EP1226681A2 - Method for enabling data processing to resist data extraction by analysis of unwanted side-channel signals - Google Patents

Method for enabling data processing to resist data extraction by analysis of unwanted side-channel signals

Info

Publication number
EP1226681A2
Authority
EP
European Patent Office
Prior art keywords
data
mapping
algorithm
mappings
mapped
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP00986837A
Other languages
German (de)
English (en)
Inventor
Manfred Von Willich
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cyphermanx Consultants Ltd
Original Assignee
Cyphermanx Consultants Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cyphermanx Consultants Ltd
Publication of EP1226681A2
Current legal status: Withdrawn

Classifications

    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07F: COIN-FREED OR LIKE APPARATUS
    • G07F7/00: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008: Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/75: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • G06F21/755: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00: Payment architectures, schemes or protocols
    • G06Q20/30: Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34: Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341: Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07F: COIN-FREED OR LIKE APPARATUS
    • G07F7/00: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0806: Details of the card
    • G07F7/0813: Specific details related to card security
    • G07F7/082: Features insuring the integrity of the data on or in the card
    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07F: COIN-FREED OR LIKE APPARATUS
    • G07F7/00: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0806: Details of the card
    • G07F7/0833: Card having specific functional components
    • G07F7/084: Additional components relating to data transfer and storing, e.g. error detection, self-diagnosis
    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07F: COIN-FREED OR LIKE APPARATUS
    • G07F7/00: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10: Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1025: Identification of user by a PIN code
    • G07F7/1083: Counting of PIN attempts
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00: Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72: Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219: Countermeasures against side channel or fault attacks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/16: Obfuscation or hiding, e.g. involving white box

Definitions

  • This invention relates to data security.
  • This invention relates to reducing the risk of unauthorised access to data.
  • Cryptographic systems have traditionally been depicted with the cipher (encryption or decryption) as a metaphorical black box, in which input data (whether plaintext or ciphertext) is processed internally using a secret key and the only information to leave the black box is the intended output data.
  • A ciphering operation uses a key repetitively.
  • The attacker can generally obtain it by observing and analysing the side-channel information during several operations, without resorting to traditional techniques of cryptanalysis.
  • The minimum number of repeated operations that must be observed to extract the value of the key (or any repetitively used internal data) typically changes in inverse proportion to the ratio of the power of the signal he is trying to observe to the power of the noise (the signal-to-noise ratio).
  • The attacker will typically need to observe in the order of 100 times as many operations to extract the key.
  • DPA: Differential Power Analysis.
  • The order of a DPA attack may be defined as the minimum number of intermediate variables from which any of the data exposed by the attack may be obtained, where these intermediate variables are each derived from the observations by an averaging process over a large number of observations.
  • A more intuitive (but less accurate) definition may be that it is the number of internal digital states of which direct (if noisy) side-channel observations must be made to obtain any information about the information desired by the attacker.
  • The objective of the techniques of the invention presented here is to reduce the amount of useful information an attacker may obtain from the side-channel signal and to increase the minimum sophistication and complexity of a successful attack.
  • The techniques include defence against first- and higher-order attacks.
  • A design objective in secure devices with regard to data secrecy would be to keep the amount of leaked information about secret data during the life of the secret below acceptable limits. This may be achieved through cryptographic mechanisms that make the process of combining small quantities of leaked information into a usable whole computationally intractable. It may also be achieved by limiting the rate of leakage so that the cumulative leakage of information (defined in an information-theoretic sense) about the secret throughout its life is acceptably low, as is the objective of this invention.
  • A set of data (e.g. bits) may be mapped onto another set of data in such a way that the original set of data remains entirely unknown to an observer despite the second set of data being known to the observer.
  • The original data (the first set) may be reconstructed from the mapped data (the second set) when the selection of mapping is known.
  • The selection of mapping must be unknown to the observer and the mapping must be selected randomly for every new set of data in such a way that every possible original data set will be mapped to every possible mapped representation with equal probability. This principle is exploited by this invention.
  • Operators for combining one or more operands into a result
  • Examples of such operators include a lookup table (a unary operator), and modular addition or subtraction, word-wide bit-for-bit exclusive-or, and modulo-p multiplication (over the set of values 1 to p-1, p being a prime number), the latter all being binary operators.
  • the well-known IDEA cipher (designed by Xuejia Lai and James Massey) uses three such binary operators, and the well-known DES cipher uses lookup tables, the bit-for-bit exclusive-or operator and bit-permutations.
  • A separately and arbitrarily selected one-to-one mapping may be applied to each of the inputs and to the output of any operator.
  • An equivalent operator may then be defined that generates the correct mapped output from the mapped input values for every selected mapping.
  • In the cases of interest, this equivalent operator is identical to the original operator and satisfies the requirements for not revealing information about the original data.
  • The principle, including the restriction to an identical operator, is often termed blinding, although the extent of the range of mappings possible for typical operators is seldom realised.
  • Mapping of the modular addition operation x + y ≡ z (mod m), under the constraint that the operator remains unchanged, permits the family of mappings from (x, y, z) to (x_i, y_i, z_i) where x_i ≡ a_i·x + b_i (mod m), y_i ≡ a_i·y + c_i (mod m) and z_i ≡ a_i·z + b_i + c_i (mod m), where a_i is any number that is coprime with m, and b_i and c_i are any numbers.
  • Many field operations (such as addition, multiplication and exponentiation) will exhibit similar properties.
  • The size of the set of mappings available for the exclusive-or operation can significantly reduce the usability of the side-channel signal, and in so doing may permit some of the requirements for secrecy to be compromised. Such a compromise (e.g. re-use of a selection of mapping) can be useful in reducing the complexity of the final design of an algorithm while keeping the amount of information leaked to the attacker acceptably low.
  • Mappings may be applied to the same data consecutively to make a composite mapping, e.g. a first mapping f applied to x and a second mapping applied to f(x) to give x_k. Although this is equivalent to a single mapping of x to x_k (the composition of the two mappings), if arranged correctly the attacker must obtain information about multiple independent sets of data (three in the example: x_k, f(x) and the mapping data) before obtaining any information about the original data. This increases the order of the DPA attack (typically equal to the number of independent sets of data) and the number of observations required (typically as the power of the number of independent sets of data) before being able to extract useful information from the observations.
  • Unary operators such as a lookup table or a bit-permutation
  • Mappings that allow the operator to remain unchanged are restricted only when there is data loss in the operation (i.e. it is many-to-one), but it may make more sense to modify the operator in these instances, for example by use of a mapping-dependent lookup table.
  • An improved DES implementation of the invention instead uses two 56-bit keys (K1 and K2) and two 64-bit plaintext messages (M1 and M2), each associated with a permutation (i.e. K1P, K2P and M1P, M2P) such that K1P{K1} XOR K2P{K2} equals the "standard" DES key K, and M1P{M1} XOR M2P{M2} equals the "standard" message.
  • The tables are preferably periodically updated, by introducing fresh entropy into the tables faster than information leaks out, so that attackers will not be able to obtain the table contents by analysis of measurements.
  • The technique may be implemented in cryptographic chip-cards (smartcards), tamper resistant chips, and secure processing systems of all kinds. Where blinding is used, the relationship between the number of observations needed to extract useful information via a side-channel and the power SNR of this channel differs from inverse proportionality, and no indication of an understanding of this principle is given in the application. In the case of blinding as in this proposal (with or without permutation), the number of observations needed should be expected to vary inversely with the square of the power SNR (i.e. the fourth power of the magnitude SNR).
  • The technique of the invention provides a practical and effective modification of cryptographic and other processes, such modification being based on data secrecy through varying of the mapping of all secret and intermediate data for computation and storage. Examples of such data are cryptographic keys and stored and communicated data.
  • A method of processing data to reduce the risk of unauthorised access to the data, including the steps of: design of algorithms, particularly but not exclusively ciphers, for maximum benefit from this technique; extending the commonly known technique of data blinding to a larger set of mappings; modifying the algorithm implementation to operate on mapped data; initial mapping of data, especially cryptographic keys, for storage; changing the data mapping from each prior data mapping by use of a secondary mapping; mapping incoming data for input to the modified algorithm implementation; and mapping data output from the modified algorithm for further use.
  • The method may include keeping both the secret data and the selection of mapping on the data secret.
  • The data mapping and the secondary data mapping may be in the form of a lookup table, an algorithm with mapping-selection data, or the like.
  • The methods may include composite (cascaded) but separately applied mappings to reduce the amount of information that may be obtained from a given number of observations by an attacker and to increase the lowest order of a successful DPA attack.
  • The mapped data and the selection of mapping may be transmitted to a remote location.
  • Figure 1 shows, in schematic representation, a prior art cryptographic operation;
  • Figure 2 shows, in schematic representation, side channel information leakage in the operation of Figure 1;
  • Figure 3 shows, in schematic representation, replacement of a two-input operation with a data-mapped equivalent;
  • Figure 4 shows, in schematic representation, combining of consecutive mappings;
  • Figure 5 shows, in schematic representation, replacement of a cipher by its modified equivalent;
  • Figure 6 shows, in schematic representation, initial mapping of the key for storage;
  • Figure 7 shows, in schematic representation, the iterative mapping of a key;
  • Figure 8 shows, in schematic representation, a simplistic cipher illustrating the mapping process;
  • Figure 9 illustrates aspects of Example 3: making the DES cipher resistant to both 1st- and 2nd-order DPA attacks.
  • Reference numeral 10 generally indicates a traditional "black box" cryptographic operation.
  • The input data 12 is transformed using a key 14 to an output 16.
  • Reference numeral 20 generally indicates a traditional cryptographic operation, such as that shown in Figure 1, further indicating side-channel leakage.
  • The operation 20 includes inputting of data 22, the transformation by key 24 to output data 26 and leakage of signal 28.
  • Reference numeral 30 generally indicates the process of replacement of a two-input operation with a data-blinding equivalent.
  • In operation 30 a standard two-input operation is represented with inputs 32 and 34 being operated upon by operator 31 to produce an output 36.
  • The data blinding operation again takes inputs 32 and 34, which are then mapped by mappings 35 and 37 before being operated upon by operator 33.
  • The combined output is then mapped by output mapping 39 to provide the hidden output data 36.
  • Reference numeral 40 generally indicates the process of combining consecutive mappings of Figure 3 from cascaded operations.
  • Operators 41 and 47 correspond to two distinct instances of operation 33 of Figure 3.
  • Mapping 43 corresponds to the output mapping 39 in relation to operator 41.
  • Mapping 45 corresponds to an input mapping (such as 35 or 37) in relation to operator 47.
  • Mapping 49 (f_{c,d}) is a single composite mapping derived from 43 and 45 that does not generate any data correlated to the original data even as an intermediate value.
  • Reference numeral 50 generally indicates the replacement of a cipher by its modified equivalent (as an intermediate step of deriving a final implementation of the invention). It can be seen that in the unmodified cryptographic operation, input data 52 is acted upon by ciphering operation 53 using key 51, rendering an output 54. In the modified equivalent, the input data 52 is transformed by transformation 56 into a mapped form prior to being acted upon by modified cipher 57 using a key in mapped form, rendering a mapped output from which the original output 54 may be derived using transformation 58.
  • Reference numeral 60 indicates the process of making an unpredictable selection of a mapping.
  • The unmapped key 62 is mapped 63 according to the selection made and stored 64.
  • The mapping selection is stored 68 for use with the mapped key.
  • Reference numeral 70 indicates the process of making an unpredictable selection of a secondary mapping.
  • The previously mapped key 72 is further mapped 73 by use of the selected secondary mapping and stored 74, typically replacing 72.
  • The previously stored mapping selection 76 is processed with knowledge of the secondary mapping selection to yield the mapping selection applicable to 74, and this is stored 78, typically replacing 76.
  • Reference numeral 80 generally indicates the process of replacing an algorithm with an algorithm that operates on mapped data.
  • The cipher 83 operates on an input text 81 and key 82 to yield an output text block 84.
  • The input text is mapped 85 using one or more suitable mappings.
  • The initial key 82 is similarly mapped 86 to yield a mapped key 89.
  • The mapped key 89 may be provided from the output of a decryption operation already in mapped form.
  • Mapping 86 further refers to repeated changing of the mapping applied to the key.
  • The modified cipher 87 operates on the mapped data, and its mapped output is optionally operated upon 88 by a mapping operation to yield the same data 84 as would have been yielded by the unmodified cipher.
  • Reference numeral 90 generally indicates the process of replacing bit-permutations with the manipulation of mapped data and mapping selection data for independently applied mappings for each mapped data bit.
  • Reference numeral 91 similarly indicates the replacement of duplication of a data bit without the introduction of differentiation between the mappings, but with the caveat that care must be applied with regard to recombination of such data introducing unwanted cancellation of unpredictability.
  • Reference numeral 92 represents the same replacement operation, except that unpredictable information 95 is introduced to avoid the caveat mentioned for 91.
  • Reference numeral 93 similarly indicates the replacement of an exclusive-or operation.
  • Reference numeral 94 indicates the replacement of a DES S-function lookup table (having six input bits and four output bits) with a pre-calculated lookup table using mapped values.
  • Unpredictable data 96 and all possible input values 97 are combined with the original table to generate all the mapped input-output combinations 98 for writing into the mapped lookup table 99.
  • This pre-calculation may be done for every use or for multiple uses of the table according to design choice.
  • This lookup table 99 is then used in conjunction with adequately isolated re-mapping operations (exclusive or) to operate on mapped data. No two vectors of bits in the diagram can be used to reconstruct the original data. To obtain sufficient isolation, it may be necessary to introduce delays into signal paths (such as through the use of clocked latches between exclusive-or operations).
  • Suitable cipher design can result in the next step (cipher modification) adding very little processing overhead to the cipher.
  • Choosing the set of operations that are used in the cipher is important to minimise complexity and maximise data secrecy in the face of a side-channel attack. Understanding of the following aspects of the technique is essential during the design.
  • Fresh mappings may be used for each data value (including the output of every operation) throughout the cipher, or else the mapping may be left unchanged between two operations. The latter is typically not possible when the two operations are unrelated, but when possible may be useful in keeping complexity low. Care must be exercised that the mapping associated with all intermediate computational values adheres to the hiding requirements (for example, where two values that have the same mapping applied are combined through an exclusive-or operator, an original output of zero will always be mapped to the value zero).
  • The output mapping 39 (f_c) is determined by the input mappings 35, 37 (f_a and f_b) and any changes to the core operation. For example, where input mappings are composed of adding separate randomly selected values to each of the inputs of an addition operation, the output mapping would be composed of subtracting the sum of the random values from the output, assuming the core addition operation is kept identical.
  • Combining mappings 43 and 45 (f_c and f_d) from cascaded operations 41 and 47 into a single mapping 49 (f_{c,d}), as illustrated in Figure 4.
  • This mapping must not, even as an intermediate calculation value, derive the original data or any data correlated to the original data. This will in general be achieved when the mapping 49 is constructed only from information that cannot be used to derive information about the original data from the mapped value. Occurrence of correlated data would provide a primary target for a DPA attack. For example, if the two mappings 43 and 45 are modulo addition of separate random values, the mapping 49 will be addition of the sum of these values, from which no information about the individual mapping selections may be deduced.
  • Where mappings 43 and 45 are correlated (i.e. the selection of one influences the selection of the other), the composite mapping may be somewhat simpler or may even become the identity operation (and hence be omitted).
  • Mapping 49 (f_{c,d}) may, if necessary, be implemented by use of a lookup table or another operation. If one of the adjacent operations is a lookup table, the resulting cascaded lookup tables may be combined into one lookup table. After this step, aside from the input data, key data and output data, the data in all computations are kept secret by the mappings. These external mappings are treated separately in the next steps.
  • The original key, input data and output data are still shown as occurring without an applied mapping, and may still be the target of a DPA attack when these are accessed by an operation, in particular for the mapping process.
  • The family of mappings will most commonly be chosen in relation to the operators used in the cipher in which the key is used, to avoid unnecessary re-mapping.
  • The mapping should be replaced with a fresh, randomly selected mapping subject to the constraints imposed by the design.
  • The original value of the key must not be computed, even as a temporary variable, in this process.
  • f_i(q) = g_i(f_{i-1}(q)) for any q.
  • The input data 52 (x in Figure 5) is first mapped using the mapping selected for those inputs. This is analogous to the initial mapping of the key (under Initial storage of keys), but may occur with all data to be processed, such as received ciphertext to be decrypted or plaintext to be encrypted for transmission. Where sensitive data (e.g. keys) are to be encrypted, they must already be stored in mapped form and have a mapping substitution performed where appropriate (as in Per-use key mapping).
  • The output may be mapped to its original value where its secrecy is not critical (e.g. where ciphertext has been generated for transmission). Where this data must remain secret (e.g. transmitted cryptographic keys), it and the mapping selection information should be stored without being mapped back to the original form. Thus, the initial mapping of the key mentioned above does not occur with received and decrypted keys. This makes the process of downloading keys resistant to DPA.
  • Example 1 Making an "exclusive-or" based cipher DPA-resistant
  • a simplistic cipher is constructed entirely from modulo-2 addition - exclusive-or - of octets (vectors of eight bits each) and a single lookup table that produces an 8-bit output value for each 8-bit input value. Due to the simplistic nature of the cipher, only a single set of data may be ciphered securely for the use of the key (as in a Vernam cipher or one-time pad), but repeated ciphering of the same data is provided with first-order DPA-resistance. The per-use key mapping has not been shown, and is necessary for DPA- resistance. However, this example is intended to illustrate cipher design for use within a severely constrained computational environment, such as a chip-card. It uses a single lookup table substitution.
  • the subscripts n and / refer respectively to the selection of the octet within each data set and the cipher use count.
  • A is a randomly selected non-singular 8-by-8 matrix of bits and each b care c, and d, is a randomly selected octet.
  • a fresh mapping is performed by selecting new G, and h,.
  • Cipher the mapped input using the original cipher except for the substituted lookup table. Aside from the per-key mapping, the substituted lookup table, the initial mapping and final mapping, there is no change to the computation involved in the cipher.
  • Mappings selected for distinct data sets should be independently selected.
  • Because the mapping and the mapped data d are changed on every use, the processed data (including the key) is not correlated with the original data. Only a function of several bits of data and the mapping is correlated to the original data. Each bit of the original data can be expressed as a function of 17 bits being processed. This example, applied to a cryptographically strong cipher, may be used effectively in chip cards available today, including those that use 8-bit processors and modest quantities of storage space.
  • Example 2: Making the IDEA cipher DPA-resistant
  • The IDEA cipher was deliberately composed of three mutually incompatible operators based on primitives readily available on most general-purpose computers: binary exclusive-or, addition and multiplication of 16-bit quantities. To make this cipher DPA-resistant, and because of the incompatibility of the operators, a lookup table is introduced in every data path in order to map the mapped value from one operator to the next.
  • Each exclusive-or may have a mapping as with the example above, except that the vector size is increased to 16 bits.
  • By "each" is meant that the random mapping is not constrained to be the same throughout the cipher, and can be independently selected wherever a re-mapping is performed.
  • The addition operator has less freedom of selection of mapping than the exclusive-or operator.
  • The multiplication operator has mapping selection freedom similar to that of the addition operator. Mappings must be randomly selected from a suitable set, the key and data must be mapped accordingly, the lookup tables must be generated and the cipher must be executed.
  • The overhead here is a number of lookup tables of 65536 16-bit words each, storage of information identifying the mappings applied to the key, and the processing overhead of about twice as many lookups as there are operations performed.
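As an added worked example (not code from the patent), the block below shows what "a lookup table in every data path" means for two of IDEA's operators: a mapping compatible with exclusive-or (the mapped word is x ^ r), a mapping compatible with addition mod 2^16 (the mapped word is x + r), and a 65536-entry table, written before use, that carries a mapped word from the first mapping to the second without ever exposing the unmapped value on the data path. The multiplication operator is left out; the function names and the mask values used in the demonstration are assumptions of this illustration.

```python
"""Carrying a masked 16-bit word between IDEA's incompatible operators.

Added illustration, not code from the patent.  IDEA combines exclusive-or,
addition mod 2^16 and multiplication mod 2^16+1 on 16-bit words.  A mapping
that commutes with exclusive-or (a Boolean mask) does not commute with
addition, so on the path between the two operators the mapped value is
passed through a 65536-entry lookup table that carries it from the
exclusive-or mapping to an addition-compatible mapping.  Mask values used
in the demonstration are constructed sample data.
"""
import secrets

WORD = 0xFFFF        # 16-bit data words
MOD = 1 << 16


def fresh_mask():
    """Unpredictable 16-bit mapping selection, chosen independently per use."""
    return secrets.randbelow(MOD)


# ---- exclusive-or compatible mapping: (x ^ r, r) -------------------------
def bool_mask(x, r):
    return (x ^ r) & WORD, r


def bool_unmask(masked):
    xm, r = masked
    return xm ^ r


def masked_xor(a, b):
    """Exclusive-or of two mapped words; the composite mapping is ra ^ rb."""
    (am, ra), (bm, rb) = a, b
    return am ^ bm, ra ^ rb


# ---- addition compatible mapping: ((x + r) mod 2^16, r) -------------------
def add_mask(x, r):
    return (x + r) % MOD, r


def add_unmask(masked):
    xm, r = masked
    return (xm - r) % MOD


def masked_add(a, b):
    """Addition mod 2^16 of two mapped words; the composite mapping is ra + rb."""
    (am, ra), (bm, rb) = a, b
    return (am + bm) % MOD, (ra + rb) % MOD


# ---- re-mapping table between the two mappings ----------------------------
def build_bool_to_add_table(r_bool, r_add):
    """T[x ^ r_bool] == (x + r_add) mod 2^16 for every 16-bit x.

    Generated once per (r_bool, r_add) pair before use.  The composite of the
    two mappings is applied here, at table-writing time, and never on the
    data path: a single lookup converts the mapped word without unmasking it.
    """
    table = [0] * MOD
    for x in range(MOD):
        table[x ^ r_bool] = (x + r_add) % MOD
    return table


def remap_bool_to_add(masked, table, r_add):
    xm, _r_bool = masked
    return table[xm], r_add


def masked_xor_then_add(a, b, c, ra=None, rb=None, rc=None, r_add=None):
    """Compute ((a ^ b) + c) mod 2^16 entirely on mapped words and return the
    unmasked result.  Mappings default to fresh random selections."""
    ra = fresh_mask() if ra is None else ra
    rb = fresh_mask() if rb is None else rb
    rc = fresh_mask() if rc is None else rc
    r_add = fresh_mask() if r_add is None else r_add
    t = masked_xor(bool_mask(a, ra), bool_mask(b, rb))     # mapping ra ^ rb
    table = build_bool_to_add_table(ra ^ rb, r_add)         # written before use
    t_add = remap_bool_to_add(t, table, r_add)              # now addition-compatible
    s = masked_add(t_add, add_mask(c, rc))
    return add_unmask(s)
```

The table holds 65536 16-bit words, which is the per-table storage overhead the text quantifies; the demonstration rebuilds it on every call only to stay self-contained, whereas an implementation would write it once per mapping selection and replace it when the selection is refreshed.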
  • Example 3: Making the DES cipher DPA-resistant
  • DES: Data Encryption Standard
  • TDEA: Triple Data Encryption Algorithm
  • DESX: a cipher derived from DES
  • DES was not designed with DPA in mind. As is often the case, measures that are intended to increase the cryptographic strength have reduced the compatibility of mappings that may be economically used for subsequent operations.
  • Three significant operations are used in DES - modulo-2 addition (exclusive-or), expansion (much like a permutation, except that some or all of the input bits are duplicated) and eight 6-to-4-bit lookup tables (termed S or selection functions). Shifts, bit-permutations (re-ordering) and register interchanges are ignored in this discussion, since the mapping selections applied to each bit are simply tracked (assuming the signals are kept isolated) without having to treat these as distinct operations with the chosen mapping strategy.
  • The replacement of unmodified bit-movements by modified bit-movements, including tracking of the mapping selection, is illustrated at 90.
  • Mappings involving several bits must inherently be re-mapped to allow use of only six bits at a time as input to each S-function. To consider the eight S-functions collectively as a single entity for this purpose would be prohibitive. For the purpose of simplicity of this example, mappings involving more than one bit will not be considered here. This does not imply that more complex mapping with re-mapping after nearly every operation is necessarily complex. The mapping that will be considered here involves a separate selection for every bit being processed in the algorithm.
  • Isolation of signals in a general-purpose processor is often far less than the functional description would imply. For example, loading a value into a register such as an accumulator may result in hidden operations for potential future use, such as determination of whether the value is zero. Erasure of data from a circuit followed by a time-interval before loading of further data will normally provide sufficient isolation, even though subtle interactions will occur (such as data-dependent heating or ion migration). Interaction between data values in RAM words that are not accessed directly may still be visible during other accesses due to the implementation of the addressing logic.
  • Mappings are chosen from a set of two. The first mapping of the set leaves the data bit unchanged, and the second interchanges the two possible values. It will be seen that were the three bits associated with the original bit combined using an exclusive-or operation, the original bit would result. Omitting any single bit of the three would provide secrecy of the original data (assuming each mapping selection is unpredictable, each case is equally probable, and no form of correlation exists between selections).
  • Any mapped bit is passed through any permutation as before, tracking the associated mapping bits (90).
  • Bit-duplication occurs (including where all bits are duplicated)
  • The resulting duplicates should be made independent unless further analysis indicates this is not necessary (in which case the modification is as in 91).
  • Composite mappings with the previous mappings can then be formed.
  • The incoming mapped data may have the two pairs of mappings applied (using the exclusive-or operation separately to re-map data for each duplicate, plus the composite mapping selection being deduced for each of the two mapping selections for each duplicate).
  • The two duplicates are not correlated with each other, and can be used together in further operations without fear of subsequent combination introducing DPA weakness.
  • The exclusive-or operations in the DES cipher under this mapping remain the same, with composite mappings being deduced for the first and second mappings applied to each bit.
  • This determination can be tracked in hardware: when the exclusive-or of two mapped data bits is found, every selection bit is combined with the corresponding selection bit of the other data mapping using the same operation (93).
  • The resulting three bits are then treated as the masked data bit and two applied mappings. Selections may at times be judiciously made in a correlated fashion without reducing the lowest order of a viable DPA attack, with the effect that the additional computational complexity and unpredictable data requirements may be reduced.
  • The approach taken here is to re-map the input data according to fresh mappings selected for the function (lookup table) inputs (thus allowing more than one use of the table) and to combine the input mapping unpredictability with that of the lookup table output mapping.
  • The remapping approach is used here when modifying the S-function lookup table (94), but it will be kept in mind that the output bits of S-functions should be unrelated to those of the inputs.
  • Mappings are selected unpredictably and independently of all other mappings for each S-function input and output bit (96), and replacement entries for the S-function table (99) are written (98) for every possible input (generated, in this example, by counter 97) prior to use.
  • The mapped inputs are then re-mapped, the written mapped S-function table applied, and the selected output mappings are propagated combined with the input mapping for added unpredictability, although a simplification may be done.
  • The S-function lookup table is stored in hardware registers (in all this will be 2048 register bits to implement the eight S-functions) or RAM.
  • Each resultant mapped input value is used to address the register file and the mapped value is stored in the selected four register bits.
  • The strength of the side-channel signal correlated to an internal bit increases with the amount of use, and this must be taken into account in determining whether the leakage signal is sufficiently small. In some cases, it may be necessary to retain the unpredictable re-mapping, especially of a bit of the key (which is used several times).
  • Another restriction resulting from this simplification is that the input mapping of a bit of an S-function must be the same for every use prior to replacement of the lookup table content. Rather than restricting the mapping applied to individual bits of data (including the key), the mapping applied to the data must be replaced by the pair of mappings applicable to the inputs to the S-function. This should be done in two steps (using two separated exclusive-or operations), each applying the composite of two mappings (one applicable to the S-function, one to the data).
  • The added complexity for the 2nd-order resistance amounts to approximately tripling the number of exclusive-or operations and replacing the fixed S-functions with changeably mapped S-function inputs and outputs, including use of unpredictable data.
  • Data to be operated upon must be replaced by a mapped value and the mapping selection data, and keys must be initially mapped and subsequently incrementally mapped, and stored including the additional mapped data.
  • The storage requirements for mapped data are tripled.
  • Output data, where this is a key for use in DES, must be stored in this form for future use, except that correlation of the output mappings between output bits and due to relatively static S-function mappings should be removed by incrementally mapping the output using a fresh mapping selection.
  • The operations on the mapping selection data up to this point are similar to those performed on the mapped data.
  • The operations applied to the mapping selection data relate to the mapping selection, and only indirectly to the operations of the algorithm.
  • In mapping the input and output of the S-functions, the manipulation of the mapping selection data was quite different from adding similar operations upon "shares" derived from the original data.
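The per-bit three-share representation, the combination of selection bits by exclusive-or (93), the independent re-mapping of duplicates, the two-step re-mapping of data to an S-function's input selections, and the re-written S-function table (94 to 99) can all be exercised together. The block below is an added example, not the patent's own code; it also stands in for the "substituted lookup table" of Example 1. DES_S1 is the standard first DES S-box; the class and function names, and the choice to carry only the table's output selections on the output (the simplification the text allows) followed by a fresh re-mapping, are assumptions of this illustration.

```python
"""Second-order per-bit masking of a DES S-function, with the re-mapped table.

Added illustration, not the patent's own code.  Every data bit b is carried as
three bits (m, s1, s2) with m = b ^ s1 ^ s2; s1 and s2 are the two mapping
selections (0 = bit unchanged, 1 = values interchanged).  Omitting any one of
the three gives no information about b.  Shares are held as bit-vectors, so a
w-bit value has w independent selections per share.  DES_S1 is the standard
DES S-box S1; all mask values are constructed or freshly drawn sample data.
"""
import secrets

DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def s1(x):
    """Plain 6-to-4-bit S-function: outer two bits pick the row, inner four the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]


def rand_bits(width):
    return secrets.randbits(width)


def mask(value, width, sel1=None, sel2=None):
    """Map a value into (m, sel1, sel2) under two independent per-bit selections."""
    sel1 = rand_bits(width) if sel1 is None else sel1
    sel2 = rand_bits(width) if sel2 is None else sel2
    return (value ^ sel1 ^ sel2, sel1, sel2)


def unmask(shares):
    m, sel1, sel2 = shares
    return m ^ sel1 ^ sel2


def masked_xor(a, b):
    """Exclusive-or of two mapped values: each selection is combined with the
    corresponding selection of the other operand by the same operation (93)."""
    return (a[0] ^ b[0], a[1] ^ b[1], a[2] ^ b[2])


def remap(shares, new1, new2):
    """Change the selections of a mapped value to (new1, new2) in two separated
    steps, each applying the composite of one old and one new mapping, so the
    composite of the two old selections is never formed on the data path."""
    m, old1, old2 = shares
    m ^= old1 ^ new1
    m ^= old2 ^ new2
    return (m, new1, new2)


def refresh(shares, width):
    """Incrementally re-map under fresh, unpredictable selections."""
    return remap(shares, rand_bits(width), rand_bits(width))


def duplicate(shares, width):
    """Bit-duplication (expansion): the copy gets fresh selections so that the
    two duplicates are uncorrelated and may later be combined safely (91)."""
    return shares, refresh(shares, width)


class MaskedSFunction:
    """An S-function table rewritten (94) for fixed input selections (t1, t2)
    and output selections (u1, u2).  Entries are written (98) into the
    replacement table (99) for every possible mapped input, enumerated by a
    counter (97), before the table is used."""

    def __init__(self, sfunc, in_width=6, out_width=4):
        self.t1, self.t2 = rand_bits(in_width), rand_bits(in_width)     # (96)
        self.u1, self.u2 = rand_bits(out_width), rand_bits(out_width)   # (96)
        self.table = [0] * (1 << in_width)
        for counter in range(1 << in_width):                            # (97)
            # `counter` is the mapped input; the plain input is recovered only
            # here, at table-writing time, never during use of the table.
            plain_in = (counter ^ self.t1) ^ self.t2
            self.table[counter] = sfunc(plain_in) ^ self.u1 ^ self.u2   # (98)

    def apply(self, shares):
        """Re-map the incoming data to the table's input selections, look up,
        and return the output under the table's output selections."""
        mapped_in = remap(shares, self.t1, self.t2)
        return (self.table[mapped_in[0]], self.u1, self.u2)


def masked_s_round(data6, key6, sfunc_table):
    """One mapped fragment of a DES round: key mixing by exclusive-or, the
    re-mapped S-function, then a fresh re-mapping of the output so that the
    static S-function output selections do not correlate across uses."""
    x = masked_xor(mask(data6, 6), mask(key6, 6))
    y = sfunc_table.apply(x)
    y = refresh(y, 4)
    return unmask(y)             # equals s1(data6 ^ key6)
```

Storing the eight rewritten tables takes 8 x 64 x 4 = 2048 bits, the figure the text gives for the register-file variant; the table's input selections stay fixed until it is rewritten, which is why `apply` re-maps every incoming value to them rather than the other way round.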
  • The method increases the order of a DPA attack (essentially the number of points in the observed signal that must be combined to extract any original data). This makes the attack required more sophisticated and complex.
  • Where the mapping used on one data set is related to the selection of mapping for another data set, the larger number of possible mappings might make such a simplification reasonable while not leading to excessive data leakage.
  • The number of observations needed to extract the original data from noisy side-channel observations may increase substantially more than is achievable through hardware shielding, provided the hardware shielding is high enough. This increase may render even high-order DPA attacks ineffective.
  • An example of such a scheme may be to represent each data bit as a pair of bits, the first value being randomly selected and the second being the original bit when the first bit is zero and its Boolean inverse when it is one (binary "exclusive-or").
  • The system containing the cryptographic component can remain unaffected (e.g. protocols can remain unchanged), although cipher choice may be optimised to facilitate use of this technique.
  • This technique may be applied with symmetric (having a single, shared secret key) and asymmetric (having distinct but related public and secret keys) ciphers.
  • This technique may be applied in conjunction with other techniques for increasing resistance to DPA, such as successively modifying the key by use of a complex function in a co-ordinated fashion with both encryption and decryption.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Accounting & Taxation (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method of processing and storing data so as to reduce the risk of unauthorised access to that data, in particular through side-channel observations. The method comprises computing algorithms, in particular ciphers, so as to derive maximum benefit from this technique; modifying the implementation of the algorithms to operate on mapped data; initially mapping data, in particular cryptographic keys, for storage; modifying the mapping of data from a previous data mapping by means of a secondary mapping; mapping incoming data to be introduced into the modified implementation of the algorithm; and mapping the data output of the modified algorithm for subsequent use. The method allows the confidentiality of the original data, as well as of the mapping applied to the data, to be strengthened. The data mapping and the secondary data mapping may take the form of a lookup table, an algorithm with mapping selection data, or the like. The data mapping may be applied in cascade so as to further reduce the risk of unauthorised access.
EP00986837A 1999-10-25 2000-10-19 Method for making data processing resistant to extraction of data by analysis of unintended side-channel signals Withdrawn EP1226681A2 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US16104799P 1999-10-25 1999-10-25
US161047P 1999-10-25
PCT/ZA2000/000192 WO2001031422A2 (fr) 1999-10-25 2000-10-19 Method for making data processing resistant to extraction of data by analysis of unintended side-channel signals

Publications (1)

Publication Number Publication Date
EP1226681A2 true EP1226681A2 (fr) 2002-07-31

Family

ID=22579586

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00986837A Withdrawn EP1226681A2 (fr) 1999-10-25 2000-10-19 Method for making data processing resistant to extraction of data by analysis of unintended side-channel signals

Country Status (8)

Country Link
EP (1) EP1226681A2 (fr)
JP (1) JP2003513490A (fr)
CN (1) CN1413398A (fr)
AU (1) AU773982B2 (fr)
CA (1) CA2388971A1 (fr)
EA (1) EA003874B1 (fr)
WO (1) WO2001031422A2 (fr)
ZA (1) ZA200202798B (fr)

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7142670B2 (en) * 2001-08-14 2006-11-28 International Business Machines Corporation Space-efficient, side-channel attack resistant table lookups
EP1486026A1 (fr) * 2002-03-07 2004-12-15 Axalto SA Method for securing an electronic assembly using secret-key cryptography
FR2842376B1 (fr) * 2002-07-10 2004-09-24 Somfy Method for selective communication between objects
EP1457858A1 (fr) * 2003-03-14 2004-09-15 SCHLUMBERGER Systèmes Method for securing an electronic assembly with a cryptoprocessor
DE10341096A1 (de) 2003-09-05 2005-03-31 Giesecke & Devrient Gmbh Transition between masked representations of a value in cryptographic computations
US7620182B2 (en) * 2003-11-13 2009-11-17 Magiq Technologies, Inc. QKD with classical bit encryption
KR101061906B1 (ko) * 2004-02-19 2011-09-02 삼성전자주식회사 Basic arithmetic device and method secure against power analysis attacks
EP1596278A1 (fr) * 2004-05-11 2005-11-16 Axalto SA Method for protecting a cryptographic assembly by homographic masking
FR2873523B1 (fr) * 2004-07-22 2007-08-10 Sagem Method and device for executing a cryptographic calculation
DE102004043243A1 (de) * 2004-09-07 2006-03-23 Comvenient Gmbh & Co. Kg Method for protecting keys
EP1646174A1 (fr) * 2004-10-07 2006-04-12 Axalto SA Method and apparatus for automatically generating a cryptographic instruction set and generating code
US7881466B2 (en) 2004-10-28 2011-02-01 Irdeto B.V. Method and system for obfuscating a cryptographic function
JP2008181225A (ja) * 2007-01-23 2008-08-07 Toshiba Corp IC card
EP2255317B1 (fr) * 2008-03-05 2013-05-15 Irdeto B.V. Cryptographic system
EP2525298B1 (fr) * 2011-05-17 2016-07-13 Nxp B.V. Authentication method
EP2620890A1 (fr) * 2012-01-25 2013-07-31 Gemalto SA Method for detecting a fault injected into the hardware registers of an electronic device
DE102012018924A1 (de) 2012-09-25 2014-03-27 Giesecke & Devrient Gmbh Side-channel-protected masking
US9009495B2 (en) 2013-06-28 2015-04-14 Envieta, LLC High speed cryptographic combining system, and method for programmable logic devices
JP6264935B2 (ja) * 2014-02-24 2018-01-24 大日本印刷株式会社 Authentication method for an information processing device
CN104104587B (zh) * 2014-04-18 2017-12-26 天津大学 Post-consistency analysis method for a certified e-mail protocol
CN105757878B (zh) * 2016-02-19 2018-07-27 广东美的暖通设备有限公司 Method and device for encoding and decoding communication data, and air conditioner

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0131422A2 *

Also Published As

Publication number Publication date
AU773982B2 (en) 2004-06-10
WO2001031422B1 (fr) 2002-01-10
EA003874B1 (ru) 2003-10-30
WO2001031422A2 (fr) 2001-05-03
AU2301401A (en) 2001-05-08
CA2388971A1 (fr) 2001-05-03
ZA200202798B (en) 2003-09-23
JP2003513490A (ja) 2003-04-08
EA200200468A1 (ru) 2002-10-31
CN1413398A (zh) 2003-04-23
WO2001031422A3 (fr) 2001-12-13

Similar Documents

Publication Publication Date Title
AU773982B2 (en) Method for making data processing resistant to extraction of data by analysis of unintended side-channel signals
US6278783B1 (en) Des and other cryptographic, processes with leak minimization for smartcards and other cryptosystems
US6295606B1 (en) Method and apparatus for preventing information leakage attacks on a microelectronic assembly
US10313128B2 (en) Address-dependent key generator by XOR tree
US20050147243A1 (en) Cryptographic apparatus, cryptographic method, and storage medium thereof
US10790962B2 (en) Device and method to compute a block cipher
JP5823639B2 (ja) Countermeasure method against side-channel analysis of cryptographic algorithms using Boolean and arithmetic operations
CN108141352B (zh) Cryptographic device, method, apparatus and computer-readable medium, and encoding device, method, apparatus and computer-readable medium
US10146701B2 (en) Address-dependent key generation with a substitution-permutation network
CN109726565B (zh) Using a white box in leakage-resistant primitives
KR100737171B1 (ko) Low-memory masking method for countering power analysis attacks on ARIA
US9602281B2 (en) Parallelizable cipher construction
WO2008064704A1 (fr) Method and device for preventing information-leakage attacks on a device implementing a cryptographic function
CN116796345A (zh) Encryption and decryption method, apparatus, device and storage medium
Brier et al. Fast primitives for internal data scrambling in tamper resistant hardware
Golić DeKaRT: A new paradigm for key-dependent reversible circuits
KR20190049875A (ko) Method for countering DCA attacks of order 2 or higher in a table-based implementation
Misra et al. Analysing the parameters of chaos based image encryption schemes
WO1998036524A1 (fr) System and method for constructing block ciphers
Yang et al. SPN-AS: A new white-box cryptographic algorithm based on AS iteration structure
Garay et al. MAC precomputation with applications to secure memory
CN116961880A (zh) White-box encryption method and system based on Shannon expansion
Yang et al. WAS: improved white-box cryptographic algorithm over AS iteration
Shiba et al. Cubicle: A family of space‐hard ciphers for IoT
Swayamprakash et al. Design of Advanced Encryption Standard using Verilog HDL

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20020523

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20060503