WO2008064704A1 - Method and device for preventing information leakage attacks on a device implementing a cryptographic function - Google Patents

Method and device for preventing information leakage attacks on a device implementing a cryptographic function

Info

Publication number
WO2008064704A1
Authority
WO
WIPO (PCT)
Prior art keywords
binary word
masked
bit
layer
input
Prior art date
Application number
PCT/EP2006/011490
Other languages
English (en)
Inventor
Jovan Golic
Original Assignee
Telecom Italia S.P.A
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telecom Italia S.P.A
Priority to PCT/EP2006/011490
Publication of WO2008064704A1

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/76 Arrangements for rearranging, permuting or selecting data according to predetermined rules, independently of the content of the data
    • G06F7/764 Masking
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219 Countermeasures against side channel or fault attacks
    • G06F2207/7223 Randomisation as countermeasure against side channel attacks
    • G06F2207/7233 Masking, e.g. (A**e)+r mod n
    • G06F2207/7238 Operand masking, i.e. message blinding, e.g. (A+r)**e mod n; k.(P+R)
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding
    • H04L2209/046 Masking or blinding of operations, operands or results of the operations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry

Definitions

  • the present invention generally relates to the field of cryptography, particularly to cryptographic methods and devices and, even more particularly, to methods for preventing information leakage attacks on integrated circuits implementing cryptographic functions in hardware or software.
  • Cryptographic functions dealing with secret keys can be implemented either in software or in hardware on microelectronic data-processing devices such as, for example,
  • IC chip cards sometimes also referred to as “smart cards”
  • tamper-resistant IC chips are produced: in such IC chips, special physical countermeasures are specifically provided for, in order to protect the underlying IC against tampering, such as, for example, protective layers and various sensors, detectors, and filters.
  • sensitive information may leak out through various side channels, such as, for example, by measuring signal timings, power consumption, and radiated electromagnetic energy, as well as by monitoring the signals by microprobing.
  • Timing and power analysis attacks are very powerful, as they do not require expensive resources, and, moreover, most implementations of cryptographic functions, especially in software, are vulnerable to such attacks, unless specific countermeasures are incorporated. Timing and power analysis attacks can utilize single or multiple measurements.
  • DPA Differential Power Analysis
  • the basis of power analysis attacks are elementary computations within the device used to implement the cryptographic function (the cryptographic device), computations which depend on the secret key information and on the known input and/or output information. If, in addition, the power consumption corresponding to these elementary computations depends on the values being computed, then the cryptographic device's power consumption curves contain information about the secret key, and such information may be extracted by statistical techniques, so as to reconstruct the secret key.
  • Software implementations of cryptographic functions, in which the operations are synchronized by the clock of the data processing unit, usually a microprocessor, running the algorithm that implements the cryptographic function, are especially vulnerable to power analysis attacks.
  • Hardware implementations of cryptographic functions are also potentially vulnerable to power analysis attacks, although a higher sampling frequency may be required for obtaining the power consumption curves.
  • a general algorithmic strategy to counteract power analysis attacks is to randomize the computations that depend on the secret key, by masking the original data with random masks, and by modifying the computations accordingly. This can be done for software or hardware implementations.
  • An approach of this type given in L. Goubin and J. Patarin, "DES and differential power analysis - The duplication method," Cryptographic Hardware and Embedded Systems - CHES '99, Lecture Notes in Computer Science, vol. 1717, pp.
  • US patent application No. US 2001/0053220 A1 contains a similar proposal, except that the data parts can also be bit-permuted.
  • the nonlinear parts of the algorithm, such as the S-boxes, can be implemented as lookup tables being updated accordingly (in Random Access Memory - RAM).
  • the Applicant points out that the data splitting technique is essentially equivalent to the random masking technique investigated in T. Messerges, "Securing the AES finalists against power analysis attacks," Fast Software Encryption - FSE 2000, Lecture Notes in Computer Science, vol. 1978, pp. 150-164, 2001, except that in the latter, instead of performing duplicate computations on data shares, one performs a modified computation involving the original data and the random masks applied. All three mentioned approaches are primarily intended for software implementations.
  • a secure computation at the binary word level in software, in general does not imply a secure computation at the bit level, in hardware, although the word-level security may provide more resistance to more sophisticated power analysis attacks such as, for example, the higher-order DPA attacks.
  • the secure computation condition at the bit level is necessary for providing resistance to (the first- order) DPA attacks and may also be sufficient in practice, although individual logic gates do not achieve their final (random) values simultaneously and, in the transition stage, their output values may vary (randomly) and may depend on their previous inputs. This effect is also present in software implementations and, in fact, generally makes the power analysis of non-masked implementations more difficult, especially for logic circuit implementations in hardware.
  • the masking operation that combines the data (input, output, and intermediate) with a random mask is typically adapted to the nature of the mathematical operations used in the cryptographic algorithm, because in this way the required modifications in the computations are minimized.
  • a group operation being, according to the group theory, an operation, defined on a set, that is associative, has an identity element and is such that every element of the set has an inverse element).
  • any group operation used for masking is sufficient to perfectly randomize the data; thus, let it be assumed that the inputs x and y are randomized by the same group operation (denoted &) that produces the output z, using the random masks r_x and r_y, respectively. Then, in view of the fact that:
  • the group operations on binary words that are most frequently used in cryptographic algorithms are the bitwise exclusive OR (XOR) and the addition modulo an integer n which is a power of 2.
  • XOR bitwise exclusive OR
  • the bitwise XOR and the addition modulo 2^n of two n-bit words x and y are henceforth denoted as x ⊕ y and x + y, respectively.
  • the random masking based on the addition modulo 2^n is commonly called “arithmetic masking”
  • the random masking based on the addition modulo 2 (or bitwise XOR) is commonly called “Boolean masking" or "XOR masking".
  • the x ⊕ y and x + y operations are combined together for the cryptographic security.
  • the best-known examples are the widely used cryptographic hash function SHA-1 (National Institute of Standards and Technology, FIPS Publication 180-1, Secure Hash Standard, 1994), the block cipher IDEA (X. Lai and J. Massey, "A proposal for a new block encryption standard,” Advances in Cryptology - Eurocrypt '90, Lecture Notes in Computer Science, vol. 473, pp. 398-404, 1991), and the block cipher RC6 (R. L. Rivest et al., "The RC6 block cipher," v.1.1, Aug.
  • the SHA-1 incorporates a secret key if it is used for message authentication, for example, in the so-called HMAC construction.
  • HMAC Hash-I
  • there is a need to convert between the two masks in a computationally secure way i.e., a way secure against power analysis attacks such as DPA.
  • the Applicant has tackled the problem of finding secure solutions for mixed random masking of arbitrary Boolean functions in which the input is masked by an arithmetic mask and the output is masked by an XOR mask, where the Boolean functions can be implemented by lookup tables in software or by logic circuits in hardware. In particular, they may correspond to cryptographic functions involving both arithmetic and Boolean operations.
  • The Applicant has also tackled the problem of finding alternative secure solutions for XOR random masking of logic circuits implementing arbitrary Boolean functions, where both input and output are masked by an XOR mask, by combining the proposed solutions for mixed random masking with secure solutions for a conversion from XOR masking to arithmetic masking.
  • a secure solution at the bit level in hardware means that the output value of each logic gate in the digital logic circuit that implements a random masking algorithm or a random mask conversion algorithm should be statistically independent of the input data, the statistical independence being provided by the random masks.
  • security at the bit level in software means that each bit of the output value resulting from each software instruction, taking place in one processor cycle, should be statistically independent of the input data.
  • the underlying assumption for the secure computation is that the random mask is uniformly distributed, where with "uniformly distributed" it is intended, that all the mask values are randomly generated with equal probabilities. In particular, this can be achieved by using a fast random number generator implemented in hardware. Strictly speaking, ideally, a new mask has to be generated for each new input data to the cryptographic function being protected.
  • an efficient way to perform random masking of a multiplexer operation carried out in a cryptographic function comprises receiving the data input, masking the data input by an XOR random mask to obtain an XOR masked data input, receiving the control input, masking the control input by an arithmetic mask (by arithmetic subtraction or arithmetic addition) to obtain an arithmetically masked control input, feeding the XOR masked data input and the arithmetically masked control input to a masked logic circuit implementing the masked multiplexer (MUX) operation so as to obtain an XOR masked output, and then unmasking the XOR masked output.
  • MUX masked multiplexer
  • the masked MUX operation comprises rotating the bits of the XOR masked data input (to the right or to the left) a number of positions corresponding to an integer value expressed by the arithmetic mask and, then, applying the (unmasked) MUX operation to the rotated XOR masked data input by using the arithmetically masked control input.
  • a method of performing random masking of a multiplexer operation used in a cryptographic process is provided as set forth in appended claim 1.
  • the method comprises:
  • arithmetic random masking the second binary word using the arithmetic random mask to obtain a masked second binary word, wherein said arithmetic random masking comprises performing an operation selected from the group comprising an arithmetic subtraction and an arithmetic addition operation;
  • said first binary word may define a truth table of a Boolean function.
  • by random mask it is meant a random number used for performing a random masking operation on data; “random masking” is the operation of combining data with a random mask; an XOR random mask is combined as a binary word by the bitwise XOR operation and, in a special case, an n-bit XOR random mask may consist of the same random bit repeated n times as a binary XOR random mask; an n-bit arithmetic random mask is combined as an integer by integer subtraction or addition modulo 2^n.
  • the masking method according to the present invention is suitable for direct implementation in hardware, for example, by means of combinatorial logic circuits made up of standard logic gates, albeit implementation in software is not to be excluded.
  • the random masking method according to the present invention is, from a practical viewpoint, useful for providing protection against power analysis (e.g., DPA) and other side-channel attacks of hardware implementations of cryptographic algorithms, such as, for example, the keyed hash function SHA-1 used for message authentication in a number of widely spread cryptographic protocols or the block cipher standard AES used for message encryption.
  • DPA power analysis
  • cryptographic algorithms such as, for example, the keyed hash function SHA-1 used for message authentication in a number of widely spread cryptographic protocols or the block cipher standard AES used for message encryption.
  • aspects of the invention concern a device implementing the above random masking method, an integrated circuit integrating at least one of such logic circuit arrangements, a smart-card including at least one such integrated circuit.
  • a still further aspect of the invention concerns a Subscriber Identity Module (SIM) adapted to be used in conjunction with a user equipment in a communications network and including a smart-card as defined above.
  • SIM Subscriber Identity Module
  • Figure 1 shows schematically an exemplary scenario in which the present invention can be advantageously applied
  • Figure 2 schematically shows, in terms of functional blocks, a logic circuit adapted to implement a random masking method according to an embodiment of the present invention, for protecting software and hardware implementations of cryptographic functions against power analysis and other side-channel attacks;
  • Figure 4 schematically shows the circuit of Figure 3 in an exemplary case of the masking of a logic AND operation
  • Figure 5 schematically shows the circuit of Figure 4, completed with a circuit for the arithmetic masking of the input data.
  • the scenario considered is that of mobile communications systems, e.g., a mobile communications network such as, for example, a GPRS/EDGE or a third-generation, UMTS network, through which users equipped with suitable mobile communications terminals (or user equipments) 100 can communicate with each other, exchange messages and, possibly, multimedia contents, and surf over the Internet.
  • a mobile communications network such as, for example, a GPRS/EDGE or a third-generation, UMTS network
  • SIM Subscriber Identification Module
  • the SIM 105 is a smart-card module, with an IC chip 110 embedded therein.
  • the IC chip 110 typically includes a data processor, e.g., a microcontroller with suitable memory resources (ROM, RAM).
  • ROM read-only memory
  • RAM random access memory
  • the IC chip 110 is more and more required to perform sophisticated functions in addition to user authentication.
  • One of such functions is to implement cryptography; this is for example useful in those end-to-end contexts wherein users of the mobile communication network are allowed to exchange secure, i.e., encrypted and authenticated (SMS) messages as well as to authenticate each other on the end-to-end basis.
  • cryptography may be implemented in hardware, by integrating suitable logic circuitry.
  • random masking can be implemented at the very hardware level, i.e., at the level of the logic circuits that implement the chosen cryptographic function (e.g., the block cipher AES, used for encrypting the messages, or the hash function SHA-1 in the HMAC mode of operation, used for authenticating the messages).
  • a Random Number Generator (RNG) 140 preferably a fast RNG implemented in hardware in the IC chip 110, generates a random number which will be used as a random mask 145.
  • the random mask 145 is used to mask, through a masking operation (implemented in block 120), input data 115 to the cryptographic function to be performed.
  • the masking operation comprises a number of group operations, such as a bitwise XOR or a modulo 2^n integer addition/subtraction.
  • group operations such as a bitwise XOR or a modulo 2^n integer addition/subtraction.
  • these two operations are the most frequently used group operations that are typically performed on binary data words in nowadays common cryptographic algorithms: using them to mask the data avoids the need of modifying the corresponding elementary computations.
  • the masked input data are then fed to a masked logic circuit (a logic gate ensemble) 125, which performs masked elementary computations comprising the cryptographic algorithm.
  • such a circuit can be composed of logic MUX, AND, OR, XOR, and NOT gates and may possibly also include parts for the conversion between the different types of random masks used. If an elementary computation is, e.g., a bitwise XOR (dual considerations apply in the case of a modulo 2^n integer addition/subtraction) and the corresponding part of the masking operation is chosen to be the same group operation, then the corresponding part of the masked logic circuit 125 actually coincides with the original, non-masked circuit.
  • the masked logic circuit produces masked output data. At the final output, this masked output data is unmasked in the output block 130, to produce the desired output data 135 of the cryptographic function implemented.
  • the unmasking operation removes the random mask from masked data.
  • the inverse operations are the same bitwise XOR and modular subtraction/addition, respectively.
  • the underlying assumption for the secure computation is that the random mask is uniformly distributed, which can be achieved by using a fast random number generator implemented in hardware. Strictly speaking, ideally, a new mask has to be generated for each new input data to the cryptographic function being protected.
  • NOT operation or binary complement
  • logic AND operation or conjunction or multiplication modulo 2
  • ⁇ or without any symbol just by concatenating the symbols of the operands.
  • the 2-input MUX (“MUltipleXer”) operation which involves three operands, i.e., two data inputs a and b and one control input c, is denoted as MUX(a, b; c).
  • the MUX operation is equivalent to:
  • r and R are each uniformly distributed and mutually statistically independent, for any fixed values of the data and control inputs.
  • the objective is to compute securely an XOR-masked output bit z' = z ⊕ r, where the output masking bit r is the same as the data masking bit (i.e., the XOR mask applied to the output bit z coincides with the XOR mask applied to each data input in Y).
  • let ROT(Y; i) denote an operation of rotation, i.e., a cyclic permutation of the 2^n-bit word Y by i positions to the right, i.e.:
  • a method for securely computing an XOR masked output of a MUX operation performed on XOR masked data inputs and controlled by arithmetically masked control inputs calls for first rotating, e.g., to the right, the bits in the data input word by a number of positions corresponding to the integer value expressed by the arithmetic mask, and subsequently applying the MUX operation to the rotated data input word by using the arithmetically masked control input.
  • instead of rotating the bits of Y' to the right and subtracting the arithmetic mask from X, the bits of Y' can be rotated to the left and the arithmetic mask added to X.
  • in FIG. 2 there is schematically shown, in terms of functional blocks, a logic circuit arrangement adapted to implement the mixed random masking method described above, according to an embodiment of the present invention.
  • the logic circuit arrangement, globally denoted 200, comprises a block 205 adapted to implement the above-described ROT operation, followed by a block 210 adapted to implement the MUX operation, and 2^n XOR blocks 215.
  • the 2^n masked data inputs y'_{2^n-1} … y'_0 are fed to the block 205.
  • the block 205 is also fed with the arithmetic mask R = r_{n-1} … r_0, and performs a rotation, i.e., a cyclic permutation of the 2^n-bit word y'_{2^n-1} … y'_0 by a number of positions specified by the integer value of the arithmetic mask R.
  • each bit of the masked data input Y' and the control data word X'' as a whole are themselves also statistically independent of Y and X.
  • the XOR masking of the data input Y thus satisfies the secure computation condition at the outputs of the XOR logic gates 215; the arithmetic masking of the control input X may or may not satisfy the secure computation condition at the outputs of the logic gates involved in the subtractor block 220; for example, a direct implementation of the subtraction modulo 2^n by the school method for integer subtraction does not satisfy this condition at the level of the carry bits.
  • any method for a secure conversion from an XOR mask X'
  • the 2"-input MUX operation may be performed by means of a table lookup operation. As the integer subtraction operation needed for the arithmetic masking of the control input X and the table lookup operation needed for the 2"-input MUX operation can each be performed in one processor cycle, this implies that the proposed method then satisfies the secure computation condition on the word level in software.
  • the data input 7 may define the truth table of an arbitrary given Boolean function/of n variables.
  • the randomness condition to be satisfied is that the masks r and R are each uniformly distributed and mutually statistically independent, for any fixed value of the control input X.
  • the secure computation condition for the ROT operation is satisfied regardless of how this operation is implemented in hardware, in terms of logic gates and, also, regardless of the joint probability distribution of r and R as long as it is independent of X.
  • the ROT operation can be implemented in hardware in terms of a number n of layers of 2-input MUX gates, each layer being controlled by one bit of the arithmetic mask R.
  • the MUX gates are considered cyclically, in the form of a ring.
  • the 2^n-input MUX operation can also be implemented in terms of n layers of 2-input MUX gates, by using the known lookup table configuration.
  • the layer controlled by the bit x'' of the masked control input X'' contains
  • each 2-input MUX gate in the corresponding logic circuit. More precisely, the output of each 2-input MUX gate is uniformly distributed for each fixed value of the control input X and the data input Y.
  • the ROT operation block 205 is composed of a first layer of four 2-input MUX gates 305-0, 305-1, 305-2, and 305-3 and a second layer of four 2-input MUX gates 310-0, 310-1, 310-2, and 310-3.
  • the 2-input MUX gate 305-0 receives as inputs the bits y'_0 and y'_1
  • the 2-input MUX gate 305-1 receives as inputs the bits y'_1 and y'_2
  • the 2-input MUX gate 305-2 receives as inputs the bits y'_2 and y'_3
  • the 2-input MUX gate 305-3 receives as inputs the bits y'_3 and y'_0, as discussed in the foregoing
  • the bits y'_3 … y'_0 are the four bits of the XOR-masked input data Y'. All the MUX gates in the first layer are controlled by the bit r_0 of the arithmetic mask R.
  • the MUX gate 310-0 receives as inputs the outputs of the MUX gate 305-0 and the MUX gate 305-2; the MUX gate 310-1 receives as inputs the outputs of the MUX gate 305-1 and the MUX gate 305-3; the MUX gate 310-2 receives as inputs the outputs of the MUX gate 305-2 and the MUX gate 305-0; the MUX gate 310-3 receives as inputs the outputs of the MUX gate 305-3 and the MUX gate 305-1; all the MUX gates in the second layer are controlled by the bit r_1 of the arithmetic mask R.
  • the MUX operation block 210 comprises a first layer of two 2-input MUX gates 315-0 and 315-1 and a second layer of one 2-input MUX gate 320.
  • the output of the MUX gate 320 is the result z' of the computation.
  • the method of the present invention can in particular be used to mask a 2-input logic AND operation, which corresponds to a 4-input MUX operation.
  • the scheme of Figure 3 can be used, which in this case reduces to the scheme of Figure 4, because the input data Y reduces to 1 0 0 0 (i.e., the truth table of the logic AND operation); thus, the block 205 that implements the ROT operation can be implemented arbitrarily.
  • since the resistance against side-channel attacks such as DPA may be maintained even if different parts of a cryptographic algorithm are masked by the same collection of bits, it is in principle possible to reuse the same masking bits.
  • the number of masking bits needed reduces to 2, whereas the computation involving only the masking bits simplifies to r Q ⁇ ⁇ , r Q v ⁇ , r o r ⁇ , r 0 v -./-, or r 0 v r, , r o -r x , -,r o r x , -,r 0 v -,r, respectively.
  • if the MUX gates are implemented in terms of AND, OR, and NOT logic gates (or in terms of NAND gates only), then the secure computation condition remains satisfied on the logic gate level for the output MUX gate, but it is not satisfied for the two input MUX gates.
  • the auxiliary XOR masked bits x'_0 and x'_1 are first generated by the 2-input XOR gates
  • the bit x'_0 forms the control input to a 2-input MUX gate 420, which receives as data inputs the bit x'_1 and the output of a 2-input XOR gate 415 operating on the bit x'_1 and the arithmetic mask bit r_0.
  • the secure computation condition is thus satisfied at the outputs of the involved 2-input MUX and XOR gates.
  • a logic circuit for XOR masking of an n-input AND gate can be obtained by connecting together the logic circuits for XOR masking of the corresponding 2-input AND gates, where the input x'_0 is preferably used for the connection, as it induces a smaller delay.
  • a logic circuit for masking a 2-input OR gate can be obtained analogously, e.g., by using the equality (x_0 ∨ x_1) ⊕ r = (¬x_0 ∧ ¬x_1) ⊕ ¬r.
  • This logic circuit may be called a masked 2-input OR gate.
  • a logic circuit for XOR masking of an n-input OR gate can be obtained analogously.
  • any logic circuit composed of AND, OR, XOR, and NOT gates can be securely masked by XOR random masking.
  • an arbitrary Boolean function f can be securely masked, because it can be implemented by a circuit composed of those logic gates.
  • the constituent AND and OR logic gates are replaced by masked AND and OR gates, respectively, whereas the (linear) XOR and NOT gates are kept intact as they only (linearly) transform the input masking bits.
  • the secure computation condition is satisfied on the logic gate level if the masking bits for each AND and OR gate satisfy the required randomness conditions described above. Thanks to the present invention, secure random masking can be easily implemented both in software and in hardware, for example in IC chips, particularly albeit not limitatively in smart-cards and SIM cards, thereby making cryptographic algorithms implemented thereby secure even against subtle side-channel attacks such as DPA.
  • the masking method according to the present invention presented in a bit-based form (in a sense that all the elementary operations considered are on the bit level) is hence suitable for direct implementation in hardware, for example, by means of combinatorial logic circuits made up of standard logic gates.
  • the random masking method according to the present invention is, from a practical viewpoint, useful for providing protection against power analysis (e.g., DPA) and other side-channel attacks of hardware implementations of cryptographic algorithms, such as, for example, the keyed hash function SHA-1 used for message authentication in a number of widely spread cryptographic protocols or the block cipher standard AES used for message encryption.
  • power analysis e.g., DPA
  • other side-channel attacks e.g., the keyed hash function SHA-1 used for message authentication in a number of widely spread cryptographic protocols or the block cipher standard AES used for message encryption.
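The scheme the Definitions above describe, worked through end to end: the truth-table word Y is XOR-masked bit by bit with r, the control word X is arithmetically masked with R (subtraction for a right rotation, addition for a left rotation), the ROT block is built from n layers of 2-input MUX gates on a ring exactly as Figure 3 lays them out, the 2^n-input MUX is a table lookup, and the bit-level secure computation condition (every gate output uniformly distributed over the masks for every fixed X) is checked exhaustively. It also checks the remark that a schoolbook subtractor does not meet that condition at its borrow (carry) bits. This is an added example, not code from the patent or from Telecom Italia; the function names (rot_mux_layers, masked_mux, unmasked_output, gate_outputs_uniform, subtraction_borrows, borrows_uniform) and the exhaustive checks are my own, and the AND and OR truth tables are constructed inputs.

```python
"""Mixed random masking of a 2^n-input MUX (truth-table lookup) as described
on this page; added illustration, not the patent's own code. Bit i of a word
is stored at list index i, so y_0 comes first."""
import itertools


def bits_of(value, n):
    """Little-endian bit list of an n-bit integer (index k holds bit k)."""
    return [(value >> k) & 1 for k in range(n)]


def rot_mux_layers(word, r_bits, direction="right"):
    """ROT(word; R) built from n layers of 2-input MUX gates on a ring: layer k
    is controlled by mask bit r_k and moves every bit by 2^k positions when
    r_k == 1 (first layer pairs y'_j with y'_{j+1}, second y'_j with y'_{j+2},
    as in Figure 3). Returns the rotated word and every MUX gate output, so the
    caller can test the gate-level secure computation condition."""
    m = len(word)
    sign = 1 if direction == "right" else -1
    cur = list(word)
    gate_outputs = []
    for k, r_k in enumerate(r_bits):
        step = 1 << k
        cur = [cur[(j + sign * step) % m] if r_k else cur[j] for j in range(m)]
        gate_outputs.extend(cur)
    return cur, gate_outputs


def masked_mux(truth_table, x, r, R, n, direction="right"):
    """Securely compute z' = MUX(Y; X) XOR r for the 2^n-bit data word Y.
    r is the XOR mask bit applied to every data bit and to the output; R is the
    n-bit arithmetic mask. Right rotation pairs with X'' = X - R mod 2^n, left
    rotation with X'' = X + R mod 2^n (the two variants the page gives).
    Returns (z', outputs of the ROT-block MUX gates)."""
    m = 1 << n
    assert len(truth_table) == m
    y_masked = [y ^ r for y in truth_table]             # the 2^n XOR gates
    x_masked = (x - R) % m if direction == "right" else (x + R) % m
    rotated, gates = rot_mux_layers(y_masked, bits_of(R, n), direction)
    z_masked = rotated[x_masked]                        # 2^n-input MUX as a lookup
    return z_masked, gates


def unmasked_output(truth_table, x, r, R, n, direction="right"):
    """Remove the XOR mask from z'; must equal truth_table[x] for all r, R."""
    z_masked, _ = masked_mux(truth_table, x, r, R, n, direction)
    return z_masked ^ r


def gate_outputs_uniform(truth_table, n, direction="right"):
    """Bit-level secure computation condition: for every fixed control input X,
    each ROT MUX output and the masked output z' must be uniformly distributed
    over the masks (r uniform, R uniform and independent of r). Exhaustive."""
    m = 1 << n
    for x in range(m):
        ones, trials = None, 0
        for r, R in itertools.product((0, 1), range(m)):
            z_masked, gates = masked_mux(truth_table, x, r, R, n, direction)
            vals = gates + [z_masked]
            ones = [0] * len(vals) if ones is None else ones
            for i, v in enumerate(vals):
                ones[i] += v
            trials += 1
        if any(2 * c != trials for c in ones):
            return False
    return True


def subtraction_borrows(x, R, n):
    """Borrow bits of the schoolbook computation of (x - R) mod 2^n, i.e. the
    intermediate signals a direct subtractor circuit would expose."""
    borrows, borrow = [], 0
    for k in range(n):
        xk, rk = (x >> k) & 1, (R >> k) & 1
        borrow = int(xk - rk - borrow < 0)
        borrows.append(borrow)
    return borrows


def borrows_uniform(n):
    """Same uniformity test on the subtractor's borrow bits. This fails: with
    x_0 = 1 the first borrow is 0 whatever R is, and the next borrow is
    r_1 OR r_0 when x = 0, so the borrows depend on X."""
    m = 1 << n
    for x in range(m):
        ones = [0] * n
        for R in range(m):
            for k, b in enumerate(subtraction_borrows(x, R, n)):
                ones[k] += b
        if any(2 * c != m for c in ones):
            return False
    return True


AND_TABLE = [0, 0, 0, 1]   # y_3 y_2 y_1 y_0 = 1 0 0 0, index = x_1 x_0 (constructed)
OR_TABLE = [0, 1, 1, 1]    # 2-input OR as a 4-input MUX truth table (constructed)

if __name__ == "__main__":
    for x in range(4):
        print("AND", x, unmasked_output(AND_TABLE, x, r=1, R=2, n=2))
    print("ROT/MUX gates uniform:", gate_outputs_uniform(AND_TABLE, 2),
          gate_outputs_uniform(OR_TABLE, 2, "left"))
    print("subtractor borrows uniform:", borrows_uniform(2))
```

The uniformity check is the property a reviewer of such a circuit actually wants: every intermediate bit of the ROT block is some y'_i = y_i ⊕ r, so it is uniform as long as r is, whatever the joint distribution of r and R, which is the page's claim for the ROT operation; the borrow check shows why the page warns that a plain subtractor for the X - R conversion needs a secure conversion method instead.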

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un procédé de prévention d'attaques par fuite d'informations pendant l'exécution d'une fonction cryptographique, consistant à effectuer un masquage aléatoire d'une opération de multiplexeur XOR masquant un premier mot binaire de façon bit par bit, pour obtenir un premier mot binaire masqué; à masquer de façon aléatoire et arithmétique un second mot binaire pour obtenir un second mot binaire masqué, le masquage aléatoire arithmétique étant une opération soit de soustraction arithmétique, soit d'addition arithmétique; à faire tourner les bits dans le premier mot binaire masqué d'un nombre de positions vers la gauche ou vers la droite pour obtenir un premier mot binaire masqué tourné, le nombre de positions se rapportant à une valeur d'entier exprimée par le masque aléatoire arithmétique; à sélectionner un bit du premier mot binaire masqué tourné comme dans l'opération de multiplexeur sur la base d'une valeur du second mot binaire masqué. En particulier, ledit premier mot binaire peut définir une table de vérité d'une fonction booléenne.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2006/011490 WO2008064704A1 (fr) 2006-11-30 2006-11-30 Method and device for preventing information leakage attacks on a device implementing a cryptographic function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2006/011490 WO2008064704A1 (fr) 2006-11-30 2006-11-30 Method and device for preventing information leakage attacks on a device implementing a cryptographic function

Publications (1)

Publication Number Publication Date
WO2008064704A1 true WO2008064704A1 (fr) 2008-06-05

Family

ID=38229533

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2006/011490 WO2008064704A1 (fr) 2006-11-30 2006-11-30 Method and device for preventing information leakage attacks on a device implementing a cryptographic function

Country Status (1)

Country Link
WO (1) WO2008064704A1 (fr)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6295606B1 (en) * 1999-07-26 2001-09-25 Motorola, Inc. Method and apparatus for preventing information leakage attacks on a microelectronic assembly
WO2006058561A1 (fr) * 2004-12-01 2006-06-08 Telecom Italia S.P.A. Method and device for hardware-oriented conversion between arithmetic and Boolean random masking

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Goubin L., "A sound method for switching between Boolean and arithmetic masking", in Koç C. K. et al. (eds.), Cryptographic Hardware and Embedded Systems, 3rd International Workshop, CHES 2001, Paris, France, May 14-16, 2001, Proceedings, Lecture Notes in Computer Science vol. 2162, Springer, Berlin, 14 May 2001 (2001-05-14), pages 3-15, XP008002644, ISBN: 3-540-42521-7 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9847879B2 (en) 2010-11-08 2017-12-19 Morpho Protection against passive sniffing
WO2012062994A1 (fr) * 2010-11-08 2012-05-18 Morpho Protection against passive eavesdropping
FR2967322A1 (fr) * 2010-11-08 2012-05-11 Morpho Protection against passive eavesdropping
FR2998692A1 (fr) * 2012-11-28 2014-05-30 Oberthur Technologies Cryptographic processing method comprising Boolean operations on arithmetically masked data, and corresponding devices and computer program product
WO2015089300A1 (fr) * 2013-12-12 2015-06-18 Cryptography Research, Inc. Gate-level masking
US9569616B2 (en) 2013-12-12 2017-02-14 Cryptography Research, Inc. Gate-level masking
US10311255B2 (en) 2013-12-12 2019-06-04 Cryptography Research, Inc. Masked gate logic for resistance to power analysis
US11386236B2 (en) 2013-12-12 2022-07-12 Cryptography Research, Inc. Masked gate logic for resistance to power analysis
US11861047B2 (en) 2013-12-12 2024-01-02 Cryptography Research, Inc. Masked gate logic for resistance to power analysis
WO2015192206A1 (fr) * 2014-06-16 2015-12-23 Polyvalor, Limited Partnership Methods for securing an application and data
EP3593500A4 (fr) * 2017-03-08 2021-04-28 Robert Bosch GmbH Method for mitigating voltage-based attacks on key agreement over a CAN network
US11385893B2 (en) * 2018-04-17 2022-07-12 Thales Dis France Sa Method secured against side-channel attacks performing an arithmetic operation of a cryptographic algorithm mixing Boolean and arithmetic operations
WO2023232951A1 (fr) 2022-06-02 2023-12-07 Katholieke Universiteit Leuven Method and circuit for securely mapping a masked variable

Similar Documents

Publication Publication Date Title
US8050402B2 (en) Method and related device for hardware-oriented conversion between arithmetic and boolean random masking
Dobraunig et al. Isap v2.0
US6295606B1 (en) Method and apparatus for preventing information leakage attacks on a microelectronic assembly
Rivain et al. Provably secure higher-order masking of AES
Medwed et al. Fresh re-keying: Security against side-channel and fault attacks for low-cost devices
RU2357365C2 (ru) Method and device for performing a cryptographic computation
US7899190B2 (en) Security countermeasures for power analysis attacks
Cheng et al. Puffin: A novel compact block cipher targeted to embedded digital systems
WO2010132895A1 (fr) Nonce system for encrypting and decrypting a plaintext message with authentication
EP2820791A1 (fr) Countermeasure method against side-channel analysis for encryption algorithms using Boolean and arithmetic operations
Karri et al. Concurrent error detection of fault-based side-channel cryptanalysis of 128-bit symmetric block ciphers
WO2008064704A1 (fr) Method and device for preventing information leakage attacks on a device implementing a cryptographic function
Golic Techniques for random masking in hardware
KR100737171B1 (ko) Low-memory masking method for countering power analysis attacks on ARIA
Yu et al. Zero-correlation linear cryptanalysis of reduced-round SIMON
McEvoy et al. All-or-nothing transforms as a countermeasure to differential side-channel analysis
Li et al. Differential fault analysis on Camellia
Saha et al. White-box cryptography based data encryption-decryption scheme for iot environment
Agrawal et al. RCB: leakage-resilient authenticated encryption via re-keying
Boscher et al. Masking does not protect against differential fault attacks
Gupta et al. Correlation power analysis of KASUMI and power resilience analysis of some equivalence classes of KASUMI S-boxes
Gupta et al. Correlation power analysis on KASUMI: attack and countermeasure
Singh et al. Study & analysis of cryptography algorithms: RSA, AES, DES, T-DES, blowfish
Golić DeKaRT: A new paradigm for key-dependent reversible circuits
Courtois Self-similarity attacks on block ciphers and application to KeeLoq

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06829192

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06829192

Country of ref document: EP

Kind code of ref document: A1