Patent Application
20160306973
The invention relates to a computing device comprising an electronic storage and an electronic processor coupled to the storage, the storage storing table networks, the processor being configured to compute a function by applying the table networks.
The invention further relates to a method of computing, a compiler, and corresponding computer programs.
In traditional cryptography it was typically assumed that an attacker only gains access to the input and output values of a secure system. For example, the attacker would be able to observe a plain text going into a system and observe an encrypted text going out of the system. Although an attacker could try to gain an advantage by analyzing such input/output pairs, possibly even using computationally intense methods, he was not thought to have direct access to the system that implemented the input/output behavior.
Recently, it has become necessary to take threat models into account in which it is assumed that an attacker has some knowledge of the implementations. For example, one may consider the threat of side-channel analysis and of reverse engineering. Furthermore, the concerns that previously were mostly associated with security problems have extended to other fields, such as privacy. Although cryptographic systems processing security information such as cryptographic keys remain a prime concern, protection of other programs, e.g., those processing privacy relevant information has also become important.
It has long been known that computer systems leak some information through so-called side-channels. Observing the input-output behavior of a computer system may not provide any useful information on sensitive information, such as secret keys used by the computer system. But a computer system has other channels that may be observed, e.g., its power consumption or electromagnetic radiation; these channels are referred to as side-channels. For example, small variations in the power consumed by different instructions and variations in power consumed while executing instructions may be measured. The measured variation may be correlated to sensitive information, such as cryptographic keys. This additional information on secret information, beyond the observable and intended input-output behavior is termed a side-channel. Through a side-channel a computer system may ‘leak’ secret information during its use. Observing and analyzing a side-channel may give an attacker access to better information than may be obtained from cryptanalysis of input-output behavior only. One known type of side-channel attack is the so-called differential power analysis (DPA).
Current approaches to the side-channel problem introduce randomness in the computation. For example, in between genuine operations that execute the program dummy instructions may be inserted to blur the relationship between power consumption and the data the program is working on.
An even stronger attack on a computer is so called reverse engineering. In many security scenarios attackers may have full access to the computer. This gives them the opportunity to disassemble the program and obtain any information about the computer and program. Given enough effort any key hidden say in a program may be found by an attacker.
Protecting against this attack scenario has proven very difficult. One type of counter measure is so-called white-box cryptography. In white-box cryptography, the key and algorithm are combined. The resulting algorithm only works for one particular key. Next the algorithm may be implemented as a so-called, lookup table network. Computations are transformed into a series of lookups in key-dependent tables. See for example, “White-Box Cryptography and an AES Implementation”, by S. Chow, P. Eisen, H. Johnson, P. C. van Oorschot, for an example of this approach.
The known countermeasures against side-channel attacks against computer systems are not entirely satisfactory. For example, the introduction of randomness may countered by statistical analysis. The obfuscation of software may be countered by more advanced analysis of the operation of the program. There is thus a need for more and better countermeasures.
It has been found that this problem is addressed by the introduction of table networks that operate on multiple input values at the same time. The table network may apply a different function to different inputs or groups of inputs. Using an encoding which encrypts into a single value two or more of the multiple inputs together into a single value, it becomes impossible for an attacker to determine for what function the table network is intended since, indeed, it performs two functions. See the US provisional application with number U.S. 61/740,691, and title “Computing device comprising a table network” filed on 21 Dec. 2012, and/or the European patent application of the same title “Computing device comprising a table network”, with filing date in 27 Dec. 2012 and file number EP12199387.
Although this system adds considerably to the security, there remains a vector of attack, especially if the attack model is widened further. We assume not only that an attacker has full access so that he may observe everything that happens in the system, we also prepare for an attacker who is able to modify the program. We consider two such modifications, modification to table entries and modification to variables. The first type of modification assumes less on the attacker since the modification could be made before program execution has started; the latter type of modification is done while the program is running and is therefore considered harder. For example, an attacker may try the following attack (most likely in an automated fashion). He modifies an entry in a table and runs the modified program for a variety of inputs. If none of the runs show any difference in the output of the original program and the modified program, he concludes that the modified table entry and the unmodified table entry are equal insofar relevant data is concerned and only differ in obfuscating computations, i.e., the so called state variables and state functions. Given sufficient time a map may be built up of classes of values that are equal insofar correct computation is concerned. Effectively, the state variable is thus eliminated. To be clear, because of encoding the attacker will not be able to observe directly if the data values are the same while state values are different, but he may be able to deduce this from analyzing the effect of table modifications.
