Abstract:
A device of the Substitution-Box (S-Box) type, which is suitable for operating in a symmetric-key encryption apparatus, in particular an AES (Advanced Encryption Standard) encryption apparatus, and includes at least one module configured for carrying out a non-linear operation in a finite field (GF(2^8)) of an encryption method implemented by the above encryption apparatus, the module including at least one reprogrammable look-up table to, for example, implement countermeasures against side-channel attacks. When no countermeasures are employed, the tables may be set to fixed values, instead of being reprogrammable. The above module includes a plurality of composite look-up tables that implement the non-linear operation in a composite field of finite subfields (GF(2^4)^2; GF((2^2)^2)^2) deriving from the finite field (GF(2^8)), each of the above composite look-up tables being smaller than a look-up table that is able to implement autonomously the non-linear operation in a finite field (GF(2^8)).
Abstract:
Cryptographic circuitry masks sensitive data values. The masking includes extracting unique combinations of random mask values from one or more sets of random mask values. Each sensitive data value is masked using a respective unique combination. The unique combinations have a combination class greater than or equal to a determined integer corresponding to a protection-level against side-channel attacks, and a number of unique combinations greater than or equal to a number of the sensitive data values. A number of random mask values in the one or more sets of random mask values is based on the number of unique combinations and the class of the plurality of unique combinations.
Abstract:
A method performs cryptographic operations on data in a processing device. An iterative operation between a first operand formed by a given number of words and a second operand using a secret key is performed. The iterative operation includes, for each bit of the secret key, applying one of a first set of operations and a second set of operations to the first operand and to the second operand depending on the bit, and conditionally swapping words of the first and the second operand based on a control bit value obtained by applying a logic XOR function to a random bit.
Abstract:
An encryption method includes accessing a look-up table (LUT) to implement countermeasures against side-channel attacks, such as embedding masks. The LUT is initialized by writing initialization values in the LUT by applying an address-mask to input data that identify a location of said LUT and a data-mask to data to be stored at a location of the LUT. The method includes carrying out an initialization of the LUT that includes providing at least one second address-mask and one second data-mask; and computing corresponding initialization values as a function of a logic combination of the aforesaid first address-mask and second address-mask and of a logic combination of the aforesaid first data-mask and second data-mask. In the resulting table the address data are masked only by the second address-mask and the data are masked only by the second data-mask. The structure of the LUT may allow convenient implementation by initializing all the values of the LUT in parallel in one cycle.
Abstract:
A device of the Substitution-Box (S-Box) type, which is suitable for operating in a symmetric-key encryption apparatus, in particular an AES (Advanced Encryption Standard) encryption apparatus, and includes at least one module configured for carrying out a non-linear operation in a finite field (GF(2^8)) of an encryption method implemented by the above encryption apparatus, the module comprising at least one reprogrammable look-up table to, for example, implement countermeasures against side-channel attacks. When no countermeasures are employed, the tables may be set to fixed values, instead of being reprogrammable. The above module comprises a plurality of composite look-up tables that implement the aforesaid non-linear operation in a composite field of finite subfields (GF(2^4)^2; GF((2^2)^2)^2) deriving from the aforesaid finite field (GF(2^8)), each of the above composite look-up tables being smaller than a look-up table that is able to implement autonomously the aforesaid non-linear operation in a finite field (GF(2^8)).