Electromagnetic and power noise injection for hardware operation concealment
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ARM LTD
- Filing Date
- 2021-06-17
- Publication Date
- 2026-06-05
Smart Images

Figure CN116210198B_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to encryption systems. Background Technology
[0002] Side-channel analysis (SCA), specifically differential power analysis (DPA) and electromagnetic interference (EMI), provides experienced attackers with the ability to compromise hardware encryption accelerators. With the advancement of machine learning, machine learning (ML)-assisted DPA / EMI attacks are increasingly prevalent, which may be difficult to suppress with current defenses. Summary of the Invention
[0003] This invention provides operational concealment features for cryptographic systems that generate electromagnetic and power noise during operation. The noise can be strongly correlated with the actual signals of the operation. In some cases, the technique creates randomness across multiple devices, making it more difficult to target sensitive parts of the on-chip system, such that even if one device is compromised and used to generate a model for ML-assisted DPA / EMI, that model is not applicable to other devices.
[0004] An operation concealment method for an encryption system includes selecting which of at least two encryption operation blocks receives a key to apply a valid operation to data and outputs a result, which is then fed back for the next round of computation. This selection can be accomplished using a selection circuit (such as a multiplexer) controlled by a pseudo-random sequence generator or a true random source, or programmably controlled. In some cases, noise can be added by transforming the input data of the other encryption operation blocks among the at least two encryption operation blocks. In some cases, as an additional or alternative, noise can be added by operating these other encryption operation blocks among the at least two encryption operation blocks using a modified key. The modified key can be generated by mixing the key with a block unique identifier, a device secret, a slowly adjusted output of a counter, or a combination thereof. Various specific implementations of this method can lead to changes in noise patterns at several frequencies, which can disrupt the training cycle of a machine learning model.
[0005] During the execution of one cryptographic operation block performing a genuine protected operation, the use of other cryptographic operation blocks can provide relevant, unique, and appropriate electromagnetic emissions that mask the electromagnetic emissions emitted by the genuine protected operation. Furthermore, by switching which cryptographic operation is executing the genuine protected operation, attackers cannot simply ignore the relevant operation.
[0006] In some cases, an encryption system includes at least one encryption operation block distributed across the chip. For example, an encryption system may include an encryption operation block coupled to receive a key and apply operations to data, wherein the encryption operation block comprises multiple sub-blocks and the sub-blocks are distributed across the chip, with other blocks (e.g., secure or insecure circuitry that may be used as part of the encryption system or for different encryption or other systems on the same chip) between the sub-blocks. In some cases, two or more encryption accelerators are close together and intertwined / interwoven, making it difficult to independently detect one of the encryption accelerators.
[0007] In some cases, an encryption system with operation concealment includes at least two encryption operation blocks; and circuitry coupled to the at least two encryption operation blocks, which routes inputs and outputs between the at least two encryption operation blocks in a pseudo-random, random, or programmable manner. In some cases, the circuitry may include selection circuitry (such as a multiplexer) and a pseudo-random sequence generator.
[0008] This summary is provided to introduce a series of concepts in a simplified form, which will be further described in the detailed embodiments below. This summary is not intended to identify key or essential features of the claimed subject matter, nor is it intended to limit the scope of the claimed subject matter. Attached Figure Description
[0009] Figure 1 The standard AES core configuration is shown.
[0010] Figure 2 The first exemplary operational hiding configuration for an encryption system is shown.
[0011] Figure 3 A second exemplary operational hiding configuration for an encryption system is shown.
[0012] Figure 4 A third exemplary operational hiding configuration for an encryption system is shown.
[0013] Figure 5A and Figure 5B A counter configuration for an encryption system with operational concealment is shown.
[0014] Figure 6 A fourth exemplary operation hiding configuration for an encryption system is shown.
[0015] Figure 7 An exemplary configuration of an encryption system with data extraction suppression is shown.
[0016] Figure 8 An exemplary configuration of an encryption system that combines both operation concealment and data extraction suppression is shown.
[0017] Figure 9A An exemplary operational hiding configuration for an encryption system with an interleaved layout is shown.
[0018] Figure 9B and Figure 9C An exemplary representation of the interleaved layout for cryptographic operation blocks is shown. Detailed Implementation
[0019] This invention provides operational concealment features for cryptographic systems that generate electromagnetic and power noise during operation. The noise can be strongly correlated with the actual signals of the operation. In some cases, the techniques and configurations create randomness across multiple devices, making it more difficult to target sensitive parts of the on-chip system, such that even if one device is compromised and used to generate a model for ML-assisted DPA / EMI, that model is not applicable to other devices.
[0020] Various operation concealment layers are provided for encryption systems. These operation concealment features are applicable to symmetric encryption, asymmetric encryption / public key exchange algorithms, cryptographic hashing, and other security-critical algorithms.
[0021] Typically, to achieve high performance in accelerators and other circuits, components are arranged close together to minimize the distance between them, thereby limiting transmission delay and power consumption. In contrast, in some implementations, suppression mechanisms involve distributing portions of the circuitry processing sensitive information across the chip, making it difficult to pick up sensitive information from a probe at a single point. Instead, an attacker would have to pick up emissions from across the entire chip and combine them using an algorithm to recover the information. Therefore, instead of using a single small probe capable of specifically targeting a region of the chip strongly correlated with cryptographic operations, an attacker would need to probe multiple regions or even the entire chip and correlate those measurements while filtering out a large number of noise sources. This type of layout is suitable for applications where the increased delay due to dispersion (including due to slower clocks and lower drive strengths, applied to minimize the effects of additional EMI caused by long wires between some sub-blocks) is acceptable given the increased security. For example, a cloud-hosted hardware security module (HSM) can implement the aforementioned layout against an underlying physical hardware security module that handles long-term keys used to sign keys created by a reasonably trusted environment (e.g., a virtual machine or a regular computing device). The physical hardware security module can then be used at the highest security level, and other operations can be delegated to a faster processor. A second example is a mobile device that slowly and securely evaluates PIN / password inputs and financial transactions while quickly but less securely calculating less critical operations.
