EP1994465A1 - Method for securing a calculation of an exponentiation or a multiplication by a scalar in an electronic device - Google Patents

Method for securing a calculation of an exponentiation or a multiplication by a scalar in an electronic device

Info

Publication number
EP1994465A1
Authority
EP
European Patent Office
Prior art keywords
value
register
initial
component
calculation
Prior art date
Legal status
Withdrawn
Application number
EP07726722A
Other languages
English (en)
French (fr)
Inventor
Marc Joye
Current Assignee
Thales DIS France SA
Original Assignee
Gemplus SA
Priority date
2006-03-16
Filing date
2007-03-08
Publication date
2008-11-26
Application filed by Gemplus SA
Publication of EP1994465A1
Current legal status: application deemed withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 The same, using residue arithmetic
    • G06F7/723 Modular exponentiation
    • G06F7/724 Finite field arithmetic
    • G06F7/725 Finite field arithmetic over elliptic curves
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219 Countermeasures against side channel or fault attacks
    • G06F2207/7261 Uniform execution, e.g. avoiding jumps, or using formulae with the same power profile

Definitions

  • the present invention relates to a method of calculating an exponentiation or a multiplication by a scalar, with particular application in the field of cryptology.
  • the invention applies in particular to cryptographic algorithms implemented in electronic devices such as smart cards.
  • y = x^r, where x is an element of a set noted multiplicatively and r is a predetermined number; together they encode a value y.
  • the value y may correspond, for example, to an encrypted text or to a signed or verified data item.
  • the square-and-multiply (SAM) algorithm can be written in the following way:
  • the method generally used is to remove the conditional branching on the value of the number r (the secret key), so as to obtain a constant-code algorithm.
  • the secure binary method thus becomes the "square and multiply always" method, or SMA algorithm, that is to say a method in which a squaring and a multiplication are systematically performed for every bit of the key, the result of the multiplication being discarded when the bit is 0.
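As an added illustration (this is not code from the patent): the two binary methods just described, for y = x^r mod n. An operation trace shows why plain square-and-multiply exposes r to a simple side-channel analysis, and a simulated computational fault shows why the "always" variant, although its operation sequence is regular, remains exposed to safe-error attacks, which is the weakness the invention addresses. The function names, the modulus and the sample key are this example's own choices.

```python
# Added example, not from the patent: left-to-right square-and-multiply (SAM)
# versus square-and-multiply-always (SMA) for y = x^r mod n. Function names,
# the trace format and the safe-error probe are this example's own constructs.

def sam(x, r, n, trace=None):
    """Classic SAM: a squaring per key bit, a multiplication only when the bit is 1.
    The recorded operation sequence therefore depends on the secret r."""
    y = 1
    for bit in bin(r)[2:]:              # most significant bit first
        y = y * y % n
        if trace is not None:
            trace.append("S")
        if bit == "1":                  # conditional branch on the key bit
            y = y * x % n
            if trace is not None:
                trace.append("M")
    return y


def sma(x, r, n, trace=None):
    """SMA: a squaring and a multiplication for every bit, with no branch on r.
    When the bit is 0 the product goes to a dummy register and is discarded,
    so every key produces the same operation sequence S M S M ... S M."""
    reg = [1, 1]                        # reg[0]: accumulator, reg[1]: dummy
    for bit in bin(r)[2:]:
        reg[0] = reg[0] * reg[0] % n
        b = 1 - int(bit)                # b = 0: useful product, b = 1: dummy product
        reg[b] = reg[0] * x % n
        if trace is not None:
            trace.extend(("S", "M"))
    return reg[0]


def bits_from_sam_trace(trace):
    """What a simple power or timing analysis recovers from sam(): an 'S'
    followed by an 'M' is a 1 bit, an 'S' followed by another 'S' (or by the
    end of the trace) is a 0 bit."""
    bits = []
    for i, op in enumerate(trace):
        if op == "S":
            bits.append(1 if i + 1 < len(trace) and trace[i + 1] == "M" else 0)
    return int("".join(map(str, bits)), 2)


def sma_safe_error_probe(x, r, n, i):
    """C safe-error attack on sma(): corrupt the product computed for bit
    position i (0 = most significant) and report whether the output is still
    correct. A correct output means the product was the dummy one, i.e. bit i
    of r is 0, so the regular operation sequence alone does not protect r."""
    reg = [1, 1]
    for j, bit in enumerate(bin(r)[2:]):
        reg[0] = reg[0] * reg[0] % n
        b = 1 - int(bit)
        prod = reg[0] * x % n
        if j == i:
            prod = (prod + 1) % n       # injected computational fault
        reg[b] = prod
    return reg[0] == pow(x, r, n)


def recover_key_by_safe_errors(x, r, n):
    """Run the probe once per bit position; the key is read off directly."""
    t = r.bit_length()
    return int("".join("0" if sma_safe_error_probe(x, r, n, i) else "1"
                       for i in range(t)), 2)
```

The dummy register in sma() is exactly what a safe-error attacker exploits: a fault that lands in a discarded product leaves the output unchanged, and the attacker only needs to compare outputs, not read a power trace. A countermeasure therefore has to make every computed value contribute to the result, which is what the register update rule of the invention does.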
  • a first object of the invention is to provide a scalar multiplication calculation method which is relatively well protected against simple side-channel attacks and against "safe-error" type attacks.
  • Another object of the invention is to provide a method of calculating the multiplication by a scalar that contains no conditional branching.
  • Another object of the invention is to provide a scalar multiplication calculation method that is relatively efficient in terms of the number of operations.
  • Another object of the invention is to provide a scalar multiplication calculation method that is relatively efficient in terms of the types of operations to be implemented.
  • Another object of the invention is to provide a scalar multiplication calculation method that is relatively efficient in terms of memory space used.
  • Another object of the invention is to perform a multiplication calculation by a scalar by performing only doubling and adding operations of the type 2A + B.
  • the invention firstly relates to a method for calculating a multiplication of an element of an additively noted group by a scalar, said scalar being decomposed into a representation comprising a plurality of components, each of said components taking a component value from at least a first component value and a second component value, said method being intended to be implemented in an electronic device, said electronic device comprising at least one memory comprising at least a first register and a second register, said first register storing a first register value, said second register storing a second register value, characterized in that said method comprises the steps of:
  • the register value, corresponding to the current value of the register at each iteration, is modified for example according to a formula of the type Rb ← 2.Rb + Rkj, where kj is the binary value of the component of the representation processed during the iteration and b = 1 − kj (so that Rkj is the other register).
  • the operations performed at each iteration on the registers R0 and R1 are therefore of the type 2.R0 + R1 or 2.R1 + R0.
  • said memory may comprise a third register, said third register storing a third register value.
  • the aforementioned method may then comprise the steps of: assigning to said third register a third initial register value as third register value, said third initial register value depending on said first initial register value and said second initial register value; said iteration comprising the steps of: when said component is equal to said first component value, calculating a first calculation value equal to said first register value added to said third register value;
  • a third register R2 is introduced, and the calculation at each iteration of the value 2.R0 + R1 (respectively 2.R1 + R0) is performed by an intermediate calculation of the type R0 + R2 (respectively R1 + R2), the register R2 keeping as third register value the value R0 + R1, equal to the first register value added to the second register value.
  • This embodiment may be advantageous if only the addition operation is implemented in the electronic device on which the method according to the invention is implemented.
  • said representation comprises an initial component taking an initial component value from a first initial component value and a second initial component value.
  • depending on said initial component, the aforementioned method may comprise, following said iteration, steps of:
  • said group comprises a neutral element
  • said first initial register value may be equal to said neutral element and said second initial register value may be equal to said element.
  • said first initial register value may be equal to said element and said second initial register value may be equal to said element, and said third initial register value may be twice that of said element.
  • the invention also relates to a cryptographic device for calculating a multiplication of an element of an additively noted group by a scalar, said scalar being decomposed into a representation comprising a plurality of components, each of said components taking a component value from at least a first component value and a second component value, wherein said device comprises calculating means and at least one memory, said memory comprising at least: a first register; a second register; and wherein said calculating means is adapted to perform the aforementioned method steps.
  • said memory may comprise a third register, and said calculating means may be able to carry out the aforementioned method steps, in particular those in which a third register is used.
  • the invention also relates to a smart card comprising a device as described above.
  • It also relates to a cryptographic system based on a cryptographic algorithm involving at least one calculation of a multiplication of an element of an additively noted group by a scalar, said calculation being performed by a device as described above.
  • FIG. 1 is a flowchart of the main elements of an electronic device, for example a smart card, to implement the invention
  • FIG. 2 represents a diagram of the method implemented in the calculation of a multiplication by a scalar according to a first embodiment of the invention
  • FIG. 3 represents a diagram of the method implemented in the calculation of a multiplication by a scalar according to a second embodiment of the invention.
  • FIG. 4 represents a general diagram of the method implemented in the present invention.
  • FIG. 1 represents, in block diagram form, an electronic device capable of performing multiplication calculations by a scalar.
  • this device is a smart card for executing a cryptographic program.
  • the device 1 combines, in a chip, programmed computing means composed of a central unit 2 operatively connected to a set of memories including: - a read-only memory 4, in the example a mask ROM (also called "mask Read-Only Memory"),
  • an electrically reprogrammable memory 6, in the example of the EEPROM type ("Electrically Erasable Programmable ROM"), and
  • a working memory 8. This memory 8 comprises in particular the registers used by the device 1.
  • the executable code corresponding to the multiplication algorithm is contained in program memory. This code can in practice be stored in memory 4, read-only, and / or memory 6, rewritable.
  • the central unit 2 is connected to a communication interface 10 which handles the exchange of signals with the outside world and the power supply of the chip.
  • This interface may include pads on the card for a so-called "contact" connection with a reader, and/or an antenna in the case of a so-called "contactless" card.
  • One of the functions of the device is to encrypt and decrypt confidential data respectively transmitted to and received from the outside. These data may concern, for example, personal codes, medical information, accounting data on banking or commercial transactions, or access authorizations to certain restricted services. Another function is the calculation of a digital signature or its verification.
  • the central unit 2 executes a cryptographic algorithm from programming data stored in the mask ROM 4 and/or EEPROM 6 portions.
  • the number y thus obtained is a piece of data that has been encrypted, decrypted, signed or verified.
  • the number r (the key) is stored in a portion of the writable memory 6, of the EEPROM type in the example.
  • the central unit stores the number x, transmitted by the communication interface 10, in a calculation register of the working memory 8.
  • the central unit then reads the key r contained in the rewritable memory 6 and stores it temporarily, for the duration of the exponentiation calculation, in a calculation register of the working memory. The central unit then launches the exponentiation or multiplication-by-a-scalar algorithm according to the invention.
  • the multiplication-by-a-scalar algorithm is implemented as follows in pseudo-language:
  • the method according to the invention thus comprises a step of initialization of two registers R0 and R1, then an iteration over the components ki of the scalar k in which, if ki is 0, the value 2.R1 + R0 is calculated and replaces R1, and if ki is 1, the value 2.R0 + R1 is calculated and replaces R0.
  • the value of the register R0 is then returned.
  • the + sign denotes the addition in an additively noted group, or the addition between two scalars;
  • the − sign denotes the subtraction in an additively noted group, or the subtraction between two scalars;
  • the notation A ← a denotes the operation of assigning the value a to the variable A, or of assigning the value a to the register A.
  • an algorithm is provided that still performs only operations of the type 2.A + B, but using only additions, thus avoiding the computation of a doubling.
  • the steps of this algorithm, ALGORITHM 2, are illustrated schematically in FIG. 3.
  • first, the registers R0, R1 and R2 are initialized respectively with the values P, P and 2.P.
  • an iteration is then performed over the binary decomposition of k, for the index i ranging from 1 to t-1.
  • the values 0 or 1 of the binary decomposition are used, for example, through a temporary variable b equal to 1 − ki for each component ki of the scalar k. If b is 0, the value 2.R0 + R1 is calculated and replaces R0. If b is 1, the value 2.R1 + R0 is calculated and replaces R1. This calculation is performed via the register R2, to which a value equal to R0 + R1 is assigned, so that 2.Rb + R(1−b) is obtained as Rb + R2.
  • the register R0 always contains an odd multiple of P.
  • the register R2 always contains a multiple of P by a power of 2, at each iteration j strictly less than t-1.
  • Rb is always different from R2, at each iteration j between 1 and t-2.
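As an added illustration (not code from the patent) covering both the register update rule Rb ← 2.Rb + Rkj described for the first embodiment and the additions-only second embodiment with its register R2: both algorithms run on a toy short-Weierstrass curve, with a counter that records every time the affine addition formula has to branch on a special case (neutral element, equal or opposite inputs). The curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) is a textbook example with 19 points and is far too small for any real use; the names Stats, add, dbl, algorithm1, algorithm2 and register_multipliers are this example's own. The second embodiment is run only on odd scalars, because its initialization R0 = P amounts to having already processed a first bit equal to 1 (this is an inference from the initialization, the page does not state it explicitly).

```python
# Added example, not from the patent: the two embodiments described above, run
# on a toy short-Weierstrass curve y^2 = x^3 + 2x + 2 over F_17 with base point
# (5, 1), a textbook curve of 19 points that is far too small for real use.
# The names Stats, add, dbl, algorithm1, algorithm2 and register_multipliers
# are this example's own.

from dataclasses import dataclass

P_MOD, A, B = 17, 2, 2
O = None                                        # neutral element (point at infinity)
G = (5, 1)


@dataclass
class Stats:
    """Counts group operations, and the special cases (neutral element, equal or
    opposite inputs) in which the generic affine chord formula cannot be used."""
    adds: int = 0
    dbls: int = 0
    special: int = 0


def inv(v):
    return pow(v, P_MOD - 2, P_MOD)


def dbl(p, st):
    """Tangent formula; 2*O = O and 2*(x, 0) = O."""
    st.dbls += 1
    if p is O or p[1] == 0:
        return O
    x, y = p
    s = (3 * x * x + A) * inv(2 * y) % P_MOD
    x3 = (s * s - 2 * x) % P_MOD
    return (x3, (s * (x - x3) - y) % P_MOD)


def add(p, q, st):
    """Complete affine addition: handles O, p == q and p == -q, but records in
    st.special each time one of these branches is taken, since such branches
    are what a constant-code implementation wants to avoid."""
    st.adds += 1
    if p is O or q is O:
        st.special += 1
        return q if p is O else p
    if p[0] == q[0]:
        st.special += 1
        return dbl(p, Stats()) if p[1] == q[1] else O
    s = (q[1] - p[1]) * inv(q[0] - p[0]) % P_MOD
    x3 = (s * s - p[0] - q[0]) % P_MOD
    return (x3, (s * (p[0] - x3) - p[1]) % P_MOD)


def algorithm1(k, P, st):
    """First embodiment: R0 <- O, R1 <- P, then for each bit ki of k starting
    from the least significant: b <- 1 - ki; Rb <- 2*Rb + R(1-b). Every
    iteration is one doubling and one addition whatever the bit; R0 = k*P."""
    R = [O, P]
    for i in range(k.bit_length()):
        b = 1 - ((k >> i) & 1)
        R[b] = add(dbl(R[b], st), R[1 - b], st)
    return R[0]


def algorithm2(k, P, st):
    """Second embodiment, additions only in the loop: R0 <- P, R1 <- P,
    R2 <- 2P, then for i = 1 .. t-1: b <- 1 - ki; Rb <- Rb + R2; R2 <- R0 + R1.
    Since R2 = R0 + R1 always holds, Rb + R2 = 2*Rb + R(1-b). The start value
    R0 = P amounts to having processed a first bit k0 = 1, so k must be odd."""
    assert k & 1, "second embodiment assumes an odd scalar"
    R = [P, P, dbl(P, Stats())]                 # 2P is an initialization value
    for i in range(1, k.bit_length()):
        b = 1 - ((k >> i) & 1)
        R[b] = add(R[b], R[2], st)
        R[2] = add(R[0], R[1], st)
    return R[0]


def register_multipliers(k):
    """Track the integers m with Rj = m*P through algorithm2, to check the
    properties stated for it: R0 stays an odd multiple of P, R2 stays a
    power-of-two multiple of P, and Rb never equals R2 (so the addition
    Rb + R2 never degenerates into a doubling)."""
    m = [1, 1, 2]
    ok = True
    for i in range(1, k.bit_length()):
        b = 1 - ((k >> i) & 1)
        ok &= (m[0] % 2 == 1) and ((m[2] & (m[2] - 1)) == 0) and (m[b] != m[2])
        m[b] += m[2]
        m[2] = m[0] + m[1]
    return m[0], ok


def naive_mul(k, P):
    """Reference k*P by chained additions (no side-channel concern here)."""
    acc, st = O, Stats()
    for _ in range(k):
        acc = add(acc, P, st)
    return acc


def order_of(P):
    n, acc, st = 1, P, Stats()
    while acc is not O:
        acc, n = add(acc, P, st), n + 1
    return n
```

Two things are worth checking when running this: algorithm1 performs exactly one doubling and one addition per bit, but its first iteration necessarily adds the neutral element (R0 starts at O), which is one of the special cases the affine formulas branch on; algorithm2 performs two additions per bit, no doubling, and for scalars below the group order never hits a special case, which is the practical meaning of the statement that Rb is always different from R2.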
EP07726722A 2006-03-16 2007-03-08 Method for securing a calculation of an exponentiation or a multiplication by a scalar in an electronic device Withdrawn EP1994465A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0650884 2006-03-16
PCT/EP2007/052197 WO2007104706A1 (fr) 2006-03-16 2007-03-08 Method for securing a calculation of an exponentiation or a multiplication by a scalar in an electronic device

Publications (1)

Publication Number Publication Date
EP1994465A1 true EP1994465A1 (de) 2008-11-26

Family

ID=37232970

Family Applications (1)

Application Number Title Priority Date Filing Date
EP07726722A Withdrawn EP1994465A1 (de) 2006-03-16 2007-03-08 Verfahren zur verschlüsselung einer berechnung einer exponentiation oder multiplikation mittels skalar bei einer elektronischen vorrichtung

Country Status (3)

Country Link
US (1) US8065735B2 (de)
EP (1) EP1994465A1 (de)
WO (1) WO2007104706A1 (de)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2972064B1 (fr) * 2011-02-25 2013-03-15 Inside Secure Cryptography method comprising an exponentiation operation
EP2523096A1 (de) * 2011-05-11 2012-11-14 Thomson Licensing Modular exponentiation and device resistant to side-channel attacks
US10148285B1 (en) 2012-07-25 2018-12-04 Erich Schmitt Abstraction and de-abstraction of a digital data stream
US10795858B1 (en) 2014-02-18 2020-10-06 Erich Schmitt Universal abstraction and de-abstraction of a digital data stream
FR3040512B1 (fr) * 2015-08-27 2017-09-08 Stmicroelectronics Rousset Protection of a modular exponentiation calculation
FR3040511B1 (fr) * 2015-08-27 2017-09-08 Stmicroelectronics Rousset Verification of the sensitivity of an electronic circuit executing a modular exponentiation calculation

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2252078C (en) 1998-10-28 2009-02-17 Certicom Corp. Power signature attack resistant cryptographic system
EP1548687B1 (de) 2002-12-18 2013-01-09 Fujitsu Limited Tamper-resistant elliptic curve encryption using a secret key

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2007104706A1 *

Also Published As

Publication number Publication date
US20090175455A1 (en) 2009-07-09
US8065735B2 (en) 2011-11-22
WO2007104706A1 (fr) 2007-09-20


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20080812

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC MT NL PL PT RO SE SI SK TR

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GEMALTO SA

17Q First examination report despatched

Effective date: 20100211

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20130813