JP2008233683A - Cryptographic processing apparatus and program - Google Patents

Abstract

An object of the present invention is to prevent a mask value for a round key arrangement from becoming zero and reduce the complexity of mask management.
The mask state of the first column of the S box input protection mask, the S box output protection mask, and the round key protection mask is selected from seven types of mask states, and the mask state of the S box output protection mask and the first column are selected. And the mask state of the second column of the round key protection mask different from the “masked state of the S box output protection mask and the result of the exclusive OR of the mask state of the first column”. Select the state, select the mask states of the third and fourth columns, calculate the mask states from the first column to the fourth column after updating the round key, and this mask state includes the prohibited state “000” If not, the basic mask values are exclusively ORed with each selected mask state to calculate a combined mask value corresponding to each mask state.
[Selection] Figure 5

Description

  The present invention relates to a cryptographic processing apparatus and program, and more particularly to a cryptographic processing apparatus and program that can improve resistance to decryption by power analysis.

  In general, a personal computer is widely known as a computer that performs encryption processing such as data encryption and authentication, and is also called a smart card or IC card, and is a card-shaped device equipped with an IC module. It has been known.

  For this type of encryption processing, DES (data encryption standard) and triple DES (for example, see Non-Patent Document 1) and AES (advance encryption standard) listed in Non-Patent Document 2 (for example, non-patent) A common key encryption algorithm such as Reference 2) or an arbitrary public key encryption algorithm is used.

  As a decryption method for these encryption techniques, there is a technique for recovering secret information such as plaintext and secret key from available information such as ciphertext. In such cryptanalysis technology, whether or not the secret key can be recovered is often used as an index for security evaluation. Information used for decryption is not limited to information that can be obtained, such as ciphertext, but information using a key whose value is different from the secret key to be specified can also be used. In other words, in order to specify an important secret key value, a decryption technique is also conceivable in which a user uses a cryptographic processing device with an arbitrary combination of keys and specifies a target secret key from the obtained information.

  As an example of this decoding technique, a power analysis attack is known (for example, see Non-Patent Document 3). The power analysis attack focuses on the fact that the hardware or software of the cryptographic processing device installed in a device such as a personal computer or IC card has a correlation between the content of the cryptographic processing and the power consumption. This is a method for estimating internal secret key and plaintext information from information. The power analysis includes simple power analysis (hereinafter referred to as SPA) and differential power analysis (hereinafter referred to as DPA). SPA is a method for extracting the characteristics of power consumption of cryptographic processing and using it for decryption, and DPA is a method for decrypting by using a difference or correlation between power consumption during cryptographic processing slightly different for each data.

  Conventional countermeasures for power analysis include a method of disturbing the measurement of power consumption for cryptographic processing with a noise generator and degrading measurement accuracy, and a difficulty in measuring fluctuations in power consumption related to processing by improving transistors and wiring Proposals have been made to reduce the level to a certain level and to make the decryption difficult by power analysis by taking measures to implement the cryptographic algorithm.

  A so-called masking method is widely known as a method for taking measures against the implementation of a cryptographic algorithm (for example, see Non-Patent Document 4). The masking method focuses on the principle of power analysis that uses the correlation between processing content and power consumption, and applies a random number R called a mask to the data to be processed, thus disturbing power consumption and making analysis difficult. is there. Specifically, the cryptographic processing apparatus disturbs power consumption by cryptographically processing internal data D ′ = D xor R obtained by exclusive OR (XOR) the random number R with the internal data D. . Further, in non-linear replacement called S box (hereinafter also referred to as S-box), a replacement table modified by applying a mask to input and output is used.

  Note that the masking method is not limited to the mask method, for example, a method using addition / subtraction, or a method that uses redundant expressions for internal data and replaces some bits with random numbers to disturb the correlation between encryption processing and power consumption. There are also.

  In the field of decryption, as a concept including a power analysis attack for observing power consumption, an attack method for observing information related to cryptographic processing such as power consumption is collectively referred to as a side channel attack. Observed information is also called side channel information, and in addition to power consumption, there are various things such as slight fluctuations in processing time, fluctuations in heat dose emitted from devices, radiated electric and magnetic fields, etc. is there.

  In addition, the masking method conceals the internal data and disturbs the side channel information, so it is effective as a countermeasure against a failure-use attack or differential failure-use attack that obtains side channel information from the result of malfunctioning the cryptographic processor. In some cases.

  Such a masking method can be applied to DES and triple DES relatively easily. For example, in DES and triple DES, the key schedule unit that generates a subkey from a secret key does not perform an operation between bits, and once applied with a mask, it remains applied until it is intentionally removed. Mask management is easy. On the other hand, the data encryption unit that calculates the ciphertext by applying the subkey to the plaintext uses 8 different S-boxes, but each has 6-bit input and 4-bit output, and the scale is small. It is easy to apply a masking method using a mask with different random numbers.

  However, in the case of AES, which is the successor technology of DES and Triple DES, mask management becomes complicated due to the circuit scale or the complexity of increase and control of resources used in both the key schedule unit and the data encryption unit. There's a problem.

(General AES encryption processing: FIG. 21)
FIG. 21 is a flowchart for explaining a general encryption process by the AES encryption method. Now, in the cryptographic processing apparatus, it is assumed that the AES encryption processing program is started by the operator's operation and the round key stored in the nonvolatile memory is written in the round key array (ST1). In the cryptographic processing apparatus, it is assumed that an encryption request is input after 128-bit plaintext data is written in the RAM (ST2) by an operator's operation.

  Upon receiving this encryption request, the cryptographic processing apparatus sets the number of stages (number of rounds) N to 1 (ST3), and starts the N-th stage encryption process as an iterative process based on the specifications of the AES encryption method. (ST4). In the AES encryption method, 10 iterations are executed for a 128-bit key, 12 iterations are executed for a 192-bit key, and 14 iterations are executed for a 256-bit key. Execute. A unit of repeated processing is generally called a “stage” or “round”.

  In the one-stage process, the cryptographic processing apparatus executes a key addition (AddRoundKey) process for adding the round key in the round key array to the stored contents of the internal state array (ST5).

  After the key addition process, the cryptographic processing device executes a byte substitution conversion (SubByte) process with reference to the S box for the storage contents of the internal state array of 4 rows and 4 columns, and obtains 16 byte substitution conversion results. If obtained (ST6), the byte substitution conversion result is written into the internal state array of the RAM.

  Subsequently, the cryptographic processor rearranges (ShiftRow) the stored contents of the internal state array (ST7), and executes a mix column conversion process for each row of the obtained internal data (ST8).

  When the mixed column conversion process is executed for all the columns, the cryptographic processing apparatus ends the N-th stage encryption process (ST9), increments the number of stages N by 1 (ST10), and is defined in the specifications of the AES encryption method. It is determined whether or not it is the last stage (ST11). If it is not the last stage, the process returns to step ST4 and the encryption process is repeated.

  On the other hand, in the last stage, after executing the round key update and key addition processing, the obtained ciphertext data is output and the encryption processing is terminated.

  The above is a general AES encryption processing procedure, but the processing order can be changed within a range that does not contradict data consistency. For example, steps ST1 and ST2 can be interchanged.

  Further, the decryption process by the AES encryption method is executed in the reverse procedure while performing the reverse conversion in each part of the flowchart shown in FIG. 21, and outputs the plaintext corresponding to the input key and the ciphertext.

  Next, the round key update process of the AES encryption process with the key lengths of the 128-bit key, the 192-bit key, and the 256-bit key will be described with reference to FIGS.

(128-bit key update processing: FIG. 22)
The cryptographic processing apparatus writes a 128-bit key to a 4 × 4 round key array (ST21), sets the number of stages N to 1 (ST22), and starts updating the Nth round key (ST23). .

  The cryptographic processing device performs the reordering (RotWord) processing defined in the AES specification on the 4th byte in the fourth column of the round key array, the byte substitution (SubByte) processing based on the S box information, and the XOR (exclusive logic) with the key constant. (Sum operation) processing is executed to create a work variable V (ST24).

  Thereafter, the cryptographic processing apparatus performs XOR processing on the work variable V in the first column of the round key array and updates the 4 bytes in the first column (ST25). Then, the cryptographic processing apparatus performs XOR processing on the updated 4 bytes of the first column to the second column of the round key array to update the second column (ST26), and thereafter, in the same manner, the updated 2 bytes The fourth byte of the column is XORed to the third column to update the third column (ST27), and the updated fourth byte of the third column is XORed to the fourth column to update the fourth column. (ST28).

When the XOR process is executed on all the columns, the cryptographic processing apparatus ends the N-th stage encryption process (ST29), increments the number N of stages by +1 (ST30), and ends with the last specified in the specification of the AES encryption method. It is determined whether or not it is a stage (ST31). If it is not the last stage, the process returns to step ST23 to repeat the round key update process.
On the other hand, in the last stage, the round key update process is terminated.