It would be advantageous to have a computing device configured to compute a data function on a function-input value with increased resilience against program modifications.
Reference is made to European patent application 13156302, with title “Computing device configured with a table network” filed by the same applicant on 22 Feb. 2013, and is included herein by reference. That application contains additional examples of encoding, table networks and the like.
A computing device configured to compute a data function on a function-input value is provided, which addresses at least this concern.
The computing device comprises an electronic storage and an electronic processor coupled to the storage. The storage stores a series of table networks. The processor is configured to compute an iterated function on a global data-input and a global state-input by applying table networks of the series of table networks.
The table networks of the series are configured for a corresponding data-function and state-function and is configured to map a data-input to a data-output according to the corresponding data-function, and to simultaneously map a state-input to a state-output according to a state-function.
The electronic processor is configured to iterate applying the table networks of the series, a table network, i.e., a first table network, of the iteratively applied table networks to the global data-input and global state-input, and a successive table network of said iteration to the data-output and state-output of a preceding table network of the series, the iterated application of the series determines a global data function on the global data-input and determines a global state function on the global state-input, thus obtaining an intermediate data-output and an intermediate state-output.
The electronic storage is further storing a protecting table network configured to cooperate with the series of table networks for countering modifications made to table networks of the series, the protecting table network being configured to receive as input: the intermediate state-output, and a global state-input. The protecting table network is configured to verify that the global state-function applied to the global state-input produces the intermediate state-output.
It would be advantageous if the code obfuscation which is possible with white-box cryptography could be more generally applied. Traditional white box cryptography is static; it transforms an algorithm into a fixed table network and transforms the network using table obfuscation, e.g., encoding of inputs and outputs. This type of obfuscation may be improved by encoding data variables together with state variables. It would be advantageous if the security of table based computations, e.g. as used in white-box cryptography, could be applied in non-static computations. For example, one impediment to using table based computations is to apply the systems to iterative structures such as loops, while-do, for-until constructs, and the like.
The system provides a series of tables or table networks that are applied iteratively. Together with a data function, the series also computes a state functions. By verifying the state function, the whole iteration is verified. The table networks in the series are applied in an order of the series, the series is iterated by applying all tables networks multiple times in the same order. In an embodiment, the series is applied 2 or more times.
Verifying a series of combined data and state computations is further improved if the series acts on data variables (input or outputs) that are encrypted together with state variables. In an embodiment, the global data-input and a global state-input are encoded together into a single global input. In an embodiment, the data-input and the state-input of a table network of the series are encoded together into a single input. In an embodiment, the data-output and the state-output of a table network of the series are encoded together into a single output. In an embodiment, the intermediate data-output and the intermediate state-output are encoded together into a single intermediate output. In an embodiment, the protected data-output and the protected state-output are encoded together into a single protected output.
The state function that is obtained by applying the table networks of the series once is referred to as the single-iteration state function. It was an insight of the inventors that the single-iteration state function may be selected independently from the data functions. The single-iteration state function may be chosen so that implementation as a table network requires fewer tables than are used in the series, and also requires less storage than the table networks in the first series do together. Moreover, the single-iteration state function may be chosen so that iterating the single-iteration state function requires few tables and/or storage. In an embodiment, the state table network comprises fewer tables than the table networks in the series together. In an embodiment, the size of the state table network on the storage is smaller than the size of the series on the storage. The state table network and/or the protection table network are not iterated and applied only once, even if the first series is iterated.
For example, an advantageous choice for the single-iteration state function is an idempotent function. Multiple iterations of an idempotent function give the same result as one iteration of the function. Accordingly, to obtain the same state function as multiple applications of the first series, the single-iteration state function need only be applied once. This simplifies the construction of the protection network considerably.
Another advantageous choice for the single-iteration state function is a nilpotent function. A nilpotent function has an associated number q, such that q applications of the function is the identity. This means that the protection network need only be able to verify up-to q application of the single-iteration state function, since the q+1′ the application is equal to the single-iteration state function itself.
In an embodiment, the protecting table network is configured to receive a further input dependent upon the number of iterations of the series. This allows the protection network to look-up the result of that many application of the single-iteration state function. Receiving the number of iterations is well suited to using a nilpotent single-iteration state function. In that case a state network may look up the combination of the global state input and the number of iterations, to obtain the verification state.
