WO2005124578A2 - System, method and apparatus of error detection during a modular operation - Google Patents

System, method and apparatus of error detection during a modular operation Download PDF

Info

Publication number
WO2005124578A2
WO2005124578A2 PCT/IL2005/000640 IL2005000640W WO2005124578A2 WO 2005124578 A2 WO2005124578 A2 WO 2005124578A2 IL 2005000640 W IL2005000640 W IL 2005000640W WO 2005124578 A2 WO2005124578 A2 WO 2005124578A2
Authority
WO
WIPO (PCT)
Prior art keywords
value
stamp
modular
determining
stamp value
Prior art date
Application number
PCT/IL2005/000640
Other languages
French (fr)
Other versions
WO2005124578A3 (en
Inventor
Shay Gueron
Original Assignee
Discretix Technologies Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Discretix Technologies Ltd filed Critical Discretix Technologies Ltd
Publication of WO2005124578A2 publication Critical patent/WO2005124578A2/en
Publication of WO2005124578A3 publication Critical patent/WO2005124578A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/728Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic using Montgomery reduction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219Countermeasures against side channel or fault attacks
    • G06F2207/7271Fault verification, e.g. comparing two values which should be the same, unless a computational fault occurred
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/723Modular exponentiation

Definitions

  • Fault analysis attacks are active attacks that may intentionally induce errors intentionally in a computation operation order to reveal secret information.
  • Fault analysis attacks may be used, for example, to attack hardware modules to compute modular exponential, e.g., as implemented by public key schemes such as RSA and DSA. Such attacks have become a serious threat to portable cryptographic devices such as smartcards.
  • Integrity checks performed by running test vectors before a computation commences may be insufficient, for example, if the attacker induces transient (random) faults on the hardware registers during the computation.
  • a "reverse operation approach” is conventionally used to detect transient faults. This approach includes verifying the correctness of the end-result by computing a "reverse operation".
  • One example e.g., in the context of a RSA private key exponential, may include verifying the correctness of the computation of the result value C kPmodN, wherein D denotes the RSA secret key.
  • CfmodN After C has been computed, and before it is released, the value of CfmodN may be computed, wherein E is the public RSA key.
  • the correctness of the result value C may be verified by comparing CfmodN with M. A difference between C E modN and M may indicate an error has occurred in the computation of C.
  • a similar technique (verify after signature) can be used with DSA.
  • the "reverse operation" computation may suffer from at least the following drawbacks: a) It involves a performance "penalty” (e.g., the delay before the result can be released, extra storage etc.). b) There are (current and potential) scenarios where this approach is not sufficiently safe, e.g., because the mere fact that an . error has occurred and was acknowledged only at the end of the computations may provide the attacker with information related to the computation. [005] For example, suppose that a square-and-multiply exponential algorithm is used as part of the exponential calculation, and that dummy multiplications are embedded in order to foil passive attacks that are based on measuring current consumption. The modified procedure is therefore a square-and-always-multiply exponential algorithm.
  • an induced fault may not produce an erroneous result, e.g., if the scanned exponent bit is 0, corresponding to a dummy multiplication. However, the induced fault may produce an erroneous result, e.g., if the scanned exponent bit is 1. This way, repeated (and timed) fault induction may reveal the whole key (assuming that the same private key is being used).
  • Some demonstrative embodiments of the invention may include an apparatus, a system, and/or a method of detecting an error in a modular operation.
  • the modular operation may include, for example, a modular exponential operation including a series of modular multiplications.
  • Some demonstrative embodiments may include determining a result stamp value corresponding to a calculated result of a modular multiplication of the series of modular multiplications; determining an expected stamp value corresponding to an expected result of the modular multiplication; and comparing the result stamp value with the expected stamp value.
  • Other embodiments are described and claimed.
  • Some demonstrative embodiments of the invention may include determining that the calculated result of the modular multiplication is erroneous, e.g., if the comparing fails.
  • comparing the result stamp value with the expected stamp value may include comparing the result stamp value with the expected stamp value, before performing another modular multiplication succeeding the modular multiplication in the series of modular multiplications.
  • Some demonstrative embodiments of the invention may include, during a time period at least partially overlapping a time period for calculating the modular multiplication, performing at least one of determining the result stamp value, determining the expected stamp value, and the comparing.
  • Some demonstrative embodiments of the invention may include determining the result stamp value by applying a predetermined stamp function to the calculated result of the modular multiplication.
  • the modular multiplication may include a Montgomery multiplication, e.g., a non-reduced Montgomery multiplication.
  • FIG. 1 is a schematic block-diagram illustration of a cryptographic system in accordance with some demonstrative embodiments of the invention
  • FIG. 2 is a schematic block-diagram illustration of a modular computation module in accordance with some demonstrative embodiments of the invention.
  • FIG. 3 is a schematic flow-chart illustration of a method of detecting an error in a modular exponential operation in accordance with some demonstrative embodiments of the invention.
  • Fig. 4 is a schematic flow-chart illustration of a method of determining an expected stamp value corresponding to a non-reduced Montgomery multiplication in accordance with some demonstrative embodiments of the invention.
  • An algorithm is here, and generally, considered to be a self-consistent sequence of acts or operations leading to a desired result. These include physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. It should be understood, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities.
  • These apparatuses may be specially constructed for the desired purposes, or they may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer.
  • a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), electrically programmable read-only memories (EPROMs), electrically erasable and programmable read only memories (EEPROMs), magnetic or optical cards, a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or any other type of media suitable for storing electronic instructions, and capable of being coupled to a computer system bus.
  • DRAM Dynamic RAM
  • SD-RAM Synchronous DRAM
  • PLC Public Key Crypto-system
  • RSA RSA or an Elliptic Curve Cryptographic (ECC) system
  • ECC Elliptic Curve Cryptographic
  • Units of cryptographic systems intended to be included within the scope of the present invention may include, by way of example only, encryption and/or decryption units.
  • Embodiments of the invention may be implemented by an encryption and/or decryption engine, e.g., an encryption/decryption engine of an Internet
  • TLS protocol for public key signature verification, as is known in the art.
  • some demonstrative embodiments of the invention may be used, for example, for foiling transient fault attacks on devices, e.g., smartcards, implementing modular operations, e.g., modular exponential operations.
  • Detecting an error and/or acknowledging the error at the end of a computation operation may provide an attacker, for example, with information relating to the computation, e.g., information relating to one or more secret keys used during the computation.
  • a result of at least one intermediate operation of the computation may be verified examined and/or checked, e.g., independently of other intermediate operations of the computation.
  • one or more operations of an exponential operation may be examined, checked, verified, validated and/or authenticated independently of other operations of the exponential computation. This may enable identifying an error in the computation, for example, upon detecting an error in one of the intermediate operations, e.g., without completing the computation.
  • one or more of the intermediate operations may be examined, checked, verified, validated and/or authenticated "on-the-fly", e.g., in order to reduce or avoid a potential performance penalty, as described below.
  • Some demonstrative embodiments of the invention may be implemented for protecting hardware modules implementing modular exponential computations, e.g., as implemented by public key schemes such as RSA and DSA.
  • Some demonstrative embodiments of the invention e.g., as are described below, may relate to specific encryption/decryption systems, and/or a particular exponential computation method.