  The 128-bit key AES encryption process uses 10 rounds and 11 round keys. Since round key update is necessary before the second and subsequent round key uses, 10 round key updates are performed.

(192-bit key update processing: FIG. 23)
The cryptographic processing apparatus writes a 192-bit key to a 4 × 6 round key array (ST41), sets the number of stages N to 1 (ST42), and starts updating the Nth round key (ST43). .

  Cryptographic processing device performs rearrangement (RotWord) processing, byte substitution (SubByte) processing, XOR (exclusive OR operation) processing with key constants, as defined in the AES specification on 4 bytes in the sixth column of the round key array To create a work variable V (ST44).

  Thereafter, the cryptographic processing apparatus performs XOR processing on the work variable V in the first column of the round key array and updates the 4 bytes in the first column (ST45). Then, the cryptographic processing apparatus performs XOR processing on the updated 4 bytes of the first column to the second column of the round key array to update the second column (ST46), and thereafter, in the same manner, the updated 2 bytes The fourth byte of the column is XORed to the third column to update the third column (ST47), and the updated fourth byte of the third column is XORed to the fourth column to update the fourth column. (ST48) The 4th byte in the 4th column after the update is XORed to the 5th column to update the 5th column (ST49), and the 4th byte in the 5th column after the update is XORed to the 6th column. The sixth column is updated (ST50).

When the XOR process is executed for all the columns, the cryptographic processing apparatus ends the N-th stage encryption process (ST51), increases the number of stages N by +1 (ST52), and finally performs the final step as defined in the specification of the AES encryption method. It is determined whether or not it is a stage (ST53). If it is not the last stage, the process returns to step ST43 to repeat the round key update process.
On the other hand, in the last stage, the round key update process is terminated.

  Although the round key array is 4 rows and 6 columns, since only 4 rows and 4 columns are used in one round of AES encryption processing, round key update processing is performed twice for three rounds of encryption processing. Distribute the key.

  The 192-bit key AES encryption process uses 12 rounds and 13 round keys. The round key update is necessary before the second and subsequent round keys are used, and eight round key updates are performed.

(256-bit key update processing: FIG. 24)
The cryptographic processing apparatus writes a 256-bit key into a 4 × 8 round key array (ST61), sets the number of stages N to 1 (ST62), and starts update processing of the Nth round key (ST63). .

  Cryptographic processing device performs rearrangement (RotWord) processing, byte substitution (SubByte) processing, XOR (exclusive OR operation) processing with key constants, as defined in AES specifications on 4 bytes in the 8th column of the round key array To create a work variable V (ST64).

  Thereafter, the cryptographic processing apparatus performs XOR processing on the work variable V in the first column of the round key array and updates the 4 bytes in the first column (ST65). Then, the cryptographic processing apparatus performs XOR processing on the updated 4 bytes of the first column to the second column of the round key array to update the second column (ST66), and thereafter, in the same manner, the updated 2 bytes The 4th byte of the column is XORed to the 3rd column to update the 3rd column (ST67), the updated 3rd column is subjected to byte substitution (SubByte), and then the 4th column is XORed to The fourth column is updated (ST68), the updated fourth column is XORed to the fifth column and the fifth column is updated (ST69), and the updated fifth column is XORed to the sixth column. The sixth column is updated (ST70), the updated sixth column is XORed to the seventh column to update the seventh column (ST71), and the updated seventh column is XORed to the eighth column. The eighth column is updated by processing (ST72).

When the XOR process is executed for all the columns, the cryptographic processing apparatus ends the N-th stage encryption process (ST73), increments the number N of stages by +1 (ST74), and ends with the last specified in the specification of the AES encryption method. It is determined whether or not it is a stage (ST75). If it is not the last stage, the process returns to step ST63 to repeat the round key update process.
On the other hand, in the last stage, the round key update process is terminated.

  Although the round key array is 4 rows and 8 columns, since only 4 rows and 4 columns are used in one round of AES encryption processing, round key update processing is performed once every two rounds of encryption processing. Distribute the key.

  The 256-bit key AES encryption process uses 14 rounds and 15 round keys. The round key update is necessary after the third round and before the round key is used every two stages, and the round key update is performed seven times.

(AES encryption processing by masking method: Fig. 25)
Next, AES encryption processing using a masking method will be described.

  The encryption process using the masking method has a process (ST2-2) of adding an AES internal data protection mask to the internal state array written in step ST2 by XOR (adding) with respect to the encryption process shown in FIG. In addition to using the above-mentioned byte substitution processing (STByte ′) instead of the above-described byte substitution processing, the masked mixed column (SubByte) conversion processing (ST8) is used instead of the above-described mix column conversion processing. ') Is different from the point of having a process (ST12) of XORing (removing) the AES internal data protection mask from the encrypted data to be output.

  Note that the byte substitution processing with mask in step ST6 ′ is a process of adding an S box input protection mask of 4 rows and 4 columns by XOR (adding) and a process of removing the round row protection mask of 4 rows and 4 columns by XOR (by removal). Byte substitution processing (SubByte) processing referring to masked S box information, processing to add 4 rows and 4 columns AES internal data protection mask by XOR (by XOR), and 4 rows and 4 columns S box protection mask to XOR ( The process to be removed) is sequentially executed. Here, as shown in FIG. 26, the S box information with mask has an S box input protection mask added by XOR before the normal S box information, and an S box output protection mask is added after the S box information. It is S box information obtained by modifying normal S box information so as to be added by XOR. Note that the S mask input protection mask and the S box output protection mask use the same mask value for each element in 4 rows and 4 columns.

  In the byte substitution (SubByte) process with a mask in step ST6 ′, the S-box input protection mask of 4 rows and 4 columns is added by XOR (by) and the round key protection mask of 4 rows and 4 columns is removed by XOR (by). Processing, Byte substitution (SubByte) processing with reference to masked S box information, processing to add 4 rows by 4 columns AES internal data protection mask, and 4 rows by 4 columns S box protection mask by XOR (Removed) is sequentially executed.

  The mixed column (MixColumn) conversion process with mask in step ST8 ′ is a process of adding a 4 × 4 mix column input protection mask by XOR (by adding) and a 4 × 4 round key protection mask by XOR (by removing). Processing, mixing column (MixColumn) conversion processing, processing of adding 4 rows and 4 columns of mixed column output by XOR (processing), processing of removing 4 rows and 4 columns of AES internal data protection mask by XOR (processing 9 Are sequentially executed.

  As described above, in the AES encryption process using the masking method, the internal data is encrypted with the mask added. A mask is added to the round key in step ST1 by the masking method. Subsequently, round key update processing by this masking method will be described in the order of 128-bit key, 192-bit key, and 256-bit key.

(128-bit key update processing by masking method: FIGS. 27 and 28)
The update process of the 128-bit key by the masking method includes a process (ST21-2) of adding a round key protection mask to the round key array written in step ST21 by XOR (adding) with respect to the update process shown in FIG. In place of the work variable V creation process described above, the masked work variable V creation process (ST24 ′) is used, and the mask change process is performed after the update process for each column (ST25, ST26, ST27, ST28). (ST25-2, ST26-2, ST27-2, ST28-2).

  Note that the work variable creation process with mask in step ST24 ′ includes the process of XORing (adding) the fourth column of the S box input protection mask to the fourth column of the round key and the fourth column of the round key protection mask. Is XOR (removed) by XOR, and a process of creating one column of work variables V by byte substitution (SubByte) processing referring to masked S-box information is sequentially executed.

  The mask change process in step ST25-2 includes a process of XORing (adding) the first column of the round key protection mask with respect to the first column after updating the round key, and the first column of the S box output protection mask. XOR (removed by) is sequentially executed.

  The mask change process of step ST26-2 includes a process of adding the random number R1 to the second column after the round key is updated (XOR) and a process of removing the first column of the round key protection mask (XOR). And the process of removing the random number R1 by XOR (by removal).

  Similarly, the mask changing process in steps ST27-2 and ST28-2 includes a process of XORing (adding) a random number R (n-1) to the nth column after the round key is updated, and round key protection. The process of removing the (n−1) th column of the mask by XOR (by removal) and the process of removing the random number R (n−1) by XOR (by removal) are sequentially executed.

  As described above, in the 128-bit key update process using the masking method, the round key is updated with the mask added.

(192-bit key update processing by masking method: FIG. 29)
The update process of the 192-bit key by the masking method has a process (ST41-2) of adding a round key protection mask to the round key array written in step ST41 (by addition of XOR) with respect to the update process shown in FIG. Then, instead of the work variable V creation process described above, the masked work variable V creation process (ST44 ′) is used, and the mask change process (ST45-2) is performed after the update process (ST45 to ST50) for each column. To ST50-2).

