WO2013190782A1 - Encryption processing circuit and decryption processing circuit - Google Patents

Publication number
WO2013190782A1
WO2013190782A1 PCT/JP2013/003456 JP2013003456W WO2013190782A1 WO 2013190782 A1 WO2013190782 A1 WO 2013190782A1 JP 2013003456 W JP2013003456 W JP 2013003456W WO 2013190782 A1 WO2013190782 A1 WO 2013190782A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
data
processing circuit
plaintext
processing
Application number
PCT/JP2013/003456
Other languages
English (en)
Japanese (ja)
Inventor
哲孝 山下
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社
Priority to JP2014520902A
Publication of WO2013190782A1

Classifications

    • G: PHYSICS
    • G09: EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C: CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00: Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631: Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms

Definitions

  • the present invention relates to an encryption processing circuit and a decryption processing circuit, and more particularly to an encryption processing circuit and a decryption processing circuit having tamper resistance that makes side channel attacks difficult.
  • One of the side channel attacks is a power analysis attack that measures the power consumption of a cryptographic module and analyzes secret information such as a key from the power consumption.
  • Among power analysis attacks, differential power analysis, in which statistical processing is applied to a plurality of power consumption waveforms, is a particularly powerful attack method (see, for example, Non-Patent Document 1).
  • When the transition probability of the logic gate is biased, the number of bits that are 1 in the data string (the Hamming weight) and the power consumption are correlated (see, for example, Non-Patent Document 2).
  • When a ciphertext is generated by executing a predetermined encryption process a predetermined number of times, it is assumed that there is a correlation between the register bit transition (Hamming distance) before and after the encryption process and the power consumption (see, for example, Non-Patent Document 3).
  • Wave Differential Dynamic Logic (WDDL) has been proposed as an example of a countermeasure against attacks focusing on the Hamming weight and the Hamming distance (see, for example, Non-Patent Document 4).
  • In WDDL, a calculation is performed using a complementary circuit to achieve uniform power consumption. By eliminating the difference in current consumption due to the difference in bit value during computation, a countermeasure for differential power analysis is realized.
  • Precharge is required for operation, but performing precharge reduces the operation speed. Further, since a complementary circuit is required, the circuit area is increased. As a result, there is a problem that the performance area ratio is reduced in WDDL.
  • Non-Patent Document 5 proposes a cryptographic processing circuit that has tamper resistance against attacks based on the Hamming distance by preparing a plurality of encryption blocks and registers, using them alternately for processing, and further shifting the processing start timing. In addition, the performance area ratio is improved by using pipeline processing. However, since no countermeasure is taken for the intermediate value written in the register, no countermeasure is taken for the attack based on the Hamming weight.
  • Patent Document 1 discloses an encryption processing apparatus having tamper resistance against DPA (Differential Power Analysis) attacks, in which two round operation circuits are connected in series, and a normal round operation to which a normal round key is applied and a dummy round operation to which a dummy round key is applied are alternately switched to execute a cryptographic processing operation.
  • The circuit scale is doubled. As a result, there is a problem that the performance area ratio decreases.
  • Patent Document 2 discloses a technology in which plaintext is divided into a plurality of blocks, and when encryption is performed independently for each block, encryption for each block is performed by pipeline processing by the CPU.
  • In Non-Patent Document 4, the circuit scale is doubled and the processing speed is also halved by precharging. Therefore, the performance area ratio falls to about 1/4 compared with a circuit not using the technology.
  • Non-Patent Document 5 does not cause an increase in circuit scale, a reduction in processing speed, and a reduction in performance area ratio, but it is not resistant to attacks based on Hamming weights.
  • Pipeline processing as in the invention described in Patent Document 2 has weak tamper resistance against side channel attacks as described later.
  • An object of the present invention is to provide an encryption processing circuit and a decryption processing circuit that can suppress leakage of secret information by a method using a Hamming distance or a Hamming weight while suppressing an increase in the performance area ratio.
  • An encryption processing circuit includes a plurality of encryption processing units that input plaintext or a plurality of data that are intermediate values in encryption of the plaintext, and perform encryption in multiple steps using an encryption key.
  • The processing unit includes a plurality of registers that randomly store and output either the data or the inverted other data, and a plurality of ciphers that encrypt and output the data output from the paired registers. If the encryption step is before the final step, the intermediate value encrypted by the encryption block is output to another encryption processing unit, and the other encryption processing unit receives the intermediate value as the data; when the encryption in the final step is completed, the data encrypted by the encryption block is output as ciphertext.
  • The decryption processing circuit includes a plurality of decryption processing units that input ciphertext or a plurality of data that are intermediate values in decryption of the ciphertext, and perform decryption in a plurality of steps using an encryption key.
  • the intermediate value decoded by the decoding block is output to another decoding processing unit, and the other decoding processing unit receives the intermediate value as the data; when the decryption of the final step is completed, the data decrypted by the decryption block is output as plain text.
  • According to the present invention, it is possible to suppress leakage of secret information from a Hamming weight or a Hamming distance while suppressing an increase in the performance area ratio.
  • FIG. 1 is a block diagram showing a configuration of an embodiment of an encryption processing circuit according to the present invention.
  • the encryption processing circuit according to the present embodiment includes an encryption unit 100 and a key generation unit 200.
  • a timing adjustment circuit 160 that adjusts the input timing of plaintext may be provided in the preceding stage of the encryption processing circuit. Note that the timing adjustment circuit 160 may be included in the encryption processing circuit. In that case, the timing adjustment circuit 160 is provided between the input registers 141 and 142 and the preprocessing units 111 and 112, for example.
  • the encryption unit 100 includes pre-processing units 111 and 112, a loop processing unit 120, post-processing units 131 and 132, input registers 141 and 142, and output registers 143 and 144.
  • the encryption unit 100 encrypts the data based on the input data and the encryption key received from the key generation unit 200, and outputs a ciphertext.
  • the pre-processing units 111 and 112 perform the processing that, in the encryption processing, precedes the loop processing performed in the subsequent-stage encryption blocks. For example, when AES (Advanced Encryption Standard) is used, the preprocessing units 111 and 112 perform a process of obtaining an exclusive OR of the secret key and the plaintext before the round process. Further, the pre-processing units 111 and 112 are configured to have an IP processing function when DES (Data Encryption Standard) is used. Further, when the plaintext is divided and input, the preprocessing units 111 and 112 may accumulate the input plaintext data. In this case, the preprocessing units 111 and 112 send data to the subsequent encryption block when a certain amount of data is accumulated. Note that the encryption processing circuit of the present embodiment may be configured not to include the preprocessing units 111 and 112.
  • the loop processing unit 120 receives data from the pre-processing units 111 and 112 at the preceding stage, performs encryption processing on the data, and outputs the data to the post-processing units 131 and 132 at the subsequent stage.
  • FIG. 2 is a block diagram showing the configuration of the loop processing unit of the encryption processing circuit.
  • the loop processing unit 120 includes encryption blocks 1211 to 1214, registers 1221 to 1224, selectors 1231 to 1236, and a random number generation unit 1240.
  • the encryption blocks 1211 to 1214 receive data from the immediately preceding register, perform encryption processing for one step, and output to the subsequent register. For example, in AES, the encryption blocks 1211 to 1214 consider the round process of SubByte, ShiftRow, MixColumn, and AddRoundKey as a process for one step. Also, the encryption block 1211 or the pair of encryption blocks 1212 is processed as one step, and the next-stage encryption block 1213 or the pair of encryption blocks 1214 is processed as one step. In each step, a pair of encrypted blocks performs processing alternately.
  • the encryption block 1211 and the encryption block 1212 are paired, and the input / output values of the encryption block 1211 and the input / output values of the encryption block 1212 have a complementary relationship.
  • When a value complementary to the value input to the encryption block 1211 is input to the encryption block 1212, a value complementary to the output value of the encryption block 1211 is obtained as the output value of the encryption block 1212 by an inversion process described later.
  • the encryption block 1213 and the encryption block 1214 are paired.
  • Registers 1221 to 1226 have a function of storing the input plaintext and output values from the encryption block and outputting them to the subsequent encryption block.
  • the selector 1231 selects which value of the plaintext or the output value of the encryption block 1213 is to be passed to the selector 1233 and the selector 1234 in the subsequent stage.
  • the selector 1231 performs this selection depending on whether the loop is completed in the process of the encryption block 1213. If the loop is completed, the plaintext is selected, and if not, the output value of the encryption block 1213 is selected.
  • selector 1232 selects either the plaintext or the output value of the encrypted block 1214 to be passed to the subsequent selector 1233 and selector 1234.
  • the selector 1233 determines which of the values passed from the previous stage selector 1231 and the selector 1232 is passed to the register 1221 according to the random number passed from the random number generation unit 1240. For example, if the random number is 0, the value of the selector 1231 is selected, and if the random number is 1, the value of the selector 1232 is selected.
  • the selector 1234 determines which of the values passed from the preceding selector 1231 and the selector 1232 is to be passed to the register 1222 according to the random number passed from the random number generator 1240. For example, if the random number is 0, the value of the selector 1232 is selected, and if the random number is 1, the value of the selector 1231 is selected.
  • the selector 1235 and the selector 1236 also select values passed from the encryption block 1211 and the encryption block 1212 by random numbers and output the selected values to the subsequent registers 1223 and 1224.
  • the inverted value is passed.
  • the output value of the encryption block 1211 is passed to the selector 1236.
  • the inverted value is passed.
  • the output value of the encryption block 1212 is passed to the selector 1235.
  • the encryption block or register on the left always operates on the inverted value, while the encryption block or register on the right always operates on the normal value. Therefore, even if the plaintext 1 and the plaintext 2 are the same data, processing for different values is performed on the left side and the right side.
  • the loop processing unit 120 does not necessarily need to perform a plurality of loop processes, and may be configured to end encryption and output ciphertext when a plurality of steps of encryption is completed.
  • the random number generator 1240 generates a random number.
  • the value to be selected is switched by the random number generated in the random number generation unit 1240, and it is determined whether to process a normal value or an inverted value in each register and encryption block.
  • As the random number generation method, a method using a linear feedback shift register (LFSR), a method using a physical random number generator that generates a random number using a circuit element as a noise source, such as the thermal noise of a resistor, or a method of taking in a random number from outside the circuit can be considered.
  • The random number to be output may be only 1 bit long, or a plurality of bits may be output and the value switching determined based on the number of bits that are 1.
  • FIG. 3 is a block diagram showing the configuration of the loop processing unit 120 that selects the output of the encryption processing circuit.
  • the encrypted result of plaintext 1 may be output to ciphertext 2.
  • the encryption processing circuit of the present embodiment may be configured to select which encryption result is output by the selector 1237 and the selector 1238 as shown in FIG.
  • the post-processing unit 120 and the post-processing unit 132 may replace the encryption results without performing the process of replacing the encryption results by the loop processing unit 120.
  • the post-processing unit 131 and the post-processing unit 132 have a function of executing, in the encryption process, the processing that follows the processing performed in the preceding loop processing unit 120.
  • the post-processing unit 131 and the post-processing unit 132 have a function of FP (Final Permutation) processing. If the ciphertext cannot be output at once, the post-processing unit 131 and the post-processing unit 132 may store the ciphertext and divide and output the ciphertext every clock.
  • FIG. 4 is a block diagram showing a configuration of an encryption processing circuit in which post-processing units are connected.
  • the encryption processing circuit may be configured to connect the post-processing unit 131 and the post-processing unit 132 shown in FIG. 1 to form a post-processing unit 130, and to have a function of replacing the output values.
  • the encryption processing circuit may be configured not to include the post-processing unit 131 and the post-processing unit 132 in FIG.
  • the input register 141 and the input register 142 temporarily store input data input from the input unit.
  • the output register 143 and the output register 144 temporarily store the processing results in the post-processing unit 131 and the post-processing unit 132.
  • the key generation unit 200 generates a key used by the encryption unit 100 based on the input secret key.
  • the preprocessing unit 111, the preprocessing unit 112, the postprocessing unit 131, and the postprocessing unit 132 may use keys. Therefore, the key generation unit 200 generates a plurality of keys according to each process, and outputs the generated keys to the encryption unit 100.
  • As the key generation method, either all the keys to be used are generated and stored in advance before the processing in the encryption unit 100 is started and the stored keys are used in the processing in the encryption unit 100, or a key is generated and output in parallel with the processing in the encryption unit 100.
  • the encryption processing circuit of the present embodiment may have the same number of key generation units 200 as the number of encryption blocks, with each key generation unit 200 generating a key for the corresponding encryption block.
  • FIG. 5 is a flowchart showing the operation of the encryption processing circuit according to the embodiment of the present invention.
  • FIG. 6 is a timing chart showing the operation of the encryption processing circuit according to the embodiment of the present invention.
  • FIG. 5 shows a flowchart when focusing on one data
  • FIG. 6 shows a timing chart of the entire encryption processing circuit.
  • step A1 plaintext is input to the encryption processing circuit (step A2). Then, the input plaintext is stored by the input register 141 or the input register 142.
  • the preprocessing unit 111 or the preprocessing unit 112 inputs the plain text stored in the input register 141 or the input register 142.
  • the preprocessing unit 111 or the preprocessing unit 112 performs preprocessing on plaintext (step A3).
  • the plaintext after the preprocessing is input to the loop processing unit 120.
  • Either plaintext 1 or plaintext 2 in the loop processing unit 120 is assigned to the input plaintext (step A4).
  • an inversion process is performed on the plaintext 2 (step A5).
  • the selector 1233 and the selector 1234 input data that has passed through the selector 1231 or the selector 1232.
  • the selector 1233 and the selector 1234 determine whether the random value is 0 or 1 (steps A6-1 and A6-2). At this time, if the random number is 1, the selector 1233 selects the inverted value output from the selector 1232 and outputs it to the register 1221 (step A7-1). If the random number is 0, the selector 1233 selects the output value and outputs it to the register 1221 (step A7-3). If the random number is 1, the selector 1234 selects the inverted value output from the selector 1231 and outputs it to the register 1222 (step A7-2). If the random number is 0, the selector 1234 selects the value and outputs it to the register 1222 (step A7-4).
  • the first pair of encryption block 1211 or encryption block 1212 performs encryption processing for one step.
  • the encryption block 1211 performs an encryption process on the normal value (step A8-1).
  • the encryption block 1212 performs encryption processing for the inverted value (step A8-2).
  • the encrypted result is input to the selector 1235 and the selector 1236.
  • the selector 1235 and the selector 1236 determine whether the random value is 0 or 1 (steps A9-1 and A9-2). At this time, if the random number is 1, the selector 1235 selects the inverted value output from the encryption block 1212 and outputs it to the register 1223 (step A10-1). If the random number is 0, the value output from the encryption block 1211 is selected and output to the register 1223 (step A10-3). If the random number is 1, the selector 1236 selects the inverted value output from the encryption block 1211 and outputs it to the register 1224 (step A10-2). If the random number is 0, the selector 1236 selects the value and outputs it to the register 1224 (step A10-4).
  • the second pair of encryption block 1213 or encryption block 1214 performs encryption processing for one step.
  • the encryption block 1213 performs an encryption process on the regular value (step A11-1).
  • the encryption block 1214 performs encryption processing for the inverted value (step A11-2).
  • control unit determines whether or not the number of steps of the encryption process performed so far satisfies a predetermined number (steps A12-1 and A12-2). If the predetermined number of times has not been satisfied, the process returns to step A6-1 or step A6-2 and the process is repeated.
  • the processing in the loop processing unit 120 ends. Since the data output from the encryption block 1214 is inverted, the inversion process is performed (step A13).
  • the post-processing unit 131 and the post-processing unit 132 perform post-processing, thereby generating a ciphertext and storing the ciphertext in the output register 143 or the output register 144 (step A14). Finally, the output register 143 or the output register 144 outputs the ciphertext (step A15), and the encryption processing for the plaintext input to the encryption processing circuit is completed (step A16). If the number of encryption processes is an odd number, steps A12-1 and A12-2 are performed after steps A8-1 and A8-2.
  • FIG. 6 is a timing chart showing the operation of the encryption processing circuit according to the embodiment of the present invention.
  • the timing chart shown in FIG. 6 shows a value stored in each register in the encryption processing circuit at each clock and a change in random number. It is assumed that a key corresponding to the process is sent from the key generation unit 200 to each pre-processing unit, each encrypted block, the post-processing unit 131, and the post-processing unit 132. In addition, it is assumed that the number of steps of input / output and encryption processing is appropriately controlled by a control unit (not shown).
  • the encryption processing circuit performs encryption processing by inputting plaintext for each set.
  • the number of steps involved in the encryption process is 1 step for input, 1 step for pre-processing, 6 steps for encryption processing, and 1 step for post-processing and output.
  • the next set of plaintexts is input every three steps.
  • (1-1, P) represents the plaintext of the first data in the first set
  • (1-2, P) represents the plaintext of the second data in the first set
  • (i-k, P) represents the plaintext of the k-th data in the i-th set.
  • (i-k, 0) indicates data for which the pre-processing of the k-th data in the i-th set is completed.
  • (i-k, n) represents data in which the k-th data in the i-th set has undergone the n-th encryption process.
  • (i-k, C) represents a ciphertext that has been subjected to pre-processing, repeated encryption processing, and post-processing for the k-th plaintext in the i-th set.
  • timing adjustment circuit 160 sequentially reads one set of plaintexts from the storage unit storing the plaintexts every predetermined clock, and supplies the plaintexts to the encryption processing circuit.
  • the first set of plaintexts (1-1, P) and (1-2, P) are first input.
  • the loop processing unit 120 performs encryption processing for six steps.
  • When the random number becomes 1, the data is inverted and the register in which it is stored is switched. For example, since the random number is 1 at the third clock, the storage register is switched: the intermediate value (1-1, 1) of the first data of the first set, stored in the register 1224 at the third clock, is processed by the encryption block 1214 and converted into (1-1, 2), and is then stored in the register 1221 at the fourth clock.
  • next set of plaintext is input 3 clocks after a set of plaintext is input, and encryption processing is performed in parallel with the previously input set of data.
  • post-processing is performed in the post-processing unit 131 and the post-processing unit 132, and the ciphertext is stored in the output register 141 and the output register 142.
  • one set of ciphertext is output at the next clock.
  • the last ciphertext set is stored in the output register 141 and the output register 142 at the 29th clock, and the ciphertext set is output at the 30th clock, and the encryption process ends.
  • Processing such as storing the previous processing result as it is, storing random-value or fixed-value dummy data, or continuing the encryption processing and saving the result is performed.
  • Continuing the encryption processing means that arbitrary data continues to be encrypted by an unused encryption block, and the result is stored in a register.
  • the first pair of encryption block 1212, encryption block 1213, register 1222, and register 1221 are unused, but the following processing is performed.
  • the register 1221 and the register 1222 store data (7-1, 6) and data (7-2, 6).
  • the first pair of encryption block 1211 and encryption block 1212 perform encryption processing on data (7-1, 6) and data (7-2, 6).
  • the register 1223 and the register 1224 store the result (7-1, 7) and the result (7-2, 7).
  • the second pair of encryption block 1213 and encryption block 1214 further encrypts the above result of the encryption process by the first pair of encryption blocks.
  • Registers 1221 and 1222 store the results.
  • FIG. 16 is a block diagram showing a configuration of a general encryption processing circuit that performs sequential processing.
  • the encryption processing circuit of this embodiment shown in FIG. 1 has a register, an encryption block, a selector, and the like added.
  • the scale of the encryption processing circuit of this embodiment shown in FIG. 1 is about four times the scale of the encryption processing circuit shown in FIG.
  • FIG. 17 is a timing chart showing the operation of a general encryption processing circuit that performs sequential processing.
  • the processing time of the sequential processing circuit shown in FIG. 16 is a maximum of 144 clocks when 16 plaintexts are sequentially processed, and is 98 clocks, as shown in FIG., when the input/output of one data and the encryption processing of another data can be processed simultaneously.
  • two pairs of encrypted blocks operate simultaneously, and the paired encrypted blocks are used for processing different data.
  • encryption processing is performed on four data at the same time.
  • the number of data for parallel processing is 2 at the beginning and the end, if the number of data to be processed increases, the processing speed of the circuit of this embodiment shown in FIG. 4 times.
  • the encryption processing circuit of the present embodiment shown in FIG. 1 has a circuit area four times that of the sequential encryption processing circuit shown in FIG.
  • the performance area ratio is almost the same.
  • the attacker analyzes the power consumption and, using the correlation between the bit transition (or Hamming distance) of the encryption target data itself and the power consumption, estimates the bit transition (or Hamming distance) of the encryption target data itself; the secret key can then be estimated based on the bit transition.
  • Since the encryption processing circuit of the present embodiment selects the register to be written at random, even if an attacker can grasp the data stored in, for example, the register 1223, the attacker cannot determine whether the data stored next is the processing result of the data of the register 1221 or the processing result of the data of the register 1222. Therefore, an attacker cannot calculate a physical bit transition (or Hamming distance).
  • When the processing before and after each encryption step is compared, it is possible to avoid a correlation arising between the physical bit transition (or Hamming distance) of the register 1221 and the bit transition (or Hamming distance) of the encryption target data itself.
  • It is possible to avoid a correlation arising between the bit transition (or Hamming distance) of the data to be encrypted itself and the change in power consumption. In addition, since there is no correlation between the bit transition (or Hamming distance) of the encryption target data itself and the change in power consumption, even if the change in power consumption is analyzed, estimation of the bit transition (or Hamming distance) can be avoided, so that estimation of the secret key based on the bit transition can also be avoided.
  • the data stored in the register 1221 is data as it is as an intermediate value after a certain step in encryption.
  • the number of bits of the register 1221 or Hamming weight
  • power consumption Therefore, there is a correlation between the number of bits (or Hamming weight) of the encryption target data itself and the power consumption.
  • the attacker analyzes the power consumption and, using the correlation between the number of bits (or Hamming weight) of the encryption target data itself and the power consumption, estimates the number of bits (or Hamming weight); the secret key can then be estimated based on the number of bits.
  • FIG. 18 is a block diagram showing a configuration of a general encryption processing circuit that performs processing by replacing a register for storing data every step.
  • In the encryption processing circuit shown in FIG. 18, it is possible to eliminate the correlation between the bit transition (or Hamming distance) of the data itself and the change in power consumption, but the number of bits (or Hamming weight) of the data to be encrypted itself remains the same. Therefore, it is possible to estimate the secret key from the number of bits (or Hamming weight) of the encryption target data itself.
  • FIG. 19 is a block diagram showing a configuration of a general pipeline type encryption processing circuit.
  • FIG. 20 is a timing chart showing the operation of a general pipeline type encryption processing circuit.
  • The data stored in the register 1222 is data I (1, 1) followed by data I (2, 1). If the post-processing and one step of the cryptographic processing can be calculated in reverse using an estimated encryption key, data I (1, 1) and data I (2, 1) can be calculated from the measured ciphertext C (1) and ciphertext C (2). Therefore, the bit transition from data I (1, 1) to data I (2, 1) can be calculated.
  • This bit transition is not only a physical bit transition of the register 1222 but also a bit transition of the data to be encrypted itself. There is a correlation between the bit transition and the change in the power consumption of the register 1222. Therefore, the bit transition from data I (1, 1) to data I (2, 1) is calculated using each of a large number of estimated encryption keys, and the correlation between the calculated bit transition and the measured power consumption of the register 1222 is determined. Then, by checking which estimated encryption key gives a high correlation, it is known which estimated encryption key is the encryption key actually used.
  • The processed data is stored in the register 1224 if the random number is 1. At this time, the data stored in the register 1224 is not the data itself after one step of the original encryption process, but the value obtained by inverting the original value. Therefore, the correlation between the number of bits (or Hamming weight) in the register 1224 and the number of bits (or Hamming weight) of the encryption target data itself is lost. It therefore becomes difficult to estimate the secret key by analyzing the power consumption and using the correlation between the number of bits (or Hamming weight) of the encryption target data itself and the power consumption.
  • FIG. 7 is a block diagram showing another configuration of the embodiment of the encryption processing circuit according to the present invention.
  • FIG. 7 is different from the configuration shown in FIG. 1 in that two pairs of encryption blocks and registers are paired, for a total of four sets.
  • FIG. 8 is a block diagram showing still another configuration of the embodiment of the encryption processing circuit according to the present invention.
  • the configuration shown in FIG. 1 is a configuration in which the encryption block has two stages and each stage is used alternately.
  • the configuration shown in FIG. 8 has three or more encrypted blocks, and each stage is used sequentially.
  • FIG. 9 is a timing chart showing the operation of the encryption processing circuit when the input timing is shifted.
  • Although the timing chart shown in FIG. 6 shows an example in which two plaintexts are input and processed at the same time, it is not necessary to input two plaintexts simultaneously.
  • the encryption processing circuit inputs the second plaintext one clock after the first plaintext is input, inputs the third plaintext one clock later, and then 4 after one clock.
  • the second plaintext may be entered and processed in parallel.
  • the data width required for one input / output is the data width for one plaintext (one ciphertext). Therefore, the encryption processing circuit that performs the operation shown in FIG. 9 does not require the input register 142 and the output register 144.
  • the input data is processed by an encryption block that is not used for processing other data among the encryption block 1211 and the encryption block 1212.
  • Example: As an example of the encryption processing circuit of this embodiment, an AES encryption circuit implemented using the encryption processing circuit of this embodiment (no post-processing) is shown.
  • FIG. 10 is a block diagram showing the configuration of the AES encryption processing circuit in the embodiment.
  • the exclusive OR circuits (XOR) 111a and XOR 112a realized by the preprocessing unit 111 and the preprocessing unit 112 perform exclusive OR operation between the plaintext and the secret key as preprocessing of AES.
  • a post-processing unit is not necessary.
  • the configuration of the loop processing unit 120 in the present embodiment is the same as the configuration shown in FIG.
  • Each of the encryption block 1211 and the encryption block 1213 performs one stage of AES round processing on a regular value; the series SubByte, ShiftRow, MixColumn, AddRoundKey constitutes one step. Note that the MixColumn process is skipped in the 10th round.
  • Each of the encryption block 1212 and the encryption block 1214 performs one stage of AES round processing on the inverted value; performing the series SubByte, ShiftRow, MixColumn, AddRoundKey and outputting the inverted value constitutes one step. Like the encryption block 1211 and the encryption block 1213, the encryption block 1212 and the encryption block 1214 skip the MixColumn process in the 10th round. Since the encryption block 1212 and the encryption block 1214 return the inverted output value for the inverted input value, their components have the following characteristics.
  • FIG. 11 is an explanatory diagram showing a SubByte table for the normal value of AES in the embodiment.
  • FIG. 12 is an explanatory diagram illustrating a SubByte table for complementary values of AES in the embodiment.
  • the numerical values shown in FIGS. 11 and 12 are hexadecimal numbers.
  • The SubByte for complementary values is the normal SubByte with both the input value and the output value inverted. For example, if the regular input value is 00, the encryption block 1211 outputs 63. On the other hand, since the input value is inverted in the encryption block 1212, FF becomes the input value. When FF is input, the encryption block 1212 outputs 9C.
  • The encryption block 1211 and the encryption block 1212 are related in that both the input value and the output value are inverted.
  • The key generation unit 200 outputs the secret key and the round keys generated from the secret key to the exclusive OR circuits (XOR) 111a and XOR 112a serving as the preprocessing units, and to the encryption block 1211 to the encryption block 1214 that perform round processing.
  • XOR exclusive OR circuit
  • FIG. 13 is a timing chart showing the operation of the 128-bit AES encryption processing circuit in the embodiment.
  • 16 plaintexts and 8 sets of plaintexts are encrypted by AES.
  • (1-1, P) indicates the plaintext of the first data in the first set.
  • (1-2, P) indicates the plaintext of the second data in the first set.
  • (i-k, P) indicates the plaintext of the k-th data in the i-th set.
  • (i-k, 0) indicates data for which the pre-processing of the k-th data in the i-th set is completed.
  • (i-k, n) indicates data for which the k-th data in the i-th set has been subjected to the n-th encryption process.
  • (i-k, C) indicates the ciphertext obtained by applying pre-processing, repeated encryption processing, and post-processing to the k-th plaintext in the i-th set.
  • the encryption processing circuit uses 1 clock for input processing, 1 clock for preprocessing, 10 clocks for round processing, and 1 clock for output processing, and operates at a total of 13 clocks.
  • the time interval from the start of processing of one plaintext to the start of processing of the next plaintext is an interval of 5 clocks.
  • FIG. 14 is a block diagram showing the configuration of the loop processing unit of the decoding processing circuit according to the present invention.
  • The decryption processing circuit shown in FIG. 14 replaces “encryption block” in the configuration of the encryption processing circuit shown in FIG. 2 with “decryption block”, replaces the input data from “plaintext” to “ciphertext”, and replaces the output data from “ciphertext” to “plaintext”.
  • the overall configuration of the decryption processing circuit is the same as that of the encryption processing circuit shown in FIG. 1 except for input / output data.
  • “encryption” in the operation of the encryption processing circuit may be replaced with “decryption”. Note that the decryption process is a process for returning ciphertext to plaintext.
  • the above encryption processing circuit can be realized by hardware, software, or a combination thereof.
  • the encryption processing method performed by the above-described encryption processing circuit and other devices can be realized by hardware, software, or a combination thereof.
  • "realized by software” means realized by a computer reading and executing a program.
  • the first to nth registers 141 to 14N are registers included in the CPU, memory entries such as a main memory and a cache memory, and the like.
  • Non-transitory computer readable media include various types of tangible storage media.
  • Examples of non-transitory computer-readable media include magnetic recording media (for example, flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (for example, magneto-optical disks), CD-ROMs (Read Only Memory), CD-R, CD-R/W, and semiconductor memory (for example, mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory)).
  • The program may be supplied to the computer by various types of transitory computer readable media.
  • Examples of transitory computer readable media include electrical signals, optical signals, and electromagnetic waves.
  • the transitory computer readable medium can supply the program to the computer via a wired communication path such as an electric wire and an optical fiber, or a wireless communication path.
  • FIG. 15 is a block diagram showing the configuration of the main part of the encryption processing circuit according to the present invention.
  • The encryption processing circuit according to the present invention includes, as its main configuration, a plurality of encryption processing units 1251 to 1252 that input plaintext or a plurality of data that are intermediate values in the encryption of the plaintext, and perform encryption in a plurality of steps using an encryption key.
  • Each of the encryption processing units 1251 to 1252 includes a plurality of registers 1221 to 1224 for randomly storing and outputting either data or another inverted data, and a plurality of encryption blocks 1211 to 1214 for encrypting and outputting the data output from the registers. When the encryption step is before the final step, the intermediate value encrypted by the encryption block is output to another encryption processing unit, and the other encryption processing unit inputs the intermediate value as data. When the encryption of the final step is completed, the encryption block outputs the encrypted data as ciphertext.
  • An encryption processing circuit including a plurality of encryption processing units (for example, encryption processing units 1251 and 1252) that input plaintext or a plurality of data that are intermediate values in encryption of the plaintext and perform encryption in a plurality of steps using an encryption key.
  • The encryption processing unit includes a plurality of registers (for example, registers 1221 to 1228) for randomly storing and outputting either data or another inverted data, and a plurality of encryption blocks (for example, encryption blocks 1211 to 1218, 121A, 121B) that encrypt and output the data output from a pair of registers.
  • If the encryption step is before the final step, the intermediate value is output to another encryption processing unit, and the other encryption processing unit inputs the intermediate value as data; when the encryption of the final step is completed, the data encrypted by the encryption block is output as ciphertext.
  • The encryption processing circuit may be configured so that, during at least one clock, one plaintext of a plurality of plaintexts or an intermediate value in the encryption of that plaintext, and another plaintext or an intermediate value in the encryption of that other plaintext, are encrypted at the same time. According to such an encryption processing circuit, encryption processing can be performed at high speed by performing encryption processing in parallel.
  • It may be configured so that, at the clock following the one at which one plaintext of a plurality of plaintexts or an intermediate value in the encryption of that plaintext is encrypted, another plaintext or an intermediate value in the encryption of another plaintext is encrypted. According to such an encryption processing circuit, it is possible to perform encryption processing at high speed by performing encryption processing without leaving a gap in a plurality of clocks.
  • a timing adjustment circuit (for example, the timing adjustment circuit 160) that adjusts the timing of a clock that inputs a plurality of plaintexts may be provided.
  • the present invention can be applied to an encryption module of an information terminal such as a portable terminal.
  • Encryption unit; 111, 112 Pre-processing unit; 120 Loop processing unit; 1211 to 1218, 121A, 121B Encryption block; 1221 to 1228 Register; 1231 to 1238, 123A to 123F Selector; 1241 to 1244 Decoding block; 130 to 132 Post-processing unit; 141, 142 Input register; 143, 144 Output register; 160 Timing adjustment circuit; 200 Key generation unit
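
The relationship described above between the regular round path (encryption blocks 1211 and 1213) and the complementary path (1212 and 1214) can be checked in software. The following Python model is an added example, not code from the patent; the function names, the column-major state layout, and the sample state and round key are assumptions constructed here. It derives the SubByte table for complementary values from the normal one, confirms that a round on an inverted input returns the inverted output, and shows that a register holding a value or its inverse with equal probability has the same average Hamming weight whatever the data.

```python
# Added example: software model of the regular and complementary AES round paths.
# Names, state layout, sample state and sample round key are constructed here.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_entry(x):
    """AES SubByte: multiplicative inverse (x^254) followed by the affine map."""
    inv = 1
    for _ in range(254):
        inv = gf_mul(inv, x)
    s = inv
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]             # table for regular values
SBOX_C = [SBOX[x ^ 0xFF] ^ 0xFF for x in range(256)]   # table for inverted values

def invert(state):
    return [b ^ 0xFF for b in state]

def shift_rows(s):
    # State is column-major: index = 4 * column + row.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes_round(state, round_key, table, last=False):
    """SubByte, ShiftRow, MixColumn (skipped in the last round), AddRoundKey."""
    s = shift_rows([table[b] for b in state])
    if not last:
        s = mix_columns(s)
    return [b ^ k for b, k in zip(s, round_key)]

def hamming_weight(state):
    return sum(bin(b).count("1") for b in state)

def mean_stored_weight(state):
    """Average weight of a register storing state or its inverse with probability 1/2."""
    return (hamming_weight(state) + hamming_weight(invert(state))) / 2

# Constructed sample data (not from the patent).
STATE = list(range(0x00, 0x10))
ROUND_KEY = [0xA5 ^ (17 * i & 0xFF) for i in range(16)]

if __name__ == "__main__":
    regular = aes_round(STATE, ROUND_KEY, SBOX)
    complementary = aes_round(invert(STATE), ROUND_KEY, SBOX_C)
    print("complementary path returns inverted output:", complementary == invert(regular))
    print("mean stored weight:", mean_stored_weight(STATE), mean_stored_weight(regular))
```

In this model the complementary path needs only the alternate SubByte table: ShiftRow, MixColumn and AddRoundKey with the unchanged round key carry the inversion through to the output.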

Abstract

The present invention relates to a plurality of encryption processing units (1251 to 1252) for performing encryption in a plurality of steps using an encryption key. The encryption processing units (1251 to 1252) include a plurality of registers (1221 to 1224) for randomly storing and outputting either data or separate inverted data, and a plurality of encryption blocks (1211 to 1214) for encrypting the output data and outputting the encrypted data. When the encryption step is before a final step, an intermediate value encrypted by the encryption block is output to a separate encryption processing unit. The separate encryption processing unit accepts the intermediate value as input data. When the encryption of the final step is completed, the data encrypted by the encryption blocks is output as ciphertext.
PCT/JP2013/003456 2012-06-22 2013-05-31 Encryption processing circuit and decryption processing circuit WO2013190782A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2014520902A JPWO2013190782A1 (ja) 2012-06-22 2013-05-31 Encryption processing circuit and decryption processing circuit

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2012141153 2012-06-22
JP2012-141153 2012-06-22

Publications (1)

Publication Number Publication Date
WO2013190782A1 true WO2013190782A1 (fr) 2013-12-27

Family

ID=49768397

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2013/003456 WO2013190782A1 (fr) 2012-06-22 2013-05-31 Encryption processing circuit and decryption processing circuit

Country Status (2)

Country Link
JP (1) JPWO2013190782A1 (fr)
WO (1) WO2013190782A1 (fr)

Also Published As

Publication number Publication date
JPWO2013190782A1 (ja) 2016-02-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13806668

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2014520902

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13806668

Country of ref document: EP

Kind code of ref document: A1