FIELD OF THE INVENTION

The present invention relates to a method to secure a cryptographic algorithm performing operations on a matrix of n*n words, this cryptographic algorithm necessitating to, when the matrix of data is masked using a mask matrix, performing operations on the masked matrix and on a mask matrix.

More particularly, the invention concerns the security of Keccak implementation on all products for embedded systems, like smart cards, Mobile platforms, Network servers and desktop PCs but also present an interest for algorithms to be applied to matrix of n*n words.

The invention also pertains to relates to a method to recover an intermediate matrix masked using a securization method of the invention and to a device implementing said method.

BACKGROUND OF THE INVENTION

The Keccak algorithm by its structure is sensitive to side channel attacks as soon as a sensitive value is present in the input state. This algorithm has been selected as future SHA3 and also as the base of TUAK algorithm which should be an alternative at MILENAGE for secure element authentication. It is necessary to find solution to protect data that will be processed by it.

As a classical countermeasure to prevent side-channel attacks, we need to mask data manipulated during Keccak rounds. The straight forward method consists in generating a mask of the size of input data, meaning 1600 bits for Keccak, and doing the algorithm twice: one for data as masked and one for the mask.

Given the large state handled in Keccak algorithm, securing it against side-channel attacks requires the generation and management of a large random value to mask its large intermediate variables. Up to now none relevant publications has been done on the way to practically and efficiently secure Keccak. In practice masking of data requires such an amount of resources that it prevents it to be implemented.

Further alternative and advantageous solutions would, accordingly, be desirable in the art.

SUMMARY OF THE INVENTION

The present invention aims at accelerating the secure implementation with the same level of security.

The present invention is defined, in its broadest sense, as a method to secure a cryptographic algorithm comprising the steps of:

- generating a maximum of n*(n-1 ) random values of the size of the words of the matrix for the masking of the data;

- constructing a mask matrix where at least n values are obtained by an combination of at least two of the generated random values;

- using constructed mask matrix to secure the matrix of n*n words.

The invention reduces the size of the random values needed to however mask the sensitive values of the Keccak state. With the present invention, a new masking mechanism with a limited number of masks for the same level of security is thus described in order to limit the size of memory used and not to slow down performances. A countermeasure fully adapted to Keccak algorithm is thus proposed. It is however independent to the configuration and usage of Keccak as it can be used for Hash algorithms, authentication algorithms etc.

The invention enables a drastic memory cost optimization: 576 bits only are needed to store the mask instead of 1600 bits, with same level of security. The invention also offers the possibility to update the mask easily for each round by just replacing random values by new ones. The impact of the implementation of the invention on performances, code and RAM, is very small.

According to a preferred embodiment, said combination is an exclusive disjunction. Such a combination presents the advantage not to harm the randomization of the values, like AND or OR function while being very simple to reverse.

According to a particular feature, at least n values in the mask matrix are obtained by rotation of a random value.

Rotations also offer convenient properties in terms of reversibility while assuring a correct security level for the masking of data. It is here noted that rotations and exclusive disjunction can be used together in the constitution of a given mask according to the invention.

According to a preferred implementation, 2n-1 random values are generated, said random values being combined in the mask matrix.

This number of random values is optimal in terms of efficiency and security. Indeed it consists in generating 10 random values but with one equal to zero. The 2n random values are then combined to form an n*n matrix.

In the preferred application, said algorithm is Keccak algorithm, said matrix being of 5*5 size.

The invention aims particularly this algorithm which is sensitive to side channel attack and thus crucially benefit from a masking of the invention.

The invention also relates to a method to recover an intermediate matrix masked using a securization method of the invention from an intermediate calculated matrix corresponding to the application of at least a part of the cryptographic algorithm to the masked matrix, said intermediate matrix corresponding to the application of at least the given part of the cryptographic algorithm on the matrix of data, said method comprising a step of constructing a set of degraded operations to be applied on values in mask matrix instead of the whole set of operations of the algorithm to be applied on the whole mask matrix, a step of recovering the masked intermediate matrix of n*n words using the values as obtained after the set of degraded operations and the intermediate calculated matrix.

This method further increases the interest of the invention as the use of a degraded set of operations enables to further accelerate the processing. Indeed all operations are not applied but only those who are significant regarding the structure of the mask. Some calculations are thus mutualized.

