CO., LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHOI, HONG-MOOK, KANG, JI-SU, KIM, HYUN-IL, KIM, JAE-HYEOK, LEE, HYE-SOO, SHIN, JONG-HOON
Publication of US20190116022A1 publication Critical patent/US20190116022A1/en
Priority to US17/245,309 priority Critical patent/US20210284703A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/556Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
    • AHUMAN NECESSITIES
    • A61MEDICAL OR VETERINARY SCIENCE; HYGIENE
    • A61KPREPARATIONS FOR MEDICAL, DENTAL OR TOILETRY PURPOSES
    • A61K38/00Medicinal preparations containing peptides
    • A61K38/16Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof
    • A61K38/17Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans
    • A61K38/177Receptors; Cell surface antigens; Cell surface determinants
    • A61K38/1793Receptors; Cell surface antigens; Cell surface determinants for cytokines; for lymphokines; for interferons
    • AHUMAN NECESSITIES
    • A61MEDICAL OR VETERINARY SCIENCE; HYGIENE
    • A61KPREPARATIONS FOR MEDICAL, DENTAL OR TOILETRY PURPOSES
    • A61K39/00Medicinal preparations containing antigens or antibodies
    • A61K39/0005Vertebrate antigens
    • A61K39/0011Cancer antigens
    • CCHEMISTRY; METALLURGY
    • C07ORGANIC CHEMISTRY
    • C07KPEPTIDES
    • C07K14/00Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof
    • C07K14/435Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans
    • C07K14/46Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans from vertebrates
    • C07K14/47Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans from vertebrates from mammals
    • CCHEMISTRY; METALLURGY
    • C07ORGANIC CHEMISTRY
    • C07KPEPTIDES
    • C07K14/00Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof
    • C07K14/435Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans
    • C07K14/46Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans from vertebrates
    • C07K14/47Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans from vertebrates from mammals
    • C07K14/4701Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans from vertebrates from mammals not used
    • C07K14/4748Tumour specific antigens; Tumour rejection antigen precursors [TRAP], e.g. MAGE
    • CCHEMISTRY; METALLURGY
    • C07ORGANIC CHEMISTRY
    • C07KPEPTIDES
    • C07K14/00Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof
    • C07K14/435Peptides having more than 20 amino acids; Gastrins; Somatostatins; Melanotropins; Derivatives thereof from animals; from humans
    • C07K14/705Receptors; Cell surface antigens; Cell surface determinants
    • CCHEMISTRY; METALLURGY
    • C07ORGANIC CHEMISTRY
    • C07KPEPTIDES
    • C07K7/00Peptides having 5 to 20 amino acids in a fully defined sequence; Derivatives thereof
    • C07K7/04Linear peptides containing only normal peptide links
    • C07K7/06Linear peptides containing only normal peptide links having 5 to 11 amino acids
    • CCHEMISTRY; METALLURGY
    • C07ORGANIC CHEMISTRY
    • C07KPEPTIDES
    • C07K7/00Peptides having 5 to 20 amino acids in a fully defined sequence; Derivatives thereof
    • C07K7/04Linear peptides containing only normal peptide links
    • C07K7/08Linear peptides containing only normal peptide links having 12 to 20 amino acids
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01NINVESTIGATING OR ANALYSING MATERIALS BY DETERMINING THEIR CHEMICAL OR PHYSICAL PROPERTIES
    • G01N33/00Investigating or analysing materials by specific methods not covered by groups G01N1/00 - G01N31/00
    • G01N33/48Biological material, e.g. blood, urine; Haemocytometers
    • G01N33/50Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing
    • G01N33/5005Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing involving human or animal cells
    • G01N33/5008Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing involving human or animal cells for testing or evaluating the effect of chemical or biological compounds, e.g. drugs, cosmetics
    • G01N33/5044Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing involving human or animal cells for testing or evaluating the effect of chemical or biological compounds, e.g. drugs, cosmetics involving specific cell types
    • G01N33/5047Cells of the immune system
    • G01N33/505Cells of the immune system involving T-cells
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01NINVESTIGATING OR ANALYSING MATERIALS BY DETERMINING THEIR CHEMICAL OR PHYSICAL PROPERTIES
    • G01N33/00Investigating or analysing materials by specific methods not covered by groups G01N1/00 - G01N31/00
    • G01N33/48Biological material, e.g. blood, urine; Haemocytometers
    • G01N33/50Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing
    • G01N33/5005Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing involving human or animal cells
    • G01N33/5091Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing involving human or animal cells for testing the pathological state of an organism
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01NINVESTIGATING OR ANALYSING MATERIALS BY DETERMINING THEIR CHEMICAL OR PHYSICAL PROPERTIES
    • G01N33/00Investigating or analysing materials by specific methods not covered by groups G01N1/00 - G01N31/00
    • G01N33/48Biological material, e.g. blood, urine; Haemocytometers
    • G01N33/50Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing
    • G01N33/53Immunoassay; Biospecific binding assay; Materials therefor
    • G01N33/569Immunoassay; Biospecific binding assay; Materials therefor for microorganisms, e.g. protozoa, bacteria, viruses
    • G01N33/56966Animal cells
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01NINVESTIGATING OR ANALYSING MATERIALS BY DETERMINING THEIR CHEMICAL OR PHYSICAL PROPERTIES
    • G01N33/00Investigating or analysing materials by specific methods not covered by groups G01N1/00 - G01N31/00
    • G01N33/48Biological material, e.g. blood, urine; Haemocytometers
    • G01N33/50Chemical analysis of biological material, e.g. blood, urine; Testing involving biospecific ligand binding methods; Immunological testing
    • G01N33/53Immunoassay; Biospecific binding assay; Materials therefor
    • G01N33/569Immunoassay; Biospecific binding assay; Materials therefor for microorganisms, e.g. protozoa, bacteria, viruses
    • G01N33/56966Animal cells
    • G01N33/56972White blood cells
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • AHUMAN NECESSITIES
    • A61MEDICAL OR VETERINARY SCIENCE; HYGIENE
    • A61KPREPARATIONS FOR MEDICAL, DENTAL OR TOILETRY PURPOSES
    • A61K39/00Medicinal preparations containing antigens or antibodies
    • A61K2039/555Medicinal preparations containing antigens or antibodies characterised by a specific combination antigen/adjuvant
    • A61K2039/55511Organic adjuvants
    • A61K2039/55566Emulsions, e.g. Freund's adjuvant, MF59
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01NINVESTIGATING OR ANALYSING MATERIALS BY DETERMINING THEIR CHEMICAL OR PHYSICAL PROPERTIES
    • G01N2333/00Assays involving biological materials from specific organisms or of a specific nature
    • G01N2333/435Assays involving biological materials from specific organisms or of a specific nature from animals; from humans
    • G01N2333/52Assays involving cytokines
    • G01N2333/54Interleukins [IL]
    • G01N2333/5409IL-5
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01NINVESTIGATING OR ANALYSING MATERIALS BY DETERMINING THEIR CHEMICAL OR PHYSICAL PROPERTIES
    • G01N2333/00Assays involving biological materials from specific organisms or of a specific nature
    • G01N2333/435Assays involving biological materials from specific organisms or of a specific nature from animals; from humans
    • G01N2333/52Assays involving cytokines
    • G01N2333/555Interferons [IFN]
    • G01N2333/57IFN-gamma
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08Randomization, e.g. dummy operations or using noise
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24Key scheduling, i.e. generating round keys or sub-keys for block encryption

