EP1419434A1 - Secure method for carrying out a modular exponentiation operation - Google Patents

Secure method for carrying out a modular exponentiation operation (Gesichertes Verfahren zum Realisieren einer modularen Potenzierungsoperation)

Info

Publication number
EP1419434A1
Authority
EP
European Patent Office
Prior art keywords
mod
masking parameter
modulo
secure
algorithm
Prior art date
Legal status
Withdrawn
Application number
EP02772476A
Other languages
English (en)
French (fr)
Inventor
Marc Joye
Karine Villegas
Current Assignee
Gemplus SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date
Filing date
Publication date
Application filed by Gemplus Card International SA and Gemplus SA
Publication of EP1419434A1
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/723 Modular exponentiation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219 Countermeasures against side channel or fault attacks
    • G06F2207/7223 Randomisation as countermeasure against side channel attacks
    • G06F2207/7233 Masking, e.g. (A**e)+r mod n
    • G06F2207/7242 Exponent masking, i.e. key masking, e.g. A**(e+r) mod n; (k+r).P
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219 Countermeasures against side channel or fault attacks
    • G06F2207/7223 Randomisation as countermeasure against side channel attacks
    • G06F2207/7257 Random modification not requiring correction
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding

Definitions

  • the present invention relates to a secure method for carrying out an exponentiation operation, with application in particular in the field of cryptography.
  • the invention applies in particular to cryptographic algorithms implemented in electronic devices such as smart cards.
  • U, V and X are integers, most often of large size, and W is a predetermined number.
  • the numbers U, V can correspond, for example, to a text encrypted or to be encrypted, data signed or to be signed, data verified or to be verified, etc.
  • the numbers W and X can correspond to elements of keys, private or public, used for encrypting or decrypting the numbers U, V.
  • RSA: Rivest, Shamir and Adleman
  • d and N are 1024 bits
  • p and q are 512 bits.
  • the CRT function (s_p, s_q) is commonly called the recombination formula according to the Chinese remainder theorem.
  • the CRT function is calculated, for example, as follows:
  • the numbers e and N form the public key associated with the private key (d, p, q); the numbers e and N verify the relations:
  • a malicious user can possibly initiate side-channel ("hidden channel") attacks, aimed in particular at discovering confidential information (such as the numbers d or p) contained and manipulated in the processing operations carried out by the computing device executing an exponentiation operation.
  • the best-known side-channel attacks are the so-called simple and differential attacks.
  • a simple or differential side-channel attack is understood to mean an attack based on a physical quantity measurable from outside the device, whose direct analysis (simple attack) or analysis by a statistical method (differential attack) makes it possible to discover information contained and manipulated in processing carried out in the device. These attacks can thus allow the discovery of confidential information.
  • These attacks were notably exposed by Paul Kocher (Advances in Cryptology - CRYPTO'99, vol. 1666 of Lecture Notes in Computer Science, pp. 388-397, Springer-Verlag, 1999).
  • the CRT attack can be considered for any algorithm implemented through the Chinese remainder theorem.
  • the CRT attack makes it possible to obtain the number p of the private key.
  • Y = i_p × (s_q − s_p) mod q. If p, q are of a bits (for example 512 bits), then i_p, s_p, s_q are of a bits, as is Y. The product p × Y and the number s are therefore of 2a bits. Since s_p is of a bits, we deduce that the a most significant bits of s are equal to the a most significant bits of the product p × Y.
  • the Hamming weight H(Y) of the number Y can be obtained by a simple side-channel attack during the calculation of Y. It is recalled that the Hamming weight of the number Y is the number of bits set to "1" in the number Y.
  • an object of the invention is to propose a secure method of carrying out an exponentiation operation, protected against all attacks, including CRT attacks such as described above.
  • Another object of the invention is to propose a secure method for carrying out an exponentiation operation, at least as efficient as the method disclosed in document WO 99/35782, in particular in terms of circuit size and calculation time.
  • Another object of the invention finally is to provide a secure method for calculating an exponentiation operation, which can be incorporated into any calculation method during which a calculation of the type
  • the masking parameter is a fractional number.
  • the numbers W, X are in practice numbers which must be kept hidden, such as elements of a private key and/or numbers derived from such a key.
  • the number W can be the variables d_p, d_q used in the usual way.
  • the size of the numbers W, X is immaterial; it is for example 1024 bits.
  • the masking parameter is of the form R / K.
  • R is a random integer modified at each execution of the method.
  • the size of the number R determines the security of the algorithm with respect to said differential attacks; R may be chosen, for example, of size 32 bits.
  • K is an integer divisor of the number φ(X), φ being Euler's totient function. K can be chosen constant or can be modified each time the method is executed.
  • the size of K is immaterial; it is for example close to the size of the number R.
  • the masked form of W uses the integer part (rounded down) of the division of W by K, and the mask added to it is equal to the product of the masking parameter (R / K) by the number φ(X), which is an integer precisely because K divides φ(X).
  • the method of the invention as described above can be advantageously used in a global cryptographic method.
  • the cryptographic method is of the RSA type, and it is implemented according to the Chinese remainder theorem.
  • the invention is used in particular to mask a possibly derived key (for example the derived keys d_p, d_q) by a masking parameter chosen randomly at each execution of the method, the masking parameter being a fractional number.
  • the invention also relates to an electronic component comprising a calculation circuit for implementing a method according to the invention, for example, but not necessarily, within the framework of a cryptographic algorithm.
  • the invention also relates to a smart card comprising said electronic component.
  • the single figure shows in the form of a block diagram an electronic device 1 capable of carrying out exponentiation calculations.
  • this device is a smart card intended to execute a cryptographic program.
  • the device 1 brings together in a chip programmed calculation means, composed of a central unit 2 functionally connected to a set of memories, of which: a memory 4 accessible in read only, in the example of the mask ROM type (mask read-only memory); a memory 6 electrically re-programmable, in the example of the EEPROM type (electrically erasable programmable ROM); and
  • a working memory 8 accessible in read and write, in the example of the RAM type (random access memory).
  • This memory notably includes the registers used by the device 1.
  • the executable code corresponding to the exponentiation algorithm is contained in program memory. This code can in practice be contained in memory 4, accessible in read only, and/or in memory 6, rewritable.
  • the central unit 2 is connected to a communication interface 10 which ensures the exchange of signals with the outside and the power supply of the chip.
  • This interface can include contact pads on the card for a so-called "contact" connection with a reader, and/or an antenna in the case of a so-called "contactless" card.
  • One of the functions of the device 1 is to encrypt or decrypt a confidential message m, respectively transmitted to, or received from, the outside.
  • This message can relate, for example, to personal codes, medical information, accounting information on banking or business transactions, access permissions to certain restricted services, etc.
  • Another function is to calculate or verify a digital signature.
  • the central unit 2 executes a cryptographic algorithm, using an exponentiation calculation, on programming data which is stored in the mask ROM 4 and / or EEPROM 6 parts.
  • the exponentiation algorithm is of the RSA type, implemented by the use of the Chinese remainder theorem.
  • the algorithm is used to sign a message m using a private key comprising three integers d, p and q.
  • d is 1024 bits
  • p and q are 512 bits.
  • the numbers d, p, q are stored in a portion of the rewritable memory 6, of the EEPROM type in the example.
  • When the device 1 is requested for the exponentiation calculation, the central unit first stores the number m, transmitted by the communication interface 10, in a calculation register of the working memory 8. The central unit then reads the keys d, p, q contained in the rewritable memory 6, in order to store them temporarily, for the duration of the exponentiation calculation, in a calculation register of the working memory 8. The central unit then launches the exponentiation algorithm.
  • the keys d_p, d_q derived from the key d are masked by a random fractional number in the following manner.
  • the central unit first chooses a number k_p dividing p-1, and a number k_q dividing q-1, p, q being elements of the key; k_p, k_q are stored in another calculation register of the working memory 8.
  • k_p can be modified each time the algorithm is implemented or else can be kept constant.
  • the size of k_p is immaterial, but necessarily smaller than the size of p-1.
  • the central unit also chooses two random numbers r_p, r_q and stores them in two other calculation registers of the working memory.
  • r_p, r_q are preferably modified each time the algorithm is implemented.
  • the size of the numbers r_p, r_q is generally a compromise between, on the one hand, the size of the memory 8 in which they are stored and the calculation times (which increase with the size of the numbers r_p, r_q) and, on the other hand, the security of the algorithm (which also increases with the size of the numbers r_p, r_q).
  • the central unit stores the variables d_p*, a_p, d_q*, a_q in registers of the working memory. Thereafter, the intermediate variables obtained throughout the calculation are also stored in a portion of the working memory 8.
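The definitions above describe the masking parameter R / K (with K dividing φ(X)), the split of the exponent into an integer-part quotient and a remainder (the stored d_p*, a_p), and the CRT recombination that the CRT attack targets, but the page does not give the full formula. The following Python is an added example, not code from the patent or from Gemplus: it implements one reading of those definitions that is consistent with them, namely d = k·d* + a, the masked exponent d* + (r/k)·(p−1), and unmasking by raising the result to the k-th power and multiplying by m^a. The toy primes, the public exponent E = 17, the divisors K_P = 1024 and K_Q = 1280, and the function names are all constructed for the example; the text itself specifies 512-bit p, q and a 32-bit R.

```python
import random

# Constructed toy parameters for the example; the text specifies 512-bit p, q.
P = 65537                     # prime, P - 1 = 2**16
Q = 40961                     # prime, Q - 1 = 2**13 * 5
E = 17                        # public exponent (assumed for this example)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: E * D = 1 mod phi(N)
K_P, K_Q = 1024, 1280         # constructed divisors of P - 1 and Q - 1


def garner_recombine(sp, sq, p, q):
    """CRT recombination s = s_p + p * Y with Y = i_p * (s_q - s_p) mod q.

    This is the step whose top bits the text relates to the product p * Y;
    the randomised exponents below are what the method changes on each run.
    """
    ip = pow(p, -1, q)            # i_p = p^-1 mod q
    y = ((sq - sp) * ip) % q
    return sp + p * y             # already < p * q, no final reduction needed


def masked_exponent(d, k, r, phi):
    """Mask d with the fractional parameter r/k, given that k divides phi.

    Splits d = k * d_star + a and returns (d_star + (r/k) * phi, a).
    The mask (r/k) * phi is an integer exactly because k divides phi.
    """
    if phi % k:
        raise ValueError("k must divide phi")
    d_star, a = divmod(d, k)
    return d_star + (r * phi) // k, a


def masked_pow_mod_prime(m, d, p, k, r):
    """m^d mod p computed through the masked exponent, then unmasked.

    Unmasking is this example's reading of the text: (m^d_masked)^k equals
    m^(k*d_star + r*(p-1)) = m^(k*d_star) mod p by Fermat's little theorem,
    and multiplying by m^a restores m^(k*d_star + a) = m^d.
    """
    d_masked, a = masked_exponent(d, k, r, p - 1)
    t = pow(m, d_masked, p)
    return (pow(t, k, p) * pow(m, a, p)) % p


def crt_sign_plain(m, d=D, p=P, q=Q):
    """Reference CRT-RSA signature without masking (for comparison only)."""
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    return garner_recombine(sp, sq, p, q)


def crt_sign_masked(m, d=D, p=P, q=Q, kp=K_P, kq=K_Q, seed=None):
    """CRT-RSA signature with d_p, d_q masked by fresh r_p/k_p and r_q/k_q.

    seed=None draws r_p, r_q from the OS RNG (as a card would use its TRNG);
    an explicit seed only makes a run repeatable for testing.
    """
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    rp, rq = rng.getrandbits(32), rng.getrandbits(32)   # 32-bit R as in the text
    sp = masked_pow_mod_prime(m, d % (p - 1), p, kp, rp)
    sq = masked_pow_mod_prime(m, d % (q - 1), q, kq, rq)
    return garner_recombine(sp, sq, p, q)


if __name__ == "__main__":
    msg = 123456789
    sig = crt_sign_masked(msg)
    print(sig, pow(sig, E, N) == msg, sig == crt_sign_plain(msg))
```

Each call to crt_sign_masked uses a different exponent for the two modular exponentiations while producing the same signature as the unmasked reference, which is the property the definitions ask for; the unmasked remainder a_p is smaller than k_p and does not change between runs, so the exponent of the final small correction carries no per-run randomness.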


Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0110671 2001-08-10
FR0110671A FR2828608B1 (fr) 2001-08-10 2001-08-10 Procede securise de realisation d'une operation d'exponentiation modulaire
PCT/FR2002/002771 WO2003014916A1 (fr) 2001-08-10 2002-07-31 Procede securise de realisation d'une operation d'exponentiation modulaire

Publications (1)

Publication Number Publication Date
EP1419434A1 true EP1419434A1 (de) 2004-05-19

Family

ID=8866432

Family Applications (1)

Application Number Title Priority Date Filing Date
EP02772476A Withdrawn EP1419434A1 (de) 2001-08-10 2002-07-31 Gesichertes verfahren zum realisieren einer modularen potentierungsoperation

Country Status (5)

Country Link
US (1) US20040184604A1 (de)
EP (1) EP1419434A1 (de)
CN (1) CN1568457A (de)
FR (1) FR2828608B1 (de)
WO (1) WO2003014916A1 (de)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2847402B1 (fr) * 2002-11-15 2005-02-18 Gemplus Card Int Procede de division entiere securise contre les attaques a canaux caches
TW586086B (en) * 2002-12-27 2004-05-01 Ind Tech Res Inst Method and apparatus for protecting public key schemes from timing, power and fault attacks
DE10341096A1 (de) * 2003-09-05 2005-03-31 Giesecke & Devrient Gmbh Übergang zwischen maskierten Repräsentationen eines Wertes bei kryptographischen Berechnungen
WO2005048008A2 (en) 2003-11-16 2005-05-26 M-Systems Flash Disk Pioneers Ltd. Enhanced natural montgomery exponent masking
KR100652377B1 (ko) * 2004-08-06 2007-02-28 삼성전자주식회사 모듈라 지수승 알고리즘, 기록매체 및 시스템
DE102004061312B4 (de) * 2004-12-20 2007-10-25 Infineon Technologies Ag Vorrichtung und Verfahren zum Detektieren eines potentiellen Angriffs auf eine kryptographische Berechnung
FR2884004B1 (fr) 2005-03-30 2007-06-29 Oberthur Card Syst Sa Procede de traitement de donnees impliquant une exponentiation modulaire et un dispositif associe
EP1920324A1 (de) * 2005-08-19 2008-05-14 Nxp B.V. Schaltungsanordnung und verfahren zur durchführung eines inversionsablaufs in einer kryptografischen berechnung
EP1920325A2 (de) * 2005-08-19 2008-05-14 Nxp B.V. Schaltungsanordnung und verfahren zur durchführung eines ablaufs, insbesondere eine kryptografische berechnung
US8280041B2 (en) * 2007-03-12 2012-10-02 Inside Secure Chinese remainder theorem-based computation method for cryptosystems
KR101383690B1 (ko) * 2008-12-10 2014-04-09 한국전자통신연구원 안전한 멀티캐스트 통신을 위한 그룹키 관리방법

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5991415A (en) * 1997-05-12 1999-11-23 Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science Method and apparatus for protecting public key schemes from timing and fault attacks
DE19963408A1 (de) * 1999-12-28 2001-08-30 Giesecke & Devrient Gmbh Tragbarer Datenträger mit Zugriffsschutz durch Schlüsselteilung

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO03014916A1 *

Also Published As

Publication number Publication date
WO2003014916A1 (fr) 2003-02-20
FR2828608A1 (fr) 2003-02-14
FR2828608B1 (fr) 2004-03-05
CN1568457A (zh) 2005-01-19
US20040184604A1 (en) 2004-09-23

Similar Documents

Publication Publication Date Title
EP2031792B1 (de) Gesicherte modulare Exponentiation mit Verlustminimierung für Smart-Cards und andere Kryptosysteme
US7065788B2 (en) Encryption operating apparatus and method having side-channel attack resistance
EP1166494A1 (de) Gegenmassnahmen in einem elektronischen baustein zur ausführung eines krypto-algorithmus mit auf elliptischen kurven basierendem öffentlichem schlüssel
EP2296086B1 (de) Seitenkanalangriffsresistente Erzeugung von Primzahlen
WO2003014916A1 (fr) Procede securise de realisation d'une operation d'exponentiation modulaire
JP2004304800A (ja) データ処理装置におけるサイドチャネル攻撃防止
JP2004512570A (ja) 非安全な暗号加速器を用いる方法と装置
EP1421473B1 (de) Universelles berechnungsverfahren für punkte auf einer elliptischen kurve
US8233615B2 (en) Modular reduction using a special form of the modulus
US20090122980A1 (en) Cryptographic Method for Securely Implementing an Exponentiation, and an Associated Component
US7123717B1 (en) Countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm
WO2007104706A1 (fr) Procede de securisation d'un calcul d'une exponentiation ou d'une multiplication par un scalaire dans un dispositif electronique
WO2006067057A1 (fr) Procede d'exponentiation securisee et compacte pour la cryptographie
WO2003055134A9 (fr) Procede cryptographique permettant de repartir la charge entre plusieurs entites et dispositifs pour mettre en oeuvre ce procede
WO1998051038A1 (fr) Generateur pseudo-aleatoire base sur une fonction de hachage pour systemes cryptographiques necessitant le tirage d'aleas
FR2842052A1 (fr) Procede et dispositifs cryptographiques permettant d'alleger les calculs au cours de transactions
WO2004017193A2 (fr) Procede de calcul universel applique a des points d'une courbe elliptique
FR2818846A1 (fr) Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie
EP2738974A1 (de) Verfahren zur Ableitung von multiplen kryptografischen Schlüsseln von einem Hauptschlüssel in einem Sicherheitsmikroprozessor
WO2002082257A1 (fr) Dispositif destine a realiser des calculs d'exponentiation securisee et utilisation d'un tel dispositif
FR2829646A1 (fr) Procede securise de mise en oeuvre d'un algorithme de cryptographie et composant correspondant
FR2864649A1 (fr) Circuit de calcul d'inverse, procede de calcul d'inverse et support d'enregistrement contenant un code de programme lisible par ordinateur
AU2002348963A1 (en) Device and method with reduced information leakage

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20040310

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LI LU MC NL PT SE SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

17Q First examination report despatched

Effective date: 20041124

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20060210