BACKGROUND OF THE INVENTION

[0001 ] The present invention relates generally to electronic cryptography technology, and in particular to a mechanism for protecting a cryptography device against side-channel attacks by performing a block cipher using a constant Hamming weight substitution-box.

[0002] Electronic communication and commerce can be powerful yet dangerous tools. With the wide-spread availability of network technology, such as the Internet, there is an ever increasing use of online tools for communication and commerce. Every year more users find it easier or quicker to conduct important transactions, whether in the form of correspondence or commerce, using computers and computer networks. However, there is always the risk that the security of electronic transactions is compromised through interception by third parties who do not have the right to partake in the transactions. When malicious third parties obtain access to otherwise private transactions and data there is risk of economic loss, privacy loss, and even loss of physical safety. Cryptography is one mechanism employed to avoid intrusion into the privacy of electronic transactions and data.

[0003] Cryptography is a technology for hiding a message in the presence of third parties using mathematical techniques in which a message is encrypted in such a way that it can only be decrypted using a secret key that should only be known by the recipient and/or sender of a message.

[0004] Cryptographic algorithms have inputs and outputs. In the case of encryption, the input is a message that is to be protected in plaintext. The plaintext message is manipulated by the cryptographic algorithm to produce a ciphertext, the output. To produce the ciphertext the cryptographic algorithm performs certain mathematical operations that include the use of a secret key. The key may be a shared secret, e.g., between a sender and recipient, or may be a private key held by the recipient.

[0005] Traditionally, both the sender and recipient of an encoded cryptographic message were considered secure. Cryptography's primary use is to transmit an encoded message from the sender to the recipient without fear that an intermediary will be able to decode the message. If an attacker has no access to the sender's or recipient's cryptography devices, the attacker is limited to using the encoded message itself, or possibly an encoded message and a corresponding plaintext message, to discern the cryptographic key used to encode or decode the message. However, if the attacker gains access to the cryptographic device, the picture changes dramatically.

[0006] One mechanism of ensuring that a private key is indeed kept private is to store the private key and any related key material on a secure portable device, e.g., a smart card or a mobile device. A smart card is a small tamper-resistant computer often in the form of a credit card sized and shaped package. Smart cards may be used to store cryptographic keys and cryptography engines for performing encryption, decryption, and digital signatures.

[0007] In one example, a user may receive an encrypted message and use his smart card to decrypt the message by first authenticating to the smart card and then passing the message to the smart card for decryption. If authentication is successful, the smart card may use a cryptographic key stored on the card, and a corresponding cryptography engine, to decrypt the message and provide the decrypted message to the user. Similarly, if a user wishes to cryptographically sign a message, the user may pass the message to the user's smart card, which uses a cryptographic key of the user to digitally sign the message and to provide the signature back to the user or to a third party recipient.

[0008] If an attacker has access to the smart card, the attacker may make repeated observations of the execution of the cryptographic algorithms, which may allow the attacker to discern the secret cryptographic keys stored on the smart card. One such attack is the so-called side-channel attack.

[0009] Side-channel attacks make use of the program timing, power consumption and/or the electronic emanation of a device that performs a cryptographic computation. The behavior of the device (timing, power consumption and electronic emanation) varies and depends directly on the program and on the data manipulated in the cryptographic algorithm. An attacker could take advantage of these variations to infer sensitive data leading to the recovery of a private key.

[0010] One frequently used cryptographic technique is the substitution box, also known as S-box. The S-box technique involves the non-linear substitution of a particular set of bits for another set of bits through the use of a two-dimensional lookup table. For example, the Rijndael family of block ciphers, including AES-128 (Advanced Encryption Standard with 128- bit key), operates on an internal 4x4 matrix of 8-bit bytes, the state matrix (hereinafter the Rijndael state). During encryption and decryption of a plaintext, a sequence of rounds are executed; during each round, each byte of the state is replaced with a corresponding byte from the Rijndael S-box.

[001 1 ] It has been found that the S-box step is vulnerable to side-channel attacks. Side-channel attacks rely on sensitive data, for example, the S-box output, appearing on memory cells and registers of a cryptographic device. The connection between 1 ) power consumption of the cryptographic device, 2) Hamming weight of data manipulated inside the cryptographic device, and 3) the manner in which known inputs interact with secret data is exploited. Statistical tools are used to determine the value of secret data by analyzing how power consumption changes when known inputs are changed.

[0012] As Rijndael ciphers include multiple rounds, there are multiple S-box operations. The first S-box operation is particularly vulnerable to a side-channel attack if the S-box input contains a straightforward interaction between a known input and secret keys, thus being relatively simple to analyze. The second S-box is also vulnerable. However, analysis of the second S-box operation requires a successful attack on the first S-box to get intermediate data, which may be used in the analysis.

