EP1362451A1 - Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system - Google Patents
Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system
- Publication number
- EP1362451A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- boolean
- separation
- arithmetic
- operations
- parts
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
Definitions
- The object of the present invention is to propose two new algorithms, "BooleanToArithmetic" and "ArithmeticToBoolean", proven to be secure against DPA attacks.
- Each of these algorithms uses only very simple operations: XOR (exclusive or), AND, subtraction, and the left shift of a register by one bit.
- The "BooleanToArithmetic" algorithm uses a constant number (7) of such elementary operations, while the number of elementary operations in the "ArithmeticToBoolean" algorithm is proportional (5K + 5) to the size K (the number of bits) of the processor registers.
- DPA: Differential Power Analysis.
- The present invention is concerned with the "masking" method suggested by Chari et al. [2].
- The basic principle consists in programming the algorithm so that the fundamental assumption above no longer holds, i.e. so that no intermediate variable depends on an easily accessible subset of the secret key. More precisely, using a secret sharing scheme, each intermediate variable appearing in the cryptographic algorithm is separated into several parts. An attacker is then forced to analyse the joint distribution of several points, which makes the task exponential in the number of parts of the separation.
- A Boolean masking: x' = x ⊕ r.
- An arithmetic masking: A = x − r (mod 2^K).
- In both cases the variable x is masked by the random value r, which gives the masked value x' (or A).
- Our objective is to find an efficient algorithm for passing from Boolean masking to arithmetic masking and vice versa, while ensuring that the intermediate variables remain uncorrelated with the data being masked, which is what provides resistance to DPA.
- The invention relates to a method for securing an electronic assembly comprising a processor and a memory, implementing a cryptographic algorithm stored in the memory and using Boolean operations and arithmetic operations, in which at least one variable is separated into several parts, according to a Boolean separation using a Boolean operation and according to an arithmetic separation using an arithmetic operation. The method is characterized in that, to pass from either of these separations to the other, the processor performs a predetermined number of Boolean and arithmetic operations on said parts and on at least one random value, such that none of the values appearing during the calculation is correlated with said variable, the calculation producing a result stored in memory.
- The method comprises the following stages:
- The separation of said parts into at least two elements uses a Boolean operation.
- Said grouping of two of said partial results is carried out by means of a Boolean operation.
- The Boolean operation used to separate said parts into at least two elements is the "exclusive or" (XOR) operation.
- The Boolean operation used to group said partial results is the "exclusive or" operation.
- With a Boolean separation into two parts using the "exclusive or" operation and an arithmetic separation into two parts using the "addition" operation, the method is characterized in that, to pass from the Boolean separation to the arithmetic separation, five "exclusive or" operations and two "subtraction" operations are used.
- At least one variable obtained by a predetermined number of successive iterations is defined from an initial value that is a function of at least one random value, by successive applications of a transformation based on Boolean and arithmetic operations applied to said parts of the arithmetic separation and to said at least one random value.
- Each part but one of the Boolean separation is obtained by applying Boolean operations to the variable or variables obtained by successive iteration, to said parts of the arithmetic separation and to said random value(s).
- The Boolean operations applied to obtain all the parts but one of the Boolean separation are the "exclusive or" operation and the "logical shift left by one bit" operation.
- With an arithmetic separation into two parts using the "addition" operation and a Boolean separation into two parts using the "exclusive or" operation, the method is characterized in that, to pass from the arithmetic separation to the Boolean separation, (2K + 4) "exclusive or" operations, (2K + 1) "logical and" operations and K "logical shift left by one bit" operations are used.
- The invention also relates to an embedded system comprising a processor and a memory, implementing a cryptographic algorithm stored in the memory and using Boolean operations and arithmetic operations, in which at least one variable is separated into several parts, according to a Boolean separation using a Boolean operation and according to an arithmetic separation using an arithmetic operation. The system is characterized in that, to pass from either of these separations to the other, it comprises conversion means for performing, by means of the processor, a predetermined number of Boolean and arithmetic operations on said parts and on at least one random value, such that none of the values appearing during the calculation is correlated with said variable, the calculation producing a result stored in memory.
- Input: (x', r) such that x = x' ⊕ r.
- Output: (A, r) such that x = A + r.
- The "BooleanToArithmetic" algorithm uses 2 auxiliary variables (T and Γ), 1 call to the random generator, and 7 elementary operations (more precisely: 5 "XOR" and 2 subtractions).
- The "ArithmeticToBoolean" algorithm uses 3 auxiliary variables (T, Γ and Ω), 1 call to the random generator, and (5K + 5) elementary operations (more precisely: (2K + 4) "XOR", (2K + 1) "AND" and K "left shifts").
- A smart card includes information processing means or CPU 2, information storage means 3, 4, 5 of different types (RAM, EEPROM, ROM), input/output means 6 allowing the card to cooperate with a card reader terminal, and a bus 7 allowing these elements to interact with each other.
- The aforementioned conversion means, suitable for performing Boolean and arithmetic operations, include in particular at least one program stored in the information storage means 3, 4, 5.
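Worked example, added here and not taken from the patent or its applicant: the two conversions described above, written for K = 32-bit registers in C with exactly the operation counts the claims give (7 operations for BooleanToArithmetic, 5K + 5 for ArithmeticToBoolean), together with a small simulation of the property the claims require. Every value written to a register is recorded, and the mean Hamming weight of each intermediate is compared for two different secrets x. The naive switch (unmask, then re-mask) shows a shift of 32 at the step where x is exposed, while the protected conversions stay at noise level. The function names, the xorshift32 stand-in for the card's random generator and the Hamming-weight leakage model are assumptions of this example, not part of the patent.

```c
#include <stdint.h>
#define K 32                    /* register width in bits */
#define MAX_TRACE (5 * K + 5)   /* ArithmeticToBoolean writes 5K+5 values */
enum { MODE_B2A, MODE_A2B, MODE_NAIVE };

/* xorshift32: a deterministic stand-in for the card's random generator
 * (an assumption, chosen so that the simulation below is reproducible). */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rand_k(void) {
    uint32_t s = rng_state; s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    return rng_state = s;
}

/* Every value written to a register passes through emit(); with a trace
 * buffer attached this models what a probe on the data bus would see. */
static uint32_t *trace = 0;
static int trace_len = 0;
static uint32_t emit(uint32_t v) { if (trace) trace[trace_len++] = v; return v; }

/* BooleanToArithmetic: x = xp ^ r in, A with x = A + r (mod 2^K) out.
 * 5 XOR, 2 subtractions, one random value gamma. Phi(u) = (xp ^ u) - u. */
uint32_t bool_to_arith(uint32_t xp, uint32_t r, uint32_t gamma) {
    uint32_t T, A;
    T = emit(xp ^ gamma);
    T = emit(T - gamma);
    T = emit(T ^ xp);        /* Phi(gamma) ^ Phi(0) */
    gamma = emit(gamma ^ r);
    A = emit(xp ^ gamma);
    A = emit(A - gamma);     /* Phi(gamma ^ r) */
    A = emit(A ^ T);         /* Phi is affine over GF(2): this is Phi(r) = x - r */
    return A;
}

/* ArithmeticToBoolean: x = A + r in, xp with x = xp ^ r out. (2K+4) XOR,
 * (2K+1) AND, K left shifts. Each loop iteration propagates the carries of
 * A + r one bit position further while keeping them masked by 2*gamma. */
uint32_t arith_to_bool(uint32_t A, uint32_t r, uint32_t gamma) {
    uint32_t T, O, xp; int k;
    T = emit(gamma << 1);
    xp = emit(gamma ^ r);
    O = emit(gamma & xp);
    xp = emit(T ^ A);
    gamma = emit(gamma ^ xp);
    gamma = emit(gamma & r);
    O = emit(O ^ gamma);
    gamma = emit(T & A);
    O = emit(O ^ gamma);
    for (k = 1; k < K; k++) {
        gamma = emit(T & r);
        gamma = emit(gamma ^ O);
        T = emit(T & A);
        gamma = emit(gamma ^ T);
        T = emit(gamma << 1);
    }
    return emit(xp ^ T);
}

/* The unprotected way to switch: unmask, then re-mask. The secret x itself
 * is written to a register, which is exactly what the claims forbid. */
uint32_t naive_bool_to_arith(uint32_t xp, uint32_t r) {
    uint32_t x = emit(xp ^ r);
    return emit(x - r);
}

/* Round trip: Boolean shares -> arithmetic shares -> Boolean shares of x. */
int roundtrip_ok(uint32_t x, uint32_t r, uint32_t g1, uint32_t g2) {
    uint32_t A = bool_to_arith(x ^ r, r, g1);
    uint32_t xp = arith_to_bool(A, r, g2);
    return (uint32_t)(A + r) == x && (xp ^ r) == x;
}

static double hw(uint32_t v) { double n = 0; for (; v; v >>= 1) n += v & 1; return n; }

/* Mean Hamming weight of every recorded intermediate over n random maskings
 * of one fixed x; returns how many intermediates the conversion produced. */
static int profile(int mode, uint32_t x, int n, double mean[MAX_TRACE]) {
    uint32_t buf[MAX_TRACE];
    int i, j, len = 0;
    for (j = 0; j < MAX_TRACE; j++) mean[j] = 0.0;
    for (i = 0; i < n; i++) {
        uint32_t r = rand_k(), gamma = rand_k();
        trace = buf; trace_len = 0;
        if (mode == MODE_B2A)      bool_to_arith(x ^ r, r, gamma);
        else if (mode == MODE_A2B) arith_to_bool(x - r, r, gamma);
        else                       naive_bool_to_arith(x ^ r, r);
        trace = 0; len = trace_len;
        for (j = 0; j < len; j++) mean[j] += hw(buf[j]);
    }
    for (j = 0; j < len; j++) mean[j] /= n;
    return len;
}

/* Largest change in any intermediate's mean Hamming weight between x = 0 and
 * x = 0xFFFFFFFF. A first-order leak shows up as a value near K (the naive
 * switch gives exactly 32); the protected conversions stay at noise level. */
double max_mean_hw_shift(int mode, int n) {
    double m0[MAX_TRACE], m1[MAX_TRACE], worst = 0.0;
    int j, len = profile(mode, 0u, n, m0);
    profile(mode, 0xFFFFFFFFu, n, m1);
    for (j = 0; j < len; j++) {
        double d = m0[j] > m1[j] ? m0[j] - m1[j] : m1[j] - m0[j];
        if (d > worst) worst = d;
    }
    return worst;
}
```

Typical use is `roundtrip_ok(x, r, g1, g2)` for a handful of values and `max_mean_hw_shift(MODE_B2A, 2048)` against each conversion. The check is a first-order, single-intermediate, Hamming-weight model: it will flag any intermediate that is a deterministic function of x, but it says nothing about an attack that combines two intermediates, so it should be read as the minimum a masked routine must pass rather than as a proof.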
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0102091A FR2820914A1 (en) | 2001-02-15 | 2001-02-15 | METHOD OF SECURING AN ELECTRONIC ASSEMBLY USING CRYPTOGRAPHIC ALGORITHM USING BOOLEAN OPERATIONS AND ARITHMETIC OPERATIONS, AND CORRESPONDING ONBOARD SYSTEM |
FR0102091 | 2001-02-15 | ||
PCT/FR2002/000579 WO2002065692A1 (en) | 2001-02-15 | 2002-02-14 | Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1362451A1 true EP1362451A1 (en) | 2003-11-19 |
Family
ID=8860075
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP02704839A Withdrawn EP1362451A1 (en) | 2001-02-15 | 2002-02-14 | Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system |
Country Status (4)
Country | Link |
---|---|
US (1) | US7334133B2 (en) |
EP (1) | EP1362451A1 (en) |
FR (1) | FR2820914A1 (en) |
WO (1) | WO2002065692A1 (en) |
Families Citing this family (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100585119B1 (en) * | 2004-01-07 | 2006-06-01 | 삼성전자주식회사 | Cryptographic apparatus and cryptographic method, and storage medium thereof |
DE102004023902A1 (en) * | 2004-05-13 | 2005-12-01 | Giesecke & Devrient Gmbh | Transition from Boolean masking to arithmetic masking |
DE102004061312B4 (en) * | 2004-12-20 | 2007-10-25 | Infineon Technologies Ag | Apparatus and method for detecting a potential attack on a cryptographic calculation |
US8752032B2 (en) * | 2007-02-23 | 2014-06-10 | Irdeto Canada Corporation | System and method of interlocking to protect software-mediated program and device behaviours |
FR2924879B1 (en) | 2007-12-07 | 2009-12-18 | Sagem Securite | METHOD OF ENCODING A SECRET FORMED BY A DIGITAL VALUE |
KR101566408B1 (en) * | 2009-03-13 | 2015-11-05 | 삼성전자주식회사 | Conversion circuit and method between boolean and arithmetic masks |
US8615078B2 (en) * | 2009-08-21 | 2013-12-24 | Electronics And Telecommunications Research Institute | Method and apparatus for processing F-function in seed encryption system |
KR101334040B1 (en) * | 2010-01-20 | 2013-11-28 | 한국전자통신연구원 | Method and apparatus for providing masking operations in encryption system |
FR2960728B1 (en) * | 2010-05-26 | 2016-04-15 | Oberthur Technologies | METHOD FOR DETERMINING A REPRESENTATION OF A PRODUCT AND METHOD FOR EVALUATING A FUNCTION |
US8572146B2 (en) | 2010-08-17 | 2013-10-29 | Fujitsu Limited | Comparing data samples represented by characteristic functions |
US8874607B2 (en) | 2010-08-17 | 2014-10-28 | Fujitsu Limited | Representing sensor data as binary decision diagrams |
US8930394B2 (en) | 2010-08-17 | 2015-01-06 | Fujitsu Limited | Querying sensor data stored as binary decision diagrams |
US8645108B2 (en) | 2010-08-17 | 2014-02-04 | Fujitsu Limited | Annotating binary decision diagrams representing sensor data |
US8583718B2 (en) | 2010-08-17 | 2013-11-12 | Fujitsu Limited | Comparing boolean functions representing sensor data |
US8495038B2 (en) * | 2010-08-17 | 2013-07-23 | Fujitsu Limited | Validating sensor data represented by characteristic functions |
US9002781B2 (en) | 2010-08-17 | 2015-04-07 | Fujitsu Limited | Annotating environmental data represented by characteristic functions |
US9138143B2 (en) | 2010-08-17 | 2015-09-22 | Fujitsu Limited | Annotating medical data represented by characteristic functions |
KR20120070873A (en) | 2010-12-22 | 2012-07-02 | 한국전자통신연구원 | Subchannel prevention masked addition operator |
US8781995B2 (en) | 2011-09-23 | 2014-07-15 | Fujitsu Limited | Range queries in binary decision diagrams |
US9176819B2 (en) | 2011-09-23 | 2015-11-03 | Fujitsu Limited | Detecting sensor malfunctions using compression analysis of binary decision diagrams |
US8812943B2 (en) * | 2011-09-23 | 2014-08-19 | Fujitsu Limited | Detecting data corruption in medical binary decision diagrams using hashing techniques |
US9075908B2 (en) | 2011-09-23 | 2015-07-07 | Fujitsu Limited | Partitioning medical binary decision diagrams for size optimization |
US8620854B2 (en) | 2011-09-23 | 2013-12-31 | Fujitsu Limited | Annotating medical binary decision diagrams with health state information |
US8909592B2 (en) | 2011-09-23 | 2014-12-09 | Fujitsu Limited | Combining medical binary decision diagrams to determine data correlations |
US8719214B2 (en) | 2011-09-23 | 2014-05-06 | Fujitsu Limited | Combining medical binary decision diagrams for analysis optimization |
US8838523B2 (en) | 2011-09-23 | 2014-09-16 | Fujitsu Limited | Compression threshold analysis of binary decision diagrams |
US9177247B2 (en) | 2011-09-23 | 2015-11-03 | Fujitsu Limited | Partitioning medical binary decision diagrams for analysis optimization |
EP2634953A1 (en) * | 2012-03-02 | 2013-09-04 | Gemalto SA | Countermeasure method against side channel analysis for cryptographic algorithms using boolean operations and arithmetic operations |
TWI507989B (en) * | 2013-08-08 | 2015-11-11 | Nat Univ Tsing Hua | Method of resource-oriented power analysis for embedded system |
US9923719B2 (en) | 2014-12-09 | 2018-03-20 | Cryptography Research, Inc. | Location aware cryptography |
US10333699B1 (en) | 2015-09-30 | 2019-06-25 | Cryptography Research, Inc. | Generating a pseudorandom number based on a portion of shares used in a cryptographic operation |
US10871947B2 (en) | 2016-03-03 | 2020-12-22 | Cryptography Research, Inc. | Converting a boolean masked value to an arithmetically masked value for cryptographic operations |
DE102017002153A1 (en) | 2017-03-06 | 2018-09-06 | Giesecke+Devrient Mobile Security Gmbh | Transition from Boolean masking to arithmetic masking |
FR3101982B1 (en) | 2019-10-11 | 2024-03-08 | St Microelectronics Grenoble 2 | Determining an indicator bit |
FR3101980B1 (en) | 2019-10-11 | 2021-12-10 | St Microelectronics Grenoble 2 | Processor |
FR3101983B1 (en) * | 2019-10-11 | 2021-11-12 | St Microelectronics Grenoble 2 | Determining an indicator bit |
DE102021003275B3 (en) | 2021-06-24 | 2022-07-14 | Giesecke+Devrient Mobile Security Gmbh | Method for computing a transition from a Boolean to an arithmetic masking |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6182216B1 (en) * | 1997-09-17 | 2001-01-30 | Frank C. Luyster | Block cipher method |
WO2001024439A1 (en) * | 1999-09-29 | 2001-04-05 | Hitachi, Ltd. | Device, program or system for processing secret information |
2001
- 2001-02-15 FR FR0102091A patent/FR2820914A1/en active Pending
2002
- 2002-02-14 EP EP02704839A patent/EP1362451A1/en not_active Withdrawn
- 2002-02-14 US US10/468,130 patent/US7334133B2/en not_active Expired - Fee Related
- 2002-02-14 WO PCT/FR2002/000579 patent/WO2002065692A1/en not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See references of WO02065692A1 * |
Also Published As
Publication number | Publication date |
---|---|
US20040139136A1 (en) | 2004-07-15 |
US7334133B2 (en) | 2008-02-19 |
WO2002065692A1 (en) | 2002-08-22 |
FR2820914A1 (en) | 2002-08-16 |
Similar Documents
Publication | Title |
---|---|
EP1362451A1 (en) | Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system |
Coron et al. | On boolean and arithmetic masking against differential power analysis |
Oswald et al. | Template attacks on masking—resistance is futile |
JP4632950B2 (en) | Tamper-resistant cryptographic processing using personal keys |
Standaert et al. | An overview of power analysis attacks against field programmable gate arrays |
Goubin | A sound method for switching between boolean and arithmetic masking |
US10361854B2 (en) | Modular multiplication device and method |
US7908641B2 (en) | Modular exponentiation with randomized exponent |
JP5823639B2 (en) | Countermeasures for side-channel analysis of cryptographic algorithms using Boolean and arithmetic operations |
Mather et al. | Multi-target DPA attacks: Pushing DPA beyond the limits of a desktop computer |
US20110216900A1 (en) | Methods of encryption and decryption and encryption systems using the same |
CN101006677A (en) | Method and device for carrying out a cryptographic calculation |
CN111817842B (en) | Energy analysis attack testing device and method for RSA-CRT operation |
Amiel et al. | Distinguishing multiplications from squaring operations |
Bauer et al. | Correlation analysis against protected SFM implementations of RSA |
EP1381936A1 (en) | Countermeasure method in an electronic component using a public key cryptographic algorithm on an elliptic curve |
Kamoun et al. | Experimental Implementation of 2ODPA attacks on AES design with flash-based FPGA Technology |
FR3095709A1 (en) | MASKING PROCESS AND SYSTEM FOR CRYPTOGRAPHY |
Roelofs et al. | Online template attack on ECDSA: Extracting keys via the other side |
US7123717B1 (en) | Countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm |
EP1994465A1 (en) | Method of securing a calculation of an exponentiation or a multiplication by a scalar in an electronic device |
EP1198921A2 (en) | Method for countermeasure in an electronic component using a secret key algorithm |
WO2006067057A1 (en) | Secure and compact exponentiation method for cryptography |
KR100772550B1 (en) | Enhanced message blinding method to resistant power analysis attack |
Park et al. | An improved side channel attack using event information of subtraction |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed | Effective date: 20030915 |
AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
AX | Request for extension of the European patent | Extension state: AL LT LV MK RO SI |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: SCHLUMBERGER SYSTEMES SA |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: AXALTO S.A. |
17Q | First examination report despatched | Effective date: 20050422 |
RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: GEMALTO SA |
STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
18D | Application deemed to be withdrawn | Effective date: 20140924 |