JP2004304800A - Protection of side channel for prevention of attack in data processing device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce information leaking out to side channels as much as possible, because attacks on the side channels get sophisticated recently, to make it more difficult so that the errors are introduced into a data processing device, to detect the tried attacks as to cope with this technical problem, and to protect the data processing device, such as smart cards or the like against the attacks. <P>SOLUTION: The data processing device comprises a processing means which carries out processing operations, including a modular power method operation of a format of [m<SP>d</SP>mod N] having an exponent d and a modulus N and a radix blinding means which reduces the amount of side channel information leaking out from the data processing device, by changing the radix m before the power method operation is carried out, without affecting the result of the modular power method operation by producing an integer k, multiplying the integer k with the modulus N, and adding the multiplication result to the radix m. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to prevention of side channel attacks in a data processing device, for example, a smart card using an encryption algorithm to keep data secret.

  FIG. 1 of the accompanying drawings is a block diagram showing the main parts of a typical smart card known as an integrated circuit card (ICC). The smart card 1 of FIG. 1 includes a memory unit 3, a central processing unit (CPU) 5, an input / output (I / O) unit 7, and a processing unit 9. The CPU 5 performs bidirectional communication with the memory unit 3, the I / O unit 7, and the processing device 9. These parts are usually contained within one integrated circuit embedded in the smart card 1. The smart card 1 may be a contact type or a non-contact type.

  The smart card 1 can communicate with external devices via the POWER and CLK channels to receive the required power and clock signals CLK (although some smart cards have an internal power supply or clock source), Data can be communicated to and from the smart card 1 by communicating with external devices via the I / O channel. Such communication may be by electrical signals via contact pins of the contact card or by inductive, capacitive or optical coupling of the contactless card.

  Smart cards find many uses where the security and integrity of the data stored on the card and the data communicated to or from the card are of paramount importance. For example, a smart card may serve as an identification card used to prove the identity of the cardholder. A smart card can also be used as a medical card that stores a person's entire medical history. In addition, smart cards can be used as credit / debit bank cards that allow offline transactions. For this reason, smart cards generally have encryption / decryption capabilities so that sensitive data can be encrypted before leaving the card via the I / O channel.

  In the smart card 1 shown in FIG. 1, such encryption is performed by the processing device 9. For example, when data stored in the memory unit 3 needs to communicate with an external request device via an I / O channel, this data is requested from the memory unit 3 by the CPU 5 and is processed as input data DIN by the processing unit 9 Sent to. The processing device 9 encrypts the input data DIN to generate encrypted output data DOUT. DOUT is returned to the CPU 5, transferred to the I / O unit 7, and subsequently transmitted to an external request device via an I / O channel.

  Any suitable encryption model can be used in the processing device 9 to perform the encryption. Examples of encryption algorithms used in smart cards include Data Encryption Standard (DES), Triple DES, Advanced Encryption Standard (AES), High Speed Data Encryption Algorithm (FEAL), and International Data Encryption Algorithm (IDEA). There is symmetric (or secret) key cryptography. Alternatively, the use of asymmetric (or public) key encryption algorithms, such as the Rivest-Shamir-Aldreman (RSA) algorithm and the Rabin encryption scheme, is possible.

FIG. 2 of the accompanying drawings is a block diagram illustrating a conventional encryption model representing both a public key cryptosystem and a secret key cryptosystem. In this model, two parties, X and Y, attempt to conduct private communication over public channel 13 using cryptography. Party X encrypts plaintext P using encryption unit E, using encryption key K _X (which is a public key in an asymmetric encryption model and a secret key in a symmetric encryption model), A ciphertext C to be communicated to the party Y via the public channel 13 is generated. Party Y by using the secret key K _Y corresponding to the enciphering unit D and the key K _X, to decrypt the ciphertext C, and reproduce the original plaintext P.

However, the third party Z eavesdrops on the private exchange between X and Y by monitoring the public channel 13. Third party Z, all the details of the cryptographic algorithms used, resulting know all but the secret key K _X, has a sample of many ciphertext, some plaintext and a pair of a ciphertext ( (With plaintext obtained from either party X or party Y by some other means). The information collected in this way is then subjected to computationally intensive cryptanalysis to decrypt the used cipher and determine the secret key used to generate or decrypt the ciphertext.

  However, modern encryption techniques have been developed to be more resistant to such conventional attacks based on brute-force computational analysis of information gathered in conventional ways. Accordingly, the use of less obscure information sources based on the physical implementation of the encryption system has recently received attention.