For example, the further input may be the number of iterations, possibly in encoded form. For idempotent functions it is sufficient if the further input indicates if the number of iterations is 0 or larger than 0; this can be represented as a single bit. Nevertheless, larger encodings are possible. Likewise, for permutations of order q, the number of iterations mod q is sufficient. In an embodiment, a loop is implemented as two table networks, one for iterations up to a predetermined number of iterations, and another for an unlimited number of iterations. The former table network, may receive the further input, limited to the predetermined number of iterations, whereas the latter table network, may not receive the further input. The computing device could then contain control logic for selecting a table network from the two table network in dependence upon the number of iterations.
In an embodiment, control code is configured to count the number of iterations of the series and to supply number of iterations as an input to the protecting network.
A particularly interesting choice for the single-iteration state function is the identity. In this case the individual state functions implemented by the table networks of the series may be any function, as long as their function composition is the identity. This can be used by verifying that the global state input equals the final state output of the last table network of the last iteration of the series.
The protection network may act on the same global state input as the series receive, but this is not necessary. The state input of the protection network and the first series may come from different sources. The different sources are arranged so that in the absence of tampering both states are the same. After applying the iterated first series and the protection network, a difference in states causes the data value to be changed.
In an embodiment, at least one table network in the series receive additional input, e.g., from a further source other than the preceding table network. The intermediate data output of the table network may depend on the additional input, the intermediate state output does not depend on the additional input. The additional input may or may not be encrypted together with additional state input. In this way, the additional input does not disturb the relationship between the intermediate state output and verification state. Even though the additional input does not contribute to state changes, modification in a table that receives the additional input likely will change the state output of the table. Accordingly, still a check is made on computations involving such additional input. For example, the additional input may be round key, in case the series represents a single round of a block cipher.
An aspect of the invention concerns a computing device comprising an electronic storage and an electronic processor coupled to the storage, configured to apply a series of table networks. The series has a single-iteration state function that allows efficient implementation in the protection network. The series need not be applied iteratively. If iteration is nevertheless required, one could iterate both the first series and the protection network, instead of only iterating the first series but not the protection network.
The computing device is an electronic device, for example, a mobile electronic device, e.g., a mobile phone, set-top box, computer, etc.
An aspect of the invention concerns a compiler configured for obtaining a series of data functions and for producing a first series of table networks and a protecting table network and computer code. The computer code is configured to control iterative application of the first series followed by application of the protection table network. The compiler may be implemented as a computer program or as a compiler device, etc. The compiler device may comprise an electronic processor and electronic memory, the memory storing computer code configuring the processor as the compiler.
An aspect of the invention concerns a computing method. A method according to the invention may be implemented on a computer as a computer implemented method, or in dedicated hardware, or in a combination of both. Executable code for a method according to the invention may be stored on a computer program product. Examples of computer program products include memory devices, optical storage devices, integrated circuits, servers, online software, etc. Preferably, the computer program product comprises non-transitory program code means stored on a computer readable medium for performing a method according to the invention when said program product is executed on a computer
In a preferred embodiment, the computer program comprises computer program code means adapted to perform all the steps of a method according to the invention when the computer program is run on a computer. Preferably, the computer program is embodied on a computer readable medium.
These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter. In the drawings,
It should be noted that items which have the same reference numbers in different Figures, have the same structural features and the same functions, or are the same signals. Where the function and/or structure of such an item has been explained, there is no necessity for repeated explanation thereof in the detailed description.
While this invention is susceptible of embodiment in many different forms, there is shown in the drawings and will herein be described in detail one or more specific embodiments, with the understanding that the present disclosure is to be considered as exemplary of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.
Computing devices may be protected against attacks by executing all or part of the computations of the computing devices through networks of tables. A table network can be protected by encoding the variables and tables. Nevertheless, attacks remain a concern. One possible attack vector is to the modify tables, run the computation, and see what effects the modification has. In this way an attacker may gain insight in the encryptions used. To counter this one may introduce state variables in addition to data variables. State variables are variables that mirror the computational path of the data variables, or part thereof. However, the nature of the computation that is performed on the state variable may differ from the computation performed on the data variable. State variables may be verified in various ways during the computation. Because state and data variables are often encoded together in a single variable, it is difficult for an attacker to modify tables so that data variable are affected but the state variable is not. When it is detected that a state variable has been tampered with, the device may take appropriate action. Often this detection can be done implicitly, rather than through an explicit check. Moreover, because of state variables the same data has multiple representations. Checking the consistency of these state variables makes it is possible to detect some types of attacks.