  • other embodiments of the invention may be implemented for any other desired encryption/decryption system and/or method.
  • Some demonstrative embodiments of the invention may relate to a modular exponential operation including a series of modular multiplications. Some demonstrative embodiments may include detecting an error in a calculated result of a modular multiplication of the series of modular multiplications, e.g., by determining a result stamp value corresponding to the calculated result of the modular multiplication, determining an expected stamp value corresponding to an expected result of the modular multiplication, and comparing the result stamp value with the expected stamp value, as described in detail below. [0033].
  • the modulus F may be determined based on a base of a representation of the value V.
  • the number of bits t may be determined, for example, based on a width of a bus implemented for receiving the value V.
  • the probability that two distinct, randomly chosen integers would have the same stamp value may be 2 ⁇ l .
  • a difference between the result stamp value and the expected stamp value fails may indicate, that the calculated result of the modular multiplication may be erroneous, e.g., at a probability which may be related to the value t.
  • the subsequent L-l words, Vi may then added to the accumulator value successively. Assuming L ⁇ F, the accumulated value may be bounded by F 2 , and thus may be stored in a two-word accumulator. At the end of the L accumulation cycles, the result stored in P may be reduced to one word in order to produce the stamp V. This may be done, for example, by adding, e.g., twice, the most significant word to the least significant word of P, in accordance with operations 3 and 4 of Algorithm 1.
  • FIG. 1 schematically illustrates a block-diagram of a cryptographic system 100 in accordance with some demonstrative embodiments of the invention.
  • system 100 may include an encryptor 102, a decryptor 104, an input 106, an output 108 and/or a storage
  • encryptor 102 may be able to encrypt input data received from input 106, e.g., via a signal 107, and/or from storage 110, e.g., via a signal 111, according to a desired encryption method, for example, according to a public key encryption method, as is known in the art. Encryptor 102 may be able to provide encrypted data to storage 110, e.g., via a signal 113, and/or to output 108, e.g., via a signal 109.
  • decryptor 104 may be able to decrypt encrypted input data received from input 106, e.g., via a signal 117, and/or from storage 110, e.g., via a signal 121, according to a desired decryption method, for example, according to a public key decryption method, as is known in the art.
  • decryptor 104 may be able to decrypt encrypted input data received from input 106, e.g., via a signal 117, and/or from storage 110, e.g., via a signal 121, according to a desired decryption method, for example, according to a public key decryption method, as is known in the art.
  • 104 may be able to provide decrypted data to storage 110, e.g., via a signal 123, and/or to output 108, e.g., via a signal 129.
  • encryptor 102 may include a modular computation module 139, and/or decryptor 104 may include a modular computation module
  • storage 110 may include, for example, memory, e.g., a Random Access Memory (RAM), a Read Only Memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a Flash memory, a volatile memory, a non- volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory unit or storage unit.
  • RAM Random Access Memory
  • ROM Read Only Memory
  • DRAM Dynamic RAM
  • SD-RAM Synchronous DRAM
  • Flash memory e.g., a Flash memory
  • volatile memory e.g., a non- volatile memory
  • cache memory e.g., a buffer, a short term memory unit, a long term memory unit, or other suitable memory unit or storage unit.
  • storage 110 may be able to receive data from input 106, e.g., via a signal 141, and/or provide output 108 with data, e.g., via a signal 143.
  • encryptor 102 and decryptor 104 may be implemented, for example, using separate and/or integrated units, for example, using an encryption- decryption unit.
  • units 102, 104, 106, 108 and 110 may be part of a smartcard, as is known in the art.
  • Fig. 2 schematically illustrates a block-diagram of a modular computation module 200 in accordance with some demonstrative embodiments of the invention.
  • modular computation module may perform the functionality of modular computation module 139 (Fig. 1)
  • the data size of each of the values A and N may be, for example, n bits, and the data size of the base value Xmay be, for example, x bits.
  • computation module 200 may be able to perform the modular exponential operation by performing a series of modular multiplications.
  • computation module 200 may implement a most-to-least binary exponentiation algorithm or a least-to-most exponentiation algorithm, e.g., as are known in the art
  • one or more of the series of modular multiplications may include a Montgomery Multiplication (MMUL).
  • MMUL Montgomery Multiplication
  • MMUL Montgomery Multiplication
  • One or more of the Montgomery multiplications may include, for example, a Non- Reduced Montgomery Multiplication (TSfRMM).
  • TfRMM Non- Reduced Montgomery Multiplication
  • Embodiments of methods, devices and/or systems of performing an exponential operation and/or a NRMM operation, in accordance with some demonstrative embodiments of the invention, are described in International Application PCT/IL02/00318, filed April 22, 2002, entitled “A METHOD AND APPARATUS FOR CARRYING OUT EFFICIENTLY ARITHMETIC COMPUTATIONS IN HARDWARE" and published January 03, 2003 as PCT Publication WO 03/001362 (Reference 1), the disclosure of which is incorporated herein by reference.
  • computation module 200 may be able to perform one or more NRMMs, e.g., NRMMs of operations 1, 3 and/or 4 in Algorithm 2.
  • computation module 200 may perform a NRMM to determine a calculated NRMM result, denoted S, corresponding to the following inputs: the values /, m, and N; and a number of NRMM computation cycles, denoted r, e.g., in accordance with the following algorithm: Input: 1, m N r > n
  • computation module 200 may include a processor 202, and a Cryptographic Co-Processor (CCP) 204.
  • CCP Cryptographic Co-Processor
  • processor 202 may include, for example, a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a microprocessor, a host processor, a plurality of processors, a controller, a chip, a microchip, or any other suitable multi-purpose or specific processor or controller.
  • processor 202 may include a relatively weak CPU, e.g., an ARM9 CPU as is known in the art.
  • CCP 204 may include any suitable hardware, software and/or circuitry to perform a modular multiplication operation, for example, a NRMM multiplication, e.g., as described in Reference 1.
  • processor 202 may perform the modular exponential computation, e.g., in accordance with Algorithm 2.
  • CCP 204 may be able to perform a modular multiplication operation, for example, a Montgomery multiplication operation, e.g., a NRMM.
  • CCP 204 may include a NRMM computation module 231 to determine the result S of the NRMM operation, e.g., in accordance with Algorithm 2.
  • processor 202 may controllably load data into one or more registers 205 of CCP 204, and or unload data from registers 205, for example, via a bus 211.
  • Processor 202 may control the operation of CCP 204, e.g., according to Algorithm 2.
  • processor 202 may provide CCP 204 via bus 211 with one or more inputs corresponding to a NRMM, e.g., the NRMM of operations 1, 3 and/or 4 in Algorithm 3.
  • CCP 204 may provide processor 202 with the result S, of the computed NRMM, and the zeroing value 7, corresponding to the computed NRMM.
  • At least some of the calculated results of the NRMM operations may be checked, verified, validated and/or authenticated using a stamp value, e.g., a stamp value in accordance with Equation 1, as described below.
  • computation module 200 may include an error detector 206 to determine whether a calculated result of a modular multiplication of the series of modular multiplications is erroneous. For example, detector 206 may determine a result stamp value corresponding to the calculated result of the modular multiplication. Detector 206 may also determine an expected stamp value corresponding to an expected result of the modular multiplication. Detector 206 may also determine whether the calculated result is erroneous based on a comparison between the result stamp value and the expected stamp value, e.g., as described in detail below.
  • error detector 206, processor 202, and/or CCP 204 may be implemented as separate elements of computation module 200. However, in other embodiments of the invention, error detector 206 may be implemented as part of processor 202, or as part of CCP 104, e.g., as described below.
  • detector 206 may be implemented by a processor, e.g., as part of processor 202 or as an independent processor, able to determine the arithmetic stamp of an L words value, e.g., using
  • detector 206 may be implemented, e.g., as part of CCP 204.
  • Detector 206 may additionally include appropriate control, e.g., to determine a stamp value using Algorithm 1.
  • FIG. 3 which schematically illustrates a method of detecting an error in a modular exponential operation including a series of modular multiplications in accordance with some demonstrative embodiments of the invention.
  • detector 206 Fig. 2
