Method of counter-measuring against side-channel attacks

Abstract

According to the present invention there is provided a method of counter-measuring against side channel attacks, the method comprising executing a block-cipher algorithm to mask intermediate variables, wherein the block-cipher algorithm comprises one or more non-linear functions, characterized in that at least one of the non-linear functions is implemented using a match-in-place function.

Description

FIELD

The present invention concerns a method of counter-measuring against side-channel attacks for block-ciphers, and in particular, but not exclusively, to a method of counter-measuring which uses a match-in-place function.

DESCRIPTION OF RELATED ART

Many existing encryption algorithms in use today, such as the most widely used encryption algorithm ‘Advanced Encryption Standard (AES)’ are vulnerable to Differential Power Analysis (DPA). DPA is a side-channel attack that consists in first measuring a microprocessor's power consumption when executing a cryptographic algorithm and then performing statistical analysis in order to recover secret-keys used in the cryptographic algorithm for encryption. Once the secret-keys have been determined it is possible to decrypt encrypted information.

A microprocessor's electromagnetic emanations can also be measured and exploited to determine secret-keys used in a cryptographic algorithm for encryption.

A common technique to protect secret-key algorithms against DPA consists of masking every intermediate variable with a random mask. The masked data and the random mask are then processed separately and eventually recombined at the end of the algorithm. An attacker trying to analyze the power consumption of a microprocessor at a single point will obtain random values (random data values and random mask values); therefore, such masking will be secure against first-order DPA.

A masking counter-measure is characterized by the number of random masks used to protect a given sensitive variable; a masking with d random masks is called a d-th order masking. A d-th order masking can only be broken by a (d+1)^th order side-channel analysis, i.e. an attack that requires the processing of d+1 variables simultaneously. The number of executions required to break a counter-measure grows exponentially with the order d. Therefore, the order d is a good security criterion. However, in practice the most efficient counter-measures are of order d=1 only

It has been shown that a second-order DPA attacks to decrypt masked data is possible. Therefore, better counter-measures are needed in order to obtain fully secure encryption of data.

Further developments in counter-measures have been made; one of the most recent counter-measures against side-channel attacks is a counter-measure with order d=2.

For any masking counter-measure the main difficulty is to protect the non-linear parts of the algorithm; for Advanced Encryption Standard (AES) the non-linear parts of the algorithm are essentially SBOX functions. The technique used consists of iterating over the entire SBOX function for every SBOX look-up, using a comparison algorithm that is implemented as a subroutine. The comparison algorithm being called for every SBOX input, it is possible to show that the counter-measure can resist any second-order side-channel attack.

However such masking counter-measures are grossly inefficient as it requires many operations during execution and also utilises much of the microprocessors memory during execution.

It is an aim of the present invention to obviate, or mitigate, at least some of the afore-mentioned disadvantages.

SUMMARY

According to the invention, these aims are achieved by means of a method of counter-measuring against side channel attacks, the method comprising executing a block-cipher algorithm to mask intermediate variables, wherein the block-cipher algorithm comprises one or more non-linear functions, characterised in that at least one of the non-linear functions is implemented using a match-in-place function.

The method of the present invention makes use of a match-in-place function to improve the efficiency of the method. Using a match-in-place function reduces the number of operations which are required to provide an effective counter-measuring against side channel attacks. Furthermore, less memory is required to implement the method of the present invention compared to know methods.

The match-in-place function may be a bit-randomized match-in place function (MIP^I (data; adr,b)).

The bit-randomized match-in place function may be defined as:

${\mathrm{MIP}}^I\left(\mathrm{data};b\mathrm{if}\mathrm{read}\left(\mathrm{adr}\right)=\mathrm{adr},b\right)=\{\begin{array}{c}\mathrm{data}\\ b\mathrm{otherwise}\end{array}$ wherein adr is an address in a memory, data is a variable which can be stored at an address in a memory, and b is a value which is returned if the data variable is equal to actual data which is present at the address adr in memory; otherwise the complement of b is returned. b may be a bit value.

The following relationship may exist:MIP^I(data;adr;b)=MIP(data;adr)⊕b wherein b is the complement of b.

The at least one of the non-linear function may comprise a compare_b function, defined by:

${\mathrm{compare}}_b\left(x;y\right)b\mathrm{if}x=y=\{\begin{array}{c}b\mathrm{if}x\\ \ne y\end{array}$ wherein x is the first input variable of the compare_b function and y is the second input variable of the compare_b function, and b is a value which is returned if x is equal to y, such that the compare_b function can be implemented by: writing the variable x to an address adr in memory; executing the bit-randomized match-in place function defined as:

${\mathrm{MIP}}^I\left(y;\mathrm{adr},b\right)=b\mathrm{if}\mathrm{read}\left(\mathrm{adr}\right)=\{\begin{array}{c}y\\ b\mathrm{otherwise}\end{array}\mathrm{and},\mathrm{returning}{\mathrm{MIP}}^I\left(y;\mathrm{adr},b\right).$

The non-linear function may be comprised in a SubByte operation. The non-linear function may be comprised in a SubByte operation of an AES algorithm.

The block-cipher algorithm may further comprise one or more linear functions. At least one of the one or more linear functions may be masked by XORing variables of the function.

The block-cipher algorithm may be an Advanced Encryption Standard (AES) algorithm.

According to a further aspect of the present invention there is provided a computer readable medium comprising a computer program which is configured to implement a method according to any one of the afore mentioned methods.

According to a further aspect of the present invention there is provided a method of computing a second order masked Sbox function from a second order masked input, comprising the steps of:

$\left(i\right)b\leftarrow \mathrm{rand}\left(1\right)$ $\left(\mathrm{ii}\right)\mathrm{for}a=0\mathrm{to}{2}^n-1\mathrm{do}\left(a\right)\mathrm{write}\left(r_1\oplus a;\mathrm{adr}\right)$ $\left(b\right)\mathrm{cmp}\leftarrow {\mathrm{MIP}}^I\left(r_2;\mathrm{adr};b\right)$ $\left(c\right)R_{\mathrm{cmp}}\leftarrow \left(S\left(x\oplus a\right)\oplus s_1\right)\oplus s_2$

(iii) Return R_b

wherein, b is a variable which represents a random bit which indexes a register, and a is a variable which represents an index which defines the number of times steps (a)-(c) should be carried out, r₁, r₂ is a pair of input masks, x is a masked value wherein x=x⊕r₁⊕r₂⊕εFⁿ₂, and s₁, s₂ are a pair of output masks, and adr is a free memory address, cmp is a bit variable which indexes a register and is an output of the function MIP^I (r₂; adr; b), R_cmp is a register address of a register of a micro-processor. Typically, at least two registers R₀ and R₁ in the micro-processor are used (i.e. cmp can be 0 or 1; a first register R₀ is indexed/addressed if cmp=0, and a second register R₁ is indexed/addressed if cmp=1). R_b is a register address of a register of a micro-processor. Typically at least two registers R₀ and R₁ in the micro-processor are used (i.e. b can be 0 or 1; register R₀ is indexed/addressed if b=0, and register R₁ is indexed/addressed if b=1). MIP^I (r₂; adr; b) is a bit-randomized match-in place function defined as:

${\mathrm{MIP}}^I\left(\mathrm{data};b\mathrm{if}\mathrm{read}\left(\mathrm{adr}\right)=\mathrm{adr},b\right)=\{\begin{array}{c}\mathrm{data}\\ b\mathrm{otherwise}\end{array}$

According to a further aspect of the present invention there is provided a computer readable medium comprising a computer program which is configured to carry out the afore-mentioned method of computing a second order masked Sbox function.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood with the aid of the description of an embodiment given by way of example and illustrated by the figures, in which:

FIG. 1 shows Pseudo-code for AES encryption;

FIG. 2 shows Pseudo-code for AES decryption;

FIG. 3 shows a table comprising the number of memory transfers (pre-processing phase), number of XORs and memory transfers (main phase) and memory required for the original implementation of a compare_b function and the implementation of the compare_b function according to the present invention;

FIG. 4 shows a table comprising number of XORs, number of memory transfers and memory required for a full second Rivain-Dottax-Prouff (RDP2) algorithm implementation which uses the method of the present invention to implementation a compare_b function.

