US20140314229A1 Cryptography on a simplified elliptical curve (Google Patents)
Publication number: US20140314229A1 (application Ser. No. US14/261,845)
Authority: US (United States)
Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (all under H04L9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communication)
 H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication using a plurality of keys or algorithms
 H04L9/002—Countermeasures against attacks on cryptographic mechanisms
 H04L9/005—Countermeasures against attacks on cryptographic mechanisms for timing attacks
 H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
 H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyperelliptic curves
Abstract
A cryptographic calculation includes obtaining a point P(X,Y) from a parameter t on an elliptical curve $Y^2 = f(X)$ and from polynomials satisfying $-f(X_1(t)) \cdot f(X_2(t)) = U(t)^2$ in the finite field F_{q}, irrespective of the parameter t, with q=3 mod 4. A value of the parameter t is obtained and the point P is determined by: (i) calculating X_{1}=X_{1}(t), X_{2}=X_{2}(t) and U=U(t); (ii) testing whether the term f(X_{1}) is a squared term in the finite field F_{q} and, if so, calculating the square root of the term f(X_{1}), the point P having X_{1} as abscissa and Y_{1}, the square root of the term f(X_{1}), as ordinate; (iii) otherwise, calculating the square root of the term f(X_{2}), the point P having X_{2} as abscissa and Y_{2}, the square root of the term f(X_{2}), as ordinate. The point P is useful in encryption, scrambling, signature, authentication or identification cryptographic applications.
Description
 This application is a continuation of U.S. application for patent Ser. No. 13/377,381 filed Dec. 9, 2011, which is a 371 filing from PCT/FR2010/051191 (published as WO 2010/146303) filed Jun. 15, 2010 which claims the benefit of French Application for Patent No. 0954043 filed Jun. 16, 2009, the disclosures of which are hereby incorporated by reference.
 The present invention relates to message cryptography based on the use of points on an elliptical curve, and more particularly to such cryptography of a deterministic nature.
 In order to apply a cryptographic calculation to a message, algorithms are conventionally employed for inserting arbitrary values into mathematical structures. Elliptical curves are mathematical structures that facilitate the application of such cryptographic calculations while saving memory relative to other cryptographic calculations.
 However, the efficient algorithms for inserting arbitrary values into elliptical curves are probabilistic. Consequently, their running time is not constant: it depends on the message to be encoded. Thus, if an attacker observes the different running times of the algorithm, he can obtain information about the encoded message.
 In order to mask the time taken by a probabilistic insertion algorithm, unnecessary steps can be added to the algorithm so that its execution always takes the same length of time, regardless of the message processed.
 A point P of an elliptical curve is defined by its abscissa X and its ordinate Y, X and Y satisfying the following equation:

$f(X) = Y^2$ (1)

 where f(X) is the polynomial $f(X) = X^3 + aX + b$.
 A family of polynomials is known, which satisfy Skalba's equality which makes it possible to determine such a point on an elliptical curve, as defined in the document ‘Construction of Rational Points on Elliptic curves over finite fields’ by Andrew Shallue and Christiaan van de Woestijne.
 Polynomials X_{1}(t), X_{2}(t), X_{3}(t) and U(t) satisfy Skalba's equality if they satisfy the following equation:

$f(X_1(t)) \cdot f(X_2(t)) \cdot f(X_3(t)) = U^2(t)$ (2)

 where f is the function that defines the elliptical curve under consideration, and where t is a parameter.
 The polynomials that satisfy Skalba's equality can take two parameters u and t. In this case, Skalba's equality is written:

$f(X_1(t,u)) \cdot f(X_2(t,u)) \cdot f(X_3(t,u)) = U^2(t,u)$

 Equations of this type can be used with two parameters u and t. However, in the proposed applications, we can advantageously set u, or alternatively t, to any fixed value. Thus, the value of a single parameter remains to be chosen.
 Given selected parameters t and u, we write X_{1}=X_{1}(t,u), X_{2}=X_{2}(t,u), X_{3}=X_{3}(t,u) and U=U(t,u), where X_{1}, X_{2}, X_{3} and U are elements of F_{q}. Equation (2) signifies that at least one of the values f(X_{1}), f(X_{2}) and f(X_{3}) corresponds to a squared term in the finite field F_{q}.
 Then, once the squared term f(X_{i}) in F_{q} is identified, we can obtain a point P(X_{i}, √f(X_{i})) on the elliptical curve.
 Calculation of √f(X_{i}) can be performed by means of an exponentiation when the characteristic q of the field F_{q} satisfies:

$q = 3 \bmod 4$

 In this case, it is known that:

$\sqrt{f(X_i)} = f(X_i)^{\frac{q+1}{4}}$ (3)

 In order to determine a point on the elliptical curve (1), it is therefore necessary to determine which value among the three values f(X_{1}), f(X_{2}) and f(X_{3}) corresponds to a squared term in the finite field F_{q}. For this purpose we could envisage checking firstly whether the term f(X_{1}) is a squared term in F_{q}, then, if it is not, applying the same check to the term f(X_{2}), and finally, if this is still not so, checking the term f(X_{3}) similarly. However, following this procedure, the determination of a point on the elliptical curve does not always take the same time, since it is executed more quickly if the first term tested is a squared term than if only the third term is a squared term.
 A potential attacker could make use of this difference in elapsed time to determine a point on the elliptical curve for breaking the secret linked to the parameter that enabled this point to be generated. Now, in the field of cryptography, these parameters must remain secret.
 These parameters can in particular correspond to passwords. Thus, it is important that determination of these points does not in itself supply information that makes it possible to break the secret of the parameter, and accordingly, attacks based on an analysis of the elapsed time for determining a point on the curve are to be avoided.
 To overcome this disadvantage, it would be possible to check the three terms f(X_{i}) systematically for i in the range from 1 to 3. Thus, the time for determining a point on the curve would no longer be a function of the point determined.
 However, checking whether a term of equation (2) is a squared term in the finite field F_{q }is a complex operation in particular employing an exponentiation, which is costly in execution time. In the case when we wish to determine a point on an elliptical curve on the basis of Skalba's equalities, while performing these determinations in a constant time, four operations of exponentiation are required in the case described above, one exponentiation per check of each of the terms of Skalba's equation (2) and one exponentiation for calculating the square root, as described in equation (3).
 The present invention aims to improve this situation.
 A first aspect of the present invention proposes a method of execution of a cryptographic calculation in an electronic component, comprising a step of obtaining a point P(X,Y), starting from at least one parameter t, on an elliptical curve satisfying the equation:

$Y^2 = f(X)$

 and starting from polynomials X_{1}(t), X_{2}(t) and U(t) satisfying the following equality:

$-f(X_1(t)) \cdot f(X_2(t)) = U(t)^2$

 in the finite field F_{q}, regardless of the parameter t, q satisfying the equation q=3 mod 4;
 said method comprising the following steps:
 /1/ obtain a value of the parameter t;
 /2/ determine point P by executing the following substeps:
 /i/ calculate X_{1}=X_{1}(t), X_{2}=X_{2}(t), and U=U(t);
 /ii/ test whether the term f(X_{1}) is a squared term in the finite field F_{q} and, in this case, calculate the square root of the term f(X_{1}), point P having X_{1} as abscissa and the square root of the term f(X_{1}) as ordinate;
 /iii/ otherwise, calculate the square root of the term f(X_{2}), point P having X_{2} as abscissa and the square root of the term f(X_{2}) as ordinate;
 /3/ use said point P in a cryptographic application of encryption or hashing or signature or authentication or identification.
 It should be noted here that the determination of a point on an elliptical curve is carried out on the basis of an advantageous equation:

$-f(X_1) \cdot f(X_2) = U^2$ (4)

 This equation follows from the Skalba equality (2). In fact, it can be obtained by setting:

$f(X_3) = -1$

 Now, in the finite field F_{q} with q=3 mod 4, −1 is not a squared term. Consequently, only two terms of equation (4) remain to be checked in order to decide which of them corresponds to a squared term in F_{q}.
 Thanks to these arrangements, it is possible to determine a point on an elliptical curve in a manner suitable for use in the field of cryptography, since on the one hand this determination takes the same time regardless of the input parameter t and on the other hand it is efficient as the number of demanding operations is reduced.
 This determination takes a constant time that does not depend on the input parameter or parameters. In fact, even if this method offers different processing options depending on the term that corresponds to a squared term in Skalba's equality, the same number of operations of the same type is performed regardless of the point on the curve that is determined. More precisely, regardless of the point on the curve that is determined, the following list of operations is executed:

 test for a squared term in F_{q};
 determination of a square root.
 Therefore an attack of the 'timing attack' type cannot be launched.
 Moreover, this determination is efficient since the number of costly operations employed is limited. In fact, thanks to equation (4), only two terms instead of three in equation (2) are to be checked in order to determine whether they correspond to squared terms in the finite field F_{q}, by applying a maximum of two exponentiation-type operations.
 This embodiment is general and can easily be applied to any family of polynomials satisfying equality (4).
 In one embodiment of the present invention, it is provided at step /2//ii/ to carry out the following steps:
 calculate R_{1} such that:

$R_1 = \left(f(X_1) \cdot f(X_2)\right)^{\frac{q+1}{4}}$

 if R_{1}^{2} is equal to 1, decide that the term f(X_{1}) is a squared term in the field F_{q}, and calculate

$Y_1 = f(X_1)^{\frac{q+1}{4}}$

 otherwise calculate

$Y_2 = f(X_2)^{\frac{q+1}{4}}$

 Here, only two exponentiations are carried out, whatever the processing option applied.
 In another embodiment, it is also possible to reduce the number of exponentiations, which are the most demanding operations to carry out in this method. In fact, at step /2//ii/, the following steps can be carried out:
 calculate R_{1}′ such that:

$R_1' = f(X_1)^{\,q-1-\frac{q+1}{4}}$

 calculate R_{2}′ such that:

$R_2' = (R_1')^2$

 calculate R_{3}′ such that:

$R_3' = R_2' \cdot f(X_1)$

 if R_{3}′ is not equal to 1, at step /2//iii/, the square root of f(X_{2}) is obtained according to the following equation:

$\sqrt{f(X_2)} = R_0 \cdot R_1'$

 where R_{0} satisfies the following equation:

$R_0 = U(t) \cdot (-1)^{\,q-1-\frac{q+1}{4}}$

 It should be noted here that, advantageously, a single exponentiation is carried out in this case during execution of a method according to one embodiment of the present invention.
 In fact, ingenious use is made of the fact that the square root of f(X_{2}) can finally be recovered, in the case where the term f(X_{2}) corresponds to a squared term, without implementing an additional exponentiation. In fact, the square root of f(X_{2}) is obtained by:

$\sqrt{f(X_2)} = R_0 \cdot R_1'$

 where the term R_{0} is finally obtained by a multiplication operation, which is less demanding than the application of an exponentiation. Moreover, only the term U(t) is to be calculated in this embodiment, as the term

$(-1)^{\,q-1-\frac{q+1}{4}}$

 is an immediate calculation term. Therefore it is in no way useful to precalculate this last term and store it in memory. Thus memory space can be saved.
 Then, if R_{3}′ is equal to 1, at step /2//iii/ the square root of f(X_{1}) can be obtained according to the following equation:

$\sqrt{f(X_1)} = R_3' \cdot f(X_1)$

 This also corresponds to a multiplication.
 During execution of such calculations according to one embodiment of the present invention, the time taken for carrying out the operations other than an exponentiation is negligible relative to the time taken by the application of an exponentiation. Now, owing to the characteristics of the present invention, instead of four exponentiations, as described previously in a conventional case, two exponentiations are required at most. Such a reduction in the number of exponentiations is very advantageous.
 In one embodiment of the present invention, the polynomials satisfying equation (4) in X and Y are expressed in Jacobian coordinates X′, Y′ and Z such that:

$X' = X \cdot Z^2$
$Y' = Y \cdot Z^3$

 and the operations of inversion are transformed into operations of multiplication.
 The transformation into Jacobian coordinates makes it possible to transform the inversions into multiplications, when the term Z is correctly selected.
 In one embodiment of the present invention, the polynomials are expressed in Jacobian coordinates, according to which the point P(X,Y) is written P(X′,Y′,Z) such that:

$X' = X \cdot Z^2$
$Y' = Y \cdot Z^3$

 where the function f is written ƒ_{Z}(X′) and satisfies:

$f_Z(X') = X'^3 + a \cdot X' \cdot Z^4 + b \cdot Z^6$

 with the elliptical curve satisfying the equation:

$Y'^2 = f_Z(X')$

 in which the polynomials expressed in Jacobian coordinates are X′_{1}(t), X′_{2}(t), X′_{3}(t), Z(t) and U′(t) and satisfy the following equality in Jacobian coordinates:

$U'(t)^2 = -f_{Z(t)}(X'_1(t)) \cdot f_{Z(t)}(X'_2(t))$

 and in which Z(t) is determined in such a way that the operations of inversion are transformed into operations of multiplication.
 At step /1/, the value of the parameter t can be obtained as a function of a password or an identifier. It is thus possible to envisage using the password directly or a derivative of the password as parameter.
 In one embodiment of the present invention, the cryptographic application is an application of authentication or identification by a checking entity, and at step /1/, the following steps are executed:

 /a/ generate a random value;
 /b/ obtain an encrypted value by encrypting said random value based on an encryption function using an encryption key determined from a password or identifier corresponding to the parameter; and
 /c/ transmit the encrypted value to the checking entity.
 By following this procedure, the checking entity is able to recover the random value from the encrypted value it receives and from the password. It then recovers the value of the parameter t by applying a suitable function.
 A second aspect of the present invention proposes an electronic device comprising suitable means for applying a method of execution of a cryptographic calculation according to the first aspect of the present invention.
 Other aspects, aims and advantages of the invention will become clear on reading the description of one of its embodiments.
 The invention will also be better understood with the aid of the following figures:
 FIG. 1 shows the main steps of a method of execution of a cryptographic calculation according to one embodiment of the present invention;
 FIG. 2 shows a method of execution of a cryptographic calculation in detail according to one embodiment of the present invention; and
 FIG. 3 shows a method of execution of a cryptographic calculation in detail according to one embodiment of the present invention.
 FIG. 1 shows the main steps of a method of execution of a calculation according to one embodiment of the present invention. These main steps are suitable for determining a point on an elliptical curve with the aim of using said point in a cryptographic application. A cryptographic calculation of this kind can be executed in an electronic component in a secure manner, i.e. without the determination of this point giving any information on the point determined and therefore on the parameter t.
 This calculation comprises, in a finite field F_{q}, where q is equal to 3 mod 4, a step of obtaining a point P(X,Y) on an elliptical curve satisfying the equation:

$Y^2 = f(X)$

 A point P(X,Y) has an abscissa X which corresponds to one of X_{1}(t) and X_{2}(t), for a value of t obtained, such that:

$-f(X_1(t)) \cdot f(X_2(t)) = U^2(t)$ (4)

 in the finite field F_{q}.
 Such polynomials can be a function of two parameters u and t. In the context of the present invention, one of the parameters can advantageously be set and consequently the polynomials satisfying equation (4) are then functions of a single parameter t.
 Generally, in order to determine a point on the curve, we try to determine, given input parameters u and t, for which of the values X_{1}=X_{1}(t,u) and X_{2}=X_{2}(t,u) the term f(X_{i}) corresponds to a squared term in the finite field F_{q}. For this purpose, at a step 11, the parameter t is taken into account and we calculate:

$X_i = X_i(t)$ for i equal to 1 or 2, and
$U = U(t)$

 At a step 12, we decide whether the term f(X_{1}) is a squared term on the basis of certain calculations. If the term f(X_{1}) is a squared term, then its square root is calculated in order to obtain, at step 13, the point P with abscissa X_{1} and ordinate Y_{1} obtained from the calculation of the previous square root.
 In the opposite case, the point P with abscissa X_{2} and ordinate Y_{2} is obtained at step 14. To this end we calculate the square root of the term f(X_{2}).
 It should be noted that reaching steps 13 or 14 for obtaining a point on the elliptical curve according to one embodiment of the present invention requires similar operations. Thus, regardless of the input parameter or parameters t and u, it is not possible to launch an attack on the basis of the time elapsed.
 The point P(X_{i},Y_{i}), for an i equal to 1 or 2, can then be used advantageously in a cryptographic application of encryption or hashing or signature or authentication or identification, since its determination has not supplied any element that can break its secret.
 In the field F_{q}, q corresponding to 3 mod 4, it is possible to check whether a term is a squared term in various ways.
 FIG. 2 illustrates the application of the method according to an embodiment of the present invention. At step 21, we calculate:

$R_1 = f(X_1)^{\frac{q-1}{2}}$

 Then, the test for checking whether the term f(X_{1}) is a squared term in F_{q} can be carried out, at a step 22, by comparing R_{1} to 1. In fact, in F_{q}, if R_{1} is equal to 1, then f(X_{1}) is a squared term. In this case, at step 24, the square root of this term is calculated as follows:

$\sqrt{f(X_1)} = f(X_1)^{\frac{q+1}{4}}$

 Otherwise, the term f(X_{2}) is a squared term. Then, at a step 23, its square root is calculated as follows:

$\sqrt{f(X_2)} = f(X_2)^{\frac{q+1}{4}}$

 In this embodiment, it should be noted that the number and the type of operations carried out for the determination of a point P are the same whatever the processing option taken, i.e. whatever the term which corresponds to a squared term in equation (4).

 FIG. 3 illustrates another embodiment of an execution method according to one embodiment of the present invention in which only one exponentiation is applied. Here, advantageously, the number of exponentiations can be further reduced, by not using the same test for a squared term as in step 12 of FIG. 1. In one embodiment of the present invention, when trying to determine whether a term A is a squared term in F_{q}, the following steps can be executed:

$W_1 = \frac{1}{A^{\frac{q+1}{4}}} = A^{\,q-1-\frac{q+1}{4}}$ (i)
$W_2 = W_1^2$ (ii)
$W_3 = W_2 \cdot A$ (iii)

 Finally, if term A is a squared term then:
 W_{1} corresponds to the reciprocal of the square root of A, i.e. 1/√A, since an exponentiation at (q−1) corresponds to an inversion and an exponentiation at (q+1)/4 corresponds to a square root in the finite field F_{q};
 W_{2} corresponds to the inverse of A; and
 W_{3} corresponds to the value 1.
 Thus, when W_{3} is equal to the value 1, it is concluded that the term A is a squared term in the finite field F_{q}. If A is not a squared term, then W_{3} is not equal to 1.
 The following sections describe an embodiment based on this type of test. In one embodiment of the present invention, at a step 311, the following multiplication is performed:

$R_1' = f(X_1)^{\,q-1-\frac{q+1}{4}}$

 Then it is checked whether this term R_{0} is a squared term as stated previously. Thus in a step 312, we calculate:

$R_2' = (R_1')^2$

 Then in a step 313, we calculate:

$R_3' = R_2' \cdot f(X_1)$

 Then, we decide whether the term R_{3}′ is equal to 1 at step 314. If this is the case, then the following term corresponds to the square root of the term f(X_{1}):

$R_4' = R_3' \cdot f(X_1)$

 If the test 314 is not satisfied, then the term f(X_{2}) is a squared term in F_{q}. The square root of this term is thus obtained at step 316 according to the following equation:

$R_4'' = R_0 \cdot R_1'$

 where R_{0} satisfies the following equation:

$R_0 = U(t) \cdot (-1)^{\,q-1-\frac{q+1}{4}}$

 It should be noted that the above equation makes it possible to obtain the square root of f(X_{2}) advantageously, without carrying out an operation of exponentiation such as that carried out at step 23 or at step 311. In fact, here it is, ingeniously, a matter of performing a multiplication instead of an exponentiation.
 We then obtain R_{4}″, which corresponds to the square root of the term f(X_{2}). Thus, a point P on the elliptical curve has been determined which has X_{2} as abscissa and R_{4}″ as ordinate.
 In the embodiment described previously with reference to FIG. 3, like that described with reference to FIG. 2, regardless of the determination of point P, i.e. whether this determination is based on the value X_{1} or X_{2}, similar calculations are employed, thus ensuring determination of a point on the elliptical curve in a constant time.
 In one embodiment of the present invention, it is possible to select polynomials that satisfy equation (4) by basing them on Ulas polynomials as defined in the document "Rational points on certain hyperelliptic curves over finite fields" by Maciej Ulas, dated 11 Jun. 2007.
 In this document, the polynomials satisfying Skalba's equation (2) are described:

$X_1(t,u) = -\frac{b}{a}\left(1 + \frac{1}{t^4 f(u)^2 + t^2 f(u)}\right)$
$X_2(t,u) = t^2 f(u) X_1(t,u)$
$X_3(t,u) = u$
$U(t,u) = t^3 f(u)^4 f(X_1(t,u))$

 where $f(u) = u^3 + au + b$, and where a and b are elements of F_{q} such that their product is not zero.
 Thus, the equations can be rewritten by setting

$f(u) = -1$

 without it being necessary to calculate a value of the parameter u for which this last equation is satisfied. We then obtain

$X_1(t) = -\frac{b}{a}\left(1 + \frac{1}{t^4 - t^2}\right)$
$X_2(t) = -t^2 X_1(t)$, and
$U(t) = t^3 f(X_1(t))$

 Advantageously, these polynomials satisfy the following equation:

$-f(X_1(t)) \cdot f(X_2(t)) = U(t)^2$

 In one embodiment of the present invention, the use of Jacobian coordinates is advantageously envisaged. This transformation into Jacobian coordinates makes it possible to transform the operations of inversion into operations of multiplication, which are quicker and easier to apply.
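As an added example (not code from the patent nor from the cited Ulas paper), the following Python puts the polynomials X_{1}(t), X_{2}(t), U(t) just given together with the two derivations of the description: the FIG. 2 variant (Euler's criterion on f(X_{1}), then one square root, two exponentiations) and the FIG. 3 variant built on R_{1}′ (one exponentiation, then multiplications). The prime q=10007 and the curve coefficients a=5, b=7 are constructed for illustration. In the one-exponentiation variant the square root of f(X_{1}) is taken as R_{1}′·f(X_{1}), i.e. f(X_{1})^{1−(q+1)/4}, which is a derivation of this example (it squares to f(X_{1}) whenever f(X_{1}) is a square) and not a formula from the page; the modexp counter exists only to check the claim that the number of exponentiations does not depend on which of X_{1} or X_{2} is selected.

```python
# Added example (not code from the patent): derive a curve point from a parameter t with
# equation (4) and the polynomials X1(t) = -b/a (1 + 1/(t^4 - t^2)), X2(t) = -t^2 X1(t),
# U(t) = t^3 f(X1(t)), over a prime field F_q with q = 3 mod 4.
# Two derivations: FIG. 2 (criterion + root, two exponentiations) and FIG. 3 (one exponentiation).
# The prime Q and the curve coefficients A, B are constructed for illustration.

Q = 10007          # prime with Q = 3 mod 4 (10007 = 4 * 2501 + 3)
A, B = 5, 7        # curve y^2 = x^3 + A x + B; the polynomials need A * B != 0

EXP_CALLS = 0      # counts modular exponentiations performed inside the point derivations


def modexp(base, exp):
    """Exponentiation in F_Q, instrumented so the operation count per branch can be checked."""
    global EXP_CALLS
    EXP_CALLS += 1
    return pow(base % Q, exp, Q)


def f(x):
    return (x * x * x + A * x + B) % Q


def ulas_polynomials(t):
    """X1(t), X2(t), U(t) of the description. Requires t^4 != t^2, i.e. t not in {0, 1, -1}.
    The inversion here belongs to evaluating the polynomials, not to the root step, and is not counted."""
    d = (pow(t, 4, Q) - pow(t, 2, Q)) % Q
    if d == 0:
        raise ValueError("t^4 - t^2 = 0: parameter t is not usable with these polynomials")
    x1 = (-B * (d + 1) * pow(A * d, Q - 2, Q)) % Q      # -b (d + 1) / (a d)
    x2 = (-t * t * x1) % Q
    u = (pow(t, 3, Q) * f(x1)) % Q
    return x1, x2, u


def satisfies_eq4(x1, x2, u):
    """Equation (4): -f(X1) * f(X2) = U^2 in F_q."""
    return (-f(x1) * f(x2)) % Q == (u * u) % Q


def point_two_exponentiations(t):
    """FIG. 2: R1 = f(X1)^((q-1)/2) (step 21), compare with 1 (step 22), one root (step 23 or 24).
    Either branch costs one criterion exponentiation plus one root exponentiation."""
    x1, x2, _u = ulas_polynomials(t)
    r1 = modexp(f(x1), (Q - 1) // 2)
    if r1 == 1:
        return x1, modexp(f(x1), (Q + 1) // 4)
    return x2, modexp(f(x2), (Q + 1) // 4)


def point_one_exponentiation(t):
    """FIG. 3: R1' = f(X1)^(q-1-(q+1)/4) is the only exponentiation (step 311); R2' = R1'^2 and
    R3' = R2' f(X1) (steps 312, 313) form the squareness test R3' == 1 (step 314).
    Root of f(X1): R1' * f(X1) = f(X1)^(1-(q+1)/4) (this example's derivation).
    Root of f(X2): R0 * R1' with R0 = U * (-1)^(q-1-(q+1)/4) (step 316)."""
    x1, x2, u = ulas_polynomials(t)
    a1 = f(x1)
    e = (Q - 1) - (Q + 1) // 4
    r1p = modexp(a1, e)
    r2p = (r1p * r1p) % Q
    r3p = (r2p * a1) % Q
    if r3p == 1:
        return x1, (r1p * a1) % Q
    minus_one_pow_e = 1 if e % 2 == 0 else Q - 1       # (-1)^e is +1 or -1: no exponentiation needed
    r0 = (u * minus_one_pow_e) % Q
    return x2, (r0 * r1p) % Q


def on_curve(x, y):
    return (y * y) % Q == f(x)


def exponentiation_count(derive, t):
    """Number of modexp calls made by one derivation of the point for parameter t."""
    global EXP_CALLS
    EXP_CALLS = 0
    derive(t)
    return EXP_CALLS


if __name__ == "__main__":
    for t in (2, 3, 5, 8):
        print(t, point_two_exponentiations(t), point_one_exponentiation(t),
              exponentiation_count(point_two_exponentiations, t),
              exponentiation_count(point_one_exponentiation, t))
```

The two variants agree on the abscissa and on the ordinate up to sign: f(X_{i}) has two square roots, and the exponent (q+1)/4 and the product R_{0}·R_{1}′ do not necessarily select the same one, so a protocol must fix a sign convention if both sides need the identical point. The parameters t in {0, 1, −1} are rejected because t^{4}−t^{2}=0 leaves X_{1}(t) undefined; a real implementation has to reject or remap them, since a branch on that condition is itself a data-dependent difference. When f(X_{1})=0, both variants fall through to X_{2} with ordinate 0, which is a valid point because f(X_{2}) is then 0 as well.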
 The equation of an elliptical curve:

$X^3 + aX + b = Y^2$

 can be written in Jacobian coordinates:

$X'^3 + aX'Z^4 + bZ^6 = Y'^2$

 It should be noted that the coordinates of a point (X,Y) can be written in Jacobian coordinates (X′,Y′,Z) such that:

$X' = X \cdot Z^2$ and $Y' = Y \cdot Z^3$

 We should therefore determine a polynomial Z(t,u) in such a way that the Jacobian coordinates X′, Y′ and Z can be written without inversion.
 In the following sections, this transformation into Jacobian coordinates is applied to a particular case of polynomials as stated previously.
 In this context, any operation of inversion is eliminated by taking:

$Z(t) = a(t^4 - t^2)$

 In fact, the polynomials can then be written in the following form in Jacobian coordinates:

$X'_1(t) = -b \cdot Z(t) \cdot (t^4 - t^2 + 1)$
$X'_2(t) = -t^2 \cdot X'_1(t)$

 It should therefore be noted that there is no longer any inversion in Jacobian coordinates. As this operation can be as costly as an exponentiation, these coordinates permit a significant improvement in calculation time.
 Then, to obtain the Jacobian coordinate Y′, it is advisable to calculate U′(t,u), the equivalent of U(t,u) in Jacobian coordinates.
 We can then write in Jacobian coordinates:

$U'(t) = t^3 \cdot f_Z(X'_2(t))$

 with:

$f_{Z(t)}(X') = X'^3 + a \cdot X' \cdot Z(t)^4 + b \cdot Z(t)^6$

 By way of example only, the equations above make it possible to no longer have to carry out inversion operations. Under these conditions an execution method is obtained which is more efficient and quick, while still ensuring execution in a constant time.
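As an added example (not code from the patent), the following Python evaluates the Jacobian polynomials Z(t), X′_{1}(t), X′_{2}(t) above and checks that no field inversion is needed until the final conversion back to affine coordinates. The prime q=10007 and coefficients a=5, b=7 are constructed for illustration. U′(t) is computed here as t^{3}·ƒ_{Z}(X′_{1}(t)), i.e. Z(t)^{6}·U(t) with U(t)=t^{3}·f(X_{1}(t)) from the affine polynomials above, which is the value for which U′(t)^{2} = −ƒ_{Z(t)}(X′_{1}(t))·ƒ_{Z(t)}(X′_{2}(t)) holds; that is a derivation of this example, and the test checks it rather than assuming it.

```python
# Added example (not code from the patent): Jacobian form of the polynomials,
# Z(t) = a(t^4 - t^2), X'1(t) = -b Z(t) (t^4 - t^2 + 1), X'2(t) = -t^2 X'1(t), with
# f_Z(X') = X'^3 + a X' Z^4 + b Z^6. U'(t) is computed as t^3 f_Z(X'1(t)) (= Z(t)^6 U(t)),
# this example's derivation of the value satisfying U'^2 = -f_Z(X'1) f_Z(X'2).
# The prime Q and the coefficients A, B are constructed for illustration.

Q = 10007          # prime, Q = 3 mod 4
A, B = 5, 7        # curve y^2 = x^3 + A x + B, A * B != 0


def f_z(xp, z):
    """f_Z(X') = X'^3 + a X' Z^4 + b Z^6: the curve equation after X' = X Z^2, Y' = Y Z^3,
    so that f_Z(X') = Z^6 f(X) and Y'^2 = f_Z(X')."""
    return (xp * xp * xp + A * xp * pow(z, 4, Q) + B * pow(z, 6, Q)) % Q


def jacobian_polynomials(t):
    """X'1(t), X'2(t), Z(t), U'(t) using only additions and multiplications in F_q."""
    t2 = t * t % Q
    d = (t2 * t2 - t2) % Q                  # t^4 - t^2
    z = A * d % Q
    xp1 = (-B * z * (d + 1)) % Q
    xp2 = (-t2 * xp1) % Q
    up = t2 * t % Q * f_z(xp1, z) % Q       # t^3 * f_Z(X'1)
    return xp1, xp2, z, up


def satisfies_jacobian_identity(t):
    """U'(t)^2 = -f_Z(X'1(t)) * f_Z(X'2(t)) in F_q."""
    xp1, xp2, z, up = jacobian_polynomials(t)
    return up * up % Q == (-f_z(xp1, z) * f_z(xp2, z)) % Q


def jacobian_point(t):
    """P(X', Y', Z) by the FIG. 2 test and root, entirely in Jacobian coordinates.
    Z^6 is a square, so f_Z(X'1) is a square exactly when f(X1) is."""
    xp1, xp2, z, _up = jacobian_polynomials(t)
    w1 = f_z(xp1, z)
    if pow(w1, (Q - 1) // 2, Q) == 1:
        return xp1, pow(w1, (Q + 1) // 4, Q), z
    w2 = f_z(xp2, z)
    return xp2, pow(w2, (Q + 1) // 4, Q), z


def to_affine(xp, yp, z):
    """The single inversion, performed once at the end: X = X'/Z^2, Y = Y'/Z^3.
    Z(t) = 0 (t^4 = t^2) yields the all-zero triple, which is not a point: reject it."""
    if z == 0:
        raise ValueError("Z(t) = 0: parameter t is not usable with these polynomials")
    zi = pow(z, Q - 2, Q)
    return xp * zi * zi % Q, yp * zi * zi * zi % Q


def on_curve(x, y):
    return y * y % Q == (x * x * x + A * x + B) % Q


if __name__ == "__main__":
    for t in (2, 3, 5, 8):
        xp, yp, z = jacobian_point(t)
        print(t, (xp, yp, z), to_affine(xp, yp, z), satisfies_jacobian_identity(t))
```

Note that the derivation itself performs no inversion; only `to_affine` does, and only once, which is the saving the description refers to. The all-zero triple for t with t^{4}=t^{2} is the Jacobian counterpart of the undefined affine X_{1}(t), so it must be filtered before or after the derivation rather than silently converted.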
 The present invention can advantageously be implemented in any type of cryptographic calculation using elliptical curves. It can in particular be advantageous in protocols for authentication by password, such as PACE (Password Authenticated Connection Establishment). In this case, it allows an improvement in calculation performance, while not allowing any attack linked to the execution time of the cryptographic calculation.
 The present invention can also be applied advantageously in the context of privacy protocols, such as those used for checking electronic identity documents, such as electronic passports.
Claims (7)
1. An electronic component configured to execute a cryptographic calculation and obtain a point P(X,Y) from at least one parameter t, on an elliptical curve that satisfies the equation: Y^{2}=f(X) and from polynomials X_{1}(t), X_{2}(t), and U(t) satisfying the following equality: −f(X_{1}(t)).f(X_{2}(t))=U(t)^{2 }in the finite field F_{q}, regardless of the parameter t, q satisfying the equation q=3 mod 4, said electronic component configured to:
obtain a value of the parameter t;
determine the point P by:
(i) calculating X_{1}=X_{1}(t), X_{2}=X_{2}(t) and U=U(t)
(ii) testing whether the term f(X_{1}) is a squared term in the finite field F_{q }and in this case calculating the square root of the term f(X_{1}), point P having X_{1 }as abscissa and the square root of the term f(X_{1}) as ordinate Y_{1};
(iii) otherwise calculating the square root of the term f(X_{2}), point P having X_{2 }as abscissa and the square root of the term f(X_{2}) as ordinate; and
wherein said electronic component is further configured to use said point P in a cryptographic application selected from the group consisting of encryption or hashing or signature or authentication or identification.
2. The electronic component according to claim 1 , wherein in order to determine the point P said electronic component is further configured to:
calculate R_{1 }such that:
if R_{1 }is equal to 1,
decide that the term f(X_{1}) is a squared term in field F_{q}; and
calculate
otherwise, calculate
3. The electronic component according to claim 1, wherein in order to determine the point P said electronic component is further configured to:
calculate R_{1}′ such that:
calculate R_{2}′ such that:
R_{2}′=R_{1}′^{2}
calculate R_{3}′ such that:
R_{3}′=R_{2}′.ƒ(X_{1})
if R_{3}′ is not equal to 1, then obtain the square root of f(X_{2}) according to the following equation:
√(ƒ(X_{2}))=R_{0}.R_{1}′
where R_{0} satisfies the following equation:
4. The electronic component according to claim 3, further configured to determine the point P by obtaining the square root of f(X_{1}) according to the following equation:
√(ƒ(X_{1}))=R_{3}′.ƒ(X_{1})
if R_{3}′ is equal to 1.
5. The electronic component according to claim 1, wherein the polynomials are expressed in Jacobian coordinates according to which the point P(X,Y) is written P(X′,Y′,Z) such that:
X′=X.Z^{2},
Y′=Y.Z^{3}
where the function f is written ƒ_{Z}(X′) and satisfies:
ƒ_{Z}(X′)=X′^{3}+a.X′.Z^{4}+b.Z^{6}
with the elliptical curve satisfying the equation:
Y′^{2}=ƒ_{Z}(X′)
in which the polynomials expressed in Jacobian coordinates are X′_{1}(t), X′_{2}(t), Z(t) and U′(t) and satisfy the equality in Jacobian coordinates:
U′(t)^{2}=−ƒ_{Z(t)}(X′_{1}(t)).ƒ_{Z(t)}(X′_{2}(t))
and in which Z(t) is determined in such a way that the operations of inversion are transformed into operations of multiplication.
6. The electronic component according to claim 1, wherein in obtaining the value of the parameter t said electronic component is further configured to obtain the value of the parameter t as a function of a password or an identifier.
7. The electronic component according to claim 1, wherein the cryptographic application is an application of authentication or identification by a checking entity, and wherein said electronic component in obtaining the value of the parameter t is further configured to:
/a/ generate a random value;
/b/ obtain an encrypted value by encrypting said random value based on an encryption function using an encryption key determined from a password or identifier corresponding to the parameter; and
/c/ transmit the encrypted value to the checking entity.
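Claims 1, 3 and 4 state the point construction procedurally; what follows is an added Python example, not the patent's or the assignee's code, that carries it through over a toy field. The prime, the curve coefficients and the maps X1(t), X2(t), U(t) (taken from the simplified SWU construction, which the claims do not spell out) are assumptions, and taking R0 = U in the second branch is this example's own choice, since the page does not reproduce the patent's definition of R0.

```python
# Added example; not the patent's own code. Field, curve and the maps are assumptions:
# Q = 10007 is a toy prime with Q % 4 == 3 (far too small for real use) and X1, X2, U
# are the simplified SWU rational maps, which satisfy -f(X1(t)).f(X2(t)) = U(t)^2.
Q = 10007
A, B = 3, 7          # constructed curve coefficients; the maps need a != 0 and b != 0

def f(x):
    """Right-hand side f(X) = X^3 + aX + b of the curve Y^2 = f(X) over F_q."""
    return (x * x * x + A * x + B) % Q

def inv(x):
    return pow(x, Q - 2, Q)

def maps(t):
    """X1(t) = -b/a (1 + 1/(t^4 - t^2)), X2(t) = -t^2 X1(t), U(t) = t^3 f(X1(t)).
    Then f(X2) = -t^6 f(X1), so -f(X1) f(X2) = U^2 for every t not in {0, 1, -1}."""
    t %= Q
    d = (pow(t, 4, Q) - t * t) % Q
    if d == 0:
        raise ValueError("parameter t not admissible for these maps")
    x1 = (-B * inv(A) * (1 + inv(d))) % Q
    x2 = (-t * t * x1) % Q
    u = (pow(t, 3, Q) * f(x1)) % Q
    return x1, x2, u

def point_from_t(t):
    """Claims 1 and 3: a single exponentiation f(X1)^((q-3)/4) both decides which
    abscissa to keep (Euler criterion) and gives the ordinate in either branch."""
    x1, x2, u = maps(t)
    f1 = f(x1)
    if f1 == 0:                     # 0 is a square: (X1, 0) is on the curve
        return x1, 0
    r1 = pow(f1, (Q - 3) // 4, Q)   # R1'
    r2 = r1 * r1 % Q                # R2' = R1'^2
    r3 = r2 * f1 % Q                # R3' = R2'.f(X1) = f(X1)^((q-1)/2)
    if r3 == 1:                     # f(X1) is a square: Y = R1'.f(X1) = f(X1)^((q+1)/4)
        return x1, r1 * f1 % Q
    # f(X1) is a non-residue; since -1 is also one when q = 3 mod 4, f(X2) = -U^2/f(X1)
    # is a square and (U.R1')^2 = -f(X1) f(X2) . f(X1)^((q-3)/2) = f(X2). This example
    # therefore takes R0 = U; the patent's own definition of R0 is not reproduced here.
    return x2, u * r1 % Q

def on_curve(p):
    """Check Y^2 = f(X) in F_q."""
    x, y = p
    return y * y % Q == f(x)
```

The whole construction costs one modular exponentiation per point, which is what makes it attractive for the constrained electronic components the claims target.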
Priority Applications (2)
Application Number  Priority Date  Filing Date  Title
US201113377381A  20111209  20111209
US14/261,845 US20140314229A1 (en)  20111209  20140425  Cryptography on a simplified elliptical curve
Related Parent Applications (3)
Application Number  Title  Priority Date  Filing Date
PCT/FR2010/051191 Continuation WO2010146303A2 (en)  20090616  20100615  Cryptography on a simplified elliptical curve
US13/377,381 Continuation US8712038B2 (en)  20090616  20100615  Cryptography on a simplified elliptical curve
US201113377381A Continuation  20111209  20111209
Related Child Applications (1)
Application Number  Title  Priority Date  Filing Date
US15/178,478 Continuation US9866371B2 (en)  20090616  20160609  Cryptography on a simplified elliptical curve
Publications (1)
Publication Number  Publication Date
US20140314229A1 true US20140314229A1 (en)  20141023
Family
ID=51729003
Family Applications (2)
Application Number  Title  Priority Date  Filing Date
US14/261,845 Abandoned US20140314229A1 (en)  20111209  20140425  Cryptography on a simplified elliptical curve
US15/178,478 Active 20300718 US9866371B2 (en)  20090616  20160609  Cryptography on a simplified elliptical curve
Also Published As
Publication number  Publication date
US20170214527A1 (en)  20170727
US9866371B2 (en)  20180109
Legal Events
Date  Code  Title  Description
STCB  Information on status: application discontinuation. Free format text: ABANDONED - FAILURE TO RESPOND TO AN OFFICE ACTION
AS  Assignment. Owner name: IDEMIA IDENTITY & SECURITY, FRANCE. Free format text: CHANGE OF NAME; ASSIGNOR: SAFRAN IDENTITY & SECURITY; REEL/FRAME: 047529/0948. Effective date: 20171002
AS  Assignment. Owner name: SAFRAN IDENTITY & SECURITY, FRANCE. Free format text: CHANGE OF NAME; ASSIGNOR: MORPHO; REEL/FRAME: 048039/0605. Effective date: 20160613