FR2864390A1 - Cryptographic process for e.g. message encryption and decryption, involves scanning bits of preset value from left to right in loop, and calculating and storing partial updated result equal to exponentiation in accumulator - Google Patents

Abstract

The process involves scanning bits of a preset value from left to right in a loop indicated by a preset integer varying in a predetermined range. A partial updated result equal to exponentiation is calculated and stored in an accumulator. Result of multiplication of content in the accumulator with a function number in a register is stored in the accumulator for realizing modular exponentiation.

Description

CRYPTOGRAPHIC METHOD OF MODULAR EXPONENTIATION PROTECTED AGAINST

DPA ATTACKS

  In the field of protection of cryptographic algorithms against DPA attacks, the invention relates to a method in which a modular exponentiation of xAd type, with an integer exponent of m + 1 bits, is carried out by scanning the bits of d left to right in a loop indexed by i varying from m to 0 and calculating and storing in an accumulator (RO), at each turn of rank i, an updated partial result equal to x'b (i). b (i) corresponds to the m-i + 1 most significant bits of the exponent d: b (i) = dm_> i. The number of bits of weight j to k of d is defined by: dk-> j = (dk, ..., dj) 2 = e = j di.2A (i-j).

  Modular exponentiation is one of the basic operations used in many cryptosystems, such as RSA cryptosystems (Rivest, Shamir and Adleman) or DH (Diffie and Hellman) cryptosystems. For such applications, x is for example a message to be encrypted or decrypted, to sign or to authenticate, and d is for example a public key, a secret key, or a part of such a key.

  Since the invention of public key cryptography by Diffie and Hellman, many public key cryptosystems have been proposed. Among those that resist cryptographic analysis, the RSA cryptosystem is undoubtedly the most widely used. Its intrinsic security lies in the difficulty of factoring large integers. Despite intensive research, the problem of factorization is still considered an important problem, making the RSA cryptosystem safe for sensitive applications such as data encryption or digital signature.

  Also, rather than attempting to break the RSA algorithm at a mathematical level, cryptographers have been interested in the actual implementations of RSA cryptosystems. This has led to the rise of fake attacks and hidden channel attacks, aimed at discovering in particular confidential information (such as keys or parts of keys) manipulated during one or the other of steps implemented by the computing device executing a cryptographic operation.

  The most known hidden channel attacks are called simple or differential. Simple concealed channel (SPA) or differential (DPA) attack is understood to mean an attack based on the measurement of a physical quantity from outside the device, including direct analysis (simple SPA attack) or analysis according to a statistical method (DPA differential attack) makes it possible to discover information manipulated in the device. These attacks have been unveiled by Paul Kocher (Advances in Cryptology - CRYPTO'99, 1666 of Lecture Notes in Computer Science, pp.388-, 397. Springer-Verlag, 1999), Among physical quantities that can be exploited for these purposes, the execution time, the power consumption, the electromagnetic field radiated by the part of the component used to perform the calculation, etc., may be mentioned. These attacks are based on the fact that, during the execution of an algorithm, the manipulation of a bit, ie its use by a particular instruction, leaves a particular imprint on the physical quantity considered, according to the value of this bit and / or according to the instruction.

  There are two families of implementations of exponentiation algorithms for evaluating the value of y = x "d mod N: so-called right-to-left implementations and so-called left-to-right implementations.

  In the implementations from left to right, the bits of the exponent are scanned from the most significant bit to the least significant bit. In this second family of exponentiation algorithms, is notably known the SAM algorithm (for Square And Multiply or squaring and multiplying) and its variants such as sliding window algorithms.

  Compared to so-called right-to-left algorithms, the left-to-right algorithms require less memory and allow the use of pre-computed x'i powers to speed up the calculation of y. All algorithms from left to right have in common the use of an accumulator (or register) that is updated throughout the calculation to store the value of xAdm_> i mod N for decreasing values of i until the accumulator contains the final value y = xA dm_> o = xA d mod N. dk_> j is the word consisting of the bits of weight j to k of d.

  The general principle of the SAM algorithm is as follows. We denote d = (dm, ..., do) 2 = m = 0 di.2A i, the binary representation of the exponent d, with di e {0, 1}, the bit of weight i of d. For each bit of d, the SAM algorithm stores in an accumulator (register RO) an updated result calculated from the recurrence relation xA dm_> i = () eA dm-> i + 1) 2 * xA di, with xAdm_> m = xAdm, which is summarized by the algorithm below: Input: x, d = (dm, ..., do) 2 Output: y = xAd mod N RO <- 1; R2 <- x, i <m as i 0, do: RO <- ROxRO mod N if di = 1 then RO <- ROxR2 mod N i <- i-1 end as returning RO RO <- x means that l the value of x is stored in the register RO. ROxRO means that the contents of register R0 are squared. ROxR2 means that the product of the contents of the register RO is produced by the contents of the register R2. Finally, di_> j refers to bits of rank j to i of d.

