EP1362451A1 - Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system

Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system

Info

Publication number
EP1362451A1
Authority
EP
European Patent Office
Prior art keywords
boolean
separation
arithmetic
operations
parts
Prior art date
Legal status
Withdrawn
Application number
EP02704839A
Other languages
German (de)
French (fr)
Inventor
Louis Goubin
Current Assignee
Thales DIS France SA
Original Assignee
CP8
Priority date
Filing date
Publication date
Application filed by CP8
Publication of EP1362451A1
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219 Countermeasures against side channel or fault attacks

Abstract

The invention relates to a method for securing a computer installation involving a cryptographic algorithm using Boolean operations and arithmetic operations, in which at least one variable is separated into several parts by means of a Boolean separation using a Boolean operation and an arithmetic separation using an arithmetic operation. The method is characterised in that, in order to move from either of said separations to the other, a predetermined number of Boolean and arithmetic operations are carried out on said parts and on at least one random value, such that, for each of the values that appear during the calculation, there is no correlation with said variable. The invention also relates to an associated embedded system.

Description

Method for securing an electronic assembly implementing a cryptographic algorithm using Boolean operations and arithmetic operations, and corresponding embedded system

Introduction

Paul Kocher et al. introduced in 1998 [5] and published in 1999 [6] the concept of "Differential Power Analysis", also known as DPA. The initial targets were symmetric cryptosystems such as DES or the AES candidates, but public-key cryptosystems have since also proved vulnerable to DPA attacks.

In 1999, Chari et al. [2] suggested a generic countermeasure consisting in separating all the intermediate variables. A similar "duplication" method was proposed by Goubin et al. [4] as a special case. These general methods, however, usually increase considerably the amount of memory or the computing time required, as Chari et al. noted. Moreover, it has been shown that even the intermediate steps can be attacked by DPA, so the separation of variables has to be applied to every step of the algorithm. This makes the question of the additional memory and computing time all the more crucial, in particular for embedded systems such as smart cards.

In 2000, Thomas Messerges [8] studied DPA attacks applied to the AES candidates. He developed a general countermeasure consisting in masking all the inputs and outputs of each elementary operation executed by the microprocessor. This generic technique allowed him to assess the impact of these countermeasures on the five AES candidates. However, for algorithms that combine Boolean functions and arithmetic functions, two kinds of masks have to be used, so a method of conversion between Boolean masking and arithmetic masking is needed. This is typically the case for IDEA [7] and for three of the AES candidates: MARS [1], RC6 [9] and Twofish [10].

T. Messerges [8] proposed an algorithm to perform this conversion. Unfortunately, Coron and Goubin [3] described a specific attack showing that the "BooleanToArithmetic" algorithm proposed by T. Messerges is insufficient to protect against DPA. Likewise, his "ArithmeticToBoolean" algorithm is not secure either.

The object of the present invention is to propose two new algorithms, "BooleanToArithmetic" and "ArithmeticToBoolean", proven secure against DPA attacks. Each of these algorithms uses only very simple operations: XOR (exclusive or), AND, subtraction, and the "left shift" of a register. Our "BooleanToArithmetic" algorithm uses a constant number (equal to 7) of such elementary operations, while the number of elementary operations involved in our "ArithmeticToBoolean" algorithm is proportional (it is 5K+5) to the size (i.e. the number of bits K) of the processor registers.
Context

The "Differential Power Analysis" attack

"Differential Power Analysis" (DPA) is an attack that makes it possible to obtain information on the secret key (held in a smart card, for example) by performing a statistical analysis of power consumption traces measured over a large number of computations with the same key.

This attack requires no knowledge of the individual power consumption of each instruction, nor of the position in time of each of these instructions. It applies in exactly the same way as soon as the attacker knows the outputs of the algorithm and the corresponding consumption curves. It relies solely on the following fundamental assumption:

Fundamental assumption: there exists an intermediate variable, appearing during the computation of the algorithm, such that knowing a few bits of the key (in practice fewer than 32 bits) makes it possible to decide whether or not two inputs (respectively two outputs) give the same value for this variable.
The masking method

The present invention is concerned with the "masking" method suggested by Chari et al. [2].