  • the method may include determining a result stamp value, denoted S', corresponding to the calculated result 5Of a modular multiplication of the series of modular multiplications.
  • the result stamp value iS" may be determined, for example, using Algorithm 1.
  • detector 206 Fig. 2 may apply Algorithm 1 to the result S, e.g., as determined by CCP 204 (Fig. 2).
  • the method may also include determining am expected stamp value, denoted Q corresponding to an expected result of the modular multiplication.
  • detector 206 (Fig. 2) may dete ⁇ nine the expected stamp value Q e.g., as described in detail below.
  • the method may also include comparing the result stamp value ⁇ S" with the expected stamp value Q '.
  • detector 206 (Fig. 2) may compare the result stamp value S" with the expected stamp value Q '.
  • a difference between the result stamp value S' and the expected stamp value Q' may indicate the calculated result S of the modular multiplication is erroneous. Accordingly, the method may include determining that the calculated result of the modular multiplication is erroneous, e.g., if the comparing fails, as indicated at block 310.
  • the method may also include, determining that the exponential operation is erroneous, e.g., if the comparing fails. Accordingly, the method may also include stopping the exponential operation, e.g., as indicated at block 314. Determining that the exponential operation is erroneous, may be performed, for example, before performing another modular multiplication succeeding the modular multiplication in the series of modular multiplications.
  • comparing between the result stamp and the expected stamp values may be performed before performing another modular multiplication succeeding the modular multiplication in the series of modular multiplications, e.g., as described below.
  • the method may include continuing the exponential operation, for example, by performing another modular multiplication succeeding the modular multiplication in the series of modular multiplications, e.g., if the comparison between the result stamp value 5" with the expected stamp value Q ' does not fail.
  • the method may include, determining the expected stamp value, determining the result stamp value, and/or comparing between the result stamp value and the expected stamp value, during a time period at least partially overlapping a time period for calculating the modular multiplication, e.g., as described below with reference to Fig. 4.
  • the expected stamp Q ' of the NRMM may be determined, for example, as follows:
  • stamp values /', m ', Y', and N' may be determined, for example, by computation module 200 (Fig. 2), e.g., according to Equation 1.
  • the modulus F may be constant, e.g., at least during the exponential operation. Accordingly, a value, denoted Z, corresponding to the values of (2 s ) ' may be predetermined, e.g., as follows:
  • the higher number of cycles s may enable using a masked base value l mask and/or a masked modulus N mas k, e.g., having a data size bigger than 1024 bits.
  • the value of the modulus N may remain constant, e.g., if an RSA key used during the exponential operation is constant; and/or the value m may remain constant, e.g., during the exponential operation. Accordingly, the stamp values m ' and N' may be predetermined, e.g., in accordance with Equation 1.
  • the computation of Q ' in operation 2 of Algorithm 4 may include, for example, determining a first product value, denoted Ql, e.g., by multiplying the stamp value /' by the stamp value m '; determining a second product value, denoted Q2, e.g., by multiplying the stamp value N' by the stamp value Y' determining a sum stamp value, denoted Q3, e.g., by applying the stamp function of Equation 1 to a sum of the first and second product values; and determining the expected stamp value Q', e.g., by applying the stamp function of Equation 1 to the product of the sum stamp value and the value Z.
  • CCP 204 may include any suitable hardware and/or circuitry to determine the stamp value Y' and/or the result stamp value 5", e.g., in accordance with Algorithm 1.
  • processor 202 may receive from CCP the values S and Y, and may determine the stamp values S' and Y e.g., in accordance with Algorithm 1.
  • detector 206 may detect an error in the result of the modular multiplication, e.g., while CCP 204 (Fig. 2) calculates another modular multiplication succeeding the modular multiplication in the series of modular multiplications.
  • This may be achieved, for example, by implementing detector 206 (Fig. 2) and CCP 204 (Fig. 2) as separate elements of computation module 202, e.g., by implementing detector 206 (Fig. 2) as part of processor 202 (Fig. 2) or as a separate element.
  • the calculated result 5 may then be verified, e.g., by calculating the result stamp value 5" and comparing the expected stamp value ⁇ ' to the result stamp value S' e.g., as described above with reference to Fig. 3.
  • the expected stamp value Q ' corresponding to a modular multiplication may be determined "on the fly", i.e., the expected stamp value Q ' may be determined during a time period at least partially overlapping a time period for determining the result of the modular multiplication.
  • the expected stamp value Q ' may be determined based at least on the stamp value m ', and the modulus stamp N', e.g., as described below.
  • FIG. 4 schematically illustrates a method of determining the expected stamp value Q ' corresponding to a NRMM in accordance with some demonstrative embodiments of the invention.
  • the method may include determining the NRMM by performing a series of s NRMM calculation cycles, as described below.
  • the method may include setting the value S to zero.
  • the method may also include performing the operations of blocks 406, 408, 410 and 412 for the s NRMM. computation cycles, e.g., in accordance with Algorithm 3.
  • the method may include adding to the value S a product of the value m and the i-th bit of the value /.
  • the method may also include dete ⁇ nining an i-th bit of Y, denoted 7,-, corresponding to the LSB of the value S.
  • the method may also include adding to the value S the product of the bit 7 and the modulus N.
  • the method may also include dividing the value of S by two, e.g., by performing a right shift operation.
  • the method may include providing the result S.
  • the method may also include determining the result stamp £", e.g., in accordance with Algorithm 1.
  • the method may include determining the expected stamp value Q' by performing a series of s stamp computation cycles, e.g., corresponding the s NRMM calculation cycles, respectively, as described below.
  • the method may include setting the value Q ' to zero.
  • the method may also include performing the operations of blocks 426, 428, and 430 for the 5 stamp computation cycles.
  • the method may include adding to the value Q ' a product of the stamp value m ' and the i-th bit of the value /.
  • the method may also include adding to the value Q' the product of the bit and the modulus stamp N'.
  • the method may also include dividing by two the sum of Q' and the product of the LSB of Q' and the modulus F.
  • the method may include providing the expected stamp value Q', as indicated at block 432.
  • CCP 204 may be able to perform one or more operations of the method of Fig. 4.
  • CCP 204 may include a stamp computation module 233 to determine the expected stamp value Q', for example, in accordance with the operations of blocks 422, 424, 426, 428, 430, and 432 (Fig. 4).
  • an error and/or fault may occur when transferring one or more inputs from processor 202 to registers 205 of CCP 204, e.g., via bus 211; and/or when transferring one or more computed NRMM results from CCP 204 to processor 202 and/or detector 206, e.g., via bus 211.
  • This may result in the exponential operation being erroneous, e.g., since CCP 204 may perform a correct computation, though on faulty inputs.
  • the integrity of the data transferred between CCP 204, processor 202, and/or detector 206 may be verified , e.g., in addition to checking the correctness of the NRMM operation, as described below.
  • a "check-word”, denoted W may be added to data, e.g., transferred between CCP 204, processor 202, and/or detector 206.
  • an integer R may represented by a concatenation, denoted, (W
  • CCP 204, processor 202 and/or detector 206 may receive the concatenated data, determine a stamp value, R ', corresponding to the integer R, and compare the stamp value R ' to the check word W. A mismatch between R ' and W may indicate an error has occurred in the transfer of the data.
  • computation module 233 may determine the expected stamp Q ' during a time period at least partially overlapping the time period for determining the result S.
  • Embodiments of the present invention may be implemented by software, by hardware, or by any combination of software and/or hardware as may be suitable for specific applications or in accordance with specific design requirements.
  • Embodiments of the present invention may include units and sub-units, which may be separate of each other or combined together, in whole or in part, and may be implemented using specific, multipurpose or general processors, or devices as are known in the art.
  • Some embodiments of the present invention may include buffers, registers, storage units and/or memory units, for temporary or long-term storage of data and or in order to facilitate the operation of a specific embodiment.

