FR3010562A1 - DATA PROCESSING METHOD AND ASSOCIATED DEVICE - Google Patents

Abstract

The invention relates to a method of processing, preferably cryptographic, data, for example implemented within an electronic entity, and an associated device. It is proposed the use of a single atomic block allowing the execution of an addition or a doubling without repetition of the block. This block serves to multiply a point of an elliptic curve by a scalar and preferably to the addition of two multiplications of a point by a scalar. Thus, a secure and particularly efficient implementation of these operations is obtained.

Description

The invention relates to a method of processing, preferably cryptographic, data, for example implemented within an electronic entity, and an associated device (for example this electronic entity). Many cryptographic systems have been built on the difficulty of solving the discrete logarithm problem in large groups or subgroups associated with an elliptic curve. This solution is now widely adopted by governments and standards. In these systems, the secret key is a randomly chosen scalar while the corresponding public key is a multiple of a given point by this scalar. Special attention is therefore paid to the implementation of the multiplication of a point of the curve by a scalar, both from the point of view of efficiency and that of security.

These calculations are used, among other things, for message encryption and decryption, message signing, key matching, password-based key matching. To put these treatments into practice, generally in an electronic entity, a particular representation of the points of the elliptic curve is used, for example by means of a plurality of elements of a Galois body (forming the coordinates of the point). , such as for example the jacobian projective representation (representation by a triplet of points of the Galois body Fp) or a modified jacobian projective representation (by means of four elements or coordinates of the Galois body Fp), as described for example in the "Coefficient elliptic curve exponentiation using mixed coordinate" from H. Cohen, T. Ono, and A. Miyaji, in K. Ohta and P.

Dinggyi, editors, Advances in Cryptology - ASIACRYPT '98, volume 1514 of Lecture Notes in Computer Science, pages 51-65. Springer, 1998. Operations on the elliptic curve are then reduced to operations in Galois IFp's body. Thus, for example, an addition or a doubling of the elliptic curve (operations which make it possible, by composition, to perform the multiplication by a scalar on the elliptic curve as described for example in the aforementioned article) are carried out by carrying out operations in the Galois body IFp on the coordinates of the point or points concerned (these operations in the Galois body must typically result in additions, subtractions, multiplications and elevations to a power 2, 3 or 4). In order to protect against Side Channel Attacks such as observing the energy consumption of the electronic entity in order to try to determine the operations that are implemented there, it has been proposed performing the aforementioned operations in the Galois body among a larger set of operations, some of which are therefore dummy, such that the sequence of successive operation types forms a periodic repetition of a predetermined number of types, and this, whatever the operation on the elliptic curve concerned. This technique is generally described in the patent application FR 2 838 210 and in its application to elliptic curves in the article "Low-cost Solutions for Preventing Single Side Channel Analysis: Side-Channel Atomicity" by B. Chevallier- Mames, M. Ciet, and M. Joye, IEEE Transactions on Computers, 53 (6): 760-768, 2004 (see also "Aspects of Fast and Secure Arithmetics for Elliptic Curve Cryptography" by M. Ciet, Ph.D. thesis, Catholic University of Louvain, June 2003).

In this article, we propose to implement the repetition of an elementary block of instructions for a processor (called atomic block) formed by the succession of a multiplication, addition, opposition and a new addition (all these operations being considered in the IFp Galois body). As already indicated, whatever the operation (doubling or addition) performed on the elliptic curve, this operation is practically implemented in the electronic entity by the repetition of elementary blocks of the same type (10 blocks in the case of doubling and 16 blocks in the case of addition), the manipulated data varying from one elementary block to another.

This solution involves the use of dummy operations within the atomic blocks. The multiplication in the Galois body, called modular multiplication, typically has a duration of execution much greater than that of the addition or the negation in this same body. The dummy operations can be limited to additions and negations whose execution time is considered negligible with regard to multiplication. This solution is also based on the fact that during a multiplication of a point of the curve by a scalar a greater number of doublings of points is made than additions of points. The implementation of the doubling is therefore preferred over that of the addition. These assumptions appear to have a significant impact on the effectiveness of this solution. The present invention aims to solve the aforementioned drawbacks. It proposes the use of a single atomic block allowing the execution of an addition or a doubling without repetition of the block. The invention relates to an electronic cryptographic data processing entity comprising processing means able to determine, from at least a first point on an elliptic curve represented by means of at least three first elements of a Galois body. a second point on the elliptic curve represented by means of at least three second elements of the Galois body, each of the second elements being obtained from the first elements by means of a set of operations in the Galois body, said processing means comprising: at least one addition operation of two points of the elliptical curve performed by executing a first sequence of successive operations in the Galois body; at least one operation of doubling a point of the elliptic curve realized by the execution of a second sequence of successive operations in the Galois body; the operations in the Galois field each having a type, the first sequence of successive operations and the second sequence of successive operations consist of the same number of operations, two operations of the same rank in the sequence have the same type in both sequences.

