A processor device for the purposes of the invention is understood to be a unit or another object having a processor, for example a mobile end unit such as a smartphone. Security-critical data used by the cryptographic algorithm, e.g. PINs, passwords, cryptographic keys, etc., are supplied to the processor device in secured fashion. Traditionally, security-critical data are secured by (grey-box) cryptography to protect them against an attack by unauthorized persons. For this purpose, the data are supplied on a security element of the mobile end unit that is independent in terms of hardware, for example on a SIM card removable from the mobile end unit.
An alternative approach which is applicable in particular also to mobile end units having no independent security element is based on the white-box cryptography. In a white-box implementation of a cryptographic algorithm it is attempted to hide the security-critical data, in particular secret cryptographic keys, in the implementation in such a way that an attacker having full access to the implementation is not capable of extracting the security-critical data from the implementation. A white-box implementation of the AES crypto-algorithm (AES=Advanced Encryption Standard) is known, for example, from the publication [1] “A Tutorial on White-box AES” from James A. Muir, Cryptology ePrint Archives, Report 2013/104. Likewise, white-box implementations of cryptographic algorithms or routines are commercially distributed.
An ideal white-box implementation of a crypto-algorithm conceals security-critical data such as cryptographic keys such that they are not ascertainable by an attack.
In the patent application DE 102014016548.5 of the applicant of the present application, a method is described for testing a white-box implementation of a cryptographic algorithm executable on a processor, with which the inventors have succeeded in ascertaining security-critical data by an attack, which according to the white-box concept should actually not be possible. Under this aspect, the tested white-box implementations are, because of their attackability, by definition no longer perfect white-box implementations, yet are hereinafter still designated as white-box implementations because of their objective of being perfect.
In the technical publication [3] “Differential Computation Analysis: Hiding your White-Box Designs is Not Enough”, J. W. Bos, Ch. Hubain, W. Michiels, and Ph. Teuwen, eprint.iacr.org/2015/753, by the company NXP, a test method similar to that in the above-mentioned patent application 102014016548.5 is disclosed, with which the secret key could likewise be ascertained from a white-box implementation of a crypto-algorithm by statistical methods.
In the patent application 102014016548.5, further, a directive for action is supplied for a method for hardening the white-box implementation of a cryptographic algorithm executable on a processor. To achieve the hardening, the white-box implementation is configured such that, upon generating the cipher text, at least one lookup table is used to statically map entry values of the lookup table onto exit values of the lookup table. The method comprises the step that the lookup table is statistically permuted such that the individual bits of the permuted lookup table substantially do not correlate with the bits of the lookup table. In other words: the lookup table T is statistically permuted by means of an invertible mapping f (there designated as permutation P) such that the individual bits of the permuted lookup table T′(x)=f(T(x)) do not correlate with the bits T(x) for randomly varying input x.
The inventors of the present application have developed three construction regulations for a function f, which function f allows a cryptographic algorithm, in particular a block cipher like the Data Encryption Standard (or also AES), to be white-box-masked in such a way that the attack described in the patent application 102014016548.5 is prevented or at least made very difficult. The basic principle here is to link exit values of security-critical computation steps with values/bits statistically independent thereof, so-called obfuscation values/bits y. Statistically independent means here that, with a randomly varying entry value x, the exit values of the computation step S[x] do not correlate, or correlate only slightly, with the obfuscation values/bits. These construction regulations are described in separate applications. The construction regulations were first developed on the basis of the standard representation of crypto-algorithms, in particular of the Data Encryption Standard DES, and turned out to be memory-intensive and complicated to realize. It is therefore desirable to find an easier way of applying the developed construction regulations for the function f to crypto-algorithms, in particular to block ciphers, in particular the DES.
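As an added illustration of the correlation criterion in the two preceding paragraphs (not code from the patent or from the cited publications), the following measures, over all inputs, the largest absolute correlation between single bits of a lookup table variant and single bits of the unmasked DES S-box S1 (public FIPS 46-3 table). The linear map f_linear and the constant 0b1011 are constructed for the example; f_linear is chosen only because its zero single-bit correlation is easy to verify, not as a recommended masking.

```python
import math
from itertools import product

# DES S-box S1 from FIPS 46-3 (public); row = outer bits of the 6-bit input, column = middle four bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """Standard DES S1 lookup for a 6-bit input x."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def bit(v, i):
    return (v >> i) & 1

def correlation(a, b):
    """Pearson correlation of two equal-length 0/1 sequences, using exact integer sums."""
    n = len(a)
    sa, sb, sab = sum(a), sum(b), sum(p * q for p, q in zip(a, b))
    var_a, var_b = n * sa - sa * sa, n * sb - sb * sb
    if var_a == 0 or var_b == 0:
        raise ValueError("constant bit: correlation undefined")
    return (n * sab - sa * sb) / math.sqrt(var_a * var_b)

def max_abs_correlation(table, inputs):
    """Largest |corr| between any bit of table(x, y) and any bit of S1(x) over the (x, y) inputs."""
    ref = [[bit(s1(x), j) for x, _ in inputs] for j in range(4)]
    obs = [[bit(table(x, y), i) for x, y in inputs] for i in range(4)]
    return max(abs(correlation(o, r)) for o in obs for r in ref)

def f_linear(v):
    """Constructed invertible linear f on 4 bits; every output bit XORs two or more input bits."""
    b0, b1, b2 = bit(v, 0) ^ bit(v, 1), bit(v, 1) ^ bit(v, 2), bit(v, 2) ^ bit(v, 3)
    b3 = bit(v, 0) ^ bit(v, 1) ^ bit(v, 3)
    return b0 | b1 << 1 | b2 << 2 | b3 << 3

def compare_maskings():
    """Return max |corr| of four lookup-table variants against the unmasked S1 output bits."""
    xs = [(x, 0) for x in range(64)]                   # all 6-bit inputs, no obfuscation bits
    xys = list(product(range(64), range(16)))          # all inputs paired with 4 obfuscation bits y
    return {
        "T(x) = S1(x)":               max_abs_correlation(lambda x, y: s1(x), xs),
        "T'(x) = S1(x) xor const":    max_abs_correlation(lambda x, y: s1(x) ^ 0b1011, xs),
        "T'(x) = f(S1(x)), f linear": max_abs_correlation(lambda x, y: f_linear(s1(x)), xs),
        "T'(x, y) = S1(x) xor y":     max_abs_correlation(lambda x, y: s1(x) ^ y, xys),
    }
```

XORing a fixed constant only flips the sign of the correlation (|corr| stays 1), while linking the S-box output with independent obfuscation bits y, as the construction principle above describes, drives every single-bit correlation to exactly zero; the single-bit criterion is necessary but does not by itself rule out correlations with combinations of bits.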
The invention is based on the object of stating a processor device having an implementation of the cryptographic algorithm DES, which allows a masking against attacks by means of white-box cryptography in an easier way than conventional standard implementations.
In the document [4] “A White-Box DES Implementation for DRM Applications”, S. Chow, P. Eisen, H. Johnson, P. C. van Oorschot, pre-proceedings for ACM DRM-2002, Oct. 15, 2002, the authors have already found that a white-box implementation of the DES is demanding (e.g., [4] page 2, para. 5) and developed an alternative representation of the DES which allows an easier further development to a white-box implementation. Document [4] first starts out from a DES having 16 rounds. Each DES round in standard representation (regarding the DES round in standard representation see also FIG. 1 of the present application) has eight S-box operations S1, . . . S8, with an expansion operation E and a linkage (XOR) with key bits before the S-box operations and a permutation operation P after the S-box operations. For the subsequent round, input bits of the right side R are supplied, without going through S-boxes, as input bits of the left side to the subsequent DES round. According to [4], chapt. 5, the operations of two successive DES rounds are combined and newly grouped in a cross-DES-round manner. In doing so, the eight S-box operations S1, . . . S8 provided in DES in standard representation are replaced by twelve T-box operations ([4] chapt. 5.1). In eight of the T-box operations, besides the S-box operations, there additionally enter linkages with key bits at the input of the S-boxes. Four further T-boxes are supplied for receiving the input bits that are to be delivered merely to the next round (in [4] sometimes designated as dummy T-boxes). Between the T-box operations T, the M-box operations are carried out, in which the permutation operation P of a round and the expansion operation E of the following round are absorbed ([4] FIG. 1 (a) and (b)). Among other reasons, because of the total of twelve T-boxes required and the additional M-box operation, the white-box implementation stated in [4] is memory-intensive.
The partial break-up of the round structure of the DES, since the M-boxes include operations of two different rounds, also carries a risk of incompatibility, or at least requires increased care and attention.
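As an added example (not code from the patent or from [4]) of the absorption of P and E described above: with the public DES tables, the permutation P at the end of round r and the expansion E at the start of round r+1 compose into a single 48-entry bit-selection table, which is the cross-round core of such an M-box. Only this P/E absorption is modelled; the further bookkeeping of the M-boxes in [4] is not.

```python
import random

# DES E (32 -> 48 bit expansion) and P (32-bit permutation) from FIPS 46-3, as 1-based source positions.
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]

def select_bits(bits, table):
    """Apply a DES bit-selection table (1-based source positions) to a list of bits."""
    return [bits[pos - 1] for pos in table]

# Output bit j of E(P(v)) is source bit P[E[j] - 1] of v, so P of round r and E of round r+1
# collapse into one 48-entry selection table that straddles the round boundary.
M = [P[e - 1] for e in E]

def p_then_e(sbox_out32):
    """Standard representation: P at the end of round r, then E at the start of round r+1."""
    return select_bits(select_bits(sbox_out32, P), E)

def m_box(sbox_out32):
    """Cross-round representation: the combined table applied once."""
    return select_bits(sbox_out32, M)

def tables_agree(trials=200, seed=7):
    """Check on constructed random 32-bit S-box output vectors that both paths yield the same 48 bits."""
    rng = random.Random(seed)
    vectors = ([rng.randint(0, 1) for _ in range(32)] for _ in range(trials))
    return all(p_then_e(v) == m_box(v) for v in vectors)
```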