EP1969459A1 - Kryptografisches verfahren mit einer modularen potenzierung, die gegen verborgene kanalangriffe geschützt ist, sowie kryptoprozessor zur umsetzung des verfahren und zugehörige chip-karte - Google Patents
Kryptografisches verfahren mit einer modularen potenzierung, die gegen verborgene kanalangriffe geschützt ist, sowie kryptoprozessor zur umsetzung des verfahren und zugehörige chip-karteInfo
- Publication number
- EP1969459A1 EP1969459A1 EP06841618A EP06841618A EP1969459A1 EP 1969459 A1 EP1969459 A1 EP 1969459A1 EP 06841618 A EP06841618 A EP 06841618A EP 06841618 A EP06841618 A EP 06841618A EP 1969459 A1 EP1969459 A1 EP 1969459A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- mod
- calculate
- exponentiation
- operand
- mgt
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
- 238000000034 method Methods 0.000 title claims abstract description 37
- 230000000873 masking effect Effects 0.000 claims abstract description 10
- 239000004300 potassium benzoate Substances 0.000 claims description 6
- 239000004322 Butylated hydroxytoluene Substances 0.000 claims description 4
- 239000004262 Ethyl gallate Substances 0.000 claims description 4
- 239000001679 citrus red 2 Substances 0.000 claims description 3
- 239000000555 dodecyl gallate Substances 0.000 claims description 3
- 239000000787 lecithin Substances 0.000 claims description 3
- 239000000574 octyl gallate Substances 0.000 claims description 3
- 239000004299 sodium benzoate Substances 0.000 claims description 3
- 239000003623 enhancer Substances 0.000 claims description 2
- 238000004364 calculation method Methods 0.000 description 16
- 238000011144 upstream manufacturing Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 2
- TVZRAEYQIKYCPH-UHFFFAOYSA-N 3-(trimethylsilyl)propane-1-sulfonic acid Chemical compound C[Si](C)(C)CCCS(O)(=O)=O TVZRAEYQIKYCPH-UHFFFAOYSA-N 0.000 description 1
- 238000000354 decomposition reaction Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7233—Masking, e.g. (A**e)+r mod n
- G06F2207/7238—Operand masking, i.e. message blinding, e.g. (A+r)**e mod n; k.(P+R)
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7257—Random modification not requiring correction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/728—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic using Montgomery reduction
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/04—Masking or blinding
- H04L2209/046—Masking or blinding of operations, operands or results of the operations
Definitions
- Cryptoqr ⁇ phiqu ⁇ method comprising a secure modular exponentiation against hidden channel attacks, cryptoprocessor for implementing the method and associated smart card
- El hide the operand A by a number s, s is a random number, or a number resulting from a function generating a sequence of deterministic numbers, or a fixed secret number,
- A is then according to the application a message to sign, to verify, to encrypt or to decipher.
- Bl is according to the application a public or private key. This is a result depending on the application a signed message, or decrypted.
- Masking the number A by a number s is a known countermeasure for securing modular exponentiation operations, especially when implemented in smart card microcircuits, against so-called auxiliary channel or hidden channel attacks ( Side Chanel Attacks) which provide information on the number Bl.
- a first known countermeasure of Dl is to draw a hazard s, calculate s B2 , where B2 is a private or public key associated with Bl, then multiply s B2 by A (s B2 .A), raise the result of the multiplication to the power Bl ((s B2 .A) B1 ) then reduce modulo N.
- Bl and B2 being a public key and an associated private key, we have Bl.
- B2 1 modulo ⁇ (N), where ⁇ represents the function of Euler, so that the result ((s B2 .A) B1 ) modulo N is simplified to give (sA B1 ) modulo N.
- This solution is certainly effective, but its implementation is expensive. Indeed, for the measurement to be effective, it is essential that s B2 is larger than the size of A. This assumes that s is large, more precisely larger than the size of A divided by size. B2.
- B2 is small (for example less than seventeen bits)
- s must be large (for example, more than the number of bits in the module divided by seventeen).
- Producing random numbers of large sizes requires the use of a large generator, which on the one hand consumes a large current and on the other hand requires a relatively large time, which is not always compatible with applications smart card type. Moreover the time to realize the division can be long.
- a second countermeasure known in particular from the document D2 (J. S. Coron, P. Paillier "Countermeasure method in an electronic component which uses RSA-type public key cryptography algorithm" Patent number FR 2799851.
- An object of the invention is to provide a solution for performing a modular operation type A B1 mod N more interesting than the known solutions because inexpensive to implement.
- B1 and B2 are naturally associated private and public keys.
