KR-102964314-B1 - Method and apparatus for resisting side channel attacks on post-quantum cryptography system
Abstract
The present invention relates to a method for performing decryption to counter side-channel attacks in a quantum-resistant cryptographic system and an apparatus for performing decryption. More specifically, the invention relates to a decryption method for countering side-channel attacks that measures and analyzes side-channel signals, such as power consumption signals, during the decryption of a quantum-resistant encrypted ciphertext, and an apparatus for performing the method. According to the present invention, a method is provided to defend against side-channel attacks by randomly dividing an input ciphertext into two and performing operations, thereby making it impossible for an attacker to predict the intermediate value processed in the coefficient-wise multiplication of the two actual polynomials and thus making it impossible to calculate the correlation with the waveform. In addition, by randomizing the position of the coefficient performed first in the coefficient-wise multiplication of the two polynomials, the power waveform cannot be aligned to a specific coefficient value, thereby eliminating the correlation between the waveform and the coefficients and thus enabling defense against side-channel attacks.
Inventors
- 하재철
Assignees
- 주식회사 토브커넥트
Dates
- Publication Date: 2026-05-13
- Application Date: 2022-04-15
Claims (10)
- A method by which a device performing decryption in a lattice-based quantum-resistant cryptographic system (hereinafter the "decryption device") performs decryption that counters a side-channel attack, the method comprising: (a) receiving a lattice-based quantum-resistant encrypted ciphertext polynomial of degree n-1; (b) generating a transformed ciphertext and a transformed private key by applying the Number Theoretic Transform (NTT) to the ciphertext polynomial and to the private key polynomial, respectively; (c) performing coefficient-wise multiplication of the transformed ciphertext and the transformed private key, wherein either the transformed ciphertext is divided into a random first divided ciphertext polynomial and second divided ciphertext polynomial that, when combined, yield the transformed ciphertext, and the transformed private key is multiplied coefficient-wise with each of the first and second divided ciphertext polynomials, or the transformed private key is divided into a random first divided private key polynomial and second divided private key polynomial that, when combined, yield the transformed private key, and the transformed ciphertext is multiplied coefficient-wise with each of the first and second divided private key polynomials; (d) calculating a polynomial by summing the two polynomials obtained in step (c); and (e) applying the inverse NTT (INTT) to the polynomial calculated in step (d); wherein the coefficient-wise multiplication of step (c) first randomly determines a starting index, an integer between 0 and n-1 representing the degree of the polynomial term whose coefficient is multiplied first, and then proceeds sequentially in an upward or downward direction starting from the coefficient of the term of that degree, so that, because the starting index is random, the power waveform cannot be aligned to a specific coefficient value, thereby eliminating the correlation between the waveform and the coefficients and countering an attacker's side-channel attack.
- (deleted)
- (deleted)
- (deleted)
- A device for performing decryption in a lattice-based quantum-resistant cryptographic system, comprising: at least one processor; and at least one memory storing computer-executable instructions, wherein the computer-executable instructions stored in the at least one memory, when executed by the at least one processor, cause the device to perform: (a) receiving a lattice-based quantum-resistant encrypted ciphertext polynomial of degree n-1; (b) generating a transformed ciphertext and a transformed private key by applying the Number Theoretic Transform (NTT) to the ciphertext polynomial and to the private key polynomial, respectively; (c) performing coefficient-wise multiplication of the transformed ciphertext and the transformed private key, wherein either the transformed ciphertext is divided into a random first divided ciphertext polynomial and second divided ciphertext polynomial that, when combined, yield the transformed ciphertext, and the transformed private key is multiplied coefficient-wise with each of the first and second divided ciphertext polynomials, or the transformed private key is divided into a random first divided private key polynomial and second divided private key polynomial that, when combined, yield the transformed private key, and the transformed ciphertext is multiplied coefficient-wise with each of the first and second divided private key polynomials; (d) calculating a polynomial by summing the two polynomials obtained in step (c); and (e) applying the inverse NTT (INTT) to the polynomial calculated in step (d); wherein the coefficient-wise multiplication of step (c) first randomly determines a starting index, an integer between 0 and n-1 representing the degree of the polynomial term whose coefficient is multiplied first, and then proceeds sequentially in an upward or downward direction starting from the coefficient of the term of that degree, so that, because the starting index is random, the power waveform cannot be aligned to a specific coefficient value, thereby eliminating the correlation between the waveform and the coefficients and countering an attacker's side-channel attack.
- A computer program stored on a computer-readable, non-transitory storage medium for performing decryption in a lattice-based quantum-resistant cryptographic system, the program comprising instructions that, when executed by a processor, cause the processor to perform: (a) receiving a lattice-based quantum-resistant encrypted ciphertext polynomial of degree n-1; (b) generating a transformed ciphertext and a transformed private key by applying the Number Theoretic Transform (NTT) to the ciphertext polynomial and to the private key polynomial, respectively; (c) performing coefficient-wise multiplication of the transformed ciphertext and the transformed private key, wherein either the transformed ciphertext is divided into a random first divided ciphertext polynomial and second divided ciphertext polynomial that, when combined, yield the transformed ciphertext, and the transformed private key is multiplied coefficient-wise with each of the first and second divided ciphertext polynomials, or the transformed private key is divided into a random first divided private key polynomial and second divided private key polynomial that, when combined, yield the transformed private key, and the transformed ciphertext is multiplied coefficient-wise with each of the first and second divided private key polynomials; (d) calculating a polynomial by summing the two polynomials obtained in step (c); and (e) applying the inverse NTT (INTT) to the polynomial calculated in step (d); wherein the coefficient-wise multiplication of step (c) first randomly determines a starting index, an integer between 0 and n-1 representing the degree of the polynomial term whose coefficient is multiplied first, and then proceeds sequentially in an upward or downward direction starting from the coefficient of the term of that degree, so that, because the starting index is random, the power waveform cannot be aligned to a specific coefficient value, thereby eliminating the correlation between the waveform and the coefficients and countering an attacker's side-channel attack.
- (deleted)
- (deleted)
- (deleted)
- (deleted)
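Steps (c) and (d) of claim 1, worked as an added example (not code from the patent): the NTT-domain ciphertext is split into two random additive shares, each share is multiplied coefficient-wise with the NTT-domain key starting at a random index and walking in a random direction, and the two partial products are summed. The example assumes Kyber's modulus q = 3329 and n = 256, and takes its inputs as already NTT-transformed, so steps (b) and (e) are out of scope here; the masking is correct because coefficient-wise multiplication is linear in each coefficient modulo q.

```python
import secrets

Q = 3329  # assumed: Kyber's modulus (the page names Kyber but gives no value)
N = 256   # assumed: number of coefficients of a degree n-1 polynomial

def split_random(poly):
    """Step (c): divide an NTT-domain polynomial into two random shares whose
    coefficient-wise sum (mod q) is the original. Each share alone is uniform,
    so no single intermediate value depends on the real coefficient."""
    share1 = [secrets.randbelow(Q) for _ in poly]
    share2 = [(c - s) % Q for c, s in zip(poly, share1)]
    return share1, share2

def masked_pointwise_mul(share, key_ntt, start, upward):
    """Coefficient-wise multiplication that begins at index `start` and walks
    cyclically upward or downward, so the first coefficient processed (and the
    position of every later one in the trace) is not fixed across runs."""
    n = len(share)
    out = [0] * n
    step = 1 if upward else -1
    for k in range(n):
        i = (start + step * k) % n
        out[i] = (share[i] * key_ntt[i]) % Q
    return out

def protected_product(ct_ntt, sk_ntt):
    """Steps (c) and (d): share the ciphertext, multiply each share with the key
    from an independently random start index and direction, then recombine.
    Linearity gives (s1 + s2) * k = s1*k + s2*k (mod q) per coefficient."""
    s1, s2 = split_random(ct_ntt)
    partials = []
    for share in (s1, s2):
        start = secrets.randbelow(len(ct_ntt))   # random starting index in [0, n-1]
        upward = secrets.randbelow(2) == 1       # random traversal direction
        partials.append(masked_pointwise_mul(share, sk_ntt, start, upward))
    return [(a + b) % Q for a, b in zip(*partials)]

def plain_product(ct_ntt, sk_ntt):
    """Unprotected reference: the conventional coefficient-wise product."""
    return [(c * s) % Q for c, s in zip(ct_ntt, sk_ntt)]

if __name__ == "__main__":
    # Constructed sample inputs standing in for NTT-domain ciphertext and key.
    ct = [(i * 7 + 3) % Q for i in range(N)]
    sk = [(i * i + 11) % Q for i in range(N)]
    print("masked result matches reference:", protected_product(ct, sk) == plain_product(ct, sk))
```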
Description
Method and apparatus for resisting side channel attacks on post-quantum cryptography system

The present invention relates to a method for performing decryption to counter side-channel attacks in a quantum-resistant cryptographic system and an apparatus for performing decryption. More specifically, the invention relates to a decryption method for countering side-channel attacks that measure and analyze side-channel signals, such as power consumption signals, during the decryption of a quantum-resistant encrypted ciphertext, and an apparatus for performing the method.

Quantum-resistant cryptographic systems are public-key based cryptographic systems that use the counterparty's public key for encryption and the recipient's private key for decryption of plaintext data. In such systems the private key can be exposed by side-channel attacks, in which the multiplication of the secret private key polynomial with a known polynomial is implemented on a microprocessor and the side-channel signals it leaks during decryption (e.g., power consumption signals) are measured and analyzed; countermeasures are therefore required.

Figure 1 is a block diagram showing a conventional decryption method in a lattice-based quantum-resistant cryptographic system. FIG. 2 is a block diagram illustrating the decryption method of the present invention in a lattice-based quantum-resistant cryptographic system. FIG. 3 is a flowchart of the decryption method of the present invention in a lattice-based quantum-resistant cryptographic system. FIG. 4 is a diagram showing the configuration of a device for performing the decryption method of the present invention in a lattice-based quantum-resistant cryptographic system.

Preferred embodiments of the present invention will be described in detail below with reference to the attached drawings.
Before that, the terms and words used in this specification and claims should not be interpreted as being limited to their ordinary or dictionary meanings, but should be interpreted in a meaning and concept consistent with the technical spirit of the present invention, based on the principle that the inventor may appropriately define the concept of the terms to best describe the invention. Accordingly, the embodiments described in this specification and the configurations illustrated in the drawings are merely one preferred embodiment of the present invention and do not represent all aspects of its technical spirit; it should be understood that various equivalents and modifications capable of replacing them may exist at the time of filing this application.

Figure 1 is a block diagram showing a conventional decryption method in a lattice-based quantum-resistant cryptographic system. A quantum-resistant cryptographic system is a public-key-based cryptographic system that uses the counterparty's public key for encryption and the recipient's private key for decryption of plaintext data. Among quantum-resistant cryptographic systems, lattice-based schemes such as Saber and Kyber have been proposed. Kyber is an algorithm based on the Ring-Learning With Errors (RLWE) problem, in which operations are performed on a polynomial ring and polynomial multiplication is the most important operation. The polynomial operations are performed over a ring whose definition is given in the specification, and the coefficients of the polynomial are defined to be smaller than q, where q is a prime integer that bounds the coefficient values of the polynomial; that is, each coefficient of the polynomial has a value from 0 to q-1. In particular, when decrypting a ciphertext produced from a plaintext, the ciphertext is recovered to plaintext through a polynomial multiplication with the private key.
The inputs to the decryption operation are the already known ciphertext polynomial and the private key polynomial, which are multiplied together as shown in the specification's equation, where × denotes convolution multiplication, in which every coefficient of one polynomial is multiplied once with every coefficient of the other. Because multiplying two polynomials of degree n-1 with n coefficients by the convolution method requires every coefficient to be multiplied with every coefficient of the other polynomial, it is inefficient because of the number of multiplications required. To perform convolution multiplication efficiently, the two polynomials are subjected to the Number Theoretic Transform (NTT) and then multiplied coefficient-wise. After the two NTT-transformed polynomials have been multiplied coefficient-wise, the inverse transform, INTT, is applied to complete the final multiplication. Here ⓧ denotes coefficient-wise multiplication, which in practice is the multiplication of the coefficients of the same degree of the two polynomials. The product of the two polynomials becomes plaintext only after further operations, so it is the result of an intermediate step of the decryption process. In