DE102014004378A1 - Memory Efficient Side Channel Protected Masking - Google Patents

Abstract

The invention provides a method, in a processor, for performing a cryptographic calculation. When performing the calculation, a basic masking is used, by which intermediate values are included as masked intermediate values in the calculation. When performing the calculation, folding and secondary masking are additionally used. When folding, the masked intermediate value is calculated using the unmasked intermediate value and at least one second intermediate value. In the secondary masking, for each intermediate value masked by the base mask, the calculation is performed randomly with either the masked intermediate value or the one's complement of the masked intermediate value.

Description

The invention relates to a method of performing a cryptographic computation using a cryptographic key protected against spying on the key via side channel attacks.

Cryptographic calculations are z. Frequently performed by general purpose processors (CPUs), alternatively often by crypto co-processors, which are dedicated processors to the general processors. In particular, smart cards for payment or mobile applications often have processors (CPUs) with crypto coprocessors. Many smart cards for payment or mobile applications have crypto coprocessors specifically designed for DES or AES (see next paragraph).

Through a cryptographic calculation, input data is processed into output data using a secret key, e.g. For example, plain text data (input data) is encrypted with a key to cipher data (output data) or, conversely, cipher data (input data) is decrypted with a key to plain text data (output data). Examples of symmetric (encryption key = decryption key) cryptographic calculations are the algorithms DES (Data Encryption Standard) and AES (Advanced Encryption Standard).

In the AES, which is divided into several rounds (eg 10, 12 or 14), the input data and the key are divided into blocks and processed in blocks. Within each round, the data is processed byte by byte, so that in each case an input data byte (plaintext byte for encryption or cipher text byte for decryption) is processed with a key byte.

So z. For example, with an AES encryption that is in 2 is shown schematically in excerpts, a plaintext P with a key K to a ciphertext C encrypted. The plaintext P = pp ... ppp consists of a sequence of plaintext bytes p, the key K = kk ... kkk from a sequence of key bytes k. At the entrance of each round (in 2 shown in extracts are the first two rounds R = 1 and R = 2), a partial calculation is carried out, based on the example of a DPA attack is described later. In the sub-calculation, a plaintext byte p with a key byte k is used (p ⊕ k), the result of the corruption is inserted in a (substitution) table S (S-box) and thereby an intermediate value x = S through a table access to the table S [p ⊕ k] is calculated. The intermediate value x is fed within the round to further computation steps such as ShiftRow, MixColumn, in 2 not shown. Key expansions and selection of key bits performed at AES are in 2 also not shown. Table accesses are particularly vulnerable to DPA attacks.

Because the power consumption of a processor (eg, in a smart card) depends on the data being processed, processor-implemented cryptographic computations are prone to side-channel attacks in which the time-resolved power consumption of the processor is measured while performing the computation. Most of the power consumption depends more exactly on the Hamminggewicht of the data, d. H. from the number one in the data in binary representation. The power consumption of the processor during the execution of the calculation, recorded against the elapsed time during the calculation, is called the current curve. Current curves of a processor for a calculation are recorded, for example, by means of an oscilloscope.

In a DPA (Differential Power Analysis) attack, sometimes referred to as Correlation Power Attack (CPA), a plurality of current waveforms (eg, about 1000) are recorded and synchronized for structurally equal computation performed with randomly varying input data. In the calculation, output data is calculated using known input data and a secret key. For each possible value of the key, a time-resolved correlation curve between the synchronized current curves and the Hamming weight HW of the output data obtained with each key is calculated. The correlation curves for wrong keys consist of a more or less uniform noise, similar to the one in 1b shown correlation curve. The correlation curve for the key with which the calculation was performed has a statistical abnormality in the form of a peak ("peak") at a previously unknown time, similar to the one in 1a shown correlation curve.

In a DPA attack of higher (second, third, fourth, ...) order, current curves are recorded at several (two, three, four, ...) times in the time course of the calculation. [PRB10] describes a second-order DPA attack.

In case of a DPA attack on the partial calculation of the AES 2 a plaintext byte p of the known key K with a key byte k of the secret key K verxort (p ⊕ k), the result of Verxorung in the 256-byte substitution table S (S-box) is inserted and thereby by table access the intermediate value x = S [ p ⊕ k]. The attacker records approximately 1000 partial calculation power curves (p varies, k remains the same), synchronizes them, and calculates the correlation curve between the synchronized measured current curves and the Hamming weight HW (x ) of the intermediate value x calculated with the respective key byte k. The correlation curves for wrong key bytes consist of a more or less uniform noise, similar to the ones in 1b shown correlation curve. The correlation curve for the correct key byte that performed the calculation has a rash at a previously unknown time, similar to the one in 1a shown correlation curve. This procedure is performed with each key byte k of the key K until the key K is reconstructed byte by byte.

und einerkomplementierten Klartextbytes und Schlüsselbytes. Werden für einen Angriff ungefähr 1000 Durchführungen der kryptographischen Berechnung durchgeführt, wird statistisch in je der Hälfte mit dem Zwischenwert x und dem Einerkomplement x gerechnet. Für das Hamminggewicht HW(x) der komplementierenden Teilberechnung x = S'[p ⊕ k] gilt die Formel HW(x) = 8 – HW(x), in der das Hamminggewicht HW(x) der nicht-komplementierten Berechnung mit negativem Vorzeichen vorkommt. Hierdurch heben sich bei Zufallssteuerung im Mittel Korrelationen zwischen den Stromkurven und dem mit dem Schlüssel erzielten Rechenergebnis auf. Somit ergibt sich für zufallsgesteuertes Rechnen mit dem Zwischenwert x = S[p ⊕ k] oder dem komplementierten Zwischenwert x = S'[p ⊕ k] auch beim Rechnen mit dem richtigen Schlüsselbyte eine Korrelationskurve wie die in 1b gezeigte, wie sie ohne Abwehrmaßnahmen nur für ein falsch geratenes Schlüsselbit entsteht. Die Durchführung der Berechnung zufallsgesteuert mit dem Zwischenwert x = S[p ⊕ k] oder dem komplementierten Zwischenwert x = S'[p ⊕ k] ist somit resistent gegen den oben beschriebenen DPA-Seitenkanalangriff mit Korrelationsberechnung. Zudem ist die 00/FF-Maskierung speichersparend.According to an in-house unpublished state of the art, "00 / FF masking" is provided as a countermeasure against DPA attacks. In this case, an intermediate result of a partial calculation in the calculation is randomly calculated either directly, so that the intermediate result is generated, or computed computed, so that the one's complement of the intermediate result is calculated. If necessary, the input data (plaintext or ciphertext) and the key have to be complemented randomly independently of each other and the output data (ciphertext or plaintext) must be complemented at the output of the calculation. For example, the calculation is thus carried out randomly in such a way that a partial calculation x = S [p ⊕ k] is carried out, or a complementary partial calculation x = S '[ p ⊕ k ] is performed with a complemented S-box S '[x] =

