CN109302278B - Mask method and mask circuit for resisting energy analysis attack - Google Patents
- Publication number
- CN109302278B
- Authority
- CN
- China
- Prior art keywords
- random number
- domain
- expression
- demasking
- zero
- Prior art date
- Legal status
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Abstract
A masking method for defending against energy analysis attacks, comprising the steps of: converting the XOR mask value a ^ m and the random number m into a non-zero value a ^ n and a random number n; inverting the non-zero value a ^ n and the random number n over GF(2⁸) to obtain a⁻¹ ^ n and the random number n; and performing zero-value recovery on a⁻¹ ^ n and the random number n to obtain a⁻¹ ^ m and the random number m. The method removes the need for a dedicated SRAM, which saves area cost and makes integration more convenient. It removes the need to strip the mask during the operation: no demasking is required while the masked S-box is computed, which improves security. It also addresses the zero-value attack: the invention adds a zero-value detection function, so that zero-value attacks against the AES S-box are avoided.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a mask method and a mask circuit for resisting energy analysis attacks.
Background
With the continuing spread of networks, society is becoming more information-driven by the day, and the importance of information security is increasingly evident. Encryption plays an important role as one of the most powerful weapons in information security. The Advanced Encryption Standard (hereinafter AES) encryption algorithm has stood a long test from the time it became the Advanced Encryption Standard until today.
Any security product or cryptosystem must face the problem of how to defend against attacks and snooping, and in recent years a powerful new attack method, the side-channel attack (SCA), has emerged. A side-channel attack uses side-channel information leaked by the cryptographic chip during operation, such as power consumption, timing and electromagnetic emanations, to attack and spy on the cryptosystem. Side-channel attacks have become a great threat to information security chip products, and the harm they cause is far greater than that of traditional mathematical analysis.
The power analysis attack is one kind of side-channel attack; it attacks the key using the power consumed by the cryptographic chip while it performs an encryption operation. The chip's power consumption differs when it processes different operations, and even for the same instruction the power consumption differs with the operand, so the key can be calculated by analyzing the power consumption. Power analysis attacks are divided into simple power analysis (SPA) and differential power analysis (DPA); DPA is more effective and more widely applied.
A DPA attack obtains the key by exploiting the correlation between the power actually consumed by the attacked device during encryption and an intermediate value of the encryption algorithm. The intermediate value of the encryption algorithm can always be calculated from the plaintext input and a guessed key. Research into methods for resisting energy analysis attacks is therefore necessary.
The S-box of the AES algorithm is implemented with composite-field operations, and such an implementation has the following property: if the input to the S-box is zero, it consumes much less energy than for any other input. This is because, with a zero input, essentially all multiplications in the S-box are multiplications by zero, which typically require much less energy than other multiplications, so an attack based on the zero-value model can recover the AES key very easily.
The S-box used in AES encryption and the S-box used in decryption are inverse operations of each other; the S-box used in encryption is called the forward AES S-box, and the S-box used in decryption is called the inverse AES S-box. Both consist of one inversion over GF(2⁸) and one linear affine transformation. The AES S-box is a very complex nonlinear operation and is the place in the AES computation most vulnerable to information leakage. Because the AES S-box contains an inversion over GF(2⁸), and the conventional XOR mask is not applicable to inversion over GF(2⁸), the conventional approach is either to construct a masked S-box in advance and store it in an SRAM (static random access memory), or to remove the mask for the inversion and mask the S-box output again after the inversion has finished. With the former, security is not reduced, but a dedicated SRAM is needed to store the masked S-box, which is unrealistic for cost-sensitive embedded devices; with the latter, because a demasking operation is executed during the computation, the plaintext takes part in the computation directly and security is greatly reduced.
Disclosure of Invention
According to a first aspect, an embodiment provides a masking method for resisting an energy analysis attack, including the steps of:
converting the XOR mask value a ^ m and the random number m into a non-zero value a ^ n and a random number n;
inverting the non-zero value a ^ n and the random number n over GF(2⁸) to obtain a⁻¹ ^ n and the random number n;
performing zero-value recovery on a⁻¹ ^ n and the random number n to obtain a⁻¹ ^ m and the random number m.
In one embodiment, the step of converting the masked data a ^ m and the random number m into the non-zero value a ^ n and the random number n comprises the steps of:
S1: detecting whether the input random number m is 0, and if so, jumping directly to step S3;
S2: detecting whether the input XOR mask value a ^ m is 0; if not, no new non-zero random number n is generated, the non-zero random number n is kept equal to the random number m, and the method jumps directly to step S5;
S3: generating a non-zero random number n;
S4: judging whether the non-zero random number n is equal to a ^ m, and if so, returning to step S3;
S5: adopting a m to transform the XOR mask value a ^ m in a transform sequence;
S6: obtaining the non-zero value a ^ n and the random number n.
In one embodiment, inverting the non-zero value a ^ n and the random number n over GF(2⁸) comprises the steps of:
converting elements of GF(2⁸) to GF((2⁴)²) by an isomorphism matrix, the non-zero value a ^ n and the random number n being expressed respectively as:
a ^ n = (ah + nh)x + (al + nl);
n = nh·x + nl;
where ah, al ∈ GF(2⁴) and nh, nl ∈ GF(2⁴);
constructing the expression of the element n_d in GF(2⁴) to invert the random number n;
performing composite-field inversion on a ^ n by constructing the following non-demasking expressions:
constructing the non-demasking expression of the element (a_d + n_d) in GF(2⁴): (a_d + n_d) = f_d((ah + nh), (al + nl), p, nh, nl, n_d), where p is a constant in GF(2⁴);
converting the element (a_d + n_d) of GF(2⁴) to GF((2²)²) by an isomorphism matrix, the expressions over GF(2²) being respectively:
where a_dh, a_dl ∈ GF(2²) and n_dh, n_dl ∈ GF(2²);
constructing the non-demasking expression of the element (a_dh′ + n_dh′) in GF(2²):
constructing the non-demasking expression of the element (a_dl′ + n_dl′) in GF(2²):
constructing the non-demasking expression of the element (ah′ + nh′) in GF(2⁴):
(ah′ + nh′) = f_ah((ah + nh), (a′_d + n′_d), nh, nh′, n′_d);
constructing the non-demasking expression of the element (al′ + nl′) in GF(2⁴):
(al′ + nl′) = f_al((ah′ + nh′), (al + nl), (a′_d + n′_d), nl, nh′, nl′, n′_d).
where the non-demasking expression of f_d((ah + nh), (al + nl), p, nh, nl, n_d) is:
The formula is as follows:
In one embodiment,
where the non-demasking expression of f_ah((ah + nh), (a′_d + n′_d), nh, nh′, n′_d) is:
where the non-demasking expression of f_al((ah′ + nh′), (al + nl), (a′_d + n′_d), nl, nh′, nl′, n′_d) is:
According to a second aspect, an embodiment provides a masking circuit for implementing the above masking method, including:
a zero-value detection circuit, which converts the XOR mask value a ^ m and the random number m into a non-zero value a ^ n and a random number n;
a GF(2⁸) field inversion circuit, which inverts the non-zero value a ^ n and the random number n to obtain a⁻¹ ^ n and the random number n;
a zero-value recovery circuit, which performs zero-value recovery on a⁻¹ ^ n and the random number n to obtain a⁻¹ ^ m and the random number m.
The masking method according to the above embodiment has the following advantages:
1) The need for a dedicated SRAM is removed, which saves area cost and makes integration more convenient.
2) The need to strip the mask during the operation is removed: no demasking is required while the masked S-box is computed, which improves security.
3) The zero-value attack is addressed: the invention adds a zero-value detection function, so that zero-value attacks against the AES S-box are avoided.
Drawings
FIG. 1 is a flow diagram of zero detection;
FIG. 2 is a schematic diagram of a masking circuit.
Detailed Description
The present invention will be described in further detail with reference to the following detailed description and accompanying drawings.
In an embodiment of the present invention, a masking method for resisting an energy analysis attack is provided, which specifically includes the following steps.
S100: the XOR mask value a ^ m and the random number m are converted to a non-zero value a ^ n and a random number n.
The implementation process of this step is shown in FIG. 1, and specifically includes the following steps:
S1: detecting whether the input random number m is 0, and if so, jumping directly to step S3;
S2: detecting whether the input XOR mask value a ^ m is 0; if not, no new non-zero random number n is generated, the non-zero random number n is kept equal to the random number m, and the method jumps directly to step S5;
S3: generating a non-zero random number n;
S4: judging whether the non-zero random number n is equal to a ^ m, and if so, returning to step S3;
S5: adopting a m to transform the XOR mask value a ^ m in a transform sequence;
S6: obtaining the non-zero value a ^ n and the random number n.
Through the above 6 steps, the two numbers obtained, a ^ n and n, are both guaranteed to be non-zero. This avoids the zero-value information leakage that a 0 would cause in subsequent operations.
S200: the non-zero value a ^ n and the random number n are inverted over GF(2⁸) to obtain a⁻¹ ^ n and the random number n.
The inversion over GF(2⁸) inverts the non-zero value a ^ n produced by the zero-value detection conversion. For this inversion, the step constructs non-demasking expressions, so that neither the plaintext a nor any transformation of a appears during the inversion; only a ^ n as a whole and the random number n appear. The inversion scheme of the invention therefore performs no demasking operation during the computation, which ensures the security of the information.
Specifically, elements of GF(2⁸) are first converted to GF((2⁴)²) by an isomorphism matrix, and the non-zero value a ^ n and the random number n are expressed respectively as:
a ^ n = (ah + nh)x + (al + nl); (1)
n = nh·x + nl; (2)
where ah, al ∈ GF(2⁴) and nh, nl ∈ GF(2⁴);
The expression of the element n_d in GF(2⁴) is constructed to invert the random number n.
The specific process of inverting the random number n is as follows:
The expression of the element n_d in GF(2⁴) is:
n_d = (nh² × p) + nl² + (nh × nl), (3)
where p is a constant in GF(2⁴);
Calculate nh′ = nh × n′_d; (5)
Calculate nl′ = (nh + nl) × n′_d; (6)
Calculate (nh·x + nl)⁻¹ = nh′x + nl′; (7)
Therefore, in the process of inverting the random number n by equations (3) to (7), no plaintext information appears, and no information leakage occurs.
In additive masking, a⁻¹ ^ n⁻¹ must be computed from the masked input a ^ n and the mask n, and all intermediate data must be XOR-masked with random numbers, so no information about the plaintext a may appear while a⁻¹ ^ n⁻¹ is computed.
In this example, composite-field inversion is performed on a ^ n by constructing the following non-demasking expressions:
Construct the non-demasking expression of the element (a_d + n_d) in GF(2⁴):
(a_d + n_d) = f_d((ah + nh), (al + nl), p, nh, nl, n_d), where p is a constant in GF(2⁴);
The above expression holds for:
where the non-demasking expression of f_d((ah + nh), (al + nl), p, nh, nl, n_d) is:
Thus, in calculating (a_d + n_d) in this step, only (ah + nh), (al + nl), p, nh, nl and n_d are used; neither the plaintext a nor any transformation of the plaintext a appears, and the operation uses only the masked value of a or a transformed masked value of a.
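The mask inversion of equations (3) to (7), together with the idea of obtaining the masked d term from masked values only, as an added Python example that is not part of the patent. It works directly in GF((2⁴)²) and checks algebraic correctness only, not leakage. Assumptions: GF(2⁴) is reduced by x⁴ + x + 1, p is found by search so that x² + x + p is irreducible, n′_d is taken to be the inverse of n_d because equation (4) is not on the page, and `masked_d` is a hypothetical expression satisfying the identity, not the patent's f_d, whose formula is not reproduced here.

```python
# Added example, not code from the patent. Assumed: GF(2^4) reduced by x^4+x+1,
# p found by search, n'_d = n_d^-1, masked_d() a hypothetical stand-in for f_d.

GF16_POLY = 0b10011  # x^4 + x + 1 (assumed reduction polynomial)


def gf16_mul(a, b):
    """Multiply in GF(2^4): shift-and-add with reduction."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= GF16_POLY
    return r


def gf16_inv(a):
    """Inverse in GF(2^4) computed as a^14 (a^15 = 1 for a != 0)."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, a)
    return r


def find_p():
    """Smallest p with no t such that t^2 + t = p, so x^2 + x + p is irreducible."""
    images = {gf16_mul(t, t) ^ t for t in range(16)}
    return min(p for p in range(16) if p not in images)


P = find_p()


def d_of(h, l):
    """Equation (3) applied to h*x + l: h^2*p + l^2 + h*l."""
    return gf16_mul(gf16_mul(h, h), P) ^ gf16_mul(l, l) ^ gf16_mul(h, l)


def invert_mask(nh, nl):
    """Equations (3)-(7): returns (nh', nl') with (nh*x + nl)^-1 = nh'*x + nl'."""
    nd_inv = gf16_inv(d_of(nh, nl))  # n'_d, assumed to be n_d^-1
    return gf16_mul(nh, nd_inv), gf16_mul(nh ^ nl, nd_inv)


def ext_mul(ah, al, bh, bl):
    """(ah*x + al)(bh*x + bl) in GF((2^4)^2), reducing with x^2 = x + p."""
    hh = gf16_mul(ah, bh)
    high = hh ^ gf16_mul(ah, bl) ^ gf16_mul(al, bh)
    low = gf16_mul(hh, P) ^ gf16_mul(al, bl)
    return high, low


def masked_d(Ah, Al, nh, nl):
    """a_d + n_d from Ah = ah+nh, Al = al+nl and the mask halves only."""
    # d_of(Ah, Al) expands to a_d + n_d + ah*nl + al*nh; the two cross terms
    # equal Ah*nl + Al*nh, so a is never formed on its own.
    return d_of(Ah, Al) ^ gf16_mul(Ah, nl) ^ gf16_mul(Al, nh)


def check_mask_inversion():
    """Number of non-zero n for which n * invert_mask(n) == 1."""
    ok = 0
    for n in range(1, 256):
        nh, nl = n >> 4, n & 0xF
        ok += ext_mul(nh, nl, *invert_mask(nh, nl)) == (0, 1)
    return ok


def check_masked_d():
    """Number of (a, n) pairs for which masked_d equals a_d XOR n_d."""
    ok = 0
    for a in range(256):
        for n in range(256):
            ah, al, nh, nl = a >> 4, a & 0xF, n >> 4, n & 0xF
            want = d_of(ah, al) ^ d_of(nh, nl)
            ok += masked_d(ah ^ nh, al ^ nl, nh, nl) == want
    return ok


if __name__ == "__main__":
    print("p =", P, "| mask inversions ok:", check_mask_inversion(), "of 255")
    print("masked d identities ok:", check_masked_d(), "of 65536")
```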
The element (a_d + n_d) of GF(2⁴) is converted to GF((2²)²) by an isomorphism matrix, the expressions being respectively:
where a_dh, a_dl ∈ GF(2²) and n_dh, n_dl ∈ GF(2²);
According to the composite-field inversion method, n_d can be regarded as a random number, and n_dh′, n_dl′ and (n_dh·x + n_dl)⁻¹ = n_dh′ + n_dl′ are easily obtained from equations (3) to (7).
The above expression holds for:
Construct the non-demasking expression of the element (a_dh′ + n_dh′) in GF(2²):
Construct the non-demasking expression of the element (a_dl′ + n_dl′) in GF(2²):
Construct the non-demasking expression of the element (ah′ + nh′) in GF(2⁴):
(ah′ + nh′) = f_ah((ah + nh), (a′_d + n′_d), nh, nh′, n′_d), for which the following holds:
where the non-demasking expression of f_ah((ah + nh), (a′_d + n′_d), nh, nh′, n′_d) is:
Construct the non-demasking expression of the element (al′ + nl′) in GF(2⁴):
(al′ + nl′) = f_al((ah′ + nh′), (al + nl), (a′_d + n′_d), nl, nh′, nl′, n′_d), for which the following holds:
where the non-demasking expression of f_al((ah′ + nh′), (al + nl), (a′_d + n′_d), nl, nh′, nl′, n′_d) is:
The non-demasking inversion of a ^ n is realized by equations (8) to (22), giving a⁻¹ ^ n.
S300: zero-value recovery is performed on a⁻¹ ^ n and the random number n to obtain a⁻¹ ^ m and the random number m.
In this step, the random number n of a⁻¹ ^ n is restored to the random number m. The XOR order in this step must not be changed; if it is changed, a demasking operation is produced, which results in information leakage.
Based on the masking method, this example further provides a masking circuit for implementing the masking method. A schematic diagram of the masking circuit is shown in FIG. 2, and it specifically includes:
a zero-value detection circuit, which converts the XOR mask value a ^ m and the random number m into a non-zero value a ^ n and a random number n; for the specific implementation of the zero-value detection circuit, refer to step S100 above, which is not repeated here.
a GF(2⁸) field inversion circuit, which inverts the non-zero value a ^ n and the random number n to obtain a⁻¹ ^ n and the random number n; for the specific implementation of the GF(2⁸) field inversion circuit, refer to step S200 above, which is not repeated here.
a zero-value recovery circuit, which performs zero-value recovery on a⁻¹ ^ n and the random number n to obtain a⁻¹ ^ m and the random number m; for the specific implementation of the zero-value recovery circuit, refer to step S300 above, which is not repeated here.
The present invention has been described in terms of specific examples, which are provided to aid understanding of the invention and are not intended to be limiting. For a person skilled in the art to which the invention pertains, several simple deductions, modifications or substitutions may be made according to the idea of the invention.
Claims (9)
1. A masking method for defending against an energy analysis attack, comprising the steps of:
converting the XOR mask value a ^ m and the random number m into a nonzero value a ^ n and a random number n;
inverting the non-zero value a ^ n and the random number n over GF(2⁸) to obtain a⁻¹ ^ n and the random number n, which specifically comprises the following steps:
converting elements of GF(2⁸) to GF((2⁴)²) by an isomorphism matrix, the non-zero value a ^ n and the random number n being expressed respectively as:
a ^ n = (ah + nh)x + (al + nl);
n = nh·x + nl;
where ah, al ∈ GF(2⁴) and nh, nl ∈ GF(2⁴);
constructing the expression of the element n_d in GF(2⁴) to invert the random number n;
performing composite-field inversion on a ^ n by constructing the following non-demasking expressions:
constructing the non-demasking expression of the element (a_d + n_d) in GF(2⁴): (a_d + n_d) = f_d((ah + nh), (al + nl), p, nh, nl, n_d), where p is a constant in GF(2⁴);
converting the element (a_d + n_d) of GF(2⁴) to GF((2²)²) by an isomorphism matrix, the expressions being respectively:
where a_dh, a_dl ∈ GF(2²) and n_dh, n_dl ∈ GF(2²);
constructing the non-demasking expression of the element (a_dh′ + n_dh′) in GF(2²):
constructing the non-demasking expression of the element (a_dl′ + n_dl′) in GF(2²):
constructing the non-demasking expression of the element (ah′ + nh′) in GF(2⁴):
(ah′ + nh′) = f_ah((ah + nh), (a′_d + n′_d), nh, nh′, n′_d);
constructing the non-demasking expression of the element (al′ + nl′) in GF(2⁴):
(al′ + nl′) = f_al((ah′ + nh′), (al + nl), (a′_d + n′_d), nl, nh′, nl′, n′_d);
performing zero-value recovery on a⁻¹ ^ n and the random number n to obtain a⁻¹ ^ m and the random number m.
2. The masking method as claimed in claim 1, wherein converting the masked data a ^ m and the random number m into the non-zero value a ^ n and the random number n comprises the steps of:
S1: detecting whether the input random number m is 0, and if so, jumping directly to step S3;
S2: detecting whether the input XOR mask value a ^ m is 0; if not, no new non-zero random number n is generated, the non-zero random number n is kept equal to the random number m, and the method jumps directly to step S5;
S3: generating a non-zero random number n;
S4: judging whether the non-zero random number n is equal to a ^ m, and if so, returning to step S3;
S5: adopting a m to transform the XOR mask value a ^ m in a transform sequence;
S6: obtaining the non-zero value a ^ n and the random number n.
9. A masking circuit for implementing the masking method of any of claims 1-8, comprising:
a zero-value detection circuit, which converts the XOR mask value a ^ m and the random number m into a non-zero value a ^ n and a random number n;
a GF(2⁸) field inversion circuit, which inverts the non-zero value a ^ n and the random number n to obtain a⁻¹ ^ n and the random number n, which specifically comprises the following steps:
converting elements of GF(2⁸) to GF((2⁴)²) by an isomorphism matrix, the non-zero value a ^ n and the random number n being expressed respectively as:
a ^ n = (ah + nh)x + (al + nl);
n = nh·x + nl;
where ah, al ∈ GF(2⁴) and nh, nl ∈ GF(2⁴);
constructing the expression of the element n_d in GF(2⁴) to invert the random number n;
performing composite-field inversion on a ^ n by constructing the following non-demasking expressions:
constructing the non-demasking expression of the element (a_d + n_d) in GF(2⁴): (a_d + n_d) = f_d((ah + nh), (al + nl), p, nh, nl, n_d), where p is a constant in GF(2⁴);
converting the element (a_d + n_d) of GF(2⁴) to GF((2²)²) by an isomorphism matrix, the expressions being respectively:
where a_dh, a_dl ∈ GF(2²) and n_dh, n_dl ∈ GF(2²);
constructing the non-demasking expression of the element (a_dh′ + n_dh′) in GF(2²):
constructing the non-demasking expression of the element (a_dl′ + n_dl′) in GF(2²):
constructing the non-demasking expression of the element (ah′ + nh′) in GF(2⁴):
(ah′ + nh′) = f_ah((ah + nh), (a′_d + n′_d), nh, nh′, n′_d);
constructing the non-demasking expression of the element (al′ + nl′) in GF(2⁴):
(al′ + nl′) = f_al((ah′ + nh′), (al + nl), (a′_d + n′_d), nl, nh′, nl′, n′_d);
a zero-value recovery circuit, which performs zero-value recovery on a⁻¹ ^ n and the random number n to obtain a⁻¹ ^ m and the random number m.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811492940.1A CN109302278B (en) | 2018-12-07 | 2018-12-07 | Mask method and mask circuit for resisting energy analysis attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109302278A (en) | 2019-02-01 |
CN109302278B (en) | 2022-01-14 |
Family
ID=65142777
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811492940.1A Active CN109302278B (en) | 2018-12-07 | 2018-12-07 | Mask method and mask circuit for resisting energy analysis attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109302278B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112131613B (en) * | 2020-09-15 | 2022-02-22 | 郑州信大捷安信息技术股份有限公司 | Mask operation method and device for SM2 algorithm |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107251474A (en) * | 2015-03-09 | 2017-10-13 | 高通股份有限公司 | Use the Cryptographic AES for the finite subregions look-up table in masked operation |
US10498570B2 (en) * | 2013-10-02 | 2019-12-03 | Inphi Corporation | Data communication systems with forward error correction |
Non-Patent Citations (1)
Title |
---|
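Hardware Design of an AES Cryptographic Algorithm Resistant to Power Analysis Attacks; Yuan Zhigang; CNKI China Master's Theses Full-text Database, Information Science and Technology; 20141115; Sections 4.1, 4.1.2, 5.2.1 * |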
Also Published As
Publication number | Publication date |
---|---|
CN109302278A (en) | 2019-02-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | Address after: 200233 Room 704, Building 2, No. 2570 Hechuan Road, Minhang District, Shanghai; Patentee after: Shanghai Hangxin Electronic Technology Co.,Ltd.; Address before: Room 5058, building B, 555 Dongchuan Road, Minhang District, Shanghai; Patentee before: SHANGHAI AISINOCHIP ELECTRONIC TECHNOLOGY Co.,Ltd. |