DE102005032731A1 - Method for side channel resistant multiplication - Google Patents

Abstract

The invention relates to side-channel attack-resistant cryptographic methods, a return value (r) being determined as a multiplication of an input value (a) by means of a module (Mult). The invention has set itself the task of achieving resistance to side-channel attacks while at the same time placing minimal restrictions on the implementation. For this purpose, it is proposed that a random number (c) and the inverse (d) of this be determined with regard to a link (K), each value 0 of the binary representation (n_i) a multiplication number (n) is assigned the inverse (d) and each value 1 is assigned the Binary representation (n_i) of the multiplication number (n) the result of the link (K) of the input value (a) with the inverse (d) is assigned, for all digits of the binary representation (n_i) an intermediate value (b) as the result of two successive links ( K) is determined, the result of the link (K) from the intermediate value (b) with itself and with the assignment value (E [n_i = 0], E [n_i = 1]) assigned to the digit of the binary representation (n_i) a new intermediate value (b) is determined, the return value (r) is determined as the result of the combination (K) of the new intermediate value (b) with the inverse (d).

Description

The The invention relates to a method for side channel attack resistant Calculation of a return value as a multiplication by means of a multiplication number under Use of a computing unit, in particular as a sub-process of a encryption decryption Signature generation, signature verification or key agreement using at least one cryptographic key, wherein in a step of the method a return value as a multiplication an input value is determined. Next to it is an arithmetic unit, in particular a computing unit of a tachograph, which data encoded and / or decrypted and / or signatures and / or signatures and / or key approvals performs using at least one cryptographic key item the invention, which is designed so that they after the works at the beginning.

Side channel attacks are a class of methods for cryptanalysis. In contrast to attempts to attack cryptographic applications Attackers do not, the underlying abstract mathematical Algorithm to break, but attacks a special implementation a cryptographic method. The attacker uses this easily accessible physical parameters of concrete implementation, such as the duration of the calculation, Power consumption and electromagnetic emissions of the processor while the calculation or the behavior of the implementation induced Errors. The physical measurements of a single calculation can analyzed directly, for example using Simple Power Analysis [SPA], or an attacker records the readings of several calculations (for example, using a storage oscilloscope) on and then evaluates the measured values statistically, for example by means of differential power analysis [DPA]. Side channel attacks are often much more efficient as classical cryptanalytic techniques and can themselves processes that from the point of view of algorithms are considered safe, break, if the implementation of these algorithms is not against side channel attacks is secured. Especially for Smart cards and embedded applications are countermeasures against side channel attacks important.

Side channel attacks are already featured in the following publications: Kocher: Timing attacks on implementation of Diffie-Hellman, RSA, DSS, and others systems, Crypto 1996, LNCS 1109, pages 104-113, Springer; Kocher, Jaffe, Jun: Differential power analysis, Crypto 1999, LNCS 1666, pages 388-397, Springer; Messerges, Dabbish, Sloan: Power analysis attacks of modular exponentiation in smartcards, CHES 1999, LNCS 1717, pages 144-157, Springer.

in this connection can be found in Boneh, Demillo, Lipton: On the importance of checking cryptographic protocols for faults, Eurocrypt 1997, LNCS 1233, pages 37-51, Springer already hints at a utilization of the information from the behavior the implementation of induced errors.

mathematical Methods for multiplication can also be found in Menezes, van Oorschot, Vanstone: Handbook of applied cryptography, CRC Press 1996.

masking techniques for crypto methods, in particular for DES and AES are also known from Goubin, Patarin: DES and differential power analysis, CHES 1999, LNCS 1717, pages 158-172, Springer; Akkar, Giraud: An implementation of DES and AES, secure against some attacks, CHES 2001, LNCS 2162, pages 309-318, Springer; Messerges Securing the AES finalists against power analysis attacks, FSE 2000, LNCS 1978, pages 150-164, Springer; Coron, Goubin On boolean and arithmetic masking against differential power analysis, CHES 2000, LNCS 1965, pages 213-237, Springer; Trichina, de Seta, Germani: Simplified adaptive multiplicative masking for AES and its securitized implementation, CHES 2002, LNCS 2523, pages 187-197, Springer; Golic, Tymen: Multiplicative masking and power analysis of AES, CHES 2002, LNCS 2523, pages 198-212, Springer.

The Generation of digital signatures according to the Digital Signature Standard is also themed in FIPS 186: Digital Signature Standard, Federal Information Processing Standards Publication 186, NIST 1997.

field of use In particular, the invention is the protection of fast exponentiation against in particular SPA and DPA. Many cryptographic methods (especially public-key methods) use finite arithmetic bodies or finite rings. An important step in this process is the calculation of the exponentiation or scalar multiplication in finite bodies, rings, Groups or half groups.