  The work variable creation process with mask in step ST44 ′ includes XOR (adding) the sixth column of the S box input protection mask and XOR the sixth column of the round key protection mask with respect to the sixth column of the round key. The process of (removing) and the process of creating one column of work variables V by the byte substitution (SubByte) process referring to the S box information with mask are sequentially executed.

  The mask change process in step ST45-2 includes a process of XORing (adding) the first column of the round key protection mask and the first column of the S box output protection mask with respect to the first column after updating the round key. XOR (removed by) is sequentially executed.

  The mask changing process of step ST46-2 includes a process of adding the random number R1 to the second column after the round key is updated, and a process of XORing (removing) the first column of the round key protection mask. And the process of removing the random number R1 by XOR (by removal).

  Similarly, the mask changing process in steps ST47-2 to ST50-2 includes a process of adding a random number R (n-1) to the nth column after the round key update, and round key protection. The process of removing the (n−1) th column of the mask by XOR (by removal) and the process of removing the random number R (n−1) by XOR (by removal) are sequentially executed.

  As described above, in the 192-bit key update process using the masking method, the round key is updated with the mask added.

(Update processing of 256-bit key by masking method: FIG. 30)
The update process of the 192-bit key by the masking method includes a process (ST61-2) of adding a round key protection mask to the round key array written in step ST61 by XOR (adding) with respect to the update process shown in FIG. Then, instead of the work variable V creation process described above, the masked work variable V creation process (ST64 ′) is used, and the mask change process (ST65-2) is performed after the update process for each column (ST65 to ST72). To ST72-2).

  The work variable creation process with mask in step ST64 ′ includes the process of XORing (adding) the eighth column of the S box input protection mask and the XOR of the eighth column of the round key protection mask with respect to the eighth column of the round key. The process of (removing) and the process of creating one column of work variables V by the byte substitution (SubByte) process referring to the S box information with mask are sequentially executed.

  In step ST65-2, the mask change process includes a process of XORing (adding) the first column of the round key protection mask and the first column of the S box output protection mask with respect to the first column after updating the round key. XOR (removed by) is sequentially executed.

  The mask changing process of step ST66-2 is a process of adding a random number R1 to the second column after the round key is updated by XOR (adding) and a process of removing the first column of the round key protection mask by XOR (by removing). And the process of removing the random number R1 by XOR (by removal).

  Similarly, the mask changing process in steps ST67-2 to ST72-2 includes a process of adding a random number R (n-1) to the nth column after the round key is updated, and round key protection. The process of removing the (n−1) th column of the mask by XOR (by removal) and the process of removing the random number R (n−1) by XOR (by removal) are sequentially executed.

  As described above, in the 256-bit key update process using the masking method, the round key is updated with the mask added.

(Mask value by masking method)
Next, application of the masking method to the above round key will be described. FIG. 31 shows the state of the round key arrangement after adding a mask by the conventional masking method (after ST21-2). As an example, in the round key update process of the 128-bit key AES encryption process, the element in the first row and second column of the round key array is updated from y (1,2) to y ′ (1,2). y '(1,2) is updated by y' (1,2) = y (1,1) XOR y (1,2) using y (1,1) and y (1,2) The

  If a random number r (i, j) is used for the true value y (i, j) of each element in the i-th row and j-th column of the round key array by the masking method, the 1st row and the 1st column of the round key array and 1 The values with the mask of each element in the second column are y (1,1) XOR r (1,1) and y (1,2) XOR r (1,2) respectively. , Y '(1,2) XOR r (1,1) XOR r (1,2) = (y (1,1) XOR r (1,1)) XOR (y (1,2) XOR r (1 , 2)), and the result of XORing the masks of the first row and the first column and the first row and the second column before the update becomes a mask for the element of the first row and the second column after the update. Similarly, an update process is performed for each of i × j elements.

  Here, since the AES processing uses 8 bits as a processing unit, if the mask is similarly considered as 8 bits, there are 256 mask values. In the AES round key update using a 128-bit key, the above update process is performed 4 × 4 = 16 times. Assuming that the mask value is uniformly random, there is a known problem that the updated mask value becomes 0 with a probability of about 50%, according to the Parsday paradox theorem.

  As a countermeasure against this, a method is conceivable in which a mask value is calculated according to a round key update method before AES processing, and the mask value is not guaranteed to be zero. However, this method has a problem that when the mask value is selected randomly and without duplication, the mask value 0 is generated with a probability of 5 to 10% or more that cannot be ignored even if it is repeated 10 times.

  As another masking method, there is known a method in which the mask of the element in the first row and the second column is updated without changing r (1,2). In this case, y '(1,2) XOR r (1,2) = (y (1,1) XOR r (1,1)) XOR (y (1,2) XOR r (1,2) ) Calculate XOR r (1,1). In this method, the possibility that the above-described mask value becomes 0 can be considerably reduced, but one XOR operation increases when each element of the round key array is updated.

  On the other hand, in the case of AES, as described above, there is a problem that the mask management is complicated due to the circuit scale or the increase of resources used and the complexity of control. For example, the data encryption unit uses 16 8-bit input 8-bit output S boxes in one stage of processing. When masks are used with different random numbers, the circuit scale or the code size of the realized software and the amount of memory used are expected to increase. A general estimate requires 16 times the amount of memory compared to DES and triple DES. In the key schedule part, a maximum of four-stage cascade connection XOR or four-input one-output XOR operation is required.

As described above, in the case of AES, if masks using different random numbers are used, there arises a problem that management of the mask becomes complicated.
National Institute of Standards and Technology: "Data Encryption Standard (DES)", Federal Information Processing Standards 46-3, 1999 National Institute of Standards and Technology: "Advanced Encryption Standard", Federal Information Processing Standards 197, 2001 Paul Kocher, Joshua Jaffe, and Benjamin Jun, "Differential Power Analysis" in proceedings of Advances in Cryptology-CRYPTO'99, Springer-Verlag, pp.388-397, 1999 Tomas Messerges, "Securing the AES Finalists Against Power Analysis Attacks," in proceedings of Fast Software Encryption Workshop 2000, Springer-Verlag, 2000. ISO / IEC 10118-3 “WHIRLPOOL”, English Wikipedia, http://en.wikipedia.org/wiki/WHIRLPOOL

  As described above, when the conventional masking method is applied to the AES encryption method as it is, there arises a problem that the mask value for the round key arrangement becomes 0 and the mask management becomes complicated. Such a problem is not limited to the AES encryption method, but, for example, in a Whirlpool having an 8 × 8 internal state similar to the 4 × 4 internal state of AES (see, for example, Non-Patent Documents 5 and 6). Are thought to exist as well.

  The present invention has been made in view of the above circumstances, and provides a cryptographic processing apparatus and program capable of preventing the mask value for the round key array from becoming zero and reducing the complexity of mask management. Objective.

  A first invention is an encryption processing apparatus that executes an AES encryption method using a round key protection mask, an S box input protection mask, and an S box output protection mask, and sets the mask state of the S box input protection mask to “001”. ”,“ 010 ”,“ 011 ”,“ 100 ”,“ 101 ”,“ 110 ”and“ 111 ”, and an input selection means for selecting the mask state of the selected S box input protection mask. A mask state different from the mask state of the S box output protection mask selected from the seven types of mask states as a mask state of the S box output protection mask, and a mask state different from the mask state of the selected S box output protection mask A first column selection means for selecting from the seven types of mask states as the mask state of the first column of the round key protection mask; The mask state of the selected S box output protection mask, the mask state of the selected first column, and “the operation of the exclusive OR of the mask state of the S box output protection mask and the mask state of the first column” A second column means for selecting a mask state different from the “result” from the seven types of mask states as a second column mask state of the round key protection mask; a third column and a fourth column of the round key protection mask; The third and fourth column selection means for selecting the mask state from the seven types of mask states, the mask state of the selected S box output protection mask, and the masks from the selected first column to the fourth column A mask state calculation means for calculating a mask state from the first column to the fourth column after the round key update by the AES encryption method using the state, and prohibition to the calculated mask state Forbidden state determination means for determining whether or not the state “000” is included, and three basic mask values respectively corresponding to “001”, “010” and “100” among the seven types of mask states When the stored basic mask value storage means and the prohibited state are not included, the selected basic mask value is synthesized by exclusive ORing the basic mask values corresponding to the selected mask states. And a mask value calculating means for calculating each combined mask value corresponding to each mask state.

  Although the first invention is expressed as “device”, the present invention is not limited thereto, and may be expressed as “program”, “computer-readable storage medium storing program”, or “method”.

(Function)
According to the first invention, the mask value for the round key array becomes 0 by the configuration in which different mask states are selected for each column while realizing resistance to side channel attacks equivalent to the conventional masking method. The configuration of generating the composite mask value from the basic mask value can reduce the complexity of mask management.

