EP1639451A2 - Countermeasure method by masking the accumulator in an electronic component implementing a public key cryptographic algorithm - Google Patents
- Publication number
- EP1639451A2 (application EP04766054A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- replace
- accumulator
- representation
- integer
- countermeasure method
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
    - G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
      - G06F7/72—(the same) using residue arithmetic
        - G06F7/723—Modular exponentiation
        - G06F7/724—Finite field arithmetic
          - G06F7/725—Finite field arithmetic over elliptic curves
  - G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    - G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
      - G06F2207/7219—Countermeasures against side channel or fault attacks
        - G06F2207/7223—Randomisation as countermeasure against side channel attacks
          - G06F2207/7228—Random curve mapping, e.g. mapping to an isomorphous or projective curve
          - G06F2207/7233—Masking, e.g. (A**e)+r mod n
            - G06F2207/7247—Modulo masking, e.g. A**e mod (n*r)
      - G06F2207/7276—Additional details of aspects covered by group G06F7/723
        - G06F2207/7285—(the same) using the window method, i.e. left-to-right k-ary exponentiation
Definitions
- The present invention relates to a countermeasure method in an electronic component implementing a public key cryptographic algorithm.
- The disadvantage of a secret key encryption system is that it requires the key K to be communicated beforehand between the two parties over a secure channel, before any encrypted message is sent over the insecure channel.
- A "secure channel" is a channel on which it is impossible to read or modify the information passing through it. Such a channel can be realised, for example, by a cable connecting two terminals owned by the two parties.
- Public key cryptography solves the problem of distributing keys over an insecure channel. It rests on the difficulty of solving certain problems that are (presumed to be) computationally infeasible.
- The problem considered by Diffie and Hellman is the discrete logarithm in the multiplicative group of a finite field. Recall that the number of elements of a finite field is always of the form q^n, where q is a prime called the characteristic of the field and n is an integer.
- A finite field with q^n elements is denoted GF(q^n).
- When n = 1 the finite field is said to be prime.
- A field carries two groups: a multiplicative group and an additive group.
- In the multiplicative group the neutral element is denoted 1, and the group law, written multiplicatively with the symbol ".", is called multiplication.
- K K a A (ab).
- Any elliptic curve over a field can be expressed in this form.
- The set of points (x, y) together with the point at infinity forms an abelian group, in which the point at infinity is the neutral element and the group operation is point addition, denoted + and given by the well-known secant-and-tangent rule (see for example "Elliptic Curve Public Key Cryptosystems" by Alfred Menezes, Kluwer, 1993).
- The pair (x, y), where the abscissa x and the ordinate y are elements of the field GF(q^n), forms the affine coordinates of a point P of the elliptic curve.
- The Jacobian representation of a point is not unique: the triplets (X, Y, Z) and (λ^2.X, λ^3.Y, λ.Z) represent the same point for any non-zero element λ of the finite field over which the elliptic curve is defined.
- The homogeneous representation of a point is not unique either: the triplets (X, Y, Z) and (λ.X, λ.Y, λ.Z) represent the same point for any non-zero element λ of the finite field over which the elliptic curve is defined.
- In an additively written group the exponentiation is also called scalar multiplication.
- A feature common to most cryptographic algorithms based on the discrete logarithm problem in a group G is that they take as a parameter an element g of this group.
- The private key is an integer d chosen at random.
- The number corresponding to m is the pair (h, c).
- The left-to-right binary exponentiation algorithm takes as input an element g of a group G and an exponent d.
- The left-to-right binary exponentiation algorithm has the following 3 steps:
- The left-to-right k-ary exponentiation algorithm can be adapted to take as input a signed representation of the exponent d.
- The exponent d is then given by the representation (d(t), d(t-1), ..., d(0)), in which each digit d(i) is an integer between -(2^k - 1) and 2^k - 1 for an integer k ≥ 1, d(t) being the most significant digit and d(0) the least significant digit.
- This adaptation is particularly interesting when the inverses of the elements g_i, denoted (g_i)^(-1), are easy or cheap to compute. This is the case, for example, in the group G of points of an elliptic curve. Where the inverses of the g_i are not easy or are too costly to compute, their values are precomputed.
- The multiplication of the accumulator A by g in the group G can be substantially faster than the multiplication of two arbitrary elements of G.
- This is the case when the group G is the multiplicative group of the prime field GF(q) and g (or one of its powers g^x) is represented as a single-precision integer.
- Likewise, the addition of the point P to the accumulator A can be substantially faster than the addition of two arbitrary points of an elliptic curve.
- A DPA-type attack therefore yields additional information about the intermediate data manipulated by the microprocessor of the electronic component while it executes a cryptographic algorithm. In some cases this information can reveal the private parameters of the algorithm, making the cryptosystem vulnerable.
- One countermeasure method consists in masking the point P of the group of points of an elliptic curve defined over the field GF(q^n) by using projective coordinates of that point chosen at random.
- With λ a non-zero random number, P is represented as (λ^2.x, λ^3.y, λ) in Jacobian representation, or as (λ.x, λ.y, λ) in homogeneous representation.
- Another countermeasure known to those skilled in the art for masking the element g of the multiplicative group G of a finite field GF(q^n) consists in representing this element, at random, in an extension of GF(q^n).
- One takes the ring R = GF(q)[X]/(p.k), obtained by quotienting the polynomial ring GF(q)[X] by the product of the polynomials p and k, with k given.
- A random polynomial θ(X) is then drawn in the ring GF(q)[X]/(k) and the element g is represented by g* = g + θ.p.
- An object of the present invention is a countermeasure method, in particular against DPA-type attacks.
- Another object of the invention is a countermeasure method that is easy to implement.
- The idea underlying the invention is to randomise the accumulator A in the left-to-right exponentiation algorithm used. This masking can be done at the start of the algorithm, or also deterministically or probabilistically during its execution.
- The method applies in the same way if the group G is written additively.
- The accumulator of the exponentiation algorithm is masked at random.
- In step 3c the multiplication is done with the integer g represented in single precision.
- The masking of the accumulator A in step 3a is done only at the start of the exponentiation.
- The following countermeasure method is thus obtained:
- In step 3b the multiplication is done with the integer g represented in single precision.
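As an added example, not code from the patent, the following Python implements the left-to-right binary and (unsigned) k-ary exponentiation described above in the multiplicative group of a prime field GF(q), and then the masked-accumulator variant: the accumulator is initialised as r.g for a random non-zero r instead of g, so the intermediate values a DPA adversary observes change from run to run, while the multiplications by the single-precision g are unchanged. The way the mask is tracked (each of the t squarings squares it too, leaving r^(2^t).g^d) and divided out at the end, the modulus and the sample values are this example's own assumptions; the patent's numbered steps 3a to 3c are not reproduced on this page.

```python
# Added example, not the patent's own code: left-to-right exponentiation in the
# multiplicative group of a prime field GF(q), unmasked and with a randomly
# masked accumulator. How the mask is tracked and removed is this example's
# assumption; the patent's numbered steps are not reproduced on this page.
import secrets


def accumulator_trace(g: int, d: int, q: int, A0: int) -> list:
    """Left-to-right binary exponentiation started from accumulator A0 instead of g.

    Returns every intermediate value of the accumulator A (what a DPA adversary
    would observe); the last entry is the final accumulator. Requires d >= 1.
    """
    A = A0 % q
    trace = [A]
    for bit in bin(d)[3:]:           # digits d(t-1) ... d(0); d(t) = 1 is already in A0
        A = A * A % q                # squaring
        if bit == '1':
            A = A * g % q            # multiplication by the single-precision g
        trace.append(A)
    return trace


def ltr_binary_exp(g: int, d: int, q: int) -> int:
    """Plain left-to-right binary exponentiation: g^d mod q with A initialised to g."""
    if d == 0:
        return 1
    return accumulator_trace(g, d, q, g)[-1]


def ltr_kary_exp(g: int, d: int, q: int, k: int = 3) -> int:
    """Left-to-right k-ary exponentiation with a precomputed table g^0 .. g^(2^k - 1)."""
    table = [1]
    for _ in range((1 << k) - 1):
        table.append(table[-1] * g % q)
    digits = []                      # base-2^k digits, least significant first
    while d:
        digits.append(d & ((1 << k) - 1))
        d >>= k
    A = 1
    for digit in reversed(digits):   # most significant digit first
        for _ in range(k):
            A = A * A % q            # k squarings per digit
        A = A * table[digit] % q     # one table lookup instead of up to k multiplications
    return A


def masked_ltr_exp(g: int, d: int, q: int, r: int = None) -> int:
    """Left-to-right exponentiation with the accumulator masked at the start.

    The accumulator begins as r*g for a random non-zero r (the masking assumed
    here), so every intermediate value differs from run to run. Each of the t
    squarings also squares the mask, giving r^(2^t) * g^d at the end; the mask
    is then removed with one modular inversion. Multiplications by g are unchanged.
    """
    if d == 0:
        return 1
    if r is None:
        r = secrets.randbelow(q - 1) + 1        # uniform in [1, q-1]
    t = d.bit_length() - 1                       # number of squarings performed
    A_masked = accumulator_trace(g, d, q, r * g)[-1]
    correction = pow(r, 1 << t, q)               # the mask after t squarings
    return A_masked * pow(correction, -1, q) % q
```

`pow(x, -1, q)` needs Python 3.8 or later. Comparing `accumulator_trace(g, d, q, g)` with `accumulator_trace(g, d, q, r * g)` for two different r shows the point of the countermeasure: the final result agrees with `pow(g, d, q)` in every case, but the sequence of intermediate accumulator values, which is what a DPA attack correlates with power measurements, is no longer a fixed function of d.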
- Another interesting application of the invention concerns exponentiation in the group G of points of an elliptic curve defined over a finite field GF(q^n).
- In an additively written group G, inverting a point P (giving -P) is an inexpensive operation, so it is worthwhile to replace the left-to-right binary exponentiation algorithm by its signed version, as explained in the article by F. Morain and Jorge Olivos (Theoretical Informatics and Applications, volume 24, pages 531-543, 1990).
- The accumulator of the exponentiation algorithm is a triplet of values in GF(q^n) and is masked at random.
- The masking of the accumulator A in step 2a is done only at the start of the exponentiation.
- This gives the following countermeasure method: 1) Draw a non-zero random element λ in GF(q^n) and initialise the accumulator A = (A_x, A_y, A_z) with the triplet (λ^2.x, λ^3.y, λ)
- The countermeasure method according to the invention applies to any left-to-right exponentiation algorithm in a group G, written multiplicatively or additively.
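As an added example, not the patent's own code, the following Python carries out step 1 above on a constructed toy curve y^2 = x^3 + 2x + 3 over GF(97): the accumulator is initialised with (λ^2.x, λ^3.y, λ) for a random non-zero λ and kept in Jacobian coordinates throughout the left-to-right double-and-add, with P itself left in affine form (Z = 1) for the cheaper mixed addition. Because every triplet (λ^2.X, λ^3.Y, λ.Z) denotes the same point, no unmasking step is needed; the final conversion to affine coordinates gives the result directly, while the triplets seen during the computation depend on λ. The curve, the points, the Jacobian formulas and the affine secant-and-tangent reference used for checking are the example's own assumptions.

```python
# Added example, not the patent's own code: scalar multiplication with a randomly
# masked Jacobian accumulator, as in step 1 above. Toy curve and points are
# constructed for the example; the affine routine is only a reference check.
import secrets

Q, A_COEFF, B_COEFF = 97, 2, 3       # constructed toy curve y^2 = x^3 + 2x + 3 over GF(97)
P_AFFINE = (3, 6)                    # constructed point: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)


def inv(x: int) -> int:
    return pow(x, -1, Q)


# --- affine reference: secant-and-tangent rule; None is the point at infinity ---
def affine_add(P1, P2):
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % Q == 0:      # P2 = -P1 (includes doubling a 2-torsion point)
        return None
    if P1 == P2:
        s = (3 * x1 * x1 + A_COEFF) * inv(2 * y1) % Q   # tangent
    else:
        s = (y2 - y1) * inv(x2 - x1) % Q                # secant
    x3 = (s * s - x1 - x2) % Q
    return (x3, (s * (x1 - x3) - y1) % Q)


def affine_scalar_mult(k: int, P):
    R = None
    for bit in bin(k)[2:]:
        R = affine_add(R, R)
        if bit == '1':
            R = affine_add(R, P)
    return R


# --- Jacobian arithmetic: (X, Y, Z) stands for (X/Z^2, Y/Z^3); Z == 0 is infinity ---
def jac_double(P1):
    X1, Y1, Z1 = P1
    if Z1 == 0 or Y1 == 0:
        return (1, 1, 0)
    S = 4 * X1 * Y1 * Y1 % Q
    M = (3 * X1 * X1 + A_COEFF * pow(Z1, 4, Q)) % Q
    X3 = (M * M - 2 * S) % Q
    Y3 = (M * (S - X3) - 8 * pow(Y1, 4, Q)) % Q
    return (X3, Y3, 2 * Y1 * Z1 % Q)


def jac_add(P1, P2):
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    if Z1 == 0:
        return P2
    if Z2 == 0:
        return P1
    U1, U2 = X1 * Z2 * Z2 % Q, X2 * Z1 * Z1 % Q
    S1, S2 = Y1 * pow(Z2, 3, Q) % Q, Y2 * pow(Z1, 3, Q) % Q
    if U1 == U2:                              # same x: either P1 == P2 or P1 == -P2
        return jac_double(P1) if S1 == S2 else (1, 1, 0)
    H, R = (U2 - U1) % Q, (S2 - S1) % Q
    H2 = H * H % Q
    H3 = H * H2 % Q
    X3 = (R * R - H3 - 2 * U1 * H2) % Q
    Y3 = (R * (U1 * H2 - X3) - S1 * H3) % Q
    return (X3, Y3, H * Z1 * Z2 % Q)


def to_affine(P1):
    X, Y, Z = P1
    if Z == 0:
        return None
    zi = inv(Z)
    return (X * zi * zi % Q, Y * pow(zi, 3, Q) % Q)


def masked_scalar_mult(k: int, P, lam: int = None, trace: list = None):
    """Left-to-right double-and-add with the accumulator masked at the start (step 1)."""
    if k == 0:
        return None
    if lam is None:
        lam = secrets.randbelow(Q - 1) + 1    # non-zero random element of GF(Q)
    x, y = P
    Acc = (lam * lam * x % Q, pow(lam, 3, Q) * y % Q, lam)   # P in randomised Jacobian form
    for bit in bin(k)[3:]:                    # remaining digits k(t-1) ... k(0)
        Acc = jac_double(Acc)
        if bit == '1':
            Acc = jac_add(Acc, (x, y, 1))     # mixed addition: P stays affine (Z = 1)
        if trace is not None:
            trace.append(Acc)                 # what a DPA adversary would observe
    return to_affine(Acc)                     # no unmasking needed: same point for any lam
```

Passing a list as `trace` records the Jacobian triplets handled in each iteration; two runs with different λ produce different triplets at every step yet the same affine result, which is exactly what the masking is meant to achieve.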
Landscapes
- Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Computational Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- General Engineering & Computer Science (AREA)
- Complex Calculations (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0307379A FR2856537B1 (fr) | 2003-06-18 | 2003-06-18 | Countermeasure method by masking the accumulator in an electronic component implementing a public key cryptographic algorithm |
PCT/EP2004/051144 WO2004111831A2 (fr) | 2003-06-18 | 2004-06-17 | Countermeasure method by masking the accumulator |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1639451A2 (de) | 2006-03-29 |
Family
ID=33484551
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP04766054A Withdrawn EP1639451A2 (de) | 2003-06-18 | 2004-06-17 | Countermeasure method by masking the accumulator in an electronic component implementing a public key cryptographic algorithm |
Country Status (4)
Country | Link |
---|---|
US (1) | US20060282491A1 (de) |
EP (1) | EP1639451A2 (de) |
FR (1) | FR2856537B1 (de) |
WO (1) | WO2004111831A2 (de) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2862454A1 (fr) | 2003-11-18 | 2005-05-20 | Atmel Corp | Random modular reduction method and associated equipment |
FR2885711B1 (fr) | 2005-05-12 | 2007-07-06 | Atmel Corp | Randomised modular polynomial reduction method and hardware |
EP1889398B1 (de) * | 2005-05-12 | 2016-01-13 | Inside Secure | Randomised modular polynomial reduction method and hardware therefor |
FR2897963A1 (fr) | 2006-02-28 | 2007-08-31 | Atmel Corp | Method for fast quotient guesses and manipulation of congruences |
KR101527867B1 (ko) * | 2007-07-11 | 2015-06-10 | 삼성전자주식회사 | Method for countering side-channel attacks on an elliptic curve cryptosystem |
EP2169535A1 (de) * | 2008-09-22 | 2010-03-31 | Thomson Licensing | Method, apparatus and computer program support for regular recoding of a positive integer |
EP2535804A1 (de) * | 2011-06-17 | 2012-12-19 | Thomson Licensing | Fault-resistant exponentiation algorithm |
DE102017002153A1 (de) * | 2017-03-06 | 2018-09-06 | Giesecke+Devrient Mobile Security Gmbh | Transition from Boolean masking to arithmetic masking |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2784831B1 (fr) * | 1998-10-16 | 2000-12-15 | Gemplus Card Int | Countermeasure method in an electronic component implementing a secret key cryptographic algorithm |
DE19963407A1 (de) * | 1999-12-28 | 2001-07-12 | Giesecke & Devrient Gmbh | Portable data carrier with access protection by message scrambling |
JP2003098962A (ja) * | 2001-09-20 | 2003-04-04 | Hitachi Ltd | Elliptic curve scalar multiplication method and device, and recording medium |
FR2824209B1 (fr) * | 2001-04-30 | 2003-08-29 | St Microelectronics Sa | Scrambling of a calculation implementing a modular function |
US7127063B2 (en) * | 2001-12-31 | 2006-10-24 | Certicom Corp. | Method and apparatus for computing a shared secret key |
2003
- 2003-06-18 FR FR0307379A patent/FR2856537B1/fr not_active Expired - Fee Related
2004
- 2004-06-17 WO PCT/EP2004/051144 patent/WO2004111831A2/fr not_active Application Discontinuation
- 2004-06-17 US US10/561,234 patent/US20060282491A1/en not_active Abandoned
- 2004-06-17 EP EP04766054A patent/EP1639451A2/de not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
None * |
Also Published As
Publication number | Publication date |
---|---|
WO2004111831A2 (fr) | 2004-12-23 |
WO2004111831A3 (fr) | 2005-12-22 |
FR2856537A1 (fr) | 2004-12-24 |
FR2856537B1 (fr) | 2005-11-04 |
US20060282491A1 (en) | 2006-12-14 |
Similar Documents
Publication | Title |
---|---|
EP1166494B1 (de) | Countermeasure in an electronic component implementing an elliptic-curve public key cryptographic algorithm |
EP2946284B1 (de) | Cryptographic method comprising an operation by multiplication by a scalar or an exponentiation |
EP1358732B1 (de) | Secure encryption method and component for carrying out such an encryption method |
EP1381936B1 (de) | Countermeasure in an electronic component implementing an elliptic-curve public key cryptographic algorithm |
EP1969459A1 (de) | Cryptographic method comprising a modular exponentiation protected against hidden-channel attacks, cryptoprocessor for implementing the method, and associated smart card |
EP2162820A1 (de) | Montgomery-based modular exponentiation secured against hidden-channel attacks |
FR2809893A1 (fr) | Countermeasure method in an electronic component implementing an elliptic curve public key cryptographic algorithm |
WO2000059157A1 (fr) | Countermeasure method in an electronic component implementing an elliptic-curve-type public key cryptographic algorithm |
EP1804161B1 (de) | Detection of a disturbance in a cryptographic calculation |
EP1639451A2 (de) | Countermeasure method by masking the accumulator in an electronic component implementing a public key cryptographic algorithm |
EP1804160B1 (de) | Protection of a cryptographic calculation in an integrated circuit |
WO2004111833A1 (fr) | Countermeasure method in an electronic component |
WO2002001343A1 (fr) | Countermeasure methods in an electronic component implementing a Koblitz elliptic curve public key cryptographic algorithm |
EP4024753B1 (de) | Method and electronic module for computing a cryptographic quantity with carry-less multiplications, associated method and electronic device for processing data, and computer program |
EP1222528B1 (de) | Method for improving the performance of a multiplication operation in a finite field of characteristic 2 |
EP1695204A2 (de) | Cryptographic method for modular exponentiation protected against DPA-type attacks |
EP3929726A1 (de) | Cryptographic processing method, associated electronic device and computer program |
FR2854997A1 (fr) | Countermeasure method in an electronic component implementing a public key cryptographic algorithm on an elliptic curve defined over a field of characteristic two |
WO2002050658A1 (fr) | Countermeasure methods in an electronic component implementing an RSA-type public key cryptographic algorithm |
WO2002093411A1 (fr) | Device for performing exponentiation calculations applied to points of an elliptic curve |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PUAI | Public reference made under Article 153(3) EPC to a published international application that has entered the European phase | Original code: 0009012 |
| AK | Designated contracting states | Kind code of ref document: A2; designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR |
| AX | Request for extension of the European patent | Extension state: AL HR LT LV MK |
2006-06-22 | 17P | Request for examination filed | |
| RBV | Designated contracting states (corrected) | Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR |
| DAX | Request for extension of the European patent (deleted) | |
2007-02-12 | 17Q | First examination report despatched | |
| STAA | Information on the status of an EP patent application or granted EP patent | Status: the application is deemed to be withdrawn |
2007-06-26 | 18D | Application deemed to be withdrawn | |