Commonly used sidewall attack defense techniques either seek to degrade the signal-to-noise ratio between the information to be protected and all other measurable signals, thus hampering the observation of the secret information, or use randomization techniques to determine the correlation between the information to be protected and cancel the measured values. Methods to complicate the observation of the secret information include, for example, the avoidance of data-dependent branches that depend on information worthy of protection, use of program steps with a little fluctuating power profile, or program parts whose duration no longer depends on the calculation data, performing random and / or These countermeasures generally protect against SPA attacks, but have the disadvantage that the implementation is subject to unfavorable constraints.

randomization to cancel the correlation between information to be protected and measured Values serve the defense of statistical analysis methods, such as eg the DPA. Such measures usually exist from masking the secret information with random values. Every new one Calculation will be new independent random numbers for the masks selected. An attacker then measures each time a seemingly random calculation, because he does not know the mask and can not do simple correlations between measured physical values and input or output data.

Of the Standard algorithm for fast exponentiation is both against SPA as well as vulnerable to DPA attacks. To make the algorithm fast Exponentiation against a SPA attack too protect, The following techniques have also been proposed in the literature: instead a multiplication only for the case of a bit assignment with 1 will also be the case a zero assignment performed the multiplication, but the result of this Calculation is not used (always-square-and-multiply); Besides algorithms for multiplication and squaring are standardized. Furthermore find the Montgomery ladder (especially relevant to elliptical Curves) or the fixed-window method usage. As more techniques It is also known to protect exponents against DPA attacks with a small, random selected Multiply the order of the group [Kocher: Timing attacks on Implementations of Diffie-Hellman, RSA, DSS, and other systems, Crypto 1996, LNCS 1109, pages 104-113, Springer, Coron: Resistance against differential power analysis for elliptic curve cryptosystems, CHES 1999, LNCS 1717, pages 292-302, Springer] and to one fortuitously selected Element of the group (or body) a public-key operation first to pre-calculate a mask with which the base before the fast Exponentiation is randomized (eg multiplied). After completion of the exponentiation by means of a secret key can through the inverse operation (eg., a division), the masking Undone [Kocher: Timing attacks on implementation of Diffie-Hellman, RSA, DSS, and other systems, Crypto 1996, LNCS 1109, pages 104-113, Springer; Coron: Resistance against differential power analysis for elliptic curve cryptosystems, CHES 1999, LNCS 1717, pages 292-302, Springer]; Pairs of random Element and related Correction values are precalculated and stored or after use refreshed [Kocher: Timing attacks on implementation of Diffie-Hellman, RSA, DSS, and other systems, Crypto 1996, LNCS 1109, pages 104-113, Springer]; is the module used in modular arithmetic for reduction with a little random selected Random number expanded, resulting in a complete reduction of intermediate results is avoided. Upon completion of the exponentiation, the calculated value Completely reduced; Use of randomized addition chains for the exponent; the representation of the points of an elliptic curve or the one used finite body or the elliptic curve used is randomized, and after At the end of the exponentiation, the masking is undone [Coron: Resistance against differential power analysis for elliptic curve cryptosystems, CHES 1999, LNCS 1717, pages 292-302, Springer; Joye, Tymen: Protections against differential analysis for elliptic curve cryptography, CHES 2001, LNCS 2162, pages 377-390, Springer].

All known countermeasures against side channel attacks are computationally expensive.

outgoing from the disadvantages of the prior art, the invention is the Task underlying a method for side channel attack-resistant calculation a return value as a multiplication, which provides resistance to side channel attacks and at the same time have implementation limitations and the extra Effort for the purpose of protection against side channel attacks low holds.

According to the invention for this purpose a method according to claim 1 proposed. In addition, a computing unit proposed, which is designed so that they according to the method of claim 1 works. The respective dependent claims include advantageous developments that also without explicit references to each other can be combined.

The inventive technique allows any implementations of methods of calculation a multiplication against side channel attacks.

The use of an arithmetic homo Morph masking technique according to the invention has, inter alia, the advantage that the masking can be performed at the beginning of the calculation and at the outset the result is unmaskable and at the same time a hedge of the implementation against SPA and DPA attacks is given.

A advantageous application of the invention in a cryptographic Method, in particular in a tachograph according to the invention or a mobile according to the invention disk, is, for example, the generation of digital signatures according to the digital signature standard DSS.

A appropriate training the method according to the invention provides that the intermediate results according to the respective calculation steps deleted become.