- the hazard s is on the one hand multiplied by B2 and on the other hand it is placed in exponent.
- the parameter ⁇ s - B2 is large enough to mask the operand A, even when s is small. With the invention, it is therefore not necessary to have a large random generator.
- Another object of the invention is to provide a rapid process to implement.
- the steps of E1 masking, E2 exponentiation and E3 unmasking are carried out using a Montgomery multiplier, which has the advantage of making modular multiplications which are particularly quick to execute compared to conventional multipliers and very useful for exponentiation.
- the constant K equal to 2 P is chosen, p being an integer between 0 and n, n being an enhancer of the size of the module N.
- N we mean here an equal number or slightly larger than the size of n, and conventionally dependent on the choice of implementation of Montgomery multiplication and / or the hardware capabilities of the processor in which the multiplication is implemented. For example, if N is a number of 520 bits, and if the processor used works with words of 576 bits, advantageously n will be chosen equal to 576 bits.
- the invention also relates to a cryptoprocessor including in particular a Montgomery multiplier for the implementation of a method as described above.
- the invention finally relates to a smart card comprising a cryptoprocessor as described above.
- operand A is multiplied by a parameter of the form K S ' B2 , where K is a constant and B2 is a second exponent such that B1 is a constant.
- step E3 the contribution K s brought by the hazard is removed at C to find the desired result vs.
- the invention is preferably implemented using a Montgomery multiplier.
- One advantage of this multiplier is its speed of computation.
- the disadvantage of this multiplier is that it introduces into the computation a constant R, called the Montgomery constant.
- the Montgomery constant is intrinsic to the multiplier and it is necessary to suppress its contribution upstream of the computation, during the calculation or at the end.
- Mgt (CA, B, N) AB mod N.
- the Montgomery multiplications and exponentiations are used to accelerate the exponentiation calculation masked by the hazard K S ' B2 .
- step E1 of masking operand A the following sub-steps are carried out, consisting of:
- step E3 of unmasking the masked result the following sub-steps are carried out:
- E012 choose a random number s and multiply it by B2 to get if, E013: calculate R 2 ,
- the same register or the same part of memory can be used to store intermediate variables whose name includes the same letter: Ml, M2 can be stored successively in a register M, likewise the variables II, 12, V can be stored in the same register I, and the variables U1, U2, U3, U4 can be stored in the same register U.
- Step ElIl also becomes unnecessary since R2 has been calculated during step E013
- step E211 becomes useless
- the invention can also be advantageously combined with the Chinese remainder theorem to accelerate the calculation of the exponentiation, it is commonly referred to as RSA-CRT.
- step E3 the value K 2 in (K 2 ) ⁇ s is appropriate for the Montgomery modular operations on the module N, given that the size of N is less than or equal to the sum of the sizes of p. and q, size (N) ⁇ size (p) + size (q) ⁇ 2 * max (size (p), size (q)).
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Computational Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0513305A FR2895609A1 (fr) | 2005-12-26 | 2005-12-26 | Procede cryptographique comprenant une exponentiation modulaire securisee contre les attaques a canaux caches, cryptoprocesseur pour la mise en oeuvre du procede et carte a puce associee |
PCT/EP2006/070206 WO2007074149A1 (fr) | 2005-12-26 | 2006-12-22 | Procédé cryptographique comprenant une exponentiation modulaire sécurisée contre les attaques à canaux cachés, cryptoprocesseur pour la mise en oeuvre du procédé et carte à puce associée |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1969459A1 true EP1969459A1 (de) | 2008-09-17 |
Family
ID=36782564
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06841618A Ceased EP1969459A1 (de) | 2005-12-26 | 2006-12-22 | Kryptografisches verfahren mit einer modularen potenzierung, die gegen verborgene kanalangriffe geschützt ist, sowie kryptoprozessor zur umsetzung des verfahren und zugehörige chip-karte |
