KR20070091063A - Cryptographic method and appratus for countering dfa in scalar multiplication using fault diffusion - Google Patents

Abstract

A cryptographic method for defending a DFA(Differential Fault Analysis) in a scalar product using a fault diffusion is provided to simplify a cryptographic system by defending the DFA without determining whether a fault is introduced in the scalar product. A basic point(P) and a scalar(k) on an elliptic curve are received(S301). An initializing variable is repeatedly calculated by using the basic point in response to the scalar, such that a scalar product of temperature basic point and the scalar is obtained. A fault diffusion process is performed to defend a possible fault(S303). The scalar product is outputted(S305). The fault diffusion process is performed whenever the variable is repeatedly reset.

Description

Cryptographic method and appratus for countering DFA in scalar multiplication using fault diffusion}

BRIEF DESCRIPTION OF THE DRAWINGS In order to better understand the drawings cited in the detailed description of the invention, a brief description of each drawing is provided.

1 is a flowchart of a CT & C method corresponding to DFA.

2 is a flowchart of a COP method corresponding to DFA.

3 is a flowchart of an encryption method according to an embodiment of the present invention.

FIG. 4 is an embodiment of computing the scalar product of FIG. 3 and performing fault spreading.

FIG. 5 is another embodiment of computing the scalar product of FIG. 3 and performing fault spreading.

FIG. 6 is yet another embodiment of computing the scalar product of FIG. 3 and performing fault spreading.

The present invention relates to an encryption method, and more particularly, to an encryption method capable of defending DFA in a scalar product using fault spreading.

With the advent of the information society, the protection of information using cryptographic algorithms and cryptographic protocols is increasing in importance. Among the cryptographic algorithms used to protect information, the open key cryptographic algorithms used in the RSA (Rivest Shamir Adleman) encryption system and the Elliptic Curve Cryptography (ECC) are secret key cryptographic algorithms. In order to solve the shortcomings of key distribution, digital signature, etc., it is rapidly being applied to various fields such as internet and financial network.

Side Channel Analysis (SCA) is used when attempting to break into RSA public key cryptosystems and ECC public key cryptosystems. Types of side channel analysis include timing analysis, power analysis, electro-magnetic analysis, and fault analysis. Side channel analysis is an effective attack method when the hardware configuration of the cryptographic system to be analyzed is known in detail.

During fault analysis, differential fault analysis (DFA) is widely used to find the secret key of a cryptographic system using the difference value of the variable (s) being computed. DFA is a method of finding a secret key of a cryptographic system by injecting a fault into the cryptographic system, analyzing the operation result corresponding to the injected fault.

The value to be stored or stored in the register is changed by a fault. Since the encryption system refers to the value stored in the register when performing a predetermined operation, an error corresponding to the value changed by the fault is included in the operation result. Crypt-analyst interprets the result of operation with error and obtains information about secret key.

To cope with DFA, several methods that can be used in ECC have been proposed.

1 is a flowchart of a CT & C method corresponding to DFA.

The CT & C (Calculate Twice and Check) method 100 first selects an arbitrary point P in an elliptic curve (110), then multiplies P by an arbitrary integer k to obtain a first comparison value Q1 (120). The second comparison value Q2 is obtained by multiplying P by an integer k (130).

Thereafter, the magnitudes of the first comparison value Q1 and the second comparison value Q2 are compared (140), so that if the first comparison value Q1 and the second comparison value Q2 are the same, no fault is found in the multiplication operation. It is determined that the flow does not flow, and one of the first comparison value Q1 and the second comparison value Q2 is output as the calculation result Q (150). On the other hand, if the first comparison value Q1 and the second comparison value Q2 are not the same, it is determined that a fault is introduced into the multiplication operation, and a warning signal is output instead of the operation result Q (160).

Here, it is assumed that all faults are introduced randomly, and the probability of simultaneously introducing faults having the same value in two multiplication operations is negligible. In addition, the predetermined integer k means a secret key, and the first comparison value Q1 and the second comparison value Q2 are generally calculated at the same time.

