Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F21/75—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
  • G06F21/755—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/55—Detecting local intrusion or implementing counter-measures
  • G06F21/556—Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
  • G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F21/77—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
  • G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/002—Countermeasures against attacks on cryptographic mechanisms
  • H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
  • H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
  • H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
  • H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme

Definitions

• the present invention relates to a cryptographic method enabling the secure implementation of an exponentiation in an electronic component, this implementation being more particularly used in the context of an asymmetric cryptographic algorithm, for example of the RSA type.
• the invention also relates to the electronic component comprising the means for implementing this method.
• Electronic components implementing cryptographic algorithms are generally used in applications where access to services or data is severely controlled. They have an architecture that allows them to execute any type of algorithm.
• such electronic components implement a cryptographic algorithm that makes it possible to ensure the encryption of transmitted data and / or the decryption of received data, the digital signature of a message and / or the verification of this signature. Indeed, from a message applied by a host system to the input of the electronic component, and from secret numbers contained in the electronic component, the electronic component provides back to the host system the signed message, which allows for example, the host system to authenticate the electronic component.
• the electronic component decrypts the message.
• the characteristics of cryptographic algorithms may be known, such as the calculations performed or the parameters used.
• the security of these cryptographic algorithms relies essentially on the secret number (s) used in the algorithm. This or these secret numbers are contained in the electronic component and are totally unknown to the external environment.
• the RSA-type cryptographic algorithms are based on a mathematical problem that is considered computationally complex for sufficiently large numbers, namely factorization.
• a number of protection techniques to prevent these external attacks are known. For example, it is possible to use a power supply device comprising capacitors able to mask the fluctuations in the power consumption. Computing devices can also be enclosed in shielded protective housings confining electromagnetic radiation.
• An object of the present invention is therefore to provide an RSA type cryptographic method and an associated electronic component which make it possible to counter hidden channel type attacks (whether simple or differential) more quickly and more efficiently.
• an asymmetric cryptographic method applied to a message M comprises a private operation of signing or decrypting the message M to obtain a signed or decrypted message, private operation being defined from at least one modular exponentiation EM of the form
• EM M mod B, A and B respectively being the exponent and the modular exponentiation module EM, mod denoting the modulo operation, and the private operation comprising the steps of:
• the step of calculating the signed or decrypted message s is performed by reducing EM *, the result of the intermediate modular exponentiation.
• a cryptographic method characterized in that it uses a public key and a private key, the public key being composed of a module ⁇ / RSA type and an exponent public e, and the private key being composed of the module N of type
• RSA a private exponent d
• ed lmod ⁇ ( ⁇ 0, ⁇ being the indicator function of Euler
• N * x N. N with x N a public value dependent on N and M; b) Calculate an intermediate message M * randomly, such as
• step a i) of calculating the value ⁇ comprises the steps of:
• a cryptographic method characterized in that it uses a public key and a private key, the public key being composed of a module ⁇ / RSA type product of two large prime numbers p and q, and a public exponent e, and the private key being composed of the "quintuplet" (p, q, d p , d q , i q ) with
• M p * [(M mod p *) + x Mp .p] mo ⁇ p *, with x Mp a value
• an asymmetric cryptographic method applied to a message M to be signed or deciphered in a signed or decrypted message characterized in that the cryptographic method uses a public key and a private key, the public key being composed of a module N of type RSA, produced by two large prime numbers p and q, and a public exponent e, and the private key being composed of the "quintuplet" (p, q, d p , d q , i q ) with
• the signed or decrypted message is calculated according to the steps of:
• an electronic component comprising means for implementing the cryptographic method according to the various embodiments of the invention.
• the electronic component comprises for example a programmed processing means, such as a microprocessor, for implementing the cryptographic method according to the invention.
• FIG. 1 is a schematic diagram of the standard mode RSA cryptographic method according to a preferred aspect of the invention
• FIG. 2 is a schematic diagram of the CRT mode RSA cryptographic method according to another preferred aspect of the invention.
• FIG. 3 is a schematic diagram of the RSA cryptographic method in CRT mode according to yet another aspect of the invention.
• the first embodiment of the public key signature and encryption scheme was developed by Rivest, Shamir and Adleman, who invented the RSA type cryptographic system. This system is the most used public key cryptosystem.
• It can be used as an encryption method or as a signature method.
• the RSA type cryptographic system uses modular exponentiation calculations. It consists firstly in generating the RSA key pair that will be used for these modular exponentiations. Thus, each user creates an RSA public key and a corresponding private key, according to the following 5-step process:
• the public key is the pair (N, e) and the private key is the pair (N, d).
• the integers e and d are called respectively public exponent and private exponent.
• the integer N is called the RSA module.
• the public operation on x which is called the message x encryption, consists of calculating the modular exponentiation: y - x e mod N
• the corresponding private operation is the decryption operation of the encrypted message y, and consists in calculating the modular exponentiation: / mod / V
• signature verification y uses the public key (N, e) and the x and y values and consists of checking whether
• the mode shown above is called standard mode.
• CRT mode Another mode of operation of the RSA cryptography algorithm
• CRT Chinese Reminder Theorem
• This mode of operation says CRT is much faster than the standard mode.
• the modular exponentiation is not directly calculated modulo N, but one carries out first two calculations of modular exponentiation, respectively modulo p and modulo q.
• the operation that must necessarily be protected is the so-called private operation.