Country Status (5)
Country | Link |
---|---|
US (1) | US8265266B2 (de) |
EP (1) | EP1969459A1 (de) |
CN (1) | CN101346691A (de) |
FR (1) | FR2895609A1 (de) |
WO (1) | WO2007074149A1 (de) |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2015171A1 (de) * | 2007-06-29 | 2009-01-14 | Gemplus | Kryptographieverfahren, das eine gesicherte modulare Potenzierung gegen Angriffe mit verborgenen Kanälen ohne Kenntnis des öffentlichen Exponenten umfasst, Kryptoprozessor zur Umsetzung des Verfahrens und dazugehörige Chipkarte |
CN101808089A (zh) * | 2010-03-05 | 2010-08-18 | 中国人民解放军国防科学技术大学 | 基于非对称加密算法同态性的秘密数据传输保护方法 |
EP2437160A1 (de) * | 2010-10-04 | 2012-04-04 | Nagravision S.A. | Verschleierte modulare Potenzierung |
WO2012090289A1 (ja) * | 2010-12-27 | 2012-07-05 | 富士通株式会社 | 暗号処理装置および方法 |
FR2972064B1 (fr) * | 2011-02-25 | 2013-03-15 | Inside Secure | Procede de cryptographie comprenant une operation d'exponentiation |
DE102011117236A1 (de) * | 2011-10-28 | 2013-05-02 | Giesecke & Devrient Gmbh | Effiziente Primzahlprüfung |
ITMI20111992A1 (it) * | 2011-11-03 | 2013-05-04 | St Microelectronics Srl | Metodo per crittografare un messaggio mediante calcolo di funzioni matematiche comprendenti moltiplicazioni modulari |
DE102012005427A1 (de) * | 2012-03-16 | 2013-09-19 | Giesecke & Devrient Gmbh | Verfahren und System zur gesicherten Kommunikation zwischen einen RFID-Tag und einem Lesegerät |
US9959429B2 (en) * | 2013-03-15 | 2018-05-01 | Cryptography Research, Inc. | Asymmetrically masked multiplication |
CN103207770B (zh) * | 2013-04-16 | 2016-09-28 | 飞天诚信科技股份有限公司 | 一种在嵌入式系统中实现大数预计算的方法 |
CN104796250B (zh) * | 2015-04-11 | 2018-05-25 | 成都信息工程学院 | 针对RSA密码算法M-ary实现的侧信道攻击方法 |
US10181944B2 (en) | 2015-06-16 | 2019-01-15 | The Athena Group, Inc. | Minimizing information leakage during modular exponentiation and elliptic curve point multiplication |
IL239880B (en) * | 2015-07-09 | 2018-08-30 | Kaluzhny Uri | Simplified montgomery multiplication |
US10462498B2 (en) * | 2017-02-07 | 2019-10-29 | The Directv Group, Inc. | Providing options to live stream multimedia content |
CN111712816B (zh) | 2018-03-28 | 2024-05-03 | 密码研究公司 | 使用密码蒙蔽以用于高效地使用蒙哥马利乘法 |
CN108599951B (zh) * | 2018-08-10 | 2021-10-01 | 北京奇虎科技有限公司 | 加密方法、加密装置、计算设备及计算机存储介质 |
FR3095709B1 (fr) * | 2019-05-03 | 2021-09-17 | Commissariat Energie Atomique | Procédé et système de masquage pour la cryptographie |
US11508263B2 (en) | 2020-06-24 | 2022-11-22 | Western Digital Technologies, Inc. | Low complexity conversion to Montgomery domain |
US11468797B2 (en) | 2020-06-24 | 2022-10-11 | Western Digital Technologies, Inc. | Low complexity conversion to Montgomery domain |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005048008A2 (en) * | 2003-11-16 | 2005-05-26 | M-Systems Flash Disk Pioneers Ltd. | Enhanced natural montgomery exponent masking |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6748410B1 (en) * | 1997-05-04 | 2004-06-08 | M-Systems Flash Disk Pioneers, Ltd. | Apparatus and method for modular multiplication and exponentiation based on montgomery multiplication |
US6064740A (en) * | 1997-11-12 | 2000-05-16 | Curiger; Andreas | Method and apparatus for masking modulo exponentiation calculations in an integrated circuit |
US6304658B1 (en) * | 1998-01-02 | 2001-10-16 | Cryptography Research, Inc. | Leak-resistant cryptographic method and apparatus |
CA2333095C (en) * | 1998-06-03 | 2005-05-10 | Cryptography Research, Inc. | Improved des and other cryptographic processes with leak minimization for smartcards and other cryptosystems |
FR2799851B1 (fr) | 1999-10-14 | 2002-01-25 | Gemplus Card Int | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type rsa |
JP4086503B2 (ja) * | 2002-01-15 | 2008-05-14 | 富士通株式会社 | 暗号演算装置及び方法並びにプログラム |
FR2848753B1 (fr) * | 2002-12-11 | 2005-02-18 | Gemplus Card Int | Procede de division entiere ou de reduction modulaire securise contre les attaques a canaux caches |
EP1840732A1 (de) * | 2006-03-31 | 2007-10-03 | Axalto SA | Schutz vor Seitenkanalangriffen |
EP2154604A1 (de) * | 2008-08-06 | 2010-02-17 | Gemalto SA | Gegenmassname zum Schutz von auf Potenzierung basierender Kryptographie |