  In practice, a cryptographic system interacts with its environment and is implemented on a physical device that is affected by the environment. Electronic devices such as pagers and smart cards consume power, emit radiation, and respond to temperature changes and electromagnetic fields during operation. These physical interactions can be manipulated and monitored by a third party, such as Z, to provide information useful in cryptanalysis. The conventional cryptographic model shown in FIG. 2 does not consider the physical side effects of using cryptography in the real world, and a more realistic model is the "side channel" as shown in FIG. 3 of the accompanying drawings. Can be explained using the concept of The side channel is a source of information specific to the physical implementation, and attacks using such information are called "side channel attacks".

  For example, the amount of time it takes to calculate a cryptographic function depends not only on what the function does, but also on what input is passed. In addition to the message to be encrypted, the encryption function typically takes a secret key as input, and thus the value of the secret key can affect publicly observable timing characteristics. Such an attack based on timing side channel information is proposed by Paul Kocher et al. In an article named "Timing Attack on Implementation of Diffie-Hellman, RSA, DSS and Other Systems" (CRYPTO $ 96). This document outlines a cryptanalysis method that can analyze a measure of the time it takes an attacker to calculate some RSA signatures and guess the secret key of the signing entity.

  In addition, the electronic device draws current from the power supply during operation. The amount of current drawn by an electronic device, or power consumption, varies as logic gates (typically CMOS) switch during the operation of the encryption algorithm. Power consumption is useful to the adversary as it correlates with the computation being performed. One of the most threatening types of power analysis based side channel attacks is the type called Differential Power Analysis (DPA) proposed by Kocher et al. In the document "Differential Power Analysis" CRYPTO '99. belongs to.

  Another form of side channel attack is based on artificially introducing errors into the encryption system and subsequently monitoring the effects caused by the errors. In a document entitled "On the Importance of Checking Cryptographic Protocols for Faults" (1997), Boneh, DeMillo and Lipton are based on the observation of errors induced in hardware device leak information for implemented encryption algorithms. Introduces side channel attacks using mistakes. By exposing the encryption device to ionization or microwave radiation, errors can be introduced into random bit positions in one of the registers, which can be used to factor the coefficients of the RSA public key cryptographic algorithm. Bihim and Shamir proposed an error-based channel attack called differential error analysis (DFA) in a document named "Differential Fault Analysis of Secret Key Cryptosystems" (CRYPTO'97). This attack works against symmetric or secret key cryptosystems such as DES. The DFA can use less than 200 ciphertexts (no plaintext) to find the last DES round key and even reveal the structure of an unknown cryptosystem implemented in a smart card. The best non-side-channel attacks on DES require slightly less than 64 terabytes of plaintext and one key encrypted ciphertext.

  Such side-channel attacks can be applied to a wide variety of data processing devices to reveal confidential information about the physical implementation of the device. As such side-channel attacks have become more sophisticated, such techniques have been developed by minimizing information leaking into the side-channel, making it more difficult to introduce errors, and detecting attempted attacks. It is important to address security challenges and protect data processing devices such as smart cards from such attacks.

1. Processing means for performing a processing operation including a modular exponentiation operation of the form ^md mod N having a radix m, a power exponent d and a modulus N;
Generating the integer k, multiplying the integer k by a modulus N, and adding the result of the multiplication to the radix m without affecting the result of the modular exponentiation operation. A radix blinding means for changing the radix m before the operation is performed to reduce the amount of side channel information leaking from the device.

  2. The apparatus of claim 1, wherein said radix blinding means changes said radix m in an unpredictable manner.

  3. The apparatus of claim 2, wherein said radix blinding means generates said integer k according to a pseudo-random algorithm.

  4. The apparatus of items 1 to 3, wherein the radix blinding means generates a new integer k every time such a modular exponentiation operation is performed.

  5. 5. The apparatus of items 1-4, wherein said modular exponentiation operation is part of a cryptographic algorithm.

  6. The apparatus of claim 5, wherein the encryption algorithm is an RSA algorithm.

  7. Generating an integer i, calculating an Euler-Chiient function φ (N) of N, multiplying the Euler-Chiient function φ (N) by the integer i, and the result of the multiplication by the exponent d To further reduce the amount of side channel information leaking from the device by changing the exponent d before the exponentiation operation is performed without affecting the result of the modular exponentiation operation 7. The apparatus of items 1 to 6, further comprising power exponential blinding means.

  8. The apparatus of items 1-7, wherein the modular exponentiation operation is performed as a series of intermediate calculations.

  9. The apparatus of claim 8, wherein the modular exponentiation operation is performed according to a square and multiplication technique.

  10. The apparatus of claim 8 or 9, wherein the intermediate calculation is performed such that the effect of changing the radix m continues throughout the execution of the modular exponentiation operation.

11. The modulo reduction operation mod N is performed after the exponentiation operation in the form ^{m d} is complete, device items 8, 9 or 10.

  12. 12. The apparatus of items 8-11, wherein said modulo reduction operation mod N is performed after one or more of said intermediate calculations.

