CN101465726B - Decode-proof method for cipher key as well as controller and memory device for implementing the method - Google Patents

Publication number
CN101465726B
Authority
CN
China
Prior art keywords
storage area
security information
storage
present
controller
Legal status
Active
Application number
CN2007103001881A
Other languages
Chinese (zh)
Other versions
CN101465726A (en)
Inventor
詹清文
Current Assignee
Phison Electronics Corp
Original Assignee
Phison Electronics Corp
Application filed by Phison Electronics Corp
Priority to CN2007103001881A
Publication of CN101465726A
Application granted
Publication of CN101465726B

Landscapes

  • Storage Device Security (AREA)

Abstract

Disclosed are an anti-crack method for keys, and a controller and a storage device for executing the method. The anti-crack method for keys includes using a plurality of storage areas to each store the same security information. The method also includes, when a signature algorithm and a key are used to generate a digital signature, selecting one of the storage areas as the currently used storage area for accessing the security information, and, when the security information in the currently used storage area is updated, updating the security information in the other storage areas at the same time. The method also includes, when the security information in the currently used storage area is detected to have been attacked while the digital signature is being generated, selecting a storage area as the currently used storage area to provide correct security information and to store the updated security information. The invention thereby prevents attackers from cracking keys.

Description

Anti-crack method for keys, and controller and storage device for executing the method
Technical field
The present invention relates to a method for protecting a key, and in particular to an anti-crack method for an RSA key, and to a controller, a storage device and a computer-readable recording medium that use the method.
Background
In a cryptosystem, cryptographic keys are used in the cryptographic computations. In the asymmetric cryptosystem RSA (Rivest-Shamir-Adleman), the keys are generated as a pair consisting of a public key and a private key. The public/private key pair defines two applications. In one, the private key is used as the signing key to produce a digital signature on a digital message, and the public key is used as the verification key to check whether a given value is a correct signature. In the other, the public key is used as the encryption key to convert plaintext into ciphertext, and the private key is used as the decryption key to convert the ciphertext back into plaintext.
Whoever produces a digital signature must keep the signing key secret, and the recipient of a ciphertext must likewise keep the decryption key secret. The private key is therefore a secret. Although the private key is a value related to the public key, disclosing the public key does not reveal the corresponding private key.
RSA computations use modular arithmetic, and the modulus is the product of two prime numbers. Deriving the private key from the public key is computationally very difficult, because no efficient algorithm is available for factoring the product of two primes back into the two original primes.
RSA computations generally involve modular arithmetic, which is defined here as follows: let x and y be two integers; when z divides $x - y$ exactly, x and y are said to be congruent modulo z, written $x \equiv y \pmod{z}$.
An RSA key can be generated with the following steps:
(1) Select a positive integer e as the encryption exponent, known to those skilled in the art as the public exponent.
(2) Randomly select two different odd primes p and q such that (p-1) and (q-1) are both relatively prime to e.
(3) Take the public modulus to be the product n = pq.
(4) Select a private exponent d such that (p-1) and (q-1) both divide (de-1).
The RSA public exponent e and modulus n are used to encrypt a plaintext integer m: the ciphertext integer c is computed as $c \equiv m^e \pmod{n}$, where m is assumed to be less than n. The private exponent d and modulus n are used to decrypt the ciphertext c back into the plaintext m by computing $m \equiv c^d \pmod{n}$.
The private exponent d and modulus n of RSA can also be used to produce a digital signature. First, a digest of a digital message M is produced with a collision-resistant hash function and is denoted hash(M). The digital signature of M, denoted signature(M), is then obtained as $\mathrm{hash}(M)^d \pmod{n}$.
The RSA public exponent e and modulus n can be used to verify whether a given value is a correct digital signature. Suppose a verifier receives M ‖ SGN, where M is the digital message and SGN is the digital signature appended to M. The verifier first computes hash(M) with the chosen collision-resistant hash function, and decrypts SGN with the public key (e, n) by computing $SGN^e \pmod{n}$. The verifier then compares hash(M) with the decrypted result; if the two are equal, SGN is a correct signature. A typical RSA implementation is, for example, RSA Algorithm 1:
0.1 Input: M, K, N
0.2 Output: R = M^K mod N
0.3 R = 1, B = M
0.4 for i = 0 to length(K)-1,
0.5     if (K_i == 1) R = RB mod N
0.6     B = B^2 mod N
0.7 end for
In Algorithm 1, the inputs are the document M to be digitally signed, the RSA key K and the RSA modulus N, and the output R is the digitally signed document. R and B are the security information of the RSA operation, and K is 1024 or 2048 bits long.
Because the key K is used in applications that require authentication, such as online transactions and smart cards, it is a target for attackers. In this architecture, the cryptosystem generally verifies the digital signature with the public key before outputting it, and outputs the result only when verification succeeds. An attacker who wants to steal the RSA key can therefore mount a fault attack on R in step (0.5) or on B in step (0.6). In other words, the attacker can guess the RSA key K by tampering with the value of R or B during the computation. The attack is described below using tampering with R as the example. The modular multiplication in step (0.5) is implemented as follows:
1.1 Input: R, M, N
1.2 Output: R = RM mod N
1.3 Suppose: $R = \sum_{j=0}^{m-1} R_j (2^t)^j$,
Figure S2007103001881D00052
n = length(R)
1.4 A = 0
1.5 for j = m-1 to 0,
1.6     A = (A 2^t + R_j M) mod N
1.7 end for
1.8 R = A
As the loop at (1.5) shows, the modular multiplication computes and updates with the security information R one position after another. Suppose the attacker attacks (modifies) $R_{m-1}, R_{m-2}, \ldots, R_{k+1}$ while step (1.6) is executing with j = k < m-1. Because the attacker modifies information that has already been used in the computation, the modification does not make the final value of A wrong. Therefore, when step (1.8) is finally executed, the modular multiplication still arrives at the correct value of R. From step (0.5), if $K_i = 1$, the final result is identical to the correct value. If instead $K_i = 0$, the modular multiplication is not executed, so the attacker's modification makes R differ from the correct value. Hence, when the final result of Algorithm 1 is found to be wrong, the attacker can infer that the RSA key bit $K_i$ is 0, and when the result is correct, the attacker can infer that $K_i$ is 1.
The usual mechanism for guarding against such attacks is, as described above, to verify the computed result with the public key before output, in order to detect whether an attack has occurred and decide whether to output the result. Although this practice detects the attack, it cannot withstand it, because withholding the result when attacked is equivalent to telling the attacker that the result is wrong.
There is therefore a need for an anti-crack method that prevents the attacker from inferring the key.
Summary of the invention
The invention provides an anti-crack method for a key that effectively prevents an attacker from stealing the key.
The invention provides a controller that can execute the anti-crack method for a key to effectively prevent an attacker from stealing the key.
The invention provides a storage device whose controller can execute the anti-crack method for a key to effectively prevent an attacker from stealing the key.
The invention proposes an anti-crack method for a key. The method includes using a plurality of storage areas to each store the same security information. The method also includes, when a signature algorithm and a key are used to generate a digital signature, selecting one of the storage areas as the currently used storage area for accessing the security information, and synchronously updating the security information stored in the other storage areas when the security information of the currently used storage area is updated. The method also includes, when the security information of the currently used storage area is detected to have been attacked while the digital signature is being generated, selecting another of the storage areas as the currently used storage area to provide correct security information and to store the updated security information.
In one embodiment of the invention, the signature algorithm is the RSA signature algorithm and the key is an RSA key.
In one embodiment of the invention, the attack detection includes comparing the security information of the currently used storage area with the security information of the other storage areas.
In one embodiment of the invention, the anti-crack method for a key also includes recording a checksum or a hash value in the storage areas for attack detection.
In one embodiment of the invention, the anti-crack method for a key also includes selecting another of the storage areas as the currently used storage area when the security information of the storage areas is updated.
In one embodiment of the invention, the currently used storage area is selected at random.
In one embodiment of the invention, the number of storage areas is two.
In one embodiment of the invention, the anti-crack method for a key also includes copying the security information of another storage area to the attacked storage area when an attack is detected.
In one embodiment of the invention, the anti-crack method for a key also includes stopping the operation of the signature algorithm when all the storage areas have been attacked.
The invention proposes a controller suitable for a storage device. The controller comprises a non-volatile memory interface, a buffer memory and a microprocessor unit. The non-volatile memory interface is used to access a non-volatile memory. The buffer memory is used to store data temporarily. The microprocessor unit controls the overall operation of the controller, and uses a plurality of storage areas to each store the same security information. When a signature algorithm and a key are used to generate a digital signature, the microprocessor unit selects one of the storage areas as the currently used storage area for accessing the security information, and synchronously updates the security information stored in the other storage areas when the security information of the currently used storage area is updated. When the microprocessor unit detects that the security information of the currently used storage area has been attacked while the digital signature is being generated, it selects another of the storage areas as the currently used storage area to provide correct security information and to store the updated security information.
In one embodiment of the invention, the signature algorithm is the RSA signature algorithm and the key is an RSA key.
In one embodiment of the invention, the attack detection includes comparing the security information of the currently used storage area with the security information of the other storage areas.
In one embodiment of the invention, the microprocessor unit records a checksum or a hash value in the storage areas for attack detection.
In one embodiment of the invention, when the microprocessor unit updates the security information of the storage areas, it selects another of the storage areas as the currently used storage area.
In one embodiment of the invention, the microprocessor unit selects the currently used storage area at random.
In one embodiment of the invention, the number of storage areas is two.
In one embodiment of the invention, when the microprocessor unit detects an attack, it copies the security information of another storage area to the attacked storage area.
In one embodiment of the invention, the anti-crack method for a key also includes stopping the operation of the signature algorithm when all the storage areas have been attacked.
In one embodiment of the invention, the storage device is a flash storage medium, a USB flash drive, a flash memory card, a solid state drive or a smart card.
In one embodiment of the invention, the non-volatile memory is a single-level cell (SLC) or multi-level cell (MLC) NAND flash memory.
The invention proposes a storage device comprising a non-volatile memory, a controller and a data transmission interface. The non-volatile memory is used to store data. The controller is electrically connected to the non-volatile memory and controls the operation of the storage device. The data transmission interface is electrically connected to the controller and is used to communicate with a host. The controller comprises a non-volatile memory interface, a buffer memory and a microprocessor unit. The non-volatile memory interface is used to access the non-volatile memory. The buffer memory is used to store data temporarily. The microprocessor unit controls the overall operation of the controller, and uses a plurality of storage areas to each store the same security information. When a signature algorithm and a key are used to generate a digital signature, the microprocessor unit selects one of the storage areas as the currently used storage area for accessing the security information, and synchronously updates the security information stored in the other storage areas when the security information of the currently used storage area is updated. When the microprocessor unit detects that the security information of the currently used storage area has been attacked while the digital signature is being generated, it selects another of the storage areas as the currently used storage area to provide correct security information and to store the updated security information.
In one embodiment of the invention, the non-volatile memory comprises a directory area, a secret area and an information data area, and the key is stored in the secret area.
In one embodiment of the invention, the signature algorithm is the RSA signature algorithm and the key is an RSA key.
In one embodiment of the invention, the attack detection by the microprocessor unit includes comparing the security information of the currently used storage area with the security information of the other storage areas.
In one embodiment of the invention, the microprocessor unit records a checksum or a hash value in the storage areas for attack detection.
In one embodiment of the invention, when the microprocessor unit updates the security information of the storage areas, it selects another of the storage areas as the currently used storage area.
In one embodiment of the invention, the microprocessor unit selects the currently used storage area at random.
In one embodiment of the invention, the number of storage areas is two.
In one embodiment of the invention, when the microprocessor unit detects an attack, it copies the security information of another storage area to the attacked storage area.
In one embodiment of the invention, the microprocessor unit stops the operation of the signature algorithm when it detects that all the storage areas have been attacked.
In one embodiment of the invention, the non-volatile memory is a single-level cell (SLC) or multi-level cell (MLC) NAND flash memory.
In one embodiment of the invention, the data transmission interface comprises a Universal Serial Bus (USB) interface, an IEEE1394 interface, a SATA interface, a PCI Express interface, a Memory Stick (MS) interface, a MultiMedia Card (MMC) interface, a Secure Digital (SD) card, a Compact Flash (CF) card or an Integrated Drive Electronics (IDE) interface.
In one embodiment of the invention, the data transmission interface is a smart card interface compatible with ISO7816.
The invention proposes a computer-readable recording medium carrying a computer program for executing the anti-crack method for a key, where the anti-crack method for a key includes using a plurality of storage areas to each store the same security information. The method also includes, when a signature algorithm and a key are used to generate a digital signature, selecting one of the storage areas as the currently used storage area for accessing the security information, and synchronously updating the security information stored in the other storage areas when the security information of the currently used storage area is updated. The method also includes, when the security information of the currently used storage area is detected to have been attacked while the digital signature is being generated, selecting another of the storage areas as the currently used storage area to provide correct security information and to store the updated security information.
Because the invention uses a plurality of storage areas to store the value of the security information, it improves the security of the signature algorithm and thereby prevents an attacker from stealing the key.
Description of the drawings
To make the above features and advantages of the invention easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings, in which:
Figure 1A is a block diagram of a storage device with an authentication mechanism according to an embodiment of the invention.
Figure 1B is a block diagram of a storage device with an authentication mechanism according to another embodiment of the invention.
Fig. 1C shows examples of storage devices according to an embodiment of the invention.
Fig. 2 is a flow chart of the anti-crack method for a key according to an embodiment of the invention.
Fig. 3 is a flow chart of the anti-crack method for a key according to another embodiment of the invention.
Embodiments
Figure 1A is a block diagram of a storage device with an authentication mechanism according to an embodiment of the invention.
Referring to Figure 1A, the storage device 100 comprises a data transmission interface 120, a non-volatile memory 140 and a controller 160.
The data transmission interface 120 is electrically connected to the controller 160 and is used to communicate with a host 200. In other words, the host 200 can access the storage device 100 through the data transmission interface 120. More specifically, the host 200 can store data in the non-volatile memory 140 of the storage device 100 via the data transmission interface 120, or read data stored in the non-volatile memory 140 from the storage device 100 via the data transmission interface 120. The data transmission interface 120 can be a USB interface, an IEEE1394 interface, a SATA interface, a PCI Express interface, an MS interface, an MMC interface, an SD interface, a CF interface or an IDE interface.
The non-volatile memory 140 is electrically connected to the controller 160 and is used to store data. For example, the non-volatile memory 140 comprises a directory area 140a, a secret area 140b and an information data area 140c, and the key used by the authentication mechanism is stored in the secret area 140b. In this embodiment, the non-volatile memory 140 is a flash memory; more specifically, it is a multi-level cell (MLC) NAND flash memory. It should be understood, however, that the invention is not limited to this; for example, the non-volatile memory 140 can also be a single-level cell (SLC) NAND flash memory.
The controller 160 controls the overall operation of the storage device 100, such as storing, reading and erasing data. Controller 100 comprises a non-volatile memory interface 160a, a buffer memory 160b and a microprocessor unit 160c.
The non-volatile memory interface 160a converts the data that the host 200 wants to write into a format acceptable to the non-volatile memory 140.
The buffer memory 160b temporarily stores system data (for example a mapping table) or data read or written by the host. In this embodiment, the buffer memory 160b is a static random access memory (SRAM). It should be understood, however, that the invention is not limited to this; dynamic random access memory (DRAM), magnetoresistive memory (MRAM), phase-change memory (PRAM) or another suitable memory can also be used.
The microprocessor unit 160c controls the overall operation of controller 100. The microprocessor unit 160c can execute a signature algorithm, and can execute an anti-crack method according to an embodiment of the invention to protect the key; the anti-crack method is described in detail later.
In another embodiment of the invention, the controller further comprises a memory management module 160d, a host transmission interface 160e, a program memory 160f, an error correction module 160g and a power management module 160h (shown as 160' in Figure 1B).
The memory management module 160d manages the non-volatile memory 140, for example by performing wear leveling, managing bad blocks and maintaining the mapping table.
The host transmission interface 160e is used to communicate with the host 200. It can be a USB interface, an IEEE1394 interface, a SATA interface, a PCI Express interface, an MS interface, an MMC interface, an SD interface, a CF interface or an IDE interface, corresponding to the data transmission interface 120 of the storage device 100.
The program memory 160f stores the program code that the controller executes to control the storage device 100.
The error correction module 160g computes error correcting codes to check and correct the data read or written by the host.
The power management module 160h manages the power supply of the non-volatile memory storage device 220.
In this embodiment, the storage device 100 is a flash storage medium. It should be understood, however, that the invention is not limited to this; the storage device can also be a USB flash drive 1002 having the above components, an SD card 1004a, MMC card 1004b, CF card 1004c or memory stick 1004d used by a digital camera (video camera) 1004, a solid state drive 1006, and so on (as shown in Fig. 1C).
This embodiment is described with a storage device whose main function is data storage. In another embodiment of the invention, the storage device can also be a smart card (not shown) whose main function is authentication, in which the data transmission interface is a smart card interface compatible with ISO7816.
Fig. 2 is a flow chart of the anti-crack method for a key according to an embodiment of the invention.
Referring to Fig. 2 and Figure 1A, in step S201 a plurality of storage areas are defined in the buffer memory 160b and each stores the same security information. In general, when a key is used to run a signature algorithm, a digital signature is produced for a document. Here, security information means the computation data produced while the signature algorithm runs, from which the digital signature is finally produced.
While a digital signature is being generated, an attacker who wants to steal the key can alter the security information and then infer the key from the final result of the signature algorithm. In the embodiments of the invention, the anti-crack method backs up the security information in a plurality of storage areas at the same time, so that the operation can continue with correct security information even when it is attacked.
In step S203, one of the defined storage areas is selected as the currently used storage area. The currently used storage area is the storage area from which the security information is accessed while the signature algorithm runs. In step S205, it is determined whether the security information stored in the currently used storage area is identical to the security information of the other storage areas. If step S205 determines that the security information stored in the currently used storage area is identical to that of the other storage areas, the computation of the signature algorithm is performed in step S207. Afterwards, the security information of the currently used storage area is updated in step S209, and the security information stored in the other storage areas is synchronously updated in step S211.
If step S205 determines that the security information stored in the currently used storage area differs from that of the other storage areas (that is, it has been attacked), then in step S213 one of the storage areas other than the currently used storage area is selected as the new currently used storage area, after which step S207 is executed.
In another embodiment of the invention, step S213 also includes updating the security information of the attacked storage area with the security information of another storage area that has not been attacked.
In this embodiment, whether an attack has occurred is determined by comparing the security information of all the storage areas. In another embodiment of the invention, a checksum or a hash value can also be used to check the security information of the storage areas in order to detect the attack. Fig. 3 is a flow chart of the anti-crack method for a key according to another embodiment of the invention. Referring to Fig. 3, the method of Fig. 3 additionally records a checksum (S202), and in step S205' uses the checksum to confirm whether the security information is correct, which replaces step S205 of Fig. 2 for attack detection.
In this embodiment, the storage area holding the security information is changed when an attack occurs. In another embodiment of the invention, in addition to changing the storage area when an attack occurs, step S211 also includes selecting another of the other storage areas as the new currently used storage area when the security information of the storage areas is updated. Because the storage area holding the security information changes more frequently, it is harder for the attacker to tamper with the security information.
In the embodiments of the invention, the currently used storage area is selected at random. It should be understood, however, that the invention is not limited to this; for example, the currently used storage area can also be selected sequentially.
It is worth mentioning that the embodiments of the invention use two storage areas to store the security information synchronously. It should be understood, however, that the invention is not limited to this; depending on the resources of the buffer memory 160b, more storage areas can also be used.
In addition, in another embodiment of the invention, the anti-crack method also includes stopping the operation of the signature algorithm when it is detected that all the storage areas have been attacked. In that case no result is output whatever the value of the key, so the attacker cannot infer the value of the key. Detecting whether all the storage areas have been attacked can be implemented with the recorded checksum or hash value described above.
It should be understood that the invention is not limited to the order of execution shown in Fig. 2 and Fig. 3. In other words, consistent with the purpose of the invention, the steps need not be carried out in the order described above.
Being clearer description spirit of the present invention, will be example with RSA stamped signature rule below, describe real work the of the present invention.
As described in prior art, RSA is a kind of of asymmetric cryptographic system, its be by professor Rivest, the Shamir of three of Massachusetts Institute Technologies and Adleman (RSA) 1978 develop out.Below will the present invention be described with various RSA rule examples.
[example one]
0.1 Input: M, K, N
0.2 Output: R = M^K mod N
0.3 R = 1, B = M
0.4 for i = 0 to length(K)-1,
0.5   if (K_i == 1) R = RB mod N
0.6   B = B^2 mod N
0.7 end for
The explanation of rule 1 above is given in the prior art and is not repeated here. As stated earlier, an attacker who wants to steal the RSA secret key can mount a fault attack on R in formula (0.5) or on B in formula (0.6) to steal the secret key. In other words, the attacker can guess the RSA secret key K by tampering with the value of R or B during operation.
To solve the problem that the RSA secret key may be cracked, the anti-crack method for the RSA secret key provided in the embodiments of the invention (as shown in Fig. 2 or Fig. 3) can be applied to rule 1 above to effectively prevent the RSA secret key from being stolen. The implementation of the anti-crack method of Fig. 2 on the RSA signature rule is described in detail below. RSA rule 1' with the anti-crack method:
2.1 Input: M, K, N
2.2 Output: R = M^K mod N
2.3 Buffer: S_0, S_1
2.4 S_0 = S_1 = 1, B = M, p = 0, R points to S_p
2.5 for i = 0 to length(K)-1,
2.6   if (K_i == 1),
2.7     R = RB mod N
2.8     Synchronize_MB(&R, &p)
2.9   end if
2.10   B = B^2 mod N
2.11   if (S_0 ≠ S_1) Remedy_MB(&R, &p)
2.12 end for
Sub-routine Synchronize_MB(*R, *p) {
  S_((*p+1) mod 2) = *R   // copy the updated value to the other storage area
  *p = (*p+1) mod 2
  R = &S_p   // R points to S_p
}
Sub-routine Remedy_MB(*R, *p) {
  S_(*p) = S_((*p+1) mod 2)   // copy the other (unattacked) area over the attacked current area
  *p = (*p+1) mod 2
  R = &S_p   // R points to S_p
}
RSA rule 1' differs from RSA rule 1 in that RSA rule 1' defines storage areas S_0 and S_1 in formula (2.3) to store the security information R (step S201), and in formula (2.4) selects one of the defined storage areas as the currently used storage area (step S203). After the modular multiplication of formula (2.7) is executed, formula (2.8) synchronously updates (i.e. Synchronize_MB(*R, *p)) the security information of storage areas S_0 and S_1 (step S211). In addition, formula (2.11) determines whether the security information stored in the currently used storage area is identical to the security information of the other storage area (step S205); when they differ (the currently used storage area has been attacked), the other storage area is selected as the currently used storage area (step S213) and the security information of that other storage area is copied to the attacked storage area (Remedy_MB(*R, *p)).
From formulas (2.6)-(2.9) it can be seen that, when an attack occurs, if the secret key bit K_i = 1, then S_0 and S_1 are equal and the final security information R is also correct; if K_i = 0, formula (2.11) detects that S_0 and S_1 are unequal, and the computation then continues with the security information R of the other storage area. In other words, the attacked storage area is corrected, so the final security information R is also correct.
General countermeasures, when an attack occurs, either block the output of the result or, at the end, recompute with the RSA public key and compare in order to detect the attack. Such an approach detects the attack but cannot withstand it. Because the general approach stops outputting the result when an attack is detected, it also tells the attacker that the attack produced an erroneous computation result, from which K_i = 0 can be inferred. In the embodiments of the present invention, however, the correct result is obtained at the end whether K_i = 0 or K_i = 1 at the time of the attack, so the attacker cannot infer the secret key K.
In addition, a mechanism that detects whether all storage areas S_0 and S_1 have been attacked can also be added to formulas (2.6)-(2.9) and formula (2.11). When all storage areas S_0 and S_1 have been attacked, no result is output whether K_i = 0 or K_i = 1, which prevents the attacker from inferring the value of the secret key.
[example two]
In example one the secret key K is read from right to left. In this example the secret key K is read from left to right. RSA rule 2:
3.1 Input: M, K, N
3.2 Output: R = M^K mod N
3.3 R = 1
3.4 for i = length(K)-1 downto 0,
3.5   R = R^2 mod N
3.6   if (K_i == 1) R = RM mod N
3.7 end for
All input and output values of RSA rule 2 are the same as in rule 1 and are not repeated here. Because RSA rule 2 reads the secret key K in a different order from RSA rule 1, the execution order in formulas (3.4)-(3.7) differs slightly, but it is essentially the same. RSA rule 2 therefore carries a risk of the secret key being stolen similar to that of RSA rule 1. To solve this problem, the method described in Fig. 2 can be implemented in RSA rule 2, as RSA rule 2':
4.1 Input: M, K, N
4.2 Output: R = M^K mod N
4.3 Buffer: S_0, S_1
4.4 S_0 = S_1 = 1, p = 0, R points to S_p
4.5 for i = length(K)-1 downto 0,
4.6   R = R^2 mod N
4.7   Synchronize_MB(&R, &p)
4.8   if (K_i == 1),
4.9     R = RM mod N
4.10     Synchronize_MB(&R, &p)
4.11   end if
4.12   if (S_0 ≠ S_1) Remedy_MB(&R, &p)
4.13 end for
RSA rule 2' differs from RSA rule 2 in that RSA rule 2' defines storage areas S_0 and S_1 in formula (4.3) to store the security information R (step S201), and in formula (4.4) selects one of the defined storage areas as the currently used storage area (step S203). After the modular multiplications of formula (4.6) and formula (4.9) are executed, formulas (4.7) and (4.10) respectively synchronously update the security information of storage areas S_0 and S_1 (step S211). In addition, formula (4.12) determines whether the security information stored in the currently used storage area is identical to the security information of the other storage area (step S205); when they differ (the currently used storage area has been attacked), the other storage area is selected as the currently used storage area (step S213) and the security information of that other storage area is copied to the attacked storage area.
Similarly, a mechanism that detects whether all storage areas S_0 and S_1 have been attacked can also be added to formulas (4.6)-(4.11) and formula (4.12). When all storage areas S_0 and S_1 have been attacked, no result is output whether K_i = 0 or K_i = 1, which prevents the attacker from inferring the value of the secret key.
[example three]
Examples one and two both use the fault attack (tampering with the security information to guess the secret key) to illustrate the implementation and effect of the embodiments of the invention. For the RSA signature rule, besides the fault attack, another common attack is the timing attack. Refer to RSA rule 1: because K_i = 1 requires one more modular multiplication, the one in formula (0.5), than K_i = 0, the execution time for K_i = 1 is generally longer than for K_i = 0. A party who wants to steal the secret key can therefore determine the secret key K by measuring these two times. To avoid this timing attack, RSA rule 1 is generally changed into RSA rule 3:
5.1 Input: M, K, N
5.2 Output: R = M^K mod N
5.3 R = 1, B = M
5.4 for i = 0 to length(K)-1,
5.5   y = RB mod N
5.6   if (K_i == 1) R = y
5.7   B = B^2 mod N
5.8 end for
In RSA rule 3, the only difference between K_i = 1 and K_i = 0 is the execution of formula (5.6), and formula (5.6) is merely a movement of data in memory, which takes very little time, so the time required for K_i = 1 and for K_i = 0 is essentially the same. Like RSA rule 1, RSA rule 3 also carries the risk of the secret key K being stolen (through attacks on the security information R and B). In addition, RSA rule 3 adds the security information y, so besides R and B the attacker has one more place to attack.
To solve this problem, the method described in Fig. 2 can be implemented in RSA rule 3, as RSA rule 3':
6.1 Input: M, K, N
6.2 Output: R = M^K mod N
6.3 Buffer: S_0, S_1
6.4 R = 1, B = M, p = 0, y points to S_p
6.5 for i = 0 to length(K)-1,
6.6   y = RB mod N
6.7   Synchronize_MB(&y, &p)
6.8   if (K_i == 1),
6.9     if (S_0 ≠ S_1) Remedy_MB(&y, &p)
6.10     R = y
6.11   end if
6.12   B = B^2 mod N
6.13 end for
RSA rule 3' differs from RSA rule 3 in that RSA rule 3' defines storage areas S_0 and S_1 in formula (6.3) to store the security information R (step S201), and in formula (6.4) selects one of the defined storage areas as the currently used storage area (step S203). After the modular multiplication of formula (6.6) is executed, formula (6.7) synchronously updates the security information of storage areas S_0 and S_1 (step S211). In addition, formula (6.9) determines whether the security information stored in the currently used storage area is identical to the security information of the other storage area (step S205); when they differ (the currently used storage area has been attacked), the other storage area is selected as the currently used storage area (step S213) and the security information of that other storage area is copied to the attacked storage area.
Similarly, a mechanism that detects whether all storage areas S_0 and S_1 have been attacked can also be added to formulas (6.5)-(6.12). When all storage areas S_0 and S_1 have been attacked, no result is output whether K_i = 0 or K_i = 1, which prevents the attacker from inferring the value of the secret key.
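The following Python code is an added example, not code from the patent: it runs RSA rule 3 and RSA rule 3' on constructed toy values and injects one simulated fault into y, to show at which iterations the fault changes the output of each rule. Remedy_MB is implemented as step S213 is described (the unattacked area is copied over the attacked current area); the names `fault_at`, `events` and `fault_sensitive_positions` and the values M, K, N are assumptions made for this example.

```python
# Added example (not from the patent): RSA rule 3 and RSA rule 3' run with one
# simulated fault on the intermediate value y. All values are constructed.

M, K, N = 65, 2753, 3233   # constructed toy message, exponent, modulus (61*53)


def key_bits(k):
    """Bits K_0, K_1, ... of k, read right to left as in rules 3 and 3'."""
    return [(k >> i) & 1 for i in range(k.bit_length())]


def rule3(m, k, n, fault_at=None):
    """RSA rule 3 (lines 5.3-5.8): a single copy of y.

    fault_at is a hypothetical test hook: the iteration in which the stored
    y is corrupted between line 5.5 and line 5.6.
    """
    r, b = 1, m % n                          # 5.3
    for i, bit in enumerate(key_bits(k)):    # 5.4
        y = (r * b) % n                      # 5.5
        if i == fault_at:
            y ^= 1                           # simulated fault: one bit of y flips
        if bit == 1:                         # 5.6
            r = y
        b = (b * b) % n                      # 5.7
    return r


def rule3_protected(m, k, n, fault_at=None, events=None):
    """RSA rule 3' (lines 6.3-6.13): y is held in two storage areas.

    The simulated fault hits only the currently used area, after
    Synchronize_MB has run. If a list is passed as events (hypothetical
    hook), the iterations in which Remedy_MB ran are appended to it.
    """
    s = [1, 1]                               # 6.3  storage areas S_0, S_1
    p = 0                                    # 6.4  y is S[p]
    r, b = 1, m % n
    for i, bit in enumerate(key_bits(k)):    # 6.5
        s[p] = (r * b) % n                   # 6.6  y = RB mod N
        s[1 - p] = s[p]                      # 6.7  Synchronize_MB: copy y ...
        p = 1 - p                            #      ... and switch areas
        if i == fault_at:
            s[p] ^= 1                        # simulated fault on the current area
        if bit == 1:                         # 6.8
            if s[0] != s[1]:                 # 6.9  areas differ: attack detected
                s[p] = s[1 - p]              # Remedy_MB: restore from other area
                p = 1 - p                    # and switch to that area
                if events is not None:
                    events.append(i)
            r = s[p]                         # 6.10 R = y
        b = (b * b) % n                      # 6.12
    return r


def fault_sensitive_positions(exp_fn, m, k, n):
    """Iterations at which a single fault on y changes the final output."""
    expected = pow(m, k, n)
    return [i for i in range(k.bit_length())
            if exp_fn(m, k, n, fault_at=i) != expected]


if __name__ == "__main__":
    print("key bits K_0..:", key_bits(K))
    print("rule 3  sensitive iterations:",
          fault_sensitive_positions(rule3, M, K, N))
    print("rule 3' sensitive iterations:",
          fault_sensitive_positions(rule3_protected, M, K, N))
```

For rule 3 the sensitive iterations coincide with the 1 bits of K, which is the dependence on the key that the two storage areas remove. A fault that lands before Synchronize_MB would be copied into both areas, so it is outside what this example models.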
[example four]
Likewise, to prevent the timing attack, RSA rule 2 is generally changed into RSA rule 4. The idea behind the change is similar to that of RSA rule 3 and is not repeated here. RSA rule 4:
7.1 Input: M, K, N
7.2 Output: R = M^K mod N
7.3 R = 1
7.4 for i = length(K)-1 downto 0,
7.5   y_0 = R^2 mod N
7.6   y_1 = y_0 M mod N
7.7   if (K_i == 1) R = y_1
7.8   else R = y_0
7.9 end for
However, RSA rule 4 is essentially the same as RSA rule 3, so besides the security information R and B, RSA rule 4 also adds y_0 and y_1 as points of attack. To solve this problem, the method described in Fig. 2 can be implemented in RSA rule 4, as RSA rule 4':
8.1 Input: M, K, N
8.2 Output: R = M^K mod N
8.3 Buffer: S_0, S_1
8.4 R = 1, p = 0, y_1 points to S_p
8.5 for i = length(K)-1 downto 0,
8.6   y_0 = R^2 mod N
8.7   y_1 = y_0 M mod N
8.8   Synchronize_MB(&y_1, &p)
8.9   if (K_i == 1) {
8.10     if (S_0 ≠ S_1) Remedy_MB(&y_1, &p)
8.11     R = y_1
8.12   } else R = y_0
8.13 end for
RSA rule 4' differs from RSA rule 4 in that RSA rule 4' defines storage areas S_0 and S_1 in formula (8.3) to store the security information R (step S201), and in formula (8.4) selects one of the defined storage areas as the currently used storage area (step S203). After the modular multiplications of formulas (8.6) and (8.7) are executed, formula (8.8) synchronously updates the security information of storage areas S_0 and S_1 (step S211). In addition, formula (8.10) determines whether the security information stored in the currently used storage area is identical to the security information of the other storage area (step S205); when they differ (the currently used storage area has been attacked), the other storage area is selected as the currently used storage area (step S213) and the security information of that other storage area is copied to the attacked storage area.
Similarly, a mechanism that detects whether all storage areas S_0 and S_1 have been attacked can also be added to formulas (8.6)-(8.11). When all storage areas S_0 and S_1 have been attacked, no result is output whether K_i = 0 or K_i = 1, which prevents the attacker from inferring the value of the secret key.
All of the examples above protect the security information R, but it must be understood that the security information B, y, y_0 and y_1 in the RSA rules above can all be protected with storage areas S_0 and S_1.
Although the embodiment shown in Fig. 2 is implemented above in several RSA rules, the embodiment of Fig. 3 can be implemented in a similar manner.
The implementation of the embodiments of the invention is described above with several RSA signature rule examples, mainly to show that the present invention can be applied to various RSA signature rules and to other similar signature rules. That is to say, the invention is not limited to a specific signature rule.
The anti-crack method for a secret key described above can be implemented as computer-readable code on a computer-readable recording medium. The computer-readable recording medium can be any data storage device that can thereafter be read by a computer system. Examples of the computer-readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage devices and carrier waves (for example, data transmission over the Internet).
In summary, the anti-crack method for a secret key proposed by the present invention stores the values of the security information (such as the security information R and B above) in a plurality of storage areas. When this security information is used (that is, read and written) while the signature rule is executed, only one of the storage areas is used. At specific points in time, all storage areas are compared to see whether they are identical; if a difference is found, another storage area that has not been attacked is used instead. As a result, the attacker cannot obtain information about the secret key from the computation result, which improves the security of the signature rule.
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the invention. Anyone with ordinary knowledge in the relevant technical field may make minor changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the present invention is that defined by the claims.

Claims (37)

1. An anti-crack method for a secret key, characterized by comprising:
using a plurality of storage areas to each store the same security information;
when a signature rule and the secret key are used to generate a digital signature, selecting one of the plurality of storage areas as a currently used storage area for accessing the security information, and, when the security information of the currently used storage area is updated, synchronously updating the security information stored in the other storage areas of the plurality of storage areas; and
when it is detected during generation of the digital signature that the security information of the currently used storage area has suffered an attack, selecting another storage area of the plurality of storage areas as the currently used storage area to provide the correct security information and to store the updated security information, updating the security information of the currently used storage area, and synchronously updating the security information stored in the other storage areas.
2. The anti-crack method for a secret key as claimed in claim 1, characterized in that the signature rule is an RSA signature rule and the secret key is an RSA secret key.
3. The anti-crack method for a secret key as claimed in claim 1, characterized in that detecting the attack comprises comparing the security information of the currently used storage area with the security information of the other storage areas among the plurality of storage areas.
4. The anti-crack method for a secret key as claimed in claim 1, characterized by further comprising recording a checksum or a hash value in the plurality of storage areas to detect the attack.
5. The anti-crack method for a secret key as claimed in claim 1, characterized by further comprising, when the security information of the plurality of storage areas is updated, selecting another storage area, among the plurality of storage areas other than the currently used storage area, as the currently used storage area.
6. The anti-crack method for a secret key as claimed in claim 5, characterized in that the currently used storage area is selected randomly.
7. The anti-crack method for a secret key as claimed in claim 1, characterized in that the number of the plurality of storage areas is two.
8. The anti-crack method for a secret key as claimed in claim 1, characterized by further comprising, when the attack is detected, copying the security information of the other storage area to the attacked storage area.
9. The anti-crack method for a secret key as claimed in claim 1, characterized by further comprising stopping the operation of the signature rule when all of the plurality of storage areas have been attacked.
10. A controller for use in a storage device, characterized in that the controller comprises:
a non-volatile memory interface for accessing a non-volatile memory;
a buffer memory for temporarily storing data; and
a microprocessing unit for controlling the overall operation of the controller,
wherein the microprocessing unit uses a plurality of storage areas to each store the same security information,
when a signature rule and a secret key are used to generate a digital signature, the microprocessing unit selects one of the plurality of storage areas as a currently used storage area for accessing the security information and, when the security information of the currently used storage area is updated, synchronously updates the security information stored in the other storage areas of the plurality of storage areas, and
when the microprocessing unit detects during generation of the digital signature that the security information of the currently used storage area has suffered an attack, it selects another storage area of the plurality of storage areas as the currently used storage area to provide the correct security information and to store the updated security information, updates the security information of the currently used storage area, and synchronously updates the security information stored in the other storage areas.
11. The controller as claimed in claim 10, characterized in that the signature rule is an RSA signature rule and the secret key is an RSA secret key.
12. The controller as claimed in claim 10, characterized in that detecting the attack by the microprocessing unit comprises comparing the security information of the currently used storage area with the security information of the other storage areas among the plurality of storage areas.
13. The controller as claimed in claim 10, characterized in that the microprocessing unit records a checksum or a hash value in the plurality of storage areas to detect the attack.
14. The controller as claimed in claim 10, characterized in that, when the microprocessing unit updates the security information of the plurality of storage areas, it selects another storage area, among the plurality of storage areas other than the currently used storage area, as the currently used storage area.
15. The controller as claimed in claim 14, characterized in that the microprocessing unit selects the currently used storage area randomly.
16. The controller as claimed in claim 10, characterized in that the number of the plurality of storage areas is two.
17. The controller as claimed in claim 10, characterized in that, when the microprocessing unit detects the attack, it copies the security information of the other storage area to the attacked storage area.
18. The controller as claimed in claim 10, characterized in that the microprocessing unit stops the operation of the signature rule when it detects that all of the plurality of storage areas have been attacked.
19. The controller as claimed in claim 10, characterized in that the storage device is a flash memory storage medium.
20. The controller as claimed in claim 10, characterized in that the storage device is a USB flash drive.
21. The controller as claimed in claim 10, characterized in that the storage device is a flash memory card.
22. The controller as claimed in claim 10, characterized in that the storage device is a solid state drive.
23. The controller as claimed in claim 10, characterized in that the storage device is a smart card.
24. The controller as claimed in claim 10, characterized in that the non-volatile memory is a single-level cell (SLC) or multi-level cell (MLC) NAND flash memory.
25. A storage device, characterized by comprising:
a non-volatile memory for storing data;
a data transmission interface for communicating with a host; and
a controller, electrically connected to the non-volatile memory and the data transmission interface, for controlling the operation of the storage device, the controller comprising:
a non-volatile memory interface for accessing the non-volatile memory;
a buffer memory for temporarily storing data; and
a microprocessing unit for controlling the overall operation of the controller,
wherein the microprocessing unit of the controller uses a plurality of storage areas to each store the same security information,
when a signature rule and a secret key are used to generate a digital signature, the microprocessing unit of the controller selects one of the plurality of storage areas as a currently used storage area for accessing the security information and, when the security information of the currently used storage area is updated, synchronously updates the security information stored in the other storage areas of the plurality of storage areas, and
when the microprocessing unit of the controller detects during generation of the digital signature that the security information of the currently used storage area has suffered an attack, it selects another storage area of the plurality of storage areas as the currently used storage area to provide the correct security information and to store the updated security information, updates the security information of the currently used storage area, and synchronously updates the security information stored in the other storage areas.
26. The storage device as claimed in claim 25, characterized in that the non-volatile memory comprises a directory area, a secret area and an information data area, and the secret key is stored in the secret area.
27. The storage device as claimed in claim 25, characterized in that the signature rule is an RSA signature rule and the secret key is an RSA secret key.
28. The storage device as claimed in claim 25, characterized in that detecting the attack by the microprocessing unit comprises comparing the security information of the currently used storage area with the security information of the other storage areas among the plurality of storage areas.
29. The storage device as claimed in claim 25, characterized in that the microprocessing unit records a checksum or a hash value in the plurality of storage areas to detect the attack.
30. The storage device as claimed in claim 25, characterized in that, when the microprocessing unit updates the security information of the plurality of storage areas, it selects another storage area, among the plurality of storage areas other than the currently used storage area, as the currently used storage area.
31. The storage device as claimed in claim 30, characterized in that the microprocessing unit selects the currently used storage area randomly.
32. The storage device as claimed in claim 25, characterized in that the number of the plurality of storage areas is two.
33. The storage device as claimed in claim 25, characterized in that, when the microprocessing unit detects the attack, it copies the security information of the other storage area to the attacked storage area.
34. The storage device as claimed in claim 25, characterized in that the microprocessing unit stops the operation of the signature rule when it detects that all of the plurality of storage areas have been attacked.
35. The storage device as claimed in claim 25, characterized in that the non-volatile memory is an SLC or MLC NAND flash memory.
36. The storage device as claimed in claim 25, characterized in that the data transmission interface comprises a Universal Serial Bus (USB) interface, an IEEE 1394 interface, a SATA interface, a PCI Express interface, a Memory Stick interface, a MultiMediaCard interface, a Secure Digital card interface, a CompactFlash interface or an Integrated Drive Electronics (IDE) interface.
37. The storage device as claimed in claim 25, characterized in that the data transmission interface is a smart card interface compatible with ISO 7816.
CN2007103001881A 2007-12-19 2007-12-19 Decode-proof method for cipher key as well as controller and memory device for implementing the method Active CN101465726B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007103001881A CN101465726B (en) 2007-12-19 2007-12-19 Decode-proof method for cipher key as well as controller and memory device for implementing the method

Publications (2)

Publication Number Publication Date
CN101465726A (en) 2009-06-24
CN101465726B (en) 2011-10-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant