METHOD FOR PROTECTING A COMPUTER SYSTEM FROM SIDE-CHANNEL ATTACKS

20170141912 · 2017-05-18

    Abstract

    A method for protecting a computer system from side-channel attacks when using an encryption or decryption method for data packets of a data stream, wherein interruptions in the encryption or decryption method are generated by a random generator, where further computing operations are applied during the interruptions to already encrypted or decrypted data packets of the data stream or to data packets of the data stream which are yet to be encrypted or decrypted to generate random noise in the power consumption of the computer system.

    Claims

    1. A method for protecting a computer system from side-channel attacks when using an encryption or decryption method for data packets of a data stream, the method comprising: generating interruptions in the encryption or decryption method via a random generator; and applying further computing operations to already encrypted or decrypted data packets of the data stream or to data packets of the data stream which are yet to be encrypted or decrypted during the generated interruptions to generate random noise in power consumption of the computer system.

    2. The method as claimed in claim 1, wherein the further computing operations are part of an error-correction method.

    3. The method as claimed in claim 1, wherein the further computing operations are part of an algorithm for message authentication via a message authentication code.

    4. The method as claimed in claim 2, wherein the further computing operations are part of an algorithm for message authentication via a message authentication code.

    5. The method as claimed in claim 1, wherein, in cases of encryption, the data stream is initially subjected to the encryption method and then subjected to the further computing operations.

    6. The method as claimed in claim 2, wherein, in cases of encryption, the data stream is initially subjected to the encryption method and then subjected to the further computing operations.

    7. The method as claimed in claim 3, wherein, in cases of encryption, the data stream is initially subjected to the encryption method and then subjected to the further computing operations.

    8. The method as claimed in claim 5, wherein the further computing operations comprise an error-correction method.

    9. The method as claimed in claim 1, wherein, in cases of decryption, the data stream is initially subjected to the further computing operations and then subjected to the decryption method.

    10. The method as claimed in claim 2, wherein, in cases of decryption, the data stream is initially subjected to the further computing operations and then subjected to the decryption method.

    11. The method as claimed in claim 3, wherein, in cases of decryption, the data stream is initially subjected to the further computing operations and then subjected to the decryption method.

    12. The method as claimed in claim 5, wherein the further computing operations comprise an error-correction method.

    13. The method as claimed in claim 1, wherein a start and finish of the further computing operations are controlled by the encryption or decryption method.

    14. The method as claimed in claim 1, wherein, if the further computing operations are finished, but the encryption or decryption method is unfinished, the interruptions generated by the encryption or decryption method are filled with computing operations based on random data.

    15. The method as claimed in claim 2, wherein an error-correction method is performed with random data which are generated by the random generator.

    16. The method as claimed in claim 14, wherein an error-correction method is performed with random data which are generated by the random generator.

    17. A computer system, comprising: at least one encryption or decryption unit; a further computing unit arranged in series with the at least one encryption or decryption unit with respect to a data stream; and a random generator configured to generate interruptions in an encryption or decryption method in the encryption or decryption unit; wherein the encryption or decryption unit is operatively connected to the further computing unit such that, during the interruptions, the further computing unit applies further computing operations to already encrypted or decrypted data packets of the data stream or to data packets of the data stream which are yet to be encrypted or decrypted.

    18. The computer system as claimed in claim 17, wherein the random generator is operatively connected to the further computing unit such that, in an event that the further computing operations are completed, but the encryption or decryption method is not yet finished, the interruptions generated by the encryption or decryption method are filled with computing operations of the further computing unit based on random data from the random generator.

    19. The computer system as claimed in claim 17, wherein the computer system comprises a field-programmable gate array and the encryption or decryption unit and further computing unit are formed as a soft core or hard core.

    20. A non-transitory computer program product encoded with a program which is directly loadable into a computing unit of a computer system which, when executed by the computing unit, provides protection of the computer system from side-channel attacks when using an encryption or decryption method for data packets of a data stream, the computer program comprising: program code generating interruptions in the encryption or decryption method via a random generator; and program code for applying further computing operations to already encrypted or decrypted data packets of the data stream or to data packets of the data stream which are yet to be encrypted or decrypted during the generated interruptions to generate random noise in power consumption of the computer system.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0027] The following part of the description explains the invention in greater detail with reference to the figure, from which further advantageous refinements, details and further developments of the invention may be inferred, in which:

    [0028] FIG. 1 shows a schematic block diagram of part of a computer system according to the invention, where only those units of the computer system which are essential to the invention are shown, and further units, such as processors, input/output units, controllers, additional interfaces, storage devices, etc. may be and generally are present; and

    [0029] FIG. 2 is a flowchart of the method in accordance with the invention.

    DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

    [0030] FIG. 1 should be considered exemplary and, while being intended to represent the nature of the invention, is not intended to restrict it or reproduce it exhaustively.

    [0031] FIG. 1 shows only two computing units as part of the computer system, i.e., an encryption unit EnC, which is also designated encryption core, and a further computing unit, which here comprises an error-correction unit ErCC and is also designated error-correction core, together with a random number generator TRNG. The computer system for decryption generally has two further corresponding computing units, a further error-correction unit ErCC and a decryption unit, where, during decryption of the data, the error-correction unit ErCC is passed through first and then the decryption unit. These two computing units for decryption may again be formed in accordance with the invention, with a dedicated random number generator TRNG. It would also be conceivable for the units shown in FIG. 1, i.e., the encryption unit EnC, the error-correction unit ErCC and the random number generator TRNG, optionally also to perform decryption. Here, data flow would be in the other direction, i.e., the data would first pass into the error-correction unit ErCC and only subsequently into the encryption unit EnC, which in this case operates as a decryption unit.

    [0032] The encryption unit EnC (or decryption unit) and error-correction unit ErCC may each comprise a hard or soft core, while the computer system itself may comprise an application-specific integrated circuit (ASIC) or field-programmable gate array (FPGA).

    [0033] The random number generator TRNG (true random number generator) is a physical random number generator that utilizes physical processes for number generation. Pulse fluctuations in electronic circuits (for example, thermal noise from a resistor) are utilized for this purpose. In general, it is possible to use not only any natural sources that are based on physical effects and deliver very high quality, but also other asynchronous sources, such as atmospheric noise, CCD sensor noise, the fluctuation in the actual duration of a period of time measured with a timer, or voltage fluctuations at a Zener diode.

    [0034] The data stream now passes as an unencrypted data stream (plaintext) PT into the encryption unit EnC, where it is encrypted and exits the encryption unit EnC as an encrypted data stream (ciphertext) CT. The ciphertext is supplied to the error-correction unit ErCC, which creates the error-correcting code ECC for it and forwards the code, together with the encrypted data stream CT, outwards, such as by radio transmission or via electrical or optical lines.

    [0035] The same clock signal CL is supplied both to the encryption unit EnC and to the error-correction unit ErCC for synchronization, where one cycle corresponds to an execution cycle or an idle cycle. The random number generator TRNG now generates, based on the random numbers it has generated, a signal S that causes an interruption of the encryption method in the encryption unit EnC. The encryption unit EnC then sends a switching signal (enable) E to the error-correction unit ErCC, which starts the error-correction method. Once the specified duration of the interruption to the encryption method has finished, the switching signal E is switched off, finishing error correction until further notice and the encryption method restarts. Encryption is then not re-interrupted until the random number generator specifies a new interruption.

    [0036] Once the encryption method for a specified portion of the data stream is complete, error correction may be executed to completion without further interruptions for this portion.

    [0037] Should the error-correction method for a specified portion of data stream be completed before encryption is finished, the encryption method would no longer be masked. Accordingly, in the event that the error-correction method is finished, but the encryption method is not yet complete, the error-correction method must continue to be operated based on the random data (random input) RI during the interruptions in the encryption method. The random data RI for this purpose are generated by the random number generator TRNG and supplied to the error-correction unit ErCC. While the resultant error-correction code ECC is indeed generated, in order to generate the desired noise, it is not transmitted onward.
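    The cycle-level interplay of EnC, ErCC and TRNG described in [0035] to [0037] can be modelled in software. The following is an added example, not code from the patent: the function name `simulate`, the per-packet cycle counts, the stall probability and maximum stall length are assumptions, and Python's `random.Random` stands in for the physical TRNG. It models only the schedule (which unit is active in each clock cycle), not power consumption.

```python
import random

ENC_CYCLES = 10   # assumed: cycles EnC needs per data packet
ECC_CYCLES = 3    # assumed: cycles ErCC needs per data packet

def simulate(n_packets, stall_prob=0.3, max_stall=4, rng=None):
    """Return (trace, forwarded): activity per clock cycle and the packets
    whose error-correcting code was actually sent onward."""
    if not 0 <= stall_prob < 1:
        raise ValueError("stall_prob must be in [0, 1) so encryption can finish")
    rng = rng or random.Random()       # stand-in for the TRNG (assumption)
    trace, forwarded = [], []
    enc_done, enc_left = 0, ENC_CYCLES  # packets encrypted; cycles left in EnC
    ecc_pkt, ecc_left = 0, ECC_CYCLES   # packet in ErCC; cycles left in ErCC
    stall = 0                           # remaining cycles of the interruption
    while enc_done < n_packets:
        if stall == 0 and rng.random() < stall_prob:
            stall = rng.randint(1, max_stall)   # signal S: new interruption
        if stall:                               # EnC paused, enable E asserted
            stall -= 1
            if ecc_pkt < enc_done:              # ciphertext CT is waiting
                trace.append("ECC")
                ecc_left -= 1
                if ecc_left == 0:
                    forwarded.append(ecc_pkt)
                    ecc_pkt, ecc_left = ecc_pkt + 1, ECC_CYCLES
            else:                               # [0037]: ErCC runs on random input RI
                trace.append("DUMMY")           # code is computed but not transmitted
        else:
            trace.append("ENC")
            enc_left -= 1
            if enc_left == 0:
                enc_done, enc_left = enc_done + 1, ENC_CYCLES
    while ecc_pkt < n_packets:                  # [0036]: finish ECC uninterrupted
        trace.extend(["ECC"] * ecc_left)
        forwarded.append(ecc_pkt)
        ecc_pkt, ecc_left = ecc_pkt + 1, ECC_CYCLES
    return trace, forwarded

if __name__ == "__main__":
    trace, forwarded = simulate(4)
    # One letter per clock cycle: E = encryption, C = real ECC, D = dummy ECC
    print("".join({"ENC": "E", "ECC": "C", "DUMMY": "D"}[t] for t in trace))
    print("forwarded packets:", forwarded)
```

    Repeated runs place the `E` cycles at different positions in the trace while the total amount of encryption and real error-correction work stays constant, which is the misalignment the method relies on.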

    [0038] FIG. 2 is a flowchart of the method for protecting a computer system from side-channel attacks when using an encryption or decryption method for data packets of a data stream (PT). The method comprises generating interruptions in the encryption or decryption method via a random generator (TRNG), as indicated in step 210. Next, further computing operations are applied to already encrypted or decrypted data packets of the data stream or to data packets of the data stream which are yet to be encrypted or decrypted during the generated interruptions to generate random noise in power consumption of the computer system, as indicated in step 220.

    [0039] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.