1. Field of the Invention
The present invention relates to a masking method of defending a differential power analysis attack in a SEED encryption, and more particularly, to a method of improving an operation speed and memory efficiency at the time of a masking operation for defending a differential power analysis attack in a SEED encryption algorithm.
2. Discussion of Related Art
Unlike a differential cryptanalysis or a linear cryptanalysis, which are mathematical analysis methods, a side channel analysis attack introduced by Paul C. Kocher in 1996 uses side channel information generated in an encryption device in which an encryption algorithm is implemented. The side channel analysis attack is a large threat to equipments in which an encryption algorithm is implemented, and thus smart card application products perform a security test for the side channel analysis attack.
The side channel analysis attack uses extra information such as time in which an algorithm is performed, power consumption, or electromagnetic emission. A power analysis attack which uses power consumption is known as one of the most powerful side channel analysis attacks.
In the power analysis attack, when an encryption algorithm operates, a characteristic of power consumption measured in an encryption module at a point in time in which data related to a secret key is processed is analyzed to reveal a secret key. The power analysis attack is divided into a simple power analysis attack (SPA) and a differential power analysis attack (DPA).
FIG. 1 is a view illustrating a general differential power analysis attack process.
Referring to FIG. 1, an attacker establishes an estimation model 120 using information which can be typically acquired for an encryption device which it desires to attack. After establishing the estimation model 120, an estimated key and a plain text are input to the estimation model 120 to compute an intermediate value of an encryption algorithm and determine estimation power consumption according to the intermediate value.
The same plain text as the plain text input to the estimation model 120 is input to an attack target encryption device 110, and power consumption expended in the encryption device 110 during an operation of an encryption algorithm is measured. The measured power consumption is analyzed together with the estimation power consumption. Through the analysis, the attacker can finally acquire a key which is secret information of the encryption device.
Various methods of defending the different power analysis attack have been researched up to now. A masking technique is usually used because it can be relatively easily applied to an encryption algorithm at low cost.
In the masking technique, an intermediate value generated during an operation of an encryption algorithm is randomized so that an attacker cannot know it, and correlation between power consumption estimated by an attacker through an estimation model and power consumption generated in an actual encryption device is removed. For example, an addition masking which is one of masking techniques replaces an intermediate value “a” generated at the time of encryption with a value “am=a⊕ma” which an attacker cannot know using “ma” which is randomly generated. Here, “ma” is referred to as a mask, and this value is a value which is independently uniformly distributed.
However, most masking techniques which have been researched are based on an advanced encryption standard (AES), and the SEED which was developed in Korea has a structure different from the AES. Therefore, there is a problem in that masking techniques of the AES which has been suggested so far cannot be applied to the SEED as is.
For the foregoing reason, there is a need for a masking technique suitable for a SEED encryption algorithm which is used in low memory and low-speed operation environments such as smart cards.