
CN105656619A - AES (Advanced Encryption Standard) encryption method and power attack resisting method based on the same - Google Patents

AES (Advanced Encryption Standard) encryption method and power attack resisting method based on the same

Info

Publication number
CN105656619A
Authority
CN (China)
Prior art keywords
data, output, xor, bit, power consumption
Legal status
Granted (current status: Active)
Application number
CN201610074012.8A
Other languages
Chinese (zh)
Other versions
CN105656619B
Inventors
刘雷波, 朱敏, 吴有余, 罗凯, 尹首一, 魏少军
Current Assignee
Tsinghua University; Wuxi Research Institute of Applied Technologies of Tsinghua University
Original Assignee
Wuxi Research Institute of Applied Technologies of Tsinghua University
Priority date / Filing date
2016-02-02
Publication date
2016-06-08 (CN105656619A); 2019-02-26 (CN105656619B, granted)
Events
2016-02-02: application filed by Wuxi Research Institute of Applied Technologies of Tsinghua University
2016-06-08: publication of CN105656619A
2019-02-26: application granted; publication of CN105656619B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an AES encryption method and a power-attack-resisting method based thereon. The AES encryption method comprises: grouping the plaintext data into blocks; XORing the input of the round function with the expanded key; substituting the data with an S-box having an 8-bit input and a 32-bit output; rotating the 32-bit words output by the S-box; XORing the corresponding 32-bit words output by the row-shift step; XORing with the expanded key; substituting the data with an S-box having an 8-bit input and an 8-bit output; XORing with the expanded key; and outputting the ciphertext. The invention has the following advantages: every operation of the encryption method needs only table lookups, shifts and XORs, which are simple and efficient to realise in logic. The power-attack-resisting method also covers the MixColumns step, and its resistance to power attacks is good.

Description

An AES encryption method and a power-attack-resisting method based thereon

Technical field

The invention relates to the technical field of information security, and in particular to an AES encryption method and a power-attack-resisting method based thereon.

Background

With the development of informatisation, information security has become ever more important, and many different cryptographic algorithms have been proposed. Among them, AES (Advanced Encryption Standard) is used all over the world and has become an internationally adopted symmetric encryption algorithm; owing to its short key setup time, high key sensitivity and low memory requirements it is widely deployed in information security applications such as e-commerce and communications encryption.

As AES has been analysed at different levels, many ways of attacking and breaking it have appeared. Among these, power analysis attacks mathematically analyse the relationship between the execution of the cipher and the power consumed by the cryptographic chip that runs it, for example Simple Power Analysis (SPA) and Differential Power Analysis (DPA), and ultimately recover the key, posing a serious threat to the security of cryptographic chips.

In a conventional implementation of AES the main operations are the four steps SubBytes (S-box substitution), ShiftRows, MixColumns and AddRoundKey (XOR with the expanded key), and many researchers have proposed countermeasures against power analysis on this basis. The present invention addresses an improved AES implementation that does away with the comparatively complex MixColumns computation, and proposes, for this implementation, a method of resisting power analysis. The method rests on the Hamming-weight power model: power consumption is balanced by complementary operations at the algorithm level, so that the power information of the computation on the chip is hidden and power analysis is resisted.

Taking AES-128 as an example, Figure 1 shows the flow of the existing AES-128 algorithm. The byte is the basic unit of operation, and SubBytes, ShiftRows, MixColumns and AddRoundKey form a round function that is iterated 10 times (the final round omits MixColumns). All arithmetic is performed in the finite field GF(2^8).

Many different countermeasures against power analysis have been proposed for this AES implementation. The common ones are: masking the intermediate data, where a random mask is combined with the intermediate values produced by the cipher so that those values are randomised; power-balancing circuits, which keep the power consumption of the computation constant and independent of the data processed; and inserting random delays, so that the point in time at which an encryption operation executes is uncertain.

An improved AES implementation simplifies the four-step round function so that the encryption process contains no separate, complex MixColumns step. It requires only four lookup tables, four XORs per column per round, and the additional storage needed to hold the tables.

However, existing countermeasures against power analysis on AES are designed mainly for the conventional implementation; there is no power-analysis countermeasure tailored to this more efficient implementation without an explicit MixColumns step.

Summary of the invention

The present invention aims to solve at least one of the above technical problems.

To this end, the first object of the present invention is to propose an AES encryption method.

The second object of the present invention is to propose a method of resisting power analysis attacks based on that AES encryption method.

To achieve the above objects, an embodiment of the present invention discloses an AES encryption method comprising the following steps. S1: group the plaintext data into blocks. S200: initialise the loop counter to 0. S201: XOR the input of the round function with the expanded key. S202: substitute the data using an S-box with an N-bit input and an M-bit output, where N and M are natural numbers, M > N and M is divisible by N. S203: rotate the M-bit data output by the S-box to obtain the data of one column of the MixColumns operation on the block matrix. S204: XOR the corresponding M-bit words output by the row-shift operation to obtain the output of one round function, and increment the loop counter. S205: determine whether the loop counter has reached the preset number of rounds; if it has, proceed to step S3, otherwise return to step S201. S3: XOR with the expanded key. S4: substitute the data using an S-box with an N-bit input and a P-bit output, where P is a natural number divisible by N. S5: XOR with the expanded key. S6: output the ciphertext.

In the AES encryption method of this embodiment the only operations required are table lookups, shifts and XORs, which are simple and efficient to realise in logic.

In addition, the AES encryption method of the above embodiment may have the following additional technical features:

Further, N is 8, M is 32 and P is 8.

To achieve the above objects, an embodiment of the present invention discloses a method of resisting power analysis attacks based on the AES encryption method, comprising the following steps. SA: obtain the plaintext data. SB: encrypt the plaintext data with the AES encryption method of claim 1 or 2, introducing a complementary operation during the encryption so that the sum of the power consumed by the encryption operation and the power consumed by the complementary operation is approximately a constant; the complementary operation comprises XOR with the complement of the expanded key, complemented S-box substitution, row shifting of the complemented data, and an XNOR operation. SC: output the ciphertext.

Additional aspects and advantages of the invention will be set forth in part in the description that follows, will in part be obvious from the description, or may be learned by practice of the invention.

Brief description of the drawings

The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:

Figure 1 is a flowchart of the AES-128 implementation of the related art;

Figure 2 is a flowchart of the AES encryption method according to one embodiment of the present invention;

Figure 3 is a data-transformation diagram of part of the operations in the AES encryption method according to one embodiment of the present invention;

Figure 4 is a block diagram of the implementation of the power-analysis-resisting method based on the AES encryption method according to one embodiment of the present invention.

Detailed description

Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote the same or similar elements, or elements having the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting it.

In the description of the present invention, it should be understood that the terms "centre", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer" and the like indicate orientations or positional relationships based on those shown in the drawings, are used only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be construed as limiting the present invention. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.

In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediate medium; or an internal communication between two elements. Those of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the particular circumstances.

These and other aspects of the embodiments of the present invention will become clear with reference to the following description and drawings. The description and drawings specifically disclose some particular implementations of the embodiments to indicate some of the ways in which the principles of the embodiments may be practised, but it should be understood that the scope of the embodiments is not limited thereby. On the contrary, the embodiments of the present invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.

The AES encryption method according to an embodiment of the present invention is described below with reference to the drawings.

Figure 2 is a flowchart of the AES encryption method according to one embodiment of the present invention. Referring to Figure 2, an AES encryption method comprises the following steps:

S1: group the plaintext data into blocks.

S200: initialise the loop counter to 0.

S201: XOR the input of the round function with the expanded key. This step is identical to the original AES: the round-function input and the expanded key are added modulo 2, which in logic is an XOR.

S202: substitute the data using an S-box with an N-bit input and an M-bit output, where N and M are natural numbers, M > N and M is divisible by N. In one example of the invention N is 8 and M is 32, that is, byte substitution is performed with a modified S-box having an 8-bit input and a 32-bit output. Each 32-bit output is precomputed from the 8-bit output of the S-box transformation of the original AES.

S203: rotate the M-bit data output by the S-box to obtain the data of one column of the MixColumns operation on the block matrix of the original AES algorithm.

S204: XOR the corresponding M-bit words output by the row-shift operation to obtain the output of one round function, and increment the loop counter. Specifically, the 32-bit words output by the row-shift operation are added modulo 2 (XORed) with one another, which finally yields the output of one round function.

S205: determine whether the loop counter has reached the preset number of rounds. If it has, proceed to step S3; otherwise return to step S201.

S3: XOR with the expanded key.

S4: substitute the data using an S-box with an N-bit input and a P-bit output, where P is a natural number divisible by N. Here P is 8.

S5: XOR with the expanded key.

S6: output the ciphertext.

In the AES encryption method of this embodiment the only operations required are table lookups, shifts and XORs, which are simple and efficient to realise in logic. It differs from the conventional implementation in the three operations "modified S-box substitution, row shift, and 32-bit XOR".

Figure 3 is a data-transformation diagram of part of the operations in the AES encryption method according to one embodiment. In this example each Sxx in Figure 3 denotes one byte of data, a coefficient in front of a byte denotes multiplication by that coefficient in the finite field GF(2^8), "+" denotes addition in GF(2^8) (logically, XOR), and {a, b, c, d} denotes the 32-bit word formed by concatenating the four bytes a, b, c and d.
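The following is an added, runnable example that is not part of the patent; it implements steps S1 to S6 above (the 8-bit-in, 32-bit-out table of S202, the rotation of S203, the XOR of S204 and the 8-bit S-box of S4) and also serves as the concrete form of the "four lookup tables, four XORs per column" implementation described in the background. It assumes the column-major state layout of FIPS-197, builds the table entry as {S(x), S(x), 3·S(x), 2·S(x)} as in Figure 3, and includes the final-round ShiftRows, which the text of S4 does not name but which standard AES requires; correctness is checked against the FIPS-197 Appendix C.1 test vector.

```python
"""AES-128 with an 8-bit-in / 32-bit-out table ("T-table"), following steps S1-S6.
Added example, not the patent's code. State is column-major as in FIPS-197."""

MASK32 = 0xFFFFFFFF


def xtime(b):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


def gf_mul(a, b):
    """General multiplication in GF(2^8); only needed to build the tables."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def build_sbox():
    """FIPS-197 S-box: multiplicative inverse in GF(2^8), then the affine map (+0x63)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0) if x else 0
        s, t = inv, inv
        for _ in range(4):                 # s = inv ^ rotl1(inv) ^ rotl2 ^ rotl3 ^ rotl4
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()

# The S202 table: T(x) = {S(x), S(x), 3*S(x), 2*S(x)} as one big-endian 32-bit word.
# Its four byte-rotations are the four columns of the MixColumns matrix, so SubBytes
# and MixColumns collapse into one lookup plus one rotation (S203) per byte.
T_TABLE = [(s << 24) | (s << 16) | (gf_mul(s, 3) << 8) | xtime(s) for s in SBOX]


def rotl32(w, n):
    return ((w << n) | (w >> (32 - n))) & MASK32


def expand_key(key):
    """AES-128 key schedule: 11 round keys, each a list of 16 bytes in state order."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def add_round_key(state, rk):
    """S201 / S3 / S5: XOR with the expanded key."""
    return [b ^ k for b, k in zip(state, rk)]


def t_table_round(state):
    """S202-S204 for all four columns; byte r of column c lives at index 4*c + r."""
    out = []
    for c in range(4):
        w = 0
        for r in range(4):
            # ShiftRows is folded into the byte selection: row r of output column c
            # comes from input column (c + r) mod 4. Lookup (S202), rotate (S203), XOR (S204).
            w ^= rotl32(T_TABLE[state[4 * ((c + r) % 4) + r]], 8 * (3 - r))
        out += [(w >> 24) & 0xFF, (w >> 16) & 0xFF, (w >> 8) & 0xFF, w & 0xFF]
    return out


def aes128_encrypt_block(block, key, rounds=10):
    """Encrypt one 16-byte block (S1) under a 16-byte key."""
    rk = expand_key(key)
    state = list(block)
    for rnd in range(rounds - 1):                          # S200/S205: nine full rounds
        state = t_table_round(add_round_key(state, rk[rnd]))
    state = add_round_key(state, rk[rounds - 1])           # S3
    # S4: the plain 8-bit S-box. The text names only the S-box, but the final-round
    # ShiftRows must still be applied (and MixColumns omitted) to match standard AES.
    state = [SBOX[state[4 * ((c + r) % 4) + r]] for c in range(4) for r in range(4)]
    return bytes(add_round_key(state, rk[rounds]))         # S5, S6


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 test vector.
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(pt, key).hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
```

A single table plus rotations is used here; a hardware or cache-conscious implementation would store the four rotated copies as separate tables and drop the rotations, which is the "four lookup tables" variant the background refers to. Note that T-table implementations are table-lookup based and therefore subject to cache-timing attacks on platforms with data caches; the patent's countermeasure addresses power analysis only.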

A method of resisting power analysis attacks based on the AES encryption method according to an embodiment of the present invention is described below with reference to the drawings.

Referring to Figure 4, a method of resisting power analysis attacks based on the AES encryption method comprises the following steps:

SA: obtain the plaintext data.

SB: encrypt the plaintext data with the AES encryption method described above, introducing a complementary operation during the encryption so that the sum of the power consumed by the encryption operation and the power consumed by the complementary operation is approximately a constant. The complementary operation comprises XOR with the complement of the expanded key, complemented S-box substitution, row shifting of the complemented data, and an XNOR operation.

Specifically, in the AES encryption method of the above embodiment the Hamming weight of the intermediate data produced during the computation varies greatly with the input data, and according to the Hamming-weight model the corresponding power consumption differs noticeably as well. A typical power analysis attack such as DPA captures power traces for different key hypotheses and exploits the differences in power consumed while processing different intermediate values. For the improved AES implementation described above, a complementary operation is therefore introduced that executes concurrently with the encryption operation.

Suppose an operation in the encryption process can be regarded as a function F(x) whose output has Hamming weight HW(F(x)). The corresponding power consumption is:

P ≈ k·HW(F(x)) + d

At the same time the complementary operation computes F′(x), whose output has Hamming weight HW(F′(x)); F′ and F perform approximately the same kind of operation (that is, k is the same in the formula below), so the corresponding power consumption is:

P′ ≈ k·HW(F′(x)) + d

The total power consumed by the hardware during this step is P_total = P + P′ ≈ k·(HW(F(x)) + HW(F′(x))) + 2d, so it suffices to ensure:

HW(F(x)) + HW(F′(x)) = C

for the combined power consumption of the complementary operation and the normal encryption operation to be approximately constant and independent of the intermediate values produced by the encryption. This hides the power and data information of the computation and achieves resistance to power analysis.

The operations to be introduced in the power-balancing complementary path are: XOR with the complement of the expanded key, complemented S-box byte substitution, row shifting of the complemented data, and an XNOR operation.

Complementary operation one: XOR with the complement of the expanded key. Concurrently with the XOR of the expanded key, the complementary operation "XOR with the complement of the expanded key" is executed. The two outputs are bitwise complements of each other, so the sum of their Hamming weights is a constant, and the power consumption is thereby approximately balanced.

The data x is XORed with the key:

F1(x) = x ⊕ k1

Complementary operation:

F1′(x) = x ⊕ ¬k1

which guarantees

HW(F1(x)) + HW(F1′(x)) = C1

where k1 is the expanded key, ¬k1 its bitwise complement, and C1 a constant (the bit width of the word).

Complementary operation two: complemented S-box byte substitution. In the AES encryption method of the above embodiment the modified S-box substitution has an 8-bit input and a 32-bit output and is usually realised as a lookup table. Denoting the transformation by F2(x):

F2(x) = {x′, x′, 3x′, 2x′}

The complementary operation is chosen so that its output is the complement of the normal encryption output:

F2′(x) = {¬x′, ¬x′, ¬(3x′), ¬(2x′)}

where x′ denotes the byte obtained by passing the input byte through the conventional S-box, and {} denotes concatenation. This likewise guarantees:

HW(F2(x)) + HW(F2′(x)) = C2

so the Hamming weight is again constant and the total power consumption approximately constant, independent of the intermediate values of the encrypted data.

Complementary operation three: row shifting of the complemented data. When the row shift is performed, the output of the preceding stage consists of a normal output and a complemented output. The same row shift is therefore applied to the complemented data at the same time as to the normal data, and under the Hamming-weight model the sum of the two power consumptions is balanced.

Complementary operation four: XNOR. In the AES encryption method of the above embodiment the 32-bit XOR combines four words and therefore requires three XORs in sequence. While the first XOR is executed, the complementary operation performs an XNOR on the same input data as the normal operation; while the remaining two XORs are executed, the complementary operation also performs XORs, so that the intermediate data of the introduced operation remains the complement of the useful encryption intermediate data throughout. The Hamming weight is again constant and the power consumption approximately constant, independent of the intermediate data.
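The following added example (not the patent's design or code) models complementary operations one to four on one column of the table-based round and verifies, at every intermediate value, the relation HW(F(x)) + HW(F′(x)) = C derived above. Because the complement property holds for any table, it uses a constructed nonlinear byte map as a stand-in for the AES S-box, constructed key and column bytes, and one assumption where the text is silent: the second and third combines of operation four take the normal path's words as inputs, since XORing two complemented words would cancel the complement. `residual_leakage` adds the check a practitioner wants before trusting "approximately a constant": the two rails must have the same gain k, and in this noiseless model any gain mismatch reintroduces a leakage that correlates perfectly with the Hamming weight of the normal path.

```python
"""Dual-rail model of complementary operations one to four on one column of the
T-table round, checked under the Hamming-weight leakage model P ≈ k·HW + d.
Added example, not the patent's code or design."""

MASK32 = 0xFFFFFFFF


def hw(v):
    """Hamming weight (number of set bits)."""
    return bin(v).count("1")


def rotl32(w, n):
    return ((w << n) | (w >> (32 - n))) & MASK32


def xtime(b):
    """Multiply by 2 in GF(2^8) modulo the AES polynomial."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


# Constructed stand-in for the 8-bit S-box (NOT the AES S-box): the complement
# property below holds for any table, so a small nonlinear map is enough here.
SBOX_STAND_IN = [(pow(x, 3, 257) & 0xFF) ^ 0x63 for x in range(256)]

# F2(x) = {x', x', 3x', 2x'} with x' = S(x), and the complemented table F2'(x).
T = [(s << 24) | (s << 16) | ((s ^ xtime(s)) << 8) | xtime(s) for s in SBOX_STAND_IN]
T_COMP = [t ^ MASK32 for t in T]


def check_complement(normal, comp, width):
    """HW(F(x)) + HW(F'(x)) = C must hold at every intermediate; C is the word width."""
    if normal ^ comp != (1 << width) - 1 or hw(normal) + hw(comp) != width:
        raise AssertionError("rails are not complementary")


def dual_rail_column(col, rk):
    """Compute one round-output column on the normal and the complementary rail.
    col: 4 state bytes (after the ShiftRows selection); rk: 4 round-key bytes.
    Returns (normal_word, complementary_word)."""
    words = []
    for r in range(4):
        # Operation one: XOR with the key byte vs. XOR with its complement.
        n = col[r] ^ rk[r]
        c = col[r] ^ (rk[r] ^ 0xFF)
        check_complement(n, c, 8)
        # Operation two: normal table vs. the table holding the complemented
        # entries, both indexed by the same input byte.
        w, w_c = T[n], T_COMP[n]
        check_complement(w, w_c, 32)
        # Operation three: the same rotation on both rails.
        w, w_c = rotl32(w, 8 * (3 - r)), rotl32(w_c, 8 * (3 - r))
        check_complement(w, w_c, 32)
        words.append(w)
    # Operation four: three sequential combines. The first is an XNOR on the same
    # inputs as the normal XOR; the next two are XORs with the normal rail's words
    # (assumed here; XORing two complemented words would cancel the complement).
    acc = words[0] ^ words[1]
    acc_c = MASK32 ^ (words[0] ^ words[1])        # XNOR
    check_complement(acc, acc_c, 32)
    for w in words[2:]:
        acc ^= w
        acc_c ^= w
        check_complement(acc, acc_c, 32)
    return acc, acc_c


def total_power(normal, comp, k=1.0, k_comp=1.0, d=0.0):
    """P + P' ≈ k·HW(F(x)) + d + k'·HW(F'(x)) + d. Constant only if k == k'."""
    return (k * hw(normal) + d) + (k_comp * hw(comp) + d)


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def residual_leakage(mismatch, rk=(0x2B, 0x7E, 0x15, 0x16)):
    """Correlation between the dual-rail power sum and HW of the normal round output,
    sweeping the first column byte over all 256 values (the other bytes and the key
    are constructed constants). mismatch = (k - k') / k between the two rails."""
    hws, power = [], []
    for x in range(256):
        n, c = dual_rail_column((x, 0x11, 0x22, 0x33), rk)
        hws.append(hw(n))
        power.append(total_power(n, c, k=1.0, k_comp=1.0 - mismatch))
    return pearson(hws, power)


if __name__ == "__main__":
    print("matched rails:     r =", round(residual_leakage(0.0), 3))
    print("10% gain mismatch: r =", round(residual_leakage(0.1), 3))
```

With matched rails every trace in the sweep is identical and the correlation is 0; with a 10 % gain mismatch the sum becomes 0.1·HW + const and correlates perfectly with the attacker's Hamming-weight hypothesis. Real silicon has gain mismatch, glitches and timing skew between the rails, which is why the claims say "approximately" a constant and why a practitioner would measure the residual leakage on the actual device rather than rely on the model.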

Other components and functions of the AES encryption method and the power-analysis-resisting method based thereon according to embodiments of the present invention are known to those skilled in the art and, to reduce redundancy, are not described further.

In the description of this specification, references to "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" mean that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification such schematic expressions do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations may be made to these embodiments without departing from the principle and spirit of the present invention; the scope of the invention is defined by the claims and their equivalents.

Claims (3)

1. An AES encryption method, characterized by comprising the following steps:
S1: group the plaintext data into blocks;
S200: initialize the iteration count to 0;
S201: XOR the input of the round function with the expanded key;
S202: perform data substitution with an S-box having an N-bit input and an M-bit output, where N and M are natural numbers, M > N, and M is divisible by N;
S203: shift the M-bit data output by the S-box to obtain the data of one column of the column-mixing operation on the block matrix;
S204: XOR, position by position, the M-bit data output by the row-shift operation to obtain the output value of one round function, and increment the iteration count by 1;
S205: judge whether the current iteration count has reached the preset count; if it has, proceed to step S3, otherwise return to step S201;
S3: XOR with the expanded key;
S4: perform data substitution with an S-box having an N-bit input and a P-bit output, where P is a natural number and P is divisible by N;
S5: XOR with the expanded key;
S6: output the ciphertext data.

2. The AES encryption method according to claim 1, characterized in that N is 8, M is 32 and P is 8.

3. An anti-power-attack method based on the AES encryption method, characterized by comprising the following steps:
SA: obtain plaintext data;
SB: encrypt the plaintext data by the AES encryption method of claim 1 or 2, introducing a complementary operation during the encryption of the plaintext data so that the sum of the power consumption generated by the encryption operation and the power consumption generated by the complementary operation is approximately a constant, the complementary operation comprising XOR with the complement of the expanded key, data substitution through a complement S-box, row shifting of the complemented data, and an XNOR operation;
SC: output the ciphertext.
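The claimed round structure and the complementary path, as an added worked example: a reference model written for this page, not the patent's own circuit or code. It models claims 1 and 2 with N=8, M=32, P=8: the 8-bit-in/32-bit-out S-box is the familiar T-table that folds SubBytes and MixColumns together, the shift of step S203 is a byte rotation of that 32-bit word into its column position, step S204 is the XOR of the four rotated words, and the final round uses the plain 8-bit S-box. For claim 3 it runs a second path that holds the bitwise complement of every intermediate value, using the complemented round keys, complement tables (the example reads the claim's complement S-box as a table that maps a complemented input to the complemented output; that reading is this example's assumption), the same shifts, and XNOR in place of XOR, and it records the Hamming-weight sum of the two paths after every step. All function and variable names are the example's own; the test vector used below is the public FIPS-197 Appendix C.1 one.

```python
# Added reference model written for this page (not the patent's circuit or code):
# the claims 1-2 round structure and the claim 3 complementary path. Names are the example's own.

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """FIPS-197 S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = []
    for a in range(256):
        s = x = next((b for b in range(1, 256) if gmul(a, b) == 1), 0)
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox

MASK32 = 0xFFFFFFFF
SBOX = build_sbox()
# N=8 in, M=32 out (claim 2): T0[a] packs (2s, s, s, 3s), one byte's share of a MixColumns column.
T0 = [(xtime(s) << 24) | (s << 16) | (s << 8) | (xtime(s) ^ s) for s in SBOX]
# Claim 3 complement tables: SBOX_C[~a] == ~SBOX[a] and T0_C[~a] == ~T0[a] (example's reading).
SBOX_C, T0_C = [0] * 256, [0] * 256
for a in range(256):
    SBOX_C[a ^ 0xFF], T0_C[a ^ 0xFF] = SBOX[a] ^ 0xFF, T0[a] ^ MASK32

def rotr32(w, n):
    return ((w >> n) | (w << (32 - n))) & MASK32
def xor_op(a, b, mask):
    return a ^ b
def xnor_op(a, b, mask):          # ~(a ^ b) inside the word width
    return a ^ b ^ mask

def expand_key(key):
    """AES-128 key schedule; 11 round keys as 16-byte column-major lists."""
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def add_key(state, rk, op):       # steps S201, S3, S5 (XNOR on the complement path)
    return [op(s, k, 0xFF) for s, k in zip(state, rk)]

def column_round(state, table, op, ident):
    """Steps S202-S204, bytes column-major (index = row + 4*col): ShiftRows is the
    addressing pattern, S203's shift rotates the 32-bit word into its column slot,
    S204 combines the four words (XOR, or XNOR from all-ones on the complement path)."""
    out = []
    for c in range(4):
        w = ident
        for r in range(4):
            w = op(w, rotr32(table[state[r + 4 * ((c + r) % 4)]], 8 * r), MASK32)
        out += [(w >> 24) & 0xFF, (w >> 16) & 0xFF, (w >> 8) & 0xFF, w & 0xFF]
    return out

def final_round(state, sbox):
    """Step S4: 8-bit-in/8-bit-out S-box (P=8). ShiftRows is kept so the result is
    standard AES; the claim text names only the substitution."""
    return [sbox[state[r + 4 * ((c + r) % 4)]] for c in range(4) for r in range(4)]

def hw(bs):
    return sum(bin(b).count("1") for b in bs)

def aes128_encrypt_dual(block, key, rounds=9):
    """Run the real path (claims 1-2) and the complement path (claim 3) together.
    Returns (ciphertext, hw_sums, tracks): hw_sums[i] = HW(real) + HW(complement)
    after each step; tracks = complement path stayed the exact inverse throughout."""
    rk = expand_key(key)
    rk_c = [[k ^ 0xFF for k in r] for r in rk]            # complemented round keys
    s, sc, hw_sums = list(block), [b ^ 0xFF for b in block], []
    for i in range(rounds + 1):                             # S200/S205: 9 full rounds
        s, sc = add_key(s, rk[i], xor_op), add_key(sc, rk_c[i], xnor_op)
        hw_sums.append(hw(s) + hw(sc))
        if i < rounds:
            s, sc = column_round(s, T0, xor_op, 0), column_round(sc, T0_C, xnor_op, MASK32)
        else:
            s, sc = final_round(s, SBOX), final_round(sc, SBOX_C)
        hw_sums.append(hw(s) + hw(sc))
    s, sc = add_key(s, rk[rounds + 1], xor_op), add_key(sc, rk_c[rounds + 1], xnor_op)
    hw_sums.append(hw(s) + hw(sc))
    return bytes(s), hw_sums, all(x ^ y == 0xFF for x, y in zip(s, sc))

def aes128_encrypt(block, key):
    return aes128_encrypt_dual(block, key)[0]   # claim 1 steps S1..S6, one 16-byte block
```

Calling aes128_encrypt_dual with the FIPS-197 C.1 plaintext 00112233445566778899aabbccddeeff and key 000102030405060708090a0b0c0d0e0f returns the standard ciphertext, and the per-step sum HW(real) + HW(complement) is 128 at every step, which is the data independence the claim targets under a Hamming-weight power model. That equality holds by construction in software; whether it holds in silicon depends on the two paths being balanced in placement, routing and glitch timing, which is the usual weak point of complementary (dual-rail) logic and is not something a functional model can show.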

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610074012.8A CN105656619B (en) 2016-02-02 2016-02-02 An AES encryption method and an anti-power attack method based thereon

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610074012.8A CN105656619B (en) 2016-02-02 2016-02-02 An AES encryption method and an anti-power attack method based thereon

Publications (2)

Publication Number Publication Date
CN105656619A true CN105656619A (en) 2016-06-08
CN105656619B CN105656619B (en) 2019-02-26

Family

ID=56488268

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610074012.8A Active CN105656619B (en) 2016-02-02 2016-02-02 An AES encryption method and an anti-power attack method based thereon

Country Status (1)

Country Link
CN (1) CN105656619B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871536A (en) * 2016-06-14 2016-08-17 东南大学 AES-algorithm-oriented power analysis attack resistant method based on random time delay
CN106101096A (en) * 2016-06-10 2016-11-09 北京数盾信息科技有限公司 A kind of high-speed encryption module separated based on interface bus
CN106130712A (en) * 2016-06-14 2016-11-16 刘雷波 A kind of opportunistic infections fault-resistant attack method based on INS network
CN106506142A (en) * 2016-11-22 2017-03-15 北京航空航天大学 A low-complexity AES integrated encryption and decryption implementation method
CN110071794A (en) * 2019-04-28 2019-07-30 苏州国芯科技股份有限公司 A kind of information ciphering method based on aes algorithm, system and associated component
CN110336658A (en) * 2019-07-01 2019-10-15 武汉能钠智能装备技术股份有限公司 Encryption method, user equipment, storage medium and device based on aes algorithm
CN111262684A (en) * 2020-01-13 2020-06-09 燕山大学 A power battery traceability management coding encryption method based on improved AES algorithm
CN111680329A (en) * 2020-08-14 2020-09-18 成都中轨轨道设备有限公司 Data processing method for improving data security
CN112396377A (en) * 2020-11-20 2021-02-23 国网天津市电力公司 Power equipment warehouse management and control system based on Internet of things
CN112765686A (en) * 2021-01-06 2021-05-07 苏州裕太微电子有限公司 Power consumption attack prevention framework and method for algorithm key in chip
CN114218588A (en) * 2021-12-10 2022-03-22 中国电子科技集团公司第四十七研究所 Anti-attack block cipher encryption method for multi-scenario applications
CN117767272A (en) * 2023-11-22 2024-03-26 国网冀北电力有限公司智能配电网中心 New energy consumption capability evaluation system and evaluation method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110296198A1 (en) * 2010-05-27 2011-12-01 Kabushiki Kaisha Toshiba Cryptographic processing apparatus and ic card
CN103916236A (en) * 2014-04-25 2014-07-09 东南大学 Power attack prevention method oriented at AES algorithm and circuit achieving method thereof
CN104065474A (en) * 2014-07-14 2014-09-24 衡阳师范学院 A New Low-Resource Efficient Lightweight Surge Block Cipher Implementation Method
CN104301095A (en) * 2014-10-13 2015-01-21 深圳中科讯联科技有限公司 DES round operation method and circuit

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106101096A (en) * 2016-06-10 2016-11-09 北京数盾信息科技有限公司 A kind of high-speed encryption module separated based on interface bus
CN106101096B (en) * 2016-06-10 2022-06-28 北京数盾信息科技有限公司 High-speed encryption module based on interface bus separation
CN106130712A (en) * 2016-06-14 2016-11-16 刘雷波 A kind of opportunistic infections fault-resistant attack method based on INS network
CN105871536B (en) * 2016-06-14 2019-01-29 东南大学 A kind of anti-power consumption attack method towards aes algorithm based on random delay
CN106130712B (en) * 2016-06-14 2019-09-06 刘雷波 A kind of opportunistic infections fault-resistant attack method based on INS network
CN105871536A (en) * 2016-06-14 2016-08-17 东南大学 AES-algorithm-oriented power analysis attack resistant method based on random time delay
CN106506142A (en) * 2016-11-22 2017-03-15 北京航空航天大学 A low-complexity AES integrated encryption and decryption implementation method
CN106506142B (en) * 2016-11-22 2020-11-03 北京航空航天大学 A low-complexity AES integrated encryption/decryptor implementation method
CN110071794B (en) * 2019-04-28 2022-06-07 苏州国芯科技股份有限公司 AES algorithm-based information encryption method, system and related components
CN110071794A (en) * 2019-04-28 2019-07-30 苏州国芯科技股份有限公司 A kind of information ciphering method based on aes algorithm, system and associated component
CN110336658A (en) * 2019-07-01 2019-10-15 武汉能钠智能装备技术股份有限公司 Encryption method, user equipment, storage medium and device based on aes algorithm
CN111262684A (en) * 2020-01-13 2020-06-09 燕山大学 A power battery traceability management coding encryption method based on improved AES algorithm
CN111680329B (en) * 2020-08-14 2020-11-10 成都中轨轨道设备有限公司 Data processing method for improving data security
CN111680329A (en) * 2020-08-14 2020-09-18 成都中轨轨道设备有限公司 Data processing method for improving data security
CN112396377A (en) * 2020-11-20 2021-02-23 国网天津市电力公司 Power equipment warehouse management and control system based on Internet of things
CN112765686A (en) * 2021-01-06 2021-05-07 苏州裕太微电子有限公司 Power consumption attack prevention framework and method for algorithm key in chip
CN114218588A (en) * 2021-12-10 2022-03-22 中国电子科技集团公司第四十七研究所 Anti-attack block cipher encryption method for multi-scenario applications
CN117767272A (en) * 2023-11-22 2024-03-26 国网冀北电力有限公司智能配电网中心 New energy consumption capability evaluation system and evaluation method

Also Published As

Publication number Publication date
CN105656619B (en) 2019-02-26

Similar Documents

Publication Publication Date Title
CN105656619A (en) AES (Advanced Encryption Standard) encryption method and power attack resisting method based on the same
D'souza et al. Advanced encryption standard (AES) security enhancement using hybrid approach
Kumar et al. Development of modified AES algorithm for data security
JP7031580B2 (en) Cryptographic device, encryption method, decryption device, and decryption method
US7532721B2 (en) Implementation of a switch-box using a subfield method
ES2717999T3 (en) Cryptographic method by blocks to encrypt / decrypt messages and cryptographic devices to implement this method
US8369516B2 (en) Encryption apparatus having common key encryption function and embedded apparatus
CN107070630B (en) A Fast and Safe Hardware Structure of AES Algorithm
KR101324351B1 (en) Method for generating a cipher-based message authentication code
KR20050078271A (en) Hardware cryptographic engine and method improving power consumption and operation speed
CN110572255A (en) Lightweight Block Cipher Algorithm Shadow Implementation Method, Device, and Computer-Readable Medium
CN104348625A (en) Encryption and decryption device and encryption and decryption method thereof
Selvanayagam et al. Secure file storage on cloud using cryptography
Jacob et al. Towards the generation of a dynamic key-dependent S-box to enhance security
JP2021500760A (en) Protecting modular inversion operations from external surveillance attacks
Waqas et al. Generation of AES-like S-boxes by replacing affine matrix
Jeong et al. Differential fault analysis on block cipher SEED
Arshad et al. New extension of data encryption standard over 128-bit key for digital images
CN101866401B (en) Method for resisting side channel attacks by evolutive S boxes
Xu et al. A white-box AES-like implementation based on key-dependent substitution-linear transformations
Nissar et al. Implementation of security enhancement in AES by inducting dynamicity in AES s-box
Gangadari et al. FPGA implementation of compact S-Box for AES algorithm using composite field arithmetic
CN110532763B (en) Password construction method and system based on high-order orthomorphism replacement
Jassim et al. A modified advanced encryption standard for color images
CN104954118B (en) A kind of mimicry encryption method and system encoded based on vector network with DES

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20250915

Address after: 100084 Beijing City, Haidian District Tsinghua Yuan

Patentee after: TSINGHUA University

Country or region after: China

Patentee after: Wuxi Research Institute of Applied Technologies Tsinghua University

Address before: 214072 Jiangsu Province Wuxi City Binhu District Jianzhu West Road 777 National Integrated Circuit Design Center A3 Building

Patentee before: Wuxi Research Institute of Applied Technologies Tsinghua University

Country or region before: China
