At present, research in practical cryptography proceeds substantially in two directions: public-key encryption, represented by Rivest-Shamir-Adleman (RSA), and secret-key block cipher encryption, represented by the Data Encryption Standard (DES). Block cipher algorithms are characterized by high speed, ease of standardization and convenient implementation in hardware and software; they usually serve as the core cryptographic primitive for data encryption, message authentication, identity authentication and key management in information and network security, and are widely applied in computer communication and information system security. Commonly used block ciphers include DES, the Advanced Encryption Standard (AES, Rijndael), the Chinese national commercial cryptography standard SMS4 (now SM4), the Korean standard ARIA, etc.
The general design of block ciphers follows the confusion and diffusion principles proposed by Shannon. Most block ciphers satisfy confusion by a non-linear S-box substitution operation and diffusion by linear operations. Taking AES (Rijndael) as an example, its encryption process consists of multiple rounds of S-box substitution (SubBytes), row shifting (ShiftRows), column mixing (MixColumns) and round key addition (AddRoundKey). Its decryption process consists of multiple rounds of the inverse operations together with the round key XOR; the inverse operations are the inverse S-box substitution (InvSubBytes), inverse row shifting (InvShiftRows) and inverse column mixing (InvMixColumns). AES is characterized by short key setup time, strong sensitivity to changes in its inputs and strong resistance to attack, and is widely applied in point-of-sale (POS) terminals, smart cards, computer networks and storage systems.
A side channel attack weakens or breaks a cryptographic system by collecting and analysing information that leaks from its physical implementation. The information that can be collected includes timing, power consumption, electromagnetic radiation and the like. Compared with traditional mathematical cryptanalysis (such as algebraic attacks), side channel attacks are more efficient against block cipher implementations. Differential Power Analysis (DPA) is one of the most effective side channel attacks on smart card cryptographic devices. A DPA attack exploits the dependency of the device's power consumption on the data it processes: it collects a large number of power traces, analyses the power consumption of the device at a fixed point in time, and models that consumption as a function of the processed data. A first-order DPA attack predicts a single intermediate value and uses that prediction in the attack. A higher-order DPA attack exploits a joint leakage based on several intermediate values present in the device. A higher-order attack that succeeds by exploiting the joint leakage of two intermediate values related to the same mask is referred to as a second-order DPA attack.
An effective countermeasure against power analysis is masking. The goal of any countermeasure is to eliminate or hide the correlation between the power consumption of the cryptographic device and both the operations it performs and the data (intermediate values) it processes. Masking achieves this goal by randomizing the intermediate values processed by the device. Its core mechanism is that a random mask (in a digital circuit, generally a random number of the same length as the operand, combined with it by XOR ⊕) is added to the data before the operation and removed after the operation completes. In this way the power consumption generated during the operation is related to the masked operand and is statistically independent of the original operand.
Mask protection is very easy to implement in digital circuits. In a linear operation, a mask can be added or removed by a simple XOR, and the result of the operation with masking, once unmasked, is identical to the result without masking. In block ciphers, mask protection is therefore widely used in the linear steps, such as row shifting (ShiftRows), column mixing (MixColumns) and the round key XOR (AddRoundKey). For the non-linear S-box substitution, an implementation different from that of the linear operations is necessary to achieve a masked S-box substitution.
Existing S-boxes are generally implemented either as lookup tables or by finite field computation. A lookup-table S-box may be masked as follows: keep the input-output mapping of the S-box unchanged and XOR the output of the S-box with a fixed random value to obtain a masked output; or offset the input by a fixed address and XOR the output with the fixed random number. Such masked S-box implementations are relatively simple but weak in security: because the output masks of any two S-box results are identical, an attacker can eliminate the mask by XORing two sampled S-box results.
An S-box implemented by finite field computation internally consists of a series of addition and multiplication operations, so a masked S-box of this type must provide masking for both addition and multiplication. However, a masked S-box built on finite field operations suffers a dramatic increase in critical path length and implementation area. The article "A Masked AES ASIC Implementation" pointed out that the area of a composite-field arithmetic masked S-box increases by a factor of 2 to 3, and its speed decreases by 1/3 to 1/2, compared with the corresponding unmasked S-box. Most critically, the composite-field arithmetic masked S-box is ineffective when the intermediate value is zero, which follows from the main drawback of multiplicative masking (a zero operand stays zero whatever the mask). This drawback is widely exploited in (first-order) DPA attacks against such S-boxes.
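The three behaviours described in the preceding paragraphs (a mask passes through the linear layers but not through the S-box, a fixed output mask on a table S-box cancels when two outputs are XORed, and a multiplicative mask on the field inversion fails for a zero intermediate value), as an added Python example that is not part of this document. The GF(2^8), S-box and MixColumns helpers are recomputed from the AES definition; the sample bytes and masks are constructed values.

```python
# Added example: mask behaviour in AES's linear and non-linear steps.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) as a^254; AES maps 0 to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def sbox(x):
    """AES SubBytes: field inversion followed by the affine transform."""
    y = gf_inv(x)
    out = y
    for _ in range(4):
        y = ((y << 1) | (y >> 7)) & 0xFF  # rotate left by one bit
        out ^= y
    return out ^ 0x63


def mix_column(col):
    """AES MixColumns on one 4-byte column given as a list of ints."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


def xor_cols(a, b):
    return [x ^ y for x, y in zip(a, b)]


def linear_layer_keeps_mask(col, mask):
    """MixColumns(col ^ m) ^ MixColumns(m) == MixColumns(col): the mask is
    removed after the linear layer by applying the layer to the mask alone."""
    masked_out = mix_column(xor_cols(col, mask))
    return xor_cols(masked_out, mix_column(mask)) == mix_column(col)


def sbox_breaks_mask(x, mask):
    """The same trick fails for SubBytes: S(x ^ m) ^ S(m) != S(x) in general."""
    return (sbox(x ^ mask) ^ sbox(mask)) != sbox(x)


def fixed_output_mask_leak(a, b, r):
    """Table S-box with a fixed output mask r, S'(x) = S(x) ^ r: XORing two
    observed outputs cancels r and leaves S(a) ^ S(b) with no mask at all."""
    return ((sbox(a) ^ r) ^ (sbox(b) ^ r)) == (sbox(a) ^ sbox(b))


def multiplicative_masked_inv(x, m):
    """Inversion under a multiplicative mask m != 0: inv(x*m) = inv(x)*inv(m),
    so multiplying by m afterwards restores inv(x). Returns (x*m, inv(x))."""
    xm = gf_mul(x, m)
    return xm, gf_mul(gf_inv(xm), m)


def masked_values(x):
    """Set of masked inputs x*m over all nonzero masks m. For x == 0 the set
    is {0} whatever the mask, so the masked intermediate reveals x == 0."""
    return {gf_mul(x, m) for m in range(1, 256)}


if __name__ == "__main__":
    print(linear_layer_keeps_mask([0xDB, 0x13, 0x53, 0x45], [0xA5, 0x5A, 0x0F, 0xF0]))
    print(sbox_breaks_mask(0x01, 0x01), fixed_output_mask_leak(0x53, 0x01, 0xA5))
    print(multiplicative_masked_inv(0x53, 0x07), masked_values(0x00))
```

The zero-value leak is what the paragraph above calls the main drawback of multiplicative masking: `masked_values(0)` collapses to a single value while every nonzero byte spreads over all 255 nonzero field elements, so a first-order attacker who can distinguish "masked operand is zero" learns the unmasked intermediate directly.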
The paper "Thwarting Higher-Order Side Channel Analysis with Additive and Multiplicative Masking" proposed a method that uses a secure Dirac function to achieve conversions between additive and multiplicative masking that resist higher-order DPA, and implements masked S-boxes with it. The secure conversion between addition and multiplication in that paper requires the following steps: mapping from the composite field (GF(2^n))^m, which contains the 0 element, to (GF(2^n)*)^m, which does not; conversion from additive (modular addition) masking to multiplicative (modular multiplication) masking; the power function operation; conversion from multiplicative masking back to additive masking; and mapping from (GF(2^n)*)^m back to (GF(2^n))^m, etc. The method's resistance to higher-order DPA of any order is provable. However, as the required order of DPA resistance increases, the circuit complexity, area overhead, critical path and power consumption needed to implement the method rise sharply, and its implementation becomes dramatically more difficult.