WO2005069122A2 - Procede cryptographique d'exponentiation modulaire protege contre les attaques de type dpa - Google Patents
Procede cryptographique d'exponentiation modulaire protege contre les attaques de type dpa Download PDFInfo
- Publication number
- WO2005069122A2 WO2005069122A2 PCT/EP2004/053472 EP2004053472W WO2005069122A2 WO 2005069122 A2 WO2005069122 A2 WO 2005069122A2 EP 2004053472 W EP2004053472 W EP 2004053472W WO 2005069122 A2 WO2005069122 A2 WO 2005069122A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- mod
- during
- bits
- long
- accumulator
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7276—Additional details of aspects covered by group G06F7/723
- G06F2207/7285—Additional details of aspects covered by group G06F7/723 using the window method, i.e. left-to-right k-ary exponentiation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/724—Finite field arithmetic
- G06F7/725—Finite field arithmetic over elliptic curves
Definitions
- the invention relates to a process during which a modular exponentiation of type x ⁇ d is carried out, with d an integer exponent of m + 1 bits, by scanning the bits of d from left to right in a loop indicated by i varying from m to 0 and by calculating and storing in an accumulator (RO), at each turn of rank i, a partial updated result equal to xb ⁇ i).
- Modular exponentiation is one of the elementary operations used in many cryptosystems, such as RSA (Rivest, Shamir and Adleman) or DH (Diffie and Hellman) cryptosystems.
- x is for example a message to be encrypted or deciphered, to be signed or to be authenticated
- d is for example a public key, a secret key, or a part of such a key.
- a single hidden channel (SPA) or differential (DPA) attack means an attack based on the measurement of a physical quantity from outside the device, including direct analysis (single SPA attack) or analysis according to a statistical method (DPA differential attack) makes it possible to discover information manipulated in the device.
- the bits of the exponent are scanned from the most significant bit to the least significant bit.
- the SAM Square And Multiply
- sliding window algorithms are particularly known.
- the left-to-right algorithms require less memory and allow the use of precalculated powers x A i to accelerate the calculation of y.
- R0 ⁇ - x means that the value of x is stored in the register R0.
- ROxRO means that the content of the register R0 is squared.
- R0 ⁇ R2 means that one realizes the product of the content of the register R0 by the content of the register R2.
- d ⁇ -> j refers to the bits of rank j to i of d.
- the first type of countermeasure consists in making the input data of the algorithm random.
- a first example of this first countermeasure consists in making the data x random before carrying out the modular exponentiation, by adding to x a random term and in making the calculations modulo 2 A k N, before a final modulo N: x ⁇ - x + rl.N, with ri a random number of k-bits and do the modulo (2 A k) .N calculations, before a final modulo N reduction.
- This first countermeasure described by P. Kocher, has the advantage of being independent of the exponentiation algorithm.
- a second example of this first countermeasure consists in making the exponent d random before carrying out the modular exponentiation, by adding a random term to it: d ⁇ - d + r2. ⁇ (N), r2 a random number of k -bits.
- the second countermeasure consists in making the exponentiation algorithm itself random.
- the best practice of the 2 nd countermeasure is Walter's MIST algorithm.
- the MIST algorithm randomly generates a new addition chain for the exponent d to perform x A d mod N.
- the addition chain is performed on the fly through an adaptation of an exponentiation algorithm based on chains of divisions.
- Another example is an improved version of a sliding window algorithm (see Kouichi Itoh, Jun Yajima, Masahiko Takenaka and Naoya Torii. DPA countermeasures by improving the window method CHES 2002, volume 2523 of Lecture Notes in computer Science, pages 303- 317, Springer Verlag 2002).
- this makes it possible to randomize the exponentiation without needing to know ⁇ (N) but requires a secure division algorithm to calculate the chains of divisions and causes significant management concerns.
