EP1419434A1 - Secure method for performing a modular exponentiation operation - Google Patents
Secure method for performing a modular exponentiation operation
- Publication number
- EP1419434A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- mod
- masking parameter
- modulo
- secure
- algorithm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7233—Masking, e.g. (A**e)+r mod n
- G06F2207/7242—Exponent masking, i.e. key masking, e.g. A**(e+r) mod n; (k+r).P
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7257—Random modification not requiring correction
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/04—Masking or blinding
Definitions
- The present invention relates to a secure method for carrying out an exponentiation operation, with application in particular in the field of cryptography.
- The invention applies in particular to cryptographic algorithms implemented in electronic devices such as smart cards.
- U, V and X are integers, most often of large size, and W is a predetermined number.
- The numbers U, V can correspond, for example, to a text to be encrypted or already encrypted, data to be signed or already signed, data to be verified or already verified, etc.
- The numbers W and X can correspond to elements of keys, private or public, used for encrypting or decrypting the numbers U, V.
- RSA (Rivest, Shamir and Adleman).
- d and N are 1024 bits;
- p and q are 512 bits.
- The CRT function CRT(s_p, s_q) is commonly called the recombination formula according to the Chinese remainder theorem.
- The CRT function is calculated, for example, as follows:
- The numbers e and N form the public key associated with the private key (d, p, q); the numbers e and N satisfy the relations:
- A malicious user can mount side-channel attacks (called "hidden channel" attacks in the original), aimed in particular at discovering confidential information (for example the numbers d or p) held and manipulated during the processing carried out by the computing device that executes an exponentiation operation.
- The best-known side-channel attacks are the simple and the differential attacks.
- A simple or differential side-channel attack is understood to mean an attack based on a physical quantity measurable from outside the device, the direct analysis of which (simple attack, e.g. SPA) or the statistical analysis of which (differential attack, e.g. DPA) makes it possible to discover information held and manipulated during processing inside the device. These attacks can thus reveal confidential information.
- These attacks were notably described by Paul Kocher, Joshua Jaffe and Benjamin Jun, "Differential Power Analysis" (Advances in Cryptology - CRYPTO'99, vol. 1666 of Lecture Notes in Computer Science, pp. 388-397, Springer-Verlag, 1999).
- The CRT attack described below can be considered against any algorithm implemented by means of the Chinese remainder theorem.
- The CRT attack makes it possible to obtain the number p of the private key.
- Y = i_p · (s_q − s_p) mod q, where i_p denotes the inverse of p modulo q. If p and q are a bits (for example 512 bits), then i_p, s_p, s_q and Y are also a bits. The product p·Y and the number s are therefore 2a bits. Since s_p is only a bits, it follows that the a most significant bits of s are equal to the a most significant bits of the product p·Y (up to the carry that the addition of s_p can propagate into bit a).
- The Hamming weight H(Y) of the number Y can be obtained by a simple side-channel attack during the calculation of Y. It is recalled that the Hamming weight of Y is the number of bits of Y equal to "1".
- An object of the invention is to propose a secure method for carrying out an exponentiation operation, protected against the attacks above, including CRT attacks such as the one described.
- Another object of the invention is to propose a secure method for carrying out an exponentiation operation that is at least as efficient as the method disclosed in document WO 99/35782, in particular in terms of circuit size and calculation time.
- Another object of the invention, finally, is to provide a secure method for calculating an exponentiation operation which can be incorporated into any calculation method during which a calculation of the type
- The masking parameter is a fractional number.
- The numbers W, X are in practice numbers which must be kept secret, such as elements of a private key and/or numbers derived from such a key.
- The number W can be one of the variables d_p, d_q derived from d in the usual way.
- The size of the numbers W, X is immaterial; it is, for example, 1024 bits.
- The masking parameter is of the form R/K.
- R is a random integer, changed at each execution of the method.
- The size of the number R determines the security of the algorithm against the differential attacks mentioned above; R may be chosen, for example, 32 bits in size.
- K is an integer divisor of the number φ(X), φ being Euler's totient function. K can be chosen constant or can be changed each time the method is executed.
- The size of K is immaterial; it is, for example, close to the size of the number R.
- Two derived quantities are used: the integer part (the quotient) of the division of W by K, and the product of the masking parameter R/K by the number φ(X), which is an integer because K divides φ(X).
- The method of the invention as described above can advantageously be used within a global cryptographic method.
- The cryptographic method is of the RSA type and is implemented according to the Chinese remainder theorem.
- The invention is used in particular to mask a key, possibly a derived key (for example the derived keys d_p, d_q), by a masking parameter chosen randomly at each execution of the method, the masking parameter being a fractional number.
- The invention also relates to an electronic component comprising a calculation circuit for implementing a method according to the invention, for example, but not necessarily, within the framework of a cryptographic algorithm.
- The invention also relates to a smart card comprising said electronic component.
- The single figure shows, in the form of a block diagram, an electronic device 1 capable of carrying out exponentiation calculations.
- This device is a smart card intended to execute a cryptographic program.
- The device 1 brings together on one chip programmed calculation means, composed of a central unit 2 functionally connected to a set of memories, namely: a read-only memory 4, in the example of the mask ROM type; an electrically reprogrammable memory 6, in the example of the EEPROM (electrically erasable programmable ROM) type; and
- a working memory 8 accessible in read and write, in the example of the RAM (random access memory) type.
- This memory notably contains the registers used by the device 1.
- The executable code corresponding to the exponentiation algorithm is contained in program memory. In practice this code can be held in the read-only memory 4 and/or in the rewritable memory 6.
- The central unit 2 is connected to a communication interface 10 which handles the exchange of signals with the outside and the power supply of the chip.
- This interface can comprise contact pads on the card for a so-called "contact" connection with a reader, and/or an antenna in the case of a so-called "contactless" card.
- One of the functions of the device 1 is to encrypt or decrypt a confidential message m, respectively transmitted to or received from the outside.
- This message can concern, for example, personal codes, medical information, accounting data on banking or business transactions, access permissions to certain restricted services, etc.
- Another function is to calculate or verify a digital signature.
- The central unit 2 executes a cryptographic algorithm, using an exponentiation calculation, on program data stored in the mask ROM 4 and/or the EEPROM 6.
- The exponentiation algorithm is of the RSA type, implemented using the Chinese remainder theorem.
- The algorithm is used to sign a message m using a private key comprising three integers d, p and q.
- d is 1024 bits;
- p and q are 512 bits.
- The numbers d, p, q are stored in a portion of the rewritable memory 6, of the EEPROM type in the example.
- When the device 1 is requested to perform an exponentiation calculation, the central unit first stores the number m, received through the communication interface 10, in a calculation register of the working memory 8. The central unit then reads the keys d, p, q from the rewritable memory 6 and holds them temporarily, for the duration of the exponentiation calculation, in a calculation register of the working memory 8. The central unit then launches the exponentiation algorithm.
- The keys d_p, d_q derived from the key d are masked by a random fractional number in the following manner.
- The central unit first chooses a number k_p that divides p−1 and a number k_q that divides q−1, p and q being elements of the key; k_p, k_q are stored in another calculation register of the working memory 8.
- k_p can be changed each time the algorithm is run, or can be kept constant.
- The size of k_p is immaterial, but necessarily smaller than the size of p−1.
- The central unit also chooses two random numbers r_p, r_q and stores them in two other calculation registers of the working memory.
- r_p, r_q are preferably changed each time the algorithm is run.
- The size of the numbers r_p, r_q is generally a compromise between, on the one hand, the size of the memory 8 in which they are stored and the calculation time (which increases with the size of r_p, r_q) and, on the other hand, the security of the algorithm (which also increases with the size of r_p, r_q).
- The central unit stores the variables d_p*, a_p, d_q*, a_q in registers of the working memory. Thereafter, the intermediate variables obtained throughout the calculation are also stored in a portion of the working memory 8.
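The definitions above give the ingredients of the countermeasure in words only (a divisor k_p of p−1, a fresh random r_p, the quotient of the exponent by k_p, the masking term r_p·(p−1)/k_p, the stored variables d_p*, a_p) and state the CRT-attack observation on the top bits of s; the formulas themselves are not reproduced on this page. The following Python is an added example, not the patent's text or any vendor's code. It reconstructs one scheme that is consistent with those definitions and labels what it assumes: that d_p* is the masked quotient ⌊d_p/k_p⌋ + r_p·(p−1)/k_p, that a_p is the remainder d_p mod k_p, that s_p is obtained as (m^{k_p})^{d_p*} · m^{a_p} mod p, and that the recombination is Garner's s = s_p + p·(i_p·(s_q − s_p) mod q). Function names, the 64-bit demo key and the message are all constructed here.

```python
"""Fractional exponent masking for RSA-CRT: added example, not the patent's code.

Assumed reconstruction from the page's wording (not confirmed by the page):
write the secret exponent as w = k*w1 + a with w1 = w // k, a = w % k and
k | phi(x); mask w1 as w1* = w1 + (r/k)*phi(x), an integer because k | phi(x).
Then (u**k)**w1* * u**a = u**w * u**(r*phi(x)) = u**w (mod x) when gcd(u, x) = 1.
Key material below is constructed for the demonstration only.
"""
import random

# Bases for which Miller-Rabin is deterministic below 3.3e24 (covers 64-bit primes).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the fixed base set above."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in _MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def random_divisor(n: int, rng: random.Random, bound: int = 1 << 16) -> int:
    """Random divisor of n assembled from its prime factors below `bound`
    (trial division); used to pick k_p | p-1 and k_q | q-1 as the page requires."""
    k, f = 1, 2
    while f < bound:
        while n % f == 0:
            n //= f
            if rng.random() < 0.5:
                k *= f
        f += 1
    return k


def masked_exp(u: int, w: int, x: int, phi_x: int, k: int, r: int) -> int:
    """u**w mod x with w masked by the fraction r/k (requires k | phi_x).
    The loop exponents are w1_star (fresh on every call) and the short a < k;
    the secret w itself is never exponentiated."""
    assert phi_x % k == 0, "k must divide phi(x)"
    w1, a = divmod(w, k)                     # w = k*w1 + a
    w1_star = w1 + r * (phi_x // k)          # w1 + (r/k)*phi(x), an exact integer
    return pow(pow(u, k, x), w1_star, x) * pow(u, a, x) % x


def rsa_keygen(bits: int, rng: random.Random):
    """Constructed RSA key (p, q, n, e, d) with `bits`-bit primes; demo only."""
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:               # e is prime, so this is gcd(e, phi) == 1
            return p, q, p * q, e, pow(e, -1, phi)


def rsa_crt_sign_masked(m: int, p: int, q: int, d: int, rng: random.Random):
    """RSA-CRT signature with d_p, d_q masked.  Returns (s, y), y being the
    Garner value i_p*(s_q - s_p) mod q that the page's CRT attack targets."""
    dp, dq = d % (p - 1), d % (q - 1)                  # derived keys d_p, d_q
    kp, kq = random_divisor(p - 1, rng), random_divisor(q - 1, rng)
    rp, rq = rng.getrandbits(32), rng.getrandbits(32)  # fresh 32-bit r (page's example size)
    sp = masked_exp(m % p, dp, p, p - 1, kp, rp)
    sq = masked_exp(m % q, dq, q, q - 1, kq, rq)
    ip = pow(p, -1, q)                                 # i_p = p^-1 mod q (Python >= 3.8)
    y = ip * (sq - sp) % q
    return sp + p * y, y                               # s = s_p + p*y (assumed recombination)


def top_bits_agree(s: int, p: int, y: int, a: int) -> bool:
    """The page's CRT-attack observation: with p, q both a bits, the a most
    significant bits of s and of p*y coincide, up to the carry that adding
    s_p < 2**a can push into bit a."""
    return abs((s >> a) - ((p * y) >> a)) <= 1


def demo(seed: int = 2002, bits: int = 64) -> dict:
    """End-to-end run on a constructed key; returns the checks as booleans."""
    rng = random.Random(seed)
    p, q, n, e, d = rsa_keygen(bits, rng)
    m = int.from_bytes(b"constructed message for the example", "big") % n
    s, y = rsa_crt_sign_masked(m, p, q, d, rng)
    return {
        "signature_verifies": pow(s, e, n) == m % n,
        "matches_plain_rsa": s == pow(m, d, n),
        "top_bits_agree": top_bits_agree(s, p, y, bits),
    }
```

Two points worth noting when reading this against the page. First, the masked exponent d_p* changes on every call because r_p is fresh, so a differential attack cannot average over repeated runs of the same exponent bits; the remainder a_p, however, is exponentiated unmasked here, and although it has at most as many bits as k_p, the page says nothing about how it is protected, which is something to settle in any real implementation. Second, `top_bits_agree` shows why the page worries about Garner's y: with equal-size primes, the public signature s already exposes the top half of p·y, so a leak of H(y) during the recombination gives the attacker information about p that the exponent masking alone does not hide.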
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Physics (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0110671 | 2001-08-10 | ||
FR0110671A FR2828608B1 (fr) | 2001-08-10 | 2001-08-10 | Procede securise de realisation d'une operation d'exponentiation modulaire |
PCT/FR2002/002771 WO2003014916A1 (fr) | 2001-08-10 | 2002-07-31 | Procede securise de realisation d'une operation d'exponentiation modulaire |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1419434A1 (de) | 2004-05-19 |
Family
ID=8866432
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP02772476A Withdrawn EP1419434A1 (de) | 2001-08-10 | 2002-07-31 | Secure method for performing a modular exponentiation operation |
Country Status (5)
Country | Link |
---|---|
US (1) | US20040184604A1 (de) |
EP (1) | EP1419434A1 (de) |
CN (1) | CN1568457A (de) |
FR (1) | FR2828608B1 (de) |
WO (1) | WO2003014916A1 (de) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2847402B1 (fr) * | 2002-11-15 | 2005-02-18 | Gemplus Card Int | Integer division method secured against side-channel attacks |
TW586086B (en) * | 2002-12-27 | 2004-05-01 | Ind Tech Res Inst | Method and apparatus for protecting public key schemes from timing, power and fault attacks |
DE10341096A1 (de) * | 2003-09-05 | 2005-03-31 | Giesecke & Devrient Gmbh | Transition between masked representations of a value in cryptographic calculations |
WO2005048008A2 (en) | 2003-11-16 | 2005-05-26 | M-Systems Flash Disk Pioneers Ltd. | Enhanced natural Montgomery exponent masking |
KR100652377B1 (ko) * | 2004-08-06 | 2007-02-28 | 삼성전자주식회사 | Modular exponentiation algorithm, recording medium and system |
DE102004061312B4 (de) * | 2004-12-20 | 2007-10-25 | Infineon Technologies Ag | Device and method for detecting a potential attack on a cryptographic calculation |
FR2884004B1 (fr) | 2005-03-30 | 2007-06-29 | Oberthur Card Syst Sa | Data processing method involving a modular exponentiation, and associated device |
EP1920324A1 (de) * | 2005-08-19 | 2008-05-14 | Nxp B.V. | Circuit arrangement and method for performing an inversion operation in a cryptographic calculation |
EP1920325A2 (de) * | 2005-08-19 | 2008-05-14 | Nxp B.V. | Circuit arrangement and method for performing an operation, in particular a cryptographic calculation |
US8280041B2 (en) * | 2007-03-12 | 2012-10-02 | Inside Secure | Chinese remainder theorem-based computation method for cryptosystems |
KR101383690B1 (ko) * | 2008-12-10 | 2014-04-09 | 한국전자통신연구원 | Group key management method for secure multicast communication |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5991415A (en) * | 1997-05-12 | 1999-11-23 | Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science | Method and apparatus for protecting public key schemes from timing and fault attacks |
DE19963408A1 (de) * | 1999-12-28 | 2001-08-30 | Giesecke & Devrient Gmbh | Portable data carrier with access protection by key splitting |
-
2001
- 2001-08-10 FR FR0110671A patent/FR2828608B1/fr not_active Expired - Fee Related
-
2002
- 2002-07-31 WO PCT/FR2002/002771 patent/WO2003014916A1/fr not_active Application Discontinuation
- 2002-07-31 CN CN02820000.4A patent/CN1568457A/zh active Pending
- 2002-07-31 EP EP02772476A patent/EP1419434A1/de not_active Withdrawn
- 2002-07-31 US US10/486,340 patent/US20040184604A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
See references of WO03014916A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2003014916A1 (fr) | 2003-02-20 |
FR2828608A1 (fr) | 2003-02-14 |
FR2828608B1 (fr) | 2004-03-05 |
CN1568457A (zh) | 2005-01-19 |
US20040184604A1 (en) | 2004-09-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2031792B1 (de) | Secure modular exponentiation with leak minimization for smart cards and other cryptosystems | |
US7065788B2 (en) | Encryption operating apparatus and method having side-channel attack resistance | |
EP1166494A1 (de) | Countermeasures in an electronic component for executing an elliptic-curve public-key cryptographic algorithm | |
EP2296086B1 (de) | Side-channel-attack-resistant generation of prime numbers | |
WO2003014916A1 (fr) | Secure method for performing a modular exponentiation operation | |
JP2004304800A (ja) | Side-channel attack prevention in a data processing device | |
JP2004512570A (ja) | Method and apparatus using a non-secure cryptographic accelerator | |
EP1421473B1 (de) | Universal calculation method for points on an elliptic curve | |
US8233615B2 (en) | Modular reduction using a special form of the modulus | |
US20090122980A1 (en) | Cryptographic Method for Securely Implementing an Exponentiation, and an Associated Component | |
US7123717B1 (en) | Countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm | |
WO2007104706A1 (fr) | Method for securing an exponentiation or scalar multiplication computation in an electronic device | |
WO2006067057A1 (fr) | Secure and compact exponentiation method for cryptography | |
WO2003055134A9 (fr) | Cryptographic method for distributing the load among several entities, and devices for implementing this method | |
WO1998051038A1 (fr) | Pseudo-random generator based on a hash function for cryptographic systems requiring random draws | |
FR2842052A1 (fr) | Cryptographic method and devices for lightening computations during transactions | |
WO2004017193A2 (fr) | Universal calculation method applied to points of an elliptic curve | |
FR2818846A1 (fr) | Countermeasure method in an electronic component implementing a cryptographic algorithm | |
EP2738974A1 (de) | Method for deriving multiple cryptographic keys from a master key in a security microprocessor | |
WO2002082257A1 (fr) | Device for performing secure exponentiation calculations and use of such a device | |
FR2829646A1 (fr) | Secure method for implementing a cryptographic algorithm and corresponding component | |
FR2864649A1 (fr) | Inverse calculation circuit, inverse calculation method and recording medium containing computer-readable program code | |
AU2002348963A1 (en) | Device and method with reduced information leakage |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20040310 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL LT LV MK RO SI |
|
17Q | First examination report despatched |
Effective date: 20041124 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20060210 |