FR3076013A1 - CRYPTOGRAPHIC PROCESSING METHOD, COMPUTER PROGRAM, AND DEVICE THEREFOR - Google Patents

Abstract

A method for the cryptographic processing of a data item (x), by predetermined module modular exponentiation, comprises the following steps: masking a cryptographic key (K) by adding, to the cryptographic key (K), a multiple (M) the Euler indicator (φ (N)) associated with the predetermined module; determining the quotient (q) and the remainder (r) of the entire division of the masked cryptographic key (K *) by a constant (v); obtaining a first number (N1) by modular exponentiation of the data at a first exponent equal to the product of the quotient (q) by the constant (v) modified as a function of the remainder (r); obtaining a second number (N2) by modular exponentiation of the data (x) at a second exponent determined as a function of the quotient (q) and the remainder (r); - Modular multiplication of the first number (N1) and the second number (N2). A computer program and an associated device are also described.

Description

Technical field to which the invention relates

The present invention relates generally to the field of cryptography.

It relates more particularly to a cryptographic processing method, as well as a computer program and an associated device.

Technological background

Certain cryptographic processing methods, such as the RSA algorithm, implement a modular exponentiation of the data to be processed (the exponent corresponding to a cryptographic key to be applied).

In order to counter possible attacks, it is known to randomly modify the data manipulated each time the algorithm is implemented (even when the data processed and the cryptographic key applied are identical).

For example, it has been proposed to mask the cryptographic key by adding a random multiple of the Euler indicator associated with the module used, which makes it possible to modify the data used without affecting the exponentiation result. modular.

It has also been proposed, as an alternative, to perform each time an entire division of the cryptographic key by a random number (providing a different quotient and remainder each time) and then to carry out two modular exponentiations: l 'one with exposing the product of the quotient and the random number, the other with exposing the rest (the result of the algorithm being obtained by combining the two results of modular exponentiation by modular multiplication).

Each of these countermeasures may however prove to be ineffective for certain values of a cryptographic module or key, which makes possible certain attacks when the attacker can have an influence on the process of generation of the cryptographic key.

Object of the invention

In this context, the present invention provides a method of cryptographic processing of data by modular exponentiation of predetermined module, comprising the following steps: - masking of a cryptographic key by adding, to the cryptographic key, a multiple of l 'Euler indicator associated with the predetermined module; - determination of the quotient and the remainder of the entire division of the cryptographic key masked by a constant; - obtaining a first number by modular exponentiation of the data to a first exponent equal to the product of the quotient by the constant modified as a function of the remainder; - obtaining a second number by modular exponentiation of the data to a second exponent determined according to the quotient and the rest; - modular multiplication of the first number and the second number.

According to this conception, it is possible to choose the aforementioned constant (for example 232-1 or 232 + 1) so as to make the abovementioned whole division almost immediate, as explained in the description which follows.

The first exponent used above is of the order of magnitude of the product of the quotient by the constant, but is also somehow masked by the intervention of the rest.

The second exponent used above allows to take into account the rest in the modular exponentiation, but also to correct the modification of the first exponent due to the intervention of the rest.

It also provides protection against possible attacks whatever the value of the module and the value of the cryptographic key since both masking by a multiple of the Euler indicative and separation of the exhibitor in two separate parts each time, without significantly increasing the computational cost. Other non-limiting and advantageous characteristics of such a process, taken individually or according to all technically possible combinations, are the following: - said multiple of the Euler indicator is determined by multiplication of the Euler indicator by a random number; - the first exponent is equal to the product of the quotient by the constant minus the rest; - the second exponent is equal to the product of the quotient incremented by one and the rest; - said constant is an integer power of two reduced by one or incremented by one; The invention also provides a computer program comprising instructions executable by a processor designed to implement a method as presented above when these instructions are executed by the processor. The invention also provides a device for cryptographic processing of data by modular exponentiation of a predetermined module, comprising: a module for masking a cryptographic key by adding, to the cryptographic key, a multiple of the indicator d 'Euler associated with the predetermined module; - a module for determining the quotient and the remainder of the entire division of the cryptographic key masked by a constant; - a module for obtaining a first number by modular exponentiation of the data to a first exponent equal to the product of the quotient by the constant modified as a function of the remainder; - a module for obtaining a second number by modular exponentiation of the data to a second exponent determined according to the quotient and the rest; - a modular multiplication module of the first number and the second number.

This device can also include a module for determining the multiple of the Euler indicator by multiplying the Euler indicator by a random number.

This device can also include at least some of the optional characteristics presented above in terms of process.

