KR100937869B1 - SPA-resistant Unsigned Left-to-Right Recoding and Unified Exponentiation Method - Google Patents

Abstract

The exponential multiplication method using left-to-right recording, which is safe for simple power analysis, is started without integrating the unsigned recording process and exponential multiplication process for a secret key supporting a fixed operation pattern without storing the recorded results separately. It is. The binary secret key k is recorded in the left-to-right direction using {1,2}. In the process of calculating the exponential power g ^k for a given secret key k and the base g by using the recording step, the recording process is performed simultaneously in the left-to-right direction without separately processing the recording step and the exponential power process. To calculate the exponential result.

Left-to-right recording, exponential method

Description

SPA-resistant Unsigned Left-to-Right Recoding and Unified Exponentiation Method for Simple Power Analysis

The present invention relates to an RSA cryptosystem and a digital signature DSA, and more particularly, to a method of recording a secret key represented by a binary method so that a fixed pattern of operations that are secure against side channel attacks is performed and the method is applied to an exponential multiplication algorithm. When applied, it relates to the Left-to-Right exponential method that simultaneously performs the recording process and the scalar multiplication process.

The present invention is derived from a study conducted as part of the next generation core technology development project of the Ministry of Information and Communication and the Ministry of Information and Communication Research and Development. [Task Management Number: 2005-S-088-02, Title: Information for Secure RFID / USN] Protection technology development].

Representative public key cryptosystems and application protocols are RSA and digital signature DSA. A common operation that involves the use of secret keys in these two systems is the exponential power operation, which computes g ^k for the key k and the base g. Representative exponential power algorithms are as follows.

Binary Left-to-Right Method

출력: g^k input:

Output: g ^k 1. Q [0] ← g. For i = n-2 to 0 by -1 do: 2.1 Q [0] = (Q [0]) If k _i = 1 then Q [0] = Q [0] .g. 3. Return Q [0].

Binary Right-to-Left Method

출력 g^k input:

Output g ^k 1. Q [0] ← g, Q [1] ← 1. 2. For i = 0 to n-1 by 1 do: 2.1 if k _i = 1 then Q [1] ← Q [0] · Q [1 2.2 Q [0] ← (Q [0]) 2. 3. Return Q [1].

Many methods have been proposed to increase the efficiency to implement exponential operations in environments with limited resources such as computing power or memory (eg smart cards, mobile phones, sensor nodes). However, in this limited environment, Side Channel Attacks can be used to find secret information hidden inside by utilizing various additional information generated by the equipment that runs the encryption algorithm. The power analysis attacks among the sub-channel attacks are divided into simple power analysis (SPA) and differential power analysis (DPA). SPA is simple because it can find secret information directly from power consumption without statistical analysis of power consumption. It's an easy attack. DPA finds a correlation between secret information and power consumption from multiple power consumption samples and can be used to attack cryptosystems built securely on SPA. Depending on the environment in which the private key is used, for example, in the case of DPA, only the SPA needs to be considered safe. And in an environment where DPA needs to be considered, DPA countermeasures don't have much meaning unless you consider how to respond to SPA. Therefore, for any environment where a private key applies, the response to SPA must be considered.

In general, there is a difference in the power consumed when calculating the multiplication and square operations, and it is possible to use this information to find the key used in the exponential power. The two exponential algorithm methods described above also include conditional branch statements that allow the multiplication operation to be selectively performed depending on each bit (or digit) of the secret key k. Therefore, the power consumption of the multiplication is different depending on whether the observed bit is 0 or not, so it is vulnerable to SPA.

Among the corresponding methods of the SPA, there is a method of recording a scalar with a new expression method so that a certain operation pattern appears. For example, an elliptic curve cryptographic system introduces a signed recording technique to produce a fixed operation pattern. In other words, when a secret key represented by a binary number is expressed using only 1 and -1, a double operation and an addition operation or a subtraction operation on a point on an elliptic curve always occur. At this time, the addition operation and the subtraction operation are almost indistinguishable from each other due to the characteristics of the operation on the elliptic curve. However, in an environment such as RSA and DSA, it is difficult to use signed recording techniques used in elliptic curve cryptography as SPA counterparts because inverse calculations require many operations. Therefore, in an environment such as RSA and DSA, an unsigned recording technique that generates a fixed operation pattern is required.