- the invention proposes a new method for randomizing the execution of a modular exponentiation, with the aim of preventing differential attacks (DPA), presenting the advantages of the two known countermeasures: as in the first countermeasure, the method according to the invention does not impose any particular exponentiation algorithm and applies to any exponentiation algorithm, and as in the second countermeasure, in the invention, the algorithm itself is made random , and no longer just the data it handles. Thus, the algorithm does not need to know ⁇ (N) and / or the public key e in an RSA exponentiation (the key e is often unavailable to the signature or decryption algorithm).
- DPA differential attacks
- the method according to the invention introduces the concept of auto-random exponentiation, meaning that the exponent d is itself used as an additional source of randomness in the exponentiation process.
- the invention relates to a cryptographic process during which a modular exponentiation of type x A d, with d an integer exponent of m + 1 bits, by scanning the bits of d from left to right in a loop indexed by i decremented from m to 0 in steps of 1 and by calculating and memorizing in an accumulator , at each round of rank i, a discounted partial result equal to x A b (i), b (i) being the m-i + 1 most significant bits of the exponent d.
- a consolidation step E2 is carried out during which: E2: the result is stored (RO ⁇ - RlxRO) in the accumulator (RO) multiplication of the content of the accumulator (x A b (i)) by a function number of xz stored in a register (Ri).
- step E1 the number z is subtracted from the content of a register in which the exponent d is initially stored, and the result of the subtraction is stored in the same register, then we continue to scan the bits of b.
- the randomization step El must not modify the bits of d already used in the calculation (it is recalled that the method uses an algorithm from left to right).
- the index i (j) at which the randomization El, chosen randomly, must therefore be chosen such that the mid (j) +1 most significant bits of the register initially containing the exponent d remain unchanged during the step El. This condition will hereinafter be called a "consistency" condition.
- the method according to the invention applies independently of the exponentiation algorithm from left to right. Furthermore, the rank i (j) at which step E1 is carried out is chosen to be random, therefore the process itself is random, and not only the data that it manipulates.
- the method according to the invention is also effective in terms of space (it requires only one additional calculation register) and in terms of calculation time, as will be seen more clearly below in the example of the algorithm. SAT.
- the method according to the invention is still easy to implement regardless of the algorithm to which it is applied: it does not rely on any group property and its implementation does not require knowing the order of the group in which the exponentiation is carried out.
- the method according to the invention can be used in conjunction with other algorithm protection measures, such as for example the countermeasures disclosed by P. Kocher and recalled previously.
- it is chosen to carry out the consolidation step only once at the end of the process. This makes it necessary to systematically subtract z from the least significant bits of the exponent d, so as to obtain a correct result at the end of the process.
- the variable i (j) is chosen such that the bits of weight i (j) to m of the number db (i (j)) are equal to the bits of weight i (j) of the number d, so that the mi (j ) + l first rounds of the calculation of x A d are identical to mid (j) + l first rounds of the calculation of x A (d- b (i (j))) (condition of consistency).
- dz db (i (j)) and we store the content of the accumulator x A b in the register (El).
- p a Boolean variable used to determine, at the end of each round of index i, whether or not randomization is performed. If p takes an active value, then we carry out step El: we replace the number d by the number db (i (j)) and we store x A b (i (j)).
- the accumulator RO is used to keep the value of x A d m -> i, at each turn of index i.
- p ⁇ - R ⁇ 0, 1 ⁇ means that we choose the value of p randomly from the set ⁇ 0, 1 ⁇ . p is thus a random boolean variable.
- the condition di ( j ) _ ⁇ _> o ⁇ d m -> i ( j ) means that the bits of weight 0 to i-1 of d are greater than b (i (j)), b (i (j)) being equal to the bits of weight i (j) to m of d. This ensures that the m-i + 1 most significant bits of db (i (j)) are identical to the m-i + 1 most significant bits of d, and therefore that the first m-i + 1 turns of the calculation of xd are identical to the m-i + 1 first turns of the calculation of x A (db (i (j))).