13. Generating an integer j and generating a blinded modulus W by multiplying the unblinded modulus N by the integer j; and providing the processing means with the power operation in accordance with equation ( ^md mod W). 12. The apparatus of items 1-11, further comprising modulus blinding means for causing the apparatus to further reduce the amount of side channel information leaking from the apparatus without affecting the result of the modular exponentiation operation.

  14． The apparatus of claim 13, wherein the modulo reduction operation mod W is performed after one or more of the intermediate calculations when interpreted as being dependent on item 8.

15. A data processing method used in a data processing apparatus that performs a processing operation including a modular exponentiation operation of a form ^md mod N having a radix m, a power exponent d, and a modulus N,
Generating the integer k, multiplying the integer k by a modulus N, and adding the result of the multiplication to the radix m without affecting the result of the modular exponentiation operation. Changing the radix m before the operation is performed to reduce the amount of side channel information leaking from the device.

  16. A data processing apparatus substantially as described above with reference to FIGS.

  17. A data processing method substantially as described above with reference to FIGS.

  18. A smart card comprising the data processing device according to any one of items 1 to 14 and 16.

  19. An operating program which, when loaded into a data processing device, causes the device to be a device according to any one of claims 1 to 14 and 16 or a smart card of item 18.

  20. An operating program, which when executed on a data processing device, causes the device to perform the method of item 15 or 17.

  21. 21. An operating program according to item 19 or 20, executed on a carrier medium.

  22. Item 22. The operating program of item 21, wherein the carrier medium is a transmission medium.

  23. Item 22. The operating program of item 21, wherein the carrier medium is a storage medium.

According to a first aspect of the present invention, processing means for performing a processing operation including a modular exponentiation operation of a form ^md mod N having a radix m, a power exponent d and a modulus N, generating an integer k, Multiplying the result of the multiplication by the modulus N, and adding the result of the multiplication to the radix m, thereby changing the radix m before the exponentiation operation is performed without affecting the result of the modular exponentiation operation. Radix blinding means for reducing the amount of side channel information leaking from the data processing apparatus.

Therefore, the modular exponentiation operation actually performed is (m + k * N) ^d mod N. In the context of this description, a request to reduce the amount of side channel information leaking from a device means a request to reduce the amount of side channel information that may be of some use to an attacker. In other words, it is the leakage of secret information that should ideally be prevented from leaking from the device to the outside via the side channel. This has the same effect as making side channel attacks more difficult. Thus, embodiments of the present invention provide a real technical advantage.

  The radix blinding means preferably generates the integer k and changes the radix m in an unpredictable manner, for example, according to a random or pseudo-random algorithm. The radix blinding means preferably generates a new integer k every time such a modular exponentiation operation is performed. The modular exponentiation operation may be part of a cryptographic algorithm such as the RSA algorithm.

  The data processor generates the integer i, calculates the Euler-Chiient function φ (N) of N, multiplies the Euler-Chiient function φ (N) by the integer i, and multiplies the exponent d. By adding the results, the power exponent d can be changed before the exponentiation operation is performed without affecting the result of the modular exponentiation operation to further reduce the amount of side channel information leaking from the device. It may further include exponential blinding means.

  The modular exponentiation operation may be performed as a series of intermediate calculations, for example, according to squaring and multiplication techniques. The intermediate calculation is preferably performed such that the effect of changing the radix m continues throughout the execution of the modular exponentiation operation. The effects mentioned are the technical effects of reducing the amount of side channel information leaking from the device, ie the technical effects that make side channel attacks more difficult.

Modulo reduction operation mod N may be performed after the exponentiation operation in the form m ^d is complete. The modulo reduction operation mod N may also be performed after one or more intermediate calculations.

The data processing apparatus generates an integer j, and generates a blinded modulus W by multiplying the unblinded modulus N by the integer j, and instructs the processing means to use a power method according to the equation ( ^md mod W). Modulus blinding means may be further included for performing the operation and further reducing the amount of side channel information leaking from the device without affecting the result of the modular exponentiation operation.

  If the modular exponentiation operation is performed as a series of intermediate calculations using such modulus blinding means, the modulo reduction operation mod W, rather than the modulo reduction operation mod N, may be performed after one or more intermediate calculations. .

According to a second aspect of the present invention, there is provided a data processing method used in a data processing apparatus for performing a processing operation including a modular exponentiation operation of a form ^md mod N having a radix m, an exponent d and a modulus N, Generating the integer k, multiplying the integer k by the modulus N, and adding the result of the multiplication to the radix m before the exponentiation operation is performed without affecting the result of the modular exponentiation operation And changing the radix m to reduce the amount of side channel information leaking from the device.

  According to a third aspect of the present invention, there is provided a smart card including the data processing device according to the first aspect of the present invention.

