[go: up one dir, main page]

WO2004070510A2 - Device and method of manipulating masked data - Google Patents

Device and method of manipulating masked data Download PDF

Info

Publication number
WO2004070510A2
WO2004070510A2 PCT/IL2004/000116 IL2004000116W WO2004070510A2 WO 2004070510 A2 WO2004070510 A2 WO 2004070510A2 IL 2004000116 W IL2004000116 W IL 2004000116W WO 2004070510 A2 WO2004070510 A2 WO 2004070510A2
Authority
WO
WIPO (PCT)
Prior art keywords
data
mask
representation
input
output
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/IL2004/000116
Other languages
French (fr)
Other versions
WO2004070510A3 (en
Inventor
Shay Gueron
Ori Parzanchevski
Or Zuk
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DISCRETIX TECHNOLOGIES Ltd
Original Assignee
DISCRETIX TECHNOLOGIES Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DISCRETIX TECHNOLOGIES Ltd filed Critical DISCRETIX TECHNOLOGIES Ltd
Priority to EP04708426A priority Critical patent/EP1595357A4/en
Priority to JP2006502631A priority patent/JP2006517036A/en
Publication of WO2004070510A2 publication Critical patent/WO2004070510A2/en
Publication of WO2004070510A3 publication Critical patent/WO2004070510A3/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7209Calculation via subfield, i.e. the subfield being GF(q) with q a prime power, e.g. GF ((2**m)**n) via GF(2**m)
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219Countermeasures against side channel or fault attacks
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219Countermeasures against side channel or fault attacks
    • G06F2207/7223Randomisation as countermeasure against side channel attacks
    • G06F2207/7233Masking, e.g. (A**e)+r mod n
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04Masking or blinding
    • H04L2209/046Masking or blinding of operations, operands or results of the operations

