WO2001052051A2 - Method and device for carrying out an inversion, especially during encryption by means of elliptic curves - Google Patents
- Publication number: WO2001052051A2 (application PCT/DE2001/000161)
- Authority: WO (WIPO, PCT)
- Prior art keywords: prime number, microprocessor, number field, inversion, numbers
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation (as above) using residue arithmetic
- G06F7/721—Modular inversion, reciprocal or quotient calculation
- G06F7/724—Finite field arithmetic
- G06F7/725—Finite field arithmetic over elliptic curves
Definitions
- The invention relates to the field of cryptographic methods and devices, namely methods and devices which make it possible to carry out a special calculation, an inversion in the prime field, as is required for example for encryption using elliptic curves.
- If encrypted information is to be decrypted at a location other than where it was encrypted, e.g. when it is transmitted from one computer system (sender) to another computer system (receiver) over the Internet, then with a symmetric method the receiver must also receive the key in some form.
- The asymmetric methods are therefore considered more secure for transmitting encrypted information.
- In an asymmetric method the sender and receiver each compute their own key G_S or G_E from a public value G, exchange these, and then use a key G_SE for encryption or decryption. Even if a third party intercepted both G_S and G_E, it would not be able to decipher a message encrypted with the key G_SE because of the so-called "discrete logarithm problem".
- Asymmetric encryption methods, and devices for performing at least some of the steps of encryption and decryption with asymmetric methods, in particular with elliptic curves, are known from a large number of publications, for example from US 5,159,632, US 5,271,061, US 5,463,690, US 5,581,616, US 5,805,703, US 5,442,707, EP 0 892 520 A2, PCT/DE99/00278 and PCT/US99/12749, which also set out the mathematical foundations of elliptic curves and their application in
- The cited documents also point out the advantages and disadvantages of encryption techniques based on elliptic curves compared with the currently most widespread type of asymmetric encryption technique, the so-called RSA method.
- The RSA method is based on the problem of factoring large numbers. Smart cards currently available use this algorithm.
- The essential operation in the RSA method is the exponentiation of a number m in Z_n, where n is the product of two large prime numbers p and q and, as a binary number, typically has a bit length between 1024 and 2048 bits (p and q usually have bit lengths between 512 and 1024 bits). Implementations of the RSA method on smart cards normally limit n to 1024 bits. In contrast to the RSA method, cryptographic methods based on elliptic curves require divisions in the prime field. If sufficient resources are available, such divisions are easy to implement with appropriate computer programs.
- The object of the invention is therefore, on the one hand, to provide methods and devices which make it possible to implement standard algorithms for elliptic curve cryptography efficiently on the processors of smart cards (smart card ICs) with long-number crypto coprocessors.
- Another object is to specify methods and devices in which the number field and the elliptic curve can be freely selected and need only be loaded into the EEPROM of the smart card when the corresponding storage medium, for example a smart card, is personalized.
- The invention proposes the use of the extended Euclidean algorithm for determining an inverse in the prime field.
- The recalculation of A and the calculation of x are combined by storing the two values in one register (which then must necessarily be at least twice as long).
- A second long-number register is laid out as follows: Q (left-justified), free space (length k), B_Q (right-justified).
- A sub-step now ensures that (when X is processed) P is replaced by the remainder of the division P / Q and, at the same time, the value in B_P is adjusted accordingly. When Y is processed, the same procedure is followed. These calculations are repeated as long as P and Q are greater than zero. Once one of them has reached zero, B_P or B_Q contains the inverse sought. With this method, essentially half as many registers of twice the length suffice for an efficient implementation of the inversion, so the number of memory bits remains unchanged.
- This new method works with a long-number accumulator and without substantial support from a host processor, since only elementary commands on the long-number register (add, shift, bit test and some means of comparison, which can also be done by a bit test) are required, and the operands of the division with remainder (P and Q) do not have to be buffered separately.
- The method describes how a certain class of cryptographic methods can be implemented efficiently on special microprocessors. For the same security requirements, the computing time needed on commercially available processors can be reduced considerably compared with the known methods.
- The algorithm is independent of the particular parameters which of the
- The algorithm described here makes it possible to obtain the results of two required operations in one calculation step, which amounts to a definite acceleration.
- The algorithm presented is an optimization for the case in which the microprocessor provides arithmetic routines for numbers whose bit length is substantially greater than twice the bit length of the numbers to be processed.
- Microprocessors with limited performance normally require the inversion of a number modulo a prime number (since the alternative method of calculation requires more buffers than are usually available on these processors). If a fast inversion is available, the group law for points on elliptic curves is very simple; it is, for the
- The first argument (a) is set to the prime number modulo which the second argument (b) is to be inverted. Since the greatest common divisor of a prime number and any other number (smaller than this prime) is always 1, one has the following identity:
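The identity referred to above is Bézout's relation for the extended Euclidean algorithm, written out here as an added note (not text reproduced from the patent page), with a the prime modulus and b the number to be inverted:

$$\gcd(a, b) = 1 = u \cdot a + v \cdot b \quad\Longrightarrow\quad v \cdot b \equiv 1 \pmod{a},$$

so the coefficient v produced alongside the gcd is the inverse of b modulo a (reduced into the range 0 < v < a if it comes out negative).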
- The frames below are intended to illustrate the register length of the processor used:
- The algorithm then works with the values T and U, i.e. it processes A and B, or x_2 and x_1, simultaneously.
- The subtraction T - q * U then provides the results for r and x_0 in one step.
- The quotient q is not actually calculated in practice. Instead, the largest possible multiples (a power of two times the divisor) are subtracted successively. When the respective multiple of x_1 is subtracted from x_2, the sign bit propagates up into the representation of A in the usual binary representation of the operands.
- The Euclidean algorithm is mainly required to calculate an inverse. Let P be a prime, so the greatest common divisor is the element 1, and B_Q is the value sought
- The algorithm consists of steps of the form
- Part b: calculate new intermediate values
- A_Q := p * A_Q + q * A_P
- The leading bit of Z is cleared by operations of the form (15) and the Z register is then shifted left by 1 bit; it is not known in advance whether the leading bit of Z is 1. Because of this, the subtraction takes the form
- Bit length of P': a second consequence of the "bit borrow" is the bit length of P'. If the correct value were a power of two (2^(n-1)), the actual bit representation is 2^(n-1) - 1, and the bit length of the
- The last question is whether one of the numbers B_P, B_Q can be longer than l bits (more precisely: greater than P). For the Euclidean
- H: hash function; H(m): hash value of the message m
- The extended Euclidean algorithm uses two number triples (P, a, b) and (Q, c, d) which switch roles after each step.
- A single step essentially consists of an arithmetic operation of the form
- The numbers p or q to be determined can be chosen so that the
- The algorithm uses the greatest common divisor T of P and
- The length of the long-number register is at least 2n + x bits.
- P and b are loaded into a long-number register Z, and Q and d into a long-number register y, and adjusted according to the x_0 separating bits:
- Both registers are shifted left in parallel until the leading bit of the Z register is set (this is necessary for the implementation on CCP / ACE).
- The leading bit of P in Z is always set after initialization.
- "Test the most significant bit of the Z register" means the most significant bit of the Z register that can be tested.
- The most significant bit of the Z register is the most significant set bit of P; Z and y are adjusted according to the x_0 separating bits:
- This processor has a mathematical coprocessor with a register length of 1120 bits (ACE, Advanced Crypto Engine) or 560 bits (CCP, Crypto Coprocessor) and thus fulfils the requirements for implementing the proposed algorithm. It is possible to use the maximum parameter sizes provided for in the standardization efforts (NIST, ANSI: 512 bits). For the commonly used parameter sizes (160-256 bits), it is sufficient to operate the processor in the mode with the short register length.
- ACE Advanced Crypto Engine
- CCP Crypto Coprocessor
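The register procedure described in the entries above (two packed long-number registers holding a Euclidean value and its coefficient, the largest power-of-two multiple subtracted instead of a computed quotient, remainder and Bezout coefficient updated by one subtraction, and the borrow that a negative coefficient causes in the value field) is shown below in Python as an added example. This is not code from the patent or from the ACE/CCP firmware: Python integers stand in for the long-number registers, the register layout with x0 = 2 separating bits and the choice of the NIST P-256 prime as sample modulus are assumptions of the example, and the built-in pow(b, -1, p) (Python 3.8+) serves only as a cross-check.

```python
"""Modular inversion by the extended Euclidean algorithm in the form the
patent text describes for long-number crypto coprocessors: no quotient is
computed (only subtract, shift, compare and bit tests), and the Euclidean
remainder and the Bezout coefficient are updated by ONE subtraction on a
single packed wide register.  Added example; Python ints model registers."""

# Constructed sample modulus: the NIST P-256 prime (a 256-bit parameter, the
# upper end of the 160-256 bit range mentioned on the page).
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1


def inverse_two_pairs(b: int, p: int) -> int:
    """Reference form with two separate pairs (P, x_P), (Q, x_Q).

    Invariant: P == x_P * b (mod p) and Q == x_Q * b (mod p).
    When Q reaches 0, P == gcd(p, b) == 1 (p prime, 0 < b < p) and x_P is the
    inverse of b modulo p."""
    if not 0 < b < p:
        raise ValueError("need 0 < b < p")
    P, xP, Q, xQ = p, 0, b, 1
    while Q:
        # Reduce P modulo Q by subtracting the largest power-of-two multiple
        # of Q that still fits, instead of computing a quotient.
        while P >= Q:
            s = P.bit_length() - Q.bit_length()
            if (Q << s) > P:
                s -= 1
            P -= Q << s
            xP -= xQ << s          # keeps P == xP * b (mod p)
        P, xP, Q, xQ = Q, xQ, P, xP   # the two pairs switch roles
    if P != 1:
        raise ValueError("b is not invertible modulo p")
    return xP % p


def inverse_packed_register(b: int, p: int, x0: int = 2) -> int:
    """Same algorithm on two packed long-number registers Z and Y.

    Assumed layout (an assumption of this example, not the patent's exact
    layout): Euclidean value P in the top n bits, then x0 separating bits,
    then the coefficient B_P in the bottom n bits, i.e. 2n + x0 bits in all.
    Numerically a register holds value * 2**W + coefficient with W = n + x0,
    the coefficient being signed, so Z - (Y << s) updates both fields with
    one subtraction.  A negative coefficient borrows 1 from the value field
    (the "bit borrow"); upper() corrects that before any comparison."""
    if not 0 < b < p:
        raise ValueError("need 0 < b < p")
    if x0 < 1:
        raise ValueError("at least one separating bit is needed for the sign")
    n = p.bit_length()
    W = n + x0
    half = 1 << (W - 1)       # |coefficient| never exceeds p < 2**n < half

    def upper(reg: int) -> int:
        # Value field; adding half rounds away the borrow of a negative
        # coefficient (a packed 2**(n-1) would otherwise read 2**(n-1) - 1).
        return (reg + half) >> W

    def lower(reg: int) -> int:
        # Signed coefficient field.
        return reg - (upper(reg) << W)

    Z = (p << W) + 0          # (P, B_P) = (p, 0)
    Y = (b << W) + 1          # (Q, B_Q) = (b, 1)
    while upper(Y):
        while upper(Z) >= upper(Y):
            s = upper(Z).bit_length() - upper(Y).bit_length()
            if (upper(Y) << s) > upper(Z):
                s -= 1
            Z -= Y << s       # remainder AND coefficient in one step
        Z, Y = Y, Z           # registers switch roles
    if upper(Z) != 1:
        raise ValueError("b is not invertible modulo p")
    return lower(Z) % p


def cross_check(b: int, p: int) -> bool:
    """Both variants must agree with Python's built-in modular inverse."""
    expected = pow(b, -1, p)
    return inverse_two_pairs(b, p) == expected == inverse_packed_register(b, p)


if __name__ == "__main__":
    for b in (1, 2, 3, 0x1234567, P256 - 1):
        print(hex(b), cross_check(b, P256))
```

Run the file directly to see the cross-check over a few 256-bit inputs. In the packed variant only `Z -= Y << s` touches the registers, which is the single shift-and-subtract the text describes; `upper()` is the correction for the borrow the text calls the "bit borrow", and the x0 separating bits are what keep that borrow from corrupting the value field beyond one unit.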
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- General Engineering & Computer Science (AREA)
- Complex Calculations (AREA)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU37218/01A AU3721801A (en) | 2000-01-16 | 2001-01-16 | Method and device for carrying out an inversion, especially during encoding by means of elliptic curves |
DE10190100T DE10190100D2 (de) | 2000-01-16 | 2001-01-16 | Method and devices for carrying out an inversion, especially in encryption by means of elliptic curves |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10002901.9 | 2000-01-16 | ||
DE10002901 | 2000-01-16 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2001052051A2 (fr) | 2001-07-19 |
WO2001052051A3 WO2001052051A3 (fr) | 2001-10-25 |
Family
ID=7628537
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE2001/000161 WO2001052051A2 (fr) | 2000-01-16 | 2001-01-16 | Method and device for carrying out an inversion, especially during encryption by means of elliptic curves |
Country Status (3)
Country | Link |
---|---|
AU (1) | AU3721801A (fr) |
DE (2) | DE10190100D2 (fr) |
WO (1) | WO2001052051A2 (fr) |
2001
- 2001-01-16: WO PCT/DE2001/000161 (WO2001052051A2): application filing, active
- 2001-01-16: AU AU37218/01A (AU3721801A): abandoned
- 2001-01-16: DE DE10190100T (DE10190100D2): expired, fee related
- 2001-01-16: DE DE10101884A (DE10101884A1): withdrawn
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999004332A1 (fr) * | 1997-07-14 | 1999-01-28 | Cipherit Ltd. | Calculation of composite-field multiplicative inverses for elliptic curve cryptography |
Non-Patent Citations (3)
Title |
---|
BRUCE SCHNEIER: "Applied Cryptography", 1996, JOHN WILEY & SONS, INC., UNITED STATES, XP002168658, pages 246-248 * |
DONALD E. KNUTH: "The Art of Computer Programming", 1998, ADDISON WESLEY, UNITED STATES, XP002168657, pages 342-343 * |
SEDLAK H ET AL: "EIN PUBLIC-KEY-CODE KRYPTOGRAPHIC-PROZESSOR" (A PUBLIC KEY CODE CRYPTOGRAPHY PROCESSOR), INFORMATIONSTECHNIK IT, DE, OLDENBOURG VERLAG, MUNCHEN, vol. 28, no. 3, 1986, pages 157-161, XP000615686 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9047167B2 (en) | 2002-05-06 | 2015-06-02 | Giesecke & Devrient Gmbh | Calculating the modular inverses of a value |
US8913739B2 (en) | 2005-10-18 | 2014-12-16 | Telecom Italia S.P.A. | Method for scalar multiplication in elliptic curve groups over prime fields for side-channel attack resistant cryptosystems |
WO2007048430A1 (fr) * | 2005-10-28 | 2007-05-03 | Telecom Italia S.P.A. | Method for scalar multiplication in elliptic curve groups over binary polynomial fields for side-channel attack-resistant cryptosystems |
US8243920B2 (en) | 2005-10-28 | 2012-08-14 | Telecom Italia S.P.A. | Method for scalar multiplication in elliptic curve groups over binary polynomial fields for side-channel attack-resistant cryptosystems |
Also Published As
Publication number | Publication date |
---|---|
DE10101884A1 (de) | 2001-10-25 |
WO2001052051A3 (fr) | 2001-10-25 |
AU3721801A (en) | 2001-07-24 |
DE10190100D2 (de) | 2002-06-06 |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
AK | Designated states | Kind code of ref document: A3. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
AL | Designated countries for regional patents | Kind code of ref document: A3. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
122 | Ep: pct application non-entry in european phase | |
NENP | Non-entry into the national phase | Ref country code: JP |