WO2004111833A1 - Procede de contre-mesure dans un composant electronique - Google Patents
Procede de contre-mesure dans un composant electronique (Method for countermeasuring in an electronic component)
- Publication number
- WO2004111833A1 (application PCT/EP2004/051142, also cited as EP2004051142W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- replace
- group
- exponentiation
- integers
- randomly
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/724—Finite field arithmetic
- G06F7/725—Finite field arithmetic over elliptic curves
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/3013—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/04—Masking or blinding
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
Definitions
- the present invention relates to a countermeasure method in an electronic component implementing a public key encryption algorithm.
- K: secret encryption key
- the encryption function and the decryption function use the same key K.
- the drawback of a secret key encryption system is that it requires the prior communication of the key K between the two persons over a secure channel, before any encrypted message can be sent over the unsecured channel.
- a secure channel is understood to mean a channel for which it is impossible to learn or modify the information passing through it. Such a secure channel can be realized by a cable connecting two terminals owned by the two persons in question.
- the concept of public key cryptography was invented by Whitfield Diffie and Martin Hellman in 1976
- Public key cryptography solves the problem of distributing keys across an insecure channel.
- the principle of public key cryptography is to use a key pair, a public encryption key and a private decryption key. It must be computationally infeasible to find the private decryption key from the public encryption key.
- a person A wishing to communicate information to a person B uses the public encryption key of person B. Only person B has the private key associated with his public key. Only person B is therefore capable of deciphering the message addressed to him.
- the hard computational problem considered by Diffie and Hellman is solving the discrete logarithm in the multiplicative group of a finite field. Recall that in a finite field the number of elements is always of the form q^n, where q is a prime number called the characteristic of the field and n is an integer. A finite field with q^n elements is denoted GF(q^n). When the integer n is equal to 1, the finite field is said to be prime.
- a field has two groups: a multiplicative group and an additive group. In the multiplicative group, the neutral element is denoted 1 and the group law is written multiplicatively with the symbol "." and is called multiplication.
- Lagrange's theorem: the order of an element always divides the order of its group.
- Another advantage of public key cryptography over secret key cryptography is that public key cryptography allows authentication by the use of electronic signature.
- the first public key encryption scheme was developed in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman (Communications of the ACM, volume 21, number 2, pages 120-126, 1978), who invented the RSA encryption system.
- the security of RSA is based on the difficulty of factoring a large number which is the product of two prime numbers.
- the RSA encryption system is constructed in the multiplicative group G of the ring Z/(nZ), obtained as the quotient of the ring of integers Z by nZ, where n is a large integer which is the product of two prime numbers p and q.
- Merkle-Hellman knapsack: this encryption system is based on the difficulty of the subset sum problem.
- McEliece: this encryption system is based on the theory of algebraic codes; it relies on the problem of decoding linear codes.
- El Gamal: this encryption system is based on the difficulty of the discrete logarithm in a finite field.
- the elliptic curve encryption system constitutes a modification of existing cryptographic systems to apply them to the domain of elliptic curves.
- any elliptic curve defined over a field can be expressed in this form.
- the set of points (x, y) and the point at infinity form an abelian group, in which the point at infinity is the neutral element and in which the group operation is the addition of points, denoted + and given by the well-known rule of the secant and the tangent (see for example “Elliptic Curve Public Key Cryptosystems” by Alfred Menezes, Kluwer, 1993).
- the exponentiation is also called scalar multiplication.
- a feature common to most cryptographic algorithms built on a group G is that they take as a parameter an element g belonging to this group.
- the private key is an integer d chosen randomly.
- an encryption algorithm based on the discrete logarithm problem in a group G, written multiplicatively. This scheme is analogous to the El Gamal encryption scheme. Let G be a group and g an element of G.
- a message m is encrypted as follows:
- the ciphertext corresponding to m is the pair (h, c).
- the simplest and most used algorithm is the left-right binary exponentiation algorithm.
- the left-right binary exponentiation algorithm takes as input an element g from a group G and an exponent d.
- the left-right binary exponentiation algorithm has the following 3 steps:
- each digit d(i) of the representation of d is an integer between 0 and 2^k - 1 for an integer k > 1, with d(t) the most significant digit and d(0) the least significant digit.
- the left-right k-ary exponentiation algorithm can be adapted to take as input a signed representation of the exponent d.
- the exponent d is given by the signed k-ary representation (d(t), d(t-1), ..., d(0)) in which each digit d(i) is an integer between -(2^k - 1) and 2^k - 1 for an integer k > 1, with d(t) the most significant digit and d(0) the least significant digit.
- step 3b of the previous algorithm is then replaced by: 3b') if d(i) is strictly positive, replace A with A.g_i; and if d(i) is strictly negative, replace A with A.(g_i)^(-1).
- this adaptation is particularly interesting when the inverse of the elements g_i, denoted (g_i)^(-1), is easy or inexpensive to compute. This is for example the case in the group G of the points of an elliptic curve. When the inverse of the elements g_i is not easy or is too costly to compute, their values are precomputed.
- (… . h^e) in group G and includes the following 4 steps:
- multiplicative notation: in other words, the group law of group G is denoted "." (multiplication).
- additive notation: the group law of group G is denoted + (addition). This is for example the case of the group of points of an elliptic curve, which is most often written additively.
- the DPA type attack therefore makes it possible to obtain additional information on the intermediate data manipulated by the microprocessor of the electronic component when executing a cryptographic algorithm. This additional information can in certain cases make it possible to reveal the private parameters of the cryptographic algorithm, making the cryptographic system vulnerable.
- a variant of this countermeasure consists in replacing d by d + r.q, where r is a random integer and q is a multiple of the order of the element g in the group G; by Lagrange's theorem, a common choice for this multiple is the order of the group G.
- a variant consists in drawing a random integer r and writing d in the form with d2 equal to the quotient (rounded down) of the integer division of d by r and d1 equal to the remainder of that division.
- An object of the present invention is a countermeasure method, in particular with respect to attacks of the DPA type.
- Another object of the invention is a countermeasure method which is easy to implement.
- this method masks the exponent d and requires at most three multiplications in G per iteration of step 2). This number of multiplications in G is reduced to two when the product of g and h is precomputed.
- the following countermeasure method is thus obtained:
- another interesting application of the invention concerns exponentiation in the group G of the points of an elliptic curve defined over a finite field GF(q^n).
- in this group G, written additively, the inversion of a point P, denoted -P, is an inexpensive operation, so it is interesting to represent the exponents in signed form.
- a countermeasure method according to the invention applied to the group of points of an elliptic curve over a finite field GF(q^n) can be written as follows:
- the countermeasure method applies to any double exponentiation algorithm in a group G, written multiplicatively or additively.
- another preferred embodiment for expressing the exponent d randomly in the form d = d2.s + d1, where d1, d2 and s are integers, in step 1a of the countermeasure methods above is to choose a random integer d1, set s to the value 1 and take d2 equal to the difference of d and d1.
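The countermeasure the definitions above describe (write d randomly as d = d2.s + d1, compute h = g^s, then obtain g^d as the double exponentiation h^d2 . g^d1 with the product of the two bases precomputed), together with the prior-art d + r.q blinding variant the page mentions, worked through in Python as an added example. This is not code from the patent or from any implementation of it; the function names, the toy prime modulus 2^127 - 1 standing in for the group (Z/pZ)*, the 32-bit size of the random s and r, and the choice to draw d1 in [0, d] in the additive variant are all assumptions made for this example. The plain left-to-right binary exponentiation is included only as the unprotected baseline:

```python
import secrets


def left_right_binary_exp(g, d, n):
    """Unprotected baseline: left-to-right binary exponentiation of g^d mod n.
    Each iteration squares, then multiplies by g exactly when the current bit
    of d is 1; that data-dependent multiply is what DPA-style attacks target."""
    A = 1
    for i in range(d.bit_length() - 1, -1, -1):
        A = (A * A) % n
        if (d >> i) & 1:
            A = (A * g) % n
    return A


def double_exp(g, e, h, f, n):
    """Simultaneous left-to-right double exponentiation: returns g^e * h^f mod n.
    The product g*h is precomputed once, so every iteration costs one squaring
    plus at most one further multiplication (the "two multiplications per
    iteration" figure quoted in the definitions above)."""
    table = {(1, 0): g % n, (0, 1): h % n, (1, 1): (g * h) % n}
    t = max(e.bit_length(), f.bit_length())
    A = 1
    for i in range(t - 1, -1, -1):
        A = (A * A) % n
        bits = ((e >> i) & 1, (f >> i) & 1)
        if bits != (0, 0):
            A = (A * table[bits]) % n
    return A


def split_by_division(d, s_bits=32):
    """Step 1a, division variant: draw a random s and write d = d2*s + d1 with
    d2 the quotient and d1 the remainder of the integer division of d by s.
    (A 32-bit s is an assumption for this example, not a value from the page.)"""
    s = secrets.randbits(s_bits) | (1 << (s_bits - 1))  # top bit set, so s != 0
    d2, d1 = divmod(d, s)
    return d2, s, d1


def split_additively(d):
    """Step 1a, additive variant: random d1, s = 1, d2 = d - d1.
    Assumption (not stated on the page): d1 is drawn in [0, d] so that d2 is
    never negative and no group inversion is needed."""
    d1 = secrets.randbelow(d + 1)
    return d - d1, 1, d1


def masked_exp(g, d, n, split=split_by_division):
    """The countermeasure: g^d = (g^s)^d2 * g^d1, evaluated as one double
    exponentiation.  The exponents actually scanned bit by bit (d2 and d1)
    change on every call, so repeated traces of the same d do not share a
    fixed bit pattern, while the result is always g^d."""
    d2, s, d1 = split(d)
    h = pow(g, s, n)  # h = g^s; with s = 1 this is just g
    return double_exp(h, d2, g, d1, n)


def blinded_exp(g, d, n, group_order, r_bits=32):
    """Prior-art variant quoted on the page: replace d by d + r*q, where q is a
    multiple of the order of g (here the order of the whole group), so that
    g^(d + r*q) = g^d.  The scanned exponent grows by the size of r."""
    r = secrets.randbits(r_bits)
    return left_right_binary_exp(g, d + r * group_order, n)


if __name__ == "__main__":
    # Constructed toy parameters: the prime p = 2^127 - 1, so the multiplicative
    # group (Z/pZ)* has order p - 1.  Not values taken from the patent.
    p = 2**127 - 1
    g, d = 3, 0x1F3A8C4E9B2D7056A1C3E5F7B9D0A2C4
    reference = pow(g, d, p)
    assert left_right_binary_exp(g, d, p) == reference
    for _ in range(10):
        assert masked_exp(g, d, p) == reference
        assert masked_exp(g, d, p, split=split_additively) == reference
        assert blinded_exp(g, d, p, p - 1) == reference
    print("every masked evaluation agrees with pow():", hex(reference))
```

Every call to masked_exp walks a fresh (d2, d1) pair, so the loop's bit pattern differs from run to run even though the result is always g^d. The comparison against Python's pow() at the bottom is the check a practitioner wants before trusting any exponent-masking scheme: a wrong split does not fail loudly, it silently returns a wrong signature or shared secret.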
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP04741817A EP1639450A1 (fr) | 2003-06-18 | 2004-06-17 | Procede de contre-mesure dans un composant electronique |
US10/561,276 US20070121935A1 (en) | 2003-06-18 | 2004-06-17 | Method for countermeasuring in an electronic component |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0307380 | 2003-06-18 | ||
FR0307380A FR2856538B1 (fr) | 2003-06-18 | 2003-06-18 | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme cryptographique du type a cle publique |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004111833A1 true WO2004111833A1 (fr) | 2004-12-23 |
Family
ID=33484552
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2004/051142 WO2004111833A1 (fr) | 2003-06-18 | 2004-06-17 | Procede de contre-mesure dans un composant electronique |
Country Status (4)
Country | Link |
---|---|
US (1) | US20070121935A1 (fr) |
EP (1) | EP1639450A1 (fr) |
FR (1) | FR2856538B1 (fr) |
WO (1) | WO2004111833A1 (fr) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1842128B1 (fr) * | 2005-01-18 | 2011-11-09 | Certicom Corp. | Verification acceleree de signatures numeriques et de cles publiques |
US7912886B2 (en) * | 2006-12-14 | 2011-03-22 | Intel Corporation | Configurable exponent FIFO |
EP2264939B1 (fr) * | 2008-03-31 | 2015-03-04 | Fujitsu Limited | Procédé de cryptage à fonction de contre-mesure contre les attaques par analyse de puissance |
EP2169535A1 (fr) * | 2008-09-22 | 2010-03-31 | Thomson Licensing | Procédé, appareil et support de programme informatique pour le recodage régulier d'un entier positif |
US9454494B2 (en) * | 2014-08-01 | 2016-09-27 | Honeywell International Inc. | Encrypting a communication from a device |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030061498A1 (en) * | 1999-12-28 | 2003-03-27 | Hermann Drexler | Portable data carrier provided with access protection by dividing up codes |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2784831B1 (fr) * | 1998-10-16 | 2000-12-15 | Gemplus Card Int | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle secrete |
US7599491B2 (en) * | 1999-01-11 | 2009-10-06 | Certicom Corp. | Method for strengthening the implementation of ECDSA against power analysis |
FR2810138B1 (fr) * | 2000-06-08 | 2005-02-11 | Bull Cp8 | Procede de stockage securise d'une donnee sensible dans une memoire d'un systeme embarque a puce electronique, notamment d'une carte a puce, et systeme embarque mettant en oeuvre le procede |
CA2369540C (fr) * | 2001-12-31 | 2013-10-01 | Certicom Corp. | Methode et appareil pour calculer une cle secrete partagee |
US7551737B2 (en) * | 2003-03-31 | 2009-06-23 | International Business Machines Corporation | Cryptographic keys using random numbers instead of random primes |
2003
- 2003-06-18 FR FR0307380A patent/FR2856538B1/fr not_active Expired - Fee Related
2004
- 2004-06-17 EP EP04741817A patent/EP1639450A1/fr not_active Withdrawn
- 2004-06-17 WO PCT/EP2004/051142 patent/WO2004111833A1/fr not_active Application Discontinuation
- 2004-06-17 US US10/561,276 patent/US20070121935A1/en not_active Abandoned
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030061498A1 (en) * | 1999-12-28 | 2003-03-27 | Hermann Drexler | Portable data carrier provided with access protection by dividing up codes |
Non-Patent Citations (3)
Title |
---|
HASAN M A: "POWER ANALYSIS ATTACKS AND ALGORITHMIC APPROACHES TO THEIR COUNTERMEASURES FOR KOBLITZ CURVE CRYPTOSYSTEMS", CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS - CHES 2000. SECOND INTERNATIONAL WORKSHOP. PROCEEDINGS, WORCESTER, MA, USA, 17-18 AUG. 2000. LNCS VOL. 1965, August 2000 (2000-08-01), pages 93 - 108, XP001027949 * |
J. SOLINAS: "Low-Weight Binary Representations for Pairs of Integers", 2001, CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH, UNIVERSITY OF WATERLOO, WATERLOO, ONTARIO, CA, XP002280821 * |
J-F DHEM: "Design of an efficient public-key cryptographic library for RISC-based smart cards", May 1998, THÈSE SOUTENUE EN VUE DE L'OBTENTION DU GRADE DE DOCTEUR EN SCIENCES APPLIQUÉES, UCL, FACULTÉ DES SCIENCES APPLIQUÉES , LOUVAIN-LA-NEUVE, BE, XP002280822 * |
Also Published As
Publication number | Publication date |
---|---|
FR2856538B1 (fr) | 2005-08-12 |
FR2856538A1 (fr) | 2004-12-24 |
EP1639450A1 (fr) | 2006-03-29 |
US20070121935A1 (en) | 2007-05-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1166494B1 (fr) | Procedes de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type courbe elliptique | |
EP2946284B1 (fr) | Procédé de cryptographie comprenant une opération de multiplication par un scalaire ou une exponentiation | |
EP1381936B1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme cryptographique du type a cle publique sur une courbe elliptique | |
EP1969459A1 (fr) | Procédé cryptographique comprenant une exponentiation modulaire sécurisée contre les attaques à canaux cachés, cryptoprocesseur pour la mise en oeuvre du procédé et carte à puce associée | |
EP2162820A1 (fr) | Mise a la puissance modulaire selon montgomery securisee contre les attaques a canaux caches | |
FR2809893A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique sur courbe elliptique | |
WO2000059157A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type courbe elliptique | |
FR2941798A1 (fr) | Appareil pour calculer un resultat d'une multiplication scalaire | |
WO2001080481A1 (fr) | Procede de cryptographie sur courbes elliptiques | |
EP1804161B1 (fr) | Détection de perturbation dans un calcul cryptographique | |
EP1804160B1 (fr) | Protection d'un calcul cryptographique effectué par un circuit intégré | |
EP1639451A2 (fr) | Procédé de contre-mesure par masquage de l'accumulateur | |
CA2257907A1 (fr) | Procede de cryptographie a cle publique | |
WO2004111833A1 (fr) | Procede de contre-mesure dans un composant electronique | |
WO2002028010A1 (fr) | Procede d'encodage de messages longs pour schemas de signature electronique a base de rsa | |
WO2002001343A1 (fr) | Procedes de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type courbe elliptique de koblitz | |
EP1222528B1 (fr) | Procede d'amelioration de performance de l'operation de multiplication sur un corps fini de caracteristique 2 | |
FR3010562A1 (fr) | Procede de traitement de donnees et dispositif associe | |
FR2843507A1 (fr) | Procede securise de realisation parallele d'une exponentiation modulaire, procede cryptographique et circuit de calcul associes | |
WO2002050658A1 (fr) | Procedes de contre-mesure dans un composant electronique mettant en ouvre un algorithme de cryptographie a cle publique de type rsa | |
FR2854997A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme cryptographique du type a cle publique sur une courbe elliptique definie sur un corps de caracteristique deux | |
WO2002093411A1 (fr) | Dispositif destine a realiser des calculs d'exponentiation appliques a des points d'une courbe elliptique | |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
WWE | Wipo information: entry into national phase | Ref document number: 2004741817. Country of ref document: EP |
WWP | Wipo information: published in national office | Ref document number: 2004741817. Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 2007121935. Country of ref document: US. Ref document number: 10561276. Country of ref document: US |
WWP | Wipo information: published in national office | Ref document number: 10561276. Country of ref document: US |
WWW | Wipo information: withdrawn in national office | Ref document number: 2004741817. Country of ref document: EP |