and one complemented plaintext bytes and key bytes. If approximately 1000 executions of the cryptographic computation are performed for an attack, it will be statistically divided into half each with the intermediate value x and the one's complement x expected. For the Hamming weight HW ( x ) the complementing part calculation x = S '[ p ⊕ k ] the formula applies HW ( x ) = 8 - HW (x), in the Hamming weight HW ( x ) the non-complemented calculation with a negative sign occurs. As a result, correlations between the current curves and the calculated result obtained with the key cancel each other out at random control on average. This results in randomized arithmetic with the intermediate value x = S [p ⊕ k] or the complemented intermediate value x = S '[ p ⊕ k ] even when calculating with the right key byte a correlation curve like the one in 1b showed how it arises without defensive measures only for a wrong guess key bit. Performing the calculation randomly with the intermediate value x = S [p ⊕ k] or the complemented intermediate value x = S '[ p ⊕ k ] is thus resistant to the DPA side channel attack with correlation calculation described above. In addition, the 00 / FF masking saves memory.

The calculation of the 1's complement of a value is carried out optionally by forcing the value with hexadecimal FF (other notation: 0xff), the provision of the value itself in this case optionally by verifying with 0 at the same place in the calculation process, at the 1er Complement with FF is being carried out. Verxoring with FF complements a value. By zeroing the value remains unchanged. Performing a forgery in both cases disguises when the value and when the 1's complement of the value is used. From this way of carrying out the random control results the name "00 / FF masking".

In a varied DPA attack, instead of the correlation, another statistic is computed, such as variance or a one-dimensional Kolmogorov-Smirnov statistic. As a result, the statistical abnormalities do not average out when using the correct key byte, even if randomly with the intermediate value x = S [p ⊕ k] or the complemented intermediate value x = S '[ p ⊕ k ] is expected. Thus, it is still recognizable when the right key is expected.

Another countermeasure against DPA attacks is XOR masking, which can be found in, for example, DE 198 22 217 A1 is described, and wherein instead of input data E with a random number r verxorte input data E '= E ⊕ r are processed.

For XOR masking, it is important that all intermediate values are always masked. If carelessly masked, this is not the case. Is the AES in a sub-calculation, z. B. those from 2 , an encryption of a masked plaintext byte p '= p ⊕ r performed with a masked key byte k' = k ⊕ r, (p ⊕ r) ⊕ (k ⊕ r) = p ⊕ k = x, that is an unmasked encryption result or Intermediate result x. That all intermediate results are masked, and never unmasked intermediate results occur, for example, achieved by different masking of input data and keys. For example, the input data (plaintext or ciphertext) with two random numbers r, s masked, the key is masked with only a random number r and a compensation masking performed. For example, masking is performed according to (((p⊕r) ⊕s) ⊕ (k⊕r)) ⊕ (r⊕s) = p⊕k⊕r = x⊕r = x _XOR . The plaintext byte p is thus masked with r and s, the key byte is masked only with s, and in addition the compensation masking with both random numbers r, s is performed. As a result, instead of the intermediate result x, an intermediate result x _XOR = x ⊕ r masked with r appears, cf. 3 , A calculation with careful XOR masking is resistant to the DPA attack described above, regardless of the statistics used (eg, correlation, variance, one-dimensional Kolmogorov-Smirnov statistic). The intermediate result of the partial calculation 2 is calculated according to S '[x] = S [x ⊕ r1] ⊕ r2, with r1, r2 independent random numbers. From this it can be seen that a separate substitution table (S-box) S 'is required for all values of the random numbers r1 and r2. Optionally, for each possible value of the random number r (= r1 or r2), a substitution table (S-box) S 'masked with r is stored (eg in the chip card or the processor), ie in a 256-byte substitution table (S-box) z. For example, 256 different 256-byte tables. Alternatively, the substitution table (S-box) is calculated only after the determination of the random number r, preferably in a RAM allocated to the processor. However, this costs computing time and possibly memory space in the RAM RAM. In the course of the implementation of the algorithm, for. AES, for example, and once the random number is set, the same substitution table will always be used. In the example off 2 Thus, the same substitution table is used for all plaintext bytes p of the plaintext P and key bytes k of the key K. As a result, are in the sub-calculation off 2 , carried out for different plaintext bytes p, p 'and key bytes k, k', ie at different times t, t 'in the AES, the calculated intermediate value x _XOR = S [p ⊕ k] ⊕ r or x' _XOR = S [p '⊕ k'] ⊕ r is masked by the same access number r, which is a weak point.

The fact that the same table (eg AES S-Box) is used in all table calls during XOR masking can be used for a higher-order DPA attack, as used for AES z. As described in [PRB10]. In the second-order DPA attack from [PRB10], the current consumption j (t), j (t ') is measured and normalized at two points in time t, t' j (T), j (T '). The correlation between the product j (T) · j (T ') and the Hamming weight of the value x ⊕ x '= S [p ⊕ k] ⊕ S [p' ⊕ k '] is calculated for each possible key pair k, k' and each pair of times t, t 'thereto. For the right key, there is a correlation curve like the one in 1a shown, with the significant rash at a time. The computational effort for the second-order attack from [PRB10] increases quadratically with the number of times and keys to be taken into account and is therefore significant.

In the German patent application DE 10 2012 018 924.9 Applicant of the present application is provided an internally "extended masking" method for performing cryptographic computation using a cryptographic key that is protected against spying the key via side channel attacks, in particular higher order DPA attacks, such that key spying is prevented or is at least severely hampered, and that is at the same time efficient.

This in 10 2012 018 924.9 specified method has in principle the structure of a combination of a base masking - z. XOR masking and 00 / FF masking applied to a cryptographic computation to protect secret data from being spied out. The mask according to the invention is also called internal masking by the applicant.

The procedure off 10 2012 018 924.9 is adapted for execution in a processor (eg, microprocessor, CPU, crypto-coprocessor, crypto-accelerator) adapted to perform a cryptographic computation in which output data is obtained from input data using a cryptographic key and via the generation of intermediate values be generated. An example of such a cryptographic calculation is the AES. In carrying out the calculation, a base masking is applied by which at least some, preferably all, intermediate values are included as masked intermediate values in the calculation. The method is characterized in that, when performing the calculation, secondary secondary masking is additionally applied, wherein for each intermediate masked by the basic masking, the one's complement of the masked intermediate value is formed, the masked intermediate value or the one's complement of the masked intermediate value is provided, and the calculation is randomized is performed with either the masked intermediate value or the one's complement of the masked intermediate value.

As described above, z. By reference to [PRB10], spying on the secret key of an XOR-masked cryptographic computation is possible with a second order DPA attack, in which the power consumption j (t), j (t ') at two times t, t' , ie when two different calculation steps within the calculation, measured and evaluated. At [PRB10] are considered Calculation steps within the calculation realized by table accesses. The weak point exploited in the attack is that the same table is used at both times. According to the invention, in addition to the basic masking (eg XOR), the secondary masking is used, according to which either the intermediate value or the one's complement of the intermediate value is calculated randomly. As a result, calculation steps at different points in time in the course of the calculation, which would be similar in the case of pure XOR masking, are made randomly differentiated. For a partial calculation (computation step) realized as a table access, this means that different tables are randomly used within the calculation for the different partial computations-or equally different times. A statistical evaluation of the power consumption j (t), j (t ') at two (or more) times t, t' thus provides, as the Applicant could confirm experimentally, no information about the secret key used in the calculation. In particular, correlation curves like those in 1 showed even with the use of the right key the more or less uniform noise (see. 1b ), which arises when using a wrong key, but not the prominent rash ( 1a ), the z. B. with XOR masking and the correct key can be seen.

In contrast to the conceivable method of calculating a new XOR table with a new XOR mask for each table call in the case of XOR masking, in the case of the extended masking according to the invention only at the beginning of the calculation the table for table access must be extended by one or more complementary XOR tables. Tables are extended (hence the term extended masking). For subsequent table calls, the pre-calculated extended table can be used without recalculation for each table access. For other partial calculations (calculation steps) as table accesses, eg. B. calculations according to a calculation rule (operation), in AES z. As the shift operations "Shift Row" or "Mix Column", it behaves analogously. At the beginning of the calculation, the operation (calculation rule) is masked with the base masking and at least one complementary masked operation is formed. The partial calculations within the calculation are calculated using the previously calculated masked and complementary masked operations. Thus, the extended masking is safe and at the same time efficient.

Therefore, according to 10 2012 018 924.9 a method is provided for performing a cryptographic computation using a cryptographic key that is protected against spying on the key via side channel attacks, in particular higher order DPA attacks, such that key spying is prevented or at least severely hampered, and at the same time efficient.

A disadvantage of the method according to. 10 2012 018 924.9 is that the memory requirement is increased compared to a simple masking. Especially in a table access, which in practice regularly in the (volatile) memory z. B. RAM, the memory requirement in the (volatile) memory z. B. RAM increases. The present invention is based on the object of the method 10 2012 018 924.9 memory-efficient, preferably with savings in (volatile) memory z. B. RAM.

The document DE 10 2004 032 893 A1 describes a method for spy-protected calculation of a masked result value from a masked input value according to a predetermined mapping, which is provided in the form of a table. In the method, a masked table with a plurality of entries is first calculated in a first step, wherein for calculating at least some entries of the masked table, the predetermined mapping is evaluated in at least two places and the resulting result values, eg. For example, T (q1) and T (q2) will be used to calculate the entry of the masked table. Subsequently, in a second step, the masked result value is calculated using the masked table and the predetermined mapping. In the first step, the image is evaluated in at least two places to calculate a single table entry, the table is folded (this does not mean the mathematical operation also called "convolution") and can thereby save memory.

The invention in the present application is based on the object, which in 10 2012 018 924.9 to modify the specified method so that the storage requirements compared to the solution in 102012018924.9 is reduced. Preferably, the solution should be modified so that in the improved masking according to 102012018924.9 the memory requirement compared to a conventional masking such. B. XOR masking is not increased.

The inventive method according to claim 1 is in the preamble of a so-called "extended masking" according to 10 2012 018 924.9 A1 out. According to the extended masking, on the one hand, a base masking, for. B. XOR applied, and on the other hand additionally applied a secondary masking. Secondary masking causes each to be masked by basic masking (eg XOR) masked intermediate value (for example by random bit b) the calculation (eg AES) is carried out either with the masked intermediate value or with the one's complement of the masked intermediate value. The method according to the invention is characterized in that a further step of folding is performed on the calculation, which causes at least some intermediate values masked with the base masking to be provided as folded masked intermediate values, the folded masked intermediate value using the base-masked intermediate value and at least one further second intermediate value, wherein the second intermediate value is derived from the base-masked intermediate value using a convolution distance. The secondary masking is applied to the folded masked intermediate value, so that the calculation is carried out either randomly with the folded masked intermediate value or with the one-complement associated with the folded masked intermediate value. Thus, a value is first basismasked, processed by folding, and finally secondary masked. The masked intermediate value or the one's complement associated with the masked intermediate value is further computed, if necessary, using a correction element that is entered by the convolution distance. Random access to either the intermediate value or the one's complement of the intermediate value is then performed on intermediate values generated with base masking and the additional step of folding.

In other words, to generate a single intermediate value masked with wrinkles and the base mask, base-masked intermediate values at two or more locations are evaluated. This corresponds to a folding of the calculation carried out so that at least two intermediate values come to lie in the same place. This allows you to store two (single folding) or more (multiple folding) intermediate values in a single memory location. The required storage space is therefore reduced. The interfolded and base masked intermediate values are also analogous as in 10 2012 018 924.9 indicated extended masked. The correction element may be required, for. B. only if the one-complement is calculated in order to compensate for the influence of folding on the calculation result.

Thus, according to claim 1, a memory-saving modification of the in 10 2012 018 924.9 specified method created.

Optionally, only one of the folded masked intermediate value and the one's complement of the convolved masked intermediate value is computed using a correction term, since only at either the intermediate value or the one's complement is a correction term required, e.g. B. only in the one's complement.

As a calculation either encryption, decryption, signature generation or signature verification is provided, optionally according to a predetermined algorithm such. Eg AES.

Optionally, a simple or multiple XOR masking, or a disassembly masking, or a series connection of two or more of the aforementioned base masks is provided as basic masking.

Optionally, according to claim 3, the computation comprises a partial computation, by which an intermediate value can be generated from an input value by performing a table access to a table which has a plurality of table entries. In accordance with claim 3, in order to carry out the calculation or at least the partial calculation, the table with the basic masking is masked to form a masked table. The sub-calculation is performed by performing a table access. In table access, as in DE 10 2012 018 924.9 , a secondary masking is applied, wherein the secondary masking of a table causes a table access to the table to be performed randomly on either the table itself or the or a complementary table to the table. So far, the table access corresponds to an expanded masked table. The method of claim 3 further characterized in that a step of folding is performed, wherein the table already masked with the base mask is convoluted into a folded masked table, wherein, for at least some table entries of the folded masked table, the table entry using a basestocked input value of the table and at least one further base masked second input value of the table, the second input value being derived from the unmasked input value using a convolution distance. The folded masked table is finally filled with the (without folding in DE 10 2012 018 924.9 described), so that the table access is performed randomly on either the folded masked table itself or on the or a complementary table to the folded masked table. If desired, the one-folded masked entry or the one-complement mask associated with the folded-masked table entry is further subordinated Using a correction term and / or a correction table calculated, wherein the folding date in the correction term and in the correction table.