Definitions

  • the present invention relates generally to computations in finite fields and, more particularly, to masked data manipulation in finite fields.
  • Data manipulation algorithms may include performing an inverse operation on data elements of finite fields.
  • an Advanced Encryption Standard provides a Rijndael Block Cipher Algorithm ("the Rijndael algorithm"), which includes a ByteSub bit level operation on input data including a vector, e.g., byte, x.
  • the ByteSub operation includes an encryption mode and a decryption mode.
  • the encryption mode includes an inverse operation and an affine transformation, e.g., x is converted into Ax " +b, wherein A and b are predetermined parameters.
  • the •decryption mode includes an affine transformation followed by an inverse operation, e.g., x is transformed into (A 1 (x+b)) "1 .
  • the inverse operation is preformed over a Galois Field, GF(2 8 ).
  • Block Cipher algorithms which implement an inversion operation in the GF(2 8 ).
  • These algorithms include, for example, a Camelia cipher algorithm described by K. Aoki et al. in "Specification of Camellia - a 128-bit Block Cipher", http://info.isl.ntt.co.jp/camellia/, and a Zodiac cipher algorithm described by C. H. Lee in “Zodiac: Block Cipher Proposal", http://www.safedigm.com/productpds/download/Safedigm_Zodiac.pdf.
  • a Differential Power Analysis (DP A) attack may use a correlation between an input and an output of the data manipulation algorithm to reveal a secret key implemented by the algorithm.
  • a random input mask denoted R
  • R may be added, e.g., over GF(2), to the input vector (e.g., byte), x, before performing the algorithm, to obtain masked data.
  • the random mask may include a random vector having a bit-length equal to the length of x.
  • a method described by Trichina, E. et al in "Simplified Adaptive Multiplicative Masking for AES and its Securized Implementation ", CHES 2002 includes the steps of multiplying the masked input vector, x+R, by R to obtain xR+R 2 , adding R 2 to the result to obtain XR, inverting XR to obtain 7 R "; , adding 1 to ; R '7 to obtain X ; R "; +1, and multiplying the result by R to obtain AR.
  • Performing a masked inversion of AES data using the method described by Trichina, E. et al may require two multiplications, one squaring, and two additions over the GF(2 ).
  • a hardware implementation of such an inversion may be relatively complex and/or power consuming.
  • the hardware implementation may require using a square Look Up Table (LUT) having a size of 256 bytes, and two multiplication circuits for multiplication in the GF(2 8 ).
  • LUT square Look Up Table
  • Embodiments of the invention provide a method and a device for efficiently manipulating masked data provided in a first representation of a finite field, e.g., for implementing an inversion of masked input data provided in the first representation, by converting the masked input data into a second representation and performing in the second representation operations equivalent to operations of the first representation to obtain masked manipulated data.
  • the method of manipulating masked data may include converting the masked input data in the first representation into converted data in the second representation of the finite field, and manipulating the converted data to obtain masked manipulated data.
  • the method may also include converting an input mask of the masked input data into an updated mask in the second representation.
  • Manipulating the converted data may include manipulating the converted data using the updated mask.
  • converting the input data may result in the converted data being masked by the updated mask.
  • Manipulating the converted data may result in the manipulated data being masked by the updated mask.
  • manipulating the converted data may include performing at least one operation equivalent to at least one desired operation in the first representation.
  • manipulating the converted data may include multiplying the converted data by the updated mask to obtain first intermediate data, adding to the first intermediate data a square of the updated mask to obtain second intermediate data, inverting the second intermediate data to obtain third intermediate data, adding a unit data bit to the third intermediate data to obtain fourth intermediate data, and multiplying the fourth intermediate data by the updated mask to obtain masked inverted data in the second representation.
  • the method may include de-converting the manipulated data to obtain de-converted data in the first representation.
  • De-converting the manipulated data may result in the de-converted data being masked by a linear transformation of the input mask.
  • the finite field may include a Galois Field (GF).
  • the first representation may include a GF(2 2s ) and the second representation may include a GF((2 S ) 2 ).
  • s may equal four, i.e., the first representation may include a GF(2 8 ) and the second representation may include a GF((2 4 ) 2 ).
  • a device for manipulating masked input data may include a conversion block to convert the masked input data in the first representation into converted data in the second representation.
  • the conversion block may also convert an input mask of the masked input data into an updated mask.
  • the device may also include a manipulation block to manipulate the converted data in the second representation, and a de-conversion block to convert the manipulated data into de-converted data in the first representation.
  • the manipulation block may include an inversion block to invert the converted data in the second representation.
  • the de-converted data may be masked by an affine transformation of the input mask.
  • the conversion block may include an input conversion module to convert the masked input data in the first representation into corresponding converted data in the second representation.
  • the conversion block may also include a mask conversion module to convert the input mask into the updated mask.
  • the conversion of the input mask performed by the mask conversion module may be related to the conversion performed by the input conversion module.
  • the inversion block may include a first multiplier to multiply an output of the input conversion module with an output of the mask conversion module, and a squaring module to provide a square of the output of the mask conversion module.
  • the inversion block may also include a first adder to add an output of the squaring module to an output of the first multiplier, a zero detector to provide an output of a zero value if an output of the first adder is non-zero, and an AND gate to provide an output corresponding to a logical AND of an output of the zero detector and an output of the mask conversion module.
  • the inversion block may further include a second adder to add an output of the AND gate to an output of the first adder, an inversion module to invert an output of the second adder, a third adder to add a unit value to an output of the inversion module, a second multiplier to multiply the output of the mask conversion module with an output of the second adder, and a fourth adder to add an output of the second multiplier to an output of the AND gate.
  • the de-conversion block may include an output de-conversion module to de-convert the manipulated data in the second representation into corresponding de-converted data in the first representation.
  • the de-conversion block may also include a mask de-conversion module to de-convert the updated mask.
  • the de-conversion of the updated mask performed by the mask de-conversion module may be related to the conversion performed by the output de-conversion module.
  • FIG. 1 is a flow chart illustration of a method of manipulating masked data, in accordance with embodiments of the invention
  • FIG. 2 is a schematic illustration of a circuit implementation of a device for manipulating masked data, in accordance with some exemplary embodiments of the invention
  • FIG. 3A is a schematic illustration of a circuit implementation of a multiplier, in accordance with some exemplary embodiments of the invention.
  • FIG. 3B is a schematic illustration of a circuit implementation of a squaring module, in accordance with some exemplary embodiments of the invention.
  • Fig. 3C is a schematic illustration of a circuit implementation of an inversion module, in accordance with some exemplary embodiments of the invention.
  • FIG. 4 is a schematic illustration of a circuit implementation of an AES compatible device for encrypting/decrypting masked data, in accordance with some exemplary embodiments of the present invention
  • FIG. 5A is a schematic illustration of a circuit implementation of a data conversion module, in accordance with some exemplary embodiments of the invention.
  • FIG. 5B is a schematic illustration of a circuit implementation of a mask conversion module, in accordance with some exemplary embodiments of the invention.
  • FIG. 6A is a schematic illustration of a circuit implementation of an output de-conversion module, in accordance with some exemplary embodiments of the invention.
  • Fig. 6B is a schematic illustration of a circuit implementation of a mask de-conversion module, in accordance with some exemplary embodiments of the invention.
  • GF(2 2s ) refers to a representation of a Galois Field (GF) of order 2 2s as an extension field of GF(2) consisting a plurality of polynomials over GF(2) modulo p(t), wherein p(t) is an irreducible polynomial of the degree 2s over GF(2).
  • a polynomial may be represented in the GF(2 2s ) representation, by a string of 2s bits.
  • the GF(2 S ) is represented as an extension field of GF(2) consisting of a plurality of polynomials over GF(2) modulo q(t), wherein q(t) is an irreducible polynomial of a second degree over GF(2).
  • An element, z, in the GF((2 S ) 2 ) representation may be defined by a 2s-digit binary number representing a linear polynomial z ⁇ m> t+z ⁇ >, wherein and are elements of GF(2 S ) represented by polynomials modulo q(t).
  • Some exemplary embodiments of the invention described herein may refer to data in a binary field representation, e.g., a GF(2 s ) representation, of a finite field, e.g., a GF.
  • a binary field representation e.g., a GF(2 s ) representation
  • a finite field e.g., a GF.
  • embodiments of the invention may be implemented for data in any other representations, e.g., a GF(g h ) representation, wherein g and h may have any desired value.
  • Masking input data including a vector, x, of a predetermined finite field may include adding to x an input random mask, denoted R, wherein R is an element randomly chosen from the predetermined finite field, i.e., to obtain masked input data, e.g., x+R.
  • FIG. 1 schematically illustrates a flow chart of a method of manipulating masked data, in accordance with some embodiments of the invention.
  • the method may include converting masked input data, e.g., including a combination of input data and an input random mask, in a first representation of a predetermined finite field, e.g., a GF, into masked converted data in a second representation of the predetermined finite field, e.g., by applying to the masked input data in the first representation a conversion operator, as described in detail below.
  • a predetermined finite field e.g., a GF
  • the method may include converting the input random mask in the first representation into an updated mask in the second representation, as described in detail below.
  • the method may also include manipulating the converted data, e.g., using the updated mask, to obtain masked manipulated data in the second representation, as described in detail below.
  • the method may further include de-converting the manipulated data back into the first representation by applying a de-conversion operator to obtain masked de-converted data in the first representation, as described in detail below.
  • the method may also include unmasking the masked de-converted data, e.g., as described below.
  • the method may also include generating the input random mask, e.g., as described below.
  • the method may also include masking input data, e.g., using the input mask to obtain the masked input data, for example, by adding the input mask may be added to the input data, as is known in the art.
  • the conversion operator may include any suitable operator for converting data in the first representation into corresponding data in the second representation.
  • the conversion operator may include a representation-transformation matrix corresponding to the desired transformation, e.g., as described in International Application PCT/IL03/00647, entitled “Method and device of manipulating data in Finite Fields", filed August 6, 2003 and assigned to the assignee of the present application, the disclosure of which is incorporated herein by reference.
  • the conversion operator may include a combination of the representation-transformation matrix and an affine transformation, e.g., a decryption or an encryption affine transformation, as described below.
  • an isomorphism may exist between two representations of a predetermined finite field, e.g., a GF(2"), denoted Rej-»; and Rep 2 , respectively.
  • Each of the two representations may be a linear space of dimension n over GF(2) , and each isomorphism may be a linear transformation between the representations.
  • an nxn binary representation-transformation matrix, M may be computed for transforming, e.g. by matrix multiplication, elements in Repi into corresponding elements in Rep 2 .
  • an inverse representation-transformation matrix, M 1 may exist for each representation-transformation.
  • An irreducible polynomial, po, having n roots may represent Repi.
  • Each root of po is a generator of the GF(2 n ) and invariant under field isomorphism.
  • a pair of corresponding generators of representations Repi and Rep 2 respectively, may uniquely determine an isomorphism between Repi and Rep 2 , since a multiplicative group of the GF(2") is cyclic.
  • Equation System 1 includes 2 n linear equations, which may be solved to determine the representation-transformation matrix, M, corresponding to the pair of generators ⁇ and r 2 .
  • Equation System 1 may include redundant equations, which may be ignored in order to reduce the number of computations. For example, only the first n equations may be used to provide one representation-transformation matrix.
  • Another representation-transformation matrix may be provided by a solution of Equation System 1 using a different pair of generators rj and r 2 .
  • there may be n different equation systems corresponding to the n different generators in Rep 2 each defining an "image" of , thereby providing n different representation-transformation matrices from Repi to Rej_> 2 .
  • each root of the irreducible polynomial over GF(2 S ) may be a generator of the GF(2 S ) field.
  • eight possible representation-transformation matrices • corresponding to the eight roots of the irreducible polynomial, respectively, may be computed for each field extension of GF(2 S ) .
  • Polynomial representations of GF(2 4 ) over GF(2) may be defined by each of three irreducible reduction polynomials over GF(2 4 ) , e.g., 1 + t + t 4 , 1 + t 3 + t 4 , 1 + t + 1 2 + t 3 + t 4 .
  • Field extensions of one or more of the polynomial representations of GF(2 4 ) in GF(2 S ) may be computed using irreducible extension polynomials, e.g., polynomials of the type t 2 + ⁇ t + ⁇ , wherein ⁇ and ⁇ may be elements of GF(2 4 ), such that t 2 + ⁇ t + ⁇ ⁇ ' s irreducible over GF(2 4 ).
  • ⁇ values there may be fifteen different ⁇ values and 8 different ⁇ values providing 120 possible irreducible extension polynomials of the form t 2 + ⁇ t + ⁇ .
  • the three different reduction polynomials and the 120 irreducible extension polynomials result in 360 different GF((2 4 ) 2 ) representations of GF(2 8 ) as an extension of GF(2). Therefore, according to these exemplary embodiments, there may be 2880 possible representation-transformation matrices, corresponding to the 360 field extensions.
  • each of the possible representation-transformation matrices may enable transformation from the standard AES representation into a different GF((2 4 ) 2 ) representation of GF(2 S ) corresponding to a different extension of GF(2 4 ) .
  • the representation-transformation matrix, M may be pre-selected according to any desired criteria, e.g., complexity of a hardware implementation corresponding to the selected M.
  • Input data including vector x in a first representation may be converted into a second representation by applying the representation-transformation, e.g., representation-transformation matrix M.
  • An operation x > x "1 , denoted T(x), in the second representation may be performed on the converted data, e.g., M ⁇ x.
  • a de-conversion of the manipulated data back to the first representation, F(x) may be obtained by applying an inverse of the representation-transformation, e.g., M 1 .
  • F(x) and T(M • x) may be provided by the following nonlinear equation:
  • masked input data, x+R, in the first representation may be converted into converted data, Mx+MR, in the second representation.
  • the representation-transformation matrix, M is a regular matrix because the conversion between the first representation and the second representation is an invertible transformation, as described above.
  • MR may have, in correspondence to R, any non-zero value of the finite field.
  • the converted data, Mx+MR may include masked converted data wherein the mask includes an updated mask, e.g., MR.
  • the input mask the input mask
  • R may have a non-zero value.
  • Any suitable non-zero random mask generator e.g., as described below, may be implemented in order to obtain the non-zero random mask.
  • manipulating the converted data may include inverting the converted data, e.g., as described below. Inverting the converted data may include using the updated mask, e.g., as described below.
  • inverting the masked converted data may include multiplying the converted data, e.g., Mx+MR, by the updated mask, MR, to obtain first intermediate data, e.g., MxMR+(MR) 2 . Inverting the masked converted data may also include adding a square, e.g., (MR) 2 , of the updated mask to the first intermediate data to obtain second intermediate data, e.g., MxMR.
  • Inverting the converted data may further include inverting the second intermediate data, MxMR, to obtain third intermediate data, e.g., (MxMR) "1 .
  • Inverting the converted data may further include adding a unit data bit, i.e., 1, to the third intermediate data to obtain fourth intermediate data, e.g., (MxMRj ⁇ +l.
  • Inverting the converted data may further include multiplying the fourth intermediate data by the updated mask MR to obtain masked inverted data in the second representation, e.g., (MX)AMR.
  • At least some of the operations, e.g., addition, multiplication and/or inversion may be performed in the second representation.
  • the operations in the second representation may be implemented by any suitable circuitry and/or Look Up Tables (LUTs), e.g., as described below.
  • LUTs Look Up Tables
  • the de-conversion operator may include any suitable operator for de-converting data in the second representation back into corresponding data in the first representation.
  • M masked inverted data in the first representation
  • e.g., x "; + R may be obtained by applying the de-conversion operator to the masked inverted data in the second representation, e.g., (Mx)A MR.
  • the de-conversion operator may include a combination of the matrix M 1 and an affine transformation, e.g., a decrypt or an encrypt affine transformation, e.g., as described below.
  • FIG. 2 schematically illustrates a circuit implementation of a device 200 for manipulating masked data, in accordance with some exemplary embodiments of the invention.
  • device 200 may include a conversion block 202 to convert masked input data in a first representation into corresponding masked data in a second representation.
  • Block 202 may also be adapted to convert the mask R into an updated mask in the second representation.
  • Device 200 may also include a manipulation block, e.g., inversion block 204, to manipulate, e.g., invert, the converted data in the second representation, and a de-conversion block 206 to de-convert the manipulated data into de-converted data in the first representation.
  • a manipulation block e.g., inversion block 204
  • manipulate e.g., invert
  • de-conversion block 206 to de-convert the manipulated data into de-converted data in the first representation.
  • block 202 may include an input conversion module 208 to convert the masked input data, x+R, in the first representation into corresponding converted data in the second representation.
  • Block 202 may also include a mask conversion module 210 to convert input mask R into the updated mask.
  • the conversion of the mask performed by module 210 may be related to the conversion performed by module 208, e.g., as described below.
  • Module 208 and/or module 210 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to convert data in a first representation into corresponding data in a second representation, e.g., as described below.
  • LUTs Look-Up Tables
  • modules 208 and 210 may be implemented in one combined-conversion module, e.g., to convert the masked input data and the input mask sequentially.
  • block 204 may include a first multiplier 212 associated with an output 226 of module 210 and with an output 228 of module 208.
  • Block 204 may also include a squaring module 214 associated with output 226, and a first adder 216 associated with an output 230 of module 214 and with an output 232 of multiplier 212.
  • Block 204 may further include an inversion module 218 associated with an output 234 of adder 216, and a second adder 220 associated with an output 236 of module 218 and having an input 240 to receive a signal having the unit value, i.e., the value 1.
  • Block 204 may further include a second multiplier 222 associated with output 228 and with an output 242 of adder 220.
  • Multiplier 212 and/or multiplier 222 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to multiply two elements of the first representation using the second representation, e.g., as described below.
  • Unit 214 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to provide a square of an element of the first representation using the second representation, e.g., as described below.
  • Inversion module 218 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to invert data of the first representation using the second representation, e.g., as described below.
  • Adders 216 and 220 may include any software and/or hardware to implement an addition of two elements.
  • adder 216 and/or adder 220 may include a XOR gate, as is known in the art.
  • block 206 may include a de-conversion module 224 associated with an output 243 of block 204.
