• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    The invention relates to a method for checking the sensitivity of an electronic circuit (6) executing a Rijndael-type algorithm to non-hidden channel attacks, in which: each block of data to be encrypted or decrypted is masked by a first mask (m) before applying a block substitution nonlinear operation from a substitution table, and is then unmasked by a second mask after substitution; the substitution table is recalculated, block by block, before application of the non-linear operation, the processing order of the blocks of the substitution table being subjected to a random permutation; and a hidden channel attack is performed on the steps of block-by-block recalculation of the substitution table.
    公开号:FR3040515A1
    申请号:FR1558117
    申请日:2015-09-02
    公开日:2017-03-03
    发明作者:Nicolas Bruneau
    申请人:STMicroelectronics Rousset SAS;
    IPC主号:
    专利说明:

    CHECKING THE RESISTANCE OF AN ELECTRONIC CIRCUIT TO
    HIDDEN CANAL ATTACKS
    Field
    The present description generally relates to electronic circuits and, more particularly, to circuits executing encryption algorithms known under the name Rijndael which implement the same transformation on different parts of data to be encrypted. The present description relates more particularly to the protection of a calculation executed by such an algorithm against attacks by differential consumption analysis (DPA).
    Presentation of the prior art
    In many applications, electronic circuits implement encryption algorithms, verification, signature, and more generally algorithms manipulating data, said secret, that is to say, we want to reserve access to certain users or circuits. Among the Rijndael algorithms, the LES algorithm, often referred to as the Advanced Encryption Standard, FI PS PUB 197, deals with 128-bit fixed data blocks and is a widely used encryption algorithm. The present description takes this algorithm as an example. The AES applies, to a word or message cut into blocks, the same transformation several times in succession from different sub-keys from the same key.
    Many methods, called attacks, exist to try to discover or hack the secret data. Among these attacks, so-called hidden channel attacks (Side Channel Attacks) consist in analyzing the influence of the calculation executed by the electronic circuit on parameters such as its consumption, its electromagnetic radiation, etc. A hidden channel attack, particularly widespread and which will be taken as an example in the remainder of this description, is the attack known under the name DPA (Differential Power Analysis). Such an attack consists in correlating the consumption of the integrated circuit executing the algorithm with calculation results involving the secret keys used during encryption or decryption. In practice, from a message to be encrypted and assumptions on the secret key, a statistical correlation curve is established as a function of time between the consumption of the circuit for the encryption of the message and an intermediate value calculated by the circuit. Such attacks by consumption analysis are widely described in the literature (see for example the article "Differential Power Analysis" by Paul Rocher, Joshua Jaffe and Benjamin Jun, published in 1999, conference CRYPTO 99, pages 388 to 397, published by Springer-Verlag LNCS 1666).
    There is a need to improve the protection of data manipulated by Rijndael type algorithms and more particularly by an AES against hidden channel attacks.
    There is also a need to check the sensitivity of an electronic circuit to hidden channel attacks. summary
    One embodiment overcomes all or part of the disadvantages of the usual methods and circuits for protecting against hidden channel attacks.
    One embodiment proposes a solution that is particularly suitable for an AES type algorithm.
    One embodiment proposes a method for calculating an AES algorithm that overcomes all or part of the disadvantages of the usual methods.
    An embodiment provides a method of verifying the sensitivity of an electronic circuit executing an AES algorithm to a hidden channel attack.
    Thus, an embodiment provides a method for verifying the sensitivity of an electronic circuit executing a Rijndael type algorithm to non hidden channel attacks, in which: each block of data to be encrypted or decrypted is masked by a first mask before applying a block substitution non-linear operation from a substitution table, and is then unmasked by a second mask after substitution; the substitution table is recalculated, block by block, before application of the non-linear operation, the processing order of the blocks of the substitution table being subjected to a random permutation; and a hidden channel attack is performed on the steps of block-by-block recalculation of the substitution table.
    According to one embodiment, the attack is a differential analysis of the consumption of at least the second order.
    According to one embodiment, the circuit is considered sensitive to the attack if the latter makes it possible to directly or indirectly determine the value of at least one of the masks.
    According to one embodiment, the recalculation of the substitution table involves the second mask as well as third and fourth masks, the sum of the third and fourth masks being equal to the first mask.
    According to one embodiment: successively for each block of the first table: the rank of the current block is subjected to said permutation and the result is combined with the third mask; the current block of a second table is replaced by the combination of the second mask with the block of the first table identified by the result of the permutation; and successively, for each block of the second table: the rank of the current block is subjected to said permutation and the result is combined with the fourth mask; the current block of the first table is replaced by the block of the second table identified by the result of the permutation.
    According to one embodiment, the method comprises the following steps: successively for each block of the first table: in a first step, apply the permutation to the rank of the current block, combine the result with the first mask and store the result in a first variable ; in a second step, storing in a second variable the result of the combination of the second mask with the block of the first table having for rank the result of the permutation applied to the rank of the current block; and storing the result of the second step in a block, identified by the result of the first step, of a second table; successively for each block of the second table: in a third step, apply the permutation to the rank of the current block, combine the result with the second mask and store the result in the first variable; in a fourth step, storing in the second variable the block of the second table having for rank the result of the permutation applied to the current rank; and storing the result of the fourth step in a block, identified by the result of the third step, of the first table.
    According to one embodiment: the blocks of the first table are copied into a second table; successively, for each block of the second table: the rank of the current block is subjected to said permutation and the result is combined with the third mask; the current block of the first table is replaced by the combination of the second mask with the block of the second table identified by the result of the permutation; and successively, for each block of the first table: the rank of the current block is subjected to said permutation and the result is combined with the fourth mask; the current block of the second table is replaced by the block of the first table identified by the result of the permutation.