The inventive method or the computing unit according to the invention allows a particularly versatile modularity, if the linking operator used optionally added or multiplied and thus multiplied in the result or potentiated.

Especially Safe against side channel attacks is an implementation of the method according to the invention in a fixed-window variant, where the multiplication number in blocks in blocks same length is processed.

In The result is the invention with reference to a specific embodiment explained in more detail with reference to drawings, the invention is not is limited to the illustrations of this example. Show it:

1 a schematic perspective view of a tachograph according to the invention with a data card according to the invention,

2 a schematic representation of the process according to the inventive method,

3 . 4 . 5 . 6 each a schematic representation of a variant of a submodule of the process according to the inventive method.

In 1 is a tachograph DTCO and a data card DC each with a computing unit, which operates according to the inventive method shown. The data card DC can enter the DTCO through one of two receptacles 2 are inserted, so that during a data transfer between the two elements, the data card DC is added to the tachograph DTCO inaccessible from the outside. The tachograph DTCO has its front panel 3 next to the two receiving shafts 2 a display unit 1 and controls 4 on. By means of data lines 5 enters the data card DC after entering into a receiving slot 2 with a central processor CPU in connection, which has access to an internal memory MEM. The data card also has a non-detailed internal memory and a central processor.

The data transfer between the tachograph DTCO and the data card DC by means of a session key encrypted while during the encryption and the decryption the central processors CPU of the tachograph DTCO and the data card DC among other exponentiations and multiplications after the Carry out invention.

To do this, the processors CPU from the in 2 illustrated module KRY use.

The Module KRY is part of a process of encryption. The input values a, n are transferred to the module KRY and within this module passed on to a module MULT.

The Module MULT first determines in a first step A. a random number c and determined in one second step B. to this one inverse d with respect to a link K.

By means of a module MULCO called from the module MULT ( 3 . 4 . 5 . 6 ) a multiplication v is determined and then linked to the inverse d. A return value r is set equal to this product and returned to the module KRY as a result.

in the Specifically, the procedure in the MULCO module is as follows. in this connection be first on with C.-E. designated central steps of the process. In a third step C., each value i of an interval assigned an assignment value E [i]. In a fourth step D. is based on the most significant Set the number representation n_i (binary representation) of the multiplication number n sequential for all digits of the number representation n_i (binary representation) an intermediate value b as a result of two consecutive links K determines, with the result of the link K from the intermediate value b with itself and with that of the digit representation n_i (Binary representation) assigned Assignment value E [n_i] is determined to a new intermediate value b. In a fifth step E. will be the return value r as a result of the link K of the new intermediate value b with the inverse d determined.

With the embodiments of the 3 . 4 and 5 respectively. 6 Different variants of this assignment according to the invention are shown. The explanations after the 3 and 5 show a fixed-window variant of the in the 4 respectively. 6 according to the invention shown module MULCO, in which each of the number representation n_i (binary representation) of the multiplication number n in bit blocks (u_0, ..., u_m) of a width w is shown.

The Module MULCO assigns in a third step each value i of an interval an assignment value E [i] too.

Variants after 4 . 6 Assign each digit of the numerical representation n_i (binary representation) having the value 0 to the inverse d as the first assignment value E [n_i = 0], and each digit of the numerical representation n_i (binary representation) of the multiplication number n having the value 1, the result the link K of the input value a with the inverse d as the second assignment value E [n_i = 1].

Variants after 3 . 5 assign to each bit block u_i the width w of the number representation n_i (binary representation) an assignment value E [u_i], where the bit block u_i the number representation n_i (binary representation) of the multiplication number n, the result of the link K from the result of the link K of u_i-times multiplying the input value a and the result of the link K of the (2 ^ w-1) -fold multiplication of the inverse d is assigned.

Variants after 3 and 5 respectively. 4 and 6 differ by the different type of link K. The link K is according to the embodiments of the 3 and 4 an addition, which results in a multiplication and according to the embodiments of the 5 and 6 a multiplication, which in the result leads to an exponentiation.

• 1) wähle gleichverteilt ein zufälliges Element c einer Gruppe (oder eines Körpers)
• 2) berechne das inverse Element d = c^(–1)
• 3) setze b = c, setze E[0] = d und E[1] = a·d
• 4) for i = 0 to i <= m do
• 5) setze b = b^2
• 6) setze b = b·E[n_i]
• 7) od
• 8) setze b = b·d

An implementation of the method in the sense of the embodiment according to 6 , ie for fast side channel resistant exponentiation, can be constructed according to the invention according to the following scheme:
Let (n_0, ..., n_m) be the binary representation of the exponent n and let a be the basis.