  According to a fourth aspect of the invention, an operating program, when loaded into a data processing device, makes the device an apparatus according to the first aspect of the invention or a smart card according to the third aspect of the invention. Provided. The processing means and the radix blinding means of the data processing device may be said to be adapted to perform their respective functions.

  According to a fifth aspect of the present invention, there is provided an operating program, which when executed on a data processing device, causes the device to perform the method according to the second aspect of the present invention.

  Such an operating program may be executed on a carrier medium. The carrier medium may be a transmission medium or a storage medium.

  Certain embodiments of the present invention are particularly related to protection against side channel attacks (eg, power, timing, and error based attacks) in data processing devices that typically perform modular exponentiation operations associated with the RSA algorithm. . This algorithm, and the various methods previously considered for using such an algorithm to protect a cryptographic device from such side-channels, will first be described before describing the various embodiments of the present invention.

Suppose party X encrypts message m using the RSA algorithm and party Y receives and decrypts it. The party X first obtains the public key (N, e) of the party Y and, based on this, expresses the message m to be encrypted as an integer at the interval [0: N-1]. Thereafter, party X encrypts message m and generates ciphertext c using the following algorithm:
c = ^me mod N.

  Using standard squaring and multiplication techniques described in more detail below, this algorithm multiplies m by m e times, and is equivalent to expressing the solution modulo N.

To recover plaintext m from c, party Y uses the following algorithm, using its own secret key d:
m ⁼ c d mod N.

  Therefore, this decryption operation uses the same modular exponentiation form as the encryption operation.

  The method used by party Y to generate the public key (N, e) and the corresponding private key d is as follows. Two large prime numbers, p and q, are selected and the product N = pq is calculated. Here, N forms a public key module. The value e from the public key is selected to be smaller than N and relatively prime to (p-1) (q-1). This means that c and (p-1) (q-1) have no common divisor other than 1. It can be seen that the value of d is such that (ed-1) can be multiplied by (p-1) (q-1). The factors p and q may be discarded or kept with the enhanced secret key (d, p, q). Further details can be found in, for example, "Handbook of Applied Cryptography" by Menezes et al.

An alternative to using the public key (N, e) is to keep the transmitted data secret and then use the corresponding private key d for subsequent decryption. The secret key d can alternatively be used to encrypt the message m as a form of signature, so that the receiving party can confirm that the message m is genuine and unaltered And both can be guaranteed. In this way, party Y can create digital signature s with his private key d by using s = ^md mod N. Party Y may then send both m and s to party Y. To verify the signature, party X computes m = s ^e mod N using party Y's public key (N, e) and checks that the original message m has been restored.

  Therefore, encryption and authentication are performed without sharing a secret key. Each uses only the other public key or its own private key. Anyone can send an encrypted message or verify a signed message, but only the person who has the correct private key can decrypt or sign the message.

The Chinese Remainder Theorem (CRT) version of RSA is similar and gives the same result:
s = ( ^md mod p + p * (p- ¹ mod q) * ( ^md mod q- ^md mod p)) mod p * q.

The secret key of this algorithm is (d, p, q). Here, (p * q) is equal to the public key module N. In CRT version, speed efficiency ^(m d mod p) ^is calculated as ^{(m d mod p-1 mod} q), (m d mod q) is calculated as ^{(m d mod q-1 mod} q). Therefore, two separate exponentiation operations are performed.

  To make it more difficult to perform a side channel attack on the RSA algorithm, it is useful to add as much randomness to the calculation as possible. This can be at a low level, e.g., randomizing the timing of the operation, adding dummy operations at random intervals, or, in some cases, randomly selecting from several different ways of calculating intermediate steps. This can be done by: Alternatively, masking may be added to the input of an algorithm such as RSA so that the inputs and calculations are random, but the output remains accurate.

The technique in US Pat. No. 5,991,415 has already been presented. In this patent, the exponent is "blinded" by adding a random multiple of the number φ (N). Where φ (N) is Euler's Totient function of modulus N:
s = ^{md + k * φ (N)} mod N.
Here, k is a random integer. Euler's Totient function φ (N) is defined to be a positive integer of ≦ N that is relatively prime to N (ie, has no common divisor with N). However, 1 is considered to be relatively prime to all numbers. A number that is less than or equal to a given number and is relatively prime to the given number is called totive, so the totient function may be defined as the number of N totives. For example, φ (24) = 8 because 24 totives are eight (1, 5, 7, 11, 13, 17, 19, and 23). When N is a prime number, φ (N) = N−1, and when N = p * q (similar to the CRT version of RSA), φ (N) = (p−1) * (q−1) It is.

  It can be shown that the blind algorithm above produces the same output as the unblinded algorithm. In a blinded algorithm, the power signature looks very different each time the secret exponent is used, thereby guarding against DPA. The introduction of a random element in the computation also provides protection against time and error based side channel attacks. This technique is referred to herein as "power exponential blinding."