Composite table network 100 comprises a series of table networks 110 and a protecting table network 150.
Series 110 comprises one or more table networks. In
For larger computations there is a tradeoff between representing a computation or part thereof as a single table or as a table network. The latter offers more points at which an attacker could try to attack the system, but on the other hand the network may require less storage space. Some computations do not have a practical representation as a single table, as it would be too large, in this case a table network is required. For example, a full AES computation may be represented by a table network, but not by a single table. Typically, a table can be replaced by a table network which is being functionally the same. When distinguishing from a table network is needed, we refer to a table as a ‘single table’ or a ‘monolithic table’.
In addition to series 110, the computing device may combine many more table networks and/or series of table networks to compute some computation result.
For simplicity, we refer to the elements of series 110 as table networks, keeping in mind that a table network may be a single table or multiple cooperating tables. Series 110 may comprise one or multiple table networks. Shown in
For protecting table network 150 the same reasoning applies; it may be represented as a single table, in fact some of the choices given below make protecting table network 150 well-suited to representation as single table. For simplicity, we will refer to protecting table network 150 as a table network, keeping in mind that its input-output behavior could completely be replaced by one table.
The processor is configured to compute an iterated function on a global data-input (121, w0) and a global state-input (121, s0) by applying the table networks of series 110. That is, the table networks of series 110 are applied more than once on the global data and state input.
The table networks in series 110 each receive a data-input and a state-input. Data-variables are referred to with the letter w and state variables with the letter s. A table network Ti of series 110, e.g., table networks 112 and 114, are configured for a corresponding data-function ƒi and state-function gi.
In this way, a series of variables is produced, e.g., for two table networks and two iterations we may get the following (reference numbers refer to
The number of iterations may be larger than 2. If there are exactly 2 iterations, then reference numeral 124 refers to the same data as numeral 123. Each table network in the iteration maps a data-input wi-1 to a data-output wi according to the corresponding data-function and simultaneously maps a state-input si-1 to a state-output si according to a state-function gi. Data wi-1 and state input si-1 are the outputs of a previous table, except for a first table, in which case it is the input.
We use the notation (w, s) to indicate the joint encryption of a data and state variable. For example, one may define a encoding function E(w,s) that maps a data and state variable to a variable u in which both data and state are combined. The mapping E is injective, e.g. invertible, i.e., given the joint encryption one can recover the original data and state values. The inverse mappings are indicated by ρ and σ for the data and state extractors respectively; so that E(ρ(u), σ(u))=u.
State and data variables may have various sizes. If series 110 contains only single tables, these size are usually somewhat moderate, e.g. data size of 4 to 8 bits. State sizes may be equal to the data size or slightly smaller, say, 2-8 bits. However, if series 110 contain table networks the data and state values, are in principle unlimited, say, 128 bit, 256 bits etc.
Generally, during the iterated application of series 110, the data inputs and outputs are encrypted together with its corresponding state inputs or outputs.
The iterated application of the series determines a global data function on the global data-input and determines a global state function. If series 110 comprises two table networks the global data function is given by ƒ=ƒ2∘ƒ1∘ƒ2∘ƒ1 and the global state function by g=g2∘g1∘g2◯g1. on the global state-input, thus obtaining an intermediate data-output (126, winter=ƒ(w0)) and an intermediate state-output (126, sinter=g(s0)). Also the sinter and winter are encrypted together in a single value, referred to as 126.
The number of iterations may be fixed, or controlled through a loop control variable. A loop control variable is sometimes referred to as ‘i’ or ‘index’. Especially in the latter case, the processor may be configured with control logic to apply series 110 a loop control variable number of times. For example, the control logic may access a loop control variable representing the number of iterations. The control logic decreases the loop control variable with each iteration. Operations on the control loop control variable may be implemented as a table network itself.
When the loop control variable is not zero, control is returned after the iteration to so that a new iteration is performed, if the loop control variable is zero, control is passed on. Even this control may be represented as a table network. For example, a table may compute a machine address to jump to in dependence of the variable.
Instead of using the loop control variable to control the number of iterations, the number of iterations may be controlled by other means, e.g. a while-condition. In this case, the loop control variable counts the number of iterations that were actually performed.
