Balanced cryptographic computational method and apparatus for leak minimization in smartcards and other cryptosystems
Abstract
Cryptographic devices that leak information about their secrets through externally monitorable characteristics (such as electromagnetic radiation and power consumption) may be vulnerable to attack, and previously-known methods that could address such leaking are inappropriate for smartcards and many other cryptographic applications. Methods and apparatuses are disclosed for performing computations in which the representation of data, the number of system state transitions at each computational step, and the Hamming weights of all operands are independent of computation inputs, intermediate values, or results. Exemplary embodiments implemented using conventional (leaky) hardware elements (such as electronic components, logic gates, etc.) as well as software executing on conventional (leaky) microprocessors are described. Smartcards and other tamper-resistant devices of the invention provide greatly improved resistance to cryptographic attacks involving external monitoring.
34 Claims
1. A method for using a secret key to cryptographically process a message, comprising:
(a) receiving a message to be cryptographically processed;
(b) in a hardware device, cryptographically processing said message by performing a plurality of cryptographic suboperations thereon, each said suboperation:
(i) taking an input, via at least one intermediate, to an output, (ii) including a number of computational state transformations, said number being independent of said message and of said key, and (iii) characterized such that the Hamming weights of said message, said intermediate, and said output are independent of said message and of said key; and
(c) outputting said cryptographically processed message;
whereby external monitoring of said hardware device does not reveal useful information about said secret key.
Dependent claims: 33
2. A method for performing a balanced cryptographic operation on input data, comprising:
(a) representing said input data using a constant Hamming weight representation; and
(b) using a secret key, manipulating said input data to produce output data by performing a balanced cryptographic operation thereon;
thereby cryptographically processing said input data in a manner resistant to detection of said secret key by external monitoring of a hardware device performing said cryptographic operation.
Dependent claims: 3, 4
5. A method for performing a balanced cryptographic operation on input data, comprising:
(a) representing said input data using a first constant Hamming weight representation;
(b) manipulating said input data to produce intermediate data in said first constant Hamming weight representation;
(c) converting said intermediate data from said first constant Hamming weight representation to a second constant Hamming weight representation; and
(d) manipulating said intermediate data to produce output data according to said cryptographic operation;
thereby cryptographically processing said input data in a manner resistant to detection of said secret key by external monitoring of a hardware device performing said cryptographic operation.
6. A balanced cryptographic processing device comprising:
(a) a secret key;
(b) an input interface for receiving data;
(c) a conversion unit to convert said data into a constant Hamming weight representation; and
(d) a processor configured to perform a cryptographic operation on said data by using said secret key while preserving said constant Hamming weight representation.
7. A method for performing a balanced cryptographic operation using secret data, comprising:
(a) performing a plurality of suboperations using said secret data and an operand; and
(b) for each of said plurality of suboperations, simultaneously performing corresponding suboperations using (i) said operand and the complement of said secret data, (ii) said secret data and the complement of said operand, and (iii) the complement of said secret data and the complement of said operand;
thereby cryptographically processing said operand and said secret data in a manner resistant to detection of said secret data by external monitoring of a hardware device performing said cryptographic operation.
8. A method for performing a balanced computational process comprising:
(a) receiving a first and a second input variable, each input variable having N bits;
(b) creating a value of a first intermediate variable having 2N bits, each of a first half of said 2N bits being equal to a corresponding bit of said first input variable, each of a second half of said 2N bits being equal to the complement of a corresponding bit of said first input variable;
(c) creating a value of a second intermediate variable having 2N bits, each of a first half of said 2N bits corresponding to a bit of said second input variable, each of a second half of said 2N bits being equal to a corresponding bit of said first half of said 2N bits;
(d) creating a value of a third intermediate having 2N bits, each bit being the result of a bitwise logical operation on a corresponding bit of said first intermediate variable and a corresponding bit of said second intermediate variable; and
(e) extracting a result of said computational process from said third intermediate variable;
thereby cryptographically processing said input variables in a manner resistant to detection by external monitoring of a hardware device performing said computational process.
Dependent claims: 9, 10
11. A balanced cryptographic processing device comprising:
(a) an input interface for receiving a first and a second input variable to be used as inputs to a computation, each input variable represented by at least a first bit and a second bit, where said representation has a constant Hamming weight;
(b) a first computational unit for performing a bitwise logical operation on said first bit of said first input variable and said first bit of said second input variable;
(c) a second computational unit for performing said bitwise logical operation on said first bit of said first input variable and said second bit of said second input variable;
(d) a third computational unit for performing said bitwise logical operation on said second bit of said first input variable and said first bit of said second input variable; and
(e) a fourth computational unit for performing said bitwise logical operation on said second bit of said first input variable and said second bit of said second input variable;
thereby cryptographically processing said input variables in a manner resistant to detection by external monitoring of a hardware device performing said operations.
Dependent claims: 12, 13, 14, 34
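The four-unit arrangement of claims 7 and 11, modelled in software as an added example (not code from the patent; the function names and the exhaustive 4-bit sweep are assumptions made for illustration). Each operand is held as a value/complement pair and the bitwise operation is applied to all four pairings, so the combined Hamming weight of the outputs is the same for every input, while the unprotected operation's weight varies with the data.

```python
import operator
from itertools import product

def hw(x):
    """Hamming weight: number of set bits in x."""
    return bin(x).count("1")

def encode(x, n):
    """Constant-Hamming-weight form of an n-bit value: (x, complement of x).
    Across both rails exactly n bits are set, whatever x is."""
    mask = (1 << n) - 1
    return x & mask, ~x & mask

def balanced_op(a, b, op, n):
    """Apply `op` to all four rail pairings (a,b), (a,~b), (~a,b), (~a,~b).
    The first element is the real result; the other three only balance it."""
    mask = (1 << n) - 1
    a0, a1 = encode(a, n)
    b0, b1 = encode(b, n)
    return tuple(op(x, y) & mask
                 for x, y in ((a0, b0), (a0, b1), (a1, b0), (a1, b1)))

def weight_profile(op, n=4):
    """Distinct total Hamming weights seen over every (a, b) input pair,
    for the unprotected operation and for the four-unit balanced one."""
    naive, balanced = set(), set()
    for a, b in product(range(1 << n), repeat=2):
        naive.add(hw(op(a, b)))
        balanced.add(sum(hw(u) for u in balanced_op(a, b, op, n)))
    return naive, balanced

if __name__ == "__main__":
    for name, op in (("AND", operator.and_), ("OR", operator.or_),
                     ("XOR", operator.xor)):
        naive, balanced = weight_profile(op)
        print(f"{name}: unprotected weights {sorted(naive)}, "
              f"balanced weights {sorted(balanced)}")
```

This models only the Hamming-weight property; the abstract also requires that the number of state transitions at each step be independent of the inputs, which a software model of weights alone does not check.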
15. An electronic circuit configured to perform a computation on input data represented in a balanced Hamming weight format, said computation comprising:
(a) receiving said input data through an input interface;
(b) producing from said input data an intermediate variable represented in said balanced Hamming weight format;
(c) deriving a result from said intermediate variable; and
(d) transmitting at least a portion of said result to a receiving circuit.
16. A method for reducing the amount of information available for detection through monitoring of the power consumption of a device during a digital cryptographic computation comprising:
(a) receiving input data represented by a plurality of sets of data bits in a representation format wherein:
(i) each data bit can have one of two values, (ii) each set of data bits includes at least two data bits;
(iii) the value of each set of data bits can be encoded as at least two functionally-equivalent combinations of values of said data bits;
(b) processing said input data through a series of substeps, wherein (i) said substeps combine said input data to compute intermediate data represented in said format, and (ii) by balancing at least one characteristic of said computation, the amount of power consumed at each substep is made not detectably correlated to the value of said intermediate data; and
(c) producing an output result from said intermediate data.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24
25. A method for converting a definition of a computational device capable of performing cryptographic operations using a secret key into a definition of a digital circuit, comprising:
(a) receiving a machine-readable definition of said computational device;
(b) using a processor to compile at least a portion of a process for said operation by (i) converting said process into a sequence including a plurality of logic operations, and (ii) converting said plurality of logic operations into a plurality of operations for which the power consumption is balanced;
(c) writing an output file representing said plurality of balanced logic operations; and
(d) transmitting said output file to a third party for fabrication into said digital circuit.
Dependent claims: 26, 27, 28
29. A method for converting a definition of a computational process into a definition of software whose power consumption is balanced, comprising the steps of:
(a) receiving a machine-readable definition of said computational process;
(b) using a processor to compile at least a portion of said process by (i) converting said process into a sequence of operations including a plurality of logic operations, and (ii) converting said plurality of logic operations into a plurality of operations for which the power consumption is balanced; and
(c) writing an output file representing said plurality of balanced logic operations expressed as a sequence of executable instructions.
Dependent claims: 30
31. A cryptographic processing device for securely performing a cryptographic processing operation in a manner resistant to the discovery of a secret by external monitoring, comprising:
(a) an input interface for receiving a quantity to be cryptographically processed and for converting said quantity into an expanded balanced representation; and
(b) a processing circuit operatively connected to said input interface and including:
(i) a plurality of main logic subunits configured to compute the result of said cryptographic processing operation; and
(ii) a plurality of additional logic subunits of composition similar to said main logic units which operate simultaneously with said main logic units to balance the power consumption of the computation performed by said main logic units; and
(c) an output interface operatively connected to said processing circuit for outputting said result of said cryptographic processing operation.
Dependent claims: 32