Thus the extra cost related to the call of the atomic blocks is minimized because only one atomic block is called to perform an addition where a doubling. A good level of performance is also offered because it requires far fewer dummy operations than an embodiment based on the successive call of small atomic blocks.

According to a particular embodiment, said first three elements are Jacobian coordinates of the first point. According to a particular embodiment, said three second elements 25 are Jacobian coordinates of the second point. According to a particular embodiment, the second point is the product of the first point by an integer. According to a particular embodiment, the elliptic curve has the Jacobian projective equation of Weierstrass Y2 = X3 + aXZ4 + bZ6, where a and b are elements of the Galois body and (4a3 + 27b2) # O.

According to a particular embodiment, an operation of adding two points of the elliptic curve always taking place after a doubling operation of a point of the elliptic curve, at least one operation in the Galois body serving to calculate the elliptic curve. The two-point addition operation of the elliptic curve is integrated within the second sequence of successive operations in the Galois body used to perform the doubling operation of a point of the elliptic curve.

Thus, the necessary number of operations is minimized. According to a particular embodiment, the addition of a point P = (X: Y: Z) and a point Q = (Xq: Yq: 1) gives the point P + Q = (X3: Y3: Z3 ); doubling a point P = (X: Y: Z) gives the point 2 - P = (X3: Y3: Z3); the first and second sequences of successive operations in the Galois body are the following: Addition Ro <- Z2 * <- * + * R1 <- (-Xq) - Ro R1 <- X + Ri R3 <- ( -Yq) - Ro R2 <- Ri Ro <- Z3 - R3 R3 <- Z3 - R1 Z3 <- R1 - R2 R1 <- X - R2 R2 <- R1 + R1 Ro <- Ro + Y3 * <- * + ## STR2 ## R3 <X3 R2 <R1 <X3 R2 <- Y3 Z3 Y3 <- Ro - R1 173 <_ 173 _ R2 _Z3 <- R3 Doubling Ro <- Z2 R1 <- Y + Y R2 <- R1 - Y Y2 <- R2 + R2 R3 <- R1 - Z Z2 -X2 R1 <- Y2 - R2 R2 <- Y2 - X X2 <- a - Ro Y2 <- X2 - RO Ro <- Z2 + Z2 X2 <- Ro + Z2 Ro <- X2 + Y2 X2 <- R1) X2 <- X2 - R2 X2 <- X2 - R2 Z2 <- R2 - X2 * <- * - * Y2 <- RO - Z2 Y2 <- Y2 R1 -Z2 <- R3 According to a particular embodiment, the addition of a point P = (X: Y: Z: Z2: Z3) and a point Q = (Xq: Yq: 1 ) gives the point P + Q = (X3: Y3: Z3: 4); the doubling of a point P = (X: Y: Z: Z2) gives the point 2 - P = (X2: Y2: Z2: 4: ZD, the first and second sequences of successive operations in the Galois body are the following: Addition Doubling -R1 <- Xq - Z2 Ro <- I - Z2 R1 <- R1 - X R1 <- X - Ro * <- * + * R2 <- Y + Y R2 <- R1 - R1 4 <- Y - R2 * <- * + * Y2 <-Z2 + ZZ R3 <- X - R2 R3 <- R2 - Z Ro <- Yq - Z3 R2 <- Y2 - X * <- * + * X2 <- X2 + Ro Z3 <- R1 - R2 Ro <- R1 - X2 R2 <- Z - R1 R1 <- Z - Y2 X3 <- R3 + R3 X2 <- Ro + Ro X3 <- Z3 + X3 Ro <- Ro + X2 <- R1 X2 <- 4 Ro <- Ro - Y X2 <- X2 - R2 R1 <- 4 - R1 X3 <- R1 X3 X2 <- X2 - R2 R1 <- R3 X3 R2 <- R2 X2 R3 < - R1 - Ro 4 <- 4 - R3 Ro <- Y3 - Z3 Y2 <- Ro - R2 Y3 <- R3 - Ro Y2 <- Y2 R1 _Z3 <- R2 -Z2 <- R3 According to one particular embodiment, the value of the parameter a of the Jacobian projective equation of Weierstrass being zero: the addition of a point P = (X: Y: Z: Z2: Z3) and a point Q = (Xq: Yq: 1) gives the point P + Q = (X3: Y3: Z3); the doubling from a point P = (X: Y: Z) gives the point 2 - P = (X2: Y2: Z2: Zj: Z2); the first and second sequences of successive operations in the Galois body are the following: Addition - * <- * + * Ro <- (-Xq) - Z2 R1 <- X + Ro R2 <- Ri Ro <- X - R2 R3 <- Z - R1 X3 <- (-Yq) - Z3 Z3 <- R2 - R1 R1 <- Ro + Ro R2 <- Y + X3 X3 <- R1 R1 <- R1 - Z3 X3 <- X3 R1 ## STR2 ## R1 <Z3 <- R3 Doubling -Ro <- Y + Y R1 <- Ro - Y Y2 <- Ri + Ri R2 < - X2 R3 <- Ro - Z Z2 <- Y2 - X Ro <- R1 - Y2 Z1 <- R3 - R3 R1 <- R2 + R2 R1 <- R1 + R2 X2 <- R1 X2 <- X2 Z2 X2 <- X2 Z2 Z2 <- Z2 X2 4 <- 4 - R3 Y2 <- R1 - Z2 Y2 <- Y2 RO _Z2 <- R3 The invention also relates to a method for the cryptographic processing of data implemented within an electronic entity wherein a first point on the elliptic curve represented by at least three seconds is determined from a first point on an elliptical curve represented by at least three first elements of a Galois body. Ga's body elements laws, each of the second elements being obtained from the first elements by means of a set of operations in the Galois body, said method comprising: at least one operation of adding two points of the elliptical curve produced by the execution of a first sequence of successive operations in the Galois body; at least one operation of doubling a point of the elliptic curve realized by the execution of a second sequence of successive operations in the Galois body; characterized in that: the operations in the Galois field each having a type, the first sequence of successive operations and the second sequence of successive operations consist of the same number of operations, two operations of the same rank in the sequences have the same type in both sequences. According to a particular embodiment of the method, a two-point addition operation of the elliptic curve always taking place after a doubling operation of a point of the elliptic curve, at least one operation in the Galois body serving for the calculation of the operation of adding two points of the elliptic curve is integrated within the second sequence of successive operations in the Galois body used to perform the operation of doubling a point of the elliptic curve.

