基于动态补偿的椭圆曲线密码低成本抗功耗攻击策略及硬件结构研究

椭圆曲线密码(ECC)芯片的抗功耗攻击能力往往以电路性能、面积或功耗为代价。该文分析了在椭圆曲线密码 点乘运算中密钥猜测正确与错误时的中间数据汉明距离概率分布差异性，提出一种基于动态汉明距离调控的功耗补偿方法，利用模拟退火算法离线寻找最优的映射矩阵，最终形成椭圆曲线密码硬件电路的等概率映射补偿模型，大大降低了中间数据与功耗的相关性。同时，以该模型为指导设计了低成本的同步功耗补偿电路，在CMOS 40 nm工艺下，防护后的ECC128电路面积增加22.8%。基于Sakura-G开发板开展了测试验证，防护电路的功耗仅增加18.8%，最小泄露轨迹数大于104，抗相关功耗分析能力提升了312倍。该策略在与随机化方法防护能力相当的情况下，不损失电路性能且硬件成本小，适用于高速或资源受限的ECC电路。

Dynamic Compensation Based Low-cost Power-analysis Countermeasure for Elliptic Curve Cryptography and Its Hardware Structure

The power-analysis countermeasure for Elliptic Curve Cryptographic (ECC) chips endures large area, power consumption and performance degradation. In this paper, the difference in the probability distribution of the intermediate data Hamming distance is analyzed when the key guess is correct and incorrect in the point multiplication of ECC. A power compensation method based on dynamic Hamming distance control is proposed, which uses the simulated annealing algorithm offline to find the optimal mapping matrix. Finally, a mapping compensation model of equal probability on the elliptic curve cryptographic hardware is formed, which greatly reduces the correlation between intermediate data and power consumption. At the same time, a low-cost synchronous power compensation circuit is designed in the guidance of this model. Under the CMOS 40 nm process, the area of protected ECC128 is only increased by 22.8%. Experiments and tests are carried out on the Sakura-G board. The power overhead is 18.8%, and the number of minimum leakage traces is greater than 104, which is increased by 312 times. This countermeasure is the same as randomization with low cost and no impact on the throughput rate, which is suitable for high-speed or resource-constrained ECC circuits.