[0013] Side-channel attack against the Rijndael family of ciphers is a well-studied subject and many countermeasures exist. Typically such countermeasures involve masking of the cryptographic operation. Some examples are techniques described in

[Akkar] Mehdi-Laurent Akkar and Christophe Giraud. An Implementation of DES and AES, Secure against Some Attacks. In Cetin Kaya Koc, David Naccache, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems - CHES 2001, volume 21 62 of Lecture Notes in Computer Science, pages 309-31 8. Springer, 2001 ; [Golic] Jovan D. Golic and Christophe Tymen. Multiplicative Masking and Power Analysis of AES. In Burton S. Kaliski Jr., Cetin Kaya Koc, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems - CHES 2002, volume 2535 of Lecture Notes in Computer Science, pages 1 98-21 2. Springer, 2003. Elisabeth Oswald, Stefan Mangard, and Norbert Pramstaller. Secure and Efficient Masking of AES - A Mission Impossible, Cryptology ePrint Archive (http://eprint.iacr.org/), Report 2004/1 34, 2004. These solutions require significant RAM to create a randomized S-Box derived from the standard S- box.

[0014] Thus, while there are existing solutions to protect against side-channel attacks, many of these techniques require significant RAM.

[0015] The MILENAGE algorithm set, which is used to provide security features in the context of UMTS (Universal Mobile Telecommunication System, is built on the Rijndael block cipher ([MILENAGE] 3GPP TS 35.205, v13.0.0 (201 6-01 ): Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1 ,f1 ^* , f2, f3, f4, f5, and f5 ^* ). Being a Rijndael block cipher, MILENAGE includes S-box substitutions, and is therefore prone to side-channel attacks mounted against the S-box substitutions.

[0016] MILENAGE is typically deployed on SIM (Subscriber

Identity Module) cards, also known as UICC cards. These cards are often quite resource constrained, for example, having a RAM of 128K bytes or less. Because of these resource constraints, countermeasures that require a significant amount of RAM are not possible.

[0017] As it is desirable to perform cryptography operations efficiently and securely on resource constrained devices, such as SIM cards, it is desirable to provide a countermeasure against side-channel attacks that does not require large use of RAM.

[0018] From the foregoing it will be apparent that there is still a need for an improved technology to provide a secure cryptography mechanism that is computationally efficient, does not require excessively large RAM or other storage, and with which a portable security device - e.g., a SIM card connected to a mobile communications device - can provide the capability of providing cryptographic services that are protected from side channel attacks.

BRIEF DESCRIPTION OF THE DRAWINGS

[0019] Figure 1 is a schematic illustration of a host computer with a portable security device, e.g., a smart card, connected thereto for performing cryptographic services through connection over a network to one or more servers.

[0020] Figure 2 is a schematic illustration of a cryptography device.

[0021 ] Figure 3 is a schematic illustration of programs stored in a memory of the cryptography device of Figure 2.

[0022] Figure 4 is a schematic illustration of a cryptography module program listing that may be stored in the memory of a portable security device as illustrated in Figure 3 and which performs a cryptographic operation including a round function.

[0023] Figure 5 a schematic illustration illustrating the use of AES-128 encryption in the MILENAGE algorithm.

[0024] Figure 6 a standard AES-128 substitution box.

[0025] Figure 7 is a flow-chart illustrating the computation of two

Hamming-weight neutral S-boxes from a standard S-box.

[0026] Figure 8 is a pseudocode listing of cryptographic operation using substitution boxes.

[0027] Figures 9 is an illustration of two Hamming-weight neutral

S-boxes corresponding to the standard substitution box of Figure 6.

[0028] Figures 10 and 1 1 are logic diagrams illustrating the performance of a round function using the Hamming-weight neutral S-boxes of Figure 9.

SUMMARY OF THE INVENTION

The following summary of the invention is provided in order to provide a basic understanding of some aspects and features of the invention. This summary is not an extensive overview of the invention and as such it is not intended to particularly identify key or critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented below.

The present invention addresses the aforementioned need for an improved technology to provide a secure cryptography mechanism that is computationally efficient, does not require excessively large RAM or other storage, and which can provide the capability of providing cryptographic services that are protected from side channel attacks.

To achieve those and other advantages, and in accordance with the purpose of the invention as embodied and broadly described, the invention proposes a method for operating a cryptography device, having a processor and memory, to perform a cryptography operation resistant to side-channel attack, comprising:

a single substitution box is split into a first and a second Hamming- weight-neutral substitution box,

the both first and second Hamming-weight-neutral substitution box are used in lieu of the single substitution box to obtain a first and second substitution output from a byte of an encryption state wherein each substitution in the first and the second Hamming-weight-neutral substitution boxes have an equal Hamming weight and each correspond to opposite nibbles of the corresponding substitution in the single substitution box.

Aspects of the embodiments of the present invention relate in that combining the first and second substitution outputs into a combined value in a post-processing operation to obtain an output equivalent to that of a cryptographic operation performed using the single substitution box.

