EP1639451A2 - Countermeasure method by masking the accumulator in an electronic component implementing a public-key cryptographic algorithm - Google Patents

Countermeasure method by masking the accumulator in an electronic component implementing a public-key cryptographic algorithm

Info

Publication number
EP1639451A2
Authority
EP
European Patent Office
Prior art keywords
replace
accumulator
representation
integer
countermeasure method
Legal status
Withdrawn
Application number
EP04766054A
Other languages
English (en)
French (fr)
Inventor
Marc Joye
Current Assignee
Gemplus SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date
2003-06-18
Filing date
2004-06-17
Publication date
2006-03-29
Application filed by Gemplus Card International SA, Gemplus SA
Publication of EP1639451A2
Legal status: Withdrawn (current)

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled > G06F 7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers > G06F 7/72 ... using residue arithmetic
        • G06F 7/723 Modular exponentiation
        • G06F 7/724 Finite field arithmetic > G06F 7/725 Finite field arithmetic over elliptic curves
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled > G06F 2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
        • G06F 2207/7219 Countermeasures against side channel or fault attacks > G06F 2207/7223 Randomisation as countermeasure against side channel attacks
            • G06F 2207/7228 Random curve mapping, e.g. mapping to an isomorphous or projective curve
            • G06F 2207/7233 Masking, e.g. (A**e)+r mod n > G06F 2207/7247 Modulo masking, e.g. A**e mod (n*r)
        • G06F 2207/7276 Additional details of aspects covered by group G06F7/723 > G06F 2207/7285 Additional details of aspects covered by group G06F7/723 using the window method, i.e. left-to-right k-ary exponentiation

Definitions

  • the present invention relates to a countermeasure method in an electronic component implementing a public key cryptographic algorithm.
  • the disadvantage of a secret-key encryption system is that it requires the prior communication of the key K between the two parties over a secure channel, before any encrypted message is sent over the insecure channel.
  • the term "secure channel" is understood to mean a channel for which it is impossible to read or modify the information passing through it. Such a secure channel can be produced by a cable connecting two terminals owned by the two parties.
  • public-key cryptography solves the problem of distributing keys over an insecure channel. It is based on the difficulty of solving certain problems that are (presumed to be) computationally infeasible.
  • the problem considered by Diffie and Hellman is the resolution of the discrete logarithm in the multiplicative group of a finite field. It is recalled that in a finite field, the number of elements of the field is always of the form q^n, where q is a prime number called the characteristic of the field and n is an integer.
  • a finite field having q^n elements is denoted GF(q^n).
  • when n = 1, the finite field GF(q) is said to be prime.
  • a field has two groups: a multiplicative group and an additive group.
  • in the multiplicative group the neutral element is denoted 1 and the group law is denoted multiplicatively by the symbol · and is called multiplication.
  • the shared Diffie-Hellman key is K = g^(ab), which each party obtains from the other's public value g^a or g^b.
  • any elliptic curve over a field can be expressed in this form.
  • the set of points (x, y) together with the point at infinity forms an abelian group, in which the point at infinity is the neutral element and the group operation is the addition of points, denoted + and given by the well-known chord-and-tangent rule (see for example "Elliptic Curve Public Key Cryptosystems" by Alfred Menezes, Kluwer, 1993).
  • the pair (x, y), where the abscissa x and the ordinate y are elements of the field GF(q^n), forms the affine coordinates of a point P of the elliptic curve.
  • the Jacobian representation of a point is not unique, because the triplet (X, Y, Z) and the triplet (λ^2·X, λ^3·Y, λ·Z) represent the same point for any non-zero element λ of the finite field over which the elliptic curve is defined.
  • the homogeneous (projective) representation of a point is not unique either, because the triplet (X, Y, Z) and the triplet (λ·X, λ·Y, λ·Z) represent the same point for any non-zero element λ of that field.
  • in an additively denoted group such as the points of an elliptic curve, the exponentiation is called scalar multiplication.
  • a point common to most cryptographic algorithms based on the discrete logarithm problem in a group G is that they take as a parameter an element g belonging to this group.
  • the private key is an integer d chosen at random.
  • the ciphertext corresponding to m is the pair (h, c).
  • the left-to-right binary exponentiation algorithm takes as input an element g of a group G and an exponent d.
  • the left-to-right binary exponentiation algorithm has the following 3 steps:
  • the left-to-right k-ary exponentiation algorithm can be adapted to take as input a signed representation of the exponent d.
  • the exponent d is then given by the representation (d(t), d(t-1), ..., d(0)), in which each digit d(i) is an integer between -(2^(k-1)) and 2^(k-1) for an integer k ≥ 1, with d(t) the most significant digit and d(0) the least significant digit.
  • this adaptation is particularly interesting when the inverse of the elements g_i, denoted (g_i)^(-1), is easy or inexpensive to compute. This is for example the case in the group G of the points of an elliptic curve. When the inverse of the elements g_i is not easy or too costly to compute, its value is precomputed.
  • the multiplication of the accumulator A by g in the group G can be substantially faster than the multiplication of two arbitrary elements of G.
  • this is the case, for example, when the group G is the multiplicative group of the prime field GF(q) and g (respectively one of its powers g^i) is represented as a single-precision integer.
  • likewise, the addition of the accumulator A and the point P can be substantially faster than the addition of two arbitrary points of an elliptic curve (for example when P is kept in affine coordinates while A is in projective coordinates, a so-called mixed addition).
  • a DPA (differential power analysis) type attack therefore makes it possible to obtain additional information on the intermediate data manipulated by the microprocessor of the electronic component during the execution of a cryptographic algorithm. This additional information can in certain cases reveal the private parameters of the cryptographic algorithm, making the cryptographic system vulnerable.
  • a known countermeasure method consists in masking the point P of the group of points of an elliptic curve defined over the field GF(q^n) by using projective coordinates of this point chosen at random: draw a non-zero random number λ and represent P as (λ^2·x, λ^3·y, λ) in Jacobian representation, or as (λ·x, λ·y, λ) in homogeneous representation.
  • another countermeasure method known to those skilled in the art for masking an element g of the multiplicative group of a finite field GF(q^n) consists in representing this element, at random, in an extension of GF(q^n): one works in the ring R = GF(q)[X]/(p·k), obtained by quotienting the polynomial ring GF(q)[X] by the product of the polynomials p and k, with k given. A random polynomial λ(X) is then drawn in the ring GF(q)[X]/(k) and the element g is represented by g* = g + λ·p.
  • an object of the present invention is a countermeasure method, in particular against attacks of the DPA type.
  • another object of the invention is a countermeasure method which is easy to implement.
  • the idea underlying the invention is to randomize the accumulator A in the left-to-right exponentiation algorithm used, rather than the base element g: the base keeps its cheap representation (single-precision integer, affine point), so the fast operation A·g (respectively A + P) is preserved, while every intermediate value handled by the component is randomized. This masking can be done at the start of the algorithm or also, deterministically or probabilistically, during its execution.
  • this process applies in the same way if the group G is denoted additively.
  • the accumulator of said exponentiation algorithm is randomly masked.
  • in step 3c the multiplication is done with the integer g represented in single precision.
  • the masking of the accumulator A in step 3a is done only at the start of the exponentiation.
  • the following countermeasure method is thus obtained:
  • in step 3b the multiplication is done with the integer g represented in single precision.
  • another interesting application of the invention relates to the exponentiation in the group G of the points of an elliptic curve defined over a finite field GF(q^n).
  • in this group G, denoted additively, the inversion of a point P, denoted -P, is an inexpensive operation, so that it is advantageous to replace the left-to-right binary exponentiation algorithm by its signed-digit version, as explained in the article by François Morain and Jorge Olivos (Theoretical Informatics and Applications, vol. 24, pp. 531-543, 1990).
  • the accumulator of said exponentiation algorithm is a triplet of values in GF(q^n) and is masked randomly.
  • the masking of the accumulator A in step 2a is done only at the start of the exponentiation.
  • the following countermeasure method is thus obtained: 1) draw a non-zero random element λ in GF(q^n) and initialize the accumulator A = (A_x, A_y, A_z) with the triplet (λ^2·x, λ^3·y, λ)
  • the countermeasure method according to the invention applies to any exponentiation algorithm of the left-to-right type in a group G, denoted multiplicatively or additively.
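The elliptic-curve form of the method, as an added example that is not the patent's own code, combining the signed k-ary exponentiation and the accumulator masking described above: the exponent is recoded into signed k-ary digits (the inverse -P = (x, -y) being free on a curve, as the text notes), the accumulator A is kept in Jacobian coordinates and masked with a random λ at the start (step 1 above), with an option to draw a fresh λ during the execution, while the precomputed multiples g_i = i·P stay in affine coordinates so that every A + g_i is a mixed addition. The toy curve y^2 = x^3 + 2x + 3 over GF(97), the base point (3, 6), the recoding rule (digits in [-(2^(k-1) - 1), 2^(k-1)], inside the range the text gives), the function names, the lam argument and the remask_every option are this example's own assumptions; the affine addition is included as an independent reference for checking the result.

```python
import secrets

# Toy curve y^2 = x^3 + 2x + 3 over GF(97), constructed for this example.
P_MOD, A_COEF = 97, 2
INF = (1, 1, 0)  # Jacobian point at infinity: any triplet with Z == 0

def signed_kary_digits(d, k):
    """Digits d(t)..d(0) of d >= 0, most significant first, each in
    [-(2^(k-1) - 1), 2^(k-1)], with sum(d(i) * 2^(k*i)) == d."""
    base, half, digits = 1 << k, 1 << (k - 1), []
    while d:
        r = d % base
        if r > half:
            r -= base  # negative digit; the borrow is carried into d
        digits.append(r)
        d = (d - r) >> k
    return digits[::-1] or [0]

def affine_add(p1, p2):  # chord-and-tangent rule, None = point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        s = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def neg(q):  # -P = (x, -y): inversion is free on an elliptic curve
    return None if q is None else (q[0], -q[1] % P_MOD)

def jac_double(pt):  # doubling in Jacobian coordinates, x = X/Z^2, y = Y/Z^3
    X, Y, Z = pt
    if Z == 0 or Y == 0:
        return INF
    S = 4 * X * Y * Y % P_MOD
    M = (3 * X * X + A_COEF * pow(Z, 4, P_MOD)) % P_MOD
    X3 = (M * M - 2 * S) % P_MOD
    return (X3, (M * (S - X3) - 8 * pow(Y, 4, P_MOD)) % P_MOD, 2 * Y * Z % P_MOD)

def jac_add_affine(pt, q):  # mixed addition: Jacobian accumulator + affine point
    X1, Y1, Z1 = pt
    if q is None:
        return pt
    if Z1 == 0:
        return (q[0], q[1], 1)
    Z1Z1 = Z1 * Z1 % P_MOD
    H = (q[0] * Z1Z1 - X1) % P_MOD
    R = (q[1] * Z1 * Z1Z1 - Y1) % P_MOD
    if H == 0:  # same x: A == P (double) or A == -P (infinity)
        return jac_double(pt) if R == 0 else INF
    HH, HHH = H * H % P_MOD, pow(H, 3, P_MOD)
    V = X1 * HH % P_MOD
    X3 = (R * R - HHH - 2 * V) % P_MOD
    return (X3, (R * (V - X3) - Y1 * HHH) % P_MOD, Z1 * H % P_MOD)

def mask(pt, lam):  # (X, Y, Z) -> (lam^2 X, lam^3 Y, lam Z): same point, new triplet
    X, Y, Z = pt
    l2 = lam * lam % P_MOD
    return (l2 * X % P_MOD, l2 * lam * Y % P_MOD, lam * Z % P_MOD)

def to_affine(pt):
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = pow(Z, -1, P_MOD)
    return (X * zi * zi % P_MOD, Y * pow(zi, 3, P_MOD) % P_MOD)

def random_lambda():  # non-zero random element of GF(p)
    return 1 + secrets.randbelow(P_MOD - 1)

def masked_scalar_mul(d, p, k=2, lam=None, remask_every=0):
    """d*P as a masked Jacobian triplet (left-to-right signed k-ary method);
    remask_every > 0 re-draws the mask every that many digits."""
    half = 1 << (k - 1)
    table = {0: None}  # g_i = i*P in affine coordinates, i = 1 .. 2^(k-1)
    for i in range(1, half + 1):
        table[i] = affine_add(table[i - 1], p)
    digits = signed_kary_digits(d, k)
    lam = random_lambda() if lam is None else lam
    g = table[digits[0]]  # the leading digit is never negative
    acc = mask(INF if g is None else (g[0], g[1], 1), lam)  # step 1: mask A
    for i, digit in enumerate(digits[1:], 1):
        for _ in range(k):
            acc = jac_double(acc)  # A <- 2^k * A
        if digit > 0:
            acc = jac_add_affine(acc, table[digit])  # A <- A + g_i
        elif digit < 0:
            acc = jac_add_affine(acc, neg(table[-digit]))  # A <- A - g_i
        if remask_every and i % remask_every == 0:
            acc = mask(acc, random_lambda())  # fresh mask during execution
    return acc

def reference_mul(d, p):  # d*P by repeated affine addition, for checking
    r = None
    for _ in range(d):
        r = affine_add(r, p)
    return r
```

to_affine(masked_scalar_mul(d, P)) gives the same affine point whatever λ is drawn, while the triplet itself, and every intermediate A the component handles, changes from one run to the next; the base point and the table entries are never masked, which is what keeps the fast mixed addition of the unprotected algorithm. The same toy field makes the group small (the base point (3, 6) has order 5), so the code also exercises the cases where a table entry or the accumulator is the point at infinity.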

Landscapes

  • Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computational Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • General Engineering & Computer Science (AREA)
  • Complex Calculations (AREA)
  • Storage Device Security (AREA)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0307379A FR2856537B1 (fr) 2003-06-18 2003-06-18 Countermeasure method by masking the accumulator in an electronic component implementing a public-key cryptographic algorithm
PCT/EP2004/051144 WO2004111831A2 (fr) 2003-06-18 2004-06-17 Countermeasure method by masking the accumulator

Publications (1)

Publication Number Publication Date
EP1639451A2 (de) 2006-03-29

Family

ID=33484551

Family Applications (1)

Application Number Title Priority Date Filing Date
EP04766054A Withdrawn EP1639451A2 (de) 2003-06-18 2004-06-17 Countermeasure method by masking the accumulator in an electronic component implementing a public-key cryptographic algorithm

Country Status (4)

Country Link
US (1) US20060282491A1 (de)
EP (1) EP1639451A2 (de)
FR (1) FR2856537B1 (de)
WO (1) WO2004111831A2 (de)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2862454A1 (fr) 2003-11-18 2005-05-20 Atmel Corp Randomized modular reduction method and associated equipment
FR2885711B1 (fr) 2005-05-12 2007-07-06 Atmel Corp Randomized modular polynomial reduction method and hardware
EP1889398B1 (de) * 2005-05-12 2016-01-13 Inside Secure Randomized modular polynomial reduction method and hardware therefor
FR2897963A1 (fr) 2006-02-28 2007-08-31 Atmel Corp Method for fast quotient estimation and manipulation of congruences
KR101527867B1 (ko) * 2007-07-11 2015-06-10 Samsung Electronics Co., Ltd. Method for countering side-channel attacks on an elliptic curve cryptosystem
EP2169535A1 (de) * 2008-09-22 2010-03-31 Thomson Licensing Method, apparatus and computer program support for regular recoding of a positive integer
EP2535804A1 (de) * 2011-06-17 2012-12-19 Thomson Licensing Fault-resistant exponentiation algorithm
DE102017002153A1 (de) * 2017-03-06 2018-09-06 Giesecke+Devrient Mobile Security Gmbh Transition from a Boolean masking to an arithmetic masking

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2784831B1 (fr) * 1998-10-16 2000-12-15 Gemplus Card Int Countermeasure method in an electronic component implementing a secret-key cryptographic algorithm
DE19963407A1 (de) * 1999-12-28 2001-07-12 Giesecke & Devrient Gmbh Portable data carrier with access protection by message disguising
JP2003098962A (ja) * 2001-09-20 2003-04-04 Hitachi Ltd Elliptic curve scalar multiplication computing method and apparatus, and recording medium
FR2824209B1 (fr) * 2001-04-30 2003-08-29 St Microelectronics Sa Scrambling of a computation implementing a modular function
US7127063B2 (en) * 2001-12-31 2006-10-24 Certicom Corp. Method and apparatus for computing a shared secret key

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
WO2004111831A2 (fr) 2004-12-23
WO2004111831A3 (fr) 2005-12-22
FR2856537A1 (fr) 2004-12-24
FR2856537B1 (fr) 2005-11-04
US20060282491A1 (en) 2006-12-14

Similar Documents

Publication Publication Date Title
EP1166494B1 Countermeasures in an electronic component for executing a public-key cryptographic algorithm based on elliptic curves
EP2946284B1 Cryptographic method comprising an operation of multiplication by a scalar or an exponentiation
EP1358732B1 Method for secure encryption and component for executing such an encryption method
EP1381936B1 Countermeasures in an electronic component for executing a public-key cryptographic algorithm based on elliptic curves
EP1969459A1 Cryptographic method comprising a modular exponentiation protected against hidden-channel attacks, cryptoprocessor for implementing the method and associated chip card
EP2162820A1 Montgomery-based modular exponentiation secured against hidden-channel attacks
FR2809893A1 Countermeasure method in an electronic component implementing a public-key cryptographic algorithm on an elliptic curve
WO2000059157A1 Countermeasure method in an electronic component implementing an elliptic-curve-type public-key cryptographic algorithm
EP1804161B1 Detection of a disturbance in a cryptographic calculation
EP1639451A2 Countermeasure method by masking the accumulator in an electronic component implementing a public-key cryptographic algorithm
EP1804160B1 Protection of a cryptographic calculation in an integrated circuit
WO2004111833A1 Countermeasure method in an electronic component
WO2002001343A1 Countermeasure methods in an electronic component implementing a Koblitz-elliptic-curve-type public-key cryptographic algorithm
EP4024753B1 Method and electronic module for computing a cryptographic quantity with carry-less multiplications, associated method and electronic device for processing data, and computer program
EP1222528B1 Method for improving the performance of a multiplication operation in a finite field of characteristic 2
EP1695204A2 Cryptographic method for modular exponentiation, protected against DPA-type attacks
EP3929726A1 Cryptographic processing method, associated electronic device and computer program
FR2854997A1 Countermeasure method in an electronic component implementing a public-key-type cryptographic algorithm on an elliptic curve defined over a field of characteristic two
WO2002050658A1 Countermeasure methods in an electronic component implementing an RSA-type public-key cryptographic algorithm
WO2002093411A1 Device for performing exponentiation calculations applied to points of an elliptic curve

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL HR LT LV MK

17P Request for examination filed

Effective date: 20060622

RBV Designated contracting states (corrected)

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20070212

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20070626