The present invention relates to an encryption device, a decryption device, an encryption method, and an integrated circuit that are secured against attack methods for analyzing encryption keys embedded in encryption modules by measuring power consumption when performing encryption processing.
In recent years, various cryptanalysis methods have been formulated that recover encryption keys from side information produced while encryption modules implemented in hardware or software perform encryption processing. For instance, in an analysis method called a timing attack, the encryption key is analyzed using the fact that the time an encryption module needs for encryption processing varies slightly with the value of the key being used; in other words, the timing attack performs cryptanalysis of the key using the processing time as side information. Among such methods, simple power analysis and differential power analysis have been formulated as cryptanalysis methods that use the power consumption during encryption processing as side information. It has been reported that these methods can analyze actual products in which a cipher is implemented, such as IC cards, partly because high-performance measuring devices have recently become available at low cost. Many further analysis methods have also been formulated, for example one that uses, as side information, the strength of the electromagnetic emanation generated by an encryption module during encryption processing. In the following description, cryptanalysis methods that analyze encryption keys using the power consumption of encryption modules during encryption processing are collectively called a "power analysis attack". Although the following description uses the power analysis attack as an example, the present invention is also effective against other analysis methods that use side information; that is, it can be applied not only to the power analysis attack but to any analysis method that infers keys from side information generated in an encryption module during encryption processing.
The power analysis attack analyzes the key using the correlation between the power consumption of an encryption module and an intermediate value of the encryption processing. A countermeasure against the power analysis attack is therefore to obscure this correlation by randomizing the intermediate value with a random number generated in the encryption module. Randomizing an intermediate value of the encryption processing in this way is called "masking" the intermediate value, and methods that make the key analysis of the power analysis attack difficult by masking intermediate values are collectively called "masking methods".
Patent Reference 1 discloses the masking method (hereinafter referred to as Conventional Technique 1) for the U.S. Data Encryption Standard (DES) cipher.
(Summary of Conventional Technique 1)
According to Conventional Technique 1, a randomized Sbox table, in which the Sbox table used for data conversion in the DES cipher is randomized based on a random number generated in the encryption module, is created prior to encryption processing and temporarily stored. Using the randomized Sbox table masks the intermediate values of the encryption processing, which makes the power analysis attack difficult. However, Conventional Technique 1 needs a RAM for temporarily storing the randomized Sbox table, so it cannot be used where RAM capacity is strictly limited. Moreover, when the encryption module is implemented in hardware, the Sbox table is generally implemented as a logic circuit; since a randomized Sbox table cannot then be created, Conventional Technique 1 cannot be used in that case either.
(Summary of Conventional Technique 2)
Non-patent Reference 1 discloses a masking method (hereinafter referred to as Conventional Technique 2) for the U.S. Advanced Encryption Standard (AES) cipher. Since the Sbox can be implemented in a logic circuit and, unlike Conventional Technique 1, no randomized Sbox table needs to be created, Conventional Technique 2 is suitable for hardware implementation. The following describes the summary of Conventional Technique 2.
It is known that the Sbox of the AES cipher is equivalent to an inverse element calculation in the extension field GF(2^8) followed by a predetermined affine transformation ("X^Y" indicates "X raised to the Y-th power"). In addition, one existing method for implementing in a circuit the inverse element calculation for an element X in the extension field GF(2^8) is the following.
(1) Transform X into an element A in a composite field GF(((2^2)^2)^2) that is isomorphic to GF(2^8).
(2) Calculate the inverse element A^(−1) of A in the composite field.
(3) Inversely transform A^(−1) into an element of the extension field to obtain X^(−1).
In this method, performing the inverse element calculation in the composite field makes it possible to implement the inverse element calculation with a small circuit size.
When the Sbox of the AES cipher is implemented through the above inverse element calculation and affine transformation and a masking method is applied to it, resistance to the power analysis attack can be increased while keeping the circuit size small. The key point is then how the inverse element calculation portion is masked. The following briefly describes the masking method for the inverse element calculation portion in Conventional Technique 2.
<Randomized 8-Bit Inverse Element Calculation Unit 81>
As shown in
Here, as shown in
Furthermore, as shown in
Moreover, as shown in
Here, as shown in
In addition, as shown in
Furthermore, as shown in
As described above, the randomized 8-bit inverse element calculation unit 81 (
Conventional Technique 2 discloses the encryption device that is designed to be suitable for hardware implementation by providing the randomized 8-bit inverse element calculation unit 81 (
However, due to the above mentioned recursive configuration of the randomized 8-bit inverse element calculation unit 81 (
The critical paths of the randomized 8-bit inverse element calculation unit 81 (
First, the following is a critical path in
The seventeenth power calculation unit 810 → the exclusive OR unit 813 → the exclusive OR unit 814 → the randomized 4-bit inverse element calculation unit 815 (
Here, critical paths in the 4-bit output calculation unit 817 (
First, the following is the critical path in the 4-bit output calculation unit 817 (
The 4-bit multiplication unit 816a → the exclusive OR unit 816e → the exclusive OR unit 816f → the exclusive OR unit 816i → the exclusive OR unit 816j
The following is the critical path in the randomized 4-bit inverse element calculation unit 815 (
The fifth power calculation unit 820 → the exclusive OR unit 823 → the exclusive OR unit 824 → the randomized 2-bit inverse element calculation unit 825 (
The 2-bit output calculation unit 827 (
First, the following is the critical path in the 2-bit output calculation unit 827 (
The 2-bit multiplication unit 826a → the exclusive OR unit 826e → the exclusive OR unit 826f → the exclusive OR unit 826i → the exclusive OR unit 826j
The following is the critical path in the randomized 2-bit inverse element calculation unit 825 (
The exclusive OR unit 825a → the exclusive OR unit 825b
Therefore, the maximum number of logical steps in the randomized 8-bit inverse element calculation unit 81 is the number of logical steps when the following processes are performed serially.
Seventeenth power calculation×1 time
Fifth power calculation×1 time
4-bit multiplication×1 time
2-bit multiplication×1 time
Exclusive OR operation×18 times
It is to be noted that, here, 18 in “Exclusive OR operation×18 times” is obtained through the following calculation: 18=4+4+4+4+2.
As mentioned above, Conventional Technique 2 has the problem that the maximum number of logical steps becomes large.
The present invention has been conceived to solve this problem in the encryption processing of Conventional Technique 2, and has the objective of providing an encryption device whose maximum number of logical steps is smaller than that of Conventional Technique 2, while using an Sbox implementation in which the inverse element calculation is performed in the composite field GF(((2^2)^2)^2) in the same manner as Conventional Technique 2.
The present invention adopts the following structure in order to solve the above problem.
In other words, the encryption device generates encrypted text from plain text using a key, and is structured to include a first randomized inverse element data generation unit which receives randomized input data and an input mask value, and which generates randomized output data obtained by adding, to the inverse element of the input data in a predetermined first finite field, an output mask value that is the inverse element in the first finite field of the received input mask value; the encryption device generates the encrypted text from the randomized output data, the randomized input data being obtained by adding, to input data on which predetermined processing has been performed with the key, an input mask value determined depending on a random number.
The present invention can thus realize an encryption device in which the output mask value is the inverse element of the input mask value, and which has a simple structure and a smaller number of logical steps.
An encryption device according to an aspect (of the present invention) is an encryption device which generates encrypted text from plain text using a key, the encryption device including: a random number generation unit configured to generate a random number; a randomized input data generation unit configured to receive the plain text, and generate randomized input data that is obtained by adding, to input data that is obtained by performing predetermined processing on the plain text using the key, a predetermined input mask value determined depending on the random number; a first randomized inverse element data generation unit configured to receive the randomized input data generated by the randomized input data generation unit and the input mask value, and generate randomized output data that is obtained by adding, to an inverse element of the input data in a predetermined first finite field, an output mask value that is an inverse element of the received input mask value in the first finite field; and an output data processing unit configured to receive the randomized output data generated by the first randomized inverse element data generation unit, and generate the encrypted text from the received randomized output data.
According to the present aspect, the following is performed in order to prevent analysis, through measurement of side information, of the key used for generating the encrypted text from the plain text. Randomized output data to which an output mask value is added is generated from randomized input data obtained by adding an input mask value to input data on which predetermined processing has been performed with the key, and the output mask value is the inverse element of the input mask value. Accordingly, the encryption device can have a simple structure and a smaller number of logical steps.
It is to be noted that the encryption device may further include a mask value generation unit which receives the generated random number and generates the input mask value from it, and that the first randomized inverse element data generation unit may receive the generated input mask value and perform the generation. In this manner, a structure in which the input mask value is input to the encryption device from the outside becomes unnecessary, which simplifies the system structure.
In an encryption device according to another aspect (of the present invention), the first randomized inverse element data generation unit includes: a first exponential operation unit configured to perform, with a predetermined first exponent, an exponential operation on each of the randomized input data and the input mask value, and generate, through the exponential operations, first exponential randomized input data and a first exponential input mask value, respectively; a correction data generation unit configured to generate predetermined correction data from the randomized input data and the input mask value; an addition unit configured to add the generated correction data to the calculated first exponential randomized input data, and generate side randomized input data; a second randomized inverse element data generation unit configured to receive the side randomized input data and the first exponential input mask value, and generate randomized side output data that is obtained by adding, to the inverse element of the side randomized input data in a predetermined second finite field, a mask value that is the inverse element of the first exponential input mask value in the second finite field; and a randomized output data generation unit configured to generate the randomized output data from the randomized side output data, the randomized input data, the input mask value, and the first exponential input mask value.
According to this other aspect, the randomized output data is generated through a simple structure, so that an encryption device with a simple structure and a smaller number of logical steps can be realized, which reduces faults and malfunctions and facilitates design.
Furthermore, in an encryption device according to aspect A (an aspect of the present invention), the conventional operation of a randomized composite field inverse element calculation unit, in which X=M+R is converted into Y=M^(−1)+R, is replaced with an operation in which X=M+R is converted into Y=M^(−1)+R^(−1). Accordingly, the advantage of the conventional method, namely that a compact implementation is possible, is retained while the maximum number of logical steps is reduced below that of the conventional method.
Moreover, an encryption device according to aspect B (another aspect of the present invention) is an encryption device which performs, on plain text, predetermined encryption processing based on a key, the encryption device including: a random number generation unit which generates a random number; and a first randomized inverse element calculation unit which receives randomized input data and an input mask value, performs an inverse element calculation in a first finite field, and outputs randomized output data, wherein the randomized input data is a value masked by adding the input mask value to the input data, the randomized output data is a value masked by adding an output mask value to the output data, the input mask value is a value determined depending on the random number, the output data is the inverse element of the input data in the first finite field, and the output mask value is the inverse element of the input mask value in the first finite field.
Here, in the encryption device according to aspect B, the first randomized inverse element calculation unit may include: a first exponential operation unit configured to perform, with a predetermined first exponent, an exponential operation on the randomized input data and the input mask value, and generate, through the exponential operations, first exponential randomized input data and a first exponential input mask value, respectively; a correction data generation unit configured to generate predetermined correction data from the randomized input data and the input mask value; an addition unit configured to add the generated correction data to the calculated first exponential randomized input data, and generate side randomized input data; a second randomized inverse element data generation unit configured to receive the side randomized input data and the first exponential input mask value, and generate randomized side output data that is obtained by adding, to an inverse element of the side randomized input data in a predetermined second finite field, a mask value that is an inverse element of the first exponential input mask value in the second finite field; and a randomized output data generation unit configured to generate the randomized output data from the randomized side output data, the randomized input data, the input mask value, and the first exponential input mask value.
Further, in the encryption device according to aspect B, the randomized output data generation unit may include: a second exponential operation unit configured to perform, with a predetermined second exponent, an exponential operation on each of the randomized input data and the input mask value, and generate, through the exponential operations, second exponential randomized input data and a second exponential input mask value, respectively; an inverse element calculation unit configured to perform, on the first exponential input mask value, an inverse element calculation in the second finite field, and generate an inverse element exponential input mask value that is the inverse element of the first exponential input mask value in the second finite field; and a randomized output data generation unit configured to generate the randomized output data from the randomized side output data, the second exponential randomized input data, the second exponential input mask value, and the inverse element exponential input mask value.
Moreover, a decryption device according to aspect C (still another aspect of the present invention) is a decryption device which performs, on encrypted text, predetermined decryption processing based on a key, the decryption device including: a random number generation unit configured to generate a random number; a randomized input data generation unit configured to receive the encrypted text, and generate randomized input data that is obtained by adding, to input data that is obtained by performing predetermined processing on the encrypted text using the key, a predetermined input mask value determined depending on the random number; a first randomized inverse element data generation unit configured to receive the randomized input data generated by the randomized input data generation unit and the input mask value, and generate randomized output data that is obtained by adding, to the inverse element of the input data in a predetermined first finite field, an output mask value that is the inverse element of the received input mask value in the first finite field; and an output data processing unit configured to receive the randomized output data generated by the first randomized inverse element data generation unit, and generate the decrypted text from the received randomized output data.
The following will describe an embodiment of the present invention with reference to the drawings.
It is to be noted that although operations in a composite field GF(((2^2)^2)^2) and its subfields GF((2^2)^2), GF(2^2), and GF(2) are used in the embodiment, the composite field and the subfields have the following relationships.
GF(2^2) is obtained by a quadratic extension of GF(2) with the irreducible polynomial x^2+x+1.
GF((2^2)^2) is obtained by a quadratic extension of GF(2^2) with the irreducible polynomial x^2+x+φ.
GF(((2^2)^2)^2) is obtained by a quadratic extension of GF((2^2)^2) with the irreducible polynomial x^2+x+λ.
Here, since φ=α and λ=α^3+α, where α is a root of x^2+x+1=0, φ and λ are represented in bit notation as φ=10 (binary) and λ=1100 (binary).
Before describing actual processing in detail, a summary of the embodiment will be initially described while comparing with the conventional approach disclosed in Non-patent Reference 1, that is, Conventional Technique 2.
In the conventional technique disclosed in Non-patent Reference 1, that is, Conventional Technique 2, the randomized 8-bit inverse element calculation unit 81 (
In the embodiment according to the present invention, the above randomized 8-bit inverse element calculation is performed on the input data X=M(+)R by a randomized inverse element calculation using the random number R, and output data Y=M^(−1)(+)R^(−1) is generated. Stated differently, whereas the random mask value on the output data is R in Conventional Technique 2, it is R^(−1) in the present invention. Because the structure that calculates the output data differs from that of Conventional Technique 2 in this way, the maximum number of logical steps can be made smaller than in Conventional Technique 2, as will be described later.
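As an added worked example (this is the editor's own code, not code from the patent or from Non-patent Reference 1), the following Python carries the masked inversion X=M(+)R → Y=M^(−1)(+)R^(−1) through in plain GF(2^8) arithmetic with the AES polynomial instead of the 4-bit/2-bit composite-field representation, so the tower of fields is implicit: each level uses the Frobenius exponent q (16, 4, 2) in place of the bit-sliced units, the "seventeenth power" and "fifth power" calculations are x·x^16 and x·x^4, the correction data is x^q·r (+) x·r^q, the side value is inverted recursively with mask r^(q+1), and the output is lifted back with x^q, r^q and the mask-only value (r^(q+1))^(−1). M is never reconstructed at any level. The function names, the TOWER constant, the exhaustive check, and the final affine step (which makes the S-box output mask a function of R alone) are this example's own assumptions, not the patent's unit names.

```python
# GF(2^8) arithmetic modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
AES_POLY = 0x11B


def gf_mul(a, b):
    """Multiply two field elements (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse with the AES convention inv(0) = 0."""
    return gf_pow(a, 254)


# Frobenius exponents of the three tower levels (assumed layout of this example):
# x -> x^16 in GF(2^8), x -> x^4 in the subfield GF(2^4), x -> x^2 in GF(2^2).
# The patent's seventeenth and fifth power calculations are x * x^16 and x * x^4.
TOWER = (16, 4, 2)


def masked_inv(x, r, exps=TOWER):
    """Given x = m ^ r and the mask r, return inv(m) ^ inv(r) without forming m.

    At each level the norm x^(q+1) is corrected into m^(q+1) ^ r^(q+1), a value of
    the next subfield masked by r^(q+1); the recursion inverts it and the result is
    lifted back with the Frobenius images x^q and r^q.
    """
    if not exps:
        # GF(2): 0 and 1 are their own inverses, so the masked value passes through.
        return x
    q = exps[0]
    xq, rq = gf_pow(x, q), gf_pow(r, q)        # Frobenius is additive, so the mask follows
    xn, rn = gf_mul(xq, x), gf_mul(rq, r)      # x^(q+1) = (m ^ r)^(q+1) and r^(q+1)
    corr = gf_mul(xq, r) ^ gf_mul(x, rq)       # cross terms m^q r ^ m r^q, from x and r only
    side = xn ^ corr                           # = m^(q+1) ^ r^(q+1)
    n = masked_inv(side, rn, exps[1:])         # = inv(m^(q+1)) ^ inv(r^(q+1))
    rn_inv = gf_inv(rn)                        # depends on the mask only
    # m^-1 = m^q * inv(m^(q+1)); the two extra products cancel the cross terms,
    # leaving inv(m) ^ r^q * inv(r^(q+1)) = inv(m) ^ inv(r).
    return gf_mul(xq, n) ^ gf_mul(xq, rn_inv) ^ gf_mul(rq, n)


def aes_affine_linear(b):
    """Linear part of the AES S-box affine map (without the constant 0x63)."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4)


def sbox_ref(m):
    """Unmasked AES S-box from its definition: affine(inv(m))."""
    return aes_affine_linear(gf_inv(m)) ^ 0x63


def masked_sbox(x, r):
    """Masked S-box: returns (sbox(m) ^ s, s) for x = m ^ r, with s = L(inv(r)).

    The affine map is linear up to its constant, so the output mask s is a
    known function of r alone and can be computed without touching m.
    """
    y = aes_affine_linear(masked_inv(x, r)) ^ 0x63
    s = aes_affine_linear(gf_inv(r))
    return y, s


def verify(masks=(0x01, 0x53, 0xFF)):
    """Check every input byte against the unmasked reference for the given masks."""
    for r in masks:
        for m in range(256):
            x = m ^ r
            if masked_inv(x, r) != gf_inv(m) ^ gf_inv(r):
                return False
            y, s = masked_sbox(x, r)
            if y ^ s != sbox_ref(m):
                return False
    return True


if __name__ == "__main__":
    print("masked inversion matches reference:", verify())
```

A mask of R=0 is algebraically fine (the output then carries no mask), so a real implementation must draw R from the nonzero bytes, as the patent's random number generation unit is meant to; the example does not enforce this.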
In addition,
As shown in
The randomized Round_t 12X (the randomized Round_n 12 shown in
As shown in
The encryption device 1 (
The following will describe the processing of the encryption device 1 in detail.
<Encryption Device 1>
The encryption device 1 (
The encryption device 1 (
It is to be noted that the Substitution Permutation Network (SPN) structure and the Feistel structure are representative configurations of so-called iterated ciphers, in which a round operation is repeated in the encryption processing, and that the AES cipher adopts the former, the SPN structure.
Here, the encryption device 1 may be, for instance, included in an IC card.
The key storage unit 1c stores the key K that is pre-set in the encryption device 1. The key K may be set at the time of manufacturing of the encryption device 1 or may be generated in the encryption device 1 and set in the key storage unit 1c after the encryption device 1 is manufactured. When the plain text P is inputted, the encryption device 1 performs the following processing.
(1) The key storage unit 1c inputs the key K stored therein to the round key generation unit 1b.
(2) The round key generation unit 1b generates, from the key K, round keys RK0 to RK10 (each having 128 bits) according to round key generation processing of the AES encryption scheme, and inputs the round keys RK0 to RK10 to the encryption unit 1a. It is to be noted that, being described in Non-patent Reference 2 and publicly known, the round key generation processing will not be described here.
(3) The encryption unit 1a performs, on the plain text P, encryption processing to be described later using the round keys RK0 to RK10, generates encrypted text C, and outputs the encrypted text C.
Next, the processing performed by the encryption unit 1a will be described.
<Encryption Unit 1a>
As shown in the figure, the encryption unit 1a (
The encryption unit 1a performs, on plain text P (128 bits), the encryption processing using the round keys RK0 to RK10 (128 bits×11), generates encrypted text C (128 bits), and outputs the encrypted text C. Among the round keys RK0 to RK10 to be inputted, the encryption unit 1a inputs the round key RK0 to the AddRoundKey 11, round keys RKn (n=1 to 9) to the randomized Round_n 12 (
The encryption unit 1a performs the following processing.
(1) The random number generation unit 15 randomly generates a random number R0 (8 bits) and temporarily stores it in the random number temporary storage unit 16. As an example, each time new plain text P is input to the encryption device 1 and new encryption processing starts, the random number generation unit 15 generates a fresh random number R0 at that time and causes it to be stored.
(2) The mask processing unit 10 performs the following exclusive OR operation on the plain text P using the random number R0 stored in the random number temporary storage unit 16, and obtains data A (128 bits). Through this processing the plain text P is masked with the random mask value R0.
A=P(+)(R0, R0, R0, . . . , R0)
Here, (R0, R0, R0, . . . , R0) represents the 128-bit data obtained by concatenating 16 copies of R0 (8 bits). Hereinafter, unless otherwise specified, the 128-bit data obtained by concatenating 16 copies of 8-bit data X is written (X, X, X, . . . , X).
It is to be noted that P shown in
(3) The random number update unit 17 performs, on the random number R0 stored in the random number temporary storage unit 16, random number update processing, which will be described later, to generate R1, and updates the random number R0 to R1.
(4) The AddRoundKey 11 performs, on the data A obtained by the mask processing unit 10 in the above (2), key addition processing using the round key RK0 as follows, and obtains B1. This is the AddRoundKey processing defined in the AES cipher algorithm specification.
B1=A(+)RK0
(5) Next, the randomized Round_n 12 repeatedly performs the following processing in the case where n=1, 2, 3, . . . , 9.
(5-1) The randomized Round_n 12 performs, on Bn (the n-th input data B to the randomized Round_n 12), the randomized Round_n processing, which will be described later, using the round key RKn and the random number Rn stored in the random number temporary storage unit 16, and generates B(n+1). When n=9, the generated B(n+1)=B10 is input as D to the randomized Round_10 13; when n≠9, that is, n=1, 2, . . . , 8 and the generated B(n+1) is one of B2, B3, . . . , B9, it is input again to the randomized Round_n 12.
(5-2) The random number update unit 17 performs, on the random number Rn stored in the random number temporary storage unit 16, the random number update processing to generate R(n+1), and updates the random number Rn to R(n+1). In this way the random number update unit 17 generates, from the random number R0 generated by the random number generation unit 15, the random numbers R1, R2, . . . , R11, updates the random number stored in the random number temporary storage unit 16 to each generated random number in turn, and thereby provides, via the random number temporary storage unit 16, the random number R0 to the mask processing unit 10, the random numbers R1 to R9 to the randomized Round_n 12, the random number R10 to the randomized Round_10 13, and the random number R11 to the unmask processing unit 14.
(5-3) When n=9, the encryption unit 1a leaves the repetition loop and moves to the next processing of the randomized Round_10 13; when n≠9, it adds 1 to n and performs the above processes (5-1) to (5-3) again.
(6) The randomized Round_10 13 performs, on its input data D (128 bits) obtained through the above process (5), the randomized Round_10 processing, which will be described later, using the round key RK10 and the random number R10 stored in the random number temporary storage unit 16, and inputs the resulting data E to the unmask processing unit 14.
Moreover, the random number update unit 17 performs, on the random number R10 stored in the random number temporary storage unit 16, the random number update processing, updates the random number R10 to the random number R11, and thereby provides the random number R11 to the unmask processing unit 14.
(7) The unmask processing unit 14 performs, on the data E obtained from the randomized Round_10 13 in the above (6), the following exclusive OR operation using the random number R11 stored in the random number temporary storage unit 16, and generates the encrypted text C (128 bits). This removes the mask from the masked data E, so that the unmasked encrypted text C is obtained.
C=E(+)(R11, R11, R11, . . . , R11)
(8) The encryption unit 1a outputs, as output data of the encryption unit 1a, the encrypted text C obtained in (7).
Next, the configurations of the randomized Round_n 12 and the randomized Round_10 13 that are used in the encryption unit 1a (
<Randomized Round_n 12>
As shown in
The randomized Round_n 12 performs, on input data X to the randomized Round_n 12 (corresponding to the data Bn in the description (FIG. 9) of the processing of the encryption unit 1a), the randomized Round_n processing, using the random number Rn and the round key RKn (n=1, 2, . . . 9), and generates output data Y (corresponding to the data Bn+1 (
It is to be noted that the randomized Round_n processing performed by the randomized Round_n 12 is nothing but processing for generating a round processing result Y=P(+)(Rn+1, Rn+1, . . . , Rn+1) by performing, on input data X=M(+)(Rn, Rn, . . . , Rn), one-round processing defined in the AES cipher algorithm specification, the processing result being obtained by masking P with a mask value (Rn+1, Rn+1, . . . , Rn+1), the input data being obtained by masking M with a mask value (Rn, Rn, . . . , Rn). P corresponds to a result of performing, on M, the one-round processing defined in the AES cipher algorithm specification. Here, X is the input data Bn (n=1, 2, . . . , 9) in the randomized Round_n processing in the description of
It is to be noted that X in
Specifically, the randomized Round_n 12 (
(1) The randomized SubBytes 120 (
(2) The ShiftRows 121 (
(3) Next, the MixColumns 122 (
(4) Then, the AddRoundKey 123 performs, on the data C generated in the above (3), the AddRoundKey processing defined in the AES cipher algorithm specification, using the round key RKn, and generates data Y (128 bits). The AddRoundKey 123 outputs, as output data of the randomized Round_n 12, the generated data Y. It is to be noted that, being publicly known through Non-patent Reference 2, the AddRoundKey 123 will not be described in detail.
It is to be noted that the data A in
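As an added example (the editor's own code, not the patent's), the following Python shows why a single 8-bit random number suffices as the mask for the whole 128-bit state in the randomized round: ShiftRows only permutes bytes, and MixColumns multiplies each column by a circulant matrix whose rows sum to {02}(+){03}(+){01}(+){01}={01}, so a uniform mask (S, S, . . . , S) passes through both unchanged and AddRoundKey, being an XOR with a constant, leaves it untouched as well. The round output therefore carries exactly the mask S that the randomized SubBytes produced, as the note on the randomized Round_n processing states. A per-byte mask would not survive MixColumns, which the last check shows. The column-major state layout, the function names, and the sample state and key are this example's own constructed inputs.

```python
AES_POLY = 0x11B


def xtime(b):
    """Multiply a GF(2^8) element by x modulo the AES polynomial."""
    b <<= 1
    return b ^ AES_POLY if b & 0x100 else b


def shift_rows(state):
    """AES ShiftRows on a 16-byte list in column-major order (index r + 4*c)."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state):
    """AES MixColumns: each column is multiplied by the circulant matrix (2, 3, 1, 1)."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        for r in range(4):
            a0, a1, a2, a3 = a[r], a[(r + 1) % 4], a[(r + 2) % 4], a[(r + 3) % 4]
            out.append(xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3)   # 2*a0 ^ 3*a1 ^ a2 ^ a3
    return out


def linear_layers(state, round_key):
    """ShiftRows, MixColumns and AddRoundKey, i.e. the part of the round after SubBytes."""
    return [b ^ k for b, k in zip(mix_columns(shift_rows(state)), round_key)]


def mask_after_linear_layers(mask):
    """Mask vector carried out of the linear layers for a given input mask vector.

    AddRoundKey XORs a constant and so does not change the mask; a zero key is used.
    """
    return linear_layers(mask, [0] * 16)


def uniform_mask_survives(state, round_key, s):
    """Processing state ^ (s,...,s) must equal processing state and then adding (s,...,s)."""
    masked = [b ^ s for b in state]
    reference = linear_layers(state, round_key)
    return linear_layers(masked, round_key) == [b ^ s for b in reference]


# Constructed sample inputs for the demonstration (arbitrary bytes, not test vectors).
SAMPLE_STATE = list(bytes.fromhex("00112233445566778899aabbccddeeff"))
SAMPLE_KEY = list(bytes.fromhex("000102030405060708090a0b0c0d0e0f"))

if __name__ == "__main__":
    print("uniform mask survives:", uniform_mask_survives(SAMPLE_STATE, SAMPLE_KEY, 0x5A))
    print("per-byte mask after linear layers:",
          [hex(b) for b in mask_after_linear_layers(list(range(16)))])
```

The first assertion in the test checks mix_columns against the FIPS 197 worked column d4 bf 5d 30 → 04 66 81 e5, so the mask argument rests on a correct MixColumns rather than on one that merely happens to preserve uniform vectors.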
<Randomized Round_10 13>
The randomized Round_10 13 (
As shown in
It is to be noted that the randomized Round_10 processing is nothing but processing for generating a final round processing result Y=P(+)(R11, R11, . . . , R11) by performing, on input data X=M(+)(R10, R10, . . . , R10), the final-round processing defined in the AES cipher algorithm specification, the final round processing result being obtained by masking P with a mask value (R11, R11, . . . , R11), the input data being obtained by masking M with a mask value (R10, R10, . . . , R10). P corresponds to a result of performing, on M, the final-round processing defined in the AES cipher algorithm specification.
It is to be noted that, here, X is the data D in the description of
On the other hand, the data A in
Next, the randomized SubBytes 120 and 130 (
<Randomized SubBytes 120 and 130>
The randomized SubBytes 120X performs, on input data X (128 bits), the randomized S-Box processing using a random number R (8 bits), and generates output data Y (128 bits). The input data X here corresponds to the data X in the description (
It is to be noted that X in
The randomized SubBytes 120X includes randomized S-Boxes 120a to 120p.
The randomized SubBytes 120X (the randomized S-Boxes 120a to 120p) performs the following processing.
(1) The randomized SubBytes 120X divides, for every 8 bits from the high order, input data into X[0], X[1], . . . , X[15] (
(2) The randomized S-Boxes 120a to 120p perform, on each of X[0], X[1], . . . , X[15] that are obtained by the division, the randomized S-Box processing using the random number R, and each generate Y[0], Y[1], . . . , Y[15]. The randomized S-Box processing will be described in detail later.
(3) Then, the randomized SubBytes 120X generates 128-bit data Y by concatenating the generated Y[0], Y[1], . . . , Y[15] in descending order. The randomized SubBytes 120X then outputs, as output data thereof, the data Y.
It is to be noted that the processing performed by the randomized SubBytes 120 and 130 is nothing but processing for generating a processing result Y=P(+)(S, S, . . . , S) by performing, on input data X=M(+)(R, R, . . . , R), the SubBytes processing defined in the AES cipher algorithm specification, the processing result being obtained by masking P with a mask value (S, S, . . . , S), the input data being obtained by masking M with a mask value (R, R, . . . , R). P corresponds to a result of performing the SubBytes processing defined in the AES cipher algorithm specification, and the mask value S corresponds to a result of performing, on the mask value R, the random number update processing that is performed by the random number update unit 17.
It is to be noted that, in
Next, the randomized S-Boxes 120a to 120p that are used in the randomized SubBytes 120X (the randomized SubBytes 120 and 130) will be described in detail.
<Randomized S-Boxes 120a to 120p>
The randomized S-Box 121X (
The randomized S-Box 121X performs, on input data X (8 bits), the randomized S-Box processing using a random number R (8 bits), and obtains output data Y (8 bits). The input data X here corresponds to one of the data X[0], X[1], . . . , X[15] in the description of the processing of the randomized SubBytes 120X (
It is to be noted that, in
The randomized S-Box 121X performs the following processing.
(1) The composite field conversion unit 100 divides, for every 1 bit from the high order, X (8 bits) into X7, X6, . . . , X0. Then, the composite field conversion unit 100 performs a matrix calculation shown by the following Equation 1, and generates data A (8 bits), the output of the composite field conversion unit 100, by concatenating, in descending order, A7, A6, . . . , A0 obtained through the matrix calculation. It is to be noted that the following matrix calculation is performed in mod 2. Stated differently, in the following matrix calculation, 0+0=1+1=0, and 0+1=1+0=1.
(2) Then, the other composite field conversion unit 103 divides, for every 1 bit from the high order, R (8 bits) in the same manner as the above (1), performs the matrix calculation shown by Equation 1, and generates S (8 bits) from R (8 bits).
(3) Next, the randomized 8-bit inverse element calculation unit 101 performs, on the input data A (8 bits) generated in the above (1), the randomized 8-bit inverse element calculation, which will be described later, using the random number S (8 bits) generated in the above (2), and generates output data B (8 bits).
(4) The extension field conversion and matrix conversion unit 102 divides, based on the matrix calculation shown by Equation 2, the data B (8 bits) generated in the above (3), in the same manner as the above (1), that is, for every 1 bit from the high order, performs the matrix calculation, and generates data C (8 bits).
(5) The exclusive OR unit 104 performs the bit-basis exclusive OR operation on the data C (8 bits) generated in the above (4) and the constant 01100011 (binary digit), and generates data Y (8 bits).
The randomized S-Box 121X outputs, as output data of the randomized S-Box 121X, Y generated in the above (5).
It is to be noted that the processing performed by the randomized S-Boxes 120a to 120p is nothing but processing for generating a processing result Y=P(+)(S, S, . . . , S) by performing, on input data X=M(+)(R, R, . . . , R), S-Box table conversion included in the SubBytes processing defined in the AES cipher algorithm specification, the processing result being obtained by masking P with the mask value (S, S, . . . , S), the input data being obtained by masking M with the mask value (R, R, . . . , R). P corresponds to a result of performing the S-Box table conversion included in the SubBytes processing defined in the AES cipher algorithm specification, and the mask value S corresponds to a result of performing, on the mask value R, the random number update processing that is performed by the random number update unit 17.
It is to be noted that, in
Next, the randomized 8-bit inverse element calculation unit 101 that is used in the respective randomized S-Boxes 120a to 120p will be described in detail.
<Randomized 8-Bit Inverse Element Calculation Unit 101>
The randomized 8-bit inverse element calculation unit 101 (
The randomized 8-bit inverse element calculation unit 101 (
It is to be noted that, in
The randomized 8-bit inverse element calculation unit 101 performs the following processing.
(1) The randomized 8-bit inverse element calculation unit 101 first divides, for every 4 bits from the high order, the data X (8 bits) into X0 (4 bits) and X1 (4 bits). Then, the randomized 8-bit inverse element calculation unit 101 divides, for every 4 bits from the high order, the random number R (8 bits) into R0 (4 bits) and R1 (4 bits) likewise. Finally, the randomized 8-bit inverse element calculation unit 101 inputs X0 and X1 to the seventeenth power calculation unit 110, X0, X1, R0, and R1 to the 4-bit correction term calculation unit 111, and R0 and R1 to the seventeenth power calculation unit 112, respectively.
(2) Next, the seventeenth power calculation unit 110 performs, on X0 and X1 that are inputted, seventeenth power calculation processing, which will be described later, and generates output data A (4 bits). In the same manner, the other seventeenth power calculation unit 112 performs, on R0 and R1 that are inputted, the seventeenth power calculation processing, and generates output data C (4 bits).
(3) On the other hand, the 4-bit correction term calculation unit 111 performs, on X0, X1, R0, and R1 that are inputted, 4-bit correction term calculation processing, which will be described later, and generates output data B (4 bits).
(4) Then, the exclusive OR unit 113 performs an exclusive OR operation on the data A generated in (2) and the data B generated in (3), and generates data D (4 bits).
(5) Next, the randomized 4-bit inverse element calculation unit 114 performs, on the data D generated in the above (4), randomized 4-bit inverse element calculation processing, which will be described later, using the data C (4 bits) generated in the above (2), and generates data E (4 bits).
(6) In addition, the sixteenth power calculation unit 115 performs, on the data X (8 bits) inputted to the randomized 8-bit inverse element calculation unit 101, sixteenth power calculation processing, which will be described later, and generates data F (8 bits). The randomized 8-bit inverse element calculation unit 101 then divides, for every 4 bits from the high order, the generated data F into F0 (4 bits) and F1 (4 bits). Likewise, the other sixteenth power calculation unit 117 performs the sixteenth power calculation processing on the data R (8 bits) inputted to the randomized 8-bit inverse element calculation unit 101, and generates data H. As with the above data F, the randomized 8-bit inverse element calculation unit 101 divides, for every 4 bits from the high order, the generated data H into H0 (4 bits) and H1 (4 bits).
(7) On the other hand, the 4-bit inverse element calculation unit 116 performs, on the data C (4 bits) generated in the above (2) by the seventeenth power calculation unit 112 shown at the bottom edge of
(8) Then, the 4-bit output calculation unit 118 performs, on the data E (4 bits) generated in the above (5), the data G generated in the above (7), the data F0 (4 bits) that is divided from the data F in the above (6), and the data H0 (4 bits) that is also divided from the data H in the above (6), 4-bit output calculation processing, which will be described later, and generates data Y0 (4 bits). Likewise, the other 4-bit output calculation unit 119 performs, on the data E (4 bits), the data G (4 bits), the data F1 (4 bits), and the data H1 (4 bits), the 4-bit output calculation processing, and generates data Y1 (4 bits). Then, the randomized 8-bit inverse element calculation unit 101 generates 8-bit data Y by concatenating, in descending order, the generated data Y0 and the generated data Y1. Lastly, the randomized 8-bit inverse element calculation unit 101 outputs, as output data thereof, the concatenated data Y.
It is to be noted that the processing performed by the randomized 8-bit inverse element calculation unit 101 is nothing but processing for generating a processing result Y=M^(−1)(+)R^(−1) by performing, on input data X=M(+)R, an inverse element calculation in the composite field GF(((2^2)^2)^2), the processing result being obtained by masking M^(−1) with a mask value R^(−1), the input data being obtained by masking M with a mask value R. M^(−1) is an inverse element of M in the composite field GF(((2^2)^2)^2), and the mask value R^(−1) is an inverse element of R in the composite field GF(((2^2)^2)^2).
Next, the seventeenth power calculation units 110 and 112 (a seventeenth power calculation unit 110X shown in
<Seventeenth Power Calculation Units 110 and 112>
The seventeenth power calculation unit 110X (
The seventeenth power calculation unit 110X performs, on input data X0 (4 bits) and X1 (4 bits), the seventeenth power calculation processing in the composite field GF(((2^2)^2)^2), and generates a data processing result Y (4 bits). A result of performing, on 8-bit data X that is obtained by concatenating, in descending order, the input data X0 and X1, the seventeenth power calculation processing in the composite field GF(((2^2)^2)^2) is Y, which is expressed as below.
Y=X^(17) in GF(((2^2)^2)^2)
At this time, Y^15=(X^17)^15=X^255, and since X is a (nonzero) element in GF(((2^2)^2)^2), Y^15=X^255=1. That is to say, the order of Y divides 15, so Y is an element in the subfield GF((2^2)^2). In short, Y becomes 4-bit data.
Moreover, the input data X0 and X1 here correspond to either the data X0 and X1 or R0 and R1 in the description (
Here, the seventeenth power calculation unit 110X performs the following calculation in the subfield GF((2^2)^2), and generates the output data Y.
Y=1100(binary digit)×(X0^2)+X1×(X0+X1) in GF((2^2)^2)
Addition in GF((2^2)^2) is a bit-basis exclusive OR operation (the exclusive OR units 110a and 110e). Multiplication (the 4-bit multiplication units 110b to 110d) in GF((2^2)^2) will be described in detail later (
<4-Bit Correction Term Calculation Unit 111>
The 4-bit correction term calculation unit 111 (
The 4-bit correction term calculation unit 111 performs, on input data X0 (4 bits), X1 (4 bits), R0 (4 bits), and R1 (4 bits), the 4-bit correction term calculation processing, and generates output data B (4 bits). The input data X0, X1, R0, and R1 here correspond to the data X0, X1, R0, and R1 in the description (
Here, the 4-bit correction term calculation unit 111 performs the following calculation in the subfield GF((2^2)^2), and generates the output data B.
B=X0×R1+X1×R0 in GF((2^2)^2)
Here, addition in GF((2^2)^2) is a bit-basis exclusive OR operation (the exclusive OR unit 111c). Multiplication (the 4-bit multiplication units 111a and 111b) in GF((2^2)^2) will be described in detail later (
<Sixteenth Power Calculation Units 115 and 117>
The sixteenth power calculation unit 115X performs, on input data X (8 bits), the sixteenth power calculation in the composite field GF(((2^2)^2)^2), and outputs a result of the calculation as Y (8 bits). The result of performing, on the input data X, the sixteenth power calculation in the composite field GF(((2^2)^2)^2) is Y, which is expressed as below.
Y=X^(16) in GF(((2^2)^2)^2)
Furthermore, the input data X here corresponds to either the data X or R in the description (
Here, the sixteenth power calculation units 115 and 117 first divide, for every 4 bits from the high order, the input data X into X0 and X1, and then obtain Y0 and Y1 by performing the following calculation in GF((2^2)^2).
Y0=X0
Y1=X0+X1 in GF((2^2)^2)
Here, addition in GF((2^2)^2) is the bit-basis exclusive OR operation (the exclusive OR unit 115a). The sixteenth power calculation unit 115X generates 8-bit data Y by concatenating, in this order, Y0 and Y1 that are obtained in the above manner. Y becomes the output data of the sixteenth power calculation units 115 and 117.
<4-Bit Output Calculation Units 118 and 119>
The 4-bit output calculation unit 118X includes 4-bit multiplication units 118a, 118b, and 118d (
The 4-bit output calculation unit 118X performs, on input data E (4 bits), G (4 bits), F (4 bits), and H (4 bits), the 4-bit output calculation processing, and generates output data Y. The input data E, G, F, and H here correspond to the input data E, G, F0, and H0 to the 4-bit output calculation unit 118 and to the input data E, G, F1, and H1 to the 4-bit output calculation unit 119, respectively, the input data E, G, F0, F1, H0, and H1 being in the description (
Y=E×F+G×F+E×H in GF((2^2)^2)
Here, the addition in GF((2^2)^2) is the bit-basis exclusive OR operation (the exclusive OR units 118c and 118e). The multiplication (the 4-bit multiplication units 118a, 118b, and 118d) in GF((2^2)^2) will be described in detail later (
Next, each 4-bit multiplication unit used in each kind of processing described above, that is, the 4-bit multiplication units 110b and 110c shown in
<4-Bit Multiplication Unit 20>
Although the 4-bit multiplication unit 20 is described here, the 4-bit multiplication units that are used in each kind of the processing described above have the same configuration as the 4-bit multiplication unit 20. It is to be noted that the above point is the same as a point that the above 4-bit output calculation units 118 and 119 have the same configuration as the 4-bit output calculation unit 118X shown in
The 4-bit multiplication unit 20 includes 2-bit multiplication units 200 to 203 and 206 (
The 4-bit multiplication unit 20 performs, on input data X (4 bits) and Y (4 bits), multiplication in GF((2^2)^2), and outputs a result of the multiplication Z (4 bits). At this time, Z=X×Y in GF((2^2)^2).
The 4-bit multiplication unit 20 divides, for every 2 bits from the high order, the input data X into X0 (2 bits) and X1 (2 bits) and the input data Y into Y0 (2 bits) and Y1 (2 bits). Then, Z0 and Z1 are obtained by performing the following calculation in GF(2^2).
Z0=X0×Y1+X1×Y0+X0×Y0 in GF(2^2)
Z1=10 (binary digit)×X0×Y0+X1×Y1 in GF(2^2)
The 4-bit multiplication unit 20 outputs, as an output thereof, 4-bit data Z that is generated by concatenating Z0 and Z1 in descending order.
Here, addition in GF(2^2) is a bit-basis exclusive OR operation (the exclusive OR units 204, 205, and 207). Multiplication (the 2-bit multiplication units 200 to 203 and 206 in
<2-Bit Multiplication Unit 21>
Although the 2-bit multiplication unit 21 is described here, the 2-bit multiplication units that are used in each kind of the processing described above have the same configuration as the 2-bit multiplication unit 21. It is to be noted that the 2-bit multiplication units 143 and 144 shown in
The 2-bit multiplication unit 21 includes AND units 210 to 213 and exclusive OR units 214 to 216.
The 2-bit multiplication unit 21 performs, on input data X (2 bits) and Y (2 bits), multiplication in GF(2^2), and outputs a result of the multiplication Z (2 bits). At this time, Z=X×Y in GF(2^2).
The 2-bit multiplication unit 21 then divides, for every 1 bit from the high order, the input data X into X0 (1 bit) and X1 (1 bit) and the input data Y into Y0 (1 bit) and Y1 (1 bit). The 2-bit multiplication unit 21 then obtains Z0 and Z1 by performing the following calculation in GF(2).
Z0=X0×Y1+X1×Y0+X0×Y0 in GF(2)
Z1=X0×Y0+X1×Y1 in GF(2)
The 2-bit multiplication unit 21 then concatenates Z0 and Z1 in descending order to generate 2-bit data Z, and outputs, as an output thereof, the concatenated 2-bit data Z.
Here, addition in GF(2) is the bit-basis exclusive OR operation (the exclusive OR units 214 to 216). Multiplication in GF(2) is AND (the AND units 210 to 213).
Next, the 4-bit inverse element calculation unit 116 that is used in the randomized 8-bit inverse element calculation unit 101 (
<4-Bit Inverse Element Calculation Unit 116>
The 4-bit inverse element calculation unit 116 includes a fifth power calculation unit 141 (
The 4-bit inverse element calculation unit 116 then performs, on input data X (4 bits), an inverse element calculation in GF((2^2)^2), and generates output data Y (4 bits) that is a result of the calculation. Here, the calculation is expressed as below:
Y=X^(−1) in GF((2^2)^2)
The input data X here corresponds to the input data C to the 4-bit inverse element calculation unit 116 in the description (
(1) The 4-bit inverse element calculation unit 116 first divides, for every 2 bits from the high order, the input data X into X0 and X1. The 4-bit inverse element calculation unit 116 then inputs X0 that is obtained by the division to the exclusive OR unit 140, the fifth power calculation unit 141, and the 2-bit multiplication unit 143. In addition, the 4-bit inverse element calculation unit 116 inputs X1 that is also obtained by the division to the exclusive OR unit 140 and the fifth power calculation unit 141.
(2) The fifth power calculation unit 141 performs, on X0 and X1 that are inputted, the fifth power calculation in GF((2^2)^2), and obtains a result of the calculation A (2 bits). Here, a result of raising data X that is obtained by combining X0 and X1 in this order to the fifth power in GF((2^2)^2) is A, which is expressed as below.
A=X^5 in GF((2^2)^2)
Furthermore, since the order of A divides 3 as A^3=X^15=1 in GF((2^2)^2), A is also an element in GF(2^2). Thus, A is 2-bit data. The fifth power calculation unit 141 will be described in detail later (
(3) Then, the 2-bit inverse element calculation unit 142 included in the 4-bit inverse element calculation unit 116 shown in
B=A^(−1) in GF(2^2)
The 2-bit inverse element calculation unit 142 will be described in detail later (
(4) Next, based on the results of the above calculations, the 2-bit multiplication units 143 and 144 included in the 4-bit inverse element calculation unit 116 shown in
Y0=X0×B in GF(2^2)
Y1=(X0+X1)×B in GF(2^2)
Then, the 4-bit inverse element calculation unit 116 outputs, as an output thereof, 4-bit data Y that is obtained by concatenating, in descending order, Y0 and Y1 obtained in the above manner.
Here, the addition in GF(2^2) is the bit-basis exclusive OR operation (the exclusive OR unit 140). The multiplication (the 2-bit multiplication units 143 and 144) in GF(2^2) is as described in detail above (the 2-bit multiplication unit 21 shown in
Next, the 2-bit inverse element calculation unit 142 that is used in the 4-bit inverse element calculation unit 116 (
<2-Bit Inverse Element Calculation Unit 142>
The 2-bit inverse element calculation unit 142 includes an exclusive OR unit 142a.
The 2-bit inverse element calculation unit 142 performs, on input data X (2 bits), the inverse element calculation in GF(2^2), and outputs a result of the calculation Y (2 bits), which is expressed as below.
Y=X^(−1) in GF(2^2)
The 2-bit inverse element calculation unit 142 divides a higher-order 1 bit and a lower-order 1 bit of X as X0 and X1, respectively, and obtains Y0 and Y1 through the following equations.
Y0=X0
Y1=X1+X0
2-bit data Y that is obtained by combining Y0 and Y1 in this order is outputted.
Next, the randomized 4-bit inverse element calculation unit 114 that is used in the randomized 8-bit inverse element calculation unit 101 (
<Randomized 4-Bit Inverse Element Calculation Unit 114>
The randomized 4-bit inverse element calculation unit 114 (
The randomized 4-bit inverse element calculation unit 114 generates output data Y (4 bits) by performing randomized 4-bit inverse element calculation processing on input data X using a random number R (4 bits). The input data X here corresponds to the input data D to the randomized 4-bit inverse element calculation unit 114 in the description (
It is to be noted that the processing performed by the randomized 4-bit inverse element calculation unit 114 is nothing but processing for generating a processing result Y=M^(−1)(+)R^(−1) by performing, on input data X=M(+)R, an inverse element calculation in the composite field GF((2^2)^2), the processing result being obtained by masking M^(−1) with a mask value R^(−1), the input data being obtained by masking M with a mask value R. M^(−1) is an inverse element of M in GF((2^2)^2), and the mask value R^(−1) is an inverse element of R in GF((2^2)^2).
<Fifth Power Calculation Units 141, 150, and 152>
The fifth power calculation unit 141X includes 2-bit multiplication units 150b to 150d and exclusive OR units 150a and 150e. Here, the 2-bit multiplication units 150b to 150d each have the same configuration as the 2-bit multiplication unit 21 shown in
The fifth power calculation unit 141X (the fifth power calculation units 141, 150, and 152) performs, on input data X0 (2 bits) and X1 (2 bits), fifth power calculation processing in GF((2^2)^2), and outputs output data Y (2 bits). The input data X0 and X1 here correspond to X0 and X1 in the description (
In addition, when 4-bit data that is obtained by concatenating the input data X0 and X1 in this order is X, the output data Y is expressed as below.
Y=X^5 in GF((2^2)^2)
Here, as Y^3=X^15=1 in GF((2^2)^2), an order of Y is 3, and Y is an element in GF(2^2). Thus, Y becomes 2-bit data.
It is to be noted that since a flow of the processing performed by the fifth power calculation unit 141X (the fifth power calculation units 141 (
<2-Bit Correction Term Calculation Unit 151>
The 2-bit correction term calculation unit 151 includes the 2-bit multiplication units 151a and 151b (
The 2-bit correction term calculation unit 151 performs, on input data X0 (2 bits), X1 (2 bits), R0 (2 bits), and R1 (2 bits), correction term calculation processing in GF((2^2)^2), and outputs output data B (2 bits). The input data X0, X1, R0, and R1 here correspond to X0, X1, R0, and R1 in the description (
Here, since a flow of processing performed by the 2-bit correction term calculation unit 151 is basically the same as that of the processing performed by the above-mentioned 4-bit correction term calculation unit 111 (
<Fourth Power Calculation Units 155 and 157>
The fourth power calculation unit 155X includes an exclusive OR unit 155a.
The fourth power calculation unit 155X performs, on input data X (4 bits), fourth power calculation in a composite field GF((2^2)^2), and outputs a result of the calculation Y (4 bits). A result of performing, on the input data X, the fourth power calculation in the composite field GF((2^2)^2) is Y, which is expressed as below.
Y=X^4 in GF((2^2)^2)
Moreover, the input data X here corresponds to either the data X or R in the description (
Then, the fourth power calculation unit 155X divides, for every 2 bits from the high order, the input data X into X0 and X1, and obtains Y0 and Y1 by performing the following calculations in GF(2^2).
Y0=X0
Y1=X0+X1 in GF(2^2)
Here, the addition in GF(2^2) is a bit-basis exclusive OR operation (the exclusive OR unit 155a). The fourth power calculation unit 155X generates 4-bit data Y by concatenating the obtained Y0 and Y1 in this order. Y becomes the output data of the fourth power calculation units 155 and 157.
<2-Bit Output Calculation Units 158 and 159>
The 2-bit output calculation unit 158X includes the 2-bit multiplication units 158a, 158b, and 158d (
The 2-bit output calculation unit 158X performs, on input data E (2 bits), G (2 bits), F (2 bits), and H (2 bits), 2-bit output calculation processing, using each of the above components, and generates output data Y. The input data E, G, F, and H here correspond to the input data E, G, F0, and H0 to the 2-bit output calculation unit 158 and to the input data E, G, F1, and H1 to the 2-bit output calculation unit 159, respectively, the input data E, G, F0, F1, H0, and H1 being in the description (
Y=E×F+G×F+E×H in GF(2^2)
Here, the addition in GF(2^2) is the bit-basis exclusive OR operation (the exclusive OR units 158c and 158e). Multiplication (the 2-bit multiplication units 158a, 158b, and 158d) in GF(2^2) is the same as the multiplication performed by the 2-bit multiplication unit 21 (
<Randomized 2-Bit Inverse Element Calculation Unit 154>
The randomized 2-bit inverse element calculation unit 154 includes an exclusive OR unit 154c.
The randomized 2-bit inverse element calculation unit 154 generates output data Y (2 bits) by performing randomized 2-bit inverse element calculation processing on input data X (2 bits) using the exclusive OR unit 154c. The input data X here corresponds to the input data D to the randomized 2-bit inverse element calculation unit 154 (
Y0=X0
Y1=X0+X1 in GF(2^2)
Here, the addition in GF(2^2) is an exclusive OR operation (the exclusive OR unit 154c). Data Y that is obtained by combining Y0 and Y1 in descending order is outputted.
It is to be noted that the processing of the randomized 2-bit inverse element calculation unit 154 is nothing but processing for generating a processing result Y=M^(−1)(+)R^(−1) by performing, on input data X=M(+)R, the inverse element calculation in the field GF(2^2), the processing result being obtained by masking M^(−1) with a mask value R^(−1), the input data being obtained by masking M with a mask value R. M^(−1) is an inverse element of M in GF(2^2), and the mask value R^(−1) is an inverse element of R in GF(2^2). Since the inverse element calculation in GF(2^2) is the squaring Y0=X0, Y1=X0+X1, which is linear, no random number input is needed for this unit.
Next, the random number update unit 17 (
<Random Number Update Unit 17>
The random number update unit 17 includes a composite field conversion unit 170, an 8-bit inverse element calculation unit 171, and an extension field conversion and matrix conversion unit 172.
The random number update unit 17 performs random number update processing on an input random number X (input data X) (8 bits), and outputs an updated random number Y as output data. The input data X here corresponds to the input random number Rn (8 bits) in the description (
(1) First, the composite field conversion unit 170 divides, for every 1 bit from the high order, the input data X into X7, X6, . . . , X0, and obtains A7, A6, . . . , A0 by performing the matrix calculation of the above-mentioned Equation 1. Then, the composite field conversion unit 170 generates 8-bit data A that is obtained by concatenating, in descending order, A7, A6, . . . , A0.
(2) Next, the 8-bit inverse element calculation unit 171 obtains B (8 bits) by performing, on A generated in the above (1), inverse element calculation processing in GF(((2^2)^2)^2), which is expressed as below.
B=A^(−1) in GF(((2^2)^2)^2)
The inverse element calculation processing in GF(((2^2)^2)^2) will be described in detail later.
(3) Then, the extension field conversion and matrix conversion unit 172 divides, for every 1 bit from the high order, B calculated in the above (2) into B7, B6, . . . , B0, and obtains Y7, Y6, . . . , Y0 by performing the matrix calculation of the above-mentioned Equation 2.
Then, the extension field conversion and matrix conversion unit 172 outputs, as output data of the random number update unit 17, 8-bit data Y that is obtained by concatenating, in this order, Y7, Y6, . . . , Y0 that have been obtained in the above manner.
Next, the 8-bit inverse element calculation unit 171 that is used in the random number update unit 17 will be described in detail.
<8-Bit Inverse Element Calculation Unit 171>
The 8-bit inverse element calculation unit 171 (
The 8-bit inverse element calculation unit 171 performs, on input data X (8 bits), an inverse element calculation in GF(((2^2)^2)^2), and generates output data Y (8 bits) that is a result of the calculation, which is expressed as below.
Y=X^(−1) in GF(((2^2)^2)^2)
The input data X here corresponds to the input data A to the 8-bit inverse element calculation unit 171 in the description (
(1) The 8-bit inverse element calculation unit 171 first divides, for every 4 bits from the high order, the input data X into X0 and X1. Then, the 8-bit inverse element calculation unit 171 inputs, to the exclusive OR unit 171a, the seventeenth power calculation unit 171b, and the 4-bit multiplication unit 171d, X0 that is obtained by the division. Furthermore, the 8-bit inverse element calculation unit 171 inputs, to the exclusive OR unit 171a and the seventeenth power calculation unit 171b, X1 that is obtained by the division.
(2) Then, the seventeenth power calculation unit 171b performs, on X0 and X1 that are inputted thereto, a seventeenth power calculation in GF(((2^2)^2)^2), and obtains a result of the calculation A (4 bits). A is the result of raising, to the seventeenth power in GF(((2^2)^2)^2), data X (8 bits) that is obtained by combining X0 and X1 in this order, which is expressed as below.
A=X^17 in GF(((2^2)^2)^2)
In addition, since the order of A divides 15 as A^15=X^255=1 in GF(((2^2)^2)^2), A is an element in GF((2^2)^2). Thus, A is 4-bit data. Details of the seventeenth power calculation unit 171b are the same as those of the above-mentioned seventeenth power calculation unit 110X (
(3) Next, the 4-bit inverse element calculation unit 171c (
B=A^(−1) in GF((2^2)^2)
Details of the 4-bit inverse element calculation unit 171c are the same as those of the above-mentioned 4-bit inverse element calculation unit 116 (
(4) Then, the 8-bit inverse element calculation unit 171 causes the 4-bit multiplication units 171d and 171e to obtain the following Y0 (4 bits) and Y1 (4 bits), respectively, through the following calculations, using B (4 bits) generated in the above (3) and X0 and X1 that are obtained by the division in the above (1).
Y0=X0×B in GF((2^2)^2)
Y1=(X0+X1)×B in GF((2^2)^2)
Then, the 8-bit inverse element calculation unit 171 outputs, as an output thereof, 8-bit data Y that is obtained by concatenating Y0 and Y1 in descending order.
Addition in GF((2^2)^2) is a bit-basis exclusive OR operation (the exclusive OR unit 171a). The multiplication (the 4-bit multiplication units 171d and 171e) in GF((2^2)^2) is as described in detail above (the 4-bit multiplication unit 20 shown in
As seen above, all of the details of the operations of the encryption device 1 have been described.
Next, that the randomized S-boxes 120a to 120p (
<Principle of Randomized 8-Bit Inverse Element Calculation Unit 101>
The randomized 8-bit inverse element calculation unit 101 (
An output value A of the seventeenth power calculation unit 110 (
Here, since GF(((2^2)^2)^2) is the quadratic extension of GF((2^2)^2) by the irreducible polynomial x^2+x+1100 (binary digit), when α is a root of x^2+x+1100 (binary digit)=0, M and R can be expressed as below.
M=M0×α+M1
R=R0×α+R1
M^16×R+M×R^16 can be calculated, using the nature of the extension field and the like, as below.
The above calculation is equal to X0×R1+X1×R0 in the processing of the randomized 8-bit inverse element calculation unit 101 shown in
A=M^17+R^17+X0×R1+X1×R0
In the meantime, since the 4-bit correction term calculation unit 111 (
As described later, the randomized 4-bit inverse element calculation unit 114 outputs an output E=M^(−17)+R^(−17) with respect to an input D=M^17+R^17, C=R^17. This is equal to the following calculations being separately performed by the 4-bit output calculation units 118 and 119 for every higher-order 4 bits and lower-order 4 bits.
Calculating the above equation results in Y=M^(−1)+R^(−1), and it becomes obvious that the randomized 8-bit inverse element calculation unit 101 converts X=M+R into Y=M^(−1)+R^(−1).
Since the randomized 4-bit inverse element calculation unit 114 (
As stated above, that the randomized 8-bit inverse element calculation unit 101 converts the element X=M+R in the composite field GF(((2^2)^2)^2) into Y=M^(−1)+R^(−1) has been described.
<Operating Principle of Randomized S-Boxes 120a to 120p>
Next, an operating principle of the randomized S-boxes 120a to 120p (
Next, as described earlier, the randomized 8-bit inverse element calculation unit 101 generates B=T(M)^(−1)+T(R)^(−1) (OD8t=T1(V8t)^(−1)+T1(Rt)^(−1) in
C=Mat(M^(−1))+Mat(R^(−1))
(Mat(V8t^(−1))+Mat(R^(−1)) is outputted. Here, Mat(X) is the result of applying to X the above matrix operation, that is, the matrix calculation included in the affine transformation defined in the S-box of the AES cipher. Although the exclusive OR unit 104 (
Y={Mat(M^(−1))+01100011}+Mat(R^(−1))
The above equation corresponds to Mat(V8t^(−1))+01100011+Mat(Rt^(−1)) in
Y=S-box[M]+Mat(R^(−1))
The above equation corresponds to S-box(V8t)+Mat(Rt^(−1)) in
<Operating Principle of Encryption Device 1>
Next, it will be described that the encryption device 1 preserves the AES cipher algorithm and compatibility with it.
First, plain text data P (128 bits) is masked with a random number R0 (8 bits) in
Where an input value (that is, an original value) of the randomized Round_n 12 when the masking is not performed is M, an input X can be expressed as X=M+(R0, R0, . . . , R0) in
X=(M0, M1, . . . , M15)+(R0, R0, . . . , R0)
Here, based on the above description of the operating principle of the randomized S-boxes 120a to 120p, an output Y of the randomized SubBytes 120 can be expressed as Y=(S-box[M0], S-box[M1], . . . , S-box[M15])+(Mat[R0^(−1)], Mat[R0^(−1)], . . . , Mat[R0^(−1)]). In other words,
Y=SubBytes(M)+(Mat[R0^(−1)], Mat[R0^(−1)], . . . , Mat[R0^(−1)])
Stated differently, the output data of the randomized SubBytes 120 has been masked with (Mat[R0^(−1)], Mat[R0^(−1)], . . . , Mat[R0^(−1)]). Next, it follows that a ShiftRows processing result and a MixColumn processing result whose output data are masked with (Mat[R0^(−1)], Mat[R0^(−1)], . . . , Mat[R0^(−1)]) are obtained when the ShiftRows 121 and the MixColumn 122 perform, on their respective inputs, the ShiftRows processing and the MixColumn processing defined in the AES cipher algorithm. Thus, when the input value of the randomized Round_n 12 is masked with R0, the output value of the randomized Round_n 12 is outputted masked with Mat[R0^(−1)]. Consequently, when the processing of the randomized Round_n 12 is performed with n=1, the input data masked with R1=Mat[R0^(−1)] is outputted as output data masked with R2=Mat[R1^(−1)]. It is to be noted that the processing Mat[R0^(−1)] and Mat[R1^(−1)] is nothing but the random number update processing shown in
Moreover, as is obvious from the description of the operating principle, intermediate data in encryption processing is always masked with either the random number R0 or a value that is calculated with a predetermined operation starting from R0. Therefore, it is difficult to analyze a key in the encryption device 1 with the power analysis attack.
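The two operating principles above (a randomized S-box that turns X=M+R into Y=S-box[M]+Mat(R^(−1)), and the round mask update R(t+1)=Mat[Rt^(−1)]) can be checked in working code. The following is an added example, not code from the patent: it computes the masked inverse through the same exponent tower 17, 5, 3 that the 8-bit, 4-bit and 2-bit randomized units use, but, as an assumption, in the standard AES polynomial basis rather than the page's composite field, so the cross terms appear as X^16·R+X·R^16 instead of the half-word form X0×R1+X1×R0; all sample values are constructed.

```python
# Added example (not the patent's code): masked AES S-box realizing the
# page's identity Y = S-box[M] + Mat(R^-1) for X = M + R, with the inverse
# taken through the exponent tower 17 -> 5 -> 3. Assumption: standard AES
# polynomial basis, so cross terms read X^16*R + X*R^16 (not X0*R1+X1*R0).

AES_POLY, AES_CONST = 0x11B, 0x63   # x^8+x^4+x^3+x+1 and 01100011 (binary)

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(a):  # plain inverse (0 -> 0 as in AES); used on masks and checks only
    return gf_pow(a, 254)

def mat(x):
    """Linear part Mat(x) of the AES affine map: x + rotl1 + ... + rotl4."""
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4)

def masked_inverse(x, r):
    """Return M^-1 + R^-1 from X = M + R and R without ever forming M."""
    # 8-bit level: (M+R)^17 = M^17+R^17 + (M^16 R + M R^16); the cross term
    # equals X^16 R + X R^16, so D = M^17 + R^17 lies in GF(16), mask C = R^17.
    x16, r16 = gf_pow(x, 16), gf_pow(r, 16)
    d = gf_pow(x, 17) ^ gf_mul(x16, r) ^ gf_mul(x, r16)
    c = gf_pow(r, 17)
    # 4-bit level: same identity with exponent 5; F = M^85 + R^85 in GF(4).
    d4, c4 = gf_pow(d, 4), gf_pow(c, 4)
    f = gf_pow(d, 5) ^ gf_mul(d4, c) ^ gf_mul(d, c4)
    g = gf_pow(c, 5)
    # 2-bit level: in GF(4) z^-1 = z^2, and squaring is linear over GF(2),
    # so E4 = M^-85 + R^-85 is just F^2 and its mask is G^2.
    e4, g_inv = gf_mul(f, f), gf_mul(g, g)
    # Output calculation units: M^-17 = M^68 (M^85)^-1, done in masked form
    # as D^4 (E4 + G^-1) + C^4 E4 = M^-17 + R^-17, then M^-1 = M^16 (M^17)^-1.
    e8 = gf_mul(d4, e4 ^ g_inv) ^ gf_mul(c4, e4)
    return gf_mul(x16, e8 ^ gf_inv(c)) ^ gf_mul(r16, e8)

def masked_sbox(x, r):
    """Randomized S-box: (Y, R') with Y = S-box[M] + R' and R' = Mat(R^-1)."""
    return mat(masked_inverse(x, r)) ^ AES_CONST, mat(gf_inv(r))

def sbox(m):  # reference unmasked AES S-box, for checking only
    return mat(gf_inv(m)) ^ AES_CONST

def mask_chain(r0, rounds):
    """Round mask update R(t+1) = Mat[Rt^-1] from the operating principle."""
    masks = [r0]
    for _ in range(rounds):
        masks.append(mat(gf_inv(masks[-1])))
    return masks
```

Unmasking with the returned R' recovers S-box[M] for every byte M and every mask R, including R=0 and M=0, which is the compatibility property the text argues for.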
Plain text U is inputted to the encryption unit 1a (
Here, a symbol Vt (t=1 to 11) shown in
The random number temporary storage unit 16 (
IAt=Vt+{Rt, Rt, . . . , Rt} (B or D in
IBt=IAt=Vt+{Rt, Rt, . . . , Rt} (X in
8-bit IC8t=IB8t=V8t+Rt (one of X[0], X[1], . . . , X[15] in
ID8t=T1(IC8t)+T1(Rt) that is based on the above IC8t inputted to the randomized S-Box 121X and RDt=T1(Rt) (S in
Here, the randomized S-Box 121X (
Then, the randomized SubBytes 120X (
Accordingly, the randomized Round_t 12X calculates, from the outputted OBt, OAt=V(t+1)+{R(t+1), R(t+1), . . . , R(t+1)} by, for example, performing the ShiftRows processing, and feeds the calculated OAt back to the randomized Round_t 12X as the randomized input data IAt of the next round, that is, the (t+1)th round.
As a result, OAt=OA10=V11+{R11, R11, . . . , R11} is inputted to the unmask processing unit 14 by the randomized Round_t 12X when t=10 and a random number R11 (E in
As described above, the encryption device 1 generates the encrypted text C (
Furthermore, in the encryption device 1, the randomized 8-bit inverse element calculation unit 101 includes: the seventeenth power calculation units 110 and 112 (
Here, the “other components” include: the sixteenth calculation units 115 and 117 which generate the second exponentiation randomized input data (F in
Moreover, the encryption device 1 performs the Advanced Encryption Standard (AES) cipher encryption processing on the plain text U and generates the encrypted text C with the AES cipher. The inverse element T1(V8t)^(−1) of the input data is the result of applying, to the input data T1(V8t), the inverse calculation, which is one of the two steps (the inverse calculation followed by the affine transformation) that together are equivalent to the S-box table of the AES cipher.
For this reason, the encryption device 1 can perform the inverse element calculation for the AES cipher encryption due to its simple structure and the smaller number of logical steps, and further perform the AES cipher encryption processing.
In addition, the encryption device 1 further includes a mask value generation unit (the random number update unit 17 and the composite field conversion unit 103 (
This allows an input mask value to be generated in the encryption device 1, which simplifies a system configuration.
Furthermore, in the encryption device 1, the mask input data generation unit includes: the first component (the mask processing unit 10 (
It is to be noted that here, in the encryption device 1, the first component (the mask processing unit 10 (
It is to be noted that the mask value generation unit includes: a holding unit (the random number temporary storage unit 16 (
Accordingly, since the random number Rt is held, the (t+1)th input mask value is calculated from the held random number Rt through simple processing, and each of input mask values can be calculated through the simple processing.
It is to be noted that the “random number generation unit” recited in CLAIMS may correspond to, for instance, all of the random number generation unit 15, the random number temporary storage unit 16, and the random number update unit 17. In this case, the “mask value generation unit” recited in CLAIMS may be thought to correspond not to the random number update unit 17 and the composite field conversion unit 103 as described above but to only the composite field conversion unit 103.
It is to be noted that the encryption device 1 may include an integrated circuit which includes circuits achieving each of the above components, and the integrated circuit may execute the above-mentioned method by causing each component to perform the above-mentioned functions.
<Decryption Device 3>
and, in an extension field conversion unit 302 also shown in
is used.
Accordingly, the decryption device 3 which generates decrypted text from encrypted text using a key, the decryption device 3 being structured to include: a random number generation unit 35 (
<Estimation of Maximum Number of Logical Steps>
The maximum number of logical steps of the randomized 8-bit inverse element calculation unit 101 (
A critical path of the randomized 8-bit inverse element calculation unit 101 is as follows in
The seventeenth power calculation unit 110 → the exclusive OR unit 113 → the randomized 4-bit inverse element calculation unit 114 → the 4-bit output calculation unit 118
A critical path of the 4-bit output calculation unit 118 that is on the above critical path is as follows (
The 4-bit multiplication unit 118a → the exclusive OR unit 118c → the exclusive OR unit 118e
Moreover, a critical path of the randomized 4-bit inverse element calculation unit 114 that is on the path shown in
The fifth power calculation unit 150 → the exclusive OR unit 153 → the randomized 2-bit inverse element calculation unit 154 → the 2-bit output calculation unit 158
A critical path of the 2-bit output calculation unit 158 that is shown in
The 2-bit multiplication unit 158a → the exclusive OR unit 158c → the exclusive OR unit 158e
A critical path of the randomized 2-bit inverse element calculation unit 154 that is on the critical path shown in
The exclusive OR unit 154c
Therefore, the maximum number of logical steps in the randomized 8-bit inverse element calculation unit 101 (
Seventeenth power calculation×1 time
Fifth power calculation×1 time
4-bit multiplication×1 time
2-bit multiplication×1 time
Exclusive OR operation×7 times
It is to be noted that, here, “7 times” in the above “Exclusive OR operation×7 times” is obtained through the following calculation: 7=1+2+1+2+1. In other words, the number of times the exclusive OR operation is performed is reduced by 11 times compared to the randomized 8-bit inverse element calculation unit 81 (
(Modification)
It is to be noted that although the cipher to be protected from the power analysis attack is the AES cipher in the present embodiment, such a cipher is not limited to the AES cipher. The present embodiment can be applied to any encryption scheme in which an inverse element calculation is used in the encryption processing, or in which a table conversion used in the encryption processing can be constructed from an inverse element calculation. Another example of such encryption schemes is the Camellia cipher described in ISO/IEC 18033-3:2005, “Information technology—Security techniques—Encryption algorithms—Part 3: Block ciphers” (Non-patent Reference 3).
Furthermore, even in the case where the functions of the above embodiment are implemented in software, since it is unnecessary to hold a conversion table as a matrix, the above embodiment saves code size as the conventional techniques do, and reduces encryption processing time more than the conventional techniques.
Moreover, although the above embodiment has described a case where the whole processing is implemented in an operational circuit, a part of the processing may be implemented as the conversion table. For instance, in the case of the randomized 4-bit inverse element calculation unit 114, the randomized 4-bit inverse element calculation unit 114 may be implemented in a matrix Inv4[16] that includes 4 bits×16 elements, and a 4-bit output may be outputted as Inv4[X] with respect to a 4-bit input X.
It is to be noted that although the present invention has been described based on the above embodiment, the present invention is not obviously limited to the above embodiment. The present invention includes the following cases.
(1) Each of the aforementioned devices is specifically a computer system including a microprocessor, a ROM, a RAM, a hard disk unit, a display unit, a keyboard, a mouse, and so on. A computer program is stored in the RAM or hard disk unit. Each device achieves its functions through the microprocessor's operation according to the computer program. Here, the computer program is configured by combining plural instruction codes indicating instructions for a computer, so as to achieve predetermined functions.
(2) A part or all of the components included in each device may be configured from a single system large-scale integration (LSI). The system LSI is a super-multifunctional LSI manufactured by integrating components on one chip, and is specifically a computer system configured by including a microprocessor, a ROM, a RAM, and so on. A computer program is stored in the RAM. The system LSI achieves its functions through the microprocessor's operation according to the computer program.
(3) A part or all of the components included in each device may be configured as an IC card which can be attached to and detached from each device or as a stand-alone module. The IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and so on. The IC card or the module may also be included in the super-multifunctional LSI. The IC card or the module achieves its functions through the microprocessor's operation according to a computer program. The IC card or the module may also have tamper-resistance.
(4) The present invention may be the aforementioned methods. In addition, the present invention may be a computer program for realizing these methods or may be a digital signal including the computer program.
Furthermore, the present invention may also be realized by storing the computer program or the digital signal in a computer-readable recording medium such as a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, a DVD-ROM, a DVD-RAM, a BD (Blu-ray Disc), and a semiconductor memory. Moreover, the present invention also includes the digital signal recorded in these recording media.
In addition, the present invention may also be realized by transmitting the computer program or the digital signal via a telecommunication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, and so on.
Furthermore, the present invention may also be a computer system including a microprocessor and a memory, in which the memory stores the computer program and the microprocessor operates according to the computer program.
Moreover, another independent computer system may perform execution by transferring the computer program or the digital signal that are recorded on the recording medium or by transferring the computer program or the digital signal via the network and so on.
(5) It is to be noted that the mask value generation unit may generate, in parallel with a calculation, performed by the randomized 8-bit inverse element calculation unit 101 (
(6) In addition, the present invention may adopt the following aspect.
To put it differently, the present invention may adopt an aspect of an encryption processing program which is an encryption processing program used in a computer for generating encrypted text by performing predetermined encryption processing on plain text based on a key, the encryption processing program causing the computer to execute the following information processing: generating a random number; and receiving randomized input data and an input randomized mask value to perform an inverse element calculation in the first finite field, and generating randomized output data, wherein the randomized input data is a value that is masked by adding the input mask value and input data, the randomized output data is a value that is masked by adding an output mask value and output data, the input mask value is a value determined depending on the random number, the output data is an inverse element of the input data in the first finite field, and the output mask value is an inverse element of the input mask value in the first finite field.
Furthermore, the present invention may take the following aspect. Stated differently, the present invention may adopt an aspect of a computer program which is a computer program used in a computer for generating encrypted text from plain text using a key, the computer program causing the computer to execute: generating a random number; receiving the plain text and generating randomized input data that is obtained by adding, to input data that is obtained by performing predetermined processing on the plain text, a predetermined input mask value determined depending on the random number; receiving the randomized input data generated in the receiving the plain text and generating the randomized input data and the input mask value, and generating randomized output data that is obtained by adding, to an inverse element of the input data in the first finite field, an output mask value that is a predetermined inverse element of the received input mask value in the first finite field; and receiving the randomized output data generated in the receiving the randomized input data and the mask value and generating the randomized output data, and generating the encrypted text from the received randomized output data.
It is to be noted that the encryption processing program and the computer program each may be executed by a multiprocessor or the like which executes mutually different processes in parallel, and in this case, the computer program may cause the computer to generate the input mask value in parallel with generation of the randomized output data from the randomized input data.
(7) The above embodiment and the above modifications may be combined respectively.
Characterized by reducing encryption processing amount more than the conventional techniques while preventing the power analysis attack, the encryption device according to the present invention is useful for realizing an encryption device of which a high processing speed and low manufacturing costs are required.
Number | Date | Country | Kind |
---|---|---|---|
2007-143242 | May 2007 | JP | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/JP2008/001304 | 5/26/2008 | WO | 00 | 6/2/2009 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2008/146482 | 12/4/2008 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
6295606 | Messerges et al. | Sep 2001 | B1 |
Number | Date | Country |
---|---|---|
1 596 278 | Nov 2005 | EP |
2007-235913 | Sep 2007 | JP |
2005109183 | Nov 2005 | WO |
Number | Date | Country |
---|---|---|
20100086126 A1 | Apr 2010 | US |