Method for realizing block cipher multiple S-boxes for resisting differential power attack

A block cipher technology for resisting differential power consumption attack, applied in countermeasures against attacks on encryption mechanisms, in encryption devices with shift registers/memory, in digital transmission systems, etc. It addresses the problems of reduced computing speed, increased hardware resource consumption and restricted security chip development, and achieves the effect of increasing the difficulty of the attack.

Active Publication Date: 2017-09-26
ENG UNIV OF THE CHINESE PEOPLES ARMED POLICE FORCE

AI-Extracted Technical Summary

Problems solved by technology

[0004] However, the above two technologies have a common disadvantage, that is, significantly increasing the resources co...

Method used

To provide effective protection for the S-box, the present invention provides a method for implementing the block cipher multiple S-boxes resistant to differential power consumption attack shown in Figure 1. It uses pipeline technology and adds three-level registers in the middle of the multi-dimensional serial reusable S-box frame, so that the speed of cryptographic operations does not drop too much compared with the original scheme and efficiency is improved.

Abstract

The invention relates to a method for realizing block cipher multiple S-boxes for resisting differential power attack. First, a plurality of parallel S-boxes are converted to obtain 4×4 S-box permutations, and the 4×4 S-box permutations are numbered. Then the block cipher multiple S-box random input technique is applied to all 4×4 S-boxes, so that an attacker performing a differential power attack cannot align the curves by the relevant statistical differential method after obtaining the power consumption curves; the differential power attack therefore fails, which improves the security of the block cipher implementation. Furthermore, the method uses only g(n) bits of random number, far fewer than other masking schemes, and the difficulty of the data processing stage of the differential power attack is greatly increased. In terms of speed, because the method converts the original parallel S-boxes into a multi-dimensional serial reusable S-box frame, a pipeline method can be used, thereby reducing speed by 30% compared with the original solution.

Application Domain

Encryption apparatus with shift registers/memories; Cryptographic attack countermeasures

Technology Topic

Differential method; Data processing; +7

Image

  • Figures 1 to 3: Method for realizing block cipher multiple S-boxes for resisting differential power attack

Examples

  • Experimental program (2)

Example Embodiment

[0041] Example 1
[0042] To improve the effective protection of the S-box, the present invention provides the block cipher multi-S-box implementation method for resisting differential power consumption attacks shown in Figure 1. It uses pipeline technology to add three-level registers in the middle of the multi-dimensional serial reusable S-box frame, so that the speed of cryptographic operations does not drop too much compared with the original scheme and efficiency is improved.
[0043] Using the block cipher multi-S-box randomized input technology, an attacker performing a differential power consumption attack cannot align the curves by the relevant statistical differential method after obtaining the power consumption curves, so the differential power consumption attack fails and the security of the block cipher implementation is improved.
[0044] The specific plan includes the following steps:
[0045] Step 1: Select a block cipher algorithm, convert its multiple parallel S-boxes to obtain 4×4 S-box permutations, and number the 4×4 S-box permutations from 0 to n-1. (According to Nikova's theory, such a permutation is secure when the number of input bits n ≥ 4; we also note that in current cryptographic schemes the smallest S-box is 4×4 in size, so it is reasonable for this scheme to assume that the smallest permutation in the resulting S-box frame is 4×4.)
[0046] The specific operation steps are:
[0047] A. Convert the n independent parallel S-boxes into a multi-dimensional serial reusable S-box frame S′ by the compression algorithm;
[0048] B. Number the 4×4 S-box permutations in S′, that is
[0049]
[0050] where m_{n-1} denotes the input of the (n-1)-th 4-bit S-box permutation, S_{n-1}(m_{n-1}) denotes the output of the (n-1)-th 4-bit S-box permutation, and S′ denotes the multi-dimensional serial reusable S-box frame.
[0051] Step 2: Before the circuit performs the S-box operation, generate a random number whose value range lies within the numbering range of the 4×4 S-box permutations, and select the 4×4 S-box permutation corresponding to the random number;
[0052] The specific operation steps are:
[0053] 1) Before the circuit performs the S-box operation, a random number R_1 is generated, that is
[0054] R_1 = (r_1, r_2, ..., r_{g(n)})  (2)
[0055] where 0 ≤ R_1 ≤ n-1 and g(n) denotes the number of binary bits corresponding to the number n of 4×4 S-boxes actually involved in the operation;
[0056] 2) The value of R_1 selects the corresponding 4×4 S-box permutation (the one numbered R_1) to enter S′; the output of that permutation is the result of the 4×4 S-box permutation.
[0057] Step 3: Generate the next random number by the random number update algorithm, and select the 4×4 S-box permutation corresponding to that random number;
[0058] That is: the random number R_1 is XORed with the output of the first selected 4×4 S-box permutation entering S′, and the result is used as the random number R_2 for selecting the next 4×4 S-box permutation, that is
[0059]
[0060] Step 4: Repeat Step 3. If the 4×4 S-box permutation corresponding to the newly generated random number has already been selected, XOR the bits of the newly generated random number together to obtain a 1-bit value;
[0061] The specific operation steps are:
[0062] a) Repeat step 3; if the 4×4 S-box permutation corresponding to a newly generated random number R_i has already been selected, perform step b) until the 4×4 S-box permutation corresponding to the newly generated random number R_i is one that has not been selected;
[0063] b) XOR the bits of R_i together to obtain R_i^*, that is
[0064]
[0065] Step 5: Select the distinguishing function and re-select the next 4×4 S-box permutation. If it is still a 4×4 S-box permutation that has already been selected, continue step 5 until the 4×4 S-box permutation found is one not previously selected, then jump back to step 3;
[0066] The specific operation is: choose a distinguishing function f(R_i^*)
[0067]
[0068] If R_i^*, the result of XORing the bits of R_i together, is "0", the corresponding permutation is selected; when R_i^* is "1", the other corresponding permutation is selected. If the 4×4 S-box permutation so selected has already been selected, continue this step until the 4×4 S-box permutation found is one that has not been selected before.
[0069] Step 6: Repeat steps 3 to 5 until all 4×4 S box replacements are selected.
[0070] This block cipher multi-S-box implementation method for resisting differential power consumption attacks has the following advantages:
[0071] (1) This scheme uses only g(n) bits of random number, far fewer than other masking schemes.
[0072] (2) Because the distinguishing function f(R_i^*) makes the length of the power consumption curve differ each time the attacker captures the key data of the S-box, aligning the power consumption data in the later stage of DPA becomes much more difficult.
[0073] (3) In terms of resources, whether this scheme is implemented with a lookup table or with logic gates, resource consumption does not increase much compared with the original implementation.
[0074] (4) In terms of speed, since this scheme converts the original parallel S-boxes into serial S-boxes, the pipeline method can be used, so the speed does not decrease much compared with the original scheme.
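The selection procedure of steps 1 to 6 can be simulated in software to see what the random input actually does to the evaluation order. The following Python is an added example written for this page; it is not the patent's own implementation. It assumes n is a power of two so that the low g(n) bits of the random value index a permutation (as in Example 2, where a 4-bit R_1 is used with a 3-bit index R_1′), carries the random value at 4 bits so it can be XORed with the 4-bit S-box output, and, because the page does not preserve the formula for the distinguishing function, assumes f(R_i^*) = 0 means scanning upward and f(R_i^*) = 1 means scanning downward through the S-box numbers until an unselected permutation is found. The eight 4×4 permutations are constructed placeholders, not a real cipher's S-boxes.

```python
"""Simulation of the randomized order in which the n 4x4 S-box permutations
of the serial frame S' are evaluated (steps 1 to 6 of Example 1).
Added example; every assumption is marked in the comments."""
import secrets

# Constructed placeholder 4x4 S-boxes (affine maps mod 16 with odd
# multipliers are permutations); not a real cipher's S-boxes.
SBOXES = [[((2 * k + 1) * x + k) % 16 for x in range(16)] for k in range(8)]


def random_bits_needed(n):
    """g(n): number of bits needed to number n permutations 0..n-1
    (n = 8 gives 3, as in Example 2)."""
    return (n - 1).bit_length()


def parity(x):
    """Step 4b: XOR all bits of R_i together, giving the 1-bit value R_i^*."""
    p = 0
    while x:
        p ^= x & 1
        x >>= 1
    return p


def randomized_sbox_order(sboxes, inputs, r1):
    """Return (order, outputs): the sequence in which the permutations are
    selected, and the output S_k(m_k) of each permutation k in numbering order.

    r1 is the random number R_1 (at most 4 bits here, i.e. the g(n)+1
    correction of Example 2, an assumption for the general case). Only g(n)
    fresh random bits drive the whole order; every later R_i is derived by
    XOR with an S-box output, exactly as step 3 describes.
    """
    n = len(sboxes)
    if n & (n - 1):
        raise ValueError("assumption: n must be a power of two")
    index_mask = n - 1          # the low g(n) bits select a permutation
    r = r1 & 0xF                # R_i carried as a 4-bit value (assumption)
    order, outputs = [], {}
    while len(order) < n:
        idx = r & index_mask    # step 2 / step 3: permutation numbered R_i'
        if idx in outputs:      # step 4: that permutation was already used
            # Step 5 with the assumed distinguishing function f(R_i^*):
            # scan upward for R_i^* == 0, downward for R_i^* == 1, and keep
            # scanning (repeat step 5) until an unselected number is found.
            direction = 1 if parity(r) == 0 else -1
            while idx in outputs:
                idx = (idx + direction) % n
            r = idx             # assumption: continue from the chosen number
        out = sboxes[idx][inputs[idx]]
        outputs[idx] = out
        order.append(idx)
        r ^= out                # step 3: R_{i+1} = R_i XOR S_idx(m_idx)
    return order, [outputs[k] for k in range(n)]


if __name__ == "__main__":
    inputs = [3, 7, 1, 12, 5, 9, 0, 14]   # constructed 4-bit inputs m_0..m_7
    for r1 in (5, 13, secrets.randbelow(16)):
        order, outs = randomized_sbox_order(SBOXES, inputs, r1)
        print(f"R_1={r1:2d}: evaluation order {order}, outputs {outs}")
```

Different values of R_1 give different evaluation orders of the same eight permutations, which is the property the scheme relies on: the power consumption of a given S-box lands at a different point in the trace from run to run, so traces cannot be aligned by fixing one time offset. The check a reviewer of such a design wants is the structural one: every run still evaluates each permutation exactly once, whatever R_1 is.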

Example Embodiment

[0075] Example 2
[0076] Taking the block cipher DES as an example, the present invention is described in further detail.
[0077] Although the DES algorithm with its 56-bit key has been proved insecure in many applications, Triple-DES is still widely used in the field of electronic payment, because it has a 112-bit key and is therefore proved secure.
[0078] The DES algorithm is a symmetric cryptosystem, also known as the American Data Encryption Standard. It is a symmetric encryption algorithm developed by IBM Corporation in the United States in 1972. The plaintext is grouped into 64-bit blocks; the key length is 64 bits, of which 56 bits actually participate in the DES operation (bits 8, 16, 24, 32, 40, 48, 56 and 64 are check bits, so that each key byte has an odd number of 1s). The plaintext block and the 56-bit key are substituted or permuted bit by bit to form a ciphertext block.
[0079] According to the DES algorithm, its S-box consists of eight 6×4 S-boxes in parallel. In each S-box, bits 1 and 6 of the 6-bit input determine which of the four 4×4 permutations the 4-bit input formed by bits 2 to 5 enters. Therefore, the eight 6×4 S-boxes are actually composed of 32 4×4 S-boxes. We implement the DES S-box according to the process of the scheme; the specific steps are as follows:
[0080] 1. Convert the eight 6×4 S-boxes in the DES algorithm into 32 4×4 S-boxes, and use Bilgin's multiplexing idea to convert the n independent parallel S-boxes into a multi-dimensional serial reusable S-box frame S′ by the compression algorithm. The converted logic diagram is shown in Figure 2, where GK, GL, F, A_ij, B_ij and C_ij are known substitutions; refer to [1] for the specific substitutions.
[0081] 2. Since 8 4×4 S-boxes actually participate in the DES S-box operation, n = 8 and g(n) = 3. To meet the requirements of the subsequent algorithm, we make a correction to g(n).
[0082] Let g(n)′ = g(n) + 1 = 4, so the generated random number is R_1 = (r_1, r_2, ..., r_{g(n)′}) = (r_1, r_2, r_3, r_4), 0 ≤ R_1 ≤ 15.
[0083] 3. Set R_1′ = (r_2, r_3, r_4), and use R_1′ to select the first 4×4 S-box permutation (the one numbered R_1′) to enter S′;
[0084] 4. The random number R_1 is XORed with the output of the first selected 4×4 S-box permutation entering S′, and the result is used as the random number for selecting the next 4×4 S-box permutation.
[0085]
[0086] 5. Repeat steps 3 and 4; if the 4×4 S-box permutation corresponding to a newly generated random number R_i has already been selected, go to step 6.
[0087] 6. XOR the bits of R_i together to obtain R_i^*, that is
[0088]
[0089] 7. Choose a distinguishing function f(R_i^*)
[0090]
[0091] If R_i^*, the result of XORing the bits of R_i together, is "0", the corresponding permutation is selected; when it is "1", the other corresponding permutation is selected. If the 4×4 S-box permutation so selected has already been selected, continue this step until the 4×4 S-box permutation found is one not selected before, then jump back to step 3.
[0092] 8. Repeat the above steps until all 8 4×4 S-box permutations have been selected and have entered the multi-dimensional serial reusable S-box frame.
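The split described in paragraph [0079] (input bits 1 and 6 pick one of four rows, bits 2 to 5 index within that row) can be checked directly against a DES table. The following Python is an added example, not code from the patent; it uses the standard DES S1 table (the other seven S-boxes have the same layout and are omitted) and shows that a 6×4 S-box is exactly four 4×4 permutations of which one participates for a given input, so eight 6×4 S-boxes give 32 4×4 S-boxes but n = 8 participating permutations, hence g(n) = 3.

```python
"""A DES 6x4 S-box viewed as four 4x4 permutations selected by the outer
input bits (paragraph [0079]). Added example; DES_S1 is the standard S1 table."""

DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def outer_bits(x):
    """Bits 1 and 6 of the 6-bit input (bit 1 is the most significant)."""
    return ((x >> 5) & 1) << 1 | (x & 1)


def inner_bits(x):
    """Bits 2..5 of the 6-bit input: the 4-bit value fed to a 4x4 permutation."""
    return (x >> 1) & 0xF


def split_6x4_sbox(table):
    """Return the four 4x4 permutations of a DES 6x4 S-box, one per row,
    checking that each row really is a permutation of 0..15."""
    perms = [list(row) for row in table]
    for row in perms:
        if sorted(row) != list(range(16)):
            raise ValueError("row is not a 4x4 permutation")
    return perms


def des_sbox_lookup(table, x):
    """Textbook DES lookup: row from the outer bits, column from the inner bits."""
    return table[outer_bits(x)][inner_bits(x)]


def sbox_via_4x4_selection(table, x):
    """The same substitution restated as in the patent: the outer bits select
    which 4x4 permutation participates, the inner 4 bits pass through it."""
    return split_6x4_sbox(table)[outer_bits(x)][inner_bits(x)]


def count_4x4_permutations(num_6x4=8):
    """Eight 6x4 S-boxes hold 32 4x4 permutations in total."""
    return 4 * num_6x4


def participating_per_input(num_6x4=8):
    """Only one 4x4 permutation per 6x4 S-box is used for any input: n = 8."""
    return num_6x4


def g(n):
    """Number of bits needed to number n permutations; g(8) = 3."""
    return (n - 1).bit_length()


if __name__ == "__main__":
    for x in (0b000000, 0b011111, 0b111111):
        print(f"S1({x:06b}) = {des_sbox_lookup(DES_S1, x):2d} "
              f"via permutation {outer_bits(x)} on input {inner_bits(x)}")
    print(count_4x4_permutations(), participating_per_input(), g(8))
```

The point for anyone reviewing the design is that the 32-to-8 reduction is not an approximation: for every one of the 64 inputs the two lookup styles agree, so randomizing which of the eight participating permutations is evaluated first changes only the order of work, never the result.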
[0093] Finally, the security of the scheme of the present invention is described.
[0094] Security analysis of this scheme
[0095] Theory of power analysis
[0096] The target of the DPA power consumption attack is the output of the register corresponding to the S-box in the cryptographic algorithm circuit. Taking a 4×4 S-box as an example, the specific circuit diagram is shown in Figure 3; the power region is the region in which the attacker wants to collect power consumption.
[0097] This region consists of four 1-bit registers, each reg corresponding to one output bit of the S-box. The internal structure of a reg is shown in Figure 4.
[0098] One reg consists of a small number of control devices and a D flip-flop, as shown in Figure 5; the D flip-flop consists of 6 NAND gates.
[0099] Therefore, when the input D toggles, about 8 AND gates, 1 OR gate and 1 NOT gate switch, and their internal CMOS transistors generate instantaneous dynamic power consumption. The attacker can apply DPA to the collected power consumption to attack the device.
[0100] This scheme adopts the technique of randomly inputting the 4×4 S-boxes, so that in the multi-dimensional serial reusable S-box frame the correct key can be recovered only when the key and the random number are guessed at the same time. The probability of guessing the key data and power consumption value corresponding to the key and the random number is shown in Table 1.
[0101]
[0102] Table 1
[0103] Next, calculate the probability of an attacker recovering the key. The probability of guessing one group of key bits is 1/16, and the probability of guessing one 4×4 S-box is 1/8. In the differential power attack the attacker chooses n groups of plaintext.
[0104] The probability of analyzing the key corresponding to the i-th group of 4×4 S-boxes is no more than (1/2)^{3(n+4)}.
[0105] Since n is generally between 1000 and 2000 in differential power consumption attacks, it follows that only when the attacker guesses the key and the random number at the same time can the correct key be confirmed. Moreover, in the later data processing stage, because the present invention uses the distinguishing function f(R_i^*), it is very difficult for an attacker to align all the target curves.
