Method for encoding data on a chip card by means of constant-weight codes

Abstract

The invention relates to a data-processing method that includes encoding a plurality of data of n bits into code words having a predefined constant Hamming weight, characterized in that said method also includes using (4000) encryption operations or arithmetic operations on the resulting code word(s) and also in that encoding each datum includes: decomposing (100) the datum into a plurality of m bit sequences to be encoded, m strictly being less than n; encoding (300) each bit sequence into a partial code word, each having a predefined Hamming weight, such that the sum of the Hamming weights of the partial code words are equal to the Hamming weights of the code word; and concatenating (300) the partial code words such as to produce the code word corresponding to the datum. The invention also relates to a data transmission method and to an electronic circuit configured to implement said methods.

Claims

1. A data-processing method carried out in an electronic circuit in order to secure the electronic circuit against side channel attacks or detect attacks by injection of errors, comprising encoding a plurality of data (D) of n bits into code words (M) having a predefined constant Hamming weight, further comprising encryption operations or arithmetical operations on the code word(s) obtained, and in that the encoding of each datum (D) comprises: decomposition of the datum into a plurality of m sequences of bits (d.sub.1, . . . , d.sub.m) to be coded, m being strictly less than n, coding of each sequence of bits into a partial code word having each a predefined Hamming weight, such that a sum of the Hamming weights of the partial code words (m.sub.1, . . . , m.sub.m) is equal to the Hamming weight of the code word (M), and concatenation of partial code words (m.sub.1, . . . , m.sub.m) to obtain the code word (M) corresponding to the datum (D), wherein the data (D) comprise 4 bits, each datum being decomposed into a first sequence of 3 bits, and a second sequence of one bit, the first sequence being coded in a partial code word of 5 bits size and of Hamming weight equal to 2 or 3, and the second sequence of one bit being coded in a partial code word of 2 bits size and Hamming weight equal to 1.

2. The data-processing processing method according to claim 1, wherein the code word obtained has a size strictly less than 2n bits.

3. The data-processing processing method according to claim 1, wherein the data (D) has a size n which is a power of 2 bits.

4. The data-processing processing method according to claim 1, wherein the sequences of bits (d.sub.1, . . . , d.sub.m) have a size which is a power of 2 bits.

5. The data-processing method according to claim 1, the encoding being performed by a first processing unit, the method further comprising transmission to a second processing unit of at least one code word (M) obtained from the datum or data (D) and the encryption operations or the arithmetical operations being executed on said at least one code word (M) by the second processing unit.

6. The data-processing method according to claim 5, further comprising verification, by the second processing unit, of a value of the Hamming weight of the received code word.

7. The data-processing method according to claim 1, wherein the arithmetical operations or the encryption operations take carried out on at least one code word, and produces at output a result coded of the operation applied to the datum corresponding to the code word.

8. The data-processing method according to claim 1, wherein the arithmetical operations or the encryption operations comprise linear operations applied to at least one code word, and said linear operations comprise: generation of at least one table taking at least one partial code word at input, and producing at output the result of the operation applied to the partial code word(s), decomposition of each code word on which the operation is performed into partial code words, and calculation of the operation by application of partial code words to the tables, and concatenation of the results obtained.

9. The data-processing method according to claim 1, wherein the arithmetical operations or the encryption operations are non-linear, wherein a non-linear operation comprises: generation of at least one table taking at input at least one partial code word of at least one code word, and producing at output a coded result of the operation applied to at least one complete datum from which the partial code words are drawn, decomposition of each code word on which the operation is performed into partial code words, and, calculation of the operation by application of partial code words to the tables.

10. The data-processing method according to claim 1, wherein encryption operations or arithmetical operations are processing steps of cryptographic algorithms, calculation algorithms of hashing functions, or integrity calculation algorithms adapted to receive said code words at input.