Aspects of the embodiments of the present invention relate in that: each substitution - in the single substitution box, the first Hamming- weight-neutral substitution box, and the second Hamming-weight-neutral substitution box - comprises an upper left nibble and a lower right nibble; and the left nibble of each substitution of the first Hamming-weight-neutral substitution box is a relevant nibble equaling the left nibble of a corresponding substitution in the single substitution box; the right nibble of each substitution of the first Hamming-weight-neutral substitution box is a compensation nibble set such that the combined Hamming weight of the left and right nibbles of each substitution in the first Hamming-weight-neutral substitution box equals said equal Hamming weight; the right nibble of each substitution of the second Hamming-weight- neutral substitution box is a relevant nibble equaling the right nibble of a corresponding substitution in the single substitution box; and

the left nibble of each substitution of the second Hamming-weight- neutral substitution box is a compensation nibble set such that the combined Hamming weight of the left and right nibbles of each substitution in the second Hamming-weight-neutral substitution box equals said equal Hamming weight.

Aspects of the embodiments of the present invention relate in that the post-processing operation comprises combining the first and the second substitution outputs by masking out the compensation nibbles used to compensate for the Hamming-weight of the corresponding relevant nibble.

Aspects of the embodiments of the present invention relate in that said equal Hamming weight is four and the combined Hamming weight of said left and right nibbles of each substitution of the first Hamming-weight-neutral substitution box equal four.

Aspects of the embodiments of the present invention relate in a cryptographic device protected against side-channel attacks, comprising:

a hardware processor coupled to an instruction memory;

a memory storing a first substitution box and a second substitution box, wherein each substitution in the first substitution box and in the second substitution box has a Hamming weight equal to the Hamming weight of all other substitutions in the first and second substitution boxes, respectively; and a cryptography module stored in the instruction memory and comprising instructions executable by the cryptographic processor to perform a byte substitution operation using said first and second substitution boxes.

Aspects of the embodiments of the present invention relate in that the cryptographic module further comprises instructions to cause the processor to combine the first and second substitution outputs into a combined value in a post-processing operation to obtain an output equivalent to that of a cryptographic operation performed using the single substitution box.

Aspects of the embodiments of the present invention relate in that each substitution - in the single substitution box, the first Hamming-weight-neutral substitution box, and the second Hamming-weight-neutral substitution box - comprises a left nibble and a right nibble; and the left nibble of each substitution of the first Hamming-weight-neutral substitution box is a relevant nibble equaling the left nibble of a corresponding substitution in the single substitution box;

the right nibble of each substitution of the first Hamming-weight-neutral substitution box is a compensation nibble set such that the combined Hamming weight of the left and right nibbles of each substitution in the first Hamming-weight-neutral substitution box equals said equal Hamming weight; the right nibble of each substitution of the second Hamming-weight- neutral substitution box is a relevant nibble equaling the right nibble of a corresponding substitution in the single substitution box; and

the left nibble of each substitution of the second Hamming-weight- neutral substitution box is a compensation nibble set such that the combined Hamming weight of the left and right nibbles of each substitution in the second Hamming-weight-neutral substitution box equals said equal Hamming weight.

Aspects of the embodiments of the present invention relate in that the post-processing operation comprises combining the first and the second substitution outputs by masking out the compensation nibbles used to compensate for the Hamming-weight of the corresponding relevant nibble.

Aspects of the embodiments of the present invention relate in that said equal Hamming weight is four and the combined Hamming weight of said left and right nibbles of each substitution of the first Hamming-weight-neutral substitution box equal four.

DETAILED DESCRIPTION OF THE INVENTION

[0029] In the following detailed description, reference is made to the accompanying drawings that show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It is to be understood that the various embodiments of the invention, although different, are not necessarily mutually exclusive. For example, a particular feature, structure, or characteristic described herein in connection with one embodiment may be implemented within other embodiments without departing from the spirit and scope of the invention. In addition, it is to be understood that the location or arrangement of individual elements within each disclosed embodiment may be modified without departing from the spirit and scope of the invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, appropriately interpreted, along with the full range of equivalents to which the claims are entitled. In the drawings, like numerals refer to the same or similar functionality throughout the several views.

[0030] In an embodiment of the invention, a technology is provided that increases the computational efficiency of cryptographic apparatuses that perform block cipher cryptography by improving the utilization of the processing resources of the cryptography apparatus. Furthermore, the provided technology efficiently reduces the risk of differential power analysis attacks.

[0031 ] Smart cards are plastic cards with an embedded microprocessor and a secure storage. They are portable, secure, and tamper- resistant. Smart cards provide security services in many domains including telecommunication, banking, commerce, and citizen identity. Smart cards can take different forms, such as credit card shaped cards with electrical connectors to connect the smart card to a smart card reader, USB tokens with embedded smart cards, and SIM cards for use in mobile telephones and tablet devices. Smart cards are used herein as examples of portable security devices that may be used in implementations of the technology described herein. Other examples of portable security devices include smart memory cards, flash memory, etc. In a preferred embodiment, the portable security device has a processor, a memory for storing programs and data, and some security features to make the device relatively tamper-proof. Smart cards are used herein as examples of such devices.

