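Authors: Yang Ruihan; Wei Yongzhuang[1]; Li Lingchen (Guangxi Key Laboratory of Cryptography & Information Security, Guilin University of Electronic Technology, Guilin, Guangxi 541004, China)
Affiliation: [1] Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin, Guangxi 541004
Source: Application Research of Computers (《计算机应用研究》), 2022, No. 5, pp. 1546-1550, 1556 (6 pages)
Funding: National Natural Science Foundation of China (61872103, 62062026); Guangxi Innovation Research Team Project (2019GXNSFGA245004); Guangxi Youth Science Foundation (2020GXNSFBA297076); Guangxi Science and Technology Base and Talent Special Project (Guike AD20238082).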
Abstract: To effectively resist differential power attacks (DPA), cryptographic chips usually apply masking at the algorithm level. Existing threshold implementation (threshold masking) methods rely mainly on manual decomposition and derivation of the core cryptographic components and on manual configuration of the number of random bits. Their obvious drawbacks are that calculation and verification are complicated and cumbersome, and that the resulting masking schemes are often inefficient to implement. How to generate a masking scheme automatically without injecting additional randomness is currently a hot topic in the field. This paper proposes a new automated threshold masking method based on the minimum number of shares of the dependent functions. The method uses random numbers only when splitting the variables; no other masking step introduces additional randomness. Experimental results show that when the method is applied as first-order threshold masking to the lightweight cipher LBlock and to the 16 classes of optimal 4-bit S-boxes, the T-test peak is more than 10 times smaller than the peak without protection. Under differential power attacks on a practical platform, no key bit of LBlock can be recovered even with 1 million power traces, which confirms that the masking protection is effective. In addition, new first-order automated threshold masking schemes are given for the S-boxes used in the lightweight ciphers SKINNY, Midori, PRESENT, and PRINCE.
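Keywords: side-channel analysis; differential power attack; threshold masking; LBlock; automated masking
Classification: TP309 [Automation and Computer Technology - Computer System Architecture]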