Thus, in the folded base-masked table, at least some of the table entries, preferably and unless contradicted, generate all the table entries with a folding step, folding the table one or more times such that two or more input values are stored one upon the other. For example, if all the table entries are created by stacking two input values, the table takes up only half as much space as it does without folding. On the other hand, an extended masked table, which includes a single original table and a single complementary table, requires twice as much space as a base-masked corresponding table. In this contouring-simple folding of the table, so that always two input values are included in each table entry, and extended masking with a single complementary table-the folding thus compensates exactly for the increase in memory demand generated by the extended masking. The memory requirement is thus exactly that of a basic-masked table only (eg masked with an XOR mask).

The folded and extended masking according to the invention is particularly advantageous for sub-calculations formed by table calls. Especially with a table call, a recalculation of the table would mean a considerable additional computation effort for each table call. In AES, the relatively complex non-linear S-box operation is realized as a table call. Due to the extended masking, depending on the embodiment, twice to four times as much table memory is required as with a base masked only - eg. B. XOR masked table. By folding the table, the additional requirement for storage in the advantageous case is completely or at least partially canceled (see above paragraph). Other, comparatively simple partial calculations such. Shift Row or Mix Column are formed by directly implemented operations. For these directly implemented simple operations, it can be justifiable from the computational effort to newly mask each sub-computation. Thus, the invention is optionally implemented such that table calls are masked with the folded expanded mask of the invention and directly implemented operations with another, e.g. B. stronger but more elaborate masking are masked. Optionally, complex partial calculations - such. B. S-box operations at the AES - masked with the folded extended masking, and are relatively simple sub-calculations - z. B. Shift Row or Mix Column - by another, z. B. stronger but more complex masking masked, z. B. Remapping at each sub-calculation (calculation step). Alternatively, the entire calculation can also be folded and expanded masked. Partial calculations between table calls should at least not be less masked than table calls.

Optionally, the correction table is masked with a secondary mask, i. H. expanded by (a) complementary table / (n).

The random accessing of either the folded masked table or the folded masked complementary table is optionally performed by expanding the input value to produce the intermediate value by a table selection section which defines the table being accessed , The length of the table selection section is chosen to match the one or more complementary tables. If a single complementary table is calculated, the table selection section is preferably one bit ("selection bit") long. If three complementary tables are calculated, the table selection section is preferably two bits long. Optionally, the bits may either be consecutive (eg aa) or interspersed between the bits of the table input (eg xax; axax ;, etc, see figures).

Optionally, the correction table also has a table selection section that defines the correction table that is being accessed. The table selection section of the actual table and the table selection section of the correction table may be preferably independent of one another. For example, a random bit is thus defined for the table and the correction table.

The table optionally has a table input and a table output, and exactly computes a masked complementary table in which both the table input and the table output are complemented by complementing the positions of the table entries in the table (complementing the input) and the values of the table entries in the table are complemented (complementation of the output).

• – bei einer ersten gefaltet maskierten Komplementär-Tabelle nur der Tabelleneingang komplementiert ist, indem die Positionen der Tabelleneinträge in der gefaltet maskierten Tabelle komplementiert sind,
• – bei einer zweiten gefaltet maskierten Komplementär-Tabelle nur der Tabellenausgang komplementiert ist, indem die Werte der Tabelleneinträge in der gefaltet maskierten Tabelle komplementiert sind, und
• – bei einer dritten gefaltet maskierten Komplementär-Tabelle sowohl der Tabelleneingang als auch der Tabellenausgang komplementiert sind, indem sowohl die Positionen als auch die Werte der Tabelleneinträge in der gefaltet basismaskierten Tabelle komplementiert sind.

Alternatively, alternatively, the table has a table input and a table output, and where three masked complementary tables are calculated, where

• In a first folded masked complementary table, only the table input is complemented by the positions of the table entries in the folded masked table being complemented,
• In a second folded masked complementary table, only the table output is complemented by the values of the table entries in the folded masked table being complemented, and
• In the case of a third folded masked complementary table, both the table input and the table output are complemented by complementing both the positions and the values of the table entries in the folded base-masked table.

Optionally, the folded masked table and the at least one (eg, one or alternatively three) complementary table (s) are entered into a single extended table containing the table entries of the folded masked table and the at least one complementary table in a predetermined one Arrangement contains. The arrangement of the table entries can z. B. in a row (see, for. 11 ), or alternatively checkered alternating (starting from the tables 11 checkerboard-like scrambling of the table entries, possibly with appropriate design of the table selection sections).

Optionally, the processor is assigned a non-volatile memory (eg, ROM, EEPROM, ...) and a volatile random access memory (eg RAM), the table being stored in non-volatile memory, and the folded masked table and the at least one folded masked complementary table to be calculated in volatile memory. For example, at AES, the original, unmasked S-boxes are stored in non-volatile memory. The folded masked table and its complementary table (s) are calculated and stored in volatile memory. In particular, preferably at the beginning of the calculation (eg AES) the tables (eg S-boxes) are loaded from the non-volatile memory into the volatile memory, in the volatile memory the folded-masked table is loaded (eg. 12 and their complementary tables) (this leads, for example, to 13 . 14 or 15 ) and in the further course of the calculation (eg AES) one and the same RAM tables calculated at the beginning of the calculation (AES) (masked table and its complementary table (s)) are always used. For a new pass of the calculation (eg AES), e.g. As new encryption, decryption, signature calculation, signature verification, new RAM tables (the folded masked table and its complementary table (s)) are calculated.

The folding is done here on tables, which are usually produced in the rather scarce (volatile) memory (eg RAM). Thus, the scarce main memory (eg RAM) is used sparingly. The fact that a correction table must additionally be maintained does not affect the saving in the working memory, since the correction table is preferably stored in non-volatile memory (eg ROM).

• – die gefaltet maskierte Tabelle und mindestens eine Komplementär-Tabelle für eine Mehrzahl von Tabellenzugriffen auf die Tabelle verwendet werden, wahlweise für zumindest eine gesamte Durchführung der kryptographischen Berechnung (z. B. ein Durchlauf des AES), und
• – innerhalb der Mehrzahl von Tabellenzugriffen zumindest einmal, vorzugsweise für jeden Tabellenzugriff, neu zufallsgesteuert festgelegt wird, dass die Berechnung bzw. Teilberechnung entweder mit dem gefaltet maskierten Zwischenwert oder mit dem Einerkomplement des gefaltet maskierten Zwischenwerts durchgeführt wird, und die Berechnung bzw. Teilberechnung entsprechend dem Festlegen durchgeführt wird.