- the instruction d ⁇ - d - 2 ⁇ .d m -> i which calculates dg.b (i) can be replaced by d m -> ⁇ ⁇ - d-> ⁇ - d m -> ⁇ or better, by the equivalent instruction di- ⁇ -> ⁇ ⁇ - di- ⁇ _> ⁇ - d m -> i.
- ⁇ random in the set ⁇ 0, ..., T ⁇ .
- the terminal T is chosen as the best compromise between the randomization of the most significant bits of d and the efficiency (in terms of computation time in particular) of the computation of the ⁇ squares.
- the algorithms I and I ' may be sufficient to protect the exponents in certain cases. For example, due to its construction, the RSA cryptosystem always reveals the most significant half of the private exponent if the corresponding public exponent is small. Randomize the most significant bits of d would therefore provide no protection for such an algorithm.
- step El of a randomization at rank i (j) the bits of weight i (j) _ c (j) to i (j) - 1 of d are modified and we choose not to perform only one randomization at a time, and we choose to carry out a consolidation step at the end of the row using the last bit of d modified during the preceding randomization step El (and no longer at the end of the process), ie after the evaluation of the partial result x A (d m -> ⁇ (j) -c (j)) ⁇ iod N.
- ⁇ has an inactive value as long as i> i (j) - c (j) and is activated when i ⁇ i (j) - c (j). It also becomes unusable as soon as i (j) - c (j) ⁇ 0.
- c (j) equal to mi (j) + l.
- i (j)> c (j) ⁇ 1 the condition c (j)> m - i (j) + 1 is satisfied if 2.i (j)>'m + 1.
- _ ⁇ .j_M ) _ C (j) > is satisfied during the first part of the algorithm, considering roughly that dj ⁇ j) _ ⁇ .
- ⁇ i (j) _ C (j) and d m ⁇ i (j) are random numbers of (mi (j) + l) bits. It will be noted, in this algorithm, that all the bits of the exponent are randomized. According to a second variant of the second embodiment, we choose c (j) random and between i (j) and mi (j) +1.
- V (j) increases the probability of success for the consistency condition (and therefore for the choice of randomization). On the other hand, it also reduces the possible values of the index i satisfying the condition 2.1 (j) ⁇ m + l + V (j).
- a good way to minimize the cost of additional operations is to slightly modify the random number generator producing the number p so that when the Hamming weight of dz (z can have different values as a function of b (i), depending on the envisaged embodiment) is weaker than the Hamming weight of d, pa a higher probability of being worth 1, and conversely. With this trick, the algorithm will tend to select the case with the lowest Hamming weight, that is to say the fastest branch.
- a random number u of v bits is chosen at the start of the method and one stores x A u in the register Ri.
- the number u is changed several times during the process, to increase the random factor in the process.
- H () is the Hamming weight of w, it is representative of the cost of the operation x A.
- H (-u) is the Hamming weight of x (wu), representative of x A (wu).
- the term "+ 1" is representative of the cost of multiplying x A (wu) by xu (x A u being stored elsewhere).
- this third embodiment has the advantage of being faster, since, in order to perform a randomization, the fastest path (the least expensive) is chosen each time.
- the complexity of this process is around 1.4.
- the complexity is the average number of multiplications of register contents carried out for each bit of the exponent d.
- the complexity of an unprotected SAM algorithm is 1.5; the complexity of the methods according to the first or second embodiments of the invention is slightly greater than 1.5.
- the source of randomness (the number u) is external to the method.
- the resources (notably the number of registers) used are the same.
- third embodiment can be embodied by the following IV algorithm:
- the exponent d is here divided into k blocks, of identical size if m + 1 is divisible by k or of identical size to the nearest unit otherwise.