    According to one embodiment, the method comprises the following steps: the blocks of the first table are copied into a second table; successively for each block of the second table: in a first step, apply the permutation to the rank of the current block, combine the result with the first mask and store the result in a first variable; in a second step, storing in a second variable the result of the combination of the second mask block of the second table having for rank the result of the permutation applied to the rank of the current block; and storing the result of the second step in a block of the first table, identified by the result of the first step; successively for each block of the first table: in a third step, apply the permutation to the rank of the current block, combine the result with the second mask and store the result in the first variable; in a fourth step, storing in the second variable the block of the first table having for rank the result of the permutation applied to the current rank; and storing the result of the fourth step in a block, identified by the result of the third step, of the second table.
    According to one embodiment, the random permutation is commutative with the nonlinear substitution operation.
    According to one embodiment: successively, for each block of the substitution table: in a first step, the rank of the block is subjected to said permutation and is combined with the first mask; in a second step, the block is subjected to the permutation and the result is combined with the second mask; and the block, identified by the result of the first step, is substituted by the result of the second step.
    According to one embodiment, the method comprises the following steps: successively for each block of the substitution table: in a first step, apply the permutation to the rank of the current block, combine the result with the first mask and store the result in a first variable; in a second step, apply the permutation to the current block, combine the result with the second mask and store the result in a second variable; and replace the block of the substitution table having for ranking the result of the first step by the result of the second step.
    According to one embodiment, the masks are random numbers.
    According to one embodiment, the masks are all the same size as a block.
    According to one embodiment, the combinations are of the exclusive-OR type.
    According to one embodiment, the method is applied to the AES.
    One embodiment provides an electronic circuit adapted to, configured for, or programmed to implement the method.
    Brief description of the drawings
    These and other features and advantages will be set forth in detail in the following description of particular embodiments made without implied limitation in relation to the appended figures in which: FIG. 1 illustrates, by a simplified flowchart, the steps main features of an AES algorithm; FIG. 2 schematically shows, in block form, an example of masking of a substitution table of a block cipher; FIG. 3 schematically shows, in block form, an example of masking a substitution table that is recalculated with a random order; FIG. 4 schematically shows in the form of blocks an embodiment of a method for protecting the execution of an AES algorithm; FIG. 5 schematically shows in block form another embodiment of a method for protecting the execution of an AES algorithm; FIG. 6 schematically shows, in block form, yet another embodiment of a method for protecting the execution of an AES algorithm; and FIG. 7 represents an example of an electronic circuit adapted to the implementation of the methods described. detailed description
    The same elements have been designated with the same references in the various figures. In particular, the structural and / or functional elements common to the different embodiments may have the same references and may have identical structural, dimensional and material properties. For the sake of clarity, only the elements useful for understanding the described embodiments have been shown and will be detailed. In particular, the applications of the ciphers / decryptions executed or those of the electronic circuits executing them have not been detailed, the described embodiments being compatible with the usual applications.
    The embodiments will be described later in connection with an example of application to the AES. However, all that is described later applies more generally to any block algorithm involving a non-linear substitution operation, such as Rijndael-type algorithms. The AES is generally executed by integrated circuits, either by means of wired logic state machines or by means of microprocessors executing a program in memory (generally a read-only memory). The algorithm uses secret keys specific to the integrated circuit or to the user, which are exploited to encrypt the data. More specifically, the AES applies, to a word or data code divided into blocks, the same transformation several times in succession from different encryption sub-keys (parts of a binary word constituting a key). AES is often used in electronic devices like microcircuit card, decoder, mobile phone, etc.
    FIG. 1 illustrates, by a simplified flowchart, the main steps of an AES type algorithm. We will content ourselves with describing the encryption, the deciphering taking up the inverse transformations. For more details, please refer to the book "The Design of Rijndael" by Joan Daemen and Vincent Rijmen, published by Springer-Verlag (ISBN 3-540-42580-2) and AES (FIPS PUB). 197).
    This algorithm encodes a word or code TO of a determined number of bits into another word or code Tn of the same size. The data (message) to be processed is actually cut into several words or codes all of the same size (128 bits for the AES). Encryption and decryption rely on a secret key whose length (128, 192 or 256 bits for the AES) determines the security of the encryption.
    In practice, each step of the AES processes a matrix of four lines and four columns, representing a word, and each element of which is a byte or block of the processed 128-bit code. To simplify the description which follows, reference will be made, for each step, to a state considered to be a matrix. For example, an AES algorithm is applied to 32-bit words divided into bytes, which is the most common case.
    We start by producing, from the secret key on 128, 192 or 256 bits, respectively 11, 13 or 15 subkeys each also comprising 128 bits. These subkeys are intended to be used by the algorithm described in relation with FIG.
    Starting from an initial state TO (block 10, STATE INIT) of the code or data word to be encrypted.
    A first phase of the AES is an operation (block 11, ADDROUNDKEY) which consists of performing an XOR-type combination, noted + in the figures, of the initial state TO with the first sub-key KO. A first intermediate state T1 is obtained. In practice, the operations are performed byte by byte.
    A second phase consists in performing several turns or cycles of the same transformation M involving, at each turn i, the state Ti-1 obtained in the previous turn and a current sub-key Ki. The number of transformation turns M corresponds to n-1, that is to say the number n + 1 of derived subkeys, minus 2. Each turn transformation M consists of four operations successively applied.
    A first operation (block 12, SHIFTROWS) is to rotate the last three rows of the matrix.
    Typically, the first row of the matrix remains unchanged. The second row is rotated by one byte, the third row is rotated by two bytes, and the fourth row is rotated by three bytes.
    A second operation (block 13, SUBBYTES) of turn transformation M constitutes a nonlinear transformation in which each byte of the matrix constituting the current state is replaced by its image, taken in a substitution table, generally called SBOX. This substitution table can be obtained by two combined transformations. A first transformation consists of inverting the byte considered
    O (the element of the matrix) in the finite field of order 2 (to correspond to the byte), the byte 00 constituting its own image. This inversion is followed by an affine transformation.
    A third operation (block 14, MIXCOLUMNS) of the turn transformation M consists in considering each column of the matrix resulting from the preceding step as a polynomial on the
    O finite field of order 2, and to multiply each of these polynomials by a polynomial of combination modulo another polynomial.
    A fourth and last operation (block 15, ADDROUNDKEY) of turn transformation M of rank i consists in applying the subkey Ki to the resulting matrix of the preceding state to obtain a matrix in which each byte of the resulting matrix of the previous state has been combined by an exclusive O-bit, bit by bit, with a byte k, or Ki (j, 1), of the subkey Ki, j representing the rank between 0 and 3 of the line in the matrix and 1 representing the rank between 0 and 3 of the column in the matrix. This operation is the same as the operation 11 of the first phase of the encryption, but performed with a different subkey. At the end of the operation 15, for a turn of rank i, a state Ti = M (Ki, Ti-1) is obtained. The four operations of the turn transformation are repeated n-1 times, i.e. after step 15, operation 12 is returned to perform a turn with a next subkey.
    The third phase of the AES consists of a last round comprising the operations 12, 13 and 15 of the turn transformation M except for the third (MIXCOLUMNS) with, as key for the operation 15, the last sub-step. Kn-1 key.
    We then obtain the state Τη = M '(Kn, Tn-1). This result is, if necessary, formatted (block 16, RESULT FORM) for later use. The order of operations 12, 13, 14, and 15 in turn transformation T may vary. In particular, the introduction of the subkey (step 15) can take place before the substitution operation 13.
    Various countermeasures have already been proposed to reduce the sensitivity of AES type algorithmic processing to hidden channel attacks and in particular to attacks by analyzing the current consumption of the circuit executing the algorithm. Generally, these countermeasures mask the calculations by introducing random numbers at certain stages considered sensitive. In particular, the substitution table is considered an attack-sensitive step due to the non-linear nature of the operation it performs. A surrogate table typically represents a 256-byte array that needs to be precalculated and then read into a storage memory 16 times each turn of the AES algorithm. In some cases, a table is stored with the results of the substitution table (also called SBOX) and the column transformation MIXCOLUMNS, the stored table and the results of the two transformations being applied to one byte of each state.
    To hide a substitution table, we recalculate a hidden substitution table that is involved in the turn transformation. To hide a table of substitution imposes to take into account, for its computation, of the mask which will be used for the unmasking of the quantified result.
    Figure 2 schematically shows in block form an example of masking a substitution table of a block cipher.
    In the example of FIG. 2, it is assumed that the substitution (step 13, FIG. 1) is performed after step 15 in which the turn key intervenes. Moreover, it is considered that step 14 (MIXCOLUMNS) is integrated in the substitution operation, that is to say that the substitution table performs both operations 13 and 14. For simplicity, it does not take into account of operation 12 (SHIFTROWS).
    We start (block 20, m = random), (block 21, m '= random), by defining two masks (random numbers) m and m', respectively masking and unmasking. The numbers m and m 'represent bytes.
    Then, successively for each byte S [co] of rank co of the substitution table S, we combine (block 22, z = co + m) by an exclusive OR (that we note by an operation + of addition bitwise) the rank co of the byte to the mask m by placing the result in a temporary variable z. We then combine (block 23, z '= S [co] + m') the byte S [co] with the mask m 'by placing the result in a temporary variable z'. Then (block 24, S '[z] = z'), the value contained in this variable z 'is assigned to the byte S' [z] of rank z of the hidden substitution table S '.
    For example, a counter co is initialized to 0 (block 27, co = 0) and is incremented by 1 (block 28, co = co + 1) at each processing of a byte of the table S as all the bytes n have not been processed (output N of block 29, co = nl ).
    Once the n bytes S [co] of the substitution table S have been processed (output Y of block 29), the masked substitution table S 'is used to process the byte byte message (block by block).
    Thus, each byte t of the message is combined (block 31, t = t + m) by an exclusive-OR to the mask m by placing the result in the variable t (by overwriting the byte t), then is combined (block 32 , t = t + k) by an exclusive-OR to a byte k of the sub-key by overwriting the byte t in the variable t, then is substituted (block 33, S '[t]) by its image S' [t] in the masked substitution table S '. The variable t containing this image S '[t] is then unmasked (block 34, t = t + m') by combining it with an exclusive-OR to the mask m '. We then return the contents of the variable t.
    Steps 31 to 35 are reproduced for all the bytes t of the message.
    The calculation illustrated in FIG. 2 can also be written in the following way: m <- random (block 20) m '<- random (block 21)
    For co = 0 to n-1 (block 27, output N of block 29, block 28): z <- ω + m (block 22) z '<- S [co] + m' (block 23) S '[ z] = z1 (block 24)
    End of loop (Y output of block 29) t <- t + m (block 31) t <- t + k (block 32) t <- S '[t] (block 33) t <- t + m' ( block 34)
    Return t (block 35).
    Second-order or higher-order DPA attacks have made AES algorithms even more vulnerable, even when using a random mask. Second-order DPA attacks consist in isolating, in the same current trace, the signature of the mask and that of the data (in the example of the AES, the table) masked. By combining the signatures and, in the case of the AES by replaying the attack several times, it is possible to discover directly or indirectly the mask (the random number).
