EP1590731A2 - Exponentiation modulaire au moyen d'un exposant randomise - Google Patents

Exponentiation modulaire au moyen d'un exposant randomise

Info

Publication number
EP1590731A2
EP1590731A2 EP04704224A EP04704224A EP1590731A2 EP 1590731 A2 EP1590731 A2 EP 1590731A2 EP 04704224 A EP04704224 A EP 04704224A EP 04704224 A EP04704224 A EP 04704224A EP 1590731 A2 EP1590731 A2 EP 1590731A2
Authority
EP
European Patent Office
Prior art keywords
key
module
randomization
modular exponentiation
result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP04704224A
Other languages
German (de)
English (en)
Inventor
Wieland Fischer
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Infineon Technologies AG
Original Assignee
Infineon Technologies AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Infineon Technologies AG filed Critical Infineon Technologies AG
Publication of EP1590731A2 publication Critical patent/EP1590731A2/fr
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/723Modular exponentiation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219Countermeasures against side channel or fault attacks
    • G06F2207/7223Randomisation as countermeasure against side channel attacks
    • G06F2207/7257Random modification not requiring correction
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08Randomization, e.g. dummy operations or using noise

Definitions

  • the present invention relates to cryptographic systems and in particular to devices and methods for determining a result of a modular exponentiation within a cryptosystem.
  • the RSA algorithm is illustrated in FIG. 6, as described in the "Handbook of Applied Cryptography" by Menezes, van Oorschot, Vanstone, CRC Press, 1996, chapter 11.3.
  • An entity A signs one to execute the digital signature 60 Message m. This allows each entity B to verify the signature of entity A and retrieve the message m from the signature.
  • the entity A for the signature calculates the modular exponentiation with the base m, with the secret key d and the module N according to the equation shown in block 60.
  • the secret key d includes a public key e, which is required by an entity B for verification, as shown at 62 in FIG. 6.
  • the entity B takes the public key e belonging to d as an exponent and exposes that of the Entity A generates signature S with the public key. After a final reduction with respect to module N, a verified message is obtained. If entity B was aware of the unsigned message, it can use a comparison of m 'and determine whether the signature S actually came from entity A or not.
  • the entity B can determine whether the private key d used for the signature actually belongs to the public key e. If the entity B knows for other reasons that the entity A is authentic, then the verification, ie the modular exponentiation of the signature with the public key as the exponent, immediately gives the message m, since the second condition at 62 in FIG. 6 then surely is fulfilled.
  • the secret key of the RSA algorithm consists of the pair (d, N).
  • the public key consists of the pair (e, N).
  • the module is typically known, so the only secret information is the exponent d. It is also known that the product of d and e satisfies the following equation:
  • ⁇ (N) is the well-known Carmichael function.
  • the randomized exponent cannot be arbitrary. Therefore, wise a multiple of the Carmichael function ⁇ (N) is required for the randomization of the exponent. As a rule, however, this is not the case.
  • CTR Chinese residual sentence
  • Garner's algorithm a special version of the CRT is used, which is known as Garner's algorithm.
  • the Chinese remainder theorem is used to attribute the entire exponentiation to two exponentiations modulo p and q.
  • the Chinese remainder theorem is particularly interesting because the two exponentiations are performed with exponents that are only half the length of the original exponent (d or e). It is disadvantageous, however, that the Chinese remainder theorem can only be used if additional parameters p, q are present, the product of p and q resulting in the module N.
  • An alternative randomization consists in dividing the exponent to be randomized into two exponents. This has the advantage that you do not need any additional information. On the other hand, there is a disadvantage that the calculation takes twice as much time as the other described alternatives which use the Euler Phi function or the Carmichael ⁇ function.
  • the object of the present invention is a
  • the present invention is based on the knowledge that for the randomization of the exponent the product of the public and private key is less the value "1" than exd-1, is always a multiple of the Carmichael function ⁇ (N) and is therefore used for randomization It should be noted that there is only knowledge that the expression exd - 1 is a multiple of the Carmichael function, but it is not known which The expression exd - 1 is multiple. However, this knowledge is not required to randomize the exponent.
  • An advantage of the randomization auxiliary number according to the invention, as the expression exd-1 is referred to below, is that only known quantities, namely the public and the private key, are required to calculate this expression.
  • Figure 2 shows a sequence of steps in accordance with a preferred embodiment of the present invention for the concept of Figure 1;
  • FIG. 4 shows a more detailed illustration of the device for modular exponentiation with a first and / or second partial key
  • FIG. 5a shows a detailed implementation of the modular exponentiation with the first partial key according to FIG. 3;
  • 5c shows a detailed implementation of the device for combining the results according to the Chinese remainder of FIG. 3;
  • FIG. 6 shows an overview diagram for explaining a known signature algorithm and a known verification algorithm.
  • 1 shows a schematic block diagram of a device for determining a result of a modular exponentiation within a cryptosystem with a first and an associated second key.
  • the device comprises an input device in which cryptographic parameters m, e, d and N are provided.
  • the input stage is designated by 10 in FIG. 1.