DETAILED DESCRIPTION OF POSSIBLE EMBODIMENTS

The use of the method of the present invention in an AES encryption algorithm will be described in detail. However, it should be understood that the method of the present invention is not limited to use with an AES encryption algorithm; the method of the present invention could be used in any block-cipher algorithm.

The AES Encryption Algorithm operates on a 4×4 array of bytes s_i,j, termed the ‘state’. For encryption, each subpart of the AES Encryption Algorithm (except a last subpart) comprises the following four stages:

• • 1. AddRoundKey: each byte of the state is xored with the round key
    • k_i,j, derived from the key schedule:s_i,j←s_i,j⊕k_i,j
  • 2. SubBytes: each byte of the state is updated using an 8-bit S-box function:s_i,j←S(s_i,j)
    • The S-box function is defined as:S(x)=Aff(Inv(x))
    • where Aff is an affine function over GF(2⁸) andInv(x)=x²⁵⁴
    • is the inverse function over GF(2⁸) (with 0→0)
  • 3. ShiftRows: the bytes of the state are cyclically shifted in each row
    • by a certain offset; the first row is left unchanged.
  • 4. MixColumns: the bytes of the state are modified column by column as follows:s^I_0,c←(02·s_0,c)⊕(03·s_1,c)⊕s_2,c⊕s_3,c s^I_1,c←s_0,c⊕(02·s_1,c)⊕(03·s_2,c)⊕s_3,c s^I_2,c←s_0,c⊕s_1,c⊕(02·s_2,c)⊕(03·s_3,c)s^I_3,c←903·s_0,c)⊕s_1,c⊕s_2,c⊕(02·s_3,c)

The pseudo-code for AES encryption with a 128-bit key is given in FIG. 1. The word array ‘w’ contains round keys (k_i,j) which are generated by a key-schedule algorithm.

For decryption, every round (except the last) comprises the following operations:

• • 1. InvShiftRows: is the inverse of the ShiftRows operation (stage 3 of encryption). The bytes of the state (a set of intermediate variables used in AES encryption, as defined in paragraph [0025]) are cyclically shifted in each row by a certain offset; the first row of bytes is left unchanged.
  • 2. InvSubBytes: is the inverse of the SubBytes operation (stage 2 of encryption). The inverse S-box (S⁻) is applied on each byte of the state, with:S⁻¹(x)=Inv(Aff⁻¹(x))
  • 3. AddRoundKey: the operation is equal to its own inverse.
  • 4. InvMixColumns: is the inverse of the MixColumns operation (stage 4 of the encryption). The bytes of the state are modified column by column as follows:s^I_0,c←(0e·s_0,c)⊕(0b·s_1,c)⊕(0d·s_2,c)⊕(09·s_3,c)s^I_1,c←(09·s_0,c)⊕(0e·s_1,c)⊕(0b·s_2,c)⊕(0d·s_3,c)s^I_2,c←(0d·s_0,c)⊕(09·s_1,c)⊕(0e·s_2,c)⊕(0b·s_3,c)s^I_3,c←(0b·s_0,c)⊕(0d·s_1,c)⊕(09·s_2,c)⊕(0e·s_3,c)The pseudo-code for the inverse cipher is given in FIG. 2.