[0022] Therefore, in some implementations, instead of spreading the encryption operation temporally (e.g., through clock shaving, virtual operations, etc.), the encryption accelerator can be spread spatially. This can be done for a single accelerator divided into sub-blocks set in different regions, or by using multiple instances of the accelerator for the same data, where the multiple instances are set in different regions (and optionally interleaved).
[0023] In some such cases, automated placement and routing toolchains may include secure placement features that distribute circuitry handling sensitive operations across the chip rather than adjusting the layout for efficiency between components to make signals harder to pick up from that circuitry. In some cases, the specific circuitry involved in the distribution is cryptographic computing blocks.
[0024] In some implementations, a configuration is provided that actively obfuscates the operation of a machine learning network by inserting additional information into the emission. This additional information does not reveal sensitive information but can be strongly correlated with it. In some cases, the additional information is made different for different devices, so that even if a model can be created to train the model on a compromised device, the same model will not work on another device. Using other cryptographic operation blocks during the operation of one cryptographic operation block performing the real protected operation can provide relevant, unique, and appropriate electromagnetic emissions that mask the electromagnetic emissions emitted by the real protected operation. Furthermore, by switching which cryptographic operation is performing the real protected operation, an attacker cannot simply ignore the related operation.
[0025] Inserting additional information into the transmission can be done by using multiple instances of the same cryptographic accelerator, which can be distributed across multiple regions across the SoC. For example, the system may include at least two cryptographic operation blocks; and circuitry coupled to the at least two cryptographic operation blocks, routing inputs and outputs between the at least two cryptographic operation blocks for subsequent computation. This circuitry may support pseudo-random, random, or programmable selection of inputs and outputs. Virtual operations can be executed on all cryptographic accelerators except for one, where non-virtual operations are protected by the transmission from the virtual operations. This method can also provide additional cryptographic computational resources when used for lower security operations (e.g., where DPA / EMI attacks are not a concern).
[0026] Two or more cryptographic accelerators can also be interleaved / wrapped, so that when observed using EMI or DPA techniques, these cryptographic accelerators appear spatially juxtaposed and operations in one cryptographic accelerator cannot be distinguished from operations in other cryptographic accelerators (see, for example...). Figure 9B This makes it difficult to detect one crypto accelerator within another crypto accelerator independently of other crypto accelerators.
[0027] As described above, the operation hiding configuration is applicable to several different encryption systems with encrypted operation blocks. One such encryption system is the AES encryption system.
[0028] Figure 1A standard AES core configuration is shown. In the standard AES core configuration 100, data 110 is input to an AES calculator 120 that encrypts (or decrypts) data 110 based on a key 130. The AES calculator 120 represents the hardware that computes one round of AES calculation. The output of round 140 is fed back to undergo another round of calculation at the AES calculator 120, until the total number of rounds for a specific operation is completed (e.g., 12 rounds). Each block of data can be encrypted (or decrypted) in a specific number of clock cycles (e.g., 12 cycles starting from CLK150).
[0029] Figure 2 A first exemplary operational hiding configuration for an encryption system is shown. See also Figure 2 In the first level of operation concealment, operation concealment configuration 200 may include at least two cryptographic operation blocks: a first AES calculator 210 and a second AES calculator 220; and circuitry coupled to the at least two cryptographic operation blocks, routing inputs and outputs between the at least two cryptographic operation blocks. This circuitry includes selection circuitry and, in this illustration, includes a pseudo-random sequence generator (PRSG). Of course, in other embodiments, a truly random source may be used, or a programmable sequence may be used instead of the PRSG. In this embodiment, the first AES calculator 210 and the second AES calculator 220 use the same key 230 to perform computations on data 240, wherein each round is performed by one of the two AES calculators 210, 220 based on control signals from the PRSG in the form of a linear feedback shift register (LFSR) 250 and selection circuitry including multiple multiplexers (MUX). The LFSR 250 provides signals to control which branch each multiplexer (MUX) uses, causing encryption operations to migrate randomly between blocks (between the two AES calculators 210 and 220). For example, under the control of the LFSR 250, the first MUX 251 can be used to select whether to input key 230 into the first AES calculator 210, and the second MUX 252 can be used to select whether to input key 230 into the second AES calculator 220. The third MUX 253 can be used, under the control of the LFSR 250, to select which output is fed back for the next round of computation (or subsequent computation). In some cases, encryption operations are still performed by both blocks using data 240; however, only one block has key 230. Here, each of the at least two encryption operation blocks performs operations simultaneously, and the circuit selects which output of the at least two encryption operation blocks is used for subsequent computation.
[0030] An operation concealment method using configuration 200 includes: selecting, via a corresponding MUX (e.g., first MUX 251, second MUX 252) controlled by a PRSG (e.g., LFSR 250), which of at least two cryptographic operation blocks (e.g., AES calculator 210, AES calculator 220) receives a key (e.g., key 230) to apply a valid operation to data (e.g., data 240); and selecting, via a third MUX 253 controlled by a PRSG, which of the outputs of the at least two cryptographic operation blocks (e.g., AES calculator 210, AES calculator 220) is fed back for the next round of computation.
