Scrambled tweak mode of blockciphers for differential power analysis resistant encryption

9,794,062

14/878316

October 08, 2015

A system and method for providing a scrambled tweak mode of block cipher encryption for a device that mitigates the effect of side channel attacks based on differential power analysis (DPA). The scrambled tweak mode encryption engine creates noise at the start of the encryption process by obfuscating the counter value with the use of the very fast mixing function, such as a mixing function based on a XOR tree, substitution-permutation networks, or double-mix Feistel networks. The mixing function uses some secret key material, which diversifies its behavior between different instantiations. Because the counter values are scrambled and the mixing functions operate very fast in parallel hardware, the input of the block cipher is pseudorandom and groups of blocks can't be correlated.

The Boeing Company (Chicago, IL, US)

THE BOEING COMPANY (Chicago, IL, US)

1. A system for improving security of a device comprising: a first mixing unit that scrambles a first initial value for a first segment of data; and a first block cipher operating in a tweak mode that encrypts the first segment of data to produce a first ciphertext message from a first plaintext message; wherein the scrambled first initial value is XORed to the input and output of the first block cipher; and wherein the first mixing unit is selected from the group consisting of a XOR tree mixing unit, substitution-permutation mixing unit, and double-mix Feistel mixing unit.

2. The system of claim 1 wherein the first initial value is selected from the group consisting of an address of the first segment of data, a random number, a sequence number, and a then-current value of real-time clock.

3. The system of claim 1 wherein the first mixing unit maps the first segment of data's block size input with the first segment of data's block size output.

4. The system of claim 1 wherein the first mixing unit is invertible.

5. The system of claim 1 wherein the first mixing unit is non-linear.

6. The system of claim 1 wherein the first block cipher is a Federal Information Processing Standard (FIPS) approved AES cipher.

7. The system of claim 1 further comprising: a second mixing unit that scrambles a second initial value for a second segment of data; and a second block cipher operating in a tweak mode that encrypts the second segment of data to produce a second ciphertext message from a second plaintext message; wherein the scrambled second initial value is XORed to the input and output of the second block cipher.

8. The system of claim 7 wherein the system is parallelizable such that the second ciphertext message can be generated without using the first ciphertext message.

9. The system of claim 7 wherein an identical key is used for first block cipher and the second block cipher.

10. The system of claim 7 wherein the scrambled first initial value has no statistical correlation with the scrambled second initial value.

11. A system for improving security of a device comprising a tweak mode encryption engine that: receives data; applies a block cipher operating in a tweak mode in connection with a counter to a segment of the data; applies a mixing function to the counter of the block cipher; and processes remaining segments of the data with the block cipher while applying the mixing function to the counter for each segment of the data; wherein the mixing function is selected from the group consisting of a XOR tree mixing function, substitution-permutation mixing function, and double-mix Feistel mixing function.

12. A method for of claim for improving security of a device comprising the steps of: scrambling with a first mixing unit a first initial value for a first segment of data; encrypting with a first block cipher the first segment of data to produce a first ciphertext message from a first plaintext message; and XORing the scrambled first initial value to the input and output of the first block cipher; wherein the first mixing unit is selected from the group consisting of a XOR tree mixing unit, substitution-permutation mixing unit, and double-mix Feistel mixing unit.

13. The method of claim 12 wherein the first initial value is selected from the group consisting of an address of the first segment of data, a random number, a sequence number, and a then-current value of real-time clock.

14. The method of claim 12 further comprising the step of mapping the first segment of data's block size input with the first segment of data's block size output.

15. The method of claim 12 wherein the first mixing unit is invertible.

16. The method of claim 12 wherein the first mixing unit is non-linear.

17. The method of claim 12 wherein the first block cipher is a Federal Information Processing Standard (FIPS) approved AES cipher.

18. The method of claim 12 further comprising the steps of: scrambling with a second mixing unit a second initial value for a second segment of data; encrypting with a second block cipher the second segment of data to produce a second ciphertext message from a second plaintext message; and XORing the scrambled second initial value to the input and output of the second block cipher.

19. The method of claim 18 further comprising the step of generating the second ciphertext message without using the first ciphertext message.

20. The method of claim 18 further comprising the step of using an identical key for the first block cipher and the second block cipher.

21. The method of claim 18 wherein the scrambled first initial value has no statistical correlation with the scrambled second initial value.

2011/0255689 October 2011 Bolotov
2012/0121083 May 2012 You
2013/0073850 March 2013 Zaverucha
2016/0080143 March 2016 Kindarji

“Tweakable Block Ciphers”; M Liskov et al;Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA 02139, USA 16 pages; https://people.eecs.berkeley.edu/˜daw/papers/tweak-crypto02.pdf. cited by examiner
“Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers”; By Thomas Peyrin and Yannick Seurin; 31 pages; International Association for Cryptologic Research 2016 M. Robshaw and J. Katz (Eds.): CRYPTO 2016, Part I, LNCS 9814, pp. 33-63, 2016. cited by examiner
U.S. Appl. No. 14/472,978, filed Aug. 29, 2014 to Hars. cited by applicant
U.S. Appl. No. 14/473,006, filed Aug. 29, 2014 to Hars. cited by applicant
U.S. Appl. No. 14/473,042, filed Aug. 29, 2014 to Hars. cited by applicant
“Counter mode (CTR),” 2015, Wikipedia article—http://en.wikipedia.org/wiki/CTR—mode#CTR [Sep. 3, 2015], 14 pages, (see pp. 10-11). cited by applicant
“Output Feedback mode (OFB),” 2015, Wikipedia article—http://en.wikipedia.org/wiki/Output—feedback#OFB [Sep. 3, 2015], 14 pages, (see pp. 9-10). cited by applicant
“XTS encryption mode,” 2015, Wikipedia article—http://en.wikipedia.org/wiki/XTS—mode#XEX-based—tweaked-codebook—mode—with—ciphertext—stealing—.28XTS.29 [May 11, 2015], 6 pages, (see pp. 3-4). cited by applicant
“SHA-2,” 2015, Wikipedia article—http://en.wikipedia.org/wiki/SHA-2 [Oct. 7, 2015], 13 pages. cited by applicant
“Message authentication code,” 2015, Wikipedia article—http://en.wikipedia.org/wiki/Message—authentication—code [Oct. 7, 2015], 4 pages. cited by applicant
Extended European Search Report dated Mar. 9, 2017 for counterpart European patent application No. 16192970.8. cited by applicant
Minematsu, Kazuhiko, et al, “Improvied Security Analysis of XEX and LRW Modes,” Aug. 17, 2006 (Aug. 17, 2006), Network and Parallel Computing; [Lecture Notes in computer Science; Lect. Notes Computer], Springer International Publishing, Cham, pp. 96-113. cited by applicant
Rogaway, Phillip, “Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC Contents”, Sep. 24, 2004 (Sep. 24, 2004). cited by applicant
Liskov, Moses et al., “Tweakable Block Ciphers,” Journal of Cryptology, Jul. 1, 2011 (Jul. 1, 2011), pp. 588-613. cited by applicant

edspgr.09794062