The present invention relates to cipher systems and, more particularly, to advanced encryption standard (AES) hardware devices.
With advances in information technology, increasing attention has been directed to protection of information, which has, in turn, increased the importance of ciphers. In addition, with advances in technology, the lengths of cipher keys are getting longer as one approach to increasing security of high-level security processing systems. However, as processing systems become smaller and lighter, the ability to lengthen cipher keys is generally limited by the memory capacity and/or processing capabilities of the systems.
A data encryption standard (DES) had been used as a general cipher standard and, for security reasons, an advanced encryption standard (AES) has subsequently been adopted as a new block cipher algorithm standard. As such, it is expected that the DES used in many applications will be replaced by the AES. Also, in some applications, it may be desirable to implement the AES in hardware as well as in software. Where the AES is implemented in hardware, adequate hardware should be provided for protecting the AES from various attacks.
One of the methods used to attack a cipher system is a power analysis attack, in which an attacker learns cipher information about the cipher system by analyzing its power characteristics while it operates. A power analysis attack generally presumes that the bits of plain data, i.e., unencrypted data, are distributed between two values, logic high (“1”) and logic low (“0”), and that each value draws a characteristic amount of power. The power curve of the operation is then analyzed to recover the data before encryption.
There are a variety of ways to defend against a power analysis attack. One of them is a masking method. In the masking method, original data is generally not processed alone. Instead, the original data may be combined with a predetermined number and then processed. For example, a cipher system using the masking method may combine original data with random data before performing an encryption or decryption operation. After the encryption or decryption operation, the random data is separated from processed data, thereby producing a cipher text or a plain text.
When the masking method is used, it is generally difficult to guess or estimate the original data, as a combination of the original data and random data, rather than the original data alone, is processed during encryption or decryption operations.
To provide a potentially highly efficient system secure against a power analysis attack, random data may thus be used for encryption or decryption operations. In addition, the encryption or decryption of the random data may be performed repeatedly using a round method, and a value of the random data may be updated every round. Conventional countermeasures against various attacks are discussed in the papers “An Implementation of DES and AES, Secure against Some Attacks,” CHES '01 by M. Akkar, C. Giraud and “Simplified Adaptive Multiplicative Masking for AES,” CHES '02 by E. Trichina, D. De Seta, and L. Germani.
FIG. 1A is a block diagram of a cipher system module not using a masking method. FIG. 1B is a block diagram of a cipher system module using a masking method. Note that, as used herein, ⊕ denotes an XOR gate.
Referring now to FIG. 1A, the module 110, which performs a predetermined processing operation without using a masking method, receives original data “a,” processes the original data “a” according to a function (f) provided by an operation block 111 included in the module 110, and generates an output f(a), which is a function of the original data “a.” As described above, as the module 110 does not use a masking method, it may be possible to guess/estimate/predict the original data “a” by analyzing a power curve of the operation block 111.
As shown in FIG. 1B, a module 120, using a masking method, processes data as defined by the following equations:

a′=a⊕r  (1)

f(a′)=f(a⊕r)=b′  (2)

f(r)=s,  (3)

where “a” and “r” indicate original data and random data, respectively, and r is generated by a random data generator (not shown).
In the case of a linear function, ƒ(a⊕r)=ƒ(a)⊕ƒ(r). Therefore, a final value output from an XOR 124 performing an XOR operation may be expressed as:
b′⊕s = ƒ(a′)⊕ƒ(r)
     = ƒ(a⊕r)⊕ƒ(r)
     = ƒ(a)⊕ƒ(r)⊕ƒ(r)
     = ƒ(a)  (4)

For the case of a linear function, ƒ(a⊕r)=ƒ(a)⊕ƒ(r). Therefore, b′⊕s=ƒ(a), as illustrated in Equation 4.
Both the module 110 of FIG. 1A and the module 120 of FIG. 1B produce the same result value f(a), but they may have quite different effectiveness against power analysis attacks. When the masking method is not used, as illustrated in FIG. 1A, attackers may be able to easily extract the original data “a” through power analysis attacks. However, when the masking method is used, as illustrated in FIG. 1B, it may be difficult or practically impossible to extract the original data “a,” as the power curve analyzed by the attackers depends on a⊕r and on r, not solely on the original data “a.”
However, when f is a non-linear function, ƒ(a⊕r)≠ƒ(a)⊕ƒ(r). As a result, a different method is generally needed to satisfy Equation 4.
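The following is an added worked example, not part of the patent text, that exercises Equations 1 through 4 exhaustively over all 256 data bytes and 256 mask bytes: once with a linear AES building block (xtime, the multiply-by-two step of MixColumns), where unmasking always recovers f(a), and once with the non-linear AES S-box, computed here from its GF(2^8) definition, where it does not. All function names are the example's own.

```python
# Added example (not from the patent): Boolean masking per Equations 1-4,
# applied to a linear AES step (xtime) and to the non-linear AES S-box.

def gf_mul(x, y):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if y & 1:
            p ^= x
        carry = x & 0x80
        x = (x << 1) & 0xFF
        if carry:
            x ^= 0x1B
        y >>= 1
    return p

def gf_inv(x):
    """Multiplicative inverse in GF(2^8) as x^254; yields 0 for x = 0 (AES convention)."""
    result, base, e = 1, x, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def aes_sbox(a):
    """SubBytes on one byte: GF(2^8) inverse followed by the AES affine map."""
    v = gf_inv(a)
    return v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3) ^ rotl8(v, 4) ^ 0x63

SBOX = [aes_sbox(a) for a in range(256)]   # table, so the exhaustive check is fast

def xtime(a):
    """MixColumns multiply-by-2; linear over GF(2): xtime(a ^ r) == xtime(a) ^ xtime(r)."""
    return gf_mul(a, 2)

def masked_eval(f, a, r):
    """Module 120 of FIG. 1B: mask (Eq. 1), process both shares (Eqs. 2, 3), XOR 124."""
    a_masked = a ^ r            # Eq. (1): a' = a XOR r
    b_masked = f(a_masked)      # Eq. (2): b' = f(a')
    s = f(r)                    # Eq. (3): s = f(r)
    return b_masked ^ s         # XOR 124 output; equals f(a) only when Eq. (4) holds

def masking_failures(f):
    """All (a, r) pairs for which unmasking does not recover f(a); empty iff Eq. (4) holds."""
    return [(a, r) for a in range(256) for r in range(256)
            if masked_eval(f, a, r) != f(a)]

if __name__ == "__main__":
    print("xtime (linear)     failures:", len(masking_failures(xtime)))
    print("S-box (non-linear) failures:", len(masking_failures(SBOX.__getitem__)))
```

The S-box already fails at a = 0, r = 0, because the affine constant 0x63 enters the masked path twice and cancels, which is exactly why a different method is needed for the non-linear SubBytes step.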