Transition from a Boolean masking to an arithmetic masking

Abstract

A method for the transition is provided from a Boolean masking of a value to be kept secret to an additive masking of the value to be kept secret. The value to be kept secret is present in the Boolean masking as a representation masked with a first Boolean mask and a second Boolean mask. A first additive mask and a second additive mask are determined for the value to be kept secret. A first masking transition is executed in which the first Boolean mask is converted into the first additive mask. A second masking transition is executed in which the obfuscation value is converted into an additive correction value, and a third masking transition is executed in which the second Boolean mask is converted into the second additive mask.

Claims

1. A method for a masking transition of a cryptographic calculation, the masking transition being a transition from a Boolean masking of a value to be kept secret to an additive masking of the value to be kept secret, the value to be kept secret being present in the Boolean masking as a representation masked with a first Boolean mask and a second Boolean mask, and wherein a first additive mask and a second additive mask are determined for the value to be kept secret, the method comprising: executing a first masking transition in which the first Boolean mask is converted into the first additive mask, wherein the first additive mask is a masked representation of an additive mask corresponding to the first Boolean mask, wherein the first additive mask is masked with an obfuscation value serving as a Boolean mask; executing a second masking transition in which the obfuscation value is converted into an additive correction value; and executing a third masking transition in which the second Boolean mask is converted into the second additive mask, wherein a Boolean masked representation results from applying the first Boolean mask and the second Boolean mask to the value to be kept secret and an additive masked representation results from applying the first additive mask and the second additive mask to the value to be kept secret, and wherein the Boolean masked representation has a same value as the additive masked representation.

2. The method according to claim 1, wherein the obfuscation value serving as the Boolean mask is determined randomly.

3. The method according to claim 1, wherein at least two further random obfuscation values are used and each of the first, second, and third masking transitions uses at least one of these further random obfuscation values or a value derived therefrom.

4. The method according to claim 1, wherein at least two further random obfuscation values are used and both the first and the third masking transition respectively use at least two of the further random obfuscation values or values derived therefrom.

5. The method according to claim 1, wherein the first masking transition is executed with the value to be kept secret as a base value.

6. The method according to claim 1, wherein the second masking transition is executed with a base value which results from an additive mask corresponding to the first Boolean mask.

7. The method according to claim 1, wherein the third masking transition is executed with a base value which results from an additive masking of the value to be kept secret with an additive mask corresponding to the first Boolean mask.

8. The method according to claim 1, wherein the third masking transition is executed at least partly before the first masking transition or at least partly before the second masking transition.

9. The method according to claim 1, wherein the second additive mask is determined by applying the additive correction value in an additive operation to an additive mask corresponding to the second Boolean mask.

10. The method according to claim 1, wherein the second additive mask corresponds to the second Boolean mask and that the additive correction value is supplied as a further method result.

11. The method according to claim 1, wherein the method is embedded between a first section and a second section of the cryptographic calculation, wherein in the first section the masked representation is generated or processed by at least one operation which is compatible with the Boolean masking, and in the second section the masked representation is further processed by at least one operation which is compatible with the arithmetic masking.

12. The method according to claim 1, wherein at least one of the first, second and third masking transition is executed according to a method which, when regarded alone, is protected against first-order side channel attacks, but not against second-order side channel attacks.

13. The method according to claim 1, wherein the method serves for the protection against second-order side channel attacks.

14. A computer program product having a plurality of program commands which cause at least one processor to execute a method of claim 1.

15. The method according to claim 1, further comprising encrypting the Boolean masked representation, which is a value that results from applying the first Boolean mask and the second Boolean mask to the value to be kept secret, to generate encrypted data for secure communication.

16. The method according to claim 15, further comprising securely communicating the encrypted Boolean masked representation.

17. The method according to claim 1, further comprising preventing a side channel attack of the value to be kept secret by encrypting the Boolean masked representation rather than directly encrypting the value to be kept secret, and providing the encrypted the Boolean masked representation for secure communications.