  To prevent implementation attacks, it is known that random algorithms must be made. In the case of the RSA cryptosystem, two types of countermeasures are currently known for making the calculation of y = xAd mod N. random. The first type of countermeasure consists in rendering the input data of the algorithm random.

  A first example of this first countermeasure consists in rendering the data x random before carrying out the modular exponentiation, adding to x a random term and making the modulo 2'k N calculations, before a final modulo N: x < - x + r1.N, with r1 a random number of k-bits 10 and to do the modulo calculations (2Ak) .N, before a final modulo N reduction. This first countermeasure, described by P. Kocher, has the advantage of being independent of the exponentiation algorithm.

  A second example of this first countermeasure consists in rendering the exponent d random before carrying out the modular exponentiation, adding to it a random term: d <- d + r2.ci) (N), r2 a random number of k-bits.

  Most often, these two solutions are combined to perform the operation y = y mod N with y = xA d mod (2k.N).

  A third example of this first countermeasure used alone for example when x is the result of a probabilistic formatting (for example using the PSS or Probabilistic Signature Scheme function), because in this case, x is already masked and we calculate directly y = xd mod N with d = d + r2.cl) (N) with random r2.

  Unfortunately, such a randomization of the exponent d is limited to particular implementations, called CRT implementations, of the RSA cryptosystem because the value of the Euler constant 4) (N) is not generally known to the algorithm of private exponentiation in its standard version (that is, non-CRT).

  The second countermeasure is to make the exponentiation algorithm itself random. The best practice of the 2nd countermeasure is Walter's MIST algorithm. The MIST algorithm randomly generates a new addition string for the exponent d to realize xAd mod N. To minimize the number of registers, the addition chain is performed on the fly via an adaptation an exponentiation algorithm based on division strings. Another example is an improved version of a sliding window algorithm (see Kouichi Itoh, Jun Yajima, Masahiko Takenaka, and Naoya Torii.) CHES 2002, Volume 2523 of Lecture Notes in Computer Science, pages 303- 317, Springer Verlag 2002). Compared to the first countermeasure, this makes it possible to randomize the exponentiation without needing to know 4 (N) but requires a secure division algorithm to calculate the division strings and causes significant management problems.

  The invention proposes a novel method for randomizing the execution of a modular exponentiation, with the aim of preventing differential attacks (DPA), having the advantages of the two known countermeasures as in the first countermeasure, the method according to the invention does not impose any particular exponentiation algorithm and applies to any exponentiation algorithm, and as in the second countermeasure, in the invention, the algorithm itself is made random, and not just the data he manipulates. Thus, the algorithm does not need to know 4 (N) and / or the public key e in an RSA exponentiation (the key e is often unavailable to the signature or decryption algorithm).

  The method according to the invention introduces the concept of auto-random exponentiation, meaning that the exponent d is itself used as an additional source of randomness in the exponentiation process.

  Thus, the invention relates to a cryptographic method in which a modular exponentiation of type xAd, with an integer exponent of m + 1 bits, is carried out by scanning the bits of d from left to right in a loop indexed by i decremented by m to 0 in steps of 1 and calculating and memorizing in an accumulator, at each turn of rank i, an updated partial result equal to xAb (i), b (i) being the m-i + 1 bits of weight the stronger of the exhibitor d.

  The method according to the invention is characterized in that: - at the end of a randomly selected turn of rank i (j) (i = i (0)), a randomization step E 1 is carried out during which: El: subtract a number z (z = b (i (j)), z = b (i (j)) .2i, z = u) random at some of the bits of d not yet used (di_1_> 0) in the method - then, after having used the bits of d modified by the randomization step E1, a consolidation step E2 is carried out during which: E2 is stored (RO <- R1xRO) in the accumulator (RO) the result of multiplying the contents of the accumulator (xAb (i)) by a function number of x'z stored in a register (R1).

  From a practical point of view, during the step E1, the number z is subtracted from the contents of a register in which the exponent d is initially stored, and the result of the subtraction is stored in the same register, then we continue to scan the bits of b.

  For the result of the exponentiation xAd mod N to be correct at the end of the process, the randomization step El, must not modify the bits of d already used in the computation (remember that the process uses a left algorithm to the right). The index i (j) to which the randomization El, randomly chosen, is to be chosen must be chosen such that the mid (j) + 1 most significant bits of the register initially containing the exponent d remain unchanged at the time. Step El. This condition will be called a condition of "consistency".

  The essential idea of the invention is thus to use a division of the calculation of xAd mod N of the form: xAd = xA (dz) * xAz (described in the French patent application No. 02 04117 (n to be confirmed) with z is a random number used as a means of masking the exponent d. Preferably, appropriate values of z are chosen such that xAz can easily be obtained from x'b already calculated elsewhere during the process. a totally random choice of z results in a near doubling of the computation time.

  The method according to the invention applies independently of the exponentiation algorithm from left to right. On the other hand, the rank i (j) at which step E 1 is performed is random, so the process itself is random, and not only the data it manipulates.

