Method of determining a representation of a product of a first element and a second element of a finite set, method of evaluating a function applied to an element of a finite set and associated devices

Abstract

A method for determining a representation of a product of a first element and a second element is disclosed comprising, picking a random value for each pair of a first integer between 1 and d and a second integer greater than the first integer, adding the random value to the product of a first value and a second value, and adding the result of the first addition and the product of the first value and the second value. Then summing, for each integer between 1 and d, a product of the first and second values associated with the integer, the random values associated with the pairs of which the first integer is the integer concerned, and the values obtained for the pairs of which the second integer is the integer concerned.

Claims

1. A data masking method, implemented by an electronic circuit, which determines a representation of a product of a first item of data and a second item of data of a finite set with cardinality strictly greater than two and in which are defined an addition and a multiplication that is commutative and distributive with respect to that addition, comprising: masking the first item of data to generate a plurality of d first values of which the sum is equal to the first item of data and which are each associated with an integer comprised between 1 and d, the second item of data being represented by a plurality of d second values of which the sum is equal to the second item of data and which are each associated with an integer comprised between 1 and d, comprising the following steps: for each pair, formed by a first integer comprised between 1 and d and a second integer strictly greater than the first integer, the first integer being associated with one of said first values and the second integer being associated with one of said second values, obtaining a value by performing the following sub-steps in an electronic circuit: generating a random value utilizing a computational random value generator, and associating the random value with the pair; performing a first addition of said random value and of a product of the first value associated with the first integer and of the second value associated with the second integer; performing a second addition of the result of the first addition and of a product of the first value associated with the second integer and of the second value associated with the first integer; for each integer comprised between 1 and d, determining the value associated with the integer concerned in said representation by summing a product of the first and second values associated with the integer concerned, the random values associated with the pairs of which the first integer is the integer concerned and the values obtained for the pairs of which the second integer is the integer concerned, wherein the first item of data is masked from an observer of the electronic circuit, such that it is difficult or impossible for the observer to deduce the first item of data.

2. The data masking method according to claim 1, wherein the first addition and the second addition are an operation of exclusive or type.

3. The data masking method according to claim 1, wherein the multiplication is a multiplication of polynomials having binary coefficients followed by a step of reducing by an irreducible polynomial having binary coefficients.

4. The data masking method according to claim 1, wherein each element of the finite set is a given power of a primitive element and wherein the multiplication is carried out by adding exponents respectively associated with the powers to multiply, modulo the cardinality of the field less one.

5. The data masking method according to claim 1, wherein a product of two items of data of the finite set is obtained by reading, from a table stored in memory, a third item of data associated with said two items of data.

6. The data masking method according to claim 1, wherein (d−1) values from among the d first values are obtained utilizing said random values.

7. The data masking method according to claim 1, implemented in a microprocessor.

8. The data masking method according to claim 1, wherein the first item of data and the second item of data are each coded over a plurality of bits.

9. The data masking method according to claim 1, wherein the finite set is a Galois field F.sub.2.sup.n, with n greater than or equal to 2.

10. The data masking method according to claim 9, wherein n is equal to 8.

11. A data masking method that evaluates a function applied to an element of a finite set, characterized in that it comprises determining a plurality of values representing a result of an application of a polynomial to said element of the finite set, said determining comprising applying the method according to claim 1, wherein the first item of data and the second item of data is each set equal to said element of the finite set.

12. The data masking method according to claim 11, wherein the function is non-linear with respect to an addition defined on the finite set.

13. A data masking microprocessor that determines a representation of a product of a first item of data and of a second item of data of a finite set with cardinality strictly greater than two and in which are defined an addition and a multiplication that is commutative and distributive with respect to that addition, the microprocessor being configured to mask the first item of data to generate a plurality of d first values of which the sum is equal to the first item of data and which are each associated with an integer comprised between 1 and d, the second item of data being represented by a plurality of d second values of which the sum is equal to the second item of data and which are each associated with an integer comprised between 1 and d, comprising: a value obtaining circuit to obtain a value for each pair formed by a first integer comprised between 1 and d, the first integer being associated with one of said first values, and a second integer, the second integer being associated with one of said second values, strictly greater than the first integer: by generating a random value utilizing a computational random value generator, and associating with the random value with the pair; by performing a first addition of said random value and of a product of the first value associated with the first integer and of the second value associated with the second integer; by performing a second addition of the result of the first addition and of a product of the first value associated with the second integer and of the second value associated with the first integer; and a determining circuit to determine for each integer comprised between 1 and d the value associated with the integer concerned in said representation by summing a product of the first and second values associated with the integer concerned, the random values associated with the pairs of which the first integer is the integer concerned and the values obtained for the pairs of which the second integer is the integer concerned; wherein the first item of data is masked from an observer of the microprocessor, such that it is difficult or impossible for the observer to deduce the first item of data.