Detailed description of an exemplary embodiment

The description which follows with reference to the appended drawings, given by way of nonlimiting examples, will make it clear what the invention consists of and how it can be carried out.

In the accompanying drawings: - Figure 1 shows schematically the main elements of a device in which the invention can be implemented; - Figure 2 shows, in functional form, the device of Figure 1; and - Figure 3 shows, in the form of a flowchart, an example of a process implemented in the device of Figure 1 and according to the invention.

FIG. 1 schematically represents the main elements of a cryptographic data processing device, here an electronic entity 1, within which the invention is implemented. This electronic entity is for example a microcircuit card, such as a universal integrated circuit card (or U ICC for "Universal Integrated Circuit Card"). As a variant, it could be a secure element (or SE for "Secure Element") - for example a secure microcontroller, a portable electronic device (or "hand-held electronic device" according to the English name). Saxon) - for example a communication terminal or an electronic passport, or a computer. The electronic entity 1 comprises a processor 2 (here a microprocessor), a random access memory 4 and a rewritable non-volatile memory 6 (for example EEPROM for "Electrically Erasable and Programmable Read-Only Memory"). The electronic entity 1 could possibly also include a read-only memory. The random access memory 4 and the rewritable non-volatile memory 6 (as well as if necessary the memory dead) are each linked to processor 2 so that processor 2 can read or write data in each of these memories.

One of these memories, for example the rewritable non-volatile memory 6, stores computer program instructions which allow, when these instructions are executed by the processor 2, the implementation of the functional modules presented below with reference to FIG. 2 and / or the implementation of a method by the processor 2, such as the method described below with reference to FIG. 3.

The memories 4, 6 also store data representative of values used during the implementation of the methods described below. For example, the rewritable non-volatile memory 6 stores a cryptographic key K (such as a private key) used in the cryptographic processing methods executed by the electronic entity 1 (such as the method described below with reference to the figure 3).

The rewritable non-volatile memory 6 also stores a constant v (for example equal to 232-1 or 232 +1) used in the method described below with reference to FIG. 3.

As described below, the electronic entity 1 makes it possible to perform modular arithmetic calculations with a predetermined module N and thus also stores in the non-volatile memory 6 the Euler indicator cp (N) associated with this module N. As a variant, the Euler indicator cp (N) could be calculated at each iteration of the cryptographic algorithm concerned and would not then be stored within the electronic entity 1.

We place ourselves here in the case of an implementation of the RSA algorithm using the Chinese remainder theorem (or RSA CRT according to the Anglo-Saxon name). In such an implementation, the module N used in the calculations is a prime number and the data x processed is therefore a prime number with the predetermined module N.

The random access memory 4 also stores, for example within variables, data processed during the methods described below. The electronic entity 1 also comprises a communication interface 8 with external electronic devices. In the case described here where the electronic entity 1 is a microcircuit card, the communication interface 8 comprises, for example, contacts which are flush with one face of the microcircuit card. As a variant, the communication interface 8 could be produced by a contactless communication module. In general, the communication interface 8 can be a communication module (wired or wireless) with another electronic entity.

The processor 2 can thus receive as input a data x coming from the other electronic entity via the communication interface 8 and output as another data, for example the result y obtained by application of a cryptographic algorithm (such as that described below with reference to FIG. 3) to the data x, destined for the other electronic entity via the communication interface 8.

FIG. 2 represents the electronic device of FIG. 1 (that is to say here the electronic entity 1) in the form of functional modules 10, 12, 14, 16, 18, 20, 22, each produced here by means processor 2, random access memory 4 and a corresponding part of the instructions stored in non-volatile memory 6 and executable by processor 2. The electronic entity 1 comprises a first module 10 designed to determine a multiple M of l indicator of Euler cp (N) by multiplication of the indicator of Euler (memorized in the non-volatile rewritable memory 6 or in a variant calculated within the first module 10) by a random number VAL (obtained for example by drawing random within the processor 2). The electronic entity 1 also includes a second module 12 designed to mask the cryptographic key K (stored in the rewritable non-volatile memory 6) by adding to the cryptographic key K the multiple M of the Eulerian indicative cp (N) determined by the first module 10. The electronic entity 1 comprises a third module 14 designed to determine the quotient q and the remainder r of the integer division of the masked cryptographic key K * (produced by the second module 12) by the constant v stored in the rewritable non-volatile memory 6. It is recalled that the constant v is here equal to 232-1 (or as a variant to 232 + 1). The constant could however have another value, for example of the type 2a-1 (with a> 16).

