CN103246494A - Safety modular exponentiation method for resisting energy analysis and fault attack - Google Patents
- Publication number: CN103246494A
- Authority: CN (China)
- Prior art keywords: tmpe, tmpr, rem, intermediate variable, tmpm
- Legal status: Pending
- Landscapes: Storage Device Security (AREA)
Abstract
The invention discloses a secure modular exponentiation method that resists power analysis (energy analysis) and fault attacks. The method comprises: reading a base M, an exponent E and a modulus N; setting the intermediate variables TmpM=M, TmpE=E and TmpR=1; writing the modulus N into N SRAM, starting the precomputation, and converting TmpM and TmpR into Montgomery numbers using A SRAM and B SRAM; randomly selecting a divisor D, updating TmpE=TmpE/D and computing the intermediate variable Rem=TmpE mod D; if TmpE≠0, updating TmpR=TmpM^(Rem)*TmpR mod N and TmpM=TmpM^(D) mod N according to the divisor-remainder pair (D, Rem) and returning to the divisor-selection step; if TmpE=0, computing the intermediate variable TmpR1=TmpM^(Rem)*TmpR mod N according to the remainder Rem; reloading the modulus N into N SRAM and updating TmpR=TmpM^(Rem)*TmpR mod N according to the remainder Rem; comparing TmpR1 with TmpR and, if they are equal, starting the command that converts TmpR into an ordinary number and outputting the result; and ending the operation if TmpR1 is not equal to TmpR. The method resists both power attacks and fault attacks.
Description
Technical field
The present invention relates to the field of secure implementation of public-key cryptosystems, and in particular to a secure modular exponentiation method that resists power analysis and fault attacks.
Background
With the development and application of information technology, online transactions such as online banking, e-government and e-commerce have become increasingly common, and the accompanying security problems have become increasingly serious, so information transmitted over networks needs to be encrypted. Traditional cryptographic algorithms use a symmetric cryptosystem in which the two communicating parties share the same key. Its advantages are that encryption is easy to implement in hardware and that encryption and decryption are both fast, but it carries a security risk: the key is easily stolen during exchange. Modern public-key cryptosystems are asymmetric; they require only that the key exchange preserve authenticity, not that it be kept secret. Each entity selects a key pair (e, d), where e is the public key and d is the private key, which must be kept secret. The private key cannot be computed from the public key. At present there are mainly two public-key algorithms: RSA and elliptic curve cryptography (ECC). Both of these public-key algorithms need to use modular exponentiation (M^E mod N). In some modular exponentiations, namely those involving the private key, the exponent E must be protected and must not be leaked.
To increase speed, modular exponentiation algorithms are now almost always implemented in integrated circuit chips. Chips are built from transistor gates, and a circuit takes different amounts of time and energy to perform different operations. This can be observed with an oscilloscope, and the leaked information can then be used to attack the modular exponentiation and obtain the private key. Common attack methods at present include timing analysis, electromagnetic radiation analysis, power analysis and fault injection, of which power analysis and fault injection are the most effective.
Since Kocher et al. proposed simple power analysis (SPA) and differential power analysis (DPA) in 1996, these two methods have been used to attack some modular exponentiation algorithms successfully. As power analysis techniques have improved, some existing modular exponentiation algorithms can no longer resist power analysis. In 1997, Boneh et al. proposed another new attack method: the fault injection attack. By injecting a fault, an erroneous result is obtained, and the relationship between the erroneous result and the correct result is then used to factor the modulus N and thus obtain the private key. This attack mainly targets modular exponentiation implemented with the Chinese remainder theorem (CRT). As the technique has developed, the scope of fault injection attacks has widened, from injecting random faults to injecting faults into the key itself and into the modulus N. Erroneous data is obtained by injecting a fault and, after some computation, the private key is finally obtained. Many existing modular exponentiation methods consider only resistance to power analysis and neglect resistance to fault injection, or the reverse, so their security is not high.
Summary of the invention
Based on the above problems, the invention provides a secure modular exponentiation method that can resist both power analysis and fault attacks and has a fast computation speed, and is therefore particularly suitable for embedded devices such as smart cards and USB keys.
To achieve the above object, the technical solution of the invention provides a secure modular exponentiation method that resists power analysis and fault attacks, comprising the following steps:
Step 4: select a divisor D at random, update the intermediate variable TmpE=TmpE/D, and compute the intermediate variable Rem=TmpE mod D. This step further comprises:
Step 4.1: set the intermediate variable D=0;
Step 4.2: generate a 32-bit true random number and assign it to the intermediate variable temp; if temp is less than 0xDfffffff, go to step 4.3, otherwise go to step 4.6;
Step 4.3: let t=TmpE mod 2, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 2; assign D=2 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 2; go to step 4.4;
Step 4.4: let t=TmpE mod 5, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 5; assign D=5 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 5; go to step 4.5;
Step 4.5: let t=TmpE mod 3, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 3; assign D=3 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 3; go to step 4.6.
Step 4.6: check the value of the intermediate variable D; if D equals 0, go to step 4.7, otherwise go to step 4.9;
Step 4.7: generate a 32-bit true random number and assign it to the intermediate variable temp;
If temp is less than 0xBfffffff, assign D=2;
If temp is less than 0xDfffffff, assign D=3;
If temp is greater than or equal to 0xDfffffff, assign D=5;
Go to step 4.8.
Step 4.8: compute the intermediate variable Rem=TmpE mod D and go to step 4.9;
Step 4.9: update TmpE=TmpE/D.
Step 5: check the value of the intermediate variable TmpE; if TmpE=0, jump to step 7; if TmpE≠0, jump to step 6;
Step 8: reload the modulus N into N SRAM, and update the intermediate variable TmpR=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 9: compare the intermediate variables TmpR1 and TmpR; if they are equal, go to step 10; if they are not equal, go to step 11;
Step 10: start the command that converts TmpR into an ordinary number, and output the result;
Compared with the prior art, the secure modular exponentiation method of the invention for resisting power analysis and fault attacks has the following advantages. First, the invention reloads the modulus N before the computation finishes, recomputes the final step, and compares the recomputed result with the previously computed result, which resists fault injection attacks. Second, the divisor D is selected by a random algorithm, which gives stronger resistance to SPA and DPA. Third, modular multiplication, modular squaring and the other modular operations are implemented with a hardware Montgomery algorithm, and random number generation, division and data moves are also implemented in hardware, which improves the performance of the algorithm. Fourth, step 4 and step 6 of the invention can run concurrently to improve the performance of the algorithm.
Brief description of the drawings
Fig. 1 is the overall flow chart of the secure modular exponentiation method of the invention for resisting power analysis and fault attacks;
Fig. 2 is the flow chart for randomly selecting D and computing the quotient and remainder in the secure modular exponentiation method of the invention for resisting power analysis and fault attacks.
Embodiment
The embodiments of the invention are described in further detail below with reference to the drawings, but the embodiments do not limit the invention; any similar structure, method or similar variation that adopts the invention falls within the protection scope of the invention.
As shown in Fig. 1, the invention discloses a secure modular exponentiation method that resists power analysis and fault attacks, comprising the following steps:
Write the modulus N to N SRAM and start the precomputation (its purpose is to compute the parameters Nacc and R^2 mod N); next, write the intermediate variable TmpM to A SRAM and the intermediate variable TmpR to B SRAM, and start the command that converts to Montgomery numbers (its purpose is to convert TmpM and TmpR into Montgomery numbers).
Step 4: select a divisor D at random, update the intermediate variable TmpE=TmpE/D, and compute the intermediate variable Rem=TmpE mod D. As shown in Fig. 2, this step further comprises:
Step 4.1: set the intermediate variable D=0;
Step 4.2: generate a 32-bit true random number and assign it to the intermediate variable temp; if temp is less than 0xDfffffff, go to step 4.3, otherwise go to step 4.6;
Step 4.3: let t=TmpE mod 2, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 2; assign D=2 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 2; go to step 4.4;
Step 4.4: let t=TmpE mod 5, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 5; assign D=5 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 5; go to step 4.5;
Step 4.5: let t=TmpE mod 3, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 3; assign D=3 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 3; go to step 4.6.
Step 4.6: check the value of the intermediate variable D; if D equals 0, go to step 4.7, otherwise go to step 4.9;
Step 4.7: generate a 32-bit true random number and assign it to the intermediate variable temp;
If temp is less than 0xBfffffff, assign D=2;
If temp is less than 0xDfffffff, assign D=3;
If temp is greater than or equal to 0xDfffffff, assign D=5;
Go to step 4.8.
Step 4.8: compute the intermediate variable Rem=TmpE mod D and go to step 4.9;
Step 4.9: update TmpE=TmpE/D.
Step 5: check the value of TmpE; if TmpE=0, jump to step 7; if TmpE≠0, jump to step 6;
In step 6, the divisor-remainder pairs (D, Rem) and the corresponding computations are given in the following table;
Note: all operands below are Montgomery numbers; A denotes the number in A SRAM, B denotes the number in B SRAM, and R denotes the number in R SRAM;
AAA: the number in A is modular-squared, and the result is written back to A;
AAR: the number in A is modular-squared, and the result is written back to R;
ARA: the number in A and the number in R are modular-multiplied, and the result is written back to A;
ABB: the number in A and the number in B are modular-multiplied, and the result is written back to B;
RRR: the number in R is modular-squared, and the result is written back to R;
RBB: the number in R and the number in B are modular-multiplied, and the result is written back to B;
R->A: the number in R is moved to A.
Step 8: reload the modulus N into N SRAM, and update TmpR=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 9: compare TmpR1 and TmpR; if they are equal, go to step 10; if they are not equal, go to step 11;
Step 10: start the command that converts to an ordinary number (its purpose is to convert TmpR into an ordinary number), and output the result;
In the invention, the operations on the five SRAMs in step 3, the true random number generation, modulo and division operations in step 4, and the modular multiplication, modular squaring and data-move operations in step 6 are all implemented in hardware, for example by the hardware modules provided by the security chip SSX1108.
The modular exponentiation method provided by the invention resists not only power attacks (such as simple power analysis, SPA, and differential power analysis, DPA) but also fault attacks.
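An added example, not code from the patent: steps 1 to 11 of the method, with the random divisor selection of steps 4.1 to 4.9, written in Python. Assumptions: plain modular arithmetic replaces the Montgomery SRAM operations of steps 3 and 6, `secrets.randbits` stands in for the hardware true random number generator, and the names `rand32_hw`, `pick_divisor`, `secure_modexp`, `glitch_n` and `trace` are hypothetical.

```python
import secrets

def rand32_hw():
    """Stand-in (assumption) for the chip's 32-bit true random number generator."""
    return secrets.randbits(32)

def pick_divisor(tmp_e, rand32=rand32_hw):
    """Steps 4.1-4.9: return (D, Rem, TmpE // D)."""
    d, rem = 0, 0                              # step 4.1
    if rand32() < 0xDFFFFFFF:                  # step 4.2
        for cand in (2, 5, 3):                 # steps 4.3, 4.4, 4.5, in that order
            if tmp_e % cand == 0:
                d, rem = cand, 0
                break
    if d == 0:                                 # step 4.6
        temp = rand32()                        # step 4.7, read as a three-way split
        d = 2 if temp < 0xBFFFFFFF else 3 if temp < 0xDFFFFFFF else 5
        rem = tmp_e % d                        # step 4.8
    return d, rem, tmp_e // d                  # step 4.9

def secure_modexp(m, e, n, rand32=rand32_hw, glitch_n=None, trace=None):
    """Steps 1-11. Returns M^E mod N, or None when the step 9 comparison fails.

    glitch_n (hypothetical test hook) models a fault that corrupts the modulus
    held in N SRAM just before step 7; trace, if a list, collects (D, Rem).
    """
    if n < 1 or e < 0:
        raise ValueError("need n >= 1 and e >= 0")
    tmp_m, tmp_e, tmp_r = m % n, e, 1 % n      # steps 1-2 (step 3 conversion omitted)
    n_reg = n                                  # working modulus, stands in for N SRAM
    while True:
        d, rem, tmp_e = pick_divisor(tmp_e, rand32)      # step 4
        if trace is not None:
            trace.append((d, rem))
        if tmp_e == 0:                                   # step 5
            break
        tmp_r = pow(tmp_m, rem, n_reg) * tmp_r % n_reg   # step 6
        tmp_m = pow(tmp_m, d, n_reg)
    if glitch_n is not None:
        n_reg = glitch_n                                 # simulated fault on N SRAM
    tmp_r1 = pow(tmp_m, rem, n_reg) * tmp_r % n_reg      # step 7
    n_reg = n                                            # step 8: reload N
    tmp_r = pow(tmp_m, rem, n_reg) * tmp_r % n_reg
    return tmp_r if tmp_r1 == tmp_r else None            # steps 9-11

if __name__ == "__main__":
    # Constructed sample values, not from the patent.
    m, e, n = 7, 13, 143
    chain = []
    print(secure_modexp(m, e, n, trace=chain), pow(m, e, n), chain)
    # Modulus corrupted before step 7: the reload in step 8 exposes the mismatch.
    print(secure_modexp(m, e, n, rand32=lambda: 0, glitch_n=142))
```

Python integers are not constant-time, so this shows the control flow and the step 9 check rather than the power-analysis behaviour of the hardware.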
Although the content of the invention has been described in detail through the above preferred embodiment, the above description should not be regarded as limiting the invention. After those skilled in the art have read the foregoing, various modifications of and alternatives to the invention will be apparent. Therefore, the protection scope of the invention should be defined by the appended claims.
Claims (7)
1. A secure modular exponentiation method for resisting power analysis and fault attacks, characterized in that the method comprises the following steps:
Step 1: read the base M, the exponent E and the modulus N;
Step 2: set the intermediate variables TmpM=M, TmpE=E, TmpR=1;
Step 3: provide five SRAMs of 64×32 bits each, named A, B, N, R and T SRAM respectively; write the modulus N to N SRAM and start the precomputation, obtaining the parameters Nacc and R^2 mod N; next, write the intermediate variable TmpM to A SRAM and the intermediate variable TmpR to B SRAM, and start the command that converts the intermediate variables TmpM and TmpR into Montgomery numbers;
Step 4: select a divisor D at random, update the intermediate variable TmpE=TmpE/D, and compute the intermediate variable Rem=TmpE mod D;
Step 5: check the value of the intermediate variable TmpE; if TmpE=0, jump to step 7; if TmpE≠0, jump to step 6;
Step 6: update the corresponding intermediate variables according to the divisor-remainder pair (D, Rem): TmpR=TmpM^(Rem)*TmpR mod N, TmpM=TmpM^(D) mod N, and go to step 4;
Step 7: compute the intermediate variable TmpR1=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 8: reload the modulus N into N SRAM, and update the intermediate variable TmpR=TmpM^(Rem)*TmpR mod N according to the remainder Rem;
Step 9: compare the intermediate variables TmpR1 and TmpR; if they are equal, go to step 10; if they are not equal, go to step 11;
Step 10: start the command that converts TmpR into an ordinary number, and output the result;
Step 11: end the operation.
2. The secure modular exponentiation method for resisting power analysis and fault attacks according to claim 1, characterized in that the operations involving the five SRAMs in step 3 are all implemented in hardware.
3. The secure modular exponentiation method for resisting power analysis and fault attacks according to claim 1, characterized in that step 4 further comprises the following steps:
Step 4.1: set the intermediate variable D=0;
Step 4.2: generate a 32-bit true random number and assign it to the intermediate variable temp; if temp is less than 0xDfffffff, go to step 4.3, otherwise go to step 4.6;
Step 4.3: let t=TmpE mod 2, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 2; assign D=2 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 2; go to step 4.4;
Step 4.4: let t=TmpE mod 5, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 5; assign D=5 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 5; go to step 4.5;
Step 4.5: let t=TmpE mod 3, compute the value of t, and check whether t equals 0;
If t=0, TmpE is divisible by 3; assign D=3 and Rem=0, and go to step 4.6;
If t≠0, TmpE is not divisible by 3; go to step 4.6;
Step 4.6: check the value of the intermediate variable D; if D equals 0, go to step 4.7, otherwise go to step 4.9;
Step 4.7: generate a 32-bit true random number and assign it to the intermediate variable temp;
If temp is less than 0xBfffffff, assign D=2;
If temp is less than 0xDfffffff, assign D=3;
If temp is greater than or equal to 0xDfffffff, assign D=5;
Go to step 4.8;
Step 4.8: compute the intermediate variable Rem=TmpE mod D and go to step 4.9;
Step 4.9: update TmpE=TmpE/D.
4. The secure modular exponentiation method for resisting power analysis and fault attacks according to claim 3, characterized in that the true random number involved in step 4 is generated in hardware.
5. The secure modular exponentiation method for resisting power analysis and fault attacks according to claim 3, characterized in that the modulo and division operations involved in step 4 are implemented in hardware.
6. The secure modular exponentiation method for resisting power analysis and fault attacks according to claim 3, characterized in that,
in step 6, the divisor-remainder pairs (D, Rem) and the corresponding computations are given in the following table;
All operands in this table are Montgomery numbers; A denotes the number in A SRAM, B denotes the number in B SRAM, and R denotes the number in R SRAM;
AAA: the number in A is modular-squared, and the result is written back to A;
AAR: the number in A is modular-squared, and the result is written back to R;
ARA: the number in A and the number in R are modular-multiplied, and the result is written back to A;
ABB: the number in A and the number in B are modular-multiplied, and the result is written back to B;
RRR: the number in R is modular-squared, and the result is written back to R;
RBB: the number in R and the number in B are modular-multiplied, and the result is written back to B;
R->A: the number in R is moved to A.
7. The method according to claim 6, characterized in that, in step 6, the modular multiplication, modular squaring and data-move operations for the divisor-remainder pair (D, Rem) are all implemented in hardware.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2013101994946A CN103246494A (en) | 2013-05-27 | 2013-05-27 | Safety modular exponentiation method for resisting energy analysis and fault attack |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103246494A true CN103246494A (en) | 2013-08-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20130814 |