
CN-122027120-A - Data processing method, computing device, storage medium and computer program product


Abstract

The embodiments of this specification provide a data processing method that masks the round constants of the SM3 compression function, so that an attacker cannot infer key-related intermediate values from the publicly known round constants, which improves the method's resistance to side-channel attacks. Specifically, the round constants are replaced by mask constants that take part in the computation in randomized form; an attacker therefore cannot predict any intermediate result that involves a round constant, which removes the basis for building a differential model. To keep the mask constants usable inside the SM3 compression function, the first mask (on the mask constants) is compatible with the second mask (on the state variables): the two masks are either the same random number or related by a defined mathematical relationship, and at each operation step they lie in the same mask domain. The two values can then be combined directly and securely within the mask domain without ever exposing the plaintext.

Inventors

  • Su changshan
  • WANG BO
  • LI GEN
  • TANG YUXING

Assignees

  • 飞腾信息技术有限公司

Dates

Publication Date
2026-05-12
Application Date
2026-01-14

Claims (12)

  1. A data processing method, comprising: receiving input data and processing the input data based on an SM3 compression function to obtain target data, wherein the processing of the input data based on the SM3 compression function comprises a multi-round iterative process, and each iteration comprises: reading the mask constant corresponding to the current iteration round from a constant table, wherein the constant table comprises a plurality of mask constants in one-to-one correspondence with the round constants of the SM3 algorithm, and a first mask on the mask constants is compatible with a second mask on the state variables during the iteration; and completing the current round of iteration based on the mask constant and the state variables of the current round; wherein compatibility means that at least one of the following holds between the two masks: the two masks are the same random number, or a defined mathematical relationship exists between them; and, at the different operation steps of the SM3 algorithm, the first mask and the second mask are in the same mask domain, the mask domain being one of a Boolean domain and an arithmetic domain.
  2. The method of claim 1, wherein the logical AND operations of the SM3 compression function are implemented by a secure AND module, the modular addition operations of the SM3 compression function by a secure modular addition module, and the Boolean/arithmetic domain conversions of the SM3 compression function by a first conversion module or a second conversion module, wherein: the secure AND module receives two order-n Boolean-masked variables (each represented by n Boolean shares) and computes their logical AND in the Boolean domain to obtain a Boolean-masked output variable; the secure modular addition module receives two order-n Boolean-masked variables, calls the secure AND module to compute the carries bit by bit and propagates the carries in the Boolean domain by iteration, so that the modular addition is completed entirely in the Boolean domain; the first conversion module (arithmetic to Boolean) receives an order-n arithmetic-masked variable, divides its n arithmetic shares into two subgroups, recursively converts each subgroup into Boolean shares, and then adds the Boolean shares of the two subgroups with the secure modular addition module to obtain the Boolean-masked variable corresponding to the arithmetic-masked variable; and the second conversion module (Boolean to arithmetic) receives an order-n Boolean-masked variable, assigns random values to the first n-1 output shares, calls the first conversion module and the secure modular addition module, and computes a compensation value as the n-th output share, so that the sum of all output shares equals the XOR of the shares of the input order-n Boolean-masked variable.
  3. The method of claim 2, wherein the secure AND module is specifically configured to generate a random number for each pair of distinct share indices (the share indices identifying the input shares of the two input Boolean-masked variables), compute a complementary share from the input shares corresponding to those share indices and the random number, and compute the output shares from the input shares and the complementary shares, such that the XOR of all output shares equals the logical AND of the two input Boolean-masked variables; the complementary share satisfies r_{j,i} = (r_{i,j} ⊕ (x_i ∧ y_j)) ⊕ (x_j ∧ y_i), where (i, j) is the pair of share indices, x_i, x_j, y_i and y_j are the input shares for those indices, r_{i,j} is the random number, r_{j,i} is the complementary share, ⊕ denotes exclusive OR and ∧ denotes logical AND.
  4. The method of claim 2, wherein the secure modular addition module is specifically configured to call the secure AND module to compute the carry-generate term of the two input order-n Boolean-masked variables, compute the XOR of the two input variables as the sum term, perform multiple rounds of carry-variable update iteration based on the carry-generate term and the sum term, and, once the iterations are complete, take the XOR of the sum term and the carry variable as the modular addition result of the two input variables; each carry-variable update iteration calls the secure AND module to compute the logical AND of the carry variable and the sum term, XORs that result with the carry-generate term, shifts the XOR result left by one bit, and takes the shifted value as the updated carry variable.
  5. The method of claim 2, further comprising: receiving configuration data, and configuring the order n of the secure modular addition module, the secure AND module, the first conversion module and the second conversion module according to the configuration data; the mask constants also correspond to the configuration data.
  6. The method of claim 1, wherein the target data comprises a message authentication code and the input data comprises a message and a key; processing the input data based on the SM3 compression function to obtain the target data comprises: performing inner hash processing based on the SM3 compression function and the masked input data to obtain a first masked hash value; and performing outer hash processing based on the SM3 compression function and the first masked hash value to obtain the message authentication code; wherein in both the inner and the outer hash processing the iterative process is executed using the mask constants of the constant table, and a third mask, used to mask the input data, is compatible with the first mask and the second mask.
  7. The method of claim 6, wherein performing the inner hash processing comprises: XORing the masked key with a first preset constant in a first mask domain to obtain a first intermediate masked variable, concatenating the first intermediate masked variable with the masked message to form first concatenated data, and calling the SM3 compression function on the first concatenated data to obtain the first masked hash value; and performing the outer hash processing comprises: XORing the masked key with a second preset constant in the first mask domain to obtain a second intermediate masked variable, concatenating the second intermediate masked variable with the first masked hash value to form second concatenated data, and calling the SM3 compression function on the second concatenated data to obtain the target data; wherein the first preset constant and the second preset constant are respectively the ipad and opad constants defined by the HMAC algorithm, and the first mask domain is a Boolean domain.
  8. A computing device, comprising a processing unit configured to: receive input data and process the input data based on an SM3 compression function to obtain target data, wherein the processing of the input data based on the SM3 compression function comprises a multi-round iterative process, and each iteration comprises: reading the mask constant corresponding to the current iteration round from a constant table, wherein the constant table comprises a plurality of mask constants in one-to-one correspondence with the round constants of the SM3 algorithm, and a first mask on the mask constants is compatible with a second mask on the state variables during the iteration; and completing the current round of iteration based on the mask constant and the state variables of the current round; wherein compatibility means that at least one of the following holds between the two masks: the two masks are the same random number, or a defined mathematical relationship exists between them; and, at the different operation steps of the SM3 algorithm, the first mask and the second mask are in the same mask domain, the mask domain being one of a Boolean domain and an arithmetic domain.
  9. The computing device of claim 8, wherein the processing unit comprises a general-purpose processor and a special-purpose processor; the general-purpose processor is configured to receive the input data, mask the input data to obtain masked input data, and send a processing instruction to the special-purpose processor; and the special-purpose processor is configured to process the masked input data based on the SM3 compression function in response to the processing instruction.
  10. The computing device of claim 9, wherein the general-purpose processor is further configured to receive configuration data and send a configuration instruction to the special-purpose processor; the special-purpose processor comprises a configurable masked computation core, a scalable state register file, a round-function controller and a true random number generator, wherein: the configurable masked computation core is configured to adjust the mask order n in response to the configuration instruction and to perform the multi-round iterative process of the SM3 compression function, and comprises a high-order secure AND gate array for executing masked logical AND operations in parallel, each masked logical AND receiving two order-n Boolean-masked variables and computing their AND in the Boolean domain to obtain a Boolean-masked output variable, a masked arithmetic logic unit for performing modular addition, XOR and cyclic shift operations within the mask domain, and a mask-domain conversion module for secure conversion between the Boolean domain and the arithmetic domain; the depth of the scalable state register file is configured to the mask order n, and the file stores the shares of the intermediate state variables of the SM3 compression function; the round-function controller is connected to the configurable masked computation core and to the general-purpose processor and is configured, in response to the processing instruction, to control the 64-round iterative process of the SM3 compression function and to return the result to the general-purpose processor once the iterations are complete, its control operations comprising loading the mask constant of the current round, loading the message word of the current round, and sending an operation instruction to the configurable masked computation core to trigger it to execute the secure operation of the current round; and the true random number generator generates the random numbers required for splitting values into shares.
  11. A storage medium having a computer program stored thereon which, when executed by a processor, implements the data processing method of any one of claims 1 to 7.
  12. A computer program product comprising a computer program which, when executed by a processor, implements the data processing method of any one of claims 1 to 7.
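The claims describe the gadgets only in words. The C program below is an added illustration, not code from the patent or its assignee: it implements one concrete instance of the ISW-style secure AND of claim 3, the carry-iteration secure adder of claim 4, and a Boolean-masked round-constant table that lives in the same mask domain as the state (one of the compatibility options of claim 1), and then computes the SM3 term SS1 = ((A <<< 12) + E + (T_j <<< j)) <<< 7 entirely on shares for any order n up to a fixed cap. The xorshift PRNG, the 8-share cap and all function names are assumptions made for the example; a real design would draw its masks from the true random number generator of claim 10.

```c
/* Added example, not the patent's code: n-share Boolean masking of the SM3
 * SS1 term with a masked round-constant table, an ISW-style secure AND
 * (claim 3) and a carry-iteration secure adder (claim 4). */
#include <stdint.h>
#include <stdio.h>
#define MAX_SHARES 8   /* assumed cap on the mask order n for this demo */

/* Assumption: xorshift32 stands in for the TRNG a real design draws masks from. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rng32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static uint32_t rotl32(uint32_t v, unsigned r) {
    r &= 31;
    return r ? (v << r) | (v >> (32 - r)) : v;
}

/* Split v into n Boolean shares with s[0] ^ ... ^ s[n-1] == v. */
static void bool_mask(uint32_t v, uint32_t *s, int n) {
    s[0] = v;
    for (int i = 1; i < n; i++) { s[i] = rng32(); s[0] ^= s[i]; }
}

static uint32_t bool_unmask(const uint32_t *s, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v ^= s[i];
    return v;
}

/* Secure AND (claim 3): for each pair i<j draw r_ij and set the complementary
 * share r_ji = (r_ij ^ (x_i & y_j)) ^ (x_j & y_i); output share
 * z_i = (x_i & y_i) ^ XOR_{j!=i} r_ij, so the XOR of all z_i equals x & y. */
static void sec_and(const uint32_t *x, const uint32_t *y, uint32_t *z, int n) {
    uint32_t r[MAX_SHARES][MAX_SHARES];
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) {
            r[i][j] = rng32();
            r[j][i] = (r[i][j] ^ (x[i] & y[j])) ^ (x[j] & y[i]);
        }
    for (int i = 0; i < n; i++) {
        z[i] = x[i] & y[i];
        for (int j = 0; j < n; j++) if (j != i) z[i] ^= r[i][j];
    }
}

/* Secure modular addition (claim 4) without leaving the Boolean domain:
 * g = SecAND(x,y) is the carry-generate term, p = x ^ y the sum term; the
 * carry is updated 31 times as c = (SecAND(c,p) ^ g) << 1, enough to ripple
 * across 32 bits, and the result is p ^ c. XOR and shift act per share. */
static void sec_add(const uint32_t *x, const uint32_t *y, uint32_t *z, int n) {
    uint32_t g[MAX_SHARES], p[MAX_SHARES], c[MAX_SHARES], t[MAX_SHARES];
    sec_and(x, y, g, n);
    for (int i = 0; i < n; i++) { p[i] = x[i] ^ y[i]; c[i] = 0; }
    for (int k = 0; k < 31; k++) {
        sec_and(c, p, t, n);
        for (int i = 0; i < n; i++) c[i] = (t[i] ^ g[i]) << 1;
    }
    for (int i = 0; i < n; i++) z[i] = p[i] ^ c[i];
}

/* SM3 round constants T_j (GB/T 32905-2016). */
static uint32_t sm3_T(int j) { return j < 16 ? 0x79CC4519u : 0x7A879D8Au; }

/* Masked constant table (claim 1): entry j holds rotl(T_j, j mod 32) split into
 * n Boolean shares, i.e. the same mask domain as the state, so sec_add can
 * consume it directly. Masks are drawn when the table is built. */
static uint32_t masked_T[64][MAX_SHARES];
static void build_masked_T(int n) {
    for (int j = 0; j < 64; j++) bool_mask(rotl32(sm3_T(j), j % 32), masked_T[j], n);
}

/* Reference on plain values: SS1 = ((A <<< 12) + E + (T_j <<< j)) <<< 7. */
static uint32_t ss1_plain(uint32_t a, uint32_t e, int j) {
    return rotl32(rotl32(a, 12) + e + rotl32(sm3_T(j), j % 32), 7);
}

/* The same SS1 computed only on shares; unmasked once at the end for checking. */
static uint32_t ss1_masked(uint32_t a, uint32_t e, int j, int n) {
    uint32_t A[MAX_SHARES], E[MAX_SHARES], ra[MAX_SHARES], s[MAX_SHARES], out[MAX_SHARES];
    build_masked_T(n);
    bool_mask(a, A, n);
    bool_mask(e, E, n);
    for (int i = 0; i < n; i++) ra[i] = rotl32(A[i], 12);   /* rotation is share-wise */
    sec_add(ra, E, s, n);                                   /* (A <<< 12) + E        */
    sec_add(s, masked_T[j], out, n);                        /* + masked (T_j <<< j)  */
    for (int i = 0; i < n; i++) out[i] = rotl32(out[i], 7);
    return bool_unmask(out, n);
}

int main(void) {
    uint32_t a = 0x7380166Fu, e = 0xA96F30BCu;   /* words A and E of the SM3 IV */
    for (int n = 2; n <= 4; n++)
        printf("n=%d  SS1 masked %08x  plain %08x\n", n,
               ss1_masked(a, e, 20, n), ss1_plain(a, e, 20));
    return 0;
}
```

Build with `cc -std=c99 -O0 masked_ss1.c` (file name assumed) and the masked and plain SS1 values agree for every order. Two points matter in practice: the example shows functional correctness of the gadgets only, and is not a leakage proof; an optimising compiler may recombine shares, and a weak random source voids the masking. Note also that the round constant never appears in the clear inside the round: it enters as shares from the table, which is the abstract's point about removing the attacker's known-constant foothold.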

Description

Data processing method, computing device, storage medium and computer program product

Technical Field

The present specification relates to the field of computer technology, and in particular to a data processing method, a computing device, a storage medium and a computer program product.

Background

The SM3 algorithm (SM3 Cryptographic Hash Algorithm) is a cryptographic hash algorithm developed independently in China and used in many scenarios. For example, SM3 can be combined with the HMAC (Hash-Based Message Authentication Code) construction to generate message authentication codes. It is also used for digital signatures and authentication, data integrity protection, key management and similar purposes, and as a general hash algorithm for data processing. At present, processing data with the SM3 algorithm carries certain security risks, so the security of the data processing process needs to be improved and the risk of data leakage reduced.

Disclosure of Invention

Embodiments of this specification provide a data processing method, a computing device, a storage medium and a computer program product, with the aim of improving the resistance of the data processing method to side-channel attacks.
To achieve this technical purpose, the embodiments of this specification provide the following technical solutions. In a first aspect, an embodiment of this specification provides a data processing method, comprising: receiving input data and processing the input data based on an SM3 compression function to obtain target data, wherein the processing of the input data based on the SM3 compression function comprises a multi-round iterative process, and each iteration comprises: reading the mask constant corresponding to the current iteration round from a constant table, wherein the constant table comprises a plurality of mask constants in one-to-one correspondence with the round constants of the SM3 algorithm, and a first mask on the mask constants is compatible with a second mask on the state variables during the iteration; and completing the current round of iteration based on the mask constant and the state variables of the current round; wherein compatibility means that at least one of the following holds between the two masks: the two masks are the same random number, or a defined mathematical relationship exists between them; and, at the different operation steps of the SM3 algorithm, the first mask and the second mask are in the same mask domain, the mask domain being one of a Boolean domain and an arithmetic domain.
In a second aspect, an embodiment of this specification also provides a computing device comprising a processing unit configured to: receive input data and process the input data based on an SM3 compression function to obtain target data, wherein the processing of the input data based on the SM3 compression function comprises a multi-round iterative process, and each iteration comprises: reading the mask constant corresponding to the current iteration round from a constant table, wherein the constant table comprises a plurality of mask constants in one-to-one correspondence with the round constants of the SM3 algorithm, and a first mask on the mask constants is compatible with a second mask on the state variables during the iteration; and completing the current round of iteration based on the mask constant and the state variables of the current round; wherein compatibility means that at least one of the following holds between the two masks: the two masks are the same random number, or a defined mathematical relationship exists between them; and, at the different operation steps of the SM3 algorithm, the first mask and the second mask are in the same mask domain, the mask domain being one of a Boolean domain and an arithmetic domain. In a third aspect, an embodiment of this specification further provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the data processing method described above. In a fourth aspect, embodiments of this specification provide a computer program product or a computer program, the computer program product comprising a computer program stored on a computer-readable storage medium; a processor of the computing device reads the computer program from the computer-readable storage medium and, when executing it, implements the steps of the data processing method described above.
Alternatively, the computer program may be stored on a readable storage medium or in the cloud of a computing device, from which the processor of the computing device reads the computer program. According to the technical scheme, the mask of the round c