Recently, Vuillaume-Okeya proposed a recording method as a countermeasure of SPA. This method is a recording method that transforms to an unsigned scalar so that it can be efficiently configured in systems such as RSA and DSA, which are expensive in inverse operations. This method extends Moller's proposed recording method to an unsigned method, so that when the window size is w, an unsigned digit set 1,2,... , 2 ^w to represent the secret key. This method has a number of disadvantages, such as additional information being leaked because the bit length of the recorded value is not fixed, but the most important disadvantage is that it is recorded in the right-to-left direction.

Exponential multiplication algorithms calculate scalars by scanning from the leftmost bit (left-to-right), but can also compute by scanning from the least significant bit (right-to-left). However, in resource-constrained environments such as memory, left-to-right recording is preferred over right-to-left recording. For example, left-to-right exponential operations have the advantage of having fewer registers than right-to-left exponential operations. Therefore, when using the Right-to-Left recording method, scalar multiplication is inevitably performed after the recording is preceded in order to apply to the left-to-right exponential power calculation. In other words, you need extra space to store the recorded value (ie O (n) -size RAM). Where n is the bit length of the key. However, if the recording is done in the left-to-right direction, the recording algorithm and the exponential power algorithm can be integrated into one without storing the recorded result value separately, thereby obtaining an efficient exponential power algorithm. Therefore, designing left-to-right recording can be configured for a variety of memory-constrained environments.

The present invention is to solve the problems of the conventional product as described above, the object of which is to integrate the unsigned recording process and the exponential multiplication process for the secret key supporting a fixed operation pattern into one without storing the recorded results separately In addition, it provides an exponential power method using Left-to-Right recording that is safe for simple power analysis.

In order to achieve the above object, an exponential power method using Left-to-Right recording according to the present invention (i) recording the secret key k expressed in binary in the Left-to-Right direction using {1,2} ; And (ii) calculating the exponential power g ^k for a given secret key k and the base g by using the recording step, in the left-to-right direction without separately processing the recording step and the exponential power process. And calculating the exponential power result by simultaneously performing the recording step.

Preferably, step (i) comprises (i-1) inputting an (n + 2) -bit secret key k that satisfies k _{n + 1} = 1, k _n = 0; (i-2) substituting for z the index value of the least significant bit that satisfies k _z = 0 in the input (n + 2) -bit information and substituting n for the j value; (i-3) setting e _j to 1 or 2 according to the values of the index values j and k _j ; (i-4) updating the j value to j-1 and subtracting the j value one by one; (i-5) determining whether j is less than 0; (i-6) repeating steps (i-3) to (i-4) until the j value becomes -1; (i-7) if the j value becomes -1, outputting (e _n ,..., e ₁ , e ₀ ). More preferably, step (ii) receives the (ii-1) (n + 2) -bit secret key k, (1,0, k _n-1 , ..., k ₀ ) ₂ , and the following g values. step; (ii-2) assigning g [1] = g, g [2] = g ² , and c = g and assigning to z the index value of the least significant bit that satisfies k _z = 0; (ii-3) substituting n for j and c ² for c; (ii-4) updating c * g [1] or c * g [2] to c according to the values of the indexes j and k _j ; (ii-5) updating the j value to j-1 to subtract j values one by one; (ii-6) determining whether j is less than 0; (ii-7) repeating steps (ii-4) to (ii-6) until the j value becomes -1; (ii-8) outputting c = g ^k when the j value becomes -1.

The present invention is safe for simple power analysis and designed to simultaneously perform recording of a secret key and exponential power. It is suitable for memory-constrained environments, such as smart cards, sensor nodes, and RFID chips. In an environment constrained by the RSA or DSA cryptosystem, it is safe for side-channel attacks while minimizing memory usage.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

First, the (n + 2) -bit secret key (1,0, k _n-1 , ..., k ₀ ) ₂ expressed in binary form is left as (n + 1) -bit using the element of {1,2}. A process of -to-Right recording will be described with reference to FIG. 1.

