Mixed physical unclonable function structure and SBOX mask method

Document no.: 89587   Publication date: 2021-10-08   Views: 38   Language: Chinese

Reading note: the technology 一种混合物理不可克隆函数结构及sbox掩码方法 (Mixed physical unclonable function structure and SBOX mask method) was designed and created by 郑朝霞, 赵娅岐, 蒋思航, 徐尚成, 王超 and 余国义 on 2021-06-16. Main content: the invention discloses a hybrid physical unclonable function (PUF) structure and an SBOX masking method, belonging to the fields of digital integrated circuit design and robot security. The masking method applies to block ciphers that use an SBOX for their nonlinear transformation, such as AES, DES and SM4, and to reconfigurable SBOXes that implement the SBOX of those algorithms in parameterised form. The hybrid PUF is the bit concatenation of the responses of a basic PUF and an environment-sensing PUF, both SR-latch-based PUF structures, and produces a unique output that depends on characteristics both inside the chip and in its off-chip environment. The SBOX masking method builds on existing random masking methods: the hybrid PUF response is additionally used to mask the SBOX input and to compensate the SBOX output, so that the design not only resists power analysis attacks but also supports chip-level anti-counterfeiting.

1. A hybrid physical unclonable function structure comprising a first PUF array and a second PUF array;

the first PUF array comprises a plurality of stages of basic PUF units which are sequentially connected, wherein the basic PUF units are SR latches formed by NAND gates;

the second PUF array comprises a plurality of stages of environment sensing PUF units which are sequentially connected, and each environment sensing PUF unit comprises a first NAND gate and a second NAND gate;

the first input end of the first NAND gate is connected with the first input end of the second NAND gate to serve as a switch control end, the second input end of the first NAND gate is connected with the output end of the second NAND gate, and the second input end of the second NAND gate is connected with the output end of the first NAND gate;

chip output pins are led out from the output ends of the first NAND gate and the second NAND gate, and chip input pins are led out from the second input ends of the first NAND gate and the second NAND gate.

2. The hybrid physical unclonable function structure of claim 1, wherein the number of basic PUF cells in the first PUF array is equal to the number of environment-sensing PUF cells in the second PUF array.

3. The hybrid physical unclonable function structure of claim 2, wherein the number of basic PUF cells in the first PUF array depends on the input data bit width.

4. A masking method based on the hybrid physical unclonable function structure of claim 1, wherein the masking method is used in a block cipher algorithm, comprising the steps of:

S1. In each round transformation, read the response value of the hybrid physical unclonable function structure to generate the mask r_PUFa, then XOR it bitwise with the generated random number r_RNG to obtain the data mask r_a;

S2. Generate the row transformation matrix Rx and the column transformation matrix Ry from the data mask r_a, generate the mask matrix MS from random numbers, and generate a new S-box SBOX_new from the row transformation matrix Rx, the column transformation matrix Ry and the random number matrix MS;

for each byte input a, obtain the new S-box transformation result SBOX_new(a ^ r_a);

S3. Excite the hybrid physical unclonable function structure to obtain the real-time response r_PUFb, then XOR it bitwise with the random number r_RNG to obtain the data mask r_b;

for each byte input a, obtain the transformation result MS(a ^ r_b) of the byte input through the mask matrix MS;

S4. Apply the linear transformation of the block cipher to the new S-box transformation result and to the mask-matrix transformation result, obtaining the first linear transformation result L(SBOX_new(a ^ r_a)) and the second linear transformation result L(MS(a ^ r_b));

S5. XOR the first linear transformation result with the second linear transformation result to obtain the output of the current round transformation.

5. The masking method of claim 4, wherein generating the row transformation matrix Rx and the column transformation matrix Ry from the data mask r_a in step S2 comprises:

splitting the data mask r_a into a high and a low nibble according to r_a = x·2^4 + y, where the high four bits are x and the low four bits are y; row i of the row transformation matrix Rx is row (i ^ x) of the identity matrix, and column j of the column transformation matrix Ry is column (j ^ y) of the identity matrix.

6. The masking method of claim 4, wherein the new S-box SBOX_new is obtained as SBOX_new = Rx · SBOX · Ry ^ MS.

7. The masking method of claim 4, wherein the response value of the hybrid physical unclonable function structure used in step S1 is stored in OTP in advance.

8. The masking method of any one of claims 4 to 7, wherein the output of the round transformation is compared with the result obtained without the SBOX mask; if they match, the chip has not been removed and forged, otherwise the operation result is erroneous and the cryptographic function of the chip fails.

Technical Field

The invention belongs to the field of digital integrated circuit design and robot safety, and particularly relates to a hybrid physical unclonable function structure and an SBOX mask method.

Background

In block ciphers such as AES, DES and SM4, the nonlinear step, the SBOX, is a key link in the security of the process. In a circuit, 0-to-1 and 1-to-0 data transitions charge and discharge the corresponding capacitances and thereby produce different changes in power consumption; by collecting a large number of operations and analysing the power consumption information statistically, the key used in encryption or decryption can be deduced, i.e. the algorithm is broken by a power analysis attack. The mainstream countermeasure for current algorithms masks the plaintext and the key with random numbers so that the data toggle probability is the same across the different operations, which conceals the power consumption characteristics of the operations and achieves resistance to power analysis attacks.

Meanwhile, in some specific application scenarios such as embedded robots, an original equipment chip that has been scrapped but still functions normally can be removed and assembled with some low-cost peripherals of similar function, so that products can be counterfeited without destroying the chip; at present no good active anti-counterfeiting measure exists.

Disclosure of Invention

In view of the defects of the related art, the present invention aims to provide a hybrid physical unclonable function structure and an SBOX masking method, so as to resist power analysis attacks on block ciphers and to prevent robot chips from being removed and used for counterfeiting.

To achieve the above object, an aspect of the present invention provides a hybrid physical unclonable function structure including a first PUF array and a second PUF array;

the first PUF array comprises a plurality of stages of basic PUF units which are sequentially connected, wherein the basic PUF units are SR latches formed by NAND gates;

the second PUF array comprises a plurality of stages of environment sensing PUF units which are sequentially connected, and each environment sensing PUF unit comprises a first NAND gate and a second NAND gate;

the first input end of the first NAND gate is connected with the first input end of the second NAND gate to serve as a switch control end, the second input end of the first NAND gate is connected with the output end of the second NAND gate, and the second input end of the second NAND gate is connected with the output end of the first NAND gate;

chip output pins are led out from the output ends of the first NAND gate and the second NAND gate, and chip input pins are led out from the second input ends of the first NAND gate and the second NAND gate.

Further, the number of basic PUF cells in the first PUF array is equal to the number of environment-sensing PUF cells in the second PUF array.

Further, the number of basic PUF cells in the first PUF array depends on the input data bit width.

Another aspect of the present invention provides a masking method based on the above mixed physical unclonable function structure, where the masking method is used in a block cipher algorithm, and includes the following steps:

S1. In each round transformation, read the response value of the hybrid physical unclonable function structure to generate the mask r_PUFa, then XOR it bitwise with the generated random number r_RNG to obtain the data mask r_a;

S2. Generate the row transformation matrix Rx and the column transformation matrix Ry from the data mask r_a, generate the mask matrix MS from random numbers, and generate a new S-box SBOX_new from the row transformation matrix Rx, the column transformation matrix Ry and the random number matrix MS;

for each byte input a, obtain the new S-box transformation result SBOX_new(a ^ r_a);

S3. Excite the hybrid physical unclonable function structure to obtain the real-time response r_PUFb, then XOR it bitwise with the random number r_RNG to obtain the data mask r_b;

for each byte input a, obtain the transformation result MS(a ^ r_b) of the byte input through the mask matrix MS;

S4. Apply the linear transformation of the block cipher to the new S-box transformation result and to the mask-matrix transformation result, obtaining the first linear transformation result L(SBOX_new(a ^ r_a)) and the second linear transformation result L(MS(a ^ r_b));

S5. XOR the first linear transformation result with the second linear transformation result to obtain the output of the current round transformation.

Further, generating the row transformation matrix Rx and the column transformation matrix Ry from the data mask r_a in step S2 comprises:

splitting the data mask r_a into a high and a low nibble according to r_a = x·2^4 + y, where the high four bits are x and the low four bits are y; row i of the row transformation matrix Rx is row (i ^ x) of the identity matrix, and column j of the column transformation matrix Ry is column (j ^ y) of the identity matrix.

Further, the new S-box SBOX_new is obtained as SBOX_new = Rx · SBOX · Ry ^ MS.

Further, the response value of the hybrid physical unclonable function structure used in step S1 is stored in OTP in advance.

Further, the output of the round transformation is compared with the result obtained without the SBOX mask; if they agree, the chip has not been removed and forged, otherwise the operation result is erroneous and the cryptographic function of the chip fails.

Through the technical scheme, compared with the prior art, the invention has the following beneficial effects:

(1) the masking method of the invention makes the 0/1 toggle probabilities of the data in the block cipher operations nearly equal, so that the power consumption information of the encryption and decryption process is covered and resistance to power analysis attacks is achieved;

(2) by combining the masking method with the hybrid PUF, any removal of the chip destroys the unique response of the hybrid PUF, which causes an SBOX mask compensation error in the encryption and decryption process and disables the algorithm module, so that the product cannot be counterfeited with a discarded chip and active anti-counterfeiting is achieved.

Drawings

FIG. 1 is a basic flow diagram of the masking method of the present invention;

FIG. 2 is a circuit diagram of a hybrid PUF according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of the masking method of the present invention, taking the SM4 algorithm as an example.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.

To address the resistance of block ciphers to power analysis attacks and the problem of robot chips being removed and used for counterfeiting, the invention provides an SBOX masking method based on a hybrid PUF. The masking method applies to block ciphers that use an SBOX for their nonlinear transformation, including AES, DES and SM4, and to reconfigurable SBOXes that parameterise the SBOX of those algorithms.

One aspect of an embodiment of the present invention provides a hybrid physical unclonable function structure, including a first PUF array and a second PUF array;

the first PUF array comprises a plurality of stages of basic PUF units which are sequentially connected, wherein the basic PUF units are SR latches formed by NAND gates;

the second PUF array comprises a plurality of stages of environment sensing PUF units which are sequentially connected, and each environment sensing PUF unit comprises a first NAND gate and a second NAND gate;

the first input end of the first NAND gate is connected with the first input end of the second NAND gate to serve as a switch control end, the second input end of the first NAND gate is connected with the output end of the second NAND gate, and the second input end of the second NAND gate is connected with the output end of the first NAND gate;

chip output pins are led out from the output ends of the first NAND gate and the second NAND gate, and chip input pins are led out from the second input ends of the first NAND gate and the second NAND gate.

Further, the number of basic PUF cells in the first PUF array is equal to the number of environment-sensing PUF cells in the second PUF array.

Further, the number of basic PUF cells in the first PUF array depends on the input data bit width.

Another aspect of the embodiments of the present invention provides a masking method based on the above hybrid physical unclonable function structure, where the masking method is used in a block cipher algorithm, and includes the following steps:

S1. In each round transformation, read the response value of the hybrid physical unclonable function structure to generate the mask r_PUFa, then XOR it bitwise with the generated random number r_RNG to obtain the data mask r_a;

S2. Generate the row transformation matrix Rx and the column transformation matrix Ry from the data mask r_a, generate the mask matrix MS from random numbers, and generate a new S-box SBOX_new from the row transformation matrix Rx, the column transformation matrix Ry and the random number matrix MS;

for each byte input a, obtain the new S-box transformation result SBOX_new(a ^ r_a);

S3. Excite the hybrid physical unclonable function structure to obtain the real-time response r_PUFb, then XOR it bitwise with the random number r_RNG to obtain the data mask r_b;

for each byte input a, obtain the transformation result MS(a ^ r_b) of the byte input through the mask matrix MS;

S4. Apply the linear transformation of the block cipher to the new S-box transformation result and to the mask-matrix transformation result, obtaining the first linear transformation result L(SBOX_new(a ^ r_a)) and the second linear transformation result L(MS(a ^ r_b));

S5. XOR the first linear transformation result with the second linear transformation result to obtain the output of the current round transformation.

Further, generating the row transformation matrix Rx and the column transformation matrix Ry from the data mask r_a in step S2 comprises:

splitting the data mask r_a into a high and a low nibble according to r_a = x·2^4 + y, where the high four bits are x and the low four bits are y; row i of the row transformation matrix Rx is row (i ^ x) of the identity matrix, and column j of the column transformation matrix Ry is column (j ^ y) of the identity matrix.

Further, the new S-box SBOX_new is obtained as SBOX_new = Rx · SBOX · Ry ^ MS.

Further, the response value of the hybrid physical unclonable function structure used in step S1 is stored in OTP in advance.

Further, the output of the round transformation is compared with the result obtained without the SBOX mask; if they agree, the chip has not been removed and forged, otherwise the operation result is erroneous and the cryptographic function of the chip fails.

The contents of the above embodiments will be described with reference to a preferred embodiment.

Fig. 1 shows the general calculation flow of this embodiment, which comprises six steps, S0 to S5.

S0 is the initialisation step before encryption and decryption: the mask r_PUFa is generated by reading the hybrid PUF response value stored in OTP, where r_PUFa must have the same bit width as the data of the encryption and decryption algorithm; at the same time the SBOX mask matrix MS is generated with a random number generator. The flow then enters the encryption and decryption algorithm, and the following steps are carried out in each round transformation.

S1 generates an 8-bit random number r_RNG for every 8 bits of input data, XORs it bitwise with r_PUFa to obtain the data mask r_a, generates the row transformation matrix Rx and the column transformation matrix Ry from r_a, computes SBOX_new (abbreviated S_n) from Rx, Ry and MS, and stores it. In this step r_a is decomposed into its high and low 4 bits as r_a = x·2^4 + y; row i of Rx is row (i ^ x) of the identity matrix and column j of Ry is column (j ^ y) of the identity matrix. Every 8 bits of input data thus produces its own SBOX_new.

S2 computes SBOX_new(a ^ r_a) for every 8-bit input a to obtain the new transformation result.

S3 excites the hybrid PUF to obtain the real-time response r_PUFb; in theory r_PUFa = r_PUFb. r_PUFb is XORed bitwise with the previous random number r_RNG to obtain the data mask r_b, and MS(a ^ r_b) is then computed with the mask matrix MS.

S4 applies the linear transformation of the algorithm to the results computed with the SBOX_new matrix and with the MS matrix, i.e. computes L(SBOX_new(a ^ r_a)) and L(MS(a ^ r_b)).

S5 XORs the two linear transformation results, which compensates the earlier mask operation and yields the output of the round transformation. If the PUF response of the chip has not been changed by removal, counterfeiting or similar means, this output agrees with the result obtained without masking, and the circuit has covered the intermediate information of the encryption and decryption process with the mask; otherwise the operation result is wrong and the encryption and decryption functions of the chip fail.

Fig. 2 is the circuit diagram of the hybrid PUF. The PUF comprises a basic PUF array and an environment-sensing PUF array; the number of cells in each array may be chosen according to the actual data bit width, the two arrays have the same number of cells, and some redundant cells may be reserved. All PUF cells are SR-latch-based: two NAND gates form one PUF cell, the output of each NAND gate is connected to one input of the other, and the remaining inputs of the two NAND gates serve as the control switch. Once the switch is enabled, the signal passed between the two NAND gates begins to oscillate; because manufacturing variation in the actual chip gives the two NAND gates different drive strengths, the latch finally settles to a fixed value.

As shown in Fig. 2, in the environment-sensing PUF the connection between the output of one NAND gate and the input of the other is routed off-chip through a chip pin to the PCB and back on-chip through another pin, so that the parasitic RC of the pins is coupled into the PUF circuit and the response depends on it. If the chip is removed, the parasitic RC of the pins changes inevitably and irreversibly, so the PUF response changes, the mask compensation of normal encryption and decryption produces an erroneous result, and the anti-counterfeiting effect is achieved.

Fig. 3 illustrates the hybrid-PUF-based SBOX masking method of the invention in detail, taking the SM4 algorithm as an example:

S0. Read the hybrid PUF response R_PUFa stored in OTP and generate the matrix MS from random numbers. Since each round of SM4 operates on 32-bit data, R_PUFa is also 32 bits, split into four 8-bit values, i.e. R_PUFa = (r_pufa0, r_pufa1, r_pufa2, r_pufa3); MS is a 16 × 16 matrix whose elements are 8-bit values. The round transformation then begins.

The input data A_i, A_{i+1}, A_{i+2}, A_{i+3} and the round key rk_i are XORed to obtain the 32-bit input A, which is split into four 8-bit values, i.e. A = (a0, a1, a2, a3); the round key rk_i is itself generated using the SBOX masking method of the invention.

S1. Generate a 32-bit random number R_RNG, also split into four 8-bit values, i.e. R_RNG = (r_RNG0, r_RNG1, r_RNG2, r_RNG3), and compute the data mask R_a = R_PUFa ^ R_RNG = (r_a0, r_a1, r_a2, r_a3). For each 8-bit data mask r_ai, generate Rx_i and Ry_i and compute the masked S-box S_ni = SBOX_newi = Rx_i · SBOX · Ry_i ^ MS, so that four new S-boxes are generated for the four 8-bit parts of the input A.

S2. For A = (a0, a1, a2, a3), apply the new S-boxes, i.e. compute b_S0 = S_n0(a0 ^ r_a0), b_S1 = S_n1(a1 ^ r_a1), b_S2 = S_n2(a2 ^ r_a2) and b_S3 = S_n3(a3 ^ r_a3), obtaining the result B_S = (b_S0, b_S1, b_S2, b_S3) of the input data after masked transformation by the new S-boxes.

S3. Excite the hybrid PUF to obtain the real-time response R_PUFb and XOR it with the above random number R_RNG to obtain the mask R_b = R_PUFb ^ R_RNG = (r_b0, r_b1, r_b2, r_b3). If the chip pins have not been detached and the circuit works normally, then R_PUFa = R_PUFb and R_a = R_b. Then, for each 8-bit part of R_b, compute b_MS0 = MS(a0 ^ r_b0), b_MS1 = MS(a1 ^ r_b1), b_MS2 = MS(a2 ^ r_b2) and b_MS3 = MS(a3 ^ r_b3), obtaining the result B_MS = (b_MS0, b_MS1, b_MS2, b_MS3) of the input data after masking through the mask matrix MS.

S4. For SM4, the subsequent linear operation cyclically shifts and XORs the S-box result: compute L(B_S) = B_S ^ (B_S <<< 2) ^ (B_S <<< 10) ^ (B_S <<< 18) ^ (B_S <<< 24) and L(B_MS) = B_MS ^ (B_MS <<< 2) ^ (B_MS <<< 10) ^ (B_MS <<< 18) ^ (B_MS <<< 24).

S5. XOR the linear transformation results of B_S and B_MS to perform mask compensation, i.e. compute L(B_S) ^ L(B_MS), obtaining the output result A_{i+4}. Because the hybrid PUF response is derived from the parasitic RC of the chip pins and enters the computation of B_MS in real time, if the chip has not been detached or damaged, A_{i+4} agrees with the result obtained from the original inputs A_i, A_{i+1}, A_{i+2}, A_{i+3} without the SBOX masking operation; otherwise an erroneous result is obtained.
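The following worked example is added here and is not code from the patent or its authors. It models in Python the masking flow of claims 4 to 8, i.e. steps S0 to S5 of Fig. 3, using the SM4 linear transformation L given above, and checks that the masked round output equals the unmasked result when the real-time PUF response matches the enrolled one and differs when it does not. The S-box, the mask matrix MS and the PUF response bits are constructed with fixed seeds (the S-box is not the SM4 S-box), the split of the 32-bit response into a 16-bit basic half and a 16-bit environment-sensing half is an assumption of the model, and the function names (build_masked_sbox, masked_round, chip_intact and so on) are the example's own.

```python
"""Software model of the hybrid-PUF SBOX masking method (steps S0-S5).

Added example, not the patent's code.  S-box, mask matrix and PUF response
bits are constructed with fixed seeds; none of them is a real chip's value.
"""
import random

# Constructed 8-bit bijective S-box standing in for the cipher's real table.
_sbox_rng = random.Random(1)
SBOX = list(range(256))
_sbox_rng.shuffle(SBOX)

# Constructed hybrid-PUF response: 16 bits from the basic SR-latch array
# (fixed by on-chip process variation) concatenated with 16 bits from the
# environment-sensing array (set by pin parasitic RC).  The 16/16 split is
# an assumption of this model, not something the text specifies.
BASIC_PUF_BITS = 0xA5C3
ENV_PUF_BITS = 0x3C69


def hybrid_puf_response(tampered=False):
    """Read the hybrid PUF.  Removing the chip changes the pin parasitic RC,
    modelled here as flipping two bits of the environment-sensing half."""
    env = ENV_PUF_BITS ^ (0x0410 if tampered else 0)
    return (BASIC_PUF_BITS << 16) | env          # bit concatenation


def word_to_bytes(w):
    return [(w >> (24 - 8 * k)) & 0xFF for k in range(4)]


def bytes_to_word(bs):
    return (bs[0] << 24) | (bs[1] << 16) | (bs[2] << 8) | bs[3]


def rotl32(w, n):
    return ((w << n) | (w >> (32 - n))) & 0xFFFFFFFF


def sm4_l(b):
    """SM4 round linear transformation L from step S4 of the text."""
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)


def build_masked_sbox(sbox, r_a, ms):
    """SBOX_new = Rx . SBOX . Ry ^ MS (claims 5 and 6), stored flat as i*16+j.

    r_a = x*2^4 + y.  Row i of Rx is row i^x of the identity and column j of
    Ry is column j^y of the identity, so (Rx.SBOX.Ry)[i][j] = SBOX[i^x][j^y].
    Hence SBOX_new[a ^ r_a] = SBOX[a] ^ MS[a ^ r_a]: the table output carries
    the mask MS[a ^ r_a], which step S3 later cancels."""
    x, y = r_a >> 4, r_a & 0xF
    return [sbox[((i ^ x) << 4) | (j ^ y)] ^ ms[(i << 4) | j]
            for i in range(16) for j in range(16)]


def make_mask_matrix(seed):
    """S0: 16x16 mask matrix MS of 8-bit random values.  Constructed as a
    random permutation so that distinct inputs never share a mask byte;
    the text itself only requires random numbers."""
    ms = list(range(256))
    random.Random(seed).shuffle(ms)
    return ms


def unmasked_round(a):
    """Reference round: SBOX on each byte of A, then L, with no masking."""
    return sm4_l(bytes_to_word([SBOX[b] for b in word_to_bytes(a)]))


def masked_round(a, r_puf_a, ms, rng, tampered=False):
    """Steps S1-S5 for one 32-bit round input A (already XORed with rk_i).

    r_puf_a is the enrolment response read from OTP (S0); the real-time
    response r_puf_b is re-read from the PUF in S3."""
    r_rng = rng.getrandbits(32)
    r_a = r_puf_a ^ r_rng                                          # S1
    a_b, ra_b = word_to_bytes(a), word_to_bytes(r_a)
    sn = [build_masked_sbox(SBOX, r, ms) for r in ra_b]            # S1: 4 S_n
    b_s = bytes_to_word([sn[k][a_b[k] ^ ra_b[k]] for k in range(4)])   # S2
    r_b = hybrid_puf_response(tampered) ^ r_rng                    # S3
    rb_b = word_to_bytes(r_b)
    b_ms = bytes_to_word([ms[a_b[k] ^ rb_b[k]] for k in range(4)])     # S3
    return sm4_l(b_s) ^ sm4_l(b_ms)                                # S4 + S5


def chip_intact(a, ms, seed=3, tampered=False):
    """Claim 8: the masked output equals the unmasked result only if the PUF
    still reproduces the response enrolled in OTP."""
    r_puf_a = hybrid_puf_response()            # enrolled value kept in OTP
    rng = random.Random(seed)                  # stands in for the chip's RNG
    return masked_round(a, r_puf_a, ms, rng, tampered) == unmasked_round(a)


if __name__ == "__main__":
    ms = make_mask_matrix(7)
    for a in (0x00000000, 0x12345678, 0xFFFFFFFF):
        print(hex(a), "intact:", chip_intact(a, ms),
              "tampered:", chip_intact(a, ms, tampered=True))
```

Run as a script it prints the intact and tampered checks for three round inputs. The identity the model relies on is SBOX_new[a ^ r_a] = SBOX[a] ^ MS[a ^ r_a], so the second lookup MS[a ^ r_b] cancels the mask only when r_b = r_a; because L is linear over XOR, L(B_S) ^ L(B_MS) = L(B_S ^ B_MS), and a changed environment-sensing response therefore propagates into every subsequent round output rather than being absorbed.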

Through this SBOX masking method the intermediate information of the encryption and decryption process is covered, effectively resisting power analysis attacks; at the same time, because the hybrid PUF response is combined into the SBOX masking method, removing and counterfeiting the chip destroys the unique PUF response, which causes the SBOX mask compensation in the encryption and decryption process to fail and yields erroneous results, so that product counterfeiting with recycled chips is effectively prevented.

It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.
