WO2008013083A1 - Pseudo-random number generator, stream encryption device and program - Google Patents
Publication number: WO2008013083A1 (PCT/JP2007/064148)
Authority: WO (WIPO, PCT)
Prior art keywords: feedback shift, linear feedback, shift register, pseudo, generation
Classifications
- H04L9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA] (under H04L9/00 Cryptographic mechanisms or arrangements for secret or secure communications; H04L9/002 Countermeasures against attacks on cryptographic mechanisms)
- H04L9/0662: Pseudorandom key sequence combined element-for-element with the data sequence, e.g. one-time pad [OTP] or Vernam's cipher, with a particular pseudorandom sequence generator (under H04L9/06 Encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES or RC4; hash functions; pseudorandom sequence generators; H04L9/065 Stream cipher systems, e.g. RC4, SEAL or A5/3; H04L9/0656 one-time pad)
- G06F7/582: Pseudo-random number generators (under G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled; G06F7/58 Random or pseudo-random number generators)
- G06F7/584: Pseudo-random number generators using finite field arithmetic, e.g. using a linear feedback shift register
- G06F2207/581: Generating an LFSR sequence, e.g. an m-sequence; the sequence may be generated without an LFSR, e.g. using Galois field arithmetic (indexing scheme relating to groups G06F7/58 - G06F7/588)
- G06F2207/7223: Randomisation as countermeasure against side channel attacks (under G06F2207/7219 Countermeasures against side channel or fault attacks; indexing scheme relating to groups G06F7/72 - G06F7/729)
- G06F2207/7261: Uniform execution, e.g. avoiding jumps, or using formulae with the same power profile (under G06F2207/7219)
Definitions
- The present invention relates to a pseudo-random number generator, a stream cipher processing device, and a program; in particular it relates to a so-called clock-controlled pseudo-random number generator that uses a plurality of linear feedback shift registers (hereinafter also "LFSR") and controls the operation (clocking) of each LFSR according to its internal state, and to a stream cipher processing device and program using it.
- Ciphers can be broadly divided into common-key (symmetric) ciphers and public-key ciphers.
- A common-key cipher uses the same secret key for encryption and decryption, and the key is kept secret.
- A public-key cipher uses different keys for encryption and decryption, and one of the two keys can be made public.
- Common-key cryptography is fast and is therefore generally used for high-volume data communication; public-key cryptography is slow but makes key management easier.
- Common-key ciphers are further divided into block ciphers and stream ciphers. A block cipher encrypts data divided into blocks by transposition and arithmetic operations, whereas a stream cipher combines the plaintext sequentially, in a predetermined output unit (e.g., one to several bits), with the pseudo-random number sequence output by a pseudo-random number generator.
- Among stream ciphers, A5/1 is a typical clock-controlled algorithm, in which the LFSRs are clocked irregularly rather than on every step.
- A5/1 is an operation-controlled algorithm having three LFSRs as components.
- An LFSR by itself can serve as a pseudo-random number generator, but because its output is easy to analyze mathematically it cannot be used as a cipher as it is; A5/1 therefore combines multiple LFSRs.
- Since A5/1, many stream ciphers comprising multiple LFSRs and an operation control unit that controls their clocking have been proposed.
- FIG. 13 shows a configuration diagram of a stream encryption method using a clock-controlled pseudo-random number generator equipped with N LFSRs and an operation control unit.
- the pseudo random number generator 4 includes LFSRs 801 to 80N, an operation control unit 9 that controls the operation of each LFSR, and an output processing unit 10 that determines an output from N LFSRs.
- the LFSRs 801 to 80N are LFSRs having different bit widths and transition functions, and the operation control unit 9 controls the shift operation of each LFSR based on the respective internal states. After the shift control of each LFSR is completed, the output of each LFSR is processed by the output processing unit and output as the output of the pseudo random number generator 4.
- The pseudo-random number output by the pseudo-random number generator 4 is combined with the plaintext 5 or ciphertext 6 in the encryption/decryption processing unit 7 to perform encryption or decryption.
- Side-channel attacks, which exploit physical information leaked by an implementation, include the timing attack, which focuses on processing time (see Non-Patent Document 1), and the power analysis attack, which focuses on power consumption.
- Power analysis attacks include simple power analysis (SPA) and differential power analysis (DPA) (see Non-Patent Document 2).
- Non-Patent Document 2 also describes specific DPA attack methods against DES, a known block cipher.
- Patent Document 1 describes a countermeasure against the vulnerability of block ciphers to power analysis attacks: a common-key block cipher device with improved attack resistance in which a dummy round function unit performing dummy operations is provided to make power analysis difficult.
- Patent Document 1: Japanese Unexamined Patent Publication No. 2006-54568
- Non-Patent Document 1: Paul Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", CRYPTO '96, pp. 104-113, 1996.
- Non-Patent Document 2: P. Kocher, J. Jaffe, B. Jun, "Introduction to Differential Power Analysis and Related Attacks", 1998.
- The entire disclosures of Patent Document 1 and Non-Patent Documents 1 and 2 are incorporated herein by reference.
- The present inventor has discovered a very effective attack method against stream ciphers that use a clock-controlled pseudo-random number generator, typified by A5/1. This attack method is explained first.
- FIG. 14 shows the target: a generator with three LFSRs 831 to 833, each of which may have an arbitrary bit length.
- The operation control unit 9 takes a majority decision over the register value of one designated bit of each LFSR, and operates (shifts) the LFSRs whose bit agrees with the majority.
- The registers referred to in the clock control by the operation control unit 9 (C1 to C3 in FIG. 14) are called clocking taps.
- FIG. 15 shows the relationship between the clocking tap values and the LFSRs that operate.
- In FIG. 14 the number of LFSRs is 3, and the number of LFSRs operated by the majority decision (hereinafter the "number of moves") is therefore 2 or 3.
- The attack uses a tree search with the clocking taps as nodes, in which the number of moves at time t-1 and at time t determines the number of branches.
- The tree search is a depth-first search. When a certain depth is reached, the candidate is checked for contradiction with the observed output; if a contradiction is found, search of that branch is stopped and the next branch is searched. The search continues until the internal states of all LFSRs are determined.
- FIG. 16 shows the number of branches (combinations of internal states of the clocking taps) when the number of moves at time t-1 is 3.
- In the move[t] column, (X→Y) indicates a move count of X at a given time and a move count of Y at the next time.
- The operation of the LFSRs at time t+1 depends largely on the state of the clocking taps at time t.
- Without further information there are 2^3 = 8 branches (all combinations of the three clocking tap values) per step. Using the number of moves at time t-1 and time t, the number of branches is at most 6 and at least 1, so the number of branches to search can be reduced considerably.
- FIG. 18 is a flowchart of the processing in a computer program that operates the LFSRs by the clock control method and generates pseudo-random numbers.
- In a software implementation the operation of each LFSR is executed sequentially by the program. The amount of processing therefore differs between a step with 2 moves and a step with 3 moves, and the difference appears as a difference in the processing time required for one output generation process. In a software implementation the difference in processing time can thus be read from the power waveform, and the number of moves determined.
- When the pseudo-random number generator running the A5/1 algorithm is implemented in hardware such as an LSI or FPGA, all processing is executed almost simultaneously.
- Even then, the number of LFSRs operating at the same time changes with the number of moves, which results in a difference in the power consumed for one output generation process (one output unit). Therefore, even in a hardware implementation, the number of moves can be determined from the power consumption.
- Stream ciphers using such clock-controlled generators therefore have the problem that the attack method using the number of moves reduces the difficulty of cryptanalysis.
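The branch counting in the attack above can be reproduced without any real LFSR: only the clocking-tap triple matters, because a register that did not shift keeps its clocking-tap bit, while a register that shifted has a fresh, unknown bit. The following Python model is an added example (not code from the patent or its figures): it enumerates the tap triples at time t that are consistent with a known triple at time t-1 and an observed number of moves at time t, and reproduces the "at most 6, at least 1" figures quoted above for a 3-LFSR majority rule. The function names are the example's own.

```python
from itertools import product

# Constructed model of the attack described above (added example, not the
# patent's code): three LFSRs clocked by majority vote over their clocking
# taps. A register "moves" (shifts) when its clocking tap equals the majority
# value, so either 2 or 3 registers move on every step.


def moving_registers(taps):
    """Indices of the registers that shift for a clocking-tap triple."""
    majority = 1 if sum(taps) >= 2 else 0
    return tuple(i for i, t in enumerate(taps) if t == majority)


def move_count(taps):
    """Number of moves (2 or 3) for a clocking-tap triple."""
    return len(moving_registers(taps))


def branches(prev_taps, observed_moves):
    """Clocking-tap triples at time t consistent with a known triple at t-1
    and an observed move count at time t.

    A register that did not move at t-1 keeps its old clocking-tap bit (the
    bit was not shifted out), so only the taps of registers that moved are
    free; a fresh bit is 0 or 1 with no further constraint.
    """
    moved = set(moving_registers(prev_taps))
    candidates = []
    for new in product((0, 1), repeat=3):
        stuck_ok = all(new[i] == prev_taps[i] for i in range(3) if i not in moved)
        if stuck_ok and move_count(new) == observed_moves:
            candidates.append(new)
    return candidates


def branch_table():
    """Number of branches for every (moves at t-1, moves at t) pair.

    The count does not depend on which concrete triple produced the previous
    move count (checked by the assertion), so the table has four entries.
    """
    table = {}
    for prev in product((0, 1), repeat=3):
        for cur_moves in (2, 3):
            key = (move_count(prev), cur_moves)
            n = len(branches(prev, cur_moves))
            assert table.setdefault(key, n) == n, "count depends on the triple"
    return table


def naive_branches():
    """Without side-channel information every clocking-tap triple is possible."""
    return len(list(product((0, 1), repeat=3)))


if __name__ == "__main__":
    print("branches per step without move information:", naive_branches())
    for (prev, cur), n in sorted(branch_table().items()):
        print(f"moves(t-1)={prev}, moves(t)={cur}: {n} branches")
```

Read against FIG. 16 and FIG. 17: when the previous step had 3 moves all three taps are fresh (8 candidates, of which 2 give 3 moves and 6 give 2 moves); when it had 2 moves the stopped register's tap is already known, leaving 4 candidates, of which 1 gives 3 moves and 3 give 2 moves. The observed move sequence thus shrinks the branching factor from 8 to between 1 and 6 per step, which is what turns the timing or power leak into a practical state-recovery search.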
- The present invention has been made in view of this vulnerability of clock-controlled pseudo-random number generators, and its object is to provide a pseudo-random number generator resistant to the attack method found by the inventor, together with a stream cipher processing device and program using it.
- According to a first aspect, in a clock-controlled pseudo-random number generator having N LFSRs that generates pseudo-random numbers by controlling the operation of each LFSR according to the internal state of each LFSR, there is provided means for equalizing the generation processing time of one output unit with respect to the number of LFSR operations; a stream cipher processing device that performs encryption/decryption using the pseudo-random numbers output by the generator, and a program realizing these, are also provided.
- According to a second aspect, in such a clock-controlled pseudo-random number generator there is provided means for varying the generation processing time of one output unit with a fluctuation range larger than the processing time required for at least one LFSR operation; a stream cipher processing device performing encryption/decryption with its output, and a program realizing these, are also provided.
- According to a third aspect, in such a clock-controlled pseudo-random number generator there is provided means for keeping the power consumed in the generation processing of one output unit constant; a stream cipher processing device performing encryption/decryption with its output, and a program realizing these, are also provided.
- According to a fourth aspect, in such a clock-controlled pseudo-random number generator there is provided means for varying the power consumed in the generation processing of one output unit with a fluctuation range larger than the power consumption required for at least one LFSR operation; a stream cipher processing device performing encryption/decryption with its output, and a program realizing these, are also provided.
- In each case the number of LFSR operations required to generate one output unit is concealed, so that a cipher system with improved resistance to the attack method found by the inventor is obtained.
- FIG. 1 is a diagram showing a schematic configuration of a stream encryption/decryption processing apparatus to which the present invention can be applied.
- FIG. 2 is a configuration diagram of a stream encryption method according to the first embodiment of the present invention.
- FIG. 3 is a flowchart showing the operation of the pseudo-random number generator according to the first embodiment.
- FIG. 4 is a configuration diagram of a stream encryption method according to the second embodiment.
- FIG. 5 is a flowchart showing the operation of the pseudo-random number generator according to the second embodiment.
- FIG. 6 is a configuration diagram of a stream encryption method according to the third embodiment.
- FIG. 7 is a flowchart showing the operation of the pseudo-random number generator according to the third embodiment.
- FIG. 8 is a configuration diagram of a stream encryption method according to the fourth embodiment.
- FIG. 9 is a configuration diagram of a stream encryption method according to the fifth embodiment.
- FIG. 10 is a configuration diagram of a stream encryption method according to the sixth embodiment.
- FIG. 11 is a flowchart for explaining a modified embodiment of the present invention.
- FIG. 12 is a configuration diagram for explaining a modified embodiment of the present invention.
- FIG. 13 is a configuration diagram of a conventional stream encryption method using a clock-controlled pseudo-random number generator.
- FIG. 14 is a diagram for explaining the attack method on stream cipher systems proposed by the present inventor.
- FIG. 15 is a table showing the relationship between the clocking tap values and the LFSRs that operate.
- FIG. 16 is a table showing the number of branches (combinations of internal states) when the number of moves at time t-1 is three.
- FIG. 17 is a table showing the number of branches when only LFSR 831 and LFSR 832 operate at time t and the clocking tap value of R3 is 1.
- FIG. 18 is a flowchart showing the flow of processing in a computer program that operates the LFSRs by a clock control method and generates pseudo-random numbers.
- FIG. 1 shows a schematic configuration of a stream encryption/decryption processing apparatus to which the present invention can be applied.
- The apparatus includes an arithmetic processing device 1 that executes the arithmetic processing described later under program control, an input/output device 2 that exchanges ciphertext and data with external devices, and a storage device 3 having a data storage unit 31 and a program storage unit 32.
- The data storage unit 31 of the storage device 3 holds the various parameters required to execute the program; the secret key 311 for encryption is stored here.
- The program storage unit 32 holds the various programs required by the encryption/decryption processing apparatus; the encryption program (stream cipher processing program) 321 that realizes the processing means of each embodiment described later is stored here.
- The encryption/decryption processing apparatus described above can be realized in various information processing devices, such as a personal computer (PC), a portable terminal, an IC card, or a reader/writer, by installing the software or hardware described later.
- The encryption program 321 may be stored in an auxiliary storage device such as a magnetic disk (not shown), read into the storage device 3, and executed by the arithmetic processing device 1.
- FIG. 2 is a configuration diagram of the stream encryption method according to the first exemplary embodiment of the present invention.
- The pseudo-random number generator 4 comprises N LFSRs 801 to 80N, N delay processing units 811 to 81N (the same number as the LFSRs), an operation control unit 9 that controls them, and an output processing unit 10 that determines the output from the N LFSRs.
- The delay processing units 811 to 81N are means that execute, in place of each LFSR 801 to 80N for which shift processing was not selected by the operation control unit 9, a delay process consuming the same processing time as that LFSR's shift process.
- The encryption/decryption processing unit 7 performs encryption or decryption of the plaintext 5 or ciphertext 6 using the pseudo-random number output by the pseudo-random number generator 4.
- Compared with the conventional configuration of FIG. 13, N delay processing units 811 to 81N, as many as the N LFSRs, have been added.
- FIG. 3 is a flowchart showing the operation of the pseudo-random number generator 4 according to this embodiment.
- When the encryption program 321 is activated by a call from another program (step A1), initialization is first performed in preparation for generating pseudo-random numbers (step A2).
- When the initialization of step A2 is completed, the operation control unit 9 determines, according to a predetermined selection criterion (for example a majority decision over the clocking taps), whether LFSR-1 (801 in FIG. 2) is to be shifted (step A3), and if so the shift is performed.
- If LFSR-1 is not selected, the operation control unit 9 instead operates the delay processing unit 811, which performs a delay process with the same processing time as the shift process of LFSR-1 (step A10).
- For LFSR-2 to LFSR-N the same operation determination and the processing according to its result are performed in turn (steps A5, A6, A11).
- A pseudo-random number of the predetermined output unit is then generated from the internal states (step A7).
- The series of steps A3 to A7 is executed repeatedly and ends when a pseudo-random number of the specified length has been generated (steps A8 and A9).
- In this embodiment a delay of the same duration as the shift is always performed for an LFSR whose shift was not selected by the operation control unit 9, so the processing time of one operation equals the time for shifting all N LFSRs and is uniform (constant) regardless of the number of moves. This makes it difficult to derive the secret key by measuring the processing time from outside.
- The delay processing units 811 to 81N can be realized by LFSRs of the same size as LFSRs 801 to 80N that are shift-controlled by the operation control unit 9.
- Alternatively, means that executes a delay process such as a wait loop can be employed.
- In the second embodiment, the delay processing for one pseudo-random number generation operation is performed by a method different from that of the first embodiment.
- FIG. 4 is a configuration diagram of a stream encryption method according to the second exemplary embodiment of the present invention.
- The pseudo-random number generator 4 comprises N LFSRs 801 to 80N, a single delay processing unit 820, an operation control unit 9 that controls them, and an output processing unit 10 that determines the output from the N LFSRs.
- The delay processing unit 820 is means that executes, for each LFSR for which shift processing was not selected by the operation control unit 9, a delay process consuming the same processing time as that LFSR's shift process.
- The difference from the first embodiment is that one delay processing unit 820 is provided instead of N delay processing units 811 to 81N.
- FIG. 5 is a flowchart showing the operation of the pseudo-random number generator 4 according to this embodiment.
- Steps A1 to A6, A8 and A9 in FIG. 5 are the same as steps A1 to A6, A8 and A9 of the first embodiment.
- In this embodiment the operation control unit 9 stores, by means of a counter or the like, the number of LFSRs for which shift processing was selected while determining the operation of each LFSR.
- After the LFSR operations, the operation control unit 9 compares whether the number stored in the counter equals a predetermined number of shift processes (for example, the number of LFSRs, N) (step A12; delay processing operation determination).
- If it does not, the operation control unit 9 performs a delay process using the delay processing unit 820 while incrementing the counter (step A13).
- Steps A12 and A13 are repeated until the number stored in the counter equals the predetermined number of shift processes.
- The series of steps A3 to A7 (including steps A12 and A13) is executed repeatedly and ends when a pseudo-random number of the specified length has been generated (steps A8 and A9).
- Where the LFSRs have different bit widths, it is desirable that the operation control unit 9 passes the bit-width information of the LFSRs not selected for operation to the delay processing unit 820, so that a delay comparable to the shift of each unselected LFSR is performed and the total processing time of one operation is uniform (constant).
- This delay processing can be realized by using an LFSR as the delay processing unit 820 and having the operation control unit 9 shift-control it.
- Alternatively, means that executes a delay process such as a wait loop can be employed.
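To show what the first and second embodiments buy, the following Python model (an added example, not the patent's own program and not a transcription of the flowcharts of FIGS. 3 and 5) instruments a three-LFSR majority-clocked generator with a per-step count of register operations. In "plain" mode only the selected LFSRs shift, so the count is 2 or 3 and leaks the number of moves. In "per_lfsr" mode (first embodiment) each unselected LFSR is replaced by a dummy operation of equal cost, and in "shared" mode (second embodiment) a single delay unit pads the step until a counter reaches N. The register lengths, feedback taps and clocking-tap positions are the commonly published A5/1 parameters, used only as an illustrative instance; the seeds are constructed, and all class and function names are the example's own.

```python
from collections import Counter

# Added example, not the patent's code. Three LFSRs clocked by majority vote
# over their clocking taps, with the cost of each output step counted in
# "register operations" (one real shift or one dummy operation each).
#
# Register lengths, feedback taps (bit positions XORed into the new bit 0)
# and clocking-tap positions are the commonly published A5/1 parameters, used
# here only as an illustrative instance; the seeds are constructed values.
A5_1_PARAMS = (
    # (length, feedback tap positions, clocking tap position)
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)
SEEDS = (0x2A5C7, 0x1F3E5B, 0x5D0C9A)   # constructed, non-zero initial states


class LFSR:
    def __init__(self, length, taps, clock_tap, state):
        self.length, self.taps, self.clock_tap = length, taps, clock_tap
        self.mask = (1 << length) - 1
        self.state = state & self.mask

    def clocking_bit(self):
        return (self.state >> self.clock_tap) & 1

    def shift(self):
        """Fibonacci LFSR step: shift left, feed back the XOR of the taps."""
        fb = 0
        for t in self.taps:
            fb ^= (self.state >> t) & 1
        self.state = ((self.state << 1) | fb) & self.mask

    def output_bit(self):
        return (self.state >> (self.length - 1)) & 1


class MajorityClockedGenerator:
    MODES = ("plain", "per_lfsr", "shared")

    def __init__(self, mode):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.regs = [LFSR(n, t, c, s) for (n, t, c), s in zip(A5_1_PARAMS, SEEDS)]

    def step(self):
        """Produce one keystream bit; return (bit, register operations spent)."""
        taps = [r.clocking_bit() for r in self.regs]   # read all taps first
        majority = 1 if sum(taps) >= 2 else 0
        ops = 0
        for r, t in zip(self.regs, taps):
            if t == majority:
                r.shift()              # real shift: this register "moves"
                ops += 1
            elif self.mode == "per_lfsr":
                ops += 1               # first embodiment: dummy op for this LFSR
        if self.mode == "shared":
            while ops < len(self.regs):   # second embodiment: counter loop
                ops += 1                  # one shared delay unit pads to N
        bit = 0
        for r in self.regs:
            bit ^= r.output_bit()
        return bit, ops

    def run(self, n):
        bits, ops = [], []
        for _ in range(n):
            b, o = self.step()
            bits.append(b)
            ops.append(o)
        return bits, ops


def compare(n=500):
    """Keystream and per-step operation histogram for each mode."""
    result = {}
    for mode in MajorityClockedGenerator.MODES:
        bits, ops = MajorityClockedGenerator(mode).run(n)
        result[mode] = (bits, Counter(ops))
    return result


if __name__ == "__main__":
    for mode, (bits, profile) in compare().items():
        print(f"{mode:9s} ops/step histogram {dict(profile)}  first bits {bits[:16]}")
```

Running it shows the same keystream in all three modes, a {2, 3} operation histogram for "plain" and a constant 3 for both countermeasures: the countermeasures change only the cost profile, never the output. Two practitioner caveats the model cannot show: the dummy operation must match a real shift in instruction sequence, memory access pattern and power profile, not just in nominal duration, or the move count still leaks; and a random delay on its own (the third embodiment) raises the cost of a single-trace attack but can be averaged out across repeated traces, so it is best layered on top of an equalizing countermeasure, as the modified embodiments at the end of the description suggest.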
- FIG. 6 is a configuration diagram of a stream encryption method according to the third exemplary embodiment of the present invention.
- The pseudo-random number generator 4 comprises N LFSRs 801 to 80N, a random delay processing unit 11, an operation control unit 9 that controls these, and an output processing unit 10 that determines the output from the N LFSRs.
- The random delay processing unit 11 executes a random delay process independently of the internal states and behaviour of the N LFSRs 801 to 80N.
- Such a delay process can be realized, for example, by randomly selecting and executing one of a plurality of operations with different processing times.
- Since the objective is to conceal the number of LFSR operations (the number of moves), the fluctuation range per operation achieved by this delay process should be larger than the processing time required for at least one LFSR operation (shift process).
- FIG. 7 is a flowchart showing the operation of the pseudo-random number generator 4 according to this embodiment.
- Steps A1 to A6 and A7 to A9 in FIG. 7 are the same as steps A1 to A6 and A7 to A9 of the first embodiment and are not described again.
- When step A6 is completed, the operation control unit 9 operates the random delay processing unit 11 (step A14).
- In this embodiment the processing time of one pseudo-random number generation operation is made non-uniform, which makes it difficult to derive the secret key by measuring the processing time from outside.
- The fluctuation due to the random delay process has been described as larger than the processing time required for at least one LFSR operation (shift process); a larger fluctuation makes it correspondingly harder to derive the actual processing time.
- FIG. 8 is a configuration diagram of a stream encryption method according to the fourth exemplary embodiment of the present invention.
- The pseudo-random number generator 4 comprises N LFSRs 801 to 80N, N dummy LFSRs 811 to 81N (the same number as LFSRs 801 to 80N), an operation control unit 9 that controls them, and an output processing unit 10 that determines the output from the N LFSRs.
- The encryption/decryption processing unit 7 again performs encryption or decryption of the plaintext 5 or ciphertext 6 using the pseudo-random number output by the pseudo-random number generator 4.
- The LFSRs 801 to 80N perform shift operations according to the operation selection of the operation control unit 9, mixing secret information such as the secret key through repeated shift processing, and hold the mixed data.
- The dummy LFSRs 811 to 81N are LFSRs with the same bit width and the same transition function as the LFSRs 801 to 80N; a dummy LFSR performs a shift operation whenever its corresponding LFSR is stopped.
- In this embodiment the power consumption required for one pseudo-random number generation operation is thus made uniform, so that even if the power consumption is measured from outside it is difficult to estimate the number of LFSR operations (the number of moves). Derivation of the secret key by power analysis is therefore made difficult.
- The dummy LFSRs 811 to 81N have been described as having the same bit width and the same transition function as LFSRs 801 to 80N in order to improve the uniformity of power consumption.
- As long as the resistance to power analysis attacks is maintained, the design may be changed as appropriate.
- For example, instead of an LFSR, a shift register that consumes the same amount of power, or an LFSR with an arbitrary bit width and transition function, may be adopted.
- FIG. 9 is a configuration diagram of a stream encryption method according to the fifth exemplary embodiment of the present invention.
- The pseudo-random number generator 4 comprises N LFSRs 801 to 80N, M dummy LFSRs 821 to 82M (as many as the number of LFSRs that the pseudo-random number generation algorithm can stop in one step), an operation control unit 9 that controls these, and an output processing unit 10 that determines the output from the N LFSRs.
- The difference from the fourth embodiment is that, instead of N dummy LFSRs, a smaller number M of dummy LFSRs 821 to 82M is provided.
- For example, when the LFSRs to be operated are decided by majority vote, fewer than half of the LFSRs are stopped in any one step, so the number M of dummy LFSRs can be kept below half the total number of LFSRs.
- The LFSRs 801 to 80N perform shift operations according to the operation selection of the operation control unit 9, mixing secret information such as the secret key through repeated shift processing, and hold the mixed data.
- A dummy LFSR is operated in place of each LFSR that was not shifted, so the power consumption required for one pseudo-random number generation operation can be made uniform. In this embodiment, too, it is difficult to estimate the number of LFSR operations (the number of moves), and hence to derive the secret key by power analysis.
- It is desirable to prepare dummy LFSRs 821 to 82M with the same bit width and the same transition function as the LFSRs 801 to 80N and to select among them according to which LFSR was stopped.
- The dummy LFSRs 821 to 82M are not limited to LFSRs; a shift register that consumes the same amount of power can be used.
- FIG. 10 is a configuration diagram of a stream encryption method according to the sixth exemplary embodiment of the present invention.
- The pseudo-random number generator 4 comprises N LFSRs 801 to 80N, an operation control unit 9 that controls the N LFSRs 801 to 80N, a noise source 12, and an output processing unit 10 that determines the output from the N LFSRs.
- The LFSRs 801 to 80N perform shift operations according to the operation selection of the operation control unit 9, mixing secret information given in advance, such as the secret key, through repeated shift processing, and hold the mixed data.
- The noise source 12 operates independently of the internal states and behaviour of the N LFSRs 801 to 80N; it is a random noise source whose power consumption fluctuates by more than the power consumed by the shift processing of at least one LFSR.
- In this embodiment the power consumption of one pseudo-random number generation operation is made non-uniform, which makes it difficult to derive the secret key by measuring the power consumption from outside.
- The fluctuation range of the power consumed by the noise source 12 has been described as larger than the power consumption required for at least one LFSR operation (shift process); the larger the fluctuation in power consumption, the more difficult the derivation of the actual LFSR power consumption becomes.
- As modified embodiments (FIGS. 11 and 12), the countermeasures may be combined. The delay processing units may be operated exclusively with respect to the operation of each LFSR so that the processing time per operation is uniform (as in the first embodiment), and in addition a random delay processing unit may be operated to make analysis still more difficult.
- Likewise, dummy LFSRs that operate exclusively with respect to the operation of each LFSR may be prepared to make the power consumption per operation uniform (as in the fourth embodiment), and in addition the noise source 12 may be operated.
- The present invention can be applied to any field that requires a cryptographic system.
- In particular, it can be suitably applied to devices that require tamper resistance, and to programs for them.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP07790903A EP2056275A4 (en) | 2006-07-25 | 2007-07-18 | PSEUDOZUFALLSZAHLENGENERATOR, STREAM ENCRYPTION DEVICE AND PROGRAM |
JP2008526733A JP5136416B2 (ja) | 2006-07-25 | 2007-07-18 | 擬似乱数生成装置、ストリーム暗号処理装置及びプログラム |
US12/374,987 US20090327382A1 (en) | 2006-07-25 | 2007-07-18 | Pseudo-random number generation device, stream encryption device and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006-201796 | 2006-07-25 | ||
JP2006201796 | 2006-07-25 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2008013083A1 (fr) | 2008-01-31 |
Family
ID=38981395
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2007/064148 WO2008013083A1 (fr) | 2006-07-25 | 2007-07-18 | Pseudo-random number generator, stream encryption device and program |
Country Status (4)
Country | Link |
---|---|
US (1) | US20090327382A1 (ja) |
EP (1) | EP2056275A4 (ja) |
JP (1) | JP5136416B2 (ja) |
WO (1) | WO2008013083A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106257860A (zh) * | 2015-06-18 | 2016-12-28 | Panasonic Intellectual Property Management Co., Ltd. | Random number processing device and integrated circuit card |
WO2018076639A1 (zh) * | 2016-10-25 | 2018-05-03 | Huawei Technologies Co., Ltd. | Method and apparatus for preventing attacks on an encryption/decryption engine, and chip |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8949493B1 (en) * | 2010-07-30 | 2015-02-03 | Altera Corporation | Configurable multi-lane scrambler for flexible protocol support |
US8958550B2 (en) * | 2011-09-13 | 2015-02-17 | Combined Conditional Access Development & Support. LLC (CCAD) | Encryption operation with real data rounds, dummy data rounds, and delay periods |
WO2015146120A1 (ja) | 2014-03-28 | 2015-10-01 | Panasonic IP Management Co., Ltd. | Power storage device and method for manufacturing the same |
JP6542171B2 (ja) * | 2016-09-15 | 2019-07-10 | Toshiba Memory Corporation | Randomizer and semiconductor storage device |
CN106548806B (zh) * | 2016-10-13 | 2019-05-24 | Ningbo University | Shift register capable of defending against DPA attacks |
US10263767B1 (en) * | 2018-07-03 | 2019-04-16 | Rajant Corporation | System and method for power analysis resistant clock |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH09179726A (ja) * | 1995-12-25 | 1997-07-11 | NEC Corp | Pseudo-random number generator |
JPH1195984A (ja) * | 1997-09-24 | 1999-04-09 | NEC Corp | Pseudo-random number generation method and device |
JP2000187619A (ja) * | 1998-12-22 | 2000-07-04 | Nintendo Co Ltd | Storage medium verification device |
JP2000305453A (ja) * | 1999-04-21 | 2000-11-02 | NEC Corp | Encryption device, decryption device, and encryption/decryption device |
JP2001266103A (ja) * | 2000-01-12 | 2001-09-28 | Hitachi Ltd | IC card and microcomputer |
JP2002533825A (ja) * | 1998-12-28 | 2002-10-08 | Bull CP8 | Intelligent IC |
JP2004234153A (ja) * | 2003-01-29 | 2004-08-19 | Toshiba Corp | Seed generation circuit, random number generation circuit, semiconductor integrated circuit, IC card and information terminal equipment |
JP2006054568A (ja) | 2004-08-10 | 2006-02-23 | Sony Corp | Encryption device, decryption device, methods therefor, and computer program |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPS5719806A (en) * | 1980-07-09 | 1982-02-02 | Toyota Central Res & Dev Lab Inc | Fluctuation driving device |
US5436973A (en) * | 1988-05-09 | 1995-07-25 | Hughes Aircraft Company | Pseudo-random signal synthesizer with smooth, flat power spectrum |
US4905176A (en) * | 1988-10-28 | 1990-02-27 | International Business Machines Corporation | Random number generator circuit |
US5057795A (en) * | 1990-10-25 | 1991-10-15 | Aydin Corporation | Digital gaussian white noise generation system and method of use |
JP3358954B2 (ja) * | 1996-09-17 | 2002-12-24 | Ionics Okinawa Co., Ltd. | Pseudo-random bit string generator and cryptographic communication method using the same |
JPH10222065A (ja) * | 1997-02-03 | 1998-08-21 | Nippon Telegr & Teleph Corp <Ntt> | Modular exponentiation method and device |
EP2280502B1 (en) * | 1998-06-03 | 2018-05-02 | Cryptography Research, Inc. | Using unpredictable information to Resist Discovery of Secrets by External Monitoring |
US6208618B1 (en) * | 1998-12-04 | 2001-03-27 | Tellabs Operations, Inc. | Method and apparatus for replacing lost PSTN data in a packet network |
US6594760B1 (en) * | 1998-12-21 | 2003-07-15 | Pitney Bowes Inc. | System and method for suppressing conducted emissions by a cryptographic device |
FR2801751B1 (fr) * | 1999-11-30 | 2002-01-18 | St Microelectronics Sa | Electronic security component |
EP1111785A1 (en) * | 1999-12-22 | 2001-06-27 | TELEFONAKTIEBOLAGET L M ERICSSON (publ) | Method and device for self-clock controlled pseudo random noise (PN) sequence generation |
DE10003472C1 (de) * | 2000-01-27 | 2001-04-26 | Infineon Technologies Ag | Random number generator |
DE10061998A1 (de) * | 2000-12-13 | 2002-07-18 | Infineon Technologies Ag | Cryptography processor |
JP2005202757A (ja) * | 2004-01-16 | 2005-07-28 | Mitsubishi Electric Corp | Pseudo-random number generation device and program |
US7940927B2 (en) * | 2005-04-27 | 2011-05-10 | Panasonic Corporation | Information security device and elliptic curve operating device |
JP2010288233A (ja) * | 2009-06-15 | 2010-12-24 | Toshiba Corp | Cryptographic processing device |
2007
- 2007-07-18 JP JP2008526733A patent/JP5136416B2/ja not_active Expired - Fee Related
- 2007-07-18 EP EP07790903A patent/EP2056275A4/en not_active Withdrawn
- 2007-07-18 WO PCT/JP2007/064148 patent/WO2008013083A1/ja active Application Filing
- 2007-07-18 US US12/374,987 patent/US20090327382A1/en not_active Abandoned
Non-Patent Citations (3)
Title |
---|
P. Kocher, J. Jaffe, B. Jun, "Introduction to Differential Power Analysis and Related Attacks", 1998 |
Paul Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", CRYPTO '96, 1996, pp. 104-113 |
See also references of EP2056275A4 |
Also Published As
Publication number | Publication date |
---|---|
US20090327382A1 (en) | 2009-12-31 |
JPWO2008013083A1 (ja) | 2009-12-17 |
JP5136416B2 (ja) | 2013-02-06 |
EP2056275A1 (en) | 2009-05-06 |
EP2056275A4 (en) | 2011-05-04 |
Similar Documents
Publication | Title |
---|---|
EP1873671B1 (en) | A method for protecting IC Cards against power analysis attacks |
Coron et al. | Conversion from arithmetic to boolean masking with logarithmic complexity |
KR102628466B1 (ko) | Block cipher method for encoding and decoding messages, and encryption device implementing the method |
KR100594265B1 (ko) | Data encryption processing device applying a masking method, AES cipher system and AES cipher method |
US8000473B2 (en) | Method and apparatus for generating cryptographic sets of instructions automatically and code generator |
WO2008013083A1 (fr) | Pseudo-random number generator, stream encryption device and program |
WO2018017421A1 (en) | Modular exponentiation with side channel attack countermeasures |
US20150215117A1 (en) | White box encryption apparatus and method |
US8976960B2 (en) | Methods and apparatus for correlation protected processing of cryptographic operations |
Ye et al. | On the vulnerability of low entropy masking schemes |
Grosso et al. | Masking vs. multiparty computation: how large is the gap for AES? |
Gallais et al. | Hardware trojans for inducing or amplifying side-channel leakage of cryptographic software |
Igarashi et al. | Concurrent faulty clock detection for crypto circuits against clock glitch based DFA |
Martinasek et al. | Crucial pitfall of DPA Contest V4.2 implementation |
EP3475825B1 (en) | Cryptographic operations employing non-linear share encoding for protecting from external monitoring attacks |
Schmidt et al. | A probing attack on AES |
Müller et al. | Low-latency hardware masking of PRINCE |
Kinsy et al. | Sphinx: A secure architecture based on binary code diversification and execution obfuscation |
Masoumi et al. | Efficient implementation of power analysis attack resistant advanced encryption standard algorithm on side-channel attack standard evaluation board |
Kim et al. | New Type of Collision Attack on First-Order Masked AESs |
EP4372548A1 (en) | Protecting cryptographic operations againt horizontal side-channel analysis attacks |
Zhang et al. | Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications |
Oswald et al. | Side-channel analysis and its relevance to fault attacks |
Mozipo | Systematic Characterization of Power Side Channel Attacks for Residual and Added Vulnerabilities |
US20210117575A1 (en) | Obfuscation of operations in computing devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07790903; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2008526733; Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 12374987; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2007790903; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: RU |