Definitions

  • Apparatuses, devices, and methods consistent with the present disclosure relate to an encryption device and a method of operating the same, and more particularly, to an encryption device for randomly performing a virtual operation and a method of operating the encryption device.
  • Smart cards and integrated circuit (IC) cards include security information of users.
  • encryption/decryption devices for encrypting and transmitting security information transmitted through signature and authorization.
  • One of the important factors to realize encryption/decryption devices is to apply a method of preventing side channel analysis (SCA).
  • SCA side channel analysis
  • a method of operating an encryption device for performing a real operation and a virtual operation including performing a virtual operation; when a real operation request signal is received, determining whether the virtual operation being performed is completed; and in response to the virtual operation being completed, performing a real operation in response to the real operation request signal.
  • a method of operating an encryption device for performing a virtual operation and a real operation each of which includes a plurality of round operations each including a plurality of sub-round operations classified into real sub-round operations and virtual sub-round operations, the method including initializing a count value and a random value regarding the plurality of sub-round operations and starting forming a round comprising a plurality of sub-round operations including one real sub-round operation and a plurality of virtual sub-round operations; deriving a count value by counting the sub-round operations; performing the one real sub-round operation when the count value is equal to the random value, and performing one of the plurality of virtual sub-round operations when the count value is different from the random value; and when the count value is equal to a reference count value, completing the round.
  • an encryption device for performing a virtual operation and a real operation each including a plurality of round operations each including a plurality of sub-round operations classified into real sub-round operations and virtual sub-round operations
  • the encryption device including: a first virtual operation register configured to store first dummy data and a first dummy encryption key on which the virtual sub-round operations are based; a second virtual operation register configured to store second dummy data and a second dummy encryption key on which the virtual sub-round operations are based; and a first multiplexer configured to receive a first output from the first virtual operation register and a second output from the second virtual operation register, select one of the first output or the second output based on a random bit, and output the one of the first output or the second output that is selected.
  • FIG. 1 is a block diagram of a device according to an example embodiment
  • FIG. 2 is a detailed block diagram of an encryption device according to an example embodiment
  • FIG. 3 is a flowchart of a method of operating an encryption device, according to an example embodiment
  • FIG. 4 is a flowchart of a method of operating an encryption device, according to an example embodiment
  • FIG. 5 is a timing diagram for explaining operations of an encryption device, according to an example embodiment
  • FIG. 6 is a diagram illustrating part of an encryption device for performing an encryption operation, according to an example embodiment
  • FIG. 7 is a flowchart of a round formation operation of an encryption device, according to an example embodiment
  • FIG. 8 is a diagram illustrating part of an encryption device for a round formation operation, according to an example embodiment
  • FIG. 9 is a table showing an example of options that may be set when a round formation operation is performed, according to an example embodiment
  • FIG. 10 is a conceptual view of an example in which multiple rounds are performed when the rounds are formed, according to an example embodiment
  • FIG. 11 is a flowchart of a method of operating an encryption device, according to an example embodiment
  • FIG. 12 is a table for explaining operation of an encryption device, according to an example embodiment
  • FIG. 13 is a diagram of part of an encryption device for performing an encryption operation, according to an example embodiment
  • FIG. 14 is a graph showing power waveforms according to operation of an encryption device, according to an example embodiment.
  • FIG. 15 is a block diagram of a memory card according to an example embodiment.
  • FIG. 1 is a block diagram of a device 1 according to an example embodiment.
  • the device 1 may include an encryption device 10 , a processor 20 , an interface (I/F) 30 , and a memory 40 .
  • the device 1 may transceive data DT with an external device.
  • the device 1 may transceive the data DT with a smart card, a memory card, or another device.
  • the processor 20 may transceive the data DT with one or more other devices located outside of the device 1 through the I/F 30 .
  • the processor 20 may perform tasks and may store task results in the memory 40 .
  • the processor 20 may include multiple cores.
  • the memory 40 may store various types of data for operation of the processor 20 .
  • the memory 40 may be embodied as, for example, Dynamic Random Access Memory (DRAM), Mobile DRAM, Static RAM (SRAM), Phase change RAM (PRAM), Ferroelectric RAM (FRAM), Resistive RAM (RRAM or ReRAM), and/or Magnetic RAM (MRAM).
  • DRAM Dynamic Random Access Memory
  • SRAM Static RAM
  • PRAM Phase change RAM
  • FRAM Ferroelectric RAM
  • RRAM or ReRAM Resistive RAM
  • MRAM Magnetic RAM
  • the encryption device 10 may perform encryption and/or decryption on the data DT received from outside of the device 1 .
  • the encryption device 10 may maintain the security of the data DT by performing an encryption operation based on an encryption algorithm.
  • the encryption algorithm may be, for example, an algorithm for generating data encrypted by using an encryption key.
  • the encryption algorithm may include various algorithms such as a Message-Digest algorithm (MD5), a Secure Hash Algorithm (SHA), Rivest Shamir Adleman (RSA), an Advanced Encryption Standard (AES), and a Data Encryption Standard (DES).
  • MD5 Message-Digest algorithm
  • SHA Secure Hash Algorithm
  • RSA Rivest Shamir Adleman
  • AES Advanced Encryption Standard
  • DES Data Encryption Standard
  • the encryption device 10 may perform a real operation for an encryption operation and a virtual operation irrelevant to the real operation.
  • the real operation and the virtual operation may include a real round operation and a virtual round operation, respectively.
  • the real operation and the virtual operation may be encryption/decryption operations including round operations (real round operations or virtual round operations).
  • one virtual round operation and one real round operation may each include sub-round operations.
  • the sub-round operations may be classified into real sub-round operations and virtual sub-round operations.
  • one round of the virtual operation and one round of the real operation may each include one real sub-round operation and a plurality of virtual sub-round operations of a first number. That is, one round of the virtual operation may include one real sub-round operation and a plurality of virtual sub-round operations of a first number, and one round of the real operation may include one real sub-round operation and a plurality of virtual sub-round operations of the first number.
  • an order of performing the real sub-round operation and the virtual sub-round operations in one round may be randomly changed.
  • a sum of the number of real sub-round operations and the number of virtual sub-round operations, both of which are included in one round may be 2 raised to a power. In other words, a value obtained by adding ‘1’ to the first number may be 2 raised to a power.
  • FIG. 2 is a detailed block diagram of an encryption device according to an example embodiment.
  • FIG. 2 may be a detailed block diagram of the encryption device 10 of FIG. 1 .
  • the encryption device 10 may include an encryption/decryption controller 110 , a key scheduler 120 , and a data function module 130 .
  • the encryption/decryption controller 110 may control overall operations of the encryption device 10 .
  • the encryption/decryption controller 110 may include a virtual operation (V-op) controller 112 and virtual operation (V_op) registers 114 .
  • the virtual operation controller 112 may control the number of virtual operations to be performed before the real operation is performed based on a delay number NUM_D indicating a number of delays that is received from the outside of the encryption device 10 .
  • the virtual operation controller 112 may control the data function module 130 in such a manner that the virtual operations are performed by as many as the delay number NUM_D and then the real operation is performed.
  • the delay number NUM_D may be a value that is received from a host (not illustrated) outside the encryption device 10 .
  • the virtual operation controller 112 may control the number of virtual operations to be performed before the real operation is performed, based on a random value R_NUM received from a random number generator located outside of the encryption device 10 .
  • the virtual operation registers 114 may each store a pair of data and an encryption key for a virtual sub-round operation.
  • each virtual operation register 114 may include a first virtual operation register and a second virtual operation register, and each of the first and second virtual operation registers may store a pair of dummy data and a dummy encryption key.
  • one of the first virtual operation register and the second virtual operation register may be selected.
  • One virtual sub-round operation may be performed based on the dummy data and the dummy encryption key which are stored in the selected one of the first virtual operation register and the second virtual operation register. That is, whenever virtual sub-round operations are performed, one of the first virtual operation register and the second virtual operation register may be selected.
  • the above description is merely an example, and the number of virtual operation registers 114 is not limited thereto.
  • the key scheduler 120 may process an encryption key for each sub-round operation.
  • the key scheduler 120 may receive an encryption key stored in a register and may perform a bit-shift operation on the encryption key received based on a rule that is set for each sub-round operation. The rule may be previously set.
  • the register for storing the encryption key may be the virtual operation register 114 , or a real operation register (not illustrated).
  • the key scheduler 120 may provide the processed encryption key to the data function module 130 . Also, the key scheduler 120 may update the processed encryption key to the register that provided the encryption key before processing the same.
  • the data function module 130 may perform an encryption operation on the data DT that is input based on the encryption key.
  • the data function module 130 may perform an encryption operation by performing, for example, a permutation whereby locations of bits of the data DT are mixed based on the encryption key.
  • the data function module 130 may perform the encryption operation by performing a substitution whereby the data is substituted with other mapped data, based on the encryption key.
  • the data function module 130 may update, to the register, the data DT on which the encryption operation is performed.
  • An operation performed by the data function module 130 may be determined as one of a real sub-round operation and a virtual sub-round operation, depending on the data DT and a type of the encryption key.
  • the encryption operation when the data function module 130 performs the encryption operation based on real data and a real encryption key, the encryption operation may be determined as a real sub-round operation.
  • the encryption operation when the data function module 130 performs the encryption operation based on the dummy data and the dummy encryption key, the encryption operation may be determined as a virtual sub-round operation.
  • the example embodiments are not limited thereto.
  • the encryption operation may be determined as a virtual sub-round operation.
  • the data function module 130 may not stop and may continue to perform the virtual operation, which was in the process of being performed when the real operation request signal was received, thereby completing the virtual operation. In other words, the data function module 130 may perform all round operations included in the virtual operation, which was in the process of being performed when the real operation request signal was received, thereby completing the round operations before performing the real operation requested by the real operation request signal.