  • Module 224 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to de-convert data in the second representation into corresponding de-converted data in the first representation, e.g., as described below.
  • LUTs Look-Up Tables
  • output 208, 210 and/or 224 may include a multiplier, e.g., as described below, to " implement a multiplication by M, M and M "1 , respectively.
  • output 228 may have a value corresponding to Mx+MR
  • output 226 may have a value corresponding to MR.
  • output 243 may have a value corresponding to (Mx) "] +MR
  • an output 244 of block 206 may have a value corresponding to x "7 +R.
  • the outputs of blocks 202 and 204 may be masked by the updated mask MR
  • the output of block 206 may be masked by input mask R.
  • the outputs of blocks 202, 204, 206 may be masked by either the input mask or the updated mask.
  • device 200 may include at least two XOR gates 216 and 220, two multiplication circuits 212 and 222 in the second representation, one squaring circuit or LUT 214 in the second representation, and three multiplication circuits 208, 210 and 224 for multiplying an nxn bit matrix, e.g., M, by a vector, e.g., as described below.
  • a hardware implementation of a device for manipulating masked data may be less complex, and thus more compact, in comparison with conventional masked-inversion devices.
  • the first representation includes a GF(2 2s ) representation
  • the second representation includes a GF((2 S ) 2 ) representation
  • a squaring LUT in the second representation may include 2 s s bits.
  • the bit size of the squaring LUT may be much smaller compared to the bit-size, e.g., 2 2s+1 s, of a squaring LUT in the first representation.
  • conventional masked-inversion devices may require implementing multiplication circuits to perform multiplications in the first representation. These circuits may be more complex in comparison with the multipliers implemented by embodiments of the invention.
  • the method and/or device described above may be implemented for encryption and/or decryption of masked input data, x+R, for example, by performing masked AES S-box encryption decryption operations, as described below.
  • 5 equals four. These embodiments are useful for converting data in a GF(2 ) representation into a GF((2 4 ) 2 ) representation.
  • an encryption block to perform encryption, and/or a decryption block to perform decryption may be implemented in embedded electrical circuitry, e.g., of the type that may be used in a smartcard.
  • the conversion operator that may be used for converting the data to and from the AES GF(2 S ) representation to and from the GF((2 4 ) 2 ) representation may be pre-programmed, e.g., into a smart card. Other configurations may be used additionally or alternatively.
  • the conversion circuitry or software may include circuitry implementing the representation-transformation matrix M.
  • the circuitry or software implementing the representation-transformation matrix M may be combined with the circuitry or software implementing a linear transformation, e.g., A.
  • the conversion circuitry or software may include four multiplication modules, e.g., as described below, for multiplication by AM 1 ' , MA '1 ' , M, and ⁇ f 1 , respectively.
  • the conversion circuitry may consist of a combination of applying an affine transformation, e.g., multiplication by A and/or addition of b, and the predetermined representation-transformation, e.g. multiplication by M.
  • an affine transformation e.g., multiplication by A and/or addition of b
  • the predetermined representation-transformation e.g. multiplication by M.
  • the use of such operation modules may enhance the efficiency of the conversion circuitry.
  • a hardware implementation of matrix multiplication may include any hardware implementation of matrix multiplication, as is known in the art.
  • values of v may be computed using Equation 7. This may be achieved by determining which of the elements of row are nonzero and performing a XOR operation of the corresponding values of x 7 .
  • operations e.g. inversion, addition, and/or multiplication operations, equivalent to AES operations may be defined in the second representation, e.g., a GF((2 4 ) 2 ) representation, as described below.
  • An element x of a GF(2 8 ) may be defined by an eight-digit binary number and an element z of a GF(2 4 ) may be defined by a four-digit binary number
  • GF(2 4 ) may have a polynomial representation defined by a reduction polynomial over GF(2), e.g., may be represented by the polynomial zo+zjt+Z 2 t 2 +z 3 t 3 .
  • Multiplication of elements in the GF may be defined by multiplying the polynomials representing the elements and reducing the result modulo the reduction polynomial.
  • a bit octet, of GF(2 ) may be analogous to a linear polynomial z ⁇ m> t+ ⁇ ⁇ ⁇ > , wherein and are elements of GF(2 4 ).
  • the second representation may include elements _? ⁇ , supplement > and _. ⁇ /> ofGF(2 4 ).
  • multiplication and addition operations in the second representation may be defined in terms of operations on GE(2 4 ) .
  • Provided below is one possible definition of multiplication and addition in the second representation in terms of operations over GF(2 4 ) . It will be appreciated that other definitions may also be used as part of some embodiments of the present invention.
  • Addition and subtraction of two elements of the first representation, e.g., a,d e GF(2 S ) , in the second representation may be defined as a bitwise XOR of the two elements, as is known in the art.
  • the product of the two elements, a and d may be defined as a polynomial product
  • the product of elements a and d in the AES i.e., GF(2 S )
  • the product of elements a and d in the AES representation may be calculated using a series of addition and multiplication operations over GF(2 4 ), e.g., according to Equation Set 9.
  • the minus sign and the plus sign are interchangeable.
  • the minus sign of the first equation of Equation Set 9 may be replaced with a plus sign, e.g., as described below.
  • FIG. 3 A schematically illustrates a circuit implementation of a multiplier 302, in accordance with some exemplary embodiments of the invention.
  • Multiplier 302 may include multiplication units 304, 306 and 316 for multiplying two GF(2 4 ) elements, and a ⁇ -multiplication unit 308 for multiplying two GF(2 4 ) elements and for multiplying the product of the two elements by ⁇ .
  • Units 304, 306, 308 and 316 may include any suitable LUTs and/or circuitry for performing a multiplication of two GF(2 4 ) elements, e.g., as described below.
  • Multiplier 302 may also include XOR gates 310, 312 and 314, as are known in the art.
  • Equation Set 9 the following Equation Set may be used, e.g., if the minus sign of the first equation of Equation Set 9 is replaced by a plus sign, as described above:
  • FIG. 3B schematically illustrates a circuit implementation of a squaring unit 320, in accordance with some exemplary embodiments of the invention.
  • Squaring unit 320 may include square LUTs 322 and 324 including values corresponding to a square of a GF(2 4 ) element, respectively, and a ⁇ -square LUT 326 including values corresponding to a multiplication by ⁇ of square of a GF(2 4 ) element.
  • LUTs 322, 324 and 326 may include any suitable LUTs, e.g., as described below.
  • Squaring unit 320 may also include XOR gate 328 as is known in the art.
  • Ox + 1 (c ⁇ m> a ⁇ m> a + c ⁇ m> a ⁇ t> + c ⁇ ;> -. ⁇ m> )t + c ⁇ l>a ⁇ l> + c ⁇ m> a ⁇ m> ⁇
  • Equation Set 11 may be translated into the following system of liner equations over GF(2) :
  • a > 0 ⁇ /> + a ⁇ m> a)(a; m> ⁇ + a 2 l> + a ⁇ l>a ⁇ m> a
  • the values of C ⁇ m> and C ⁇ > may be calculated, as described above.
  • the inverse of element x in the AES representation may be calculated using a series of addition, multiplication, squaring and inversion operations over GF(2 ), e.g., in accordance with Equation Set 12.
  • FIG. 3C schematically illustrates a circuit implementation of an inversion module 330, in accordance with some exemplary embodiments of the invention.
  • Inversion module 330 may include multiplication units 334, 342 and
  • Module 330 may also include a square LUT 331 including values corresponding to a square of a GF(2 4 ) element, and a ⁇ -square LUT 332 including values corresponding to a multiplication by ⁇ of a square of a GF(2 4 ) element, e.g., as described below.
  • Module 330 may further include an inverse LUT 344 including values corresponding to an inverse of a GF(2 4 ) element, e.g., as described below.
  • Module 330 may also include XOR gates 340 and 338, as are known in the art.
  • GE(2 4 ) may be performed more efficiently by defining GF(2 4 ) multipliers and selecting the appropriate multiplier in each case, as explained below.
  • the solutions of the multiplication of two elements may be as follows:
  • An appropriate GF(2 4 ) multiplier may be constructed for a given representation-transformation matrix. Since each representation-transformation matrix may be defined by one of the three irreducible reduction polynomials over GF(2 4 ) in combination with an extension polynomial, as described above, theGE(2 4 ) multipliers may be predetermined. It will be appreciated by persons skilled in the art that other suitable implementations of GE(2 4 ) multipliers may be used additionally or alternatively in accordance with exemplary embodiments of the invention.
  • Inversion, denoted INV, and squaring, denoted SQR, in GF(2 4 ) may be implemented by two respective, relatively small, Look-Up-Tables (LUTs), for example, having a size of 8-bytes each, e.g., 16 nibbles.
  • coefficient ⁇ may be predetermined.
  • the value ⁇ g 2 for an element g e GF(2 4 ) may also be stored in an 8-byte LUT, which may be denoted ⁇ SQR, thereby eliminating one multiplication fiom the set of computations required for computing Equation Set 12.
  • SQR, INV and/or ⁇ SQR in GE(2 4 ) may be implemented by any suitable circuit, as is known in the art.
  • [a ,a 2 ,a ⁇ ,ao] [a 2 , a ⁇ +a 2 , a 2 +a 3 , a 0 +a 2 ]
  • circuitry implementation of embodiments of the invention may be more compact than the corresponding LUT implementation.
  • a LUT may provide more efficient processing of the data.
  • FIG. 4 schematically illustrates a circuit implementation of an AES compatible device 400 for encrypting/decrypting masked data, in accordance with some exemplary embodiments of the present invention.
  • device 400 may include an input conversion block 412, a manipulation block, e.g., e.g., an inversion block 414, and an output de-conversion block 416.
  • Device 400 may have an encryption mode of operation and/or a decryption mode of operation, e.g., as described below.
  • block 412 may include an input conversion module 418 to receive a masked input data signal 438, e.g., corresponding to a 32-bit column vector of x+R, in AES representation, e.g., in a GF(2 8 ) representation, and to convert this data into data in a GF((2 4 ) 2 ) representation.
  • conversion module 418 may also apply the decrypt affine transformation to x+R, e.g., according to Equation 6 above.
  • Block 412 may also include a mask conversion module 420 to convert input mask R into an updated mask. In order to obtain an updated mask corresponding to the converted masked data, the conversion of the mask performed by module 420 may include a linear transformation corresponding to the linear transformation performed by module 418.
  • conversion module 420 may multiply R by M, i.e., to obtain MR.
  • conversion module 420 may multiply R by MA "1 , i.e., to obtain MA "! R.
  • Module 418 and/or module 420 may include any circuitry, Look-Up
  • Tables (LUTs) and/or any suitable hardware and or software to convert data in a first representation into corresponding data in a second representation and/or to perform an affine transformation, e.g., as described below.
  • FIG. 5 A schematically illustrates a circuit implementation of an input conversion module 500, in accordance with some exemplary embodiments of the invention.
  • module 500 may include a multiplier 506 to implement a multiplication of the x+R by M.
  • Module 500 may also include a XOR gate 508 to implement a XOR operation of x+R and b, and a multiplier 510 to implement a multiplication of an output 518 of XOR gate 508 by MA '1 .
  • Multipliers 506 and/or 510 may include any suitable multiplier for multiplying an nxn matrix by a vector, e.g., as described above.
  • Module 500 may also include a multiplexer 512, as is known in the art, to select between the encryption and decryption modes of operation, e.g., by selecting between an output signal 514 of multiplier 506 and an output signal 516 of multiplier 510.
  • a multiplexer 512 as is known in the art, to select between the encryption and decryption modes of operation, e.g., by selecting between an output signal 514 of multiplier 506 and an output signal 516 of multiplier 510.
  • FIG. 5B schematically illustrates a circuit implementation of a mask conversion module 530, in accordance with some exemplary embodiments of the invention.
  • module 530 may include a multiplier 532 to implement a multiplication of R by M.
  • Module 530 may also include a multiplier 534 to implement a multiplication of R by MA "1 .
  • Multipliers 532 and/or 534 may include any suitable multiplier for multiplying an nxn matrix by a vector, e.g., as described above.
  • Module 530 may also include a multiplexer 536, as is known in the art, to select between the encryption and decryption modes of operation, e.g., by selecting between an output signal 533 of multiplier 532 and an output signal 535 of multiplier 534.
  • Inversion block 414 may include any circuitry and/or LUTs and/or any suitable hardware and or software to invert the converted data in the second representation.
  • block 414 may include a first multiplier 470 to receive signal 440 and signal 442, and to provide a signal 471, e.g., corresponding to the value (x t +R)Rt.
  • Block 414 may also include a squaring unit 472 to receive signal 472 and to provide a signal 473, e.g., corresponding to the value R 2 , and a first adder 474 to receive signal 471 and signal 473 and to provide a signal 475, e.g., corresponding to the value o ⁇ x t R t .
  • Block 414 may further include a Zero Detection (ZD) module 480 to receive signal 475 and to provide a signal, e.g., having a zero value if x t R t ?0, and a non-zero value, e.g., 1, if x t R t -0.
  • Block 414 may also include an AND gate 482, e.g., as is known in the art, to receive signal 442 and signal 481 and to provide a signal 483.
  • Block 414 may further include an inversion module 478 to receive signal 485 and to provide a signal 487, e.g., corresponding to a value of (xtR) '1 if x t R t ?0 and to the value of R 1 if x . R .
  • Multiplier 470 and/or multiplier 486 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to multiply two elements of the first representation using the second representation, e.g., as described above.
  • Unit 472 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to provide a square of an element of the first representation using the second representation, e.g., as described above.
  • Inversion module 478 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to invert data of the first representation using the second representation, e.g., as described above.
  • Adder 474, adder 476, adder 479, and/or adder 484 may include any software and/or hardware to implement an addition of two elements.
  • adder 474, adder 476, adder 479, and or adder 484 may include a XOR gate, as is known in the art.
  • Module 480 may include, for example, any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to implement a logical NOT followed by a logical AND of signal 481.
  • the input to inversion module 478 i.e., signal 485
  • inversion block 414 may be implemented to inhibit a DPA attack, e.g., using a zero input, on the AES device.
  • block 414 may include any other suitable configuration, e.g., a configuration analogous to the configuration of inversion block 204, as described above with reference to Fig. 2.
  • signal 444 may have, for example, a value corresponding to ((MX) ⁇ MR) in the encryption mode of operation, and a value corresponding to ((MA) '1 (x+b) '1 +MA '1 R) in the decryption mode of operation, as described above.
  • block 416 may include an output de-conversion module 424 to receive the output of block 414, e.g., signal 444, in the second representation, e.g., in a GF((2 4 ) 2 ) representation, and to de-convert this data into de-converted data in the first, e.g., GF(2 8 ), representation.
  • conversion module 424 may also apply the encrypt affine transformation, e.g., according to Equation 7 above.
  • R ' may be used as a mask, since R' may correspond to a regular linear transformation of the mask R.
  • Block 416 may also include a mask de-conversion module 422 to de-convert the updated mask.
  • the de-conversion performed by module 422 may include a linear transformation corresponding to the linear transformation performed by module 420.
  • de-conversion module 422 may multiply A '1 MR by 1 , i.e., to obtain A '! R.
  • de-conversion module 422 may multiply MR by AM 1 , i.e., to obtain AR.
  • an output mask signal 432 may include a value corresponding to R'.
  • Module 422 and/or module 424 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to convert data in a first representation into corresponding data in a second representation and/or to perform an affine transformation, e.g., as described below.
  • LUTs Look-Up Tables
  • FIG. 6 A schematically illustrates a circuit implementation of an output de-conversion module 600, in accordance with some exemplary embodiments of the invention.
  • module 600 may include a multiplier 602 to implement a multiplication of the manipulated data, e.g., signal 444, by M 1 .
  • Module 600 may also include a multiplier 604 to implement a multiplication of the manipulated data by AM 1 , and a XOR gate 606 to implement a XOR operation of an output of multiplier 604 and b.
  • Multipliers 602 and/or 604 may include any suitable multiplier for multiplying an nxn matrix by a vector, e.g., as described above.
  • Module 600 may also include a multiplexer 608, as is known in the art, to select between the decryption and encryption modes of operation, e.g., by selecting between an output signal 614 of multiplier 602 and an output signal 616 of multiplier 606.
  • FIG. 6B schematically illustrates a circuit implementation of a mask de-conversion module 630, in accordance with some exemplary embodiments of the invention.
  • module 630 may include a multiplier 632 to implement a multiplication of the updated mask, e.g., signal 442, by AM 1 .
  • Module 630 may also include a multiplier 634 to implement a multiplication of the updated mask by ⁇ f 7 .
  • Multipliers 632 and/or 634 may include any suitable multiplier for multiplying an nxn matrix by a vector, e.g., as described above.
  • Module 630 may also include a multiplexer 636, as is known in the art, to select between the decryption and encryption modes of operation, e.g., by selecting between an output signal 633 of multiplier 632 and an output signal 635 of multiplier 634.
  • device 400 may also include a mix-column module 455 to provide a signal 456 corresponding to a mix-column operation on signal 434.
  • the mix-column operation may include multiplying signal 434, e.g., including the 32-bit column vector x'+R ', with a Rijndael mix-column matrix, as is known in the art.
  • the mix-column operation may be calculated as follows:
  • pre-set equal values may ensure that the product of the vector (R ';, R '_>, R ' 3 , R ' 4 ) with the Rijndael column-mix matrix is always non-zero.
  • Other pres-set values may also be used to ensure non-zero result of the Rijndael column-mix multiplication in accordance with embodiments of the invention.
  • the AES round may also include performing a shift-row operation, as is known in the art.
  • the shift-row operation may include shifting between elements of each row of a 4x4 data matrix representing 4 columns of masked data, as is known in the art.
  • all sixteen elements of R may have pre-set equal values, i.e., in order to ensure the mask of the subsequent round is not distorted. Other pres-set values may also be used to ensure non-zero result of the Rijndael row-mix multiplication in accordance with embodiments of the invention. It will be appreciated by those skilled in the art that pre-setting all sixteen elements of the mask R as described above may have a relatively negligible effect on the brute-force required for a DPA attack.
  • the value of signal 432 may not be updated in correspondence to the mix-column operation performed on signal 432.
  • module 400 may further include a mask-removing module 460 for unmasking the masked de-converted data, e.g., after a final AES round.
  • module 460 may include a XOR gate 462 to provide an output signal 464 corresponding to a sum of a first input corresponding to signal 456 and a second input. After the final AES round the second input of gate 462 may be associated with signal 432.
  • the value of the updated mask may be XORed with the masked de-converted data after the last round, such that the mask is removed from the manipulated data.
  • device 400 may further include a mask-input module 450 capable of using a new mask in a succeeding AES round, as described below.
  • Module may include a first XOR gate 428 to provide a sum of a first input corresponding to the value, e.g., x"+R ', of a signal 465 of a previous AES round, and a second input corresponding to a value, e.g., R, of a random mask signal 452.
  • an output signal 454 of XOR gate 428 may correspond to the value x"+R '+R.
  • Configuration 450 may also include a second XOR gate 426 to provide block 412 with signal 438 corresponding to a sum of signal 454 and signal 432.
  • signal 438 may have a value corresponding to x"+R.
  • each of the XOR gates of configuration 450 may include a mask, i.e., R and/or R '.
  • the representation-transformation matrix M implemented by device 400 may be predetermined based on desired optimization criteria, e.g., minimal circuit area for implementing device 400, as described below.
  • each one of the circuits may be synthesized using a DC Shell 2001.08-spl (DC Expert) available from Synopsis.
  • a target library TSMC 0.18 ⁇ SAAG-X Artisane
  • the synthesis may be performed for various timings, e.g., time propagation delays, for example, ranging from 12nSec to 6nSec.
  • a random bit generator may be implemented to produce the non-zero mask, R, e.g., as described below. However, it will be appreciated by those skilled in the art that any other suitable device and/or method may be implemented to produce non-zero mask R.
  • the generator may generate log v +v-l bits.
  • the first log v bits may be used to define a first number, w, wherein 0?w ⁇ v.
  • the remaining v-1 bits may be used to define a second number, p.

