FR2995110A1 - Method for optimizing use of e.g. memory, of electronic device i.e. smart card, involves protecting smart card from physical attacks by masking from substitution box and inverse substitution box upon implementing cryptographic algorithm - Google Patents

Abstract

The method involves protecting an electronic device i.e. smart card from physical attacks by masking from a substitution box (SBOX) and an inverse substitution box (INV SBOX) when the smart card implements a cryptographic algorithm. An inverse function (INV F) of the substitution box is closely followed by a closely connected function (AFF F), and a closely connected reciprocal function (R AFF F) of the inverse substitution box is followed by the inverse function. A masked inverse function (MSK INV F) is generated. Independent claims are also included for the following: (1) a computer program for optimizing the use of the memory of an electronic device (2) a non-transitory computer readable storage medium storing a program for optimizing the use of the memory of an electronic device (3) an electronic device.

Description

The invention relates to memory optimization of electronic devices implementing cryptographic algorithms (such as AES) and their protection against physical attacks such as auxiliary channel attacks. Electronic devices implementing cryptographic algorithms often have very limited memory capacity. In particular, the available random access memory (RAM) is sometimes limited to a few thousand or even a few hundred bytes. This is particularly the case of cryptographic smart cards, and in particular the simplest models of such smart cards. Auxiliary channel attacks exploit physical properties of the attacked electronic device when it implements a cryptographic algorithm (the implementation can be software, hardware, or even mixed: software and hardware). The fact that the cryptographic algorithm is secure from a purely mathematical point of view (that is, in theory) does not necessarily guarantee that the practical implementation of this cryptographic algorithm by a given electronic device is secure.

It is thus known to attack an electronic device in a non-invasive manner by making an external observation of some of these operating parameters. An attacker can for example engage in acoustic cryptanalysis consisting of studying the noise possibly generated by the electronic device when it implements the cryptographic algorithm. Indeed, the electronic device can emit a noise (or possibly inaudible vibrations) varying in intensity and nature depending on the operations performed. Capacitors that load or discharge can in particular emit clicks that can be measurable.

It is also known to analyze the electromagnetic emanations of the electronic device, or to analyze its thermal image. Indeed, the electromagnetic radiation of an electronic device, for example a processor, depends on what this device is performing, for example an instruction that the processor is executing or a piece of data that the processor is manipulating.

Attackers can also analyze the power consumption of the electronic device while executing the cryptographic algorithm. Different parts of the cryptographic algorithm can generate characteristic consumptions. It is therefore possible to analyze the instantaneous power consumption of an electronic device, and thus distinguish the tasks performed according to the power consumption they require. These attacks can be combined to obtain secret information such as an encryption key used by the cryptographic algorithm. The implementation of these attacks is usually closely related to the attacked electronic device. Thus, these attacks may, where appropriate, allow, via the use of an auxiliary channel (not envisaged or not sufficiently protected by the designer of the electronic device), such as an acoustic wave channel, an electromagnetic channel, or a thermal channel (the examples of given channels are in no way limiting) to affect the security of the implementation of the cryptographic algorithm considered. A cryptographic algorithm is an algorithm that aims to protect information, for example by ensuring its confidentiality, authenticity, or integrity through mathematics. A cryptographic algorithm often relies on one or more keys, which can be secret, private, or public. Some cryptographic algorithms do not use a key, such as some hash functions (such as SHA-1, MD5, SHA-256, RIPEMD-160, etc.). Among the cryptographic algorithms are in particular encryption algorithms (which make it possible to make information unintelligible) and decryption algorithms (which make it possible to recover the original information from an encrypted information), electronic signature algorithms , signature verification, authentication, authentication verification, etc. Some key-based cryptographic algorithms are called symmetric (eg DES, 3DES, AES, RC4, HMAC, etc.) algorithms. Some symmetric algorithms are specialized (for example the HMAC algorithm is used for signature / signature verification but not for encryption / decryption). Symmetric algorithms get their name from the fact that they use the same key (usually called a secret key) to encrypt and decrypt, or to sign and verify a signature, and so on. Thus, symmetric cryptographic algorithms require two parties using them to secure their communications from sharing keys. The Advanced Encryption Standard (AES) algorithm is notable because it is the algorithm that was chosen in 2000 by the National Institute of Standards and Technology (or "NIST") to become the standard symmetric encryption algorithm for the Government of the United States of America. Other cryptographic algorithms are called asymmetric (eg DSA, RSA, elliptic curves, etc.) because a different key is used by the parties to a communication. Each party has a private key (we speak rather of private key than secret key in such a case, even if one sometimes encounters abuse of language) and of an associated public key. For example, a party may use one of his private keys to sign information, and it is a corresponding public key that is used by the other party to verify the signature, or a party may use a public key belonging to another party. part to encrypt information, and the other party can then use his corresponding private key to decrypt the information. Cryptographic algorithms are often described very precisely in specifications accessible to all, the security of a cryptographic algorithm is generally not related to the secret nature or not of its operation (the algorithms that are only presumed safe because their secret character often end up being broken by reverse engineering). The specifications are used to determine what an algorithm should output when given some input information. This ensures the interoperability of the cryptographic algorithm, that is to say that separate implementations must be able to work between them. For example, it can legitimately be expected that information encrypted by any implementation of an encryption algorithm can be decrypted by any implementation of the corresponding decryption algorithm. However, this does not mean that there is only one possible implementation of each cryptographic algorithm. On the contrary, there are multitudes of possible implementations for each cryptographic algorithm, just as there are multitudes of different ways to perform the same calculation. For example, to calculate X2 + 2X + 1, we can calculate X * X, then 2 * X, add the two terms, add 1, or calculate X + 1, multiply the result by X, and add 1, or else calculate X + 1 and raise the result squared.