  • m represents the message to be signed, for example.
  • E represents the first key, which is also referred to below as the public key
  • d represents the second key of the cryptosystem, which is also referred to below as the secret key.
  • N represents the module with respect to which the modular exponentiation is to be carried out.
  • the module N can be formed from a product of the two numbers p and q, as is known from the RSA algorithm.
  • these two auxiliary numbers p and q are not required for the concept shown in FIG. 1. The entire calculation can only take place using the input parameters m, e, d and N.
  • the input stage 10 shows a device 12 for calculating a randomization auxiliary number based on the product of the first key e and the second key d less the number “1 ⁇ .
  • the device 12 for calculating a randomization auxiliary number based on the product of the first key e and the second key d less the number “1 ⁇ .
  • Randomization auxiliary number exactly the expression exd - 1.
  • a multiple of this expression could also be used, although it must be ensured here that this multiple of the expression exd - 1 can also be used at the same time in order to be able to be used as a randomization auxiliary number is a multiple of the Carmichael ⁇ function.
  • the means 14 for obtaining preferably combines the product of the random number and the randomization auxiliary number with the exponent d in an additive manner.
  • a randomized exponent then exists at the output of the device 14.
  • a device 16 for calculating the modular exponentiation then works in order to obtain the result S of the modular exponentiation, which can typically be a digital signature.
  • an output stage 18 is provided in order to output the signature in any form, for example graphically, binary or in some other way.
  • Fig. 2 The algorithm shown in Fig. 2 is shown below as a sequence of steps, although it can equally well be interpreted as a collection of different devices.
  • the data m, e, d and N are provided.
  • the randomization auxiliary number exd - 1 is first calculated and into that Register X written.
  • a random number with a length which is preferably between 16 and 32 bits, is then selected and written into the register R.
  • the content of register X is then multiplied by the content of register R, the result of this multiplication being written into register X again.
  • the randomization of the exponent is carried out, as is shown at 14 in FIG. 1.
  • a random number with a length of preferably between 16 or 32 bits is again selected and written into the register R.
  • the content of the register R is then multiplied by the module N in a step 26, the message m to be signed being added to the result of this multiplication.
  • Step 26 thus represents the additional randomization of the value to be processed, that is to say the message to be signed, in order to achieve additional security.
  • a random number with the length, for example, between 16 or 32 bits is then again selected and written into the register R.
  • a module randomization is then carried out in that the module N is multiplied by the random number just selected, which is in the register R. The result of this multiplication is written into a register N '.
  • a modular exponentiation is then carried out in a step 29, the content of the register m, which corresponds to the randomized message, being used as the basis, the content of the register D, which contains the randomized exponent, being used as the exponent, and the Contents of register N ', which contains the randomized module, as module of the module laren exponentiation is used in step 29.
  • the result of this modular exponentiation is written into the register S.
  • the content of the register S of a modular reduction is then carried out using the module provided in the input step 20 in order to finally obtain the result sought, which is written into the register S.
  • the content of the register S is then output, which is equal to the modular exponentiation, which would also be obtained on the basis of the non-randomized parameters provided in the input step 20.
  • a total of three randomizations are used, namely the randomization of the module using the randomization auxiliary number exd-1 (step 24), the randomization of the message in step 26 and the randomization of the module in step 28
  • the exponent can also be randomized using the randomization auxiliary number according to the invention alone, combined with the randomization of the message m to be signed and / or combined with the randomization of the module N.
  • the randomized exponent due to the addition of the expression R x (exd-1) in block 14 of FIG. 1 is a larger number than the originally used exponent d (or in principle also e).
  • R x (exd-1) is a larger number than the originally used exponent d (or in principle also e).
  • the keys can already assume considerable sizes anyway, for example 1024 or 2048 binary digits, it is preferred to use a comparatively small number as the randomization number R.
  • a random number that is too small would nullify the effect of randomization. It is therefore preferred to use a random number for the randomization of the exponent that is greater than or equal to 8 bits and less than or equal to 128 bits.
  • a length of the random number between 16 and 32 inclusive is preferably used, as shown in FIG. 2 is.
  • random numbers selected in steps 22, 25 and 27 it should also be pointed out that they do not necessarily have to have the same length in each step.
  • the random numbers selected in steps 25 and 27 can be smaller or larger, with smaller random numbers overall helping to reduce the computational effort, but a minimum size of the random number should be adhered to in order not to limit the concept of randomization as a whole To ask question.
  • the random numbers selected in steps 25 and 27 should therefore also have a length that is greater than or equal to 8 bits.
  • FIG. 3 shows a basic block diagram of the concept according to the invention, but now using the Chinese see residual CRT.