• 1) choose evenly a random element c of a group (or a body)
• 2) calculate the inverse element d = c ^ (- 1)
• 3) set b = c, set E [0] = d and E [1] = a · d
• 4) for i = 0 to i <= m do
• 5) set b = b ^ 2
• 6) set b = b · E [n_i]
• 7) od
• 8) set b = b · d

Claims (12)

Method for side channel attack-resistant calculation of a return value (r) as a multiplication by means of a computing unit, in particular as a sub-process of encryption, decryption, signature generation, signature verification or key agreement using at least one cryptographic key, wherein in one step of the method Return value (r) as a multiplication of an input value (a) is determined, characterized in that - in a first step (A.) with respect to a link (K) invertible random number (c) is determined, - in a second step (B. ) the inverse (d) of the random number (c) is determined with regard to the link (K), - in a third step (C.), assigning to each digit (n_i) a numerical representation of the multiplication number (n) an assignment value (E [n_i]) becomes that of the random number (c) and / or the inverse (d) in terms of linking g (K), - in a fourth step (D.) for all digits (n_i) of the number representation, at least one new intermediate value (b) is determined as a result of at least one calculation of the join (K), the result of at least one calculation the link (K) of at least one previous intermediate value (b) and the assignment value (E [n_i]) associated with the digit (n_i) of the number representation, - in a fifth step (E.) the return value (r) as a result of the linkage (K) of a new intermediate value (b) with the random number (c) and / or the inverse (d) is determined. Method according to claim 1, characterized in that in the third step (C.), a binary number representation for the multiplication number (n) is used and that each digit (n_i) of the binary representation the multiplication number (s) having the value 0, the inverse (d) or the random number (c) as the first allocation value (E [n_i = 0]) and each digit (n_i) of the binary representation the multiplication number (s) that has the value 1, the result the link (K) of the input value (a) with the inverse (d) or with the random number (c) is assigned as a second allocation value (E [n_i = 1]). Method according to claim 1, characterized in that in the third step (C.) a number representation is used for the multiplication number (n), in which the multiplication number (n) is broken down into bit blocks of a first bit length (w) and in that each bit block ( n_i) of the number representation in bit blocks of the bit length (w), which represents a value (k), the result of the combination (K) of the k-fold multiplication of the input value (a) in terms of the join (K) and the 2 ^ w-1 multiplication of the inverse (d) or the random number (c) with respect to the join (K) is assigned. Method according to Claims 1 to 3, characterized that the linkage is an addition, so the multiplication is a multiplication is. Method according to claim 4, characterized in that that the linkage an addition on a set of points of an elliptical or hyperelliptic curve and the method is the scalar point multiplication realized. Method according to Claims 1 to 3, characterized that the linkage is a multiplication, so the multiplication is an exponentiation is. Method according to Claim 6, characterized that the linkage a modular multiplication with respect to a primed or compound module and the process realized the fast modular exponentiation. Arithmetic unit, in particular arithmetic unit of a tachograph, which data is encrypted and / or decrypts and / or signatures and / or signatures and / or key-permits Use at least one cryptographic key, wherein the arithmetic unit is designed such that in one step of the procedure a return value (r) as a multiplication by means of a multiplication number (n) an input value (a) is determined, in particular after one the claims 1 to 5, characterized in that the arithmetic unit is designed such that - in a first step (A.) one concerning a link (K) invertible random number (c) is determined, - in one second step (B.) the inverse (d) with regard to the link (K) the random number (c) is determined - in a third step (C) each digit (n_i) of a number representation of the multiplication number (n) an assignment value (E [n_i]) is assigned that is determined by the random number (c) and / or the inverse (d) in terms of linkage (K) depends - in one fourth step (D.) for all digits (n_i) of the number representation at least one new intermediate value (b) as a result of at least one calculation of the link (K) is determined, the result of at least one calculation the link (K) from at least one previous one Intermediate value (b) and the position (n_i) assigned to the number representation Assignment value (E [n_i]) depends on - in one fifth Step (E.) the return value (r) as a result of the link (K) of a new intermediate value (b) with the random number (c) and / or the inverse (d) is determined. Computing unit according to claim 8, characterized in that that the arithmetic unit is designed such that the link is a Addition is such that the multiplication is a multiplication. Computing unit according to claim 9, characterized that the linkage an addition on a set of points of an elliptical or hyperelliptic Curve is and the arithmetic unit is the scalar point multiplication calculated. Computing unit according to claim 8, characterized in that that the arithmetic unit is designed such that the link is a Multiplication is such that the multiplication is an exponentiation is. Computing unit according to claim 11, characterized that the linkage a modular multiplication with respect to a primed or compound module and the arithmetic unit calculates the fast modular exponentiation.