One would have thought that the security of a cryptographic algorithm depends only on its mathematical definition (and any keys that are used, when they are secret or private), as it appears from a specification, and not from the exact way in which it calculates the result defined in the specification. In reality, it is not, in general, as was illustrated above using the example of attacks by auxiliary channels. It turns out that the security of a particular implementation of a cryptographic algorithm does not only depend on the cryptographic algorithm itself, but also on the way it is implemented, and other factors such as characteristics of the electronic device responsible for executing it.

It is notably well known that when an unprotected electronic device executes software implementing a cryptographic algorithm in a "naive" manner, that is to say in a manner that merely produces the expected numerical result according to the specification (Such as an encryption result) from a given input, it is often possible to perform a passive listening of the electronic device and to obtain critical information on the progress of the cryptographic algorithm. Passive listening has the advantage of being non-invasive. The electronic device is not damaged, and its owner does not necessarily realize that it has been attacked. Thus, the device could be stolen and returned without its owner suspecting it, or simply used in the absence of the owner, or even spied in the presence of the owner, without the latter noticing (eg by a module hidden between the electronic device and its power supply). Thus, the owner of an electronic device whose AES key has been extracted by an attacker is not required to revoke his AES key (he has no reason to believe that he has been attacked). The attacker can then freely use the AES key until the owner finally realizes that transactions he has not made (eg electronic funds transfers), are allegedly attributed to him, or that a third party obviously had access to confidential information (for example, a competitor repeatedly responding to the same calls for tenders by being the lowest bidder).

Basic passive listening may simply consist in identifying a given characteristic according to a given measurement on the targeted electronic device. This is the case, for example, of so-called SPA (Simple Power Analysis) attacks. For example, during a modular exponentiation carried out in a "naïve" implementation of the RSA algorithm, the electrical consumption is very different when a bit of the exponent is equal to 1 (high consumption) and when this bit is equal at 0 (lower consumption). Indeed, in common implementations, a bit at 1 implies both a squaring operation and a multiplication operation (called "square and multiply" in English, the French translation being able to be: "pupil squared and multiplies ), While a 0 bit implies only a squaring operation. It is thus possible, by observing the trace of the electrical consumption during the modular exponentiation, to identify the series of 1 and 0 of the exponent, which correspond to fluctuations in electrical consumption. However, the RSA exhibitor, in the case of a private exhibitor, is an extremely confidential datum constituting the RSA private key, which in general is not supposed to be known to anyone outside the electronic device. Obtaining a person's private signature key allows you to sign on your behalf, so getting your private decryption key decrypts your messages. However, these plays (simple to implement) are not always effective. We know more sophisticated tapping, such as attacks called DPA (Differential Power Analysis), during which an attacker runs a cryptographic algorithm multiple times, and records each time the traces produced (eg traces of current consumption). Subsequently the attacker performs statistical calculations on the basis of multiple records, and obtains information in a more reliable and more difficult way to prevent. In order to guard against these attacks, it is possible to secure the electronic device itself. For example, a noise can be superimposed on the power supply in order to make its operation more difficult, to smooth the power consumption (for example with capacitors), to limit the electromagnetic emissions by adequate shielding, etc. It is also possible to use a particular internal clock, whose characteristic is to have a frequency of operation which varies randomly, which makes the measurements difficult to exploit (the operations of the cryptographic algorithm being then carried out at a rate which does not stop vary, and which is a priori unknown to the attacker). There are also other techniques, for example to control physical access and / or logical access to the electronic device. For example, smart cards implementing private key cryptographic algorithms generally protect the operations concerned by a PIN code. Thus, a person who temporarily steals the smart card hoping to extract the private key and then return the card to its owner without him realizing it, could not execute the algorithm concerned without presenting the correct PIN code ( that an informed user learns by heart and does not communicate to anyone), and therefore would not necessarily be able to perform the attack.

