
CN103618595B - A cryptographic algorithm substitution circuit resistant to power analysis - Google Patents


Info

Publication number
CN103618595B
Authority
CN
China
Prior art keywords
positions
look
input
power consumption
substitution circuit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310417989.1A
Other languages
Chinese (zh)
Other versions
CN103618595A (en)
Inventor
吴斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Synodata Security Technology Co Ltd
Original Assignee
Hangzhou Synodata Security Technology Co Ltd
Application filed by Hangzhou Synodata Security Technology Co Ltd filed Critical Hangzhou Synodata Security Technology Co Ltd
Priority to CN201310417989.1A priority Critical patent/CN103618595B/en
Publication of CN103618595A publication Critical patent/CN103618595A/en
Publication of CN103618595B publication Critical patent/CN103618595B/en

Landscapes

  • Storage Device Security (AREA)

Abstract

A cryptographic algorithm substitution circuit resistant to power analysis, comprising an S-box with an M-bit input signal and an N-bit output signal. The S-box includes a look-up table that maps the M-bit input signal to the N-bit output signal. The look-up table has K N-bit constant inputs, and the values of the K N-bit constants range from 0 to 2^N - 1. The S-box has one N-bit random number input, and each of the K N-bit constants is XORed with the random number before being input to the look-up table. The invention has the advantages that the true key value is difficult to recover by power analysis and that the area of the substitution circuit is small.

Description

A cryptographic algorithm substitution circuit resistant to power analysis
Technical field
The present invention relates to a cryptographic algorithm substitution circuit.
Technical background
With the development and spread of information technology, circuits that implement cryptographic algorithms, such as smart cards, are used ever more widely, and these cryptographic devices carry more and more personal and commercial secrets. Block ciphers are a function that cryptographic devices such as smart cards must support, and they are the key module for protecting information security. A block cipher generally has a round structure: each encryption or decryption requires many rounds (for example 12 or 16), and every round contains several nonlinear or linear operations in which the key takes part. In a cryptographic chip these operations are generally implemented by logic circuits, and the power consumed by a logic circuit depends on the value of each bit of the key. The power consumption of the cryptographic chip is therefore associated with the key value to some degree, which poses a potential threat to the security of the cipher.
On the other hand, the development of chip cracking techniques poses a great threat to chips used in the information security field. Physical attacks are the traditional chip cracking technique: the chip package is destroyed and probes or a microscope are used to obtain key information inside the chip. The power analysis techniques that have appeared in recent years do not need to destroy the chip. They simply measure the power consumption information leaked on the chip's power pin, sample it into a number of power traces, and then apply algorithms to analyse the information security algorithm and the key used by the chip. Many research institutions and chip research companies at home and abroad are currently studying power analysis, and with the most advanced power analysis techniques a key can be cracked within a few seconds. When designing a chip for the information security field, it is therefore necessary to add measures that resist cracking techniques in order to improve the security of the chip.
To improve the ability of block ciphers to resist power attacks, academia has proposed many measures, such as dual-rail logic and masking algorithms. Dual-rail logic modifies the bottom level of the logic circuit: with a specially designed logic structure, the output power consumption is essentially equal whether a given bit of the input data is 1 or 0. Masking is a widely used countermeasure against power attacks. The plaintext input is first XORed with a random number, and the data is recovered only after encryption or decryption has finished. During the round operations, all data in the circuit is therefore the XOR of the true value and the random mask, so the key value has no direct effect on the power consumption.
Block ciphers commonly use substitution operations to perform nonlinear operations. A basic substitution unit takes a group of input data of fixed length and outputs a corresponding second group of data through a look-up table. The two groups of data may differ in length. Typical substitution operations are the S-boxes in the DES or AES algorithms. Let S(X) denote the output of a substitution unit for input X; its nonlinear operation satisfies S(A+B) ≠ S(A) + S(B). In a cryptographic chip, a block cipher is generally executed by a dedicated hardware accelerator, and the circuit structure within it that implements the substitution operation is the substitution circuit.
Existing substitution circuits include the unmasked substitution circuit and the conventional masked substitution circuit. The unmasked substitution circuit, shown in Fig. 1, has one M-bit input Sbox_in and one N-bit output Sbox_out, and generally satisfies M >= N. The function of this circuit module is to look up, according to the value of the input (Sbox_in), the corresponding N-bit value in a look-up table (2^M-to-1 Lookup Table) and output it. Taking the S-box in a DES encryption/decryption circuit as an example, M = 6 and N = 4, so the input has 2^M = 64 possible values and the output has 2^N = 16 possible values, namely the integers 0 to 15 that can be represented in 4 bits. When the input value is fixed, it corresponds to one fixed 4-bit output value.
The shortcoming of the unmasked substitution circuit is as follows. In the unmasked substitution circuit, the input signal Sbox_in is the result of operations such as XOR between the key and the plaintext data, so there is a certain statistical correlation between its output value Sbox_out and the key value. In a differential power analysis (DPA) attack, the key value is fixed and used to encrypt many groups of random plaintext while the power consumption of the block cipher circuit is monitored; after a certain amount of computation the true key value can be guessed. The principle of the DPA attack above is that the change in power consumption of the substitution circuit is mainly determined by the change in the Hamming weight of the output value Sbox_out, and that Hamming weight is statistically correlated with the key value.
The conventional masked substitution circuit is shown in Fig. 2. On the basis of the unmasked substitution circuit, it adds one M-bit random number Rand. This random signal is merged with the normal input signal Sbox_in into one 2M-bit signal, which then serves as the input signal of the look-up table (2^(2M)-to-1 Lookup Table). Taking the S-box in a DES encryption/decryption circuit as an example, with this scheme the look-up table has 2M = 12 input bits, that is, it must select the one corresponding output as Sbox_out from 2^(2M) = 4096 possible input values. Rand is an M-bit random number whose value is different in every encryption operation. In this scheme, because of the random number Rand, the correspondence between the output signal Sbox_out and the input signal Sbox_in is destroyed; in other parts of the block cipher circuit, measures can be taken to recover the Sbox_out value of the unmasked substitution circuit.
When a DPA attack is carried out against this conventional masked substitution circuit, the same key is used for every encryption, but because of the random number Rand the statistical correlation between the key value and the output value Sbox_out is weakened to some degree, which makes it difficult to work out the true key value from the power consumption of the block cipher circuit.
The shortcoming of the conventional masked substitution circuit is that it sharply increases chip area and therefore the cost of the chip.
Summary of the invention
The existing unmasked substitution circuit allows the true key value to be guessed by monitoring power consumption, and the conventional masked substitution circuit, although it can resist power analysis of a certain strength, is complex and large in area. To overcome these shortcomings, the invention provides a cryptographic algorithm substitution circuit resistant to power analysis for which the true key value is difficult to recover by power analysis and whose area is small.
A cryptographic algorithm substitution circuit resistant to power analysis comprises an S-box with an M-bit input signal and an N-bit output signal. The S-box includes a look-up table that maps the M-bit input signal to the N-bit output signal. The look-up table has K N-bit constant inputs (generally K = 2^N), and the values of the K N-bit constants range from 0 to 2^N - 1. The circuit is characterised in that the S-box has one N-bit random number input, and each of the K N-bit constants is XORed with the random number before being input to the look-up table.
Further, the output signal of the look-up table, after being XORed with the random number, serves as the final N-bit output signal of the S-box.
On the basis of the unmasked substitution circuit, the invention adds one N-bit random number Rand. This random number is first XORed with each of the K N-bit constants (values from 0 to 2^N - 1), and the XORed values serve as the candidate values of the 2^M-to-1 look-up table. The internal structure of the 2^M-to-1 look-up table is identical to that of the unmasked substitution circuit: the input signal is M bits and the output signal is N bits. For the same input signal Sbox_in, however, the output signal value of the look-up table differs from that of the unmasked substitution circuit (unless the random number Rand equals 0): the output signal value of the look-up table equals the XOR of the output value of the unmasked substitution circuit and Rand. Although the random number Rand destroys the original correspondence of the look-up table, XORing the actual output signal of the look-up table with Rand once more recovers the correct output value, and the value obtained by XORing the look-up table output signal with the random number is used as the output signal of the S-box. The XOR operation that recovers the output value can be placed inside the substitution circuit of the invention, or at a suitable position at the rear end of the data path.
By XORing the random number with each of the K N-bit constants, the invention both changes the power consumption correspondence between the input signal and the output signal of the S-box through the introduced random number, and keeps the structure of the unmasked substitution circuit without increasing the number of selection conditions, so that the increase in chip area is reduced.
The invention has the advantages that the true key value is difficult to recover by power analysis and that the area of the substitution circuit is small.
Brief description of the drawings
Fig. 1 is the schematic diagram without mask substitution circuit.
Fig. 2 is the schematic diagram of conventional mask substitution circuit.
Fig. 3 is the schematic diagram of the present invention.
Fig. 4 is a schematic diagram of the invention applied to the S-box of the AES algorithm, with M = N = 8.
Detailed description of the embodiments
As shown in Fig. 3, a cryptographic algorithm substitution circuit resistant to power analysis comprises an S-box with an M-bit input signal Sbox_in[M-1:0] and an N-bit output signal Sbox_out[N-1:0]. The S-box includes a look-up table (2^M-to-1 Lookup Table) that maps the M-bit input signal to the N-bit output signal. The look-up table has K N-bit constant inputs (generally K = 2^N), and the values of the constants range from 0 to 2^N - 1. The S-box has one N-bit random number Rand input, and each of the K N-bit constants is XORed with the random number Rand before being input to the look-up table.
The output signal of the look-up table, after being XORed with the random number Rand, serves as the final N-bit output signal Sbox_out[N-1:0] of the S-box.
On the basis of the unmasked substitution circuit, the invention adds one N-bit random number Rand. This random number is first XORed with each of the K N-bit constants (values from 0 to 2^N - 1), and the XORed values serve as the candidate values of the 2^M-to-1 look-up table. The internal structure of the 2^M-to-1 look-up table is identical to that of the unmasked substitution circuit, and the input and output signals are both M bits. For the same input signal Sbox_in, however, the output signal of the look-up table differs from that of the unmasked substitution circuit (unless the random number Rand equals 0): the output signal of the look-up table equals the XOR of the output value of the unmasked substitution circuit and Rand. Although the random number Rand destroys the original correspondence of the look-up table, XORing the actual output signal of the look-up table with Rand once more recovers the correct output value, and the value obtained by XORing the look-up table output signal with the random number is used as the final output signal of the S-box. The XOR operation that recovers the output value can be placed inside the substitution circuit of the invention, or at a suitable position at the rear end of the data path.
Take the S-box of the AES algorithm as an example. The input and output signals of the AES S-box are both 8 bits, that is, M = 8, N = 8 and K = 256, as shown in Fig. 4. First, the 8-bit random number Rand is XORed with each of the 256 constants 0 to 255. These 256 XOR results are then used as the inputs of a 256-to-1 look-up table, and according to the value of the other input Sbox_in[7:0] and the preset correspondence, one of the 256 XOR results is chosen as the output of the look-up table. The output of the look-up table is the true result of the S-box XORed with the random number Rand, so the output of the look-up table is XORed with the random number Rand once to obtain the final output signal of the S-box. Because the invention uses the traditional 2^M-to-1 look-up table, its increase in chip area comes only from the XOR operations between the constant inputs of the look-up table and the random number Rand. Considering the block cipher circuit as a whole, and compared with a block cipher circuit that uses the unmasked substitution circuit, adopting the above low-cost masked substitution circuit increases chip area by less than 20%.
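The masking scheme of this embodiment as a behavioural model (an added example, not part of the patent text). It assumes DES S-box S1 with M = 6 and N = 4, as in the background section's DES example, uses hypothetical function names, and takes the Hamming weight of the look-up table output as the leakage proxy named in the background. It checks that the final XOR recovers Sbox_out and that, over every (Sbox_in, Rand) pair, the Hamming weight of the look-up table output is uncorrelated with that of the true S-box value.

```python
"""Behavioural model of the low-cost masked S-box (constructed example)."""
from itertools import product
from math import sqrt

M, N = 6, 4
K = 1 << N  # K = 2^N constants with values 0 .. 2^N - 1

# DES S-box S1: row = outer bits (b5, b0), column = inner bits b4..b1.
S1_ROWS = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_unmasked(sbox_in):
    """Fig. 1 behaviour: 2^M-to-1 selection of a fixed N-bit constant."""
    row = ((sbox_in >> 4) & 0b10) | (sbox_in & 1)
    col = (sbox_in >> 1) & 0xF
    return S1_ROWS[row][col]


# Which constant is wired to each of the 2^M look-up table inputs.
WIRING = [sbox_unmasked(x) for x in range(1 << M)]


def sbox_low_cost_masked(sbox_in, rand):
    """Fig. 3 behaviour: returns (look-up table output, recovered Sbox_out)."""
    if not 0 <= rand < K:
        raise ValueError("Rand must be an N-bit value")
    masked_constants = [c ^ rand for c in range(K)]     # K XORs with Rand
    lut_inputs = [masked_constants[c] for c in WIRING]  # wiring unchanged
    lut_out = lut_inputs[sbox_in]                       # same 2^M-to-1 select
    return lut_out, lut_out ^ rand                      # final XOR unmasks


def hamming_weight(value):
    return bin(value).count("1")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    vx = sum((a - mx) ** 2 for a in xs)
    vy = sum((b - my) ** 2 for b in ys)
    return cov / sqrt(vx * vy)


def hw_correlation(masked):
    """Correlation of HW(true S-box value) with HW(look-up table output),
    taken exhaustively over all Sbox_in values and all Rand values."""
    true_hw, lut_hw = [], []
    for x, rand in product(range(1 << M), range(K)):
        true_value = sbox_unmasked(x)
        lut_out = sbox_low_cost_masked(x, rand)[0] if masked else true_value
        true_hw.append(hamming_weight(true_value))
        lut_hw.append(hamming_weight(lut_out))
    return pearson(true_hw, lut_hw)


def table_sizes():
    """Selectable entries per scheme, using the figures given in the text."""
    return {
        "unmasked": 1 << M,                  # 2^M = 64
        "conventional_masked": 1 << (2 * M), # 2^(2M) = 4096
        "low_cost_masked": 1 << M,           # 2^M = 64, plus K XORs
        "extra_xor_constants": K,
    }


if __name__ == "__main__":
    print("HW correlation, unmasked:", hw_correlation(False))
    print("HW correlation, low-cost masked:", hw_correlation(True))
    print(table_sizes())
```

The correlation is computed only for the look-up table output; the value after the final XOR is the unmasked Sbox_out again.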
By XORing the random number with each of the K N-bit constants, the invention both changes the power consumption correspondence between the input signal and the output signal of the S-box through the introduced random number, and keeps the structure of the unmasked substitution circuit without increasing the number of selection conditions, so that the increase in chip area is reduced.
The invention has the advantages that the true key value is difficult to recover by power analysis and that the area of the substitution circuit is small.
The content described in the embodiments of this specification merely enumerates forms in which the inventive concept may be implemented. The scope of protection of the invention should not be regarded as limited to the specific forms stated in the embodiments; it also extends to equivalent technical means that those skilled in the art can conceive on the basis of the inventive concept.

Claims (2)

1. A cryptographic algorithm substitution circuit resistant to power analysis, comprising an S-box with an M-bit input signal and an N-bit output signal, the S-box including a look-up table that maps the M-bit input signal to the N-bit output signal, the look-up table having K N-bit constant inputs, the values of the K N-bit constants being integers in the interval [0, 2^N - 1], where M, N and K are positive integers, characterised in that: the S-box has one N-bit random number input, and each of the K N-bit constants is XORed with the random number before being input to the look-up table; and the output signal of the look-up table, after being XORed with the random number, serves as the final N-bit output signal of the S-box.
2. The cryptographic algorithm substitution circuit resistant to power analysis as claimed in claim 1, characterised in that: K = 2^N.
Application CN201310417989.1A, priority date 2013-09-13, filing date 2013-09-13: A cryptographic algorithm substitution circuit resistant to power analysis. Status: Active. Publication: CN103618595B (en)

Publications (2)

Publication Number Publication Date
CN103618595A CN103618595A (en) 2014-03-05
CN103618595B CN103618595B (en) 2017-03-29

Family

ID=50169299

Country Status (1)

Country Link
CN (1) CN103618595B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10567162B2 (en) * 2016-12-22 2020-02-18 Shenzhen State Micro Technology Co Ltd Mask S-box, block ciphers algorithm device and corresponding construction process

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112543094B (en) * 2020-12-07 2022-09-27 山东华翼微电子技术股份有限公司 DES mask anti-side channel attack realization method based on multiple random numbers
TWI785952B (en) * 2021-12-30 2022-12-01 新唐科技股份有限公司 Cipher accelerator and differential fault analysis method for encryption and decryption operations

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: Hangzhou City, Zhejiang province Yuhang District 311121 West Street Wuchang No. 998 Building 9 East

Applicant after: Hangzhou Shengyuan Chip Technique Co., Ltd.

Address before: 310012 room 17, building 1, 103 staff Road, Hangzhou, Zhejiang, Xihu District

Applicant before: Hangzhou Shengyuan Chip Technique Co., Ltd.

CB02 Change of applicant information

Address after: Hangzhou City, Zhejiang province Yuhang District 311121 West Street Wuchang No. 998 Building 9 East

Applicant after: HANGZHOU SYNODATA SECURITY TECHNOLOGY CO., LTD.

Address before: Hangzhou City, Zhejiang province Yuhang District 311121 West Street Wuchang No. 998 Building 9 East

Applicant before: Hangzhou Shengyuan Chip Technique Co., Ltd.

COR Change of bibliographic data
GR01 Patent grant
GR01 Patent grant