The CT & C method shown in FIG. 1 has an advantage that it can be applied to any type of encryption algorithm such as symmetric, asymmetric, and stream. However, the CT & C method has the disadvantage of having to perform the same multiplication twice. Also, since the fault component is always present in the areas of use of most smart cards and mobile devices, smart cards or mobile devices The CT & C method cannot be applied as it is.

2 is a flowchart of a COP method corresponding to DFA.

The COP (Check the Output Point) method 200 first selects any one point P in an elliptic curve (210), multiplies P by a predetermined integer k, and obtains a comparison value (Q) (220).

Then, it is determined whether the comparison value Q is one point of the elliptic curve E (230), and if the comparison value Q is one point of the elliptic curve E, it is determined that no fault has been introduced into the multiplication operation. The comparison value Q is output (240). On the other hand, if the comparison value (Q) is not one point of the elliptic curve (E), it is determined that it corresponds to the case where a fault flows during the multiplication operation, and a warning signal is output instead of the comparison value (Q) (250).

Here, it is assumed that all the faults are introduced without a certain rule, and the probability that the comparison value Q calculated at the point of the elliptic curve E, which is calculated under the influence of the fault input to the multiplication operation, is negligible. Also, a predetermined k value generally means a secret key.

The COP method 200 has an advantage in that it does not reduce performance performance of the encryption system while corresponding to DFA. However, the COP method can be applied only to cryptographic systems based on ECC, and its scope of application is limited, and the performance of the system is considerably reduced when responding to attacks using code-changing faults.

In addition, the CT & C method 100 and the COP method 200 use a "branching" operation in the process of checking for the presence of a fault. However, the branch operation has its own weaknesses, so the check process in the CT & C method 100 and the COP method 200 may be an attack target for cryptographers.

Therefore, it is necessary to develop a cryptographic system that can make the output information meaningless if the check process is performed without branch operation and a differential fault analysis is expected.

An object of the present invention is to provide an encryption method capable of defending DFA in a scalar product using fault spreading.

The encryption method according to an embodiment of the present invention for achieving the technical problem, receiving a base point P and a scalar k on an elliptic curve, variable P1 initialized using the base point P in response to the scalar k Calculating a scalar product Q (= kP), which is the product of the base point P and the scalar k by iterative operation, performing fault spreading to protect against potential faults, and outputting the scalar product Q It is provided.

The calculating of the scalar product Q may include initializing the variable P1 to the basic point P and setting an iteration variable i (i is an integer) to an initial value t-1 (t is an integer). Scalar k is represented by binary bits (kt-1, ..., k1, k0) 2 and kt-1 is 1, and setting the iterative variable i until the iteration variable i is less than zero. Repetitively resetting the variable P1 to a predetermined value in response to the binary bit ki while decreasing.

The resetting may include resetting the variable P1 doubled to the variable P1 when the binary bit ki is not 1, and resetting the variable P1 plus the basic point P to the variable P1 when ki is 1. do.

The fault spreading is performed every time the variable P1 is repeatedly reset, after the step of repeatedly resetting, or in any step of resetting repeatedly.

If the fault spreading is performed in any of the repeatedly resetting steps, the setting further sets a check rate RATE, and the resetting step includes receiving a randomly generated check value CHECK. Resetting the variable P1 to a predetermined value in response to the binary bit ki while reducing the iteration variable i. If the check value CHECK is less than or equal to the check rate RATE, performing a fault spreading and then performing the iteration variable. checking i is less than 0, checking if the iteration value i is less than 0 if the check value CHECK is greater than the check rate RATE, and checking the check value CHECK if the iteration variable i is not less than zero It proceeds to the step of receiving.

Performing the fault spread may include deriving a predetermined fault detection function, and performing an exclusive OR operation on the fault detection function and the scalar k.

In addition, performing the fault spreading may include deriving a predetermined fault detection function, and performing an exclusive OR operation on the fault detection function and the scalar product Q.