18. A device comprising: a portable data carrier or chip module, wherein the device includes at least one processor and at least one memory, and wherein the device is arranged to execute a method for a masking transition of a cryptographic calculation, the masking transition being a transition from a Boolean masking of a value to be kept secret to an additive masking of the value to be kept secret, the value to be kept secret being present in the Boolean masking as a representation masked with a first Boolean mask and a second Boolean mask, and wherein a first additive mask and a second additive mask are determined for the value to be kept secret, the method including executing a first masking transition in which the first Boolean mask is converted into the first additive mask, wherein the first additive mask is a masked representation of an additive mask corresponding to the first Boolean mask, wherein the additive mask is masked with an obfuscation value serving as a Boolean mask; executing a second masking transition in which the obfuscation value is converted into an additive correction value; and executing a third masking transition in which the second Boolean mask is converted into the second additive mask, wherein a Boolean masked representation results from applying the first Boolean mask and the second Boolean mask to the value to be kept secret and an additive masked representation results from applying the first additive mask and the second additive mask to the value to be kept secret, and wherein the Boolean masked representation has a same value as the additive masked representation.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 as the only FIGURE shows a diagram illustrating the operations of an embodiment example of the invention and the data utilized and generated by these operations.

DETAILED DESCRIPTION OF VARIOUS EMBODIMENTS

(2) In FIG. 1 there is depicted a part of a cryptographic calculation, e.g. of a hash function or of an IDEA encryption or decryption. A masking transition method 10 according to an embodiment example of the invention is embedded between a first section 12 and a second section 14 of the cryptographic calculation. The operations of the cryptographic calculation executed in the first section 12 are compatible with a Boolean masking rule and are executed using several Boolean masks. The result of the first section 12 is a masked representation x of a value d to be kept secret, which is masked according to a Boolean masking rule with two Boolean masks s.sub.1, s.sub.2; thus it holds e.g. that x=d⊕s.sub.1⊕s.sub.2.

(3) The second section 14 of the cryptographic calculation comprises further operations, which, however, are not compatible with the Boolean masking rule, but only with an additive masking rule. In the present embodiment example, the masking rule used in the second section 14 is x=d+r.sub.1a+r.sub.2a mod 2.sup.n, where r.sub.1a and r.sub.2a are each an additive mask and n indicates the word width in bits of the calculation performed. The masking transition method 10 should therefore determine, from the first masking of the value d to be kept secret with the Boolean masks s.sub.1, s.sub.2, a second masking which includes two additive masks r.sub.1a and r.sub.2a. In the configuration described first here, the masked representation x is to remain unchanged during the execution of the masking transition method 10, while this is not the case in other configurations described later.

(4) In the embodiment example described here, the masking transition method 10 includes a total of three simpler masking transitions 16, 18, 20. These masking transitions 16, 18, 20 are here also referred to as “first”, “second” and “third” masking transitions. This, however, only serves to simplify the naming without implying an order of execution. In implementation variants, the three masking transitions 16, 18, 20 can be executed in a different order or e.g. in an interleaved fashion, i.e. for example first a part of the third masking transition 20, which does not require the correction value a, and only then the second masking transition 18.

(5) Before describing the masking transitions 16, 18, 20 in more detail, now two general formulas are explained for a better understanding, with which masking transitions can be executed in a manner protected against first-order side channel attacks.

(6) A masked representation x of a base value d to be kept secret, with a Boolean mask s is given, so that thus it holds that x=d⊕s. What is to be calculated is an arithmetic mask r with which the masked representation x presents the base value d to be kept secret, for which it thus holds that x=d+r mod 2.sup.n with a given calculation bit width n. In order to secure the calculation against a first-order side channel attack, a random obfuscation value z is introduced. The arithmetic mask r then results from the formula:
r=((d⊕s⊕z)−(d⊕z))⊕s⊕((s⊕z)−z)

(7) This relation, hereinafter referred to as “XOR2ADD formula”, is already known in slightly modified form from EP 1 596 527 B1. The correctness of the XOR2ADD formula results from a consideration of the function defined by F(x, s):=(x−(x⊕s))mod 2.sup.n. For the above-mentioned masked representation x of the base value d to be kept secret and the above-mentioned Boolean mask s, the value F(x, s) presents the searched additive mask r, because it holds that d+F(x, s)=d+(x−(x⊕s))=d+x−d=x. For the mapping F(_, s) it holds that: F(x⊕y, s)=F(x, s)⊕F(y, s)⊕F(0, s). This results in the following equation chain:

(8) $\begin{matrix} r = F (x, s) \\ = F ((x \oplus z) \oplus (z \oplus s) \oplus s, s) \\ = F (x \oplus z, s) \oplus F (z \oplus s, s) \oplus F (s, s) \\ = ((x \oplus z) - (x \oplus z \oplus s)) \oplus ((z \oplus s) - z) \oplus s \end{matrix}$

(9) The XOR2ADD formula follows by replacing the value x by d⊕s in the just derived relation for r.

