WO2015144305A1

WO2015144305A1 - Memory efficient side-channel-protected masking

Info

Publication number: WO2015144305A1
Application number: PCT/EP2015/000625
Authority: WO
Inventors: Jürgen PULKUS
Original assignee: Giesecke & Devrient Gmbh
Priority date: 2014-03-26
Filing date: 2015-03-23
Publication date: 2015-10-01
Also published as: EP3123461A1; DE102014004378A1

Abstract

The invention creates a method in a processor for performing a cryptographic calculation. The performance of the calculation involves the application of a basic masking, by means of which intermediate values are used in the calculation as masked intermediate values. The performance of the calculation additionally involves the application of a folding and a secondary masking. The folding involves the calculation of the masked intermediate value using the unmasked intermediate value and at least one secondary intermediate value. The secondary masking involves the calculation, for each intermediate value masked by means of the basic masking, under random control, being performed either with the masked intermediate value or with the one's complement of the masked intermediate value.

Description

Memory Efficient Side Channel Protected Masking

The invention relates to a method for performing a cryptographic calculation using a cryptographic key that is protected against spying the key via page channel attacks.

Cryptographic calculations are e.g. often performed by general purpose processors (CPUs), alternatively often by crypto-coprocessors, which are dedicated processors to general processors. In particular, smart cards for payment or mobile applications often have processors (CPUs) with crypto coprocessors. Many chip cards for payments or mobile applications have crypto coprocessors specially designed for DES or AES (see next paragraph). Through a cryptographic calculation, input data is under

Use of a secret key processed to output data, e.g. Clear text data (input data) encrypted with a key to cipher data (output data) or vice versa Cipher data (input data) decrypted with a key to plain text data (output data). Examples of symmetric (encryption key = decryption key) cryptographic computations are the algorithms DES (Data Encryption Standard) and AES (Advanced Encryption Standard).

In AES, which is divided into several rounds (eg 10, 12 or 14), the input data and the key are divided into blocks and processed in blocks. Within each round, the data is processed byte by byte, so that in each case an input data byte (plaintext byte for encryption or cipher text byte for decryption) is processed with a key byte. Thus, for example, in the case of an AES encryption, which is shown schematically in excerpts in FIG. 2, a plaintext P is encrypted with a key K to form a ciphertext C. The plaintext P = pp ... ppp consists of a sequence of plaintext bytes p, the key K = kk ... kkk from a sequence of key bytes k. At the entrance of each round (shown in FIG. 2 in excerpts are the first two rounds R = 1 and R = 2), a partial computation is carried out on the basis of which a DPA attack will be described later by way of example. In the sub-calculation, a plaintext byte p with a key byte k is used (p Θ k), the result of the forgery in a (substitution) table S (S-box) is inserted and thereby an intermediate value x = S through a table access to the table S [p Θ k] is calculated. The intermediate value x is fed within the round to further computing steps such as ShiftRow, MixColumn, which are not shown in FIG. Key expansions and selection of key bits that are performed at AES are also not shown in FIG. Table accesses are particularly vulnerable to DPA attacks.

Because the power consumption of a processor (eg, in a smart card) depends on the data being processed, processor-implemented cryptographic computations are prone to side-channel attacks in which the processor's time-resolved power consumption is measured while performing the computation. In most cases, the power consumption is more closely dependent on the data's hamming weight, that is, the number of ones in the data in the binary representation. The power consumption of the processor during the duration of the calculation, recorded versus the time elapsed during the calculation, is called the current curve. Current curves of a processor for a calculation are recorded, for example, by means of an oscilloscope. In a DPA (Differential Power Analysis) attack, sometimes referred to as Correlation Power Attack (CPA), a plurality of current curves (eg, about 1000) are recorded and synchronized for structurally equal computation performed with randomly varying input data. In the calculation, output data is calculated using known input data and a secret key. For each possible value of the key, a time-resolved correlation curve between the synchronized current curves and the Hamming weight HW of the output data obtained with each key is calculated. The correlation curves for false keys consist of a more or less uniform noise, similar to the correlation curve shown in FIG. The correlation curve for the key with which the calculation was performed has a statistical conspicuousness in the form of a peak at a previously unknown time, similar to the correlation curve shown in FIG.

In a DPA attack of higher (second, third, fourth, ...) order, current curves are recorded at several (two, three, four, ...) times in the time course of the calculation. [PRB10] describes a second-order DPA attack.

In a DPA attack on the partial calculation of the AES of FIG. 2, a plaintext byte p of the known key K is verxort with a key byte k of the secret key K (p @ k), the result of Verxorung in the 256-byte substitution table S (S). Box) and calculated by table access the intermediate value x = S [p Θ k]. The attacker records about 1000 current curves of the sub-computation (p varies, k remains the same), synchronizes them and calculates for each possible value 0, ..., 255 of the key byte k the correlation curve between the synchronous Siert measured current curves and the urinary weight HW (x) of the calculated with the respective key byte k intermediate value x. The correlation curves for false key bytes consist of a more or less uniform noise, similar to the correlation curve shown in FIG. 1b. The correlation curve for the correct key byte with which the calculation was performed has a rash at a previously unknown time, similar to the correlation curve shown in FIG. This procedure is performed with each key byte k of the key K until the key K is reconstructed byte by byte.

According to an in-house unpublished state of the art, "OO / FF masking" is provided as a countermeasure against DPA attacks, whereby an intermediate result of a partial calculation in the calculation is randomly calculated either directly, so that the intermediate result is generated or computed complementarily, so that If necessary, the input data (plaintext or ciphertext) and the key must be complemented independently of one another randomly and the output data (ciphertext or plaintext) are complemented at the output of the calculation. that a partial calculation x = S [p Θ k] is performed, or a complementary partial calculation x = S 'p®k] is performed, with a complemented S-box S' [x] = S [5c] and a complemented plaintext byte and Key Bytes. Will be for one Attack carried out approximately 1000 executions of the cryptographic calculation is statistically calculated in half each with the intermediate value x and the one's complement 3c. For the urinary weight HW x) of the complementing partial computation x = S '\ p®k] the formula HWix) = 8- HW (x), in the hamming weight HW (x) of the non-complemented calculation with a negative sign occurs. As a result, correlations between the current curves and the calculated result obtained with the key cancel each other out at random control on average. Thus, for random-controlled arithmetic with the intermediate value x - S [p Θ k] or the complemented intermediate value x = S 'p & k], a correlation curve such as that shown in FIG. 1b also results when calculating with the correct key byte, as it does without defensive measures only for a wrong guess key bit. Performing the calculation randomly with the intermediate value x = S [p Θ k] or the complemented intermediate value x = S '[p® / c] is thus resistant to the above-described DPA side channel attack with correlation calculation. In addition, the OO / FF masking saves memory.