Similarly, blinding modulus N may be added using the following algorithm:
s = ( ^md mod k * N) mod N.
Where k is a random non-zero integer. This is particularly useful for the CRT version of the RSA algorithm where the modulus N (consisting of p and q) needs to be kept secret. This technique is referred to herein as "modulus blinding."

Similarly, blinding message m may be added using the following algorithm:
s = ((k * m) ^d ) * (k- ^d ) mod N
Where k is a random non-zero integer. This technique is referred to herein as "message blinding." The modification of this message blinding technique, the second exponentiation, using the public key exponent c (i.e., the k no ^{j e} is ^{used, (j} e * ^{m) d} and ^(j e) ^{- If d} is obtained, the exponentiation using c is generally cheaper than the exponentiation using d, so that j ^e is k ^d and (j ^e ) ^−d ≡ (j ^ed ) ⁻¹ ≡j ^Less expensive than ^-1 and the extra work becomes inversion and extra public key exponentiation) or storing the previous value of k, e.g. squaring to get a new almost random k Is included. The message itself is also padded using a padding scheme that randomizes (and effectively blinds) the message (eg, the padding scheme “EMSA-PSS” described in the PKCS # 1 v2.1 standard). obtain. This can be used with or in place of the message blinding technique.

  Each of these various paper technologies can be combined in the following algorithm.

ただし、ｋ_１、ｋ_２、およびｋ_３は、全てランダムな数であり、ｋ_１およびｋ_３は非ゼロである。このアルゴリズムは、べき指数ブラインディング（ｋ_２による）、モジュラスブラインディング（ｋ_３による）、およびメッセージブラインディング（ｋ_１による）を用いる。

Where k ₁ , k ₂ , and k ₃ are all random numbers, and k ₁ and k ₃ are non-zero. This algorithm (by _{k 2)} exponential blinding should (by _{k 3)} modulus blinding, and use message blinding _(k by _1).

  The message blinding technique described above requires inversion and extra powers, and is therefore relatively slow.

  FIG. 4 is a block diagram illustrating a data processing device according to the first embodiment of the present invention. The data processing device includes a processing device 2 having a calculation device 4 and a radix blinding device 6 having a multiplication device 8, an addition device 10, and an integer generation device 12. The operation of the data processing device according to the first embodiment of the present invention will be described with reference to the flowchart shown in FIG.

The processing device 2 performs various processing operations, and in this embodiment, processes the input data DIN to generate the output data DOUT. The processing operations performed by the processing device 2 include modular exponentiation operations of the form ^md mod N performed by the computing device 4. Here, m is a radix of the modular exponentiation operation, d is an exponent, and N is a modulus. For example, the radix message m in the input data DIN is received in step S1 shown in FIG.

However, before the exponentiation operation is performed, the radix blinding device 6 changes the radix m as described below so as not to affect the result of the modular exponentiation operation. The values of N and m are sent from the processing device 2 to the radix blinding device 6. In step S2, the integer generating device 12 generates an integer k. In step S3, the multiplication device 8 multiplies the integer k by the modulus N. In step S <b> 4, the adding device 10 adds the result of the multiplication to the radix m to generate a changed radix M = m + kN, and the changed radix M is returned to the processing device 2. In step S5, the computing device ^4, the m d mod N without compute the modular exponentiation operation ^M d mod N, to produce similar results.

Thus, the data processing apparatus shown in FIG. 4, the m d ^mod N without calculating the following modular exponentiation operation:
s = (m + k * N) ^d mod N.

This gives the same result as s = ^md mod N. This is because the formula (m + k * N) ^d is equal to md plus various ^powers of N. However, the exponents of N are all zero in modulo N.

The exponentiation operation M ^d may be performed in embodiments of the present invention using an algorithm associated with the “square and multiply” method, as shown in the following pseudo code. However, _{I d i} is the i-th binary digits d.

効率化のため、このようなアルゴリズムにおいては、この実施形態の場合のように、全体の結果のｍｏｄ Ｎが全ての中間計算 ｍｏｄ Ｎを還元させ、乗算演算が「ａ＝（ａ＊Ｍ）ｍｏｄ Ｎ」になり、二乗演算がａ＝（ａ＊ａ） ｍｏｄ Ｎになるようにすることが一般的である。しかし、本発明のある実施形態において、これは、メッセージブラインディングの効果が第１の中間計算の後に消えることを意味する。同様に、乗算演算は、しばしば、全て「ｍｏｄ Ｎ」である、多くのより小さい演算のシーケンスとして実行され得る。

For efficiency, in such an algorithm, as in this embodiment, the mod N of the overall result reduces all intermediate computations mod N, and the multiplication operation is "a = (a * M) mod N ”, and the square operation is generally set to a = (a * a) mod N. However, in some embodiments of the invention, this means that the effect of message blinding disappears after the first intermediate calculation. Similarly, multiplication operations can often be performed as a sequence of many smaller operations, all "mod N".

