CN-122027109-A - Key management method, computing device, storage medium, and computer program product
Abstract
In the key management method, during the iterative process of generating multiple sets of round keys, multiple randomly generated and mutually independent masks (a first mask, a second mask and a third mask) are used to mask the input data, intermediate data and output data of each round of the key expansion process, so that the side-channel signal observed by an attacker is the result of randomization and does not directly reflect the real key or data, and the attacker cannot easily recover the mask values statistically by observing the same data point many times. Further, the first mask is updated in every round of the iteration, while the second mask and the third mask are updated whenever the initial key is replaced, so that an attacker cannot recover the mask values by collecting data over a long period, which improves the side-channel resistance of the key expansion rounds.
Inventors
- Su Changshan
- Wang Bo
- Yan Bingze
- Tang Yuxing
- Li Gen
Assignees
- 飞腾信息技术有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2025-12-17
Claims (13)
- 1. A key management method, comprising: in response to a key generation request carrying an initial key, executing a multi-round iterative process to obtain a plurality of sets of round keys; the iterative process comprising: obtaining a set of round keys based on a target substitution box using a first mask, a second mask, a third mask and round input data, wherein the round input data is obtained based on the initial key or the output of a previous round of the iterative process, the first mask is used for masking the round input data, the second mask is used for masking round-function intermediate values, the third mask is used for masking the output of the target substitution box, the target substitution box is obtained based on an original substitution box, the second mask and the third mask, the second mask is used for masking the input of the original substitution box, the third mask is used for masking the output of the original substitution box, the first mask is updated in each round of the iterative process, and the second mask and the third mask are updated when the initial key changes.
- 2. The method of claim 1, wherein obtaining a set of round keys based on the target substitution box using the first mask, the second mask, the third mask and the round input data comprises: masking the round input data with the first mask to obtain masked input data; performing mask switching based on the first mask, the second mask and a portion of the masked input data to obtain a first pre-whitened value protected by the second mask; using the first pre-whitened value as an input to the target substitution box to obtain a first output result of the target substitution box; and obtaining a set of round keys based on the first output result of the target substitution box and a first derivative mask, wherein the first derivative mask is obtained based on the third mask.
- 3. The method of claim 2, wherein masking the round input data with the first mask to obtain masked input data comprises: performing an exclusive-or operation between the first mask and each item of the round input data to obtain a plurality of masked input data; and performing mask switching based on the first mask, the second mask and a portion of the masked input data to obtain the first pre-whitened value protected by the second mask comprises: sequentially exclusive-oring an odd number of the masked input data with the second mask to obtain a first masked round input; and exclusive-oring the first masked round input with the first mask so as to switch the mask in the first masked round input to the second mask, thereby obtaining the first pre-whitened value.
- 4. The method of claim 2, wherein using the first pre-whitened value as an input to the target substitution box to obtain a first output result of the target substitution box comprises: decomposing the first pre-whitened value into a plurality of first sub-whitened values and using the plurality of first sub-whitened values as the inputs of a plurality of target substitution boxes to obtain a first output result of each target substitution box; and obtaining a set of round keys based on the first output result of the target substitution box and the first derivative mask comprises: splicing the first output results of the target substitution boxes into a first substitution box output combination and performing a linear transformation on the first substitution box output combination to obtain a first linear transformation result; exclusive-oring the first linear transformation result with the masked input data that did not participate in the calculation of the first pre-whitened value to obtain a first round output intermediate value; and sequentially exclusive-oring the first round output intermediate value with the first derivative mask and the first mask to obtain the round key.
- 5. The method of claim 1, wherein the process of obtaining the target substitution box comprises: decomposing the second mask into a plurality of second sub-masks and decomposing the third mask into a plurality of third sub-masks, wherein the number of second sub-masks and the number of third sub-masks are each equal to the number of original substitution boxes; and masking the inputs of the plurality of original substitution boxes with the respective second sub-masks and masking the outputs of the plurality of original substitution boxes with the respective third sub-masks to obtain the target substitution box.
- 6. The method of claim 1, further comprising: in response to an encryption request carrying data to be encrypted, executing a multi-round encryption process on the data to be encrypted using the plurality of sets of round keys; the encryption process comprising: obtaining round encrypted data based on the target substitution box and the plurality of sets of round keys using the first mask, the second mask, the third mask and round data to be encrypted, wherein the round data to be encrypted comprises the data to be encrypted protected by the first mask or the output of the previous round of the encryption process protected by the first mask, the first mask is further used for protecting the round data to be encrypted and the round encrypted data, the second mask is further used for protecting the data input to the target substitution box in the encryption process, and the third mask is further used for protecting the output of the target substitution box in the encryption process.
- 7. The method of claim 6, wherein obtaining the round encrypted data based on the target substitution box using the first mask, the second mask, the third mask and the round data to be encrypted comprises: masking the round data to be encrypted with the first mask to obtain masked data to be encrypted; performing mask switching based on the first mask, the second mask, the round key of the current round and part of the masked data to be encrypted to obtain a second pre-whitened value that is protected by the second mask and encrypted with the round key of the current round; using the second pre-whitened value as an input to the target substitution box to obtain a second output result output by the target substitution box; and obtaining the round encrypted data based on the second output result and a second derivative mask, wherein the second derivative mask is obtained based on the third mask, the first mask is updated in each round of the iterative process, and the second mask and the third mask are updated when the initial key changes.
- 8. The method of claim 7, wherein masking the round data to be encrypted with the first mask to obtain masked data to be encrypted comprises: performing an exclusive-or operation between the first mask and each item of the round data to be encrypted to obtain a plurality of masked data to be encrypted; and performing mask switching based on the first mask, the second mask, the round key of the current round and part of the masked data to be encrypted to obtain the second pre-whitened value protected by the second mask and encrypted with the round key of the current round comprises: sequentially exclusive-oring an odd number of the masked data to be encrypted with the round key of the current round, and exclusive-oring the result with the second mask to obtain a second masked round input; and exclusive-oring the second masked round input with the first mask so as to switch the mask in the second masked round input to the second mask, thereby obtaining the second pre-whitened value.
- 9. The method of claim 7, wherein using the second pre-whitened value as an input to the target substitution box to obtain a second output result output by the target substitution box comprises: decomposing the second pre-whitened value into a plurality of second sub-whitened values and using the plurality of second sub-whitened values as the inputs of a plurality of target substitution boxes to obtain a second output result output by each target substitution box; and obtaining the round encrypted data based on the second output result and the second derivative mask comprises: splicing the second output results into a second substitution box output combination and performing a linear transformation on the second substitution box output combination to obtain a second linear transformation result; exclusive-oring the second linear transformation result with the masked data to be encrypted that did not participate in the calculation of the second pre-whitened value to obtain a second round output intermediate value; and exclusive-oring the second round output intermediate value with the second derivative mask to obtain the round encrypted data.
- 10. The method according to any one of claims 1 to 9, wherein, before executing the multi-round iterative process to obtain the plurality of sets of round keys in response to the key generation request carrying the initial key, the method further comprises: randomly generating the first mask, the second mask and the third mask; exclusive-oring the third mask, a first shift result and a second shift result to obtain the first derivative mask, wherein the first shift result is the result of circularly shifting the third mask left by a first number of bits, the second shift result is the result of circularly shifting the third mask left by a second number of bits, and the first number of bits and the second number of bits are different; and exclusive-oring the third mask, a third shift result, a fourth shift result and a fifth shift result to obtain the second derivative mask, wherein the third shift result is the result of circularly shifting the third mask by a third number of bits, the fourth shift result is the result of circularly shifting the third mask by a fourth number of bits, the fifth shift result is the result of circularly shifting the third mask by a fifth number of bits, and the third, fourth and fifth numbers of bits are different from each other.
- 11. A computing device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the key management method of any one of claims 1-10 when executing the computer program.
- 12. A storage medium having a computer program stored thereon, which when executed by a processor implements the key management method of any of claims 1 to 10.
- 13. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the key management method according to any one of claims 1 to 10.
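As an added illustration (not code from the patent or its assignee), the masked key-expansion round of claims 2 to 5 and the derivative mask of claim 10, written in Python with a constructed toy substitution box, four 32-bit input words and assumed rotation amounts of 13 and 23 bits; it checks that the masked schedule yields the same round keys as an unmasked reference while the original substitution box is only ever indexed by masked values.

```python
import secrets
MASK32 = 0xFFFFFFFF
# Constructed stand-in for the "original substitution box": a toy 8-bit bijection
# (odd multiplier mod 256), not the S-box of any real cipher.
SBOX = [(167 * v + 89) & 0xFF for v in range(256)]

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def linear(b, shifts):
    # L(b) = b ^ rotl(b, s) over all s; XOR-linear, so L(x ^ m) == L(x) ^ L(m)
    out = b
    for s in shifts:
        out ^= rotl32(b, s)
    return out

def target_sbox(m2_sub, m3_sub):
    # Claim 5: T[v] = S[v ^ m2_sub] ^ m3_sub, so S is never indexed by plain data
    return [SBOX[v ^ m2_sub] ^ m3_sub for v in range(256)]

def plain_round_key(k, shifts):
    # Unmasked reference: rk = k0 ^ L(S(k1 ^ k2 ^ k3)), S applied byte-wise
    sv = bytes(SBOX[v] for v in (k[1] ^ k[2] ^ k[3]).to_bytes(4, "big"))
    return k[0] ^ linear(int.from_bytes(sv, "big"), shifts)

def masked_round_key(k, m1, m2, m3, shifts):
    # One masked key-expansion round following claims 2 to 4 and claim 10
    km = [w ^ m1 for w in k]            # claim 3: every input word XOR m1
    x = km[1] ^ km[2] ^ km[3] ^ m2      # odd count of m1 survives, plus m2
    x ^= m1                             # mask switching: now (k1^k2^k3) ^ m2
    tboxes = [target_sbox(a, b)         # claim 5: one box per byte of m2/m3
              for a, b in zip(m2.to_bytes(4, "big"), m3.to_bytes(4, "big"))]
    s_out = int.from_bytes(bytes(t[v] for t, v in zip(tboxes, x.to_bytes(4, "big"))), "big")
    lin = linear(s_out, shifts)         # L(S(..)) ^ L(m3)
    d1 = linear(m3, shifts)             # claim 10: first derivative mask == L(m3)
    inter = lin ^ km[0]                 # round output intermediate, under d1 ^ m1
    return inter ^ d1 ^ m1              # masks removed last, yielding the round key

def expand(key_words, rounds, shifts=(13, 23), masked=True):
    # Claim 1 update policy: m2/m3 drawn once per initial key, fresh m1 every round.
    # The shift amounts are constructed; the claims only require them to differ.
    m2, m3 = secrets.randbits(32), secrets.randbits(32)
    state, rks = list(key_words), []
    for _ in range(rounds):
        rk = (masked_round_key(state, secrets.randbits(32), m2, m3, shifts)
              if masked else plain_round_key(state, shifts))
        rks.append(rk)
        state = state[1:] + [rk]        # next round input is the previous output
    return rks
```

Passing `shifts=(2, 10, 18)` exercises the three-rotation form of claim 10's second derivative mask with the same code.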
Description
Technical Field
The present disclosure relates to the field of computer applications, in particular to encryption techniques in that field, and more particularly to a key management method, a computing device, a storage medium, and a computer program product.
Background
The key is the core element guaranteeing the security and effectiveness of an encryption algorithm, and various key generation algorithms are widely used in cryptographic devices. However, with the advent and use of side-channel attacks, these cryptographic devices face a serious threat from such attacks.
Disclosure of Invention
Embodiments of the present disclosure provide a key management method, a computing device, a storage medium, and a computer program product to improve the resistance of a key against side-channel attacks. To achieve this technical purpose, the embodiments of the specification provide the following technical scheme.
In a first aspect, an embodiment of the present specification provides a key management method, comprising: in response to a key generation request carrying an initial key, executing a multi-round iterative process to obtain a plurality of sets of round keys; the iterative process comprising: obtaining a set of round keys based on a target substitution box using a first mask, a second mask, a third mask and round input data, wherein the round input data is obtained based on the initial key or the output of a previous round of the iterative process, the first mask is used for masking the round input data, the second mask is used for masking round-function intermediate values, the third mask is used for masking the output of the target substitution box, the target substitution box is obtained based on an original substitution box, the second mask and the third mask, the second mask is used for masking the input of the original substitution box, the third mask is used for masking the output of the original substitution box, the first mask is updated in each round of the iterative process, and the second mask and the third mask are updated when the initial key changes.
In a second aspect, an embodiment of the present specification further provides a computing device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the key management method described above when executing the computer program.
In a third aspect, an embodiment of the present specification further provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the key management method described above.
In a fourth aspect, embodiments of the present specification provide a computer program product or a computer program, the computer program product comprising a computer program stored in a computer-readable storage medium; a processor of a computing device reads the computer program from the computer-readable storage medium and, when executing it, implements the steps of the key management method described above. Alternatively, the computer program may be stored on a readable storage medium or in the cloud of a computing device, from which the processor of the computing device reads the computer program.
As can be seen from the above technical solutions, in the key management method provided by the embodiments of the present disclosure, during the iterative process of generating multiple sets of round keys, multiple randomly generated and mutually independent masks (a first mask, a second mask and a third mask) are used to mask the input data, intermediate data and output data of each round of the key expansion process, so that the side-channel signal observed by an attacker is the result of randomization, does not directly reflect the real key or data, and makes it difficult for the attacker to recover a mask value statistically by observing the same data point many times. Further, the first mask is updated in every round of the iteration, while the second mask and the third mask are updated whenever the initial key is replaced, so that an attacker cannot recover the mask values by collecting data over a long period, which improves the side-channel resistance of the key expansion rounds. In addition, the input and output of the target substitution box are protected by different masks (the second mask and the third mask), which means that even if an attacker can observe the power consumption or electromagnetic signals of accesses to the target substitution box, the attacker cannot directly infer the real input and output values, which further strengthens the side-channel resistance of the key expansion process. And the target repl