US8572406B2 (en) * | 2010-03-31 | 2013-10-29 | Inside Contactless | Integrated circuit protected against horizontal side channel analysis |
KR101610917B1 (ko) * | 2010-03-08 | 2016-04-11 | 삼성전자주식회사 | 암호 알고리즘의 복호 방법 및 그것을 포함하는 암호 시스템 |
-
2005
- 2005-12-26 FR FR0513305A patent/FR2895609A1/fr active Pending
-
2006
- 2006-12-22 EP EP06841618A patent/EP1969459A1/de not_active Ceased
- 2006-12-22 US US12/086,619 patent/US8265266B2/en not_active Expired - Fee Related
- 2006-12-22 WO PCT/EP2006/070206 patent/WO2007074149A1/fr active Application Filing
- 2006-12-22 CN CN200680049130.8A patent/CN101346691A/zh active Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005048008A2 (en) * | 2003-11-16 | 2005-05-26 | M-Systems Flash Disk Pioneers Ltd. | Enhanced natural montgomery exponent masking |
Also Published As
Publication number | Publication date |
---|---|
US20100014656A1 (en) | 2010-01-21 |
WO2007074149A1 (fr) | 2007-07-05 |
US8265266B2 (en) | 2012-09-11 |
FR2895609A1 (fr) | 2007-06-29 |
CN101346691A (zh) | 2009-01-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1969459A1 (de) | Kryptografisches verfahren mit einer modularen potenzierung, die gegen verborgene kanalangriffe geschützt ist, sowie kryptoprozessor zur umsetzung des verfahren und zugehörige chip-karte | |
EP2162820A1 (de) | Auf montgomery basierende modulare exponentierung mit sicherung vor verborgenen kanalattacken | |
EP2946284B1 (de) | Kryptografisches verfahren mit einem betrieb durch multiplikation mittels eines skalars oder einer exponentiation | |
EP1757009B1 (de) | Verfahren und anordnung zur ausführung einer kryptographischen berechnung | |
EP1166494B1 (de) | Gegenmassnahmen in einem elektronischen baustein zur ausführung eines krypto-algorithmus mit auf elliptischen kurven basierendem öffentlichem schlüssel | |
EP2791784A1 (de) | Verfahren zur erzeugung von nachgewiesenermassen für chipkarten geeignete primzahlen | |
FR2926652A1 (fr) | Procede et dispositifs de contre-mesure pour cryptographie asymetrique a schema de signature | |
FR2809893A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique sur courbe elliptique | |
EP2391051B1 (de) | Verfahren zur Bestimmung der Darstellung einer Multiplikation von zwei Elementen eines endlichen Körpers | |
WO2000059157A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type courbe elliptique | |
FR2888690A1 (fr) | Procede cryptographique pour la mise en oeuvre securisee d'une exponentiation et composant associe | |
EP1291763A1 (de) | Verfahren zum Verwürflen einer Berechnung mit einer Geheimzahl | |
WO2006103149A1 (fr) | Procede et dispositif cryptographique permettant de proteger les logiques de cles publiques contre les attaques par faute | |
EP1804160B1 (de) | Schutz einer kryptographischen Berechnung in einem integrierten Schaltkreis | |
CA2257907A1 (fr) | Procede de cryptographie a cle publique | |
WO2004111831A2 (fr) | Procede de contre-mesure par masquage de l'accumulateur | |
EP1820297A1 (de) | Verfahren zur erzeugung einer signatur mit beweis der strengen sicherheit, zugehöriges verifizierungsverfahren und zugehöriges signaturschema auf basis des diffie-hellman-modells | |
EP1639450A1 (de) | Gegenmassnahmenverfahren in einem elektronischen bauelement | |
EP3929726A1 (de) | Kryptographisches verarbeitungsverfahren, entsprechende elektronische vorrichtung und entsprechendes computerprogramm | |
FR2864390A1 (fr) | Procede cryptographique d'exponentiation modulaire protege contre les attaques de type dpa. | |
FR2843507A1 (fr) | Procede securise de realisation parallele d'une exponentiation modulaire, procede cryptographique et circuit de calcul associes | |
FR3010562A1 (fr) | Procede de traitement de donnees et dispositif associe | |
FR2797126A1 (fr) | Procede d'amelioration de performance de l'operation de multiplication sur corps fini de caracteristique 2 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20080728 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: GEMALTO SA |
|
17Q | First examination report despatched |
Effective date: 20090904 |
|
DAX | Request for extension of the european patent (deleted) | ||
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R003 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
|
18R | Application refused |
Effective date: 20131104 |