Design and Implementation of a Generic Low-entropy High-order Composite Field Based Masking Scheme
doi: 10.11999/JEIT190257

1. School of Sciences, Harbin University of Science and Technology, Harbin 150080, China
2. School of Software and Microelectronics, Harbin University of Science and Technology, Harbin 150080, China
3. School of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150040, China
Abstract:
Starting from a detailed study of composite-field S-box construction, this paper proposes a generic low-entropy high-order masking scheme with low area complexity. The low-entropy masking idea is introduced on the finite field GF(2^4), and partial module reuse is adopted, which effectively reduces the number of multiplications needed for the composite-field S-box inversion. The scheme applies, at any masking order, to any block cipher whose S-box is built from a finite-field inversion. It is further applied to the Advanced Encryption Standard (AES): detailed synthesis and simulation results are given and the layout area is optimized, and compared with traditional masking schemes the use of logic resources is effectively reduced. In addition, the security of the scheme is proved theoretically.

Key words:
- High-order masking /
- Composite-field arithmetic /
- S-box /
- Low entropy /
- Advanced Encryption Standard (AES)
Table 1 Low-entropy generic high-order masking algorithm

Algorithm 1 Low-entropy generic high-order masking algorithm
Input: masked value $x = a + m_1 + m_2 + \cdots + m_d$ and the masks $m_1, m_2, \cdots, m_d$
Output: masked inverse of the input, $a^{-1} + m_1 + m_2 + \cdots + m_d$
(1) Through the isomorphism matrix $\delta$, map the input $x$ and the masks $m_1, m_2, \cdots, m_d$ from the field ${\rm GF}(2^k)$ to the composite field ${\rm GF}(2^n)$, each as a (high, low) pair: $(x_h, x_l) \leftarrow x$; $(m_{h1}, m_{l1}) \leftarrow m_1$; $(m_{h2}, m_{l2}) \leftarrow m_2$; $\cdots$; $(m_{hd}, m_{ld}) \leftarrow m_d$;
(2) Express the inversion over ${\rm GF}(2^k)$ as additions, multiplications and one inversion over ${\rm GF}(2^n)$;
(3) With ${\rm GF}(2^n)$ operations compute the masked value $d + m_{h1} + m_{h2} + \cdots + m_{hd}$ of the intermediate $d = a_h^2 P_0 + a_h a_l + a_l^2$ (in steps (3) to (5), $d$ denotes this intermediate, not the number of masks):
$$\begin{aligned} d + m_{h1} + m_{h2} + \cdots + m_{hd} = {}& f_d\big(x_h,\ (x_l + m_{h1} + m_{h2} + \cdots + m_{hd} + m_{l1} + m_{l2} + \cdots + m_{ld}),\\ & \quad (x_h + x_l + m_{l1} + m_{l2} + \cdots + m_{ld}),\ m_{h1}, m_{h2}, \cdots, m_{hd},\ m_{l1}, m_{l2}, \cdots, m_{ld},\ P_0\big)\\ = {}& a_h^2 \times P_0 + a_h \times a_l + a_l^2 + m_{h1} + m_{h2} + \cdots + m_{hd}; \end{aligned}$$
(4) Perform the masked inversion of $d + m_{h1} + m_{h2} + \cdots + m_{hd}$ over ${\rm GF}(2^n)$; the result is $d^{-1} + m_{h1} + m_{h2} + \cdots + m_{hd}$;
(5) With ${\rm GF}(2^n)$ operations compute the masked values $x_h' + m_{h1} + m_{h2} + \cdots + m_{hd}$ and $x_l' + m_{l1} + m_{l2} + \cdots + m_{ld}$ of the output halves $x_h', x_l'$:
$$\begin{aligned} x_h' + m_{h1} + m_{h2} + \cdots + m_{hd} = {}& f_{bh}\big(x_h,\ (d^{-1} + m_{h1} + m_{h2} + \cdots + m_{hd}),\\ & \quad (x_h + m_{h1} + m_{h2} + \cdots + m_{hd} + d^{-1} + m_{h1} + m_{h2} + \cdots + m_{hd}),\ m_{h1}, m_{h2}, \cdots, m_{hd}\big)\\ = {}& a_h \times d^{-1} + m_{h1} + m_{h2} + \cdots + m_{hd}; \end{aligned}$$
$$\begin{aligned} x_l' + m_{l1} + m_{l2} + \cdots + m_{ld} = {}& f_{bl}\big(x_h,\ (d^{-1} + m_{h1} + m_{h2} + \cdots + m_{hd}),\ (x_l + m_{h1} + m_{h2} + \cdots + m_{hd} + m_{l1} + m_{l2} + \cdots + m_{ld}),\\ & \quad (x_h + x_l + m_{l1} + m_{l2} + \cdots + m_{ld}),\ m_{h1}, m_{h2}, \cdots, m_{hd},\ m_{l1}, m_{l2}, \cdots, m_{ld}\big)\\ = {}& (a_h + a_l) \times d^{-1} + m_{l1} + m_{l2} + \cdots + m_{ld}; \end{aligned}$$
(6) Through the inverse isomorphism matrix $\delta^{-1}$, map the ${\rm GF}(2^n)$ result back to ${\rm GF}(2^k)$, obtaining the inverse over ${\rm GF}(2^k)$, $a^{-1} + m_1 + m_2 + \cdots + m_d$.
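Worked check of steps (3) and (5), added here as an editorial verification and not text from the paper, using the paper's own symbols and abbreviating the mask sums as $M_h = m_{h1} + m_{h2} + \cdots + m_{hd}$ and $M_l = m_{l1} + m_{l2} + \cdots + m_{ld}$, so that $x_h = a_h + M_h$ and $x_l = a_l + M_l$. Expanding the share-wise evaluation of $f_d$ (the explicit form that Algorithm 2 gives for $d = 2$) and using that squaring is additive in characteristic 2:

$$\begin{aligned} x_h^2 P_0 + \Big(\sum_{i=1}^{d} m_{hi}^2\Big) P_0 &= (a_h^2 + M_h^2 + M_h^2)\, P_0 = a_h^2 P_0,\\ (x_l + M_h + M_l)^2 &= (a_l + M_h)^2 = a_l^2 + M_h^2,\\ x_h\,(x_l + M_h + M_l) &= (a_h + M_h)(a_l + M_h) = a_h a_l + a_h M_h + a_l M_h + M_h^2,\\ (x_h + x_l + M_l)\, M_h &= (a_h + a_l + M_h)\, M_h = a_h M_h + a_l M_h + M_h^2,\\ \sum_{i=1}^{d} m_{hi}^2 &= M_h^2 . \end{aligned}$$

Adding the five lines and the final $+ M_h$, each of $a_h M_h$, $a_l M_h$ and $M_h^2$ occurs an even number of times and cancels, leaving

$$ a_h^2 P_0 + a_h a_l + a_l^2 + M_h = d + M_h , $$

while no single line equals the unmasked $d$. The same bookkeeping covers step (5): with $D = d^{-1}$,

$$\begin{aligned} x_h\,(D + M_h) &= a_h D + a_h M_h + D M_h + M_h^2,\\ (x_h + D + M_h + M_h)\, M_h &= (a_h + D + M_h)\, M_h = a_h M_h + D M_h + M_h^2, \end{aligned}$$

and their sum plus $M_h$ is $a_h D + M_h = x_h' + M_h$, as stated for $f_{bh}$.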
Table 2 Low-entropy generic high-order masking algorithm for AES

Algorithm 2 Inversion of the masked element $a' = a + m_1 + m_2$ over ${\rm GF}(2^k)$
Input: $(x = a + m_1 + m_2,\ m_1,\ m_2) \in {\rm GF}(2^k)$
Output: $x' = a^{-1} + m_1 + m_2$
(1) Map $\delta(m_1) \to (m_{h1}, m_{l1}) \in {\rm GF}(2^n)$ and $\delta(m_2) \to (m_{h2}, m_{l2}) \in {\rm GF}(2^n)$;
(2) Map $\delta(x) \to (x_h, x_l) \in {\rm GF}(2^n)$, i.e. $(x_h, x_l) = (a_h + m_{h1} + m_{h2},\ a_l + m_{l1} + m_{l2})$;
(3) $d + m_{h1} + m_{h2} = x_h^2 P_0 + m_{h1}^2 P_0 + m_{h2}^2 P_0 + (x_l + m_{h1} + m_{h2} + m_{l1} + m_{l2})^2 + x_h (x_l + m_{h1} + m_{h2} + m_{l1} + m_{l2}) + (x_h + x_l + m_{l1} + m_{l2})(m_{h1} + m_{h2}) + m_{h1}^2 + m_{h2}^2 + m_{h1} + m_{h2}$;
(4) $d^{-1} + m_{h1} + m_{h2} = \text{Algorithm 2}(d + m_{h1} + m_{h2},\ m_{h1},\ m_{h2})$, i.e. the masked inversion on the subfield ${\rm GF}(2^n)$ is obtained by applying the algorithm itself to the masked intermediate;
(5) $x_h' + m_{h1} + m_{h2} = x_h (d^{-1} + m_{h1} + m_{h2}) + (x_h + d^{-1} + m_{h1} + m_{h2} + m_{h1} + m_{h2})(m_{h1} + m_{h2}) + m_{h1} + m_{h2}$;
(6) $x_l' + m_{l1} + m_{l2} = x_h (d^{-1} + m_{h1} + m_{h2}) + (x_l + m_{h1} + m_{h2} + m_{l1} + m_{l2})(d^{-1} + m_{h1} + m_{h2}) + (x_h + x_l + m_{l1} + m_{l2})(m_{h1} + m_{h2}) + m_{h1}^2 + m_{h2}^2 + m_{l1} + m_{l2}$;
(7) Map $\delta^{-1}(x_h' + m_{h1} + m_{h2},\ x_l' + m_{l1} + m_{l2}) \to a^{-1} + m_1 + m_2$.
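The following is an added, runnable illustration of Algorithms 1 and 2; it is editorial example code, not code from the paper. The paper does not fix its field polynomials or the isomorphism matrix $\delta$, so the example assumes ${\rm GF}(2^4)$ built on $x^4 + x + 1$, picks the first $P_0$ for which $X^2 + X + P_0$ is irreducible, and derives $\delta$ at runtime by sending the AES generator to a root of $x^8 + x^4 + x^3 + x + 1$ inside the composite field. The masked subfield inversion of step (4), which the paper delegates to a recursive call of Algorithm 2 and its low-entropy ${\rm GF}(2^4)$ masking, is replaced here by a re-masked lookup table (an assumption, flagged in the code). The masked inversion is written for an arbitrary number of masks, so Algorithm 2 is the `len(masks) == 2` case, and every result is checked against plain ${\rm GF}(2^8)$ arithmetic.

```python
"""Added example (not code from the paper): GF((2^4)^2) inversion and the
masked inversion of Algorithms 1/2, checked against plain GF(2^8) arithmetic."""
import secrets

def _gfmul(a, b, poly, top):
    """Shift-and-add multiply in GF(2)[x]/(poly); top is the overflow bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & top:
            a ^= poly
        b >>= 1
    return r

def gf256_mul(a, b): return _gfmul(a, b, 0x11B, 0x100)   # AES field x^8+x^4+x^3+x+1 (reference only)
def gf16_mul(a, b): return _gfmul(a, b, 0x13, 0x10)      # GF(2^4) on x^4+x+1 (assumed; paper does not fix it)

GF256_INV = [0] + [next(y for y in range(1, 256) if gf256_mul(x, y) == 1) for x in range(1, 256)]
GF16_INV = [0] + [next(y for y in range(1, 16) if gf16_mul(x, y) == 1) for x in range(1, 16)]

# Composite field GF(2^4)[X]/(X^2+X+P0); elements are (high, low) pairs over GF(2^4).
P0 = next(c for c in range(16) if all(gf16_mul(t, t) ^ t ^ c for t in range(16)))  # first irreducible choice

def cf_add(a, b):
    return (a[0] ^ b[0], a[1] ^ b[1])

def cf_mul(a, b):
    hh = gf16_mul(a[0], b[0])          # X^2 = X + P0 folds the X^2 term into both halves
    return (hh ^ gf16_mul(a[0], b[1]) ^ gf16_mul(a[1], b[0]), gf16_mul(hh, P0) ^ gf16_mul(a[1], b[1]))

def cf_pow(a, e):
    r = (0, 1)
    for _ in range(e):
        r = cf_mul(r, a)
    return r

# Isomorphism delta: send the AES generator to a root BETA of x^8+x^4+x^3+x+1 inside the
# composite field and extend GF(2)-linearly; this is how the matrix delta is built.
BETA = next(c for c in ((h, l) for h in range(16) for l in range(16))
            if cf_add(cf_add(cf_pow(c, 8), cf_pow(c, 4)), cf_add(cf_add(cf_pow(c, 3), c), (0, 1))) == (0, 0))

def delta(a):
    r = (0, 0)
    for i in range(8):
        if a >> i & 1:
            r = cf_add(r, cf_pow(BETA, i))
    return r

DELTA_INV = {delta(a): a for a in range(256)}   # delta^-1; delta is a bijection

def cf_inv(a):
    """Unmasked inversion: d = a_h^2 P0 + a_h a_l + a_l^2, a^-1 = (a_h d^-1, (a_h+a_l) d^-1)."""
    ah, al = a
    di = GF16_INV[gf16_mul(gf16_mul(ah, ah), P0) ^ gf16_mul(ah, al) ^ gf16_mul(al, al)]
    return (gf16_mul(ah, di), gf16_mul(ah ^ al, di))

def masked_gf16_inv(ym, mask):
    """Step (4): y ^ mask -> y^-1 ^ mask. ASSUMPTION: a re-masked lookup table stands in for
    the paper's recursive Algorithm 2 / low-entropy GF(2^4) masking, which it does not spell out."""
    return [GF16_INV[y ^ mask] ^ mask for y in range(16)][ym]

def masked_inv(x, masks):
    """Algorithm 1 with d = len(masks) masks (Algorithm 2 is the d = 2 instance):
    x = a ^ m_1 ^ ... ^ m_d in GF(2^8)  ->  a^-1 ^ m_1 ^ ... ^ m_d, using the step (3)-(6)
    formulas on the mask sums M_h, M_l and the per-share squares S_h2."""
    xh, xl = delta(x)
    Mh = Ml = Sh2 = 0
    for mh, ml in (delta(m) for m in masks):
        Mh, Ml, Sh2 = Mh ^ mh, Ml ^ ml, Sh2 ^ gf16_mul(mh, mh)
    t = xl ^ Mh ^ Ml                                                   # = a_l + M_h
    dm = (gf16_mul(gf16_mul(xh, xh), P0) ^ gf16_mul(Sh2, P0) ^ gf16_mul(t, t)
          ^ gf16_mul(xh, t) ^ gf16_mul(xh ^ xl ^ Ml, Mh) ^ Sh2 ^ Mh)   # step (3): d + M_h
    Dm = masked_gf16_inv(dm, Mh)                                       # step (4): d^-1 + M_h
    yh = gf16_mul(xh, Dm) ^ gf16_mul(xh ^ Dm ^ Mh, Mh) ^ Mh            # step (5): a_h d^-1 + M_h
    yl = (gf16_mul(xh, Dm) ^ gf16_mul(t, Dm)
          ^ gf16_mul(xh ^ xl ^ Ml, Mh) ^ Sh2 ^ Ml)                     # step (6): (a_h+a_l) d^-1 + M_l
    return DELTA_INV[(yh, yl)]                                         # step (7): back to GF(2^8)

def self_check(trials=100):
    """Exhaustive check of cf_inv, randomised check of masked_inv for d = 1, 2, 3 masks."""
    if any(DELTA_INV[cf_inv(delta(a))] != GF256_INV[a] for a in range(256)):
        return False
    for _ in range(trials):
        a = secrets.randbelow(256)
        for d in (1, 2, 3):
            masks = [secrets.randbelow(256) for _ in range(d)]
            x = a
            for m in masks:
                x ^= m
            out = masked_inv(x, masks)
            for m in masks:
                out ^= m
            if out != GF256_INV[a]:
                return False
    return True
```

Two caveats a practitioner should keep in mind when reading the result: the example checks only functional correctness, not leakage, and the step (3) to (6) formulas operate on the mask sums $M_h$ and $M_l$, so an implementation must handle those sums with the same care as the shares themselves (in hardware, synthesis tools may also re-associate the XOR terms in ways that change which intermediate values physically appear); the paper's security proof, not this check, is what justifies the claimed order.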
Table 3 Comparison of S-box implementations across schemes
Table 5 Implementation results of different AES schemes
(For each resource, the first percentage is the share of the device's resources used; the second, in brackets with a plus sign, is the increase over the unmasked design.)

Scheme             Masking order   Total logic elements     Combinational logic      Total registers
Unmasked           none            23890 (21%)              19811 (17%)              10769 (9%)
Oswald [12]        1st order       45549 (40%) (+90.7%)     40368 (35%) (+103.8%)    16036 (14%) (+48.9%)
Wang Pengjun [17]  1st order       42161 (37%) (+76.5%)     36584 (32%) (+84.7%)     13780 (12%) (+28%)
Ahn [18]           1st order       42087 (37%) (+76.2%)     36510 (32%) (+84.3%)     12820 (11%) (+19%)
This paper         1st order       38456 (34%) (+60.9%)     32879 (28%) (+66.1%)     12820 (11%) (+19%)
This paper         2nd order       44475 (39%) (+86.1%)     38282 (33%) (+93.2%)     18980 (17%) (+76.2%)
Table 6 Synthesis results of the proposed S-box at different masking orders (area in μm²)

Masking order        Combinational logic   Buffer/inverter logic   Non-combinational logic   Total
Unmasked S-box       221                   14                      46                        268
1st-order S-box      489                   19                      88                        577
2nd-order S-box      551                   22                      88                        639

The totals are combinational plus non-combinational area; the buffer/inverter figure is a subset of the combinational area, not an extra term (the unmasked row differs from that sum by 1 μm² as printed).
Table 7 Synthesis results of the proposed AES at different masking orders (area in μm²)

Masking order        Combinational logic   Buffer/inverter logic   Non-combinational logic   Total
Unmasked AES         14484                 586                     53834                     67518
1st-order AES        53626                 2888                    59614                     113241
2nd-order AES        116797                4594                    100564                    217361

As in Table 6, the totals are combinational plus non-combinational area. For the unmasked row, 14484 + 53834 = 68318 rather than the printed 67518; the figures are reproduced as printed.
References:
[1] HUANG Hai, LIU Leibo, HUANG Qihuan, et al. Low area-overhead low-entropy masking scheme (LEMS) against correlation power analysis attack[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2019, 38(2): 208–219. doi: 10.1109/TCAD.2018.2802867
[2] OU Qingyu, LUO Fang, YE Weiwei, et al. Metric for defences against fault attacks of block ciphers[J]. Journal of Electronics & Information Technology, 2017, 39(5): 1266–1270. doi: 10.11999/JEIT160548
[3] CORON J S, GREUET A, PROUFF E, et al. Faster evaluation of sboxes via common shares[C]. The 18th International Conference on Cryptographic Hardware and Embedded Systems, Santa Barbara, USA, 2016: 498–514. doi: 10.1007/978-3-662-53140-2_24
[4] ZANG Hongyan and HUANG Huifang. Research on algorithm of generating s-box based on uniform chaotic system[J]. Journal of Electronics & Information Technology, 2017, 39(3): 575–581. doi: 10.11999/JEIT160535
[5] WANG Pengjun, ZHANG Yuejun, and ZHANG Xuelong. Research of differential power analysis countermeasures[J]. Journal of Electronics & Information Technology, 2012, 34(11): 2774–2784. doi: 10.3724/SP.J.1146.2012.00555
[6] WANG Jianxin, FANG Huawei, DUAN Xiaoyi, et al. Research and implementation of power analysis based on moving average[J]. Journal of Electronics & Information Technology, 2017, 39(5): 1256–1260. doi: 10.11999/JEIT160637
[7] CORON J S. Higher order masking of look-up tables[C]. The 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques (Advances in Cryptology), Berlin, Germany, 2014: 441–458.
[8] XU Pei. Research and implementation with mask technology on AES encryption module of smartcard against side channel attack[D]. [Master dissertation], Chongqing University, 2015: 26–53.
[9] CARLET C and PROUFF E. Polynomial evaluation and side channel analysis[M]. RYAN P Y A, NACCACHE D, and QUISQUATER J J (eds.). The New Codebreakers: Essays Dedicated to David Kahn on the Occasion of His 85th Birthday. Berlin, Heidelberg: Springer, 2016: 315–341. doi: 10.1007/978-3-662-49301-4_20
[10] HUANG Hai, FENG Xinxin, LIU Hongyu, et al. Random addition-chain based countermeasure against side-channel attack for advanced encryption standard[J]. Journal of Electronics & Information Technology, 2019, 41(2): 348–354. doi: 10.11999/JEIT171211
[11] NASSAR M, SOUISSI Y, GUILLEY S, et al. RSM: A small and fast countermeasure for AES, secure against 1st and 2nd-order zero-offset SCAs[C]. 2012 Design, Automation & Test in Europe Conference & Exhibition, Dresden, Germany, 2012: 1173–1178.
[12] OSWALD E, MANGARD S, PRAMSTALLER N, et al. A side-channel analysis resistant description of the AES s-box[C]. The 12th International Workshop on Fast Software Encryption, Paris, France, 2005: 413–423. doi: 10.1007/11502760_28
[13] ZAKERI B, SALMASIZADEH M, MORADI A, et al. Compact and secure design of masked AES s-box[C]. The 9th International Conference on Information and Communications Security, Zhengzhou, China, 2007: 216–229.
[14] TRICHINA E and KORKISHKO T. Secure AES hardware module for resource constrained devices[C]. Proceedings of the 1st European Workshop on Security in Ad-hoc and Sensor Networks, Heidelberg, Germany, 2005: 215–229. doi: 10.1007/978-3-540-30496-8_18
[15] OSWALD E and SCHRAMM K. An efficient masking scheme for AES software implementations[C]. The 6th International Workshop on Information Security Applications, Jeju Island, Korea, 2006: 292–305.
[16] KIM H S, HONG S, and LIM J. A fast and provably secure higher-order masking of AES s-box[C]. Proceedings of the 13th International Conference on Cryptographic Hardware and Embedded Systems, Nara, Japan, 2011: 95–107.
[17] WANG Pengjun, HAO Lipeng, and ZHANG Yuejun. Design of AES subbyte module of anti-zero value power attack and its VLSI implementation[J]. Acta Electronica Sinica, 2012, 40(11): 2183–2187. doi: 10.3969/j.issn.0372-2112.2012.11.007
[18] AHN S and CHOI D. An improved masking scheme for s-box software implementations[C]. The 16th International Workshop on Information Security Applications, Jeju Island, Korea, 2016: 200–212.