(10) The above mentioned XOR2ADD formula can be extended by using not only one random obfuscation value z, but two obfuscation values z.sub.1 and z.sub.2. Depending on the security requirements, the obfuscation values z.sub.1, z.sub.2 may each be random in themselves, or there may be certain dependencies either between the obfuscation values z.sub.1, z.sub.2 among themselves or between one of the obfuscation values z.sub.1, z.sub.2 and another value. Using the two obfuscation values z.sub.1, z.sub.2, the arithmetic mask r then results from the following relation, which is referred to here as the “extended XOR2ADD formula”:
r=((d⊕s⊕z.sub.1⊕z.sub.2)−(d⊕z.sub.1⊕z.sub.2))⊕((s⊕z.sub.1)−z.sub.1)⊕((s⊕z.sub.2)−z.sub.2)

(11) As already briefly explained above, the masking transition method 10 in the embodiment example shown in FIG. 1 starts out from a base value d to be kept secret, which is present in a first masking in the form of a representation x masked with two Boolean masks s.sub.1, s.sub.2 according to a Boolean masking rule; it thus holds that x=d⊕s.sub.1⊕s.sub.2. According to the present embodiment example, two additive masks r.sub.1a, r.sub.2a are determined, so that it holds that x=d+r.sub.1a+r.sub.2a mod 2.sup.n. In other words, a second masking of the base value d to be kept secret is ascertained, in which the masked representation x is also a masked representation according to an additive masking rule with the masks r.sub.1a, r.sub.2a. The masking transition method 10 shown in FIG. 1 utilizes for this one masking transition according to the XOR2ADD formula and two masking transitions according to the extended XOR2ADD formula. The masking transition method 10 is protected against second-order side channel attacks; even if two intermediate results are known, no information can be derived about the value d to be kept secret.

(12) In an experimental approach, which is now first described as an introduction to the embodiment example, two additive masks r.sub.1, r.sub.2 with x=d+r.sub.1+r.sub.2 would be determined by first performing an “inner” masking transition from d⊕s.sub.1 to d+r.sub.1 and then an “outer” masking transition from (d+r.sub.1)⊕s.sub.2 to (d+r.sub.1)+r.sub.2. Each of these two masking transitions is effected according to the experimental approach according to the extended XOR2ADD formula with suitable obfuscation values. Thus, according to the experimental approach, the value r.sub.1 with two obfuscation values z.sub.1, z.sub.2 results from the following relation, which is referred to as “(A0)”:
r.sub.1=((d⊕s.sub.1⊕z.sub.1⊕z.sub.2)−(d⊕z.sub.1⊕z.sub.2))⊕((s.sub.1⊕z.sub.1)−z.sub.1)⊕((s.sub.1⊕z.sub.2)−z.sub.2)

(13) When analysing the experimental approach just described, however, the inventors surprisingly realized that the calculation of r.sub.1 according to the relation (A0) is susceptible to second-order side channel attacks because an attacker could draw conclusions about the value d to be kept secret from the knowledge of n and s.sub.1. In the embodiment example described now, the experimental approach is hence modified to the extent that with the first masking transition 16 there is not determined the additive mask r.sub.1 corresponding to the Boolean mask s.sub.1, but instead a value r.sub.1a modified compared to r.sub.2. The value r.sub.1a, which presents the first mask searched for altogether, is the Boolean masking of the value r.sub.1 with another Boolean mask, namely a randomly selected obfuscation value a. Thus, it holds that r.sub.1a=r.sub.1⊕a, from which the following relation (A1) results by inserting the above relation (A0):
r.sub.1a=((d⊕s.sub.1⊕z.sub.1⊕z.sub.2)−(d⊕z.sub.1⊕z.sub.2))⊕((s.sub.1⊕z.sub.1)−z.sub.1)⊕((s.sub.1⊕z.sub.2)−z.sub.2)⊕a

(14) Since in the equation x=d⊕s.sub.1⊕s.sub.2 the exclusive-or-operations can be shifted arbitrarily from the right to the left side, the relation (A1) can also be written as relation (A2) as follows:
r.sub.1a=((x⊕s.sub.2⊕z.sub.1⊕z.sub.2)−(x⊕s.sub.1⊕s.sub.2⊕z.sub.1⊕z.sub.2))⊕((s.sub.1⊕z.sub.1)−z.sub.1)⊕((s.sub.1⊕z.sub.2)−z.sub.2)⊕a

(15) The relation (A2) depicts the first masking transition 16 according to the embodiment example described here. With a suitable implementation, the calculation of the relation (A2) is secure against second-order side channel attacks.