[0031] Figure 3 A second exemplary operational concealment configuration for an encryption system is shown. See also Figure 3 In the second level of operation concealment, operation concealment configuration 300 may include at least two cryptographic operation blocks: a first AES calculator 310 and a second AES calculator 320; and circuitry coupled to the at least two cryptographic operation blocks, routing inputs and outputs between the at least two cryptographic operation blocks. This circuitry includes selection circuitry and, in this illustration, includes a PRSG in the form of an LFSR 330. Of course, in other implementations, a truly random source may be used, or a programmable sequence (provided via, for example, a shift register) may be used instead of the LFSR 330. During operation, similar to... Figure 2 In configuration 200, each subsequent computation (e.g., an AES round) is performed by one of two AES calculators 310, 320 based on control signals from an LFSR 330 and selection circuitry including multiple MUXs. However, in this specific implementation, a first block cryptography 340 and a second block cryptography 350 are included to transform the key 360. The block cryptography 340, 350 may provide a unique identifier (“block unique identifier”) for each primitive (and each block on the SoC has its own cryptography, but the block unique identifier can be shared across all SoCs). That is, the block unique identifier can be unique for each hardware block, but can be part of a general design that replicates for all devices of the same type. For example, for devices such as those described here... Figure 3 The device shown with two cryptographic operation blocks has each block cipherbook (e.g., first block cipherbook 340 and second block cipherbook 350) configured with a unique identifier (e.g., first block unique identifier and second block unique identifier). This ensures that the modified key provided to either cryptographic operation block is different. In some cases, block cipherbooks 340 and 350 provide the same block unique identifier, or are implemented as a single block cipherbook providing the same block unique identifier for both AES calculators 310 and 320.
[0032] Two AES calculators use key 360 when actively performing actual calculations on data 370, and modify key 360 using their respective block ciphers 340 and 350, such that transmission occurs even when not selected to operate on the actual data. A first combiner 381 is used to transform key 360 using signals from the first block cipher 340 to generate a first modified key 385, and a second combiner 382 is used to transform key 360 using signals from the second block cipher 350 to generate a second modified key 386. In some cases, the first modified key 385 and the second modified key 386 are the same value. Combiners 381 and 382 can be any suitable circuitry used to combine these two signals. For example, the combiner can be a gate that performs logical or arithmetic operations on its inputs to produce an output, such as an XOR gate, or a hash function that can be used to combine signals and output modified keys 385 and 386. In operation, LFSR 330 provides signals to control which branch each MUX uses. For example, under the control of LFSR 330, the first MUX 391 can be used to select whether key 360 or the first modified key 385 is input into the first AES calculator 310, and the second MUX 392 can be used to select whether key 360 or the second modified key 386 is input into the second AES calculator 320. The third MUX 393 can be used, under the control of LFSR, to select which output is fed back for the next round of calculation (or subsequent calculations).
[0033] An operation concealment method using configuration 300 includes: mixing a block unique identifier (e.g., a first block codebook 340 or a second block codebook 350) with a key (e.g., key 360) to output a modified key (e.g., modified key 385, 386); selecting, via a corresponding MUX (e.g., a first MUX 391 or a second MUX 392) controlled by a PRSG (e.g., AES calculator 310 or AES calculator 320), which of at least two cryptographic operation blocks (e.g., AES calculator 310 or AES calculator 320) receives the key (e.g., key 360) to apply a valid operation to data (e.g., data 370), wherein the corresponding MUX selects between the key and the modified key for each of the at least two cryptographic operation blocks; and selecting, via a third MUX 393 controlled by a PRSG, which output of the at least two cryptographic operation blocks (e.g., AES calculator 310 or AES calculator 320) is fed back for the next round of computation.
[0034] By utilizing two AES calculators to perform calculations, one using the correct key and the other using a transformed / modified key, it can be more challenging for an attacker to determine which signal indicates the correct key. Figure 3In this configuration, although the block cipherbook provides key obfuscation and identifies which AES computation is correct, if an attacker eventually learns how to distinguish between valid and transformed key operations, it can be applied to other devices using the same block cipherbook configuration (e.g., because the block cipherbook can be shared between devices). Therefore, in another operation-hiding configuration, each device uses its own device cipherbook to modify the key.
[0035] Figure 4 A third exemplary operational hiding configuration for an encryption system is shown. See also Figure 4 In the third level of operation hiding, the operation hiding configuration 400 may include at least two cryptographic operation blocks: a first AES calculator 410 and a second AES calculator 420; and circuitry coupled to the at least two cryptographic operation blocks, routing inputs and outputs between the at least two cryptographic operation blocks. This circuitry includes selection circuitry and, in this illustration, includes a PRSG in the form of an LFSR 430. Of course, in other implementations, a truly random source may be used, or a programmable sequence (provided via, for example, a shift register) may be used instead of the usable LFSR 430. During operation, similar to... Figure 2 Configuration 200 and Figure 3 In configuration 300, each subsequent calculation (e.g., AES round) is performed by one of two AES calculators 410, 420 based on control signals from LFSR 430 and selection circuitry including multiple MUXs. However, in this specific implementation, a device cipher 440 is included to transform the key 450.
[0036] Two AES calculators use key 450 when actively performing actual calculations on data 460, and modify key 450 using device password 440, so that transmission occurs even when not selected to operate on actual data. In the illustrated example, a first combiner 471 is used to transform key 450 using a signal from device password 440, and a second combiner 472 is used to transform key 450 using a signal from device password 440 to generate a modified key 475. Combiners 471 and 472 can be a single combiner or two independent combiners that output the same signal. Combiners 471 and 472 can be any suitable circuitry used to combine the two signals. For example, gates that perform logical or arithmetic operations on their inputs to produce an output, such as XOR gates, or hash functions used to combine signals and output the modified key 475. In operation, LFSR 430 provides signals to control which branch each MUX takes. For example, under the control of LFSR 430, the first MUX 481 can be used to select whether key 450 or modified key 475 is input into the first AES calculator 410, and the second MUX 482 can be used to select whether key 450 or modified key 475 is input into the second AES calculator 420. The third MUX 483 can be used, under the control of LFSR 430, to select which output is fed back for the next round of calculation (or subsequent calculations).