  As described above, according to the present invention, it is possible to prevent the mask value for the round key array from becoming 0, and to reduce the complexity of mask management.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. Each of the following devices can be implemented for each device with either a hardware configuration or a combined configuration of hardware resources and software. As the software of the combined configuration, a program that is installed in advance on a computer of a corresponding device from a network or a storage medium and that realizes the function of the corresponding device is used.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 1 is a schematic diagram showing the configuration of the cryptographic processing apparatus according to the first embodiment of the present invention. The cryptographic processing device 10 is a device that executes an AES encryption method to which a masking method is applied, and may be realized by either an IC card or a personal computer.

  Specifically, the cryptographic processing apparatus 10 has a configuration in which a ROM 1, a RAM 2, a nonvolatile memory 3, a CPU 4 and an input / output unit 5 are connected to each other via a bus 6.

  Here, the ROM 1 is a read-only memory that can be read from the CPU 5, and stores the OS of the cryptographic processing apparatus 10 in advance.

  The RAM 2 is a random access memory that can be read / written from the CPU 5, and the stored contents of the nonvolatile memory 3 are read out, and the ciphertext, key, mask state, mask value during the round key update process and the AES encryption process Used to temporarily store count values, data being processed, decrypted plaintext, and the like. The round key array and the internal state array (State array) are formed in a partial area of the RAM 2, and are an array of 4 rows and 4 columns in the case of a 128-bit key, and 4 rows in the case of a 192-bit key. In the case of a 256-bit key, it is an array of 4 rows and 8 columns.

  The non-volatile memory 3 is a memory that can be read / written from the CPU 5 and whose stored contents are not erased even when the power is turned off. For example, an operation program for AES encryption processing installed from an external storage medium, an S box with mask (S -box) information, basic key values A, B, and C for generating a round key protection mask are stored in advance, and a common key shared with an external AES decryption device (not shown) is stored as appropriate. Is done. However, the S box information with mask (S-box) information, basic mask values A, B, C, and the common key are not limited to being stored in the nonvolatile memory 3 in advance. Sometimes created. When creating each time encryption processing is performed, masked S-box information, basic mask values A, B, and C, and a common key are stored in the RAM 2 but not in the nonvolatile memory 3. Note that the key length of the shared key (common key) may be 128 bits, 192 bits, or 256 bits as in the specification of the AES encryption.

  The CPU 4 executes AES encryption processing on plaintext data input from the input / output unit 5 and executes AES encryption processing for outputting the obtained ciphertext data from the input / output unit 5. Has a function of executing mask state update processing, round key update processing, and AES encryption processing as shown in FIGS.

  For example, the CPU 4 has a function of selecting the mask state of the S box input protection mask from seven mask states of “001”, “010”, “011”, “100”, “101”, “110”, and “111”. A mask state different from the mask state of the selected S-box input protection mask, a mask state of the S-box output protection mask, and a mask state of the selected S-box output protection mask Has a function for selecting different mask states from the seven mask states as the mask state of the first column of the round key protection mask, the mask state of the selected S-box output protection mask, the mask state of the selected first column, and A mask different from “the operation result of exclusive OR between the mask state of the S box output protection mask and the mask state of the first column” A function for selecting the state from the seven mask states as the mask state for the second column of the round key protection mask, and the mask states for the third and fourth columns of the round key protection mask from each of the seven mask states. And the mask state of the selected S box output protection mask and the mask state of the selected first column to the fourth column, the first column to the fourth column after the round key update by the AES encryption method are used. A function for calculating a mask state, a function for determining whether the calculated mask state includes a prohibited state “000”, and the like, and among the seven types of mask states, “001”, “010”, and “100” A function for writing three basic mask values A, B, and C respectively corresponding to the RAM 2 and a basic mask value A, B, and C corresponding to each selected mask state when the prohibited state is not included. By synthesized by exclusive OR, and has a function of calculating the respective composite mask values corresponding to each mask while the selected.

  The input / output unit 5 has an input / output function such as data between an external device (not shown) and the cryptographic processing device 10, and further, when the cryptographic processing device 10 is an IC card, from the outside to the cryptographic processing device 10. It has a power input function.

  Next, the operation of the cryptographic processing apparatus configured as described above will be described with reference to the flowchart of FIG. In the cryptographic processing apparatus 10, it is assumed that the AES cryptographic processing program is activated by the operation of the operator and the storage contents of the nonvolatile memory 3 are written in the RAM 2. Further, in the cryptographic processing apparatus 10, it is assumed that the plaintext data is written to the RAM 2 via the input / output unit 5 and then the cryptographic processing request is input via the input / output unit 5 by the operation of the operator.

(Overall operation of mask state selection: FIG. 2)
First, the CPU 4 selects a mask state of each element of the round key array (ST81), and writes the mask state in the RAM 2. Next, the CPU 4 initializes the count value N of the number of stages (rounds) with N = 1. In this case, the value 10 corresponding to the 128-bit key is used as the number of stages, but in the case of a 192 or 256-bit key, 12 or 14 is used as the number of stages.

  Subsequently, as shown in FIG. 3, CPU 4 calculates the mask state of each element of the round key array after the round key update (ST83). The processing in step ST83 uses the mask state of the round key protection mask in use stage 1 in FIG. 3 as the round key stored in step ST21 in FIG. 22, and the byte substitution (SubByte) processing included in step ST24 in FIG. 3 can be executed by using the mask state of the S box output protection mask in FIG.

  Next, the CPU 4 determines whether or not each element of the round key array includes a masked state prohibition state (ST84). If included, the process returns to step ST81. Advances to step ST85. Here, the prohibited state of the mask state is a mask corresponding to a mask value that is not desirable in applying the masking method, for example, when all bits of the mask value are 0 or when all bits are 1. State. In FIG. 2, steps ST83 and ST84 are shown as a single process, but actually, as shown in FIG. 4, the updating of the mask state and the determination of the prohibited state are repeatedly performed for each column. (ST83-1, ST84-1, ..., ST83-4, ST84-4).

  If the result of step ST84 is that the masked state prohibition state is not included, the CPU 4 adds 1 to the count value N of the number of stages N (ST85), determines whether it is the last stage (ST86), and the last stage. If not, the process returns to step ST83, and if it is the last stage, the mask state selected with reference to the RAM 2 is output (ST87).

(Details of step ST81: FIG. 5)
Here, the selection of the mask state in step ST81 will be described in detail.

  The CPU 4 selects one of the seven mask states of the S box input protection mask used in the byte substitution (SubByte) processing in the AES round key update (ST81-1). The seven mask states are states of 001, 010, 011, 100, 101, 110, and 111. In the S box input protection mask, each element in 4 rows and 1 column has the same mask state.

  In addition, CPU 4 selects one of the seven mask states of the S box output protection mask used in the byte substitution processing in the AES round key update (ST81-2). In the S box output protection mask, each element in 4 rows and 1 column has the same mask state.

  Furthermore, CPU 4 selects one mask state that does not overlap with the mask state selected in step ST81-2 as the mask state of the first column in the round key protection mask (ST81-3).

  Further, the CPU 4 sets “S box output protection mask”, “the first column of the round key protection mask”, and “S box output protection mask and 1 of the round key protection mask” as mask states of the second column in the round key protection mask. One of the four mask states excluding the total of three mask states in “Result of XOR operation with column” is selected (ST81-4).

  Furthermore, the CPU 4 selects the mask states of the third column and the fourth column in the round key protection mask from the seven types of mask states (ST81-5). In the round key protection mask, each element in 4 rows and 4 columns is in a different mask state for each column.

  In addition, the CPU 4 uses the mask states from the first to fourth columns of the S box output protection mask and the round key protection mask determined in steps ST81-2 to ST81-5 to 1 to 4 after the round key update processing. The mask states up to the fourth column are calculated (ST81-6). Note that the processing in step ST81-6 can be executed in the same manner as in step ST83 described above.

  Further, the CPU 4 determines whether or not the mask state obtained in step ST81-6 includes a prohibition state (ST81-7). If included, the process returns to step ST81-5 and is included. If not, the process ends and the process proceeds to step ST82.

(AES encryption processing by masking method: Fig. 6)
As shown in FIG. 2, the CPU 4 determines the mask state of each element of the first round key array (ST81 to ST87). Subsequently, the CPU 4 selects a mask value corresponding to at least 7 or more types of mask states (ST91), and stores the mask state and mask value in the RAM 2. Here, as shown in FIG. 7, the mask value is selected by performing an XOR operation on the basic mask values A, B, and C based on the mask state, and selecting the resultant composite mask value. Here, if the mask state is cba, the basic mask values C, B, A corresponding to 100,010,001 and the composite mask value M have the following relationship.
M = c · C (+) b · B (+) a · A
However, (+): exclusive OR, cba: any one of 001 to 111 (c, b, a are 0 or 1 respectively).

