WO2004111831A2 - Procédé de contre-mesure par masquage de l'accumulateur (Countermeasure method by masking the accumulator) - Google Patents
Countermeasure method by masking the accumulator
- Publication number: WO2004111831A2 (PCT application PCT/EP2004/051144, EP designation EP2004051144W)
- Authority: WO (WIPO, PCT)
- Prior art keywords: replace, accumulator, representation, integer, countermeasure method
Classifications
- G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
    - G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
      - G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
        - G06F7/723—Modular exponentiation
        - G06F7/724—Finite field arithmetic
          - G06F7/725—Finite field arithmetic over elliptic curves
  - G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    - G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
      - G06F2207/7219—Countermeasures against side channel or fault attacks
        - G06F2207/7223—Randomisation as countermeasure against side channel attacks
          - G06F2207/7228—Random curve mapping, e.g. mapping to an isomorphous or projective curve
          - G06F2207/7233—Masking, e.g. (A**e)+r mod n
            - G06F2207/7247—Modulo masking, e.g. A**e mod (n*r)
      - G06F2207/7276—Additional details of aspects covered by group G06F7/723
        - G06F2207/7285—Additional details of aspects covered by group G06F7/723 using the window method, i.e. left-to-right k-ary exponentiation
Definitions
- The present invention relates to a countermeasure method in an electronic component implementing a public-key cryptographic algorithm.
- The drawback of a secret-key encryption system is that the key K must be communicated beforehand between the two parties over a secure channel, before any encrypted message is sent over the insecure channel.
- A "secure channel" is a channel on which it is impossible to learn or modify the information passing through it. Such a channel can be realised by a cable connecting two terminals owned by the two parties.
- Public-key cryptography solves the problem of distributing keys over an insecure channel. It rests on the difficulty of solving certain problems believed to be computationally infeasible.
- The problem considered by Diffie and Hellman is the discrete logarithm in the multiplicative group of a finite field. Recall that the number of elements of a finite field is always of the form q^n, where q is a prime called the characteristic of the field and n is an integer.
- A finite field with q^n elements is written GF(q^n).
- When n = 1 the finite field is said to be prime.
- A field carries two groups: a multiplicative group and an additive group.
- In the multiplicative group the neutral element is written 1 and the group law is written multiplicatively with the symbol "." and is called multiplication.
- For an element g and integers a and b, powers compose as (g^a)^b = g^(ab).
- Any elliptic curve over a field can be expressed in this form.
- The set of points (x, y) together with the point at infinity forms an abelian group, whose neutral element is the point at infinity and whose group operation is point addition, written + and given by the well-known chord-and-tangent rule (see for example "Elliptic Curve Public Key Cryptosystems" by Alfred Menezes, Kluwer, 1993).
- The pair (x, y), where the abscissa x and the ordinate y are elements of the field GF(q^n), forms the affine coordinates of a point P of the elliptic curve.
- The Jacobian representation of a point is not unique: the triple (X, Y, Z) and the triple (λ^2.X, λ^3.Y, λ.Z) represent the same point for any non-zero element λ of the finite field over which the elliptic curve is defined.
- The homogeneous representation of a point is not unique: the triple (X, Y, Z) and the triple (λ.X, λ.Y, λ.Z) represent the same point for any non-zero element λ of the finite field over which the elliptic curve is defined.
- In additive notation, exponentiation is also called scalar multiplication.
- A feature common to most cryptographic algorithms based on the discrete logarithm problem in a group G is that they take as a parameter an element g of that group.
- The private key is an integer d chosen at random.
- The value corresponding to m is the pair (h, c).
- The left-to-right binary exponentiation algorithm takes as input an element g of a group G and an exponent d.
- The left-to-right binary exponentiation algorithm proceeds in three steps.
- The left-to-right k-ary exponentiation algorithm can be adapted to take as input a signed representation of the exponent d.
- The exponent d is then given by the representation (d(t), d(t-1), ..., d(0)), in which each digit d(i) is an integer between -(2^k - 1) and 2^k - 1 for an integer k ≥ 1, d(t) being the most significant digit and d(0) the least significant digit.
- This adaptation is particularly interesting when the inverse of the elements g_i, written (g_i)^(-1), is easy or cheap to compute. This is the case, for example, in the group G of points of an elliptic curve. When the inverse of the elements g_i is not easy or is too costly to compute, its value is precomputed.
- Multiplying the accumulator A by g in the group G can be substantially faster than multiplying two arbitrary elements of G.
- This is the case, for example, when the group G is the multiplicative group of the prime field GF(q) and g (respectively one of its powers) is represented as a single-precision integer.
- Likewise, adding the point P to the accumulator A can be substantially faster than adding two arbitrary points of an elliptic curve.
- A DPA-type attack therefore yields additional information about the intermediate data manipulated by the microprocessor of the electronic component while it executes a cryptographic algorithm. In some cases this additional information reveals the private parameters of the cryptographic algorithm, making the cryptosystem vulnerable.
- One countermeasure consists in masking the point P of the group of points of an elliptic curve defined over the field GF(q^n) by using randomly chosen projective coordinates for this point:
- λ a non-zero random number
- P = (λ^2.x, λ^3.y, λ) in Jacobian representation
- P = (λ.x, λ.y, λ) in homogeneous representation.
- Another countermeasure known to those skilled in the art for masking an element g of the multiplicative group G of a finite field GF(q^n) consists in representing this element, at random, in an extension of GF(q^n).
- Let R = GF(q)[X]/(p.k) be the ring obtained by quotienting the polynomial ring GF(q)[X] by the product of the polynomials p and k, with k given.
- A random polynomial ρ(X) is then drawn in the ring GF(q)[X]/(k) and the element g is represented by g* = g + ρ.p.
- An object of the present invention is a countermeasure method, in particular against DPA-type attacks.
- Another object of the invention is a countermeasure method that is easy to implement.
- The idea underlying the invention is to randomise the accumulator A of the left-to-right exponentiation algorithm used. This masking can be done at the start of the algorithm, or also, deterministically or probabilistically, during its execution.
- The process applies in the same way when the group G is written additively.
- The accumulator of the exponentiation algorithm is randomly masked.
- In step 3c the multiplication is performed with the integer g represented in single precision.
- The masking of the accumulator A in step 3a is performed only at the start of the exponentiation.
- The following countermeasure method is thus obtained:
- In step 3b the multiplication is performed with the integer g represented in single precision.
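The following Python is an added illustration of the multiplicative-group case, not code from the patent. It runs a left-to-right binary exponentiation g^d mod q whose accumulator is masked by adding a random multiple of q and carried in Z/(q·k), the integer analogue of the extension-ring masking g* = g + ρ.p recalled above: reducing mod q at the end recovers g^d mod q because q divides q·k. The base g stays a small single-precision integer, so the multiply in the "1" branch is multi-precision × single-precision. The mask form, the parameter k and the option of re-masking at every iteration are assumptions made for this example; the page only states that the accumulator is masked randomly.

```python
"""Left-to-right binary exponentiation with a randomly masked accumulator.

Added example, not the patent's own text. The accumulator A is replaced by
A + rho*q and all arithmetic is carried in Z/(q*k); reducing mod q at the end
recovers g^d mod q because q divides q*k. The parameter k and the re-masking
option are assumptions made for this illustration.
"""
import secrets


def mask_accumulator(acc, q, k):
    """Replace acc by acc + rho*q for a random rho in [0, k): same residue mod q,
    but a different integer on the bus and in the multiplier on every run."""
    rho = secrets.randbelow(k)
    return (acc + rho * q) % (q * k)


def masked_modexp(g, d, q, k=2**32, remask_each_step=False, trace=None):
    """Compute g^d mod q, scanning the bits of d from the most significant one.

    g is kept as a small (single-precision) integer, so the multiply in the
    '1' branch is multi-precision x single-precision; only the squaring is a
    full multi-precision product. If `trace` is a list, every intermediate
    accumulator value is appended to it (the data a DPA attacker correlates on).
    """
    if not 0 < g < q:
        raise ValueError("g must be a reduced, non-zero element of GF(q)")
    if d == 0:
        return 1
    n = q * k
    acc = mask_accumulator(g, q, k)            # mask once at the start (A <- g)
    for bit in bin(d)[3:]:                     # remaining bits of d, MSB to LSB
        acc = acc * acc % n                    # square
        if bit == "1":
            acc = acc * g % n                  # multiply by single-precision g
        if remask_each_step:                   # optional probabilistic re-masking
            acc = mask_accumulator(acc, q, k)
        if trace is not None:
            trace.append(acc)
    return acc % q                             # unmask: drop the multiple of q


def traces_differ(g, d, q, remask_each_step=False):
    """Run the same exponentiation twice and report whether the intermediate
    values handled by the hardware differed even though both results are right."""
    t1, t2 = [], []
    r1 = masked_modexp(g, d, q, remask_each_step=remask_each_step, trace=t1)
    r2 = masked_modexp(g, d, q, remask_each_step=remask_each_step, trace=t2)
    return r1 == r2 == pow(g, d, q) and t1 != t2


if __name__ == "__main__":
    Q = 2**61 - 1                              # a Mersenne prime, standing in for a real field order
    print(masked_modexp(3, 123456789, Q) == pow(3, 123456789, Q))
    print(traces_differ(3, 123456789, Q, remask_each_step=True))
```

Masking only at the start fixes the same random offset for the whole run; re-masking at each step changes it per iteration, which is what the page means by masking "probabilistically during the execution". Either way the result reduced mod q is unchanged.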
- Another interesting application of the invention concerns exponentiation in the group G of points of an elliptic curve defined over a finite field GF(q^n).
- In this additively written group G, inverting a point P, written -P, is an inexpensive operation, so it is worthwhile replacing the left-to-right binary exponentiation algorithm by its signed version, as explained in the article by François Morain and Jorge Olivos (Theoretical Informatics and Applications, volume 24, pages 531-543, 1990).
- The accumulator of the exponentiation algorithm is a triple of values in GF(q^n) and is masked randomly.
- The masking of the accumulator A in step 2a is performed only at the start of the exponentiation.
- This gives the following countermeasure method: 1) Draw a non-zero random element λ in GF(q^n) and initialise the accumulator A = (A_x, A_y, A_z) with the triple (λ^2.x, λ^3.y, λ)
- The countermeasure method according to the invention applies to any left-to-right exponentiation algorithm in a group G, written multiplicatively or additively.
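As an added worked example (not the patent's own code), the Python below implements the elliptic-curve application over a small constructed curve: the accumulator starts as the randomised Jacobian triple (λ^2.x, λ^3.y, λ) of step 1 and is then driven by a left-to-right scan of the scalar, either plain binary or signed-binary (non-adjacent form), using mixed Jacobian-affine additions so that P itself stays affine and -P costs one negation. The toy curve y^2 = x^3 + 2x + 3 over GF(97), the NAF recoding and the choice to re-mask whenever the accumulator passes through the point at infinity are assumptions of this example; the page gives only step 1 of its procedure. The unmasked affine double-and-add is included solely as a reference for checking the result.

```python
"""Scalar multiplication with the accumulator masked in random Jacobian coordinates.

Added example, not the patent's text. Curve, base point, NAF recoding and the
re-masking at infinity are constructed for illustration only.
"""
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97); G = (3, 6) is on it (27 + 6 + 3 = 36 = 6^2).
P_MOD, A_COEF, B_COEF = 97, 2, 3
G = (3, 6)
INF = None                    # affine point at infinity
JAC_INF = (1, 1, 0)           # any triple with Z = 0 is the point at infinity in Jacobian form


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def affine_add(p1, p2):
    """Reference chord-and-tangent addition, unmasked; used only to check results."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def affine_mul(d, pt):
    acc = INF
    for bit in bin(d)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, pt)
    return acc


def mask(pt):
    """Step 1 of the countermeasure: (x, y) -> (l^2.x, l^3.y, l) for a fresh non-zero l."""
    lam = 1 + secrets.randbelow(P_MOD - 1)
    x, y = pt
    return (lam * lam * x % P_MOD, pow(lam, 3, P_MOD) * y % P_MOD, lam)


def jac_double(A):
    X1, Y1, Z1 = A
    if Z1 == 0 or Y1 == 0:
        return JAC_INF
    S = 4 * X1 * Y1 * Y1 % P_MOD
    M = (3 * X1 * X1 + A_COEF * pow(Z1, 4, P_MOD)) % P_MOD
    X3 = (M * M - 2 * S) % P_MOD
    Y3 = (M * (S - X3) - 8 * pow(Y1, 4, P_MOD)) % P_MOD
    return (X3, Y3, 2 * Y1 * Z1 % P_MOD)


def jac_add_affine(A, pt):
    """Mixed addition A + pt with pt kept affine: cheaper than adding two Jacobian points."""
    X1, Y1, Z1 = A
    if Z1 == 0:
        return mask(pt)                       # accumulator was infinity: restart it under a fresh mask
    x2, y2 = pt
    U2 = x2 * Z1 * Z1 % P_MOD
    S2 = y2 * pow(Z1, 3, P_MOD) % P_MOD
    if U2 == X1:
        return jac_double(A) if S2 == Y1 else JAC_INF
    H, R = (U2 - X1) % P_MOD, (S2 - Y1) % P_MOD
    H2 = H * H % P_MOD
    H3 = H2 * H % P_MOD
    X3 = (R * R - H3 - 2 * X1 * H2) % P_MOD
    Y3 = (R * (X1 * H2 - X3) - Y1 * H3) % P_MOD
    return (X3, Y3, Z1 * H % P_MOD)


def to_affine(A):
    X, Y, Z = A
    if Z == 0:
        return INF
    zi = pow(Z, -1, P_MOD)
    return (X * zi * zi % P_MOD, Y * pow(zi, 3, P_MOD) % P_MOD)


def naf(d):
    """Signed-binary (non-adjacent form) digits of d > 0, most significant first; leading digit is 1."""
    digits = []
    while d > 0:
        z = 2 - (d % 4) if d & 1 else 0       # 1, -1 or 0
        d = (d - z) >> 1
        digits.append(z)
    return digits[::-1]


def masked_scalar_mul(d, pt, signed=False):
    """Left-to-right scalar multiplication d*pt with the accumulator masked at the start."""
    if d == 0 or pt is INF:
        return INF
    digits = naf(d) if signed else [int(b) for b in bin(d)[2:]]
    neg = (pt[0], -pt[1] % P_MOD)             # -P is free in the additive group
    A = mask(pt)                              # leading digit is 1: A starts as a randomised copy of P
    for z in digits[1:]:
        A = jac_double(A)
        if z == 1:
            A = jac_add_affine(A, pt)
        elif z == -1:
            A = jac_add_affine(A, neg)
    return to_affine(A)
```

Calling `masked_scalar_mul(123, G)` twice gives the same affine result while every intermediate (X, Y, Z) triple differs between the two runs, which is the property the countermeasure relies on; the signed version touches the same accumulator but performs fewer additions for scalars with long runs of ones.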
Landscapes
- Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Computational Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- General Engineering & Computer Science (AREA)
- Complex Calculations (AREA)
- Storage Device Security (AREA)
Priority Applications (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US10/561,234 (US20060282491A1, en) | 2003-06-18 | 2004-06-17 | Method for countermeasuring by masking the accumulators in an electronic component while using a public key cryptographic algorithm |
| EP04766054A (EP1639451A2, fr) | 2003-06-18 | 2004-06-17 | Countermeasure method by masking the accumulator |

Applications Claiming Priority (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| FR03/07379 | 2003-06-18 | | |
| FR0307379A (FR2856537B1, fr) | 2003-06-18 | 2003-06-18 | Countermeasure method by masking the accumulator in an electronic component implementing a public-key cryptographic algorithm |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| WO2004111831A2 (fr) | 2004-12-23 |
| WO2004111831A3 (fr) | 2005-12-22 |

Family ID: 33484551

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2004/051144 (WO2004111831A2, fr) | Countermeasure method by masking the accumulator | 2003-06-18 | 2004-06-17 |
Country Status (4)

| Country | Link |
|---|---|
| US (1) | US20060282491A1 (fr) |
| EP (1) | EP1639451A2 (fr) |
| FR (1) | FR2856537B1 (fr) |
| WO (1) | WO2004111831A2 (fr) |
Families Citing this family (4)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR101527867B1 (ko) * | 2007-07-11 | 2015-06-10 | 삼성전자주식회사 | Method for countering side-channel attacks on elliptic curve cryptosystems |
| EP2169535A1 (fr) * | 2008-09-22 | 2010-03-31 | Thomson Licensing | Method, apparatus and computer program medium for regular recoding of a positive integer |
| EP2535804A1 (fr) * | 2011-06-17 | 2012-12-19 | Thomson Licensing | Fault-resistant exponentiation algorithm |
| DE102017002153A1 (de) * | 2017-03-06 | 2018-09-06 | Giesecke+Devrient Mobile Security Gmbh | Transition from Boolean masking to arithmetic masking |
Family Cites Families (2)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2784831B1 (fr) * | 1998-10-16 | 2000-12-15 | Gemplus Card Int | Countermeasure method in an electronic component implementing a secret-key cryptographic algorithm |
| CA2369540C (fr) * | 2001-12-31 | 2013-10-01 | Certicom Corp. | Method and apparatus for computing a shared secret key |

- 2003
  - 2003-06-18: FR application FR0307379A filed (patent FR2856537B1, fr); not active: expired, fee related
- 2004
  - 2004-06-17: US application US10/561,234 filed (patent US20060282491A1, en); not active: abandoned
  - 2004-06-17: WO application PCT/EP2004/051144 filed (patent WO2004111831A2, fr); not active: application discontinued
  - 2004-06-17: EP application EP04766054A filed (patent EP1639451A2, fr); not active: withdrawn
Patent Citations (3)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030079139A1 (en) * | 1999-12-28 | 2003-04-24 | Hermann Drexler | Portable data carrier provided with access protection by rendering messages unfamiliar |
| WO2002088934A1 (fr) * | 2001-04-30 | 2002-11-07 | Stmicroelectronics S.A. | Scrambling of a computation implementing a modular function |
| EP1296224A1 (fr) * | 2001-09-20 | 2003-03-26 | Hitachi, Ltd. | Elliptic scalar multiplication system |

Non-Patent Citations (2)

| Title |
|---|
| LIARDET P-Y et al., "Preventing SPA/DPA in ECC systems using the Jacobi form", Cryptographic Hardware and Embedded Systems, 3rd International Workshop, CHES 2001, Paris, France, 14-16 May 2001, Proceedings, Lecture Notes in Computer Science vol. 2162, Springer, Berlin, pp. 391-401, XP001061177, ISBN 3-540-42521-7 * |
| TRICHINA E et al., "Implementation of elliptic curve cryptography with built-in counter measures against side channel attacks", Cryptographic Hardware and Embedded Systems, CHES 2002, 4th International Workshop, Revised Papers, Redwood Shores, CA, USA, 13-15 August 2002, Springer, Berlin, pp. 98-113, XP001160524 * |

* Cited by examiner

Cited By (6)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7809133B2 (en) | 2003-11-18 | 2010-10-05 | Atmel Rousset S.A.S. | Randomized modular reduction method and hardware therefor |
| EP1889398A2 (fr) * | 2005-05-12 | 2008-02-20 | Atmel Corporation | Randomized modular polynomial reduction method and hardware therefor |
| EP1889398A4 (fr) * | 2005-05-12 | 2008-06-25 | Atmel Corp | Randomized modular polynomial reduction method and hardware therefor |
| US7805480B2 (en) | 2005-05-12 | 2010-09-28 | Atmel Rousset S.A.S. | Randomized modular polynomial reduction method and hardware therefor |
| FR2897963A1 (fr) * | 2006-02-28 | 2007-08-31 | Atmel Corp | Method for fast quotient guess and congruence manipulation |
| US7788311B2 (en) | 2006-02-28 | 2010-08-31 | Atmel Rousset S.A.S. | Method for fast quotient guess and congruencies manipulation |

Also Published As

| Publication number | Publication date |
|---|---|
| US20060282491A1 (en) | 2006-12-14 |
| EP1639451A2 (fr) | 2006-03-29 |
| FR2856537A1 (fr) | 2004-12-24 |
| WO2004111831A3 (fr) | 2005-12-22 |
| FR2856537B1 (fr) | 2005-11-04 |
Similar Documents

| Publication | Title |
|---|---|
| EP1166494B1 (fr) | Countermeasure methods in an electronic component implementing an elliptic-curve public-key cryptographic algorithm |
| EP2946284B1 (fr) | Cryptographic method comprising a scalar multiplication or exponentiation operation |
| Liardet et al. | Preventing SPA/DPA in ECC systems using the Jacobi form |
| EP1381936B1 (fr) | Countermeasure method in an electronic component implementing a public-key cryptographic algorithm on an elliptic curve |
| EP1969459A1 (fr) | Cryptographic method comprising a modular exponentiation secured against hidden-channel attacks, cryptoprocessor for implementing the method and associated smart card |
| EP2162820A1 (fr) | Montgomery modular exponentiation secured against hidden-channel attacks |
| FR2809893A1 (fr) | Countermeasure method in an electronic component implementing a public-key cryptographic algorithm on an elliptic curve |
| WO2000059157A1 (fr) | Countermeasure method in an electronic component implementing an elliptic-curve public-key cryptographic algorithm |
| EP1804161B1 (fr) | Detection of a disturbance in a cryptographic computation |
| EP1639451A2 (fr) | Countermeasure method by masking the accumulator |
| EP1804160B1 (fr) | Protection of a cryptographic computation performed by an integrated circuit |
| EP1639450A1 (fr) | Countermeasure method in an electronic component |
| WO2002001343A1 (fr) | Countermeasure methods in an electronic component implementing a Koblitz elliptic-curve public-key cryptographic algorithm |
| EP4024753B1 (fr) | Method and electronic module for computing a cryptographic quantity with carry-less multiplications, method and electronic device for processing data, and associated computer programs |
| EP1222528B1 (fr) | Method for improving the performance of the multiplication operation over a finite field of characteristic 2 |
| EP1695204A2 (fr) | Modular exponentiation method protected against DPA-type attacks |
| EP3929726A1 (fr) | Cryptographic processing method, associated electronic device and computer program |
| FR2854997A1 (fr) | Countermeasure method in an electronic component implementing a public-key cryptographic algorithm on an elliptic curve defined over a field of characteristic two |
| EP3716044A1 (fr) | Protection of an iterative computation |
| FR3010562A1 (fr) | Data processing method and associated device |
| WO2002050658A1 (fr) | Countermeasure methods in an electronic component implementing an RSA public-key cryptographic algorithm |
| WO2002093411A1 (fr) | Device for performing exponentiation computations applied to points of an elliptic curve |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | WWE | Wipo information: entry into national phase | Ref document number: 2004766054; country of ref document: EP |
| | WWP | Wipo information: published in national office | Ref document number: 2004766054; country of ref document: EP |
| | WWE | Wipo information: entry into national phase | Ref document number: 2006282491; country of ref document: US. Ref document number: 10561234; country of ref document: US |
| | WWP | Wipo information: published in national office | Ref document number: 10561234; country of ref document: US |
| | WWW | Wipo information: withdrawn in national office | Ref document number: 2004766054; country of ref document: EP |