EP2791784A1 - Method for generating prime numbers proven suitable for chip cards - Google Patents

Method for generating prime numbers proven suitable for chip cards

Info

Publication number
EP2791784A1
Authority
EP
European Patent Office
Prior art keywords
prime
candidate
procedure
bits
numbers
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP12815734.4A
Other languages
English (en)
French (fr)
Inventor
Benoît FEIX
Christophe Clavier
Pascal Paillier
Loïc THIERRY
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inside Secure SA
Original Assignee
Inside Secure SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from FR1161740A (FR2984548B1)
Priority claimed from FR1161742A (FR2984550B1)
Priority claimed from FR1161739A (FR2984547B1)
Priority claimed from FR1161741A (FR2984549A1)
Application filed by Inside Secure SA
Publication of EP2791784A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/11 Complex mathematical operations for solving equations, e.g. nonlinear equations, general mathematical optimization problems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00 Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7204 Prime number generation or prime number testing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption

Definitions

  • the present invention relates to cryptography and in particular the generation of prime numbers. It also relates to integrated circuits such as those fitted to smart cards, and the generation of prime numbers in such integrated circuits.
  • Generating a prime number consists in randomly selecting a number and verifying that it is prime, for example by applying a primality test such as the sieve of Eratosthenes or the Miller-Rabin test. If the chosen number does not satisfy the primality test, a new number is chosen. The way the new number is chosen differs from one method to another. It turns out that the generation of a prime number is the heaviest computing task to implement in the cryptography systems commonly used today.
  • the confidence level of such a test can be increased by performing several iterations of the test.
  • generating a prime number of 1024 bits with a sufficient level of confidence requires 40 iterations of the Miller-Rabin test.
  • This number of iterations can be reduced to 3 when the Miller-Rabin test is followed by the Lucas test.
  • the Lucas test is not very compatible with the capabilities of smart cards.
  • Smart card microcircuits are an environment with multiple constraints compared to desktop computers or the microprocessors of multimedia devices. Indeed, the capacity of the memories present in these microcircuits remains limited.
  • Some cryptographic operations implemented by cryptographic algorithms such as DES (Digital Encryption System), AES (Advanced Encryption System), RSA and ECC (Elliptic Curve Cryptography) need to be offloaded to a coprocessor to be performed efficiently enough.
  • modular exponentiation operations are the most expensive operations in cryptographic systems such as RSA and DSA embedded in a smart card microcircuit. Such exponentiation operations may also be necessary for the generation of prime numbers.
  • It is also necessary for the microcircuit to remain protected against attacks aimed at discovering the secret data stored or manipulated by the microcircuit. In recent years a large number of types of attacks have appeared, so that the development of a microcircuit protected against all types of known attacks is a challenge.
  • Embodiments provide a method of cryptography in an electronic device, the method comprising the steps of: generating a prime number, generating an integer, generating a prime candidate number having a desired number of bits, by the following formula:
  • Pr being the prime candidate number, where P is the prime number and R is the integer
  • the method comprises steps of storing a group of small prime numbers greater than 2, calculating and storing a product of the prime numbers of the stored group, and generating an invertible number belonging to a set of invertible elements modulo the stored product, the integer being generated from the invertible number so that the prime candidate number is not divisible by any of the numbers of the stored group, the prime number having a number of bits equal, to within one bit, to half to one-third of the number of bits of the prime candidate number.
  • the integer is chosen equal to:
  • R is the integer
  • X is an invertible number modulo the stored product
  • P is the prime number
  • Z is an integer selected so that the number R has a size such that the prime candidate number Pr has the desired number of bits.
  • the method comprises steps of generating a new prime candidate number from the invertible number multiplied by 2 modulo the stored product, if the prime candidate number fails the Pocklington primality test, and of applying the Pocklington primality test to the new prime candidate number.
  • the invertible number is generated so as to be smaller than the stored product, from the following equation:
  • X being the invertible number generated
  • being the stored product
  • being the Carmichael indicator of all invertible elements modulo the stored product.
  • an invertible candidate number X is randomly chosen at a value lower than the stored product, and incremented by the quantity $B \cdot (1 - X^{\lambda} \bmod \Pi)$, in which B is an integer randomly selected between one and the stored product, X is the invertible candidate number, Π is the stored product, λ is the Carmichael indicator of the set of invertible elements modulo the stored product Π, until it verifies the equation, the number B being randomly chosen at a value lower than the stored product.
  • the bit size of the prime candidate number is three times the size of the prime number, to within one unit, the generated prime candidate number being retained as the prime candidate number only if the integer quotient of the division of the integer by the prime number generated in the preceding generation step is odd.
  • the integer is chosen in the interval [I + 1, 2I] with:
  • L is the number of bits of the new prime number to be generated.
  • the method comprises several steps of generating a new prime number, a first generation step providing a prime number from a first prime number, each subsequent generation step providing a prime number from the prime number obtained in the preceding generation step, until a prime number formed of the desired number of bits is obtained, each generation step comprising the steps of generating a prime candidate number and of applying the Pocklington test.
  • the first steps of generating a new prime number include: a - computing a prime candidate number having a number of bits, by the following formula:
  • P being a proven prime number having a number of bits equal, to within one bit, to one-half to one-third of the number of bits of the prime candidate number, and R being a randomly selected integer
  • b - the test of the divisibility of the prime candidate number by small prime numbers
  • c - if the prime candidate number is not divisible by the small prime numbers, the application of the Pocklington primality test to the prime candidate number Pr
  • d - if one of the divisibility and Pocklington tests failed for the prime candidate number, incrementing the integer by one, incrementing the prime candidate number by twice the prime number, and again running steps b to d as long as the incremented prime candidate number fails the divisibility and Pocklington tests.
  • the test of the divisibility of the prime candidate number by small prime numbers comprises the steps of: storing as first residues the remainders of the integer divisions of the prime candidate number by each of the small prime numbers, the prime candidate number being divisible by one of the small prime numbers if the corresponding remainder is zero, storing as second residues the remainders of the integer divisions of twice the prime number by each of the small prime numbers, and, if a new prime candidate number is calculated from the prime candidate number by adding twice the prime number, updating each of the first residues by adding the second residue corresponding to the same small prime number, modulo the same small prime number.
  • each of the second residues is updated by receiving twice the first residue corresponding to the same small prime number, modulo the same prime number of the stored group, when a new prime candidate number is generated from the prime number obtained in the previous generation step.
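The residue bookkeeping described in the two paragraphs above, as an added Python example that is not code from the patent. The class name `ResidueSieve`, its method names and the list of small primes are assumptions made for illustration.

```python
# Added example: incremental divisibility test for candidates Pr = 2*P*R + 1.
# Only the first candidate needs multi-precision divisions; every later
# candidate Pr + 2P is screened with additions on small residues.

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)  # constructed list


class ResidueSieve:
    """Tracks Pr = 2*P*R + 1 modulo each small prime while R is incremented."""

    def __init__(self, P, R, second=None):
        self.P, self.R = P, R
        self.Pr = 2 * P * R + 1
        # First residues: Pr mod q (big-number divisions, done once).
        self.first = [self.Pr % q for q in SMALL_PRIMES]
        # Second residues: 2P mod q, or values carried over from the previous step.
        if second is None:
            second = [2 * P % q for q in SMALL_PRIMES]
        self.second = list(second)

    def has_small_factor(self):
        """Pr is divisible by a small prime exactly when a first residue is zero."""
        return 0 in self.first

    def advance(self):
        """Move to the next candidate Pr + 2P using small additions only."""
        self.R += 1
        self.Pr += 2 * self.P
        self.first = [(w + g) % q
                      for w, g, q in zip(self.first, self.second, SMALL_PRIMES)]

    def next_candidate(self):
        """Skip candidates until no small prime divides Pr; return how many were skipped."""
        skipped = 0
        while self.has_small_factor():
            self.advance()
            skipped += 1
        return skipped

    def second_for_next_step(self):
        """Second residues for the next generation step, where P becomes Pr.

        The new 2P mod q equals twice the current first residue mod q, so no
        big-number division is needed when moving to the next prime size.
        """
        return [2 * w % q for w, q in zip(self.first, SMALL_PRIMES)]
```

A candidate that survives `next_candidate()` still has to pass the Pocklington test before it is accepted.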
  • the first prime number is obtained by randomly selecting a number formed of the reduced number of bits and by successively applying a limited number of primality tests comprising several Miller-Rabin tests applied in different bases, until a number has passed the Miller-Rabin tests, the maximum number of bits and the values of the bases being chosen to prove the primality of the first prime number.
  • the Miller-Rabin tests applied to the randomly selected number are performed in bases 2, 7 and 61 with a maximum number of bits chosen less than or equal to 32, or else bases 2, 3, 5, 7, 11, 13 and 17, with a maximum number of bits chosen less than or equal to 48.
  • the Miller-Rabin tests applied to the randomly selected number are preceded by a divisibility test of the number randomly chosen by numbers from a list of the smallest prime numbers.
  • Embodiments also relate to a cryptographic method implemented in an electronic device and comprising steps of: generating prime numbers, generating cryptographic keys from prime numbers, prime numbers being generated by the method as above defined.
  • Embodiments also relate to an electronic device comprising a computing block for executing large number multiplications and / or modular exponentiation operations, and configured to implement the method of generating a prime number as previously defined.
  • Embodiments also relate to a semiconductor chip integrated circuit, comprising a device as defined above.
  • FIG. 1 represents a sequence of steps configured to generate a large prime number, according to a mode
  • FIGS. 2 and 3 show sequences of steps configured to generate a prime number of small size
  • FIG. 4 represents a sequence of steps configured to generate a prime number from a smaller prime number, according to one embodiment
  • FIGS. 5 and 6 represent sequences of steps called by the sequence of FIG. 4,
  • FIGS. 7 and 8 show sequences of steps implementing a deterministic primality test, according to embodiments
  • FIG. 9 represents a sequence of steps configured to generate a prime number from a prime number of smaller size, according to another embodiment,
  • FIG. 10 represents a sequence of steps configured to test the divisibility of a number by a list of prime numbers
  • FIG. 11 represents a sequence of steps configured to generate a prime number from a smaller prime number, according to another embodiment
  • FIGS. 12 and 13 show sequences of steps configured to test the divisibility of a number by a list of prime numbers
  • FIGS. 14 to 16 show sequences of steps configured to generate a prime number of large size, according to other embodiments,
  • FIGS. 17 to 19 show sequences of steps configured to generate a prime number from a smaller prime number, adapted to the sequence of steps of FIG. 16,
  • FIG. 20 schematically represents an example of an electronic device that can implement the various sequences of steps shown in FIGS. 1 to 20,
  • Figures 21 and 22 show sequences of cryptographic key generation steps, using prime numbers.
  • $N = 2RP + 1$ (1) is prime if there is an integer A greater than or equal to 2 and less than N such that:
  • $A^{N-1} \equiv 1 \bmod N$ (2)
  • $\mathrm{GCD}(A^{2R} - 1, N) = 1$, (3) mod representing the modulo operation and GCD (x, y) being a function giving the greatest common divisor of the numbers x and y.
  • This theorem makes it possible to obtain a prime number from a prime number of smaller size.
  • This theorem can therefore be applied in several iterations, starting from a prime number of small size obtained by another process, then starting from the prime number obtained during the previous iteration, until a prime number of the desired size is obtained.
  • Given the relation between the numbers N and P, a simple choice of the size of the number R can make it possible to obtain a new prime number having a size substantially equal to twice the size of the prime number P.
  • the prime character of the numbers obtained by applying this theorem is proved, as opposed to the probabilistic character of prime numbers obtained by certain known methods, for example based on the Fermat or Miller-Rabin test.
  • FIG. 1 represents steps S1 to S9 of a GNLP procedure for generating a large prime number.
  • the GNLP procedure receives as an input parameter the size Ln in number of bits of the prime number to be generated.
  • Steps S1 to S3 make it possible to determine the size L (in number of bits) of a first prime number to be generated from the size Ln of the prime number to be generated.
  • In step S1, the size Ln received as a parameter is loaded into a local variable L.
  • In step S2, the variable L received at the input of the procedure is compared with a maximum value LL of the first prime number, for example equal to 32 or 48 bits.
  • In steps S2 and S3, as long as the variable L is larger than the maximum size LL, the value of the variable L is divided by 2 (L receives the quotient of the integer division of L by 2).
  • the size L is incremented by one at step S4.
  • the steps S2 to S4 can be replaced by reading a table indexed by the size Ln of the prime number to be generated and giving the size LO of the first prime number to generate.
  • the size Ln is generally limited to a reduced number of possible values, in particular powers of 2.
  • An example of this table when the maximum value LL is equal to 32, is given by the following table 1:
  • In step S5, an INTP procedure is called to determine a first proven prime number having the size L.
  • the procedure receives as input parameters the variable L and optionally the product Π of the v smallest prime numbers, for example less than 150 (v between 10 and 30).
  • the INTP procedure provides a proved prime number Pr of size L.
  • In step S6, the variable L is compared with the size Ln of the prime number to be generated. This step marks the entry of a processing loop in which steps S7 to S9 are executed at each iteration, until the size Ln of the prime number to be generated is reached.
  • the values of k provided in table 1 represent the number of iterations performed by the GNLP procedure, as a function of the size Ln of the prime number to be generated.
  • In step S6, if the variable L is smaller than the size Ln, the steps S7 to S9 are executed, otherwise the GNLP procedure terminates by providing the last number Pr obtained, which is a proven prime number of Ln bits.
  • In step S7, a variable P receives the last prime number Pr obtained.
  • In step S9, a GNSP procedure is called with the variables P and L as input parameters.
  • the GNSP procedure provides a proven prime number Pr having the size L from the smaller prime number P input. For this purpose, the GNSP procedure is based on the Pocklington theorem or the derived theorem previously stated.
  • the INTP procedure can implement the sieve of Eratosthenes, that is to say, randomly choose a prime candidate number having a small size, for example between 16 and 24 bits, and test the divisibility of the prime candidate number by all prime numbers less than the square root of the prime candidate number.
  • the first proven prime number Pr obtained in step S5 can be set to a certain value.
  • the INTP procedure may consist of randomly selecting a prime number from a pre-established list of proven primes of the same size set at a value of less than 33 or 49 bits.
  • the first proven small prime number provided by the INTP procedure in step S5 is obtained by randomly selecting a number having a size less than 32 bits, and applying the probabilistic Miller-Rabin test, successively in bases 2, 7 and 61.
  • Pomerance et al. see publication [1]
  • Jaeschke see publication [2]
  • the parameter LL in the procedures GNLP, GNLP1, GNM and GNST is then fixed at a value less than or equal to 32 and represents the maximum size in number of bits that the prime number generated by the INTP procedure can have.
  • the Miller-Rabin test consists in decomposing a prime candidate number N to be tested, decreased by 1, as follows:
  • $N - 1 = 2^{S} \times D$ (4)
  • the number N is probably prime if either of the equations (4) and (5) is satisfied.
  • the first prime number is thus obtained by applying the Miller-Rabin test three times, with the number A successively chosen equal to 2, 7 and 61, and discarding the candidate numbers N not satisfying the test in base 2, 7 or 61.
  • the application of the Miller-Rabin tests in bases 2, 7 and 61 is preceded by a step of testing the divisibility of the prime candidate number by the v smallest prime numbers, v being for example between 20 and 50. In other words, a candidate number N is discarded if it is divisible by one of the v smallest prime numbers.
  • the application of the Miller-Rabin test in bases 2, 7 and 61 is preceded by a step of applying the probabilistic Fermat test in base 2.
  • the number N is probably prime if the following condition is satisfied:
  • $A^{N-1} \equiv 1 \bmod N$, (7) where A is an integer representing the base (chosen to be 2).
  • the first small prime number is obtained by executing a sequence of steps as shown in FIG. 2.
  • FIG. 2 represents an INTP procedure receiving as input parameters the size L of the prime number to be generated and the product Π of the v smallest prime numbers, and providing a prime number Pr of the size L, L being less than 32.
  • the INTP procedure comprises steps S21 to S24b.
  • In step S21, an odd number Pr of size L is randomly selected using a random or pseudo-random function RND.
  • Steps S22 to S24b are primality tests successively applied to the number Pr.
  • In step S22, it is determined whether the number Pr is divisible by one of the v prime numbers of the product Π, and the test fails if the number Pr is divisible by one of the v prime numbers of the product Π.
  • This test can be carried out by calculating the greatest common divisor GCD of the number Pr and of the product Π, the number Pr not being divisible by any of the v smallest prime numbers if the greatest common divisor thus calculated is equal to 1.
  • the product Π may not include the number 2 if the number Pr is chosen odd in step S21.
  • the procedure can receive the first v prime numbers in the form of a list Q, and step S22 can consist in successively testing the divisibility of the number Pr by each of the prime numbers of the list Q.
  • Π represents the product of the v smallest prime numbers (possibly greater than 2), and the test of the divisibility of the number Pr by one of these prime numbers can consist of calculating the greatest common divisor of the numbers Pr and Π.
  • the Fermat test in base 2 is applied to the number Pr.
  • Step S21 is again executed to choose another number Pr. If one of the tests is successfully executed in one of the steps S22 to S24a, the next step S23 to S24b is executed. If the last primality test executed in step S24b is successfully executed, the INTP procedure terminates by providing the number Pr, whose primality is thus proved. Instead of randomly choosing a new number Pr in step S21 if one of the tests performed in steps S23 to S24b fails, the number Pr can be incremented by two.
  • FIG. 3 represents an INTP1 procedure for generating a first small prime number, according to another embodiment.
  • This procedure is based on the fact that a number of less than 48 bits that has been successfully tested by Miller-Rabin tests in bases 2, 3, 5, 7, 11, 13 and 17 is with certainty a prime number.
  • the INTP1 procedure differs from the INTP procedure in that the Miller-Rabin primality tests in bases 7 and 61 are replaced by Miller-Rabin tests in bases 3, 5, 7, 11, 13 and 17, and in that the prime number obtained can be up to 48 bits in size.
  • the maximum size LL in the procedures GNLP, GNLP1, GNM and GNST can then be set to a value less than or equal to 48.
  • the procedure INTP1 comprises the steps S21, S22 and S24 of the INTP procedure (FIG. 14). Then the procedure INTP1 comprises steps S24c to S24h of application of the Miller-Rabin test in bases 3, 5, 7, 11, 13 and 17. If the prime candidate number Pr chosen in step S21 passes the test executed at one of the steps S22, S24, S24c to S24g, the next step S24, S24c to S24h is executed. If the prime candidate number Pr fails one of the tests, a new prime candidate number Pr is selected in step S21. If the prime candidate number Pr passes all the tests and in particular the base 17 Miller-Rabin test executed in step S24g, the INTP1 procedure ends by supplying the number Pr as a proven prime number. Since the INTP1 procedure can provide a prime number close to 48 bits instead of a prime number close to 32 bits for the INTP procedure, this procedure can reduce the number of iterations of the GNLP procedure.
  • step S22 in the INTP and INTP1 procedures is designed to eliminate prime candidate numbers more easily (using operations that are less costly in terms of resources and calculation time) than a Fermat or Miller-Rabin test. Step S22 can therefore be omitted without the proven character of the number Pr provided by the INTP or INTP1 procedure being affected.
  • the Fermat test performed in step S23 of the INTP procedure is also intended to eliminate prime candidate numbers faster than the Miller-Rabin test. This step can also be removed if the computing means used to implement this procedure can perform the Miller-Rabin tests efficiently (in a time acceptable to the user).
  • The choice of the value of the number v of the smallest prime numbers used in step S22 can be made according to the overall duration of execution of the procedure INTP or INTP1, knowing that the more the value v is increased, the more the execution time of step S22 increases, and the more the overall execution time (number of executions) of the tests performed in steps S23 to S24b or S24 to S24h decreases.
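The INTP and INTP1 test sequences described above (GCD prefilter, base-2 Fermat test, then Miller-Rabin in a fixed set of bases), as an added Python example that is not code from the patent. The function names and the list of small primes behind the stored product are assumptions.

```python
import math
import secrets

# Small odd primes and their product (a constructed stand-in for the stored product).
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)
SMALL_PRODUCT = math.prod(SMALL_PRIMES)

BASES_32 = (2, 7, 61)                  # INTP: candidates of at most 32 bits
BASES_48 = (2, 3, 5, 7, 11, 13, 17)    # INTP1: candidates of at most 48 bits


def miller_rabin(n, a):
    """Strong probable-prime test of an odd n > 2 in base a."""
    if a % n == 0:
        return True                    # this base carries no information for n
    d, s = n - 1, 0
    while d % 2 == 0:                  # decomposition n - 1 = 2^s * d, d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_proven_prime(n):
    """Deterministic primality decision for n < 2**48, cheapest test first."""
    if n >= 1 << 48:
        raise ValueError("the fixed base sets only prove primality below 48 bits")
    if n < 2:
        return False
    if n == 2 or n in SMALL_PRIMES:
        return True
    if n % 2 == 0 or math.gcd(n, SMALL_PRODUCT) != 1:
        return False                   # divisibility prefilter (step S22)
    if pow(2, n - 1, n) != 1:
        return False                   # Fermat test in base 2 (step S23)
    bases = BASES_32 if n < 1 << 32 else BASES_48
    return all(miller_rabin(n, a) for a in bases)


def intp(bits):
    """Draw random odd numbers of exactly `bits` bits until one is proven prime."""
    if not 8 <= bits <= 48:
        raise ValueError("bits must be between 8 and 48")
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_proven_prime(n):
            return n
```

The prefilter and the Fermat test only reject composites early; the proof of primality rests on the Miller-Rabin bases matching the size bound.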
  • Fig. 4 shows steps S31 to S43 of the GNSP procedure, according to one embodiment.
  • the steps S31 to S39 make it possible to generate an integer R such that the prime candidate number Pr obtained by the formula (1) is not divisible by the small prime numbers of the list Q. For this purpose, the procedure is based on the following proposition:
  • the quantity $2P(X + Z\Pi)$ does not have a common divisor with the product Π either, Z being an integer. It suffices therefore to choose the quantity $2P(X + Z\Pi)$ as the prime candidate number Pr. As a result, the integer R in formula (1) is chosen equal to:
  • Steps S31 to S38 of the GNSP procedure are executed successively.
  • a number I is calculated by the following formula:
  • a number J is calculated by the following formula:
  • In step S33, a number Z is chosen in the interval [J, 2J-1] using a random or pseudo-random function RND.
  • In step S34, an invertible number X of the set $(\mathbb{Z}/\Pi\mathbb{Z})^*$ is generated.
  • a GINV procedure is called with, as input parameters, the product Π and the associated Carmichael indicator λ.
  • the GINV procedure provides an invertible number X.
  • Steps S35 to S41 make it possible to calculate the number R.
  • In step S37, a number R equal to the number X minus the inverse number InvP modulo the product Π is calculated.
  • In steps S39 to S41, it is ensured that the number R obtained in step S37 is in the range [I + 1, 2I], in order to obtain a prime candidate number Pr of size L.
  • In steps S38 and S39, the number R is compared with the numbers I + 1 and 2I. If the number R is less than I + 1, steps S40 and S42 are executed. If the number R is greater than 2I, steps S41 and S42 are executed. If the number R is between I + 1 and 2I, only step S42 is executed.
  • In step S40, the number R is incremented by the quantity Π.
  • In step S41, the number R is decremented by the quantity Π.
  • In step S42, a prime candidate number Pr is calculated by formula (1) using the number R obtained in step S37, S40 or S41 and the prime number P received as a call parameter of the GNSP procedure.
  • In step S43, a procedure PCKT applying the Pocklington test is called. This procedure receives the number Pr to be tested and the number R used to calculate the number Pr in step S42, and optionally the size L in number of bits of the number Pr. This procedure returns a Boolean variable set to "True" ("T") if the number Pr passed the Pocklington test, and to "False" ("F") otherwise.
  • step S44 is executed and the execution of the procedure is continued in step S36.
  • In step S44, the number X is multiplied by 2 modulo the product Π.
  • FIG. 5 represents steps S11 to S13 of the procedure GINV for generating an invertible number, according to one embodiment.
  • the GINV procedure makes it possible to generate an invertible element of the set $(\mathbb{Z}/\Pi\mathbb{Z})^*$ by an iterative process.
  • In step S11, an integer X less than the product Π is chosen using a random or pseudo-random function.
  • In step S12, it is tested whether the number X chosen in step S11 satisfies equation (8), that is, whether the number X is invertible in the set $(\mathbb{Z}/\Pi\mathbb{Z})^*$.
  • In step S13, the number X is incremented by 1. Steps S12 and S13 form a processing loop that is executed until the condition of step S12 is satisfied.
  • Figure 6 shows another embodiment GINV1 of the GINV procedure.
  • the procedure GINV1 differs from the GINV procedure in that steps S12 and S13 are replaced by steps S14 to S17.
  • a number Y is calculated by the following equation:
  • In step S15, the number Y is compared to 0, and if it is zero, the number X satisfies equation (8).
  • the procedure GINV1 then ends by supplying the number X.
  • steps S16 and S17 are executed.
  • In step S16, a number B less than the product Π is chosen randomly.
  • In step S17, the number X is incremented by the product of the numbers B and Y.
  • the execution of the procedure GINV1 is then continued in step S14 to test whether the number X satisfies equation (8).
  • Fig. 7 shows steps S52 to S56 of the PCKT procedure, according to one embodiment.
  • This procedure successively applies to the numbers P and R received at the input by the PCKT procedure the tests corresponding to the equations (2) and (3). If the numbers P and R pass both tests, the PCKT procedure returns "True", otherwise "False".
  • In step S52, an integer A is selected using a random or pseudo-random RND function in the interval [2, P-2].
  • In step S53, if the number P satisfies equation (2), step S54 is executed, otherwise step S55 is executed.
  • In step S54, if the numbers P and R satisfy equation (3), step S46 is executed, otherwise step S55 is executed.
  • a Boolean variable TST is set to "False".
  • In step S56, the variable TST is set to "True".
  • the PCKT procedure terminates after step S55 or S56 by returning the variable TST.
  • FIG. 8 shows another embodiment PCKT1 of the PCKT procedure of FIG. 7.
  • the PCKT1 procedure differs from the PCKT procedure in that it comprises additional steps S50 and S51 making it possible to force the number A to 2 (step S51) if the size L of the number P received as an input parameter of the procedure is greater than or equal to a certain value, for example equal to 129 (step S50). Forcing the number A to 2 makes it possible to perform the modular exponentiation operations more quickly in steps S53 and S54 when the numbers P and R are large.
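The GNLP, GNSP, GINV1 and PCKT procedures described above, chained into one runnable generator as an added Python example that is not code from the patent. The formulas for I, Z and the size schedule are not present on this page, so the versions used here are assumptions, as are the shortened list of small primes and the function names; the first prime is obtained by trial division.

```python
import math
import secrets

SMALL_PRIMES = (3, 5, 7, 11)        # stored group (shortened, constructed list)
PI = math.prod(SMALL_PRIMES)        # stored product
LAMBDA = 1                          # Carmichael indicator of PI: lcm of the q - 1
for q in SMALL_PRIMES:
    LAMBDA = LAMBDA * (q - 1) // math.gcd(LAMBDA, q - 1)


def ginv1():
    """GINV1: random invertible element modulo PI."""
    X = secrets.randbelow(PI - 1) + 1
    while True:
        Y = (1 - pow(X, LAMBDA, PI)) % PI      # zero exactly when X is invertible
        if Y == 0:
            return X
        B = secrets.randbelow(PI - 1) + 1
        X = (X + B * Y) % PI                   # re-randomises only the bad residues


def pocklington(N, R, A):
    """Tests (2) and (3) on N = 2*R*P + 1; conclusive when P is prime and 2R < P."""
    return pow(A, N - 1, N) == 1 and math.gcd(pow(A, 2 * R, N) - 1, N) == 1


def gnsp(P, L):
    """From a proven prime P, return (Pr, R, A) with Pr = 2*P*R + 1 a proven L-bit prime."""
    I = (1 << (L - 1)) // (2 * P)              # assumed form: R in [I+1, 2I] gives L bits
    assert I >= PI and 4 * I < P               # every residue reachable, and 2R < P
    inv2p = pow(2 * P, -1, PI)                 # inverse of 2P modulo PI
    X = ginv1()
    while True:
        r0 = (X - inv2p) % PI                  # R = X - InvP (mod PI)
        kmin = -(-(I + 1 - r0) // PI)          # smallest Z putting R at or above I + 1
        kmax = (2 * I - r0) // PI              # largest Z keeping R at or below 2I
        R = r0 + (kmin + secrets.randbelow(kmax - kmin + 1)) * PI
        Pr = 2 * P * R + 1                     # Pr = 2*P*X (mod PI): no small factor
        A = 2 + secrets.randbelow(Pr - 3)      # A in [2, Pr - 2]
        if pocklington(Pr, R, A):
            return Pr, R, A
        X = 2 * X % PI                         # next invertible element (step S44)


def first_prime(bits):
    """First proven prime, here by trial division up to the square root."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(n % d for d in range(3, math.isqrt(n) + 1, 2)):
            return n


def gnlp(Ln, LL=32):
    """Return (prime, chain): an Ln-bit proven prime and its certificate chain."""
    sizes = [Ln]
    while sizes[-1] > LL:                      # assumed schedule: about half, plus one bit
        sizes.append((sizes[-1] + 1) // 2 + 1)
    Pr = first_prime(sizes.pop())
    chain = []
    while sizes:
        P = Pr
        Pr, R, A = gnsp(P, sizes.pop())
        chain.append((P, R, A, Pr))            # enough to re-check each step later
    return Pr, chain
```

Each tuple in the returned chain lets a verifier replay the two Pocklington checks without redoing the search.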
  • another procedure for generating a prime number can be called in step S9 for the first iterations of the GNLP procedure, the GNSP procedure being called only during the following and last iterations.
  • the procedure called at the first iterations can consist in choosing a number R for calculating a prime candidate number Pr using the formula (1), and in testing the divisibility of the number Pr by the prime numbers of the product ⁇ , instead of generate a number R such that the number Pr obtained is not divisible by the prime numbers of this product.
  • FIG. 9 represents steps S90 to S99 of such a GNSP1 procedure, according to one embodiment. Steps S90 to S94 are executed successively.
  • In step S90, a number I is calculated by formula (10).
  • In step S91, an integer R is chosen in the interval [I + 1, 2I] using a random or pseudo-random function RND.
  • In step S92, a candidate prime number Pr is calculated by formula (1).
  • In step S93, a DVT1 procedure for testing the divisibility of the number Pr by the prime numbers of the list Q is called.
  • The DVT1 procedure receives as input parameters the number Pr, the list Q, and a table W, and returns a Boolean variable TST set to "True" if the number Pr is not divisible by the numbers of the list Q, and to "False" otherwise.
  • In step S94, the variable TST is tested. If the variable TST is "True", step S95 is executed, otherwise step S97 is executed.
  • In step S95, the PCKT (or PCKT1) procedure is called.
  • This procedure receives the number Pr to be tested and the number R used to calculate the number Pr in step S92, and optionally the size L in number of bits of the number Pr.
  • This procedure returns a Boolean variable set to "True" if the number Pr passed the Pocklington test, and to "False" otherwise. If the PCKT procedure returns "True", the number Pr is prime with certainty, and the GNSP procedure terminates by supplying the number Pr. If the PCKT procedure returns "False", the variable TST is set to "False" in step S96 and execution of the GNSP procedure continues at step S97.
  • In step S97, the number R is incremented by 1.
  • In step S98, the number R is compared with the number 2I, so that R remains in the interval [I + 1, 2I]. If the number R is greater than 2I, execution of the GNSP1 procedure continues at step S91 to choose a new number R randomly in the interval [I + 1, 2I], to calculate a new candidate prime number Pr and to test it. If, in step S98, the number R is less than or equal to 2I, step S99 is executed instead of step S92 to update the number Pr to reflect the incrementation of the number R in step S97. Thus, in step S99, the number Pr is simply incremented by twice the prime number P.
  • This calculation results from the incrementation of the number R carried out in step S97 and from formula (1).
  • The number Pr can thus be updated simply by a binary shift of P followed by an addition, instead of performing the multiplication of large integers of step S92 implementing formula (1).
  • After step S99, execution of the GNSP1 procedure continues at step S93.
  • Steps S93 to S99 thus form a first processing loop in which the number R is incremented by one at each iteration, up to the value 2I if necessary, and in which the primality of the number Pr corresponding to the number R is tested in a proven way.
  • Steps S91 to S99 form a second processing loop for executing the first loop with a new value of R randomly selected in the interval [I + 1, 2I].
  • As long as the number Pr obtained in step S92 or S99 does not satisfy the non-divisibility and Pocklington tests, a new candidate prime number is determined in steps S91 and S92 or in step S99. Note that steps S97 to S99 may be omitted, step S91 being executed directly if the variable TST is set to "False" in step S94.
  • Fig. 10 shows steps S120 to S125 of the DVT1 procedure, according to one embodiment.
  • In step S120, a loop index j is initialized to 0 and a Boolean variable TST is initialized to "True".
  • The following step S121 forms the entry point of a loop comprising steps S122 to S125. This loop makes it possible to test the divisibility of the number Pr by each of the numbers Qj of the list Q.
  • In step S121, the index j is compared with the number v of prime numbers in the list Q. If the index j is less than the number v, a loop iteration starting at step S122 is executed, otherwise the DVT1 procedure terminates by providing the variable TST.
  • In step S122, a variable Wj stored at index j in the table W receives the remainder of the integer division of the number Pr by the number Qj.
  • The variable Wj can thus be calculated by the following formula:
  • In step S123, the variable Wj is compared with 0. If the variable Wj is zero, meaning that the candidate number Pr is divisible by the number Qj, steps S124 and S125 are executed, otherwise only step S125 is executed.
  • In step S124, the variable TST is set to "False" to indicate that the number Pr is not a prime number.
  • In step S125, the index j is incremented by one.
  • Step S121 is executed after step S125, either to perform a new iteration or to provide the variable TST at the completion of the DVT1 procedure. Note that for the GNSP1 procedure, it is not necessary to store the remainders Wj in a table. The remainder obtained in step S122 can simply be loaded into a register so that it can be compared to 0 in step S123.
  • FIG. 11 represents another GNSP2 embodiment of the GNSP1 procedure of FIG. 9.
  • The GNSP2 procedure differs from the GNSP1 procedure in that it includes calculation optimizations in the tests of the divisibility of the number Pr by the numbers.
  • The GNSP2 procedure comprises an additional step S100 executed between steps S99 and S94, and an additional step S101 executed between steps S90 and S91.
  • In step S101, an UPDG procedure is called with, as input parameters, the prime number P, the size L of the number Pr (in number of bits), the list Q, the table W and a table of values G.
  • The table G is intended to receive the remainders of the divisions of twice the number P by each of the numbers Qj.
  • The number of values in each table W, G corresponds to the number v of prime numbers in the list Q.
  • The UPDG procedure is provided to update the table G.
  • In step S100, a DVT2 procedure is called with, as parameters, the list Q and the tables of values W and G.
  • The DVT2 procedure makes it possible to update the table W using only operations on small numbers, and to test the divisibility of the candidate prime number Pr updated in step S99.
  • Fig. 12 shows steps S126 to S131 of the UPDG procedure.
  • In step S126, a loop index j is initialized to 0.
  • Step S127, which forms the entry point of a loop comprising steps S128 to S131, compares the index j with the number v of prime numbers in the list Q. This loop makes it possible to update the table G. If the index j is smaller than the number v in step S127, a loop iteration starting at step S128 is executed, otherwise the execution of the UPDG procedure is complete.
  • In step S128, it is determined whether the procedure (GNSP2) that called the UPDG procedure is being called for the first time by the GNLP procedure, that is, whether the number P received as a call parameter of the GNSP2 procedure has been determined, for example, by the INTP procedure.
  • This condition can be determined from the size L of the prime number P, provided as a calling parameter of the GNSP2 procedure, taking into account the calculation of the size of the first prime number relative to the maximum size LL, carried out by the GNLP procedure (steps S2 to S4). If the size L corresponds to that of the first prime number provided by the INTP procedure, steps S129 and S131 are executed, otherwise steps S130 and S131 are executed.
  • In step S129, the value Gj of index j in the table G is calculated by the following formula:
  • In step S130, the value Gj is calculated by the following formula:
  • Fig. 13 shows steps S132 to S137 of the DVT2 procedure, according to one embodiment.
  • In step S132, a loop index j is initialized to 0 and a Boolean variable TST is initialized to "True".
  • The following step S133 forms the entry point of a loop comprising steps S134 to S137.
  • This loop makes it possible to test the divisibility of the number Pr by each of the numbers Qj of the list Q, when the number Pr has been incremented by 2P in step S99 of the GNSP2 procedure.
  • This loop also makes it possible to update the table of values W, taking into account the modification of the number Pr in step S99.
  • In step S133, the index j is compared with the number v of prime numbers in the list Q. If the index j is smaller than the number v, a loop iteration starting at step S134 is executed, otherwise the DVT2 procedure ends by providing the variable TST.
  • In step S134, the table W at index j is updated by the following formula:
  • Wj = (Wj + Gj) mod Qj (16), which corresponds to formula (13) taking into account the update of the number Pr carried out in step S99.
  • The implementation of formula (16) also constitutes a simplification of calculation with respect to formula (13) executed in step S134. Indeed, formula (16) includes only an addition of small numbers, possibly followed by a subtraction of the small number Qj if Wj + Gj > Qj, while formula (13) consists of a division of a large number (Pr) by a small number (Qj), such a division requiring much more computing time and memory.
  • In step S135, the value Wj of index j in table W is compared with
  • In step S136, the variable TST is set to "False", to indicate that the number Pr is not a prime number.
  • In step S137, the index j is incremented by one. Step S133 is executed after step S137.
  • The choice of the number v of the smallest prime numbers used in steps S123, S128, S129 and S133 can also be made according to the overall execution time of the GNLP procedure calling the GNSP2 procedure, knowing that the more the value v is increased, the more the execution time of the DVT1 and DVT2 procedures increases, and the more the overall execution time of the tests carried out in step S95 decreases.
  • The number v can be chosen at a value between 100 and 200. It should be noted that the number v chosen for the GNSP2 procedure can be applied to the INTP or INTP1 procedure executed in step S5.
  • FIG. 14 represents another iterative procedure GNM for generating a large prime number Ln.
  • This procedure corresponds substantially to the Maurer procedure (see publication [3]).
  • This procedure receives as input parameter a size L of the prime number to be generated and provides a prime number Pr.
  • This procedure includes steps S60 to S69.
  • In step S60, the size L is compared to a maximum size LL of a first prime number, below which a procedure for generating a proven prime number can be used without requiring excessive time and computing resources. If the size L is greater than the maximum size LL, step S61 is executed, otherwise step S62 is executed.
  • A prime number Pr of size smaller than the size LL is obtained.
  • The GNM procedure then ends by providing the number Pr.
  • The way of obtaining a first prime number of size smaller than the size LL may be one of those described above (step S5).
  • Steps S62 to S67 make it possible to determine a sequence of intermediate prime number sizes between the initial size of the first prime number and the size of the prime number to be generated, provided as an input parameter of the GNM procedure.
  • In step S62, the size L is compared to twice the maximum size LL (2LL). If the size L is greater than 2LL, in other words for large values of L, steps S63 to S65 and S67 are executed, otherwise only steps S66 and S67 are executed.
  • In step S63, a real number s between 0 and 1 is chosen randomly or pseudo-randomly.
  • In step S64, a real number r is calculated by raising 2 to the power s - 1. Thus, the number r is between 1/2 and 1.
  • Step S63 marks the entry of a processing loop comprising steps S63 to S65, in which a new value of r is calculated until the condition of step S65 is satisfied.
  • In step S66, the real number r is set to 0.5.
  • In step S67, a new size L is calculated by multiplying the current value of L by the real number r, taking the integer part of the result obtained, and adding 1 to the integer part.
  • In step S68, the GNM procedure is called with the new value of the size L obtained in step S67.
  • The GNM procedure is thus a recursive procedure.
  • In step S69, the GNSP procedure is called to obtain a prime number Pr of size L, from the prime number P obtained in step S68.
  • The GNM procedure terminates at the end of step S69 by providing the prime number Pr provided by the GNSP procedure called in step S69.
  • Fig. 15 shows another iterative procedure GNST for generating a large prime number Ln.
  • This procedure corresponds substantially to the Shawe-Taylor procedure (see publication [4] or [5]).
  • This procedure receives as an input parameter the size L of the prime number to be generated, and provides a prime number Pr.
  • This procedure comprises steps S71 to S75.
  • In step S71, the size L is compared to the maximum size LL. If the size L is greater than the size LL, steps S73 to S75 are executed, otherwise step S72 is executed.
  • In step S72, a small prime number Pr of size smaller than the size LL is generated and the procedure ends by providing the prime number Pr.
  • In step S73, the size L is decreased by adding 1 to the smallest integer greater than or equal to the size L divided by two.
  • In step S74, the GNST procedure is called with the new value of L to obtain a prime number P of size L.
  • The GNST procedure is therefore also recursive.
  • In step S75, the GNSP procedure is called to obtain a prime number Pr of size L, with as input parameters the previous prime number P provided by the call of the GNST procedure in step S74, and the size L obtained in step S73.
  • The prime number Pr obtained in step S75 is output by the GNST procedure, which ends at the end of this step.
  • The GNM and GNST procedures can proceed in the same way as the GNLP procedure.
  • The GNM and GNST procedures can also call, in their first iterations, the GNSP1 or GNSP2 procedure and, in their last iterations, the GNSP procedure.
  • Fig. 16 shows another embodiment GNLP1 of the GNLP procedure of Fig. 1.
  • The GNLP1 procedure differs from the GNLP procedure in that steps S3, S8 and S9 are replaced by steps S3', S8' and S9'.
  • In step S3', the value of the variable L is divided by 3 instead of 2.
  • In step S9', a GNSP3 procedure is called with the variables P and L as input parameters, and optionally the list Q.
  • The GNSP3 procedure provides a prime number Pr having the size L from the prime number P of smaller size.
  • The GNLP1 procedure is based on a theorem derived from the theorem demonstrated by Brillhart, Lehmer, Selfridge, Tuckerman and Wagstaff in 1988 (see publication [6]).
  • The derived theorem is formulated as follows:
  • N = 2RP + 1 is prime if there exists an integer A greater than or equal to 2 and less than or equal to N such that:
  • The condition R ⁇ P 2 +1 is satisfied substantially by the operation performed in step S8' to determine the size of the next prime number to be generated.
  • Table 2 also provides the values of the number k of iterations executed by the GNLP1 procedure from step S6. Comparing Tables 1 and 2, the GNLP1 procedure makes it possible to obtain a prime number of the desired size in 2 or 3 fewer iterations than the GNLP procedure.
  • FIG 17 shows the GNSP3 procedure called by the GNLP1 procedure of Figure 16.
  • The GNSP3 procedure differs from the GNSP procedure in that it comprises two additional steps S45 and S46, to implement test (ii) of the theorem stated above, test (i) being implemented by step S43.
  • Steps S45 and S46 are executed after one of steps S39 to S41 and before step S42.
  • In step S45, the quotient U of the integer division of the number R by the number P is calculated.
  • In step S46, if the quotient U is even, step S44 is executed to generate a new value of X and then of R; otherwise step S42 is executed.
  • As with step S9, another procedure for generating a prime number can be called in step S9' for the first iterations of the GNLP1 procedure, the GNSP3 procedure being called only during the following and last iterations.
  • The procedure called in the first iterations consists of choosing a number R to calculate a candidate prime number using formula (1), and of testing the divisibility of the number Pr by the prime numbers of the list Q, instead of generating a number R such that the number Pr obtained is not divisible by any of the prime numbers of this list.
  • FIG. 18 represents a GNSP4 procedure that can be called by the GNLP1 procedure of FIG. 16, at step S9', during the first iterations of the GNLP1 procedure.
  • The GNSP4 procedure differs from the GNSP1 procedure in that it comprises two additional steps S101 and S102, to implement test (ii) of the theorem stated above, test (i) being implemented by step S95. Steps S101 and S102 are executed between steps S94 and S95.
  • In step S101, the quotient U of the integer division of the number R by the number P is calculated.
  • In step S102, if the quotient U is even, execution of the GNSP4 procedure continues at step S96 to generate a new value of R; otherwise step S95 is executed.
  • FIG. 19 represents a GNSP5 procedure that can be called by the GNLP1 procedure during its first iterations.
  • The GNSP5 procedure differs from the GNSP2 procedure in that it comprises steps S102 and S103, which are executed as in the GNSP4 procedure, after step S94 and before step S95 or S96.
  • Fig. 20 shows an example of an electronic device DV in which the various embodiments of the prime number generation method described above can be implemented.
  • The device DV may be an integrated circuit on a semiconductor chip, generally forming a microprocessor.
  • The chip may for example be arranged on a support such as a plastic card, the assembly forming a smart card.
  • The device DV comprises a processing unit UC, a cryptographic calculation block CRU, and one or more memories MEM which can comprise a volatile memory and a non-volatile memory.
  • The electronic device DV also comprises a contact or contactless communication interface IOI, for example an RF or UHF circuit operating by inductive coupling or by electrical coupling.
  • The CRU block may be a coprocessor equipped with a programmable state machine type central control unit, a fully hardware coprocessor, or subroutines executed by the CPU.
  • The calculation block CRU can be configured to perform, at the request of the unit UC, multiplications of large numbers, for example of size between 32 bits and 2048 bits, and in particular those performed in steps S42 and S92 of the GNSP and GNSP1 to GNSP5 procedures, as well as those involved in the modular exponentiation calculations of the Fermat and Miller-Rabin tests performed in the INTP and INTP1 procedures, and of the Pocklington test performed in the PCKT and PCKT1 procedures.
  • The calculation block can also be configured to perform directly, at the request of the processing unit, the modular exponentiation operations of the Fermat and Miller-Rabin tests executed in the INTP and INTP1 procedures, and of the Pocklington test performed in the PCKT and PCKT1 procedures.
  • The device DV may also include a random or pseudo-random generator RGN of M bits for performing steps S21, S33, S11, S91 and S63.
  • The unit UC may thus comprise a prime number generation module PGN implementing one of the GNLP, GNLP1, GNM and GNST procedures.
  • The unit UC may also comprise a module KGN for generating cryptographic data such as cryptographic keys, and signature (SGN) and encryption (ENC) modules using cryptographic data generated by the KGN module.
  • Each of the PGN, KGN, ENC, SGN modules can use the CRU block to perform complex operations, such as multiplications of numbers of large sizes or modular exponentiations.
  • The cryptographic data generated are stored in the memory MEM.
  • The KGN, SGN and ENC modules can implement the RSA algorithm by generating two prime numbers of 512 or 1024 bits using the PGN module.
  • FIG. 21 represents a KGEN1 procedure for generating a secret and public key pair, in accordance with the RSA algorithm, executed by the KGN module.
  • The KGEN1 procedure comprises steps S141 to S146.
  • In steps S141 and S142, two prime numbers P and Q are generated using a PRGN procedure receiving as input parameter the size L of the prime numbers to be generated.
  • The PRGN procedure corresponds to one of the GNLP, GNLP1, GNM and GNST procedures performed by the PGN module.
  • In step S143, the numbers P and Q are multiplied by one another to obtain a number N.
  • In step S144, an odd number E is randomly selected within a certain interval, for example between 3 and 2^L - 1.
  • In step S145, if the selected number E is not invertible modulo the quantity (P-1)(Q-1), a new number E is chosen in step S144; otherwise step S146 is executed to choose a number D such that E × D is equal to 1 modulo (P-1)(Q-1).
  • The KGEN1 procedure terminates after step S146 by providing as a private key the pair of numbers (N, D) and as the public key the pair of numbers (N, E).
  • The DSA algorithm can also be implemented by the KGN, SGN and ENC modules, by generating two prime numbers of different sizes, for example 256 and 2048 bits.
  • FIG. 22 represents a KGEN2 procedure for generating a secret and public key pair, conforming to the DSA algorithm, executed by the KGN module.
  • The KGEN2 procedure comprises steps S151 to S155.
  • In steps S151 and S152, two prime numbers P and Q are generated using a PRGN procedure receiving successively as input parameter the sizes L1 and L2 of the prime numbers P and Q to be generated.
  • The sizes L1 and L2 are for example equal to 2048 and 256 bits respectively.
  • In step S153, a GGEN procedure is called to generate a number G which constitutes a generator number of the modulo P subgroup P.
  • In step S154, a secret key SK is randomly selected in the interval [1, Q-1].
  • In step S155, a public key PK is calculated by raising the number G to the power SK modulo P.
  • The KGEN2 procedure terminates after step S155 by providing the private and public key pair (SK, PK).
  • The invention is not limited to an iterative method of generating a large prime number. Indeed, it may be envisaged to store a prime number having a size substantially equal to half or a third of that of the prime numbers to be generated, and to execute a single iteration corresponding to the execution of one of the GNSP and GNSP1 to GNSP3 procedures. Compared to the solution of directly storing a prime number usable to generate cryptographic keys, this solution offers a gain in storage capacity equal to half or two thirds of the size of the prime numbers used. This solution also has an advantage in terms of security and confidentiality, since it is not possible to know in advance the prime number or numbers that will be used to generate the cryptographic keys. Indeed, even if the previous prime number is fixed, the random choice of the integer R makes it possible to obtain in a single iteration most of the prime numbers having the desired size.
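
The following Python sketch is an added example, not part of the patent text: it runs the GNSP2 candidate search (tables W and G of DVT1/DVT2, then the Pocklington check of PCKT/PCKT1) under the GNST size recursion and returns a chain of witnesses that can be re-verified. Assumptions not taken from this page: formula (10) is read as I = floor(2^(L-1) / 2P), equations (2) and (3) as the standard Pocklington conditions, the seed prime is proven by trial division, and all function names are illustrative.

```python
import math
import secrets

def small_primes(v):
    """List Q: the v smallest odd primes (2 is skipped, 2*P*R + 1 is always odd)."""
    q, n = [], 3
    while len(q) < v:
        if all(n % p for p in q if p * p <= n):
            q.append(n)
        n += 2
    return q

def is_prime_trial(n):
    """Proven primality by trial division; only used for the small seed prime."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def pocklington(pr, r, a):
    """PCKT: with pr = 2*r*p + 1, p prime and r < p, both conditions prove pr prime."""
    if pow(a, pr - 1, pr) != 1:                      # assumed equation (2)
        return False
    return math.gcd(pow(a, 2 * r, pr) - 1, pr) == 1  # assumed equation (3)

def dvt2(W, G, Q):
    """Formula (16): W_j <- W_j + G_j mod Q_j after Pr += 2P, small numbers only."""
    ok = True
    for j, q in enumerate(Q):
        w = W[j] + G[j]
        if w >= q:          # w == q must reduce to 0, so the comparison is >=
            w -= q
        W[j] = w
        if w == 0:          # Pr is divisible by Q_j
            ok = False
    return ok

def gnsp2(p, L, Q):
    """From a proven prime p, return (pr, r, a) with pr a proven L-bit prime."""
    I = (1 << (L - 1)) // (2 * p)          # assumed form of formula (10)
    if not 0 < 2 * I < p:
        raise ValueError("need 0 < 2I < p so that every r in [I+1, 2I] is below p")
    G = [(2 * p) % q for q in Q]           # table G: 2P mod Q_j
    while True:
        r = I + 1 + secrets.randbelow(I)   # S91: r in [I+1, 2I]
        pr = 2 * p * r + 1                 # S92: formula (1)
        W = [pr % q for q in Q]            # DVT1: the only big-number divisions
        ok = all(W)
        while r <= 2 * I:
            if ok:
                a = 2 if L >= 129 else 2 + secrets.randbelow(pr - 3)  # PCKT1 rule
                if pocklington(pr, r, a):
                    return pr, r, a
            r += 1                         # S97
            pr += 2 * p                    # S99: no multiplication needed
            ok = dvt2(W, G, Q)             # S100

def gnst(L, Q, LL=32):
    """Shawe-Taylor style recursion; returns (prime, chain of (pr, p, r, a) links)."""
    if L < 2:
        raise ValueError("L must be at least 2 bits")
    if L <= LL:                            # seed: small prime proven by trial division
        while True:
            c = secrets.randbits(L) | (1 << (L - 1)) | 1
            if is_prime_trial(c):
                return c, []
    p, chain = gnst((L + 1) // 2 + 1, Q, LL)   # S73: ceil(L/2) + 1 bits
    pr, r, a = gnsp2(p, L, Q)                  # S75
    return pr, chain + [(pr, p, r, a)]

def verify_chain(chain):
    """Re-check every link: trial division for the seed, Pocklington for each step."""
    if not chain or not is_prime_trial(chain[0][1]):
        return False
    prev = chain[0][1]
    for pr, p, r, a in chain:
        if p != prev or pr != 2 * p * r + 1 or r >= p or not pocklington(pr, r, a):
            return False
        prev = pr
    return True

if __name__ == "__main__":
    Q = small_primes(150)                  # v chosen between 100 and 200
    prime, chain = gnst(256, Q)
    print(prime.bit_length(), len(chain), verify_chain(chain))
```

With LL = 32 the seed prime has at least 18 bits whenever the sieve is used, so it exceeds every Q_j in a list of 150 primes; a smaller LL would need a matching reduction of v.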

EP12815734.4A 2011-12-15 2012-12-12 Method for generating prime numbers proven suitable for chip cards Ceased EP2791784A1 (de)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
FR1161740A FR2984548B1 (fr) 2011-12-15 2011-12-15 Method for generating prime numbers proven suitable for chip cards
FR1161742A FR2984550B1 (fr) 2011-12-15 2011-12-15 Method for generating prime numbers proven suitable for chip cards
FR1161739A FR2984547B1 (fr) 2011-12-15 2011-12-15 Method for generating prime numbers proven suitable for chip cards
FR1161741A FR2984549A1 (fr) 2011-12-15 2011-12-15 Method for generating prime numbers proven suitable for chip cards
FR1201550A FR2984551B1 (fr) 2011-12-15 2012-05-30 Method for generating prime numbers proven suitable for chip cards
PCT/FR2012/052902 WO2013088066A1 (fr) 2011-12-15 2012-12-12 Method for generating prime numbers proven suitable for chip cards

Publications (1)

Publication Number Publication Date
EP2791784A1 true EP2791784A1 (de) 2014-10-22

Family

ID=48611909

Family Applications (2)

Application Number Title Priority Date Filing Date
EP12815734.4A Ceased EP2791784A1 (de) 2011-12-15 2012-12-12 Method for generating prime numbers proven suitable for chip cards
EP12815733.6A Not-in-force EP2791783B1 (de) 2011-12-15 2012-12-12 Method for generating prime numbers proven suitable for chip cards

Family Applications After (1)

Application Number Title Priority Date Filing Date
EP12815733.6A Not-in-force EP2791783B1 (de) 2011-12-15 2012-12-12 Method for generating prime numbers proven suitable for chip cards

Country Status (5)

Country Link
US (2) US9577826B2 (de)
EP (2) EP2791784A1 (de)
CN (1) CN104067217A (de)
IN (1) IN2014CN04637A (de)
WO (2) WO2013088066A1 (de)

Also Published As

Publication number Publication date
EP2791783B1 (de) 2019-04-17
US20140355758A1 (en) 2014-12-04
WO2013088066A1 (fr) 2013-06-20
EP2791783A1 (de) 2014-10-22
WO2013088065A1 (fr) 2013-06-20
CN104067217A (zh) 2014-09-24
IN2014CN04637A (de) 2015-09-18
US20140358980A1 (en) 2014-12-04
US9596080B2 (en) 2017-03-14
US9577826B2 (en) 2017-02-21


Legal Events

Date Code Title Description
PUAI Public reference made under Article 153(3) EPC to a published international application that has entered the European phase; Free format text: ORIGINAL CODE: 0009012
17P Request for examination filed; Effective date: 20140610
AK Designated contracting states; Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
DAX Request for extension of the European patent (deleted)
17Q First examination report despatched; Effective date: 20170301
REG Reference to a national code; Ref country code: DE; Ref legal event code: R003
STAA Information on the status of an EP patent application or granted EP patent; Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED
18R Application refused; Effective date: 20181001