  • FIG. 3 is a flowchart of a method of operating an encryption device, according to an example embodiment.
  • FIG. 3 may be a flowchart of operations of the encryption device 10 of FIG. 2 .
  • the flowchart of FIG. 3 will be described with reference to FIG. 2 .
  • the encryption device 10 may start performing a virtual operation.
  • a virtual operation in one unit may include plural round operations.
  • Each round operation may be, for example, either a real round operation or a virtual round operation.
  • the virtual operation may be performed by, for example, the data function module 130 .
  • the encryption device 10 may determine whether the real operation request signal is received. When the real operation request signal is not received (S 20 , NO), the encryption device 10 may continue to perform the virtual operation. For example, the encryption device 10 may complete the virtual operation currently being performed and may start performing a new virtual operation.
  • the encryption device 10 may determine whether the virtual operation that is currently being performed is completed. When it is determined that the virtual operation is not completed (S 30 , NO), the encryption device 10 may continue to perform a virtual round operation included in the virtual operation, in operation S 40 . Otherwise, when it is determined that the virtual operation is completed (S 30 , YES), the encryption device 10 may then start performing the real operation, in operation S 50 .
  • the encryption device 10 may not immediately perform the real operation and may continue to perform the virtual operation to complete the same, a real operation part is not specified despite a side channel attack on the encryption device 10 , for example, power waveform analysis of an attacker. That is, a real operation is not immediately started in response to the real operation request signal thus confusing a side channel attack on the encryption device 10 . Accordingly, the encryption device 10 may have an enhanced defense function with respect to the side channel attack.
  • FIG. 4 is a flowchart of a method of operating an encryption device, according to an example embodiment.
  • FIG. 4 may be a flowchart of operations of the encryption device 10 of FIG. 2 .
  • the descriptions already provided with reference to FIG. 3 will not be repeated herein.
  • the encryption device 10 may perform a virtual operation in operation S 110 and may determine whether a real operation request signal is received while the virtual operation is performed in operation S 120 . When the real operation request signal is not received (S 120 , NO), the encryption device 10 may continue to perform the virtual operation.
  • the encryption device 10 may receive a delay number NUM_D indicating a number of delays in operation S 130 .
  • the delay number NUM_D may be a value received from a host (not illustrated) outside the encryption device 10 , or may be a random value received from a random value generator (not illustrated) outside the encryption device 10 .
  • the random value may be generated by, for example, a Linear Feedback Shift Register (LFSR) or a Random Number Generator (RNG) outside the encryption device 10 .
  • LFSR Linear Feedback Shift Register
  • RNG Random Number Generator
  • the encryption device 10 may determine whether the virtual operation is completed, in operation S 140 . When it is determined that the virtual operation is not completed (S 140 , NO), the encryption device 10 may continue to perform a virtual round operation included in the virtual operation, in operation S 150 .
  • the encryption device 10 may repeatedly perform the virtual operation a number of times equal to the delay number NUM_D, in operation S 160 .
  • the delay number NUM_D indicating the number of delays is equal to N (where, N is a natural number equal to or greater than 1)
  • the encryption device 10 may perform virtual operations N ⁇ 1 times in addition to the virtual operation that was being performed when the real operation request signal was received.
  • the example embodiments are not limited thereto.
  • the encryption device 10 may perform virtual operations N times except the virtual operation that was being performed when the real operation request signal was received.
  • the delay number may include or not include the virtual operation that was being performed when the real operation request signal was received.
  • the encryption device 10 may control the number of times that the virtual operations are to be performed before the real operation is performed, in operation S 170 , based on the random value R_NUM received from the outside.
  • the encryption device 10 receives the real operation request signal in operation S 120 and then receives the delay number NUM_D indicating the number of delays in operation S 130 .
  • the example embodiments are not limited thereto. That is, the encryption device 10 may receive the delay number at any time, for example, while the virtual operation is being performed or before performing the virtual operation.
  • the real operation request signal is received, the real operation is not immediately performed, and after the virtual operations are further repeatedly performed by as many times as the delay number NUM_D, the real operation is performed.
  • a real operation part is not specified despite a side channel attack on the encryption device 10 .
  • the encryption device 10 may have an enhanced defense function with respect to the side channel attack.
  • FIG. 5 is a timing diagram for explaining each operation of an encryption device, according to an example embodiment.
  • FIG. 5 may be a timing diagram for explaining operations of the encryption device 10 of FIG. 2 .
  • the timing diagram of FIG. 5 will be described with reference to FIG. 2 .
  • a virtual operation request signal S_V_op may be activated at a first point in time t 1 .
  • the encryption device 10 may be reset, and the virtual operation request signal S_V_op may be activated.
  • the option of performing the virtual operation of the encryption device 10 is turned off, the option of performing the virtual operation of the encryption device 10 is turned on, and the virtual operation request signal S_V_op may be activated.
  • the virtual operation may be performed based on the activated virtual operation request signal S_V_op.
  • the encryption device 10 may receive the delay number NUM_D indicating the number of delays.
  • NUM_D the delay number NUM_D is equal to ‘4’, but this is merely an example for convenience of explanation, and the example embodiments are not limited thereto.
  • a first virtual operation ( ⁇ circle around (1) ⁇ ) and a second virtual operation ( ⁇ circle around (2) ⁇ ) may be performed in response to the virtual operation request signal S_V_op. While a third virtual operation ( ⁇ circle around (3) ⁇ ) is performed in response to the virtual operation request signal S_V_op, a real operation request signal S_R_op may be activated at a second point in time t 2 .
  • the encryption device 10 may not stop and may continue to perform the third virtual operation ( ⁇ circle around (3) ⁇ ) at the second point in time t 2 , thereby completing the third virtual operation ( ⁇ circle around (3) ⁇ ). That is, the encryption device 10 may perform all round operations included in the third virtual operation ( ⁇ circle around (3) ⁇ ) and may complete the third virtual operation ( ⁇ circle around (3) ⁇ ) by a third point in time t 3 .
  • the encryption device 10 may further perform virtual operations, e.g., a fourth virtual operation ( ⁇ circle around (4) ⁇ ), a fifth virtual operation ( ⁇ circle around (5) ⁇ ), and a sixth virtual operation ( ⁇ circle around (6) ⁇ ) shown in FIG. 5 , three times after the third point in time t 3 . That is, since the delay number NUM_D is equal to ‘4’ and the third virtual operation ( ⁇ circle around (3) ⁇ ) is completed by the third point in time t 3 after the real operation request signal S_R_op is activated, the encryption device 10 may further perform the other virtual operations (the fourth to sixth virtual operations ⁇ circle around (4) ⁇ to ⁇ circle around (6) ⁇ ) three times.
  • the encryption device 10 may not count a virtual operation, which is completed at the third point in time t 3 , and may further perform virtual operations four times.
  • Additional virtual operations may be completed by a fourth point in time t 4 , and a real operation may be performed.
  • the real operation may be performed from the fourth point in time t 4 to a fifth point in time t 5 , and the real operation request signal S_R_op may be inactivated at the fifth point in time t 5 .
  • FIG. 6 is a diagram illustrating part of an encryption device for performing an encryption operation, according to an example embodiment.
  • FIG. 6 may illustrate an example of a logic circuit structure for performing the operations of FIG. 4 .
  • the logic circuit structure of FIG. 6 may be included in the virtual operation controller 112 of FIG. 2 .
  • the encryption device 10 may include a logic circuit including a subtractor 210 , a first multiplexer 220 , a second multiplexer 230 , and a third multiplexer 240 , a delay counter 250 , and a comparator 260 so as to perform the operations of FIG. 4 .
  • the first multiplexer 220 may select, as an output value, a value input from the subtractor 210 or a value input from the delay counter 250 .
  • the comparator 260 determines that a counting value of the delay counter 250 is not equal to ‘0’
  • the first multiplexer 220 may select, as an output value, the value input from the subtractor 210 .
  • the second multiplexer 230 may select, as an output value, either the delay number or the value input from the first multiplexer 220 , in response to the real operation request signal S_R_op. For example, in a case in which the real operation request signal S_R_op is activated, the second multiplexer 230 may select the value input from the first multiplexer 220 as the output value.
  • the third multiplexer 240 may select, as an output value, a value input from the delay counter 250 or a value input from the second multiplexer 230 , in response to a last round signal.
  • the last round signal may be a signal activated during a last round operation included in either the virtual operation or the real operation.
  • the third multiplexer 240 may select the value input from the second multiplexer 230 as the output value.
  • the first multiplexer 220 may be set to select the value input from the subtractor 210 as the output value
  • the second multiplexer 230 may be set to select the value input from the first multiplexer 220 as the output value.
  • the third multiplexer 240 may be set to select the value input from the second multiplexer 230 as the output value, based on the last round signal.
  • the delay counter 250 may perform counting by subtracting ‘1’ each time from the delay number NUM_D.
  • the comparator 260 may determine whether the value output from the delay counter 250 is equal to 0, and when the value output from the delay counter 250 is equal to 0, a signal may be output to perform the real operation.
  • the third multiplexer 240 selects the output value based on whether the last round signal is activated, when the delay number NUM_D is equal to ‘0’, although the real operation request signal S_R_op is activated, the encryption device 10 may finish performing a last round operation of the virtual operation having been performed and then may perform a next real operation.
  • FIG. 7 is a flowchart of a round formation operation of an encryption device, according to an example embodiment.
  • FIG. 7 may be a flowchart of operations of the encryption device 10 of FIG. 2 .
  • the flowchart of FIG. 7 will be described with reference to FIG. 2 .
  • the encryption device 10 may initialize a counter and a random value and may start one round.
  • the counter may count sub-round operations that are sequentially performed.
  • the random value may be a value that becomes a basis of a point in time when a real sub-round operation is performed in one round.
  • the random value may be stored in a register.
  • the encryption device 10 may store, in the register, the random value R_NUM input from the outside of the encryption device 10 as an initialization value.
  • the encryption device 10 may count sub-round operations by using the counter and may derive a count value.
  • the encryption device 10 may determine whether the derived count value is equal to an initialized random value. For example, the comparator may compare the count value with the random value and determine whether the output count value is equal to the random value.
  • the encryption device 10 may perform a real sub-round operation, in operation S 240 . Otherwise, when the count value is different from the random value (S 230 , NO), the encryption device 10 may perform a virtual sub-round operation in operation S 250 .
