A Secure Structure of S-Box Against DPA Attack Based on Random Complement


Authors: HU Xiao-ting (胡晓婷)[1], DAI Ze-long (戴泽龙), QIN Zhong-ping (覃中平)[2], GONG Gu (巩固)[1]

Affiliations: [1] School of Computer Science and Technology, Jiangsu Normal University, Xuzhou 221000, Jiangsu, China; [2] School of Software, Huazhong University of Science and Technology, Wuhan 430070, Hubei, China

Source: Computer Technology and Development (《计算机技术与发展》), 2024, No. 11, pp. 109-116 (8 pages)

Funding: Jiangsu Normal University Doctoral Fund Project (20XSRX014).

Abstract: Differential power analysis (DPA) is an important side-channel attack method and, because of its high success rate, has become one of the main threats to encryption algorithms. In block ciphers such as the Advanced Encryption Standard (AES) and the Chinese commercial cipher SM4, the S-box is the only non-linear operation and largely determines the security of the cipher. S-boxes are mainly implemented in one of three ways: look-up table, combinational logic, or the composite field method. The composite field method decomposes the inversion over GF(2^8) in the S-box into operations over lower-order fields, which gives its hardware implementation advantages such as high performance and low area. This paper proposes a composite field S-box secure structure against DPA attack based on random complement and, on that basis, designs two AES security structures against DPA attacks: one based on random complement (RC-AES), and the other based on random complement combined with first-order masking (RC-M-AES). Experiments show that, compared with the masking-protected AES implementations in the known literature, the RC-AES structure effectively resists DPA attacks with only a small increase in area overhead, which is a significant area advantage. The RC-M-AES structure, at a small area overhead, yields a cryptographic chip structure that is more secure than one based on masking alone. In addition, the proposed S-box secure structure is not specific to AES: it applies to any encryption algorithm that uses a substitution function as its only non-linear operation, so it has good generality.

Keywords: composite field; S-box; random complement; resistance to DPA attack; secure structure; Advanced Encryption Standard

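Classification: TP309.2 [Automation and Computer Technology - Computer System Architecture]; TN918.4 [Automation and Computer Technology - Computer Science and Technology]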

 