  The method according to the invention is also effective in terms of space (it requires only one additional calculation register) and in terms of calculation time, as will be seen later in the example of the algorithm SAT.

  The method according to the invention is still easy to implement whatever the algorithm to which it is applied: it does not rely on any group property and its implementation does not require to know in advance the order of the group in which exponentiation is performed.

  Finally, the method according to the invention can be used in conjunction with other protection measures of the algorithms, such as the counter measures disclosed by P. Kocher and recalled previously.

  The randomization step E 1 can be carried out once during the process. Step E1 can also be performed several times, at the end of different turns of rank i (j) (that is to say at rank i = i (0), then at rank i = i (1), ..., then finally at the rank i = i (f)) randomly selected between 0 and m. The idea here is to further improve the safety of the process by using the relation xAd = xA (d-z1-z2 -_-zf) xxAz1xxAz2x xxAzf = xA (((d-z1) -z2) -...- zf) x ((xAzl) xxAz2) x ... xxAzf One can choose at the beginning of the process the random row or ranks i (j) to which one carries out a randomization El. For example, at the beginning of the process, one determines a predefined set {i (0), i (1), ..., i (f)} of f + 1 (f being random or not) values of the index i for which it is desired to carry out a randomization El. In this case, at each turn, it is decided whether or not to perform a randomization El according to whether the current index i is part of the predefined set or not.

  One can also choose randomly at the beginning of each turn i to perform or not the randomization step E1. In this case, we use for example a boolean variable p, randomly drawn at the end of each index round i.

  Various embodiments of the invention will now be described, which differ from each other essentially by the embodiment of step E1, and in particular by the choice of z and by the choice of the part of d. subtracted from z. According to a first embodiment, it is chosen to carry out the consolidation step once at the end of the process. This requires systematically subtracting the least significant bits of the exponent d, so as to obtain a correct result at the end of the process.

  According to a first variant of this embodiment, z = b (i (j)) = dm_> i (j) is chosen for a random number i (j) chosen and, during the randomization step E 1, subtract b (i (j)) to d, i.e., the least significant bits of d.

  The choice z = b (i (j)) is particularly advantageous since xAb (i (j)) = x'dm_> i (j) is already available in the accumulator at the end of the turn i (j) and n ' therefore does not need to be calculated. The variable i (j) is chosen such that the bits of weight i (j) to m of the number db (i (j)) are equal to the bits of weight i (j) of the number d, so that the mi (j) ) + l the first rounds of the xAd calculation are identical to the first mi (j) + l rounds of the x '(db (i (j))) computation (consistency condition). At the end of the turn i (j), one calculates d-z = d-b (i (j)) and one memorizes the contents of the accumulator xAb in the register (El).

  In a particular example, a boolean variable p is used to determine, at the end of each index round i, whether a randomization is performed or not. If p takes an active value, then step E1 is carried out: the number d is replaced by the number d-b (i (j)) and xAb (i (j)) is stored.

  As in the classical left-to-right algorithm, the RO accumulator is used to keep the value of x'dm_> i at each index round i. We use the register R1 to keep the product jljx ^ dm-> i (j) All applied to the known SAM algorithm, we obtain the following algorithm I: Input. x, d = (dm, ..., do) 2 Output: y = x'd mod N RO <- 1; R1 <- 1; R2 <- x; i <- m as long as i 0, do: RO <- ROxRO mod N if di = 1 then RO <ROxR2 mod N p <- R {0, 1} if p = 1) AND di_1_> 0 then d <- d - dm-> i R1 <RlxRO mod N fin if i <- ii end as long as RO <- ROxRl mod N return RO p <- R {0, i} means that we choose the value of p randomly in the set {0, i}. p is thus a random Boolean variable.

  The randomization step E1 (d <- d - dm -> i (j); R1 <- R1xRO mod N) is carried out only if p = 1 (that is to say if randomization is to be carried out) and if di (j) -1-> 0> _ dm-> i (j) The condition di (j) _I_> 0? dm-> i (j) means that the bits of weight 0 to i-1 of d are greater than b (i (j)), b (i (j)) being equal to the bits of weight i (j) to m of d. This makes it possible to guarantee that the m-i + 1 most significant bits of db (i (j)) are identical to the m-i + l most significant bits of d, and therefore that the first m-i + 1 The rounds of the xAd calculation are identical to the first m-i + l rounds of the xA calculation (d- b (i (j))).

  The condition of "consistency" (di (j) -1-> 0? D>) implies that only the least significant bits of exponent d are randomized. Moreover, we note that the randomization step d <- d - dm-> i (j) only modifies the (m-i (j) + l) least significant bits of d.

  Note that, in the algorithm I, as at the iteration i = i (j) the update step d <- d - dm_> i does not modify the (m-i + l) most Significantly, this step can be replaced by the equivalent step: di-1-> 0 <- di-1-> 0 - dm-> i.