Protecting table network 150 is configured to cooperate with the series of table networks for countering modifications made to table networks of the series. The protecting table network 150 is configured to receive as input: the intermediate state-output sinter and a global state-input 131.
The global state-input 131 that protecting table network 150 receives may be a copy of the global state-input to which series 110 is applied (s0). For example, one may apply a state extractor table 160 to input 121 to obtain the state. The extracted state will be in encoded form. This possibility is shown in
Protecting table network 150 is configured to verify that the global state-function (g) applied to the global state-input (s0) produces the intermediate state-output, symbolically denoted as sinter=g(s0)?.
In
Align table 140 receives verification state-output 132, sc and the intermediate data/state-output (147, u=(winter, sinter)) and produces as output a protected data and state output 143 and optionally also a protected state output 145. If the state in the intermediate data/state-output 147, u is the same as the verification state-output 132, then the data in data and state output 143 equals the data in intermediate data/state-output 147, u, and the state in data and state output 143 equals the verification state-output 132, sc (or the state in u, they are the same in this case), to which state permutation 144 has been applied. The permutation may be omitted, but its presence ensures that the output of align table 140 differs from its input 147 even if no error was detected.
Align table 140 may be constructed from a function z 142 and an optional permutation 144. The verification state-output 132, and the intermediate data/state-output 147, u=(winter, sinter) are inputs to z-function 142. Here z(u, sc)=ρ(u) if σ(u)=sc; The functions ρ and σ are data and state extractors respectively. Align table 140 thus verifies that the verification state-output equals the intermediate state-output (sinter=sc?).
If σ(u)≠sc, the output of z may be a random data output; One may require that the output is always different from ρ(u) or often different, say in at least 90% of the case. The output should at least differ for some input values.
Permutation 144 applies a permutation (perm) to a state, here the state is obtained from intermediate data/state-output 147, but the verification state was also possible. Having a permutation in the align table ensures that the output of the table may change, regardless of the fact whether an error, i.e., an unauthorized table modification, has been detected or not. This avoids an attack in which a change in table 140 is used to determine the changes introduced by tampering.
That data-output obtained from the z-function and the state from permutation 144 are encoded together in protected data and state output 143 (z(u, sc), Perm(sc)). The state output may also be output encoded separately as state output 145, Perm(sc). Having output 143 and 145 allows a following computation to use these as inputs, like inputs 131 and 121. Outputs 143 and 145 are referred to a ‘protected outputs’.
Table 140 may be a single table, in which functions 142 and 144 are not separately visible. Table network 130 may also be implemented as a single table, so that protection table network 150 comprises two single tables. In an embodiment, state table network 130 and/or align table 140 are a table network having more than one table. Protection table network 150 may be a single table, e.g., if the single iteration state function is the identity.
The state functions used in series 110 may be chosen independently from the data-functions. This means that advantageous choices can be made. For example, one may select all state-functions (gi) corresponding to a table network (Ti) in the series to be equal (g0), even if the data-functions are not. By making appropriate choices for the state-functions their function composition may be simple to compute, even though the function composition of the data-functions may not be simple to compute.
The function on the state input determined by a single iteration of the table networks of series 110 is referred to as a single-iteration state function ({tilde over (g)}=g2∘g1). One may choose the individual state function gi so that the single-iteration state function g is particularly simple. If the series has only a single table network then {tilde over (g)}=g0. When the series of table networks is applied iteratively, the single-iteration state function {tilde over (g)} is thus applied itereratively.
In an embodiment, the single-iteration state function ({tilde over (g)}) is idempotent. An idempotent function has the property that {tilde over (g)}({tilde over (g)}(x))={tilde over (g)}(x), applying an idempotent function once may change the input, but applying it more than once does not change the function further. In particular, {tilde over (g)} may be idempotent, but not the identity. A random idempotent function may be selected as follows: First partition all state value in fixed points and non-fixed points, there should be at least one fixed point, next for each non-fixed point x select a fixed point y and set {tilde over (g)}(x)=y. This algorithm is well-suited for implementation in tables. The partition and selections may be random.
If the number of iterations is known to be at least one, and {tilde over (g)} is idempotent, then state table network 130 may be configured for {tilde over (g)}, without having to know the precise number of iterations.