(16) As according to (A2), the value r.sub.1a was calculated instead of the actually desired value r.sub.1, a correction step is required in the embodiment example described here, for which the Boolean obfuscation value a is converted into a corresponding additive correction value α. As already mentioned, the value a depicts the mask according to a Boolean masking r.sub.1a=r.sub.1 ⊕a of the value r.sub.1. In the correction step, the Boolean mask a with the base value r.sub.1 is therefore converted into a corresponding additive mask α, for which it thus holds that r.sub.1a=r.sub.1+α. For this, the non-extended XOR2ADD formula and a further random obfuscation value z.sub.3 are used, so that the following relation (B) results:
α=((r.sub.1⊕a⊕z.sub.3)−(r.sub.1⊕z.sub.3))⊕a⊕((a⊕z.sub.3)−z.sub.3)

(17) In the embodiment example described here, the relation (B) depicts the second masking transition 18. The value r.sub.1 does not have to be explicitly used for the calculation of α, but the knowledge of the values r.sub.1a=r.sub.1⊕a and a is sufficient.

(18) Now, a further masking transition is required, which in the present embodiment example is based on the “outer” masking transition of the above-described experimental approach from (d+r.sub.1)⊕s.sub.2 to (d+r.sub.1)+r.sub.2. For this, the extended XOR2ADD formula and two further obfuscation values z.sub.4, z.sub.5 are used, so that the following relation designated as “(C0)” results:
r.sub.2=(((d+r.sub.1)⊕s.sub.2⊕z.sub.4⊕z.sub.5)−((d+r.sub.1)⊕z.sub.4⊕z.sub.5))⊕((s.sub.2⊕z.sub.4)−z.sub.4)⊕((s.sub.2⊕z.sub.5)−z.sub.5)

(19) Since it holds that x=(d+r.sub.1)⊕s.sub.2, the relation (C1) can also be written as a relation (C2) as follows:
r.sub.2=((x⊕z.sub.4⊕z.sub.5)−(x⊕s.sub.2⊕z.sub.4⊕z.sub.5))⊕((s.sub.2⊕z.sub.4)−z.sub.4)⊕((s.sub.2⊕z.sub.5)−z.sub.5)

(20) By using the two obfuscation values z.sub.4 and z.sub.5, no further protective measures against second-order side channel attacks are required. However, the result r.sub.2 is not yet the desired second additive mask r.sub.2a, because the use of the obfuscation value a has increased the first additive mask r.sub.1a, compared to r.sub.1, by the value α. This correction value α must now be subtracted from the result r.sub.2, so that the second additive mask r.sub.2a with r.sub.2a=r.sub.2−α results. In total, the second mask r.sub.2a is thus determined by the following relation (C3):
r.sub.2a=r.sub.2−α=(((x⊕z.sub.4⊕z.sub.5)−(x⊕s.sub.2⊕z.sub.4⊕z.sub.5))⊕((s.sub.2⊕z.sub.4)−z.sub.4)⊕((s.sub.2⊕z.sub.5)−z.sub.5)))−α

(21) In the embodiment example described here, the relation (C3) depicts the third masking transition 20.

(22) Altogether, the two additive masks r.sub.1a (according to relation (A2)) and r.sub.2a (according to relation (C3)) thus obtained form the desired result of the masking transition method 10, because it holds that:
x=d+r.sub.1+r.sub.2=d+(r.sub.1a−α)+(r.sub.2a+α)=d+r.sub.1a+r.sub.2a

(23) It is to be understood that in alternative embodiments various modifications of the embodiment example just described are possible. For example, the method can be modified in such a way that not the corrected value r.sub.2a is output as the second mask, but instead the uncorrected value r.sub.2 and separately therefrom the correction value α.

(24) Further, in the above-described embodiment example, besides the obfuscation value a five further obfuscation values z.sub.1, z.sub.2, z.sub.3, z.sub.4 and z.sub.5 are employed. In a simple but not very efficient implementation, independent random numbers can be used for these values. For optimization reasons, however, there are also provided implementations in which the obfuscation values are derived from fewer random numbers. Of course, one must make sure that the protection against spying out the method is not impaired. As can be seen from the two following exemplary implementations, however, it is possible to reduce the number of independent random numbers for the masking transition method 10 to three without compromising the protection against spying out.