Finally, the round key-schedule (k_i,j) is based on the following operations:

• • 1. SubWord: takes a four-byte input word and applies the S-box (S(x)) to each of the four bytes.
  • 2. RotWord: takes a word [a₀; a₁; a₂; a₃] as input and performs a cyclic permutation to return [a₁; a₂; a₃; a₀]
  • 3. Xor with Rcon: takes as input a 32-bits word and xor it with the round constant word array Rcon[i]=[(02)ⁱ⁻¹; 00; 00; 00], for round 1≦i≦10. We refer to [5] for a full description of the key-schedule.

As discussed in the introduction, the principle of the masking counter-measure is to mask every intermediate variable with one or more random masks. In case of the masking counter-measure with order d=2, two masks are used, which gives a total of three shares. More precisely, any state variable p (represented as a byte in AES) is shared into three shares (p₀; p₁; p₂) with:p=p₀⊕p₁⊕p₂ where the shares p₁ and p₂ are called the masks.

The three shares p₀, p₁ and p₂ must be processed in such a way that the previous relation is preserved throughout the execution of the encryption algorithm. Note that similarly every byte k of the round key must be shared into three shares (k₀; k₁; k₂) such that k=k₀⊕k₁⊕k₂.

The linear parts of the block-cipher are easy to process. A function f is said to be linear when the following holds:f(x⊕y)=f(x)⊕f(y)  Equation (1)

Then for such linear function when given as input the three shares (p₀; p₁; p₂) such that:p=p₀⊕p₁⊕p₂ it suffices to compute f(p₀), f(p₁) and f(p₂) separately and forming Equation (1) one obtains:f(p)=f(p₀)⊕f(p₁)⊕f(p₂)Therefore, the three output shares f(p₀), f(p₁) and f(p₂) are a valid sharing of the output f(p). For AES encryption, the AddRoundKey, ShiftRows and MixColumns operation are linear functions and can therefore be processed in this manner. However, the SubBytes operation (such as the S-box function in the case of AES) is non-linear and must be processed differently.

To process non-linear operations such as the S-box function in the case of AES an algorithm can be defined as follows:S:{0;1}ⁿ→{0;1}^m Note that for AES n=m=8. The algorithm preferably comprises a masked function compare_b defined as follows:

${\mathrm{compare}}_b\left(x;y\right)b\mathrm{if}x=y=\{\begin{array}{c}b\mathrm{if}x\\ \ne y\end{array}$ where the x and y are the input variables of the compare_b function.

Computation of a second-order masked S-box function from a second-order masked input may be carried out as follows:

• • Input: A masked value x=x⊕r₁⊕r₂εFⁿ₂, wherein r₁; r₂ is a pair of input masks, and s₁; s₂εF^m₂ is a pair of output masks.
  • Output: The masked S-box function output S(x)⊕s₁⊕s₂.
  • 1. b←rand(1)
  • 2. for a=0 to 2n−1 do
    • (a) cmp←compare_b (r₁⊕a; r₂)
    • (b) Rcmp←(S(x⊕a)⊕s₁)⊕s₂
  • 3. Return R_b

Wherein r₁⊕a; r₂ are input variables of the compare_b function, a=r₁⊕r₂ then cmp=compare_b (r₁⊕a, r₂)=compare_b (r₂; r₂)=b which gives R_b=(S(x⊕r₁⊕r₂) ⊕s₁)⊕s₂=S(x)⊕s₁⊕s₂ as required.

In this particular embodiment, care should be taken when implementing the compare_b function. Namely the compare_b (x; y) function preferably should not be implemented by computing x⊕y directly, since in the above algorithm this would amount to computing (r₁⊕r₂⊕a) which combined with x would give a second-order leakage.

The method implementing of the compare_b function to prevent any first order side-channel leakage on x⊕y will now be described:

Recall that the function compare_b is defined as:

${\mathrm{compare}}_b\left(x;y\right)b\mathrm{if}x=y=\{\begin{array}{c}b\mathrm{if}x\\ \ne y\end{array}$

The method of implementing requires a table T of 2ⁿ bits in RAM. The table T is pre-processed as follows:

• • 1. r₃←{0; 1}ⁿ
  • 2. For i=0 to 2ⁿ−1 do T[i]←b
  • 3. T[r₃]←bThis completes the pre-processing step.

