This application is a National Stage of International patent application PCT/EP2010/050546, filed on Jan. 18, 2010, which claims priority to foreign French patent application No. FR 09 50341, filed on Jan. 20, 2009, the disclosures of which are incorporated by reference in their entirety.
The present invention relates to a cryptography circuit protected against observation attacks. It applies notably for the protection of cryptography circuits against high-order observation attacks on installations based on masking.
The aims of cryptography are notably to protect:
Cryptography uses mathematical procedures, which have been demonstrated to lead to secure systems. For example, an encryption is presumed secure when it is proven that there do not exist, in the current state of the published knowledge, any procedures of attack significantly faster than exhaustive attack, corresponding to the trying of all the possible keys.
In general, encryption procedures involve complex computations, necessary for the security of systems. This complexity does not pose any particular problems to computers but is a serious drawback in the case of devices that do not have high computational power, generally driven by low-cost “8-bit” microprocessors. The consequences may be of several kinds, such as:
To alleviate this difficulty without increasing the price of systems, it is customary to append a system for aiding the central unit of the device used, in the form of a coprocessor dedicated to cryptography.
However, whether it be implemented by the central unit or by a specialized coprocessor, the cryptography algorithm is implemented by a physical device, currently of electronic type. These physical devices exhibit inevitable imperfections, related to properties inherent in the basic laws of electricity.
Thus, cryptography systems that are secure from the mathematical point of view may be attacked by exploiting the inherent imperfections of the physical systems implementing the algorithm, thus:
Any imperfection of a physical device implementing a cryptography algorithm and liable to leak information related to the secrets held in the memory of the device is called a hidden channel.
Protections against these attacks on the hidden channels have been proposed, on the basis notably:
These two techniques make it possible to increase the difficulty of attacks aimed at retrieving information, but they remain vulnerable, however, to attacks which would profit from implementational defects. There exist numerous examples of potential or substantiated vulnerabilities, for example:
An aim of the invention is notably to allow effective protection against high-order observation attacks. For this purpose, the subject of the invention is a cryptography circuit comprising at least one register R providing a variable x masked by a mask variable m, characterized in that, said masked variable being encrypted by a first substitution box S in a cyclic manner, said circuit comprises a mask register M delivering at each cycle a transformed mask mt equal to the mask m transformed by a modification function, this mask m being encrypted by a second substitution box S′, the new mask m′ obtained on output from this box S′ being used to mask the variable.
The new transformed mask m′t is for example introduced into the mask register M after having been subjected to the inverse modification on output from the second substitution box S′.
In a first possible mode of implementation, the modification may be a bijection B such that the transformed mask mt is stored in the register M, the mask m applied to the substitution box being equal to B(mt) and the new value to be stored in the register being B−1(m′), m′ being the output from the second substitution box S′ (21).
The bijection B is for example such that the Hamming weight of the mask m is not always identical to the Hamming weight of its image under the bijection B(m).
In a second possible mode of implementation, the modification of the mask m may be performed by decomposition into two sub-masks m1 and m2 such that m=m1θm2 where θ is a group composition law, the first sub-mask m1 being stored in a first mask register M1 and the second sub-mask m2 being stored in a second mask register M2, the new value to be stored in the register M1 being m′1=m′θ−1m′2 and the new value to be stored in the register M2 being m′2, m′ being the value of the mask on output from the second substitution box S′.
The composition law is for example the XOR “exclusive or” operation, the addition operation, the multiplication operation or else the operation of the type s=a*b+(a+b)/2, * being multiplication and + being addition.
The composition law is for example such that the Hamming distance between two consecutive sub-masks m2 from one cycle to another, Δm2, is non-zero.
The sub-masks m1, m2 having an even number of bits, the group composition law (α) making it possible to obtain the mask m on the basis of the sub-masks m1, m2 satisfies for example:
The circuit comprises for example a random-values generator, said generator delivering the value of the second sub-mask m′2.
This sub-mask m1 arising from the first mask register M1 may be saved in the second mask register M2 at the end of the cycle, the first register M1 receiving for its part the new mask m′1 so as to reconstruct the new complete mask m′=m′1θm′2.
The encipherment algorithm being of the DES type, the path of the data x, m being split into two parts, left and right, said circuit comprises for example in addition to the left mask register ML and the right mask register MR a third mask register M, the register MR containing the right sub-mask mr1 and the register ML containing the left sub-mask ml2, the register M containing the sub-mask mr2 equal to the sub-mask ml1, the effective values of the right mask mr and of the left mask ml being such that:
mr=mr1θmr2
ml=ml1θml2.
The second substitution box S′ comprises for example two boxes identical to the first substitution box S and two XOR gates, the outputs of the two boxes being connected to an XOR gate whose output delivers the new mask m′, the masked variable (x⊕m) entering a box and the other XOR gate whose other input receives the mask m, the output of this gate entering the other box.
A ROM memory carries out for example the logic of the XOR gates and the substitution of the boxes.
Other characteristics and advantages of the invention will become apparent with the aid of the description which follows offered in relation to appended drawings which represent:
FIGS. 1a and 1b, an illustration of the principle of masking of a substitution box;
FIGS. 11a, 11b and 11c, exemplary embodiments of a second substitution box used in a circuit according to the invention.
FIGS. 1a and 1b illustrate the principle of the masking of a substitution box 1, called generally an “S-box”, with a constant mask m. An S-box applies to a message a non-linear function the aim of which is notably to render the message entropic on output from the S-box.
In
FIG. 1b shows the masking of the S-box with a constant mask m. The technique of masking relies on the garbling, by a mask m, of the sensitive internal variables that depend on a secret. In the example of
This type of masking is particularly suitable for the protection of the DES (Data Encryption Standard) and AES (Advanced Encryption Standard) algorithms, where the linear operations are performed in a binary field. The mask may be applied to the internal variables which are generally vectors of bits, words, cryptographic functions. The masking at the level of a word renders it applicable both to software implementations and to hardware implementations. The realization of the masking is simple when the function ƒ where the masked variable is applied is linear as a function of the group law, i.e. ƒ(xθm)=ƒ(x)θƒ(m).
The value of ƒ(x) may be reconstructed on the basis of ƒ(xθm) and m. ƒ(x) is thus extracted right at the end of the algorithm so as to avoid a leakage of information emanating from the variable x. The computations on xθm and m being decorrelated from x, there are no direct leakages of secrets.
If the function ƒ is non-linear, the masking mechanism becomes more complex since ƒ(x) cannot be recreated mathematically on the basis of ƒ(xθm) and ƒ(m). In the symmetric encryption algorithms, the non-linear part corresponds to the substitution boxes or S-box, thus for example the S-box 1 of
Sm(x⊕m)=S(x)⊕m
S being the function of the S-box before masking.
Consequently, the size of the memory goes from 2^n for S to 2^(2n) for Sm, n being the number of bits of the mask.
This realization is not secure with a hardware installation where an iteration of the encryption algorithm is performed in a clock cycle. In this case, the transfers at the level of a register demask the data automatically. Indeed, considering by way of example the operator ⊕, a transfer may be described by the following relation:
x⊕m⊕S(x)⊕m=x⊕S(x)
The term x⊕m of this relation is the initial value on input to the S-box Sm, and the term S(x)⊕m is the final value on output from the S-box, the operator ⊕ between these two terms indicating the transition. The above relation shows indeed that the result of the transition x⊕S(x) is independent of the mask m.
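The two observations above, the 2^(2n)-entry masked table Sm and the register transfer x⊕m⊕S(x)⊕m=x⊕S(x) that cancels a constant mask, as an added example that is not part of the patent text. The 4-bit S-box is a constructed toy permutation, not one from DES or AES; the function and variable names are the example's own.

```python
# Added example (not from the patent): a 4-bit toy S-box, its masked variant
# Sm(x ^ m) = S(x) ^ m built as a 2^(2n)-entry table, and the register-transfer
# relation (x ^ m) ^ (S(x) ^ m) = x ^ S(x) that removes a constant mask.
from itertools import product

N_BITS = 4
SIZE = 1 << N_BITS

# Constructed 4-bit bijective S-box (toy permutation, not a standard one).
S = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
     0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(v):
    return bin(v).count("1")


def build_masked_sbox(sbox):
    """Table Sm indexed by (masked input, mask): Sm[(x^m, m)] = S(x)^m.
    It has 2^(2n) entries, versus 2^n for S itself."""
    table = {}
    for x, m in product(range(SIZE), repeat=2):
        table[(x ^ m, m)] = sbox[x] ^ m
    return table


def register_transition(sbox, x, m):
    """XOR between the register content before the S-box (x^m) and after it
    (S(x)^m); its Hamming weight is the CMOS activity seen on the register."""
    masked_in = x ^ m
    masked_out = sbox[x] ^ m
    return masked_in ^ masked_out


def transition_is_mask_independent(sbox):
    """True when, for every x, every mask m yields the same transition x^S(x):
    the mask cancels and the register activity depends on x alone."""
    for x in range(SIZE):
        seen = {register_transition(sbox, x, m) for m in range(SIZE)}
        if seen != {x ^ sbox[x]}:
            return False
    return True


def activity_by_input(sbox):
    """Hamming distance of the transition for each x: the quantity an observer
    can predict from a key hypothesis because it does not depend on m."""
    return [hamming_weight(x ^ sbox[x]) for x in range(SIZE)]
```

Running `transition_is_mask_independent(S)` returns True for any bijective S, which is exactly the weakness the text describes for a hardware round executed in one clock cycle: the register activity profile `activity_by_input(S)` is a function of x only, however the mask is chosen.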
The effectiveness afforded by the masking may be proved against first-order attacks, which consider only the internal variable x, as shown notably in the document by J. Blomer et al: Provably Secure Masking of AES, In LNCS, editor, Proceedings of SAC'04, volume 3357, pages 69-83, Springer, August 2004, Waterloo, Canada. The information leakages emanating from the masking circuit may, however, be subjected to a second-order attack, or indeed one of a much higher order.
A second-order attack considers two variables x1 and x2. For example if x1 and x2 are masked by the same mask, the second-order attack utilizes the fact that x1⊕x2=x1⊕m⊕x2⊕m.
Implementations have been studied to overcome high-order attacks, as shown notably in the document by M. Akkar et al: A generic protection against High-order differential Power Analysis, In LNCS, editor, Proceedings of FSE'03, volume 2887 of LNCS, Springer, 2003, Berlin, this document using constant masks. However, to obtain significant effectiveness a large increase in complexity is necessary. By way of example, it has been demonstrated that the DES algorithm requires at least three different masks and six extra S-boxes for each S-box in order to be resistant to high-order attacks by this procedure, as shown in the document by J. Lv et al, Enhanced DES implementation secure against differential power analysis in smart-cards, In Information Security and Privacy, 10th Australasian Conference, volume 3574 of LNCS, pages 195-206, Brisbane, July 2005, Springer Verlag.
In another known procedure, a new mask m is computed at each iteration. This procedure is notably described in the document by F-X. Standaert et al, FPGA Implementations of the DES and Triple-DES Masked Against Power Analysis Attack, In Proceedings of FPL 2006, August 2006, Madrid. The masked variable x⊕m of a register R is associated at each round with a new mask m arising from a register M. Thus at the end of a round, the variable x⊕m is transformed into S(x)⊕m′ where the new mask m′ is computed as a function of m and of x⊕m with the aid of a new S-box with function S′. This procedure offers a good complexity compromise since it associates only a single new S-box S′ with each existing S-box S.
This implementation remains, however, prone to second-order attacks as shown notably in the document by E. Peeters et al, Improved Higher-Order Side-Channel Attacks with FPGA Experiments, In CHES, volume 3659 of LNCS, pages 309-323, Springer-Verlag, 2005.
The loopbacks to the registers R and M are each done in a clock tick. For simplicity reasons, the representation of
The HO-DPA attack described in Peeters et al pertains to the variables x⊕m and m which arise from registers. The principle consists in studying the distributions of the activity at the output of registers for various values of the variable x. In CMOS logic, a model of activity denoted A may be the Hamming distance denoted DH between two consecutive words. In particular:
A(x⊕m,m)=DH(xi⊕mi,xi-1⊕mi-1)+DH(mi,mi-1) (1)
i.e.
A(x⊕m,m)=PH(Δx⊕Δm)+PH(Δm) (2)
PH corresponds to the Hamming weight and Δx to the Hamming distance between two consecutive words xi, xi-1 of the variable x.
If x and m have a single bit, the activity corresponds to 2·PH(Δm) if Δx=0.
If Δx=1, the activity corresponds to PH(Δ
The knowledge of the distributions of consumption for each Δx thus makes it possible to construct the HO-DPA attack by observing the consumption distributions and by comparing them with the predicted activity for an assumption regarding a key k included in the variable x.
If x and m are coded on 4 bits, the Hamming weight PH can take five values: 0, 1, 2, 3, 4. Therefore the activity A(x⊕m,m)=PH(Δx⊕Δm)+PH(Δm) can take nine values: 0, 1, 2, 3, 4, 5, 6, 7, 8.
To compare the effectiveness of various masking solutions, it is possible to use a metric quantity for comparing the distributions 31, 32, 33, 34, 35 which is inspired by a known test, the χ2 test, defined by the following relation:
where:
The reference distribution is considered to be the mean of the 16 distributions obtained for all the values of z when the mask is coded on 4 bits. The value of χ2 in this case makes it possible to judge the homogeneity of all the distributions. By way of reference, χ2 equals 21.89 for the distribution with a mask of 4 bits. This value must be as low as possible to avoid discriminations between the distributions 31, 32, 33, 34, that are liable to be exploited by HO-DPA attacks. Stated otherwise, this value of the χ2 must be as low as possible to guard against HO-DPA attacks.
The invention makes it possible to guard against such observation attacks, including those of high order, by reducing the discriminations, or the differences, between the various distributions of activity for one and the same mask. By way of example, a mask coded on 4 bits will be considered hereinafter.
In particular, referring for example to
The mask m′ on output from S-box S′ is that actually used by the masked variable.
m=m1θm2
θ realizing a group internal composition law, like the operator θ mentioned previously. θ being a group operator, it admits an inverse operator θ−1.
The register M of the previous figures is therefore replaced with two registers 231, 232. One register M1 contains the value m1 and one register M2 contains the value m2. The output of these registers is linked to a circuit 61 realizing the composition law θ. On output from this operator 61, the mask m is recomposed by the operation m=m1θm2 before being transformed into a new mask m′ by the S-box S′, 21 as in the previous paths illustrated notably in
The inverse operation θ−1 is performed by an operator 62 placed at the output of the S-box S′ 21. This operator makes it possible to separate the mask m′ into m′1 and m′2 such that m′1=m′θ−1m′2. The mask m′2 may be generated by a random generator RNG as illustrated in
The activity A at the level of the register R containing the masked variable x⊕m and of the two registers M1 and M2 therefore becomes:
A(x⊕m)=PH(Δx⊕Δm)+PH(Δm1)+PH(Δm2) (4)
Considering this activity model, the χ2 test is applied for various laws θ and the results are illustrated, by way of example, by the chart hereinbelow:
This chart shows that the simple operators like addition + and multiplication * may be used to obtain balanced distributions, the results obtained being respectively 0.31 and 0.36, thereby pushing back the attack to an extremely high number of consumption traces to be acquired in order to discriminate between the distributions. The transformation by bijection B makes it possible to obtain a result of 1.85.
Advantageously the law α, described subsequently, makes it possible to have a zero χ2 that is to say distributions that are perfectly identical in the sense of the activity model considered and therefore resistant to high-order attacks.
The distributions obtained with the XOR logical operator do not allow a sufficient reduction in the value of χ2 since they engender two large classes of distribution as a function of the parity of the Hamming weight of Δx, PH(Δx). If PH(Δx) is even, the activity always has even values, while if PH(Δx) is odd the activity always has odd values.
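The activity model of equations (2) and (4) and the χ2 comparison of the 16 per-Δx distributions, as an added example that is not part of the patent text; it serves both the single-mask discussion above (equation (2), χ2 of 21.89) and the split-mask comparison of laws θ (equation (4)). Two things are assumptions of this example rather than statements of the page: the exact χ2 relation, which the page does not reproduce, is taken here as the Pearson-style distance of each distribution to the mean distribution summed over Δx (this form gives about 21.94 for the single 4-bit mask, where the page reports 21.89), and the sub-mask model takes the two sub-masks of two consecutive rounds as four independent, uniform 4-bit values. The names `PH`, `LAWS`, `chi2_score` and `parity_classes` are the example's own.

```python
# Added example (not from the patent): register-activity distributions
#   single mask : A = PH(dx ^ dm) + PH(dm)                   (equation 2)
#   split mask  : A = PH(dx ^ dm) + PH(dm1) + PH(dm2)        (equation 4)
# over a 4-bit mask, and an assumed chi-squared style homogeneity score.
from collections import Counter
from itertools import product

N_BITS = 4
SIZE = 1 << N_BITS


def PH(v):
    """Hamming weight."""
    return bin(v).count("1")


def single_mask_distributions():
    """For each dx, histogram of A = PH(dx ^ dm) + PH(dm) over all dm
    (consecutive masks independent and uniform, so dm is uniform)."""
    return [Counter(PH(dx ^ dm) + PH(dm) for dm in range(SIZE))
            for dx in range(SIZE)]


# Group laws theta used to recompose m = m1 theta m2 (XOR and addition mod 2^n).
LAWS = {
    "xor": lambda a, b: a ^ b,
    "add": lambda a, b: (a + b) % SIZE,
}


def split_mask_distributions(law):
    """For each dx, histogram of A = PH(dx ^ dm) + PH(dm1) + PH(dm2), where
    m = law(m1, m2) and the sub-masks of both rounds are independent uniform
    (assumption of this example). dm is the XOR of the two recomposed masks,
    since the masked register R holds x ^ m."""
    # The joint (dm, dm1, dm2) counts do not depend on dx: tabulate them once.
    triples = Counter()
    for m1a, m2a, m1b, m2b in product(range(SIZE), repeat=4):
        dm = law(m1a, m2a) ^ law(m1b, m2b)
        triples[(dm, m1a ^ m1b, m2a ^ m2b)] += 1
    dists = []
    for dx in range(SIZE):
        hist = Counter()
        for (dm, dm1, dm2), n in triples.items():
            hist[PH(dx ^ dm) + PH(dm1) + PH(dm2)] += n
        dists.append(hist)
    return dists


def chi2_score(dists):
    """Assumed metric: sum over dx of sum_a (p_dx(a) - p_ref(a))^2 / p_ref(a),
    p_ref being the mean of the 16 distributions. Zero means all identical."""
    probs = [{a: n / sum(h.values()) for a, n in h.items()} for h in dists]
    support = set().union(*probs)
    ref = {a: sum(p.get(a, 0.0) for p in probs) / len(probs) for a in support}
    return sum((p.get(a, 0.0) - ref[a]) ** 2 / ref[a]
               for p in probs for a in support)


def parity_classes(dists):
    """Parities (0 even, 1 odd) of the activity values reached for each dx.
    A single parity per dx means the distributions split into two classes."""
    return [{a % 2 for a in h} for h in dists]


if __name__ == "__main__":
    print("single 4-bit mask :", round(chi2_score(single_mask_distributions()), 2))
    for name, law in LAWS.items():
        print("split, theta =", name, ":",
              round(chi2_score(split_mask_distributions(law)), 2))
```

With a single mask, Δx=0 gives only even activities (0, 2, 4, 6, 8) and Δx=1111 always gives activity 4, which is the discrimination HO-DPA exploits. Splitting the mask with XOR keeps every Δx inside one parity class, so the score stays high, whereas addition mixes both parities and brings the score far down, in line with the ordering of the chart the text describes.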
As regards the DES algorithm, the data path is split into two parts, left and right, as in any Feistel scheme. In particular, the masked-variables register 22 of the previous examples is split into two registers, a left register 221 and a right register 222.
As regards the masking part, in addition to the two mask registers 91, 92, one the right register MR and the other the left register ML, a third register 232, denoted M, is added so as to decompose the two masks, left and right. The implementation of the DES algorithm utilizes the solution set forth previously, in relation to
mr=mr1θmr2
ml=ml1θml2.
Operators 611, 612 carrying out the group relation θ are placed at the output of the registers MR, M, ML so as to perform the above two operations. The right mask mr is transformed by the S-box S′, 21 into a new right mask m′r, the other input of the S-box 21 being the masked variable xr⊕mr, thereafter encrypted, coming from the right register R 222. The new right mask m′r is combined with the mask ml to give m′r⊕ml on input to the operator 62 carrying out the operation θ−1. The latter combines m′r⊕ml with m′r2. In a manner analogous to the example of
The chart hereinbelow presents the masks used equally well in the mask registers 91, 92, 93, in the last three columns and in the masked-variables registers 221, 222, in the previous two columns, for three consecutive rounds:
This chart shows that the masks used in the mask registers as well as those used in the masked-variables registers are different and consequently make it possible to avoid notably an attack of the HO-DPA type.
An implementation of the function α making it possible to have balanced distributions, therefore a zero χ2, is illustrated by
This law relies on the fact that Δm2 is never zero. Indeed if the variation of m, Δm=Δm2=0, the group law θ implies that Δm1 is also equal to 0. In this case, the activity given by the previous equation (4) may be zero only if Δx is zero. As no other values of Δx for obtaining a zero activity exist, this shows that the activity will never be perfectly balanced for all values of Δx. On the other hand, if the value of Δm2 is non-zero, laws may exist which make it possible to satisfy the perfect balance of the activity distributions and thus to obtain χ2=0. With respect to the proof of impossibility of masking, such as envisaged notably in the document by G. Piret et al: Security Analysis of Higher-Order Boolean Masking Schemes for Block Ciphers, IET Information Security, 2(1):1-11, 2008, the invention provides a linking relation between the two masks m1 and m2, this not being taken into account in the document by G. Piret et al.
Considering by way of example the sub-masks per successive packets of 2 bits, the mask then having an even number of bits, which is often the case, the following law called α makes it possible to obtain a balanced distribution whatever the values of Δx. The 2-bit group formed of the high-order bit of the sub-mask m2, denoted m2MSB, and of the low-order bit, denoted m2LSB, conditions in the following manner the generation of the mask by the law α:
This law α is involutive and is implemented by the operator 61 on input to the S-box 21.
The circuit 100 uses a random generator 71 to produce the sub-mask m2. The random variable delivered by this generator 71 selects, in a coder 102 which receives as input m′2MSB and m′2LSB, either an incrementation or a decrementation on the register M2 which is Gray coded (or reflected binary code) so as to ensure the condition Δm′2=1. Starting from the mask m′ produced by the S-box 21, the operator 62 delivers a sub-mask m′1 whose high-order bit m′1MSB is equal to m′MSB⊕m2MSB, m′MSB being the high-order bit of m′ and m′2MSB taking the value 0 or 1 according to the random variable generated on input to the coder 102. The low-order bit m′1LSB is equal to m′MSB or to m′LSB⊕m′2LSB if the value of m′2MSB is respectively equal to 0 or to 1.
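The Gray-coded register M2 described above, stepped up or down by a random bit so that Δm′2=1 at every cycle, as an added example that is not part of the patent text. The random source is a seeded software PRNG (an assumption for reproducibility; the circuit uses a hardware random generator 71), and the names `to_gray`, `from_gray`, `step_gray` and `run_register` are the example's own.

```python
# Added example (not from the patent): a 4-bit Gray-coded sub-mask register
# incremented or decremented under control of a random bit, so that two
# consecutive values always differ in exactly one bit (dm2 = 1).
import random

N_BITS = 4
SIZE = 1 << N_BITS


def to_gray(b):
    """Binary -> reflected binary (Gray) code."""
    return b ^ (b >> 1)


def from_gray(g):
    """Gray -> binary: XOR-fold the bits from the top down."""
    b = 0
    while g:
        b ^= g
        g >>= 1
    return b


def step_gray(g, up):
    """Next register value: decode, add or subtract 1 modulo 2^n, re-encode.
    The cyclic Gray code also makes the wrap-around a single-bit change."""
    b = from_gray(g)
    b = (b + 1) % SIZE if up else (b - 1) % SIZE
    return to_gray(b)


def hamming_distance(a, b):
    return bin(a ^ b).count("1")


def run_register(steps, seed=1, start=0):
    """Simulate M2 for `steps` cycles with a seeded PRNG choosing up/down;
    return the Hamming distance dm2 observed at each cycle."""
    rng = random.Random(seed)
    g = to_gray(start)
    distances = []
    for _ in range(steps):
        nxt = step_gray(g, rng.getrandbits(1) == 1)
        distances.append(hamming_distance(g, nxt))
        g = nxt
    return distances


def binary_counter_distances():
    """For contrast: a plain binary up-counter flips up to n bits per step
    (0111 -> 1000 flips all four), so dm2 would not be constant."""
    return [hamming_distance(b, (b + 1) % SIZE) for b in range(SIZE)]
```

Every entry of `run_register(200)` is 1, whatever the random up/down choices, which is the Δm2≠0 condition the text identifies as necessary for perfectly balanced activity; a binary counter in the same place would yield Hamming distances between 1 and 4.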
FIGS. 11a, 11b and 11c present possible improvements for producing the substitution box S′, 21 which produces the new mask m′. The box S′ may be produced with a mixture of XOR gates and of ROM memories, according to several levels of robustness and complexity.
FIG. 11a presents a first solution using two boxes S, 1 and two XOR gates 111, 112 to reconstruct the non-masked information x and the new mask m′. Thus, x=m⊕x⊕m is obtained through the first gate 111, and the second gate 112 delivers the new mask m′ as output from the box S′ with m′=S(x⊕m)⊕S(x).
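The two-S-box construction of the box S′ just described, and the round it supports (the masked variable x⊕m becomes S(x)⊕m′ with a mask m′ refreshed at each round, as in the procedure recalled earlier), as an added example that is not part of the patent text. The 4-bit S-box is a constructed toy permutation, and the names `new_mask`, `masked_round`, `round_is_consistent` and `transition_depends_on_mask` are the example's own.

```python
# Added example (not from the patent): the mask-refreshing box
#   S'(x ^ m, m) = S(x ^ m) ^ S(x),  with x = (x ^ m) ^ m,
# built from two copies of S and two XOR gates, and its effect on the
# transition of the masked data register R.
from itertools import product

N_BITS = 4
SIZE = 1 << N_BITS

# Constructed 4-bit bijective S-box (toy permutation, not a standard one).
S = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
     0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def new_mask(sbox, masked_x, m):
    """Box S': the first XOR gate recovers x = (x^m)^m, the two S boxes give
    S(x^m) and S(x), the second XOR gate outputs m' = S(x^m) ^ S(x)."""
    x = masked_x ^ m
    return sbox[masked_x] ^ sbox[x]


def masked_round(sbox, masked_x, m):
    """One round: the data path applies the plain S-box to the masked value,
    the mask path computes m'. Returns (S(x)^m', m')."""
    m_new = new_mask(sbox, masked_x, m)
    return sbox[masked_x], m_new


def round_is_consistent(sbox):
    """Check S(x^m) == S(x) ^ m' for every (x, m): removing m' at the end of
    the computation gives back S(x)."""
    for x, m in product(range(SIZE), repeat=2):
        out, m_new = masked_round(sbox, x ^ m, m)
        if out ^ m_new != sbox[x]:
            return False
    return True


def transition_depends_on_mask(sbox):
    """With a refreshed mask the register transition (x^m) ^ (S(x)^m') varies
    with m, unlike the constant-mask case where it equals x^S(x). Returns how
    many values of x see at least two different transitions across masks."""
    count = 0
    for x in range(SIZE):
        seen = set()
        for m in range(SIZE):
            out, _ = masked_round(sbox, x ^ m, m)
            seen.add((x ^ m) ^ out)
        if len(seen) > 1:
            count += 1
    return count
```

For every x the transition set now covers several values, so the first-order register leakage of the constant-mask circuit disappears; the second-order leakage through the pair (x⊕m, m), which this scheme still exhibits, is what the activity model and the split-mask registers of the invention address.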
A second solution, illustrated by
FIG. 11c presents a third solution which may be applied for a spatial decomposition without random register 71. This solution uses a ROM memory 114 receiving three words x⊕m, m1 and m2. This memory integrates the logic and the function 115 that are carried out by the memory 113 of the solution of
Number | Date | Country | Kind |
---|---|---|---|
0950341 | Jan 2009 | FR | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2010/050546 | 1/18/2010 | WO | 00 | 8/3/2011 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2010/084106 | 7/29/2010 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
20040028224 | Liardet et al. | Feb 2004 | A1 |
20080260145 | Trichina | Oct 2008 | A1 |
Number | Date | Country |
---|---|---|
1398901 | Mar 2004 | EP |
1995906 | Nov 2008 | EP |
0161916 | Aug 2001 | WO |
Entry |
---|
P.C. Kocher: “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Proceedings of CRYPTO'96, vol. 1109 of LNCS, (1996), pp. 104-113. |
T. S. Messerges et al.: “Investigations of Power Analysis Attacks on Smartcards,” USENIX—Smartcard '99, pp. 151-162, May 10-11, 1999, Chicago, USA. |
S. Guilley et al.: “Differential Power Analysis Model and Some Results,” Proceedings of WCC/CARDIS, pp. 127-142, Aug. 2004, Toulouse, France. |
J. Blomer et al.: “Provably Secure Masking of AES,” Proceedings of SAC '04, vol. 3357, pp. 69-83, Springer, Aug. 2004, Waterloo, Canada. |
M. Akkar et al.: “A Generic Protection against High-Order Differential Power Analysis,” LNCS, Proceedings of FSE '03, vol. 2887 of LNCS, Springer, 2003, Berlin. |
J. Lv et al.: “Enhanced DES Implementation Secure Against High-Order Differential Power Analysis in Smartcards,” Information Security and Privacy, 10th Australasian Conference, vol. 3574 of LNCS, pp. 195-206, Brisbane, Jul. 2005, Springer-Verlag. |
F.-X. Standaert et al.: “FPGA Implementations of the DES and Triple-DES Masked Against Power Analysis Attack,” Proceedings of FPL 2006, Aug. 2006, Madrid. |
E. Peeters et al.: “Improved Higher-Order Side-Channel Attacks with FPGA Experiments,” CHES, vol. 3659 of LNCS, pp. 309-323, Springer-Verlag, 2005. |
G. Piret et al.: “Security analysis of higher-order Boolean masking schemes for block ciphers (with conditions of perfect masking)”, IET Information Security, 2008, vol. 2, No. 1, pp. 1-11. |
Houssem Maghrebi et al.: “Evaluation of Countermeasure Implementations Based on Boolean Masking to Thwart Side-Channel Attacks,” Signals, Circuits and Systems (SCS), 2009 3rd International Conference on, IEEE, Piscataway, NJ, USA, Nov. 6, 2009, pp. 1-6. |
C. Gebotys: “Third Order Differential Analysis and a Split Mask Countermeasure for Low Energy Embedded Processors,” Internet Citation, [Online] XP002455442, retrieved Oct. 18, 2007. |
L. Goubin et al.: “DES and Differential Power Analysis the Duplication Method,” Cryptographic Hardware and Embedded Systems. IST International Workshop, CHES '99. Worcester, MA, Aug. 12-13, 1999 Proceedings; [Lecture Notes in Computer Science], Berlin: Springer, DE, vol. 1717, Aug. 1, 1999, pp. 158-172. |
Number | Date | Country |
---|---|---|
20120250854 A1 | Oct 2012 | US |