TREA

Method for Protecting a Logic or Mathematical operator Installed in an Electronic Module with a Microprocessor, as well as the Associated Embarked Electronic Module and the System

Follow

Information

  • Patent Application
  • 20080016583
  • Publication Number
    20080016583
  • Date Filed
    December 20, 2001
    23 years ago
  • Date Published
    January 17, 2008
    17 years ago
Information
Abstract
The method for protecting a logic or mathematical operator of the NOR operator type, able to be used for executing a program in a microprocessor electronic module wherein the execution of the NOR operator is replaced by the execution (CAL-XORSEC(1) of a sequence Si operations having for final result a result identical to that of the XOR function.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

Other aims, advantages and characteristics of the invention shall appear on a reading of the following description of the implementation of the method of the invention applied to the protection of the XOR operator and an embodiment of an electronic module with a microprocessor according to the invention and given by way of non-restrictive example with reference to the accompanying drawings on which:



FIG. 1 shows a diagrammatic representation of an embodiment of an electronic module with a microprocessor and a protected XOR operator according to the invention, and



FIG. 2 shows a diagrammatic representation of the equivalent execution of the XOR operator implementing the method of the invention in the module of FIG. 1.





DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The monolithic electronic module 10 with a microprocessor shown on FIG. 1 according to the present invention and described by way of non-restrictive example generally comprises one microprocessor or central unit CPU 11 connected bidirectionally by an internal bus 12 to a live RAM memory 14, a dead ROM memory 16, an EEPROM memory 18 and an I/O input/output interface 20. The module 10 also comprises a Timer 22 with automatic resetting (in an optional variant) and a generator of pseudo-random numbers GNPA 24 connected to the internal bus 12.


Application programs are installed at ROM 16, such as applications of bank card transactions or medical card applications which for reasons of confidentiality and protection comprise encryption/decryption, operator authentication or transaction validation sub-program in which the XOR operator is frequently present, especially for carrying out comparisons octet by octet.


As regards execution of the XOR operator, this operator most commonly used generally forms part of the set of arithmetic instructions with two operands OP1 et OP2) of the central unit CPU or microprocessor 11.


In the embodiment described here, the means for implementing the method for protecting the XOR operator are mainly software items in the form of a protected XOR calculation routine (or XORSEC routine) diagrammatically shown on FIG. 2. Thus, on each call from the XOR instruction OP1, OP2) the program is rerouted with the two operands OP1 and OP2 towards the XORSEC routine which shall be executed in place of the XOR instruction, it being understood that the execution of the XORSEC routine carries out a function equivalent to that of the original XOR instruction.


According to the main characteristic of the invention, the execution of the XOR instruction is replaced in the XORSEC routine by the execution of a sequence of operations, namely of the type but not exclusively of operations with a degree of less complexity, such as elementary operations, whose final result is identical to the result of the function of the XOR operator (condition easily verified amongst others by identical outlet tables).


By way of non-restrictive examples, a set of eight sequences S1 to S8 equivalent to the XOR instruction is given below:

  • S1=(x OR y) AND NOT (x AND y)
  • S2=(x OR y) AND (NOT x OR NOT y)
  • S3=NOT (NOT x AND NOT y) AND NOT (x AND y)
  • S4=NOT (NOT x AND NOT y) AND (NOT x OR NOT y)
  • S5=NOT(NOT(x OR y) OR (x AND y))
  • S6=NOT ((NOT x AND NOT y) OR (x AND y))
  • S7=NOT ((NOT x AND NOT y) OR NOT (NOT x OR NOT y))
  • S8=NOT (NOT (x OR y) OR NOT (NOT x OR NOT y))


It shall be observed that all these sequences S1 to S8 are based on the use of at least two of three AND, NOT and OR logic elementary instructions and have the same truth table outlet as for the XOR instruction.


By using the traditional presentation of truth tables with two inlets x, y and one outlet s, it is possible to write for the XOR, AND and OR operators and for the sequence S5 (selected by way of non-restrictive example) the following four truth tables:














XOR
AND
OR















x
y
s(XOR)
x
y
s(AND)
x
y
s(OR)





0
0
0
0
0
0
0
0
0


0
1
1
0
1
0
0
1
1


1
0
1
1
0
0
1
0
1


1
1
0
1
1
1
1
1
1










and for S5=NOT(NOT(x OR y) OR (x AND y)) with A=(x OR y), B=NOT A, C=(x AND y) D=(NOT(x OR y) OR (x AND y)=B OR C, and s(S5)=E=NOT D


















x
y
A
B
C
D
E







0
0
0
1
0
1
0


0
1
1
0
0
0
1


1
0
1
0
0
0
1


1
1
1
0
1
1
0









It is thus verified that s(S5)=E is identical to s(XOR).