Landscapes

  • Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computational Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)
  • Hardware Redundancy (AREA)
  • Complex Calculations (AREA)

Abstract

Some embodiments of the present invention provide an apparatus, a system, and/or a method of detecting an error in a modular operation, e.g., a modular exponential including a series of modular multiplications. Some demonstrative embodiments may include determining a result stamp value corresponding to a calculated result of a modular multiplication of the series of modular multiplications; determining an expected stamp value corresponding to an expected result of the modular multiplication; and comparing the result stamp value with the expected stamp value. Other embodiments are described and claimed.

Description

SYSTEM, METHOD AND APPARATUS OF ERROR DETECTION DURING A MODULAR OPERATION
BACKGROUND OF THE INVENTION
[001] Fault analysis attacks are active attacks that may intentionally induce errors intentionally in a computation operation order to reveal secret information. Fault analysis attacks may be used, for example, to attack hardware modules to compute modular exponential, e.g., as implemented by public key schemes such as RSA and DSA. Such attacks have become a serious threat to portable cryptographic devices such as smartcards.
[002] Integrity checks performed by running test vectors before a computation commences, e.g., a modular exponential computation commences may be insufficient, for example, if the attacker induces transient (random) faults on the hardware registers during the computation.
[003] A "reverse operation approach" is conventionally used to detect transient faults. This approach includes verifying the correctness of the end-result by computing a "reverse operation". One example, e.g., in the context of a RSA private key exponential, may include verifying the correctness of the computation of the result value C kPmodN, wherein D denotes the RSA secret key. After C has been computed, and before it is released, the value of CfmodN may be computed, wherein E is the public RSA key. The correctness of the result value C may be verified by comparing CfmodN with M. A difference between CEmodN and M may indicate an error has occurred in the computation of C. A similar technique (verify after signature) can be used with DSA.
[004] The "reverse operation" computation may suffer from at least the following drawbacks: a) It involves a performance "penalty" (e.g., the delay before the result can be released, extra storage etc.). b) There are (current and potential) scenarios where this approach is not sufficiently safe, e.g., because the mere fact that an. error has occurred and was acknowledged only at the end of the computations may provide the attacker with information related to the computation. [005] For example, suppose that a square-and-multiply exponential algorithm is used as part of the exponential calculation, and that dummy multiplications are embedded in order to foil passive attacks that are based on measuring current consumption. The modified procedure is therefore a square-and-always-multiply exponential algorithm. It carries an obvious performance penalty, which can be alleviated if squaring and multiplying are performed in parallel (and exponent bits are scanned from the proper direction). In this example, using the reverse operation approach against transient faults may provide information about the value of the exponent bit during which the fault occurred. For example, an induced fault may not produce an erroneous result, e.g., if the scanned exponent bit is 0, corresponding to a dummy multiplication. However, the induced fault may produce an erroneous result, e.g., if the scanned exponent bit is 1. This way, repeated (and timed) fault induction may reveal the whole key (assuming that the same private key is being used).
[006] Thus, using the reverse operation approach to detect computational errors in a computation, e.g., only at the end of the computation, may be complex, inefficient, and/or insecure.
SUMMARY OF SOME EMBODIMENTS OF THE INVENTION
[007] Some demonstrative embodiments of the invention may include an apparatus, a system, and/or a method of detecting an error in a modular operation. The modular operation may include, for example, a modular exponential operation including a series of modular multiplications.
[008] Some demonstrative embodiments may include determining a result stamp value corresponding to a calculated result of a modular multiplication of the series of modular multiplications; determining an expected stamp value corresponding to an expected result of the modular multiplication; and comparing the result stamp value with the expected stamp value. Other embodiments are described and claimed.
[009] Some demonstrative embodiments of the invention may include determining that the calculated result of the modular multiplication is erroneous, e.g., if the comparing fails.
[0010] In some demonstrative embodiments of the invention, comparing the result stamp value with the expected stamp value may include comparing the result stamp value with the expected stamp value, before performing another modular multiplication succeeding the modular multiplication in the series of modular multiplications.
[0011] Some demonstrative embodiments of the invention may include, during a time period at least partially overlapping a time period for calculating the modular multiplication, performing at least one of determining the result stamp value, determining the expected stamp value, and the comparing.
[0012] Some demonstrative embodiments of the invention may include determining the result stamp value by applying a predetermined stamp function to the calculated result of the modular multiplication.
[0013] In some demonstrative embodiments of the invention the modular multiplication may include a modular multiplication of first and second integer values and a modulus value. Determining the expected stamp value may include, for example, determining the expected stamp value based at least on a stamp value corresponding to the second integer value, and a modulus stamp value corresponding to the modulus. [0014] In some demonstrative embodiments of the invention, the modular multiplication may include a Montgomery multiplication, e.g., a non-reduced Montgomery multiplication.
BRTEF DESCRIPTION OF THE DRAWINGS
[0015] The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanied drawings in which:
[0016] Fig. 1 is a schematic block-diagram illustration of a cryptographic system in accordance with some demonstrative embodiments of the invention;
[0017] Fig. 2 is a schematic block-diagram illustration of a modular computation module in accordance with some demonstrative embodiments of the invention;
[0018] Fig. 3 is a schematic flow-chart illustration of a method of detecting an error in a modular exponential operation in accordance with some demonstrative embodiments of the invention; and
[0019] Fig. 4 is a schematic flow-chart illustration of a method of determining an expected stamp value corresponding to a non-reduced Montgomery multiplication in accordance with some demonstrative embodiments of the invention.
[0020] It will be appreciated that for simplicity and clarity of illustration, elements shown in the drawings have not necessarily been drawn accurately or to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity or several physical components included in one functional block or element. Further, where considered appropriate, reference numerals may be repeated among the drawings to indicate corresponding or analogous elements. Moreover, some of the blocks depicted in the drawings may be combined into a single function. DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION
[0021] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits may not have been described in detail so as not to obscure the present invention.
[0022] Some portions of the following detailed are presented in terms of algorithms and symbolic representations of operations on data bits or binary digital signals within a computer memory. These algorithmic descriptions and representations may be the techniques used by those skilled in the data processing arts to convey the substance of their work to others skilled in the art.
[0023] An algorithm is here, and generally, considered to be a self-consistent sequence of acts or operations leading to a desired result. These include physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like. It should be understood, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities.
[0024] Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as "processing," "computing," "calculating," "determining", or the like, refer to the action and/or processes of a computer or computing platform, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing platform's registers and/or memories into other data similarly represented as physical quantities within the computing platform's memories, registers or other such information storage, transmission or display devices. In addition, the term "plurality" may be used throughout the specification to describe two or more components, devices, elements, parameters and the like. [0025] Embodiments of the present invention may include apparatuses for performing the operations herein. These apparatuses may be specially constructed for the desired purposes, or they may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), electrically programmable read-only memories (EPROMs), electrically erasable and programmable read only memories (EEPROMs), magnetic or optical cards, a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or any other type of media suitable for storing electronic instructions, and capable of being coupled to a computer system bus.
[0026] The processes and displays presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the desired method. The desired structure for a variety of these systems will appear from the description below. In addition, embodiments of the present invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.
[0027] It should be understood that the present invention may be used in a variety of applications. Although the present invention is not limited in this respect, the circuits and techniques disclosed herein may be used in many apparatuses such as units of a cryptographic system, such as for example, a Public Key Crypto-system (PKC), e.g., an
