EP1044533A1 - Encryption method for performing cryptographic operations - Google Patents
Encryption method for performing cryptographic operations
- Publication number
- EP1044533A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- bit
- data
- sub
- control signal
- cryptographic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7233—Masking, e.g. (A**e)+r mod n
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/08—Randomization, e.g. dummy operations or using noise
Definitions
- The invention relates to an encryption method in which at least one cryptographic partial operation f_i(x_i, k_i) is executed on data x_i, k_i stored digitally as data bit words, and the respective result or respective intermediate results y_i are digitally stored or buffered as data bit words, according to the preamble of claim 1.
- The invention further relates to an encryption device with a calculation unit and registers R_i, wherein the calculation unit executes at least one cryptographic sub-operation f_i(x_i, k_i) on operands x_i, k_i stored digitally as data bit words in the registers R_i of the encryption device, and stores or temporarily stores the respective result or intermediate results y_i digitally as data bit words in the registers R_i, according to the preamble of claim 8.
- cryptographic operations serve to protect the operation of these devices or to protect data carried in the device.
- the calculation operations required for this are carried out both by standard arithmetic units and by dedicated crypto arithmetic units.
- a typical example of the latter are chip cards or IC cards.
- Intermediate results y_i are stored in memory areas or registers R_i, or finally the result of the calculation is stored in memory areas or registers for further processing.
- The register R_i is located between a previous i-th cryptographic calculation and a subsequent (i+1)-th cryptographic calculation.
- To compute the cryptographic algorithms, logical operations between operands k_i, intermediate results y_i or data x_{i+1} are carried out in the data processing devices. Depending on the technology used, these operations, in particular loading the memory areas or registers with data, lead to increased power consumption by the data processing devices.
- Even for very small signal changes, adequate extraction of the information could be made possible, for example, by performing several current measurements on the data processing device. Several current measurements could also enable the formation of a difference, if necessary.
- This type of cryptanalysis is also referred to as "differential power analysis", by means of which an outsider can successfully carry out a possibly unauthorized cryptanalysis of the cryptographic operations, algorithms, operands or data simply by observing changes in the power consumption of the data processing device.
- Since the control signal r_i is neither known nor predetermined, there is no correlation between the current changes and the bit values of the data and results, so that a "differential power analysis" no longer leads to successful cryptanalysis. In other words, the average power consumption of the overall operation does not contain any useful information about the partial operands used or the intermediate results of the partial operations. Further developments of the device are preferably described in claims 2 to 7.
- One or more XOR operations are expediently carried out in the cryptographic partial operations.
- the data include, for example, cryptographic keys and / or operands.
- Intermediate results y_i are temporarily stored in a register R_i between the execution of successive cryptographic partial operations and are supplied as operand x_{i+1} to the subsequent cryptographic partial operation.
- The bit sequence x_{i+1} = y_i, obtained from the intermediate result y_i of a previous partial operation i, is bitwise complemented for the subsequent sub-operation i+1 if the data x_i, k_i of the previous sub-operation i were bitwise complemented.
- Bit values, or all bit values, of a data bit word x_i, k_i or y_i are inverted. It is particularly advantageous here if an inversion of bit values or bit addresses of a
- At least one inverter controllable by a control signal r_i, for at least one of the data x_i, k_i and/or the result or at least one intermediate result y_i; a random number generator, which
- Control signal r_i optionally converts the bit sequences x_i, k_i or y_i to their bitwise complement x̄_i, k̄_i or ȳ_i, or leaves them unchanged.
- At least one register R_i has an inverter connected downstream, which receives the identical control signal r_i as the inverter upstream of the i-th sub-operation for the data x_i, k_i.
- This inverter connected downstream of a register R_i of the i-th sub-operation is preferably combined with one of the inverters upstream of the following (i+1)-th sub-operation for an input data x_{i+1}.
- The combined inverter expediently receives both the control signal r_i of the previous i-th sub-operation and the control signal r_{i+1} of the subsequent (i+1)-th sub-operation.
- A register R_i stores an intermediate result y_i of the previous i-th sub-operation between the previous i-th sub-operation and a subsequent (i+1)-th sub-operation and forwards this intermediate result as input value x_{i+1} to the subsequent (i+1)-th sub-operation.
- The bitwise complementation expediently inverts at least one bit value, in particular the even bit values, the odd bit values or all bit values, of a data bit word x_i, k_i or y_i.
- FIG. 1 shows a flowchart of a part of a cryptographic operation according to the prior art
- FIG. 2 shows a flowchart of a part of a first preferred
- FIG. 3 shows a flow diagram of part of a second preferred embodiment of a cryptographic operation according to the invention.
- A cryptographic overall operation is carried out by a chain of partial operations f_i(x_i, k_i) within which one or more logical XOR operations (exclusive-OR operations) are carried out.
- Two sub-operations are shown, namely the i-th sub-operation 10 and the (i+1)-th sub-operation 12, each sub-operation being carried out by a calculation unit.
- Each sub-operation 10, 12 is followed downstream by a memory cell or register R_i 14 or a memory cell or register R_{i+1} 16.
- Each sub-operation 10, 12 takes data x_i, x_{i+1} and an operand k_i, k_{i+1} as input values, which are available as data bit words.
- A controllable inverter 18 or 20 for the data x_i, x_{i+1} and a controllable inverter 22, 24 for the operands k_i, k_{i+1} are connected upstream of each sub-operation 10, 12. Furthermore, a controllable inverter 26, 28 for the intermediate result y_i, y_{i+1} is connected downstream of the respective register R_i 14 or R_{i+1} 16 of each partial operation 10, 12, this
- Sub-operations 10, 12 are calculated one after the other by the same unit, and thus the partial results have to be buffered.
- The repeated execution of the overall calculation ensures that each data path changes from "0" to "0", from "0" to "1", from "1" to "0" and from "1" to "1" the same number of times.
- The average power consumption of the overall operation therefore contains no useful information about the partial operands k_i used or the intermediate results y_i in sub-operations 10, 12.
- The inverter 26, 28 connected downstream of the register 14, 16 restores the original, non-inverted value for the following sub-operation 12.
- The second preferred embodiment of the encryption method according to the invention, shown in FIG. 3, corresponds to the first embodiment of FIG. 2 with the only difference that the inverters 26, 28 connected downstream of the registers 14, 16 are combined with the respective input inverter 20 of the following stage 12 to form one inverter 30.
- The inverters may also invert only a part of the bit values of the respective data bit word. For example, only the even or odd bit values or bit addresses are inverted.
- the bit values are inverted, for example, by means of an XOR operation (exclusive-OR operation).
- Figure legend: 26 controllable inverters for y_i, 28 controllable inverters for y_{i+1}.
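The inverter chain described in the items above, as an added simulation that is not part of the patent text: FIG. 2 places a controllable inverter before each sub-operation and after each register, all driven by the random control bit r_i, and FIG. 3 merges the register-output inverter with the next stage's input inverter into one inverter driven by r_i and r_{i+1}. The example's own assumptions are that f_i(x_i, k_i) is a bitwise XOR, that words are 8 bits wide, and that x_i is inverted on the even bit addresses while k_i is inverted on the odd ones, so the register holds the fully complemented y_i whenever r_i = 1. It checks the two properties the page claims: the overall result is unchanged by the random inversions, and the word latched into each register shows equal numbers of 0→0, 0→1, 1→0 and 1→1 transitions across the control-bit values, so its Hamming weight carries no information about y_i.

```python
# Added simulation (not the patent's own code) of the randomly controlled
# bitwise-inversion chain. Assumptions: f_i(x_i, k_i) = x_i XOR k_i, 8-bit
# words, x_i inverted on even bit addresses and k_i on odd bit addresses.
import random

WIDTH = 8
ALL_BITS = (1 << WIDTH) - 1
EVEN_BITS = sum(1 << b for b in range(0, WIDTH, 2))   # 0x55, even bit addresses
ODD_BITS = ALL_BITS ^ EVEN_BITS                        # 0xAA, odd bit addresses


def inverter(word, control, pattern):
    """Controllable inverter: complement the bit positions in `pattern`
    when the control signal r is 1, pass the word through when it is 0.
    The inversion is an XOR, as the page describes."""
    return word ^ (pattern if control else 0)


def sub_op(x, k):
    """Assumed cryptographic sub-operation f_i(x_i, k_i)."""
    return x ^ k


def popcount(word):
    return bin(word).count("1")


def plain_chain(x1, keys):
    """Unprotected chain (FIG. 1): y_i = f_i(x_i, k_i), x_{i+1} = y_i."""
    x = x1
    for k in keys:
        x = sub_op(x, k)
    return x


def masked_chain(x1, keys, controls, x_pattern=EVEN_BITS, k_pattern=ODD_BITS):
    """FIG. 2 arrangement: inverters on x_i and k_i driven by the random bit
    r_i, register R_i latches the possibly complemented y_i, and an inverter
    after the register, driven by the same r_i, restores the original value.
    Returns (final result, list of words actually latched into R_i)."""
    regs = []
    x = x1
    for k, r in zip(keys, controls):
        xm = inverter(x, r, x_pattern)
        km = inverter(k, r, k_pattern)
        y_reg = sub_op(xm, km)          # the word actually stored in R_i
        regs.append(y_reg)
        # XOR is linear, so the mask left on y_i is x_pattern XOR k_pattern
        # and the downstream inverter must strip exactly that.
        x = inverter(y_reg, r, x_pattern ^ k_pattern)
    return x, regs


def masked_chain_combined(x1, keys, controls, x_pattern=EVEN_BITS, k_pattern=ODD_BITS):
    """FIG. 3 arrangement: the inverter after R_i and the x-input inverter of
    stage i+1 are merged into one inverter 30 driven by both r_i and r_{i+1}.
    Register contents are identical to masked_chain."""
    regs = []
    y_pattern = x_pattern ^ k_pattern
    xm = inverter(x1, controls[0], x_pattern)   # first stage has only an input inverter
    for i, (k, r) in enumerate(zip(keys, controls)):
        km = inverter(k, r, k_pattern)
        y_reg = sub_op(xm, km)
        regs.append(y_reg)
        r_next = controls[i + 1] if i + 1 < len(controls) else 0
        # one XOR removes stage i's mask and applies stage i+1's input mask
        xm = y_reg ^ (y_pattern if r else 0) ^ (x_pattern if r_next else 0)
    return xm, regs


def mean_register_weight(y, net_pattern):
    """Hamming-weight leakage model: average weight of the word latched into
    a register, taken over both values of the control bit r."""
    return sum(popcount(inverter(y, r, net_pattern)) for r in (0, 1)) / 2


def transition_counts(y_prev, y, net_pattern):
    """Count the per-bit transitions 0->0, 0->1, 1->0, 1->1 seen by a register
    that goes from y_prev to y, over all four (r_prev, r) control values."""
    counts = {"00": 0, "01": 0, "10": 0, "11": 0}
    for r_prev in (0, 1):
        for r in (0, 1):
            a = inverter(y_prev, r_prev, net_pattern)
            b = inverter(y, r, net_pattern)
            for bit in range(WIDTH):
                counts[f"{(a >> bit) & 1}{(b >> bit) & 1}"] += 1
    return counts


if __name__ == "__main__":
    keys = [0x3C, 0xA5, 0x0F]                # constructed sample operands k_i
    x1 = 0x5A                                # constructed sample input x_1
    rng = random.Random(1)
    for _ in range(200):
        controls = [rng.randint(0, 1) for _ in keys]
        res, regs = masked_chain(x1, keys, controls)
        assert (res, regs) == masked_chain_combined(x1, keys, controls)
        assert res == plain_chain(x1, keys)
    print("unmasked transitions:", transition_counts(0x66, 0xC3, 0))
    print("masked transitions:  ", transition_counts(0x66, 0xC3, ALL_BITS))
```

With a net pattern of all bits, `mean_register_weight` is WIDTH/2 for every y and `transition_counts` returns WIDTH of each transition type regardless of the data, which is the balancing the page describes; with a net pattern of 0 (no inversion) both quantities depend directly on the intermediate result. Note that the choice of per-operand patterns matters: if x_i and k_i were both inverted on the same bit positions, the XOR sub-operation would cancel the two masks and the register would latch y_i in the clear.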
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE19845095 | 1998-09-30 | ||
DE19936918 | 1999-08-05 | ||
DE19936918A DE19936918A1 (de) | 1998-09-30 | 1999-08-05 | Encryption method for performing cryptographic operations |
PCT/EP1999/007012 WO2000019656A1 (de) | 1998-09-30 | 1999-09-17 | Encryption method for performing cryptographic operations |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1044533A1 (de) | 2000-10-18 |
Family
ID=26049210
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP99948819A Withdrawn EP1044533A1 (de) | 1998-09-30 | 1999-09-17 | Encryption method for performing cryptographic operations |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1044533A1 (de) |
JP (1) | JP2003524916A (de) |
WO (1) | WO2000019656A1 (de) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4317607B2 (ja) * | 1998-12-14 | 2009-08-19 | 株式会社日立製作所 | Information processing device, tamper-resistant processing device |
US6760440B1 (en) * | 1999-12-11 | 2004-07-06 | Honeywell International Inc. | One's complement cryptographic combiner |
DE10139514A1 (de) | 2001-08-10 | 2003-02-20 | Bosch Gmbh Robert | Transmission detector for a window body, in particular the windscreen of a motor vehicle, and cleaning device for a viewing area of a window body |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4176247A (en) * | 1973-10-10 | 1979-11-27 | Sperry Rand Corporation | Signal scrambler-unscrambler for binary coded transmission system |
US5091941A (en) * | 1990-10-31 | 1992-02-25 | Rose Communications, Inc. | Secure voice data transmission system |
US5297201A (en) | 1992-10-13 | 1994-03-22 | J.D. Technologies, Inc. | System for preventing remote detection of computer data from tempest signal emissions |
FR2776445A1 (fr) | 1998-03-17 | 1999-09-24 | Schlumberger Ind Sa | Method for securing data using a cryptographic algorithm |
1999
- 1999-09-17 JP JP2000573037A patent/JP2003524916A/ja not_active Withdrawn
- 1999-09-17 WO PCT/EP1999/007012 patent/WO2000019656A1/de active Application Filing
- 1999-09-17 EP EP99948819A patent/EP1044533A1/de not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
See references of WO0019656A1 * |
Also Published As
Publication number | Publication date |
---|---|
JP2003524916A (ja) | 2003-08-19 |
WO2000019656A1 (de) | 2000-04-06 |
Similar Documents
Publication | Title |
---|---|
DE60222052T2 (de) | Encryption secured against attacks by power consumption analysis (DPA) |
DE602004013206T2 (de) | Method and related device for hardware-oriented conversion between arithmetic and Boolean random masking |
DE69118977T2 (de) | Encryption system based on chaos theory |
DE102005012098B4 (de) | Data encryption processor and AES encryption system and AES encryption method |
DE60302512T2 (de) | Feistel encryption method and device with protection against DPA attacks |
DE60019432T2 (de) | A technique for generating a parameter, such as a checksum, by a primitive that uses elementary register operations |
DE60223337T3 (de) | Method for secure encryption and component for carrying out such an encryption method |
DE10339999B4 (de) | Pseudo-random number generator |
DE69911815T2 (de) | Self-correcting random encryption system and method |
DE10347455B4 (de) | Pseudo-random number generator for a stream cipher |
EP1298834A1 (de) | Method and device for encrypting and decrypting data |
DE10304451B3 (de) | Modular exponentiation with randomized exponent |
EP0616429B1 (de) | Method and circuit arrangement for generating a pseudo-random sequence and its use |
DE19936918A1 (de) | Encryption method for performing cryptographic operations |
DE102004061312B4 (de) | Device and method for detecting a potential attack on a cryptographic computation |
DE102018116572A1 (de) | Protection against side-channel attacks |
DE102004013480A1 (de) | Random number generator and method for generating random numbers |
WO2000019656A1 (de) | Encryption method for performing cryptographic operations |
DE10224742B4 (de) | Data processing circuit and method for transmitting data |
DE102004037814B4 (de) | Device and method for generating a sequence of numbers |
EP1446711B1 (de) | Shifting device and method for shifting |
DE102004043480B3 (de) | Device and method for detecting a disturbance of a cryptographic unit, preferably of the AES algorithm |
DE10201450B4 (de) | Carry-skip adder for encrypted data |
DE112020007024T5 (de) | Confidential information processing system, encryption device, encryption method and encryption program |
DE102020102796A1 (de) | Data processing device and method for processing secret data |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE |
17P | Request for examination filed | Effective date: 20001006 |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: PHILIPS CORPORATE INTELLECTUAL PROPERTY GMBH Owner name: KONINKLIJKE PHILIPS ELECTRONICS N.V. |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: PHILIPS INTELLECTUAL PROPERTY & STANDARDS GMBH Owner name: KONINKLIJKE PHILIPS ELECTRONICS N.V. |
RBV | Designated contracting states (corrected) | Designated state(s): AT DE FR GB |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: PHILIPS INTELLECTUAL PROPERTY & STANDARDS GMBH Owner name: NXP B.V. |
17Q | First examination report despatched | Effective date: 20080122 |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: NXP B.V. |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
18D | Application deemed to be withdrawn | Effective date: 20091229 |