  • a determination as to whether the derived count value is equal to a reference count value may be made.
  • the reference count value may be set in advance.
  • the reference count value may be a max count value.
  • the max count value may be, for example, the number of sub-round operations to be included in one round.
  • the max count value may be ‘a value obtained by subtracting 1 from 2 raised to a power’.
  • the comparator may compare the count value with the reference count value and determine whether the output count value is equal to the reference count value.
  • the encryption device 10 may complete one round. Otherwise, when the count value is different from the reference count value (S 260 , NO), the encryption device 10 may return to operation S 220 again.
  • FIG. 8 is a diagram illustrating part of an encryption device for a round formation operation, according to an example embodiment.
  • FIG. 8 may illustrate an example of a logic circuit structure for performing the operation of FIG. 7 .
  • the logic circuit structure of FIG. 8 may be included in the virtual operation controller 112 of FIG. 2 .
  • the encryption device 10 may include a logic circuit including an adder 310 , a first multiplexer 320 and a second multiplexer 330 , a counter 340 , a register 350 , and a first comparator 360 and a second comparator 370 for the round formation operation.
  • the counter 340 may count sub-round operations that are sequentially performed, and except that an initial value is input, the counter 340 may increase the number of counts by 1.
  • the counter 340 may perform initialization when a count value has a maximum value.
  • the maximum value may be 2′b1111_1111.
  • an initial value I_V 1 of the counter 340 may be a value obtained by subtracting, from the maximum value, the number of times that a real sub-round operation and a virtual sub-round operation included in one round are performed.
  • the second comparator 370 may compare a max count value with a count value of the counter 340 and may output a signal indicating that one round ends, based on whether two values, that is, the max count value and the count value, are equal to each other.
  • the first comparator 360 may compare the count value of the counter 340 with the random value stored in the register 350 . For example, when the count value of the counter 340 is equal to the random value stored in the register 350 , the first comparator 360 may output a real sub-round operation performance signal Sub_Real_on. Accordingly, a point in time when the read sub-round operation is performed in one round may be randomly determined.
  • FIG. 9 is a table showing examples of respective options that may be set during the round formation operation, according to an example embodiment.
  • FIG. 9 shows that the round formation operations described with reference to FIGS. 7 and 8 are performed based on 8 bits.
  • this is merely an example for convenience of explanation, and the example embodiments are not limited thereto.
  • the table of FIG. 9 will be described with reference to FIG. 8 .
  • the initial value I_V 1 of the counter 340 may be expressed as eight different bits.
  • the initial value I_V 2 of the random value which is input to the register 350 , may correspond to the initial value I_V 1 of the counter 340 and may be expressed as eight different bits.
  • ‘rand[ ]’ may be a random function.
  • each of the initial values I_V 1 and I_V 2 is written in a hardware technology language such as Verilog. However, this is merely an example for convenience of explanation, and the example embodiments are not limited thereto.
  • a ratio of performing real sub-round operations and virtual sub-round operations included in one round may be set as an option. For example, when a virtual sub-round operation option is given as n (where, n is an integer equal to or greater than 0), a sum of the number of real sub-round operations and the number of virtual sub-round operations may be set to be 2 n+1 . That is, when one real sub-round operation and virtual sub-round operations are performed in one round, and when the virtual sub-round operation option is given as n, the number of times that the virtual sub-round operations are performed may be set to be 2 n+1 ⁇ 1.
  • the encryption device 10 may set, as an option, a ratio of performing the real sub-round operation and the virtual sub-round operations included in one round, and thus may implement a round formation operation by using a simple logic in a binary register structure.
  • FIG. 10 is a conceptual view of an example of performing rounds when the rounds are formed, according to an example embodiment.
  • FIG. 10 illustrates an example of a result of the round formation operations of FIGS. 7 and 8 .
  • an encryption operation including five round operations is performed.
  • the encryption operation may be the real operation or the virtual operation described with reference to FIG. 5 .
  • FIG. 10 may illustrate that a real sub-round operation and virtual sub-round operations included in each round are performed at a ratio of 1:3. That is, in each of the five round operations, one real sub-round operation and three virtual sub-round operations may be randomly performed. In each round operation, points in time when the virtual sub-round operations are performed may be determined based on random bits included in the initial value I_V 2 . Accordingly, when the encryption operation is performed, randomness of the real sub-round operation may be secured, and the real sub-round operations may be evenly performed.
  • FIG. 11 is a flowchart of a method of operating an encryption device, according to an example embodiment.
  • FIG. 11 may be a flowchart of operations of the encryption device 10 of FIG. 2 .
  • the flowchart of FIG. 11 will be described with reference to FIG. 2 .
  • the encryption device 10 may receive random bits. For example, based on the random bits, one of the virtual operation registers 114 may be selected. In an example embodiment, the random bits may be included in the random value R_NUM received from the outside of the encryption device 10 .
  • the random bits may be generated by, for example, an LFSR or an RNG outside the encryption device 10 as discussed above.
  • the encryption device 10 may select one of the virtual operation registers 114 based on the random bits. For example, selection of one of the virtual operation registers 114 may be performed by a multiplexer operating based on the random bits.
  • each virtual operation register 114 may store a pair of the dummy data and the dummy encryption key for the virtual sub-round operations.
  • the encryption device 10 may perform one sub-round operation based on the dummy data and the dummy encryption key stored in the selected virtual operation register 114 .
  • FIG. 12 is a table for explaining operation of an encryption device, according to an example embodiment.
  • an encryption operation may be performed based on a pair of dummy data and a dummy encryption key, regardless of whether the sub-round operation is the virtual sub-round operation Virtual_sub_round or the real sub-round operation Real_sub_round.
  • the encryption operation may be performed based on a pair of the dummy data and a real encryption key or a pair of real data and the dummy encryption key.
  • the encryption operation in one real operation R_op, in the case of the virtual sub-round operation Virtual_sub_round, the encryption operation may be performed based on the pair of the dummy data and the dummy encryption key.
  • the encryption operation in the case of the virtual sub-round operation Virtual_sub_round, the encryption operation may be performed based on the pair of the dummy data and the real encryption key or the pair of the real data and the dummy encryption key.
  • the encryption operation in one real operation R_op, in the case of the real sub-round operation Real_sub_round, the encryption operation may be performed based on the pair of the real data and the real encryption key.
  • the encryption operation based on the real data and the real encryption key may be the real sub-round operation Real_sub_round in the real operation R_op.
  • FIG. 13 is a diagram of part of an encryption device for performing an encryption operation, according to an example embodiment.
  • FIG. 13 may illustrate an example of a logic circuit structure for implementing the operations of FIG. 11 .
  • the logic circuit structure of FIG. 13 may be included in the virtual operation registers 114 of FIG. 2 .
  • the encryption device 10 may include a logic circuit including a first virtual operation register 410 , a second virtual operation register 420 , a real operation register 430 , and a first multiplexer 440 and a second multiplexer 450 so as to implement the operations of FIG. 11 .
  • one or more embodiments are not limited thereto.
  • the first virtual operation register 410 may store first dummy data and a first dummy encryption key (Dummy Data/Key 1).
  • the second virtual operation register 420 may store second dummy data and a second dummy encryption key (Dummy Data/Key 2).
  • the first multiplexer 440 may receive a pair of the first dummy data and the first dummy encryption key from the first virtual operation register 410 and may receive a pair of the second dummy data and the second dummy encryption key from the second virtual operation register 420 .
  • the first multiplexer 440 may further receive random bits R B and may selectively receive one of the pair of the first dummy data and the first dummy encryption key and the pair of the second dummy data and the second dummy encryption key, based on the random bits R B.
  • the selection of the first multiplexer 440 may be performed in each virtual sub-round operation. Accordingly, even when the virtual sub-round operations are continuously performed, the encryption device 10 may randomly perform switching of registers for data/encryption keys.
  • the second multiplexer 450 may select one of an output from the first multiplexer 440 and an output (i.e. Real Data/Key) from the real operation register 430 and may output the selected output, in response to the real sub-round operation performance signal Sub_Real_on. Since the encryption device 10 according to an example embodiment may randomly perform the switching of the registers regardless of whether continuous sub-round operations are virtual sub-round operations or real sub-round operations, a real operation part is not specified despite a side channel attack, in particular, power waveform analysis. Accordingly, the encryption device 10 may have an enhanced defense function with respect to the side channel attack.
  • FIG. 14 is a graph showing power waveforms according to operations of an encryption device, according to an example embodiment.
  • the graph of FIG. 14 shows transition power between sub-round operations.
  • FIG. 14 may be a power waveform graph according to the operations of the encryption device of FIG. 11 .
  • FIG. 14 shows an example of a power waveform graph when a real sub-round operation and virtual sub-round operations are performed at a ratio of 1:3.
  • this is merely an example for convenience of explanation, and example embodiments are not limited thereto.
  • the virtual sub-round operations VR may be randomly selected, and thus, it may not be commonly inferred that a certain operation is performed before and after a portion where power waveforms are low. Also, as a ratio of the virtual sub-round operations VR is greater than a ratio of the real sub-round operations RR, the interference about locations of the real round operations may be effectively prevented.
  • FIG. 15 is a block diagram of a memory card 1000 according to an example embodiment.
  • the memory card 1000 may include a host interface 1010 , a memory controller 1020 , and a flash memory interface (Flash I/F) 1030 . Also, the memory controller 1020 may further include an encryption device 1022 according to an example embodiment.
  • the host interface 1010 may perform interfacing with a host 900 based on a card protocol so as to exchange various types of data between the host 900 and the memory card 1000 .
  • the memory card 1000 may be applied to a Multimedia Card (MMC), a Security Digital (SD) card, a mini SD card, a Memory Stick, smartmedia, a TransFlash card, or the like.
  • the memory controller 1020 may receive/transmit data from/to a flash memory (not illustrated) through the flash memory interface 1030 .
  • the flash memory may be a non-volatile memory, for example, a NAND flash memory.
  • the memory controller 1020 may control various operations of the flash memory through the flash memory interface 1030 .
  • the memory card 1000 includes the encryption device 1022 according to an example embodiment, and a real operation part is not specified despite a side channel attack on the memory card 1000 . Accordingly, the stability of the memory card 1000 may be improved.

