EP2803161A1 - Method for encryption protected against side-channel attacks - Google Patents

Method for encryption protected against side-channel attacks

Info

Publication number
EP2803161A1
Authority
EP
European Patent Office
Legal status: Withdrawn (assumed by Google; not a legal conclusion)
Application number
EP12821282.6A
Other languages
English (en)
French (fr)
Inventor
Benoit Feix
Mylène Roussellet
Current assignee: Inside Secure SA (listing may be inaccurate)
Original assignee: Inside Secure SA

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation, with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise

Definitions

  • The present invention relates to a block-cipher method executed by a microcircuit and protected against side-channel attacks, for transforming a message into an encrypted message from a secret key.
  • The present invention relates in particular to smart-card integrated circuits and to hardware cryptographic components integrated on the motherboards of computers and of other consumer electronic and computing equipment requiring security functions (USB sticks, TV decoders, game consoles, etc.), such as the "TPM" (Trusted Platform Module).
  • Such microcircuits are equipped with a CPU (central processing unit), generally an 8-bit CISC core or an 8-, 16- or 32-bit RISC core.
  • Some are equipped with a coprocessor dedicated to cryptographic computation, for example a DES (Data Encryption Standard) or AES (Advanced Encryption Standard) coprocessor. These contain thousands of logic gates that switch differently depending on the operations performed. The switching produces short variations in current consumption, of a few nanoseconds for example, which are measurable.
  • CMOS integrated circuits comprise logic gates that (static leakage aside) draw current only when they switch, i.e. when a logic node transitions to 1 or to 0. Power consumption therefore depends on the data handled by the CPU and its peripherals: memory, data travelling on the data or address bus, cryptographic coprocessor, etc.
  • Such microcircuits are exposed to so-called side-channel attacks, based on the observation of their current consumption or of their magnetic or electromagnetic emanations. Such attacks aim at recovering the secret data they use, in particular their cryptographic keys.
  • Side-channel attacks rely on statistical analysis methods such as DPA ("Differential Power Analysis") or CPA ("Correlation Power Analysis").
  • CPA is based on a linear model of current consumption (typically the Hamming weight or Hamming distance of the data handled) and consists in computing a correlation coefficient between, on the one hand, the measured consumption points forming the captured traces and, on the other hand, an estimated consumption value computed from the linear model together with a hypothesis on the operation performed by the microcircuit and on the value of the (partial) cryptographic key. The hypothesis giving the highest correlation reveals the key.
  • Countermeasures are therefore generally provided.
  • The most commonly used countermeasures are masking and multiple execution.
  • A masking countermeasure uses a random mask (a random binary number) that is combined with the key and/or the message during the execution of the encryption process. This type of countermeasure is effective but requires a coprocessor specially designed for it, when executed by a coprocessor, or a more complex program, when executed by the CPU of the microcircuit.
  • A multiple-execution countermeasure can be implemented with a conventional coprocessor having no built-in countermeasure. It simply consists in executing the encryption process several times with false keys.
  • A countermeasure program drives the encryption program or the coprocessor and makes it execute the encryption process several times with the false keys, so that the execution of the encryption process with the right key (i.e. the authentic key) is "drowned" in a set of dummy executions.
  • The present invention relates more particularly to multiple-execution countermeasures applied to symmetric block-cipher methods such as DES, TDES and AES. These classic countermeasures will be better understood after recalling the structure of these encryption methods.
  • FIG. 1A schematically shows the architecture of a block-cipher method CP1.
  • The process is symmetric, meaning that it uses the same secret key for encryption and for decryption.
  • The method receives as input a message M and a secret key K, and provides an encrypted message C. It comprises Nr rounds RD_i, i ranging from 1 to Nr: a first round RD_1, intermediate rounds RD_2, ..., RD_i, ..., RD_{Nr-1}, and a last round RD_Nr.
  • The method may also include an initial operation IO that prepares the message before the execution of the rounds by means of a first transformation function, and a final operation FO that transforms the result of the last round by means of a second transformation function to obtain the encrypted message C.
  • Each round RD_i generally uses a subkey SK_i derived from the key K or from the subkey used by the previous round. Each round provides the next round with a secret intermediate result that is not accessible to an attacker, this result being for example stored temporarily in a protected memory.
  • The first round RD_1 receives as input the message M, or the data resulting from the transformation of the message by the initial operation IO, and provides a first secret intermediate result to the next round RD_2.
  • Each intermediate round RD_i receives as input the secret intermediate result provided by the previous round, and provides a secret intermediate result to the next round.
  • The last round RD_Nr receives as input the secret intermediate result provided by the penultimate round RD_{Nr-1} and provides a final result forming the encrypted message C, or forming the encrypted message after transformation by the final operation FO.
  • As shown in FIG. 1B, each round RD_i generally comprises sub-rounds SRD1, SRD2, ..., SRDn.
  • For example, each round of the DES process comprises four sub-rounds: the expansion permutation E, the XOR with the round subkey, the S-box substitution and the simple permutation P.
  • FIG. 2 represents, as a flowchart "AES1", the classical structure of an AES encryption method.
  • The method comprises an initial operation consisting of an "AddRoundKey" operation using a first subkey SK_0, nine rounds RD_1 to RD_9 using nine other subkeys SK_1 to SK_9 and each comprising the four sub-rounds "SubBytes", "ShiftRows", "MixColumns" and "AddRoundKey", and a last round RD_10 comprising the three sub-rounds "SubBytes", "ShiftRows" and "AddRoundKey" using a tenth subkey SK_10 (the last round has no MixColumns).
  • FIG. 3 schematically represents an example of a method CP2 protected against side-channel attacks by the multiple-execution technique.
  • The method comprises an initial step of generating N1-1 false keys K_1, K_2, ..., K_{N1-1}, the correct key K being for example the key K_0.
  • The method CP2 then comprises N1 executions of the method CP1 of FIG. 1A.
  • The process CP1 is executed a first time with the key K_0, then with the first false key K_1, then with the second false key K_2, and so on until the N1-th execution with the key K_{N1-1}.
  • Each execution provides a result C_0, C_1, ..., C_{N1-1} from the corresponding key and the message M. Only one of these results is valid; the others are dummies.
  • In practice the order in which the keys are used is random (the regular order shown in FIG. 3 being only an example), so that an attacker does not know which execution uses the correct key. The cost is N1 full executions of the cipher, i.e. N1 × Nr round executions.
  • Embodiments of the invention relate to a symmetric encryption method executed by a microcircuit, for transforming a message into an encrypted message from a secret key, comprising a first round, intermediate rounds and a last round, and comprising several executions of the first and last rounds, from the secret key and a first set of false keys respectively, and a number of executions of at least one intermediate round smaller than the number of executions of the first and last rounds, from the secret key and a set of false keys included in the first set of false keys respectively.
  • According to one embodiment, the method comprises a second round, a penultimate round and several intermediate rounds; the first two rounds are executed more times than the intermediate rounds, and the last two rounds are executed more times than the intermediate rounds.
  • According to one embodiment, the method comprises only one execution of at least one intermediate round.
  • According to one embodiment, the method comprises, for a determined number of successive rounds starting from the first, a number of executions of the rounds decreasing according to a decay rule that is a function of the rank of the round relative to the first round, then, for a determined number of successive rounds up to the last, a number of executions of the rounds growing according to a growth rule that is a function of the rank of the round relative to the last round.
  • According to one embodiment, the decay rule is a rule in 1/(2^n), where n is a parameter depending on the rank of the round relative to the first or to the last round.
  • According to one embodiment, each round includes sub-rounds, and the multiple execution of each round includes the multiple execution of each sub-round of the round.
  • According to one embodiment, each round includes sub-rounds, and the multiple execution of a round includes the multiple execution of at least one sub-round and a single execution of at least one other sub-round.
  • According to one embodiment, the single execution of the sub-round is a masked execution of first or higher order.
  • According to one embodiment, the multiple execution of the sub-round is a masked execution of first order.
  • According to one embodiment, the method complies with the DES, Triple DES or AES specifications.
  • Embodiments of the invention also relate to a microcircuit configured to execute a symmetric encryption method transforming a message into an encrypted message from a secret key, the method comprising a first round, intermediate rounds and a last round, the microcircuit being configured to execute the first and last rounds several times, from the secret key and a first set of false keys respectively, and to execute at least one intermediate round a number of times lower than the number of executions of the first and last rounds, from the secret key and a set of false keys included in the first set of false keys respectively.
  • According to one embodiment, the microcircuit is configured to execute at least one intermediate round only once.
  • According to one embodiment, the microcircuit is configured to execute rounds comprising sub-rounds, and to execute all the sub-rounds of a round the same number of times during a multiple execution of the round.
  • According to one embodiment, the microcircuit is configured to execute rounds comprising sub-rounds, and to execute at least one sub-round only once and another sub-round several times during a multiple execution of the round.
  • According to one embodiment, the microcircuit comprises a modular coprocessor configured to execute individually the encryption operations included in the sub-rounds.
  • Embodiments of encryption methods and of a microcircuit according to the invention will be described in the following, without limitation, with reference to the appended figures, among which:
  • FIG. 1A, previously described, represents the structure of a conventional round-based encryption method,
  • FIG. 1B, previously described, represents the structure of a round of the method of FIG. 1A,
  • FIG. 2, previously described, represents the structure of a conventional AES encryption method,
  • FIG. 3, previously described, represents the structure of a conventional encryption method protected against side-channel attacks,
  • FIG. 4 represents the structure of an embodiment of an encryption method according to the invention
  • FIG. 5 illustrates an advantage of the method of FIG. 4,
  • FIG. 6 represents the structure of an AES encryption method according to the invention
  • FIG. 7 represents the structure of another embodiment of an encryption method according to the invention
  • FIG. 8 represents an embodiment of a secure microcircuit according to the invention.
  • Embodiments of the invention stem from the observation that not all rounds of a symmetric encryption method require the same level of protection against side-channel attacks. The rounds most exposed to this type of attack, and in particular to DPA or CPA analysis, are first of all the first round and the last round. Indeed, a DPA or CPA analysis can be conducted against a round only if an input or output datum of that round is known to the attacker, the key being the object of the attack.
  • The first round RD_1 receives input data known to the attacker.
  • This is the message M, or the data resulting from the transformation of the message by the initial operation IO.
  • Since the initial operation is also known to the attacker, being described by the applicable standards, this input data can be computed from the message when it is not the message itself.
  • The last round RD_Nr provides a result known to the attacker.
  • This is the encrypted message C, or the data from which the encrypted message C is obtained after transformation by the final operation FO. Since the final operation is also known to the attacker, this data can be recovered from the encrypted message C by applying the inverse of the function used by the final operation FO.
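As an added illustration (not part of the patent), the following Python simulation reproduces the point above with a constructed leakage model: a 4-bit S-box (the PRESENT S-box, standing in for a DES or AES S-box), a Hamming-weight consumption model and Gaussian noise. Against the first round the attacker knows the S-box input up to the key (M XOR K) and CPA ranks the correct key first; against a central round the S-box input is a secret intermediate result, so hypotheses computed from M are uncorrelated with what leaks and every key guess scores close to zero. The S-box, the noise level, the trace count, the seed and the function names are assumptions of the example.

```python
import random

# Constructed toy model: a 4-bit S-box (the PRESENT S-box) stands in for a DES or AES S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(x):
    """Hamming weight: the linear consumption model assumed by CPA (one unit per 1-bit)."""
    return bin(x).count("1")

def pearson(xs, ys):
    """Correlation coefficient between the predicted and the measured consumption."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return 0.0 if den == 0 else num / den

def simulate_traces(key, n, rng, sigma=1.0, known_input=True):
    """Constructed traces: one leakage sample per execution, HW(S(x XOR key)) plus noise.

    known_input=True models the first round: x is the message nibble M, known to the attacker.
    known_input=False models a central round: x is a secret intermediate result that the
    attacker cannot compute from M without the earlier rounds' subkeys, so the observed M
    is independent of what actually leaks."""
    inputs, samples = [], []
    for _ in range(n):
        m = rng.randrange(16)
        x = m if known_input else rng.randrange(16)
        inputs.append(m)
        samples.append(hw(SBOX[x ^ key]) + rng.gauss(0, sigma))
    return inputs, samples

def cpa(inputs, samples):
    """For each key hypothesis k, correlate HW(S(M XOR k)) with the measured samples."""
    return [pearson([hw(SBOX[m ^ k]) for m in inputs], samples) for k in range(16)]

def run_attack(key=0xB, n=4000, seed=1, known_input=True):
    """Return (best-ranked key hypothesis, its absolute correlation)."""
    rng = random.Random(seed)
    inputs, samples = simulate_traces(key, n, rng, known_input=known_input)
    scores = cpa(inputs, samples)
    best = max(range(16), key=lambda k: abs(scores[k]))
    return best, abs(scores[best])

if __name__ == "__main__":
    print("first round (input known)   :", run_attack(known_input=True))
    print("central round (input secret):", run_attack(known_input=False))
```

With noise of the same magnitude as the signal the correct hypothesis correlates at about 0.7 on the first round, while on the central round no hypothesis rises above the sampling noise of roughly 1/sqrt(n). Attacking the central round would require guessing the subkeys of all preceding rounds as well, which is what makes those rounds less exposed.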
  • Embodiments of the invention thus relate to an encryption method in which the number of executions of the intermediate rounds RD_2, RD_3, ..., RD_i, ..., RD_{Nr-1} is smaller than the number of executions of the first and last rounds, in order to reduce the total number of round executions and thus the overall execution time of the encryption process.
  • In one embodiment, the second and penultimate rounds RD_2 and RD_{Nr-1} are considered more exposed to attack than the other intermediate rounds, and are executed more times than the other intermediate rounds.
  • In one embodiment, the "central" intermediate rounds (i.e. those furthest from the first and last rounds) are executed only once.
  • FIG. 4 schematically shows the structure of a symmetric block-cipher method CP3 according to the invention, protected against side-channel attacks.
  • The method provides an encrypted message C from a message M and a secret key K, and comprises Nr rounds RD_1, RD_2, ..., RD_i, ..., RD_{Nr-1}, RD_Nr.
  • The method may comprise an initial operation IO preparing the message M before the execution of the rounds, and a final operation FO transforming the result of the last round by means of a known transformation function to obtain the encrypted message C. It also comprises an initial step of generating N1-1 false keys K_1, K_2, ..., K_{N1-1} in addition to the secret key K.
  • The method thus uses an initial set of N1 keys K_j (K_0, K_1, K_2, ..., K_{N1-1}) in which only the key K_0 is authentic.
  • The method CP3 comprises the following steps:
  • the round RD_1 is executed N1 times by means of N1 subkeys SK_{1,j} (SK_{1,0}, SK_{1,1}, SK_{1,2}, ..., SK_{1,N1-1}) generated from the initial set of N1 keys K_j (K_0, K_1, K_2, ..., K_{N1-1}),
  • the round RD_2 is executed N2 times, with N2 ≤ N1, by means of N2 subkeys SK_{2,j} (SK_{2,0}, SK_{2,1}, SK_{2,2}, ..., SK_{2,N2-1}) generated from a subset of N2 keys K_j (K_0, K_1, K_2, ..., K_{N2-1}) included in the initial set of N1 keys,
  • the round RD_i, for the following rounds up to the central rounds, is executed N_i times, with N_i ≤ N_{i-1}, N_{i-1} being the number of executions of the preceding round, by means of N_i subkeys SK_{i,j} (SK_{i,0}, SK_{i,1}, SK_{i,2}, ..., SK_{i,N_i-1}) generated from a subset of N_i keys K_j (K_0, K_1, K_2, ..., K_{N_i-1}) included in the initial set of N1 keys,
  • the round RD_{Nr-1} is executed N_{Nr-1} times, with N_{Nr-1} ≥ N_{Nr-2}, N_{Nr-2} being the number of executions of the previous round, by means of N_{Nr-1} subkeys SK_{Nr-1,j} (SK_{Nr-1,0}, SK_{Nr-1,1}, SK_{Nr-1,2}, ..., SK_{Nr-1,N_{Nr-1}-1}) generated from a subset of N_{Nr-1} keys K_j (K_0, K_1, K_2, ..., K_{N_{Nr-1}-1}) included in the initial set of N1 keys, and
  • the last round RD_Nr is executed N_Nr times, with N_Nr ≥ N_{Nr-1}, by means of N_Nr subkeys SK_{Nr,j} (SK_{Nr,0}, SK_{Nr,1}, SK_{Nr,2}, ..., SK_{Nr,N_Nr-1}) generated from a subset of N_Nr keys K_j (K_0, K_1, K_2, ..., K_{N_Nr-1}) included in the initial set of N1 keys.
  • Since every subset starts at K_0, each round is executed at least once with the authentic key, whatever N_i.
  • The relationship between the numbers of executions of the rounds RD_1, RD_2, RD_3, ..., RD_i, ..., RD_{Nr-3}, RD_{Nr-2}, RD_{Nr-1}, RD_Nr is governed by a first countermeasure rule, which can be formalized as follows:
  • Rule 1: N_1 ≥ N_2 ≥ N_3 ≥ ... ≥ N_i for the rounds counted from the first, and N_Nr ≥ N_{Nr-1} ≥ N_{Nr-2} ≥ N_{Nr-3} ≥ ... ≥ N_i for the rounds counted from the last, with at least one intermediate round executed fewer times than the first and the last rounds.
  • Rule 2: the distribution of the number of executions may differ between the first rounds and the last rounds, for example:
  • Is being a threshold defining the "distance" of a round relative to the first and last rounds.
  • The threshold Is can be chosen greater than the number of rounds to obtain full symmetry of the process, with regard to the number of executions of the rounds, around the central rounds.
  • Rule 3: the execution of certain intermediate rounds is not repeated, in particular that of the central rounds.
  • NRtoP denotes the number of rounds to protect, counted from the first round and from the last round.
  • The number of rounds to protect is the number of rounds executed several times at each end. Rounds that do not belong to the group of rounds to protect are considered "central" rounds and are executed only once, with the correct key K_0 (i.e. the authentic key).
  • Rule 3 can be formalized as follows: N_i = 1 for every i from NRtoP+1 to Nr-NRtoP.
  • For example, with Nr = 16 (DES) and NRtoP = 3 (i.e. 3 rounds to protect at each end), the rounds RD_1, RD_2, RD_3, RD_14, RD_15 and RD_16 are executed several times, and the rounds RD_4, RD_5, RD_6, RD_7, RD_8, RD_9, RD_10, RD_11, RD_12 and RD_13 are executed only once.
  • The number of executions N_i of each round RD_i (for i ranging from 1 to Nr) can be determined by means of a relation that is a function of the rank i of the round considered.
  • Rule 4 below is an example of a relation in 1/(2^n), where n is a function of i.
  • Rule 4 includes Rule 2 with respect to the rounds to protect, and Rule 3 with respect to the rounds that are not to be protected.
  • Rule 4, NRtoP being the number of rounds to protect:
  • if i ≤ NRtoP or Nr - i < NRtoP (rounds to protect): N_i = N1 / (2^n), with n = min(i-1, Nr-i),
  • otherwise (central rounds): N_i = 1.
  • The maximum number of executions N1 is 8 for the embodiments CP31 to CP34 and CP36, and 12 for the embodiment CP35.
  • The embodiment designated CP30 does not implement Rule 1 and is not considered part of the invention, since it provides no advantage in computation time. It represents the number of round executions required by a conventional countermeasure consisting of 8 successive executions of the whole encryption process, i.e. 8 × 16 = 128 round executions for DES.
  • Column T gives the total number of round executions.
  • Column CT gives the computation time of each embodiment CP31 to CP36 relative to that of the embodiment CP30, in percent (relative computation time).
  • This relative computation time CT is equal to the total number of round executions divided by the total number of round executions of the embodiment CP30, i.e. CT = (T / 128) × 100.
  • Column G, or "time gain", is the complement to 100 of the relative computation time CT, i.e. G = 100 - CT.
  • In one embodiment, Rule 3 is modified so that the number of executions of the "central" rounds is fixed but greater than 1; this corresponds for example to the embodiments CP31 and CP32, where the central rounds are executed twice.
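As an added worked example, not taken from the patent, the following Python computes the per-round execution counts from Rule 4 as reconstructed above (N_i = N1 / 2^n with n = min(i-1, Nr-i) for the NRtoP rounds at each end, and a fixed count for the central rounds: 1 under Rule 3, 2 under the modified rule of CP31/CP32) together with the columns T, CT and G relative to the conventional countermeasure CP30. The function names, the `central` parameter and the rounding of N1 / 2^n down to an integer (never below one execution) are assumptions of the example; the tables of the annex are not reproduced on this page, so the values come from the reconstructed rule and not from the patent's tables.

```python
def executions_per_round(nr, n1, nrtop, central=1):
    """Rule 4 as reconstructed above.

    Rounds i <= NRtoP (counted from the first) and rounds with Nr - i < NRtoP
    (counted from the last) are executed N1 / 2^n times, n = min(i-1, Nr-i),
    never fewer than once. Every other round is a "central" round executed
    `central` times: 1 under Rule 3, 2 under the modified rule of CP31/CP32.
    Assumption of this example: N1 / 2^n is rounded down to an integer."""
    counts = []
    for i in range(1, nr + 1):
        if i <= nrtop or nr - i < nrtop:
            n = min(i - 1, nr - i)
            counts.append(max(n1 >> n, 1))
        else:
            counts.append(central)
    return counts

def cost_columns(counts, n1):
    """Columns T, CT and G of the comparison: total round executions, computation
    time in percent of CP30 (N1 full executions, i.e. N1 * Nr round executions)
    and the time gain G = 100 - CT."""
    nr = len(counts)
    t = sum(counts)
    ct = 100.0 * t / (n1 * nr)
    return t, ct, 100.0 - ct

def schedule(nr, n1, nrtop, central=1):
    """Convenience wrapper returning (counts, T, CT, G)."""
    counts = executions_per_round(nr, n1, nrtop, central)
    return (counts,) + cost_columns(counts, n1)

if __name__ == "__main__":
    cases = [("DES, N1=8, NRtoP=4", (16, 8, 4)),
             ("DES, N1=8, NRtoP=4, central rounds twice", (16, 8, 4, 2)),
             ("DES, N1=12, NRtoP=4", (16, 12, 4)),
             ("AES-128, N1=8, NRtoP=4", (10, 8, 4))]
    for label, args in cases:
        counts, t, ct, g = schedule(*args)
        print(f"{label}: {counts} T={t} CT={ct:.1f}% G={g:.1f}%")
```

For a 16-round DES with N1 = 8 and NRtoP = 4 the reconstructed rule gives 8, 4, 2, 1 executions for the first four rounds, mirrored for the last four, and one execution for the eight central rounds: 38 round executions against 128 for CP30, i.e. CT of about 29.7% and a gain of about 70.3%. Executing the central rounds twice raises T to 46.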
  • Table 3 on page 1 of Annex 1 gives the total number T of round executions as a function of the number of rounds Nr, as well as the relative computation time CT (relative to the embodiment CP30), when Rule 4 is used to determine the number of executions and the number of rounds to protect NRtoP is equal to 4.
  • FIG. 5 shows the curve CR1 of the total number T of round executions as a function of the number of rounds Nr when Rule 4 is used with NRtoP equal to 4.
  • The curve is a straight line, and its slope is determined by the NRtoP parameter.
  • The curve CR2 of the total number T of round executions as a function of the number of rounds Nr is also shown for a conventional implementation.
  • Reference is now made to Appendix 2, an integral part of the description, which gives executable algorithms as exemplary embodiments of protected encryption methods according to the invention. The sub-round operations performed by each encryption method are recalled in Tables 4 and 5 of Annex 1.
  • Application to DES encryption: the encryption method is executed by means of a PDES1 algorithm ("Protected DES") and a PRDES1 algorithm ("Protected Round DES"), or round algorithm.
  • The round algorithm PRDES1 is a sub-function of the PDES1 algorithm, called by the latter at each new iteration of the variable i, which is the round number.
  • A first pair of values (L_0, R_0) is computed in step 4 from the message M, after its initial permutation in step 3, for the execution of the first round by the PRDES1 algorithm.
  • Steps 5, 6, 6.1, 6.2, 7 and 7.1 implement Rule 4 described above, and thus determine the number of executions of a round according to its rank and to the NRtoP parameter.
  • Steps 6.3 and 7.2 are calls to the round function executed by the PRDES1 algorithm.
  • The notation used in Appendix 2 comprises the cryptographic tables C, D, E, F (in practice bit strings), the random-permutation operations, the subkey generation and the concatenation operator "||".
  • Within PRDES1, the sub-rounds 1 to 4 are included in loop 13 and are thus each repeated as many times as there are iterations of the variable j.
  • The variable j takes N_i values, determined by the PDES1 algorithm.
  • When N_i = 1, loop 13 comprises a single value of j and the sub-rounds are thus executed only once, with the subkey corresponding to the correct key K_0.
  • The random permutation performed in step 12 both selects the N_i first subkeys of the set of subkeys SK_{i,0} to SK_{i,N1-1}, to form the set of subkeys SK_{i,p_0} to SK_{i,p_j} for j ranging from 0 to N_i-1, p_j being the element of rank j of the random permutation P,
  • and, when N_i = 1, ensures that only the correct subkey SK_{i,0} is used (i.e. the subkey corresponding to the correct key K_0).
  • This random permutation also arranges the subkeys in a random order for the execution of loop 13.
  • The algorithm PRDES1 returns the pair of values (L_i, R_i), which is thus a function of the pair of values received as input (L_{i-1}, R_{i-1}), of the round number i (which determines the values of the subkeys) and of the number N_i of executions of the round.
  • According to a first option, the subkeys necessary for the execution of the rounds are generated in advance and stored in a protected memory. This method requires some memory space, which may not be suitable for some applications.
  • According to a second option, the subkeys needed for a round are generated on the fly from the keys, or from the subkeys of the immediately preceding round associated with the same key. All subkeys are generated in each round, including those that the PRDES1 algorithm does not need when the round is executed fewer times than there are keys, so that for the next round the PRDES1 algorithm has all the previous subkeys necessary for generating that round's subkeys.
  • The second option has been retained here and appears in step 11, where N1 subkeys are generated at each round from the N1 keys, or from the N1 subkeys generated during the execution of the previous round, independently of the number of executions of the round considered and therefore of the number of subkeys the PRDES1 algorithm actually needs for that round.
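As an added example (not the PDES1/PRDES1 algorithms of Appendix 2, which are not reproduced on this page), the following Python models the structure just described on a toy 64-bit Feistel cipher: all N1 subkeys are derived on the fly at every round (step 11), the first N_i subkeys, which always include the authentic one at index 0, are taken in a random order (step 12), the round is run once per selected subkey (loop 13), and only the result of the authentic execution is carried to the next round. The toy round function, the subkey derivation, the key set and the function names are assumptions of the example; only the execution schedule follows the patent.

```python
import random

NR = 16        # rounds, as in DES
N1 = 8         # authentic key K_0 plus N1-1 false keys
NRTOP = 3      # rounds to protect at each end (parameter NRtoP)
MASK32 = 0xFFFFFFFF
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def rule4(nr, n1, nrtop):
    """Executions per round: N1/2^n at the NRtoP rounds of each end, 1 elsewhere."""
    return [max(n1 >> min(i - 1, nr - i), 1) if (i <= nrtop or nr - i < nrtop) else 1
            for i in range(1, nr + 1)]

def next_subkey(prev, i):
    """Toy on-the-fly key schedule (a stand-in for the DES schedule): the subkey of
    round i is derived from the subkey of round i-1 of the same key."""
    rot = ((prev << 3) | (prev >> 29)) & MASK32
    return (rot * 0x9E3779B1 + i) & MASK32

def f(r, sk):
    """Toy 32-bit round function: subkey XOR, nibble S-box layer, rotation."""
    x = r ^ sk
    y = 0
    for s in range(8):
        y |= SBOX[(x >> (4 * s)) & 0xF] << (4 * s)
    return ((y << 11) | (y >> 21)) & MASK32

def feistel_round(l, r, sk):
    return r, l ^ f(r, sk)

def protected_encrypt(m, keys, counts, rng, trace=None):
    """CP3-style multiple execution of the rounds.

    keys[0] is the authentic key K_0, keys[1:] the false keys. Every round takes
    the secret intermediate state of the authentic chain as input, as PRDES1 does
    with (L_{i-1}, R_{i-1}); the N_i executions of a round differ only by their
    subkey. If `trace` is a list, the number of executions of each round is
    appended to it."""
    subkeys = list(keys)
    l, r = (m >> 32) & MASK32, m & MASK32
    for i, n_i in enumerate(counts, start=1):
        subkeys = [next_subkey(sk, i) for sk in subkeys]   # step 11: all N1, whatever N_i
        order = list(range(n_i))                            # first N_i subkeys; index 0 = K_0
        rng.shuffle(order)                                  # step 12: random permutation P
        outputs = {}
        for j in order:                                     # loop 13: N_i executions
            outputs[j] = feistel_round(l, r, subkeys[j])
        l, r = outputs[0]                                   # only the authentic result survives
        if trace is not None:
            trace.append(len(order))
    return (l << 32) | r

def unprotected_encrypt(m, key):
    """Reference: the same cipher with a single key and one execution per round."""
    return protected_encrypt(m, [key], [1] * NR, random.Random(0))

def demo(m=0x0123456789ABCDEF, seed=7):
    """Run the protected cipher with K_0 = 0xDEADBEEF and random false keys.
    Returns (ciphertext, executions per round, equality with the unprotected result)."""
    rng = random.Random(seed)
    keys = [0xDEADBEEF] + [rng.getrandbits(32) for _ in range(N1 - 1)]
    counts = rule4(NR, N1, NRTOP)
    trace = []
    c = protected_encrypt(m, keys, counts, rng, trace)
    return c, trace, c == unprotected_encrypt(m, keys[0])

if __name__ == "__main__":
    print(demo())
```

The ciphertext depends only on K_0: changing the seed changes the false keys and the order of the dummy executions but not the result, and the per-round execution counts are exactly the Rule 4 schedule (38 round executions here, against 128 for eight full executions). The AES variant of Appendix 2 follows the same pattern with the AddRoundKey/SubBytes/ShiftRows/MixColumns sub-rounds inside the loop.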
  • Application to TDES encryption: the encryption method according to the invention is here executed by means of a PTDES algorithm ("Protected TDES") in Appendix 2 and of the PDES1 and PRDES1 algorithms described above.
  • TDES encryption conventionally comprises a first DES encryption step of the message with a first key K, i.e. DES(M, K), then a DES decryption step DES^-1 with a second key K' of the result of the first step, i.e. DES^-1(DES(M, K), K'), and finally a DES encryption step with the first key K of the result of the second step, that is: C = DES(DES^-1(DES(M, K), K'), K).
  • The first DES encryption step (step 20) is performed by means of the PDES1 algorithm, which itself calls the PRDES1 algorithm, after the maximum number N1 of round executions and the number of rounds to protect NRtoP have been defined.
  • The second step, the DES^-1 decryption (step 21), can be executed either by means of a conventional DES^-1 method not protected against side-channel attacks (step 21a), or by means of the algorithm PDES1^-1, the inverse of the PDES1 algorithm described in Annex 2 (step 21b). Its input and its output are both secret intermediate results, which is why, by the reasoning given above for the rounds, it is less exposed than the outer steps.
  • The last DES encryption step (step 22) is protected and executed by means of the PDES1 algorithm, which itself calls the PRDES1 algorithm, with the maximum number N1 of round executions and the number of rounds to protect NRtoP defined.
  • Application to AES 128 encryption: the example described in Annex 2 concerns the 10-round AES-128, but the invention also applies to the 12-round AES-192 and to the 14-round AES-256.
  • The method is executed by means of a PAES1 algorithm ("Protected AES") and a PRAES1 algorithm ("Protected AES Round"), or round algorithm.
  • The PRAES1 algorithm is a sub-function of the PAES1 algorithm, called by the latter at each new iteration of the round number i.
  • Steps 33, 34, 34.1, 34.2, 35 and 35.1 implement Rule 4 described above, and thus determine the number of executions of a round according to its rank and to the NRtoP parameter.
  • Steps 34.3 and 35.2 are calls to the round function performed by the PRAES1 algorithm.
  • The PRAES1 algorithm executes the sub-round operations described in Table 5 of Appendix 1 (AddRoundKey, SubBytes, ShiftRows and MixColumns), as known to those skilled in the art.
  • The structure of the rounds executed by the PRAES1 algorithm is shown in FIG. 6 as a flowchart "AES2".
  • The flowchart AES2 differs from the flowchart AES1 of FIG. 2 in the following respects.
  • The AddRoundKey operation is integrated at the beginning of the first round RD1 and of each following round, so that each round of rank i involves, for the key of rank j, the subkey SK_{i-1,j} of rank i-1. The initial key addition, whose S-box output is the usual target of a first-round CPA, is thereby covered by the multiple executions of the first round.
  • In rounds RD1 to RD9, the AddRoundKey operation is followed by the SubBytes, ShiftRows and MixColumns operations.
  • The last round RD10 includes two executions of the AddRoundKey operation, involving the last two subkeys SK_{9,j} and SK_{10,j} of the current key of rank j.
  • The SubBytes and ShiftRows operations are executed between these two AddRoundKey operations.
  • The AddRoundKey, SubBytes and ShiftRows sub-rounds are included in the iterative loop 43 and are thus each repeated as many times as there are iterations of the variable j.
  • The MixColumns operation is also included in loop 43 for any value of the round number i other than 10.
  • Loop 43.6 is executed when i equals 10 and is included in loop 43 only for round 10. It comprises the generation of the next subkey (step 43.6.1) and the second execution of the AddRoundKey operation (step 43.6.2).
  • The random permutation operation executed in step 42 both selects the N_i first subkeys of the set of subkeys SK_{i,0} to SK_{i,N1-1}, to form the set of subkeys SK_{i,p_0} to SK_{i,p_j} for j ranging from 0 to N_i-1,
  • and arranges the subkeys in a random order for the execution of loop 43.
  • In one embodiment, the multiple execution of a round includes the multiple execution of only some of its sub-rounds, the other sub-rounds being executed once.
  • FIG. 7 represents such an encryption method CP4 according to the invention, for example a DES method.
  • The method CP4 is built on the same model of multiple execution of the rounds as the method CP3, and differs from it in that only the sub-round SRD3 of each round RD_1, RD_2, ..., RD_Nr is executed several times.
  • The method CP4 thus comprises the following steps:
  • the sub-round SRD3 of the round RD_1 is executed N1 times while the other sub-rounds are executed only once with the key K_0, and likewise for the following rounds with their respective numbers of executions N_i.
  • This embodiment further accelerates the execution of the encryption process by limiting, within the rounds executed several times, the number of sub-rounds that are themselves executed several times. It may rely on several independent hardware functions, or "hardware modules", each executing a sub-round or a sub-round operation, instead of a single round hardware function containing all the sub-rounds.
  • This modularity makes it possible to multiply the calls to the sub-functions during a round and to vary the number of these calls according to the current round, but also to define sub-functions usable by several encryption methods.
  • Thus, embodiments of the invention provide several hardware accelerators, shared by several encryption methods, each implementing a sub-round operation.
  • In the example of FIG. 7, each sub-round SRD1 to SRD4 can be executed by means of a dedicated hardware accelerator.
  • a countermeasure may be provided to protect the sub-rounds that are executed only once against side-channel attacks.
  • This countermeasure can in particular be a countermeasure by masking.
  • the sub-rounds SRD1, SRD2, SRD4 of round RD1 are protected by a random mask U1,
  • the sub-rounds SRD1, SRD2, SRD4 of round RD2 are protected by a random mask U2, etc.,
  • the sub-rounds SRD1, SRD2, SRD4 of round RDNr are protected by a random mask UNr.
  • the choice of the protection mode of a sub-round, by masking or by multiple execution, can be made according to the nature of the operation that the sub-round includes.
  • A distinction is drawn between the sub-rounds that include a linear operation and those that include a non-linear operation, in the mathematical sense of the term.
  • an operation whose execution relies on a predetermined table stored in memory is non-linear.
  • the protected operation produces the same result as the unprotected operation.
  • A DPA or CPA analysis attack, with M known, can make it possible to find the key K by predicting the value S(Xi).
  • a masking countermeasure has the drawback of consuming a large memory space in the case of a non-linear operation, since masking a table with a plurality of masks requires a large memory space.
  • the same mask is generally used for all the sub-rounds of the round or for all the values of the table, for example an 8-bit mask.
  • Masking is then called "single-order" (first-order) masking, as opposed to higher-order masking, which uses a plurality of random masks.
  • the linear operations are protected by multiple executions, or by multiple-order masking, or by single-order masking and multiple executions, while the non-linear operations are preferably protected by single-order masking and multiple executions.
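The DPA/CPA point above, that S(Xi) = S(M xor K) is predictable from the known message M and a guess of K, and the reason masking breaks that prediction, can be seen in a small simulation. The block below is an added example, not code from the patent: the 8-bit S-box, the Hamming-weight leakage model and the traces are all constructed here, so the numbers only illustrate the mechanism. It also checks the linear/non-linear distinction the text relies on (a mask passes straight through a GF(2)-linear operation but not through a table lookup) and builds the masked table whose per-mask cost the text mentions.

```python
"""Added example (not the patent's code): first-order CPA on an S-box lookup,
unprotected versus Boolean-masked. S-box, leakage model and traces are constructed."""
import random


def make_sbox(seed=1):
    # constructed 8-bit bijection standing in for a cipher's substitution table
    rng = random.Random(seed)
    s = list(range(256))
    rng.shuffle(s)
    return s


SBOX = make_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming weight of each byte


def rotl8(v, r):
    return ((v << r) | (v >> (8 - r))) & 0xFF


def linear_op(x):
    # GF(2)-linear byte map: a mask passes straight through, as for XOR, ShiftRow, MixColumn
    return x ^ rotl8(x, 1) ^ rotl8(x, 5)


def masked_sbox_table(m_in, m_out):
    # one 256-entry table per (m_in, m_out) pair; keeping a copy for every pair costs 2^16 tables
    return [SBOX[y ^ m_in] ^ m_out for y in range(256)]


def leak_unprotected(m, k):
    # leakage of the plain lookup: Hamming weight of S(M xor K), which a key guess can predict
    return HW[SBOX[m ^ k]]


def leak_masked(m, k, rng):
    # the device only ever handles x ^ m_in and S(x) ^ m_out, with fresh masks for each execution
    m_in, m_out = rng.randrange(256), rng.randrange(256)
    table = masked_sbox_table(m_in, m_out)
    return HW[table[(m ^ k) ^ m_in]]


def gen_traces(k, n, masked, seed=2):
    # constructed traces: (known message byte, observed leakage) pairs
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        m = rng.randrange(256)
        out.append((m, leak_masked(m, k, rng) if masked else leak_unprotected(m, k)))
    return out


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def cpa(traces):
    """Rank the 256 key guesses by |correlation| between the predicted
    HW(S(M xor g)) and the observed leakage; returns (best_guess, best_abs_corr)."""
    leaks = [leak for _, leak in traces]
    best = (None, -1.0)
    for g in range(256):
        pred = [HW[SBOX[m ^ g]] for m, _ in traces]
        c = abs(pearson(pred, leaks))
        if c > best[1]:
            best = (g, c)
    return best


if __name__ == "__main__":
    key = 0x3C
    print("unprotected:", cpa(gen_traces(key, 2000, masked=False)))
    print("masked     :", cpa(gen_traces(key, 2000, masked=True)))
```

With the noise-free leakage used here the correct guess reaches a correlation of exactly 1 on the unprotected lookup, whereas on the masked lookup every guess stays near zero, because S(x) xor m_out with a fresh uniform m_out carries no information about x. This is what a single first-order mask buys; an attacker who can also observe the mask itself (a second-order attack combining two leakage points) is what the higher-order masking mentioned in the text is meant to address.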
  • the sub-round SRD3 is executed several times per round, with single-order masking.
  • Countermeasure 4 offers a higher level of security than countermeasures 2 and 3 which themselves offer a level of security superior to countermeasure 1.
  • countermeasures 2 and 3 already provide excellent protection.
  • random executions can be added within these operations.
  • the method is executed using a PDES2 algorithm and a PRDES2 round algorithm, given in Annex 3.
  • the PDES2 algorithm differs from the PDES1 algorithm in that it includes initial steps 54, 55 of generating a first mask U0 and of generating the left and right parts U0,L and U0,R of this mask, followed by a step 56 of masking the left and right parts L0, R0 of the message M.
  • step 6.3 of call to the algorithm PRDES1 is replaced by a step 58.3 of call to the algorithm PRDES2
  • step 7.2 of call to the algorithm PRDES1 is replaced by a step 59.2 of call to the PRDES2 algorithm.
  • the round algorithm PRDES2 uses the same operations and has the same sub-rounds as the algorithm PRDES1, but implements the concept of modularity. It receives as input data, as before:
  • the round algorithm PRDES2 additionally receives, as input data, a random mask UM. This is the mask U0 generated by the algorithm PDES2 in step 54, or the mask UM returned by the previous execution of the algorithm PRDES2, calculated in step 78.
  • Sub-round 1 comprises the linear operation Expansive Permutation and is executed only once, in step 75, with multiple-order masking.
  • the sub-round 2 arranged in the iterative loop 76 comprises the linear operation XOR and is executed several times in the step 76.1 with multiple-order masking.
  • the sub-round 3, which includes the non-linear operation Substitution, is also inside the loop 76 and is executed several times in step 76.3 in unmasked form, preceded by an unmasking step 76.2.
  • The result of this operation is then masked again in step 76.4.
  • the sub-round 4 which comprises the linear operation XOR is executed only once with multiple-order masking in step 77.
  • a mask Ui of rank i for the next round is then calculated in step 78 and the mask U is updated in step 79.
  • the algorithm then returns the result Li, Ri and the mask Ui.
  • the method is executed using a PAES2 algorithm and a PRAES2 round algorithm, given in Annex 3.
  • the PAES2 algorithm differs from the PAES1 algorithm in that it comprises a step 92 of generating an initial random mask U0 and a step 93 of masking the message M.
  • the step 34.3 of calling the algorithm PRAES1 is replaced by a step 95.3 of calling the algorithm PRAES2 and the step 35.2 of call to the PRAES1 algorithm is replaced by a step 96.2 of calling the PRAES2 algorithm.
  • the final masked result is unmasked in step 97 to obtain the encrypted message C.
  • the PRAES2 round algorithm uses the same encryption operations and has the same sub-rounds as the PRAES1 algorithm, but implements the concept of modularity.
  • the sub-round 1, comprising the linear operation AddRoundKey (step 104.1), is included in the iterative loop 104 and is executed several times with multiple-order masking.
  • the sub-round 2 comprising the non-linear operation SubByte (step 104.3) is executed several times in non-masked form, after a step of unmasking 104.2. The result of this sub-round is then masked again in step 104.4.
  • the sub-round 3, which comprises the linear operation ShiftRow, is outside the loop 104 and is executed only once, in step 105, with multiple-order masking.
  • the sub-round 4 of the rounds 1 to 9, which includes the linear operation MixColumn (step 106.1) is also outside the loop 104 and is executed only once, with multiple-order masking.
  • Sub-round 4 of round 10 (step 107.3.1), comprising the linear operation AddRoundKey, is executed several times with multiple-order masking within the loop 107, after a new generation of subkeys (step 107.1) and a step of updating the mask (step 107.2).
  • Embodiments of the invention are generally applicable to any symmetric block cipher comprising rounds.
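The PRAES2 round just described, and the PRDES2 round before it, follow one pattern: the linear sub-rounds run on masked data, the table-based non-linear sub-round runs unmasked between an unmask and a re-mask step, and the sub-rounds inside the loop run several times with the true subkey and false subkeys in a random order. The block below is an added example, not the patent's own code or the Annex 3 listing: it implements that pattern for AES-128 with each sub-round as its own function, as a modular coprocessor would expose them. Plain first-order Boolean masking stands in for the "multiple-order" masking of the text; the number of executions per round, the generation of false keys from the random source and the way the true-key pass is kept are assumptions made for the example.

```python
"""Added example (not the patent's code): AES-128 with PRAES2-style rounds.
Masks are first-order Boolean; false keys, n_exec values and true-pass selection are assumed."""
import random


def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _build_sbox():
    # AES S-box: inversion in GF(2^8) via generator-3 exp/log tables, then the affine map
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= _xtime(x)
    sbox = []
    for v in range(256):
        inv = 0 if v == 0 else exp[(255 - log[v]) % 255]
        s, r = inv, inv
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    # returns the eleven subkeys SK0..SK10, each 16 bytes in state order (column-major)
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


# Sub-round operations, each callable on its own (the "modularity" of the text).
def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out


def round_protected(wm, u, i, schedules, n_exec, rng):
    """Round RDi on the masked state wm = W xor u. schedules[0] is the true key's
    subkeys, schedules[1:] belong to false keys. The AddRoundKey/SubByte loop runs
    n_exec times in a random order; only the true-key pass is kept (assumed)."""
    order = [0] + rng.sample(range(1, len(schedules)), n_exec - 1)
    rng.shuffle(order)                                 # random permutation (steps 42 / 104)
    u_next = [rng.randrange(256) for _ in range(16)]   # fresh mask, as from RGEN
    for p in order:                                    # loop 104
        t = add_round_key(wm, schedules[p][i - 1])     # 104.1: XOR on masked data
        t = add_round_key(t, u)                        # 104.2: unmask
        t = sub_bytes(t)                               # 104.3: SubByte on unmasked data
        t = add_round_key(t, u_next)                   # 104.4: re-mask
        if p == 0:
            kept = t
    wm, u = shift_rows(kept), shift_rows(u_next)       # 105: linear, mask follows
    if i != 10:
        wm, u = mix_columns(wm), mix_columns(u)        # 106.1: linear, mask follows
    else:
        for p in order:                                # loop 107: second AddRoundKey
            t = add_round_key(wm, schedules[p][10])    # 107.3.1
            if p == 0:
                kept = t
        wm = kept
    return wm, u


def aes128_protected(block, key, n_false=3, n_exec=(4, 3, 2, 1, 1, 1, 1, 2, 3, 4), seed=None):
    # n_exec: executions per round, more at the outer rounds (illustrative values, requires n_exec <= n_false + 1)
    rng = random.Random(seed)
    schedules = [expand_key(key)]
    for _ in range(n_false):                           # false keys from the random source
        schedules.append(expand_key(bytes(rng.randrange(256) for _ in range(16))))
    u = [rng.randrange(256) for _ in range(16)]        # step 92: initial mask U0
    wm = add_round_key(list(block), u)                 # step 93: mask the message
    for i in range(1, 11):
        wm, u = round_protected(wm, u, i, schedules, n_exec[i - 1], rng)
    return bytes(add_round_key(wm, u))                 # step 97: unmask the result


def aes128_reference(block, key):
    # plain AES-128 built from the same sub-round functions, for comparison
    rk = expand_key(key)
    s = list(block)
    for i in range(1, 11):
        s = shift_rows(sub_bytes(add_round_key(s, rk[i - 1])))
        s = mix_columns(s) if i != 10 else add_round_key(s, rk[10])
    return bytes(s)
```

Whatever masks and false keys the random source produces, the protected path returns the same ciphertext as the reference, which is the "same result as the unprotected operation" requirement of the text; the mask is carried through ShiftRow and MixColumn only because both are GF(2)-linear. The `if p == 0` selection of the true pass is the weak point of this toy: a real implementation would have to pick the kept result without a secret-dependent branch, and the false-key passes are only useful as decoys if they take the same code path, time and power as the true one.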
  • Embodiments of the invention based on the concept of modularity apply to any such process in which each round has a plurality of sub-rounds.
  • Embodiments of an encryption method according to the invention may implement only the second aspect of the invention, relating to the modularity of the sub-rounds, without the first aspect, which provides a number of executions of the rounds that varies according to their rank. Such embodiments may therefore comprise an identical number of executions of each round, but a different number of executions of each sub-round within a round that is executed several times, some sub-rounds being executed once, preferably in masked form, and others several times, in masked form or not.
  • a microcircuit configured to execute a method according to the invention is itself capable of various embodiments.
  • the algorithms in Appendix 2 and Appendix 3 can be run by the CPU of the main processor or in part by the CPU and a coprocessor.
  • the PDES1, PDES2, PTDES, PAES1, PAES2 algorithms can be executed by the CPU, and the round algorithms PRDES1, PRDES2, PRAES1, PRAES2 can be executed by a coprocessor or by hardware accelerators.
  • the PRDES2 and PRAES2 algorithms, based on the principle of modularity, can advantageously be executed by a modular coprocessor, or by several hardware units in parallel forming the equivalent of a modular coprocessor, allowing the CPU to call the sub-round functions independently of each other, with or without masking, for single or multiple execution of these functions.
  • FIG. 8 schematically represents an example of a secure device SDV comprising a microcircuit MCT according to the invention, mounted on a medium CD, for example a plastic card.
  • the microcircuit MCT comprises a processor PROC including a central processing unit (CPU), a coprocessor CPROC coupled to the processor, a communication interface ICCT coupled to the processor, a memory MEM1 coupled to the main processor, and a random or pseudo-random generator RGEN coupled to the main processor and/or to the coprocessor.
  • the elements PROC, CPROC, ICCT, MEM1, RGEN can be integrated on the same semiconductor chip or, for some of them, be integrated in different semiconductor chips which are interconnected by a printed circuit or another interconnection medium.
  • the ICCT circuit can be of the contact type (wired communication port) or contactless (NFC interface, Wifi, Bluetooth®, etc.) or both.
  • the message to be encrypted M is received via the communication interface circuit ICCT, and the encrypted message C is likewise communicated externally through this interface circuit.
  • the memory MEM1 may comprise a volatile memory zone and an electrically programmable non-volatile memory zone.
  • the non-volatile program memory may comprise a secure zone comprising a secret key K.
  • the random or pseudo-random generator RGEN is used by the processor or the coprocessor to generate the false keys and / or random masks of the type described above.
  • the coprocessor may be dedicated to executing the rounds of a determined encryption method, or may be of the modular type described above, for the execution of hardware functions allowing the processor to execute the sub-rounds independently of each other.
  • TR ← PermutationExpansive(TR) [Sub-round 1]
  • TR ← SimpleSwitch(TR) XOR TL [Sub-round 4]
  • W ← AddRoundKey(W, SK_{10,pj});
  • R0 ← 32 least significant bits of M (lower part)
  • TR ← PermutationExpansive(TR) [Masked Sub-round 1]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
EP12821282.6A 2012-01-11 2012-12-21 Method for encryption protected against side-channel attacks Withdrawn EP2803161A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1250272A FR2985624B1 (fr) 2012-01-11 2012-01-11 Encryption method protected against side-channel attacks
PCT/FR2012/000546 WO2013104837A1 (fr) 2012-01-11 2012-12-21 Encryption method protected against side-channel attacks

Publications (1)

Publication Number Publication Date
EP2803161A1 true EP2803161A1 (de) 2014-11-19

Family

ID=47666406

Family Applications (1)

Application Number Title Priority Date Filing Date
EP12821282.6A Method for encryption protected against side-channel attacks Withdrawn EP2803161A1 (de) 2012-01-11 2012-12-21

Country Status (5)

Country Link
US (1) US20140351603A1 (de)
EP (1) EP2803161A1 (de)
CN (1) CN104094553B (de)
FR (1) FR2985624B1 (de)
WO (1) WO2013104837A1 (de)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3015726B1 (fr) * 2013-12-24 2016-01-08 Morpho Secure comparative processing method
US20160269175A1 (en) * 2015-03-09 2016-09-15 Qualcomm Incorporated Cryptographic cipher with finite subfield lookup tables for use in masked operations
FR3040514B1 (fr) 2015-09-02 2017-09-15 Stmicroelectronics Rousset DPA protection of a Rijndael algorithm
FR3040515B1 (fr) * 2015-09-02 2018-07-27 St Microelectronics Rousset Verifying the resistance of an electronic circuit to side-channel attacks
FR3040513B1 (fr) * 2015-09-02 2018-11-16 Stmicroelectronics (Rousset) Sas Protection of a Rijndael algorithm
EP3264311B1 (de) 2016-06-28 2021-01-13 Eshard Protection method and device against side-channel analysis
CN107547189A (zh) * 2016-06-28 2018-01-05 Eshard Protection method and device against side-channel analysis
US10783279B2 (en) * 2016-09-01 2020-09-22 Atmel Corporation Low cost cryptographic accelerator
CN109039590A (zh) * 2017-06-09 2018-12-18 Shenzhen Jiulei Technology Co., Ltd. Memory, electronic device, and encryption/decryption method thereof for preventing side-channel attacks
EP3422176A1 (de) * 2017-06-28 2019-01-02 Gemalto Sa Method for securing a cryptographic process with sbox against high-order side-channel attacks
FR3074323B1 (fr) 2017-11-30 2019-12-06 Idemia France Method and device for cryptographic processing of data
FR3078463A1 (fr) 2018-02-26 2019-08-30 Stmicroelectronics (Rousset) Sas Method and device for performing substitution-table operations
FR3078464A1 (fr) 2018-02-26 2019-08-30 Stmicroelectronics (Rousset) Sas Method and circuit for implementing a substitution table
US11218291B2 (en) 2018-02-26 2022-01-04 Stmicroelectronics (Rousset) Sas Method and circuit for performing a substitution operation
FR3078419A1 (fr) * 2018-02-26 2019-08-30 Stmicroelectronics (Rousset) Sas Method and circuit for performing a substitution operation
JP7383985B2 (ja) * 2019-10-30 2023-11-21 Fuji Electric Co., Ltd. Information processing device, information processing method, and program
CN111010266B (zh) * 2019-12-09 2023-04-07 Guangzhou Baiguoyuan Information Technology Co., Ltd. Message encryption/decryption and read/write methods, apparatus, computer device and storage medium

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2820576B1 (fr) * 2001-02-08 2003-06-20 St Microelectronics Sa Encryption method protected against power consumption analyses, and component using such an encryption method
DE10223175A1 (de) * 2002-05-24 2003-12-11 Infineon Technologies Ag Method for encrypting data and device for carrying out the method
EP1457858A1 (de) * 2003-03-14 2004-09-15 SCHLUMBERGER Systèmes Method for securing an electronic system containing a cryptoprocessor
FR2858496B1 (fr) * 2003-07-31 2005-09-30 Gemplus Card Int Method for the secure implementation of an RSA-type cryptographic algorithm and corresponding component
US7716502B2 (en) * 2005-08-24 2010-05-11 Radu Muresan Current flattening and current sensing methods and devices
DE602006020010D1 (de) * 2005-12-19 2011-03-24 St Microelectronics Sa Protection of the execution of a DES algorithm
DE602006008599D1 (de) * 2006-06-29 2009-10-01 Incard Sa Method for protecting IC cards against power analysis attacks
JP5197258B2 (ja) * 2007-10-10 2013-05-15 Canon Inc. Cryptographic processing circuit
EP2293487A1 (de) * 2009-09-08 2011-03-09 Thomson Licensing Method for diversifying the rounds of an encryption algorithm

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2873523A1 (fr) * 2004-07-22 2006-01-27 Sagem Method and device for executing a cryptographic calculation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DAG ARNE OSVIK ET AL: "Cache attacks and Countermeasures: the Case of AES", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH,, vol. 20050817:193724, 17 August 2005 (2005-08-17), pages 1 - 25, XP061001655 *
See also references of WO2013104837A1 *

Also Published As

Publication number Publication date
WO2013104837A8 (fr) 2014-08-07
CN104094553A (zh) 2014-10-08
WO2013104837A1 (fr) 2013-07-18
US20140351603A1 (en) 2014-11-27
CN104094553B (zh) 2018-08-31
FR2985624B1 (fr) 2014-11-21
FR2985624A1 (fr) 2013-07-12

Similar Documents

Publication Publication Date Title
EP2803161A1 (de) Method for encryption protected against side-channel attacks
EP2380306B1 (de) Cryptographic circuit protected against observation attacks, in particular of higher order
EP2380305B1 (de) Cryptographic circuit specially protected against attacks by observation of information leaks, by encryption of those leaks
EP1358732B2 (de) Secure encryption method and component for carrying out such an encryption method
EP3228043B1 (de) Encryption method with dynamic diffusion and confusion layers
EP1358733B1 (de) Method for secure cryptographic computation with a secret key and component for carrying out the method
EP3139364B1 (de) DPA protection of a Rijndael algorithm
EP3139365B1 (de) Verifying the resistance of an electronic circuit to side-channel attacks
EP3300293B1 (de) Block-wise symmetric encryption or decryption method
EP3139363B1 (de) Protection of a Rijndael algorithm
WO2011057991A1 (fr) Low-complexity electronic circuit protected by customised masking
FR3097348A1 (fr) Protecting the execution of encryption algorithms
EP3300292B1 (de) Encryption and decryption system protected against side-channel attacks
FR2880750A1 (fr) Microprocessor card and cryptographic method for protecting a secret key
EP2005290A2 (de) Method and device for generating a pseudo-random string
FR2955436A1 (fr) Countermeasure method and device for protecting data circulating in an electronic component
FR2974693A1 (fr) Method for applying a high-entropy masking countermeasure in a block cipher algorithm, and logic integrated circuit implementing such a method
EP2530867B1 (de) Method for cryptographic processing of data
FR2922393A1 (fr) Traceable system for encrypting/decrypting broadcast digital data
WO2014096363A1 (fr) Chaotic sequence generator
FR2825542A1 (fr) Method based on a block cipher algorithm with repeated rounds, and device implementing it
EP2599256B1 (de) Method and device for randomising a secret key for protection against side-channel attacks
EP2738974A1 (de) Method for deriving multiple cryptographic keys from a master key in a security microprocessor
EP2129115B1 (de) Method for updating security data in a security module and security module for carrying out this method
FR2897216A1 (fr) Protection of a cryptographic algorithm

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20140619

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

RIN1 Information on inventor provided before grant (corrected)

Inventor name: ROUSSELLET, MYLENE

Inventor name: FEIX, BENOIT

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20160906

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20180213