14. A data masking device that evaluates a function applied to an element of a finite set by determining a plurality of values representing a result of an application of a polynomial to said element, comprising a device according to claim 13, wherein each of the first and second item of data is set equal to said element of the finite set.

Description

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

(1) Other features and advantages of the invention will appear in the light of the following description, made with reference to the accompanying drawings in which:

(2) FIG. 1 represents an example of a device capable of implementing the invention;

(3) FIG. 2 represents a method implemented by the device of FIG. 1 and which is in accordance with the teachings of the invention.

DETAILED DESCRIPTION OF THE INVENTION

(4) FIG. 1 represents the main components of a device adapted to implement the method provided by the invention;

(5) This device comprises a microprocessor 2 connected (via suitable buses) to a rewritable memory 4 (typically of EEPROM type) and to a random access memory 6.

(6) The device of FIG. 1 is for example a micro-computer. As a variant, it could be another type of electronic device, for example a secure electronic device, such as a microcircuit card.

(7) The rewritable memory 4 contains in particular instructions of a computer program PROG which, when they are executed by the microprocessor 2, enable the implementation of the methods provided by the invention, such as the one described below.

(8) The computer program PROG may as a variant be stored on another data carrier (for example a hard disk), which may possibly be removable (for example an optical disc or a removable memory). In this case, the computer program PROG may possibly be transferred first of all into the random access memory 6 before being executed by the microprocessor 2.

(9) At the time of its execution by the microprocessor 2, the computer program PROG implements a cryptographic data processing method which in particular involves an item of data x to process.

(10) The data to process (in particular the item of data x) are represented within the device of FIG. 1 (and in particular within the random access memory 6) by digital words each formed by several bits; for example a representation of the data is used here in the form of 8-bit bytes.

(11) The random access memory 6 stores the variables and data processed, in particular those manipulated by the method described later with reference to FIG. 2.

(12) In the context of their processing (in particular when cryptographic processing is involved), the data are (each) viewed as elements of a set F.sub.2.sup.n comprising 2.sup.n elements and provided with a field structure via the definition of an addition between two elements of the set (denoted ⊕ below) and via the definition a multiplication of two elements of the set (denoted ).

(13) It can be understood that, in the case described here in which the data are represented by 8-bit bytes, the field F.sub.2.sup.n comprises 256 elements (n=8).

(14) The addition ⊕ defined over this field is the “exclusive or” or XOR operation (which is a basic operation in processing by the microprocessor 2).

(15) As regards the multiplication between two elements (that is to say between two items of data coded over several bits, typically 8 bits), this may be defined as a modular polynomial multiplication, or as the multiplication of two powers of a primitive element (or generator) of the field (in which case, this multiplication amounts to an addition of two exponents of the primitive element modulo 2.sup.n−1). In this regard, reference may be made to the work “Finite fields”, volume 20 of the “Encyclopedia of mathematics and its applications” by Rudolph Lidl and Harald Niederreiter, Cambridge University Press, 2.sup.nd edition, 1997.

(16) Whatever the theoretical representation used, the multiplication is implemented here by means of a stored table (stored here in the rewritable memory 4). Such a table, denoted LUT (for “Look-Up Table”) stores, for any pair of elements of the field, the result of the multiplication of those elements.

(17) In this context, the processing of an item of data which achieves the transformation of that item of data into another item of data may be viewed as a function of the field on itself (that is to say a function f which associates with every element x of the field, that is to say with all the possible data, an element f(x) of the field, that is to say the item of data obtained by the processing).

(18) In the device of FIG. 1 a masking technique is furthermore used whereby a determined item of data x is manipulated only in a form masked by one or more masks x.sub.i (i>0), typically determined by random picking at the start of processing (that is to say in practice at the start of the algorithm concerned, which it is wished to protect by the masking). The masks may moreover be regenerated if necessary during the course of processing.

(19) The masking used here is successive addition (by application of the XOR operation) of the masks x.sub.i to the item of data x to mask.

(20) Such masking is said to be of higher order when several masks x.sub.i are successively applied to the item of data x.

(21) In this case, the item of data x is as represented while processing by d items of data x.sub.i, i.e. the masked item of data x.sub.0 and the masks x.sub.1, X.sub.2, X.sub.d-1. (The masks must indeed be stored to be able to retrieve the value x without masking). This is referred to as masking of order (d−1).