According to one embodiment, a method is given, wherein

• The folded masked table and at least one complementary table are used for a plurality of table accesses to the table, optionally for at least one entire execution of the cryptographic calculation (eg a pass of the AES), and
• Within the plurality of table accesses, at least once, preferably for each table access, it is newly randomly determined that the calculation or partial calculation is performed either with the folded masked intermediate value or with the one's complement of the folded masked intermediate value, and the calculation or partial calculation according to FIG Set is performed.

In particular, optionally at the beginning of the calculation (eg AES) a folded masked table (eg S-box) and starting from the folded masked table at least one (eg exactly one or exactly three) complementary table (n) calculated, z. In RAM. The rest of the calculation (eg, AES) uses the precalculated and complementary tables (eg, RAM). Previously, if necessary, the unmasked table is loaded from the non-volatile memory (eg ROM). Depending on the individual case, a RAM table generated in this way may also be used for several AES passes. Otherwise, the RAM table is recalculated before each AES pass.

• – entweder einen maskierten Tabelleneingang hat,
• – oder einen maskierten Tabellenausgang hat,
• – oder einen maskierten Tabelleneingang und einen maskierten Tabellenausgang hat, wobei weiter der Tabelleneingang und der Tabellenausgang entweder mit der gleichen Basismaskierung maskiert sind oder mit unterschiedlichen Basismaskierungen maskiert sind.

Optionally, the table has a table input and a table output, and where the masked table

• - either has a masked table input,
• - or has a masked table output,
• - or has a masked table input and a masked table output, further wherein the table input and the table output are either masked with the same base masking or are masked with different base masks.

The separate masking of table input and table output specified here represents a series connection of the two mappings of table input and table output.

In the following the invention will be explained in more detail with reference to exemplary embodiments and with reference to the drawing, in which:

1 Correlation curves for DPA 2nd order a) with XOR masking b) with extended masking according to the invention;

2 a partial calculation in AES comprising a table access suitable for the extended and folded masking according to the invention;

3 Calculation rules for base masking of an intermediate value to a masked intermediate value according to XOR masking and additive masking;

4 a table in unmasked form (original table);

5 a complemented table to the table 4 where only the table input is complemented (inverted);

6 a complemented table to the table 4 where only the table output is complemented;

7 a complemented table to the table 4 wherein the table input and the table output are complemented;

8th one, starting from the table 4 , XOR-randomized table, with input mask 31 and output mask 00;

9 one, starting from the table 4 , XOR-randomized table, with input mask 00 and output mask 02;

10 one, starting from the table 4 , XOR randomized table, with input mask 31 and output mask 02;

11 one, starting from the XOR randomized table 10 , simply extended table, with a single complementary table;

12 one, starting from the table 10 folded table with folding distance 12;

13 one, starting from the folded table 12 , simply extended table, with selection bit at the top binary bit position, according to an embodiment of the invention;

14 one, starting from the folded table 12 , simply extended table, with selection bit at the lowest binary bit position, according to another embodiment of the invention;

15 one, starting from the folded table 12 , two-times extended table, with selection bit at the two uppermost binary bit positions, according to another embodiment of the invention.

1 Figure 9 shows correlation curves for a second order DPA attack on a table access in AES a) in XOR masking and b) in extended masking according to embodiments of the invention. The table is an AES S-Box. The correlation curve off 1a was determined with a second-order DPA attack on a table access in the AES when performing table access with the correct key. The table is XOR masked. The significant peak indicates that the correct key k was used. If the table access was performed with an incorrect key k, the peak is missing, similar to 1b , 1b shows a correlation curve obtained from a second-order DPA attack on the same table access in the AES's history as the curve 1a , In contrast to 1a is at 1b the table, in addition to the base XOR masking masked with the secondary masking of the invention. Memory-efficient secondary masking is accomplished by using the XOR-masked table, the 1a is initially folded, and expanded to a simply extended table that is, the folded XOR-masked table (first the table was XOR masked, then it was folded) and the complement table to the folded XOR-masked table. The table access is performed on the extended folded XOR-masked table. In this case, either the folded XOR-masked table or the complementary table is randomly accessed within the extended folded XOR-masked table. When performing table access to the extended table with the correct key, the correlation is missing 1b compared to the correlation of the base-masked table only 1a the prominent peak indicating the presence of the correct key. Thus, with the simple expanded table instead of a merely XOR-masked table, table accesses with the correct key are indistinguishable from table accesses with wrong keys.

Table accesses to a two-extended table, which includes the base masked table and three complementary tables, provide similar correlation curves to those in FIG 1b shown. Even if the table is extended twice, table accesses with the correct key k are indistinguishable from table accesses with a wrong key. In the case of the three complementary tables, only the table input is complemented from the folded base-masked table; only the table output is complemented, or the table input and the table output are complemented.

2 shows a partial calculation from an AES encryption, in which a table access to a table S (S-box, AES substitution table) is performed. The table access 2 is suitable for being masked by the method according to the invention. In 2 Two tables S in the AES are shown, which are applied at different places in the algorithm AES, here in more detail in different rounds of the AES. The two tables S are in 2 with the same symbols p, k, x, y for plaintext p, key k, input value x of the table S and output value y of the table S, to indicate that the arithmetic operation due to the table S is the same for the two tables S. The values of plaintext p, key k, input value x and output value y are usually different for each table S.

3 shows calculation rules for base masking of an intermediate value to a masked intermediate value with XOR masking and additive masking. The calculation rule for masking x with an XOR base masking to x _XOR is x → x _XOR = x ⊕ r. The calculation rule for masking x with an additive base masking to x _add is x → x _add = x + r mod 2 ⁿ . The calculation rule for masking x with an affine base masking at x _α is x → x _α = α · x ⊕ r, will not be considered further here. In the context of the masking according to the invention with folding and widening, the affine masking is of subordinate importance, since folding is very inefficient in affine masked tables.

The example calculations 4 - 11 show tables S, whose table entries are generated without convolution of input values, and if it is expanded masked ( 11 ), so according to the solution 10 2012 018 924.9 , 12 and 13 show folded tables. The table generated only with pleats - and without extension masking (secondary masking) 12 is in principle the solution DE 10 2004 032 893 A1 , Tables without convolution are basically designated by the symbol S, if necessary with additions such as "'" or "-" etc. to indicate the degree of masking. A folded and expanded masked table is generally designated T. In principle, a table S = T is used as in 2 specified. In particular, the same function is implemented by the table T through the table S, for example an S-box according to FIG 2 , To avoid confusion with between non-convolved tables S and convolved tables T, tables with input values convolved to produce a table entry are generally denoted by T, tables without convolution, or tables in general, by S.

4 shows a table S in unmasked form (original table), z. For example, an AES-S box. The table is shown in the quad system with base 4. Thus, each bit can take the four values 0, 1, 2, 3. For a table access at the AES according to 2 , with a table according to 4 , is formed by the concatenation of column index and row index of the table input x = xx. The value in the table at the location specified by column index and row index is the table output y = yy. In 4 is an example of a table access with table input xx = 12 and table output yy = 11 drawn in (intersection of the two ellipses).