Other features and advantages of the invention will become apparent in the following description, illustrated by the accompanying drawings, in which: - Figure 1 shows schematically the main elements of a possible embodiment for a card to microcircuit; FIG. 2 represents the general physical appearance of the microcircuit card of FIG. 1; FIG. 3 illustrates the left-to-right algorithm for calculating the multiplication of a point of the curve by a scalar; FIG. 4 illustrates the algorithm for calculating the addition of two point multiplications by scalars according to Shamir's trick; FIG. 5 illustrates a first example of an atomic block according to the invention; FIG. 6 illustrates a second example of an atomic block according to the invention; FIG. 7 illustrates a third example of an atomic block according to the invention.

Figure 1 schematically shows a data processing device 40 in which the present invention is implemented. This device 40 comprises a microprocessor 10, to which is associated on the one hand a random access memory 60, for example by means of a bus 70, and on the other hand a non-volatile memory 20 (for example of the EEPROM type), for example through a bus 50.

The data processing device 40, and precisely the microprocessor 10 that it incorporates, can exchange data with external devices by means of a communication interface 30. FIG. 1 schematically shows the transmission of data input X received from an external device (not shown) and transmitted from the communication interface 30 to the microprocessor 10. Similarly, there is shown the transmission of an output data Y of the microprocessor 10 to the interface communication device 30 to an external device. This output data Y is derived from a data processing by the microprocessor 10, generally on the input data X using a secret datum 80 internal to the system, for example a private key. Although, for the illustration, the input data and the output data appear on two different arrows, the physical means which allow the communication between the microprocessor 10 and the interface 30 may be made by unique means, for example a serial communication port or a bus. The microprocessor 10 is capable of executing software (or computer program) which enables the data processing device 40 to execute a method according to the invention, examples of which are given hereinafter. The software consists of a series of instructions for controlling the microprocessor 10 which are for example stored in the memory 20. In a variant, the microprocessor assembly 10 - non-volatile memory 20 - random access memory 60 may be replaced by a circuit specific application which then comprises means for implementing the various steps of the data processing method. FIG. 2 represents a microcircuit card which constitutes an example of a data processing device according to the invention as represented in FIG. 1. The communication interface 30 is in this case realized by means of the contacts of the card to microcircuit. The microcircuit card incorporates a microprocessor 10, a random access memory 60 and a non-volatile memory 20 as shown in FIG.