These countermeasure techniques are useful, but generally insufficient, because they do not protect against all attack scenarios. Another method of protection is to use a method of securing the cryptographic algorithm, consisting in implementing the algorithm in such a way that it generates the minimum of fluctuations (electrical or otherwise). For example, it is possible to modify the implementation of an RSA algorithm using a private key so that it performs operations with the same signature (electrical, electromagnetic, etc.) during a bit 1 or when a 0 bit in the private exponent of the private key. For example one can perform a "square and multiply" anyway, the result of the multiplication operation being used only in the case where the bit is 1. It is obviously necessary to be very vigilant, and s arrange for the implementation to be as symmetrical as possible. For example, if there is a test verifying that the result of the multiplication should be used or not, the test must behave the same regardless of its outcome (or at least as close as possible) ), otherwise a passive listening could target this test to determine whether it was a 0 bit or a 1 bit. Another method of securing (which may be complementary to the previous one) is to hide the sensitive data. The sensitive data may be for example cryptographic keys, and / or an input message to for example be encrypted by the cryptographic algorithm, and / or some intermediate data manipulated during the execution of the cryptographic algorithm. Indeed, in some cases the attacker can know or even choose an input message to be processed by the cryptographic algorithm, and make much more accurate predictions on the current calculation. The fact that the input message and / or the intermediate data are masked in a manner unpredictable by the attacker thus withdraws a portion of the information and can thus singularly complicate the attack. Moreover, as long as the masking is different at each use of the cryptographic algorithm, the statistical analysis can be complicated. For example, several methods of masking protection of the AES algorithm have been proposed to guard against hidden channel attacks. A traditional solution is an additive type masking where the manipulated data x is replaced by masked data x + m (+ hereinafter denoting the "exclusive" or "exclusive"). This makes it easy to go through the linear operations of the algorithm. The (non-linear) substitution tables S [] are then replaced by hidden tables generated on the fly after the drawing of a new mask (or all pre-stored in memory, if the amount of memory permits). Thus, a masked non-linear operation corresponding to a masked substitution box S '[], applied to a datum x masked by a random mask ml can be written in the form: y' = + mil = y + m2 = S [ x] + m2 m2 being a matching mask. At the end of the algorithm, the result is unmasked to obtain the final result (original data encrypted and not masked). There are other attacks against which it can be useful to protect oneself such as for example the invasive attacks (attacks by introduction of faults, DFA attacks, etc.). A common common feature of proposed countermeasures against various existing attacks is their often increased memory consumption. This is problematic in the context of electronic devices with constrained memory. In addition, the technique of re-calculating and masking the commonly used substitution box as described in the article "An AES Smart Card Implementation Resist to Power Analysis Attacks" (Herbst, C., Oswald, E., Mangard, S., In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol 3989, pp. 239-252, Springer, Heidelberg 2006) reduces the interest of 'a lighter version in memory of the AES specified in the relevant standard (AES 25 Proposal: Rijndael, Document version 2, Date: 03/09/99, Joan Daemen, Vincent Rijmen, available at the following address, including two m in the word "amended": csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf) Several attacks are likely to compromise the existing protection schemes of the AES, which already often imply a 30 implementation of the AES requiring a higher memory consumption and a longer execution time than an unmodified AES. In addition, the dedicated components (purely hardware solutions) to this AES algorithm are not always available and a software implementation is then required, which may further slow down the execution of the algorithm (and degrade its performance from the point of view of the end user). 5 The AES operates on an input called a status table, which contains 16 bytes (4x4). It can use 128, 192 or 256 bit keys. For simplicity, the examples given will be based on the 128-bit case unless otherwise stated. The structure of the AES encryption operation is that which is illustrated in FIG. 1 (the original function names are retained). The structurally similar AES decryption function is well known to those skilled in the art. In order to implement the AES encryption or decryption function, it is necessary to carry out a key expansion beforehand. From the key AES, one thus creates (via the expansion procedure) an extended key of size much larger than the size of the key. For example, the extended key for the AES-128 is 176 bytes, the extended key for the AES-192 is 208 bytes, and the extended key for the AES-256 is 240 bytes. This is often prohibitive for electronic devices with limited memory such as smart cards. In order to restrict the use of memory, it is possible to take advantage of the fact that the extended key is used only as the encryption (or decryption) proceeds. Thus, for the AES-128, the extended key is used in groups of 16 consecutive bytes. It is thus possible to carry out the expansion of the key only progressively (as and when) in a block of 16 bytes, each new block of 16 bytes extended key overwriting the previous block of 16 bytes already used, and so to use only 16 bytes of memory (typically RAM) instead of 176 bytes for the full extended key. However, the expansion procedure relies on a so-called substitution box (or table) function (often abbreviated as SBOX or S-BOX acronyms from English, or even by S [] notation). As mentioned above, a traditional method of protection against physical attacks is to hide the substitution box. This method typically requires the use of a 256 byte table in RAM memory (for the AES-128). Thus, the progressive expansion procedure, once protected, consumes (for the AES-128), 16 current bytes plus 256 bytes to protect the substitution box, ie 272 bytes. This is a lesser evil in the context of an encryption procedure, because the encryption procedure itself anyway requires the use of the substitution box (and therefore the additional 256 bytes are anyway consumed if the we secure this box of substitution). However, in the case of a decryption procedure, the substitution box is necessary for the expansion of the key, but the decryption uses, instead of this substitution box, a box of inverse substitution (in all rigor one should rather talk of reciprocal substitution box, inverse is an anglicism, but this is not the vocabulary used in practice). This reverse substitution box, if secured by masking, also consumes 256 bytes. We need 16 + 256 + 256 = 528 bytes, which completely cancels the benefit of the progressive expansion. It is more "cost-effective" in terms of memory optimization to perform a full expansion, which consumes 176 + 256 = 432 bytes (176 bytes for the extended key and 256 bytes for the hidden substitution box), and then after full expansion , to recover the 256 bytes occupied by the hidden substitution box to reallocate them to the hidden inverse substitution box necessary for decryption (operated on the basis of the extended key). However, 432 bytes represent a quantity of memory that can be prohibitive.