Landscapes

  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Optimization (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Signal Processing (AREA)
  • Pure & Applied Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Complex Calculations (AREA)
  • Monitoring And Testing Of Transmission In General (AREA)

Abstract

Embodiments of the invention provide a method and a device for manipulating data (108) by converting masked data in a first representation of a finite field into converted data in a second representation of the finite field (102), and manipulating the converted data (106) to obtain manipulated masked data.

Description

DEVICE AND METHOD OF MANIPULATING MASKED DATA
FIELD OF THE INVENTION
[001] The present invention relates generally to computations in finite fields and, more particularly, to masked data manipulation in finite fields.
BACKGROUND
[002] Data manipulation algorithms may include performing an inverse operation on data elements of finite fields. For example, an Advanced Encryption Standard (AES) provides a Rijndael Block Cipher Algorithm ("the Rijndael algorithm"), which includes a ByteSub bit level operation on input data including a vector, e.g., byte, x. The ByteSub operation includes an encryption mode and a decryption mode. The encryption mode includes an inverse operation and an affine transformation, e.g., x is converted into Ax" +b, wherein A and b are predetermined parameters. The •decryption mode includes an affine transformation followed by an inverse operation, e.g., x is transformed into (A1 (x+b))"1. According to the AES, the inverse operation is preformed over a Galois Field, GF(28). The field is represented by a polynomial form, using a reduction polynomial, p(t) =t8+t4+t3+t+l .
[003] There are other known block cipher algorithms, which implement an inversion operation in the GF(28). These algorithms include, for example, a Camelia cipher algorithm described by K. Aoki et al. in "Specification of Camellia - a 128-bit Block Cipher", http://info.isl.ntt.co.jp/camellia/, and a Zodiac cipher algorithm described by C. H. Lee in "Zodiac: Block Cipher Proposal", http://www.safedigm.com/productpds/download/Safedigm_Zodiac.pdf.
[004] A Differential Power Analysis (DP A) attack may use a correlation between an input and an output of the data manipulation algorithm to reveal a secret key implemented by the algorithm. In order to protect the manipulation algorithm, e.g., the AES algorithm, from a DPA attack, a random input mask, denoted R, may be added, e.g., over GF(2), to the input vector (e.g., byte), x, before performing the algorithm, to obtain masked data. The random mask may include a random vector having a bit-length equal to the length of x. Thus, the algorithm is performed on the sum x+R rather than on x, such that an attacker may not know the actual input to the -Jgorithm.
[005] It may be required to remove the mask, e.g., after performing the algorithm on the masked data, in order to be able to use the unmasked output of the algorithm.
[006] A method described by Trichina, E. et al in "Simplified Adaptive Multiplicative Masking for AES and its Securized Implementation ", CHES 2002, includes the steps of multiplying the masked input vector, x+R, by R to obtain xR+R2, adding R2 to the result to obtain XR, inverting XR to obtain 7R";, adding 1 to ;R'7 to obtain X;R";+1, and multiplying the result by R to obtain AR.
[007] Performing a masked inversion of AES data using the method described by Trichina, E. et al may require two multiplications, one squaring, and two additions over the GF(2 ). A hardware implementation of such an inversion may be relatively complex and/or power consuming. For example, the hardware implementation may require using a square Look Up Table (LUT) having a size of 256 bytes, and two multiplication circuits for multiplication in the GF(28).
SUMMARY OF EMBODIMENTS OF THE INVENTION
[008] Embodiments of the invention provide a method and a device for efficiently manipulating masked data provided in a first representation of a finite field, e.g., for implementing an inversion of masked input data provided in the first representation, by converting the masked input data into a second representation and performing in the second representation operations equivalent to operations of the first representation to obtain masked manipulated data.
[009] The method of manipulating masked data, according to embodiments of the invention, may include converting the masked input data in the first representation into converted data in the second representation of the finite field, and manipulating the converted data to obtain masked manipulated data.
[0010] According to some embodiments, the method may also include converting an input mask of the masked input data into an updated mask in the second representation. Manipulating the converted data may include manipulating the converted data using the updated mask.
[0011] According to embodiments of the invention, converting the input data may result in the converted data being masked by the updated mask. Manipulating the converted data may result in the manipulated data being masked by the updated mask.
[0012] According to some embodiments of the invention, manipulating the converted data may include performing at least one operation equivalent to at least one desired operation in the first representation.
[0013] According to some exemplary embodiments, manipulating the converted data may include multiplying the converted data by the updated mask to obtain first intermediate data, adding to the first intermediate data a square of the updated mask to obtain second intermediate data, inverting the second intermediate data to obtain third intermediate data, adding a unit data bit to the third intermediate data to obtain fourth intermediate data, and multiplying the fourth intermediate data by the updated mask to obtain masked inverted data in the second representation.
[0014] According to some embodiments of the invention, the method may include de-converting the manipulated data to obtain de-converted data in the first representation. De-converting the manipulated data may result in the de-converted data being masked by a linear transformation of the input mask. [0015] According to some embodiments of the invention, the finite field may include a Galois Field (GF).
[0016] According to some exemplary embodiments, the first representation may include a GF(22s) and the second representation may include a GF((2S)2). According to some of these embodiments, s may equal four, i.e., the first representation may include a GF(28) and the second representation may include a GF((24)2).
[0017] Accordmg to some embodiments of the invention, a device for manipulating masked input data may include a conversion block to convert the masked input data in the first representation into converted data in the second representation. The conversion block may also convert an input mask of the masked input data into an updated mask. The device may also include a manipulation block to manipulate the converted data in the second representation, and a de-conversion block to convert the manipulated data into de-converted data in the first representation. The manipulation block may include an inversion block to invert the converted data in the second representation. The de-converted data may be masked by an affine transformation of the input mask.
[0018] According to exemplary embodiments of the invention, the conversion block may include an input conversion module to convert the masked input data in the first representation into corresponding converted data in the second representation. The conversion block may also include a mask conversion module to convert the input mask into the updated mask. According to some embodiments, the conversion of the input mask performed by the mask conversion module may be related to the conversion performed by the input conversion module.
[0019] According to exemplary embodiments, the inversion block may include a first multiplier to multiply an output of the input conversion module with an output of the mask conversion module, and a squaring module to provide a square of the output of the mask conversion module. The inversion block may also include a first adder to add an output of the squaring module to an output of the first multiplier, a zero detector to provide an output of a zero value if an output of the first adder is non-zero, and an AND gate to provide an output corresponding to a logical AND of an output of the zero detector and an output of the mask conversion module. The inversion block may further include a second adder to add an output of the AND gate to an output of the first adder, an inversion module to invert an output of the second adder, a third adder to add a unit value to an output of the inversion module, a second multiplier to multiply the output of the mask conversion module with an output of the second adder, and a fourth adder to add an output of the second multiplier to an output of the AND gate.
[0020] According to exemplary embodiments of the invention, the de-conversion block may include an output de-conversion module to de-convert the manipulated data in the second representation into corresponding de-converted data in the first representation. The de-conversion block may also include a mask de-conversion module to de-convert the updated mask. According to some embodiments, the de-conversion of the updated mask performed by the mask de-conversion module may be related to the conversion performed by the output de-conversion module.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021 ] The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanied drawings in which:
[0022] Fig. 1 is a flow chart illustration of a method of manipulating masked data, in accordance with embodiments of the invention;
[0023] FIG. 2 is a schematic illustration of a circuit implementation of a device for manipulating masked data, in accordance with some exemplary embodiments of the invention;
[0024] Fig. 3A is a schematic illustration of a circuit implementation of a multiplier, in accordance with some exemplary embodiments of the invention;
[0025] Fig. 3B is a schematic illustration of a circuit implementation of a squaring module, in accordance with some exemplary embodiments of the invention; [0026] Fig. 3C is a schematic illustration of a circuit implementation of an inversion module, in accordance with some exemplary embodiments of the invention;
[0027] FIG. 4 is a schematic illustration of a circuit implementation of an AES compatible device for encrypting/decrypting masked data, in accordance with some exemplary embodiments of the present invention;
[0028] Fig. 5A is a schematic illustration of a circuit implementation of a data conversion module, in accordance with some exemplary embodiments of the invention;
[0029] Fig. 5B is a schematic illustration of a circuit implementation of a mask conversion module, in accordance with some exemplary embodiments of the invention;
[0030] Fig. 6A is a schematic illustration of a circuit implementation of an output de-conversion module, in accordance with some exemplary embodiments of the invention; and
[0031] Fig. 6B is a schematic illustration of a circuit implementation of a mask de-conversion module, in accordance with some exemplary embodiments of the invention.
[0032] It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn accurately or to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity or several physical components included in one element. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements. It will be appreciated that these figures present examples of embodiments of the present invention and are not intended to limit the scope of the invention. DETAILED DESCRIPTION OF EMBODIMENTS OF THE iNVENTlON
[0033] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, and components have not been described in detail so as not to obscure the present invention.
[0034] In the following detailed description, the notation GF(22s) refers to a representation of a Galois Field (GF) of order 22s as an extension field of GF(2) consisting a plurality of polynomials over GF(2) modulo p(t), wherein p(t) is an irreducible polynomial of the degree 2s over GF(2). A polynomial may be represented in the GF(22s) representation, by a string of 2s bits. An element, u, in the GF(22s) representation may be defined by a 2s-digit binary number U=[U2S-Ϊ^2S-2— UIUQ]. wherein u, is the coefficient of t in a corresponding polynomial, e.g.
U2s-lt2S'1 + 2s-2t2S'2 + ■■■ +Ujt+Uo.
[0035] The notation GF((2S)2) refers to a representation of a GF of order 22s as an extension field of GF(23) consisting of a plurality of polynomials over GF(2S) modulo r(t), wherein r(t) is an irreducible polynomial of a second degree over GF(2S); i.e., r(t)=Aat+β, wherein α and β are elements of GF(2S). The GF(2S) is represented as an extension field of GF(2) consisting of a plurality of polynomials over GF(2) modulo q(t), wherein q(t) is an irreducible polynomial of a second degree over GF(2). An element, z, in the GF((2S)2) representation may be defined by a 2s-digit binary number
Figure imgf000009_0001
representing a linear polynomial z<m>t+z<ι>, wherein
Figure imgf000009_0002
and
Figure imgf000009_0003
are elements of GF(2S) represented by polynomials modulo q(t).
[0036] Some exemplary embodiments of the invention described herein, may refer to data in a binary field representation, e.g., a GF(2 s) representation, of a finite field, e.g., a GF. However, it will be appreciated by those skilled in the art, that embodiments of the invention may be implemented for data in any other representations, e.g., a GF(gh) representation, wherein g and h may have any desired value. [0037] Masking input data including a vector, x, of a predetermined finite field, may include adding to x an input random mask, denoted R, wherein R is an element randomly chosen from the predetermined finite field, i.e., to obtain masked input data, e.g., x+R.
[0038] Reference is made to Fig. 1, which schematically illustrates a flow chart of a method of manipulating masked data, in accordance with some embodiments of the invention.
[0039] As indicated at block 102, the method may include converting masked input data, e.g., including a combination of input data and an input random mask, in a first representation of a predetermined finite field, e.g., a GF, into masked converted data in a second representation of the predetermined finite field, e.g., by applying to the masked input data in the first representation a conversion operator, as described in detail below.
[0040] As indicated at block 104, the method may include converting the input random mask in the first representation into an updated mask in the second representation, as described in detail below.
[0041] As indicated at block 106, the method may also include manipulating the converted data, e.g., using the updated mask, to obtain masked manipulated data in the second representation, as described in detail below.
[0042] As indicated at block 108, the method may further include de-converting the manipulated data back into the first representation by applying a de-conversion operator to obtain masked de-converted data in the first representation, as described in detail below.
[0043] As indicated at block 109, the method may also include unmasking the masked de-converted data, e.g., as described below.
[0044] As indicated at block 101, the method may also include generating the input random mask, e.g., as described below.
[0045] As indicated at block 103, the method may also include masking input data, e.g., using the input mask to obtain the masked input data, for example, by adding the input mask may be added to the input data, as is known in the art. [0046] According to some embodiments of the invention the conversion operator may include any suitable operator for converting data in the first representation into corresponding data in the second representation. According to some exemplary embodiments, the conversion operator may include a representation-transformation matrix corresponding to the desired transformation, e.g., as described in International Application PCT/IL03/00647, entitled "Method and device of manipulating data in Finite Fields", filed August 6, 2003 and assigned to the assignee of the present application, the disclosure of which is incorporated herein by reference. According to some exemplary embodiments of the invention, the conversion operator may include a combination of the representation-transformation matrix and an affine transformation, e.g., a decryption or an encryption affine transformation, as described below.
