WO2007006649A1 - Method for side-channel-attack-resistant multiplication (original title: Procédé pour la multiplication résistante aux attaques par canaux cachés) - Google Patents
- Publication number: WO2007006649A1 (application PCT/EP2006/063619)
- Authority: WO (WIPO, PCT)
- Prior art keywords: multiplication, value, link, arithmetic unit, determined
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7223—Randomisation as countermeasure against side channel attacks
- G06F2207/7233—Masking, e.g. (A**e)+r mod n
- G06F2207/7238—Operand masking, i.e. message blinding, e.g. (A+r)**e mod n; k.(P+R)
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7261—Uniform execution, e.g. avoiding jumps, or using formulae with the same power profile
Definitions
- The invention relates to a method for the side-channel-attack-resistant calculation of a return value r as the "multiplication" of an input value a by means of a computing unit, where "multiplication" means the n-fold application of a link K to a (an exponentiation when K is a multiplication, a scalar multiplication when K is an addition). The method is used in particular as a sub-process of encryption, decryption, signature generation, signature verification or key agreement with at least one cryptographic key.
- A computing unit designed to operate according to this method, in particular the computing unit of a tachograph, which encrypts and/or decrypts and/or signs data, verifies signatures and/or executes key-agreement transactions using at least one cryptographic key, is also subject of the invention.
- Measurements of a single calculation can be analyzed directly, for example by Simple Power Analysis (SPA), or an attacker records the measurements of several calculations (with a storage oscilloscope, for example) and then evaluates them statistically, for example by Differential Power Analysis (DPA).
- Side-channel attacks are often far more efficient than classical cryptanalysis and can break even methods that are considered secure from the algorithmic point of view, if the implementation of these algorithms is not protected against side-channel attacks. Countermeasures against side-channel attacks are particularly important for smart cards and embedded applications.
- Cited work on multiplicative masking: Trichina, De Seta, Germani: Simplified adaptive multiplicative masking for AES and its securized implementation, CHES 2002, LNCS 2523, pp. 187-197, Springer; Golić, Tymen: Multiplicative masking and power analysis of AES, CHES 2002, LNCS 2523, pp. 198-212, Springer.
- The field of application of the invention is in particular the protection of fast exponentiation against SPA and DPA.
- Many cryptographic methods (especially public-key methods) use arithmetic in finite fields or finite rings. An important calculation step in them is exponentiation or scalar multiplication in finite fields, rings, groups or semigroups.
- Commonly used defences against side-channel attacks either seek to degrade the signal-to-noise ratio between the information to be protected and all other measurable signals, thus hampering observation of the secret, or use randomization to destroy the correlation between the information to be protected and the measured values.
- Methods that make observation of the secret harder include, for example, avoiding branches that depend on information to be protected, using program steps with a nearly constant power profile or program parts whose runtime does not depend on the data being processed, performing random and/or
- These countermeasures generally protect against SPA attacks, but have the disadvantage that they impose unfavourable constraints on the implementation.
- Randomization techniques that remove the correlation between the information to be protected and the measured values serve to defend against statistical analysis methods such as DPA.
- Such measures usually consist of masking the secret information with random values.
- Each new calculation uses new, independent random numbers for the masks.
- The attacker therefore measures a seemingly random calculation each time: since he does not know the mask, he cannot find simple correlations between the measured physical values and the input or output data.
- The standard fast exponentiation algorithm is vulnerable to both SPA and DPA attacks.
- Known masking approaches for it: the inverse operation (e.g. a division) is used to undo the masking [Kocher: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, Crypto 1996, LNCS 1109, pp. 104-113, Springer; Coron: Resistance against differential power analysis for elliptic curve cryptosystems, CHES 1999, LNCS 1717, pp. 292-302, Springer]; pairs of a random element and its associated correction value are precalculated and stored, or refreshed after use [Kocher, op. cit.]; or the modulus used for reduction in modular arithmetic is extended by a small random number, so that intermediate results are never completely reduced.
- The object of the invention is to provide a method for the side-channel-resistant calculation of a return value as a multiplication which is resistant to side-channel attacks while keeping both the restrictions on the implementation and the additional effort spent on this protection low.
- a method according to claim 1 is proposed for this purpose.
- a computing unit is proposed, which is designed such that it operates according to the method of claim 1.
- The technique according to the invention makes it possible to secure any implementation of a method for calculating a multiplication against side-channel attacks.
- An arithmetic homomorphic masking technique has, among other advantages, that the masking is applied once at the beginning of the computation and the result is unmasked once at the end, while the implementation is protected against SPA and DPA attacks in between.
- An advantageous application of the invention in a cryptographic method, in particular in a tachograph or a mobile data carrier according to the invention, is, for example, the generation of digital signatures according to the Digital Signature Standard (DSS).
- An advantageous embodiment of the method provides that the intermediate results are erased after the respective calculation steps.
- The method and the computing unit according to the invention are particularly versatile: if the link operator K used is an addition, the result is a (scalar) multiplication; if it is a multiplication, the result is an exponentiation.
- An implementation of the method in a fixed-window variant, in which the multiplier n (the exponent or scalar) is processed in bit blocks of equal width, is particularly safe against side-channel attacks.
- FIG. 1 is a schematic perspective view of a tachograph according to the invention with a data card according to the invention.
- FIG. 1 shows a tachograph DTCO and a data card DC, each with a computing unit that operates according to the method of the invention.
- The data card DC can be inserted into the DTCO through one of two receiving slots 2, so that during a data transmission between the two the data card DC is held inside the tachograph DTCO, inaccessible from the outside.
- On its front side 3 the tachograph DTCO has, in addition to the two receiving slots 2, a display unit 1 and controls 4.
- Once inserted into a receiving slot 2, the data card DC is connected to a central processor CPU, which has access to an internal memory MEM.
- The data card also has an internal memory and a central processor, which are not shown in detail.
- Data transmission between the tachograph DTCO and the data card DC is encrypted with a session key; during encryption and decryption the central processors CPU of the tachograph DTCO and the data card DC perform, among other operations, exponentiations and multiplications according to the invention.
- For this purpose the processors CPU make use of the module KRY shown in FIG.
- The module KRY is part of an encryption process.
- The input values a and n are passed to the module KRY and forwarded to a module MULT within it.
- In a first step A, the module MULT determines a random number c. In a second step B, it determines the inverse d of c with respect to the link K.
- A multiplication v, which still carries the mask, is then determined and linked with the inverse d.
- The return value r is set equal to this result and returned to the module KRY.
- The procedure in the module MULCO is as follows; the central steps of the method, designated CE, are described first.
- In a step C, an assignment value E[i] is assigned to each value i of an interval. For the binary variant the interval is {0, 1}: the inverse d is assigned to the bit value 0 and the result of the link K of the input value a with the inverse d to the bit value 1, i.e. E[0] = d and E[1] = a K d (see the abstract).
- In step D, starting from the most significant digit of the binary representation n_i of the multiplier n, an intermediate value b is determined sequentially for all positions as the result of two successive links K: the intermediate value b is linked with itself, and the result is linked with the assignment value E[n_i] belonging to that position; the outcome becomes the new intermediate value b. Every position therefore costs the same two operations, whatever the bit value.
- The return value r is determined as the result of the link K of the final intermediate value b with the inverse d.
- FIGS. 3 and 5 show a fixed-window variant of the module MULCO shown in FIGS. 4 and 6, in which the binary representation n_i of the multiplier n is processed in bit blocks (u_0, ..., u_m) of width w.
- In this variant the module MULCO assigns an assignment value E[i] to each value i that a block of width w can take.
- The variants according to FIGS. 3 and 5 and according to FIGS. 4 and 6 differ in the type of link K.
- The link K is, according to the
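Steps A to D above and the fixed-window variant, as an added worked example. This is not the patent's code: the class and function names, the test modulus and the sample values are constructions of this example. It runs the masked loop for both choices of link K named on the page, multiplication mod N (result a^n) and addition mod N (result n·a). Two details are derived rather than stated on the page: the intermediate value b must start at the mask c, because the loop then keeps the invariant "b = partial result K c" (for K = multiplication, b = a^p · c gives (b K b) K E[n_i] = a^(2p + n_i) · c^2 · c^-1, i.e. exactly one factor c survives each step, so r = b K d strips it), and in the fixed-window form of width w the table entry E[i] must carry d^(2^w - 1) instead of d, since w doublings raise the mask to c^(2^w). With w = 1 this reduces to E[0] = d and E[1] = a K d, as in the abstract.

```python
"""Added example: homomorphically masked left-to-right 'multiplication'
(exponentiation for K = multiplication, scalar multiplication for K = addition)
with a fresh random mask c and its K-inverse d.  Not the patent's code; names,
modulus and sample values are this example's own constructions."""
import secrets
from math import gcd


class MultiplicativeModN:
    """Link K = multiplication mod N; the n-fold link of a is a^n mod N."""

    def __init__(self, N):
        self.N = N

    def op(self, x, y):
        return (x * y) % self.N

    def inverse(self, x):
        return pow(x, -1, self.N)

    def random_element(self):
        # The mask must be invertible under K: retry until gcd(c, N) == 1
        # (matters for a composite N such as an RSA modulus).
        while True:
            c = secrets.randbelow(self.N - 1) + 1
            if gcd(c, self.N) == 1:
                return c


class AdditiveModN:
    """Link K = addition mod N; the n-fold link of a is n*a mod N."""

    def __init__(self, N):
        self.N = N

    def op(self, x, y):
        return (x + y) % self.N

    def inverse(self, x):
        return (-x) % self.N

    def random_element(self):
        return secrets.randbelow(self.N - 1) + 1   # non-zero mask


def masked_multiply(a, n, K, w=1, bit_len=None):
    """Return the n-fold K-link of a, computed only on values masked by c.

    Steps A (random c), B (inverse d), C (table E), D (uniform loop) and the
    final unmasking follow the description; w = 1 is the binary variant, w > 1
    the fixed-window variant.  Assumption (derived, not stated on the page):
    b starts at c, so 'b = partial result K c' is the loop invariant, and for
    width w the table entries carry d^(2^w - 1).
    """
    if bit_len is None:
        bit_len = max(1, n.bit_length())

    c = K.random_element()                 # step A: fresh mask for every call
    d = K.inverse(c)                       # step B: inverse of c under K

    # Step C: E[i] = a^i K d^(2^w - 1).  After w doublings b carries c^(2^w);
    # linking with E[u] leaves exactly one factor c.  For w = 1: E[0] = d,
    # E[1] = a K d, as in the abstract.
    corr = d
    for _ in range((1 << w) - 2):
        corr = K.op(corr, d)
    E = [corr]
    for _ in range((1 << w) - 1):
        E.append(K.op(E[-1], a))

    # Fixed number of windows derived from bit_len (e.g. the key length), not
    # from n itself, so leading zeros of n do not change the operation count.
    n_windows = -(-bit_len // w)
    window_mask = (1 << w) - 1

    b = c                                  # invariant b = a^p K c, here p = 0
    for j in range(n_windows - 1, -1, -1):
        u = (n >> (w * j)) & window_mask
        for _ in range(w):
            b = K.op(b, b)                 # doublings: identical work for every u
        # Step D: one link with the table entry, whatever u is.  A real
        # implementation must fetch E[u] without secret-dependent addressing
        # (constant-time select); plain indexing is used here for clarity.
        b = K.op(b, E[u])
    return K.op(b, d)                      # unmask once at the end: r = b K d


def demo():
    """Compare the masked computation against the unmasked reference results."""
    N = (1 << 127) - 1                     # constructed test modulus (a Mersenne prime)
    a, n = 0x1234567890ABCDEF, 0xC0FFEEF00DBEEF
    exp_group, add_group = MultiplicativeModN(N), AdditiveModN(N)
    return {
        "exponentiation_w1": masked_multiply(a, n, exp_group, w=1) == pow(a, n, N),
        "exponentiation_w4": masked_multiply(a, n, exp_group, w=4) == pow(a, n, N),
        "scalar_mult_w3": masked_multiply(a, n, add_group, w=3) == (a * n) % N,
        "exponent_zero": masked_multiply(a, 0, exp_group) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

The uniformity the page claims lies in the operation sequence: every window costs w doublings and one link, independent of the secret bits, and every intermediate value is randomized by c. Two things the example deliberately does not provide, because Python cannot: constant-time big-integer arithmetic, and a table fetch whose address does not depend on u. In a smart-card implementation the second point is the one most often overlooked; the mask protects the values, not the memory access pattern.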
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to cryptographic methods resistant to side-channel attacks, in which a return value (r) is determined as the multiplication of an input value (a) by means of a module (Mult). The invention aims to guarantee resistance to side-channel attacks while minimizing the restrictions on the implementation. To this end, a random number (c) and its inverse (d) with respect to a link (K) are determined. The inverse (d) is assigned to each value 0 of the binary representation (n_i) of a multiplier (n), and the result of the link (K) of the input value (a) with the inverse (d) is assigned to each value 1 of the binary representation (n_i). An intermediate value (b) is determined for all positions of the binary representation (n_i) as the result of two successive links (K): the result of the link (K) of the intermediate value (b) with itself and with the assignment value (E[n_i=0], E[n_i=1]) assigned to the position of the binary representation (n_i) is determined as the new intermediate value (b). The return value (r) is the result of the link (K) of the new intermediate value (b) with the inverse (d).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102005032731.1 | 2005-07-13 | ||
DE200510032731 DE102005032731A1 (de) | 2005-07-13 | 2005-07-13 | Verfahren zur seitenkanalresistenten Vervielfachung |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007006649A1 true WO2007006649A1 (fr) | 2007-01-18 |
Family
ID=37103312
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2006/063619 WO2007006649A1 (fr) | 2005-07-13 | 2006-06-28 | Procede pour la multiplication resistante aux attaques par canaux caches |
Country Status (2)
Country | Link |
---|---|
DE (1) | DE102005032731A1 (fr) |
WO (1) | WO2007006649A1 (fr) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999067909A2 (fr) * | 1998-06-03 | 1999-12-29 | Cryptography Research, Inc. | Exponentiation modulaire securitaire pour la minimisation des fuites dans les cartes a puce et autres systemes cryptographiques |
FR2810178A1 (fr) * | 2000-06-13 | 2001-12-14 | Gemplus Card Int | Procede de calcul cryptographique comportant une routine d'exponentiation modulaire |
US20050084098A1 (en) * | 2003-09-18 | 2005-04-21 | Brickell Ernie F. | Method of obscuring cryptographic computations |
2005
- 2005-07-13 DE: application DE200510032731 (published as DE102005032731A1), not active, withdrawn
2006
- 2006-06-28 WO: application PCT/EP2006/063619 (published as WO2007006649A1), active, application filing
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012041942A1 (fr) * | 2010-09-29 | 2012-04-05 | Nagravision S.A. | Protection d'exponentiation modulaire dans des opérations cryptographiques |
CN103221917A (zh) * | 2010-09-29 | 2013-07-24 | 纳格拉影像股份有限公司 | 加密运算中模幂的保护 |
EP2437160A1 (fr) * | 2010-10-04 | 2012-04-04 | Nagravision S.A. | Mise à la puissance modulaire dissimulée |
CN104796250A (zh) * | 2015-04-11 | 2015-07-22 | 成都信息工程学院 | 针对RSA密码算法M-ary实现的侧信道攻击方法 |
CN104796250B (zh) * | 2015-04-11 | 2018-05-25 | 成都信息工程学院 | 针对RSA密码算法M-ary实现的侧信道攻击方法 |
Also Published As
Publication number | Publication date |
---|---|
DE102005032731A1 (de) | 2007-01-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1891512B1 (fr) | Determination d'une inverse modulaire | |
DE69828787T2 (de) | Verbessertes verfahren und vorrichtung zum schutz eines verschlüsselungsverfahrens mit öffentlichem schlüssel gegen angriffe mit zeitmessung und fehlereinspeisung | |
DE102006022960B4 (de) | Verfahren zum Verschlüsseln von Eingabedaten, kryptographisches System und Computerprogrammprodukt | |
US7334133B2 (en) | Method for making a computer system implementing a cryptographic algorithm secure using Boolean operations and arithmetic operations and a corresponding embedded system | |
DE102006009239B4 (de) | Vorrichtung und Verfahren zum Berechnen einer Darstellung eines Ergebnis-Operanden | |
EP3593483B1 (fr) | Transition d'un masquage booléen à un masquage arithmétique | |
DE102006033386B4 (de) | Kryptographisches System und Verfahren zum Verschlüsseln von Eingangsdaten | |
EP1922837B1 (fr) | Procede de codage ou decodage securise d'un message | |
DE102012202015A1 (de) | Vorrichtung und verfahren zum berechnen eines ergebnisses einer skalarmultiplikation | |
DE102012018924A1 (de) | Seitenkanalgeschützte Maskierung | |
DE102008051447B9 (de) | Verfahren und Vorrichtung zum Schützen einer RSA-Berechnung an einer Ausgabe mit Hilfe des chinesischen Restsatzes | |
DE102005041102A1 (de) | Verfahren zur Skalarmultiplikation von Punkten auf einer elliptischen Kurve | |
DE102010001289A1 (de) | Vorrichtung zum Berechnen eines Ergebnisses einer Skalarmultiplikation | |
DE10304451B3 (de) | Modulare Exponentiation mit randomisiertem Exponenten | |
KR100731575B1 (ko) | 전력분석공격에 대응하는 암호화 방법 | |
EP1442391B1 (fr) | Procede et dispositif pour garantir un calcul dans un algorithme cryptographique | |
EP1428112B1 (fr) | Procede et dispositif pour calculer le resultat d'une exponentiation | |
WO2007006649A1 (fr) | Procede pour la multiplication resistante aux attaques par canaux caches | |
EP1454260B1 (fr) | Procede et dispositif pour garantir un calcul d'exponentiation au moyen du theoreme des restes chinois (trc) | |
DE60100992T2 (de) | Verfahren zur modularen potenzierung in einem elekronischen baustein, der einen kryptographischen algorithmus mit öffentlichem schlüssel durchführt | |
DE10042234C2 (de) | Verfahren und Vorrichtung zum Durchführen einer modularen Exponentiation in einem kryptographischen Prozessor | |
EP2128754B1 (fr) | Exponentiation sûre de fenêtre coulissante | |
DE102008050800B4 (de) | Vorrichtung und Verfahren zum Bestimmen einer modularen multiplikativen Inversen | |
DE10162496B4 (de) | Verfahren und Vorrichtung zum Absichern einer Berechnung in einem kryptographischen Algorithmus | |
DE102012210354B3 (de) | Verfahren und Recheneinheit zur Erzeugung kryptographischer Daten |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 06777496; Country of ref document: EP; Kind code of ref document: A1 |