The present invention at least relates to a device implementing a cryptographic algorithm performing operations on a matrix of n*n words, this cryptographic algorithm necessitating to, when the matrix of data is masked using a mask matrix, performing operations on the masked matrix and on a mask matrix, said device comprising a masking module to implement the method to secure the cryptographic algorithm according to the invention and to recover intermediate matrix masked according to the invention, said device comprising at least a random values generator to generate a maximum of n*(n-1 ) random values of the size of the words of the matrix for the masking of the data, a mask construction module to construct a mask matrix where at least n values are obtained by an combination of at least two of the generated random values and to use constructed mask matrix to secure the matrix of n*n words, said device further comprising a transformation module having a degraded function calculation module to construct a set of degraded operations to be applied on values in mask matrix instead of the whole set of operations of the algorithm to be applied on the whole mask matrix, the transformation module further having a calculation module to recover the masked intermediate matrix of n*n words using the values as obtained after the set of degraded operations and the intermediate calculated matrix.

Such a device is able to perform Keccak algorithm while fulfilling high security and performance requirements.

To the accomplishment of the foregoing and related ends, one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The following description and the annexed drawing set forth in detail certain illustrative aspects and are indicative of but a few of the various ways in which the principles of the embodiments may be employed. Other advantages and novel features will become apparent from the following detailed description when considered in conjunction with the drawing and the disclosed embodiments are intended to include all such aspects and their equivalents.

• Figure 1 schematically represents a device of the invention and illustrates the functioning of the method of the invention.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

For a more complete understanding of the invention, the invention will now be described in detail with reference to the accompanying drawing. The detailed description will illustrate and describe what is considered as a preferred embodiment of the invention. It should of course be understood that various modifications and changes in form or detail could readily be made without departing from the spirit of the invention. It is therefore intended that the invention may not be limited to the exact form and detail shown and described herein, nor to anything less than the whole of the invention disclosed herein and as claimed hereinafter. For clarity, only those elements and steps which are useful to the understanding of the present invention have been shown in the drawing and will be described.

Figure 1 schematically shows a device D of the invention. This device D is requested to process a matrix A comprising sensitive values. Those values are here represented as originated external to the device but these values can also be originated in the device itself. Besides the device D comprises an algorithm F, or at least a function of a cryptographic algorithm performing operations on the matrix A of n*n words. The cryptographic algorithm F necessitates to, when the matrix of data is masked using a mask matrix, performing operations on the masked matrix and on a mask matrix in order to be able to recover the results of the application of the algorithm on matrix A.

Matrix A is here a state of Keccak which can be seen as a matrix of 5x5 words of 64 bits:

Below is given an analysis of Keccak functions in relation with the masking of the matrix, all of them, alone or together, being potentially the function F as used as a reference in the specification and in drawings.

Function Theta consists at first on a XOR of all the elements of one column. This implies to have different masks for the 5 elements of a column, meaning at least one mask per row.

In a second step of this function, two of these results are combined together with a XOR, one with a rotation of one bit. If the masks of all columns are identical, let say equal to t, this second step transform the mask The mask will have a high Hamming Weight. To keep good entropy on the masks, it is necessary to have different masks per column.

Function Rho consists on a rotation of an element itself by a constant which is different per element. At this step, as no elements are combined there is no risk to remove a mask.

Function Pi consists on a permutation of the elements of the state.

There is thus no risk to remove a mask so no influence on the choice of the number of masks.

Function Chi has the following formula: & c) with a,

b, c being 3 elements of the state matrix A. If masks are denoted u, v, w the previous formulae applied on data masked becomes:

According to the following property:

It is thus obtained:

To obtain a data a' masked with a random value, the correction to apply on x is:

This implies to have u ≠ (v&w), meaning all masks different per elements. Function lota consists on a simple XOR with a constant value depending on the round number which has not influence on masking.

Below is disclosed the masking scheme as proposed according to the invention. The invention consists in generating 9 random values of 64 bits to mask the full state, which represent 576 bits of mask instead of 1600 bits. For this purpose the device D comprises a random value generator GEN.

The invention thus requires to define 10 values RV, for example:

which can be qualified as the rows' masks, and which

can be qualified as the columns' masks, with t ₀ =0. Only the random values RV are stored in a memory of the device for unmasking purpose which saves memory.

Then the device D comprises a masking module MM adapted to perform some specific actions.

According to the invention, the state matrix of the masks M is build using combination of several of these values.

For example:

For this purpose, a mask construction module MCM is thus reachable by the masking module MM. The output mask M is provided to a mask application module MAM. To mask the input state A, matrix M is thus constructed and applied by a XOR operation to the Keccak state matrix A.

With the invention, from pure implementation point of view, it is thus not necessary to store the complete matrix but only the 9 masks of 64 bits, 576 bits. Each 64-bit word of input state A can be masked by one or two of the 9 elements ri and/or ti, with i from 0 to 4, knowing the structure of M.

Then the algorithm F is applied to the masked matrix A+M. It results in

F(A+M).