[0047] Since, as is known in the art, any two finite fields of the same size may be isomorphic, an isomorphism may exist between two representations of a predetermined finite field, e.g., a GF(2"), denoted Rej-»; and Rep2, respectively. Each of the two representations may be a linear space of dimension n over GF(2) , and each isomorphism may be a linear transformation between the representations. Thus, as part of some embodiments of the present invention, an nxn binary representation-transformation matrix, M, may be computed for transforming, e.g. by matrix multiplication, elements in Repi into corresponding elements in Rep2. Since the transformation between the two field representations is invertible, an inverse representation-transformation matrix, M1 , may exist for each representation-transformation. An irreducible polynomial, po, having n roots may represent Repi. Each root of po is a generator of the GF(2n) and invariant under field isomorphism. Thus, there are n corresponding representation-transformation matrices for each field extension. A pair of corresponding generators of representations Repi and Rep2, respectively, may uniquely determine an isomorphism between Repi and Rep2, since a multiplicative group of the GF(2") is cyclic. Thus, for a generator vector, rj, of Rep/, and a generator vector, r2, of Rep, the corresponding representation-transformation matrix, M, must satisfy iWr;=r2. Since the two field representations are isomorphic, and since r; and r^ are generators of the GF(2n), the following equation system must be satisfied by M for any k (k=l ...2n):
M(r k=(r2)k (1) wherein (n)k denotes field generator r,- raised to the k-th power in representation Rep,-, to produce an element (rjf in representation Rep*; and wherein field element (rj)k in representation Repi may be treated as a vector in a linear space of dimension n over GF(2), and may be multiplied by representation-transformation matrix, M to provide
M(n)k.
[0048] Equation System 1 includes 2n linear equations, which may be solved to determine the representation-transformation matrix, M, corresponding to the pair of generators π and r2. Equation System 1 may include redundant equations, which may be ignored in order to reduce the number of computations. For example, only the first n equations may be used to provide one representation-transformation matrix. Another representation-transformation matrix may be provided by a solution of Equation System 1 using a different pair of generators rj and r2. Thus, there may be n different equation systems corresponding to the n different generators in Rep2, each defining an "image" of , thereby providing n different representation-transformation matrices from Repi to Rej_>2.
[0049] In exemplary embodiments of the invention, each root of the irreducible polynomial over GF(2S) , e.g., p(t)=t8+t4+t3+t+l; may be a generator of the GF(2S) field. Thus, eight possible representation-transformation matrices corresponding to the eight roots of the irreducible polynomial, respectively, may be computed for each field extension of GF(2S) . Polynomial representations of GF(24) over GF(2) may be defined by each of three irreducible reduction polynomials over GF(24 ) , e.g., 1 + t + t4, 1 + t3 + t4 , 1 + t + 12 + t3 + t4 . Field extensions of one or more of the polynomial representations of GF(24) in GF(2S) may be computed using irreducible extension polynomials, e.g., polynomials of the type t2 +αt + β , wherein β and α may be elements of GF(24), such that t2 +αt + β \'s irreducible over GF(24).
Accordmg to exemplary embodiments of the invention, there may be fifteen different β values and 8 different α values providing 120 possible irreducible extension polynomials of the form t2 +αt + β . The three different reduction polynomials and the 120 irreducible extension polynomials result in 360 different GF((24)2) representations of GF(28) as an extension of GF(2). Therefore, according to these exemplary embodiments, there may be 2880 possible representation-transformation matrices, corresponding to the 360 field extensions. According to some embodiments of the present invention, each of the possible representation-transformation matrices may enable transformation from the standard AES representation into a different GF((24)2) representation of GF(2S) corresponding to a different extension of GF(24) . Thus, the representation-transformation matrix, M, may be pre-selected according to any desired criteria, e.g., complexity of a hardware implementation corresponding to the selected M.
[0050] Input data including vector x in a first representation may be converted into a second representation by applying the representation-transformation, e.g., representation-transformation matrix M. An operation x > x"1, denoted T(x), in the second representation may be performed on the converted data, e.g., M x. A de-conversion of the manipulated data back to the first representation, F(x), may be obtained by applying an inverse of the representation-transformation, e.g., M1. Thus, according to exemplary embodiments of the invention, F(x) and T(M x) may be provided by the following nonlinear equation:
F(x) = Ml- T(M- x) (2)
[0051] According to exemplary embodiments of the invention, masked input data, x+R, in the first representation may be converted into converted data, Mx+MR, in the second representation. The representation-transformation matrix, M, is a regular matrix because the conversion between the first representation and the second representation is an invertible transformation, as described above. Thus, MR may have, in correspondence to R, any non-zero value of the finite field. And thus, the converted data, Mx+MR may include masked converted data wherein the mask includes an updated mask, e.g., MR.
[0052] According to exemplary embodiments of the invention, the input mask,
R, may have a non-zero value. Any suitable non-zero random mask generator, e.g., as described below, may be implemented in order to obtain the non-zero random mask.
[0053] According to some exemplary embodiments of the invention, manipulating the converted data may include inverting the converted data, e.g., as described below. Inverting the converted data may include using the updated mask, e.g., as described below. [0054] According to exemplary embodiments of the invention inverting the masked converted data may include multiplying the converted data, e.g., Mx+MR, by the updated mask, MR, to obtain first intermediate data, e.g., MxMR+(MR)2. Inverting the masked converted data may also include adding a square, e.g., (MR)2, of the updated mask to the first intermediate data to obtain second intermediate data, e.g., MxMR. Inverting the converted data may further include inverting the second intermediate data, MxMR, to obtain third intermediate data, e.g., (MxMR)"1. Inverting the converted data may further include adding a unit data bit, i.e., 1, to the third intermediate data to obtain fourth intermediate data, e.g., (MxMRj^+l. Inverting the converted data may further include multiplying the fourth intermediate data by the updated mask MR to obtain masked inverted data in the second representation, e.g., (MX)AMR. At least some of the operations, e.g., addition, multiplication and/or inversion, may be performed in the second representation. The operations in the second representation may be implemented by any suitable circuitry and/or Look Up Tables (LUTs), e.g., as described below.
[0055] According to some embodiments of the invention the de-conversion operator may include any suitable operator for de-converting data in the second representation back into corresponding data in the first representation. According to exemplary embodiments of the invention, the de-conversion operator may include multiplication by the matrix M , as described above. It will be noted that the result of applying the de-conversion operator may be calculated in accordance with Equation 2, e.g., M"1[(Mx)"1J=:x"1. Thus, masked inverted data in the first representation, e.g., x";+ R, may be obtained by applying the de-conversion operator to the masked inverted data in the second representation, e.g., (Mx)A MR. According to some exemplary embodiments of the invention, the de-conversion operator may include a combination of the matrix M1 and an affine transformation, e.g., a decrypt or an encrypt affine transformation, e.g., as described below.
[0056] Reference is made to Fig. 2, which schematically illustrates a circuit implementation of a device 200 for manipulating masked data, in accordance with some exemplary embodiments of the invention.
[0057] According to exemplary embodiments of the invention, device 200 may include a conversion block 202 to convert masked input data in a first representation into corresponding masked data in a second representation. Block 202 may also be adapted to convert the mask R into an updated mask in the second representation. Device 200 may also include a manipulation block, e.g., inversion block 204, to manipulate, e.g., invert, the converted data in the second representation, and a de-conversion block 206 to de-convert the manipulated data into de-converted data in the first representation.
[0058] According to exemplary embodiments of the invention, block 202 may include an input conversion module 208 to convert the masked input data, x+R, in the first representation into corresponding converted data in the second representation. Block 202 may also include a mask conversion module 210 to convert input mask R into the updated mask. In order to obtain an updated mask related to the converted masked data, the conversion of the mask performed by module 210 may be related to the conversion performed by module 208, e.g., as described below. Module 208 and/or module 210 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to convert data in a first representation into corresponding data in a second representation, e.g., as described below. It will be appreciated by those skilled in the art that, according to some other embodiments of the invention, modules 208 and 210 may be implemented in one combined-conversion module, e.g., to convert the masked input data and the input mask sequentially.
[0059] Accordmg to exemplary embodiments of the invention, block 204 may include a first multiplier 212 associated with an output 226 of module 210 and with an output 228 of module 208. Block 204 may also include a squaring module 214 associated with output 226, and a first adder 216 associated with an output 230 of module 214 and with an output 232 of multiplier 212. Block 204 may further include an inversion module 218 associated with an output 234 of adder 216, and a second adder 220 associated with an output 236 of module 218 and having an input 240 to receive a signal having the unit value, i.e., the value 1. Block 204 may further include a second multiplier 222 associated with output 228 and with an output 242 of adder 220. Multiplier 212 and/or multiplier 222 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to multiply two elements of the first representation using the second representation, e.g., as described below. Unit 214 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to provide a square of an element of the first representation using the second representation, e.g., as described below. Inversion module 218 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to invert data of the first representation using the second representation, e.g., as described below. Adders 216 and 220 may include any software and/or hardware to implement an addition of two elements. For example, adder 216 and/or adder 220 may include a XOR gate, as is known in the art.
[0060] According to exemplary embodiments of the invention, block 206 may include a de-conversion module 224 associated with an output 243 of block 204. Module 224 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to de-convert data in the second representation into corresponding de-converted data in the first representation, e.g., as described below.
[0061] According to an exemplary embodiment of the invention, modules
208, 210 and/or 224 may include a multiplier, e.g., as described below, to" implement a multiplication by M, M and M"1, respectively. Thus, output 228 may have a value corresponding to Mx+MR, and output 226 may have a value corresponding to MR. Accordingly, output 243 may have a value corresponding to (Mx)"]+MR, and an output 244 of block 206 may have a value corresponding to x"7+R. According to this embodiment, the outputs of blocks 202 and 204 may be masked by the updated mask MR, and the output of block 206 may be masked by input mask R. Thus, it will be appreciated that the outputs of blocks 202, 204, 206 may be masked by either the input mask or the updated mask.
[0062] According to exemplary embodiments, device 200 may include at least two XOR gates 216 and 220, two multiplication circuits 212 and 222 in the second representation, one squaring circuit or LUT 214 in the second representation, and three multiplication circuits 208, 210 and 224 for multiplying an nxn bit matrix, e.g., M, by a vector, e.g., as described below.
[0063] It will be appreciated by those skilled in the art, that a hardware implementation of a device for manipulating masked data according to embodiments of the invention, e.g., device 200, may be less complex, and thus more compact, in comparison with conventional masked-inversion devices. For example, if the first representation includes a GF(22s) representation and the second representation includes a GF((2S)2) representation, a squaring LUT in the second representation may include 2s s bits. The bit size of the squaring LUT, according to embodiments of the invention, may be much smaller compared to the bit-size, e.g., 22s+1s, of a squaring LUT in the first representation. Furthermore, conventional masked-inversion devices may require implementing multiplication circuits to perform multiplications in the first representation. These circuits may be more complex in comparison with the multipliers implemented by embodiments of the invention.
[0064] According to some exemplary embodiments, the method and/or device described above may be implemented for encryption and/or decryption of masked input data, x+R, for example, by performing masked AES S-box encryption decryption operations, as described below.
[0065] Although the scope of the present invention is not limited in this respect, for clarity, as part of the description of some embodiments of the present invention, reference may be made to a device and/or a method of encrypting data. Further embodiments of the present invention may be described with reference to a device and/or a method of decrypting data. However, it would be apparent to those with ordinary skill in the art how to modify and/or adapt the methods and/or devices of the present invention, as described herein, in order to implement encryption devices, decryption devices and/or devices combining both encryption and decryption. Unless specifically stated otherwise, the principles of the methods and devices described herein are intended for implementation in conjunction with any such modifications and/or adaptations.
[0066] In some exemplary embodiments of the invention, 5 equals four. These embodiments are useful for converting data in a GF(2 ) representation into a GF((24)2) representation.
[0067] Although the scope of the present invention is not limited in this respect, for clarity, the description of some exemplary embodiments of the present invention relates to methods and/or devices wherein s equals four, i.e., for converting data in a GF(28) representation into a GF((24)2) representation. However, it would be apparent to those with ordinary skills in the art how to accordingly modify the methods and/or devices described herein for any other suitable value of s.