  According to a second variant of the first embodiment, z is chosen equal to g.b (i), with g a random number such that di (j) _I_> 0? In this case, we use the relation xAd = xA (d-z) .xAz = x dg.b (i)). (xAb (i)) g, and, from a practical point of view, to perform a randomization El at the end of the index round i (j): - we calculate z = gb (i) and subtract the result to the exponent d, the register R1 is updated by multiplying its content by the content of the accumulator (xAb (i)) exposed to the power g. What concretely can be achieved by the instruction R1 <R1xRO'g mod N. We choose preferably g = 21, where T is a random integer. This considerably simplifies the computations since the computation of gb (i) = g.dm_> i (7) amounts to a simple bit shift and the evaluation of (x 'b (i))' g mod N amounts to realizing the calculating i squares.

  Since multiplying by 21 returns to a bit shift, the instruction d <- d - 2ti.dm_> i which calculates dg.b (i) can be replaced by dm_> 1 <- dm> t - dm -> i or moreover, by the equivalent instruction di_1_> T <- di-1-> 1 dm-> i Moreover, as for the other embodiments, it must be verified that at the iteration i = i (j), di- 1-> 0? This condition of consistency can be replaced by an equivalent but more effective test: di_1_> T dm-iE Preferably, we choose t random in the set {0, T}. The terminal T is chosen as the best compromise between the randomization of the most significant bits of d and the efficiency (in terms of computation time in particular) of the calculation of the i squares.

  In the particular example of the SAM algorithm, the following algorithm I 'is finally obtained. Input: x, d = (dm, ..., do) 2 Output: y = xAd mod N RO <- 1; R1 <- 1; R2 <- x; i <- m as long as i 0, do: RO <- ROxRO mod N if di = 1 then RO <- ROxR2 mod N p <- R {0, 1}; T <- R {0, ..., T} if p = 1) AND (di_1_ * T dm_i)) then ± di-1-> T - dm-> i R3 <- RO as long as (T> 0) do R3 <- R3A2 mod NT <- T-1 end as long as R1 <- R1xR3 mod N end if i <i-1 end as long as RO <- ROxRl mod N return RO An advantage of the algorithm I 'is that Partly, the upper half of d is randomized and entropy (that is, randomness) is added accordingly. On the other hand, an additional register R3 is necessary to calculate ROA2T.

  The I and I 'algorithms may be sufficient to protect the exponents in some cases. For example, because of its construction, the RSA cryptosystem still reveals the most significant half of the private exponent if the corresponding public exponent is small. Randomizing the high bits of d 10 would therefore not provide any protection for such an algorithm.

  However, for other algorithms and in other situations, randomizing all bits of d would provide additional security.

  For this purpose, it is proposed, in a second embodiment, to choose z = b (i (j)) = dm-> i (j) for a random number i (j) and, during step E1, subtracting b (i) no longer from d, but from a part of the bits of d corresponding to the bits of d of weight i (j) -c (j) to i (j) -1, where c (j) being a number integer such that i (j) c (j) 0. This can be expressed by the following statement: dm-> i (j) -c (j) <- dm-> i (j) -c (j) - dm-> i (j) Preferentially, as in step E1 of a randomization at rank i (j), the bits of weight i (j) - c (j) to i (j) - 1 of d and we choose to perform only one randomization at a time, and we choose to perform a consolidation step at the end of the rank using the last bit of modified d in the previous randomization step El (and no longer at the end of the process), ie after the evaluation of the partial result x '(dm-> i (j) -c (j)) mod N. This amounts to imposing the condition i (j + 1) S i (j) - c (j), where i (j + l) being index of the next randomization. This makes it possible not to use additional registers to memorize the bits of the exponent that have been modified during a previous randomization. Also, we choose i (j) - c (j) <0, so that i (j) - c (j) can be used to define the rank of a bit of d for the calculation of xA (dm-> i (j) -c (j)) mod N. These two conditions can be concretized by the use of a Boolean semaphore c which indicates whether an update is allowed or not 6 has an inactive value as long as ii (j ) - c (j) and is activated when i <i (j) - c (j). It becomes more unusable as soon as i (j) - c (j) O. The (mi (j) + l) most significant bits of d remain unchanged during the randomization step if (consistency condition) . di (j1-l-> i (j) - c (j) dm-> i (j) (i (j) - 1) (i (j) - c (j)) m - i (j) qc ( j) m - i (j) + 1 According to a first variant of the second embodiment, one chooses c (j) equal to mi (j) + 1. With the condition i (j) c (j)? condition c (j) m - i (j) + 1 is satisfied if 2.i (j) _> m + l.

