CN109714152B - White-box AES encryption method based on large affine coding - Google Patents

Publication number: CN109714152B
Authority: CN (China)
Application number: CN201910043431.9A
Other languages: Chinese (zh)
Other versions: CN109714152A
Inventors: 张慧, 陈杰, 姚思, 徐东, 童鹏
Current and original assignee: Xidian University
Legal status: Active

Abstract

The invention discloses a white-box AES encryption method based on large affine coding, comprising the following steps: 1. constructing an external input encoding; 2. constructing two affine transformation functions; 3. generating a decoding table De; 4. randomly selecting an unselected column of state vectors from the state matrix of the Advanced Encryption Standard (AES); 5. constructing three affine transformation functions; 6. generating an encryption table MSK; 7. judging whether all column vectors in the AES state matrix have been selected; 8. constructing an affine transformation function; 9. generating a shift table SR; 10. generating the 48 lookup tables required to perform one round of AES encryption in a white-box environment. The invention protects the lookup tables with large affine encodings and encrypts data by table lookup without revealing intermediate values, so that it offers high security and high encryption efficiency when encrypting data.

Description

White-box AES encryption method based on large affine coding
Technical Field
The invention belongs to the field of information technology, and further relates to a white-box Advanced Encryption Standard (AES) encryption method based on large affine coding in the field of information security. The invention applies the white-box AES encryption method to encryption and decryption on insecure terminals and embeds the key into lookup tables, so that an attacker cannot directly extract the key through memory analysis. This prevents the attacker from obtaining the functionality available to a legitimate user and protects the rights of legitimate users.
Background
With the development of communication and information security technologies, terminal products such as notebooks and tablet computers are widely used, and the demand for digital information such as video and audio keeps growing. Attackers have more and more channels for acquiring information, and can even obtain keys directly by analysing memory or circuits. This seriously harms the rights of legitimate users, so a method that effectively protects keys on insecure terminals is needed. The white-box cryptographic model assumes that an attacker has full access to the execution of the cryptographic algorithm, can observe every detail of that execution, and can even change its intermediate values. How to construct a secure white-box encryption method that protects the rights of legitimate users has therefore become a major research focus in white-box cryptography.
Rory et al. disclose an improved white-box AES encryption method in the paper "a look-up table-based white-box AES implementation applying non-linear obfuscation" (Shanghai Jiao Tong University, master's thesis, 2015). The method converts the row shift operation into a lookup table, adopts 16-32bit lookup tables, uses a 32-bit affine transformation to obfuscate the output of the column mixing operation, and embeds cascaded nonlinear encodings into the lookup tables to provide greater white-box security. Because the method obfuscates its output with nonlinear encodings, the scheme introduces an exclusive-or table that performs the nonlinear decoding and the exclusive-or operation. The method can resist the existing BGE attack and De Mulder attack and prevent the key from being extracted. Its disadvantages are as follows: the embedded affine encoding cancels out when the lookup tables are analysed in combination, so that in a key extraction attack the analysis of the combined table becomes the analysis of a 16-bit affine transformation, which greatly reduces the computation required to break the scheme and lowers its security; and the exclusive-or operations in the scheme are carried out by lookup tables, which greatly increases the number of table lookups and reduces efficiency.
Guilin University of Electronic Technology discloses a nonlinear protection method for white-box ciphers in lookup-table form in the patent document "a white-box password nonlinear coding protection method based on a look-up table" (patent application No.: 201510202424.0, patent publication No.: CN 105591734A). The method divides m arguments into n groups of 16 bits each and introduces n nonlinear transformations. The nonlinear transformation, key addition, S-box and column mixing operations are integrated into one table, and to keep the lookup tables from becoming too large, the column mixing matrix is divided into 2 sub-matrices that are applied in two tables. The outputs of the 2 lookup tables corresponding to the column mixing matrix are XORed directly, and m-bit nonlinear encoding is then applied to the n/2 XORed outputs to obtain the output of the current round. The disadvantage of the method is that the data after column mixing is diffused with an invertible nonlinear transformation function and the obfuscated data is obtained by computation, which reduces encryption efficiency.
Disclosure of Invention
The invention aims to provide a white-box AES encryption method based on large affine coding that addresses the defects of the prior art.
The idea for achieving this aim is to break the round boundaries of the 10 rounds of AES encryption: the row shift is moved ahead of the key addition and byte transformation, the row shift of the first round is merged into the external encoding, the row shifts of the second to tenth rounds are each moved into the preceding round, and the operations of each AES round are encapsulated in two types of tables.
The specific implementation steps are as follows:
(1) constructing an external input encoding:
(1a) dividing the input 128-bit data into 16 groups of 8 bits each, arranging every 4 groups in sequence into one row, performing a shift operation on each row of data to obtain 4 32-bit vectors, and concatenating the 4 32-bit vectors in row order into a 128-bit vector;
(1b) performing obfuscation encoding on the 128-bit vector to obtain a 128-bit vector according to the following formula:
Figure BDA0001948347890000021
wherein Y represents the 128-bit vector after obfuscation encoding, the symbol shown in Figure BDA0001948347890000022 represents an exclusive-or addition operation, B represents a randomly generated 128-bit vector, the symbol shown in Figure BDA0001948347890000023 represents a composition operation, and L represents a randomly selected 128 × 128 invertible matrix;
(2) constructing two affine transformation functions for output encoding:
(2a) constructing a first affine transformation function from a 128 × 128 diagonal matrix formed by 16 randomly generated 8 × 8 invertible matrices;
(2b) constructing a second affine transformation function from a 128 × 128 diagonal matrix formed by 16 randomly generated 8 × 8 invertible matrices;
(3) generating a decoding table De for decoding the obfuscation encoding of the row shift operation and for affine encoding:
(3a) randomly selecting an unselected state vector in the state matrix of the Advanced Encryption Standard (AES);
(3b) constructing an array with the length of 256, and initializing each element in the array to an 8-bit vector;
(3c) performing a decoding operation on the obfuscation encoding of the row shift operation:
randomly selecting an unselected 8-bit vector from the array with the length of 256, taking it as the input vector, and performing the decoding operation on the 8-bit input vector to obtain a decoded 128-bit vector;
(3d) judging whether the row number of the state vector in the state matrix is less than 2; if so, executing step (3e), otherwise, executing step (3f);
(3e) performing affine encoding on the 128-bit vector with the first affine transformation function to obtain a 128-bit vector;
(3f) performing affine encoding on the 128-bit vector with the second affine transformation function to obtain a 128-bit vector;
(3g) judging whether all 8-bit vectors in the array with the length of 256 have been selected; if so, executing step (3h), otherwise, executing step (3c);
(3h) judging whether every state vector in the AES state matrix has been selected; if so, executing step (4), otherwise, executing step (3a);
(4) randomly selecting an unselected column of state vectors from the state matrix of the Advanced Encryption Standard (AES);
(5) constructing three affine transformation functions for obfuscation encoding and output encoding:
(5a) constructing a first affine transformation function from a 32 × 32 diagonal matrix consisting of 4 randomly generated 8 × 8 invertible matrices;
(5b) constructing a second affine transformation function from a 32 × 32 diagonal matrix consisting of 4 randomly generated 8 × 8 invertible matrices;
(5c) taking a randomly generated 32 × 32 invertible matrix as the linear part of a third affine transformation function, and taking a randomly generated 32-bit vector as the constant part of the third affine transformation function;
(6) generating an encryption table MSK for performing the key addition, byte transformation and column mixing operations:
(6a) randomly selecting an unselected state vector from the selected column of state vectors;
(6b) constructing an array with the length of 65536, and initializing each element of the array to a 16-bit vector;
(6c) performing an input decoding operation on the input vector:
randomly selecting a 16-bit vector from the array with the length of 65536, taking it as the input vector, performing the decoding operation on the 16-bit input vector with a 16-bit affine transformation function to obtain a decoded 16-bit vector, equally dividing the 16-bit vector into 2 8-bit vectors, and XORing the 2 8-bit vectors to obtain an 8-bit vector;
(6d) performing key addition, byte transformation and column mixing on the 8-bit vector:
XORing the 8-bit vector with the 8-bit round key to obtain an 8-bit vector, performing the byte transformation on that 8-bit vector to obtain an 8-bit vector, performing the column mixing operation on that 8-bit vector to obtain a 32-bit vector, and performing obfuscation encoding on the 32-bit vector with the third affine transformation function to obtain a 32-bit vector;
(6e) judging whether the row number of the state vector within the state matrix column is less than 2; if so, executing step (6f), otherwise, executing step (6g);
(6f) performing affine encoding on the 32-bit output vector with the first affine transformation to obtain a 32-bit vector;
(6g) performing affine encoding on the 32-bit output vector with the second affine transformation to obtain a 32-bit vector;
(6h) judging whether all 16-bit vectors in the array with the length of 65536 have been selected; if so, executing step (6i), otherwise, executing step (6c);
(6i) judging whether all the state vectors in the selected column of state vectors have been selected; if so, executing step (7), otherwise, executing step (6a);
(7) judging whether all column vectors in the AES state matrix have been selected; if so, executing step (8), otherwise, executing step (4);
(8) constructing an affine transformation function for obfuscation encoding:
randomly generating a 128 × 128 invertible matrix L as the linear part of the affine transformation function, and randomly generating a 128-bit zero vector B as the constant part of the affine transformation function;
(9) generating a shift table SR for performing the row shift operation:
(9a) randomly selecting a state vector in the AES state matrix;
(9b) constructing an array with the length of 65536, and initializing each element of the array to a 16-bit vector;
(9c) performing an input decoding operation on the input vector:
randomly selecting a 16-bit vector from an array with the length of 65535, taking it as the input vector, performing the decoding operation on the 16-bit input vector to obtain a decoded 16-bit vector, equally dividing the 16-bit vector into 2 8-bit vectors, and XORing the 2 8-bit vectors to obtain an 8-bit vector;
(9d) performing the row shift operation on the 8-bit vector:
performing obfuscation decoding on the 8-bit vector to obtain a 32-bit vector, and left-multiplying the 32-bit vector by a 128 × 32 matrix to obtain a 128-bit vector;
(9e) performing obfuscation encoding on the 128-bit vector with the affine transformation function to obtain a 128-bit vector, and writing the 128-bit vector into the array with the length of 65536;
(9f) judging whether all 16-bit vectors in the array with the length of 65536 have been selected; if so, executing step (9g), otherwise, executing step (9c);
(9g) judging whether all state vectors in the state matrix have been selected; if so, executing step (10), otherwise, executing step (9a);
(10) obtaining the 48 lookup tables required to perform one round of AES encryption in a white-box environment.
Compared with the prior art, the invention has the following advantages:
First, the invention constructs two affine transformation functions that apply 128-bit affine output encoding to the generated decoding tables De. This overcomes the problem in the prior art that the embedded affine encoding cancels out when the lookup tables are analysed in combination, so that in a key extraction attack the analysis of the combined table becomes the analysis of a 16-bit affine transformation, which greatly reduces the computation required to break the scheme and lowers its security.
Second, the invention generates 3 types of lookup tables, and the plaintext is encrypted by looking up these 3 types of tables: a decoding table De that decodes the obfuscation encoding of the row shift operation and applies affine encoding, an encryption table MSK that performs the key addition, byte transformation and column mixing operations, and a shift table SR that performs the row shift operation. This overcomes the problem in the prior art that the data after column mixing is diffused with an invertible nonlinear transformation function and the obfuscated data is obtained by computation, which reduces encryption efficiency. Because the invention encrypts plaintext data with the 3 types of lookup tables, it needs only table lookup time and no computation, and therefore has the advantage of high encryption efficiency.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a flowchart of generating the decoding table De in step 3 of the present invention;
FIG. 3 is a structural block diagram of the decoding table De of step 3 of the present invention;
FIG. 4 is a flowchart of generating the encryption table MSK in step 6 of the present invention;
FIG. 5 is a structural block diagram of the encryption table MSK of step 6 of the present invention;
FIG. 6 is a flowchart of generating the shift table SR in step 9 of the present invention;
FIG. 7 is a structural block diagram of the shift table SR of step 9 of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The specific steps of the present invention are further described with reference to fig. 1.
Step 1, constructing an external input encoding.
Dividing the input 128-bit data into 16 groups of 8 bits each, arranging every 4 groups in sequence into one row, performing a shift operation on each row of data to obtain 4 32-bit vectors, and concatenating the 4 32-bit vectors in row order into a 128-bit vector.
The row shift operation changes the round boundaries of AES encryption: the key addition of every round except the tenth is moved down into the next round, the key addition that precedes the first round is placed in the first round, and the row shift of each round is moved ahead of the key addition and byte transformation. The row shift of the first round is merged into the external encoding, and the row shifts of the second to tenth rounds are each moved forward by one round, so that the operations of every round except the tenth are key addition, byte transformation, column mixing and row shift (AddRoundKey, SubBytes, MixColumns and ShiftRows in standard AES terminology). Because the row shift is performed before the key addition and byte transformation, the key of each round must also be shifted before the key addition is performed.
Performing obfuscation encoding on the 128-bit vector to obtain a 128-bit vector according to the following formula:
Figure BDA0001948347890000061
wherein Y represents the 128-bit vector after obfuscation encoding, the symbol shown in Figure BDA0001948347890000062 represents an exclusive-or addition operation, B represents a randomly generated 128-bit vector, the symbol shown in Figure BDA0001948347890000063 represents a composition operation, i.e. applying a second operation to the result of the first operation, and L represents a randomly generated 128 × 128 invertible matrix.
Step 2, constructing two affine transformation functions for output encoding.
The first affine transformation function is constructed from a 128 × 128 diagonal matrix formed by 16 randomly generated 8 × 8 invertible matrices.
The second affine transformation function is constructed from a 128 × 128 diagonal matrix formed by 16 randomly generated 8 × 8 invertible matrices.
Each affine transformation function uses the 128 × 128 diagonal matrix assembled from 16 randomly generated 8 × 8 invertible matrices as its linear part, and a randomly generated 128-bit zero vector as its constant part.
Step 3, generating a decoding table De for decoding the obfuscation encoding of the row shift operation and for affine encoding.
The specific steps for generating the 16 decoding tables De are further described with reference to FIG. 2.
(3.1) randomly selecting an unselected state vector in the AES state matrix.
The state matrix is formed as follows: AES divides the 128-bit input plaintext into 16 groups of 8 bits each and arranges the 16 groups in sequence into a matrix with 4 rows and 4 columns; each 8-bit group of plaintext is called a state vector.
(3.2) constructing an array with the length of 256, and initializing each element in the array to an 8-bit vector.
(3.3) performing a decoding operation on the obfuscation encoding of the row shift operation.
Randomly selecting an unselected 8-bit vector from the array with the length of 256, taking it as the input vector, and performing the obfuscation decoding operation on the 8-bit input vector with reference to FIG. 3 to obtain a decoded 128-bit vector.
The decoding operation means computing the inverse of the 128-bit affine transformation function used by the obfuscation encoding, dividing that inverse into 16 8-bit sub-transformation functions by the matrix blocking method, and using the sub-transformation functions as the affine transformation functions of the decoding operation.
The matrix blocking method comprises the following specific steps:
Step 1, dividing the matrix of the linear part of the affine transformation function into 16 sub-matrices of size 128 × 8, taking every 8 columns as one group.
Step 2, dividing the vector of the constant part of the affine transformation function into 16 8-bit sub-vectors, taking every 8 bits as one group.
Step 3, forming an 8-bit sub-transformation function from one 128 × 8 sub-matrix and one 8-bit vector.
(3.4) judging whether the row number of the state vector in the state matrix is less than 2; if so, executing step (3.5), otherwise, executing step (3.6).
(3.5) performing cascade affine encoding on the decoded 128-bit vector with the first affine transformation function to obtain the 16 8-bit vectors shown in FIG. 3.
The affine encoding means that the 128-bit vector is encoded with the affine transformation function to obtain a 128-bit vector, which is XORed with a randomly generated 128-bit vector S to obtain a 128-bit vector; that vector is written into the array with the length of 256. The 128-bit vector S is then XORed with the constant part of the affine transformation function, and the result is written back as the constant part of the affine transformation function. Because S is randomly generated, XORing it with the 128-bit vector in effect changes the constant part of the affine encoding, so that the affine encodings of the 8 De tables corresponding to the first 2 rows of the state matrix have the same linear part but different constant parts. The constant-part vector of the affine transformation changes continually during the loop; when the loop ends, it is the XOR of the constant parts of the affine encodings of the first 8 tables, and also the constant part of the affine decoding of the first 128-bit input data of the encryption table MSK.
(3.6) performing cascade affine encoding on the decoded 128-bit vector with the second affine transformation function to obtain the 16 8-bit vectors shown in FIG. 3.
The constant-part vector of the affine transformation changes continually during the loop; when the loop ends, it is the XOR of the constant-part vectors of the affine encodings of the last 8 tables, and also the constant part of the affine decoding of the last 128-bit input data of the encryption table MSK.
(3.7) judging whether all 8-bit vectors in the array with the length of 256 have been selected; if so, executing step (3.8), otherwise, executing step (3.3).
(3.8) judging whether every state vector in the state matrix has been selected; if so, executing step 4, otherwise, executing step (3.1).
Referring to FIG. 3, the decoding table De is a lookup table with 8-bit input and 128-bit output that decodes the obfuscation encoding of the row shift operation. The invention applies two different 128-bit affine encodings to the outputs of the 16 decoding tables De. During encryption, the outputs of each group of 8 De tables that share the same affine encoding are XORed directly, yielding two 128-bit values. Because the linear parts of the affine encodings of these two 128-bit values differ, the two values cannot be XORed with each other directly. This ensures that an attacker cannot obtain a valid intermediate value during encryption, and that the 128-bit affine encoding cannot be cancelled when the lookup tables are analysed in combination.
Step 4, randomly selecting an unselected column of state vectors from the AES state matrix.
Step 5, constructing three affine transformation functions for obfuscation encoding and output encoding.
The first affine transformation function is constructed from a 32 × 32 diagonal matrix formed by 4 randomly generated 8 × 8 invertible matrices. It applies cascade affine encoding to the outputs of the encryption tables MSK corresponding to the first two rows of the state matrix.
The second affine transformation function is constructed from a 32 × 32 diagonal matrix formed by 4 randomly generated 8 × 8 invertible matrices. It applies cascade affine encoding to the outputs of the encryption tables MSK corresponding to the last two rows of the state matrix.
Each of these affine transformation functions uses the 32 × 32 diagonal matrix assembled from 4 randomly generated 8 × 8 invertible matrices as its linear part, and a randomly generated 32-bit zero vector as its constant part.
A randomly generated 32 × 32 invertible matrix is used as the linear part of the third affine transformation function, and a randomly generated 32-bit vector is used as its constant part. It is used to obfuscate the output data of the column mixing operation.
Step 6, generating an encryption table MSK for performing the key addition, byte transformation and column mixing operations.
The specific steps for generating the 16 encryption tables MSK are further described with reference to FIG. 4.
(6.1) randomly selecting an unselected state vector from the selected column of state vectors.
(6.2) constructing an array with the length of 65536, and initializing each element of the array to a 16-bit vector. Each 16-bit vector is the binary representation of its array index.
(6.3) performing an input decoding operation on the input vector.
Randomly selecting a 16-bit vector from the array with the length of 65536, taking it as the input vector, performing the decoding operation on the 16-bit input vector with a 16-bit affine transformation function to obtain a decoded 16-bit vector, equally dividing the 16-bit vector into 2 8-bit vectors, and XORing the 2 8-bit vectors to obtain an 8-bit vector.
The 16-bit affine transformation function is constructed by the following steps:
Step 1, dividing the inverse of the first 128-bit affine transformation function into 16 sub-transformation functions 1 by the matrix blocking method, and arranging them in order.
Step 2, dividing the inverse of the second 128-bit affine transformation function into 16 sub-transformation functions 2 by the matrix blocking method, and arranging them in order.
Step 3, selecting from each of the two groups of 16 sub-transformation functions the one sub-transformation function at the same position in the order.
Step 4, removing the all-zero blocks from the linear-part matrix of the selected sub-transformation function 1 to obtain an 8 × 8 matrix, removing the all-zero blocks from the linear-part matrix of the selected sub-transformation function 2 to obtain an 8 × 8 matrix, combining the two 8 × 8 matrices into a 16 × 16 matrix, and concatenating the 8-bit constant-part vectors of the two sub-transformation functions into a 16-bit vector.
Step 5, combining the 16 × 16 matrix and the 16-bit vector into a 16-bit affine transformation function.
(6.4) performing key addition, byte transformation and column mixing on the 8-bit vector.
XORing the decoded 8-bit vector with the 8-bit round key to obtain an 8-bit vector, performing the byte transformation on that 8-bit vector to obtain an 8-bit vector, performing the column mixing operation on that 8-bit vector to obtain a 32-bit vector, and performing obfuscation encoding on the 32-bit vector with the third affine transformation function to obtain a 32-bit vector.
For the column mixing, the invention uses a 32 × 32 invertible matrix to represent the column mixing in rounds 1 to 9; since round 10 of AES has no column mixing, an identity matrix is used in its place.
(6.5) judging whether the row number of the state vector within the state matrix column is less than 2; if so, executing step (6.6), otherwise, executing step (6.7).
(6.6) performing affine encoding on the 32-bit output vector with the first affine transformation to obtain the 4 8-bit vectors shown in FIG. 5.
(6.7) performing affine encoding on the 32-bit output vector with the second affine transformation to obtain the 4 8-bit vectors shown in FIG. 5.
The affine encoding means that the 32-bit vector is encoded with the affine transformation to obtain a 32-bit vector, which is XORed with a randomly selected 32-bit vector s to obtain a 32-bit vector; that vector is written into the array with the length of 65536. The 32-bit vector s is then XORed with the constant part of the affine transformation function, and the result is written back as the constant part of the affine transformation function.
(6.8) judging whether all 16-bit vectors in the array with the length of 65536 have been selected; if so, executing step (6.9), otherwise, executing step (6.3).
(6.9) judging whether all the state vectors in the selected column of state vectors have been selected; if so, executing step 7, otherwise, executing step (6.1).
Referring to FIG. 5, the encryption table MSK is a lookup table with 16-bit input and 32-bit output that performs the key addition, byte transformation and column mixing operations.
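The data flow from the external encoding of Step 1 through the De tables of Step 3 to the input decoding of step (6.3) can be traced in code. The following is an added example, not code from the patent: it assumes the formula missing from Step 1 is Y = L·X ⊕ B, assumes a column-major AES state (byte i in row i mod 4), omits the row shift, and carries out the MSK input decoding in the clear instead of inside a 65536-entry table; all function names are illustrative.

```python
import random


def parity(x):
    return bin(x).count("1") & 1


def mat_vec(rows, v):
    """GF(2) product M*v: rows[i] is row i as a bitmask, bit j of v is v_j."""
    return sum(parity(r & v) << i for i, r in enumerate(rows))


def invert(rows):
    """Gauss-Jordan inverse over GF(2); returns None for a singular matrix."""
    n = len(rows)
    aug = [r | (1 << (n + i)) for i, r in enumerate(rows)]  # [M | I]
    for col in range(n):
        piv = next((k for k in range(col, n) if aug[k] >> col & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for k in range(n):
            if k != col and aug[k] >> col & 1:
                aug[k] ^= aug[col]
    return [a >> n for a in aug]  # [I | M^-1] -> M^-1


def random_invertible(n, rng):
    """Rejection-sample an invertible n x n matrix; returns (M, M^-1)."""
    while True:
        rows = [rng.getrandbits(n) for _ in range(n)]
        inv = invert(rows)
        if inv is not None:
            return rows, inv


def byte(v, k):
    return (v >> (8 * k)) & 0xFF


def apply_blocks(blocks, v):
    """Multiply by a block-diagonal matrix: each 8x8 block acts on one byte."""
    return sum(mat_vec(blocks[k], byte(v, k)) << (8 * k) for k in range(16))


def group(i):
    """Assumed layout: rows 0-1 use the first output encoding, rows 2-3 the second."""
    return 0 if i % 4 < 2 else 1


def build(rng):
    """Generate the external encoding (L, B) and the 16 De tables."""
    L, L_inv = random_invertible(128, rng)
    B = rng.getrandbits(128)
    pairs = [[random_invertible(8, rng) for _ in range(16)] for _ in range(2)]
    A = [[m for m, _ in g] for g in pairs]
    A_inv = [[mi for _, mi in g] for g in pairs]
    const = [0, 0]  # accumulated constant part of each output encoding
    De = []
    for i in range(16):
        sub = [byte(r, i) for r in L_inv]  # matrix blocking: 128x8 column block i
        s = rng.getrandbits(128)           # per-table random mask S
        const[group(i)] ^= s
        De.append([apply_blocks(A[group(i)], mat_vec(sub, y ^ byte(B, i))) ^ s
                   for y in range(256)])
    return {"L": L, "B": B, "A_inv": A_inv, "const": const, "De": De}


def encode(p, x):
    """External input encoding, assumed to be Y = L*X xor B."""
    return mat_vec(p["L"], x) ^ p["B"]


def de_lookup(p, y):
    """XOR the 8 table outputs of each encoding group: two 128-bit encoded values."""
    acc = [0, 0]
    for i in range(16):
        acc[group(i)] ^= p["De"][i][byte(y, i)]
    return acc[0], acc[1]


def msk_input_decode(p, u, v):
    """Per byte: decode one byte from each encoded value, then XOR the two."""
    x = 0
    for k in range(16):
        lo = mat_vec(p["A_inv"][0][k], byte(u, k) ^ byte(p["const"][0], k))
        hi = mat_vec(p["A_inv"][1][k], byte(v, k) ^ byte(p["const"][1], k))
        x |= (lo ^ hi) << (8 * k)
    return x


if __name__ == "__main__":
    rng = random.Random(2019)  # repeatable demo only; real tables need a CSPRNG
    p = build(rng)
    x = rng.getrandbits(128)   # constructed sample block
    u, v = de_lookup(p, encode(p, x))
    print("recovered after per-byte decoding:", msk_input_decode(p, u, v) == x)
    print("plain XOR of the two encoded values equals x:", (u ^ v) == x)
```

The two values returned by `de_lookup` carry different linear encodings, so XORing them directly yields nothing useful; the block is recovered only after each byte has been decoded with its own 8 × 8 inverse block and accumulated constant.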
And 7, judging whether all column vectors in the state matrix are selected, if so, executing the step 8, and otherwise, executing the step 4.
And 8, constructing an affine transformation function for confusion coding.
A reversible matrix L of 128 x 128 is randomly generated as the linear part of the affine transformation function, and a zero vector B of 128-bit is randomly generated as the constant part of the affine transformation function. It is used for aliasing coding the output data of the row shifting operation.
And 9, generating a shift table SR for performing the row shift operation.
The specific steps for generating the 16 shift tables SR will be further described with reference to fig. 6.
(9.1) randomly selecting one state vector in the AES state matrix.
(9.2) constructing an array with the length of 65536, and initializing each element of the array to a 16-bit vector.
(9.3) performing a decoding operation on the input vector.
Randomly selecting a 16-bit vector from an array with the length of 65535, using the 16-bit vector as an input vector, performing the decoding operation on the 16-bit input vector with reference to FIG. 7 to obtain a decoded 16-bit vector, equally dividing the 16-bit vector into 2 8-bit vectors, and performing an exclusive-or operation on the 2 8-bit vectors to obtain an 8-bit vector.
(9.4) performing a row shift operation on the 8-bit vector.
The 8-bit vector is alias decoded to obtain a 32-bit vector, and the 32-bit vector is pre-multiplied by a 128 x 32 matrix to obtain a 128-bit vector as shown in fig. 7.
The row shift operation is represented as follows: in the first to 9th rounds of encryption, the present invention uses a 128 × 128 matrix to represent the row shift operation; in the 10th round, since the present invention moves the row shift operation of the 10th round of Advanced Encryption Standard (AES) encryption to the 9th round, the 10th-round row shift operation is represented by a 128 × 128 identity matrix.
(9.5) applying the affine transformation function to the 128-bit vector to obtain 16 8-bit vectors as shown in FIG. 7, concatenating the 16 8-bit vectors into a 128-bit vector, and writing the 128-bit vector into the array with the length of 65536.
(9.6) judging whether all 16-bit vectors in the array with the length of 65536 are selected, if so, executing the step (9.7), otherwise, executing the step (9.3).
(9.7) judging whether all the state vectors in the state matrix are selected, if so, executing the step 10, otherwise, executing the step (9.1).
Referring to fig. 7, the shift table SR is a 16-bit input, 128-bit output look-up table for performing a shift operation.
Step 10, 48 look-up tables are generated which are required to perform a round of AES encryption in a white-box environment.
The steps 2 to 10 are repeatedly performed nine times, and 480 lookup tables required for performing the AES in the white-box environment are generated.
The process of AES encryption of a 128-bit plaintext using the 480 look-up tables is further described below.
Step 1, executing step 1 on the 128-bit plaintext to obtain a 128-bit vector Y after encoding.
Step 2, forming a state matrix from the 128-bit vector Y, wherein each state vector is an 8-bit sub-vector. Each state vector is used as the input of the De table, and the corresponding output vector is looked up. The resulting 16 128-bit vectors are XORed to yield two 128-bit vectors S1 and S2.
Step 3, forming 2 state matrices from the vector S1 and the vector S2 respectively, wherein the state vectors at the same row and column positions in the two state matrices correspond to one another. The 2 corresponding state vectors are concatenated into a 16-bit vector, which is used as the input of the encryption table MSK; the corresponding encryption table MSK is looked up to obtain a corresponding 32-bit output vector, and XOR and concatenation operations are performed on the 16 32-bit vectors obtained to yield 2 128-bit vectors S3 and S4.
Step 4, forming 2 state matrices from the vector S3 and the vector S4 respectively, wherein the state vectors at the same row and column positions in the two state matrices correspond to one another. The 2 corresponding state vectors are concatenated into a 16-bit vector, which is used as the input of the shift table SR; the corresponding encryption table MSK is looked up to obtain a corresponding 32-bit output vector, and an XOR operation is performed on the 16 128-bit vectors obtained to yield 1 128-bit vector Y.
Step 5, repeating steps 2 to 4 for 9 times to obtain the final 128-bit ciphertext Y.
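The De-table lookup in step 2 works because the inverse of the 128-bit input code is cut by matrix blocking (claims 4 to 6) into 16 sub-functions with 8-bit inputs, and because each random mask written into a table is also XORed into the constant part of the output encoding (claim 5). The following Python example is added here for illustration and is not code from the patent; it assumes the input code has the form Y = L·X ⊕ B (the formula figure is missing from this page), omits the shift of step (1a), uses one output encoding where the patent uses two, and all function names are hypothetical.

```python
import random

N, BLK = 128, 8  # 128-bit state, 16 state vectors of 8 bits

def mat_vec(rows, v):
    """GF(2) matrix (row bitmasks, bit j = column j) times bit-vector v."""
    return sum((bin(r & v).count("1") & 1) << i for i, r in enumerate(rows))

def invert(rows):
    """Gauss-Jordan inverse over GF(2); None if the matrix is singular."""
    n, a = len(rows), list(rows)
    inv = [1 << i for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r] >> col & 1), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv[col], inv[piv] = inv[piv], inv[col]
        for r in range(n):
            if r != col and a[r] >> col & 1:
                a[r] ^= a[col]
                inv[r] ^= inv[col]
    return inv

def random_invertible(n, rng):
    """Rejection-sample an n x n invertible matrix over GF(2)."""
    while True:
        m = [rng.getrandbits(n) for _ in range(n)]
        if invert(m) is not None:
            return m

def block_diagonal(rng):
    """128 x 128 diagonal matrix of 16 random invertible 8 x 8 blocks."""
    return [r << (BLK * k) for k in range(N // BLK)
            for r in random_invertible(BLK, rng)]

def build_de_tables(L, B, D, rng):
    """Return 16 masked 256-entry tables and the updated output constant."""
    Linv, const, tables = invert(L), 0, []
    for i in range(N // BLK):
        b_i, s_i = (B >> (BLK * i)) & 0xFF, rng.getrandbits(N)
        # Output-encoded columns of the i-th 128 x 8 sub-matrix of Linv.
        cols = [mat_vec(D, mat_vec(Linv, 1 << (BLK * i + j))) for j in range(BLK)]
        table = []
        for u in range(256):
            entry = s_i  # entry = D*Linv_i*(u xor B_i) xor s_i
            for j in range(BLK):
                if (u ^ b_i) >> j & 1:
                    entry ^= cols[j]
            table.append(entry)
        tables.append(table)
        const ^= s_i  # fold the mask into the constant part (initially zero)
    return tables, const

def lookup_and_xor(tables, y):
    """Encryption side: one lookup per state vector, XOR of the 16 outputs."""
    acc = 0
    for i, table in enumerate(tables):
        acc ^= table[(y >> (BLK * i)) & 0xFF]
    return acc

def demo(seed=1):
    rng = random.Random(seed)  # seeded for repeatability; not a secure RNG
    L, B, D = random_invertible(N, rng), rng.getrandbits(N), block_diagonal(rng)
    x = rng.getrandbits(N)     # constructed sample plaintext block
    y = mat_vec(L, x) ^ B      # assumed external input code Y = L*X xor B
    tables, const = build_de_tables(L, B, D, rng)
    out = lookup_and_xor(tables, y)  # equals D*x xor const, never bare x
    return x, out, mat_vec(invert(D), out ^ const)

if __name__ == "__main__":
    x, _, recovered = demo()
    print("plaintext recovered:", recovered == x)
```

The XOR of the 16 lookups stays under the output encoding; only a party holding D and the accumulated constant can strip it, which is the role the next table's input decoding plays in the patent.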

Claims (10)

1. A white-box AES encryption method based on large affine coding is characterized in that each round of operation of an AES is packaged in an encryption table MSK and a shift table SR, an input code and an output code are set for each encryption table MSK and shift table SR, the output code and the input code both adopt large affine transformation, and a decoding table De is constructed to decode obfuscated codes and affine codes of row shift operation, and the method comprises the following steps:
(1) constructing an external input code:
(1a) dividing input 128-bit data into 16 groups according to each 8bits data, sequentially arranging each 4 groups of data into a line, performing shift operation on each row of data to obtain 4 32-bit vectors, and cascading the 4 32-bit vectors into a 128-bit vector according to a line sequence;
(1b) performing aliasing coding on the 128-bit vector to obtain a 128-bit vector according to the following formula:
Figure FDA0002327958700000011
wherein Y represents a vector of 128-bits after the aliasing coding,
Figure FDA0002327958700000012
representing an exclusive or addition operation, B representing a randomly generated 128-bit vector representing a complex operation, L representing a randomly selected 128 x 128 invertible matrix;
(2) two affine transformation functions for output encoding were constructed:
(2a) constructing a first affine transformation function by using a 128 x 128 diagonal matrix formed by 16 randomly generated 8 x 8 reversible matrices;
(2b) constructing a second affine transformation function by using a 128 x 128 diagonal matrix formed by 16 randomly generated 8 x 8 reversible matrices;
(3) generating a decoding table De for obfuscating the encoding decoding and affine encoding of the row shift operation:
(3a) randomly selecting unselected state vectors in a state matrix of an Advanced Encryption Standard (AES);
(3b) constructing an array with the length of 256, and initializing each element in the array into an 8-bit vector;
(3c) performing a decoding operation on the obfuscated encoding of the row shifting operation:
randomly selecting an unselected 8-bit vector from an array with the length of 256, taking the unselected 8-bit vector as an input vector, and performing decoding operation on the 8-bit input vector to obtain a decoded 128-bit vector;
(3d) judging whether the row number of the state vector in the state matrix is less than 2, if so, executing the step (3e), otherwise, executing the step (3f);
(3e) carrying out affine coding on the 128-bit vector decoded in the step (3c) by using a first affine transformation function to obtain a 128-bit vector;
(3f) carrying out affine coding on the 128-bit vector decoded in the step (3c) by using a second affine transformation function to obtain a 128-bit vector;
(3g) judging whether all 8-bit vectors in the array with the length of 256 are selected, if so, executing the step (3h), otherwise, executing the step (3c);
(3h) judging whether each state vector in the state matrix of the AES is selected, if so, executing the step (4), otherwise, executing the step (3a);
(4) randomly selecting a column of unselected state vectors from a state matrix of an Advanced Encryption Standard (AES);
(5) three affine transformation functions for the alias coding and the output coding are constructed:
(5a) constructing a first affine transformation function by using a 32 x 32 diagonal matrix consisting of 4 randomly generated 8 x 8 reversible matrices;
(5b) constructing a second affine transformation function by using a 32 x 32 diagonal matrix consisting of 4 randomly generated 8 x 8 reversible matrices;
(5c) taking a randomly generated 32 x 32 reversible matrix as a linear part of a third affine transformation function, and taking a randomly generated 32-bit vector as a constant part of the third affine transformation function;
(6) generating an encryption table MSK for performing encryption key, byte transformation and column obfuscation operations:
(6a) randomly selecting an unselected state vector from the selected list of state vectors;
(6b) constructing an array with the length of 65536, and initializing each element of the array into a 16-bit vector;
(6c) performing an input decoding operation on the input vector:
randomly selecting a 16-bit vector from an array with the length of 65536, taking the 16-bit vector as an input vector, performing decoding operation on the 16-bit input vector by using a 16-bit affine transformation function to obtain a decoded 16-bit vector, equally dividing the 16-bit vector into 2 8-bit vectors, and performing exclusive OR operation on the 2 8-bit vectors to obtain an 8-bit vector;
(6d) performing keying, byte transformation and column obfuscation operations on the 8-bit vector obtained in step (6c):
carrying out XOR operation on the 8-bit vector obtained in the step (6c) and the 8-bit round key to obtain an 8-bit vector, carrying out byte transformation operation on the 8-bit vector to obtain an 8-bit vector, carrying out column confusion operation on the 8-bit vector to obtain a 32-bit vector, and carrying out confusion coding on the 32-bit vector by using a third affine transformation function to obtain a 32-bit vector;
(6e) judging whether the row number of the state vector in the state matrix column is less than 2, if so, executing the step (6f), otherwise, executing the step (6g);
(6f) carrying out affine coding on the output vector of the 32-bit by using the first affine transformation function constructed in the step (5a) to obtain a vector of the 32-bit;
(6g) carrying out affine coding on the output vector of the 32-bit by using the second affine transformation function constructed in the step (5b) to obtain a vector of the 32-bit;
(6h) judging whether all 16-bit vectors in an array with the length of 65536 are selected, if so, executing the step (6i), otherwise, executing the step (6c);
(6i) judging whether all the state vectors in the selected row of state vectors are selected, if so, executing the step (7), otherwise, executing the step (6a);
(7) judging whether all column vectors in a state matrix of the AES are selected, if so, executing the step (8), otherwise, executing the step (4);
(8) an affine transformation function for confusion coding is constructed:
randomly generating a reversible matrix L of 128 multiplied by 128 as a linear part of an affine transformation function, and randomly generating a zero vector B of 128-bit as a constant part of the affine transformation function;
(9) generating a shift table SR for performing a row shift operation:
(9a) randomly selecting a state vector in an advanced encryption standard AES state matrix;
(9b) constructing an array with the length of 65536, and initializing each element of the array into a 16-bit vector;
(9c) performing an input decoding operation on the input vector:
randomly selecting a 16-bit vector from an array with the length of 65535, using the 16-bit vector as an input vector, performing decoding operation on the 16-bit input vector to obtain a decoded 16-bit vector, equally dividing the 16-bit vector into 2 8-bit vectors, and performing exclusive OR operation on the 2 8-bit vectors to obtain an 8-bit vector;
(9d) the 8-bit vector is subjected to a row shift operation:
performing confusion decoding on the 8-bit vector to obtain a 32-bit vector, and performing left multiplication on the 32-bit vector by using a 128 multiplied by 32 matrix to obtain a 128-bit vector;
(9e) carrying out confusion coding operation on the 128-bit vector by using an affine transformation function to obtain a 128-bit vector, and writing the 128-bit vector into an array with the length of 65536;
(9f) judging whether all 16-bit vectors in an array with the length of 65536 are selected, if so, executing the step (9g), otherwise, executing the step (9c);
(9g) judging whether all state vectors in the state matrix are selected, if so, executing the step (10), otherwise, executing the step (9a);
(10) the 48 look-up tables required to perform an AES round of encryption in a white-box environment are obtained.
2. The white-box AES encryption method based on large-scale affine coding as claimed in claim 1, wherein the affine transformation function in step (2a) and step (2b) is formed by assembling 16 randomly generated 8 x 8 invertible matrices into a 128 x 128 diagonal matrix as the linear part of the affine transformation function and randomly generating a 128-bit zero vector as the constant part of the affine transformation function.
3. The white-box AES encryption method based on large affine coding as claimed in claim 1, wherein the state matrix in step (3a), step (4) and step (9a) is obtained by dividing the 128-bit plaintext input to the AES into 16 groups of 8 bits each and arranging the groups in order into a state matrix with 4 rows and 4 columns, and each 8-bit group of plaintext is called a state vector.
4. The white-box AES encryption method based on large-scale affine coding as claimed in claim 1, wherein the decoding operation in step (3c) is to calculate an inverse affine transformation function of the 128-bit affine transformation function used for aliasing coding, and divide the inverse affine transformation function into 16 8-bit sub-transformation functions by using a matrix blocking method as the affine transformation function of the decoding operation.
5. The white-box AES encryption method based on large-scale affine coding as claimed in claim 1, wherein the affine coding in step (3e) and step (3f) is that a 128-bit vector is obtained by encoding a 128-bit vector with an affine transformation function, and then the 128-bit vector is subjected to XOR operation with a randomly generated 128-bit vector S to obtain a 128-bit vector, and then the vector is written into an array with a length of 256, and then the 128-bit vector S is subjected to XOR operation with a constant part of the affine transformation function, and then the 128-bit vector after the XOR operation is written into a vector of a constant part of the affine transformation function.
6. The white-box AES encryption method based on large affine coding as claimed in claim 4, wherein the matrix blocking operation method comprises the following specific steps:
firstly, every 8 columns of a matrix of a linear part of an affine transformation function are arranged into a group, and the matrix is divided into 16 groups of 128 multiplied by 8 sub-matrixes;
secondly, taking every 8 bits of the vector of the constant part of the affine transformation function as a group, and dividing the vector into 16 groups of 8-bit sub-vectors;
and thirdly, forming an 8-bit sub-transformation function by using a 128 multiplied by 8 sub-matrix and an 8-bit sub-vector.
7. The white-box AES encryption method based on large-scale affine coding as claimed in claim 1, wherein the affine transformation function in step (5a) and step (5b) is formed by building 4 randomly generated 8 x 8 invertible matrices into a 32 x 32 diagonal matrix as the linear part of the affine transformation function and using the randomly generated zero vector of 32-bit as the constant part of the affine transformation function.
8. The white-box AES encryption method based on large affine coding as claimed in claim 1, wherein the affine transformation function of 16-bit in step (6c) comprises the following specific steps:
firstly, dividing an inverse function of a first 128-bit affine transformation function into 16 sub-transformation functions 1 by using a matrix blocking method, and sequentially arranging the sub-transformation functions;
secondly, dividing the inverse function of the second 128-bit affine transformation function into 16 sub-transformation functions 2 by using a matrix blocking method, and sequentially arranging the sub-transformation functions;
thirdly, respectively selecting one sub-transformation function with the same order from the two groups of 16 sub-transformation functions;
fourthly, removing all-zero blocks from the matrix of the linear part of the selected sub-transformation function 1 to obtain an 8 x 8 matrix, removing all-zero blocks from the matrix of the linear part of the selected sub-transformation function 2 to obtain an 8 x 8 matrix, forming the two 8 x 8 matrices into a 16 x 16 matrix, and linking the 8-bit vectors of the constant parts of the two sub-transformation functions into a 16-bit vector;
and fifthly, forming a 16-bit affine transformation function by the 16 multiplied by 16 matrix and the 16-bit vector.
9. The white-box AES encryption method based on large-scale affine coding as claimed in claim 1, wherein the affine coding in step (6f) and step (6g) is that affine coding is performed on a 32-bit vector by affine transformation to obtain a 32-bit vector, exclusive OR operation is performed on the 32-bit vector and a randomly selected 32-bit vector s to obtain a 32-bit vector, the 32-bit vector is written into an array with a length of 65536, exclusive OR operation is performed on the 32-bit vector s and a constant part of the affine transformation function, and the 32-bit vector after exclusive OR operation is written into a vector of a constant part of the affine transformation function.
10. The white-box AES encryption method based on large-scale affine coding as claimed in claim 1, wherein the obfuscating coding in step (9e) is to encode a 128-bit vector with an affine transformation function to obtain a 128-bit vector, perform XOR operation on the 128-bit vector and a randomly generated 128-bit vector S to obtain a 128-bit vector, perform XOR operation on the 128-bit vector S and a 128-bit vector B of a constant part of the affine transformation function, and replace the vector B of the constant part of the affine transformation function with the 128-bit vector after the XOR operation.
CN201910043431.9A 2019-01-17 2019-01-17 White-box AES encryption method based on large affine coding Active CN109714152B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910043431.9A CN109714152B (en) 2019-01-17 2019-01-17 White-box AES encryption method based on large affine coding


Publications (2)

Publication Number Publication Date
CN109714152A CN109714152A (en) 2019-05-03
CN109714152B true CN109714152B (en) 2020-04-07

Family

ID=66262174

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910043431.9A Active CN109714152B (en) 2019-01-17 2019-01-17 White-box AES encryption method based on large affine coding

Country Status (1)

Country Link
CN (1) CN109714152B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant