SPLIT-AND-MERGE APPROACH TO PROTECT AGAINST DFA ATTACKS

摘要

A device for performing a mapping an input message to an output message by a keyed cryptographic operation, wherein the keyed cryptographic operation includes a plurality of rounds, including: a memory; and a processor in communication with the memory, the processor being configured to: split data processed in a first round to produce a first output and a second output, wherein the first output equals the second output; process a first input by a second round to produce a third output, wherein the first input is based upon the first output; process a second input by the second round to produce a fourth output, wherein the second input is based upon the second output; process a third input by a third round to produce a first share using a first weight, wherein the third input is based upon the third output; process a fourth input by the third round to produce a second share using a second weight, wherein the first and second weights are complementary, wherein the fourth input is based upon the fourth output; combine the first share and the second share to produce a combined output; and process the combined output by a fourth round.