11. An electronic circuit comprising an encoding module comprising a processing unit adapted to encrypt data of n bits into code words having a predefined constant Hamming weight and for implementing on said code words encryption operations or arithmetical operations 1, wherein the encryption of each datum (D) comprises: decomposition of the datum into a plurality of m sequences of bits to be coded, m being strictly less than n, coding of each sequence of bits into a partial code word having each a predefined Hamming weight, such that a sum of the Hamming weights of the partial code words is equal to the Hamming weight of the code word (M), and concatenation of the partial code words to obtain the code word (M) corresponding to the datum (D), wherein the data (D) comprise 4 bits, each datum being decomposed into a first sequence of 3 bits, and a second sequence of one bit, the first sequence being coded in a partial code word of 5 bits size and of Hamming weight equal to 2 or 3, and the second sequence of one bit being coded in a partial code word of 2 bits size and Hamming weight equal to 1.

12. The electronic circuit according to claim 11, wherein the encoding module further comprises data transmission means, and the circuit further comprises: a decoding module comprising a processing unit adapted to decode a code word transmitted by a first module, and an error signal generation module, adapted to generate an error signal when the Hamming weight of a code word transmitted by the first module is different to a predefined Hamming weight.

13. A smart card comprising an electronic circuit according to claim 11.

Description

DESCRIPTION OF FIGURES

(1) Other characteristics, aims and advantages of the present invention will emerge from the following detailed description, with respect to the appended figures, given by way of non-limiting examples and in which:

(2) FIG. 1 schematically illustrates an example of an electronic component processing a datum or several secret data,

(3) FIG. 2 illustrates the principal steps of an embodiment of an encryption method.

(4) FIG. 3 illustrates an example of the implementation of the encryption method.

(5) FIG. 4 illustrates the principal steps of an embodiment of a data processing method.

DETAILED DESCRIPTION OF AT LEAST ONE EMBODIMENT

(6) Computer Unit for Encryption of Data

(7) In reference to FIG. 1, an example of a computer unit is shown, that is able to encode data, including especially secret data, and to conduct operations from said data. This computer unit is advantageously a smart card 1, which comprises an electronic circuit comprising an encryption module 10 and a decoding module 20. Alternatively, the encoding module and the decoding module can belong to two separate computer units connected together to authorise communication of data.

(8) The encoding module 10 is advantageously integrated into a processor of the smart card, and the decoding module can be integrated into a peripheral such as memory or a coprocessor of the smart card.

(9) The encoding module 10 comprises data transmission means, for example a data communication bus 11, and a processing unit 12, adapted for implementing encryption and encoding operations on data, said unit being advantageously an arithmetic and logic unit (ALU). An arithmetic and logic unit is a circuit integrated into a processor for performing calculations on data.

(10) The module 20 comprises data reception means 21 such as a data reception bus, as well as a processing unit 22 configured to decode data received from the encoding module, the unit being advantageously an arithmetic and logic unit 22.

(11) Data Encryption Method

(12) In reference to FIG. 2, the processing unit 12 of the encoding module 10 is adapted to encode a plurality of data, including especially secret data, so that these data are not obtained during their use by a side channels attack.

(13) For a datum D of size equal to n bits, where n is a power of 2, the encoding method 1000 comprises a step 100 consisting of splitting the datum into several sequences of bits of size less than n, advantageously into m sequences of bits d.sub.1, . . . , d.sub.m, m being strictly less than n. There is therefore at least one sequence of bits comprising at least two bits. This decomposition of the datum is a partition, that is, no bit of the datum is present in two sequences of bits.

(14) This decomposition reduces the size of each sequence of bits for later calculation of binary operations having two operands such as for example the exclusive or.

(15) The sequences of bits obtained exhibit a size equal to a power of two bits. This creates a good compromise between the capacity for detection of errors and the memory occupied by the method. For example, FIG. 3 shows a datum D of a length of n=8 bits, split into two sequences of bits d.sub.1, d.sub.2 of 4 bits each.

(16) According to another example, a datum of a length of n=4 bits is split into two sequences of 2 bits each.