To unmask this result in order to obtain F(A)+M and then F(A) by simple exclusive disjunction with M reconstituted from random values as stored, the present invention further proposes the device D to comprise a transformation module TM having a degraded function calculation module DCM adapted to output a degraded set of operations F' to be applied to the random values RV as stored in the device D to obtain a degraded result F'(M) which can be used in an equivalent way as F(M). The degraded set of operations F' is obtained from the algorithm F, from the random values RV and from information S(M) on the structure of the mask from the random values RV. Once this degraded function F' is applied on the random values, a degraded result F'(M) is obtained. It is then provided to a calculation module CM which calculates F(A+M)+F'(M) which replaces F(A+M)+F(M). Both are equal to F(A)+M. The mask is then easily removable by performing an exclusive disjunction using M on this result.

The strategy used to mask the complete execution of Keccak algorithm consists in applying each function of Keccak on the masked state and applying a "correction" corresponding to the degraded set of operation F' on the state to recover a state masked by M.

The correction step can be performed after each function or at the end of a round. For a round of Keccak, the cost of correction step taking into account the structure of the mask according to the invention is lower than applying a second time all functions to the matrix M.

Below is given the mask evolution in Keccak functions. At the Input function, the input state is masked with M.

During function Theta, the first step of Theta computes values CO, C1 , C2, C3 and C4, being the XOR of the 5 elements of a column. A value Cj (j e[0,4]) is thus masked with

At the second step, an element (A+M)[i][j] is updated with the XOR of

The mask of each element in column j is corrected after Theta function by:

A state masked by M is thus recovered at the end of Theta function. For function Rho, a rotation is applied to each element of the matrix (A+M)[i][j] independently. The mask correction consists in a XOR with the initial mask followed by a XOR with the rotation of this mask

During function Pi, all the elements of the state are permuted. Applying the permutation to the mask would require more memory to store the permuted mask. To avoid extra storage, the mask is directly corrected on the fly. For one element, a mask of destination is first applied and then the mask as initially applied is removed. The order of mask application is important to avoid a data in clear.

For the function Chi, referring to the presented above formula, it can be noted that data a is masked with The correction of the mask

consists only in removing (v&w). In this way a state masked by M is recovered. An element (A+M)[i][j] is thus corrected by

Function lota does not require any manipulation of masks. At the output of the round 1 , the state matrix is masked with M.

It is here noted that it is possible to update the mask at each round by taking 9 new random values and applying them to the mask and the current state.

To validate the proposed masking scheme, practical experiments have been performed by computing correlation between a secret value, noted TOPc in TUAK algorithm set, and a secret Key and intermediate results of functions θ, p, π, χ masked according to the invention. Correlation between a random value and intermediate results has been analyzed to identify the measure of noise.

As a conclusion, correlation results obtained for the masking scheme according to the invention are low, at the same level as noise. Theoretically, it means that no correlation on data is possible. 9 Masks of 64 bits are sufficient to mask the Keccak state. It is here further noted that this scheme can be easily adapted to a 32-bit core by splitting each 64-bit mask n, t, in two parts of 32 bits.

The described embodiment uses an exclusive disjunction as combination between at least two of 9 generated random values. It requires the generation of 10 random values including one equal to zero. Only the storage of the 9 random values is required according to the invention. They are then used in recovery calculations and these recovery calculations are simplified because of the construction of the mask according to the invention.

It is however here noted that the number of random values can be different. A larger number can be used in cases where resources are large enough to support such a generation. It is awaited that the larger the number of random values, the better are the properties in terms of correlation of the values in the mask.

The knowledge of the used combination enables to simplify calculations to recover data. In particular calculations can be mutualized for several values in the matrix. Thus the correction function applied to the mask matrix M is not the function itself as applied to the masked matrix but a modified one F'.

F' is such that F(A+M) + F'(M) gives F(A) + M. The masked result is thus easily obtained by applying an exclusive disjunction using M. Unmasking is preferably done at the end of the algorithm but it can also be done after each round. In any case, the unmasking is rendered much easier with the invention.

The use of the exclusive disjunction as a combination enables, contrarily to other Boolean operations, not to harm the random properties of the values in the mask. Furthermore operations to recover the masked data are simple while using an exclusive disjunction. It avoids complex calculations to be done.

However rotations could be used in addition with the invention. It slightly complexifies the recovery calculation but can offer interesting additional randomization. Compatibility with linear and non-linear operations within the algorithm is assured using exclusive disjunctions and, possible rotations.

For example, while defining rol(a, x) the rotation of a by x bits to the left and generating 5 indexes between 0 and 63, all different, the mask matrix M becomes, with

In the above detailed description, reference is made to the accompanying drawings that show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. The above detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, appropriately interpreted, along with the full range of equivalents to which the claims are entitled.