RSA or an Elliptic Curve Cryptographic (ECC) system, and/or in any other unit and/or device that implement modular multiplication. Units of cryptographic systems intended to be included within the scope of the present invention may include, by way of example only, encryption and/or decryption units. Embodiments of the invention may be implemented by an encryption and/or decryption engine, e.g., an encryption/decryption engine of an Internet
TLS protocol, for public key signature verification, as is known in the art.
[0028] Although the invention is not limited by this respect, some demonstrative embodiments of the invention may be used, for example, for foiling transient fault attacks on devices, e.g., smartcards, implementing modular operations, e.g., modular exponential operations. [0029] Detecting an error and/or acknowledging the error at the end of a computation operation may provide an attacker, for example, with information relating to the computation, e.g., information relating to one or more secret keys used during the computation. According to some demonstrative embodiments of the invention, a result of at least one intermediate operation of the computation may be verified examined and/or checked, e.g., independently of other intermediate operations of the computation. For example, in some demonstrative embodiments of the invention, one or more operations of an exponential operation, e.g., one or more multiplications and/or squaring operations of the exponential computation, may be examined, checked, verified, validated and/or authenticated independently of other operations of the exponential computation. This may enable identifying an error in the computation, for example, upon detecting an error in one of the intermediate operations, e.g., without completing the computation.
[0030] According to some demonstrative examples of the invention, one or more of the intermediate operations may be examined, checked, verified, validated and/or authenticated "on-the-fly", e.g., in order to reduce or avoid a potential performance penalty, as described below.
[0031] Some demonstrative embodiments of the invention may be implemented for protecting hardware modules implementing modular exponential computations, e.g., as implemented by public key schemes such as RSA and DSA. Some demonstrative embodiments of the invention, e.g., as are described below, may relate to specific encryption/decryption systems, and/or a particular exponential computation method. However, it will be appreciated by those skilled in the art that other embodiments of the invention may be implemented for any other desired encryption/decryption system and/or method.
[0032] Some demonstrative embodiments of the invention may relate to a modular exponential operation including a series of modular multiplications. Some demonstrative embodiments may include detecting an error in a calculated result of a modular multiplication of the series of modular multiplications, e.g., by determining a result stamp value corresponding to the calculated result of the modular multiplication, determining an expected stamp value corresponding to an expected result of the modular multiplication, and comparing the result stamp value with the expected stamp value, as described in detail below. [0033]. Although the invention is not limited in this respect, according to some demonstrative embodiments of the invention, a stamp value, denoted V, corresponding to an integer value, denoted V, may be determined as follows: V' = Stamp CV) = (Y-l) mod? + I (1) wherein F denotes a modulus value.
[0034] According to some demonstrative embodiments of the invention, the modulus F may be determined based on a base of a representation of the value V. For example, the modulus may be determined as follows: F = 2t - 1 (2) wherein V may be represented by a sequence of one or more "words", each including t bits, e.g., as described below. The number of bits t may be determined, for example, based on a width of a bus implemented for receiving the value V. For example, the modulus F may be determined as F=2 -1, e.g., if a 32-bit bus is implemented for receiving the value V. It will be appreciated by those skilled in the art, that in other embodiments of the invention any other modulus F may be used.
[0035] According to demonstrative embodiments of the invention, the probability that two distinct, randomly chosen integers would have the same stamp value may be 2~l. Thus, a difference between the result stamp value and the expected stamp value fails may indicate, that the calculated result of the modular multiplication may be erroneous, e.g., at a probability which may be related to the value t.
[0036] According to some demonstrative embodiments of the invention, the stamp V may be computed with relation to value V, which may be represented by a sequence of X words, each including t consecutive bits, i.e., V = [VL-L .., Vj, VoJ, wherein VQ denotes the least significant word of V, and Vι.j denotes the most significant word of V. The stamp V may be computed, for example, by adding Vi, wherein i=0...L-l, word by word, to an accumulator value, while the carry of each addition is added to the least significant word of the accumulator. Final reduction steps may be required at the end. For example, the stamp V may be computed as follows: Input: V = [VL.ι, .., V1, V0] Output: V = Stamp (V) = (V-l) mod F + 1 Computations: l. P=V0
Figure imgf000012_0001
P = P+Vi End 3. P = lsb(P)+ msb(P) 4. P = lsb(P)+ msb(P) Output P Algorithm 1 wherein P denotes the value of the accumulator, which may have, for example, a length of two-words. In Algorithm 1, the accumulator value may be initialized to have the value of the least significant word of V. The subsequent L-l words, Vi, may then added to the accumulator value successively. Assuming L<F, the accumulated value may be bounded by F2, and thus may be stored in a two-word accumulator. At the end of the L accumulation cycles, the result stored in P may be reduced to one word in order to produce the stamp V. This may be done, for example, by adding, e.g., twice, the most significant word to the least significant word of P, in accordance with operations 3 and 4 of Algorithm 1.
[0037] In one demonstrative embodiments of the invention, the value Fmay include the value V= 79228159673465750010344767471 in a decimal representation. Accordingly, the value V may be represented by binary representation including the following three words (L=3), each having a length of 32 bits: V=[V2V1V0]= 11111111111111111111111101100101 11111111111111111111111111001001 11111111111111111111111111101111
[0038] According to this demonstrative embodiment, the stamp V may be determined as follows, e.g., within L+2=4 clock cycles in accordance with Algorithm 1 : P= Vo=11111111111111111111111101100101 P = Vι+V0= 111111111111111111111111110111000 P =V2+P= 1011111111111111111111111100011101 P = lsb(P) + msb(P)=l1111111111111111111111100011111 P = lsb(P) -l- msb(P) = 11111111111111111111111100011111 Output P = Stamp (V) = V\
[0039] Thus, the value of P in decimal representation may be P=4294967071. It will be noted that P=V-1 modF + l=(79228159673465750010344767471-l)mod(232-l)+l.
[0040] Reference is made to Fig. 1, which schematically illustrates a block-diagram of a cryptographic system 100 in accordance with some demonstrative embodiments of the invention.
[0041] According to some demonstrative embodiments of the invention, system 100 may include an encryptor 102, a decryptor 104, an input 106, an output 108 and/or a storage
110.
[0042] According to some demonstrative embodiments of the invention, encryptor 102 may be able to encrypt input data received from input 106, e.g., via a signal 107, and/or from storage 110, e.g., via a signal 111, according to a desired encryption method, for example, according to a public key encryption method, as is known in the art. Encryptor 102 may be able to provide encrypted data to storage 110, e.g., via a signal 113, and/or to output 108, e.g., via a signal 109.
[0043] According to some demonstrative embodiments of the invention, decryptor 104 may be able to decrypt encrypted input data received from input 106, e.g., via a signal 117, and/or from storage 110, e.g., via a signal 121, according to a desired decryption method, for example, according to a public key decryption method, as is known in the art. Decryptor
104 may be able to provide decrypted data to storage 110, e.g., via a signal 123, and/or to output 108, e.g., via a signal 129.
[0044] According to embodiments of the invention encryptor 102 may include a modular computation module 139, and/or decryptor 104 may include a modular computation module
139, e.g., as described below with reference to Fig. 2.
[0045] According to some demonstrative embodiments of the invention, storage 110 may include, for example, memory, e.g., a Random Access Memory (RAM), a Read Only Memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a Flash memory, a volatile memory, a non- volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory unit or storage unit. According to some demonstrative embodiments, storage 110 may be able to receive data from input 106, e.g., via a signal 141, and/or provide output 108 with data, e.g., via a signal 143.
[0046] In some embodiments, encryptor 102 and decryptor 104 may be implemented, for example, using separate and/or integrated units, for example, using an encryption- decryption unit. For example, in some embodiments, units 102, 104, 106, 108 and 110 may be part of a smartcard, as is known in the art.
[0047] Reference is made to Fig. 2, which schematically illustrates a block-diagram of a modular computation module 200 in accordance with some demonstrative embodiments of the invention. Although the invention is not limited in this respect, modular computation module may perform the functionality of modular computation module 139 (Fig. 1) [0048] According to some demonstrative embodiments of the invention, computation module 200 may be able to perform a modular exponential operation to determine an exponentiation result, denoted T=A mod N, corresponding to an integer base value, denoted A, an integer exponent, denoted x, and an odd modulus, denoted N, e.g., as described in detail below. The data size of each of the values A and N may be, for example, n bits, and the data size of the base value Xmay be, for example, x bits.
[0049] According to some demonstrative embodiments of the invention, computation module 200 may be able to perform the modular exponential operation by performing a series of modular multiplications. For example, computation module 200 may implement a most-to-least binary exponentiation algorithm or a least-to-most exponentiation algorithm, e.g., as are known in the art