    To improve the protection of a substitution table against this type of attack, it has recently been proposed to mix the order in which the substitution table S is recalculated to obtain the masked table S '.
    For example, a random permutation φ is used which is used to define the order in which the S [co] bytes of the substitution table are masked by the numbers m and m '.
    Figure 3 schematically shows in block form an example of masking a substitution table recalculated with a random order.
    With respect to the solution described in relation with FIG. 2, this amounts to selecting (block 25, (p = random permutation) a random permutation φ applicable in the set of n ranks co, and to replacing, in steps 22 and 23, taking into account the rank of the octets of the substitution table by taking into account the result φ (ω) of the application of the permutation function φ to the rank co (block 22 ', z = cp (co) ) + m and block 23 ', z' = S [φ (co)] + m ') This amounts to modifying the order in which the bytes of the substitution table are recalculated and thus masked. relationship with Figure 2 are not modified.
    The calculation illustrated in FIG. 3 can also be written in the following way: m <- random (block 20) m '<- random (block 21) φ <- random permutation (block 25)
    For co = 0 to n-1 (block 27, output N of block 29, block 28): z <- cp (co) + m (block 22 ') z' <- S [cp (co)] + m ' (block 23 ') S' [z] = z '(block 24)
    End of loop (Y output of block 29) t <- t + m (block 31) t <- t + k (block 32) t <- S '[t] (block 33) t <- t + m' ( block 34)
    Return t (block 35). The inventor, however, saw a weakness making this countermeasure vulnerable to a DPA attack of a higher order.
    This weakness comes from hiding the substitution table itself. Indeed, the fact that the random permutation φ is unknown brings the advantage that the value of the rank ω in the loop (blocks 22 ', 23', 24) remains unknown to a possible attacker. However, twice in each loop, (steps 22 'and 23'), the rank ω is manipulated. Therefore, it is possible for an attacker to exploit the security "leak" related to the two manipulations at each loop of the current rank ω. In particular, the consequence of step 23 'is that the function φ is present on the entire substitution table, in practice 256 times, which represents as many leaks. By combining the results of steps 22 'and 23', the contribution of the function φ is eliminated. An attack on step 32, although more complicated than in FIG. 2, becomes effective again.
    In fact, the embodiment of FIG. 3 solves the problem of second-order attacks on the value of the mask m. However, a third-order attack makes it possible to pierce the secret from the moment when the attacker is able to identify, in the current trace, the stages 22 'and 23', thus the vanishing points.
    According to a first aspect, it is desired to evaluate the resistance of an electronic circuit to an attack as described above. For that, the attack is executed and one detects if it is or not effective.
    According to second and third aspects, it is desired to improve the resistance of a Rijndael type block cipher algorithm against concealed channel attacks.
    It is then expected to ensure that the operation of step 22 '(Figure 3) does not appear in the recalculation of the table.
    According to the second aspect, provision is made to divide the random number m into two and to mask the substitution table in two steps.
    Figure 4 schematically shows in block form an embodiment according to this second aspect.
    We start (block 41, ml = random), (block 42, m2 = random, m = ml + m2), by defining two masks (random numbers) ml and m2 such that their combination by an exclusive-OR represents a random number m (the number that will be used in step 31). We then define, as previously, the random value m 'of unmasking (block 21, m' = random) and a random permutation (block 25, (p = random permutation) applicable in the set of n ranks co. , m2, m, and m 'represent bytes, and block (43, S' = S) is also a masked substitution table S 'with the values of the unmasked substitution table S. The order of steps 21 and 43 (or 43 and 21) compared to steps 41 and 42 does not matter.
    Then, we cut the recalculation of the substitution table in two loops, a first time with the intervention of the hazard ml on the table S ', a second time with the intervention of the hazard m2 on the table S issue of the first loop.
    Thus, successively for each byte S '[co] of rank co of the substitution table S', we apply the permutation function φ to the rank co and we combine (block 44, z = cp (co) + ml) by a OR-Exclusive the result cp (co) to the mask ml by placing the result in a temporary variable z. We then combine (block 45, z '= S' [φ (Q)] + m ') the byte S' [cp (co)] with the mask m 'by placing the result in a temporary variable z'. Then (block 46, S [z] = z '), the value contained in this variable z' is assigned to the byte S [z] of rank z of the unmasked substitution table S.
    For example, a counter co is initialized to 0 (block 27, co = 0) and is incremented by 1 (block 28, co = co + 1) at each processing of a byte of the table S 'as all the bytes have not been processed (output N of block 29, co = nl ).
    Once the n bytes S '[co] of the substitution table S' initialized at 43 have been processed (output Y of block 29) with the part ml of the number m, the bytes of the resulting substitution table S are taken again. of the first loop to hide them with the m2 part.
    Thus, successively for each byte S [co] of rank co of the substitution table S, we apply the permutation function φ to the rank co and we combine (block 47, z = cp (co) + m2) by an OR. Exclusive the result cp (co) to the mask m2 by placing the result in the variable z. Next, (block 48, z '= S [(p (co)]), the byte S [(p (co)] of the substitution table S resulting from the first loop, in the variable z'. (block 24, S '[z] = z1), the value contained in this variable z' is assigned to the byte S '[z] of rank z of the hidden substitution table S'.
    For example, for the loop calculation, a counter c 0 is again initialized to 0 (block 27 ', co = 0) and is incremented by 1 (block 28', ω = ω + 1) at each processing of a byte of the table S resulting from the first loop, until all the bytes have been processed (output N of the block 29 ', co = nl ).