Abstract

An encryption device for performing virtual and real operations and a method of operating the encryption device. The method includes performing a virtual operation; when a real operation request signal is received, determining whether the virtual operation being performed is completed; and in response to the virtual operation being completed, performing a real operation in response to the real operation request signal.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims priority from Korean Patent Application No. 10-2017-0134252, filed on Oct. 16, 2017, in the Korean Intellectual Property Office, and Korean Patent Application No. 10-2018-0027082, filed on Mar. 7, 2018, in the Korean Intellectual Property Office, the disclosures of each of which are incorporated by reference herein in their entireties.
    • BACKGROUND
  • Apparatuses, devices, and methods consistent with the present disclosure relate to an encryption device and a method of operating the same, and more particularly, to an encryption device for randomly performing a virtual operation and a method of operating the encryption device.
  • Smart cards and integrated circuit (IC) cards include security information of users. In order to prevent leakage of the security information by hacking, etc., there is a need for encryption/decryption devices for encrypting and transmitting security information transmitted through signature and authorization.
  • One of the important factors to realize encryption/decryption devices is to apply a method of preventing side channel analysis (SCA). A method of randomly or uniformly propagating power and electromagnetic waves that are information collected through a side channel may be used as the above method.
    • SUMMARY
  • It is an aspect to provide an encryption device and a method of operating the same for randomly performing a virtual operation and a real operation and a method of operating the encryption device.
  • According to an aspect of an example embodiment, there is provided a method of operating an encryption device for performing a real operation and a virtual operation, the method including performing a virtual operation; when a real operation request signal is received, determining whether the virtual operation being performed is completed; and in response to the virtual operation being completed, performing a real operation in response to the real operation request signal.
  • According to another aspect of an example embodiment, there is provided a method of operating an encryption device for performing a virtual operation and a real operation, each of which includes a plurality of round operations each including a plurality of sub-round operations classified into real sub-round operations and virtual sub-round operations, the method including initializing a count value and a random value regarding the plurality of sub-round operations and starting forming a round comprising a plurality of sub-round operations including one real sub-round operation and a plurality of virtual sub-round operations; deriving a count value by counting the sub-round operations; performing the one real sub-round operation when the count value is equal to the random value, and performing one of the plurality of virtual sub-round operations when the count value is different from the random value; and when the count value is equal to a reference count value, completing the round.
  • According to another aspect of an example embodiment, there is provided an encryption device for performing a virtual operation and a real operation each including a plurality of round operations each including a plurality of sub-round operations classified into real sub-round operations and virtual sub-round operations, the encryption device including: a first virtual operation register configured to store first dummy data and a first dummy encryption key on which the virtual sub-round operations are based; a second virtual operation register configured to store second dummy data and a second dummy encryption key on which the virtual sub-round operations are based; and a first multiplexer configured to receive a first output from the first virtual operation register and a second output from the second virtual operation register, select one of the first output or the second output based on a random bit, and output the one of the first output or the second output that is selected.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • Example embodiments will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings in which:
  • FIG. 1 is a block diagram of a device according to an example embodiment;
  • FIG. 2 is a detailed block diagram of an encryption device according to an example embodiment;
  • FIG. 3 is a flowchart of a method of operating an encryption device, according to an example embodiment;
  • FIG. 4 is a flowchart of a method of operating an encryption device, according to an example embodiment;
  • FIG. 5 is a timing diagram for explaining operations of an encryption device, according to an example embodiment;
  • FIG. 6 is a diagram illustrating part of an encryption device for performing an encryption operation, according to an example embodiment;
  • FIG. 7 is a flowchart of a round formation operation of an encryption device, according to an example embodiment;
  • FIG. 8 is a diagram illustrating part of an encryption device for a round formation operation, according to an example embodiment;
  • FIG. 9 is a table showing an example of options that may be set when a round formation operation is performed, according to an example embodiment;
  • FIG. 10 is a conceptual view of an example in which multiple rounds are performed when the rounds are formed, according to an example embodiment;
  • FIG. 11 is a flowchart of a method of operating an encryption device, according to an example embodiment;
  • FIG. 12 is a table for explaining operation of an encryption device, according to an example embodiment;
  • FIG. 13 is a diagram of part of an encryption device for performing an encryption operation, according to an example embodiment;
  • FIG. 14 is a graph showing power waveforms according to operation of an encryption device, according to an example embodiment; and
  • FIG. 15 is a block diagram of a memory card according to an example embodiment.
    •  DETAILED DESCRIPTION
  • Hereinafter, one or more example embodiments will be described in detail with reference to the attached drawings.
  • FIG. 1 is a block diagram of a device 1 according to an example embodiment.
  • Referring to FIG. 1, the device 1 may include an encryption device 10, a processor 20, an interface (I/F) 30, and a memory 40. The device 1 may transceive data DT with an external device. For example, the device 1 may transceive the data DT with a smart card, a memory card, or another device.
  • The processor 20 may transceive the data DT with one or more other devices located outside of the device 1 through the I/F 30. The processor 20 may perform tasks and may store task results in the memory 40. For example, the processor 20 may include multiple cores.
  • The memory 40 may store various types of data for operation of the processor 20. The memory 40 may be embodied as, for example, Dynamic Random Access Memory (DRAM), Mobile DRAM, Static RAM (SRAM), Phase change RAM (PRAM), Ferroelectric RAM (FRAM), Resistive RAM (RRAM or ReRAM), and/or Magnetic RAM (MRAM).
  • The encryption device 10 may perform encryption and/or decryption on the data DT received from outside of the device 1. The encryption device 10 may maintain the security of the data DT by performing an encryption operation based on an encryption algorithm. The encryption algorithm may be, for example, an algorithm for generating data encrypted by using an encryption key. The encryption algorithm may include various algorithms such as a Message-Digest algorithm (MD5), a Secure Hash Algorithm (SHA), Rivest Shamir Adleman (RSA), an Advanced Encryption Standard (AES), and a Data Encryption Standard (DES).
  • The encryption device 10 according to an example embodiment may perform a real operation for an encryption operation and a virtual operation irrelevant to the real operation. The real operation and the virtual operation may include a real round operation and a virtual round operation, respectively. In the present specification, the real operation and the virtual operation may be encryption/decryption operations including round operations (real round operations or virtual round operations). In an example embodiment, one virtual round operation and one real round operation may each include sub-round operations. For example, the sub-round operations may be classified into real sub-round operations and virtual sub-round operations.
  • In an example embodiment, one round of the virtual operation and one round of the real operation may each include one real sub-round operation and a plurality of virtual sub-round operations of a first number. That is, one round of the virtual operation may include one real sub-round operation and a plurality of virtual sub-round operations of a first number, and one round of the real operation may include one real sub-round operation and a plurality of virtual sub-round operations of the first number. For example, an order of performing the real sub-round operation and the virtual sub-round operations in one round may be randomly changed. In an example embodiment, a sum of the number of real sub-round operations and the number of virtual sub-round operations, both of which are included in one round, may be 2 raised to a power. In other words, a value obtained by adding ‘1’ to the first number may be 2 raised to a power.
  • FIG. 2 is a detailed block diagram of an encryption device according to an example embodiment. For example, FIG. 2 may be a detailed block diagram of the encryption device 10 of FIG. 1.
  • Referring to FIG. 2, the encryption device 10 may include an encryption/decryption controller 110, a key scheduler 120, and a data function module 130. The encryption/decryption controller 110 may control overall operations of the encryption device 10. The encryption/decryption controller 110 may include a virtual operation (V-op) controller 112 and virtual operation (V_op) registers 114.
  • In an example embodiment, when a real operation is requested, the virtual operation controller 112 may control the number of virtual operations to be performed before the real operation is performed based on a delay number NUM_D indicating a number of delays that is received from the outside of the encryption device 10. For example, when the real operation is requested while the virtual operation is performed on the data function module 130, the virtual operation controller 112 may control the data function module 130 in such a manner that the virtual operations are performed by as many as the delay number NUM_D and then the real operation is performed.
  • For example, the delay number NUM_D may be a value that is received from a host (not illustrated) outside the encryption device 10. As another example, the virtual operation controller 112 may control the number of virtual operations to be performed before the real operation is performed, based on a random value R_NUM received from a random number generator located outside of the encryption device 10.
  • In an example embodiment, the virtual operation registers 114 may each store a pair of data and an encryption key for a virtual sub-round operation. For example, each virtual operation register 114 may include a first virtual operation register and a second virtual operation register, and each of the first and second virtual operation registers may store a pair of dummy data and a dummy encryption key.
  • In an example embodiment, based on certain random bits included in the random value R_NUM, one of the first virtual operation register and the second virtual operation register may be selected. One virtual sub-round operation may be performed based on the dummy data and the dummy encryption key which are stored in the selected one of the first virtual operation register and the second virtual operation register. That is, whenever virtual sub-round operations are performed, one of the first virtual operation register and the second virtual operation register may be selected. However, the above description is merely an example, and the number of virtual operation registers 114 is not limited thereto.
  • The key scheduler 120 may process an encryption key for each sub-round operation. In an example embodiment, the key scheduler 120 may receive an encryption key stored in a register and may perform a bit-shift operation on the encryption key received based on a rule that is set for each sub-round operation. The rule may be previously set. The register for storing the encryption key may be the virtual operation register 114, or a real operation register (not illustrated). After the encryption key is processed by performing the bit-shift operation, the key scheduler 120 may provide the processed encryption key to the data function module 130. Also, the key scheduler 120 may update the processed encryption key to the register that provided the encryption key before processing the same.
  • The data function module 130 may perform an encryption operation on the data DT that is input based on the encryption key. The data function module 130 may perform an encryption operation by performing, for example, a permutation whereby locations of bits of the data DT are mixed based on the encryption key. Alternatively or additionally, the data function module 130 may perform the encryption operation by performing a substitution whereby the data is substituted with other mapped data, based on the encryption key. The data function module 130 may update, to the register, the data DT on which the encryption operation is performed. An operation performed by the data function module 130 may be determined as one of a real sub-round operation and a virtual sub-round operation, depending on the data DT and a type of the encryption key.
  • In an example embodiment, when the data function module 130 performs the encryption operation based on real data and a real encryption key, the encryption operation may be determined as a real sub-round operation. Alternatively, when the data function module 130 performs the encryption operation based on the dummy data and the dummy encryption key, the encryption operation may be determined as a virtual sub-round operation. However, the example embodiments are not limited thereto. When the data function module 130 performs the encryption operation based on the dummy data and the real encryption key, or based on the real data and the dummy encryption key, the encryption operation may be determined as a virtual sub-round operation.
  • In an example embodiment, when a real operation request signal is received by the encryption/decryption controller 110 while the virtual operation is performed by the data function module 130, the data function module 130 may not stop and may continue to perform the virtual operation, which was in the process of being performed when the real operation request signal was received, thereby completing the virtual operation. In other words, the data function module 130 may perform all round operations included in the virtual operation, which was in the process of being performed when the real operation request signal was received, thereby completing the round operations before performing the real operation requested by the real operation request signal.