[0068] As part of some embodiments of the present invention, the method and/or device may be implemented in a variety of combinations and adaptations. According to an exemplary embodiment of the present invention, an encryption block to perform encryption, and/or a decryption block to perform decryption, may be implemented in embedded electrical circuitry, e.g., of the type that may be used in a smartcard. The conversion operator that may be used for converting the data to and from the AES GF(2S) representation to and from the GF((24)2) representation may be pre-programmed, e.g., into a smart card. Other configurations may be used additionally or alternatively.
[0069] A conventional AES S-box may perform affine transformations according to the following equations: sbσx[x] => A χF[x\ θ b (3) sboAfxJ = F[A x (x θ b)] ' (4) wherein sboxfxj denotes an encryption-related transformation, sboAfx] denotes a decryption-related transformation, and A and b are AES S-box parameter matrices, as are known in the art.
[0070] Thus, according to embodiments of the invention, substituting
Equation 2 in Equations 3 and 4, respectively, and substituting (x+R) for x in both equations, may yield the following modified equations to convert masked data, x+R, into the second representation, to perform operations in the second representation, and to de-convert the resulting data into corresponding data into the first, e.g., AES, representation: sbox[(x+R)J =AM1 T[M χ (xθ Rj] θ b (5) sbox"1 [(x+R)] = M1 7T 4-1 x ((x θ R) θ b)] (6)
[0071] In accordance with some embodiments of the present invention, the conversion circuitry or software may include circuitry implementing the representation-transformation matrix M. According to some of these embodiments, the circuitry or software implementing the representation-transformation matrix M may be combined with the circuitry or software implementing a linear transformation, e.g., A. According to further embodiments of the invention, the conversion circuitry or software may include four multiplication modules, e.g., as described below, for multiplication by AM1 ', MA'1 ', M, and Λf1, respectively. Thus, the conversion circuitry may consist of a combination of applying an affine transformation, e.g., multiplication by A and/or addition of b, and the predetermined representation-transformation, e.g. multiplication by M. The use of such operation modules may enhance the efficiency of the conversion circuitry.
[0072] A hardware implementation of matrix multiplication may include any hardware implementation of matrix multiplication, as is known in the art. For example, values yt of a block y defined by y=Dx, wherein i=l...n and wherein D is a fixed nxn binary matrix, may be computed using the following equation:
Figure imgf000019_0001
[0073] Thus, values of v may be computed using Equation 7. This may be achieved by determining which of the elements of row are nonzero and performing a XOR operation of the corresponding values of x7.
[0074] According to exemplary embodiments of the invention, operations, e.g. inversion, addition, and/or multiplication operations, equivalent to AES operations may be defined in the second representation, e.g., a GF((24)2) representation, as described below.
[0075] An element x of a GF(28) may be defined by an eight-digit binary number
Figure imgf000019_0002
and an element z of a GF(24) may be defined by a four-digit binary number
Figure imgf000019_0003
[0076] As is known in the art, GF(24) may have a polynomial representation defined by a reduction polynomial over GF(2), e.g.,
Figure imgf000019_0004
may be represented by the polynomial zo+zjt+Z2t2+z3t3. Multiplication of elements in the GF may be defined by multiplying the polynomials representing the elements and reducing the result modulo the reduction polynomial.
[0077] According to embodiments of the invention, a bit octet,
Figure imgf000019_0005
of GF(2 ) may be analogous to a linear polynomial z<m>t+∑<ι>, wherein
Figure imgf000019_0006
and
Figure imgf000019_0007
are elements of GF(24). Thus, the second representation may include elements _?<,„> and _.</> ofGF(24).
[0078] As part of some embodiments of the present invention, multiplication and addition operations in the second representation may be defined in terms of operations on GE(24) . Provided below is one possible definition of multiplication and addition in the second representation in terms of operations over GF(24 ) . It will be appreciated that other definitions may also be used as part of some embodiments of the present invention.
[0079] Addition and subtraction of two elements of the first representation, e.g., a,d e GF(2S) , in the second representation may be defined as a bitwise XOR of the two elements, as is known in the art. The product of the two elements, a and d, may be defined as a polynomial product
(Ω <m> ? + Ω < >) x (^<m>^ + ^< >)m°d(^2 + cd + β) , wherein multiplication and addition of the polynomial coefficients may be defined by operations over GF(2 ) using a given representation. Thus, the product of elements a and d may be calculated using the following equation:
(*<»>' + a <ι> ) x (d <m>t + d <t> )(mod t2 + at + β) =
(a <ι> d <m> - a<m>d<m>a + a<m>d<ι>)t ~ a<m>d<m>β + β </>^<;> ≡ r<m>t + r l>
wherein:
(A> d <m> - a<m>d<m>a + a<m>d<t> ) ≡ r<m> ≡ [rηr6r5r ] An>d<m>β + a<ι>d<ι> ≡ r<ι> ≡ fcWoJ
[0080] Thus, the product of elements a and d in the AES, i.e., GF(2S) , representation may be defined as
Figure imgf000020_0001
. Thus, the product of elements a and d in the AES representation may be calculated using a series of addition and multiplication operations over GF(24), e.g., according to Equation Set 9. It will be appreciated by those skilled in the art, that in the GF(24) the minus sign and the plus sign are interchangeable. Thus, the minus sign of the first equation of Equation Set 9 may be replaced with a plus sign, e.g., as described below.
[0081 ] Reference is made to Fig. 3 A, which schematically illustrates a circuit implementation of a multiplier 302, in accordance with some exemplary embodiments of the invention.
[0082] Multiplier 302 may include multiplication units 304, 306 and 316 for multiplying two GF(24) elements, and a β-multiplication unit 308 for multiplying two GF(24) elements and for multiplying the product of the two elements by β. Units 304, 306, 308 and 316 may include any suitable LUTs and/or circuitry for performing a multiplication of two GF(24) elements, e.g., as described below. Multiplier 302 may also include XOR gates 310, 312 and 314, as are known in the art.
[0083] A square of an element a in the AES representation may be calculated by substituting a=d in Equation Set 9. For example, the following Equation Set may be used, e.g., if the minus sign of the first equation of Equation Set 9 is replaced by a plus sign, as described above:
a <ιA<m> + a<m a ≡ r<m> ≡ [r7r6r5r ]
Figure imgf000021_0001
[0084] Reference is made to Fig. 3B, which schematically illustrates a circuit implementation of a squaring unit 320, in accordance with some exemplary embodiments of the invention.
[0085] Squaring unit 320 may include square LUTs 322 and 324 including values corresponding to a square of a GF(24) element, respectively, and a β-square LUT 326 including values corresponding to a multiplication by β of square of a GF(24) element. LUTs 322, 324 and 326 may include any suitable LUTs, e.g., as described below. Squaring unit 320 may also include XOR gate 328 as is known in the art.
[0086] Determining an inverse x";=(c<m>t + c</:>)of data element
(x<m>x + x<;> ) χ= (a<m>t + a4> ) , may require solving the following set of equations:
Ox + 1 = (c<m>t + C<1>) x (a<m>t + α<7>) =
0x + l = (c<m>t + c<1>) x (a<m>t + a<l>)mod(t2 +at + β) = (11)
Ox + 1 = (c<m>a<m>a + c<m>a<t> + c<;>-.<m>)t + c<l>a<l> + c<m>a<m>β
[0087] Equation Set 11 may be translated into the following system of liner equations over GF(2) :
c<;> = a<m> (a< 2 m>β + a; + a<l>a<m>
A> = 0</> + a<m>a)(a;m>β + a2 l> + a<l>a<m>a
[0088] Thus, in order to calculate an inverse x"1 of data element x, the values of C<m> and C< > may be calculated, as described above. Thus, the inverse of element x in the AES representation may be calculated using a series of addition, multiplication, squaring and inversion operations over GF(2 ), e.g., in accordance with Equation Set 12.
[0089] Reference is made to Fig. 3C, which schematically illustrates a circuit implementation of an inversion module 330, in accordance with some exemplary embodiments of the invention.
[0090] Inversion module 330 may include multiplication units 334, 342 and
346 for multiplying two GF(24) elements, e.g., as described below. Module 330 may also include a square LUT 331 including values corresponding to a square of a GF(24) element, and a β-square LUT 332 including values corresponding to a multiplication by β of a square of a GF(24) element, e.g., as described below. Module 330 may further include an inverse LUT 344 including values corresponding to an inverse of a GF(24) element, e.g., as described below. Module 330 may also include XOR gates 340 and 338, as are known in the art.
[0091] According to embodiments of the invention, multiplication over
GE(24 ) may be performed more efficiently by defining GF(24) multipliers and selecting the appropriate multiplier in each case, as explained below.
[0092] According to these exemplary embodiments, a multiplication a xd = [θ3, a aj, OQ] X [d3, d2, dj, do] over C7E(24), of two elements, e.g., a = [03, (2. o-i, ct-o] and b = [d.3, d2, di, do], of GF(24), may be defined as a sequence of bitwise operations, e.g., additions (XOR) and multiplications (AND), for a given reduction polynomial, e.g., as described above. Thus, for example, the solutions of the multiplication of two elements may be as follows:
Reduction polynomial: t4 + 1 + 1
[a3,a2,aι,a0] * [d3,d2,dι,d0] =
[aιd2+a3d3+a3do+a2dι+a0d3,a2d3+aod2+a3d3+a do+aιdι+d2a3, aιd3+d a3+aodι+a2d2+a2d3+aιdo+a3dι , aodo+aιd3+a2d2+a3dι]
Reduction polynomial: t4 + 13 + 1
[a3,a2,aι,a0] * [d3,d2,dι,d0] = aod +aιd +a3d2+a2d3+a3dι+a2dι+aιd2+a3d3+a do+a2d2,aod2+a3d3+aιdι+a2do,aodι+a3d2+a 3d3+aιdo+a2d3,aιd3+aodo+a d3+a3d2+a2d2+a3dι+a3d3] Reduction polynomial: t4 + 13 + 12 + 1 + 1
[a3,a2,aι,a0] * [d3,d2,dι,d0] =
[a2dι+a3do+a3dι+aιd2+aιd3+a d2+a0d3,a3dι+a2d2+aιdι+a2do+a0d2+aιd3, aodι+aιd3+aιdo+a3dι+a d3+a2d2, a3d2+aιd3+aodo+a2d3+a2d2+a3dι]
[0093] It should be noted that some of the multiplications of elements in each of the solutions may be similar for two or more output bits. For example, the expression aid3+a2d2+a di, appearing twice in the solutions listed above, may be computed only once in order to minimize hardware requirements, e.g., using XOR and AND gates. It will be appreciated by those skilled in the art that the solutions for multiplication of two elements in GE(24), using each of the three quadratic reduction polynomials discussed above, may be used to construct a GF(24) multiplier for each of the quadratic reduction polynomials. Such multiplier may be implemented in hardware and/or software as is known in the art. An appropriate GF(24) multiplier may be constructed for a given representation-transformation matrix. Since each representation-transformation matrix may be defined by one of the three irreducible reduction polynomials over GF(24) in combination with an extension polynomial, as described above, theGE(24) multipliers may be predetermined. It will be appreciated by persons skilled in the art that other suitable implementations of GE(24) multipliers may be used additionally or alternatively in accordance with exemplary embodiments of the invention.
[0094] Inversion, denoted INV, and squaring, denoted SQR, in GF(24) may be implemented by two respective, relatively small, Look-Up-Tables (LUTs), for example, having a size of 8-bytes each, e.g., 16 nibbles. According to some embodiments of the present invention, coefficient β may be predetermined. Thus, the value β g2 for an element g e GF(24) may also be stored in an 8-byte LUT, which may be denoted βSQR, thereby eliminating one multiplication fiom the set of computations required for computing Equation Set 12. According to alternative embodiments, SQR, INV and/or β SQR in GE(24) may be implemented by any suitable circuit, as is known in the art. For example, an SQR circuit may be implemented by substituting a=d in the solutions for multiplication of two elements, as described above. Thus, for example, the SQR circuits may implement the following solutions, for =l :
Reduction polynomial: t4 + 1 + 1
[a3,a2,aι,a0]2 = [a3, aι+a3, a2, ao +a2]
Reduction polynomial: t4 + 13 + 1
[a3,a2,aι,a0] :=:[a2+a3, aι+ a3, a3, a0+a2+a3]
Reduction polynomial: t4 + 13 + 12 + 1 + 1
[a ,a2,aι,ao] =[a2, aι+a2, a2+a3, a0+a2]
[0095] It may be noted that the circuitry implementation of embodiments of the invention, may be more compact than the corresponding LUT implementation. However, in some S-box implementations, a LUT may provide more efficient processing of the data.
[0096] Reference is made to Fig. 4, which schematically illustrates a circuit implementation of an AES compatible device 400 for encrypting/decrypting masked data, in accordance with some exemplary embodiments of the present invention.
[0097] According to exemplary embodiments of the invention, device 400 may include an input conversion block 412, a manipulation block, e.g., e.g., an inversion block 414, and an output de-conversion block 416. Device 400 may have an encryption mode of operation and/or a decryption mode of operation, e.g., as described below.
[0098] According to exemplary embodiments of the invention, block 412 may include an input conversion module 418 to receive a masked input data signal 438, e.g., corresponding to a 32-bit column vector of x+R, in AES representation, e.g., in a GF(28) representation, and to convert this data into data in a GF((24)2) representation. In the decrypt mode of operation, conversion module 418 may also apply the decrypt affine transformation to x+R, e.g., according to Equation 6 above. Thus, for example, an output signal 440 of module 418 may have a value corresponding to the value X;+Rz, wherein xt=Mx and Rt=MR in the encryption mode of operation, and wherein xt=MA"1x+MA~Ib and Rt=MA'1R in the decryption mode of operation. [0099] Block 412 may also include a mask conversion module 420 to convert input mask R into an updated mask. In order to obtain an updated mask corresponding to the converted masked data, the conversion of the mask performed by module 420 may include a linear transformation corresponding to the linear transformation performed by module 418. For example, in the encrypt mode of operation, conversion module 420 may multiply R by M, i.e., to obtain MR. In the decrypt mode of operation, conversion module 420 may multiply R by MA"1, i.e., to obtain MA"!R.
[00100] Module 418 and/or module 420 may include any circuitry, Look-Up
Tables (LUTs) and/or any suitable hardware and or software to convert data in a first representation into corresponding data in a second representation and/or to perform an affine transformation, e.g., as described below.
[00101] Reference is made to Fig. 5 A which schematically illustrates a circuit implementation of an input conversion module 500, in accordance with some exemplary embodiments of the invention.
[00102] According to exemplary embodiments, module 500 may include a multiplier 506 to implement a multiplication of the x+R by M. Module 500 may also include a XOR gate 508 to implement a XOR operation of x+R and b, and a multiplier 510 to implement a multiplication of an output 518 of XOR gate 508 by MA'1. Multipliers 506 and/or 510 may include any suitable multiplier for multiplying an nxn matrix by a vector, e.g., as described above. Module 500 may also include a multiplexer 512, as is known in the art, to select between the encryption and decryption modes of operation, e.g., by selecting between an output signal 514 of multiplier 506 and an output signal 516 of multiplier 510.
[00103] Reference is made to Fig. 5B which schematically illustrates a circuit implementation of a mask conversion module 530, in accordance with some exemplary embodiments of the invention.