(17) During a step 200, the processing unit encodes the datum by means of a constant weight code to obtain a corresponding code word M, having constant and determined Hamming weight .

(18) Hereinbelow, x,y-code is the function which transforms a datum into a datum of Hamming weight x on y bits. The entire image of this function therefore contains

(19) $(\begin{matrix} y \\ x \end{matrix})$
elements. x.sub.1,y.sub.1-x.sub.2,y.sub.2-code is also the coding of a first part of a datum by a x.sub.1,y.sub.1-code and of its second part by a x.sub.2,y.sub.2-code.

(20) The entire image of this function therefore contains

(21) $(\begin{matrix} y_{1} \\ x_{1} \end{matrix}) (\begin{matrix} y_{2} \\ x_{2} \end{matrix})$
elements.

(22) According to the above notation, to realise encoding of the datum the processing unit uses encoding of type x.sub.0,y.sub.0-x.sub.1,y.sub.1- . . . -x.sub.m,y.sub.m-code, where m>0 is the number of sequence of bits into which the datum has been decomposed. In other terms, the processing unit encodes during step 200, by means of constant weight coding, each sequence of bits d.sub.1, . . . , d.sub.m of the datum to form a corresponding partial code word m.sub.1, . . . m.sub.m.

(23) Referring again to the example of FIG. 3, the sequences of bits d.sub.1, d.sub.2 are encoded each by means of a 3,6-code to obtain respective code words m.sub.1, m.sub.2.

(24) The code word M corresponding to the total datum D is the concatenation of partial code words m.sub.1, . . . m.sub.m, realised by the processing unit during a step 300.

(25) Highly advantageously, the sum of y.sub.m, that is, lengths (in bits) of partial code words which correspond to the total length in bits of the code word obtained, is strictly less than 2n. This creates a shorter code word than especially in the Dual Rail method, making it simpler for implementing in a low-memory computer system such as a smart card.

(26) Examples of preferred codes for the implementation of the method are also given; in the event where the size of the data D to be encrypted is 4 bits, a 3,5-1,2-code or a 2,5-1,2-code, is preferably used, with possible permutation of the first and of the second codes, that is to say that the datum D is decomposed into a sequence of 3 bits, then one bit. The first sequence being coded into a partial code word of 5 bits size and of Hamming weight equal to 2 or 3, and the remaining bit being coded in a partial code word of 2 bits size and of Hamming weight equal to 1.

(27) In the event where the size of the data D to be encoded is 8 bits, a 3,6-3,6-code is preferably used, the datum D is decomposed into two sequences of bits of 4 bits, each being coded into a partial code word of 6 bits and of Hamming weight equal to 3, as in the example of FIG. 3.

(28) The Data Processing Method

(29) The data encoding method 1000 described hereinabove enables secure transmission of secret data from one module to another, for later use, for example during encryption operations.

(30) It also executes encryption operations and/or arithmetical operations on the encrypted data, by processing units having low calculation capacities, such as smart cards..sup.2

(31) FIG. 4 illustrates a data-processing method comprising encoding, transmission, and later exploitation of transmitted data.

(32) In the example of a smart card comprising an encoding module 10 and a decoding module 20 as illustrated in FIG. 1, a first data transmission step comprises encoding 1000 of said data by the processing unit 12 of the decoding module 20.

(33) During a step 2000, the data communication bus 11 transfers to the receiving bus 21 of the decoding module 20 the code words obtained by encoding of data.

(34) Advantageously, the smart card can also comprise an error signal generation module 30, which can be integrated into the decoding module (as illustrated in FIG. 1) or connected to the latter. Advantageously, but optionally, during a step 3000 this module 30 verifies that the Hamming weight of code words transmitted by the encoding module is equal to the Hamming constant weight which is agreed prior to the implementation of the transmission method.