The encryption method according to another embodiment of the present invention for achieving the technical problem, receiving a base point P and a scalar k, and a check rate RATE on the elliptic curve, initializes the variable P1 to the base point P, and repeat Setting an operation variable i (i is an integer) to an initial value t-1 (t is an integer), wherein the scalar k is represented by binary bits (kt-1, ..., k1, k0) 2 and kt-1 is represented by 1, setting, receiving a randomly generated check value CHECK, resetting the variable P1 to a predetermined value in response to the binary bit ki while decreasing the iterative variable i, the check value CHECK If it is less than the check rate RATE, check whether the iteration variable i is smaller than 0 after performing a fault spread, and if the check value CHECK is greater than the check rate RATE, check whether the iteration variable i is less than zero. Proceeds to receiving the check value CHECK if the iteration variable i is not less than zero and outputting the last reset variable P1 as a scalar product Q if the iteration variable i is less than zero. It is provided.

DETAILED DESCRIPTION In order to fully understand the present invention, the operational advantages of the present invention, and the objects attained by the practice of the present invention, reference should be made to the accompanying drawings which illustrate preferred embodiments of the present invention.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. Like reference numerals in the drawings denote like elements.

In ECC, an arbitrary elliptic curve E and a point P on the elliptic curve E are selected as system parameters. User 1 who wants encrypted communication randomly generates an integer d and multiplies d by P to generate Q (= d ㅧ P). User 1 publishes Q as a public key and securely stores d as user 1's private key.

On the contrary, user 2 who wants to secretly send message M to user 1 first generates random integer k and multiplies integer P by one of the system parameters to generate A (= k k P). B (= M + kQ) is generated using the public key Q provided by user 1 and the message M to be sent. Finally, User 2 sends the final resulting ciphertexts A and B to User 1.

User 1 receives ciphertexts A and B from user 2, calculates dA using his private key d, and then restores message M by performing an operation as shown in Equation (1) below.

M = B-dA (1)

Referring to equation (1), it can be seen that the most important operations in the ECC public key cryptosystem are addition and scalar multiplication.

Any one point (x, y) on the elliptic curve E satisfies the following equation (2).

(2)

(2)

In cryptographic applications, the characteristics of the elliptic curves shown in equation (2) are calculated for the operation of prime finite field GF (p) or binary finite field GF (2 ⁿ ). Can be used.

The fractional finite field refers to a field in which the number of elements is limited to a prime number p. If p is an odd prime number greater than 3, there is only one prime finite field GF (p) having the number of components p.

On the other hand, the binary finite field GF (2 ⁿ ) means a finite field whose number of components is an exponential power of 2. When n is greater than or equal to 1, the configuration will be 2 ⁿ elements there is only one individual is a binary finite field GF (2 ^n).

On the other hand, in addition to the above "Weierstrass Affine" expression, there are various expressions representing points on the EC. "Ordinary Projective", "Jacobian Projective", "Lopez-Dahab Projective", and "Hessian". These point representations will be used to obtain the maximum efficiency of the scalar product operation. However, some of these methods are effective in responding to attacks of the same kind as SCA. Table 1 illustrates the EC equation for several point representations.

TABLE 1

In Table 1, WA stands for Weierstrass Affine, WP stands for Weierstrass ordinary projective, WJ stands for Weierstrass Jacobian projective, and WL stands for Weierstrass Lopez-Dahab projective.

In the present invention, the point representation of the "Weierstrass Affine" type described above will be considered, but the present invention is not limited thereto, and the scalar apparatus and method according to the present invention can be applied to any other type of finite field and point representation.

The main operation in ECC is a scalar point multiplication that calculates Q = k.P = P + P + ... + P (k times). k is the secret key. A scalar point product consists of point operations based on finite field operations as in the above equations. In the discrete logarithm operation associated with this, k is calculated from P and Q = k · P.