(22) The item of data x is thus represented during the processing by d items of data x.sub.i of which the sum (according to the addition ⊕ defined over the field referred to above) is equal to the item of data x so represented:
x.sub.0⊕x.sub.1⊕x.sub.2⊕ . . . ⊕x.sub.d-1=x.

(23) As already explained in the introduction, on account of the random picking of the masks at each execution of an algorithm, the masking makes it possible to modify the values manipulated at the time of the different executions of the algorithm and makes it difficult (or impossible) to deduce the data actually processed based on observation of the circuit, with the difficulty increasing with the order of masking.

(24) The masking however involves particular processing when, to the item of data x to be processed (and thus in practice to the data x.sub.i that are actually manipulated), a function f is to be applied that is non-linear with respect to the masking operation (here the addition ⊕, performed by an XOR operation). To be precise, contrary to the case of the functions that are linear with respect to that operation, the sum of the results f(x.sub.i) of the application of the function f to the manipulated data x.sub.i is (by the actual definition of the absence of linearity) different from the result f(x) of the application of the function to the item of data x processed.

(25) A method is provided below which, on the basis of the data x.sub.i (where x.sub.0⊕x.sub.1⊕x.sub.2⊕ . . . ⊕x.sub.d-1=x), enables data e.sub.i to be obtained the sum of which will be equal to f(x) while maintaining the masking of order (d−1) throughout the computation.

(26) It may be noted first of all that the Lagrange interpolation formula makes it possible to define a polynomial p(x) equal to the function f(x) in each element of the set F.sub.2.sup.n:

(27) $p\left(x\right)=\underset{a\in F_{2^n}}{\oplus }\left[f\left(a\right).Math.\underset{b\in F_{2^n},b\ne a}{.Math.}\frac{x-b}{a-b}\right],$

(28) where the multiple product Π uses the multiplication and where

(29) $\frac{x-b}{a-b}$
is the product (in the sense of the multiplication ) of the element (x−b) by the inverse (still in the sense of the multiplication ) of the element (a−b). It may be noted that the formula below is written in its general form (with subtraction), but that, in the sets of type F.sub.2.sup.n studied here, the subtraction (“−” symbol above) is also implemented by an XOR operation, denoted here by ⊕, on account of the fact that the application of the XOR operation with a given element (that is to say the addition of a given element) is involutary in this type of set.

(30) According to the above, the function f (in particular when it is non-linear with respect to the addition ⊕) may be written in the form of a polynomial of degree 2.sup.n−1 and it is thus possible to define the function f by a family of coefficients α.sub.i such that:

(31) $f\left(x\right)=\stackrel{2^n-1}{\underset{i=0}{\oplus }}\left[{\alpha }_i.Math.x^i\right],$

(32) where x.sup.0 is the identity element relative to the multiplication , x.sup.1 is the element x and, for i>1, x.sup.i is the element x multiplied (i−1) times by itself (by means of the operation ).

(33) The processing of an item of data x by the function f may thus be reduced to a combination of additions ⊕ and multiplications .

(34) The additions are naturally linear with respect to the masking operation (here constituted by the same XOR operation) and the summing of the different elements concerned may thus be carried out by summing the d manipulated items of data representing those elements.

(35) The same applies for the multiplication by each of the coefficients α.sub.i, which is also linear with respect to the masking operation.

(36) However it is necessary to employ a specific method to determine the result of the multiplications to implement (here to obtain powers of the element x to process) while maintaining the masking of order (d−1) on account of the non-linearity of the operation of multiplication with respect to the masking operation.

(37) The method of multiplying a number a (represented by d values a.sub.i) and a number b (represented by d values b.sub.i) provided to that end is now described with reference to FIG. 2.

(38) It can be understood that in the context of evaluating the function f described above, which is merely one possible application of that method, the items of data a and b are both equal to the item of data x to process.

(39) The method commences at step S10 by the initialization of a variable i to 0.

(40) At step S12 a variable j is then initialized to the value i+1.

(41) At step S14 a variable r.sub.i,j is next determined by random picking, typically using a random value generating function implemented in software form and which forms part of the program PROG.

(42) A variable r.sub.j,i is next computed at step S16 using the formula: (r.sub.i,j⊕a.sub.ib.sub.j)⊕a.sub.jb.sub.i. It may be noted that the index i is necessarily different from the index j in this formula (since j is initialized to i+1 and incremented as indicated later).

(43) It is to be recalled that, using conventional notation, multiplication takes priority over addition and that the multiplications a.sub.ib.sub.j and a.sub.jb.sub.i, are thus carried out first, before adding the value r.sub.i,j to the result of the first multiplication (using an XOR), and lastly adding to that sum the result of the second multiplication.

