CN113794549B - 4-bit password S-box automatic threshold masking method - Google Patents


Info

Publication number: CN113794549B
Authority: CN (China)
Application number: CN202111078036.8A
Other versions: CN113794549A
Other languages: Chinese (zh)
Prior art keywords: masking, component, turning, scheme, mask
Legal status: Active
Inventors: 韦永壮, 杨蕊涵, 武小年, 李灵琛, 张润莲
Current assignee: Guilin University of Electronic Technology
Original assignee: Guilin University of Electronic Technology

Classifications

    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation (under H04L9/06 Encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators)
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L2209/08 Randomization, e.g. dummy operations or using noise (under H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00)
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem


Abstract

The invention discloses an automatic threshold masking method for 4-bit cipher S-boxes, which comprises four parts: calculating the algebraic normal form, constructing a first-order threshold masking scheme, detecting the uniformity of the masking scheme, and optimizing the hardware implementation of the masking scheme. The first-order threshold mask is constructed by three algorithms: a cubic-term algorithm, a quadratic-term algorithm and a linear-term algorithm. The optimization of the hardware implementation of the masking scheme mainly covers the quadratic and cubic terms. The method can automatically construct a threshold masking scheme for a block cipher to resist side-channel attacks; the first-order threshold masking scheme is generated quickly, and whether the scheme satisfies the relevant properties of a threshold mask is detected automatically; random numbers are used only when the variables are split into shares, and no additional random numbers are introduced in the other masking steps; the method is universal and is suitable for the mask protection of the cipher S-box of any 4-bit block cipher.

Description

4-bit cipher S-box automatic threshold masking method
Technical Field
The invention relates to the field of information security, in particular to an automatic threshold masking method for a 4-bit cipher S-box.
Background
Block ciphers are widely applied in the fields of network and information security as a mainstream means of information encryption and play an important role. The advent of side-channel analysis poses a serious threat to cryptographic algorithms, including block ciphers. Side-channel attacks mainly use the power consumption leaked during the physical implementation of cryptographic devices (such as chips) to analyze and recover key information. To defend effectively against side-channel attacks, various protection methods have been proposed; masking is one of the most effective algorithm-level defenses and achieves provable security at the algorithm level.
Masking methods include polynomial masking, ISW masking, threshold masking, DOM masking, multiplicative masking, and the like. Threshold masking, which is based on secret sharing and secure multiparty computation, stands out among the many masking strategies because it prevents intermediate values from being revealed even in the presence of glitches. A threshold mask must satisfy three properties: correctness, non-completeness and uniformity. Uniformity in particular requires a large number of random bits to guarantee, which consumes a large amount of chip area. How to make a scheme satisfy the three properties while introducing few or even no new random numbers is therefore an important consideration when realizing a threshold masking scheme. In a block cipher the cipher S-box is the only nonlinear component, and in a side-channel attack the output of the cipher S-box is the key target of the adversary. Therefore, in the mask protection of a block cipher, protection is mainly applied to the cipher S-box.
Because cryptographic algorithms vary, current masking schemes for cryptographic algorithms require a designer to perform the analysis and construction manually. Existing masking-scheme constructions typically decompose the cipher S-box to reduce its algebraic degree. Generally a 4-bit cipher S-box is decomposed and a suitable mask is searched for among the low-degree component functions, which usually requires a high amount of computation, has low search efficiency and lacks universality. How to generate a secure mask protection scheme quickly and automatically without decomposing the cipher S-box is the problem to be solved at present.
Disclosure of Invention
In order to resist side-channel attacks effectively and achieve security protection of block ciphers, the invention provides a universal automatic threshold masking method for 4-bit cipher S-boxes. It uses random numbers only in the stage where the variables are split into shares, introduces no additional random numbers in the other masking steps, and can automatically generate a first-order masking scheme from the cipher S-box and detect the uniformity of the scheme.
The technical solution that achieves the aim of the invention is as follows:
a universal 4-bit cipher S-box automatic threshold masking method comprising the following steps:
(1) calculating the algebraic normal form;
taking the truth table of the 4-bit cipher S-box as input, the algebraic normal form of the S-box is calculated;
(2) constructing a first-order threshold masking scheme;
taking the algebraic normal form of the cipher S-box as input, constant-term processing and 3 algorithms are designed, the component subsets of the threshold masking scheme are constructed according to the polynomials of the algebraic normal form, and a first-order threshold masking scheme satisfying correctness and non-completeness is generated;
the 3 algorithms are a cubic-term algorithm, a quadratic-term algorithm and a linear-term algorithm;
(3) detecting the uniformity of the masking scheme;
taking the generated first-order threshold masking scheme as input, it is detected whether the output masks appear with equal probability under the condition that the input masks are uniform;
(4) optimizing the hardware implementation of the masking scheme;
this mainly consists of optimizing the quadratic-term algorithm and the cubic-term algorithm: the usage of AND and XOR gates in the hardware implementation of the masking scheme is analyzed, and the number of gates is reduced as far as possible without affecting the security of the scheme, so that the hardware area is reduced.
The algebraic normal form is calculated in step (1) by the following specific steps:
(1.1) input the truth table of the 4-bit S-box and compute the binary representation of each bit of the S-box;
(1.2) compute the Boolean function of each bit of the S-box from the binary representation and express it in algebraic normal form, which gives the algebraic normal form of the S-box.
The construction of the first-order threshold masking scheme in step (2) specifically comprises the following steps:
(2.1) first set up 4 component functions $f_0, f_1, f_2, f_3$, of which the masking scheme is composed; each component function is the XOR of the elements already in it and each newly added element, and is empty initially;
(2.2) traverse each term of the algebraic normal form: if the term is a linear term go to step (2.3), if it is a quadratic term go to step (2.4), if it is a cubic term go to step (2.5), if it is a constant term go to step (2.6);
(2.3) according to the correctness property of threshold implementations, split the variable of the linear term: the variable x in the linear-term expression is split into 4 shares, i.e. $x = x_0 \oplus x_1 \oplus x_2 \oplus x_3$; first $x_0$, $x_1$, $x_2$ are generated at random and $x_3 = x_0 \oplus x_1 \oplus x_2 \oplus x$ is calculated; from the 4-sharing the linear-term mask component set $\{x_i \mid i \in \{0,1,2,3\}\}$ is obtained; according to the first-order non-completeness property of threshold implementations, the linear-term algorithm is executed to select and combine the elements of the mask component set;
the linear-term algorithm comprises the following specific steps:
(2.3.1) initialize, let $i = 0$;
(2.3.2) traverse the linear-term mask component set $\{x_i\}$;
(2.3.3) place the component $x_i$ with subscript $i$ in the component function $f_{(i+1) \bmod 4}$;
(2.3.4) let $i = i + 1$; if $i \le 3$, go to (2.3.2); otherwise go to (2.3.5);
(2.3.5) output the linear-term masking scheme subset $\{f_0, f_1, f_2, f_3\}$;
(2.3.6) continue traversing the algebraic normal form; if the traversal is not complete, go to (2.2); otherwise go to (2.8);
(2.4) according to the correctness property of threshold implementations, split the variables of the quadratic term: the variables m and y in the quadratic-term expression are each split into 4 shares, i.e. $m = m_0 \oplus m_1 \oplus m_2 \oplus m_3$ and $y = y_0 \oplus y_1 \oplus y_2 \oplus y_3$; first $m_0, m_1, m_2$ and $y_0, y_1, y_2$ are generated at random and $m_3 = m_0 \oplus m_1 \oplus m_2 \oplus m$, $y_3 = y_0 \oplus y_1 \oplus y_2 \oplus y$ are calculated; from the 4-sharing the quadratic-term mask component set $\{m_i y_j \mid i, j \in \{0,1,2,3\}\}$ is obtained; according to the first-order non-completeness property of threshold implementations, the quadratic-term algorithm is executed to select and combine the elements of the set;
the quadratic-term algorithm comprises the following specific steps:
(2.4.1) initialize, let $i = 0$, $j = 0$;
(2.4.2) traverse the quadratic-term mask component set $\{m_i y_j\}$: if $i = j$ go to step (2.4.3); if $|i - j| \bmod 2 = 1$ go to step (2.4.4); otherwise go to step (2.4.7);
(2.4.3) place the mask component $m_i y_j$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.4.8);
(2.4.4) if $\max(i, j) = 3$ and $i \cdot j = 0$, go to step (2.4.5); otherwise go to step (2.4.6);
(2.4.5) place the mask component $m_i y_j$ in $f_1$ and go to step (2.4.8);
(2.4.6) place the mask component $m_i y_j$ in the component function $f_{(\max(i,j)+1) \bmod 4}$ and go to step (2.4.8);
(2.4.7) place the mask component $m_i y_j$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.4.8);
(2.4.8) let $i = i + 1$; if $i \le 3$, go to (2.4.2); otherwise let $i = 0$ and go to (2.4.9);
(2.4.9) let $j = j + 1$; if $j \le 3$, go to (2.4.2); otherwise go to (2.4.10);
(2.4.10) output the masking scheme subset $\{f_0, f_1, f_2, f_3\}$;
(2.4.11) continue traversing the algebraic normal form; if the traversal is not complete, go to (2.2); otherwise go to (2.8);
(2.5) according to the correctness property of threshold implementations, split the variables of the cubic term: the variables s, t and z in the cubic-term expression are each split into 4 shares, i.e. $s = s_0 \oplus s_1 \oplus s_2 \oplus s_3$, $t = t_0 \oplus t_1 \oplus t_2 \oplus t_3$ and $z = z_0 \oplus z_1 \oplus z_2 \oplus z_3$; $s_0, s_1, s_2$, $t_0, t_1, t_2$ and $z_0, z_1, z_2$ are generated at random and $s_3 = s_0 \oplus s_1 \oplus s_2 \oplus s$, $t_3 = t_0 \oplus t_1 \oplus t_2 \oplus t$ and $z_3 = z_0 \oplus z_1 \oplus z_2 \oplus z$ are calculated; from the 4-sharing the cubic-term mask component set $\{s_i t_j z_k \mid i, j, k \in \{0,1,2,3\}\}$ is obtained; according to the first-order non-completeness property of threshold implementations, the cubic-term algorithm is executed to select and combine the elements of the set;
the cubic-term algorithm comprises the following specific steps:
(2.5.1) initialize, let $i = 0$, $j = 0$, $k = 0$;
(2.5.2) traverse the cubic-term mask component set $\{s_i t_j z_k\}$: if $i = j = k$ go to step (2.5.3); if $i \ne j$, $j \ne k$ and $i \ne k$ go to step (2.5.4); if $i = j$ and $i \ne k$ go to step (2.5.5); if $i = k$ and $i \ne j$ go to step (2.5.10); if $j = k$ and $i \ne k$ go to step (2.5.15);
(2.5.3) place the mask component $s_i t_j z_k$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.5.20);
(2.5.4) place the mask component $s_i t_j z_k$ in the component function $f_{6-i-j-k}$ and go to step (2.5.20);
(2.5.5) if $|k - i| \bmod 2 = 1$ go to (2.5.6); otherwise go to step (2.5.9);
(2.5.6) if $\max(i, k) = 3$ and $i \cdot k = 0$ go to (2.5.7); otherwise go to step (2.5.8);
(2.5.7) place the mask component $s_i t_j z_k$ in the component function $f_1$ and go to step (2.5.20);
(2.5.8) place the mask component $s_i t_j z_k$ in the component function $f_{(\max(i,k)+1) \bmod 4}$ and go to step (2.5.20);
(2.5.9) place the mask component $s_i t_j z_k$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.5.20);
(2.5.10) if $|j - i| \bmod 2 = 1$ go to (2.5.11); otherwise go to step (2.5.14);
(2.5.11) if $\max(i, j) = 3$ and $i \cdot j = 0$ go to step (2.5.12); otherwise go to step (2.5.13);
(2.5.12) place the mask component $s_i t_j z_k$ in the component function $f_1$ and go to step (2.5.20);
(2.5.13) place the mask component $s_i t_j z_k$ in the component function $f_{(\max(i,j)+1) \bmod 4}$ and go to step (2.5.20);
(2.5.14) place the mask component $s_i t_j z_k$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.5.20);
(2.5.15) if $|k - i| \bmod 2 = 1$ go to (2.5.16); otherwise go to step (2.5.19);
(2.5.16) if $\max(i, k) = 3$ and $i \cdot k = 0$ go to (2.5.17); otherwise go to step (2.5.18);
(2.5.17) place the mask component $s_i t_j z_k$ in the component function $f_1$ and go to step (2.5.20);
(2.5.18) place the mask component $s_i t_j z_k$ in the component function $f_{(\max(i,k)+1) \bmod 4}$ and go to step (2.5.20);
(2.5.19) place the mask component $s_i t_j z_k$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.5.20);
(2.5.20) let $i = i + 1$; if $i \le 3$, go to (2.5.2); otherwise let $i = 0$ and go to (2.5.21);
(2.5.21) let $j = j + 1$; if $j \le 3$, go to (2.5.2); otherwise let $i = j = 0$ and go to (2.5.22);
(2.5.22) let $k = k + 1$; if $k \le 3$, go to (2.5.2); otherwise go to (2.5.23);
(2.5.23) output the masking scheme subset $\{f_0, f_1, f_2, f_3\}$;
(2.5.24) continue traversing the algebraic normal form; if the traversal is not complete, go to (2.2); otherwise go to (2.8);
(2.6) XOR the constant term 1 into the component function $f_1$;
(2.7) continue traversing the algebraic normal form; if the traversal is not complete, go to (2.2); otherwise go to (2.8);
(2.8) output the masking scheme $\{f_0, f_1, f_2, f_3\}$.
The uniformity detection of the masking scheme in step (3) comprises the following specific steps:
(3.1) traverse each variable of the masking scheme; suppose the variables are a, b, c, d and their mask components are $\{a_0, a_1, a_2, a_3\}$, $\{b_0, b_1, b_2, b_3\}$, $\{c_0, c_1, c_2, c_3\}$ and $\{d_0, d_1, d_2, d_3\}$ respectively;
(3.2) traverse every value of each mask component of the variables;
(3.3) for each of $f_0, f_1, f_2, f_3$ of the masking scheme, separately count the number of times it takes the value 0 and the value 1 during the traversal;
(3.4) if for $f_0, f_1, f_2, f_3$ the counted numbers of 0s and 1s are equal, output that the masking scheme is uniform; otherwise output that the masking scheme is non-uniform.
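As an added worked example (not code from the patent or its authors), the following Python carries out steps (1) to (3) for one output bit of a 4-bit S-box: the algebraic normal form by the Möbius transform, the 4-share construction with the placement rules of steps (2.3) to (2.6), and the counting check of step (3). It assumes the PRESENT S-box as sample input, which the patent does not name, and alongside the per-component 0/1 count of steps (3.3) and (3.4) it also runs the standard joint uniformity check of threshold implementations, which goes beyond what step (3) describes.

```python
from itertools import product

# Sample input: the PRESENT S-box, a standard 4-bit S-box (not one the patent names).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NVARS, NSHARES = 4, 4            # 4 input bits; d+1 = 4 shares for algebraic degree d <= 3

def coordinate(sbox, bit):
    """Step (1.1): truth table of one output bit of the S-box, indexed by the 4-bit input."""
    return [(sbox[x] >> bit) & 1 for x in range(16)]

def anf(truth_table):
    """Step (1.2): Moebius transform. Returns the monomials of the algebraic normal form,
    each a frozenset of variable indices (the empty frozenset is the constant term 1)."""
    c = list(truth_table)
    for b in range(NVARS):
        for u in range(16):
            if (u >> b) & 1:
                c[u] ^= c[u ^ (1 << b)]
    return {frozenset(b for b in range(NVARS) if (u >> b) & 1) for u in range(16) if c[u]}

def _pair(i, j):
    """Two different share indices: the odd/even rule of steps (2.4.4)-(2.4.7)."""
    if (i - j) % 2 == 1:
        return 1 if max(i, j) == 3 and i * j == 0 else (max(i, j) + 1) % NSHARES
    return (i + 1) % NSHARES

def component_of(idx):
    """Index k of the component function f_k that receives the shared monomial with
    share indices idx (length 1, 2 or 3): steps (2.3.3), (2.4.2)-(2.4.7), (2.5.2)-(2.5.19)."""
    if len(set(idx)) == 1:               # x_i, m_i y_i, s_i t_i z_i  ->  f_{(i+1) mod 4}
        return (idx[0] + 1) % NSHARES
    if len(idx) == 2:
        return _pair(*idx)
    i, j, k = idx
    if len({i, j, k}) == 3:              # all different: the one index not used (2.5.4)
        return 6 - i - j - k
    return _pair(i, j) if i == k else _pair(i, k)   # (2.5.10); (2.5.5) and (2.5.15)

def threshold_share(monomials):
    """Step (2): variable v becomes shares (v,0)..(v,3); each monomial expands into 4^deg
    shared monomials, each routed to one component. A component is
    [constant_bit, set_of_shared_monomials]; a shared monomial is a frozenset of (v, i)."""
    comps = [[0, set()] for _ in range(NSHARES)]
    for mono in monomials:
        vs = sorted(mono)
        if not vs:                       # constant term 1 is XORed into f_1 (step 2.6)
            comps[1][0] ^= 1
        elif len(vs) > 3:
            raise ValueError("the placement rules cover degree <= 3 only")
        else:
            for idx in product(range(NSHARES), repeat=len(vs)):
                comps[component_of(idx)][1].add(frozenset(zip(vs, idx)))
    return comps

def verify(truth_table, comps):
    """Step (3) over all 2^16 share assignments at once: assignment a is bit a of a big
    integer, share i of variable v is bit 4*v+i of a. Returns (correct, non_complete,
    balanced, jointly_uniform): 'balanced' is the 0/1 count of steps (3.3)-(3.4) per
    component; 'jointly_uniform' is the standard TI uniformity (for every input, each
    valid output sharing is reached exactly 2^12 / 8 = 512 times)."""
    nbits = NVARS * NSHARES
    ALL = (1 << (1 << nbits)) - 1
    bit = [int(("1" * (1 << p) + "0" * (1 << p)) * (1 << (nbits - 1 - p)), 2)
           for p in range(nbits)]       # bit[p]: bitsliced value of share bit p
    share = lambda v, i: bit[NSHARES * v + i]
    F = []                               # bitsliced f_0 .. f_3
    for const, monos in comps:
        acc = ALL if const else 0
        for mono in monos:
            term = ALL
            for v, i in mono:
                term &= share(v, i)
            acc ^= term
        F.append(acc)
    X = [share(v, 0) ^ share(v, 1) ^ share(v, 2) ^ share(v, 3) for v in range(NVARS)]
    pop = lambda n: bin(n).count("1")
    non_complete = all(i != k for k, (_, monos) in enumerate(comps)
                       for mono in monos for _, i in mono)
    balanced = all(pop(f) == 1 << (nbits - 1) for f in F)
    correct = uniform = True
    for x in range(1 << NVARS):
        sel_x = ALL                      # assignments whose unshared input is x
        for v in range(NVARS):
            sel_x &= X[v] if (x >> v) & 1 else ~X[v] & ALL
        for y in range(1 << NSHARES):    # y: candidate output sharing (f_0, .., f_3)
            sel = sel_x
            for k in range(NSHARES):
                sel &= F[k] if (y >> k) & 1 else ~F[k] & ALL
            if (pop(y) & 1) != truth_table[x]:
                correct &= pop(sel) == 0
            else:
                uniform &= pop(sel) == 1 << (nbits - NVARS - NSHARES + 1)
    return correct, non_complete, balanced, uniform

def share_coordinate(sbox, bit):
    """Steps (1)-(3) for one output bit: returns the components and the four check flags."""
    tt = coordinate(sbox, bit)
    comps = threshold_share(anf(tt))
    return comps, verify(tt, comps)
```

Correctness and non-completeness hold by construction for every function of degree at most 3, whereas a component can be balanced without the sharing being jointly uniform; it is the joint property that first-order threshold security relies on.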
The optimization of the hardware implementation of the masking scheme in step (4) comprises the following specific steps:
(4.1) for the expressions of the constructed masking scheme $\{f_0, f_1, f_2, f_3\}$, set one counter for each distinct item (factor) appearing in the expressions, with initial value 0;
(4.2) traverse the items of the masking scheme $\{f_0, f_1, f_2, f_3\}$;
(4.3) whenever an item appears again, add 1 to its counter;
(4.4) after all items have been traversed, if the counter values differ, go to step (4.5); if all counter values are equal and 0, go to step (4.7);
(4.5) extract the item with the highest counter value as a common factor and rearrange the terms of the masking scheme $\{f_0, f_1, f_2, f_3\}$ by factoring (the associative law of multiplication), so as to reduce the AND and XOR operations in the masking scheme;
(4.6) reset the counters of the expression to 0 and go to step (4.2);
(4.7) output the masking scheme $\{f_0, f_1, f_2, f_3\}$ after factor extraction, which is the result of the hardware optimization.
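Step (4) as an added example (not the patent's code): one component function is taken as a constructed sample, the item that repeats most often is factored out as in steps (4.1) to (4.6), and the two-input AND and XOR gate counts before and after are compared. The sample $f_1$ is the component that the quadratic-term rule of step (2.4) assigns for a single AND term m·y; it is assumed here and is not a result stated in the patent.

```python
from collections import Counter

# Constructed sample (not from the patent): the f_1 that the quadratic-term rule of
# step (2.4) gives for a single AND term m*y. A monomial is a tuple of share names;
# the list is XORed together, so f_1 = m0y0 + m0y3 + m3y0 + m0y2.
F1 = [("m0", "y0"), ("m0", "y3"), ("m3", "y0"), ("m0", "y2")]

def gate_count(monomials):
    """Two-input AND gates (deg-1 per monomial) and XOR gates (#terms-1) of a flat XOR of products."""
    ands = sum(max(len(m) - 1, 0) for m in monomials)
    return ands, max(len(monomials) - 1, 0)

def factor_once(monomials):
    """Steps (4.1)-(4.5): one counter per distinct share (4.1), incremented on every
    repeat (4.3); if some share repeats, pull the most frequent one out of the monomials
    that contain it. Returns (share, residual monomials, untouched monomials), or None
    when nothing repeats (step 4.4 -> 4.7)."""
    counts = Counter(s for m in monomials for s in m)
    if not counts or counts.most_common(1)[0][1] < 2:
        return None
    share = counts.most_common(1)[0][0]
    inside = [tuple(s for s in m if s != share) for m in monomials if share in m]
    rest = [m for m in monomials if share not in m]
    return share, inside, rest

def optimise(monomials):
    """Step (4.6): repeat the extraction on the remaining parts until nothing repeats.
    Returns a nested expression: ("xor", monomials) or ("and", share, inner, rest)."""
    f = factor_once(monomials)
    if f is None:
        return ("xor", monomials)
    share, inside, rest = f
    return ("and", share, optimise(inside), optimise(rest))

def gates(expr):
    """AND/XOR gate count of a nested expression."""
    if expr[0] == "xor":
        return gate_count(expr[1])
    _, share, inner, rest = expr
    a1, x1 = gates(inner)
    a2, x2 = gates(rest)
    # one AND for share*(inner); one XOR to join it with rest unless rest is empty
    return a1 + a2 + 1, x1 + x2 + (0 if rest == ("xor", []) else 1)

def render(expr):
    """Human-readable form, with '+' standing for XOR."""
    if expr[0] == "xor":
        return " + ".join("".join(m) or "1" for m in expr[1]) or "0"
    _, share, inner, rest = expr
    head = f"{share}({render(inner)})"
    return head if rest == ("xor", []) else f"{head} + {render(rest)}"
```

For the sample, `render(optimise(F1))` gives `m0(y0 + y3 + y2) + m3y0`, and the AND count drops from 4 to 2 while the XOR count stays at 3.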
The beneficial effects of the invention are as follows:
(1) the method can automatically construct a threshold masking scheme for a block cipher to resist side-channel attacks;
(2) the method can quickly generate a first-order threshold masking scheme and automatically detect whether the scheme satisfies the relevant properties of a threshold mask;
(3) the method is universal and is suitable for the mask protection of the cipher S-box of any 4-bit block cipher;
(4) the method uses random numbers only when the variables are split into shares, and no additional random numbers are introduced in the other masking steps.
Drawings
FIG. 1 is a flow chart of the automatic threshold masking method for a 4-bit cipher S-box of the present invention;
FIG. 2 is a flow chart of the cubic-term masking algorithm in the masking method of the present invention.
Detailed Description
The present invention will be further described with reference to examples and drawings, but the present invention is not limited thereto.
Examples
Referring to FIG. 1, a 4-bit cipher S-box automatic threshold masking method includes the steps of:
(1) calculating the algebraic normal form;
(2) constructing a first-order threshold masking scheme;
(3) detecting the uniformity of the masking scheme;
(4) optimizing the hardware implementation of the masking scheme.
The algebraic normal form is calculated in step (1) by the following specific method:
(1.1) input the truth table of the 4-bit S-box and compute the binary representation of each bit of the S-box;
(1.2) compute the Boolean function of each bit of the S-box from the binary representation and express it in algebraic normal form, which gives the algebraic normal form of the S-box.
The first-order threshold masking scheme is constructed in step (2) by the following specific method:
(2.1) first set up 4 component functions $f_0, f_1, f_2, f_3$, of which the masking scheme is composed; each component function is the XOR of the elements already in it and each newly added element, and is empty initially;
(2.2) to illustrate the construction of the masking scheme better, suppose the algebraic normal form expression obtained in step (1) is $f = x + my + stz + 1$. Traverse each term of the algebraic normal form: on reaching x, the term is a linear term, go to step (2.3); on reaching my, the term is a quadratic term, go to step (2.4); on reaching stz, the term is a cubic term, go to step (2.5); on reaching 1, the term is a constant term, go to step (2.6);
(2.3) according to the correctness property of threshold implementations, split the variable of the linear term: the variable x in the linear-term expression is split into 4 shares, i.e. $x = x_0 \oplus x_1 \oplus x_2 \oplus x_3$; first $x_0$, $x_1$, $x_2$ are generated at random and $x_3 = x_0 \oplus x_1 \oplus x_2 \oplus x$ is calculated; from the 4-sharing the linear-term mask component set $\{x_i \mid i \in \{0,1,2,3\}\}$ is obtained; according to the first-order non-completeness property of threshold implementations, the linear-term algorithm is executed to select and combine the elements of the mask component set;
the linear-term algorithm comprises the following specific steps:
(2.3.1) initialize, let $i = 0$;
(2.3.2) traverse the linear-term mask component set $\{x_i\}$;
(2.3.3) place the component $x_i$ with subscript $i$ in the component function $f_{(i+1) \bmod 4}$;
(2.3.4) let $i = i + 1$; if $i \le 3$, go to (2.3.2); otherwise go to (2.3.5);
(2.3.5) output the linear-term masking scheme subset $\{f_0, f_1, f_2, f_3\}$, where the specific result for each function is as follows:
$f_0 = x_3$
$f_1 = x_0$
$f_2 = x_1$
$f_3 = x_2$
(2.3.6) continue traversing the algebraic normal form; if the traversal is not complete, go to (2.2); otherwise go to (2.8);
(2.4) according to the correctness property of threshold implementations, split the variables of the quadratic term: the variables m and y in the quadratic-term expression are each split into 4 shares, i.e. $m = m_0 \oplus m_1 \oplus m_2 \oplus m_3$ and $y = y_0 \oplus y_1 \oplus y_2 \oplus y_3$; first $m_0, m_1, m_2$ and $y_0, y_1, y_2$ are generated at random and $m_3 = m_0 \oplus m_1 \oplus m_2 \oplus m$, $y_3 = y_0 \oplus y_1 \oplus y_2 \oplus y$ are calculated; from the 4-sharing the quadratic-term mask component set $\{m_i y_j \mid i, j \in \{0,1,2,3\}\}$ is obtained; according to the first-order non-completeness property of threshold implementations, the quadratic-term algorithm is executed to select and combine the elements of the set;
the quadratic-term algorithm comprises the following specific steps:
(2.4.1) initialize, let $i = 0$, $j = 0$;
(2.4.2) traverse the quadratic-term mask component set $\{m_i y_j\}$: if $i = j$ go to step (2.4.3); if $|i - j| \bmod 2 = 1$ go to step (2.4.4); otherwise go to step (2.4.7);
(2.4.3) place the mask component $m_i y_j$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.4.8);
(2.4.4) if $\max(i, j) = 3$ and $i \cdot j = 0$, go to step (2.4.5); otherwise go to step (2.4.6);
(2.4.5) place the mask component $m_i y_j$ in $f_1$ and go to step (2.4.8);
(2.4.6) place the mask component $m_i y_j$ in the component function $f_{(\max(i,j)+1) \bmod 4}$ and go to step (2.4.8);
(2.4.7) place the mask component $m_i y_j$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.4.8);
(2.4.8) let $i = i + 1$; if $i \le 3$, go to (2.4.2); otherwise let $i = 0$ and go to (2.4.9);
(2.4.9) let $j = j + 1$; if $j \le 3$, go to (2.4.2); otherwise go to (2.4.10);
(2.4.10) output the masking scheme subset $\{f_0, f_1, f_2, f_3\}$, where the specific result for each function is as follows:
(2.4.11) continue traversing the algebraic normal form; if the traversal is not complete, go to (2.2); otherwise go to (2.8);
(2.5) according to the correctness property of threshold implementations, split the variables of the cubic term: the variables s, t and z in the cubic-term expression are each split into 4 shares, i.e. $s = s_0 \oplus s_1 \oplus s_2 \oplus s_3$, $t = t_0 \oplus t_1 \oplus t_2 \oplus t_3$ and $z = z_0 \oplus z_1 \oplus z_2 \oplus z_3$; $s_0, s_1, s_2$, $t_0, t_1, t_2$ and $z_0, z_1, z_2$ are generated at random and $s_3 = s_0 \oplus s_1 \oplus s_2 \oplus s$, $t_3 = t_0 \oplus t_1 \oplus t_2 \oplus t$ and $z_3 = z_0 \oplus z_1 \oplus z_2 \oplus z$ are calculated; from the 4-sharing the cubic-term mask component set $\{s_i t_j z_k \mid i, j, k \in \{0,1,2,3\}\}$ is obtained; according to the first-order non-completeness property of threshold implementations, the cubic-term algorithm is executed to select and combine the elements of the set;
referring to FIG. 2, the cubic-term algorithm specifically comprises the following steps:
(2.5.1) initialize, let $i = 0$, $j = 0$, $k = 0$;
(2.5.2) traverse the cubic-term mask component set $\{s_i t_j z_k\}$: if $i = j = k$ go to step (2.5.3); if $i \ne j$, $j \ne k$ and $i \ne k$ go to step (2.5.4); if $i = j$ and $i \ne k$ go to step (2.5.5); if $i = k$ and $i \ne j$ go to step (2.5.10); if $j = k$ and $i \ne k$ go to step (2.5.15);
(2.5.3) place the mask component $s_i t_j z_k$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.5.20);
(2.5.4) place the mask component $s_i t_j z_k$ in the component function $f_{6-i-j-k}$ and go to step (2.5.20);
(2.5.5) if $|k - i| \bmod 2 = 1$ go to (2.5.6); otherwise go to step (2.5.9);
(2.5.6) if $\max(i, k) = 3$ and $i \cdot k = 0$ go to (2.5.7); otherwise go to step (2.5.8);
(2.5.7) place the mask component $s_i t_j z_k$ in the component function $f_1$ and go to step (2.5.20);
(2.5.8) place the mask component $s_i t_j z_k$ in the component function $f_{(\max(i,k)+1) \bmod 4}$ and go to step (2.5.20);
(2.5.9) place the mask component $s_i t_j z_k$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.5.20);
(2.5.10) if $|j - i| \bmod 2 = 1$ go to (2.5.11); otherwise go to step (2.5.14);
(2.5.11) if $\max(i, j) = 3$ and $i \cdot j = 0$ go to step (2.5.12); otherwise go to step (2.5.13);
(2.5.12) place the mask component $s_i t_j z_k$ in the component function $f_1$ and go to step (2.5.20);
(2.5.13) place the mask component $s_i t_j z_k$ in the component function $f_{(\max(i,j)+1) \bmod 4}$ and go to step (2.5.20);
(2.5.14) place the mask component $s_i t_j z_k$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.5.20);
(2.5.15) if $|k - i| \bmod 2 = 1$ go to (2.5.16); otherwise go to step (2.5.19);
(2.5.16) if $\max(i, k) = 3$ and $i \cdot k = 0$ go to (2.5.17); otherwise go to step (2.5.18);
(2.5.17) place the mask component $s_i t_j z_k$ in the component function $f_1$ and go to step (2.5.20);
(2.5.18) place the mask component $s_i t_j z_k$ in the component function $f_{(\max(i,k)+1) \bmod 4}$ and go to step (2.5.20);
(2.5.19) place the mask component $s_i t_j z_k$ in the component function $f_{(i+1) \bmod 4}$ and go to step (2.5.20);
(2.5.20) let $i = i + 1$; if $i \le 3$, go to (2.5.2); otherwise let $i = 0$ and go to (2.5.21);
(2.5.21) let $j = j + 1$; if $j \le 3$, go to (2.5.2); otherwise let $i = j = 0$ and go to (2.5.22);
(2.5.22) let $k = k + 1$; if $k \le 3$, go to (2.5.2); otherwise go to (2.5.23);
(2.5.23) output the masking scheme subset $\{f_0, f_1, f_2, f_3\}$;
(2.5.24) continue traversing the algebraic normal form; if the traversal is not complete, go to (2.2); otherwise go to (2.8);
(2.6) XOR the constant term 1 into the component function $f_1$;
(2.7) continue traversing the algebraic normal form; if the traversal is not complete, go to (2.2); otherwise go to (2.8);
(2.8) output the masking scheme $\{f_0, f_1, f_2, f_3\}$, where the specific result for each function is as follows:
the uniformity detection of the masking scheme in the step (3) is specifically implemented as follows:
(3.1) traversing each argument in the masking scheme assuming the arguments are a, b, c, d, respectively, and assuming the masking component hypotheses for the arguments are { a, respectively 0 ,a 1 ,a 2 ,a 3 },{b 0 ,b 1 ,b 2 ,b 3 },{c 0 ,c 1 ,c 2 ,c 3 },{d 0 ,d 1 ,d 2 ,d 3 };
(3.2) traversing each mask component of the argument;
(3.3) separate statistical masking scheme f 0 ,f 1 ,f 2 ,f 3 The number of occurrences of 0 and 1, respectively, during traversal;
(3.4) if masking scheme f 0 ,f 1 ,f 2 ,f 3 The number of 0 s and the number of 1 s counted in the traversal process are equal, the output masking scheme is uniform, otherwise the output masking scheme is non-uniform.
The optimization of the hardware implementation of the masking scheme in step (4) is specifically implemented as follows:
(4.1) for the expressions of the constructed masking scheme $\{f_0, f_1, f_2, f_3\}$, set one counter for each distinct item (factor) appearing in the expressions, with initial value 0;
(4.2) traverse the items of the masking scheme $\{f_0, f_1, f_2, f_3\}$;
(4.3) whenever an item appears again, add 1 to its counter;
(4.4) after all items have been traversed, if the counter values differ, go to step (4.5); if all counter values are equal and 0, go to step (4.7);
(4.5) extract the item with the highest counter value as a common factor and rearrange the terms of the masking scheme $\{f_0, f_1, f_2, f_3\}$ by factoring (the associative law of multiplication), so as to reduce the AND and XOR operations in the masking scheme;
(4.6) reset the counters of the expression to 0 and go to step (4.2);
(4.7) output the masking scheme $\{f_0, f_1, f_2, f_3\}$ after factor extraction, which is the result of the hardware optimization.
The method can automatically construct a threshold masking scheme for a block cipher to resist side-channel attacks; the first-order threshold masking scheme is generated quickly, and whether the scheme satisfies the relevant properties of a threshold mask is detected automatically; random numbers are used only when the variables are split into shares, and no additional random numbers are introduced in the other masking steps; the method is universal and is suitable for the mask protection of the cipher S-box of any 4-bit block cipher.

Claims (4)

1. A 4-bit cipher S-box automated threshold masking method, comprising the following steps:
(1) calculating the algebraic normal form;
taking the truth table of a 4-bit cipher S-box as input and calculating the algebraic normal form (ANF) of the S-box;
(2) constructing a first-order threshold masking scheme;
taking the ANF of the cipher S-box as input, designing constant-term processing and 3 algorithms, constructing the constituent subsets of the threshold masking scheme from the polynomial of the ANF, and generating a first-order threshold masking scheme that satisfies correctness and non-completeness;
the 3 algorithms are a cubic-term algorithm, a quadratic-term algorithm and a linear-term algorithm;
(3) detecting the uniformity of the masking scheme;
taking the generated first-order threshold masking scheme as input and detecting whether, when the input masking is uniform, every output mask appears with equal probability;
(4) optimizing the hardware implementation of the masking scheme;
mainly optimizing the quadratic-term algorithm and the cubic-term algorithm: analysing the use of AND and XOR gates in the hardware implementation of the masking scheme and reducing the number of gates as far as possible without affecting the security of the scheme, so as to reduce the hardware area;
the construction of the first-order threshold masking scheme in step (2) specifically comprises the following steps:
(2.1) first set up 4 component functions f_0, f_1, f_2, f_3, of which the masking scheme is composed; each component function is built by XORing newly added elements with its existing elements, and initially every component function is empty;
(2.2) traverse each term of the algebraic normal form: if the term is a linear term, go to step (2.3); if it is a quadratic term, go to step (2.4); if it is a cubic term, go to step (2.5); if it is the constant term, go to step (2.6);
(2.3) according to the correctness requirement of the threshold implementation, split the argument of the linear term: the argument x of the linear-term expression is split into 4 shares, i.e. x = x_0 ⊕ x_1 ⊕ x_2 ⊕ x_3, by first generating x_0, x_1, x_2 at random and then computing x_3 = x_0 ⊕ x_1 ⊕ x_2 ⊕ x; from the 4-sharing, obtain the linear-term mask component set {x_i}, i ∈ {0, 1, 2, 3}; according to the first-order non-completeness requirement of the threshold implementation, execute the linear-term algorithm to select and combine the elements of the mask component set;
(2.4) according to the correctness requirement of the threshold implementation, split the arguments of the quadratic term: the arguments m and y of the quadratic-term expression are each split into 4 shares, i.e. m = m_0 ⊕ m_1 ⊕ m_2 ⊕ m_3 and y = y_0 ⊕ y_1 ⊕ y_2 ⊕ y_3, by first generating m_0, m_1, m_2 and y_0, y_1, y_2 at random and then computing m_3 = m_0 ⊕ m_1 ⊕ m_2 ⊕ m and y_3 = y_0 ⊕ y_1 ⊕ y_2 ⊕ y; from the 4-sharings, obtain the quadratic-term mask component set {m_i y_j}, i, j ∈ {0, 1, 2, 3}; according to the first-order non-completeness requirement of the threshold implementation, execute the quadratic-term algorithm to select and combine the elements of the set;
(2.5) according to the correctness requirement of the threshold implementation, split the arguments of the cubic term: the arguments s, t and z of the cubic-term expression are each split into 4 shares, i.e. s = s_0 ⊕ s_1 ⊕ s_2 ⊕ s_3, t = t_0 ⊕ t_1 ⊕ t_2 ⊕ t_3 and z = z_0 ⊕ z_1 ⊕ z_2 ⊕ z_3, by first generating s_0, s_1, s_2, t_0, t_1, t_2 and z_0, z_1, z_2 at random and then computing s_3 = s_0 ⊕ s_1 ⊕ s_2 ⊕ s, t_3 = t_0 ⊕ t_1 ⊕ t_2 ⊕ t and z_3 = z_0 ⊕ z_1 ⊕ z_2 ⊕ z; from the 4-sharings, obtain the cubic-term mask component set {s_i t_j z_k}, i, j, k ∈ {0, 1, 2, 3}; according to the first-order non-completeness requirement of the threshold implementation, execute the cubic-term algorithm to select and combine the elements of the set;
(2.6) XOR the constant term 1 into the first component function f_1;
(2.7) continue traversing the algebraic normal form; if the traversal is not finished, go to (2.2); otherwise go to (2.8);
(2.8) output the masking scheme {f_0, f_1, f_2, f_3};
the linear-term algorithm in step (2.3) specifically comprises the following steps:
(2.3.1) initialize: let i = 0;
(2.3.2) traverse the linear-term mask component set {x_i};
(2.3.3) place the component x_i with index i into the component function f_{(i+1) mod 4};
(2.3.4) let i = i + 1; if i ≤ 3, go to (2.3.2); otherwise go to (2.3.5);
(2.3.5) output the linear-term masking scheme subset {f_0, f_1, f_2, f_3};
(2.3.6) continue traversing the algebraic normal form; if the traversal is not finished, go to (2.2); otherwise go to (2.8);
the quadratic-term algorithm in step (2.4) specifically comprises the following steps:
(2.4.1) initialize: let i = 0, j = 0;
(2.4.2) traverse the quadratic-term mask component set {m_i y_j}: if i == j, go to step (2.4.3); if |i − j| mod 2 == 1, go to step (2.4.4); otherwise go to step (2.4.7);
(2.4.3) place the mask component m_i y_j into the component function f_{(i+1) mod 4}; go to step (2.4.8);
(2.4.4) if max(i, j) == 3 && (i·j == 0), go to step (2.4.5); otherwise go to step (2.4.6);
(2.4.5) place the mask component m_i y_j into the component function f_1; go to step (2.4.8);
(2.4.6) place the mask component m_i y_j into the component function f_{(max(i, j)+1) mod 4}; go to step (2.4.8);
(2.4.7) place the mask component m_i y_j into the component function f_{(i+1) mod 4}; go to step (2.4.8);
(2.4.8) let i = i + 1; if i ≤ 3, go to (2.4.2); otherwise let i = 0 and go to (2.4.9);
(2.4.9) let j = j + 1; if j ≤ 3, go to (2.4.2); otherwise go to (2.4.10);
(2.4.10) output the masking scheme subset {f_0, f_1, f_2, f_3};
(2.4.11) continue traversing the algebraic normal form; if the traversal is not finished, go to (2.2); otherwise go to (2.8);
the cubic-term algorithm in step (2.5) specifically comprises the following steps:
(2.5.1) initialize: let i = 0, j = 0, k = 0;
(2.5.2) traverse the cubic-term mask component set {s_i t_j z_k}: if i == j == k, go to step (2.5.3); if (i != j) && (j != k) && (i != k), go to step (2.5.4); if (i == j) && (i != k), go to step (2.5.5); if (i == k) && (i != j), go to step (2.5.10); if (j == k) && (i != k), go to step (2.5.15);
(2.5.3) place the mask component s_i t_j z_k into the component function f_{(i+1) mod 4}; go to step (2.5.20);
(2.5.4) place the mask component s_i t_j z_k into the component function f_{6−i−j−k}; go to step (2.5.20);
(2.5.5) if |k − i| mod 2 == 1, go to (2.5.6); otherwise go to step (2.5.9);
(2.5.6) if max(i, k) == 3 && (i·k == 0), go to (2.5.7); otherwise go to step (2.5.8);
(2.5.7) place the mask component s_i t_j z_k into the component function f_1; go to step (2.5.20);
(2.5.8) place the mask component s_i t_j z_k into the component function f_{(max(i, k)+1) mod 4}; go to step (2.5.20);
(2.5.9) place the mask component s_i t_j z_k into the component function f_{(i+1) mod 4}; go to step (2.5.20);
(2.5.10) if |j − i| mod 2 == 1, go to (2.5.11); otherwise go to step (2.5.14);
(2.5.11) if max(i, j) == 3 && (i·j == 0), go to step (2.5.12); otherwise go to step (2.5.13);
(2.5.12) place the mask component s_i t_j z_k into the component function f_1; go to step (2.5.20);
(2.5.13) place the mask component s_i t_j z_k into the component function f_{(max(i, j)+1) mod 4}; go to step (2.5.20);
(2.5.14) place the mask component s_i t_j z_k into the component function f_{(i+1) mod 4}; go to step (2.5.20);
(2.5.15) if |k − i| mod 2 == 1, go to (2.5.16); otherwise go to step (2.5.19);
(2.5.16) if max(i, k) == 3 && (i·k == 0), go to (2.5.17); otherwise go to step (2.5.18);
(2.5.17) place the mask component s_i t_j z_k into the component function f_1; go to step (2.5.20);
(2.5.18) place the mask component s_i t_j z_k into the component function f_{(max(i, k)+1) mod 4}; go to step (2.5.20);
(2.5.19) place the mask component s_i t_j z_k into the component function f_{(i+1) mod 4}; go to step (2.5.20);
(2.5.20) let i = i + 1; if i ≤ 3, go to (2.5.2); otherwise let i = 0 and go to (2.5.21);
(2.5.21) let j = j + 1; if j ≤ 3, go to (2.5.2); otherwise let i = j = 0 and go to (2.5.22);
(2.5.22) let k = k + 1; if k ≤ 3, go to (2.5.2); otherwise go to (2.5.23);
(2.5.23) output the masking scheme subset {f_0, f_1, f_2, f_3};
(2.5.24) continue traversing the algebraic normal form; if the traversal is not finished, go to (2.2); otherwise go to (2.8).
2. The 4-bit cipher S-box automated threshold masking method of claim 1, wherein the calculation of the algebraic normal form in step (1) specifically comprises the following steps:
(1.1) input the truth table of the 4-bit S-box and compute the binary representation of each output bit of the S-box;
(1.2) from the binary representation, compute the Boolean function of each output bit of the S-box and express it in algebraic normal form, obtaining the ANF of the S-box.
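As an added worked example (not code from the patent or its applicant), the following Python carries out steps (1.1) and (1.2) of claim 2: it takes a 16-entry truth table, extracts the truth table of each output bit, and obtains the ANF of that bit by a Möbius transform. The sample input is the PRESENT S-box, chosen only as a realistic 4-bit table; the helper names are this example's own.

```python
# Added example (not the patent's code): ANF of every output bit of a 4-bit
# S-box from its truth table, i.e. steps (1.1)-(1.2) of claim 2.
# The table is the PRESENT S-box, used here only as a realistic sample input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4  # S-box width in bits; input bit b of x is (x >> b) & 1


def output_bit_truth_table(sbox, bit):
    """Step (1.1): truth table (binary representation) of one output bit,
    indexed by the 4-bit input value."""
    return [(sbox[x] >> bit) & 1 for x in range(1 << N)]


def anf_from_truth_table(tt):
    """Step (1.2): Moebius transform of a truth table of length 2^n.
    Returns the set of monomials with coefficient 1; a monomial is the
    frozenset of input-bit indices it multiplies (frozenset() is the
    constant term 1)."""
    n = len(tt).bit_length() - 1
    coeffs = list(tt)
    for i in range(n):                      # butterfly over each variable
        step = 1 << i
        for x in range(len(coeffs)):
            if x & step:
                coeffs[x] ^= coeffs[x ^ step]
    return {frozenset(b for b in range(n) if (u >> b) & 1)
            for u in range(len(coeffs)) if coeffs[u]}


def eval_anf(anf, x):
    """Evaluate an ANF at input x: XOR of the monomials whose variables are all 1."""
    return sum(all((x >> b) & 1 for b in mono) for mono in anf) & 1


def sbox_anf(sbox):
    """ANF of each output bit, indexed by output bit."""
    return [anf_from_truth_table(output_bit_truth_table(sbox, b)) for b in range(N)]


def algebraic_degree(anf):
    return max((len(m) for m in anf), default=0)


def anf_to_str(anf, names="abcd"):
    """Readable form such as '1 ⊕ a ⊕ bc', lowest degree first."""
    terms = sorted(anf, key=lambda m: (len(m), sorted(m)))
    return " ⊕ ".join("".join(names[b] for b in sorted(m)) or "1" for m in terms) or "0"


if __name__ == "__main__":
    for bit, anf in enumerate(sbox_anf(PRESENT_SBOX)):
        print(f"S[{bit}] = {anf_to_str(anf)}  (degree {algebraic_degree(anf)})")
```

Running the block prints one ANF per output bit. For any 4-bit permutation the degree is at most 3, because each output bit is balanced and so the top monomial abcd never appears; a direct first-order threshold implementation of a degree-3 term needs at least four shares, which is why step (2) of claim 1 works with 4-sharings.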
3. The 4-bit cipher S-box automated threshold masking method of claim 1, wherein the uniformity detection of the masking scheme in step (3) specifically comprises the following steps:
(3.1) traverse each argument of the masking scheme; suppose the arguments are a, b, c and d and that their mask components are {a_0, a_1, a_2, a_3}, {b_0, b_1, b_2, b_3}, {c_0, c_1, c_2, c_3} and {d_0, d_1, d_2, d_3} respectively;
(3.2) traverse each mask component of the arguments;
(3.3) for each of the component functions f_0, f_1, f_2, f_3 of the masking scheme separately, count the number of occurrences of 0 and of 1 during the traversal;
(3.4) if, for each of the component functions f_0, f_1, f_2, f_3 of the masking scheme, the number of 0s and the number of 1s counted during the traversal are equal, output that the masking scheme is uniform; otherwise output that it is non-uniform.
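The following added Python example (not the patent's own code) implements the placement rules of claim 1, steps (2.1) to (2.8), including the linear-, quadratic- and cubic-term algorithms, and then checks the four resulting component functions for correctness and first-order non-completeness; it also performs the 0/1 count of steps (3.1) to (3.4) of claim 3 and, as an addition that goes beyond the page, the standard threshold-implementation uniformity test that compares the frequency of every output sharing. The input ANFs F_SAMPLE and G_SAMPLE are constructed three-variable samples, and every function name is this example's own; three variables give 12 share bits, so the exhaustive checks stay small.

```python
# Added example (not the patent's code): 4-share first-order threshold sharing
# with the placement rules of claim 1, plus the checks of claim 3.
from itertools import product

SHARES = 4
# Constructed sample ANFs over variables a, b, c: a monomial is a tuple of
# variable names and () is the constant term 1 (this example's own input).
F_SAMPLE = [(), ("a",), ("b", "c"), ("a", "b", "c")]  # 1 ⊕ a ⊕ bc ⊕ abc
G_SAMPLE = [("a",), ("b", "c")]                       # a ⊕ bc

def place_linear(i):
    """(2.3.3): share x_i goes to component f_((i+1) mod 4)."""
    return (i + 1) % SHARES

def place_pair(i, j):
    """(2.4.2)-(2.4.7): component receiving the product of share i and share j."""
    if i == j:
        return (i + 1) % SHARES
    if abs(i - j) % 2 == 1:
        return 1 if (max(i, j) == 3 and i * j == 0) else (max(i, j) + 1) % SHARES
    return (i + 1) % SHARES

def place_cubic(i, j, k):
    """(2.5.2)-(2.5.19): all-equal, all-distinct, or two-equal index cases."""
    if i == j == k:
        return (i + 1) % SHARES
    if i != j and j != k and i != k:
        return 6 - i - j - k
    return place_pair(i, k) if (i == j or j == k) else place_pair(i, j)

def share_anf(anf):
    """Steps (2.1)-(2.8): four component functions, each a list of shared
    monomials, a shared monomial being a frozenset of (variable, share) pairs."""
    f = [[] for _ in range(SHARES)]
    idx = range(SHARES)
    for mono in anf:
        if len(mono) == 0:                                        # (2.6)
            f[1].append(frozenset())
        elif len(mono) == 1:                                      # (2.3)
            for i in idx:
                f[place_linear(i)].append(frozenset({(mono[0], i)}))
        elif len(mono) == 2:                                      # (2.4)
            for i, j in product(idx, idx):
                f[place_pair(i, j)].append(frozenset({(mono[0], i), (mono[1], j)}))
        elif len(mono) == 3:                                      # (2.5)
            for i, j, k in product(idx, idx, idx):
                f[place_cubic(i, j, k)].append(
                    frozenset({(mono[0], i), (mono[1], j), (mono[2], k)}))
        else:
            raise ValueError("four shares cover terms of degree <= 3 only")
    return f

def eval_poly(monomials, bits):
    """XOR of AND-monomials; `bits` maps a variable or (variable, share) to 0/1."""
    return sum(all(bits[v] for v in m) for m in monomials) & 1

def all_sharings(variables):
    """Every 0/1 assignment to the 4 shares of each variable, together with the
    unshared value (XOR of its shares) each variable then takes."""
    keys = [(v, i) for v in variables for i in range(SHARES)]
    for values in product((0, 1), repeat=len(keys)):
        shares = dict(zip(keys, values))
        yield shares, {v: sum(shares[(v, i)] for i in range(SHARES)) & 1 for v in variables}

def is_correct(anf, f, variables):
    """Correctness: the XOR of the component outputs equals the unshared function."""
    return all((sum(eval_poly(c, s) for c in f) & 1) == eval_poly(anf, u)
               for s, u in all_sharings(variables))

def is_non_complete(f, variables):
    """First-order non-completeness: no component reads all 4 shares of a variable."""
    for comp in f:
        used = {v: {i for m in comp for (w, i) in m if w == v} for v in variables}
        if any(len(used[v]) == SHARES for v in variables):
            return False
    return True

def balance_counts(f, variables):
    """Claim 3, (3.1)-(3.4): per component, how often it outputs 0 and 1."""
    counts = [[0, 0] for _ in f]
    for s, _ in all_sharings(variables):
        for k, comp in enumerate(f):
            counts[k][eval_poly(comp, s)] += 1
    return counts

def is_uniform(f, variables):
    """Standard TI uniformity test (an addition, not the patent's check): for each
    unshared input every valid output sharing is hit by equally many input sharings."""
    hist = {}
    for s, u in all_sharings(variables):
        key = (tuple(u[v] for v in variables), tuple(eval_poly(c, s) for c in f))
        hist[key] = hist.get(key, 0) + 1
    expected = 2 ** ((SHARES - 1) * (len(variables) - 1))
    return all(n == expected for n in hist.values())
```

The placement rules always send a shared monomial with share indices i, j, k to a component whose index is not among them, so component f_k never reads share k of any variable; that is exactly first-order non-completeness, and `is_non_complete` confirms it. Correctness holds because every index combination is placed exactly once, which `is_correct` verifies exhaustively. The balance count of claim 3 tests each component on its own, whereas `is_uniform` tests the joint distribution of the four outputs; G_SAMPLE passes both, and for F_SAMPLE the block reports the outcome when run.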
4. The 4-bit cipher S-box automated threshold masking method of claim 1, wherein the optimization of the hardware implementation of the masking scheme in step (4) specifically comprises the following steps:
(4.1) for the expression of the constructed masking scheme {f_0, f_1, f_2, f_3}, set a separate counter for each distinct term of the expression, with initial value 0;
(4.2) traverse the terms of the masking scheme {f_0, f_1, f_2, f_3};
(4.3) if a term appears repeatedly, add 1 to its counter;
(4.4) after all terms have been traversed, if the counter values differ, go to step (4.5); if all counter values are equal and are 0, go to step (4.7);
(4.5) extract the term with the highest counter value as a common factor and rearrange the terms of the masking scheme {f_0, f_1, f_2, f_3} by the associative law of multiplication, so as to reduce the AND and XOR operations in the masking scheme;
(4.6) reset the counters of the expression to 0 and go to step (4.2);
(4.7) output the masking scheme {f_0, f_1, f_2, f_3} after factor extraction; this masking scheme is the result of the hardware optimization.
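As an added example (not from the patent), the Python below performs the counter-based factor extraction of claim 4, steps (4.1) to (4.7), on one component function and counts the AND and XOR gates before and after. The sample component F1_SAMPLE is the f_1 that the quadratic-term rule of claim 1 yields for a single product term m·y, written out here by hand; the expression-tree representation and all names are this example's own. Factoring is applied within a single component function, so the set of share signals the component reads is unchanged and its non-completeness is preserved; the block checks that invariant.

```python
# Added example (not the patent's code): factor extraction of claim 4 on one
# component function, with AND/XOR gate counts before and after.
from collections import Counter

# Constructed sample: f_1 = m0y0 ⊕ m0y3 ⊕ m3y0 ⊕ m0y2 as a list of AND-monomials.
F1_SAMPLE = [frozenset({"m0", "y0"}), frozenset({"m0", "y3"}),
             frozenset({"m3", "y0"}), frozenset({"m0", "y2"})]


def unfactored(terms):
    """Expression tree for the plain sum of products: ('xor', [('and', [...]), ...])."""
    return ("xor", [("and", sorted(m)) for m in terms])


def factor_once(terms):
    """(4.1)-(4.4): one counter per distinct share; return the share with the
    highest count if it repeats, the monomials containing it (share removed)
    and the remaining monomials; None when nothing repeats."""
    counts = Counter(v for m in terms for v in m)
    if not counts:
        return None
    best, n = counts.most_common(1)[0]
    if n < 2:
        return None
    inside = [m - {best} for m in terms if best in m]
    rest = [m for m in terms if best not in m]
    return best, inside, rest


def factor(terms):
    """(4.5)-(4.7): pull the most frequent share out as a common factor and
    repeat on both parts until no share repeats."""
    hit = factor_once(terms)
    if hit is None:
        return unfactored(terms)
    best, inside, rest = hit
    node = ("and", [best, factor(inside)])
    return ("xor", [node] + (factor(rest)[1] if rest else []))


def gates(node):
    """(AND gates, XOR gates) needed to implement an expression tree."""
    kind, children = node
    ands = xors = 0
    for c in children:
        if isinstance(c, tuple):
            a, x = gates(c)
            ands, xors = ands + a, xors + x
    if kind == "and":
        ands += max(len(children) - 1, 0)
    else:
        xors += max(len(children) - 1, 0)
    return ands, xors


def shares_read(node):
    """Share signals the expression reads; factoring must leave this set
    unchanged, otherwise non-completeness of the component would have to be re-checked."""
    kind, children = node
    out = set()
    for c in children:
        out |= {c} if isinstance(c, str) else shares_read(c)
    return out


def to_str(node):
    kind, children = node
    if kind == "and":
        return "".join(c if isinstance(c, str) else "(" + to_str(c) + ")"
                       for c in children) or "1"
    return " ⊕ ".join(to_str(c) for c in children) or "0"


def optimise(terms):
    """Run the pass; return (gates before, gates after, factored expression)."""
    before, after = unfactored(terms), factor(terms)
    assert shares_read(before) == shares_read(after)
    return gates(before), gates(after), to_str(after)
```

On the sample the pass turns 4 AND and 3 XOR gates into 2 AND and 3 XOR gates by writing f_1 as m0(y0 ⊕ y3 ⊕ y2) ⊕ m3y0; the XOR count does not drop, which matches the claim's focus on reducing the AND gates of the quadratic- and cubic-term algorithms.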
CN202111078036.8A 2021-09-15 2021-09-15 4-bit password S-box automatic threshold masking method Active CN113794549B (en)


Publications (2)

Publication Number Publication Date
CN113794549A CN113794549A (en) 2021-12-14
CN113794549B true CN113794549B (en) 2023-07-28

Family

ID=79183318





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20211214

Assignee: Guangxi Sujian Technology Co.,Ltd.

Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY

Contract record no.: X2023980046272

Denomination of invention: A 4-bit Cryptographic S-box Automated Threshold Mask Method

Granted publication date: 20230728

License type: Common License

Record date: 20231108

Application publication date: 20211214

Assignee: Guangxi Huanzhi Technology Co.,Ltd.

Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY

Contract record no.: X2023980046248

Denomination of invention: A 4-bit Cryptographic S-box Automated Threshold Mask Method

Granted publication date: 20230728

License type: Common License

Record date: 20231108