Technical Field
The present disclosure relates to techniques for performing an encryption method that applies masking to the sensitive data.
Description of the Related Art
In the field of encryption it is generally known to use so-called “side-channel” attacks in order to retrieve the key, in particular of symmetric-key block ciphers such as the AES algorithm, but also of asymmetric public-key algorithms. These are attacks that exploit information which can be derived, through a process of so-called “leakage” of information, from the physical implementation of the encryption procedure, for example by measuring the power consumption of the circuit.
It is known, for example, to use linear (Boolean) masking of the data as a countermeasure against side-channel attacks.
According to this technique, each datum is masked by a Boolean XOR operation with mask values.
In general, a side-channel attack is said to be of d-th order if it requires considering statistical moments of order d to distinguish the correct hypotheses from the wrong ones.
Several of the countermeasures against such side-channel attacks exploit, for example, the presence of look-up tables (LUTs) in the circuits that implement the algorithms, and the values contained in these tables are initialized accordingly. Look-up tables, also known as “association tables”, are data structures that associate each admissible combination of input data with a corresponding (not necessarily unique) configuration of output data. Normally, the use of a look-up table speeds up the operations in so far as access to a datum in the table is faster than its calculation. Look-up tables are hence frequently used in encryption algorithms, whether implemented in hardware or in software, for carrying out complex calculations. For example, a look-up table, the so-called Substitution Box (SBOX), is used in the known AES (Advanced Encryption Standard) encryption algorithm for implementing operations such as the SubBytes operation.
FIG. 1A shows a flowchart representing an implementation 200 of the AES encryption procedure. The steps represented are the steps for encryption of a 16-byte block, known as the AES state. This procedure 200, as well as the details of the operations 210, 220, 230, 240, are in themselves known to the person skilled in the sector (see, for example: NIST, “Announcing the Advanced Encryption Standard (AES),” FIPS-197 (Nov. 26, 2001)).
Since it is advantageous from the standpoint of management of Boolean masking to separate the non-linear part (corresponding to the SBOX) from the linear parts, the AES state to be encrypted, designated by A, is for example subjected to a first SubBytes operation 210, which supplies at output a state B; this state is subjected to a set 220 of operations ShiftRows+MixColumns+AddKey, to generate a state C. The operations 210, 220 correspond to a first round. Then, in a next round, a second SubBytes operation 230 is carried out, to obtain a state D, followed by a further set 240 of operations ShiftRows+MixColumns+AddKey, to generate a state E. The number of rounds envisaged by the procedure 200 depends upon the number of corresponding round subkeys to be added. The various ways of managing the AES rounds are in any case in themselves known to the person skilled in the sector. As has been said, the SubBytes operation 210 or 230, which contains a non-linear portion, is carried out with the aid of a Substitution Box (SBOX), which comprises a look-up table.
At the end of the AES encryption procedure 200, the masks are removed from the ciphertext that is the product of the AES encryption procedure 200.
Represented in FIG. 1B are the masks applied by the method with reference to the very same encryption procedure 200 of FIG. 1A.
For the input of the SBOX (input for the sixteen 1-byte elements of the AES state) input masks L are provided for masking in the first round (steps 210-220) and input masks N are provided for masking in the second round (steps 230-240). Output masks M of the SBOX are provided for masking in the first round (steps 210-220) and output masks O are provided for masking in the second round (steps 230-240).
The so-called high-order side-channel attacks target different points of the algorithm that use the same mask values, so as to remove the protection of the mask. In general, given a mask, the initialization of the look-up table with this mask and the access to the masked data during calculation involve at least two different operations, at two different instants in time, that use the same mask; the corresponding attack is thus a second-order attack.
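As an added illustration (not code from the original disclosure), the following C code builds a masked SBOX table for an input mask L and an output mask M as described above, applies it to a 16-byte masked AES state, and checks that masking, table lookup and unmasking reproduce the plain S-box; the function names and the sample mask values are assumptions of this example. The table initialization and the later lookup are the two points in time that both depend on L.

```c
#include <stdint.h>

/* Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a <<= 1;
        if (carry) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Plain AES S-box S(x): multiplicative inverse in GF(2^8) followed by the affine map. */
uint8_t aes_sbox(uint8_t x) {
    uint8_t inv = 0;
    for (int c = 1; x && c < 256; c++)
        if (gf_mul(x, (uint8_t)c) == 1) { inv = (uint8_t)c; break; }
    uint8_t s = inv, r = inv;
    for (int i = 0; i < 4; i++) { r = (uint8_t)((r << 1) | (r >> 7)); s ^= r; }
    return s ^ 0x63;
}

/* Initialise a masked table T with input mask L and output mask M so that
   T[x ^ L] == S(x) ^ M for every x. This initialisation is the first point
   that uses L; the lookup in masked_subbytes() is the second one. */
void masked_sbox_init(uint8_t t[256], uint8_t L, uint8_t M) {
    for (int x = 0; x < 256; x++)
        t[(uint8_t)x ^ L] = aes_sbox((uint8_t)x) ^ M;
}

/* Masked SubBytes over a 16-byte state whose bytes all carry mask L;
   on return every byte carries mask M instead. No byte is ever unmasked. */
void masked_subbytes(uint8_t state[16], const uint8_t t[256]) {
    for (int i = 0; i < 16; i++) state[i] = t[state[i]];
}

/* Consistency check: returns 1 if, for all 256 inputs, masking with L, looking
   up the masked table and removing M yields the plain S-box value, else 0. */
int masked_sbox_consistent(uint8_t L, uint8_t M) {
    uint8_t t[256];
    masked_sbox_init(t, L, M);
    for (int x = 0; x < 256; x++)
        if ((t[(uint8_t)x ^ L] ^ M) != aes_sbox((uint8_t)x)) return 0;
    return 1;
}
```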
In this context, the countermeasures against high-order attacks are usually complex and very penalizing in terms of latency and of the circuit area required for their implementation. In addition, in hardware implementations the protection level is fixed in the design stage, since it affects the design itself and, as has been said, the area of the circuit to be designed. This constitutes a further complexity and drawback.
In order for the countermeasure to be effective, the masks generally have certain properties: for example, they are unknown to the attacker, are randomly extracted with uniform distribution, and are independent of one another.
A possibility, which may provide the best protection, is to use masks that are all independent of one another, produced by a true random number generator (TRNG). However, generating a large number of values with a TRNG is slow. The large number of values is particularly critical for encryption operations carried out in constrained devices, such as smartcards. The storage space for the masks may easily reach ten times the space occupied by the actual data.
In general, TRNGs presuppose an entropy source based upon some unpredictable physical phenomenon. It is alternatively possible to use masks that appear independent of one another, produced by a pseudo-random number generator (PRNG). In order for the generation to be effectively faster and able to withstand the high demand for random values, this typically requires a dedicated hardware pseudo-random number generator. Moreover, it is difficult to evaluate the side-channel leakages associated with such a pseudo-random number generator, which could introduce new side-channel vulnerabilities.
In addition, in order to reduce the number of true random values, it is possible to reuse some masks that are to be applied to intermediate values. However, this may jeopardize the level of protection.