This microcircuit card is for example compliant with the ISO 7816 standard and provided with a secure microcontroller which groups together the microprocessor (or CPU) 20 and the random access memory 60.

Alternatively, the data processing device may be a USB key, a document or a paper information carrier having in one of its sheets a microcircuit associated with contactless communication means. This is preferably a portable or pocket electronic entity. It can also be a circuit dedicated to security (secure element in English) can be integrated directly within a device, for example welded in a mobile phone. The present embodiment is based on an elliptic curve E defined on a Galois field IFp, for a large prime number p> 3 defined by the short Weierstrass equation: y2 = x3 + ax + b (1) with x, y, a, b E IFp and (4a3 + 27b2) # 0. From the point of view of implementation, the best representation of the Weierstrass curves is the Jacobian equation projection: Y2 = X3 + aXZ4 + bZ6 (2) having neutral point 0 = (1: 1: 0). In this representation the double of a point P = (X: Y: Z) is the point 2.P = (X2: Y2: Z2) such that: {X2 = A2 - 2C A = 3X2 + aZ4 Z2 = 2YZ C = 2B X Y2 = A (C - X2) - D with B = 2Y2 D = 2B2 (3) Several operations in the Galois IFp body are necessary to evaluate this formula. These are squares (denoted S), multiplications (denoted M), additions and subtractions (denoted A). The evaluation of such a doubling typically requires 4S + 6M + 9A or 6S + 4M + 11A, depending on the methods of calculation.

The addition of a first point P = (Xp: Yp: Zp) and a second point Q = (Xq: Yq: Zq) is the point P + Q = (Xp + q: 17p-Eq.Zp + q) such that: {A = XpZ,? Xp + q = F2 - E3 - 2AE2 B = X Z2 Zp + q = ZpZe D = a Y Z3 Yp - Fq = F (AE2 - Xp + q) - C E3 with C = YPZil E = B - AF = D - C a PP 2 (4) This addition formula is valid only under the following assumptions: P # Q; P # 0; Q # 0.

Many cryptographic systems are based on the difficulty of solving the discrete logarithm problem in large groups or subgroups associated with an elliptic curve. Examples of such systems are described in the following references: "IEEE P1363 Draft 13: IEEE Standard Specifications for Public Key Cryptography." IEEE Computer Society (Nov. 1999) "; "ANSI X9.62-2005: Public Key Cryptography for the Financial Service Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)." American National Standards Institute (Nov 2005) "and" ANSI X9.63-2001: Public Key Cryptography for The Financial Service Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, American National Standards Institute (Nov 2001) ". In such systems, the secret key is a randomly chosen scalar while the corresponding public key is a multiple of a particular public point and that scalar. Particular attention is given to the implementation of the scalar multiplication of a scalar k and a point P denoted by k. P = P + P + --- + P. In fact, this operation is the most expensive in terms of execution time and it is therefore important to optimize it from the point of view of the number of operations. required for its calculation. Moreover, since the scalar value k is typically secret, this calculation must be protected against possible attacks aimed at discovering it. Scalar multiplication is typically implemented using an efficient algorithm called "doubling and adding" as described for example in "Knuth, D .: The Art of Computer Programming, vol. 2. Addison Wesley, third edn. (1988) ". This algorithm is based on the path of the binary representation of the scalar value k. A doubling operation is performed for each bit of k, while an addition is required when the bit value is other than zero. This algorithm is available in two variants according to the order of the binary representation of k. In a first variant, called from right to left, this representation is traversed by starting with the least significant bits. In a second variant, called from left to right, this representation is traversed by starting with the most significant bits. The algorithm from left to right is shown in Figure 3.

Scalar multiplication consists of a succession of doublings and additions. Depending on the ratio between the number of doublings and the number of additions to be made, it will be interesting to optimize one or the other of these operations so as to have the shortest overall execution time. Several tips have been proposed to reduce the operational cost of these operations. In the algorithm of Figure 3, the points m-P are constants. Chudnovsky proposed to pre-compute and save the Zm2.p and ZI.p values in registers, which saves squaring and multiplication in equation (4). Moreover, at the cost of an inversion, it is possible to choose the representative of m - P for which Zm.p is equal to 1. This saves a squared elevation and four multiplications in the equation (4 ). In addition, squaring and multiplication can be further saved in equation (4) of the addition in the case where the values a and n have been calculated in equation (3) of the previous doubling. In fact, the addition operation always intervenes following a doubling operation because the doubling is always performed while the addition is only done for certain values of the bit considered in the binary representation of the scalar . The doubling formula can be further improved by the use of an additional coordinate W added to the Jacobian representation of P. W is initialized to the value aZ4, the value of W for the doubled point is given by 2DW. This saves two squares for an addition.