Thus, in certain embodiments of the present invention, for example, by leaving a modular reduction step "mod N" until after the exponentiation M ^d is complete, exponentiation to remain throughout the effect of message blinding is Math M Preferably, ^d is performed. However, it is also beneficial if the effect of message blinding is not the entire operation, but remains for at least part of the operation. For example, if the effect of message blinding is lost after some intermediate calculations, it is still somewhat beneficial. Other means for ensuring that the effect of message blinding in such a squaring and multiplication algorithm is not lost are described below in connection with the third embodiment.

  Using the radix blinding device 6 to change the radix m used in the modular exponentiation operation has the effect of changing the physical process performed by the data processing device, and thus the side leaking out of this device to the outside. The amount of channel information is reduced.

  The radix-blinding device 6 has a radix m in an unpredictable manner, i.e., in a manner that is unpredictable, at least in a pseudo manner, to anyone outside the data processing device attempting to monitor the side channel information emitted from the device. Is preferably changed. For example, the integer generator 12 may generate the integer k according to a pseudo-random algorithm.

Although it is preferred that the radix blinding device 6 generate a new integer k each time the modular exponentiation operation is performed, this is not essential. If the frequency of a new integer k is generated is low, or, is a base blinding device 6 temporary di active, as m ^d mod N radix m to time base blinding device 6 is inactive while no blind Even when modular exponentiation is performed, it still has some benefit.

  Certain embodiments of the present invention are useful for reducing the amount of side channel information leaking from any type of data processing device that uses modular exponentiation, where modular exponentiation is part of a cryptographic algorithm Has a specific use. For example, the data processing device of FIG. 4 can be used in a smart card as described above with reference to FIG. 1, so that the input data DIN of FIG. 4 represents the data to be encrypted and the output data DOUT of FIG. May represent the encrypted data. The processing device 2 in FIG. 4 can perform the decoding operation in the same manner. The cryptographic algorithm may be an RSA algorithm that utilizes a modular exponentiation operation, as described above. The cryptographic algorithm may also be a Diffie-Hellman algorithm, or any other such algorithm utilizing modular exponentiation. Cryptographic algorithms can be used for both exponents in the CRT version of RSA.

  Certain embodiments of the present invention have technical advantages as compared to previously contemplated blinding techniques. This is because addition and multiplication operations are much more efficient than exponentiation or inversion operations. Certain embodiments of the present invention may also have the advantage of adding more uncertainty to the calculation, with negligible additional cost.

  FIG. 6 is a block diagram of a data processing device according to the second embodiment of the present invention. The second embodiment includes a processing device 2 having a computing device 4 and a radix blinding device 6. The radix blinding device 6 operates as described above with reference to FIGS. 4 and 5 to blind by effectively replacing the radix m with (m + k * N). The second embodiment includes, in addition to the components shown in FIG. 4, an exponential blinding device 14 which should have an oil-tient device 16, a multiplier 18, an adder 20 and an integer generator 22.

Before the exponentiation operation is performed, the exponent blinding device 14 changes the exponent d as described below so as not to affect the result of the exponentiation operation. The results of N and d are sent from processing unit 2 to exponential blinding unit 14. As described above, the oil-latient device 16 calculates the oil-latient function φ (N), and the integer generator 22 generates an integer i. The multiplier 18 multiplies the integer i by the totient function φ (N), and the adder 20 adds the result of the multiplication to the exponent d to generate a modified exponent D = d + i * φ (N). I do. The index to be changed is returned to the processing device 2. In this way, the computing device 4 ^may calculate the m d in mod N without modular exponentiation operation ^M D mod N. Where M is the modified (blind) radix m, producing the same result. Thus, all the calculations performed are as follows:
s = (m + k * N) ^{d + i * φ (N)} mod N.

  The further use of the exponent blinding device 14 to change the exponent to be used in the modular exponentiation operation has the effect of further changing the physical process performed by the data processing device, and therefore, from this device to the outside The amount of leaked side channel information is further reduced.

  FIG. 7 is a block diagram of a data processing device according to the third embodiment of the present invention. The third embodiment includes a processing device 2 having a calculation device 4 and a radix blinding device 6. The radix blinding device 6 operates as described above with reference to FIGS. 4 and 5 to blind by effectively replacing the radix m with (m + k * N). The third embodiment includes, in addition to the components shown in FIG. 4, a modulus blinding device 24 having a modulus calculating device 28, a multiplying device 26, and an integer generating device 30.