The basic principle consists in programming the algorithm so that the fundamental assumption above no longer holds (i.e. an intermediate variable never depends on the knowledge of an easily accessible subset of the secret key). More precisely, using a sharing scheme, each of the intermediate variables appearing in the cryptographic algorithm is separated into several parts. In this way, an attacker is forced to analyse joint distributions over several points, which makes his task exponential in the number of elements of the separation.
The conversion problem

For algorithms that combine Boolean functions and arithmetic functions, two types of masking must be used:

A Boolean masking: x' = x ⊕ r.
An arithmetic masking: A = x − r modulo 2^K.

Here the variable x is masked by the random value r, which gives the masked value x' (or A). Our objective is to find an efficient algorithm to pass from Boolean masking to arithmetic masking and vice versa, while ensuring that the intermediate variables are decorrelated from the data being masked, which ensures resistance to DPA.

Throughout this document, the processor is assumed to use K-bit registers (in practice K is most often 8, 16, 32 or 64). All arithmetic operations (such as addition "+", subtraction "−", or doubling "z → 2.z") are taken modulo 2^K. For simplicity, "modulo 2^K" will often be omitted in what follows.
To this end, the invention relates to a method for securing an electronic assembly comprising a processor and a memory, implementing a cryptographic algorithm stored in the memory and using Boolean operations and arithmetic operations, in which at least one variable is separated into several parts, according to a Boolean separation using a Boolean operation and according to an arithmetic separation using an arithmetic operation, characterized in that, to pass from either of these separations to the other, a predetermined number of Boolean and arithmetic operations are performed by means of the processor on said parts and on at least one random value, such that, for each of the values appearing during the computation, there is no correlation with said variable, the computation ending in a result stored in the memory.

Advantageously, to pass from the Boolean separation to the arithmetic separation, the method comprises the following steps:
- separate all the parts except one into at least two elements;
- compute at least two partial results that never depend on all the elements of a part;
- to obtain each part except one of the arithmetic separation, combine at least two of said partial results.

Advantageously, the separation of said parts into at least two elements uses a Boolean operation.

Advantageously, said combination of two of said partial results is carried out by means of a Boolean operation.

Advantageously, the Boolean operation used for the separation of said parts into at least two elements is the "exclusive or" operation.

Advantageously, the Boolean operation used for combining said partial results is the "exclusive or" operation.

Advantageously, to pass from the Boolean separation to the arithmetic separation, only the "exclusive or" and "subtraction" operations are used.

Advantageously, with the Boolean separation in two parts using the "exclusive or" operation and the arithmetic separation in two parts using the "addition" operation, the method is characterized in that, to pass from the Boolean separation to the arithmetic separation, five "exclusive or" operations and two "subtraction" operations are used.

Advantageously, to pass from the arithmetic separation to the Boolean separation, at least one variable is defined, obtained by means of a predetermined number of successive iterations starting from an initial value that is a function of at least one random value, by successive applications of a transformation based on Boolean and arithmetic operations applied to said parts of the arithmetic separation and to said at least one random value.

Advantageously, said transformation is based on the "exclusive or", "logical and" and "logical shift of one bit to the left" operations. Advantageously, each part except one of the Boolean separation is obtained by applying Boolean operations to said variable or variables obtained by successive iteration, to said parts of the arithmetic separation and to said random value or values.

Advantageously, the Boolean operations applied to obtain all the parts except one of the Boolean separation are the "exclusive or" operation and the "logical shift of one bit to the left" operation.

Advantageously, to secure an electronic assembly using K-bit registers, with the arithmetic separation in two parts using the "addition" operation and the Boolean separation in two parts using the "exclusive or" operation, the method is characterized in that, to pass from the arithmetic separation to the Boolean separation, (2K+4) "exclusive or" operations, (2K+1) "logical and" operations, and K "logical shift of one bit to the left" operations are used.

The invention also relates to an embedded system comprising a processor and a memory, and implementing a cryptographic algorithm stored in the memory and using Boolean operations and arithmetic operations, in which at least one variable is separated into several parts, according to a Boolean separation using a Boolean operation and according to an arithmetic separation using an arithmetic operation, characterized in that, to pass from either of these separations to the other, it comprises conversion means for performing, by means of the processor, a predetermined number of Boolean and arithmetic operations on said parts and on at least one random value, such that, for each of the values appearing during the computation, there is no correlation with said variable, the computation ending in a result stored in the memory.
The description that follows is accompanied by a single figure showing the structure of a smart card capable of executing the invention.

