Method for Protecting IC Cards Against Power Analysis Attacks

Information

  • Patent Application
  • 20080019507
  • Publication Number
    20080019507
  • Date Filed
    June 29, 2007
  • Date Published
    January 24, 2008
Abstract
A method for protecting data against power analysis attacks includes at least a first phase of executing a cryptographic operation that enciphers data into corresponding enciphered data through a secret key. The method includes at least a second phase of executing an additional cryptographic operation that enciphers additional data into corresponding enciphered additional data. The execution of the first and second phases is indistinguishable by power analysis attacks on the data. Secret parameters are randomly generated and processed by the at least one second phase; they include an additional secret key ERK for enciphering the additional data into the corresponding enciphered additional data.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

Further characteristics and advantages of the method according to the present invention will be apparent from the following description of an embodiment thereof, made with reference to the annexed drawings, given for illustrative and non-limiting purposes.



FIG. 1 schematically shows in a block diagram a method for protecting data comprising a sequence of operations intended to encipher plain texts into corresponding enciphered texts according to the prior art.



FIG. 2 schematically shows in a block diagram a method for protecting data comprising a sequence of operations intended to encipher plain texts into corresponding enciphered texts according to the present invention.



FIG. 3 schematically shows method steps for protecting data according to the present invention.





DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

With reference to FIG. 2, a method for protecting data against power analysis attacks is schematically shown in a block diagram, globally indicated with reference numeral 20. More particularly, the method comprises a sequence of cryptographic operations OP intended to encipher one or more plain texts M1, . . . , MN into corresponding enciphered texts C1, . . . , CN. As schematically shown, the sequence of cryptographic operations OP enciphers the plain texts M1, . . . , MN through a secret key ESK.


The plain texts M1, . . . , MN are stored, for example, in a memory unit of an IC card together with at least one secret key ESK used for their encryption. The secret key ESK is not known outside the IC card and is the target of external attacks: whoever recovers ESK can decipher the enciphered texts C1, . . . , CN back into the plain texts M1, . . . , MN.


The cryptographic operations OP intended to encipher the one or more plain texts M1, . . . , MN into the corresponding enciphered texts C1, . . . , CN are interleaved with additional cryptographic operations AOP. More particularly, such additional cryptographic operations AOP process a plurality of randomly generated secret parameters, such as one or more random plain texts RB.


One or more operations on the random plain texts RB are inserted into the cryptographic algorithm, for example between the cryptographic operations OP that encipher the plain texts M1, . . . , MN.


The plurality of secret parameters also comprises random secret keys ERK, randomly generated and used to encipher the one or more random plain texts RB. More particularly, a cryptographic operation OP enciphering a plain text M1, . . . , MN with the secret key ESK is interleaved with an additional cryptographic operation AOP enciphering a random plain text RB with a random secret key ERK.


The additional cryptographic operation AOP on a random plain text RB behaves in the same way as a cryptographic operation OP on a plain text M, for example by requiring a similar execution time. The additional cryptographic operation AOP produces a garbage output that the cryptographic algorithm ignores for the actual ciphering of the data.


In this way, an attacker is forced into an additional series of analyses of the power consumption of the additional cryptographic operations AOP, and the mean time needed to recover the secret key ESK can be increased arbitrarily. In fact, the attack must analyze not only the cryptographic operations OP using the secret key ESK but also the additional cryptographic operations AOP based on the random secret key ERK. More particularly, the random plain texts RB may be scattered among the blocks of the original plain text M.


Again with reference to FIG. 2, two consecutive additional cryptographic operations AOP are inserted between two cryptographic operations OP intended to encipher the plain texts M1 and M2 through the secret key ESK. The plain texts M1 and M2 are enciphered into the corresponding enciphered texts C1 and C2, while a pair of random plain texts RB1 and RB2 are enciphered into corresponding garbage outputs GO through the additional cryptographic operations AOP.


The first additional cryptographic operation AOP encrypts the randomly generated plain text RB1 through a secret key ERK that is also randomly generated. The corresponding output is marked as garbage output GO since it does not correspond to any of the plain texts M1, . . . , MN to be enciphered.


The second additional cryptographic operation AOP encrypts the randomly generated plain text RB2 through the same secret key ERK. Also in this case the corresponding output is marked as garbage output GO, since it corresponds neither to any of the plain texts M1, . . . , MN nor to a valid cryptographic operation.


None of the cryptographic operations executed on the randomly generated plain texts RB influences the final output of the cryptographic algorithm. More particularly, the outputs of these additional cryptographic operations AOP are stored in one or more garbage areas, for example in a portion of the memory unit of the IC card, and are not used by the subsequent operations, whether cryptographic operations OP or additional cryptographic operations AOP.


Advantageously, the number and the placement of additional cryptographic operations AOP between cryptographic operations OP need not be predetermined but may be managed at random. For example, depending on the use requirements, a specific maximum number of additional cryptographic operations AOP is associated with the cryptographic algorithm.


With reference to FIG. 3, a pseudo-code representing the method according to the present invention is shown. The whole ciphering algorithm is represented as a sequence of steps. More particularly, an initialization step sets:

$$n_1^v = \mathrm{SizeOf}(M) / \mathrm{mbs}$$

where $n_1^v$ is the number of remaining cryptographic operations OP at the first iteration, M is the plain text and mbs is the block size in bytes, i.e. the minimum size of M that a single operation processes. For instance, mbs is 8 bytes for DES and Triple DES and 16 bytes for AES.


The initialization step also sets $n_1^f$, the number of remaining additional cryptographic operations AOP at the first iteration. For example, $n_1^f$ is a random integer drawn with uniform distribution from {0, 1, 2, . . . , N}. The parameter N is fixed and chosen to balance the performance and the security of the cryptographic algorithm.


For example, N is in the interval $[n_1^v, 2 n_1^v]$. The initialization step also generates a random plain text RB such that:

$$\mathrm{SizeOf}(RB) = n_1^f \cdot \mathrm{mbs}$$


A random key KRAN is also generated during the initialization step, so that:

$$\mathrm{SizeOf}(KRAN) = \mathrm{SizeOf}(KSEC)$$

where KSEC denotes the secret key (ESK in FIG. 2) and KRAN the random secret key (ERK in FIG. 2).


A plurality of iterations follows the initialization step. The i-th iteration is such that

$$1 \le i \le n_1^v + n_1^f, \quad\text{and}$$

$$P(n_i^v) = \frac{n_i^v}{n_i^v + n_i^f} \le 1$$

where $P(n_i^v)$ is the probability of executing a cryptographic operation OP at the i-th iteration. Similarly,

$$P(n_i^f) = \frac{n_i^f}{n_i^v + n_i^f} \le 1$$

where $P(n_i^f)$ is the probability of executing an additional cryptographic operation AOP at the i-th iteration, with $P(n_i^v) + P(n_i^f) = 1$ since exactly one of the two kinds of operation is executed at each iteration.


At the i-th iteration the next operation is chosen between the remaining $n_i^v$ cryptographic operations OP and the remaining $n_i^f$ additional cryptographic operations AOP using the probabilities defined above. If the next operation is a cryptographic operation OP, it is executed with the valid parameters, namely the secret key ESK and the next block of the plain text M. After the i-th step, $n_{i+1}^v$ is set so that

$$n_{i+1}^v = n_i^v - 1$$

and the next step is executed.


Otherwise, if the next operation is an additional cryptographic operation AOP, it is executed with the corresponding random parameters, namely the next random plain text block $RB_i$ and the random secret key KRAN. After the i-th step, $n_{i+1}^f$ is set so that

$$n_{i+1}^f = n_i^f - 1$$

and the next step is executed.


Advantageously, the probability function P defined at the i-th iteration converges. In fact:

$$P(n_i^v) \le 1, \quad P(n_i^f) \le 1, \quad\text{and}\quad P(n_i^v) + P(n_i^f) = 1$$

for each i with $1 \le i \le n_1^v + n_1^f$.


More particularly, for each i with $1 < i \le n_1^v + n_1^f$,

$$n_i^v + n_i^f < n_{i-1}^v + n_{i-1}^f$$

since exactly one operation, OP or AOP, is consumed at every iteration, so the number of remaining operations decreases by one at each step.


If, at the (i−1)-th iteration, a cryptographic operation OP is chosen then:

$$n_i^v + n_i^f = (n_{i-1}^v - 1) + n_{i-1}^f,$$

$$P(n_i^v) < P(n_{i-1}^v), \quad\text{and}\quad P(n_i^f) > P(n_{i-1}^f)$$

(strictly as long as $n_{i-1}^f > 0$: with $a = n_{i-1}^v$ and $s = n_{i-1}^v + n_{i-1}^f$, one has $(a-1)/(s-1) < a/s$ whenever $0 < a < s$).


If, at the (i−1)-th iteration, an additional cryptographic operation AOP is chosen then:

$$n_i^v + n_i^f = n_{i-1}^v + (n_{i-1}^f - 1),$$

$$P(n_i^v) > P(n_{i-1}^v), \quad\text{and}\quad P(n_i^f) < P(n_{i-1}^f)$$

(strictly as long as $n_{i-1}^v > 0$, by the same argument with the roles of OP and AOP exchanged).


At the last iteration, $i = n_1^v + n_1^f$, either

$$n_i^v = 1,\; n_i^f = 0 \quad\text{with}\quad P(n_i^v) = 1,\; P(n_i^f) = 0;$$

or

$$n_i^v = 0,\; n_i^f = 1 \quad\text{with}\quad P(n_i^v) = 0,\; P(n_i^f) = 1.$$
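The initialization and iteration steps above, together with the convergence argument that follows them, as an added worked example in Python (not code from the patent or from any card implementation). The block encryption is a keyed-hash stand-in, labelled as such in the code, because the scheme only needs a fixed-size keyed block function; the function names, the 64-byte sample message, the sample key ESK and the seeded generator are all constructed for this example, and a real card would draw its randomness from a hardware RNG:

```python
"""Randomly interleaved real (OP) and dummy (AOP) block encryptions, FIG. 3 scheme."""
import hashlib
import random
from typing import Callable, Dict, List, Tuple

# A block operation takes (key, block) and returns one enciphered block.
BlockOp = Callable[[bytes, bytes], bytes]


def stand_in_block_op(key: bytes, block: bytes) -> bytes:
    """Stand-in for the card's DES/AES block encryption (assumption of this
    example: any keyed, fixed-size block function will do). This hash-based
    stand-in is NOT a cipher (not invertible); it only keeps the example
    dependency-free. Replace with a real block encryption in practice."""
    return hashlib.sha256(key + block).digest()[: len(block)]


def plain_ecb(block_op: BlockOp, key: bytes, message: bytes, mbs: int) -> bytes:
    """Reference: the prior-art FIG. 1 sequence, one OP per mbs-byte block."""
    return b"".join(block_op(key, message[i:i + mbs])
                    for i in range(0, len(message), mbs))


def interleaved_ecb(block_op: BlockOp, esk: bytes, message: bytes, mbs: int,
                    n_max: int, rng: random.Random) -> Tuple[bytes, bytes, List[str]]:
    """Encipher `message` under ESK while interleaving AOPs on random data.

    Returns (ciphertext, garbage_area, trace); trace lists "OP"/"AOP" in the
    order executed. n_max is the page's N, chosen by the caller in [n1v, 2*n1v].
    """
    if len(message) % mbs:
        raise ValueError("message must be a whole number of mbs-byte blocks")
    # --- initialization step ---
    n1v = len(message) // mbs              # remaining real operations OP
    n1f = rng.randrange(n_max + 1)         # uniform in {0, 1, ..., N}
    rb = rng.randbytes(n1f * mbs)          # random plain text RB, SizeOf = n1f*mbs
    kran = rng.randbytes(len(esk))         # random key, SizeOf(KRAN) = SizeOf(KSEC)
    niv, nif = n1v, n1f
    real_out: List[bytes] = []
    garbage: List[bytes] = []              # garbage area: written, never read back
    trace: List[str] = []
    # --- iterations i = 1 .. n1v + n1f ---
    while niv + nif > 0:
        # P(niv) = niv / (niv + nif): a uniform draw below niv+nif lands
        # under niv with exactly that probability
        if rng.randrange(niv + nif) < niv:
            j = n1v - niv                  # next unprocessed block of M
            real_out.append(block_op(esk, message[j * mbs:(j + 1) * mbs]))
            niv -= 1
            trace.append("OP")
        else:
            j = n1f - nif                  # next random block RB_j
            garbage.append(block_op(kran, rb[j * mbs:(j + 1) * mbs]))
            nif -= 1
            trace.append("AOP")
    return b"".join(real_out), b"".join(garbage), trace


def selection_probabilities(trace: List[str]) -> List[Tuple[float, float]]:
    """Replay a trace and return (P(niv), P(nif)) at each iteration i.

    Illustrates the convergence argument: the pair sums to 1 at every step
    and the last pair is (1, 0) or (0, 1)."""
    niv, nif = trace.count("OP"), trace.count("AOP")
    probs = []
    for op in trace:
        total = niv + nif
        probs.append((niv / total, nif / total))
        if op == "OP":
            niv -= 1
        else:
            nif -= 1
    return probs


def run_demo(seed: int) -> Dict[str, object]:
    """Constructed input: 64-byte message, 16-byte key, AES-size blocks."""
    rng = random.Random(seed)   # seeded only so the demo is repeatable;
                                # a card would use its hardware TRNG instead
    mbs = 16
    esk = bytes(range(16))      # constructed secret key ESK
    message = bytes(range(64))  # constructed plain text M, so n1v = 4
    n1v = len(message) // mbs
    ct, garbage, trace = interleaved_ecb(stand_in_block_op, esk, message, mbs,
                                         n_max=2 * n1v, rng=rng)
    return {
        "ciphertext_matches_plain_ecb":
            ct == plain_ecb(stand_in_block_op, esk, message, mbs),
        "n1v": n1v,
        "n1f": trace.count("AOP"),
        "total_ops": len(trace),
        "garbage_bytes": len(garbage),
        "probabilities": selection_probabilities(trace),
    }
```

The checks a practitioner wants are the ones `run_demo` reports: the ciphertext is bit-for-bit the plain ECB result however many AOPs ran, the garbage area holds exactly $n_1^f \cdot$ mbs bytes that nothing reads back, and the probability pairs sum to 1 at every step and end at (1, 0) or (0, 1). Note that this is a hiding countermeasure in time: it randomizes when the real operations occur but not how much each of them leaks, so an attacker who can re-align traces, or who can tell OP from AOP in a trace (for instance through the writes to the garbage area), regains the original attack effort; the implementation must therefore keep the OP and AOP code paths and memory accesses identical.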


Advantageously, the overall processing time T is a random variable depending on how many additional cryptographic operations AOP are included in the whole ciphering algorithm. If t is the computational time required by a single operation (the same for OP and AOP, by construction), T lies in the interval

$$T \in [\,t \cdot n_1^v,\; t \cdot (n_1^v + n_1^f)\,]$$

and, since $n_1^f$ is drawn with uniform distribution from {0, 1, . . . , N}, T is uniformly distributed over the values $t \cdot n_1^v, \ldots, t \cdot (n_1^v + N)$.


Advantageously, the method not only prevents a power analysis attack on the IC card from associating a power consumption trace with the corresponding cryptographic operation of the algorithm, but also misleads such an attack by introducing the additional cryptographic operations AOP. These additional cryptographic operations AOP sidetrack the attacker at the cost of a small loss of performance, and provide a countermeasure that makes SPA, DPA and timing attacks more difficult to carry out.


Advantageously, the order of cryptographic operations OP and additional cryptographic operations AOP is unpredictable and is balanced against the required performance of the cryptographic algorithm.

Claims
  • 1. Method for protecting data against power analysis attacks comprising at least a first phase of executing a cryptographic operation (OP) for ciphering said data into corresponding enciphered data through a secret key (ESK), characterized by comprising at least a second phase of executing an additional cryptographic operation (AOP) for ciphering additional data into corresponding enciphered additional data through an additional secret key (ERK), said additional data and said additional secret key (ERK) being randomly generated so that an execution of said first phase and second phase is indistinguishable by said power analysis attacks.
  • 2. Method for protecting data according to claim 1 characterized by the fact that said additional data comprises one or more random plain texts (RB).
  • 3. Method for protecting data according to claim 1 characterized by the fact that said additional cryptographic operation (AOP) enciphers said one or more random plain texts (RB) through said additional secret keys (ERK) into said corresponding enciphered additional data.
  • 4. Method for protecting data according to claim 1 characterized by the fact that said at least second phase of executing said additional cryptographic operation (AOP) generates a garbage output (GO) ignored by said first phase of executing said cryptographic operation (OP).
  • 5. Method for protecting data according to claim 1 characterized by the fact that said at least second phase of executing said additional cryptographic operations (AOP) is randomly executed between a couple of said at least first phase of executing said cryptographic operations (OP).
  • 6. Method for protecting data according to claim 1 characterized by the fact of setting a maximum number of execution of said at least second phase.
  • 7. Method for protecting data according to claim 1 characterized by the fact of storing said data in a memory unit of an IC card.
  • 8. IC Card comprising a secret key (ESK) for protecting data against power analysis attacks by executing at least a cryptographic operation (OP) enciphering said data into corresponding enciphered data, characterized by comprising means for generating additional data and additional secret keys (ERK) in order to execute an additional cryptographic operation (AOP) enciphering said additional data into corresponding enciphered additional data, said cryptographic operation (OP) and said additional cryptographic operation (AOP) being indistinguishable by said power analysis attacks.
Priority Claims (1)
Number       Date      Country   Kind
06013441.8   Jun 2006  EP        regional