Cryptographic computation using masking to prevent differential power analysis and other attacks
First Claim
1. A method for performing a cryptographic operation with resistance to external monitoring attacks, where said cryptographic operation includes performing a substitution operation using a predefined substitution table, said method comprising:
(a) obtaining a representation of a predefined substitution table specifying a corresponding table value for each of a plurality of possible table index values;
(b) using random information, transforming said representation of said predefined substitution table into a new randomized representation of said substitution table;
(c) receiving a datum to be cryptographically processed;
(d) computing a blinded representation of a table index value from at least said datum;
(e) using said new randomized representation of said table, performing a substitution on said blinded table index value to derive a blinded representation of the table value corresponding to an unblinded version of said table index value in step (d); and
(f) using said blinded table value to compute a cryptographic result for use in securing a cryptographic protocol.
Abstract
Methods and apparatuses are disclosed for improving DES and other cryptographic protocols against external monitoring attacks by reducing the amount (and signal-to-noise ratio) of useful information leaked during processing. An improved DES implementation of the invention instead uses two 56-bit keys (K1 and K2) and two 64-bit plaintext messages (M1 and M2), each associated with a permutation (i.e., K1P, K2P and M1P, M2P) such that K1P{K1} XOR K2P{K2} equals the “standard” DES key K, and M1P{M1} XOR M2P{M2} equals the “standard” message. During operation of the device, the tables are preferably periodically updated, by introducing fresh entropy into the tables faster than information leaks out, so that attackers will not be able to obtain the table contents by analysis of measurements. The technique is implementable in cryptographic smartcards, tamper resistant chips, and secure processing systems of all kinds.
10 Claims
1. (Independent claim, set out in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6.)
7. A method for performing a cryptographic operation involving a substitution operation using a predefined substitution table, comprising:
(a) obtaining random information;
(b) using said random information, producing a randomized representation of said table;
(c) receiving a datum to be cryptographically processed;
(d) applying said randomized representation of said table to a table input derived from at least said datum to produce a substitution result randomized by said random information;
(e) using said randomized substitution result, deriving a cryptographic result, where said cryptographic result is independent of said random information; and
(f) using said cryptographic result as part of securing a cryptographic protocol.
8. A device for performing a cryptographic operation, where said cryptographic operation involves a key and an input message and includes a substitution operation with a predefined substitution table, comprising:
(a) a source of random data;
(b) table randomization logic configured to use an output from said source of random data;
(c) a memory for storing a randomized representation of a predefined substitution table;
(d) table input parameter computation logic, configured to produce a table input parameter from at least a portion of an input message and said output from said source of random data;
(e) first cryptographic computation logic configured to perform substitution operations on said table input parameter using said randomized representation of said predefined substitution table in said memory;
(f) second cryptographic logic, configured to use said first cryptographic computation logic to compute a cryptographic result, where said cryptographic result depends solely on said key and said input message and is independent of said output from said source of random data.
Dependent claims: 9, 10.
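The masked table lookup that claims 1, 7 and 8 describe, as an added example that is not the patent's own code: the S-box is held only in a randomized representation M[x ^ r_in] = S[x] ^ r_out (step (b)), the index arrives blinded (step (d)), the looked-up value comes out blinded by r_out (step (e)), and the table is refreshed with fresh entropy as the abstract describes. The class and function names, the use of DES S1 as the sample table and its flat row*16+column indexing are choices of this example; the permutation-based splitting of the key and message from the abstract is not modelled.

```python
import secrets

# DES S-box S1 (FIPS 46-3), 64 entries flattened row by row and indexed here
# directly by row*16 + column; the DES b1b6 / b2..b5 bit ordering is not modelled.
DES_S1 = [
    14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
    0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
    4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
    15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,
]


class MaskedTable:
    """Randomized representation of a table T: masked[x ^ r_in] == T[x] ^ r_out.

    r_in blinds the index and r_out blinds the value, so a lookup never touches
    the true index or the true table entry (claim 1, steps (b) to (e)).
    """

    def __init__(self, table, out_bits, rng=secrets.randbits):
        self.in_bits = (len(table) - 1).bit_length()
        self.out_bits, self.rng = out_bits, rng
        self.masked, self.r_in, self.r_out = list(table), 0, 0  # identity masks
        self.refresh()

    def refresh(self):
        """Step (b): re-randomize with fresh entropy. Works from the current masked
        table, so the plain table never has to be reconstructed to refresh."""
        new_in, new_out = self.rng(self.in_bits), self.rng(self.out_bits)
        old, self.masked = self.masked, [0] * len(self.masked)
        for i, v in enumerate(old):
            # old[i] == T[i ^ r_in] ^ r_out; move it to its new blinded index
            self.masked[i ^ self.r_in ^ new_in] = v ^ self.r_out ^ new_out
        self.r_in, self.r_out = new_in, new_out

    def lookup(self, blinded_x, x_mask):
        """Steps (d), (e): input is x ^ x_mask. The two masks are combined first
        and then applied, so x itself is never formed. Returns (T[x] ^ r_out, r_out)."""
        delta = x_mask ^ self.r_in
        return self.masked[blinded_x ^ delta], self.r_out


def substitute(mt, x, rng=secrets.randbits):
    """Flow for one datum x: blind, look up, unblind (step (f)). The result is
    T[x] whatever randomness was drawn (claim 7, step (e))."""
    x_mask = rng(mt.in_bits)
    blinded_y, y_mask = mt.lookup(x ^ x_mask, x_mask)
    return blinded_y ^ y_mask
```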