  Subsequently, the CPU 4 determines whether or not the selected mask value includes a prohibited state (ST92). When the selected mask value includes the prohibited state, the CPU 4 returns to step ST81, and when not included, the AES encryption process (ST93) and A round key update process (ST94) is executed.

(Mask status update result)
In FIG. 3, 001, 010, 011, 100, 101, 110, and 111 represent mask states of the S box output protection mask and the round key protection mask synthesized by XOR of three independent basic mask values. In the round key protection mask, for example, mask values of 0x02, 0x10, 0x12, 0x40, 0x42, 0x50, or 0x52 are assigned to each column.

  In the mask state table of FIG. 3, there is no mask state corresponding to a mask value that is not appropriate for the masking method, such as 000 corresponding to a mask value of 0x00, or 0xff. For this reason, the masking method can operate appropriately as a countermeasure against side channel attacks. Further, in the round key update process, the mask value applied to each element of the round key array is automatically changed according to the mask state shown in FIG. 3 by the update operation of the round key array. In the conventional method of explicitly changing the mask value of each element of the round key array, it is necessary to refer to the mask value of each element. On the other hand, according to the present embodiment, it is not necessary to refer to the mask value every time the round key array update process is performed, but an appropriate mask value is applied to each element, and the side channel is equal to or better than the conventional method. The effect of countermeasures against attacks can be obtained.

  As described above, according to the present embodiment, since the mask is generated with a small number of random numbers while realizing resistance to side channel attacks equivalent to the conventional masking method, the complexity of mask management can be reduced, Since a different mask state is used for each column, it is possible to prevent the mask value for the round key array from becoming zero.

(Second Embodiment)
FIG. 8 is a flowchart for explaining the operation of the cryptographic processing apparatus according to the second embodiment of the present invention. The same parts as those in the above-mentioned drawings are denoted by the same reference numerals, and detailed description thereof is omitted. The differences are mainly described. In the following embodiments, the same description is omitted.

  That is, this embodiment is a modification of step ST91 that generates a mask value from the mask state in the first embodiment.

  Specifically, the CPU 4 replaces the three basic mask values A, B, and C with a function for generating a random number r as one basic mask value, and calculates the remaining two basic mask values 2r and 4r from the random number r. And a function of generating a composite mask value from these three basic mask values r, 2r, and 4r by an XOR operation based on the mask state.

Supplementally, the CPU 4 has a function of generating a random number r having the same number of bits as the number of bits “n” of the mask value, and a function of selecting an n-th irreducible polynomial having the same value as the number of bits. ing. The basic mask values are a random number r and values 2r and 4r obtained by doubling and quadrupling the random number r, respectively. Further, the CPU 4 calculates a composite mask value by associating a vector representation of the Galois field GF (2 ⁿ ) using a polynomial with the mask state. Here, the case of n = 8 bits will be described as an example, but the number of bits n can be arbitrarily selected in the range of 3 ≦ n ≦ 32.

  Next, the operation of the cryptographic processing apparatus configured as described above will be described with reference to the flowchart of FIG.

  Now, as described above, assume that the mask state of each element of the first round key array is determined as shown in FIG. 3 (ST81 to ST87).

  The CPU 4 generates an n-bit mask random number r (ST91'-1) and selects an n-th irreducible polynomial (ST91'-2).

  Thereafter, using this irreducible polynomial, CPU 4 calculates a mask value corresponding to at least 7 or more types of mask states as shown in FIG. 9 (ST91'-3), and stores the mask state in RAM 2. And the mask value.

  Thereafter, the AES encryption process (ST93) and the round key update process (ST94) are executed as described above.

(About mask value generation)
In the first embodiment, in order to generate mask values of seven or more types of mask states, at least three different mask values are required. In the present embodiment, one type of mask value is used. A mask value corresponding to the mask state can be generated by calculating a polynomial of GF (2 ⁿ ) using an irreducible polynomial from the value.

That is, in the present embodiment, the mask value is generated by associating the mask state shown in FIG. 3 with the vector representation of the Galois field GF (2 ⁿ ) using an arbitrary irreducible polynomial. In this case, the mask states 001, 010,011, 100, 101, 110, 111 are respectively 1, x, x + 1, x ^ 2, x ^ 2 + 1, x ^ 2 + x, x Corresponds to ^ 2 + x + 1. For example, when generating an 8-bit data mask, the random number r is an extension field GF (2 ⁸ ) using an irreducible polynomial (x ^ 8 + x ^ 7 + x ^ 5 + x ^ 3 + x + 1) When corresponding to the vector representation, if the hexadecimal representation of the vector representation of the random number r is 0x2C (hereinafter, in the case of the hexadecimal representation, 0x is used at the beginning), the mask states 001, 010, 011 are based on the random number r. , 100, 101, 110, and 111 are generated as 0x2C, 0x58, 0x74, 0xB0, 0x9C, 0xE8, and 0xC4, respectively, as shown in FIG.

  In addition, since the mask state that is not appropriate for the masking method does not appear in the mask state table of FIG. 3, the masking method can appropriately operate as a countermeasure against the side channel attack. Similarly, in the round key update process, the mask value of the round key protection mask automatically changes according to the mask state shown in FIG. Therefore, according to the present embodiment, unlike the conventional case, it is not necessary to refer to the mask value every time the round key array update process is performed. Further, according to the present embodiment, an appropriate mask value is applied to each element, and an effect of countermeasures against side channel attacks equal to or higher than that of the conventional method can be obtained.

  As described above, according to the present embodiment, since the mask value is calculated from the random number r in addition to the effect of the first embodiment, the mask value can be easily selected as compared with the first embodiment.

  When generating a mask value from a mask state, a relational expression between the mask state and the mask value is calculated to create a correspondence table between the two, and the mask values corresponding to the seven mask states may be referred to. In this case, compared to the case where the mask value itself is directly calculated, the processing is the same regardless of the mask value, so that leakage of side channel information can be suppressed and resistance to side channel attacks is enhanced.

  In each embodiment, the mask state table in FIG. 3 shows the method of sequential calculation in the round key update process (ST94) in FIG. 8 and the key length for performing the encryption process prior to the AES encryption process (ST93). Any method of creating a table of mask states of the corresponding round keys or a method of creating a table of individual or common mask states for each cryptographic processing apparatus in advance and referring to the table during AES encryption processing Can be realized.

  In each embodiment, 8-bit data is used for explanation, but the masking method according to the present invention is not limited to 8 bits. In AES, since each element of the round key array is 8 bits, n = 8 is suitable. However, n can be arbitrarily selected as long as it is in the range of 3 to 32.

(Third embodiment)
Next, a cryptographic processing apparatus according to the third embodiment of the present invention will be described.

  This embodiment is a modification of the first or second embodiment, which complicates the method of applying a mask state to each element of the round key array and improves resistance to side channel attacks.

  Specifically, as shown in FIG. 10, “101” is used as the mask state of the S box output protection mask from the use stage 1 to the use stage 5, and from the use stage 6 to the final use stage, the S is used. In this configuration, “111” is used as the mask state of the box output protection mask.

  Supplementally, in the present embodiment, the first or second embodiment is executed twice, that is, once from the use stage 1 to the use stage 5 and once from the use stage 6 to the final use stage. It is. At this time, the CPU 4 sets the mask state of the S box output protection mask from the use stage 1 to the use stage 5 to the mask state different from the mask state of the S box output protection mask from the use stage 6 to the final use stage. Choose to do. However, the two mask states “101” and “111” described above are merely examples, and the present invention is not limited to this. Any mask state can be used for the S box output protection mask as long as the values are different from each other. ing.

  In the masking method, if the S-box input protection mask or the S-box output protection mask is different, different S-box information with a mask (reference table) with different contents is required, and the required amount of storage area increases. The application will become even more difficult, and the effect as a countermeasure against side channel attacks will be improved.

  Therefore, according to the above configuration, in addition to the effects of the first or second embodiment, resistance to side channel attacks can be improved.

(Fourth embodiment)
Next, a cryptographic processing apparatus according to the fourth embodiment of the present invention will be described with reference to FIG. In this embodiment, the first or second embodiment is applied to a 192-bit key.

  In the 192-bit key AES, as shown in FIG. 11, the round key array is represented by an array of 4 rows and 6 columns. Accordingly, when a 192-bit key is used as the round key, the CPU 4 sets the mask states of the fifth and sixth columns of the round key protection mask to “1000”, “1001”, “1010” in addition to the functions described above. , “1011”, “1100”, “1101”, “1110”, and “1111”, respectively, and a function based on the calculated fourth column mask state, and a round based on the AES encryption method. A function of calculating the mask states of the fifth and sixth columns after the key update, and a function of determining whether or not the prohibited state “0000” or the like is included in the calculated mask states of the fifth and sixth columns. Among the eight mask states, when the basic mask value corresponding to “1000” is written to the RAM 2 and the prohibited state “0000” is not included, the selected fifth and sixth columns A function of calculating respective composite mask values corresponding to the respective mask states in the fifth column and the sixth column by synthesizing the basic mask values corresponding to each mask state by exclusive OR. I have.