The secret key k = (k _n-1 ,..., K ₁ , k ₀ ) ₂ , represented by arbitrary n-bits, is first converted into the form (1,0, k _n-1 , ..., k ₀ ) ₂ . R + uses k + rΦ (N) instead of secret key k. Where Φ is Euler's Pi function, r is a random value, and N is a product of two prime numbers, a modular value used by RSA. Repeating the process of adding Φ (N) to k results in k <Φ (N) <2N, so k _{n + 1} = 1 and k _n = 0 are always satisfied for n bits of k. And since g ^{k + r Φ (N)} = g ^k mod N, the scalar length is equal to the result of the existing value even when calculated using the scalar with the extended scalar length. In the present invention, the (n + 2) -bit (1,0, k _n-1 ,..., K ₀ ) ₂ obtained by the above method is left- (n + 1) -bit using the element of {1,2}. Perform the process of to-Right recording.

FIG. 1 illustrates the input of (n + 2) -bit (1,0, k _n-1 , ..., k ₀ ) ₂ according to an embodiment of the present invention, using (1 + 1) This flowchart illustrates the process of left-to-right recording in -bit. The central idea of the present invention was derived from the following equation. As in the assumption of input values, k _{n + 1} = 0 and k _n = 0. Then, define _{z as} the index value of the least significant bit where k _z = 0 when k is represented in binary. Then, the following Equation 1 can be obtained.

As can be seen from Equation 1, it can be seen that the binary representation represented by (n + 2) -bits can be represented by (n + 1) -bits with elements of 1,2.

Referring to FIG. 1, a (n + 2) -bit secret key k that satisfies k _{n + 1} = 1 and k _n = 0 is input (step S110). In the input (n + 2) -bit information, the index value of the least significant bit that satisfies k _z = 0 is substituted into z (step S115). n is substituted into j (S120). In step S125, it is determined whether j> z.

If j> z as a result of the determination in step S125, it is determined whether k _j = 0 (step S130). If k _j = 0 as a result of the determination in step S130, it substitutes e _j = 1 (S140). That is, if j> z and k _j = 0, then e _j = 1.

In the determination of step S130, if k _j ≠ 0, e _j = 2 (step S145). If the result of the determination in step S125 is j≤z, it is determined whether j = z (step S135).

As a result of the determination in step S135, if j = z, e _j = 2 (step S150), otherwise e _j = 1 (S155). Subsequently, j is updated to j-1 to subtract j values one by one (step S160), and it is determined whether j value is less than zero (S165). The loop is returned to step S125 until j value becomes -1. Repeat. When j becomes -1, (e _n , ..., e ₁ , e ₀ ) is output (step S170).

Hereinafter, an algorithm for performing the calculation of the exponential power g ^k for the secret key k and the base g expressed in the binary method in the left-to-right direction in an integrated manner with the recording process will be described with reference to FIG. 2.

Figure 2, which will be described later, describes an algorithm that simultaneously performs the existing left-to-right scalar multiplication algorithm and the left-to-right recording proposed in FIG.

2 is an example of an algorithm for performing calculation of an exponential power g ^k for a secret key k and a base g expressed in binary according to an embodiment of the present invention in a left-to-right direction in an integrated manner with a recording process. It is a flowchart showing. This method is called SPA-resistant Unified binary Left-to-Right Exponentiation Algorithm.

Referring to FIG. 2, the scalar multiplication algorithm receives (n + 2) -bit secret key k, (1,0, k _n-1 ,..., K ₀ ) ₂ , and the value of g (step S210). Substituting g [1] = g, g [2] = g ² , and c = g by precomputation, and assigning to z the index value of the least significant bit that satisfies k _z = 0 (step S215). n is substituted for j (step S220). The value c ² is substituted into c (step S225).

In step S230, it is determined whether j> z. If j> z as a result of the determination in step S230, it is determined whether k _j = 0 (step S235).

If k _j = 0, i.e., j> z and k _j = 0, c * g [1] is substituted into c (S245). If k _j ≠ 0, c * g [2] is substituted. Substitute in c (S250). If the result of the determination in step S230 is j≤z, it is determined whether j = z (step S240).