  • FIG. 3 is a flowchart of a method of operating an encryption device, according to an example embodiment. For example, FIG. 3 may be a flowchart of operations of the encryption device 10 of FIG. 2. Hereinafter, the flowchart of FIG. 3 will be described with reference to FIG. 2.
  • Referring to FIG. 3, in operation S10, the encryption device 10 may start performing a virtual operation. In an example embodiment, a virtual operation in one unit may include plural round operations. Each round operation may be, for example, either a real round operation or a virtual round operation. The virtual operation may be performed by, for example, the data function module 130.
  • Then, in operation S20, the encryption device 10 may determine whether the real operation request signal is received. When the real operation request signal is not received (S20, NO), the encryption device 10 may continue to perform the virtual operation. For example, the encryption device 10 may complete the virtual operation currently being performed and may start performing a new virtual operation.
  • On the other hand, when the real operation request signal is received (S20, YES), the encryption device 10 may determine whether the virtual operation that is currently being performed is completed. When it is determined that the virtual operation is not completed (S30, NO), the encryption device 10 may continue to perform a virtual round operation included in the virtual operation, in operation S40. Otherwise, when it is determined that the virtual operation is completed (S30, YES), the encryption device 10 may then start performing the real operation, in operation S50.
  • According to an example embodiment, although the real operation request signal is received, since the encryption device 10 may not immediately perform the real operation and may continue to perform the virtual operation to complete the same, a real operation part is not specified despite a side channel attack on the encryption device 10, for example, power waveform analysis of an attacker. That is, a real operation is not immediately started in response to the real operation request signal thus confusing a side channel attack on the encryption device 10. Accordingly, the encryption device 10 may have an enhanced defense function with respect to the side channel attack.
  • FIG. 4 is a flowchart of a method of operating an encryption device, according to an example embodiment. For example, FIG. 4 may be a flowchart of operations of the encryption device 10 of FIG. 2. The descriptions already provided with reference to FIG. 3 will not be repeated herein.
  • Referring to FIG. 4, the encryption device 10 may perform a virtual operation in operation S110 and may determine whether a real operation request signal is received while the virtual operation is performed in operation S120. When the real operation request signal is not received (S120, NO), the encryption device 10 may continue to perform the virtual operation.
  • When the real operation request signal is received (S120, YES), the encryption device 10 may receive a delay number NUM_D indicating a number of delays in operation S130. For example, the delay number NUM_D may be a value received from a host (not illustrated) outside the encryption device 10, or may be a random value received from a random value generator (not illustrated) outside the encryption device 10. The random value may be generated by, for example, a Linear Feedback Shift Register (LFSR) or a Random Number Generator (RNG) outside the encryption device 10.
  • After receiving the delay number, the encryption device 10 may determine whether the virtual operation is completed, in operation S140. When it is determined that the virtual operation is not completed (S140, NO), the encryption device 10 may continue to perform a virtual round operation included in the virtual operation, in operation S150.
  • Otherwise, when it is determined that the virtual operation is completed (S140, YES), the encryption device 10 may repeatedly perform the virtual operation a number of times equal to the delay number NUM_D, in operation S160. For example, when the delay number NUM_D indicating the number of delays is equal to N (where, N is a natural number equal to or greater than 1), the encryption device 10 may perform virtual operations N−1 times in addition to the virtual operation that was being performed when the real operation request signal was received. However, the example embodiments are not limited thereto. When the delay number NUM_D is equal to N, the encryption device 10 may perform virtual operations N times except the virtual operation that was being performed when the real operation request signal was received. That is, the delay number may include or not include the virtual operation that was being performed when the real operation request signal was received. As another example, the encryption device 10 may control the number of times that the virtual operations are to be performed before the real operation is performed, in operation S170, based on the random value R_NUM received from the outside.
  • In the present example embodiment, it has been described that the encryption device 10 receives the real operation request signal in operation S120 and then receives the delay number NUM_D indicating the number of delays in operation S130. However, the example embodiments are not limited thereto. That is, the encryption device 10 may receive the delay number at any time, for example, while the virtual operation is being performed or before performing the virtual operation.
  • According to an example embodiment, although the real operation request signal is received, the real operation is not immediately performed, and after the virtual operations are further repeatedly performed by as many times as the delay number NUM_D, the real operation is performed. Thus, a real operation part is not specified despite a side channel attack on the encryption device 10. Accordingly, the encryption device 10 may have an enhanced defense function with respect to the side channel attack.
  • FIG. 5 is a timing diagram for explaining each operation of an encryption device, according to an example embodiment. For example, FIG. 5 may be a timing diagram for explaining operations of the encryption device 10 of FIG. 2. Hereinafter, the timing diagram of FIG. 5 will be described with reference to FIG. 2.
  • Referring to FIG. 5, a virtual operation request signal S_V_op may be activated at a first point in time t1. For example, when an option of performing a virtual operation of the encryption device 10 is turned on, the encryption device 10 may be reset, and the virtual operation request signal S_V_op may be activated. As another example, when the option of performing the virtual operation of the encryption device 10 is turned off, the option of performing the virtual operation of the encryption device 10 is turned on, and the virtual operation request signal S_V_op may be activated.
  • The virtual operation may be performed based on the activated virtual operation request signal S_V_op. Also, at the first point in time t1, the encryption device 10 may receive the delay number NUM_D indicating the number of delays. In the present example embodiment shown in FIG. 5, it is described that each signal is activated in a logic-high state. However, example embodiments are not limited thereto, and the signals may be activated in the logic-low state. In addition, in the present example embodiment, the delay number NUM_D is equal to ‘4’, but this is merely an example for convenience of explanation, and the example embodiments are not limited thereto.
  • A first virtual operation ({circle around (1)}) and a second virtual operation ({circle around (2)}) may be performed in response to the virtual operation request signal S_V_op. While a third virtual operation ({circle around (3)}) is performed in response to the virtual operation request signal S_V_op, a real operation request signal S_R_op may be activated at a second point in time t2. In an example embodiment, the encryption device 10 may not stop and may continue to perform the third virtual operation ({circle around (3)}) at the second point in time t2, thereby completing the third virtual operation ({circle around (3)}). That is, the encryption device 10 may perform all round operations included in the third virtual operation ({circle around (3)}) and may complete the third virtual operation ({circle around (3)}) by a third point in time t3.
  • In an example embodiment, the encryption device 10 may further perform virtual operations, e.g., a fourth virtual operation ({circle around (4)}), a fifth virtual operation ({circle around (5)}), and a sixth virtual operation ({circle around (6)}) shown in FIG. 5, three times after the third point in time t3. That is, since the delay number NUM_D is equal to ‘4’ and the third virtual operation ({circle around (3)}) is completed by the third point in time t3 after the real operation request signal S_R_op is activated, the encryption device 10 may further perform the other virtual operations (the fourth to sixth virtual operations {circle around (4)} to {circle around (6)}) three times. However, the example embodiments are not limited thereto. The encryption device 10 may not count a virtual operation, which is completed at the third point in time t3, and may further perform virtual operations four times.
  • Additional virtual operations may be completed by a fourth point in time t4, and a real operation may be performed. The real operation may be performed from the fourth point in time t4 to a fifth point in time t5, and the real operation request signal S_R_op may be inactivated at the fifth point in time t5.
  • FIG. 6 is a diagram illustrating part of an encryption device for performing an encryption operation, according to an example embodiment. For example, FIG. 6 may illustrate an example of a logic circuit structure for performing the operations of FIG. 4. For example, the logic circuit structure of FIG. 6 may be included in the virtual operation controller 112 of FIG. 2.
  • Referring to FIG. 6, the encryption device 10 may include a logic circuit including a subtractor 210, a first multiplexer 220, a second multiplexer 230, and a third multiplexer 240, a delay counter 250, and a comparator 260 so as to perform the operations of FIG. 4. Based on an output from the comparator 260, the first multiplexer 220 may select, as an output value, a value input from the subtractor 210 or a value input from the delay counter 250. For example, in a case in which the comparator 260 determines that a counting value of the delay counter 250 is not equal to ‘0’, the first multiplexer 220 may select, as an output value, the value input from the subtractor 210.
  • The second multiplexer 230 may select, as an output value, either the delay number or the value input from the first multiplexer 220, in response to the real operation request signal S_R_op. For example, in a case in which the real operation request signal S_R_op is activated, the second multiplexer 230 may select the value input from the first multiplexer 220 as the output value.
  • The third multiplexer 240 may select, as an output value, a value input from the delay counter 250 or a value input from the second multiplexer 230, in response to a last round signal. For example, the last round signal may be a signal activated during a last round operation included in either the virtual operation or the real operation. In a case in which the last round signal is activated, the third multiplexer 240 may select the value input from the second multiplexer 230 as the output value.
  • While the virtual operation is performed, when the real operation request signal S_R_op is activated and the comparator 260 determines that the counting value of the delay counter 250 is not equal to ‘0’, the first multiplexer 220 may be set to select the value input from the subtractor 210 as the output value, and the second multiplexer 230 may be set to select the value input from the first multiplexer 220 as the output value. Also, the third multiplexer 240 may be set to select the value input from the second multiplexer 230 as the output value, based on the last round signal.
  • Accordingly, when the real operation request signal S_R_op is activated, the delay counter 250 may perform counting by subtracting ‘1’ each time from the delay number NUM_D. The comparator 260 may determine whether the value output from the delay counter 250 is equal to 0, and when the value output from the delay counter 250 is equal to 0, a signal may be output to perform the real operation. Also, since the third multiplexer 240 selects the output value based on whether the last round signal is activated, when the delay number NUM_D is equal to ‘0’, although the real operation request signal S_R_op is activated, the encryption device 10 may finish performing a last round operation of the virtual operation having been performed and then may perform a next real operation.
  • FIG. 7 is a flowchart of a round formation operation of an encryption device, according to an example embodiment. For example, FIG. 7 may be a flowchart of operations of the encryption device 10 of FIG. 2. Hereinafter, the flowchart of FIG. 7 will be described with reference to FIG. 2.
  • Referring to FIG. 7, in operation S210, the encryption device 10 may initialize a counter and a random value and may start one round. The counter may count sub-round operations that are sequentially performed. The random value may be a value that becomes a basis of a point in time when a real sub-round operation is performed in one round. For example, the random value may be stored in a register. In an example embodiment, the encryption device 10 may store, in the register, the random value R_NUM input from the outside of the encryption device 10 as an initialization value.
  • In operation S220, the encryption device 10 may count sub-round operations by using the counter and may derive a count value. In operation S230, the encryption device 10 may determine whether the derived count value is equal to an initialized random value. For example, the comparator may compare the count value with the random value and determine whether the output count value is equal to the random value.
  • When the count value is equal to the random value (S230, YES), the encryption device 10 may perform a real sub-round operation, in operation S240. Otherwise, when the count value is different from the random value (S230, NO), the encryption device 10 may perform a virtual sub-round operation in operation S250.