Here, when the mask state is dcba, the basic mask values D, C, B, A corresponding to 1000,0100,0010,0001 and the combined mask value M have the following relationship.
M = d · D (+) c · C (+) b · B (+) a · A
However, (+): exclusive OR, dcba: any value from 0001 to 1111 (d, c, b, a are 0 or 1 respectively).

  The fifth and sixth columns of the last used stage are mask states for unused round keys, and are not necessary depending on the implementation.

  In FIG. 11, 0001, 0010,0011, 0100, 0101, 0110, 0111, 1000, 1001, 1010, 1011, 1100, 1101, 1110, and 1111 are S synthesized by XOR of four independent basic mask values. The mask state of the box output protection mask and the round key protection mask is shown. In the round key protection mask, for example, as shown in FIG. 12, the mask values of 0x02, 0x10, 0x12, 0x40, 0x42, 0x50, 0x52, 0x60, 0x62, 0x70, 0x72, 0xA0, 0xA2, 0xB0, or 0xB2 are arranged. Assigned every time.

  In the mask state table of FIG. 11, there is no mask state corresponding to a mask value that is not appropriate for the masking method, such as 0000 corresponding to 0x00 or 0xff. For this reason, the masking method can operate appropriately as a countermeasure against side channel attacks. Further, in the round key update process, the mask value applied to each element of the round key array is automatically changed according to the mask state shown in FIG. 11 by the update operation of the round key array. In the conventional method of explicitly changing the mask value of each element of the round key array, it is necessary to refer to the mask value of each element. According to the present embodiment, it is not necessary to refer to the mask value every time the round key array update process is performed, but an appropriate mask value is applied to each element, and the side channel attack is equivalent to or better than the conventional method. The effect of this measure can be obtained.

As shown in the second embodiment, as an example of a mask generation method corresponding to 15 mask states from 0001 to 1111, a Galois field GF (2 ⁿ ) using an arbitrary irreducible polynomial is used. It is also possible to correspond to the vector expression. In this case, in terms of polynomial expression, they correspond to 1, x, x + 1, x ^ 2, x ^ 2 + 1, x ^ 2 + x, x ^ 2 + x + 1, respectively. For example, when generating an 8-bit data mask, the random number r is an extension field GF (2 ⁿ ) using an irreducible polynomial (x ^ 8 + x ^ 7 + x ^ 5 + x ^ 3 + x + 1). When corresponding to the vector representation, if the hexadecimal representation of the vector representation of the random number r is 0x2C, the mask states 0001, 0010, 0011, 0100, 0101, 0110, 0111, 1000, 1001, 1010, 1011, based on the random number r The mask values generated corresponding to 1100, 1101, 1110, and 1111 are respectively 0x2C, 0x58, 0x74, 0xB0, 0x9C, 0xE8, 0xC4, 0x4B, 0x67, 0x13, 0x3F, 0xFB, as shown in FIG. 0xD7, 0xA3, 0x8F. In FIG. 13, the basic mask value uses a random number r and values 2r, 4r, and 8r obtained by multiplying the random number r by 2 times, 4 times, and 8 times, respectively.

  In any case, the cryptographic processing apparatus 10 uses the 15 different mask values corresponding to the mask states in FIG. 11 based on the four different mask values as shown in FIG. An effective masking method can be provided while eliminating the value. In addition, as shown in FIG. 14, the transition of the mask state according to FIG. 11 includes a mask state synthesized from three types of mask values from the first column to the fourth column of the S box output protection mask and the round key protection mask. Because it is used, it is highly consistent with the 128-bit key AES processing, and is excellent in mountability when used in a cryptographic processing device that supports a plurality of key lengths.

  As described above, according to the present embodiment, the effects of the first or second embodiment can be obtained even with a 192-bit key of 4 rows and 6 columns.

(Fifth embodiment)
Next, a cryptographic processing apparatus according to the fifth embodiment of the present invention will be described with reference to FIG. In this embodiment, the first or second embodiment is applied to a 256-bit key.

  Accordingly, when a 256-bit key is used as the round key, the CPU 4 executes the processes of steps ST81-3 to ST81-7 and the processes of steps ST91 and ST92 again to thereby set the round key protection mask 5 It has a function to obtain the mask values of the 8th column from the column.

  Note that in AES with a 256-bit key, as shown in FIG. 15, the round key array is represented by an array of 4 rows and 8 columns. As described above, in the round key update of a 256-bit key, the result of applying the byte substitution (SubByte) process to the key array of the fourth column is used for updating the key array of the fifth column. Between the mask state of the eye and the mask state of the fifth column, the mask state of the S box output protection mask used in the byte substitution (SubByte) process is described.

  In FIG. 15, 001, 010, 011, 100, 101, 110, and 111 represent mask states of the S box output protection mask and the round key protection mask synthesized by XOR of three independent basic mask values. In the round key protection mask, for example, as shown in FIG. 7 or FIG. 9, a mask value corresponding to each mask state is assigned to each column.

  Similarly to the above, since the mask state corresponding to the inappropriate mask value does not appear in the mask state table of FIG. 15, it can operate appropriately as a countermeasure against the side channel attack. Similarly, in the round key update process, the mask value of the round key protection mask automatically changes according to the mask state shown in FIG. Therefore, according to the present embodiment, unlike the conventional case, it is not necessary to refer to the mask value every time the round key array update process is performed. Further, according to the present embodiment, an appropriate mask value is applied to each element, and a countermeasure effect against a side channel attack equal to or higher than that of the conventional method can be obtained.

  In addition, since the mask state transition according to FIG. 15 uses a mask state synthesized from three types of mask values for the S box output protection mask and the round key protection mask, consistency with the 128-bit key AES processing is also achieved. When used in a cryptographic processing apparatus that supports a plurality of key lengths, it is excellent in mountability.

  As described above, according to the present embodiment, the effects of the first or second embodiment can be obtained even with a 256-bit key of 4 rows and 8 columns. In this embodiment, mask values corresponding to each mask state are generated using three different mask values, but each mask state can be generated by the same method as long as there are three or more different mask values. For example, it is obvious that the generation using four different masks exemplified in the fourth embodiment is also within the scope of this method.

(Sixth embodiment)
Next, a cryptographic processing apparatus according to the sixth embodiment of the present invention will be described with reference to FIGS. This embodiment is a modification of each of the first to fifth embodiments with a 128-bit key as a representative example. As shown in FIGS. 16 and 17, from the use stage 1 to the final use stage. The S-box output protection mask (4 rows and 1 column) of the first row to the fourth row of the mask state is mutually changed, and the mask states of the first to fourth rows for each column of the round key protection mask are mutually changed. It has become the composition. Accordingly, in step ST81-2, the CPU 4 selects the first to fourth mask states of the S box output protection mask as different states, and the above-described steps ST81-3 to ST81-. 5 has a function of selecting the mask states of the first row to the fourth row as different states for each column of the round key protection mask. FIG. 18 shows mask values corresponding to the mask states shown in FIGS.

  In the first to fifth embodiments, as an example of the mask value, a 32-bit mask value obtained by repeatedly expanding four 8-bit mask values to one column is used. However, if the mask value of 0x00 is excluded, 8-bit mask values are used. The mask values are limited to 255, and the randomness or diversity of the mask values is limited.

However, according to the sixth embodiment, by selecting four independent mask values for each row of the key array, the mask value combinations can be increased to 255 ⁴ ways, that is, 16,581,375 ways, It can provide a wide variety of uses for side channel attacks by masking methods.

  As described above, according to the present embodiment, in addition to the effects of the first to fifth embodiments, the combination of the mask values of the S-box output protection mask and the round key protection mask can be increased, and thus resistance to side channel attacks. Can be improved.

  Since the 4 bytes of the mask value of the S box output protection mask are independent values, if mounted as they are, four times as many S box information with masks are required, but the S box output protection mask of FIGS. By using a mask value that repeats four 8-bit mask values different from the mask value of 4 for the S box output protection mask and applying a unique mask value to the output, the S box output shown in FIGS. An implementation for converting the mask value of the protection mask is also within the scope of the present embodiment.

(Seventh embodiment)
Next, a cryptographic processing apparatus according to the seventh embodiment of the present invention will be described with reference to FIG. 19 and FIG.

  In the data encryption part of the AES encryption method, the intermediate state represented by 4 rows and 4 columns is subjected to byte substitution (SubByte) processing and mix column (MixColumn) processing for each column, and one column of new intermediate state is calculated. This process is repeated to realize four columns of conversion.