Shamir proposed a trick allowing the simple and very efficient computation of a sum of two multiplications by a scalar of the form: u-P + vQ (5) A naive implementation of performing the two scalar multiplications and adding the results costs approximately 21 doublings and / additions. The trick proposed by Shamir and given in the algorithm of Figure 4 allows to obtain the result with only approximately / doubling and 0.751 additions. We recall that / represents the length of the binary representation of u and y.

This Shamir trick can be used to compute scalar multiplication by decomposing scalar k of length 1 into two scalars / cc) and k1 of length 1/2 as follows: k - P = ko - P + - ( À - P) (6) What is interesting if ko, k1 and Q = À - P are available at a reasonable cost. This is usually the case with a = 21/2 for cryptographic algorithms. When the length 1 is not even, it is always possible to reduce it, for example by introducing an additional 0 on the left. Shamir's trick can only be used with the course from left to right of the scalar representation.

It is also possible to reduce the number of additions by using other numerical representations of the scalar k typically using a base greater than 2. Examples can be found in the documents "Arno, S., Wheeler, F .: Signed digit representations of minimal Hamming weight. IEEE Transactions on Computers 42 (8), 1007-1009 (1993) "," Solinas, J .: Low-Weight Binary Representations for Pairs of Integers. Tech. rep. (2001), http://cacr.uwaterloo.ca/techreports/2001/corr2001-41.ps "and" Muir, J.A .: Efficient Integer Representation for Cryptographic Operations. Ph.D. thesis, University of Waterloo (2004).

As previously indicated, these calculation methods are sensitive to Side Channel Attacks such as observing the energy consumption of the computing entity. As we have seen, the protection of the calculation based on the use of atomic blocks called repeatedly protects against these attacks by making the flow of data independent operation at the cost of performing dummy operations. Although these dummy operations are typically reduced to additions and negations with a low unit cost, their large number leads to a significant additional cost.

In a typical implementation the atomic blocks are made by a cryptographic coprocessor while access to the binary representation of the scalar determining the atomic blocks to be called is performed on the main processor. It is then possible, by counting the operations separating two successive accesses to the binary representation, to determine whether an addition has been made in addition to the doubling and thus to obtain information on the binary value of the scalar. To protect itself from this, it is advantageous to perform the same scalar access processing before each call to an atomic block, whether this processing is necessary or not.

This protection introduces an additional cost related to each atomic block. Known implementations based on the use of atomic blocks have sought to optimize the computation of the doubling which is carried out for each bit of the digital representation of the scalar while the addition is performed only for the non-zero values of these bits. In the context of the use of the sum of two multiplications by a scalar the rate of additions compared to doubles is not so favorable. In addition, the optimization of the doubling with respect to the addition implies an additional cost in factual modular additions in the calculation of the additions. While the additional cost of these additional modular additions may be neglected in a software implementation or for a large value of the prime number p, this is no longer the case in the context of smart cards carrying dedicated hardware and for commonly used values. today for the size of the prime number. It should be noted that we call modular multiplication and modular addition, multiplication and addition in the Galois IFp body. These operations are the basic operations used in the implementation of additions and doublings on the points of the elliptic curve. In a first embodiment of the invention, there is provided a unified atomic block for performing an addition or a doubling by a single call to this unified atomic block. Thus the cost of addition and doubling are made equal. The flow of operations being strictly the same for the additions and doubling operations, they are absolutely indistinguishable by auxiliary channel attacks. A type can be defined for each operation. This type typically corresponds to addition, subtraction, multiplication and squaring. The operations are not strictly identical for an addition of two points or a doubling of points because the operations are not performed on the same operands. On the other hand, addition and doubling are defined by two sequences of operations. These two sequences of operations have the same number of operations and two operations of the same rank in the sequence have the same type in both sequences. This embodiment also minimizes the overhead associated with the call of the atomic blocks because only one atomic block is called to perform an addition where a doubling. It also offers a good level of performance because it requires far fewer dummy operations than an embodiment based on the successive call of small atomic blocks. An exemplary embodiment is illustrated in FIG. 5. This figure represents the calculation of an addition and that of a doubling with the aid of a single atomic block. It should be noted that the symbol <- represents the replacement of the data, usually the register, preceding the symbol <- by the result of the operation indicated after the symbol -.