(35) If the Hamming weight of a code word differs from the Hamming weight , or if the received code word does not corresponds to the expected word (even though having the Hamming weight ) the module 30 detects an error signal during a step 3100. The verification step of the Hamming weight especially allows detecting an attack by error injection, which would consequently modify the Hamming weight of the transmitted data.

(36) If the Hamming weight complies with the expected weight, the processing unit 22 decodes the code words and/or exploits them for implementing an encryption operation or an arithmetic operation, for example of Boolean type, during a step 4000.

(37) The results of arithmetical or encryption operations applied to the non-coded data can be obtained from code words generated from said data, as described hereinbelow.

(38) Alternatively, decoding and/or exploitation 4000 of code words for the implementation of an encryption operation is carried out without previously verifying the exactness of the code words.

(39) Alternatively, the encryption and/or the arithmetical operations 4000 can be carried out by the first processing unit without or prior to implementing a step 2000 for transmission of data to the second processing unit.

(40) For example, an encryption operation can be a step of a cryptographic algorithm such as AES (for Advanced Encryption Standard) or LED, of an algorithm of hashing function calculation such as for example SHA-1,SHA-2 or the future SHA-3, or even an algorithm for integrity calculation such as cyclic redundancy control (known as the acronym CRC) or LRC (longitudinal redundancy check), such an algorithm having been previously adapted to receive as input the code words obtained by the method described hereinabove.

(41) Several types of adaptations can be made as a function of the nature of operations executed in the algorithms.

(42) In many algorithms, arithmetical operations are pre-calculated in the form of tables or truth tables.

(43) In the event where encryption functions are non-linear functions, adaptation of the function to the code words consists of picking up the pre-calculated tables and adapting them to calculation by taking as inputs and outputs the values corresponding to the code words on which calculation is based. In other terms, at least one table is generated having as inputs the partial code words, on the basis of which calculation or the complete code word is done, and providing at output the coded result of the operation applied to the complete non-coded datum, which is the concatenation of sequences of bits from which the partial code words are drawn. The operation is therefore applied to all partial code words.

(44) For example, a datum designated A comprises concatenation of two sequences of bits a.sub.0, a.sub.1 of respective sizes L.sub.0 and L.sub.1. B is a datum comprising the concatenation of two sequences of bits b.sub.0, b.sub.1, of respective sizes L.sub.0 and L.sub.1.

(45) Noted are A=a.sub.1a.sub.0, and B=b.sub.1b.sub.0, where is the concatenation symbol.

(46) Let K.sub.0 be a code taking L.sub.0 bits as input providing as output a code word of size lk.sub.0 bits, and K.sub.1 a code taking L.sub.1 bits at input, and providing at output a code word of size lk.sub.1 bits.

(47) Noted are CW(A)=K.sub.1(a.sub.1)K.sub.0(a.sub.0), and CW(B)=(b.sub.1)K.sub.0(b.sub.0), which are of size lk.sub.0+lk.sub.1 bits.

(48) A first example of calculation of a non-linear operation is given for a function having a single operand. As this function is called NLF, a table T_NLF is pre-calculated, giving: T_NLF [CW(A)]=CW (NLF (A)).

(49) In other terms, T_NLF is a table taking at input a complete code word CW(A) and providing at output the code word obtained by identical encryption of the image of A by the function NLF.

(50) A second example is given for calculation of a function having two operands, for example the addition modulo 2.sup.L0+L1.

(51) Three defined tables are generated, as follows:

(52) ADD-K.sub.0[K.sub.0(a), K.sub.0(b)]=K.sub.0[(a+b) modulo 2.sup.L0]

(53) This table takes at inputs two data coded by K.sub.0, and produces at output the rest of the Euclidian division of the sum of two data by 2.sup.L0, coded by K.sub.0.