  • An input stage 100 represents cryptographic input parameters which, however, now that the Chinese remainder sentence is to be used, comprise more input parameters than in the exemplary embodiment shown in FIG. 1.
  • the message m to be signed, the public key e, a first private subkey dp, a second private subkey d q , the numbers p, q and the parameter q ⁇ nv are provided.
  • Fig. 3 it is shown how the numbers d p , d q and q ⁇ nv can be calculated from the quantities d, p and q.
  • the input stage 100 feeds a device 102 for performing a first modular exponentiation (102a) using a first partial key d p derived from the first key d in order to obtain a first intermediate result, and for performing a second modular exponentiation (102b) Use of a second partial key d q derived from the first key in order to obtain a second intermediate result.
  • the functionality of the device for performing using the first partial key dp is designated in FIG. 3 with 102a, while the functionality of the device for performing the modular exponentiation with the second partial key d q is labeled 102b.
  • the two devices 102a and 102b together form a device 102 for carrying out the first and the second modular exponentiation using the respective partial keys d p and d q .
  • Block 102a provides a first intermediate result S p as an output signal.
  • the block 102b delivers a second intermediate result S q as a result.
  • the two intermediate results S p and S q are combined in a device 104 according to the Chinese remainder theorem and particularly preferably according to the Garner algorithm, in order to finally output the result of the modular exponentiation, such as a signature, in the form of the parameter S. as illustrated by block 106 in FIG. 3.
  • block 102 comprises means 110 for calculating the randomization auxiliary number on the basis of the expression exd p - 1.
  • block 102b contains the block 102b, a means for calculating the randomization auxiliary number on the basis of the expression exd q - 1.
  • the Downstream of device 110 is a device 112 which receives a random number and then calculates the randomized exponent, either on the basis of the equation d p + R x (exd p - 1) for block 102a or on the basis of equation d q + R x (exd q - 1) for device 102b, where R is the random number obtained by block 112 in FIG. 4.
  • a first step 120 the randomization auxiliary number ex dp - 1 is calculated and stored in the register X.
  • a random number is selected and stored in the register R.
  • the content of register X and the content of register R are multiplied by one another, the result of this multiplication being stored again in register X.
  • the actual randomization of the exponent namely the first partial key d p derived from the private key, is carried out in a step 126, this result being stored in the register D.
  • a random number is selected again and stored in the register R.
  • a step 130 the message is now randomly 2, but now instead of the module N from FIG. 2 with the first auxiliary module p in FIG. 5a.
  • a random number is then selected again in a step 132 and multiplied by the auxiliary module p in a step 134.
  • This now randomized auxiliary module which is stored in the register p ', is used in a step 136 for the modular exponentiation shown in FIG. 5a, step 136.
  • the intermediate result written in the register S p in step 136 is then reduced with respect to the original auxiliary module p in order to obtain the first intermediate result S p .
  • FIG. 5b shows the analog steps of modular exposure with a second partial key according to block 102b of FIG. 3, the steps shown in FIG. 5b in principle proceeding exactly like the corresponding steps of FIG. 5a, but instead of the first partial key d p of FIG. 5 in Fig. 5b of the second partial key is made d q, and wherein instead of the first auxiliary module p in Fig. 5 in Fig. 5b of the second auxiliary module is used q.
  • the random numbers selected in FIGS. 5a and 5b can be independent of one another. Alternatively, however, the same random number could also be read out from a random number register in each corresponding step. In this respect, the same boundary conditions apply to the random numbers as have been explained with reference to FIG. 2.
  • Fig. 5c represents those designated by 104 in Fig. 3
  • Combination device implemented implementation to get the result from the first intermediate result S p and the second intermediate result S q, for example in the form of the signature S.
  • the concept according to the invention is that - if the CRT is not used - a randomization of the expon- In principle - without additional input parameters - the minimum private RSA data record can be created, which consists of the module N, the public key e and the private key d. Randomization can thus always be carried out, regardless of whether a security protocol provides an Euler Phi function, a Carmichael ⁇ function or something similar or not.
  • the functionality required for the calculation of the randomization auxiliary number in the form of a multiplication and an addition is on any conventional crypto chip, such as. B. in the form of a cryptocoproprocessor.
  • the randomization is performance-neutral. In other words, this means that there is no significant increase in the computing effort or the computing time, while at the same time a considerable degree of security is gained, which is scalable with respect to the length of the random number.
  • the method according to the invention for determining a result of a modular exponentiation can be implemented in hardware or in software.
  • the implementation can take place on a digital storage medium, in particular a floppy disk or CD with electronically readable control signals, which can cooperate with a programmable computer system in such a way that the corresponding method is carried out.
  • the invention thus also consists in a computer program product with a program code stored on a machine-readable carrier for carrying out the method according to the invention when the computer program product runs on a computer.
  • the invention thus also represents a computer program with a program code for carrying out the method when the computer program runs on a computer. LIST OF REFERENCE NUMBERS