In this embodiment, after performing the exponentiation operation M ^d, where M is the modified (blinded) radix m generated by the radix blinding device 6, the modulus blinding device 24 determines the modulus of the modulus. The calculation is performed in a slightly modified form compared to the normal M ^d mod N without affecting the result of the modular exponentiation operation. The values of N and M ^d are sent from processing unit 2 to modulus blinding unit 24. The integer generator 30 generates a non-zero integer j, and the multiplier 26 multiplies the integer j by an unblinded modulus N to generate a blinded modulus W = j * N. Thereafter, the modulus calculator 28 performs the modified modular operation by calculating (M ^d mod W) mod N instead of M ^d mod N. The same result is generated and returned to the processing unit 2. Therefore, all calculations performed are as follows:
s = ((m + k * N) ^d mod j * N) mod N.

  Further use of the modulus blinding device 24 to modify the modulus calculation used in the modular exponentiation operation has the effect of further altering the physical process performed by the data processing device, and therefore from the device to the outside. The amount of leaked side channel information is further reduced.

For efficiency reasons, "mod j * N" is preferably applied to each of the intermediate calculations used in the exponentiation operation (m + k * N) ^d . For example, if the squaring and multiplication techniques described above in connection with the first embodiment are used, the multiplication operation is "a = (a * M) mod j * N" where M = m + k * N, The square operation is “a = (a * a) mod j * N”. The modulo N reduction operation is performed after the square and multiplication operations (mod j * N) are completed.

  This scheme has the advantage of allowing efficient squaring and multiplication techniques with intermediate modulo reduction to be used in embodiments of the present invention without completely eliminating the effects of message blinding highlighted above. Having. If j equals "1" throughout the modular exponentiation operation, message blinding is lost in that operation, but a different value of j can be used for the next operation, and the leakage of useful side channel information is still reduced. You. Also, different values of j are generated in each of the intermediate modular calculations.

FIG. 8 is a block diagram of a data processing device according to the fourth embodiment of the present invention. The fourth embodiment is essentially a combination of the second and third embodiments. The fourth embodiment includes a processing device 2 having a calculation device 4, a radix blinding device 6, a power exponential blinding device 14, and a modulus blinding device 24. These members generally operate as described above with reference to FIGS. 4-7, and each of the radix m, the power exponent d, and the modulus N without affecting the result of the modular exponentiation operation. Blind. Therefore, all calculations performed are as follows:
s = ((m + k * N) ^{d + i * φ (N)} mod j * N) mod N.

  Modifying the modular exponentiation operation using all three blinding methods has the effect of significantly changing the physical process performed by the data processing device, and thus the side leakage from the device to the outside. The amount of channel information is significantly reduced.

  In the second to fourth embodiments, the exponent index device 14 and the modulus blinding device 24 each include a data processing device that attempts to monitor in an unpredictable manner, ie, side channel information emitted from the device. It is preferable to change the exponent d and the modulus N in a manner that is unpredictable, at least in a simulated manner, to the outsider. For example, integer generators 22 and 30 may generate integers i and j, respectively, according to a pseudo-random algorithm.

  Preferably, the power exponent unit 14 and modulus blinding unit 24 generate new integers i and j each time a modular exponentiation operation is performed, but this is not required. If the new integers i and j are generated infrequently, or if the power exponent device 14 and the modulus blinding device 24 are temporarily deactivated and these devices are inactive, either the power exponent d or the modulus N Even if a modular exponentiation operation is performed without blinding either or both, some advantages are still obtained.

  The integer generators 12, 22, 30, the multipliers 8, 18, 26, and the adders 10, 20 have been illustrated and described as separate devices, but of course, for more than one type of blinding device. It is understood that they may be combined to perform that function. Those skilled in the art will also appreciate that the configurations shown in FIGS. 4, 6 and 7 can be modified and / or combined in some other manner without affecting the functions performed by embodiments of the present invention. . For example, one or more of the blinding devices 6, 14, 24 may be located within the processing device 2 itself.

  Also, one of the main applications of the blinding technology has been described for use in a smart card as shown in FIG. 1, but the technology can be used for USB tokens, secure memory, secure multimedia, and secure access modules. (SAM).

  Although embodiments of the present invention have been described as being implemented in hardware, embodiments of the present invention may be implemented in software. For example, in the smart card device illustrated with reference to FIG. 1, instead of providing a separate processing unit 9 on the smart card as described, instead an operating program is provided (to be used). The CPU 5 controls the CPU 5 to perform the function of the processing device 9 (stored in the memory unit 3). The relevant parts of the smart card (or other data processing device) are thus adapted to perform the same functions as the components illustrated in the above embodiments of the present invention.

  An operating program embodying the present invention can be stored on a computer-readable medium, but can also be implemented in a signal, such as a downloadable data signal provided from an Internet website. The appended claims should be construed to include the operating program itself, as a record on a carrier, as a signal, or in any other form.

