EP2702720A1 - Method for applying a high entropy masking countermeasure in a block encryption algorithm, and a logic integrated circuit implementing such a method - Google Patents


Info

Publication number
EP2702720A1
Authority
EP
European Patent Office
Prior art keywords
substitution
masked
encryption
substitution tables
encryption algorithm
Legal status
Ceased
Application number
EP12721434.4A
Other languages
German (de)
French (fr)
Inventor
Céline THUILLET
Julien FRANCQ
Current Assignee
Airbus DS SAS
Original Assignee
Cassidian SAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L 9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/04 Masking or blinding
    • H04L 2209/043 Masking or blinding of tables, e.g. lookup, substitution or mapping

Definitions

  • the present invention relates to a method for applying a high entropy masking countermeasure in a block encryption algorithm. It also relates to a device for implementing such a method.
  • a countermeasure often proposed against side channel attacks is in particular a masking system.
  • Data masking consists in randomizing all the data by adding random values called masks to them. The masks are renewed at each encryption so that the observable characteristics become independent of the sensitive data : thus, it is more difficult for a fraudulent person to recover the key.
  • the plain text to be encrypted is cut into 128 bit blocks which then are put into a square matrix of 16 elements termed "State", each element of this State representing one byte.
  • the encryption key is also put into a matrix form.
  • the encryption process is iterative and comprises several runs or rounds. Each run is made of several linear and non-linear transformations which are applied to the State. The non-linear transformations generally imply substitution tables which otherwise are strongly sensitive to side channel attacks.
  • the decryption process is similar to the encryption, the transformations being replaced by their inverses.
  • the number of rounds depends on the size of the encryption key.
  • the prior art uses a single substitution table because this calculation is very expensive in terms of calculating time and use of random access memory (RAM).
  • the encryption algorithms implemented on l-bit cryptographic processors and protected against side channel attacks generally use a y-bit output mask for the SBox.
  • the global entropy is suboptimal to counteract the sophisticated side channel attacks in particular of the second order (this kind of attacks combines side channel measurements at different times so as to remove the masks).
  • Fig. 1 describes a masking process for the block encryption according to prior art.
  • an encryption key 1 which should be derived via a round key preparation module 2 (key Schedule) before being used by an encryption algorithm or an assembly of round subkeys 3 derived beforehand from the encryption key 1 can be seen.
  • These subkeys can be calculated on the fly or precalculated.
  • SBox 4 stored in memory is considered.
  • the centre of Fig. 1 includes a frame 5 illustrating a setting process wherein the masking is made from a random source 6.
  • This random source 6 is used to generate masks.
  • the access and use of random values strongly depend on the platform implementing the algorithm (tables of pre-generated random values, use of a random source, etc.).
  • the plain text 7 (input) and the subkeys 3 should be masked at the start of the block encryption calculation : the selection module 8 enables s values to be obtained from the random source 6, these s values being used for encrypting the plain text 7 and the subkeys 3. Therefore, a masked input and masked subkeys are obtained.
  • SBox 4 is also masked.
  • a masking module Sbox 9 is used for generating a single masked Sbox substitution table 10 from Sbox 4 and x and y values from the random source via the selection module 8.
  • An encryption algorithm 11 will be supplied with the masked input, masked subkeys and masked Sbox 10. Most block encryption algorithms use at least one non-linear operation to produce a confusion effect and linear operations to produce a diffusion effect.
  • the SBox layer 12 symbolizes the non-linear operation by use of the single masked Sbox 10. Operations A - Z symbolize the linear operations.
  • the key insertion layer enables masked subkeys to be inserted one by one by combination with the masked plain text. This round of operation series is executed r times, as many times as there are subkeys. Locally, a re-masking process 14 can be necessary.
  • the encrypted text 16 is unmasked thanks to the layer 15.
  • An SBox table can be implemented as a "Lookup Table" which means that for each possible input e, the output is stored in a memory at the corresponding index in a table S.
  • the input and subkeys are masked .
  • the AES algorithm typically includes four transformations: AddRoundKey, SubBytes, ShiftRows and MixColumns.
  • AddRoundKey is the insertion procedure of the subkey at each run : the subkey and the State matrix undergo an XOR (exclusive-OR) operation. This is a modulo-2 addition of each byte of the State matrix with its homologue in the matrix of the subkey.
  • the State matrix obtained after an AddRoundKey operation is a matrix the bytes of which are masked.
  • SubBytes is the only non-linear operation of AES. It is to replace each byte of the State matrix by the corresponding byte in the SBox which is a two-dimensional array consisting of 256 bytes. Each byte of the State matrix is represented as two hexadecimal digits, the first digit being used to address the rows of the array, and the second digit being used to address the columns of the array. The replacement byte is that of the SBox located at the addressed row and column.
  • ShiftRows is a function which offsets the rows of the State matrix. This is a simple permutation not modifying the masks.
  • MixColumns is a function which mixes the bytes of the State matrix.
  • the output mask is different from the input mask (property of the operation). However, it can be predicted (precalculated) because it is a linear operation.
  • Fig. 2 illustrates the masking process undergone by the State matrix for an AES algorithm according to prior art.
  • Six independent 8-bit masks are used: $m$ and $m'$ are the input mask and the output mask respectively of the SubBytes operation.
  • the 4 other 8-bit masks $m_1, m_2, m_3, m_4$ are input masks for the MixColumns function.
  • the SubBytes function changes the mask $m$ into $m'$ at each byte of the State matrix.
  • the ShiftRows function does not change the masking.
  • a remasking step is performed: on column $j$, the mask is changed from $m'$ to $m_j$ with $j \in \{1,2,3,4\}$.
  • the MixColumns function changes the masks $(m_1, m_2, m_3, m_4)$ into $(m'_1, m'_2, m'_3, m'_4)$, which are the mask values at the beginning of the run.
  • the same process can be repeated r times.
  • the masks can be removed.
  • the masked AES algorithm generally results in a high calculation time, mainly because of the SBox masking.
  • An object of the present invention is therefore to overcome the drawbacks of prior art by providing a new method equivalent in calculation time.
  • Another object of the present invention is to increase the protection on the linear and non-linear functions as well as all the sensitive data. Another object of the invention is also to provide high entropy.
  • this method includes, for each encryption of a block: a precalculation step, during which several independent and masked substitution tables are generated in parallel, and a non-linear substitution step, during which the elements of the State matrix are substituted by elements from said independent and masked substitution tables.
  • a countermeasure process is expensive in terms of memory and execution time.
  • a good protection is obtained because a good trade-off between security gain and performance degradation is made. This protection is ensured by high entropy. Indeed, using several independent and masked substitution tables strongly improves the security against side channel attacks. A good performance is preserved because the substitution tables are processed in parallel.
  • the AES algorithm can be advantageously used as a block encryption algorithm.
  • all the substitution tables are managed in parallel by byte packets, the size of each processed packet being the same as the width of the microprocessor implementing the encryption algorithm.
  • the substitution tables can be managed in parallel by means of a microprocessor the size of which is 32 bits, 64 bits or 128 bits, these numbers thus corresponding to the number of bits on which an operation is performed by the microprocessor.
  • the masking process according to the invention proposes to use l-bit masks instead of y-bit masks, l being the word size of the microprocessor and y the size of the output data of a substitution table.
  • This characteristic increases the entropy provided by the masks, and consequently the security of any implementation against the side channel attacks of the second order.
  • the process for masking the substitution tables is timed by several parallel counters, one counter per substitution table, each counter being represented by hexadecimal digits of a word whose width is the same as the width of the microprocessor implementing the encryption algorithm.
  • all the counters are stored in the same 32-bit word, written in hexadecimal form.
  • Each counter uses two hexadecimal digits ranging from 00 to FF.
  • Each counter remains independent because counting from 0 to 255 is possible without a pair of hexadecimal digits altering a neighbouring pair. Indeed, there is no ripple carry between different bytes as long as each byte stays between 0 and 255.
  • the substitution tables can be generated from a single initial table to which different independent masks from random values are applied. This is an initial table stored in memory.
  • An iterative block encryption algorithm is advantageously used, wherein the random numbers from which the masking of substitution tables is made are renewed. This renewal is made at each run of the encryption process.
  • the substitution tables are made in parallel using a parallel access instruction of the microprocessor implementing the encryption algorithm.
  • This instruction can be called PSTL ("Parallel Substitution Table Lookup") and thus enables the increase in the calculation time to be restricted; which increase is due to the use of several substitution tables and the application of masks.
  • PSTL Parallel Substitution Table Lookup
  • the number of substitution tables used depends in particular on the size of the PSTL instruction.
  • SBOX substitution tables can be ideally set in parallel. At the beginning of a masking phase, the substitution tables should be recalculated as a function of the value of the masks. The PSTL instruction avoids that this phase impacts the calculation time.
  • a non-transitory logic integrated circuit encoded with instructions which, when executed, implement a block encryption algorithm based encryption method comprising a masking countermeasure and a non-linear substitution of the elements of a State matrix.
  • the instructions comprise, for each encryption of a block: a precalculation step generating several independent and masked substitution tables in parallel, and a non-linear substitution step in which the elements of the State matrix are substituted by elements from those tables.
  • This logic integrated circuit can consist of a programmable logic circuit or an ASIC type specific integrated circuit.
  • this logic integrated circuit comprises at least one microprocessor and memory components configured to implement the instructions according to the invention.
  • Fig. 1 is a schematic view illustrating an encryption process according to the AES algorithm according to prior art
  • Fig. 2 is a schematic view illustrating a succession of masks according to prior art
  • Fig. 3 is a schematic view illustrating the method according to the invention applied to an AES algorithm.
  • Fig. 4 is a schematic view illustrating a succession of masks according to the invention.
  • the operational unit is advantageously the word of the microprocessor and not the base element of the algorithm (for the AES, that is the byte).
  • the entropy is increased since one masked substitution table is used per one word of the State matrix. Not one masked substitution table is used for the entire State matrix.
  • the masks are randomly and independently selected for each substitution table.
  • the single substitution table is 8x8 bits.
  • the State matrix is a 128-bit long matrix.
  • a preferred embodiment of the present invention recommends instead to use the word as an operational unit, that is for example 32 bits when the algorithm is implemented by a 32-bit microprocessor. This amounts to managing four substitution tables.
  • a parallel processing of the substitution tables is advantageously provided .
  • a specific instruction working on l bits is used, l being the size of the word of the microprocessor. This specific instruction, found in some microprocessors, can be called PSTL for "Parallel Substitution Table Lookup".
  • the number of substitution tables to be used is l/y (for example 32/8 = 4 tables on a 32-bit microprocessor with an 8-bit SBox output).
  • the output mask of the SubBytes function is adjusted with the size of the processor, thus the security against side channel attacks is raised .
  • the masks are greater, the entropy too.
  • the masking module 30 in Fig. 3 is configured to perform n maskings in parallel from an initial matrix 32 producing n masked "Sboxes".
  • an assembly of subkeys 3 is generated via the key preparation module 2 (Key Schedule). These subkeys can be calculated on the fly or pre-calculated .
  • the random source 33 is used to generate the masks.
  • the input 34 and the subkeys 35 should be masked at the beginning of the block encryption calculation : the selection module 36 enables s values to be obtained from the random source 33, these s values being used for encrypting the input 34 and the subkeys 35. Thus, a masked input and masked subkeys are obtained.
  • the encryption algorithm 37 will be supplied with the masked input, the masked subkeys and the masked Sboxes 31.
  • the SBox layer 38 symbolizes the non-linear operation by use of n masked Sboxes 31.
  • the operations A - Z symbolize the linear operations.
  • the key insertion layer enables the masked subkeys to be inserted one by one by combination with the masked input. This series of operations is executed r times, as many times as there are subkeys.
  • a remasking process 39 is provided .
  • the encrypted text 41 of the output is unmasked thanks to the layer 40.
  • Fig. 4 describes the succession of masks on the State matrix according to the invention, taking as an operational unit a 32-bit word .
  • the encryption according to the invention uses 6 independent 32-bit masks: $m$ and $m'$, the input and output masks of SubBytes, and $m_1, m_2, m_3, m_4$, the input masks of MixColumns.
  • the AddRoundKey changes the mask of the row $j$ from $m'_j$ to $m$.
  • the SubBytes function changes the mask $m$ into $m'$ on each row of the State matrix.
  • the ShiftRows function does not change the masking.
  • a remasking step is performed: on the column $j$, the mask is changed from $m'$ to $m_j$ with $j \in \{1,2,3,4\}$. Then, the MixColumns function changes the masks from $(m_1, m_2, m_3, m_4)$ to $(m'_1, m'_2, m'_3, m'_4)$.
  • the same procedure can be repeated r times.
  • the masks can be removed .
  • the method according to the invention modifies a small number of steps of the AES algorithm with respect to prior art, so that the calculation overhead is mainly due to the pre-calculations.
  • these precalculations are optimized by a parallel processing in the present invention .
  • Another advantageous characteristic of the invention is the use of four counters in a single word for the parallel processing of the substitution tables.
  • all SBoxes must be masked .
  • the following algorithm is used, which takes into account the 32-bit size of the processor used for the implementation of the method .
  • This algorithm for masking Sbox uses the PSTL instruction to access these values of the four SBoxes at the same time (in parallel) .
  • This algorithm can be adapted to other processor sizes.
  • a word c in hexadecimal form is used, wherein four counters are defined, one counter per one SBox. If the masking in the AES algorithm according to prior art is compared to that of the present invention, it can be seen that the entropy has been increased, which represents a security gain against side channel attacks.
  • Prior art proposes a 48-bit entropy (6 masks of 8 bits), whereas the method according to the present invention injects 192 bits of entropy (4 times more). The security is thus globally increased . But this security is also locally increased both on the SubBytes function and the MixColumns function of AES. Protecting the SBoxes with a greater mask than in prior art adds security. Furthermore, the masking process according to the invention uses a 128-bit mask for the MixColumns function, which also adds locally security on this function.
  • the different embodiments of the present invention comprise various steps. These steps can be implemented by instructions of a machine executable by means of a microprocessor for example.
  • these steps can be performed by specific integrated circuits comprising a wired logic to execute the steps, or by any combination of programmable components and personalized components.
  • the present invention can also be provided as a computer program product which can comprise a non-transitory computer memory medium containing instructions executable on a computer machine, which instructions can be used to program a computer (or any other electronic device) to execute the method.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method for applying a high entropy masking countermeasure in a block encryption algorithm, and a logic integrated circuit implementing such a method. The invention relates to a block encryption algorithm based encryption method implementing a masking countermeasure and comprising a step of non-linear substitution of the elements of the State matrix. According to the invention, this method comprises for each encryption of the block: - a precalculation step, during which several independent and masked substitution tables are generated in parallel, and - during the non-linear substitution step, the elements of the State matrix are substituted by elements from said independent and masked substitution tables.

Description

"Method for applying a high entropy masking countermeasure in a block encryption algorithm, and a logic integrated circuit implementing such a method"
The present invention relates to a method for applying a high entropy masking countermeasure in a block encryption algorithm. It also relates to a device for implementing such a method.
It finds a particularly interesting application in the field of data encryption by means of specific algorithms for masking all the intermediate values in order to protect sensitive data against possible attacks.
Generally, upon implementing cryptographic primitives, it is necessary to take into account and to protect oneself against any fraudulent extraction attempts of sensitive data such as the encryption key. Such attempts can be Side Channel Attacks (SCA). The terms side channel are used because these attacks are generally performed by alternative ways. In such attacks, any characteristic emanating from a circuit (energy consumption, electromagnetic emanations, etc.) implementing an encryption algorithm in order to deduce sensitive data therefrom is analysed. Indeed, there is a correlation between these characteristics and processed data. This analysis can be simple or differential (DPA for "Differential Power Analysis").
A countermeasure often proposed against side channel attacks is in particular a masking system. Data masking consists in randomizing all the data by adding random values called masks to them. The masks are renewed at each encryption so that the observable characteristics become independent of the sensitive data : thus, it is more difficult for a fraudulent person to recover the key.
Most prior art masking processes are performed by Boolean masking : the masks are added by exclusive-OR (XOR).
Most block encryption algorithms use a non-linear transformation to produce a confusion effect and a linear transformation to produce a diffusion effect. When the variables implied in these transformations are masked, the consequences of the introduction of the input mask on the output of the transformation (which will also be masked) should be predicted. One should be able to give a non-masked result at the end of the algorithm. Adding an input mask on the linear transformation results in easily predictable consequences. This is not the case for non-linear transformations.
In an encryption and decryption algorithm such as for example AES, the plain text to be encrypted is cut into 128 bit blocks which then are put into a square matrix of 16 elements termed "State", each element of this State representing one byte. The encryption key is also put into a matrix form. The encryption process is iterative and comprises several runs or rounds. Each run is made of several linear and non-linear transformations which are applied to the State. The non-linear transformations generally imply substitution tables which otherwise are strongly sensitive to side channel attacks.
The decryption process is similar to the encryption, the transformations being replaced by their inverses. The number of rounds depends on the size of the encryption key.
A substitution table (or "Sbox") accepts x input bits and delivers y output bits (for example, for AES, x = y = 8). Numerous encryption algorithm implementations on l-bit processors have been published (for example, for AES, generally l = 8 or 32 for a 128-bit State). This non-linear transformation should be recalculated as a function of the masks for each new encryption. The prior art uses a single substitution table because this calculation is very expensive in terms of calculating time and use of random access memory (RAM).
The encryption algorithms implemented on l-bit cryptographic processors and protected against side channel attacks generally use a y-bit output mask for the SBox. Finally, taking account of the entropy provided by the masks, the global entropy is suboptimal to counteract the sophisticated side channel attacks, in particular of the second order (this kind of attack combines side channel measurements at different times so as to remove the masks). Within the context of the AES algorithm, the global number of independent masks required (each 8 bits long) is 6 for a 32-bit (l = 32) architectural implementation. Thus, the entropy provided by the masks in a 128-bit AES algorithm is equal to 6 x 8 = 48 bits, which is suboptimal.
Fig. 1 describes a masking process for the block encryption according to prior art.
On the left-hand side of figure 1, an encryption key 1 which should be derived via a round key preparation module 2 (key Schedule) before being used by an encryption algorithm or an assembly of round subkeys 3 derived beforehand from the encryption key 1 can be seen. These subkeys can be calculated on the fly or precalculated.
At the beginning, a substitution table termed SBox 4 stored in memory is considered.
The centre of Fig. 1 includes a frame 5 illustrating a setting process wherein the masking is made from a random source 6. This random source 6 is used to generate masks. The access and use of random values strongly depend on the platform implementing the algorithm (tables of pre-generated random values, use of a random source, etc.).
The plain text 7 (input) and the subkeys 3 should be masked at the start of the block encryption calculation : the selection module 8 enables s values to be obtained from the random source 6, these s values being used for encrypting the plain text 7 and the subkeys 3. Therefore, a masked input and masked subkeys are obtained.
SBox 4 is also masked. To do this, a masking module Sbox 9 is used for generating a single masked Sbox substitution table 10 from Sbox 4 and x and y values from the random source via the selection module 8.
An encryption algorithm 11 will be supplied with the masked input, masked subkeys and masked Sbox 10. Most block encryption algorithms use at least one non-linear operation to produce a confusion effect and linear operations to produce a diffusion effect. In Fig. 1, the SBox layer 12 symbolizes the non-linear operation by use of the single masked Sbox 10. Operations A - Z symbolize the linear operations. The key insertion layer enables masked subkeys to be inserted one by one by combination with the masked plain text. This round of operations is executed r times, as many times as there are subkeys. Locally, a re-masking process 14 can be necessary.
At the end of the r rounds, the encrypted text 16 is unmasked thanks to the layer 15.
A generic process to mask an Sbox according to prior art will now be described. The effect of a Boolean masking on linear operations is simple to predict. This is not the case for non-linear operations.
An SBox table can be implemented as a "Lookup Table" which means that for each possible input e, the output is stored in a memory at the corresponding index in a table S.
To mask such a table, a masked table $S_m$ should be produced with the property $S_m(e \oplus m) = S(e) \oplus m'$, where $m$ and $m'$ are the input mask and the output mask respectively. Even if it is a simple procedure, it can be very expensive: one should browse all the inputs $e$, recover $S(e)$ and store $S(e) \oplus m'$ at index $e \oplus m$ of the masked table, for every couple $(m, m')$. Consequently, the calculation demand and the memory amount increase with the number of masks used: that is why in most applications, a single couple $(m, m')$ is used. However, using a single mask $m$ provides little entropy and security against side channel attacks.
The masking process in an AES algorithm according to prior art will now be described .
At the beginning of the calculation algorithm, the input and subkeys are masked .
The AES algorithm typically includes four transformations: AddRoundKey, SubBytes, ShiftRows and MixColumns.
AddRoundKey is the insertion procedure of the subkey at each run : the subkey and the State matrix undergo an XOR (exclusive-OR) operation. This is a modulo-2 addition of each byte of the State matrix with its homologue in the matrix of the subkey. The State matrix obtained after an AddRoundKey operation is a matrix the bytes of which are masked.
SubBytes is the only non-linear operation of AES. It is to replace each byte of the State matrix by the corresponding byte in the SBox which is a two-dimensional array consisting of 256 bytes. Each byte of the State matrix is represented as two hexadecimal digits, the first digit being used to address the rows of the array, and the second digit being used to address the columns of the array. The replacement byte is that of the SBox located at the addressed row and column.
ShiftRows is a function which offsets the rows of the State matrix. This is a simple permutation not modifying the masks.
MixColumns is a function which mixes the bytes of the State matrix. The output mask is different from the input mask (property of the operation). However, it can be predicted (precalculated) because it is a linear operation.
Fig. 2 illustrates the masking process undergone by the State matrix for an AES algorithm according to prior art. Six independent 8-bit masks are used: $m$ and $m'$ are the input mask and the output mask respectively of the SubBytes operation. The 4 other 8-bit masks $m_1, m_2, m_3, m_4$ are input masks for the MixColumns function.
At the beginning of the processing, a masked SBox table $S_m$ is precalculated such that $S_m(e \oplus m) = S(e) \oplus m'$, and the 4 output masks of 8 bits $(m'_1, m'_2, m'_3, m'_4)$ for the MixColumns are precalculated as $(m'_1, m'_2, m'_3, m'_4) = \mathrm{MixColumns}(m_1, m_2, m_3, m_4)$.
At the beginning of each AES run, the State matrix is masked with $(m'_1, m'_2, m'_3, m'_4)$. Then, the AddRoundKey function changes the masks $(m'_1, m'_2, m'_3, m'_4)$ into $m$ at each byte of the State matrix. The SubBytes function changes the mask $m$ into $m'$ at each byte of the State matrix. The ShiftRows function does not change the masking. Before performing the MixColumns function, a remasking step is performed: on column $j$, the mask is changed from $m'$ to $m_j$ with $j \in \{1,2,3,4\}$. Then, the MixColumns function changes the masks $(m_1, m_2, m_3, m_4)$ into $(m'_1, m'_2, m'_3, m'_4)$, which are the mask values at the beginning of the run. Thus, the same process can be repeated $r$ times. At the end of the algorithm, the masks can be removed.
The masked AES algorithm generally results in a high calculation time, mainly because of the SBox masking. An object of the present invention is therefore to overcome the drawbacks of prior art by providing a new method equivalent in calculation time.
Another object of the present invention is to increase the protection on the linear and non-linear functions as well as all the sensitive data. Another object of the invention is also to provide high entropy.
At least one of the abovementioned objects is reached with a block encryption algorithm based encryption method implementing a masking countermeasure and comprising at least one step of non-linear substitution of the elements. According to the invention, for each encryption of a block, this method includes:
a precalculation step, during which several independent and masked substitution tables are generated in parallel, and
during the non-linear substitution step, the elements of the State matrix are substituted by elements from said independent and masked substitution tables.
Generally, a countermeasure process is expensive in terms of memory and execution time. With the method according to the invention, good protection is obtained because a good trade-off between security gain and performance degradation is made. This protection is ensured by high entropy: using several independent and masked substitution tables strongly improves the security against side channel attacks. Good performance is preserved because the substitution tables are processed in parallel.
By way of example, the AES algorithm can be advantageously used as a block encryption algorithm.
According to an advantageous characteristic of the invention, all the substitution tables are managed in parallel by byte packets, the size of each processed packet being the same as the width of the microprocessor implementing the encryption algorithm. Thus, all the available capacity in the hardware architecture is used to process data. For example, the substitution tables can be managed in parallel by means of a microprocessor the size of which is 32 bits, 64 bits or 128 bits, these numbers thus corresponding to the number of bits on which an operation is performed by the microprocessor.
The masking process according to the invention proposes to use l-bit masks instead of y-bit masks, l being the word size of the microprocessor and y the size of the output data of a substitution table. This characteristic increases the entropy provided by the masks, and consequently the security of any implementation against second-order side channel attacks. For example, for the AES algorithm on a 32-bit microprocessor, the present invention has an entropy of 6 x 32 = 192 bits, which is four times higher than the 6 x 8 = 48 bits of entropy proposed by prior art. It can be noted that this new 192-bit maximum is higher than the size of the AES state (128 bits), which means that the security provided by the method according to the invention is theoretically high.
According to a preferred embodiment, the process for masking the substitution tables is timed by several parallel counters, one counter per substitution table, each counter being represented by hexadecimal digits of a word whose width is the same as the width of the microprocessor implementing the encryption algorithm. In other words, when for example four substitution tables are used in parallel, four counters are stored in a single 32-bit word written in hexadecimal form. Each counter uses two hexadecimal digits ranging from 00 to FF. Each counter remains independent because counting up to 256 is possible without a pair of hexadecimal digits altering a neighbouring pair: there is no ripple carry between different bytes as long as each byte is only ever incremented from 0 to 255.
According to an advantageous embodiment, the substitution tables can be generated from a single initial table to which different independent masks from random values are applied. This is an initial table stored in memory.
An iterative block encryption algorithm is advantageously used, wherein the random numbers from which the masking of substitution tables is made are renewed. This renewal is made at each run of the encryption process.
According to an advantageous embodiment, the substitution tables are processed in parallel using a parallel access instruction of the microprocessor implementing the encryption algorithm. This instruction can be called PSTL ("Parallel Substitution Table Lookup") and limits the increase in calculation time caused by the use of several substitution tables and the application of masks. Thus, several tables can be processed in parallel in the same duration as the processing of a single table. The number of substitution tables used depends in particular on the width of the PSTL instruction.
In the case of an AES type algorithm on a 32-bit processor for example, four (= l/y, with l = 32 bits and y = 8 bits) SBOX substitution tables can ideally be set in parallel. At the beginning of a masking phase, the substitution tables have to be recalculated as a function of the value of the masks. The PSTL instruction prevents this phase from impacting the calculation time.
According to another aspect of the present invention, it is provided a non-transitory logic integrated circuit, encoded with instructions which, when executed, implement a block encryption algorithm based encryption method comprising a masking countermeasure and a non-linear substitution of the elements of a State matrix. According to the invention, the instructions comprise for each encryption of a block:
a precalculation to generate in parallel several independent and masked substitution tables, and
a non-linear substitution of the elements of the State matrix by elements from said independent and masked substitution tables.
This logic integrated circuit can consist of a programmable logic circuit or an ASIC type specific integrated circuit.
Preferably, this logic integrated circuit comprises at least one microprocessor and memory components configured to implement the instructions according to the invention. Further advantages and characteristics of the invention will appear upon reading the detailed description of a non-limiting embodiment, and the appended drawings, wherein:
Fig. 1 is a schematic view illustrating an encryption process according to the AES algorithm according to prior art;
Fig. 2 is a schematic view illustrating a succession of masks according to prior art;
Fig. 3 is a schematic view illustrating the method according to the invention applied to an AES algorithm; and
Fig. 4 is a schematic view illustrating a succession of masks according to the invention.
Even though the invention is not limited thereto, the encryption method according to the invention applied to an AES algorithm will now be described. The encryption process provided has high entropy. The number of random values used directly impacts the security of the whole.
It is provided to use several masked substitution tables, their number being a function of the hardware and/or software architecture implementing the method according to the invention. The operational unit is advantageously the word of the microprocessor and not the base element of the algorithm (for the AES, that is the byte). The entropy is increased since one masked substitution table is used per word of the State matrix, rather than a single masked substitution table for the entire State matrix. The masks are randomly and independently selected for each substitution table.
For example, in the conventional AES algorithm the single substitution table is 8x8 bits and the State matrix is 128 bits long.
With the present invention, several substitution tables are used: 128 / 8 = 16 of them could be used, which would imply calculating 16 different masked substitution tables. A preferred embodiment of the present invention recommends instead using the word as the operational unit, that is for example 32 bits when the algorithm is implemented by a 32-bit microprocessor. This amounts to managing four substitution tables. To use several substitution tables while limiting the calculation time, a parallel processing of the substitution tables is advantageously provided. In particular, a specific instruction working on l bits is used, l being the word size of the microprocessor. This specific instruction, found in some microprocessors, can be called PSTL for "Parallel Substitution Table Lookup". If y is the output size of a substitution table, the number of substitution tables to be used is l/y. With the present invention, the output mask of the SubBytes function is adjusted to the size of the processor, and the security against side channel attacks is thus raised: larger masks mean more entropy.
In Fig. 3, it can be seen how the masking and encryption principle is modified with respect to Fig. 1 of prior art.
One of the essential differences visible in Fig. 3 with respect to prior art is the presence of several masked substitution tables 31, also called Sboxes, here four of them, to process in parallel the four bytes of a single row of the State matrix (4x4 matrix). A single byte is processed per substitution table, but all four substitution tables are processed in parallel.
The masking module 30 in Fig. 3 is configured to perform n maskings in parallel from an initial matrix 32 producing n masked "Sboxes".
From the encryption key 1 (cipher key), a set of subkeys 3 is generated via the key preparation module 2 (Key Schedule). These subkeys can be calculated on the fly or pre-calculated.
In Fig. 3, the random source 33 is used to generate the masks.
The input 34 and the subkeys 35 have to be masked at the beginning of the block encryption calculation: the selection module 36 obtains s values from the random source 33, these s values being used to mask the input 34 and the subkeys 35. Thus, a masked input and masked subkeys are obtained.
The encryption algorithm 37 is supplied with the masked input, the masked subkeys and the masked Sboxes 31. The SBox layer 38 symbolizes the non-linear operation using the n masked Sboxes 31. The operations A - Z symbolize the linear operations. The key insertion layer inserts the masked subkeys one by one by combination with the masked input. This series of operations is executed r times, as many times as there are subkeys.
A remasking process 39 is provided. At the end of the r runs, the encrypted text 41 at the output is unmasked by the layer 40.
Fig. 4 describes the succession of masks on the State matrix according to the invention, taking a 32-bit word as the operational unit.
The encryption according to the invention uses 6 independent 32-bit masks. $(m_1|m_2|m_3|m_4)$ and $(m'_1|m'_2|m'_3|m'_4)$ are the 32-bit input and output masks of the SubBytes function respectively, $m_j$ and $m'_j$ being the 8-bit masks of row j. The four other 32-bit masks
$(m_{k,1}|m_{k,2}|m_{k,3}|m_{k,4})$, $k \in \{1,2,3,4\}$, are the input masks for the MixColumns function.
At the beginning of encryption, the following are pre-calculated:
- four masked SBox tables $S_{m_j}$, $j \in \{1,2,3,4\}$, such that:
$S_{m_j}(e \oplus m_j) = S(e) \oplus m'_j$
and,
- the four 32-bit output masks $(m'_{k,1}|m'_{k,2}|m'_{k,3}|m'_{k,4})$
for the MixColumns function, by calculating:
$(m'_{1,1}, m'_{1,2}, m'_{1,3}, m'_{1,4}, m'_{2,1}, \dots, m'_{4,4}) = \mathrm{MixColumns}(m_{1,1}, m_{1,2}, m_{1,3}, m_{1,4}, m_{2,1}, m_{2,2}, m_{2,3}, m_{2,4}, m_{3,1}, m_{3,2}, m_{3,3}, m_{3,4}, m_{4,1}, m_{4,2}, m_{4,3}, m_{4,4})$.
At the beginning of each AES run, the State matrix is masked with
$(m'_{1,1}, m'_{1,2}, \dots, m'_{4,4})$.
Then, the AddRoundKey changes the masks on row j from
the corresponding bytes of $(m'_{1,1}, \dots, m'_{4,4})$
to $m_j$, with $j \in \{1,2,3,4\}$.
The SubBytes function changes the masks $m_j$ into $m'_j$ on each row of the State matrix.
The ShiftRows function does not change the masking, since every byte of a row carries the same mask.
Before performing the MixColumns function, a remasking step is performed: on column j, the mask is changed from $(m'_1|m'_2|m'_3|m'_4)$ into $(m_{j,1}|m_{j,2}|m_{j,3}|m_{j,4})$ with $j \in \{1,2,3,4\}$. Then, the MixColumns function changes the mask from
$(m_{1,1}, m_{1,2}, \dots, m_{4,4})$ to
$(m'_{1,1}, m'_{1,2}, m'_{1,3}, m'_{1,4}, m'_{2,1}, m'_{2,2}, m'_{2,3}, m'_{2,4}, m'_{3,1}, m'_{3,2}, m'_{3,3}, m'_{3,4}, m'_{4,1}, m'_{4,2}, m'_{4,3}, m'_{4,4})$, which are the mask values at the beginning of the run.
Thus, the same procedure can be repeated r times. At the end of the algorithm, the masks can be removed.
The method according to the invention modifies a small number of steps of the AES algorithm with respect to prior art, so that the calculation overhead is mainly due to the pre-calculations. Advantageously, these pre-calculations are optimized by parallel processing in the present invention.
Another advantageous characteristic of the invention is the use of four counters in a single word for the parallel processing of the substitution tables. Actually, after the input and output masks of the SBox have been selected, all SBoxes must be masked. To do this, the following algorithm is used, which takes into account the 32-bit size of the processor used for the implementation of the method. This algorithm for masking the Sboxes uses the PSTL instruction to access the values of the four SBoxes at the same time (in parallel). It can be adapted to other processor sizes.
«
S-Boxes masking
Inputs: SB (S-box address),
        m (input mask),
        m' (output mask)
Output: SBm (masked S-boxes address)
c ← 0;
For c = 0 to 2^32 - 1 by step 16843009 = (01010101)_16
    x ← c ⊕ m;
    x' ← SB[x];
    SBm[c] ← x' ⊕ m';
End for
»
A word c in hexadecimal form is used, in which four counters are defined, one counter per SBox. If the masking of the AES algorithm according to prior art is compared to that of the present invention, it can be seen that the entropy has been increased, which represents a security gain against side channel attacks. Prior art proposes a 48-bit entropy (6 masks of 8 bits), whereas the method according to the present invention injects 192 bits of entropy (4 times more). The security is thus globally increased. But this security is also locally increased, both on the SubBytes function and on the MixColumns function of AES. Protecting the SBoxes with a larger mask than in prior art adds security. Furthermore, the masking process according to the invention uses a 128-bit mask for the MixColumns function, which also adds local security on this function.
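The masking loop above and the mask succession of Fig. 4, as an added worked example that is not the patent's or the applicant's code. It assumes a 32-bit word (four byte lanes), a software stand-in for the PSTL instruction (four byte lookups in one table per call; the instruction itself is not specified on the page), and Python's `secrets` module as the random source; the AES S-box is computed from its GF(2^8) definition rather than typed in. The block builds the four masked S-boxes with the packed counter word stepping by 0x01010101, checks that each table satisfies $S_{m_j}(e \oplus m_j) = S(e) \oplus m'_j$, and then runs one masked round (AddRoundKey, SubBytes, ShiftRows, remasking, MixColumns, in the order the page uses) on a constructed block and round key to confirm that unmasking with the MixColumns output masks gives the unmasked round result.

```python
"""Masked AES S-boxes from packed byte counters, and one masked round.
Added example for this page, not the patent's code. Assumes a 32-bit word,
a software stand-in for PSTL, and `secrets` as the random source."""
import secrets

STEP = 0x01010101  # one step advances all four packed byte counters at once

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox():
    """S(a) = affine(a^-1): brute-force inverses, then the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        if not inv[a]:
            b = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
            inv[a], inv[b] = b, a
    box = []
    for a in range(256):
        x = s = inv[a]
        for k in range(1, 5):
            s ^= ((x << k) | (x >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = aes_sbox()

def pack(bs):
    """Four bytes -> one 32-bit word, byte j in lane j."""
    return sum(b << (8 * j) for j, b in enumerate(bs))

def unpack(w):
    return [(w >> (8 * j)) & 0xFF for j in range(4)]

def pstl(table, w):
    """Stand-in for PSTL: look up all four byte lanes of w in one call."""
    return pack(table[b] for b in unpack(w))

def masked_sboxes(sbox, m, m_out):
    """The page's masking loop with four counters in one word.
    m = (m1|m2|m3|m4), m_out = (m'1|m'2|m'3|m'4). Lane j of c is the
    counter of table j; stepping by 0x01010101 never carries across a byte
    boundary. Lane j of each result, S[c_j ^ m_j] ^ m'_j, is stored at
    index c_j of table j."""
    tables = [[0] * 256 for _ in range(4)]
    for c in range(0, 1 << 32, STEP):  # 256 iterations, c = k*0x01010101
        y = pstl(sbox, c ^ m) ^ m_out
        for j, (idx, val) in enumerate(zip(unpack(c), unpack(y))):
            tables[j][idx] = val
    return tables

def tables_consistent(tables, m_in, m_out):
    """Check S_mj(e ^ m_j) == S(e) ^ m'_j for all four tables and all e."""
    return all(tables[j][e ^ m_in[j]] == SBOX[e] ^ m_out[j]
               for j in range(4) for e in range(256))

# One round as the page orders it: AddRoundKey, SubBytes, ShiftRows,
# MixColumns. The state is s[row][col]; a row is the SubBytes word, a
# column is the MixColumns word.
def xor_state(a, b):
    return [[a[r][c] ^ b[r][c] for c in range(4)] for r in range(4)]

def shift_rows(s):
    return [[s[r][(c + r) % 4] for c in range(4)] for r in range(4)]

def mix_column(a):
    a0, a1, a2, a3 = a
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]

def transpose(m):
    """[col][row] <-> [row][col]."""
    return [[m[c][r] for c in range(4)] for r in range(4)]

def mix_columns(s):
    return transpose([mix_column(col) for col in transpose(s)])

def plain_round(s, k):
    s = [[SBOX[b] for b in row] for row in xor_state(s, k)]
    return mix_columns(shift_rows(s))

def masked_round(sm, km, tables, m_out, mc_in):
    """Mask succession of Fig. 4. sm enters masked with the MixColumns
    output masks; km is the round key xor those masks xor m_j on row j."""
    s = xor_state(sm, km)                                        # row j: m_j
    s = [unpack(pstl(tables[j], pack(s[j]))) for j in range(4)]  # row j: m'_j
    s = shift_rows(s)                                  # per-row masks survive
    remask = transpose([[m_out[r] ^ mc_in[c][r] for r in range(4)]
                        for c in range(4)])
    s = xor_state(s, remask)                                # col c: mc_in[c]
    return mix_columns(s)                       # col c: MixColumns(mc_in[c])

def demo():
    """One masked round on a constructed block and key; True when unmasking
    with the MixColumns output masks matches the plain round."""
    m_in = [secrets.randbelow(256) for _ in range(4)]   # SubBytes in, per row
    m_out = [secrets.randbelow(256) for _ in range(4)]  # SubBytes out, per row
    mc_in = [[secrets.randbelow(256) for _ in range(4)] for _ in range(4)]
    mc_out = [mix_column(col) for col in mc_in]         # derived, not drawn
    tables = masked_sboxes(SBOX, pack(m_in), pack(m_out))
    plain = [[secrets.randbelow(256) for _ in range(4)] for _ in range(4)]
    key = [[secrets.randbelow(256) for _ in range(4)] for _ in range(4)]
    mask0 = transpose(mc_out)                           # 128-bit run-start mask
    sm = xor_state(plain, mask0)
    km = xor_state(key, xor_state(mask0, [[m_in[r]] * 4 for r in range(4)]))
    out = masked_round(sm, km, tables, m_out, mc_in)
    return (tables_consistent(tables, m_in, m_out)
            and xor_state(out, mask0) == plain_round(plain, key))

if __name__ == "__main__":
    print("masked round matches plain round:", demo())
```

The six drawn masks here are the ones the page counts (two 32-bit SubBytes masks and four 32-bit MixColumns input masks); the MixColumns output masks and the 128-bit run-start mask are derived from them by the linear MixColumns map, which is why the state can loop back to the same mask layout every round. A real implementation would of course never materialize `plain` and `key` unmasked next to the masked values; they are kept here only so the check can be made.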
Of course, the invention is not limited to the examples just described and numerous alterations can be provided to these examples without departing from the scope of the invention.
The different embodiments of the present invention comprise various steps. These steps can be implemented by instructions of a machine executable by means of a microprocessor for example.
Alternatively, these steps can be performed by specific integrated circuits comprising a wired logic to execute the steps, or by any combination of programmable components and personalized components.
The present invention can also be provided as a computer program product which can comprise a non-transitory computer memory medium containing instructions executable on a computer machine, which instructions can be used to program a computer (or any other electronic device) to execute the method.

Claims

1. A block encryption algorithm based encryption method implementing a masking countermeasure and comprising a step of non-linear substitution of the elements of a State matrix, characterised in that this method comprises for each encryption of a block:
a precalculation step, during which several independent and masked substitution tables are generated in parallel, and
during the non-linear substitution step, the elements of the State matrix are substituted by elements from said independent and masked substitution tables.
2. The method according to claim 1, characterised in that the substitution tables are all managed in parallel by byte packets, the size of each processed packet being the same as the width of the microprocessor implementing the encryption algorithm.
3. The method according to claim 2, characterised in that a process for masking the substitution tables is timed by several parallel counters, one counter being used per substitution table, each counter being represented by hexadecimal digits of a word the width of which is the same as the width of the microprocessor implementing the encryption algorithm.
4. The method according to any of the preceding claims, characterised in that the substitution tables are generated from a single initial table to which different independent masks from random numbers are applied .
5. The method according to any of the preceding claims, characterised in that an AES (Advanced Encryption Standard) algorithm is used as a block encryption algorithm, wherein the step of MixColumns is masked with a mask having the size of the State matrix.
6. The method according to any of the preceding claims, characterised in that an iterative block encryption algorithm is used, wherein the random numbers from which the masking of the substitution tables is performed are renewed .
7. The method according to any of the preceding claims, characterised in that the substitution tables are managed in parallel using a parallel access instruction of the microprocessor implementing the encryption algorithm.
8. The method according to any of the preceding claims, characterised in that the substitution tables are managed in parallel by means of a microprocessor the size of which is 32 bits, 64 bits or 128 bits.
9. A non-transitory logic integrated circuit, encoded with instructions which, when executed, implement a block encryption algorithm based encryption method comprising a masking countermeasure and a non-linear substitution of the elements of a State matrix, characterised in that the instructions comprise for each encryption of a block:
a precalculation to generate in parallel several independent and masked substitution tables, and
a non-linear substitution of the elements of the State matrix by elements from said independent and masked substitution tables.
10. The logic integrated circuit according to claim 9, characterised in that it consists of a programmable logic circuit.
11. The logic integrated circuit according to claim 9, characterised in that it consists of an ASIC type specific integrated circuit.
12. The logic integrated circuit according to one of claims 9 to 11, characterised in that it comprises at least a microprocessor and memory components configured to implement the instructions.
EP12721434.4A 2011-04-26 2012-04-20 Method for applying a high entropy masking countermeasure in a block encryption algorithm, and a logic integrated circuit implementing such a method Ceased EP2702720A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1153547A FR2974693B1 (en) 2011-04-26 2011-04-26 METHOD FOR APPLYING HIGH ENTROPY MASKING MEASURE IN A BLOCK ENCRYPTION ALGORITHM, AND LOGIC INTEGRATED CIRCUIT USING SUCH A METHOD
PCT/EP2012/057325 WO2012146550A1 (en) 2011-04-26 2012-04-20 Method for applying a high entropy masking countermeasure in a block encryption algorithm, and a logic integrated circuit implementing such a method

Publications (1)

Publication Number Publication Date
EP2702720A1 true EP2702720A1 (en) 2014-03-05

Family

ID=46085894

Family Applications (1)

Application Number Title Priority Date Filing Date
EP12721434.4A Ceased EP2702720A1 (en) 2011-04-26 2012-04-20 Method for applying a high entropy masking countermeasure in a block encryption algorithm, and a logic integrated circuit implementing such a method

Country Status (3)

Country Link
EP (1) EP2702720A1 (en)
FR (1) FR2974693B1 (en)
WO (1) WO2012146550A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3131228A1 (en) * 2015-08-13 2017-02-15 Gemalto Sa Method to secure keccak algorithm against side-channel attacks
FR3040514B1 (en) * 2015-09-02 2017-09-15 Stmicroelectronics Rousset DPA PROTECTION OF A RIJNDAEL ALGORITHM
FR3040513B1 (en) * 2015-09-02 2018-11-16 Stmicroelectronics (Rousset) Sas PROTECTION OF A RIJNDAEL ALGORITHM
FR3040515B1 (en) 2015-09-02 2018-07-27 St Microelectronics Rousset VERIFYING THE RESISTANCE OF AN ELECTRONIC CIRCUIT TO HIDDEN CHANNEL ATTACKS
WO2019003321A1 (en) * 2017-06-27 2019-01-03 三菱電機株式会社 Code generation device, code generation method and code generation program
EP3484095A1 (en) * 2017-11-10 2019-05-15 Nagravision S.A. Computer-implemented cryptographic method and device for implementing this method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7346161B2 (en) * 2000-01-26 2008-03-18 Fujitsu Limited Method and apparatus for designing cipher logic, and a computer product
US7848514B2 (en) * 2004-05-24 2010-12-07 Research In Motion Limited Table masking for resistance to power analysis attacks
EP2195761B1 (en) * 2007-10-01 2013-04-03 Research In Motion Limited Substitution table masking for cryptographic processes

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
FISKIRAN A M ET AL: "Fast Parallel Table Lookups to Accelerate Symmetric-Key Cryptography", INFORMATION TECHNOLOGY: CODING AND COMPUTING, 2005. ITCC 2005. INTERNA TIONAL CONFERENCE ON LAS VEGAS, NV, USA 04-06 APRIL 2005, IEEE COMPUTER SOCIETY, LOS ALAMITOS, CALIF. [U.A.], vol. 1, 4 April 2005 (2005-04-04), pages 526 - 531, XP010795902, ISBN: 978-0-7695-2315-6 *
See also references of WO2012146550A1 *

Also Published As

Publication number Publication date
WO2012146550A1 (en) 2012-11-01
FR2974693A1 (en) 2012-11-02
FR2974693B1 (en) 2013-04-26

Legal Events

Date / Code / Title / Description
- PUAI: Public reference made under article 153(3) EPC to a published international application that has entered the European phase. Free format text: ORIGINAL CODE: 0009012
- 17P: Request for examination filed. Effective date: 20131104
- AK: Designated contracting states. Kind code of ref document: A1. Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
- RIN1: Information on inventor provided before grant (corrected). Inventor name: THUILLET, CELINE; Inventor name: FRANCQ, JULIEN
- DAX: Request for extension of the European patent (deleted)
- RAP1: Party data changed (applicant data changed or rights of an application transferred). Owner name: AIRBUS DS SAS
- STAA: Information on the status of an EP patent application or granted EP patent. Free format text: STATUS: EXAMINATION IS IN PROGRESS
- 17Q: First examination report despatched. Effective date: 20170307
- REG: Reference to a national code. Ref country code: DE. Ref legal event code: R003
- STAA: Information on the status of an EP patent application or granted EP patent. Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED
- 18R: Application refused. Effective date: 20200214