[0037] An operation concealment method using configuration 400 includes: mixing a device password (e.g., device password 440) with a key (e.g., key 450) to output a modified key (e.g., modified key 475); selecting, via a corresponding MUX (e.g., first MUX 481 or second MUX 482) controlled by a PRSG (e.g., LFSR 430), which of at least two cryptographic operation blocks (e.g., AES calculator 410 or AES calculator 420) receives the key (e.g., key 450) to apply a valid operation to data (e.g., data 460), wherein the corresponding MUX selects between the key and the modified key for each of the at least two cryptographic operation blocks; and selecting, via a third MUX 483 controlled by a PRSG, which output of the at least two cryptographic operation blocks (e.g., AES calculator 410 or AES calculator 420) is fed back for the next round of computation.
[0038] By utilizing two cryptographic blocks to perform computations, one using the correct key and the other using a transformed / modified key, it can be more challenging for an attacker to determine which signal indicates the correct key. Furthermore, the device password 440 makes the attack non-portable across devices. The device password 440 can be a fixed value / number or a value measured internally by the system (e.g., something measured independently within the device, such as a transistor threshold). For example, when manufacturing chips, process variations can exist between chips on a die and between dies, not only due to their location on the die but also due to potentially different temperatures and humidity in the air over hours and days. The device password does not need to be absolutely unique; it is sufficient that it is unique only between devices. That is, the device password is unpredictable enough to prevent a small number of devices (e.g., 1 to 10 or less than 100) from being used to create attacks portable to a larger number of devices (e.g., more than the small number used to train the attack).
[0039] As indicated above, devices with block cipher configurations can be compromised. Similarly, devices with device cipher configurations can be compromised. To make it more difficult for attacks to repeatedly succeed against a particular device (even if that particular device has already been successfully compromised), the operational hiding configuration may also include a counter to update the values output by the block cipher or device cipher. This can be considered a fourth level of hiding. The counter can be updated very slowly. The “slowness” of the update is set enough that the change is not merely noise that can be easily averaged out. For example, if the counter is updated once every thousand cycles, this results in the data collected during those thousand cycles being unsuitable for the next thousand cycles. Even if a machine learning-based DPA / EMI attack can make good predictions in 100 cycles, the attack will only have 900 more cycles to extract the cipher, because then the information picked up by the attack will no longer match the patterns it has learned.
[0040] Figure 5A and Figure 5B A counter configuration for an encryption system with operational concealment is shown. As described above, the counter can be used to slowly adjust the value used to transform the key. Although all counter bits are available to update the count, only the coupled bits are considered when calculating the block cipherbook and / or device cipher. In some cases, the bits from the counter used by the system can be adjusted. For example, if there are reports of an attacker being able to train their SCA attack on 500 repetitions, more or fewer bits of the counter can be used depending on the desired effect (e.g., disallowing 500 repetitions without changing, or allowing 500 repetitions and then changing).
[0041] In a specific implementation, such as Figure 5AAs shown, only the high-order bits of counter 500 are coupled to the combiner that will be used to modify the block cipherbook and / or device cipher. In this case, the coupling can be a hardwired connection 510 to each bit of the bits that will be used. In some cases, the coupling can be optional, for example, via switches or logic gates coupled to each bit, such as AND gates. Figure 5B As shown, counter 550 has a set of AND gates 560 coupled to each bit to mask unused bits. The other inputs to each AND gate can be controlled by the corresponding value in register 570. Register 570 can be programmably updated to change which bits are used. In another specific implementation (not shown), a shift register can be used instead of switches or AND gates to determine how the bits can be shifted before using their output.
[0042] Apply the counter Figure 3 Configuration 300 may include mixing a count value from a counter with a block unique identifier (e.g., from a first block cipherbook 340 or a second block cipherbook 350) and a key (e.g., key 360) before outputting a modified key (e.g., a first modified key 385 or a second modified key 386), wherein the count value ignores the least significant bit of the counter. In some cases, it is possible to adjust which least significant bits of the counter are to be ignored.
[0043] Apply the counter Figure 4 Configuration 400 may include mixing a count value from a counter with a device password (e.g., device password 440) and a key (e.g., key 450) before outputting a modified key (e.g., modified key 475), where the count value ignores the least significant bit of the counter. Similar to the example above, in some cases, it is possible to adjust which least significant bits of the counter are to be ignored.
[0044] Figure 6 A fourth exemplary operational hiding configuration for an encryption system is shown. See also Figure 6 As shown in operation concealment configuration 600, the various concealment features described above can be combined. Operation concealment configuration 600 may include at least two cryptographic operation blocks: a first AES calculator 610 and a second AES calculator 620; and circuitry coupled to the at least two cryptographic operation blocks, routing inputs and outputs between the at least two cryptographic operation blocks. This circuitry includes selection circuitry and, in this illustration, includes a PRSG in the form of an LFSR 630. Of course, in other specific implementations, a truly random source may be used, or a programmable sequence (provided via, for example, a shift register) may be used instead of the usable LFSR 630. During operation, similar to Figure 2 Configuration 200 Figure 3 Configuration 300 and Figure 4In configuration 400, each subsequent calculation (e.g., an AES round) is performed by one of two AES calculators 610 and 620 based on control signals from an LFSR 630 and a selection circuit including multiple MUXs. In a specific implementation of the hidden operation configuration 600, two block codebooks (e.g., a first block codebook 641 and a second block codebook 642), a device cipher 650, and a counter 660 are included to transform the key 670.