In an embodiment, on or more or all of the table networks in the series receive additional input from a further source other than the preceding table network. The data output of the table network may depend on the additional input. The additional input may or may not be encrypted together with additional state input, nevertheless the state input does not depend on the additional input. In this way, the additional input does not disturb the relationship between the intermediate state output and verification state.
Typically, the computing device comprises a microprocessor (not shown) which executes appropriate software stored at the device; for example, that software may have been downloaded and/or stored in a corresponding memory, e.g., a volatile memory such as RAM or a non-volatile memory such as Flash (not shown).
If {tilde over (g)} is idempotent, and the number of iterations may be zero, than state table network 130 need only be configured for two values of input 133, i.e., zero and non-zero.
In an embodiment is {tilde over (g)} is nilpotent, i.e., there exists an integer q so that q compositions of the function {tilde over (g)} equals the identity. Examples of such functions are permutations having a cycle decomposition that has only cycles with a length that divides q, i.e., {tilde over (g)} is a permutation of order q so that q compositions of {tilde over (g)} equals the identity. In such a case state table network 130 need only be large enough to compute at most q compositions of g. In this case, also the further input 133 may be simplified, as only its value modulo q is needed.
If {tilde over (g)} is the identity, the protecting table network 150 may more easily be implemented as a single table.
One way to select the gi to obtain a desired single-iteration state function is as follows. Assume series 110 has n table networks, defining n functions gi. First select {tilde over (g)} and represent {tilde over (g)} as a permutation on all values of the state variable. Next select random permutation for g1, . . . , gn-1. Finally, select, the final state function gn from the single iteration g function and the inverses of the random permutations, e.g., as gn={tilde over (g)}g1−1 g2−1 . . . gn-1−1. This algorithm may be applied, e.g., when {tilde over (g)} is the identity, or nilpotent. In an embodiment, the single-iteration state function differs from the state-function (gi) of at least one table network (Ti) of the series, more in particular, e.g., even if the single-iteration state function is nil-potent or idempotent. In an embodiment, the single-iteration state function differs from each state-function (gi) of any table network (Ti) of the series, more in particular even if the single-iteration state function is nil-potent or idempotent.
Storage device 410 is typically one or more non-volatile memories, but may also be a hard disc, optical disc, etc. Storage device 410 may also be a volatile memory comprising downloaded or otherwise received data. Computing device 400 comprises a processor 450. The processor typically executes code 455 stored in a memory. For convenience the code may be stored in storage device 410. The code causes the processor to execute a computation. Device 400 may comprise an optional I/O device 460 to receive input values and/or transmit results. I/O device 460 may be a network connection, removable storage device, etc.
Storage device 410 contains one or more table networks according to one of the
In an embodiment, the computing device may work as follows during operation: computing device 400 receives input values. The input values are encoded, e.g. by using an encoding table 441. Thus the input values are obtained as encoded input values. Note that the input values could be obtained as encoded input values directly, e.g. through device 460. Encoding an input value to an encoded input value implies that a state input has to be chosen. There are several ways to do so, for example the state input may be chosen randomly, e.g., by a random number generator. The state input may be chosen according to an algorithm; the algorithm may be complicated and add to the obfuscation. The state input value may also be constant, or taken sequentially from a sequence of numbers, say the sequence of integers having a constant increment, say of 1, and starting at some starting point; the starting point may be zero, a random number, etc. Choosing the state inputs as a random number and increasing with 1 for each next state input choice is a particular advantageous choice. If the state inputs are chosen off-device the attacker has no way to track where state input values are chosen and what they are.
Processor 450 executes a program 455 in storage device 410. The program causes the processor to apply look-up tables to the encoded input values, or to resulting output values. Look-up tables may be created for any logic or arithmetic function thus any computation may be performed by using a sequence of look-up tables. This helps to obfuscate the program. In this case the look-up tables are encoded for obfuscation and so are the intermediate values. In this case the obfuscation is particularly advantageous because a single function input value may be represented by multiple encoded input values. Furthermore, some or all table and/or table networks have the multiple function property, of the table networks that have the multiple function property some or all are paired with a second table network for verification of the results.
At some point a result value is found. If needed the result may be decoded, e.g. using a decoding table 442. But the result may also be exported in encoded form. Input values may also be obtained from input devices, and output values may be used to show on a screen.
The computation is performed on encoded data words. The computation is done by applying a sequence of table look-up accesses. The input values used may be input values received from outside the computing device, but may also be obtained by previous look-up table access. In this way intermediate results are obtained which may then be used for new look-up table accesses. At some point one of the intermediate results is the encoded result of the function.