(25) As already mentioned, various modifications of the masking transition method 10 are further provided, in which the masking transitions 16, 18 and 20—or parts thereof—are executed in a different order than that described above.

(26) In the following, two further embodiment examples of the masking transition method are depicted with reference to two exemplary implementations. In order to avoid misunderstandings, it should be noted that the naming conventions used in the following differ from those of the embodiment example described above.

(27) The first exemplary implementation starts out from the input values x, y and z, where y and z are Boolean masks and x is a masked representation of a base value d to be kept secret (which is not available as input value). Thus, it holds that x=d⊕y⊕z. Then the following method steps are executed:

(28) TABLE-US-00001 Select random obfuscation values r, s and a (step 1) t ← s ⊕ r (step 2) zs ← z ⊕ s (step 3) xr ← x ⊕ r (step 4) ztxr ← zs ⊕ x (step5) ztyr ← zs ⊕ y (step6) s11 ← ztxr − x (step 7) s12 ← ztyr − y (step 8) s13 ← s − z (step 9) ra ← r ⊕ α (step 10) s11ra ← s11 ⊕ ra (step 11) s112ra ← s11ra ⊕ s12 (step 12) r1ra ← s112ra ⊕ s13 (step 13) r1a ← r1ra ⊕ r (step 14) r1r ← r1ra ⊕ a (step 15) s31 ← r1ra − r1r (step 16) s32 ← ra − r (step 17) s31a ← s31 ⊕ a (step 18) alpha ← s3la ⊕ s32 (step 19) yt ← y ⊕ t (step 20) xry ← xr ⊕ y (step 21) s21 ← xry − x (step 22) s22 ← yt − s (step 23) s23 ← r − y (step24) s21s ← s21 ⊕ s (step 25) s212s ← s21s ⊕ s22 (step 26) r2s ← s212s ⊕ s23 (step 27) r2 ← r2s ⊕ s (step 28) r2a ← r2 − alpha (step 29) xm ← xr ⊕ s (step 30)

(29) As a result, one obtains the two additive masks r1a and r2a as well as a changed masked representation xm of the base value d. Altogether, it holds that:
xm=x⊕r⊕s=d⊕(y⊕r)⊕(z⊕s)=d+r1a+r2a

(30) The just described first implementation contains 29 elementary operations. However, the input-masked representation x differs from the output-masked representation xm. This is acceptable for many applications. For applications in which the masked representation is not to be changed by the masking transition, the following second implementation can be employed. This second implementation does not introduce any additional intermediate values and differs from the first implementation with regard to the naming of the input values and output values as well as with regard to the steps 1, 2, 4, 10 and 21.

(31) For the second exemplary implementation, the input values xm, yt and z are provided, where yt and z are Boolean masks and xm is a masked representation of the base value d to be kept secret. Thus, it holds that xm=d⊕yt⊕z. Then the following method steps are executed:

(32) TABLE-US-00002 Select random obfuscation values y, s and a (step 1′) t ← yt ⊕ y (step 2′) zs ← z ⊕ s (step 3′) x ← xm ⊕ t (step 4′) ztxr ← zs ⊕ x (step 5′) ztyr ← zs ⊕ y (step 6′) s11 ← ztxr − x (step 7′) s12 ← ztyr − y (step 8′) s13 ← s − z (step 9′) r ← t ⊕ s (step 10′) ra ← r ⊕ a (step 11′) s11ra ← s11 ⊕ ra (step 12′) s112ra ← s11ra ⊕ s12 (step 13′) r1ra ← s112ra ⊕ s13 (step 14′) r1a ← r1ra ⊕ r (step 15′) r1r ← r1ra ⊕ a (step 16′) s31 ← r1ra − r1r (step 17′) s32 ← ra − r (step 18′) s31a ← s31 ⊕ a (step 19′) alpha ← s31a ⊕ s32 (step 20′) xr ← x ⊕ r (step 21′) xry ← xr ⊕ y (step 22′) s21 ← xry − x (step 23′) s22 ← yt − s (step 24′) s23 ← r − y (step 25′) s21s ← s21 ⊕ s (step 26′) s212s ← s21s ⊕ s22 (step 27′) r2s ← s212s ⊕ s23 (step 28′) r2 ← r2s ⊕ s (step 29′) r2a ← r2 − alpha (step 30′)

(33) As a result, one obtains the two additive masks r1a and r2a. The masked representation xm of the base value d to be kept secret remains unchanged. Altogether, it holds that:
xm=d⊕(y⊕r)⊕(z⊕s)=d+r1a+r2a

(34) By numerical simulation for all input values with a width of 4 bits, it was proven for the two implementations just described that they are resistant to second-order side channel attacks.

