In order to prevent side channel attack, a method of masking random value is usually used. According to the method of masking random value, a plain text to be encrypted is masked by perform XOR operation with an arbitrary random value at the beginning of an encryption process, and after finishing the encryption process, a cipher, which is a result of the encryption process, is unmasked by perform XOR operation again with the arbitrary random value.
Meanwhile, a symmetric encryption algorithm uses an addition operation such as SEED. Such addition operation unit is constructed by combination of carry save adders, as shown in FIG. 1.
As shown in FIG. 1, conventional addition operation unit calculates a sum bit sumi by performing XOR operation between two inputs ‘ai’ and ‘bi’, and previous carry input cai-1, and performing AND operation between two inputs ‘ai’ and ‘bi’, and the previous carry input cai-1. Then, the conventional addition operation unit performs XOR operation to the result of the AND operation above, and then outputs a carry cai.
An addition operation unit of N bits can be constructed by connecting carries of the above explained addition operation unit.
However, such addition operation unit may be vulnerable to a side channel attack since the operation is performed with two inputs ‘ai’ and ‘bi’ exposed. Moreover, such addition operation unit has a difficulty in processing a masked data input in an encryption algorithm. To solve this, general addition operation units calculate a masked random valued before input not with XOR operation but with addition operation. However, when using the addition operation, it causes a lot of additional operation, increase of hardware area, and performance degradation. Moreover, it has to add XOR masking operation after performing a masking addition operation.
Due to above mentioned drawbacks, a masked value is changed due to the addition operation in the symmetric encryption algorithm using the addition operation. Accordingly, it is hard to unmask the masked value. In this algorithm, a XOR masking operation needs to be converted to a masking addition operation before the addition operation, and, after the addition operation, the converted operation needs to be re-converted. Such converting operation requires too complex algorithm that increase complexity of hardware and decreases efficiency of operation.