5 shows a complemented table S to the table S from 4 , where only the table input x is complemented. The table input x is complemented by the fact that the positions of the table entries are complemented. For example, the entry to the index is x = xx = 00 4 in 5 to the index x = 33 moved the entry to the index x = 12 at the index x = 21, etc .. The example 4 becomes with the masking off 5 to a table access with table input xx = 21 and table output yy = 11 (intersection of the two ellipses).

6 shows a complemented table S to the table S from 4 , where only the table output y = yy is complemented to y , The table output y is complemented by the fact that the value of the table entry is complemented. For example, the table output value y = 11 at index x = 12 is off 4 in 6 to a table output value y = 22 complements, and remains in the same place. The example table access results with the masking 6 Table input x = 12 and table output y = 22 (Circle).

7 shows a complemented table S to the table S from 4 , where the table input x and the table output y are complemented. Starting from 5 is z. For example, the table entry that is in 5 from the input value x = 21 to the output value y = 11 leads to an output value y = 22 complemented. Starting from 6 is the initial value y = 22 from 6 from the index x = 12 to the index x = 21 shifted, ie in addition, the input value x is complemented to x , The table access 4 is in the masking of 7 thus for table access with table input x = 21 and table output y = 22 (Circle).

8th - 12 show starting from the table 4 randomized (= masked) tables S ', S ", with XOR masking as base masking. Each input value x of the tables in 8th - 12 is thus masked according to the calculation rule x → X _XOR = x ⊕ r to X _XOR .

8th shows an XOR randomized table S ', with input mask 31 and output mask 00, ie only the table input x is masked, namely with XOR mask 31, and the table output y is unmasked (XOR mask 00, which is equivalent to no masking) , Starting from the table S from 4 this gives input 23 and output 11 (circle).

9 shows an XOR randomized table S ', with input mask 00 and output mask 02, ie only the table output is masked, namely with XOR mask 02, and the table input is unmasked (XOR mask 00). Starting from the table 4 this gives input 12 and output 13.

10 shows an XOR randomized table S ', with input mask 31 and output mask 02. 10 shows a mask masked with XOR masking as base masking, which is used as the basis for generating single and double (twice) extended masked tables ( 11 . 12 ) serves. Starting from the table 4 this results in a table access with input value x _XOR = 23 and output value y _XOR = 13.

= axx = 123 und Tabellenausgang yy = 31 (untere Tabellenhälfte, Auswahlbit im Tabelleneingang 123 hat den Wert 1) durchgeführt wird, ist dabei zufallsgesteuert. 11 shows a simply extended XOR-randomized (= XOR-masked) table S '' (simple: extension only in one direction of the table, here to the right), with input mask 31 and output mask 02. In the extended table are the uncomplemented XOR basis -masked table S '(= table off 10 ) and a complementary table S 'to the XOR base masked table. The complementary table S ' is formed by that in the base-masked table S ' out 10 the table input x and the table output y are complemented. The second bit (column index) of the table input x is extended by a preceding selection bit a (= table selection section). Table inputs x are thus in the table 11 the form axx, table outputs y unchanged the form yy. The form axx is given as an example and may alternatively also be xax or xxa. The entries for the row indexes 00, 01, 02, 03 (top), in which the selection bit a in the table input value axx has the value zero (0), belong to the uncomplemented table masked only with the basic masking 10 ). The entries for the row indexes 10, 11, 12, 13 (above), in which the selection bit a in the table input value axx has the value one (1) belong to the complementary table. The sample table access 4 will be off in the extended mask S " 11 to a table access with table input axx = 023 and table exit yy = 13 or table input axx = 123 and table exit yy = 31. Whether the table access has either table entry x _XOR = axx = 023 and table exit yy = 13 (upper table half, selection bit in table entry 023) the value 0) or table input

= axx = 123 and table output yy = 31 (lower half of the table, selection bit in table input 123 has the value 1) is random.

The use of a simply extended table is explained below by means of 2 and 11 explained. In an AES crypto coprocessor, an AES calculation (optionally encryption, decryption, signature generation or signature verification) is started, in 2 an example of encryption. AES comprises several rounds R = 1, 2, .... In each round R, a partial computation is performed in which a plaintext byte p with a key byte k becomes corrupted (p ⊕ k), the result of the corruption into a (substitution) table S (S-box) is used and this is calculated by a table access to the table S an intermediate value x = S [p ⊕ k] is calculated.

According to one embodiment of the extended masking, the table S in FIG 2 one according to 11 simply extended table S '' used. The input value x is extended by one bit as a table selection section a. The input value x is thus x = αx ₁ x ₀ , in 11 For example, x = 023 if the non-complemented table S 'is accessed, with output value y = 13 (as in FIG 10 ), and x = 110 if on the complemented table S ' is accessed in S '', with output value y = 22.

12 shows one, starting from the table S 'from 10 , folded XOR-randomized table T, with input mask i = 31, output mask o = 02 and convolution distance d = 12. Circled is the table entry on which the table access takes place. Base is 4. Starting from the table 10 the table entry at the position (= at the input value) 23 is merged with the table entry at the position 23 xor 12 = 31. Ie. the table S 'is folded to the table T so that the table entries at the points 23 and 31 come to lie on each other. The convolution distance (at base 4) d = 12 (decimal 6) has the binary representation 0110. If we isolate in the (binary) convolution distance d the lowest bit, which is equal to 1, we get 0010. As said, the entries are at the positions 23 (= binary 0111) and 31 (= binary 1101) combined. For the folded table T we have to select the input value which is 0 at the position 0010, ie the input value 31 (= binary 1101). For the folded table T we have to delete the 0 at the position 0010, so we have as input value binary 111 (= 13 in the quad system). Therefore, the table access takes place in the table T 12 to the table output value 11 to the table input value 13 (circled).

Now we can check the value 11 there. The only randomized table S 'off 10 has at positions 23 and 31 the values 13 and 00, which gives xx = 13 13 xx. Since the original mask o = 02 is lifted out again by the Verxoren, we have to rewrite it once again and thus get 13 xor 02 = 11.

13 shows a, starting from the folded table T from 12 , simply extended table T ', with select bit at the top binary bit location, according to an embodiment of the invention. Overall, the table T 'is off 13 thus XOR-randomized, with input mask i = 31 and output mask o = 02, folded with convolution distance d = 12 and simply extended, with selection bit at the uppermost binary bit position (first column, first digit). The lower half of the table T 'off 13 has inverted output values in reverse order. The marked input value 13 from table T 12 is used to generate the table T ' 13 inverted to the input value 20. At the position 20 of the table T ' 13 is just the compared to the 13th place 12 inverted value 22.

