CN102970131A - Circuit structure for preventing power attacks on grouping algorithm - Google Patents


Info

Publication number
CN102970131A
Authority
CN
China
Prior art keywords
power consumption
computing
data
analysis
encryption
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2011102571865A
Other languages
Chinese (zh)
Inventor
刘戬
陈波涛
袁永峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing CEC Huada Electronic Design Co Ltd
Original Assignee
Beijing CEC Huada Electronic Design Co Ltd
Priority date
2011-08-31
Filing date
2011-08-31
Publication date
2013-03-13

Landscapes

  • Storage Device Security (AREA)
  • Design And Manufacture Of Integrated Circuits (AREA)

Abstract

The invention provides a technique, and a circuit structure implementing it, that effectively resists attacks on modules, chips, smart cards and similar devices using a block encryption/decryption algorithm (the "grouping algorithm" of the title), in which power analysis (simple power analysis, SPA, and differential power analysis, DPA) or electromagnetic radiation analysis (DEMA) is used to obtain the encryption and decryption keys. In high-security smart card applications, including but not limited to electronic identity cards, debit cards and social security cards, the circuit structure effectively protects block encryption modules, chips, smart cards and the like and prevents the encryption and decryption keys from being extracted by power analysis or electromagnetic radiation analysis. The circuit structure raises the throughput of continuous encryption operations, strengthens the protection of block encryption modules, chips and smart cards, preserves the execution efficiency of the encryption operation, and is innovative, practical and effective.

Description

Circuit structure for preventing power attacks on a block cipher (the "grouping algorithm" of the title)
Technical field
The present invention relates to information security technology, and specifically to an attack-protection technique applicable to security chips.
Background technology
In the field of information security, as IC card applications and computer networks become ever more widespread, cryptographic algorithms and the dedicated circuits that implement them are used more and more widely. Thanks to advances in integrated circuits and application technology, devices such as smart cards now carry more and more personal and commercial secret information. As measurement and analysis techniques keep improving, attacks on cryptographic algorithms are no longer confined to the algorithm itself: attacks on the carrier that implements it are also becoming increasingly mature. The security of cryptographic algorithm implementations in smart cards has therefore attracted growing attention. Among these attacks, the side-channel attack is a representative and threatening one. Because of the physical characteristics of integrated circuits, running a cryptographic algorithm on a chip inevitably leaks information such as power consumption, timing, electromagnetic radiation and error behaviour. An attack that collects this information (power or electromagnetic traces), processes the signals and applies mathematical analysis to finally obtain sensitive information (such as the key) is called a side-channel attack.
The cryptographic circuit in a smart card is built from a large number of transistors on semiconductor devices. When a transistor charges or discharges, electrons flow through the silicon substrate, consuming energy and at the same time producing electromagnetic radiation. The toggling of the many transistors that represent 0/1 information causes the power consumption to vary, so the key used in the computation is correlated with the power consumption and the electromagnetic emission. Power analysis and electromagnetic analysis exploit exactly this correlation between the hardware's power consumption or emission and the data and key being processed.
Block ciphers are a core technology of information security. In common block ciphers, encryption and decryption pass through a fixed number of rounds (16 in the case of DES), and each round consists of operations such as loading the data, introducing the round key and computing the S-box. These operations are implemented in combinational logic and complete within a single clock cycle. After collecting a large number of power or electromagnetic traces, an attacker aligns them, obtains differential data with little effort and recovers the whole key by mathematical analysis.
Eliminating the key-dependent power or electromagnetic signature of an integrated circuit while it operates is difficult and expensive. Since power analysis and electromagnetic analysis were first proposed, many countermeasures have been put forward for symmetric block ciphers such as DES and AES: at the algorithm level, for example random masking and inserting random waits during the cryptographic operation; and at the circuit level, for example coding, dual-rail and differential logic. These methods have a considerable impact on performance and area, and for smart cards in particular the resulting increase in area and power consumption is hard to accept.
Summary of the invention
The invention provides a technique that effectively protects a block cipher in an integrated circuit against power analysis and electromagnetic radiation analysis, together with a circuit structure that implements it. The method is implemented with a standard cell library in an RTL circuit description language; compared with an unprotected standard implementation of the block cipher it consumes only slightly more resources. The circuit structure causes little performance loss for the block cipher computation; in particular, for larger volumes of data, its throughput is approximately equal to that of the standard implementation. The invention needs no special gate circuits or additional special elements to hide the power information; instead it partitions the standard block cipher and builds the circuit as a pipeline. Its application is flexible: it accelerates the computation when large amounts of data are processed, and it provides the same protection when the amount of data is small.
The invention divides each round of the symmetric algorithm into several sub-steps and pipelines the computation on the basis of those sub-steps, with as many pipeline stages as there are sub-steps. Each pipeline stage processes different data, so that in every clock cycle different operations on different data are carried out simultaneously. A random-number mask is applied to the data handled by each stage, so that the data actually processed in the different stages are guaranteed to differ.
The data processed in the different pipeline stages are different plaintexts, which effectively raises encryption and decryption throughput. The data in the stages may be one or several plaintexts (fewer plaintexts than there are stages), with the remaining stages fed random numbers. When only a small number of plaintexts have to be processed, power analysis is still effectively resisted.
The computation performed in each clock cycle is therefore the superposition of different operations on different plaintexts, and the different plaintexts and/or random numbers hide one another. When an attacker performs power analysis or electromagnetic radiation analysis, the differential power trace corresponding to the true key shows no obvious feature, so the attack fails; this prevents power analysis and electromagnetic radiation analysis of the block cipher. At the same time, several plaintexts are computed concurrently, which improves encryption and decryption throughput while in the high-security protected state; when only a small number of plaintexts have to be computed, random numbers are introduced into the computation, so that every input pattern is protected.
The random masks applied to the input data of each stage guarantee that the data processed in the different stages are never the same, so every input is protected.
The invention applies a random-number mask to the input data precisely so that an attacker cannot evade the countermeasure by feeding identical data into every stage.
The circuit structure can also use a whole round, or some other computing unit, as each pipeline stage and realise a similar multi-stage pipeline arrangement.
The invention describes the pipeline registers using flip-flops as the example; the physical carrier of the registers includes, but is not limited to, physical storage cells such as flip-flops, latches and RAM.
Description of drawings
Fig. 1: the working method of the invention, using DES as the example
Fig. 2: schematic of a DES hardware implementation according to the working method of the invention
Embodiment
The specific embodiment of the invention is illustrated below using DES as the example. Each round of standard DES is divided into four steps: L/R register swap (operation one), XOR with the round key (operation two), S-box lookup (operation three) and L/R register XOR (operation four) (the division is not limited to four steps, nor to these particular operations). A register is inserted between consecutive steps to hold the result of each pipeline stage. The hardware needed for one round is reused, so the circuit is a four-stage pipeline (the depth being determined by the number of sub-steps per round).
The power consumption of a cryptographic circuit is usually made up of the following parts:
P_total = P_op + P_data + P_el.noise + P_const
where P_total is the total power consumption of the circuit, P_op the power caused by the different operations in the circuit, P_data the power caused by the different data processed by those operations, and P_el.noise and P_const respectively the power due to electronic noise and the static power of the circuit. The principle of the proposed pipelined hardware structure is that it superimposes not only the power P_data caused by the different data being processed but also the power P_op caused by the four steps of each round. The pipeline guarantees that four different operations on four groups of data are superimposed on the same clock edge, so the noise is applied at exactly the right time relative to the plaintext under attack; the attacker finds it hard to isolate the power component belonging to the attacked plaintext, the correlation between the attacked plaintext and the total power consumption of the circuit is disrupted, and the defence against power analysis and electromagnetic radiation analysis is achieved.
Because the four groups of data in the pipeline can all be plaintexts at the same time, they act as noise for one another, so every plaintext is equally protected against power analysis and electromagnetic radiation analysis.
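The Python model below is an added example, not code from the patent or from the applicant. It puts numbers on the power model above and on the correlation-style attack sketched in the background section (traces collected, aligned and compared against a key-dependent prediction): each clock cycle is one trace, every stage contributes the Hamming weight of the register value it switches (P_data), the constants P_OP and P_CONST stand in for P_op and P_const, and Gaussian noise stands in for P_el.noise. The Hamming-weight leakage, the 32-bit register width and all the constants are assumptions made for the illustration. The three modes compare the pipeline carrying four distinct plaintexts or random fill, the attacker's counter-move of replaying one plaintext into all four stages, and the per-stage random masks the description says defeat that counter-move.

```python
"""Added example (not from the patent): numeric model of
P_total = P_op + P_data + P_el.noise + P_const with Hamming-weight leakage,
used to see what a correlation (DPA-style) attacker measures when one,
four distinct, four identical or four masked values switch on one clock edge."""
import random

P_OP = (3.0, 5.0, 7.0, 4.0)    # assumed cost of op1..op4 (P_op), arbitrary units
P_CONST = 20.0                 # assumed static power (P_const)
WIDTH = 32                     # assumed width of one pipeline register


def hamming_weight(x):
    return bin(x).count("1")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5


def simulate_traces(n_traces, stages, mode, noise_sd=0.5, seed=1):
    """Return (hypothesis, measurement) lists, one entry per clock cycle.

    `stages` registers switch at once.  The attacker's hypothesis is the
    Hamming weight of the unmasked value under attack (stage one); mode
    says what the remaining stages carry:
      'distinct'  - other plaintexts or random fill (the pipeline in use)
      'identical' - the same plaintext replayed into every stage, no mask
      'masked'    - the same plaintext, each stage XORed with its own mask
    """
    rng = random.Random(seed)
    hyp, meas = [], []
    for _ in range(n_traces):
        v0 = rng.getrandbits(WIDTH)
        if mode == "distinct":
            vals = [v0] + [rng.getrandbits(WIDTH) for _ in range(stages - 1)]
        elif mode == "identical":
            vals = [v0] * stages
        elif mode == "masked":
            vals = [v0 ^ rng.getrandbits(WIDTH) for _ in range(stages)]
        else:
            raise ValueError(mode)
        p_data = sum(hamming_weight(v) for v in vals)      # P_data stacked over the stages
        p_total = sum(P_OP[:stages]) + p_data + rng.gauss(0.0, noise_sd) + P_CONST
        hyp.append(hamming_weight(v0))
        meas.append(p_total)
    return hyp, meas


def attack_correlation(stages, mode, n_traces=4000, noise_sd=0.5):
    """Pearson correlation between the attacker's hypothesis and P_total."""
    hyp, meas = simulate_traces(n_traces, stages, mode, noise_sd)
    return pearson(hyp, meas)


def relative_trace_cost(rho):
    """Rule of thumb: the traces a correlation attack needs grow like 1/rho^2."""
    return 1.0 / (rho * rho)


if __name__ == "__main__":
    for stages, mode in ((1, "distinct"), (4, "distinct"), (4, "identical"), (4, "masked")):
        rho = attack_correlation(stages, mode)
        print(f"{stages} stage(s), {mode:9s}: rho = {rho:+.3f}")
```

Under this additive model, four independent stages cut the correlation to about 1/sqrt(4) = 0.5 of its single-stage value rather than to zero, so a correlation attacker pays roughly 1/rho^2, about four times, the number of traces. Replaying the same plaintext into every stage brings the correlation straight back to about 1, which is why the description insists on masking every stage; with independent masks the first-order correlation against the unmasked hypothesis drops to about zero.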
This pipelined DES circuit implementation 100 comprises one group of round computation units 200. Over the whole DES computation this round computation unit 200 is reused 16 times. Round computation unit 200 comprises:
- register 10, which stores the intermediate result of each pipeline stage;
- combinational circuit 20, which performs the computations related to the XOR with the round key;
- combinational circuit 30, which performs the computations related to the S-box lookup;
- combinational circuit 40, which performs the computations related to the L/R register XOR;
- selector 50, which selects the data loaded into the round computation according to the round being executed, and selects the matching random-number mask according to the input data.
The schedule proceeds as follows:
- Clock cycle 1: the circuit loads round key one; data one is covered with random mask one, enters pipeline stage one and undergoes operation one.
- Clock cycle 2: the operation-one result of data one enters stage two and undergoes operation two; data two is covered with random mask two, enters stage one and undergoes operation one.
- Clock cycle 3: the operation-two result of data one enters stage three (operation three); the operation-one result of data two enters stage two (operation two); data three is covered with random mask three and enters stage one (operation one).
- Clock cycle 4: the operation-three result of data one enters stage four (operation four); the operation-two result of data two enters stage three (operation three); the operation-one result of data three enters stage two (operation two); data four is covered with random mask four and enters stage one (operation one).
- Clock cycle 5: the circuit loads round key two; the operation-four result of data one re-enters stage one and undergoes operation one of the second round; the operation-three result of data two enters stage four (operation four); the operation-two result of data three enters stage three (operation three); data four enters stage two (operation two).
And so on. After the last round of each data item is finished, its random mask is removed and the correct result is output.
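The cycle-by-cycle schedule above is reproduced here as an added Python model; it is not the patent's RTL and not code from the applicant, and the names Item, run_stage and pipelined_encrypt are mine. A 16-bit toy Feistel cipher with a 4-bit S-box (row 0 of DES S1, used only as a stand-in) replaces DES so that the pipeline structure stays readable. Each item carries its own random masks ml/mr for the two halves; the masked S-box is a table recomputed for the item's current input mask and a fresh output mask (the patent does not say how masks pass through the S-box, so this is an assumption); operation two uses the round key of the round the item in stage two is in (how the key register is aligned is likewise assumed); and when fewer than four plaintexts are supplied, the free slots are filled with random fillers that are processed but never output, as claim 2 describes. The pipelined result is checked against an unprotected reference implementation, and the per-cycle log shows four different operations on four different data items per cycle once the pipeline is full.

```python
"""Added example (not from the patent): cycle-accurate model of the
four-stage pipelined, masked Feistel round with random-number fill.
A 16-bit toy Feistel cipher stands in for DES; all names are assumed."""
import random

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # stand-in 4-bit S-box
STAGES = 4                                          # op1..op4 of one round
OPS = ("op1 L/R select", "op2 xor round key", "op3 S-box", "op4 L/R xor")


def sbox8(x):
    """Unmasked S-box on both nibbles of an 8-bit half."""
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def masked_sbox8(x, m_in, m_out):
    """S'(x) = S(x ^ m_in) ^ m_out via a recomputed table per nibble,
    so the lookup itself never forms the unmasked S-box input."""
    out = 0
    for shift in (4, 0):
        mi, mo = (m_in >> shift) & 0xF, (m_out >> shift) & 0xF
        table = [SBOX[v ^ mi] ^ mo for v in range(16)]
        out |= table[(x >> shift) & 0xF] << shift
    return out


def reference_encrypt(block, round_keys):
    """Unprotected, unpipelined reference: L,R = R, L ^ S(R ^ K) per round."""
    l, r = block >> 8, block & 0xFF
    for k in round_keys:
        l, r = r, l ^ sbox8(r ^ k)
    return (l << 8) | r


class Item:
    """One data word in flight: masked halves, their masks, round counter."""
    def __init__(self, ident, block, rng):
        self.id = ident
        self.ml, self.mr = rng.getrandbits(8), rng.getrandbits(8)  # random mask per item
        self.l, self.r = (block >> 8) ^ self.ml, (block & 0xFF) ^ self.mr
        self.rnd = 0
        self.t = self.u = self.v = self.mv = 0


def run_stage(stage, item, round_keys, rng):
    if stage == 0:      # op1: select R (still masked by mr) as the f-function input
        item.t = item.r
    elif stage == 1:    # op2: XOR the key of the round this item is in
        item.u = item.t ^ round_keys[item.rnd]
    elif stage == 2:    # op3: masked S-box with a fresh output mask
        item.mv = rng.getrandbits(8)
        item.v = masked_sbox8(item.u, item.mr, item.mv)
    else:               # op4: Feistel swap/XOR; the masks evolve exactly like the data
        item.l, item.r = item.r, item.l ^ item.v
        item.ml, item.mr = item.mr, item.ml ^ item.mv
        item.rnd += 1


def pipelined_encrypt(blocks, round_keys, seed=7):
    """Return (ciphertexts, clock cycles, per-cycle log of (op, item id)).
    Slots not occupied by plaintexts carry random fillers (negative ids)."""
    rng = random.Random(seed)
    queue = [Item(i, b, rng) for i, b in enumerate(blocks)]
    slots, outputs, log, cycles, fillers = [None] * STAGES, {}, [], 0, 0
    while len(outputs) < len(blocks):
        cycles += 1
        if slots[0] is None:                         # stage one free: next plaintext or a filler
            if queue:
                slots[0] = queue.pop(0)
            else:
                fillers += 1
                slots[0] = Item(-fillers, rng.getrandbits(16), rng)
        log.append([(OPS[s], it.id) for s, it in enumerate(slots) if it is not None])
        nxt = [None] * STAGES
        for s, it in enumerate(slots):
            if it is None:
                continue
            run_stage(s, it, round_keys, rng)
            if s == STAGES - 1 and it.rnd == len(round_keys):
                if it.id >= 0:                       # last round done: strip the mask, emit
                    outputs[it.id] = ((it.l ^ it.ml) << 8) | (it.r ^ it.mr)
                continue                             # fillers are simply dropped
            nxt[(s + 1) % STAGES] = it               # advance; stage four wraps to stage one
        slots = nxt
    return [outputs[i] for i in range(len(blocks))], cycles, log


if __name__ == "__main__":
    keys = [0x3A, 0xC5, 0x5F, 0x91]                  # constructed toy round keys
    pts = [0x1234, 0xBEEF, 0x0000, 0xFFFF]           # constructed plaintexts
    cts, n, log = pipelined_encrypt(pts, keys)
    print(n, "cycles;", "ok" if cts == [reference_encrypt(p, keys) for p in pts] else "MISMATCH")
    for c, entry in enumerate(log[:5], 1):
        print("cycle", c, entry)
```

With four plaintexts and R rounds the model finishes in 4R + 3 cycles, against 4R for an unprotected one-round-per-cycle circuit processing the four blocks one after another; with a single plaintext it needs 4R cycles, four times the unprotected R, while the three filler slots keep every cycle carrying four different operations on four different values.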
This embodiment describes an implementation in which the sub-steps of each round are the pipeline units, but the pipeline units are not limited to sub-steps; implementations in which each whole round is a pipeline unit are also included.
This embodiment uses DES as the example, but the invention is not limited to protecting DES encryption and decryption against power analysis and electromagnetic radiation analysis. It applies equally to protecting all symmetric block cipher encryption and decryption computations, such as, but not limited to, DES, AES and 3DES, against power analysis and electromagnetic radiation analysis.

Claims (5)

1. A method of resisting power analysis of a symmetric algorithm, characterised in that each round of the symmetric algorithm is divided into several sub-steps; the computation is pipelined on the basis of the divided steps, with a pipeline whose number of stages corresponds to the number of sub-steps; each pipeline stage processes different data, so that in every clock cycle different operations on different data are carried out simultaneously; and a random-number mask is applied to the data processed by each pipeline stage, guaranteeing that the data actually processed in the pipeline differ from one another.
2. The method of resisting power analysis of a symmetric algorithm according to claim 1, characterised in that the data processed by the pipeline stages may be one or several plaintexts, the number of plaintexts being smaller than the number of pipeline stages, with the remaining stages fed random numbers, so that power analysis is still effectively resisted when only a small number of plaintexts need to be processed.
3. The method of resisting power analysis of a symmetric algorithm according to claim 1, characterised in that the computation performed in each clock cycle is the superposition of different operations on different plaintexts; the different plaintexts and/or random numbers hide one another, so that when an attacker performs power analysis or electromagnetic radiation analysis the differential power trace corresponding to the true key shows no obvious feature and the attack fails, thereby preventing power analysis or electromagnetic radiation analysis of the block cipher.
4. The method of resisting power analysis of a symmetric algorithm according to claim 1, characterised in that the input data of each stage are covered with random-number masks, which guarantees that the data processed in the different stages are never the same, so that every input is protected.
5. The method of resisting power analysis of a symmetric algorithm according to claim 1, characterised in that several plaintexts are computed concurrently, which improves encryption and decryption throughput in the high-security protected state, and that when only a small number of plaintexts need to be computed, random-number masks are introduced into the computation, guaranteeing that every input pattern is protected.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011102571865A CN102970131A (en) 2011-08-31 2011-08-31 Circuit structure for preventing power attacks on grouping algorithm

Publications (1)

Publication Number Publication Date
CN102970131A true CN102970131A (en) 2013-03-13

Family

ID=47800026

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634102A * 2013-12-16 2014-03-12 State Grid Corporation of China Protection method for side channel attack and fault attack
CN105897399A * 2016-06-14 2016-08-24 Southeast University DES (Data Encryption Standard) algorithm oriented power analysis attack resisting method based on register mask
CN105897408A * 2016-06-14 2016-08-24 Southeast University Random-delay-based power consumption attack resisting method facing DES (Data Encryption Standard) algorithm
CN107181585A * 2016-03-13 2017-09-19 Winbond Electronics Corp. System and method for preventing side-channel attacks by changing clock delay
CN112395649A * 2019-08-16 2021-02-23 Nationz Technologies Inc. Method, chip and computer readable storage medium for preventing electromagnetic radiation attack
CN114397875A * 2022-01-12 2022-04-26 Zhejiang University Automatic production line spoofing attack detection method and system based on random control
CN114925650A * 2022-07-22 2022-08-19 Beijing Smartchip Microelectronics Technology Co., Ltd. SOC chip unit hybrid layout method and system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1426547A * 2000-04-06 2003-06-25 Gemplus Countermeasure method for microcontroller based on pipeline architecture

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Pawel R. Chodowiec: "Comparison of the hardware performance of the AES candidates using reconfigurable hardware", Master's thesis, George Mason University, 31 December 2002 *
Fu Yongzhi et al.: "Pipeline performance optimization of the AES algorithm on a reconfigurable platform", Microcontrollers & Embedded Systems, no. 6, 1 June 2009 *
Zhang Chengmin: "Design and implementation of a high-speed, low-power AES information security chip based on the AMBA bus", China Masters' Theses Full-text Database (中国优秀硕士论文全文数据库), no. 12, 15 December 2010 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Building C, China Electronics Network Security and Information Technology Industry Base, South Area of Future Science and Technology City, Beiqijia, Beijing 102209

Applicant after: Beijing CEC Huada Electronic Design Co., Ltd.

Address before: 5th floor, Block A, Wangjing Science and Technology Park, No. 2 Lize 2nd Road, Chaoyang District, Beijing 100102

Applicant before: Beijing CEC Huada Electronic Design Co., Ltd.

COR Change of bibliographic data
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2013-03-13