It is easy to verify that the data flows of the addition and the doubling are identical from the point of view of the elementary operations performed. Operations marked with stars are dummy operations that can be performed on registers not used by the actual calculation. It should be noted that the calculation of the addition integrates only two dummy additions, while that of the doubling integrates a single dummy multiplication. This example is based on equations (3) and (4) and thus works with all unrestricted elliptic curves. It illustrates the addition of a point P = (X: Y: Z) and a point Q = (Xq: Yq: 1) to give the point P + Q = (X3: Y3: Z3). The doubling illustrates that of a point P = (X: Y: Z) to give the point 2 - P = (X2: Y2: Z2). It should be noted that the cost of the addition is reduced by the use of the affine representation of Q, that is, Zq = 1. Its execution cost is 11 modular multiplications or squared and 9 additions or subtractions. This embodiment is particularly advantageous in the context of the sum of two multiplications by a scalar of Shamir's trick. Indeed, in this case the rate of addition with respect to the doublings is higher than in the direct calculation of a scalar multiplication. It is therefore particularly interesting to have a dot addition operation that is not more expensive than doubling a point. It turns out that the atomic blocks proposed also prove to be generally more efficient than conventional methods even in the context of a classical scalar multiplication.

This process can be further improved. Indeed, it should be noted that in the context of a scalar multiplication, whether simple or double, the doubling operation is systematically called at each iteration on the numerical representation of the scalar value, whereas the operation of addition is only conditionally called after this doubling operation. It is possible to take advantage of the fact that the addition always occurs after a doubling to integrate in the doubling atomic block one or more operations related to the calculation of the addition. Thus, when the addition operation is not performed, these operations were then performed for nothing. These are then dummy operations. On the other hand, when an addition is made following a doubling, it can use the result of these operations that have just been performed as part of the doubling. The use of this trick allows to define a single atomic block that can be used for both the addition and the doubling, a single call of the block being necessary. This solution is therefore always in the context of the first embodiment.

Figure 6 illustrates an example of such an atomic block. It illustrates the use of the same atomic block for addition, subtraction and doubling. It is also based on the affine representation of Q. It is also assumed that the values Z ?, and 4 are pre-calculated. It is these values which are used in the addition, but which are calculated in the doubling. It should be noted that the value 4 is used in the two operations while the value 4 is, for its part, used only in the addition. If this single trick was used, the addition would then have a cost of 2 squares, 7 multiplications and 7 additions. The doubling would take place in 5 squared elevations, 7 multiplications and 9 additions. To arrive at the atomic block shown in Figure 6, the cost of doubling is further reduced, using a new pre-calculated value named I = V-a3-1. For any value of a, I exists only with a probability of 0.5. It turns out that the most used elliptic curves (NIST, twisted Brainpool, ANSSI) are characterized by a value of a = 3, which gives I = 1. Some curves have a value of a = 0, which gives I = 0. Still other curves have a value of I that can be calculated because -a3-1 is a quadratic residue. Only the curve called GOST has a value of a that can not allow the calculation of I. Using this value I, it is possible to calculate 3X2 + aZ4 = 3 (X - IZ2) (X + IZ2) using only two multiplications if Z2 is known. Finally, the addition can be calculated using 3 squares, 7 multiplications and 7 additions, while the doubling can be done in two squares, 8 multiplications and 10 additions. By replacing a squaring by multiplication and adding 3 dummy additions in the addition, it is possible to realize a unified atomic block allowing the execution of both the addition and the doubling as shown in Figure 6. It is it is possible to identify in the doubling operation flow the instruction Z3 <- Z2 - R3 which serves only in the addition and which is useless from the point of view of doubling. The flow of operations of Figure 6, using the same atomic block 15 are based on the following formulas. The sum of a point P = (X: Y: Z: Z2: Z3) and a point Q = (Xq: Yq: 1) is the point P + Q = (X3: Y3: Z3: 4) tel that: A = X (7) X3 = F2 - E2 - 2AE2 B = XqZ2 Y3 = F (AE2-X3) -CE3 with C = Y Z3 = ZE {z = (Z3) 2 D = Y Z3 a E = B - AF = D - C The subtraction P - Q is obtained by replacing F by F '= D + 20 2C - C and thus Y3 = F' (X3 - AE2) - CE3. The double of a point P = (X: Y: Z: Z2) is the point 2 - P = (X2: Y2: Z2: 4: 4) such that: {: 2 = A - 2C Y2 = A (C - X2) - DA = 3 (X - IZ2) (X + IZ2) Z2 = 2XY with B = 2172 Zj = (Z2) 2 C = 2BX D = 2B2 Z = (Z2) 3 In the particular case where a = 0 , a multiplication by zero is performed in the doubling operation. However, in some cases, it is possible to detect such multiplication by zero. Moreover, this multiplication by zero does not intervene in the addition. It then becomes possible to distinguish the progress of an addition from that of the doubling. An alternative atomic block allowing the addition and the doubling without multiplication by zero is proposed Figure 7 for the specific case where a is worth zero. The trick is to save in memory the opposite of the coordinates of Q: (- xq, -yq). The proposed atomic block contains 2 squares, 7 multiplications and 8 additions. This represents a gain of more than 10% over the atomic block of Figure 6. The sum of a point P = (X: Y: Z: Z2: Z3) and a point Q = (Xq: Yq: 1 ) is the point P + Q = (X3: Y3: Z3) such that: A = X X3 = F2 - (2AE2 - E'2) B '= (-Xq) Z2 1 = Y3 = Fi (AE12 - X3) - CE'3 with CD, Y = (_yq) z3 Z3 = ZE 'E' = B '+ AF' = D '+ C The double of a point P = (X: Y: Z) is the point 2 - P = (X2: Y2: Z2: Z: ZD such that: {: 2 = A2 - 2C Z2 = 2XY Z1 = (Z2) 2 Y2 - A (CX2) DA = 3X2 2 -2 3 - (Z) 3 with B = 2Y2 D = 2B2 C = 2BX The atomic blocks proposed allow an efficient and secure implementation of multiplications by a scalar and more particularly by the sum of two multiplications by a scalar of points belonging to an elliptic curve. Very fast keys in cryptographic systems based on elliptic curves Naturally, to satisfy specific needs, a person skilled in the field of the invention we will apply changes in the previous description.