  The modified SAM algorithm according to this variant can then be written (algorithm II). Entrance. x, d = (dm, ..., d0) 2 Output: y = xAd mod N RO <- 1; R1 <- 1; R2 <- x; i <- m; c <-1; a <- 1 while i 0, do: RO <ROxRO mod N if di = 1 then RO <- ROxR2 mod N end if if (2i? m + l) AND (a = 1) then c <- m-i + l otherwise a = 0 end if p <- R {0, 1} s <- p AND (di-1 -> ic dm-> i) AND if s = 1 then R1 <- RO; a <- 0 di-1 -> i-c <- di-1 -> i- c dm -> i end if if c = 0 then RO <- ROxRl mod N; 6 <- 1 end if c <- c- 1; It will be noted that algorithm I corresponds to algorithm II in the case where c (j) = i (j) for all j. It will also be noted that in algorithm II, the consistency condition (di (j) -1 + c (j) dm-) is satisfied during the first part of the algorithm, considering approximately that di (j) __ (j) -c (j) and dm-> i (j) are random numbers of (mi (j) + l) bits. It will be noted in this algorithm that all the bits of the exponent are randomized.

  According to a second variant of the second embodiment, one chooses c (j) random and between i (j) and m-i (j) + 1.

  We have seen previously that the condition c (j) m - i (j) + 1 must be verified. By putting c (j) = m - i (j) + 1 + v (j), we must therefore check v (j) O. Moreover, with the condition i (j) c (j)> - 0, comes 2.i (j) m + l + v (j). So the greatest possible value for v (j) is 2.i (j) -m-1 and so, like v (j)> _0, the parameter c (j) = m- i (j) + 1 + v (j) can take any value in the set {mi (j) + l, ..., i (j)}. We can then generalize algorithm II by choosing c (j) random in the set {m-i (j) + l, ..., i (j)}.

  In the particular example of the algorithm II it amounts to replacing the instruction: if (2i> - m + l) AND (a = 1) then c <- m-i + 1 by the instruction: if (2i > _ m + 1) AND (a = 1) then c <- R {m-i + l, i} which gives the following algorithm III: Input: x, d = (dm, ..., do) 2 Output: y = xAd mod N RO <- 1; R1 <- 1; R2 <- x; i <- m; c <-1; a <- 1 while i 0, do: RO <- ROxRO mod N if di = 1 then RO <- ROxR2 mod N end if if (2i> _ m + l) AND (a = 1) then c <- R {m-i + l, i} else a = 0 end if p <- R {O, 1} E <- p AND (di-1 -> ic dm-> i) AND if E = 1 then R1 < - RO; a <- 0 di-1 -> i-c <- di-1 -> i-c - dm -> i end if if c = 0 then RO <- ROxRl mod N; 6 <1 end if c <- c-1; end as returning RO A larger value for v (j) increases the probability of success for the consistency condition (and therefore for choosing a randomization). On the other hand, this also reduces the possible values of the indexe i satisfying the condition 2.i (j) m + 1 + v (j).

  The frequency of occurrence of the p = 0 value of the boolean variable p is a parameter of the method making it possible to choose the best compromise between performance and security, depending on the application envisaged: the more steps are taken to randomization, the more the global computation time is penalized; conversely, the less randomization steps are performed, the more the attacks by exhaustive search are facilitated.

  A good way to minimize the cost of the additional operations is to slightly modify the random number generator producing the number p so that, when the Hamming weight of dz (z can have different values as a function of b (i), according to the envisaged embodiment) is lower than the Hamming weight of d, pa has a higher probability of being 1, and vice versa. With this trick, the algorithm will tend to select the case with the lowest weight of Hamming, that is to say the fastest branch.

  We only note that this algorithm can not always select the fastest branch, otherwise it will become deterministic and therefore easily attackable.

  According to a third embodiment of the invention, a random number of v bits is selected at the beginning of the method and x'u is stored in the register R1. Preferably, the number u is changed several times during the process to increase the random factor in the process.

  Then, during the computation, for a given rank i (j), one wonders, for a packet w of v bits of d such that w> u, if the computation of xAw is more expensive (in term of computation time ) that of xA (wu) * xAu.

  To answer this question, it is sufficient to determine if H (w> H (wu) + 1. H (w) is the Hamming weight of w, it is representative of the cost of the operation x'w. ) is the Hamming weight of x '(wu), representative of x' (wu) The term "+ 1" is representative of the cost of multiplying x '(wu) by x'u (x'u being memorized otherwise).

  If the computation of x'w is less expensive than the computation of x w-u) * xAu, then the process is continued. Otherwise, if the calculation of xAw is more expensive than the calculation of xA (wu) * x'u, then we replace the packet w of bits of d by the number w-u. The consolidation step (here, a multiplication by xAu, which translates by the operation RO <- ROxRl mod N) will be performed when all the bits of modified d have been used.

  Compared with the two previous embodiments described, this third embodiment has the advantage of being faster, since, to perform a randomization, we choose each time the fastest path (the least expensive). Thus, it is shown experimentally that the complexity of this process is about 1.4. Complexity is the average number of register contents multiplied for each bit of exponent d. The complexity of an unprotected SAM algorithm is 1.5; the complexity of the processes according to the first or second embodiments of the invention is in turn slightly greater than 1.5.