14 shows one starting from the folded table 12 , simply extended table T ', with selection bit at the lowest binary bit position, according to a preferred embodiment of the invention. The table 14 obtained from table 13 by alternating an entry from the top and from the bottom half of the table 13 selects (line by line). Therefore, the first, circled, value 22 appears in the second half of the table 13 the second value in the table 14 on, and according to the last, circled, value 11 of the upper half of table 13 as penultimate value of the table 14 ,

15 shows one starting from the folded table 12 , two times extended table, with two select bits, one at the top binary bit position (as in 13 ), as well as one at the second uppermost bit position. The selection bit at the top bin (as in 13 ) decides whether the table output is inverted or not. The selection bit at the second highest binary location decides whether the table input is inverted or not.

In the following, a preferred embodiment is set forth to generate a folded and expanded masked table T 'and a correction table T ^ and perform a table access to a table entry in the table T' comprising correction of the table entry by means of the correction table T ^. As T 'z. For example, the one table like the one out 13 or 14 be provided. This is based on the principle of a table S as in 2 and 4 - 12 specified. In particular, the same function is implemented by the unmasked table S as by the table S. For example, S is an S-box in the AES according to 2 , Each of the tables T 'and T ^ has the structure of an extended table, that is to say

In the non-volatile memory (preferably) ROM, the following correction table T ^ is stored, where x >> i is for a right shift of x by i digits in binary representation, and an override for one's complement formation.

A folded and expanded masked table T 'is generated in the main memory RAM. XOR masking is used as base masking, with a table input mask i and a table output mask o. On the occasion of each calculation of a table T 'in the main memory RAM, a folding distance d ≠ 0 is set at random. As an unmasked input for a table call on table T ', x is used, e.g. B. x = p ⊕ k according to 2 , For the masking of the table input with the mask i, a first random bit b is set, which, just like the random distance d, is again randomly set for each calculation of a table T 'in the main memory RAM. The extended XOR-masked table input value x 'is the same

The RAM table T 'formed from the masked table input value x' is defined as, with the convolution function f _d ,

The convolution function f _d (not meant hereby the mathematical operation of convolution) is formed in the following two steps. Where "&" denotes the bitwise AND. The random distance d in binary representation is represented by a sequence of 1-bits and 0-bits. The bit length of the convolution distance d is generally equal to the bit length of the input value x. For a particular value of the random distance d, at any given bit position in d, the lowest 1-bit z of d appears, ie the lowest bit which is one, and all even lower bits are zero. The lowest 1-bit is equal to z = d & (- d). At the bit position of the lowest 1-bit of the random distance d, only either the base-masked input value x 'or the convolutional partner to the base-masked input value x' ⊕ d has a 1-bit, ie only in either x 'or x' ⊕ d lowest 1-bit z of d (set to the value 1).

In the first step of forming the convolution function f _d , the value of x 'and x' ⊕ d is selected which has a zero at the bit position of the lowest 1-bit of the random distance d and defined as x ''.

In the second step, the zero, which is at the bit position of the lowest 1-bit of the random distance d, is deleted from the base-masked input value x '(the input value x' is still in binary representation). By deleting the zero, x '' is converted into the value of the convolution function f _d (x ') at the position x': f _d (x '): = (x''+(x''& m)) >> 1, where m = - (x'& z)

For all d ≠ 0, the convolution function f _d (x ') shortens its argument x' by one bit and is surjective. Therefore, the table T 'is well defined.

gilt, muss im Fall b = 1 der Term f_d(z) zur Korrektur des Eingangswerts x' der RAM Tabelle verwendet werden.There instead

is true, in case b = 1, the term f _d (z) must be used to correct the input value x 'of the RAM table.

• 1. Berechne den Index u = x' ⊕ d für die ROM Korrekturtabelle T ^
• 2. Für ein Zufallsbit b' (b', b unabhängig) maskiere den Index u um zu
  
• 3. Berechne den Index ν = f_d(x') für die RAM Tabelle T'
• 4. Berechne die Korrektur
  
• 5. Korrigiere den Index ν zu ν' = ν ⊕ c
• 6. Werte die ROM Korrekturtabelle T aus mittels y₀ = T ^[(u' << 1) + (b ⊕ b')]
• 7. Werte die RAM Tabelle T' (d. h. z. B. die AES S-Box) aus mittels y₁ = T'[(ν' << 1) + b]
• 8. Kombiniere die ausgelesenen Tabellenwerte y₀ der Korrekturtabelle und y₁ der Tabelle (z. B. AES S-Box) zum Ergebnis des Tabellenzugriffs (= Tabellen-Ausgangswert) y' = y₀ ⊕ y₁

Overall, in the present embodiment, an expanded masked table call with folded table consists of the following steps.

• 1. Compute the index u = x '⊕ d for the ROM correction table T ^
• 2. For a random bit b '(b', b independent) mask the index u to
  
• 3. Compute the index ν = f _d (x ') for the RAM table T'
• 4. Calculate the correction
  
• 5. Correct the index ν to ν '= ν ⊕ c
• 6. Read out the ROM correction table T using y ₀ = T ^ [(u '<< 1) + (b ⊕ b')]
• 7. Evaluate the RAM table T '(ie eg the AES S-Box) by means of y ₁ = T '[(ν'<< 1) + b]
• 8. Combine the read table values y _{0 of} the correction table and y _{1 of} the table (eg AES S-Box) to the result of the table access (= table output value) y '= y ₀ ⊕ y ₁

By construction, the result y 'of the table access to the table T' is the value masked with the XOR mask o and extended mask bit b 'to the unmasked value y = T [x]:

The calculation shows that the specified algorithm is functionally correct. The security against DPA 2nd order can be verified by careful analysis of the individual steps and has been practically verified by an implementation on a smart card.

In the above embodiment, it was signaled by a table selection section, specifically by means of an additionally supplemented at the lowest point bits, whether an additional complementation of the (base) masked value is given (bit = 1) or not (bit = 0). This bit does not have to be at the bottom, but can also be somewhere else. If the bit of the table selection section is inserted elsewhere, the formulas for the tables and the calculation of the indices (u, v) change accordingly. In addition, the coding can also be reversed, ie bit = 1 is without additional complementation and bit = 0 is with additional complementation. In general, the information for the table selection section is kept separate from the masked data and only the implementation of a table call is inserted. Optionally, instead of the simple extension provided in the exemplary embodiment (corresponding to FIG 13 . 14 ) provided a double extension (corresponding to 15 ).