Although the present invention has been described above with reference to specific embodiments, the present invention is not limited to specific embodiments, and modifications that are within the scope of the present invention will be obvious to someone skilled in the art.

Claims (11)

REVENDICATIONS1. An electronic cryptographic data processing entity comprising processing means adapted to determine, from at least a first point on an elliptic curve represented by means of at least three first elements of a Galois body, a second point on the elliptic curve represented by means of at least three second elements of the Galois body, each of the second elements being obtained from the first elements by means of a set of operations in the Galois body, said processing means comprising: at least one addition operation of two points of the elliptical curve performed by the execution of a first sequence of successive operations in the Galois body; at least one operation of doubling a point of the elliptic curve realized by the execution of a second sequence of successive operations in the Galois body; characterized in that: the operations in the Galois field each having a type, the first sequence of successive operations and the second sequence of successive operations consist of the same number of operations, two operations of the same rank in the sequences have the same type in both sequences. 2. Electronic entity according to claim 1, characterized in that said first three elements are Jacobian coordinates of the first point. 3. Electronic entity according to claim 1 or 2, characterized in that said three second elements are Jacobian coordinates of the second point. 4. Electronic entity according to one of claims 1 to 3, wherein the second point is the product of the first point by an integer. 5. Electronic entity according to one of claims 1 to 4, characterized in that the elliptic curve has a Jacobian projective equation of Weierstrass Y2 = X3 + aX Z4 + bZ6, where a and b are elements of the Galois body and 4a3 + 27b2) # O. 6. Electronic entity according to one of claims 1 to 5, characterized in that a two-point addition operation of the elliptical curve always occurring after a doubling operation of a point of the elliptical curve, at least one operation in the Galois body for calculating the operation of adding two points of the elliptic curve is integrated within the second sequence of successive operations in the Galois body used to perform the doubling operation of a point of the elliptic curve. 7. Electronic entity according to claim 1, characterized in that: adding a point P = (X: Y: Z) and a point Q = (Xq: Yq: 1) gives the point P + Q = (X3: Y3: Z3); doubling a point P = (X: Y: Z) gives the point 2 - P = (X3: Y3: Z3); the first and second sequences of successive operations in the Galois body are the following: 30Addition Ro <- Z2 * <- * + * R1 <- (-Xq) - Ro R1 <- X + Ri R3 <- (-Yq R 1 R 2 R 2 R 3 R 3 R 3 R 3 R 3 R 1 R 3 R 1 R 1 R 2 R 1 R 1 R 1 R 1 R 1 R 1 R 3 -RO R2 <- R2 Z3 X3 -X3 R2 R1 <- R1 - X3 R2 <- Y - Z3 Y3 <- Ro - R1 173 <_ 173 _ R2 _Z3 <- R3 Doubling Ro <- Z2 R1 <- Y + Y R2 <- R1 - Y Y2 <- R2 + R2 R3 <- R1 - Z Z2 -X2 R1 <- Y2 - R2 R2 <- Y2 - X X2 <- a - Ro Y2 <- X2 - RO Ro <- Z2 + Z2 X2 <- Ro + Z2 Ro <- X2 + Y2 X2 <- R1) X2 <- X2 - R2 X2 <- X2 - R2 Z2 <- R2 - X2 * <- * - * Y2 <- RO - Z2 Y2 < - Y2 R1 -Z2 <- R3 8. Electronic entity according to claim 6, characterized in that: adding a point P = (X: Y: Z: Z2: Z3) and a point Q = (Xq: Yq: 1) gives the point P + Q = (X3: Y3: Z3: 4); doubling a point P = (X: Y: Z: Z2) gives the point 2 - P = (X2: Y2: Z2: 4: 4); the first and second sequences of successive operations in the Galois body are as follows: 15Addition Doubling -R1 <- Xq - Z2 R1 <- R1 - X * <- * + * R2 <- R1 - R1 * <- * + R3 <- X - R2 Ro <- Yq - Z3 * <- * + * Z3 <- R1 'R2 R2 <- Z - R1 X3 <- R3 + R3 X3 <- Z3 + X3 4 <- Rj Ro <- Ro - Y R1 <- TM X3 <- R1 X3 R1 <- R3 X3 R3 <- R1 - RO Ro <- Y3 - Z3 Y3 <- R3 Ro _z3 <_ R2 Ro <- I - Z2 R1 <- X - Ro R2 <- Y + Y 4 <- Y - R2 Y2 <- Z1 + Z1 R3 <- R2 - Z R2 <- Y2 - X X2 <- X2 + Ro Ro <- R1 - X2 R1 <- Z - Y2 X2 < - Ro + Ro Ro <- Ro + X2 X2 - 4 X2 <- X2 R2 - R1 X2 <- X2 - R2 R2 <- R2 - X2 4 <- 4 - R3 Y2 <- RO - R2 Y2 <- Y2 R1 - Z2 <- R3 9. Electronic entity according to claim 5, characterized in that, the value of the parameter a of the Jacobian projective equation of Weierstrass being zero: the addition of a point P = (X: Y: Z: Z2: Z3) and from a point Q = (Xq: Yq: 1) gives the point P + Q = (X3: Y3: Z3); the doubling of a point P = (X: Y: Z) gives the point 2 - P = (X2: Y2: Z2: Z: ZD, the first and second sequences of successive operations in the Galois body are as follows : 15Addition - * <- * + * Ro <- (-Xq) - Z2 R1 <- X + Ro R2 <- Ri Ro <- X - R2 R3 <- Z - R1 X3 <- (-Yq) - Z3 Z3 R1 R1 R1 R1 R3 R3 R3 R3 R3 R3 R1 R3 R3 R1 R3 R3 R1 R1 R3 R3 R1 R1 R3 Y3 <_ 173 _ R1 _Z3 <- R3 Doubling -Ro <- Y + Y R1 <- Ro - Y Y2 <- Ri + Ri R2 <- X2 R3 <- Ro - Z Z2 <- Y2 'X Ro <- Ri Y2 Zj <- R3 - R3 R1 <- R2 + R2 R1 <- R1 + R2 X2 <- R1 X2 <- X2 Z2 X2 <- X2 Z2 Z2 <- Z2 X2 4 <- 4 - R3 Y2 <- R1 - Z2 Y2 <- Y2 RO _Z2 <- R3 A method of cryptographic processing of data implemented within an electronic entity, wherein from a first point on an elliptic curve represented by at least three first elements of a body Galois, a second point on the elliptic curve represented by means of at least three second elements of the Galois body, each of the second elements being obtained from the first elements by means of a set of operations in the Galois body, said method comprising: at least one operation of adding two points of the elliptical curve performed by executing a first sequence of successive operations in the Galois body; at least one operation of doubling a point of the elliptic curve realized by the execution of a second sequence of successive operations in the Galois body; characterized in that: - the operations in the Galois body each having a type, the first sequence of successive operations and the second sequence of successive operations consist of the same number of operations, two operations of the same rank in the sequences have the same type in both sequences. 11. The method of claim 10, characterized in that, an operation of adding two points of the elliptic curve always occurring after a doubling operation of a point of the elliptical curve, at least one operation in the body of Galois used for calculating the two-point addition operation of the elliptic curve is integrated within the second sequence of successive operations in the Galois body used to perform the operation of doubling a point of the elliptic curve .15