(44) It is to be noted that compliance with this order for the operations (in particular for the additions) is imperative if it is wished to maintain the security of the masking.

(45) At step S18 the incrementation of the variable j is next carried out.

(46) It is then tested at S20 whether the variable j is equal to d (which, as indicated earlier, represents the number of values representing a value to process).

(47) In the negative (that is to say if values of j between i+1 and d−1 remain that have not been processed), step S14 is looped back to.

(48) In the affirmative, that is to say when the last passage through step S16 was made with a value of the variable j equal to d−1, the following step S22 is proceeded to.

(49) This step S22 consists in incrementing the variable i.

(50) Next, at step S24, it is tested whether the variable i is equal to (d−1). In the negative, step S12 is looped back to which makes it possible to perform the processing already described with an incremented value of i. In the affirmative, all the values r.sub.i,j have been processed (since there are no values r.sub.i,i to determine, and thus in particular no value r.sub.d-1, d.sub.d-1) and the second part of the method is then proceeded to at step S26.

(51) Step S26 consists in initializing the variable i to 0.

(52) Step S28 is next proceeded to at which the product a.sub.ib.sub.i is computed, which is stored in a variable c.sub.i.

(53) Step S30 is then carried out at which the variable j is initialized to 0.

(54) At step S32, equality between the variables i and j is tested.

(55) In the negative, the variable r.sub.i,j determined in the first part of the method is added to the variable c.sub.i (by means of the operation ⊕). To be precise, the sum c.sub.i⊕r.sub.i,j is computed, which is again stored in the variable c.sub.i (by overwriting).

(56) In the affirmative at step S32 (that is to say if i=j), step S36 is proceeded to directly (that is to say without performing step S34).

(57) Step S34 is also followed by step S36, at which the variable j is incremented.

(58) At step S38 it is then tested whether the variable j is equal to d. In the negative, step S32 is looped back to. In the affirmative, step S40 is proceeded to.

(59) Step S22 consists in incrementing the variable i.

(60) Step S42 is then proceeded to at which it is tested whether the variable i is equal to d.

(61) In the negative, step S28 is looped back to in order to determine the next variable c.sub.i.

(62) In the affirmative, all the variables c.sub.i (for i from 0 to d−1) have been determined and the method is thus terminated (step S44).

(63) The d values c.sub.i so obtained represent the product c, which is the result of the multiplication ab, that is to say that:
c=ab and c.sub.0⊕c.sub.1⊕c.sub.2⊕ . . . ⊕c.sub.d-1=c.

(64) It is to be noted that this last equality may be verified as follows by using the properties of commutativity of the multiplication , and of distributivity of the multiplication with respect to the addition ⊕:

(65) $\stackrel{d-1}{\underset{i=0}{\oplus }}{c}_i=\stackrel{d-1}{\underset{i=0}{\oplus }}\left[a_i.Math.b_i\oplus \left(\underset{j\ne i}{\oplus }{r}_{i,j}\right)\right]$
thanks to steps S28 to S34, thus

(66) $\stackrel{d-1}{\underset{i=0}{\oplus }}{c}_i=\stackrel{d-1}{\underset{i=0}{\oplus }}\left[a_i.Math.b_i\oplus \left(\underset{j>i}{\oplus }{r}_{i,j}\right)\oplus \left(\underset{j<i}{\oplus }\left(r_{j,i}\oplus a_i.Math.b_j\oplus a_j.Math.b_i\right)\right)\right]$
according to S16, hence

(67) $\stackrel{d-1}{\underset{i=0}{\oplus }}{c}_i=\stackrel{d-1}{\underset{i=0}{\oplus }}\left[a_i.Math.b_i\oplus \left(\underset{j<i}{\oplus }\left(a_i.Math.b_j\oplus a_j.Math.b_i\right)\right)\right]$
since the r.sub.i,j cancel each other, i.e.

(68) $\stackrel{d-1}{\underset{i=0}{\oplus }}{c}_i=\left(\stackrel{d-1}{\underset{i=0}{\oplus }}{a}_i\right).Math.\left(\stackrel{d-1}{\underset{i=0}{\oplus }}{b}_i\right)=a.Math.b=c.$

(69) It has thus been made possible to obtain values representing the product c of the values a and b, while maintaining the masking of order (d−1).

(70) The embodiment which has just been described is merely a possible example of implementation of the invention, which is not limited thereto. In particular, the invention is not limited to the case of the field of type F.sub.2.sup.n but also applies in the case of other fields (because, as stated above, the solution relies on the rules of commutativity and distributivity in the field).