Access-controlled data storage medium

US9288038B2 · US · B2

Patent metadata
Publication number: US-9288038-B2
Application number: US-201313901262-A
Country: US
Kind code: B2
Filing date: May 23, 2013
Priority date: May 18, 1998
Publication date: Mar 15, 2016
Grant date: Mar 15, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The invention relates to a data carrier having a semiconductor chip. In order to prevent an attacker from determining secret data of the chip from intercepted signal patterns of the chip, security-relevant operations are performed only with commands or command strings of the operating program whose use does not permit the processed data to be inferred from the signal patterns.

First claim

Claim text as extracted (claims 1 to 17).

We claim:

1. A data carrier comprising: a semiconductor chip having: at least one memory; an operating program stored in said memory; and a plurality of operating program commands contained in said operating program, each command causing signals detectable from outside the semiconductor chip during execution of the command within the semiconductor chip, wherein: the operating program is arranged to execute a plurality of operations; for at least a first subset of said plurality of operations, a total result achieved by execution of the first subset does not depend on an order of execution of at least a first portion of operations of the first subset of said plurality of operations, the first subset of said plurality of operations including at least one of said plurality of operations; the order of execution of the first subset of said plurality of operations is varied at least when the first subset of said plurality of operations contains one or more security-relevant operations; and for at least a second subset of said plurality of operations, a total result achieved by execution of the second subset depends on an order of execution of at least a second portion of operations of the second subset of said plurality of operations, and the order of execution of the second portion of the operations of the second subset is not varied, the second subset of said plurality of operations including at least one of said plurality of operations.

2. A data carrier according to claim 1, wherein the order of execution of the first subset is varied at each run through the first subset of said plurality of operations.

3. A data carrier according to claim 1, wherein the order of execution of the first subset is varied according to a fixed principle.

4. A data carrier according to claim 1, wherein the order of execution of the first subset is varied randomly.

5. A data carrier according to claim 1, wherein the order of execution of the first subset is varied in accordance with data processed with the plurality of operations.

6. A data carrier according to claim 1, wherein, in the case that the order of execution of the first subset of said plurality of operation is varied, upon varying the order of execution of the first subset, the order of execution of the first subset is fixed before execution of an operation of the first subset of said plurality of operations in the case that the operations of the first subset are predetermined to be executed successively and consecutively.

7. A data carrier according to claim 1, wherein, in the case that the order of execution of the first subset of said plurality of operation is varied, upon varying the order of execution of the first subset, before the onset of execution of an operation of the first subset, operation of the first subset is fixed in the case that a first operation of the first subset of said plurality of operations is predetermined to be executed successively and consecutively with a second operation of the first subset that is predetermined to be executed next.

8. A data carrier according to claim 1, wherein the security-relevant operations are key permutations or permutations of other secret data.

9. A data carrier according to claim 1, wherein the data carrier is a smart card.

10. A method for protecting secret data stored in a memory of a semiconductor chip of a data carrier, said secret data serving as input data for one or more of a plurality of operations executed on the semiconductor chip, the execution of the one or more of a plurality of operations causing signals detectable from outside of the data carrier, the signals being dependent on the one or more of a plurality of operations and on the input data for the one or more of a plurality of operations, said method comprising the steps of: executing the plurality of operations in such a manner that, for at least a first subset of said plurality of operations, a total result achieved by execution of more than one operations of the first subset does not depend on an order of execution of at least a first portion of operations of the first subset of said plurality of operations, the first subset of said plurality of operations including at least one of said plurality of operations, and for at least a second subset of said plurality of operations, a total result achieved by execution of the second subset depends on an order of execution of at least a second portion of operations of the second subset of said plurality of operations, the order of executions of the second portion of the operations of the second subset is not varied, the second subset of said plurality of operations including at least one of said plurality of operations; and varying the order of execution of the first subset of said plurality of operations at least when the first subset of said plurality of operations contains one or more security-relevant operations.

11. A method according to claim 10, wherein the order of execution of the first subset is varied at each run through the first subset of said plurality of operations.

12. A method according to claim 10, wherein the order of execution of the first subset is varied according to a fixed principle.

13. A method according to claim 10, wherein the order of execution of the first subset is varied randomly.

14. A method according to claim 10, wherein the order of execution of the first subset is varied in accordance with data processed with the plurality of operations.

15. A method according to claim 10, wherein, in the case that the order of execution of the first subset of said plurality of operation is varied, upon varying the order of execution of the first subset, the order of execution of the first subset is fixed before execution of an operation of the first subset of said plurality of operations in the case that the operations of the first subset are predetermined to be executed successively and consecutively.

16. A method according to claim 15, further comprising the step of fixing, before the onset of execution of an operation of the subset, operation of the first subset in the case that a first operation of the first subset of said plurality of operations is predetermined to be executed successively and consecutively with a second operation of the first subset that is predetermined to be executed next.

17. A method according to claim 10, wherein the security-relevant operations are key permutations or permutations of other secret data.
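The countermeasure the abstract and claims describe, as an added example that is not code from the patent or from Giesecke & Devrient: a key permutation (claim 8) is split into byte moves whose total result does not depend on their order (the "first subset"), and that order is drawn fresh on every run, either randomly (claim 4) or by a fixed principle such as a cyclic rotation (claim 3), and fixed before the first move starts (claims 6 and 7). An order-dependent chain (the "second subset") is left in its natural order because shuffling it would change the result. A toy Hamming-weight leakage model then shows why the shuffle matters to a DPA attacker: the correlation between a fixed time slot and the attacker's key hypothesis collapses from 1.0 to roughly 1/n. The permutation table, the `chain_mix` function, the leakage model and all names are constructed for this illustration and are not taken from the page.

```python
# Added example, not code from the patent or from Giesecke & Devrient.
# Demonstrates execution-order shuffling of order-independent operations
# (claims 1-7) and a toy leakage model showing its effect on first-order DPA.
import math
import random

# Constructed 16-entry permutation table (PC-1-like, not the patent's).
# The permuted key is out[i] = key[TABLE[i]]; each move is independent of the others.
TABLE = [13, 5, 0, 9, 14, 2, 7, 11, 1, 15, 4, 8, 12, 3, 6, 10]


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def execution_order(n: int, rng=None, run_counter=None):
    """Order of the first subset, fixed before the first operation starts (claims 6/7).
    rng         -> random order on every run (claim 4)
    run_counter -> fixed principle, here a cyclic rotation by run number (claim 3)
    neither     -> natural order, i.e. no countermeasure
    """
    order = list(range(n))
    if rng is not None:
        rng.shuffle(order)          # Fisher-Yates, uniform over all n! orders
    elif run_counter is not None:
        k = run_counter % n
        order = order[k:] + order[:k]
    return order


def permute_key(key, rng=None, run_counter=None):
    """First subset: n independent byte moves. Returns (result, simulated trace).
    trace[t] is the Hamming weight of the value handled in time slot t, an assumed
    leakage model for the power drawn by a data-bus write."""
    order = execution_order(len(TABLE), rng, run_counter)
    out = [0] * len(TABLE)
    trace = []
    for i in order:
        out[i] = key[TABLE[i]]
        trace.append(hamming_weight(out[i]))
    return out, trace


def chain_mix(key):
    """Second subset: every step consumes the previous result, so the total result
    depends on the order. This chain is therefore never shuffled."""
    acc, out = 0, []
    for b in key:
        acc = ((acc * 31) ^ b) & 0xFF
        out.append(acc)
    return out


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def leakage_correlation(slot: int, shuffle: bool, n_traces: int = 2000, seed: int = 7):
    """DPA-style check: correlate the leakage seen in one fixed time slot with the
    attacker's hypothesis HW(key[TABLE[slot]]) over many random keys.
    Without shuffling the hypothesis equals the leaked value (correlation 1.0).
    With per-run shuffling the targeted byte lands in that slot only 1/n of the
    time, so the correlation falls towards 1/n (here 1/16)."""
    rng = random.Random(seed)
    leaks, hyps = [], []
    for _ in range(n_traces):
        key = [rng.randrange(256) for _ in range(16)]   # constructed random keys
        _, trace = permute_key(key, rng=rng if shuffle else None)
        leaks.append(trace[slot])
        hyps.append(hamming_weight(key[TABLE[slot]]))
    return pearson(leaks, hyps)


if __name__ == "__main__":
    key = list(range(0x10, 0x20))                      # constructed sample key
    plain, _ = permute_key(key)
    shuffled, _ = permute_key(key, rng=random.Random(1))
    rotated, _ = permute_key(key, run_counter=5)
    assert plain == shuffled == rotated                # result is order-independent
    print("unshuffled corr:", round(leakage_correlation(3, shuffle=False), 3))
    print("shuffled   corr:", round(leakage_correlation(3, shuffle=True), 3))
```

Two practitioner caveats follow from the claims rather than from this toy. First, the order must be decided before the first operation of the subset begins (claims 6 and 7), and the draw and the shuffle must themselves be free of data-dependent timing or code paths; if the trace reveals which index was processed in which slot, the attacker simply re-aligns the traces and the countermeasure is gone. Second, shuffling alone only reduces first-order correlation by about a factor of n, so an attacker needs on the order of n squared more traces, not infinitely many; in deployed smart-card firmware it is combined with masking rather than used on its own.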

Assignees

Giesecke & Devrient GmbH
Inventors

Classifications

  • H04L9/003 · Primary

    for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA] · CPC title

  • G06Q20/341 · Primary

    Active cards, i.e. cards including their own processing means, e.g. including an IC or chip · CPC title

  • Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system · CPC title

  • by preventing analysis of the circuit, e.g. dynamic or static power analysis or current analysis · CPC title

  • Features insuring the integrity of the data on or in the card · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9288038B2 cover?
The invention relates to a data carrier having a semiconductor chip. In order to prevent an attacker from determining secret data of the chip from intercepted signal patterns of the chip, security-relevant operations are performed only with commands or command strings of the operating program whose use does not permit the processed data to be inferred from the signal patterns.
Who is the assignee on this patent?
Giesecke & Devrient GmbH
What technology area does this patent fall under?
Primary CPC classification H04L9/003. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 15, 2016 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).