From Boolean masking to arithmetic masking

To compute A = (x' ⊕ r) − r, the following algorithm is used:

"BooleanToArithmetic" algorithm
Input: (x', r) such that x = x' ⊕ r.
Output: (A, r) such that x = A + r.
    Initialize Γ to a random value γ
    T ← x' ⊕ Γ
    T ← T − Γ
    T ← T ⊕ x'
    Γ ← Γ ⊕ r
    A ← x' ⊕ Γ
    A ← A − Γ
    A ← A ⊕ T

The "BooleanToArithmetic" algorithm uses 2 auxiliary variables (T and Γ), 1 call to the random generator, and 7 elementary operations (more precisely 5 "XOR" and 2 subtractions).
From arithmetic masking to Boolean masking

To compute x' = (A + r) ⊕ r, the following algorithm is used:

"ArithmeticToBoolean" algorithm
Input: (A, r) such that x = A + r.
Output: (x', r) such that x = x' ⊕ r.
    Initialize Γ to a random value γ
    T ← 2.Γ
    x' ← Γ ⊕ r
    Ω ← Γ ∧ x'
    x' ← T ⊕ A
    Γ ← Γ ⊕ x'
    Γ ← Γ ∧ r
    Ω ← Ω ⊕ Γ
    Γ ← T ∧ A
    Ω ← Ω ⊕ Γ
    FOR k = 1 to K−1
        Γ ← T ∧ r
        Γ ← Γ ⊕ Ω
        T ← T ∧ A
        Γ ← Γ ⊕ T
        T ← 2.Γ
    ENDFOR
    x' ← x' ⊕ T

The "ArithmeticToBoolean" algorithm uses 3 auxiliary variables (T, Ω and Γ), 1 call to the random generator, and (5K+5) elementary operations (more precisely (2K+4) "XOR", (2K+1) "AND" and K "left shifts").
As regards the number of random values involved in the method according to the invention, note that there may be one or more per variable and, in the case of several variables, there will generally be several random values respectively associated with those variables.

The single figure recalls the general structure of a smart card 1. It comprises information processing means or CPU 2, information storage means 3, 4, 5 of different types (RAM, EEPROM, ROM), input/output means 6 allowing the card to cooperate with a card reader terminal, and a bus 7 allowing these different elements to communicate with one another. The aforementioned conversion means, capable of performing the Boolean and arithmetic operations, comprise in particular at least one program stored in the information storage means 3, 4, 5.