[0050] In some demonstrative embodiments of the invention, one or more of the series of modular multiplications may include a Montgomery Multiplication (MMUL). The
Montgomery Multiplication (MMUL) corresponding to first and second values, denoted / and m, respectively, and the modulus N, may be calculated, for example, according to the following equation: l - m + Y- N MMUL(l, m, N, n) = n (3) wherein N, I and m may have a data size of n bits, and wherein Y may denote a zeroing value having an n-bit data size, which may be calculated, such that l-m+Y-N may have, for example, a data size of 2n bits or less, and may include n LSBs having a zero value. [0051] One or more of the Montgomery multiplications may include, for example, a Non- Reduced Montgomery Multiplication (TSfRMM). [0052] Embodiments of methods, devices and/or systems of performing an exponential operation and/or a NRMM operation, in accordance with some demonstrative embodiments of the invention, are described in International Application PCT/IL02/00318, filed April 22, 2002, entitled "A METHOD AND APPARATUS FOR CARRYING OUT EFFICIENTLY ARITHMETIC COMPUTATIONS IN HARDWARE" and published January 03, 2003 as PCT Publication WO 03/001362 (Reference 1), the disclosure of which is incorporated herein by reference.
[0053] According to some demonstrative embodiments of the invention, computation module 200 be able to perform the modular exponential operation, e.g., in accordance with the following algorithm: Input: X (x bits long integer) A (n bits long integer, A < N) N (n bits long odd integer) s = n+2 Pre-computed value H = 22n mod N Output: A mod Computations: l. B - NRMM (A, H, N, s) 2. T = B
Figure imgf000015_0001
T = NRMM (T, T, N, s) if Xi=l then T = NRMM (T, B, N, s) end for 4. T = NRMM (T, l, N, s) Return T Algorithm 2
[0054] According to some demonstrative embodiments of the invention, computation module 200 may be able to perform one or more NRMMs, e.g., NRMMs of operations 1, 3 and/or 4 in Algorithm 2. For example, computation module 200 may perform a NRMM to determine a calculated NRMM result, denoted S, corresponding to the following inputs: the values /, m, and N; and a number of NRMM computation cycles, denoted r, e.g., in accordance with the following algorithm: Input: 1, m N r > n Output: NRMM (1, m, N, r) = (lm + YN) / 2r and Y = -lmN"1 mod 2r Computations: S=0 For i from O to r-1 do S = S + l;m Yi = S0
Figure imgf000016_0001
S = S/2 End for Return S, Y Algorithm 3
[0055] According to some demonstrative embodiments of the invention, computation module 200 may include a processor 202, and a Cryptographic Co-Processor (CCP) 204.
[0056] According to some demonstrative embodiments of the invention, processor 202 may include, for example, a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a microprocessor, a host processor, a plurality of processors, a controller, a chip, a microchip, or any other suitable multi-purpose or specific processor or controller. For example, processor 202 may include a relatively weak CPU, e.g., an ARM9 CPU as is known in the art. CCP 204 may include any suitable hardware, software and/or circuitry to perform a modular multiplication operation, for example, a NRMM multiplication, e.g., as described in Reference 1.
[0057] According to some demonstrative embodiments of the invention, processor 202 may perform the modular exponential computation, e.g., in accordance with Algorithm 2.
[0058] According to some demonstrative embodiments of the invention, CCP 204 may be able to perform a modular multiplication operation, for example, a Montgomery multiplication operation, e.g., a NRMM. For example, CCP 204 may include a NRMM computation module 231 to determine the result S of the NRMM operation, e.g., in accordance with Algorithm 2. [0059] In some demonstrative embodiments of the invention, processor 202 may controllably load data into one or more registers 205 of CCP 204, and or unload data from registers 205, for example, via a bus 211. Processor 202 may control the operation of CCP 204, e.g., according to Algorithm 2. For example, processor 202 may provide CCP 204 via bus 211 with one or more inputs corresponding to a NRMM, e.g., the NRMM of operations 1, 3 and/or 4 in Algorithm 3.
[0060] According to some demonstrative embodiments of the invention, CCP 204 may provide processor 202 with the result S, of the computed NRMM, and the zeroing value 7, corresponding to the computed NRMM.
[0061] According to some demonstrative embodiments of the invention, at least some of the calculated results of the NRMM operations, e.g., all the calculated NRMM results, may be checked, verified, validated and/or authenticated using a stamp value, e.g., a stamp value in accordance with Equation 1, as described below.
[0062] According to some demonstrative embodiments of the invention, computation module 200 may include an error detector 206 to determine whether a calculated result of a modular multiplication of the series of modular multiplications is erroneous. For example, detector 206 may determine a result stamp value corresponding to the calculated result of the modular multiplication. Detector 206 may also determine an expected stamp value corresponding to an expected result of the modular multiplication. Detector 206 may also determine whether the calculated result is erroneous based on a comparison between the result stamp value and the expected stamp value, e.g., as described in detail below.
[0063] In some demonstrative embodiments of the invention, error detector 206, processor 202, and/or CCP 204 may be implemented as separate elements of computation module 200. However, in other embodiments of the invention, error detector 206 may be implemented as part of processor 202, or as part of CCP 104, e.g., as described below.
[0064] According to some demonstrative embodiments of the invention, detector 206 may be implemented by a processor, e.g., as part of processor 202 or as an independent processor, able to determine the arithmetic stamp of an L words value, e.g., using
Algorithm 1, within L+2 successive addition operations. For example, a 32 bit processor, e.g., an ARM 9 processor, may perform an addition of a 32 bit word to an accumulator value within one instruction. [0065] According to other embodiments of the invention, detector 206 may be implemented, e.g., as part of CCP 204. For example, detector 206 may be implemented using a bits adder, for example, a t=32 bits adder, e.g., a carry-save adder. Detector 206 may additionally include appropriate control, e.g., to determine a stamp value using Algorithm 1. [0066] Reference is now made to Fig. 3, which schematically illustrates a method of detecting an error in a modular exponential operation including a series of modular multiplications in accordance with some demonstrative embodiments of the invention. Although the invention is not limited in this respect, one or more operations of the method of Fig. 3 may be implemented, for example, by detector 206 (Fig. 2).
[0067] As indicated at block 302, the method may include determining a result stamp value, denoted S', corresponding to the calculated result 5Of a modular multiplication of the series of modular multiplications. The result stamp value iS" may be determined, for example, using Algorithm 1. For example, detector 206 (Fig. 2) may apply Algorithm 1 to the result S, e.g., as determined by CCP 204 (Fig. 2).
[0068] As indicated at block 304, the method may also include determining am expected stamp value, denoted Q corresponding to an expected result of the modular multiplication. For example, detector 206 (Fig. 2) may deteπnine the expected stamp value Q e.g., as described in detail below.
[0069] As indicated at block 306, the method may also include comparing the result stamp value <S" with the expected stamp value Q '. For example, detector 206 (Fig. 2) may compare the result stamp value S" with the expected stamp value Q '.
[0070] According to some demonstrative embodiments of the invention, a difference between the result stamp value S' and the expected stamp value Q' may indicate the calculated result S of the modular multiplication is erroneous. Accordingly, the method may include determining that the calculated result of the modular multiplication is erroneous, e.g., if the comparing fails, as indicated at block 310.
[0071] As indicated at block 312, the method may also include, determining that the exponential operation is erroneous, e.g., if the comparing fails. Accordingly, the method may also include stopping the exponential operation, e.g., as indicated at block 314. Determining that the exponential operation is erroneous, may be performed, for example, before performing another modular multiplication succeeding the modular multiplication in the series of modular multiplications.
[0072] In some demonstrative embodiments of the invention, comparing between the result stamp and the expected stamp values may be performed before performing another modular multiplication succeeding the modular multiplication in the series of modular multiplications, e.g., as described below.
[0073] As indicated at block 308, the method may include continuing the exponential operation, for example, by performing another modular multiplication succeeding the modular multiplication in the series of modular multiplications, e.g., if the comparison between the result stamp value 5" with the expected stamp value Q ' does not fail.
[0074] According to some demonstrative embodiments of the invention, the method may include, determining the expected stamp value, determining the result stamp value, and/or comparing between the result stamp value and the expected stamp value, during a time period at least partially overlapping a time period for calculating the modular multiplication, e.g., as described below with reference to Fig. 4.
[0075] According to some demonstrative embodiments of the invention, the expected stamp Q ' of the NRMM may be determined, for example, as follows:
Q = [NRMM(l, m, Nt s)]'= [l ' m + ' Nγ= ( (/' m << N') ■ (T" ) (4)
wherein / ' denotes a stamp value corresponding to the value /, m ' denotes a stamp value corresponding to the value m, Y' denotes a stamp value corresponding to the zeroing value Y, and N' denotes a stamp value corresponding to the modulus N. One or more of stamp values /', m ', Y', and N' may be determined, for example, by computation module 200 (Fig. 2), e.g., according to Equation 1.
