The invention concerns a method of determining a representation of a product of elements of a finite field each represented by a plurality of values, as well as a method of evaluating a function using the aforementioned determining method and associated devices.
To prevent an attacker who observes an electronic circuit (through its power consumption or electromagnetic emanations, for instance) from deducing the data that the circuit manipulates, principally in the field of cryptography, it is known to mask the manipulated data with a random value, typically by combining the data to be processed with the random value by means of an exclusive-or (XOR) operation, so that the data actually manipulated by the electronic device differ at each execution of the algorithm concerned, even when the attacker deliberately causes the same computation to be run again.
On account of the properties of XOR, the masking operation may be seen as an addition within the set of all possible data values, typically the set of n-bit words, which is then the Galois field commonly designated F_{2^n} (also written GF(2^n)), whose addition is precisely the bitwise XOR.
In order to combat such attacks even more effectively, it has been proposed to use several masks for the same item of data, typically such that the sum (by means of the XOR operation) of the masked item of data and of all the masks yields the original item of data.
The original item of data is then represented during the computations by d values, of which d−1 are drawn at random and the last is chosen so that the sum of the d values is equal to the original, i.e. unmasked, item of data.
The processing of data represented by a plurality of values must be such that the operations applied to those values result, in the end, in the desired processing of their sum. This poses no difficulty when the function to apply is linear with respect to the addition operation (XOR): it then suffices to apply the desired processing to each of the values representing the item of data in order to obtain the values representing the result of the operation.
A difficulty does arise, on the other hand, when a non-linear function is to be applied, as is the case for example with the AES algorithm, whose SubBytes step is built on a multiplicative inversion in F_{2^8}.
In the context of the implementation of such functions by means of Boolean circuits, the paper "Private circuits: securing hardware against probing attacks", by Y. Ishai et al., Crypto 2003, LNCS 2729, pp. 463-481, 2003, proposes to secure AND gates by using a plurality of binary random values (d(d−1)/2 random bits per AND gate for d shares), XOR gates being linear and therefore processed share by share.
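The following Python example, added here and not taken from the patent or from the Ishai et al. paper, makes the preceding paragraphs concrete: the representation of a value by d values summing (XOR) to it, the share-by-share application of a function that is linear over XOR, the failure of the same share-by-share approach for multiplication, and the ISW AND-gate construction with bits replaced by elements of F_{2^8}. The field (AES polynomial x^8 + x^4 + x^3 + x + 1), the function names and the use of this particular generalisation are assumptions of the example, not the method claimed by the invention.

```python
import random

# Field: GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
# The field is an assumption of this example; the construction works for any
# GF(2^n) once gf_mul and N_BITS are changed accordingly.
N_BITS = 8
AES_POLY = 0x11B


def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^n) is bitwise XOR: the masking operation itself."""
    return a ^ b


def gf_mul(a: int, b: int, poly: int = AES_POLY, n: int = N_BITS) -> int:
    """Carry-less multiplication of two n-bit words, reduced modulo poly."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << n):
            a ^= poly
    return r & ((1 << n) - 1)


def share(x: int, d: int, rng=None, n: int = N_BITS) -> list:
    """Represent x by d values whose XOR is x: d-1 random masks plus one correction."""
    rng = rng or random.SystemRandom()  # a real device would draw from its TRNG
    shares = [rng.randrange(1 << n) for _ in range(d - 1)]
    last = x
    for s in shares:
        last = gf_add(last, s)
    shares.append(last)
    return shares


def unshare(shares: list) -> int:
    """Recover the original value as the XOR of all d values."""
    x = 0
    for s in shares:
        x = gf_add(x, s)
    return x


def apply_linear(f, shares: list) -> list:
    """A function linear over XOR may be applied to each share independently
    (e.g. multiplication by a constant, or squaring, since (x+y)^2 = x^2 + y^2
    in characteristic 2)."""
    return [f(s) for s in shares]


def naive_mul(a_sh: list, b_sh: list) -> list:
    """Share-wise product. WRONG: multiplication is not linear over XOR, so
    the XOR of these values is not, in general, the product of the inputs."""
    return [gf_mul(x, y) for x, y in zip(a_sh, b_sh)]


def secure_mul(a_sh: list, b_sh: list, rng=None, n: int = N_BITS) -> list:
    """ISW AND-gate scheme with the bits replaced by GF(2^n) elements (the
    generalisation assumed by this example, not the patent's own method).
    Uses d(d-1)/2 random field elements; the XOR of the output shares equals
    the product of the unshared inputs."""
    rng = rng or random.SystemRandom()
    d = len(a_sh)
    r = [[0] * d for _ in range(d)]
    for i in range(d):
        for j in range(i + 1, d):
            r[i][j] = rng.randrange(1 << n)
            # Evaluation order matters in the probing model: add the random
            # element first so that a_i*b_j + a_j*b_i never appears unmasked.
            r[j][i] = gf_add(gf_add(r[i][j], gf_mul(a_sh[i], b_sh[j])),
                             gf_mul(a_sh[j], b_sh[i]))
    out = []
    for i in range(d):
        c = gf_mul(a_sh[i], b_sh[i])
        for j in range(d):
            if j != i:
                c = gf_add(c, r[i][j])
        out.append(c)
    return out


if __name__ == "__main__":
    a, b, d = 0x53, 0xCA, 3  # 0x53 * 0xCA = 1 in the AES field
    a_sh, b_sh = share(a, d), share(b, d)
    print("secure product :", hex(unshare(secure_mul(a_sh, b_sh))))
    print("naive product  :", hex(unshare(naive_mul(a_sh, b_sh))))
    print("square (linear):", hex(unshare(apply_linear(lambda s: gf_mul(s, s), a_sh))))
```

The XOR of the values returned by `secure_mul` is always the field product, whatever random elements were drawn, whereas `naive_mul` is only right by accident; this is exactly the gap between linear and non-linear processing that the text describes. In a real implementation the random elements come from the device's generator, and the bracketing in the inner loop must be preserved by the compiler, which is one reason such code is usually reviewed at the assembly level.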
Any function implemented in wired logic, including a non-linear one, may thus be rendered secure, at the cost however of an increase in the silicon area used.
Moreover, this solution is not applicable in practice to a software implementation of the function to be applied to the data, since bit-by-bit processing in software is very inefficient, although such an implementation may be preferable for other reasons. In particular, a software implementation avoids the observable electrical phenomena linked to performing the masking in a circuit, namely the transient transitions, named "glitches", caused by differing signal propagation delays, which make certain attacks possible or require onerous counter-measures (such as additional synchronization circuits).