(35) The correctness of the above first implementation can be illustrated as follows. According to the relation (A2) from the first embodiment example it holds that:
r.sub.1a=((x⊕s.sub.2⊕z.sub.1⊕z.sub.2)−(x⊕s.sub.1⊕s.sub.2⊕z.sub.1⊕z.sub.2))⊕((s.sub.1⊕z.sub.1)−z.sub.1)⊕((s.sub.1⊕z.sub.2)−z.sub.2)⊕a

(36) With z.sub.2:=z and s.sub.1:=z⊕s=zs there first follows that:
r.sub.1a=((x⊕s.sub.2⊕z.sub.1⊕z)−(x⊕S s.sub.2⊕z.sub.1))⊕((zs⊕z.sub.1)−z.sub.1)⊕(s−z)⊕a

(37) Through the substitution z.sub.1:=y it further results that:
r.sub.1a=((x⊕s.sub.2⊕y⊕z)−(x⊕s⊕s.sub.2⊕y))⊕((zs⊕y)−y)⊕(s−z)⊕a

(38) With x⊕s.sub.2:=x⊕y⊕s and a:=a, it finally results that:
r.sub.1a=((x⊕s⊕z)−x))⊕((zs⊕y)−y)⊕(s−z)⊕a

(39) However, this corresponds exactly to the value r1a calculated as the result of steps (2)-(14) of the first implementation, because it holds that:

(40) $\begin{matrix} r 1 a = s 11 \oplus s 12 \oplus s 13 \oplus a \\ = ((zs \oplus x) - x) \oplus ((zs \oplus y) - y) \oplus (s - z) \oplus a \end{matrix}$

(41) The same holds for to the value r.sub.2 according to the relation (C2):
r.sub.2=((x⊕z.sub.4⊕z.sub.5)−(x⊕s.sub.2⊕z.sub.4⊕z.sub.5))⊕((s.sub.2⊕z.sub.4)−z.sub.4)⊕((s.sub.2⊕z.sub.5)−z.sub.5)

(42) With s.sub.2:=y⊕r=yr and z.sub.5:=y one obtains:
r.sub.2=((x⊕z.sub.4⊕y)−((x⊕yr)⊕y⊕z.sub.4))⊕((yr⊕z.sub.4)−z.sub.4)⊕(r−y)

(43) Then, with z.sub.4:=s it finally results that:

(44) $\begin{matrix} r_{2} = ((x \oplus s \oplus y) - ((x \oplus yr) \oplus y \oplus s)) \oplus ((yr \oplus s) - s) \oplus (r - y) \\ = ((x \oplus r \oplus y) - x) \oplus ((y \oplus t) - s) \oplus (r - y) \end{matrix}$

(45) However, this corresponds exactly to the value r2 which was calculated according to steps (20)-(28) of the first implementation as follows:

(46) $\begin{matrix} r 2 = s 21 \oplus s 22 \oplus s 23 \\ = ((x \oplus r \oplus y) - x) \oplus ((y \oplus t) - s) \oplus (r - y) \end{matrix}$

(47) The method according to FIG. 1 and the embodiment examples, alternative embodiments and implementations described here are provided to be executed by a processor of a portable data carrier, in particular of a chip card or a chip module. The methods are implemented in the form of program commands which are contained in a ROM or an EEPROM or other memory of the data carrier.

Transition from a Boolean masking to an arithmetic masking

Assignee

Inventors

Cpc classification

Classification Explorer

G06F7/575

PHYSICS

Classification Explorer

H04L9/003

ELECTRICITY

Classification Explorer

G06F21/755

PHYSICS

Classification Explorer

G06F2207/7238

PHYSICS

Classification Explorer

H04L2209/046

ELECTRICITY

International classification

Classification Explorer

G06F21/75

PHYSICS

Classification Explorer

H04L9/00

ELECTRICITY

Abstract

Claims

Description