• the private operation is the only operation of the cryptography algorithm that uses private numbers unknown to the outside environment, namely the private exponent d in the case of a standard mode RSA cryptography algorithm, and the numbers p, q, d p , d q and i q forming the private elements in the case of an RSA cryptography algorithm in CRT mode.
• Hidden channel type attacks are based on an analysis of the calculations performed during the cryptography algorithm.
• the countermeasure proposed in this document is therefore a method for the secure implementation of an exponentiation that prevents the external detection of the private number or numbers used in the RSA type cryptography algorithm, especially during the private operation.
• M, A and B are respectively called the base, the exponent and the module.
• the progress of the private operation is based on the use of intermediate parameters, derived from the calculation parameters A, B, or M and can therefore be done according to the steps of:
• the intermediate exponent A * is calculated randomly or deterministically.
• the embodiment of the invention presented below relates to the standard mode RSA cryptography algorithm in the case of a signature operation.
• the invention is not limited to such a signature method and may also be used in the context of a method of encrypting a message.
• One way to secure this private operation is to perform a transformation of the calculation parameters used to compute s. This transformation of the parameters must be such that all or part of the parameters used for the calculation of s are wholly or partly modified at each execution of the cryptography algorithm.
• the first step of the secure implementation method according to the invention consists in transforming the RSA type module N into an intermediate module N *.
• N * x N .N with x N a public value dependent on both N and M and which allows the possible normalization of N module of type RSA.
• An exemplary embodiment of this function f is presented later in this document. It should be noted that, since the function f is deterministic and public, and M and N are also public, the value ⁇ is also public.
• the value T it corresponds to the normalization coefficient that can sometimes be used in certain types of multiplication algorithms modular, such as the multiplication of Quisquater. In the case where the normalization of the module is not necessary, then the coefficient T is taken equal to 1.
• the second step is to transform M into an intermediate message M *.
• the parameters ⁇ and T are identical to the parameters ⁇ and T taken to calculate the intermediate module ⁇ / *.
• r-i is an integer taken randomly according to any random draw process.
• e and d are respectively the public and private exponents of the RSA cryptography algorithm and r 2 is an integer randomly drawn according to any random draw method.
• the final step is to reduce the intermediate modular exponentiation s * to obtain the signed value s.
• the step of reducing s * to get the signed value s remains the same.
• the private operation of generating a signature s from a message M is much more secure because of the change of the intermediate values used during the RSA type cryptography algorithm.
• the intermediate parameter M * changes with each run of the RSA cryptography algorithm in standard mode.
• the parameter d * is not taken equal to d, it also changes value each time the algorithm is executed.
• the intermediate parameter N * changes each time the message M to sign varies.
• this method uses only one random number (even a second if the intermediate parameter of * is not equal to d), which allows, among other things, a saving in power consumption but also in computing time.
• the value ⁇ is obtained from a function / that one chooses determinist and public.
• the value ⁇ is thus obtained deterministically and publicly as a function of the message to sign M and N module RSA type.
• the method for obtaining the value ⁇ can for example be the following.
• the parameter M and the parameter N are decomposed as follows:
• I I w depends on the architecture of the microprocessor with which the calculations of the algorithm are made. We can take for example w among the values 8, 16, 32, or 64.
• ⁇ ⁇ is for example a rotation, or more generally a function belonging to the group of the set of permutations S of length a.
• Z 0 can be set to any value.
• the method of secure implementation of an RSA type cryptographic algorithm in CRT can be used both in a signature method and in a method of encrypting a message.
• the calculation of the intermediate modular exponentiation s p * includes the following steps.
• the first step of the secure implementation method according to the invention consists in transforming the module p into an intermediate module p *.
• f p a deterministic and public function, f p being a function comparable to the function / used in the case of the standard mode, k is a non-zero positive integer. Nevertheless, ⁇ p does not depend on ⁇ / but depends on Af mod 2.
• JVmod2 * (/?mod2*).(#mod2*).mod2*
• ⁇ p is determined from the k least significant bits of the N module.
• ⁇ p is therefore a deterministic and public value.
• the coefficient T corresponds to the normalization coefficient sometimes used in certain types of modular multiplication algorithms. If normalization is not necessary then Test taken equal to 1.
• M p * [(M mod p *) + x Mp .p] mod p *
• s p * M p * dp mo ⁇ p *
• the signed message s should be calculated from the intermediate exponentiations s p * and s q * which have just been calculated.
• the first way of calculating s from s p * and s q * is to reduce them in order to obtain s p and s q respectively .
• Another way of calculating the signed message s is to directly recombine the intermediate exponentiations s p * and s q *.
• This particular recombination notably allows a saving of memory time and calculation time.
• the computation of the signed message s of directly recombining the intermediate modular exponentiations s p * and s q * as above can be used in any other RSA cryptographic method, in CRT mode, which uses intermediate modular exponentiation s p * and s q * calculated respectively from the intermediate modules p * and q * (which themselves are respectively derived from the modules p and q).
• s * s q * + q. ((I q (s p * -s q *)) mod p *)

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Computer Hardware Design (AREA)
• General Engineering & Computer Science (AREA)
• Software Systems (AREA)
• Computing Systems (AREA)
• Mathematical Physics (AREA)
• Signal Processing (AREA)
• Computer Networks & Wireless Communication (AREA)
• Mathematical Analysis (AREA)
• Mathematical Optimization (AREA)
• Pure & Applied Mathematics (AREA)
• Computational Mathematics (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=36103656

Family Applications (1)

Country Status (4)

Families Citing this family (7)

Family Cites Families (5)

• 2005
  • 2005-07-13 FR FR0507519A patent/FR2888690A1/fr active Pending
• 2006
  • 2006-07-13 EP EP06764162A patent/EP1904921A1/de not_active Withdrawn
  • 2006-07-13 WO PCT/EP2006/064228 patent/WO2007006810A1/fr active Application Filing
  • 2006-07-13 US US11/988,750 patent/US20090122980A1/en not_active Abandoned

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events