  • In operation S260, a determination as to whether the derived count value is equal to a reference count value may be made. The reference count value may be set in advance. In an example embodiment, the reference count value may be a max count value. The max count value may be, for example, the number of sub-round operations to be included in one round. In an example embodiment, the max count value may be ‘a value obtained by subtracting 1 from 2 raised to a power’. For example, the comparator may compare the count value with the reference count value and determine whether the output count value is equal to the reference count value.
  • When the count value is equal to the reference count value (S260, YES), the encryption device 10 may complete one round. Otherwise, when the count value is different from the reference count value (S260, NO), the encryption device 10 may return to operation S220 again.
  • FIG. 8 is a diagram illustrating part of an encryption device for a round formation operation, according to an example embodiment. For example, FIG. 8 may illustrate an example of a logic circuit structure for performing the operation of FIG. 7. For example, the logic circuit structure of FIG. 8 may be included in the virtual operation controller 112 of FIG. 2.
  • Referring to FIG. 8, the encryption device 10 may include a logic circuit including an adder 310, a first multiplexer 320 and a second multiplexer 330, a counter 340, a register 350, and a first comparator 360 and a second comparator 370 for the round formation operation. In an example embodiment, the counter 340 may count sub-round operations that are sequentially performed, and except that an initial value is input, the counter 340 may increase the number of counts by 1.
  • The counter 340 may perform initialization when a count value has a maximum value. For example, when the count value is expressed as binary numbers of 8 bits, the maximum value may be 2′b1111_1111. For example, an initial value I_V1 of the counter 340 may be a value obtained by subtracting, from the maximum value, the number of times that a real sub-round operation and a virtual sub-round operation included in one round are performed. The second comparator 370 may compare a max count value with a count value of the counter 340 and may output a signal indicating that one round ends, based on whether two values, that is, the max count value and the count value, are equal to each other.
  • The register 350 may store a random value that is a basis of performance of the real sub-round operation. For example, the random value may form at least some bits among bits that form an initial value I_V2. The register 350 may perform initialization of the random value by inputting the initial value I_V2. For example, the initial value I_V2 may be the random value R_NUM that is received from the outside of the encryption device 10.
  • The first comparator 360 may compare the count value of the counter 340 with the random value stored in the register 350. For example, when the count value of the counter 340 is equal to the random value stored in the register 350, the first comparator 360 may output a real sub-round operation performance signal Sub_Real_on. Accordingly, a point in time when the read sub-round operation is performed in one round may be randomly determined.
  • FIG. 9 is a table showing examples of respective options that may be set during the round formation operation, according to an example embodiment. For example, FIG. 9 shows that the round formation operations described with reference to FIGS. 7 and 8 are performed based on 8 bits. However, this is merely an example for convenience of explanation, and the example embodiments are not limited thereto. Hereinafter, the table of FIG. 9 will be described with reference to FIG. 8.
  • Referring to FIG. 9, based on 8 bits, the initial value I_V1 of the counter 340 may be expressed as eight different bits. Also, the initial value I_V2 of the random value, which is input to the register 350, may correspond to the initial value I_V1 of the counter 340 and may be expressed as eight different bits. In a bit formation of the initial value I_V2, ‘rand[ ]’ may be a random function. In the present example shown in FIG. 9, each of the initial values I_V1 and I_V2 is written in a hardware technology language such as Verilog. However, this is merely an example for convenience of explanation, and the example embodiments are not limited thereto.
  • In an example embodiment, a ratio of performing real sub-round operations and virtual sub-round operations included in one round may be set as an option. For example, when a virtual sub-round operation option is given as n (where, n is an integer equal to or greater than 0), a sum of the number of real sub-round operations and the number of virtual sub-round operations may be set to be 2n+1. That is, when one real sub-round operation and virtual sub-round operations are performed in one round, and when the virtual sub-round operation option is given as n, the number of times that the virtual sub-round operations are performed may be set to be 2n+1−1.
  • According to an example embodiment, the encryption device 10 may set, as an option, a ratio of performing the real sub-round operation and the virtual sub-round operations included in one round, and thus may implement a round formation operation by using a simple logic in a binary register structure.
  • FIG. 10 is a conceptual view of an example of performing rounds when the rounds are formed, according to an example embodiment. For example, FIG. 10 illustrates an example of a result of the round formation operations of FIGS. 7 and 8.
  • Referring to FIG. 10, an encryption operation including five round operations is performed. For example, the encryption operation may be the real operation or the virtual operation described with reference to FIG. 5. FIG. 10 may illustrate that a real sub-round operation and virtual sub-round operations included in each round are performed at a ratio of 1:3. That is, in each of the five round operations, one real sub-round operation and three virtual sub-round operations may be randomly performed. In each round operation, points in time when the virtual sub-round operations are performed may be determined based on random bits included in the initial value I_V2. Accordingly, when the encryption operation is performed, randomness of the real sub-round operation may be secured, and the real sub-round operations may be evenly performed.
  • FIG. 11 is a flowchart of a method of operating an encryption device, according to an example embodiment. For example, FIG. 11 may be a flowchart of operations of the encryption device 10 of FIG. 2. Hereinafter, the flowchart of FIG. 11 will be described with reference to FIG. 2.
  • Referring to FIG. 11, in operation S310, the encryption device 10 may receive random bits. For example, based on the random bits, one of the virtual operation registers 114 may be selected. In an example embodiment, the random bits may be included in the random value R_NUM received from the outside of the encryption device 10. The random bits may be generated by, for example, an LFSR or an RNG outside the encryption device 10 as discussed above.
  • In operation S320, the encryption device 10 may select one of the virtual operation registers 114 based on the random bits. For example, selection of one of the virtual operation registers 114 may be performed by a multiplexer operating based on the random bits. In an example embodiment, each virtual operation register 114 may store a pair of the dummy data and the dummy encryption key for the virtual sub-round operations. In operation S330, the encryption device 10 may perform one sub-round operation based on the dummy data and the dummy encryption key stored in the selected virtual operation register 114.
  • FIG. 12 is a table for explaining operation of an encryption device, according to an example embodiment.
  • Referring to FIG. 12, in the table T1, combinations of a virtual operation V_op, a real operation R_op, a virtual sub-round operation Virtual_sub_round, and a real sub-round operation Real_sub_round are shown. In detail, in one virtual operation V_op, the virtual sub-round operation Virtual_sub_round and the real sub-round operation Real_sub_round may be performed. Also, in one real operation R_op, the virtual sub-round operation Virtual_sub_round and the real sub-round operation Real_sub_round may be performed.
  • In an example embodiment, in one virtual operation V_op, an encryption operation may be performed based on a pair of dummy data and a dummy encryption key, regardless of whether the sub-round operation is the virtual sub-round operation Virtual_sub_round or the real sub-round operation Real_sub_round. As another example, in one virtual operation V_op, the encryption operation may be performed based on a pair of the dummy data and a real encryption key or a pair of real data and the dummy encryption key.
  • In an example embodiment, in one real operation R_op, in the case of the virtual sub-round operation Virtual_sub_round, the encryption operation may be performed based on the pair of the dummy data and the dummy encryption key. As another example, in one real operation R_op, in the case of the virtual sub-round operation Virtual_sub_round, the encryption operation may be performed based on the pair of the dummy data and the real encryption key or the pair of the real data and the dummy encryption key.
  • In an example embodiment, in one real operation R_op, in the case of the real sub-round operation Real_sub_round, the encryption operation may be performed based on the pair of the real data and the real encryption key. In other words, in one real operation R_op, the encryption operation based on the real data and the real encryption key may be the real sub-round operation Real_sub_round in the real operation R_op.
  • FIG. 13 is a diagram of part of an encryption device for performing an encryption operation, according to an example embodiment. For example, FIG. 13 may illustrate an example of a logic circuit structure for implementing the operations of FIG. 11. For example, the logic circuit structure of FIG. 13 may be included in the virtual operation registers 114 of FIG. 2.
  • Referring to FIG. 13, the encryption device 10 may include a logic circuit including a first virtual operation register 410, a second virtual operation register 420, a real operation register 430, and a first multiplexer 440 and a second multiplexer 450 so as to implement the operations of FIG. 11. In the present embodiment, there are two virtual operation registers. However, one or more embodiments are not limited thereto.
  • The first virtual operation register 410 may store first dummy data and a first dummy encryption key (Dummy Data/Key 1). The second virtual operation register 420 may store second dummy data and a second dummy encryption key (Dummy Data/Key 2).
  • The first multiplexer 440 may receive a pair of the first dummy data and the first dummy encryption key from the first virtual operation register 410 and may receive a pair of the second dummy data and the second dummy encryption key from the second virtual operation register 420. The first multiplexer 440 may further receive random bits R B and may selectively receive one of the pair of the first dummy data and the first dummy encryption key and the pair of the second dummy data and the second dummy encryption key, based on the random bits R B. The selection of the first multiplexer 440 may be performed in each virtual sub-round operation. Accordingly, even when the virtual sub-round operations are continuously performed, the encryption device 10 may randomly perform switching of registers for data/encryption keys.
  • The second multiplexer 450 may select one of an output from the first multiplexer 440 and an output (i.e. Real Data/Key) from the real operation register 430 and may output the selected output, in response to the real sub-round operation performance signal Sub_Real_on. Since the encryption device 10 according to an example embodiment may randomly perform the switching of the registers regardless of whether continuous sub-round operations are virtual sub-round operations or real sub-round operations, a real operation part is not specified despite a side channel attack, in particular, power waveform analysis. Accordingly, the encryption device 10 may have an enhanced defense function with respect to the side channel attack.
  • FIG. 14 is a graph showing power waveforms according to operations of an encryption device, according to an example embodiment. In particular, the graph of FIG. 14 shows transition power between sub-round operations. For example, FIG. 14 may be a power waveform graph according to the operations of the encryption device of FIG. 11. FIG. 14 shows an example of a power waveform graph when a real sub-round operation and virtual sub-round operations are performed at a ratio of 1:3. However, this is merely an example for convenience of explanation, and example embodiments are not limited thereto.
  • Referring to FIG. 14, power consumed among continuous virtual sub-round operations VR may be the same as power consumed when virtual sub-round operations VR are switched to real sub-round operations RR, for example, in a 50% probability. Accordingly, since it is not commonly inferred that the real sub-round operations RR are performed before and after a portion where power is consumed at most, the stability of the encryption operation may be improved.
  • Also, the virtual sub-round operations VR may be randomly selected, and thus, it may not be commonly inferred that a certain operation is performed before and after a portion where power waveforms are low. Also, as a ratio of the virtual sub-round operations VR is greater than a ratio of the real sub-round operations RR, the interference about locations of the real round operations may be effectively prevented.
  • FIG. 15 is a block diagram of a memory card 1000 according to an example embodiment.
  • Referring to FIG. 15, the memory card 1000 may include a host interface 1010, a memory controller 1020, and a flash memory interface (Flash I/F) 1030. Also, the memory controller 1020 may further include an encryption device 1022 according to an example embodiment.
  • The host interface 1010 may perform interfacing with a host 900 based on a card protocol so as to exchange various types of data between the host 900 and the memory card 1000. The memory card 1000 may be applied to a Multimedia Card (MMC), a Security Digital (SD) card, a mini SD card, a Memory Stick, smartmedia, a TransFlash card, or the like. The memory controller 1020 may receive/transmit data from/to a flash memory (not illustrated) through the flash memory interface 1030. The flash memory may be a non-volatile memory, for example, a NAND flash memory. The memory controller 1020 may control various operations of the flash memory through the flash memory interface 1030. The memory card 1000 includes the encryption device 1022 according to an example embodiment, and a real operation part is not specified despite a side channel attack on the memory card 1000. Accordingly, the stability of the memory card 1000 may be improved.
  • While the inventive concept has been particularly shown and described with reference to example embodiments thereof, it will be understood that various changes in form and details may be made therein without departing from the spirit and scope of the following claims.