The calculation of the ler complement of a value is performed optionally by forcing the value with hexadecimal FF (other notation: Oxff), the provision of the value itself in this case optionally by verifying with 0 at the same place in the calculation process, at which Complement with FF is being carried out. Verxoring with FF complements a value. By zeroing the value remains unchanged. Performing a forgery in both cases disguises when the value and when the ler complement of the value is used. This type of random control results in the name "OO / FF masking." In a varied DPA attack, instead of the correlation, another statistic is computed, such as the variance or one-dimensional Kologorov-Smirnov statistic Even if the correct key byte is used, it is not noticeable if randomized with the intermediate value x = S [p Θ k] or complemented intermediate value x - S '[p ® k] is calculated. Thus, it is still recognizable when the right key is expected.

A further countermeasure against DPA attacks consists in the XOR mask, which is described for example in DE 198 22 217 A1, and in which, instead of input data E, a random number r is used to process inputted data E '= E® r.

For XOR masking, it is important that all intermediate values are always masked. If carelessly masked, this is not the case. If an encryption of a masked plaintext byte p '= p® r with a masked key byte k' = k® r is carried out in the AES in a partial calculation, for example that of FIG. 2, (p® r )® (k® r) results - p ® k = x, ie an unmasked encryption result or intermediate result x. That all intermediate results are masked, and never unmasked intermediate results occur, for example, achieved by different masking of input data and keys. For example, the input data (plaintext or ciphertext) is masked with two random numbers r, s, the key with only a random number r is masked and a compensation masking is performed. For example, the masking is carried out in accordance with (((p ® r) ® s) ® (k ® r)) ® (r ® s) = p ® k ® r = x ® r = x _XOR . The plaintext byte p is thus masked with r and s, the key byte is masked only with s, and in addition the compensation masking with both random numbers r, s is performed. As a result, instead of the intermediate result x, an intermediate result x _XOR = x.rar. Masked with r appears, cf. Fig. 3. A calculation with careful XOR masking is resistant to the DPA attack described above, regardless of the statistics used (eg correlation, variance, one-dimensional Kolmogorov-Smirnov statistic). The Interim result of the calculation of FIG. 2 is calculated in accordance with

S '[x] = S [x Θ rl] Θ rl, with rl, r2 independent random numbers. From this it can be seen that a separate substitution table (S-box) S 'is required for all values of the random numbers rl and r2. Optionally, for each possible value of the random number r (= rl or r2), a substitution table (S-box) S 'masked with r is stored (eg in the chip card or the processor), ie in a 256-byte substitution table (S). Box) eg 256 different 256 byte tables. Alternatively, the substitution table (S-box) is calculated only after the determination of the random number r, preferably in a random access memory RAM assigned to the processor. However, this costs computing time and possibly. Memory in RAM RAM. In the course of the implementation of the algorithm, eg the AES, and as soon as the random number is fixed, the same substitution table is always used. In the example from FIG. 2, therefore, the same substitution table is used for all plaintext bytes p of the text P and key bytes k of the key K. 2, carried out for different plaintext bytes p, p 'and key bytes k, k', ie at different times t, t 'in the AES, the calculated intermediate value x _XOR = S [p ® k] @ r or x ' _XOR = S [p''k'] Θ r is masked by the same access number r, which is a weak point.

The fact that the same table (e.g., AES S-Box) is used in XOR masking on all table calls can be used for a higher order DPA attack, such as those used for AES e.g. in [PRB10]. In the second order DPA attack from [PRB10], the current consumption j (), J (t ') is measured and normalized at two points in time t, t'

j ^' t), jf). The correlation between the product j (t) ^■ (t ') and the Hamming weight of the value x ® x' = S [p Θ k] Θ S [p '<®k'] will be for each possible Key pair k, k 'and each pair of times /, /' calculated. For the correct key, a correlation curve such as that shown in FIG. 1a results, with the significant rash at one time. The computational effort for the second-order attack from [PRB10] increases quadratically with the number of times and keys to be taken into account and is therefore significant.

Applicant's German patent application DE 102012018924.9 discloses an internally "extended masking" method for performing a cryptographic computation using a cryptographic key protected against spying the key via side channel attacks, in particular DPA higher order attacks that key spying is prevented, or at least severely hampered, and at the same time efficient.

The method given in 102012018924.9 has in principle the structure of a combination of a base masking - e.g. XOR masking and 00 / FF masking applied to cryptographic computation to guard against secret data from spying. The mask according to the invention is also called internal masking by the applicant.

The method of 102012018924.9 is adapted for implementation in a processor (eg, microprocessor, CPU, crypto co-processor, crypto-accelerator) adapted to perform a cryptographic computation, in which input data is generated using a cryptographic key and generated of intermediate values output data are generated. An example of such a cryptographic calculation is the AES. When carrying out the calculation, a base masking applied by which at least some, preferably all, intermediate values as masked intermediate values are included in the calculation. The method is characterized in that, in carrying out the calculation, a secondary masking is additionally applied, wherein for each intermediate masked by the base masking the one's complement of the masked intermediate value is formed, the masked intermediate value or the one's complement of the masked intermediate value is provided and random controlled the calculation is performed either with the masked intermediate value or with the one's complement of the masked intermediate value.

As described in the introduction, eg with reference to [PRB10], spying on the secret key of an XOR-masked cryptographic calculation is possible with a second-order DPA attack, in which the power consumption j (t), j (t ') at two Times t, t ', ie at two different calculation steps within the calculation, is measured and evaluated. In [PRB10], the considered calculation steps within the calculation are realized by table accesses. The weak point exploited in the attack is that the same table is used at both times. According to the invention, in addition to the basic masking (eg XOR), the secondary masking is used, according to which the intermediate value or the one's complement of the intermediate value is randomly calculated. As a result, calculation steps at different points in time in the course of the calculation, which would be similar in the case of pure XOR masking, are made randomly differentiated. For a partial calculation (computation step) realized as a table access, this means that different tables are used randomly for the different partial computations-or the equivalently different points in time-within the calculation. A statistical evaluation of the power consumption j (t), ^' (f) at two (or more) times t, t' thus provides, as the Applicant could confirm experimentally, no information about the secret key used in the calculation. In particular, correlation curves such as those shown in Fig. 1, even using the correct key, provide the more or less uniform noise (see Fig. 1b) that results when using a wrong key, but not the prominent strike (Fig la) eg with XOR masking and the correct key can be seen. In contrast to the conceivable method of calculating a new XOR table with a new XOR mask for each table call in the case of XOR masking, in the case of the extended masking according to the invention only at the beginning of the calculation the table for table access must be extended by one or more complementary XOR tables. Tables (hence the term extended masking). For subsequent table calls, the pre-calculated extended table can be used without recalculation for each table access. For other partial calculations (calculation steps) than table accesses, eg calculations according to a calculation rule (operation), in AES eg the shift operations "shift row" or "mix column", it is analogous. At the beginning of the calculation, the operation (calculation rule) is masked with the base masking and at least one complementary masked operation is formed. The partial calculations within the calculation are calculated using the previously calculated masked and complementary masked operations. Thus, the extended masking is safe and at the same time efficient.

Therefore, according to 102012018924.9, there is provided a method of performing a cryptographic calculation using a cryptographic key that is useful against spying the key over page cams. nalangriff e, in particular DPA attacks of higher order, is protected, so that the key spying is prevented or at least severely hampered, and which is also efficient. A disadvantage of the method according to 102012018924.9 is that the memory requirement is increased compared to only a simple masking. Especially in the case of table access, which in practice takes place regularly in the (volatile) main memory, for example RAM, the memory requirement in the (volatile) main memory, eg RAM, is increased. The present invention is based on the object to make the method of 102012018924.9 memory more efficient, preferably with savings in (volatile) memory, for example RAM.

Document DE 10 2004 032893 A1 describes a method for spurious-protected calculation of a masked result value from a masked input value according to a predetermined mapping, which is described in US Pat

Form of a table is provided. In the method, a masked table with a plurality of entries is first calculated in a first step, wherein for calculating at least some entries of the masked table, the predetermined mapping is evaluated at at least two locations and the resulting result values, eg T (ql) and T (q2), enter into the calculation of the entry of the masked table. Subsequently, in a second step, the masked result value is calculated using the masked table and the predetermined mapping. By evaluating the mapping in at least two places to calculate a single table entry in the first step, the table is folded (this does not mean the mathematical operation also called "convolution") and can thus be stored saving memory. The object of the invention in the present application is to modify the method specified in 102012018924.9 in such a way that the memory requirement compared to the solution in 102012018924.9 is reduced. Preferably, the solution should be modified so that in the improved masking according to 102012018924.9 the memory requirement compared to a conventional masking such as XOR masking is not increased.

The method according to claim 1 is based in the preamble on a so-called "extended masking" according to 102012018924.9 AI According to the extended masking, on the one hand a base masking, eg XOR, is used and on the other hand a secondary masking is applied. that for each intermediate value masked by means of the basic masking (eg XOR) the calculation (eg AES) is carried out either with the masked intermediate value or with the one's complement of the masked intermediate value (eg by random bit b) in that the calculation further performs a folding step of causing at least some intermediate masked intermediate masking values to be provided as folded masked intermediate values, the folded masked intermediate value using the basic masked intermediate value and min at least one further intermediate intermediate value is calculated, wherein the second intermediate value is derived from the base-masked intermediate value using a convolution distance. Secondary masking is applied to the folded masked intermediate value so that randomization is performed on either the folded masked intermediate value or the one's complement associated with the folded masked intermediate value. A value is therefore first basemasked that The masked intermediate value or the one's complement associated with the masked intermediate value is further calculated, if necessary, using a correction element which is entered by the convolution distance. Random access to either the intermediate value or the one's complement of the intermediate value is then performed on intermediate values generated with base masking and the additional step of folding.

In other words, to generate a single intermediate value masked with wrinkles and with base masking, basemasked intermediate values at two or more locations are evaluated. This corresponds to a folding of the calculation carried out so that at least two intermediate values occur at the same place. This allows you to store two (single fold) or more (multiple fold) intermediate values in a single memory location. The required storage space is therefore reduced. The interfolded and base-masked intermediate values are also expanded masked analogously as indicated in 102012018924.9. The correction item may be required, e.g. only if the one's complement is calculated in order to compensate for the influence of the folding on the calculation result.

Thus, according to claim 1, a memory-saving modification of the method specified in 102012018924.9 is provided. Optionally, only one of the folded masked intermediate value and the one's complement of the convolved masked intermediate value is computed using a correction term, since only at the intermediate value or the one's complement is a correction term required, eg only at the one's complement. The calculation optionally includes encryption, decryption, signature generation or signatux checking, optionally according to a predetermined algorithm such as AES.

Optionally, a simple or multiple XOR masking, or a disassembly masking, or a series connection of two or more of the aforementioned base masks is provided as basic masking.

Optionally, according to claim 3, the computation comprises a partial computation, by which an intermediate value can be generated from an input value by performing a table access to a table which has a plurality of table entries. In accordance with claim 3, in order to carry out the calculation or at least the partial calculation, the table with the basic masking is masked to form a masked table. The sub-calculation is performed by performing a table access. In the table access, as in DE 102012018924.9, a secondary masking is applied, whereby the secondary masking of a table causes a table access to the table to be performed randomly on either the table itself or the or a complementary table to the table. So far, the table access corresponds to an expanded masked table. The method of claim 3 further characterized in that a step of folding is performed, wherein the table already masked with the base mask is convoluted into a folded masked table, wherein, for at least some table entries of the folded masked table, the table entry using a base-masked input value of the table and at least one further base-masked second input value of the table be with the second input value being derived from the unmasked input value using a convolution distance. The folded masked table is finally filled with the (without folding in DE

102012018924.9) so that table access is randomized to either the folded masked table itself or to the complemented table to the folded masked table. If necessary, the one-masked table entry or the one-complement associated with the folded masked table entry is further computed using a correction term and / or a correction table, wherein the convolution distance and the correction table are entered.

Thus, in the folded base-masked table, at least some of the table entries, preferably and unless contradicted, generate all table entries with a step of folding, folding the table one or more times so that two or more values of the food are stored one upon the other. For example, if all the table entries are generated by folding two input values together, the table requires only half as much space as without folding. On the other hand, an extended-masked table, the single original table, and a single complementary table that is complementary to it require twice as much space as a base-masked corresponding table. In this constellation-simple folding of the table, so that two input values are always included in each table entry, and extended masking with a single complementary table-the folding thus compensates exactly for the increase in memory requirement produced by the extended masking. The memory requirement is thus exactly that of a basic-only masked table (eg masked with an XOR mask). The folded and extended masking according to the invention is particularly advantageous for sub-calculations formed by table calls. Especially for a table call, a recalculation of the table for each table call would require considerable additional computation effort. In AES, the relatively complex nonlinear S-box operation is implemented as a table call. Due to the extended masking, depending on the embodiment, twice to four times as much table memory is required as with a base-masked only - eg XOR-masked - table. By folding the table, the additional requirement for storage is advantageously completely or at least partially canceled in the advantageous case (see above paragraph). Other, relatively simple sub-calculations, such as shift row or mix column, are formed by directly implemented operations. For these directly implemented simple operations, it can be justifiable from the computational effort to remap each sub-computation. Consequently, the invention is optionally implemented in such a way that table calls are masked with the folded extended masking according to the invention and directly implemented operations are masked with a different, eg stronger but more elaborate, masking. Optionally, complex sub-calculations - such as S-box operations at the AES - masked with the folded extended masking, and comparatively simple sub-calculations - eg Shift Row or Mix Column - masked by another, eg stronger but more complex masking, eg re-masking at each partial calculation (calculation step). Alternatively, the entire calculation can also be folded and expanded masked. Partial calculations between table calls should at least not be less masked than table calls.

Optionally, the correction table is masked with a secondary mask, ie extended by (a) complement table / (n). The random accessing of either the folded masked table or the folded masked complementary table is optionally performed by expanding the input value to produce the intermediate value by a table selection section that defines the table to be accessed , The length of the table selection section is chosen to match the one or more complementary tables. If a single complementary table is computed, the table select section is preferably one bit ("select bit") long. If three complementary tables are computed, the table select section is preferably two bits long. eg aa) or interspersed between the bits of the table input (eg xax; axax; etc; see figures).

Optionally, the correction table also has a table selection section that defines the correction table that is accessed. If necessary, the tabular selection section of the actual table and the table selection section of the correction table are preferably independent of one another. For example, a random bit is thus defined for the table and the correction table.

The table optionally has a table input and a table output, and exactly computes a masked complementary table in which both the table input and the table output are complemented by the positions of the table entries in the table are complemented (complementing the input ) and the values of the table entries in the table are complemented (complementation of the output). Alternatively, alternatively, the table has a table input and a table output, and where three masked complementary tables are calculated, where

in the case of a first folded-masked complementary table, only the table input is complemented by the positions of the table entries in the folded-masked table being complemented,

in a second folded masked complementary table, only the table output is complemented by the values of the table entries in the folded masked table being complemented, and

in the case of a third folded masked complementary table, both the table input and the table output are complemented by complementing both the positions and the values of the table entries in the folded base-masked table. Optionally, the folded masked table and the at least one (eg, one or alternatively three) complementary table (s) are entered into a single extended table containing the table entries of the folded masked table and the at least one complementary table in a predetermined arrangement. The arrangement of the table entries can be, for example, consecutively (cf., for example, FIG. 11), or alternatively alternating like a checkerboard (starting from the tables from FIG. 11, checkerboard-like scrambling of the table entries, if appropriate with corresponding design of the table selection sections). Optionally, the processor is a non-volatile memory (eg ROM, EEPROM, ...) and a volatile memory (eg RAM) associated with the table is stored in non-volatile memory, and wherein the folded masked table and the at least one folded masked complementary table in volatile memory. For example At AES, the original, unmasked S-boxes are stored in non-volatile memory. The folded masked table and its complementary table ^) are calculated and stored in the volatile memory. In particular, preferably at the beginning of the calculation (eg AES) the tables (eg S-boxes) are loaded from the nonvolatile memory into the volatile memory, in the volatile memory the folded masked table (eg FIG. 12) and its complementary table ( n) (this leads eg to FIG. 13, 14 or 15) and in the further course of the calculation (eg AES) always one and the same at the beginning of the calculation (AES) calculated RAM tables (masked table and its complementary table ( n)). For a new pass of the calculation (eg AES), eg a new encryption, decryption, signature calculation, signature verification, new RAM tables (the folded masked table and its complementary table ^)) are calculated.

The folding is done here on tables that are generated in the usually rather limited (volatile) memory (for example RAM). Thus, the scarce main memory (e.g., RAM) is used sparingly. The fact that the correction table has to be kept in addition does not affect the saving in the working memory, since the correction table is preferably stored in non-volatile memory (for example ROM).

According to one embodiment, a method is given, wherein

the folded masked table and at least one complementary table are used for a plurality of table accesses to the table, optionally for at least one complete execution of the cryptographic calculation (e.g., one pass of the AES), and

within the majority of table accesses at least once, preferably randomly for each table access, the calculation or partial calculation is carried out either with the folded masked intermediate value or with the one's complement of the folded masked intermediate value, and the calculation or partial calculation is carried out in accordance with the specification.

In particular, optionally at the beginning of the calculation (e.g., AES), a convolved masked table (e.g., S-box) and from the convoluted-masked table at least one (e.g., exactly one or exactly three) complementary table ^) are calculated, e.g. in the RAM. In the remainder of the calculation (e.g., AES), the predicted tables and Complementary Table ^) are used (e.g., from the RAM). Previously, if necessary, the unmasked table is loaded from the nonvolatile memory (e.g., ROM). Depending on the individual case, a RAM table generated in this way may also be used for several AES passes. Otherwise, the RAM table is recalculated before each AES pass.

Optionally, the table has a table input and a table output, and where the masked table

- either has a masked table input,

- or has a masked table output,

- or has a masked table input and a masked table output, further wherein the table input and the table output are either masked with the same base masking or are masked with different base masks.

The separate masking of table input and table output specified here represents a series connection of the two mappings of table input and table output. In the following the invention will be explained in more detail with reference to exemplary embodiments and with reference to the drawing, in which:

Figure 1 Correlation curves for DPA 2nd order a) with XOR masking b) with extended masking according to the invention;

FIG. 2 shows a partial calculation in AES, comprising a table access, which is suitable for the extended and folded masking according to the invention; FIG.

FIG. 3 shows computation instructions for basic masking of an intermediate value to a masked intermediate value according to XOR masking and additive masking; FIG.

4 shows a table in unmasked form (original table);

FIG. 5 is a complemented table to the table of FIG. 4 with only the table input complemented (inverted); FIG.

FIG. 6 is a complemented table to the table of FIG. 4 with only the table output complemented; FIG.

FIG. 7 is a complemented table to the table of FIG. 4 with the table input and the table output complemented; FIG.

8 shows, starting from the table of FIG. 4, XOR-randomized table with input mask 31 and output mask 00;

FIG. 9 shows an XOR-randomized table based on the table of FIG. 4, with input mask 00 and output mask 02; FIG.

10 shows, starting from the table of FIG. 4, XOR-randomized table, with input mask 31 and output mask 02;

FIG. 11 is a table simply expanded, starting from the XOR randomized table of FIG. 10, with a single complementary table; FIG.

FIG. 12 shows a folding distance table 12 folded from the table of FIG. 10; FIG. Fig. 13 is a table simply expanded from the folded table of Fig. 12, with selection bit at the top binary bit position, according to an embodiment of the invention;

FIG. 14 is a table, simply expanded, starting from the folded table of FIG. 12, with selection bits at the lowest binary bit position, according to a further embodiment of the invention; FIG.

FIG. 15 shows, starting from the folded table from FIG. 12, a table twice expanded, with selection bits at the two uppermost binary bit positions, according to a further embodiment of the invention.

Fig. 1 shows correlation curves for a second order DPA attack on a table access in AES a) in XOR masking and b) in extended masking according to embodiments of the invention. The table is an AES S-Box. The correlation curve of Fig. 1a was determined with a second order DPA attack on a table access in the AES when performing table access with the correct key. The table is XOR masked. The significant peak indicates that the correct key k was used. If the table access was performed with a wrong key k, the peak is absent, similar to FIG. 1b. FIG. 1b shows a correlation curve obtained from a second-order DPA attack on the same table access in the course of the AES as the curve from FIG. 1a. In contrast to FIG. 1a, in FIG. 1b the table is masked with the secondary masking according to the invention, in addition to the base XOR masking. Memory-efficient secondary masking is accomplished by first convolving the XOR masked table underlying FIG. 1a and expanding it to a simply extended table containing the convolved XOR-masked table (first the XOR masked table , then it has been folded) and the complementary table to the folded XOR-masked table includes. The table access is applied to the extended folded XOR-masked table. In this case, either the folded XOR-masked table or the complementary table is randomly accessed within the extended folded XOR-masked table. In performing the table access to the extended table with the correct key, the prominent peak that indicates the presence of the correct key is missing in the correlation of FIG. 1b compared to the correlation of the base-masked table of FIG. Thus, with the simple extended table, table accesses with the correct key are not indistinguishable from table accesses with wrong keys, instead of a merely XOR- masked table.

Table accesses to a two-times extended table comprising the base-masked table and three complementary tables provide similar correlation curves to those shown in Fig. 1b. Even with a table that has been expanded twice, table accesses with the correct key k are therefore indistinguishable from table accesses with a wrong key. In the case of the three complementary tables, only the table input is complemented from the folded base-masked table; only the table output is complemented, or the table input and the table output are complemented.

FIG. 2 shows a partial calculation from AES encryption in which a table access to a table S (S-box, AES substitution table) is carried out. The table access of FIG. 2 is suitable for being masked by the method according to the invention. FIG. 2 shows two tables S in the AES, which are applied at different locations in the algorithm AES, more precisely in different rounds of the AES. The two tables S are shown in FIG. 2 with the same symbols p, k, x, y for plaintext p, key k, input value x of the table S and output value y of FIG Table S to indicate that the arithmetic operation due to the table S is the same for the two tables S. The values of plaintext p, key k, input value x and output value y are usually different for each table S.

FIG. 3 shows computational rules for base masking of an intermediate value to a masked intermediate value with XOR masking and additive masking. The calculation rule for masking x with an XOR base mask to x _XOR is x-> x _XOR = x Θ r. The calculation rule to mask x with an additive base masking to x _add is

x-> x _add = x + r mod 2 "The arithmetic rule for masking x with an affine base masking to x _a is x -> x _a = a - x ® r, is not considered here In the masking according to the invention with folding and widening, the affine masking is of secondary importance, since folding is very inefficient in affine-masked tables.

The example calculations from FIGS. 4-11 show tables S whose table entries are generated without convolution of input values, and if it is expanded masked (FIG. 11), ie according to the solution from 102012018924.9. Figs. 12 and 13 show folded tables. The table of FIG. 12 produced only with wrinkles and without extension masking (secondary masking) corresponds in principle to the solution from DE 10 2004 032893 A1. Tables without convolution are designated by the principle with the symbol S, if necessary with additions such as "'" or "-" etc. to indicate the degree of masking. A folded and expanded masked table is generally designated T. In principle, a table S = T is assumed, as indicated in FIG. 2. In particular, the same function is implemented by the table T through the table S, for example one In order to avoid confusion with between non-convoluted and non-convoluted tables T, tables with input values convolved to produce a table entry are generally denoted by T, tables without convolution, or tables in general, however, with S.

Fig. 4 shows a table S in unmasked form (original table), e.g. an AES-S box. The table is shown in the quad system with base 4. Thus, each bit can take the four values 0, 1, 2, 3. In the case of a table access in the AES according to FIG. 2, with a table according to FIG. 4, the concatenation of the column index and the index index forms the table input x = xx. The value in the table at the location specified by column index and row index is the table output y = yy. FIG. 4 shows an example of a table access with table input xx = 12 and table output yy = 11 (sectional area of the two ellipses).

Fig. 5 shows a complemented table S to the table S of Fig. 4, wherein only the table input x is complemented. The table input x is complemented by the positions of the table entries being supplemented. For example, the entry to the index x = xx = 00 of FIG. 4 in FIG. 5 is shifted to the index x = 33, the entry to the index x = 12 to the index x = 21, etc. The example of FIG. 4, with the mask of FIG. 5, becomes a table access with table input xx = 21 and table output yy = 11 (intersection of the two ellipses).

Fig. 6 shows a complemented table S to the table S of Fig. 4, wherein only the table output y = yy is complemented to y. The table output y is complemented by the fact that the value of the table entry is complemented. For example, the table output value is y = 11 at index x = 12 of Fig. 4 in Fig. 6 to a table output value y = 22, while remaining in the same place. The exemplary table access results with the mask of FIG. 6 table input x = 12 and table output y = 22 (circle).

Fig. 7 shows a complemented table S to the table S of Fig. 4, wherein the table input x and the table output y are complemented. Starting from Fig. 5, e.g. the table entry, which in FIG. 5 leads from the input value x = 21 to the output value y = 11, is complemented to an output value y = 22. Starting from Fig. 6, the output value y = 22 of Fig. 6 is shifted from the index x = 12 to the index Je = 21, i. In addition, the input value x is complemented by x. The table access of FIG. 4 in the mask of FIG. 7 thus becomes table access with table input Je = 21 and table output y = 22 (circle).

8-12 show, starting from the table of FIG. 4, randomized (= masked) tables with XOR masking as base masking. Each input value x of the tables in FIGS. 8-12 is thus masked to x _{XOR in} accordance with the computation rule x- x _XOR = _xR .

Fig. 8 shows an XOR randomized table S ', with input mask 31 and output mask 00, i. only the table input x is masked, namely with XOR mask 31, and the table output y is unmasked (XOR mask 00, which is equivalent to no masking). Starting from the table S of FIG. 4 this results in input 23 and output 11 (circle).

9 shows an XOR-randomized table S ', with input mask 00 and output mask 02, ie only the table output is masked, namely with XOR mask 02, and the table input is unmasked (XOR mask 00). Starting from the table of FIG. 4, this gives input 12 and output 13.

10 shows an XOR randomized table S ', with input mask 31 and output mask 02. FIG. 10 shows a mask masked with XOR masking as a base masking, which is used as the basis for generating single and double (twice) extended masked tables (FIG. 11, 12). Starting from the table of FIG. 4, this results in a table access with input value XXOR ~ 23 and output value y _X0R = 13.

11 shows a simply extended XOR-randomized (= XOR-masked) table S "(simple: extension only in one direction of the table, here to the right), with input mask 31 and output mask 02. In the extended table, the uncomplemented XOR 10) and a complementary table S 'to the XOR base masked table The complementary table S' is formed by that in the base masked table 5 "of FIG. 10, the table input x and the table output y are complemented. The second bit (column index) of the table input x is extended by a preceding selection bit a (= table selection section). Table inputs x thus have the form axx in the table from FIG. 11, and table outputs y have the form yy unchanged. The form axx is given as an example and may alternatively also be xax or xxa. The entries for the row indexes 00, 01, 02, 03 (top) in which the selection bit a in the table input value axx has the value zero (0) belong to the uncomplemented table masked only with the basic masking (table from FIG. 10). The entries for the row indexes 10, 11, 12, 13 (above), in which the selection bit a in the table input value axx has the value one (1) belong to the complementary table. The exemplary table access of FIG. 4 is displayed in the extended mask S " 11 shows a table access with table input axx = 023 and table output yy = 13 or table input axx = 123 and table output yy = 31. Whether the table access with either table input x _XOR = axx = 023 and table output yy = 13 (upper table half, selection bit im Table input 023 has the value 0) or table input x _XOR = axx = 123 and

Table output yy = 31 (lower half of the table, selection bit in table input 123 has the value 1) is random.

The use of a simply expanded table will be explained below with reference to FIGS. 2 and 11. In an AES cryptographic coprocessor, an AES calculation (optionally encryption, decryption, signature generation or signature verification) is started, in FIG. 2 an example of encryption. AES comprises several rounds R = 1,2, .... In each round R, a partial computation is performed in which a plaintext byte p with a key byte x (p k) is used, and the result of the corruption is inserted in a (substitution) table S (S-box) and thereby an intermediate value x = S [p Θ k] is calculated by a table access to the table S.

According to one embodiment of the extended masking, a table 5 "'which is simply extended according to Figure 11 is used as table S in Figure 2. The input value x is extended by one bit as table selection section a ₀ , in FIG. 11, for example, x = 023 if the non-complemented table iS "is accessed, with output y = 13 (as in FIG. 10), and x = 1 10 if the complemented table 5" in FIG S "is accessed, with output value y = 22.

FIG. 12 shows an XOR-randomized table T folded, starting from the table S 'from FIG. 10, with input mask i = 31, output mask o = 02 and convolution distance d = 12. Circled is the table entry on which the table access occurs. The basis is 4. Starting from the table from FIG. 10, the table entry at the position (= at the input value) 23 is merged with the table entry at the position 23 xor 12 = 31. That is, the table S 'is folded to the table T so that the table entries at the positions 23 and 31 come to lie on each other. The convolution distance (at base 4) d = 12 (decimal 6) has the binary representation 0110. If we isolate in the (binary) convolution distance d the lowest bit, which is equal to 1, we get 0010. As said, the entries are at the positions 23 (= binary Olli) and 31 (= binary 1101) combined. For the folded table T we have to select the input value which is 0 at the position 0010, ie the input value 31 (= binary 1101). For the folded table T, we have to delete the 0 at the position 0010, so we have as input value binary 111 (= 13 in the four system). For this reason, the table access in the table T from FIG. 12 is made to the table output value 11 for the table input value 13 (circled).

Now we can check the value 11 there. The merely randomized table S 'from FIG. 10 has the values 13 and 00 at the positions 23 and 31, which results in xx = 13 = 13. Since the original mask o = 02 is lifted out again by the Verxoren, we have to rewrite it once again and thus get 13 xor 02 = 11.

Fig. 13 shows a table T ', simply extended, starting from the folded table T of Fig. 12, with selection bit at the highest binary bit position, according to an embodiment of the invention. Overall, the table T 'of FIG. 13 is thus XOR-randomized, with input mask i = 31 and output mask o = 02, convoluted with convolution distance d = 12 and simply extended, with selection bit at the uppermost binary bit position (first column, first digit). , The The lower half of Table V of Fig. 13 has inverted output values in reverse order. The marked input value 13 from the table T FIG. 12 is inverted to the input value 20 for generating the table T 'from FIG. 13. At the position 20 of the table T' FIG. 13 is just the one inverted compared to the position 13 of FIG Value 22.