Claims

1. Method for securing an electronic assembly implementing a cryptographic algorithm that uses Boolean operations and arithmetic operations, in which at least one variable is separated into several parts, according to a Boolean separation using a Boolean operation and according to an arithmetic separation using an arithmetic operation, characterized in that, in order to pass from either of these separations to the other, a predetermined number of Boolean and arithmetic operations are performed on said parts and on at least one random value, so that none of the values appearing during the computation is correlated with said variable.
2. Method according to claim 1, characterized in that, to pass from the Boolean separation to the arithmetic separation, the method comprises the following steps:
- separating all the parts but one into at least two elements;
- computing at least two partial results, none of which ever depends on all the elements of a part;
- to obtain each part but one of the arithmetic separation, combining at least two of said partial results.
3. Method according to claim 2, characterized in that the separation of said parts into at least two elements uses a Boolean operation.
4. Method according to claim 2, characterized in that said combining of two of said partial results is carried out by means of a Boolean operation.
5. Method according to claim 3, characterized in that the Boolean operation used for the separation of said parts into at least two elements is the "exclusive or" operation.
6. Method according to claim 4, characterized in that the Boolean operation used for combining said partial results is the "exclusive or" operation.
7. Method according to claim 6, characterized in that, to pass from the Boolean separation to the arithmetic separation, only the "exclusive or" and "subtraction" operations are used.
8. Method according to claim 6, the Boolean separation, into two parts, using the "exclusive or" operation and the arithmetic separation, into two parts, using the "addition" operation, characterized in that, to pass from the Boolean separation to the arithmetic separation, five "exclusive or" operations and two "subtraction" operations are used.
9. Method according to claim 1, characterized in that, to pass from the arithmetic separation to the Boolean separation, at least one variable is defined that is obtained by a predetermined number of successive iterations from an initial value which is a function of at least one random value, by successive applications of a transformation based on Boolean and arithmetic operations applied to said parts of the arithmetic separation and to said at least one random value.
10. Method according to claim 9, characterized in that said transformation is based on the "exclusive or", "logical and" and "logical one-bit left shift" operations.
11. Method according to claim 9, characterized in that each part but one of the Boolean separation is obtained by applying Boolean operations to said variable or variables obtained by successive iterations, to said parts of the arithmetic separation and to said random value or values.
12. Method according to claim 11, characterized in that the Boolean operations applied to obtain all the parts but one of the Boolean separation are the "exclusive or" operation and the "logical one-bit left shift" operation.
13. Method according to claim 12, for securing an electronic assembly using K-bit registers, the arithmetic separation, into two parts, using the "addition" operation and the Boolean separation, into two parts, using the "exclusive or" operation, characterized in that, to pass from the Boolean separation to the arithmetic separation, (2K+4) "exclusive or" operations, (2K+1) "logical and" operations and K "logical one-bit left shift" operations are used.
14. Embedded system comprising information processing means and information storage means, and implementing a cryptographic algorithm that uses Boolean operations and arithmetic operations, in which at least one variable is separated into several parts, according to a Boolean separation using a Boolean operation and according to an arithmetic separation using an arithmetic operation, characterized in that, in order to pass from either of these separations to the other, it comprises conversion means for performing a predetermined number of Boolean and arithmetic operations on said parts and on at least one random value, so that none of the values appearing during the computation is correlated with said variable.
EP02704839A 2001-02-15 2002-02-14 Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system Withdrawn EP1362451A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0102091A FR2820914A1 (en) 2001-02-15 2001-02-15 METHOD OF SECURING AN ELECTRONIC ASSEMBLY USING CRYPTOGRAPHIC ALGORITHM USING BOOLEAN OPERATIONS AND ARITHMETIC OPERATIONS, AND CORRESPONDING ONBOARD SYSTEM
FR0102091 2001-02-15
PCT/FR2002/000579 WO2002065692A1 (en) 2001-02-15 2002-02-14 Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system

Publications (1)

Publication Number Publication Date
EP1362451A1 true EP1362451A1 (en) 2003-11-19

Family

ID=8860075

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02704839A Withdrawn EP1362451A1 (en) 2001-02-15 2002-02-14 Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system

Country Status (4)

Country Link
US (1) US7334133B2 (en)
EP (1) EP1362451A1 (en)
FR (1) FR2820914A1 (en)
WO (1) WO2002065692A1 (en)

