EP1530753A2 - Calculation method for cryptography using elliptic curves - Google Patents

Calculation method for cryptography using elliptic curves

Publication number
EP1530753A2
Authority
EP
European Patent Office
Prior art keywords
point
coordinates
curve
points
elliptical curve
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP03753669A
Other languages
English (en)
French (fr)
Inventor
Olivier Billet
Marc Joye
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gemplus SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gemplus Card International SA, Gemplus SA
Publication of EP1530753A2

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724 Finite field arithmetic
    • G06F7/725 Finite field arithmetic over elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Definitions

  • The present invention relates to a universal calculation method applied to points of an elliptic curve, and to an electronic component comprising means for implementing such a method.
  • The invention is particularly applicable to the implementation of public-key cryptographic algorithms, for example in smart cards.
  • Curves have special properties. For example, an elliptic curve having a point of order 2 has a cardinality divisible by 2. Likewise, an elliptic curve having a point of order three is a curve such that the cardinality of the group is divisible by 3. Curves having the same particular property are grouped in the same family.
  • A point on an elliptic curve can be represented by several types of coordinates, for example by affine coordinates or by projective Jacobi coordinates.
  • A commonly used model is the so-called Weierstrass model.
  • The Weierstrass model is very general, since any elliptic curve can be reduced to this model.
  • Each model can be used with different types of coordinates.
  • The Weierstrass model is defined as follows: the neutral point O (the point at infinity in the Weierstrass model) and the set of points satisfying $Y^2 = X^3 + aX + b$ (F1), with coefficients $a$, $b$ such that $4a^3 + 27b^2 \neq 0$, form the group of rational points of an elliptic curve $E$.
  • The point P can also be represented by projective Jacobi coordinates of the general form (U, V, W).
  • $V^2 = U^3 + aUW^4 + bW^6$ (F3)
  • Projective coordinates are particularly useful in exponentiation calculations applied to points on an elliptic curve, because they involve no inversion in the field.
  • The result of this scalar multiplication d×P1 is a point P2 of the elliptic curve.
  • The point P2 obtained is the public key, which is used to encrypt a message.
  • A simple or differential hidden-channel attack is understood to mean an attack based on a physical quantity measurable from outside the device, whose direct analysis (simple attack) or analysis by a statistical method (differential attack) reveals information contained and manipulated in processing in the device. These attacks can thus make it possible to discover confidential information. These attacks were notably disclosed in D1 (Paul Kocher, Joshua Jaffe and Benjamin Jun. Differential Power Analysis. Advances in Cryptology - CRYPTO'99, vol. 1666 of Lecture Notes in Computer Science, pp. 388-397. Springer-Verlag, 1999).
  • One object of the invention is to propose a solution for protection against hidden-channel attacks, in particular SPA attacks, that is more effective than the solutions already known.
  • Another object of the invention is to provide a solution that can be implemented in a circuit having little memory space, for example for a smart-card application.
  • The invention relates to a universal calculation method on points of an elliptic curve.
  • The elliptic curve is defined by a quartic equation, and identical programmed calculation means are used to carry out an operation of adding points, an operation of doubling points, and an operation of adding a neutral point, the calculation means comprising in particular a central unit associated with a memory.
  • The use of a model of the elliptic curve in the form of a quartic (that is to say, a polynomial of the 4th degree) makes it possible to use a single formulation for performing the point addition, point doubling and neutral point addition operations.
  • the invention also relates to the use of a
  • The invention also relates to an electronic component comprising programmed calculation means for implementing a universal calculation method as described above or a cryptographic method using the above universal calculation method.
  • The calculation means notably comprise a central unit associated with a memory.
  • The invention also relates to a smart card comprising the above electronic component.
  • Device 1 is a smart card intended to execute a cryptographic program. To this end, device 1 brings together in a chip programmed calculation means composed of a central unit 2 functionally connected to a set of memories including:
  • a memory 4 accessible in read-only mode, in the example of the mask ROM type (mask read-only memory); a memory 6 that is electrically reprogrammable, in the example of the EEPROM type (electrically erasable programmable ROM); and a working memory 8 accessible in read and write mode, in the example of the RAM type (random access memory).
  • This memory notably includes calculation registers used by device 1.
  • The executable code corresponding to the scalar multiplication algorithm is contained in program memory. In practice this code can be held in memory 4, which is read-only, and/or in memory 6, which is rewritable.
  • The central unit 2 is connected to a communication interface 10, which handles the exchange of signals with the outside and the power supply of the chip.
  • This interface can include pads on the card for a so-called “contact” connection with a reader, and/or an antenna in the case of a so-called “contactless” card.
  • One of the functions of device 1 is to encrypt or decrypt a confidential message m respectively transmitted to, or received from, the outside. This message can concern, for example, personal codes,
  • The central unit 2 executes a cryptographic algorithm on programming data stored in the mask ROM 4 and/or EEPROM 6 parts.
  • The algorithm used here is a public-key algorithm on an elliptic curve, in the framework of a model in the form of a quartic. We focus more precisely here on one part of this algorithm, which carries out the basic operations, that is to say addition operations: addition of two distinct points, of two identical points (i.e. an operation of doubling a point), of a point
  • Equation F13 can also be written in projective Jacobi coordinates:
  • $V^2 = bU^4 + aU^3W + UW^3$ (F14)
  • V3 (Ul 2 .V2 + u2 2 .Vl) * (4b. (U1.W2 + U2.W1) .W1.W2
  • $W_3 = (aU_1U_2 - W_1W_2)^2 - 4bU_1U_2(U_1W_2 + U_2W_1)$ (F17)
  • P2 can be different from P1, equal to P1 and/or equal to the neutral point O of the curve.
  • The addition operation is given in projective Jacobi coordinates.
  • V 2 ⁇ .X 4 - 2 ⁇ .U 2 X 2 + -W 4 ' (F20)
  • the central unit 2 then calculates the coordinates of the point P3 according to the relationships:
  • the coordinates (U3: V3: W3) of the point P3 are finally stored in registers of the working memory 8, to be used elsewhere, for example for the rest of the encryption algorithm.
  • V3 [(W1.W2) 2 + (U1.U2) 2 ]
  • Formulas F27 to F29 can be carried out as follows:
      r1 ← u1·u2
      r2 ← w1·w2
      r3 ← r1·r2
      r4 ← v1·v2
      r5 ← u1·w1 + v1
      r6 ← u2·w2 + v2
      u3 ← r5·r6 − r4 − r3
      w3 ← (r2 − r1)·(r2 + r1)
      r6 ← ⁇·r3
      r4 ← r4 − 2·r6
      r6 ← (r2 + r1)^2 − 2·r3
      r4 ← r4·r6
      r6 ← (u1 + w1)·(u2 + w2) − r1 − r2
      r5 ← r6^2 − 2·r3
      r6 ← r5·r3
      v3 ← r4 + 2·r6
    where u1, v1, w1, u2, v2, w2, u3, v3, w3 are calculation registers in which the projective coordinates of points P1, P2, P3 are stored, and r1 to r6 are temporary calculation registers.
  • the coordinates of the point P3 are obtained in a time equal to approximately 13 times the time to complete a
  • the invention is thus much less than the time for calculating the coordinates of P3 using a formulation such as those of the prior art.
  • P2 can be different from P1, equal to P1 and/or equal to the neutral point O of the curve.
  • The addition operation is given in this example in affine coordinates.
  • When the exponentiation calculation device is asked to perform an addition operation, the central unit 2 first stores in calculation registers the coordinates (X1, Y1) and (X2, Y2) of the points P1, P2 of the elliptic curve to be added.
  • Y3 ⁇ [l + ⁇ (Xl.X2) 2 ]. [Y1.Y2 - 2 ⁇ .Xl .X2] + 2 ⁇ .Xl .X2. (Xl 2 + X2 2 ) ⁇
  • the coordinates (X3, Y3) of the point P3 are finally stored in registers of the working memory 8, to be used elsewhere, for example for the rest of the encryption algorithm.
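
Added example, not part of the patent text: the register sequence given above for formulas F27 to F29, written as one Python routine that serves point addition, point doubling and neutral-point addition alike. Assumptions: the quartic is taken as V^2 = U^4 - 2*delta*U^2*W^2 + W^4 over GF(p) with neutral point (0 : 1 : 1), `delta` names the constant whose symbol did not survive on the page, and p = 11, delta = 2 are constructed toy parameters.

```python
P_MOD, DELTA = 11, 2      # constructed toy parameters (assumption)
NEUTRAL = (0, 1, 1)       # neutral point O as (U : V : W) (assumption)


def unified_add(p1, p2, delta=DELTA, p=P_MOD):
    """Same instruction sequence for P1 + P2, P + P and P + O."""
    u1, v1, w1 = p1
    u2, v2, w2 = p2
    r1 = u1 * u2 % p
    r2 = w1 * w2 % p
    r3 = r1 * r2 % p
    r4 = v1 * v2 % p
    r5 = (u1 * w1 + v1) % p
    r6 = (u2 * w2 + v2) % p
    u3 = (r5 * r6 - r4 - r3) % p
    w3 = (r2 - r1) * (r2 + r1) % p
    r6 = delta * r3 % p
    r4 = (r4 - 2 * r6) % p
    r6 = ((r2 + r1) ** 2 - 2 * r3) % p
    r4 = r4 * r6 % p
    r6 = ((u1 + w1) * (u2 + w2) - r1 - r2) % p
    r5 = (r6 * r6 - 2 * r3) % p
    r6 = r5 * r3 % p
    v3 = (r4 + 2 * r6) % p
    return (u3, v3, w3)


def on_curve(pt, delta=DELTA, p=P_MOD):
    """Check V^2 = U^4 - 2*delta*U^2*W^2 + W^4 (mod p)."""
    u, v, w = pt
    return (v * v - u**4 + 2 * delta * u * u * w * w - w**4) % p == 0


def same_point(a, b, p=P_MOD):
    """Equality up to scaling (U : V : W) ~ (t*U : t^2*V : t*W), for W != 0."""
    return ((a[0] * b[2] - b[0] * a[2]) % p == 0
            and (a[1] * b[2] ** 2 - b[1] * a[2] ** 2) % p == 0)


def affine_points(delta=DELTA, p=P_MOD):
    """Brute-force every point (x : y : 1) on the toy curve."""
    return [(x, y, 1) for x in range(p) for y in range(p)
            if on_curve((x, y, 1), delta, p)]


def scalar_mul(k, pt):
    """Left-to-right double-and-add; returns (k*pt, routine calls made)."""
    acc, calls = NEUTRAL, 0
    for bit in bin(k)[2:]:
        acc, calls = unified_add(acc, acc), calls + 1     # doubling
        if bit == "1":
            acc, calls = unified_add(acc, pt), calls + 1  # addition
    return acc, calls


if __name__ == "__main__":
    print("2*(2,1) =", unified_add((2, 1, 1), (2, 1, 1)))
    print("3*(2,1), calls =", scalar_mul(3, (2, 1, 1)))
```

Every step runs the identical routine, but the number of calls still depends on the set bits of the scalar, and Python integer arithmetic is not constant-time; the block models the formulas rather than a hardened implementation.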

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Computational Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Algebra (AREA)
  • Complex Calculations (AREA)
  • Cash Registers Or Receiving Machines (AREA)
EP03753669A 2002-08-09 2003-08-05 Calculation method for cryptography using elliptic curves Withdrawn EP1530753A2 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0210193A FR2843506B1 (fr) 2002-08-09 2002-08-09 Universal calculation method applied to points of an elliptic curve defined by a quartic, and associated cryptographic method and electronic component
FR0210193 2002-08-09
PCT/FR2003/002462 WO2004017193A2 (fr) 2002-08-09 2003-08-05 Universal calculation method applied to points of an elliptic curve

Publications (1)

Publication Number Publication Date
EP1530753A2 true EP1530753A2 (de) 2005-05-18

Family

ID=30471060

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03753669A Withdrawn EP1530753A2 (de) 2002-08-09 2003-08-05 Calculation method for cryptography using elliptic curves

Country Status (6)

Country Link
US (1) US20060056619A1 (de)
EP (1) EP1530753A2 (de)
JP (1) JP2005535927A (de)
AU (1) AU2003271831A1 (de)
FR (1) FR2843506B1 (de)
WO (1) WO2004017193A2 (de)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100530372B1 (ko) * 2003-12-20 2005-11-22 Samsung Electronics Co., Ltd. Elliptic curve encryption method capable of preventing side-channel attacks
US7991162B2 (en) * 2007-09-14 2011-08-02 University Of Ottawa Accelerating scalar multiplication on elliptic curve cryptosystems over prime fields
KR101549291B1 (ko) * 2012-10-25 2015-09-02 LG Display Co., Ltd. Display device
US11146397B2 (en) * 2017-10-31 2021-10-12 Micro Focus Llc Encoding abelian variety-based ciphertext with metadata
CN108875416B (zh) * 2018-06-22 2020-05-19 Beijing Smartchip Microelectronics Technology Co., Ltd. Elliptic curve multiple point operation method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6778666B1 (en) * 1999-03-15 2004-08-17 Lg Electronics Inc. Cryptographic method using construction of elliptic curve cryptosystem
FR2828779B1 (fr) * 2001-08-17 2004-01-16 Gemplus Card Int Universal calculation method applied to points of an elliptic curve

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
None *
See also references of WO2004017193A3 *

Also Published As

Publication number Publication date
AU2003271831A8 (en) 2004-03-03
FR2843506A1 (fr) 2004-02-13
JP2005535927A (ja) 2005-11-24
WO2004017193A3 (fr) 2004-05-06
AU2003271831A1 (en) 2004-03-03
FR2843506B1 (fr) 2004-10-29
US20060056619A1 (en) 2006-03-16
WO2004017193A2 (fr) 2004-02-26

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20050309

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20070104

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20070717