Cited prior art:

• 1) DE 198 22217 A1 ;
• 2) EP 2 302 552 A1 ;
• 3) DE 10 2012 018 924.9
• 4) DE 10 2004 032 893 A1
• 5) [PRB10] E. Prouff, M. Rivain, R. Bévan: Statistical Analysis of Second Order Differential Power Analysis, http://eprint.iacr.org/2010/646.pdf, IEEE Transactions on Computers 58, p. 799,811, 2009 ;

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• DE 19822217 A1 [0013, 0096]
• DE 102012018924 [0016, 0017, 0018, 0021, 0022, 0022, 0024, 0026, 0027, 0031, 0031, 0066, 0096]
• DE 102004032893 A1 [0023, 0066, 0096]
• DE 102012018924 A1 [0025]
• EP 2302552 A1 [0096]

Cited non-patent literature

• E. Prouff, M. Rivain, R. Bévan: Statistical Analysis of Second Order Differential Power Analysis, http://eprint.iacr.org/2010/646.pdf, IEEE Transactions on Computers 58, p. 799,811, 2009 [0096 ]

Claims (12)

Method, in a processor, for carrying out a cryptographic calculation (AES), in which output data (C) are generated from input data (P) using a cryptographic key (K) and via the generation of intermediate values (x, y) performing the calculation (AES) a base masking (XOR) is applied, by which at least some, preferably all, intermediate values (x, y, ...) are masked intermediate values (x _XOR , y _XOR , ...) in the calculation In addition, when carrying out the calculation (AES) a secondary masking (00 / FF) is applied which is set up so that, for each intermediate value (x _XOR ) masked with the secondary masking, it is effected randomly (random bit b) calculating (AES) either to the intermediate value (x _XOR) or with the complement (x _XOR) of the intermediate value (x _XOR) is performed, characterized in that, - in the calculation (AES), a step of folding ens that causes at least some intermediate masked intermediate masking values to be provided as folded intermediate masked values (x _XOR ), the intermediate masked masked value (x _XOR ) using the base masked intermediate value (x) and at least one further base masked one Second intermediate value (x ⊕ d) is calculated, wherein the intermediate intermediate value (x ⊕ d) is derived from the intermediate value (x) using a convolution distance (d), - applied to the folded masked intermediate value (x _XOR ), the secondary masking is such that randomly calculating either the folded masked intermediate value (x _XOR) or by the folded masked intermediate value (x _XOR) associated complement (x _XOR) is performed, and - if necessary, the folded masked intermediate value (x _XOR) or for folded masked intermediate value (x _XOR ) corresponding one's complement ( x _XOR ) is further calculated using a correction element (T ^; T ^, c) into which the folding distance (d) is received. The method of claim 1, wherein as the base masking a single or multiple XOR masking, or a Zerlegungsmaskierung, or a series connection of two or more of the aforementioned base masks is provided. Method according to claim 1 or 2, wherein the calculation (AES) comprises a partial calculation by which from an input value (x = p ⊕ k) performing a table access to a table (S) having a plurality of table entries (y), an intermediate value (y = S [x]) can be generated, wherein to perform the calculation or at least the partial calculation, the table (S) with the basic masking (XOR) is masked to a masked table (S '), wherein the masked table (S ') is complemented, whereby at least one masked complementary table ( S ') wherein the subcomputation is performed by performing a table access, wherein in the table access - a secondary masking (00 / FF) is applied, wherein the secondary masking of a masked table (S ') causes a table access to the masked table (S ') randomized to either the masked table (S') itself or the masked complementary table ( S ') to the masked table (S '), further characterized in that the masked table (S') is convoluted into a folded masked table (T '), wherein for at least some of the table entries (y') of the folded masked table (T ') ), The table entry (y ') is calculated using a base masked input value (x = p ⊕ k) of the table (S) and at least one further base masked second input value (x ⊕ d) of the table (S), wherein the second Input value (x ⊕ d) is derived from the input value (x = p ⊕ k) using a convolution distance (d), - the folded masked table (T ') is masked with the secondary mask, so that the table access is randomized to either of the folded masked table (T ') itself or on the or a complementary table ( T ') to the folded masked table (T ') is performed and, if necessary, the folded masked table entry (y') or the one-complement masked table entry (y ') ( y ') is further calculated using a correction term (c) and a correction table (T ^), wherein in the correction term (c) and in the correction table (T ^ ') the folding distance (d) is received. The method of claim 3, wherein the correction table (T ^), analogous to the table (S), is also masked with a base masking (XOR) and a secondary masking (random bit b '). The method of claim 3 or 4, wherein random accessing of either the masked table (T ') or the masked complementary table ( T ') is carried out by expanding the input value (x) for generating the intermediate value (y = S [x]) by a table selection section (a; a ₁ , ... a ₁ ) by which the table is fixed which is accessed. Method according to one of claims 3 to 5, wherein the table (S) has a table input (x) and a table output (y), and wherein exactly one masked complementary table ( S ') in which both the table entry (x) and the table exit (y) are complemented by complementing the positions of the table entries in the table (S) and completing the values of the table entries in the table (S). Method according to one of claims 3 to 5, wherein the table (S) has a table input (x) and a table output (y), and wherein three folded masked complementary tables ( T ') calculated, wherein - in a first folded masked complementary table ( T ') only the table input (x) is complemented by the positions of the table entries in the folded masked table (T ') are complemented, - in a second folded masked complementary table ( T ') only the table output (y) is complemented by the values of the table entries in the masked table (T ') are complemented, and - in a third folded masked complementary table ( T ') both the table input (x) and the table output (y) are complemented by complementing the positions of the table entries in the folded masked table (T ') and complementing the values of the table entries in the folded masked table (T'). Method according to one of claims 3 to 7, wherein the folded masked table (T ') and the at least one complementary table ( T ') to the folded masked table (T ') into a single extended table (T'') containing the table entries of the folded masked table (T') and the at least one complementary table ( T ') in a predetermined arrangement (one behind the other, alternating like a checkerboard; Method according to one of claims 3 to 8, wherein the processor, a non-volatile memory (ROM) and a volatile random access memory (RAM) are assigned, and wherein the table (S) and the correction table (T ^) are stored in non-volatile memory (ROM), and wherein the folded masked table (T ') and the at least one folded masked complementary table ( T ') calculated in volatile random access memory (RAM). Method according to one of claims 3 to 9, wherein - the folded masked table (T ') and at least one complementary table ( T ') are used for a plurality of table accesses to the table (S), optionally for at least one entire execution of the cryptographic calculation (AES), and - within the plurality of table accesses at least once, preferably for each table access, it is newly randomized that the calculation (AES) either with the intermediate masked value (x _XOR ) or with the one's complement ( x _XOR ) of the masked intermediate value (x _XOR ), and the calculation is performed according to the setting. Method according to one of claims 3 to 10, wherein the table (S) has a table input (x) and a table output (y), and wherein the masked table (T ') Either has a masked table input (x), - or has a masked table output (y), Or a masked table input (x) and a masked table output (y), further wherein the table input (x) and the table output (y) are either masked with the same basic mask (XOR) or masked with different base masks (XOR). Method according to one of claims 3 to 11, wherein at least the table input (x) of the masked table (T ') is corrected by means of the correction table.

Images