Claims (20)

What is claimed is:
1. A method of operating an encryption device, the method comprising:
performing a virtual operation;
when a real operation request signal is received, determining whether the virtual operation being performed is completed; and
in response to the virtual operation being completed, performing a real operation in response to the real operation request signal.
2. The method of claim 1, further comprising receiving a delay number from outside of the encryption device,
wherein the performing of the virtual operation comprises:
in response to the virtual operation being completed, performing the virtual operation a number of times equal to the delay number before the real operation is performed.
3. The method of claim 2, wherein the delay number comprises a value received from a host outside the encryption device.
4. The method of claim 2, wherein the delay number comprises a random value received from a random value generator outside the encryption device.
5. The method of claim 1, wherein each of the virtual operation and the real operation comprises a plurality of round operations, and
one round of the virtual operation and one round of the real operation each comprise a plurality of sub-round operations.
6. The method of claim 5, wherein the plurality of sub-round operations are classified into real sub-round operations and virtual sub-round operations, and
the method further comprises forming a plurality of rounds, each comprising a real sub-round operation and a plurality of virtual sub-round operations of a first number.
7. The method of claim 6, wherein the encryption device further comprises a counter and a real sub-round operation register configured to store a random value, and
the forming of the plurality of rounds comprises:
initializing the counter and the random value and starting forming a first round;
sequentially counting, by the counter, the plurality of sub-round operations and deriving a count value;
performing the real sub-round operation when the count value is equal to the random value, and performing one virtual sub-round operation when the count value is different from the random value; and
completing the first round when the count value is equal to a reference count value.
8. The method of claim 6, wherein the first number is a value obtained by 2n−1, where n is a positive integer.
9. The method of claim 6, wherein the encryption device comprises a plurality of virtual operation registers, each of which is configured to store dummy data and a dummy encryption key on which the virtual sub-round operations are based.
10. The method of claim 9, further comprising:
receiving a plurality of random bits;
selecting one of the plurality of virtual operation registers, based on the plurality of random bits; and
performing a sub-round operation based on the dummy data and the dummy encryption key stored in the one of the plurality of virtual operation registers.
11. A method of operating an encryption device for performing a virtual operation and a real operation, each of which comprises a plurality of round operations each comprising a plurality of sub-round operations classified into real sub-round operations and virtual sub-round operations, the method comprising:
initializing a count value and a random value regarding the plurality of sub-round operations and starting forming a round comprising a plurality of sub-round operations including one real sub-round operation and a plurality of virtual sub-round operations;
deriving a count value by counting the sub-round operations;
performing the one real sub-round operation when the count value is equal to the random value, and performing one of the plurality of virtual sub-round operations when the count value is different from the random value; and
when the count value is equal to a reference count value, completing the round.
12. The method of claim 11, wherein a sum of a first number of times that the one real sub-round operation is performed and a second number of times that the plurality of virtual sub-round operations are performed is equal to 2n, where n is a positive integer, and
wherein the one real sub-round operation and the plurality of virtual sub-round operations are comprised in the round.
13. The method of claim 11, further comprising:
performing the virtual operation;
when a real operation request signal is received, determining whether the plurality of round operations comprised in the virtual operation, which is being performed, are completed; and
in response to the plurality of round operations being completed, performing the real operation in response to the real operation request signal.
14. The method of claim 13, further comprising receiving a delay number from the outside of the encryption device,
wherein the performing of the real operation comprises:
in response to the plurality of round operations being completed, performing the virtual operation a number of times equal to the delay number before the real operation is performed.
15. The method of claim 11, wherein the encryption device comprises a first virtual operation register and a second virtual operation register, each of which is configured to store dummy data and a dummy encryption key on which the plurality of virtual sub-round operations are based,
wherein the method further comprises:
selecting one of the first virtual operation register and the second virtual operation register based on a random bit; and
performing a sub-round operation based on the dummy data and the dummy encryption key stored in the selected one of the first virtual operation register and the second virtual operation register.
16. The method of claim 15, wherein the random value comprises the random bit.
17. An encryption device for performing a virtual operation and a real operation each comprising a plurality of round operations each comprising a plurality of sub-round operations classified into real sub-round operations and virtual sub-round operations, the encryption device comprising:
a first virtual operation register configured to store first dummy data and a first dummy encryption key on which the virtual sub-round operations are based;
a second virtual operation register configured to store second dummy data and a second dummy encryption key on which the virtual sub-round operations are based; and
a first multiplexer configured to receive a first output from the first virtual operation register and a second output from the second virtual operation register, select one of the first output or the second output based on a random bit, and output the one of the first output or the second output that is selected.
18. The encryption device of claim 17, further comprising:
a real operation register configured to store real data and a real encryption key on which the real sub-round operations are based; and
a second multiplexer configured to receive a third output from the real operation register and a fourth output from the first multiplexer, select one of the third output or the fourth output in response to a real sub-round operation performance signal, and output the one of the third output or the fourth output that is selected.
19. The encryption device of claim 17, further comprising:
a data function module configured to perform an encryption operation based on the virtual operation and the real operation; and
an encryption/decryption controller configured to receive a delay number from the outside of the encryption device, and when the data function module receives a real operation performance request while the virtual operation is being performed, control the data function module to perform the virtual operation a number of times equal to the delay number.
20. The encryption device of claim 17, wherein each of the plurality of round operations comprises one real sub-round operation and a plurality of virtual sub-round operations.
US16/157,242 2017-10-16 2018-10-11 Encryption device and operation method thereof Abandoned US20190116022A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/245,309 US20210284703A1 (en) 2017-10-16 2021-04-30 Encryption device and operation method thereof

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR20170134252 2017-10-16
KR10-2017-0134252 2017-10-16
KR10-2018-0027082 2018-03-07
KR1020180027082A KR102559583B1 (en) 2017-10-16 2018-03-07 Encryption device and operation method thereof

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/245,309 Continuation US20210284703A1 (en) 2017-10-16 2021-04-30 Encryption device and operation method thereof

Publications (1)

Publication Number Publication Date
US20190116022A1 true US20190116022A1 (en) 2019-04-18

Family

ID=65910287

Family Applications (2)

Application Number Title Priority Date Filing Date
US16/157,242 Abandoned US20190116022A1 (en) 2017-10-16 2018-10-11 Encryption device and operation method thereof
US17/245,309 Pending US20210284703A1 (en) 2017-10-16 2021-04-30 Encryption device and operation method thereof

Family Applications After (1)

Application Number Title Priority Date Filing Date
US17/245,309 Pending US20210284703A1 (en) 2017-10-16 2021-04-30 Encryption device and operation method thereof

Country Status (3)

Country Link
US (2) US20190116022A1 (en)
CN (1) CN109670301A (en)
DE (1) DE102018125497A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11218291B2 (en) * 2018-02-26 2022-01-04 Stmicroelectronics (Rousset) Sas Method and circuit for performing a substitution operation
US11258579B2 (en) * 2018-02-26 2022-02-22 Stmicroelectronics (Rousset) Sas Method and circuit for implementing a substitution table
US11265145B2 (en) * 2018-02-26 2022-03-01 Stmicroelectronics (Rousset) Sas Method and device for performing substitution table operations
US11328097B2 (en) 2018-10-05 2022-05-10 Samsung Electronics Co., Ltd. Encryption circuit for performing virtual encryption operations
US11477009B2 (en) * 2019-10-30 2022-10-18 Fuji Electric Co., Ltd. Information processing apparatus and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060256105A1 (en) * 2005-05-13 2006-11-16 Scarlata Vincent R Method and apparatus for providing software-based security coprocessors
US20060256108A1 (en) * 2005-05-13 2006-11-16 Scaralata Vincent R Method and apparatus for remotely provisioning software-based security coprocessors
US20080235756A1 (en) * 2007-03-22 2008-09-25 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Resource authorizations dependent on emulation environment isolation policies
US20130064362A1 (en) * 2011-09-13 2013-03-14 Comcast Cable Communications, Llc Preservation of encryption
US8781111B2 (en) * 2007-07-05 2014-07-15 Broadcom Corporation System and methods for side-channel attack prevention

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6570850B1 (en) * 1998-04-23 2003-05-27 Giganet, Inc. System and method for regulating message flow in a digital data network
JP4111278B2 (en) * 2003-11-20 2008-07-02 独立行政法人産業技術総合研究所 Haptic information presentation system
FR2893796B1 (en) * 2005-11-21 2008-01-04 Atmel Corp ENCRYPTION PROTECTION METHOD
US9495111B2 (en) * 2014-10-10 2016-11-15 The Boeing Company System and method for reducing information leakage from memory

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060256105A1 (en) * 2005-05-13 2006-11-16 Scarlata Vincent R Method and apparatus for providing software-based security coprocessors
US20060256108A1 (en) * 2005-05-13 2006-11-16 Scaralata Vincent R Method and apparatus for remotely provisioning software-based security coprocessors
US20080235756A1 (en) * 2007-03-22 2008-09-25 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Resource authorizations dependent on emulation environment isolation policies
US8781111B2 (en) * 2007-07-05 2014-07-15 Broadcom Corporation System and methods for side-channel attack prevention
US20130064362A1 (en) * 2011-09-13 2013-03-14 Comcast Cable Communications, Llc Preservation of encryption

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11218291B2 (en) * 2018-02-26 2022-01-04 Stmicroelectronics (Rousset) Sas Method and circuit for performing a substitution operation
US11258579B2 (en) * 2018-02-26 2022-02-22 Stmicroelectronics (Rousset) Sas Method and circuit for implementing a substitution table
US11265145B2 (en) * 2018-02-26 2022-03-01 Stmicroelectronics (Rousset) Sas Method and device for performing substitution table operations
US20220085974A1 (en) * 2018-02-26 2022-03-17 Stmicroelectronics (Rousset) Sas Method and circuit for performing a substitution operation
US11824969B2 (en) * 2018-02-26 2023-11-21 Stmicroelectronics (Rousset) Sas Method and circuit for performing a substitution operation
US11328097B2 (en) 2018-10-05 2022-05-10 Samsung Electronics Co., Ltd. Encryption circuit for performing virtual encryption operations
US11477009B2 (en) * 2019-10-30 2022-10-18 Fuji Electric Co., Ltd. Information processing apparatus and method

Also Published As

Publication number Publication date
US20210284703A1 (en) 2021-09-16
DE102018125497A1 (en) 2019-04-18
CN109670301A (en) 2019-04-23

Similar Documents

Publication Publication Date Title
US20210284703A1 (en) Encryption device and operation method thereof
US10291390B2 (en) Endecryptor preventing side channel attack, driving method thereof and control device having the same
US20110123020A1 (en) Endecryptor capable of performing parallel processing and encryption/decryption method thereof
US10146701B2 (en) Address-dependent key generation with a substitution-permutation network
US20160065368A1 (en) Address-dependent key generator by xor tree
US11328097B2 (en) Encryption circuit for performing virtual encryption operations
US11258579B2 (en) Method and circuit for implementing a substitution table
CN105095097B (en) The memory access of randomization
JP2018509833A (en) Side channel analysis resistor architecture
EP3252991B1 (en) Application specific low-power secure key
US20100070779A1 (en) Integrity of ciphered data
US10891396B2 (en) Electronic circuit performing encryption/decryption operation to prevent side- channel analysis attack, and electronic device including the same
US9602281B2 (en) Parallelizable cipher construction
US8351599B2 (en) Cryptographic device for fast session switching
EP3591889B1 (en) Shuffling mechanism for shuffling an order of data blocks in a data processing system
KR102510451B1 (en) Integrated circuit device and operating method of integrated circuit device
Paterson et al. A practical attack against the use of RC4 in the HIVE hidden volume encryption system
KR102559583B1 (en) Encryption device and operation method thereof
US11265145B2 (en) Method and device for performing substitution table operations
US10977365B2 (en) Protection of an iterative calculation against horizontal attacks
EP3616052B1 (en) Random number generator
US20200162113A1 (en) Encryption device and decryption device, and operation method thereof
US20190384894A1 (en) Intrinsic authentication of program code
US20240020383A1 (en) Method and circuit for protecting an electronic device from a side-channel attack
KR20210109947A (en) Authentication method and apparatus of user terminal using physical unclonable function

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KIM, JAE-HYEOK;CHOI, HONG-MOOK;KANG, JI-SU;AND OTHERS;REEL/FRAME:047132/0076

Effective date: 20180525

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION