WO2015144305A1 - Memory-efficient masking protected against side-channel attacks - Google Patents

Memory-efficient masking protected against side-channel attacks

Info

Publication number
WO2015144305A1
Authority
WO
WIPO (PCT)
Prior art keywords
masked
folded
xor
calculation
masking
Prior art date
Application number
PCT/EP2015/000625
Other languages
German (de)
English (en)
Inventor
Jürgen PULKUS
Original Assignee
Giesecke & Devrient Gmbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Giesecke & Devrient Gmbh filed Critical Giesecke & Devrient Gmbh
Priority to EP15713647.4A priority Critical patent/EP3123461A1/fr
Publication of WO2015144305A1 publication Critical patent/WO2015144305A1/fr

Classifications

    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C 1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/04 Masking or blinding
    • H04L 2209/043 Masking or blinding of tables, e.g. lookup, substitution or mapping
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L 2209/122 Hardware reduction or efficient architectures

Definitions

  • The correlation curves for false key bytes consist of more or less uniform noise, similar to the correlation curve shown in FIG. 1b.
  • The correlation curve for the correct key byte, with which the calculation was performed, shows a spike at a previously unknown time, similar to the correlation curve shown in FIG. This procedure is performed with each key byte k of the key K until the key K is reconstructed byte by byte.
  • Secondary masking is applied to the folded masked intermediate value so that randomization is performed on either the folded masked intermediate value or the one's complement associated with the folded masked intermediate value.
  • A value is therefore first base-masked. The masked intermediate value, or the one's complement associated with the masked intermediate value, is then processed further, if necessary using a correction element that is introduced by the folding distance. Random access to either the intermediate value or the one's complement of the intermediate value is then performed on intermediate values generated with base masking and the additional step of folding.
  • In FIG. 1b, the table is masked with the secondary masking according to the invention, in addition to the base XOR masking.
  • Memory-efficient secondary masking is accomplished by first folding the XOR-masked table underlying FIG. 1a and expanding it to a simply extended table that contains the folded XOR-masked table (the table is first XOR-masked, then folded) and the table complementary to the folded XOR-masked table.
  • The table access is applied to the extended folded XOR-masked table. Within the extended folded XOR-masked table, either the folded XOR-masked table or the complementary table is accessed at random.
  • FIG. 3 shows computational rules for base masking of an intermediate value to a masked intermediate value with XOR masking and additive masking.
  • The calculation rule for masking x with an additive base masking to x_add is
  • The complementary table S' is formed by complementing the table input x and the table output y in the base-masked table S'' of FIG. 10.
  • Fig. 14 shows a simply extended table T', starting from the folded table of Fig. 12, with selection bits at the lowest binary bit position, according to a preferred embodiment of the invention.
  • The table of Fig. 14 is obtained from the table of Fig. 13 by alternately selecting one entry from the upper and the lower half of the table of Fig. 13 (line by line). Therefore, the first circled value 22 of the second half of the table of Fig. 13 immediately appears as the second value in the table of Fig. 14, and accordingly the last circled value 11 of the upper half of the table of Fig. 13 is the penultimate value of the table of Fig. 14.
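The definitions above describe the secondary-masking construction in terms of figures that are not on this page: a base XOR-masked table S'', its complementary table S' (input and output both one's-complemented), a simply extended table T' that interleaves the two so that the selection bit sits in the lowest index bit, and a table access that reads one half or the other under random control. The following Python is an added illustration written for this page, not code from the patent or from Giesecke & Devrient; it uses a constructed 4-bit S-box and assumed masks, and it omits the folding step, whose rule the page does not give. The check at the end shows the property that matters for power analysis: whichever half is read, the unmasked S-box output is recovered correctly, while the Hamming weight of the value actually loaded from memory is either w or 4-w depending on the selection bit, so the loaded value no longer has a fixed relation to the masked intermediate.

```python
import secrets

# Constructed toy 4-bit S-box for illustration; not the patent's own table.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
WIDTH = 4
ALL_ONES = (1 << WIDTH) - 1  # one's complement of v is v ^ ALL_ONES


def base_mask_table(sbox, m_in, m_out):
    """Base XOR masking: S''[x ^ m_in] = S[x] ^ m_out, so the table is
    indexed by the masked input and yields the masked output."""
    masked = [0] * len(sbox)
    for x, y in enumerate(sbox):
        masked[x ^ m_in] = y ^ m_out
    return masked


def complement_table(masked):
    """Complementary table S': index and value are both one's-complemented,
    so S'[~x] = ~S''[x]."""
    comp = [0] * len(masked)
    for x, y in enumerate(masked):
        comp[x ^ ALL_ONES] = y ^ ALL_ONES
    return comp


def extend_table(masked, comp):
    """Simply extended table T': entries of S'' and S' are interleaved so the
    selection bit is the lowest index bit: T'[2i] = S''[i], T'[2i+1] = S'[i]."""
    ext = [0] * (2 * len(masked))
    for i, (a, b) in enumerate(zip(masked, comp)):
        ext[2 * i] = a
        ext[2 * i + 1] = b
    return ext


def build_extended(sbox, m_in, m_out):
    """Mask the S-box, build its complement, interleave both (assumed helper)."""
    masked = base_mask_table(sbox, m_in, m_out)
    return extend_table(masked, complement_table(masked))


def secondary_masked_access(ext, x_masked, select):
    """One table access under secondary masking. `select` is the random bit a
    device draws per access: 0 reads S'' at x_masked, 1 reads S' at the
    complemented index. The value loaded from memory is returned as-is; for
    select=1 it is the one's complement of the masked output, and the rest of
    the computation would carry on with that complement."""
    if select == 0:
        return ext[(x_masked << 1) | 0]
    return ext[((x_masked ^ ALL_ONES) << 1) | 1]


def recover_output(loaded, select, m_out):
    """Strip secondary masking (complement back if select=1), then the base mask."""
    y_masked = loaded ^ (ALL_ONES if select else 0)
    return y_masked ^ m_out


def hamming_weight(v):
    return bin(v).count("1")


def lookup_with_random_select(ext, x_masked, m_out):
    """Full round trip with a freshly drawn selection bit, as a device would do."""
    select = secrets.randbits(1)
    loaded = secondary_masked_access(ext, x_masked, select)
    return recover_output(loaded, select, m_out)


if __name__ == "__main__":
    m_in, m_out = 0x5, 0xA  # assumed masks for the demonstration
    ext = build_extended(SBOX, m_in, m_out)
    for x in range(len(SBOX)):
        xm = x ^ m_in
        w0 = hamming_weight(secondary_masked_access(ext, xm, 0))
        w1 = hamming_weight(secondary_masked_access(ext, xm, 1))
        print(f"x={x:#x}: loaded HW is {w0} or {w1}; "
              f"recovered S[x]={lookup_with_random_select(ext, xm, m_out):#x}")
```

The extended table costs twice the memory of the base-masked table, which is why the patent adds folding before extension; the random selection itself is a single bit per access, and nothing in the access path branches on the secret input beyond the table index already present in an unprotected lookup.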

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method, carried out in a processor, for executing a cryptographic calculation. During the calculation, a base masking is used by which intermediate values enter the calculation as masked intermediate values. In addition, folding and secondary masking are applied during the calculation. In folding, the masked intermediate value is computed from the unmasked intermediate value and at least one second intermediate value. In secondary masking, for each intermediate value masked by the base masking, the calculation is carried out under random control either with the masked intermediate value or with the one's complement of the masked intermediate value.
PCT/EP2015/000625 2014-03-26 2015-03-23 Masquage protégé contre l'attaque par canal latéral et économe en mémoire WO2015144305A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP15713647.4A EP3123461A1 (fr) 2014-03-26 2015-03-23 Masquage protégé contre l'attaque par canal latéral et économe en mémoire

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102014004378.9A DE102014004378A1 (de) 2014-03-26 2014-03-26 Speichereffiziente seitenkanalgeschützte Maskierung
DE102014004378.9 2014-03-26

Publications (1)

Publication Number Publication Date
WO2015144305A1 true WO2015144305A1 (fr) 2015-10-01

Family

ID=52785032

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2015/000625 WO2015144305A1 (fr) 2014-03-26 2015-03-23 Masquage protégé contre l'attaque par canal latéral et économe en mémoire

Country Status (3)

Country Link
EP (1) EP3123461A1 (fr)
DE (1) DE102014004378A1 (fr)
WO (1) WO2015144305A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112787800A (zh) * 2021-01-19 2021-05-11 清华大学 基于二阶掩码的加解密方法、装置、电子设备及存储介质

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102015015953B3 (de) 2015-12-08 2017-04-27 Giesecke & Devrient Gmbh Kryptoalgorithmus mit schlüsselabhängigem maskiertem Rechenschritt (SBOX-Aufruf)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102004032893A1 (de) * 2004-07-07 2006-02-02 Giesecke & Devrient Gmbh Ausspähungsgeschütztes Berechnen eines maskierten Ergebniswertes
US20080292100A1 (en) * 2007-05-24 2008-11-27 Kabushiki Kaisha Toshiba Non-linear data converter, encoder and decoder

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5398284A (en) * 1993-11-05 1995-03-14 United Technologies Automotive, Inc. Cryptographic encoding process
DE19822217B4 (de) 1998-05-18 2018-01-25 Giesecke+Devrient Mobile Security Gmbh Zugriffsgeschützter Datenträger
FR2820576B1 (fr) * 2001-02-08 2003-06-20 St Microelectronics Sa Procede de cryptage protege contre les analyses de consommation energetique, et composant utilisant un tel procede de cryptage
KR100594265B1 (ko) * 2004-03-16 2006-06-30 삼성전자주식회사 매스킹 방법이 적용된 데이터 암호처리장치, aes암호시스템 및 aes 암호방법.
ATE372619T1 (de) * 2005-05-10 2007-09-15 Research In Motion Ltd Schlüsselmaskierung für kryptographische prozesse
FR2950721B1 (fr) 2009-09-29 2011-09-30 Thales Sa Procede d'execution d'un algorithme de protection d'un dispositif electronique par masquage affine et dispositif associe
DE102012018924A1 (de) 2012-09-25 2014-03-27 Giesecke & Devrient Gmbh Seitenkanalgeschützte Maskierung

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102004032893A1 (de) * 2004-07-07 2006-02-02 Giesecke & Devrient Gmbh Ausspähungsgeschütztes Berechnen eines maskierten Ergebniswertes
US20080292100A1 (en) * 2007-05-24 2008-11-27 Kabushiki Kaisha Toshiba Non-linear data converter, encoder and decoder

Also Published As

Publication number Publication date
EP3123461A1 (fr) 2017-02-01
DE102014004378A1 (de) 2015-10-01

Similar Documents

Publication Publication Date Title
EP2901611B1 (fr) Masquage protégé contre l'attaque par observation
EP3593483B1 (fr) Transition d'un masquage booléen à un masquage arithmétique
WO2016074782A1 (fr) Procédé pour tester et durcir des applications logicielles
DE60223337T3 (de) Verfahren zur gesicherten verschlüsselung und baustein zur ausführung eines solchen verschlüsselungsverfahrens
DE60207818T2 (de) Gesichertes Verfahren zur kryptographischen Berechnung mit Geheimschlüssel und Bauteil, das ein solches Verfahren anwendet
DE69932740T2 (de) Verfahren und vorrichtung zur kryptographischen datenverarbeitung
EP1664979B1 (fr) Transition entre deux representations masquees d'une valeur lors de calculs cryptographiques
EP3123461A1 (fr) Masquage protégé contre l'attaque par canal latéral et économe en mémoire
DE60022840T2 (de) Verfahren zum sichern einer oder mehrerer elektronischer baugruppen, unter zuhilfenahme eines privatschlüssel-krypto-algorithmus, sowie elektronische baugruppe
EP3387636B1 (fr) Algorithme cryptographique comportant une étape de calcul masquée dépendant d'une clé (appel de sbox)
EP4101118A1 (fr) Génération de clé et protocole pace avec protection contre des attaques par canal latéral
EP1615098B1 (fr) Calcul d'une valeur masquée protégée contre l'espionnage.
EP3804209B1 (fr) Procédé avec mesure de défense safe-error
DE60213327T2 (de) Auf einem Blockverschlüsselungsalgorithmus mit Rundenwiederholung basiertes Verfahren und Vorrichtung zur Ausführung des Verfahrens
EP4360247A1 (fr) Procédé de calcul d'une transition d'un masquage booléen à un masquage arithmétique
EP1506473B1 (fr) Inversion modulaire protegee contre les tentatives d'espionnage
DE102012015158A1 (de) Gegen Ausspähen geschützte kryptographische Berechnung
EP1573955A1 (fr) Procede de chiffrement
DE102004032893B4 (de) Ausspähungsgeschütztes Berechnen eines maskierten Ergebniswertes
DE10303723B4 (de) Vorrichtung und Verfahren zum Berechnen von verschlüsselten Daten aus unverschlüsselten Daten oder von unverschlüsselten Daten aus verschlüsselten Daten
DE10149191A1 (de) Verfahren und Vorrichtung zum Ermitteln von Ursprungsausgangsdaten aus Ursprungseingangsdaten auf der Basis einer kryptographischen Operation
WO2013127519A2 (fr) Calcul protégé contre l'espionnage

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15713647

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2015713647

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2015713647

Country of ref document: EP