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Pure & Applied Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Storage Device Security (AREA)
- Complex Calculations (AREA)
Abstract
Description
Claims
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP04804829A EP1695204A2 (fr) | 2003-12-19 | 2004-12-14 | Procede d'exponentiation modulaire protege contre les attaques du type dpa |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0314959 | 2003-12-19 | ||
FR0314959A FR2864390B1 (fr) | 2003-12-19 | 2003-12-19 | Procede cryptographique d'exponentiation modulaire protege contre les attaques de type dpa. |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2005069122A2 true WO2005069122A2 (fr) | 2005-07-28 |
WO2005069122A3 WO2005069122A3 (fr) | 2006-06-01 |
Family
ID=34630319
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2004/053472 WO2005069122A2 (fr) | 2003-12-19 | 2004-12-14 | Procede cryptographique d'exponentiation modulaire protege contre les attaques de type dpa |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1695204A2 (fr) |
CN (1) | CN1918543A (fr) |
FR (1) | FR2864390B1 (fr) |
WO (1) | WO2005069122A2 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102684876A (zh) * | 2011-02-25 | 2012-09-19 | 英赛瑟库尔公司 | 包括求幂运算的加密方法 |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2888690A1 (fr) * | 2005-07-13 | 2007-01-19 | Gemplus Sa | Procede cryptographique pour la mise en oeuvre securisee d'une exponentiation et composant associe |
JP5482048B2 (ja) * | 2009-09-18 | 2014-04-23 | ソニー株式会社 | 集積回路および電子機器 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001031436A1 (fr) * | 1999-10-28 | 2001-05-03 | Bull Cp8 | Procede de securisation d'un ensemble electronique de cryptographie a base d'exponentiation modulaire contre les attaques par analyse physique |
FR2829646A1 (fr) * | 2001-09-07 | 2003-03-14 | Gemplus Card Int | Procede securise de mise en oeuvre d'un algorithme de cryptographie et composant correspondant |
-
2003
- 2003-12-19 FR FR0314959A patent/FR2864390B1/fr not_active Expired - Fee Related
-
2004
- 2004-12-14 EP EP04804829A patent/EP1695204A2/fr not_active Withdrawn
- 2004-12-14 CN CN 200480041877 patent/CN1918543A/zh active Pending
- 2004-12-14 WO PCT/EP2004/053472 patent/WO2005069122A2/fr not_active Application Discontinuation
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001031436A1 (fr) * | 1999-10-28 | 2001-05-03 | Bull Cp8 | Procede de securisation d'un ensemble electronique de cryptographie a base d'exponentiation modulaire contre les attaques par analyse physique |
FR2829646A1 (fr) * | 2001-09-07 | 2003-03-14 | Gemplus Card Int | Procede securise de mise en oeuvre d'un algorithme de cryptographie et composant correspondant |
Non-Patent Citations (4)
Title |
---|
CHEVALLIER-MAMES B: "Self-randomized exponentiation algorithms" TOPICS IN CRYPTOLOGY - CT-RSA 2004. PROCEEDINGS. SPRINGER-VERLAG, LECTURE NOTES IN COMPUTER SCIENCE, vol. 2964, 27 février 2004 (2004-02-27), pages 236-249, XP002297836 BERLIN, GERMANY ISBN: 3-540-20996-4 * |
ITOH K ET AL: "DPA COUNTERMEASURES BY IMPROVING THE WINDOW METHOD" CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS. INTERNATIONAL WORKSHOP, XX, XX, 13 août 2002 (2002-08-13), pages 303-317, XP001160529 cité dans la demande * |
JOYE M: "Recovering lost efficiency of exponentiation algorithms on smart cards" ELECTRONICS LETTERS, IEE STEVENAGE, GB, vol. 38, no. 19, 12 septembre 2002 (2002-09-12), pages 1095-1097, XP006019065 ISSN: 0013-5194 * |
WALTER C D: "MIST: AN EFFICIENT, RANDOMIZED EXPONENTIATION ALGORITHM FOR RESISTING POWER ANALYSIS" LECTURE NOTES IN COMPUTER SCIENCE, SPRINGER VERLAG, NEW YORK, NY, US, vol. 2271, 18 février 2002 (2002-02-18), pages 53-66, XP008004946 ISSN: 0302-9743 cité dans la demande * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102684876A (zh) * | 2011-02-25 | 2012-09-19 | 英赛瑟库尔公司 | 包括求幂运算的加密方法 |