Fig. 14 shows a table T ', simply extended, starting from the folded table of Fig. 12, with selection bits at the lowest binary bit position, according to a preferred embodiment of the invention. Table 14 is obtained from Table 13 by alternately selecting one entry from the upper and lower half of Table 13 (line by line). Therefore, the first circled value 22 of the second half of Table 13 immediately appears as a second value in the table 14, and accordingly, the last circled value 11 of the upper half of Table 13 is the penultimate value of FIG Table Fig. 14.

Fig. 15 shows a table twice extended starting from the folded table of Fig. 12, with two selection bits, one at the uppermost binary bit position (as in Fig. 13), and one at the second uppermost bit position. The select bit at the top bin (as in Figure 13) decides whether the table output is inverted or not. The selection bit at the second highest binary location decides whether the table input is inverted or not. In the following, a preferred embodiment is set forth to generate a folded and expanded masked table T and a correction table T and to perform a table access to a table entry in the table T 'comprising correction of the table entry by means of the

Correction table f. As T ', for example, the one table as shown in FIG. 13 or 14 may be provided. This is based on the principle of a table S as indicated in Fig. 2 and 4-12. In particular, the same function is implemented by the unmasked table S as by the table S. For example, S is an S-box in the AES according to FIG. 2. Each of the tables T 'and T has the structure of an extended table, ie

T '[x] =

and f '[x] = f' [x].

In the non-volatile memory (preferably) ROM, the following correction table f is stored, where x »i is for a right shift of x by i digits in binary representation, and an overline for one's complement formation. straight x

ßir x odd In the random access memory RAM, a folded and expanded masked table T 'is generated. XOR masking is used as base masking, with a table input mask i and a table output mask o. On the occasion of each calculation of a table T 'in the main memory RAM, a convolution distance d 0 is set at random. As an unmasked input value for a table call on table T ', x is used, eg x = p®k according to FIG. 2. For the masking of the table input with the mask i, a first random bit b is defined, which, like the random distance d, for each calculation of a table T 'in random access memory RAM is newly randomized. The extended XOR-masked table input value x 'is the same

\ x Θ i if b = 0

[x Θ i if b = 1 The RAM table T 'formed from the masked table input value x' is defined as, with the convolution function f _d ,

(Τ [χ] Θ T [x®d] φ o if b = 0

r ^{lttW << 1) + tl} r-KW «i] if =

The convolution function f _d (not meant hereby the mathematical operation of convolution) is formed in the following two steps. The "random" distance d in binary representation is represented by a sequence of 1-bits and 0-bits The bit length of the convolution distance d is generally equal to the bit length of the input value x Value of the random distance d emerges at any given bit position in d the lowest 1-bit z of d, ie the lowest bit which is one and all even lower bits are 0. The lowest 1-bit is equal to z = d8i (-cT) At the bit position of the lowest 1-bit of the random distance d, only one of the base-masked input value x 'and the convolutional partner to the base-masked input value x'd has a 1-bit, ie only in either x' or in x'd is the lowest 1-bit z of d (set to the value 1).

In the first step of forming the convolution function f _d , the value of x 'and x'd that has a zero at the bit position of the lowest 1-bit of the random distance d is defined as x "if x'& z = 0

x'h- "

if x '& z = z

In the second step, the zero, which is at the bit position of the lowest 1-bit of the random distance d, is extracted from the base-masked input value x '. (the input value x 'is still in binary representation). By removing the zero, x "is converted into the value of the convolution function f _d (x ') at the point x': f _d (x ') ^: = (*" + 0 "& m))» 1, where m = - (x '& z)

For all d 0, the convolution function _d (') shortens its argument x' by one bit and is surjective. Therefore, the table T 'is wherewefined. Since instead of f _d (x) = f _d (x) only / _d () = / _d (x) 0 / _d (z) holds, in the case b = 1 the term f (z for correcting the input value x 'of the RAM table can be used.

Overall, in the present exemplary embodiment, an expanded masked TabeUenaufruf with folded table of the following steps.

Compute the index u = x'®d for the ROM correction table f

For a random bit b '(b', b independent), mask the index u to

u for b '= 0

u '= ue (-b' = {

for b '= 1

3. Compute the index v = f _d (x ') for the RAM table T

4. Calculate the correction

0 for b = 0

= (dec) & (^ ö) = / _d (z) & (- 0) = [

f _d (z for b = l

5. Correct the index v to v '= v®c

6. Read out the ROM correction table T using

y ₀ = f [(u''1) + (b'b ')]

7. Evaluate the RAM table T '(i.e., e.g., the AES S box) by means of

y _i = T '[v' «l) + b] 8. Combine the read table values y _{Q of} the correction table and y _{x of} the table (eg AES S-Box) to the result of the table access (= table output value) y'-y ₀ yi By construction, the result y 'of the table access to the table T 'the value masked with the XOR mask o and extended mask bit' to the unmasked value y = T [x]:

T [u '] for b = b'

y ₀ = T [u '«1) + (b'b')] =

T [u '] for b * b'

Tfred] / ür = b '

T [xd] for b * b '

(T '[v «l] forb = 0

* = r '[((, ec) «i) + *] = ^ _{φ fM) <} ^ _{+ 1} } _{forb = 1}

_ CT '[v «1] = r [ _d ()« 1] forb = 0

The calculation shows that the specified algorithm is functionally correct. The security against DPA 2nd order may be due to careful analysis of the individual steps and was virtually verified by an implementation on a smart card.

In the above embodiment, it was signaled by a table selection section, specifically by means of a bit additionally supplemented at the lowest point, whether an additional complementation of the (base) masked value is given (bit = 1) or not (bit = 0). This bit need not be at the bottom, but may be elsewhere. If the bit of the table selection section is inserted elsewhere, the formulas for the tables and the calculation of the indices (u, v) change accordingly. In addition, the coding can also be reversed, ie bit = 1 is without additional complementation and bit = 0 is with additional complementation. As a rule, the information for the table selection section is kept separate from the masked data and only the entry for a table call is inserted. Optionally, instead of the simple extension provided in the exemplary embodiment (corresponding to FIGS. 13, 14), a double extension is provided (corresponding to FIG. 15).