    Once (output Y of the block 29 ') the n bytes S [(p (co)] of the substitution table S resulting from the first loop have been processed with the part m2 of the number m, the substitution table is used. masked resultant S 'for processing the byte message by byte (block by block) and performing steps 31 to 35 as described in FIGS. 2 and 3.
    The calculation illustrated in FIG. 4 can also be written in the following way: ml <- random (block 41) m2 <- random (block 42) m '<- random (block 21) S' <- S (block 43 ) φ <- random permutation (block 25)
    For co = 0 to n-1 (block 27, output N of block 29, block 28): z <- (p (co) + ml (block 44) z '<- S' [(p (co)] + m '(block 45) S [z] = z' (block 46)
    End of loop (Y output of block 29)
    For co = 0 to n-1 (block 27 ', output N of block 29', block 28 '): z <- φ (ω) + πι2 (block 47) z' <- S [(p (co)] (block 48) S '[z] = z' (block 24)
    End of loop (Y output of block 29 ') t <- t + m (block 31, FIG. 3) t <- t + k (block 32, FIG. 3) t <- S' [t] (block 33, FIG. 3) t <- t + m '(block 34, FIG. 3)
    Return t (block 35, figure 3).
    Figure 5 schematically shows in block form another embodiment according to this second aspect.
    We start (block 41, ml = random), (block 42, m2 = random, m = ml + m2), by defining two masks (random numbers) ml and m2 such that their combination by an exclusive-OR represents a random number m (the number that will be used in step 31). We then define, as previously, the random value m 'of unmasking (block 21, m' = random) and a random permutation (block 25, (p = random permutation) applicable in the set of n ranks co. , m2, m and m 'are bytes, and the order of steps 21 and 43 (or 43 and 21) with respect to steps 41 and 42 is not important.
    Then, we cut the recalculation of the substitution table in two loops, a first time with the intervention of the hazard ml on the table S, a second time with the intervention of the hazard m2 on the table S 'issue of the first loop.
    Thus, successively for each byte S [co] of rank co of the substitution table S ', we apply the permutation function φ to rank co and we combine (block 44, z = cp (co) + ml) with an OR -Exclusive the result cp (co) to the mask ml by placing the result in a temporary variable z. We then combine (block 23 ', z' = S [cp (co)] + m ') the byte S [cp (œ)] with the mask m' by placing the result in a temporary variable z '. Then (block 24, S '[z] = z'), the value contained in this variable z 'is assigned to the byte S' [z] of rank z of the hidden substitution table S '.
    For example, a counter ω is initialized to 0 (block 27, ω = 0) and is incremented by 1 (block 28, 0 = 0 + 1) at each processing of a byte of the table S as all the bytes n have not been processed (output N of block 29, 0 = nl ).
    Once the n bytes S [co] of the substitution table S have been processed (output Y of the block 29) with the part ml of the number m, the bytes of the substitution table S 'resulting from the first loop are taken again. to hide them with the m2 part.
    Thus, successively for each byte S '[ω] of rank co of the substitution table S', we apply the permutation function φ to rank ω and we combine (block 47, z = (p (co) + m2) by an exclusive-OR the result φ (ω) to the mask m2 by placing the result in the variable z, then place (block 48, z '= S' [φ (ω)]), the byte S '[(p (co)] of the substitution table S 'resulting from the first loop, in the variable z' Then (block 49, S [z] = z '), we assign the value contained in this variable z' to the byte S [z] of rank z of substitution table S.
    For example, for the loop calculation, a counter ω is again initialized to 0 (block 27 ', co = 0) and is incremented by 1 (block 28', ω = ω + 1) at each processing of one byte of the table S 'resulting from the first loop, until all the bytes have been processed (output N of the block 29', co = nl ).
    Once (output Y of the block 29 ') the n bytes S [(p (co)] of the substitution table S' resulting from the first loop have been treated with the part m2 of the number m, the table of resulting substitution S, which here constitutes the masked substitution table for processing the octet message byte (block by block) Thus, the step 33 described in relation with FIGS. 2 and 3 takes the bytes of the table S and not those of the table S '(block 33', t = S [t]) The steps 31, 32, 34 and 35 are not modified with respect to the embodiment of FIGS.
    Compared with the embodiment of FIG. 4, the initialization of the table S '(block 43, FIG. 4) is saved.
    The calculation illustrated in FIG. 4 can also be written in the following way: ## EQU1 ## (random block) )
    For co = 0 to n-1 (block 27, output N of block 29, block 28): z <- φ (ω) + πι1 (block 44) z '<- S [(p (co)] + m' (block 23 ') S' [z] = z 1 (block 24)
    End of loop (Y output of block 29)
    For co = 0 to n-1 (block 27 ', output N of block 29', block 28 '): z <- φ (ω) + πι2 (block 47) z' <- S '[φ (ω)] (block 48 ') S [z] = z' (block 49)
    End of loop (Y output of block 29 ') t <- t + m (block 31, FIG. 3) t <- t + k (block 32, FIG. 3) t <- S [t] (block 33') t <- t + m '(block 34, FIG. 3)
    Return t (block 35, figure 3).
    Cutting the mask m into two parts ml and m2 and performing twice the calculation of the substitution table makes the attack more difficult.
    According to the third aspect, provision is made to use, during the recalculation of the substitution table, a commutative permutation function with the substitution operation.
    Figure 6 schematically shows in block form an embodiment according to this third aspect.
    We begin (block 20, m = random), (block 21, m '= random), as in FIG. 2, by defining two masks (random numbers) m and m', respectively masking and unmasking.
    Then, we select (block 25 ', y = random permutation, yoS = Soy) a random permutation having a commutative property with the substitution table).
