EP1362451A1 - Method for securing an electronic assembly implementing a cryptographic algorithm using Boolean operations and arithmetic operations, and corresponding embedded system - Google Patents
- Publication number
- EP1362451A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- boolean
- separation
- arithmetic
- operations
- parts
- Prior art date
- Legal status
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
Definitions
- The object of the present invention is to propose two new algorithms, "BooleanToArithmetic" and "ArithmeticToBoolean", proven to be secure against DPA attacks.
- Each of these algorithms uses only very simple operations: XOR (exclusive or), AND, subtraction, and the left shift of a register.
- Our "BooleanToArithmetic" algorithm uses a constant number (equal to 7) of such elementary operations, while the number of elementary operations involved in our "ArithmeticToBoolean" algorithm is proportional (it is 5K + 5) to the size (i.e. the number of bits K) of the processor registers.
- DPA: Differential Power Analysis.
- The present invention is concerned with the "masking" method suggested by Chari et al. [2].
- The basic principle consists in programming the algorithm so that the fundamental assumption above no longer holds (i.e. an intermediate variable never depends on the knowledge of an easily accessible subset of the secret key). More precisely, by using a key sharing scheme, each of the intermediate variables appearing in the cryptographic algorithm is separated into several parts. In this way, an attacker is forced to analyze distributions of several points, which makes his task exponential in the number of elements of the separation.
- A Boolean masking: x' = x ⊕ r.
- An arithmetic masking: A = x - r modulo 2^K.
- The variable x is masked by the random value r, which gives the masked value x' (or A).
- Our objective is to find an efficient algorithm to pass from Boolean masking to arithmetic masking and vice versa, while ensuring that the intermediate variables are decorrelated from the data to be masked, which ensures resistance to DPA.
- the invention relates to a method for securing an electronic assembly comprising a processor and a memory, implementing a cryptographic algorithm stored in the memory and using Boolean operations and arithmetic operations, in which at least one variable is separated into several parts, according to a Boolean separation using a Boolean operation, and according to an arithmetic separation using an arithmetic operation, characterized in that, to pass from any one of these separations to the other, one performs, by means of the processor, a predetermined number of Boolean and arithmetic operations on said parts and at least one random number, so that, for each of the values appearing during the calculation, there is no correlation with said variable, the calculation resulting in a result stored in memory.
- the method comprises the following stages:
- The separation of said parts into at least two elements uses a Boolean operation.
- Said grouping of two of said partial results is carried out by means of a Boolean operation.
- The Boolean operation used for the separation of said parts into at least two elements is the "exclusive or" operation.
- The Boolean operation used for grouping said partial results is the "exclusive or" operation.
- With the Boolean separation in two parts using the "exclusive or" operation and the arithmetic separation in two parts using the "addition" operation, the method is characterized in that, to pass from the Boolean separation to the arithmetic separation, five "exclusive or" operations and two "subtraction" operations are used.
- At least one variable obtained by means of a predetermined number of successive iterations is defined from an initial value which is a function of at least one random value, by successive applications of a transformation based on Boolean and arithmetic operations applied to said parts of the arithmetic separation and to said at least one random value.
- Each part except one of the Boolean separation is obtained by applying Boolean operations to said variable or variables obtained by successive iteration, to said parts of the arithmetic separation and to said random value(s).
- The Boolean operations applied to obtain all the parts except one of the Boolean separation are the "exclusive or" operation and the "logical shift of one bit to the left" operation.
- With the arithmetic separation in two parts using the "addition" operation and the Boolean separation in two parts using the "exclusive or" operation, the method is characterized in that, to pass from the arithmetic separation to the Boolean separation, (2K + 4) "exclusive or" operations, (2K + 1) "logical and" operations and K "logical shift of one bit to the left" operations are used.
- The invention also relates to an on-board system comprising a processor and a memory, and implementing a cryptographic algorithm stored in the memory and using Boolean operations and arithmetic operations, in which at least one variable is separated into several parts, according to a Boolean separation using a Boolean operation, and according to an arithmetic separation using an arithmetic operation, characterized in that, to pass from any one of these separations to the other, it comprises conversion means for effecting, by means of the processor, a predetermined number of Boolean and arithmetic operations on said parts and at least one random value, so that, for each of the values appearing during the calculation, there is no correlation with said variable, the calculation resulting in a result stored in memory.
- Input: (x', r) such that x = x' ⊕ r.
- Output: (A, r) such that x = A + r.
- The "BooleanToArithmetic" algorithm uses 2 auxiliary variables (T and Γ), 1 call to the random generator, and 7 elementary operations (more precisely: 5 "XOR" and 2 subtractions).
- The "ArithmeticToBoolean" algorithm uses 3 auxiliary variables (T, Ω and Γ), 1 call to the random generator, and (5K + 5) elementary operations (more precisely: (2K + 4) "XOR", (2K + 1) "AND" and K "left shifts").
- A smart card includes information processing means or CPU 2, information storage means 3, 4, 5 of different types (RAM, EEPROM, ROM), input/output means 6 allowing the card to cooperate with a card reader terminal, and a bus 7 allowing these different elements to interact with each other.
- The aforementioned conversion means, suitable for performing Boolean and arithmetic operations, include in particular at least one program stored in the information storage means 3, 4, 5.
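Both conversions described in the definitions above, written out as an added Python example (not text or code from the patent); the register width K = 8, the variable names and the use of `secrets` for the random value Γ are assumptions of the example. The operation tags in the comments let the 7 and 5K + 5 figures be checked against the code, and the exhaustive check shows the result is correct whatever value the random generator produced.

```python
import secrets

K = 8                 # register width in bits (assumption of this example; the patent keeps K general)
MASK = (1 << K) - 1   # arithmetic is taken modulo 2^K, as on a K-bit register


def boolean_to_arithmetic(x_bool, r, gamma):
    """(x', r) with x = x' ^ r  ->  A with x = A + r mod 2^K; gamma is the fresh random value.
    Uses 5 XOR and 2 subtractions; the key fact is that Phi(a, b) = (a ^ b) - b is
    GF(2)-affine in b, so Phi(x', r) = Phi(x', gamma) ^ Phi(x', gamma ^ r) ^ x'."""
    t = x_bool ^ gamma             # XOR 1
    t = (t - gamma) & MASK         # SUB 1   t = Phi(x', gamma)
    t ^= x_bool                    # XOR 2
    gamma ^= r                     # XOR 3   gamma now holds gamma ^ r
    a = x_bool ^ gamma             # XOR 4
    a = (a - gamma) & MASK         # SUB 2   a = Phi(x', gamma ^ r)
    return a ^ t                   # XOR 5   a = Phi(x', r) = x - r mod 2^K


def arithmetic_to_boolean(a, r, gamma):
    """(A, r) with x = A + r mod 2^K  ->  x' with x = x' ^ r; gamma is the fresh random value.
    The carry of A + r is computed bit-serially while XOR-masked with 2*gamma:
    (2K+4) XOR, (2K+1) AND and K one-bit left shifts."""
    t = (gamma << 1) & MASK        # SHIFT 1  t = 2*gamma = masked carry (carry is 0 so far)
    x_bool = gamma ^ r             # XOR 1
    omega = gamma & x_bool         # AND 1
    x_bool = t ^ a                 # XOR 2    x' = A ^ 2*gamma
    gamma ^= x_bool                # XOR 3
    gamma &= r                     # AND 2
    omega ^= gamma                 # XOR 4
    gamma = t & a                  # AND 3
    omega ^= gamma                 # XOR 5    omega = (A & r) ^ gamma ^ (2*gamma & (A ^ r))
    for _ in range(K - 1):         # each pass fixes one more carry bit, still under the mask
        gamma = t & r              # AND
        gamma ^= omega             # XOR
        t &= a                     # AND
        gamma ^= t                 # XOR      gamma = next_carry/2 ^ original gamma
        t = (gamma << 1) & MASK    # SHIFT    t = next_carry ^ 2*original gamma
    return x_bool ^ t              # XOR      (A ^ 2g) ^ (carry ^ 2g) = A ^ carry = x ^ r


def conversions_consistent(x, r, gamma_1, gamma_2):
    """Check both directions against the unmasked definitions for one (x, r) pair."""
    x_bool = x ^ r
    a = boolean_to_arithmetic(x_bool, r, gamma_1)
    ok_b2a = (a + r) & MASK == x
    ok_a2b = arithmetic_to_boolean(a, r, gamma_2) ^ r == x
    return ok_b2a and ok_a2b


def check_all_inputs():
    """Exhaustive over all K-bit (x, r) pairs with fresh random masks; True if all round-trip."""
    return all(conversions_consistent(x, r, secrets.randbelow(1 << K), secrets.randbelow(1 << K))
               for x in range(1 << K) for r in range(1 << K))


if __name__ == "__main__":
    print("all", 1 << K, "x", 1 << K, "inputs convert correctly:", check_all_inputs())
```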
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0102091A FR2820914A1 (fr) | 2001-02-15 | 2001-02-15 | Method for securing an electronic assembly implementing a cryptographic algorithm using Boolean operations and arithmetic operations, and corresponding embedded system |
FR0102091 | 2001-02-15 | ||
PCT/FR2002/000579 WO2002065692A1 (fr) | 2001-02-15 | 2002-02-14 | Method for securing an electronic assembly implementing a cryptographic algorithm using Boolean operations and arithmetic operations, and corresponding embedded system |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1362451A1 true EP1362451A1 (fr) | 2003-11-19 |
Family
ID=8860075
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP02704839A Withdrawn EP1362451A1 (fr) | 2001-02-15 | 2002-02-14 | Method for securing an electronic assembly implementing a cryptographic algorithm using Boolean operations and arithmetic operations, and corresponding embedded system |
Country Status (4)
Country | Link |
---|---|
US (1) | US7334133B2 (fr) |
EP (1) | EP1362451A1 (fr) |
FR (1) | FR2820914A1 (fr) |
WO (1) | WO2002065692A1 (fr) |
Families Citing this family (37)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100585119B1 (ko) * | 2004-01-07 | 2006-06-01 | 삼성전자주식회사 | Encryption apparatus, encryption method and recording medium therefor |
DE102004023902A1 (de) * | 2004-05-13 | 2005-12-01 | Giesecke & Devrient Gmbh | Transition from a Boolean masking to an arithmetic masking |
DE102004061312B4 (de) * | 2004-12-20 | 2007-10-25 | Infineon Technologies Ag | Device and method for detecting a potential attack on a cryptographic computation |
US8752032B2 (en) * | 2007-02-23 | 2014-06-10 | Irdeto Canada Corporation | System and method of interlocking to protect software-mediated program and device behaviours |
FR2924879B1 (fr) | 2007-12-07 | 2009-12-18 | Sagem Securite | Method for encoding a secret formed by a numerical value |
KR101566408B1 (ko) * | 2009-03-13 | 2015-11-05 | 삼성전자주식회사 | Conversion circuit and conversion method between a Boolean mask and an arithmetic mask |
US8615078B2 (en) * | 2009-08-21 | 2013-12-24 | Electronics And Telecommunications Research Institute | Method and apparatus for processing F-function in seed encryption system |
KR101334040B1 (ko) * | 2010-01-20 | 2013-11-28 | 한국전자통신연구원 | Masking operation method and apparatus for a symmetric-key encryption system |
FR2960728B1 (fr) * | 2010-05-26 | 2016-04-15 | Oberthur Technologies | Method for determining a representation of a product and method for evaluating a function |
US8874607B2 (en) | 2010-08-17 | 2014-10-28 | Fujitsu Limited | Representing sensor data as binary decision diagrams |
US8930394B2 (en) | 2010-08-17 | 2015-01-06 | Fujitsu Limited | Querying sensor data stored as binary decision diagrams |
US9002781B2 (en) | 2010-08-17 | 2015-04-07 | Fujitsu Limited | Annotating environmental data represented by characteristic functions |
US8495038B2 (en) * | 2010-08-17 | 2013-07-23 | Fujitsu Limited | Validating sensor data represented by characteristic functions |
US9138143B2 (en) | 2010-08-17 | 2015-09-22 | Fujitsu Limited | Annotating medical data represented by characteristic functions |
US8645108B2 (en) | 2010-08-17 | 2014-02-04 | Fujitsu Limited | Annotating binary decision diagrams representing sensor data |
US8583718B2 (en) | 2010-08-17 | 2013-11-12 | Fujitsu Limited | Comparing boolean functions representing sensor data |
US8572146B2 (en) | 2010-08-17 | 2013-10-29 | Fujitsu Limited | Comparing data samples represented by characteristic functions |
KR20120070873A (ko) | 2010-12-22 | 2012-07-02 | 한국전자통신연구원 | Side-channel-resistant masked addition operation apparatus |
US8838523B2 (en) | 2011-09-23 | 2014-09-16 | Fujitsu Limited | Compression threshold analysis of binary decision diagrams |
US9177247B2 (en) | 2011-09-23 | 2015-11-03 | Fujitsu Limited | Partitioning medical binary decision diagrams for analysis optimization |
US8719214B2 (en) | 2011-09-23 | 2014-05-06 | Fujitsu Limited | Combining medical binary decision diagrams for analysis optimization |
US8812943B2 (en) * | 2011-09-23 | 2014-08-19 | Fujitsu Limited | Detecting data corruption in medical binary decision diagrams using hashing techniques |
US8781995B2 (en) | 2011-09-23 | 2014-07-15 | Fujitsu Limited | Range queries in binary decision diagrams |
US9075908B2 (en) | 2011-09-23 | 2015-07-07 | Fujitsu Limited | Partitioning medical binary decision diagrams for size optimization |
US8909592B2 (en) | 2011-09-23 | 2014-12-09 | Fujitsu Limited | Combining medical binary decision diagrams to determine data correlations |
US9176819B2 (en) | 2011-09-23 | 2015-11-03 | Fujitsu Limited | Detecting sensor malfunctions using compression analysis of binary decision diagrams |
US8620854B2 (en) | 2011-09-23 | 2013-12-31 | Fujitsu Limited | Annotating medical binary decision diagrams with health state information |
EP2634953A1 (fr) | 2012-03-02 | 2013-09-04 | Gemalto SA | Countermeasure method against side-channel analysis for cryptographic algorithms using Boolean operations and arithmetic operations |
TWI507989B (zh) * | 2013-08-08 | 2015-11-11 | Nat Univ Tsing Hua | Resource-oriented power consumption analysis method for embedded systems |
US9923719B2 (en) | 2014-12-09 | 2018-03-20 | Cryptography Research, Inc. | Location aware cryptography |
US10333699B1 (en) | 2015-09-30 | 2019-06-25 | Cryptography Research, Inc. | Generating a pseudorandom number based on a portion of shares used in a cryptographic operation |
US10871947B2 (en) | 2016-03-03 | 2020-12-22 | Cryptography Research, Inc. | Converting a boolean masked value to an arithmetically masked value for cryptographic operations |
DE102017002153A1 (de) * | 2017-03-06 | 2018-09-06 | Giesecke+Devrient Mobile Security Gmbh | Transition from a Boolean masking to an arithmetic masking |
FR3101982B1 (fr) | 2019-10-11 | 2024-03-08 | St Microelectronics Grenoble 2 | Determination of an indicator bit |
FR3101980B1 (fr) | 2019-10-11 | 2021-12-10 | St Microelectronics Grenoble 2 | Processor |
FR3101983B1 (fr) * | 2019-10-11 | 2021-11-12 | St Microelectronics Grenoble 2 | Determination of an indicator bit |
DE102021003275B3 (de) | 2021-06-24 | 2022-07-14 | Giesecke+Devrient Mobile Security Gmbh | Method for computing a transition from a Boolean to an arithmetic masking |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6182216B1 (en) * | 1997-09-17 | 2001-01-30 | Frank C. Luyster | Block cipher method |
JP4671571B2 (ja) * | 1999-09-29 | 2011-04-20 | 株式会社日立製作所 | Secret information processing device and memory storing a secret information processing program |
2001
- 2001-02-15 FR FR0102091A patent/FR2820914A1/fr active Pending
2002
- 2002-02-14 EP EP02704839A patent/EP1362451A1/fr not_active Withdrawn
- 2002-02-14 WO PCT/FR2002/000579 patent/WO2002065692A1/fr not_active Application Discontinuation
- 2002-02-14 US US10/468,130 patent/US7334133B2/en not_active Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
See references of WO02065692A1 * |
Also Published As
Publication number | Publication date |
---|---|
US7334133B2 (en) | 2008-02-19 |
FR2820914A1 (fr) | 2002-08-16 |
WO2002065692A1 (fr) | 2002-08-22 |
US20040139136A1 (en) | 2004-07-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1362451A1 (fr) | Method for securing an electronic assembly implementing a cryptographic algorithm using Boolean operations and arithmetic operations, and corresponding embedded system | |
Coron et al. | On boolean and arithmetic masking against differential power analysis | |
JP4632950B2 (ja) | Tamper-resistant cryptographic processing using a private key | |
Standaert et al. | An overview of power analysis attacks against field programmable gate arrays | |
Goubin | A sound method for switching between boolean and arithmetic masking | |
US10361854B2 (en) | Modular multiplication device and method | |
US7908641B2 (en) | Modular exponentiation with randomized exponent | |
US8422671B2 (en) | Methods of encryption and decryption using operand ordering and encryption systems using the same | |
Mather et al. | Multi-target DPA attacks: Pushing DPA beyond the limits of a desktop computer | |
JP5823639B2 (ja) | Countermeasure method against side-channel analysis for cryptographic algorithms using Boolean and arithmetic operations | |
CN101006677A (zh) | Method and apparatus for performing cryptographic operations | |
CN111817842B (zh) | Power analysis attack test apparatus and method for RSA-CRT operations | |
Kamoun et al. | Experimental Implementation of 2ODPA attacks on AES design with flash-based FPGA Technology | |
WO2002088933A1 (fr) | Countermeasure method in an electronic component implementing a public-key cryptographic algorithm on an elliptic curve | |
Roelofs et al. | Online template attack on ECDSA: Extracting keys via the other side | |
Hanley et al. | Unknown plaintext template attacks | |
US7123717B1 (en) | Countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm | |
Kim et al. | Practical second‐order correlation power analysis on the message blinding method and its novel countermeasure for RSA | |
Gaspar et al. | Hardware implementation and side-channel analysis of lapin | |
EP1198921A2 (fr) | Countermeasure method in an electronic component implementing a secret-key cryptographic algorithm | |
WO2006067057A1 (fr) | Secure and compact exponentiation method for cryptography | |
Park et al. | An improved side channel attack using event information of subtraction | |
Qiao et al. | When NTT Meets SIS: Efficient Side-channel Attacks on Dilithium and Kyber | |
JP2002529777A (ja) | Countermeasure method in an electronic component using a secret-key encryption algorithm | |
Yen et al. | Improvement on Ha-Moon randomized exponentiation algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
20030915 | 17P | Request for examination filed | |
| AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
| AX | Request for extension of the European patent | Extension state: AL LT LV MK RO SI |
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: SCHLUMBERGER SYSTEMES SA |
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: AXALTO S.A. |
20050422 | 17Q | First examination report despatched | |
| RAP1 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: GEMALTO SA |
| STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
20140924 | 18D | Application deemed to be withdrawn | |