At the end of this pre-processing step, the table T satisfies:

$b\mathrm{if}x=T\left[x\right]=\{\begin{array}{c}{r}_3\\ b\\ \mathrm{otherwise}\end{array}$ Then the compare_b function is implemented as:return T[(x⊕r₃)⊕y]In this case all intermediate variables in the computation are independent of x⊕y; this prevents any first-order side-channel leakage on x⊕y.

The above-mentioned implementation of the compare_b is known in the art. Disadvantageously, the above-mentioned implementation of the compare_b is inefficient; the compare_b algorithm requires 2ⁿ bits of RAM; in practice however it may be more convenient to use 2ⁿ bytes of RAM since otherwise bit-access techniques must be used which might be cumbersome to implement securely. Pre-processing requires 2ⁿ+1 memory transfers; such pre-processing must be done before every call to the RDP2 algorithm. Every call to compare_b then requires two XOR operations and one memory transfer. For AES with n=8, the compare_b function therefore requires 256 bytes of RAM and 257 memory transfers during pre-processing. In total, the RDP2 algorithm then requires 6·2ⁿ XOR operations, 3·2ⁿ+1 memory transfers and the generation of n+1 random bits.

The method according to the present invention is based on a different implementation of the compare_b function, and in particular an implementation which uses match-in-place function.

Any processor has the usual instructions data←read(adr) and write(data; adr) that read and write some data at some address adr in memory. In match-in-place technology the processor has an additional function MIP(data; adr) that works as follows:

$\mathrm{MIP}\left(\mathrm{data};\mathrm{adr}\right)1\mathrm{if}\mathrm{read}\left(\mathrm{adr}\right)==\{\begin{array}{c}\mathrm{data}\\ 0\mathrm{otherwise}\end{array}$

In other words, data is matched at the memory location adr and the value at address adr never leaves the memory.

In the present invention there is provided additional function MIP^I which is a bit-randomized version of the MIP function, defined as follows:

${\mathrm{MIP}}^I\left(\mathrm{data};b\mathrm{if}\mathrm{read}\left(\mathrm{adr}\right)==\mathrm{adr},b\right)=\{\begin{array}{c}\mathrm{data}\\ b\mathrm{otherwise}\end{array}$

Preferably there exists the following relationship:MIP^I(data;adr;b)=MIP(data;adr)⊕b

Using the MIP^I function, the compare_b function can be simply implemented as follows, where adr is a free address in memory.

• • compare_b (x; y):
    • 1. Write (x; adr)
    • 2. Return MIP^I (y; adr; b)Once x has been written at address adr in memory, the MIP^I(y; adr; b) function returns b if x=y and b otherwise, as required by the compare_b function.

Using the MIP^I function the computation of a second-order masked S-box function from a second-order masked input becomes as follows:

• • Input: A masked value x=x⊕r₁⊕r₂⊕εFⁿ₂, a pair of output masks s₁; s₂εFⁿ2, a free memory address adr.
  • Output: The masked S-box function output S(x)⊕s₁⊕s₂
    • 1. b←rand(1)
    • 2. for a=0 to 2ⁿ−1 do
      • (a) write (r₁⊕a; adr)
      • (b) cmp←MIP^I (r₂; adr; b)
      • (c) Rcmp←(S(x⊕a)⊕s₁)⊕s₂
    • 3. Return R_b

The implementation of the compare_b function based on the MIP^I function, satisfies the same property as the original compare_b function implementation; namely all intermediate variables are independent of x⊕y.

Note that the randomized function MIP^I(y; adr; b) is preferable. If the function MIP(y; adr) is used instead (by first computing MIP(y; adr) and then returning MIP(y; adr) ⊕b) then the implementation would be insecure, as the intermediate variable MIP(y; adr) is not independent from x⊕y.

