Protection method for side channel attack and fault attack

[0029] The present invention will be further described below in conjunction with the accompanying drawings.

[0030] The present invention provides a protection method against side channel attacks and fault attacks, which adopts pipeline technology. The method of the invention is as follows: the operation of the block cipher algorithm is divided into several stages of pipelines, and two stages of pipelines are randomly selected.

[0031] Since the pipelines of different stages at the same time are involved in the operation of different data, the side information generated when the random number participates in the operation is used as noise to mask the side information generated by the real data participating in the operation, so that it can resist side channel attacks.

[0032] By comparing whether the operation results of the two real data are consistent at the end of the operation, if they are consistent, it is considered that there is no fault attack, so that the fault attack can be resisted. The operation refers to an encryption or decryption operation of a block cipher.

[0033] Generally, the number of round operations of a block cipher algorithm is even. It is assumed that the number of round operations of the block cipher algorithm is 2N, and N is a positive integer. It is assumed that each stage of the pipeline contains k round operations. Divide the entire operation into n=2N/k-level pipelines, and k needs to be able to decompose 2N, that is, 2N/k is an integer, and an appropriate number of pipeline stages can be selected according to the limitations of hardware resources, which is convenient and flexible to implement. The input of the two-stage pipeline is randomly selected as the real plaintext, and the input of the remaining (n-2) pipelines is a random number.

[0034] like figure 1 shown, figure 1 In this embodiment, it is assumed that the number of round operations of the block cipher algorithm is 2N, N is a positive integer, and 2N/k is an integer; it is assumed that the input of the first stage and the second stage pipeline is the real plaintext P, the input of the third stage to the nth stage pipeline is a random number. The steps in the operation process are as follows:

[0035] 1. At Time1, the first plaintext P enters the first stage of the pipeline to perform operations from the 1st to the kth round. At this time, the input of the second to nth stage pipelines is a random number, and the second and nth stage pipelines The side information generated by the operation of P will be used as noise to mask the real side information generated by the operation of the plaintext P.

[0036] 2. At Time2, the first plaintext P enters the second-stage pipeline for the k+1 to 2k rounds of operations, and the second plaintext P enters the first-stage pipeline for the 1st to kth rounds of operations. The input of the third stage to the nth stage pipeline is a random number, and the side information generated by its operation will be used as noise to mask the real side information generated by the plaintext P operation.

[0037] 3. At Time3, the first plaintext P enters the third-stage pipeline for operations from 2k+1 to 3k rounds, and the second plaintext P enters the second-level pipeline for operations from k+1 to 2k rounds. The random number enters the first-stage pipeline to perform the operations from the 1st to the k-th round. At this time, the input of the fourth-stage to the n-th pipeline is a random number, and the side information generated by the operation will be used as noise to mask the real side generated by the plaintext P operation. information.

[0038] 4. By analogy, at Time n, the first plaintext P enters the nth stage pipeline to perform operations from (n-1)k+1 to nkth rounds. At this point, the encryption of the first plaintext P is completed, and the first ciphertext C.

[0039] 5. At Time n+1, the second plaintext P will also be encrypted, and the second ciphertext C will be obtained; compare whether the first ciphertext C and the second ciphertext C are equal, if the two ciphertexts are equal It means that no fault is injected during the operation, and the encrypted result is available; otherwise, a corresponding alarm message will be generated.

[0040] Using the DES algorithm as an example to illustrate, the DES algorithm has 16 rounds of operations, which are divided into four-stage pipelines. Each stage of the pipeline contains 4 rounds of operations. The slashed part in the figure indicates that random numbers participate in the pipeline operation of this stage. Specific steps are as follows:

[0041] 1. At Time1, the first plaintext P enters the first-stage pipeline for the first to fourth rounds of operations. At this time, the input of the second-stage to the fourth-stage pipeline is a random number, and the second-stage to the fourth-stage pipeline The side information generated by the operation will act as noise to mask the real side information generated by the plaintext P operation.

[0042] 2. At Time2, the first plaintext P enters the second-stage pipeline for the fifth to eighth rounds of operations, and the second plaintext P enters the first-stage pipeline for the first to fourth rounds of operations. At this time, the third stage to The input of the fourth-stage pipeline is a random number, and the side information generated by its operation will be used as noise to mask the real side information generated by the plaintext P operation.

[0043]3. At Time3, the first plaintext P enters the third-stage pipeline for the 9th to 12th rounds of operations, the second plaintext P enters the second-stage pipeline for the 5th to 8th rounds of operations, and the random number enters the first stage. The pipeline performs the first to fourth rounds of operations. At this time, the input of the fourth-stage pipeline is a random number, and the side information generated by the operation will be used as noise to mask the real side information generated by the plaintext P operation.

[0044] 4. At Time4, the first plaintext P enters the fourth-stage pipeline for the 13th to 16th rounds of operations. At this point, the encryption of the first plaintext P is completed, and the first ciphertext C is obtained;

[0045] The second plaintext P enters the third-stage pipeline for the 9th to 12th rounds of operations, and the random numbers enter the second-stage and first-stage pipelines respectively for the 5th to 8th rounds and the 1st to 4th rounds of operations.

[0046] 5. At Time5, the second plaintext P will also be encrypted, and the second ciphertext C will be obtained.

[0047] Compare whether the first ciphertext C and the second ciphertext C are equal. If the two ciphertexts are equal, it means that no fault was injected during the operation, and the encryption result is available; otherwise, a corresponding alarm message will be generated.

[0048] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention rather than to limit them. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: the present invention can still be The specific embodiments of the present invention are modified or equivalently replaced, and any modifications or equivalent replacements that do not depart from the spirit and scope of the present invention shall be included in the scope of the claims of the present invention.