[0032] While the mechanism for performing a cryptographic calculation described herein may be used advantageously in smart cards and other portable security tokens used for performing cryptographic calculations, the same mechanisms may also be used with other cryptographic processors. Thus, smart cards are used herein for illustrative purposes only.

[0033] Digital signature and other cryptography are examples of functions that smart cards provide. The smart card stores private or shared secret keys in its secure storage and performs cryptographic operations to generate a digital signature for a given input or to decrypt a given input. A smart card works with a host device, such as a personal computer (PC), cell phone, tablet device or banking terminal. A PC application, such as an email client or a web browser, typically works with a smart card to sign, encrypt, or decrypt a document. The cryptographic operation may be part of a challenge- response mechanism for user authentication. The PC application and the smart card interact through some cryptographic API called middleware, which is designed to communicate with the smart card. In this scenario, the smart card provides services locally to the PC.

[0034] Figure 1 is a schematic illustration of a network 1 1 1 connecting a host computer 103 with a portable security device 1 09, e.g., a smart card, connected thereto, to one or more remote servers 1 1 3. The host computer 1 03 is operated by a user 101 who interacts with one of the servers 1 1 3 via a web browser window 1 05 of a web browser. In the example scenario illustrated in Figure 1 , the smart card 1 09 provides the cryptographic operations on behalf of the user 1 01 , e.g., to cryptographically sign documents, to decrypt messages received from the relying party 1 1 3, or to perform a cryptographic operation as part of a challenge-response authentication mechanism.

[0035] While Figure 1 provides an illustration of a scenario in which cryptography may play an important role, there are many other important uses for cryptography. Thus, the technology described herein is not limited in its application to the usage example illustrated in Figure 1 .

[0036] Figure 2 is a schematic illustration of a portable security device 1 09, for example, a smart card. The portable security device 1 09 may include a processor 201 connected via a bus 202 to a random access memory (RAM) 203, a read-only memory (ROM) 204, and a non-volatile memory (NVM) 205. The portable security device 1 09 further includes an input/output interface 207 for connecting the processor 201 , again typically via the bus 202, to a connector 21 1 by which the portable security device 1 09 may be connected to the host computer 1 03.

[0037] In alternative embodiments, the connection between the host computer 1 03 and the portable security device 1 09 is wireless, for example, using near-field communication (NFC) or other radio or microwave communication technologies.

[0038] The ROM 204 and/or NVM 205 may include computer programs 301 as is illustrated in Figure 3. While it is here depicted that the computer programs 301 are all co-located in the ROM 204 or the NVM 205, in actual practice there is no such restriction as programs may be spread out over multiple memories and even temporarily installed in RAM 203. Furthermore, the portable security device 1 09 itself may include multiple ROMs or NVMs. The programs 301 include operating system programs as well as application programs loaded onto the portable security device 1 09. The ROM 204 or NVM 205 may also contain private data, such as a private key 209 or a shared secret key 210, stored either in its basic form or in derived quantities.

[0039] The portable security device 109 programs 301 may include a cryptography module 213, a user authentication module 215, a communications module 217, and the operating system OS 219.

[0040] Thus, the portable security device 109 may receive a document or message via the connector 21 1 . The processor 201 , by executing instructions of the cryptography module 213, may digitally sign the document/message or may decrypt the document/message using the private key 209 or shared secret key 210. Using functionality provided through the communications module 217, the processor 201 may receive and transmit communications with the host computer 103.

[0041 ] Figure 4 is a schematic illustration of a portion of an implementation of the cryptography module 213. The cryptography module 213, which may, for example, be an implementation of the MILENAGE algorithm, would contain one or more functions, methods, or routines. One possible function could be, as is illustrated in Figure 4, a function called CryptoFunction( ) which in this case, for illustrative purposes, takes the argument M as the message to encrypt. In the cryptography module 213 the encryption output is, for example, computed using the MILENAGE algorithm, which is closely related to the Advanced Encryption Standard (AES), specifically AES-128.

[0042] MILENAGE and the AES-128 algorithm is described in detail in [MILENAGE] 3GPP TS 35.305 v13.00 (201 6-01 ); Third Generation Partnership Project; Technical Specification Group Services and Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1 , f1 ^* , f2, f3, f4, f5 and f5 ^* ; Document 2: Algorithm specification (Release 13) (http://www.etsi.Org/deliver/etsi_ts/135200_135299/135206/13 .00.00_60/ts_1 35206v130000p.pdf, accessed on May 15, 201 6), incorporated herein by reference in its entirety.

[0043] In a reference implementation of MILENAGE given in

[MILENAGE], Annex 1 : Figure of the Algorithms (reproduced as Figure 5, herein), each E _k is the result of applying the Rijndael encryption algorithm (e.g., AES-128).