A processing device (2) for performing a processing operation including a modular exponentiation operation (4) of the form ^md mod N having a radix m, a power exponent d and a modulus N is provided. The data processing unit (2) also generates a modular exponentiation by generating an integer k (12), multiplying the integer k by a modulus N (8) and adding the result of the multiplication to a radix m (10). A radix blinding device (6) that changes the radix m before the exponentiation operation (4) is performed without affecting the result of the operation. This has the effect of reducing the amount of side channel information leaking from device (2), and thus has particular application where modular exponentiation is part of a cryptographic algorithm such as the RSA algorithm. For example, the data processing device (2) can be used in a smart card device.

For the purpose of illustration, reference is made to the accompanying drawings.
FIG. 1 is a block diagram showing main parts of a typical smart card as described above. FIG. 2 is an exemplary block diagram used in describing a conventional encryption model, as described above. FIG. 3 is an exemplary block diagram used to describe the encryption model, including the side channel, as described above. FIG. 4 is a block diagram of the data processing device according to the first embodiment of the present invention. FIG. 5 is a flowchart illustrating the operation of the first exemplary embodiment of the present invention. FIG. 6 is a block diagram of a data processing device according to the second embodiment of the present invention. FIG. 7 is a block diagram of a data processing device according to the third embodiment of the present invention. FIG. 8 is a block diagram of a data processing device according to the fourth embodiment of the present invention.

Claims (23)

Processing means for performing a processing operation including a modular exponentiation operation of the form ^md mod N having a radix m, a power exponent d and a modulus N;
Generating the integer k, multiplying the integer k by a modulus N, and adding the result of the multiplication to the radix m without affecting the result of the modular exponentiation operation. A radix blinding means for changing the radix m before the operation is performed to reduce the amount of side channel information leaking from the device.   The apparatus according to claim 1, wherein the radix blinding means changes the radix m in an unpredictable manner.   The apparatus according to claim 2, wherein the radix blinding means generates the integer k according to a pseudo-random algorithm.   Apparatus according to any preceding claim, wherein the radix blinding means generates a new integer k each time such a modular exponentiation operation is performed.   Apparatus according to any one of the preceding claims, wherein the modular exponentiation operation is part of a cryptographic algorithm.   The apparatus according to claim 5, wherein the encryption algorithm is an RSA algorithm.   Generating an integer i, calculating an Euler-Chiient function φ (N) of N, multiplying the Euler-Chiient function φ (N) by the integer i, and the result of the multiplication by the exponent d To further reduce the amount of side channel information leaking from the device by changing the exponent d before the exponentiation operation is performed without affecting the result of the modular exponentiation operation Apparatus according to any one of the preceding claims, further comprising means for exponential blinding.   Apparatus according to any one of the preceding claims, wherein the modular exponentiation operation is performed as a series of intermediate calculations.   9. The apparatus of claim 8, wherein the modular exponentiation operation is performed according to a square and multiplication technique.   Apparatus according to claim 8 or 9, wherein the intermediate calculation is performed such that the effect of changing the radix m continues throughout the execution of the modular exponentiation operation. The modulo reduction operation mod N is performed after the exponentiation operation in the form m ^d is completed, according to claim 8, 9 or 10.   The apparatus according to any one of claims 8 to 11, wherein the modulo reduction operation mod N is performed after one or more of the intermediate calculations. Generating an integer j and generating a blinded modulus W by multiplying the unblinded modulus N by the integer j; and providing the processing means with the power operation in accordance with equation ( ^md mod W). 12. The method according to any one of claims 1 to 11, further comprising a modulus blinding means for performing, without affecting the result of the modular exponentiation operation, further reducing the amount of side channel information leaking from the device. The described device.   14. The apparatus according to claim 13, wherein the modulo reduction operation mod W is performed after one or more of the intermediate calculations, when interpreted as being dependent on claim 8. A data processing method used in a data processing apparatus that performs a processing operation including a modular exponentiation operation of a form ^md mod N having a radix m, a power exponent d, and a modulus N,
Generating the integer k, multiplying the integer k by a modulus N, and adding the result of the multiplication to the radix m without affecting the result of the modular exponentiation operation. Changing the radix m before the operation is performed to reduce the amount of side channel information leaking from the device.   A data processing apparatus substantially as described above with reference to FIGS.   A data processing method substantially as described above with reference to FIGS.   A smart card comprising the data processing device according to claim 1.   An operating program which, when loaded into a data processing device, makes the device an apparatus according to any one of claims 1 to 14 or a smart card according to claim 18.   An operating program which, when executed on a data processing device, causes the device to perform the method of claim 15 or 17.   21. The operating program according to claim 19 or 20, which is executed on a carrier medium.   The operating program according to claim 21, wherein the carrier medium is a transmission medium.   22. The operating program according to claim 21, wherein the carrier medium is a storage medium.

Images