[00104] According to exemplary embodiments, module 530 may include a multiplier 532 to implement a multiplication of R by M. Module 530 may also include a multiplier 534 to implement a multiplication of R by MA"1. Multipliers 532 and/or 534 may include any suitable multiplier for multiplying an nxn matrix by a vector, e.g., as described above. Module 530 may also include a multiplexer 536, as is known in the art, to select between the encryption and decryption modes of operation, e.g., by selecting between an output signal 533 of multiplier 532 and an output signal 535 of multiplier 534.
[00105] Referring back to Fig. 4, Inversion block 414 may include any circuitry and/or LUTs and/or any suitable hardware and or software to invert the converted data in the second representation.
[00106] According to an exemplary embodiment of the invention, block 414 may include a first multiplier 470 to receive signal 440 and signal 442, and to provide a signal 471, e.g., corresponding to the value (xt+R)Rt. Block 414 may also include a squaring unit 472 to receive signal 472 and to provide a signal 473, e.g., corresponding to the value R 2, and a first adder 474 to receive signal 471 and signal 473 and to provide a signal 475, e.g., corresponding to the value oϊxtRt. Block 414 may further include a Zero Detection (ZD) module 480 to receive signal 475 and to provide a signal, e.g., having a zero value if xtRt?0, and a non-zero value, e.g., 1, if xtRt-0. Block 414 may also include an AND gate 482, e.g., as is known in the art, to receive signal 442 and signal 481 and to provide a signal 483. For example, signal 483 may have zero value if xtRt?0, and a non-zero value, e.g., Rt, if xtRt=0. Block 414 may further include a second adder 476 to receive signal 475 and signal 483 and to provide a signal 485, e.g., corresponding to the value oϊxtRt iϊxtRt?0, and to the value of Rt if xtRt=0. Block 414 may further include an inversion module 478 to receive signal 485 and to provide a signal 487, e.g., corresponding to a value of (xtR)'1 if xtRt?0 and to the value of R 1 if x.R.=0, and a third adder 479 to receive signal 487 and a signal having the unit value, i.e., the value 1, and to provide a signal 489, e.g., corresponding to a value of (xtR^+l if xtRt?0 and to the value of R. ";+i if xtRτ=0. Block 414 may further include a second multiplier 486 to receive signal 486 and signal 489 and to provide a signal 491, e.g., corresponding to a value of xt " +R. if xtRt?0 and to the value of 1+Rt if x,R,=0. Block 414 may further include a fourth adder 484 to receive signals 491 and 483 and to provide a signal 444, e.g., corresponding to a value of x^+Rt if x.R.?0 and to the value of R, if xtRt=0. Multiplier 470 and/or multiplier 486 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to multiply two elements of the first representation using the second representation, e.g., as described above. Unit 472 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to provide a square of an element of the first representation using the second representation, e.g., as described above. Inversion module 478 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to invert data of the first representation using the second representation, e.g., as described above. Adder 474, adder 476, adder 479, and/or adder 484 may include any software and/or hardware to implement an addition of two elements. For example, adder 474, adder 476, adder 479, and or adder 484 may include a XOR gate, as is known in the art. Module 480 may include, for example, any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to implement a logical NOT followed by a logical AND of signal 481.
[00107] According to these exemplary embodiments, the input to inversion module 478, i.e., signal 485, has a non-zero value, e.g., even if xtRt=0 since Rt?0. Thus, a zero input, i.e., xt=0, is masked by block 414, e.g., such that the input to the inversion module has a non-zero mask value, e.g., Rt.
[00108] Thus, it will be appreciated by those skilled in the art that inversion block 414 may be implemented to inhibit a DPA attack, e.g., using a zero input, on the AES device.
[00109] According to other embodiments of the invention, block 414 may include any other suitable configuration, e.g., a configuration analogous to the configuration of inversion block 204, as described above with reference to Fig. 2.
[001 10] According to the exemplary embodiments described above, signal 444 may have, for example, a value corresponding to ((MX)ΑMR) in the encryption mode of operation, and a value corresponding to ((MA)'1 (x+b)'1 +MA'1 R) in the decryption mode of operation, as described above.
[001 1 1] According to exemplary embodiments of the invention, block 416 may include an output de-conversion module 424 to receive the output of block 414, e.g., signal 444, in the second representation, e.g., in a GF((24)2) representation, and to de-convert this data into de-converted data in the first, e.g., GF(28), representation. In the encrypt mode of operation, conversion module 424 may also apply the encrypt affine transformation, e.g., according to Equation 7 above. Thus, for example, an output signal 434 of module 424 may have a value corresponding to x '+R ', wherein A=Ax"!+b and R '=AR in the encryption mode of operation, and wherein x '=A"' (x+b)' and R'=_4";R in the decryption mode of operation. According to these embodiments, R ' may be used as a mask, since R' may correspond to a regular linear transformation of the mask R.
[00112] Block 416 may also include a mask de-conversion module 422 to de-convert the updated mask. In order to de-convert the updated mask in correspondence to the de-conversion of the data, the de-conversion performed by module 422 may include a linear transformation corresponding to the linear transformation performed by module 420. For example, in the decrypt mode of operation, de-conversion module 422 may multiply A'1 MR by 1, i.e., to obtain A'!R. In the encrypt mode of operation, de-conversion module 422 may multiply MR by AM1, i.e., to obtain AR. Thus, an output mask signal 432 may include a value corresponding to R'. Module 422 and/or module 424 may include any circuitry, Look-Up Tables (LUTs) and/or any suitable hardware and/or software to convert data in a first representation into corresponding data in a second representation and/or to perform an affine transformation, e.g., as described below.
[00113] Reference is made to Fig. 6 A which schematically illustrates a circuit implementation of an output de-conversion module 600, in accordance with some exemplary embodiments of the invention.
[00114] According to exemplary embodiments, module 600 may include a multiplier 602 to implement a multiplication of the manipulated data, e.g., signal 444, by M1. Module 600 may also include a multiplier 604 to implement a multiplication of the manipulated data by AM1, and a XOR gate 606 to implement a XOR operation of an output of multiplier 604 and b. Multipliers 602 and/or 604 may include any suitable multiplier for multiplying an nxn matrix by a vector, e.g., as described above. Module 600 may also include a multiplexer 608, as is known in the art, to select between the decryption and encryption modes of operation, e.g., by selecting between an output signal 614 of multiplier 602 and an output signal 616 of multiplier 606.
[00115] Reference is made to Fig. 6B which schematically illustrates a circuit implementation of a mask de-conversion module 630, in accordance with some exemplary embodiments of the invention.
[00116] According to exemplary embodiments, module 630 may include a multiplier 632 to implement a multiplication of the updated mask, e.g., signal 442, by AM1. Module 630 may also include a multiplier 634 to implement a multiplication of the updated mask by Λf7. Multipliers 632 and/or 634 may include any suitable multiplier for multiplying an nxn matrix by a vector, e.g., as described above. Module 630 may also include a multiplexer 636, as is known in the art, to select between the decryption and encryption modes of operation, e.g., by selecting between an output signal 633 of multiplier 632 and an output signal 635 of multiplier 634.
[001 17] Referring back to Fig. 4, device 400 may also include a mix-column module 455 to provide a signal 456 corresponding to a mix-column operation on signal 434. The mix-column operation may include multiplying signal 434, e.g., including the 32-bit column vector x'+R ', with a Rijndael mix-column matrix, as is known in the art. For example, the mix-column operation may be calculated as follows:
Figure imgf000029_0003
Figure imgf000029_0001
wherein X 'I+R ' , x'2+R 2, x'5+R 5, and x^+R are masked data elements of the column vector x '+R .
[001 18] It will be appreciated by those skilled in the art that all the elements of vector (R 'ι, R ' , R'3, and R '4) have non-zero values, i.e., R 'tf O, R '2?0, R '3?0, and R '4?0, since R '1, R '2, R '3, and R '4 correspond to a linear transformation of respective elements, e.g., R/, R2, R3. and R4, of R. However, the product of the vector (R 'ι, R '2, R '3, R '4) with the Rijndael column-mix matrix may have a zero value. This may have the undesired result of distorting the mask of a subsequent AES round. To prevent this potential problem, according to some exemplary embodiments of the invention, Ri, R2, R3, and R4, of R may have pre-set equal values, i.e., R/=R2=R5=R4(. It will be appreciated by those skilled in the art that pre-set equal values
Figure imgf000029_0002
may ensure that the product of the vector (R ';, R '_>, R '3, R '4) with the Rijndael column-mix matrix is always non-zero. Other pres-set values may also be used to ensure non-zero result of the Rijndael column-mix multiplication in accordance with embodiments of the invention.
[001 19] The AES round may also include performing a shift-row operation, as is known in the art. The shift-row operation may include shifting between elements of each row of a 4x4 data matrix representing 4 columns of masked data, as is known in the art. The data matrix may include 16 elements each corresponding to a sum x 'k+R 'k, wherein k=1..16. According to some exemplary embodiments of the invention, all sixteen elements of R may have pre-set equal values, i.e.,
Figure imgf000030_0001
in order to ensure the mask of the subsequent round is not distorted. Other pres-set values may also be used to ensure non-zero result of the Rijndael row-mix multiplication in accordance with embodiments of the invention. It will be appreciated by those skilled in the art that pre-setting all sixteen elements of the mask R as described above may have a relatively negligible effect on the brute-force required for a DPA attack.
[00120] It will be appreciated by those skilled in the art that the vector (1, I, 1, 1) is an eigenvector of the Rijndael mix-column matrix, i.e., as expressed by the following equation:
(14)
Figure imgf000030_0002
[00121] Thus, according to exemplary embodiments of the invention the value of signal 432 may not be updated in correspondence to the mix-column operation performed on signal 432.
[00122] According to some exemplary embodiments of the invention device
400 may further include a mask-removing module 460 for unmasking the masked de-converted data, e.g., after a final AES round. According to exemplary embodiments, module 460 may include a XOR gate 462 to provide an output signal 464 corresponding to a sum of a first input corresponding to signal 456 and a second input. After the final AES round the second input of gate 462 may be associated with signal 432. Thus, the value of the updated mask may be XORed with the masked de-converted data after the last round, such that the mask is removed from the manipulated data.
[00123] According to some exemplary embodiments of the invention, since output signal 464 is masked by R ', mask R ' may be used as the input mask in succeeding AES rounds, as described below. [00124] According to some exemplary embodiments of the invention, device 400 may further include a mask-input module 450 capable of using a new mask in a succeeding AES round, as described below. Module may include a first XOR gate 428 to provide a sum of a first input corresponding to the value, e.g., x"+R ', of a signal 465 of a previous AES round, and a second input corresponding to a value, e.g., R, of a random mask signal 452. Thus, for example, an output signal 454 of XOR gate 428 may correspond to the value x"+R '+R. Configuration 450 may also include a second XOR gate 426 to provide block 412 with signal 438 corresponding to a sum of signal 454 and signal 432. Thus, signal 438 may have a value corresponding to x"+R.
[00125] It will be appreciated by those skilled in the art that the input and output of each of the XOR gates of configuration 450 may include a mask, i.e., R and/or R '.
[00126] According to exemplary embodiments of the invention, the representation-transformation matrix M implemented by device 400, may be predetermined based on desired optimization criteria, e.g., minimal circuit area for implementing device 400, as described below.
[00127] According to exemplary embodiments of the invention, a set of circuits, e.g. 192 circuits corresponding to 192 possible transformation matrices when a=l, may be fabricated to implement device 400. For example, each one of the circuits may be synthesized using a DC Shell 2001.08-spl (DC Expert) available from Synopsis. A target library TSMC 0.18μ (SAAG-X Artisane) may be used. The synthesis may be performed for various timings, e.g., time propagation delays, for example, ranging from 12nSec to 6nSec. These parameters may enable using different respective frequencies, e.g., in the range of 66.7MHz to 111MHz by adding a margin, for example, a 3 -nanosecond margin. According to the results of the synthesis, a reduction of approximately 45% in the circuit area compared to the circuit area of a conventional AES device may be achieved if the representation-transformation matrix [01 0c 50 ed 42 35 67 92] is implemented.
[00128] According to exemplary embodiments of the invention, a random bit generator may be implemented to produce the non-zero mask, R, e.g., as described below. However, it will be appreciated by those skilled in the art that any other suitable device and/or method may be implemented to produce non-zero mask R. [00129] According to exemplary embodiments of the invention, the random bit generator may be used to produce non-zero mask R having v bits, wherein v is a power of two, e.g., v=8. The generator may generate log v +v-l bits. The first log v bits may be used to define a first number, w, wherein 0?w<v. The remaining v-1 bits may be used to define a second number, p. The v-bit mask may be generated by setting the value of the w-th bit of R to 1, and by substituting the other v-1 bits of R with the v-1 bits ofp, respectively. For example, if v=8, the random bit generator may generate log 8 +8-1=10 random bits, e.g., 1011100101. Accordingly, w=_O22=5, pAlOOΪOl, and R=l 1100101.
[00130] It will be appreciated by those skilled in the art that the method described above may provide a non-zero mask, since a value of one may always by substituted at the w-th bit of the mask. Furthermore, the above method may be implemented to provide any one of the possible non-zero v-bit masks. Furthermore, Masks having equal Hamming Weights may be generated at equal probabilities by a mask generator implementing the method described above. A conditional entropy value corresponding to generating a specific mask if a previously generated mask may be calculated, for example, as follows:
Figure imgf000032_0001
[00131] Thus, the method described above may be implemented to provide a relatively high entropy value, e.g., of approximately 7.90244 if v=8.
[00132] It will be appreciated by persons skilled in the art that the present invention is not limited to the exemplary embodiments of the invention shown and described herein with reference to the accompanying drawings. While certain features of the invention have been illustrated and described, many modifications, substitutions, changes, and equivalents may occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

Claims

[00133] What is claimed is:
1. A method of manipulating data comprising: converting masked input data in a first representation of a finite field into converted data in a second representation of said finite field; and manipulating said converted data to obtain masked manipulated data.
2. The method of claim 1 comprising converting an input mask of said masked input data into an updated mask in said second representation.
3. The method of claim 2, wherein converting said masked input data comprises performing an affine transformation.
4. The method of claim 3, wherein said affine transformation comprises a linear transformation, and wherein converting said input mask comprises performing said linear transformation.
5. The method of any one of claims 2-4, wherein manipulating said converted data comprises manipulating said converted data using said updated mask.
6. The method of anyone of claims 2-5, wherein converting said masked input data results in said converted data being masked by said updated mask.
7. The method of any one of claims 2-6, wherein manipulated said converted data results in said manipulated data being masked by said updated mask.
8. The method of any one of claims 2-7, wherein manipulating said converted data comprises: multiplying said converted data by said updated mask to obtain first intermediate data; adding to said first intermediate data a square of said updated mask to obtain second intermediate data; inverting said second intermediate data to obtain third intermediate data; adding a unit data bit to the third intermediate data to obtain fourth intermediate data; and multiplying said fourth intermediate data by said updated mask to obtain masked inverted data in said second representation. 9. The method of any one of claims 1-8 comprising de-converting said manipulated data to obtain masked de-converted data in said first representation. lO.The method of claim 9, wherein de-converting said manipulated data results in said de-converted data being masked by a linear transformation of said input mask:
1 l.The method of claim 9 or 10 comprising unmasking said de-converted masked data.
12.The method of any one of claims 9-11 comprising de-converting said updated mask.
13. The method of any one of claims 9-12, wherein de-converting said manipulated data comprises performing an affine transformation.
14.The method of claim 13 comprising de-converting said updated mask, wherein said affine transformation comprises a linear transformation, and wherein de-converting said updated mask comprises performing said linear transformation.
15. The method of any one of claims 1-14 wherein manipulating said converted data comprises performing at least one operation equivalent to at least one desired operation in said first representation.
16.The method of claim 15 wherein said at least one operation comprises an inversion operation.
17.The method of any one of claims 1-16 wherein said finite field comprises a Galois Field.
18. The method of claim 17 wherein said finite field comprises a GF(gh).
19. The method of claim 18 wherein g equals two.
20.The method of claim 19 wherein said first representation comprises a GF(22s) and wherein said second representation comprises a GF((2S)2).
2 l.The method of claim 20 wherein s equals four.
22.The method of any one of claims 2-21, comprising masking input data using said input mask to provide said masked input data.
23.The method of any one of claims 2-22, comprising generating said input mask.
24.The method of claim 23 comprising: generating a first set of log v bits and a second set of v-1 bits; defining a number w based on said first set of bits; •setting the value of a w-th bit of said input mask to equal one; and substituting v-1 bits of said input mask with the v-1 bits of said second set, respectively. 25. The method of any one of claims 2-24, wherein at least some bits of said input mask have pre-set values.
26.A device for manipulating data comprising: a conversion block to convert masked input data in a first representation of a finite field into converted data in a second representation of said finite field; and a manipulation block to manipulate said converted data to obtain masked manipulated data. 27.The device of claim 26, wherein said conversion block converts an input mask of said masked input data into an updated mask in said second representation.
28.The device of claim 27, wherein said conversion block comprises: an input conversion module to convert said masked input data in said first representation into said converted data; and a mask conversion module to convert said input mask into said updated mask. 29. The device of claim 28, wherein said input conversion module comprises a multiplier to multiply said masked input data by a representation-transformation matrix, and wherein said mask conversion module comprises a multiplier to multiply said input mask by said representation-transformation matrix.
30. The device of claim 29, wherein said input conversion module is adapted to perform on said masked input data an affine transformation. 3 l.The device of claim 30, wherein said mask conversion module is adapted to perform on said mask a linear transformation corresponding to said affine transformation.
32.The device of any one of claims 26-31 wherein said manipulating block performs at least one operation equivalent to at least one desired operation in said first representation.
33.The device of claim 32, wherein said manipulation block comprises an inversion block to invert said converted data in said second representation to provide masked inverted data.
34.The device of any one of claims 28-33, wherein said manipulation block comprises: a first multiplier to multiply an output of said input conversion module with an output of said mask conversion module; a squaring module to provide a square of the output of said mask conversion module; a first adder to add an output of said squaring module to an output of said first multiplier; a zero detector to provide an output of a zero value if an output of said first adder is non-zero; an AND gate to provide an output corresponding to a logical AND of an output of said zero detector and an output of said mask conversion module; a second adder to add an output of said AND gate to an output of said first adder; an inversion module to invert an output of said second adder; a third adder to add a unit value to an output of said inversion module; a second multiplier to multiply the output of said mask conversion module with an output of said second adder; and a fourth adder to add an output of said second multiplier to an output of said AND gate.
35.The device of any one of claims 28-33, wherein said manipulation block comprises: a first multiplier to multiply an output of said input conversion module with an output of said mask conversion module; a squaring module to provide a square of the output of said mask conversion module; a first adder to add an output of said squaring module to an output of said first multiplier; an inversion module to invert an output of said first adder; a second adder to add a unit value to an output of said inversion module; and a second multiplier to multiply the output of said mask conversion module with an output of said second adder. 36. The device of any one of claims 26-35 comprising a de-conversion block to de-convert said manipulated data to obtain masked de-converted data in said first representation.
37.The device of any one of claims 27-35 comprising a de-conversion block to de-convert said manipulated data to obtain masked de-converted data in said first representation, the de-conversion block comprising: an output de-conversion module to de-convert said manipulated data into said first representation; and a mask de-conversion module to de-convert said updated mask. 38. The device of claim 37, wherein said output de-conversion module is adapted to perform on said manipulated data an affine transformation.
39.The device of claim 38, wherein said mask de-conversion module is adapted to perform on said updated mask a linear transformation corresponding to said affine transformation.
40. The device of any one of claims 36-39 comprising a mask-removing module to unmask said masked de-converted data.
4 l.The device of any one of claims 27-40 comprising a mask generator to generate said input mask.
42. The device of claim 41, wherein said mask generator is able to generate a first set of log(v) bits and a second set of v-1 bits, define a number w based on said first set of bits, set the value of a w-th bit of said input mask to equal one, and substitute v-1 bits of said input mask with the v-1 bits of said second set of bits, respectively.
43.The device of any one of claims 27-42, wherein at least some bits of said input mask have pre-set values.
44.A method of generating a non-zero mask having v bits, the method comprising: generating a first set of log v bits and a second set of v-1 bits; defining a number w based on said first set of bits; setting the value of a w-th bit of said mask to equal one; and substituting v-1 bits of said mask with the v-1 bits of said second set, respectively. 45. A method of encrypting data comprising: converting masked input data in a first representation of a finite field into converted data in a second representation of said finite field; converting an input mask of said masked input data into an updated mask in said second representation; manipulating said converted data using said updated mask by performing at least one operation equivalent to a desired encryption operation in said first representation to obtain manipulated data; and de-converting said manipulated data to obtain manipulated data in said first representation. 46. A method of decrypting data comprising: converting masked input data in a first representation of a finite field into converted data in a second representation of said finite field; converting an input mask of said masked input data into an updated mask in said second representation; manipulating said converted data using said updated mask by performing at least one operation equivalent to a desired decryption operation in said first representation to obtain manipulated data; and de-converting said manipulated data to obtain manipulated data in said first representation.
PCT/IL2004/000116 2003-02-06 2004-02-05 Device and method of manipulating masked data Ceased WO2004070510A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP04708426A EP1595357A4 (en) 2003-02-06 2004-02-05 Device and method of manipulating masked data
JP2006502631A JP2006517036A (en) 2003-02-06 2004-02-05 Apparatus and method for manipulating masked data

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US44524703P 2003-02-06 2003-02-06
US60/445,247 2003-02-06

Publications (2)

Publication Number Publication Date
WO2004070510A2 true WO2004070510A2 (en) 2004-08-19
WO2004070510A3 WO2004070510A3 (en) 2004-10-21

Family

ID=32850978

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2004/000116 Ceased WO2004070510A2 (en) 2003-02-06 2004-02-05 Device and method of manipulating masked data

Country Status (3)

Country Link
EP (1) EP1595357A4 (en)
JP (1) JP2006517036A (en)
WO (1) WO2004070510A2 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006125754A1 (en) * 2005-05-25 2006-11-30 Siemens Vdo Automotive Ag Determination of a modular inverse
US8199909B2 (en) 2004-06-18 2012-06-12 Morpho Method and device for carrying out a cryptographic calculation
US8504845B2 (en) 2011-03-30 2013-08-06 Apple Inc. Protecting states of a cryptographic process using group automorphisms
US8732227B2 (en) 2008-07-21 2014-05-20 Siemens Aktiengesellschaft Method and processor unit for implementing a characteristic-2-multiplication
US20210391977A1 (en) * 2020-06-16 2021-12-16 Stmicroelectronics (Rousset) Sas Protection of a cipher algorithm

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4968443B2 (en) * 2006-01-31 2012-07-04 大日本印刷株式会社 Cryptographic operation processing method and cryptographic operation processing device
US7995757B2 (en) * 2007-05-31 2011-08-09 Harris Corporation Closed galois field combination
JP5268609B2 (en) 2008-12-09 2013-08-21 株式会社東芝 Cryptographic processing apparatus and calculation method
US11507699B2 (en) 2019-09-27 2022-11-22 Intel Corporation Processor with private pipeline

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100296958B1 (en) * 1998-05-06 2001-09-22 이석우 Apparatus for encoding block data
CA2327911A1 (en) * 2000-12-08 2002-06-08 Cloakware Corporation Obscuring functions in computer software
EP1246389B1 (en) * 2001-03-27 2005-01-05 Amphion Semiconductor Limited Apparatus for selectably encrypting or decrypting data
US7508937B2 (en) * 2001-12-18 2009-03-24 Analog Devices, Inc. Programmable data encryption engine for advanced encryption standard algorithm

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of EP1595357A4 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8199909B2 (en) 2004-06-18 2012-06-12 Morpho Method and device for carrying out a cryptographic calculation
WO2006125754A1 (en) * 2005-05-25 2006-11-30 Siemens Vdo Automotive Ag Determination of a modular inverse
US8732227B2 (en) 2008-07-21 2014-05-20 Siemens Aktiengesellschaft Method and processor unit for implementing a characteristic-2-multiplication
US8504845B2 (en) 2011-03-30 2013-08-06 Apple Inc. Protecting states of a cryptographic process using group automorphisms
US20210391977A1 (en) * 2020-06-16 2021-12-16 Stmicroelectronics (Rousset) Sas Protection of a cipher algorithm
CN113806762A (en) * 2020-06-16 2021-12-17 意法半导体(鲁塞)公司 Protection of cryptographic algorithms
FR3111440A1 (en) * 2020-06-16 2021-12-17 Stmicroelectronics (Rousset) Sas Protecting an encryption algorithm
US12375263B2 (en) * 2020-06-16 2025-07-29 Stmicroelectronics (Rousset) Sas Protection of a cipher algorithm

Also Published As

Publication number Publication date
JP2006517036A (en) 2006-07-13
WO2004070510A3 (en) 2004-10-21
EP1595357A2 (en) 2005-11-16
EP1595357A4 (en) 2006-03-01

Similar Documents

Publication Publication Date Title
US10050778B2 (en) Method and apparatus for efficiently implementing the advanced encryption standard
US7532721B2 (en) Implementation of a switch-box using a subfield method
KR100800468B1 (en) Hardware encryption / decryption device and method for low power high speed operation
Jaffe A first-order DPA attack against AES in counter mode with unknown initial counter
KR20050120460A (en) The multiplication method and apparatus for preventing in galois field, the apparatus for inversion in galois field and the apparatus for aes byte substitution operation
CN100511331C (en) Encryption device, encryption method, and computer program thereof
US20030002663A1 (en) Method and apparatus for data encryption
Karthigaikumar et al. Simulation of image encryption using AES algorithm
EP1595357A2 (en) Device and method of manipulating masked data
Naskar et al. A secure symmetric image encryption based on bit-wise operation
Kosaraju et al. A high-performance VLSI architecture for advanced encryption standard (AES) algorithm
Jyrwa et al. An area-throughput efficient FPGA implementation of the block cipher AES algorithm
Venkatesha et al. AES based algorithm for image encryption and decryption
Abdul-Karim et al. High throughput and fully pipelined FPGA implementation of AES-192 algorithm
Goswami et al. Comparison of Hardware Implementations of Cryptographic Algorithms for IoT Applications
Canright et al. A more compact AES
Mellu et al. AES: Asymmetric key cryptographic System‖
Kim et al. Efficient masking methods appropriate for the block ciphers ARIA and AES
Rachh et al. Implementation of AES S-Boxes using combinational logic
EP1547301A1 (en) Method and device of manipulating data in finite fields
Jing et al. The diversity study of AES on FPGA application
RU2206961C2 (en) Method for iterative block encryption of binary data
US20040071287A1 (en) Encryption circuit arrangement and method therefor
Beuchat et al. A low-area unified hardware architecture for the AES and the cryptographic hash function ECHO
RU2204212C2 (en) Iterative method for block encryption

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2006502631

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 2004708426

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2004708426

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2004708426

Country of ref document: EP