The invention improves the situation. One aspect of the invention relates to a method of optimizing the use of the memory of an electronic device, when the electronic device implements a cryptographic algorithm by protecting it against physical attacks by masking a box of substitution and an inverse substitution box, the substitution box comprising an inverse function followed by an affine function, the inverse substitution box comprising the inverse function of the affine function followed by the inverse function, the method generating an inverse function hidden.

This method is advantageous in that it makes it possible to protect, for the same memory cost, both the substitution box and the inverse substitution box. This makes it possible to optimize the use of the memory, in particular in the context of a progressive key expansion used for a decryption operation. For example, in the case of AES-128, the method requires only 272 bytes (for both encryption and decryption), rather than 432 for separate full masked expansion (prior to encryption or decryption itself) according to the state of the art. The progressive masked expansion of the state of the art consumes for its part 272 bytes also in the case of an encryption (no gain), but 528 bytes in the case of a decryption (and then requires moreover the calculation of two masks, that of the substitution box and that of the inverse substitution box), which again illustrates an advantage of the proposed method. The amount of memory required indicated below (for example 272 bytes instead of 528 bytes) does not take into account some requirements that are substantially identical regardless of the method implemented. For example, the data to be encrypted and the result of the encryption are generally stored in memory, regardless of the method used for implementing the cryptographic algorithm. In a more rigorous way, one could therefore say that the proposed method requires, in the example considered, 272 + X bytes of memory instead of 528 + X bytes of memory. One aspect of the invention relates to a computer program comprising a series of instructions, which, when executed by a processor of an electronic device, causes the processor to implement a method according to an aspect of the invention.

One aspect of the invention relates to a computer-readable non-transit storage medium, the medium storing a computer program according to one aspect of the invention.

One aspect of the invention relates to an electronic device comprising a memory and a memory optimization circuit, the circuit being arranged, when the electronic device implements a cryptographic algorithm by protecting it against physical attacks by masking a box. substitution and an inverse substitution box, the substitution box comprising an inverse function followed by an affine function, the inverse substitution box comprising the inverse function of the affine function followed by the inverse function, to generate an inverse function hidden. Other aspects, objects and advantages of the invention will appear on reading the description of some of its embodiments. The invention will also be better understood with the aid of the drawings, in which: FIG. 1 illustrates the cryptographic encryption algorithm AES; FIG. 2 illustrates methods according to embodiments of the invention; FIG. 3 illustrates an electronic device according to one embodiment of the invention. FIG. 1 schematically shows the known structure of the AES cryptographic encryption algorithm, and in particular a first AddRoundKey step, followed by a sequence of nine rounds each performing the SubBytes steps (the application of the substitution box to each byte of the AES status table), ShiftRows, MixColumns, then AddRoundKey again, and finally, after the nine rounds, the SubBytes, ShiftRows, and AddRoundKey steps. Figure 1 does not show the preliminary key expansion step that needs to be performed before it can be encrypted.

Figure 2 schematically illustrates the operation of methods according to two possible embodiments. On the left, a first method starts by masking (step MSK), using a random error, the inverse function INV_F of the AES in order to produce a masked inverse function MSK_INV_F. The hazard may be derived from a pseudo-random generator of the electronic device based on hardware elements such as an analog digital converter digitizing an analog noise measured in the electronic device and applying to it a mathematical treatment (for example to the using a cryptoprocessor of the electronic device). One possible way of masking the inverse function is to implement this inverse function in the form of table INV_F and to generate a hidden inverse function table MSK_INV_F according to the following algorithm (for a table with 256 elements), in which m and w are random bytes and the symbol `+ 'designates the operation of" or exclusive ": For i from 0 to 255: MSK_INV_F [i] = INV_F [i + m] + w In a second step, the process applies a box masked SBOX substitution to INPUT input data, and generates a corresponding OUTPUT output. The implementation of the masked substitution box consists of applying the masked inverse function MSK_INV_F to the input data INPUT, then applying the affine function AFF_F of the AES (not masked) to the result of this hidden inversion. This gives a globally masked substitution box.