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Computational Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)
  • Signal Processing For Digital Recording And Reproducing (AREA)

Abstract

Selon l'invention, pour déterminer un résultat d'une exponentiation modulaire, un nombre auxiliaire de randomisation reposant sur le produit de la clé publique et de la clé privée est défini sur une valeur inférieure à "1" pour randomiser l'exposant. Ce nombre auxiliaire de randomisation peut être dérivé de l'ensemble de données RSA privées sans fonctionnalités spéciales. Une randomisation de l'exposant peut ainsi être effectuée sans moyens complexes de façon universelle pour chaque protocole de sécurité pour réaliser une signature numérique sûre vis-à-vis des attaques externes.
EP04704224A 2003-02-04 2004-01-22 Exponentiation modulaire au moyen d'un exposant randomise Ceased EP1590731A2 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE10304451A DE10304451B3 (de) 2003-02-04 2003-02-04 Modulare Exponentiation mit randomisiertem Exponenten
DE10304451 2003-02-04
PCT/EP2004/000522 WO2004070497A2 (fr) 2003-02-04 2004-01-22 Exponentiation modulaire au moyen d'un exposant randomise

Publications (1)

Publication Number Publication Date
EP1590731A2 true EP1590731A2 (fr) 2005-11-02

Family

ID=32797314

Family Applications (1)

Application Number Title Priority Date Filing Date
EP04704224A Ceased EP1590731A2 (fr) 2003-02-04 2004-01-22 Exponentiation modulaire au moyen d'un exposant randomise

Country Status (5)

Country Link
US (1) US7908641B2 (fr)
EP (1) EP1590731A2 (fr)
KR (1) KR100731387B1 (fr)
DE (1) DE10304451B3 (fr)
WO (1) WO2004070497A2 (fr)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1939838A1 (fr) * 2005-10-19 2008-07-02 Matsushita Electric Industrial Co., Ltd. Dispositif et procede de securite des informations, programme informatique, support d enregistrement lisible sur ordinateur et circuit integre
EP1840732A1 (fr) * 2006-03-31 2007-10-03 Axalto SA Protection contre les attaques latérales de la chaîne
US8670557B2 (en) * 2007-09-10 2014-03-11 Spansion Llc Cryptographic system with modular randomization of exponentiation
KR100953716B1 (ko) * 2008-02-28 2010-04-19 고려대학교 산학협력단 Crt-rsa 기반의 비트 연산을 이용한 디지털 서명방법, 그 장치 및 이를 기록한 기록 매체
EP2669789A3 (fr) * 2008-05-07 2014-06-25 Irdeto Corporate B.V. Obscurcissement d'exposant
KR101334040B1 (ko) * 2010-01-20 2013-11-28 한국전자통신연구원 대칭키 암호화 시스템의 마스킹 연산 방법 및 장치
DE102010039273B4 (de) * 2010-08-12 2014-12-04 Infineon Technologies Ag Kryptographie-Prozessor, Chipkarte und Verfahren zur Berechnung eines Ergebnisses einer Exponentiation
KR101344402B1 (ko) * 2010-08-12 2013-12-26 한국전자통신연구원 Rsa 서명 방법 및 장치
FR3010210B1 (fr) * 2013-08-29 2017-01-13 Stmicroelectronics Rousset Protection d'un calcul contre des attaques par canaux caches
WO2015088525A1 (fr) * 2013-12-12 2015-06-18 Empire Technology Development, Llc Randomisation de temporisation de sous-unités de processeur à des fins d'amélioration de la sécurité
US9444623B2 (en) * 2013-12-20 2016-09-13 Cryptography Research, Inc. Modular exponentiation optimization for cryptographic systems
KR101604009B1 (ko) 2014-05-12 2016-03-17 주식회사 키페어 공인인증을 위한 보안 토큰 및 그 구동 방법
US10181944B2 (en) 2015-06-16 2019-01-15 The Athena Group, Inc. Minimizing information leakage during modular exponentiation and elliptic curve point multiplication
US10367637B2 (en) * 2016-07-22 2019-07-30 Qualcomm Incorporated Modular exponentiation with transparent side channel attack countermeasures
US11902420B2 (en) * 2021-11-23 2024-02-13 Theon Technology Llc Partial cryptographic key transport using one-time pad encryption