    Then, successively for each byte S [co] of rank ω of the substitution table S, we apply the permutation function γ to rank ω and we combine (block 51, z = y (co) + m) with an OR Exclusive the result γ (ω) to the mask m by placing the result in a temporary variable z. We then combine (block 52, z '= y (S [co]) + m') the result of the application of the function γ to the byte S [(co)] to the mask m 'by placing the result in a temporary variable z '. Then (block 24, S '[z] = z'), the value contained in this variable z 'is assigned to the byte S' [z] of rank z of the hidden substitution table S '. As in the preceding examples, a counter co is for example initialized to 0 (block 27, co = 0) and is incremented by 1 (block 28, ω = ω + 1) at each processing of a byte S [co] of the table S, until all the bytes have been processed (output N of block 29, co = nl ).
    Once the n bytes S [co] of the substitution table S has been processed (output Y of block 29), the resulting masked substitution table S 'is used to process the byte message by byte (block by block) and perform steps 31 to 35 as described in Figures 2 and 3.
    Compared with FIG. 3, the value γ (ω) appears only once per loop. It is therefore not possible to combine it within the loop to exploit a current trace. However, since the function γ is commutative with the substitution operation S, the result of step 52 is the same as that of step 23 'of FIG. 3, which allows the unmasking.
    The calculation illustrated in FIG. 5 can also be written in the following way: m <- random (block 20) m '<- random (block 21) γ <- commutative random permutation with the substitution operation S (block 25 ')
    For co = 0 to n-1 (block 27, output N of block 29, block 28): z <- y (co) + m (block 51) z '<- y (S [co]) + m' ( block 52) S '[z] = z' (block 24)
    End of loop (Y output of block 29) t <- t + m (block 31) t <- t + k (block 32) t <- S '[t] (block 33) t <- t + m' ( block 34)
    Return t (block 35). As a particular embodiment, we can use, as a commutative function γ with the substitution operation, the elevation to any power, preferably random, of the substitution table.
    The implementation of the attack sensitivity verification method according to the first aspect also makes it possible to verify whether the countermeasure described in connection with FIG. 4 or in relation to FIG. 5 is implemented or not by the electronic circuit.
    In practice, different values, bytes, variables, etc. are physically stored in registers of one or more electronic circuits and the contents of these registers can be read and / or written according to control signals depending on the steps of the method. The electronic circuit is, for example, an execution processor of the described algorithm having input, output, and manipulation registers of the different values. The calculation and substitution steps are, for example, performed by wired logic elements integrated into the processor.
    FIG. 7 very schematically shows an example of an electronic circuit 6 of the type to which the embodiments which will be described will be applied.
    The circuit 6 comprises: a computing entity 61 (CPU), for example a state machine, a microprocessor, a programmable logic circuit, etc., including or using registers 62, containing different variables used for the calculation, and represented arbitrarily in Figure 7 outside entity 61; one or more zones 63 (MEM) of volatile and / or non-volatile storage for storing all or part of the data and keys; one or more buses 65 of data, addresses and / or commands between the various elements internal to the circuit 6 and an input / output interface 67 (I / O) of communication with the outside of the circuit 6.
    The circuit 6 may include various other circuits depending on the application, symbolized in FIG. 7 by a block 69 (FCT).
    Various embodiments have been described. Various variations and modifications will be apparent to those skilled in the art. In particular, the integration of the steps described above in the turn processing of the AES algorithm is within the abilities of those skilled in the art from the description above. Finally, the practical implementation of the embodiments that have been described is within the abilities of those skilled in the art from the functional indications given above.
    权利要求:
    Claims (16)
    [1" id="c-fr-0001]
    A method of verifying the sensitivity of an electronic circuit (6) executing a Rijndael type algorithm to non-hidden channel attacks, wherein: each block (t) of data to be encrypted or decrypted is masked (31) by a first mask (m) before application (33) of a block substitution non-linear operation from a substitution table (S '), then is unmasked (34) by a second mask (m') after substitution the substitution table is recalculated, block by block, before application of the non-linear operation, the order of processing of the blocks of the substitution table being subjected to a random permutation (φ, γ), and an attack by channels hidden is performed on the steps of recalculation, block by block, of the substitution table.
    [2" id="c-fr-0002]
    The method of claim 1, wherein the driving is a differential analysis of the at least second order consumption.
    [3" id="c-fr-0003]
    3. The method of claim 1 or 2, wherein the circuit is considered responsive to the attack if the latter can determine directly or indirectly the value of at least one of the masks.
    [4" id="c-fr-0004]
    4. Method according to any one of claims 1 to 3, wherein the recalculation of the substitution table involves the second mask (m ') and the third (ml) and fourth (m2) masks, the sum of the third and fourth masks being equal to the first mask (m).
    [5" id="c-fr-0005]
    5. Method according to claim 4, wherein: successively for each block of the first table (S): the rank (ω) of the current block is subjected (44) to said permutation (φ) and the result is combined with the third mask (ml); the current block of a second table (S ') is replaced (24) by the combination (23') of the second mask (m ') with the block of the first table identified by the result of the permutation; and successively, for each block of the second table (S '): the rank (ω) of the current block is subjected (47) to said permutation (φ) and the result is combined with the fourth mask (m2); the current block of the first table (S) is replaced (48 ', 49) by the block of the second table identified by the result of the permutation.
