EP1350161A1 - Device for performing exponentiation calculations and method for programming and using it - Google Patents

Device for performing exponentiation calculations and method for programming and using it

Info

Publication number
EP1350161A1
Authority
EP
European Patent Office
Prior art keywords
exponentiation
algorithm
chain
exponent
execute
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP01995782A
Other languages
English (en)
French (fr)
Inventor
Marc Joye
Christophe Clavier
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gemplus SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2001-01-11
Filing date
2001-12-21
Publication date
2003-10-08
Application filed by Gemplus Card International SA, Gemplus SA
Publication of EP1350161A1
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers, using residue arithmetic
    • G06F7/723 Modular exponentiation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/38 Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
    • G06F7/48 Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation, using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
    • G06F7/544 Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation, using non-contact-making devices, e.g. tube, solid state device; using unspecified devices, for evaluating functions by calculation
    • G06F7/556 Logarithmic or exponential functions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/556 Indexing scheme relating to group G06F7/556
    • G06F2207/5561 Exponentiation by multiplication, i.e. calculating Y**INT(X) by multiplying Y with itself or a power of itself, INT(X) being the integer part of X

Definitions

  • the present invention relates to an exponentiation calculation device, as well as a method for programming and using it, with application in particular in the field of cryptology, where cryptographic algorithms are implemented in electronic devices such as smart cards.
  • such algorithms compute R = x^e, where x and e are predetermined numbers that encode a value R. This is notably the case with RSA-type algorithms (Rivest, Shamir and Adleman).
  • the value R can correspond for example to an encrypted text, a confidential code, a public or private key for encryption or decryption, etc.
  • An electronic device intended to execute such an algorithm must contain in memory on the one hand the executable part for raising x to the power of e, and on the other hand the values x and e.
  • different types of algorithms can be used for this: the so-called square-and-multiply method (SAM), the M, M^3 method, sliding windows, etc.
  • a mask ROM is a memory whose recorded data is physically written during manufacture of the microcircuit, in the design of the masks used for fabrication.
  • an object of the invention is to make it possible to decompose an algorithm, in particular a cryptographic one, into a constant part, relatively simple to program, and a variable part that depends on the coded value and on a parameterisation of the algorithm.
  • this arrangement makes it possible to store the constant part in a mask ROM, to benefit from the advantages of that technology, and the variable part in a memory that is rewritable, or simply programmable after manufacture.
  • the risk of error is therefore considerably reduced for the mask ROM part.
  • in the event of an error in the configuration of the algorithm, or of a change of key, it suffices to reprogram the rewritable memory. This operation takes place only at the functional level, for example by modifying only a program to be loaded into the memory.
  • the rewritable memory can be of the electrically programmable type (EPROM) or of the electrically programmable and erasable type (EEPROM).
  • the calculation means can be configured to execute said exponentiation calculation, from said addition-subtraction chain C(e), according to an exponentiation algorithm stored in a portion of memory of the fixed, mask-coded type (mask ROM).
  • for each step i, the calculation means use a first register R_β(i) and a second register R_γ(i) for storing the values x^{e(j(i))} and x^{e(k(i))} respectively, and a third register R_α(i) for storing the result of their multiplication.
  • the exponent can then be represented by the following sequence of register triples:
  • T(e) = {(α(i): β(i), γ(i))}_{1 ≤ i ≤ r}, meaning that R_α(i) ← R_β(i) · R_γ(i), the calculation means being configured to execute the exponentiation algorithm (for e > 1):
  • the calculation means can also be configured to execute a universal-type exponentiation algorithm from an addition chain C(e) of the star type (in English, "star chains").
  • for this algorithm the device uses a first register (R1), intended to hold the successive squarings x^{2^i}, and a current register (R0), the calculation means executing a "right-to-left" exponentiation algorithm:
  • alternatively the device uses a first register (R1) and a current register (R0), the calculation means executing a "left-to-right" exponentiation algorithm:
  • the calculation means can also perform an algorithm according to a 2^k-ary method, in which k bits of the exponent are processed at each iteration.
  • the invention relates to a smart card, characterized in that it incorporates a device of the aforementioned type.
  • the invention relates to the use of a device of the aforementioned type for carrying out an exponentiation calculation, in particular in the execution of a cryptographic algorithm.
  • the purpose of the addition chain is to produce a series of numbers, starting from 1, that serve as exponents, so that raising x to each of them can be done by multiplying results of previous steps.
  • an addition chain is a sequence with the property that each of its elements is the sum of two previous elements. The first element of the sequence is 1, and the last element is equal to the exponent e. To compute the value x^e one can therefore build an addition chain for the exponent e (a sequence going from 1 to e). Since each element e(i) is the sum of two earlier elements, x^{e(i)} is obtained as the product of two values already computed, and the last element yields x^{e(r)} = x^e.
  • C(5) = {1, 2, 3, 5}. This chain begins with 1 and ends with 5, and each element in the sequence is equal to the sum of two previous elements: 2 is formed by 1 + 1, 3 by 2 + 1, and 5 by 3 + 2.
  • a more general form is the so-called addition-subtraction chain, where each element e(i) of the sequence is plus or minus a preceding element e(j), plus or minus another preceding element e(k). Either an element or its opposite can therefore be used.
  • a star chain is an addition chain such that each element e(i) is equal to the immediately preceding element e(i-1) plus another preceding element e(k).
  • FIG. 1 shows in the form of a block diagram a device 1 programmed in accordance with the invention, in this case a smart card intended to execute a cryptographic program.
  • the device implements an addition chain C (e) stored in a portion of rewritable memory, and the multiplication algorithm is stored in a mask ROM memory.
  • the latter can be based on an RSA algorithm
  • the device 1 combines on one chip programmed means for executing calculations.
  • these calculation means consist of a central unit (CPU) 2 functionally connected to a set of memories, among which a mask ROM 4 and an EEPROM 6.
  • the central unit 2 is also connected to a communication interface 10, which handles the exchange of signals with the outside world and the power supply of the chip.
  • this interface can take the form of contact pads on the card, for a so-called "contact" connection with a reader, and/or an antenna in the case of a so-called "contactless" card.
  • one of the functions of the device 1 is to encrypt and decrypt confidential data transmitted to and received from the outside. This data may relate, for example, to personal codes, medical information, accounting for bank or commercial transactions, authorisations to access certain restricted services, etc. Another function is to compute a digital signature or to verify one.
  • the central unit 2 executes the cryptographic algorithm from programming data which, according to the invention, are stored in the mask ROM 4 and EEPROM 6 parts.
  • in the EEPROM memory 6 is written the addition chain C(e), which serves, in its general function, to supply the successive multiplicands to the multiplication algorithm contained in the mask ROM 4 and, in its coding function, to encode the exponentiation algorithm through the specific choice of the intermediate values e(i) of the chain.
  • such a multiplication algorithm is defined as follows.
  • it takes as input the chain C(e) = {e(0), e(1), ..., e(r)}, supplied from the EEPROM 6 portion, for an exponent e.
  • each element of the chain satisfies e(i) = e(j(i)) + e(k(i)), with j(i), k(i) < i.
  • the algorithm then assigns these values to the registers R_α(i), R_β(i) and R_γ(i).
  • this algorithm is called the universal exponentiation algorithm.
  • in the binary method the exponent is scanned from right to left.
  • let e = (e_{t-1}, ..., e_0)_2 be the binary representation of e. Then
  • x^e = (x^{2^0})^{e_0} · (x^{2^1})^{e_1} · (x^{2^2})^{e_2} ··· (x^{2^{t-1}})^{e_{t-1}}.
  • writing R = x^e, the resulting algorithm is the SAM method.
  • the multiplication algorithm in mask ROM 4 simply multiplies the elements handed to it by the EEPROM 6. This type of algorithm is very easy to program in mask ROM 4. What is put in EEPROM 6 is not the key (i.e. the exponent), as is usually done, but a representation of this key by a specific addition chain. In the event of an error in the elaboration or programming of the chain, or of a modification of the key, it suffices to program the new data in the EEPROM 6 portion only. Indeed, an algorithm error recorded in the EEPROM memory amounts to an error in the writing of an addition chain. The multiplication program stored in the mask ROM portion 4 remains unchanged.
  • this coding of the addition chain in rewritable memory is therefore advantageous compared with the usual technique of putting the entire algorithm (for example of the SAM type) in mask ROM, which requires re-masking in the event of an error.
  • the SAM algorithm conventionally used under these conditions is relatively difficult to implement, in particular because of the countermeasures that must be built in, which increases the risk of error.
  • execution is also faster, because the addition chain can be produced by efficient algorithms, bringing the cost down to about 1.3n or even 1.2n multiplications for an n-bit modulus.
  • the invention can serve as protection against attacks called SPA (from the English "simple power analysis"), or more generally against attacks called SSLA (from the English "simple secret-leakage analysis").
  • the diversity of exponentiation calculation paths for a given value of e, obtained through the choice of the intermediate values e(i) of the addition chain, also makes it possible to counter so-called "differential" attacks. These attacks are based, for example, on an analysis of the average current consumed by the central unit.
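The following Python is an added example, not code from the patent or from Gemplus: it implements the addition chain C(e) and the addition-subtraction and star chains as defined in the Definitions above, encodes a chain as the register-triple sequence T(e) (one triple per step, meaning R_α ← R_β · R_γ), and runs the exponent-independent "universal exponentiation" loop that the page places in mask ROM. The register numbering (register i holds x^{e(i)}, register 0 holds x), the sign flag used for subtraction steps, and the chain-building helpers are my own conventions; the page gives no concrete encoding. It also shows that two different chains for the same e (the page's {1, 2, 3, 5} and the binary chain {1, 2, 4, 5}) give different programs with the same result, which is the "diversity of calculation paths" the last bullet refers to.

```python
# Added example (not code from the patent): addition chains, their encoding as
# register triples, and the exponent-independent loop that executes them.
# Register numbering, the sign flag and the helpers are assumptions of this example.
from math import gcd


def is_addition_subtraction_chain(chain, e):
    """Page definition: starts at 1, ends at e, and every later element is
    (+/-) one earlier element (+/-) another earlier element."""
    if not chain or chain[0] != 1 or chain[-1] != e:
        return False
    for i in range(1, len(chain)):
        earlier = chain[:i]
        if not any(s * a + t * b == chain[i]
                   for a in earlier for b in earlier
                   for s in (1, -1) for t in (1, -1)):
            return False
    return True


def is_star_chain(chain, e):
    """Star chain: each element is the immediately preceding one plus some
    earlier element (additions only)."""
    if not chain or chain[0] != 1 or chain[-1] != e:
        return False
    return all(any(chain[i] == chain[i - 1] + a for a in chain[:i])
               for i in range(1, len(chain)))


def binary_chain(e):
    """Star chain read off the binary representation of e, most significant
    bit first: double for every bit, add 1 for every set bit.  Executing it
    with the universal loop reproduces the square-and-multiply sequence."""
    if e < 1:
        raise ValueError("exponent must be >= 1")
    chain = [1]
    for bit in bin(e)[3:]:              # bits after the leading 1
        chain.append(2 * chain[-1])
        if bit == "1":
            chain.append(chain[-1] + 1)
    return chain


def encode_chain(chain):
    """T(e): one tuple (alpha, beta, gamma, sign) per element after the first,
    meaning R_alpha <- R_beta * R_gamma (sign=+1) or R_beta * R_gamma^{-1}
    (sign=-1, only for addition-subtraction chains).  This, not e itself,
    is what the rewritable memory would hold."""
    program = []
    for i in range(1, len(chain)):
        earlier = chain[:i]
        step = None
        for j, a in enumerate(earlier):
            for k, b in enumerate(earlier):
                if a + b == chain[i]:
                    step = (i, j, k, 1)
                elif a - b == chain[i]:
                    step = (i, j, k, -1)
                if step:
                    break
            if step:
                break
        if step is None:
            raise ValueError(f"{chain[i]} is not derivable from {earlier}")
        program.append(step)
    return program


def universal_exponentiation(x, program, n):
    """The fixed loop: it only executes the triples it is handed and never
    branches on a bit of e.  A sign=-1 step needs the inverse of the operand
    modulo n (pow(..., -1, n), Python >= 3.8), hence gcd(x, n) == 1."""
    registers = {0: x % n}
    for alpha, beta, gamma, sign in program:
        operand = registers[gamma]
        if sign < 0:
            if gcd(operand, n) != 1:
                raise ValueError("operand not invertible modulo n")
            operand = pow(operand, -1, n)
        registers[alpha] = (registers[beta] * operand) % n
    return registers[program[-1][0]] if program else registers[0]


if __name__ == "__main__":
    for chain in ([1, 2, 3, 5], binary_chain(5), [1, 2, 4, 8, 16, 15]):
        prog = encode_chain(chain)
        print(chain, "->", prog, "=", universal_exponentiation(3, prog, 1000))
```

Two practical caveats the page does not spell out: the chain in EEPROM is an exact encoding of the exponent, so it must be protected from read-out exactly like a key would be; and a subtraction step costs a modular inversion, which is far more expensive than a multiplication, so addition-subtraction chains only pay off where inversion is cheap.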

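As a second added example (again mine, not the patent's code), the three fixed exponentiation algorithms the Definitions name, right-to-left SAM, left-to-right SAM and the 2^k-ary method, written with the page's register names R0 (current value) and R1, and each returning both x^e mod n and the trace of operations it issued ("S" for a squaring, "M" for a multiplication). The trace makes concrete what the SPA remark above is about: in the binary methods the pattern of S and M follows the bits of e, whereas a chain-driven loop issues one multiplication per triple. Parameter names and the trace format are assumptions of this example.

```python
# Added example (not code from the patent): the fixed SAM and 2^k-ary
# algorithms, instrumented with an operation trace.  Names are assumptions.


def sam_right_to_left(x, e, n):
    """x^e = prod_i (x^{2^i})^{e_i}: R1 runs through x^{2^i}, R0 accumulates."""
    bits = [int(b) for b in bin(e)[2:][::-1]]     # e_0 first
    r0, r1, trace = 1 % n, x % n, []
    for i, bit in enumerate(bits):
        if bit:
            r0 = (r0 * r1) % n
            trace.append("M")
        if i < len(bits) - 1:                     # no squaring after the last bit
            r1 = (r1 * r1) % n
            trace.append("S")
    return r0, "".join(trace)


def sam_left_to_right(x, e, n):
    """Scan from the most significant bit: square R0, multiply by R1 on a 1 bit."""
    if e == 0:
        return 1 % n, ""
    r1 = x % n
    r0 = r1                                       # leading 1 bit of e
    trace = []
    for bit in bin(e)[3:]:
        r0 = (r0 * r0) % n
        trace.append("S")
        if bit == "1":
            r0 = (r0 * r1) % n
            trace.append("M")
    return r0, "".join(trace)


def k_ary(x, e, n, k):
    """2^k-ary method: precompute x^0 .. x^{2^k - 1}, then process k bits per
    iteration with k squarings and at most one table multiplication.
    k = 1 degenerates to left-to-right SAM."""
    base = 1 << k
    table = [1 % n, x % n]
    trace = []
    for _ in range(2, base):                      # precomputation multiplies
        table.append((table[-1] * table[1]) % n)
        trace.append("M")
    digits = []
    while e:
        digits.append(e % base)
        e //= base
    digits = digits[::-1] or [0]                  # most significant digit first
    r0 = table[digits[0]]
    for d in digits[1:]:
        for _ in range(k):
            r0 = (r0 * r0) % n
            trace.append("S")
        if d:
            r0 = (r0 * table[d]) % n
            trace.append("M")
    return r0, "".join(trace)


if __name__ == "__main__":
    for name, fn in (("RTL", sam_right_to_left), ("LTR", sam_left_to_right)):
        print(name, fn(3, 5, 1000))
    print("4-ary", k_ary(3, 5, 1000, 2))
```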
Landscapes

  • Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computational Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Optimization (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)
  • Complex Calculations (AREA)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0100296A FR2819320B1 (fr) 2001-01-11 2001-01-11 Device for performing exponentiation calculations, and method for programming and using the device
FR0100296 2001-01-11
PCT/FR2001/004182 WO2002056171A1 (fr) 2001-01-11 2001-12-21 Device for performing exponentiation calculations, and method for programming and using the device

Publications (1)

Publication Number Publication Date
EP1350161A1 (de) 2003-10-08

Family

ID=8858678

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01995782A Withdrawn EP1350161A1 (de) 2001-01-11 2001-12-21 Device for performing exponentiation calculations and method for programming and using it

Country Status (3)

Country Link
EP (1) EP1350161A1 (de)
FR (1) FR2819320B1 (de)
WO (1) WO2002056171A1 (de)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101764735B (zh) * 2008-12-25 2011-12-07 凌阳电通科技股份有限公司 Method for calculating the transport block length in a communication system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH04116720A (ja) * 1990-09-07 1992-04-17 Hitachi Ltd Semiconductor device
US5987131A (en) * 1997-08-18 1999-11-16 Picturetel Corporation Cryptographic key exchange using pre-computation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO02056171A1 *

Also Published As

Publication number Publication date
FR2819320A1 (fr) 2002-07-12
WO2002056171A1 (fr) 2002-07-18
FR2819320B1 (fr) 2003-08-08

Similar Documents

Publication Title
EP2842232B1 Cyclic redundancy check method with protection against side-channel attacks
EP1166494A1 Countermeasures in an electronic component for executing an elliptic-curve public-key cryptographic algorithm
EP1804161B1 Fault detection in a cryptographic computation
FR2888690A1 Cryptographic method for the secure implementation of an exponentiation, and associated component
EP1715410B1 Protection of a computation performed by an integrated circuit
EP2284690A2 Masking of a computation performed according to an RSA-CRT algorithm
EP1804160B1 Protection of a cryptographic computation in an integrated circuit
EP1419434A1 Secure method for performing a modular exponentiation operation
EP1224765A1 Countermeasure in an electronic component for executing an RSA-type public-key cryptographic algorithm
CA2257907A1 Public-key cryptography method
EP3502899B1 Method for determining a checksum, associated computer program and electronic object
EP2315388B1 Secure cryptographic computation method and corresponding electronic component
EP1350161A1 Device for performing exponentiation calculations and method for programming and using it
EP0793165A1 Modular arithmetic coprocessor with fast execution of non-modular operations
EP1279141B1 Countermeasure method in a microcircuit and IC card containing such a circuit
WO2004017193A2 Universal calculation method applied to points of an elliptic curve
EP1109089A1 Method for non-deterministic secure data transfer
FR2818772A1 Method for securing a logical or mathematical operator implemented in a microprocessor electronic module, and associated electronic module and embedded system
FR3004043A1 Methods for generating and using private cryptographic keys for RSA-CRT or RSA-CRT variants
FR2825863A1 Method for securing an exponentiation calculation in an electronic device
EP1891769B1 Protection of a modular exponentiation computation performed by an integrated circuit
EP1639450A1 Countermeasure method in an electronic component
EP1089175A1 Secured computer system
EP2232762B1 Method for encoding a secret consisting of a numerical value
WO2009083371A1 Method for securing a conditional branch, information medium, program, secure system and security processor for this method

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20030704

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

17Q First examination report despatched

Effective date: 20050419

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20051101