Smart devices, in particular those with low power requirements, typically called passive smart devices, are widely used for authentication and access control. Examples of such devices include contactless smart cards, which are a subset of radio-frequency identification (RFID) tags. Such passive smart devices typically use an application specific integrated circuit (ASIC).
Given the application of passive smart devices in security critical applications, cryptography is used to authenticate the passive smart device on use. Conversely, due to the desirability of the information that a passive smart device may hold or allow access to, they are also the focus of malicious attempted use.
A lot of time and effort is spent in implementation and analysis of side-channel countermeasures within security integrated circuits (ICs) like smartcards. A side-channel attack is any attack based on information gained from the physical information of a cryptographic system. Such attacks are different from a software brute force attack or an exploit or weakness in the encryption algorithms. Side-channel attacks typically examine the internal operation of the system, such as the power drawn by the system, electromagnetic (EM) emissions or other ‘side-channels’ to determine patterns and implementation steps. One such known side-channel attack is differential power analysis (DPA). This may involve a malicious user studying traces of power usage during use of the device and, utilising statistical analysis, determining features of the encryption algorithms.
With the use of currently available standardized algorithms and protocols, like the ones used in banking or e-government applications, attack scenarios for differential power analysis (DPA) (and differential fault attacks) are available, leading to devices implementing such protocols being threatened by such side-channel attacks (for example, because a varying input is always encrypted with the same (master) key, variations in the power signature of a system are solely or generally dependent on variations in the encryption algorithm).
One solution to such attacks uses a method of re-keying. In such a method, a session key is derived from the master key, where subsequently this session key is used for the actual operation. This session key is changed regularly in order to decrease the amount of power traces that can be obtained from the device for a specific (master) key.
A special instance of this re-keying has been applied within the CIPURSE protocol. In this approach the master key is used to derive an intermediate session key by using a random input and a function (called NLM (non-linear map)) that is easier to protect against implementation attacks. This intermediate session key is then used together with the master key to get to the used session key. (see reference US2010316217A1). The above solution to such DPA attacks relies on a random number agreement between the two parties. Such an approach prevents verification of previous transactions. In particular, it is not possible to repeat the sessions without the random numbers.
A relatively new area of research is leakage resilient cryptography. In leakage resilience (LR), it is sought to avoid having the typical DPA scenario where it is possible to attack the key of a block cipher chunk-wise (i.e. in chunks, such as byte by byte) with a varying input for every execution. In the LR approach the block cipher is executed multiple times where the complete input vector is only used chunk-wise (e.g. 1 bit at a time) and copied to the whole input state of the block cipher. In every iteration the next input chunk is used as the input (again copied to the whole state). This limits the data-complexity, i.e. the number of traces which can be used for an attack, and creates a dependency between the side-channel information of the different key chunks. However, an adversary can still apply a DPA attack due to the N>1 traces available per key.
In summary, there are still issues in performing symmetric cryptography security services (e.g. IC authentication, secure communication, key update etc.) on a low-cost IC without implementation of heavy countermeasures and the need for detailed side-channel investigations. The following disclosure aims to address these problems.