EP1350161A1 - Device for performing exponentiation calculations, and method for programming and using the device
- Publication number
- EP1350161A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- exponentiation
- algorithm
- chain
- exponent
- execute
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/38—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
- G06F7/48—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
- G06F7/544—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices for evaluating functions by calculation
- G06F7/556—Logarithmic or exponential functions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/556—Indexing scheme relating to group G06F7/556
- G06F2207/5561—Exponentiation by multiplication, i.e. calculating Y**INT(X) by multiplying Y with itself or a power of itself, INT(X) being the integer part of X
Definitions
- The present invention relates to an exponentiation calculation device, as well as a method for programming and using it, with application in particular in the field of cryptology, where cryptographic algorithms are implemented in electronic devices such as smart cards.
- $R = x^e$, where x and e are predetermined numbers which code a value R. This is notably the case with algorithms of the RSA type (Rivest, Shamir and Adleman).
- the value R can correspond for example to an encrypted text, a confidential code, a public or private key for encryption or decryption, etc.
- An electronic device intended to execute such an algorithm must contain in memory on the one hand the executable part for raising x to the power of e, and on the other hand the values x and e.
- Different types of algorithms are used: the so-called "square and multiply" method (SAM), method M, M 3, sliding windows, etc.
- A mask ROM is a memory whose recorded data is physically written during the hardware production of the microcircuit, through the design of the masks used for manufacturing.
- An object of the invention is to make it possible to decompose an algorithm, in particular for cryptography, into a constant part, relatively simple to program, and a variable part that depends on the coded value and on a setting of the algorithm.
- This arrangement makes it possible to store the constant part in a mask ROM to benefit from the advantage of this technology, and the variable part in a rewritable memory, or quite simply programmable after its manufacture.
- the risks of errors are therefore considerably reduced at the level of the mask ROM part.
- In the event of an error in the configuration of the algorithm, or of a change of the key, it suffices to reprogram the rewritable memory. This operation takes place only at the functional level, for example by modifying only a program to be loaded into the memory.
- EPROM electrically programmable type
- EEPROM electrically programmable and erasable type
- the calculation means can be configured to execute said exponentiation calculation, from said addition-subtraction chain C(e), according to an exponentiation algorithm stored in a memory portion of the fixed memory type coded by masking (mask ROM).
- R ⁇ (i ) and R ⁇ (i) respectively for the storage of the values of x exponent e (j! L>) and of x exponent e (k (1)) , and a third register R ⁇ ( i) for the storage of result of said multiplication.
- the exponent can be represented by the following sequence of registers:
- T (e) ⁇ ( ⁇ (i): ⁇ (i), ⁇ (i)) ⁇ i ⁇ i ⁇ r , meaning that ⁇ di ⁇ R ⁇ x (i) .R ⁇ (i) / the means of calculation being configured to execute the exponentiation algorithm (for e> l):
- the calculation means can also be configured to execute a universal type exponentiation algorithm from an addition chain.
- star type subtraction in English “star chains”
- C (e)
- the device uses for this algorithm a first register (Ri) intended to contain the successive values of x 2 and a current register (RO), the calculation means being active to execute a "right to left" exponentiation algorithm:
- the device uses for this algorithm a first register (RI) and a current register (RO), the calculation means being active to execute an exponentiation algorithm "from left to right":
- the calculation means perform an algorithm according to a $2^k$-ary method, where a number k of bits is processed at each iteration.
- the invention relates to a smart card, characterized in that it incorporates a device of the aforementioned type.
- the invention relates to the use of a device of the aforementioned type for carrying out an exponentiation calculation, in particular in the execution of a cryptographic algorithm.
- The object of the chain of additions is to produce a series of numbers, starting from 1, intended to serve as exponents, so that raising x to each of these exponents is possible by multiplying the results of previous calculations.
- An addition chain is a sequence which has the property that each of its elements is the sum of two previous elements. The first element of the sequence is 1, and the last element is equal to the exponent e. To calculate the value $x^e$, we can therefore establish a chain of additions for the exponent e (a sequence going from 1 to e). Now, since each element i
- x power e (r) x power e (r) .
- $C(5) = \{1, 2, 3, 5\}$. This chain begins with 1 and ends with 5, and each element in the sequence is equal to the sum of two previous elements. For example, the number 2 is formed by 1 + 1, 3 is formed by 2 + 1, 5 is formed by 3 + 2.
- A more general form of the chain is the so-called addition-subtraction chain, where each element e(i) of the sequence is plus or minus a preceding element e(j), plus or minus another preceding element e(k). We can therefore take into account either an element or its opposite.
- A star chain is a chain of additions such that each element e(i) is equal to the immediately preceding element e(i-1) plus another preceding element e(k).
- SAM squaring and multiplying
- FIG. 1 shows in the form of a block diagram a device 1 programmed in accordance with the invention, in this case a smart card intended to execute a cryptographic program.
- the device implements an addition chain C (e) stored in a portion of rewritable memory, and the multiplication algorithm is stored in a mask ROM memory.
- the latter can be based on an RSA algorithm
- the device 1 combines in a chip programmed means for the execution of calculations
- calculation means composed of a central unit (CPU) 2 functionally connected to a set of memories of which:
- the central unit 2 is also connected to a communication interface 10 which ensures the exchange of signals vis-à-vis the outside and the supply of the chip.
- This interface can be in the form of pads on the card for a so-called “contact” connection with a reader, and / or an antenna in the case of a so-called “contactless” card.
- One of the functions of the computing means 1 is to encrypt and decrypt confidential data respectively transmitted to and received from the outside. This data may relate, for example, to personal codes, medical information, accounting on bank or commercial transactions, authorizations to access certain restricted services, etc. Another function is to calculate a digital signature or verify it.
- the central unit 2 executes the cryptographic algorithm from programming data which, according to the invention, are stored in the mask ROM 4 and EEPROM 6 parts.
- The addition chain C(e) is written in the EEPROM memory 6. In its general function, it supplies the successive multiplicands to the multiplication algorithm contained in the mask ROM 4 and, in its coding function, it codes the exponentiation algorithm through the specific choice of the intermediate values e(i) for this chain.
- Such a multiplication algorithm is defined as follows.
- $C(e) = \{e^{(0)}, e^{(1)}, \ldots, e^{(r)}\}$, which is supplied from the EEPROM 6 portion for an exponent e.
- $e^{(i)} = e^{(j(i))} + e^{(k(i))}$.
- the algorithm will then transmit the values to the registers R ⁇ ( i), R ⁇ (i) and R ⁇ (i) .
- This algorithm is called the universal exponentiation algorithm.
- ⁇ (l ) ⁇ (l)
- ⁇ (i) ⁇ (i).
- the exponent is scanned from right to left.
- Let $e = (e_{t-1}, \ldots, e_0)_2$ be the binary representation of e.
- $x^e = (x^{2^0})^{e_0} (x^{2^1})^{e_1} (x^{2^2})^{e_2} \cdots (x^{2^{t-1}})^{e_{t-1}}$.
- R x e
- the resulting algorithm is the SAM method
- EEPROM 6 which simply multiplies the elements given by it. This type of algorithm is very easy to program in mask ROM 4. What is put in EEPROM 6 is not the key itself (i.e. the exponent), as is usually done, but a representation of this key by a specific chain of additions. In the event of an error in the elaboration or programming of the chain, or of a modification of the key, it suffices to program the new suitable data in the EEPROM 6 portion only. Indeed, an algorithm error recorded in the EEPROM memory would be equivalent to an error in the writing of a chain of additions. The multiplication program stored in the mask ROM portion 4 remains unchanged.
- This coding in the chain of additions in rewritable memory is therefore advantageous compared to the usual technique of putting the entire algorithm (for example of the SAM type) in mask ROM, which requires re-masking in case of error.
- the SAM algorithm conventionally used under these conditions is relatively difficult to implement, in particular because of the countermeasures to be installed, which increases the risk of error.
- the execution time is much faster because the chain of additions can be processed by efficient algorithms, making it possible to go down to 1.3 or even 1.2 × n multiplications, for a modulus of n bits.
- the invention can serve as protection against attacks called SPA (from the English "simple power analysis"), or more generally against attacks called SSLA (from the English "simple secret-leakage analysis").
- the diversity of the exponentiation calculation paths for a given value of e, thanks to the choice of intermediate values e(i) in the addition chains, makes it possible to avoid so-called "differential" attacks. These attacks are based for example on an analysis of the average current consumed by a central unit.
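
Added example (not code from the patent): a Python sketch of the split described above, in which a fixed multiply loop stands in for the mask-ROM part and the addition chain is plain data standing in for the EEPROM part. The function names, the (j, k) index-pair encoding and the toy modulus 3233 are assumptions made for illustration; every intermediate power is kept in a list rather than in the register assignment the text describes.

```python
def chain_to_steps(chain, e):
    """Validate an addition chain for e and return one (j, k) pair per element.

    Pair i means chain[i+1] == chain[j] + chain[k] with j, k earlier in the chain.
    A ValueError corresponds to a badly written chain in rewritable memory.
    """
    if not chain or chain[0] != 1 or chain[-1] != e:
        raise ValueError("chain must start at 1 and end at the exponent")
    steps = []
    for i in range(1, len(chain)):
        pair = next(((j, k) for j in range(i) for k in range(j, i)
                     if chain[j] + chain[k] == chain[i]), None)
        if pair is None:
            raise ValueError(f"{chain[i]} is not a sum of two earlier elements")
        steps.append(pair)
    return steps


def universal_exp(x, steps, n):
    """Constant part: only multiplies earlier results, as dictated by `steps`."""
    powers = [x % n]                      # powers[i] == x ** chain[i] mod n
    for j, k in steps:
        powers.append(powers[j] * powers[k] % n)
    return powers[-1]


def binary_chain(e):
    """Left-to-right square-and-multiply expressed as a (star) addition chain."""
    chain = [1]
    for bit in bin(e)[3:]:                # skip '0b' and the leading 1 bit
        chain.append(chain[-1] * 2)       # squaring: e(i) = e(i-1) + e(i-1)
        if bit == "1":
            chain.append(chain[-1] + 1)   # multiply by x: e(i) = e(i-1) + 1
    return chain


if __name__ == "__main__":
    n, x = 3233, 65                       # constructed toy values, not secure sizes
    # Two different chains for the same exponent 5: same result, different path.
    for chain in ([1, 2, 3, 5], binary_chain(5)):
        steps = chain_to_steps(chain, 5)
        print(chain, steps, universal_exp(x, steps, n))
    # Changing the exponent only changes the chain data, not universal_exp().
    steps17 = chain_to_steps(binary_chain(17), 17)
    print(len(steps17), "multiplications ->", universal_exp(x, steps17, n))
    try:
        chain_to_steps([1, 2, 5], 5)      # 5 is not a sum of two earlier elements
    except ValueError as err:
        print("rejected chain:", err)
```
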
Landscapes
- Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Pure & Applied Mathematics (AREA)
- Computational Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Mathematical Optimization (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
- Complex Calculations (AREA)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0100296A FR2819320B1 (fr) | 2001-01-11 | 2001-01-11 | Device for performing exponentiation calculations, and method for programming and using the device |
FR0100296 | 2001-01-11 | ||
PCT/FR2001/004182 WO2002056171A1 (fr) | 2001-01-11 | 2001-12-21 | Device for performing exponentiation calculations, and method for programming and using the device |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1350161A1 (de) | 2003-10-08 |
Family
ID=8858678
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP01995782A Withdrawn EP1350161A1 (de) | 2001-01-11 | 2001-12-21 | Device for performing exponentiation calculations, and method for programming and using the device |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1350161A1 (de) |
FR (1) | FR2819320B1 (de) |
WO (1) | WO2002056171A1 (de) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101764735B (zh) * | 2008-12-25 | 2011-12-07 | 凌阳电通科技股份有限公司 | Method for calculating the transmission block length of a communication system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH04116720A (ja) * | 1990-09-07 | 1992-04-17 | Hitachi Ltd | Semiconductor device |
US5987131A (en) * | 1997-08-18 | 1999-11-16 | Picturetel Corporation | Cryptographic key exchange using pre-computation |
-
2001
- 2001-01-11 FR FR0100296A patent/FR2819320B1/fr not_active Expired - Fee Related
- 2001-12-21 EP EP01995782A patent/EP1350161A1/de not_active Withdrawn
- 2001-12-21 WO PCT/FR2001/004182 patent/WO2002056171A1/fr not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
See references of WO02056171A1 * |
Also Published As
Publication number | Publication date |
---|---|
FR2819320A1 (fr) | 2002-07-12 |
WO2002056171A1 (fr) | 2002-07-18 |
FR2819320B1 (fr) | 2003-08-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20030704 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
|
AX | Request for extension of the european patent |
Extension state: AL LT LV MK RO SI |
|
17Q | First examination report despatched |
Effective date: 20050419 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20051101 |