Cited prior art:

1) DE 198 22 217 AI;

2) EP 2 302 552 AI;

3) DE 102012018924.9

4) DE 10 2004 032893 Al

5) [PRBIO] E. Prouff, M. Rivain, R. Bevan: Statistical Analysis of Second Order Differential Poiure Analysis, http://eprint.iacr.org/ 2010/646.pdf, ffiEE Transactions on Computers 58, p. 799,811 , 2009;

Claims

Patent claims

A method, in a processor, for carrying out a cryptographic calculation (AES), in which output data (C) are generated from input data (P) using a cryptographic key (K) and via the generation of intermediate values (x, y),

wherein in the execution of the calculation (AES) a basic masking (XOR) is applied, by which at least some, preferably all, intermediate values (x, y, ...) are included as masked intermediate values (x _XOR y _WR , -) in the calculation , and

wherein during the execution of the calculation (AES) additionally a secondary masking (00 / FF) is applied which is set up such that for each intermediate value (x _WR ) masked with the secondary masking it is effected that randomly (random bit b) the calculation (AES ) with either the intermediate value (x _XOR) or (with the one's complement x _XOR) of the intermediate value (x _XOR) is performed,

characterized in that

a folding step is performed on the calculation (AES), causing at least some intermediate masked intermediate masking values to be provided as folded masked intermediate values (x _XOR ), the folded masked intermediate value (x _XOR ) using the base-masked intermediate value (x) and at least one further base-masked second intermediate value (x Θ d) is calculated, wherein the second intermediate value (x ® d) is derived from the intermediate value (x) using a convolution distance (d),

- the folded masked intermediate value (x _XOR) the secondary masking is applied, so that randomly calculating either the folded masked intermediate value (x _XOR) or associated with the folded masked intermediate value (x _X0R) one's complement is performed (x _XOR), and if necessary, the folded masked intermediate _value (x _XOR ) or the one-complement (x _X0R ) associated with the folded masked intermediate _value (x _XOR ) is further calculated using a correction _element (; f, c) into which the convolution distance (d) is received.

2. The method of claim 1, wherein as basic masking a single or multiple XOR masking, or a Zerlegungsmaskierung, or a series connection of two or more of the aforementioned base masks is provided.

Method according to claim 1 or 2, wherein the calculation (AES) comprises a partial calculation by which an input value (x-p φ k) is performed by performing a table access to a table (S) containing a plurality of table entries (y). has an intermediate value (y = S [x]) can be generated,

in which, in order to carry out the calculation or at least the partial calculation, the table (S) with the basic masking (XOR) is masked to form a masked table (S '),

- wherein the masked table (S ') is complementable, whereby at least one masked complementary table (5 ") can be generated,

- wherein the sub-calculation is performed by performing a table access, wherein in the table access

a secondary masking (00 / FF) is applied, whereby the secondary masking of a masked table (S ') causes a table access to the masked table (<S ") to be randomized to either the masked table (S') itself or the masked complementary table (S ') to the masked table (-S ") is performed, further characterized in that the masked table (S ') is convoluted into a folded masked table (T), wherein for at least some table entries (y') of the folded masked table (T '),

the table entry (y ') is calculated using a base-masked input value (x = p Θ k) of the table (S) and at least one further base-masked second input value (x Θ d) of the table (S), the second Input value (x Θ d) is derived from the input value (x = p Θ k) using a convolution distance (d),

- the folded masked table (') is masked with the secondary masking so that the table access is randomized to either the folded masked table (Τ') itself or to the complemented table (V) to the folded masked table () and

if necessary, the folded masked table entry (y ') or the one's complement (y') associated with the folded masked table entry (y ') is further calculated using a correction term (c) and a correction table (f), wherein the correction term (c) and the folding distance (d) is entered in the correction table (T).

4. The method of claim 3, wherein the correction table (f), analogous to the table (S), also with a base masking (XOR) and a secondary masking (random bit b ') is masked.

5. A method according to claim 3 or 4, wherein the random accessing of either the masked table (Τ ') or the masked complementary table (Γ') is performed by using the input value (x) to generate the Intermediate value (y = S [x]) is extended by a table selection section (a; a _x ... a _Q ) which defines the table being accessed.

6. The method according to any one of claims 3 to 5, wherein the table (S) has a table input (x) and a table output (y), and wherein exactly one masked complementary table (S ') is calculated, in which both the Table entry (x) and the table output (y) are complemented by the positions of the table entries in the table (S) are complemented and the values of the table entries in the table (S) are complemented.

The method of any of claims 3 to 5, wherein the table (S) has a table entry (x) and a table exit (y), and wherein three folded masked complementary tables () are calculated, wherein

in the case of a first folded masked complementary table (T), only the table input (x) is complemented by the positions of the table entries in the folded masked table (Τ ') being complemented,

in a second folded masked complementary table (16), only the table output (y) is complemented by the values of the table entries in the masked table (16) being complemented, and

in the case of a third folded masked complementary table (V), both the table input (x) and the table output (y) are complemented by the positions of the table entries in the folded masked table (T) being complemented and the values of the table entries in the folded masked table (T) are complemented.

8. The method according to any one of claims 3 to 7, wherein the folded masked table (T) and the at least one complementary table (T) to the folded masked table (Τ ') entered in a single extended table (T ") containing the table entries of the folded masked table (12) and the at least one complementary table (V) in a predetermined order (one after the other, in a checkered pattern;

9. The method according to any one of claims 3 to 8, wherein the processor, a non-volatile memory (ROM) and a volatile random access memory (RAM) are assigned, and wherein the table (S) and the correction table (f) are stored in non-volatile memory (ROM), and wherein the folded masked table (12) and the at least one folded masked complement table (T) are calculated in volatile random access memory (RAM).

10. The method according to any one of claims 3 to 9, wherein

the folded masked table (Γ ') and at least one complementary table (') are used for a plurality of table accesses to the table (S), optionally for at least one entire execution of the cryptographic calculation (AES), and

- Within the plurality of table accesses, at least once, preferably for each table access, it is newly randomized that the calculation (AES) is performed either with the masked intermediate value (* XOR) or with the one's complement (x _XOR ) of the masked intermediate value ( ^X XOR) and the calculation is performed according to the setting.

11. Method according to one of claims 3 to 10, wherein the table (S) has a table input (x) and a table output (y), and wherein the masked table ()

either has a masked table input (x),

- or has a masked table output (y), or a masked table input (x) and a masked table output (y), further wherein the table input (x) and the table output (y) are either masked with the same basic mask (XOR) or masked with different base masks (XOR).

12. The method according to any one of claims 3 to 11, wherein at least the table input (x) of the masked table (Τ ') is corrected by means of the correction table.