EP3123461A1 - Side-channel-attack-protected and memory-efficient masking - Google Patents

Side-channel-attack-protected and memory-efficient masking

Info

Publication number
EP3123461A1
Authority
EP
European Patent Office
Prior art keywords
masked
folded
xor
calculation
masking
Prior art date
Legal status
Ceased
Application number
EP15713647.4A
Other languages
German (de)
English (en)
Inventor
Jürgen PULKUS
Current Assignee
Giesecke and Devrient Mobile Security GmbH
Original Assignee
Giesecke and Devrient GmbH
Priority date
Filing date
Publication date
Application filed by Giesecke and Devrient GmbH
Publication of EP3123461A1

Classifications

    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C 1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L 2209/04 Masking or blinding
    • H04L 2209/043 Masking or blinding of tables, e.g. lookup, substitution or mapping
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L 2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L 2209/122 Hardware reduction or efficient architectures

Definitions

  • the invention relates to a method for performing a cryptographic calculation using a cryptographic key that is protected against spying out the key via side-channel attacks.
  • cryptographic calculations are often performed by general-purpose processors (CPUs), or alternatively by crypto-coprocessors, which are dedicated processors attached to a general-purpose processor.
  • smart cards for payment or mobile applications often have processors (CPUs) with crypto coprocessors.
  • Many chip cards for payments or mobile applications have crypto coprocessors specially designed for DES or AES (see next paragraph).
  • input data are processed with a secret key to output data; e.g. plaintext data (input data) are encrypted with a key to cipher data (output data), or vice versa cipher data (input data) are decrypted with a key to plaintext data (output data).
  • the input data and the key are divided into blocks and processed in blocks.
  • the data is processed byte by byte, so that in each case an input data byte (plaintext byte for encryption or cipher text byte for decryption) is processed with a key byte.
  • a plaintext P is encrypted with a key K to form a ciphertext C.
  • processor-implemented cryptographic computations are prone to side-channel attacks in which the processor's time-resolved power consumption is measured while the computation is performed. In most cases the power consumption depends mainly on the Hamming weight of the processed data, that is, the number of ones in the binary representation of the data.
  • the power consumption of the processor over the duration of the calculation, recorded against the time elapsed during the calculation, is called the current curve (power trace). Current curves of a processor for a calculation are recorded, for example, by means of an oscilloscope.
  • a DPA (Differential Power Analysis) attack sometimes referred to as Correlation Power Attack (CPA)
  • a plurality of current curves, e.g. about 1000, is recorded.
  • output data is calculated using known input data and a secret key.
  • a time-resolved correlation curve between the synchronized current curves and the Hamming weight HW of the output data obtained with each key is calculated.
  • the correlation curves for false keys consist of a more or less uniform noise, similar to the correlation curve shown in FIG.
  • the correlation curve for the key with which the calculation was performed has a statistical conspicuousness in the form of a peak at a previously unknown time, similar to the correlation curve shown in FIG.
  • the attacker records about 1000 current curves of the sub-computation (p varies, k remains the same), synchronizes them and calculates, for each possible value 0, ..., 255 of the key byte k, the correlation curve between the synchronized measured current curves and the Hamming weight HW(x) of the intermediate value x calculated with the respective key byte k.
  • the correlation curves for false key bytes consist of a more or less uniform noise, similar to the correlation curve shown in FIG. 1b.
  • the correlation curve for the correct key byte with which the calculation was performed has a peak at a previously unknown time, similar to the correlation curve shown in FIG. This procedure is performed with each key byte k of the key K until the key K is reconstructed byte by byte.
  • 00/FF masking is provided as a countermeasure against DPA attacks: an intermediate result of a partial calculation is, at random, either computed directly, so that the intermediate result itself is produced, or computed in complemented form, so that its one's complement is produced. Where necessary, the input data (plaintext or ciphertext) and the key are complemented independently of one another at random, and the output data (ciphertext or plaintext) are complemented back at the output of the calculation.
  • the one's complement of a value is formed, for example, by XORing the value with hexadecimal FF (other notation: 0xff); the value itself is provided in this case by XORing with 00 at the same place in the calculation at which the complementing with FF would be carried out. XORing with FF complements a value; XORing with 00 leaves it unchanged. Performing an XOR in both cases disguises when the value and when the one's complement of the value is used.
  • the input data (plaintext or ciphertext) is masked with two random numbers r, s, the key with only a random number r is masked and a compensation masking is performed.
  • the plaintext byte p is thus masked with r and s, the key byte is masked only with s, and in addition the compensation masking with both random numbers r, s is performed.
  • the substitution table S'[x] = S[x ⊕ r1] ⊕ r2, with r1, r2 independent random numbers. From this it can be seen that a separate substitution table (S-box) S' is required for each combination of values of the random numbers r1 and r2.
  • a substitution table (S-box) S' masked with r is stored for each value of r (e.g. in the chip card or the processor), i.e. for a 256-byte substitution table (S-box), e.g. 256 different 256-byte tables.
  • the substitution table (S-box) is calculated only after the determination of the random number r, preferably in a random access memory RAM assigned to the processor.
  • Applicant's German patent application DE 102012018924.9 discloses an internally so-called "extended masking" method for performing a cryptographic computation using a cryptographic key which is protected against spying out the key via side-channel attacks, in particular higher-order DPA attacks, so that spying out the key is prevented, or at least severely hampered, while the method is at the same time efficient.
  • the method given in 102012018924.9 has in principle the structure of a combination of a base masking, e.g. XOR masking, and 00/FF masking, applied to a cryptographic computation to protect secret data against spying.
  • the mask according to the invention is also called internal masking by the applicant.
  • the method of 102012018924.9 is adapted for implementation in a processor (e.g. microprocessor, CPU, crypto co-processor, crypto-accelerator) adapted to perform a cryptographic computation, in which output data are generated from input data using a cryptographic key, with intermediate values being generated along the way.
  • An example of such a cryptographic calculation is the AES.
  • a base masking is applied, by which at least some, preferably all, intermediate values enter the calculation as masked intermediate values.
  • the method is characterized in that, in carrying out the calculation, a secondary masking is additionally applied, wherein for each intermediate value masked by the base masking the one's complement of the masked intermediate value is formed, the masked intermediate value or its one's complement is provided, and under random control the calculation is performed either with the masked intermediate value or with the one's complement of the masked intermediate value.
  • a method of performing a cryptographic calculation using a cryptographic key which is protected against spying out the key via side-channel attacks, in particular higher-order DPA attacks, so that spying out the key is prevented or at least severely hampered, and which is also efficient.
  • a disadvantage of the method according to 102012018924.9 is that the memory requirement is increased compared to a simple masking alone. Especially in the case of table accesses, which in practice regularly take place in the (volatile) main memory, e.g. RAM, the requirement for (volatile) main memory, e.g. RAM, is increased.
  • the present invention is based on the object of making the method of 102012018924.9 more memory-efficient, preferably with savings in (volatile) memory, e.g. RAM.
  • a masked table with a plurality of entries is first calculated in a first step, wherein for calculating at least some entries of the masked table the predetermined mapping is evaluated at at least two locations and the resulting values, e.g. T(q1) and T(q2), enter into the calculation of the entry of the masked table. Subsequently, in a second step, the masked result value is calculated using the masked table and the predetermined mapping.
  • the table is folded (this does not mean the mathematical operation also called "convolution") and can thus be stored in a memory-saving way.
  • the object of the invention in the present application is to modify the method specified in 102012018924.9 in such a way that the memory requirement compared to the solution in 102012018924.9 is reduced.
  • the solution should be modified so that in the improved masking according to 102012018924.9 the memory requirement compared to a conventional masking such as XOR masking is not increased.
  • the method according to claim 1 is based in its preamble on a so-called "extended masking" according to 102012018924.9 A1.
  • in extended masking, on the one hand a base masking, e.g. XOR, is used and on the other hand a secondary masking is applied.
  • the calculation is carried out either with the masked intermediate value or with the one's complement of the masked intermediate value (e.g. controlled by a random bit b), and the calculation further comprises a folding step in which at least some base-masked intermediate values are provided as folded masked intermediate values, the folded masked intermediate value being calculated using the base-masked intermediate value and at least one further second intermediate value, wherein the second intermediate value is derived from the base-masked intermediate value using a convolution distance.
  • secondary masking is applied to the folded masked intermediate value, so that under random control the calculation is performed with either the folded masked intermediate value or the one's complement associated with it.
  • a value is therefore first base-masked; the masked intermediate value or the one's complement associated with it is then further computed, if necessary using a correction element into which the convolution distance enters. The random choice between the intermediate value and its one's complement is then made on intermediate values generated with base masking and the additional folding step.
  • base-masked intermediate values are evaluated at two or more locations. This corresponds to a folding of the calculation, carried out so that at least two intermediate values occur at the same place, which allows two (single folding) or more (multiple folding) intermediate values to be stored in a single memory location. The required storage space is therefore reduced.
  • the folded and base-masked intermediate values are additionally extended-masked analogously to 102012018924.9.
  • the correction element may be required only in some cases, e.g. only when the one's complement is calculated, in order to compensate for the influence of the folding on the calculation result.
  • a memory-saving modification of the method specified in 102012018924.9 is provided.
  • only one of the folded masked intermediate value and the one's complement of the folded masked intermediate value is computed using a correction term, since a correction term is required only for the intermediate value or only for the one's complement, e.g. only for the one's complement.
  • the calculation optionally comprises encryption, decryption, signature generation or signature verification, optionally according to a predetermined algorithm such as AES.
  • a simple or multiple XOR masking, or a disassembly masking, or a series connection of two or more of the aforementioned base masks is provided as basic masking.
  • the computation comprises a partial computation, by which an intermediate value can be generated from an input value by performing a table access to a table which has a plurality of table entries.
  • the table is masked with the base masking to form a masked table.
  • the sub-calculation is performed by performing a table access.
  • a secondary masking is applied, whereby the secondary masking of a table causes a table access to the table to be performed at random either on the table itself or on a (or the) complementary table to it. Up to this point, the table access corresponds to an extended-masked table.
  • the method of claim 3 is further characterized in that a folding step is performed, wherein the table already masked with the base masking is folded into a folded masked table, and wherein, for at least some table entries of the folded masked table, the table entry is calculated using a base-masked input value of the table and at least one further base-masked second input value of the table, the second input value being derived from the unmasked input value using a convolution distance.
  • the folded masked table is finally filled with the (without folding in DE
  • the folded masked table entry or the one's complement associated with it is further computed using a correction term and/or a correction table, into which the convolution distance enters.
  • for at least some of the table entries in the folded base-masked table, preferably (unless stated otherwise) for all of them, the table entries are generated with a folding step, folding the table once or several times so that two or more values of the table are stored on top of one another. For example, if all the table entries are generated by folding two input values together, the table requires only half as much space as without folding.
  • an extended-masked table, consisting of the single original table and a single complementary table, requires twice as much space as the corresponding base-masked table. In this constellation (simple folding of the table, so that two input values always enter each table entry, and extended masking with a single complementary table) the folding thus compensates exactly for the increase in memory requirement produced by the extended masking.
  • the memory requirement is thus exactly that of a basic-only masked table (eg masked with an XOR mask).
  • the folded and extended masking according to the invention is particularly advantageous for sub-calculations formed by table calls. Especially for a table call, a recalculation of the table for each table call would require considerable additional computation effort.
  • the relatively complex nonlinear S-box operation is implemented as a table call. Due to the extended masking, depending on the embodiment, twice to four times as much table memory is required as with a base-masked only (e.g. XOR-masked) table. By folding the table, this additional storage requirement is, in the advantageous case (see above paragraph), completely or at least partially cancelled.
  • complex sub-calculations such as S-box operations in AES are masked with the folded extended masking, and comparatively simple sub-calculations (e.g. ShiftRows or MixColumns) are masked with another, e.g. stronger but more costly masking, e.g. re-masking at each partial calculation (calculation step).
  • the entire calculation can also be folded and extended-masked. Partial calculations between table calls should at least not be less strongly masked than the table calls.
  • the correction table is masked with a secondary mask, i.e. extended by one or more complementary tables.
  • the random access to either the folded masked table or the folded masked complementary table is optionally performed by extending the input value, from which the intermediate value is produced, by a table selection section that defines the table to be accessed. The length of the table selection section is chosen to match the one or more complementary tables: if a single complementary table is computed, the table selection section is preferably one bit ("selection bit") long; if three complementary tables are computed, it is preferably two bits long. The selection bits may be placed together (e.g. aa) or interspersed between the bits of the table input (e.g. xax, axax, etc.; see figures).
  • the correction table also has a table selection section that defines the correction table that is accessed.
  • the table selection section of the actual table and the table selection section of the correction table are preferably independent of one another; for example, a separate random bit is thus defined for the table and for the correction table.
  • the table optionally has a table input and a table output, and exactly one masked complementary table is computed, in which both the table input and the table output are complemented, by complementing the positions of the table entries in the table (complementing the input) and complementing the values of the table entries in the table (complementing the output).
  • the table has a table input and a table output, and where three masked complementary tables are calculated, where
  • both the table input and the table output are complemented by complementing both the positions and the values of the table entries in the folded base-masked table.
  • the folded masked table and the at least one (eg, one or alternatively three) complementary table (s) are entered into a single extended table containing the table entries of the folded masked table and the at least one complementary table in a predetermined arrangement.
  • the arrangement of the table entries can be, for example, consecutively (cf., for example, FIG. 11), or alternatively alternating like a checkerboard (starting from the tables from FIG. 11, checkerboard-like scrambling of the table entries, if appropriate with corresponding design of the table selection sections).
  • the processor has a non-volatile memory (e.g. ROM, EEPROM, ...) and a volatile memory (e.g. RAM) associated with it, wherein the table is stored in the non-volatile memory, and wherein the folded masked table and the at least one folded masked complementary table are stored in the volatile memory.
  • the original, unmasked S-boxes are stored in non-volatile memory.
  • the folded masked table and its complementary table(s) are calculated and stored in the volatile memory.
  • the folding is done here on tables that are generated in the usually rather limited (volatile) memory (for example RAM).
  • the fact that the correction table has to be kept in addition does not affect the saving in working memory, since the correction table is preferably stored in non-volatile memory (e.g. ROM).
  • the folded masked table and at least one complementary table are used for a plurality of table accesses to the table, optionally for at least one complete execution of the cryptographic calculation (e.g. one pass of the AES), and the calculation or partial calculation is carried out either with the folded masked intermediate value or with the one's complement of the folded masked intermediate value, in accordance with the specification.
  • a folded masked table (e.g. S-box) and at least one (e.g. exactly one or exactly three) complementary table(s) are calculated, e.g. in the RAM.
  • the precomputed tables and complementary table(s) are used (e.g. from the RAM).
  • the unmasked table is loaded from the nonvolatile memory (e.g., ROM).
  • a RAM table generated in this way may also be used for several AES passes. Otherwise, the RAM table is recalculated before each AES pass.
  • the table has a table input and a table output, and where the masked table
  • FIG. 2 shows a partial calculation in AES, comprising a table access, which is suitable for the extended and folded masking according to the invention
  • FIG. 3 shows computation instructions for basic masking of an intermediate value to a masked intermediate value according to XOR masking and additive masking
  • FIG. 5 is a complemented table to the table of FIG. 4 with only the table input complemented (inverted);
  • FIG. 6 is a complemented table to the table of FIG. 4 with only the table output complemented;
  • FIG. 7 is a complemented table to the table of FIG. 4 with the table input and the table output complemented;
  • FIG. 9 shows an XOR-randomized table based on the table of FIG. 4, with input mask 00 and output mask 02;
  • FIG. 11 is a table simply expanded, starting from the XOR randomized table of FIG. 10, with a single complementary table;
  • FIG. 12 shows a table folded from the table of FIG. 10 with folding distance 12;
  • FIG. 13 is a simply extended table, starting from the folded table of FIG. 12, with the selection bit at the highest binary bit position, according to an embodiment of the invention;
  • FIG. 14 is a simply extended table, starting from the folded table of FIG. 12, with the selection bit at the lowest binary bit position, according to a further embodiment of the invention;
  • FIG. 15 shows, starting from the folded table of FIG. 12, a twice extended table, with selection bits at the two highest binary bit positions, according to a further embodiment of the invention.
  • Fig. 1 shows correlation curves for a second order DPA attack on a table access in AES a) in XOR masking and b) in extended masking according to embodiments of the invention.
  • the table is an AES S-Box.
  • the correlation curve of Fig. 1a was determined with a second order DPA attack on a table access in the AES when performing table access with the correct key.
  • the table is XOR masked.
  • the significant peak indicates that the correct key k was used. If the table access was performed with a wrong key k, the peak is absent, similar to FIG. 1b.
  • FIG. 1b shows a correlation curve obtained from a second-order DPA attack on the same table access in the course of the AES as the curve from FIG. 1a. In contrast to FIG. 1a, in FIG. 1b the table is masked with the secondary masking according to the invention, in addition to the base XOR masking.
  • memory-efficient secondary masking is accomplished by first folding the XOR-masked table underlying FIG. 1a and then extending it to a simply extended table which contains the folded XOR-masked table (the table was first XOR-masked, then folded) and the complementary table to the folded XOR-masked table.
  • the table access is applied to the extended folded XOR-masked table. In this case, either the folded XOR-masked table or the complementary table is randomly accessed within the extended folded XOR-masked table.
  • Table accesses to a two-times extended table comprising the base-masked table and three complementary tables provide similar correlation curves to those shown in Fig. 1b. Even with a table that has been expanded twice, table accesses with the correct key k are therefore indistinguishable from table accesses with a wrong key.
  • in the three complementary tables, respectively, only the table input of the folded base-masked table is complemented, only the table output is complemented, or both the table input and the table output are complemented.
  • FIG. 2 shows a partial calculation from AES encryption in which a table access to a table S (S-box, AES substitution table) is carried out.
  • the table access of FIG. 2 is suitable for being masked by the method according to the invention.
  • FIG. 2 shows two tables S in the AES, which are applied at different locations in the algorithm AES, more precisely in different rounds of the AES.
  • the two tables S are shown in FIG. 2 with the same symbols p, k, x, y for plaintext p, key k, input value x of the table S and output value y of the table S, to indicate that the arithmetic operation performed by the table S is the same for the two tables S.
  • the values of plaintext p, key k, input value x and output value y are usually different for each table S.
  • FIG. 3 shows computational rules for base masking of an intermediate value to a masked intermediate value with XOR masking and additive masking.
  • the calculation rule to mask x with an additive base masking to x add is
  • FIGS. 4-11 show tables S whose table entries are generated without folding of input values, and, where extended masking is applied (FIG. 11), according to the solution from 102012018924.9.
  • Figs. 12 and 13 show folded tables.
  • the table of FIG. 12, produced with folding only and without extended masking (secondary masking), corresponds in principle to the solution from DE 10 2004 032893 A1.
  • tables without folding are in principle designated by the symbol S, where appropriate with additions such as "'" or "-" etc. to indicate the degree of masking.
  • tables whose entries are produced by folding input values are generally denoted by T; tables without folding, or tables in general, by S.
  • Fig. 4 shows a table S in unmasked form (original table), e.g. an AES-S box.
  • the table is shown in the quaternary system (base 4).
  • each digit can take the four values 0, 1, 2, 3.
  • Fig. 5 shows a complemented table S to the table S of Fig. 4, wherein only the table input x is complemented.
  • the table output y is complemented by the fact that the value of the table entry is complemented.
  • Fig. 7 shows a complemented table S to the table S of Fig. 4, wherein the table input x and the table output y are complemented.
  • the input value x is complemented by x.
  • Fig. 8 shows an XOR-randomized table S', with input mask 31 and output mask 00, i.e. only the table input x is masked, namely with XOR mask 31, and the table output y is unmasked (XOR mask 00, which is equivalent to no masking). Starting from the table S of FIG. 4 this results in input 23 and output 11 (circled).
  • FIG. 10 shows an XOR randomized table S ', with input mask 31 and output mask 02.
  • the complementary table is formed by complementing the table input x and the table output y in the base-masked table of FIG. 10.
  • axx is given as an example and may alternatively also be xax or xxa.
  • the entries for the row indexes 00, 01, 02, 03 (top) in which the selection bit a in the table input value axx has the value zero (0) belong to the uncomplemented table masked only with the basic masking (table from FIG. 10).
  • Table output yy 31 (lower half of the table, selection bit in table input 123 has the value 1) is random.
  • an AES calculation (optionally encryption, decryption, signature generation or signature verification) is started; FIG. 2 shows encryption as an example.
  • a table S''' which is simply extended according to FIG. 11 is used as the table S in FIG. 2.
  • Fig. 13 shows a table T', simply extended, starting from the folded table T of Fig. 12, with the selection bit at the highest binary bit position, according to an embodiment of the invention.
  • the lower half of the table T' of Fig. 13 has inverted output values in reverse order.
  • the marked input value 13 from the table T of FIG. 12 is inverted to the input value 20 for generating the table T' of FIG. 13. At position 20 of the table T' of FIG. 13 there is precisely the value 22, which is the inverse of the value at position 13 of FIG. 12.
  • Fig. 14 shows a table T', simply extended, starting from the folded table of Fig. 12, with the selection bit at the lowest binary bit position, according to a preferred embodiment of the invention.
  • the table of Fig. 14 is obtained from the table of Fig. 13 by alternately selecting one entry from the upper and from the lower half of the table of Fig. 13 (line by line). Therefore the first circled value 22 of the lower half of the table of Fig. 13 appears immediately as the second value in the table of Fig. 14, and accordingly the last circled value 11 of the upper half of the table of Fig. 13 is the penultimate value of the table of Fig. 14.
  • Fig. 15 shows a table twice extended starting from the folded table of Fig. 12, with two selection bits, one at the uppermost binary bit position (as in Fig. 13), and one at the second uppermost bit position.
  • the select bit at the top bin decides whether the table output is inverted or not.
  • the selection bit at the second highest binary location decides whether the table input is inverted or not.
  • a preferred embodiment is set forth to generate a folded and expanded masked table T and a correction table T and to perform a table access to a table entry in the table T 'comprising correction of the table entry by means of the
  • Correction table f As T ', for example, the one table as shown in FIG. 13 or 14 may be provided. This is based on the principle of a table S as indicated in Fig. 2 and 4-12. In particular, the same function is implemented by the unmasked table S as by the table S. For example, S is an S-box in the AES according to FIG. 2.
  • Each of the tables T 'and T has the structure of an extended table, ie
  • the following correction table f is stored, where x »i is for a right shift of x by i digits in binary representation, and an overline for one's complement formation. straight x
  • A folded and extended masked table T' is generated.
  • XOR masking is used as the base masking, with a table input mask i and a table output mask o.
  • A folding distance d ≠ 0 is chosen at random.
  • A first random bit b is defined which, like the random distance d, is freshly randomized for each calculation of a table T' in the random access memory RAM.
  • The extended XOR-masked table input value x' is the same
  • The folding function f_d (folding here does not mean the mathematical operation of convolution) is formed in the following two steps.
  • The "random" distance d in binary representation is represented by a sequence of 1-bits and 0-bits.
  • The bit length of the folding distance d is generally equal to the bit length of the input value x. Whatever the value of the random distance d, at some bit position it has its lowest 1-bit z, i.e. the lowest bit of d that is one, all lower bits being 0:
  • z = d & (−d)
  • At the bit position of the lowest 1-bit z of the random distance d, exactly one of the base-masked input value x' and its folding partner x' ⊕ d has a 1-bit, i.e. the bit z is set (to the value 1) either only in x' or only in x' ⊕ d.
  • The zero at the bit position of the lowest 1-bit z of the random distance d is extracted from the base-masked input value x' (the input value x' is still in binary representation).
  • The calculation shows that the specified algorithm is functionally correct.
  • The security against 2nd-order DPA can be established by a careful analysis of the individual steps and was verified in practice by an implementation on a smart card.
  • This bit need not be at the lowest position but may be elsewhere. If the bit of the table selection section is inserted elsewhere, the formulas for the tables and the calculation of the indices (u, v) change accordingly.
  • The information for the table selection section is kept separate from the masked data and is inserted only for the entry of a table call.
  • A double extension is provided (corresponding to FIG. 15).
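The simple extension of Figs. 13 and 14 and the randomly controlled table access it enables, as an added Python example that is not part of the patent: a constructed 4-bit toy S-box is XOR-masked with input mask i and output mask o, extended with a selection bit, and then read under a random bit b either directly or via the one's complement of the masked input. The S-box values, the masks and the 4-bit width are assumptions (the figure values read as two base-4 digits, e.g. 13 and 20 as complements, but that reading is mine); folding with the distance d and the correction table f are not shown.

```python
import secrets

# Constructed 4-bit toy S-box (a bijection on 0..15): not the AES S-box and
# not the table of the patent's figures. The 4-bit width is an assumption.
S = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
WIDTH = 4
ALL_ONES = (1 << WIDTH) - 1

def inv(v):
    """One's complement (the overline) restricted to the table width."""
    return v ^ ALL_ONES

def base_masked_table(S, i, o):
    """Base masking: XOR-randomized table S' with S'(x ^ i) = S(x) ^ o."""
    Sp = [0] * len(S)
    for x, y in enumerate(S):
        Sp[x ^ i] = y ^ o
    return Sp

def extend_high_bit(Sp):
    """Fig. 13 layout (selection bit at the highest index position): the upper
    half is S' unchanged, the lower half holds the inverted output values in
    reverse order, i.e. entry N + j equals inv(S'(inv(j)))."""
    return list(Sp) + [inv(Sp[inv(j)]) for j in range(len(Sp))]

def extend_low_bit(Sp):
    """Fig. 14 layout (selection bit at the lowest index position): the two
    halves of the Fig. 13 table interleaved line by line."""
    T13 = extend_high_bit(Sp)
    n = len(Sp)
    return [T13[(k % 2) * n + k // 2] for k in range(2 * n)]

def masked_lookup(T, x_masked, b):
    """Table access under the random selection bit b (secondary masking): with
    b = 1 the masked input is processed as its one's complement and the fetched
    entry is complemented back, so both paths yield S'(x_masked)."""
    idx = 2 * (inv(x_masked) if b else x_masked) + b
    y = T[idx]
    return inv(y) if b else y

def masked_sbox(x, i, o, b=None):
    """Mask x with i, read the extended table under selection bit b (a fresh
    random bit when None) and return S(x) masked with the output mask o."""
    if b is None:
        b = secrets.randbits(1)
    T = extend_low_bit(base_masked_table(S, i, o))
    return masked_lookup(T, x ^ i, b)
```

Unmasking the result with o gives S(x) whichever value of b was drawn, and for b = 1 the masked value x' itself never appears as a table index.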

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method, carried out in a processor, for performing a cryptographic calculation. During the calculation a base masking is used, by which intermediate values enter the calculation as masked intermediate values. In addition, a folding and a secondary masking are applied during the calculation. In the folding, the masked intermediate value is computed using the unmasked intermediate value and at least one second intermediate value. In the secondary masking, for each intermediate value masked by means of the base masking, the calculation is performed under random control either with the masked intermediate value or with the one's complement of the masked intermediate value.
EP15713647.4A 2014-03-26 2015-03-23 Memory-efficient side-channel-protected masking Ceased EP3123461A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102014004378.9A DE102014004378A1 (de) 2014-03-26 2014-03-26 Memory-efficient side-channel-protected masking
PCT/EP2015/000625 WO2015144305A1 (fr) 2014-03-26 2015-03-23 Memory-efficient side-channel-protected masking

Publications (1)

Publication Number Publication Date
EP3123461A1 true EP3123461A1 (fr) 2017-02-01

Family

ID=52785032

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15713647.4A Ceased EP3123461A1 (fr) 2014-03-26 2015-03-23 Memory-efficient side-channel-protected masking

Country Status (3)

Country Link
EP (1) EP3123461A1 (fr)
DE (1) DE102014004378A1 (fr)
WO (1) WO2015144305A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102015015953B3 (de) 2015-12-08 2017-04-27 Giesecke & Devrient Gmbh Cryptographic algorithm with key-dependent masked calculation step (S-box call)
CN112787800B (zh) * 2021-01-19 2022-06-17 清华大学 Encryption and decryption method and apparatus based on second-order masking, electronic device and storage medium

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5398284A (en) * 1993-11-05 1995-03-14 United Technologies Automotive, Inc. Cryptographic encoding process
DE19822217B4 (de) 1998-05-18 2018-01-25 Giesecke+Devrient Mobile Security Gmbh Access-protected data carrier
FR2820576B1 (fr) * 2001-02-08 2003-06-20 St Microelectronics Sa Encryption method protected against power consumption analyses, and component using such an encryption method
KR100594265B1 (ko) * 2004-03-16 2006-06-30 삼성전자주식회사 Data encryption processing apparatus to which a masking method is applied, AES encryption system and AES encryption method
DE102004032893B4 (de) 2004-07-07 2015-02-05 Giesecke & Devrient Gmbh Calculation of a masked result value protected against spying
DE602005002349T2 (de) * 2005-05-10 2008-01-17 Research In Motion Ltd., Waterloo Key masking for cryptographic processes
JP4936996B2 (ja) * 2007-05-24 2012-05-23 株式会社東芝 Nonlinear data converter, encryption device, and decryption device
FR2950721B1 (fr) 2009-09-29 2011-09-30 Thales Sa Method for executing an algorithm for protecting an electronic device by affine masking, and associated device
DE102012018924A1 (de) 2012-09-25 2014-03-27 Giesecke & Devrient Gmbh Side-channel-protected masking

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
None *
See also references of WO2015144305A1 *

Also Published As

Publication number Publication date
DE102014004378A1 (de) 2015-10-01
WO2015144305A1 (fr) 2015-10-01


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20161026

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GIESECKE+DEVRIENT MOBILE SECURITY GMBH

17Q First examination report despatched

Effective date: 20190716

REG Reference to a national code

Ref country code: DE

Ref legal event code: R003

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20191123