[0044] The AES-128 algorithm operates on four-by-four byte blocks (i.e., 128 bytes: other AES varieties have different block lengths, e.g., 192 and 256). A message to be encrypted (or decrypted) is divided into such 128-bit plaintext blocks, the key used to encrypt (or decrypt) these blocks is 128 bits, the intermediate result (referred to as the state) are 128 bits, and the outputs are 128-bit blocks. While these 128 bit blocks are commonly viewed as 4x4 matrices, herein we consider them as 1 6-byte strings or vectors.

[0045] Returning to Figure 4, the AES-128 algorithm consists of a series of 1 1 rounds:

• an initial round with a Round Key Addition operation,

• 9 rounds (illustrated in Figure 4 as Round Function F 401 ), indexed 1 through 9, each performing:

a byte substitution transformation, S-box

a shift row transformation

a mix column transformation

a Round Key addition

• a final round (round 10) performing

a byte substitution transformation, S-box

a shift rows transformation

a Round Key addition

[0046] A complete discussion of AES-128 is outside the scope of this document]; only a few aspects of the algorithm are discussed here. Further details about AES-128 may be found in [MILENAGE], referenced above..

[0047] The byte substitution transformation, S-box, is performed by performing a linear transformation of each state byte independently using a substitution table (S-box) as illustrated in Figure 6, such that for every element in state:

where a, is the initial value of the element in state and is the output value. Each S-box entry corresponds to the values of a possible statebyte value, a,, indexed by the least significant nibble (column) and the most significant nibble (row) of the statebyte value, e.g., if the statebyte value is 7B, the new value for that statebyte becomes 21 .

[0048] The shift rows transformation is best understood by considering the state as a 4x4 matrix. Each row is cyclically shifted to the left by a different amount. The shift rows transformation is described in detail in [MILENAGE].

[0049] The mix columns transformation operates on each column of the state independently. The mix columns transformation is described in detail in [MILENAGE]. [0050] In practice, in a MILENAGE implementation of AES-128 the following pseudocode would appear in an implementation:

1 for(i=0; i<16; i++)

2 AES_STATE[i] = Milenage_Rand[i] XOR Milenage_OPC[i]

3

4 for(i=0; i<16; i++)

5 AES_STATE[i] = SBOX[AES_STATE[i]];

6

7 call SHIFT_ROW(AES_STATE);

8

9 call MIX_COLUMN(AES_STATE);

Table 1 : Pseudocode for MILENAGE implementation

Conventional AES-128

Round 1 .

[0051 ] Please note that this is not complete MILENAGE or AES- 128 pseudocode; rather, the statements in Table 1 above are representative of code that would be implemented in a MILENAGE implementation using AES-128 for the encryption function £). This process is referred to herein as the Conventional MILENAGE AES-128 Process (S-box -> Shift Rows -> Mix Column) (or, simply, Conventional AES Process).

[0052] Statement 1 of Table 1 produces an initial state for a

MILENAGE process. In Rounds 2 through 10, Step 1 and 2 are not used as the AES_STATE for Rounds 2 through 10 is simply the AES_STATE from the preceding round.

[0053] The for-loop 2 corresponds to the round function of AES- 128. The AES_STATE[i] = SBOX[AES_STATE[i]]; statement is the byte substitution transformation. The Hamming weight of the output, revised AES_STATE[i], has a dependence on the Hamming weight of Milenage_Rand[i]XORMilenage_OPC[i]. This dependence can be exploited to gain insight on Milenage_OPC[i]. Since Milenage_OPC can be set by individual operators, the situation provides a mechanism by which an attacker could differentiate the algorithms of different operators. As operators may consider their OPC values secret, Milenage_OPC is a value important to the secrecy of the MILENAGE algorithm implementations. [0054] The call SHI FT_ROW(AES_STATE) ; statement rearranges bytes of AES_STATE in a predictable way. Each byte from AES_STATE remains intact after the SHIFT_ROW function. Therefore, just as with the byte substitution transformation, the Hamming weight leakage during rearrangement of the intact bytes also presents the risk of exposing the value Mileange_OPC.

[0055] In the call MIX_COLUMN(AES_STATE); function the bytes of AES_STATE are mixed with each other. No byte remains intact.

There is nevertheless a risk to Milenage_OPC while the intact bytes are being manipulated before mixing. But after the MIX_COLUMN function, when all bytes are no longer intact, it becomes more difficult to find the relationship between the new AES_STATE and Milenage_OPC.

[0056] Furthermore, in an actual implementation, there is also an

A D D_RO U N D_K E Y step after the MIX_COLUMN step 9. However, the ADD_ROUND_KEY step is not prone to side-channel leakage due to varying

Hamming weights in the S-box substitution and the method described herein to avoid such side-channel leakage does not involve the ADD_ROUND_KEY step.