Similarly, on the right of FIG. 2, a second method starts by masking (step MSK identical to step MSK of the preceding method) the inverse function INV_F of AES in order to produce a masked inverse function MSK_INV_F. In a second step, the method applies a masked inverse substitution box INV_SBOX to input data INPUT, and generates a corresponding output OUTPUT. The implementation of the masked inverse substitution box consists in applying the inverse function R_AFF_F of the affine function AFF_F of the AES (not masked) to the input data INPUT, then in applying to the result of this function the inverse function masked MSK_INV_F. This gives a globally masked inverse substitution box.

Figure 3 shows a smart card SCARD ("smartcard") according to one embodiment of the invention. This smart card is equipped with a microprocessor MP, a memory MEM (which is a random access memory type RAM) and a read-only memory type ROM. The read-only memory ROM stores a table corresponding to a inverse function INV_F (not masked), a table corresponding to an affine function AFF_F and a table corresponding to the reciprocal function R_AFF_F of the affine function AFF_F. The memory MEM stores a table corresponding to a hidden inverse function MSK_INV_F. ROM ROM stores software arranged, when executed by the microprocessor MP, to implement a method according to one embodiment. A smart card is a possible example of an electronic device for which the invention is particularly advantageous, given its many applications in the field of cryptography (SIM cards authenticating a mobile phone user vis-à-vis an operator , bank card authenticating the bearer during a financial transaction, health cards, etc.). However, the invention applies to any other electronic device, such as an electronic passport, an electronic visa, an electronic driver's license, a secure USB key, a secure MMC card, a token (secure token), etc. The invention can also be implemented in a server, an SSL accelerator, an HSM, etc. The majority of servers are less secure against physical attacks than a secure device such as a smart card. This can make these servers vulnerable to attacks that are much simpler to implement (than the attacks against which the invention makes it possible to protect themselves), such as purely software attacks. These software attacks (by viruses, Trojans, etc.) can potentially be carried out remotely without requiring any physical access. It might seem absurd to try to protect against complex and constraining auxiliary channel attacks while an attacker on another continent could take control of the remote server and extract critical information in a much simpler and less dangerous for him (no intrusion, no device theft, etc.). However, some servers with a security vocation are highly secure against purely software attacks, and in this context also protect them against attacks by auxiliary channel is advantageous. In addition, the optimization of their memory can be useful, in particular when they perform a large number of cryptographic operations in parallel (HSMs, SSL / TLS accelerators, etc.).

According to one embodiment, a method optimizes the use of the memory MEM (which is a rewritable memory) of an electronic device SCARD (for example a smart card), when the electronic device implements a cryptographic algorithm by protecting against physical attacks. The protection results in particular from a masking of an SBOX substitution box and a reverse substitution box INV_SBOX. According to one embodiment, the cryptographic algorithm is the AES. However, the cryptographic algorithm may be more generally any Rijndael algorithm other than the Rijndael algorithms selected for the AES, and even any cryptographic algorithm implementing an SBOX substitution box comprising an inverse function INV_F followed by an affine function AFF F and an inverse substitution box INV_SBOX comprising the reciprocal function R_AFF_F of the affine function AFF_F followed by the inverse function INV_F.

In the case of the AES, the inverse function is the inverse multiplicative in the finite group GF (28) defined in the AES, and the affine function is the affine function of the AES, namely the function that 'byte B associates byte B' such that: 16 0 0 0 1 1 1 1 1 0 0 0 1 1 1 1 1 1 1 0 0 0 1 1 0 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 o 0 1 1 1 1 1 0 0 1 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 The process generates a masked inverse function MSK_INV_F by masking the inverse function INV_F (which also makes it possible to secure well the substitution box as the inverse substitution box). According to one embodiment, the method does not mask the affine function AFF_F nor the inverse function R_AFF_F of the affine function AFF_F. The inverse function INV_F masked can not be stored in non-rewritable memory (such as ROM) since by definition it is defined randomly during the use of the method. It is thus generated (from the inverse function INV_F) then stored in the memory MEM, which is a rewritable memory. According to one embodiment, the inverse function INV_F, the affine function AFF_F and the inverse function R_AFF_F of the affine function AFF_F are, in turn, recorded in a memory of the electronic device other than its memory MEM. For example, they are stored in non-rewritable memory (for example in ROM). Indeed, according to one embodiment, these functions are constant and can therefore be defined during manufacture (once and for all, in ROM). They can also be recorded in a non-volatile rewritable memory (such as a flash memory or EEPROM for example) other than the MEM memory. They can then be recorded during a configuration (and possibly a reconfiguration) of the electronic device. It is indeed more and more common to use for the operating system and the constant data of certain electronic devices (such as smart cards) not a ROM memory, but a non-volatile rewritable memory (often a 2). 9 9 5 1 1 0 17 Flash memory) in order to increase the flexibility of the manufacture of the electronic device (it is not necessary to hide a ROM component in a melter each time an element that is located in ROM and can not be modified by softmask). The method can thus use the affine function AFF_F and the reciprocal function R_AFF_F of the affine function AFF_F (during the implementation of a substitution box or an inverse substitution box) without consuming additional memory MEM, or if necessary by consuming a marginal amount of MEM memory with respect to the memory optimization obtained. This possible amount of "lost" marginal memory can be linked for example to the call of a function (AFF_F or R_ AFF _F) which can, for example, according to its implementation, cause the recording in a stack of the MEM memory of certain information (for example two bytes encoding the return address to use to continue the execution once AFF_F or R_AFF_F executed, etc.). The equivalent of this information would not necessarily have been required (as a record in the MEM memory) in an implementation of the state of the art masking the entire box of substitution in table form. But in any case, the few bytes possibly lost (for example two bytes in the example above) are negligible compared to the 160 or 256 bytes of MEM memory saved by the method for decryption in AES-128 by related to the known secure decryption methods. The data manipulated by the affine function AFF_F (and by the reciprocal affine function R_AFF_F) are preferably masked. It is not necessary to modify the affine function or the inverse affine function, however, initially designed for unmasked data. Indeed, these functions are linear. It is therefore possible to determine, from the result of the affine function (respectively of the reciprocal affine function) applied to a masked datum and the value of the mask, the result of the affine function (respectively of the reciprocal affine function) applied. to the data not masked. Indeed, for a linear function L, a datum x and a mask m, we have L (x + m) = L (x) + L (m) and therefore L (x) = L (x + m) + L (m) (the `+ 'operation designates the" exclusive or "). According to one embodiment, the memory MEM is a volatile memory, such as a RAM, or more precisely an SRAM, a DRAM, an MRAM, a DDRAM, an SDRAM, a RDRAM, a DDR SDRAM, a DDR2 SDRAM, a DDR3 SDRAM, an XDR DRAM, etc. The volatile memory of the electronic device is often the most critical memory because little available (there is much less than nonvolatile memory). For example, there are often only a few hundred or thousands of bytes of RAM against several tens of thousands of bytes of EEPROM in a smart card. Similarly, there are often only a few gigabytes of RAM in a server against terabytes in a server hard drive. The RAM memory is generally very fast both for reading and writing, but requires a permanent power supply, the interruption of power leading to a loss of recorded data. According to another embodiment, the memory MEM comprises, for the purposes of implementing the cryptographic algorithm, a rewritable non-volatile memory (such as an EEPROM or Flash memory) for the storage of temporary information such as the extended key, or such as the hidden inverse function. However, writing in such memories is much more complex and slow than writing in RAM type volatile memory. This leads to substantially reduced performance in terms of speed of execution. It is also likely to give rise more easily to attacks by auxiliary channels. In addition, the number of writes in a rewritable non-volatile memory is generally limited. For example, the operation of some EEPROMs is only guaranteed for 100,000 writes. This number of writes (100000) could be reached for certain applications, imposing the non-use of the areas having reached the threshold of use, which would thus be lost. This would increase the consumption of non-volatile memory. According to one embodiment, the use of a nonvolatile memory MEM thus completes the use of a RAM included in the memory MEM, RAM which may prove to be of insufficient size (depending on the applications in progress). execution, etc.). The memory MEM can thus combine a RAM memory and (for the case where the RAM is full) of the non-volatile memory (for example EEPROM or Flash). For this purpose, the method can use, for example, a technique similar to the so-called SWAP techniques between the random access memory and the hard disk of a conventional personal computer (a page of used random access memory being temporarily copied to the hard disk to release this page). Depending on the case, it may be possible, instead of performing a SWAP, to simply use the non-volatile memory as an extension (slower and more constraining) of the volatile memory. According to one embodiment, the non-volatile memory of the memory MEM can be a magnetic memory (for example a hard disk) and can then implement a conventional SWAP technique. According to one embodiment, the memory MEM comprises a physical nonvolatile memory component. According to one embodiment, the memory MEM comprises a logical nonvolatile memory which constitutes a logical subset of a given physical nonvolatile memory. For example, a 64KB EEPROM memory chip of the electronic device can be divided into three parts. A first part of 4Ko can be allocated to the MEM memory. A second part of 16K can be allocated to softmasks (possible bug fixes to an operating system stored in ROM, disabling certain operating system functions, or additional features for this operating system). A third part of 44K (the main part) can be allocated to a user storage function of the electronic device (equivalent of a hard disk on a conventional computer) in which it is possible for example to create directories and subdirectories (for example according to IS0-7816-4), or to record Javacard applets, or data files. The sizes of the three parts can obviously be any.

According to one embodiment, the method comprises a key expansion phase using the SBOX substitution box. The key expansion phase is implemented as and when encryption or decryption (encryption or decryption performed using the implementation of the cryptographic algorithm). This maximizes the optimization resulting from the masking of the inverse function (excluding the affine and reciprocal functions of the affine function, which are not masked), particularly in the case where the method implements a decryption operation. A comparison between two known techniques and a method according to a particular implementation of the embodiment which has just been described is shown in the following table: Memory occupied Memory occupied Number of (encryption) (decryption) masks Masking Expansion 432 bytes 432 bytes 1 complete (separate) Masked expansion 272 bytes 528 bytes 2 progressive (parallel) Embodiment 272 bytes 272 bytes 1 (progressive masked expansion, parallel) The first known technique starts with a full expansion (requiring 176 bytes) then performs full encryption using a hidden substitution box (256 bytes) for a total of 176 + 256 = 432 bytes. The first technique also allows a decryption in which one starts by carrying out a complete expansion (which requires 176 bytes) then realizes a complete decryption using a masked inverse substitution box (256 bytes) that is a total of 176 + 256 = 432 bytes. The second known technique performs in parallel an expansion of the key and an encryption. At each iteration, the expansion requires 16 bytes (for the 16 bytes out of 176 that are being generated), plus 256 bytes for the hidden substitution box that is a total of 16 + 256 = 272 bytes. In parallel, the second technique performs an encryption based on the 16 key bytes that have just been generated, which requires 256 bytes for the encrypted substitution box (however these 256 bytes were already allocated so it does not change the memory requirements). The second known technique also allows parallel expansion of the key and decryption. At each iteration, the expansion requires 16 bytes (for the 5 16 bytes out of 176 that are being generated), plus 256 bytes for the masked substitution box that is a total of 16 + 256 = 272 bytes. In parallel, the second technique decrypts on the basis of the 16 key bytes that have just been generated, which requires 256 bytes for the encrypted inverse substitution box. These 256 bytes add to the 272 bytes required for expansion, which implies a memory requirement of 272 + 256 = 528 bytes. Finally, the particular implementation of the aforementioned embodiment is to apply it to the AES-128. Thus, a gradual masked expansion is performed, and in parallel encryption (or decryption) using a substitution box (or a reverse substitution box) masked by masking the inverse function. This only requires 272 bytes. According to one embodiment, the masked inverse function MSK_INV_F, the affine function AFF_F and the inverse function R_AFF_F of the affine function AFF_F are implemented in the form of tables. According to one embodiment, these three functions apply to one byte and return one byte. They may be, for example, tables of 256 bytes each, the first byte of which contains the result of the function considered applied to byte 00, the second byte the result of the function considered applied to byte 01, and so on. immediately until the 256th byte, containing the result of the function considered applied to the FF byte (255 in hexadecimal). According to one embodiment, the method is implemented in the form of software stored elsewhere than in the memory MEM (for example in a non-volatile memory such as an EEPROM or Flash, or even a non-rewritable memory, such as a ROM). The method can provide fixed addresses for the three tables (or for some of them only). For example, the method can provide two predetermined addresses in ROM (or in an EEPROM or Flash other than that possibly included in the memory MEM) for the tables representing the affine function AFF_F and the inverse function R_AFF_F of the affine function AFF_F, and a predetermined address in the memory MEM to store the table corresponding to the hidden inverse function MSK_INV_F. This saves the MEM memory that might be needed to store the value of these addresses. In addition the use of a table is a possibility to get rid of a function call. The software implementing the method can for example read the result of the masked inverse function applied to any byte by reading the memory MEM directly to the predefined address of the table representing this masked inverse function to which the value of the memory is added. 'byte. For example, if the table is stored at the address $ 12F0, the method can obtain the hidden inverse of the byte having the value B7 by reading the contents of the address $ 13A7.

According to one embodiment, a method implements several methods of encrypting or decrypting data in the context of the same session using a method according to one of the preceding embodiments.

The session may correspond to the interval between the power-on and the power off of the electronic device (eg introduction of a smart card into a reader, transaction, and removal of the smart card). The session can also be a logical session, for example a session following the PKCS # 11 C_OpenSession () command that allows you to open a cryptographic session with a PKCS # 11 compatible electronic device (whether it is a card smart or a larger computer, for example a server or an HSM, the English "Hardware Security Module"). Encryption and decryption operations can be implemented in a multitasking environment. It can be cooperative multitasking ("false multitasking") or preemptive multitasking ("true multitasking"). In a cooperative multitasking system, an electronic device provides different functions (in this case cryptographic functions), and the call to several functions is possible in parallel if the various functions make the hand. In a preemptive multitasking, an operating system (rather than the function itself) allocates portions of the processor's available time (see separate processors, in the case of a multiprocessor electronic device) to each function (task). Some electronic devices, although having a large amount of MEM memory (for example a large RAM), may be limited because of the large number of parallel calculations implementing the cryptographic algorithm. This may be the case, for example, with an HSM or with a TLS / SSL accelerator. Although in such cases it is possible to hide the inverse function only once for all the instances in progress, it may be preferable from the point of view of security to use a different masking for each instance. method being then advantageous by the memory saving it confers. According to one embodiment, a computer program comprises a series of instructions, which when executed by a processor MP of an electronic device SCARD, causes the processor MP to implement a method according to an embodiment . The electronic device can thus be an SCARD chip card, comprising a microcontroller, the microcontroller comprising an MP processor connected to other components such as one or more memories (RAM, EEPROM, Flash, ROM, etc.), components input-output, etc. The computer program can be written in assembler language, or possibly in high level language (such as C language for example) compiled and whose resulting assembly code is possibly retouched for optimization and / or securing purposes.