  Moreover, in this third embodiment, the source of randomness (the number u) is external to the process. Finally, the resources (including the number of registers) used are the same.

  This third embodiment can be embodied by the following algorithm IV: Input. x, d = (dm, ..., do) 2 Parameters: v, k Output: y = xAd mod N RO <- 1; R2 <- x; i <- m; L = {} as long as i 0, make RO <- ROxRO mod N if di = 1 then RO <- ROxR2 mod N end if if i = m mod ((m + l) / k)) then a <- 1 end if if a = 1 and L = {} then (modification of the number u during the process) a <- 0; u <- R {0, 2v-1}; R1 = xAu mod N fin if w <- di-> i-v + l h <- H (w) if w u then A <- w-u; hp <- 1 + H (A) else hp <- v + 2 end if p <- R {0, 1} if [(a = 0) n (i-v + l> _0)] A [(h> ha) OR ((p = 1) AND (h = ho))] then (one chooses to realize x "(wu)) di-> i-v + 1 <- A; L <- L u {i-v + l} end if si (i EL) then RO <- ROxRl mod NL <- L \ {i} end if i <- i-1 end as return RO In this example, set L contains the list of indices for which a consolidation step must be performed The instruction "if di = 1 then RO <- ROxR2 mod N end si" is the classical instruction of a SAM algorithm, performed for each value of i.

  The exponent d is here cut into k blocks, of identical size if m + 1 is divisible by k or of identical size to a unit if not.

  At each beginning of the block (that is to say for i = m mod ((1 + 1) / k)), we put the variable a to 1. Then, when a is worth 1, we must wait for the set L be empty before performing a new randomization step. At each consolidation stage, a corresponding index i (j) of the set L (instruction L <- L \ {i}) is removed.

  When the set L is emptied, a new value of u can be chosen and xAu is calculated by a conventional SAM algorithm using registers R1 and R2.

  In the middle of each block (a = 0), one or more randomization steps are performed, when h> hA or (p = 1 and h = hA), and are stored each time (instruction L <- LU {i- v + l}) the index i (j) -v + 1 to which we will have to carry out a consolidation step. It is therefore necessary that iv + 1 be a valid consolidation index, that is i-v + 1> _0 (consistency condition). At each randomization step, if h> hA, we choose to perform the operation xA (wu) * xAu, which is less expensive, and we modify the bits of d accordingly (di-> i-v + 1 <- A) . If h <hA, we choose to make xAw, less expensive, and we do not modify d. If h = hA, one chooses randomly (p = 0 or 1 random) to realize x w-u) * xAu or x'w.

  As an indication, we give the average number of modular multiplications necessary to carry out an exponentiation of length 1024 with the SAM algorithm, protected or not: É SAM without protection: 1536 multiplication É SAM protected by adding a multiple of c (n) ( r.IV (n) with r of 64 bits) added to the exponent d (prior art): 1536 + 96 SAM multiplications protected according to algorithm II or III. 1536 + 10 10 SAM multiplications protected according to the algorithm I '1536 + 512 multiplications. p, p being the average value of p SAM protected by the algorithm IV 1443 multiplications It is found by these examples that a protected algorithm according to the invention is very efficient, in terms of multiplications (and therefore computing time) .

Claims (21)