Family Cites Families (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4611307A (en) * 1964-06-26 1986-09-09 Hewlett-Packard Company Function analyzing
US4499551A (en) * 1982-09-27 1985-02-12 At&T Bell Laboratories Rapid generation of discrete random variates from general distributions
US5046094A (en) * 1989-02-02 1991-09-03 Kabushiki Kaisha Toshiba Server-aided computation method and distributed information processing unit
US5208490A (en) 1991-04-12 1993-05-04 Hewlett-Packard Company Functionally complete family of self-timed dynamic logic circuits
US5369708A (en) * 1992-03-31 1994-11-29 Kabushiki Kaisha Toshiba Fast server-aided computation system and method for modular exponentiation without revealing client's secret to auxiliary device
WO1997039410A1 (fr) * 1996-04-02 1997-10-23 The Regents Of The University Of California Integration de donnees
US6282290B1 (en) * 1997-03-28 2001-08-28 Mykotronx, Inc. High speed modular exponentiator
US5991415A (en) * 1997-05-12 1999-11-23 Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science Method and apparatus for protecting public key schemes from timing and fault attacks
EP1050133B2 (fr) * 1998-01-02 2009-05-27 Cryptography Research Inc. Procede et appareil cryptographiques resistant aux fuites
US6957341B2 (en) * 1998-05-14 2005-10-18 Purdue Research Foundation Method and system for secure computational outsourcing and disguise
DE19828936A1 (de) * 1998-05-29 1999-12-02 Siemens Ag Verfahren und Vorrichtung zum Verarbeiten von Daten
FR2780177B1 (fr) * 1998-06-17 2001-10-05 Schlumberger Ind Sa Systeme de protection d'un logiciel
EP1096443B1 (fr) * 1998-07-02 2008-07-16 Sharp Kabushiki Kaisha Dispositif de gestion du droit d'auteur, dispositif de vente de produits electroniques, dispositif d'affichage de livres electroniques, dispositif de gestion d'informations codees, et systeme de gestion de la distribution de produits electroniques, dans lequel ces dispositifs sont relies par des lig
RU2153191C2 (ru) * 1998-09-29 2000-07-20 Закрытое акционерное общество "Алкорсофт" Способ изготовления вслепую цифровой rsa-подписи и устройство для его реализации (варианты)
US6298135B1 (en) * 1999-04-29 2001-10-02 Motorola, Inc. Method of preventing power analysis attacks on microelectronic assemblies
US6928163B1 (en) * 1999-07-20 2005-08-09 International Business Machines Corporation Methods, systems and computer program products for generating user-dependent RSA values without storing seeds
US6886098B1 (en) * 1999-08-13 2005-04-26 Microsoft Corporation Systems and methods for compression of key sets having multiple keys
JP2001117823A (ja) * 1999-10-15 2001-04-27 Fuji Xerox Co Ltd アクセス資格認証機能付きデータ記憶装置
FR2800478B1 (fr) * 1999-10-28 2001-11-30 Bull Cp8 Procede de securisation d'un ensemble electronique de cryptographie a base d'exponentiation modulaire contre les attaques par analyse physique
DE10042234C2 (de) * 2000-08-28 2002-06-20 Infineon Technologies Ag Verfahren und Vorrichtung zum Durchführen einer modularen Exponentiation in einem kryptographischen Prozessor
US6914983B2 (en) * 2000-12-19 2005-07-05 International Business Machines Corporation Method for checking modular multiplication
JP4199937B2 (ja) * 2001-03-06 2008-12-24 株式会社日立製作所 耐タンパー暗号処理方法
DE10143728B4 (de) * 2001-09-06 2004-09-02 Infineon Technologies Ag Vorrichtung und Verfahren zum Berechnen eines Ergebnisses einer modularen Exponentiation
JP3896047B2 (ja) * 2002-07-26 2007-03-22 株式会社豊田中央研究所 モータ駆動制御装置
EP1467512B1 (fr) * 2003-04-07 2008-07-23 STMicroelectronics S.r.l. Procédé de chiffrage utilisant un mappage chaotique et procédé de signature électronique