[0045] Two AES calculators 610 and 620 use key 670 when actively performing actual calculations on data 680, and use block cipherbooks 641 and 642, device cipher 650 and counter 660 to modify key 670 so that transmission occurs even when the calculator is not selected to operate on actual data.
[0046] In the illustrated configuration, a first combiner 681 combines the output of counter 660 with device password 650 to output time-varying device password 651; a second combiner 682 combines time-varying device password 651 with the output from a first codebook 641; a third combiner 683 combines time-varying device password 651 with the output from a second codebook 642; a fourth combiner 684 transforms key 670 with the signal from the second combiner 682 to generate a first modified key 675; and a fifth combiner 685 transforms key 670 with the signal from the third combiner 683 to generate a second modified key 676. In some cases, the first modified key 675 and the second modified key 676 are the same value. Combiners 681, 682, 683, 684, and 685 can be any suitable circuitry used to combine these two signals. For example, the combiner can be a gate that performs logical or arithmetic operations on its inputs to produce an output, such as an XOR gate, or a hash function that can be used to combine signals and output modified keys 675, 676. In the illustrated specific implementation, counter 660 is coupled to a first combiner 681, which mixes the output of counter 660 with the device password 650. However, in some cases, the output of counter 660 is coupled to first combine with the block codebook (e.g., via combiners 682 and 683, where the same or different combiners are then used to combine the device password), such that the block codebook output is first mixed with the counter output before being mixed with the device password.
[0047] In operation, the LFSR 630 provides signals to control which branch each MUX uses. For example, under the control of the LFSR 630, the first MUX 691 can be used to select whether key 670 or the first modified key 675 is input to the first AES calculator 610, and the second MUX 692 can be used to select whether key 670 or the second modified key 676 is input to the second AES calculator 620. The third MUX 693 can be used, under the control of the LFSR 630, to select which output is fed back for the next round of calculation (or subsequent calculations).
[0048] An operation concealment method using configuration 600 includes: mixing a count value from a counter (e.g., counter 660), a device password (e.g., device password 650), a block unique identifier (e.g., from a first block codebook 641 or a second block codebook 642), and a key (e.g., key 670) to output a modified key (e.g., modified keys 675, 676); selecting, via a corresponding MUX (e.g., a first MUX 691 or a second MUX 692) controlled by a PRSG (e.g., LFSR 630), which of at least two cryptographic operation blocks (e.g., AES calculator 610 or AES calculator 620) receives the key (e.g., key 670) to apply a valid operation to data (e.g., data 680), wherein the corresponding MUX (e.g., a first MUX 691 or a second MUX 692) receives the key (e.g., key 670) to apply a valid operation to data (e.g., data 680), wherein the corresponding MUX (e.g., a first MUX 691 or a second MUX 692) receives the key (e.g., key 670) to apply a valid operation to data (e.g., data 680). 692) For each of the at least two cryptographic operation blocks, select between a key (e.g., key 670) and a modified key (e.g., modified key 675); and select, via a third MUX 693 controlled by the PRSG, which output of the at least two cryptographic operation blocks (e.g., AES calculator 610 or AES calculator 620) is fed back for the next round of computation.
[0049] Although Figure 2 , Figure 3 , Figure 4 and Figure 6 Discrete combiners are shown, but in some cases, fewer or more discrete combiners can be used to combine appropriate signals. For example, regarding... Figure 6In the specific implementation shown, one or more combiners may be coupled to a key output (e.g., key 670), a counter (e.g., counter 660), a device password output (e.g., device password 650), a first codebook 641, and a second codebook 642 to produce corresponding outputs including modified keys (e.g., modified keys 675, 676). Selection circuitry (e.g., MUX 691, 692, 693) is coupled to receive the modified keys and the key output, and, under the control of LFSR 630, selects whether to output the key from the key output or the modified key to the first encryption operation block or the second encryption operation block (e.g., AES calculator 610 or AES calculator 620). One or more combiners may be implemented using a single combiner, for example, in the form of a 5-input adder.
[0050] In another implementation that can be performed using any of the illustrated system configurations, for any given operation, the system can use the PRSG to select either legitimate data or data with a modified key. An accumulator may be included to count how many legitimate operations have been performed, and the PRSG may be weighted toward the legitimate key if too many operations have occurred using the modified key, or vice versa. Alternatively, a pseudo-random sequence (or programmable sequence) may be pre-computed to ensure a good distribution between the legitimate and modified keys, then loaded into a shift register and shifted out at each step.
[0051] In some cases, the input data is transformed in place of the key or in addition to the key. By transforming the input data, data extraction attacks can be counted. In some cases, two or more data storage blocks are used to store data from computational steps using a single (but distributed) cryptographic operation block. In some cases, at least two cryptographic operation blocks are used.
[0052] Figure 7 An exemplary configuration of an encryption system with data extraction suppression is shown. Here, data is transformed using a block cipherbook instead of a key. In some cases, such as Figure 7As shown in the example, an encryption system 700 with data extraction suppression may include at least two encryption operation blocks: a first AES calculator 710 and a second AES calculator 720; and circuitry coupled to the at least two encryption operation blocks, routing inputs and outputs between the at least two encryption operation blocks. This circuitry includes selection circuitry and, in this illustration, includes a PRSG in the form of an LFSR 730. Of course, in other specific implementations, a truly random source may be used, or a programmable sequence (provided via, for example, a shift register) may be used instead of the LFSR 730. A first block cipherbook 740 and a second cipherbook 750 are included to transform input data 760. The block cipherbooks 740 and 750 may provide a unique identifier (“block unique identifier”) for each primitive (and each block on the SoC has a cipherbook, but the block unique identifier may be shared across all SoCs). That is, the block unique identifier may be unique for each hardware block, but may be part of a general design that replicates for all devices of the same type. For example, for devices such as those described here... Figure 7 The device shown has two cryptographic operation blocks. Each block codebook of configuration 700 (e.g., first block codebook 740 and second block codebook 750) is assigned a unique identifier (e.g., first block unique identifier and second block unique identifier). The block unique identifier is used to modify input data 760 using combiners (e.g., combiners 771, 772). Combiners 771, 772 can be any suitable circuitry used to combine the two signals. For example, the combiner can be a gate that performs logical or arithmetic operations on its inputs to produce an output, such as an XOR gate, or a hash function that can be used to combine signals and output modified input data 761, 762.
[0053] During operation, key 780 is provided to AES calculators 710 and 720, and each subsequent calculation (e.g., AES round) is performed by one of the two AES calculators 710 and 720 according to control signals from LFSR 730 and a selection circuit including multiple MUXs (e.g., first MUX 791, second MUX 792 and third MUX 793).
[0054] For example, the first MUX 791 can be used to select whether input data 760 or modified input data 761 is input to the first AES calculator 710, the second MUX 792 can be used to select whether input data 760 or modified input data 762 is input to the second AES calculator 720, and the third MUX 793 can be used to select which output is fed back for the next round of calculation (or subsequent calculation), all under the control of the LFSR 730. Here, each of the at least two encryption operation blocks performs operations simultaneously, wherein the circuit selects which output of the at least two encryption operation blocks is used for subsequent calculations.
[0055] A data extraction suppression method using configuration 700 includes: mixing a block unique identifier (e.g., a first block codebook 740 or a second block codebook 750) with input data (e.g., data 760) to output modified input data (e.g., modified input data 761, 762); selecting, via a corresponding MUX (e.g., a first MUX 791, a second MUX 792) controlled by a PRSG (e.g., LFSR 730), which of at least two cryptographic operation blocks (e.g., AES calculator 710 or AES calculator 720) receives the input data (e.g., data 760) for valid operation, wherein the corresponding MUX selects between the input data and the modified input data for each of the at least two cryptographic operation blocks; and selecting, via a third MUX 793 controlled by a PRSG, which output of the at least two cryptographic operation blocks (e.g., AES calculator 710 or AES calculator 820) is fed back for the next round of computation.
[0056] Figure 8 An exemplary configuration of an encryption system combining operational concealment and data extraction suppression is shown. See also Figure 8 An exemplary configuration 800 may include at least two cryptographic operation blocks: a first AES calculator 810 and a second AES calculator 820; and circuitry coupled to the at least two cryptographic operation blocks, routing inputs and outputs between the at least two cryptographic operation blocks. This circuitry includes selection circuitry and, in this illustration, includes a PRSG in the form of an LFSR 830. Of course, in other specific implementations, a truly random source may be used, or a programmable sequence (provided via, for example, a shift register) may be used instead of the LFSR 830. A first codebook 840 and a second codebook 850 are included to transform input data 860, such as regarding... Figure 7 As described above. However, in addition to transforming the input data 860 using combiners 871 and 872, block cipherbooks 840 and 850 are also used to transform the key 880, such as regarding... Figure 3 Specifically, the block unique identifier from block cipherbooks 840 and 850 is used to modify key 880 into a first modified key 881 and a second modified key 882 using combiners 873 and 874. Combiners 871, 872, 873, and 874 can be any suitable circuitry used to combine these two signals. For example, the combiner can be a gate that performs logical or arithmetic operations on its inputs to produce an output, such as an XOR gate, or a hash function that can be used to combine (and transform) signals and output modified input data 861 and 862 and modified keys 881 and 882.
[0057] During operation, each subsequent calculation (e.g., an AES round) is performed by one of the two AES calculators 810 and 820 based on control signals from the LFSR 830 and a selection circuit that includes multiple MUXs (e.g., first MUX 891, second MUX 892, third MUX 893, fourth MUX 894, and fifth MUX 895). In operation, the LFSR 830 provides signals controlling which branch each MUX uses. For example, the first MUX 891 can be used to select whether to input data 860 or modified input data 861 into the first AES calculator 810, the second MUX 892 can be used to select whether to input data 860 or modified input data 862 into the second AES calculator 820, the third MUX 893 can be used to select whether to input key 880 or the first modified key 881 into the first AES calculator 810, the fourth MUX 894 can be used to select whether to input key 880 or the second modified key 882 into the second AES calculator 820, and the fifth MUX 895 can be used to select which output of the AES calculator is fed back for the next round of calculation (or subsequent calculation), all of which are under the control of the LFSR 830.
[0058] An operation concealment and data extraction suppression method using configuration 800 includes: mixing a block unique identifier (e.g., a first block codebook 840 or a second block codebook 850) with input data (e.g., data 860) to output modified input data (e.g., modified input data 861, 862); and mixing a block unique identifier (e.g., a first block codebook 840 or a second block codebook 850) with a key (e.g., key 880) to output a modified key (e.g., modified keys 385, 386); and transmitting the modified key via corresponding MUXs (e.g., first MUX 891, second MUX 892, third MUX 893, and fourth MUX) controlled by a PRSG (e.g., LFSR 830). 894) Select which of the at least two cryptographic operation blocks (e.g., AES calculator 810 or AES calculator 820) receives input data (e.g., data 860) and a key (e.g., key 880) for valid operation, wherein the corresponding MUX selects between input data and modified input data and between key and modified key for each of the at least two cryptographic operation blocks; and selects which output of the at least two cryptographic operation blocks (e.g., AES calculator 810 or AES calculator 820) is fed back for the next round of computation via a fifth MUX controlled by the PRSG.
