WO2002019065A2 - Method and device for carrying out a modular exponentiation in a cryptographic processor - Google Patents
Method and device for carrying out a modular exponentiation in a cryptographic processor
- Publication number
- WO2002019065A2 WO2002019065A2 PCT/EP2001/009285 EP0109285W WO0219065A2 WO 2002019065 A2 WO2002019065 A2 WO 2002019065A2 EP 0109285 W EP0109285 W EP 0109285W WO 0219065 A2 WO0219065 A2 WO 0219065A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- mapping rule
- security module
- page
- logical
- mapping
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
- G06F12/145—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being virtual, e.g. for virtual blocks or segments before a translation mechanism
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/75—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
- G06F21/755—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7257—Random modification not requiring correction
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7271—Fault verification, e.g. comparing two values which should be the same, unless a computational fault occurred
Definitions
- The present invention relates to cryptography and in particular to modular exponentiation, one of the most important arithmetic operations in, for example, public-key cryptography methods.
- Modular exponentiation can also be used for RSA decryption, for example.
- M is the encrypted message, while C is the decrypted message.
- Decryption, e.g. RSA decryption.
- The modulus N is usually known, while the exponent d is secret.
- So-called information-leak attacks attempt to obtain secret data, for example the secret key or exponent d, from the computation of the modular exponentiation.
- The algorithm begins in a block 100 and first initializes the required variables, namely the modulus N, the exponent d and the message M to be signed (or, in the case of RSA decryption, the message to be decrypted), in a block 102. From these, the encrypted symbol C (RSA signature) or the decrypted symbol C (RSA decryption) is calculated using the conventional modular exponentiation formula given in block 104. The result is then output in a block 106, after which the algorithm ends in a block 108.
- This general scheme for calculating the modular exponentiation given in block 104 includes no countermeasures against any form of attack, e.g. a timing attack, a power attack or a radiation attack.
- DE 198 28 936 A1 discloses a method and a device for processing data in order to better secure a modular exponentiation against external attacks.
- The method disclosed in DE 198 28 936 A1 is roughly as shown in FIG. 4.
- A randomization of the exponent d using a random number r1 and a randomization of the base using an additional random number r2 are proposed.
- The variables M, d, N and φ(N) are initialized in a block 110.
- φ(N) denotes the so-called Euler φ function, which is defined as (p-1)·(q-1), as can be seen in the equation shown in FIG. 4.
- A random number r1 is then selected in a step 112 to randomize the exponent.
- A random number r2 is then selected in a step 114 to randomize the base M.
- The modular exponentiation shown in block 116 is then carried out in the known method in order to obtain the processed symbol C in block 106, after which the algorithm ends.
- CRT: Chinese Remainder Theorem
- Modular exponentiation using the Chinese remainder theorem is known in the art and is described, for example, in the Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone, pages 610 to 613, published by Springer-Verlag.
- M, d_p, d_q, p and q are initialized in a block 118.
- p and q are the secret RSA prime numbers, whose product gives the modulus N.
- The variable d is again the secret RSA exponent.
- The auxiliary quantities d_p and d_q are calculated as also shown in FIG. 5.
- φ(p) here again denotes the Euler φ function.
- FIG. 5 shows the modular exponentiation using the Chinese remainder theorem according to the algorithm of H. L. Garner.
- The object of the present invention is to provide a method and a device for carrying out a modular exponentiation which deliver a high security standard but at the same time do not require too much computing effort.
- p and q are two prime numbers of equal length.
- λ(N) = φ(N) / gcd(p-1, q-1).
- The Carmichael λ function is smaller than the Euler φ function by the greatest common divisor (gcd) of (p-1) and (q-1).
- The randomized exponent is therefore a few bits shorter than an exponent randomized with the Euler function, so that the modified modular exponentiation can be calculated more quickly than with the system shown in FIG. 4.
- The Carmichael λ function can be formed not only with two prime numbers but with any number of prime numbers, as long as the product of these prime numbers equals the modulus N.
- λ is defined as the quotient of the product of at least two numbers and the greatest common divisor of those numbers, each number being the difference between a prime number and one, and the product of the at least two prime numbers underlying those numbers being equal to the modulus N.
- λ is calculated as follows for three prime numbers p, q, r:
- The function λ can be formed for any number of prime numbers.
- The randomization of the exponent using the Carmichael λ function is used for calculating the modular exponentiation either with or without the Chinese remainder theorem.
- Preferred exemplary embodiments of the present invention are explained in more detail below with reference to the accompanying figures, in which:
- FIG. 1 shows a flowchart of the method according to a first exemplary embodiment of the present invention without using the Chinese remainder theorem;
- FIGS. 2A and 2B show a flowchart of the method according to a second exemplary embodiment of the present invention using the Chinese remainder theorem;
- FIG. 1 shows a flowchart of a method according to a first exemplary embodiment of the present invention.
- The method is started in a block 10.
- The necessary variables M, d, N and λ are then initialized in a block 12; λ denotes the Carmichael λ function and, as shown at the bottom left of FIG. 1, is calculated from the prime numbers p and q, whose product gives the modulus N.
- Carmichael's function can be used not only when the two prime numbers p, q have the same length; it can always be used when the product of p and q gives the modulus N.
- A random number r1 is chosen, for example between 0 and 2^32, which is used to randomize the exponent.
- A random number r2 can be selected in a step 16, with which the base, i.e. the symbol M, can be randomized in order to distribute the current consumption and power profiles of a crypto processor even more homogeneously, so that it becomes harder for attackers to find out secret information.
- The processed symbol, which is the encrypted symbol in the case of an RSA signature or the decrypted symbol in the case of RSA decryption, is then calculated.
- The value for C is finally stored in block 20, after which the algorithm ends in block 22.
- The following should be noted with regard to the randomization of the base. If the base M is replaced by the base M + r2·M, where r2 is a random n-bit number, the final result does not change, since the following relationship applies:
- As for the random numbers r1 and r2, it is preferred to take 32-bit numbers for both if the modulus N is a 1024-bit modulus. If N is a 2048-bit modulus, 64-bit numbers are preferred for r1 and r2.
- The length of the random numbers accomplishes two things. First, the higher randomization increases security. On the other hand, however, the processing time also increases; this is in any case better when using the Carmichael λ function according to the invention than when using the Euler φ function, since the relationship between λ and φ does not depend on the length of the numbers r1 and r2.
- The selection of the random numbers r1 and r2 thus provides substantial flexibility, in that an optimal trade-off between security on the one hand and calculation effort on the other can be achieved with one and the same algorithm, or one and the same chip, for a multitude of different requirements. If the random numbers are chosen very short, processing is quick, but security could suffer. If, on the other hand, very long random numbers are used for high-security applications in which processing speed is not an essential criterion, a maximum security standard can be achieved without further ado.
- FIG. 2A shows a second exemplary embodiment according to the present invention in which, as in the first exemplary embodiment shown in FIG. 1, both the exponent and the base are randomized.
- The modular exponentiation is calculated using the Chinese remainder theorem.
- M, d, p and q are initialized in block 12, where M is again the symbol to be processed, d is the exponent and p and q are two prime numbers whose product corresponds to the modulus N.
- A parameter t is selected, the parameter t being a random prime number which preferably has a length between 16 and 32 bits.
- The length in bits of the parameter t can be set as desired.
- The random numbers r1 and r2 are selected in steps 14 and 16; the randomized base M_t is calculated using the random number r2 in a step 24, while in a block 26 the randomized exponent d_t is calculated using the random number r1.
- The equation for the λ function given at the bottom left of FIG. 1 is written out in block 26.
- The individual parameters C_pt, C_qt, x_pt and C_t are then calculated in blocks 28 to 34 according to the equations given in FIG. 2A; it is particularly pointed out that, for example, in block 28 the Carmichael λ function of p and t is calculated, while in block 30 the Carmichael λ function of q and t is calculated.
- Block 36 provides a kind of self-test function by checking the relationship between the parameters C_t, C_qt and t.
- The method according to the invention and the device according to the invention can be implemented in various ways.
- A software-based implementation on a general-purpose computer is of course conceivable, for example to carry out an RSA signature or an RSA decryption.
- Applications of the concept according to the invention are even more preferred in crypto processors on cash cards, smart cards, ID cards or the like, since these elements are used in large quantities and reading devices with a limited cost budget are therefore essential.
- The concept of the invention can be implemented partially or even completely in hardware.
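The two embodiments described above, as an added worked example in Python (not code from the patent): exponent and base randomization with the Carmichael λ function, the exponent-length comparison against Euler φ, and the CRT variant with a random test prime t whose shared factor gives the block 36 self-check. It assumes constructed toy primes, the base form M + r2·N, and a Shamir-style shape for the FIG. 2A equations, which the page only shows in its figures.

```python
import math
import secrets

# Constructed toy RSA parameters (far too small for real use, chosen so the
# arithmetic stays easy to follow).  p and q are distinct odd primes, N = p*q.
P, Q = 1000003, 999983
N = P * Q
E = 65537


def carmichael(*primes):
    """Carmichael lambda of a square-free modulus: lcm(p_i - 1).  For two
    primes this is (p-1)(q-1) / gcd(p-1, q-1), the form given on the page."""
    lam = 1
    for p in primes:
        lam = lam * (p - 1) // math.gcd(lam, p - 1)
    return lam


def euler_phi(*primes):
    """Euler phi of the same modulus, the product of all (p_i - 1)."""
    phi = 1
    for p in primes:
        phi *= p - 1
    return phi


D = pow(E, -1, carmichael(P, Q))   # private exponent: e*d = 1 (mod lambda(N))


def randomized_modexp(M, d, n, lam, r1=None, r2=None):
    """First embodiment (FIG. 1): C = (M + r2*N)^(d + r1*lambda(N)) mod N.
    M^lambda(N) = 1 (mod N) hides the r1 term in the result and the r2 term
    vanishes modulo N, so C equals plain M^d mod N.  The base form M + r2*N
    is an assumption here (the page's text reads M + r2*M)."""
    r1 = secrets.randbits(32) if r1 is None else r1
    r2 = secrets.randbits(32) if r2 is None else r2
    return pow(M + r2 * n, d + r1 * lam, n)


def randomized_exponent_bits(d, r1, f):
    """Bit length of d + r1*f.  With f = lambda(N) it is log2(gcd(p-1, q-1))
    bits shorter than with f = phi(N); that saving is the page's speed claim."""
    return (d + r1 * f).bit_length()


def crt_modexp_checked(M, d, p, q, t, r1, r2, inject_fault=False):
    """Second embodiment (FIG. 2A/2B): CRT halves computed over p*t and q*t
    with a random test prime t, exponents reduced by lambda(p*t) and
    lambda(q*t) (blocks 28/30), and t used as the self-test of block 36.
    The page's equations live in its figures; this Shamir-style shape is
    an assumption."""
    n = p * q
    m_t = M + r2 * n                          # randomized base (block 24)
    d_t = d + r1 * carmichael(p, q)           # randomized exponent (block 26)
    c_pt = pow(m_t, d_t % carmichael(p, t), p * t)
    c_qt = pow(m_t, d_t % carmichael(q, t), q * t)
    if inject_fault:                          # corrupt one half to exercise the check
        c_pt ^= 1
    if c_pt % t != c_qt % t:                  # block 36: both halves must agree mod t
        raise ValueError("computation fault detected, result withheld")
    c_p, c_q = c_pt % p, c_qt % q
    h = ((c_p - c_q) * pow(q, -1, p)) % p     # Garner recombination
    return c_q + h * q


if __name__ == "__main__":
    M, R1, R2 = 123456789, 0x9E3779B9, 0x7F4A7C15   # constructed inputs
    print(crt_modexp_checked(M, D, P, Q, 65521, R1, R2) == pow(M, D, N))
```

With these primes gcd(p-1, q-1) = 2, so the λ-randomized exponent is exactly one bit shorter than the φ-randomized one; the saving grows with that gcd.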
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mathematical Physics (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Storage Device Security (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2001287675A AU2001287675A1 (en) | 2000-08-28 | 2001-08-10 | Method and device for carrying out a modular exponentiation in a cryptographic processor |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10042234.9 | 2000-08-28 | ||
DE10042234A DE10042234C2 (de) | 2000-08-28 | 2000-08-28 | Method and device for carrying out a modular exponentiation in a cryptographic processor |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2002019065A2 true WO2002019065A2 (de) | 2002-03-07 |
WO2002019065A8 WO2002019065A8 (de) | 2002-09-26 |
Family
ID=7654065
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2001/009285 WO2002019065A2 (de) | 2000-08-28 | 2001-08-10 | Method and device for carrying out a modular exponentiation in a cryptographic processor |
Country Status (3)
Country | Link |
---|---|
AU (1) | AU2001287675A1 (de) |
DE (1) | DE10042234C2 (de) |
WO (1) | WO2002019065A2 (de) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE10304451B3 (de) | 2003-02-04 | 2004-09-02 | Infineon Technologies Ag | Modular exponentiation with randomized exponent |
DE10326057B4 (de) * | 2003-06-11 | 2010-06-10 | Cv Cryptovision Gmbh | Method, protected against side-channel attacks, for testing a natural number for primality |
FR2869430A1 (fr) | 2004-04-27 | 2005-10-28 | St Microelectronics Sa | Control of the execution of an algorithm by an integrated circuit |
KR20110014630A (ko) * | 2008-05-07 | 2011-02-11 | 이르데토 비.브이. | Exponent obfuscation |
DE102010039273B4 (de) * | 2010-08-12 | 2014-12-04 | Infineon Technologies Ag | Cryptography processor, chip card and method for computing a result of an exponentiation |
DE102011115082A1 (de) | 2011-09-19 | 2013-03-21 | Giesecke & Devrient Gmbh | Secret RSA encryption exponent protectable against spying |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5046094A (en) * | 1989-02-02 | 1991-09-03 | Kabushiki Kaisha Toshiba | Server-aided computation method and distributed information processing unit |
US5991415A (en) * | 1997-05-12 | 1999-11-23 | Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science | Method and apparatus for protecting public key schemes from timing and fault attacks |
DE19828936A1 (de) * | 1998-05-29 | 1999-12-02 | Siemens Ag | Method and device for processing data |
2000
- 2000-08-28 DE DE10042234A patent/DE10042234C2/de not_active Expired - Fee Related
2001
- 2001-08-10 WO PCT/EP2001/009285 patent/WO2002019065A2/de active Application Filing
- 2001-08-10 AU AU2001287675A patent/AU2001287675A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
No search * |
Also Published As
Publication number | Publication date |
---|---|
WO2002019065A8 (de) | 2002-09-26 |
DE10042234C2 (de) | 2002-06-20 |
DE10042234A1 (de) | 2002-03-14 |
AU2001287675A1 (en) | 2002-03-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
DE69917592T2 (de) | Cryptography resistant to power-consumption signature attacks | |
DE69828787T2 (de) | Improved method and device for protecting a public-key encryption method against timing and fault-injection attacks | |
DE112008000668B4 (de) | Cryptographic method and system | |
DE60217260T2 (de) | Data processing and encryption unit | |
EP1262037A1 (de) | Portable data carrier with access protection by key splitting | |
EP1290545B1 (de) | Cryptographic method and cryptographic device | |
DE102016120558A1 (de) | Data processing device and method for cryptographic processing of data | |
DE602004006628T2 (de) | Method for the secure execution of an RSA cryptographic algorithm, and corresponding component | |
DE102017002153A1 (de) | Transition from a Boolean masking to an arithmetic masking | |
DE102005041102A1 (de) | Method for scalar multiplication of points on an elliptic curve | |
DE10143728A1 (de) | Device and method for computing a result of a modular exponentiation | |
DE102008051447B9 (de) | Method and device for protecting an RSA computation at an output using the Chinese remainder theorem | |
DE112018002723B4 (de) | System, method and device for obfuscating device operations | |
WO2004070497A2 (de) | Modular exponentiation with randomized exponents | |
WO2002019065A2 (de) | Method and device for carrying out a modular exponentiation in a cryptographic processor | |
DE10151129B4 (de) | Method and device for computing a result of an exponentiation in a cryptography circuit | |
WO2003034268A2 (de) | Method and device for securing an exponentiation computation using the Chinese remainder theorem (CRT) | |
DE60221863T2 (de) | Method for implementing a cryptographic algorithm for finding the public exponent in an electronic component | |
DE102020134618A1 (de) | Security controller and method for processing data elements of a data field | |
EP1506473B1 (de) | Spying-protected modular inversion | |
DE60220793T2 (de) | Scrambling of a computation in which a modular function is used | |
DE102020102796A1 (de) | Data processing device and method for processing secret data | |
DE102018006313A1 (de) | Method with safe-error countermeasure | |
EP2128754B1 (de) | Secure sliding window exponentiation | |
EP1518165B1 (de) | Computation of a multiple of a group element for cryptographic purposes | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
AK | Designated states |
Kind code of ref document: C1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: C1 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR |
|
D17 | Declaration under article 17(2)a | ||
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
122 | Ep: pct application non-entry in european phase | ||
NENP | Non-entry into the national phase |
Ref country code: JP |