FIG. 3 shows a table which compares the efficiency of the original implementation of compare_b function and the implementation of the compare_b function according to the present invention (i.e. using the MIP^I function). It is clear that fewer operations and less RAM is required to implement the compare_b function according to the present invention.

FIG. 4 shows a table which compares the efficiency of a masking algorithm originally implemented and a masking algorithm implemented according to the present invention (i.e. using the MIP^I function). For AES with n=8, the present invention requires 1 byte of RAM (instead of 2n), 1024 XORs (instead of 1536) and 512 memory transfers (instead of 769). If XORs and memory transfers have the same cost, the present invention variant is 33% faster the original implementation. Thus, for the same level of security, the present invention provides a faster counter-measure which requires less RAM.

Various modifications and variations to the described embodiments of the invention will be apparent to those skilled in the art without departing from the scope of the invention as defined in the appended claims. Although the invention has been described in connection with specific preferred embodiments, it should be understood that the invention as claimed should not be unduly limited to such specific embodiment.

Claims

1. A method of counter-measuring against side channel attacks, the method comprising executing a block-cipher algorithm on a processor to mask intermediate variables, wherein the block-cipher algorithm comprises one or more non-linear functions, such that at least one of the non-linear functions is implemented using the processor executing a match-in-place function.

2. The method according to claim 1 wherein, the match-in-place function is a bit-randomized match-in place function (MIPI(data; adr,b)).

3. The method according to claim 2 wherein, the bit-randomized match-in place function is defined as:

4. The method according to claim 3 wherein MIPI (data; adr; b)=MIP (data; adr)⊕ b wherein b is the complement of b.

5. The method according to claim 2 wherein, the at least one of the non-linear function comprises a compareb function, defined by:

6. The method according to claim 1 wherein, the non-linear function is comprised in a SubByte operation.

7. The method according to claim 1 wherein, the block-cipher algorithm further comprises one or more linear functions, wherein at least one of the one or more linear functions are encrypted by XORing the variables of the function.

8. The method according to claim 1 wherein, the block-cipher algorithm is an Advanced Encryption Standard (AES) algorithm.

9. A non-transitory computer readable medium comprising a computer program which is configured to implement a method of counter-measuring against side channel attacks, the method comprising executing a block-cipher algorithm to mask intermediate variables, wherein the block-cipher algorithm comprises one or more non-linear functions, characterised in that at least one of the non-linear functions is implemented using a match-in-place function.

10. A cipher apparatus operatively arranged to execute, with a computer comprising processor configured to execute a computer program including a block-cipher algorithm to mask intermediate variables, wherein the block-cipher algorithm comprises one or more nonlinear functions, at least one of the non-linear functions being implemented using a match-in-place function of the processor.

11. A method of counter-measuring against side channel attacks, the method comprising using a computer to execute a computer program including a block-cipher algorithm to mask intermediate variables, wherein the block-cipher algorithm comprises one or more non-linear functions, at least one of the non-linear functions being implemented using a processor having a match-in-place function, further comprising computing a second order masked Sbox function from a second order masked input, by the steps of: (i) b←rand(1)(ii) for a=0 to 2n−1 do (a) write (r1⊕a; adr)(b) cmp←MIP1 (r2; adr; b)(c) Rcmp←(S({tilde over (x)}⊕a)⊕s1)⊕s2 (iii) Return Rb.

12. A method of counter-measuring against side channel attacks, the method comprising using a computer to execute a computer program including a block-cipher algorithm to mask intermediate variables, wherein the block-cipher algorithm comprises one or more non-linear functions, characterised in that at least one of the non-linear functions is implemented using a match-in-place function defined as:

13. The method of claim 12, wherein MIPI (data; adr; b)=MIP(data; adr)⊕ b wherein b is the complement of b.