According to one possible implementation, the remainder r can for example be determined (within the third module 14) by means of a method known as "Pascal ribbon · ', presented for example in the prologue" M. Pascal’s Division Machine "from the book" Elements of Automata Theory ”, by J. Sakarovitch, pp. 1-6, Cambridge, 2009, using r = K * mod v.

The quotient can then for example be determined by dividing (K * -r) by v (this last division being exact, that is to say having a zero remainder), for example by determining the inverse v'1 of the constant v and by multiplying (K * -r) by v'1 (in the sense of the modular multiplication of module 21 where I is the length of the cryptographic key K). The electronic entity 1 comprises a fourth module 16 designed to receive the data x on the communication interface 8 and supply this data x to the fifth module 18 and to the sixth module 20 described below. The electronic entity 1 indeed comprises a fifth module 18 designed to obtain a first number N1, here equal to xq (v'r), by modular exponentiation of the data x to a first exponent equal to the product of the quotient q by the constant v modified according to the rest r. Precisely here, as already indicated, the first exponent is equal to the product of the quotient q by the constant v modified by subtraction from the remainder r (i.e. to the product of the quotient q by the constant v minus the rest r). Recall that the quotient q and the rest r are produced by the third module 14 mentioned above.

Note that we could alternatively use another value of first exponent equal to the product of the quotient q by the modified constant v of the remainder r, for example a first exponent equal to q (v + r). The electronic entity 1 also includes a sixth module 20 designed to obtain a second number N2, here equal to xr (q + 1), by modular exponentiation of the data x to a second exponent determined as a function of the quotient q and of the remainder r . Precisely here, as already indicated, the second exponent is equal to the product of the incremented quotient of 1 (ie q + 1) and the remainder r.

As shown in dotted lines in FIG. 2, the sixth module 20 can optionally use a partial result provided by the fifth module 18 (as explained below with respect to the variable xi determined in step E14 and used in step E18 ).

As for the first exponent, we could alternatively use another value of second exponent determined as a function of the quotient q and the remainder r. In the variant mentioned above where the first exponent is equal to q (v + r), the second exponent determined as a function of the quotient q and the remainder may be for example r (1-q).

Finally, the electronic entity 1 comprises a seventh module 22 designed to perform a modular multiplication of the first number N1 and the second number N2 in order to obtain the desired result there. Indeed, x being prime with N: N1 N2 mod N = xq (v'r) xr (q + 1) mod N = xqv + r mod N = xK * mod N = xK mod N.

Note that, as indicated above, the modular multiplications and the modular exponentiations mentioned above are multiplications modulo the predetermined number N already mentioned.

FIG. 3 represents, in the form of a flow diagram, an example of a process in accordance with the invention.

This process is implemented here in the electronic entity 1, within the framework of the functional architecture described above. The invention is not, however, limited to implementation in such an electronic entity.

The method described below is a method of cryptographic processing of the data x, for example a cryptographic method of decrypting the data x by means of the cryptographic key (commonly designated in this case private key) K, or a cryptographic method of signature of the data x by means of the cryptographic key (commonly designated in this case private key) K.

The method of FIG. 3 begins at step E2 by the reception of the data x by the processor 2 via the communication interface 8.

The processor 2 then determines a number VAL, here by random drawing (step E4).

The processor 2 can thus determine in step E6 a multiple M (here random) of the Euler indicator φ (Ν) by multiplying the Euler indicator (stored here in the rewritable non-volatile memory 6 as already indicated or in a variant calculated within step E6) by the number VAL determined in step E4: M = VAL φ (Ν).

In the embodiment of FIG. 2, steps E4 and E6 are implemented by the first module 10.

The processor 2 then proceeds to step E8 to mask the cryptographic key K (stored in the rewritable non-volatile memory) by adding the multiple M determined in step E6 and the cryptographic key K, which makes it possible to obtain the hidden key K *: K * = K + M.

In the embodiment of FIG. 2, step E8 is implemented by the second module 12.

The processor 2 can thus determine in step E10 the remainder r of the integer division of the masked key K * by the constant v, then, in step E12, the quotient q of the integer division of the masked key K * by the constant v. In the embodiment of FIG. 2, these steps E10 and E12 are implemented by the third module 14.

The processor 2 will then proceed to the desired modular exponentiation calculation (of predetermined module N) as follows.

The processor 2 first of all performs in step E14 the modular exponentiation of the data x using the quotient q (determined in step E12) as an exponent and stores (for example in the RAM 4) the result of this modular exponentiation in a variable xi: xi = xq mod N.

Note that the value of the masked key K * is different at each implementation of the method (thanks to the use of the random number VAL) and that the value of the quotient q (used as an exponent) is therefore also different each time the process is implemented. Thus, the content of the variable x-i (then of the variable x2 mentioned below) is different each time the steps described below are implemented.

