Joshua B Jaffe

6381699, Apr 30, 2002

Dec 13, 2000

09/737182

Paul C. Kocher - San Francisco CA
Joshua M. Jaffe - San Francisco CA

Cryptography Research, Inc. - San Francisco CA

H04L 910

713172, 713174, 713340, 705 65

The present invention provides a method and apparatus for securing cryptographic devices against attacks involving external monitoring and analysis. A âself-healingâ property is introduced, enabling security to be continually re-established following partial compromises. In addition to producing useful cryptographic results, a typical leak-resistant cryptographic operation modifies or updates secret key material in a manner designed to render useless any information about the secrets that may have previously leaked from the system. Exemplary leak-proof and leak-resistant implementations of the invention are shown for symmetric authentication, certified Diffie-Hellman (when either one or both users have certificates), RSA, ElGamal public key decryption, ElGamal digital signing, and the Digital Signature Algorithm.

6510518, Jan 21, 2003

Jun 3, 1999

09/325611

Joshua M. Jaffe - San Francisco CA
Paul C. Kocher - San Francisco CA
Benjamin C. Jun - Palo Alto CA

Cryptography Research, Inc. - San Francisco CA

G06F 124

713168, 713171, 713200, 713201

Cryptographic devices that leak information about their secrets through externally monitorable characteristics (such as electromagnetic radiation and power consumption) may be vulnerable to attack, and previously-known methods that could address such leaking are inappropriate for smartcards and many other cryptographic applications. Methods and apparatuses are disclosed for performing computations in which the representation of data, the number of system state transitions at each computational step, and the Hamming weights of all operands are independent of computation inputs, intermediate values, or results. Exemplary embodiments implemented using conventional (leaky) hardware elements (such as electronic components, logic gates, etc. ) as well as software executing on conventional (leaky) microprocessors are described. Smartcards and other tamper-resistant devices of the invention provide greatly improved resistance to cryptographic attacks involving external monitoring.

6640305, Oct 28, 2003

Sep 6, 2001

09/948473

Paul C. Kocher - San Francisco CA
Joshua M. Jaffe - San Francisco CA
Benjamin C. Jun - Palo Alto CA

Cryptography Research, Inc. - San Francisco CA

H04L 910

713194, 713162, 713172, 380228, 380286

Before use, a population of tamper-resistant cryptographic enforcement devices is partitioned into groups and issued one or more group keys. Each tamper-resistant device contains multiple computational units to control access to digital content. One of the computational units within each tamper-resistant device communicates with another of the computational units acting as an interface control processor, and serves to protect the contents of a nonvolatile memory from unauthorized access or modification by other portions of the tamper-resistant device, while performing cryptographic computations using the memory contents. Content providers enforce viewing privileges by transmitting encrypted rights keys to a large number of recipient devices. These recipient devices process received messages using the protected processing environment and memory space of the secure unit. The processing result depends on whether the recipient device was specified by the content provider as authorized to view some encrypted digital content.

6654884, Nov 25, 2003

Jan 17, 2003

10/346848

Joshua M. Jaffe - San Francisco CA
Paul C. Kocher - San Francisco CA
Benjamin C. Jun - Palo Alto CA

Cryptography Research, Inc. - San Francisco CA

G06F 124

713168, 713171, 713200, 713201

Differential power analysis is a powerful cryptanalytic method that can be used to extract secret keys from cryptographic hardware during operation. To reduce the risk of compromise, cryptographic hardware can employ countermeasures to reduce the amount of secret information that can be deduced by power consumption measurements during processing. Such countermeasures can include balancing circuitry inside a cryptographic hardware device to reduce the amount of variation in power consumption that is correlated to data parameters being manipulated. This can be facilitated by using a constant-Hamming-weight representation when representing and manipulating secret parameters. Low-level operation modules, such as Boolean logic gates, can be built to process input parameters in a manner that balances the number of ON transistors while simultaneously maintaining a data-independent number of transistor transitions during computation. Leakage reduction may be used with other countermeasures, including introducing noise, unrelated to data being processed, into the power measurements.

7039816, May 2, 2006

Oct 27, 2003

10/695256

Paul C. Kocher - San Francisco CA, US
Joshua M. Jaffe - San Francisco CA, US
Benjamin C. Jun - Palo Alto CA, US

Cryptography Research, Inc. - San Francisco CA

H04N 7/167
H04L 9/30

713194, 713193, 380240, 380284

To prevent piracy, audiovisual content is encrypted prior to transmission to consumers. A low-cost, high-security cryptographic rights module (such as a smartcard) enables devices such as players/displays to decode such content. Security-critical functions may be performed by the cryptographic module in a manner that allows security compromises to be addressed by upgrading or replacing cryptographic modules, thereby avoiding the need to replace or modify other (typically much higher-cost) components. The security module contains cryptographic keys, which it uses to process rights enablement messages (REMs) and key derivation messages (KDMs). From a REM and KDM, the security module derives key data corresponding to content, uses public key and/or symmetric cryptography to re-encrypt the derived key data for another device, and provides the re-encrypted key data to the decoding device. The decoding device then uses cryptographic values derived from the re-encrypted key data to decrypt the content.

7506165, Mar 17, 2009

Apr 29, 2002

10/136012

Paul C. Kocher - San Francisco CA, US
Joshua M. Jaffe - San Francisco CA, US

Cryptography Research, Inc. - San Francisco CA

G06F 21/00

713172, 705 65

We disclose methods and apparatuses for securing cryptographic devices against attacks involving external monitoring and analysis. A “self-healing” property is introduced, enabling security to be continually re-established following partial compromises. In addition to producing useful cryptographic results, a typical leak-resistant cryptographic operation modifies or updates secret key material in a manner designed to render useless any information about the secrets that may have previously leaked from the system. Exemplary leak-proof and leak-resistant implementations are shown for symmetric authentication, certified Diffie-Hellman (when either one or both users have certificates), RSA, ElGamal public key decryption.

7587044, Sep 8, 2009

Dec 3, 2001

10/005105

Paul C. Kocher - San Francisco CA, US
Joshua M. Jaffe - San Francisco CA, US
Benjamin C. Jun - Foster City CA, US

Cryptography Research, Inc. - San Francisco CA

H04L 9/00
G06F 21/00

380 1, 380 37, 713194

Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.

7599488, Oct 6, 2009

Oct 29, 2007

11/978364

Paul C. Kocher - San Francisco CA, US
Joshua M. Jaffe - San Francisco CA, US
Benjamin C. Jun - Oakland CA, US

Cryptography Research, Inc. - San Francisco CA

H04K 3/00
H04L 9/00
G06F 11/30

380 1, 380 37, 713194, 713340

Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.