[0057] The above-identified risks to the Milenage_OPC value arise from the variation in Hamming weight in the S-box table. In a preferred embodiment, depicted at a high-level as a modified cryptomodule 213' in Figure 8, those risks are avoided by a modified Round Function P 801 , which performs the byte substitution transformation using a split S-box table, i.e., split into two tables such that every table entry has the same designated Hamming weight, for example, four.

[0058] On Figure 9, the first of the two tables, Sbox_0 901 corresponds to the lower nibble of the conventional S-box. The lower nibble is the same as in the conventional S-box. The higher nibble is set such that the Hamming weight for the entry equals the constant designated Hamming weight for the S-box, e.g., four. For example, consider the entry for 7A. In the conventional S-Box 601 (Fig. 6), the value is DA, i.e., 1 101 1001 . The Hamming weight for the lower nibble is 2. Therefore, in S-box_0 (Figure 9), the higher nibble is set to 5, such that the combined value, 5A (0101 1001 ), has a Hamming weight of 4. Of course, the higher nibble may be set to any value that has a Hamming weight of 2, e.g., 3, 5, 9, or A.

[0059] Again to Figure 9, the second table of the split S-box, Sbox_1 903, is constructed similarly to the construction of Sbox_0. However, Sbox_1 901 corresponds to the higher nibble from the conventional S-Box and the lower nibble is reset to a value which would bring the combined Hamming weight to the designated constant Hamming weight for all entries, e.g. the weight of four, used above. Consider, for example, the entry for DO. In the conventional S-Box (Figure 6), the value is 70. The higher order nibble, 7, has a Hamming weight of 3. Therefore, Sbox_1 , the lower order nibble is set to an exemplary value 8 which has a Hamming weight of 1 so that the combined Hamming weight becomes 4.

[0060] Figure 7 is a flow-chart illustrating one mechanism for splitting a standard S-box 601 into the two Hamming-weight neutral S-boxes 901 and 903.

[0061 ] Step 701 : A desired Hamming weight is selected, for example, four. In a cipher that is based on bytes, four is the only value that works for all possible nibble values. However, in alternative embodiments the desired Hamming weight may be a different value depending on whether the cipher is byte-based and whether all possible values are used.

[0062] Loop 703: For each entry ij in the standard S-box 601 , entries in the Hamming-weight neutral S-boxes 901 and 903 are determined.

[0063] Step 705: a CompensationValue is determined for the lower nibble by subtracting the Hamming weight of the lower nibble from the desired Hamming weight.

[0064] Step 707: The CompensationValue is used to select an UpperNibble having the Hamming weight equal to the CompensationValue.

[0065] Step 709: SBox_0[i,j] is set to the "concatenation" of the UpperNibble and the lower nibble from the standard S-box[i,j] entry, where "concatenation" here means concatenating the UpperNibble selected in Step 707 with the lower nibble from the standard S-Box to form one byte.

[0066] Steps 71 1 -715: performs the analogous operations for the high-order nibble in the standard S-box[i,j] entry.

[0067] The use of the split S-boxes to process an AES-state is illustrated in logic flow diagrams of Figures 10 and 1 1 , and described in conjunction with the pseudocode of Table 2, below. For an AES-state vector 1 17, consisting of sixteen bytes 121 a-c, the byte substitution transformation is processed by applying the split S-boxes 901 and 903 to each AES-state vector byte 121 , thereby producing two output vectors 1 19 and 120, each consisting of 1 6 output bytes 123 and 125, respectively. The AES-state vector 1 17 and the output vectors are indexed 0 through 15.

[0068] Ultimately the output from the modified Round Function F'

801 outputs the same result as the standard Round Function F 401 . A process illustrated in Figure 1 1 and described in the pseudocode below accomplishes that result.

[0069] The following pseudocode (referred to herein as the Modified MILENAGE AES-128 Process (or, simply, the Modified Process):

/ ^* First the initial AES_State as in the Conventional AES-128 process is input into the split_Sboxes 901 and 903, as illustrated in Figure 1 1 producing S-box_outputs 0 and 1 , 1 19 and 1207

1 for(i=0; i<16; i++)

2 AES_STATE[i] = Milenage_Ftand[i] XOR Milenage_OPC[i]

3 for(i=0; i<16; i++)

4 AES_STATE[0][i] = S-BOX_0[AES_STATE[i]];

5 for(i=0; i<16; i++)

6 AES_STATE[1 ][i] = S-BOX_1 [AES_STATE[i]];

/ ^* At this point AES_STATE[0] AND [1 ] have gone through the byte substitution of the split Sboxes producing the S-box outputs 1 19 and 120, respectively ^* /

/ ^* Next the S-box outputs are processed with the Shift_Row process 131 , respectively, producing intermediate state vectors A and B, 133 and 1347 call SHIFT_ROW(AES_STATE[0]);

call SHIFT_ROW(AES_STATE[1 ]);

/ ^* At this point AES_STATE[0] AND [1 ] have gone through the Shift- Row process and are transformed into a Hamming weight neutral form. However, the output from each round calculation is made to conform to the corresponding round in the Conventional AES process. That result is achieved by the following code. Additionally, to protect this portion of the calculation from side-channel leakage and associated attacks, a random number is introduced into the calculation.

