EP1595357A4 - Device and method for manipulating masked data - Google Patents

Device and method for manipulating masked data

Info

Publication number
EP1595357A4
Authority
EP
European Patent Office
Prior art keywords
data
mask
representation
input
output
Legal status
Withdrawn
Application number
EP04708426A
Other languages
German (de)
English (en)
Other versions
EP1595357A2 (fr)
Inventor
Shay Gueron
Ori Parzanchevski
Or Zuk
Current Assignee
DISCRETIX TECHNOLOGIES Ltd
Original Assignee
DISCRETIX TECHNOLOGIES Ltd
Application filed by DISCRETIX TECHNOLOGIES Ltd
Publication of EP1595357A2
Publication of EP1595357A4

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724 Finite field arithmetic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7209 Calculation via subfield, i.e. the subfield being GF(q) with q a prime power, e.g. GF ((2**m)**n) via GF(2**m)
    • G06F2207/7219 Countermeasures against side channel or fault attacks
    • G06F2207/7223 Randomisation as countermeasure against side channel attacks
    • G06F2207/7233 Masking, e.g. (A**e)+r mod n
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding
    • H04L2209/046 Masking or blinding of operations, operands or results of the operations

Definitions

  • The present invention relates generally to computations in finite fields and, more particularly, to masked data manipulation in finite fields.
  • Data manipulation algorithms may include performing an inverse operation on data elements of finite fields.
  • The Advanced Encryption Standard (AES) provides the Rijndael Block Cipher Algorithm ("the Rijndael algorithm"), which includes a ByteSub bit-level operation on input data including a vector, e.g., a byte, x.
  • The ByteSub operation includes an encryption mode and a decryption mode.
  • The encryption mode includes an inverse operation followed by an affine transformation, e.g., x is converted into Ax^-1 + b, wherein A and b are predetermined parameters.
  • The decryption mode includes an affine transformation followed by an inverse operation, e.g., x is transformed into (A^-1 (x + b))^-1.
  • The inverse operation is performed over a Galois Field, GF(2^8).
  • Other block cipher algorithms also implement an inversion operation in GF(2^8).
  • These algorithms include, for example, the Camellia cipher algorithm described by K. Aoki et al. in "Specification of Camellia - a 128-bit Block Cipher", http://info.isl.ntt.co.jp/camellia/, and the Zodiac cipher algorithm described by C. H. Lee in "Zodiac: Block Cipher Proposal", http://www.safedigm.com/productpds/download/Safedigm_Zodiac.pdf.
  • A Differential Power Analysis (DPA) attack may use a correlation between an input and an output of the data manipulation algorithm to reveal a secret key implemented by the algorithm.
  • A random input mask, denoted R, may be added, e.g., over GF(2), to the input vector (e.g., byte), x, before performing the algorithm, to obtain masked data.
  • The random mask may include a random vector having a bit-length equal to the length of x.
  • A method described by Trichina, E. et al. in "Simplified Adaptive Multiplicative Masking for AES and its Securized Implementation", CHES 2002, includes the steps of multiplying the masked input vector, x+R, by R to obtain xR+R^2, adding R^2 to the result to obtain xR, inverting xR to obtain x^-1 R^-1, adding 1 to x^-1 R^-1 to obtain x^-1 R^-1 + 1, and multiplying the result by R to obtain x^-1 + R.
  • Performing a masked inversion of AES data using the method described by Trichina, E. et al. may require two multiplications, one squaring, and two additions over GF(2^8).
  • A hardware implementation of such an inversion may be relatively complex and/or power consuming.
  • The hardware implementation may require a square Look Up Table (LUT) having a size of 256 bytes, and two multiplication circuits for multiplication in GF(2^8).
  • Embodiments of the invention provide a method and a device for efficiently manipulating masked data provided in a first representation of a finite field, e.g., for implementing an inversion of masked input data provided in the first representation, by converting the masked input data into a second representation and performing in the second representation operations equivalent to operations of the first representation to obtain masked manipulated data.
  • the method of manipulating masked data may include converting the masked input data in the first representation into converted data in the second representation of the finite field, and manipulating the converted data to obtain masked manipulated data.
  • the method may also include converting an input mask of the masked input data into an updated mask in the second representation.
  • Manipulating the converted data may include manipulating the converted data using the updated mask.
  • converting the input data may result in the converted data being masked by the updated mask.
  • Manipulating the converted data may result in the manipulated data being masked by the updated mask.
  • manipulating the converted data may include performing at least one operation equivalent to at least one desired operation in the first representation.
  • manipulating the converted data may include multiplying the converted data by the updated mask to obtain first intermediate data, adding to the first intermediate data a square of the updated mask to obtain second intermediate data, inverting the second intermediate data to obtain third intermediate data, adding a unit data bit to the third intermediate data to obtain fourth intermediate data, and multiplying the fourth intermediate data by the updated mask to obtain masked inverted data in the second representation.
  • the method may include de-converting the manipulated data to obtain de-converted data in the first representation.
  • De-converting the manipulated data may result in the de-converted data being masked by a linear transformation of the input mask.
  • the finite field may include a Galois Field (GF).
  • the first representation may include a GF(2^(2s)) and the second representation may include a GF((2^s)^2).
  • s may equal four, i.e., the first representation may include a GF(2^8) and the second representation may include a GF((2^4)^2).
  • a device for manipulating masked input data may include a conversion block to convert the masked input data in the first representation into converted data in the second representation.
  • the conversion block may also convert an input mask of the masked input data into an updated mask.
  • the device may also include a manipulation block to manipulate the converted data in the second representation, and a de-conversion block to convert the manipulated data into de-converted data in the first representation.
  • the manipulation block may include an inversion block to invert the converted data in the second representation.
  • the de-converted data may be masked by an affine transformation of the input mask.
  • the conversion block may include an input conversion module to convert the masked input data in the first representation into corresponding converted data in the second representation.
  • the conversion block may also include a mask conversion module to convert the input mask into the updated mask.
  • the conversion of the input mask performed by the mask conversion module may be related to the conversion performed by the input conversion module.
  • the inversion block may include a first multiplier to multiply an output of the input conversion module with an output of the mask conversion module, and a squaring module to provide a square of the output of the mask conversion module.
  • the inversion block may also include a first adder to add an output of the squaring module to an output of the first multiplier, a zero detector to provide an output of a zero value if an output of the first adder is non-zero, and an AND gate to provide an output corresponding to a logical AND of an output of the zero detector and an output of the mask conversion module.
  • the inversion block may further include a second adder to add an output of the AND gate to an output of the first adder, an inversion module to invert an output of the second adder, a third adder to add a unit value to an output of the inversion module, a second multiplier to multiply the output of the mask conversion module with an output of the second adder, and a fourth adder to add an output of the second multiplier to an output of the AND gate.
  • the de-conversion block may include an output de-conversion module to de-convert the manipulated data in the second representation into corresponding de-converted data in the first representation.
  • the de-conversion block may also include a mask de-conversion module to de-convert the updated mask.
  • the de-conversion of the updated mask performed by the mask de-conversion module may be related to the conversion performed by the output de-conversion module.
  • FIG. 1 is a flow chart illustration of a method of manipulating masked data, in accordance with embodiments of the invention.
  • FIG. 2 is a schematic illustration of a circuit implementation of a device for manipulating masked data, in accordance with some exemplary embodiments of the invention.
  • FIG. 3A is a schematic illustration of a circuit implementation of a multiplier, in accordance with some exemplary embodiments of the invention.
  • FIG. 3B is a schematic illustration of a circuit implementation of a squaring module, in accordance with some exemplary embodiments of the invention.
  • FIG. 3C is a schematic illustration of a circuit implementation of an inversion module, in accordance with some exemplary embodiments of the invention.
  • FIG. 4 is a schematic illustration of a circuit implementation of an AES compatible device for encrypting/decrypting masked data, in accordance with some exemplary embodiments of the present invention.
  • FIG. 5A is a schematic illustration of a circuit implementation of a data conversion module, in accordance with some exemplary embodiments of the invention.
  • FIG. 5B is a schematic illustration of a circuit implementation of a mask conversion module, in accordance with some exemplary embodiments of the invention.
  • FIG. 6A is a schematic illustration of a circuit implementation of an output de-conversion module, in accordance with some exemplary embodiments of the invention.
  • FIG. 6B is a schematic illustration of a circuit implementation of a mask de-conversion module, in accordance with some exemplary embodiments of the invention.
  • GF(2^(2s)) refers to a representation of a Galois Field (GF) of order 2^(2s) as an extension field of GF(2) consisting of the polynomials over GF(2) modulo p(t), wherein p(t) is an irreducible polynomial of degree 2s over GF(2).
  • A polynomial may be represented in the GF(2^(2s)) representation by a string of 2s bits.
  • GF(2^s) is represented as an extension field of GF(2) consisting of the polynomials over GF(2) modulo q(t), wherein q(t) is an irreducible polynomial of a second degree over GF(2).
  • An element, z, in the GF((2^s)^2) representation may be defined by a 2s-digit binary number representing a linear polynomial z_1 t + z_0, wherein z_1 and z_0 are elements of GF(2^s) represented by polynomials modulo q(t).
  • Some exemplary embodiments of the invention described herein may refer to data in a binary field representation, e.g., a GF(2^s) representation, of a finite field, e.g., a GF.
  • Embodiments of the invention may be implemented for data in any other representation, e.g., a GF(g^h) representation, wherein g and h may have any desired value.
  • Masking input data including a vector, x, of a predetermined finite field may include adding to x an input random mask, denoted R, wherein R is an element randomly chosen from the predetermined finite field, to obtain masked input data, e.g., x+R.
  • FIG. 1 schematically illustrates a flow chart of a method of manipulating masked data, in accordance with some embodiments of the invention.
  • the method may include converting masked input data, e.g., including a combination of input data and an input random mask, in a first representation of a predetermined finite field, e.g., a GF, into masked converted data in a second representation of the predetermined finite field, e.g., by applying to the masked input data in the first representation a conversion operator, as described in detail below.
  • the method may include converting the input random mask in the first representation into an updated mask in the second representation, as described in detail below.
  • the method may also include manipulating the converted data, e.g., using the updated mask, to obtain masked manipulated data in the second representation, as described in detail below.
  • the method may further include de-converting the manipulated data back into the first representation by applying a de-conversion operator to obtain masked de-converted data in the first representation, as described in detail below.
  • the method may also include unmasking the masked de-converted data, e.g., as described below.
  • the method may also include generating the input random mask, e.g., as described below.
  • the method may also include masking input data, e.g., using the input mask to obtain the masked input data, for example, by adding the input mask to the input data, as is known in the art.
  • the conversion operator may include any suitable operator for converting data in the first representation into corresponding data in the second representation.
  • the conversion operator may include a representation-transformation matrix corresponding to the desired transformation, e.g., as described in International Application PCT/IL03/00647, entitled “Method and device of manipulating data in Finite Fields", filed August 6, 2003 and assigned to the assignee of the present application, the disclosure of which is incorporated herein by reference.
  • the conversion operator may include a combination of the representation-transformation matrix and an affine transformation, e.g., a decryption or an encryption affine transformation, as described below.
  • An isomorphism may exist between two representations of a predetermined finite field, e.g., a GF(2^n), denoted Rep_1 and Rep_2, respectively.
  • Each of the two representations may be a linear space of dimension n over GF(2), and each isomorphism may be a linear transformation between the representations.
  • An n×n binary representation-transformation matrix, M, may be computed for transforming, e.g., by matrix multiplication, elements in Rep_1 into corresponding elements in Rep_2.
  • An inverse representation-transformation matrix, M^-1, may exist for each representation-transformation.
  • An irreducible polynomial, p_0, having n roots may represent Rep_1.
  • Each root of p_0 is a generator of the GF(2^n) and invariant under field isomorphism.
  • A pair of corresponding generators of representations Rep_1 and Rep_2, respectively, may uniquely determine an isomorphism between Rep_1 and Rep_2, since the multiplicative group of the GF(2^n) is cyclic.
  • Equation System 1 includes 2n linear equations, which may be solved to determine the representation-transformation matrix, M, corresponding to the pair of generators r_1 and r_2.
  • Equation System 1 may include redundant equations, which may be ignored in order to reduce the number of computations. For example, only the first n equations may be used to provide one representation-transformation matrix.
  • Another representation-transformation matrix may be provided by a solution of Equation System 1 using a different pair of generators r_1 and r_2.
  • There may be n different equation systems corresponding to the n different generators in Rep_2, each defining an "image" of r_1, thereby providing n different representation-transformation matrices from Rep_1 to Rep_2.
  • Each root of the irreducible polynomial over GF(2^8) may be a generator of the GF(2^8) field.
  • Eight possible representation-transformation matrices, corresponding to the eight roots of the irreducible polynomial, respectively, may be computed for each field-extension representation of GF(2^8).
  • Polynomial representations of GF(2^4) over GF(2) may be defined by each of three irreducible reduction polynomials, e.g., 1 + t + t^4, 1 + t^3 + t^4, 1 + t + t^2 + t^3 + t^4.
  • Field extensions of one or more of the polynomial representations of GF(2^4) in GF(2^8) may be computed using irreducible extension polynomials, e.g., polynomials of the type t^2 + αt + β, wherein α and β may be elements of GF(2^4), such that t^2 + αt + β is irreducible over GF(2^4).
  • There may be fifteen different α values and eight different β values, providing 120 possible irreducible extension polynomials of the form t^2 + αt + β.
  • The three different reduction polynomials and the 120 irreducible extension polynomials result in 360 different GF((2^4)^2) representations of GF(2^8) as an extension of GF(2). Therefore, according to these exemplary embodiments, there may be 2880 possible representation-transformation matrices, corresponding to the 360 field extensions.
  • Each of the possible representation-transformation matrices may enable transformation from the standard AES representation into a different GF((2^4)^2) representation of GF(2^8), corresponding to a different extension of GF(2^4).
  • The representation-transformation matrix, M, may be pre-selected according to any desired criteria, e.g., the complexity of the hardware implementation corresponding to the selected M.
  • Input data including a vector x in a first representation may be converted into a second representation by applying the representation-transformation, e.g., the representation-transformation matrix M.
  • An operation x → x^-1, denoted T(x), in the second representation may be performed on the converted data, e.g., M·x.
  • A de-conversion of the manipulated data back to the first representation, F(x), may be obtained by applying an inverse of the representation-transformation, e.g., M^-1.
  • F(x) and T(M·x) may be provided by the following nonlinear equation:
  • Masked input data, x+R, in the first representation may be converted into converted data, Mx+MR, in the second representation.
  • The representation-transformation matrix, M, is a regular matrix because the conversion between the first representation and the second representation is an invertible transformation, as described above.
  • MR may have, in correspondence to R, any non-zero value of the finite field.
  • The converted data, Mx+MR, may include masked converted data wherein the mask includes an updated mask, e.g., MR.
  • The input mask R may have a non-zero value.
  • Any suitable non-zero random mask generator, e.g., as described below, may be implemented in order to obtain the non-zero random mask.
  • Manipulating the converted data may include inverting the converted data, e.g., as described below. Inverting the converted data may include using the updated mask, e.g., as described below.
  • Inverting the masked converted data may include multiplying the converted data, e.g., Mx+MR, by the updated mask, MR, to obtain first intermediate data, e.g., MxMR + (MR)^2. Inverting the masked converted data may also include adding a square, e.g., (MR)^2, of the updated mask to the first intermediate data to obtain second intermediate data, e.g., MxMR.
  • Inverting the converted data may further include inverting the second intermediate data, MxMR, to obtain third intermediate data, e.g., (MxMR)^-1.
  • Inverting the converted data may further include adding a unit data bit, i.e., 1, to the third intermediate data to obtain fourth intermediate data, e.g., (MxMR)^-1 + 1.
  • Inverting the converted data may further include multiplying the fourth intermediate data by the updated mask MR to obtain masked inverted data in the second representation, e.g., (Mx)^-1 + MR.
  • At least some of the operations, e.g., addition, multiplication and/or inversion, may be performed in the second representation.
  • The operations in the second representation may be implemented by any suitable circuitry and/or Look Up Tables (LUTs), e.g., as described below.
  • The de-conversion operator may include any suitable operator for de-converting data in the second representation back into corresponding data in the first representation.
  • Masked inverted data in the first representation, e.g., x^-1 + R, may be obtained by applying the de-conversion operator to the masked inverted data in the second representation, e.g., (Mx)^-1 + MR.
  • The de-conversion operator may include a combination of the matrix M^-1 and an affine transformation, e.g., a decrypt or an encrypt affine transformation, e.g., as described below.
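The conversion, masked-inversion and de-conversion steps just described (the same five operations listed earlier under the method) as an added, runnable example; this is not code from the patent or from Discretix. It assumes the AES representation of GF(2^8) (reduction polynomial t^8+t^4+t^3+t+1) as the first representation, GF(2^4) modulo t^4+t+1 with an extension polynomial t^2 + t + β as the second, and builds M from a pair of corresponding roots of p_0 rather than from the patent's Equation System 1; the subfield convention inv(0) = 0 stands in for the zero-detector and AND-gate path of FIG. 2.

```python
# Added example, not code from the patent: masked inversion of an AES byte carried out
# in the tower field GF((2^4)^2), following the conversion / inversion / de-conversion
# steps described above. Constructed choices: AES GF(2^8) mod t^8+t^4+t^3+t+1, subfield
# GF(2^4) mod t^4+t+1, extension polynomial t^2 + t + BETA, and M built from a pair of
# corresponding roots of p_0 (the patent's Equation System 1 is not reproduced here).

def gf2_mul(a, b, nbits, poly):
    """Shift-and-add multiplication over GF(2), reduced by `poly` (top bit implicit)."""
    r, top, mask = 0, 1 << (nbits - 1), (1 << nbits) - 1
    for _ in range(nbits):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a & top
        a = (a << 1) & mask
        if carry:
            a ^= poly
    return r

def gf256_mul(a, b):  # first representation (AES): t^8 = t^4 + t^3 + t + 1
    return gf2_mul(a, b, 8, 0x1B)

def gf16_mul(a, b):   # subfield of the second representation: t^4 = t + 1
    return gf2_mul(a, b, 4, 0x3)

# Subfield LUTs: 16 entries x 4 bits = 2^s * s bits for s = 4 (vs. 2^(2s+1) * s in GF(2^8)).
GF16_SQR = [gf16_mul(z, z) for z in range(16)]
GF16_INV = [0] + [next(w for w in range(1, 16) if gf16_mul(z, w) == 1) for z in range(1, 16)]

# Extension polynomial t^2 + ALPHA*t + BETA over GF(2^4). BETA is the first value for
# which the polynomial has no root in GF(2^4), i.e. it is irreducible and the tower is a field.
ALPHA = 1
BETA = next(b for b in range(16)
            if all(GF16_SQR[z] ^ gf16_mul(ALPHA, z) ^ b for z in range(16)))

# An element of GF((2^4)^2) is z1*t + z0 with z1, z0 in GF(2^4), packed as (z1 << 4) | z0.
def rep2_mul(a, b):
    a1, a0, b1, b0 = a >> 4, a & 0xF, b >> 4, b & 0xF
    hh = gf16_mul(a1, b1)                      # t^2 term, reduced by t^2 = ALPHA*t + BETA
    hi = gf16_mul(a1, b0) ^ gf16_mul(a0, b1) ^ gf16_mul(ALPHA, hh)
    lo = gf16_mul(a0, b0) ^ gf16_mul(BETA, hh)
    return (hi << 4) | lo

def rep2_sqr(a):                               # squaring only needs the subfield LUT
    s1, s0 = GF16_SQR[a >> 4], GF16_SQR[a & 0xF]
    return (gf16_mul(ALPHA, s1) << 4) | (gf16_mul(BETA, s1) ^ s0)

def rep2_inv(a):
    """Inverse via the norm to GF(2^4); GF16_INV[0] == 0 gives inv(0) = 0 as AES needs."""
    a1, a0 = a >> 4, a & 0xF
    norm = GF16_SQR[a0] ^ gf16_mul(ALPHA, gf16_mul(a0, a1)) ^ gf16_mul(BETA, GF16_SQR[a1])
    d = GF16_INV[norm]
    return (gf16_mul(a1, d) << 4) | gf16_mul(a0 ^ gf16_mul(ALPHA, a1), d)

# Representation-transformation M: send the root t (0x02) of p_0 in the AES representation
# to a root R2 of p_0 in GF((2^4)^2); column k of M is then R2^k.
def p0_eval(z):
    z2, z4 = rep2_sqr(z), rep2_sqr(rep2_sqr(z))
    return rep2_sqr(z4) ^ z4 ^ rep2_mul(z2, z) ^ z ^ 0x01

R2 = next(z for z in range(1, 256) if p0_eval(z) == 0)

def apply_M(x):
    """M times x over GF(2): XOR the columns R2^k selected by the set bits of x."""
    v, col = 0, 0x01
    for k in range(8):
        if (x >> k) & 1:
            v ^= col
        col = rep2_mul(col, R2)
    return v

M_FWD = [apply_M(x) for x in range(256)]        # conversion, as a LUT
M_INV = {v: x for x, v in enumerate(M_FWD)}     # de-conversion (M is regular, so a bijection)

def masked_inverse(masked_x, R):
    """From x+R and R (first representation) compute x^-1 + R without ever forming x."""
    if R == 0:
        raise ValueError("the input mask must be non-zero")
    c = M_FWD[masked_x]          # Mx + MR   (converted data, masked by the updated mask)
    r = M_FWD[R]                 # MR        (updated mask)
    p1 = rep2_mul(c, r)          # MxMR + (MR)^2
    p2 = p1 ^ rep2_sqr(r)        # MxMR
    p3 = rep2_inv(p2)            # (MxMR)^-1
    p4 = p3 ^ 0x01               # (MxMR)^-1 + 1
    out2 = rep2_mul(p4, r)       # (Mx)^-1 + MR
    return M_INV[out2]           # x^-1 + R

def aes_affine_linear(a):
    """Linear part A of the AES ByteSub affine transformation (constant b is 0x63)."""
    return sum((sum((a >> ((i + j) % 8)) & 1 for j in (0, 4, 5, 6, 7)) & 1) << i
               for i in range(8))

def masked_sbox(masked_x, R):
    """Masked ByteSub: returns (S(x) + A*R, A*R); the output stays masked, by A applied to R."""
    return aes_affine_linear(masked_inverse(masked_x, R)) ^ 0x63, aes_affine_linear(R)
```

The S-box wrapper shows why the de-converted output is masked by a linear image of R rather than by R itself: the caller must unmask with A·R, and a zero mask is rejected because MR = 0 would collapse every intermediate value.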
  • FIG. 2 schematically illustrates a circuit implementation of a device 200 for manipulating masked data, in accordance with some exemplary embodiments of the invention.
  • device 200 may include a conversion block 202 to convert masked input data in a first representation into corresponding masked data in a second representation.
  • Block 202 may also be adapted to convert the mask R into an updated mask in the second representation.
  • Device 200 may also include a manipulation block, e.g., inversion block 204, to manipulate, e.g., invert, the converted data in the second representation, and a de-conversion block 206 to de-convert the manipulated data into de-converted data in the first representation.
  • block 202 may include an input conversion module 208 to convert the masked input data, x+R, in the first representation into corresponding converted data in the second representation.
  • Block 202 may also include a mask conversion module 210 to convert input mask R into the updated mask.
  • the conversion of the mask performed by module 210 may be related to the conversion performed by module 208, e.g., as described below.
  • Module 208 and/or module 210 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to convert data in a first representation into corresponding data in a second representation, e.g., as described below.
  • modules 208 and 210 may be implemented in one combined-conversion module, e.g., to convert the masked input data and the input mask sequentially.
  • block 204 may include a first multiplier 212 associated with an output 226 of module 210 and with an output 228 of module 208.
  • Block 204 may also include a squaring module 214 associated with output 226, and a first adder 216 associated with an output 230 of module 214 and with an output 232 of multiplier 212.
  • Block 204 may further include an inversion module 218 associated with an output 234 of adder 216, and a second adder 220 associated with an output 236 of module 218 and having an input 240 to receive a signal having the unit value, i.e., the value 1.
  • Block 204 may further include a second multiplier 222 associated with output 228 and with an output 242 of adder 220.
  • Multiplier 212 and/or multiplier 222 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to multiply two elements of the first representation using the second representation, e.g., as described below.
  • Unit 214 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to provide a square of an element of the first representation using the second representation, e.g., as described below.
  • Inversion module 218 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to invert data of the first representation using the second representation, e.g., as described below.
  • Adders 216 and 220 may include any software and/or hardware to implement an addition of two elements.
  • adder 216 and/or adder 220 may include a XOR gate, as is known in the art.
  • block 206 may include a de-conversion module 224 associated with an output 243 of block 204.
  • Module 224 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to de-convert data in the second representation into corresponding de-converted data in the first representation, e.g., as described below.
  • Modules 208, 210 and/or 224 may include a multiplier, e.g., as described below, to implement a multiplication by M, M and M^-1, respectively.
  • Output 228 may have a value corresponding to Mx+MR.
  • Output 226 may have a value corresponding to MR.
  • Output 243 may have a value corresponding to (Mx)^-1 + MR.
  • An output 244 of block 206 may have a value corresponding to x^-1 + R.
  • The outputs of blocks 202 and 204 may be masked by the updated mask MR.
  • The output of block 206 may be masked by the input mask R.
  • The outputs of blocks 202, 204, 206 may be masked by either the input mask or the updated mask.
  • Device 200 may include at least two XOR gates 216 and 220, two multiplication circuits 212 and 222 in the second representation, one squaring circuit or LUT 214 in the second representation, and three multiplication circuits 208, 210 and 224 for multiplying an n×n bit matrix, e.g., M, by a vector, e.g., as described below.
  • a hardware implementation of a device for manipulating masked data may be less complex, and thus more compact, in comparison with conventional masked-inversion devices.
  • When the first representation includes a GF(2^(2s)) representation and the second representation includes a GF((2^s)^2) representation, a squaring LUT in the second representation may include 2^s · s bits.
  • The bit size of the squaring LUT may be much smaller compared to the bit-size, e.g., 2^(2s+1) · s, of a squaring LUT in the first representation.
  • conventional masked-inversion devices may require implementing multiplication circuits to perform multiplications in the first representation. These circuits may be more complex in comparison with the multipliers implemented by embodiments of the invention.
  • The method and/or device described above may be implemented for encryption and/or decryption of masked input data, x+R, for example, by performing masked AES S-box encryption/decryption operations, as described below.
  • In some embodiments s equals four. These embodiments are useful for converting data in a GF(2^8) representation into a GF((2^4)^2) representation.
  • An encryption block to perform encryption, and/or a decryption block to perform decryption, may be implemented in embedded electrical circuitry, e.g., of the type that may be used in a smartcard.
  • The conversion operator that may be used for converting the data to and from the AES GF(2^8) representation to and from the GF((2^4)^2) representation may be pre-programmed, e.g., into a smart card. Other configurations may be used additionally or alternatively.
  • the conversion circuitry or software may include circuitry implementing the representation-transformation matrix M.
  • the circuitry or software implementing the representation-transformation matrix M may be combined with the circuitry or software implementing a linear transformation, e.g., A.
  • the conversion circuitry or software may include four multiplication modules, e.g., as described below, for multiplication by AM^{-1}, MA^{-1}, M, and M^{-1}, respectively.
  • the conversion circuitry may consist of a combination of applying an affine transformation, e.g., multiplication by A and/or addition of b, and the predetermined representation-transformation, e.g., multiplication by M.
  • the use of such operation modules may enhance the efficiency of the conversion circuitry.
  • a hardware implementation of matrix multiplication may include any hardware implementation of matrix multiplication, as is known in the art.
  • values of v may be computed using Equation 7. This may be achieved by determining which of the elements of the row are nonzero and performing an XOR operation of the corresponding values of x_j.
  • operations, e.g., inversion, addition, and/or multiplication operations, equivalent to AES operations may be defined in the second representation, e.g., a GF((2^4)^2) representation, as described below.
  • An element x of GF(2^8) may be defined by an eight-digit binary number and an element z of GF(2^4) may be defined by a four-digit binary number.
  • GF(2^4) may have a polynomial representation defined by a reduction polynomial over GF(2), e.g., z may be represented by the polynomial $z_0 + z_1 t + z_2 t^2 + z_3 t^3$.
  • Multiplication of elements in the GF may be defined by multiplying the polynomials representing the elements and reducing the result modulo the reduction polynomial.
  • a bit octet of GF(2^8) may be analogous to a linear polynomial $z_h t + z_l$, wherein $z_h$ and $z_l$ are elements of GF(2^4).
  • the second representation may include elements $z_h$ and $z_l$ of GF(2^4).
  • multiplication and addition operations in the second representation may be defined in terms of operations on GF(2^4).
  • Provided below is one possible definition of multiplication and addition in the second representation in terms of operations over GF(2^4). It will be appreciated that other definitions may also be used as part of some embodiments of the present invention.
  • Addition and subtraction of two elements of the first representation, e.g., a, d ∈ GF(2^8), in the second representation may be defined as a bitwise XOR of the two elements, as is known in the art.
  • the product of the two elements a and d in the AES representation, i.e., GF(2^8), may be defined as a polynomial product, and may be calculated using a series of addition and multiplication operations over GF(2^4), e.g., according to Equation Set 9.
  • the minus sign and the plus sign are interchangeable.
  • the minus sign of the first equation of Equation Set 9 may be replaced with a plus sign, e.g., as described below.
  • FIG. 3 A schematically illustrates a circuit implementation of a multiplier 302, in accordance with some exemplary embodiments of the invention.
  • Multiplier 302 may include multiplication units 304, 306 and 316 for multiplying two GF(2^4) elements, and an α-multiplication unit 308 for multiplying two GF(2^4) elements and for multiplying the product of the two elements by α.
  • Units 304, 306, 308 and 316 may include any suitable LUTs and/or circuitry for performing a multiplication of two GF(2^4) elements, e.g., as described below.
  • Multiplier 302 may also include XOR gates 310, 312 and 314, as are known in the art.
  • In place of Equation Set 9, the following Equation Set may be used, e.g., if the minus sign of the first equation of Equation Set 9 is replaced by a plus sign, as described above:
  • FIG. 3B schematically illustrates a circuit implementation of a squaring unit 320, in accordance with some exemplary embodiments of the invention.
  • Squaring unit 320 may include square LUTs 322 and 324, each including values corresponding to the square of a GF(2^4) element, and an α-square LUT 326 including values corresponding to the multiplication by α of the square of a GF(2^4) element.
  • LUTs 322, 324 and 326 may include any suitable LUTs, e.g., as described below.
  • Squaring unit 320 may also include XOR gate 328 as is known in the art.
  • $0 \cdot t + 1 = (c_h a_h \alpha + c_h a_l + c_l a_h)\, t + c_l a_l + c_h a_h \alpha$
  • Equation Set 11 may be translated into the following system of linear equations over GF(2):
  • $c_l = (a_l + a_h \alpha)\,(a_h^2 \alpha + a_l^2 + a_l a_h \alpha)^{-1}$
  • the values of $c_h$ and $c_l$ may be calculated, as described above.
  • the inverse of element x in the AES representation may be calculated using a series of addition, multiplication, squaring and inversion operations over GF(2^4), e.g., in accordance with Equation Set 12.
  • FIG. 3C schematically illustrates a circuit implementation of an inversion module 330, in accordance with some exemplary embodiments of the invention.
  • Inversion module 330 may include multiplication units 334, 342 and
  • Module 330 may also include a square LUT 331 including values corresponding to the square of a GF(2^4) element, and an α-square LUT 332 including values corresponding to the multiplication by α of the square of a GF(2^4) element, e.g., as described below.
  • Module 330 may further include an inverse LUT 344 including values corresponding to the inverse of a GF(2^4) element, e.g., as described below.
  • Module 330 may also include XOR gates 340 and 338, as are known in the art.
  • GF(2^4) may be performed more efficiently by defining GF(2^4) multipliers and selecting the appropriate multiplier in each case, as explained below.
  • the solutions of the multiplication of two elements may be as follows:
  • An appropriate GF(2^4) multiplier may be constructed for a given representation-transformation matrix. Since each representation-transformation matrix may be defined by one of the three irreducible reduction polynomials for GF(2^4) in combination with an extension polynomial, as described above, the GF(2^4) multipliers may be predetermined. It will be appreciated by persons skilled in the art that other suitable implementations of GF(2^4) multipliers may be used additionally or alternatively in accordance with exemplary embodiments of the invention.
  • Inversion, denoted INV, and squaring, denoted SQR, in GF(2^4) may be implemented by two respective, relatively small Look-Up Tables (LUTs), for example, having a size of 8 bytes each, i.e., 16 nibbles.
  • coefficient α may be predetermined.
  • the value αg^2 for an element g ∈ GF(2^4) may also be stored in an 8-byte LUT, which may be denoted αSQR, thereby eliminating one multiplication from the set of computations required for computing Equation Set 12.
  • SQR, INV and/or αSQR in GF(2^4) may be implemented by any suitable circuit, as is known in the art.
  • $[a_3, a_2, a_1, a_0] \mapsto [a_2,\; a_1 + a_2,\; a_2 + a_3,\; a_0 + a_2]$
  • circuitry implementation of embodiments of the invention may be more compact than the corresponding LUT implementation.
  • a LUT may provide more efficient processing of the data.
  • FIG. 4 schematically illustrates a circuit implementation of an AES compatible device 400 for encrypting/decrypting masked data, in accordance with some exemplary embodiments of the present invention.
  • device 400 may include an input conversion block 412, a manipulation block, e.g., an inversion block 414, and an output de-conversion block 416.
  • Device 400 may have an encryption mode of operation and/or a decryption mode of operation, e.g., as described below.
  • block 412 may include an input conversion module 418 to receive a masked input data signal 438, e.g., corresponding to a 32-bit column vector of x+R, in AES representation, e.g., in a GF(2^8) representation, and to convert this data into data in a GF((2^4)^2) representation.
  • conversion module 418 may also apply the decrypt affine transformation to x+R, e.g., according to Equation 6 above.
  • Block 412 may also include a mask conversion module 420 to convert input mask R into an updated mask. In order to obtain an updated mask corresponding to the converted masked data, the conversion of the mask performed by module 420 may include a linear transformation corresponding to the linear transformation performed by module 418.
  • conversion module 420 may multiply R by M, i.e., to obtain MR.
  • conversion module 420 may multiply R by MA^{-1}, i.e., to obtain MA^{-1}R.
  • Module 418 and/or module 420 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to convert data in a first representation into corresponding data in a second representation and/or to perform an affine transformation, e.g., as described below.
  • FIG. 5 A schematically illustrates a circuit implementation of an input conversion module 500, in accordance with some exemplary embodiments of the invention.
  • module 500 may include a multiplier 506 to implement a multiplication of the x+R by M.
  • Module 500 may also include an XOR gate 508 to implement an XOR operation of x+R and b, and a multiplier 510 to implement a multiplication of an output 518 of XOR gate 508 by MA^{-1}.
  • Multipliers 506 and/or 510 may include any suitable multiplier for multiplying an n×n matrix by a vector, e.g., as described above.
  • Module 500 may also include a multiplexer 512, as is known in the art, to select between the encryption and decryption modes of operation, e.g., by selecting between an output signal 514 of multiplier 506 and an output signal 516 of multiplier 510.
  • FIG. 5B schematically illustrates a circuit implementation of a mask conversion module 530, in accordance with some exemplary embodiments of the invention.
  • module 530 may include a multiplier 532 to implement a multiplication of R by M.
  • Module 530 may also include a multiplier 534 to implement a multiplication of R by MA^{-1}.
  • Multipliers 532 and/or 534 may include any suitable multiplier for multiplying an n×n matrix by a vector, e.g., as described above.
  • Module 530 may also include a multiplexer 536, as is known in the art, to select between the encryption and decryption modes of operation, e.g., by selecting between an output signal 533 of multiplier 532 and an output signal 535 of multiplier 534.
  • Inversion block 414 may include any circuitry and/or LUTs and/or any suitable hardware and or software to invert the converted data in the second representation.
  • block 414 may include a first multiplier 470 to receive signal 440 and signal 442, and to provide a signal 471, e.g., corresponding to the value $(x_t + R_t) R_t$.
  • Block 414 may also include a squaring unit 472 to receive signal 442 and to provide a signal 473, e.g., corresponding to the value $R_t^2$, and a first adder 474 to receive signal 471 and signal 473 and to provide a signal 475, e.g., corresponding to the value of $x_t R_t$.
  • Block 414 may further include a Zero Detection (ZD) module 480 to receive signal 475 and to provide a signal, e.g., having a zero value if $x_t R_t \neq 0$, and a non-zero value, e.g., 1, if $x_t R_t = 0$.
  • Block 414 may also include an AND gate 482, e.g., as is known in the art, to receive signal 442 and signal 481 and to provide a signal 483.
  • Block 414 may further include an inversion module 478 to receive signal 485 and to provide a signal 487, e.g., corresponding to the value of $(x_t R_t)^{-1}$ if $x_t R_t \neq 0$ and to the value of $R_t^{-1}$ if $x_t R_t = 0$.
  • Multiplier 470 and/or multiplier 486 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to multiply two elements of the first representation using the second representation, e.g., as described above.
  • Unit 472 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to provide a square of an element of the first representation using the second representation, e.g., as described above.
  • Inversion module 478 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to invert data of the first representation using the second representation, e.g., as described above.
  • Adder 474, adder 476, adder 479, and/or adder 484 may include any software and/or hardware to implement an addition of two elements.
  • adder 474, adder 476, adder 479, and/or adder 484 may include an XOR gate, as is known in the art.
  • Module 480 may include, for example, any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to implement a logical NOT followed by a logical AND of signal 481.
  • the input to inversion module 478, i.e., signal 485
  • inversion block 414 may be implemented to inhibit a DPA attack, e.g., using a zero input, on the AES device.
  • block 414 may include any other suitable configuration, e.g., a configuration analogous to the configuration of inversion block 204, as described above with reference to Fig. 2.
  • signal 444 may have, for example, a value corresponding to $(Mx)^{-1} + MR$ in the encryption mode of operation, and a value corresponding to $(MA^{-1}(x+b))^{-1} + MA^{-1}R$ in the decryption mode of operation, as described above.
  • block 416 may include an output de-conversion module 424 to receive the output of block 414, e.g., signal 444, in the second representation, e.g., in a GF((2^4)^2) representation, and to de-convert this data into de-converted data in the first, e.g., GF(2^8), representation.
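The GF((2^4)^2) arithmetic of FIGs. 3A to 3C and the zero-detecting masked inversion of block 414, as an added Python model that is not the patent's code. It assumes the GF(2^4) reduction polynomial x^4 + x + 1, the extension polynomial t^2 + αt + α with α = x, and, for the steps the excerpt does not describe (multiplier 486, adders 479 and 484), that the inverse is multiplied back by R_t and re-masked additively; the representation-transformation matrix M is not modelled.

```python
"""Masked inversion in GF((2^4)^2), modelled on the inversion block described above.

Constructed example, not the patent's own values: GF(2^4) uses the reduction
polynomial x^4 + x + 1, the extension field uses t^2 + ALPHA*t + ALPHA with
ALPHA = x, and the final re-masking steps are assumed.  A GF((2^4)^2) element
is one byte: high nibble = coefficient of t, low nibble = constant term.
"""

ALPHA = 0x2  # assumed alpha: the element x of GF(2^4)


def gf16_mul(a: int, b: int) -> int:
    """Multiply two GF(2^4) elements modulo x^4 + x + 1 (shift-and-add)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13  # reduce: x^4 = x + 1
    return r & 0xF


# The three 16-nibble look-up tables the text names: SQR, alphaSQR and INV.
SQR = [gf16_mul(g, g) for g in range(16)]
ALPHA_SQR = [gf16_mul(ALPHA, SQR[g]) for g in range(16)]
INV = [next(h for h in range(16) if gf16_mul(g, h) == 1) if g else 0
       for g in range(16)]


def split(a: int):
    """Byte -> (high nibble a_h, low nibble a_l)."""
    return a >> 4, a & 0xF


def join(hi: int, lo: int) -> int:
    return ((hi & 0xF) << 4) | (lo & 0xF)


def cf_mul(a: int, b: int) -> int:
    """(a_h t + a_l)(b_h t + b_l) reduced with t^2 = ALPHA*t + ALPHA.

    Four GF(2^4) products and three XORs, as in the multiplier of FIG. 3A."""
    ah, al = split(a)
    bh, bl = split(b)
    hh = gf16_mul(ah, bh)
    alpha_hh = gf16_mul(ALPHA, hh)
    hi = alpha_hh ^ gf16_mul(ah, bl) ^ gf16_mul(al, bh)
    lo = gf16_mul(al, bl) ^ alpha_hh
    return join(hi, lo)


def cf_sqr(a: int) -> int:
    """Squaring unit of FIG. 3B: two SQR look-ups, one alphaSQR look-up, one XOR."""
    ah, al = split(a)
    return join(ALPHA_SQR[ah], SQR[al] ^ ALPHA_SQR[ah])


def cf_inv(a: int) -> int:
    """Inversion module of FIG. 3C: one GF(2^4) inversion (of delta) plus a few
    GF(2^4) products; inv(0) is defined as 0, matching the AES S-box."""
    ah, al = split(a)
    delta = ALPHA_SQR[ah] ^ gf16_mul(ALPHA, gf16_mul(ah, al)) ^ SQR[al]
    d_inv = INV[delta]  # a zero input gives delta == 0 and hence output 0
    return join(gf16_mul(ah, d_inv), gf16_mul(al ^ gf16_mul(ALPHA, ah), d_inv))


def masked_inverse(masked_x: int, r: int) -> int:
    """Return x^-1 + R given x + R and a non-zero mask R (signal names as in block 414)."""
    if r == 0:
        raise ValueError("mask R must be non-zero")
    s471 = cf_mul(masked_x, r)        # (x+R)*R
    s473 = cf_sqr(r)                  # R^2
    s475 = s471 ^ s473                # x*R: the R^2 term cancels
    z = 1 if s475 == 0 else 0         # zero-detection flag (signal 481)
    s483 = r if z else 0              # AND gate 482: pass R only when x*R == 0
    s485 = s475 ^ s483                # x*R, or R when x == 0
    s487 = cf_inv(s485)               # (x*R)^-1, or R^-1 when x == 0
    # Assumed completion (not in the excerpt): multiply by R to strip the
    # multiplicative mask, add R back as the additive mask, and let the flag z
    # cancel the stray 1 that R^-1 * R produces when x == 0.
    return cf_mul(s487, r) ^ r ^ z


def is_irreducible(alpha: int) -> bool:
    """t^2 + alpha*t + alpha has no root in GF(2^4); required for cf_inv to be valid."""
    return all((SQR[z] ^ gf16_mul(alpha, z) ^ alpha) != 0 for z in range(16))


def exhaustive_check() -> bool:
    """Every masked input and every non-zero mask unmask to the plain inverse."""
    return all(masked_inverse(x ^ r, r) ^ r == cf_inv(x)
               for x in range(256) for r in range(1, 256))


if __name__ == "__main__":
    print(hex(cf_inv(0x10)), hex(masked_inverse(0x10 ^ 0x02, 0x02)), exhaustive_check())
```

exhaustive_check() covers the x = 0 case that the ZD path exists for, without the zero value ever reaching the inversion module unmasked.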
  • conversion module 424 may also apply the encrypt affine transformation, e.g., according to Equation 7 above.
  • R ' may be used as a mask, since R' may correspond to a regular linear transformation of the mask R.
  • Block 416 may also include a mask de-conversion module 422 to de-convert the updated mask.
  • the de-conversion performed by module 422 may include a linear transformation corresponding to the linear transformation performed by module 420.
  • de-conversion module 422 may multiply MA^{-1}R by M^{-1}, i.e., to obtain A^{-1}R.
  • de-conversion module 422 may multiply MR by AM^{-1}, i.e., to obtain AR.
  • an output mask signal 432 may include a value corresponding to R'.
  • Module 422 and/or module 424 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to convert data in a first representation into corresponding data in a second representation and/or to perform an affine transformation, e.g., as described below.
  • FIG. 6 A schematically illustrates a circuit implementation of an output de-conversion module 600, in accordance with some exemplary embodiments of the invention.
  • module 600 may include a multiplier 602 to implement a multiplication of the manipulated data, e.g., signal 444, by M^{-1}.
  • Module 600 may also include a multiplier 604 to implement a multiplication of the manipulated data by AM^{-1}, and an XOR gate 606 to implement an XOR operation of an output of multiplier 604 and b.
  • Multipliers 602 and/or 604 may include any suitable multiplier for multiplying an n×n matrix by a vector, e.g., as described above.
  • Module 600 may also include a multiplexer 608, as is known in the art, to select between the decryption and encryption modes of operation, e.g., by selecting between an output signal 614 of multiplier 602 and an output signal 616 of XOR gate 606.
  • FIG. 6B schematically illustrates a circuit implementation of a mask de-conversion module 630, in accordance with some exemplary embodiments of the invention.
  • module 630 may include a multiplier 632 to implement a multiplication of the updated mask, e.g., signal 442, by AM^{-1}.
  • Module 630 may also include a multiplier 634 to implement a multiplication of the updated mask by M^{-1}.
  • Multipliers 632 and/or 634 may include any suitable multiplier for multiplying an n×n matrix by a vector, e.g., as described above.
  • Module 630 may also include a multiplexer 636, as is known in the art, to select between the decryption and encryption modes of operation, e.g., by selecting between an output signal 633 of multiplier 632 and an output signal 635 of multiplier 634.
  • device 400 may also include a mix-column module 455 to provide a signal 456 corresponding to a mix-column operation on signal 434.
  • the mix-column operation may include multiplying signal 434, e.g., including the 32-bit column vector x'+R ', with a Rijndael mix-column matrix, as is known in the art.
  • the mix-column operation may be calculated as follows:
  • pre-set equal values may ensure that the product of the vector $(R'_1, R'_2, R'_3, R'_4)$ with the Rijndael column-mix matrix is always non-zero.
  • Other pre-set values may also be used to ensure a non-zero result of the Rijndael column-mix multiplication in accordance with embodiments of the invention.
  • the AES round may also include performing a shift-row operation, as is known in the art.
  • the shift-row operation may include shifting between elements of each row of a 4x4 data matrix representing 4 columns of masked data, as is known in the art.
  • all sixteen elements of R may have pre-set equal values, i.e., in order to ensure the mask of the subsequent round is not distorted. Other pre-set values may also be used to ensure a non-zero result of the Rijndael row-mix multiplication in accordance with embodiments of the invention. It will be appreciated by those skilled in the art that pre-setting all sixteen elements of the mask R as described above may have a relatively negligible effect on the brute force required for a DPA attack.
  • the value of signal 432 may not be updated in correspondence to the mix-column operation performed on signal 434.
  • module 400 may further include a mask-removing module 460 for unmasking the masked de-converted data, e.g., after a final AES round.
  • module 460 may include a XOR gate 462 to provide an output signal 464 corresponding to a sum of a first input corresponding to signal 456 and a second input. After the final AES round the second input of gate 462 may be associated with signal 432.
  • the value of the updated mask may be XORed with the masked de-converted data after the last round, such that the mask is removed from the manipulated data.
  • device 400 may further include a mask-input module 450 capable of using a new mask in a succeeding AES round, as described below.
  • Module 450 may include a first XOR gate 428 to provide a sum of a first input corresponding to the value, e.g., x"+R', of a signal 465 of a previous AES round, and a second input corresponding to a value, e.g., R, of a random mask signal 452.
  • an output signal 454 of XOR gate 428 may correspond to the value x"+R '+R.
  • Configuration 450 may also include a second XOR gate 426 to provide block 412 with signal 438 corresponding to a sum of signal 454 and signal 432.
  • signal 438 may have a value corresponding to x"+R.
  • each of the XOR gates of configuration 450 may include a mask, i.e., R and/or R '.
  • the representation-transformation matrix M implemented by device 400 may be predetermined based on desired optimization criteria, e.g., minimal circuit area for implementing device 400, as described below.
  • each one of the circuits may be synthesized using a DC Shell 2001.08-spl (DC Expert) available from Synopsys.
  • a target library TSMC 0.18 µm SAAG-X Artisan
  • the synthesis may be performed for various timings, e.g., time propagation delays, for example, ranging from 12 ns to 6 ns.
  • a random bit generator may be implemented to produce the non-zero mask, R, e.g., as described below. However, it will be appreciated by those skilled in the art that any other suitable device and/or method may be implemented to produce non-zero mask R.
  • the generator may generate log v + v − 1 bits.
  • the first log v bits may be used to define a first number, w, wherein 0 ≤ w < v.
  • the remaining v-1 bits may be used to define a second number, p.

Abstract

Embodiments of the invention relate to a method and a device for manipulating data, comprising converting masked data in a first representation of a Galois field into converted data in a second representation of the Galois field, and manipulating the converted data to obtain manipulated masked data.
EP04708426A 2003-02-06 2004-02-05 Dispositif et procede de manipulation de donnees masquees Withdrawn EP1595357A4 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US44524703P 2003-02-06 2003-02-06
US445247P 2003-02-06
PCT/IL2004/000116 WO2004070510A2 (fr) 2003-02-06 2004-02-05 Dispositif et procede de manipulation de donnees masquees

Publications (2)

Publication Number Publication Date
EP1595357A2 EP1595357A2 (fr) 2005-11-16
EP1595357A4 true EP1595357A4 (fr) 2006-03-01

Family

ID=32850978

Family Applications (1)

Application Number Title Priority Date Filing Date
EP04708426A Withdrawn EP1595357A4 (fr) 2003-02-06 2004-02-05 Dispositif et procede de manipulation de donnees masquees

Country Status (3)

Country Link
EP (1) EP1595357A4 (fr)
JP (1) JP2006517036A (fr)
WO (1) WO2004070510A2 (fr)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2871969B1 (fr) 2004-06-18 2006-12-01 Sagem Procede et dispositif d'execution d'un calcul cryptographique
DE102005024609A1 (de) * 2005-05-25 2006-11-30 Siemens Ag Bestimmung einer modularen Inversen
JP4968443B2 (ja) * 2006-01-31 2012-07-04 大日本印刷株式会社 暗号演算処理方法および暗号演算処理装置
US7995757B2 (en) * 2007-05-31 2011-08-09 Harris Corporation Closed galois field combination
DE102008033962B4 (de) 2008-07-21 2011-11-24 Siemens Aktiengesellschaft Verfahren und Prozessor-Einrichtung zum Implementieren einer Charakteristik-2-Multiplikation
JP5268609B2 (ja) * 2008-12-09 2013-08-21 株式会社東芝 暗号処理装置及び演算方法
US8504845B2 (en) 2011-03-30 2013-08-06 Apple Inc. Protecting states of a cryptographic process using group automorphisms
FR3111440B1 (fr) * 2020-06-16 2024-02-16 St Microelectronics Rousset Protection d'un algorithme de chiffrement

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
KR100296958B1 (ko) * 1998-05-06 2001-09-22 이석우 블록 데이터 암호화 장치
CA2327911A1 (fr) * 2000-12-08 2002-06-08 Cloakware Corporation Fonctions logicielles d'obscurcissement
DE60202495D1 (de) * 2001-03-27 2005-02-10 Amphion Semiconductor Ltd Vorrichtung zur wählbaren Ver- bzw. Entschlüsselung von Daten
US7508937B2 (en) * 2001-12-18 2009-03-24 Analog Devices, Inc. Programmable data encryption engine for advanced encryption standard algorithm

Non-Patent Citations (6)

Title
GUERON S, PARZANCHEVSKY O, ZUK O: "Masked Inversion in GF(2^N) Using Mixed Field Representations and its efficient Implementation for AES", EMBEDDED CRYPTOGRAPHIC HARDWARE: METHODOLOGIES AND ARCHITECTURES, N. NEDJAH AND L. M. MOURELLE, EDS. NOVA SCIENCE PUBLISHERS, November 2004 (2004-11-01), pages 1 - 17, XP002361189, ISBN: 1-5945-4012-8, Retrieved from the Internet <URL:http://www.weizmann.ac.il/home/fezuk/> [retrieved on 20051229] *
OSWALD E, MANGARD S, PRAMSTALLER N: "Secure and Efficient Masking of AES - A Mission Impossible? (version 1.0)", TECHNICAL REPORT. TECHNISCHE UNIVERSITÄT GRAZ. INSTITUTE FOR APPLIED INFORMATION PROCESSING AND COMMUNICATIONS, 4 June 2004 (2004-06-04), XP002315432 *
RUDRA A, DUBEY P K, JUTLA C S, KUMAR V, RAO J R, ROHATGI P: "EFFICIENT RIJNDAEL ENCRYPTION IMPLEMENTATION WITH COMPOSITE FIELD ARITHMETIC", CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS. 3RD INTERNATIONAL WORKSHOP, CHES 2001, PARIS, FRANCCE, MAY 14 - 16, 2001 PROCEEDINGS, LECTURE NOTES IN COMPUTER SCIENCE, BERLIN : SPRINGER, DE, vol. VOL. 2162, 14 May 2001 (2001-05-14), pages 171 - 184, XP001176598, ISBN: 3-540-42521-7 *
TRICHINA E, KORKISHKO T, LEE K H: "Small Size, Low Power, Side Channel-Immune AES Coprocessor: Design and Synthesis Results", ADVANCED ENCRYPTION STANDARD-AES. 4TH INTERNATIONAL CONFERENCE (LECTURE NOTES IN COMPUTER SCIENCE, SPRINGER VERLAG), vol. 3373, 12 May 2004 (2004-05-12), Bonn, Germany, pages 113 - 127, XP019011726, ISBN: 3-540-26557-0 *
TRICHINA: "Combinational Logic Design for AES SubByte Transformation on Masked Data", CRYPTOLOGY EPRINT ARCHIVE: REPORT 2003/236, 11 November 2003 (2003-11-11), pages 1 - 13, XP002361190, Retrieved from the Internet <URL:http://eprint.iacr.org/2003/236> [retrieved on 20051229] *
WOLKERSTORFER J, OSWALD E, LAMBERGER M: "An ASIC Implementation of the AES Sboxes", LECTURE NOTES IN COMPUTER SCIENCE, SPRINGER VERLAG, NEW YORK, NY, US, vol. 2271, 2002, pages 67 - 78, XP002315433, ISSN: 0302-9743 *

Also Published As

Publication number Publication date
WO2004070510A3 (fr) 2004-10-21
EP1595357A2 (fr) 2005-11-16
JP2006517036A (ja) 2006-07-13
WO2004070510A2 (fr) 2004-08-19

Similar Documents

Publication Publication Date Title
US10050778B2 (en) Method and apparatus for efficiently implementing the advanced encryption standard
KR100610367B1 (ko) 정보 누출 공격을 방지하기 위한 갈로아 필드 상의 곱셈방법 및 장치, 역변환 장치 그리고 aes 바이트 치환연산장치
US7532721B2 (en) Implementation of a switch-box using a subfield method
Sklavos et al. Architectures and VLSI implementations of the AES-proposal Rijndael
CN110166223B (zh) 一种国密分组密码算法sm4的快速实现方法
Karthigaikumar et al. Simulation of image encryption using AES algorithm
EP2293487A1 (fr) Procédé de diversification d&#39;une fonction de tour d&#39;un algorithme de chiffrement
JP2005215688A (ja) S−box演算を用いるハードウェア暗号化/復号化装置及び、その方法
Jaffe A first-order DPA attack against AES in counter mode with unknown initial counter
US20030002663A1 (en) Method and apparatus for data encryption
Singh et al. An efficient hardware design and implementation of advanced encryption standard (AES) algorithm
WO2004070510A2 (fr) Dispositif et procede de manipulation de donnees masquees
Naskar et al. A secure symmetric image encryption based on bit-wise operation
Kim et al. Efficient masking methods appropriate for the block ciphers ARIA and AES
Mellu et al. AES: Asymmetric key cryptographic System‖
Jyrwa et al. An area-throughput efficient FPGA implementation of the block cipher AES algorithm
EP1573956A1 (fr) Petite implementation materielle de la fonction sous-octet de rijndael
Venkatesha et al. AES based algorithm for image encryption and decryption
Abdul-Karim et al. High Throughput and Fully Pipelined FPGA Implementation of AES-192 Algorithm
Canright et al. A more compact AES
Beuchat et al. A low-area unified hardware architecture for the AES and the cryptographic hash function ECHO
EP1547301A1 (fr) Procede et dispositif de manipulation de donnees dans des champs de galois
RU2206961C2 (ru) Способ итеративного блочного шифрования двоичных данных
Jing et al. The diversity study of AES on FPGA application
US20040071287A1 (en) Encryption circuit arrangement and method therefor

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20050906

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/06 20060101ALI20051230BHEP

Ipc: H04L 9/00 20060101AFI20050909BHEP

A4 Supplementary search report drawn up and despatched

Effective date: 20060113

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20060404