  A cryptographic method in an electronic component in which a modular exponentiation of type x ^ d, with an integer exponent of m + 1 bits, is carried out by scanning the bits of d from left to right in a loop indexed by i varying from m to 0 and calculating and storing in an accumulator (RO), at each turn of rank i, an updated partial result equal to x ^ b (i), b (i) being the m-i + 1 bits of the strongest weight of the exponent d (b (i) = dm_, i), the method being characterized in that, at the end of a turn of rank i (j) (i = i (0)) chosen randomly, a randomization step E1 is carried out in which: E1 subtracts a number z (z = b (i (j)), z = b (i (j)); 2i, z = u) random at a part of the bits of d not yet used (di-1-> o) in the process then, after having used the bits of d modified by the randomization step E1, a consolidation step E2 is carried out during which: E2 : we memorize (RO <- R1xRO) d in the accumulator (RO) the result of the multiplication of the contents of the accumulator (x ^ b (i)) by a function number of x ^ z stored in a register (R1).   2. Method according to the preceding claim, wherein step El is repeated one or more times, at the end of different rounds of rank i (j) (i = i (0), i = i (1), .. .) randomly selected between 0 and m.   2864390 26 3. Method according to the preceding claim, wherein, at each turn i, it is decided randomly (p = 1) if step E1 is performed or not.   4. Cryptographic method according to one of claims 1 to 3, wherein the number z (z = b (i (j)), z = b (i (j)). 2'r) is a function of the exponent d, in which, during the randomization step, the result of the multiplication of the content of the accumulator (x ^ b (i)) by the content is stored (R1 <- ROxRl) also in a register (R1). of said register (R1).   5. Method according to claim 4, wherein the consolidation step E2 is performed after the last round of rank i equal to 0.   6. Method according to the preceding claim, during which, in step El, subtracting the number b (i) from d.   7. The method according to claim 6, in which, to calculate y = x ^ d mod N, the following steps are carried out: A: initialization of the registers RO, R1, R2 and of a loop variable i: RO < - 1; R1 <- 1 R2 <xi <- m B: while i> _ 0, repeat the following steps: a: multiplication of the contents of the register RO by itself modulo N and storage of the result in the register RO RO <- ROxRO mod N b: if di = 1 then multiplication of the content of the register RO by the contents of the register R2 modulo N and storage of the result in RO if di = 1 then RO <- ROxR2 mod N c. random choice of a value of the variable p among two values, 0 and 1 p <- R {0, 1} 30 d: if ((p = 1) AND di-l_> o dm-i then aa: subtraction of bits of ranks i to m of the variable d to the variable d and storage in the variable ddd - dm_> i bb: multiplication of the contents of the register R1 by the contents of the register RO modulo N and storage of the result in R1 R1 <- RlxRO mod N end if e: decrementation of the variable i: i <i-1 end as long as C: multiplication of the contents of the register RO by the contents of the register R1 modulo N and storage of the result in RO RO <- ROxR1 mod N 15 D : return RO The method of claim 5, wherein step E1 is modified as follows: E1. subtracting from a number equal to g.b (i), g being a positive integer; the current partial result (x ^ b (i)) is raised to the power g and the result is stored in the register (R1).   9. Method according to the preceding claim, wherein g is equal to 21, ti being a random number selected from 0 and T. 10. Method according to the preceding claim, wherein, to calculate y = x ^ d mod N, one carries out: A: initialization of the registers RO, R1, R2 and a loop variable i: RO <- 1; R1 <- 1; R2 <- x i <- m B: as long as i? 0, do: a: multiplication of the contents of the register RO by itself modulo N and storage of the result in the register RO RO <- ROxRO mod N b: if di = 1 then multiplication of the contents of the register RO by 35 the contents of the register R2 modulo N and storing the result in RO if di = 1 then RO <- ROxR2 mod N 10 15 25 c: random choice of a value of the variable p among two values, 0 and 1: p <- R {0 , 1}; d: random choice of a value of the variable t among the values 0, .., T: ti <- R {O, T} e: if ((p = 1) AND (di-1_ti dm-i)) then aa: subtraction of the bits of ranks i to m from the variable d to the bits of ranks t to i-1 of the variable d and storage in the bits of ranks t to i-1 of the variable the variable d di-1- ti _ dm-> i bb: storage of the register RO in the register R3: R3 <RO cc: as long as (t> 0), squaring modulo N the contents of the register R3, memorize the result in R3 and decrement the variable ti as long as (t> 0) make R3 <- R3 '2 mod N; t <- t-1 end as dd: multiplication of the contents of the register R1 by the contents of the register R3 modulo N and storage of the result in the register R1 R1 <- R1xR3 mod N end if f: decrement the variable ii <- i -1 end as C: multiplication of the contents of the register RO by the contents of the register R1 modulo N and storage of the result in the register RO RO <- ROxRl mod ND: return RO 11. Method according to one of claims 1 to 4, wherein the consolidation step E2 is performed at the end of the rank using the last bit of d modified in step El.   12. The method according to claim 11, during which step E1 subtracts the number b (i) from the bits of d of rank i (j) -c (j) to i (j) -1. c (j) being an integer and storing the contents of the accumulator (x ^ b (i (j)) in the register (R1).   13. Method according to the preceding claim, in which, during the turn of rank i (j + 1), one selects randomly to perform the step El only if i (j + 1) i (j) -c (j ). (a = 1 free semaphore).   The method of claim 12 or 13, wherein c (j) is equal to m-i (j) +1.   