It shall be observed that the sequence automatically selected to replace the XOR operator is made up of five elementary operations whose signature shall be significantly different from the XOR operator. Thus, it is possible to embody the simplest variant for implementing the method of the invention.


According to one optional, but extremely advantageous, characteristic of the invention used in the embodiment described here, the sequence of replacement operations, namely the set ES constituted by the eight sequences S1 to S8 given above. Thus, the difficulty of identification of the XOR operator is further increased by the multiple changes of the sequence of operations replacing the XOR operator during execution of the program, the sequences S1 to S8 able to be used having all different signatures.


According to another optional characteristic of the invention, but also extremely advantageous, used in the embodiment described here, the order number NDO=i (i ranging from 1 to 8) in its entirety (S1 to S8) of the sequence S1 selected to be executed is determined according to certain parameters of the program currently being executed and/or of a random parameter. Advantageously, said random parameter is obtained from a pseudo-random numbers generator. This mechanism for scrambling sequences rendering random the sequence effectively selected to replace the XOR operator on each call proves to be extremely effective, especially in an encryption/decryption processing when the XOR operator is called several times in the program.


As shown on FIG. 2, the XORSEC routine comprises four main processing phases, namely in the order of execution:

  • a start or initialization phase IN-XORSEC with in particular the storing of the program counter values, and the operands OP1 and OP2,
  • a phase CAL-NDO for determining by calculation the order number NDO=i (i ranging from 1 to 8) of the sequence of operations Si to be executed to replace the instruction XOR with branching towards the corresponding sub-routine CAL-XORSEC(i) and present in the set CAL-XORSEC of eight sub-routines CAL-XORSEC(1) to CAL-XORSEC(8),
  • a phase CAL-XORSEC(i) for executing the sub-routine CAL-XORSEC(i) by logic calculation with the operands OP1 and OP2 of the sequence of operations Si selected by the phase CAL_NDO,
  • a phase OUT-XORSEC for return to the main program so as to resume its execution and transfer of the results of the CAL-XORSEC(i) equivalent to the calculation of an XOR between the two operands OP1 and OP2.


It shall be noted that for the phase CAL-NDO, the random generator GNPA 24 supplies on demand one random octet R used as a calculation parameter alone or with other parameters extracted from the values of the operands OP1 and OP2, the final result of the calculation being one octet F(R). By using for example an operation of the type NOD=i=F(R) AND 07 h, the three less significant bits are extracted from this octet so as to obtain the binary value of NOD=i (from 000 to 111 namely 00h to 07h), order number of the sequence Si to be executed. It is to be noted that the value of the order number is a sensitive data element of the algorithm in question.


Finally, the routine XORSEC exhibits a further improved variant as regards the difficulty of identification in which the series of replacement sequences is constituted by sequences with a given period of execution (and owing to this more difficult to distinguish). So as to achieve this, certain sequences comprise at least one non-operative instruction designed to introduce a delay time in the execution of the sequences concerned. In particular, the non-operative instruction is selected from non-operative instructions in relation to the microprocessor or from normally operative instructions but rendered ineffective via their positions in the sequence of operations.


If it is assumed that the elementary operations AND, OR and NOT have approximately equal periods of execution (for example 4 cycle times of the clock of the central unit CPU 11), as for the non-operative <<blank>> operation NOP, the set ES of the sequences S1 to S8 is modified into a new set of sequences made uniform to 9 operations ES′ being written by way of non-restrictive example as follows (and in which the added operations appear in thick type):

  • S′1=(x OR NOP y OR y) AND NOP NOT (x AND NOP y AND y)
  • S′2=(x OR y NOP OR y) AND NOP (NOT x OR NOP NOT y)
  • S′3=NOT (NOT x AND NOP NOT y) AND NOT (x AND y AND y)
  • S′4=NOT (NOT x AND NOP NOT y) AND (NOT x OR NOT y)
  • S′5=NOT(NOT(x NOP OR y OR y) OR (x NOP AND y AND y))
  • S′6=NOT ((NOT x AND NOT y NOP) OR (x AND y NOP AND y))
  • S′7=NOT ((NOT x AND NOT y) OR NOT (NOT x OR NOT y))
  • S′8=NOT (NOT (x OR y OR y) OR NOT (NOT x OR NOT y))


For example, for the sequence S′5:

  • S′5=NOT(NOT(x NOP OR y OR y) OR (x NOP AND y AND y)) with x′=x NOP, A=(x′ OR y), A′=A OR y , B=NOT A′, C=(x′ AND y), C′=C AND y, D=B OR C′


    and s(S′5)=E=NOT D


It is possible to write the truth table of the sequence S′5 which also verifies s(S′5)=s(XOR)












S′5
















x
y
x′
A
A′
B
C
C′
D
E





0
0
0
0
0
1
0
0
1
0


0
1
0
1
1
0
0
0
0
1


1
0
1
1
1
0
0
0
0
1


1
1
1
1
1
0
1
1
1
0









It shall be observed that for sequences with nine elementary operations, the machine time remains quite reasonable.