As a result of the determination in step S240, if j = z, c * g [2] is substituted into c (S225), otherwise c * g [1] is substituted into c (S260).

Subsequently, j is updated to j-1 (S265) to subtract j values one by one, and it is determined whether j value is less than zero (step S270).

The loop returns to step S225 until the j value becomes -1. If the j value becomes -1, c is output (step S275).

1 is a flowchart illustrating a process of left-to-right recording a (n + 2) -bit secret key represented by a binary method according to the present invention to (n + 1) -bit using an element of {1,2}. to be.

FIG. 2 is a flowchart illustrating an example of an algorithm for performing the calculation of the exponential power g ^k for the secret key k and the base g represented by the binary method in the left-to-right direction in an integrated manner with the recording process. to be.

Claims (8)

(i) a recording step of recording the secret key k expressed in binary form in a Left-to-Right direction using {1,2}; And (ii) in the process of calculating the exponential power g ^k for a given secret key k and the base g by using the recording step, the recording step and the exponential power process are not processed separately and the left-to-right direction is performed. An exponential power method using integrated left-to-right recording, comprising the step of simultaneously performing a recording step to calculate an exponential power value. The method of claim 1, wherein the recording step comprises using a binary secret key k of the form (1, 0, k _n-1 , ..., k ₀ ) ₂ of (n + 2) -bit using {1, 2}. An exponential power method using integrated Left-to-Right recording, characterized in that it is recording with (n + 1) -bit. According to claim 1, Step (i) is (i-1) inputting an (n + 2) -bit secret key k that satisfies k _{n + 1} = 1, k _n = 0; (i-2) substituting for z the index value of the least significant bit that satisfies k _z = 0 in the input (n + 2) -bit information and substituting n for the j value; (i-3) setting e _j to 1 or 2 according to the values of z, j and k _j ; (i-4) updating j by j-1 to subtract the value of j one by one; (i-5) determining whether j is less than 0; (i-6) repeating steps (i-3) to (i-4) until the j value becomes -1; And (i-7) exponential multiplication method using integrated left-to-right recording, when j is -1, outputting values from e _n to e ₀ . The method of claim 3, wherein Step (i-3), Setting e _j to 1 if the _j value is greater than the z value and the k _j value is 0; Setting e _j to 2 if the _j value is greater than the z value and the k _j value is not zero; Setting e _j to 2 if the j value is equal to the z value; And If the j value is less than the z value, setting the e _j to 1, exponential multiplication method using integrated left-to-right recording, characterized in that. According to claim 1, In the step (ii), the left-to-right integration is performed by calculating the exponential power g ^k for the secret key k and the base g expressed in the binary method in a manner integrated with the recording process. Exponential power method using Right recording. According to claim 1, Step (ii) is (ii-1) receiving a (n + 2) -bit secret key k, (1,0, k _{n-1, ...,} k ₀ ) ₂ , and a value of g below; (ii-2) g to ² g of g of [1], the g [2], and the step of substituting the g c and substitutes the index value of the least significant bits that satisfy the k _z = 0 to z; (ii-3) inserting n into the j value and updating c to c ² ; (ii-4) updating c to c * g [1] or c * g [2] according to the values of z, j and k _j ; (ii-5) updating j to j-1 to subtract the value of j one by one; (ii-6) determining whether j is less than 0; (ii-7) repeating steps (ii-4) to (ii-6) until the j value becomes -1; (ii-8) when the j value is -1, outputting c = g ^k , wherein the exponential multiplication method using integrated left-to-right recording comprises: The method of claim 6, Step (ii-4) Updating c to c * g [1] if the _j value is greater than the z value and the k _j value is 0; Updating c to c * g [2] if the _j value is greater than the z value and the k _j value is not zero; Updating c to c * g [2] if the j value is equal to the z value; And And updating the c to c * g [1] if the j value is less than the z value. According to claim 1, converting the secret key k = (k _n-1 , ..., k ₁ , k ₀ ) ₂ represented by n-bit into the form (1,0, k _n-1 , ..., k ₀ ) ₂ Exponential power method using integrated Left-to-Right recording, characterized in that.

Images