EP1639447A1 - Method for securing an electronic cryptography assembly based on modular exponentiation against physical analysis attacks - Google Patents
Method for securing an electronic cryptography assembly based on modular exponentiation against physical analysis attacks
- Publication number
- EP1639447A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- values
- modular exponentiation
- secret
- exponent
- attacks
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7233—Masking, e.g. (A**e)+r mod n
- G06F2207/7242—Exponent masking, i.e. key masking, e.g. A**(e+r) mod n; (k+r).P
Definitions
- The present invention relates to a method for securing an electronic assembly that implements an algorithm involving a modular exponentiation with a secret exponent. More precisely, the method aims to produce a version of such an algorithm that is not vulnerable to a certain type of physical attack, called differential power analysis or high-order differential power analysis (DPA or HO-DPA), which seeks to obtain information about the secret key by studying the power consumption of the electronic assembly while it executes the computation.
- DPA: Differential Power Analysis; HO-DPA: High-Order Differential Power Analysis.
- The cryptographic algorithms considered here use a secret key to compute output information as a function of input information; the operation may be encryption, decryption, signature, signature verification, authentication, non-repudiation or key exchange. They are constructed so that an attacker who knows the inputs and the outputs cannot, in practice, deduce any information about the secret key itself.
- Differential power analysis (DPA) is an attack that obtains information about the secret key held in the electronic assembly by statistically analysing power-consumption records taken over a large number of computations performed with that same key.
- The attacks called high-order differential power analysis (HO-DPA) generalize the DPA attack described above. They may use several different sources of information: besides power consumption, they may involve measurements of electromagnetic radiation, temperature, etc., apply more sophisticated statistical processing than a simple average, and target intermediate variables less elementary than a single bit or a single byte. They nevertheless rest on exactly the same fundamental hypothesis as DPA.
- The object of the present invention is to eliminate the risk of DPA or HO-DPA attacks on electronic cryptography systems with a secret or private key that use a modular exponentiation in which the exponent is secret.
- Another object of the present invention is therefore to modify the cryptographic computation carried out by the protected electronic cryptography systems so that the aforementioned fundamental hypothesis is no longer satisfied: no intermediate variable of the computation depends on an easily accessible subset of the secret or private key, and DPA or HO-DPA attacks are thereby rendered inoperative.
- RSA is the best known asymmetric cryptographic algorithm. It was developed by Rivest, Shamir and Adleman in 1978. For a more detailed description of this algorithm, refer to the following document:
- PKCS #1: RSA Encryption Standard, version 2, 1998, available at ftp://ftp.rsa.com/pub/pkcs/doc/pkcs-1v2.doc
- The RSA algorithm uses an integer n that is the product of two large prime numbers p and q, and an integer e coprime to lcm(p-1, q-1); the secret exponent d satisfies e·d ≡ 1 mod lcm(p-1, q-1).
- The integers n and e constitute the public key.
- In one aspect, the method of the present invention for securing an electronic assembly implementing a cryptographic computation that involves a modular exponentiation of a quantity (x) with a secret exponent (d) is characterized in that the secret exponent is decomposed into a plurality of k unpredictable values (d_1, d_2, ..., d_k) whose sum is equal to the secret exponent.
- The values (d_1, d_2, ..., d_k) are obtained as follows: a) (k-1) values are obtained by means of a random generator; b) the last value is obtained as the difference between the secret exponent and the sum of the (k-1) values.
- The modular exponentiation is then computed as follows: a) for each of the k values, the quantity (x) is raised to an exponent comprising that value, giving one result per value; b) the product of the results obtained in step a) is computed, so that x^{d_1} · x^{d_2} · ... · x^{d_k} mod n equals x^d mod n.
- At least one of the (k-1) values obtained by means of the random generator has a length greater than or equal to 64 bits.
- Example: n has a length of 1024 bits; d_1 has a length of 64 bits.
- Rabin's algorithm uses an integer n that is the product of two large prime numbers p and q, which further satisfy the following two conditions:
- The invention can be implemented in any electronic assembly that performs a cryptographic computation involving a modular exponentiation, in particular a smart card 8 according to the single figure.
- The chip comprises information processing means 9, connected on one side to a non-volatile memory 10 and to a volatile working memory (RAM) 11, and on the other side to means 12 for cooperating with an information processing device.
- The non-volatile memory 10 may comprise a non-modifiable part (ROM) and a modifiable part (EPROM, EEPROM, or RAM of the "flash" or FRAM type, the latter being a ferroelectric RAM), that is to say a memory having the characteristics of an EEPROM with access times identical to those of a conventional RAM.
- In a variant, the microprocessor of the chip is replaced, or at least supplemented, by logic circuits implanted in a semiconductor chip.
- Such circuits are capable of carrying out computations, in particular authentication and signature, using hard-wired rather than microprogrammed electronics. They can in particular be of the ASIC type (Application Specific Integrated Circuit).
- The chip may be designed in monolithic form.
- The invention consists of a method for securing an electronic assembly comprising information processing means and information storage means, the method implementing a cryptographic computation that involves a modular exponentiation of a quantity (x) stored in the information storage means, said modular exponentiation using a secret exponent (d) stored in the storage means, characterized in that the information processing means decompose the secret exponent read from the information storage means into a plurality of k unpredictable values (d_1, d_2, ..., d_k) whose sum is equal to the secret exponent, said k unpredictable values being stored in the information storage means.
- The values (d_1, d_2, ..., d_k) are obtained as follows: a) (k-1) values are obtained by means of a random generator and stored in the information storage means; b) the last value is obtained, using the information processing means, as the difference between the secret exponent and the sum of the (k-1) values.
- The modular exponentiation is computed as follows: a) for each of the k values, the quantity (x) is raised to an exponent comprising that value, giving one result per value; b) the product of the results obtained in step a) is computed.
- At least one of the (k-1) values obtained by means of the random generator has a length greater than or equal to 64 bits.
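The RSA setup from the description and the exponent-splitting procedure of the claims above (split d into k-1 random shares plus a difference share, exponentiate with each share, multiply the results), worked through as an added Python example. This is the editor's illustration, not code from the patent: the primes, public exponent and input are constructed toy values, far too small for real use, and the function names are assumptions.

```python
import math
import secrets

# Constructed toy RSA parameters (two Mersenne primes, far too small for
# real use); they only keep the arithmetic fast enough to run by hand.
P = 2**127 - 1
Q = 2**89 - 1
E = 65537
SHARE_BITS = 64          # minimum length of a random share in the claims


def rsa_keypair(p: int, q: int, e: int):
    """Return (n, e, d): n = p*q, e coprime to lcm(p-1, q-1) and d the
    secret exponent with e*d == 1 mod lcm(p-1, q-1), as on this page."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    if math.gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lcm(p-1, q-1)")
    d = pow(e, -1, lam)                                  # Python 3.8+
    return n, e, d


def split_exponent(d: int, k: int = 2, share_bits: int = SHARE_BITS):
    """Decompose d into k values whose sum is d: k-1 values from a random
    generator (top bit forced so each really is share_bits long), the last
    one being d minus the others.  Draw a fresh split for every
    exponentiation; a reused split is no longer unpredictable."""
    if k < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.randbits(share_bits) | (1 << (share_bits - 1))
              for _ in range(k - 1)]
    last = d - sum(shares)
    if last <= 0:
        # The "difference" form needs the random part to stay below d.
        # With a 1024-bit d and 64-bit shares this cannot happen.
        raise ValueError("random shares exceed d: shorten share_bits or k")
    shares.append(last)
    return shares


def masked_modexp(x: int, shares, n: int) -> int:
    """x^d mod n computed as the product over i of x^{d_i} mod n, so that
    d itself is never used as an exponent."""
    acc = 1
    for d_i in shares:
        acc = (acc * pow(x, d_i, n)) % n
    return acc


def high_bits_unmasked(d: int, shares) -> bool:
    """Caveat check (editor's, not the patent's): when the random shares are
    much shorter than d, the last share d - r keeps d's high bits up to a
    borrow of one, so those bits are not hidden by the split."""
    r_bits = sum(shares[:-1]).bit_length()
    return (shares[-1] >> r_bits) in (d >> r_bits, (d >> r_bits) - 1)


def demo(k: int = 3) -> bool:
    """Masked and plain exponentiation agree, and the result verifies
    under the public key."""
    n, e, d = rsa_keypair(P, Q, E)
    x = 0x1234567890ABCDEF          # constructed input, smaller than n
    shares = split_exponent(d, k)
    y = masked_modexp(x, shares, n)
    return y == pow(x, d, n) and pow(y, e, n) == x and sum(shares) == d
```

The share to watch is the last one: d_k = d - (d_1 + ... + d_{k-1}) is not random, and because the random shares are only 64 bits long while d is around 1024 bits, the high bits of d_k equal the high bits of d up to a borrow of one, which `high_bits_unmasked` confirms. The split does change the low-order bits processed on every run, which is what the page's DPA hypothesis targets, but an implementation that must also withstand attacks on the exponentiation with d_k alone should use shares as long as d, or draw them modulo lcm(p-1, q-1) so that no share is correlated with d. That remark is the editor's, not a claim of the patent.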
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR9913507A FR2800478B1 (fr) | 1999-10-28 | 1999-10-28 | Method for securing an electronic cryptography assembly based on modular exponentiation against physical analysis attacks |
PCT/FR2000/002978 WO2001031436A1 (fr) | 1999-10-28 | 2000-10-26 | Method for securing an electronic cryptography assembly based on modular exponentiation against physical analysis attacks |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1639447A1 true EP1639447A1 (fr) | 2006-03-29 |
Family
ID=9551481
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP00971508A Withdrawn EP1639447A1 (fr) | 1999-10-28 | 2000-10-26 | Method for securing an electronic cryptography assembly based on modular exponentiation against physical analysis attacks |
Country Status (5)
Country | Link |
---|---|
US (1) | US6973190B1 (fr) |
EP (1) | EP1639447A1 (fr) |
JP (1) | JP2003513491A (fr) |
FR (1) | FR2800478B1 (fr) |
WO (1) | WO2001031436A1 (fr) |
Families Citing this family (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3926532B2 (ja) * | 2000-03-16 | 2007-06-06 | 株式会社日立製作所 | Information processing device, information processing method, and card member |
FR2810139B1 (fr) * | 2000-06-08 | 2002-08-23 | Bull Cp8 | Method for securing the pre-initialization phase of an embedded system with an electronic chip, in particular a smart card, and embedded system implementing the method |
FR2818772A1 (fr) * | 2000-12-21 | 2002-06-28 | Bull Cp8 | Method for securing a logical or mathematical operator implanted in an electronic module with a microprocessor, and associated electronic module and embedded system |
FR2820576B1 (fr) * | 2001-02-08 | 2003-06-20 | St Microelectronics Sa | Encryption method protected against power consumption analysis, and component using such an encryption method |
FR2823327B1 (fr) * | 2001-04-09 | 2003-08-08 | Gemplus Card Int | Device for performing secure exponentiation computations and use of such a device |
GB0126317D0 (en) * | 2001-11-02 | 2002-01-02 | Comodo Res Lab Ltd | Improvements in and relating to cryptographic methods and apparatus in which an exponentiation is used |
DE10222212A1 (de) | 2002-05-16 | 2003-12-04 | Giesecke & Devrient Gmbh | Modular inversion protected against spying |
EP1398690A1 (fr) * | 2002-09-13 | 2004-03-17 | Schlumberger Systemes SA | Method and system for generating a signature |
DE10304451B3 (de) * | 2003-02-04 | 2004-09-02 | Infineon Technologies Ag | Modular exponentiation with randomized exponent |
FR2864390B1 (fr) * | 2003-12-19 | 2006-03-31 | Gemplus Card Int | Cryptographic modular exponentiation method protected against DPA-type attacks |
FR2887351A1 (fr) * | 2005-06-16 | 2006-12-22 | St Microelectronics Sa | Protection of a modular exponentiation computation performed by an integrated circuit |
CN101213513B (zh) | 2005-06-29 | 2013-06-12 | 爱迪德艾恩德霍芬公司 | Device and method for protecting a data processing device against cryptographic attack or analysis |
WO2007052491A1 (fr) * | 2005-10-31 | 2007-05-10 | Matsushita Electric Industrial Co., Ltd. | Secure processing device, secure processing method, method for embedding encrypted confidential information, program, storage medium and integrated circuit |
WO2007051770A1 (fr) * | 2005-11-04 | 2007-05-10 | Gemplus | Secure method for handling data during the execution of cryptographic algorithms on embedded systems |
WO2009136361A1 (fr) * | 2008-05-07 | 2009-11-12 | Koninklijke Philips Electronics N.V. | Exponent obfuscation |
JP5407352B2 (ja) * | 2009-01-19 | 2014-02-05 | 富士通株式会社 | Decryption processing device, decryption processing program and decryption processing method |
US8334705B1 (en) | 2011-10-27 | 2012-12-18 | Certicom Corp. | Analog circuitry to conceal activity of logic circuitry |
US8635467B2 (en) | 2011-10-27 | 2014-01-21 | Certicom Corp. | Integrated circuit with logic circuitry and multiple concealing circuits |
US10181944B2 (en) | 2015-06-16 | 2019-01-15 | The Athena Group, Inc. | Minimizing information leakage during modular exponentiation and elliptic curve point multiplication |
FR3094522B1 (fr) * | 2019-03-29 | 2021-11-19 | St Microelectronics Rousset | Protection of an iterative computation |
US11249726B2 (en) | 2019-09-10 | 2022-02-15 | Intel Corporation | Integrated circuits with modular multiplication circuitry |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5978482A (en) * | 1995-08-21 | 1999-11-02 | International Business Machines Corporation | Method and system for protection of digital information |
US6748410B1 (en) * | 1997-05-04 | 2004-06-08 | M-Systems Flash Disk Pioneers, Ltd. | Apparatus and method for modular multiplication and exponentiation based on montgomery multiplication |
US5991415A (en) * | 1997-05-12 | 1999-11-23 | Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science | Method and apparatus for protecting public key schemes from timing and fault attacks |
US6108425A (en) * | 1997-06-30 | 2000-08-22 | International Business Machines Corporation | Method and apparatus for controlling the configuration of a cryptographic processor |
US6304658B1 (en) * | 1998-01-02 | 2001-10-16 | Cryptography Research, Inc. | Leak-resistant cryptographic method and apparatus |
US6378072B1 (en) * | 1998-02-03 | 2002-04-23 | Compaq Computer Corporation | Cryptographic system |
US6285761B1 (en) * | 1998-03-04 | 2001-09-04 | Lucent Technologies, Inc. | Method for generating pseudo-random numbers |
US6307938B1 (en) * | 1998-07-10 | 2001-10-23 | International Business Machines Corporation | Method, system and apparatus for generating self-validating prime numbers |
US6490357B1 (en) * | 1998-08-28 | 2002-12-03 | Qualcomm Incorporated | Method and apparatus for generating encryption stream ciphers |
1999
- 1999-10-28 FR FR9913507A patent/FR2800478B1/fr not_active Expired - Fee Related
2000
- 2000-10-26 WO PCT/FR2000/002978 patent/WO2001031436A1/fr active Application Filing
- 2000-10-26 US US09/869,435 patent/US6973190B1/en not_active Expired - Fee Related
- 2000-10-26 EP EP00971508A patent/EP1639447A1/fr not_active Withdrawn
- 2000-10-26 JP JP2001533507A patent/JP2003513491A/ja active Pending
Non-Patent Citations (1)
Title |
---|
MATSUMOTO T. ET AL: "Speeding Up Secret Computations with Insecure Auxiliary Devices", ADVANCES IN CRYPTOLOGY, PROCEEDINGS OF THE CONFERENCE ON THE THEORY AND APPLICATION OF CRYPTOGRAPHY (CRYPTO '88), 21 August 1988 (1988-08-21) - 25 August 1988 (1988-08-25), Berlin, pages 497 - 506, XP000345652 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102521544A (zh) * | 2011-12-26 | 2012-06-27 | 飞天诚信科技股份有限公司 | Method for implementing a modular exponentiation resistant to power attacks in a CPU |
CN102521544B (zh) * | 2011-12-26 | 2014-09-10 | 飞天诚信科技股份有限公司 | Method for implementing a modular exponentiation resistant to power attacks in a CPU |
Also Published As
Publication number | Publication date |
---|---|
JP2003513491A (ja) | 2003-04-08 |
FR2800478B1 (fr) | 2001-11-30 |
FR2800478A1 (fr) | 2001-05-04 |
WO2001031436A1 (fr) | 2001-05-03 |
US6973190B1 (en) | 2005-12-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2001031436A1 (fr) | Method for securing an electronic cryptography assembly based on modular exponentiation against physical analysis attacks | |
EP1441313B1 (fr) | Public-key cryptographic method for protecting an electronic chip against fraud | |
FR2789535A1 (fr) | Method for securing a secret-key electronic cryptography assembly against physical analysis attacks | |
EP1745366A1 (fr) | Method for protecting a cryptographic assembly by homographic masking | |
EP1807967B1 (fr) | Method for secure delegation of the computation of a bilinear map | |
FR3015080A1 (fr) | Integrity verification of a cryptographic key pair | |
EP0795241B1 (fr) | Public-key cryptography method based on the discrete logarithm | |
EP1224765B1 (fr) | Countermeasure method in an electronic component implementing an RSA-type public-key cryptography algorithm | |
EP1904921A1 (fr) | Cryptographic method for the secure implementation of an exponentiation, and associated component | |
EP0909495B1 (fr) | Public-key cryptography method | |
EP1086547B1 (fr) | Method for securing one or more electronic assemblies implementing a cryptographic algorithm with a secret key, and the electronic assembly | |
EP3328026B1 (fr) | Methods for redacting an original document or for verifying the authenticity of a final document | |
KR20030075146A (ko) | Method and apparatus for storing and restoring the secret key of a cryptosystem | |
EP1419434A1 (fr) | Secure method for performing a modular exponentiation operation | |
EP1520370B1 (fr) | Cryptographic method and devices for reducing computation during transactions | |
FR2818846A1 (fr) | Countermeasure method in an electronic component implementing a cryptography algorithm | |
EP0980607A1 (fr) | Pseudo-random generator based on a hash function for cryptographic systems requiring random draws | |
FR3010562A1 (fr) | Data processing method and associated device | |
FR2792789A1 (fr) | Signature verification or authentication method | |
FR3076013A1 (fr) | Cryptographic processing method, computer program and associated device | |
FR2818473A1 (fr) | Countermeasure methods in an electronic component implementing an RSA-type public-key cryptography algorithm | |
WO2003013053A1 (fr) | Method for determining the size of a random value for an electronic signature scheme | |
FR2834155A1 (fr) | Method for generating cryptographic electronic keys and corresponding component | |
FR2952774A1 (fr) | Method and device for optimizing RSA decryption and signature to better secure bank cards and mobile phones |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under Article 153(3) EPC to a published international application that has entered the European phase | ORIGINAL CODE: 0009012 |
2001-11-05 | 17P | Request for examination filed | |
| AK | Designated contracting states | Kind code of ref document: A1; designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE |
| RIN1 | Information on inventor provided before grant (corrected) | Inventor name: GOUBIN, LOUIS |
2006-10-02 | R17C | First examination report despatched (corrected) | |
| GRAP | Despatch of communication of intention to grant a patent | ORIGINAL CODE: EPIDOSNIGR1 |
| RTI1 | Title (correction) | SECURITY METHOD FOR A CRYPTOGRAPHIC ELECTRONIC ASSEMBLY BASED ON MODULAR EXPONENTIATION AGAINST POWER ATTACKS |
| GRAJ | Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the EPO deleted | ORIGINAL CODE: EPIDOSDIGR1 |
| GRAP | Despatch of communication of intention to grant a patent | ORIGINAL CODE: EPIDOSNIGR1 |
| STAA | Information on the status of an EP patent application or granted EP patent | STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
2008-09-16 | 18D | Application deemed to be withdrawn | |