The basic principle of DFA is to apply a bit error to the encryption process in a smart card or other encryption device, and then analyze the information about the secret key by analyzing the outputs with and without the faults.

The first information for applying DFA to an ECC-based public key cryptosystem is that parameter a6 of the elliptic equation described above is not used in the calculation. This assumption can be applied to other implementations, such as the scalar product algorithm at Lopez-Dahab of Montgomery Power Ladder for Binary Field. Only a6 of the EC definition is included in the calculation.

를 입력시키는 것이 가능하다.

가 약한 것, 즉 낮은 차수인 것으로 가정하면 이산 대수의 문제가 해결될 수 있다. Since only one of the EC region parameters can be used during the calculation,

It is possible to enter

Assuming weak, that is, low order, the problem of discrete algebra can be solved.

Most of the practical protocols use a predetermined base point P, which is stored in the nonvolatile memory of the encryption apparatus. Therefore, a fault analysis model for applying a fault to the base point P may be considered. However, in this model, only a few bits can be inserted into the base point P, so the feasibility is very low.

On the one hand, a fault analysis model that applies temporary and permanent faults to both the base point P and the region parameters may be considered, but there is a limitation that such a model can also be applied only to the secret key of the NAF-expression.

이 필요하며, 이 출력들은 약한 타원 곡선

에 대응된다. 그 후 비밀 키 k를 복원하는 이산 대수 문제는 약한 타원 곡선

상에서 쉽게 해결될 수 있다. Therefore, cryptographic analysts performing DFA aim to restore the secret key k from the scalar product Q = kp on the cryptographically strong elliptic curve E. To do this, outputs containing a large number of faults

This output requires a weak elliptic curve

Corresponds to. The discrete algebra problem then restoring the secret key k is a weak elliptic curve

Can be easily solved.

Therefore, in the present invention, the following fault model is assumed in the DFA defense method.

1. The region parameters (curve, finite field definitions, base point P) are assumed to have been modified by the CRC detection method or the like.

2. Finite field operations are assumed to be modified by a low level error check method.

3. Faults during the calculation process are assumed to be random and unpredictable.

Hereinafter, a general scalar multiplication algorithm by transforming binary scalar multiplication algorithms will be described. For the sake of convenience of explanation of the scalar multiplication algorithm below, it will be appreciated by those skilled in the art that the present invention may be applied to other known scalar multiplication algorithms.

3 is a flowchart of an encryption method according to an embodiment of the present invention. Referring to FIG. 3, in the encryption method 300 according to the embodiment of the present invention, an input is a base point P and a scalar k, and an output is a scalar product Q (= kP). Here the base point P is a point on any elliptic curve.

In the encryption method 300, a base point P and a scalar k are first received (S301). The scalar product Q (= kP), which is the product of the base point P and the scalar k, is then calculated by iteratively calculating the variable P1 initialized using the base point P in response to the scalar k. In addition, fault spreading is performed to prevent faults that may be introduced during or after calculating the scalar product Q (S303). Finally, the scalar product Q is calculated and after the fault spreading is performed, the scalar product Q is output (S305).

Hereinafter, an operation of repeatedly performing a scalar multiplication operation to calculate a scalar product Q and performing fault spreading will be described with reference to FIGS. 4 to 6. In the present invention, fault diffusion is used instead of checking whether a fault is introduced. Therefore, embodiments using the final check, regular check, and random check methods may be provided depending on the location where fault spreading is performed.

An embodiment using the final check is a method in which fault spreading is performed after all of the iterative scalar product operations are performed (FIG. 4). An embodiment using periodic checks is a method in which fault spreading is performed whenever a scalar product operation is repeated (FIG. 5). An embodiment using a random check is a method in which fault spreading is performed only for a specific scalar product operation among repeated scalar product operations (FIG. 6).

4 is an embodiment of using the final check as an embodiment of the step of computing the scalar product of FIG. 3 and performing fault spreading. The algorithm applied to FIG. 4 is as follows.