[0059] Although the examples shown include Figure 3 The second exemplary operation hiding configuration, but the data extraction suppression also applies to other configurations, including but not limited to. Figure 4 and Figure 6 The configurations shown. For example, instead of using a block unique identifier, or in addition to using a block unique identifier, a device password can be used to generate modified input data. Additionally, in some cases, the key can be modified in a way different from the input data (e.g., using a device password to modify the key and using a block password to modify the input data).
[0060] As described above, although a detailed description of a specific implementation with PRSG has been shown, the system with operation hiding can use a truly random source or be programmably ordered. In some cases, a system can be used that pre-computes a randomly selected sequence (e.g., for each full AES electronic codebook ECB operation) to load the sequence into a shift register and shift it out one at a time.
[0061] although Figure 2 , Figure 3 , Figure 4 , Figure 6 , Figure 7 and Figure 8 The configuration shown is illustrated using discrete blocks, but cryptographic operation blocks and other blocks can be laid out as described regarding suppression mechanisms that position different parts of the circuit in different regions. For example, elements of one cryptographic operation block can be mixed with elements of other cryptographic operation blocks, making it difficult to identify where a block is located during chip inspection. In practice, for example, if there are four different AES round calculators, these four AES round calculators can be mixed together around the chip, making signal analysis more challenging for attackers.
[0062] Figure 9A An exemplary operational concealment configuration for an encryption system with an interleaved layout is shown. See also Figure 9A The operation hiding configuration 900 with its interwoven layout can implement any of the operation hiding configurations described above. In the illustrated example, the operation hiding configuration 900 is similar to... Figure 2Operation hiding configuration 200. For example, operation hiding configuration 900 includes two cryptographic operation blocks: a first cryptographic operation block 901 and a second cryptographic operation block 902 that perform computations on data 920 using the same key 910; and circuitry coupled to at least two cryptographic operation blocks that pseudo-randomly routes inputs and outputs between at least two cryptographic operation blocks. Each computation of a computation sequence (e.g., cryptographic operation rounds) is performed by one of the two cryptographic operation blocks 901, 902 according to control signals from LFSR 930 and selection circuitry (such as multiple MUXs). LFSR 930 provides signals controlling which branch each MUX takes. For example, under the control of LFSR 930, a first MUX 941 can be used to select whether key 910 is input to the first cryptographic operation block 901, and a second MUX 942 can be used to select whether key 910 is input to the second cryptographic operation block 902. A third MUX 943 can be used, under the control of LFSR 930, to select which output is fed back for the next round of computation (or subsequent computations).
[0063] To further conceal the location on the chip where encryption operations are performed, a portion 951 of the first encryption operation block 901 is interleaved with a portion 952 of the second encryption operation block 902. This interleaving can be similar to... Figure 9B or Figure 9C Complete it as shown.
[0064] Figure 9B and Figure 9C An exemplary representation of the interleaved layout for cryptographic operation blocks is shown. See also Figure 9B The first encryption operation block 960 has sub-blocks 961, 962, 963, 964, 965 and 966, and the second encryption operation block 970 has sub-blocks 971, 972, 973, 974, 975 and 976. These two encryption operation blocks can be interleaved in the area of the chip.
[0065] See Figure 9C The first encryption operation block has sub-blocks (shown in white) 981, 982, 983, 984, 985, and 986, and the second encryption operation block has sub-blocks (shown as stripes) 991, 992, 993, 994, 995, and 996. These two encryption operation blocks can be interleaved on the chip and interspersed with other blocks (shown in gray) 999. The other blocks 999 can be part of the circuitry used for other components of the system—either part of an operation-hidden configuration or part of the overall system.
[0066] In some cases, a single cryptographic block is used to implement an encryption system, such as Figure 1The core configuration of AES. When implementing a single cryptographic operation block, this single cryptographic operation block can be distributed among other blocks in the system, such as... Figure 9C As shown. Additionally, in some cases, a single cryptographic block can utilize a device cipher, a block cipherbook, and / or a counter.
[0067] Although the subject matter has been described in language specific to structural features and / or actions, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or actions described above. Rather, the specific features and actions described above are disclosed as examples of implementing the claims, and other equivalent features and actions are intended to fall within the scope of the claims.
Claims
1. An encryption system, comprising: At least two encryption operation blocks; A circuit coupled to the at least two encryption operation blocks, the circuit routing inputs and outputs between the at least two encryption operation blocks for subsequent computation, wherein the circuit includes a selection circuit and a pseudo-random sequence generator (PRSG), the PRSG being coupled to the selection circuit to control the selection circuit; The first codebook is used to output the first unique identifier; The second codebook is used to output the second unique identifier; A first combiner, coupled to the first codebook, the key output, and the selection circuit, is used to mix the first unique identifier with the key and output a first modified key to the selection circuit, wherein the selection circuit, under the control of the PRSG, selects whether to output the key or the first modified key to the first encryption operation block among the at least two encryption operation blocks. and A second combiner, coupled to the second codebook, the key output, and the selection circuit, is used to mix the second unique identifier with the key and output a second modified key to the selection circuit, wherein the selection circuit, under the control of the PRSG, selects whether to output the key or the second modified key to the second encryption operation block among the at least two encryption operation blocks.
2. The encryption system of claim 1, wherein each of the at least two encryption operation blocks performs operations simultaneously, wherein the circuit selects the output of the at least two encryption operation blocks used for the subsequent calculation.
3. The encryption system according to claim 1, wherein the at least two encryption operation blocks comprise: First encryption operation block; and Second encryption operation block; The selection circuit includes: First Multiplexer (MUX); The second MUX; and The third MUX; The PRSG is coupled to the first MUX, the second MUX, and the third MUX to select the output input of each MUX; The third MUX selects the output fed back from the first and second encryption operation blocks for subsequent computation.
