Method to protect a cryptographic assembly by homographic masking
First Claim
1. A method to protect an assembly having a processor and a memory, the method comprising:
- operating the processor of the assembly according to instructions stored in the memory to cause the processor to perform the steps;
- performing a cryptographic calculation process that uses a homographic function f of the type
f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0, and f(−d/c) = a/c,
by operating on masked variables, wherein, for any k, if x is an input and y = f(x+k) is an output of the function f, to pass directly from a masked value x+m_i (additive masking of type XOR) to a masked value y+m_j using a composition of
- several transformations F_i and G_j wherein i ≧ 1 and j > 1, each transformation F_i and G_j operating on the set K′ = K ∪ {∞}, wherein K = GF(2^k), each transformation F_i(z) and G_j(z) being defined as (az+b)/(cz+d) when (cz+d) is not equal to 0, F_i(−d/c) = G_j(−d/c) = ∞, and F_i(∞) = G_j(∞) = a/c; and
- the exchange of two points.
Abstract
This invention relates to a method to protect an assembly implementing a cryptographic calculation process which uses a homographic function f of the type
f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0, and f(−d/c) = a/c,
the function f operating on masked variables, wherein, for any k, if x is an input and y = f(x+k) is an output of the function f, to pass directly from a masked value x+m_i (additive masking of type XOR) to a masked value y+m_j, the method comprises performing this operation using a composition of several transformations operating on GF(2^k) with the point at infinity adjoined, each defined as (ax+b)/(cx+d), and of transformations which exchange two points.
18 Claims
1. (Independent claim; text as given under First Claim above. Dependent claims: 2 to 9.)
10. Electronic system including storage means comprising:
- a calculation process means to process a cryptographic calculation process which uses a homographic function f of the type
f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0, and f(−d/c) = a/c,
by operating on masked variables, wherein the function f includes means, for any k, if x is an input and y = f(x+k) is an output of the function f, to pass directly from a masked value x+m_i (additive masking of type XOR) to a masked value y+m_j, to perform this operation using a composition of
- several transformations F_i and G_j wherein i ≧ 1 and j ≧ 1, each transformation F_i and G_j operating on the set K′ = K ∪ {∞}, wherein K = GF(2^k), each transformation F_i(z) and G_j(z) being defined as (az+b)/(cz+d) when (cz+d) is not equal to 0, F_i(−d/c) = G_j(−d/c) = ∞, and F_i(∞) = G_j(∞) = a/c; and
- the exchange of two points.
Dependent claim: 11.
12. A program storage medium readable by a computer, comprising a program of instructions executable by the computer to perform method steps to process a cryptographic calculation process which uses a homographic function f of the type
f(z) = (az+b)/(cz+d) when (cz+d) is not equal to 0, and f(−d/c) = a/c,
by operating on masked variables, wherein the function f includes means, for any k, if x is an input and y = f(x+k) is an output of the function f, to pass directly from a masked value x+m_i (additive masking of type XOR) to a masked value y+m_j, to perform this operation using a composition of
- several transformations F_i and G_j wherein i ≧ 1 and j ≧ 1, each transformation F_i and G_j operating on the set K′ = K ∪ {∞}, wherein K = GF(2^k), each transformation F_i(z) and G_j(z) being defined as (az+b)/(cz+d) when (cz+d) is not equal to 0, F_i(−d/c) = G_j(−d/c) = ∞, and F_i(∞) = G_j(∞) = a/c; and
- the exchange of two points.
Dependent claims: 13 to 17.
18. A method to protect an assembly having a processor and a memory, the method performing a cryptographic calculation process, comprising:
- defining a set of transformations F_i(z) and G_j(z) operating on the set K′ = K ∪ {∞}, wherein K = GF(2^k), and wherein each transformation F_i(z) and G_j(z) has the form (az+b)/(cz+d) when (cz+d) is not equal to 0, F_i(−d/c) = G_j(−d/c) = ∞, and F_i(∞) = G_j(∞) = a/c;
wherein the cryptographic calculation process includes operating the processor of the assembly according to instructions stored in the memory to cause the processor to perform the steps;
- computing a function Inv defined as a composition of a plurality of transformations F_i(z) and G_j(z), i = 1 to n, by performing the composition
Inv = F_1 ∘ … ∘ F_n ∘ E[u,v] ∘ G_1 ∘ … ∘ G_n,
wherein E[u,v](x) = x if x is equal to neither u nor v, E[u,v](u) = v, E[u,v](v) = u; and wherein u = G_1(… G_n(0)) and v = G_1(… G_n(∞)).
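Worked example, added here and not code from the patent or its assignee: a Python model of the masked inversion of claims 1 and 18. It assumes K = GF(2^8) with the AES reduction polynomial (the claims fix no particular k or polynomial), represents each homography as a 2×2 matrix over K acting on K′ = K ∪ {∞}, and picks the chains G_1…G_n and F_2…F_n as random invertible homographies, solving for F_1 so that the whole product equals the target map z ↦ 1/(z + k + m_i) + m_j. Because the translations that strip the input mask, add k and apply the output mask are absorbed into that product, the value x+k is never computed explicitly. The pole of the target is z = k + m_i (the point where x+k = 0), so the two points swapped by E[u,v] are the G-chain images of that pole and of ∞, which is the claim's u = G_1(…G_n(0)), v = G_1(…G_n(∞)) once the translation is folded in. The function names `masked_inv` and `check_all` and the factor count n are this example's own choices.

```python
import random

# K = GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b);
# the patent fixes no particular k or polynomial, so this choice is an assumption.
AES_POLY = 0x11B
INF = None  # the point "oo" adjoined to K, giving K' = K U {oo}

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a):
    # a^254 == a^-1 for a != 0 and 0 for a == 0: the AES "Inv" with Inv(0) = 0
    r, p = 1, a
    for _ in range(7):
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r

def apply_homography(h, z):
    # (az+b)/(cz+d) on K': the pole -d/c goes to oo and oo goes to a/c
    # (an affine map, c == 0, fixes oo).
    a, b, c, d = h
    if z is INF:
        return INF if c == 0 else gf_mul(a, gf_inv(c))
    den = gf_mul(c, z) ^ d
    if den == 0:
        return INF
    return gf_mul(gf_mul(a, z) ^ b, gf_inv(den))

def compose(h1, h2):
    # 2x2 matrix product, so that (h1 o h2)(z) == h1(h2(z))
    a1, b1, c1, d1 = h1
    a2, b2, c2, d2 = h2
    return (gf_mul(a1, a2) ^ gf_mul(b1, c2), gf_mul(a1, b2) ^ gf_mul(b1, d2),
            gf_mul(c1, a2) ^ gf_mul(d1, c2), gf_mul(c1, b2) ^ gf_mul(d1, d2))

def invert_homography(h):
    # Adjugate; in characteristic 2 the signs vanish, and the projective scale
    # factor (the determinant) does not change the map.
    a, b, c, d = h
    return (d, b, c, a)

def random_homography(rng):
    while True:
        h = tuple(rng.randrange(256) for _ in range(4))
        if gf_mul(h[0], h[3]) ^ gf_mul(h[1], h[2]):  # ad + bc != 0
            return h

def exchange(z, u, v):
    # E[u,v]: swap u and v, leave every other point of K' alone
    return v if z == u else u if z == v else z

def masked_inv(t, k, m_in, m_out, rng, n=3):
    """Given t = x + m_in, return Inv(x + k) + m_out; x + k itself is never computed."""
    e = k ^ m_in  # t + e == x + k
    # Target map h(z) = 1/(z + e) + m_out: translation, then 1/z, then translation
    h = compose((1, m_out, 0, 1), compose((0, 1, 1, 0), (1, e, 0, 1)))
    # G_1..G_n and F_2..F_n are random; F_1 is whatever makes the whole product equal h
    G = [random_homography(rng) for _ in range(n)]
    F = [random_homography(rng) for _ in range(n - 1)]
    rest = (1, 0, 0, 1)
    for m in F + G:
        rest = compose(rest, m)
    F = [compose(h, invert_homography(rest))] + F
    # h sends its pole z = e (where x + k == 0) to oo, but Inv(0) = 0 requires the
    # output h(oo) = m_out there: swap the G-chain images of e and oo before the F-chain.
    u, v = e, INF
    for g in reversed(G):
        u, v = apply_homography(g, u), apply_homography(g, v)
    z = t
    for g in reversed(G):  # G_n first, G_1 last
        z = apply_homography(g, z)
    z = exchange(z, u, v)
    for f in reversed(F):  # F_n first, F_1 last
        z = apply_homography(f, z)
    return z

def check_all(seed=1):
    """Compare masked_inv with the reference Inv for every x under one random k and mask pair."""
    rng = random.Random(seed)
    k, m_in, m_out = (rng.randrange(256) for _ in range(3))
    return all(masked_inv(x ^ m_in, k, m_in, m_out, rng) == gf_inv(x ^ k) ^ m_out
               for x in range(256))
```

Running `check_all()` exercises all 256 inputs, including the one with x+k = 0, where the plain homographic chain would produce ∞ and only the exchange E[u,v] turns it into the correctly masked output m_j. With m_i = m_j = k = 0 the same code is the unmasked Inv of claim 18, with u and v being the chain images of 0 and ∞.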