  Here, in the side channel attack, it is known that when a process having a similar relationship is executed using different values, the attack is particularly easy.

  According to the conventional technology, the countermeasure against the side channel attack is performed by disturbing the internal state of 4 rows and 4 columns with different mask values. The prior art will be described with reference to FIG. 31. The internal state matrix y (i, j) (+) r (i, j) is data stored in the i-th row and j-th column of the internal state of AES. Symbol (+) is an exclusive OR, y (i, j) is a true internal state component of i row and j column, and r (i, j) is a mask value of i row and j column. Corresponds to each component.

  In byte substitution processing, different mask values are used for each element in the internal state of 4 rows and 4 columns, and therefore S box information with a mask using individual mask values for a total of 16 S box information is required. Become. In this case, in order to realize the S box information of 16 types of different masks, for example, when stored in the RAM, a storage capacity of 8 kilobytes is required, and an increase in hardware scale becomes a problem. The above is the background art of this embodiment.

  This embodiment can be executed simultaneously with the first to sixth embodiments, and is intended to reduce the storage capacity required for masked byte substitution (SubByte) processing, as shown in FIG. Each of the S box input protection mask and the S box output protection mask is composed of two types of mask values rA and rB. As shown in FIG. 20, the CPU 4 adds the S box input protection mask and outputs the S box based on the mask state. The configuration is such that the removal of the protective mask is executed by the XOR operation of the mask values rA and rB.

  Supplementally, in the RAM 2, as shown in FIG. 19, the mask state of the S box input protection mask and the S box output protection mask, the first mask value rA corresponding to each bit value “0” of the mask state, Reference table data in which the second mask value rB corresponding to each bit value “1” in the mask state is associated with each other is stored.

  The CPU 4 refers to the reference table data in the RAM 2 based on the mask state of the selected S box input protection mask and S box output protection mask, and corresponds to each bit value “0” or “1” in the mask state. And a function of selecting the first mask value rA or the second mask value rB.

  Here, y (i, j) (+) r (j) in the internal state matrix shown in FIG. 20 is data stored in the i-th row and j-th column of the internal state of AES, and the symbol (+) is This is an exclusive OR, and y (i, j) corresponds to the component of the true internal state in the i-th row and j-th column, and r (j) corresponds to the component of the mask value in the j-th column.

  The mask value is determined by the CPU 4 referring to the reference table data of FIG. 19 based on the mask state. Specifically, the CPU 4 selects rA or rB as four mask values in each column from r (1) to r (4) corresponding to 16 types of mask states from mask states 0000 to 1111. The mask value of the S box input protection mask and / or the S box output protection mask is changed for each column. As a result, the masked S-box information table referenced in the similar process is selected from two types of tables for each column, so that the probability that the mask values of the S-box information match between arbitrary columns. A half.

  In the second to sixth embodiments, seven or fifteen types of mask values synthesized from three or four basic mask values are used for the masking method to the round key. On the other hand, in the AES encryption processing, the mask value corresponding to the mask state in FIG. 19 is changed in reference to the S box information in the masked byte substitution processing.

  As described above, according to the present embodiment, one or two basic mask values rA and rB are used as mask values for the S box input protection mask or the S box output protection mask, and are switched by selection processing by the CPU 4. Alternatively, the mask value of the S box protection mask can be changed for each round and for each column, information leakage effective for side channel attacks can be reduced, and safety can be improved.

  In each of the embodiments described above, the processing procedure of the AES encryption process has been described. However, a person skilled in the art can perform various modifications of the above-described embodiment for a decryption process that is symmetric to the encryption process. Is clear.

  In addition, among the embodiments, the seventh embodiment related to the data encryption unit is not limited to the AES encryption method, but is an algorithm similar to the AES encryption method, for example, the word pool Whirlpool described in ISO / IEC 10118-3. Is also applicable. Here, the word pool Whirlpool has a data encryption unit similar to the AES encryption method, and has no key schedule unit. Accordingly, the seventh embodiment can be applied to the word pool Whirlpool.

  A modification of the Warpool Whirlpool is the same as the encryption processing program shown in FIG. 1 that uses the S-box input protection mask and the S-box output protection mask to execute the Warpool Whirlpool described in ISO / IEC 10118-3. do it. By executing this program, the CPU 4 sets the mask state of the S box input protection mask to seven masks of “001”, “010”, “011”, “100”, “101”, “110”, and “111”. An input selection function for selecting from the state, an output selection function for selecting a mask state different from the mask state of the selected S box input protection mask from seven types of mask states as the mask state of the S box output protection mask, and S The mask state of the box input protection mask and the S box output protection mask, the first mask value corresponding to each bit value “0” of the mask state, and the second mask corresponding to each bit value “1” of the mask state Based on the mask state selected by the function of writing the reference table data associated with the values in the RAM 2 and the input selection function and the output selection function. And a mask value selection function for referring to the reference table data in the RAM 2 and selecting the first mask value or the second mask value corresponding to each bit value “0” or “1” in the mask state. Yes. According to the modified example related to the word pool Whirlpool, the mask value of the S box protection mask can be changed for each process or round and for each column as in the seventh embodiment. Leakage can be reduced and safety is improved.

  Each embodiment can be applied to a device that performs cryptographic processing, for example, an IC card having a cryptographic processing module or other cryptographic processing apparatus. Also, by applying the configuration of each embodiment, it becomes difficult to leak cryptographic processing keys and algorithms in the IC module by power analysis, and thus a device or apparatus having a cryptographic processing execution function with a high security level is provided. Can do.

  Note that the method described in the above embodiment is a program that can be executed by a computer, such as a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO). ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Furthermore, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium in which a program transmitted via a LAN or the Internet is downloaded and stored or temporarily stored.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

It is a schematic diagram which shows the structure of the encryption processing apparatus which concerns on the 1st Embodiment of this invention. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a figure which shows the mask state in the same embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a schematic diagram for demonstrating the calculation of the mask value in the same embodiment. It is a flowchart for demonstrating operation | movement of the encryption processing apparatus which concerns on the 2nd Embodiment of this invention. It is a schematic diagram for demonstrating the calculation of the mask value in the same embodiment. It is a figure which shows the mask state of the encryption processing apparatus which concerns on the 3rd Embodiment of this invention. It is a figure which shows the mask state of the encryption processing apparatus which concerns on the 4th Embodiment of this invention. It is a schematic diagram for demonstrating the calculation of the mask value in the same embodiment. It is a schematic diagram for demonstrating the calculation of the mask value in the same embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a figure which shows the mask state of the encryption processing apparatus which concerns on the 5th Embodiment of this invention. It is a figure which shows the mask state of the encryption processing apparatus which concerns on the 6th Embodiment of this invention. It is a figure which shows the mask state of the encryption processing apparatus in the embodiment. It is a figure which shows the mask value of the encryption processing apparatus in the embodiment. It is a figure which shows the mask value of the encryption processing apparatus which concerns on the 7th Embodiment of this invention. It is a schematic diagram for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the general encryption process in an AES encryption system. It is a flowchart for demonstrating the general update process of the 128 bit key in an AES encryption system. It is a flowchart for demonstrating the general update process of a 192 bit key in an AES encryption system. It is a flowchart for demonstrating the general update process of a 256 bit key in an AES encryption system. It is a flowchart for demonstrating the encryption process using the masking method in an AES encryption system. It is a schematic diagram for demonstrating S box information with a mask in the masking method. It is a flowchart for demonstrating the update process of the 128 bit key by the masking method of an AES encryption system. It is a flowchart for demonstrating the update process of the 128 bit key by the masking method of an AES encryption system. It is a flowchart for demonstrating the update process of a 192 bit key by the masking method of an AES encryption system. It is a flowchart for demonstrating the update process of a 256 bit key by the masking method of an AES encryption system. It is a schematic diagram showing the state of the round key arrangement | sequence after mask addition by the conventional masking method.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Cryptographic processing apparatus, 1 ... ROM, 2 ... RAM, 3 ... Nonvolatile memory, 4 ... CPU, 5 ... Input-output part, 6 ... Bus.