The invention is not limited to its application concerning the protection of logic operators, but is also applicable to protection of mathematical operators, such as one-digit adders, adders, subtractors or multipliers or functional circuits similar to logic or mathematical operators, such as combinatory circuits, especially multiplexers and/or demultiplexers, coders and/or decoders, generators and/or parity detectors or comparators.


For example, according to another application of the method of the invention, the operator to be protected is the mathematical operator of the <<multiplication by two>> obtained by shifting left one bit with resetting of the low order bit. In notation C ANSI, this operator is also denoted (x<<1).


Thus, on each call from the operator (x<<1), its execution shall be replaced by the execution of a sequence of operations selected from the following equivalent sequences:

  • S′′1=(x ADD x)
  • S′′2=(x AND FOh) ADD x ADD (x AND OFh)
  • S′′3=(NOT ((NOT x) ADD (NOT x))) SUB 1
  • S′′4=(y ADD x) SUB (y SUB x),


    in which the operator ADD is the standard addition operator on one octet, the instruction SUB is the standard subtraction operator on one octet and the suffix <<h>> indicates a hexadecimal value. Generally speaking, the choice of the equivalent sequence S′′i and its implementation are embodied similarly, sometimes identically, to what has been described in details as previously for the XOR operator.


It shall also be noted that, without departing from the context of the invention, the smart card accommodating the electronic module with a protected operator according to the invention can be replaced by any other embarked system.


One embodiment of the invention is shown below concerning its implementation using an electronic module. In the method for protecting a logic or mathematical operator, or a similar functional circuit able to be used in the execution of a program in the electronic module including a microprocessor and a memory, the execution of said operator by the microprocessor is replaced by the execution of a sequence of replacement operations whose final result is identical to that of the function of said operator, said result being stored in the memory. The electronic module with a protected operator and comprising at least one microprocessor and a memory storing a program to be executed comprising at least one logic or mathematical operator or similar functional circuit to be protected wherein it comprises means to replace execution of the operator with the aid of the microprocessor by the execution of a sequence of operations whose final result is identical to that of the function de the operator, said result being stored in the memory.

Claims
  • 1. Method for protecting a logic or mathematical operator or a similar functional circuit able to be used for executing a program in an electronic module with a processor, wherein the execution of said operator is replaced by a sequence of replacement operations whose or final result is identical to that of the function of said operator.
  • 2. Method according to claim 1, wherein said sequence of replacement operations is selected on each call from said operator from a set of equivalent sequences.
  • 3. Method according to claim 2, wherein the order number in said set of the selected sequence is determined according to certain parameters of the program being executed and/or a random parameter obtained from a pseudo-random number generator.
  • 4. Method according to claim 2, wherein certain sequences include at least one non-operative instruction intended for introducing a delay time in the execution of the sequences in question, said non-operative instruction being selected from non-operative instructions in relation to the microprocessor or from instructions which are normally operative but rendered ineffective via their positions in the in the sequence of operations.
  • 5. Method according to claim 2, wherein at least one sequence of replacement operations is made up of elementary logic operators.
  • 6. Method according to claim 5, wherein at least one sequence of replacement operations is made up of AND, OR and NOT elementary logic operators.
  • 7. Electronic module including at least one microprocessor and one program to be executed and including at least one logic or mathematical operator or similar functional circuit to be protected, wherein the module includes means for replacing the execution of said operator by the execution of a sequence of operations whose final result is identical to that of the function of said operator.
  • 8. Electronic module according to claim 7, wherein it includes means for selecting said sequence of operations on each call of said operator from a set of equivalent sequences.
  • 9. Electronic module according to claim 8, wherein it includes data processing means so as to determine the order number in said set of the selected sequence according to certain parameters of the program being executed and/or a random parameter generated by a pseudo-random numbers generator.
  • 10. Installed system, wherein it includes an electronic module according to claim 7.
PCT Information
Filing Document Filing Date Country Kind 371c Date
PCT/FR01/04124 12/20/2001 WO 00 8/1/2007