[0076] According to some demonstrative embodiments of the invention, the modulus F may be constant, e.g., at least during the exponential operation. Accordingly, a value, denoted Z, corresponding to the values of (2s) ' may be predetermined, e.g., as follows:
Z = (2-s) =2^ mod (5) [0077] According to some demonstrative embodiments of the invention, the number s of NRMM computation cycles may be determined such that Z=l. This may enable determining Q ', e.g., without computing the term (/' '+7'N')- Z in Equation 4. For example, it is noted from Equations 1, 2 and 5, that Z=l ifs is determined to be a multiple of the number of bits t. For example, the modulus N may have a data size of n= 1024 bits, e.g., if an RSA key is used, and the number of bits per word may be t=32. Accordingly, the number s of NRMM cycles may be determined to be equal to a multiple of t, and at least n+2=1026. For example, the number s of NRMM cycles may be determined to be s=1056. It is noted that the added computation time for performing the additional 30 NRMM cycles, may be relatively short. In addition, the higher number of cycles s may enable using a masked base value lmask and/or a masked modulus Nmask, e.g., having a data size bigger than 1024 bits.
[0078] In some demonstrative embodiments of the invention, the value of the modulus N may remain constant, e.g., if an RSA key used during the exponential operation is constant; and/or the value m may remain constant, e.g., during the exponential operation. Accordingly, the stamp values m ' and N' may be predetermined, e.g., in accordance with Equation 1.
[0079] . According to some demonstrative embodiments of the invention, the expected stamp value Q ' may be determined, e.g., as follows: Pre-Computations: Z, m', N' Input: Y. Computation: 1. Compute Y' 2. Compute Q' = ((I'm' + Y'N')' Z)': 2a. Ql=l'm' 2b. Q2=Y'N' 2c. Q3=(Q1+Q2)' 2d. Q'=(Q3Z)' Algorithm 4
[0080] According to some demonstrative embodiments of the invention, the computation of Q ' in operation 2 of Algorithm 4 may include, for example, determining a first product value, denoted Ql, e.g., by multiplying the stamp value /' by the stamp value m '; determining a second product value, denoted Q2, e.g., by multiplying the stamp value N' by the stamp value Y' determining a sum stamp value, denoted Q3, e.g., by applying the stamp function of Equation 1 to a sum of the first and second product values; and determining the expected stamp value Q', e.g., by applying the stamp function of Equation 1 to the product of the sum stamp value and the value Z.
[0081] According to one demonstrative embodiment of the invention, CCP 204 (Fig. 2) may include any suitable hardware and/or circuitry to determine the stamp value Y' and/or the result stamp value 5", e.g., in accordance with Algorithm 1. In another demonstrative embodiment of the invention, processor 202 (Fig. 2) may receive from CCP the values S and Y, and may determine the stamp values S' and Y e.g., in accordance with Algorithm 1.
[0082] According to some demonstrative embodiments of the invention, detector 206 (Fig, 2) may detect an error in the result of the modular multiplication, e.g., while CCP 204 (Fig. 2) calculates another modular multiplication succeeding the modular multiplication in the series of modular multiplications. This may be achieved, for example, by implementing detector 206 (Fig. 2) and CCP 204 (Fig. 2) as separate elements of computation module 202, e.g., by implementing detector 206 (Fig. 2) as part of processor 202 (Fig. 2) or as a separate element.
[0083] According to one demonstrative embodiment of the invention, the modular multiplication may correspond to the values N=8000082D80216E1B, 1=80002407, m-8000082D8020EElB. The modulus N may have a data size of n=64 bits, and the number of NRMM cycles may be selected as s=n+2=66.
[0084] According to this demonstrative embodiment, the calculated result of the modular multiplication may be, for example, S=NRMM(l, m, N, s)= 1D8921075EC05D7A, and the zeroing value may be Y = EC48F921E8425BF9. The expected stamp value Q' may be determined, for example, in accordance with Algorithm 4, e.g., as follows: Pre-Computation: N'=217649, Z=40000000, 1' = 80002407, m* = 20F649 Computation: l. Y' = D48B551B. 2. Compute Q' as follows: 2a. Ql=(l' m') -23997B28 2b. Q2=(Y' N') -CD8C7EDD 2c. Q3=(Q1+Q2)' =F125FA05 2d. Q'=(Q3Z)* =7C497E81 Algorithm 5 [0085] The calculated result 5 may then be verified, e.g., by calculating the result stamp value 5" and comparing the expected stamp value β' to the result stamp value S' e.g., as described above with reference to Fig. 3.
[0086] According to some demonstrative embodiments of the invention, the expected stamp value Q ' corresponding to a modular multiplication may be determined "on the fly", i.e., the expected stamp value Q ' may be determined during a time period at least partially overlapping a time period for determining the result of the modular multiplication.
[0087] According to some demonstrative embodiments of the invention, the expected stamp value Q ' may be determined based at least on the stamp value m ', and the modulus stamp N', e.g., as described below.
[0088] Reference is now made to Fig. 4, which schematically illustrates a method of determining the expected stamp value Q ' corresponding to a NRMM in accordance with some demonstrative embodiments of the invention.
[0089] The method may include determining the NRMM by performing a series of s NRMM calculation cycles, as described below.
[0090] As indicated at block 402 the method may include setting the value S to zero. As indicated at block 404, the method may also include performing the operations of blocks 406, 408, 410 and 412 for the s NRMM. computation cycles, e.g., in accordance with Algorithm 3. As indicated at block 406, the method may include adding to the value S a product of the value m and the i-th bit of the value /. As indicated at block 408, the method may also include deteπnining an i-th bit of Y, denoted 7,-, corresponding to the LSB of the value S. As indicated at block 410 the method may also include adding to the value S the product of the bit 7 and the modulus N. As indicated at block 412, the method may also include dividing the value of S by two, e.g., by performing a right shift operation. As indicated at block 414, the method may include providing the result S. As indicated at block 416, the method may also include determining the result stamp £", e.g., in accordance with Algorithm 1. [0091] According to some demonstrative embodiments of the invention, the method may include determining the expected stamp value Q' by performing a series of s stamp computation cycles, e.g., corresponding the s NRMM calculation cycles, respectively, as described below.
[0092] As indicated at block 422 the method may include setting the value Q ' to zero.
[0093] As indicated at block 424, the method may also include performing the operations of blocks 426, 428, and 430 for the 5 stamp computation cycles.
[0094] As indicated at block 426, the method may include adding to the value Q ' a product of the stamp value m ' and the i-th bit of the value /.
[0095] As indicated at block 428 the method may also include adding to the value Q' the product of the bit and the modulus stamp N'.
[0096] As indicated at block 430, the method may also include dividing by two the sum of Q' and the product of the LSB of Q' and the modulus F. The method may include providing the expected stamp value Q', as indicated at block 432.
[0097] Referring back to Fig. 2, according to some demonstrative embodiments of the invention, CCP 204 may be able to perform one or more operations of the method of Fig. 4. For example, CCP 204 may include a stamp computation module 233 to determine the expected stamp value Q', for example, in accordance with the operations of blocks 422, 424, 426, 428, 430, and 432 (Fig. 4).
[0098] According to some demonstrative embodiments of the invention, an error and/or fault may occur when transferring one or more inputs from processor 202 to registers 205 of CCP 204, e.g., via bus 211; and/or when transferring one or more computed NRMM results from CCP 204 to processor 202 and/or detector 206, e.g., via bus 211. This may result in the exponential operation being erroneous, e.g., since CCP 204 may perform a correct computation, though on faulty inputs.
[0099] Thus, in some demonstrative embodiments of the invention, the integrity of the data transferred between CCP 204, processor 202, and/or detector 206 may be verified , e.g., in addition to checking the correctness of the NRMM operation, as described below.
[00100] According to some demonstrative embodiments of the invention, a "check-word", denoted W, may be added to data, e.g., transferred between CCP 204, processor 202, and/or detector 206. For example, an integer R may represented by a concatenation, denoted, (W|R), of the integer R and the check- word W. The check word W may be determined, for example, by applying the stamp function, e.g., of Equation 1, to the integer R, i.e., W=R'.
[00101] According to some demonstrative embodiments of the invention, CCP 204, processor 202 and/or detector 206 may receive the concatenated data, determine a stamp value, R ', corresponding to the integer R, and compare the stamp value R ' to the check word W. A mismatch between R ' and W may indicate an error has occurred in the transfer of the data.
[00102] In some embodiments of the invention, computation module 233 may determine the expected stamp Q ' during a time period at least partially overlapping the time period for determining the result S.
[00103] Embodiments of the present invention may be implemented by software, by hardware, or by any combination of software and/or hardware as may be suitable for specific applications or in accordance with specific design requirements. Embodiments of the present invention may include units and sub-units, which may be separate of each other or combined together, in whole or in part, and may be implemented using specific, multipurpose or general processors, or devices as are known in the art. Some embodiments of the present invention may include buffers, registers, storage units and/or memory units, for temporary or long-term storage of data and or in order to facilitate the operation of a specific embodiment.
[00104] While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents may occur to those of ordinary skill in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