(54) REM-K.sub.0[K.sub.0(a), K.sub.0(b)]=K.sub.1[(a+b)/2.sup.L0]

(55) This table takes at inputs two data coded by K.sub.0, and produces the quotient of the Euclidian division of the sum of two data by 2.sup.L0, coded by K.sub.1, ADD-K.sub.1[K.sub.1(a)K.sub.1(b)]=K.sub.1[(a+b) modulo 2.sup.L1]

(56) This table takes at inputs two data coded by K1, and produces the rest of the Euclidian division of the sum of two data by 2.sup.L1, coded by K1.

(57) Obtaining CW(A+B modulo 2.sup.L0+L1) starting out from CW(A) and CW(B) will now be described.

(58) CW(A+B modulo 2.sup.L0+L1) is the encryption of A+B modulo 2.sup.L0+L1. By repeating the same notations as previously:
A+B=a.sub.1a.sub.0+b.sub.1b.sub.0=(a.sub.1+b.sub.1).Math.2.sup.L0+a.sub.0+b.sub.0
This can be noted: X.Math.2.sup.L0+L1+Y.Math.2.sup.L0+R.sub.0, therefore A+B mod 2.sup.L0+L1: Y.Math.2.sup.L0+R.sub.0.
Where: R.sub.0 is the result of a.sub.0+b.sub.0 modulo 2.sup.L0, that is, the rest of the Euclidian division of a.sub.0+b.sub.0 by 2.sup.L0 X is the quotient of the Euclidian division of a+b by 2.sup.L0+L1 Y is the result of a+b modulo 2.sup.L0-L1, that is, the rest of the Euclidian division of a+b by 2.sup.L0+L1, which decomposes into C.sub.0+R.sub.1, where C.sub.0 is the quotient of the Euclidian division of a.sub.1+b.sub.1 by 2.sup.L1, and R.sub.1 is withholding of the addition a.sub.0+b.sub.0 modulo 2.sup.L0.
CW(A+B modulo 2.sup.L0+L1) is therefore equal to K.sub.1(Y)+K.sub.0(R.sub.0). To obtain this from CW(A) and CW(B), the following are calculated with the tables introduced hereinabove:
K.sub.0(R.sub.0)=ADD-K.sub.0[K.sub.0(a.sub.0),K.sub.0(b.sub.0)]
K.sub.1(C.sub.0)=REM-K.sub.0[K.sub.0(a.sub.0),K.sub.0(b.sub.0)]
K.sub.1(R.sub.1)=ADD-K.sub.1[K.sub.1(a.sub.1),K.sub.1(b.sub.1)]
K.sub.1(Y)=ADD-K.sub.1[C.sub.0,R.sub.1]
This gives CW((A+B) modulo 2.sup.L0+L1)=K.sub.1(Y)K.sub.0(R.sub.0).

(59) In the event where encryption functions are linear functions, this adaptation step for exploitation or decoding of code words can for example be completed by decomposing the code word M into the partial code words m.sub.1, . . . , m.sub.m which compose them, and by performing the operation on each of the partial code words prior to concatenating the results obtained.

(60) In the case of a function having several operands, each code word on which the operation is implemented is decomposed into its partial code words, and the operation is applied separately on the corresponding partial code words of each code word.

(61) So for example, performing an operation of exclusive or (XOR) type on two encoded data comprises performing exclusive or operations on each partial code word.

(62) With the same notation as previously, the function exclusive or applied to two concatenated data is designated XOR-K.sub.0, coded by K.sub.0, and which sends back their XOR in representation coded by K.sub.0. Similarly with XOR-K.sub.1 which applies to data coded by K.sub.1 and sends back their XOR in representation coded by K.sub.1.
XOR-K.sub.0[K.sub.0(a),K.sub.0(b)]=K.sub.0[a XOR b]

(63) The result of A XOR B in coded form is therefore calculated as follows:
R.sub.0=XOR-K.sub.0[K.sub.0(a.sub.0),K.sub.0(b.sub.0)]
R.sub.1=XOR-K.sub.1[K.sub.1(a1),K.sub.1(b.sub.1)]
R=R.sub.1R.sub.0.