Referring to the algorithm and FIG. 4, unlike the general encryption method, an embodiment of the present invention does not use a method of checking whether a fault is introduced into a scalar product using a "branch" operation. Instead, the embodiment of the present invention performs a fault spreading operation.

First, the process of calculating the scalar product Q is described. In an embodiment of the present invention, the variable P1 and the iterative variable i are introduced to calculate the scalar product Q by performing an iterative scalar product operation.

After receiving the basic point P and the scalar k in step S301, the variable P1 is initialized to the basic point P and the iteration operation variable i (i is an integer) is set to an initial value t-1 (t is an integer) (S401). At this time, scalar k is represented by binary bits (kt-1, ..., k1, k0) ₂ , and k _t-1 is set to one.

The scalar multiplication operation is repeatedly performed in response to the binary bit ki while reducing the iteration variable i (S403) until the iteration variable i becomes smaller than 0 (S411). In other words, in response to the binary bit ki, the variable P1 is repeatedly reset to a predetermined value.

Specifically, if the binary bit ki is not 1, the value doubled by the variable P1 is reset to the variable P1 (S405). On the other hand, if the binary bit ki is 1, the value obtained by adding the variable P1 and the basic point P is reset to the variable P1 (S407).

In the embodiment of FIG. 4, fault spreading is performed 413 after the step of repeatedly resetting. That is, in response to the binary bit ki, it is determined whether the value of doubling the variable P1 or the sum of the variable P1 and the basic point P is reset to the variable P1 (S407 or S409) and then the iterative variable i is smaller than 0 (S411). ).

If the iteration variable i is not less than 0, the step of calculating the scalar product Q by repeating the scalar product operation is not completed. Therefore, the scalar product operation is continuously performed. However, if the iteration variable i is less than 0, the fault diffusion is performed because the step of calculating the scalar product Q is completed. Fault diffusion is described in detail later.

As described above, the embodiment of Fig. 4 is almost negligible because the fault spread calculated with the scalar product Q is performed. However, there is a disadvantage that the possibility of attack still exists because the location where the fault spreading is performed is known and predictable in the time domain.

FIG. 5 is an embodiment using periodic checks as another embodiment of calculating the scalar product of FIG. 3 and performing fault spreading. The algorithm applied to FIG. 5 is as follows.

Referring to FIG. 5, in the embodiment of FIG. 5, fault spreading is performed whenever the variable P1 is repeatedly reset. That is, a fault spread is performed every time a scalar product operation is performed repeatedly. Since other operations of FIG. 5 are the same as those of FIG. 4, description thereof will be omitted.

The embodiment of Figure 5 can be immediately removed if a fault is introduced, and can immediately respond, it is possible to maintain the highest security level. On the other hand, in the embodiment of FIG. 5, there is a disadvantage that a performance degradation may occur. However, the degradation in the embodiment of FIG. 5 will yield better results than the degradation in the general "Compute Twice and Check" method.

FIG. 6 illustrates another example of computing the scalar product of FIG. 3 and performing fault spreading. FIG. 6 illustrates a random check. The algorithm applied to FIG. 6 is as follows.

As shown in FIG. 6, fault spreading is performed in a step after a particular operation of the repeatedly resetting operation. That is, whenever a scalar product operation is repeatedly performed, it is determined whether a predetermined condition is satisfied or not to perform fault spreading. Hereinafter, the embodiment of FIG. 6 will be described.

First, the check rate RATE is set together in the process of setting and initializing parameters to be used in the encryption method 600 (S601). In addition, in the process of resetting the variable P1, before reducing the iteration variable i, a check value CHECK to be applied in operation on the iteration variable is received (S603). Here, the check value CHECK is a randomly generated value.

The process of repeatedly resetting P1 to a predetermined value, that is, the process of repeatedly performing a scalar product operation is the same as the process of FIG. 4.

After repetitively resetting P1 to a predetermined value (S607 to S611), it is determined whether to perform fault spreading by comparing the check value CHECK and the check rate RATE.