Claims

CLAIMS[00105] What is claimed is:
1. A method of detecting an error in a modular exponential operation including a series of modular multiplications, the method comprising: determining a result stamp value corresponding to a calculated result of a modular multiplication of said series of modular multiplications; determining an expected stamp value corresponding to an expected result of said modular multiplication; and comparing said result stamp value with said expected stamp value.
2. The method of claim 1 comprising determining that the calculated result of said modular multiplication is erroneous, if said comparing fails.
3. The method of claim 2 comprising determining that said modular exponential operation is erroneous, if said comparing fails.
4. The method of claim 3, wherein determining that said modular exponential operation is erroneous comprises determining that said modular exponential operation is erroneous before performing another modular multiplication succeeding said modular multiplication in said series of modular multiplications.
5. The method of claim 1, wherein comparing said result stamp value with said at expected stamp value comprises comparing said result stamp value with said expected stamp value, before performing another modular multiplication succeeding said modular multiplication in said series of modular multiplications.
6. The method of claim 1 comprising, during a time period at least partially overlapping a time period for calculating said modular multiplication, performing at least one of determining said result stamp value, detennming said expected stamp value, and said comparing.
7. The method of claim 1, wherein determining said result stamp value comprises applying a predetermined stamp function to the calculated result of said modular multiplication.
8. The method of claim 7, wherein said modular multiplication comprises a modular multiplication of first and second integer values and a modulus value, and wherein determining said expected stamp value comprises determining said expected stamp value based at least on a stamp value corresponding to said second integer value, and a modulus stamp value corresponding to said modulus.
9. The method of claim 8 comprising: performing a plurality of modular calculation cycles for determining said modular multiplication, wherein determining said expected stamp value comprises performing a plurality of stamp calculation cycles corresponding to said plurality of modular calculation cycles, respectively, one or more of said stamp calculation cycles comprising: adding to an accumulator value a first product value corresponding to a product of a selected bit of said first integer value and the stamp value corresponding to said second integer value; and adding to said accumulator value a second product value corresponding to a product of said modulus stamp value and a zeroing bit of a corresponding modular calculation cycle.
10. The method of claim 8, wherein determining said expected stamp value comprises: determining a first product value by multiplying a stamp value corresponding to said first integer by the stamp value corresponding to said second integer; determining a second product value by multiplying the stamp value corresponding to said modulus by a stamp value corresponding a determined zeroing value of said modular multiplication; determining a sum value by applying said stamp function to a sum of said first and second products; and determining said expected stamp value based on said sum value.
11. The method of claim 10, wherein determining said expected stamp based on said sum value comprises: determining a third product value by multiplying said sum value by a stamp value corresponding to a number of rounds of said modular multiplication; and determining said expected stamp value by applying said stamp function to said third product value.
12. The method of claim 1, wherein said modular multiplication comprises a Montgomery multiplication.
13. The method of claim 13, wherein said Montgomery multiplication comprises a non- reduced Montgomery multiplication.
14. A device able to perform a modular exponential operation including a series of modular multiplications, the device comprising: an error detector to determine whether a calculated result of a modular multiplication of said series of modular multiplications is erroneous by determining a result stamp value corresponding to the calculated result of said modular multiplication, determining an expected stamp value corresponding to an expected result of said modular multiplication, and comparing said result stamp value with said expected stamp value.
15. The device of claim 14, wherein said detector is able to determine that the calculated result of said modular multiplication is erroneous, if said comparing fails.
16. The device of claim 15, wherein said detector is able to determine that said modular exponential operation is erroneous, if said comparing fails.
17. The device of claim 16, wherein said detector is able to determine that said examined modular exponential operation is erroneous before performing another modular multiplication succeeding said modular multiplication in said series of modular multiplications.
18. The device of claim 14, wherein said detector is able to compare said result stamp value with said expected stamp value, before performing another modular multiplication succeeding said modular multiplication in said series of modular multiplications.
19. The device of claim 14, wherein said detector is able to perform, during a time period at least partially overlapping a time period for calculating said modular multiplication, at least one of determining said result stamp value, determining said expected stamp value, and said comparing.
20. The device of claim 14, wherein said detector is able to determine said result stamp value by applying a predetermined stamp function to the calculated result of said modular multiplication.
21. The device of claim 20, wherein said modular multiplication comprises a modular multiplication of first and second integer values and a modulus value, and wherein said detector is able to determine said expected stamp value based at least on a stamp value corresponding to said second integer value, and a modulus stamp value corresponding to said modulus.
22. The device of claim 21, wherein said device comprises a modular multiplication calculator to determine said modular multiplication by performing a plurality of modular calculation cycles, and wherein said detector is able to determine said expected stamp value by performing a plurality of stamp calculation cycles corresponding to said plurality of modular calculation cycles, respectively, one or more of said stamp calculation cycles comprising: adding to an accumulator value a first product value corresponding to a product of a selected bit of said first integer value and the stamp value corresponding to said second integer value; and adding to said accumulator value a second product value corresponding to a product of said modulus stamp value and a zeroing bit of a corresponding modular calculation cycle.
23. The device of claim 21, wherein said detector is able to determine said expected stamp value by determining a first product value by multiplying a stamp value corresponding to said first integer by the stamp value corresponding to said second integer; determining a second product value by multiplying the stamp value corresponding to said modulus by a stamp value corresponding a determined zeroing value of said modular multiplication; determining a sum value by applying said stamp function to a sum of said first and second products; and determining said expected stamp value based on said sum value.
24. The device of claim 23, wherein said detector is able to determine said expected stamp value based on said sum value by determining a third product value by multiplying said sum value by a stamp value corresponding to a number of rounds of said modular multiplication; and determining said expected stamp value by applying said stamp function to said third product value.
25. The device of claim 13, wherein said modular multiplication comprises a Montgomery multiplication.
26. The device of claim 25, wherein said Montgomery multiplication comprises a non- reduced Montgomery multiplication.
PCT/IL2005/000640 2004-06-16 2005-06-16 System, method and apparatus of error detection during a modular operation WO2005124578A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US57966104P 2004-06-16 2004-06-16
US60/579,661 2004-06-16

Publications (2)

Publication Number Publication Date
WO2005124578A2 true WO2005124578A2 (en) 2005-12-29
WO2005124578A3 WO2005124578A3 (en) 2006-08-24

Family

ID=35510392

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2005/000640 WO2005124578A2 (en) 2004-06-16 2005-06-16 System, method and apparatus of error detection during a modular operation

Country Status (1)

Country Link
WO (1) WO2005124578A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2138990A1 (en) * 2007-03-19 2009-12-30 Fujitsu Limited Built-in device with fault attack countermeasure function

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3816728A (en) * 1972-12-14 1974-06-11 Ibm Modulo 9 residue generating and checking circuit
US3873820A (en) * 1974-01-31 1975-03-25 Ibm Apparatus for checking partial products in iterative multiply operations
US4870607A (en) * 1986-07-03 1989-09-26 Nec Corporation Error detection carried out by the use of unused modulo-m code
US4926374A (en) * 1988-11-23 1990-05-15 International Business Machines Corporation Residue checking apparatus for detecting errors in add, subtract, multiply, divide and square root operations

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3816728A (en) * 1972-12-14 1974-06-11 Ibm Modulo 9 residue generating and checking circuit
US3873820A (en) * 1974-01-31 1975-03-25 Ibm Apparatus for checking partial products in iterative multiply operations
US4870607A (en) * 1986-07-03 1989-09-26 Nec Corporation Error detection carried out by the use of unused modulo-m code
US4926374A (en) * 1988-11-23 1990-05-15 International Business Machines Corporation Residue checking apparatus for detecting errors in add, subtract, multiply, divide and square root operations

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2138990A1 (en) * 2007-03-19 2009-12-30 Fujitsu Limited Built-in device with fault attack countermeasure function
EP2138990A4 (en) * 2007-03-19 2011-11-09 Fujitsu Ltd Built-in device with fault attack countermeasure function
US8327156B2 (en) 2007-03-19 2012-12-04 Fujitsu Limited Embedded device having countermeasure function against fault attack
EP2605232A3 (en) * 2007-03-19 2013-07-03 Fujitsu Limited Embedded device having countermeasure function against fault attack

Also Published As

Publication number Publication date
WO2005124578A3 (en) 2006-08-24

Similar Documents

Publication Publication Date Title
US8402287B2 (en) Protection against side channel attacks
US11983280B2 (en) Protection of cryptographic operations by intermediate randomization
EP1320027B1 (en) Elliptic curve cryptosystem apparatus, method and program
CN107040362B (en) Modular multiplication apparatus and method
US10505744B2 (en) Technologies for robust computation of elliptic curve digital signatures
US8457303B2 (en) Fault-resistant calculcations on elliptic curves
EP2211265B1 (en) Elliptic curve arithmetic processing unit and elliptic curve arithmetic processing program and method
US7809133B2 (en) Randomized modular reduction method and hardware therefor
US7907724B2 (en) Method and apparatus for protecting an RSA calculation on an output by means of the chinese remainder theorem
US7774160B2 (en) Method, device, and system for verifying points determined on an elliptic curve
CA2775325A1 (en) Modular exponentiation method and device resistant against side-channel attacks
US20040125950A1 (en) Method for protecting public key schemes from timing, power and fault attacks
US10229264B2 (en) Protection of a modular exponentiation calculation
US8588407B2 (en) Protection of a calculation performed by an integrated circuit
JP4766285B2 (en) Permanent data hardware integrity
Karaklajić et al. Low-cost fault detection method for ECC using Montgomery powering ladder
WO2005124578A2 (en) System, method and apparatus of error detection during a modular operation
US20140334621A1 (en) Method for Complete Atomic Blocks for Elliptic Curves in Jacobian Coordinates over Prime Fields Countermeasure for Simple-Side Channel Attacks and C-Safe-Fault Attacks for Left-to-Right Algorithms
US7730356B2 (en) Method and apparatus for testing mathematical algorithms
JP6262085B2 (en) Data processing apparatus and decryption processing method
CN113032797A (en) Method for performing cryptographic operations in a processing device
Breveglieri et al. A note on error detection in an RSA architecture by means of residue codes
Hu et al. A secure modular division algorithm embedding with error detection and low-area ASIC implementation
Francq et al. Error detection for borrow-save adders dedicated to ECC unit
Tunstall Random order m-ary exponentiation

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase in:

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase