Classifications

• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
  • G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
  • G06F7/723—Modular exponentiation
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/002—Countermeasures against attacks on cryptographic mechanisms
  • H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
  • G06F2207/7219—Countermeasures against side channel or fault attacks
  • G06F2207/7223—Randomisation as countermeasure against side channel attacks
  • G06F2207/7233—Masking, e.g. (A**e)+r mod n
  • G06F2207/7238—Operand masking, i.e. message blinding, e.g. (A+r)**e mod n; k.(P+R)
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/04—Masking or blinding

Definitions

• the invention relates to methods for protecting cryptographic devices against side channel attacks, and to cryptographic devices embedding such methods.
• cryptographic devices are devices implementing cryptographic mechanisms.
• Examples of cryptographic devices include smart cards, USB keys, dongles, Personal Digital Assistants (a.k.a PDAs), mobile phones, personal computers (a.k.a PCs), etc.
• Such cryptographic devices are used in particular for securing a user's electronic transactions.
• the expression "electronic transaction" is to be taken in its broadest meaning. I.E. it is not limited to financial transaction but also contain any Internet transaction, any transaction occurring through a telecommunication network etc.
• Securing electronic transactions may comprise the cryptographic mechanisms of digitally signing electronic documents, decrypting electronic documents, negotiating session keys with a third party and/or authenticating a user.
• the above four cryptographic mechanisms are well known in the art. They are not limitative (other cryptographic mechanisms exist), and not mandatory (for example a cryptographic device does not necessarily embed a digital signature mechanism).
• Cryptographic mechanisms have an input and an output.
• an encryption mechanism may have an input consisting of a plaintext and an output consisting of a ciphertext.
• an input consisting of a plaintext
• an output consisting of a ciphertext.
• side channel attacks rely on the fact that a cryptographic device has input and output means other than the legitimate input and output means.
• use of illegitimate input means may comprise altering cryptographic operations by heating the cryptographic device, by modifying its clock (e.g.
• illegitimate output means may comprise analyzing the power consumption of the cryptographic device (e.g. an electronic component requires more electric power to perform a complex operation such as "square and multiply” than it does for a simple operation such as "square only"), analyzing the electromagnetic field created by the cryptographic device, analyzing the sounds emitted by the cryptographic device, etc.
• Well-known side channel attacks include Simple Power Analysis (SPA), Differential Power Analysis (DPA) or Differential Fault Analysis (DFA).
• Cryptographic mechanisms consist of mechanisms involving at least a secret D which is supposed to be stored securely in a cryptographic device. D should not be leaked outside the cryptographic device through any attack.
• D can be represented in the form of an n-bit number (do, d-i, ... d n -i)2, where dj is a bit (for each integer i between 0 and n-1).
• the exponent D will be denoted ⁇ d 0 , d-i, ... d n- i ⁇ 2 instead of (do, d-i, ...
• a monoid (M, 1) is defined as an algebraic set, the set being closed under an associative binary operation 1, the set having an identity element. Contrary to a group, in a monoid every element does not necessarily have an inverse.
• the operation 1 can also be represented with other symbols. For example, the operation 1 can be represented as an additive operation (symbol +), as a multiplicative operation (symbol *), etc. This representation is purely formal and does not affect the properties of the monoid.
• monoids will be represented with the multiplicative operation *, and will be denoted ⁇ M, * ⁇ instead of (M, *) in order not to introduce any ambiguity with the reference signs placed in the claims between parentheses as per the European Patent Convention.
• Monoids are widespread in cryptography. The most widespread monoids in the field of cryptography are large monoids having many invertible elements, e.g. 2 80 invertible elements. For example, with the RSA algorithm, almost all elements are invertible (the exceptions being in particular the multiples of p and q).
• M * denotes the set containing all invertible elements of the set M of the monoid ⁇ M, * ⁇ .
• X 2 is called a squaring operation and stands for X*X.
• X n stands for X*X*... * X where X appears n times.
• Y*Z is called a multiplication operation.
• the invention improves the resistance of above-mentioned particularly sensitive cryptographic mechanisms to side channel attacks. Examples of such mechanisms include elliptic curve point multiplications, and modular exponentiations used when performing an RSA operation or a Diffie Hellman key establishment.
• the invention also limits the amount of processing required for securing the cryptographic mechanisms. It does so by introducing a particular type of masking mechanism (also known as blinding mechanism).
• Figure 2 represents a cryptographic mechanism with a first level of protection against side channel attacks, known in the art as the "balanced modular exponentiation algorithm”.
• Figure 3 represents a cryptographic mechanism with a second level of protection against side channel attacks, known in the art as "Joye & Al. modular exponentiation algorithm”.
• Figure 4 represents a possible masking mechanism for modular exponentiation.
• Figure 5 represents a preferred cryptographic mechanism according to the invention, offering a higher level of protection against side channel attacks.
• Figure 6 and Figure 7 represent variants of the mechanism of Figure 5.
• Figure 1 describes an example of cryptographic mechanism consisting of a modular exponentiation. This sort of modular exponentiations is implemented in particular with RSA and Diffie Hellman algorithms.
• step 2 for each bit dj of the exponent D, a modular squaring is performed (sub-step 2.i). When dj is equal to 1 , a modular multiplication is performed (sub-step 2. N). D is usually derived from a random number. In general, the hamming weight of D is approximately n/2. Therefore, in general the method of Figure 1 involves n modular squaring operations and around n/2 modular multiplications.
• this type of cryptographic mechanisms is extremely sensitive even to the simplest side channel attacks such as SPA. Indeed, the power consumption is not the same during the execution of the multiplication operation and of the squaring operation. Therefore, one can put a probe on the cryptographic device implementing the cryptographic mechanism, measure the power consumption, and distinguish the multiplication and the squaring in the power trace, thereby identifying the value of all bits dj. The exponent D is then recovered by the attacker.
• Figure 2 describes an example of cryptographic mechanism comprising a first level of protection against side channel attacks, known in the art as the "balanced modular exponentiation algorithm"
• This method is similar to the one of Figure 1 , except that when dj is equal to 0, a third step iii is added, in which a dummy multiplication is executed. Thanks to this third step, the power consumption is very close whether the bit is equal to 0 or to 1.
• this method remains very sensitive to another side channel attack known as the SE attack (safe error attack). Indeed, if the cryptographic mechanism is disrupted during a dummy multiplication, the multiplication fails, but the final result remains unaffected since the dummy multiplication is not used for the final result. Therefore an attacker can find out the dummy bits, which are bits equal to 0 in this example, and infer that all other bits are equal to 1 , which results in the secret value of D being recovered.
• SE attack safety error attack
• Figure 3 describes an example of known cryptographic mechanism comprising a second level of protection against side channel attacks, known in the art as "Joye & Al. modular exponentiation algorithm", and disclosed at CHES 2002 by Joye and Yen. It is based on the Montgomery Ladder algorithm.
• the cryptographic mechanism of Figure 3 aims at overcoming the limitation of the cryptographic mechanism of Figure 2. To this end, there is no more dummy operation. Instead, The result of all multiplications is used in the final result (except in the last round). Therefore disturbing the mechanism always leads to an erroneous output.
• the masking may consist in multiplying the input element with a random number, thereby rendering the prediction step of the DPA attacks impossible.
• the technique shown on Figure 4 requires approximately 4*n operations, which makes it twice slower than previous techniques.
• the technique shown on Figure 4 also performs the modular exponentiation twice. A first time for the masked input, and another time for the mask used for the masking. Due to this double modular exponentiation, the secret exponent D is used twice, which potentially weakens the mechanism.
• a cryptographic mechanism involves a secret D which can be represented as an n-bit number ⁇ d 0 , di, ... d n- i ⁇ 2-
• the cryptographic mechanism is arranged to calculate an output element OUT equal to X D , X being an element of a monoid ⁇ M, * ⁇ .
• the mechanism comprises a first variable VAR 0 and a second variable VARi.
• the cryptographic mechanism comprises n steps
• Each step SQi is executed after the step MULj for any i between 0 and n-1
• each step MULM is executed after step MULj for any i between 1 and n-1.
• the mechanism is characterized in that it comprises the steps of: a. generating a random element MSKJNPUT, b.
• step d occurs at any time between step a and step e, and wherein the steps a, b, c, e are consecutive.
• the computation of the output mask can take place together with the computation of the masked output element.
• this computation can also take place serially (either after, as shown on step 4 of the figure, or before). It is also possible to perform this computation in parallel, for example inside two different threads, as depicted on Figure 7 (CF. steps 3a and 3b).
• the DPA attack is no longer applicable, as the attacker does not know the mask and does not have the possibility to make assumptions regarding the intermediate results.
• the element X can be an input element supplied to the cryptographic mechanism by another mechanism, or can be generated inside the cryptographic mechanism.
• the current time may be determined securely inside the mechanism and then digitally signed inside the mechanism.
• the output element OUT can be communicated by the cryptographic mechanism to another mechanism, can be kept internally in the cryptographic mechanism, or can be post-processed in the cryptographic mechanism and sent to another mechanism in the post-processed form.
• the cryptographic mechanism according to the invention is such that the random element MSKJNPUT belongs to M * (the set of invertible elements of M, as seen above).
• MSKJNPUT is equal to a value R, we denote by R "1 the inverse of R for the operation * of the monoid ⁇ M, * ⁇ .
• R the inverse of R for the operation * of the monoid ⁇ M, * ⁇ .
• This is advantageous in particular for mechanisms associated with a function g such that the computation of the function g may be executed by involving the steps R_SQj. More specifically, in a preferred mechanism according to the invention,
• the masked element MASKED_X is equal to X*R and the output element OUT is equal to MASKED_OUT*MSK 0 , MSK n being equal to R "1 , the initial value of the first variable VAR 0 being set to the value R of the random element, the initial value of the second variable VARi being set to the value of the masked element MASKED_X, each step MULj consisting in calculating VAR 1 -(ZVARdI and storing the result in VAR-i-di, each step SQi consisting in calculating VARd * VARdi and storing the result in VAR d ⁇ .
• Figure 5 describes an example of such preferred embodiment of the invention comprising:
• a first step in which a random number is generated This can be done for example by a hardware random number generator embedded in a cryptographic device implementing the cryptographic mechanism. Indeed, the random number is preferably as unpredictable as possible, which is best achieved with hardware means as known in the art;
• the cryptographic mechanism uses the element X and the secret D as inputs.
• the secret D is stored securely and therefore does not need to be passed to the cryptographic mechanism each time the cryptographic mechanism is invoked.
• the element X is generally passed to the cryptographic mechanism as an input parameter, but may also be determined by the cryptographic mechanism itself (e.g. as seen above with time stamps based on a clock available in the cryptographic mechanism, etc.).
• the invention also concerns a cryptographic device storing a secret D and implementing a cryptographic mechanism as described above.
• the invention concerns more particularly cryptographic devices of the smart card type.
• the invention is particularly advantageous for embedded systems such as smart cards as it has very few additional requirements compared to state of the art cryptographic mechanisms. It is well suited to the RSA algorithm. Indeed, it does not require any additional information on the key material compared to traditional cryptographic mechanisms. In particular, it does not require the public exponent of the RSA key pair to be available to the cryptographic mechanism.
• the complexity of the preferred embodiment of Figure 5 involves approximately 2*n square operations and n multiplications, i.e. around 3*n CPU intensive operations, which is only 50% more than the closest method (Montgomery ladder of Figure 3), and does not require much more RAM (50% at most).
• This situation corresponds to a weak output mask, since it is equivalent to not having an output mask (the masked output and the output are equal).
• This weakness is hard to exploit, and is very unlikely to happen.
• the probability of a random element leading to a weak mask is very low. For example, it is estimated that for RSA 2048, the probability of picking a weak random element is at most equal to 1.9*10 '7 .
• the probability depends on the value of the RSA key, and in practice it is often much lower than the above value.
• the probability can be made arbitrarily small by picking several invertible random elements and multiplying them together (only if all elements are weak will the product of the elements be weak).

Landscapes

• Engineering & Computer Science (AREA)
• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Pure & Applied Mathematics (AREA)
• Computational Mathematics (AREA)
• Mathematical Analysis (AREA)
• Mathematical Optimization (AREA)
• Computer Security & Cryptography (AREA)
• Theoretical Computer Science (AREA)
• Signal Processing (AREA)
• Computer Networks & Wireless Communication (AREA)
• Computing Systems (AREA)
• Mathematical Physics (AREA)
• General Engineering & Computer Science (AREA)
• Storage Device Security (AREA)

Priority Applications (3)

Applications Claiming Priority (2)

Publications (1)

Family

ID=36688104

Family Applications (1)

Country Status (4)

Families Citing this family (38)

Citations (3)

Family Cites Families (14)

• 2006
  • 2006-03-31 EP EP06300320A patent/EP1840732A1/en not_active Withdrawn
• 2007
  • 2007-03-23 US US12/282,210 patent/US8402287B2/en not_active Expired - Fee Related
  • 2007-03-23 EP EP07734060A patent/EP2002331A1/en not_active Withdrawn
  • 2007-03-23 WO PCT/IB2007/000728 patent/WO2007116262A1/en not_active Ceased
  • 2007-03-23 JP JP2009502237A patent/JP5412274B2/ja not_active Expired - Fee Related

Patent Citations (3)

Non-Patent Citations (3)

Also Published As

Similar Documents

Legal Events