Families Citing this family (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100585119B1 (en) * 2004-01-07 2006-06-01 삼성전자주식회사 Cryptographic apparatus and cryptographic method , and storage medium thereof
DE102004023902A1 (en) * 2004-05-13 2005-12-01 Giesecke & Devrient Gmbh Transition from Boolean masking to arithmetic masking
DE102004061312B4 (en) * 2004-12-20 2007-10-25 Infineon Technologies Ag Apparatus and method for detecting a potential attack on a cryptographic calculation
US8752032B2 (en) * 2007-02-23 2014-06-10 Irdeto Canada Corporation System and method of interlocking to protect software-mediated program and device behaviours
FR2924879B1 (en) 2007-12-07 2009-12-18 Sagem Securite METHOD OF ENCODING A SECRET FORMED BY A DIGITAL VALUE
KR101566408B1 (en) * 2009-03-13 2015-11-05 삼성전자주식회사 Conversion circuit and method between boolean and arithmetic masks
US8615078B2 (en) * 2009-08-21 2013-12-24 Electronics And Telecommunications Research Institute Method and apparatus for processing F-function in seed encryption system
KR101334040B1 (en) * 2010-01-20 2013-11-28 한국전자통신연구원 Method and apparatus for providing masking operations in encryption system
FR2960728B1 (en) * 2010-05-26 2016-04-15 Oberthur Technologies METHOD FOR DETERMINING A REPRESENTATION OF A PRODUCT AND METHOD FOR EVALUATING A FUNCTION
US8572146B2 (en) 2010-08-17 2013-10-29 Fujitsu Limited Comparing data samples represented by characteristic functions
US8874607B2 (en) 2010-08-17 2014-10-28 Fujitsu Limited Representing sensor data as binary decision diagrams
US8930394B2 (en) 2010-08-17 2015-01-06 Fujitsu Limited Querying sensor data stored as binary decision diagrams
US8645108B2 (en) 2010-08-17 2014-02-04 Fujitsu Limited Annotating binary decision diagrams representing sensor data
US8583718B2 (en) 2010-08-17 2013-11-12 Fujitsu Limited Comparing boolean functions representing sensor data
US8495038B2 (en) * 2010-08-17 2013-07-23 Fujitsu Limited Validating sensor data represented by characteristic functions
US9002781B2 (en) 2010-08-17 2015-04-07 Fujitsu Limited Annotating environmental data represented by characteristic functions
US9138143B2 (en) 2010-08-17 2015-09-22 Fujitsu Limited Annotating medical data represented by characteristic functions
KR20120070873A (en) 2010-12-22 2012-07-02 한국전자통신연구원 Subchannel prevention masked addition operator
US8781995B2 (en) 2011-09-23 2014-07-15 Fujitsu Limited Range queries in binary decision diagrams
US9176819B2 (en) 2011-09-23 2015-11-03 Fujitsu Limited Detecting sensor malfunctions using compression analysis of binary decision diagrams
US8812943B2 (en) * 2011-09-23 2014-08-19 Fujitsu Limited Detecting data corruption in medical binary decision diagrams using hashing techniques
US9075908B2 (en) 2011-09-23 2015-07-07 Fujitsu Limited Partitioning medical binary decision diagrams for size optimization
US8620854B2 (en) 2011-09-23 2013-12-31 Fujitsu Limited Annotating medical binary decision diagrams with health state information
US8909592B2 (en) 2011-09-23 2014-12-09 Fujitsu Limited Combining medical binary decision diagrams to determine data correlations
US8719214B2 (en) 2011-09-23 2014-05-06 Fujitsu Limited Combining medical binary decision diagrams for analysis optimization
US8838523B2 (en) 2011-09-23 2014-09-16 Fujitsu Limited Compression threshold analysis of binary decision diagrams
US9177247B2 (en) 2011-09-23 2015-11-03 Fujitsu Limited Partitioning medical binary decision diagrams for analysis optimization
EP2634953A1 (en) * 2012-03-02 2013-09-04 Gemalto SA Countermeasure method against side channel analysis for cryptographic algorithms using boolean operations and arithmetic operations
TWI507989B (en) * 2013-08-08 2015-11-11 Nat Univ Tsing Hua Method of resource-oriented power analysis for embedded system
US9923719B2 (en) 2014-12-09 2018-03-20 Cryptography Research, Inc. Location aware cryptography
US10333699B1 (en) 2015-09-30 2019-06-25 Cryptography Research, Inc. Generating a pseudorandom number based on a portion of shares used in a cryptographic operation
US10871947B2 (en) 2016-03-03 2020-12-22 Cryptography Research, Inc. Converting a boolean masked value to an arithmetically masked value for cryptographic operations
DE102017002153A1 (en) 2017-03-06 2018-09-06 Giesecke+Devrient Mobile Security Gmbh Transition from Boolean masking to arithmetic masking
FR3101982B1 (en) 2019-10-11 2024-03-08 St Microelectronics Grenoble 2 Determining an indicator bit
FR3101980B1 (en) 2019-10-11 2021-12-10 St Microelectronics Grenoble 2 Processor
FR3101983B1 (en) * 2019-10-11 2021-11-12 St Microelectronics Grenoble 2 Determining an indicator bit
DE102021003275B3 (en) 2021-06-24 2022-07-14 Giesecke+Devrient Mobile Security Gmbh Method for computing a transition from a Boolean to an arithmetic masking

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US6182216B1 (en) * 1997-09-17 2001-01-30 Frank C. Luyster Block cipher method
WO2001024439A1 (en) * 1999-09-29 2001-04-05 Hitachi, Ltd. Device, program or system for processing secret information

Also Published As

Publication number Publication date
US20040139136A1 (en) 2004-07-15
US7334133B2 (en) 2008-02-19
WO2002065692A1 (en) 2002-08-22
FR2820914A1 (en) 2002-08-16

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20030915

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: SCHLUMBERGER SYSTEMES SA

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: AXALTO S.A.

17Q First examination report despatched

Effective date: 20050422

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GEMALTO SA

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20140924