That is, if the check value CHECK is less than or equal to the check rate RATE, the fault spread is performed. However, if the check value CHECK is less than the check rate RATE, the fault spread is not performed.

Thereafter, the process of determining whether to perform the scalar product operation repeatedly by checking whether the iteration variable i is smaller than 0 is the same as the process of FIG. 4.

In an embodiment of the present invention, the check rate RATE is a value for determining whether to perform fault spreading. Referring to FIG. 6, the check rate RATE is a parameter in which the parameters used in the encryption method 600 are initialized or set. It may be set together in step (S603). On the other hand, the check value CHECK is a randomly generated value.

For example, both the check value CHECK and the check rate RATE may have a value between 0 and 100. If the check rate RATE is set to 70, if the randomly generated check value CHECK is 70 or less, fault spreading is performed. If the value CHECK is greater than 70, no fault spreading is performed.

Alternatively, both check value CHECK and check rate RATE can be randomly determined binary values (0 or 1), in which case when check value CHECK and check rate CHECK have the same value (or have different values) ) May perform a fault spread and not have a different value (or have the same value).

Those skilled in the art will be able to apply the random check method in various ways in addition to the above-described method, and also, the step of receiving the check value CHECK and the setting of the check rate RATE. It will also be appreciated that it may be placed in another location of 600). Since other operations of FIG. 6 are the same as those of FIG. 4, a detailed description thereof will be omitted.

Hereinafter, a method of performing fault spreading will be described. By performing fault spreading, it is possible to make the DFA useless by spreading the data into which the fault has flowed into the encrypted data.

Fault detection must first be performed before fault spreading can be performed. In an embodiment of the present invention, a predetermined fault detection function f (x, y, z, a4, a6) is used for fault detection. The fault detection function f (x, y, z, a4, a6) can be easily derived using the EC equation illustrated in Table 1.

The fault detection function for different point representations in decimal fields is illustrated in the following Table 2, and those of ordinary skill in the art will be shown in Table 2 not only for binary fields but also for other point and curve representations. The fault detection function may be obtained in a manner similar to that illustrated.

TABLE 2

Looking at Table 2, it can be seen that the computational overhead for performing such fault detection is acceptable.

In the present invention, two methods of fault spreading may be performed after fault detection is performed using a fault detection function. Two fault spreading methods are the secret key fault spreading method and the calculated point fault spreading method.

The secret key fault spreading method is a method of changing an original secret key value to a secret key value to which a fault is introduced when a fault is introduced. At this time, the faulted secret key value may be unpredictable. Fault diffusion is performed using the following equation (3).

(3)

(3)

Looking at Eq. (3), the secret key value k is not changed since the fault detection function is 0 when no fault is introduced during the calculation. On the other hand, if a fault is introduced during the calculation, the fault detection function is not zero, so the secret key value k will change to an unpredictable value.

In the last step of the scalar product, the result point Q (= kP) is output at a higher level, so cryptoanalysts will be able to solve discrete algebra problems for the result point. However, if a fault is introduced, the resulting point is also the value at which the fault was introduced, so even if the discrete algebra problem is solved, the cryptographer will get the secret key with the fault, not the original secret key.

Given that the faults occur randomly, the probability that the cryptographer obtains the original secret key if the fault is introduced is small enough to ignore it.

In some cases it may occur that the new secret key value is the same as the previously used secret key value. In such a case, the key change may be applied to the value that is rewritten and stored in the EEPROM as well as the temporarily existing value.

The secret key fault spreading method may be applicable to the embodiments of the present invention shown in FIGS. 4 to 6. Where the secret key k is a scalar k.

Next, the calculated point fault spreading method will be described. The calculated point fault spreading method is the same as the secret key fault spreading method except that the calculated point, that is, the scalar product Q is changed instead of the secret key, and thus a detailed description thereof will be omitted. The calculated point fault spread is performed using the following equation (4).

