Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
  • G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
  • G06F7/723—Modular exponentiation
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/002—Countermeasures against attacks on cryptographic mechanisms
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
  • G06F2207/7219—Countermeasures against side channel or fault attacks
  • G06F2207/7223—Randomisation as countermeasure against side channel attacks
  • G06F2207/7233—Masking, e.g. (A**e)+r mod n
  • G06F2207/7238—Operand masking, i.e. message blinding, e.g. (A+r)**e mod n; k.(P+R)
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
  • G06F2207/7219—Countermeasures against side channel or fault attacks
  • G06F2207/7223—Randomisation as countermeasure against side channel attacks
  • G06F2207/7257—Random modification not requiring correction
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
  • G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
  • G06F7/728—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic using Montgomery reduction
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/04—Masking or blinding
  • H04L2209/046—Masking or blinding of operations, operands or results of the operations

Definitions

• Cryptoqr ⁇ phiqu ⁇ method comprising a secure modular exponentiation against hidden channel attacks, cryptoprocessor for implementing the method and associated smart card
• El hide the operand A by a number s, s is a random number, or a number resulting from a function generating a sequence of deterministic numbers, or a fixed secret number,
• A is then according to the application a message to sign, to verify, to encrypt or to decipher.
• Bl is according to the application a public or private key. This is a result depending on the application a signed message, or decrypted.
• Masking the number A by a number s is a known countermeasure for securing modular exponentiation operations, especially when implemented in smart card microcircuits, against so-called auxiliary channel or hidden channel attacks ( Side Chanel Attacks) which provide information on the number Bl.
• a first known countermeasure of Dl is to draw a hazard s, calculate s B2 , where B2 is a private or public key associated with Bl, then multiply s B2 by A (s B2 .A), raise the result of the multiplication to the power Bl ((s B2 .A) B1 ) then reduce modulo N.
• Bl and B2 being a public key and an associated private key, we have Bl.
• B2 1 modulo ⁇ (N), where ⁇ represents the function of Euler, so that the result ((s B2 .A) B1 ) modulo N is simplified to give (sA B1 ) modulo N.
• This solution is certainly effective, but its implementation is expensive. Indeed, for the measurement to be effective, it is essential that s B2 is larger than the size of A. This assumes that s is large, more precisely larger than the size of A divided by size. B2.
• B2 is small (for example less than seventeen bits)
• s must be large (for example, more than the number of bits in the module divided by seventeen).
• Producing random numbers of large sizes requires the use of a large generator, which on the one hand consumes a large current and on the other hand requires a relatively large time, which is not always compatible with applications smart card type. Moreover the time to realize the division can be long.
• a second countermeasure known in particular from the document D2 (J. S. Coron, P. Paillier "Countermeasure method in an electronic component which uses RSA-type public key cryptography algorithm" Patent number FR 2799851.
• An object of the invention is to provide a solution for performing a modular operation type A B1 mod N more interesting than the known solutions because inexpensive to implement.
• B1 and B2 are naturally associated private and public keys.
• the hazard s is on the one hand multiplied by B2 and on the other hand it is placed in exponent.
• the parameter ⁇ s - B2 is large enough to mask the operand A, even when s is small. With the invention, it is therefore not necessary to have a large random generator.
• Another object of the invention is to provide a rapid process to implement.
• the steps of E1 masking, E2 exponentiation and E3 unmasking are carried out using a Montgomery multiplier, which has the advantage of making modular multiplications which are particularly quick to execute compared to conventional multipliers and very useful for exponentiation.
• the constant K equal to 2 P is chosen, p being an integer between 0 and n, n being an enhancer of the size of the module N.
• N we mean here an equal number or slightly larger than the size of n, and conventionally dependent on the choice of implementation of Montgomery multiplication and / or the hardware capabilities of the processor in which the multiplication is implemented. For example, if N is a number of 520 bits, and if the processor used works with words of 576 bits, advantageously n will be chosen equal to 576 bits.
• the invention also relates to a cryptoprocessor including in particular a Montgomery multiplier for the implementation of a method as described above.
• the invention finally relates to a smart card comprising a cryptoprocessor as described above.
• operand A is multiplied by a parameter of the form K S ' B2 , where K is a constant and B2 is a second exponent such that B1 is a constant.
• step E3 the contribution K s brought by the hazard is removed at C to find the desired result vs.
• the invention is preferably implemented using a Montgomery multiplier.
• One advantage of this multiplier is its speed of computation.
• the disadvantage of this multiplier is that it introduces into the computation a constant R, called the Montgomery constant.
• the Montgomery constant is intrinsic to the multiplier and it is necessary to suppress its contribution upstream of the computation, during the calculation or at the end.
• Mgt (CA, B, N) AB mod N.
• the Montgomery multiplications and exponentiations are used to accelerate the exponentiation calculation masked by the hazard K S ' B2 .
• step E1 of masking operand A the following sub-steps are carried out, consisting of:
• step E3 of unmasking the masked result the following sub-steps are carried out:
• E012 choose a random number s and multiply it by B2 to get if, E013: calculate R 2 ,
• the same register or the same part of memory can be used to store intermediate variables whose name includes the same letter: Ml, M2 can be stored successively in a register M, likewise the variables II, 12, V can be stored in the same register I, and the variables U1, U2, U3, U4 can be stored in the same register U.
• Step ElIl also becomes unnecessary since R2 has been calculated during step E013
• step E211 becomes useless
• the invention can also be advantageously combined with the Chinese remainder theorem to accelerate the calculation of the exponentiation, it is commonly referred to as RSA-CRT.
• step E3 the value K 2 in (K 2 ) ⁇ s is appropriate for the Montgomery modular operations on the module N, given that the size of N is less than or equal to the sum of the sizes of p. and q, size (N) ⁇ size (p) + size (q) ⁇ 2 * max (size (p), size (q)).

Landscapes

• Engineering & Computer Science (AREA)
• Physics & Mathematics (AREA)
• General Physics & Mathematics (AREA)
• Mathematical Analysis (AREA)
• Mathematical Optimization (AREA)
• Pure & Applied Mathematics (AREA)
• Computational Mathematics (AREA)
• Theoretical Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computing Systems (AREA)
• Mathematical Physics (AREA)
• General Engineering & Computer Science (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=36782564

Family Applications (1)

Country Status (5)

Families Citing this family (19)

Citations (1)

Family Cites Families (11)

• 2005
  • 2005-12-26 FR FR0513305A patent/FR2895609A1/fr active Pending
• 2006
  • 2006-12-22 EP EP06841618A patent/EP1969459A1/de not_active Ceased
  • 2006-12-22 US US12/086,619 patent/US8265266B2/en not_active Expired - Fee Related
  • 2006-12-22 WO PCT/EP2006/070206 patent/WO2007074149A1/fr active Application Filing
  • 2006-12-22 CN CN200680049130.8A patent/CN101346691A/zh active Pending

Patent Citations (1)

Also Published As

Similar Documents

Legal Events