4. The encryption system according to claim 1 further includes: A third combiner, coupled to the first codebook, input data, and the selection circuit, is used to mix the first unique identifier with the input data and output the first modified input data to the selection circuit, wherein the selection circuit, under the control of the PRSG, selects whether to output the input data or the first modified input data to the first encryption operation block among the at least two encryption operation blocks. and A fourth combiner, coupled to the second codebook, the input data, and the selection circuit, is used to mix the second unique identifier with the input data and output second modified input data to the selection circuit, wherein the selection circuit, under the control of the PRSG, selects whether to output the input data or the second modified input data to the second encryption operation block among the at least two encryption operation blocks.
5. The encryption system according to claim 1, further comprising: counter; A third combiner, coupled to the counter, the first block of the keybook, and the first combiner, is used to mix the output of the counter with the first unique identifier before the first combiner mixes the first unique identifier with the key. and A fourth combiner, coupled to the counter, the second block of the codebook, and the second combiner, is used to mix the output of the counter with the second block of the unique identifier before the second combiner mixes the second block of the unique identifier with the key.
6. The encryption system according to claim 1, wherein the encryption operation block of the at least two encryption operation blocks includes a plurality of first sub-blocks, wherein the first sub-blocks of the encryption operation block are distributed across the chip and other blocks are present between the first sub-blocks.
7. The encryption system according to claim 1, wherein the first encryption operation block of the at least two encryption operation blocks includes a plurality of first sub-blocks, and the second encryption operation block of the at least two encryption operation blocks includes a plurality of second sub-blocks, wherein the first sub-blocks and the second sub-blocks are interleaved.
8. An encryption system, further comprising: At least two encryption operation blocks; A circuit coupled to the at least two encryption operation blocks, the circuit routing inputs and outputs between the at least two encryption operation blocks for subsequent computation, wherein the circuit includes a selection circuit and a pseudo-random sequence generator (PRSG), the PRSG being coupled to the selection circuit to control the selection circuit; Device password output, wherein the device password output is used to output the device password; and A combiner, coupled to the device password output, key output, and selection circuit, is used to mix the device password with a key from the key output and output a modified key to the selection circuit, wherein the selection circuit, under the control of the PRSG, selects whether to output the key or the modified key to each of the at least two encryption operation blocks.
9. The encryption system according to claim 8, further comprising: counter; and A third combiner, coupled to the counter, the device password output, and the combiner, is used to mix the output of the counter with the device password before the combiner mixes the device password with the key.
10. The encryption system of claim 8, wherein each of the at least two encryption operation blocks performs operations simultaneously, wherein the circuit selects the output of the at least two encryption operation blocks for subsequent calculations.
11. The encryption system according to claim 8, wherein the at least two encryption operation blocks comprise: First encryption operation block; and Second encryption operation block; The selection circuit includes: First Multiplexer (MUX); The second MUX; and The third MUX; The PRSG is coupled to the first MUX, the second MUX, and the third MUX to select the output input of each MUX; The third MUX selects the output fed back from the first and second encryption operation blocks for subsequent computation.
12. The encryption system of claim 8, wherein the encryption operation block of the at least two encryption operation blocks includes a plurality of first sub-blocks, wherein the first sub-blocks of the encryption operation block are distributed across the chip and other blocks are present between the first sub-blocks.
13. The encryption system of claim 8, wherein the first encryption operation block of the at least two encryption operation blocks comprises a plurality of first sub-blocks, and the second encryption operation block of the at least two encryption operation blocks comprises a plurality of second sub-blocks, wherein the first sub-blocks and the second sub-blocks are interleaved.
14. An encryption system, further comprising: At least two encryption operation blocks; A circuit coupled to the at least two encryption operation blocks, the circuit routing inputs and outputs between the at least two encryption operation blocks for subsequent computation, wherein the circuit includes a selection circuit and a pseudo-random sequence generator (PRSG), the PRSG being coupled to the selection circuit to control the selection circuit; The first codebook is used to output the first unique identifier; The second codebook is used to output the second unique identifier; Device password output, wherein the device password output is used to output the device password; counter; and One or more combiners, coupled to a key output, a counter, a device cryptographic output, a first cryptographic book, and a second cryptographic book, to produce a corresponding output including the modified key. The selection circuit is coupled to receive the modified key and the key output, and under the control of the PRSG, selects whether to output the key from the key output or the modified key to the first encryption block and the second encryption block of the at least two encryption operation blocks.
15. The encryption system of claim 14, wherein each of the at least two encryption operation blocks performs operations simultaneously, wherein the circuit selects the output of the at least two encryption operation blocks for subsequent calculations.
16. The encryption system of claim 14, wherein the at least two encryption operation blocks comprise: First encryption operation block; and Second encryption operation block; The selection circuit includes: First Multiplexer (MUX); The second MUX; and The third MUX; The PRSG is coupled to the first MUX, the second MUX, and the third MUX to select the output input of each MUX; The third MUX selects the output fed back from the first and second encryption operation blocks for subsequent computation.
17. The encryption system of claim 14, wherein the encryption operation block of the at least two encryption operation blocks includes a plurality of first sub-blocks, wherein the first sub-blocks of the encryption operation block are distributed across the chip and other blocks are present between the first sub-blocks.
18. The encryption system of claim 14, wherein the first encryption operation block of the at least two encryption operation blocks comprises a plurality of first sub-blocks, and the second encryption operation block of the at least two encryption operation blocks comprises a plurality of second sub-blocks, wherein the first sub-blocks and the second sub-blocks are interleaved.