
Determination of a division remainder and of prime number candidates for cryptographic application

Info

Publication number
EP2772005A2
Authority
EP
European Patent Office
Prior art keywords
value
montgomery
multiplication
montgomery multiplication
correction factor
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP12787360.2A
Other languages
German (de)
English (en)
Inventor
Jürgen PULKUS
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Giesecke and Devrient Mobile Security GmbH
Original Assignee
Giesecke and Devrient GmbH
Application filed by Giesecke and Devrient GmbH
Publication of EP2772005A2
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 using a plurality of keys or algorithms
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 underlying computational problems or public-key parameters
    • H04L9/3033 details relating to pseudo-prime or prime number generation, e.g. primality test
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 using residue arithmetic
    • G06F7/728 using Montgomery reduction
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7204 Prime number generation or prime number testing

Definitions

  • the invention generally relates to the technical field of efficiently implementable cryptographic methods. More particularly, a first aspect of the invention relates to determining a division remainder, while a second aspect of the invention relates to determining prime number candidates - these are values that are, with some probability, primes.
  • the invention is particularly suitable for use in a portable data carrier.
  • A portable data carrier may be, for example, a chip card (smart card) in various designs, a chip module or a similar resource-limited system.
  • the prime search is by far the most computationally intensive step in RSA key generation.
  • The key generation can be carried out by the data carrier itself.
  • This process takes time during production of the data carrier (e.g., completion, initialization or personalization), which may vary greatly and may amount to several minutes. Since production time is expensive, the time required for key generation is a significant cost factor. It is therefore desirable to accelerate key generation and thus increase the attainable production throughput of portable data carriers.
  • this object is achieved in whole or in part by a method having the features of claim 1 or claim 8, a computer program product according to claim 14 and a device, in particular a portable data carrier, according to claim 15.
  • The dependent claims relate to optional features of some embodiments of the invention.
  • a first aspect of the invention is based on the basic idea of performing a Montgomery multiplication instead of an otherwise conventional modular division in order to determine a division remainder.
  • The error caused by the Montgomery multiplication is then compensated for by a further Montgomery multiplication, a suitably determined correction factor serving as one of the factors of this further Montgomery multiplication.
  • This method can be implemented much more efficiently on many common hardware platforms than a modular division with remainder.
  • the first Montgomery multiplication is a Montgomery reduction, that is, a multiplication by 1 as one of the two factors.
  • the two Montgomery multiplications are performed with different Montgomery coefficients.
  • The correction factor is calculated in some embodiments as a modular power of two in a loop, each loop pass comprising a doubling of an intermediate result and a conditional subtraction. In other embodiments, however, the correction factor is calculated as a modular power with a positive integer correction factor exponent and the base 1/2. Montgomery operations can in turn be used for this purpose.
  • A second aspect of the invention is based on the basic idea of determining prime candidates in a sieving process. Starting from a base value, several sieve runs are carried out, in each case a marking value being determined and multiples of the marking value in the sieve being marked as composite numbers. Furthermore, in each sieve run, the remainder of the base value modulo the marking value is determined with a remainder determination method that can be implemented particularly efficiently on common hardware platforms because it includes at least one Montgomery operation.
  • In some embodiments the marking value is a prime number.
  • several primes can be used as marking values for a sieve run.
  • The sieve can, for example, represent only numbers at a predetermined step size starting from the base value.
  • further primality tests are performed to determine probable primes from the prime candidates.
  • The method according to the second aspect of the invention uses a remainder determination method according to the first aspect of the invention.
  • the computer program product according to the invention has program instructions in order to implement the method according to the invention.
  • A computer program product may be a physical medium, e.g. a semiconductor memory, a floppy disk or a CD-ROM.
  • The computer program product may also be a non-physical medium, e.g. a signal transmitted over a computer network.
  • the computer program product may contain program instructions that are inserted in the course of the production of a portable data carrier.
  • the device according to the invention can be a portable data carrier, for example a chip card or a chip module.
  • Such a data carrier contains, in a manner known per se, at least one processor, a plurality of memories configured in different technologies, and various auxiliary subassemblies.
  • The term processor is intended to include both main processors and coprocessors.
  • the computer program product and / or the device have features which correspond to the features mentioned in the present description and / or the features mentioned in the dependent method claims.
  • FIG. 1 shows a flowchart of a method for determining two primes and other parameters of an RSA CRT key
  • FIG. 2 shows a flow chart of a method for determining a prime number candidate
  • FIG. 3 is a schematic representation of components of a portable data carrier suitable for carrying out the methods of FIGS. 1 and 2;
  • FIG. 4 shows by way of example the individual method steps of generating the candidate field in step 46 of FIG. 2;
  • FIG. 5 shows an example flow of a method for modular power calculation with the base 1/2 and a positive integer exponent e using Montgomery operations.
  • the invention is described in particular in connection with the determination of one, several or all parameters of an RSA-CRT key pair.
  • The invention can also be used for other purposes, in particular for the determination of relatively large random primes, as needed for various cryptographic methods.
  • The parameters of an RSA-CRT key pair are derived from two prime numbers p and q and a public exponent e.
  • The public exponent e is a number coprime to (p-1)·(q-1), which may be randomly selected or fixed.
  • The public key contains the public exponent e and a public modulus N = p·q.
  • the method according to FIG. 1 shows the calculation of all parameters of a secret RSA-CRT key for a given public exponent e.
  • the method consists of two parts, which are shown in a left and right column of Fig. 1.
  • The first part (steps 10, 12, 16 and 20) comprises the determination of one prime number p and the associated key parameter d_p.
  • The second part (steps 24, 26, 30, 34 and 38) comprises the determination of the other prime number q and the key parameters d_q and p_inv.
  • the method can be modified in alternative embodiments such that only some of the parameters just mentioned are calculated.
  • method steps can be omitted or shortened if some key parameters are otherwise calculated or even not needed.
  • Fig. 1 and the other drawing figures show the regular program flow, and the dashed arrows show alternative program flows which are performed under certain conditions, especially if a prime candidate or probable prime proves to be composite.
  • the dotted arrows illustrate the data flow.
  • A preselection is made which ensures that the prime candidate m is not already divisible by a small prime number (e.g. 2, 3, 5, 7, ...).
  • a suitable preselection determination method is shown in FIG. 2 and will be described in more detail below.
  • the prime candidate m is subjected to a Fermat test.
  • The Fermat test is a probabilistic primality test that recognizes a composite number as such with high probability, while a prime number is never mistaken for a composite number.
  • The converse does not necessarily hold, but counterexamples are so rare that a prime candidate m that passes the Fermat test is almost certainly a prime.
  • If the prime candidate m is recognized as a composite number in the Fermat test in step 12, a return 14 to step 10 is made, in which a new prime candidate is determined. Otherwise, the process continues, with the prime candidate m being regarded as the probable prime p.
  • a known inversion method is used.
  • The Miller-Rabin test is known from the article "Probabilistic algorithms for testing primality" by Michael O. Rabin, published in the Journal of Number Theory 12, 1980, pages 128-138.
  • A composite number is likely to be recognized as such, while a prime number is never mistaken for a composite number.
  • the error probability of the Miller-Rabin test depends on the number of test rounds and can be kept arbitrarily small by running a sufficient number of test rounds.
  • The probability that the probable prime p is recognized as a composite number in the Miller-Rabin test in step 20 is negligible.
  • The probability that the calculation of the CRT exponent d_p in step 16 fails because of gcd(p-1, e) ≠ 1, so that the return 18 must be carried out, is orders of magnitude higher. It is therefore more efficient to perform step 16 before step 20, because this avoids unnecessary Miller-Rabin tests.
  • In other embodiments the CRT exponent d_p is calculated only after the Miller-Rabin test or at another time.
  • The Miller-Rabin test in step 20 is performed in order to mathematically establish a desired maximum error probability, which may be 2^-100, for example.
  • the Miller-Rabin test runs several rounds of testing, the number of which depends on this probability of error.
  • A test round for the probable prime p consists in raising a random number to the ((p-1)/2)-th power modulo p and checking whether the result is ±1 modulo p.
  • Here the boundary condition p ≡ 3 mod 4 is assumed.
  • the prime number p is output as one of the results of the method described herein.
  • The second part of the method, which is shown in the right-hand column of FIG. 1, is a repetition of the first part of the method according to the left-hand column of FIG. 1, with the exception of step 34, where the second prime number q is calculated. Reference is therefore largely made to the above explanations.
  • In step 34, a return is made to step 24 if the probable prime q does not pass the first Miller-Rabin test round. Otherwise, in step 38, the remaining required test rounds of the Miller-Rabin test are performed. If one of these test rounds fails, a return 40 is made to step 24 in order to select a new prime number candidate. Otherwise, the second prime q is fixed and the method ends.
  • the method shown in FIG. 1 is modified such that no combined testing and inversion method is provided.
  • In place of step 36, an additional round of the Miller-Rabin test may then be performed in step 38.
  • The computation of the inverse p_inv can then be performed as a separate step, as part of or separately from the method described here, if such a calculation is required at all.
  • The inverse p_inv is used in RSA-CRT calculations only to increase efficiency.
  • In some embodiments the inverse p_inv is not needed at all.
  • FIG. 2 illustrates the determination of a prime number candidate m as performed in steps 10 and 24 of FIG. 1.
  • a candidate field is used which provides several prime number candidates m.
  • The candidate field may be, for example, a packed bit array S whose bits S[i] indicate whether or not a number having an offset from a base value b that depends on the bit position i is a prime candidate m.
  • In step 46 the candidate field is then generated.
  • A bit field S whose bit positions i each correspond to an offset of SW·i from the base value b (with SW as the step size) is used as the data structure for the candidate field.
  • The completed candidate field thus indicates whether or not the number b + SW·i can be used as a prime candidate m.
  • First, all bits S[i] are initialized to a first value, e.g. the value "1". Then, according to the principle of the sieve of Eratosthenes, those bits S[i] whose corresponding number b + SW·i is divisible by a small prime number are changed to a second value, e.g. the value "0".
  • The size of the candidate field and the number of sieve runs are chosen, depending on the available memory, so as to minimize the average runtime of the overall process. This is an optimization task whose solution depends on the relative cost of the preselection compared to the cost of a failed Fermat test. For example, for 2048-bit RSA keys, several thousand sieve runs may be made, and approximately 40 Fermat tests are then required to determine one of the prime numbers p and q.
  • In step 48 a prime candidate m is selected from the filled candidate field. This selection can be made, for example, randomly or in a predetermined order. In further calls of the method shown in FIG. 2, step 48 is executed immediately after the test 42, and further prime candidates m are selected from the candidate field created once, until the field is empty or a predetermined minimum fill level is fallen below.
  • The method of FIGS. 1 and 2 is performed by at least one processor of a portable data carrier.
  • Fig. 3 shows such a data carrier 50, which is designed for example as a chip card or chip module.
  • the data carrier 50 has a microcontroller 52 in which, in a manner known per se, a main processor 54, a coprocessor 56, a communication interface 58 and a memory module 60 are integrated on a single semiconductor chip and connected to one another via a bus 62.
  • the memory subassembly 60 includes a plurality of memory arrays configured in different technologies, including, for example, a read-only memory 64 (mask-programmed ROM), a nonvolatile rewritable memory 66 (EEPROM or flash memory), and a random access memory 68 (RAM).
  • The methods described here are implemented in the form of program instructions in the read-only memory 64 and partly also in the non-volatile rewritable memory 66.
  • the coprocessor 56 of the data carrier 50 is designed for efficient execution of various cryptographic operations.
  • coprocessor 56 supports Montgomery multiplication with bit lengths needed for cryptographic applications.
  • coprocessor 56 does not support "normal" modular multiplication, so such multiplications must be performed by main processor 54 at a significantly higher cost.
  • Embodiments of coprocessors 56', 56'', 56''' are known in currently commercially available microcontrollers 52 which do not perform exactly the Montgomery multiplication as defined above, but variations of it. The reason for these modifications lies primarily in the fact that the decision as to whether the final conditional subtraction of the Montgomery multiplication should be carried out can be optimized in different ways. In general, the modified coprocessors 56', 56'', 56''' provide, when calculating the Montgomery multiplication, a result that potentially differs from the result defined above by a small multiple of the modulus m.
  • The permissible value range for the factors x and y in the modified coprocessors 56', 56'', 56''' is extended in such a way that a calculated result always again represents an admissible input value as a factor of the Montgomery multiplication.
  • A first modified coprocessor 56' calculates a first modified Montgomery product x *'_m y, which is defined as follows: x *'_m y := (x·y·R^-1 mod m) + k·m
  • Here R = 2^n for certain register sizes n, which are multiples of 16.
  • The range of values for the factors x and y is extended to [0, R-1], and k is a natural number that is so small that x *'_m y < R.
  • R 2
  • A third modified coprocessor 56''' finally calculates a third modified Montgomery product x *'''_m y, which is defined as follows: x *'''_m y := (x·y·2^-t_c mod m) + ε·m
  • The factors x and y here are natural numbers with x < 2^t_c and y < 2·m. Furthermore, ε ∈ {0, 1}.
  • The register size for the factor x is t_c.
  • The Montgomery product of two factors x and y with respect to the modulus m is generally denoted by x *_m y if it does not matter, or if the context indicates, whether it is exactly the Montgomery product x *_m y of the coprocessor 56 as originally defined or one of the three modified Montgomery products.
  • Some or all of the modular multiplications can be implemented as Montgomery multiplications. It goes without saying that calculation sections which take place in the Montgomery number space should, if possible, be combined in order to reduce the number of required transformations back and forth. Additions and subtractions can be performed identically in the "normal" number space and in the Montgomery number space.
  • The use of Montgomery multiplications is particularly advantageous when the data carrier 50 has a coprocessor 56, 56', 56'', 56''' which supports Montgomery multiplication but not normal modular multiplication. Even if the coprocessor 56, 56', 56'', 56''' supports both types of multiplication, Montgomery multiplication is often performed more efficiently. Depending on the number of transformations required (in particular the more complex forward transformations into the Montgomery number space compared to the inverse transformations), considerable savings are achieved even if Montgomery multiplication is carried out only slightly more efficiently than a normal modular multiplication.
  • the method shown in FIGS. 1 and 2 is optimized, in particular with regard to the generation of the candidate field in step 46 (FIG. 2).
  • The solution described above is based on the basic idea of determining prime candidates by means of a sieving process on the basis of the sieve of Eratosthenes. In the embodiments described here, however, the sieve starts at a random base value b, which already has approximately the order of magnitude of the prime number to be determined, and it contains entries corresponding respectively to the values b + SW·i (with step size SW).
  • A predetermined number of sieve runs, each with a small prime number p' or a product p' of several primes as marking values r, r', are carried out.
  • The values remaining in the sieve, which are referred to as prime candidates m, represent a prime number only with a certain probability.
  • The number of sieve runs is determined in the course of optimizing the computation time for the overall process. For example, several thousand runs may be made, and a number remaining in the sieve is then a prime number with a probability of about 2.5%.
  • Since the sieve does not start at zero, the remainder of the base value b modulo the marking value p' which serves as the basis for the sieve run must be determined for each sieve run. From this remainder, the first composite number b + SW·k to be deleted from the sieve is then determined, and starting from this number b + SW·k the further multiples b + SW·k + SW·p', b + SW·k + 2·SW·p', b + SW·k + 3·SW·p', ... are deleted from the sieve.
  • The basic idea of these embodiments is to use for the determination of the remainder z not a "normal" modular division with remainder, but a Montgomery operation with at least one further correction step.
  • This Montgomery operation may in particular be a Montgomery reduction with p' as modulus.
  • A Montgomery reduction here means a Montgomery multiplication in which one of the factors has the value 1.
  • It is assumed that the marking value p' used for the loop pass, e.g. a prime number, has a width of d bits (e.g. 16 bits), and that the base value b has a width of n·d bits.
  • The Montgomery reduction b *_{p', 2^(d·n)} 1 is then executed, which by definition yields the value b · 1 · 2^(-d·n) mod p'.
  • The desired result b mod p' has thus been obtained with an "error" by the factor 2^(-d·n) mod p', which is compensated by one or more correction steps.
  • The required correction can in principle be performed in any way. In the present embodiment, however, a Montgomery operation is again used for this purpose, namely a Montgomery multiplication modulo p' with respect to the Montgomery coefficient 2^d.
  • The correction factor 2^(d·(n+1)) mod p' required for this can be determined by a loop in a particularly simple manner. Starting from a start value 1, the current value is doubled in each loop pass, and p' is subtracted if the result is at least p'.
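An added worked example (not code from the patent) of the remainder determination just described: a Montgomery reduction with coefficient 2^(d·n), the doubling loop for the correction factor 2^(d·(n+1)) mod p', and the correcting Montgomery multiplication with coefficient 2^d. Assumptions: the Montgomery product is computed with the standard REDC recipe (the description only fixes its result x·y·2^(-w) mod m), and the sample values are constructed; the block also handles an odd composite marking value such as a product of small primes.

```python
def mont_mul(x, y, m, w):
    """Montgomery product x *_{m,2^w} y = x*y*2^(-w) mod m, computed the REDC way
    (no division by m, only a multiply, a mask and a shift).
    Preconditions: m odd, x*y < m*2^w; the final conditional subtraction gives < m."""
    r = 1 << w
    m_neg_inv = pow(-m, -1, r)          # -m^(-1) mod 2^w, precomputed once per modulus
    t = x * y
    u = (t * m_neg_inv) & (r - 1)       # chosen so that t + u*m is divisible by 2^w
    s = (t + u * m) >> w
    return s - m if s >= m else s


def correction_factor(p, d, n):
    """C = 2^(d*(n+1)) mod p by the doubling loop of the description:
    start at 1, double in every pass, subtract p whenever the value reaches p."""
    c = 1
    for _ in range(d * (n + 1)):
        c <<= 1
        if c >= p:
            c -= p
    return c


def remainder_via_montgomery(b, p, d, n):
    """b mod p without a long division: a Montgomery reduction modulo p with
    coefficient 2^(d*n) followed by one correcting Montgomery multiplication
    with coefficient 2^d.  p is d bits wide (and odd), b is n*d bits wide."""
    assert p % 2 == 1 and p < (1 << d) and b < (1 << (d * n))
    a = mont_mul(b, 1, p, d * n)     # = b * 2^(-d*n) mod p: off by the factor 2^(-d*n)
    c = correction_factor(p, d, n)   # = 2^(d*(n+1)) mod p
    return mont_mul(a, c, p, d)      # = a * c * 2^(-d) mod p = b mod p


# Constructed sample: a 16-bit prime marking value and a 128-bit base value (d=16, n=8).
SAMPLE_P = 65521
SAMPLE_B = 0xDEADBEEFCAFEBABE0123456789ABCDEF

if __name__ == "__main__":
    print(remainder_via_montgomery(SAMPLE_B, SAMPLE_P, 16, 8), SAMPLE_B % SAMPLE_P)
```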
  • The following method A illustrates the method just described in more detail by means of an example calculation procedure.
  • the method can also be used in
  • Input values: a d-bit wide value (e.g., the prime p') in register X and an n·d-bit wide value (e.g., the base b) in register Y; registers used: C, X, Y, Z.
  • If the marking value is a prime number p', the first Montgomery multiplication can be omitted.
  • In a further variant with the same input values, the registers B, C, C', X, X', Y, Z, Z' are used.
  • line (A.2) can be replaced by the following lines (A.2.1) - (A.2.5):
  • Since the embodiments described here replace a division with a long dividend by at least one Montgomery multiplication, they are particularly well suited for use with a data carrier 50 that does not support long divisions, or supports them less efficiently than Montgomery multiplications.
  • This constellation is common to many conventional data carriers 50 because efficient hardware support for long divisions would require a great deal of effort.
  • The data carrier 50 with the coprocessor 56'' does not support any division operations, while the coprocessor 56''' does provide a division function but takes about 128 times longer for a division than for a Montgomery multiplication of equal length.
  • For the data carrier 50 with the coprocessor 56', it can even be advantageous not to use the techniques described here, because a fast remainder calculation modulo a small prime number can be implemented on the main processor 54 of this data carrier 50. It is understood that the method steps described here can be distributed to different degrees between the main processor 54 and the coprocessor 56, 56', 56'', 56''' of the data carrier 50.
  • FIG. 4 shows by way of example the individual method steps of generating the candidate field in step 46 (FIG. 2).
  • the input value is already the
  • the method includes a predetermined number of passes through which steps 72-78 are performed.
  • A marking value p' is determined in step 72, the multiples of which are to be marked as composite numbers in the sieve.
  • Step 74 of FIG. 4 includes three substeps 74.1, 74.2 and 74.3.
  • In the first substep 74.1, which corresponds to line (A.1) of method A, the Montgomery reduction Y *_{X, 2^(d·n)} 1 is carried out.
  • The second substep 74.2 corresponds to line (A.2) or the lines (A.2.1) - (A.2.5).
  • Here the correction factor C is calculated.
  • In the third substep 74.3, which corresponds to line (A.3) of method A, the required correction of the result of the Montgomery reduction of substep 74.1 is carried out by means of the Montgomery multiplication B *_{X, 2^d} C.
  • a mark run is then performed in step 76.
  • First, the first bit S[k] in the bit field S is determined whose associated value b + SW·k corresponds to a multiple of the marking value p', i.e. a composite number.
  • This bit S[k] is marked accordingly, e.g. set to the value "0".
  • The further bits are then, one after the other at intervals of p', that is, the bits S[k + p'], S[k + 2·p'], S[k + 3·p'], ..., each set to the value that stands for composite numbers.
  • These bits correspond to the values b + SW·k + SW·p', b + SW·k + 2·SW·p', b + SW·k + 3·SW·p', and so on. Intermediate multiples of p' need not be taken into account because these multiples are not represented in the bit field S.
  • The Montgomery reduction in step 74.1 can be omitted if the marking value is a prime number. If, on the other hand, as indicated in method A'', p' is a product of (two or more) primes, then a marking run is performed for each of these primes as marking value; step 74.1 is followed by steps 74.2 and 74.3 for each of the (both) marking values r, r'. Starting from the remainder (b mod r) determined separately for each marking value, step 76 can also be carried out for each marking value.
  • After the end of the marking run of step 76, a check is made in step 78 as to whether a further sieve run is to take place. If so, a return is made to step 72. Otherwise, the generation of the candidate field is completed, and the method continues with step 48 (FIG. 2).
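An added example in Python, not the patent's code, of generating the candidate field with one marking run per small prime as in FIG. 4. Assumptions: the remainder z = b mod p' is taken with `%` so the block stands alone (the description obtains it with the Montgomery operations above), the step from z to the first bit index k uses the modular inverse of SW, which the description does not spell out, and the sample values are constructed.

```python
def generate_candidate_field(b, sw, length, marking_values):
    """Bit field S of the sieve: S[i] == 1 means b + sw*i is still a prime candidate.
    b is assumed large (of the order of the prime sought), so b + sw*i never equals
    one of the small marking values itself."""
    S = [1] * length
    for p in marking_values:
        z = b % p                           # remainder of the base value modulo p'
        if sw % p == 0:
            # step size divisible by p': all entries share the residue z, so either
            # every entry is a multiple of p' or none is (e.g. p' = 2, odd b, even sw)
            if z == 0:
                S = [0] * length
            continue
        # first index k with b + sw*k = 0 (mod p'):  k = -z * sw^(-1)  (mod p')
        k = (-z * pow(sw, -1, p)) % p
        # afterwards every p'-th bit: b + sw*(k + j*p') = (b + sw*k) + j*sw*p'
        for j in range(k, length, p):
            S[j] = 0
    return S


def candidates(b, sw, S):
    """The prime candidates m = b + sw*i that survived all marking runs."""
    return [b + sw * i for i, bit in enumerate(S) if bit]


# Constructed sample: odd 128-bit base value, step size 2, eight marking runs.
SIEVE_BASE = ((1 << 127) + 0x9E3779B97F4A7C15) | 1
SIEVE_STEP = 2
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23]

if __name__ == "__main__":
    field = generate_candidate_field(SIEVE_BASE, SIEVE_STEP, 256, SMALL_PRIMES)
    print(sum(field), "candidates left out of", len(field))
```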
  • The correction factor in step 74.2, corresponding to line (A.2) or lines (A.2.1) - (A.2.5), was determined above by a modular power calculation with base 2.
  • The inventor has recognized that on the hardware platforms discussed here a significant increase in speed is possible if a power of 1/2 is calculated instead of a power of two; suitable methods using Montgomery multiplications are described in detail below.
  • The correction factor C in the register C, indicated in line (A.2) by C = 2^(d·(n+1)) mod X, can be expressed as a power of 1/2.
  • The comparison method 1 is based on the known square-and-multiply technique, in which for each bit of the exponent a squaring of an intermediate result and, depending on the value of the exponent bit, a further multiplication of the intermediate result by the base to be exponentiated is performed.
  • This square-and-multiply technique is potentially susceptible to side-channel attacks if, by measuring the power consumption or other parameters, it is possible to determine whether or not the intermediate result is doubled, that is, shifted to the left, when processing one bit of the exponent. Therefore, in the comparison method 1, a modified technique is used that could be termed a "square-eight-times-and-multiply-once technique".
  • the registers M, X and Y each have a size of at least 256 bits.
  • The values e_i represent, for 0 ≤ i ≤ n, the "digits" of the exponent e in a base-256 positional system; that is, 0 ≤ e_i ≤ 255.
  • The comparison method 1 just described can be developed such that it uses Montgomery multiplications and is thus efficiently executable on data carriers 50 with suitable coprocessors 56, 56', 56'', 56'''. Surprisingly, this is possible with relatively minor modifications of the procedure.
  • an additional step is provided, in which the exponent e is suitably recoded in order to avoid the use of the Montgomery
  • the result of method 2 may differ from the desired final result 2^e mod M by a small multiple of the modulus M. A modular reduction of register Y modulo M may therefore be necessary as a final correction step.
  • in step 80 the exponent e is recoded according to method 3 in order to obtain, from the original exponent e with its bit groups 82 (here the bytes e_n, e_{n−1}, ..., e_0), the recoded exponent f with its bit groups 84 (here the values f_n, ..., f_0).
  • the process sequence following the recoding in step 80 can be subdivided into an initialization 86 and n sections 88.
  • each of the n sections 88 corresponds to one pass through the loop of method 2 and is assigned to one of the bit groups 84 of the recoded exponent f.
  • Each section 88 has three essential steps 92, 94 and 96.
  • in step 92, according to lines (2.3) and (2.4) of method 2, eight Montgomery squarings of the intermediate result contained in register Y are executed.
  • in step 94, which corresponds to line (2.6), a power of two whose exponent is the associated bit group 84 of the recoded exponent f is stored in register X.
  • This step 94 can be efficiently implemented by first clearing register X and then setting the one bit whose bit position is indicated by the associated bit group 84 to "1".
  • Step 96 corresponds to line (2.7) of method 2 and involves a Montgomery multiplication of registers Y and X.
  • a potential difficulty of the exponent recoding according to method 3 is that the top bit group f_n may take a value greater than 255.
  • the value 2^(f_n) in step (2.1) is then greater than the modulus m and thus too large to be stored as the initial value in register Y.
  • the register size for the modulus m is chosen such that the respective Montgomery coefficient n' satisfies the inequality 2^((4/5)n') ≤ m < 2^(n'). The condition 2^(n') > m can then, for a very small ε > 0, be sharpened as follows:
  • this value may be reduced modulo m before step 90 of FIG. 5, so that in step 90 register Y is set to the resulting remainder.
  • e n ( ⁇ n ⁇ n '/ 256)
  • it may be provided that the value of the exponent e is chosen such that f_n remains sufficiently small.
  • the calculation of the correction factor C in step 74.2 (FIG. 4) can be carried out by the following method B:
  • input values: a d-bit-wide value (e.g. the prime p') in register X; an n·d-bit-wide value (e.g. the base b) in register Y; registers: B, C, X, Y, Z
  • lines (B.1) and (B.3) correspond to lines (A.1) and (A.3) of method A and each contain a Montgomery multiplication.
  • in line (B.2) the above-described methods 2 and 3 for computing a modular power of the base √2 are executed.
  • the value k is chosen so that the exponent k·φ(X) − d·(n+1) is positive and the inequality (*) is satisfied.
  • the modulus X and the exponents each have a length of at most 16 bits, so that 16 Montgomery squarings and 4 Montgomery multiplications suffice to compute the correction factor in line (B.2).
  • the method described below is optimized both in terms of its execution speed and in terms of its spying security, i.e. its resistance to side-channel attacks.
  • with regard to spying security, a potential attack possibility arises from the fact that the remainder of the base value b of the sieve is computed modulo many small primes.
  • An attacker could in theory record the current trace (or other side-channel information) of these modular reductions and evaluate it in a side-channel attack in which the highest or lowest word of the base value b is guessed and then compared with the data spied at the beginning of each reduction.
  • the Montgomery reductions are therefore carried out not modulo a single prime but modulo a pair of primes at a time (i.e. their product).
  • the sieving process is also accelerated, because only half as many time-consuming long reductions need to be carried out.
  • tuples with more than two primes can also be used.
  • the Montgomery coefficient R is 2^128, i.e. the smallest possible register size of 128 bits that is sufficient to hold the base value b is selected. It is assumed here that the registers in which the factors b and 1 of the Montgomery reduction are stored are each 128 bits long.
  • X >> n denotes the bitwise shift of the register or constant X by n bit positions to the right, and X << n the corresponding shift to the left.
  • a suitable correction factor exponent f is computed in register F; it has the form given in line (B.2) but is additionally recoded as in method 3.
  • in lines (C.1) and (C.2) the 16-bit integer in register X is first doubled until it becomes negative.
  • in line (C.3) a value between 2 and 33 is added to the high-order byte of −X, where X is the value contained in register X.
  • the intermediate result is corrected if it is too large.
  • the correction factor exponent f in register F is computed by halving the intermediate result in register Y.
  • in lines (C.7) - (C.14) the correction factor in register R is computed by steps similar to method 2. Because of the prerequisite p' < 2^14, the at most two loop passes of method 2 that are required are "unrolled" here. More precisely, lines (C.7) - (C.9) correspond to a first Montgomery multiplication as in line (2.7) of method 2, lines (C.10) - (C.12) correspond to a seven-fold Montgomery squaring, and lines (C.13) and (C.14) correspond to a second Montgomery multiplication as in line (2.7) of method 2. If larger primes p' may occur in an alternative embodiment, method C can be modified accordingly by adding a corresponding number of further loop passes of method 2; for example, a further 7 Montgomery squarings and a further Montgomery multiplication may be carried out.
  • in lines (C.15) and (C.16) the correction factor contained in register R after line (C.14) has been executed is applied to the result r of the Montgomery reduction.
  • lines (C.1) - (C.15) of method C thus correspond to sub-step 74.2 in FIG. 4, while lines (C.15) and (C.16) correspond to sub-step 74.3.
  • the embodiments of an efficient remainder calculation and of a determination of prime candidates described here are not limited to the method sequence according to FIGS. 1 and 2; in alternative embodiments they are also used for other purposes, in particular in the field of cryptography, for execution by one or more processors.
  • the embodiments and variants described here are merely examples. Further modifications and combinations of the features described herein will be readily apparent to those skilled in the art.
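The three ideas above (a remainder computed as a Montgomery multiplication with factors b and 1 followed by a correction factor that is a power of two, methods 2 and 3 for computing such a power of two from a recoded exponent using only Montgomery squarings and single-bit multipliers, and reduction modulo a pair of primes at a time), worked through in Python as an added illustration that is not the patent's own code. It assumes the textbook Montgomery product a·b·R⁻¹ mod m with R = 2^k and derives its own exponent recoding from that convention; with that convention the correction factor is R² mod p', whereas the exponent the page gives in lines (A.2)/(B.2) depends on the coprocessor's register layout and is not reproduced. The function names, the 128-bit sample base value and the two 16-bit sample primes are constructed for the example.

```python
# Added illustration (not the patent's code).  Assumes the textbook Montgomery
# product MontMul(a, b) = a * b * R^-1 mod m with R = 2**k.  Python >= 3.8.


def mont_mul(a, b, m, k):
    """Montgomery product a*b*R^-1 mod m for odd m, R = 2**k, a*b < m*R."""
    r_mask = (1 << k) - 1
    neg_m_inv = pow(-m, -1, 1 << k)        # -m^-1 mod R
    t = a * b
    u = (t * neg_m_inv) & r_mask           # chosen so that t + u*m is divisible by R
    r = (t + u * m) >> k                   # exact division by R; r < 2m
    return r - m if r >= m else r


def recode_exponent(e, k, w=8):
    """Recoded exponent f and round count n for pow2_mont (method-3 analogue).

    Tracking the exponent y of 2^y mod m: a Montgomery squaring maps y -> 2y - k
    and a Montgomery multiplication by 2^d maps y -> y + d - k.  One round
    (w squarings, then one multiplication by the single-bit value 2^f_i) maps
    y -> 2^w * y + f_i - 2^w * k.  Starting from 2^f_n and running n rounds ends
    at exactly e when  sum_{i=0..n} 2^(w*i) f_i = e + k * sum_{j=1..n} 2^(w*j),
    so f is e plus a fixed constant.  Its top digit f_n is roughly k and thus
    usually exceeds 2^w - 1 (the page's "value greater than 255").
    """
    n = max(1, (e.bit_length() + w - 1) // w)
    f = e + k * sum(1 << (w * j) for j in range(1, n + 1))
    return f, n


def pow2_mont(e, m, k, w=8):
    """2**e mod m using only Montgomery squarings and Montgomery multiplications
    by single-bit values (method-2 analogue).  Needs m odd, m < 2**k, 2**w-1 <= k."""
    assert m & 1 and m < (1 << k) and (1 << w) - 1 <= k
    f, n = recode_exponent(e, k, w)
    digit_mask = (1 << w) - 1
    top = f >> (w * n)                     # f_n, may exceed digit_mask
    y = (1 << top) % m                     # the one plain reduction: start value (cf. step 90)
    for i in range(n - 1, -1, -1):
        for _ in range(w):                 # w Montgomery squarings (cf. step 92)
            y = mont_mul(y, y, m, k)
        d = (f >> (w * i)) & digit_mask
        # The multiplier is 2^d: a cleared register with one bit set (cf. step 94).
        # The multiplication runs for every digit, d == 0 included, so the sequence
        # of operations does not depend on the exponent ("multiply always").
        y = mont_mul(y, 1 << d, m, k)      # cf. step 96
    return y


def remainder_mont(b, p, k):
    """b mod p via two Montgomery multiplications and a correction factor.

    MontMul(b, 1) = b*R^-1 mod p.  Under the textbook convention the correction
    factor is C = R^2 mod p = 2^(2k) mod p, a power of two modulo p obtained with
    pow2_mont, and MontMul(b*R^-1, C) = b mod p.
    """
    assert p & 1 and b < (1 << k)
    r1 = mont_mul(b, 1, p, k)              # factors b and 1 (cf. sub-step 74.1)
    c = pow2_mont(2 * k, p, k, w=4)        # correction factor (cf. sub-step 74.2)
    return mont_mul(r1, c, p, k)           # correction applied (cf. sub-step 74.3)


def sieve_remainders_pair(b, p1, p2, k):
    """Remainders of b modulo two small primes with a single long reduction modulo
    their product; only the final split needs cheap single-word reductions."""
    r = remainder_mont(b, p1 * p2, k)
    return r % p1, r % p2


# Constructed sample values (not from the page): a 128-bit sieve base value and
# two 16-bit primes, with R = 2**128 as in the page's example.
B_SAMPLE = 0x9D2C5680F0A1B2C3D4E5F60718293A4B
P1_SAMPLE, P2_SAMPLE = 65521, 65519

if __name__ == "__main__":
    print(remainder_mont(B_SAMPLE, P1_SAMPLE, 128) == B_SAMPLE % P1_SAMPLE)
    print(sieve_remainders_pair(B_SAMPLE, P1_SAMPLE, P2_SAMPLE, 128))
```

The radix is a parameter: with 8-bit digits the single-bit multiplier can be as large as 2^255, which is why that variant needs R of at least 256 bits, while the 4-bit-digit variant used for the small sieve primes fits the 128-bit registers of the page's example.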

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Computing Systems (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Physics (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Complex Calculations (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method for determining the remainder of a division (modulo) of a first value (b) by a second value (p'), which consists in performing a first Montgomery multiplication with the first value (b) as one of the factors and the second value (p') as modulus (74.1), determining a correction factor (74.2), and performing a second Montgomery multiplication with the result of the first Montgomery multiplication as one of the factors, the correction factor as the other factor and the second value (p') as modulus (74.3). The invention further relates to a method for determining prime candidates, which consists in determining a base value (b) for a sieve and executing several passes of the sieve, in each of which a respective marking value (p') is determined (72) and multiples of this marking value (p') are marked in the sieve as composite numbers. In each pass of the sieve, a remainder of the division of the base value (b) by the marking value (p') is determined by means of a remainder-determination method (74) that comprises at least one Montgomery operation. The invention also relates to a device and a computer program product having corresponding features. The aforementioned methods can be implemented efficiently on suitable platforms.
EP12787360.2A 2011-10-28 2012-10-25 Détermination d'un reste d'une division et de candidats pour les nombres premiers pour application cryptographique Withdrawn EP2772005A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102011117219A DE102011117219A1 (de) 2011-10-28 2011-10-28 Bestimmen eines Divisionsrests und Ermitteln von Primzahlkandidaten für eine kryptographische Anwendung
PCT/EP2012/004476 WO2013060466A2 (fr) 2011-10-28 2012-10-25 Détermination d'un reste d'une division et de candidats pour les nombres premiers pour application cryptographique

Publications (1)

Publication Number Publication Date
EP2772005A2 true EP2772005A2 (fr) 2014-09-03

Family

ID=47189867

Family Applications (1)

Application Number Title Priority Date Filing Date
EP12787360.2A Withdrawn EP2772005A2 (fr) 2011-10-28 2012-10-25 Détermination d'un reste d'une division et de candidats pour les nombres premiers pour application cryptographique

Country Status (5)

Country Link
US (1) US20140286488A1 (fr)
EP (1) EP2772005A2 (fr)
CN (1) CN104012029A (fr)
DE (1) DE102011117219A1 (fr)
WO (1) WO2013060466A2 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102011122273A1 (de) * 2011-12-23 2013-06-27 Giesecke & Devrient Gmbh Vorrichtung und Verfahren zum Erzeugen von digitalen Bildern
CN105373366B (zh) * 2015-10-12 2018-11-09 武汉瑞纳捷电子技术有限公司 一种生成大素数的方法及装置
US11508263B2 (en) * 2020-06-24 2022-11-22 Western Digital Technologies, Inc. Low complexity conversion to Montgomery domain

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4405829A (en) 1977-12-14 1983-09-20 Massachusetts Institute Of Technology Cryptographic communications system and method
JPH0720778A (ja) * 1993-07-02 1995-01-24 Fujitsu Ltd 剰余計算装置、テーブル作成装置および乗算剰余計算装置
FR2743908B1 (fr) * 1996-01-18 1998-02-27 Sgs Thomson Microelectronics Procede de production d'un parametre de correction d'erreur associe a la mise en oeuvre d'operation modulaire selon la methode de montgomery
FR2771525B1 (fr) * 1997-11-24 2002-10-11 Sgs Thomson Microelectronics Procede de production d'un parametre de correction d'erreur associe a la mise en oeuvre d'operation modulaire selon la methode de montgomery
JP2000132376A (ja) * 1998-10-27 2000-05-12 Fujitsu Ltd 剰余演算方法,乗算剰余演算方法,剰余演算装置,乗算剰余演算装置及び記録媒体
US7046800B1 (en) * 2000-03-31 2006-05-16 State Of Oregon Acting By And Through The State Board Of Higher Education On Behalf Of Oregon State University Scalable methods and apparatus for Montgomery multiplication
GB2383435A (en) * 2001-12-18 2003-06-25 Automatic Parallel Designs Ltd Logic circuit for performing modular multiplication and exponentiation
DE50302617D1 (de) 2002-09-11 2006-05-04 Giesecke & Devrient Gmbh Geschützte kryptographische berechnung
DE102004007615A1 (de) 2004-02-17 2005-09-01 Giesecke & Devrient Gmbh Ermitteln eines Datenwerts, der mit überwiegender Wahrscheinlichkeit eine Primzahl repräsentiert
US7278090B2 (en) * 2004-03-31 2007-10-02 Nxp B.V. Correction parameter determination system
DE102004044453A1 (de) 2004-09-14 2006-03-30 Giesecke & Devrient Gmbh Probabilistischer Primzahltest und probabilistische Primzahlermittlung
JP4351987B2 (ja) * 2004-11-19 2009-10-28 株式会社東芝 モンゴメリ変換装置、演算装置、icカード、暗号装置、復号装置及びプログラム
JP4662802B2 (ja) * 2005-03-30 2011-03-30 富士通株式会社 計算方法、計算装置及びコンピュータプログラム
US20100287384A1 (en) * 2005-06-29 2010-11-11 Koninklijke Philips Electronics, N.V. Arrangement for and method of protecting a data processing device against an attack or analysis
FR2917198B1 (fr) * 2007-06-07 2010-01-29 Thales Sa Operateur de reduction modulaire ameliore.
JP5328186B2 (ja) * 2008-03-21 2013-10-30 ルネサスエレクトロニクス株式会社 データ処理システム及びデータ処理方法
US8862651B2 (en) * 2008-10-30 2014-10-14 Certicom Corp. Method and apparatus for modulus reduction
DE102010051853A1 (de) * 2010-11-18 2012-05-24 Giesecke & Devrient Gmbh Verfahren zur Langzahldivision

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2013060466A2 *

Also Published As

Publication number Publication date
WO2013060466A2 (fr) 2013-05-02
DE102011117219A1 (de) 2013-05-02
WO2013060466A3 (fr) 2013-10-03
CN104012029A (zh) 2014-08-27
US20140286488A1 (en) 2014-09-25

Similar Documents

Publication Publication Date Title
EP2771782B1 (fr) Test de primalité efficace
EP3593483B1 (fr) Transition d'un masquage booléen à un masquage arithmétique
DE102005037598A1 (de) Verfahren und System zur Sicherung von Daten
EP1922837B1 (fr) Procede de codage ou decodage securise d'un message
DE10219158B4 (de) Vorrichtung und Verfahren zum Berechnen eines Ergebnisses einer modularen Multiplikation
DE10357661B4 (de) Modularer Montgomery-Multiplizierer und zugehöriges Multiplikationsverfahren
EP2772005A2 (fr) Détermination d'un reste d'une division et de candidats pour les nombres premiers pour application cryptographique
EP2641241B1 (fr) Procédé de division longue ou de réduction modulaire
EP2587713B1 (fr) Inversion modulaire efficace avec test de primalité
EP1999571B1 (fr) Procédé et dispositif de réduction d'un polynôme dans un champ fini binaire, en particulier dans le cadre d'une application cryptographique
EP1478999B1 (fr) Dispositif et procede pour convertir un terme
DE10161137A1 (de) Verfahren und System zum kryptographischen Bearbeiten von Daten
DE10219164B4 (de) Vorrichtung und Verfahren zum Berechnen eines ganzzahligen Quotienten
DE10042234A1 (de) Verfahren und Vorrichtung zum Durchführen einer modularen Exponentiation in einem kryptographischen Prozessor
DE102004001659B4 (de) Vorrichtung und Verfahren zum Konvertieren einer ersten Nachricht in eine zweite Nachricht
EP2128754B1 (fr) Exponentiation sûre de fenêtre coulissante
WO2001052051A2 (fr) Procede et dispositif pour realiser une inversion en particulier lors du cryptage au moyen de courbes elliptiques
EP3542262B1 (fr) Multiplication de points sur un élargissement d'une courbe elliptique
EP1271304B1 (fr) Procédé pour le calcul des inverses modulaires de deux nombres
DE102004022647B4 (de) Verfahren und Vorrichtung zur Ermittlung der Anzahl von abgelaufenen Taktzyklen eines binären Zufallsgenerators
EP2455852B1 (fr) Procédé de division à nombres longs
DE10357751A1 (de) Vorrichtung und Verfahren zum Bereitstellen einer Testzahl
DE102012204971A1 (de) Verfahren und Schaltung zur Approximation von Logarithmuswerten

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20140528

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GIESECKE+DEVRIENT MOBILE SECURITY GMBH

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20171128