    [6" id="c-fr-0006]
    6. Method according to claim 4 or 5, comprising the following steps: successively for each block of the first table (S): in a first step (44), apply the permutation (φ) to the rank (ω) of the current block, combining the result with the first mask (ml) and storing the result in a first variable (z); in a second step (23 '), storing in a second variable (z1) the result of the combination of the second mask (m1) with the block of the first table having for rank the result (φ (ω)) of the permutation applied to the rank of the current block, and storing (24) the result of the second step in a block, identified by the result of the first step, of a second table (S '), successively for each block of the second table (S' ): in a third step (47), apply the permutation (φ) to the rank (co) of the current block, combine the result with the second mask (m2) and store the result in the first variable, (z), in a fourth step (48 '), storing in the second variable (z1) the block of the second table having for rank the result (φ (ω)) of the permutation applied to the current rank, and storing (49) the result of the fourth step in a block, identified by the result of the third step, of the first table (S).
    [7" id="c-fr-0007]
    7. The method of claim 4, wherein: the blocks of the first table (S) are copied (43) in a second table (S '); successively, for each block of the second table (S '): the rank (ω) of the current block is subjected (44) to said permutation (φ) and the result is combined with the third mask (ml); the current block of the first table (S) is replaced (46) by the combination (45) of the second mask (mf) with the block of the second table identified by the result of the permutation; and successively, for each block of the first table (S): the rank (ω) of the current block is subjected (47) to said permutation (φ) and the. result is combined with the fourth mask (m2); the current block of the second table (S ') is replaced (48, 24) by the block of the first table identified by the result of the permutation,
    [8" id="c-fr-0008]
    8. The method of claim 4 or 5, comprising the following steps: the blocks of the first table (S) are recopied (43) in a second table (S '); successively for each block of the second table (S1): in a first step (44), apply the permutation (φ) to the rank (ω) of the current block, combine the result with the first mask (ml) and store the result in a first variable (z); in a second step (45), storing in a second variable (z ') the result of the combination of the second mask (m') with the block of the second table having for rank the result (cp (©)) of the permutation applied to the rank of the current block; and storing (46) the result of the second step in a block of the first table (S), identified by the result of the first step; successively for each block of the first table (S): in a third step (47), apply the permutation (φ) to the rank (ω) of the current block, combine the result with the second mask (m2) and store the result in the first variable (z); in a fourth step (48), storing in the second variable (z ') the block of the first table having for rank the result (φ (ω)) of the permutation applied to the current rank; and storing (24) the result of the fourth step in a block, identified by the result of the third step, of the second table (S ')'.
    [9" id="c-fr-0009]
    The method of any one of claims 1 to 3, wherein the random permutation (y) is commutative with the nonlinear substitution operation.
    [10" id="c-fr-0010]
    The method according to claim 9, wherein: successively, for each block of the substitution table: in a first step (51), the rank (ω) of the block is subjected to said permutation (γ) and is combined with the first mask (m); in a second step (52), the block (S [œ]) is subjected to the permutation ·· y) and the result is combined with the second mask (m '); and the block, identified by the result of the first step, is substituted by the result of the second step.
    [11" id="c-fr-0011]
    11. The method of claim 9 or 10, comprising the following steps: successively for each block of the substitution table (S): in a first step (51), apply the permutation (γ) to the rank {ω) of the current block combine the result with the first mask (m) and store the result in a first variable (z); in a second step (52), apply the permutation (γ) to the current block (3 [ω)), combine the result with the second mask (m) and store the result in a second variable {z '); and replacing (24) the block of the substitution table having for rank the result of the first step by the result of the second step.
    [12" id="c-fr-0012]
    The method of any one of claims 1 to 11, wherein the masks (ml, m 2, m, m ', m, m') are random numbers.
    [13" id="c-fr-0013]
    The method of any one of claims 1 to 12, wherein the masks (ml, m2, m, m ', m', m ') are all the same size as a block.
    [14" id="c-fr-0014]
    The method of any one of claims 1 to 13, wherein the combinations are of the exclusive-OR type.
    [15" id="c-fr-0015]
    15. Process according to any one of claims 1 to 14, applied to the AES.
    [16" id="c-fr-0016]
    16. Electronic circuit (6) adapted to the implementation of the method according to any one of claims 1 to 15.
    类似技术:
    公开号 | 公开日 | 专利标题
    EP3139365B1|2018-06-13|Verification of the resistance of an electronic circuit to covert channel attacks
    EP1379023B1|2007-05-30|En- and Decryption Method executed by an integrated Circuit masking a nonlinear transformation as the SUBBYTE operation
    EP1733502B1|2009-09-30|Processor for executing an aes-type algorithm
    EP3139363B1|2019-04-17|Protection of a rijndael algorithm
    CA2570617C|2015-08-04|Method and device for carrying out a cryptographic calculation
    JP5646612B2|2014-12-24|White box cryptosystem with configurable keys using intermediate data modification
    EP1638245B1|2009-11-11|Protection of a DES algorithm
    EP1798888B1|2011-02-09|DES-algorithm execution protection
    EP2893431B1|2016-11-02|Protection against side channel attacks
    FR2873523A1|2006-01-27|METHOD AND DEVICE FOR PERFORMING A CRYPTOGRAPHIC CALCULATION
    EP2166696B1|2016-10-05|protection of encrypted data Integrity using an intermediatecipher state to generate a signature
    EP2320595A1|2011-05-11|Protection of a cryptographic key
    EP3139364B1|2018-01-17|Dpa protection of a rijndael algorithm
    EP2159952B1|2011-04-13|Protection of an encryption algorithm
    WO2016087520A1|2016-06-09|Method of encryption with dynamic diffusion and confusion layers
    EP1615369A1|2006-01-11|Block encryption of the content of a memory external to a processor
    Sharma et al.2016|Comparative Analysis of Block Key Encryption Algorithms
    FR2949887A1|2011-03-11|METHOD FOR CRYPTOGRAPHIC DATA PROCESSING
    FR3097348A1|2020-12-18|Encryption Algorithm Execution Protection
    FR2924550A1|2009-06-05|METHODS AND DEVICES FOR ENCRYPTING AND DECRYPTING A DATA MESSAGE WITH A RANDOM SECRET KEY.