Also Published As
Publication number | Publication date |
---|---|
WO2005069122A3 (fr) | 2006-06-01 |
FR2864390A1 (fr) | 2005-06-24 |
CN1918543A (zh) | 2007-02-21 |
EP1695204A2 (fr) | 2006-08-30 |
FR2864390B1 (fr) | 2006-03-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2946284B1 (fr) | Procédé de cryptographie comprenant une opération de multiplication par un scalaire ou une exponentiation | |
EP1358732B2 (fr) | Procede de cryptage securise et composant utilisant un tel procede de cryptage | |
EP1757009B1 (fr) | Procédé et dispositif d'exécution d'un calcul cryptographique | |
EP1166494B1 (fr) | Procedes de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type courbe elliptique | |
EP1969459A1 (fr) | Procédé cryptographique comprenant une exponentiation modulaire sécurisée contre les attaques à canaux cachés, cryptoprocesseur pour la mise en oeuvre du procédé et carte à puce associée | |
WO2009003740A1 (fr) | Mise a la puissance modulaire selon montgomξry securisee contre les attaques a canaux caches | |
FR3010210A1 (fr) | Protection d'un calcul contre des attaques par canaux caches | |
EP2707989B1 (fr) | Dispositif et procede de generation de cles a securite renforcee pour algorithme de chiffrement pleinement homomorphique | |
EP1381936B1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme cryptographique du type a cle publique sur une courbe elliptique | |
WO2000059157A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type courbe elliptique | |
FR2888690A1 (fr) | Procede cryptographique pour la mise en oeuvre securisee d'une exponentiation et composant associe | |
CA2712180A1 (fr) | Procede et dispositifs de contre-mesure pour cryptographie asymetrique a schema de signature | |
FR2884088A1 (fr) | Procede et dispositif cryptographique permettant de proteger les logiques de cles publiques contre les attaques par faute | |
EP1224765A1 (fr) | Procede de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type rsa | |
WO2005069122A2 (fr) | Procede cryptographique d'exponentiation modulaire protege contre les attaques de type dpa | |
EP1639451A2 (fr) | Procédé de contre-mesure par masquage de l'accumulateur | |
FR2976101A1 (fr) | Procede de traitement cryptographique de donnees | |
FR2942560A1 (fr) | Procede de traitement de donnees impliquant une exponentiation et un dispositif associe. | |
WO2004111833A1 (fr) | Procede de contre-mesure dans un composant electronique | |
EP3716044B1 (fr) | Protection d'un calcul itératif | |
EP3929726A1 (fr) | Procede de traitement cryptographique,dispositif electronique et programme d'ordinateur associes | |
WO2002001343A1 (fr) | Procedes de contre-mesure dans un composant electronique mettant en oeuvre un algorithme de cryptographie a cle publique de type courbe elliptique de koblitz | |
EP3579493A1 (fr) | Protection d'un calcul itératif | |
EP4270855A1 (fr) | Protection contre les attaques par canal auxiliaire a l aide d'un masquage carre | |
EP3579492A1 (fr) | Protection d'un calcul itératif |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2004804829 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006544433 Country of ref document: JP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWW | Wipo information: withdrawn in national office |
Country of ref document: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 200480041877.X Country of ref document: CN |
|
WWP | Wipo information: published in national office |
Ref document number: 2004804829 Country of ref document: EP |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 2004804829 Country of ref document: EP |