(4)

(4)

The functions used in the methods and apparatus disclosed herein can be embodied as computer readable code on a computer readable recording medium. The computer-readable recording medium includes all kinds of recording devices in which data that can be read by a computer system is stored. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage, and the like, and may also be implemented in the form of a carrier wave (for example, transmission over the Internet). do. The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

As described above, optimal embodiments have been disclosed in the drawings and the specification. Although specific terms have been used herein, they are used only for the purpose of describing the present invention and are not intended to limit the scope of the present invention as defined in the claims or the claims. Therefore, those skilled in the art will understand that various modifications and equivalent other embodiments are possible therefrom. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

As described above, the encryption method according to the present invention can protect the DFA without checking whether a fault is introduced into the scalar product using fault spreading, and there is no checking process, so that an encryption system can be implemented without branching. have.

Claims (12)

Receiving a base point P and a scalar k on an elliptic curve; Iteratively computes the variable P1 initialized using the base point P in response to the scalar k to calculate a scalar product Q (= kP), which is the product of the base point P and the scalar k, and defends against possible faults. Performing a fault spread to achieve; And And outputting the scalar product Q. The method of claim 1, wherein calculating the scalar product Q comprises: Initializing the variable P1 to the basic point P, and setting an iteration variable i (i is an integer) to an initial value t-1 (t is an integer), wherein the scalar k is a binary bit (kt-1,... , k1, k0) 2 and kt-1 is 1; And And resetting the variable P1 to a predetermined value in response to the binary bit ki while decreasing the iteration variable i until the iteration variable i becomes smaller than zero. The method of claim 2, wherein the resetting comprises: If the binary bit ki is not 1, the value of doubling the variable P1 is reset to the variable P1, and if ki is 1, the value obtained by adding the variable P1 and the base point P is reset to the variable P1. Encryption method. The method of claim 2, wherein the fault diffusion, And is performed whenever the variable P1 is repeatedly reset. The method of claim 2, wherein the fault diffusion, And after the step of repeatedly resetting. The method of claim 2, wherein the fault diffusion, And performing the resetting of any of the steps of repetitively resetting. The method of claim 6, The setting step further sets a check rate RATE, The resetting step, Receiving a randomly generated check value CHECK; Resetting the variable P1 to a predetermined value in response to the binary bit ki while decreasing the iteration variable i; If the check value CHECK is less than or equal to the check rate RATE, check whether the iteration variable i is smaller than 0 after performing fault spreading; if the check value CHECK is greater than the check rate RATE, the iteration variable i is smaller than 0 Confirming that; And And if the iteration operation variable i is not less than zero, proceeding to receiving the check value CHECK. The method of any one of claims 5 to 7, wherein performing the fault diffusion comprises: Deriving a predetermined fault detection function; And And an exclusive-OR operation on the fault detection function and the scalar k. The method of claim 6, wherein performing the fault spreading comprises: Deriving a predetermined fault detection function; And And an exclusive-OR operation on the fault detection function and the scalar product Q. Receiving a base point P and a scalar k on an elliptic curve, and a check rate RATE; Initializing a variable P1 to the basic point P and setting an iteration variable i (i is an integer) to an initial value t-1 (t is an integer), wherein the scalar k is a binary bit (kt-1,... setting k1, k0) 2 and kt-1 is 1; Receiving a randomly generated check value CHECK; Resetting the variable P1 to a predetermined value in response to the binary bit ki while reducing the iteration variable i; If the check value CHECK is less than or equal to the check rate RATE, check whether the iteration variable i is smaller than 0 after performing fault spreading; if the check value CHECK is greater than the check rate RATE, the iteration variable i is smaller than 0 Confirming that; And And if the iteration variable i is not less than zero, proceeding to receiving the check value CHECK and if the iteration variable i is less than zero, outputting the last reset variable P1 as a scalar product Q. An encryption method characterized by the above-mentioned. A computer readable medium having recorded thereon a program for performing the steps provided in the method of claim 1. An encryption device using the medium of claim 11.

Images