Method of executing a cryptographic protocol between two electronic entities

US 20010012360A1
Filed: 01/30/2001
Published: 08/09/2001
Est. Priority Date: 01/31/2000
Status: Active Grant

First Claim

Patent Images

1. Method of generating a cryptographic protocol between a first electronic entity (A) and a second electronic entity (B) subject to attack, according to which any message (M) is generated, on the basis of which a chain of operations is carried by the said second entity resulting in the generation of a resultant or response message (R), the said response being compared with the result of another similar processing applied to the said message and carried out by the said first entity, characterised in that, at least in certain stages of the said chain of operations, the said second entity carries out either an operation of a chosen type (O₁, O₂, O₃. . . O_n) or the same operation complemented ({overscore (O)}₁, {overscore (O)}₂, {overscore (O)}₃. . . O_n), the choice depending on a random decision and in that the said response is constituted by the result of the last operation of the said chain, possibly complemented.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Perfected cryptographic protocol making it possible to counter attacks based on the analysis of the current consumption during the execution of a DES or similar.

According to the invention, a message (M) is processed by two entities (A and B) and the entity (B) subject to attack executes a chain of operations known as DES in which it is chosen to carry out a given operation (O₁, O₂, O₃. . . O_n)

or the same operation complemented ({overscore (O)}₁, {overscore (O)}₂, {overscore (O)}₃. . . {overscore (O)}_n), the choice being random.

Citations

13 Claims

1. Method of generating a cryptographic protocol between a first electronic entity (A) and a second electronic entity (B) subject to attack, according to which any message (M) is generated, on the basis of which a chain of operations is carried by the said second entity resulting in the generation of a resultant or response message (R), the said response being compared with the result of another similar processing applied to the said message and carried out by the said first entity, characterised in that, at least in certain stages of the said chain of operations, the said second entity carries out either an operation of a chosen type (O₁, O₂, O₃. . . O_n) or the same operation complemented ({overscore (O)}₁, {overscore (O)}₂, {overscore (O)}₃. . . O_n), the choice depending on a random decision and in that the said response is constituted by the result of the last operation of the said chain, possibly complemented.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. Method according to claim 1, characterised in that an operation capable of being complemented is the operation known as the exclusive OR.
  - 3. Method according to claim 1 or 2, characterised in that an operation capable of being complemented is a known operation of permutation of the bits of the said message or of an intermediate result obtained on carrying out the said chain of operations.
  - 4. Method according to one of claims 1 to 3, characterised in that an operation capable of being complemented is the operation known as indexed access to a table.
  - 5. Method according to one of claims 1 to 4, characterised in that an operation capable of being complemented is a stable operation with respect to the application of the exclusive OR function.
  - 6. Method according to claim 5, characterised in that an operation capable of being complemented is the transfer of the said message or of an intermediate result obtained whilst carrying out an operation of the said chain, from one location to another of a storage space.
  - 7. Method according to one of the preceding claims, characterised in that consists in using the said message or an intermediate result resulting from the execution of a preceding operation of the said chain, in applying a new operation of the said chain to it, or this same operation complemented, depending on the state of a random parameter (S′
    - _a) associated with this new operation, in updating a complementing counter (C_c) and in taking into account the state of this counter at the end of the execution of the said chain of operations in order to decide on the final configuration of the said response.
  - 8. Method according to one of claims 1 to 6, characterised in that consists in using the said message, or an intermediate result of the execution of a preceding operation of the said chain, in applying to it a new operation of the said chain or this same operation complemented, depending on the state of a random parameter (S′
    - _a) associated with this new operation and in transmitting, from operation to operation, information forming part of the said intermediate results, necessary for the final configuration of the said response.
  - 9. Method according to one of claims 1 to 6, characterised in that there is defined in the said second entity two chains of operations (Ch₁, Ch₂) for the processing of the said message, one of the chains consisting of a series of data operations and the other chain consisting of a series of the same operations complemented and a final complementing (C) and in that it is decided randomly to execute one of the two chains of operations on each reception of a said message
  - 10. Method according to one of the preceding claims, characterised in that, whilst the said series of operations is being carried out, there is computed the difference (d) between the number of times when the operations have been carried out in a normal fashion and the number of times when they have been carried out with complementing and in that the hazard (S′
    - _a) is eliminated on the decision to carry out operations in a normal or complemented manner, in order to execute a certain number of subsequent operations, when the said difference exceeds a predetermined value, in the mode (normal or complemented) least used up to that point in view of reducing the said difference sufficiently.
  - 11. Method according to one of the preceding claims, characterised in that the complementing is carried out byte by byte.
  - 12. Method according to one of claims 1 to 10, characterised in that the complementing is carried out bit by bit.
  - 13. Method according to one of the preceding claims, characterised in that, when several consecutive operations of the said chain are commutative, the order of their execution is permuted in a random manner.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oberthur Card Systems, S.A. (Advent International Corporation)
Original Assignee
Oberthur Card Systems, S.A. (Advent International Corporation)
Inventors
Akkar, Mehdi-Laurent, Dischamp, Paul

Granted Patent

US 8,612,761 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/29
CPC Class Codes

G06F 2207/7223   Randomisation as countermea...

G06F 7/00   Methods or arrangements for...

G06K 19/07363   by preventing analysis of t...

H04L 2209/08   Randomization, e.g. dummy o...

H04L 9/003   for power analysis, e.g. di...

H04L 9/0625   with splitting of the data ...

Method of executing a cryptographic protocol between two electronic entities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method of executing a cryptographic protocol between two electronic entities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links