Computing device 400 may comprise a random number generator for assigning state input values to data function inputs.
For example, composite table network 500 may represent a block cipher having multiple rounds, say AES, DES, etc. Each round of the block cipher is computed by a table network of series 110, wherein the data-function represents the block cipher round. Each data-function is coupled with a state-function. The state functions are chosen so that the global state function is the identity. For example, in the first half of the rounds the state functions are equal to the data-functions but in the second half of the rounds the state functions are the inverses of the state functions in the first half. As a result the series computes the block cipher with the data-functions but computes the identity with the state functions.
The compiler is configured to identify function or functions. In that case, in step 640 code generation is done by a code generator. During code generation some code is generated and a series 110 of table networks. Also a protection table network 150 is generated. The generated code is configured to iteratively apply series 110. To the result protecting table network 150 is applied, as indicated above.
In step 655 the generated tables are merged to a table base, since it may well happen that some tables are generated multiple times; in that case it is not needed to store them multiple times. E.g. an add-table may be needed and generated only once. When all code is merged and all tables are merged the compilation is finished. Optionally, there may be an optimization step.
Typically, the compiler uses encoded domains, i.e., sections of the program in which all value, or at least all values corresponding to some criteria, are encoded, i.e., have code word bit size (n). In the encoded domain, operations may be executed by look-up table execution. When the encoded domain is entered all values are encoded, when the encoded domain is left, the values are decoded. A criterion may be that the value is correlated, or depends on, security sensitive information, e.g., a cryptographic key.
An interesting way to create the compiler is the following. In step 630 an intermediate compilation is done. This may be to an intermediate language, e.g. register transfer language or the like, but may also be a machine language code compilation. This means that for steps 610-630 of
The method comprising iteratively applying 710 the table networks of the series (T1, T2, T1, T2), a table network (T1) of the iteratively applied table networks to the global data-input (w0) and global state-input (s0), and a successive table network (T2, T1, T2) of said iteration to the data-output and state-output of a preceding table network of the series, the iterated application of the series determines a global data function (ƒ=ƒ2∘ƒ1∘ƒ2∘ƒ1) on the global data-input and determines a global state function (g=g2∘g1∘g2∘g1) on the global state-input, thus obtaining an intermediate data-output (winter=ƒ(w0)) and an intermediate state-output (sinter=g(s0)), and
Verifying 720 that the global state-function (g) applied to the global state-input (s0) produces the intermediate state-output (sinter=g(s0)?) by applying a protecting table network (150) configured to cooperate with the series of table networks for countering modifications made to table networks of the series, the protecting table network being configured to receive as input: the intermediate state-output (125; 126, sinter), and a global state-input (131, s0), the protecting table network being configured to verify that the global state-function (g) applied to the global state-input (s0) produces the intermediate state-output (sinter=g(s0)?).
Many different ways of executing the method are possible, as will be apparent to a person skilled in the art. For example, the order of the steps can be varied or some steps may be executed in parallel. Moreover, in between steps other method steps may be inserted. The inserted steps may represent refinements of the method such as described herein, or may be unrelated to the method. For example, steps 710 and 720 may be executed, at least partially, in parallel. For example, if table 130 is used in step 720, then table 130 may be run completely in parallel to series 110.
Moreover, a given step may not have finished completely before a next step is started.
A method according to the invention may be executed using software, which comprises instructions for causing a processor system to perform method 700. Software may only include those steps taken by a particular sub-entity of the system. The software may be stored in a suitable storage medium, such as a hard disk, a floppy, a memory etc. The software may be sent as a signal along a wire, or wireless, or using a data network, e.g., the Internet. The software may be made available for download and/or for remote usage on a server. A method according to the invention may be executed using a bitstream arranged to configure programmable logic, e.g., a field-programmable gate array (FPGA), to perform a method according to the invention.
It will be appreciated that the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate source and object code such as partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention. An embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the processing steps of at least one of the methods set forth. These instructions may be subdivided into subroutines and/or be stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the means of at least one of the systems and/or products set forth.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb “comprise” and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article “a” or “an” preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
| Number | Date | Country | Kind |
|---|---|---|---|
| 13195809.2 | Dec 2013 | EP | regional |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2014/074952 | 11/19/2014 | WO | 00 |