According to one embodiment, a non-transitory computer readable storage medium stores a computer program according to one embodiment. This storage medium can be in particular a memory (for example EEPROM, Flash or ROM), possibly integrated into a system such as a USB key, a smart card, a memory card, etc. According to one embodiment, an electronic device SCARD comprises a memory MEM and a memory optimization circuit MP. The circuit MP is arranged when the electronic device SCARD implements a cryptographic algorithm by protecting it against physical attacks by masking an SBOX substitution box and an inverse substitution box INV_SBOX (the substitution box SBOX comprising a inverse function INV_F followed by an affine function AFF_F, the inverse substitution box INV_SBOX comprising the reciprocal function R_AFF_F of the affine function AFF_F followed by the inverse function INV_F), to generate a masked reverse function MSK_INV_F by masking the inverse function INV_F. The protection circuit MP may be a processor of the user electronic device associated with a non-volatile memory storing software adapted for the implementation of the method by the processor. But it can also be a dedicated electronic circuit integrated in the electronic device, such as an ASIC, an FPGA (or PAL, EPLD, PLD, CPLD, PLA variants, etc.) suitably configured (for example in VHDL ), or dedicated dedicated electronics. It is thus possible to secure a hardware implementation of a cryptographic algorithm. According to one embodiment, the electronic device is arranged to implement a key expansion phase (for example by the MP circuit), using the substitution box SBOX, as and when the implementation of encryption or decryption using the cryptographic algorithm. According to one embodiment, the electronic device is arranged to implement (for example by the MP circuit) the masked inverse function MSK_INV_F, the affine function AFF_F and the inverse function R_AFF_F of the affine function AFF_F in the form of tables. According to one embodiment, the electronic device is arranged to implement (for example by the MP circuit) several methods of encrypting or decrypting data in the context of the same session by minimizing the memory consumption MEM (thanks to the implementation of a method according to the invention). Of course, the present invention is not limited to the embodiments described above as examples; it extends to other variants. In addition, the method according to the invention is not exclusive of the use of other methods. For example, it is possible to combine the method according to the invention with other countermeasures or optimization of the use of the memory.

Claims (10)

REVENDICATIONS1. A method for optimizing the use of the memory (MEM) of an electronic device (SCARD), when the electronic device (SCARD) implements a cryptographic algorithm (AES) by protecting it against physical attacks by masking a substitution box (SBOX) and an inverse substitution box (INV SBOX), the substitution box (SBOX) comprising an inverse function (INV_F) followed by an affine function (AFF_F), the inverse substitution box ( INV_SBOX) comprising the reciprocal function (R_AFF_F) of the affine function (AFF_F) followed by the inverse function (INV_F), the method generating a hidden inverse function (MSK_INV_F). 2. Method according to claim 1, comprising a key expansion phase using the substitution box (SBOX), the key expansion phase being implemented as and when implementing encryption or decryption using the cryptographic algorithm (AES). 3. Method according to claim 1 or 2, the hidden inverse function (MSK_INV_F), the affine function (AFF_F) and the reciprocal function (R_AFF_F) of the affine function (AFF_F) being implemented in the form of tables. 4. A method implementing several methods of encryption or decryption of data in the context of the same session using a method according to one of the preceding claims. A computer program comprising a series of instructions, which when executed by a processor (MP) of an electronic device (SCARD), causes the processor (MP) to implement a method according to the one of the preceding claims.7 6. Non-transitory computer-readable storage medium, the medium storing a computer program according to claim 5. 7. Electronic device (SCARD) comprising a memory (MEM) and a memory optimization circuit (MP), the circuit (MP) being arranged, when the electronic device (SCARD) implements a cryptographic algorithm (AES) in protecting against physical attacks by masking a substitution box (SBOX) and an inverse substitution box (INV SBOX), the substitution box (SBOX) comprising an inverse function (INV_F) followed by an affine function (AFF_F), the inverse substitution box (INV_SBOX) including the inverse function (R_AFF_F) of the affine function (AFF_F) followed by the inverse function (INV_F), to generate a hidden inverse function (MSK_INV_F). 8. Electronic device (SCARD) according to claim 7, arranged to implement a key expansion phase, using the substitution box (SBOX), as and when implementing encryption or encryption. decryption using the cryptographic algorithm (AES). 9. electronic device (SCARD) according to claim 7 or 8, arranged to implement the masked inverse function (MSK_INV_F), the affine function (AFF_F) and the inverse function (R_AFF_F) of the affine function (AFF_F) in the form of tables. 10. Electronic device (SCARD) according to one of claims 7 to 9, arranged to implement several methods of encryption or decryption of data in the context of the same session by minimizing memory consumption (MEM).