    同族专利:
    公开号 | 公开日
    FR3040515B1|2018-07-27|
    EP3139365B1|2018-06-13|
    CN106487498B|2020-03-24|
    EP3139365A1|2017-03-08|
    US20170063522A1|2017-03-02|
    US10243728B2|2019-03-26|
    CN106487498A|2017-03-08|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US7142670B2|2001-08-14|2006-11-28|International Business Machines Corporation|Space-efficient, side-channel attack resistant table lookups|
    US7403620B2|2002-07-02|2008-07-22|Stmicroelectronics S.A.|Cyphering/decyphering performed by an integrated circuit|
    JP4357815B2|2002-09-11|2009-11-04|株式会社東芝|Cryptographic operation circuit|
    FR2871969B1|2004-06-18|2006-12-01|Sagem|METHOD AND DEVICE FOR PERFORMING A CRYPTOGRAPHIC CALCULATION|
    CN101009554A|2007-01-17|2007-08-01|华中科技大学|A byte replacement circuit for power consumption attack prevention|
    WO2008146482A1|2007-05-30|2008-12-04|Panasonic Corporation|Encryption device, decryption device, encryption method, and integrated circuit|
    EP2195761B1|2007-10-01|2013-04-03|Research In Motion Limited|Substitution table masking for cryptographic processes|
    US20100246808A1|2007-12-05|2010-09-30|Nec Corporation|Side channel attack tolerance evaluation apparatus, method and program|
    FR2941342B1|2009-01-20|2011-05-20|Groupe Des Ecoles De Telecommunications Get Ecole Nat Superieure Des Telecommunications Enst|CRYPTOGRAPHIC CIRCUIT PROTECTED AGAINST ATTACKS IN OBSERVATION, IN PARTICULAR OF HIGH ORDER.|
    EP2509252B1|2011-04-08|2016-08-10|STMicroelectronics SAS|Secured cryptographic calculation method, in particular against DFA and one-way attacks, and corresponding component|
    FR2974693B1|2011-04-26|2013-04-26|Cassidian Sas|METHOD FOR APPLYING HIGH ENTROPY MASKING MEASURE IN A BLOCK ENCRYPTION ALGORITHM, AND LOGIC INTEGRATED CIRCUIT USING SUCH A METHOD|
    US8971526B2|2011-07-26|2015-03-03|Crocus-Technology Sa|Method of counter-measuring against side-channel attacks|
    FR2985624B1|2012-01-11|2014-11-21|Inside Secure|ENCRYPTION METHOD PROTECTED AGAINST AUXILIARY CHANNEL ATTACKS|
    CN102983964A|2012-12-28|2013-03-20|大唐微电子技术有限公司|method and device for improving digital encryption standard resisting differential power analysis|
    US9118441B2|2013-01-25|2015-08-25|Freescale Semiconductor, Inc.|Layout-optimized random mask distribution system and method|
    CN103647638A|2013-12-03|2014-03-19|北京中电华大电子设计有限责任公司|DES masking method for resisting side-channel attack|
    US20160105276A1|2014-10-10|2016-04-14|Qualcomm Incorporated|Rotation-based cipher|CN107547190A|2016-06-28|2018-01-05|埃沙尔公司|For protecting method of the replacement operation for using substitution table from side Multiple Channel Analysis|
    EP3422176A1|2017-06-28|2019-01-02|Gemalto Sa|Method for securing a cryptographic process with sbox against high-order side-channel attacks|
    US11218291B2|2018-02-26|2022-01-04|StmicroelectronicsSas|Method and circuit for performing a substitution operation|
    FR3078463A1|2018-02-26|2019-08-30|StmicroelectronicsSas|METHOD AND DEVICE FOR REALIZING SUBSTITUTED TABLE OPERATIONS|
    FR3078464A1|2018-02-26|2019-08-30|StmicroelectronicsSas|METHOD AND CIRCUIT FOR IMPLEMENTING A SUBSTITUTION TABLE|
    US11032061B2|2018-04-27|2021-06-08|Microsoft Technology Licensing, Llc|Enabling constant plaintext space in bootstrapping in fully homomorphic encryption|
    法律状态:
    2016-08-22| PLFP| Fee payment|Year of fee payment: 2 |
    2017-03-03| PLSC| Search report ready|Effective date: 20170303 |
    2017-08-22| PLFP| Fee payment|Year of fee payment: 3 |
    2018-08-22| PLFP| Fee payment|Year of fee payment: 4 |
    2019-08-20| PLFP| Fee payment|Year of fee payment: 5 |
    2021-06-11| ST| Notification of lapse|Effective date: 20210506 |
    优先权:
    申请号 | 申请日 | 专利标题
    FR1558117A|FR3040515B1|2015-09-02|2015-09-02|VERIFYING THE RESISTANCE OF AN ELECTRONIC CIRCUIT TO HIDDEN CHANNEL ATTACKS|FR1558117A| FR3040515B1|2015-09-02|2015-09-02|VERIFYING THE RESISTANCE OF AN ELECTRONIC CIRCUIT TO HIDDEN CHANNEL ATTACKS|
    EP16155061.1A| EP3139365B1|2015-09-02|2016-02-10|Verification of the resistance of an electronic circuit to covert channel attacks|
    US15/046,092| US10243728B2|2015-09-02|2016-02-17|Verification of the resistance of an electronic circuit to side-channel attacks|
    CN201610109672.5A| CN106487498B|2015-09-02|2016-02-26|Verification of the resistance of an electronic circuit to side-channel attacks|
    [返回顶部]