CN103246494A - Safety modular exponentiation method for resisting energy analysis and fault attack - Google Patents

Publication number: CN103246494A
Authority: CN (China)
Legal status: Pending
Application number: CN2013101994946A
Other languages: Chinese (zh)
Inventors: 刘红明, 周玉洁
Current Assignee: SHANGHAI AISINO CHIP ELECTRONIC TECHNOLOGY Co Ltd
Original Assignee: SHANGHAI AISINO CHIP ELECTRONIC TECHNOLOGY Co Ltd
Classification: Storage Device Security
Abstract

The invention discloses a secure modular exponentiation method that resists power analysis and fault attacks. The method comprises the steps of: reading a base M, an exponent E and a modulus N; setting the intermediate variables TmpM=M, TmpE=E and TmpR=1; writing the modulus N into the N SRAM, starting the precomputation, and converting TmpM and TmpR into Montgomery numbers by means of the A SRAM and the B SRAM; randomly selecting a divisor D, updating TmpE=TmpE/D and computing the intermediate variable Rem=TmpE mod D; if TmpE≠0, updating TmpR=TmpM^(Rem)*TmpR mod N and TmpM=TmpM^(D) mod N according to the divisor-remainder pair (D, Rem) and returning to the divisor-selection step; if TmpE=0, computing the intermediate variable TmpR1=TmpM^(Rem)*TmpR mod N according to the remainder Rem; reloading the modulus N into the N SRAM and updating TmpR=TmpM^(Rem)*TmpR mod N according to the remainder Rem; comparing TmpR1 with TmpR; if TmpR1 equals TmpR, starting the command that converts TmpR into an ordinary number and outputting the result; and if TmpR1 does not equal TmpR, ending the operation. The method resists both power analysis attacks and fault attacks.

Description

A secure modular exponentiation method resistant to power analysis and fault attacks
Technical field
The present invention relates to the secure implementation of public-key cryptosystems, and in particular to a secure modular exponentiation method that resists power analysis and fault attacks.
Background
With the development and application of information technology, online transactions such as online banking, e-government and e-commerce have become increasingly common, and the security problems that come with them increasingly serious, so information transmitted over networks needs to be encrypted. Traditional cryptographic algorithms use a symmetric cryptosystem in which both communicating parties share the same key. Its advantages are that encryption is easy to implement in hardware and that encryption and decryption are both fast, but it carries a security risk: the key is easily stolen during exchange. Modern public-key cryptosystems are asymmetric: they require only that the exchanged key be authentic, not that it be kept secret. Each entity selects a key pair (e, d), where e is the public key and d is the private key; the private key must be kept secret, and it cannot be computed from the public key. At present there are two main public-key algorithms: RSA and elliptic curve cryptography (ECC). Both of these public-key algorithms need modular exponentiation (M^E mod N). In modular exponentiations that involve the private key, the exponent E must be protected and must not be leaked.
To increase speed, modular exponentiation algorithms are now almost always implemented in integrated circuit chips. Chips are built from transistor gates, and the time and energy a circuit needs differ with the operation it performs. This can be observed with an oscilloscope, and the leaked information can then be used to attack the modular exponentiation and obtain the private key. Common attack methods at present include timing analysis, electromagnetic radiation analysis, power analysis and fault injection, of which power analysis and fault injection are the most effective.
Since Kocher et al. proposed simple power analysis (SPA) and differential power analysis (DPA) in 1996, these two methods have been used to attack a number of modular exponentiation algorithms successfully, and as power analysis techniques have improved, some existing modular exponentiation algorithms can no longer resist them. In 1997, Boneh et al. proposed a new attack method: fault injection. A fault is injected to obtain an erroneous result, and the relationship between the erroneous result and the correct result is then used to factor the modulus N and thereby obtain the private key. This attack mainly targets modular exponentiation implemented with the Chinese remainder theorem (CRT). As the technology has developed, the scope of fault injection has also widened, from injecting random faults to injecting faults into the key itself and into the modulus N. Erroneous data is obtained by injecting a fault and then processed with further computation, so that the private key is finally obtained. Many existing modular exponentiation algorithms consider only resistance to power analysis and neglect resistance to fault injection, or the reverse, so their security is not high.
Summary of the invention
In view of the above problems, the invention provides a secure modular exponentiation algorithm that resists both power analysis and fault attacks and computes quickly, and is therefore particularly suitable for embedded devices such as smart cards and USB keys.
To achieve the above object, the technical solution of the invention provides a secure modular exponentiation method that resists power analysis and fault attacks, comprising the following steps:
Step 1, read the base M, the exponent E and the modulus N;
Step 2, set the intermediate variables TmpM=M, TmpE=E, TmpR=1;
Step 3, provide five SRAMs of 64×32 bits each, named the A, B, N, R and T SRAM respectively; write the modulus N to the N SRAM and start the precomputation, obtaining the parameter Nacc and the result of R^2 mod N; next, write the intermediate variable TmpM to the A SRAM and the intermediate variable TmpR to the B SRAM, and start the command that converts TmpM and TmpR into Montgomery numbers.
Step 4, randomly select a divisor D, update the intermediate variable TmpE=TmpE/D, and compute the intermediate variable Rem=TmpE mod D; this further comprises:
Step 4.1, set the intermediate variable D=0;
Step 4.2, generate a 32-bit true random number and assign it to the intermediate variable temp; if temp is less than 0xDfffffff, go to step 4.3, otherwise go to step 4.6;
Step 4.3, set t=TmpE mod 2, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 2: set D=2 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 2: go to step 4.4;
Step 4.4, set t=TmpE mod 5, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 5: set D=5 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 5: go to step 4.5;
Step 4.5, set t=TmpE mod 3, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 3: set D=3 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 3: go to step 4.6.
Step 4.6, check the value of the intermediate variable D: if D equals 0, go to step 4.7, otherwise go to step 4.9;
Step 4.7, generate a 32-bit true random number and assign it to the intermediate variable temp;
If temp is less than 0xBfffffff, set D=2;
If temp is less than 0xDfffffff, set D=3;
If temp is greater than or equal to 0xDfffffff, set D=5;
Go to step 4.8.
Step 4.8, compute the intermediate variable Rem=TmpE mod D, and go to step 4.9;
Step 4.9, update TmpE=TmpE/D.
Step 5, check the value of the intermediate variable TmpE: if TmpE=0, jump to step 7; if TmpE≠0, jump to step 6;
Step 6, update the corresponding intermediate variables according to the divisor-remainder pair (D, Rem): TmpR=TmpM^(Rem)*TmpR mod N, TmpM=TmpM^(D) mod N, and go to step 4;
Step 7, compute the intermediate variable TmpR1=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 8, reload the modulus N into the N SRAM, and update the intermediate variable TmpR=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 9, compare the intermediate variables TmpR1 and TmpR: if they are equal, go to step 10; if they are not equal, go to step 11;
Step 10, start the command that converts TmpR into an ordinary number, and output the result;
Step 11, end the operation.
Compared with the prior art, the secure modular exponentiation method of the invention has the following advantages. First, before the computation finishes, the invention reloads the modulus N, recomputes the final step, and compares the recomputed result with the previously computed result, which resists fault injection attacks. Second, the divisor D is selected by a random algorithm, which gives stronger resistance to SPA and DPA. Third, the modular multiplication, modular squaring and other modular operations of the invention are implemented with a hardware Montgomery algorithm, and random number generation, division and data transfer are also implemented in hardware, which improves the performance of the algorithm. Fourth, step 4 and step 6 of the invention can run at the same time, to improve the performance of the algorithm.
Description of drawings
Fig. 1 is the overall flow chart of the secure modular exponentiation method of the invention that resists power analysis and fault attacks;
Fig. 2 is the flow chart for randomly selecting D and computing the quotient and remainder in the secure modular exponentiation method of the invention that resists power analysis and fault attacks.
Embodiment
The embodiments of the invention are described in further detail below with reference to the drawings. The embodiment does not limit the invention; any use of a similar structure, a similar method or a similar variation of the invention falls within the scope of protection of the invention.
As shown in Fig. 1, the invention discloses a secure modular exponentiation method that resists power analysis and fault attacks, comprising the following steps:
Step 1, read the base M, the exponent E and the modulus N;
Step 2, set the intermediate variables TmpM=M, TmpE=E, TmpR=1;
Step 3, corresponding hardware is provided to implement this step; the hardware includes five SRAMs of 64×32 bits each, named the A, B, N, R and T SRAM respectively;
Write the modulus N to the N SRAM and start the precomputation (its purpose is to compute the parameter Nacc and R^2 mod N); next, write the intermediate variable TmpM to the A SRAM and the intermediate variable TmpR to the B SRAM, and start the convert-to-Montgomery-number command (its purpose is to convert TmpM and TmpR into Montgomery numbers).
Step 4, randomly select a divisor D, update the intermediate variable TmpE=TmpE/D, and compute the intermediate variable Rem=TmpE mod D; as shown in Fig. 2, this further comprises the following steps:
Step 4.1, set the intermediate variable D=0;
Step 4.2, generate a 32-bit true random number and assign it to the intermediate variable temp; if temp is less than 0xDfffffff, go to step 4.3, otherwise go to step 4.6;
Step 4.3, set t=TmpE mod 2, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 2: set D=2 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 2: go to step 4.4;
Step 4.4, set t=TmpE mod 5, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 5: set D=5 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 5: go to step 4.5;
Step 4.5, set t=TmpE mod 3, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 3: set D=3 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 3: go to step 4.6.
Step 4.6, check the value of the intermediate variable D: if D equals 0, go to step 4.7, otherwise go to step 4.9;
Step 4.7, generate a 32-bit true random number and assign it to the intermediate variable temp;
If temp is less than 0xBfffffff, set D=2;
If temp is less than 0xDfffffff, set D=3;
If temp is greater than or equal to 0xDfffffff, set D=5;
Go to step 4.8.
Step 4.8, compute the intermediate variable Rem=TmpE mod D, and go to step 4.9;
Step 4.9, update TmpE=TmpE/D.
Step 5, check the value of TmpE: if TmpE=0, jump to step 7; if TmpE≠0, jump to step 6;
Step 6, update the following intermediate variables according to the divisor-remainder pair (D, Rem): TmpR=TmpM^(Rem)*TmpR mod N, TmpM=TmpM^(D) mod N, and go to step 4.
In step 6, the divisor-remainder pairs (D, Rem) and the corresponding computations are given in the following table:
[Table: computation for each divisor-remainder pair (D, Rem); image not reproduced]
Note: all operands below are Montgomery numbers; A denotes the number in the A SRAM, B the number in the B SRAM, and R the number in the R SRAM;
AAA: the number in A is modular-squared, and the result is written back to A;
AAR: the number in A is modular-squared, and the result is written to R;
ARA: the number in A and the number in R are modular-multiplied, and the result is written back to A;
ABB: the number in A and the number in B are modular-multiplied, and the result is written back to B;
RRR: the number in R is modular-squared, and the result is written back to R;
RBB: the number in R and the number in B are modular-multiplied, and the result is written back to B;
R->A: the number in R is moved to A.
Step 7, compute the intermediate variable TmpR1=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 8, reload the modulus N into the N SRAM, and update TmpR=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 9, compare TmpR1 and TmpR: if they are equal, go to step 10; if they are not equal, go to step 11;
Step 10, start the convert-to-ordinary-number command (its purpose is to convert TmpR into an ordinary number), and output the result;
Step 11, end the operation.
In the invention, the five SRAMs used in step 3, the true random number generation, modulo operation and division used in step 4, and the modular multiplication, modular squaring and data transfer operations used in step 6 are all implemented in hardware, for example by the hardware modules provided by the security chip SSX1108.
The modular exponentiation method provided by the invention resists not only power attacks (such as SPA, simple power analysis, and DPA, differential power analysis) but also fault attacks.
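A software model of steps 1 to 11 in Python, added here as an illustration and not taken from the patent. It assumes plain modular arithmetic in place of the hardware Montgomery operations and of the per-pair operation table (which is not reproduced on this page), `secrets.randbits` in place of the hardware true random number generator, and a hypothetical `fault` hook that corrupts the working copy of the modulus just before step 7; the function and parameter names are this example's own.

```python
import secrets

# Illustrative model, not the patent's code. The names hw_trng32,
# select_divisor, secure_modexp, rand32 and fault are assumptions.

def hw_trng32():
    """Stand-in for the hardware 32-bit true random number generator."""
    return secrets.randbits(32)

def select_divisor(tmp_e, rand32=hw_trng32):
    """Steps 4.1-4.9: return (D, Rem, TmpE // D) with D in {2, 3, 5}."""
    d, rem = 0, 0                                   # step 4.1
    if rand32() < 0xDFFFFFFF:                       # step 4.2
        for cand in (2, 5, 3):                      # steps 4.3, 4.4, 4.5
            if tmp_e % cand == 0:                   # exact divisor found
                d, rem = cand, 0
                break
    if d == 0:                                      # step 4.6
        temp = rand32()                             # step 4.7, read as ranges
        d = 2 if temp < 0xBFFFFFFF else 3 if temp < 0xDFFFFFFF else 5
        rem = tmp_e % d                             # step 4.8
    return d, rem, tmp_e // d                       # step 4.9

def secure_modexp(m, e, n, rand32=hw_trng32, fault=None):
    """Return (M^E mod N, trace), or (None, trace) if the check fails.

    trace lists the (D, Rem) pairs used; it differs from run to run,
    which is what randomises the operation sequence an observer sees.
    """
    tmp_m, tmp_e, tmp_r = m % n, e, 1 % n           # steps 1-2
    n_sram = n                                      # step 3: working modulus
    trace = []
    while True:
        d, rem, tmp_e = select_divisor(tmp_e, rand32)        # step 4
        trace.append((d, rem))
        if tmp_e == 0:                                       # step 5
            break
        tmp_r = pow(tmp_m, rem, n_sram) * tmp_r % n_sram     # step 6
        tmp_m = pow(tmp_m, d, n_sram)
    if fault is not None:
        n_sram = fault(n_sram)      # constructed fault on the stored modulus
    tmp_r1 = pow(tmp_m, rem, n_sram) * tmp_r % n_sram        # step 7
    n_sram = n                                               # step 8: reload N
    tmp_r = pow(tmp_m, rem, n_sram) * tmp_r % n_sram
    if tmp_r1 != tmp_r:                                      # step 9
        return None, trace                                   # step 11: no output
    return tmp_r, trace                                      # step 10

if __name__ == "__main__":
    n = (1 << 127) - 1                      # constructed sample modulus
    for _ in range(3):
        res, trace = secure_modexp(0x1234567, 65537, n)
        print(res == pow(0x1234567, 65537, n), trace)
    flip_bit0 = lambda mod: mod ^ 1         # single-bit fault in the N SRAM
    print(secure_modexp(0x1234567, 65537, n, fault=flip_bit0)[0])
```

Under this fault model, step 8 always recomputes with the reloaded modulus, so any value the function returns equals M^E mod N; a mismatch between the two final computations produces no output at all.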
Although the invention has been described in detail through the preferred embodiment above, the description should not be regarded as limiting the invention. Various modifications and substitutions will be apparent to those skilled in the art after reading the above. The scope of protection of the invention should therefore be defined by the appended claims.

Claims (7)

1. A secure modular exponentiation method resistant to power analysis and fault attacks, characterized in that the method comprises the following steps:
Step 1, read the base M, the exponent E and the modulus N;
Step 2, set the intermediate variables TmpM=M, TmpE=E, TmpR=1;
Step 3, provide five SRAMs of 64×32 bits each, named the A, B, N, R and T SRAM respectively; write the modulus N to the N SRAM and start the precomputation, obtaining the parameter Nacc and the result of R^2 mod N; next, write the intermediate variable TmpM to the A SRAM and the intermediate variable TmpR to the B SRAM, and start the command that converts TmpM and TmpR into Montgomery numbers;
Step 4, randomly select a divisor D, update the intermediate variable TmpE=TmpE/D, and compute the intermediate variable Rem=TmpE mod D;
Step 5, check the value of the intermediate variable TmpE: if TmpE=0, jump to step 7; if TmpE≠0, jump to step 6;
Step 6, update the corresponding intermediate variables according to the divisor-remainder pair (D, Rem): TmpR=TmpM^(Rem)*TmpR mod N, TmpM=TmpM^(D) mod N, and go to step 4;
Step 7, compute the intermediate variable TmpR1=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 8, reload the modulus N into the N SRAM, and update the intermediate variable TmpR=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 9, compare the intermediate variables TmpR1 and TmpR: if they are equal, go to step 10; if they are not equal, go to step 11;
Step 10, start the command that converts TmpR into an ordinary number, and output the result;
Step 11, end the operation.
2. The secure modular exponentiation method resistant to power analysis and fault attacks of claim 1, characterized in that the operations involving the five SRAMs in step 3 are all implemented in hardware.
3. The secure modular exponentiation method resistant to power analysis and fault attacks of claim 1, characterized in that step 4 further comprises the following steps:
Step 4.1, set the intermediate variable D=0;
Step 4.2, generate a 32-bit true random number and assign it to the intermediate variable temp; if temp is less than 0xDfffffff, go to step 4.3, otherwise go to step 4.6;
Step 4.3, set t=TmpE mod 2, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 2: set D=2 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 2: go to step 4.4;
Step 4.4, set t=TmpE mod 5, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 5: set D=5 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 5: go to step 4.5;
Step 4.5, set t=TmpE mod 3, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 3: set D=3 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 3: go to step 4.6;
Step 4.6, check the value of the intermediate variable D: if D equals 0, go to step 4.7, otherwise go to step 4.9;
Step 4.7, generate a 32-bit true random number and assign it to the intermediate variable temp;
If temp is less than 0xBfffffff, set D=2;
If temp is less than 0xDfffffff, set D=3;
If temp is greater than or equal to 0xDfffffff, set D=5;
Go to step 4.8;
Step 4.8, compute the intermediate variable Rem=TmpE mod D, and go to step 4.9;
Step 4.9, update TmpE=TmpE/D.
4. The secure modular exponentiation method resistant to power analysis and fault attacks of claim 3, characterized in that the true random number used in step 4 is generated in hardware.
5. The secure modular exponentiation method resistant to power analysis and fault attacks of claim 3, characterized in that the modulo operation and the division used in step 4 are implemented in hardware.
6. The secure modular exponentiation method resistant to power analysis and fault attacks of claim 3, characterized in that,
in step 6, the divisor-remainder pairs (D, Rem) and the corresponding computations are given in the following table:
[Table: computation for each divisor-remainder pair (D, Rem); image not reproduced]
All operands in this table are Montgomery numbers; A denotes the number in the A SRAM, B the number in the B SRAM, and R the number in the R SRAM;
AAA: the number in A is modular-squared, and the result is written back to A;
AAR: the number in A is modular-squared, and the result is written to R;
ARA: the number in A and the number in R are modular-multiplied, and the result is written back to A;
ABB: the number in A and the number in B are modular-multiplied, and the result is written back to B;
RRR: the number in R is modular-squared, and the result is written back to R;
RBB: the number in R and the number in B are modular-multiplied, and the result is written back to B;
R->A: the number in R is moved to A.
7. The method of claim 6, characterized in that, in step 6, the modular multiplication, modular squaring and data transfer operations for the divisor-remainder pair (D, Rem) are all implemented in hardware.
Application number: CN2013101994946A
Priority date: 2013-05-27
Filing date: 2013-05-27
Title: Safety modular exponentiation method for resisting energy analysis and fault attack
Publication: CN103246494A (en), published 2013-08-14
Status: Pending

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130814