(64) R is the same form as CW(A) and CW(B), that is, the concatenation of two code words coded respectively by K.sub.1 and K.sub.0.

(65) In the present case, the pre-calculated tables present sizes adapted to those of partial code words used for arithmetical operations. By way of non-limiting example, for code words M of type 2,5-1,3-2,5-code, to be used for the implementation of an or exclusive operation, two tables of type A XOR B are precalculated, one for A and B of Hamming weight 2 on a size of 5 bits, and one for A and B of Hamming weight 1 on a size of 3 bits.

(66) In the same way, if the processing unit intends to decode the code words, it separates each code word M into partial code words m.sub.1, . . . , m.sub.m, and on each partial code word executes decoding corresponding to encoding used to obtain it. The decoding algorithm depends of course on the encoding algorithm used previously.

(67) By way of non-limiting examples, other possibilities of encoding and decoding within the scope of the method described hereinabove are described hereinbelow.

(68) According to a first example, the aim is to code data of a starting set E containing the whole numbers from 0 to 15, that is, the binary whole numbers represented on 4 bits.

(69) The set of words of weight 3 from 6 bits is selected as input code, which is the following: {7, 11, 13, 14, 19, 21, 22, 25, 26, 28, 35, 37, 38, 41, 42, 44, 49, 50, 52, 56}. This set comprises 20 elements; it is therefore adapted to code the set E which contains 16. The set of the 16 first elements of the preceding code is designated J. In binary J=[111, 1011, 1101, 1110, 10011, 10101, 10110, 11001, 11010, 11100, 100011, 100101, 100110, 101001, 101010, 101100].

(70) Associated with the element E[a] (a-th element of E) is the element J[a].

(71) If the table J is saved in memory, this produces the coding method, which is a simple access to a table. A word a is coded by accessing in memory the value J[a].

(72) For decoding, table K is created, of size 2.sup.6 elements (=64), which at placement J[i], i going from 0 to 15, will take the value of i.

(73) This gives K[J[i]]=i, therefore decoding of the code word of i produces i itself. Table K is written as [X, X, X, X, X, X, X, 0, X, X, X, 1, X, 2, 3, X, X, X, X, 4, X, 5, 6, X, X, 7, 8, X, 9, X, X, X, X, X, X, 10, X, 11, 12, X, X, 13, 14, X, 15, X, X, X, X, X, X, X, X, X, X, X, X, X, X, X, X, X, X, X], where X is a value which is not in the starting set E.

(74) For a word of 8 bits M to be coded, this word is split into two sequences of 4 bits each, each coded on 6 bits as described previously, then the partial code words obtained are concatenated.

(75) For operations on the code word, a table is prepared which receives at input the partial code words and at output supplies the result of the operation applied to concatenation of the partial code words.

(76) Other possibilities of encoding and decoding of data applicable within the scope of the present invention are known and are available to those skilled in the art.

Method for encoding data on a chip card by means of constant-weight codes

Assignee

Inventors

Cpc classification

Classification Explorer

G06F11/10

PHYSICS

Classification Explorer

G09C1/00

PHYSICS

Classification Explorer

H04L9/06

ELECTRICITY

Classification Explorer

H04L9/004

ELECTRICITY

Classification Explorer

H04L9/003

ELECTRICITY

Classification Explorer

G06F21/755

PHYSICS

Classification Explorer

H04L2209/34

ELECTRICITY

Classification Explorer

H03M7/20

ELECTRICITY

Classification Explorer

G06K19/07309

PHYSICS

International classification

Classification Explorer

G06F21/75

PHYSICS

Classification Explorer

H03M7/20

ELECTRICITY

Classification Explorer

G06K19/073

PHYSICS

Classification Explorer

G06F11/10

PHYSICS

Classification Explorer

H04L9/00

ELECTRICITY

Classification Explorer

H04L9/06

ELECTRICITY

Classification Explorer

G09C1/00

PHYSICS

Abstract

Claims

Description