ΓΑη "extra" buffer (Extra_Buffer[0]) is used to introduce a random number 135 into the input for mix column calculation. The random is on a per-byte basis. Thus, the Random 135 is set for each byte in the extra buffer vector.7 call MIX_COLUMN((AES_STATE[0]));

call MIX_COLUMN((AES_STATE[1 ])); for(i=0; i<16; i++)

Extra_Buffer[0][i]= Random Number

/ ^* A second "extra" buffer (Extra_Buffer[1 ] is used to combine, on a byte-for-byte basis, the intermediate state vectors 133 and 134 with masks masking out the irrelevant portions of each of the intermediate state vectors.

Ultimately the bytes of the second extra buffer 145 is a combination of the random value 135 and the intermediate state vectors 133 and 134 on a byte-by-byte basis. Specifically the upper half-byte of intermediate state vector A 133 is masked (XOR operation 141 ) with the quantity OxFO 137 and lower half-byte of intermediate state vector B 134 is masked (XOR operation 143) with the quantity OxOF 139. These quantities 141 and 143 are then XORed (XOR operation 147).

7

for(i=0; i<16; i++)

{

Extra_Buffer[1 ][i] =

( Extra_Buffer[0][i] XOR

(AES_STATE[0][i] XOR OxFO)

XOR

(AES_STATE[1 ][i] XOR OxOF) )

}

/ ^* Each of the two intermediate state vectors A and B, 133 and 134, the random vector Extra_Buffer[0] 135, and the combined vector 145 are processed by the MIX_COLUMN operation 149.7

call MIX_COLUMN((Extra_Buffer[0]));

call MIX_COLUMN((Extra_Buffer[1 ]));

/ ^* At this point AES_STATE[0], AES_STATE[1 ], Extra_Buffer[0] & Extra_Buffer[1 ] have gone through the Mix Column process7 / ^* The two Extra_Buffer vectors and the two intermediate AES state vectors 133 and 134 are XORed together (operation 151 ). The output from the XOR operation 151 is identical in value to the output from the corresponding round operation in the Conventional AES process.7

23 for(i=0; i<16; i++){

24 OUTPUT[i] =

25 AES_STATE[0][i]

26 XOR AES_STATE[1 ][i]

27 XOR Extra_Buffer[0][i]

28 XOR Extra_Buffer[1 ][i]

29 }

The OUTPUT vector is numerically identical to the corresponding round output for the conventional AES process.

Table 2. Pseudo code for Hamming-weight-neutral AES-128 Process

[0070] Steps 1 and 2 of the pseudocode of the Modified AES- 128 Process are the same as for the Conventional AES-128 Code, namely, establishing of the initial MILENAGE state. The initial MILENAGE state is illustrated in Figure 10 as AES State 1 17. For subsequent rounds, as with AES-128, the input AES state 1 17 is the output (Figure 1 1 , AES state 153) from the previous round. Thus, for the rounds following the first round, Steps 1 and 2 are not necessary and hence not executed.

[0071 ] Steps 3 through 6, of the pseudocode of Table 2 and illustrated in Figure 10, correspond to steps 4-5 in the Conventional AES-128 process. In the case of the Modified AES-128 process, the Byte Substitution step is performed using Hamming-weight neutral S-boxes that have been constructed as described herein above from the standard non-Hamming- weight neutral S-box. The substitutions in the Hamming-weight neutral S- boxes all have the same Hamming weight, for example, just as illustrated in the examples of S-box_0 901 and S-box_1 903 of Figure 9. Thus, in the Modified Process, the Hamming weight of the revised AES_STATE[j][i] has no dependence on Milenage_Rand[i]XORMilenage_OPC[i] because the Hamming weight of all the bytes in AES_STATE[j][i] are the same due to the design of SBox_0 and SBox_1 , in which all substitutions have the same Hamming weight.

[0072] The output from Steps 3 through 6, thus, are two AES state vectors, namely, AES_STATE[0] 1 19, from the SBox_0 901 , and AES_STATE[1 ] 120, from the SBoxJ 903. Each of AES_ STATE[0] 1 19 and AES_STATE[1 ] 120 consist of 1 6 bytes AES_STATE[0][0..15] (bytes 123 of Figure 10) and AES_STATE[1 ][0..15] (bytes 125 of Figure 10).

[0073] The two split AES_STATES[0] 1 19 and [1 ] 120 go through the Shift_Row and Mix_Column operations in parallel and the results are then merged in a manner to arrive at the same result for the round calculation as would be obtained from the Conventional AES-128 process. Figure 1 1 is logic flow diagram depicting this parallel processing of Shift_Row and Mix_Column operations and the merging of the two split AES_STATES.