Claims (12)

An encryption processing apparatus that executes an AES encryption method using a round key protection mask, an S box input protection mask, and an S box output protection mask,
An input selection means for selecting the mask state of the S box input protection mask from seven mask states of “001”, “010”, “011”, “100”, “101”, “110”, and “111”; ,
Output selecting means for selecting a mask state different from the mask state of the selected S box input protection mask from the seven types of mask states as a mask state of the S box output protection mask;
First column selection means for selecting a mask state different from the mask state of the selected S box output protection mask from the seven types of mask states as the mask state of the first column of the round key protection mask;
The mask state of the selected S box output protection mask, the mask state of the selected first column, and “the exclusive OR of the mask state of the S box output protection mask and the mask state of the first column” A second column means for selecting a mask state different from the “operation result” from the seven types of mask states as the second column mask state of the round key protection mask;
Third and fourth column selection means for selecting the mask states of the third and fourth columns of the round key protection mask from the seven types of mask states, respectively.
Using the mask state of the selected S-box output protection mask and the selected mask state from the first column to the fourth column, from the first column to the fourth column after the round key update by the AES encryption method Mask state calculation means for calculating the mask state of
Forbidden state determining means for determining whether or not the calculated mask state includes a forbidden state “000”;
A basic mask value storage means for storing three basic mask values respectively corresponding to “001”, “010” and “100” among the seven types of mask states;
When the prohibition state is not included, each of the basic mask values corresponding to each of the selected mask states is synthesized by exclusive OR, thereby combining each of the selected mask states. An encryption processing apparatus comprising: a mask value calculation means for calculating a mask value. The cryptographic processing device according to claim 1,
When a 256-bit key is used as the round key, the first column selection unit, the second column selection unit, the third and fourth column selection unit, the mask state calculation unit, the prohibition state determination unit, the mask value calculation An encryption processing apparatus comprising means for obtaining mask values in the fifth to eighth columns of the round key protection mask by executing the means again. The cryptographic processing device according to claim 1,
When a 192-bit key is used as the round key, the mask states of the fifth and sixth columns of the round key protection mask are “1000”, “1001”, “1010”, “1011”, “1100”, “1101”. 5th and 6th column selection means for selecting from 8 types of mask states, “1110” and “1111” respectively;
Second mask state calculation means for calculating the mask states of the fifth column and the sixth column after the round key update by the AES encryption method, using the calculated mask state of the fourth column;
Second prohibition state determination means for determining whether or not the calculated mask states of the fifth and sixth columns include a prohibition state “0000”;
A second basic mask value storage means storing a basic mask value corresponding to “1000” among the eight types of mask states;
When the prohibited state “0000” is not included, the basic mask values are synthesized by exclusive OR in correspondence with the selected mask states of the fifth column and the sixth column. And a second mask value calculating means for calculating respective composite mask values corresponding to the mask states in the columns and the sixth column. The cryptographic processing apparatus according to any one of claims 1 to 3,
Means for generating a random number r having the same number of bits as the number of bits “8” of the basic mask value;
Means for selecting an eighth degree irreducible polynomial having the same value as the number of bits,
The basic mask values are the random number r, and values 2r and 4r obtained by doubling and quadrupling the random number r, respectively.
The cryptographic processing apparatus, wherein the mask value calculation means calculates the mask value by associating a vector representation of a Galois field GF (2 ⁸ ) using the irreducible polynomial with the mask state. The cryptographic processing apparatus according to any one of claims 1 to 4, wherein
The mask state of the S box input protection mask and the S box output protection mask, the first mask value corresponding to each bit value “0” of the mask state, and the bit value “1” of the mask state Mask value correspondence information storage means for storing the second mask value in association with each other;
Based on the mask state selected by the input selection means and the output selection means, the mask value correspondence information storage means is referred to, and the first value corresponding to each bit value “0” or “1” of the mask state is referred to. An encryption processing apparatus comprising: mask value selection means for selecting one mask value or a second mask value. An encryption processing device that executes the word pool Whirlpool described in ISO / IEC 10118-3 using an S box input protection mask and an S box output protection mask,
An input selection means for selecting the mask state of the S box input protection mask from seven mask states of “001”, “010”, “011”, “100”, “101”, “110”, and “111”; ,
Output selecting means for selecting a mask state different from the mask state of the selected S box input protection mask from the seven types of mask states as a mask state of the S box output protection mask;
The mask state of the S box input protection mask and the S box output protection mask, the first mask value corresponding to each bit value “0” of the mask state, and the bit value “1” of the mask state Mask value correspondence information storage means for storing the second mask value in association with each other;
Based on the mask state selected by the input selection means and the output selection means, the mask value correspondence information storage means is referred to, and the first value corresponding to each bit value “0” or “1” of the mask state is referred to. An encryption processing apparatus comprising: mask value selection means for selecting one mask value or a second mask value. A program of an encryption processing apparatus that executes an AES encryption method using a round key protection mask, an S box input protection mask, and an S box output protection mask,
A computer of the cryptographic processing apparatus;
An input selection means for selecting the mask state of the S box input protection mask from seven mask states of “001”, “010”, “011”, “100”, “101”, “110” and “111”;
Output selecting means for selecting a mask state different from the mask state of the selected S box input protection mask from the seven types of mask states as a mask state of the S box output protection mask;
A first column selection means for selecting a mask state different from the mask state of the selected S box output protection mask from the seven types of mask states as a mask state of the first column of the round key protection mask;
The mask state of the selected S box output protection mask, the mask state of the selected first column, and “the exclusive OR of the mask state of the S box output protection mask and the mask state of the first column” A second column means for selecting a mask state different from the “calculation result” from the seven types of mask states as the second column mask state of the round key protection mask;
Third and fourth column selection means for selecting the mask states of the third column and the fourth column of the round key protection mask from the seven types of mask states, respectively.
Using the mask state of the selected S-box output protection mask and the selected mask state from the first column to the fourth column, from the first column to the fourth column after the round key update by the AES encryption method Mask state calculating means for calculating the mask state of
Prohibition state determination means for determining whether or not the calculated mask state includes a prohibition state “000”;
Means for writing three basic mask values respectively corresponding to “001”, “010” and “100” among the seven types of mask states to the memory of the computer;
When the prohibition state is not included, each of the basic mask values corresponding to each of the selected mask states is synthesized by exclusive OR, thereby combining each of the selected mask states. Mask value calculation means for calculating a mask value;
Program to function as. The program according to claim 7,
The computer,
When a 256-bit key is used as the round key, the first column selection unit, the second column selection unit, the third and fourth column selection unit, the mask state calculation unit, the prohibition state determination unit, the mask value calculation A program for functioning as means for obtaining mask values in the fifth to eighth columns of the round key protection mask by executing the means again. The program according to claim 7,
The computer,
When a 192-bit key is used as the round key, the mask states of the fifth and sixth columns of the round key protection mask are “1000”, “1001”, “1010”, “1011”, “1100”, “1101”. 5th and 6th column selection means for selecting from 8 types of mask states, “1110” and “1111”,
Second mask state calculation means for calculating the mask states of the fifth column and the sixth column after the round key update by the AES encryption method, using the calculated mask state of the fourth column;
Second prohibition state determination means for determining whether or not the calculated mask states of the fifth and sixth columns include a prohibition state “0000”;
Means for writing a basic mask value corresponding to “1000” among the eight mask states to the memory;
When the prohibited state “0000” is not included, the basic mask values are synthesized by exclusive OR in correspondence with the selected mask states of the fifth column and the sixth column. Second mask value calculation means for calculating respective composite mask values corresponding to the mask states in the columns and the sixth column,
Program to function as. The program according to any one of claims 7 to 9,
The computer,
Means for generating a random number r having the same number of bits as the number of bits “8” of the basic mask value;
Function as a means for selecting an eighth degree irreducible polynomial having the same value as the number of bits,
The basic mask values are the random number r, and values 2r and 4r obtained by doubling and quadrupling the random number r, respectively.
The mask value calculating means calculates the mask value by associating a vector representation of a Galois field GF (2 ⁸ ) using the irreducible polynomial with the mask state. A program according to any one of claims 7 to 10,
A computer of the cryptographic processing apparatus;
The mask state of the S box input protection mask and the S box output protection mask, the first mask value corresponding to each bit value “0” of the mask state, and the bit value “1” of the mask state Means for writing the reference table data associated with the second mask value into the memory of the computer;
Based on the mask state selected by the input selection means and the output selection means, the reference table data in the memory is referred to, and the first value corresponding to each bit value “0” or “1” of the mask state is referred to. Mask value selection means for selecting one mask value or second mask value;
Program to function as. A program of a cryptographic processing apparatus that executes a word pool Whirlpool described in ISO / IEC 10118-3 using an S box input protection mask and an S box output protection mask,
A computer of the cryptographic processing apparatus;
An input selection means for selecting the mask state of the S box input protection mask from seven mask states of “001”, “010”, “011”, “100”, “101”, “110” and “111”;
Output selecting means for selecting a mask state different from the mask state of the selected S box input protection mask from the seven types of mask states as a mask state of the S box output protection mask;
The mask state of the S box input protection mask and the S box output protection mask, the first mask value corresponding to each bit value “0” of the mask state, and the bit value “1” of the mask state Means for writing the reference table data associated with the second mask value into the memory of the computer;
Based on the mask state selected by the input selection means and the output selection means, the reference table data in the memory is referred to, and the first value corresponding to each bit value “0” or “1” of the mask state is referred to. Mask value selection means for selecting one mask value or second mask value;
Program to function as.

Images