WO2017152056A1 - Converting a boolean masked value to an arithmetically masked value for cryptographic operations (Google Patents)
 Publication number: WO2017152056A1 (PCT application PCT/US2017/020670)
 Authority: WO (WIPO/PCT)
 Prior art keywords: value, input, share, share value, random number
Classifications
 G06F7/764—Masking (under G06F7/76—Arrangements for rearranging, permuting or selecting data according to predetermined rules, independently of the content of the data)
 G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits
 G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
 G06F7/58—Random or pseudorandom number generators
 G06F7/588—Random number generators, i.e. based on natural stochastic processes
 G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
 H04L9/002—Countermeasures against attacks on cryptographic mechanisms
 H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; the encryption apparatus using shift registers or memories for blockwise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
 H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications using a plurality of keys or algorithms
 H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
 G06F2207/7233—Masking, e.g. (A**e)+r mod n (under G06F2207/7219—Countermeasures against side channel or fault attacks and G06F2207/7223—Randomisation as countermeasure against side channel attacks)
 G06F2221/2107—File encryption
 H04L2209/04—Masking or blinding
 H04L2209/046—Masking or blinding of operations, operands or results of the operations
Definitions
 FIG. 1 illustrates an example device using a masked value conversion component for cryptographic operations in accordance with some embodiments.
 FIG. 2 is a block diagram of a masked value conversion component to provide a conversion from a Boolean masked value to an arithmetically masked value for cryptographic operations in accordance with some embodiments.
 FIG. 3A is a flow diagram of an example method to perform a conversion of a Boolean masked value to an arithmetically masked value for cryptographic operations in accordance with some embodiments of the present disclosure.
 FIG. 3B illustrates a series of operations to perform the conversion of the Boolean masked value to the arithmetically masked value for cryptographic operations in accordance with some embodiments of the present disclosure.
 FIG. 3C illustrates another series of operations to perform the conversion of the Boolean masked value to the arithmetically masked value for cryptographic operations in accordance with some embodiments of the present disclosure.
 FIG. 3D illustrates another series of operations to perform a third order conversion of the Boolean masked value to the arithmetically masked value in accordance with some embodiments of the present disclosure.
 FIG. 4 is an example implementation of a hardware architecture to convert a Boolean masked value to an arithmetically masked value in accordance with some embodiments.
 FIG. 5A is an example implementation of another hardware architecture to convert a Boolean masked value to an arithmetically masked value in accordance with some embodiments of the present disclosure.
 FIG. 5B is an example implementation of another hardware architecture to convert a Boolean masked value to an arithmetically masked value in accordance with some embodiments.
 FIG. 6 illustrates a block diagram of an embodiment of a computer system in which some embodiments of the disclosure may operate.
 aspects of the present disclosure are directed to converting a Boolean masked value to an arithmetically masked value for cryptographic operations.
 An integrated circuit may perform a cryptographic operation that may result in susceptibility of the integrated circuit to a side-channel attack where an attacker (e.g., an unauthorized entity) may obtain information as the
 An example of a side-channel attack includes, but is not limited to, Differential Power Analysis (DPA), where the attacker who seeks to obtain a secret key used in the cryptographic operation may study the differences in power consumption of the integrated circuit as the cryptographic operation is performed.
 An attacker may be an
 the attacker may be able to retrieve the secret key that is used to encrypt the plaintext to the ciphertext by observing the power consumption of the integrated circuit as the cryptographic operation is performed to encrypt the plaintext into the ciphertext.
 the attacker may uncover a cryptographic (e.g., secret or private) key that is used to encrypt the plaintext as the cryptographic operation is performed by the integrated circuit.
 Masking may be used to obfuscate or hide the input to the cryptographic operation with random data and then the cryptographic operation may be performed with the masked input. Such masking may render the intermediate states or values of the cryptographic operation
 the plaintext may be subject to a Boolean operation such as an exclusive-or (XOR) operation with a random value before the cryptographic operation encodes the plaintext into the ciphertext.
 the plaintext may be subject to an arithmetic operation such as an addition operation with a random value before the cryptographic operation encodes the plaintext into ciphertext.
 a Boolean masked value corresponding to the input x may be x', which represents (x ⊕ r) where r is a random number.
 an arithmetically masked value x' may represent (x + r) where r is the random number.
 Certain cryptographic operations may use both a Boolean operation and an arithmetic operation during the performance of the cryptographic operation.
 a cryptographic operation may perform both an XOR operation and an arithmetic (e.g., summation or subtraction) operation with masked values.
 the cryptographic operation may perform a first operation based on Boolean masked values and may subsequently perform a second operation based on arithmetically masked values.
 the Boolean masked values may need to be converted to arithmetically masked values.
 the conversion between the Boolean masked values to arithmetically masked values may need to be secure so that the conversion does not result in some DPA leakage (e.g., the attacker identifying information from observable differences in power consumption of the integrated circuit).
 the DPA leakage may result in an attacker being able to obtain the secret key (or secret-key dependent data) used in the cryptographic operation while the conversion between the Boolean masked value and the arithmetically masked value is performed.
 a process to efficiently and securely convert a Boolean masked value to an arithmetically masked value may be used to perform a cryptographic operation.
 Such a process may initiate a conversion between the Boolean masked value to the arithmetically masked value when an arithmetic operation is to be performed during the cryptographic operation.
 the conversion may be performed and may be implemented in an integrated circuit to prevent DPA leaks that allow an attacker to retrieve an input to the cryptographic operation (e.g., the unmasked value).
 the conversion may be performed with a fewer number of operations.
 aspects of the present disclosure provide additional security to an integrated circuit performing a cryptographic operation as well as an increased efficiency in the performance (e.g., less computation time) of the cryptographic operation when a Boolean masked value is to be converted to an arithmetically masked value.
 Fig. 1 illustrates an example device including a masked value conversion component.
 the device 100 may include an integrated circuit that is associated with a masked value conversion component 111, a memory 112, and cryptographic components 113.
 the masked value conversion component 111 of the integrated circuit may receive a Boolean masked input value and may convert the Boolean masked input value to an arithmetically masked input value for use in a cryptographic operation performed by the cryptographic components 113.
 the device 100 may include a masked value conversion component 111 that may convert a masked input value of a first type to a second type of masked input value.
 the masked value component 111 may receive a Boolean masked input value or share from the memory 112 and may perform a series of operations to convert the Boolean masked input value to an arithmetically masked input value.
 the masked value component 111 may further receive randomly generated numbers from a random number generation component.
 the memory 112 may be used to store the random numbers that are generated by the random number generation component, and the stored random numbers may be retrieved by the masked value conversion component 111.
 the masked value conversion component 111 may receive the random numbers from the random number generation component without the random numbers being stored at the memory 112.
 the cryptographic components 113 may subsequently use the arithmetically masked input value in a cryptographic operation. Examples of such cryptographic operations include, but are not limited to, generating a digital signature to authenticate the device 100 or a component of the device 100, encrypting or decrypting data, etc.
 the masked value conversion component 111 may convert a Boolean masked input value to an arithmetically masked input value for use by the cryptographic components 113.
 the cryptographic components 113 may perform a cryptographic operation based on the arithmetically masked input value.
 Examples of such cryptographic operations may be based on, but are not limited to, Secure Hash Algorithm (SHA)-1, SHA-2, International Data Encryption Algorithm (IDEA), Rivest Cipher 6 (RC6), Extended Tiny Encryption Algorithm (XTEA), ChaCha20, Salsa20, etc.
 the cryptographic components 113 may perform a cryptographic operation. At a first part of the cryptographic operation, the operations that are performed by the cryptographic components 113 may correspond to Boolean operations. For example, an exclusive-or (XOR) operation may be performed with a Boolean masked input value that is received from the memory 112 or from another component of the device 100. At a second part of the cryptographic operation, the operations that are performed by the cryptographic components 113 may correspond to arithmetic operations. For example, an addition operation with integers may be performed.
 the cryptographic operation may switch from being based on, or using, Boolean operations to being based on, or using, arithmetic operations.
 the Boolean masked input value may first be converted to arithmetically masked values so that the arithmetic operations may then be performed.
 the cryptographic components 113 may provide a request to the masked value conversion component 111 to convert a Boolean masked input value stored at the memory 112.
 the Boolean masked input value may be converted to an arithmetically masked input value and then used by the cryptographic components 113 to perform arithmetic operations as part of the cryptographic operation that is being performed. Further details with regard to converting a Boolean masked input value to an arithmetically masked input value are described in conjunction with Fig. 3A.
 Fig. 2 is a block diagram of a masked value conversion component 200 to convert a Boolean masked input value to an arithmetically masked input value.
 the masked value conversion component 200 may correspond to the masked value conversion component 111 of Fig. 1.
 the masked value conversion component 200 may be implemented by or in processing logic that may include hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, integrated circuit, hardware of a device, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
 the masked value conversion component 200 may include a shares receiver subcomponent 210, a conversion indicator subcomponent 220, a random number generator subcomponent 230, a converter subcomponent 240, a combination subcomponent 250, and an output masked value subcomponent 260.
 the functionality of one or more of the subcomponents may be combined or divided.
 the masked value conversion component 200 may include a shares receiver subcomponent 210 that may receive shares corresponding to a masked input value.
 the masked value conversion component 200 may receive three or more shares that correspond to the masked input value.
 a value 'x' may be masked by combining the value 'x' with a first random number and a second random number.
 the combination of the value 'x' with the first and second random numbers may be the first share.
 the first random number may be the second share and the second random number may be the third share.
 the masked value conversion component 200 may further include a conversion indicator subcomponent 220 that may receive an indication that a cryptographic component that has been performing a cryptographic operation based on a Boolean operation is now performing the cryptographic operation based on an arithmetic operation.
 the shares receiver subcomponent 210 may receive the first, second, and third shares from another component or a memory of a device that includes the masked value conversion component 200.
 the random number generator subcomponent 230 may generate random numbers for use in the conversion of the Boolean masked input value to an arithmetically masked input value.
 the converter subcomponent 240 may perform an operation with a value represented by a combination of three values that are subjected to an exclusive-or (XOR) operation, as described in further detail with regard to Fig. 3A.
 the converter subcomponent 240 may convert one of the three received shares.
 the combination subcomponent 250 may combine multiple values to generate the arithmetically masked output value.
 the combination subcomponent may perform an addition operation, an XOR operation, and/or a subtraction operation with multiple values.
 the output masked value subcomponent 260 may provide the result of the combination subcomponent as the converted masked value to a cryptographic component performing a cryptographic operation.
 Fig. 3A is a flow diagram of an example method 300 to perform a conversion of a Boolean masked value to an arithmetically masked value for cryptographic operations.
 the method 300 may be performed by processing logic that may include hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
 the method 300 may be performed by the masked value conversion component 111 of Fig. 1 or the masked value conversion component 200 of Fig. 2.
 the method 300 may begin, at block 310, with processing logic receiving a first share (x'), a second share (r1), and a third share (r2), where the first share represents a combination of an input value, the second share, and the third share (x ⊕ r1 ⊕ r2).
 the first share may represent an input value (e.g., x) that is masked by combining the input value with the second share and the third share based on XOR operations.
 the first share may correspond to a Boolean value as the first share is based on the XOR operations.
 the second share and the third share may correspond to random numbers.
 each of the second share and the third share may correspond to different random numbers.
 multiple shares (i.e., input shares) corresponding to a Boolean input value may be received.
 the processing logic may further convert the first share to a summation between the input value and an intermediate value that is representative of the second share exclusive-or
 the received first share (x ⊕ r1 ⊕ r2) may be converted to (x + (r1 ⊕ r2)).
 an extra random value may be used where the first share is changed to (x ⊕ r1 ⊕ r2 ⊕ a) and converted to (x + (r1 ⊕ r2 ⊕ a)), where a may correspond to a new random number.
 another extra random value (written b here) may be used where the first share is first changed to (x ⊕ r1 ⊕ r2 ⊕ a) and converted to (x + (r1 ⊕ r2 ⊕ a)), followed by an XOR operation between the intermediate value and the extra random value ((x + (r1 ⊕ r2 ⊕ a)) ⊕ b), which is converted to (x + (r1 ⊕ r2 ⊕ a)) + b.
 the processing logic may further generate a random number (v) (block 330). In some embodiments, the random number may be different from the random numbers of the second share and the third share. Furthermore, the processing logic may combine the random number with the intermediate value (v ⊕ r1 ⊕ r2).
 an XOR operation may be performed between the generated random value and the second share and the third share.
 the random number may first be combined with one of the second share or the third share and the result may subsequently be combined with the other of the second share or the third share so that the random number is not stored separately in a memory element or register.
 the combined value may be stored in a register where random number and the second share are combined to generate an intermediate value and the intermediate value is then combined with the third share to generate the combined value.
 the random number may be combined with the intermediate value that corresponds to (v + (r1 ⊕ r2 ⊕ a)) as described above.
 an XOR operation may be performed between the generated random value, the second share, the third share, and the new random number 'a.'
 the processing logic may further convert the combined value of the random number and the intermediate value to a summation between the random number and the intermediate value (v + (r1 ⊕ r2)) (block 350).
 the combined value of the random number with the second share and the third share may be converted to a summation (or subtraction) between the random number and a value that represents the second share combined with the third share by an XOR operation.
 the processing logic may convert the combined value of the random number and the intermediate value to a subtraction between the random number and the intermediate value (v - (r1 ⊕ r2)).
 the processing logic may further generate additional random numbers (s1, s2) (block 360).
 the additional random numbers that are generated may be different than the random numbers corresponding to the second share and the third share. In alternative embodiments, the additional random numbers that are generated may be the same as the random numbers corresponding to the second share and the third share.
 the additional random numbers may correspond to two new random mask values used with the original input value (e.g., x).
 the processing logic may further combine the converted first share (x + (r1 ⊕ r2)) with the additional random numbers (s1, s2) and the converted combined value (v + (r1 ⊕ r2)) (block 370). For example, the converted first share may be added with each of the additional random numbers and the converted combined value may be subtracted from the result.
 the processing logic may perform a summation operation based on the converted first share and additional random numbers and a subtraction operation with the converted combined value: (x + (r1 ⊕ r2)) + s1 + s2 + v - (v + (r1 ⊕ r2)), (x + (r1 ⊕ r2 ⊕ a)) + s1 + s2 + v - (v + (r1 ⊕ r2 ⊕ a)), or (x + (r1 ⊕ r2 ⊕ a)) + b + s1 + s2 + v - (v + (r1 ⊕ r2 ⊕ a)) - b (b denoting the second extra random value).
 the first share may correspond to a value that is equal to or represents x + s1 + s2, which is the result of combining the converted first share with the additional random numbers and the converted combined value
 the second share may correspond to the value s1
 the third share may correspond to the value s2.
 the processing logic may further combine the converted first share with one of the additional random numbers (s1, s2) and with the converted combined value that is represented by (v - (r1 ⊕ r2)) or (v - (r1 ⊕ r2 ⊕ a)).
 the subtraction operation with the converted combined value may be replaced by a value based on the second additional random number that is summed with the result of an XOR operation between the second share and the third share (s2 + (r1 ⊕ r2)).
 an operation corresponding to the following equations may be performed: (x + (r1 ⊕ r2)) + s1 + (s2 - (r1 ⊕ r2)), (x + (r1 ⊕ r2 ⊕ a)) + s1 + (s2 - (r1 ⊕ r2 ⊕ a)), or (x + (r1 ⊕ r2 ⊕ a)) + b + s1 + (s2 - (r1 ⊕ r2 ⊕ a)) - b (b denoting the second extra random value).
 one or more additional random numbers (e.g., v)
 Each of the operations may result in a value that corresponds to x + s1 + s2, which may be used as an arithmetic first share.
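The following C code is an added illustration of the data flow of blocks 320 to 370 (convert x', blind with v, convert again, recombine) and of the variant that replaces the subtraction of (v + (r1 ⊕ r2)) by an added (s2 - (r1 ⊕ r2)); it is not code from the patent or from any implementation it describes. It assumes 32-bit words (all arithmetic is mod 2^32), uses Goubin's first-order Boolean-to-arithmetic conversion for the inner "convert to a summation" steps because the page does not state how those steps are carried out, and takes every random value as a constructed parameter so that the result can be checked offline. It demonstrates that the output shares recombine to the original input; it makes no claim about the leakage order of this particular sequencing of operations, which is exactly what a real implementation would need to evaluate.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t y, s1, s2; } arith_shares_t;

/* First-order Boolean-to-arithmetic step: from xb = x ^ m to x + m (mod 2^32).
 * The mask m is passed as two pieces m1, m2 (m = m1 ^ m2) so that m itself is
 * never written to a variable on its own.  ASSUMPTION: the page does not say
 * how this inner step is done; this is Goubin's 2001 method in its addition
 * form, which relies on f(r) = (xb ^ r) + r being affine over GF(2) in r, so
 * that f(m) = f(g) ^ f(g ^ m) ^ f(0) for any fresh random g. */
static uint32_t b2a_first_order_add(uint32_t xb, uint32_t m1, uint32_t m2, uint32_t g)
{
    uint32_t t = xb ^ g;
    t = t + g;              /* f(g)                       */
    t = t ^ xb;             /* f(g) ^ f(0), f(0) = xb     */
    uint32_t gm = g ^ m1;
    gm = gm ^ m2;           /* g ^ m, built one piece at a time */
    uint32_t a = xb ^ gm;
    a = a + gm;             /* f(g ^ m)                   */
    return a ^ t;           /* f(m) = (x ^ m ^ m) + m = x + m */
}

/* Second-order conversion following the data flow of method 300:
 *   in  (xp, r1, r2) with xp = x ^ r1 ^ r2
 *   out (y, s1, s2)  with y  = x + s1 + s2 (mod 2^32).
 * v, s1, s2 and the Goubin randoms g1, g2 are fresh values supplied by the
 * caller so that the function is deterministic and testable. */
static arith_shares_t b2a_second_order(uint32_t xp, uint32_t r1, uint32_t r2,
                                       uint32_t v, uint32_t s1, uint32_t s2,
                                       uint32_t g1, uint32_t g2)
{
    uint32_t xa = b2a_first_order_add(xp, r1, r2, g1);  /* block 320: x + (r1 ^ r2) */
    uint32_t vb = v ^ r1;                               /* block 340: v combined with */
    vb = vb ^ r2;                                       /*   one share, then the other */
    uint32_t va = b2a_first_order_add(vb, r1, r2, g2);  /* block 350: v + (r1 ^ r2) */
    uint32_t y = xa + s1;                               /* block 370                */
    y = y + s2;
    y = y + v;
    y = y - va;   /* (x + (r1^r2)) + s1 + s2 + v - (v + (r1^r2)) = x + s1 + s2 */
    arith_shares_t out = { y, s1, s2 };
    return out;
}

/* Variant from the same description: the subtraction of (v + (r1 ^ r2)) is
 * replaced by adding (s2 - (r1 ^ r2)), so no blinding value v is needed.
 * Note that this forms r1 ^ r2 directly, as the page's equation writes it. */
static arith_shares_t b2a_second_order_variant(uint32_t xp, uint32_t r1, uint32_t r2,
                                               uint32_t s1, uint32_t s2, uint32_t g1)
{
    uint32_t xa = b2a_first_order_add(xp, r1, r2, g1);  /* x + (r1 ^ r2)  */
    uint32_t s2m = s2 - (r1 ^ r2);                      /* s2 - (r1 ^ r2) */
    uint32_t y = xa + s1;
    y = y + s2m;                                        /* = x + s1 + s2  */
    arith_shares_t out = { y, s1, s2 };
    return out;
}

/* Recombination helpers, used only to check results: they expose x, so they
 * have no place in a masked implementation. */
static uint32_t unmask_boolean(uint32_t xp, uint32_t r1, uint32_t r2) { return xp ^ r1 ^ r2; }
static uint32_t unmask_arith(arith_shares_t s) { return s.y - s.s1 - s.s2; }

/* Mask x with the supplied randoms, run both conversions, and report whether
 * every set of shares recombines to the original x. */
static int conversion_round_trip(uint32_t x, uint32_t r1, uint32_t r2, uint32_t v,
                                 uint32_t s1, uint32_t s2, uint32_t g1, uint32_t g2)
{
    uint32_t xp = x ^ r1 ^ r2;
    arith_shares_t a = b2a_second_order(xp, r1, r2, v, s1, s2, g1, g2);
    arith_shares_t b = b2a_second_order_variant(xp, r1, r2, s1, s2, g1);
    return unmask_boolean(xp, r1, r2) == x && unmask_arith(a) == x && unmask_arith(b) == x;
}

int main(void)
{
    /* constructed sample values; a device would draw these from its RNG */
    int ok = conversion_round_trip(0x12345678u, 0xA5A5A5A5u, 0x0F0F0F0Fu, 0xDEADBEEFu,
                                   0x01234567u, 0x89ABCDEFu, 0x13579BDFu, 0x2468ACE0u);
    printf("Boolean -> arithmetic round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The ordering inside `b2a_second_order` mirrors the page's remark that v is combined with one share and then the other, so that neither r1 ⊕ r2 nor v ⊕ (r1 ⊕ r2) is written as an unblinded pair; the variant, by contrast, computes r1 ⊕ r2 outright, which is worth keeping in mind when comparing the two on a real target.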
 three or more shares may be received where a first share corresponds to a Boolean based share and the other shares correspond to random numbers.
 Operations may be performed to convert the Boolean-based share to an arithmetic-based share.
 the operations may be performed in constant time (e.g., the running time does not depend on the input length of the Boolean masked input value) and in fewer computation steps or operations.
 the following table illustrates that the present disclosure operates in fewer low-level instructions (Add, Subtract, XOR, etc.) than typical Boolean to arithmetic conversion processes.
 the following table shows the number of low-level instructions required by the current state of the art compared to that required by this disclosure based on different security orders (e.g., the number of masked shares that are used):
 the method 300 may be performed by the series of operations as illustrated with respect to Fig. 3B.
 the series of operations may include 31 computational operations or steps to perform the method 300.
 the series of operations as illustrated with respect to Fig. 3C may be performed.
 the series of operations of Fig. 3C may correspond to an implementation based on an XOR sum performed at the end of the conversion process.
 the Boolean to arithmetic conversion process may also be based on more than three input share values. For example, four or more input share values may be used in the conversion process.
 the series of operations of Fig. 3D may correspond to an implementation using four input share values (e.g., a third-order Boolean-to-arithmetic mask conversion).
 Fig. 4 is a hardware architecture 400 to convert a Boolean masked value to an arithmetically masked value.
 the architecture 400 may correspond to the masked value conversion component 111 of Fig. 1 or the masked value conversion component 200 of Fig. 2.
 the architecture 400 may include a first group of memory elements 410 (e.g., registers), a second group of memory elements 420, and a third group of memory elements 430.
 the first group of memory elements 410 may receive the first share, the second share, and the third share as previously described.
 a first register of the first group of memory elements 410 may store x', which may represent a Boolean value of (x ⊕ r1 ⊕ r2) where x is the unmasked input value, r1 is a random number and the second share, and r2 is another random number and the third share.
 the second register of the first group of memory elements 410 stores the second share r1 and the third register of the first group of memory elements 410 stores the third share r2.
 the second group of memory elements 420 may receive and store various random numbers that are generated for use in the converting of the Boolean shares to the arithmetic shares.
 the registers of the second group of memory elements 420 may store random numbers to convert the first share and additional randomly generated numbers as previously described.
 the architecture 400 may include a series of exclusiveor (XOR) gates, adders, and subtracter components as illustrated in Fig. 4.
 the outputs of the architecture 400 may be stored at the third group of memory elements 430.
 a combination of the values stored at registers of the first group 410 and the second group 420 may be used to generate the arithmetic share that is converted from the Boolean share.
 a first register of the third group of memory elements 430 may store the converted first share (e.g., x')
 a second and third register of the third group of memory elements 430 may store additional mask values (e.g., s1 and s2).
 the first group of memory elements 410 may store the shares corresponding to the Boolean masked input
 the second group of memory elements 420 may store randomly generated numbers that are used in the conversion process
 the third group of memory elements 430 may store the shares corresponding to the arithmetically masked value.
 Fig. 5A is an example implementation of a hardware architecture 500 to convert a Boolean masked value to an arithmetically masked value.
 the architecture 500 may correspond to the masked value conversion component 111 of Fig. 1 or the masked value conversion component 200 of Fig. 2.
 the architecture 500 may include a first group of memory elements 510 and a second group of memory elements 520.
 the first group of memory elements 510 may store the first share, the second share, and the third share corresponding to a Boolean masked input value as previously described.
 Various functions corresponding to the functionality of the logic of architecture 400 may split or divide the process of converting the Boolean masked input value to an arithmetically masked input value.
 each of the functions F1, F2, and F3 may perform a portion of the conversion process or include a portion of the logic of the architecture 400.
 each of the functions F1, F2, and F3 may receive a subset of the shares.
 each of the functions may receive two of the three shares corresponding to the Boolean masked input value. Subsequently, the outputs of the functions may be combined and stored at the second group of memory elements 520 to store the first share, second share, and third share for the arithmetically masked input value that has been converted from the Boolean masked input value. In alternative embodiments, the outputs of the functions may not be combined.
Fig. 5B is another hardware architecture 550 to convert a Boolean masked value to an arithmetically masked value. The architecture 550 may correspond to the masked value conversion component 111 of Fig. 1 or the masked value conversion component 200 of Fig. 2. The architecture 500 may include a first group of memory elements 560, a second group of memory elements 570, and a third group of memory elements 580. The registers of the first group of memory elements 560 may receive and store the first share, the second share, and the third share corresponding to a Boolean masked input value that is to be converted to the arithmetically masked input value. A first set of functions F11, F12, F13, and F14 may perform a first portion of the conversion process, and the results of the first portion of the conversion process may be stored at the registers of the second group of memory elements 570. The number of shares may be increased or expanded by using additional functions as shown in Fig. For example, the Boolean masked input value of three shares may be increased to four intermediate shares and stored at the second group of memory elements 570. A second set of functions F21, F22, and F23 may perform a second portion of the conversion process, and the results of the second portion of the conversion process may be stored at the registers of the third group of memory elements 580. The second set of functions may receive the four intermediate shares and generate a smaller number of shares that correspond to the arithmetically masked input value. For example, the four intermediate shares may be used by the three functions of the second set of functions to generate the three shares corresponding to the arithmetically masked input value. Although Fig. 5B illustrates two sets of functions, the architecture to convert the Boolean masked value to the arithmetically masked value may include any number of sets of functions.
Fig. 6 illustrates an example machine of a computer system 600 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. The machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
The term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
The example computer system 600 includes a processing device 602, a main memory 604 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 606 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 618, which communicate with each other via a bus 630.
Processing device 602 represents one or more general-purpose processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processor implementing other instruction sets, or a processor implementing a combination of instruction sets. Processing device 602 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), a network processor, or the like. The processing device 602 is configured to execute instructions 626 for performing the operations and steps discussed herein.
The computer system 600 may further include a network interface device 608 to communicate over the network 620. The computer system 600 also may include a video display unit 610 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 612 (e.g., a keyboard), a cursor control device 614 (e.g., a mouse), a graphics processing unit 622, a signal generation device 616 (e.g., a speaker), a video processing unit 628, and an audio processing unit 632.
The data storage device 618 may include a machine-readable storage medium 624 (also known as a computer-readable medium) on which is stored one or more sets of instructions or software 626 embodying any one or more of the methodologies or functions described herein. The instructions 626 may also reside, completely or at least partially, within the main memory 604 and/or within the processing device 602 during execution thereof by the computer system 600, the main memory 604 and the processing device 602 also constituting machine-readable storage media. The instructions 626 include instructions to implement functionality corresponding to a masked value conversion component (e.g., masked value conversion component 111 of Fig. 1 or masked value conversion component 200 of Fig. 2). While the machine-readable storage medium 624 is shown in an example implementation to be a single medium, the term "machine-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions.
The term "machine-readable storage medium" shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure. The term "machine-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as a read only memory ("ROM"), random access memory ("RAM"), magnetic disk storage media, optical storage media, flash memory devices, etc.
Abstract
A first input share value, a second input share value, and a third input share value may be received. The first input share value may be converted to a summation or subtraction between an input value and a combination of the second input share value and the third input share value. A random number value may be generated and combined with the second input share value and the third input share value to generate a combined value. Furthermore, a first output share value may be generated based on a combination of the converted first input share value, the combined value, and additional random number values.
Description
CONVERTING A BOOLEAN MASKED VALUE TO AN ARITHMETICALLY MASKED VALUE FOR CRYPTOGRAPHIC OPERATIONS
BRIEF DESCRIPTION OF THE DRAWINGS
[001] The present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various implementations of the disclosure.
[002] FIG. 1 illustrates an example device using a masked value conversion component for cryptographic operations in accordance with some embodiments.
[003] FIG. 2 is a block diagram of a masked value conversion component to provide a conversion from a Boolean masked value to an arithmetically masked value for cryptographic operations in accordance with some embodiments.
[004] FIG. 3A is a flow diagram of an example method to perform a conversion of a Boolean masked value to an arithmetically masked value for cryptographic operations in accordance with some embodiments of the present disclosure.
[005] FIG. 3B illustrates a series of operations to perform the conversion of the Boolean masked value to the arithmetically masked value for cryptographic operations in accordance with some embodiments of the present disclosure.
[006] FIG. 3C illustrates another series of operations to perform the conversion of the Boolean masked value to the arithmetically masked value for cryptographic operations in accordance with some embodiments of the present disclosure.
[007] FIG. 3D illustrates another series of operations to perform a third order conversion of the Boolean masked value to the arithmetically masked value in accordance with some embodiments of the present disclosure.
[008] FIG. 4 is an example implementation of a hardware architecture to convert a Boolean masked value to an arithmetically masked value in accordance with some embodiments.
[009] FIG. 5A is an example implementation of another hardware architecture to convert a Boolean masked value to an arithmetically masked value in accordance with some embodiments of the present disclosure.
[0010] FIG. 5B is an example implementation of another hardware architecture to convert a Boolean masked value to an arithmetically masked value in accordance with some embodiments.
[0011] FIG. 6 illustrates a block diagram of an embodiment of a computer system in which some embodiments of the disclosure may operate.
DETAILED DESCRIPTION
[0012] Aspects of the present disclosure are directed to converting a Boolean masked value to an arithmetically masked value for cryptographic operations. An integrated circuit may perform a cryptographic operation that may result in susceptibility of the integrated circuit to a side-channel attack where an attacker (e.g., an unauthorized entity) may obtain information as the cryptographic operation is performed. An example of a side-channel attack includes, but is not limited to, Differential Power Analysis (DPA), where the attacker who seeks to obtain a secret key used in the cryptographic operation may study the differences in power consumption of the integrated circuit as the cryptographic operation is performed. An attacker may be an unauthorized entity that may obtain the input (e.g., the secret key) to the cryptographic operation by analyzing power consumption measurements of the integrated circuit over a period of time. Accordingly, when a sender transmits a ciphertext to a receiver by encrypting plaintext via a cryptographic operation, the attacker may be able to retrieve the secret key that is used to encrypt the plaintext to the ciphertext by observing the power consumption of the integrated circuit as the cryptographic operation is performed to encrypt the plaintext into the ciphertext. For example, the attacker may uncover a cryptographic (e.g., secret or private) key that is used to encrypt the plaintext as the cryptographic operation is performed by the integrated circuit.
[0013] Masking may be used to obfuscate or hide the input to the cryptographic operation with random data, and the cryptographic operation may then be performed with the masked input. Such masking may render the intermediate states or values of the cryptographic operation indistinguishable from random data when an attacker of the integrated circuit observes its power consumption while it performs the cryptographic operation. For example, the plaintext may be subject to a Boolean operation such as an exclusive-or (XOR) operation with a random value before the cryptographic operation encodes the plaintext into the ciphertext. Alternatively, the plaintext may be subject to an arithmetic operation such as an addition operation with a random value before the cryptographic operation encodes the plaintext into ciphertext. As an example, for an input x, a Boolean masked value corresponding to the input x may be x' that represents (x ⊕ r) where r is a random number. Furthermore, for the input x, an arithmetically masked value x' may represent (x + r) where r is the random number.
[0014] Certain cryptographic operations may use both a Boolean operation and an arithmetic operation during the performance of the cryptographic operation. For example, a cryptographic operation may perform both an XOR operation and an arithmetic (e.g., summation or subtraction) operation with masked values. The cryptographic operation may perform a first operation based on Boolean masked values and may subsequently perform a second operation based on arithmetically masked values. Thus, in order to perform the arithmetic operation, the Boolean masked values may need to be converted to arithmetically masked values. The conversion from Boolean masked values to arithmetically masked values may need to be secure so that the conversion does not result in DPA leakage (e.g., the attacker identifying information from observable differences in power consumption of the integrated circuit). Such DPA leakage may result in an attacker being able to obtain the secret key (or secret-key dependent data) used in the cryptographic operation while the conversion from the Boolean masked value to the arithmetically masked value is performed.
[0015] Accordingly, a process to efficiently and securely convert a Boolean masked value to an arithmetically masked value may be used to perform a cryptographic operation. Such a process may initiate a conversion from the Boolean masked value to the arithmetically masked value when an arithmetic operation is to be performed during the cryptographic operation. The conversion may be performed and may be implemented in an integrated circuit to prevent DPA leaks that allow an attacker to retrieve an input to the cryptographic operation (e.g., the unmasked value). Furthermore, the conversion may be performed with fewer operations. Thus, aspects of the present disclosure provide additional security to an integrated circuit performing a cryptographic operation as well as increased efficiency in the performance (e.g., less computation time) of the cryptographic operation when a Boolean masked value is to be converted to an arithmetically masked value.
[0016] Fig. 1 illustrates an example device including a masked value conversion component. In general, the device 100 may include an integrated circuit that is associated with a masked value conversion component 111, a memory 112, and cryptographic components 113. The masked value conversion component 111 of the integrated circuit may receive a Boolean masked input value and may convert the Boolean masked input value to an arithmetically masked input value for use in a cryptographic operation performed by the cryptographic components 113.
[0017] As shown in Fig. 1, the device 100 may include a masked value conversion component 111 that may convert a masked input value of a first type to a second type of masked input value. For example, the masked value conversion component 111 may receive a Boolean masked input value or share from the memory 112 and may perform a series of operations to convert the Boolean masked input value to an arithmetically masked input value. The masked value conversion component 111 may further receive randomly generated numbers from a random number generation component. For example, in some embodiments, the memory 112 may be used to store the random numbers that are generated by the random number generation component, and the stored random numbers may be retrieved by the masked value conversion component 111. In the same or alternative embodiments, the masked value conversion component 111 may receive the random numbers from the random number generation component without the random numbers being stored at the memory 112. The cryptographic components 113 may subsequently use the arithmetically masked input value in a cryptographic operation. Examples of such cryptographic operations include, but are not limited to, generating a digital signature to authenticate the device 100 or a component of the device 100, encrypting or decrypting data, etc. Accordingly, the masked value conversion component 111 may convert a Boolean masked input value to an arithmetically masked input value for use by the cryptographic components 113. Furthermore, the cryptographic components 113 may perform a cryptographic operation based on the arithmetically masked input value. Examples of such cryptographic operations may be based on, but are not limited to, Secure Hash Algorithm (SHA)-1, SHA-2, International Data Encryption Algorithm (IDEA), Rivest Cipher 6 (RC6), Extended Tiny Encryption Algorithm (XTEA), ChaCha20, Salsa20, etc.
[0018] In operation, the cryptographic components 113 may perform a cryptographic operation. At a first part of the cryptographic operation, the operations that are performed by the cryptographic components 113 may correspond to Boolean operations. For example, an exclusive-or (XOR) operation may be performed with a Boolean masked input value that is received from the memory 112 or from another component of the device 100. At a second part of the cryptographic operation, the operations that are performed by the cryptographic components 113 may correspond to arithmetic operations. For example, an addition operation with integers may be performed. Thus, the cryptographic operation may switch from being based on, or using, Boolean operations to being based on, or using, arithmetic operations. However, since the first part of the cryptographic operation, which is based on the Boolean operations, produces Boolean-masked values, the Boolean masked input value may first be converted to arithmetically masked values so that the arithmetic operations may then be performed. When the cryptographic components 113 are to perform the arithmetic operations, the cryptographic components 113 may provide a request to the masked value conversion component 111 to convert a Boolean masked input value stored at the memory 112. The Boolean masked input value may be converted to an arithmetically masked input value and then used by the cryptographic components 113 to perform arithmetic operations as part of the cryptographic operation that is being performed. Further details with regard to converting a Boolean masked input value to an arithmetically masked input value are described in conjunction with Fig. 3A.
[0019] Fig. 2 is a block diagram of a masked value conversion component 200 to convert a Boolean masked input value to an arithmetically masked input value. The masked value conversion component 200 may correspond to the masked value conversion component 111 of Fig. 1. Furthermore, the masked value conversion component 200 may be implemented by or in processing logic that may include hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, integrated circuit, hardware of a device, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the masked value conversion component 200 may include a shares receiver subcomponent 210, a conversion indicator subcomponent 220, a random number generator subcomponent 230, a converter subcomponent 240, a combination subcomponent 250, and an output masked value subcomponent 260. In alternative embodiments, the functionality of one or more of the subcomponents may be combined or divided.
[0020] As shown in Fig. 2, the masked value conversion component 200 may include a shares receiver subcomponent 210 that may receive shares corresponding to a masked input value. The masked value conversion component 200 may receive three or more shares that correspond to the masked input value. For example, a value 'x' may be masked by combining the value 'x' with a first random number and a second random number. The combination of the value 'x' with the first and second random numbers may be the first share. The first random number may be the second share and the second random number may be the third share. In some embodiments, a combination of the first share, second share, and the third share may result in the value of 'x.'
[0021] The masked value conversion component 200 may further include a conversion indicator subcomponent 220 that may receive an indication that a cryptographic component that has been performing a cryptographic operation based on a Boolean operation is now performing the cryptographic operation based on an arithmetic operation. In response to receiving the indication, the shares receiver subcomponent 210 may receive the first, second, and third shares from another component or a memory of a device that includes the masked value conversion component 200. The random number generator subcomponent 230 may generate random numbers for use in the conversion of the Boolean masked input value to an arithmetically masked input value.
[0022] Furthermore, the converter subcomponent 240 may perform an operation with a value represented by a combination of three values that are subjected to an exclusive-or (XOR) operation, as described in further detail with regard to Fig. 3A. For example, the converter subcomponent 240 may convert one of the three received shares. The combination subcomponent 250 may combine multiple values to generate the arithmetically masked output value. For example, the combination subcomponent may perform an addition operation, an XOR operation, and/or a subtraction operation with multiple values. Additionally, the output masked value subcomponent 260 may provide the result of the combination subcomponent as the converted masked value to a cryptographic component performing a cryptographic operation.
[0023] Fig. 3A is a flow diagram of an example method 300 to perform a conversion of a Boolean masked value to an arithmetically masked value for cryptographic operations. The method 300 may be performed by processing logic that may include hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 300 may be performed by the masked value conversion component 111 of Fig. 1 or the masked value conversion component 200 of Fig. 2.
[0024] As shown in Fig. 3A, the method 300 may begin, at block 310, with processing logic receiving a first share (x'), a second share (r1), and a third share (r2), where the first share represents a combination of an input value, the second share, and the third share (x ⊕ r1 ⊕ r2). Thus, the first share may represent an input value (e.g., x) that is masked by combining the input value with the second share and the third share based on XOR operations. The first share may correspond to a Boolean value as the first share is based on the XOR operations. In some embodiments, the second share and the third share may correspond to random numbers. For example, each of the second share and the third share may correspond to different random numbers. As such, multiple shares (i.e., input shares) corresponding to a Boolean input value may be received.
[0025] The processing logic may further convert the first share to a summation between the input value and an intermediate value that is representative of the second share exclusive-or (XOR) with the third share, (x + (r1 ⊕ r2)) (block 320). Thus, the received first share (x ⊕ r1 ⊕ r2) may be converted to (x + (r1 ⊕ r2)). In some embodiments, an extra random value may be used where the first share is changed to (x ⊕ r1 ⊕ r2 ⊕ a) and converted to (x + (r1 ⊕ r2 ⊕ a)), where a may correspond to a new random number. In some embodiments, another extra random value μ may be used where the first share is first changed to (x ⊕ r1 ⊕ r2 ⊕ a) and converted to (x + (r1 ⊕ r2 ⊕ a)), followed by an XOR operation between the intermediate value and the extra random value, ((x + (r1 ⊕ r2 ⊕ a)) ⊕ μ), which is converted to (x + (r1 ⊕ r2 ⊕ a)) + μ. The processing logic may further generate a random number (v) (block 330). In some embodiments, the random number may be different than the random numbers of the second share and the third share. Furthermore, the processing logic may combine the random number with the intermediate value (v ⊕ r1 ⊕ r2) (block 340). For example, an XOR operation may be performed between the generated random value and the second share and the third share. In some embodiments, the random number may first be combined with one of the second share or the third share, and the result may subsequently be combined with the other of the second share or the third share so that the random number is not stored separately in a memory element or register. For example, the combined value may be stored in a register where the random number and the second share are combined to generate an intermediate value and the intermediate value is then combined with the third share to generate the combined value. In an alternative embodiment, the random number may be combined with the intermediate value that corresponds to (v + (r1 ⊕ r2 ⊕ a)) as described above. For example, an XOR operation may be performed between the generated random value, the second share, the third share, and the new random number 'a.'
[0026] Referring to Fig. 3A, the processing logic may further convert the combined value of the random number and the intermediate value to a summation between the random number and the intermediate value, (v + (r1 ⊕ r2)) (block 350). For example, the combined value of the random number with the second share and the third share may be converted to a summation (or subtraction) between the random number and a value that represents the second share combined with the third share by an XOR operation. In the alternative embodiment, the processing logic may convert the combined value of the random number and the intermediate value to a subtraction between the random number and the intermediate value, (v − (r1 ⊕ r2)). The processing logic may further generate additional random numbers (s1, s2) (block 360). In some embodiments, the additional random numbers that are generated may be different than the random numbers corresponding to the second share and the third share. In alternative embodiments, the additional random numbers that are generated may be the same as the random numbers corresponding to the second share and the third share. The additional random numbers may correspond to two new random mask values used with the original input value (e.g., x). The processing logic may further combine the converted first share (x + (r1 ⊕ r2)) with the additional random numbers (s1, s2) and the converted combined value (v + (r1 ⊕ r2)) (block 370). For example, the converted first share may be added with each of the additional random numbers and the converted combined value may be subtracted from the result. For example, the processing logic may perform a summation operation based on the converted first share and the additional random numbers and a subtraction operation with the converted combined value: (x + (r1 ⊕ r2)) + s1 + s2 + v − (v + (r1 ⊕ r2)), (x + (r1 ⊕ r2 ⊕ a)) + s1 + s2 + v − (v + (r1 ⊕ r2 ⊕ a)), or (x + (r1 ⊕ r2 ⊕ a)) + μ + s1 + s2 + v − (v + (r1 ⊕ r2 ⊕ a)) − μ. Subsequently, cryptographic operations based on arithmetic operations may be performed. For example, the first share may correspond to a value that is equal to or represents x + s1 + s2, which is the result of combining the converted first share with the additional random numbers and the converted combined value; the second share may correspond to the value s1; and the third share may correspond to the value s2. In the alternative embodiment, the processing logic may further combine the converted first share with one of the additional random numbers (s1, s2) and with the converted combined value that is represented by (v − (r1 ⊕ r2)) or (v − (r1 ⊕ r2 ⊕ a)).
[0027] In some embodiments, the subtraction operation with the converted combined value may be replaced by a value based on the second additional random number that is summed with the result of an XOR operation between the second share and the third share (s2 + (r1 ⊕ r2)). For example, an operation corresponding to one of the following equations may be performed: (x + (r1 ⊕ r2)) + s1 + (s2 − (r1 ⊕ r2)), (x + (r1 ⊕ r2 ⊕ a)) + s1 + (s2 − (r1 ⊕ r2 ⊕ a)), or (x + (r1 ⊕ r2 ⊕ a)) + μ + s1 + (s2 − (r1 ⊕ r2 ⊕ a)) − μ. Thus, one or more additional random numbers (e.g., v) may not need to be generated. Each of the operations may result in a value that corresponds to x + s1 + s2, which may be used as the arithmetic first share.
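The conversion of blocks 310 through 370 and the variant of paragraph [0027], written out as a software example added here (not code from the patent). The page does not say how the inner step "(y ⊕ R) converted to (y + R)" is computed, so this example assumes a Goubin-style affine conversion for it; the 32-bit word width, the helper names and the sample values are this example's own.

```python
"""Three-share Boolean-to-arithmetic mask conversion following Fig. 3A.

Added example, not the patent's code.  Shares in: (x ^ r1 ^ r2, r1, r2).
Shares out: (x + s1 + s2, s1, s2), all arithmetic modulo 2**WORD_BITS.
The page does not state how "(y XOR R) -> (y + R)" is computed; a
Goubin-style conversion (assumption of this example) is used for that step.
"""
import secrets

WORD_BITS = 32
MASK = (1 << WORD_BITS) - 1


def _add(a, b):
    """Addition in Z/2^WORD_BITS, the arithmetic-masking domain."""
    return (a + b) & MASK


def _sub(a, b):
    """Subtraction in the same ring."""
    return (a - b) & MASK


def xor_to_add(c, r, gamma):
    """Return y + r given c = y ^ r and the mask r, without ever forming y.

    psi(a) = (c ^ a) + a is affine over GF(2): it is the bitwise complement
    of Goubin's (~c ^ a) - a.  Hence psi(r) = psi(gamma) ^ psi(gamma ^ r)
    ^ psi(0) with psi(0) = c.  gamma is a fresh random word.
    """
    t = _add(c ^ gamma, gamma)      # psi(gamma)
    t ^= c                          # psi(gamma) ^ psi(0)
    gamma ^= r
    a = _add(c ^ gamma, gamma)      # psi(gamma ^ r)
    return a ^ t                    # psi(r) = y + r


def boolean_to_arithmetic(x_prime, r1, r2, rng=secrets.randbits):
    """Blocks 310-370: (x ^ r1 ^ r2, r1, r2) -> (x + s1 + s2, s1, s2)."""
    r = r1 ^ r2
    # Block 320: converted first share x + (r1 ^ r2).
    conv_first = xor_to_add(x_prime, r, rng(WORD_BITS))
    # Blocks 330 and 340: fresh v, XORed with r1 and then with r2.
    v = rng(WORD_BITS)
    combined = (v ^ r1) ^ r2
    # Block 350: converted combined value v + (r1 ^ r2).
    conv_combined = xor_to_add(combined, r, rng(WORD_BITS))
    # Block 360: two new arithmetic masks.
    s1, s2 = rng(WORD_BITS), rng(WORD_BITS)
    # Block 370: (x + R) + s1 + s2 + v - (v + R) = x + s1 + s2.
    out = _add(_add(_add(conv_first, s1), s2), v)
    out = _sub(out, conv_combined)
    return out, s1, s2


def boolean_to_arithmetic_no_v(x_prime, r1, r2, rng=secrets.randbits):
    """Paragraph [0027] variant: (x + R) + s1 + (s2 - R); no v is generated."""
    r = r1 ^ r2
    conv_first = xor_to_add(x_prime, r, rng(WORD_BITS))
    s1, s2 = rng(WORD_BITS), rng(WORD_BITS)
    return _add(_add(conv_first, s1), _sub(s2, r)), s1, s2


def boolean_mask(x, r1, r2):
    """Build the three Boolean input shares of block 310 (test helper)."""
    return (x ^ r1 ^ r2) & MASK, r1, r2


def arithmetic_unmask(a, s1, s2):
    """Recombine the arithmetic shares; used only to check results."""
    return _sub(_sub(a, s1), s2)


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    x, r1, r2 = 0x12345678, 0xA5A5A5A5, 0x0F0F0F0F
    shares = boolean_mask(x, r1, r2)
    for conv in (boolean_to_arithmetic, boolean_to_arithmetic_no_v):
        a, s1, s2 = conv(*shares)
        assert arithmetic_unmask(a, s1, s2) == x
    print("both conversions recover x =", hex(x))
```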
[0028] As such, three or more shares may be received where a first share corresponds to a Boolean-based share and the other shares correspond to random numbers. Operations may be performed to convert the Boolean-based share to an arithmetic-based share. The operations may be performed in constant time (e.g., the time does not depend on the input length of the Boolean masked input value) and in fewer computation steps or operations. For example, the following table illustrates that the present disclosure operates in fewer low-level instructions (Add, Subtract, XOR, etc.) than typical Boolean-to-arithmetic conversion processes. The following table shows the number of low-level instructions required by the current state of the art compared to that required by this disclosure, based on different security orders (e.g., the number of masked shares that are used):
[0029] In some embodiments, the method 300 may be performed by the series of operations as illustrated with respect to Fig. 3B. For example, the series of operations may include 31 computational operations or steps to perform the method 300. In alternative embodiments of the Boolean-to-arithmetic conversion, the series of operations as illustrated with respect to Fig. 3C may be performed. The series of operations of Fig. 3C may correspond to an implementation based on an XOR sum performed at the end of the conversion process. The Boolean-to-arithmetic conversion process may also be based on more than three input share values. For example, four or more input share values may be used in the conversion process. The series of operations of Fig. 3D may correspond to an implementation using four input share values (e.g., a third-order Boolean-to-arithmetic mask conversion).
[0030] Fig. 4 is a hardware architecture 400 to convert a Boolean masked value to an arithmetically masked value. The architecture 400 may correspond to the masked value conversion component 111 of Fig. 1 or the masked value conversion component 200 of Fig. 2.
[0031] As shown in Fig. 4, the architecture 400 may include a first group of memory elements 410 (e.g., registers), a second group of memory elements 420, and a third group of memory elements 430. The first group of memory elements 410 may receive the first share, the second share, and the third share as previously described. For example, a first register of the first group of memory elements 410 may store x', which may represent the Boolean value (x ⊕ r_1 ⊕ r_2), where x is the unmasked input value, r_1 is a random number and the second share, and r_2 is another random number and the third share. Furthermore, as shown, the second register of the first group of memory elements 410 stores the second share r_1 and the third register of the first group of memory elements 410 stores the third share r_2. The second group of memory elements 420 may receive and store the various random numbers that are generated for use in converting the Boolean shares to the arithmetic shares. For example, the registers of the second group of memory elements 420 may store the random numbers used to convert the first share and the additional randomly generated numbers, as previously described.
[0032] The architecture 400 may include a series of exclusive-or (XOR) gates, adders, and subtractor components as illustrated in Fig. 4. The outputs of the architecture 400 may be stored at the third group of memory elements 430. For example, a combination of the values stored at registers of the first group 410 and the second group 420 may be used to generate the arithmetic share that is converted from the Boolean share. Thus, a first register of the third group of memory elements 430 may store the converted first share (e.g., the arithmetic share derived from x'), and a second and a third register of the third group of memory elements 430 may store the additional mask values (e.g., s_1 and s_2).
[0033] Thus, the first group of memory elements 410 may store the shares corresponding to the Boolean masked input, the second group of memory elements 420 may store the randomly generated numbers that are used in the conversion process, and the third group of memory elements 430 may store the shares corresponding to the arithmetically masked value.
[0034] Fig. 5A is an example implementation of a hardware architecture 500 to convert a Boolean masked value to an arithmetically masked value. The architecture 500 may correspond to the masked value conversion component 111 of Fig. 1 or the masked value conversion component 200 of Fig. 2.
[0035] As shown in Fig. 5A, the architecture 500 may include a first group of memory elements 510 and a second group of memory elements 520. The first group of memory elements 510 may store the first share, the second share, and the third share corresponding to a Boolean masked input value as previously described. Various functions corresponding to the functionality of the logic of architecture 400 may split or divide the process of converting the Boolean masked input value to an arithmetically masked input value. For example, each of the functions F_1, F_2, and F_3 may perform a portion of the conversion process or include a portion of the logic of the architecture 400. Furthermore, each of the functions F_1, F_2, and F_3 may receive a subset of the shares. For example, each of the functions may receive two of the three shares corresponding to the Boolean masked input value. Subsequently, the outputs of the functions may be combined and stored at the second group of memory elements 520, which stores the first share, second share, and third share of the arithmetically masked input value that has been converted from the Boolean masked input value. In alternative embodiments, the outputs of the functions may not be combined.
[0036] Fig. 5B is another hardware architecture 550 to convert a Boolean masked value to an arithmetically masked value. The architecture 550 may correspond to the masked value conversion component 111 of Fig. 1 or the masked value conversion component 200 of Fig. 2.
[0037] As shown in Fig. 5B, the architecture 550 may include a first group of memory elements 560, a second group of memory elements 570, and a third group of memory elements 580. The registers of the first group of memory elements 560 may receive and store the first share, the second share, and the third share corresponding to a Boolean masked input value that is to be converted to the arithmetically masked input value. A first set of functions F_11, F_12, F_13, and F_14 may perform a first portion of the conversion process, and the results of the first portion of the conversion process may be stored at the registers of the second group of memory elements 570. In some embodiments, the number of shares may be increased or expanded by using additional functions, as shown in Fig. 5B. For example, the Boolean masked input value of three shares may be expanded to four intermediate shares and stored at the second group of memory elements 570. Subsequently, a second set of functions F_21, F_22, and F_23 may perform a second portion of the conversion process, and the results of the second portion of the conversion process may be stored at the registers of the third group of memory elements 580. The second set of functions may receive the four intermediate shares and generate a smaller number of shares that correspond to the arithmetically masked input value. For example, four intermediate shares may be used by the three functions of the second set of functions to generate the three shares corresponding to the arithmetically masked input value. Although Fig. 5B illustrates two sets of functions, the architecture to convert the Boolean masked value to the arithmetically masked value may include any number of sets of functions.
[0038] Fig. 6 illustrates an example machine of a computer system 600 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment.
[0039] The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
[0040] The example computer system 600 includes a processing device 602, a main memory 604 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 606 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 618, which communicate with each other via a bus 630.
[0041] Processing device 602 represents one or more general-purpose processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processor implementing other instruction sets, or a processor implementing a combination of instruction sets. Processing device 602 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), a network processor, or the like. The processing device 602 is configured to execute instructions 626 for performing the operations and steps discussed herein.
[0042] The computer system 600 may further include a network interface device 608 to communicate over the network 620. The computer system 600 also may include a video display unit 610 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 612 (e.g., a keyboard), a cursor control device 614 (e.g., a mouse), a graphics processing unit 622, a signal generation device 616 (e.g., a speaker), a video processing unit 628, and an audio processing unit 632.
[0043] The data storage device 618 may include a machine-readable storage medium 624 (also known as a computer-readable medium) on which is stored one or more sets of instructions or software 626 embodying any one or more of the methodologies or functions described herein. The instructions 626 may also reside, completely or at least partially, within the main memory 604 and/or within the processing device 602 during execution thereof by the computer system 600, the main memory 604 and the processing device 602 also constituting machine-readable storage media.
[0044] In one implementation, the instructions 626 include instructions to implement functionality corresponding to a masked value conversion component (e.g., masked value conversion component 111 of Fig. 1 or masked value conversion component 200 of Fig. 2). While the machine-readable storage medium 624 is shown in an example implementation to be a single medium, the term "machine-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term "machine-readable storage medium" shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure. The term "machine-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
[0045] Some portions of the preceding detailed descriptions have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
[0046] It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as "identifying" or "determining" or "executing" or "performing" or "collecting" or "creating" or "sending" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.
[0047] The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
[0048] The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the method. The structure for a variety of these systems will appear as set forth in the description below. In addition, the present disclosure is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the disclosure as described herein.
[0049] The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as a read only memory ("ROM"), random access memory ("RAM"), magnetic disk storage media, optical storage media, flash memory devices, etc.
[0050] In the foregoing specification, implementations of the disclosure have been described with reference to specific example implementations thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of implementations of the disclosure as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.
Claims
1. A system comprising:
a first set of registers to store a first input share value, a second input share value, and a third input share value, the first input share value representing a Boolean combination between an input value, the second input share value, and the third input share value;
a second set of registers to store a first output share value, a second output share value, and a third output share value, the first output share value representing an arithmetic combination between the input value, the second output share value, and the third output share value;
a cryptographic component to perform a cryptographic operation based on a Boolean operation and an arithmetic operation; and
a processing device, operatively coupled with the first set of registers and the second set of registers, to:
receive an indication that the cryptographic operation being performed by the cryptographic component has switched from using the Boolean operation to using the arithmetic operation;
in response to the indication, receive the first, second, and third input share values from the first set of registers;
convert the first input share value to a summation or a subtraction between the input value and a combination of the second input share value and the third input share value;
generate a random number value;
combine the random number value with the second input share value and the third input share value to generate a combined value;
generate additional random number values; and
generate the first output share value based on a combination of the converted first input share value, the combined value, and the additional random number values.
2. The system of claim 1, wherein a first random number of the additional random number values corresponds to the second output share value and a second random number of the additional random number values corresponds to the third output share value, and wherein the first output share value represents a summation or a subtraction between the input value, the first random number, and the second random number.
3. The system of claim 1, wherein the processing device is further to:
receive at least one additional input share value, the generating of the first output share value being further based on the at least one additional input share value.
4. The system of claim 1, wherein to combine the random number value with the second input share value and the third input share value to generate the combined value, the processing device is further to:
at a first time, perform an XOR operation between the random number value and the second input share value to generate an intermediate value;
at a second time after the first time, perform the XOR operation between the intermediate value and the third input share value to generate a second intermediate value; and
convert the second intermediate value to the combined value.
5. The system of claim 1, wherein the second output share value and the third output share value are the same as the second input share value and the third input share value.
6. The system of claim 1, wherein the second output share value and the third output share value are each different than the second input share value and the third input share value.
7. The system of claim 1, wherein to generate the first output share value, the processing device is further to:
perform a summation or a subtraction between the converted first input share value and the additional random number values; and
perform a subtraction operation between a result of the summation or the subtraction and the combined value.
8. A method comprising:
performing a cryptographic operation with a Boolean operation;
receiving an indication that the cryptographic operation has switched from using the Boolean operation to an arithmetic operation;
in response to receiving the indication, receiving a first input share value, a second input share value, and a third input share value;
converting the first input share value to a summation or a subtraction between an input value and a combination of the second input share value and the third input share value;
generating a random number value;
combining the random number value with the second input share value and the third input share value to generate a combined value;
generating, by a processing device, a first output share value based on a combination of the converted first input share value, the combined value, and additional random number values; and
performing the cryptographic operation with the arithmetic operation by using the first output share.
9. The method of claim 8, wherein combining the random number value with the second input share value and the third input share value to generate the combined value comprises:
at a first time, performing an XOR operation between the random number value and the second input share value to generate an intermediate value;
at a second time after the first time, performing the XOR operation between the intermediate value, the third input share value, and another random number value to generate a second intermediate value; and
converting the second intermediate value to the combined value.
10. The method of claim 8, further comprising:
receiving at least one additional input share value, the generating of the output share value being further based on the at least one additional input share value.
11. The method of claim 8, wherein combining the random number value with the second input share value and the third input share value to generate the combined value comprises:
at a first time, performing an XOR operation between the random number value and the second input share value to generate an intermediate value;
at a second time after the first time, performing the XOR operation between the intermediate value and the third input share value to generate a second intermediate value; and
converting the second intermediate value to the combined value.
12. The method of claim 8, wherein a second output share value and a third output share value associated with the first output share value are the same as the second input share value and the third input share value.
13. The method of claim 8, wherein a second output share value and a third output share value associated with the first output share value are each different than the second input share value and the third input share value.
14. The method of claim 8, wherein generating the first output share value comprises:
performing a summation or a subtraction between the converted first input share value and the additional random number values; and
performing a subtraction operation between a result of the summation or the subtraction and the combined value.
15. A non-transitory computer readable medium including data that, when accessed by a processing device, cause the processing device to perform operations comprising:
performing a cryptographic operation with a Boolean operation;
receiving an indication that the cryptographic operation has switched from using the Boolean operation to an arithmetic operation;
in response to receiving the indication, receiving a first input share value, a second input share value, and a third input share value;
converting the first input share value to a summation or a subtraction between an input value and a combination of the second input share value and the third input share value;
generating a random number value;
combining the random number value with the second input share value and the third input share value to generate a combined value;
generating a first output share value based on a combination of the converted first share value, the combined value, and additional random number values; and
performing the cryptographic operation with the arithmetic operation by using the first output share.
16. The non-transitory computer readable medium of claim 15, wherein to combine the random number value with the second input share value and the third input share value to generate the combined value, the operations further comprise:
at a first time, perform an XOR operation between the random number value and the second input share value to generate an intermediate value;
at a second time after the first time, perform the XOR operation between the intermediate value, the third input share value, and another random number value to generate a second intermediate value; and
convert the second intermediate value to the combined value.
17. The non-transitory computer readable medium of claim 15, the operations further comprising:
receiving at least one additional input share value, the generating of the output share value being further based on the at least one additional input share value.
18. The non-transitory computer readable medium of claim 15, wherein to combine the random number value with the second input share value and the third input share value to generate the combined value, the operations further comprise:
at a first time, perform an XOR operation between the random number value and the second input share value to generate an intermediate value;
at a second time after the first time, perform the XOR operation between the intermediate value and the third input share value to generate a second intermediate value; and
convert the second intermediate value to the combined value.
19. The non-transitory computer readable medium of claim 15, wherein to generate the first output share value, the operations further comprise:
performing a summation or a subtraction between the converted first input share value and the additional random number values; and
performing a subtraction operation between a result of the summation or the subtraction and the combined value.
20. The non-transitory computer readable medium of claim 15, wherein a second output share value and a third output share value associated with the first output share value are the same as the second input share value and the third input share value.
21. The system of claim 1, wherein the processing device is further to:
receive another random number value, wherein the converting of the first input share value is further based on an addition or subtraction of the another random number value.
22. The method of claim 8, further comprising:
receiving another random number value, wherein the converting of the first input share value is further based on an addition or subtraction of the another random number value.
23. The non-transitory computer readable medium of claim 15, wherein the operations further comprise:
receiving another random number value, wherein the converting of the first input share value is further based on an addition or subtraction of the another random number value.
Priority Applications (4)
Application Number  Priority Date  Filing Date  Title
CN201780009651.9A CN108604987B (en)  2016-03-03  2017-03-03  Converting Boolean mask values to arithmetic mask values for cryptographic operations
EP17760902.1A EP3424175B1 (en)  2016-03-03  2017-03-03  Converting a boolean masked value to an arithmetically masked value for cryptographic operations
US16/080,147 US10871947B2 (en)  2016-03-03  2017-03-03  Converting a boolean masked value to an arithmetically masked value for cryptographic operations
US17/124,374 US11620109B2 (en)  2016-03-03  2020-12-16  Converting a boolean masked value to an arithmetically masked value for cryptographic operations
Applications Claiming Priority (6)
Application Number  Priority Date  Filing Date  Title
US201662303270P  2016-03-03  2016-03-03
US62/303,270  2016-03-03
US201662385773P  2016-09-09  2016-09-09
US62/385,773  2016-09-09
US201662438254P  2016-12-22  2016-12-22
US62/438,254  2016-12-22
Related Child Applications (2)
Application Number  Title  Priority Date  Filing Date
US16/080,147 A371OfInternational US10871947B2 (en)  2016-03-03  2017-03-03  Converting a boolean masked value to an arithmetically masked value for cryptographic operations
US17/124,374 Continuation US11620109B2 (en)  2016-03-03  2020-12-16  Converting a boolean masked value to an arithmetically masked value for cryptographic operations
Publications (1)
Publication Number  Publication Date
WO2017152056A1 (en)  2017-09-08
Family
ID=59743249
Family Applications (1)
Application Number  Title  Priority Date  Filing Date
PCT/US2017/020670 WO2017152056A1 (en)  2016-03-03  2017-03-03  Converting a boolean masked value to an arithmetically masked value for cryptographic operations
Country Status (4)
Country  Link
US (2)  US10871947B2 (en)
EP (1)  EP3424175B1 (en)
CN (1)  CN108604987B (en)
WO (1)  WO2017152056A1 (en)
Cited By (1)
Publication number  Priority date  Publication date  Assignee  Title
US11386239B2 (en) *  2017-03-06  2022-07-12  Giesecke+Devrient Mobile Security Gmbh  Transition from a Boolean masking to an arithmetic masking
Families Citing this family (15)
Publication number  Priority date  Publication date  Assignee  Title
EP3424175B1 (en) *  2016-03-03  2024-02-21  Cryptography Research, Inc.  Converting a boolean masked value to an arithmetically masked value for cryptographic operations
DE102018107114A1 (en) *  2018-03-26  2019-09-26  Infineon Technologies Ag  Side channel hardened operation
EP3557813A1 (en) *  2018-04-17  2019-10-23  Gemalto Sa  Method secured against side-channel attacks performing an arithmetic operation of a cryptographic algorithm mixing boolean and arithmetic operations
WO2020092257A1 (en) *  2018-10-29  2020-05-07  Cryptography Research, Inc.  Constant time secure arithmetic-to-boolean mask conversion
EP3935543A4 (en) *  2019-03-05  2022-05-11  Cryptography Research, Inc.  Side-channel-attack-resistant memory access on embedded central processing units
CN110750233B (en) *  2019-09-19  2021-06-22  太原理工大学  Random number generator based on logic gate asymmetric autonomous Boolean network
US11507699B2 (en) *  2019-09-27  2022-11-22  Intel Corporation  Processor with private pipeline
FR3101983B1 (en)  2019-10-11  2021-11-12  St Microelectronics Grenoble 2  Determining an indicator bit
FR3101980B1 (en) *  2019-10-11  2021-12-10  St Microelectronics Grenoble 2  Processor
FR3101982B1 (en)  2019-10-11  2024-03-08  St Microelectronics Grenoble 2  Determining an indicator bit
US11431688B2 (en)  2019-12-13  2022-08-30  TripleBlind, Inc.  Systems and methods for providing a modified loss function in federated-split learning
US11363002B2 (en)  2019-12-13  2022-06-14  TripleBlind, Inc.  Systems and methods for providing a marketplace where data and algorithms can be chosen and interact via encryption
US11599671B1 (en) *  2019-12-13  2023-03-07  TripleBlind, Inc.  Systems and methods for finding a value in a combined list of private values
US11792646B2 (en)  2021-07-27  2023-10-17  TripleBlind, Inc.  Systems and methods for providing a multi-party computation system for neural networks
TWI778902B (en) *  2021-12-30  2022-09-21  新唐科技股份有限公司  Addition mask generator, encryptor and method for generating stream key
Citations (7)
Publication number  Priority date  Publication date  Assignee  Title
US20010002486A1 (en) *  1998-01-02  2001-05-31  Cryptography Research, Inc.  Leak-resistant cryptographic method and apparatus
US20040139136A1 (en) *  2001-02-15  2004-07-15  Louis Goubin  Method for securing a computer installation involving a cryptographic algorithm using boolean operations and arithmetic operations and the corresponding embedded system
US20050147243A1 (en) *  2004-01-07  2005-07-07  Samsung Electronics Co., Ltd.  Cryptographic apparatus, cryptographic method, and storage medium thereof
US20090158054A1 (en) *  2007-12-13  2009-06-18  Massachusetts Institute Of Technology  Private data processing
US20100235417A1 (en) *  2009-03-13  2010-09-16  Samsung Electronics Co., Ltd.  Circuit and method converting boolean and arithmetic masks
US20150169904A1 (en) *  2013-12-12  2015-06-18  Cryptography Research, Inc.  Gate-level masking
US20150180652A1 (en) *  2013-12-20  2015-06-25  Cryptography Research, Inc.  Modular exponentiation optimization for cryptographic systems
Family Cites Families (5)
Publication number  Priority date  Publication date  Assignee  Title 

EP1860630B1 (en) *  20050316  20181226  Mitsubishi Electric Corporation  Data converting apparatus and data converting method 
KR101026439B1 (en) *  20090720  20110407  한국전자통신연구원  The Masking Method for Protecting Power Analysis Attacks in SEED 
CN104852795B (en) *  20150505  20180330  国家密码管理局商用密码检测中心  Mask protection method for the ZUC stream cipher algorithm whose round output is a Boolean mask 
CN104967509B (en) *  20150505  20180518  国家密码管理局商用密码检测中心  Mask protection method for the ZUC stream cipher algorithm whose round output is an arithmetic mask 
EP3424175B1 (en) *  20160303  20240221  Cryptography Research, Inc.  Converting a boolean masked value to an arithmetically masked value for cryptographic operations 

2017
 20170303 EP EP17760902.1A patent/EP3424175B1/en active Active
 20170303 US US16/080,147 patent/US10871947B2/en active Active
 20170303 CN CN201780009651.9A patent/CN108604987B/en active Active
 20170303 WO PCT/US2017/020670 patent/WO2017152056A1/en active Application Filing

2020
 20201216 US US17/124,374 patent/US11620109B2/en active Active
Non-Patent Citations (1)
Title 

See also references of EP3424175A4 * 
Cited By (1)
Publication number  Priority date  Publication date  Assignee  Title 

US11386239B2 (en) *  20170306  20220712  Giesecke+Devrient Mobile Security Gmbh  Transition from a Boolean masking to an arithmetic masking 
Also Published As
Publication number  Publication date 

EP3424175B1 (en)  20240221 
US11620109B2 (en)  20230404 
CN108604987A (en)  20180928 
US20190050204A1 (en)  20190214 
CN108604987B (en)  20220329 
US20210173618A1 (en)  20210610 
EP3424175A1 (en)  20190109 
EP3424175A4 (en)  20191016 
US10871947B2 (en)  20201222 
Similar Documents
Publication  Publication Date  Title 

US11620109B2 (en)  Converting a boolean masked value to an arithmetically masked value for cryptographic operations  
US11251935B2 (en)  Multiplicative blinding for cryptographic operations  
US11822704B2 (en)  Constant time secure arithmetic-to-Boolean mask conversion  
Li et al.  Breaking a novel image encryption scheme based on improved hyperchaotic sequences  
US20230379133A1 (en)  Multiplicative masking for cryptographic operations  
US8615084B2 (en)  Extending a secret bit string to safeguard the secret  
EP3202079B1 (en)  Exponent splitting for cryptographic operations  
US11863657B2 (en)  Using cryptographic blinding for efficient use of montgomery multiplication  
US11902432B2 (en)  System and method to optimize generation of coprime numbers in cryptographic applications  
US11418334B2 (en)  Protecting modular inversion operation from external monitoring attacks  
US11101981B2 (en)  Generating a pseudorandom number based on a portion of shares used in a cryptographic operation  
Sadkhan et al.  A proposed ANFIS evaluator for RSA cryptosystem used in cloud networking  
Nayak et al.  Video Encryption Using Optimization Lightweight Algorithm for Secure Internet of Things 
Legal Events
Date  Code  Title  Description 

NENP  Non-entry into the national phase 
Ref country code: DE 

WWE  Wipo information: entry into national phase 
Ref document number: 2017760902 Country of ref document: EP 

ENP  Entry into the national phase 
Ref document number: 2017760902 Country of ref document: EP Effective date: 20181004 

121  Ep: the epo has been informed by wipo that ep was designated in this application 
Ref document number: 17760902 Country of ref document: EP Kind code of ref document: A1 