15. Method according to the preceding claim, in which, to calculate Y = x ^ d mod N, the following steps are performed: A: initialization of the registers RO, Ri, R2 and variables i, c, a: RO < - 1; R1 <- 1; R2 <x; i <- m; c <-1; a <- 1 15 B as i> _ 0, do: a: multiplication of the contents of the register RO by itself modulo N and storage of the result in the register RO RO <- ROxRO mod N b: if di = 1 then multiplying the content of the register R2 by 20 the content of the register RO modulo N and storing the result in the register RO if di = 1 then RO <- ROxR2 mod N end if c if (2i> - m + 1) AND (a = 1) then update the variable c, otherwise set to zero of the variable a if (2i> _ m + l) AND (a = 1) then c <- m-i + 1 otherwise a = 0 end if d . random choice of a value of the variable P among two values, 0 and 1: p <- R {O, 1} e: update of the variable EE <- p AND (di-i -> ic dm-> i) AND af: if e = 1 then storage of the register RO in the register R1, setting the variable a to zero, subtraction of the bits of ranks i to m from the variable d to the bits of ranks ic to i-1 of the variable d and storing the result in the bits of ranks ic to i-1 of the variable d 35 if e = 1 then R1 <- RO; 6 <0 i-c i-c - dm -> i end if g: if c = 0 then multiplication of the contents of the register R1 by the contents of the register RO modulo N and storage of the result in the register RO; set 1 of the variable a if c = 0 then RO <- ROxRl mod N; a <- 1 10 end if h: decrementation of the variables c and i c <- c-1; i <- i-1 end as long as C return RO The method of claim 12 or 13, wherein c (j) is randomly selected from i (j) and m-i (j) +1.   17. Method according to the preceding claim, wherein, to calculate y = x ^ d mod N, one carries out: A: initialization of the registers RO, R1, R2 and loop variables c, a: RO <- 1; R1 <- 1; R2 <- x; i <m; c <-1; 6 <- 1 B: while i 0, do: a: multiplication of the contents of the register RO by itself modulo N 25 and storage of the result in the register RO RO <- ROxRO mod N b: if di = 1 then multiplication of the contents of the register R2 by the contents of the register RO modulo N and storage of the result in the register RO if di = 1 then RO <- ROxR2 mod N c: if (2i> - m + 1) AND (a = 1) then choosing a value of c randomly from among the integers between m-i + 1 and i, otherwise setting to zero the variable a if (2i> _ m + 1) AND (a = 1) then c <- R { m-i + 1, ..., i} else 6 = 0 d: update of the variable c E <- p AND (di-1 -> ic dm-> i) ANDe: if s = 1 then storing of RO in R1, zeroing of a, subtraction of bits of ranks i to m from variable d to bits of ranks i-c to i-1 of variable d and storing the result in bits of ranks ic to i-1 of the variable d if e = 1 then Ri <- RO; 6 <- 0 di-1 -> ic <- di-1 -> ic dm -> end if f: if c = 0 then multiplication of the contents of the register R1 by the contents of the register RO modulo N, storage of the result in the register RO, and set to 1 of the variable a if c = 0 then RO <- ROxRl mod N; a <- 1 end if g: decrementation of the variables c, i c <- c-1; i <i-i end as C: return RO 18. Method according to one of claims 1 to 2, wherein the number z is a number u (z = u) of v bits randomly selected and independent of the exponent d.   19. The method according to the preceding claim, wherein, during step El, the number u is subtracted from a packet w of v bits of d.   20. Method according to the preceding claim, in which: E if H (wu) + 1 <H (w), it is chosen to perform a randomization step E, E if H (wu) + 1> H (w), it is chosen not to carry out a step E1, E if H (w-1) + 1 = H (w), one randomly chooses to perform or not a randomization step E1.   21. The method according to the preceding claim, in which, v, k being parameters and x, d input data, for calculating y = x ^ d mod N, the following is carried out: registers RO, R2, of the loop variable i and of the set L: RO <- 1; R2 <- x; i <- m; L = {} B as long as i> _ 0, do a: multiplication of the contents of the register RO by itself modulo N and storage of the result in the register RO RO <ROxRO mod N b: if di = 1 then multiplication of the content of the register R2 by the contents of the register RO modulo N and storage of the result in the register RO if di = 1 then RO <- ROxR2 mod N fin if c: if i = m mod ((m + 1) / k)) then set 1 of the variable a if i = m mod ((m + 1) / k)) then a <- 1 end if d: if a = 1 and L = {} then set to zero of the variable s, choice random of the variable u in the set {0, 2v-1}, elevation of the data x to the power u modulo N and storage of the result in the register R1 if a = 1 and L = {} then s <- 0 ; u <- R {0, ..., 2v-1}; R1 = x ^ u mod N end if e: memorization of the bits of ranks i-v + l to i of the variable d in the variable ww <- di-> i-v + 1 f: storage of the Hamming weight of the variable w in the variable hh <- H (w) g: if w? u then subtraction of u to the variable w and storage in the variable p, storage of the Hamming weight of the variable p incremented by 1 in the variable hA, otherwise storage of the variable v incremented by 2 in the variable hA if w> _ u then <- wu; h8 <- 1 + H (A) else h0 <- v + 2 end if h: random choice of the variable u in the set {0, 1), p <- R {0, 1} i if [(a = O) n (i-v + 1> -0)] n [(h> hp) OR ((p = 1) AND (h = hp))] then storage of p in the bits of ranks i-v + 1 to i of the variable d, adding the value i-v + 1 to the set L if [(a = 0) n (i-v + 1> _0)] n [(h> hp) OR ( (p = 1) AND (h = hp))] then di-> i-v + 1 <-; L <- L u {i-v + 1} 33 end if j: if (i L) then multiplication of the contents of the register R1 by the contents of the register RO modulo N, storage of the result in the register RO, removal of the value i to the set L if (ie L) then RO <- ROxRl mod NL <- L \ {i} end if k: decrementation of the variable ii <- 1-1 end as C: return RO