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2004070497A2 *

Also Published As

Publication number Publication date
US7908641B2 (en) 2011-03-15
WO2004070497A3 (fr) 2005-01-06
KR100731387B1 (ko) 2007-06-21
KR20050106416A (ko) 2005-11-09
DE10304451B3 (de) 2004-09-02
US20070064930A1 (en) 2007-03-22
WO2004070497A2 (fr) 2004-08-19

Similar Documents

Publication Publication Date Title
EP2742643B1 (fr) Dispositif et procédé de décryptage de données
DE10201449C1 (de) Rechenwerk, Verfahren zum Ausführen einer Operation mit einem verschlüsselten Operanden, Carry-Select-Addierer und Kryptographieprozessor
DE60223337T3 (de) Verfahren zur gesicherten verschlüsselung und baustein zur ausführung eines solchen verschlüsselungsverfahrens
DE60119620T2 (de) Verfahren zur Skalarmultiplikation auf einer elliptischen Kurve und entsprechende Vorrichtung
EP2901611B1 (fr) Masquage protégé contre l'attaque par observation
DE10304451B3 (de) Modulare Exponentiation mit randomisiertem Exponenten
EP3218894A1 (fr) Procédé pour tester et durcir des applications logicielles
EP2605445A1 (fr) Procédé et dispositif de sécurisation de chiffrement par blocs contre les attaques par templates
DE102005028662A1 (de) Verfahren und Vorrichtung zum Berechnen einer Polynom-Multiplikation, insbesondere für die elliptische Kurven-Kryptographie
DE102012202015A1 (de) Vorrichtung und verfahren zum berechnen eines ergebnisses einer skalarmultiplikation
DE102005037598A1 (de) Verfahren und System zur Sicherung von Daten
DE102010001289B4 (de) Vorrichtung zum Berechnen eines Ergebnisses einer Skalarmultiplikation
DE10143728A1 (de) Vorrichtung und Verfahren zum Berechnen eines Ergebnisses einer modularen Exponentiation
DE10024325B4 (de) Kryptographisches Verfahren und kryptographische Vorrichtung
DE102015104421A1 (de) Verfahren zum Verwenden eines Tokens in der Kryptographie
EP1987421B1 (fr) Procédé, dispositif et système de vérification de points déterminés sur une courbe elliptique
EP2641241B1 (fr) Procédé de division longue ou de réduction modulaire
WO2003034172A2 (fr) Procede et dispositif pour calculer le resultat d'une exponentiation
EP1442391A2 (fr) Procede et dispositif pour garantir un calcul dans un algorithme cryptographique
EP1454260A2 (fr) Procede et dispositif pour garantir un calcul d'exponentiation au moyen du theoreme des restes chinois (trc)
DE10042234C2 (de) Verfahren und Vorrichtung zum Durchführen einer modularen Exponentiation in einem kryptographischen Prozessor
DE10162496B4 (de) Verfahren und Vorrichtung zum Absichern einer Berechnung in einem kryptographischen Algorithmus
DE10201450B4 (de) Carry-Skip-Addierer für verschlüsselte Daten
DE102004001659B4 (de) Vorrichtung und Verfahren zum Konvertieren einer ersten Nachricht in eine zweite Nachricht
EP3633914A1 (fr) Procédé et système de traitement de données détectables à l'aide d'un obscurcissement

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20050711

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

DAX Request for extension of the european patent (deleted)
RBV Designated contracting states (corrected)

Designated state(s): DE FR

17Q First examination report despatched

Effective date: 20061123

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20080801