Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F7/38—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
  • G06F7/48—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
  • G06F7/52—Multiplying; Dividing
  • G06F7/535—Dividing only
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
  • G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/002—Countermeasures against attacks on cryptographic mechanisms
  • H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
  • H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
  • H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
  • G06F2207/7219—Countermeasures against side channel or fault attacks
  • G06F2207/7223—Randomisation as countermeasure against side channel attacks
  • G06F2207/7233—Masking, e.g. (A**e)+r mod n
  • G06F2207/7238—Operand masking, i.e. message blinding, e.g. (A+r)**e mod n; k.(P+R)
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
  • G06F2207/7219—Countermeasures against side channel or fault attacks
  • G06F2207/7223—Randomisation as countermeasure against side channel attacks
  • G06F2207/7257—Random modification not requiring correction
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/04—Masking or blinding

Definitions

• the invention relates to a whole division or modular reduction method secured against hidden channel attacks, and in particular differential attacks.
• the invention can be used to perform division operations in a more general cryptographic method, 1 for example a secret or public key cryptographic method.
• a 'cryptographic process ' can for example be implemented in electronic devices such as' smart cards.
• a and / or b are secret data, for example elements of a process key.
• Such cryptographic methods using an integer division method and / or a modular reduction method are susceptible to hidden channel attacks, as will be seen in the example below.
• a known method for implementing both an integer division and a modular reduction is the so-called "pencil paper” method.
• This process takes up in practice the method used when such an operation is carried out by hand. This process is recalled below.
• the method successively performs several divisions of an integer A of n + 1 bits by the integer b of n bits.
• the remainder r is a number of at most n bits since r ⁇ b.
• the quotient q is stored in the m-n + 1 least significant bits of the register initially containing the number a.
• the most significant bit of the rest r is stored in a 1 bit register used as carry (carry) during computation and the n-1 least significant bits of. rest r are stored in the n-1 most significant bits of the register initially containing the number a.
• ⁇ - and the notation y ⁇ - x are used to indicate the loading of the content of the register x into a register y whose content is also called y.
• t A is a word of n bits corresponding to the content of the n most significant bits of the register initially containing the data a.
• Register A is of course modified at each iteration, as is register
• -n ⁇ is the complement to 1 (also called negation) 10 ( of the variable ⁇ .
• TRUE is a constant, equal to 1 in an example.
• lsb (a) is the least significant bit of the number -a, also called least significant bit of a.
• ADD n (A, b) is an operation of adding the n bits of the number b to the n bits of the word A. Note that the operation SHL n (a, 1) is equivalent to the operation
• SUB n (A, b) is an operation of subtraction of the number b from the word A.
• the subtraction SUB n (A, b) is carried out by subtracting, in an appropriate circuit, the
• method 1 performs the following steps:
• Method 1 is sensitive to hidden channel attacks. Indeed, it is noted on method 1 that, at each iteration, according to the value of ⁇ , that is to say according to the value of the bit of quotient which will be obtained during the iteration in progress, one carries out ' is an addition ADD n (A, b), ie setting the least significant bit of the register containing the data a to 1.
• ADD n A, b
• the implementation and the duration of execution of these two operations are different and the trace that they leave during their implementation is also different.
• the overall trace left during an iteration varies' therefore based on the result bit obtained during said iteration.
• Other known methods having the same drawbacks carry out either a modular division alone or a modular reduction alone. In general, a division process is quite similar to a modular reduction process. .
• An object of the invention is to secure a method 5 of implementing a division and / or a modular reduction.
• the method is characterized in that the number a is masked by a random number -p before performing the whole division and / or the modular reduction.
• the trace for example, the energy consumption
• -20 ' left during the execution of the process is different with each execution, so that it is no longer possible to put implementing a differential hidden channel attack.
• the invention can be applied for example to method 1 which ' performs both a division and a
• the invention can be more generally applied to any process which performs one or other of these operations.
• the random number p can be modified each time the process is executed, or simply after a number
• said predefined number is preferably chosen to be relatively small, for example a number from 32 to 64 bits.
• the result of the whole division carried out. with. the number masked in the form a + b * p is equal to a div b + p.
• we remove from the result of the whole division the contribution made by the random number p to find the expected result of the whole division on the number a, i.e. a div b .
• the result of the operation (a + b * p) mod b is equal to a mod b, expected result of the modular reduction- on the number a. -
• the invention also relates to an electronic component comprising means for implementing a method according to the invention, as described above.
• Means of Calculation programmed include multiple registers for storing the numbers a and b.
• the invention relates to a smart card comprising a component having the characteristics described above.

Landscapes

• Engineering & Computer Science (AREA)
• Physics & Mathematics (AREA)
• Theoretical Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Mathematical Analysis (AREA)
• Computational Mathematics (AREA)
• Computing Systems (AREA)
• Mathematical Optimization (AREA)
• Pure & Applied Mathematics (AREA)
• Computer Security & Cryptography (AREA)
• Signal Processing (AREA)
• Computer Networks & Wireless Communication (AREA)
• General Engineering & Computer Science (AREA)
• Mathematical Physics (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (3)

Publications (1)

Family

ID=32338660

Family Applications (1)

Country Status (7)

Families Citing this family (9)

Family Cites Families (3)

• 2002
  • 2002-12-11 FR FR0215623A patent/FR2848753B1/fr not_active Expired - Fee Related
• 2003
  • 2003-12-11 AU AU2003296823A patent/AU2003296823A1/en not_active Abandoned
  • 2003-12-11 WO PCT/FR2003/003681 patent/WO2004055665A1/fr active Application Filing
  • 2003-12-11 US US10/537,300 patent/US7639796B2/en not_active Expired - Fee Related
  • 2003-12-11 CN CN200380105308.2A patent/CN1723436A/zh active Pending
  • 2003-12-11 JP JP2004559820A patent/JP4378480B2/ja not_active Expired - Lifetime
  • 2003-12-11 EP EP03813170A patent/EP1579312A1/fr not_active Withdrawn

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events