The processor 2 then performs in step E16 the modular exponentiation of the variable x-ι (determined in step E14) using an exponent equal to the difference between the constant v and the remainder r, and stores the result of this modular exponentiation in a variable x2: X2 = x / 'r rnod N.

In the embodiment of FIG. 2, steps E14 and E16 are implemented by the fifth module 18 and the value of the variable x2 (after step E16) corresponds to the first number N1 produced by the fifth module 18. (We have indeed: x2 = x-iv'r mod N = xq (v'r) mod N = N1.)

The processor 2 then performs in step E18 the modular multiplication of the content of the variable xi by the data x and stores the result (which is therefore equal to xq + 1 mod N) in the variable Xi (with overwriting).

The processor 2 performs in step E20 the modular exponentiation of the variable xi to an exponent equal to the remainder r and stores the result in the variable Xi (with overwriting). At the end of step E20, the variable Xi is therefore equal to: xr (q + 1) mod N.

In the embodiment of FIG. 2, steps E18 and E20 are implemented by the sixth module 20 and the value of the variable xi (after step E20) corresponds to the second number N2 produced by the sixth module 20.

The processor 2 can thus proceed in step E22 to the modular multiplication of the variable Xi and of the variable x2, which makes it possible to obtain the desired result y. Indeed, as already indicated (x being prime with N): y = x-Γ x2 mod N = xr (q + 1) xq (v “r) mod N = xqv + r mod N = xK * mod N = xK mod N.

In the embodiment of FIG. 2, step E22 is implemented by the seventh module 22.

The processor 2 can then transmit the result y via the communication interface 8 (step E24).

Claims (11)

1. Method for cryptographic processing of data (x) by modular exponentiation of predetermined module (N), comprising the following steps: - masking (E8) of a cryptographic key (K) by addition, to the cryptographic key (K ), a multiple (M) of the Euler indicator (φ (Ν)) associated with the predetermined module (N); - determination (E10, E12) of the quotient (q) and the remainder (r) of the entire division of the masked cryptographic key (K *) by a constant (v); - obtaining (E14, E16) of a first number (N1) by modular exponentiation of the data (x) to a first exponent equal to the product of the quotient (q) by the constant (v) modified according to the remainder (r) ; - obtaining (E14, E18, E20) of a second number (N2) by modular exponentiation of the data (x) to a second exponent determined according to the quotient (q) and the remainder (r); - modular multiplication (E22) of the first number (N1) and the second number (N2). 2. Method according to claim 1, in which said multiple (M) of the Euler indicator (cp (N)) is determined by multiplication of the Euler indicator (cp (N)) by a random number ( VAL). 3. Method according to claim 1 or 2, wherein the first exponent is equal to the product of the quotient (q) by the constant (v) minus the remainder (r) · 4. Method according to one of claims 1 to 3, wherein the second exponent is equal to the product of the quotient (q) incremented by one and the remainder (r). 5. Method according to one of claims 1 to 4, wherein said constant (v) is an integer power of two reduced by one or incremented by one. 6. Computer program comprising instructions executable by a processor (2) designed to implement a method according to one of claims 1 to 5 when these instructions are executed by the processor (2). 7. Device (1) for cryptographic processing of data (x) by modular exponentiation of predetermined module (N), comprising: - a module (12) for masking a cryptographic key (K) by addition, to the key cryptographic (K), a multiple (M) of the Eulerian indicative (φ (Ν)) associated with the predetermined module (N); - a module (14) for determining the quotient (q) and the remainder (r) of the entire division of the hidden cryptographic key (K *) by a constant (v); - a module (18) for obtaining a first number (N1) by modular exponentiation of the data (x) to a first exponent equal to the product of the quotient (q) by the constant (v) modified as a function of the remainder ( r); - a module (20) for obtaining a second number (N2) by modular exponentiation of the data (x) to a second exponent determined as a function of the quotient (q) and the remainder (r); - a module (22) for modular multiplication of the first number (N1) and the second number (N2). 8. Device according to claim 7, comprising a module (10) for determining the multiple (M) of the Euler indicator (φ (Ν)) by multiplication of the Euler indicator (<p (N)) by a random number (VAL). 9. Device according to claim 7 or 8, wherein the first exponent is equal to the product of the quotient (q) by the constant (v) minus the remainder (r). 10. Device according to one of claims 7 to 9, in which the second exponent is equal to the product of the quotient (q) incremented by one and the remainder (r). 11. Device according to one of claims 7 to 10, wherein said constant (v) is an integer power of two reduced by one or incremented by one.