[0074] Steps 7 and 8 from the pseudocode of Table 2 and the two Shift_Row operations 131 and 131 ' ¹ of the Modified AES-128 Process correspond to Step 7 of the Conventional AES-128 Process. The shift row operation 131 rearranges bytes of AES_STATE[0] in a predictable way. Each byte from AES_STATE[0] remains intact after the Shift_Row operation, but each byte's adjusted form now lessens the risk that the Mileange_OPC value can be discerned by an attacker because all bytes of AES_STATE[0] have no variation. This is similarly true for AES_STATE[1 ]. Other than repeating the shift_row operation on both of the split AES_States, AES_STATE[0] 1 19 and AES_STATE[1 ] 120, the Shift_Row operation is the same as in the Conventional AES-128 Process.

[0075] Steps 9 and 10, the two MIX_Column operations 149 and 149', in the Modified AES-128 Process correspond to Step 9 of the Conventional AES-128 Process. As with the Shift_Row operation, the MIX_Column operation 149 is the same as in the Conventional AES-128 Process other than that it is performed on both of the split AES_States, AES_STATE[0] 133 and AES_STATE[1 ] 134 output from the split Shift_Row operation 131 and 131 '.

[0076] At this stage, the split AES_States, AES_STATE[0] and AES_STATE[1 ], are combined to create the correct output AES state that has the same values as the AES state output from the Conventional AES Process would have.

[0077] One way to "go back" to obtain the same output as the standard is to perform the following operation:

¹ Herein, the notation x' etc. is used to refer to a specific operation, e.g.,

SHIFT_ROW, applied to different inputs, e.g., AES_STATE[0] and AES_STATE[1], respectively. Corrected_Output = MixColumn(AES_STATE[0][i]) XOR MixColumn(AES_STATE[1 ][i]) XOR MixColumn( (AES_STATE[0][i] XOR OxFO) XOR (AES_STATE[1 ][i] XOR OxOF) )

[0078] However, AES_STATE[0][i] XOR OxFO) XOR (AES_STATE[1 ][i] XOR OxOF) potentially may be used to discern the Milenage_OPC value though side-channel leakage. That is avoided by masking the state using a random number.

[0079] A 16-byte temporary storage buffer, Extra_Buffer[0] 135, is initialized with a fresh random number, Step 1 1 and 12.

[0080] Next, the relevant portion of AES_STATE[0], i.e., the higher nibble, and the relevant portion of AES_STATE[1 ], i.e., the low-order nibble, are masked with the values OxFO and OxOF, respectively (steps 17 and 19 in the pseudocode of Table 2 and XOR operations 141 and 143 of Figure 1 1 ). These quantities are further combined and masked with the random number stored in the first temporary storage buffer (steps 1 6 and 18, XOR operation 147) and placed in a second temporary storage buffer, Extra_Buffer[1 ]. These masking operations are performed on a byte-by-byte basis (Loop 13 in the pseudocode of Table 2, logic loop 145 of Figure 1 1 ).

[0081 ] In other words, after the for-loop of Steps 13 - 20, the two temporary storage buffers have the following values, for each value i in the range 0-15:

Extra_Buffer[0][i] = Random Number

Extra_Buffer[1 ][i] = Random Number XOR (AES_STATE[0][i] XOR OxFO) XOR (AES_STATE[1 ][i] XOR OxOF)

[0082] The temporary storage buffers, Extra_Buffer[0] and

Extra_Buffer[1 ], are then also processed by the MixColumn operation (operations 149" and 149"'), steps 21 and 22.

[0083] Finally, the AES-STATE output from the MixColumn operations 149 and 149' from steps 21 and 22 of the pseudocode of Table 2 are combined with the temporary storage values having the random number and the combined AES-State values from the Loop 13 in the XOR operation 151 and stored in a return value (OUTPUT 153), steps 23 through 29 of the pseudocode of Table 2.

[0084] In the final round of AES-128, the Shift Rows and Mix Columns operations are not included. However, after many rounds, there is little risk associated with the byte substitution operation. Therefore, for the final round, the Hamming-weight neutral S-boxes may not be used. [0085] The output from the process is identical in value to the corresponding Conventional AES-128 process.

[0086] An implementation of the process illustrated in Figures 10 and 1 1 , and described herein above, may be implemented in software or firmware and stored as part of the cryptography module 213, illustrated in Figure 3. As such, the process for performing Hamming weight neutral S-box substitutions, for example, as part of the AES-128 cryptography in the MILENAGE algorithm, improves the integrity of a security device, e.g., a smart card or SIM card, against side-channel attacks.

[0087] Although specific embodiments of the invention have been described and illustrated, the invention is not to be limited to the specific forms or arrangements of parts so described and illustrated. For example, the MILENAGE and AES-128 algorithms are used herein for illustrative purposes. The techniques described are applicable to any cipher that uses substitution boxes including, but not limited to, other versions of the AES. The invention is limited only by the claims.